by Brendan Bradley | 4/14/2023
Manufacturers of medical devices face a plethora of regulatory standards from multiple entities and agencies. ISO 13485, IEC 62304, and UL 2900 are just some of the international standards that regulate all levels of the medical device supply chain, addressing key requirements such as quality and risk. While the FDA previously relied upon suggested best practices for the cybersecurity of medical devices in the form of guidelines, the agency has recently taken a far more proactive approach to regulation. The Consolidated Appropriations Act of 2023, colloquially known as the “omnibus spending bill”, gives increased regulatory power to the FDA, expanding the definition of a medical device to potentially include some consumer wearables. Section 3305 requires manufacturers of any medical device that is connected to the internet to submit a comprehensive software bill of materials (SBOM) to the FDA, documenting all commercial, open-source, and off-the-shelf software components used in the development of the device. Additionally, manufacturers must meet minimum cybersecurity requirements, and submit a plan to monitor, identify, and address post-market cybersecurity threats. The stipulations put forth by this bill went into effect March 29, 2023. These new regulations introduce complications to manufacturers seeking to bring their medical device, or medically capable consumer wearable, to market through FDA clearance/approval.
An important distinction exists between a cleared device and an approved device. Manufacturers seeking FDA clearance must make a 510(k) submission. This process essentially demonstrates that the device has processes and functions similar to those of an existing cleared or approved device and serves the same intended use, meeting the FDA standard of substantial equivalence. FDA-cleared devices do not need to undergo any additional clinical research, trials, or testing.
Premarket Approval (PMA) is a much more involved, lengthier, and costly process. Manufacturers of Class III medical devices, defined as those that pose a high risk to patients, must undergo rigorous testing and review before going to market. Devices must be developed in adherence to the FDA Design Controls, a formalized development process whose documentation demonstrates the safety and effectiveness of the device. The components that must be addressed are as follows: user needs, design and development planning, design inputs, design outputs, design review, design verification, design validation, design transfer, and design changes. While the approach to satisfying each of these components is up to the manufacturer, each aspect must be completely documented and integrated into the development process in order to achieve FDA approval. Depending on the type of device, PMA also requires Level I or II clinical evidence, which in turn requires manufacturers to obtain an investigational device exemption (IDE) to conduct clinical trials.
More manufacturers will need to adopt new tools in order to keep up with the requirements of the latest regulatory updates. With the introduction of the SBOM as a mandated requirement for achieving FDA approval, certain software development tools will become critical in order to bring products to market in a timely manner. These tools and more are covered in VDC’s recent report, The Global Market for Software Composition Analysis.