STATEMENT BY
JOHN CALLAHAN, PH.D.
ASSISTANT SECRETARY
FOR MANAGEMENT AND BUDGET
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
BEFORE THE
SUBCOMMITTEE ON OVERSIGHT
AND INVESTIGATIONS
COMMITTEE ON VETERANS'
AFFAIRS
U.S. HOUSE OF REPRESENTATIVES
SEPTEMBER 24, 1998
I INTRODUCTION
Good morning, my name is John Callahan, Ph.D., Assistant
Secretary for Management and Budget, and Chief Information
Officer (CIO) for the Department of Health and Human Services
(DHHS). I am pleased to be here today to provide information on
the Year 2000 date issue as it relates to medical devices. The Food
and Drug Administration (FDA) has taken a number of constructive
actions to work with manufacturers and provide information to
users about medical device Year 2000 compliance.
II. WHAT IS A MEDICAL DEVICE?
According to the definition in the Federal Food, Drug, and
Cosmetic (FD&C) Act, a "device" is:
an instrument, apparatus, implement, machine, contrivance,
implant, in vitro reagent, or other similar or related article,
including any component, part or accessory, which is
intended for use in the diagnosis of disease or other
conditions, or in the cure, mitigation, treatment, or
prevention of disease, in man or other animals, or intended
to affect the structure or any function of the body and which
does not achieve its primary intended purposes through
chemical action and which is not dependent upon being
metabolized for the achievement of its primary intended
purposes.
As this definition suggests, many different types of products are
properly regulated as medical devices. Medical devices include
over 100,000 products in more than 1,700 categories. The
products regulated by FDA as medical devices range from simple
everyday articles, such as thermometers, tongue depressors, and
heating pads, to the more complex devices, such as pacemakers,
intrauterine devices, diagnostic imaging devices, and kidney dialysis
machines.
Any computer software which meets the legal definition of a
medical device is within the scope of the law and must comply with
applicable FDA regulations. Medical devices which use computers
or software can take several forms including: embedded microchips
which are part, or components, of devices; non-embedded software
used with, or to control, devices or record data from devices; or
individual software programs which use or process patient data to
reach a diagnosis, aid in therapy, or track donors and products.
FDA is responsible for promoting and protecting public health by
helping to ensure that medical devices are safe and effective. FDA
carries out its mission by evaluating new products before they are
marketed; assuring quality control in manufacture through
inspection and compliance activities; monitoring adverse events in
already marketed products; and, taking action, when necessary, to
prevent injury or death. A device manufacturer must comply with
all applicable requirements of the FD&C Act, including, but not
limited to, establishment registration and device listing, premarket
review, use of good manufacturing practices, and reporting adverse
events. The FDA Center for Devices and Radiological Health
(CDRH) has responsibility for regulating medical devices.
As diverse as medical devices are, so are the range and complexity
of problems which can arise from their use. These problems include
mechanical failure, faulty design, poor manufacturing quality,
adverse effects of materials implanted in the body, improper
maintenance/specifications, user error, compromised sterility/shelf
life, and electromagnetic interference among devices.
A. Embedded Computer Software
Computer software frequently is embedded as a "component" of
devices, i.e., software contained on a microchip to control device
operation. Examples of such common, important devices are
pacemakers, infusion pumps and ventilators. Based on FDA's
discussions with the manufacturers, the majority of these products
will not be impacted by the Year 2000 problem since almost none
of them require knowledge of the current date to operate safely and
effectively. For example, pacemakers do not use the current date in
their operation.
B. Non-embedded Computer Software
Non-embedded software is intended to be operated on a separate
computer, often a personal computer or work station. Such
software devices may be used to enhance the operation of another
device or devices and, further, may use the two-digit year format.
It is possible that non-embedded software devices may rely on the
current date for proper operation and might be affected by the Year
2000 date change.
An example of non-embedded software is a computer program used
to plan radiation therapy treatments delivered using radioactive
isotopes as the radiation source (teletherapy or brachytherapy).
These treatments possibly could be affected if the computer
program that calculates the radiation dose parameters uses only a
two-digit year representation. The calculation of the length of time
since the source was last calibrated could be in error and thus lead
to an incorrect treatment prescription.
Other examples of non-embedded software devices include:
conversion of pacemaker telemetry data; conversion, transmission,
or storage of medical images; off-line analysis of ECG data;
automated analysis and interpretation of ECG data; calculation of
rate response for a cardiac pacemaker; perfusion calculations for
cardiopulmonary bypass; and calculation of bone fracture risk from
bone densitometry data. Since there is a chance that the two-digit
format may affect the performance of these software devices, FDA
believes that the Year 2000 risk needs to be mitigated through
proactively working with manufacturers.
