
Matt Hazelett

MedSec

COO & CQO

Tutorial

Medical Device Cybersecurity: What FDA Expects – and How to Navigate Submissions

Description:  If you develop, approve, or support connected medical devices, you are now in the cybersecurity business—whether you planned to be or not. Cybersecurity incidents and vulnerabilities have steadily increased across the medical device sector, and healthcare delivery organizations are understandably concerned that new devices might introduce increased risks into their hospitals and clinics.

Regulators have responded. In the United States, the Federal Food, Drug, and Cosmetic Act has been amended to explicitly require medical device cybersecurity, and FDA has issued updated premarket guidance and expectations. At the same time, procurement teams are asking much tougher questions about cybersecurity readiness before they buy.

In this tutorial, you will hear directly from a former FDA Cybersecurity Policy Analyst about what FDA expects in terms of legal requirements and premarket submission deliverables, and how these expectations compare with some other key international jurisdictions. Just as importantly, we will discuss how cybersecurity and safety intersect to ensure medical devices address design considerations and risks across both processes.

You will leave with a clearer understanding of what has changed in regulatory oversight, key considerations of what “good” looks like in cybersecurity submissions, and how international expectations are evolving.

Who should attend: RA/QA, risk management, systems and software engineers, clinical and medical safety leaders, and innovators involved in the development, approval, or support of connected medical devices and combination products.

Learning objectives: 

  • Understand the US cybersecurity legal requirements

  • Describe the FDA premarket submission cybersecurity deliverables

  • Identify similarities between FDA submission deliverables and some common international expectations


Shannon Hoste

Hoste Consulting

Founder & Principal Engineer

Jonathan Kendler

Curiolis, Inc

Principal Consultant

Workshop

Factoring Human Factors Data into Your Risk File and Safety Case Using Quantitative and Qualitative Data

Description:  There are many pieces to establishing a case for safety and assessment of benefit-risk. The risk management process is intended to design risk out of the product with evaluation of implementation and effectiveness of the risk controls needed. This is evaluated through bench testing, reliability assessments, cleaning validation, clinical studies, etc. These are all assessments to prove that the product works as intended, within the constraints of those protocols. Unfortunately, even if it is written into an IFU, end users do not always follow the same protocols as those used by test engineers and clinical investigators. There is large potential for variety in the real world in who is using the product and how they are using it. The process of Human Factors (Usability) Engineering (HFE) provides a safety-critical approach to designing use-error out of your interface and provides the methods to bridge how your product performs in the lab vs. in actual use.  


This two-part workshop will be structured like an HFE Process 'Clinic' where we delve into common challenges and barriers to the integration and execution of HFE in a way that augments the product design and the ISO 14971 risk management process.  In part one, we will discuss integration challenges such as: the difference between a URRA and a uFMEA, how to scale the HFE efforts up and down with risk and product complexity, and how and where to get data to justify design and risk decisions (e.g. quantitative and qualitative research methods). In part two, we will cover the tactical execution of the URRA, focusing on known pain points including the assessment of known use problems. We will use case studies to demonstrate best practices and real-world challenges associated with identifying user and use environment characteristics, conducting task analyses, and identifying potential use errors. 


Attendees will leave with a framework for scoping HFE activities and practical tools for managing use-related risks. They will also have example cases around the question of when HF-Validation is needed and where regulatory questions require quantitative vs qualitative methods.

Who should attend: RA/QA, risk management, systems & software engineers, human-factors, clinical, and innovators.

Learning objectives: 

  • Scope and prioritize activities around use-related risk using a structured HFE framework.

  • Utilize URRA techniques to identify, analyze, prioritize, and mitigate use-related risks.

  • Apply key HFE tools and methods to help develop safe and effective products.

Leo Eisner

Eisner Safety Consultants

Founder & Principal Consultant

Workshop

Building & Using an IEC 60601 Conformity Evaluation File (CEF) for Today and Tomorrow (IEC 60601-1, 4th Ed.)

