Expert Insights into the Digital Healthcare Revolution

What role does technology play in healthcare – and how will it continue to evolve?   We invited Ali Aga, the Founder and CEO of Flowbit®, to share his insights on our latest episode of Compliance Conversations. Ali is a digital innovator, software developer, and healthcare insider with a unique perspective on the regulatory processes behind healthcare software.

Ali has had a fascinating career in software development, and his experience spans multiple industries and specialties. It's amazing to learn about the behind-the-scenes work that goes into creating and deploying new healthcare software.

Listen to our latest episode, “Is Software a Medical Device?” to learn more about:

  • How software use in the medical industry has evolved over the last few decades
  • The impact of artificial intelligence on digital healthcare services
  • Regulatory considerations for software as a medical device

We appreciate Ali’s time and expertise – and if you have a moment, check out his YouTube page for some additional insights.


Listen Now >>


Is Software a Medical Device? - Podcast


Episode Transcript

CJ Wolf: Welcome everybody to another episode of Compliance Conversations. I am CJ Wolf with Healthicity and I'm excited to welcome our guest Ali Aga on the on the line. Welcome, Ali! 

Ali Aga: Hi, thank you, CJ. Happy to be here.  

CJ: I'm so grateful that you made some time. Everyone, all my listeners, Ali's got some great information on a topic that I had not really known much about, so I'm excited to talk to Ali about it. It's software as a medical device, so I most of my listeners know I was a Chief Compliance officer for a medical device company. But we were making, you know, things that go into patients and that sort of thing. And I hadn't heard much about software as a medical device and Ali knows all about it.  

Ali, before we kind of jump into that topic though, we always want our guests to share a little bit about themselves. How did you get to do what you're doing? What are you doing? Share whatever you feel comfortable sharing.  

Ali: Sure. Yeah, so basically like I'm I started out doing systems engineering at Motorola as a software engineer soon after that, that was around 2005, 2007-time frame, and then soon after that I transitioned to translational science research at the University of Illinois in Chicago, center for magnetic resonance research, where we worked on advanced algorithms that were active areas of research in software as a medical device space.  

CJ: Right!  

Ali: And as the technology landscape evolved to include smartphones, and mobile data collection systems, I've basically developed expertise in mobile technologies. This was back around the twenty-tens. So, while working at the University of Chicago, ORC at the University of Chicago, I proposed and developed a mobile application that changed the way that they do data collection in the field.  

So, most recently I also worked actually at a software consulting company called Orthogonal at MATTER, which is like a medical device, kind of like an incubator in the Chicago land area. And my clients included; Google and Quidel, those were my most notable clients and after that I just really got interested in software as a medical device space because it had a real good mix of hard science and also they had this like a regulatory framework that kind of mandated like systems engineering approach so that was really interesting to me so, I really got into this field following that last job. So since then, I've just been working in this particular area and I went and started my own company FLOWBIT. Now I work on projects such as those.  

CJ: Well, that's exciting! And I know you have a YouTube channel, we'll put this in the show notes. And you've got some videos going on up there with FLOWBIT, that's F-L-O-W-B-I-T, and so we'll share that a little bit so people can find those types of things.  

Why don't we jump into this topic and you can at least just start at ground zero for people like me or listeners, what is the concept of software as a medical device? Like what is that?  

Ali: It's a very interesting concept and to really understand what software as a medical device really is, you first got to understand what a medical device is, right? So, medical devices are very legal term, and it's laid out in the Food and Drug, and Cosmetic Act. Basically, in the code of federal regulations, and it's enforced by the US FDA.  

But for your audience, to put it simply, I would say that a medical device is something that helps patients and providers monitor, diagnose, treat, or otherwise assist or mitigate a specific disease or condition, and it should do that primarily without the use of like chemical action, like say for example in drugs.  

CJ: Exactly!  

Ali: Now, software as a medical device is basically like accomplishing those specific tasks that I mentioned. But it needs to do that only through software and it excludes hardware like the definition, so hardware is not considered as part of the software as a medical device.  

