Costa Rica MedTech Header
Gowned technicians assembling and inspecting medical devices in a clean, modern Costa Rica manufacturing lab.

CPMAI for MedTech: Design Controls for Data and Models

CPMAI wheel showing six phases—Business Understanding, Data Understanding, Data Preparation, Model Development, Evaluation, and Operationalization—arranged in a circular loop with arrows indicating iteration, in a clean blueprint-style layout.

CPMAI for MedTech: Design Controls for Data and Models

AI initiatives often fail for reasons that look familiar to any program leader: unclear goals, mis-scoped solutions, hidden dependencies, and weak validation in real-world conditions. CPMAI (Cognitive Project Management for AI) brings discipline to AI delivery by emphasizing two realities:

  • AI is not traditional software. System behavior is heavily shaped by training data, not only by code.
  • Iteration is core, not optional. Data, requirements, and model performance evolve; the process must explicitly support learning loops.

In MedTech and safety‑critical industries, those two realities collide with additional expectations: risk management, traceability, verification/validation, change control, and post‑deployment monitoring. The value of CPMAI is that it can be framed as “design controls for data & models”. It is a repeatable loop that produces the evidence needed to ship and sustain an AI/ML-enabled system responsibly.

The questions CPMAI forces teams to answer

Before building models, CPMAI pushes alignment on foundational questions:

  • Are we tackling the right problem?
  • Is AI the right solution to that problem?
  • What type/pattern of AI is most appropriate for this use case?
  • What constraints, risks, and success metrics must be explicit from the start?

This is governance done well: forcing clarity early, reducing downstream rework, and creating a repeatable approach across initiatives.


Regulated lens: what changes in MedTech & safety‑critical delivery

In regulated environments, you’re not only trying to “get to a working model.” You’re building a system that must be safe, effective, and maintainable under change.

Key implications:

  • Risk management is continuous: hazards, misuse, foreseeable use, drift, and failure modes must be tracked across iterations.
  • Traceability is mandatory: intended use → requirements → data → model → V&V → deployment controls (and back).
  • Change control must include data & retraining: model updates can be design changes; dataset changes can alter behavior.
  • Post‑deployment monitoring is part of validation: real‑world performance and safety signals feed CAPA/continuous improvement loops.

CPMAI as an iterative wheel (6 phases)

CPMAI is best visualized as a circular process: after each cycle, teams return to Business Understanding and iterate as requirements and data change.

To make this MedTech‑ready, think of each phase as producing two outputs:

  1. delivery alignment (execution clarity), and
  2. objective evidence (design-controls / safety case inputs).

Phase 1 — Business Understanding

Get clear on goals and requirements and align them to AI abilities.

Delivery lens

  • Define measurable outcomes (value, risk, user impact).
  • Establish scope boundaries and “what success looks like.”
  • Confirm feasibility: where AI adds advantage vs. traditional rules/software.

Regulated outputs (objective evidence)

  • Intended use & indications-for-use statement (and limitations)
  • High-level safety classification rationale & constraints
  • Initial hazard analysis inputs and acceptance criteria

Why they map to Phase 1

In regulated and safety-critical work, everything downstream (data, model choice, evaluation design, monitoring thresholds) must trace back to a clear intended use and measurable success criteria.

This is the anchor for benefit–risk framing: what harm are you preventing, what errors are tolerable, and where must the system abstain/escalate?

Phase 2 — Data Understanding

Once we have established clear objectives and a specific need for AI, we determine the data needs for the AI project.

Delivery lens

  • Inventory available data sources and owners.
  • Identify gaps, bias risks, and privacy/security constraints.
  • Define target data coverage and quality thresholds.

Regulated outputs (objective evidence)

  • Data provenance & governance (ownership, access, retention)
  • Representativeness assessment (population / sites / device variants)
  • Bias assessment plan and privacy/security constraints

Why they map to Phase 2

Before you “clean anything,” you need to prove you understand what the data actually represents and where it will break. In MedTech, representativeness is an early driver of safety risk (bias, undersampling edge cases, site/device variability).

