Friday, March 4, 2016

FDA Publishes RFI for Medical Device Refurbishment

Today the Food and Drug Administration (FDA) published a request for information (RFI) notice in the Federal Register (81 FR 11477-11479) to receive information and comments on the medical device industry and healthcare community that refurbish, recondition, rebuild, remarket, remanufacture, service, and repair medical devices.


The FDA’s notice explains that:

“Stakeholders have expressed concerns that some third-party entities who refurbish, recondition, rebuild, remarket, remanufacture, service, and repair medical devices may use unqualified personnel to perform service, maintenance, refurbishment, and device alterations on their equipment and that the work performed may not be adequately documented. Possible public health issues arising from these activities include ineffective recalls, disabled device safety features, and improper or unexpected device operation. OEMs have also requested clarification of their responsibilities when their devices have been altered by a third-party entity. Federal Agencies other than FDA address service and maintenance activities as well.”

The notice provides descriptive definitions of the activities of interest in this RFI. Those activities are:

Remanufacturing; and

The FDA is soliciting comments on concerning the service, maintenance, refurbishment, and alteration of medical devices, including endoscopes (Ref. 3), by third-party entities. They are specifically looking for responses to the following questions:

• Who are the different stakeholders involved with the medical device activities listed previously?
• What evidence exists regarding actual problems with the safety and/or performance of devices that result from these activities?
• What are the potential risks (patients/users) and failure modes (devices) introduced as a result of performing the previously defined activities on medical devices?
• Are the risks different depending on who performs the previously mentioned activities?
• Which of these activities are more difficult or riskier to perform on certain devices versus others?
• What information do third-party entities need in order to perform these activities in a way that results in safe and effective operation of the medical device?
• What additional challenges do stakeholders encounter with devices that result from these activities?

The FDA is soliciting public feedback on these questions. Responses can be submitted via the Federal eRulemaking Portal (; Docket # FDA-2016-N-0436). Comments should be submitted by May 3rd, 2016.


As more and more of these devices contain electronic control systems and data storage systems the issue of cybersecurity must be included in any discussion of refurbishment of medical devices. Some of the types of cybersecurity issues that will need to be looked at will include:

• Verification that there has not been has not been tampering with any firmware/software loaded on the device;
• Verification that any manufacturer updates to firmware/software have successfully been applied;
• Verification that any additional communications protocols associated with the device are up to date; and
• Where the device must be hooked to a personal computer (PC) similar questions about the software on the PC must be addressed;

Additionally, before the device is sent to a third party, or even the original vendor, for refurbishment, specific procedures are going to have to be established to ensure that all patient information is permanently removed from the device.

Since the FDA is planning on holding meetings on the medical device refurbishment issue, perhaps is should consider holding a meeting to specifically look at the related cybersecurity issues.

A copy of this post was submitted to the FDA Docket on March 6th, 2015.

No comments:

/* Use this with templates/template-twocol.html */