Experts Discuss CDRH Proposals That May Require New Authorities

Regulatory NewsRegulatory News | 24 May 2019 |  By 

From a pre-certification (PreCert) approach on software as a medical device (SaMD) and laboratory-developed tests (LDTs) to cybersecurity and the 510(k) premarket review pathway, the US Food and Drug Administration (FDA) has set forth several proposals that may require additional statutory authority.

Legal experts at the AdvaMed Digital MedTech Conference in San Francisco this week shed light on the specific areas within FDA’s existing statutory authority that pose questions and discussed how these limitations may be tweaked.


FDA’s Center for Devices and Radiological Health (CDRH) acknowledged over the course of 2018 that it may require new authority to modify existing regulatory frameworks and premarket review pathways. The string of recent proposals unveiled by former FDA Commissioner Scott Gottlieb and current CDRH Director Jefferey Shuren raised questions among industry.

Among the proposed initiatives for which CDRH is no longer accepting public comment are three that form part of the Medical Device Safety Action Plan. These include two on 510(k) modernization—a 10 year old limit on the use of predicate devices for 510(k)s and additional postmarket safety mitigation measures that can be imposed at a faster pace than current processes allow.

The agency also recognized the need for new authority to implement a PreCert approach for LDTs via a provision of the Verifying Accurate Leading-edge IVCT Development Act of 2018 (VALID Act), though it did not open a public comment period.

Designing the new digital health-specific framework has been more time-consuming than previously anticipated and the pilot was opened to more volunteers on Wednesday, rather than the initial timeline at the end of 2018.


Yet in an interview with Focus, senior director of government relations at consulting group ML Strategies and former CDRH official Aaron Josephson explained how work on PreCert is more connected with other proposed initiatives within CDRH than some may have realized.

The relationship between software PreCert and that of LDTs is clear, though there are fundamental differences. That of using de novos for PreCert is not as clear but an uptick in granted de novos for standalone software goes hand in hand with seeking to impose a limit on predicate use and additional postmarket safety measures to better mitigate detected cybersecurity vulnerabilities, Josephson argued.

Josephson expressed doubt on the de novo pathway as a mechanism to use existing authorities for PreCert being the ideal solution. FDA said that it is still interested in additional authority that may be needed when it announced how it will use the de novo model, he said. “I think in an ideal world, there would be very specific authority for precertification because it is a much different approach to evaluating safety and effectiveness.”

He expressed worries about the lingering questions around how a premarket appraisal translates into a product being safe and effective.

“Without a product-specific evaluation there is this question about how can you say a product is safe and effective without actually looking at the product,” Josephson said. He noted that this is a PreCert pilot task, but a robust postmarket system needs to be in place prior to a fast-track pathway.

On PreCert for LDTs, partner at Hogan Lovells Yarmela Pavlovic told Focus that the agency has been using a similar approach for in vitro diagnostics to an extent by creating a new type of 510(k)-exempt status. “To my knowledge, this has not been challenged, but technically when FDA creates a new 510(k) exemption they must issue a regulation to do so and so perhaps they view that regulation as sufficient authority.” Needed authority would be set if the VALID Act has the PreCert provision, she added.

Josephson, at the same time, further argued for more education with Congress if the PreCert concept is something that will be pursued long-term, pointing to Rep. Frank Pallone (D-NJ), his staffers and others that are not fans of PreCert as a concept, as well as additional guardrails around what that looks like.

“As we now know from the software discussion, FDA does not need authority to explore precertification,” said Josephson. “The question is do they need authority to actually do pre-certification.”

He said he does not think that the VALID Act is quite there, citing “fundamental disagreements between the lab community, FDA and Congress. Such disagreements include FDA looking at lab tests as physical artifacts to run tests whereas the lab industry has said that LDTs are services and cautions against regulating LDTs as artifacts. “I would not be surprised if this would draw a very similar test program set up with labs who willingly say, 'We acknowledge this is going to be the future so let us try and work out these details now.'”

The legal experts also challenged the question of whether cybersecurity is an area in which FDA is currently lacking authority. This relates to a next step under FDA's Medical Device Safety Action Plan—consider new postmarket authority to require policies and procedures on coordinated disclosures of vulnerabilities.

“Generally FDA, in the past, has not believed that they had the authority to order postmarket mitigation measures for 510(k) cleared devices,” said Pavlovic. She added FDA would have this authority if measures are implemented as special controls during classification processes. This is a unique component of the de novo pathway—special controls set via classification of a new device type.

Josephson also explained that FDA is concerned about when a 510(k) cleared device has been proven to not be cybersecure and can be used as a predicate, especially as establishing new special controls can be a time-consuming process.

Regarding the 10-year limit on device predicates, Josephson cited recent analyses that indicate such a move would not have a real impact because it is a small percentage of companies that are not using more modern predicates anyway. Yet he added that such a limit could play a different role for software products, including SaMD and software in a medical device, as an additional measure to mitigate cybersecurity vulnerabilities.

Editor's note: This article was updated on 29 May 2019 to note that Frank Pallone is a US Representative and to clarify the name of the VALID Act. 


© 2022 Regulatory Affairs Professionals Society.

Discover more of what matters to you

No taxonomy