The U.S. Food & Drug Administration (FDA) published its final Guidance for Industry and Food and Drug Administration Staff – Mobile Medical Applications (Guidance). As noted by Vernessa Pollard, Partner at Arnold and Porter LLP, the Guidance is the result of a two-year process, which started when FDA issued its Draft Guidance on Mobile Medical Applications in July 2011. The final Guidance is one component of a multi-tiered, multi-agency legislative mandate to develop a comprehensive regulatory framework for health information technology. The Guidance has received a significant amount of media coverage.
BACKGROUND
In 1989, FDA prepared a general policy statement on how it planned to determine whether a computer-based product and/or software-based product is a device, and, if so, how the FDA intended to regulate it. The document, “FDA Policy for the Regulation of Computer Products,” became known as the “Draft Software Policy.” After 1989, however, the use of computer and software products as medical devices grew exponentially and the types of products diversified and grew more complex (and that trend has continued). As a result, the FDA determined that the draft policy did not adequately address all of the issues related to the regulation of all medical devices containing software. Therefore, in 2005, the Draft Software Policy was withdrawn.
Although the FDA has not issued an overarching software policy, the Agency has formally classified certain types of software applications that meet the definition of a device and, through classification, identified specific regulatory requirements that apply to these devices and their manufacturers. These software devices include products that feature one or more software components, parts, or accessories (such as electrocardiographic (ECG) systems used to monitor cardiac rhythms), as well as devices that are composed solely of software (such as laboratory information management systems).
On February 15, 2011, the FDA issued a regulation down-classifying certain computer and software-based devices intended to be used for the electronic transfer, storage, display, and/or format conversion of medical device data – called Medical Device Data Systems (MDDSs) – from Class III (high-risk) to Class I (low-risk). The FDA has previously clarified that when stand-alone software is used to analyze medical device data, it has traditionally been regulated as an accessory to a medical device or as medical device software.
As is the case with traditional medical devices, certain mobile medical apps can pose potential risks to public health. Moreover, certain mobile medical apps may pose risks that are unique to the characteristics of the platform on which the mobile medical app is run. For example, the interpretation of radiological images on a mobile device could be adversely affected by the smaller screen size, lower contrast ratio, and uncontrolled ambient light of the mobile platform.
FDA intends to take these risks into account in assessing the appropriate regulatory oversight for these products. This guidance clarifies and outlines the FDA’s current thinking. The Agency will continue to evaluate the potential impact these technologies might have on improving health care, reducing potential medical mistakes, and protecting patients.
I. Definitions
A. Mobile Platform
In guidance, “mobile platforms” are defined as commercial off-the-shelf (COTS) computing platforms, with or without wireless connectivity, that are handheld in nature. Examples of these mobile platforms include mobile computers such as smart phones, tablet computers, or other portable computers.
B. Mobile Application (Mobile App)
For purposes of this guidance, a mobile application or “mobile app” is defined as a software application that can be executed (run) on a mobile platform (i.e., a handheld commercial off-the shelf computing platform, with or without wireless connectivity), or a web-based software application that is tailored to a mobile platform but is executed on a server.
C. Mobile Medical Application (Mobile Medical App)
For purposes of this guidance, a “mobile medical app” is a mobile app that meets the definition of device in section 201(h) of the Federal Food, Drug, and Cosmetic Act (FD&C Act); and either is intended: to be used as an accessory to a regulated medical device; or to transform a mobile platform into a regulated medical device.
The intended use of a mobile app determines whether it meets the definition of a “device.” As stated in 21 CFR 801.4, intended use may be shown by labeling claims, advertising materials, or oral or written statements by manufacturers or their representatives. When the intended use of a mobile app is for the diagnosis of disease or other conditions, or the cure, mitigation, treatment, or prevention of disease, or is intended to affect the structure or any function of the body of man, the mobile app is a device.
D. Regulated Medical Device
For purposes of this guidance, a “regulated medical device” is defined as a product that meets the definition of device in section 201(h) of the FD&C Act and that has been cleared or approved by the FDA review of a premarket submission or otherwise classified by the FDA.
