The FDA’s August 2024 Draft Guidance for Predetermined Change Control Plans (PCCP) for Medical Devices introduces significant updates to how medical device manufacturers (MDMs) plan and communicate future changes to their devices. This draft guidance stems from the new statutory authority added to the Federal Food, Drug, and Cosmetic Act (FD&C Act) under section 515C, which provides a framework for managing device modifications.

What is a Predetermined Change Control Plan?

A Predetermined Change Control Plan outlines anticipated changes to a medical device that are expected to occur after the device receives market authorization. The goal is to ensure that modifications can be implemented without compromising the device’s safety or effectiveness. This approach is particularly relevant for software-based devices, where updates and improvements can be used to add features, and to maintain performance and security.

Key Components of a PCCP

According to the draft guidance, a PCCP submitted as part of a premarket submission (De Novo, 510(k), or PMA) should include:

• A detailed description of modifications
• A modification protocol
• An impact assessment

Notably, the guidance emphasizes that modifications under a PCCP must maintain the device’s intended use. Any changes to the device’s intended use or indications for use typically require additional regulatory review, except in very limited circumstances as enumerated in the draft guidance.

Additionally, the FDA will likely update several existing guidance documents, including:

• Modifications to Devices Subject to Premarket Approval (PMA) — The PMA Supplement Decision-Making Process
• Deciding When to Submit a 510(k) for a Change to an Existing Device
• Deciding When to Submit a 510(k) for a Software Change to an Existing Device
• Marketing Submission Recommendations for a Predetermined Change Control Plan for Artificial Intelligence/Machine Learning (AI/ML) — Enabled Device Software Functions

Implications for Medical Device Manufacturers

The draft guidance signals a shift towards more flexible regulatory pathways for devices that require frequent updates. This is particularly beneficial for manufacturers of connected medical devices, where cybersecurity updates are critical to maintaining patient safety, and where connectivity facilitates those updates. However, the increased transparency and documentation requirements may pose new challenges for manufacturers who are not accustomed to proactive change management.

Case Study: Implementing a PCCP with Medcrypt’s Cybersecurity Expertise

Medcrypt recently partnered with an MDM to support the development of a PCCP as part of their regulatory submission. The device is connected and will require frequent updates for clinical functionality, adjustments to an algorithm and secure patching. The device is also interoperable. The PCCP that was developed with this MDM supports a variety of clinical functionality updates that do not affect intended use or indications for use. The change types also included minor tweaks to how the algorithm utilized data input from interoperable components in order to handle a variety of input sources that may change over time. Finally, the PCCP demonstrates the manufacturers’ plan for secure patching in order to handle any software updates that are needed to support clinical functionality or new interoperable component interfacing.

Medcrypt reviewed the change types, the modification protocols associated with each change type, the impact assessments, and the device’s overall cybersecurity design to ensure that the PCCP would provide evidence supporting continuing safety, effectiveness, and security of the device.

As a result, the manufacturer successfully submitted their PCCP, ensuring they could implement future cybersecurity updates without requiring additional regulatory submissions for each modification.

Preparing for FDA’s Final Guidance

As the FDA works toward finalizing this guidance, manufacturers should begin assessing how the PCCP framework will impact their product development and regulatory strategies. Developing a comprehensive PCCP requires cross-functional collaboration between regulatory, engineering, and cybersecurity teams.

If you’re seeking guidance on building a PCCP or understanding how the FDA’s evolving cybersecurity requirements affect your devices, Medcrypt’s team of experts is here to help. Contact us at info@medcrypt.com to learn more about our cybersecurity-regulatory and cybersecurity-design services.

‍