Example #6: Information on OTS used in the Device is Contradictory

By Robert Rajewski, President, CriTech Research, Inc.

Here’s this week’s example of an Additional Information Request (AI Request):

FDA Additional Information Request – Example #6: Information on OTS used in the Device is Contradictory

You provided documentation on the commercial, open-source, and off-the-shelf software (OTS) components used in the device, indicating that no OTS is used in the device. However, the information provided is contradictory. In another section, you indicate that “OTS software must be performed maintenance according to section 1.1.1 Maintenance of OTS software”. Section 1.1.1 in the submission could not be found.

An adequate assessment of vulnerabilities in the software components is important to comply with the requirements specified in section 524B(b)(2) of the Federal Food, Drug, and Cosmetic Act to provide a reasonable assurance that the device and related systems are cybersecure. It is also consistent with the recommendations in the FDA Guidance “Off-the-Shelf Software Use in Medical Devices” (https://www.fda.gov/media/71794/download) for off-the-shelf software. Further, the FDA Guidance “Multiple Function Device Products: Policy and Considerations” (https://www.fda.gov/media/112671/download) recommends cybersecurity considerations for software that performs “other functions.” These guidance documents include recommendations for assessing risks and these assessments should include cybersecurity considerations.

Therefore, please update your cybersecurity risk management documentation and any other affected documentation to address these concerns. This assessment should be referenced against a vulnerability database like the NIST National Vulnerability Database (https://nvd.nist.gov/vuln/search).

In this example, the medical device company provided documentation regarding OTS software that contradicted itself: one section states that no OTS is used, while another section describes how OTS software is to be maintained. A second document-configuration problem compounds the first: one document references a section of another document (1.1.1) that does not exist anywhere in the submission.

The company also needs to perform a cybersecurity vulnerability assessment for each software component, OTS components included. The assessment should be checked against, and cite, a vulnerability database such as the NIST National Vulnerability Database (NVD), so that the reviewer can see which known vulnerabilities were considered for each component and version.
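As an added illustration of the two points above (it is not code from the post or from CriTech), the script below takes a constructed OTS component inventory, matches it against a small feed slice shaped like the NVD API 2.0 JSON (`vulnerabilities` → `cve` → `configurations` → `nodes` → `cpeMatch`), and records an assessment result for every component, including those with no matching entries, so nothing in the inventory is silently skipped. It also performs the two documentation checks the request turns on: a submission that declares "no OTS" while listing OTS components, and a cited section number that no document defines. All vendor, product, section and CVE identifiers are placeholders constructed for the example; the CPE parsing assumes values without escaped colons.

```python
"""Assess an OTS component inventory against an NVD-style CVE feed.

Added example; not part of the original post. Assumptions: the inventory is a
list of vendor/product/version dicts, the feed mimics the NVD API 2.0 JSON
shape, and every identifier below is a constructed placeholder.
"""
import json
import re

# Constructed OTS inventory, as exported from a submission's OTS table.
INVENTORY = [
    {"vendor": "exampleco", "product": "loglib", "version": "1.2.3"},
    {"vendor": "exampleco", "product": "loglib", "version": "2.0.0"},
    {"vendor": "otherco", "product": "tlsstack", "version": "3.1.0"},
    {"vendor": "otherco", "product": "gui-toolkit", "version": "0.9"},
]

# Constructed feed slice in the NVD 2.0 shape; CVE ids are PLACEHOLDERS.
FEED_JSON = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-0000-00001 (placeholder)",
             "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [
                 {"vulnerable": True,
                  "criteria": "cpe:2.3:a:exampleco:loglib:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.3.0"}]}]}]}},
    {"cve": {"id": "CVE-0000-00002 (placeholder)",
             "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [
                 {"vulnerable": True,
                  "criteria": "cpe:2.3:a:otherco:tlsstack:3.1.0:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-00003 (placeholder)",
             "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [
                 {"vulnerable": False,  # platform node, not the vulnerable product
                  "criteria": "cpe:2.3:o:otherco:gui-toolkit:*:*:*:*:*:*:*:*"}]}]}]}},
]})


def version_key(version):
    """Turn '1.2.3' into a comparable tuple; non-numeric parts count as 0 (assumption)."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version))


def parse_cpe(criteria):
    """Split a CPE 2.3 formatted string into its part/vendor/product/version fields."""
    fields = criteria.split(":")  # assumes no escaped ':' inside values
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {criteria}")
    return {"part": fields[2], "vendor": fields[3],
            "product": fields[4], "version": fields[5]}


def in_range(version, match):
    """Apply the cpeMatch version constraints (exact version or NVD range keys)."""
    v = version_key(version)
    cpe_version = parse_cpe(match["criteria"])["version"]
    if cpe_version not in ("*", "-") and version_key(cpe_version) != v:
        return False
    if "versionStartIncluding" in match and v < version_key(match["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in match and v <= version_key(match["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in match and v > version_key(match["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in match and v >= version_key(match["versionEndExcluding"]):
        return False
    return True


def assess(inventory, feed_json):
    """Return {component: [cve ids]} with an entry for every inventory item."""
    feed = json.loads(feed_json)
    report = {f"{c['vendor']}:{c['product']}:{c['version']}": [] for c in inventory}
    for item in feed["vulnerabilities"]:
        cve = item["cve"]
        for cfg in cve.get("configurations", []):
            for node in cfg.get("nodes", []):
                for match in node.get("cpeMatch", []):
                    if not match.get("vulnerable"):
                        continue  # only vulnerable=true entries name affected software
                    cpe = parse_cpe(match["criteria"])
                    for comp in inventory:
                        if (comp["vendor"], comp["product"]) != (cpe["vendor"], cpe["product"]):
                            continue
                        if in_range(comp["version"], match):
                            key = f"{comp['vendor']}:{comp['product']}:{comp['version']}"
                            if cve["id"] not in report[key]:
                                report[key].append(cve["id"])
    return report


def inventory_consistency(declares_no_ots, inventory):
    """Flag the contradiction from the request: 'no OTS used' beside a non-empty OTS list."""
    if declares_no_ots and inventory:
        return [f"submission states no OTS is used but lists {len(inventory)} OTS component(s)"]
    return []


def missing_cross_references(defined_sections, referenced_sections):
    """Return section numbers cited in the submission that no document defines."""
    return sorted(set(referenced_sections) - set(defined_sections))


if __name__ == "__main__":
    for component, cves in assess(INVENTORY, FEED_JSON).items():
        print(component, "->", cves or "no matching entries at time of check")
    print(inventory_consistency(True, INVENTORY))
    print(missing_cross_references({"1.1", "1.2", "2.1"}, ["1.1", "1.1.1"]))
```

The point of keeping an empty list for components with no matches is that the submission can then show a reviewer that each component was checked on a given date, rather than leaving it unclear whether a component was assessed at all.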

FDA is asking for updates to the cybersecurity documentation, and to any other documentation that must change, to address these concerns.

Please follow us to see more examples of AI Requests – a new one is released every week.

Should you receive an Additional Information Request from the FDA, CriTech is here to help. Please give us a call to discuss and we’ll help you craft what you need to do going forward.

Should you happen to receive an FDA AIR related to software as part of your submission, CriTech is here to help. Contact us any time.

Follow us on LinkedIn to find out when the next example of our FDA AIRs series is released.