FDA Regulatory Framework for Devices Applied to HIT

Work product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroup’s views

1

FDA REGULATORY FRAMEWORK FOR DEVICES APPLIED TO HIT

Bradley Merrill ThompsonEpstein Becker & Green

June 7, 2013 (updated June 11, 2013)


2

Roadmap

1. Exercise Overview

2. Health IT Use Case

3. FDA Device Regulatory Framework• Title 21 – Subchapter H of the CFR

4. Big Picture Assessment


3

Exercise Overview

• Identifying Health IT Use Cases – • Review the FDA’s current regulatory framework:• Discuss how well does the current regulatory framework

function to classify and regulate a Health IT• Fits/No Changes • Changes Needed/Unique Considerations• Doesn’t Fit


4

Health IT Use Cases

• Identify uses cases that help assess the suitability of the FDA regulatory approach• Consider

• mechanical ventilation weaning• A lower acuity use such as mobile health• One that presents interoperability issues• Perhaps PCA based on AAMI

work--http://ppahs.wordpress.com/2012/02/01/guest-post-yes-real-time-monitoring-would-have-saved-leah-2/


5

21 CFR Chapter 1

21 CFR Chapter 1: FDA, Subchapter H: Medical Devices Applies? Fits?

801 Labeling

803 Medical Device Reporting

806 Corrections and Removals

807 Registration and Listing (Part E Pre-Market Notification)

808 Exemption from Fed Preemption of State and Local Reqts

809 In Vitro Diagnostics (IVD) If accessory

810 Recall Authority

812 Investigational Device Exemption (IDE)

814 Premarket Approval (PMA) Small subset of HIT

820 Quality System

821 Medical Device Tracking N/A

822 Post Market Surveillance If required

860 Medical Device Classification

861 Procedures for Performance Standards Development

862-892 Specific Product Classifications

895 Banned Devices Low likelihood

898 Performance Std For Electrode Lead Wires And Patient Cables N/A


6

Part 801 - Labeling• General Purpose:

• Serves the purposes of: (i) identifying and describing legally responsible persons for a particular medical device; (ii) specifying the type of information and content that must be on a medical device label; and (iii) stating exemptions to labeling requirements.

• Breakdown: • Subpart A – General Labeling Provisions

• Identification of and minimum information regarding responsible persons

• Subpart C – Labeling Requirements for Over-the-Counter (OTC) Devices• Specific information, warning and quality requirements for OTC devices

• Subpart D – Exemptions from Adequate Directions for Use • Describes circumstances where directions for use do not need to be included

• Subpart E – Other Exemptions • Exemptions related to shipments and deliveries of devices

• Subpart H – Special Requirements for Specific Devices • Specific requirements and exemptions for enumerated devices

• How Does this Fit with Health IT?• Unique considerations for labeling that is incorporated in the software product.

Labeling changes may require product changes and have design controls impact.• Consider the impact of shared responsibility.


7

Subpart A – §801.1 – Labeling – Name and place of business• Regulatory Requirement:

• The label of a medical device must “conspicuously” specify both the name and place of business of the manufacturer, packer, or distributor of the device

• Purpose or Risk Mitigated:• Helps prevent ambiguity in determining who the responsible party

for the device is by specifying not only the manufacturer, but also others in the chain of control of the device (e.g. packer/distributor).

• How Does this Fit with Health IT?• Unique considerations for labeling that is incorporated in the

software product. Labeling changes may require product changes and have design controls impact.

• Who is responsible party as software is modified and morphs over time?


8

Subpart A – §801.4 – Labeling - Meaning of Intended Uses• Regulatory Requirement:

• The intended use of the devices is determined by the objective intent of the persons legally responsible for the device

• Purpose or Risk Mitigated:• Ensures that devices which are intended to be medical devices are regulated as

such, preventing both over regulation and under regulation.

• How Does this Fit with Health IT?• Unique considerations for labeling that is incorporated in the software product.

