FDA Regulatory Framework for Devices Applied to HIT

FDA Regulatory Framework for Devices Applied to HITBradley Merrill ThompsonEpstein Becker & GreenJune 7, 2013 (updated June 11, 2013)

1Work product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroups viewsRoadmapExercise Overview Health IT Use Case FDA Device Regulatory FrameworkTitle 21 Subchapter H of the CFRBig Picture Assessment2Work product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroups viewsExercise OverviewIdentifying Health IT Use Cases Review the FDAs current regulatory framework:Discuss how well does the current regulatory framework function to classify and regulate a Health ITFits/No Changes Changes Needed/Unique ConsiderationsDoesnt Fit3

Work product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroups viewsHealth IT Use CasesIdentify uses cases that help assess the suitability of the FDA regulatory approachConsider mechanical ventilation weaningA lower acuity use such as mobile healthOne that presents interoperability issuesPerhaps PCA based on AAMI work--http://ppahs.wordpress.com/2012/02/01/guest-post-yes-real-time-monitoring-would-have-saved-leah-2/

4Work product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroups views21 CFR Chapter 1521 CFR Chapter 1: FDA, Subchapter H: Medical DevicesApplies?Fits?801 Labeling 803 Medical Device Reporting 806 Corrections and Removals 807 Registration and Listing (Part E Pre-Market Notification) 808 Exemption from Fed Preemption of State and Local Reqts 809 In Vitro Diagnostics (IVD) If accessory810 Recall Authority 812 Investigational Device Exemption (IDE) 814 Premarket Approval (PMA)Small subset of HIT 820 Quality System 821 Medical Device TrackingN/A822 Post Market SurveillanceIf required 860 Medical Device Classification 861 Procedures for Performance Standards Development 862-892 Specific Product Classifications 895 Banned DevicesLow likelihood898 Performance Std For Electrode Lead Wires And Patient CablesN/AWork product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroups viewsPart 801 - LabelingGeneral Purpose:Serves the purposes of: (i) identifying and describing legally responsible persons for a particular medical device; (ii) specifying the type of information and content that must be on a medical device label; and (iii) stating exemptions to labeling requirements. Breakdown: Subpart A General Labeling ProvisionsIdentification of and minimum information regarding responsible personsSubpart C Labeling Requirements for Over-the-Counter (OTC) DevicesSpecific information, warning and quality requirements for OTC devicesSubpart D Exemptions from Adequate Directions for Use Describes circumstances where directions for use do not need to be includedSubpart E Other Exemptions Exemptions related to shipments and deliveries of devices Subpart H Special Requirements for Specific Devices Specific requirements and exemptions for enumerated devicesHow Does this Fit with Health IT?Unique considerations for labeling that is incorporated in the software product. Labeling changes may require product changes and have design controls impact.Consider the impact of shared responsibility.

6Work product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroups viewsSubpart A 801.1 Labeling Name and place of businessRegulatory Requirement:The label of a medical device must conspicuously specify both the name and place of business of the manufacturer, packer, or distributor of the devicePurpose or Risk Mitigated:Helps prevent ambiguity in determining who the responsible party for the device is by specifying not only the manufacturer, but also others in the chain of control of the device (e.g. packer/distributor). How Does this Fit with Health IT?Unique considerations for labeling that is incorporated in the software product. Labeling changes may require product changes and have design controls impact.Who is responsible party as software is modified and morphs over time?

7Work product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroups viewsSubpart A 801.4 Labeling - Meaning of Intended UsesRegulatory Requirement:The intended use of the devices is determined by the objective intent of the persons legally responsible for the devicePurpose or Risk Mitigated:Ensures that devices which are intended to be medical devices are regulated as such, preventing both over regulation and under regulation.How Does this Fit with Health IT?Unique considerations for labeling that is incorporated in the software product. Labeling changes may require product changes and have design controls impact.What about intended uses that evolve over time?How does FDA cope with interoperable software where the whole system is not defined at the time of market introduction?How does the use of SDKs and APIs by 3rd parties impact a products intended use? Does the 3rd party product impact the intended use?How do claims of compatibility by one manufacturer impact the other products intended use? What data is needed to support such claims? How are claims maintained as either product is updated?

