MCC: During your tenure at the FDA, there was a strong focus on medical product safety. What prompted such attention?
Brown: Over the course of my time at the FDA in a couple different capacities starting in 2010, the issue of medical product safety, including medical device safety, was a paramount priority, in part because it was increasingly apparent that the existing paradigm of using good manufacturing practices as the primary means of ensuring quality was insufficient.
In harnessing greater access to data, both the industry and government were better able to identify potential safety concerns that may or may not also be reflected in an instance of noncompliance, but that would nevertheless signal the possibility of an adverse event or recall. At the same time, the increasingly global nature of product development stretches FDA’s inspection capacity, particularly given that the inspectorate is still predominantly located in the United States. So, there has been a lot of big-picture discussion, which is ongoing, about changing the FDA’s approaches to quality assurance and enforcement, in keeping with its primary focus on ensuring safety and reducing the occurrence of adverse events. Up to now, much of the public attention to these issues has focused on the drug industry, but many of the same principles and trends apply to the device industry as well.
This implies a stronger focus on prevention, particularly when it extends beyond thinking in strict terms about regulatory compliance. In other words, companies in compliance with the letter of good manufacturing practices may still be able to detect signs that something could go wrong or that there is the potential for hiccups in their manufacturing process or supply chain, and the FDA expects them to act on that knowledge. This new approach also places a premium on a global approach to quality, meaning the FDA is looking to companies to exercise consistent practices and preemptively address concerns across their operations, not just in the one plant in which the problem arose.
MCC: Please talk about current developments and any major changes you are anticipating.
Brown: The device industry is emerging from a period of significant frustration with the FDA, a high level of distrust and, whether accurate or not, a feeling that the agency’s performance was inconsistent. The last round of user-fee negotiations with the industry, which took place as part of the 2012 FDA reauthorization, has led to reforms that have brought greater transparency and consistency, particularly in the pre-market review process.
With more resources now available to the FDA and more formalized procedures, we’ve seen overall improvement in the regulatory environment and in the relationship between the industry and the agency. There are still refinements to be made to the premarket review process. The de novo program, for instance, is very challenging legally because it requires creation of a brand new classification; these reviews tend to take longer and, so far, the de novo process hasn’t been subject to the types of negotiated performance goals that other submission types have. Going forward, huge changes in technology will lead to continued policy discussions as to the right approach to regulation, in areas such as diagnostic tests, medical software and combination products.
Right now, Congress is debating significant reforms to the FDA regulatory framework. Later this year we’ll also see the beginning of another round of user fee negotiations with the device industry that will culminate in a reauthorization of the user fee program in 2017. There will continue to be focus, in Congress, and in FDA/industry negotiations, on how to accommodate new technologies, such as software and diagnostics, into the existing regulatory framework, and how to leverage significant amounts of data, not just from a post-market perspective but also on the pre-market side, to expedite clinical trials and look for other ways to speed products to market while maintaining the assurance that they are safe and effective.
MCC: What insights from government service do you find useful in private practice?
Brown: The first big-picture insight is that the agency is staffed with hard-working and overburdened people, not clock-punchers, and they are trying to do the right thing. When, for example, a company develops a new diagnostic tool or testing method, the challenge lies in trying to fit that innovation into the existing regulatory frameworks, recognizing both the potential risk and the potential reward from this innovative new product. It takes effort and trust to work out these types of issues with an agency, and the agency’s staffing and resources do matter in terms of ensuring there is bandwidth to think through novel issues in a creative way.
Secondly, it is important to keep in mind that various government agencies often pursue different, sometimes even conflicting, yet equally legitimate, missions to meet their core objectives. Together they have a significant influence over a company’s business strategy, and here I refer in particular to the FDA, the Centers for Medicare & Medicaid Services (CMS), the Department of Health and Human Services (HHS) more broadly, the Office of Management and Budget (OMB) and Congress. Companies have to be aware of a matrix of governmental interests as they determine how to advance their own strategy and need to be able to demonstrate somewhat different benefits and results in each case. FDA’s concern about safety and efficacy, and the type of data the agency will want to see to support product approval, may or may not match up with the types of data CMS will want to see to support Medicare coverage, and each of those data requests may support or undermine cost considerations and budget impact.
