On June 14, 2023, the FDA released their current thinking on what information should be included in a 510(k) for device software functions. By “functions” they mean firmware and other means for software-based control of medical devices, software accessories to medical devices, and software only function(s) that meet the definition of a device.  But don’t worry, the FDA applied the least burdensome approach “to identify the minimum amount of information that, based on our experience, would generally be needed to support a premarket submission for a device that uses software”.

The first change that jumped out at me is the documentation needed is no longer based on the Level of Concern. The FDA now uses the term Documentation Level. The Documentation Level needed for a submission can be either Basic or Enhanced, and that decision “is based on the risks of its device software function(s) in the context of the device’s intended use, such that the documentation level reflects the device as a whole “.  But after reading the guidance you can still see remnants of the old guidance.

The new guidance contains FDA’s definitions of Enhanced and Basic:

Enhanced Documentation should be provided for any premarket submission that
includes device software function(s) where a failure or flaw of any device software
function(s) could present a hazardous situation with a probable29 risk of death or serious
injury,30 either to a patient, user of the device, or others in the environment of use. These
risks should be assessed prior to implementation of risk control measures. Sponsors
should consider the risks in the context of the device’s intended use (e.g., impacts to
safety, treatment, and/or diagnosis), and other relevant considerations.

Basic Documentation should be provided for any premarket submission that includes
device software function(s) where Enhanced Documentation does not apply.

To identify the documentation level, companies need to think about the know or potential software hazards and hazardous situations related to the device, even reasonably foreseeable misuse, prior to implementing risk control measures. The Agency wants you to also include the risk of intentional/unintentional functionality issues from inadequate cybersecurity.

FDA did identify types of devices where Enhanced Documentation should be submitted, such as:

• devices intended to test blood donations for transfusion-transmitted infections,

• devices used to determine blood donor and recipient compatibility,

• ·automated blood cell separator devices intended for collection of blood and blood components for transfusion or further manufacturing use,  

• blood establishment computer software (BECS).

• constituent part of a combination product (i.e., drug/device, biologic/device, or drug/device/biologic) and

• Class III devices.

The FDA did say if you determine the Enhanced Documentation does not apply to your combination or Class III device, you can provide “an appropriately detailed rationale as to why Basic Documentation instead of Enhanced Documentation is appropriate for the premarket submission”.

If you feel this is the case, the best option would be to submit a Pre-Submission prior to your premarket submission to get FDA’s alignment on your rationale.

Similar to the old guidance, there is a chart that explains what documentation is required for Enhanced and Basic. The usual suspects are there such as: software description, software requirements specification,  architecture, software design specification, testing V&V, version history, and unresolved anomalies, but there are 2 new players. Software Development, Configuration Management, and Maintenance Practices, which is just a summary of  the processes and procedures that are in place to manage the life cycle development plan and a summary of configuration management and maintenance activities. But the one that may take everyone by surprise is the Risk Management File. This includes the risk management plan, risk assessment demonstrating that risks have been appropriately mitigated, and risk management report. Yep, that’s right you now have to submit the complete software RMF!!!  This shouldn’t be a big issue since you need to have your RMF for your device anyway. But this will give the FDA an opportunity to review your software risks, which will be a new “requirement” for a 510(k) with software.

So, while there are some similarities to the old guidance, there are some new requirements that we will need to remember to include.  If you need help with your 510(k) submission that contains software, reach out to O’Connell & Myers and let us help you get your documents in a row for a successful clearance!!