FDA SaMD Compliance for AI Agents: Audit Trails, PCCP, and GMLP
Clinical AI agents that diagnose conditions, recommend treatment, triage severity, or predict clinical outcomes typically qualify as FDA Software as a Medical Device (SaMD) and must satisfy regulatory requirements that go well beyond those for general clinical software. Three frameworks are the most operationally demanding: 21 CFR Part 11 (audit-trail and tamper-evidence requirements for electronic records), GMLP Principle 10 (post-deployment performance monitoring with defined re-training triggers), and the Predetermined Change Control Plan (PCCP) framework (evidence requirements for modifying an algorithm without a new premarket submission).
What Qualifies as FDA AI/ML SaMD
Software qualifies as SaMD when it is intended for one or more medical purposes and performs those purposes without being part of a hardware medical device. Clinical AI agents that diagnose, triage, recommend treatment, predict clinical outcomes, or analyze clinical data to drive treatment decisions typically qualify. Two risk frameworks matter here and should not be conflated. The IMDRF SaMD risk categorization (categories I to IV, derived from the significance of the information the software provides and the state of the healthcare situation) is used to reason about risk; a diagnostic function in a critical situation falls in category IV. The premarket pathway, however, follows FDA's own device classification: Class III devices require a PMA, and Class II devices go through 510(k) or, where no predicate exists, De Novo. AI agents whose recommendations a clinician cannot independently review the basis for, or that analyze medical images or physiological signals, do not meet the statutory criteria for the non-device clinical decision support (CDS) exemption, and agents whose output is acted on without clinician review fall outside it as well.
21 CFR Part 11 Audit Trail Requirements
21 CFR Part 11 applies to records that FDA regulations require a manufacturer to keep (design history, complaint and MDR files, quality records) when those records are created or maintained electronically; it is not a SaMD-specific rule, but AI decision records that feed those files fall under it. §11.10(e) requires secure, computer-generated, time-stamped audit trails that independently record the date and time of operator entries and actions that create, modify, or delete electronic records, and it requires that record changes not obscure previously recorded information. For AI SaMD this means every decision record must carry a timestamp from a trusted clock (not one supplied by the client), be linked to the specific algorithm version and to the clinical inputs used, and be tamper-evident and append-only: a correction is a new record, never an overwrite. Hashing each record with SHA-256 and signing it with Ed25519 supports the §11.10(a) requirement that a validated system be able to discern invalid or altered records. Two caveats apply. A signature excludes only parties who lack the signing key, so key custody (an HSM or a separate signing service rather than the record writer's own configuration) determines who is actually prevented from rewriting history. And per-record signatures do not reveal deletion or reordering, so records should also be hash-chained or sequence-numbered. Records must remain retrievable by encounter ID throughout the retention period (§11.10(c)) so that Medical Device Reporting (MDR) can be supported when an adverse event is traced back to a decision.
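An added example (written for this page, not code from Tenet or from the regulation) of the audit-trail mechanics described above, in Go: each decision record carries a sequence number, a timestamp from an injected clock, the algorithm version, a SHA-256 of the input snapshot, and a SHA-256 over the whole record that is chained to the previous record and signed with Ed25519. The field names, the clock injection and the sample inputs are this example's assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// DecisionRecord is a hypothetical audit-trail entry for one AI decision.
// The field set is this example's own, not a standard or product schema.
type DecisionRecord struct {
	Seq              uint64 `json:"seq"`               // position in the trail (detects deletion/reorder)
	Timestamp        string `json:"timestamp"`         // RFC 3339 UTC from the trail's clock
	EncounterID      string `json:"encounter_id"`      // retrieval key for MDR follow-up
	AlgorithmVersion string `json:"algorithm_version"` // which model version decided
	ClinicianID      string `json:"clinician_id"`      // who requested the decision
	InputHash        string `json:"input_hash"`        // SHA-256 of the clinical input snapshot
	Output           string `json:"output"`            // the decision as emitted
	PrevHash         string `json:"prev_hash"`         // hash of the preceding record (chain link)
	Hash             string `json:"hash"`              // SHA-256 over every field above
	Signature        string `json:"signature"`         // Ed25519 signature over Hash
}

// Trail is an append-only, hash-chained, signed decision log. In production the
// private key belongs in an HSM or signing service, not in this process.
type Trail struct {
	priv    ed25519.PrivateKey
	now     func() time.Time // injected so a trusted clock, not the caller, supplies time
	records []DecisionRecord
}

func NewTrail(priv ed25519.PrivateKey, now func() time.Time) *Trail {
	return &Trail{priv: priv, now: now}
}

// recordHash digests the canonical JSON of a record with Hash and Signature
// blanked, so the digest commits to content, position and chain link.
func recordHash(r DecisionRecord) string {
	r.Hash, r.Signature = "", ""
	b, _ := json.Marshal(r) // struct field order is fixed, so the encoding is deterministic
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Append records one decision and returns the signed entry. Corrections are
// appended as new entries; nothing already in the trail is rewritten.
func (t *Trail) Append(encounterID, algoVersion, clinicianID string, input []byte, output string) DecisionRecord {
	in := sha256.Sum256(input)
	r := DecisionRecord{
		Seq:              uint64(len(t.records)),
		Timestamp:        t.now().UTC().Format(time.RFC3339Nano),
		EncounterID:      encounterID,
		AlgorithmVersion: algoVersion,
		ClinicianID:      clinicianID,
		InputHash:        hex.EncodeToString(in[:]),
		Output:           output,
	}
	if n := len(t.records); n > 0 {
		r.PrevHash = t.records[n-1].Hash
	}
	r.Hash = recordHash(r)
	r.Signature = hex.EncodeToString(ed25519.Sign(t.priv, []byte(r.Hash)))
	t.records = append(t.records, r)
	return r
}

// Records returns a copy so callers cannot mutate the trail in place.
func (t *Trail) Records() []DecisionRecord {
	return append([]DecisionRecord(nil), t.records...)
}

// VerifyTrail checks sequence numbers, chain links, content hashes and
// signatures. It detects edits, deletions and reordering within the list but
// not truncation of the newest entries; that needs the latest Hash anchored
// somewhere the writer cannot alter (a periodic signed checkpoint).
func VerifyTrail(pub ed25519.PublicKey, recs []DecisionRecord) error {
	prev := ""
	for i, r := range recs {
		if r.Seq != uint64(i) {
			return fmt.Errorf("record %d: seq %d out of order", i, r.Seq)
		}
		if r.PrevHash != prev {
			return fmt.Errorf("record %d: chain link broken", i)
		}
		if recordHash(r) != r.Hash {
			return fmt.Errorf("record %d: content altered", i)
		}
		sig, err := hex.DecodeString(r.Signature)
		if err != nil || !ed25519.Verify(pub, []byte(r.Hash), sig) {
			return fmt.Errorf("record %d: bad signature", i)
		}
		prev = r.Hash
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	clock := func() time.Time { return time.Date(2025, 3, 1, 9, 0, 0, 0, time.UTC) } // fixed for the demo
	t := NewTrail(priv, clock)
	// Constructed inputs, not real clinical data.
	t.Append("enc-1001", "sepsis-risk-2.3.1", "dr-417", []byte(`{"lactate":4.1,"hr":118}`), "HIGH_RISK")
	t.Append("enc-1002", "sepsis-risk-2.3.1", "dr-417", []byte(`{"lactate":1.2,"hr":72}`), "LOW_RISK")
	recs := t.Records()
	fmt.Println("intact:", VerifyTrail(pub, recs)) // intact: <nil>
	recs[0].Output = "LOW_RISK"                    // simulate an after-the-fact edit of stored data
	fmt.Println("edited:", VerifyTrail(pub, recs)) // edited: record 0: content altered
}
```

VerifyTrail catches an edited field, a record removed from the middle, a record re-hashed without the key, and verification against the wrong key. It cannot tell that the newest records were dropped, so a deployment should periodically send the latest Hash as a signed checkpoint to a system the record writer cannot modify.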
Predetermined Change Control Plans (PCCP)
FDA's final PCCP guidance (December 2024) lets the developer of an AI-enabled device software function implement pre-specified modifications without a new premarket submission for each one, provided each modification is made according to a plan FDA reviewed and authorized with the original submission. A PCCP has three parts: (1) a Description of Modifications listing each anticipated change and its rationale, (2) a Modification Protocol with the data management, re-training, performance evaluation and update procedures for each change, including the acceptance criteria a modified version must meet, and (3) an Impact Assessment of the benefits and risks of each change and how the risks are mitigated. A change outside the authorized plan still requires a new submission. Decision records captured before and after a modification are the primary evidence that the Modification Protocol was followed: they supply the frozen production inputs against which the performance evaluation and the before/after behavioral comparison are run.
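An added example in Go (not from the page and not Tenet's code) of the before/after comparison a Modification Protocol needs: stored production snapshots are checked against the hash recorded with the original decision, replayed through both the baseline and the candidate version, and every changed decision is listed per encounter for review. The threshold model, the lactate-only input and the snapshot set are constructed stand-ins.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Snapshot is a stored production input together with the hash and output that
// were written to the decision record at the time. Constructed for this
// example; not a product schema.
type Snapshot struct {
	EncounterID string
	Input       []byte // the clinical context exactly as the model saw it
	InputHash   string // SHA-256 recorded with the original decision
	Output      string // what the baseline version emitted in production
}

// Model is any algorithm version: a pure function from context to decision.
type Model func(input []byte) string

// Delta is the before/after behavioural comparison for one replay run.
type Delta struct {
	Replayed   int
	Agree      int
	Changed    map[string][2]string // encounter -> {baseline output, candidate output}
	Integrity  []string             // encounters whose stored input no longer matches its hash
	BaselineOK bool                 // the baseline reproduced every stored output on replay
}

func hashOf(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

// Replay re-executes each stored snapshot through the baseline and the candidate.
// A snapshot whose hash no longer matches is excluded and reported rather than
// trusted. The baseline is re-run too: if it does not reproduce its own recorded
// output, the "before" side is not deterministic and the delta is not meaningful,
// which is flagged through BaselineOK.
func Replay(snaps []Snapshot, baseline, candidate Model) Delta {
	d := Delta{Changed: map[string][2]string{}, BaselineOK: true}
	for _, s := range snaps {
		if hashOf(s.Input) != s.InputHash {
			d.Integrity = append(d.Integrity, s.EncounterID)
			continue
		}
		d.Replayed++
		b, c := baseline(s.Input), candidate(s.Input)
		if b != s.Output {
			d.BaselineOK = false
		}
		if b == c {
			d.Agree++
		} else {
			d.Changed[s.EncounterID] = [2]string{b, c}
		}
	}
	return d
}

// thresholdModel stands in for an algorithm version: it flags high risk when
// lactate exceeds a cut-off. Real SaMD logic is far richer; what matters here is
// that both versions see byte-identical inputs.
func thresholdModel(cutoff float64) Model {
	return func(input []byte) string {
		var v struct {
			Lactate float64 `json:"lactate"`
		}
		if err := json.Unmarshal(input, &v); err != nil {
			return "ERROR"
		}
		if v.Lactate > cutoff {
			return "HIGH_RISK"
		}
		return "LOW_RISK"
	}
}

// SampleSnapshots is a constructed replay set as recorded by the baseline
// (cut-off 4.0), plus one snapshot whose input was modified after recording.
func SampleSnapshots() []Snapshot {
	base := thresholdModel(4.0)
	mk := func(id, in string) Snapshot {
		b := []byte(in)
		return Snapshot{EncounterID: id, Input: b, InputHash: hashOf(b), Output: base(b)}
	}
	tampered := mk("enc-5", `{"lactate":0.9}`)
	tampered.Input = []byte(`{"lactate":9.0}`) // input changed; hash and output did not
	return []Snapshot{
		mk("enc-1", `{"lactate":1.1}`),
		mk("enc-2", `{"lactate":2.7}`),
		mk("enc-3", `{"lactate":4.6}`),
		mk("enc-4", `{"lactate":3.2}`),
		tampered,
	}
}

func main() {
	d := Replay(SampleSnapshots(), thresholdModel(4.0), thresholdModel(2.0))
	fmt.Printf("replayed=%d agree=%d changed=%v integrity_failures=%v baseline_ok=%v\n",
		d.Replayed, d.Agree, d.Changed, d.Integrity, d.BaselineOK)
	// replayed=4 agree=2 changed=map[enc-2:[LOW_RISK HIGH_RISK] enc-4:[LOW_RISK HIGH_RISK]] integrity_failures=[enc-5] baseline_ok=true
}
```

The Changed map is the list a clinical reviewer works from; the Integrity list is a finding in its own right, since a snapshot that no longer hashes to its recorded value cannot serve as evidence for either version.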
GMLP Principle 10: Post-Deployment Monitoring
The joint FDA/Health Canada/MHRA Good Machine Learning Practice guiding principles require that deployed models be monitored for performance in real-world use and that re-training risks, including the triggers for re-training, be managed (Principle 10). This requires continuous production decision records, with adjudicated outcomes attached as they become available, to compare against the pre-deployment validation benchmarks. Key monitoring metrics: sensitivity and specificity drift against the clinical validation figures, shift in the confidence-score distribution, covariate shift in the input population, and the adverse event rate among patients whose care was influenced by the AI. Each metric needs a minimum sample before it is acted on, so that a handful of early cases does not trip a trigger. When a metric crosses its defined threshold, the response depends on the cause: a change covered by the PCCP follows its Modification Protocol, while a change outside the plan, or a problem no planned modification addresses, requires a new premarket submission.
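An added example in Go (not the page's or Tenet's code) of the post-deployment check: sensitivity and specificity computed from adjudicated production outcomes and compared against the validation figures, a population stability index over the confidence scores, a minimum sample size before any trigger fires, and NaN handling for windows that contain no positives. The cohorts and the threshold values are constructed for illustration; a real monitoring plan sets its own.

```go
package main

import (
	"fmt"
	"math"
)

// Outcome pairs one production decision with its later adjudicated ground
// truth. Constructed for this example; not a product schema.
type Outcome struct {
	Predicted  bool    // model output was positive
	Actual     bool    // adjudicated truth (chart review, lab confirmation)
	Confidence float64 // model's reported probability of the positive class
}

// Metrics summarises one cohort (validation set or a production window).
type Metrics struct {
	N           int
	Sensitivity float64 // TP/(TP+FN); NaN when the window has no positives
	Specificity float64 // TN/(TN+FP); NaN when the window has no negatives
	Confidences []float64
}

func Summarise(outs []Outcome) Metrics {
	var tp, fn, tn, fp float64
	m := Metrics{N: len(outs)}
	for _, o := range outs {
		m.Confidences = append(m.Confidences, o.Confidence)
		switch {
		case o.Predicted && o.Actual:
			tp++
		case !o.Predicted && o.Actual:
			fn++
		case !o.Predicted && !o.Actual:
			tn++
		default:
			fp++
		}
	}
	m.Sensitivity, m.Specificity = tp/(tp+fn), tn/(tn+fp) // 0/0 yields NaN by design
	return m
}

// PSI is the population stability index between two score samples over
// equal-width bins on [0,1]; 0 means the binned distributions are identical.
func PSI(base, prod []float64, bins int) float64 {
	const eps = 1e-6 // keeps empty bins out of log(0)
	hist := func(xs []float64) []float64 {
		h := make([]float64, bins)
		for _, x := range xs {
			i := int(x * float64(bins))
			if i >= bins {
				i = bins - 1 // a score of exactly 1.0 lands in the top bin
			}
			h[i]++
		}
		for i := range h {
			h[i] = h[i]/float64(len(xs)) + eps
		}
		return h
	}
	p, q := hist(base), hist(prod)
	psi := 0.0
	for i := range p {
		psi += (q[i] - p[i]) * math.Log(q[i]/p[i])
	}
	return psi
}

// Thresholds are illustrative triggers; a real PCCP and monitoring plan
// define their own values and sample sizes.
type Thresholds struct {
	MaxSensitivityDrop float64 // absolute drop versus validation
	MaxSpecificityDrop float64
	MaxConfidencePSI   float64
	MinSample          int // production records required before any trigger fires
}

type Trigger struct {
	Metric             string
	Baseline, Observed float64
}

// CheckDrift compares a production window against the validation baseline.
// enough=false means the window is still too small to act on. NaN metrics
// never trigger, because every comparison involving NaN is false.
func CheckDrift(base, prod Metrics, th Thresholds) (triggers []Trigger, enough bool) {
	if prod.N < th.MinSample {
		return nil, false
	}
	if base.Sensitivity-prod.Sensitivity > th.MaxSensitivityDrop {
		triggers = append(triggers, Trigger{"sensitivity", base.Sensitivity, prod.Sensitivity})
	}
	if base.Specificity-prod.Specificity > th.MaxSpecificityDrop {
		triggers = append(triggers, Trigger{"specificity", base.Specificity, prod.Specificity})
	}
	if psi := PSI(base.Confidences, prod.Confidences, 5); psi > th.MaxConfidencePSI {
		triggers = append(triggers, Trigger{"confidence_psi", 0, psi})
	}
	return triggers, true
}

func repeat(n int, o Outcome) []Outcome {
	out := make([]Outcome, n)
	for i := range out {
		out[i] = o
	}
	return out
}

// Constructed cohorts: validation is clean; production misses two true
// positives at low confidence, the signature of a drifting model.
func ValidationCohort() []Outcome {
	return append(repeat(10, Outcome{true, true, 0.9}), repeat(10, Outcome{false, false, 0.1})...)
}

func ProductionCohort() []Outcome {
	c := append(repeat(8, Outcome{true, true, 0.9}), repeat(2, Outcome{false, true, 0.3})...)
	return append(c, repeat(10, Outcome{false, false, 0.1})...)
}

func main() {
	th := Thresholds{MaxSensitivityDrop: 0.05, MaxSpecificityDrop: 0.05, MaxConfidencePSI: 0.2, MinSample: 20}
	trig, enough := CheckDrift(Summarise(ValidationCohort()), Summarise(ProductionCohort()), th)
	fmt.Println(enough, trig) // true [{sensitivity 1 0.8} {confidence_psi 0 1.17...}]
}
```

Sensitivity here is computed only over records whose outcome has been adjudicated, which lags production by days to weeks; the PSI over confidence scores needs no ground truth and is therefore the earliest available signal.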
Decision Records for FDA SaMD Submissions and TPLC
A Tenet AI decision record captures the fields required for FDA SaMD compliance: encounter_id (MDR linkage), algorithm_version (Part 11 provenance), requesting_clinician_id (Part 11 user identification), a clinical_data context snapshot (Part 11 input capture), a tamper-evident Ed25519 signature (Part 11 integrity), and samd_cleared_id linking the record to the premarket clearance or approval. For PCCP modification validation, Tenet Deterministic Replay re-executes the stored context snapshots from the production baseline through the modified algorithm, producing the before/after behavioral delta evidence the Modification Protocol requires.