CJ: So, hardware might be like if I'm wearing a heart monitor, that's the hardware.  

Ali: Yeah. And I'm glad you mentioned a heart monitor, for example. I'll give you a specific example.  

Apple's got this watch, right? like the Apple Watch, everybody wears it. In the Apple Watch, runs software, runs a lot of software. Apple specifically has this one feature, like a software feature called Apple Irregular Rhythm Notification Feature, right? It runs on the Apple Watch. It is one of the software as a medical device application that Apple has registered with the USFDA. And as part of the Apple Health app, right? 

Ali: Now it's important to note, Apple Health app as a whole is not software as a medical device.  

CJ: OK, just that feature.  

Ali: Just that feature exactly, and the Apple Watch hardware. So the Apple Watch itself, is not a software as a medical device. The entire OS, watch OS, not software as a medical device, just that feature.  

But that small slice of software is registered with the US FDA, and they say just like just this feature in the submission. And basically, how it works, it gets the data from the Apple Watch sensors, processes it using proprietary AI-enabled algorithms. That's also mentioned in the submission.  

Besides, if there is a certain pattern present or not. So, for example, if it detects an irregular heartbeat. And then accordingly, we'll notify you on your phone, also on your Apple Watch, and tell you that you have an A-fib; irregular heartbeat.  

CJ: Right! 

Ali: Now it's important to also note that's not officially a medical diagnosis, so Apple will tell you this is not officially a medical diagnosis. It has just detected an irregular heartbeat and we'll encourage you to go talk to your primary care provider. So, that is one example of software as a medical device. 

CJ: I see! Is the hardware of the watch also have to be approved though? Or can you just have software as a medical device without some other feature? It seems like you couldn't, but I don't know.  

Ali: It's very interesting. So, one important thing about medical devices is that you have to validate the environment that they're working on, or they're working in. So, for example, if I have a heart valve and it's working on one side of my heart and then move it to another side of my heart, I have to add, like validate and verify that it works in that spot too, right?  

So, for same with software. However, in this case. Yeah, no, the software is not, you know, the watch is not considered part, but you still have to verify and validate that the irregular rhythm notification, in this case, was working correctly on the watch, and there were actually some clinical trials. Actually, there were some sponsored clinical trials, if you go look up clinical trials that come, I'm sure you'll find something that is that there was a study sponsored by Apple like they verified and validated its effectiveness, it's actually a Class II risk medical device.  

CJ: That is fascinating. So, tell us a little bit about how software as a medical device, like its role in the healthcare industry over time. What's that been?  

Ali: Yeah, no, it's actually really interesting, I'll just basically go in the chronological order here. The earliest applications of software as a medical device were these computer-aided detection systems and there was basically just software using X-ray data, CT scan data, and MRI scans, and it went as far back as the 1970s! 

CJ: Wow! 

Ali: Yeah, it was really far back. And incidentally, like my first exposure to this industry was in this space, back at UIC, where I was working at the center of magnetic resonance research. So, it was quite established.  

Now, what happened here was also like very interesting. Like, software as medical device applications got boosted by deep technologies, for example, like microchips became more powerful, and cloud computing became more affordable and accessible to everybody, right?  

Data processing happened at a very large scale. There were these proprietary algorithms like in AI and ML that were developed like that could do these chest x-ray analyses and whatnot.  

So, that was one factor and then there was this also like this mobile era like this connect these connected devices there were these smartphones that emerged, smart watches, wearable fitness tractors, all of them are backed with sensors. So, that allowed lots of data collection.  

Then also, Electronic Health Records. So, in the mid-2000s, EHRs were less than 10% at an adoption rate of yet less than 10% by U.S. hospitals. Now like, I don't know if you know, but now it's close to over 90% of U.S. hospitals. So, you have like these electronic medical records, you know that are ubiquitous in U.S. hospitals and also like other facilities. For example, if you go to a doctor, most doctors nowadays are at their computers, right? like typing in these electronic medical records. And for most appointments.  

You also had this digitization of your health data, also like played a big role. So, you had this convergence like of Internet, computing power, increasing cloud computing, big data, EHR adoption, mobile era, all this kind of coming together.  