III. DHHS and FDA efforts to address Year 2000
issue
A. June 25, 1997 notification to
manufacturers
The impact of the Year 2000 problem on some medical devices
containing embedded microchips and software applications clearly
warrants the attention of FDA. Manufacturers of such products are
the only reliable source of information as to the details of the
methods used in the programming.
In light of the review of the impact of the Year 2000 on some
medical device computer systems and software applications, FDA
has been proactive in alerting the medical device industry through a
series of letters to medical device manufacturers. The first alert
letter was sent over a year ago on June 25, 1997, to 13,407 medical
device manufacturers (8,322 domestic and 5,085 foreign) indicating
that manufacturers needed to address this issue and review both
embedded and non-embedded software products. FDA reminded
manufacturers that, in addition to potentially affecting the
functioning of some devices, the two-digit year format also could
affect computer-controlled design, production, or quality control
processes. FDA requested that manufacturers review the software
used in medical devices to determine if there is any risk.
FDA recommended specific actions to ensure the continued safety
and effectiveness of these devices. For currently and previously
produced manufactured medical devices, manufacturers should
conduct hazard and safety analyses to determine whether device
performance could be affected by the Year 2000 date change. If
these analyses show that device safety or effectiveness could be
affected, then appropriate steps should be taken to correct current
production and to assist customers who have purchased such
devices. For computer-controlled design, production, and quality
control processes, manufacturers should assure that two-digit date
formats or computations do not cause problems.
In the June 1997 letter to industry, FDA reminded manufacturers
that under the Good Manufacturing Practices Regulation and the
current Quality System Regulation (which describe the design and
manufacturing processes that must be used to assure design and
production of a safe, effective finished product), they must
investigate and correct problems with medical devices. This
includes devices which fail to operate according to their
specifications because of inaccurate date recording and/or
calculations.
FDA expects manufacturers who identify products that have a
date-related problem to take the necessary action to remedy the problem.
This might include notification to device purchasers so that their
device can be appropriately modified before the year 2000.
Provided appropriate corrections are made, FDA does not
anticipate any significant problems to the patients with individual
medical devices containing embedded microchips since these
devices generally do not use the current date in their operation. At
the same time, FDA wants to ensure the continued safety and
effectiveness of these devices.
For future medical device premarket submissions, sponsors of
devices whose safe operation could be affected by the Year 2000
date change will be required to verify that the products can
perform date recording and computations properly (i.e., are Year
2000 compliant), or clearly label products, which are introduced
and are not Year 2000 compliant as not to be used after December
31, 1999.
B. January 21, 1998 Request for
Information
In the year since the first letter, there have been continuing efforts
by DHHS and FDA to obtain and provide information on the Year
2000 status of medical devices. In a letter dated January 21, 1998,
DHHS Deputy Secretary Kevin Thurm asked approximately 16,000
medical device and biomedical equipment manufacturers to
voluntarily provide information on the Year 2000 compliance status
of their products. Under its current regulations, FDA does not
have the authority to require all device manufacturers to submit
reports on whether their devices are Year 2000 compliant. Included
in the mailing were all FDA registered manufacturers without
respect to the specific kind of device produced, even though FDA
estimates fewer than 2,000 manufacturers make products listed in
the categories which include computerized products potentially
sensitive to Year 2000 problems. Approximately 3,000 of the
manufacturers included in the mailing are not regulated by FDA; for
example, scientific instrument manufacturers. The letter detailed
instructions on ways to submit the data requested and explained
that to be Year 2000 compliant products must function as intended
regardless of the date. Manufacturers also were given the
opportunity to certify that their products are not affected, if that is
the case, or certify that none of their products use computers or
date information.
C. Year 2000 Database
The Year 2000 product database was established in March 1998
and is being maintained by FDA on its World Wide Web site at the
request of the Interagency Biomedical Equipment Working Group.
This Working Group was organized under the Chief Information
Officer's Councils' Subcommittee on the Year 2000. The web site
is intended to give the general public, government agencies, and the
healthcare and research communities one comprehensive source of
information about this issue. The web site is found at:
http://www.fda.gov/cdrh/yr2000/year2000.html. Manufacturers
also may submit a World Wide Web link to their own web site
where the requested information is provided to the public, if they so
choose. FDA does provide a link to the site where the manufacturer
presents complete product information.
The web site includes information at the individual model level only
for non-compliant products, since this is the most useful
information to a user of the web site. The decision to include only
this information was based on the belief that if a manufacturer's
entire product line is certified to be compliant, users would receive
no additional benefit from posting of the specific model level
information of compliant products.
