FDA Draft Guidance AI/ML

FDA Draft Submission Guidance AI/ML

For Use of AI/Machine Learning-Enabled Device Software Functions

Almost every day there is another news story about something involving “artificial intelligence.” So it seems timely that the FDA has just released a draft guidance for Marketing Submission Recommendations for a Predetermined Change Control Plan for Artificial Intelligence/Machine Learning (AI/ML)-Enabled Device Software Functions. Actually though this is the result of several years of FDA proposals combined with industry feedback as the Agency has been investigating how to best support the use of device software functions that implement an ML model trained with ML techniques – what they call “Machine Learning-Enabled Device Software Functions” (ML-DSF).

The scope of the draft guidance is for ML-DSF that you plan to modify over time – manually or automatically – where those modifications would normally require a PMA supplement, De Novo submission, or a new 510(k) notification. To help support this, the guidance defines a new item to be included in your submission: The “Predetermined Change Control Plan” (PCCP). The PCCP defines in advance the kinds of changes that you anticipate making to the ML-DSF along with how you will evaluate those changes to maintain the safety and efficacy of your device. Once the PCCP has been reviewed and established by the FDA through a device marketing authorization it becomes an “authorized PCCP”, which can then be used in making modifications to the ML-DSF without requiring additional marketing submissions.

The PCCP is made up of the following elements:

  • A Description of Modifications which outlines the types of modifications that you plan to make to the ML-DSF. This establishes the boundaries of the modifications that can be made under the PCCP without triggering the need for a new submission.
  • A Modification Protocol which describes the verification and validation activities that will be performed for each of the modification types.
  • An Impact Assessment that ties the Description of Modifications and the Modification Protocol together. It identifies the benefits and risks that could be introduced by the making modifications that are listed in the Description of Modifications and describes how the verification and validation activities in the Modification Protocol assure the continued safety and effectiveness of the device.

A new submission is not required for a modification under an authorized PCCP if both of the following criteria are met:

  • The modification is specified in the Description of Modifications of the authorized PCCP
  • The modification is implemented in conformance with the methods and specifications in the Modification Protocol of the authorized PCCP

Here are some examples of the types of modifications that might be included in a PCCP:

  • Improvements to analytical and clinical performance resulting from re-training the ML model based on new data
  • Expanding the algorithm to include new sources of the same signal type
  • Limited modifications related to the device’s use and performance (e.g., for use within a specific subpopulation)

However, not all kinds of modifications can be covered by a PCCP. In particular modifications that would change the device’s intended cannot be included in a PCCP or – with some possible exceptions – modifications that would be outside of the device’s indications for use.

The guidance states that it is the Agency’s desire “to promote the development of safe and effective medical devices that use ML models trained by ML algorithms”. But there is some understandable tension between being able to use these technologies while keeping medical devices safe and effective. So the guidance provides a lot of details about what types of changes can or cannot be covered by a PCCP, but also a lot of warnings to be very careful to only make changes within the bounds of the “authorized PCCP”. Careful crafting of the PCCP along with pre-submission discussions with the FDA could be especially important for this to be successful.

Since it’s only a draft guidance there is no guarantee that it will be finalized, but even so it’s still worth a look. It includes some very good practices that could be applied in the Software Maintenance Plan for any device containing ML-DSF.

Download the draft guidance here: 2023-Draft-Guidance-Predetermined-Change-Control-AIML

See our related post on Retaining Training Data Sets.

SoftwareCPR Training Courses:

IEC 62304 and other emerging standards for Medical Device and HealthIT Software

Our flagship course for preparing regulatory, quality, engineering, operations, and others for the activities and documentation expected for IEC 62304 conformance and for FDA expectations. The goal is to educate on the intent and purpose so that the participants are able to make informed decisions in the future.  Focus is not simply what the standard says, but what is meant and discuss examples and approaches one might implement to comply.  Special deep discount pricing available to FDA attendees and other regulators.

3-days onsite with group exercises, quizzes, examples, Q&A.

Instructor: Brian Pate

Next public offering:  TBD

Email training@softwarecpr.com to request a special pre-registration discount.  Limited number of pre-registration coupons.

Registration Link:




Being Agile & Yet Compliant (Public or Private)

Our SoftwareCPR unique approach to incorporating agile and lean engineering to your medical device software process training course is now open for scheduling!

  • Agile principles that align well with medical
  • Backlog management
  • Agile risk management
  • Incremental and iterative software development lifecycle management
  •  Frequent release management
  • And more!

2-days onsite (4 days virtual) with group exercises, quizzes, examples, Q&A.

Instructors: Mike Russell, Ron Baerg

Next public offering: March 7 & 28, 2024

Virtual via Zoom

Registration Link:

Register Now



Medical Device Cybersecurity (Public or Private)

This course takes a deep dive into the US FDA expectations for cybersecurity activities in the product development process with central focus on the cybersecurity risk analysis process. Overall approach will be tied to relevant standards and FDA guidance documentation. The course will follow the ISO 14971:2019 framework for overall structure but utilize IEC 62304, IEC 81001-5-1, and AAMI TIR57 for specific details regarding cybersecurity planning, risk characterization, threat modeling, and control strategies.

2-days onsite with group exercises, quizzes, examples, Q&A.

Instructor: Dr Peter Rech, 2nd instructor (optional)

Next public offering:  TBD

Corporate Office

15148 Springview St.
Tampa, FL 33624
Partners located in the US (CA, FL, MA, MN, TX) and Canada.