Deciding When to Submit a New 510k for Software Changes to Medical Devices
This guidance assists manufacturers in determining when a software change to a medical device requires submission of a new 510(k). It applies to software that is embedded within or a component of a medical device, software accessories, and standalone software medical devices. The guidance specifically addresses software modifications and is intended as a companion to the general guidance on device modifications.
Recommended Actions
- Implement a systematic process to evaluate software changes using the provided flowchart
- Document all software changes and decision rationale in the quality system
- Conduct risk-based assessment for all software changes
- Perform verification and validation activities for all changes
- Compare changes against the most recently cleared device version
- Evaluate cybersecurity changes separately from other software modifications
- Consider both individual and cumulative effects of multiple changes
- Maintain documentation of software versions and configurations
- Consult with FDA when uncertain about the need for a new 510(k)
- Include all relevant changes in new 510(k) submissions, even those that didn’t trigger the submission requirement
Key Considerations
Non-clinical testing
- Verification and validation activities must be conducted regardless of whether a new 510(k) is required
- If routine verification and validation activities produce unexpected results, reconsider the decision about 510(k) submission
Software
- Evaluate both intended and unintended consequences of software changes
- Consider the impact of infrastructure changes (compilers, programming languages, drivers, libraries)
- Assess architectural changes (porting to new OS, new hardware platform, middleware)
- Evaluate core algorithm changes that directly impact intended use
- Consider the impact of reengineering and refactoring activities
- Document all software changes as per QS requirements
Cybersecurity
- Changes made solely to strengthen cybersecurity without other impacts typically don’t require a new 510(k)
- Evaluate any incidental or unintended impacts of cybersecurity changes
Safety
- Evaluate if changes introduce new risks or modify existing risks that could result in significant harm
- Assess modifications to risk control measures
- Consider the cumulative effect of multiple changes on safety
Other considerations
- Compare changes to the most recently cleared device version
- Document the decision-making process as part of the quality system
- Consider the combined impact of multiple simultaneous changes
- Evaluate changes in performance specifications related to intended use
Relevant Guidances
- Content of Premarket Submissions for Device Software Functions
- Off-The-Shelf Software in Medical Devices: Documentation Requirements for Premarket Submissions
- Software Validation for Medical Device Production, Quality Systems, and Device Components
- Cybersecurity in Medical Devices: Design, Implementation, and Premarket Submissions
- Changes to Medical Device Definition for Software Functions Under the 21st Century Cures Act
- Policy for Device Software Functions and Mobile Medical Applications
- Multiple Function Device Products: Policy and Considerations for Functions Not Subject to FDA Review
Related references and norms
- AAMI/ANSI/IEC 62304: Medical device software - software life cycle processes
- ISO 14971: Medical devices – Application of risk management to medical devices
- IEC TR 80002-1: Medical device software – Part 1: Guidance on the application of ISO 14971 to medical device software
Original guidance
- Deciding When to Submit a New 510k for Software Changes to Medical Devices
- Issue date: 2017-10-25
- Last changed date: 2020-03-02
- Status: FINAL
- Official FDA topics: Medical Devices, Laboratory Tests, Digital Health, 510(k), Labeling, Premarket, IVDs (In Vitro Diagnostic Devices), Biologics
- ReguVirta summary file ID: fbafc648b4a72cda678c8a7d756053e4
This post is licensed under CC BY 4.0 by the author.