Madhuri Iyer

📃 Lets talk CDS -- The Clinical Decision Support (CDS) Software guidance update introduced some 🩻radiology-specific clarifications regarding the device boundaries (these changes are from the first Jan 6 2026 update; see item 3 for comment on new Jan. 29 update😏). Three general "call outs" standout from this lens: 1️⃣ Finalized Radiologist Findings A major addition in the Jan. 6 CDS (still in the current) was the explicit mention of software that interacts with finalized radiologist findings (text-based reports or dictated findings). FDA clarifies that software analyzing a radiologist’s clinical findings to generate a proposed summary for a report or a diagnostic recommendation (i.e. impressions) may fall under enforcement discretion or be considered a non-device. The Condition: For this to remain outside of device regulation, the software must not analyze the underlying medical image (Criterion 1). Instead, it must rely on the "medical information" (Criterion 2) provided by the human expert. This change appears intended to support the use of genAI to synthesize existing human-interpreted data without the tool itself performing the primary "diagnosis" from the raw image. However, please be careful out there and not forget the purpose of impressions... (ACR guidance linked in comments). 2️⃣ Cleared Radiology Outputs The Jan. 6 (and current) guidance addresses the use of outputs from other already-cleared medical devices (such as CADe or CADx software) as inputs for a CDS tool. Reaffirmation of Criterion 1: The FDA maintains that any function that acquires, processes, or analyzes a medical image (e.g., CT, MRI, X-ray) remains a device. However, the update clarifies that if a CDS tool takes the processed output (e.g., a discrete score or finding) from a cleared radiology device and uses it as "medical information about a patient" to provide a recommendation, it may be viewed differently than software that analyzes the image itself. This may allow "well-understood" outputs to be treated as medical information to potential foster "non-device" clinical workflows. 3️⃣ Time-sensitive elimination? The "newest"/second January update (Jan. 29) strikes out time-sensitive decision making from select components. However, don't move too fast on your take-away. Criterion 4 still explicitly states: "FDA does not consider software functions intended for a critical, time-sensitive task or decision to meet Criterion 4, because an HCP is unlikely to have sufficient time to independently review the basis of the recommendations." Additionally, note that the phrasing remains listed in the device examples starting on page 22 - see examples 4, 9, 11, and 22-29; definitely not a clean elimination. Takeaway: do not misinterpret the removal - its a minor update from the Jan. 6 guidance, but its a little odd considering the remaining text. 🛑 Summary: Keep in mind that all four criterion must be met to be non-device CDS, so always consider the full device context.

28

3 Comments

6 mistakes leading to MDR certification delays When developing medical software according to Medical Device Regulation, companies must undergo a conformity assessment. Yet, some manufacturers fall into the trap of overlooking compliance. This is a short list of most common mistakes that delays certification. 1. Not considering compliance from the beginning One of the most common mistakes we notice is that companies do not consider compliance from the beginning of the development process. Some manufacturers build medical software first and then think about regulatory requirements later. 2. Lack of defined intended use causing classification issues There are four classes of medical devices regulated by MDR – I, IIa, IIb, and III. Unfortunately, sometimes companies aren’t aware of which class their product belongs to or for which class they would like to aim. 3. Disregarding traceability MDR impose traceability requirements on medical device software manufacturers. Meaning that a manufacturer should document every step taken during the development process (and, of course, later during maintenance). 4. Ignoring the risk analysis Risk analysis (as demanded in ISO 14971) is a crucial aspect of developing medical software, as potential misuse might result in the decline of health or, in some cases, even the death of the patient. 5. Lack of collaboration between teams We are well aware of the fact that regulatory affairs specialists and software developers think, work, and use language differently. 6. Rushing to meet deadline The last problem is the rush to meet deadlines at the expense of neglecting the processes of preparing medical software for conformity assessment. Some companies focus so strongly on getting the final product ready as quickly as possible that they overlook important documentation and regulatory elements. Happy to chat if you disagree with any of the above. Source: Revolve Healthcare blog.

