FDA Consultant Specialist¶
Domain: Regulatory & Quality | Skill: fda-consultant-specialist | Source: ra-qm-team/fda-consultant-specialist/SKILL.md
FDA Consultant Specialist¶
FDA regulatory consulting for medical device manufacturers covering submission pathways, Quality System Regulation (QSR), HIPAA compliance, and device cybersecurity requirements.
Table of Contents¶
- FDA Pathway Selection
- 510(k) Submission Process
- QSR Compliance
- HIPAA for Medical Devices
- Device Cybersecurity
- Resources
FDA Pathway Selection¶
Determine the appropriate FDA regulatory pathway based on device classification and predicate availability.
Decision Framework¶
Predicate device exists?
├── YES → Substantially equivalent?
│ ├── YES → 510(k) Pathway
│ │ ├── No design changes → Abbreviated 510(k)
│ │ ├── Manufacturing only → Special 510(k)
│ │ └── Design/performance → Traditional 510(k)
│ └── NO → PMA or De Novo
└── NO → Novel device?
├── Low-to-moderate risk → De Novo
└── High risk (Class III) → PMA
Pathway Comparison¶
| Pathway | When to Use | Timeline | Cost |
|---|---|---|---|
| 510(k) Traditional | Predicate exists, design changes | 90 days | $21,760 |
| 510(k) Special | Manufacturing changes only | 30 days | $21,760 |
| 510(k) Abbreviated | Guidance/standard conformance | 30 days | $21,760 |
| De Novo | Novel, low-moderate risk | 150 days | $134,676 |
| PMA | Class III, no predicate | 180+ days | $425,000+ |
Pre-Submission Strategy¶
- Identify product code and classification
- Search 510(k) database for predicates
- Assess substantial equivalence feasibility
- Prepare Q-Sub questions for FDA
- Schedule Pre-Sub meeting if needed
Reference: See fda_submission_guide.md for pathway decision matrices and submission requirements.
510(k) Submission Process¶
Workflow¶
Phase 1: Planning
├── Step 1: Identify predicate device(s)
├── Step 2: Compare intended use and technology
├── Step 3: Determine testing requirements
└── Checkpoint: SE argument feasible?
Phase 2: Preparation
├── Step 4: Complete performance testing
├── Step 5: Prepare device description
├── Step 6: Document SE comparison
├── Step 7: Finalize labeling
└── Checkpoint: All required sections complete?
Phase 3: Submission
├── Step 8: Assemble submission package
├── Step 9: Submit via eSTAR
├── Step 10: Track acknowledgment
└── Checkpoint: Submission accepted?
Phase 4: Review
├── Step 11: Monitor review status
├── Step 12: Respond to AI requests
├── Step 13: Receive decision
└── Verification: SE letter received?
Required Sections (21 CFR 807.87)¶
| Section | Content |
|---|---|
| Cover Letter | Submission type, device ID, contact info |
| Form 3514 | CDRH premarket review cover sheet |
| Device Description | Physical description, principles of operation |
| Indications for Use | Form 3881, patient population, use environment |
| SE Comparison | Side-by-side comparison with predicate |
| Performance Testing | Bench, biocompatibility, electrical safety |
| Software Documentation | Level of concern, hazard analysis (IEC 62304) |
| Labeling | IFU, package labels, warnings |
| 510(k) Summary | Public summary of submission |
Common RTA Issues¶
| Issue | Prevention |
|---|---|
| Missing user fee | Verify payment before submission |
| Incomplete Form 3514 | Review all fields, ensure signature |
| No predicate identified | Confirm K-number in FDA database |
| Inadequate SE comparison | Address all technological characteristics |
QSR Compliance¶
Quality System Regulation (21 CFR Part 820) requirements for medical device manufacturers.
Key Subsystems¶
| Section | Title | Focus |
|---|---|---|
| 820.20 | Management Responsibility | Quality policy, org structure, management review |
| 820.30 | Design Controls | Input, output, review, verification, validation |
| 820.40 | Document Controls | Approval, distribution, change control |
| 820.50 | Purchasing Controls | Supplier qualification, purchasing data |
| 820.70 | Production Controls | Process validation, environmental controls |
| 820.100 | CAPA | Root cause analysis, corrective actions |
| 820.181 | Device Master Record | Specifications, procedures, acceptance criteria |
Design Controls Workflow (820.30)¶
Step 1: Design Input
└── Capture user needs, intended use, regulatory requirements
Verification: Inputs reviewed and approved?
