What is a 510(k) for Connected Medical Devices? 

A 510(k) is a premarket submission made to the FDA by those that wish to sell medium-risk medical devices or IVDs in the United States. A 510(k) is required by the FDA in order to obtain market clearance for devices that are intended for human use and pose a moderate risk to users. The 510(k) submission provides regulators with detailed technical, safety, and performance information regarding your new medical device. 

If you’re in the planning stages of bringing a connected medical device to market, one of the routes you might want to explore is the 510(k). A 510(k) is one of several ways in which you can obtain market clearance. The route you take will depend on the level of risk associated with the device. Medium-risk devices require a 510(k) submission while devices that pose a higher level of risk require Premarket Approval (PMA). We will break this down in greater detail further below.  

This is what is said about 510(k) submissions on FDA’s official website:  

“Each person who wants to market in the U.S., a Class I, II, and III device intended for human use, for which a Premarket Approval application (PMA) is not required, must submit a 510(k) to FDA unless the device is exempt from 510(k) requirements of the Federal Food, Drug, and Cosmetic Act (the FD&C Act) and does not exceed the limitations of exemptions in .9 of the device classification regulation chapters (e.g., 21 CFR 862.9, 21 CFR 864.9).” 

The 510(k) is generally the most efficient route to market clearance as it removes the need to present extensive clinical trial data related to your medical device. Instead, the purpose of the 510(k) is to demonstrate that your device is as safe and effective as a legally marketed device (called a predicate device). This process is known as substantial equivalence. Until the applicant receives an order declaring that their device is substantially equivalent, they cannot market that device. 

What is a 510(k)?

What is a 510(k)? Substantial Equivalence Explained 

The logic behind substantial equivalence is actually quite simple. To understand it better it can help to use an analogy. Let’s say you are trying to convince a fussy eater that a fruit they’ve never heard of is safe to eat. Your friend knows that apples are safe to eat. So, you reassure them that this new fruit is pretty much like an apple in every way (substantially equivalent). Thus, this new fruit is safe to eat.  

By the same token, a legally marketed/predicate device is considered safe and effective for public use. You prove that your new device is substantially equivalent to the predicate device. Thus, your device is safe and effective for public use.   

According to the FDA, a device is substantially equivalent to a predicate device if it: 

                    • has the same intended use as the predicate; and 
                    • has the same technological characteristics as the predicate; 

or 

                    • has the same intended use as the predicate; and 
                    • has different technological characteristics and does not raise different questions of safety and effectiveness; and 
                    • the information submitted to the FDA demonstrates that the device is as safe and effective as the legally marketed device. 

Device Classes and Premarket Requirements 

We mentioned earlier that a 510(k) submission is required for anyone that wants to market ‘medium-risk’ medical devices. The wording here is important as there are different premarket requirements depending, amongst other things, on the level of risk. 

FDA categorizes devices as Class I, Class II, or Class III. While there are exceptions, generally speaking, the premarket requirement corresponds with device classification and the assumed level of risk. See breakdown below: 

                      • Level 1: These devices are simple, with minimal risk to the user. These are generally Class I with some select Class II. These devices are exempt from premarket notification. Products in this category are often referred to as ‘FDA registered’ or ‘FDA listed’ devices. Examples include dental floss, toothbrushes, forceps, bedpans, and bandages.  
                      • Level 2: Devices in this class pose a moderate risk to the user. They are mainly Class II with some higher risk Class I and lower risk Class III. These devices are important for healthcare, but a malfunction would be unlikely to cause a patient serious harm. Examples include pregnancy tests and intravenous kits. As mentioned above, a 510(k) submission is required for medium-risk medical devices. Devices that go through this process are often referred to as ‘FDA-cleared’.  
                      • Level 3: High level of risk — typically either implanted medical devices or those that sustain life. Examples here include pacemakers, heart valves and defibrillators. These are mainly Class III devices with some Class II. Medical devices with a higher level of risk that can’t use a 510(k) must go through a different more rigorous process, known as a Premarket Approval.  
What is a 510(k)?