8Work product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroups viewsSubpart A 801.5 Labeling Adequate Directions for UseRegulatory Requirement:The directions for us on the label must be understandable to a lay person and enable such person to use a device safely and for the purposes for which it is intended. Purpose or Risk Mitigated:Prevent the risk of an end user misusing the device and injuring themselves or others due to insufficient directions on the labelHow Does this Fit with Health IT?Important to consider consumer use of Health IT products.Unique considerations for labeling that is incorporated in the software product. Labeling changes may require product changes and have design controls impact.How does FDA treat the need to constrain the possible uses of HIT components?How do you label for frequent changes to software and what about distributed software?

9Work product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroups viewsSubpart A 801.6 Labeling Misleading StatementsRegulatory Requirement:A device is misbranded if the labeling contains a false or misleading representation with respect to another device, drug, food or cosmetic. Purpose or Risk Mitigated:Prevent the risk of confusion amongst different devices and certain other products due to a representation in the labeling. How Does this Fit with Health IT?Unique considerations for labeling that is incorporated in the software product. Labeling changes may require product changes and have design controls impact.

10Work product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroups viewsSubpart A 801.15 Labeling Prominence of Required Label StatementsRegulatory Requirement:A label must have the prominence and conspicuousness required by section 502(c) of the Food, Drug and Cosmetic Act and must be in English*. Purpose or Risk Mitigated:The purpose is to decrease the risk of harm to the user due to failure to see and appreciate information on the label because of a lack of visibility of an element of the label or a foreign language issue. How Does this Fit with Health IT?Unique considerations for labeling that is incorporated in the software product. Labeling changes may require product changes and have design controls impact.What about the use of links and others means to highlight important information uniquely available for software?For physical products, there are detailed descriptions of where information should go and, in some instances, font or image size. What is the principle display for software or a website? What relevance does font size have when a user can zoom an image?

11*801.16 Spanish language acceptable for products distributed solely in Puerto RicoWork product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroups viewsSubpart C 801.60 to 801.63 Labeling Requirements for Over-the-Counter DevicesRegulatory Requirement:Over-The-Counter(OTC) Devices must comply with specific requirements, including: (i) the most visible aspect of the label to the consumer (i.e. the principal display panel); (ii) the statement of identity including intended action and common name; (iii) declaration of quantity and (iv) warning statements for certain devices. Purpose or Risk Mitigated:The purpose of specific disclosures and labeling requirements is to account for the increased likelihood that a lay person will be using the device without obtaining prior instruction from a health care professional such as a physician. How Does this Fit with Health IT?Important to consider consumer use of Health IT products.What is the principal display panel, etc. when software is sold through an app store?Can FDA develop more guidance to address human factor issues for software?

12Work product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroups viewsSubpart D 801.109 Labeling Exemptions for Adequate Directions for UseRegulatory Requirement:Adequate directions are not required for certain devices that must be used only under the supervision of an adequately supervised practitioner, due to the likelihood of harm to a user, the complexity of the method of use and/or the collateral measures necessary for safe use. Purpose or Risk Mitigated:The risk for certain devices is so great, or the issues so complex, that adequate directions for use cannot be stated in a label. The risk is mitigated by ensuring that access is only available to such devices in conjunction with supervision by an appropriate practitioner.How Does this Fit with Health IT?But what of the need for software transparency (e.g. explaining how the algorithm works.) 13Work product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroups viewsSubpart D 801.110 Labeling Retail Exemption for Prescription DevicesRegulatory Requirement:Prescription devices under 801.109 delivered by a licensed practitioner or pursuant to a prescription are exempt from the labeling requirements under Section 502(f)(1) of the Food, Drug and Cosmetic Act provided that such practitioner makes certain disclosures and provides certain direction for use. Purpose or Risk Mitigated:The risk of harm to the end user is mitigated when a qualified practitioner is in a position to provide additional instructive and cautionary information to the end user. How Does this Fit with Health IT?Applicable/Fits. Need to consider how a software company adequately controls for prescription use. 14Work product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroups viewsSubpart D 801.116 Labeling Medical Devices Having Commonly Known DirectionsRegulatory Requirement:Devices with common uses that are known to he ordinary individual do not need to list adequate directions for use. Purpose or Risk Mitigated:The risk of harm to the end user is mitigated when the average person expected to use the device will already be aware of the directions for use. How Does this Fit with Health IT?Important to consider consumer use of Health IT products.If a GUI is designed using guidance for an iOS or Windows system is that considered commonly known directions relative to navigation of the program? Would the answer change for a use case where there was a high risk of patient injury if the navigations were not followed?

