fda-consultant-specialist

FDA Consultant Specialist

FDA regulatory consulting for medical device manufacturers covering submission pathways, Quality System Regulation (QSR), HIPAA compliance, and device cybersecurity requirements.

FDA Pathway Selection

Determine the appropriate FDA regulatory pathway based on device classification and predicate availability.

Decision Framework

Predicate device exists?
├── YES → Substantially equivalent?
│   ├── YES → 510(k) Pathway
│   │   ├── No design changes → Abbreviated 510(k)
│   │   ├── Manufacturing only → Special 510(k)
│   │   └── Design/performance → Traditional 510(k)
│   └── NO → PMA or De Novo
└── NO → Novel device?
    ├── Low-to-moderate risk → De Novo
    └── High risk (Class III) → PMA

Pathway Comparison

| Pathway | When to Use | Timeline | Cost |
| --- | --- | --- | --- |
| 510(k) Traditional | Predicate exists, design changes | 90 days | $21,760 |
| 510(k) Special | Manufacturing changes only | 30 days | $21,760 |
| 510(k) Abbreviated | Guidance/standard conformance | 30 days | $21,760 |
| De Novo | Novel, low-moderate risk | 150 days | $134,676 |
| PMA | Class III, no predicate | 180+ days | $425,000+ |

Pre-Submission Strategy

  1. Identify product code and classification
  2. Search 510(k) database for predicates
  3. Assess substantial equivalence feasibility
  4. Prepare Q-Sub questions for FDA
  5. Schedule Pre-Sub meeting if needed
Reference: See fda_submission_guide.md for pathway decision matrices and submission requirements.

510(k) Submission Process

Workflow

Phase 1: Planning
├── Step 1: Identify predicate device(s)
├── Step 2: Compare intended use and technology
├── Step 3: Determine testing requirements
└── Checkpoint: SE argument feasible?

Phase 2: Preparation
├── Step 4: Complete performance testing
├── Step 5: Prepare device description
├── Step 6: Document SE comparison
├── Step 7: Finalize labeling
└── Checkpoint: All required sections complete?

Phase 3: Submission
├── Step 8: Assemble submission package
├── Step 9: Submit via eSTAR
├── Step 10: Track acknowledgment
└── Checkpoint: Submission accepted?

Phase 4: Review
├── Step 11: Monitor review status
├── Step 12: Respond to Additional Information (AI) requests
├── Step 13: Receive decision
└── Verification: SE letter received?

Required Sections (21 CFR 807.87)

| Section | Content |
| --- | --- |
| Cover Letter | Submission type, device ID, contact info |
| Form 3514 | CDRH premarket review cover sheet |
| Device Description | Physical description, principles of operation |
| Indications for Use | Form 3881, patient population, use environment |
| SE Comparison | Side-by-side comparison with predicate |
| Performance Testing | Bench, biocompatibility, electrical safety |
| Software Documentation | Level of concern, hazard analysis (IEC 62304) |
| Labeling | IFU, package labels, warnings |
| 510(k) Summary | Public summary of submission |

Common RTA (Refuse to Accept) Issues

| Issue | Prevention |
| --- | --- |
| Missing user fee | Verify payment before submission |
| Incomplete Form 3514 | Review all fields, ensure signature |
| No predicate identified | Confirm K-number in FDA database |
| Inadequate SE comparison | Address all technological characteristics |

QSR Compliance

Quality System Regulation (21 CFR Part 820) requirements for medical device manufacturers.

Key Subsystems

| Section | Title | Focus |
| --- | --- | --- |
| 820.20 | Management Responsibility | Quality policy, org structure, management review |
| 820.30 | Design Controls | Input, output, review, verification, validation |
| 820.40 | Document Controls | Approval, distribution, change control |
| 820.50 | Purchasing Controls | Supplier qualification, purchasing data |
| 820.70 | Production Controls | Process validation, environmental controls |
| 820.100 | CAPA | Root cause analysis, corrective actions |
| 820.181 | Device Master Record | Specifications, procedures, acceptance criteria |

Design Controls Workflow (820.30)

Step 1: Design Input
└── Capture user needs, intended use, regulatory requirements
    Verification: Inputs reviewed and approved?

Step 2: Design Output
└── Create specifications, drawings, software architecture
    Verification: Outputs traceable to inputs?

Step 3: Design Review
└── Conduct reviews at each phase milestone
    Verification: Review records with signatures?

Step 4: Design Verification
└── Perform testing against specifications
    Verification: All tests pass acceptance criteria?

Step 5: Design Validation
└── Confirm device meets user needs in actual use conditions
    Verification: Validation report approved?

Step 6: Design Transfer
└── Release to production with DMR complete
    Verification: Transfer checklist complete?

CAPA Process (820.100)

  1. Identify: Document nonconformity or potential problem
  2. Investigate: Perform root cause analysis (5 Whys, Fishbone)
  3. Plan: Define corrective/preventive actions
  4. Implement: Execute actions, update documentation
  5. Verify: Confirm implementation complete
  6. Effectiveness: Monitor for recurrence (30-90 days)
  7. Close: Management approval and closure
Reference: See qsr_compliance_requirements.md for detailed QSR implementation guidance.

HIPAA for Medical Devices

HIPAA requirements for devices that create, store, transmit, or access Protected Health Information (PHI).

Applicability

| Device Type | HIPAA Applies |
| --- | --- |
| Standalone diagnostic (no data transmission) | No |
| Connected device transmitting patient data | Yes |
| Device with EHR integration | Yes |
| SaMD storing patient information | Yes |
| Wellness app (no diagnosis) | Only if stores PHI |

Required Safeguards

Administrative (§164.308)
├── Security officer designation
├── Risk analysis and management
├── Workforce training
├── Incident response procedures
└── Business associate agreements

Physical (§164.310)
├── Facility access controls
├── Workstation security
└── Device disposal procedures

Technical (§164.312)
├── Access control (unique IDs, auto-logoff)
├── Audit controls (logging)
├── Integrity controls (checksums, hashes)
├── Authentication (MFA recommended)
└── Transmission security (TLS 1.2+)

Risk Assessment Steps

  1. Inventory all systems handling ePHI
  2. Document data flows (collection, storage, transmission)
  3. Identify threats and vulnerabilities
  4. Assess likelihood and impact
  5. Determine risk levels
  6. Implement controls
  7. Document residual risk
Reference: See hipaa_compliance_framework.md for implementation checklists and BAA templates.

Device Cybersecurity

FDA cybersecurity requirements for connected medical devices.

Premarket Requirements

| Element | Description |
| --- | --- |
| Threat Model | STRIDE analysis, attack trees, trust boundaries |
| Security Controls | Authentication, encryption, access control |
| SBOM | Software Bill of Materials (CycloneDX or SPDX) |
| Security Testing | Penetration testing, vulnerability scanning |
| Vulnerability Plan | Disclosure process, patch management |

Device Tier Classification

Tier 1 (Higher Risk):
  • Connects to network/internet
  • Cybersecurity incident could cause patient harm
Tier 2 (Standard Risk):
  • All other connected devices

Postmarket Obligations

  1. Monitor NVD and ICS-CERT for vulnerabilities
  2. Assess applicability to device components
  3. Develop and test patches
  4. Communicate with customers
  5. Report to FDA per guidance
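
Steps 1 and 2 above, as an added example that is not part of the original skill or its scripts: matching the components in a device SBOM against vulnerability advisories. The SBOM fragment, component names, advisory IDs and the simplified advisory fields (`package`, `introduced`, `fixed`) are constructed for illustration and are not the NVD schema.

```python
import json

# Constructed CycloneDX-style SBOM fragment for a hypothetical device (not real products).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "acme-tls", "version": "3.0.7"},
    {"type": "library", "name": "acme-rtos", "version": "10.4.2"},
    {"type": "library", "name": "acme-ble-stack", "version": "2.1-rc3"}
  ]
}"""

# Constructed advisories in a simplified shape (assumption, not the NVD schema):
# affected when introduced <= version < fixed; fixed=None means no fix released yet.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "acme-tls", "introduced": "3.0.0", "fixed": "3.0.9"},
    {"id": "EXAMPLE-0002", "package": "acme-rtos", "introduced": "9.0.0", "fixed": "10.4.0"},
    {"id": "EXAMPLE-0003", "package": "acme-ble-stack", "introduced": "2.0", "fixed": None},
]

def parse_version(text):
    """'3.0.7' -> (3, 0, 7); returns None when a part is not a plain integer."""
    try:
        return tuple(int(part) for part in text.split("."))
    except ValueError:
        return None

def assess(sbom_json, advisories):
    """Return (affected, needs_review) for the components listed in the SBOM."""
    affected, needs_review = [], []
    for comp in json.loads(sbom_json).get("components", []):
        name, raw = comp.get("name"), comp.get("version", "")
        version = parse_version(raw)
        for adv in (a for a in advisories if a["package"] == name):
            if version is None:
                # Cannot compare automatically: route to manual assessment, never drop.
                needs_review.append((name, raw, adv["id"]))
                continue
            low = parse_version(adv["introduced"])
            high = parse_version(adv["fixed"]) if adv["fixed"] else None
            if version >= low and (high is None or version < high):
                affected.append((name, raw, adv["id"]))
    return affected, needs_review

if __name__ == "__main__":
    hits, review = assess(SBOM_JSON, ADVISORIES)
    print("affected:", hits)
    print("needs manual review:", review)
```

A component whose version string cannot be parsed is reported for manual review rather than silently treated as unaffected.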

Coordinated Vulnerability Disclosure

Researcher Report → Acknowledgment (48 hours) → Initial Assessment (5 days) → Fix Development → Coordinated Public Disclosure
Reference: See device_cybersecurity_guidance.md for SBOM format examples and threat modeling templates.

Resources

scripts/

| Script | Purpose |
| --- | --- |
| fda_submission_tracker.py | Track 510(k)/PMA/De Novo submission milestones and timelines |
| qsr_compliance_checker.py | Assess 21 CFR 820 compliance against project documentation |
| hipaa_risk_assessment.py | Evaluate HIPAA safeguards in medical device software |

references/

| File | Content |
| --- | --- |
| fda_submission_guide.md | 510(k), De Novo, PMA submission requirements and checklists |
| qsr_compliance_requirements.md | 21 CFR 820 implementation guide with templates |
| hipaa_compliance_framework.md | HIPAA Security Rule safeguards and BAA requirements |
| device_cybersecurity_guidance.md | FDA cybersecurity requirements, SBOM, threat modeling |
| fda_capa_requirements.md | CAPA process, root cause analysis, effectiveness verification |

Usage Examples

```bash
# Track FDA submission status
python scripts/fda_submission_tracker.py /path/to/project --type 510k

# Assess QSR compliance
python scripts/qsr_compliance_checker.py /path/to/project --section 820.30

# Run HIPAA risk assessment
python scripts/hipaa_risk_assessment.py /path/to/project --category technical
```