Breaking news! The FDA just released new guidance on the refusal to accept (RTA) policy for cybersecurity devices.
Where can I find the new cybersecurity devices guidance?
The new guidance is titled “Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices and Related Systems Under Section 524B of the FD&C Act,” and you can download a copy of the PDF directly from our website. This is the first time the FDA has created a definition for a “cyber device,” but this guidance is specific to the refusal to accept (RTA) policy rather than guidance for the format and content of a pre-market notification (i.e., 510k). If you want to learn about new guidance documents as they are released, we recommend that you sign up for FDA email notifications.
What is a “cyber device” in the context of this cybersecurity devices guidance and submissions?
This new guidance defines “cyber device” using the following language:
includes software validated, installed, or authorized by the sponsor as a device or in a device;
has the ability to connect to the internet; and
contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.
What does “refusal to accept” (RTA) mean?
“Refusal to accept” (RTA) is a policy that the FDA implemented for pre-market notification submissions (i.e., 510k) in 2012. The process occurs during the first 15 calendar days of the FDA review process. The FDA assigns a preliminary reviewer to perform the RTA screening of the submission, and that person completes an RTA checklist. For FDA eSTAR templates, the FDA substitutes a technical screening for the RTA screening, and this is one of the reasons why Medical Device Academy uses the FDA eSTAR templates for all 510k submissions and De Novo classification requests instead of using the older 510k format and content requirements with 20 sections.
When will the FDA begin rejecting submissions during the RTA processes?
The FDA states directly in the guidance document that they will not reject submissions for cybersecurity for the balance of FY 2023 (i.e., before October 1, 2023). The wording used by the FDA is: “The FDA generally intends not to issue “refuse to accept” (RTA) decisions for premarket submissions for cyber devices that are submitted before October 1, 2023, based solely on information required by section 524B of the FD&C Act. Instead, the FDA will work collaboratively with sponsors of such premarket submissions as part of the interactive and/or deficiency review process.” We believe the FDA will update the eSTAR template to include requirements for cybersecurity on October 1, 2023. It will not be possible to submit a 510k that does not include the cybersecurity requirements in future eSTAR templates, because the eSTAR automatically verifies the completion of each section in the template.
Will there be another cybersecurity guidance released soon?
The FDA announced last October that a new cybersecurity guidance would be replacing the 2014 final guidance for cybersecurity. A draft was released in 2018, and an updated draft was released in 2022. The final updated guidance is included in the A-list of FDA priorities for final guidance documents, but the updated final version has not been released yet. The FDA webpage for cybersecurity was updated to include this new guidance on RTA policy for cybersecurity devices. We believe this indicates that the updated final version will be released soon. When it is released, we will publish a new blog about that guidance.
This article uses a case study example to explain how to determine the correct regulatory pathway for your medical device through the US FDA.
Every consultant likes to answer this type of question with the answer, “It depends.” Well, of course, it depends. If there was only one answer, you could google that question, and you wouldn’t need to pay a regulatory consultant to answer the question. A more useful response is to start by asking five qualifying questions:
Does your product meet the definition of a device?
What is the intended purpose of your product?
How many people in the USA need your product annually?
Is there a similar product already on the market?
What are the risks associated with your product?
The first question is important because some products are not regulated as medical devices. If your product does not diagnose, treat, or monitor a medical condition, then your product may not be a device. For example, the product might be considered a general wellness product or clinical decision support software. In addition, some products have a systemic mode of action, and these products are typically categorized as a drug rather than a device–even if the product includes a needle and syringe.
The intended purpose of a product is the primary method used by the US FDA to determine how a product is regulated. This also determines which group within the FDA is responsible for reviewing a submission for your product. The US regulations use the term “intended use” of a device, but the decision is based upon the “indications for use” which are more specific. To understand the difference, we created a video explaining the difference.
Even regulatory consultants sometimes forget to ask how many people need your product annually, but population size determines the regulatory pathway. Any intended patient population of fewer than 8,000 patients annually in the USA is eligible for a humanitarian device exemption, a special regulatory pathway with pricing constraints. A market that small may also mean that there are no similar products on the market.
If similar products are already on the US market, determining the regulatory pathway is much easier. We can look up the competitor product(s) in the FDA’s registration and listing database. In most cases, you must follow the same pathway your competitors took, and the FDA database will tell us your regulatory pathway.
If all of the products on the US market have different indications for use, or the technological characteristics of your product are different from other devices, then you need to categorize your product’s risks. For low-risk devices, general controls may be adequate. For medium-risk devices, special controls are required by the FDA. For the highest-risk devices, the FDA usually requires a clinical study, a panel review of your clinical data, and pre-market approval.
This article will use the example of bipolar forceps used with an electrosurgical generator as a case study.
What is the US FDA regulatory pathway for your device?
The generic term used for regulatory authorization is “approval,” but the US FDA reserves this term for Class 3 devices with a Premarket Approval (PMA) submission. The reason for this is that only these submissions include a panel review of clinical data to support the safety and effectiveness of the device. Approval is limited to ~30 devices each year, and approximately 1,000 devices have been approved through the PMA process since 1976 when the US FDA first began regulating medical devices.
Most Class 2 devices are submitted to the FDA as Premarket Notifications or 510k submissions. This process is referred to as “510k clearance,” because clinical data is usually not required with this submission and there is no panel review of safety and effectiveness data. A 510k was originally planned as a rare pathway that would only be used by devices that are copies of other devices that are already sold on the market. However, the 510k pathway became the de facto regulatory pathway for 95+% of devices that are sold in the USA.
For moderate and high-risk devices that are intended for rare patient populations (i.e., <8,000 patients per year in the USA), the humanitarian device exemption process is the regulatory pathway.
Class 1 devices typically do not require a 510k submission, most of these devices are exempt from design controls, and some are exempt from quality system requirements. These devices still require listing on the FDA registration and listing database, but there is no review of the device by the FDA to ensure you have correctly classified and labeled Class 1 devices.
How do you find a predicate for your 510k submission?
As stated above, one of the most critical questions is, “Is there a similar product already on the market?” For our example of bipolar forceps, the answer is “yes.” There are approximately 169 bipolar forceps that have been 510k cleared by the FDA since 1976. If you are developing new bipolar forceps, you must prepare a 510k submission. The first step of this process is to verify that a 510k submission is the correct pathway and to find a suitable competitor product to use as a “predicate” device. A predicate device is a device that meets each of the following criteria:
it is legally marketed in the USA
it has indications for use that are equivalent to your device
the technological characteristics are equivalent to your device
There are two search strategies we use to verify the product classification of a new device and to find a suitable predicate device. The first strategy is to use the free, public databases provided by the FDA. Ideally, you instantly think of a direct competitor that sells bipolar forceps for electrosurgery in the USA (e.g., Conmed bipolar forceps). You can use the registration and listing database to find a suitable predicate in this situation. First, you type “Conmed” into the database search tool for the name of the company, and then you type “bipolar forceps” in the data search tool for the name of the device.
If you are unaware of any competitor products, you will need to search using the product classification database instead. Unfortunately, this approach will return no results if you use the terms “bipolar” or “forceps.” Therefore, you will need to be more creative and use the word “electrosurgical,” which describes a larger product classification that includes both monopolar and bipolar surgical devices that have many sizes and shapes–including bipolar forceps. The correct product classification is seventh out of 31 search results.
The most significant disadvantage of the FDA databases is that you can only search each database separately. The search is also a boolean-type search rather than using natural language algorithms that we all take for granted. The second strategy is to use a licensed database (e.g., Basil Systems).
Searching these databases is more efficient, and the software provides additional information that the FDA website does not offer, such as a predicate tree, review time, and the models listed under each 510k number. Examples are provided below:
What does the predicate tree look like for the predicate device you selected?
I’m glad I don’t need to manually enter the 510k review time for 2,263 devices to create the above graph.
Wouldn’t having the model numbers for every device identified in the US FDA listing database be nice?
Another advantage of the Basil Systems software is that the database is lightning-fast, while the FDA is a free government database (i.e., not quite as fast).
How do you create a regulatory pathway strategy for medical devices?
The best strategy for obtaining 510k clearance is to select a predicate device that has the indications for use that you want and that was recently cleared by the FDA. Therefore, you will need to review FDA Form 3881 for each of the potential predicate devices you find for your device. In the case of the bipolar forceps, there are 169 devices to choose from, but FDA Form 3881 is not available for 100% of those devices because the FDA database only displays FDA Form 3881 and the 510(k) Summary for devices cleared since 1996. Therefore, you should select a device cleared by the FDA in the past ten years unless there are no equivalent devices with a recent clearance.
In addition to identifying the correct product classification code for your device and selecting a predicate device, you will also need to develop a testing plan for the verification and validation of your device. For electrosurgical devices, there is an FDA special controls guidance that defines the testing requirements and the content required for a 510k submission. Once you develop a testing plan, you should confirm that the FDA agrees with your regulatory strategy and testing plan in a pre-submission meeting.
Which type of 510k submission is required for your device?
There are three types of 510k submissions:
Special 510k – 30-day review target timeline
Abbreviated 510k – 90-day review target timeline (requires summary reports and use of recognized consensus standards)
Traditional 510k – 90-day review target timeline
The Special 510k pathway is intended for minor device modifications from the predicate device. However, this pathway is only available to your company if your company also submitted the predicate device. Originally, a Special 510k was only permitted for modifications that require the review of one functional area. However, the FDA recently completed a pilot study evaluating if more than one functional area could be reviewed. The FDA determined that up to three functional areas could be reviewed. However, the FDA decides whether they can complete the review within 30 days or if you need to convert your Special 510k submission to a Traditional submission. Therefore, you should also discuss the submission type with the FDA in a pre-submission meeting if you are unsure whether the device modifications will allow the FDA to complete the review in 30 days.
In 2019 the FDA updated the guidance document for Abbreviated 510k submissions. However, this pathway requires that the manufacturer use recognized consensus standards for the testing, and the manufacturer must provide a summary document for each test report. The theory is that abbreviated reports require less time for the FDA to review than full test reports. However, if you do not provide sufficient information in the summary document, the FDA will place your submission on hold and request additional information. This happens for nearly 100% of abbreviated 510k submissions. Therefore, there is no clear benefit for manufacturers to take the time to write a summary for each report in the 510k submission. This also explains why less than 2% of submissions were abbreviated type in 2022.
The traditional type of 510k is the most common type of 510k submission used by manufacturers, and this is the type we recommend for all new device manufacturers.
It’s a common misconception that FDA De Novo content is very different from FDA 510k submission content, but is that true?
What do you think the De Novo content differences are?
Most people think the difference between a 510k and a De Novo is time and money. That conclusion is based upon a very important assumption: a 510k will not require clinical data, and a De Novo will require clinical data. That assumption is not always correct. 10-15% of 510k submissions include clinical data to support the performance claims, and last year our team submitted three De Novo submissions that did not include any clinical data. So what are the differences in content between a 510k and a De Novo?
We use the same FDA eSTAR template for both types of FDA submissions, and on the first page of the eSTAR template, we identify if the submission is a 510k or De Novo. If we select De Novo, the eSTAR will be pre-populated with six unique De Novo content requirements covering four (4) different areas that are not found in a 510k. The six unique content requirements are:
Recommending a classification, providing a justification for that classification, and explaining what efforts were taken to identify a suitable 510k product code
Description of existing alternative practices or procedures used in diagnosing, treating, preventing, curing, or mitigating the disease or condition for which the IVD or device is intended
Providing a written benefit/risk analysis starting with the clinical benefits of your device
Efforts to identify a potential predicate (including identifying alternative practices, procedures, or even drugs)
Recommendations for FDA special controls for your new product code based upon the risks to health and the mitigation measures for each risk
What alternative practices and procedures are currently available?
The unique De Novo content requirement is to provide a description of alternative practices and procedures for treatment or diagnosis of the same indications that you are proposing for your subject device. This is a subsection of the device description section in the FDA eSTAR template. Your description should include other 510k-cleared products, drugs, and even products that have similar indications but are not identical. The description of alternative practices and procedures must also be attached as a document in the section for benefits, risks, and mitigation measures. To maintain consistency throughout your submission, you should create the document for attachment first and copy and paste the content into the text box at the end of the device description section.
You need to recommend a classification in your De Novo
The unique De Novo content requirement is found in a section titled “Classification.” There is a shorter classification section included in 510k submissions, but the 510k version only has four cells. The first three are populated by selecting one of the options from a dropdown menu, and the fourth cell is only used if your subject device includes other product classification codes.
The De Novo version of the eSTAR is identical for the first row of the classification section, but then you must select a proposed product classification (i.e., Class 1 or Class 2) in accordance with FDA Classification Procedures (i.e., 21 CFR 860). The third cell is a text box for you to enter your justification for the proposed classification. Next, the FDA requires you to enter a proposed classification name. Finally, at the end of the classification section, the FDA requires that you provide a classification summary or reference to a previous NSE 510k submission.
A benefit-risk analysis is required in the De Novo content
For new devices, the FDA uses a benefit-risk analysis to decide if a device should be authorized for marketing in the USA. This process includes humanitarian device exemptions, De Novo applications, and Premarket Approval submissions. The FDA has a guidance document that provides guidance for FDA reviewers and the industry. The most important aspect is to begin with the benefits of the device and to provide a quantitative comparison of benefits and risks. Many De Novo submissions have been rejected because the submitter did not provide objective evidence of clinical benefits for the subject device.
The FDA guidance documents are helpful for creating a benefit-risk analysis, but you can also find information in the ISO/TIR 24971:2020–the guidance for the application of ISO 14971:2019. Our company also includes a template for a benefit/risk analysis as part of our risk management procedure (i.e., SYS-010).
What are your recommended Special Controls?
FDA De Novo Classification Decision Summaries include a table that lists the identified risks to health and the recommended mitigation measures for each risk category. In the FDA eSTAR, you are required to add a similar table for De Novo content. The only difference between the table in the summary and the eSTAR is that the eSTAR table has a third column where the FDA wants you to reference the supporting data provided for each mitigation measure–including the document and page within the document. The FDA also provided an example table in the eSTAR, copied below.
The above table for the risks to health and mitigations needs to be translated into a list of recommended Special Controls for Class II devices. Since most De Novo applications are for Class II devices, you will need to convert each of your mitigations into a corresponding Special Control and type these controls into the text box provided in the FDA eSTAR.
What else is different from a 510k?
There are no additional mandatory elements that you need to include in a De Novo application, but there are several elements of a 510k submission that are not included in a De Novo. The most obvious of these sections is the Substantial Equivalence Comparison Table in the section labeled “Predicates and Substantial Equivalence.” Another difference is that you are more likely to need clinical data to support a De Novo application than for a 510k submission. It is also possible that subsequent 510k submissions for the same product code may not need to provide clinical data because the 510k process only requires a demonstration of substantial equivalence rather than clinical benefits outweighing risks to health. The FDA review time for a Traditional 510(k) varied between 190 and 210 days in 2022, while the De Novo review timeline averaged 390 days in 2022. Finally, the FDA user fees for 510k submissions are far less than those for a De Novo application.
Best human factors questions to ask the FDA during a pre-submission meeting, and what information content do you need in a 510k?
Human factors questions to ask the FDA?
The FDA did not start enforcing the requirement to apply human factors and usability engineering to medical device design until 2017 because the final version of the human factors guidance document was not released until February 3, 2016. Approximately ninety percent of the human factors testing reports submitted to the FDA in 510k pre-market submissions are deficient because the 510k submission content only includes the final summative testing report. The FDA needs a complete usability engineering file, and the human factors information needs to comply with FDA guidelines for the format and content of a 510k pre-market submission–not just IEC 62366-1:2015.
What human factors information does the FDA want?
For several years, FDA submission deficiency letters indicated that you should not include the frequency of occurrence in your estimation of use-related risks. Still, the FDA never provided this information in a guidance document. On December 9, 2022, the FDA finally released a draft human factors guidance regarding the format and content of a 510k pre-market submission. The new draft guidance includes a use-related risk analysis (URRA) requirement in table 2 (copied below).
In this new draft FDA guidance, the FDA identifies three different human factors submission categories. For the first category, only a conclusion and high-level summary are needed. For the second category, a user specification is also needed. For the third category, you need a comprehensive human factors engineering report with the following elements described in Section IV of the draft FDA guidance:
Submission Category 1, 2, and 3
Conclusion and high-level summary
Submission Category 2 and 3
Descriptions of intended device users, uses, use environments and training
Description of the device-user interface
Summary of known use problems
Submission Category 3 only
Summary of preliminary analyses and evaluations
Use-related risk analysis to analyze hazards and risks associated with the use of the device
Identification and description of critical tasks
Details of validation testing of the final design
Before spending tens of thousands or hundreds of thousands of dollars on human factors testing, you want to ensure the FDA agrees with your human factors testing plan. Otherwise, you will pay for the testing twice: once for your initial submission and a second time in your response to the FDA request for additional information to address deficiencies. Testing can cost more than your electrical safety testing. The facility needs the right equipment and space for the testing; you need support personnel to set up the equipment; you need to recruit participants; you need to compensate participants; and you need device samples.
When can you ask the FDA human factors questions?
The FDA cannot provide consulting advice on a submission, and the agency will not review data during pre-submission meetings. The FDA can provide feedback on protocols, specifications, and scientific justifications. Therefore, you should submit questions to the FDA in a pre-submission when you have a draft protocol, a draft specification, or a draft justification for why a task is not critical. Pre-submissions are “non-binding.” You can change your design and approach to human factors. Therefore, don’t wait until your information is 100% finalized. Share your documentation at the draft stage during the development phase and before your design freeze. You need these answers when you are planning a study and obtaining quotes.
What are the best human factors questions to ask in a pre-sub?
In the FDA guidance for pre-submission meetings, the FDA provides suggested questions to ask:
Does the Agency have comments on our proposed human factors engineering process?
Is the attached use-related risk analysis plan adequate? Does the Agency agree that we have identified all the critical tasks?
Does the Agency agree with our proposed test participant recruitment plan for the human factors validation testing?
The above examples are only suggestions, but the best approach is to provide a brief example of what the human factors information will look like and ask the FDA to comment on the examples. The FDA does not have time to review data during a pre-sub meeting, but the FDA can review a few rows extracted from your URRA and comment on your proposed approach to the human factors process.
Human factors questions that are not appropriate
The FDA pre-submission guidance cautions you to ask only 3-4 questions for each meeting request because the FDA has difficulty answering more questions in a 60-minute teleconference. Therefore, you should not ask questions already answered in the FDA guidance. The new draft guidance includes examples of when a device modification can leverage existing human factors information and when new information is needed to support a premarket submission. Instead of asking a question specific to leveraging existing human factors information, provide your rationale for leveraging existing data and ask if the FDA has any concerns with your overall approach to human factors.
Recommended human factors action items
Create a procedure for your human factors process that includes detailed instructions for creating the information required in a usability engineering report and templates for each document.
Learn why you need to start with software validation documentation before you jump into software development.
When do you create software validation documentation for a medical device or IVD?
At least once a week, I speak with the founder of a new MedTech company that developed a new software application as a medical device (SaMD). The founder will ask me to explain the process for obtaining a 510(k), and they want help with software validation documentation. Many people I speak with have never even heard of IEC 62304.
Even though they already have a working application, usually, validation documentation has not even been started. Although you can create all of your software validation documentation after you create a working application, certain tasks are important to perform before you develop software code. Jumping into software development without the foundational documentation will not get your device to market faster. Instead, you will struggle to create documentation retroactively, and the process will be slower. In the end, the result will be a frustrating delay in the launch of your device.
What are the 11 software validation documents required by the FDA?
In 2005 the FDA released a guidance document outlining software validation documentation content required for a premarket submission. There were 11 documents identified in that guidance:
What the FDA guidance fails to explain is that some of these documents need to be created before software development begins, or your software validation documentation will be missing critical design elements. Therefore, it is important to create a software development plan that schedules activities that result in those documents at the right time. In contrast, four of the eleven documents can wait until your software development is complete.
Which of the software validation documents can wait until the end?
The level of concern only determines what documents the FDA wants to review in a submission rather than what documents are needed for a design history file. In fact, the level of concern (LOC) document is no longer required as a separate document in premarket submissions using the FDA eSTAR template because the template already incorporates the questions that document your LOC. The revision level history document is simply a summary of revisions made to the software during the development process, and that document can be created manually or automatically at the end of the process, or the revision level history can be a living document that is created as changes are made. The traceability matrix can also be a living document created as changes are made, but its only purpose is to act as a tool to provide traceability from hazards to software requirements, to design specifications, and finally to verification and validation reports. Other software tools, such as Application Lifecycle Management (ALM) Software, are designed to ensure the traceability of every hazard and requirement throughout the entire development process. Finally, unresolved anomalies should only be documented at the time of submission. The list may be incomplete until all verification and validation testing is completed, and the list should be the shortest at the time of submission.
What documentation will be created near the end of development?
The software design specification (SDS) is typically a living document until your development process is completed, and you may need to update the SDS after the initial software release to add new features, maintain interoperability with software accessories, or change security controls. The SDS cannot begin, however, until you have software requirements and the basic architecture defined. The verification and validation activities are discrete documents created after each revision of the SDS and must therefore be one of the last documents created–especially when provided to the FDA as a summary of the verification and validation efforts.
Which validation documents do you need first?
At the beginning of software development, you need a procedure(s) that defines your software development process. That procedure should have a section that explains the software development environment–including how patches and upgrades will be controlled and released. If you don’t have a quality system procedure that defines your development process, then each developer may document their coding and validation activities differently. That does not mean that you can’t improve or change the procedure once development has begun, but we recommend limiting the implementation of a revised procedure when making major software changes and discussing how revisions will be implemented for any work that remains in progress or has already been completed.
When do the remaining software validation documents get created?
The remaining four software validation documents required for a premarket submission to the FDA are:
Software description
Software hazard analysis
Software requirements specification (SRS)
Architecture design chart
Your development process will be iterative, and therefore, you should be building and refining these four documents iteratively in parallel with your software code. At the beginning of your project, your design plan will need a brief software description. Your initial software description needs to include the indications for use, a list of the software’s functional elements, and the elements of your user specification (i.e., intended patient population, intended users, and user interface). If you are using lean startup methodology, the first version of your device description will be limited to a minimal viable product (MVP). The target performance of the MVP should be documented as an initial software requirements specification (SRS). This initial SRS might only consist of one requirement, but the SRS will expand quickly. Next, you need to perform an initial software hazard analysis to identify the possible hazards. It is important to remember that software hazards are typically hazardous situations and are not limited to direct physical harm. For each potential hazard you identify in your hazard analysis, you will need a software requirement to address each hazard, and each requirement needs to be added to your SRS. As your software becomes more complex by adding software features, your device description needs to be updated. As you add functions and requirements to your software application, your SRS will need updates too. Finally, your development team will need a tool to track data flow and calculations from one software function to the next. That tool is your architecture design chart, and you will want to organize your SRS to match the various software modules identified in your architecture diagram. This phase is iterative and non-linear, you will always have failures, and typically a team of developers will collaborate virtually. Maintaining a current version of the four software documents is critical to keeping your development team on track.
How do you perform a software hazard analysis?
One of the most important pre-requisite tasks for software developers is conducting a hazard analysis. You can develop an algorithm before you write any code, but if you start developing your application to execute an algorithm before you perform a software hazard analysis, you will be missing critical software requirements. Software hazard analysis is different from traditional device hazard analysis because software hazards are unique to software. A traditional device hazard analysis consists of three steps: 1) answering the 37 questions in Annex A of ISO/TR 24971:2020, 2) systematically identifying hazards by using Table C1 in Annex C of ISO 14971:2019, and 3) reviewing the risks associated with previous versions of the device and similar competitor devices. A software hazard analysis will have very few hazards identified from steps 1 and 2 above. Instead, the best resource for software hazard analysis is IEC/TR 80002-1:2009. You should still use the other two standards, especially if you are developing software in a medical device (SiMD) or firmware, but IEC/TR 80002-1 has a wealth of tables that can be used to populate your initial hazards analysis and to update your hazard analysis when you add new features.
How do you document your hazard analysis?
Another key difference between a traditional hazard analysis and a software hazard analysis is how you document the hazards. Most devices use a design FMEA (dFMEA) to document hazards. The dFMEA is a bottom-up method for documenting your risk analysis by starting with device failure modes. Another tool for documenting hazards is a fault tree diagram.
A fault tree is a top-down method for documenting your risk analysis, where you identify all of the potential causes that contribute to a specific failure mode. Fault tree diagrams lend themselves to complaint investigations because complaint investigations begin with the identification of the failure (i.e., complaint) at the top of the diagram. For software, the FDA will not allow you to use the probability of occurrence to estimate risks. Instead, software risk estimation should be limited to the severity of the potential harm. Therefore, a fault tree diagram is generally a better tool for documenting software risk analysis and organizing your list of hazards. You might even consider creating a separate fault tree diagram for each module of your software identified in the architecture diagram. This approach will also help you identify the potential impact of any software hazard by looking at the failure at the top of the fault tree. The higher the potential severity of the software failure, the more resources the software team needs to apply to developing software risk controls and verifying risk control effectiveness for the associated fault tree.
The FDA CCP keeps getting better. Now, you can request small business determination (SBD) online through the FDA CDRH portal.
Preparing your FDA eSubmission for the FDA CCP
There are three possible formats for an FDA eSubmission to the FDA CCP for CDRH: 1) FDA eCopy, 2) FDA eSTAR, and 3) Small Business Determination (SBD) Request. We explain each in sequence below:
FDA eCopy:
The FDA eCopy is no longer an acceptable format for a 510k submission. You must use the FDA eSTAR template for a 510k submission. In contrast, pre-submission meeting minutes and withdrawal letters require an FDA eCopy. An FDA eCopy is also required for Sprints (i.e., pre-sub variation for Breakthrough devices and STeP devices). For a De Novo Submission and 513(g) submissions, you have the option of using the FDA eSTAR or the FDA eCopy (BUT use the FDA eSTAR or PreSTAR respectively). Here are the preparation steps:
Confirm your eSTAR is complete. There are three ways to know that your eSTAR is complete and ready for upload, but don’t worry too much. The FDA validated that the FDA CCP will automatically detect an incomplete eSTAR and will not allow it to be uploaded.
Bold Font at the top of the eSTAR or PreSTAR template is Green
All of the color-coded bars on the left side of the template are Green or Grey
All of the sections of the template in the verification section are found on the left side
Small Business Determination Request:
The ability to upload your small business qualification documents as an eSubmission instead of sending a hardcopy via courier is a new feature enabled by the FDA on Saturday night (i.e., September 29, 2024). Confirm your eCopy complies with FDA’s eCopy guidance.
FDA CCP step-by-step uploading process
When you are uploading a submission to the FDA CCP (i.e., CDRH Customer Collaboration Portal), you must perform the following steps:
#1 Sign in to the portal on the login page. If you don’t already have your own account, you can Sign up in less than 5 minutes.
#2 Accept the FDA User Terms and Conditions
#3 You have three options once you accept the FDA user terms and conditions. One option is to check on the status of prior eSubmissions on the Home page. Your second option is to send a new FDA eCopy or FDA eSTAR. For this second option you click on the “+” symbol on the left panel of the webpage (if you hover over the “+” symbol, you will see “Send a submission”) or you can expand the left panel as I have done in the picture below. The third option (i.e., the newest FY2025 option) is to create a request for small business determination (i.e., SBD).
#4 If you selected “Send a submission” you can upload your FDA eCopy or FDA eSTAR. The top of the page has the following instructions “Send your submission before 16:00 ET on a business day for us to process it the same day. Once you send a submission through the portal, you do not need to physically ship any copies to FDA. The online process replaced the physical process.”
#5 Click on the “Next” button that appears below the selection formats once a format is selected.
#6 Drag & drop your single “.zip” file here, or browse for it.
#7 The webpage will ask you for a short description of your submission. The company name and type of submission is sufficient [e.g., “Medical Device Academy – presubmission meeting minutes (i.e., Q24xxxx.A001)”]. Click on “Send” button to complete the uploading process.
#8 Verify that the FDA CCP site gives you a confirmation for the successful uploading of your submission. I always create a screen capture of the confirmation page once I hit send. That is unnecessary, but it is faster to insert in an email to your boss. You will receive an email seconds later.
The process is identical for the FDA eSTAR, but you DO NOT need to zip an FDA eSTAR or PreSTAR.
Starting a Small Business Determination (SBD) Request
The third type of submission for the FDA CCP is a small business determination. This new option was enabled last Saturday night (i.e., September 28, 2024)….what a thoughtful birthday present from the FDA to me. Just click on the document icon beneath the plus sign. The website will take you to the “Create a request” page where you can begin your SBD request. Before you start this process, you will need to prepare some documents: #1 Tax return for the most recent tax year #2 Organization ID number (watch our YouTube Video)
July 2022 Update for the FDA eCopy process (FDA CCP is launched!)
Finally, we can use the new FDA CCP to eliminate FedEx shipments, and 100% of your submissions will be electronic through the portal. The FDA created a Customer Collaboration Portal (CCP) for medical device manufacturers. Initially, the portal’s purpose was to provide a place where submitters could track the status of their submissions and verify the deadlines for each stage of the submission review process. On July 19, 2022, the FDA emailed all active FDA CCP account holders that they can upload both FDA eCopy and FDA eSTAR files to the portal 100% electronically. The FDA released a draft eSTAR guidance as well. Since our consulting team sends out submissions daily, everyone on the team was able to test the new process. If you have a CCP account, you no longer need to ship submissions via FedEx to the Document Control Center (DCC).
FDA Q&A about the new FDA CCP Submission Uploading Process
Medical Device Academy Question: Who will be permitted to use the FDA CCP to upload submissions for the DCC? FDA Response: We will first offer this feature in batches to people like you who already use CCP so we can study its performance. We will then refine it and make it available to all premarket submitters.
Medical Device Academy Question: What do you need to use the FDA CCP? FDA Response: You don’t need to do anything to participate since you already use CCP. We will email you again when you can start sending your next submissions online.
Medical Device Academy Question: Suppose another consultant asks me to submit an eSTAR or eCopy for them, or I do this for a member of my consulting team. Is there any reason I cannot upload the submission using my account even though the other person is the official submission correspondent and their name is listed on the cover letter? FDA Response: The applicant and correspondent information of the submission is still used when logging the submission in. The submitter (i.e., the person uploading the submission) is not used in any part of the log-in process. The submission portal is essentially replacing snail mail only; once the DCC loads the submission, whether it be from a CD or an online source, the subsequent process is identical to what it used to be, for now.
Medical Device Academy Question: Is there any type of eCopy that would not be appropriate for this electronic submission process (e.g., withdrawal letters, MAF, or breakthrough device designations)? FDA Response: You can use the eCopy option to submit anything that goes to the DCC, so all your examples are fair game, though interactive review responses would still be emailed to the reviewer.
Medical Device Academy Question: How can I get help from the FDA? FDA Response: If you have questions, contact us at CCP@fda.hhs.gov.
On April 8, 2022, the FDA released a new draft cybersecurity guidance document to replace the 2018 draft that the industry does not support.
Why was the draft cybersecurity guidance created?
Due to the ubiquitous nature of software and networked devices in the medical industry, the impact of cybersecurity attacks is becoming more frequent and more severe. The WannaCry Ransomware Attack is just one example of this global cybersecurity issue. The FDA is responding to the need for stronger cybersecurity controls by issuing a new draft cybersecurity guidance for 2022.
The first four paragraphs of the introduction explain why we need this, and WannaCry is mentioned in the second paragraph of the background section. This new guidance is only a draft, but this is the FDA’s third attempt at regulating the cybersecurity of medical devices. The first guidance was finalized in 2014. That’s the 9-page guidance we currently have in effect. The guidance mentions risk 11 times and there is no mention of testing requirements or a bill of materials (BOM). The 2018 draft guidance (24-pages) met with resistance from the industry for a lot of reasons. One of the reasons mentioned by Suzanne Schwartz in an interview is the inclusion of a cybersecurity bill of materials (CBOM). The industry felt it would be too burdensome to disclose all of the hardware elements that are related to cybersecurity. Therefore, the FDA rewrote the 2018 draft and released a new draft on April 8, 2022 (49-pages).
You might have expected the FDA to soften its requirements in the face of resistance from industry, but the new draft does not appear to be less robust. It is true that the CBOM was replaced by a software bill of materials (SBOM). However, the SBOM must be electronically readable and it must include:
the asset(s) where the software resides;
the software component name;
the software component version;
the software component manufacturer;
the software level of support provided through monitoring and maintenance from the software component manufacturer;
the software component’s end-of-support date; and
any known vulnerabilities.
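To make "electronically readable" concrete, the following added example (not taken from the FDA draft or from Medical Device Academy) checks each component of an SBOM for the seven elements listed above and flags components that are past end-of-support or carry known vulnerabilities. The JSON layout and field names are assumptions made for this sketch, not SPDX or CycloneDX, and the sample SBOM is constructed.

```python
import json
from datetime import date

# Hypothetical field names, one per element the draft guidance lists.
# The page does not prescribe a schema; these keys exist only for this example.
REQUIRED_FIELDS = {
    "assets": "asset(s) where the software resides",
    "name": "software component name",
    "version": "software component version",
    "manufacturer": "software component manufacturer",
    "support_level": "level of support from the component manufacturer",
    "end_of_support": "component end-of-support date",
    "known_vulnerabilities": "any known vulnerabilities",
}

# Constructed sample SBOM; no real device, vendor or vulnerability is described.
SAMPLE_SBOM = """
{
  "device": "Example Infusion Controller (constructed)",
  "components": [
    {"assets": ["main-board firmware"], "name": "examplertos",
     "version": "4.2.1", "manufacturer": "Example RTOS Vendor",
     "support_level": "actively maintained",
     "end_of_support": "2030-12-31", "known_vulnerabilities": []},
    {"assets": ["companion tablet app"], "name": "exampletls",
     "version": "1.0.2", "manufacturer": "Example TLS Project",
     "support_level": "no longer maintained",
     "end_of_support": "2019-12-31",
     "known_vulnerabilities": ["EXAMPLE-VULN-0001"]},
    {"assets": [], "name": "examplejson", "version": "",
     "manufacturer": "Example JSON Project", "support_level": "community",
     "end_of_support": "31/12/2026"}
  ]
}
"""


def check_component(component, today):
    """Return a list of findings for one SBOM component entry."""
    findings = []
    for field in REQUIRED_FIELDS:
        if field not in component:
            findings.append(f"missing:{field}")
            continue
        # An empty vulnerability list is a valid statement ("none known");
        # every other element must actually carry a value.
        if field != "known_vulnerabilities" and not component[field]:
            findings.append(f"empty:{field}")

    eos = component.get("end_of_support")
    if eos:
        try:
            eos_date = date.fromisoformat(eos)  # expects YYYY-MM-DD
        except (TypeError, ValueError):
            findings.append("bad-date:end_of_support")
        else:
            if eos_date < today:
                findings.append("past-end-of-support")

    if component.get("known_vulnerabilities"):
        findings.append("has-known-vulnerabilities")
    return findings


def audit_sbom(text, today):
    """Parse an SBOM document and map each component label to its findings."""
    sbom = json.loads(text)
    report = {}
    for index, component in enumerate(sbom.get("components", [])):
        label = f"{component.get('name') or 'component'}#{index}"
        report[label] = check_component(component, today)
    return report


if __name__ == "__main__":
    # A fixed reference date keeps the output reproducible.
    for label, findings in audit_sbom(SAMPLE_SBOM, date(2024, 1, 1)).items():
        print(label, "->", findings or "complete")
```

The check treats a missing `known_vulnerabilities` key differently from an empty list: the first means the element was never assessed, the second is an explicit statement that none are known.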
You can be sure that the medical device industry will view providing an SBOM as a hefty burden. After all, a machine-readable SBOM is more complex than UDI labeling requirements. An SBOM will not fit on the “Splash Screen” for anyone’s software application. Companies may provide documentation through the company website with a link in their software to that information. The format of the information could be in the “Manufacturer Disclosure Statement for Medical Device Security (MDS2).” However, MDS2 is a 349-line item Excel spreadsheet to be used as a checklist (i.e. quite a bit longer than the GUDID data elements spreadsheet), and it took the FDA eight years to complete the transition for the UDI Final Rule (i.e. 2013 – 2021).
The 2018 draft cybersecurity guidance document from the FDA required a cybersecurity bill of materials (CBOM). CBOM was defined as “a list that includes but is not limited to commercial, open source, and off-the-shelf software and hardware components that are or could become susceptible to vulnerabilities.” Therefore, the FDA’s change from a CBOM to an SBOM eliminated the requirement to disclose the hardware components. Despite the change in disclosure requirements, manufacturers will still be expected to monitor potential hardware vulnerabilities to cybersecurity attacks. It should also be noted that the language in the PATCH Act (a new bill submitted to the House of Representatives and to the Senate for ensuring the cybersecurity of medical devices) specifically requires manufacturers “to furnish a software bill of materials as required under section 524B (relating to ensuring the cybersecurity).”
Structure of the draft cybersecurity guidance
The 2022 draft cybersecurity guidance organizes the requirements into four major principles:
cybersecurity as part of device safety and the quality system regulations
designing for security
transparency
submission documentation
The draft cybersecurity guidance recommends the implementation of a Secure Product Development Framework (SPDF). However, there is not much detail provided in the guidance for a SPDF. In the past, this type of process was referred to as a Secure Software Development Lifecycle (i.e. Secure SDLC). However, in February 2022, the NIST Computer Security Resource Center (CSRC) released version 1.1 of the Secure SDLC guidance which is now titled “Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities.” This document provides guidance on the implementation of best practices for reducing the risk of software vulnerabilities because existing standards for managing the software development lifecycle do not explicitly address software security (e.g. IEC 62304-1:2015). The SSDF recommends implementing a core set of high-level secure software development practices that can be integrated into your SDLC process. Your software development team will also require cybersecurity training.
Design for security is the second principle of the draft cybersecurity guidance
Under this new draft cybersecurity guidance, the FDA will be evaluating the cybersecurity of devices based on the ability of the device to provide and implement the following security objectives:
Authenticity, which includes integrity;
Authorization;
Availability;
Confidentiality; and
Secure and timely updatability and patchability.
Transparency of cybersecurity information is for users
The draft cybersecurity guidance seeks to give device users more information pertaining to the device’s cybersecurity controls, potential risks, and other relevant information. This information will be in the form of an SBOM that is electronically readable. This information shall include disclosure of 1) known vulnerabilities or risks, 2) information to securely configure and update devices, and 3) communication interfaces and third-party software.
In addition to providing an SBOM, the FDA draft cybersecurity guidance includes requirements for cybersecurity labeling in section VI(A). There are 15 specific labeling requirements identified by the FDA for sharing with device users to improve the transparency of cybersecurity information. The first of these requirements is recommendations from the manufacturer for cybersecurity controls appropriate for the intended use environment (e.g., antimalware software, use of a firewall, password requirements). This first labeling requirement is identical to the 2018 draft guidance. Several of the other requirements are copied from the 2018 draft guidance, but others are new and/or reworded cybersecurity labeling requirements.
FDA Submission Documentation Requirements
The 2022 FDA draft cybersecurity guidance includes requirements for FDA submission documentation. Submission documentation must include a security risk management plan and report. The draft cybersecurity guidance explains on page 13 (numbered 9) that “performing security risk management is a distinct process from performing safety risk management as described in ISO 14971:2019.” Therefore, instead of using your safety risk management process, your software development team will need to have a different risk management process for software security. Details on the content for security risk management plans and reports can be found in AAMI TIR57:2016 – Principles for medical device security—Risk management. Appendix 2 also provides guidance for the inclusion of a) call flow diagrams, and b) information details for an architecture view.
Cybersecurity testing requirements for your FDA submission
The biggest impact of this new draft guidance may be the requirement for testing. The 2014 guidance has no testing requirement, the 2018 draft guidance mentioned testing 5 times in a few bullet points, but this new draft guidance mentions testing 43 times. The testing requirements for cybersecurity risk management verification include:
Security requirements
Threat mitigation
Vulnerability testing
Penetration testing
This guidance also includes a paragraph with multiple bullets of requirements for each of the four types of testing. This would essentially double the size and scope of the current software section for a 510k submission, and manufacturers will need to create new procedures and templates for their cybersecurity risk management process. For example, penetration testing requirements include the following elements:
Independence and technical expertise of testers,
Scope of testing,
Duration of testing,
Testing methods employed, and
Test results, findings, and observations.
Differences between the cybersecurity guidance documents
The following table provides a high-level overview comparing the four cybersecurity guidance documents released by the FDA, including the 2016 guidance on post-market management of cybersecurity:
Vulnerability management plans
The FDA draft cybersecurity guidance document also has a requirement for manufacturers to develop a plan for identifying and communicating vulnerabilities to device users after the release of the device. The FDA requires this plan to be included in your device submission. The vulnerability management plan should include the following information (in addition to the requirements of the 2016 guidance for postmarket cybersecurity management):
Personnel responsible;
Sources, methods, and frequency for monitoring for and identifying vulnerabilities (e.g. researchers, NIST NVD, third-party software manufacturers, etc.);
Periodic security testing to test identified vulnerability impact;
Timeline to develop and release patches;
Update processes;
Patching capability (i.e. rate at which update can be delivered to devices);
Description of their coordinated vulnerability disclosure process; and
Description of how manufacturer intends to communicate forthcoming remediations, patches, and updates to customers.
What’s the next step for the draft cybersecurity guidance?
In March the “Protecting and Transforming Cyber Health Care Act of 2022 (PATCH Act)” was introduced to the House of Representatives and the Senate. The goal of the PATCH Act is to enhance medical device security by requiring manufacturers to create a cybersecurity risk management plan for monitoring and addressing potential postmarket cybersecurity vulnerabilities. The FDA seeks comments on the draft cybersecurity guidance through July 7, 2022. Given the support of the new bill in the House of Representatives and Congress, it is likely that the FDA will get the support it needs for this new guidance.
Before you complete FDA forms for your 510k submission, you need to make sure you have the most updated FDA forms.
How do you know if the FDA form you are using is current?
The FDA assigns numbers to each FDA form and the document control number is found in the bottom left footer of the document. In addition, the top right-hand header of the document will have an expiration date for the form (see the picture below). Often the changes to FDA forms are minor, but you should only submit the current version of the FDA form which has not expired.
What happens if you are using an expired FDA form?
In the past, if you included an obsolete document in your submission the FDA would often ignore this and proceed with the review of your submission anyway. Now FDA reviewers will identify the obsolete form and require you to resubmit the document on the current version of the form. If the reviewer is conducting an initial Refusal to Accept (RTA) screening, and one of the required items in the RTA screening is identified, then you will receive an RTA Hold letter and the RTA checklist will include a comment that you have used an obsolete version of an FDA Form.
If there are no deficiencies identified in the RTA checklist, the reviewer may still send you an email asking you to submit the document on the correct form. This could be a formal amendment (e.g. K123456/A001) or it could be as an informal email of the corrected document. This type of request could also be identified after the substantive review is complete in the form of a comment in an Additional Information (AI) Request or as part of an Interactive Review Request. An AI Request must be responded to with a formal supplement submitted to the Document Control Center (DCC) as a supplement to the original submission (e.g. K123456/S001) or as an informal amendment submitted by email.
Examples of updated FDA forms for your 510k submission
Expired forms are frequently submitted to the FDA because submitters are using templates that have not been properly maintained or the submitter modified a form that was submitted in a previous 510k submission. The most common examples include: FDA Form 3514 (i.e. Submission Coversheet), FDA Form 3881 (i.e. Indications for Use), and the RTA Checklist.
Where can you find updated FDA forms?
Recently one of our clients noticed that the 510k template folder we share with people that have purchased our 510k course included obsolete templates for Financial Disclosure. There are three financial disclosure forms that can be used for a 510k submission or De Novo Classification Request:
FDA Form 3454, Certification: Financial Interest and Arrangements of Clinical Investigator (PDF)
FDA Form 3455, Disclosure: Financial Interest and Arrangements of Clinical Investigators (PDF)
FDA Form 3674, Certification of Compliance, under 42 U.S.C. § 282(j)(5)(B), with Requirements of ClinicalTrials.gov (PDF)
We normally update these FDA forms as soon as the new form is released, but these financial disclosure forms are only used in about 10-15% of 510k submissions.
The current version of most FDA forms can usually be found by simply conducting an internet search for the form using your favorite browser. However, sometimes you may find a copy of the document that was edited by a consultant to facilitate completion of the document as an unsecured PDF or Word document. Although this is convenient, you should not use these “bastardized” forms. You should use the original secured form provided by the FDA. These native forms require Adobe Acrobat to complete the form and save the content. The most current version of the FDA form can be found using the FDA’s Form search tool.
Editing and Signing FDA Forms
Most of the FDA forms are secured and you can only enter information in specific locations. If there is a location for a signature, usually the signature cannot be added in Adobe to the secured form. In these situations, our team will save the document as a “Microsoft Print PDF” format. Once the document has been saved in this “non-native” format, you can manipulate almost anything in the document. Then we will add signatures using the “Fill and Sign” tool in Adobe Acrobat or we will use the “Edit” tool. Editing also gives us the ability to make corrections when the document has incorrect information filled in the form somewhere.
Another option for adding dates and signatures is for you to save the document as a non-secure PDF. Then using an electronic signature software tool like Docusign, you can request that another person add their electronic signature or you can add your own electronic signature. Some companies prefer to do this to ensure the electronic signature meets 21 CFR Part 11 requirements, but the FDA accepts scanned images of a signature that was added to the document without certification in a 510k submission. This is even true for the Truthful and Accuracy Statement for a 510k. That document can be attached as a PDF in an FDA eSTAR template or you can electronically sign the eSTAR template if the person preparing the eSTAR is also the person signing the Truthful and Accuracy Statement.
Tips and Tricks for maintaining templates
Our company is a consulting firm, and we do not have a formal document control process that would be typical of our clients. However, we do have a shared Dropbox folder where we maintain the most current version of 510k templates. Any obsolete versions we move to an archive folder. However, there are ways to improve this informal system. You can include a date of the document in the file name. For example, “Vol 4 001_Indications for Use (FDA Form 3881) rvp 2-7-2022.” This indicates that this file is the FDA Form 3881 which is the indications for use form used in Volume 4 of the 510k submission. The document is the first document in that volume. The date the form was revised and saved is February 7, 2022 and the author’s initials are “rvp.”
If you are saving 510k templates you might consider adding an expiration date to the file name. For example, “Vol 4 001_Indications for Use (FDA Form 3881) exp 06-30-2023.” This file name indicates that the form’s expiration date is June 30, 2023. The inclusion of an expiration date in the file name is a visual reminder of when you will need to search for an updated FDA form.
A third way to manage your FDA Forms is to include them in your documents of external origin. ISO 13485:2016, Clause 4.2.4, requires that you maintain control of documents of external origin. Therefore, if your company has a formal quality system, a list or log of documents of external origin is the best way to manage FDA forms. Your log should indicate the date the updated FDA form was created, any parent guidance documents should be cross-referenced, and the expiration date of the FDA form should be identified. By using a log of this type, you can sort the list by expiration date or by the date of creation if there is no expiration date identified. Sorting the list will help your team prioritize which documents need to be reviewed next for new and revised versions.
Additional 510k submission resources
The FDA will be updating the 510k guidance for the new FDA eSTAR template by September 2022. Medical Device Academy will be systematically updating all of our templates and training webinars related to preparation of 510k submissions. We will also be preparing for the transition from FDA eCopy submissions to electronic submissions via a Webtrader Account.
You can keep up-to-date on template revisions in one of two ways:
Purchase our 510k course, and you will receive access to the updated templates as they are created. We will send email notifications each time a template is updated.
Register for our New Blog email subscription for automated email notifications of when a new blog is released about updated FDA forms, templates, and webinars.
Register for our New Webinar email subscription for automated email notifications of when a new or revised webinar is scheduled and for email notification of our newest live streaming YouTube videos.
I hated the FDA eSubmitter template which was discontinued May 30, 2021. Finally we have eSTAR draft guidance for the new eSTAR template. Note: the final FDA eSTAR guidance was released on October 2, 2023 and we published a new blog the day of release.
History of 510k electronic submissions
The FDA has experimented with a multitude of pilot 510k submission programs over the years to streamline and improve the 510k submission content, formatting, and to facilitate a faster review process. The Turbo 510k program was one of the first successful pilot programs. In 2012, I wrote one of my first blogs about how to improve the 510k process. In September 2018, the FDA launched the “Quality in 510k Review Program Pilot” for certain devices using the eSubmitter electronic submission template. The goal of this pilot program was to enable electronic submissions instead of requiring manufacturers to deliver USB flash drives to the FDA Document Control Center (DCC). I hated the eSubmitter template, and the FDA finally discontinued availability of the eSubmitter template on May 30, 2021. During the past 15 years, the FDA gradually streamlined the eCopy process too. Originally we had to submit one complete hardcopy, averaging 1,200 pages per submission, and one CD containing an electronic “eCopy.” Today, the current process involves a single USB flash drive and a 2-page printed cover letter, but today’s eCopy must still be shipped by mail or courier to the DCC.
eSTAR Pilot Program is Launched
During the 15-year evolution of the FDA eCopy, CDRH was trying to develop a reliable process for electronic submissions of a 510k. CBER, the biologics division of the FDA, has already eliminated the submission of eCopy submissions and now 100% of biologics submissions must be submitted through an electronic submissions gateway (ESG). In February 2020, CDRH launched a new and improved 510k template through the electronic Submission Template And Resource (eSTAR) Pilot Program. The eSTAR templates include benefits of the deceased eSubmitter template, but CDRH has incorporated additional benefits:
the templates use Adobe Acrobat Pro instead of a proprietary application requiring training;
support for images and messages with hyperlinks;
support for creation of Supplements and Amendments;
availability for use on mobile devices as a dynamic PDF;
ability to add comments to the PDF; and
the content and logic mirrors checklists used by CDRH reviewers.
Medical Device Academy’s experience with the eSTAR Templates
Every time the FDA has released a new template for electronic submissions we have obtained a copy and tried populating the template with content from one of our 510k submissions. Unfortunately, all of the templates have been slower to populate than the Word document templates that our company uses every day. On May 16 we conducted an internal training for our team on the eSTAR submission templates, and we published that training as a YouTube Video (see embedded video below). Then nine days later the FDA released updates to the eSTAR templates (version 0.7). The new eSTAR templates are available for non-IVD and IVD products (ver 0.7 updated May 27, 2021).
Sharon Morrow submitted our first eSTAR template to the FDA in August and we experienced no delays with the 510k submission during the initial uploading to the CDRH database, there was no RTA screening process, and CDRH did not identify any issues during their technical screening process. Sharon’s first eSTAR submission is now in interactive review, which is a better outcome than 95%+ of our 510k submissions. I have several other eSTAR submissions that are almost ready to submit as well. The other 510k consultants on our team are also working on their first eSTAR submissions.
Finally the CDRH releases an FDA eSTAR draft guidance
On September 29, 2021 the FDA released the new eSTAR draft Guidance for 510k submissions. This is a huge milestone because there have not been any draft guidance documents created for pilot programs. The draft indicates that the comment period will last 60 days (i.e. until November 28, 2021). However, the draft also states that the guidance will not be finalized until a date for requiring electronic submissions (i.e. submission via an ESG) is identified. The draft indicates that this will be no later than September 30, 2022. Once the guidance is finalized, there will be a transition period of at least one year where companies may submit via an ESG or by physical delivery to the FDA DCC.
Are there any new format or content requirements in the FDA eSTAR draft guidance?
There are no new format or content requirements in the eSTAR draft guidance, but the eSTAR template itself has several text boxes that must be filled in with summary information that is not specified in the guidance for format and content of a 510k. The information requested for the text boxes is a brief summary of non-confidential information contained in the attachments of the submission. Therefore, these boxes can contain information that would normally be in the overview summary documents that are typically included at the beginning of each section of a 510k. If your overview documents do not already have this information, then you may have some additional work to do in order to complete the eSTAR templates. An example of one of these text boxes is provided below:
Another example of additional content required by the eSTAR templates is references to page numbers. Normally the FDA reviewer has to search the submission for information that is required in their regulatory review checklist. In the new templates the submitter is now asked to enter the page numbers of each attachment where specific information can be found. The following is an example of this type of request for a symbols glossary:
Are there any changes to the review timelines for a 510k in the eSTAR draft guidance?
The eSTAR draft guidance indicates that a technical screening will be completed in 15 calendar days instead of conducting an RTA screening. I believe that the technical screening is less challenging than the RTA screening, but the FDA has not released a draft of the technical screening criteria or a draft checklist. I would imagine that the intent was to streamline the process and reduce the workload of reviewers performing a technical screening, but we only have guesses regarding the substance of the technical review and so far our performance is 100% passing (i.e. 1 of 1). The next step in the 510k review process is a substantive review. Timelines for the substantive review are not even mentioned in the new draft guidance, but the FDA usually has the review clock details in Table 1 (MDUFA III performance goals) and Table 2 (MDUFA IV performance goals) of the FDA guidance specific to “Effect on FDA Review Clock and Goals.” In both tables, the goal is 60 calendar days, and our first eSTAR submission completed the substantive review in 60 days successfully. The 180-day deadline for responding to an additional information (AI) request has not changed in the eSTAR draft guidance, but our first submission is now in interactive review. I believe this suggests that companies may have a higher likelihood of having an interactive review with their CDRH lead reviewer instead of being placed upon AI Hold, but we won’t have enough submissions reviewed by the FDA to be sure until the end of Q1 2022.
Register for our new webinar on the FDA eSTAR draft guidance
We hosted a live webinar on Thursday, October 21, 2021 @ Noon EDT. The webinar was approximately 37 minutes in duration. In this webinar we shared the lessons learned from our initial work with the eSTAR template. Anyone that registers for our webinar will also receive a copy of our table of contents template that we updated for use with the eSTAR templates. Unlike a 510k eCopy, an eSTAR template does not require a table of contents but we still use a table of contents to communicate the status of the 510(k) project with our clients. Finally, we reviewed the eSTAR draft guidance in detail. If you would like to receive our new eSTAR table of content template and an invitation to our live webinar, please complete the registration form below.
About the Instructor
Rob Packard is a regulatory consultant with ~25 years of experience in the medical device, pharmaceutical, and biotechnology industries. He is a graduate of UConn in Chemical Engineering. Rob was a senior manager at several medical device companies—including the President/CEO of a laparoscopic imaging company. His Quality Management System expertise covers all aspects of developing, training, implementing, and maintaining ISO 13485 and ISO 14971 certifications. From 2009 to 2012, he was a lead auditor and instructor for one of the largest Notified Bodies. Rob’s specialty is regulatory submissions for high-risk medical devices, such as implants and drug/device combination products for CE marking applications, Canadian medical device applications, and 510(k) submissions. His favorite part of the job is training others. He can be reached via phone at +1.802.258.1881 or by email. You can also follow him on YouTube, LinkedIn, or Twitter.
How much a 510k costs is the most common question I receive from customers.
There are three parts to the 510k cost of submission:
Testing
Submission Preparation
FDA User Fees
The highest cost is testing
The testing cost is the most significant cost, and I think the average is around $100K for our clients. For devices that consist only of software (i.e., software as a medical device or SaMD), the testing costs are less, but the cost of documenting your software validation and cybersecurity will be more extensive than the cost of preparing your 510k and the FDA user fee. The more you can do in-house, the lower the testing costs will be. Biocompatibility testing for a non-invasive device might be only $13,000, but a long-term implant can cost as much as $100,000 for implantation studies. Sterilization validation testing depends upon the method of sterilization and whether you are doing a single-lot method or a full validation. Typical costs for EO sterilization validation are around $15,000, and then you should add several thousand more for the shelf-life testing.
For devices that are powered and/or have software, you will need to perform software validation in accordance with IEC 62304 ed 1.1 (2015). There are also five FDA guidance documents that apply:
You can do all of the software validation in-house, but some firms outsource the software validation. In the long term, you need to learn this, and it pays to hire an expert in IEC 62304 to help your team learn how to document software validation if you have not done this before. Typically, software validation documentation will be between 300 and 1,000 pages long.
Electrical safety and EMC testing are often the most expensive part of the testing process for our customers. EMC testing should always be done first to ensure you can pass the immunity and emissions testing. If you must modify the device to pass the EMC testing, you must repeat any electrical safety testing. The total cost of this testing is typically $50-60K.
Performance testing is the last part of the testing process. Performance testing should be performed on sterile and aged products if your product requires sterility and claims a shelf-life. Most of the testing is benchtop testing only to demonstrate performance. This includes simulated use testing (e.g., summative usability testing), cadaver testing, and computer modeling. Benchtop performance testing typically takes tens of thousands of dollars to complete, but you might be able to do the testing in-house. If animal testing is required, this typically costs around $100K. Finally, if a human clinical study is required (i.e., ~10% of 510k submissions), you should expect to spend between $250K and $2.5 million. Some simple clinical studies (e.g., IR thermometers) cost less than $100K, but these resemble benchtop performance testing in many ways.
The second highest cost is the cost of submission preparation
Medical Device Academy has two different options for preparation consulting fees. Your first option is hourly consulting fees. The second option is a flat fee. As of July 2023, we are charging $3,500 for pre-submission preparation and $17,500 for 510k submission preparation.
The first option is to avoid the FDA altogether and submit to a third-party reviewer. We only recommend one third-party reviewer (i.e., Regulatory Technology Services), because the other companies do not have sufficient experience to have predictable review times and positive outcomes. The typical RTS third-party review cost is 6% more than the FDA Standard fee.
The second option is to submit directly to the FDA. The standard user fee for FDA review of a 510k is $21,760 for FY 2024.
The third option is to apply for small business status. For companies that have annual revenues of less than $100 million USD, the FDA will grant you small business status. For companies with small business qualifications, the FDA user fee is reduced to $5,440.
Reduce 510k cost by applying for small business status
Any medical device company with revenues of less than $100 million annually can apply, but you must apply each year. There is no application fee, but you must complete FDA Form 3602 if you are a US firm. The form must be completed for each subsidiary too. FDA Form 3602A must be completed for foreign firms, and the national tax authority must verify the accuracy of your income statement on the form to submit it to the FDA. If your national tax authority refuses to sign the form, you can justify it, but I don’t know anyone who has done this yet. The qualification review by the FDA requires 60 days. Therefore, you should apply every year in August for the next fiscal year (October 1, 2023 – September 30, 2024, is FY 2024). The form will request that you include your Organization ID #. A Dun & Bradstreet Number (DUNS #) is also required if your firm is located outside the USA. Finally, you need to attach a copy of your tax return. Therefore, you must file your tax return–even if your firm had a loss or had no revenues. You can also use R&D tax credits in the USA or Canada if you are a start-up device company developing a new device.
About the Author
Rob Packard is a regulatory consultant with 25+ years of experience in the medical device, pharmaceutical, and biotechnology industries. He is a graduate of UConn in Chemical Engineering. Robert was a senior manager at several medical device companies—including the President/CEO of a laparoscopic imaging company. His Quality Management System expertise covers all aspects of developing, training, implementing, and maintaining ISO 13485 and ISO 14971 certifications. From 2009 to 2012, he was a lead auditor and instructor for one of the largest Notified Bodies. Robert’s specialty is regulatory submissions for high-risk medical devices, such as implants and drug/device combination products for CE marking applications, Canadian medical device applications, and 510(k) submissions. His favorite part of the job is training others. He can be reached via phone at 802.258.1881 or by email. You can also follow him on Google+, LinkedIn, YouTube, or Twitter.