15Work product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroups viewsSubpart D 801.122 Labeling Medical Devices for processing, repacking, or manufacturingRegulatory Requirement:Devices meant to be processed, repacked or used in the manufacture of another drug or device are exempt from Section the labeling requirements under 502(f)(1) of the Food, Drug and Cosmetic Act if they employ a cautionary label. Purpose or Risk Mitigated:Devices that meet this exemption are not intended to be used by a user in their current state and thus there is a lower degree of risk associated with such products. How Does this Fit with Health IT?Consider application to software modules.What is software manufacturing, and in particular when can partially complete software be sent to hospitals, etc. for completion

16Work product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroups viewsSubpart D 801.125 Labeling Medical devices for use in teaching, law enforcement, research, and analysis.Regulatory Requirement:Devices meant to be used in instruction law enforcement, research, chemical analysis or physical testing are exempt from the labeling requirements under Section 502(f)(1) of the Food, Drug and Cosmetic Act so long as such activities do not involve clinical testing. Purpose or Risk Mitigated:Devices that meet this exemption are not intended to be used by a user for the purposes of clinical treatment and thus the risk of harm is mitigated. How Does this Fit with Health IT?Applicable.

17Work product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroups viewsPart 803 Medical Device Reporting General Purpose:Governs required reports by medical device user facilities, manufacturers, importers and distributors. Reports are required by multiple types parties in conjunction with various triggers.Breakdown: Subpart A General ProvisionsGeneral summary of reporting requirements and procedural requirements for reports Subpart B Generally Applicable Requirements For Individual Adverse Event ReportsSubpart C User Facility Reporting Requirements Subpart D Importer Reporting RequirementsSubpart E Manufacturer Reporting Requirements 18Work product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroups viewsSubpart A 803.1 to .19 Medical Device Reporting General Provisions Regulatory Requirement:This subpart provides a general overview of the procedures to be followed when making reports related to medical device adverse events. Purpose or Risk Mitigated:The purpose is to standardize information received from various sources concerning adverse events and ensure that the information available is accurately collected. How Does this Fit with Health IT?What about the special challenges of figuring out who has the obligation when an AE occurs related to a network of devices?How is root cause analysis performed in order to determine cause? A network of devices may contain competitors. Who decides?19Work product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroups viewsSubpart B 803.20 to .22 Medical Device Reporting Individual Adverse Event ReportsRegulatory Requirement:Details requirements and procedures for reports of individual adverse events for various entities including: (i) optional reports for individuals and health care professionals and (ii) mandatory reporting for user facilities, manufacturers and importers.Purpose or Risk Mitigated:Purpose is to standardize the procedures and timing of reports for all of the entities mentioned aboveHow Does this Fit with Health IT?Applicable/Fits. Need to consider which product within the system the adverse event is filed against.

20Work product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroups viewsSubpart C 803.30 to .33 Medical Device Reporting User Facility Reporting RequirementsRegulatory Requirement:User facilities are required to report to the FDA upon discovery that a device may have caused or contributed to the death of a patient. User facilities must also report to the manufacturer, or the FDA if the manufacturer is unknown, if a device may have caused a serious injury to a patient. Purpose or Risk Mitigated:Purpose is to ensure that adverse events caused by medical devices are reported by user facilities. How Does this Fit with Health IT?Consider the complexities of not knowing which networked device is responsible.For a user facility comprised of multiple user facilities, some perhaps mobile, which facility reports?

21Work product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroups viewsSubpart D 803.40 to .42 Medical Device Reporting Importer Reporting RequirementsRegulatory Requirement:Importers are required to report to the FDA upon receiving reports or becoming aware of information that indicates that a device marketed by the importer may have caused or contributed to a death or serious injury. The importer must also submit reports of malfunctions to the manufacturer upon obtaining information indicating that a manufacturers device has malfunctioned. Purpose or Risk Mitigated:Purpose is to ensure that one additional type of entity that may have information on adverse events is required to make reports. How Does this Fit with Health IT?Applicable/Fits. Need to consider software downloads.