Labeling changes may require product changes and have design controls impact.• What about intended uses that evolve over time?• How does FDA cope with interoperable software where the whole system is not

defined at the time of market introduction?• How does the use of SDKs and APIs by 3rd parties impact a product’s intended

use? Does the 3rd party product impact the intended use?• How do claims of compatibility by one manufacturer impact the other product’s

intended use? What data is needed to support such claims? How are claims maintained as either product is updated?


9

Subpart A – §801.5 – Labeling – Adequate Directions for Use• Regulatory Requirement:

• The directions for us on the label must be understandable to a lay person and enable such person to use a device safely and for the purposes for which it is intended.

• Purpose or Risk Mitigated:• Prevent the risk of an end user misusing the device and injuring

themselves or others due to insufficient directions on the label

• How Does this Fit with Health IT?• Important to consider consumer use of Health IT products.• Unique considerations for labeling that is incorporated in the software

product. Labeling changes may require product changes and have design controls impact.

• How does FDA treat the need to constrain the possible uses of HIT components?

• How do you label for frequent changes to software and what about distributed software?


10

Subpart A – §801.6 – Labeling – Misleading Statements• Regulatory Requirement:

• A device is misbranded if the labeling contains a false or misleading representation with respect to another device, drug, food or cosmetic.

• Purpose or Risk Mitigated:• Prevent the risk of confusion amongst different devices and certain

other products due to a representation in the labeling.

• How Does this Fit with Health IT?• Unique considerations for labeling that is incorporated in the

software product. Labeling changes may require product changes and have design controls impact.


11

Subpart A – §801.15 – Labeling –Prominence of Required Label Statements• Regulatory Requirement:

• A label must have the prominence and conspicuousness required by section 502(c) of the Food, Drug and Cosmetic Act and must be in English*.

• Purpose or Risk Mitigated:• The purpose is to decrease the risk of harm to the user due to failure to see

and appreciate information on the label because of a lack of “visibility” of an element of the label or a foreign language issue.

• How Does this Fit with Health IT?• Unique considerations for labeling that is incorporated in the software

product. Labeling changes may require product changes and have design controls impact.

• What about the use of links and others means to highlight important information uniquely available for software?

• For physical products, there are detailed descriptions of where information should go and, in some instances, font or image size. What is the principle display for software or a website? What relevance does font size have when a user can zoom an image?*801.16 – Spanish language acceptable for products distributed solely in Puerto Rico


12

Subpart C – §801.60 to §801.63 – Labeling Requirements for Over-the-Counter Devices• Regulatory Requirement:

• Over-The-Counter(OTC) Devices must comply with specific requirements, including: (i) the most visible aspect of the label to the consumer (i.e. the principal display panel); (ii) the statement of identity including intended action and common name; (iii) declaration of quantity and (iv) warning statements for certain devices.

• Purpose or Risk Mitigated:• The purpose of specific disclosures and labeling requirements is to account for

the increased likelihood that a lay person will be using the device without obtaining prior instruction from a health care professional such as a physician.

• How Does this Fit with Health IT?• Important to consider consumer use of Health IT products.• What is the principal display panel, etc. when software is sold through an app

store?• Can FDA develop more guidance to address human factor issues for software?


13

Subpart D – §801.109 – Labeling – Exemptions for Adequate Directions for Use• Regulatory Requirement:

• Adequate directions are not required for certain devices that must be used only under the supervision of an adequately supervised practitioner, due to the likelihood of harm to a user, the complexity of the method of use and/or the collateral measures necessary for safe use.

• Purpose or Risk Mitigated:• The risk for certain devices is so great, or the issues so complex, that

adequate directions for use cannot be stated in a label. The risk is mitigated by ensuring that access is only available to such devices in conjunction with supervision by an appropriate practitioner.

• How Does this Fit with Health IT?• But what of the need for software transparency (e.g. explaining how the

algorithm works.)


