As discussed in the final guidance, FDA anticipates that the agency and industry will need up to 60 days after the publication of this guidance to operationalize the recommendations discussed; however, CDRH intends to review information submitted according to the new guidance at any time.
In the newly released final guidance, FDA has updated its November 2021 draft guidance by the same name, recognizing both the recent changes to the Federal Food, Drug, and Cosmetic Act (FDCA) made by the 21st Century Cures Act – which excluded certain software functions from the “device” definition – and modernizing FDA’s guidance to account for the rapidly-evolving nature of digital health and recent FDA-recognized consensus standards related to software.
The most dramatic difference between the final guidance and the long-standing 2005 guidance is the new distinction between two levels of software documentation – “basic” and “enhanced” – as compared to the three (for Major, Moderate, and Minor levels of concern) established in the 2005 guidance. Under the updated framework, companies must submit “enhanced” (i.e., more) documentation for a premarket submission when a software-containing device presents a greater risk to a patient, a device user, or others in the environment of use. “Table 1” of the guidance outlines the recommended documentation for both levels.
Specifically, enhanced documentation should be provided for any premarket submission that includes device software function(s) where a failure or flaw of any device software function(s) could present a hazardous situation with a probable risk of death or serious injury, either to a patient, user of the device, or others in the environment of use. These risks should be assessed prior to implementation of risk control measures. Sponsors should consider the risks in the context of the device’s intended use (e.g., impacts to safety, treatment, and/or diagnosis), and other relevant considerations. The risks associated with each documentation level should also include the likelihood that device functionality is intentionally or unintentionally compromised by inadequate device cybersecurity. Notably, the final guidance continues to reference the 2014 guidance, Content of Premarket Submissions for Management of Cybersecurity in Medical Device, given that a final version of the draft guidance, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, is expected to be finalized in 2023.
As with the prior framework, a device’s documentation level is meant to reflect the device as a whole, considering the risks of its device software function(s) in the context of the intended use. Basic documentation should be submitted for any premarket filing that includes device software function(s) where Enhanced documentation does not apply.
While both the new 2023 and prior 2005 versions of the software submission guidances appear to align FDA’s standards with the International Organization for Standardization’s (ISO) IEC 62304: Medical device software - Software life cycle processes, the change to basic or enhanced documentation level is more closely aligned with the prior documentation requirements for software presenting a Moderate and Major level of concern, respectively.
The final guidance also clarifies that FDA “does not recommend the use of any specific software life cycle model or development methodology (such as waterfall model or other variations thereof, spiral model, Agile model, etc.).” Instead, device software sponsors should establish a software life cycle model that is appropriate for their product and organization, and meets the applicable regulatory requirements, covering the software throughout its total product life cycle.
Last, it is worth noting that FDA’s final guidance differs from the draft version in its recommendations for how to address unresolved software anomalies, adding more details regarding what those records should include, such as the “[i]dentification of how the anomaly was discovered and, where possible, identification of the root cause(s) of the anomaly;” and the outcome of the impact of the anomaly on the device’s safety and effectiveness.”
FDA is hosting a webinar on the final guidance on July 20, 2023, for which registration is not required. The final guidance replaces FDA’s May 2005 guidance on the “Content of Premarket Submissions for Software Contained in Medical Devices.”
If you have any questions on the guidance, or on software documentation or premarket submissions more generally, please contact any of the authors of this alert or the Hogan Lovells attorney with whom you generally work.
Authored by Lina Kontos, Kelliann Payne, Suzanne Levy Friedman, Alex Smith, and Evelyn Tsisin