
Quality / Compliance / Regulatory Updates – 21 January 2022

FDA / EU / Regulatory Updates

 

FDA releases draft guidance “Content of Premarket Submissions for Device Software Functions”

 

  • It will replace the 16-year-old guidance when the final version is released
  • This draft guidance document provides information regarding the recommended software and risk management documentation submitters should include in premarket submissions (e.g., 510(k))
  • Covers both software in a medical device (SiMD) and software as a medical device (SaMD)

 

New Approach:

  • No more software “levels of concern”
  • Instead, there is a risk-based approach to the level of documentation that submitters need to provide: Documentation Level – Basic or Enhanced
  • Multiple changes in the required documentation; for example, no SDS is required for the Basic Level, and the entire Risk Management File is required for both levels

 

When will the Enhanced Level of documentation be required?

1) The device is a constituent part of a combination product.

2) The device (a) is intended to test blood donations for transfusion-transmitted infections; or (b) is used to determine donor and recipient compatibility; or (c) is a Blood Establishment Computer Software.

3) The device is classified as Class III.

4) A failure or latent flaw of the device software function(s) could present a probable risk of death or serious injury, either to a patient, user of the device, or others in the environment of use. These risk(s) should be assessed prior to implementation of risk control measures. You should consider the risk(s) in the context of the device’s intended use; the direct and indirect impacts to safety, treatment, and/or diagnosis; and other relevant considerations.

 

FDA Example:

 

Outcome: The device is not a constituent part of a combination product, is not Blood Establishment Computer Software, and is not intended for use in testing blood donations for transfusion-transmitted infections or determining donor and recipient compatibility. The device is class II. However, a failure or latent flaw of the device software function(s) (e.g., exploited cybersecurity vulnerability compromises device functionality) would present a probable risk of death or serious injury to a patient (e.g., loss of life supporting function) prior to the implementation of risk control measures. Therefore, this device would fall under “Enhanced Documentation Level.”

 

FDA Warning Letters

 

Medtronic Receives a Warning Letter from the FDA

Excerpts:

  • You failed to adequately establish procedures for corrective and preventive action, as required by 21 CFR 820.100(a).
  • Your firm revised your Product Risk Management Process (SOP104-08, Version AL), which updated the formula for risk calculation; however, this also did not result in accurate risk calculation.  The updated formula uses the “total shipment of affected product” which again underestimates the probability of occurrence because the number of products shipped includes devices not in use by patients (e.g., devices shipped to distributors that have not yet been distributed to customers).
  • Your firm failed to adequately investigate reported issues with your CareLink software that your firm manufactures; this software uses information transmitted from insulin infusion pumps and glucose meters to create reports intended to assist users with diabetes management.  Of the 25 complaints reviewed during our inspection, your firm documented “software error unknown” in 20 of the complaints; however, there is no evidence in your complaint records that technical support attempted to determine the version of software used by the device in order to conduct an investigation.
  • Per your CAPA #401464, to address the root cause of the lack of cyber security requirements in the design, all current and future Medtronic Diabetes software products would be evaluated for encryption security requirements.  Your firm also discontinued the manufacture and distribution of the Paradigm Pump products and scrapped remaining inventory of the remote controllers; however, these corrective actions did not address the devices in the field.  While your firm initiated a recall of 15,787 remote controllers shipped to customers in the previous four years, you have distributed over remote controllers since its release in 1999, and you did not notify all customers of this safety issue.
  • And more…

 

Cybersecurity

 

The FDA is raising awareness of a cybersecurity vulnerability in Apache’s Log4j software library, versions 2.0-beta9 to 2.14.1.

Log4j is broadly used in a variety of consumer and enterprise services, websites, and applications—as well as medical devices and supporting systems—to log security and performance information. There is active, widespread exploitation of the vulnerability across various industries.

(This is a remote code execution vulnerability (CVE-2021-44228) affecting Log4j versions 2.0-beta9 to 2.14.1. A remote attacker could exploit this vulnerability to take control of an affected system. Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services.)

These vulnerabilities may introduce risks for certain medical devices where the device could be made unavailable, or an unauthorized user could remotely impact the safety and effectiveness of device functionality. At this time, the FDA is not aware of any confirmed adverse events affecting medical devices related to these vulnerabilities.

Manufacturers should assess whether they are affected by the vulnerability, evaluate the risk, and develop remediation actions. As Apache Log4j is broadly used across software, applications, and services, medical device manufacturers should also evaluate whether third-party software components or services used in or with their medical device may use the affected software and follow the above process to assess the device impact.
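One way to start the assessment described above, as an added example that is not from the FDA notice or the original post: a check of a component inventory for `log4j-core` jars whose version falls in the range quoted on this page. The inventory paths are constructed sample data, and matching on the `log4j-core-<version>.jar` file name is this example's assumption.

```python
import re

# Affected range exactly as stated on this page (CVE-2021-44228).
# Confirm against the Apache advisory for fixed releases before closing an item.
AFFECTED_LOW, AFFECTED_HIGH = "2.0-beta9", "2.14.1"

_VERSION = r"\d+(?:\.\d+)*(?:-(?:alpha|beta|rc)\d+)?"
_CORE_JAR = re.compile(rf"log4j-core-({_VERSION})\.jar$", re.IGNORECASE)
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}


def version_key(version):
    """Return a sortable key so that 2.0-beta9 < 2.0 < 2.14.1 < 2.15.0."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-(alpha|beta|rc)(\d+))?", version.lower())
    if m is None:
        raise ValueError(f"unrecognised version: {version!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))          # "2.0" compares as 2.0.0
    pre = (_PRE_RANK[m.group(2)], int(m.group(3))) if m.group(2) else (3, 0)
    return tuple(nums), pre


def is_affected(version):
    return version_key(AFFECTED_LOW) <= version_key(version) <= version_key(AFFECTED_HIGH)


def affected_components(inventory):
    """Return (path, version) for every log4j-core jar inside the affected range."""
    hits = []
    for path in inventory:
        m = _CORE_JAR.search(path)
        if m and is_affected(m.group(1)):
            hits.append((path, m.group(1)))
    return hits


# Constructed inventory: device software plus third-party components it ships with.
SAMPLE_INVENTORY = [
    "gateway/lib/log4j-core-2.11.2.jar",
    "gateway/lib/log4j-api-2.11.2.jar",                       # API only, not matched
    "viewer/app.jar!/BOOT-INF/lib/log4j-core-2.0-beta9.jar",  # nested in a fat jar
    "reports/lib/log4j-core-2.17.1.jar",
    "legacy/lib/log4j-core-2.0-beta8.jar",
    "sync/lib/log4j-core-2.14.1.jar",
]

if __name__ == "__main__":
    for path, version in affected_components(SAMPLE_INVENTORY):
        print(f"AFFECTED {version:<10} {path}")
```

Matching on file names misses renamed or shaded copies of the library, so an empty result is a starting point for the assessment rather than clearance.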