14

Subpart D – §801.110 – Labeling – Retail Exemption for Prescription Devices• Regulatory Requirement:

• Prescription devices under §801.109 delivered by a licensed practitioner or pursuant to a prescription are exempt from the labeling requirements under Section 502(f)(1) of the Food, Drug and Cosmetic Act provided that such practitioner makes certain disclosures and provides certain direction for use.

• Purpose or Risk Mitigated:• The risk of harm to the end user is mitigated when a qualified

practitioner is in a position to provide additional instructive and cautionary information to the end user.

• How Does this Fit with Health IT?• Applicable/Fits. Need to consider how a software company

adequately controls for prescription use.


15

Subpart D – §801.116 – Labeling – Medical Devices Having Commonly Known Directions• Regulatory Requirement:

• Devices with common uses that are known to he ordinary individual do not need to list adequate directions for use.

• Purpose or Risk Mitigated:• The risk of harm to the end user is mitigated when the average

person expected to use the device will already be aware of the directions for use.

• How Does this Fit with Health IT?• Important to consider consumer use of Health IT products.• If a GUI is designed using guidance for an iOS or Windows system

is that considered “commonly known directions” relative to navigation of the program? Would the answer change for a use case where there was a high risk of patient injury if the navigations were not followed?


16

Subpart D – §801.122 – Labeling – Medical Devices for processing, repacking, or manufacturing• Regulatory Requirement:

• Devices meant to be processed, repacked or used in the manufacture of another drug or device are exempt from Section the labeling requirements under 502(f)(1) of the Food, Drug and Cosmetic Act if they employ a cautionary label.

• Purpose or Risk Mitigated:• Devices that meet this exemption are not intended to be used by a

user in their current state and thus there is a lower degree of risk associated with such products.

• How Does this Fit with Health IT?• Consider application to software modules.• What is software manufacturing, and in particular when can

partially complete software be sent to hospitals, etc. for completion


17

Subpart D – §801.125– Labeling – Medical devices for use in teaching, law enforcement, research, and analysis.• Regulatory Requirement:

• Devices meant to be used in instruction law enforcement, research, chemical analysis or physical testing are exempt from the labeling requirements under Section 502(f)(1) of the Food, Drug and Cosmetic Act so long as such activities do not involve clinical testing.

• Purpose or Risk Mitigated:• Devices that meet this exemption are not intended to be used by a

user for the purposes of clinical treatment and thus the risk of harm is mitigated.

• How Does this Fit with Health IT?• Applicable.


18

Part 803 – Medical Device Reporting

• General Purpose:• Governs required reports by medical device user facilities, manufacturers,

importers and distributors. Reports are required by multiple types parties in conjunction with various triggers.

• Breakdown: • Subpart A – General Provisions

• General summary of reporting requirements and procedural requirements for reports

• Subpart B – Generally Applicable Requirements For Individual Adverse Event Reports

• Subpart C – User Facility Reporting Requirements • Subpart D – Importer Reporting Requirements• Subpart E – Manufacturer Reporting Requirements


19

Subpart A – §§803.1 to .19 – Medical Device Reporting – General Provisions

• Regulatory Requirement:• This subpart provides a general overview of the procedures to be

followed when making reports related to medical device adverse events.

• Purpose or Risk Mitigated:• The purpose is to standardize information received from various

sources concerning adverse events and ensure that the information available is accurately collected.

• How Does this Fit with Health IT?• What about the special challenges of figuring out who has the

obligation when an AE occurs related to a network of devices?• How is root cause analysis performed in order to determine cause?

A network of devices may contain competitors. Who decides?


20

Subpart B – §§803.20 to .22 – Medical Device Reporting – Individual Adverse Event Reports• Regulatory Requirement:

• Details requirements and procedures for reports of individual adverse events for various entities including: (i) optional reports for individuals and health care professionals and (ii) mandatory reporting for user facilities, manufacturers and importers.

