Skill Guide

Regulatory compliance for AI/ML medical devices (FDA SaMD, CE marking, IEC 62304)

The systematic process of ensuring AI/ML-driven medical software (SaMD) meets all regional regulatory requirements for safety, efficacy, and quality throughout its lifecycle, as defined by frameworks like the FDA, EU MDR/IVDR, and IEC 62304.

This skill is non-negotiable for market entry and sustained commercial viability, as non-compliance results in severe financial penalties, product recalls, and reputational damage. Mastery directly accelerates time-to-market by preventing costly redesigns and regulatory delays, securing a competitive edge in the global health-tech landscape.

How to Learn Regulatory compliance for AI/ML medical devices (FDA SaMD, CE marking, IEC 62304)

Focus on: 1) Understanding core definitions (SaMD, IEC 62304 software safety classification, intended use). 2) Memorizing the primary regulatory pathways (FDA 510(k), De Novo, PMA; EU MDR conformity assessment routes). 3) Grasping the concept of a Quality Management System (QMS) per ISO 13485.
Move to practice by: 1) Mapping your AI/ML model's risk profile to the correct SaMD category (FDA) and IEC 62304 safety class (A, B, C). 2) Drafting a design history file (DHF) for a hypothetical feature, focusing on traceability. 3) Implementing a change control protocol for algorithm changes as per FDA's Predetermined Change Control Plan (PCCP), rather than making the critical mistake of treating AI model updates as minor patches.
Master the domain by: 1) Architecting a compliant, agile development lifecycle that integrates continuous AI/ML model monitoring with a robust post-market surveillance (PMS) plan. 2) Leading a Notified Body or FDA pre-submission meeting to negotiate the regulatory strategy for a novel adaptive algorithm. 3) Mentoring engineering teams on the ethical and technical implications of bias, explainability, and real-world performance (RWP) monitoring as mandated by regulations.

Practice Projects

Beginner
Case Study/Exercise

Classify a SaMD and Define its Regulatory Pathway

Scenario

You are given a product brief for a mobile app that uses a convolutional neural network (CNN) to analyze smartphone photos of skin lesions and provide a risk score for melanoma. The app is intended for use by healthcare professionals as a clinical decision support tool.

How to Execute
1) Analyze the intended use statement to determine the FDA SaMD category (I, II, III) based on the clinical context and significance of the information provided. 2) Determine the IEC 62304 software safety class by evaluating the potential harm from a software failure. 3) Research and document the specific premarket submission type required (e.g., 510(k), De Novo) and list 2-3 predicate devices or classification panels. 4) Create a one-page regulatory strategy memo summarizing your findings.
Intermediate
Project

Develop a Design History File (DHF) for an AI Model Update

Scenario

Your team has developed a software patch for an existing, cleared SaMD for diabetic retinopathy detection. The update improves the AI model's sensitivity by 5% using a new training dataset, but maintains the same intended use and indications for use.

How to Execute
1) Draft a change impact assessment document, referencing FDA guidance on when a new 510(k) is required for software changes. 2) Create the key DHF deliverables for this change: updated software requirements specification (SRS), verification and validation (V&V) test protocols for the new model, and a risk management file (ISO 14971) addendum analyzing new failure modes. 3) Write a draft 510(k) summary or Special 510(k) justification, depending on your assessment. 4) Document the post-market monitoring plan for the updated model's real-world performance.
Advanced
Case Study/Exercise

Lead a Regulatory Submission for a Continuously Learning AI System

Scenario

Your company is developing a SaMD for ECG analysis that uses a federated learning approach to continuously improve its algorithm on hospital data without the data leaving the premises. The algorithm's performance is intended to adapt and improve over time.

How to Execute
1) Develop a comprehensive Predetermined Change Control Plan (PCCP) as outlined in the FDA's 2023 guidance, detailing the boundaries for change, the methodology for re-training, and the validation protocol for each update. 2) Structure the technical documentation to meet both FDA and EU MDR requirements, focusing on explaining the 'locked' vs. 'adaptive' algorithm aspects and demonstrating ongoing conformity to the General Safety and Performance Requirements (GSPR). 3) Prepare a risk-based rationale for the notified body or FDA reviewer, addressing concerns about data drift, bias propagation, and the 'black box' nature of adaptive AI. 4) Draft a post-market clinical follow-up (PMCF) plan specifically for monitoring the real-world safety and effectiveness of the evolving algorithm.

Tools & Frameworks

Regulatory & Quality Frameworks

FDA SaMD Framework & Guidance Documents
EU MDR 2017/745 & IVDR 2017/746
IEC 62304:2006+AMD1:2015 (Medical device software - Software life cycle processes)
ISO 14971:2019 (Application of risk management to medical devices)
ISO 13485:2016 (Quality management systems)

These are the foundational legal and normative documents. The FDA and EU frameworks define market access, while IEC 62304, ISO 14971, and ISO 13485 provide the international, process-based standards for building the compliant software and quality system. They are used from initial design control through post-market surveillance.

Software & Documentation Tools

Requirements Management Tools (e.g., Jama Connect, IBM DOORS)
ALM/QMS Platforms (e.g., Greenlight Guru, Qualio)
Version Control with Audit Trails (e.g., Git with strict branching policies)
Test Management & Traceability Software

These tools operationalize compliance. Jama/DOORS ensure traceability from user need to test case. ALM/QMS platforms manage the DHF, DHR, and CAPA processes in a 21 CFR Part 11 compliant environment. They are essential for maintaining an audit-ready state and demonstrating software provenance.

Interview Questions

Answer Strategy

Use the FDA's SaMD categorization framework (based on healthcare situation and significance of information) as your primary decision tree. Then link the category to the required IEC 62304 safety class and the premarket pathway (e.g., De Novo vs. 510(k)). Emphasize the need for a robust dataset, algorithm locking protocol, and performance testing against a clinically validated ground truth. Sample Answer: 'First, I'd categorize it as a SaMD, likely Category II, as it provides diagnostic information to a clinician for a serious condition. This would classify the software as IEC 62304 Class B or C, requiring a more rigorous lifecycle process. The regulatory pathway would likely be a De Novo classification given the novel technology. Core documentation would include a detailed algorithm description, extensive V&V against a large, diverse, and adjudicated test set, and a comprehensive risk management file addressing failure modes like false negatives.'

Answer Strategy

The interviewer is testing your practical experience with change control under ISO 13485 and FDA guidance. Use the STAR method, focusing on the 'A' (Action) which should detail a formal impact assessment against the intended use and risk profile. Highlight collaboration with Regulatory Affairs and Quality. Sample Answer: 'In a previous role, we discovered a performance degradation in our AI model under specific, rare lighting conditions. My initial technical assessment was that a minor patch was needed. However, per our change control SOP, I conducted a formal impact assessment with our RA/QA lead. We concluded that because it affected the device's core performance claim, it was a significant change requiring documentation in the DHF, a new verification report, and a Special 510(k) notification to the FDA. We executed the change within that framework, avoiding a regulatory hold and maintaining our compliant status.'