Skill Guide

Regulatory science: FDA SaMD framework, IEC 62304, IVDR compliance for AI diagnostics

A multidisciplinary field focused on navigating the regulatory pathways for software with a medical purpose, encompassing the US FDA's SaMD risk categorization, the international IEC 62304 software lifecycle standard, and the EU's In Vitro Diagnostic Regulation (IVDR) for AI-based diagnostic tools.

This skill is critical for transforming innovative AI diagnostics into legally marketable medical devices, directly impacting a company's time-to-market, mitigating regulatory risk, and ensuring patient safety. It bridges the gap between software engineering and regulatory affairs, enabling compliant global commercialization.
1 Careers
1 Categories
9.2 Avg Demand
15% Avg AI Risk

How to Learn Regulatory science: FDA SaMD framework, IEC 62304, IVDR compliance for AI diagnostics

1. Master the core regulatory frameworks: FDA's SaMD guidance (IMDRF risk categories), IEC 62304 software development lifecycle processes, and the EU IVDR classification rules for IVDs.
2. Understand the definition of a 'medical device' and 'in vitro diagnostic' in each jurisdiction.
3. Learn the fundamental concepts of risk management (ISO 14971) and how it applies to software.

Apply frameworks to specific device scenarios. Practice: a) Mapping a software function (e.g., an AI model for diabetic retinopathy screening) to the correct FDA SaMD category and IVDR class, then drafting the intended use statement. b) Creating a traceability matrix linking software requirements to IEC 62304 safety classification and risk controls. Common mistake: Confusing the IEC 62304 software safety class (A, B, C) with a regulatory submission category.

Lead regulatory strategy for a novel AI/ML-based SaMD. This involves:
1. Designing a pre-submission (Q-Sub) meeting strategy with the FDA, including presenting the algorithm's Predetermined Change Control Plan (PCCP).
2. Architecting the Quality Management System (QMS) to simultaneously satisfy FDA 21 CFR 820, IEC 62304, and IVDR Annex IX requirements.
3. Negotiating with Notified Bodies (for IVDR) on clinical evidence requirements for adaptive algorithms.

Practice Projects

Beginner
Case Study/Exercise

Classification & Gap Analysis for a Hypothetical AI Diagnostic

Scenario

You are given a specification for 'SkinScan', an AI-powered smartphone app that analyzes images of skin lesions to suggest a risk score for melanoma. The company is based in the US and wants to sell in the EU.

How to Execute
1. Determine the FDA SaMD category (I, II, or III) and the IVDR class (A, B, C, D) based on the intended use and risk.
2. Identify key regulatory documents needed for a 510(k) or De Novo submission vs. an IVDR technical file.
3. Perform a high-level gap analysis: Does the development process as described meet IEC 62304 Level of Concern (now software safety class)? What key ISO 14971 risk controls are missing?

Intermediate
Project

Create a Regulatory Submission Outline for a SaMD

Scenario

Compile a submission-ready outline for a Class II SaMD (e.g., an ECG interpretation algorithm) for the FDA 510(k) pathway.

How to Execute
1. Draft the 510(k) cover letter and Indication for Use statement.
2. Outline the Software Description section per FDA's 'Content of a 510(k)' guidance, referencing IEC 62304 for software lifecycle documentation.
3. Create a summary table for the Clinical Performance Testing plan, specifying the standard (e.g., IEC 62304, IEC 62366 for usability).
4. Define the cybersecurity management plan outline per FDA's premarket cybersecurity guidance.

Advanced
Case Study/Exercise

Navigate a Regulatory Authority Inquiry Post-Market

Scenario

Your company's IIa-class AI-based in vitro diagnostic (under IVDR) for sepsis prediction is on the market. A Notified Body requests a Corrective Action Plan (CAPA) due to a performance drift detected in post-market surveillance data. Simultaneously, the FDA issues a warning letter citing inadequacies in your software change management process (IEC 62304 compliance).

How to Execute
1. Prioritize and triage the two regulatory actions. Develop a unified response strategy that addresses both the root cause and the specific deficiencies cited.
2. Draft a CAPA report for the Notified Body that includes an updated risk management file (ISO 14971) and a revised post-market clinical follow-up (PMCF) plan.
3. Formulate a detailed response to the FDA warning letter, outlining specific remediation steps for the software change control process, referencing IEC 62304 clauses, and proposing a third-party audit.

Tools & Frameworks

Regulatory Standards & Guidance Documents

FDA SaMD Guidance & IMDRF Framework, IEC 62304:2006/AMD1:2015, EU IVDR (EU) 2017/746, ISO 14971:2019 (Risk Management), IEC 62366-1:2015 (Usability Engineering)

These are the non-negotiable reference documents. The FDA and IVDR texts define legal requirements. IEC 62304 and ISO 14971 provide the specific engineering processes and risk management methodology expected by all regulators to demonstrate compliance.

Quality Management System (QMS) Software

Greenlight Guru, Qualio, MasterControl

Purpose-built QMS platforms for medical device companies. They are used to manage design controls (per 21 CFR 820), document software lifecycle processes (per IEC 62304), and maintain audit trails essential for regulatory submissions and Notified Body audits.

Technical & Submission Tools

Requirements Traceability Matrix (RTM) in Excel/Jira, FDA eSTAR/Predicate Device Search (AccessGUDID), EU EUDAMED Database

RTMs are critical for demonstrating traceability from requirements to verification/validation, a core IEC 62304 and design control requirement. The FDA and EU databases are used for competitive analysis, predicate searching, and checking device classification and registration status.

Interview Questions

Answer Strategy

The candidate must demonstrate a structured, parallel-path strategy. A strong answer: 'First, I would define the intended use precisely for both jurisdictions to determine FDA classification (likely De Novo or PMA) and IVDR class (likely Class C or D). For the FDA, the key challenge is the adaptive algorithm. I would propose a Predetermined Change Control Plan (PCCP) in the pre-submission to define the algorithm's update protocol and acceptance criteria, aiming for a post-market change pathway. For the EU, I would engage a Notified Body early to discuss the clinical evidence requirements under IVDR Annex XIII, focusing on performance studies and post-market surveillance plans for continuous learning. The technical file would need robust documentation of the algorithm's training, validation, and change control per IEC 62304 software safety class C.'

Answer Strategy

This tests influence and pragmatic communication. The core competency is translating regulatory necessity into engineering and business value. A strong response: 'I met with the team lead individually. I acknowledged the perception of overhead but reframed it: formal verification isn't just a checkbox; it's our primary defense against costly, late-stage defects and the only way to get FDA clearance. I used a past example where skipping it led to a 6-month delay in 510(k) review. Then, I collaborated with them to streamline the process, integrating verification tasks directly into their CI/CD pipeline and automating parts of the traceability matrix. This reduced their manual effort while ensuring compliance, which they appreciated.'