Pre-Conference Day

A practical, end-to-end walkthrough of how regulated medical device software is actually built, controlled, and monitored in the real world. Participants will move chronologically through the product lifecycle, connecting design controls, risk management, and post-market activities into one continuous system

• Walk through the full software lifecycle, from intended use and design controls to risk management, V&V, change control, and post market surveillances show how each stage connects and shapes regulatory expectations
• Use hands-on exercises and scenario-based discussions to practice drafting design inputs, risk tables, and change assessments while exploring how AI, automation, and real-world data influence control strategies
• Give attendees a clear mental model of an end-to-end lifecycle, practical examples of strong documentation and traceability, and confidence in building processes where quality and compliance are integrated throughout development
• Extend these principles to ML/AI-enabled devices, demonstrating how design controls, risk management, validation, monitoring, and change management are adapted for adaptive algorithms and continuously learning systems

Closing Question: How do you apply design controls & do you even apply design controls to non-medical device software?

Interactive, scenario-based working session combining short expert framing talks with small-group exercises. Attendees work through a realistic device scenario and leave with a reusable threat modeling and security design framework

• Step-by-step walkthrough of how to build a regulator-ready threat model and map real cybersecurity risks to concrete security architecture decisions for a connected medical device
• Practical guidance on linking threats, controls, and verification evidence so cybersecurity work is clearly traceable and defensible in FDA submissions
• Attendees leave with a repeatable framework and documentation approach they can apply immediately to strengthen their own device security design and reduce regulatory pushback

A collaborative simulation where participants design and test autonomous AI agents, exploring how goals, constraints, and decision making logic shape system behavior.

• Teams confront a realistic scenario where an autonomous AI agent can write code, review PRs, run tests, and respond to cyber threats, forcing them to decide what actions they’re truly comfortable delegating
• Participants break into governance style groups (engineering, V&V, regulatory, cybersecurity, and patient safety) to define guardrails around autonomy, validation, documentation, risk, and oversight across the SDLC
• Live “curveballs” expose failure modes and challenge assumptions, culminating in a cross-discipline debate on what to allow, forbid, or reconsider, revealing blind spots and making agentic AI risks tangible
• Decide whether autonomous AI agents are advantageous in comparison to classic AI/ML models (such as Co-pilot)

Closing Question: In 5 years, which of today’s ‘absolutely not’ decisions will sound overly cautious?