22Work product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroups viewsSubpart E 803.50 to .58 Medical Device Reporting Manufacturer Reporting RequirementsRegulatory Requirement:Manufacturers are required to report to the FDA upon becoming aware of information that indicates that a device marketed by the manufacturer may have caused or contributed to a death or serious injury. The manufacturer must also submit individual adverse event reports, conduct investigations of adverse events and report to the FDA when certain malfunctions occur. Purpose or Risk Mitigated:Purpose is to ensure that manufacturers, which hold primary responsibility for devices, are subject to stringent reporting requirements. How Does this Fit with Health IT?Applicable/Fits. Need to consider which vendor is responsible for reporting adverse events when unclear which product in ecosystem is the cause.When products can be downloaded multiple times some installed, some not installed or some deleted, how many products have been manufactured?

23Work product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroups viewsPart 806 Medical Device Reporting Reports of Corrections and RemovalsGeneral PurposeRequires device manufacturers and importers to submit a written report to FDA any voluntary corrections and removals of product from the market within 10 days that were initiated to reduce a risk to health posed by the device Purpose or Risk MitigatedProvides a method for manufacturers and distributors to voluntary take action to protect the public health from products that may present a risk of injury or that may be defectiveBreakdownSubpart A General ProvisionsSubpart B Reports and Records

24Work product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroups viewsSubpart B - 806.10 Medical Device Reporting Reports of Corrections and Removals Regulatory RequirementsDevice manufacturers and importers are required to submit a written report to FDA within 10-working days of any correction or removal of a device initiated to reduce risk or health imposed by the device or to remedy a violation.Purpose or Risk MitigatedProvides FDA the visibility of any safety issues that may arise with a product as soon as possible.How does this fit with Health IT?Need to consider practical challenges of recalling software that may be integrated with various other Health IT systems. Which vendor is responsible for recall when product is part of a interconnected ecosystem of software and hardware products?Need to consider recall conducted through updates that may be installed by users.

25Work product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroups viewsSubpart B - 806.20-30 Medical Device Reporting Reports of Corrections and Removals Regulatory RequirementsIf per the regulation, a manufacturer is not required to submit a report to FDA within the 10 working day period, the manufacturer shall keep a record of such a correction or removal with the required information mentioned in this Part. Purpose or Risk MitigatedIf FDA need to conduct an audit for a specified reason of the manufacturer, this would provide easy access to such documentation. How does this fit with Health IT?Need to consider updates, bug fixes and routine software support and maintenance.Does the manufacturer need to keep records of downloads or records of each person or IP address that downloads the update?What is software is web-based, does the manufacturer need to require user registration?

26Work product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroups viewsPart 807 Procedures for Device EstablishmentsGeneral Purpose:All owners or operators of establishment that engaged in the manufacturer, preparation, assembly, processing of a device must register and submit lists of its devices in commercial distribution. This section also mandates submission of premarket notifications for certain devices. Purpose or Risk Mitigated: This section is intended to increase disclosure of ownership interests in medical devices and provide the public with information on manufacturers of medical devices. Breakdown: Subpart A General ProvisionsSubpart B Procedures for Device EstablishmentsSubpart C Procedures for Foreign Device EstablishmentsSubpart D ExemptionsSubpart E Premarket Notification ProceduresHow Does this Fit with Health IT?Applicable/Fits but need to consider virtual establishments where there is not one physical location where software is being developed.Is end user customization of the system manufacturing? Or is that just use? What is the line between configuration and customization?27Work product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroups viewsSubpart E 807.81 to .100 Establishment Registration Premarket NotificationRegulatory Requirement: Devices that are not required to obtain a premarket approval (PMA) must nevertheless make submissions to the FDA, unless exempt. Such submissions must contain information, including a 510k summary, which will allow the FDA to make a finding of substantial equivalence. Purpose or Risk Mitigated:The purpose of this section is to provide an abbreviated procedure for a device not subject to PMA to obtain approval but still provide the FDA with enough information to find that such a device is at least as safe and effective as a legally marketed device. How Does this Fit with Health IT?Need to consider non-high risk Health IT functions for which there may not be a predicate device.How does a vendor draw the boundaries of an interoperable open system for purposes of finding a predicate device? How are open ended or evolving intended uses addressed in a 510k?What data is needed to support claims of interoperability? Who needs to provide the data?When is a software update subject to new premarket notification?