23

2 Comments

A clean, structured DHF usually means the company has: A defined design control process Clear ownership of documents Version control discipline Traceability that’s actually maintainable under audit pressure In other words, it’s not just about neat folders—it’s a signal that the underlying quality system is functioning. On the flip side, that “chaotic DHF” view isn’t just messy—it’s a red flag for deeper issues: Competing “final” versions → weak document control Orphaned or duplicated requirements → broken traceability “Use this one” folders → tribal knowledge instead of controlled processes Mixed drafts and released docs → no clear design state And you already know where that leads during an audit: Inconsistent trace matrix Gaps between inputs → outputs → V&V Risk files that don’t align with requirements Painful sampling that snowballs fast That said, one nuance: a structured DHF doesn’t guarantee compliance—it just means they’ve made it possible. I’ve seen beautifully organized folders hiding weak technical content. But a chaotic DHF? That almost always correlates with real compliance problems, not just cosmetic ones.

6

🧠 One carousel. 14 questions. Expert answers. 1️⃣ What encryption fundamentals matter for medical device software? 2️⃣ What input is MHRA asking healthcare and AI stakeholders to contribute right now? 3️⃣ What problem in quality systems is “The Compliance Trap” trying to address? 4️⃣ What new escalation route is proposed for disputes with Notified Bodies under MDR/IVDR? 5️⃣ What does MDCG 2025-10 change about the way PMS data functions in practice? 6️⃣ What makes quality “take time” even with a compliant QMS? 7️⃣ What shifted between the 2022 and 2026 FDA CDS guidance interpretations? 8️⃣ What direction is FDA signaling for low-risk wellness wearables? 9️⃣ What does the history of childhood mortality show about vaccine impact? 🔟 What EU publication is being highlighted as a major 2025 deliverable for devices and IVDs? 1️⃣1️⃣ What new consolidated MDR/IVDR working documents did the Commission services prepare? 1️⃣2️⃣ What standards advanced through ISO TC121 activity in 2025? 1️⃣3️⃣ What final classifications did CDSCO publish for oncology devices under MDR 2017? 1️⃣4️⃣ What is the purpose of EMA’s COMBO Operational Group for combination products? Coming Up: ✅ Wed, Jan. 14 — 10:00 AM ET / 4:00 PM CET — MedTechUX: Conquering the Human (Merrill Zavod, PhD, ClariMed, Inc.) Register with one click: https://lnkd.in/gDwqE_dq ✅ Friday In-Focus, January 16, 2026 | 11:00 AM ET — 2026 Cybersecurity Priorities for MedTech, featuring Jose Bohorquez (CyberMed), focusing on practical cybersecurity expectations for medical devices in 2026, including encryption fundamentals, FDA security objectives, risk management alignment, and how teams can prepare for increasing regulatory scrutiny around software, connectivity, and post-market security. ✅ Thu, Jan. 22 — 10:00 AM ET / 4:00 PM CET — 2026 Regulatory Roadmap: Key MDR & IVDR Compliance Priorities (Bassil Akra, Erik Vollebregt, Tom Patten, and Julia Hoyer) ✅ Wed, Jan. 28 — 10:00 AM ET / 4:00 PM CET — Real-Life PMCF: Practical Lessons and 2026 Priorities (Daniela Karrer, Matteo Mosso, and Diane Legere RN, BSN, MSc, APCCN) Sean 🐝

55

7 Comments

CAPA in Medical Devices: "It's Your Quality Backbone, Not Just an #MDR Checkbox." Under the EU MDR, #CAPA isn't a suggestion—it's a mandate. But seeing it merely as a regulatory requirement misses the entire point. CAPA is the #proactive #mindset that separates market leaders from the rest. Let's talk about the MDR's perspective. Annex III, Chapter 3.3 requires your post-market surveillance system to be used to: "update the benefit-risk determination and to improve the risk management as referred to in Section 3 of Annex I." This isn't just legalese. This is the regulation demanding a robust CAPA system. It's the formal channel through which post-market data must feed back into preventive actions and design improvements. The True CAPA Perspective & Its Implications: ✓ Reactive (Corrective): Addressing a non-conforming product, a complaint, or an audit finding. It's necessary damage control. ✓ Proactive (Preventive): Analyzing post-market data, trend reports, and even "near-misses" to prevent that non-conformance from ever happening. This is the gold standard MDR pushes us toward. When you treat CAPA as a strategic mindset, the long-term benefits are profound: ✓Global Market Acceptance: A robust CAPA system demonstrates a mature Quality Management System to regulators worldwide (FDA, EMA, etc.), facilitating smoother audits and market access. ✓Drastically Reduced Rework & Scrap: By preventing recurring issues, you slash the immense costs associated with corrections and recalls. ✓Increased Operational Efficiency: Streamlined processes with fewer fire-fights free up your team to focus on innovation, not investigation. ✓Enhanced Patient Safety & Trust: This is the ultimate goal. A proactive CAPA system is your most powerful tool for continually safeguarding users and building brand reputation. in nutshell - A best-in-class CAPA process transforms your post-market surveillance from a data-collection exercise into a powerful engine for continuous improvement and competitive advantage. Dive Deeper into the Requirements: ✓EU MDR Annex III - PMS Plan & Reports - The legal text itself. ✓FDA: Corrections and Removals (Recalls) - A critical view of the corrective side from the FDA. ✓MEDDEV 2.12-1 Rev. 8 on Market Surveillance - Provides guidance on the vigilance system that feeds CAPA. ✓AAMI TIR57: Principles of Medical Device Quality System Fundamentals - Excellent resource on building a quality culture. How has your organization shifted from a reactive to a proactive CAPA mindset under MDR? #MedicalDevices #MDR #CAPA #QualityManagement #MedTech #PatientSafety #PostMarketSurveillance #PMS #Vigilance #QualitySystem #RegulatoryAffairs #ISO13485 #PreventiveAction #OpEx #ContinuousImprovement

