In the Terminator movies, the freakishly badass silver machines rebelled against their human creators and set their glowing red eyes on a single objective – defeating mankind and taking control of the world. And while artificial intelligence (AI) and machine learning (ML) have not yet advanced to the point of creating an army of rogue infusion pumps and rebellious endoscopes, the incorporation of these advanced technologies into our medical devices does pose some unprecedented challenges for manufacturers and regulators alike.
Cybersecurity is just one of the concerns arising from the incorporation of digital, cloud-based technologies into something as risk-averse as the HIPAA-forward US healthcare system. The use of artificial intelligence and machine learning to diagnose and monitor disease raises a whole host of regulatory questions, as even the most carefully crafted programs and algorithms can fall victim to inaccuracies, malfunctions, and biases in their results.
Undeniably, the future of healthcare depends on software in all its forms, and the sooner the FDA can establish defined regulation for its many digital features and cloud-based benefits, the better. Industry pressure is increasing for workable regulation that allows manufacturers to continue to innovate – while keeping the machines firmly under human control.
Regulating the Machines
Digital devices are nothing new, and lightning-fast innovation has allowed manufacturers to incorporate SaMD into devices at an alarming rate. Fortunately, despite being a little late to the game, the FDA still had the foresight to realize the impact that medical device software and all its associated mobile applications would have on the healthcare industry.
In 2013, as apps began to invade every aspect of our lives, the agency issued the Mobile Medical Applications Guidance (MMA), which stated that FDA would apply standard medical device regulations to any device software function which – if it malfunctioned – would pose an increased risk to patients. The MMA also clarified that mobile medical apps that could cause smartphones or computers to impact the function or performance of a medical device would themselves be regulated as medical devices.
Medical device software and technology continued to evolve at meteoric rates, and manufacturers began to balk at the byzantine device regulations that were delaying market entry for what they perceived as non-medical products. As the industry continued to lobby for a simpler regulatory path for these products, the 21st Century Cures Act was signed into law, amending existing language in the long-standing FD&C Act to remove certain “minimal risk” software functions from the definition of a medical device. As long as there was no specific safety concern present, the following software healthcare applications were no longer subject to FDA oversight:
- Software for administrative support of healthcare facilities
- “Healthy lifestyle” software that provides no diagnostic, prevention, or treatment function
- Electronic patient records
- Software for transferring, storing, or displaying medical device or clinical laboratory test data but that does not support interpretation or analysis of clinical data
- Software to acquire, process or analyze medical images from an IVD or signal acquisition system
The last two items in this list provided clarification on the definition of medical device data systems, or MDDS. The FDA had down-classified software systems used to transfer, store, convert, and display medical device data to Class I in 2011, but they were still considered devices. The Cures Act required the FDA to amend its definition of medical device to exclude software that was “solely intended to transfer, store, convert formats, and display medical device data or medical imaging data.” Conversely, hardware products designed to transfer, store, convert or display medical device data remain classified as medical devices, but the FDA does not intend to enforce compliance with medical device regulation if the hardware function serves only to assist software functions. The September 2019 guidance – Medical Device Data Systems, Medical Image Storage Devices, and Medical Image Communication Devices – outlines the agency’s current thinking on the subject.
In 2019, the FDA updated the MMA, renaming it the Policy for Device Software Functions and Mobile Medical Applications and incorporating the updated definitions of a medical device. What remained under FDA oversight were those software functions that could be used by a licensed practitioner to diagnose or treat disease:
- Mobile apps using a phone or other mobile platform’s built-in features such as light, vibrations, camera, or other similar sources to perform medical device functions
- Software functions that control the operation or function of an implantable or body worn medical device
- Software functions that are used in active patient monitoring to analyze patient-specific medical device data
The FDA will exercise enforcement discretion for those software functions still meeting the definition of a device while posing little risk to patients and consumers – think software to automate provider tasks or general disease management apps that provide no specific treatment suggestions. But the agency’s work was far from over. The rapid advancement of artificial intelligence (AI) and machine learning (ML) technologies raised even more regulatory questions, and more than a few ethical ones as well.
Staying Ahead of the Machines
Artificial intelligence and machine learning are no longer mere science fiction. These technologies are fast becoming an integral part of healthcare, albeit in a much less threatening way than books and movies typically present.
It should be noted, however, that the two terms are not interchangeable. Artificial intelligence is more flexible and adaptable than traditional computer programs and can take information other than its fixed programming and produce a better output. Manufacturers use AI to make devices such as remote cardiac monitors more accurate, taking external patient data and adjusting to improve device performance. Machine learning, on the other hand, is a specific form of artificial intelligence that can be trained to interpret data and predict outcomes. Machine learning has tremendous potential in identifying early-stage disease or tumors that even highly trained providers can miss.
Early in 2019, the Center for Devices and Radiological Health (CDRH) issued a discussion paper outlining how the agency intended to approach the use of these innovative technologies in medical devices. After a lengthy public comment period, that discussion paper was transformed into the Artificial Intelligence and Machine Learning (AI/ML) Software as a Medical Device Action Plan that will help guide the agency’s next steps. To date, the FDA has approved or cleared only those devices with “locked” algorithms, but as manufacturers work toward incorporating AI into their devices, it is clear that these advanced technologies need clearly defined guidance to ensure patient safety. The FDA is working on a document that will lay out a clear strategy for bringing devices with AI and ML technologies to market, with regulatory and quality management guidelines for the entire lifecycle of the product, including post-market surveillance and device improvements based on real-world data gathered post-release.
Living with the Machines
The future of healthcare is here, and regulators will no doubt be challenged again and again as technology improves and the first AI devices begin to enter the marketplace. But with a solid regulatory strategy and clear guidelines on where and how AI and ML technologies can and cannot be used, medical devices will continue to offer great advances in patient care well into the future – and hopefully little chance of a bot uprising.