Leading up to October 1, 2023, when the FDA Refuse to Accept (RTA) policy will be in full effect, Medcrypt is publishing a series of 4 new blogs around FDA Guidance Readiness. First, discover what you should know about the FDA review process from Naomi Schwartz, Medcrypt Senior Director of Cybersecurity Quality and Safety.
The Food and Drug Administration (FDA) has rigorous medical device submission processes to ensure the safety and effectiveness of medical devices. The preparation and resources required to complete these submissions can vary based on the class and complexity of the device. If submissions are documented appropriately and sufficiently, the submission process can be straightforward and lead to timely commercial launch. Conversely, if the FDA deems the submission insufficient and requests further evidence or documentation, the process can become drawn out and ultimately result in a costly delay in getting the device to market.
Prior to submitting to the FDA, the device manufacturer needs to determine which regulatory class the device falls under: class I, class II or class III. Class I (low to moderate risk) and Class II (moderate to high risk) represent the vast majority of medical devices regulated by the FDA and require a 510(k) submission unless exempted (most Class I devices and some Class II devices). Whether or not the device type is exempted, regardless of classification, the manufacturer is required to register their establishment and list the generic category or classification name (Registration and listing information is submitted by using FDA’s Unified Registration and Listing System (FURLS)/ Device Registration and Listing Module (DRLM)).
High risk devices and especially those medical devices that sustain or support life, or are implanted, are considered to be Class III (high risk) devices and require a more in-depth assessment through a Pre-Market Approval (PMA). Devices that are first of kind and don’t have an existing predicate device on the market are automatically considered Class III devices. However, if the product has a lower risk profile it may qualify for the De Novo pathway instead of requiring a PMA. See examples of device classifications in table below:
The duration of the submission review process differs based on the type of submission the device requires, but can take anywhere from 90–180 FDA days and allow the manufacturer up to 180 days to respond to requests for additional information. The process is fundamentally the same and includes the following milestones: submission, submission acceptance (or rejection), substantive review, interactive review questions to manufacturer, formal additional information requests and final FDA decision. Each type of submission may include different sub-steps that may include: responses, meetings, inspections, amendments, re-submissions.
Perhaps most critical to note — there are cybersecurity considerations that span all types of FDA submissions. Cybersecurity considerations have received more scrutiny in recent years, as cyber attacks across the healthcare industry are becoming more frequent and more complex. Due to these recent trends, the FDA has issued new final guidance on the Refuse to Accept (RTA) Policy relating to cybersecurity in medical devices, specifically for “Cyber Devices” as defined in the newly-amended FD&C Act in Section 542B. With this final guidance, the FDA is alerting manufacturers that FDA is now requiring medical device manufacturers to take greater responsibility in securing their devices and will start refusing to review filings that are incomplete.
With the inclusion of software on nearly all medical devices, explicitly calling out cybersecurity expectations is intentional, as security has consistently proven inadequate when positioned as an afterthought. Those organizations that embed cybersecurity into their device development process have the highest success rate to build, and sustain security over the lifetime of a device — which also enables demonstrating critical criteria for the regulatory approval process.
This concludes part 1 of Medcrypt’s 4-part blog series on FDA Readiness. Stay tuned this month for more on Refuse to Accept (RTA), eSTAR, and setting your organization up for success. Looking for help preparing for FDA submissions, see what Medcrypt can do for your team.
Subscribe to get more FDA Submission Readiness content. Medcrypt provides medical device cybersecurity products and services that meet regulatory guidance requirements. Schedule a meeting with us at info@medcrypt.com and learn more about our solutions.
April 24, 2024
April 11, 2024
.png)
March 28, 2024
Get the latest healthcare cybersecurity news right in your inbox.
We'll never spam you or sell your information
