The U.S. Food and Drug Administration’s (FDA’s) Center for Devices and Radiological Health (CDRH) recently issued its Medical Device Safety Action Plan:  Protecting Patients, Promoting Public Health (Action Plan), an aspirational set of goals concerning the agency’s approach to medical device safety.  This Action Plan can be considered the FDA’s attempt to reorganize its toolbox to make its regulatory efforts more efficient, effective, and responsive.  The Action Plan describes the FDA’s intentions to:

  1. Integrate CDRH’s premarket and postmarket offices and activities to advance the use of a Total Product Life Cycle (TPLC) approach to device safety;
  2. Establish a robust medical device patient safety net in the United States;
  3. Explore regulatory options to streamline and modernize timely implementation of postmarket mitigations;
  4. Spur innovation towards safer medical devices; and,
  5. Advance medical device cybersecurity.

Radically Restructuring CDRH

The cornerstone of the Action Plan is a TPLC approach intended to enable nimble and comprehensive medical device regulation, especially as it concerns postmarket medical device surveillance and response, balancing patient benefit, device safety, and innovation.  Perhaps the clearest indicator of the FDA’s embrace of the TPLC approach is the proposed radical restructuring of CDRH, which has been talked about for some time.  The Action Plan sets out the FDA’s rationale for the restructuring:

Rather than assessing a device only at one point in time – for instance, to evaluate whether a device meets the standard for approval, or to evaluate post-market data involving a device safety signal – reviewers, compliance officers, and other experts would work in teams with responsibility for device oversight throughout the product’s development and commercialization.

Therefore, instead of the current structure that focuses on stages of a product’s life cycle, CDRH would be reorganized into one office and seven smaller “device-specific offices that would each be responsible for premarket review, postmarket surveillance, manufacturing and device quality, and enforcement.”  A separate office focused on clinical evidence and analysis is being considered, and it would comprise teams working on “clinical evidence policy, evidence synthesis and analysis, biostatistics, bioresearch compliance, and collaboration and outreach to clinical researchers outside of the FDA.”  With this kind of structure, it is clear that the FDA expects CDRH to adopt a “universal” view of and an integrated approach to medical device regulation, with the goal of eliminating regulatory silos.  The proposed reorganization should also enhance information sharing and analysis.

Establishing a Robust Medical Device Safety Net and Streamlining Implementation of Postmarket Mitigations

Another important theme of the Action Plan is to address some of the limitations of current postmarket surveillance tools (e.g., that Medical Device Reports (MDRs) rely on a clinician to recognize a problem and its relationship to the device rather than some other factor, or that there are few incentives for patients to participate in postmarket surveillance studies of a device).  To that end, the Action Plan seeks to position CDRH to have access to the vast and growing amount of available digital health data.  By focusing attention on developing a robust medical device safety net and the impact that will have on improving the timeliness and effectiveness of postmarket mitigations, the FDA is positioning itself squarely at the crossroads of Big Data and complex data analysis.  CDRH already has programs in place to track medical devices – the Global Unique Device Identification Database (GUDID) – and to understand and use real world evidence (RWE).  Unique device identifiers (UDIs) now appear on most medical device labels, and labelers are required to submit information about each medical device bearing a UDI to the FDA; this information is stored in the GUDID.  According to the FDA, UDIs provide a way to document device use (e.g., electronic health records and registries can include UDI information) so that there can be, among other things, “more accurate reporting, reviewing, and analyzing of adverse event reports” because “healthcare professionals and others [will be able] to more rapidly and precisely identify a device and obtain important information concerning the device’s characteristics.”  RWE (comprised of raw patient health information) typically originates from non-clinical research sources, such as health monitoring devices and claims and billing activities.  RWE can be aggregated and analyzed to assess and identify trends, though special attention must be paid to data quality and privacy issues.

According to the Action Plan, the FDA plans to use this data collection in two critical data evaluation programs:  The National Evaluation System for Health Technology (NEST) and CDRH’s Signal Management Program (SMP).  The SMP uses signals (defined by the FDA as “a new potentially causal association or a new aspect of a known association between a medical device and an adverse event or set of adverse events”) to connect postmarket surveillance with the premarket review process by informing the design and use of similar devices that are in the premarket review phase.  By integrating postmarket surveillance information into pre-market review, the FDA intends for similar devices seeking entry into the market to have already accounted for known safety risks.

It appears that the FDA will make NEST, a public-private partnership (or PPP), the central hub for data evaluation and management that, according to the FDA, will enable improved safety risk identification and postmarket mitigation activity and strategy.  NEST is intended to “facilitate detection of potential safety risks that would not otherwise have been identified as quickly, or at all, as well as facilitate more timely capture of potential safety signals.”  However, by the FDA’s own admission, NEST is currently underfunded; realizing its full potential in the way the FDA envisions remains an open and unaddressed issue.

