2023 was a busy year with FDA and EU advancing key initiatives focused on AI/ML, cybersecurity, global harmonization, real-world evidence, and pharma companion apps…and more is coming in 2024.
While 2023 brought its share of challenges for the digital health sector, it ultimately served as a pivotal year for shaping the future of how digital medical devices are developed and regulated. Many new regulations and policies were introduced or issued after years in the making, and others were reactions to sweeping technological and methodological industry advancements that required broad changes in the global regulatory environment.
First, we’ll zoom in on key global initiatives poised to shake up digital health. Then, we’ll dissect FDA’s most impactful moves in 2023 impacting digital health. Finally, we’ll shift gears and set our sights on the exciting horizons of 2024.
Key Global Initiatives
A handful of global initiatives were introduced in 2023 that represent a significant step towards a more streamlined, efficient, and risk-based global regulatory environment for digital health. Key changes in 2023 point to the ever-changing digital health landscape and the need for manufacturers to remain informed as global regulatory bodies continue to refine their approach to medical device regulation. While specific regulatory and market access requirements demand regional attention, these four general topics stand to have the greatest impact on digital health manufacturers across global markets:
- Extension of the EU Medical Device Regulation (MDR): The European Commission implemented Regulation (EU) 2023/607, amending Regulations (EU) 2017/745 (MDR) and Regulation (EU) 2017/746 (IVDR) in response to delays due to COVID-19 and an insufficient number of notified bodies. Regulation 2023/607 removes the “sell-off” deadline and staggers transition periods for certain medical devices and in vitro diagnostics based on device risk class to either December 2027 or December 2028. While the extended timeline may seem like a relief to device manufacturers, 2024 is when legacy device manufacturers must begin their compliance journey and secure agreements and contracts with a notified body if they haven’t already done so. These changes have important global implications for the timing and commercial and regulatory strategies of companies seeking to launch in multiple markets.
- International focus on AI/ML in medical devices: Regulatory bodies are grappling with the growing use of artificial intelligence and machine learning (AI/ML) in medical devices and digital health. The lack of generalizability of AI/ML is a growing concern, with jurisdictions wrestling with basic concepts like the exact definition of AI versus software as a medical device (SaMD) and how to manage the inevitable changes in AI/ML devices as they learn and develop.
FDA has long been busy building a framework to ensure the safety and effectiveness of AI/ML devices, and in April issued final guidance Marketing Submission Recommendations for a Predetermined Change Control Plan for Artificial Intelligence/Machine Learning (AI/ML)-Enabled Device Software Functions. The requirements build on the Agency’s proposed framework and clarify the types of modifications that should include a Predetermined Change Control Plan (PCCP). Notably, the new guidance proposes that PCCPs be used not only for AI/ML-enabled Software as a Medical Device (SaMD) but for all AI/ML-enabled software functions, including those functions that are part of hardware medical devices.
Potentially the most significant change for AI from a global perspective was the European Commission clarifying its approach to AI, with a proposed Regulatory Framework and Coordinated Plan. The proposed risk-based approach varies governance from “free use” for minimal-risk AI to banning all AI systems considered to present a clear threat to the safety, livelihoods, and rights of people. The middle tiers (limited risk and high risk) will be subjected to transparency obligations, adequate risk assessment and mitigation systems, logging activities, and appropriate oversight measures to minimize risk. While seemingly simple, this proposed approach represents a potentially sweeping paradigm shift and more detail is awaited as the regulation is developed.
- Standardization of Cybersecurity: The International Medical Device Regulators Forum (IMDRF) released Principles and Practices for Cybersecurity in Legacy Medical Devices (“IMDRF N60”). It sets forth foundational security principles and best practices that span the total product lifecycle. IMDRF N60 accompanies IMDRF N73, Principles and Practices for Software Bill of Materials for Medical Device Cybersecurity, which describes an SBOM and how it can be leveraged to improve cybersecurity risk management processes. Both documents complement previous actions by FDA and the European Commission.
In 2023, FDA supplemented its cybersecurity efforts with the Cybersecurity Modernization Action Plan (CMAP), which outlines key actions to enhance the Agency’s internal cybersecurity posture and support secure innovation in medical devices. CMAP followed the Refuse to Accept (RTA) policy that was enacted to automatically reject premarket submissions that do not meet FDA’s expectations for security controls, handling vulnerability disclosure, and information that FDA may require to ensure the cyber device meets the cybersecurity requirements. The RTA policy sits on top of FDA’s new guidance on Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, which was also finalized in 2023. The guidance places increased emphasis on quality systems and a risk-based approach to cybersecurity considerations, including security in context of larger systems to which devices may be connected.
