The Evolution of the FDA's Device Approval Process: What You Need to Know - The HSB Blog 7/12/21
Innovators relying on the ease of the FDA’s streamlined 510(k) device approval process need to be aware of potential changes, as well as what the ongoing threat of cyber security incidents could impose on both premarket and post-market security management for those devices.
More than 90% of medical devices enter the market via the FDA’s less intensive 510(k) pathway, which has caused adverse events to be missed or led to product recalls.
While the FDA’s requirement for substantial equivalence to “predicate devices” can lead to more rapid approval, some believe it can also lead to “device creep” and comparison to outdated and unsafe predicate devices.
The FDA recently introduced the Safety and Performance Based Pathway to modernize and streamline premarket device testing. Device manufacturers and innovators should monitor how this evolves, as it will have important implications for device approvals.
While devices approved via the 510(k) process make up the majority of recalls, devices approved via the PMA process pose approximately a 3x greater risk to public safety (JAMA Network Open).
The FDA has a three-tier process for the approval of medical devices “based on their risks and the regulatory controls necessary to provide a reasonable assurance of safety and effectiveness”. Class I devices are considered minimal risk, while Class III devices are considered to pose the highest risk for the patient. Under FDA regulations there are three major processes for applying for and receiving FDA approval for medical devices: 1) pre-market approval (PMA), 2) pre-market notification, more commonly known as the 510(k) process, and 3) the humanitarian device exemption (HDE).
Following several high-profile recalls of medical devices that had been approved through the 510(k) pathway, in 2011 the Institute of Medicine (IOM) “recommended the FDA replace the pathway after concluding it was inadequate to ensure device safety and effectiveness to promote technological innovation.” As a result of this and other criticism, in 2019 the FDA introduced the Safety and Performance Based Pathway to modernize and streamline premarket device review and evaluation. Innovators therefore need to be aware of which products might qualify for approval via the existing 510(k) pathway as well as impending changes to the FDA’s device approval regimen. In addition, given the increasing use of networked devices in clinical settings and the ongoing threat of cyber security incidents, medical device manufacturers need to ensure that they are meeting FDA standards for cyber security controls.
Under the Federal Food, Drug, and Cosmetic Act, a medical device is defined as:
"an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part or accessory which is: recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them,
intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals, or
intended to affect the structure or any function of the body of man or other animals, and which does not achieve its primary intended purposes through chemical action within or on the body of man or other animals and which is not dependent upon being metabolized for the achievement of any of its primary intended purposes."
In order for these devices to be publicly used in the United States, they must be approved by the Food and Drug Administration. As noted earlier, there are three main approval processes used by the FDA to approve medical devices.
First is the Pre-market Approval process, or PMA. Given that Class III devices “are those that support or sustain human life, are of substantial importance in preventing impairment of human health, or which present a potential, unreasonable risk of illness or injury”, they are required to receive PMA approval. As noted by the FDA, the PMA must contain “scientific, regulatory documentation to the FDA to demonstrate the safety and effectiveness of the Class III device”, including clinical trial data that demonstrate that the product’s benefits outweigh the risks associated with its usage. In addition, the data must show that the device will successfully help a majority of its intended population, and applicants must prove that their device’s data is independent of any other data reported by another device. According to an article published in the Journal of the American College of Cardiology, medical device approval via the PMA pathway can take anywhere from three to seven years.
The second approval process is the 510(k) process, which accounts for about 90% of new device approvals. As noted in “Modernizing The FDA’s 510(k) Pathway”, in order for a device to receive 510(k) approval, the FDA “requires manufacturers to demonstrate that devices are ‘substantially equivalent’ in intended use and technological characteristics (with allowable exceptions) to currently legally marketed (‘predicate’) devices.” A predicate device is one that is identical or similar to a device that is already legally approved and marketed in the United States for use. An applicant must prove that their device is substantially equivalent by meeting two requirements. First, the intended use of the new device must be the same as that of the predicate device. Second, for a device to be substantially equivalent to a predicate device, it must also display similar technological functions. If, after review, a device is not determined to be substantially equivalent to the predicate device, then it is classified as Class III, requiring PMA approval. According to data from a 2017 study from Emergo, the average time from FDA submission to clearance under the 510(k) pathway is approximately six months.
