From Deficient to Accepted: An FDA Submission Victory

SITUATION

• Client filed a 510(k) submission with the FDA for a next-generation medical device
• In response, they received an information request letter (IR) from the FDA citing the need for clarification on security risk management and to address gaps in the submission
• The client had 90 days to address the FDA’s concerns with a satisfactory response, or face the delays and increased scrutiny associated with a full resubmission

Challenges

• Client had deficient security risk management documentation on file for its legacy system, jeopardizing their ability to obtain pre-market approval of the next-generation system
• Client received Insufficient guidance from an external third-party consultant which resulted in the IR notification
• Promptly address and resolve the FDA’s concerns to ensure successful resolution, while also minimizing the potential opportunity cost associated with any time-to-market delay

SOLUTION

• MedAcuity conducted a comprehensive assessment of the FDA submission to identify gaps relative to current FDA guidance for security risk management
• Reworked SOPs and work instructions for the stalled submission while taking into consideration existing SOPs from previous submissions to ensure that they were still supported
• Collaborated with the client’s team to update their QMS to close security risk management gaps
• Created a security architecture and threat model
• Executed a comprehensive security risk analysis

Results

In alignment with current FDA guidance and TIR57, MedAcuity

• Ensured the client could implement and verify the security risk controls and documented all the activities in the Security Risk Management Report
• Client submitted updates addressing security risk management gaps to the FDA; resubmission was accepted and FDA granted premarket approval
• This project became the ‘gold standard’ for demonstrating how to safeguard a premarket submission package from security risk management deficiencies