In addition, the DHHS and the Department of Veterans Affairs
(DVA) are working as a Federal partnership to develop a single
data clearinghouse. DVA, as a purchaser of medical devices, has
been collecting information from its vendors as to the compliance
status of the medical devices used in its facilities. DVA is taking
the steps necessary to make the product status information it
gathers available to the public. FDA is working with DVA to
merge this data with the FDA database and provide a single
comprehensive source of information for the public. We have
signed a collaborative agreement to accomplish this goal. To date,
FDA alone has borne the cost of the web site database effort. Both
HHS and DVA are working with private sector associates, mostly
professional associations such as the American Medical
Association, the American Hospital Association, the Joint
Commission on Health Care Accreditation, and the Health Industry
Manufacturers Association (HIMA), who will provide advice and
assistance as requested.
D. Targeted Follow-up with Manufacturers of
Computerized Devices
On June 29, 1998, FDA issued a targeted, follow up letter to 1,935
specific manufacturers of computerized devices urging them to
respond to our January 21 request to submit product data. This list
was derived from the names of those firms which have registered as
manufacturers of devices in the categories where Year 2000
vulnerability is likely. This letter is our second comprehensive
request for voluntary submission of data.
On August 14, 1998, Dr. Bruce Burlington, Director, CDRH, and
again on September 2, 1998, Dr. Friedman, Acting Commissioner
of the Food and Drug Administration, issued letters to HIMA
requesting that HIMA take aggressive and immediate actions to
encourage and assist medical device equipment manufacturers in
providing information to FDA about the Year 2000 compliance
status of their products.
Then on September 2, 1998, FDA issued a follow-up to the June
29, 1998 letter, directed to the approximately 1,400 manufacturers
of computerized devices who had not responded to the previous
requests for information on the Year 2000 status of their devices.
In the letter, FDA requested that the manufacturers respond to
FDA within two weeks with the Year 2000 compliance status of
their devices, or at least indicate that a complete response was
being developed. FDA will continue to work with manufacturers to
obtain this data and report to Congress on the status of these Year
2000 requests.
In the past few weeks FDA has decided that it would be useful to
provide an indication of whether a particular manufacturer of
computerized devices that are susceptible to Year 2000 concerns
has or has not provided information on Year 2000 compliance. To
that end, FDA intends to post on the web site the identity of
manufacturers of those selected product categories which are likely
to include vulnerable products and have not provided a response to
FDA's inquiries.
E. Additional Outreach and Guidance
In addition to the web site and the letter, CDRH has been
conducting outreach to the device industry on this issue. CDRH's
Division of Small Manufacturers Assistance provided an article
entitled "Biomedical Equipment Manufacturers Urged to Share
Year 2000 Information" to 12 Medical Device Trade Press contacts
and to 65 U.S. and 35 foreign medical device trade associations in
order to facilitate the dissemination of information to their members
regarding the web site database and to encourage the posting of
data by manufacturers. The web site and database are mentioned in
the FDA Column of the June 3, 1998, Journal of the American
Medical Association and in an article in FDA's Medical Bulletin
that was sent to approximately 700,000 health care practitioners
this past summer.
Although most devices are regulated by CDRH, FDA's Center for
Biologics Evaluation and Research (CBER) regulates blood bank
software, which is of particular concern for potential Year 2000
problems. In January 1998, CBER posted guidance for industry
entitled "Year 2000 Date Change for Computer Systems and
Software Applications Used in the Manufacture of Blood Products"
on the FDA web site. The guidance provided specific
recommendations to assist industry in its evaluation of computer
and software systems used in the manufacture of blood products
and to assist in evaluating the impact of potential Year 2000
problems. In the Spring of 1998, CDRH developed a Guidance
Document on FDA's expectations of medical device manufacturers
concerning the Year 2000 date problem. The guidance is available
on the FDA web site. The guidance was published in the Federal
Register on June 24 for greater dissemination. The guidance
re-emphasizes the provisions in existing regulations that require
manufacturers to address any date problems which may present a
significant risk to public health.
FDA staff organized, with the staff of the ECRI, a medical device
consulting and testing organization, a half-day session on the Year
2000 date problem at the June 2, 1998 annual meeting of the
Association for the Advancement of Medical Instrumentation. This
meeting was attended by hospital clinical engineers, representing
the device purchasers and users, medical device researchers and
developers, and device manufacturers. The session permitted an
exchange of information on all aspects of the Year 2000 problem as
it relates to medical devices and the actions healthcare facilities
should be taking to address this issue. In addition, a satellite video
conference to discuss product compliance and manufacturers' Good
Manufacturing Practices issues, including the Year 2000 issue, was
held September 9, 1998 with medical device companies.
To reinforce its efforts, FDA intends to send additional follow-up
letters to manufacturers informing them of Good Manufacturing
Practices obligations with respect to Year 2000 compliance. FDA
will continue periodically to send additional follow-up letters to
manufacturers reminding them of the need to provide the Year
2000 status of their devices for posting on the web site.