Step 2: Design Output
└── Create specifications, drawings, software architecture
Verification: Outputs traceable to inputs?
Step 3: Design Review
└── Conduct reviews at each phase milestone
Verification: Review records with signatures?
Step 4: Design Verification
└── Perform testing against specifications
Verification: All tests pass acceptance criteria?
Step 5: Design Validation
└── Confirm device meets user needs in actual use conditions
Verification: Validation report approved?
Step 6: Design Transfer
└── Release to production with DMR complete
Verification: Transfer checklist complete?
CAPA Process (820.100)¶
- Identify: Document nonconformity or potential problem
- Investigate: Perform root cause analysis (5 Whys, Fishbone)
- Plan: Define corrective/preventive actions
- Implement: Execute actions, update documentation
- Verify: Confirm implementation complete
- Effectiveness: Monitor for recurrence (30-90 days)
- Close: Management approval and closure
Reference: See qsr_compliance_requirements.md for detailed QSR implementation guidance.
HIPAA for Medical Devices¶
HIPAA requirements for devices that create, store, transmit, or access Protected Health Information (PHI).
Applicability¶
| Device Type | HIPAA Applies |
|---|---|
| Standalone diagnostic (no data transmission) | No |
| Connected device transmitting patient data | Yes |
| Device with EHR integration | Yes |
| SaMD storing patient information | Yes |
| Wellness app (no diagnosis) | Only if stores PHI |
Required Safeguards¶
Administrative (§164.308)
├── Security officer designation
├── Risk analysis and management
├── Workforce training
├── Incident response procedures
└── Business associate agreements
Physical (§164.310)
├── Facility access controls
├── Workstation security
└── Device disposal procedures
Technical (§164.312)
├── Access control (unique IDs, auto-logoff)
├── Audit controls (logging)
├── Integrity controls (checksums, hashes)
├── Authentication (MFA recommended)
└── Transmission security (TLS 1.2+)
Risk Assessment Steps¶
- Inventory all systems handling ePHI
- Document data flows (collection, storage, transmission)
- Identify threats and vulnerabilities
- Assess likelihood and impact
- Determine risk levels
- Implement controls
- Document residual risk
Reference: See hipaa_compliance_framework.md for implementation checklists and BAA templates.
Device Cybersecurity¶
FDA cybersecurity requirements for connected medical devices.
Premarket Requirements¶
| Element | Description |
|---|---|
| Threat Model | STRIDE analysis, attack trees, trust boundaries |
| Security Controls | Authentication, encryption, access control |
| SBOM | Software Bill of Materials (CycloneDX or SPDX) |
| Security Testing | Penetration testing, vulnerability scanning |
| Vulnerability Plan | Disclosure process, patch management |
Device Tier Classification¶
Tier 1 (Higher Risk): - Connects to network/internet - Cybersecurity incident could cause patient harm
Tier 2 (Standard Risk): - All other connected devices
Postmarket Obligations¶
- Monitor NVD and ICS-CERT for vulnerabilities
- Assess applicability to device components
- Develop and test patches
- Communicate with customers
- Report to FDA per guidance
Coordinated Vulnerability Disclosure¶
Researcher Report
↓
Acknowledgment (48 hours)
↓
Initial Assessment (5 days)
↓
Fix Development
↓
Coordinated Public Disclosure
Reference: See device_cybersecurity_guidance.md for SBOM format examples and threat modeling templates.
Resources¶
scripts/¶
| Script | Purpose |
|---|---|
fda_submission_tracker.py |
Track 510(k)/PMA/De Novo submission milestones and timelines |
qsr_compliance_checker.py |
Assess 21 CFR 820 compliance against project documentation |
hipaa_risk_assessment.py |
Evaluate HIPAA safeguards in medical device software |
references/¶
| File | Content |
|---|---|
fda_submission_guide.md |
510(k), De Novo, PMA submission requirements and checklists |
qsr_compliance_requirements.md |
21 CFR 820 implementation guide with templates |
hipaa_compliance_framework.md |
HIPAA Security Rule safeguards and BAA requirements |
device_cybersecurity_guidance.md |
FDA cybersecurity requirements, SBOM, threat modeling |
fda_capa_requirements.md |
CAPA process, root cause analysis, effectiveness verification |
Usage Examples¶
# Track FDA submission status
python scripts/fda_submission_tracker.py /path/to/project --type 510k
# Assess QSR compliance
python scripts/qsr_compliance_checker.py /path/to/project --section 820.30
# Run HIPAA risk assessment
python scripts/hipaa_risk_assessment.py /path/to/project --category technical