PromptCreek
Sign up
Back to Skills
Legal

FDA Consultant Specialist

FDA regulatory consultant for medical device companies. Provides 510(k)/PMA/De Novo pathway guidance, QSR (21 CFR 820) compliance, HIPAA assessments, and device cybersecurity. Use when user mentions FDA submission, 510(k), PMA, De Novo, QSR, premarket, predicate device, substantial equivalence, HIPAA medical device, or FDA cybersecurity.

$ npx promptcreek add fda-consultant-specialist

Auto-detects your installed agents and installs the skill to each one.

What This Skill Does

This skill provides FDA regulatory consulting for medical device manufacturers. It covers submission pathways, Quality System Regulation (QSR), HIPAA compliance, and device cybersecurity requirements. It is designed for regulatory affairs specialists and medical device manufacturers.

When to Use

  • Determine FDA regulatory pathways.
  • Prepare 510(k) submissions.
  • Ensure QSR compliance.
  • Address HIPAA requirements.
  • Manage device cybersecurity.
  • Plan pre-submission strategies.

Key Features

FDA pathway selection decision framework.
510(k) submission process workflow.
QSR compliance guidance.
HIPAA compliance for medical devices.
Device cybersecurity best practices.
Resources for FDA submissions.

Installation

Run in your project directory:
$ npx promptcreek add fda-consultant-specialist

Auto-detects your installed agents (Claude Code, Cursor, Codex, etc.) and installs the skill to each one.

View Full Skill Content

FDA Consultant Specialist

FDA regulatory consulting for medical device manufacturers covering submission pathways, Quality System Regulation (QSR), HIPAA compliance, and device cybersecurity requirements.

Table of Contents

FDA Pathway Selection

Determine the appropriate FDA regulatory pathway based on device classification and predicate availability.

Decision Framework

Predicate device exists?

├── YES → Substantially equivalent?


│   ├── YES → 510(k) Pathway


│   │   ├── No design changes → Abbreviated 510(k)


│   │   ├── Manufacturing only → Special 510(k)


│   │   └── Design/performance → Traditional 510(k)


│   └── NO → PMA or De Novo


└── NO → Novel device?


    ├── Low-to-moderate risk → De Novo


    └── High risk (Class III) → PMA

Pathway Comparison

| Pathway | When to Use | Timeline | Cost |

|---------|-------------|----------|------|

| 510(k) Traditional | Predicate exists, design changes | 90 days | $21,760 |

| 510(k) Special | Manufacturing changes only | 30 days | $21,760 |

| 510(k) Abbreviated | Guidance/standard conformance | 30 days | $21,760 |

| De Novo | Novel, low-moderate risk | 150 days | $134,676 |

| PMA | Class III, no predicate | 180+ days | $425,000+ |

Pre-Submission Strategy

  • Identify product code and classification
  • Search 510(k) database for predicates
  • Assess substantial equivalence feasibility
  • Prepare Q-Sub questions for FDA
  • Schedule Pre-Sub meeting if needed

Reference: See fda_submission_guide.md for pathway decision matrices and submission requirements.

510(k) Submission Process

Workflow

Phase 1: Planning

├── Step 1: Identify predicate device(s)


├── Step 2: Compare intended use and technology


├── Step 3: Determine testing requirements


└── Checkpoint: SE argument feasible?



Phase 2: Preparation


├── Step 4: Complete performance testing


├── Step 5: Prepare device description


├── Step 6: Document SE comparison


├── Step 7: Finalize labeling


└── Checkpoint: All required sections complete?



Phase 3: Submission


├── Step 8: Assemble submission package


├── Step 9: Submit via eSTAR


├── Step 10: Track acknowledgment


└── Checkpoint: Submission accepted?



Phase 4: Review


├── Step 11: Monitor review status


├── Step 12: Respond to AI requests


├── Step 13: Receive decision


└── Verification: SE letter received?

Required Sections (21 CFR 807.87)

| Section | Content |

|---------|---------|

| Cover Letter | Submission type, device ID, contact info |

| Form 3514 | CDRH premarket review cover sheet |

| Device Description | Physical description, principles of operation |

| Indications for Use | Form 3881, patient population, use environment |

| SE Comparison | Side-by-side comparison with predicate |

| Performance Testing | Bench, biocompatibility, electrical safety |

| Software Documentation | Level of concern, hazard analysis (IEC 62304) |

| Labeling | IFU, package labels, warnings |

| 510(k) Summary | Public summary of submission |

Common RTA Issues

| Issue | Prevention |

|-------|------------|

| Missing user fee | Verify payment before submission |

| Incomplete Form 3514 | Review all fields, ensure signature |

| No predicate identified | Confirm K-number in FDA database |

| Inadequate SE comparison | Address all technological characteristics |

QSR Compliance

Quality System Regulation (21 CFR Part 820) requirements for medical device manufacturers.

Key Subsystems

| Section | Title | Focus |

|---------|-------|-------|

| 820.20 | Management Responsibility | Quality policy, org structure, management review |

| 820.30 | Design Controls | Input, output, review, verification, validation |

| 820.40 | Document Controls | Approval, distribution, change control |

| 820.50 | Purchasing Controls | Supplier qualification, purchasing data |

| 820.70 | Production Controls | Process validation, environmental controls |

| 820.100 | CAPA | Root cause analysis, corrective actions |

| 820.181 | Device Master Record | Specifications, procedures, acceptance criteria |

Design Controls Workflow (820.30)

Step 1: Design Input

└── Capture user needs, intended use, regulatory requirements


    Verification: Inputs reviewed and approved?



Step 2: Design Output


└── Create specifications, drawings, software architecture


    Verification: Outputs traceable to inputs?



