Introduction
Manufacturers of AI-enabled Software as a Medical Device (SaMD) for in vitro diagnostics must navigate numerous overlapping international regulations, including IVDR and the forthcoming AI Act, as well as requirements for information security, data protection, and data quality. Even though these requirements might initially seem overwhelming, they ultimately center around core principles aimed at ensuring optimal patient outcomes.
At PAICON, we recognized the opportunity to streamline processes and reduce redundancy within the complex regulatory landscape of the MedTech industry. By developing compliant AI frameworks and showcases, we provide a foundation that helps manufacturers and partners accelerate innovation while maintaining the highest standards of safety and trust.
Core Principles: Aligning data integrity with IVDR and AI Act
Our framework begins with the classic data-integrity acronym ALCOA, standing for Attributable, Legible, Contemporaneous, Accurate, and Consistent. We decided to start integrating AI Act requirements, even though they are not yet formally applicable to our products, to minimize the risk of costly rework once the AI Act comes into force. So we mapped the ALCOA pillars directly to IVDR and AI Act requirements. By laying out these correspondences between regulations up front, and training our teams accordingly, we enabled them to see immediately how any new process aligns with the applicable regulations.
Refer to the Table:
| ALCOA | IVDR | AI Act |
|---|---|---|
| Attributable & Original | Labeling traceability, UDI | Audit trail of AI decisions |
| Legible & Enduring | Documentation in human-readable form | Explainable model summaries |
| Contemporaneous & Available | Post-market data reporting | Performance monitoring |
| Accurate & Complete | Clinical evidence (sensitivity/specificity) | Bias-mitigation & robustness testing |
| Consistent | Quality system control | Data governance policies |
Table 1. High-Level ALCOA - IVDR - AI Act Mapping
This table illustrates one example of such a mapping, used for requirement tracking and regulatory compliance. A key advantage of the mapping is that it exposes redundancies: a requirement already addressed under one regulation can be recognized, rather than implemented a second time, when it reappears under another.
Data Criticality and Risk Management as Fundamental Points of a Compliant System
By defining our compliance approach and aligning it with regulatory expectations, we also ensured that real-world data risks were carefully evaluated. Before building a single product module, we catalogue every data stream (processed results, metadata, AI training inputs and outputs) and assess how an error in each data unit could affect patient safety. We apply common risk principles to prioritize our strongest controls for the datasets with the highest safety impact. This upfront evaluation turns a vague “secure everything” approach into a simple plan: protect most what matters most.
Designing a single compliant system
With data priorities clear, we design and test our platform’s functionalities from the beginning to meet both ISO 13485’s QMS requirements and IVDR’s General Safety and Performance Requirements.
Every software component is validated for its specific role and contributes to a complete audit trail that captures every unit of work, mapped back to the feature requirement that motivated it. Examples include sample runs, data transformations, and AI-model updates, each recorded with a user ID, a timestamp, and a rationale. We manage access through individual logins, role-based permissions, and electronic signatures for critical actions. In parallel, we automate whatever we can to eliminate manual errors, synchronize systems, and train our staff so that all processes operate within a single, coherent system.
Data, Metadata and AI models
For our partners, data integrity is not just a technical detail but the backbone of regulatory acceptance and clinical trust. That’s why every data point in our system is enriched with full metadata, capturing who, what, when, where, and why. This creates an unbroken chain of evidence that manufacturers can rely on to demonstrate traceability, auditability, and model robustness when engaging with Notified Bodies or Competent Authorities.
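The audit trail described under “Designing a single compliant system” and the who/what/when/where/why metadata chain described here can be made tamper-evident by linking each record to the hash of the one before it. The following is an added illustration, not PAICON’s code; the field names, the `requirement_id` link to a feature requirement, and the sample entries are constructed assumptions.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
# Constructed example: one entry per unit of work. Field names are an assumption mirroring
# the who/what/when/where/why metadata in the text; requirement_id traces back to the feature.
@dataclass
class AuditEntry:
    who: str             # individual user ID (no shared accounts)
    what: str            # e.g. "sample_run", "data_transformation", "model_update"
    when: str            # ISO 8601 UTC timestamp recorded when the action happens
    where: str           # system or component that performed the work
    why: str             # rationale entered by the user
    requirement_id: str  # feature requirement this unit of work traces to
    prev_hash: str       # hash of the previous entry (the chain link)
    entry_hash: str = ""

GENESIS = "0" * 64  # link value used by the first entry
def compute_hash(entry: AuditEntry) -> str:
    """Hash every field except entry_hash itself, using a canonical JSON encoding."""
    payload = {k: v for k, v in asdict(entry).items() if k != "entry_hash"}
    data = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def append_entry(trail, who, what, where, why, requirement_id, when=None):
    """Append an entry whose prev_hash is the hash of the current last entry."""
    prev = trail[-1].entry_hash if trail else GENESIS
    when = when or datetime.now(timezone.utc).isoformat()  # contemporaneous by default
    entry = AuditEntry(who, what, when, where, why, requirement_id, prev)
    entry.entry_hash = compute_hash(entry)
    trail.append(entry)
    return entry

def verify_trail(trail) -> bool:
    """Recompute every hash and link; any edit, deletion or reorder breaks the chain."""
    expected_prev = GENESIS
    for entry in trail:
        if entry.prev_hash != expected_prev or compute_hash(entry) != entry.entry_hash:
            return False
        expected_prev = entry.entry_hash
    return True

def demo_tamper_detection():
    """Build a two-entry trail, alter a stored rationale after the fact, re-verify."""
    trail = []
    append_entry(trail, "u-042", "sample_run", "analyzer-1", "routine batch", "REQ-17", "2025-01-10T09:00:00+00:00")
    append_entry(trail, "u-007", "model_update", "ml-pipeline", "retrain on new cohort", "REQ-23", "2025-01-10T10:30:00+00:00")
    intact = verify_trail(trail)
    trail[0].why = "urgent rerun"  # silent edit of a stored record
    return intact, verify_trail(trail)  # (True, False)
```

In a real deployment the chain head would be anchored outside the writable store (for example in a signed, periodically exported checkpoint) so that rewriting the whole chain is also detectable.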
We also ensure strict separation between training and test datasets, so model performance is validated on truly unseen data. This prevents hidden shortcuts that could compromise reliability and gives partners reproducible results backed by deterministic metrics. Manufacturers using our framework can present performance evidence with confidence, knowing that results are consistent and regulator-ready.
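The “hidden shortcut” this separation guards against is most often patient-level leakage: the same patient contributes samples to both splits, so the model recognizes the patient rather than the pathology. The following added example (not PAICON’s code; the records and field names are constructed) gates the sensitivity/specificity calculation on a leakage check at both sample and patient level.

```python
from collections import Counter

# Constructed records: sample_id, patient_id, label and pred (1 = positive).
# Patient P3 contributed two samples; one in each split is the classic hidden shortcut.
TRAIN = [
    {"sample_id": "S1", "patient_id": "P1", "label": 1},
    {"sample_id": "S2", "patient_id": "P2", "label": 0},
    {"sample_id": "S3", "patient_id": "P3", "label": 1},
]
TEST_CLEAN = [
    {"sample_id": "S4", "patient_id": "P4", "label": 1, "pred": 1},
    {"sample_id": "S5", "patient_id": "P5", "label": 0, "pred": 0},
    {"sample_id": "S6", "patient_id": "P6", "label": 1, "pred": 0},
    {"sample_id": "S7", "patient_id": "P7", "label": 0, "pred": 0},
]
TEST_LEAKY = TEST_CLEAN + [{"sample_id": "S8", "patient_id": "P3", "label": 1, "pred": 1}]

def split_leakage(train, test) -> dict:
    """Overlap between the two splits at sample level and at patient level."""
    test_samples = {r["sample_id"] for r in test}
    test_patients = {r["patient_id"] for r in test}
    return {
        "shared_samples": sorted({r["sample_id"] for r in train} & test_samples),
        "shared_patients": sorted({r["patient_id"] for r in train} & test_patients),
    }

def sensitivity_specificity(test) -> tuple:
    """Deterministic metrics from a fixed confusion matrix; no randomness involved."""
    c = Counter((r["label"], r["pred"]) for r in test)
    tp, fn, tn, fp = c[(1, 1)], c[(1, 0)], c[(0, 0)], c[(0, 1)]
    sens = tp / (tp + fn) if tp + fn else float("nan")
    spec = tn / (tn + fp) if tn + fp else float("nan")
    return sens, spec

def validate_and_score(train, test) -> tuple:
    """Refuse to produce performance evidence when any sample or patient leaks across splits."""
    leak = split_leakage(train, test)
    if leak["shared_samples"] or leak["shared_patients"]:
        raise ValueError(f"train/test leakage detected: {leak}")
    return sensitivity_specificity(test)
```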
Finally, we embed data diversity into every AI-model training cycle. By ensuring that algorithms learn from a wide range of patient populations, sample types, and clinical settings, we not only enhance diagnostic accuracy but also address AI Act requirements for bias mitigation and representative coverage from the start. Our Remaining84 initiative reflects this commitment to data equity, enabling our partners to deliver solutions that are both scientifically robust and socially responsible.
Supporting Data Lifecycle Integrity with Governance by Design
To ensure that every bit of data, from raw input to model output, stays reproducible, traceable, and ready for audit, PAICON embeds data lifecycle governance into the platform’s core design. Rather than relying on simple backup routines, our system treats storage, versioning, lineage and archival as an integrated continuum.
Data remains reusable for retraining and regulatory queries, while automated policies govern data access, retention, and export. Auditable actions, from data pulls to model updates, are logged end-to-end, enabling partners to demonstrate compliance with confidence. Transparent governance frameworks, akin to a Trust Center, ensure stakeholders can assess security controls, certifications, and integrity guarantees without hidden gaps.
Keeping Products Reliable and Audit-Ready
Compliance is not a one-time event; it is an ongoing commitment. We monitor our software performance in real time via dashboards, instantly alerting us to drift that could affect product availability and patient safety. For every software patch, data pipeline tweak, or model update, we follow a unified change-control workflow that incorporates both IVDR’s “substantial modification” criteria and the AI Act’s “substantial change” provisions. This single workflow streamlines submissions to Notified Bodies and Competent Authorities and eliminates duplicated effort.
For manufacturers and diagnostic partners, one of the biggest challenges is showing regulators that AI-driven systems remain reliable after every update. PAICON addresses this by combining real-time performance monitoring with a unified change-control framework that is already mapped to IVDR and AI Act requirements.
Dashboards detect data or model drift immediately, so partners can respond before it impacts product availability or patient safety. Every patch, pipeline adjustment, or model update is logged, assessed, and versioned under a workflow that mirrors regulatory expectations for “substantial modifications.”
For customers, this means two things:
- Confidence that updates won’t create regulatory surprises, since changes are evaluated in line with the same rules regulators apply.
- Efficiency in submissions, because documentation for Notified Bodies or Competent Authorities is generated through one consistent workflow, reducing duplication and speeding up review.
In practice, this transforms compliance from a reactive burden into a proactive safeguard, helping partners keep their AI solutions both agile and regulator-ready.
Conclusion
By treating ISO 13485, IVDR, the AI Act, GDPR, and GxP as overlapping circles, PAICON has built a data-governance framework that is greater than the sum of its parts. From the moment data enters our platform to every update we make in production, we maintain a single, clear lifecycle with patient safety always at the forefront. We transform a set of regulations into one efficient system, saving time, reducing risk, and ensuring AI-powered products deliver on their promise safely and reliably.
Enabling Innovation for Hardware Manufacturers
Beyond applying this framework internally, PAICON develops AI-based showcases and reference solutions that demonstrate how regulatory alignment and cutting-edge AI practices can be realized in practice. These serve as a solid technical and compliant foundation that hardware and diagnostic manufacturers can build upon.
By integrating our frameworks into their own development pipelines, partners can accelerate innovation, reduce regulatory risk, and bring AI-enabled solutions to market with greater confidence.
In this way, PAICON acts as both an innovation catalyst and a compliance accelerator for the MedTech industry, turning regulatory complexity into a launchpad for safe, effective, and future-ready AI in healthcare.
References:
- Regulation (EU) 2017/746 of 5 April 2017 on in vitro diagnostic medical devices (IVDR).
- Regulation (EU) 2024/1689 of 13 June 2024 on harmonised rules for AI (AI Act).
- MHRA. ‘GxP’ Data Integrity Guidance and Definitions; Revision 1: March 2018. UK MHRA; 2018.
- ISO 13485 Medical devices - Quality management systems - Requirements for regulatory purposes.
- MDCG 2025-6. Interplay between MDR/IVDR & AI Act. European Commission.
- General Data Protection Regulation (GDPR).
- ISO 14971 Medical devices - Application of risk management to medical devices.
- ISO 31010 Risk management - Risk assessment techniques.
- ISO 27001 Information security, cybersecurity and privacy protection - Information security management systems - Requirements.
- ISO 27002 Information security, cybersecurity and privacy protection - Information security controls.
- ISO 38500 Information technology - Governance of IT for the organization.