FDA / EU / Regulatory Updates
This draft guidance describes the FDA’s policy about its participation in the Voluntary Improvement Program (VIP). The VIP is a voluntary program facilitated through the Medical Device Innovation Consortium (MDIC) that evaluates the capability and performance of a medical device manufacturer’s practices using third-party appraisals and is intended to guide improvement to enhance the quality of devices.
As part of CDRH’s 2016-2017 strategic priority to “Promote a Culture of Quality and Organizational Excellence,” FDA envisions a future where the medical device ecosystem is inherently focused on device features and manufacturing practices that have the greatest impact on product quality and patient safety. Among its other regulatory activities, FDA evaluates manufacturers’ compliance with regulations governing the design and production of devices. Compliance with the Quality System Regulation, 21 CFR Part 820, is a baseline requirement for medical device manufacturing firms.
The VIP uses the CMMI Maturity Model for Development Version 2.0 and the Medical Device Discovery Appraisal Program (MDDAP) to perform an appraisal of capabilities and performance of the medical device manufacturer’s current business processes for achieving quality objectives against the best practices outlined by the maturity model. The MDDAP program is administered by the CMMI Institute, which also certifies and coordinates third-party appraisers, maintains the detailed results of the appraisals, and evaluates the collected data.
Participating manufacturing sites who demonstrate sustained capability and performance, or improvements in the appraisal results, may benefit from several opportunities that the VIP offers, following FDA’s review of the site’s appraisal, including:
- Opportunity for FDA Consideration in Risk-Based Inspection Planning
- Opportunity to Utilize a Modified Submission Format for Premarket Approval Application (PMA) and Humanitarian Device Exemption (HDE) 30-Day Change Notices for Modifications to Manufacturing Procedures or Methods of Manufacture
- Opportunity to Utilize a Modified Submission Format for PMA and HDE Manufacturing Site Change Supplements
- Opportunity to Utilize a Modified Submission Format for PMA or HDE Manufacturing Modules
This final guidance provides details about the information that should be included in premarket submissions to show EMC for electrically powered medical devices and medical devices with electrical or electronic functions. The new guidance will replace the 2016 final guidance: Information to Support a Claim of Electromagnetic Compatibility (EMC) of Electrically-Powered Medical Devices
- 1 year after the publication of this final guidance for in vitro diagnostics (IVD).
- 60 days after the publication of this final guidance for other device types
Cybersecurity
The cybersecurity vulnerability affects the Local Run Manager (LRM) software. An unauthorized user could exploit the vulnerability by:
- taking control of the instrument remotely.
- operating the system to alter settings, configurations, software, or data on the instrument or a customer’s network; or
- impacting patient test results in the instruments intended for clinical diagnosis, including causing the instruments to provide no results or incorrect results, altered results, or a potential data breach.
Illumina has developed a software patch to protect against the exploitation of this vulnerability and is working to provide a permanent software fix for current and future instruments. The FDA wants laboratory personnel and health care providers to be aware of the required actions to mitigate these cybersecurity risks.
- Vulnerability: Not Using Password Aging
- Risk Evaluation: Successful exploitation of this vulnerability could allow an attacker to gain access to electronic protected health information (ePHI) or other sensitive information
Vulnerability Overview: Specific BD Pyxis products were installed with default credentials and may still operate with these credentials. There may be scenarios where BD Pyxis products are installed with the same default local operating system credentials or domain-joined server(s) credentials that may be shared across product types. Threat actors could exploit this vulnerability to gain privileged access to the underlying file system and exploit or gain access to ePHI or other sensitive information.
