The new article describes in detail the way a risk-based approach should be applied to clinical trials involving human subjects, paying special attention to the initial risk assessment to be carried out by the party responsible for a clinical investigation before it is commenced.
The Food and Drug Administration (FDA or the Agency), the US regulating authority in the sphere of healthcare products, has published a guidance document dedicated to the application of a risk-based approach to monitoring clinical investigations. The guidance, structured as a questions-and-answers document, is intended to provide medical device manufacturers and study sponsors with additional clarifications regarding the regulatory requirements set forth under the existing framework, as well as recommendations to be considered in order to ensure compliance with them. At the same time, provisions of the guidance are non-binding in their legal nature, nor are they intended to introduce new rules or impose new obligations. Moreover, the authority explicitly states that an alternative approach could be applied, provided such an approach is in line with the respective legislation and has been agreed with the authority in advance.

Secondary Legislation

First of all, the document describes the changes to be implemented in the secondary legislation in order to ensure that cybersecurity-related matters are addressed properly and the respective risks are duly mitigated. The authority acknowledges that many medical devices containing software must be connected to a network in order to operate properly. This exposes the product to risks associated with potential interference with its normal operation.

A similar question has been raised by the authority in the course of respective public consultations, and feedback from the industry has been obtained. In order to make sure the risks identified are addressed properly, the authority intends to develop and implement secondary legislation that will:

  • Align with the Connected Medical Device Security Steering Group principles;
  • Be consistent with and build upon complementary requirements such as the Department of Culture, Media, and Sport’s Product Security and Telecommunications Infrastructure Bill, NHS DCB (Data Coordination Board) standards, and NHS Digital Technology Assessment Criteria requirements;
  • Be harmonized with international best practices. 

Apart from introducing secondary legislation, the authority intends to issue additional guidance documents in order to assist medical device manufacturers/software developers in ensuring compliance with the respective regulatory requirements. These guidance documents will describe the way provisions of underlying legislation should be interpreted and also provide additional recommendations to be followed. In particular, the authority mentions that in these guidance documents to be developed:

  • The matters related to cybersecurity will be described in the context of the entire product lifecycle;
  • It will be explicitly stated that the cybersecurity matters are within the shared responsibility of all the parties involved in operations with medical devices and require joint efforts;
  • Additional clarifications will be provided with respect to the responsibilities of and requirements for medical device manufacturers as set forth under the applicable legislation;
  • Additional clarifications will also be provided with respect to cybersecurity vulnerabilities that are common for general and in vitro diagnostic medical devices. 

The authority also mentions that the key stakeholders will be involved in the development of the aforementioned guidance documents. 

Best Practices 

The authority intends to pay special attention to best practices to be followed by medical device manufacturers in order to ensure the safety and proper performance of their products. In particular, the MHRA emphasizes the risks associated with products that are no longer supported by their manufacturers but are still in use; such products create unique risks that must be duly mitigated. For this purpose, the authority intends to issue a separate guidance document describing in detail the best practices to be followed in this respect.
The roadmap also covers the aspects related to reporting identified cybersecurity vulnerabilities. In this respect, the authority intends to take steps to improve the existing reporting procedures in order to ensure that all identified vulnerabilities are flagged in a timely manner. The intent is to improve consistency and make the reporting requirements clear for the parties involved to follow.

In summary, the present document outlines the key points MHRA will pay attention to in the context of the further improvement of the existing regulatory framework for medical devices containing software, as well as AI-based products. The document highlights the most critical issues identified by the authority and also describes the particular steps to be taken to make sure they are addressed properly. 

How Can RegDesk Help?

RegDesk is a holistic Regulatory Information Management System that provides medical device and pharma companies with regulatory intelligence for over 120 markets worldwide. It can help you prepare and publish global applications, manage standards, run change assessments, and obtain real-time alerts on regulatory changes through a centralized platform. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Global expansion has never been this simple.