Navigating Regulatory Requirements When Developing Next-Gen Medical Devices

May 27, 2026 Lieneke Hodnett


This article is based on our recent webinar, 'Cybersecurity, AI, and PCCPs: Navigating Regulatory Requirements When Developing Next-Gen Medical Devices', in which S3 Connected Health's John O'Gorman, Principal Technology Officer – Cybersecurity & Data Analytics, and Padraig Maguire, Head of Quality & Regulatory Affairs, shared practical, actionable guidance on the most important regulatory topics shaping next-generation devices and solutions.

Cybersecurity, and increasingly AI considerations, are becoming an ever more prominent feature of medical device regulation. What were once considered separate technical or operational concerns are now becoming a central component of regulatory review, product development, and post-market oversight.

Historically, medical device risk management focused almost entirely on patient safety and harm. As a result, cybersecurity risks were often difficult to address because they did not always map directly to immediate patient harm and therefore did not fit neatly into traditional safety risk frameworks.

Over time, the industry introduced a clearer separation between safety risks and security risks, creating dedicated cybersecurity risk management processes alongside traditional patient safety registers. While security risks still need to inform safety where appropriate, treating cybersecurity as its own discipline has allowed companies to build more secure devices overall, rather than forcing every issue through a purely patient-harm lens.

AI is now emerging as a new, distinct risk domain. Just as the industry had to learn how to manage cybersecurity risks, organizations will increasingly need frameworks for handling AI-specific risks while still ensuring they integrate appropriately with broader safety and security processes.

 

AI medical devices are still medical devices

The key point to remember is that AI does not sit outside existing medical device regulations. AI-enabled devices are generally treated as software as a medical device (SaMD) and must comply with the same core standards and regulations that govern traditional medical devices, including FDA and EU MDR requirements. Standards covering software development, usability, validation, and risk management still apply.

Where AI adds another level of complexity is in its dependence on data. For AI systems, the quality, source, management, and ongoing maintenance of training data become central to both performance and regulatory scrutiny. Algorithm training and real-world performance monitoring introduce additional lifecycle considerations regarding data governance that are not typically seen in a standard medical device.

Additionally, unlike traditional software, AI models can degrade over time as they encounter new clinical conditions or changing datasets in real-world environments. As a result, regulators increasingly expect manufacturers to implement continuous post-market monitoring processes to ensure ongoing safety and performance after deployment.

 

Practical advice for developers incorporating AI into their medical devices

As regulators gain more experience reviewing AI-enabled medical devices, one message is becoming increasingly clear: successful submissions depend less on isolated technical controls and more on having a mature, end-to-end development and governance process. Some key tips include:

Assess risk early and often: Know your AI system's risk classification. Understand which processes or outputs could affect patient safety, data integrity, or clinical decision-making.

Stay connected with regulators: Regular communication with regulatory bodies ensures you are on top of guidance changes and expectations. Don't wait until submission time to ask questions.

Develop robust compliance frameworks: Keep clear documentation of design, testing, risk management, and monitoring procedures. This is your safety net and your roadmap for audits.

Plan for third-party assessments: Independent evaluations of your AI system, especially for high-risk devices, help verify reliability and demonstrate due diligence.

Engage clinicians early: Clinicians aren't just users – they're your quality control. Get their input in design, validation, and deployment to make sure the tool works safely in real workflows.

Follow ISO-based quality principles: Leverage standards such as ISO 23894 & AAMI 34971 for AI risk management and ISO 42001 for management systems. These frameworks give structure to processes and help ensure long-term safety.

Predetermined Change Control Plans (PCCPs)

If you work with medical devices, it’s almost guaranteed that the devices you build today will need improvements down the line. Updates happen, algorithms improve, and user needs evolve. To help streamline this process — and to spare companies from seeking new clearance every time an update rolls out — the FDA introduced the Predetermined Change Control Plan, or PCCP.

A PCCP is, at its core, a pre-agreed plan for future changes to a medical device. Normally, certain modifications would require a fresh FDA submission. With a PCCP, a company can map out the specific, clearly defined updates it plans to make later, along with the testing and data that will support those updates, even though these are changes that would otherwise generally require an FDA submission. Once the FDA approves that plan, future changes that fall within the boundaries of the PCCP can occur without requiring the filing of a new 510(k), PMA, or De Novo each time.

“One of the major advantages of AI/ML systems is that model performance can continue to improve over time through iterative updates. By retraining models using new real-world data from the intended use population, manufacturers can continuously refine performance post-market. A PCCP provides a structured mechanism for implementing those updates safely and compliantly once the device is already in the field.”

Padraig Maguire, Head of Quality & Regulatory Affairs, S3 Connected Health

The cybersecurity foundations of next-gen medical devices

Although AI-enabled devices are creating new regulatory and technical challenges, manufacturers cannot lose sight of the broader cybersecurity foundations that underpin modern medical device development. AI-specific controls are important, but they ultimately sit within a much larger framework of lifecycle security, threat management, documentation, testing, and post-market oversight, and the following should be considered:

Treat cybersecurity as a full-lifecycle activity: It cannot be bolted on at the end of development. It needs to be integrated from the earliest design stages through post-market monitoring and long-term maintenance.

Start thinking about security during requirements and architecture design: Security decisions made early, especially around hardware, connectivity, and system architecture, can have ramifications for years. Manufacturers should define security requirements alongside business and clinical requirements from the start.

Build security into risk management and threat modelling: Manufacturers should identify attack surfaces, conduct security risk management, and develop threat models to understand how devices could be compromised before moving into testing and validation.

Plan for legacy devices and long product lifecycles: Medical devices often remain in the field for many years, including devices built before modern security capabilities existed. Companies need strategies for securing older hardware and updating deployed systems over time.

Maintain complete cybersecurity records for years: Companies should retain not only final reports, but also the raw testing data behind them. The FDA is increasingly requesting historical raw data from penetration tests conducted several years earlier.

Make submissions clear and readable: As submissions become more detailed and complex, documentation clarity becomes critical. Regulators need a coherent, intelligible narrative they can follow easily in both written documentation and oral discussions. We are also seeing signs that AI tools are increasingly used during submission review. Documentation, therefore, needs to be structured clearly enough for both human reviewers and machine-assisted analysis.

 

To dive deeper into these insights and gain expert guidance, access the full webinar now. Hear from cybersecurity and regulatory experts from S3 Connected Health as they provide practical guidance covering cybersecurity, AI, and PCCPs, and clear frameworks aligned with FDA, EU MDR, EU AI Act, ISO/IEC standards and global expectations.