Secure Product Development Framework for Medical Device Cybersecurity

“Cybersecurity Management System” for FDA Premarket Submissions

What is a Secure Product Development Framework (SPDF)?

“An SPDF is a set of processes that help identify and reduce the number and severity of vulnerabilities in products. An SPDF encompasses all aspects of a product’s lifecycle, including design, development, release, support, and decommission.”

Food and Drug Administration - Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions (referred to after as the Guidance)

Think of the SPDF as a Cybersecurity Management System that rolls up under your Quality Management System, containing cybersecurity-specific procedures and templates that uniquely address medical device cybersecurity requirements.

BG Networks’ (BGN) SPDF documentation package includes a SPDF manual, procedures, and templates to enable you create all premarket cybersecurity information required by the FDA in the shortest amount of time and with the highest level of confidence of acceptance.

The Food and Drug Administration (FDA) may send a deficiency letter to applicants when there are major gaps in a submission or minor deficiencies that persist after initial communication. This temporarily puts the marketing application on hold until the FDA receives the requested information. Implementing BG Networks SPDF provides confidence that your pre-market submission process will not get bogged down with costly and time-consuming delays responding to a potential FDA deficiency letter.

Highlights of BGN’s SPDF:

  • Complies with FDA’s premarket and postmarket medical device cybersecurity recommendations
  • Is based on IEC 81001-5-1, a FDA consensus cybersecurity standard
  • Includes security risk management based on ANSI/AAMI SE96:2023, an FDA consensus standard
  • Easily integrates with your existing QMS and risk management processes
  • Includes a complete set of cybersecurity premarket FDA submission templates matching eSTAR terminology
  • Cybersecurity SPDF procedures and templates to support all security processes needed for an FDA inspection
  • Developed by experts with over 50+ years of medical device, quality management systems, and cybersecurity expertise
This graphic shows the elements that make up an SPDF. This graphic shows the elements that make up an SPDF.

"Premarket clearance has been complicated by the issuance of FD&C Act section 524B and FDA’s related consensus standards creating quite a swirl.  This is why we integrated all of this as a singular process into our SPDF to provide a clear pathway for others to follow," says Eric Pettes, Medical Device Cybersecurity Services Lead at BG Networks, who has 25 years of experience in medical device QMS and cybersecurity.

Medical Device SPDF Training and Services

Cybersecurity Meddevices02 Cybersecurity Meddevices02

Why a SPDF? Because the Food Drug & Cosmetic Act, section 524B requires assurance that devices are cybersecure.

Section 524B says, a sponsor of an application shall “design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure”. It also requires SBOMs, monitoring of vulnerabilities, and software updates.

In the Guidance the FDA is clear that cybersecurity is part of device safety and the Quality System (QS) Regulation. Also, an SPDF is highlighted as a way of meeting QS regulations and FDA expectations.

Webinar Series - Medical Device Cybersecurity - Free

IEC 81001-5-1 & ANSI/AAMI SW96: 2023?
A strong foundation for a SPDF

These two standards make for a strong foundation for a SPDF because both were developed specifically for medical devices and Software as Medical Devices (SaMD). They are recognized by the FDA as consensus standards and by other regulatory bodies around the world.

IEC 81001-5-1 provides guidance for SPDF activities over the lifecycle of the product. While it is a cybersecurity software only standard, BG Networks’ SPDF fills gaps so that security for both hardware and software are coved.

Another very nice aspect of IEC 81001-5-1 is that it was specifically developed to be an extension to your existing safety and effectiveness QMS and also your software lifecycle processes. So this standard is a good complement to ISO 13485: Medical Devices — Quality Management Systems — Requirements for Regulatory Purposes ) and IEC 62304: Medical Device Software – Software Life Cycle Processes

While IEC 81001-5-1 has a small section on risk management, ANSI/AAMI SW96:2023 is a dedicated risk management standard and much more comprehensive. ANSI/AAMI SW96 is based on the widely adopted Technical Information Reports: AAMI TIR57 and TIR97. AAMI SW96 covers risk through the total product lifecycle and was developed as complement to your existing safety and effectiveness risk management process such as ISO 14971: Medical Devices – Application of Risk Management to Medical Devices.

BG Networks has directly mapped every section of IEC 81001-5-1 and AAMI SW96 to our SPDF to make sure we completely cover both. In addition, we have mapped all of the FDA’s cybersecurity recommendations from their pre-market and post-market documents. Having a process based on FDA consensus standards, use of that process, and making sure all FDA recommendations are addressed, like we have done in our SPDF, is a recipe for fast acceptance by the FDA and avoiding costly and time-consuming deficiency letters.

SPDF Foundation White SPDF Foundation White

White Paper - Practical Advice for FDA Submissions

SPDF Options

BG Networks has two documentation package options. Those are:

FDA Premarket Submission Templates:

Fifteen templates that the FDA requires for a premarket submission. These templates are comprehensively based on all the FDA’s premarket recommendations.

Full SPDF Package:

Includes a cybersecurity SPDF manual, 25 templates including the 15 required for a FDA premarket submission, and 25 procedures that enable users in populating the templates. This package provides all documentation needed to establish a cybersecurity SPDF that complements your existing QMS.

Contact us for more information on our Secure Product Development Framework.

"*" indicates required fields

This field is for validation purposes and should be left unchanged.