And you basically, like you gave a boost to like software as a medical device. Nowadays you have digital health mobile apps, and some of them fall into this very special category. It's called medical mobile apps. It's in this category kind of recognized by the US FDA. Then you also have this like clinical decision support software, you know in-vitro diagnostics; glucose monitoring systems, digital diagnostics, all those, right? 

So, the computer-aided detection systems are part of these and they have been along and they've been more successful. Also, a new category that's playing a bigger and bigger role is like these algorithms AI and machine learning, you know.  

CJ: Yes. Well, I wanted to ask you about that because now all the rage and talk is AI and ChatGPT and all these other things, right? I mean, how does that play into all of this?  

Ali: AI is actually making a really big impact on digital health and software as a medical device. There are three big categories, there are AI-enabled medical devices. There's also like this genomic sequencing. And then there's this like processing of large amounts of EHR data. So, for AI-enabled medical devices, like I've already mentioned, like the one from Apple, right? The Apple Watch, the irregular rhythm notification feature that detects A-fib.  

As of October 2022, the US FDA posted a long list of AI-enabled medical devices. They were about 522 devices that were listed. Yeah, there were quite a few. A vast majority of them were for radiology. Radiology was the biggest category it had 392 devices that were enabled by AI. And the second highest was the cardiovascular medical device category, and it was about 50 plus, the second highest.   

And so those were like the AI-enabled medical devices. And then there's like this genomic sequencing, you know, like precisionFDAs and FDA community platform for next-generation sequencing assay evaluation and they do regulatory science exploration. So, they held many competitions, including Truth Challenge back in 2016 and then in 2020, where participants tested technologies for DNA variant calling. Some of the entries using machine learning and AI had crazy outstanding scores like 99.96 accuracy, and 99.97 accuracy, like nearly perfect. And just showed the importance of AI in genomic sequencing, like just playing a bigger role there.  

Then obviously like these large sets of EHR data are now available. Now you can think of "How hard it would be for humans to write rules and process this?" But yeah, I can do this much more effectively, where it goes through large sets of electronic health records, it can look at a large number of possible health conditions, it can look at all your symptoms, and you can imagine the AI triage room, emergency room situation where it's time-sensitive, you have access to limited resources. Something like an AI-enabled system could help you make critical decisions really fast really quickly. 

CJ: Right. It's that processing power.  

Ali: Yeah, it's really fast. I actually, I don't know if you've worked with like some AI-enabled models, but they're really fast, they're incredibly fast. There's an interesting story here too of an AI-enabled system. You know, before like you had ChatGPT like large language models, right? which were text-based prompt-based, right?  

There was another prompt-based system and it was INTERNIST-I, it was in the 1980s. It was developed, it was an AI program created by a team of researchers based out of the University of Pittsburgh. It helped with the medical diagnosis, you know, and specifically, it was supposed to mimic an internist, a Doctor Who specializes in internal medicine. It would ask you questions about the patient, like say, what's the patient's name, age, and gender? What kind of conditions and what kind of symptoms there are, and so on and so forth. And then it would help with the diagnosis. It took 15 years to build.  

It was a massive effort, but it failed. It failed not because it was not inaccurate, but it failed because it didn't have a really fluid clinical workflow. There was a lot of manual entry of data. And it also not it was not also like generalizable to other locations, for example like their data set did not learn from new cases. So, if it was developed in Pittsburgh or the Midwest or wherever. Like you couldn't take it to Japan and it wouldn't work there. The data was static. But the medical expert system was groundbreaking. It was groundbreaking AI and it was ahead of its time.  

Obviously, it suffered from these disadvantages like not having these large sets of electronic health records. There was no voice recognition. There was no natural language processing. Machine learning was not applied in this case. But with models like ChatGPT on the horizon, like I'm pretty sure there're like innovators out there in this space that are looking at this problem again and making some good progress now.  

CJ: Yeah, I bet. This is all fascinating. Let's take a quick break and then we're going to come back and talk some more. This is such an exciting topic. So, hang in there with us, folks. We'll be right back. 