Description:  This workshop presents a practical and immediately usable approach to applying Conformity Evaluation File (CEF) and Conformity Evaluation Plan (CEP) concepts to current IEC 60601 projects, while clearly aligning participants with what is taking shape for IEC 60601-1, 4th Ed. Rather than waiting for full adoption of the new edition, attendees will learn how the CEF mindset can already be leveraged to improve test planning, constructional review of device design and labeling, verification testing, and related QMS-driven compliance activities.

IEC 60601-1, 4th Ed. introduces the Conformity Evaluation File (CEF) as a structured set of records and supporting documents used to demonstrate fulfilment of applicable requirements. Closely tied to this concept is the Conformity Evaluation Plan (CEP), which serves as the organizing construct for how each requirement is addressed, evaluated, and documented.

Using a guided example, the session walks participants through how requirements are identified using the 4th Ed. categorization system, how those requirements are addressed through evaluation activities defined in a CEP, and how the resulting evidence is assembled into a defensible CEF. The workshop demonstrates how a well-structured CEP–CEF approach supports rigorous technical review by test laboratories, auditing bodies, regulators, and internal compliance resources, while enabling clearer and efficient interactions across development teams and external reviewers.

The workshop is designed to bridge current IEC 60601 practices with future expectations, helping participants strengthen compliance activities now while preparing for the transition to IEC 60601-1, 4th Ed.

Participants will leave with a clearer understanding of how to structure conformity evidence in a way that strengthens technical reviews, improves traceability, and positions organizations to transition smoothly into IEC 60601-1, 4th Ed. expectations without disrupting active development or testing programs.

Who should attend: Ideal for medical device, diagnostic equipment, and drug-device combination innovators; R&D teams including design, systems, and software engineers; RA/QA professionals; and risk management specialists. Also valuable for test laboratories, consultants, auditors, and technical reviewers from auditing or certification organizations supporting IEC 60601 compliance, verification testing, and regulatory submissions.

Learning objectives: 

  1. Understand how a well-built Conformity Evaluation Plan (CEP) and Conformity Evaluation File (CEF) organizes all applicable IEC 60601 requirements using the 4th Ed. categorization approach and drives systematic conformity evaluation.

  2. Apply the Conformity Evaluation File (CEF) structure to support test planning, constructional review of device design and labeling, verification testing, and related QMS-driven compliance activities.

  3. Trace hazards to requirements and evidence, linking risk management outputs to specific IEC 60601 clauses, test methods, labeling elements, and documentation within the CEF.

  4. Assemble and review CEF content in a way that clearly demonstrates fulfilment of requirements for manufacturers, test laboratories, technical reviewers of auditing organizations, and regulators.

  5. Prepare for IEC 60601-1, 4th Ed. expectations by aligning current compliance practices with the evolving CEF and CEP concepts without disrupting active development or testing programs.

Naveen Agarwal

Creative Analytics Solutions

Principal & Founder

Workshop (Attendance Limited to 25)

Using ChatGPT to Analyze Device Recalls and Adverse Events

Description:  Recalls are an unfortunate reality in MedTech. But every recall starts as a faint signal buried in post-market data. The challenge is detecting it before patients are harmed.

Databases like FDA MAUDE contain millions of reports, yet most analyses rely only on structured fields such as Device Problem or Patient Problem. The real insight often hides in the narrative - what the clinician observed, what the device did, what went wrong.

Large Language Models (LLMs) such as ChatGPT can analyze this text at scale, revealing hidden patterns traditional tools miss. Using the WATCHMAN TruSeal recall as a case study, this four-hour workshop shows how QA/RA and risk professionals can combine expert judgment with ChatGPT Plus (GPT-4 Turbo) to detect weak signals, trace root causes, and convert narrative data into actionable safety intelligence.

Who should attend: Ideal for QA/RA leaders, post-market surveillance and vigilance teams, and risk or CAPA professionals seeking practical ways to analyze unstructured data. Also valuable for clinicians, engineers, and educators exploring how AI can strengthen recall analysis and risk assurance under FDA’s QMSR framework.

