Since it began regulating medical devices under a 1976 statute, the FDA has required stringent review of software that is "embedded" inside such devices as pacemakers and ventilators. Likewise, it has regulated "accessory" software that can be run on general-purpose computers to operate systems, such as radiation-planning systems or brain-mapping software.

But stand-alone software, which runs on conventional computers to process words and data, has been in a gray zone. Its applications range from computerized patient record systems and off-line archives to data analysis programs that aid in determining therapy, and such expert systems as decision and diagnostic support programs.

With renewed momentum, the FDA is moving to adopt its first formal regulation of the $6 billion stand-alone software industry. Harvey Rudolph, PhD, acting director of the FDA's Office of Science and Technology in the Center for Devices and Radiological Health, said the agency's position is likely to be "deregulatory" or mainly "hands-off." Rudolph said the policy options will be discussed soon with the staff of the secretary of Health and Human Services, Donna Shalala. Rudolph expects final regulations to be in place in another year.

Exempting Low Risk

Rudolph said the FDA will propose a "risk-based approach" that focuses its regulatory efforts on software with the greatest potential to harm patients, while exempting most software that poses minimal risk. For some moderate-risk products, manufacturers would be required to submit a standard premarket notification or make self-declarations that their products meet certain standards. The FDA is still defining risk categories.

Some medical catastrophes have assured that software-controlled devices will receive high-level scrutiny. In 1986, several patients received massive overexposure to electron beam radiation from a linear accelerator because of a software problem. Two patients died and another was severely burned, recalled Rudolph.

He said that about 500 device recalls occur annually, 100 of which involve products with software. Of those 100 products, the malfunctions in 40 are related to the software itself.

Problems have included software malfunctions that resulted in improperly labeled radiographs and infusion pumps with incorrect timing that resulted in overdoses of medication.

But the FDA has trod lightly on the stand-alone medical software industry. And developers of such software, unlike the makers of traditional medical devices with embedded software, such as pacemakers and ventilators, are unaccustomed to regulation. They are worried about the implications of the new rules. Some software developers have feared, for example, that even stand-alone programs that run with widely used spreadsheet programs, such as software for billing systems or patient appointment reminders, would have to undergo the same scrutiny as a new pacemaker or infusion pump.

Human Intervention Loophole

The argument for exemption is based on a draft policy supported in 1989 by then FDA Commissioner Frank Young, MD, who stated that software, such as expert systems and products using artificial intelligence, should be exempted if it is "intended to involve competent human intervention before any impact on human health occurs."

Rudolph warned that some manufacturers have "purposely or inadvertently" tried to apply the "competent human intervention" standard to avoid regulation. Harold Schoolman, MD, deputy director for research at the National Library of Medicine in Bethesda, Maryland, added, "We all thought we had a simple solution: As long as a competent health professional can interpret and intervene and make the ultimate decision, then there was no need for premarket approval. But things have gotten more complicated since 1989." Computer networking has resulted in interconnections among several software devices. When data flow through a combination of programs, the chance of malfunction can increase.

Still, developers of stand-alone medical software hope that the FDA will continue its present practice of minimal regulation, according to Edward Larsen, president of Health Patterns, of LaGrange, Illinois. Larsen prepared a proposal on FDA regulation for the Center for Healthcare Information Management (CHIM) in Ann Arbor, Michigan, which represents about 100 vendors of stand-alone software and computer networking equipment. The American Medical Informatics Association has also joined with related groups to propose an approach that keeps federal regulations to a minimum (Ann Intern Med. 1997; 127:842-5. J Am Med Informatics Assoc. 1997; 4:442-57).

"There is no evidence of hazard in terms of death or serious injury attributable to ‘stand-alone’ medical software that CHIM has been able to find," according to the CHIM report. "Mandating new regulations is unwarranted in the face of the absence of data showing harm and the availability of data showing that standalone software reduces paperwork errors."

CHIM has submitted to the FDA an algorithm to determine whether a standalone product should be regulated or excluded. It would exempt software used for education and in financial and administrative systems. It calls for increased scrutiny of software used in immediate decisions that could harm or kill patients in the absence of competent human review.

The FDA has met several times with CHIM to draft regulations that would serve the public health and be acceptable to industry. Rudolph said he expects that the FDA's deregulatory proposals are "in concert" with CHIM's recommendations.

But Larsen said he is taking a wait-and-see approach: "Self-declaration about meeting standards in theory is a good thing. But who is going to write the standards? And what are they going to say? The devil is in the details."

-Howard Wolinsky