Who controls the Spice? - Exits and Outcomes

In this article:

The inside story of how Apple timed its 2018 de novos in collaboration with the FDA — thanks to its Pre-Cert Pilot Program. Following a series of FOIA requests, E&O analyzed more than 17,000 pages of emails and other documents that Apple and the FDA exchanged between 2013 and 2019 to investigate Apple’s original regulatory clearances.

In December 2015, about 18 months before he became the Commissioner of the FDA, Scott Gottlieb MD wrote a column for Forbes entitled, “Why Apple Dumbs down Your Smartphone.”

Gottlieb argued that while Apple “advances the medical promise of its watch and smartphones,” the company has made clear that its “foremost aim” was not to “cross the lines that would class its new watch as a ‘medical device’ in the eyes of regulators.”

Gottlieb’s column was well-read both in digital health circles and on Capitol Hill. It’s also a prime example of a common refrain at the time: The FDA was holding back digital health innovation, especially from Big Tech companies.

Another go-to example for Gottlieb back then: In 2014, Google’s founders said that they wouldn’t move into health tech because of the regulatory burden in the US.

And, of course, 23andMe once had its own infamous FDA avoidance strategy.

So, when Gottlieb became the FDA Commissioner in 2017, and the agency stood up the Pre-Cert program a few months later, the FDA’s relationship with Silicon Valley was set to change.

By the end of 2017, Pre-Cert attracted three Big Tech companies among its nine pilot participants: Apple, Google/Verily, and Samsung.

And by the end of 2018, the FDA could announce that Apple, the biggest tech company in the world, now marketed two medical device products regulated by the agency.

Since then there has been little grumbling on Capitol Hill or in Forbes columns about the FDA restraining health tech innovations. On that political front, anyway: Mission accomplished.

Of course, the two de novos that Apple announced in September 2018 from the stage of one of their big product launch events were controversial from the start. The official review time for one of the de novos clocked in at just 28 days. And Apple and the FDA had apparently coordinated the timing of the clearances to coincide with the date of Apple’s big event. Finally, questions arose about how Apple managed to keep the FDA from reviewing the hardware of its Apple Watch along with the two software as a medical device (SaMD) products.

More than three years later, questions surrounding Apple’s 2018 de novos remain largely unanswered.

In response to a series of Freedom Of Information Act requests to the FDA, Exits & Outcomes received more than 17,000 pages of emails and other documents that the FDA exchanged with Apple. The emails reveal:

Surprisingly, it was Apple’s participation in the Pre-Cert program that enabled it to convince the FDA to tailor-make a much more interactive, modular regulatory pathway just for its two SaMDs.
In March 2018 the FDA made it a goal to grant Apple its de novo clearances in time for the company’s launch event in September.
Apple set up two shell companies that submitted the de novos on its behalf. Apple also code-named the two SaMDs “Spice” and “Caterpillar.”
FDA officials verbally instructed some members of the review teams (and possibly all members of the review teams) not to issue additional information letters as the September 1, 2018 deadline drew near, but instead make “decline” decisions that FDA managers would then be in a position to overrule days later.

Here’s how it happened…

2013-2016: Apple and the FDA, the early years

Apple’s past meetings and emails with the FDA have been well-documented over the years, but those older email exchanges take on new meaning in the context of this report. (The emails cited in this section come from a batch of nearly 300 emails that I received via a FOIA request back in 2016 when I was still the Editor-in-Chief of MobiHealthNews.)

The very first emails that the FDA and Apple exchanged were back in 2013 while the agency was focused on developing its strategy for regulating Mobile Medical Apps (MMAs). FDA met with Apple as early as December 2013 to discuss how the operator of the AppStore reviewed medical apps made by third-party developers as well as to discuss “commercial platforms with sensors,” according to emails exchanged between the company and the FDA.

Apple’s interest in helping the FDA re-shape the 510(k) process became apparent in 2016. Apple’s Principal Counsel Robin Diane Goldstein wrote Bakul Patel, then-associate director for digital health in the FDA’s Center for Devices and Radiological Health, on March 18, 2016:

“as [Apple’s VP of Medical Technology Mike O’Reilly] mentioned, [Apple’s COO Jeff Williams] has asked me to lead the thinking (or at least the conversation) on the intersection of the regulatory landscape (as it currently exists and where we hope we might be able to influence its movement) and our products and platforms… i think we all see an opportunity for innovation, building new models of engagement, and adapting regulatory paradigms to enable the kind of solutions we all want to see… i know you have been leading the charge within the FDA on this front and would love to get your thinking and begin what i hope is an extended conversation.

