Comparison guide
RTA vs Deficiency Letter
Both can stall a 510(k) - but they hit at different review stages and the clock behaves very differently.
Side-by-side breakdown
| Dimension | Refuse-To-Accept (RTA) | Deficiency Letter |
|---|---|---|
| Review stage | Day 1-15 administrative screening. | Day 60-90 substantive review. |
| Trigger | Submission is administratively incomplete (e.g. cybersecurity package missing). | Reviewer needs more information to make a clearance decision. |
| Clock impact | Review clock does not start. You have 180 days to respond before withdrawal. | Clock stops on the day the letter issues. Resumes when the FDA accepts your response. |
| Typical cybersecurity causes | Missing SBOM, missing threat model, missing labeling, no SPDF documentation. | Inadequate threat-model coverage, weak pen-test scope, VEX inconsistencies, postmarket plan gaps. |
| Response window | 180 days; multiple resubmissions allowed. | FDA-specified; typically 180 days but can be shorter. |
| Avoidance strategy | Use the eSTAR checklist + a pre-submission cybersecurity audit. | Build the cybersecurity package against the 2026 final guidance with full traceability to AAMI SW96 and IEC 81001-5-1. |
When to use which
For an RTA, treat it as a checklist exercise. Map every missing item to the eSTAR cybersecurity section and resubmit within weeks, not months.
For a deficiency letter, respond in one consolidated package addressing every comment with traceability to your risk file. Partial responses extend the clock and invite follow-ups.
Frequently asked questions
Keep exploring
Ready when you are
Get FDA cleared without the cybersecurity headaches.
30-minute strategy session. No cost, no commitment - just answers from people who've shipped 250+ FDA submissions.