Christopher Ezold of The Ezold Law Firm.

A question that investors frequently ask of emerging growth life sciences companies is whether they have considered how to monetize the data they will inevitably collect in the development, marketing and sale of their service or product. Data merely existing in a compilation can have value; analytics can increase that value by orders of magnitude. Beyond compilation and analytics is the use of data to provide direct treatment or services. Using artificial intelligence (AI) (smart machines that are developed to do work normally done by humans) and machine learning (ML) (machines that are designed to teach themselves), data can be used to produce products and services of great value, such as customized genomic cancer treatments. These tools, products and services are a rapidly emerging growth area in the life sciences, and the Food and Drug Administration has taken note.

On April 2, the FDA released a discussion paper titled “Proposed Regulatory Framework for Modifications to Artificial Intelligence/Machine Learning (AI/ML)-Based Software as a Medical Device (SaMD).” The International Medical Device Regulators Forum defines SaMD as software intended to be used for … medical purposes … without being part of a hardware medical device. Thus, the software can perform its medical purpose without being tied to a specific piece of hardware. The discussion paper recognizes the challenges in regulating AI/ML SaMD, which learns and adapts over time. Essentially, the FDA is examining how to regulate SaMD that is designed to, over time, evolve into a product different from the one that was originally found to be safe and effective by the FDA's regulatory process and cleared for market.

In a statement released with the discussion paper, Scott Gottlieb, former FDA commissioner, stated that AI technologies that have been granted marketing authorization and cleared by the FDA are locked algorithms that do not continually adapt or learn every time the algorithm is used. Gottlieb further stated that the FDA is exploring a framework that would help developers bring AI devices to market; the discussion paper is the initial step in that process, as well as future draft guidance.

Currently, SaMD reaches the market after a 510(k) process; the FDA's Center for Devices and Radiological Health (CDRH) has published guidance on when changes to software require a new 510(k) submission. A new 510(k) is required when a change to the software introduces a new risk or modifies an existing risk that could result in significant harm (without mitigation in the most recently cleared device), necessitates or new or modified risk control measure for a risk that could result in significant harm, or significantly affects clinical functionality or performance specifications, see “Deciding When to Submit a 510(k) for a Software Change to an Existing Device;” Guidance for industry and FDA staff, October 2017. The FDA has recognized that these standards could result in a significant number of new 510(k) submissions for existing SaMD; this number would only increase as the numbers of SaMD increase in the marketplace.  The FDA is considering whether an approach that 'enables the evaluation and monitoring' of SaMD from premarket development to post-market performance would be able to provide reasonable assurance that iterative SaMD could meet FDA safety and effectiveness standards. It is clear that the FDA envisions that the industry will collaborate and self-regulate in part by establishing a quality control system that is active through the lifecycle of an SaMD product.

The FDA's discussion paper is a review of the issues surrounding regulation of SaMD, and poses a large number of questions and solicits feedback from the industry. In particular, the discussion paper envisions a total oroduct lifecycle' (TPLC) approach to regulatory oversight of SaMD as necessary to assure safety and efficacy due to SaMD's evolution over time. The TPLC approach would:

• Establish clear expectations on quality systems and good ML practices;
• Conduct premarket review for SaMD to demonstrate reasonable assurance of safety and efficacy and establish clear expectations for manufacturers to continually manage patient risk through the product's lifecycle;
• Expect manufacturers to monitor SaMD an incorporate a risk-management approach to development and execution of SaMD evolution; and
• Enable increased transparency to users and the FDA using postmarket real-world reporting to maintain safety and efficacy.

If manufacturers must perpetually monitor SaMD throughout its lifecycle, it is clear that an enormous amount of valuable data will be captured by the manufacturers, and the privacy, research and commercialization issues arising out of this captured data are not yet addressed by the FDA. Various federal and state laws, including the recent far reaching California Consumer Privacy Act (CCPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) will have a significant impact on manufacturer operations and compliance in this sphere and will have to be carefully considered. Given the global nature of the medical device and pharmaceutical industries, as well as a potential reduction in logistical issues for SaMD distribution over the internet, the European Union's General Data Protection Regulation (GDPR) is also likely to have an impact. The FDA considers transparency about the function and modifications of medical devices as a key aspect of their safety. Whether the FDA will consider transparency with regard to the collateral collection, use and commercialization of SaMD data in the developing regulatory scheme remains to be seen, but manufacturers would be wise to plan ahead on this issue.

Christopher Ezold is the managing partner of the business and health law group The Ezold Law Firm in Bala Cynwyd. He is also EVP for strategy and general counsel for health tech firm Forerunner Holdings and a sponsor of the Mid-Atlantic Region of The Keiretsu Forum, the world's largest angel investment group.