This definition can include novel devices, whether or not on a mobile platform, that the FDA will clear or approve by the review of a premarket submission or otherwise classify. Examples of regulated medical devices are identified in Appendix D.
E. Mobile Medical App Manufacturer
For purposes of this guidance, a “mobile medical app manufacturer” is any person or entity that manufactures mobile medical apps in accordance with the definitions of manufacturer in 21 CFR Parts 803, 806, 807, and 820. A mobile medical app manufacturer may include anyone who initiates specifications, designs, labels, or creates a software system or application for a regulated medical device in whole or from multiple software components. This term does not include persons who exclusively distribute mobile medical apps without engaging in manufacturing functions; examples of such distributors may include owners and operators of “Google play,” “iTunes App store,” and “BlackBerry App World.”
II. Scope
This guidance explains the FDA’s intentions to focus its oversight on a subset of mobile apps. Mobile medical apps as defined in section III include only those mobile apps that meet the statutory definition of a device and either are intended: to be used as an accessory to a regulated medical device; or to transform a mobile platform into a regulated medical device.
This guidance does not address the approach for software that performs patient-specific analysis to aid or support clinical decision-making. FDA’s policies regarding accessories to medical devices are not unique to mobile medical apps and go beyond the scope of this guidance. Specifically this guidance does not address FDA’s general approach for accessories to medical devices.
III. Regulatory approach for mobile medical apps
As described in this guidance, FDA intends to apply its regulatory oversight to only those mobile apps that are medical devices and whose functionality could pose a risk to a patient’s safety if the mobile app were to not function as intended. This approach to overseeing mobile medical apps is consistent with our existing approach to overseeing medical device functionality of a product and the risks it poses to patients regardless of the shape, size or the platform. The FDA believes that this subset of mobile medical apps poses the same or similar potential risks to the public health as currently regulated devices if they fail to function as intended.
The FDA strongly recommends that manufacturers of all mobile apps that may meet the definition of a device follow the Quality System regulation (which includes good manufacturing practices) in the design and development of their mobile medical apps and initiate prompt corrections to their mobile medical apps, when appropriate, to prevent patient and user harm.
For mobile medical apps, manufacturers must meet the requirements associated with the applicable device classification. If the mobile medical app, on its own, falls within a medical device classification, its manufacturer is subject to the requirements associated with that classification. A mobile medical app, like other devices, may be classified as class I (general controls), class II (special controls in addition to general controls), or class III (premarket approval).
A. Mobile medical apps: Subset of mobile apps that are the focus of FDA’s regulatory oversight
Mobile apps may take a number of forms, but it is important to note that the FDA intends to apply its regulatory oversight to only the subset of mobile apps identified below. These mobile apps can transform a mobile platform into a regulated medical device by using attachments, display screens, sensors, or other such methods. Regardless of the mechanism behind the transformation, FDA considers such mobile apps to be mobile medical apps.
The following are mobile apps that FDA considers to be mobile medical apps subject to regulatory oversight:
1. Mobile apps that are an extension of one or more medical devices by connecting to such device(s) for purposes of controlling the device(s) or displaying, storing, analyzing, or transmitting patient-specific medical device data.
2. Mobile apps that transform the mobile platform into a regulated medical device by using attachments, display screens, or sensors or by including functionalities similar to those of currently regulated medical devices. Mobile apps that use attachments, display screens, sensors or other such similar components to transform a mobile platform into a regulated medical device are required to comply with the device classification associated with the transformed platform.
3. Mobile apps that become a regulated medical device (software) by performing patient-specific analysis and providing patient-specific diagnosis, or treatment recommendations. These types of mobile medical apps are similar to or perform the same function as those types of software devices that have been previously cleared or approved.