Welcome back, everybody from our break, we're here with Ali, telling us all about software as a medical device and it's just fascinating and the first part we've kind of Ali has given us kind of a background kind of an evolution of it and kind of where it is today a little bit and maybe Ali we can shift directions a little bit and talk a little bit about the regulatory aspect of some of these things. I mean, you mentioned the FDA at the beginning. Tell us a little bit more about how the regulatory agencies have a part to play in this.  


Ali: So, there are quite a few regulatory agencies. But the one that's most important is the US FDA.  


CJ: Right!  


Ali: There are other agencies also up that are kind of like concerned here like for example FCC if you you're dealing with IoT type stuff, like for that FCC needs to ensure you're using the right bandwidth and you're not interfering with other medical devices using, you know, and the radiation levels are kind of like in with an acceptable range. But for software, I think US FDA, like is important. And they have a lot of like regulatory guidance and best practices on this.  


Now US FDA's approach to software as a medical device is very risk-based, you know. It's in general for medical devices. It's very risk-based. So, here different classes of risk are there. So, it's very quite simple, the model is quite simple. Class I is the lowest risk, Class II is moderate risk, and Class III, as you might have guessed, is the highest risk. And based on these three different types of classes of risks, different regulatory controls apply.  


CJ: Okay.  


Ali: So, for example, Class I, which is low risk. An example of that would be a patient bed monitor. You can imagine why that's like a low-risk device. Here something like general controls will apply. What that means is that it would pertain to, the general controls would like, which mean you would do device registration and listing. You have some design history, records, and reports, and you'd follow some good manufacturing practices. You know, these are just a few general controls.  


CJ: Okay.  


Ali: A Class II would be moderate risk and an example of this is Apple's irregular rhythm notification feature because it has mounted risk, because you can imagine like A-fib is a serious condition, right?  


CJ: Right.  

Ali: So, here you had the general controls that we discussed from the previous class, on top of that, you layer on an additional regulatory control, like which is called Special Controls. In special controls category you have to have like performance standards. You have to do post-market surveillance. You have to have pre-data requirements and you have to have labeling. And then there are some other controls as well.  


And then finally you got this Class III, which is the highest risk. An example of that would be a variable automated external defibrillator, right? So, it's like a, you know, you could basically, it's a life-sustaining, or if it doesn't work right it could be life-threatening, right?  


CJ: Exactly! 

Ali: So, you've got general controls that we discussed from class I, on top of that, you add this really strict, stringent pre-market authorization controls on top of that. And PMA involves a lot of work, so you have to do post-approval studies even after you're approved, you have to kind of just study the performance of your device. You have to also do periodic reporting. Even if you change your company name which has no impact on performance, you have to file an amendment. If the device is being used in a new environment and it has an impact to performance, you have to do a supplement.  


So, these are the kinds of regulatory controls that you have to follow. Now it's important for developers to understand this because this will determine your FDA's regulatory pathway going forward.  


CJ: Okay. And is that why you started FLOWBIT to kind of help with that or how does FLOWBIT help?  


Ali: So FLOWBIT actually, because we are not the device manufacturer we are not allowed to file with the FDA, the device manufacturer, the innovator, who produces the whole system needs to file with the FDA, right? So, we only help with the software.  

But we can help you anticipate regulatory controls by performing risk analysis, right? We will build software under design controls. We do this in a quality-controlled manner. It's a Dell-documented process. So, that you can prove to regulators that your product has been developed under adequate design controls. We also provide documentation supporting regulatory compliance, things like your software development plans need to be there, so if you're developing software as a medical device, you also have to have a technical architecture documentation. You need to have a quality plan which includes your verification and validation protocols. You need to have also some system integration planning. All these documentation needs, are dictated by your regulatory controls that apply to your device, and that's determined by your risk levels.  

CJ: And you may have alluded to this already, but because you talked about the external defibrillator, right? There's a hardware component, but then there's the software component. Are those both filed together or are those separate filings, is that not even an accurate question?  

