September 3, 2024 | Courtney Lias, Ph.D., the newly named director of the FDA’s Office of In Vitro Diagnostic Devices (OHT7) took to the stage at last week’s Next Generation Dx Summit to discuss the latest trends, and associated challenges, in carrying out total product lifecycle activities for in vitro diagnostic devices for the Food and Drug Administration's (FDA) Center for Devices and Radiological Health (CDRH). Most critical for manufacturers is ensuring their devices are cybersecure— even if they didn’t design the software components, intend the product to be plugged in, or the functions in question aren’t serving a medical purpose.
Other big themes of her keynote presentation were increased access to testing, an independent test assessment program (ITAP) that is streamlining the authorization process, and recent down-classification of most high-risk in vitro diagnostics (IVDs) so they are overseen by the 510(k) program instead of the Premarket Approval (PMA) program. Lias also provided an update on an oncology diagnostics pilot program that launched last year, the agency’s experiences with devices enabled by artificial intelligence (AI) and machine learning (ML), and how the advent of “predetermined change control plans” (PCCPs) is adding value in the AI/ML realm.
But she started with a rundown of the significant management leadership changes that have occurred recently within CDRH. In addition to her promotion from acting director of OHT7, the list includes the retirement of Jeff Shuren, M.D., whose position is being temporarily filled by Michelle Tarver, M.D., Ph.D., an ophthalmologist by training who has been leading efforts in center director’s office around patient engagement and outreach. Bill Maisel, M.D., founding director of CDRH’s Office of Product Evaluation Quality, also retired with Owen Faris, Ph.D., now serving as acting director with a permanent director soon to take over.
Increased access to testing—notably, through at-home tests, self-sampling, and near-patient clinics—has emerged as a major theme within OHT7, coming to a head during the COVID-19 pandemic, Lias reports. The new and predominant area of interest is testing for infectious diseases, including sexually transmitted diseases.
The authorization of home testing is nothing new for the agency, she continues, adding that the FDA has authorized more than 400 over-the-counter (OTC) products in just the last 10 years. However, the types of tests being approved are changing (e.g., COVID-19 tests and blood glucose meters).
Developers of tests intended to be performed at home or requiring a specimen to be collected at home have a lot to think about, says Lias. But there are real opportunities in the infectious disease and cancer screening spaces for “technologies that enable untrained or less trained users to access testing... [to] increase undertested or under-screened populations.”
The Biden administration’s Cancer Moonshot initiative is particularly interested in increasing home specimen collection for HPV screening to try to get more people screened for cervical cancer, she says. “We are trying to look for additional tests for sexually transmitted infections for people who may be embarrassed to go to the doctor or prefer the privacy of the home.”
When the science, validation, and need are there, says Lias, “we have the ability to move very quickly ... in conjunction with other stakeholders.” She cites as an example an OTC fentanyl test meeting an unmet need where the review process was completed in a couple of weeks.
CDRH overall is interested in home use devices, she adds, referencing a “home use docket” that was soliciting public comments last fall. The devices include IVDs as well as “home as a healthcare hub” concepts whereby homes (even workplaces) are designed to enable healthcare, including the diagnostics piece with all the necessary supplies and refrigeration at the ready.
ITAP, started out of the Rapid Acceleration of Diagnostics (RADx) program of the National Institutes of Health during the pandemic, has enabled the efficient development and validation of many tests to bring them to market quicker, says Lias. The focus initially was on COVID tests but expanded to include multi-analyte, point-of-care and OTC COVID/flu tests.
It’s a great model that highlights the potential for government and industry to work together to streamline regulatory processes, particularly for unmet needs, she says. ITAP most recently expanded to a point-of-care, CLIA-waived test for the hepatitis C virus, around which the Biden administration favors the creation of a test-to-treat paradigm for underserved populations in drug clinics and homeless shelters who are otherwise lost to follow-up and hinder disease eradication efforts. The project initiated in January and the test was authorized by June.
Among the other new notable authorizations that are increasing patient access to testing is the recently approved Shield colon cancer screening blood test of Guardant Health, Lias says, and the first OTC syphilis test developed by NOWDiagnostics that was authorized in mid-August. The syphilis test is performed fully at home on a fingerprick specimen and addresses a public health problem of epidemic proportion.
In addition, continuous glucose monitors (CGMs) frequently used by people with type 1 diabetes soon will be available over the counter. Abbott and Dexcom will be providing access to the technology, reports Lias.
As announced at the end of January, CDHR will be reclassifying most Class 3 IVDs that will allow manufacturers of certain types of tests, including companion diagnostic (CDx) and microbiology devices, to seek marketing clearance through the 510(k) pathway—yet another area where regulation is being streamlined, Lias says. The thinking here is that the tests are now well known and therefore special controls could be crafted to mitigate the risks to a level sufficient to make the less burdensome pathway appropriate. The move “provides an incentive for more [smaller] players to get into the field” in terms of both predictability and cost.
Performance Specifications
An oncology diagnostics pilot program involving nine drug sponsors, which was announced through guidance in June of 2023, is another area where the CDHR is attempting to streamline some of the “clunky” areas around CDx, Lias shares. The idea here is to get drug manufacturers to “think about the performance specifications that their companion diagnostic test should have to achieve the outcome they need, and then make sure that the clinical trial assay... used across their sites meets those performance specifications.”
