Prepare for RTA: What is the FDA Medical Device Review Process?

Topics:
FDA readiness
This is some text inside of a div block.
Naomi Schwartz
Naomi Schwartz

August 29, 2023

Prepare for RTA: What is the FDA Medical Device Review Process?

Leading up to October 1, 2023, when the FDA Refuse to Accept (RTA) policy will be in full effect, Medcrypt is publishing a series of 4 new blogs around FDA Guidance Readiness. First, discover what you should know about the FDA review process from Naomi Schwartz, Medcrypt Senior Director of Cybersecurity Quality and Safety.

The Food and Drug Administration (FDA) has rigorous medical device submission processes to ensure the safety and effectiveness of medical devices. The preparation and resources required to complete these submissions can vary based on the class and complexity of the device. If submissions are documented appropriately and sufficiently, the submission process can be straightforward and lead to timely commercial launch. Conversely, if the FDA deems the submission insufficient and requests further evidence or documentation, the process can become drawn out and ultimately result in a costly delay in getting the device to market.

Device classification and types of submissions

Prior to submitting to the FDA, the device manufacturer needs to determine which regulatory class the device falls under: class I, class II or class III. Class I (low to moderate risk) and Class II (moderate to high risk) represent the vast majority of medical devices regulated by the FDA and require a 510(k) submission unless exempted (most Class I devices and some Class II devices). Whether or not the device type is exempted, regardless of classification, the manufacturer is required to register their establishment and list the generic category or classification name (Registration and listing information is submitted by using FDA’s Unified Registration and Listing System (FURLS)/ Device Registration and Listing Module (DRLM)).

High risk devices and especially those medical devices that sustain or support life, or are implanted, are considered to be Class III (high risk) devices and require a more in-depth assessment through a Pre-Market Approval (PMA). Devices that are first of kind and don’t have an existing predicate device on the market are automatically considered Class III devices. However, if the product has a lower risk profile it may qualify for the De Novo pathway instead of requiring a PMA. See examples of device classifications in table below:

Note: There are nuances to classifications, please visit this link for a more detailed explanation of how the FDA classifies devices

FDA submission review process

The duration of the submission review process differs based on the type of submission the device requires, but can take anywhere from 90–180 FDA days and allow the manufacturer up to 180 days to respond to requests for additional information. The process is fundamentally the same and includes the following milestones: submission, submission acceptance (or rejection), substantive review, interactive review questions to manufacturer, formal additional information requests and final FDA decision. Each type of submission may include different sub-steps that may include: responses, meetings, inspections, amendments, re-submissions.

Cybersecurity specifics across submissions

Perhaps most critical to note — there are cybersecurity considerations that span all types of FDA submissions. Cybersecurity considerations have received more scrutiny in recent years, as cyber attacks across the healthcare industry are becoming more frequent and more complex. Due to these recent trends, the FDA has issued new final guidance on the Refuse to Accept (RTA) Policy relating to cybersecurity in medical devices, specifically for “Cyber Devices” as defined in the newly-amended FD&C Act in Section 542B. With this final guidance, the FDA is alerting manufacturers that FDA is now requiring medical device manufacturers to take greater responsibility in securing their devices and will start refusing to review filings that are incomplete.

With the inclusion of software on nearly all medical devices, explicitly calling out cybersecurity expectations is intentional, as security has consistently proven inadequate when positioned as an afterthought. Those organizations that embed cybersecurity into their device development process have the highest success rate to build, and sustain security over the lifetime of a device — which also enables demonstrating critical criteria for the regulatory approval process.

Interested in learning more? Register for the free webinar: The FDA ‘Cybersecurity Refuse to Accept Policy’ (RTA) will affect Medical Device Manufacturers!

This concludes part 1 of Medcrypt’s 4-part blog series on FDA Readiness. Stay tuned this month for more on Refuse to Accept (RTA), eSTAR, and setting your organization up for success. Looking for help preparing for FDA submissions, see what Medcrypt can do for your team.

Subscribe to get more FDA Submission Readiness content. Medcrypt provides medical device cybersecurity products and services that meet regulatory guidance requirements. Schedule a meeting with us at info@medcrypt.com and learn more about our solutions.

Related articles

Top 5 Things People Get Wrong About SBOM Generation
This is some text inside of a div block.

Top 5 Things People Get Wrong About SBOM Generation

Vulnerability management
This is some text inside of a div block.
Tools & processes
This is some text inside of a div block.
Thought leadership
This is some text inside of a div block.
Jobe Naff
Jobe Naff

October 30, 2024

Cybersecurity in FDA CDRH’s Proposed Guidance List for Fiscal Year 2025
This is some text inside of a div block.

Cybersecurity in FDA CDRH’s Proposed Guidance List for Fiscal Year 2025

FDA readiness
This is some text inside of a div block.
Regulatory
This is some text inside of a div block.
Thought leadership
This is some text inside of a div block.
Axel Wirth
Axel Wirth

October 28, 2024

Meeting FDA Cybersecurity Requirements with Medcrypt Guardian & RTI Connext
This is some text inside of a div block.

Meeting FDA Cybersecurity Requirements with Medcrypt Guardian & RTI Connext

Company
This is some text inside of a div block.
Cryptography
This is some text inside of a div block.
Tools & processes
This is some text inside of a div block.
All authors
All authors

October 22, 2024

Subscribe to Medcrypt news

Get the latest healthcare cybersecurity news right in your inbox.

We'll never spam you or sell your information