Ali: Yeah. No, that's a good question. Yeah, no, I have seen filings where they're both lumps together like it'll say, "Oh, this works in tandem with our such and such." So, there are like, US FDA does have a medical device database. You can look up your specific product category. You could say like, "Oh, this is my software-intensive system and as part of that whole system this is the hardware that works in tandem with my software and this is my application," so it could be part of the whole system and you could have different classes all of these subsystems. So, I've seen both. Like sometimes you can file together and sometimes you do it individually.  

CJ: Well, that makes sense cause one thing I was thinking about, you know all these people with sleep apnea and they used their CPAP machines. And I've heard of some trials in the last few years. And I think they've been approved now where you can do like these implant stimulators where they implant Electro-stimulator so that it will stimulate the neck muscles. So, when they relax and that's what causes the snoring and the obstruction, the little shock. So, I'm curious, would that kind of device have software in it? You can tell I'm not a techie, I mean or is it, you know what I mean like, where does it stop from like being a sensor? And where does when does it become software as a medical device versus just the device?  

Ali: So, the software basically has to make a medical device claim, right? For example, if I were to have, like, in that sleep apnea device, right? If the hardware is just collecting some vitals, like some information, right? it would not really be considered software as a medical device. But for example, if it did some processing with that data, it did some like there was an algorithm that looked at the pattern of data and told you like, "we need to like, shock the user.  

CJ: Or do whatever!  

Ali: You know, like in that case, it sounds like it's treatment, right?  

CJ: Yeah, I got you.  

Ali: So, yeah that would be software as a medical device. Now, specifically, I'm not aware of any specific sleep apnea device. But you're right 100% I was looking at the other day, I was looking at some clinical trials and I did see a lot of these sleep apnea devices and they're probably also listed in the US FDA website. And you could get specific information regarding what is classified software as a medical device and which category this falls under.  

But yeah, like when the algorithm is doing a medical function, it would be considered...  

CJ: That makes sense. So, do you have any other examples of successful applications of software as a medical device in the clinical practice?  

Ali: Oh, yeah. There have been many. So, we discussed like, clinical decision support software and clinical-aided detection systems. There are also a lot of variables and monitoring apps. There are also continuous glucose monitoring devices, which have been incorporated into clinical practice now, so you probably see a lot of ads for these glucose monitoring devices, right?  

CJ: Okay.  

Ali: There are also digital therapeutic apps. So, EndeavorRX was the first-ever video game used to treat ADHD as of June 15, 2020, FDA permitted marketing of the first game-based digital therapeutic. And it was basically to improve attention function in children with ADHD. Now, what was interesting about these clinical trials showed it had longer-lasting effects when compared to drug-based treatments.  

CJ: Ah, that is fascinating!  

Ali: Yeah, I like it.  

CJ: I love that and I love what you're talking about, just like with the electronic health record and all the data, many years ago, I was involved in a project where there was going to be, there was a massive influx of people into a geographic region and the public health department was trying to monitor. So, like, they wanted to predict if there was an outbreak, an infectious outbreak going to happen. So, they wanted to monitor all the hospitals in this region for chief complaints that would make someone suspicious of it, and then they would look to see if it's spreading and that sort of thing. I don't know if it, I don't think that ever came of anything, but I'm just thinking with when you were talking about all the data that's in health records if there were some ways in the future and maybe this is a future state kind of question if all of that could be connected somehow, you wonder if, like at a public health level, if you could, identify hotspots in certain parts of the country and you know what I mean?  

Ali: Actually, it's being done already. Like there's flu forecasting for example. So, I think that's what you were alluding towards right?  

CJ: Right! Yeah, the example I was using was, it was actually the Olympics was coming to a certain geographic and.  

Ali: Oh! I see.  

CJ: And the health department is expecting an influx of people from all over the world. And so they were thinking, "Okay, How can we use data just to kind of keep people healthy because you're getting this mix of all these populations from all over the world, what if somebody's carrying something that kind of thing?" But my guess is you'd have to have software as a medical device doing that kind of analysis.  