4

Starting today, I’ll be answering real-world MDR questions, one post at a time. First up: Do I need to report design changes to my Notified Body? Short answer: usually yes, but the level of involvement depends on the change. 1. Could the tweak alter safety, performance, or use conditions? ↳ If so, you need NB approval before you ship the updated device (Annex IX Section 4.10). 2. Run the “significant change” test. ↳ Ask: does the change touch intended purpose, materials, software logic, sterilization, or risk class? ↳ MDCG 2020-3 Rev. 1 gives a clear flowchart for this call. 3. Map every change against the GSPRs (Annex I). ↳ If compliance could shift, treat it as significant and loop in the NB. 4. Remember the contractual fine print. ↳ Most NB agreements, backed by Annex VII Section 4.9, ask you to inform them of non-significant changes within days, even when no formal approval is needed. 5. Log everything. ↳ Annex IX section 2.4 obliges you to record and, for “substantial” QMS or device-range shifts, notify the NB; auditors will check that trail. → Rule of thumb: if a future auditor might ask, “Why didn’t you tell your NB?”, submit at least an information notice today. Have a regulatory question you’d like answered? Leave a comment below. ⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡ MedTech regulatory challenges can be complex, but smart strategies, cutting-edge tools, and expert insights can make all the difference. I'm Tibor, passionate about leveraging AI to transform how regulatory processes are automated and managed. Let's connect and collaborate to streamline regulatory work for everyone! #automation #regulatoryaffairs #medicaldevices

220

39 Comments

Enterprise MDR Governance Series TOPIC: How Governance Heatmaps Give Boards Visibility Before Certificate Cliffs Most MDR certificate cliffs do not originate in regulatory interpretation. They emerge from portfolio visibility gap across functions. Across many device portfolios, the underlying data already exists: • Regulatory tracks certificate timelines • Clinical tracks evidence maturity and CER status • Quality systems monitor post-market signals and complaints • Commercial teams tracks revenue performance and margins These signals rarely converge in a governance view that leadership can interpret quickly. MDR risk only becomes “visible” when renewal timelines compress, and capacity is already constrained. Over time several operational signals tend to appear: - CER updates scheduled primarily around renewal cycles - PMCF investment deferred until NB questions arise - post-market signals remaining isolated within vigilance systems Individually these are manageable. Across a portfolio they create structural exposure and certificate cliffs and revenue shocks. Across many organizations, the response is emerging: They build portfolio governance heatmaps that visualize: - Certificate timelines and renewal clustering - Evidence maturity versus MDR expectations - PMCF investment requirements and risk level​ - Revenue contribution and strategic importance​ When those signals are viewed together, patterns emerge quickly. Products with strong commercial performance may show approaching evidence gaps. Others reveal clinical investment requirements that outweigh portfolio value. That visibility allows leadership teams to act earlier — prioritizing evidence generation, sequencing renewals, or making portfolio decisions before external pressure (NB capacity, market disruption, or board scrutiny) forces them. As MDR timelines continue to approach across Europe, organizations that can visualize these signals earlier will likely navigate the transition with fewer disruptions and better valuations. For leaders overseeing device portfolios: Do certificate timelines, evidence maturity, and portfolio value converge in your governance view —or do those signals only appear during renewal preparation? #MedTechLeadership #EUMDR #MedicalDevices #PortfolioStrategy #RegulatoryStrategy

6

2 Comments

New FDA guidance (https://lnkd.in/eiavDw43) - cybersecurity is now mandatory for devices that connect to the Internet. Is your device affected?

