Findings
The traditional medical device regulatory paradigm is not designed for the adaptive nature of AI/ML technologies, which can learn and change after they are on the market. A key benefit of AI/ML is its ability to improve performance by learning from real-world data, but this also presents a unique regulatory challenge. To ensure patient safety and device effectiveness, a new, flexible regulatory framework is required that can accommodate these iterative improvements. Transparency and robust monitoring are essential to manage the risks associated with evolving algorithms.

Recommendations
The FDA proposes a "Predetermined Change Control Plan" (PCCP) to be included in premarket submissions. This plan would specify the anticipated modifications to the device (the "what") and the methodology for implementing and validating those changes (the "how"). The development of "Good Machine Learning Practice" (GMLP) is encouraged to ensure that AI/ML algorithms are developed and validated using best practices. Manufacturers should implement robust real-world performance monitoring to ensure that their devices remain safe and effective after deployment.

Regulatory Considerations
The FDA is developing a new regulatory framework tailored to the unique aspects of AI/ML-based SaMD, which will leverage a TPLC approach. The agency has issued an "AI/ML SaMD Action Plan" that outlines its multi-pronged approach, including issuing draft guidance on PCCPs and promoting the harmonization of GMLP. The FDA is actively collaborating with stakeholders to foster innovation while ensuring patient safety. The agency maintains a public list of authorized AI/ML-enabled medical devices to enhance transparency.

Findings
AI-enabled medical devices require robust risk assessment to address data drift, bias, and transparency challenges.
The total product lifecycle (TPLC) approach is essential for managing AI-enabled devices, ensuring continuous oversight and updates.
There is a need for improved standardization in AI model validation and performance monitoring to ensure consistency in regulatory submissions.
Effective data management practices, including dataset representativeness and bias control, are critical for AI model development.
Cybersecurity vulnerabilities in AI-enabled medical devices must be proactively addressed to prevent risks to patient safety and data integrity.

Recommendations
AI-enabled device manufacturers should integrate Good Machine Learning Practice (GMLP) principles throughout the device lifecycle.
Marketing submissions should include comprehensive documentation of AI model development, validation, and performance monitoring.
Developers should implement transparency measures, such as model interpretability and explainability, to enhance user trust and understanding.
AI models must undergo rigorous bias evaluation to ensure equitable performance across diverse patient populations.
A predetermined change control plan (PCCP) should be established to allow safe and effective AI model updates post-market without additional FDA submissions.

Regulatory Considerations
FDA encourages early engagement through the Q-Submission Program for AI-enabled device manufacturers.
Compliance with FDA-recognized consensus standards, such as ANSI/AAMI/ISO 14971 for risk management, is recommended.
AI-enabled devices must meet labeling requirements, ensuring that users clearly understand model inputs, outputs, and performance metrics.
Post-market surveillance and continuous monitoring of AI model performance are necessary to ensure ongoing safety and effectiveness.
Cybersecurity measures must be included in regulatory submissions, detailing safeguards against data breaches and unauthorized model modifications.

Findings
The document introduces a risk-based credibility assessment framework for establishing and evaluating the credibility of an Artificial Intelligence (AI) model's output when used to support regulatory decisions regarding drug safety, effectiveness, or quality. The framework outlines a 7-step process beginning with defining the question of interest and the Context of Use (COU). Credibility is defined as trust, established through evidence, in the AI model's performance for a particular COU. The credibility assessment is tailored to the AI model risk, which is a combination of model influence (the AI model's evidence contribution relative to other evidence) and decision consequence (the significance of an adverse outcome from an incorrect decision). The document highlights challenges with AI use, including variability in development datasets (training/tuning), the need for methodological transparency due to model complexity, difficulty in quantifying and interpreting uncertainty in model output, and the potential for performance change over time (data drift), which necessitates life cycle maintenance.