“full disclosure: i don’t come from a medical device/industry background (i’m a 30+ year consumer electronics geek) so i don’t really have any pre-conceived notions on what we should/shouldn’t do… rather this seems like an opportunity to create something (rather than correct something), so at the outset i’ll have little to offer and much to learn, and would be grateful for any insights you’d be willing to share!”

On June 16, 2016, Apple’s VP of Medical Technology Mike O’Reilly asked his assistant to set up a call that included Patel, Goldstein, Apple lobbyist Alexis Marks Mosher, and Apple Senior Counsel Kelly McCrystle. The hoped-for call was set to focus on the “510k approval process.” O’Reilly explains in an email that “the purpose is to talk with Bakul about their (and our) thinking about the process and how it might be re-engineered going forward.”

Less than a month later, on July 14, 2016, Apple’s interest in re-engineering the 510(k) process became less abstract. On that date, Goldstein revealed in an email to Patel that Apple wanted to talk to the FDA about “two possible (and related) products in the cardiac space, as well as the associated regulatory and quality systems and requirements.”

A few weeks later, on September 8, 2016, Goldstein writes Patel again with an update and a request for more brainstorming on a less burdensome regulatory pathway for Apple’s cardiac products:

“we continue to have ‘energetic’ conversations here at apple, but i’m going to make an ‘executive decision’ and say if you’re going to be out our way we should definitely have a get together with the group so you can meet people and we can start a longer conversation… i know, for example, people would love to understand your thoughts on what the ‘bare minimum’ (my term) for a quality system would like; how ‘real world evidence’ would apply or impact the kinds of efforts we might get into (back load the process so we can get to market faster) to the more traditional approach folks who come from the industry are familiar with, and it may be far more effective for them to hear it from you directly!”

These early exchanges between Apple and the FDA include echoes of what the agency’s Software Precertification Program (Pre-Cert) sets out to accomplish a little less than a year later.

2017: Here comes Pre-Cert

Then-FDA Commissioner Scott Gottlieb announced the Pre-Cert pilot on July 27, 2017. Here’s an excerpt from his blog post at the time that explains why the FDA created the pilot:

“We need to make sure our approach to innovative products with continual updates and upgrades is efficient and that it fosters, not impedes, innovation. Recognizing this, and understanding that the potential of digital health is nothing short of revolutionary, we must work toward establishing an appropriate approach that’s closely tailored to this new category of products. We need a regulatory framework that accommodates the distinctive nature of digital health technology, its clinical promise, the unique user interface, and industry’s compressed commercial cycle of new product introductions.”

Gottlieb went on to write how the FDA hopes to regulate digital health software via Pre-Cert:

“The goal of our new approach is for FDA to, after reviewing systems for software design, validation and maintenance, determine whether the company meets the necessary quality standards and pre-certify the company. Pre-certified companies could submit less information to us than is currently required before marketing a new digital health tool. In some cases, pre-certified companies could not submit a premarket submission at all. In those cases, the pre-certified company could launch a new product and immediately begin post-market data collection. Pre-certified digital health companies could take advantage of this approach for certain lower-risk devices by demonstrating that the underlying software and internal processes are sufficiently reliable. The post-market data could help FDA assure that the new product remains safe and effective as well as supports new uses.”

The FDA solicited applications for the Pre-Cert pilot and received more than 100. When the agency announced the nine pilot participants in September 2017, Apple was among those chosen along with Verily, Roche, J&J, Samsung, Fitbit, Phosphorus, Tidepool, and Pear Therapeutics. FDA staff chose these nine companies via a closed-door process.

(It’s worth noting here — but we’ll get into it more below — that the Pre-Cert pilot was intended to be an advisory program to help the FDA create a future regulatory pathway for digital health products. At no point did the agency state publicly that applicants or pilot participants would directly benefit from participating in the program while they were in it.)

The FDA would eventually set up an FAQ page on its website about the Pre-Cert pilot that ended with this question and answer:

Q: When will participating companies be able to realize the benefits of the Pre-Cert Pilot Program approach, including Streamlined Review of marketing submissions and marketing of modifications? A: Companies participating in the Test Plan are helping the FDA build, iterate, and test the proposed framework in the Working Model to provide a reasonable assurance of safety and effectiveness for software products. These companies will participate in mock Excellence Appraisals to shape the process, explore real-world performance collection methods, and experiment in providing necessary information for premarket submission in an efficient way. During these explorations the FDA does not intend to provide a stamp of precertification for companies or market authorization for products through the program.