• Purpose or Risk Mitigated:• Purpose is to standardize the procedures and timing of reports for

all of the entities mentioned above

• How Does this Fit with Health IT?• Applicable/Fits. Need to consider which product within the system

the adverse event is filed against.


21

Subpart C – §§803.30 to .33 – Medical Device Reporting – User Facility Reporting Requirements

• Regulatory Requirement:• User facilities are required to report to the FDA upon discovery that

a device may have caused or contributed to the death of a patient. User facilities must also report to the manufacturer, or the FDA if the manufacturer is unknown, if a device may have caused a serious injury to a patient.

• Purpose or Risk Mitigated:• Purpose is to ensure that adverse events caused by medical

devices are reported by user facilities.

• How Does this Fit with Health IT?• Consider the complexities of not knowing which networked

device is responsible.• For a user facility comprised of multiple user facilities, some

perhaps mobile, which facility reports?


22

Subpart D – §§803.40 to .42 – Medical Device Reporting – Importer Reporting Requirements

• Regulatory Requirement:• Importers are required to report to the FDA upon receiving reports

or becoming aware of information that indicates that a device marketed by the importer may have caused or contributed to a death or serious injury. The importer must also submit reports of malfunctions to the manufacturer upon obtaining information indicating that a manufacturer’s device has malfunctioned.

• Purpose or Risk Mitigated:• Purpose is to ensure that one additional type of entity that may

have information on adverse events is required to make reports.

• How Does this Fit with Health IT?• Applicable/Fits. Need to consider software downloads.


23

Subpart E – §§803.50 to .58 – Medical Device Reporting – Manufacturer Reporting Requirements

• Regulatory Requirement:• Manufacturers are required to report to the FDA upon becoming aware of

information that indicates that a device marketed by the manufacturer may have caused or contributed to a death or serious injury. The manufacturer must also submit individual adverse event reports, conduct investigations of adverse events and report to the FDA when certain malfunctions occur.

• Purpose or Risk Mitigated:• Purpose is to ensure that manufacturers, which hold primary responsibility

for devices, are subject to stringent reporting requirements.

• How Does this Fit with Health IT?• Applicable/Fits. Need to consider which vendor is responsible for reporting

adverse events when unclear which product in ecosystem is the cause.• When products can be downloaded multiple times some installed, some not

installed or some deleted, how many products have been “manufactured”?


24

Part 806 – Medical Device Reporting – Reports of Corrections and Removals• General Purpose

• Requires device manufacturers and importers to submit a written report to FDA any voluntary corrections and removals of product from the market within 10 days that were initiated to reduce a risk to health posed by the device

• Purpose or Risk Mitigated• Provides a method for manufacturers and distributors to voluntary

take action to protect the public health from products that may present a risk of injury or that may be defective

• Breakdown• Subpart A – General Provisions• Subpart B – Reports and Records


25

Subpart B - §§806.10 Medical Device Reporting – Reports of Corrections and Removals • Regulatory Requirements

• Device manufacturers and importers are required to submit a written report to FDA within 10-working days of any correction or removal of a device initiated to reduce risk or health imposed by the device or to remedy a violation.

• Purpose or Risk Mitigated• Provides FDA the visibility of any safety issues that may arise with a

product as soon as possible.

• How does this fit with Health IT?• Need to consider practical challenges of recalling software that may

be integrated with various other Health IT systems. Which vendor is responsible for recall when product is part of a interconnected ecosystem of software and hardware products?

• Need to consider recall conducted through updates that may be installed by users.


26

Subpart B - §§806.20-30 Medical Device Reporting – Reports of Corrections and Removals • Regulatory Requirements

• If per the regulation, a manufacturer is not required to submit a report to FDA within the 10 working day period, the manufacturer shall keep a record of such a correction or removal with the required information mentioned in this Part.