3

A key callout of this FDA #safety playbook is the shared responsibility between #devicemanufacturers and their #supplychain partners. In particular, coordinated vulnerability disclosure (#CVD) programs and #thirdparty #riskmanagement protocols to ensure transparency. Mapping #dependencies and requiring #SLA adherence and so on had been essential but even more so going forward especially when #hardware crosses over to #cloud and #ai based #software. #securitybydesign #medicaldevice #medicaldevicemanufacturers https://lnkd.in/e7a_cegK

2

Does parallel MDR and AI Act oversight genuinely improve patient safety, or does it risk creating duplicated processes without proportional benefit? Medical devices remain subject to the AI Act’s high-risk rules despite significant calls from industry to integrate AI requirements into MDR/IVDR. The EU appeared close to significantly reducing duplication between the AI Act and existing MDR/IVDR requirements for AI-enabled medical devices. There were reports of growing optimism that MDR/IVDR certified AI medical devices might avoid additional standalone AI Act conformity assessments through notified bodies, reducing overlapping audits, duplicate technical documentation, additional notified body burden, and increasing predictability for AI MedTech developers. However, following the final trilogue negotiations held on 7th May 2026 between the European Parliament, Commission and Council, many of the proposed simplifications for medical devices appear to have been weakened or removed. While broader implementation delays and simplification measures were agreed for certain high-risk AI systems, AI medical devices largely remain subject to parallel AI Act obligations alongside MDR/IVDR. That potentially leaves AI MedTech companies facing dual compliance requirements, ongoing uncertainty around overlapping assessments, greater regulatory burden for SMEs and startups, and growing questions around Europe’s long-term competitiveness for healthcare AI innovation. At the same time, there is clearly another side to the argument. Healthcare AI can directly influence diagnosis, treatment decisions and patient outcomes, so policymakers and patient safety advocates continue to argue that strong oversight is necessary. The challenge for Europe increasingly appears to be balancing these competing priorities of supporting AI innovation and competitiveness, while also maintaining strong patient safety and governance standards. At the moment, the framework still feels complicated, particularly for AI-enabled SaMD companies already navigating MDR, clinical evidence, cybersecurity, post-market surveillance and now additional AI-specific obligations on top. Could regulatory complexity ultimately push more healthcare AI innovation toward the US and other markets instead? Sources include reports and commentary from MedTech Insight/Citeline, Reuters and MedTech Europe. #MedTech #SaMD #AIAct #AIaMD #DigitalHealth #HealthTech #RegulatoryAffairs #MDR #IVDR #MedicalDevices #HealthcareAI

4

2 Comments

📌 Understanding PSUR in Medical Devices – A Regulatory Perspective Periodic Safety Update Report (PSUR) is a critical post-market document that provides a structured, cumulative evaluation of a medical device’s safety and performance. 🔹 PSUR is derived from the Post-Market Surveillance (PMS) system 🔹 It summarizes real-world data such as complaints, adverse events, returned devices, and CAPA outcomes 🔹 Applicable mainly to higher-risk medical devices (Class IIa, IIb, and III under EU MDR) 🔹 Helps regulators continuously assess the benefit–risk profile of devices already in the market As Regulatory Affairs professionals, our responsibility is to ensure complete transparency, accuracy, and regulatory compliance — with no assumptions and no fabrication. Every data point matters because these reports directly impact public health and patient safety. PSUR is not just a report — it is a trust document between manufacturers, regulators, and patients. #RegulatoryAffairs #MedicalDevices #PSUR #PostMarketSurveillance #PatientSafety #EU_MDR

21

1 Comment

Designing a medical device is more than just building something that works. It's a regulated process — and most teams get it wrong by treating compliance as the last step. Here's what it actually takes to design Class I & II medical devices 👆 (Swipe through the carousel) Save this for reference. Share it with someone building in MedTech. 🔁 #MedicalDevices #MedTech #FDA510k #ISO13485 #BiomedicalEngineering #RegulatoryAffairs #DeviceDesign #HealthcareInnovation