Phase 3 — Data Preparation

We ensure that we have quality data that can provide reliable results.

Delivery lens

  • Treat data prep like a critical workstream (not a side task).
  • Build repeatable pipelines for cleaning, labeling, and versioning.
  • Capture evidence: data lineage, transformations, and assumptions.

Regulated outputs (objective evidence)

  • Dataset versioning and “frozen” datasets for verification/validation
  • Labeling protocol (incl. reviewer guidance) and agreement checks where applicable
  • Data lineage and transformation records (reproducibility)

Why they map to Phase 3

This is where “data as a controlled artifact” becomes real: you define exactly what data version produced what model.

For safety-critical systems, labeling and preprocessing are part of the product behavior. If they change, the model can change. therefore they require control and repeatability.

Phase 4 — Model Development

Before we implement a single model, we’ve defined the business understanding, data understanding, and data prep to setup success so when we’re ready to implement, things are aligned.

Delivery lens

  • Model work becomes less speculative when upstream alignment is strong.
  • Maintain traceability between business goals → evaluation criteria → model choices.
  • Plan for retraining triggers and model drift early.

Regulated outputs (objective evidence)

  • Model specification and rationale (including interpretability expectations)
  • Traceability links: requirements ↔ evaluation criteria ↔ model behavior targets
  • Reproducible training pipeline definition (inputs, parameters, outputs)

Why they map to Phase 4

The key safety-critical move is to prevent “model-first” building. Instead, model development must be constrained by upstream requirements and downstream verification.

This is also where you establish how the model will be reproduced (training pipeline definition), which supports change impact analysis later.

Phase 5 — Evaluation

We test our AI solution in the real world.

Delivery lens

  • Validate performance in realistic scenarios (not just offline benchmarks).
  • Confirm stakeholder acceptance and usability.
  • Explicitly test failure modes, edge cases, and operational risk.

Regulated outputs (objective evidence)

  • Verification & validation plan aligned to intended use and risk
  • Robustness/edge-case testing and defined performance bounds
  • Evidence package for benefit–risk and human factors where applicable

Why they map to Phase 5

For MedTech/safety-critical contexts, evaluation is not “accuracy once.” It’s evidence that the system meets acceptance criteria under realistic conditions and known failure modes.

Robustness testing is where you prove safe behavior boundaries (and define escalation/abstention rules).

Phase 6 — Operationalization

Once we know that the AI system can deliver the promised value, we figure out how to run the AI system in the real world.

Delivery lens

  • Define monitoring, retraining cadence, and incident response.
  • Operationalize SLAs, governance, and change control.
  • Build the feedback loop so the system improves as data and needs evolve.

Regulated outputs (objective evidence)

  • Monitoring plan (drift, safety signals, performance by subgroup/site/device)
  • Retraining/change control procedure (approval gates + rollback plan)
  • CAPA triggers and post‑market surveillance linkage (complaints → signals → action)

Why they map to Phase 6

In regulated environments, the “validated state” has to be maintained. Monitoring is how you detect when reality diverges from what was validated.

CAPA/change control makes iteration safe: it turns learning loops into governed loops.

Change-control flowchart showing monitoring, triage, impact analysis, retraining, re-validation, approval, deployment, and rollback paths in a loop.
Controlled iteration: retraining under change control.

Iteration principle

Because CPMAI is an iterative loop, after each cycle of AI development, we come right back to the start of the CPMAI cycle at Business Understanding, iterating the AI system to continue to meet evolving requirements.


MedTech example: automated visual inspection in manufacturing

System schematic showing camera and fixture feeding preprocessing and a vision model, producing pass/fail/review decisions with operator review and QMS/CAPA records.

A concrete example that fits CPMAI well is computer-vision inspection of critical components (e.g., detecting defects in molded parts, assemblies, or packaging integrity).

  • In Business Understanding, define what constitutes a critical defect, acceptable false-negative risk, and how humans remain in the loop.
  • In Data Understanding/Preparation, ensure training images represent shifts across lots, lighting, fixtures, camera changes, and operators.
  • In Evaluation, test performance under controlled stressors (blur, glare, occlusion) and define when the system must abstain/escalate.
  • In Operationalization, monitor drift (camera calibration changes, material lots) and define retraining gates as controlled changes.