• Purpose or Risk Mitigated• If FDA need to conduct an audit for a specified reason of the

manufacturer, this would provide easy access to such documentation.

• How does this fit with Health IT?• Need to consider updates, bug fixes and routine software support and

maintenance.• Does the manufacturer need to keep records of downloads or records

of each person or IP address that downloads the update?• What is software is web-based, does the manufacturer need to require

user registration?


27

Part 807 – Procedures for Device Establishments• General Purpose:

• All owners or operators of establishment that engaged in the manufacturer, preparation, assembly, processing of a device must register and submit lists of its devices in commercial distribution. This section also mandates submission of premarket notifications for certain devices.

• Purpose or Risk Mitigated: • This section is intended to increase disclosure of ownership interests in medical devices and

provide the public with information on manufacturers of medical devices.

• Breakdown: • Subpart A – General Provisions• Subpart B – Procedures for Device Establishments• Subpart C – Procedures for Foreign Device Establishments• Subpart D – Exemptions• Subpart E – Premarket Notification Procedures

• How Does this Fit with Health IT?• Applicable/Fits but need to consider virtual establishments where there is not one physical

location where software is being developed.• Is end user customization of the system manufacturing? Or is that just use? What is the line

between configuration and customization?


Subpart E – §§807.81 to .100 – Establishment Registration – Premarket Notification• Regulatory Requirement:

• Devices that are not required to obtain a premarket approval (PMA) must nevertheless make submissions to the FDA, unless exempt. Such submissions must contain information, including a 510k summary, which will allow the FDA to make a finding of substantial equivalence.

• Purpose or Risk Mitigated:• The purpose of this section is to provide an abbreviated procedure for a device not

subject to PMA to obtain approval but still provide the FDA with enough information to find that such a device is at least as safe and effective as a legally marketed device.

• How Does this Fit with Health IT?• Need to consider non-high risk Health IT functions for which there may not be a

predicate device.• How does a vendor draw the boundaries of an interoperable open system for

purposes of finding a predicate device? • How are open ended or evolving intended uses addressed in a 510k?• What data is needed to support claims of interoperability? Who needs to provide the

data?• When is a software update subject to new premarket notification?

28


29

Part 808 – Exemptions From Federal Preemption Of State And Local Medical Device Requirements• General Purpose:

• This part details the preemption of most state regulation of medical devices by the Food, Drug and Cosmetic Act. It also describes the procedures for the submission of applications for exemption from preemption and lists state and local exemptions that are not pre-empted

• Purpose or Risk Mitigated: • The Food, Drug and Cosmetic Act is intended to impose uniform regulation of

medical devices throughout the country. The stringent provisions regarding exemptions to preemption for state and local regulations are intended to ensure that the same general scheme is applicable to medical devices regardless of exemption and minimize the effect of state and local differences.

• Breakdown: • Subpart A – General Provisions• Subpart B – Exemption Procedures• Subpart C – Listing of Specific State and Local Exemptions

• How Does this Fit with Health IT?• Applicable/Fits.


30

Part 809 – In Vitro Diagnostic Products for Human Use• Regulatory Requirement:

• In vitro diagnostic (IVD) products are reagents, instruments, and systems that are intended for use in the diagnosis of disease or other conditions, including a determination of the state of health, in order to cure, mitigate, treat, or prevent disease. Such products are intended for use in the collection, preparation, and examination of specimens taken from the human body.

• Purpose or Risk Mitigated by Regulation:• Provides an overview of the IVD submission, manufacture, and

labeling process.

• How Does this Fit with Health IT?• Applicable to the extent software is considered an accessory but fit

is awkward for stand alone software.


31

Part 810 – Medical Device Recall Authority

• Regulatory Requirement:• If FDA finds that there is a reasonable probability that a medical device

could cause serious adverse health consequences or death, the agency may require the manufacturer to cease distribution of the device, instruct professionals to cease the use of the device and require the manufacturer to withdraw the product from the market.