MCC: On October 14, 2014, the International Medical Device Regulators Forum (IMDRF) issued a final version of Software as a Medical Device: Possible Framework for Risk Categorization and Corresponding Considerations (the Framework). Can you give us some background and your thoughts on the role of software?
Brown: I engaged on this issue extensively during my time in government and take a great personal interest in it. Most recently, the U.S. has led IMDRF’s “Software as a Medical Device” discussions, which have included Europe, Russia, Japan, China, Canada, Australia, Brazil and certain other affiliated organizations. The idea is not to develop a harmonized regulatory approach that supersedes each country's existing standards, but rather to outline shared principles, essentially suggestions for countries in planning what direction to take.
Even more so than other technologies, software lends itself to a great degree of harmonization because it's digital and moves more freely, whereas physical products easily stop at borders to be reviewed according to each country’s approach. Also, regulation of medical software is new, so many countries haven’t yet articulated how they intend to bring it under their existing device regulatory umbrella.
Most countries use a definition of “medical device” that is roughly similar to the U.S. definition, which is very broad in potentially including virtually all software that has a medical purpose. This broad definition creates some uncertainty, however, because the U.S. government has not taken the position that it will apply the medical device standards to all software, such as mobile apps, which technically falls under that broad definition. The U.S. government, and FDA in particular, has provided a significant amount of policy clarity over the last year and a half, although open questions certainly remain. Many other countries are even further from providing clarity on how they intend to regulate software, from very high-end clinical software down to wearables and fitness apps. So the IMDRF’s value is to provide guidance, at an international level, with a framework that focuses on a product’s risk profile and intended use, and it is fairly consistent with the U.S. health IT framework, designed to reflect our own regulatory approach to health software. This is very valuable to companies as they seek to develop software-based products with as much worldwide potential as possible.
MCC: What is the current status of the FDA's claim to regulatory authority over laboratory-developed tests (LDTs), including any implications for product liability?
Brown: Earlier this year, the FDA released two draft guidances proposing a framework for LDTs, which essentially are diagnostic tests developed by a CLIA*-certified lab (*Clinical Laboratory Improvement Amendments), sometimes referred to as home-brew tests. Since at least the early 1990s, the FDA’s position has been that LDTs are indeed medical devices that fall within its regulatory authority, notwithstanding that they are developed and used by a CLIA lab. But the FDA has exercised enforcement discretion, meaning that the agency has generally not enforced requirements under the Federal Food, Drug, and Cosmetic Act (FD&C Act) against LDTs. As a result, that industry has proliferated over time, but there are concerns about a decline in quality because LDTs don't go through the premarket review process and, thus, haven’t been shown to perform as promoted or may not be as precise in their diagnoses.
Makers of other diagnostics that are regulated as medical devices have complained about an uneven playing field. Labs argue, in turn, that they are regulated under CLIA, and they are providing a testing service that does not fall under the FD&C Act’s device definition. The current proposed draft guidance essentially phases in an approach where most types of LDTs would fall under FDA's regulatory authority, meaning FDA would lift its current enforcement discretion posture. The fate of that guidance remains to be seen; the lab community is resisting, and there may be lawsuits. In recent years, Congress has proposed legislation to address LDTs and may do so again this year, so there’s much still to be resolved.
The question about implications for products liability is very interesting. On the one hand, strictly speaking, only devices that are approved through the premarket approval (PMA) process for the highest-risk category devices (as opposed to the 510(k) clearance process) receive preemption from product liability. Speaking more broadly, there is an obvious value in having the imprimatur of FDA clearance, even the lower-risk-level clearance for 510(K) products, because it proves that the company has provided data – or shown substantial equivalence to other products on the market, and through that process the sponsor has modulated its promotional claims to receive clearance or approval in ways that inherently reduce liability risk.
