BREAKING! The FDA just released this draft guidance, titled Artificial Intelligence-Enabled Device Software Functions: Lifecycle Management and Marketing Submission Recommendations, that aims to provide industry and FDA staff with a Total Product Life Cycle (TPLC) approach for developing, validating, and maintaining AI-enabled medical devices. The guidance is important even in its draft stage in providing more detailed, AI-specific instructions on what regulators expect in marketing submissions, and how developers can control AI bias.

What’s new in it?
1) It requests clear explanations of how and why AI is used within the device.
2) It requires sponsors to provide adequate instructions, warnings, and limitations so that users understand the model’s outputs and scope (e.g., whether further tests or clinical judgment are needed).
3) Encourages sponsors to follow standard risk-management procedures; and stresses that misunderstanding or incorrect interpretation of the AI’s output is a major risk factor.
4) Recommends analyzing performance across subgroups to detect potential AI bias (e.g., different performance in underrepresented demographics).
5) Recommends robust testing (e.g., sensitivity, specificity, AUC, PPV/NPV) on datasets that match the intended clinical conditions.
6) Recognizes that AI performance may drift (e.g., as clinical practice changes), therefore sponsors are advised to maintain ongoing monitoring, identify performance deterioration, and enact timely mitigations.
7) Discusses AI-specific security threats (e.g., data poisoning, model inversion/stealing, adversarial inputs) and encourages sponsors to adopt threat modeling and testing (fuzz testing, penetration testing).
8) And proposed for public-facing FDA summaries (e.g., 510(k) Summaries, De Novo decision summaries) to foster user trust and better understanding of the model’s capabilities and limits.
Medical Device Regulations
-
Quality isn’t expensive. Poor quality is.

Most quality systems look good on paper. Reality tells a different story.

ISO 13485 isn’t just another standard. It’s how you keep patients safe.

Lost in the ISO maze? Here’s your practical guide through it:

1. Quality Management System (QMS)
↳ The foundation of everything you build
• Design Controls
• Training management
• Requirements management
• Supplier Qualification
• Product Record Control
• Quality Management

2. Risk-Based Thinking (RBT)
↳ Spot problems before they happen
↳ Put smart solutions in place early
↳ Stay ahead of what could go wrong

3. Design Controls
↳ Track every step with purpose
↳ Verify before moving forward
↳ Turn ideas into trusted products

4. CAPA Process
↳ Fix issues at their root
↳ Make solutions stick
↳ Learn from each problem

5. Post-Market Surveillance
↳ Your eyes in the real world
↳ Listen to what users tell you
↳ Turn feedback into improvement

6. QMS Structure
↳ Build consistency into everything
↳ Keep records that tell the story
↳ Make quality automatic

7. Implementation Best Practices
↳ Get real leadership commitment
↳ Train until it becomes natural
↳ Never stop improving

8. Smart Audit Strategy
↳ Keep internal checks honest
↳ Stay ahead of regulators
↳ Build trust through transparency

These parts work together. Each one makes the others stronger.

Remember: ISO 13485 builds more than compliance. It builds trust that saves lives.

Which part challenges you most?

♻️ Find this valuable? Repost for your network. Follow Bastian Krapinger-Ruether for expert insights on MedTech compliance and QM.
-
Every quality manager knows the truth: ISO 13485 looks simple on paper. But implementing it? That's where reality hits hard.

I've audited dozens of medical device manufacturers, and one pattern keeps emerging: Companies often miss the forest for the trees. They focus on individual requirements without seeing how everything connects.

Here's what 15 years of working with quality management systems have taught me:

1. Core QMS Foundation
↳ Your quality system isn't just documentation—it's your operational backbone
↳ Start with clear processes before diving into procedures
↳ Remember: A good QMS should make work easier, not harder

2. Design Control Integration
↳ This isn't a checkbox exercise—it's your product development roadmap
↳ Link user needs directly to verification steps
↳ Make design reviews meaningful, not just meetings

3. Risk Management Evolution
↳ Stop treating risk management as a one-time exercise
↳ Build it into every process decision
↳ Use real-world data to challenge your initial assumptions

4. CAPA That Actually Works
↳ Most CAPAs fail because they solve symptoms, not causes
↳ Invest time in proper root cause analysis
↳ Track effectiveness checks like they matter—because they do

5. Post-Market Intelligence
↳ Your QMS should be learning and evolving
↳ Turn complaint trends into design improvements
↳ Use post-market data to validate your risk assumptions

The secret to ISO 13485 success isn't in the standard's text. It's in how you make these elements work together seamlessly. Think of your QMS as a living system, not a stack of documents.