28Work product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroups viewsPart 808 Exemptions From Federal Preemption Of State And Local Medical Device RequirementsGeneral Purpose:This part details the preemption of most state regulation of medical devices by the Food, Drug and Cosmetic Act. It also describes the procedures for the submission of applications for exemption from preemption and lists state and local exemptions that are not pre-emptedPurpose or Risk Mitigated: The Food, Drug and Cosmetic Act is intended to impose uniform regulation of medical devices throughout the country. The stringent provisions regarding exemptions to preemption for state and local regulations are intended to ensure that the same general scheme is applicable to medical devices regardless of exemption and minimize the effect of state and local differences. Breakdown: Subpart A General ProvisionsSubpart B Exemption ProceduresSubpart C Listing of Specific State and Local ExemptionsHow Does this Fit with Health IT?Applicable/Fits.29Work product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroups viewsPart 809 In Vitro Diagnostic Products for Human UseRegulatory Requirement:In vitro diagnostic (IVD) products are reagents, instruments, and systems that are intended for use in the diagnosis of disease or other conditions, including a determination of the state of health, in order to cure, mitigate, treat, or prevent disease. Such products are intended for use in the collection, preparation, and examination of specimens taken from the human body. Purpose or Risk Mitigated by Regulation:Provides an overview of the IVD submission, manufacture, and labeling process. How Does this Fit with Health IT?Applicable to the extent software is considered an accessory but fit is awkward for stand alone software.

30Work product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroups viewsPart 810 Medical Device Recall AuthorityRegulatory Requirement:If FDA finds that there is a reasonable probability that a medical device could cause serious adverse health consequences or death, the agency may require the manufacturer to cease distribution of the device, instruct professionals to cease the use of the device and require the manufacturer to withdraw the product from the market.Purpose or Risk Mitigated by Regulation:Provides a streamlined process to ensure that all impacted product that could pose risk to patients are accounted for and removed from the market efficiently.How Does this Fit with Health IT?Applicable. Need to consider what is sufficient for recall of software? What if reports or results are generated by the software? Do they need to be recalled?31Work product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroups viewsPart 812 Investigational Device ExemptionsRegulatory RequirementAn investigational device exemption (IDE) allows the investigational device to be used in a clinical study in order to collect safety and effectiveness data. All clinical evaluations of investigational devices, unless exempt, must have an approved IDE before the study is initiated.Purpose or Risk Mitigated by Regulation:Provides a streamlined process to submit an application for an IDE so that a manufacturer can begin a clinical study in support of a submission. How Does this Fit with Health IT?Need to consider traditional software testing and application of clinical evaluations. A common and considered good engineering practice is to deploy software in pilot launches. The intent is not to determine if the verification or validation for the software is correct. Rather, the intent is to shake out any issues that cannot be found in a test environment. For example, network bandwidth or user volume. Is this an investigational use?32Work product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroups viewsPart 814 Premarket Approval of Medical DevicesRegulatory Requirement:Medical devices that require PMAs are Class III products and are considered high risk devices that pose a significant risk of illness or injury, or are devices that are found not substantially equivalent to Class I and II predicate through the 510(k) process. This part provides all requirements to submit a PMA which includes clinical required clinical data.Purpose or Risk Mitigated by Regulation:Provides all requirements to industry to plan for a submission for a Class III product. How Does this Fit with Health IT?Applicable to small subset of Health IT products but would fit as applicable.33Work product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroups viewsPart 820 Quality System RegulationGeneral Purpose:Device manufacturers are required to establish and follow set procedures and policies to help ensure that their products consistently meet set requirements, specifications and are safe and effective. The quality systems for FDA-regulated products (food, drugs, biologics, and devices) are known as current good manufacturing practices (CGMPs). How does this fit with Health IT?At high level, QSR is focused on traditional manufacturing and needs to consider application to traditional software development.Most Relevant SectionsSubpart B: Management ControlsSubpart C: Design ControlsSubpart E: Purchasing ControlsSubpart J: Corrective and Preventive ActionSubpart M: RecordsLimited or No Application820.65; 820.70, 820.72, 820.75, 820.80, 820.86, 820.90, 820.130, 820.150AAMI published report on application of 5 QSR requirements to Health IT http://www.aami.org/publications/AAMINews/May2012/sw87.html

