RAPS Convergence Montreal 2023: MedEnvoy Key Takeaways

The MedEnvoy team was present at RAPS Convergence which took place in Montreal Canada from 2nd October to 5th October 2023. The event was attended by Regulatory Affairs professionals and other experts working within the medical device industry, pharmaceutical industry, and other regulated medical product sectors.

Key takeaways from RAPS Convergence Montreal 2023

The conference had several breakaway sessions from subject matter experts and regulatory agencies, as well as exhibitions from different manufacturers and service providers. MedEnvoy attended several of the breakaway sessions to gain insights into current industry practices. Some key takeaways we found valuable are discussed below:

eSTAR Program by US FDA 

The FDA has now rolled out the eSTAR (electronic Submission Template And Resource) program. As of October 1, 2023, all 510(k) submissions, unless exempted, must be submitted as electronic submissions using eSTAR. The eSTAR program could also be used to submit other types of applications like De Novo or Pre-Submissions. This RAPS Convergence Montreal session provided a run-down of how to use the eSTAR by a panel that consisted of an FDA staff member and two industry representatives. The points to note about the eSTAR program are presented below: 

• • eSTAR is an interactive PDF form utilized for 510(k), De Novo, and PreSub submissions to the CDRH Portal. 
  • The CDRH Portal should be used to submit 510(k) eSTARs by uploading the eSTAR file.  
  • De Novo and Pre-Sub eSTARs are submitted through the FDA Document Control Center as electronic media such as a CD-ROM or Flash Drive. 
  • It aligns with content and structure with CDRH internal review templates. 
  • It guides submitters through the submission process with automation, guided construction for each section, integration with FDA’s databases, built-in forms (e.g., Form 3881, 3514), and automatic verification. 
  • The standardized eSTAR PDF submitted replaces the unstandardized eCopy. 
  • No RTA review is required for the eSTAR. However, a Technical Screening (TS) is done within 15 days of the submission.  
  • The Technical Screening would mainly check for accuracy and relevancy of the information submitted for each section of the application. 
  • Automatic verification of required information within the eSTAR for completeness. 
  • Applicants are advised to limit entering confidential information in the eSTAR template text boxes as these could be publicly available as part of the 510(k) Summary. However, attachments can be referenced which would have more detailed information. 
  • The eSTAR also has Help prompts to guide users through completing their application. Users are advised to follow this guidance to ensure their application is up to par. 
  • Acceptable attachment formats include PDF, Word, Excel, and many other formats. 
  • Users have the option to replace attachments when Additional Information is required. This ensures the final submission would have the latest information which addresses any potential deficiencies during the review process. 
  • While providing valid scientific evidence to support safety and efficacy is required, users are encouraged to include a clear and concise overview of their products in a way that helps the FDA reviewers easily navigate through the application. Users are encouraged to have an Executive Summary and Cover Letter which helps with this overall guidance for the reviewers and other FDA staff. 
  • There is an ongoing pilot program to use the eSTAR for Health Canada submissions for Class III and IV. There are also plans to add other types of submissions to the eSTAR such as IDE, IDE supplements, PMA, etc. These have not gone live yet to the public.
  • If users need additional help with completing or submitting the eSTAR, users can use available FDA eSTAR help resources or contact experienced industry service providers like MedEnvoy for guidance.

US FDA Pre-Determined Change Control Plans (PCCP) 

The US Food and Drug Omnibus Reform Act of 2022 (FDORA) gave the FDA the authority to approve a PCCP. Software and Artificial Intelligence (AI) devices are currently on the rise in the market. These devices usually undergo very frequent changes during their life cycle. As such the FDA has now embraced its responsibility for approving Pre-Determined Change Control Plans for devices as part of the manufacturers’ Pre-Market submissions such as a 510(k), De Novo, etc.

The PCCP allows for devices to change after marketing authorization if those changes are pre-specified and agreed to by the FDA. Changes with an approved PCCP do not require a supplemental application. This provision applies to all devices. Manufacturers could use the Q-Submission process to obtain FDA feedback on a proposed PCCP prior to submitting a marketing submission or use an industry expert to assist with this plan. Feedback obtained during the Q-Sub process would not constitute approval of the PCCP which must be obtained at the time of clearance/approval of the marketing application. Future changes to the PCCP may trigger the need for a new market application. Also, the eSTAR template now has the option to add the PCCP. The FDA views PCCPs as an approach to increasing the pace of medical device innovation in the United States and enabling more personalized medicine. MedEnvoy can assist manufacturers with Q-Submissions to gain FDA feedback on the PCCP, we could also draft the PCCP or advise on the overall PCCP strategy.