B. Mobile Apps for which FDA intends to exercise enforcement discretion (meaning that FDA does not intend to enforce requirements under the FD&C Act)
FDA intends to exercise enforcement discretion for mobile apps that:
- Help patients (i.e., users) self-manage their disease or conditions without providing specific treatment or treatment suggestions;
- Provide patients with simple tools to organize and track their health information;
- Provide easy access to information related to patients’ health conditions or treatments;
- Help patients document, show, or communicate potential medical conditions to health care providers;
- Automate simple tasks for health care providers; or
- Enable patients or providers to interact with Personal Health Record (PHR) or Electronic Health Record (EHR) systems.
The following examples represent mobile apps for which the FDA intends to exercise enforcement discretion:
1. Mobile apps that provide or facilitate supplemental clinical care, by coaching or prompting, to help patients manage their health in their daily environment. – These are apps that supplement professional clinical care by facilitating behavioral change or coaching patients with specific diseases or identifiable health conditions in their daily environment.
2. Mobile apps that provide patients with simple tools to organize and track their health information – These are apps that provide patients with tools to organize and track health information without providing recommendations to alter or change a previously prescribed treatment or therapy.
3. Mobile apps that provide easy access to information related to patients’ health conditions or treatments (beyond providing an electronic “copy” of a medical reference) – These are apps that provide contextually-relevant information to users by matching patient-specific information (e.g., diagnosis, treatments, allergies, signs or symptoms) to reference information routinely used in clinical practice (e.g., practice guidelines) to facilitate a user’s assessment of a specific patient.
4. Mobile apps that are specifically marketed to help patients document, show, or communicate to providers potential medical conditions – These are apps that in their labeling or promotional materials are not promoted for medical uses but which, by virtue of other circumstances surrounding their distribution, may meet the definition of a medical device. These products either pose little or no risk, or are the sole responsibility of the health care providers who have used them in medical applications.
5. Mobile apps that perform simple calculations routinely used in clinical practice – These are apps that are intended to provide a convenient way for clinicians to perform various simple medical calculations taught in medical schools and are routinely used in clinical practice. These apps are generally tailored for clinical use, but retain functionality that is similar to simple general purpose tools such as paper charts, spread sheets, timers or generic mathematical calculators.
6. Mobile apps that enable individuals to interact with PHR systems or EHR systems — These are apps that provide patients and providers with mobile access to health record systems or enables them to gain electronic access to health information stored within a PHR system or EHR system. Applications that only allow individuals to view or download EHR data are also included in this category. These mobile apps are generally meant to facilitate general patient health information management and health record-keeping activities
IV. Regulatory requirements
This guidance and existing medical device regulatory classifications are intended to assist manufacturers in determining if a product is a mobile medical app and FDA’s expectations for that product. Additional information can be found in “Device Advice: Classify Your Medical Device“. This section describes in greater detail the regulatory requirements applicable to mobile medical apps under this guidance.
Manufacturers of mobile medical apps are subject to the requirements described in the applicable device classification regulation below. Depending on the classification and the associated regulation for the mobile medical apps, manufacturers of mobile medical apps are required to follow associated controls established by the regulation.
In general, the associated controls for each class of device is outlined below.
Class I devices: General Controls, including:
- Establishment registration, and Medical Device listing (21 CFR Part 807);
- Quality System (QS) regulation (21 CFR Part 820);
- Labeling requirements (21 CFR Part 801);
- Medical Device Reporting (21 CFR Part 803);
- Premarket notification (21 CFR Part 807);
- Reporting Corrections and Removals (21 CFR Part 806); and
- Investigational Device Exemption (IDE) requirements for clinical studies of investigational devices (21 CFR Part 812).
Class II devices: General Controls (as described for Class I), Special Controls, and (for most Class II devices) Premarket Notification.
Class III devices: General Controls (as described for Class I), and Premarket Approval (21 CFR Part 814).
V. Appendix A: Examples of mobile apps that are NOT medical devices
This Appendix provides a representative list of mobile app functionalities to illustrate the types of mobile apps that could be used in a healthcare environment, in clinical care or patient management, but are not considered medical devices. Because these mobile apps are not considered medical devices, FDA does not regulate them. The FDA understands that there may be other unique and innovative mobile apps that may not be covered in this list that may also constitute healthcare related mobile apps. This list is not exhaustive; it is only intended to provide clarity and assistance in identifying when a mobile app is not considered to be a medical device.