2017: Apple set up two LLCs as the official manufacturers of its cardiac devices and it code-named its SaMDs “Spice” and “Caterpillar”

Before Pre-Cert launched, Apple quietly set up two LLCs that it would end up using to file its initial de novo submissions for its Irregular Heart Rhythm Notification feature and its ECG App. On March 13, 2017, Apple formed New Atlantis Research LLC in Delaware. Similarly, on June 27, 2017, Apple set up an LLC named Columbia Science in Delaware. Apple’s hardware lead on the Apple Watch team, Eugene Kim also registered Columbia Science as a business with an office in Kansas, and he stated the company had a focus on “research”.

New Atlantis Research LLC was the original applicant listed on the de novo submission for Apple’s ECG App. However, Apple (via New Atlantis Research) also gave its device a codename: “Spice.” (I assume that’s a reference to Dune.) Meanwhile, Columbia Science LLC was listed as the applicant on Apple’s original de novo submission for its Irregular Heart Rhythm Notification feature, which the company codenamed “Caterpillar”. Apple and the FDA, however, frequently refer to the de novo submissions collectively as “Spice” or the “Spice App”.

In the thousands of pages of emails and other documents that the FDA’s FOIA office released to E&O, Apple and the FDA never discuss why Apple decided to form the LLCs or use codenames for its products. Apple often uses internal codenames for unreleased products, but submitting for market authorization from the FDA using a shell company is not a typical practice.

Here’s one theory as to why Apple went this route: Apple is known to guard its trade secrets more aggressively than most companies. After the FDA released hundreds of the company’s emails via FOIA and disclosed the focus of the company’s past meetings with top FDA officials, it’s likely Apple wanted to use shell companies to make it more difficult for journalists and competitors to ask the FDA for information about its interactions with Apple. In the months leading up to Apple’s de novo clearances in September 2018, the FDA was interacting with Columbia Science and New Atlantis Research — at least on paper.

After Apple received its de novos, it did not appear to use either of these shell companies again. Columbia Science LLC shut down in March 2019 and New Atlantis Research LLC disbanded in October 2020.

January 2018: Apple stated publicly that it will “proceed under the current regulatory pathway”

Despite Apple’s numerous brainstorming sessions with the FDA’s Digital Health Policy Team in 2016 and 2017, at a public workshop featuring Q&As with the FDA’s recently chosen Pre-Cert Pilot Participants, Apple’s Principal Counsel Jennifer Newberger told attendees the company would “proceed under the current regulatory pathway” for Software as a Medical Device because there is no Pre-Cert Program up and running “right now.” Here’s what Newberger said according to the FDA’s transcript of the workshop held in January 2018:

“Yeah, I mean we didn’t change our processes. I mean as I said earlier, I think, you know, part of what we’re hoping to get from Pre-Cert is exactly to not have to change our processes no matter what. We want to keep doing what we’re doing and make good products. And to the extent, you know, we did not get rid of, you know, [Design History Files] to the extent that we have them and, you know, I think the idea right now is just that, you know, we are going to proceed under the current regulatory pathway. I mean I think that the message that we got, I don’t know if others sort of saw it different, but that that’s what is supposed to happen right now. Is that you just proceed under what exists, you know, maybe keep Bakul in the loop more than he wants to and, you know, see what happens. But I think right now there is no Pre-Cert program and so there’s nothing to change a system to accommodate.”

February 2018: Apple asks FDA to let it be a “guinea pig” for “alternate paths of review for software as a medical device” and “piloting potential new processes as part of the Pre-Cert Pilot Program”

A few weeks later on February 15, 2018, a group of ten people from Apple’s Health team and six officials from the FDA, including Deborah Castillo, then-acting branch chief for cardiac diagnostic devices, held a meeting via teleconference to discuss Apple’s two cardiac devices. The discussion planted the seed for a novel modular review approach that makes use of the pre-submission process. Here are a few highlights from the meeting minutes that Apple shared with the FDA five days after the call took place:

“[Apple’s Divya Nagg from the Health Special Projects team] provided an overview of Apple’s product life cycle, fall announcement schedule, the desire to ‘surprise and delight’ our customers, and Apple’s appreciation of FDA’s willingness to work with us in meeting our goals.”

This next line is important because it is clear that from the outset Apple emphasizes to the FDA that the agency should not consider the sensors on the Apple Watch a part of its submission:

“Jennifer [Newberger] then provided a brief overview of the two products Apple intends to launch in the fall of this year — [REDACTED]. The sensors for both [REDACTED] are located on Apple Watch, a general purpose computing platform.”

A significant portion of the meeting was dedicated to discussing the two SaMDs and how the user interfaces flow and the specifics of the messaging, including, for example, what words appear on the screen once an irregular heart rhythm is detected. Apple also floated its goal of launching these SaMDs in the fall:

“Apple stated that its goal is to announce both [REDACTED] in September 2018.”

