510(k) Means Substantial Equivalence…Unless Your Device Has SoftwareOctober 7, 2014
In our previous posts (here and here) regarding FDA’s approach to cybersecurity in medical devices we noted that, while neither FDA nor industry was aware of any actual intentional, malevolent software breaches that led to patient harm, FDA seemed to be enforcing the draft guidance by refusing to accept at least one 510(k) submission that did not contain documentation demonstrating the cybersecurity of the device. We also noted that FDA does not seem concerned with applying the substantial equivalence review standard, since it will now be requiring software devices to contain substantially more information than the predicate devices. (Of course, it is not uncommon for FDA to require a new 510(k) to meet a standard to which the predicate was not held.)
FDA has now finalized the guidance, and while some of the language has changed, the intent and ultimate impact on device manufacturers has not. Regardless of what the predicate device had to show, moving forward, FDA will expect to see substantial documentation of a firm’s cybersecurity considerations, including a hazard analysis, list of all cybersecurity risks considered, list and justification for all cybersecurity controls established, and a “traceability matrix” linking the risks considered to the controls implemented. The takeaway message is this: be sure that you can adequately address any and all risks considered, no matter how remote, because they all must be provided to FDA and accounted for in the software design, even if they are not accounted for in the predicate.
Fear not: while substantial equivalence for software devices fades into distant memory, at least the guidance states that FDA will not typically need to review software changes made solely to strengthen cybersecurity. So, go forth and strengthen cybersecurity—but be careful about making any other changes to the software; those may well require review.