Learning objectives: 

  1. Frame analytical problems and develop an analysis plan

  2. Prepare and validate data for ChatGPT use

  3. Identify hidden patterns and insights

  4. Link adverse-event narratives to recalls

  5. Gain hands-on practice with reproducible workflows

     

Pre-requisites: 

  • Active ChatGPT Plus subscription

  • Basic Excel or CSV skills (no programming required)

Significance & Take-Home Value: 

Participants will learn to use ChatGPT not as automation but as a thinking partner - enhancing analytical depth, reproducibility, and cross-functional learning. The workflow is immediately transferable to other devices, CAPA reviews, and PMS programs, supporting FDA’s QMSR focus on proactive, risk-based assurance and data-driven decision-making.

Fubin Wu

GessNet

Co-founder & President

Tutorial

How to Demonstrate Safety to Regulators: Turning Risk Files into a Clear, Credible Safety Story

Description: Risk management documentation can run to hundreds of pages or thousands of table rows; instead of persuading reviewers, it often overwhelms them. It isn’t the volume that convinces, it’s the clarity, completeness, and quality of the argument. Regulators want a logically structured, evidence-backed explanation that your device is safe and effective for its intended use.

This workshop shows how to transform the ISO 14971 risk-management file into a concise safety story using the principles of the safety assurance case method. We’ll introduce the core elements, then demonstrate the method on a real-world case study that shows how risk management outputs can be woven into a review-ready narrative. We’ll unpack what reviewers actually scan for, such as logical structure, completeness, traceability, proportionality, and context with rationale, and build an illustrative safety case live.

Attendees leave with a first-principles understanding, reusable templates, and review checklists aligned to FDA expectations and reviewer practice, plus a short research-program case study on how the method guides emerging technologies and produces regulator-ready documentation even as regulatory requirements evolve. This workshop is designed for teams that want to reduce back-and-forth, right-size documentation, increase effectiveness, and shorten review timelines.

Who should attend: RA/QA, risk management, systems & software engineers, human-factors, clinical, and innovators.

Learning objectives: 

  • Explain first-principles foundations of safety.

  • Convert risk management outputs into a safety story.

  • Make risk-management information comprehensive, convincing, and proportionate—without unnecessary volume.

Tina Krenc

KTA Compliance Consulting

Principal

Workshop

Design Changes: How Much Risk Re-Evaluation Is Enough?

Description:  Design changes are a normal and necessary part of the medical device lifecycle. Whether driven by supplier changes, manufacturing improvements, component obsolescence, or new features, each change raises an important question: what needs to be re-evaluated to ensure patient safety and regulatory compliance?

ISO 13485:2016 requires manufacturers to assess the impact of design changes on risk management inputs and outputs, while ISO 14971 emphasizes the need to re-evaluate residual risk and existing risk controls when new information emerges during production and post-production activities. Translating these requirements into a clear, practical approach can be challenging, especially when risk management files are complex and changes are not obviously safety related.

This interactive workshop is designed to make design-change risk assessment approachable, practical, and repeatable. Participants will learn how to tailor their evaluation through a guided, structured methodology to decide:

  • which elements of the risk management file should be reviewed

  • how deep the review should go

  • how to right-size the effort based on the potential impact on product performance and patient safety

The session includes small-group, hands-on exercises using realistic change scenarios, some inspired by situations that have led to recalls or FDA warning letters. Working together, participants will practice: 

  • asking the right questions during change review 

  • identifying relevant risk management elements

  • documenting risk-based decisions with confidence

Attendees will leave with practical tools, decision frameworks, and a clearer understanding of how to establish a sustainable, risk-based approach to evaluating design changes across the product lifecycle.

Who should attend: Risk management file managers, quality assurance, regulatory affairs, change review board participants, R&D and on-market technical support individuals who may be responsible for initiating design changes.