Medical device cybersecurity 

This breakout session at RAPS Convergence Montreal was presented by an FDA cybersecurity staff and a medical device industry cybersecurity expert. This session discussed the current state of cybersecurity within the healthcare sector, current published standards, guidance, and regulatory requirements. Some of the takeaways from this session are listed below:

A cybersecurity standard has recently been released: IEC 81001-5-1, “Health software and health IT system safety, effectiveness, and security—Part 5-1: Security— Activities in the product life cycle.” (2021)

• • This standard IEC 81001-5-1 continues to gain global acceptance. It is one of the more important new standards released in the past several years to cover cybersecurity.  
  • It is developed to be a “security equivalent of IEC 62304”. 
  • Used IEC 62304 and IEC 62443 as a foundation. 
  • The standard notably includes requirements for Security Risk Management (Subclause 4.2) including threat modeling; Software development process (Clause 5); Software Maintenance (Clause 6) and Software Problem Resolution Process (Clause 9), etc. 
  • The standard is expected to gain Harmonized Standard status under the European Union’s (EU) Medical Device Regulation (2017/745 MDR). 
  • It is now considered MANDATORY by EU Notified Bodies. 
  • On March 9, 2023, a new regulation for ensuring cyber security was issued in the Essential Requirements Criteria in Japan. This new regulation was put into practice on April 1, 2023, with a one-year transitional period until March 31, 2024. When applying for device approval after the end of the transitional period, it is required that device manufacturers demonstrate conformity to the above cyber security regulation

On 29 Dec. 2022, President Biden signed the Consolidated Appropriations Act, 2023 “Omnibus” which amended the FD&C Act to ensure the cybersecurity of medical devices. 

• • On 29 March 2023, the FDA issued “Refuse to Accept Policy” guidance for cyber devices and related systems that are addressed in Omnibus. As of Oct 1, 2023: Submissions lacking the new 524B requirements are no longer accepted by FDA. 
  • The Regulation defines a “Cyber Device”. This is a device that has 3 main characteristics: contains software as part of a device or standalone, has internet connectivity, and characteristics that could be vulnerable to cybersecurity threats.  
  • The regulation also requires post-market surveillance and updates to remediate identified vulnerabilities in a timely manner. The post-market requirements of the regulations align with the FDA’s Guidance on Post Market Cybersecurity (2016).  
  • Coordinated Vulnerability Disclosures (CVD) are also required.  
  • Software Bill of Materials (SBOM) is also required. 

On September 26, 2023, the FDA published final guidance on “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.” 

• • The guidance provides recommendations to help manufacturers comply with requirements under Section 524B of the FD&C Act.
  • It addressed how cybersecurity fits into the Quality System Requirements (21 CFR Part 820) and premarket submission documentation requirements.  

The panel also highlighted a Guidance document released by the Medical Device Cybersecurity Working Group at IMDRF: IMDRF/CYBER WG/N70 LEGACY FINAL Guidance 2023. This guidance document provides the following:

• • Explains legacy medical device cybersecurity within the context of the TPLC Framework (Development, Support, Limited Support, and End of Support) with clearly defined responsibilities for Medical Device Manufacturers (MDMs) and health care Professionals (HCPs) at each stage;
  • Provides recommendations for MDMs and HCPs in communication (including vulnerability management), risk management, and transfer of responsibility to the HCP; 
  • Provides recommendations regarding compensating controls after End of Support;
  • Provides implementation considerations for MDMs and HCPs in addressing existing legacy devices that were developed prior to the TPLC Framework for medical device cybersecurity and are still in use.

EU MDR/IVDR transition timeline extension 

One of the breakout sessions at the RAPS Convergence Montreal covered MDR/IVDR extension timelines (EU 2023/607 Amending Regulation). This was published by the European Regulators a few months back. Key takeaways from the regulations included:

• • Abolishment of the sell-off provisions in both MDR and IVDR;
  • Extension of the MDR transitional timelines;
  • Extended the validity of the MDD/AIMDD certificates (under certain conditions);
  • Allowed for transfer of appropriate surveillance under Directives to the MDR Notified Bodies.

RAPS Convergence Montreal 2023 Recap

Intrigued by the wealth of knowledge and insights shared at RAPS Convergence Montreal, we invite you to explore our website and meet our exceptional regulatory affairs/quality assurance team. From eSTAR submissions to the extension of the EU MDR/IVDR timeline we have gained valuable insights from this event that will help navigate current and potential future challenges within our industry.

If you have any further questions or want to delve deeper into these topics, do not hesitate to reach out to us. We are here to provide guidance and expertise in this ever-evolving regulatory landscape. Contact us today!