Recommendations
Sponsors and interested parties should define the question of interest and clearly define the COU, detailing the AI model's specific role and scope and whether other information will be used. They should assess the AI model risk (low, medium, or high) to ensure that subsequent credibility assessment activities (Step 4) are commensurate with that risk and tailored to the COU. For Step 4, the credibility assessment plan should include a description of the model, model development process (including inputs, architecture, feature selection, and rationale), and data used (training and tuning data). Development data must be deemed fit for use (relevant and reliable) to mitigate issues like algorithmic bias. The plan should also detail the model evaluation process using independent test data and include performance metrics with confidence intervals, an estimate of uncertainty, and a description of model limitations. Early engagement with the FDA is strongly encouraged to discuss model risk and the adequacy of the credibility assessment plan.

Regulatory Considerations
The risk-based credibility assessment framework is intended to help organize and document information for regulatory submissions. The required stringency of assessment activities and the level of documentation should be commensurate with the AI model risk. For AI models whose performance can change over time (e.g., in pharmaceutical manufacturing or postmarketing), sponsors must implement life cycle maintenance plans to monitor performance and manage changes in a risk-based manner. Changes to AI models should be evaluated through the manufacturer's change management system and may require re-execution of parts of the credibility assessment plan. Early engagement can be facilitated through formal meetings (e.g., Pre-IND) or other specialized programs listed in the guidance, such as the Center for Clinical Trial Innovation (C3TI), the Model-Informed Drug Development (MIDD) Paired Meeting Program, and the Emerging Technology Program (ETP) or Advanced Technologies Team (CATT).

Findings
Cybersecurity is an integral part of medical device safety and effectiveness, and manufacturers are responsible for addressing it throughout the entire device lifecycle. The FDA considers a device's cybersecurity as part of its benefit-risk assessment for both premarket and postmarket activities. A lack of robust cybersecurity controls can lead to patient harm, compromised device functionality, and breaches of data privacy. The dynamic nature of cybersecurity threats requires ongoing monitoring, risk management, and timely implementation of mitigation strategies.

Recommendations
Manufacturers should build cybersecurity into devices from the design phase ("secure by design") and conduct a thorough risk analysis to identify and mitigate potential vulnerabilities. Premarket submissions should include comprehensive documentation of the device's cybersecurity controls, a risk management plan, and a plan for postmarket surveillance and response. Manufacturers should establish a robust postmarket surveillance program to monitor for, identify, and address new cybersecurity threats in a timely manner. Clear and informative labeling is essential to help users understand and manage cybersecurity risks.

Regulatory Considerations
The FDA has the authority to take action against devices with inadequate cybersecurity that pose a risk to public health. The agency recommends that manufacturers use the Q-submission process to discuss specific cybersecurity questions related to their device submissions. Compliance with recognized standards and best practices for cybersecurity is strongly encouraged. Manufacturers must report certain cybersecurity incidents to the FDA as part of their postmarket reporting requirements. The FDA collaborates with other government agencies and stakeholders to promote a coordinated approach to medical device cybersecurity.

Findings
The use of Artificial Intelligence (AI) and Machine Learning (ML) is being applied to a broad range of drug development activities with the potential to accelerate the process and make clinical trials safer and more efficient. The inclusion of AI/ML is most common in the clinical development/research phase of regulatory submissions. Concerns exist that AI/ML algorithms could amplify errors and preexisting biases in underlying data sources, which raises issues related to generalizability and ethical considerations. Other challenges include limited explainability due to model complexity and proprietary reasons, as well as managing risks related to data quality, reliability, and representativeness. The FDA recognizes that a careful, risk-based assessment of the specific context of use (COU) is needed when evaluating AI/ML.

Recommendations
Stakeholders should adhere to practices in three key areas: human-led governance, accountability, and transparency; quality, reliability, and representativeness of data; and model development, performance, monitoring, and validation. A risk management plan should be applied to identify and mitigate risks based on the COU, guiding the level of documentation and transparency. Practices are needed to ensure the integrity of AI/ML and address issues like bias and missing data. For models, developers should use pre-specification steps and clear documentation for development and assessment criteria. Models must be monitored over time for reliability and consistency, and Real-World Data (RWD) performance can provide valuable feedback, including for potential re-training.