- FDA Harmonization with ISO 13485: Regulatory frameworks in the US and Europe are evolving, providing clearer pathways for digital medical device development and approval. In December, FDA submitted the Quality System Management System Regulation final rule for clearance under the Direct Final Rule Procedures. The rule would harmonize FDA’s Quality System Regulation (CFR 820) to ISO 13485, which is the quality management system standard for medical devices in the EU, UK Japan, and most other markets. Considering FDA began working in 2018 to harmonize the Quality System regulation, the final rule being sent for clearance marks the beginning of work for medical device manufacturers. And, while harmonization with ISO 13485 won’t change FDA’s authority, harmonization could improve efficiencies and reduce costs of compliance for digital health manufacturers.
FDA Activity in Digital Health
Whew! It was a busy year for FDA in 2023 —so much so that it would take several pages to describe it all. Instead, we summarize the guidance documents that are relevant to digital health and their implications. We also share potential impact we expect each to have on manufacturers (burning hot or ice cold?). Our assessment is based on the broader application of these guidances to digital health rather than on individual products.
| Topic | Implications | Potential Impact |
| Final Guidance: Content of Premarket Submissions for Device Software Functions | This updated guidance document outlines the documentation to be included in premarket submissions and shifts the software risk level of concern into two categories: Basic or Enhanced. This enables manufacturers of lower-risk devices to simplify their premarket submissions. Perhaps most helpful are the insightful discussions and detailed examples for risk management files and software architecture diagrams. This guidance will have a high impact simply because it is relevant to all digital health submissions. | 🔥🔥🔥 |
| Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices and Related Systems | The policy grants FDA authority to refuse a premarket submission due to insufficient cybersecurity information. The aim is clear that FDA expects manufacturers to address cybersecurity concerns early in the development process and information presented in premarket submissions must satisfy all applicable requirements. | 🔥🔥🔥 |
| Draft Guidance: Decentralized Clinical Trials for Drugs, Biological Products, and Devices | DCTs have already begun to replace traditional clinical trials in digital medicine due to improved efficiency and lower cost. In response to this trend, which was accelerated during COVID-19, FDA has released new draft guidance that provides needed recommendations for designing, conducting, and monitoring DCTs. | 🔥🔥 |
| Draft Guidance: Use of Real-World Evidence to Support Regulatory Decision-Making for Medical Devices | Expands on potential use cases where RWE can be used in regulatory submissions from prior FDA guidance, including primary evidence in new submissions and supplemental evidence in support of OUS data. Clarifies the concerns with use and collection of RWD. Highly relevant to Digital Medicine, and a potential game changer for the adoption of RWE studies and acceptance of RWE. However, in practice, we still expect FDA to be conservative in their acceptance of RWE. | 🔥🔥
|
| Draft Guidance: Regulatory Considerations for Prescription Drug Use Related Software (PDURS) | Provides a framework on regulatory oversight of software for use with prescription drugs, either with combination products or as standalone companion apps. This presents new opportunities for software to be included in drug labeling if there is a clinical benefit to the drug. There is potential for large impact, as this could be a new opportunity for improved outcomes, brand differentiation, extended revenue lifetime for a drug, and a new way to monetize and demonstrate the value of digital solutions. But everything is tempered by the ambiguity around clinical requirements and implementation. | 🔥🔥 |
| Draft Guidance: Marketing Submission Recommendations for a Predetermined Change Control Plan for Artificial Intelligence/Machine Learning (AI/ML)-Enabled Device Software Functions | While still draft guidance, the established framework sets forth expected information to be included in premarket submissions for anticipated changes, assessment and control strategies, validation and verification activities, and governance oversight with the goals of ensuring continued safety and effectiveness while promoting transparency and predictability as an AI/ML-enabled device continues to evolve. While establishing a PCCP up front creates a moderate burden for manufacturers, it ultimately will allow for more flexibility and free manufacturers from the burden of having to file additional premarket submissions. | 🔥🔥 |
| Final Guidance: Digital Health Technologies for Remote Data Acquisition in Clinical Investigations | This guidance explains how DHTs can be used in clinical trials to acquire data remotely and may improve trial efficiency, increase opportunities and convenience for participants, and allow for capture of richer data. This guidance can have substantial impact on clinical development, but commercial impact on digital medicine is limited. | 🔥 |
| Select Updates for the Breakthrough Devices Program Guidance: Reducing Disparities in Health and Health Care | Updates the final 2018 Breakthrough Devices guidance to also allow for improvements in health disparities and accessibility to be considered in granting a Breakthrough Device Designation, rather than just clinical outcomes. Potential for moderate impact in digital medicine because so many of these products are ideally suited to address health disparities and access. However, early returns do not signal much change in behavior from FDA reviewers, and the impact is dampened by CMS’ lack of alignment with FDA on these kinds of products in its new Transitional Coverage for Emerging Technologies (TCET) reimbursement pathway. | 🔥 |