34Work product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroups viewsContinued Part 820 Quality System RegulationBreakdown: Subpart A General ProvisionAn overview of the requirements to create a full quality system and the type of manufacturer this provision applies to. Subpart B Quality System RequirementsSpecifies quality system requirements including how to structure the organization.Subpart C Design Controls Describes the step-by-step process manufactures must implement to develop a medical device.Subpart D Document Controls Manufactures must develop methods to reviewed, approve and store documents adequately.Subpart E Purchasing Power Manufacturers must develop a process to ensure that their suppliers, contractors, and consultants maintain quality requirements. Subpart F Identification and Traceability Manufactures must establish procedures to identify all production, distribution, and installation of products and specifically for surgical implants that support or sustain life by using unit, lot or batch number. Subpart G Production and Process Controls Manufactures must control the production process to ensure device conforms to device specifications.

35Work product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroups viewsContinued Part 820 Quality System RegulationBreakdown: Subpart H Acceptance Activities Manufacturers must establish procedures to ensure acceptable product or components are being delivered using inspections, tests or other verification tests. Subpart I Nonconforming ProductManufacturers must establish procedure to control product that does not conform to specified requirements. Subpart J Corrective and Preventative ActionManufacturers must establish procedures to investigate, capture, and resolve product or other quality issues. Subpart K Labeling and Packaging ControlManufacturers must establish controlled procedures to develop, change and implement labeling. Subpart L Handling, Storage, Distribution and Installation Manufacturers must establish procedures to ensure product integrity during the handling, storage, distribution and/or installation of product.Subpart M RecordsManufacturers must establish procedures to maintain all documents related to Part 820. Subpart N ServicingManufacturers must establish and maintain instructions and procedures to verify servicing meets specified requirements and proper service reports be generated. Subpart O Statistical TechniquesManufacturers must establish and maintain procedures for identifying valid statistical techniques for process and product characteristics.

36Work product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroups viewsSubpart B 820 Quality System Regulation Quality System RequirementsRegulatory Requirement:Management with executive responsibility must establish and implement a quality policy which demonstrates the commitment to quality across all levels of the organization and provide an organizational structure that ensures devices are designed and produced according to this quality objective. Purpose or Risk Mitigated by Regulation:Helps prevent faulty devices being generated and reduces the risk of inconsistencies between two identical products. How Does this Fit with Health IT?Applicable/Fits.37Work product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroups viewsSubpart C 820 Quality System Regulation Design ControlsRegulatory Requirement:Device manufacturers are required to establish and maintain policies and procedures to follow a step by step process called design controls when developing or changing a medical device for class III or II products. Purpose or Risk Mitigated by Regulation:Ensures that product is being developed according to a streamlined process and appropriate checks and balances are occurring throughout the product development cycle so that product issues are captured earlier rather than after it has been developed. How Does this Fit with Health IT?Critical in software development. Need to consider differences between software development and traditional manufacturing and various software development techniques (e.g. Agile).The conundrum faced by research teams that want to transition HIT prototypes to commercial implementation. Must prototype software that was not developed under a Quality System be re-developed.Need to consider software modularization and re-use of software.

38Work product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroups viewsSubpart E 820 Quality System Regulation Purchasing ControlsRegulatory Requirement:Device manufacturers are required to establish and maintain policies and procedures that ensure suppliers, contractors, and consultants maintain quality requirements. to follow a step by step process called design controls when developing or changing a medical device for class III or II products. Purpose or Risk Mitigated by Regulation:Ensures that incoming products and components meet quality standards and that the manufacturers have adequate control over the manufacturing process of a given device/component. How Does this Fit with Health IT?Need to consider design transfer. Physical manufacturing requirements do not fit.

39Work product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroups viewsSubpart J 820 Quality System Regulation Corrective and Preventative Action Regulatory Requirement:Each manufacturer must establish procedures to implement corrective and preventative actions to investigate, capture, and resolve product or other quality issues.

Purpose or Risk Mitigated by Regulation:Helps capture product or quality issues quickly, creates a streamlined process to detect such issues and ensures a preventative plan is in place for the future.

How Does this Fit with Health IT?Applicable/Fits.Further, while not a regulatory requirement on HIT, HIT obviously can play a role in the facilitating CAPAs on other devices.How is CAPA handled in a ecosystem of Health IT products where issue may be result of combination of multiple products or unique configurations? Which vendor is responsible?

