This article covers the first two stages of the total product life cycle: initial development, the period in which the product is being created, and support, the period that begins the moment the product becomes available on the market.

The International Medical Device Regulators Forum (IMDRF), a voluntary association of national medical device regulators that collaborate on improving the regulatory framework, has published a guidance document on the principles and practices for the cybersecurity of legacy medical devices. The IMDRF acknowledges that medical devices are frequently used beyond their intended useful life, even after their original manufacturers have stopped supporting them, meaning that such devices no longer receive security updates or patches. This creates additional cybersecurity risk that must be addressed properly to ensure that such products keep performing as intended for their original purpose and that patients remain safe.

The recommendations in the guidance are non-binding in their legal nature and are not intended to introduce new rules or impose new obligations on the parties involved. The IMDRF also reserves the right to amend the guidance and its provisions where reasonably necessary to reflect changes in the underlying legislation or to accommodate new information and data about emerging risks.

The IMDRF additionally emphasizes that cybersecurity is a shared responsibility of all parties involved in operating medical devices, including the healthcare providers that actually use them, and not only their original manufacturers.

IMDRF TPLC Framework for Medical Devices: Overview

First of all, the association notes that, to manage the dynamic nature of cybersecurity risk effectively, risk management should be applied throughout the Total Product Life Cycle (TPLC), with cybersecurity risk evaluated and mitigated at each part of the TPLC, including but not limited to design, manufacturing, testing, and post-market monitoring. The IMDRF also stresses the importance of striking the right balance when introducing cybersecurity measures and controls. For cybersecurity purposes, the IMDRF divides the TPLC into four main stages: Development, Support, Limited Support, and End of Support (EOS). The specific terms used for each stage may vary by jurisdiction and applicable legislation, but the underlying concepts remain the same.

According to the flowchart provided in the guidance, the stages listed above should be interpreted as follows:

  1. The first stage, Development, is the period during which a medical device is developed in a secure development environment. It ends with the commercial release of the product, when the manufacturer makes the device available and places it on the market for the first time. 
  2. The second stage, Support, runs from the start of sales until the end of the device's projected life (End of Life). During this stage, the manufacturer should duly communicate the End of Life date and the timeline for End of Support so that users are aware of them. 
  3. The third stage, Limited Support, starts at End of Life and lasts until End of Support. During this stage, customers should plan the activities needed to prepare for the upcoming End of Support. 
  4. The fourth stage, End of Support, is the period in which the product is actually considered a legacy device. From the start of this stage, responsibility for the product transitions in full from the original medical device manufacturer to the customer (the healthcare institution) using the device, and the manufacturer no longer provides any support. 

The guidance goes on to describe each of these stages in detail and to highlight the key points associated with each.

Development Stage

According to the guidance, the Development stage is the pre-market stage in which medical device manufacturers are expected to incorporate security by design. As the IMDRF further explains, at this stage manufacturers should conduct a rigorous risk assessment, identify the threats associated with the product in question, carry out proper security testing, and take all steps necessary to mitigate the identified risks and ensure the safety and proper performance of the medical device. On completion of this stage, the manufacturer will have a set of product security documentation that provides prospective customers with important additional information to take into account when using the product. According to the guidance, this documentation may also reference the applicable international standards.

Support Stage

As the IMDRF further explains, devices in the Support stage are defined as products that:

  • Are used for providing patient care, and
  • Are available on the market, and
  • Contain major software, firmware, or programmable hardware components (e.g., a CPU), all of which are still supported by their suppliers.

At this stage, the product is expected to receive full cybersecurity support, including but not limited to software patches and updates. 

In summary, this IMDRF guidance highlights the most important aspects of the first two stages of the TPLC. The document outlines the key points that medical device manufacturers should take into consideration in order to ensure compliance with the respective regulatory requirements.

How Can RegDesk Help?

RegDesk is a holistic Regulatory Information Management System that provides medical device and pharma companies with regulatory intelligence for over 120 markets worldwide. It can help you prepare and publish global applications, manage standards, run change assessments, and obtain real-time alerts on regulatory changes through a centralized platform. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Global expansion has never been this simple.