FDA Digital Health Precertification: Lessons Learned and the Path Forward for Software Developers

The FDA’s Digital Health Software Precertification Pilot Program, commonly known as Pre-Cert, stands as one of the most ambitious experiments in regulatory innovation attempted by any medical device regulatory authority. Launched in 2017, the program sought to fundamentally reimagine how the FDA oversees digital health software by shifting regulatory focus from the individual product to the organization developing it. The premise was compelling: if the FDA could evaluate and certify that a software developer had excellent organizational practices in product quality, patient safety, clinical responsibility, cybersecurity responsiveness, and proactive culture, then the premarket review of individual products from that organization could be streamlined or, for lower-risk products, potentially replaced by robust postmarket surveillance. The program attracted nine prominent technology and healthcare companies, generated extensive research and working model documentation, and concluded in 2022 with a final report that acknowledged both the program’s insights and its limitations.

While the Pre-Cert program did not result in a permanent regulatory pathway, its influence on the current landscape of digital health regulation is profound and ongoing. The concepts explored during the pilot, particularly around organizational excellence assessment, real-world performance monitoring, and adaptive regulatory approaches for software products, have directly informed subsequent FDA initiatives including the Predetermined Change Control Plan framework, the Total Product Lifecycle approach to software regulation, and the Digital Health Center of Excellence’s strategic priorities. For software developers navigating today’s digital health regulatory environment, understanding the Pre-Cert experiment, its aspirations, its outcomes, and its legacy, provides essential context for appreciating why current regulatory frameworks take the form they do and where digital health regulation may evolve in the future.

This article provides a comprehensive analysis of the Pre-Cert program from inception through conclusion, examines the lessons learned that continue to shape regulatory policy, and traces the evolutionary path from Pre-Cert’s organizational excellence model to the product-focused lifecycle management frameworks that define digital health regulation in 2026.

The Pre-Cert Vision: Rethinking Digital Health Regulation

The intellectual foundation of the Pre-Cert program was the recognition that the traditional medical device regulatory paradigm, designed for physical products with relatively fixed functionality, was ill-suited to the characteristics of modern software development. Software products are developed iteratively, deployed continuously, and modified frequently. The organizations that develop them operate in development cultures where rapid iteration, continuous integration and deployment, automated testing, and data-driven decision-making are foundational practices. The Pre-Cert vision proposed that regulatory oversight could leverage these organizational characteristics rather than working against them.

The Organization-Centric Regulatory Model

The core innovation of Pre-Cert was the proposal to evaluate and certify organizations rather than, or in addition to, individual products. Under this model, the FDA would assess a software developer’s organizational practices, capabilities, and culture across defined excellence domains. Organizations that demonstrated excellence in these domains would receive a precertification that would affect the level of premarket review required for their individual products. Higher levels of organizational excellence would correspond to more streamlined premarket review pathways, reflecting the premise that an organization with excellent quality, safety, and cybersecurity practices is more likely to produce safe and effective software products than an organization without such practices, regardless of the specific characteristics of any individual product.

This approach represented a fundamental departure from the product-centric regulatory model that had governed medical devices since the Medical Device Amendments of 1976. Under the traditional model, regulatory oversight focuses on the individual product: its intended use, its performance characteristics, its manufacturing processes, and its clinical evidence. The organization behind the product is relevant only to the extent that it maintains a quality management system adequate to ensure consistent manufacturing. The Pre-Cert model proposed to invert this relationship, making organizational excellence the primary basis for regulatory confidence and reducing product-level review for organizations that had earned that confidence.

The Three-Component Framework

The Pre-Cert working model described a three-component framework comprising excellence appraisal, streamlined premarket review, and real-world performance monitoring. These components were designed to work together as an integrated regulatory system: excellence appraisal would establish the foundation of regulatory confidence in the organization; streamlined review would leverage that confidence to provide faster, more efficient premarket pathways for individual products; and real-world performance monitoring would provide ongoing assurance that products were performing safely and effectively in clinical use, closing the feedback loop that would inform both product oversight and organizational reappraisal.