AI lifecycle controls: data is a controlled artifact

Blueprint-style diagram showing two parallel AI pipelines where the same model code produces different model versions when trained on different dataset versions, with change control and monitoring gates.

A software application can often stay the same even if the data changes. But in AI, you feed new data into the same model code and it behaves differently. That makes data both the power and the risk.

From a safety‑critical program perspective, this means:

  • Data readiness is a leading indicator of schedule and quality risk.
  • Evidence must include data evidence, not only code/test artifacts.
  • Change control must include retraining, dataset refreshes, and pipeline updates.
  • Continuous evaluation is part of operations, not just pre-release testing.

CPMAI extends Agile or established project management practices with the lifecycle controls AI requires: data discipline, evaluation rigor, and explicit iteration.


Intended use & ML pattern: scoping the validation burden

When we say “AI,” we could mean very different systems with different risk profiles, costs, and data needs. Categorizing the solution into recognizable patterns (conversational systems, recognition, anomaly detection, predictive analytics, hyperpersonalization, autonomous systems, goal-driven optimization) helps teams right-size:

  • the data strategy,
  • the evaluation metrics and validation depth,
  • the governance and monitoring burden,
  • and the operational controls required for safe change.

We will talk about this in a later article since it grants a more detailed explanation.


Summary

CPMAI provides a disciplined, repeatable way to deliver AI solutions by treating them as iterative, data-centric systems. In MedTech and safety‑critical industries, the strongest framing is design controls for data + models: make the hidden work explicit (data + evaluation + operations), generate objective evidence across iterations, and ensure changes remain safe, effective, and governed at scale.

Leave a Reply

Managing Change in Regulated MedTech Software

🧭 TL;DR Who this article is for This article is for MedTech project managers, product managers, software leads, QA/RA, systems engineers, cybersecurity leads, and supplier-quality partners working with regulated software, SaMD and SiMD, connected devices, or hybrid medical-device programs. It is especially useful for teams trying to reconcile two pressures that often feel opposed: How…

Stakeholder Management in MedTech

Stakeholder management in MedTech is not a “soft skill.” It is part of the design-control and risk-control system that determines whether a product can be safely released, adopted, supported, and defended with objective evidence. This article is MedTech-first and experience-based. In regulated medical software, stakeholder management is not just communication. It is how expectations become…

Unpacking the Project Performance Domains

Project performance domains are one of those concepts that sit quietly underneath everything in modern project management: they’re not a “method,” but they often determine whether the work is coherent, repeatable, and value-realizing. I’m writing this from the perspective of a program manager in high‑stakes engineering (MedTech and other regulated environments). I started learning with…

From Sand to Silicon: Semiconductor Materials, Purification, Wafers, Films, and Dopants

Semiconductors are one of those fields where materials science and electronics meet in the most practical way: what a material is (and how clean, ordered, and intentionally “imperfect” it can be made) ultimately determines what circuits can do. I’m writing this series as an electronics engineer, and because earlier in my career I had the…

Agile in regulated medical device software: what TIR45:2023 really added

I believe in starting an Agile roadmap from an agnostic Agile perspective. I focus on the outcomes. I focus on flow. I focus on learning. I do this in any industry. I do it even more in safety-critical industries. That is why I paid close attention to the updates in AAMI TIR45:2023. This update matters.…

Laura López: The Economist Behind Costa Rica’s MedTech Boom

Laura López: The Economist Behind Costa Rica’s MedTech Boom You may know that Costa Rica has become a MedTech powerhouse but do you know that behind all these engineers and managers there is an economist thought leader helping shape the conditions for this economic miracle in the Americas? Laura López, CEO of PROCOMER (Costa Rica’s…

Something went wrong. Please refresh the page and/or try again.

Discover more from Costa Rica MedTech

Subscribe now to keep reading and get access to the full archive.

Continue reading