On 21 July the FDA released Draft Guidance for Industry and Food and Drug Administration Staff Mobile Medical Applications, a document that I think has great significance for the regulation of the EU eHealth and medical device markets, even if it is presently only a draft. If adopted by the FDA its importance will only increase. You can download a copy of the document with my annotations in it over here.
Important guidance for the EU too
I have read the document and the reasoning behind it can, as you will read in the following, almost for a 100% be transplanted to the EU medical devices regulatory environment and the document describes in a very detailed and practical way what is regulated as device (and what not) while giving lots of examples. This is a significant benefit for stakeholders in the EU (and in the US). Why is this document so significant for regulation of eHealth and medical devices markets in the EU?
Firstly, the EU regulatory environment, although software is regulated in very general terms, is way behind in terms of the sophistication and level of detail provided. While the different stakeholders and regulators are going back and forth to agree on possible guidance to be published after the publication of the ‘Swedish report‘ and whether this should be in a MEDDEV or guidance document, the industry and in particular the clinical institutions in the EU seem to have no clue about how apps, websites and software with diagnostic and/or therapeutic functionality are regulated and more often than not act like it is not regulated at all.
Secondly, because the reasoning of the FDA fits so well into the EU regulatory system, medical technology and software companies can rely on the same things being regulated as medical device. Of course, the clinical substantiation and the way devices are regulated differs significantly between the EU and the US, but knowing that the same things are regulated as device in the first place is already a big step forwards.
Scope of software regulated
The FDA proposes that the guidance is applicable to mobile medical applications or “mobile medical apps”, defined as
- “a software application that can be executed (run) on a mobile platform, or a web-based software application that is tailored to a mobile platform but is executed on a server”; and
- has an intended use within the scope of the concept of medical ‘device’ as regulated by the FDA; and
- are used as an accessory to a regulated medical device; or
- transform a mobile platform into a regulated medical device.
Although the wording “app” is misleading here because that seems to refer to software that is stored and run locally, it is quite clear that also web applications are covered by the definition.
Such regulation applications are:
- Mobile apps that are an extension of one or more medical device(s) by connecting to such device(s) for purposes of controlling the device(s) or displaying, storing, analyzing, or transmitting patient-specific medical device data
- Mobile apps that transform the mobile platform into a medical device by using attachments, display screens, or sensors or by including functionalities similar to those of currently regulated medical devices.
- Mobile apps that allow the user to input patient-specific information and – using formulae or processing algorithms – output a patient-specific result, diagnosis, or treatment recommendation to be used in clinical practice or to assist in making clinical decisions.
The FDA plans to address in a separate issuance mobile medical apps intended to analyze, process, or interpret medical device data (electronically collected or manually entered) from more than one medical device.
Excluded however are
- “mobile apps that are electronic “copies” of medical textbooks, teaching aids or reference materials, or are solely used to provide clinicians with training or reinforce training previously received. These types of apps do not contain any patient-specific information, but could show examples for a specific medical specialty.” In EU regulation terms, these devices quite clearly do no achieve a therapeutic or diagnostic effect “in or on the human body” as required by the definition of ‘medical device’ under the Medical Devices Directive (MDD);
- Mobile apps that are solely used to log, record, track, evaluate, or make decisions or suggestions related to developing or maintaining general health and wellness, provided that they are not intended for curing, treating, seeking treatment for mitigating, or diagnosing a specific disease, disorder, patient state, or any specific, identifiable health condition. This outcome would be largely similar under EU law as there is no intended therapeutic or diagnostic use except that the EU definition also covers “investigation […] of the anatomy or of a physiological process” which makes these apps borderline cases under EU law.
- Mobile apps that only automate general office operations with functionalities that include billing, inventory, appointments, or insurance transactions. These are also excluded under the EU MDD.
- Mobile apps that are generic aids that assist users but are not commercially marketed for a specific medical indication, such as recording audio, note-taking, replaying audio with amplification, and other similar functionalities. These are currently also excluded under the EU MDD.
- Mobile apps that perform the functionality of an electronic health record system or personal health record system. These are also excluded under the EU MDD.
A mobile medical device manufacturer may include anyone who initiates specifications, designs, labels, or creates a software system or application in whole or from multiple software components. Examples of mobile medical device manufacturers include any person or entity that:
- Creates, designs, develops, labels, re-labels, remanufactures, modifies, or creates a software system from multiple components;
- Provides mobile medical app functionality through a “web service” or “web support” for use on a mobile platform;
- Initiates specifications or requirements for mobile medical apps or procures product development/manufacturing services from other individuals or entities (second party) for subsequent commercial distribution;
- Creates a mobile medical app intended to be used on a mobile platform, or that manufactures a mobile app to be supported by hardware attachments to the mobile platform with a device intended use.
All of this fits perfectly in the definition of manufacturer under the MDD, defined as “the natural or legal person with responsibility for the design, manufacture, packaging and labelling of a device before it is placed on the market under his own name, regardless of whether these operations are carried out by that person himself or on his behalf by a third party.”
An important point is that the FDA urges manufacturers of applications that do not meet the definition of ‘device’ still apply a quality system to the design and development. A standard that would work for the EU is the EN 62304 standard on life cycle requirements for medical devices software harmonised under the MDD.
A very important final point in the draft guidance is that the FDA expects distributors of mobile medical apps who may or may not be a platform or service provider will cooperate with manufacturers in conducting corrections and removal actions and requires medical app manufacturers to make timely reports of corrections and removals made to reduce a health risk or remedy a violation of the FD&C Act that presents a health risk, and to keep records regarding other corrections and removals. In EU wording: the manufacturer must exercise control over its supply chain and be able to implement Field Safety Corrective Action through its supply chain, while the supply chain is expected to cooperate. This is a very important point, because in my experience manufacturers distributing apps via larger stores will have no control whatsoever over these stores, like the iTunes Store or the Android Market. They will have very limited options to implement field safety corrective action (in US wording: recall) in case of serious issues. If the FDA and the EU authorities are serious on safety in this respect, they should require design functionality that gives the manufacturer sufficient reach through to the user (e.g. by means of push messages to discontinue use or to upgrade the app to a new version), but also make it clear to the middle men that they have a duty to cooperate as they may be facilitating illegal / unsafe medical devices. In the EU that would mean that the store would for example lose its ‘only intermediary’ immunity under the e-Commerce directive.
A lot more can be said about the subject, like how to implement in practice all the consequences of a mobile app being regulated as medical device in practice but I will leave it at this for the moment. In any event this draft guidance should be welcomed on both sides of the Atlantic and the EU should use it to its advantage to take a much-needed and due step in the clarification of its regulation of software under the MDD.