Here’s where the meeting started to get interesting:

“Apple briefly discussed the clinical validation study that will begin later this month for [REDACTED]. FDA requested that Apple submit the clinical protocol for FDA review and feedback. Apple responded that the study is scheduled to begin shortly, and there is therefore limited ability to make significant changes to the protocol at this time. Nevertheless, Apple can share the protocol, and if there are minor issues or concerns on the part of the FDA, can consider how to update the protocol mid-stream.”

Next, Apple asked about “alternate review pathways” for SaMD:

“After the product overview, Apple asked to discuss possible alternate review pathways for software as a medical device, e.g., a modular review approach that would make use of the pre-submission process. [Apple’s Jennifer Newberger], [FDA’s Associate Director for Digital Health Programs Linda Ricci], and [Apple’s Health Special Projects team member Chuck Schlaff] had briefly discussed this as a possibility, but others at FDA and Apple had not yet had an opportunity to consider this approach. FDA and Apple agree that both sides should discuss this possible approach internally and revisit during an on-site at FDA. Apple will come to FDA with suggestions for alternate review pathways, and will also be prepared to discuss what a modular approach for Spice might look like.”

Here’s how Apple tied this modular approach proposal to its participation in Pre-Cert:

“FDA asked what Apple wants to get out of the on-site visit. Apple responded that it would like to give an overview of our products and the extensive thought and rigorous testing we have conducted to get to where we are now. As noted above, Apple also would like to talk about alternate paths of review for Software as a Medical Device, and describe its willingness to be a ‘guinea pig’ for piloting potential new processes as part of the Pre-Cert Pilot Program. Finally, Apple would like to give FDA a deep dive into the algorithms, software development, and process for developing messaging for users in the over-the-counter population.”

March 2018: FDA proposes a “staged modular review” for Apple’s two de novos as a “test case for a more interactive and collaborative review for SaMD products”

On March 21, 2018, ahead of a call with Apple, the FDA sent Apple a three-page proposal that lays out its plan for a “staged modular review” and “engagement strategy” for Apple’s two upcoming de novo submissions:

“Apple Health has notified FDA of two planned regulatory submissions for digital health products in 2018, both of which have been determined to require a de novo process. As a test case for a more interactive and collaborative review for SaMD products, FDA intends to proceed with a staged modular review for these two submissions.”

The FDA’s proposal outlines three goals for the modular approach:

“Goals:

Granting of both Apple Health de novo submissions by September 1, 2018
Development and implementation of a modular regulatory review approach; and
Testing and evaluation of the modular review to assess impact on review timeframes and resource expenditure for both FDA and the sponsor”

The FDA also bulleted out four expectations for Apple and the agency to follow during the process:

“Engagement Expectations:

Early and frequent communications between FDA and Apple Health to provide updates, answer questions, and address concerns;
Responsiveness to requests made by either party for additional information or clarifications;
Clearly established points of contact for both parties; and
Participation in regular after-action reviews to inform development of the Pre-Cert program.”

Finally, the FDA outlined the potential benefits of this modular approach along with the potential risks:

“Potential Benefits of a Modular Approach

More interactive review process that is better aligned to the product development lifecycle;
Increased frequency of engagement to minimize miscommunication and address concerns early in the review process; and
More consistent and predictable resource allocation requirements across the review cycle

Potential Risks of a Modular Approach

Anticipated efficiencies of a modular approach are not realized in implementation; and
System issues related to the integration of component parts are not discovered until later in the review process.”

The proposal also includes timelines for two modules and the final de novo submission as well as the types of information expected from Apple in each of the modules. It concludes:

“Final module is the de novo submission including all test results, unresolved anomalies and all other information not included in the previous modules as well as responses to any outstanding concerns from previous modules. All the data available to date is submitted in Module 1; FDA will triage and decide what data should be reviewed in module 2. Timelines will be established interactively.”

Apple’s Newberger responded to the FDA’s proposal email two hours later by writing:

“We are excited about discussing these plans with you further, and for this opportunity to work together to try something new!”

But wait: Pre-Cert was an advisory program. Were pilot participants entitled to any preferential treatment?

Apple’s path to its September 2018 de novo clearances takes a few more turns, but before we dig into them, it’s worth taking a step back to consider if the FDA’s proposal to Apple is consistent with the public’s (meaning digital health companies who were not chosen as one of the nine Pre-Cert participants) understanding of the Pre-Cert program.