| Draft Guidance: Best Practices for Selecting a Predicate Device to Support a Premarket Notification [510(k)] Submission | For most digital medicine companies and sponsors developing innovative products, the issue isn’t which of many predicates to choose between but rather if any of them are appropriate. Therefore, the impact of this guidance will be limited, however, there are some mature areas of digital health, such as CAD software, where this has greater relevance. | 😐 |
| Draft Guidance: Recommendations for the Use of Clinical Data in Premarket Notification [510(k)] Submissions | There is not much new in the guidance, and the focus is unfortunately on if clinical data is required rather than what type and extent of clinical data would be needed – this is really the question that 95% of digital medicine companies have. But it is helpful to get a general understanding of this topic. | 🧊
|
| Final Guidance: Transition Plan for Medical Devices That Fall Within Enforcement Policies Issued During the COVID-19 PHE | FDA finalized guidance on the transition plan for medical devices, including some digital therapeutics and digital pathology software that had been able to skirt FDA enforcement during the COVID-19 PHE, requiring manufacturers to have a 510(k) accepted by FDA by November 7, 2023, to remain on market. Overall, the impact is expected to be low for digital medicine, as few products are likely to utilize this pathway effectively. | 🧊
|
FDA also issued new guidance documents on the Q-submission program, electronic submissions for 510(k) submissions, and De Novo classification requests. These new documents will also impact digital medicine manufacturers and align with goals established in MDUFA V aimed at modernizing each program.
Looking forward to 2024…
While 2023 was a year of transition and adaptation, 2024 is expected to bring continued focus on specific areas within the broader regulatory landscape. Here are a few key projections we are watching in 2024:
- Continued focus on AI/ML: We anticipate the release of further guidance and frameworks for ensuring the safety and effectiveness of medical devices incorporating AI/ML algorithms. Primarily, we look for stricter requirements for data transparency, bias mitigation, and ongoing monitoring of device performance.
- Enhanced Cybersecurity Measures: With cyberthreats becoming increasingly sophisticated, manufacturers must stay proactive and adapt quickly as cyberthreats become more sophisticated. With NIST announcing already this year that it has identified cyberattacks that manipulate AI behavior, we anticipate a sharpened focus on SBOMs and additional specificity on security and threat detection.
- Growing Regulatory Scrutiny of SaMD: As SaMD adoption continues to rise, expect stricter regulations covering software updates, cybersecurity vulnerabilities, and potential interoperability issues with other medical devices and electronic health records.
- Post-market Surveillance and Data Collection: Increased use of wearables and remote monitoring technologies may lead to new regulations regarding data privacy and patient consent. With FDA announcing its work to align with IMDRF Adverse Event Terminology and the National Competent Authority Report (NCAR), we anticipate conversations around post-market surveillance and data collection to bubble to the top in 2024.
- Prescription Drug Use-Related Software (PDURS): As described above, PDURS presents new opportunities for software that is paired with prescription drugs. One of the loudest requests from manufacturers in the public comments was related to the clarification of clinical data requirements for “FDA-required labeling” and a desire for acceptance of real-world evidence. We expect some additional clarity to come from formal interactions that manufacturers are expected to have with CDER and CBER about specific products in 2024, but do not expect final guidance to provide enlightenment on this matter until 2025.
- United Kingdom: The Medicines and Healthcare Products Regulatory Agency (MHRA) extended the deadline for the transition for CE Mark to UKCA certification to July 2024. This transition is set to shake up the industry as the country and manufacturers prepare to deal (yet again) with the limited availability of UK-approved bodies for carrying out conformity assessments.
- 3D Printing of Medical Devices at the Point-of-Care (POC): POC 3D printing is a burgeoning market with several players poised to disrupt the industry. While the regulatory landscape for POC 3D printed medical devices is still evolving, we anticipate regulatory bodies taking actions for design control and validation of the 3D file, materials and printing process, as well as sterilization and biocompatibility. We also expect some type of framework for POC-specific regulations and pre-market versus post-market requirements.
Author
With over 25 years in business and technology operations, Kory brings a wealth of experience to the ever-evolving medical device field. He partners with companies developing medical devices, leveraging his deep understanding of global…
Gwilym is a seasoned regulatory professional with 15+ years of experience in Software as a Medical Device (SaMD). His expertise spans startups to large corporations, covering manufacturers and distributors. Gwilym has contributed significantly to…
Marty Culjat, PhD is the SVP, Global Head of Digital Medicine & Regulatory Innovation at EVERSANA. In this role, he leads a cross-functional team supporting the commercialization of digital medicine products within companies ranging…