Pilot Program Design and Participant Selection

The FDA selected nine organizations for the Pre-Cert pilot through a competitive application process that attracted over 100 applicants. The selected participants represented a diverse cross-section of the digital health ecosystem, including large technology companies, established medical device manufacturers with digital health divisions, and smaller health technology companies. The diversity of participants was intentional, designed to test the Pre-Cert concepts across different organizational sizes, maturity levels, and technology domains.

Participant Engagement Structure

Pilot participants engaged with the FDA through a structured program that included organizational assessments, product-specific case studies, working group participation, and iterative refinement of the Pre-Cert working model. The FDA conducted on-site assessments of participating organizations to evaluate their practices against the excellence appraisal criteria, and participants submitted product case studies that the FDA used to test the streamlined review concepts and compare outcomes against the traditional review process.

The pilot was explicitly designed as a learning exercise rather than a formal regulatory program. Products submitted by pilot participants still went through the standard regulatory review process, with the Pre-Cert analysis conducted in parallel to enable comparison without affecting actual regulatory outcomes. This parallel processing approach allowed the FDA to evaluate the Pre-Cert concepts against real regulatory decisions without exposing patients to the risks of an untested regulatory pathway.

The Excellence Appraisal Model

The excellence appraisal component of Pre-Cert defined five domains that the FDA proposed to assess as indicators of organizational capability to develop safe and effective digital health software. These domains were developed through extensive research, stakeholder engagement, and iterative refinement during the pilot program.

Proactive Culture as a Cross-Cutting Domain

The fifth domain, proactive culture, was distinguished from the other four as a cross-cutting organizational characteristic rather than a functional capability. The FDA’s working model described proactive culture as encompassing leadership commitment to patient safety and product quality, organizational transparency and willingness to share information with regulators, continuous improvement orientation, and the integration of safety and quality considerations into organizational decision-making at all levels. This domain was arguably the most innovative and also the most challenging to assess objectively, as organizational culture is inherently difficult to measure through the documentary and interview-based assessment methods available to regulatory authorities.

Assessment Methodology and Scoring

The FDA developed assessment tools and scoring rubrics for evaluating organizations against the excellence domains, drawing on established frameworks from quality management, software engineering maturity models, cybersecurity assessment programs, and organizational effectiveness research. The assessment methodology included documentary review of organizational policies, procedures, and evidence of practice; on-site visits with interviews of leadership, development teams, quality personnel, and other relevant staff; product-specific deep dives examining how organizational practices translated into actual product development outcomes; and structured scoring against defined maturity levels within each excellence domain.

The pilot experience revealed significant challenges in developing assessment methods that were simultaneously rigorous enough to provide meaningful regulatory confidence, practical enough to be administered efficiently by FDA staff, and flexible enough to accommodate the diverse organizational structures and development approaches of different software developers. Assessment consistency across different FDA assessment teams and different types of organizations proved particularly challenging, as the inherently qualitative nature of organizational excellence assessment resists the kind of standardization that regulatory assessment processes typically require.

Streamlined Premarket Review Concepts

The streamlined review component of Pre-Cert proposed that the level of premarket scrutiny applied to a specific product would be calibrated based on both the risk level of the product and the organizational excellence level of the developer. Under this model, a lower-risk product from a high-excellence organization might require minimal premarket review, with regulatory assurance provided primarily through the organization’s demonstrated excellence and robust postmarket monitoring. A higher-risk product from the same organization would still undergo substantive premarket review but might benefit from streamlined processes, reduced documentation requirements, or expedited timelines reflecting the FDA’s confidence in the organization’s development practices.

Risk-Based Review Tiers

The working model described a tiered review system with differentiated requirements based on the intersection of product risk and organizational excellence. At the most streamlined tier, products below a defined risk threshold from organizations with demonstrated excellence would proceed to market through a notification process with minimal premarket review, relying on postmarket surveillance to provide ongoing safety assurance. At intermediate tiers, products would undergo abbreviated reviews that focused on product-specific clinical and technical considerations while relying on the organizational excellence assessment for confidence in underlying development quality. At the most intensive tier, high-risk products would continue to undergo comprehensive premarket review regardless of the organization’s excellence level.