Specific examples of mobile apps that FDA does not consider to be devices and with no regulatory requirements under the current laws administered by FDA include:
1. Mobile apps that are intended to provide access to electronic “copies” (e.g., e-books, audio books) of medical textbooks or other reference materials with generic text search capabilities. These are not devices because these apps are intended to be used as reference materials and are not intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease by facilitating a health professional’s assessment of a specific patient, replacing the judgment of clinical personnel, or performing any clinical assessment.
2. Mobile apps that are intended for health care providers to use as educational tools for medical training or to reinforce training previously received. These may have more functionality than providing an electronic copy of text (e.g., videos, interactive diagrams), but are not devices because they are intended generally for user education and are not intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease by facilitating a health professional assessment of a specific patient, replacing the judgment of clinical personnel, or performing any clinical assessment.
3. Mobile apps that are intended for general patient education and facilitate patient access to commonly used reference information. These apps can be patient-specific (i.e., filters information to patient-specific characteristics), but are intended for increased patient awareness, education, and empowerment, and ultimately support patient-centered health care. These are not devices because they are intended generally for patient education, and are not intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease by aiding clinical decision-making (i.e., to facilitate a health professional’s assessment of a specific patient, replace the judgment of a health professional, or perform any clinical assessment).
4. Mobile apps that automate general office operations in a health care setting and are not intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease.
5. Mobile apps that are generic aids or general purpose products. These apps are not considered devices because they are not intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease.
VI. Frequently Asked Questions (FAQs)
1) I have a mobile app not identified in this guidance. What is the best way to get additional information from the FDA about my product?
Answer: FDA recognizes that this guidance does not describe all types of mobile apps used in healthcare. Some manufacturers may be unsure whether their mobile app is considered a medical device which is subject to regulatory oversight, or whether their medical device could be under FDA’s intent to exercise enforcement discretion. If the device is subject to regulatory oversight, manufacturers may have questions about which regulatory requirements are applicable to their specific mobile app.
After reviewing this guidance, FDA encourages mobile app manufacturers to contact the Agency to obtain more information.
2) Why does FDA recommend that manufacturers follow the Quality System (QS) regulation for those mobile apps that MAY be devices and could be mobile medical apps but for which FDA intends to exercise enforcement discretion?
Answer: FDA believes all manufacturers of medical device software should have in place an adequate quality management system that helps ensure that their products consistently meet applicable requirements and specifications and can support the software throughout its total life cycle. Having and maintaining an adequate quality management system is also important since the FDA has found that the majority of software-related failures in medical devices are due to design errors. In one study, the most common problem was failure to validate software prior to routine maintenance.
Adequate quality management systems incorporate appropriate risk management strategies, good design practices, adequate verification and validation, and appropriate methods to correct and prevent risks to patients and adverse events that may arise from the use of the product. All of these elements are part of FDA’s QS regulation.
3) Is FDA’s QS regulation similar to software development practices I already use?
Answer: Most likely. Though not all of the principles in the QS regulation are applicable to the development and manufacture of quality mobile medical apps, the majority of them are applicable and are consistent with commonly used and accepted good software development practices, such as those from the Institute of Electrical and Electronics Engineers’ (IEEE), Software Engineering Body of Knowledge (SWEBOK), and Carnegie Mellon Software Engineering Institute’s Capability Maturity Model Integration (CMMI) methods.
The FDA’s approach to QS regulation is also harmonized with certain international standards such as ISO 9001 and ISO 13485. Similar to these international standards, the QS regulation does not prescribe in detail how a manufacturer must produce a specific device but provides a framework for all manufacturers to develop and follow to help ensure that their products consistently meet applicable requirements and specifications. The QS regulation can apply to and be scaled for any size manufacturer and any type of product. It also allows for a manufacturer to choose those requirements most appropriate for its given device and manufacturing process.
4) What are some examples of parts of the QS regulation that are of particular importance to mobile medical apps and where can I find more information about them?
