Cybersecurity for Medical Devices – FDA and EU MDR Perspective

FDA – Food and Drug Administration

The digital revolution has brought the Internet of Things (IoT), Software as a Medical Device (SaMD), the Internet of Medical Things (IoMT) and other connected devices into the healthcare environment, both in hospitals and at home, and with them the possibility of cyberattacks and intrusions against connected medical devices and the networks to which they are attached.

Most medical devices are connected to the Internet, hospital networks and other medical devices in order to deliver care and extend what healthcare providers can do for patients. The same connections also increase cybersecurity risk. Medical devices, like other computer systems, are vulnerable to security breaches, which can compromise the safety and effectiveness of the device.

Since 2005, the FDA has worked to improve medical device cybersecurity; its latest effort is draft guidance that expects security to be addressed throughout the total product life cycle (TPLC). Another effort is the Protecting and Transforming Cyber Health Care Act of 2022 (PATCH Act of 2022), which, if passed, would amend the existing Federal Food, Drug, and Cosmetic Act.

The FDA guidance sets out six broad expectations for a Secure Product Development Framework (SPDF), which covers every stage of a product’s life cycle (development, release, support and decommissioning) and satisfies the Quality System Regulation (QSR) under 21 CFR Part 820:

  • Cybersecurity is a fundamental part of device safety and the QSR
  • Security by design
  • Transparency
  • Security risk management
  • Security architecture
  • Testing/objective evidence

The FDA draft guidance, under the QSR, also states that the manufacturer’s verification and validation activities shall include sufficient cybersecurity testing of the system, validating its inputs and outputs. Further, the FDA notes that cybersecurity controls require testing beyond standard software verification and validation to demonstrate that the device provides reasonable assurance of safety and effectiveness.

The following cybersecurity testing, with corresponding objective evidence, is considered the minimum support for a premarket submission:

Security requirements

  • Evidence of boundary analysis and the rationale for the boundary assumptions
  • Threat mitigation
  • Evidence that all design input security requirements were implemented successfully
  • Evidence from testing the threat models that demonstrates the risk control measures in the system and its use cases are effective
  • Evidence of the adequacy of risk control

Vulnerability testing – Evidence of testing for:

  • Abuse cases, malformed and unexpected inputs
  • Vulnerability chaining
  • Closed box (black box) scanning for known vulnerabilities
  • Software composition analysis of binary executable files
  • Static and dynamic code analysis

Penetration testing – Identifies and characterizes security-related issues, discovering security vulnerabilities in the product.

Regular interval cybersecurity testing – Performed at regular intervals to identify potential vulnerabilities before they can be exploited.
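One of the evidence items above, software composition analysis of binary executable files, is easiest to understand from a small worked version. The block below is an added example, not code from the article or from the FDA. It does the classic two steps: pull printable strings out of a stripped binary, then match version banners against a minimum-version policy derived from the manufacturer’s own SBOM review. The firmware image, the component names (ExampleTLS, compresslib, pumpctl-rtos) and the MINIMUM_VERSIONS table are all constructed for illustration and say nothing about any real product; a production SCA tool matches against a maintained component database instead of a hand-written table.

```python
"""Software composition analysis (SCA) of a binary image.

Added example, not from the article. The firmware bytes, component
names and the minimum-version policy below are constructed for
illustration only; a real SCA tool would match against a maintained
component database and the device's SBOM rather than this table.
"""
import re

# Constructed firmware image: opaque bytes with embedded version banners,
# the way linked libraries usually leave them in a stripped binary.
FIRMWARE_IMAGE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 40
    + b"ExampleTLS 2.1.4\x00"
    + bytes(range(0, 64)) + b"\x00"
    + b"compresslib version 1.2.8\x00"
    + b"\xff\xfe" * 20
    + b"pumpctl-rtos 4.0.1 (build 77)\x00"
)

# Constructed policy: component -> minimum acceptable version, as a
# manufacturer might derive from its SBOM review. Hypothetical values.
MINIMUM_VERSIONS = {
    "ExampleTLS": (2, 2, 0),
    "compresslib": (1, 2, 8),
}

# Banner shapes handled: "<name> <ver>" and "<name> version <ver>".
BANNER_RE = re.compile(r"([A-Za-z][A-Za-z0-9_-]{2,})(?: version)? (\d+\.\d+\.\d+)")


def printable_strings(blob, min_len=6):
    """Return runs of printable ASCII of at least min_len bytes (the classic `strings` pass)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def extract_components(blob):
    """Return {component_name: version_tuple} from banners embedded in the blob."""
    found = {}
    for s in printable_strings(blob):
        m = BANNER_RE.search(s)
        if m:
            found[m.group(1)] = tuple(int(x) for x in m.group(2).split("."))
    return found


def sca_report(blob, policy):
    """Compare extracted components against the policy.

    Returns (outdated, unlisted): components below their minimum version,
    and components with no policy entry, which need an SBOM review of their own.
    """
    components = extract_components(blob)
    outdated = {n: v for n, v in components.items() if n in policy and v < policy[n]}
    unlisted = sorted(n for n in components if n not in policy)
    return outdated, unlisted


if __name__ == "__main__":
    outdated, unlisted = sca_report(FIRMWARE_IMAGE, MINIMUM_VERSIONS)
    print("components:", extract_components(FIRMWARE_IMAGE))
    print("below minimum version:", outdated)
    print("not covered by policy:", unlisted)
```

The two output buckets map directly onto what a reviewer asks for: the `outdated` set is the objective evidence that a known-weak component is (or is not) present, and the `unlisted` set is the gap list that the SBOM must close before the submission is complete.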

THE FDA’S ROLE IN MEDICAL DEVICE CYBERSECURITY

Dispelling Myths and Understanding


04/07/2022 Draft Guidance: Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions

This draft guidance replaces the 2018 draft. It emphasises that all medical devices must be designed securely so that new cybersecurity risks can be mitigated throughout the Total Product Life Cycle, and it sets out the FDA’s recommendations for addressing cybersecurity in premarket submissions more clearly.

03/08/2022 Cybersecurity Alert: Vulnerabilities identified in medical device software components: PTC Axeda agent and Axeda Desktop Server

The PTC Axeda agent and Axeda Desktop Server are cloud-based technologies that allow people to securely view and operate a remote desktop over the Internet. The Axeda agent and its desktop server are owned by the software company PTC.

The FDA alerts all medical device users and manufacturers to cybersecurity vulnerabilities identified in the Axeda agent and Axeda Desktop Server. These components are used in many medical devices from several manufacturers, and all versions of the Axeda agent and Axeda Desktop Server are affected. On 8 March 2022, the Cybersecurity and Infrastructure Security Agency (CISA) published an advisory, ICSA-22-067-01, on these vulnerabilities.

Successful exploitation of these vulnerabilities could allow an unauthorized attacker to take complete control of the host operating system, resulting in full system access, remote code execution, reading or changing the configuration, system file access, access to log information, and denial-of-service conditions. These vulnerabilities may result in changes to the functions of the medical device and impact the availability of the remote support functionality.

As a result, PTC recommends that affected manufacturers:

  • Upgrade to Axeda agent version 6.9.2 build 1049 or 6.9.3 build 1051 if running an older version of the Axeda agent.
  • Configure the Axeda agent and Axeda Desktop Server to listen only on the localhost interface (127.0.0.1).
  • Provide a unique password in the AxedaDesktop.ini file for each and every unit.
  • Remove the installation file.
  • Delete the ERemoteServer file from the host device.
  • Never use ERemoteServer in production.
  • On Windows, configure localhost (127.0.0.1) communication between ERemoteServer and Axeda Builder.
  • On Windows or Linux, allow connections to ERemoteServer only from trusted hosts and block all others.
  • Configure the Axeda agent with the authentication information required to log in to the Axeda Deployment Utility.
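A manufacturer or hospital biomedical team with many affected units needs a repeatable way to confirm that the mitigations above are actually in place across the fleet. The script below is an added example written for this article, not PTC’s or the FDA’s code. It checks four of the recommendations for each unit: agent version at or above a fixed build, listener bound to 127.0.0.1, a non-empty password that is not reused on another unit, and no ERemoteServer left on the host. The inventory records and the INI layout (a hypothetical `[Server]` section with `ListenAddress` and `Password` keys) are constructed; a real AxedaDesktop.ini and a real asset inventory use their own field names, so those must be mapped before the audit is run against actual devices. The version rule is also a simplification: only the two branches named in the advisory are compared build by build, anything newer is assumed fixed and anything older is assumed unfixed.

```python
"""Fleet audit for the Axeda mitigations listed in the article.

Added example, not part of the article or of PTC's software. The
inventory records, the INI layout ([Server] with ListenAddress and
Password) and the field names are constructed for illustration; adapt
them to the real AxedaDesktop.ini and inventory before use.
"""
import configparser
import re
from collections import Counter

# Fixed builds named in the advisory: (major, minor, patch) -> minimum build.
FIXED_BUILDS = {(6, 9, 2): 1049, (6, 9, 3): 1051}

# Constructed inventory: three hypothetical units with the data the audit needs.
FLEET = {
    "infusion-pump-0001": {
        "agent_version": "6.9.1 build 1032",
        "ini": "[Server]\nListenAddress=0.0.0.0\nPassword=axeda\n",
        "eremoteserver_present": True,
    },
    "infusion-pump-0002": {
        "agent_version": "6.9.2 build 1049",
        "ini": "[Server]\nListenAddress=127.0.0.1\nPassword=axeda\n",
        "eremoteserver_present": False,
    },
    "patient-monitor-0003": {
        "agent_version": "6.9.3 build 1051",
        "ini": "[Server]\nListenAddress=127.0.0.1\nPassword=u3-Q9x!tK7\n",
        "eremoteserver_present": False,
    },
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\s+build\s+(\d+)")


def parse_version(text):
    """Split '6.9.2 build 1049' into ((6, 9, 2), 1049)."""
    m = VERSION_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, build = (int(g) for g in m.groups())
    return (major, minor, patch), build


def version_is_fixed(text):
    """True when the agent is at or above a fixed build.

    Assumption (simplification for this example): only the two branches
    named in the advisory are compared build by build; releases newer
    than 6.9.3 are treated as fixed and releases older than 6.9.2 as not.
    """
    base, build = parse_version(text)
    if base in FIXED_BUILDS:
        return build >= FIXED_BUILDS[base]
    return base > (6, 9, 3)


def read_ini(ini_text):
    """Parse the constructed INI layout; interpolation is off so a '%' in a password is literal."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    listen = cfg.get("Server", "ListenAddress", fallback="")
    password = cfg.get("Server", "Password", fallback="")
    return listen, password


def audit_fleet(fleet):
    """Return {unit_name: [finding, ...]}; an empty list means the unit passed every check."""
    # Count password reuse over the whole fleet first, so a shared password
    # is reported on every unit that uses it, not just the second one seen.
    password_counts = Counter()
    for record in fleet.values():
        _, password = read_ini(record["ini"])
        if password:
            password_counts[password] += 1

    results = {}
    for name, record in fleet.items():
        findings = []
        if not version_is_fixed(record["agent_version"]):
            findings.append("agent version below a fixed build")
        listen, password = read_ini(record["ini"])
        if listen != "127.0.0.1":
            findings.append(f"listens on {listen or '<unset>'} instead of 127.0.0.1")
        if not password:
            findings.append("no password set in AxedaDesktop.ini")
        elif password_counts[password] > 1:
            findings.append("password shared with another unit")
        if record["eremoteserver_present"]:
            findings.append("ERemoteServer still present on host")
        results[name] = findings
    return results


if __name__ == "__main__":
    for unit, findings in audit_fleet(FLEET).items():
        print(f"{unit}: {'OK' if not findings else '; '.join(findings)}")
```

Running it on the constructed fleet flags the first pump on all four checks, the second pump only for sharing its password with the first, and the monitor on nothing; the shared-password check is the one that a per-device review would miss, which is why the count is taken across the fleet before any unit is judged.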

Cybersecurity is therefore one of the crucial aspects of today’s fast-paced digital world. The cyber threats to medical devices are hard to deny, and it is important to learn how to defend against them and create a safe environment for the use of medical devices.

EU MDR and IVDR

In the EU, Annex I of both the MDR and the IVDR sets out requirements that mandate consideration of medical device cybersecurity, and the Medical Device Coordination Group (MDCG) guidance explains to manufacturers how to fulfil the relevant essential requirements regarding cybersecurity.

[Figure 1: Cybersecurity requirements contained in MDR Annex I. Source: MDCG 2019-16 Guidance on Cybersecurity of medical devices]

The NIS Directive also provides for legal measures to increase the overall level of Cybersecurity in the EU.

The GDPR (General Data Protection Regulation) governs how any individual, company or organisation connected to the EU processes and protects personal data, and so guides medical device manufacturers in handling such data.

The EU Cybersecurity Act provides for cybersecurity certification of ICT products, services and processes.

According to the Cybersecurity Act, manufacturers are required to demonstrate the state of the art in the design, development and improvement of their medical devices throughout the life cycle. During that time they must consider the safety, security and efficacy of the devices, and for in vitro diagnostic devices the design of safety mechanisms must be considered early in the manufacturing process.

[Figure 4: Lifecycle stages. Source: MDCG 2019-16 Guidance on Cybersecurity of medical devices]

The MDCG sets out the key elements of a staged security strategy (“defense in depth strategy”) as follows:

  • Security management
  • Specification of security requirements
  • Security by design
  • Secure implementation
  • Management of security-related issues
  • Security update management
  • Security risk management

The possible IT security requirements for the operating environment, according to the MDCG, are:

  • Compliance with national and EU regulations (e.g., GDPR)
  • Ensuring appropriate security controls are in place
  • Ensuring the physical security of the medical device through suitable measures
  • Controlling and securing network traffic through suitable measures
  • Life cycle aspects
  • Security measures specific to workstations connected to the medical device
  • Security vulnerabilities in the device hardware/software and in third-party hardware/software used with the medical device
  • During the life of the device, the manufacturer should implement a process to collect post-market information about the security of the device

[Figure 3: Cybersecurity measures may cause safety impacts. Source: MDCG 2019-16 Guidance on Cybersecurity of medical devices]

Based on the EU Cybersecurity Act, the manufacturer must provide the following information to the user of the medical device:

  • Specifications of the operating system
  • IT security risk assessment information
  • Provisions for ensuring the integrity of software updates and security patches
  • Product installation
  • Security configuration options
  • Initial configuration guidelines
  • Step-by-step instructions for deploying security updates
  • Description of the backup and restore functions for data and configuration settings
  • Procedures for using the medical device in failsafe mode

Manufacturers are required to establish a post-market surveillance (PMS) system and keep it up to date. Medical device cybersecurity requirements should be part of this PMS system.

Depending on the class of the medical device, a PMS report or a periodic safety update report (PSUR) is generated, which summarises the analysis of all data collected from the market.

FAQs

How can we protect health care from cyber-attacks?

  • Vulnerability assessment and the required testing
  • Training healthcare providers to protect against breaches
  • Following the standards and regulations

Where is Cybersecurity used?

Cybersecurity helps protect the data, software and hardware connected to a system, reducing unauthorised access to the data or the system.

What is the PATCH act?

The PATCH Act is intended to help manufacturers meet all the cybersecurity requirements needed to satisfy FDA regulatory standards.

What medical devices can be hacked?

MRI, Pacemakers, Implants, Heart rate monitors, Drug infusion pumps, medical records and other devices connected to the hospital network.

What are the new cybersecurity requirements according to EU MDR?

MDR Annex I explains the risks associated with the interaction between software and medical devices. Manufacturers should follow the relevant standards during the life cycle, risk management, verification and validation of their devices.


Disclaimer: Regulations/legislations are subjected to changes from time to time and the author claims no responsibility for the accuracy of information.

Testing Standard Requirements around the World

Medical device testing – an overview

Medical device testing is a crucial step in manufacturing a product. This mandatory process ensures that the medical device is safe and effective. Testing of medical devices proves that the product complies with the standards and regulations of a country. Moreover, it also sheds light on any product defects. This article discusses the testing requirements and the applicable standards.

Medical device testing applies to all medical devices, in-vitro diagnostic devices, combination products and active implantable devices. Some common tests for medical devices are given below:

  • Electrical safety tests
  • Functional safety tests
  • Performance tests
  • Electromagnetic compatibility (EMC) tests
  • Electromagnetic Interference (EMI) tests
  • Immunity Tests
  • Biocompatibility tests
  • Chemical testing
  • Cybersecurity tests (applicable to SaMD or any software that stores data)
  • Storage and Transport
  • Ingress Protection

Medical device testing is crucial because a device intended for patient use must be safe. The tests a medical device must undergo depend on its type: equipment such as a ventilator must undergo electrical safety testing, whereas a device such as a cannula requires appropriate biocompatibility tests. Hence, the relevant tests are chosen on the basis of the medical device’s intended use.

The testing procedure should be logical and must begin with a risk analysis. After identifying the failure mechanisms and hazards associated with a device, testing strategies and processes can be devised to quantify the size of these risks. As a result, the purpose of a test method and procedure is to offer evidence that the hazards connected with a device are insignificant or, at the very least, acceptable when weighed against the benefits received from its use.

Types of medical device testing

Medical device testing is broadly categorised into physical, chemical/biological and cybersecurity testing. Physical testing covers tests such as electrical testing, MRI safety, functional safety tests and EMC tests.

The IEC 60601 series is a widely accepted technical standard for the safety and performance of medical electrical equipment. EMC/EMI tests ensure that the device is compatible with other medical devices and works as intended in its environment when subjected to interference (immunity testing). Conformance to this standard provides assurance that the equipment does not create electromagnetic fields that could impair the operation of other devices in its usual environment.

Chemical or biological testing helps establish the device’s compatibility with the skin surface. Medical devices that contact skin must comply with the ISO 10993 series, Biological evaluation of medical devices. For this, the manufacturer must consider the choice of materials and the compatibility between device materials and biological tissues, cells and body fluids. Test methods such as stress, shear and ageing tests are performed so that the final product raises the fewest quality concerns.

Cybersecurity testing is crucial for medical devices so that risks such as unauthorised access to data and breaches are identified and their occurrence minimised. Common standards followed for medical device software are IEC 62304 and ISO 27001. IEC 62304 specifies the life cycle requirements for medical device software, whereas ISO 27001 focuses on data and information security.

It should be noted that each of the above standards is closely related to the ISO standard for risk management of medical devices (ISO 14971). The risks associated with the medical device should be correctly identified, and appropriate tests should be performed to prove that the relevant standards are met. Please read our article on global ISO requirements for a better understanding of the ISO standards.

Testing requirements around the world

To fully comply with the regulations of each country, one must also align with the testing standards accepted within each country. ISO and IEC standards are accepted across the globe. Compliance with these ensures that the devices can be marketed without any major difficulties. This article discusses the testing standards followed in major medical device markets.

In Europe, close to 80% of electrical and electronic standards follow the various IEC International Standards. Standards for electromedical equipment include the IEC 60601 series, which contains particular requirements for high-frequency surgical instruments, short-wave therapy equipment and so on. The EU periodically publishes a harmonised standards list, which comprises the standards most readily accepted for EU compliance.

The US accepts certain ISO standards; however, the FDA maintains a list of recognised consensus standards that it accepts for medical devices. These include ANSI, AAMI, ASTM and other standards. ANSI standards apply to a variety of industries, like ISO, whereas AAMI standards are specific to medical instruments and ASTM standards are specific to the materials used in medical devices.

Canada’s list of Recognized Standards for Medical Devices includes a combination of ISO and ASTM standards. For electromedical compatibility, it accepts CSA standards.

Australia accepts the standards referenced in the Conformity Assessment Standard Orders (CASO) and Medical Device Standard Orders (MDSO). Conformance to these standards is not mandatory but is recommended.

FAQs

Why are testing standards important?

Testing standards ensure that the medical device is fit for use not just for the patient but also for the healthcare professionals handling them. Most countries do not have stringent requirements for testing standards, but it is recommended that the devices have some form of tests done.

Why are risk management and testing standards closely linked?

Risk analysis is a crucial step in designing a medical device. Certain identified risks can be managed with a minor change in the early stages of manufacture, and such risks can be identified with the help of an appropriate test.



Global Labelling Requirements

Label, Labelling vs Instructions for Use (IFU)?

  • A Label is the written, printed, or graphic information that goes on the packaging of the medical device.
  • Instructions For Use (IFUs) or Package Insert is the essential information accompanying the medical device for its safe and effective use by the user. It can be a single to multiple-page document.
  • Labelling is the content that goes on the Label or IFUs.

What are the minimum requirements for labeling?

The ISO has published many standards applicable to the medical device industry. Some of them are listed below:

Standard Number   Standard Name
ISO 18113         In vitro diagnostic medical devices – Information supplied by the manufacturer (labelling) – Parts 1, 2, 3, 4 and 5
ISO 28219         Packaging – Labelling and direct product marking with linear bar code and two-dimensional symbols
ISO 15223         Medical devices – Symbols to be used with medical device labels, labelling and information to be supplied – Parts 1 and 2
ISO 3864          Graphical symbols – Safety colours and safety signs – Parts 1, 2 and 3
ISO 20417         Medical devices – Information to be supplied by the manufacturer
ISO 14025         Environmental labels and declarations – Type III environmental declarations – Principles and procedures
ISO 14021         Environmental labels and declarations – Self-declared environmental claims (Type II environmental labelling)
ISO 14020         Environmental labels and declarations – General principles
ISO 22742         Packaging – Linear barcode and two-dimensional symbols for product packaging

More specific, product-oriented labelling standards are also available.

ISO 20417 defines the information to be supplied by the manufacturer. Every medical device manufacturer, distributor, importer or Authorised Representative is bound to comply with the standard before placing the device on the market. The requirements are as follows:

Information on Label

  • Manufacturer details – Trade Name, address, country
  • Product description.
  • Product identification – model or catalogue number, Lot number, serial number, expiry date, UDI,
  • Storage instructions
  • Operating instructions
  • Warning or precautions
  • Presence of any harmful substances (>0.1% w/w), biological origin substances, medicinal substances, nanotechnology materials
  • Electronic IFUs (if available)
  • Mention of: Single-use/ Single patient multiple-use / Reuse / Limitation on reuse
  • If Sterile and method of sterilization
  • Explanation of safety-related colours

Information on Packaging

  • Name and address of the manufacturer or an authorized representative
  • UDI
  • Production controls – lot number, serial number, expiry date
  • Model number, catalog number, commercial name
  • Mention of: Single-use/ Single patient multiple-use / Reuse / Limitation on reuse
  • Storage or special handling requirements
  • Any special requirements for battery-powered medical device
  • Contraindications, warnings, or precautions

Information in IFUs

  • General information (as above)
  • Intended Use of the medical device
  • Safety information
  • Performance of the medical device
  • Any residual risk associated with the use of the medical device or its accessory
  • Any known contraindications
  • Document control number of the IFU
  • Safe disposal information
  • Any specific instructions for handling or preparatory treatment
  • Any warnings, precautions, or limitations
  • If any accessories or indicators are provided along with the device, instructions on their use to be provided in the IFU.
  • Technical description

The harmonised ISO standard ensures that accurate and uniform information is conveyed to the lay person.

Global Labelling Requirements

Most countries have a mandatory requirement for IFUs or labels in the local language. To ease this requirement, the ISO 15223 standard provides a set of symbols that depict common terms such as Manufacturer, Lot number, storage conditions, Expiry, eIFU and many more.

The uniform symbols help in identifying the necessary information without the language barrier. Another advantage is it saves significant label space.

FAQs

Is it necessary to follow the ISO standards?

It is advisable to develop a medical device in compliance with the applicable harmonised standards. This favours smooth marketing of the product alongside its competitors.

Is it necessary to brief the symbols in IFU when symbols from standards are used?

Yes, it is required to brief every symbol in the IFU that is used on the label of the product.

Can a distributor or an importer label be affixed separately apart from the main label?

Yes, these labels may be affixed separately on the product, because one manufacturer may have several distributors or importers within the EEA.

Is it necessary to create dedicated labels for accessories of medical devices?

Yes, it is. The accessory is not always shipped together with the medical device, so it must be identified with its own appropriate label.

If the manufacturer wants to provide an eIFU how to indicate this on the label?

Firstly, not all medical devices are eligible for eIFU provision. Regulation 207/2012 states which categories of medical devices are eligible for an eIFU.

What is the deadline to implement UDI carrier on device labelling?

Article 123.3.f states these timelines as:


De Novo Request | FDA

The De Novo request is a simpler marketing pathway for classifying novel medical devices that provide reasonable assurance of safety and effectiveness for their intended use and have no predicate device already on the market. The FDA also states that devices classified as Class I or II through a De Novo request can serve as predicate devices for future premarket 510(k) notifications.

De Novo Request Procedure

There are two ways to submit a De Novo request to the FDA for a risk-based evaluation of the device’s classification into class I or II.

Method 1: In response to a previous 510(k) submission for which the product received a high-level not substantially equivalent (NSE) determination.

Method 2: The requester determines that no legally marketed device can be treated as substantially equivalent. Then, without first submitting a 510(k), the device can receive a high-level NSE determination.

The FDA recommends that sponsors follow a pre-submission to get feedback from the appropriate premarket review division.

Points to remember

The FDA will reject the De Novo request if the cover sheet does not state “Request for Evaluation of Automatic Class III Designation”, or if any of the following is missing:

  • Administrative information about the device
  • Device description
  • Classification information and supporting files
  • Clinical data (if applicable)
  • Non-clinical data, including bench performance testing
  • Compatibility and safety studies
  • The benefit-risk analysis data

Submission Procedure

  • Prepare the application in electronic copy (eCopy) or electronic Submission Template And Resource (eSTAR) format.
  • Once submitted, a unique document number is assigned by CDER/CDRH.
  • Within 7 days, the centre communicates the De Novo number to the applicant in an acknowledgement letter.
  • Stage 1: Acceptance review (refer to the acceptance checklist), an initial review to check that the required documents are present.
  • Stage 2: Substantive review, a detailed review together with an interactive review in which the deficiencies to be resolved are discussed with the applicant.

De Novo request decision

The FDA will make a final decision on whether to grant or deny the De Novo request after reviewing it. In some cases, the FDA will consider withdrawing the De Novo request. If the FDA decides to withdraw a De Novo request, the requester is notified with the De Novo request number and the date the FDA decided to withdraw the De Novo request. These orders aren’t available on the FDA’s website.

De Novo Submission Fee Requirements

The current fee requirements for De Novo request submissions are published by the FDA.

De Novo Submission Flowchart Representation

Refer to the final rule for more information on the content of the De Novo Request.

What are the immediate effects after the FDA grants the De Novo request?

  • The new device is authorised to be marketed and must comply with the applicable regulatory controls
  • A new classification regulation for the device type is established
  • The new device may now serve as a predicate device for 510(k) submissions of future devices of the same type, where applicable
  • The FDA publishes in the Federal Register a notice announcing the new classification regulation and, for class II devices, the new special controls
  • The FDA posts on its website a copy of the granting order notifying the requester that marketing authorisation has been granted
  • The FDA generates and publicly discloses a decision summary

Why does the FDA decline the De Novo request?

  • General controls, or general and special controls, are insufficient to provide reasonable assurance of the safety and effectiveness of the device; or
  • The data provided in the De Novo request are insufficient to determine whether general controls, or general and special controls, can provide reasonable assurance of the safety and effectiveness of the device; or
  • The probable benefits of the device do not outweigh the probable risks.

When does the FDA withdraw a De Novo request?

  • The requester submits a written notice to the FDA that it is withdrawing the De Novo request; or
  • The requester fails to provide a complete response to a request for additional information (21 CFR 860.240), or deficiencies identified by the FDA (21 CFR 860.230) are not addressed within 180 days after the date the FDA issues such a request; or
  • The requester does not permit an authorised FDA employee to inspect the facilities (21 CFR 860.240) at a reasonable time and in a reasonable manner, and to access, copy and verify all records pertinent to the De Novo request.


Global ISO Requirements

What is ISO?

ISO, the International Organization for Standardization, is an international non-governmental body that drafts and establishes technical and non-technical standards. These standards are developed by different committees within ISO. With around 165 member states, each with one representative, ISO is a global entity catering to the needs of industry.

Are ISO standards important?

The ISO medical device standards are the bible for many countries, especially those without predefined regulations or processes. Regulated countries also prefer ISO standards in addition to their own regulations and guidance. The most widely referenced ISO standard is ISO 13485:2016 Medical devices — Quality management systems — Requirements for regulatory purposes. In addition to general standards, ISO also publishes product-specific guidance, for example for implants, orthopaedics, medical electrical equipment and many more.

Global ISO Requirements

In Europe, the European Commission has the Medical Device Regulation MDR 2017/745 and In-vitro Diagnostic Device Regulation IVDR 2017/746. These regulations provide a detailed framework for introducing a medical device in the European market. However, in addition to that, certain ISO standards may also be referred to for ensuring a better-quality product. Some of the many popularly used standards include:

  • ISO 14971:2019 Medical Devices – Application of Risk Management to medical devices
  • ISO 15223-1:2021 Medical devices – Symbols to be used with information to be supplied by the manufacturer – Part 1: General requirements
  • IEC 60601-2-83 Medical electrical equipment – Part 2-83: Particular requirements for the basic safety and essential performance of home light therapy equipment
  • IEC 60601-1 Medical electrical equipment – Part 1: General requirements for basic safety and essential performance

The European Commission also has harmonised standards, developed by the European Standards Organisations CEN, CENELEC and ETSI in line with the international standards, and publishes a list of the applicable harmonised standards for enhanced product safety and quality.

In the USA, the US Food and Drug Administration (FDA) has a Code of Federal Regulations (CFR) and Guidance.

  • CFRs are legally binding; manufacturers must comply with the requirements of the CFR
  • Guidance documents present the Agency’s thinking on regulatory issues; they are NOT legally binding

In addition to these, the FDA also accepts certain recognized consensus standards from different organizations such as ISO, CLSI, ANSI, IEC, CEN, etc. These standards may be used to justify a Declaration of Conformity for a product. The widely accepted medical device ISO standards are, but are not limited to:

  • ISO 10993 – Biological Evaluation for Medical Devices
  • ISO 14160 – Sterilization of Healthcare Products
  • ISO 11737 – Sterilization of Medical Devices

In Canada, the Standards Council of Canada (SCC) is the ISO member body. Similar to the US FDA, the Therapeutic Products Directorate (TPD) of Health Canada periodically releases a list of acceptable international or national standards for medical devices. Manufacturers can use these recognised standards, in conjunction with Health Canada’s Medical Devices Regulations (SOR/98-282) and its guidance documents, to demonstrate product conformity and safe use in the market.

China’s National Medical Products Administration (NMPA) is developing domestic standards that align more closely with ISO. Biocompatibility testing is one area where China’s scope and requirements exceed those of the US and EU; hence the NMPA has developed various biocompatibility testing standards that are to be used in addition to the ISO standard.

For the rest of the world’s medical device industry,

  • India encourages ISO certification for all its industries. The medical sector must be ISO 13485 compliant while the pharmaceutical sector must be ISO 9001 compliant for Quality Management Systems, in addition to other relevant and applicable ISO standards.
  • Japan’s Japanese Industrial Standards Committee (JISC) is an ISO member body. The regulatory authority is the Pharmaceuticals and Medical Devices Agency (PMDA); MHLW Ministerial Ordinance No. 169 (the QMS Ordinance) was revised in 2021 to align closely with ISO 13485:2016, with a three-year transition period ending March 25, 2024
  • For the Korean regulatory authority, aligning the requirements of Korean Good Manufacturing Practice (GMP) with ISO 13485:2016 is seen as a step closer to joining the Medical Device Single Audit Program (MDSAP)
  • Russia’s Federal Service for Surveillance in Healthcare (Roszdravnadzor) is known to accept ISO 13485:2016 certification; acceptance of other ISO standards cannot be confirmed. It does not accept market approvals in the US, EU or other countries as a reference for market authorization in Russia
  • Australia’s Standards Australia is a member of ISO, IEC and ICSID. It strongly encourages the use of international standards, except where their use would be ineffective or inappropriate, and does not develop a national Australian standard where an international standard already exists. In 2019 the TGA published the Therapeutic Goods (Conformity Assessment Standard for Quality Management Systems) Order 2019, which lists the applicable conformity assessment standards
  • Brazil’s ANVISA accepts Good Manufacturing Practices (GMP) along with the ISO 13485

FAQs

Can QMS be established solely based on ISO standards?

For countries that do not have their own QMS regulations, the ISO standard can be used as a reference. For countries with established local regulations, and that accepts ISO, both ISO standard and local/national regulations must be considered.

Are ISO standards freely available?

No. ISO standards are purchased from the official ISO website; ISO does, however, offer free read-only previews of standards.

Comparing ISO standards to local regulations, which one takes precedence?

The local or national regulation always takes precedence over the ISO standard.

Can the manufacturer use an older version of an ISO standard for compliance?

No. Manufacturers must make sure they comply with the active or most recent version of the ISO standard. This is not restricted just to ISO standards but applies to National regulations too. Manufacturers must keep their QMS up to date with the latest requirements of the industry. The ideal way to be updated is to refer to the latest version of any Standard or Regulation.


Disclaimer: Regulations/legislations are subjected to changes from time to time and the author claims no responsibility for the accuracy of information.

FDA’s 510(K) Submission Process

A 510(K) premarket notification, submitted under 21 CFR 807 Subpart E, is the route by which a manufacturer obtains FDA clearance to market a medical device, or otherwise commercially distribute it, in the U.S. The review is conducted by FDA’s Center for Devices and Radiological Health (CDRH). A successful 510(K) results in a device being “FDA cleared”, not “FDA approved”; approval is the outcome of the separate Premarket Approval (PMA) pathway.

The manufacturer should work through the step-by-step process below to confirm that a 510(K) is the correct regulatory pathway for the device’s access to the U.S. market.

Step: 01 Decision Criteria Checklist

The assessment checklist helps the manufacturer decide whether it is required to submit an FDA 510(K) application.

510(K) submission required:

  • You are a domestic manufacturer intending to commercially distribute your product in the U.S.
  • You develop the specifications for a finished device and an external firm/contractor manufactures the device to your specifications
  • You are a repackager or relabeler who makes significant changes to the original device label, such as changing label contents, warnings, safety signs or operating conditions, prior to sale
  • You are a foreign manufacturer
  • You are making changes to an existing 510(K)-cleared finished device that could significantly affect its safety or effectiveness
  • You are making changes to the intended use of the device
  • You manufacture accessories for a medical device that are sold directly to the end user as replaceable/serviceable parts

510(K) submission not required:

  • You sell unfinished devices or components to another firm that places the finished device on the market using your components
  • You introduce your finished device for clinical trials only (the device is used in clinical trials and is not commercially distributed)
  • You act as a distributor for a domestically manufactured device and affix only labels indicating “distributor” or “manufacturer” details
  • You are an importer of a foreign-manufactured device that has already been 510(K) cleared
  • Your device is Class I or Class II and is listed among the FDA’s 510(K) and GMP exemptions

Step: 02 Device Classification

The next step toward submission is to verify how the device is classified under the FDA classification regulations. The FDA identifies generic device types and places them in one of three regulatory classes, based on the risk the device poses and the level of control necessary to assure its safety and effectiveness.

Class I Devices Low-Risk Devices – General Controls

  1. 510(K) exempt
  2. Not 510(K) exempt

General Controls apply to every Class I device; the exemption that most Class I device types enjoy is from premarket notification (510(K)), and for some types also from the Quality System regulation, not from General Controls themselves.

Class II Devices Moderate-Risk Devices – General Controls and Special Controls

  1. 510(K) exempt
  2. Not 510(K) exempt

All Class II devices are subject to General and Special Controls; certain Class II device types are exempt from premarket notification, while the rest require a 510(K).

Class III Devices High-Risk Devices – General Controls and Premarket Approval

  1. Premarket Approval (PMA)

Step: 03 Determine if your device is Substantially Equivalent to a Predicate Device

A 510(K) is applicable only for devices that can claim Substantial Equivalence (SE) to a legally marketed predicate device. FDA’s 510(K) decision-making flowchart (not reproduced here) walks through the decision route, ending in one of two outcomes:

“SE” – Substantially Equivalent

“NSE” – Not Substantially Equivalent

Multiple Predicate Devices

In certain cases the manufacturer may identify more than one predicate device (multiple predicates). The primary predicate is the one most similar to the new device in terms of the following factors:

  • Intended Use
  • Indications for use
  • Technological characteristics

The manufacturer is recommended to identify the most appropriate primary predicate device with a well-supported decision document.

Supporting Documents to Claim Substantial Equivalence

To demonstrate that the chosen predicate is the most appropriate one and that the new device is substantially equivalent to it, the 510(K) must include at least the following:

  • Intended Use
  • Indications for Use
  • Technological Characteristics (similarities, differences and whether the differences pose different questions on safety and effectiveness)
  • Performance data to support substantial equivalence (biocompatibility testing, Electrical safety and Electromagnetic Compatibility, Software verification and validation testing, mechanical testing, clinical study, animal study, if applicable)
  • A declaration of conformity to recognised standards applicable to the medical device

Refer to 21 CFR 807.92 for the required content and format of a 510(K) summary.

Step: 04 Determine the Type of 510(K) Submission

Within the 510(K) program there are three types of submission:

  • Traditional 510(K): to introduce a new device into the market for which a predicate device is available
  • Special 510(K): for changes to a manufacturer’s own device that is already on the market and has obtained 510(K) clearance
  • Abbreviated 510(K): when the submission relies on FDA guidance documents, voluntary consensus standards or a demonstration of compliance with special controls for the device type

Step: 05 The 510(K) Submission Process

Step:5.1 FORM FDA 3601 Medical Device User Fee Cover Sheet

Register and make the payment on the FDA user fee website.

Take a printed copy of this user fee cover sheet. This could be the first page of the 510(K).

Step:5.2 FORM FDA 3514 CDRH PREMARKET REVIEW SUBMISSION COVER SHEET

Download form FDA 3514 pdf. This form captures detailed information required for the different types of submissions.

A cover letter and/or the FDA Form 3514 should follow the User fee cover sheet. If FDA Form 3514 is not affixed, then the cover letter should contain all the elements relevant to the submission contained in Form 3514. This will expedite the processing time.

Step:5.3 510(K) Submission Acknowledgement receipt by FDA

If a valid eCopy is submitted and the proper user fee has been paid, the submitter receives an Acknowledgement Letter from the Document Control Center (DCC) by email. The Acknowledgement Letter identifies:

  • the receipt date (the date FDA received the 510(k) submission, a valid eCopy and the proper user fee payment); and
  • the 510(k) number assigned to the submission

Step: 5.4 Document Contents in a 510(K) Submission

Below is the minimum list of contents necessary to be available in 510(K) submission documents.

  • Cover Letter
  • Table of Contents
  • Indications for Use (FDA Form 3881)
  • 510(K) Summary or Statement
  • Truthful and accurate statement as required by 21 CFR 807.87(l)
  • Class III Summary and Certification (to be submitted when claiming equivalence to a Class III device) As per 21 CFR 807.94
  • Financial Certification & Disclosure Statement
  • Declaration of Conformity and Summary Reports
  • Proposed Labelling
  • Sterilization and Shelf Life
  • Biocompatibility
  • Device Specifications    
  • Substantial Equivalence Comparison
  • Software
  • Electromagnetic compatibility and Electrical Safety
  • Performance Data (Summary on Clinical and Non-Clinical data)
  • Additional Requirements
  • Summary

Mode of Submission to FDA – E copies

Under section 745A(b)(1) of the Federal Food, Drug, and Cosmetic Act (FD&C Act) (21 U.S.C. 379k-1), FDA amended its regulations on medical device submissions to remove the requirements for paper copies and multiple copies and replace them with a single submission in electronic format. Electronic-format submissions include eCopies (a submission package written to CD, DVD or flash drive and mailed to FDA) and eSubmissions (a submission package produced with an electronic submission template).

Fees, Exemptions and Waivers

Under the user fee system, medical device companies pay fees to the FDA when they register their establishments and list their devices with the agency, whenever they submit an application or a notification to market a new medical device in the U.S. and for certain other types of submissions.

The MDUFA (Medical Device User Fee Amendments) website lists the fees currently applicable. Payment must be received and processed on or before the date the application is sent. If FDA receives an application without full payment of all required fees, it considers the application incomplete and does not begin its review.

Review Stages

Acceptance Review

  • Acceptance Review is based on FDA’s Refuse to Accept (RTA) policy, a mechanism for a quick administrative check of the 510(K) submission before substantive review begins.
  • At this initial stage the FDA reviewer uses a separate checklist for each submission type (Traditional, Abbreviated and Special) to determine whether the submission meets the minimum threshold for acceptance or is placed on RTA hold.
  • The reviewer evaluates the submission against the acceptance criteria and informs the submitter, within 15 calendar days of receipt, either that it is accepted or which element(s) are missing.
  • FDA’s RTA guidance publishes these checklists to make acceptance decisions consistent and to help submitters understand what information FDA needs in order to conduct a substantive review.

Only if this stage is cleared, the submission gets qualified for the actual Substantive review stage. The reviewer conducting substantive review is the actual Lead reviewer.

Substantive Review

During Substantive Review, the Lead Reviewer conducts a comprehensive review of the 510(k) submission and communicates with the submitter through a Substantive Interaction, which should occur within 60 calendar days of receipt of the 510(k) submission.

Substantive Interaction communication is typically:

  • an email stating that FDA will proceed to resolve any outstanding deficiencies via Interactive Review; or
  • an Additional Information (AI) request which places the submission on hold.

Additional Information (AI) request

If the lead reviewer sends an AI request, then it means the submission is placed on hold. The submitter has 180 calendar days to address the queries from the date of additional information request by FDA reviewer. If the queries are not addressed by the applicant within this time span, then 510(K) submission is deleted from the FDA database and the applicant will need to submit a new 510(K) to pursue the FDA market clearance process.

 The submitter must submit the response, with a valid eCopy, to the DCC. The response should:

  • include the submitter’s name;
  • list the 510(k) number;
  • identify the submission as Additional Information (AI) to the 510(k);
  • list the date of FDA’s request for additional information; and
  • provide the requested information in an organized manner.

Interactive Review

If the Lead Reviewer chooses to continue with an Interactive Review, the Lead Reviewer has determined that any outstanding deficiencies can be adequately addressed within the timeframe set by the Medical Device User Fee Amendments of 2012 (MDUFA III) performance goal for a 510(k) (90 FDA days), and the submission will not be placed on hold. The Lead Reviewer communicates with the submitter during the Interactive Review using tools such as:

  • Email
  • Telephone Call

During Interactive Review, the Lead Reviewer may request additional information from the submitter, who may send it either directly to the Lead Reviewer or to the Document Control Center (DCC). Note: any information submitted to the DCC during Interactive Review must include a valid eCopy.

Timeline – An overview of 510(K) Submission

  • Day 1: FDA receives the 510(K) submission
  • Day 7: FDA sends the acknowledgement letter, or a Hold letter if there are issues (for example a missing eCopy or user fee)
  • Day 15: FDA completes the Acceptance Review and informs the applicant whether the submission proceeds to Substantive Review or is placed on RTA hold
  • Day 60: FDA completes the Substantive Review and communicates the next step (Interactive Review or an Additional Information request)
  • Day 90: FDA sends the final MDUFA decision letter

Step:06 Final 510(K) Decision Letter

MDUFA Decisions for 510(k) submissions include findings of substantially equivalent (SE) or not substantially equivalent (NSE).

When a decision is made, FDA will issue the decision letter to the submitter by email to the email address provided in the 510(k) cover letter.

  • A 510(k) that receives an SE decision is considered “cleared.”
  • FDA adds the cleared 510(k) to the 510(k) database, which is updated weekly.
  • The IFU and the summary will be sent as attachments to the SE letter. The IFU will not be signed since it is considered an attachment to the SE letter. Therefore, the signature on the SE letter will apply to both the letter and the IFU.

If FDA does not reach an MDUFA decision within 100 FDA days (i.e., 10 days after the MDUFA goal), FDA will issue a Missed MDUFA Communication, which is written feedback to the submitter to be discussed in a meeting or teleconference, including the major outstanding review topic areas or other reasons that are preventing FDA from reaching a final decision, with an estimated date of completion.

510(K) decision-making flow chart