Real-World Performance and Postmarket Surveillance

The real-world performance component of Pre-Cert was designed to provide the ongoing safety assurance that would compensate for streamlined premarket review. The working model envisioned robust, data-driven postmarket surveillance systems that would monitor product performance continuously and generate actionable safety signals when performance deviated from expected parameters.

The real-world performance framework addressed the types of data that would be collected, including clinical outcomes, user experience metrics, software performance metrics, and adverse event reports; the analytical methods that would be applied to detect safety signals and performance trends; the reporting cadences and thresholds that would govern communication between manufacturers and the FDA; and the corrective action processes that would be triggered when performance monitoring identified potential safety concerns.

Pilot Program Outcomes and FDA Findings

The FDA published its final report on the Pre-Cert pilot program in 2022, providing a candid assessment of the program’s accomplishments, challenges, and conclusions. The report acknowledged that while the pilot generated valuable insights and advanced the FDA’s understanding of organization-based regulatory approaches, significant challenges remained unresolved and the program would not continue as an active regulatory pathway.

Accomplishments and Insights

The pilot demonstrated that organizational excellence assessment could provide meaningful information about a developer’s capacity to produce safe and effective software. The on-site assessments conducted during the pilot identified both strengths and areas for improvement at participating organizations, and several participants reported that the assessment process itself drove organizational improvements in their quality, safety, and cybersecurity practices. The pilot also generated practical experience with streamlined review concepts, producing case studies that informed the FDA’s understanding of how organizational confidence could be leveraged in premarket review processes.

The real-world performance work conducted during the pilot advanced the FDA’s thinking about postmarket surveillance for digital health products and contributed to the development of real-world evidence frameworks that continue to influence regulatory policy. The pilot’s emphasis on continuous monitoring and data-driven oversight helped shape the FDA’s evolving approach to total product lifecycle oversight for software-based medical devices.

Challenges and Limitations

The pilot identified several fundamental challenges that prevented the Pre-Cert concept from advancing to a formal regulatory program. The most significant was the statutory limitation: the FDA’s existing statutory authority under the Federal Food, Drug, and Cosmetic Act is fundamentally product-centric, and implementing an organization-based regulatory pathway would require legislative changes that Congress had not authorized. The pilot could explore and demonstrate concepts, but it could not create a legally enforceable regulatory pathway for organizational precertification without new statutory authority.

Beyond the statutory barrier, the pilot revealed practical challenges in the consistency and scalability of organizational assessments, the difficulty of maintaining organizational excellence certifications over time as organizations change, the complexity of defining appropriate boundaries between streamlined and standard review, and the resource intensity of the assessment and monitoring processes envisioned by the working model.

Key Lessons Learned from the Pre-Cert Experiment

The Pre-Cert pilot generated several lessons that have shaped subsequent regulatory policy and that remain relevant for software developers navigating the current digital health regulatory landscape.

Organizational Practices Matter, But Are Hard to Regulate

The pilot confirmed the intuitive premise that organizational practices significantly influence product quality and safety, but it also demonstrated that translating this observation into a formal regulatory framework is extraordinarily challenging. The assessment tools and scoring rubrics developed during the pilot provided useful snapshots of organizational capability but struggled with consistency, objectivity, and the dynamic nature of organizations that change personnel, practices, and priorities continuously. The lesson for software developers is that investing in organizational excellence, including robust quality systems, strong cybersecurity practices, and a genuine safety culture, creates real value in regulatory interactions even without a formal precertification pathway, because these practices produce better regulatory submissions, more successful reviews, and stronger postmarket compliance.