Companies need to post the Year 2000 status of their devices
quickly if the web site is to meet its objective -- to provide an
information clearinghouse which will be valuable to the users, such
as doctors' offices and hospitals. Users of medical devices will
need time to plan and budget for corrective action. This means that
Year 2000 status information is needed as soon as possible. This
urgency is reflected in FDA's and DHHS's repeated
communications with medical device manufacturers.
F. WHAT IS THE DATA TELLING US THUS
FAR?
So far, the overall response from manufacturers has been
disappointing and incomplete. As indicated above, FDA believes
that approximately 2,000 manufacturers may produce equipment
that may be impacted by the Year 2000 problem. Approximately
962 or approximately 50 per cent of the 1,935 manufacturers had
responded to FDA by September 21, 1998. FDA knows, however,
that there are companies still in the process of assessing their
devices. FDA had requested that complete information be
submitted. While manufacturers may report that specific products
have not been assessed, FDA expects that some companies prefer
to complete assessment before reporting. FDA hopes that its
recent, targeted mailings to the remainder of the 1,935
manufacturers who have not answered will produce additional
responses. The letter included a request that companies still
assessing products tell FDA when they expect to post information.
As of September 21, 1998, FDA has entered a total of 2,404
responses from the 16,000 manufacturers contacted. The data from
all of these manufacturers who have responded have been entered
into the database on the FDA web site. These numbers change
daily as data are entered, corrected or even removed at the request
of manufacturers. Of the 2,404 manufacturers who have
responded, 2,104 have reported that their products do not use
date-related data or are compliant. One hundred sixty-four
manufacturers have reported one or more products with
date-related problems. One hundred and twenty-six manufacturers
have provided World Wide Web links (URLs) to data provided on
their own manufacturer-operated web sites. There are a few
submissions in which the data were incomplete or unclear in some
manner. FDA is communicating with these manufacturers to obtain
clarification before entering the information into the database.
With regard to the data submitted, the great majority of the
date-related problems described present minor concerns, typically
involving incorrect display or printing of a date. There are,
however, a few reported instances where the device will not
function or operate at all unless the date problem is corrected.
There are also a number of reports which indicate that the device
will function correctly, provided the personal computer (PC) with
which it is used is compliant. For many of these PCs, the
correction required to correct the date is a straightforward
operation. In general, manufacturers are indicating that currently or
recently produced products will be corrected at no cost. For old
and discontinued devices, the response is quite varied, i.e., from
free upgrades, upgrades at a cost, or no upgrade or solution being
offered, to a declaration of obsolescence of the device.
In reviewing the data received from the manufacturers so far, FDA
sees no indication of widespread problems which will place patients
at risk, if and only if the solutions being developed and offered by
manufacturers are implemented. Of course, we can not make
assurances about manufacturers who have not reported product
status to us. FDA believes that the information received to date
confirms our original expectation that the Year 2000 problems with
medical devices are not significant or widespread. Although there
will be specific problems which need correction, the current
assessment is that they are much more likely to disrupt patient care
rather than be of direct danger to patients. Nonetheless, this
disruption could be serious and the potential for it to happen
certainly merits rigorous attention to the problem.
FDA will continue to emphasize to manufacturers the importance of
reporting and take additional steps to boost the response rate.
Healthcare facilities need information from all manufacturers to
properly prepare and plan for any actions they need to take to
assure their devices needing corrections or updates receive these
well before the Year 2000.
IV. CONCLUSION
Thank you for the opportunity to update you about the issue of the
Year 2000 and medical devices. Let me assure you that DHHS
takes this issue very seriously, as we do with all problems which
could affect the public health. We are committed to a scientifically
sound regulatory environment which will provide Americans with
the best medical care. In the public interest, DHHS's commitment
must be coupled with a reciprocal industry commitment: that
medical device firms will meet high standards in the design,
manufacture, and evaluation of their products. DHHS and FDA
recognize that this can only be attained through a collaborative
effort -- between government and industry -- grounded in mutual
respect and responsibility. The protections afforded the American
consumer, and the benefits provided the medical device industry,
cannot be underestimated.
The role of DHHS and FDA is to assure that medical devices are
safe and effective and manufactured in accordance with their
specifications. DHHS, of course, will provide any assistance it can
to address specific problems that any other agency, such as the
DVA, identifies. FDA also is working with other agencies, patient
groups, medical associations and industry to optimize data
collection and information sharing. FDA will continue urging
manufacturers to ensure the continued safety and effectiveness of
their medical devices by ensuring that their devices can perform
date recording and computations that will be unaffected by the Year
2000 date change.
Thank you for the opportunity to testify.
Recent Testimonies
(Hypertext updated by jch 1999-JUL-16)