Six guiding principles
Remanufacturing is “the processing, conditioning, renovating, repackaging, restoring, or any other act done to a finished device that significantly changes the finished device’s performance or safety specifications, or intended use.” 21 CFR 820.3(w). In contrast, the draft guidance defines servicing as “ the repair and/or preventive or routine maintenance of one or more parts in a finished device, after distribution, for purposes of returning it to the safety and performance specifications established by the OEM [original equipment manufacturer] and to meet its original intended use.” The draft guidance points out that this distinction does not turn on an entity’s self-identified designation as a “servicer” or “remanufacturer,” but instead focuses on the specific activities an entity performs on a particular device and the impact of that activity on the device.
In the draft guidance, FDA recommends following six guiding principles when determining whether activities are “remanufacturing”:
Assess whether there is a change to the intended use;
Determine whether the activities, individually and cumulatively, “significantly change” the safety or performance specifications of a finished device;
Evaluate whether any changes to a device require a new marketing submission;
Assess component/part/material dimensional and performance specifications;
Employ a risk-based approach; and
Adequately document decision-making.
FDA says it will deem a product to be remanufactured when there is a “significant change,” and the draft guidance emphasizes that FDA considers a “significant change” to device performance or safety specifications to be one that, based on verification and validation testing and/or a risk-based assessment, results in a finished device that is outside the OEM’s performance or safety specifications or introduces new risks or significantly modifies existing risks, such as changes to the device’s sterilization methods, reprocessing instructions, control mechanism, operating principle, or energy type.
The draft guidance offers the following flowchart to help determine whether activities performed are likely to be considered remanufacturing:
As noted in Figure 1, the flow chart is only intended to be used after a determination is made that there is no significant change to the device’s intended use or to its sterilization methods, reprocessing instructions, controls mechanism, operating principle, or energy type; any of which would indicate the occurrence of a remanufacturing activity. If that determination is made, the flowchart may then be helpful in determining if the activity is still likely to be considered “remanufacturing.”.
FDA does not recommend evaluation with Figure 1 when an activity is performed on behalf of or otherwise explicitly authorized by the OEM and the activity returns the legally marketed device to its original performance and safety specifications and intended use. FDA believes such activities would likely not be remanufacturing, and such determination should be adequately documented.
Documenting a change to a medical device
The draft guidance also focuses on the importance of medical device companies preparing documentation in a way that an FDA investigator or other third party can understand what changes were made to a product, as well as the rationale underlying the company’s conclusion on whether those changes should be deemed “remanufacturing.” FDA recommends that the documentation include, at a minimum, the following:
- Product name (including model number and serial number, if applicable);
- Date of activities performed, assessment, and determination;
- Description of device;
- Description of activities to be performed, including documentation of components/parts/materials involved;
- Determination of whether the activity is remanufacturing (we recommend using the applicable sections of this guidance);
- Reference to related documents supporting the decision-making process; and,
The guidance also contains an appendix that provides examples of proper documentation.
Changes to software
The guidance indicates that Figure 1 and its accompanying text should not be applied to changes involving software and goes on to state that many software changes are likely remanufacturing because of their impact on a product’s software architecture, software requirements specifications, unresolved anomalies, and other key characteristics. Because the probability of a software failure cannot be determined using traditional statistical methods, the guidance recommends applying an alternative software specific analysis when evaluating whether an activity constitutes remanufacturing. FDA has identified certain activities performed on software that are likely not remanufacturing because “they generally do not significantly change the performance or safety specifications of the device”:
- Activities performed on behalf of or otherwise explicitly authorized by the OEM that return the legally marketed device to its performance and safety specifications, and intended use;
- Implementing OEM provided updates and upgrades;
- Running software-based hardware diagnostics;
- Assessing for viruses, malware, and other cybersecurity related issues;
- Reinstalling OEM software to restore original performance and safety specifications;
- Reverting software to a previous configuration;
- Installing cybersecurity updates that are authorized by the OEM;
- Turning on or off connectivity features (e.g., Wi-Fi and Bluetooth connections) consistent with OEM intended use;
- Performing data backup and recovery operations;
- Assessing software inventory;
- Collecting system logs;
- Managing user accounts; and
- Accessing diagnostic and repair information.
Yet, the draft guidance notes that “[m]any software changes are likely remanufacturing because of their impact on a product’s software architecture, software requirements specifications, unresolved anomalies and other key characteristics” (emphasis added). The guidance also states that software changes that significantly modify a device’s intended use would be considered “remanufacturing.”
Labeling for reuse
FDA warns in the draft guidance that unintentional remanufacturing can occur when entities do not have the instructions necessary to return a device to its original performance and safety specifications. In addition, the “lack of adequate servicing instructions can also create challenges in the availability of quality, safe, and effective devices,” the agency writes.
Accordingly, the draft guidance encourages OEMs to provide servicing instructions that facilitate routine maintenance and repair of their reusable devices, recommending that the labeling of reusable devices include the following information, as applicable:
- A description of the key performance and safety specifications;
- Critical technical or functional specifications, including:
- Physical dimensions;
- Electrical characteristics, including batteries (e.g., chemistry, amperage, voltage, rechargeability), internal fuses, and power supply (e.g., voltage, amperage, frequency); and
- Device-specific performance specifications (e.g., flow rate accuracy or range, humidity, temperature, wavelength).
- The recommended maintenance activities and schedule;
- Recommended routine testing and acceptance criteria to confirm that the device remains within its performance and safety specifications;
- A description of error codes, alerts, and alarm features on the device;
- Precautions and warnings relevant to servicing the device; and
- Version number and release date of software.
Where an entity is deemed to be “remanufacturing,” that activity triggers consideration of all of the obligations of a medical device manufacturer, including, for example:
Whether a new marketing submission is required;
MDR reporting (for both the remanufacturer, and the OEM if they become aware of a reportable event);
Registration and listing;
Removals or corrections obligations and reporting; and
General adulteration and misbranding prohibitions
Cybersecurity discussion paper
Simultaneously with the draft guidance, FDA published a related discussion paper that covers four cybersecurity issues unique to servicing of medical devices by entities who are not the OEMs: (1) privileged access; (2) identification of cybersecurity vulnerabilities and incidents; (3) prevention and mitigation of cybersecurity vulnerabilities; and (4) product lifecycle challenges and opportunities. FDA is seeking input on each of these topics, and on the following questions:
What are the cybersecurity challenges and opportunities associated with the servicing of medical devices?
Are the four areas identified in this white paper the correct cybersecurity priority issues to address in the servicing of medical devices? If not, which areas should be the focus?
How can entities that service medical devices contribute to strengthening the cybersecurity of medical devices?
On July 27, the FDA will also host a webinar for stakeholders interested in learning more about the guidance and discussion paper. FDA will accept comments on both until August 17, 2021.