Post

Deciding When to Submit a New 510k for Software Changes to Medical Devices

This guidance assists manufacturers in determining when a software change to a medical device requires submission of a new 510(k). It applies to software that is embedded within or a component of a medical device, software accessories, and standalone software medical devices. The guidance specifically addresses software modifications and is intended as a companion to the general guidance on device modifications.

  1. Implement a systematic process to evaluate software changes using the provided flowchart
  2. Document all software changes and decision rationale in the quality system
  3. Conduct risk-based assessment for all software changes
  4. Perform verification and validation activities for all changes
  5. Compare changes against the most recently cleared device version
  6. Evaluate cybersecurity changes separately from other software modifications
  7. Consider both individual and cumulative effects of multiple changes
  8. Maintain documentation of software versions and configurations
  9. Consult with FDA when uncertain about the need for a new 510(k)
  10. Include all relevant changes in new 510(k) submissions, even those that didn’t trigger the submission requirement

Key Considerations

Non-clinical testing

  • Verification and validation activities must be conducted regardless of whether a new 510(k) is required
  • If routine verification and validation activities produce unexpected results, reconsider the decision about 510(k) submission

Software

  • Evaluate both intended and unintended consequences of software changes
  • Consider the impact of infrastructure changes (compilers, programming languages, drivers, libraries)
  • Assess architectural changes (porting to new OS, new hardware platform, middleware)
  • Evaluate core algorithm changes that directly impact intended use
  • Consider the impact of reengineering and refactoring activities
  • Document all software changes as per QS requirements

Cybersecurity

  • Changes made solely to strengthen cybersecurity without other impacts typically don’t require new 510(k)
  • Evaluate any incidental or unintended impacts of cybersecurity changes

Safety

  • Evaluate if changes introduce new risks or modify existing risks that could result in significant harm
  • Assess modifications to risk control measures
  • Consider the cumulative effect of multiple changes on safety

Other considerations

  • AAMI/ANSI/IEC 62304: Medical device software - software life cycle processes
  • ISO 14971: Medical devices – Application of risk management to medical devices
  • IEC TR 80002-1: Medical device software – Part 1: Guidance on the application of ISO 14971 to medical device software

Original guidance

  • Deciding When to Submit a New 510k for Software Changes to Medical Devices
  • HTML / PDF
  • Issue date: 2017-10-25
  • Last changed date: 2020-03-02
  • Status: FINAL
  • Official FDA topics: Medical Devices, Laboratory Tests, Digital Health, 510(k), Labeling, Premarket, IVDs (In Vitro Diagnostic Devices), Biologics
  • ReguVirta summary file ID: fbafc648b4a72cda678c8a7d756053e4
This post is licensed under CC BY 4.0 by the author.