2

If you are looking for luck ☘️ in medical device development, you are already behind. ⚙️ ISO 14971 is not a paperwork exercise. It is not a stack of FMEAs created for an auditor. Real risk management is the framework that should guide every serious design decision you make. Hazards must be real. \- Severity must reflect actual clinical impact. \- Probability must be evidence based. \- Risk controls must be implemented and verified… not simply documented. If an infusion pump risks overd delivery, you need architecture that prevents it. If thermal events are possible, you need protective circuitry and fault tolerant design. If usability introduces setup errors, you validate through summative testing, not assumptions. Objective evidence beats optimism. When risk management is done correctly, audits move faster, design reviews tighten up, and verification becomes predictable. Your risk file becomes a blueprint for safer engineering and stronger submissions. No luck required. Just discipline. Watch the full video to see what ISO 14971 really requires.🧠 #MedTech #ISO14971 #RiskManagement #MedicalDevices #FDA #ProductDevelopment #StPatricksDay #medtechman

25

1 Comment

Most device teams misunderstand design controls. They think it’s: ❌ FDA paperwork ❌ A pre-submission checkbox ❌ Something to clean up “before audit” But from the U.S. Food and Drug Administration’s perspective, design controls answer one question: “Can you prove this device was designed safely, intentionally, and for its intended use?” For medtech, biotech, neurotech, and SaMD, that means: • Clear design inputs (clinical + user needs) • Testable design outputs • Verification: did you build it right? • Validation: did you build the right thing? • Traceability inside a Design History File Weak design controls don’t just slow FDA clearance — they: • Delay SBIR Phase II • Kill diligence conversations • Force costly redesigns late in development I published a Design Controls 101 breakdown to help founders and operators understand what FDA actually expects — without regulatory jargon. Subscribe to my newsletter in bio!

1

We simplify what a cyber device is in this podcast and blog. Really just two criteria to focus on: 1. Does the device contain software/firmware? 2. Does the device have any possible way to connect to the internet? The second trips most people up...any of these interfaces introduces a possible network/internet connection: - Wi-Fi - Cellular - Bluetooth (including Bluetooth Low Energy) - USB ports - Serial ports - Magnetic coils (e.g. RFID, NFC) - HDMI Need help with MedTech Cybersecurity? Schedule a Discovery Session with us: https://lnkd.in/giBYXqTH

10

1 Comment

CAPA is still the #1 issue cited in FDA 483s—but under QMSR, the expectation isn’t “open more CAPAs.” It’s make better, risk-based decisions—and be able to defend them. This is one of the most misunderstood shifts companies are walking into. #medicaldevice #compliance #FDA #qualitymanagement #medtech #biotech #regulatoryaffairs #qmsr

26

5 Comments

11 things every MedTech quality director can challenge in their own QMS before requesting additional resources for CAPA management: 1. “One-size-fits-all” CAPA process 2. Redundant review steps adding no value 3. Teams defaulting to “human error” as RC 4. Multiple systems storing the same information 5. Unclear criteria for when a CAPA is a CAPA 6. Complex approval workflows causing delays 7. Lack of recognition for well-executed CAPAs 8. Rigid templates limiting investigation efficiency 9. KPIs driving speed over quality of investigations 10. Focus only on lagging metrics (e.g., closure rate) 11. Unnecessary CRB meetings consuming team time Here's how I'd optimize such a system: 1. Apply risk-based CAPA categorization 2. Streamline approvals to essential sign-offs 3. Enforce structured root cause methods 4. Consolidate into a single source of truth 5. Risk-based criteria for CAPA initiation 6. Map workflows and eliminate bottlenecks 7. Celebrate and share successful CAPA case studies 8. Create flexible investigation templates 9. Metrics with focus on recurrence prevention 10. Add leading indicators to predict performance 11. Replace with dashboards and ad-hoc reviews Challenge your existing processes first. Then determine if you really need more resources. ______ Enjoyed the post? Follow Georg Digel to learn more about NC & CAPA in the medical device industry.

99

26 Comments

FDA tightens medical device cybersecurity (Feb 2026): SPDF, SBOM, security architecture & vuln plans now required. Will update more—need to dig into details, but yes QMS is Ctrl+F and replaced with QMSR. The guidance explicitly aligns cybersecurity expectations with QMSR, which incorporates ISO 13485 by reference. 😊

9