Learning objectives: 

  • Identify which elements of the risk management file are impacted by different types of design changes.

  • Determine how specific changes affect risk management inputs and outputs and existing control measures.

  • Apply a structured, risk-based decision process to scope the depth of assessment and documentation needed for design changes.

  • Document design change evaluations in a clear, defensible way for audits, inspections, and internal reviews.
     

Christie Johnson

Prodct Studio Inc.

COO

Devon Campbell

Prodct Studio Inc.

CEO

Workshop

The AI-Powered MedTech Professional

Description:  AI tools are already changing how medical device professionals work, but many teams struggle to use them in ways that genuinely support sound risk management. This workshop focuses on how to work with AI as a thinking partner in safety-critical contexts, rather than treating it as a shortcut or a black box.
Participants will learn how to structure inputs, guide AI reasoning, and critically evaluate outputs when working with common risk artifacts such as FMEAs, URRAs, and Risk Traceability Matrices. The emphasis is on learning how to prompt and interact with AI in ways that produce useful, defensible results across different platforms.
The workshop follows a progressive structure: grounding in core risk concepts, hands-on practice with AI interaction and prompting, and a realistic end-to-end example reflecting real medical device development challenges. The focus remains on judgment, validation, and decision-making, not automation for its own sake.

Who should attend: This workshop is intended for medical device and diagnostic professionals involved in risk management, quality, product development, or regulatory activities, including engineers, quality and safety professionals, risk managers, and technical leaders. It is especially relevant for teams early in development, as well as those working in small or resource-constrained organizations exploring how AI can support rigorous safety work.


No prior AI experience is required.

Learning objectives: 

After this workshop, participants will be able to:
•    Understand how AI can responsibly support medical device risk management
•    Interact with AI tools using structured inputs and effective prompting
•    Use AI to support analysis across common risk sources and Risk Traceability Matrices
•    Critically evaluate AI-generated risk content for safety-critical use

 

John Thomas, PhD

MIT - Systems Engineering Laboratory

Co-Director

Brent Bailey, PhD

8i Robotics, Inc.

Systems Engineer

Workshop

Proactive System Safety for Medical Devices Using STPA

Description:  Traditional hazard analysis methods often struggle with today’s increasingly software-intensive, automated, and user-interactive medical devices. System-Theoretic Process Analysis (STPA) offers a powerful way to analyze safety at the system level, focusing on control actions, feedback, and human–automation interaction rather than isolated component failures.


This 4-hour workshop introduces participants to the fundamentals of STPA and applies them to a medical device concept and its requirements. We will focus on modeling operator control actions, device feedback, and automation behaviors, and on identifying effective ways to enforce safe behavior within these interactions. Participants will see how early requirements analysis, supported by STPA, can reveal missing or unclear system requirements related to human interaction, automation logic, and interface behavior before they become latent hazards.


The session is highly interactive. After a brief introduction to STPA and the medical device example, attendees will work in small groups, under instructor guidance, to model system control loops, identify unsafe control actions, develop safety constraints, and analyze potential loss/harm scenarios. Along the way, we will discuss efficient strategies for integrating STPA results into requirements, design decisions, and risk management documentation.


Participants will leave with practical, hands-on experience applying STPA to a realistic medical device scenario, along with a clearer understanding of how proactive system safety analysis can strengthen device requirements, improve collaboration between engineering and safety teams, and reduce the likelihood of hazardous system behavior in real-world use.

Who should attend: Systems, software, and hardware engineers; risk management practitioners; human factors and usability specialists; safety and reliability engineers; and RA/QA professionals involved in requirements, architecture, or safety analysis for medical devices or MedTech systems.

Learning objectives: 

  • Understand the core concepts of STPA and how it differs from traditional hazard analysis methods.

  • Model control loops involving operators, device feedback, and automation to identify unsafe control actions.

  • Derive safety constraints and analyze loss/harm scenarios that inform system and interface requirements.

  • Apply STPA results to strengthen requirements and support risk management activities for medical devices.