Answer: Though not a complete list, some examples of principles within the QS regulation that are relevant to all mobile medical app manufacturers include risk assessment and management, design controls, and corrective and preventive actions. Risk assessment and management is a critical part of good quality management systems. Good design practices are important to the development and manufacture of safe mobile medical apps. It is also important for
manufacturers to have procedures in place to identify, analyze, correct, and prevent app-related causes of patient or user harm. Additional references about these principles which mobile medical app manufacturers may find useful include the following: FDA’s “Design Control Guidance for Medical Device Manufacturers” and FDA’s “General Principles of Software Validation” guidance.
5) Do all the mobile medical apps have to submit a premarket submission and receive FDA clearance or approval before marketing?
Answer: No, not all mobile medical app manufacturers have to submit a premarket submission (i.e., a 510(k) or PMA) prior to marketing their app. This determination depends on the classification of the device. Manufacturers of devices that are exempt from 510(k) or PMA requirements do not have to file a submission with FDA prior to marketing their device. For example, the majority of class I devices are exempt from the premarket submission requirements and are subject to the least regulatory control.
Regardless of whether medical devices are subject to the premarket submission requirements, most medical devices (including Class I devices) have to comply with other basic regulatory requirements that are called “General Controls.”
6) Some FDA classifications state they are “510(k) exempt.” What does 510(k) exempt mean and how do I know if it applies to my product?
Answer: If a classification states the device type is “510(k) exempt,” this means that the manufacturer is not required to submit a premarket notification (i.e., a 510(k)) prior to marketing the device. However, the 510(k) exemption may be subject to certain limitations. Manufacturers are encouraged to confirm the device’s exempt status and any limitations to that status that may apply in accordance with 21 CFR Parts 862-892. Additional information about 510(k) exempt devices can be found here.
7) If a 510(k) is required for my mobile medical app, what type of software documentation does FDA recommend I include in the submission?
Answer: FDA’s recommendations for the software-related documentation that you provide in your premarket submission are addressed in detail in the FDA’s “Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices.”
If the mobile medical app uses off-the-shelf software, manufacturers should also refer to FDA’s “Guidance for Industry, FDA Reviewers, and Compliance on Off-the-Shelf Software Use in Medical Devices.”
8) I am a medical device manufacturer and making my product labeling available electronically using a mobile app. Is my app considered a mobile medical app?
Answer: Mobile apps that provide electronic access and are intended for use as a digital version of medical device labeling or instructions for use are not considered medical device on their own and therefore are not considered mobile medical apps. These are apps from a device manufacturer that provide information to support the company’s own device. Examples include apps that provide an electronic copy of cleared or approved medical device labeling or apps that provide video instruction for how to use a medical device. These types of apps are not considered devices within themselves, but instead are considered part of the medical device labeling and are subject to the regulatory labeling requirements relevant to that particular product
9) Does an electronic method of collecting clinical investigations for example through a mobile app considered a mobile medical app, what requirements apply?
Answer: Mobile apps used for data collection in clinical studies (such as electronic Patient Reported Outcomes (ePRO) apps) are not considered on its own a mobile medical app.
However, manufacturers and users of this type of mobile app should see FDA’s draft guidance related to use of computers in clinical trials, “Electronic Source Data in Clinical Investigations,” issued on November 20, 2012. When final, this guidance will represent the FDA’s current thinking on this topic. For the most recent version of this guidance, check the CDER guidance webpage.
10) I am a medical device manufacturer. Is an electronic method of collecting and storing quality systems information in my manufacturing process considered a medical device or a mobile medical app?
Answer: Mobile apps used in the production process for medical devices, or for collecting, storing and maintaining quality system data collection for medical devices (including complaint submissions) are not considered medical device on their own and therefore are not considered mobile medical apps. These types of apps do not meet the definition of medical device but are part of the quality system. However these mobile apps are required to comply with the appropriate good manufacturing practices (GMP) regulations (see 21 CFR Part 820).
I am happy to see that FDA is catching up on providing guidance on mobile medical applications. This way, the general public will be able to assess the information provided by their app is accurate or not.