Regulatory Considerations
The FDA encourages early engagement through mechanisms like the Critical Path Innovation Meetings (CPIM), ISTAND Pilot Program, and Emerging Technology Program to discuss relevant AI/ML methodologies or technologies. The Verification and Validation (V&V 40) risk-informed credibility assessment framework and the principles for Good Machine Learning Practices (GMLP), while not specific to drug development, are helpful guides for evaluating models. The industry is exploring the use of a Predetermined Change Control Plan (PCCP) mechanism for AI/ML-based devices to proactively specify and manage modifications, enhancing adaptability. In general, a risk-based approach should guide the level of evidence and record keeping needed for the verification and validation of AI/ML models for a specific COU.

Findings
Enhanced documentation is required for high-risk device software where flaws could result in serious injury or death.
Risk management plans should include robust risk assessments, including residual risk evaluations.
Verification and validation activities are critical to confirm software functionality and mitigate risks.
The lack of traceability between software design and requirements can undermine device safety and effectiveness.
Unresolved software anomalies must be carefully documented and justified based on a risk assessment.

Recommendations
Use a risk-based approach to determine whether basic or enhanced documentation levels are required for premarket submissions.
Include comprehensive risk management documentation, detailing hazard identification, risk control measures, and residual risk evaluations.
Provide detailed system and software architecture diagrams, highlighting relationships between modules and external systems.
Document unresolved software anomalies and justify their impact on safety and effectiveness using a risk-based rationale.
Align software development, configuration management, and maintenance practices with FDA-recognized standards like ANSI/AAMI/IEC 62304.

Regulatory Considerations
Adherence to 21 CFR Part 820 Quality System regulations, emphasizing design controls and risk management.
Submission of risk management files and unresolved software anomalies as part of premarket documentation.
Use of system and software architecture diagrams to demonstrate software functionality and risk mitigation.
Implementation of cybersecurity measures as part of software validation and risk management processes.
Documentation of premarket changes and interactions between device functions and external systems, particularly in multi-function devices.

Findings
Cybersecurity threats in healthcare are increasingly frequent and severe, posing risks to device safety and clinical care.
Many vulnerabilities arise from third-party software components and interconnected device ecosystems.
Legacy devices often lack adequate cybersecurity controls, leading to increased patient and organizational risks.
Cybersecurity risk management processes must integrate safety and security assessments throughout the device lifecycle.
Transparency in device cybersecurity is crucial for enabling safe integration and use by healthcare providers and end users.

Recommendations
Implement a Secure Product Development Framework (SPDF) for comprehensive cybersecurity throughout the product lifecycle.
Include a Software Bill of Materials (SBOM) for all premarket submissions to track software dependencies and vulnerabilities.
Perform robust cybersecurity testing, including penetration testing and vulnerability assessments.
Enhance device labeling with clear cybersecurity-related instructions and risks for users.
Develop a coordinated vulnerability disclosure plan for postmarket cybersecurity management.

Regulatory Considerations
Adherence to 21 CFR Part 820 Quality System regulation requirements, including design controls and risk management.
Compliance with Section 524B of the FD&C Act for cybersecurity of cyber devices.
Submission of SBOMs and detailed security risk management reports for premarket applications.
Provision of cybersecurity information as part of device labeling to prevent misbranding under Section 502 of the FD&C Act.
Integration of security testing and validation as part of the FDA review process.

Findings
OTS software introduces unique risks due to its general-purpose design and lack of lifecycle control by medical device manufacturers.
Comprehensive testing and risk management are essential to mitigate safety hazards associated with OTS software in medical devices.
Regular updates and maintenance are critical for managing obsolescence and ensuring long-term safety and effectiveness of OTS components.
Networking and interoperability of OTS software pose additional risks related to data integrity, cybersecurity, and scalability.
Enhanced documentation is required for high-risk devices incorporating OTS software, especially those involving AI or ML functionalities.

Recommendations
Provide comprehensive descriptions of OTS software, including version details and system specifications.
Conduct thorough risk assessments and include mitigation plans in premarket submissions.
Perform rigorous testing, including integration and regression testing, for OTS software components.
Establish mechanisms for continued maintenance, support, and version control of OTS software.
Ensure that device labeling includes warnings and specifications related to OTS software compatibility and restrictions.