A critical part of this robust patient safety net, according to the FDA, is attention to women’s health.  The FDA stated that, over the last several years, there have been “several significant medical device safety issues [involving] devices intended for women’s health uses.”  To that end, the Action Plan contemplates building out, for example, the Women’s Health Technologies Strategically Coordinated Registry Network (CRN) to improve its functionality and utility for providing the evidence needed to improve women’s medical device safety evaluation.

The Action Plan also contemplates the FDA using these data collection and analyses portals to improve postmarket mitigations (e.g., labeling or user training).  The FDA plans to examine its current statutory authority to determine whether it can develop a so-called “umbrella regulation” to enable quicker implementation of certain postmarket mitigations.  Because issues related to medical device safety may not be known until the device is used in a clinical setting or among a diverse population, the FDA frequently identifies necessary improvements for medical device safety after a medical device is on the market.  To implement postmarket mitigations, however, the FDA typically must engage in rulemaking, which is a lengthy process involving notice and comment.  Though the FDA is often able to work with manufacturers to voluntarily implement postmarket mitigations, the agency is clearly unhappy with having to resort to this option.  The “umbrella regulation” mentioned in the Action Plan is a way for the FDA to have a more rapid and direct response to postmarket safety incidents.

Facilitating Medical Device Innovation and Safety

As the FDA identifies postmarket mitigations necessary to improve medical safety, so too do manufacturers, on their own, modify and improve the safety of medical devices (e.g., by adding new features).  According to the FDA, however, this kind of innovation is not readily incentivized by the marketplace unless there is a known safety concern.  The FDA is concerned with the effect on the quality of medical devices on the market.  Within the bounds of the FDA’s statutory authority and to encourage innovation – as has been done, for example, with the Breakthrough Devices Program – the Action Plan mentions several things that the FDA intends to do to support and facilitate medical device innovation as it concerns safety.  Among the options the FDA will explore are encouraging greater collaboration between the FDA’s staff and medical device developers, developing a discrete program like the Breakthrough Devices Program, focusing regulatory science resources on safety innovation, and developing scientific toolkits for developers to use to integrate safety risk management into medical device design and development.

Medical Device Cybersecurity as a Patient Safety Issue

Finally, but importantly, medical devices are like every other connected device in today’s world:  They are not immune to the dangers posed by cyber threats.  As interconnectivity increases, so too does exposure to cyber risk, and the Action Plan recognizes this by including a focus on medical device cybersecurity as a patient safety issue.  During the pre-market review process, the FDA will consider requiring firms to embed cybersecurity capabilities (e.g., the capacity to patch a software vulnerability) into the design of the medical device.  Such an approach should emphasize for manufacturers that cybersecurity considerations cannot be an afterthought in medical device design.  Another way the FDA plans to emphasize its commitment to managing cybersecurity issues is by considering postmarket authority that would “require that firms adopt policies and procedures for coordinated disclosure of vulnerabilities as they are identified.”  Consistent with its use of PPPs in other data collection and analysis areas, the FDA is also considering developing a team of experts across several disciplines to be a resource for device makers and the FDA staff.  This CyberMed Safety (Expert) Analysis Board (CYMSAB) would, among other things, assess vulnerabilities, evaluate patient safety risks, consult with organizations, and be a rapid-response field team that investigates the circumstances surrounding a compromised medical device (at the manufacturer’s or the FDA’s request).

The Action Plan:  Looking Ahead

Though aspirational, the Action Plan implicates a number of legal issues, including the traditional (e.g., medical device marketing applications and postmarket surveillance, intellectual property protection) and the novel, emerging, and rapidly-evolving (e.g., cybersecurity threat and risk management, medical device software development, digital health data access, privacy, and protection).  In only a short five item list, the FDA presents a dense, ambitious plan to build on its existing resources and to shift its regulatory approach to one that considers the TPLC of a medical device and that continues to refine the patient benefit-risk framework currently in use.  Only time will tell if this Action Plan will meet the FDA’s quest to be more comprehensive and nimble.  Funding for existing programs and for the expansions contemplated by this Action Plan was not specifically addressed, but the FDA has indicated that it is ready to embrace fresh thinking in medical device regulation.

Venable’s team of attorneys is ready and able to help you plan for the multi- and inter-disciplinary issues presented by this Action Plan, and for the many changes it could introduce into the medical device regulatory space and for your business.  In addition, the FDA is accepting comments on the Medical Device Action Plan: Protecting Patients, Promoting Public Health, and our attorneys are prepared to assist with the drafting and submission of comments.