Given the proliferation of medical devices using wireless technology—and the accompanying risks regarding security, performance, compatibility, and other challenges—FDA in August 2013 issued a guidance for radio frequency wireless technology in medical devices.
|Learn more about incorporating wireless technology into your medical device designs by attending the Wireless and Mobile Technology in Medical Devices master class at the MD&M Minneapolis conference on October 29, 2013.|
Although the guidance states that it is only a recommendation and does not establish legally enforceable responsibilities, it is nonetheless useful for device makers. Guidances provide FDA’s interpretation of existing regulations and are frequently referenced by attorneys and courts in lawsuits seeking to establish that a manufacturer was negligent for failing to follow FDA statements in a guidance. Review of the wireless technology guidance, therefore, is critical for companies whose devices use such technology.
There are two parts to the guidance: One contains consideration for design, testing, and use of wireless technology and the other gives recommendations for premarket submissions for devices that incorporate radio frequency wireless technology.
The first part of the guidance sets forth recommendations and interpretations in connection with FDA regulations 21 CFR 820.30, which regulates the design of a medical device, and 21 CFR 820.100, which regulates procedures for corrective and preventive actions.
Per 21 CFR 820.30, manufacturers are required to establish and maintain procedures to ensure design requirements are met. These design procedures include addressing design reviews, conflicting design requirements, and procedures for design validation to confirm the devices conform to intended uses and needs.
As part of design validation, the guidance requires manufacturers to include risk analysis of wireless communications and control functions. Six factors should be addressed when dealing with design controls:
- Selection and performance of wireless technology. Noting that many medical devices operate without a Federal Communications Commission license to incorporate interference protection, FDA recommends that manufacturers consider the allocation and availability of radio frequency bands to be used by the device, address how other existing users of selected radio frequency bands can impact a device’s operation, and describe methods of mitigating frequency band interference. To minimize electromagnetic interference with other devices, FDA recommends using the radio frequency that uses the lowest amount of power.
- Wireless quality of service, or the quality of service for a device’s choice of wireless communication, whether by radio frequency, cellular telephone network, or other medium. The quality of connectivity and ability to ensure a connection should be considered.
- Wireless coexistence. Manufacturers should address risks posed by interference from electromagnetic disturbances, such as voltage dips and electrostatic discharges, as well as interference from other technology using the same frequency. FDA recommends testing such devices in the presence of other devices using the same band, identifying the associated risks, and then justifying what is deemed to be an acceptable risk or demonstrating appropriate risk mitigation measures.
- Security of wireless signals and data. FDA recommends vaguely that wireless medical devices use wireless security protection at a level appropriate for the risks presented and references its previously issued draft guidance on Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, which recommends authentication (password log-in) and encryption.
- Electromagnetic compatibility of the wireless technology. The guidance recommends that manufacturers address applicable standards and regulations, such as FCC requirements, regarding the potential for a wireless medical device to interfere with other equipment. But some voluntary standards recognized by FDA, such as IEC 60601-1-2, do not adequately address whether wireless communications will operate properly in the presence of electromagnetic disturbances, and FDA recommends that electromagnetic immunity testing be addressed in addition to meeting such standards. Users of wireless devices should be advised that the device conforms to IEC 60601-1-2 standards but that electromagnetic compatibility susceptibilities were discovered during testing.
- Information for proper setup and operation. Appropriate information should be provided to users of wireless devices, including the specific type of wireless technology, FCC labeling, a warning that other equipment could interfere with the device, and advice that the user will need to recognize and address issues that might arise, such as the quality of service and management of wireless transmitters.
The guidance also recommends that manufacturers continue to manage wireless technology risks for the entire life cycle of the device. Procedures for implementing corrective and preventive action must include analyses for possible trends seen from complaints or reports of failures. If a failure or malfunction of a wireless function is identified, the cause must be investigated and action must be taken to correct the problem and prevent its recurrence. Measures include analyzing production and repair records and verifying any corrective and preventative action to ensure that such action is effective. This recommendation may be in reaction to well-publicized accounts of a hacker who was able to hack into his own wireless medical device and who was purportedly ignored by manufacturers.
The second part of the guidance recommends that manufacturers preparing premarket submissions for wireless medical devices include these four subjects:
- A description of the wireless device’s technology and functions, how wireless-related risks are managed, and whether other devices are able to make a wireless connection to the device.
- A risk-based approach to verification and validation, outlined by the concerns raised in the first part of the guidance regarding the design of wireless medical devices.
- Summaries of test data, particularly electromagnetic compatibility tests.
- A summary of the wireless medical device’s labeling that should include any precautions a user should take. FDA explicitly warns that label warning is not a substitute for risk mitigation measures.
The guidance provides not only insight into the FDA’s expectations with respect to premarket submissions and design protocols of wireless medical devices, but sets a standard for a manufacturer’s response to reports of complaints or problems with such products. Not only must the risks of wireless functions in new medical devices be foreseen and anticipated, but risks in existing wireless medical devices that may not have been present when the device was designed must also be investigated, and the process must be documented. This also has ramifications for potential liability exposure in future litigation, as manufacturers that fail to heed this guidance may be deemed to have not acted properly in either the design process or the postmarket surveillance process.
Michael D. Shalhoub is cochair of the life sciences and medical devices practice group at the law firm Goldberg Segalla. He has more than 30 years of experience defending manufacturers of health-related and personal care products. Reach him at [email protected]
Soo-young Chang is an attorney in Goldberg Segalla’s cyber risk and social media practice group. He represents medical device manufacturers in product liability litigation and regulatory matters and has authored and presented on the subject of data security risk. E-mail him at [email protected]
[image courtesy of David Castillo Dominici/FREEDIGITALPHOTOS.NET]