In this article, Dr. Baya Oussena outlines transforming lifecycle compliance into a driver of innovation in medical software.
Dr. Baya Oussena has worked on embedded software projects for Siemens, Volkswagen, and Fresenius Medical Care. She has researched distributed systems, algorithms, and their parallelization, synchronization, and applications in medical computing, including diagnostic assistance and the early detection of breast cancer. While she was a lecturer and researcher at the universities of Glasgow and Mainz, Dr. Oussena worked on embedded systems for nuclear physics experiments. This work aimed to optimize the performance of data acquisition systems for subatomic physics, requiring software skills ranging from manipulating binary machine instructions to effectively utilizing high-level programming languages such as C++.
In the modern medical device ecosystem, software drives innovation in diagnostics, therapy, and connectivity. However, software updates are subject to increased regulation as the US FDA and EU MDR now require full traceability, transparency, and accountability throughout product and software lifecycles.
This article outlines an initiative for managing FDA and MDR compliance throughout the device software lifecycle. It shows how stakeholders can innovate quickly while upholding quality, regulatory standards, and patient safety.
Both the FDA’s Total Product Lifecycle (TPLC) model and the MDR’s lifecycle and quality management framework now consider software updates, bug fixes, AI improvements, and cybersecurity patches as regulated events rather than routine maintenance. Compliance has become an ongoing, integrated process instead of a separate post-development phase.
Achieving compliance whilst fostering innovation demands close collaboration among engineering, regulatory affairs, and quality assurance. This is best achieved through DevSecOps-QMS integration: a unified environment where compliance is embedded into the development lifecycle from the very beginning.
Implement a risk-based SDLC aligned with IEC 62304 for both embedded and standalone software. Ensure comprehensive traceability across all development artefacts using tools like Jira, Git, Polarion, and Jenkins to facilitate reviews and ensure audit readiness. Incorporate cybersecurity from the outset, following IEC 81001-5-1, with controls that cover secure design and over-the-air (OTA) updates.
Develop version-controlled CI/CD pipelines that support change classification and verification workflows and that automatically generate audit-ready documentation. Align these quality processes with ISO 13485, FDA QSR, and EU MDR requirements. View regulatory compliance as a strategic advantage that drives innovation and supports market entry rather than obstructing progress.
Implement structured decision trees to systematically evaluate and categorise software changes based on their impact. Coordinate updates to CERs, PSURs, IFUs, and UDI databases with each release to maintain lifecycle consistency. Follow MDCG 2020-3 and FDA 510(k) guidance to support global submission strategies and ensure cross-market readiness.
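As an added illustration (not code from the article or its white paper), the following Python gate shows how the traceability check and the structured change-classification decision tree described above could run as one stage of a Jenkins pipeline. The decision questions, their order, and the "MED-" Jira project key are assumptions chosen for the example; real criteria come from the applicable FDA guidance, MDCG 2020-3 and the organisation's own QMS procedures.

```python
"""Illustrative CI gate: traceability check plus change-classification decision tree.

Constructed example. The questions below are assumptions modelled on the kind of
questions a software-change decision tree asks; they are not a regulator's criteria.
"""
from dataclasses import dataclass
import re

# Assumed Jira key format, e.g. MED-123; the project key is an assumption.
JIRA_KEY = re.compile(r"\b[A-Z][A-Z0-9]+-\d+\b")


@dataclass
class Change:
    commit_message: str
    linked_requirements: list          # requirement IDs the Jira ticket traces to
    changes_intended_use: bool = False
    affects_risk_control: bool = False  # touches a hazard mitigation (ISO 14971 control)
    cybersecurity_only: bool = False    # strengthens security, no other behaviour change
    new_clinical_claim: bool = False


def traceability_gaps(change: Change) -> list:
    """Return the traceability problems found; an empty list means the gate passes."""
    gaps = []
    if not JIRA_KEY.search(change.commit_message):
        gaps.append("commit does not reference a Jira key")
    if not change.linked_requirements:
        gaps.append("ticket is not linked to any requirement")
    return gaps


def classify(change: Change) -> str:
    """Walk the decision tree top-down; the first question answered 'yes' decides.

    Questions about intended use and risk controls come first on purpose, so a
    cybersecurity patch that also alters a risk control is still treated as significant.
    """
    if change.changes_intended_use or change.new_clinical_claim:
        return "significant: regulatory submission review required"
    if change.affects_risk_control:
        return "significant: re-run risk analysis and verification"
    if change.cybersecurity_only:
        return "cybersecurity patch: document in DHF and verify; no resubmission assumed"
    return "minor: document in DHF (letter to file)"


if __name__ == "__main__":
    # Constructed sample change: an OTA hardening patch traced to one requirement.
    sample = Change("MED-42 harden OTA update signature check", ["SRS-7"], cybersecurity_only=True)
    print(traceability_gaps(sample) or "traceability OK", "|", classify(sample))
```

A pipeline would fail the build when `traceability_gaps` is non-empty and attach the `classify` result to the release record so the change category is visible at review and audit time.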
The following case studies illustrate practical examples of regulatory compliance throughout the full device software lifecycle.
An update to a Class III neurostimulator’s detection algorithm triggers a revalidation of the Design History File (DHF). This necessitates a new 510(k) submission, Notified Body review, cybersecurity enhancements, and updates to clinical documentation. Traceability is preserved across Jira, Polarion, Git, and Jenkins.
A connectivity upgrade introduces remote monitoring and clinician alerts, requiring updates to UDI, risk assessment, IFU, and PSUR. Implementation involves validated encryption, alert verification, and new PMS strategies.
AI-driven dehydration prediction raises concerns about third-party data use, interoperability, and privacy. Reclassification risks emerge under MDR Rule 11 and FDA Section 201(h), potentially categorising the patch as SaMD.
These cases show that compliant innovation is achievable, but only with structure, foresight, and leadership.
Regulatory compliance is no longer just a final checkpoint in medical device development but has become a crucial driver of innovation. By integrating compliance considerations from the very beginning, development teams can accelerate regulatory approvals, minimise risks of recalls or rejections, and enhance product quality through improved documentation and traceability. This proactive approach facilitates access to both local and global markets while building greater trust among patients, clinicians, and regulators. Ultimately, embracing a compliance-by-design mindset leads to the creation of safer, more reliable, and sustainable medical technologies that do more than merely meet standards; they actively push healthcare forward.
Chief Technology Officers, Regulatory Affairs Directors, Quality Assurance Directors, Product Vice Presidents, and Engineering Leaders must promote a proactive compliance culture through integrated tools, continuous training, and traceability from the start. Embedding compliance into daily workflows rather than only at the end supports sustainable growth, scaling, and regulatory preparedness. This team-based approach enables everyone, from engineers to executives, to innovate confidently and deliver safer, higher-quality medical devices more efficiently.
For a comprehensive understanding of regulatory requirements, real-world case studies, and best practices in managing both the medical device and software lifecycles, including the implementation of IEC 62304, ISO 13485, and risk-based software lifecycle management, please refer to the full white paper, Navigating FDA and MDR Compliance: Managing the Device Lifecycle and Embedded Software Updates in Medical Devices.