A number of high-profile incidents that led to recalls of devices approved via the 510(k) process, including highly publicized recalls of metal-on-metal hips, pacemakers and implantable cardioverter-defibrillators (ICDs), as well as angioplasty devices, have exposed weaknesses in the 510(k) process. This has raised questions and concerns about safety and efficacy. A recent study in JAMA noted that given the large majority of medical devices to reach the market do so via 510(k) clearance. Interestingly, although recalls of 510(k) approved devices make up the majority of recalls, new devices approved via the PMA process pose approximately a 3x greater risk of recall that would threaten patient safety, only partially reflecting the fact these are higher risk devices.
As a result of publicity around device recalls and these safety concerns, in February of 2019 the FDA announced the Safety and Performance Based Pathway to aid in modernizing the 510(k) premarket process by no longer comparing new devices to predicate devices. The goal is to potentially avoid oversights that arise from assuming device stability and reliability on the basis of predicate devices’ data. The Safety and Performance Based Pathway would instead call for new applicants to compare the performance of moderate-risk medical devices to FDA-identified criteria. These criteria would also include agency-recognized standards that are objective, transparent and validated. The goal of this modernized process is to yield safer and well-developed medical devices.
Along with the PMA and 510(k) processes, the FDA also has a third approval process called the Humanitarian Device Exemption (HDE). The HDE is a regulatory pathway typically used for rare diseases. This process is used under special and emergency circumstances whereby there are no other Humanitarian Use Devices available to treat or aid in illnesses.
In addition to the issues in the approval process, given the increased connectivity of medical devices as well as incidents of ransomware, the FDA is becoming increasingly stringent on the cybersecurity controls in medical devices. While this is particularly important for innovators in terms of premarket submissions, manufacturers must also pay attention to post-market surveillance.
As noted in “Cybersecurity-Related Regulatory Considerations for Medical Devices”, the FDA expects manufacturers to develop and maintain a set of controls around several general areas to protect the device from cyber attacks. For premarket controls, these include: 1) making extensive use of encryption to keep data private, 2) using digital signatures to verify authenticity of devices, data, and instructions, 3) designing devices to anticipate regular/routine cybersecurity patches, 4) adopting the use of strong user authentication tools, and 5) ensuring devices alert users when any cybersecurity breach occurs. With respect to device surveillance post-market, the FDA recommends: 1) understanding, assessing, and monitoring assets, threats, and vulnerabilities, 2) maintaining a process for software lifecycle management including ongoing updating and patching, 3) deploying threat modeling techniques to assess the impact of threats and vulnerabilities on device functionality and end users/patients, and 4) having and participating in a coordinated vulnerability disclosure policy.
Given the increasing pace of innovation as well as ongoing exposure to cyber threats, startups should anticipate additional actions on the part of regulators and increasing vigilance in terms of both approval and cybersecurity. Product developers should do their best to anticipate the needs of the FDA and prepare the documents accordingly by staying abreast of industry standards and guidance published by the FDA and industry bodies. First and foremost, startups must make sure they understand the appropriate regulations and which regulations apply to their product, and be prepared to supply regulators with the required data in support of their product. Given the current focus on the shortcomings of the 510(k) process, including the risk of “device creep” and undue reliance upon the use of outdated predicate devices, device manufacturers must ensure they are not overly reliant on the 510(k) process and be prepared for the possibility that they may have to pursue the PMA process. In addition, there are approximately 10-15 medical devices per hospital bed, and an increasing number of devices are being deployed in hospital-at-home configurations. As a result, medical device network security and remote monitoring security will be paramount. Moreover, developers must be aware of risks that reliance upon outside parties could pose to security. For example, developers who incorporate the use of “off-the-shelf software” are responsible for maintaining security of that software, not the vendor of the off-the-shelf software. Similarly, medical device manufacturers that incorporate the use of cloud services into their products should understand how and where their data will be stored (e.g., domestically or overseas), what data security and privacy regulations that may expose them to, and what the security obligations of their agreement with the cloud vendor are.
In addition, innovators must realize that they need to incorporate a lifecycle management approach for their devices to ensure they “demonstrate a commitment to implementing cybersecurity best practices both before and after their devices are on the market.”