Course Description
This intensive two-day training program provides a deep, practical understanding of FDA cybersecurity and Software as a Medical Device (SaMD) regulatory requirement.
Participants will learn how to design, document, and submit compliant software and cybersecurity information for FDA 510(k), De Novo, and PMA submissions. The course bridges both domains—SaMD regulatory fundamentals and cybersecurity expectations showing how software risk, threat modeling, and security controls align with FDA’s Quality System Regulation (QSR), Cybersecurity Guidance, and IMDRF SaMD principles.
Real-world examples, hands-on exercises, and interactive workshops prepare attendees to author compliant documentation, develop SBOMs, conduct cybersecurity risk management, and implement effective postmarked vulnerability response processes.
Course Summary
Upcoming Courses
Learning Objectives
By the end of the two-day course, participants will be able to:
-
•
1. Understand FDA’s latest cybersecurity guidance and its integration into the design and submission lifecycle.
-
•
2. Interpret the IMDRF SaMD framework and how it informs FDA regulatory expectations.
-
•
3. Identify key FDA guidances applicable to SaMD, including Clinical Evaluation and Algorithm Change Control (PCCP).
-
•
4. Develop and maintain a Software Bill of Materials (SBOM) in line with FDA expectations.
-
•
5. Build a threat model and conduct security risk assessments following FDA and AAMI TIR57 best practices.
-
•
6. Prepare cybersecurity documentation for 510(k), De Novo, or PMA submissions.
-
•
7. Implement postmarket cybersecurity processes, including coordinated vulnerability disclosure (CVD) and incident response.
-
•
8. Understand software lifecycle documentation requirements (IEC 62304, 81001-5-1) and how they align with regulatory deliverables.
-
•
9. Apply cybersecurity and regulatory principles to AI/ML-based software functions.
Who Should Attend
-
•
Regulatory Affairs and Quality Professionals
-
•
Cybersecurity Specialists in MedTech
-
•
Software Developers and System Architects
-
•
SaMD and Digital Health Innovators
-
•
FDA Submission and Compliance Teams
-
•
Risk Management and Product Security Leads
Course Outline
Day 1 – FDA SaMD and Software Regulatory Foundations
Module 1 – Introduction to FDA Software Regulation
- Defining Software in a Medical Device (SiMD) vs. Software as a Medical Device (SaMD)
- IMDRF SaMD Framework and its adoption by FDA
- FDA device classification and intended use for software
- Overview of applicable FDA guidances and standards (62304, 81001- 5-1, PCCP, Clinical Evaluation)
- Workshop 1: Classify sample software functions under SaMD vs. SiMD
Module 2 – Regulatory Pathways and Documentation Requirements
- Determining submission type: 510(k), De Novo, or PMA
- Required documentation for software submissions (SRS, SDS, SVR, Cybersecurity Plan)
- Levels of concern and risk documentation under FDA’s guidance
- Traceability from requirements to validation
- Establishment registration, device listing, and UDI requirements
- Labeling and promotional compliance.
- Workshop 2: Create a simplified software documentation index for a mock SaMD product
Module 3 – Software Lifecycle and Change Management
- IEC 62304 software development process alignment with FDA QSR
- Pre-Specification and Algorithm Change Control documentation examples
- Case Study: Managing postmarket updates to an AI-enabled SaMD
Day 2 – FDA Cybersecurity Framework and Implementation
Module 4 – FDA Cybersecurity Requirements (2023–2024 Guidance)
- FDA’s expectations for secure product design
- Cybersecurity documentation in premarket submissions
- Mapping cybersecurity activities to the device lifecycle
- Security risk management and linkage to ISO 14971
- Workshop 3: Develop a simple threat model and risk table for a sample connected device
Module 5 – SBOM Development and Security Controls
- SBOM fundamentals and structure
- Identifying SOUP, open-source, and third-party components
- SBOM tools, automation, and validation practices
- Defensive design and cybersecurity control categories (authentication, authorization, encryption, integrity)
- Workshop 4: Draft an SBOM entry and map vulnerabilities to control mitigations
Module 6 – Postmarket Cybersecurity and Vulnerability Response
- Coordinated Vulnerability Disclosure (CVD) best practices
- FDA postmarket management of cybersecurity risk guidance
- Incident reporting and field correction considerations
- Building a vulnerability monitoring and patch management process
- Case Study: Analyzing a real FDA cybersecurity recall
Module 7 – Integration and Emerging Trends
- Aligning cybersecurity, QMS, and regulatory submissions
- How to integrate SaMD and cybersecurity documentation into one coherent submission
- Artificial Intelligence / Machine Learning (AI/ML) device considerations
- Cybersecurity labeling and patient safety communications
- Workshop 5: Build a Cybersecurity Documentation Checklist for a SaMD submission
Closing Session
- Knowledge Assessment Quiz
- Participant Q&A and Discussion
- Certificate of Completion
Interactive Activities
- •
5 Hands-On Workshops: Classification, documentation mapping,threat modeling, SBOM creation, and cyber documentation planning.
- •
Real-World Case Studies: FDA recalls and cybersecurity submissions.
- •
Live Polls & Group Discussions: Reinforce understanding through scenario-based learning.
- •
Mock Documentation Review: Teams critique a sample SaMD cybersecurity section for compliance gaps.
- •
Final Quiz & Instructor Q&A: Summarizes and applies key takeaways.
