May 7, 2019


  • US FDA publishes final guidance on Q-Submission Program for medical device and IVD manufacturers;
  • Sample Q-Sub questions provided by FDA now include those for cybersecurity-related issues;
  • Final Q-Sub guidance replaces draft guidance issued in 2017.

Finalized US Food and Drug Administration guidance for its Q-Submission (Q-Sub) Program whereby manufacturers solicit feedback from the agency prior to submitting their premarket applications now includes recommendations for cybersecurity-related issues.

The final guidance replaces draft guidance published in 2017, which established a process for medical device and IVD companies to request and obtain FDA feedback on 510(k), Premarket Approval (PMA) and other registration-related issues as well as Investigational Device Exemptions (IDEs) before submitting their premarket applications for formal review.

A major addition to the final FDA Q-Sub guidance are a set of cybersecurity-related questions in Appendix 2 provided as suggested example questions for premarket consulting with the regulator. Inclusion of these questions alongside topics such as regulatory strategy, clinical study and human factors shows the growing awareness (and scrutiny) of the need for cyber-related risk management and mitigation in the device industry.

Cybersecurity-related Pre-Sub topics FDA identifies

The sample cybersecurity questions FDA provides in the final guidance show where the regulator is focusing in terms of cybersecurity measures expected in premarket submissions:

  • Whether FDA agrees with attack vectors applicant has identified for its device;
  • Whether FDA has any comments or feedback on applicant’s cybersecurity management plan;
  • If FDA agrees with applicant’s proposed risk models for use in assessing device cybersecurity;
  • If applicant’s described level of security is appropriate for the device risk.

Other sample Q-Sub questions included in the final guidance cover regulatory strategy, clinical studies, software and firmware issues and human factors.

FDA draft guidance in 2018 laid out various Q-Sub request and meeting options available to medical device and IVD manufacturers interested in the program.

Additional US FDA medical device regulatory information:


  • Stewart Eisenhart