In the LDT context, it's important to understand that there is a huge variety of LDTs and that the ultimate liability risk, even within the FDA regulatory framework, will depend greatly on the context in which they're used. To cite one example, many LDTs are developed by hospitals for use in the hospital and may serve more as an aid to a doctor in making a decision rather than as the final word on a diagnosis. Here, the nature of the liability risk is potentially attenuated as compared to an independent lab that delivers a final diagnosis to outside hospitals and providers.
MCC: Talk about some of the issues companies face in managing various federal and state enforcement regimes.
Brown: Many states have incorporated the Federal Food, Drug, and Cosmetic Act into their own state laws, with the result that its provisions may be enforced at the federal or state levels. In recent years, I have noted increasing instances in which state interpretations of the FD&C Act have deviated from those of the FDA or DOJ, which also enforces the FD&C Act.
These potential differences lead to very significant challenges for companies. While the FDA's enforcement is largely focused on concerns over safety and efficacy, a state attorney general may pursue a case for the purpose of raising the prominence of certain issues or, potentially, for the civil monetary value of suits or simply without a broader consideration for how a particular enforcement action might impact the availability of necessary medical products. Certainly, states are often concerned about safety as well and the protection of their residents; however, in many cases, companies are faced with state-imposed liability based on an application of the law that federal officials either would disagree with or perhaps would feel represents an excessive level of penalty. So, it’s an understandable instinct when companies try to force the intervention or input of the FDA into a state action. For a variety of reasons, the agency prefers to avoid entanglements with state cases – leaving companies with difficult choices.
In other cases, state action can be an advantage when a company is unable to convince the FDA or other federal officials to take action. For instance, if a competitor is, say, marketing an unapproved product or making inappropriate claims for a product, it may be difficult to convince the FDA or DOJ to take enforcement action if the product’s allegedly violative marketing doesn’t raise compelling safety or efficacy concerns. States often serve as an outlet to achieve a result that then can have a precedential effect elsewhere in the country.
MCC: What are the common triggers for regulatory scrutiny? How do you advise companies to cope with these challenges?
Brown: The biggest trigger will always be an adverse event. On the proactive side, my best advice is to implement safeguards that prevent these issues or, at least, minimize their scope. When an event does occur, I counsel companies to investigate the cause of an event and respond promptly. Failure to do the latter is another significant cause of investigations.
More broadly, under the quality systems approach to regulation, the standards are largely ones of principle, meaning it’s up to the company to establish detailed standard operating procedures. While there is a significant amount of flexibility, the key to success is in following those SOPs to the letter.
The last trigger I’ll discuss relates to our global economy. Increasingly, companies are relying on an international base of suppliers for parts and even finished products; therefore, regulators increasingly expect companies to police and maintain control over their supply chains. I might add that many companies have found that in order to comply, there is no choice but to maintain a physical presence and do their own supplier inspections.
MCC: It’s interesting that you mention globalization. Can you tell us more?
Brown: What I’m seeing is an ongoing culture shift. The FDA has expanded what used to be a largely domestic reach that focused on the U.S. operations of companies. The agency has established a nascent but growing global presence, both through partnering with other countries to share information and in actually conducting investigations in other parts of the world, such as China and India. So, the dynamic has changed and essentially represents a force multiplier of regulatory oversight that companies now face.
Now, getting back to the discussion on supply chains, a company should consider these developments when vetting and hiring suppliers, for instance, in confirming that they are sufficiently regulated in their own countries and that the countries themselves maintain sophisticated oversight functions. These steps will add a degree of assurance in facing regulatory risks. Increasing globalization has also put more pressure on the imports process, which is also straining under resource limitations, and there is a need to look for more creative approaches that improve efficiency. There is a lot of room for partnership between government and industry here, as delays – whether due to resource limitations or official holds – have significant economic consequences for companies.
MCC: You also mentioned effective SOPs as a deterrent to regulatory attention. Would you expand on the importance of documenting policies and procedures?