Step 3: Design Review


└── Conduct reviews at each phase milestone


    Verification: Review records with signatures?



Step 4: Design Verification


└── Perform testing against specifications


    Verification: All tests pass acceptance criteria?



Step 5: Design Validation


└── Confirm device meets user needs in actual use conditions


    Verification: Validation report approved?



Step 6: Design Transfer


└── Release to production with DMR complete


    Verification: Transfer checklist complete?

CAPA Process (820.100)

  • Identify: Document nonconformity or potential problem
  • Investigate: Perform root cause analysis (5 Whys, Fishbone)
  • Plan: Define corrective/preventive actions
  • Implement: Execute actions, update documentation
  • Verify: Confirm implementation complete
  • Effectiveness: Monitor for recurrence (30-90 days)
  • Close: Management approval and closure

Reference: See qsr_compliance_requirements.md for detailed QSR implementation guidance.

HIPAA for Medical Devices

HIPAA requirements for devices that create, store, transmit, or access Protected Health Information (PHI).

Applicability

| Device Type | HIPAA Applies |

|-------------|---------------|

| Standalone diagnostic (no data transmission) | No |

| Connected device transmitting patient data | Yes |

| Device with EHR integration | Yes |

| SaMD storing patient information | Yes |

| Wellness app (no diagnosis) | Only if stores PHI |

Required Safeguards

Administrative (§164.308)

├── Security officer designation


├── Risk analysis and management


├── Workforce training


├── Incident response procedures


└── Business associate agreements



Physical (§164.310)


├── Facility access controls


├── Workstation security


└── Device disposal procedures



Technical (§164.312)


├── Access control (unique IDs, auto-logoff)


├── Audit controls (logging)


├── Integrity controls (checksums, hashes)


├── Authentication (MFA recommended)


└── Transmission security (TLS 1.2+)

Risk Assessment Steps

  • Inventory all systems handling ePHI
  • Document data flows (collection, storage, transmission)
  • Identify threats and vulnerabilities
  • Assess likelihood and impact
  • Determine risk levels
  • Implement controls
  • Document residual risk

Reference: See hipaa_compliance_framework.md for implementation checklists and BAA templates.

Device Cybersecurity

FDA cybersecurity requirements for connected medical devices.

Premarket Requirements

| Element | Description |

|---------|-------------|

| Threat Model | STRIDE analysis, attack trees, trust boundaries |

| Security Controls | Authentication, encryption, access control |

| SBOM | Software Bill of Materials (CycloneDX or SPDX) |

| Security Testing | Penetration testing, vulnerability scanning |

| Vulnerability Plan | Disclosure process, patch management |

Device Tier Classification

Tier 1 (Higher Risk):

  • Connects to network/internet
  • Cybersecurity incident could cause patient harm

Tier 2 (Standard Risk):

  • All other connected devices

Postmarket Obligations

  • Monitor NVD and ICS-CERT for vulnerabilities
  • Assess applicability to device components
  • Develop and test patches
  • Communicate with customers
  • Report to FDA per guidance

Coordinated Vulnerability Disclosure

Researcher Report



Acknowledgment (48 hours)




Initial Assessment (5 days)




Fix Development




Coordinated Public Disclosure

Reference: See device_cybersecurity_guidance.md for SBOM format examples and threat modeling templates.

Resources

scripts/

| Script | Purpose |

|--------|---------|

| fda_submission_tracker.py | Track 510(k)/PMA/De Novo submission milestones and timelines |

| qsr_compliance_checker.py | Assess 21 CFR 820 compliance against project documentation |

| hipaa_risk_assessment.py | Evaluate HIPAA safeguards in medical device software |

references/

| File | Content |

|------|---------|

| fda_submission_guide.md | 510(k), De Novo, PMA submission requirements and checklists |

| qsr_compliance_requirements.md | 21 CFR 820 implementation guide with templates |

| hipaa_compliance_framework.md | HIPAA Security Rule safeguards and BAA requirements |

| device_cybersecurity_guidance.md | FDA cybersecurity requirements, SBOM, threat modeling |

| fda_capa_requirements.md | CAPA process, root cause analysis, effectiveness verification |

Usage Examples

# Track FDA submission status

python scripts/fda_submission_tracker.py /path/to/project --type 510k



Assess QSR compliance


python scripts/qsr_compliance_checker.py /path/to/project --section 820.30



Run HIPAA risk assessment


python scripts/hipaa_risk_assessment.py /path/to/project --category technical

0Installs
0Views

Supported Agents

Claude CodeCursorCodexGemini CLIAiderWindsurfOpenClaw

Attribution

Alireza Rezvani
alirezarezvani/claude-skills
MITseeded

Details

License
MIT
Source
seeded
Published
3/17/2026

Tags

regulatory & quality

Related Skills

GDPR Dsgvo Expert

GDPR and German DSGVO compliance automation. Scans codebases for privacy risks, generates DPIA documentation, tracks data subject rights requests. Use for GDPR compliance assessments, privacy audits, data protection planning, DPIA generation, and data subject rights management.

00
Alireza Rezvani
#regulatory & quality

Brief

Generate contextual briefings for legal work — daily summary, topic research, or incident response. Use when starting your day and need a scan of legal-relevant items across email, calendar, and contracts, when researching a specific legal question across internal sources, or when a developing situation (data breach, litigation threat, regulatory inquiry) needs rapid context.

00
anthropics
#legal

Compliance Check

Run a compliance check on a proposed action, product feature, or business initiative, surfacing applicable regulations, required approvals, and risk areas. Use when launching a feature that touches personal data, when marketing or product proposes something with regulatory implications, or when you need to know which approvals and jurisdictional requirements apply before proceeding.

00
anthropics
#legal