• Purpose or Risk Mitigated by Regulation:• Provides a streamlined process to ensure that all impacted product that

could pose risk to patients are accounted for and removed from the market efficiently.

• How Does this Fit with Health IT?• Applicable. Need to consider what is sufficient for recall of

software? What if reports or results are generated by the software? Do they need to be recalled?


32

Part 812 – Investigational Device Exemptions

• Regulatory Requirement• An investigational device exemption (IDE) allows the investigational device to be

used in a clinical study in order to collect safety and effectiveness data. All clinical evaluations of investigational devices, unless exempt, must have an approved IDE before the study is initiated.

• Purpose or Risk Mitigated by Regulation:• Provides a streamlined process to submit an application for an IDE so that a

manufacturer can begin a clinical study in support of a submission.

• How Does this Fit with Health IT?• Need to consider traditional software testing and application of clinical

evaluations. • A common and considered good engineering practice is to deploy software in

pilot launches. The intent is not to determine if the verification or validation for the software is correct. Rather, the intent is to shake out any issues that cannot be found in a test environment. For example, network bandwidth or user volume. Is this an investigational use?


33

Part 814 – Premarket Approval of Medical Devices• Regulatory Requirement:

• Medical devices that require PMAs are Class III products and are considered high risk devices that pose a significant risk of illness or injury, or are devices that are found not substantially equivalent to Class I and II predicate through the 510(k) process. This part provides all requirements to submit a PMA which includes clinical required clinical data.

• Purpose or Risk Mitigated by Regulation:• Provides all requirements to industry to plan for a submission for a

Class III product.

• How Does this Fit with Health IT?• Applicable to small subset of Health IT products but would fit as

applicable.


34

Part 820 – Quality System Regulation• General Purpose:

• Device manufacturers are required to establish and follow set procedures and policies to help ensure that their products consistently meet set requirements, specifications and are safe and effective. The quality systems for FDA-regulated products (food, drugs, biologics, and devices) are known as current good manufacturing practices (CGMP’s).

• How does this fit with Health IT?• At high level, QSR is focused on traditional manufacturing and needs to consider application to

traditional software development.

• Most Relevant Sections• Subpart B: Management Controls• Subpart C: Design Controls• Subpart E: Purchasing Controls• Subpart J: Corrective and Preventive Action• Subpart M: Records

• Limited or No Application• 820.65; 820.70, 820.72, 820.75, 820.80, 820.86, 820.90, 820.130, 820.150

• AAMI published report on application of 5 QSR requirements to Health IT http://www.aami.org/publications/AAMINews/May2012/sw87.html

http://www.aami.org/publications/AAMINews/May2012/sw87.html

http://www.aami.org/publications/AAMINews/May2012/sw87.html


35

Continued Part 820 – Quality System Regulation• Breakdown:

• Subpart A – General Provision• An overview of the requirements to create a full quality system and the type of manufacturer

this provision applies to.

• Subpart B – Quality System Requirements• Specifies quality system requirements including how to structure the organization.

• Subpart C – Design Controls • Describes the step-by-step process manufactures must implement to develop a medical

device.

• Subpart D – Document Controls • Manufactures must develop methods to reviewed, approve and store documents adequately.

• Subpart E – Purchasing Power • Manufacturers must develop a process to ensure that their suppliers, contractors, and

consultants maintain quality requirements.

• Subpart F – Identification and Traceability • Manufactures must establish procedures to identify all production, distribution, and

installation of products and specifically for surgical implants that support or sustain life by using unit, lot or batch number.

• Subpart G – Production and Process Controls • Manufactures must control the production process to ensure device conforms to device

specifications.


36

Continued Part 820 – Quality System Regulation• Breakdown:

• Subpart H – Acceptance Activities • Manufacturers must establish procedures to ensure acceptable product or components are being

delivered using inspections, tests or other verification tests.

