FDA Considers Software Regulation

Amid opposition from the medical infotech industry, officials in the Food and Drug Administration are considering new regulations intended to improve the reliability of health-related computer systems.

"With regulations that are not carefully thought through, the possibility exists that research and development of new technologies could be hampered," said Carla Smith, executive director of the industry-sponsored Center for Health Care Information Management, Ann Arbor, Mich.

FDA officials and executives from the health-care infotech industry, which had revenues of approximately $12.5 billion last year, will discuss the proposed FDA policy at a public meeting at the National Institutes of Health, Bethesda, Md., Sept. 3-4.

If the FDA decides to regulate software, it will take several years of rulemaking and legal appeals before the software safety regulations would take effect, said Dee Simons, vice president for technology and regulatory affairs at the Washington-based Health Industry Manufacturers Association. "The FDA is really concerned about doing the right thing. They know that they have to do it slowly," she said.

The health-care infotech industry has not devised a common response to the FDA's software policy proposal, partly because "we know so little about what the FDA is considering," said Smith. "We are also concerned about how far the FDA wants to go. Do they want to regulate [health-related] satellites and modems? That's a scary thought," said Simons.

After the FDA meeting in September, software executives will meet to devise a common position, said Simons.

Under existing rules, FDA officials tightly regulate the safety of medical devices, such as heart pacemakers or software-controlled X-ray machines. Under a 1989 policy, these regulations exempt software-driven devices that allow "competent human intervention" before they affect any patient.

However, FDA officials say the "competent human intervention" exemption is being undermined by the advent of improved medical technology. For example, the industry may develop a software-controlled machine to automatically administer drugs when a patient's condition changes, said Chuck Furfine, an official in the FDA's office of science and technology in Rockville, Md.

Because such a machine may pose a health risk to the public, the FDA must try to measure the risk that critical software might contain flaws, and then perhaps regulate medical software's design and use, Furfine said.

The immediate concern, said Simons, is that FDA regulations could affect the introduction of Diagnostic Support Systems, which suggest possible remedies to patients' symptoms, or the development of new software programs intended to process and track data from blood and other laboratory tests.

Hospitals, doctors and insurance companies are increasingly using such technology to streamline patient care and cut costs. The technology is being developed by companies such as Shared Medical Systems, Malvern, Pa., and HBO &amp Co., Atlanta.

The critical issue for the infotech industry is whether Diagnostic Support Systems and other software should be regulated, said Simons. If so, industry and government officials must debate what level of regulation should be applied. FDA regulators use a three-level regulatory scheme, where the most intensive oversight is given to Class 3 products, she said.

"I am sure there are some legitimate reasons to regulate some [software] devices that have fallen through the [regulatory] cracks," said Simons. However, the FDA should avoid regulation of record-keeping software, large-scale database software, or general-purpose software such as word-processing programs, she said. Overregulation may cause long delays as companies struggle to get their new product through the FDA's regulatory hoops, she said.

The September meeting will help FDA officials develop methods to gauge the risk of software, said Furfine. With that knowledge, FDA officials can draft regulations to reduce risks, and establish methods to measure the cost and benefits of safety regulations, he said. "Ideally, this could be done in a year," but may take much longer, he said.

Companies have already taken steps to ensure the safety and reliability of their products, partly because they know that safety flaws may prompt greater FDA regulation, Smith said.

During the 1980s, the FDA imposed tight safety regulations on the industry that collects and distributes blood, following the industry's failure to screen blood tainted by AIDS and other diseases, she said. "The computer and software industry is aware of what happened" to the blood business, Smith said.