P.S. What's your biggest challenge in making these elements work together?

⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡⬡

MedTech regulatory challenges can be complex, but smart strategies, cutting-edge tools, and expert insights can make all the difference. I'm Tibor, passionate about leveraging AI to transform how regulatory processes are automated and managed. Let's connect and collaborate to streamline regulatory work for everyone!

#automation #regulatoryaffairs #medicaldevices
-
Europe just CE marked its first LLM-powered medical device.

Prof. Valmed, a clinical decision-support system built on a retrieval-augmented generation (RAG) architecture, has been certified as a Class IIb medical device under EU MDR (2017/745). That classification places it in the same risk category as infusion pumps and ventilators, meaning it requires Notified Body review, a full ISO 13485 quality management system, software lifecycle documentation under IEC 62304, and a robust post-market surveillance plan.

This is a notable precedent for generative AI in clinical care. For those of us building regulated healthtech products, a few takeaways:

--RAG architectures are viable, but only with traceability, curation, and grounding. Prof. Valmed queried over 2.5 million validated sources and preserved retrieval paths, prompt logic, and model state for auditability.

--Evidence requirements are tightening. Generic model benchmarks won’t cut it. The review demanded indication-specific performance data, bias mitigation strategies, and plans for continuous monitoring.

--Dual-framework compliance is the new norm. The EU AI Act adds layers of transparency, human oversight, and data governance to what MDR already requires. The FDA’s PCCP guidance is converging in similar ways. Teams will need harmonized documentation across all three.

--Enterprise buyers and payers are factoring in compliance maturity. Cost-effectiveness, audit trails, and fairness metrics are making their way into procurement criteria, especially for clinical AI.

If you’re an early-stage team, this is less about racing to certification and more about structuring your product, data, and validation strategy with these expectations in mind. Compliance isn't the goal, it’s the baseline for clinical credibility and long-term defensibility.

Happy to compare notes if you're navigating MDR, the AI Act, or FDA alignment. https://lnkd.in/g7rkk97b
-
𝗜’𝗺 𝗼𝗳𝘁𝗲𝗻 𝗮𝘀𝗸𝗲𝗱 𝘄𝗵𝗮𝘁 𝗶𝘁 𝗿𝗲𝗮𝗹𝗹𝘆 𝘁𝗮𝗸𝗲𝘀 𝘁𝗼 𝗮𝗰𝗵𝗶𝗲𝘃𝗲 𝗘𝗨 𝗚𝗠𝗣 𝗰𝗲𝗿𝘁𝗶𝗳𝗶𝗰𝗮𝘁𝗶𝗼𝗻 𝗳𝗼𝗿 𝗺𝗲𝗱𝗶𝗰𝗮𝗹 𝗰𝗮𝗻𝗻𝗮𝗯𝗶𝘀.

It’s a fair question, because the answer is not just cleanrooms and checklists. EU GMP is a mindset, a system, and a daily operational standard, not a one-time milestone.

Here’s my breakdown of the main pillars, based on years of building, auditing, and advising GMP-certified operations across Latin America, North America, Europe, and Africa:

𝟭. 𝗤𝘂𝗮𝗹𝗶𝘁𝘆 𝗠𝗮𝗻𝗮𝗴𝗲𝗺𝗲𝗻𝘁 𝗦𝘆𝘀𝘁𝗲𝗺 (𝗤𝗠𝗦): This is the backbone of everything. If you don’t have a robust, documented, and auditable QMS, you won’t get far. Your SOPs, deviations, CAPAs, and quality reviews must be in place, and lived by the team daily.

𝟮. 𝗧𝗿𝗮𝗶𝗻𝗲𝗱 𝗣𝗲𝗼𝗽𝗹𝗲, 𝗡𝗼𝘁 𝗝𝘂𝘀𝘁 𝗪𝗮𝗿𝗺 𝗕𝗼𝗱𝗶𝗲𝘀: GMP fails when staff don’t understand the 'why'. You need continual training, proper onboarding, and a culture of compliance. The least-trained person on your team defines your weakest point.