• Subpart I – Nonconforming Product• Manufacturers must establish procedure to control product that does not conform to specified

requirements.

• Subpart J – Corrective and Preventative Action• Manufacturers must establish procedures to investigate, capture, and resolve product or other

quality issues.

• Subpart K – Labeling and Packaging Control• Manufacturers must establish controlled procedures to develop, change and implement labeling.

• Subpart L – Handling, Storage, Distribution and Installation • Manufacturers must establish procedures to ensure product integrity during the handling, storage,

distribution and/or installation of product.

• Subpart M – Records• Manufacturers must establish procedures to maintain all documents related to Part 820.

• Subpart N – Servicing• Manufacturers must establish and maintain instructions and procedures to verify servicing meets

specified requirements and proper service reports be generated.

• Subpart O – Statistical Techniques• Manufacturers must establish and maintain procedures for identifying valid statistical techniques for

process and product characteristics.


37

Subpart B – 820 – Quality System Regulation – Quality System Requirements• Regulatory Requirement:

• Management with executive responsibility must establish and implement a quality policy which demonstrates the commitment to quality across all levels of the organization and provide an organizational structure that ensures devices are designed and produced according to this quality objective.

• Purpose or Risk Mitigated by Regulation:• Helps prevent faulty devices being generated and reduces the risk

of inconsistencies between two identical products.



38

Subpart C – 820 – Quality System Regulation – Design Controls• Regulatory Requirement:

• Device manufacturers are required to establish and maintain policies and procedures to follow a step by step process called design controls when developing or changing a medical device for class III or II products.

• Purpose or Risk Mitigated by Regulation:• Ensures that product is being developed according to a streamlined process and

appropriate checks and balances are occurring throughout the product development cycle so that product issues are captured earlier rather than after it has been developed.

• How Does this Fit with Health IT?• Critical in software development. Need to consider differences between

software development and traditional manufacturing and various software development techniques (e.g. Agile).

• The conundrum faced by research teams that want to transition HIT prototypes to commercial implementation. Must prototype software that was not developed under a Quality System be re-developed.

• Need to consider software modularization and re-use of software.


39

Subpart E – 820 – Quality System Regulation – Purchasing Controls• Regulatory Requirement:

• Device manufacturers are required to establish and maintain policies and procedures that ensure suppliers, contractors, and consultants maintain quality requirements. to follow a step by step process called design controls when developing or changing a medical device for class III or II products.

• Purpose or Risk Mitigated by Regulation:• Ensures that incoming products and components meet quality

standards and that the manufacturers have adequate control over the manufacturing process of a given device/component.

• How Does this Fit with Health IT?• Need to consider design transfer. Physical manufacturing

requirements do not fit.


40

Subpart J – 820 – Quality System Regulation – Corrective and Preventative Action • Regulatory Requirement:

• Each manufacturer must establish procedures to implement corrective and preventative actions to investigate, capture, and resolve product or other quality issues.

• Purpose or Risk Mitigated by Regulation:• Helps capture product or quality issues quickly, creates a streamlined process

to detect such issues and ensures a preventative plan is in place for the future.

• How Does this Fit with Health IT?• Applicable/Fits.• Further, while not a regulatory requirement on HIT, HIT obviously can play a

role in the facilitating CAPAs on other devices.• How is CAPA handled in a ecosystem of Health IT products where issue may

be result of combination of multiple products or unique configurations? Which vendor is responsible?


41

Subpart M – 820 – Quality System Regulation – Records• Regulatory Requirement:

• All records that may result from Part 820 must be maintained at the manufacturing establishment or other location that can be accessible by the manufacturer and to FDA. These documents should be readily available for review and copying by the FDA and should be retained for the period of time equivalent to the design and expected life of the product.

• Purpose or Risk Mitigated by Regulation:• Assists FDA during their audits and reviews to determine whether the

manufacturing facility and company is operating under an adequate quality system and complies with Part 820.

