Here’s this week’s example of an Additional Information Request (AI Request):
FDA Additional Information Request - Example #21: Operating System (OS) No Longer Supported by the Vendor
Your submission documentation indicates that you are using YYY as the operating system (OS) for the device. This OS has passed its end-of-support date and is no longer supported. Your ability to monitor, identify, and address vulnerabilities is hindered because unsupported OSes are expected to be exposed to cybersecurity vulnerabilities, and additional software bugs may be identified which could result in unacceptable risks to the device, as the OS vendor is no longer providing patches.
Adequate support for the OS is important to comply with the requirement specified in section 524B(b)(2) of the Federal Food, Drug, and Cosmetic Act to provide a reasonable assurance that the device and related systems are cybersecure. It is also consistent with recommendations in the FDA Guidance “Off-The-Shelf Software Use in Medical Devices” for manufacturers to demonstrate the existence of appropriate mechanisms for assuring the continued maintenance and support of the OTS Software should the original OTS Software developer terminate their support.
Therefore, please address these risks to the system by updating the device to a supported platform which can receive security updates throughout the expected life of the device. All associated software, cybersecurity, and design documents as well as corresponding testing should be provided.
In this example, the FDA’s Additional Information Request has identified that the version of the operating system (OS) used within the medical device is no longer supported by the OS vendor. The FDA expects the OS to have cybersecurity challenges down the line and is asking the medical device company to document its ability to monitor, identify, and address vulnerabilities in the OS going forward, given that the OS vendor is no longer providing patches for this version.
The medical device company must demonstrate the existence of appropriate mechanisms for assuring the continued maintenance and support of Off-the-Shelf (OTS) software should the original OTS software vendor terminate their support (which has happened in this case). In the worst-case scenario, this support could require the medical device company to (a) reverse engineer and document/test the OTS software or (b) abandon the OTS software in favor of a replacement OTS software. Either option can be extremely expensive and potentially not achievable within the constraints of the medical device’s hardware.
It’s important to plan for the end-of-life scenario before committing to OTS usage in a device. What are you, as a medical device company, going to do should the vendor terminate support of the OTS software or fail due to bankruptcy? Appropriate contractual agreements can provide access to the version(s) of the software used in the device should a supported version of the OTS software no longer be available. These agreements can include provisions for a software escrow, where the developer agrees to place all versions of the software and its related documentation and tests with an escrow firm. Should the OTS vendor go out of business or declare the OTS version end-of-life, the medical device company will have access to the source, documents, and tests needed to continue maintenance itself.
In order to move forward with the submission, the FDA is asking for the device to be updated to a version of the OS which can be supported throughout the expected life of the device. As part of the update, all affected documentation and testing will need to be updated and provided to the FDA.
Please follow us on LinkedIn to see more examples of AI Requests – a new one is released every week.
Should you receive an Additional Information Request from the FDA, CriTech is here to help. Please give us a call to discuss and we’ll help you craft what you need to do going forward.