
Skill Guide

Regulatory literacy (FDA SaMD, HIPAA, GDPR, CE marking for AI medical devices)

The applied knowledge to navigate and implement compliance frameworks (FDA SaMD, HIPAA, GDPR, CE marking) for AI-based medical software as part of a product development lifecycle.

This skill directly enables market access and mitigates severe legal and financial risk, as non-compliance can result in product recalls, massive fines, and loss of trust. It transforms regulatory constraints into a structured development framework, accelerating time-to-market for compliant products.

How to Learn Regulatory literacy (FDA SaMD, HIPAA, GDPR, CE marking for AI medical devices)

1. Master core definitions: SaMD (Software as a Medical Device), PHI (Protected Health Information, a HIPAA term), PII (Personally Identifiable Information), personal data and special-category health data (GDPR terms), MDR (EU Medical Device Regulation 2017/745).
2. Study the intended use and risk classification process for each framework. Keep the two FDA-side schemes apart: the IMDRF SaMD risk categorization (Categories I-IV, based on the healthcare situation and the significance of the information the software provides) and the FDA device classes (Class I, II, III) that determine the submission type (510(k), De Novo, PMA). In the EU, classification follows MDR Annex VIII; Rule 11 is the software rule.
3. Understand basic documentation concepts: Design History File (DHF), Technical File / technical documentation (MDR Annex II and III), Risk Management File (ISO 14971).

1. Conduct a gap analysis: Map your product's features and data flows against specific requirements (e.g., GDPR Article 35 for DPIAs, the HIPAA Security Rule administrative, physical and technical safeguards).
2. Practice creating submission-ready artifacts: e.g., a 510(k) summary, a GDPR Data Protection Impact Assessment (DPIA), a Clinical Evaluation Report (CER) outline.
3. Avoid common mistakes: assuming HIPAA compliance covers GDPR (HIPAA applies only to covered entities and their business associates, GDPR to any processing of EU residents' personal data), or conflating CE marking (EU, via a Notified Body) with FDA clearance or approval (US).

1. Architect a 'regulatory by design' strategy: Integrate compliance gates (e.g., QMS checkpoints, tamper-evident audit logs, pre-specified model change thresholds) directly into the Agile/DevOps or MLOps pipeline.
2. Lead regulatory strategy for a global launch, navigating conflicting requirements between jurisdictions.
3. Mentor engineering teams on 'compliance as code' principles and conduct mock audits (Notified Body audit, FDA inspection, FDA Pre-Submission / Q-Sub meetings).

Practice Projects

Beginner
Project

Regulatory Classification Dossier

Scenario

You have an AI-powered diagnostic assistant for skin lesion analysis (image input, binary output: refer/no refer). Determine its regulatory pathway.

How to Execute
1. Define the intended use statement (patient population, clinical setting, who acts on the output, and what the refer/no-refer output is meant to drive).
2. For FDA: First place the product in the IMDRF SaMD risk categorization (the output informs or drives clinical management of a potentially serious condition, so expect Category II or III), then determine the FDA device class (likely Class II). Identify a predicate device for a 510(k); if no suitable predicate exists, the pathway is De Novo instead.
3. For EU: Apply the EU MDR Annex VIII classification rules, in particular Rule 11 for software. Software that provides information used for diagnostic decisions is at least Class IIa, and Class IIb if those decisions could cause serious deterioration of health, so justify your choice explicitly rather than assuming IIa. Draft an outline for the Technical File (Annex II and III).
4. For both: Identify the key standards (ISO 13485, IEC 62304, ISO 14971) and list 3-5 critical tests required, e.g., standalone performance testing against an independent ground-truth dataset, clinical validation, software verification and validation per IEC 62304, and cybersecurity testing (threat model, SBOM, penetration test).
Intermediate
Case Study/Exercise

Cross-Border Data Flow Incident Response

Scenario

Your EU-based cloud platform, hosting a SaMD's training data (anonymized patient images from Germany), is accessed by a US-based developer team during a debug session. A suspected data breach occurs.

How to Execute
1. Triage: Activate the incident response plan. Determine whether the images are truly anonymized (no longer personal data, so outside GDPR) or only pseudonymized (still personal data, and special-category health data). A re-identification risk assessment is the deciding evidence here, not the label on the bucket.
2. GDPR Assessment: If the data is personal data, the 72-hour clock under Article 33 starts when the controller becomes aware of the breach, not when the investigation concludes. Notify the competent supervisory authority; for a private company in Germany that is the data protection authority of the Land where the controller is established, not the BfDI (which supervises federal bodies), and if the controller's main establishment is elsewhere in the EU the lead authority under the one-stop-shop applies. Assess whether Article 34 requires notifying data subjects (high risk to their rights), and whether the US team's access was an international transfer under Chapter V that lacked a transfer mechanism.
3. HIPAA Assessment: HIPAA applies only if the data is held by a US covered entity or its business associate; German patient images hosted by an EU controller are usually not PHI. If HIPAA does apply, run the four-factor risk assessment of the Breach Notification Rule and determine whether notification to the affected individuals, HHS, and (above 500 individuals) the media is required.
4. Draft a unified remediation and communication plan for both legal teams, including the technical evidence (access logs, data inventory, re-identification analysis) each notification will rest on.
Advanced
Case Study/Exercise

Strategic QMS Integration for AI/ML Lifecycle

Scenario

As Head of Regulatory, you must integrate a continuous learning AI/ML model update pipeline into your company's ISO 13485 Quality Management System (QMS) without stifling innovation.

How to Execute
1. Design a change control board process with pre-defined algorithmic change thresholds that trigger a regulatory re-submission (e.g., a drop in sensitivity or specificity beyond X percentage points on the locked validation set, a change in training data source or population, or any change to intended use). Changes inside the thresholds proceed under the pre-specified plan; anything outside goes to the board.
2. Create a 'Living Design History File' that auto-captures versioned datasets, model architectures, and validation reports from the MLOps platform, with content hashes so that each model version can be tied to the exact data and evidence it was validated on.
3. Establish a 'Regulatory Sandbox' protocol with your Notified Body or FDA reviewer to agree the update methodology up front. With the FDA this is done through a Pre-Submission (Q-Sub) and, in the marketing submission, a Predetermined Change Control Plan (PCCP), the current form of the SPS/ACP concept.
4. Document the entire framework in a new SOP and train R&D, QA, and Regulatory Affairs teams.
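The change-control gate and the hash-linked DHF record from steps 1 and 2 above (and the 'compliance as code' pipeline gate mentioned in the learning path) are concrete enough to show in code. The block below is an added example, not part of the page or of any vendor's MLOps product; the metric names, the thresholds in the protocol, and the artifact layout are hypothetical stand-ins for what a real pre-specified change protocol would define.

```python
"""Added example: a 'compliance as code' change-control gate for an AI/ML SaMD
update pipeline, plus a hash-linked audit record for a living DHF.
Thresholds, metric names and artifacts are hypothetical (assumed for the example)."""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ChangeProtocol:
    """Pre-specifications agreed with the regulator (hypothetical values)."""
    max_drop: dict      # metric -> largest tolerated decrease vs. the locked baseline
    min_value: dict     # metric -> absolute floor the candidate must still meet
    required_artifacts: tuple = ("model", "dataset_manifest", "validation_report")


# Assumed protocol: sensitivity may not fall by more than 1 point and never below 0.90;
# specificity may not fall by more than 2 points and never below 0.80.
DEFAULT_PROTOCOL = ChangeProtocol(
    max_drop={"sensitivity": 0.01, "specificity": 0.02},
    min_value={"sensitivity": 0.90, "specificity": 0.80},
)


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def evaluate_change(baseline: dict, candidate: dict, protocol: ChangeProtocol = DEFAULT_PROTOCOL):
    """Return (within_plan, findings).

    within_plan is True only if every pre-specified metric is present, has not dropped
    beyond its tolerance, and stays above its floor; otherwise the findings list what
    failed and the update must go to the change control board / re-submission."""
    findings = []
    for metric, limit in protocol.max_drop.items():
        if metric not in baseline or metric not in candidate:
            findings.append(f"{metric}: missing from validation report")
            continue
        delta = candidate[metric] - baseline[metric]
        if delta < -limit:
            findings.append(f"{metric}: dropped {-delta:.3f}, tolerance {limit:.3f}")
    for metric, floor in protocol.min_value.items():
        if metric in candidate and candidate[metric] < floor:
            findings.append(f"{metric}: {candidate[metric]:.3f} below floor {floor:.3f}")
    return (not findings, findings)


def build_audit_record(version: str, artifacts: dict, baseline: dict, candidate: dict,
                       protocol: ChangeProtocol = DEFAULT_PROTOCOL) -> dict:
    """Living-DHF entry: content hash of every artifact plus the gate decision.

    Refuses to record a change whose required evidence is missing, so an incomplete
    entry can never reach the log. The record carries its own hash over the canonical
    JSON so later edits to the log are detectable."""
    missing = [a for a in protocol.required_artifacts if a not in artifacts]
    if missing:
        raise ValueError(f"cannot record change without artifacts: {missing}")
    within_plan, findings = evaluate_change(baseline, candidate, protocol)
    record = {
        "model_version": version,
        "recorded_at": datetime.now(timezone.utc).isoformat(),
        "artifact_sha256": {name: sha256_of(blob) for name, blob in artifacts.items()},
        "baseline_metrics": baseline,
        "candidate_metrics": candidate,
        "decision": "release_under_plan" if within_plan else "hold_for_change_control",
        "findings": findings,
    }
    record["record_sha256"] = sha256_of(json.dumps(record, sort_keys=True).encode())
    return record


def verify_audit_record(record: dict) -> bool:
    """Recompute the record hash; False means the entry was altered after logging."""
    body = {k: v for k, v in record.items() if k != "record_sha256"}
    return sha256_of(json.dumps(body, sort_keys=True).encode()) == record.get("record_sha256")


# Constructed sample inputs (not real validation data or real artifacts).
BASELINE = {"sensitivity": 0.940, "specificity": 0.850}
CANDIDATE_OK = {"sensitivity": 0.945, "specificity": 0.840}     # inside the plan
CANDIDATE_DRIFT = {"sensitivity": 0.920, "specificity": 0.860}  # sensitivity fell 2 points
ARTIFACTS = {
    "model": b"constructed placeholder for serialized model weights",
    "dataset_manifest": b"img_0001.png 3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b\n",
    "validation_report": json.dumps(CANDIDATE_OK).encode(),
}

if __name__ == "__main__":
    print(json.dumps(build_audit_record("2.1.0", ARTIFACTS, BASELINE, CANDIDATE_OK), indent=2))
    print(evaluate_change(BASELINE, CANDIDATE_DRIFT))
```

The point of the gate is that the decision is mechanical and recorded: a candidate that passes the pre-specified bounds is released under the plan, and one that fails is held with the specific finding attached, so the change control board sees exactly which pre-specification was breached rather than a free-text summary.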

Tools & Frameworks

Regulatory Frameworks & Standards

FDA SaMD Pre-Specifications (SPS) & Algorithm Change Protocol (ACP), now formalized as the Predetermined Change Control Plan (PCCP)
ISO 13485:2016 (Medical devices - QMS)
IEC 62304:2006+AMD1:2015 (Software lifecycle)
EU MDR 2017/745 Annex VIII (classification), IX, XI, XII (conformity assessment)

These are the primary rulebooks. SPS/ACP, and the PCCP that superseded the terminology in FDA guidance, govern how a pre-specified range of changes to an adaptive algorithm can be made without a new submission; anything outside the plan is a locked-algorithm change and is handled through normal change control. ISO 13485 is the backbone QMS (and is incorporated by reference into the FDA's Quality Management System Regulation). IEC 62304 details software development rigor. EU MDR Annexes define classification and the conformity assessment routes.

Documentation & Submission Tools

FDA eSTAR Template
EU MDR Technical File Structure (per Notified Body)
GDPR Data Protection Impact Assessment (DPIA) Template
HIPAA Security Rule risk analysis guidance (NIST SP 800-66 Rev. 2)

eSTAR is the FDA's structured electronic submission template, mandatory for 510(k) submissions since October 2023 and being extended to other submission types. The Technical File content is mandated by MDR Annex II and III; Notified Bodies add their own structure and checklists. DPIAs are legally required under GDPR Article 35 for high-risk processing, which includes large-scale processing of health data. NIST SP 800-66 Rev. 2 is guidance, not a tool: it provides a structured method for the risk analysis the HIPAA Security Rule requires.

Quality & Risk Management Methodologies

ISO 14971:2019 (Application of risk management to medical devices)
FMEA (Failure Modes and Effects Analysis)
Traceability Matrix (Requirements to Testing)
Post-Market Surveillance (PMS) & PMCF Plan

ISO 14971 provides the formal risk management process. FMEA is one hazard-analysis technique used within it (ISO 14971 does not prescribe a particular technique; ISO/TR 24971 discusses the options). Traceability matrices prove requirement fulfillment to auditors, and for AI/ML devices should extend from requirements through validation datasets to model versions. PMS and PMCF (post-market clinical follow-up) are mandatory post-market processes under the MDR to monitor real-world performance, which for a learning model includes monitoring for performance drift.

Interview Questions

Answer Strategy

The interviewer is testing for structured, parallel pathway thinking and specific process knowledge. Use a framework: 1) Classification (FDA risk category vs. EU MDR rule), 2) Predicate/Equivalence Strategy (FDA 510(k) vs. EU Clinical Evaluation), 3) QMS Foundation (both require ISO 13485, but emphasis differs), 4) Key Deliverables (eSTAR vs. Technical File), 5) Post-Market. Sample: 'I'd start by aligning the intended use to define classification: for the FDA, using the SaMD risk matrix, and for the EU, applying MDR Annex VIII rules. The predicate strategy for a 510(k) would be mirrored by building a clinical evaluation report for EU MDR Annex XIV. The common backbone is our ISO 13485 QMS, but I'd ensure our technical file incorporates IEC 62304 for software rigor and ISO 14971 for risk management. For submission, I'd prepare an FDA eSTAR package and a separate, notified-body-specific technical file. Post-market, the FDA's Quality System Regulation and the EU's PMCF requirements would run in parallel under one surveillance system.'

Answer Strategy

Testing for proactive risk identification across multiple domains. Answer must cover GDPR, SaMD regulatory status, and QMS impact. Sample: 'Three critical assessments: First, under GDPR, this constitutes new, regular processing of special category data (health data). We'd need a lawful basis (likely Article 9(2)(h) for healthcare) and must conduct a mandatory DPIA. Second, from an FDA/MDR perspective, if the model is no longer 'locked,' this triggers the Algorithm Change Protocol for the FDA and may require a significant change notification to our Notified Body, potentially necessitating a new conformity assessment. Third, operationally, this monthly retraining must be integrated into our validated QMS process for software updates, with full traceability from new data inputs to model performance metrics.'