What’s the Difference Between 510(k) and Premarket Approval (PMA)? 

While a 510(k) submission is required for some medical devices, a more stringent process is needed for medical devices that carry higher levels of risk (mainly Class III devices). This process is known as Premarket Approval or PMA. 

The PMA application requires clinical evidence to prove that a device is safe and effective, and that the benefits of the product outweigh the associated risk. The process usually includes clinical trials with human participants along with laboratory testing. Proving substantial equivalence is not enough here. The standards are much higher and the FDA has just 180 days to accept or reject the application. 

Cybersecurity Documentation Required as Part of Premarket Submissions 

When it comes to making your premarket submission, the FDA has provided recommendations on what type of information to include for effective cybersecurity management. Effective cybersecurity management is intended to reduce the risk to patients by decreasing the likelihood that device functionality is intentionally or unintentionally compromised by inadequate cybersecurity.

In the premarket submission, manufacturers should provide the following information related to the cybersecurity of their medical device: 

                        1. Hazard analysis, mitigations, and design considerations pertaining to intentional and unintentional cybersecurity risks associated with your device, including: 
                          • A specific list of all cybersecurity risks that were considered in the design of your device; 
                          • A specific list and justification for all cybersecurity controls that were established for your device. 
                        2. A traceability matrix that links your actual cybersecurity controls to the cybersecurity risks that were considered; 
                        3. A summary describing the plan for providing validated software updates and patches as needed throughout the lifecycle of the medical device to continue to assure its safety and effectiveness. 
                        4. A summary describing controls that are in place to assure that the medical device software will maintain its integrity (e.g., remain free of malware) from the point of origin to the point at which that device leaves the control of the manufacturer; and 
                        5. Device instructions for use and product specifications related to recommended cybersecurity controls appropriate for the intended use environment (e.g., anti-virus software, use of firewall). 
What is a 510(k)?

Conclusion 

If you are planning to bring a connected medical device to market within the United States of America, the FDA requires (in most cases) that you complete either a 510(k) submission or obtain PMA for your medical device. The necessary action will depend on the nature of the device.  

If you’re developing a connected medical device that is similar to one already on the market, a 510(k) submission is more than likely the way to go. This is known as substantial equivalence. It’s the fastest and most economical way to get your medical device cleared. 

To help you decide which market pathway to take, FDA has provided a simple four-step process. The first step in preparing a device for marketing in the United States is to determine how the FDA has classified your device and understand the regulatory controls. A medical device is defined by law in the section 201(h) of the Federal Food, Drug and Cosmetic (FD&C) Act. As device class increases from class I to class II to class III, the regulatory controls also increase, with class I devices subject to the least regulatory control, and class III devices subject to the most stringent regulatory control. 

Whether your device requires premarket approval, and what kind of approval it needs, depends on the device classification. Because of this, anyone that is bringing a connected product to market must first complete the following steps: 

                      • Determine device classification using FDA guidelines. 
                      • Once classified, you can first determine whether the device requires premarket approval. And if so, whether a 510k submission or a PMA is required. 
                      • Submit the required documentation to the FDA and interact with FDA staff during review. 

SelectEvidence™: Nova Leah’s Complete Cybersecurity Medical Device Risk Assessment Platform 

If you are bringing a connected product to market, now is the time to think about cybersecurity risk management. It will save you time and money to consider security and risk management from the outset rather than bolting-on retrospectively.

SelectEvidence™ is an expert cybersecurity risk assessment platform that guides medical device manufacturers through the process of identifying applicable vulnerabilities and identifying the right security controls to mitigate those risks. It provides device manufacturers with an intelligent, automated, and traceable approach to cybersecurity assessments.

Get in touch today and speak to one of our experts to find out how SelectEvidence™ can be used to protect, assess, and continually monitor your connected devices.