Brown: Sure. Under the Quality Systems regime, a company has to distill its approach in its policies, both as an official regulatory requirement and as substantive effort. What I mean by the latter is that policies have to be ingrained into a corporate culture so that they're followed not just to the letter, but in spirit as well. Companies must formalize that process through documentation but also through training and consistent re-evaluation. It also does little good to have policies in practice but not document them, because you will be unprepared when inspectors arrive or the company is faced with a lawsuit. From a policy-development and a record-keeping standpoint, it's important to have a very thorough system in place.
MCC: Some argue that the high level of U.S. innovation in the medical device industry is positively correlated with the rigorous standards applied by federal regulators. What’s your opinion on where we stand and where we are headed?
Brown: It's a great question, and educated opinions go in both directions, including the alternate point of view that the current level of regulation stifles innovation. While there's truth on both sides, my personal opinion is that the U.S. process remains a gold standard. Our bifurcated system imposes rigorous clearance hurdles from the FDA and CMS, but it also leads to the development of very high-quality products.
With respect to innovation, we’re seeing a couple of changes. It is codified within the CMS process to look at the real value – or, as some would say, the comparative effectiveness – of a product. While not technically part of the FDA review process, reforms to the premarket process have moved in the direction of placing greater priority, via accelerated approval processes, on breakthrough products that potentially make clinically significant differences over currently marketed products. Inherently, that gives innovation a leg up and provides desirable incentives to the industry. We’re making progress, but it will take time to adapt a rigorous system to the newest frontiers of innovation. We discussed software, which is a good example. There is a constant need to adapt our regulatory system to changes in technology, and there’s always the risk that by the time we adapt to one change, another change is upon us.
MCC: What is the FDA’s current stance on building cybersecurity into medical devices? Talk about some of the risks.
Brown: The medical device industry faces two main buckets of cyber risk. The first is a fairly common variety of data theft risk that many companies face. The products of a medical device company are connected to medical software or other equipment that stores patient health information – or potentially other types of commercially valuable information. And device companies have their own valuable information. On top of that, however, medical device companies face product-related risk because cyber breaches - or even more mundane types of intrusions like malware – can affect the functioning of a device and slow the transmission of data. Some intrusions are intentional, and some are not, but either way they can interfere with image quality, reduce data transmission speed, change data fields or create other such issues, any of which could render the device incapable of working in real time or cause it to provide incorrect data – all with adverse implications on the quality of healthcare.
The FDA's approach to cyber issues has been balanced: they are concerned with the safety and efficacy of medical devices, while also recognizing that the security measures themselves might make the device difficult to use as intended, thus interfering with efficacy. The FDA has issued final guidance that lays out issues for device companies to address during premarket submissions, but these expectations tend toward a balanced approach to the security versus usability factors. Some have pushed FDA to be more prescriptive than it is, but that's the approach that FDA has taken at the moment, and it is generally consistent with the overall approach to the Quality Systems regulation, which lays out general expectations without being prescriptive about how a company should get there.
I will add that there is also the risk – although my sense and hope is that it remains theoretical at this point – that someone could hack into a device such as a pacemaker to cause someone intentional harm. Up to now, I'm not aware of any breaches that were intentionally designed to interfere with a device’s functionality with the purpose of causing harm. We’ve seen this depicted on TV, but in reality I think it’s a longer-term concern.
MCC: Given the opportunities and challenges in this rapidly developing space, what excites you most about your practice?
Brown: What excites me is the opportunity to work with innovative companies that believe they can improve the healthcare system – through better treatments, better diagnoses or simply more cost-effective approaches. When I was in government, I was lucky enough to work on many of these cutting-edge areas of innovation. I often find that my value is translational: it is difficult for a company to understand what the FDA thinks about a particular issue beyond existing guidance documents, if there are any. In many cases, we can find a creative path that can meet the agency’s concerns and the concerns of other stakeholders, but it often takes constructive engagement to get there. The explosion in technology and access to information, coupled with globalization, has put a fine point on the need for our regulatory system to focus on the greatest areas of risk. FDA will never be able to inspect every plant around the world and will never be able to pre-review every product. The collective challenge for industry and the agency is to continue to find ways to focus efforts – and finite resources – in ways that are best suited to reduce risks to patients and also facilitate development of new treatments.
Published March 19, 2015.