Regulatory Open Forum

This message was posted by a user wishing to remain anonymous

If a change that warrants a 510(k) is made to a cyber device and that change does not impact the cyber aspects (software, networking etc) of the device, does the 510(k) need to include the cybersecurity information identified in the recent final guidance.  As an example, it only involves a change to the patient contacting materials of the device.  No change to software or the networking aspect of the device.  Can the 510(k) just focus on the material change?

Hello Anon,

Yes, definitely.  In fact, if the change to the product can be done under a Special 510(k) this is even easier because it does indeed only focus on the changes which were made to the device (considering these changes are within the scope of being able to submit a Special 510(k)).  If the submission is a regular 510(k), you do need to submit a "full" submission again, but there is some flexibility in what is submitted if there are no changes.  It does depend on the device, and submission being made, but there can be some more efficient ways of making the submission.

------------------------------
Richard Vincins ASQ-CQA, MTOPRA, RAC
Vice President Global Regulatory Affairs
Oriel STAT A MATRIX - ENTERPRISE
------------------------------

Original Message:
Sent: 20-Dec-2023 06:39
From: Anonymous Member
Subject: 510(k) for Cyber Device

This message was posted by a user wishing to remain anonymous

If a change that warrants a 510(k) is made to a cyber device and that change does not impact the cyber aspects (software, networking etc) of the device, does the 510(k) need to include the cybersecurity information identified in the recent final guidance.  As an example, it only involves a change to the patient contacting materials of the device.  No change to software or the networking aspect of the device.  Can the 510(k) just focus on the material change?

Hi,

What I believe the guidance says is if the device has software or logic, even if the change does not affect the cyber aspects of the device you still need to include it going forward in all 510(k)'s or else you will get a Refuse to Accept (RTA) from the Agency. The idea is moving forward this documentation and rigor will need to be taken for any device with Cybersecurity risks.

------------------------------
Sebastian Feye
Accurate Consultants
San Diego CA
United States
------------------------------

Original Message:
Sent: 20-Dec-2023 06:39
From: Anonymous Member
Subject: 510(k) for Cyber Device

This message was posted by a user wishing to remain anonymous

If a change that warrants a 510(k) is made to a cyber device and that change does not impact the cyber aspects (software, networking etc) of the device, does the 510(k) need to include the cybersecurity information identified in the recent final guidance.  As an example, it only involves a change to the patient contacting materials of the device.  No change to software or the networking aspect of the device.  Can the 510(k) just focus on the material change?

Yes you will need to include the updated sections. I would also be surprised if your team didn't need to do some work to comply with the updated Software and Cybersecurity requirements. FDA was given much broader enforcement for Cybersecurity specifically in the 2022 omnibus bill and your device will need to be compliant with the current thinking/requirements from FDA. I would suggest you engage your software teams and review the guidance and requirements that have been published throughout 2023.

------------------------------
Randy Parry
South Jordan UT
United States
------------------------------

Original Message:
Sent: 20-Dec-2023 06:39
From: Anonymous Member
Subject: 510(k) for Cyber Device

This message was posted by a user wishing to remain anonymous

If a change that warrants a 510(k) is made to a cyber device and that change does not impact the cyber aspects (software, networking etc) of the device, does the 510(k) need to include the cybersecurity information identified in the recent final guidance.  As an example, it only involves a change to the patient contacting materials of the device.  No change to software or the networking aspect of the device.  Can the 510(k) just focus on the material change?