𝟯. 𝗙𝗮𝗰𝗶𝗹𝗶𝘁𝗶𝗲𝘀 𝗮𝗻𝗱 𝗘𝗾𝘂𝗶𝗽𝗺𝗲𝗻𝘁 𝗕𝘂𝗶𝗹𝘁 𝗳𝗼𝗿 𝗖𝗼𝗺𝗽𝗹𝗶𝗮𝗻𝗰𝗲: You can’t retrofit your way into GMP easily. Airflow, zoning, cleanroom classifications, and validated equipment all matter. Design with flow, segregation, and contamination control in mind from day one.

𝟰. 𝗗𝗼𝗰𝘂𝗺𝗲𝗻𝘁𝗮𝘁𝗶𝗼𝗻: If it’s not written down, it didn’t happen. Every action, every batch, every cleaning must be recorded. This is your legal proof that you’re operating to standard.

𝟱. 𝗣𝗿𝗼𝗰𝗲𝘀𝘀 𝗖𝗼𝗻𝘁𝗿𝗼𝗹𝘀: From drying to packaging, every step must be standardised and monitored. That includes moisture content, microbial risk, traceability, and in-process checks. It’s about consistency and control.

𝟲. 𝗧𝗲𝘀𝘁𝗶𝗻𝗴 𝗮𝗻𝗱 𝗥𝗲𝗹𝗲𝗮𝘀𝗲: Every batch must go through full-spectrum testing, cannabinoids, terpenes, heavy metals, pesticides, aflatoxins, and microbiology. Testing must be performed in a GMP-compliant lab, using validated methods.

𝟳. 𝗩𝗮𝗹𝗶𝗱𝗮𝘁𝗶𝗼𝗻 𝗮𝗻𝗱 𝗤𝘂𝗮𝗹𝗶𝗳𝗶𝗰𝗮𝘁𝗶𝗼𝗻: Your rooms, equipment, cleaning procedures, and analytical methods all need to be validated. No validation, no compliance. It’s as simple as that.

𝟴. 𝗔𝘂𝗱𝗶𝘁𝘀 𝗮𝗻𝗱 𝗖𝗼𝗻𝘁𝗶𝗻𝘂𝗼𝘂𝘀 𝗜𝗺𝗽𝗿𝗼𝘃𝗲𝗺𝗲𝗻𝘁: EU GMP doesn’t end with certification. Internal audits, CAPAs, management reviews, supplier checks, these are all part of daily life. You must be audit-ready at all times.

For those serious about exporting medical cannabis to the EU, UK, or Switzerland, these aren’t optional. They're the standard. Start right, stay disciplined, and don’t cut corners. And ask me how I can help you and your business achieve EU GMP.

#MedicalCannabis #EUGMP #CannabisCompliance #CannabisIndustry #GACP #CannabisExport #CannabisOperations #PharmaceuticalStandards #FacilityDesign #CannabisLeadership
-
When a Quality Manager joins a new company, how he must start working professionally and effectively for improvement, step by step.

*Phase 1: Familiarization and Foundation Building
1. Review Company Policies and Procedures
2. Meet with key personnel of all departments
3. Conduct a thorough tour of the facility to understand operations, identify potential quality risks, and get a sense of the company culture.
4. Examine quality records, including audit reports, customer complaints, and corrective actions to understand the company's quality performance.

*Phase 2: Assessment and Gap Analysis
1. Evaluate quality processes, such as inspection, testing, and calibration to identify gaps and inefficiencies.
2. Identify potential quality risks, including supply chain risks, equipment risks, and process risks.
3. Analyze quality data, including defect rates, customer satisfaction, and supplier performance to identify trends and areas for improvement.
4. Develop a comprehensive report outlining the gaps and inefficiencies in the quality management system.

*Phase 3: Setting Key Performance Indicators (KPIs) and Targets
1. Establish quality objectives, including defect reduction, customer satisfaction improvement, and supplier performance enhancement.
2. Develop KPIs to measure quality performance, including defect rates, customer satisfaction, and supplier performance.
3. Set targets and benchmarks for each KPI based on industry standards, customer requirements, and company goals.
4. Communicate KPIs and targets to relevant stakeholders, including department heads, supervisors, and quality team members.

*Phase 4: Quality improvement plan
1. Prioritize areas for improvement based on the gap analysis report and quality data analysis.
2. Develop corrective actions to address gaps and inefficiencies in the quality management system.
3. Establish timelines and responsibilities for implementing corrective actions.
4. Develop a comprehensive quality improvement plan outlining the corrective actions, timelines, and responsibilities.