Ali: Yeah, that sounds right. Yeah, I think that would be one of the things that you could use software for yeah, for sure. That's an interesting use case.  

CJ: Yeah, well, we're getting kind of close to the end of our time and I probably didn't ask you all the things I wanted to ask you, but in the last couple of minutes, is there anything that you would advise like, maybe best practices in the field, companies that want to get into this or anything else that I didn't ask that you'd like to highlight?  

Ali: So for best practices, right? So, software as a medical device has a really long list of best practices and standards. And you can look at FDA's website to get a feel for what are all the best back best practices in this space. From my experience with clients, there are some that are overlooked that I have talked about most recently and these include in-app analytics, automated testing, interoperability and I can give you some details around this. So, for in-app analytics, right? So, this has widespread adoption in e-commerce, marketing, and social media. And it's for some reason it's not as popular in healthcare applications, maybe because, you know, biomedical engineers don't have that in their background, but what it does is it helps developers keep track of how many users are coming onto the system, what screens are they looking at, which functions are being utilized most, which functions are being underutilized? What problems and errors were encountered using your software? If you gather such analytical information, you have to do it in a HIPAA-compliant manner. That's a given of course. We have to follow regulatory compliance.  

CJ: Our listeners would like to hear that because they're compliance officers.  

Ali: Yeah, for sure. But however, you are not using in-app analytics altogether is a big mistake, so it leaves you at a big disadvantage. You need to know how well your system is performing. You know, like it helps can help you in the post-market surveillance too. So that's one important thing that you need to be considering as a best practice.  

Another thing is like here, this is quite interesting, automated testing. For example, iOS is currently supporting 23 models, right? Like phone models, it sounds like a lot, but it's actually, you know, those are the iPhone models that are available out there.  

CJ: OK.  

Ali: Now imagine, like, you develop a software medical function. And now you have to test this critical medical function on all 23 devices because you have to validate them on these 20 devices. And now, CJ, imagine how many Android phone models are there.  

CJ: Right. I don't know.  

Ali: Android is running right now on 24,000 distinct phone models.  

CJ: Oh my goodness!  

Ali: So it just becomes very, even if you were to, like cut down the number of you know devices your software is compatible with, but you still are left with a large number of devices, phone models to test your software as a medical device to run on, right? So, you need to have an automated testing strategy here.  

And then what happens here is innovators understand this, but sometimes either they don't start at the right time doing this or they start too late or they just don't know, they don't have the expertise to design it well.  

CJ: Right!  

Ali: So, this kind of like falls short. Last but not least is the interoperability piece. Besides at-home patients, your medical devisor users could be like an outpatient facility or clinic. They could also be a hospital network. It could be a medical lab. It could also be a research facility or academic institution. Now what's important about these types of users is they work in offices or organizations that have large IT departments. And those IT departments have ISO standards, cybersecurity standards, and privacy standards, you know. All these practices need to be kept in mind, but also like there needs to be a data interoperability focus as well. So, your data that you're collecting needs to be interoperable with their data systems, right?  

So that is another thing that I've noticed innovators will think about last, when they get to their client and they talk to the client’s needs and then they realize, "Oh, actually we need this one additional thing." So, if you think about interoperability up front, they'll save you some time down the line.  

CJ: That is fascinating! And obviously, you have the experience where people are making missteps and where you can kind of give them some advice. This is really great, Ali. Any anything else before we kind of close any last-minute thoughts or to me? This has been fascinating.  

Ali: No, thank you, though. I really enjoyed the conversation. I really love talking about this, so thanks for giving me a chance.  

CJ: Absolutely! And your passion comes through clearly, I love it! And for those who are listening, we're going to include in the show notes some links, and some information if you want to reach out to Ali. And I already mentioned his YouTube channel and those sorts of things. So, there are lots of ways to learn more from him and from those he’s working with.  

And we just, as always, we want to thank our listeners. If you like these episodes, please hit the like button, and share it with colleagues. Get the word out and I always welcome other ideas. If you know people who you think would be good guests, please reach out to us. And until our next episode have a great day, everyone.


Questions or Comments?