Real-World Performance Monitoring Is Essential

The pilot reinforced the critical importance of real-world performance monitoring for digital health products and demonstrated that effective monitoring requires deliberate architectural investment and organizational commitment. This lesson has directly influenced the FDA’s increasing emphasis on postmarket performance monitoring requirements in digital health device clearances and approvals, and it underlies the monitoring obligations embedded in the PCCP framework for AI/ML-enabled devices. Software developers should view real-world performance monitoring not as a postmarket compliance obligation but as a strategic capability that informs product improvement, demonstrates ongoing safety, and supports regulatory relationships.

Regulatory Innovation Requires Statutory Authority

Perhaps the most consequential lesson from Pre-Cert was the reminder that regulatory innovation is constrained by statutory authority. The FDA demonstrated creativity and ambition in designing the Pre-Cert concepts, but ultimately could not implement a formal organizational precertification pathway without congressional authorization. This lesson has influenced the FDA’s subsequent approach to digital health regulatory innovation, which has focused on mechanisms that can be implemented within existing statutory authority, such as the PCCP framework, enforcement discretion policies, and the De Novo classification pathway for novel device types.

Legislative and Statutory Barriers

The statutory framework governing medical device regulation in the United States was established by the Medical Device Amendments of 1976 and has been modified through subsequent legislation including the Safe Medical Devices Act of 1990, the FDA Modernization Act of 1997, the 21st Century Cures Act of 2016, and the Consolidated Appropriations Act of 2023. Throughout these legislative updates, the fundamental regulatory architecture has remained product-centric: the FDA evaluates individual devices for safety and effectiveness, clears or approves them for marketing, and monitors them in the postmarket period.

An organizational precertification pathway would require statutory changes authorizing the FDA to grant regulatory status to organizations rather than products, defining the legal basis for streamlined or waived premarket review based on organizational certification, establishing the enforcement mechanisms for organizational compliance including certification revocation, addressing liability and accountability questions that arise when organizational certification substitutes for product-level review, and defining the relationship between organizational certification and existing product-level regulatory requirements. Congress has not passed legislation authorizing these changes, and the political dynamics of medical device regulation, where patient safety considerations weigh heavily against proposals to reduce premarket oversight, make such legislation challenging to advance.

How Pre-Cert Shaped Current Digital Health Policy

Although Pre-Cert did not produce a permanent regulatory pathway, its influence on current digital health policy is substantial and multifaceted. The program’s most significant legacy lies in the concepts, frameworks, and institutional expertise it developed, which continue to inform the FDA’s approach to digital health regulation.

The Digital Health Center of Excellence

The FDA’s Digital Health Center of Excellence, established in 2020, reflects the institutional commitment to digital health regulatory expertise that the Pre-Cert program helped catalyze. The DHCoE serves as a focal point for digital health policy development, stakeholder engagement, and cross-center coordination within the FDA, ensuring that the digital health expertise developed during Pre-Cert and other initiatives is preserved and applied across the agency’s regulatory programs.

The Total Product Lifecycle Approach

The Pre-Cert emphasis on integrating premarket and postmarket oversight into a unified lifecycle framework has influenced the FDA’s broader adoption of total product lifecycle thinking for software-based devices. Current FDA policies and guidance documents increasingly describe regulatory oversight as a continuous process that spans premarket review, market authorization, postmarket monitoring, and product modification, rather than a series of discrete regulatory events. This lifecycle perspective is evident in the PCCP framework, in the FDA’s approach to digital health modification guidance, and in the increasing emphasis on real-world evidence and performance monitoring in digital health device oversight.

From Pre-Cert to PCCP: The Evolutionary Thread

The intellectual and practical connection between Pre-Cert and the Predetermined Change Control Plan framework illustrates how regulatory experiments can influence policy even when they do not produce their originally envisioned outcomes. The PCCP framework addresses the same fundamental challenge that motivated Pre-Cert, the need for regulatory approaches that accommodate the iterative, continuously evolving nature of software-based medical devices, but does so through a mechanism that operates within existing statutory authority.

