The Food and Drug Administration issued draft guidance Monday that clarifies when medical device manufacturers and software developers must receive regulatory approval before making changes to their products.
The proposal states that if the “overall structure" of a device's software is altered, the company should consider filing a 510(k) form that demonstrates a marketed medical device is safe and effective. An example of an overall structure change would be software tweaks to support new hardware. The FDA would have to approve any changes outlined in the 510(k) form.
Changes that could cause a “hazardous situation” for patients will also likely require regulatory approval.
Devices undergoing "core algorithm" changes also may need FDA approval. For example, a rewrite of an algorithm that impacts the performance of the device should be re-considered for approval.
The FDA also clarified circumstances that likely don't require renewed regulatory approval.
The agency stated that “in many cases” a change to a device made only to strengthen cybersecurity likely doesn't require a new 510(k).
The FDA recently raised concerns over security of devices as hacks in the industry persist. The agency issued guidance in January that recommended manufacturers of medical devices monitor, identify and respond to cybersecurity vulnerabilities.
Changes to the appearance of the device also don't require renewed approval if they don't impact the device's clinical use. Alterations that clarify software requirements after a product receives authorization don't require approval as well.
The FDA will accept comments and suggestions for 90 days on the proposed guidance.