D4 · Compliance by design

Axis II · D4

Compliance by design

Thesis. Compliance treated as a final phase structurally produces non-compliant systems. Compliance by design is not a slogan but an architectural inversion: regulatory requirements are design constraints, on equal footing with latency or precision.

The distinction that cuts

Documentary compliance vs substantive compliance. The first produces a file; the second produces a system. The first can pass an audit; only the second withstands litigation.

Typical market error

Treating the EU AI Act, MDR/IVDR and GDPR as stacked layers of paperwork, when they share a common grammar (risk analysis, traceability, human oversight, post-market surveillance) that a single architecture can serve. Common consequence: three siloed teams, three redundant files, zero guarantee of integration.

Failure signals

The risk management file (in the ISO 14971 sense) is drafted after architectural freeze. No explicit mapping between a requirement (e.g. EU AI Act art. 14, human oversight) and a testable software component. Technical documentation produced by template copy, never from the actual system. No operational post-market surveillance plan before market release.

References

Regulation (EU) 2024/1689 on AI, progressive entry into application 2025-2027, notably art. 9-15 and Annex IV; Regulations (EU) 2017/745 (MDR) and 2017/746 (IVDR); ISO 14971:2019; IEC 62304:2006/A1:2015; IEC 82304-1:2016; ISO 13485:2016; MDCG 2019-11, 2020-1 and 2025-6 for SaMD; GDPR art. 22, 25, 32, 35.

Ground of implementation

PREDICARE is a territorial programme on a French GHT. It requires a combined reading of MDR (if the score becomes SaMD), GDPR (health research, art. 9-2-j) and the French HDS / MR-004 framework. The documentary architecture is designed before patient enrollment. The instance illustrates multi-framework integration; it does not prove that every territorial deployment must adopt the same partitioning, since SaMD status remains a contextual decision.

Articulation

Inseparable from D5, of which it is the structural form, while D5 is its daily operation. Inseparable also from D6, which conditions its territorial scope.