End-of-Life (EOL) and End-of-Support (EOS): A Growing Challenge for Medical Device Manufacturers

With cybersecurity regulations tightening, the FDA now requires Medical Device Manufacturers (MDMs) to include detailed End-of-Life (EOL) and/or End-of-Support (EOS) information in their Software Bill of Materials (SBOM). The reality of accomplishing this is far more complex for some manufacturers, particularly organizations managing hundreds or thousands of software dependencies.

Historically, SBOMs have focused on cataloging software components, but the FDA’s latest guidelines go further. They require a deeper understanding of each component’s lifecycle, requiring medical device manufacturers to document:

1. Level of Support: Is the software still actively maintained?
2. EOL Dates: When will support officially end?

In today’s regulatory environment, failure to provide this information can result in delayed submissions, FDA rejections, or questions about the safety and security of medical devices relying on outdated or unsupported software.

The Challenge of Identifying EOL/EOS in Open-Source and Proprietary Software

For proprietary software, manufacturers should state in their submission to the FDA, under the proprietary component’s level of support, whether or not they have a contract for support with the supplier. If they do, manufacturers should also indicate whether the contract can be renewed or extended. Additionally, the contract’s expiration or termination date can be used as the EOL/EOS date. Open-source software presents more significant challenges including:

• No Defined EOL Dates: Most open-source projects don’t specify EOL dates
• Uncertainty Around Support: Identifying whether an open-source library is actively maintained requires analyzing metrics such as update frequency, contributor activity, and recency of releases

MDMs must balance regulatory requirements with the reality of working with open-source components, often relying on best estimates to determine lifecycle information.

The FDA’s Deficiencies in Addressing EOL/EOS

While the FDA now mandates EOL/EOS data, the agency has not provided clear criteria for how to assess or document this information. For example:

• There is no standardized definition for “actively maintained” software.
• The burden of proof lies with manufacturers, forcing teams to justify their criteria for determining EOL/EOS.

This ambiguity, combined with the sheer volume of dependencies in modern devices, leads to significant time and resource challenges for MDMs.

The Manual Burden of Compliance

For the average manufacturer, compiling EOL/EOS data is a time-consuming process:

• Teams spend 8 hours per SBOM, on average, gathering and verifying lifecycle information
• Many dedicate up to two weeks per quarter maintaining outdated spreadsheets to track this data

This approach is not only inefficient but also prone to errors. The result is a compliance process that cannot scale alongside the increasing complexity of device ecosystems.

How Helm’s New Feature Revolutionizes EOL/EOS Management

To address this challenge, Medcrypt’s Helm has introduced a groundbreaking feature designed to automate and scale EOL/EOS management for MDMs. By automating this process, Helm empowers manufacturers to not only meet FDA expectations but also future-proof their compliance efforts. Here’s how it works:

1. Single Data Entry: Helm’s rules manager allows teams to enter EOL/EOS information for each unique component once. This information is then automatically applied across all SBOMs — past, present, and future.
2. Error Reduction: By replacing manual spreadsheets, Helm minimizes errors and ensures consistency across all submissions.
3. Time Savings: What previously took weeks can now be completed in hours, enabling teams to focus on innovation rather than compliance bottlenecks.

Why It Matters

The release of Helm’s EOL/EOS feature comes at a critical pain point for MDMs at a pivotal time. As the FDA enforces stricter cybersecurity requirements, failing to proactively manage lifecycle data can result in delayed submissions, regulatory penalties, and increased security risks.

Helm’s automation through the Rules Manager empowers manufacturers to meet FDA expectations efficiently and ensures compliance efforts scale with the growing complexity of device ecosystems. By improving accuracy and reducing manual workloads, Helm helps MDMs future-proof their processes while focusing on innovation and patient safety.

Looking Ahead

The demand for lifecycle transparency will only grow as regulatory bodies worldwide adopt similar expectations. While Helm currently streamlines EOL/EOS management through the Single Data Entry feature of the Rules Manager, there’s more to come. For instance, automating the identification of actively maintained or abandoned software via integrations with tools like Tidelift and ecosyste.ms is on the horizon. These enhancements will address outstanding challenges and provide even greater efficiency for manufacturers.

Whether you’re dealing with legacy systems, open-source challenges, or proprietary contracts, Helm simplifies the process — turning a regulatory headache into a manageable task.

Check out Helm’s EOL/EOS functionality and see how it can transform your SBOM workflows, and stay tuned for future automations with Helm’s Rules Manager.