• How Does this Fit with Health IT?• Consider changes to reflect software development methods.• Where is the design history file held for a product that could be designed

and developed in a virtual space with multiple project team modules located around the globe working on the same project?


42

Part 821 – Medical Device Tracking Requirements• Regulatory Requirement:

• The agency requires certain categories of manufacturers to track their medical devices from manufacture through distribution

• Purpose or Risk Mitigated by Regulation:• The purpose of device tracking is to allow certain manufacturers to

promptly locate devices in commercial distribution

• How Does this Fit with Health IT?• Not applicable.


43

Part 822 – Postmarket Surveillance

• Regulatory Requirement• Manufacturers may be required to implement postmarket surveillance

plans to monitor the safety and effectiveness of products on a continuous basis.

• Purpose or Risk Mitigated by Regulation:• This data provides a larger sample size of uses of a given device and can

reveal unforeseen adverse events, the actual rate of anticipated adverse events, or other information necessary to protect the public health.

• How Does this Fit with Health IT?• Unlikely to be applicable because it is reserved for very high risk devices

but would fit.• Further, while not a regulatory requirement on HIT, HIT obviously can play

a role in the post market surveillance of other devices


44

Part 860– Medical Device Classification

• Regulatory Requirement:• Establishes the criteria and procedures used determining class of

regulatory control (class I, class II, or class III) appropriate for particular devices

• Purpose or Risk Mitigated by Regulation:• To ensure consistent application and risk-based classification of

medical devices.

• How Does this Fit with Health IT?• Applicable/Fit.


45

Part 861 – Procedures for Performance Standards Development

• Regulatory Requirement• States FDA’s authority to develop special controls for certain medical

devices and outlines the content of such guideline .

• Purpose or Risk Mitigated by Regulation:• To ensure safety and effectiveness of certain moderate or high risk

medical devices.



46

Parts 862-892 Specific Product Classifications

• Regulatory Requirement• Provides a description of various functionality and serves as product classification

for the applicable medical device

• Purpose or Risk Mitigated• The product classification identifies which Class, I, II or III the medical device falls

into and determines what regulatory requirements apply.

• How Does this Fit with Health IT?• Applicable/Fits. Need to consider additional classifications.

862Clinical Chemistry & Clinical Toxicology

864 Hematology & Pathology866 Immunology & Microbiology868 Anesthesiology870 Cardiovascular872 Dental874 Ear Nose & Throat876 Gastroenterology-Urology

878 General and Plastic Surgey880 General Hospital & Personal Use882 Neurological884 OB/GYN886 Ophthalmic888 Orthopedic890 Physical Medicine892 Radiology


47

Part 895 – Banned Devices • Regulatory Requirement

• The Commissioner may initiate a proceeding to designate a device a banned device if the Commissioner finds, on the basis of all available data, which a manufacturer may be required to provide, that the device presents substantial deception or an unreasonable and substantial risk of illness or injury that the Commissioner determines cannot be, or has not been, corrected or eliminated by labeling or by a change in labeling, or by a change in advertising if the device is a restricted device.

• Purpose or Risk Mitigated by Regulation:• The ability to remove product completely from the market that may

pose significant risk to human life quickly.

• How Does this Fit with Health IT?• Unlikely to be applicable but would fit.


48

Part 898 – Performance Standard for Electrode Lead Wires and Patient Cables

• Regulatory Requirement• Wires and cables that connect to a patient must meet certain

performance standards.

• Purpose or Risk Mitigated by Regulation:• Ensure patient safety in use of wires that connect to the patient.

• How Does this Fit with Health IT?• Not applicable.


49

Big Picture• Are there any risks this does not include?

• Are there any risks associated with Health IT that are not adequately addressed by these FDA requirements?

• In the aggregate, are the requirements too much?

• Is there a better way to regulate these risks?

Documents

FDA Regulatory Framework for Devices Applied to HIT