FDA's Final Guidance on AI/ML in Medical Devices

fda healthcare software October 7, 2025 · by Eleanor Hartwell

FDA finalized its guidance on Marketing Submission Recommendations for a Predetermined Change Control Plan (PCCP) for AI/ML-Enabled Device Software Functions on September 30. The final guidance is a meaningful deliverable from the agency, having moved through draft (2023) and revised draft (2024) stages with industry-collaborative working groups. It is the first piece of the broader AI/ML SaMD framework FDA committed to in its 2021 action plan to actually land in final form.

This is one of the better examples of the U.S. federal regulatory state continuing AI-related work despite the broader political pivot. CDRH has been mostly insulated from the EO 14110 rescission and has continued executing on a 2021-vintage plan. Practitioners advising medical device clients should treat the final guidance as the operative framework for AI/ML medical devices going forward.

The PCCP framework, in summary

The core conceptual problem the guidance addresses: traditional medical device clearance assumes a static product. AI/ML devices, particularly those that incorporate continuous learning, change in the field. The traditional alternatives — re-submitting for clearance every time the model is updated, or freezing the model and never updating — are both unworkable.

The PCCP solution is to allow manufacturers to submit, as part of their original 510(k) or De Novo submission, a description of the modifications they anticipate making to the AI/ML model post-clearance, along with the methods they will use to make and validate those modifications. If FDA approves the PCCP, the manufacturer can implement the described modifications without further submissions.

A PCCP has three components:

1. Description of modifications. Specific list of the categories of changes the manufacturer plans to make. These can include changes to inputs (e.g., new patient populations), outputs (e.g., new clinical predictions), performance (e.g., recalibration), or training data (e.g., expanded training sets).
2. Modification protocol. The methods the manufacturer will use to develop, validate, and deploy each category of modification, including data management, training procedures, validation protocols, and acceptance criteria.
3. Impact assessment. An analysis of the benefits and risks of the planned modifications, with a particular focus on how the modifications could affect the device's safety and effectiveness.

FDA reviews and approves these as part of the original submission. Modifications consistent with the approved PCCP can be implemented without new submissions; modifications outside the PCCP scope require new submissions or a PCCP amendment.

What's new in the final guidance

Compared to the 2024 revised draft, the final guidance has six material changes:

• Expanded scope. The final guidance applies to a broader range of devices, including some software that was on the borderline in earlier drafts. Devices that use locked algorithms but periodically retrain are clearly in scope.
• Real-world performance monitoring. Strengthened expectations that PCCP holders will monitor real-world performance and report meaningful deviations. The expectation is more demanding than what most current device manufacturers have built infrastructure for.
• Bias and equity considerations. The final guidance integrates more substantive expectations around bias monitoring and mitigation as part of the PCCP. Earlier drafts treated this as an aspirational nod; the final guidance incorporates it as a substantive review element.
• Cybersecurity integration. Cross-references to FDA's cybersecurity guidance are tighter. PCCP submissions need to address how cybersecurity will be maintained through the modification lifecycle.
• Supplier management. Where PCCP holders rely on third-party model components or training data, the supplier-management expectations are now explicit. This is going to require contractual restructuring at many manufacturers.
• De-implementation. The final guidance addresses what happens when modifications produce unexpected adverse outcomes — what the de-implementation/rollback expectations are. This was almost entirely absent from earlier drafts.

Liability implications

For products-liability defense work, the PCCP framework changes the landscape in several ways:

1. Compliance evidence. Adherence to an FDA-approved PCCP creates a meaningful compliance argument in tort cases involving AI/ML medical device errors. It does not provide preemption (Riegel-style preemption applies only to PMA devices, and AI/ML SaMDs are mostly 510(k)/De Novo), but it does provide regulatory-compliance evidence that is heavily weighted in product-liability defense.
2. Failure to comply with the PCCP. Manufacturers who deviate from the approved PCCP — even if the deviation seems immaterial — create a problem. A regulatory deviation is going to be more useful to plaintiffs than an absence of regulatory framework would be.
3. Real-world monitoring obligations. The strengthened monitoring expectations will produce real-world performance data that is discoverable. Plaintiffs will use it. Manufacturers should design their monitoring programs with that in mind — which means, among other things, having clear documentation of the rationale for any decision not to act on a performance signal.
4. Bias monitoring. The bias and equity element creates a new vector. Patient-population subgroups may have litigable disparate-performance claims that did not previously exist as well-defined claim types.

How this interacts with the EU AI Act

For multinational device manufacturers, the FDA PCCP framework and the EU AI Act high-risk-system regime overlap substantially. Both contemplate lifecycle risk management, both require performance monitoring, both have post-market surveillance expectations. They are not identical. Key differences:

• FDA's bias and equity expectations are more developed than the AI Act's, which folds them into the broader Article 10 data governance obligations.
• The AI Act's incident-reporting timelines (Article 73) are more compressed than FDA's.
• FDA's predetermined change framework has no clean AI Act equivalent — the AI Act treats material modifications as new "placing on the market" events, which complicates iterative AI/ML development.
• FDA documentation expectations are more granular at the technical level; the AI Act expectations are more granular at the governance level.

For multinational compliance, mapping the two frameworks to a single internal compliance program is feasible but requires careful work. We are seeing several large device manufacturers stand up unified AI/ML lifecycle management programs that satisfy both FDA and AI Act expectations; that is the right architectural move.

Practical action items

For device manufacturers:

1. Review pending and recent submissions against the final guidance. Where PCCPs were submitted under prior draft frameworks, plan for amendment if material gaps emerge.
2. Real-world performance monitoring infrastructure needs evaluation. The final guidance's expectations are higher than the draft, and many manufacturers have not built to the elevated bar.
3. Supplier management contracts may need updating. The supplier expectations are now explicit, and many manufacturer/supplier contracts predate them.
4. Bias monitoring programs need integration with PCCP submissions. This is a 2026 build for most manufacturers.

The PCCP framework is the most operationally meaningful U.S. AI regulatory development of 2025. Use it.