FDA Draft Guidance on AI-Enabled Medical Devices: Key Insights & Takeaways

Introduction

Artificial Intelligence (AI) is poised to reshape how medical devices are designed, validated, and brought to market in the fast-evolving landscape of healthcare technology. To address AI's growing importance in this space, SoftComply | Compliance Made Easy on Atlassian recently hosted a live webinar with industry experts from Orthogonal and Chino.io . The discussion revolved around the FDA’s draft guidance on AI-enabled medical devices (published on January 7th, 2025), spotlighting regulatory expectations, data protection mandates, and practical advice for manufacturers preparing their FDA submissions.

Our panel included:

• Megan Graham , VP of Quality & Regulatory at Orthogonal
• Jovan Stevovic , CEO & Co-Founder of Chino.io
• Matteo Gubellini , Chief Regulatory Officer at SoftComply
• Marion Lepmets, Dr. (Moderator), SoftComply

With diverse backgrounds spanning regulatory strategy, cybersecurity, data privacy, and AI-driven software development, these experts unpacked how the FDA and the EU approach oversight and what it means for companies looking to innovate responsibly. Below is a comprehensive summary of the key themes, direct quotes, and the major takeaways from our discussion.

Key Discussion Points

?? Evolving Regulatory Landscape: U.S. vs. EU

Balancing Innovation and Oversight

The session opened by examining how regulators on both sides of the Atlantic are grappling with AI. In the U.S., attention has centered on the FDA’s draft guidance, which attempts to provide clarity for developers of AI-powered devices. Meanwhile, the EU’s AI Act aims to address AI in all sectors, not just medical devices, potentially leading to broad but somewhat high-level requirements.

“Nothing has changed, as of this moment, in terms of the FDA’s regulatory framework for medical devices.” — Megan Graham, VP of Quality & Regulatory at Orthogonal

Despite new policies and shifting political environments, our panelists agreed that core U.S. regulations (e.g., 21 CFR Part 820) remain intact. However, manufacturers should watch for additional FDA guidance documents that offer more specific directives on AI, especially regarding how devices adapt and “learn” over time.

On the European side, Matteo Gubellini pointed out that while the EU’s AI Act is ambitious, it can sometimes lack the FDA’s detail on medical-specific risk management and technical documentation. Therefore, EU-based companies often find it helpful to align with U.S. best practices on software-based devices especially for areas like risk assessment and design controls.

?? Data Protection & Privacy: HIPAA, GDPR, and Beyond

Securing Sensitive Health Data

AI thrives on data, but the more data these systems consume, the more complex compliance becomes, especially for highly sensitive health information. Jovan Stevovic compared HIPAA (sector-specific, well-established in the U.S.) to the GDPR (broad, unifying regulation in the EU). Yet, both systems can become fragmented when individual states or member countries add local nuances.

“We need to stop with single-state level regulations and simplify things if we want a single digital market, whether European or U.S.” — Jovan Stevovic, CEO & Co-Founder of Chino.io

Startups or scale-ups aiming for cross-border markets should establish robust data processing agreements (DPAs) or business associate agreements (BAAs) early to protect themselves and their partners. Moreover, the rise of large language models and data scraping controversies underscore the need for clear data governance policies, especially when training AI models on clinical information.

?? FDA Guidance on AI-Enabled Devices: What’s New?

Clinical Evidence & Context of Use

While some aspects of FDA oversight remain familiar (design controls, risk management), the agency now places greater emphasis on clinical evidence for AI models. Manufacturers should articulate:

• Intended Use & Context of Use: Who will deploy the AI, in which clinical scenarios, and how will it integrate into the broader workflow?
• Data Sources & Quality: How was the training data collected and verified? Have you evaluated potential biases?
• Ongoing Monitoring: After deployment, what measures ensure your AI model remains accurate as real-world data evolves or “drifts”?

“If you’re adding an AI-driven function to your device, you have to clarify the context of use who will use it, what’s the workflow, and how does it fit into clinical practice?” — Megan Graham, Orthogonal

Predetermined Change Control Plans

A central challenge for AI-based devices is how rapidly they can change. The FDA has indicated a willingness to let manufacturers update or refine models within pre-set boundaries without requiring a fresh submission every time. However, companies must propose a Predetermined Change Control Plan detailing:

1. Which parameters or methods may change,
2. How these changes will be tested,
3. Risk mitigation steps to ensure patient safety.

This framework encourages ongoing innovation but demands detailed documentation upfront.

?? Practical Tips for Compliance & FDA Submissions

Planning & Architecture

Modular architecture is vital when AI is just one part of your system. Separating regulated from non-regulated functionalities can help manage your regulatory burden, streamline your submission, and allow incremental feature growth:

“Identify what’s medical and what’s not. Then treat the medical part as usual and make sure the rest doesn’t negatively affect it.” — Matteo Gubellini, Chief Regulatory Officer at SoftComply

Engaging the FDA Early

Pre-submission meetings or Q-Sub pathways offer invaluable clarity, provided you come prepared. Megan Graham advised that manufacturers do their homework, present a concise device description, and list targeted questions. The more specific and data-backed your queries are, the more actionable the FDA’s feedback will be.

Internal AI Governance

As GenAI and other AI solutions gain popularity, organizations might use multiple AI tools internally for product development or business processes. Setting AI governance policies within the company ensures that AI use is documented, compliant, and consistent with regulatory standards.

Key Takeaways

Here are the most important points from our webinar on AI-enabled medical devices:

1?? Regulation Evolves, Best Practices Remain

Despite new guidelines, core FDA regulatory principles (risk management, design controls) still apply.

2?? Data Quality & Data Rights

Secure legal rights to use data and establish clear protocols (DPA, BAA) for managing patient information.

3?? Clinical Validation Matters

The FDA increasingly wants clinical evidence that AI-driven outputs aid patient care and decision-making.

4?? Plan for AI Model Iteration

Aim to incorporate a predetermined change control plan so you can adapt models responsibly without multiple resubmissions.

5?? Stay Engaged & Ask the Right Questions

Use pre-submissions or direct FDA engagement to clarify classification, scope, and data requirements.

Final Thoughts & Next Steps

This SoftComply-hosted webinar highlighted how AI is both an opportunity and a regulatory challenge for medical device manufacturers. From obtaining high-quality, bias-free data to building robust change control processes, successful AI products hinge on thorough planning and transparent execution.

Above all, remember that patient safety and clinical efficacy remain the guiding star. As one panelist said, “It’s about ensuring your device performs as intended and aligns with both ethical and regulatory standards.”