*Phase 5: Implementation and Monitoring
1. Implement corrective actions outlined in the quality improvement plan.
2. Regularly monitor progress against KPIs and targets.
3. Continuously evaluate and improve the quality management system to ensure it remains effective and efficient.
4. Communicate results to relevant stakeholders, including department heads, supervisors, and quality team members.

Countermeasures for inefficiencies:
1. Streamline processes to reduce waste and increase efficiency.
2. Implement lean principles to minimize waste and maximize value.
3. Provide training and development opportunities to enhance employee skills and knowledge.
4. Foster open communication across departments and levels to ensure quality issues are identified and addressed promptly.
5. Conduct regular audits to ensure compliance with quality standards and identify areas for improvement.
-
This is a must-read for every HealthTech CEO. The UK Government’s AI Playbook outlines ten principles that ensure AI is used lawfully, ethically, and effectively.

1. Know AI’s Capabilities and Limitations
AI is not infallible. Understanding what AI can and cannot do, its risks, and how to mitigate inaccuracies is essential for responsible use.

2. Use AI Lawfully and Ethically
Legal compliance and ethical considerations are paramount. AI must be deployed responsibly, with proper data protection, fairness, and risk assessments in place.

3. Ensure Security and Resilience
AI systems are vulnerable to cyber threats. Safeguards like security testing and validation checks are necessary to mitigate risks such as data poisoning and adversarial attacks.

4. Maintain Meaningful Human Control
AI should not operate unchecked. Human oversight must be embedded in critical decision-making processes to prevent harm and ensure accountability.

5. Manage the Full AI Lifecycle
AI systems require continuous monitoring to prevent drift, bias, and inaccuracies. A well-defined lifecycle strategy ensures sustainability and effectiveness.

6. Use the Right Tool for the Job
AI is not always the answer. Carefully assess whether AI is the best solution or if traditional methods would be more effective and efficient.

7. Promote Openness and Collaboration
Engaging with cross-government communities, civil society, and the public fosters transparency and trust in AI deployments.

8. Work with Commercial Experts
Collaboration with commercial and procurement teams ensures AI solutions align with regulatory and ethical standards, whether developed in-house or procured externally.

9. Develop AI Skills and Expertise
Upskilling teams on AI’s technical and ethical dimensions is crucial. Decision-makers must understand AI’s impact on governance and strategy.

10. Align AI Use with Organisational Policies
AI implementation should adhere to existing governance frameworks, with clear assurance and escalation processes in place.

AI in healthcare can be revolutionary if it’s done right. My key (well, some) takeaways:
- Any AI solution aimed at the NHS must comply with UK AI regulations, GDPR, and NHS-specific security policies.
- AI models should be explainable to clinicians and patients to build trust.
- AI in healthcare must be clinically validated and continuously monitored.
- Having internal AI ethics committees and compliance frameworks will be key to NHS adoption.

Is your AI truly NHS ready?
-
🤩 A milestone for #MedTech: Digital technical documentation will enter EU legislation

This week, the European Commission published a proposal to simplify the European laws MDR and IVDR for #medicalDevices and in vitro diagnostic devices.

🌟 For the first time ever, the draft includes explicit provisions on the digitalisation of technical documentation and conformity assessment (new MDR Article 52b / IVDR Article 48b).

👉 This is a true novum for the medical device industry and a strong signal that the #digitalisation of regulatory processes and related #technicalDocumentation plays an important role for the industry.

---

😁 Personally, this proposal makes me genuinely happy: I have been working on solutions for these topics for many years now. Seeing these concepts reflected in a concrete legislative proposal is highly motivating and reinforces my belief that this work truly matters.

Not only am I proud of my work at the avasis solutions GmbH (avasis Group), but above all I am proud of our collaborative work in the non-profit Medical Device Knowledge Units (MDKU) e.V. association: More than five years ago, we began to put into practice the idea of a unified data model for technical documentation of medical devices. We will soon publish DIN SPEC 91509 with a first release.

Our goal has always been to enable structured, interoperable and reusable technical documentation - digital by design, not a collection of static PDFs. Because that is "real digitalisation" and the foundation for a useful application of AI.