M. Jason Brooke, Attorney & Managing Member, Brooke Consulting, who has nearly 20 years of experience in the device industry as an entrepreneur, technology developer, and attorney, with a particular focus on digital health and AI-enabled devices, explained the industry’s general perception of Pre-Cert in an email to E&O:

“The FDA’s Pre-Cert Pilot was billed as an opportunity for the Agency to gather information and learn from industry so that the FDA could build the various elements of the Pre-Cert Program. It was in no way meant to be a competitive advantage for the nine participants who, to my knowledge, were selected without a competitive bidding process. Indeed, competitive neutrality is a fundamental tenet of the FDA’s role as a regulatory agency and, hence, it would be inappropriate for the Agency to establish a pilot program that advantages a small number of select participants over the rest of the industry. Given this basic principle and the FDA’s own statements about the purpose of the pilot, it has been clearly understood that participation was not intended to result in direct benefit to the participants.”

Brooke pointed out, however, that there were likely indirect benefits:

“Of course, it was reasonable to conclude that, through interactive discussions with the Agency about, for example, the participant’s quality processes and mock Excellence Appraisals or Streamlined Reviews, the participants would have a leg-up as compared to non-participants in that the participants would understand what the FDA was focused on as it relates to building the full program. In that way, the participants would have a better understanding of what to expect in the future once the program was implemented; however, such an advantage was perceived to be indirect and not guaranteed because, since the FDA (as I understood it then and understand it even today) is still developing the Pre-Cert Program based on their learnings from the pilot, the ultimate implementation of the program would be largely new to all of industry, including the participants.”

April 2018: New Atlantis Research and Columbia Science submit Apple’s two de novos

On April 16, 2018, Apple’s shell company New Atlantis Research LLC submitted a de novo classification request for Apple’s ECG app, which is codenamed Spice Mobile Medical App in the filing. Soon after, on April 30, 2018, the other Apple shell company, Columbia Science LLC, files a similar de novo classification request for Apple’s Irregular Rhythm Notification feature, which the company has codenamed “Caterpillar.”

28 days or 148 days? During the nearly five months that pass between this initial submission and Apple’s eventual de novo market authorizations on September 11, 2018, Apple submits batches of documents and answers questions from the FDA’s two review teams about the two modules and the final de novo submission. So, while the official timer clocks Apple’s De Novo for its ECG App at 28 days, from the company’s first shell company de novo submission until market authorization day, it was actually more like 148 days for the FDA’s novel modular de novo pilot from start to finish.

The FDA’s September deadline: The 28-day review time attracted a lot of attention — including countless mentions in E&O newsletters over the past three years — the more striking element of Apple’s 2018 de novos was that the FDA granted the de novos the day before one of Apple’s splashy product reveal events. That apparent coordination surprised many in digital health.

Remember: The FDA’s first bullet under the goals for its rules of engagement with Apple was that it would get the two de novos granted by September 1, 2018. The coordination was real. As it happened, however, the FDA missed that deadline by 10 days.

September 2018: Both of the FDA’s lead reviewers for Apple’s de novos recommend that the FDA decline to grant Apple’s cardiac devices market authorization

The FDA review teams for Apple’s two de novo submissions had a few members in common, but each had its own lead reviewer. Erdit Gremi was the lead reviewer on Apple’s Irregular Rhythm Notification Feature (DEN180042) de novo submission. Luke Ralston was the lead reviewer on Apple’s ECG App (DEN180044) de novo submission.

Both Ralston and Gremi recommended that the FDA decline the de novos.

In each case, the lead reviewers were overruled by FDA management who ultimately granted the de novos just days after the lead reviewers submitted their recommendations to decline. Gremi wrote his memo on September 6, 2018. That’s five days before the de novo was officially granted.

Ralston’s final memo was almost entirely redacted, but Gremi’s included just about every word of his review summary, which explains his decision at a high level. Here’s an excerpt from Gremi’s final memo:

“After extensive review of the sponsor’s documentation as well as almost daily interactive review done with the sponsor on a pilot de novo timeline, there are some concerns that remain outstanding for the subject device. The outstanding issues include concerns with the performance of the device in the intended use population instead of the study population that was included in the clinical study used to support the submission as well as a still unofficial interim analysis of a larger clinical study from which that sub study was derived. The conclusions drawn from these trials as well as the statistical analysis of these data continue to remain deficient. Additionally, the manner in which the sponsor has provided a hazard analysis, the mitigations that have been included in that analysis for various hazards, the requirements in the software for mitigating those hazards, and the testing that was conducted to validate that those requirements remain deficient. Finally, the performance of the device algorithm and the specificity of software and platform requirements to ensure that the performance can remain safe and effective across all compatible platform versions as well as be translatable and testable in future versions remains deficient.”

