FREQUENTLY Asked Questions
What documentation should be included for Tier 1 and Tier 2 devices?
View All FAQs
About the Author
Proxima CRO Team
Isabella Schmitt, RAC
Director of Regulatory Affairs

Prior to joining Proxima, Isabella served as the Senior Regulatory & Quality Manager at a medical device company, where she outlined the regulatory strategy & put together design controls & design history documentation. She was the Dir. of CMC & Quality at a biopharmaceutical company, where she oversaw all manufacturing and analytical processes and timelines and ensured CMC regulatory strategy was sufficient for filings in Europe and the US.

The FDA recommends premarket submissions for Tier 1 devices with higher cybersecurity risk to include documentation demonstrating how the device design and risk assessment incorporate the cybersecurity design controls of identifying and protecting device assets and functionality and detecting, responding, and recovering design expectations. Tier 2 devices with standard cybersecurity risk should include documentation that either 1) demonstrates they have incorporated each of the specific design features and cybersecurity design controls aforementioned, or 2) provide a risk-based rationale for why specific cybersecurity design controls are not appropriate. Risk-based rationales should leverage an analysis of exploitability to describe likelihood instead of probability.

Related Terms:
No items found.
Related FAQs:
More Questions? We're here to help!