40Work product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroups viewsSubpart M 820 Quality System Regulation RecordsRegulatory Requirement:All records that may result from Part 820 must be maintained at the manufacturing establishment or other location that can be accessible by the manufacturer and to FDA. These documents should be readily available for review and copying by the FDA and should be retained for the period of time equivalent to the design and expected life of the product. Purpose or Risk Mitigated by Regulation:Assists FDA during their audits and reviews to determine whether the manufacturing facility and company is operating under an adequate quality system and complies with Part 820. How Does this Fit with Health IT?Consider changes to reflect software development methods.Where is the design history file held for a product that could be designed and developed in a virtual space with multiple project team modules located around the globe working on the same project?

41Work product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroups viewsPart 821 Medical Device Tracking RequirementsRegulatory Requirement:The agency requires certain categories of manufacturers to track their medical devices from manufacture through distribution

Purpose or Risk Mitigated by Regulation:The purpose of device tracking is to allow certain manufacturers to promptly locate devices in commercial distribution

How Does this Fit with Health IT?Not applicable.42Work product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroups viewsPart 822 Postmarket Surveillance Regulatory RequirementManufacturers may be required to implement postmarket surveillance plans to monitor the safety and effectiveness of products on a continuous basis. Purpose or Risk Mitigated by Regulation:This data provides a larger sample size of uses of a given device and can reveal unforeseen adverse events, the actual rate of anticipated adverse events, or other information necessary to protect the public health.How Does this Fit with Health IT?Unlikely to be applicable because it is reserved for very high risk devices but would fit.Further, while not a regulatory requirement on HIT, HIT obviously can play a role in the post market surveillance of other devices43Work product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroups viewsPart 860 Medical Device ClassificationRegulatory Requirement:Establishes the criteria and procedures used determining class of regulatory control (class I, class II, or class III) appropriate for particular devicesPurpose or Risk Mitigated by Regulation:To ensure consistent application and risk-based classification of medical devices.How Does this Fit with Health IT?Applicable/Fit.44Work product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroups viewsPart 861 Procedures for Performance Standards Development Regulatory RequirementStates FDAs authority to develop special controls for certain medical devices and outlines the content of such guideline .Purpose or Risk Mitigated by Regulation:To ensure safety and effectiveness of certain moderate or high risk medical devices. How Does this Fit with Health IT?Applicable/Fits.45Work product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroups viewsParts 862-892 Specific Product ClassificationsRegulatory RequirementProvides a description of various functionality and serves as product classification for the applicable medical device Purpose or Risk MitigatedThe product classification identifies which Class, I, II or III the medical device falls into and determines what regulatory requirements apply. How Does this Fit with Health IT?Applicable/Fits. Need to consider additional classifications. 46Clinical Chemistry & Clinical Toxicology864 Hematology & Pathology866 Immunology & Microbiology868 Anesthesiology870 Cardiovascular872 Dental874 Ear Nose & Throat876 Gastroenterology-Urology878 General and Plastic Surgey880 General Hospital & Personal Use882 Neurological884 OB/GYN886 Ophthalmic888 Orthopedic890 Physical Medicine892 Radiology

Work product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroups viewsPart 895 Banned Devices Regulatory RequirementThe Commissioner may initiate a proceeding to designate a device a banned device if the Commissioner finds, on the basis of all available data, which a manufacturer may be required to provide, that the device presents substantial deception or an unreasonable and substantial risk of illness or injury that the Commissioner determines cannot be, or has not been, corrected or eliminated by labeling or by a change in labeling, or by a change in advertising if the device is a restricted device.Purpose or Risk Mitigated by Regulation:The ability to remove product completely from the market that may pose significant risk to human life quickly. How Does this Fit with Health IT?Unlikely to be applicable but would fit.47Work product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroups viewsPart 898 Performance Standard for Electrode Lead Wires and Patient CablesRegulatory RequirementWires and cables that connect to a patient must meet certain performance standards.Purpose or Risk Mitigated by Regulation:Ensure patient safety in use of wires that connect to the patient.How Does this Fit with Health IT?Not applicable.48Work product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroups viewsBig PictureAre there any risks this does not include?

Are there any risks associated with Health IT that are not adequately addressed by these FDA requirements?

In the aggregate, are the requirements too much?

Is there a better way to regulate these risks?49Work product of EBG for review and discussion by the FDASIA Regulation Subgroup; May not reflect the subgroups views