“These deficiencies are not insurmountable and would normally require a detailed revision from the sponsor to fully identify the breadth and depth of hazards posed by the sponsor device, testable requirements that need to exist in order to mitigate those hazards and testing to demonstrate a passing condition throughout the possible foreseeable use conditions. Additionally, the sponsor could simply provide final clinical trial data from the ongoing trial set to conclude in early 2019 to support the use of the device in the intended use population instead of the sub-study data which has extensive statistical concerns. It is the opinion of the Lead Reviewer that these concerns be communicated to the sponsor through a traditional AINN Letter so that the sponsor can have time to address the concerns and the FDA can review them. However, the Lead Reviewer has been directed to make a Final Decision Recommendation to either Grant or Decline the de novo. Due to the deficiencies that remain outstanding, the file cannot receive a granting recommendation at this time.”

Gremi’s line about being “directed to make a Final Decision Recommendation to either Grant or Decline the de novo” is striking. It echoes what one of Ralston’s review team members, Loriano Galeotti, wrote in his Device Hazard Analysis memo:

“As you can see in my memo, there are many aspects that were not properly addressed by the sponsor. I believe that these aspects can be potentially solved with an additional information hold (AINN); however I was verbally asked to reach a final-decision recommendation, therefore my recommendation is decline (DEND).”

In Ralston’s review memo for the ECG App (DEN180044), the sections of the review document that the review team concluded were “not acceptable” included: The indications for use, labeling, software, EMC/Wireless/EMT and risk analysis, performance testing, and the classification discussion/identification and exemption from 510(k) section. Only the device description was found to be minimally acceptable and while the benefit/risk assessment memo appears to be almost entirely redacted, the team’s benefit/risk assessment lead determined that the benefits outweighed the risks.

In Gremi’s review memo for the Irregular Rhythm Notification Feature (DEN180042), the sections of the review document that the team concluded were “not acceptable” included: the software, performance testing, the the classification discussion/identification and exemption from 510(k) section. The benefit/risk assessment review section in Gremi’s memo is entirely redacted. Gremi’s team concluded that the acceptable components of the submission included the device description, the indications for use, and the labeling.

On September 11, 2018, the FDA’s director of the division of cardiovascular devices, Bram Zuckerman MD wrote a memo in response to Gremi’s that concluded:

“An extremely comprehensive and thorough review has been performed by Mr. Erdit Gremi and his FDA review team. I believe, however, that the remaining deficiencies cited by Mr. Gremi have been adequately addressed. As such, I have concluded that the information provided by the sponsor demonstrates that there is a reasonable assurance of safety and effectiveness for the device for its intended use. I believe the benefits of the Irregular Rhythm Notification Feature outweigh the risks and I recommend this De Novo be granted.”

Bram wrote a similar memo in response to Ralston’s that contained the same conclusion to grant that de novo too.

Did the FDA have regulatory oversight of the Apple Watch hardware as well as the software? At least one of the lead reviewers believed so

While Ralston’s final review memo is mostly redacted and Gremi’s does not mention the Apple Watch hardware in any of the unredacted sections, both of Bram’s final memos granting the de novos declared that the FDA does not have oversight of the Watch hardware as part of this regulatory submission.

Earlier in the process, during either Module 1 or Module 2 of Apple’s modular de novo review, Ralston’s team presented its concerns to Apple as part of a Day 45 briefing. This likely occurred in either late June or July 2018. As part of Ralston’s summary of the regulatory history for the ECG App de novo submission, he wrote:

“The CDRH Digital Health team had several interactions with Apple outside the scope of this review and has attempted to exempt the Watch and iPhone from FDA review. This would severely limit our ability to require even basic performance data from similar manufacturers in the future.”

“This review team has determined that the ECG acquisition hardware is subject to FDA regulatory oversight.”

As noted above, in both of his final memos for the two de novos, Bram declared that the Apple Watch’s hardware is not subject to the agency’s oversight as part of either of these de novos:

“Based on CDRH policy, the Apple Watch is not considered within scope of this review given that there are no medical claims being proposed for the Watch. The Watch and the iPhone are considered general purpose computing devices and are not subject to FDA review. The Watch acquires an electrical signal from contact with the user, but the electrical signal itself does not have a medical claim.”

If you want to get into the nuances of the FDA’s oversight of hardware vs. software, scroll down and read the appendix section at the end of this report for some regulatory history and other insights on hardware and SaMD from M. Jason Brooke.

Other Pre-Cert Pilot Participants were surprised by the FDA’s decision not to regulate the Apple Watch hardware and asked the FDA about it days after Apple’s de novos were public

Members of the FDA’s own cardiac device review team weren’t the only ones having trouble wrapping their heads around the idea that the FDA did not have oversight of the Apple Watch in these de novo submissions.