Where Pre-Cert proposed to address this challenge through organizational certification that would streamline oversight of all products from certified organizations, the PCCP framework addresses it through product-level change control plans that enable pre-authorized modifications within defined boundaries. The PCCP approach is narrower in scope than Pre-Cert’s ambition but is implementable under existing law and has been formalized through final guidance. The organizational excellence concepts explored in Pre-Cert, while not codified in a formal certification pathway, continue to influence how the FDA evaluates manufacturers’ capability to execute PCCPs effectively, as the credibility of a change control plan depends in part on the manufacturer’s demonstrated organizational capability to implement it as described.

International Parallels and Alternative Models

The Pre-Cert concept was not unique to the FDA, and other regulatory authorities have explored or implemented organization-based or pathway-streamlining approaches to digital health regulation that parallel aspects of the Pre-Cert vision.

Singapore’s Regulatory Sandbox

Singapore’s Health Sciences Authority has operated a regulatory sandbox that allows selected digital health products to be made available within controlled environments while regulatory evidence is accumulated. This approach shares Pre-Cert’s emphasis on adaptive, learning-oriented regulatory frameworks but applies the flexibility at the product level within defined sandbox parameters rather than at the organizational level.

United Kingdom’s ILAP and Software Approaches

The UK’s Medicines and Healthcare products Regulatory Agency has explored innovative regulatory approaches for software and AI-based medical devices through its Innovative Licensing and Access Pathway and through targeted guidance on software regulation. The MHRA’s approach emphasizes proportionate regulation based on risk level, with streamlined pathways for lower-risk digital health products that share the Pre-Cert vision of calibrating regulatory burden to actual risk.

Japan’s DASH for SaMD

Japan’s approach to continuously improving medical devices through its regulatory framework has established mechanisms that allow manufacturers to implement certain software modifications without new regulatory submissions, provided they maintain comprehensive change management programs. This approach parallels aspects of both Pre-Cert’s organizational focus and the PCCP’s product-level change control approach.

The Path Forward for Digital Health Software Regulation

The Pre-Cert experience has informed a more nuanced understanding of the possibilities and limitations of regulatory innovation in digital health. The path forward for software regulation is likely to be evolutionary rather than revolutionary, building on the incremental policy developments that Pre-Cert influenced while remaining constrained by statutory frameworks and the imperative of patient safety assurance.

Expanding the PCCP Framework

The PCCP framework represents the most immediate evolutionary path for digital health regulatory innovation, and its scope and application are likely to expand as manufacturers and the FDA gain experience with its implementation. Future developments may include broader acceptance of PCCPs across device categories, more sophisticated change control plan structures that accommodate a wider range of modification types, and clearer guidance on the evidence requirements for different types of modifications within a PCCP. As the PCCP framework matures, it may absorb additional elements of the Pre-Cert vision, particularly around organizational capability assessment as a factor in evaluating PCCP credibility.

Digital Health Regulatory Modernization

Broader regulatory modernization efforts, including potential legislative updates to the Federal Food, Drug, and Cosmetic Act, may eventually create the statutory authority needed for more ambitious approaches to digital health regulation. The groundwork laid by Pre-Cert, including the detailed working models, assessment tools, and stakeholder engagement, provides a foundation that could be revisited if legislative opportunities arise. The FDA’s ongoing engagement with Congress on digital health policy, combined with the growing political salience of healthcare technology innovation, creates conditions under which legislative modernization remains a possibility, though the timeline and scope of any such legislation remain uncertain.

The Pre-Cert pilot program stands as a landmark experiment in regulatory innovation that advanced the FDA’s thinking about digital health regulation in ways that continue to influence policy years after the program’s conclusion. While the ambitious vision of organizational precertification was ultimately constrained by statutory limitations and practical challenges, the program generated insights, frameworks, and institutional expertise that have shaped the current regulatory landscape in profound ways. For digital health software developers, the lessons of Pre-Cert provide both strategic guidance for navigating today’s regulatory environment and a window into the direction that digital health regulation may evolve as technology, policy, and legislative frameworks continue to develop.