Regulatory Considerations
Adherence to 21 CFR Part 820 Quality System regulations, including design controls and purchasing controls for OTS software.
Submission of a risk management file and traceability documentation linking risks, design requirements, and testing outcomes.
Compliance with premarket submission requirements, including 510(k), IDE, and PMA applications, as applicable.
Use of device labeling to communicate hardware and software compatibility and restrictions to users.
Development of beta testing and investigational plans for clinical studies involving OTS software.

Findings
Pre-Submissions (Pre-Subs) allow submitters to obtain FDA feedback on specific questions before submitting formal IDEs, 510(k)s, PMAs, or other applications. Early feedback can improve submission quality and streamline the review process.
Submission Issue Requests (SIRs) provide a mechanism for addressing issues raised in FDA hold letters (e.g., 510(k) deficiencies) to help expedite resolutions.
Study Risk Determinations help sponsors clarify whether clinical studies are significant risk (SR), non-significant risk (NSR), or exempt from IDE regulations.
Informational Meetings are non-feedback sessions aimed at familiarizing FDA staff with new devices or sharing updates on ongoing development.
The program encourages timely submissions, including supplements for ongoing discussions and amendments to update materials.

Recommendations
Clearly define the purpose and goals of the Q-Sub in the submission to facilitate effective FDA review.
Include specific, well-formulated questions that focus on a limited number of topics to ensure actionable feedback.
For Pre-Subs, align planned testing and submissions with FDA guidance and include detailed device descriptions, testing protocols, and relevant background information.
Use SIRs to discuss proposed solutions to deficiencies raised in FDA hold letters, focusing on timely resolution.
Draft and submit meeting minutes promptly (within 15 days of meetings) to ensure accurate documentation of FDA feedback.

Regulatory Considerations
Submitters should adhere to the timelines specified for different Q-Sub types, including 70 days for Pre-Sub feedback or 21 days for SIRs submitted promptly after a hold letter.
Q-Subs should include all relevant regulatory history and references to prior FDA communications to streamline the review process.
FDA feedback through the Q-Sub program is non-binding and based on the information available at the time; subsequent submissions must align with the provided feedback to maintain consistency.
Informational Meeting requests should clearly state that feedback is not expected and may be used to track interactions outside other formal Q-Sub types.
Confidentiality of Q-Subs is maintained in compliance with FDA’s disclosure regulations and the Freedom of Information Act (FOIA).

Findings
Regulation exists to ensure the safety and effectiveness of digital health products and to protect the public from potential risks. Engaging with the FDA throughout product development, even though it may seem burdensome, offers valuable benefits such as shared understanding of requirements, faster outcomes, enhanced efficiency in the review process, and built trust with regulators and the public. Working with the FDA is crucial for understanding a device's risk classification and applicable regulatory requirements.

Recommendations
Developers should follow a three-step approach for successful interaction:
EARLY: Start interacting with the agency as early as possible in development, ensuring the intended use and some basic product functionalities are defined.
OFTEN: Maintain communication, especially if new product features, design changes, or changes to how the product will be used occur, to ensure the FDA's advice remains accurate.
TRANSPARENT: Be honest and upfront about the product, evidence, testing plans, and data.
For both "non-written" (meetings) and "written" communications, best practices include:
Preparation: Define the purpose, have specific goals and questions, and prepare a well-planned meeting package (including supporting documentation and data) in advance.
Format and Tone: Select the right type of interaction for the goal, use a professional tone, and communicate clearly, concisely, and with proper formatting.
Follow-up: Respond to all FDA requests promptly and accurately, as delays can result in regulatory action.