Two days after the Apple de novos announcement, Shilpa Mydur, Verily’s Senior Principal of Global Regulatory Affairs at the time, emailed the FDA’s Linda Ricci seemingly to clarify whether or not Verily’s hardware would need to be submitted for a market authorization the company was considering at the time:

Happy Friday and Thank you for your time and looking forward to getting the agency more information. In the wake af Apple’s [REDACTED] de novo clearances, it now seems like the [REDACTED] does not need clearance and just the software to [REDACTED]. Am I understanding this correctly? Thanks for your guidance.

Four days later Ricci responded to Mydur:

Depending on the claims made, yes. Happy to discuss for your specific case to make sure we are on the same page if needed.

Similarly, Matthew Wiggins, Samsung Strategy and Innovation Center’s Acting Manager of QA/RA & Senior Manager of Algorithms at the time, emailed the FDA’s Pre-Cert team on September 17, 2018 — five days after Apple’s de novos to inform them that the Samsung team had questions about the software-hardware “boundary” for SaMD.

Conclusion: New questions for the FDA’s regulation of SaMD

Traditionally the FDA’s mission has been one focused on patient safety. The FDA’s website currently states the agency’s mission is a bit more complex:

“Protect consumers/patients and enhance public health by ensuring timely access to safe, quality FDA-regulated products.”

Over the years the FDA has bundled in the implicit mission of ensuring access to health innovations because denying access to innovative health products, one could argue, may negatively impact patients’ health too.

While this report helps explain many of the lingering questions surrounding how Apple navigated the FDA’s de novo process back in 2018, it also raises new questions about fairness and process.

For example: Was the agency’s decision to create a customized de novo pathway for one company, which happens to be the world’s biggest tech company, rooted in its mission to protect patients?

While the FDA failed to meet its stated goal of granting Apple’s two de novos by September 1, 2018, it did deliver them in time for Apple’s event on September 12, 2018. Did the two collaborators manage to achieve the other goals laid out in the novel modular review proposal from March?

Remember: The third bullet point under the goals read:

“Testing and evaluation of the modular review to assess impact on review timeframes and resource expenditure for both FDA and the sponsor.”

One of the lead reviewers of Apple’s de novos, Erdit Gremi wrote in his final memo that during the review process:

“There have also been daily calls with the sponsor to interactively communicate concerns and receive feedback.”

(That was the only line in his memo, at least the parts that the FDA left unredacted, that Gremi underlined.)

Considering the flood of SaMD clearances that the agency expects to field in the years ahead, does the FDA have the resources to offer same-day customer service in order to support the modular review process that it piloted with Apple for every future SaMD sponsor?

Appendix: Q&A on FDA’s consistently inconsistent approach to regulating hardware with SaMD

This appendix is an excerpt of an interview E&O recently conducted over email with M. Jason Brooke, Attorney & Managing Member, Brooke Consulting.

E&O: Can you explain how the FDA regulates hardware that acts as an input to Software as a Medical Device? When is that hardware regulated by the agency and when is that hardware an off-the-shelf, general computing platform? (One bit of context for the second question. In its January 2019 working model V 1.0 for PreCert, the FDA writes:

“Non-medical products, such as general wellness devices and general-purpose sensors may also collect data that could be used as input into a SaMD. The SaMD algorithm acts on that data for a specific medical purpose, which may be to inform, drive, diagnose, or treat a healthcare situation or condition. Further clarification on the data quality and collection principles for non-medical sensors used as inputs into SaMD is under development.”

That indicates the agency had yet to clarify its approach to non-medical sensors in January 2019, months after the Apple de novos. Is that notable?)

Brooke: The answer is complicated and depends on the time period you are referring to and the specific scenario being considered (including the specific review division/team within the Agency). The traditional approach to regulation of medical devices is on a system-level. By that I mean that, if a company manufactures a product that is made up of several products or components, the entire “system” would be regulated based on the highest-risk part of the system unless there was a specific classification regulation for a particular part of the system. For example, if a company marketed a smartphone app that acts like a Holter monitor along with ECG leads that connect to the smartphone and disposable skin electrodes, the three components would be regulated as a system. In this scenario, the system would be regulated as a Class II medical device because the Holter monitor software falls under 21 C.F.R. § 870.2300. The leads would be subject to the controls established under 21 C.F.R. § 870.2900 for Class II transducers and electrode cables, while the electrodes would be subject to the controls under 21 C.F.R. § 870.2360. If you included, for example, a Bluetooth-enabled stopwatch to allow a patient to manually count their heart rate and the stopwatch shares data with the Holter monitor software (e.g., for recording how often the patient manually checks their heart rate), the stopwatch would be regulated as a Class II accessory to the Holter monitor (even though the stopwatch in any other circumstance would not be a medical device).