❇️ From documents to data! ❇️

---

Seeing this principle now reflected in a legislative proposal confirms that the direction was right - and that collaborative, pre-competitive work can help prepare the ground for future regulation 🥳

I am more motivated than ever to continue contributing to this transformation and to help ensure that these new legal provisions can be translated into practical, scalable and industry-ready solutions.

---

👉 How do you see the future of digital technical documentation under MDR & IVDR? I’d love to hear perspectives from manufacturers, notified bodies and regulators!
-
FDA just posted this draft guidance updating Quality Management System requirements for Premarket Authorization (PMA) submissions. Most of the document lays out how the requirements from each clause in ISO 13485 and the revised 21 CFR part 820 should be communicated in the submission package.

The thing everyone really wants to know, however, is how the FDA will handle submissions delivered prior to 2 February 2026, where the review period crosses the effective date. Here is your answer in section IV of the draft guidance:

"On and after February 2, 2026, FDA will be evaluating the documents and records included in marketing submissions to determine whether there is conformance with the requirements of the QMSR. A gap analysis or another type of comparative analysis may assist FDA in determining when documents and records created prior to the QMSR effective date are submitted to FDA. Additionally, on and after February 2, 2026, FDA inspections of device manufacturers that are evaluating CGMP, including PMA preapproval inspections, will evaluate compliance with QMSR requirements. In doing so, it may help FDA to make that determination by providing a gap analysis or a comparative assessment."

I've attached the full draft guidance for your reading pleasure.
-
After reviewing multiple medical device submissions over the past 5 years, I've found that most failed applications shared common, preventable mistakes.

I've helped MedTech companies navigate the regulatory maze, cutting average time-to-market by 7 months and saving tons in remediation costs per client.

𝗛𝗲𝗿𝗲 𝗮𝗿𝗲 𝘁𝗵𝗲 𝟳 𝗺𝗼𝘀𝘁 𝗰𝗼𝗺𝗺𝗼𝗻 𝗿𝗲𝗮𝘀𝗼𝗻𝘀 𝘆𝗼𝘂𝗿 𝗺𝗲𝗱𝗶𝗰𝗮𝗹 𝗱𝗲𝘃𝗶𝗰𝗲 𝘄𝗶𝗹𝗹 𝗳𝗮𝗶𝗹 𝗿𝗲𝗴𝘂𝗹𝗮𝘁𝗼𝗿𝘆 𝘀𝗰𝗿𝘂𝘁𝗶𝗻𝘆:

1. **Inadequate Risk Management**
• Risk files don't align with ISO 14971:2019 requirements
• Missing traceability between hazards and mitigations
• Failure to update risk assessments after design changes (seen in a large portion of rejections)

2. **Poor Design Control Documentation**
• Incomplete Design History Files with gaps in verification records
• User needs not properly translated to design inputs
• Design outputs that don't satisfy acceptance criteria

3. **Insufficient Clinical Evidence**
• Relying on literature alone when equivalence can't be established
• Underpowered clinical studies (average n=24 when n=68+ was needed)
• Missing patient subpopulation analyses required by regulators

4. **Software Documentation Gaps**
• IEC 62304 compliance issues, especially for Class B and C software
• Inadequate cybersecurity risk assessments (flagged in 90%+ of connected devices)
• Missing or incomplete software validation protocols

5. **Usability Engineering Failures**
• Formative studies conducted too late in development
• Use-related risk analysis disconnected from overall risk management
• Summative testing that doesn't represent actual use environments

6. **Supply Chain Vulnerabilities**
• Critical component suppliers without adequate quality agreements
• Missing or insufficient supplier reviews/audits
• Incomplete component specifications leading to inconsistent performance

7. **Post-Market Surveillance Planning**
• Reactive rather than proactive monitoring strategies
• PMCF/PMS plans that don't address residual risks
• Inadequate complaint handling procedures (cited in 62% of MDR submissions)

𝗧𝗔𝗞𝗘𝗔𝗪𝗔𝗬: The most successful medical device companies build quality and regulatory strategy into their development process from day one, not as an afterthought. I've seen startups save millions and many months by investing in proper QMS and regulatory planning early.

The harsh reality? Most MedTech founders underestimate regulatory requirements until they're facing rejection. Don't be one of them!

Want to avoid these pitfalls? My calendar is open for the next two weeks for 30-minute strategy calls with serious MedTech leaders. If you are looking for shortcuts and false claims of accelerated deadlines, then I am not the right client for you, but if you want evidence-backed timelines and proven experience, get in touch!