FDA final guidance on PCCP for AI‑enabled device software

Regulatory Update

FDA Final Guidance: Predetermined Change Control Plans (PCCP) for AI-Enabled Device Software

Originally reported by FDA • Publication date: 18 Aug 2025 • Applies to 510(k), De Novo, and PMA submissions • Non-binding guidance (FDA’s current thinking)

FDAPCCPAI/MLSaMD QMSR & ISO 13485IEC 62304ISO 14971Cybersecurity

Overview

Artificial intelligence and machine-learning (AI/ML) algorithms are increasingly central to medical devices. Historically, any meaningful algorithm change after clearance could force a new submission. FDA’s final guidance on Marketing Submission Recommendations for a Predetermined Change Control Plan for AI-Enabled Device Software Functions provides a framework to pre-authorize a defined set of future modifications—so sponsors can update models within agreed boundaries without re-submitting each time.

The guidance outlines what belongs in a PCCP, how to validate planned changes, and how to maintain transparency with users and FDA. It emphasizes responsible AI (bias awareness, robust data, security, and monitoring) while preserving safety and effectiveness.

What changed in the final guidance

Description of modifications

  • List specific, limited, verifiable changes you intend to implement (e.g., performance tuning, expanded inputs, sub-population adaptation).
  • Bound the scope with clear guardrails (what’s in vs. out) and versioning logic.

Modification protocol

  • Define data governance, retraining triggers, and statistical plans.
  • Use representative datasets (sites, devices, demographics) with bias-mitigation strategies.
  • Pre-specify verification/validation metrics and update procedures.

Impact assessment

  • Risk–benefit analysis for each change, including potential unintended bias.
  • Show how controls maintain safety and effectiveness within PCCP limits.

Labeling & transparency

  • Disclose that the device contains a ML model and an authorized PCCP.
  • Summarize implemented changes and supporting data in updated labeling and public summaries.
  • Plan for UDI updates for significant major version changes when required.

Who’s affected

AI-enabled device manufacturers

Teams working on imaging, clinical decision support, monitoring, wearables, and other ML-driven functions should integrate PCCP planning early.

Regulatory & quality teams

Update design controls, software lifecycle (IEC 62304), risk management (ISO 14971), cybersecurity (e.g., secure updates, SBOM), PMS, and vigilance to accommodate pre-authorized updates.

Combination products

For device-led combinations, the PCCP applies to the device constituent part; coordinate with combination product governance and labeling.

What this means for your roadmap

  • Faster iteration inside guardrails: If a change fits the authorized PCCP, you can update without a fresh submission—reducing cycle time and review burden.
  • Higher bar for upfront planning: Vague or open-ended PCCPs are unlikely to fly. Be concrete about changes, data, metrics, and protections.
  • Operational rigor matters: Traceability from planned change → datasets → V&V → labeling must be clear and auditable.
  • Bias & security are first-class risks: Expect scrutiny of representativeness, drift monitoring, model update security, and coordinated disclosure.

Action checklist (start this quarter)

PCCP strategy

  • Inventory AI/ML functions; decide which warrant a PCCP.
  • Draft description of modifications with explicit in-scope/out-of-scope examples.
  • Define retraining triggers (time, data drift, performance thresholds).

Protocol & controls

  • Lock data pipelines, curation criteria, and bias tests.
  • Pre-specify V&V metrics, acceptance criteria, and rollback plans.
  • Tie updates to secure SDLC (IEC 62304) and cybersecurity maintenance.

QMS & documentation

  • Embed PCCP in design control, change control, and release processes.
  • Maintain a PCCP index mapping every planned change to evidence.
  • Update PMS to monitor post-deployment performance and drift.

Labeling & UDI

  • Prepare templates to summarize implemented PCCP changes.
  • Define UDI update rules for major model versions.
  • Align user comms and training for post-update usability.

Quick FAQs

Does every AI device need a PCCP?

No. Use a PCCP where meaningful future updates are anticipated and can be constrained by verifiable guardrails and validation plans.

Can we add new indications under a PCCP?

Generally, indication changes are outside the typical PCCP scope and may require a new submission. Keep PCCP changes within the authorized boundaries.

How detailed should datasets be in the PCCP?

Describe sources, representativeness, inclusion/exclusion, and bias controls sufficiently for reviewers to understand robustness—without exposing proprietary IP.

Need help drafting a reviewer-ready PCCP?

We align PCCP scope, validation metrics, cybersecurity, labeling, and QMS processes, so you can iterate safely inside FDA’s guardrails.

Talk to an Expert

This article summarizes public guidance and industry analysis without linking to external sites.