Regulatory Considerations
Manufacturers must be familiar with and in compliance with relevant FDA guidance and regulations. Developers should present their argument for a product's regulatory category but must understand that the FDA determines the final regulatory status and obligations. It is critical to avoid providing false or misleading claims or withholding important information, as failure to cooperate or address concerns raised by the FDA can lead to penalties or failure to clear/approve the product for marketing. All communications may be subject to Freedom of Information requests and could become public

Findings
The QS regulation under 21 CFR Part 820 has been effective but requires updates to align with global standards like ISO 13485.
Adopting ISO 13485 will harmonize FDA requirements with international practices, benefiting manufacturers that sell devices globally.
FDA’s proposed amendments retain some unique provisions to ensure alignment with the Federal Food, Drug, and Cosmetic Act (FD&C Act).
The incorporation of risk management principles throughout the product lifecycle is more explicit in ISO 13485 than in the current QS regulation.
The proposed changes are expected to reduce regulatory burdens and enhance device quality and accessibility.

Recommendations
Align quality management systems with ISO 13485 to ensure compliance with both U.S. and international regulatory requirements.
Establish documentation processes that meet FDA’s additional requirements, such as those for traceability and complaint handling.
Incorporate risk management throughout the device lifecycle, as emphasized in ISO 13485.
Manufacturers should train personnel and update their systems to comply with the new requirements within the proposed one-year transition period.
Provide comments on the proposed rule to FDA before the deadline to address any potential concerns or suggestions for improvement.

Regulatory Considerations
The proposed rule incorporates ISO 13485:2016 by reference and aligns FDA’s QS regulation with international QMS standards.
FDA-specific requirements include:
Traceability for certain life-supporting devices.
Documentation of unique device identifiers (UDI) in compliance with FDA’s regulations.
Complaint handling and servicing records that meet FDA standards.
FDA inspections will not issue ISO 13485 certifications but will assess compliance with the proposed Quality Management System Regulation (QMSR).
Manufacturers must continue to comply with existing FDA regulations where conflicts with ISO 13485 arise.

Findings
Patient-Reported Outcome (PRO) instruments are a type of Clinical Outcome Assessment that provides valid scientific evidence for regulatory and healthcare decision-making regarding medical devices. The FDA encourages the integration of patient perspectives throughout the Total Product Lifecycle (TPLC). PRO instruments can be used to measure the effects of a medical intervention, including the impact on patient well-being and Health-Related Quality of Life (HRQOL). The validity evidence needed to support a PRO instrument's use is determined by its specific Context of Use (COU) and role (e.g., primary, secondary endpoint) in the clinical study protocol. To be "fit-for-purpose," a PRO instrument must measure a Concept of Interest (COI) that is meaningful to patients and whose measurement is supported by evidence that is consistent with the intended use population.

Recommendations
Sponsors should establish and clearly define the Concept of Interest (COI) the PRO instrument is intended to capture. It is recommended that sponsors clearly identify the role of the PRO (e.g., primary, secondary, effectiveness, safety) in the clinical study protocol and statistical analysis plan. The development or modification of PRO instruments should measure concepts important to patients to reduce unnecessary patient burden and ensure the outcomes are relevant to a patient's daily lived experience. Cognitive interviews should be conducted to ensure the instrument's instructions and items are understandable to the intended use population, including patients with limited English language proficiency. Sponsors are encouraged to leverage existing PRO instruments (by using them as-is, modifying, or adapting) as a least burdensome approach to take advantage of existing validity evidence. Alternative approaches, such as using Real-World Data (RWD) platforms or conducting parallel development work during clinical studies, are encouraged to efficiently generate validity evidence.

Regulatory Considerations
The FDA encourages sponsors to engage with the Agency regarding the relevance and suitability of a proposed PRO instrument early in the development process, prior to the Investigational Device Exemption (IDE) submission or pivotal study. The Q-Submission program is the recommended pathway for sponsors to obtain feedback from the FDA regarding cognitive interview approaches and the modification or adaptation of existing instruments. The Agency uses the fit-for-purpose concept as a flexible approach to determine the validity evidence needed for a PRO instrument's specified use for a regulatory purpose. The use of PRO instruments that have been qualified under the Medical Device Development Tools (MDDT) program is encouraged. Sponsors should prospectively specify the intent to generate validity evidence in the clinical study protocol and statistical analysis plan, even if the evidence will only support future studies.