Here’s where it gets complicated. In 2016, Congress changed the rules by enacting Section 520(o)(2) of the Federal Food, Drug & Cosmetic Act (as part of the 21st Century Cures Act), which established a modular approach to regulating medical devices (at least as it relates to unregulated software components of a regulated software/hardware system). The FDA took this further, publishing in 2020 its Multiple Function Device Products guidance that articulated a policy that applied a modular regulatory approach “whether those functions are software-based, hardware-based, or both.” Combining the multiple functions policy with the FDA’s post-Cures Act 2016 policy (subsequently republished in substantially the same form in 2017) that accessories would be regulated based on the risk of the accessory as opposed to the highest-risk component of a system, the FDA has effectively moved away (at least in principle if not in application) from a system approach to a modular approach to determining whether and to what extent a module within a system is regulated.

The FDA’s Accessories guidance is important here because a product that is not in its own right a medical device could still be regulated as an accessory to a medical device (albeit at a different level based on the risk profile of the accessory). The FDA specifically articulated in that guidance the following:

“It is important to note that FDA does not generally consider articles that do not meet the definition of an accessory as accessories simply because they may be used in conjunction with a device. For example, FDA would generally not consider a mobile phone that is used as a general platform for applications that include mobile medical applications that are medical devices or an off-the-shelf computer monitor used to display medical data as accessories unless they are specifically intended for use with such medical devices.”

That policy approach is consistent with what the FDA has always said about general IT infrastructure–it’s not a medical device unless it’s specifically marketed as a medical device.

Contrast that, however, with the concept articulated in 2013 in the then-referred to as Mobile Medical Apps guidance (now referred to as the Software Policy guidance published in substantially the same form in 2019).

On the one hand, the FDA states unequivocally that “[p]roviders of tools, services, or infrastructure used in the development, distribution, or use of a mobile medical app” are not manufacturers of medical devices, implying that the tools, services, and infrastructure themselves are not regulated by the Agency. The FDA provided examples of such tools, services and infrastructure, which included “internet connectivity (i.e., internet service), . . . general-purpose computer or information technology, . . . cloud hosting services, . . . [and] software development kits.”

On the other hand, the Mobile Medical Apps guidance indicates that the software functions the Agency intends to regulate are those functions that “can transform a general-purpose computing platform or mobile platform into a regulated medical device by using attachments, display screens, sensors, or other such methods.”

A reasonable interpretation here would be that the software causes the general-purpose hardware to become a regulated medical device; however, the FDA has generally not applied this interpretation.

Instead, the FDA’s approach has been that the software is regulated while the general-purpose hardware remains unregulated. This principle is reinforced by way of examples in the Multiple Functions guidance, one of which identifies the “[s]mart phone computing platform” and the “[c]amera on the computing platform” as unregulated functions in the scenario where a smartphone app detects skin cancer from photos of moles. In this example, the FDA has effectively stated that a camera on a smartphone is not a regulated function, despite the fact that the Agency does regulate cameras that are used for medical purposes (see, e.g., 21 C.F.R. § 886.1120, which defines an ophthalmic camera as a Class II medical device).

Given that background, it’s not entirely clear when hardware is treated as a general-purpose computing platform versus when it is regulated. It’s even less clear when a sensor built into or is otherwise connected to a general-purpose computing platform is regulated. Here’s what I can say:

Under the traditional approach (which has not disappeared entirely), a general-purpose computing platform and its built-in sensor would be regulated along with the rest of the system components.
Under the Accessories guidance, one or both of the computing platform and the sensor are subject to regulation as an accessory to a medical device if the platform and sensor (as applicable) are intended 1) to be used with one or more medical devices (including SaMD) as determined by the labeling of the computing platform or sensor, and 2) to support, supplement, and/or augment the performance of the one or more medical devices.
Under the Software Policy and Multiple Functions guidance, neither the general-purpose computing platform nor the built-in sensor would be regulated.

The statement [in your question above] quoted from the FDA’s 2019 Pre-Cert working model publication regarding “general wellness devices and general-purpose sensors” being “[n]on-medical products” while nonetheless collecting data that is used as input by a SaMD is consistent with the way the Agency has applied the policy stated in the Software Policy/Mobile Medical Apps guidance as early as 2013 as well as with the Multiple Functions guidance from 2020.

It is inconsistent, however, with the Accessories guidance from 2016/2017.

Unfortunately, in my experience, the FDA has been consistently inconsistent in its application of these various policies in the digital health context and, understandably so, because the policies themselves are not consistent.