US FDA Updates Cybersecurity Guidelines to Align with QMSR Shift and ISO 13485 Standards


The U.S. FDA Revamps Medical Device Cybersecurity Guidance in Light of New Regulations

The U.S. Food and Drug Administration (FDA) has reissued its final guidance on medical device cybersecurity, marking a significant shift as the agency transitions from the Quality System Regulation (QSR) to the Quality Management System Regulation (QMSR).

This revised guidance was published on February 4, days after the QMSR took effect. The updated document incorporates regulatory references and aligns its cybersecurity expectations with the updated quality system framework set forth in 21 CFR Part 820, which now incorporates ISO 13485 by reference.

The FDA clarified that these revisions to its cybersecurity guidance were made under Level 2 guidance procedures.

“These revisions were enacted under Level 2 guidance procedures (21 CFR 10.115(g)(4)), alongside amendments to 21 CFR 820 (the Quality Management System Regulation),” the agency affirmed.

Notably, this updated guidance supersedes the earlier document titled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions,” which was issued in June of the previous year.

Throughout the amended FDA cybersecurity guidance, references to the obsolete QSR have been substituted with the current QMSR terminology.

Furthermore, the guidance consistently references ISO 13485, underscoring its pivotal role in the revised regulatory landscape aimed at harmonizing U.S. standards with those of international regulatory bodies.

QMSR Framework Reshapes FDA Cybersecurity Guidance and Quality System Expectations

The QMSR, which took effect on February 2, modifies the current good manufacturing practice (CGMP) requirements articulated under 21 CFR Part 820. Initially authorized under section 520(f) of the Federal Food, Drug, and Cosmetic Act (FD&C Act), these CGMP requirements were first codified in 1978.

The first major revisions occurred in 1996, when the FDA integrated design controls to foster better alignment with global standards, including ISO 9001 and early iterations of ISO 13485.

With the QMSR, the FDA has now officially incorporated ISO 13485:2016—“Medical Devices – Quality Management Systems – Requirements for Regulatory Purposes”—and Clause 3 of ISO 9000:2015, which delineates the fundamentals and vocabulary of quality management systems.

This strategy aims to promote uniformity in quality system mandates across international markets while alleviating regulatory burdens for manufacturers.

The QMSR is applicable to manufacturers of finished devices intending to distribute medical devices commercially within the United States.

A finished device, as defined in 21 CFR 820.3(a), encompasses any device or accessory deemed suitable for use or capable of functioning, irrespective of its packaging, labeling, or sterilization.

Certain components, such as blood tubing and diagnostic x-ray elements, qualify as finished devices when utilized as accessories and are, therefore, subject to QMSR mandates.

While some devices may be exempt from CGMP requirements in accordance with classification regulations in 21 CFR Parts 862 through 892, such exemptions do not absolve manufacturers from obligations related to complaint handling or recordkeeping.

Moreover, devices produced under an investigational device exemption are not exempt from design and development prerequisites as articulated in 21 CFR 820.10(c) of the QMSR or their corresponding ISO 13485 stipulations.

FDA Cybersecurity Guidance Emphasizes QMSR-Based Design, Risk, and Inspection Changes

The revised FDA cybersecurity guidance emphasizes that documentation reflecting adherence to the QMSR can effectively address cybersecurity risks, providing a solid assurance of both safety and efficacy.

The agency directs sponsors to particular ISO 13485 clauses to support this approach. For instance, the FDA stated that “21 CFR 820.10(c) mandates that for all classes of devices utilizing software, manufacturers must comply with the Design and Development requirements in Clause 7.3 and its subsequent subclauses of ISO 13485.”

The guidance brings attention to ISO 13485 Subclause 7.3.7, which stipulates that design and development validation must ensure that a product can meet its specified application or intended use. “Design and development validation also encompasses the validation of device software,” the agency noted.

Additionally, the FDA referenced Subclause 7.1 of ISO 13485, which specifies that organizations are required to document one or more processes for risk management within product realization, an expectation closely linked to cybersecurity risk controls.

In this update, the FDA has removed a significant section of the previous guidance that elaborated on former QSR design control provisions, including mandates under 21 CFR 820.30(c) and (d) concerning design inputs and outputs. Consequently, these provisions no longer appear in the updated FDA cybersecurity guidance.

The shift to the QMSR has also changed how the FDA conducts inspections. As of February 2, the agency stopped using the Quality System Inspection Technique (QSIT) and began conducting inspections under the updated Compliance Program 7382.850, Inspection of Medical Device Manufacturers.

Concurrently, the FDA has withdrawn Compliance Programs 7382.845 and 7383.001, which previously governed device manufacturing and PMA-related inspections.

Source link: Thecyberexpress.com.

Reported By

RS Web Solutions
