FDA / EU MDR / Regulatory News
FDA permits limited modifications to previously cleared infusion pumps without requiring submission of a new 510(K) premarket notification
The policy is aimed at increasing the availability and remote monitoring capabilities of infusion pumps and related accessories used to treat patients infected with COVID-19 during the pandemic
FDA will not object to limited modifications to:
- Hardware, software, or design modifications implementing the capability for remote monitoring and remote manual adjustment of infusion parameters
- Hardware, software architecture to allow for increased remote monitoring and manual setting adjustment capability
- More (transfer of electronic drug library information over a wireless or wired network connection, intended use, material, chemical composition, energy source, or manufacturing process etc.)
The policy applies where a modification is made to the device that normally would trigger the requirement of a new 510(k) premarket submission.
During Pandemic, ISO (The International Organization for Standardization) ISO temporarily allows free access to health and medical device related standards
The list includes ISO 13485, the medical device manufacturers quality system standard.
Additional standards available (read-only) for free:
ISO 13688:2013, Protective clothing – General requirements
ISO 17510:2015, Medical devices — Sleep apnea breathing therapy — Masks and application accessories
ISO 19223:2019, Lung ventilators and related equipment — Vocabulary and semantics
ISO 22301:2019, Security and resilience – Business continuity management systems –Requirements
ISO 80601-2-12:2020, Medical electrical equipment — Part 2-12: Particular requirements for basic safety and essential performance of critical care ventilators
ISO 80601-2-13:2011, Medical electrical equipment — Part 2-13: Particular requirements for basic safety and essential performance of an anesthetic workstation
ISO/TS 16976-8:2013, Respiratory protective devices — Human factors — Part 8: Ergonomic factors
Company Name – Mandelay Kft (Hungary, manufacturer of devices that detect (diagnose) electrical signatures of tissues, organs, nutrients, toxins and allergens and record the degree to which the body reacts to these elements)
Subject: CGMP/QSR/Medical Devices/Adulterated
Violations included in the letter (not a full list):
- Failure to establish and maintain adequate procedures to control the design of the device in order to ensure that specified design requirements are met, as required by 21 CFR 820.30
- Your firm provided a copy of Software Beta Test Summary Report (dated May 2, 2018) as the design validation for the Quest 9 device. However, your test report does not demonstrate that a full design validation was performed to include the execution of the device functions in a real or simulated environment to demonstrate that your devices conform to defined user need and intended uses
- Software Beta Test Summary Report indicated that defects were found and corrected, but it does not provide a description of the defects found, the corrections made, and if a re-test was performed
- Software problems documented on Software Failure Analysis/Corrective Action Report indicate that corrections were made to the software. However, your firm’s software verification test, Test Cases for Clasp 64 (dated March 19, 2019), does not specify which test cases are related to the software corrections
Cybersecurity
Cybersecurity alert about BD’s line of Pyxis devices
The Department of Homeland Security has issued cybersecurity alert about BD’s line of Pyxis medication and supply management devices
DHS’s Cybersecurity and Infrastructure Security Agency alerted users of Pyxis MedStation and Anesthesia ES Systems to a vulnerability that could enable someone with physical access to the machines to view or modify sensitive data. However, BD (Becton, Dickinson and Company) has no reports of the vulnerability being exploited.
The affected BD medical devices utilize a method of software application implementation called “kiosk mode.” This kiosk mode is vulnerable to local breakouts, which could allow an attacker with physical access to bypass kiosk mode and view and/or modify sensitive data.
BD said “the probability of harm is low” because the user would need physical access to the equipment to exploit the vulnerability. In the longer term, BD plans to roll out a security update to mitigate the threat. The security update will strengthen kiosk mode by closing off known means of escape. The company said the update will restrict “access to tools for viewing or manipulating local resources.”