The ongoing pilot is focused on established technologies with a “well-validated reference method or characterized material to enable the transfer of performance specification across tests,” she continues. It has become apparent that manufacturers are having trouble getting information on the clinical trial assays that they’re using because laboratories are unwilling to provide test performance information and “that makes is difficult for us to accept them into a pilot.”
Additionally, variability has been seen across clinical trial assay sites and in some instances the programs have been retrospective based on a study previously conducted, says Lias. How these challenges will be addressed has yet to be determined.
“What we really want out of this pilot and for companion diagnostics in general is a situation where a patient, no matter what insurance they have and no matter where they live, can go to a laboratory and get the same result at one hospital or lab as... [any other] hospital or lab and that’s currently unfortunately not the case,” Lias says. “We would love to work toward transparency around test performance as well as have more standardization and harmonization in companion diagnostic assays, whether they be IHC [immunohistochemistry], FISH [fluorescence in situ hybridization], or NGS [next-generation sequencing], or other technologies.”
When it comes to AI and ML, generative AI often come to mind, says Lias. But what the FDA typically sees more are device developers using algorithms in the development of a product or to analyze a specimen set. “Those algorithms are frozen in use and they’re not continually learning.”
However, the technology is expanding, and the agency is “committed to coming up with frameworks that really work [and], to that end, we are in lockstep with Health Canada and the UK to really look at some best practices for machine learning and AI,” Lias continues. To be clear, she adds, the FDA does not discourage the development of AI-enabled devices; the problem has been the difficulty in creating and validating such tests for a clinical purpose and “that will change over time.”
“We really encourage the conversation,” says Lias, noting that many of the AI-enabled devices she has seen have been IVDs for evaluating images to diagnose cancer. The full list is available on the FDA’s Digital Health Center of Excellence website along with a host of other helpful resources.
Change control is a “big, important piece” of the development and validation process with AI-enabled devices, she says, in introducing the topic of predetermined change control plans (PCCP) for such devices. PCCPs, which formally came on the scene in September of 2022, document how a manufacturer is going to “implement and validate prespecified types of changes in [their] device.”
A plan gets authorized by the FDA as part of the premarket review process when a device gets cleared or approved, she explains. Thereafter, in lieu of submitting a new PMA or 510(k) application when making modifications, companies can simply follow their plan. “We really think this is a way we can optimize resources for industry, provide transparency for everyone about what is happening, and if you don’t want to follow the plan you can certainly follow other pathways.”
A PCCP can theoretically be used for any type of change, not just updates to an AI/ML device, Lias says. But “the more complicated the change, the more complicated the plan, so there probably is a practical limit to where one would go with this.”
IVDs are a bit “ahead of the curve” with PCCPs, she adds. They’ve been used in multiple scenarios, including for the addition of genetic variants to a testing panel or CGMs to an insulin pump. Companies need to be very specific in their plans about the changes they anticipate making and exactly how those changes will be validated and how it will be determined that validation is successful, she stresses.
Lias closed out her presentation with what she views as the most important, and troubling, topic of the day—cybersecurity. Under a new law that went into effect in 2023, the FDA is required to review certain cybersecurity information on any medical device defined as a cyber device; that is, “a device that includes software that’s validated, installed, or authorized by the sponsor of a device or in a device, has the ability to connect to the internet, and contains any such technological characteristics validated, installed, or authorized by the sponsor that can be vulnerable to cybersecurity threats.”
The definition covers most current medical devices, unless they involve no software whatsoever, says emphasizes.
Cyber devices all need a cybersecurity management plan, including “documentation to provide a reasonable assurance that the device and related systems are secure and made available with regular critical updates,” Lias continues. It is not enough that a device was designed to be secure because “it is not about what you meant to happen; it’s what somebody else means to happen through your device.”
Medical device manufacturers must take seriously the need to engage cybersecurity experts in the evaluation and design of their devices, including the upkeep and maintenance of cybersecurity, if they hope to get through these reviews, says Lias. The FDA has issued final premarket and post-market guidance on the cybersecurity mandates and highly recommend they be given a thorough reading.
Cybersecurity is no longer “nice to have” as it was a decade ago, she stresses. “We are in a situation now where the center is enforcing a plan for cybersecurity requirements and when people come in and [have not done that]... submissions are not getting through”—and that applies to both new and some legacy devices. When developing a new cyber device, “build that cybersecurity in,” she suggests, including the ability to create or make appropriate cybersecurity updates.
Yes, hospitals are struggling to come up with the budget to update their cybersecurity infrastructure, she says. “We are aware that hospitals have different levels of readiness to accept devices that have certain security features and those are challenges that have been dealt with in different ways,” for example by designing two different types of cybersecurity cards.
“If you are a test developer and do not make the instrument you are using, you should choose one that is cybersecure and... is either separately regulated [e.g., exempted products that have to meet cybersecurity requirements on their own]... or you have access to all the information you need to address these cybersecurity questions,” advises Lias. For companies leveraging legacy instruments not designed with cybersecurity in mind, gaining access to the required information is one of the biggest expected challenges on the horizon.