© 2017 The Texas Lawbook.
(Dec. 7) – With the overwhelming growth of medical devices connected to the “internet of things,” the Food and Drug Administration has scrutinized the accompanying cybersecurity risks and design issues closely and has issued a variety of guidance documents in recent years.
For example, the FDA in 2014 focused its guidance on cybersecurity threats during the research and development phase of a medical device’s life cycle. And in 2016, the agency expanded its focus and provided draft guidance concerning how medical device makers should monitor, identify and address cybersecurity vulnerabilities after introducing devices into the marketplace.
On Sept. 6, 2017, the FDA released its final guidance on Design Considerations and Premarket Submission Recommendations for Interoperable Medical Devices. Although the guidance is not binding, it provides medical device manufacturers with direction and recommendations with respect to design considerations when developing interoperable medical devices, as well as recommendations regarding information to include in premarket submissions and device labeling.
The FDA’s guidance highlights several issues that medical device manufacturers should consider in order to provide reasonable assurance that their connected devices are safe and effective. These issues include: (1) designing systems with interoperability as an objective (i.e., the ability to exchange and make use of information); (2) conducting appropriate verification, validation and risk management activities; and (3) specifying the relevant functional, performance and interface characteristics in a “user available” manner such as labeling. As set forth below, the FDA’s guidance discusses two main areas to help manufacturers provide appropriate safety and effectiveness: design implications and premarket submissions.
During the design process itself, the FDA recommends that manufacturers take into account the following issues associated with electronic interfaces that are incorporated into medical devices: (1) the purpose of the electronic interface and the types of data exchanges taking place; (2) the anticipated users and how the device will be used; (3) risk management related to the device, the network to which it is connected and other interfaced devices; (4) verification and validation of the device; (5) labeling considerations that are necessary to ensure predictable and safe connectivity; and (6) use of consensus standards related to interoperability.
The FDA’s guidance includes specific questions and concerns to consider in each of these six areas. For instance, there are more than a dozen different questions to consider when determining the purpose of a device’s electronic interface, including the need for time synchronization, the clinical context for the use of information exchanged in the interface, and the functional and performance requirements of the device as a result of the exchanged information. With regard to risk management considerations, the guidance advises manufacturers to consider, among other things, whether implementation and use of an electronic interface degrades the basic safety controls of the device. And when preparing device labeling, the FDA guidance suggests that manufacturers consider the best way to provide information regarding the intended use and accompanying risks of the device based on the device’s anticipated users and risk analysis.
The FDA’s guidance also includes recommendations for manufacturers preparing premarket submissions. In short, the FDA recommends that manufacturers address each of the six issues mentioned above when preparing premarket submissions.
For example, the premarket submission should discuss any electronic interfaces found in the device, the purpose of each interface and the anticipated users of the interface. Manufacturers should also highlight whether the device is intended to exchange information with other devices, along with what information would be exchanged and how.
With respect to labeling considerations in a premarket submission, the FDA’s recommendations include providing information regarding the device’s electronic interface; instructions on how to use the device as it was intended; any limitations of the device’s connectivity; and precautions, warnings and contraindications.
In addition to these items, there may be a number of other things to include to ensure that the labeling complies with the requirements of 21 CFR parts 801 and 809, which address the regulatory requirements for medical device labeling. (For more on labeling, see FDA Guidance: Labeling—Regulatory Requirements for Medical Devices.)
The guidance does recognize that manufacturers “may need up to 60 days to perform activities to operationalize the policies within the guidance.” As such, if the FDA receives a premarket submission before or up to 60 days after the publication of its guidance, it does not intend to ask for the new information highlighted in the guidance document. It will, however, review the information if it is submitted.
Ultimately, the FDA’s primary concerns are that connected medical devices are able to safely exchange and use information and that patients and medical device operators are able to safely use interoperable medical devices. Although the information contained in the guidance is not an exhaustive summary of the issues that should be considered by manufacturers, it does provide a detailed starting point in this rapidly growing and changing area.
© 2017 The Texas Lawbook. Content of The Texas Lawbook is controlled and protected by specific licensing agreements with our subscribers and under federal copyright laws. Any distribution of this content without the consent of The Texas Lawbook is prohibited.
If you see any inaccuracy in any article in The Texas Lawbook, please contact us. Our goal is content that is 100% true and accurate. Thank you.