Independent principal engineer • MedTech

I'm Wayne Larson, a principal engineer who helps MedTech teams that need faster progress, stronger compliance, and lower program risk.

  • Cybersecurity and V&V support
  • Risk management for regulated products
  • FDA readiness for demanding timelines
  • Maple Grove, MN
  • Independent senior-level support

    Consulting Services

    Principal-level engineering support for high-risk MedTech programs

    Focused, regulator-ready interventions that stabilize programs, close compliance gaps, and provide decision-grade technical clarity.

    MedTech Cybersecurity Gap Assessment

    Identify critical control gaps, threat exposure, and regulatory liabilities with a prioritized remediation roadmap tailored to device risk class and intended use.

    FDA / SW96 Readiness Review

    Benchmark submissions against current FDA cybersecurity expectations and SW96 guidance, highlighting gaps that could delay clearance or trigger additional scrutiny.

    Security Risk Management Remediation

    Repair incomplete risk files, tighten threat models, and align mitigations with IEC 62304/82304 and FDA expectations for traceable cybersecurity controls.

    Software / System V&V Rescue

    Stabilize verification and validation plans, resolve coverage gaps, and produce audit-ready evidence without derailing program timelines.

    Independent DHF / Design Assurance Review

    Senior-level audit of design history files, traceability, and design controls to surface compliance risk before external inspections.

    Technical Due Diligence

    Provide investor-grade technical assessments, risk summaries, and remediation priorities to inform acquisition, investment, or partnership decisions.

    Fractional Principal Engineer Support

    Embed senior engineering leadership for critical phases, offering independent guidance that aligns stakeholders, regulators, and delivery teams.

    Best‑fit situations

    When a principal‑level MedTech engineer is most valuable

    Diagnostic scenarios where independent, regulator‑ready depth stabilizes programs, strengthens evidence, and closes risk exposure.

    Fragmented cybersecurity work streams

    • Threat modeling, SBOM, and vulnerability handling are occurring, but not integrated into system safety or design controls.
    • Evidence is scattered across tools with no cohesive rationale for FDA or customer review.

    Weak V&V evidence or late verification surprises

    • Verification reports don’t trace cleanly to requirements, hazards, or intended use.
    • Test results exist, but the story for risk control effectiveness is thin or inconsistent.

    Poor linkage across architecture, hazards, controls, and verification

    • Architecture diagrams, risk files, and test plans don’t map to each other.
    • Design assurance review reveals gaps in traceability and control rationale.

    Late or pressured Class II / III programs

    • Submission timelines are tightening and “good enough” evidence is creeping in.
    • Leadership needs a clear remediation path without destabilizing the plan.

    Need for independent expert review

    • Regulators, auditors, or investors require an outside assessment of readiness.
    • Internal teams need an objective voice to align on risk and evidence gaps.

    Principal‑level MedTech depth required

    • Program needs senior engineering leadership without adding permanent headcount.
    • Hands‑on leadership required across software, systems, cybersecurity, and risk.

    If two or more of these scenarios sound familiar, a short assessment can clarify evidence strength, regulatory exposure, and remediation path.

    Start an assessment

    Why clients hire Wayne Larson

    Independent principal engineering judgment when the stakes are highest

    Clients engage Wayne to stabilize complex, high-risk medical device programs and deliver regulator-ready evidence. Every engagement is structured to reduce uncertainty, sharpen technical decisions, and prepare teams for scrutiny.

    Engineering-first cybersecurity

    Threat modeling, architecture review, and evidence packages aligned to FDA and SW96 expectations—without diluting delivery velocity.

    Depth with active implantable & critical devices

    Experience in high-consequence systems brings rigor to safety, reliability, and clinical risk trade-offs.

    Class II/III FDA-regulated expertise

    Hands-on with audit-ready documentation, gap closures, and regulatory strategies that stand up under review.

    Integrated V&V, risk & design assurance

    Brings verification, validation, risk management, and design assurance together into one cohesive delivery plan.

    Troubled program stabilization

    Rapid triage, root-cause clarity, and structured remediation for programs that need to regain momentum fast.

    Independent scrutiny before submissions

    Objective technical judgment ahead of submissions, audits, CAPAs, or diligence to prevent late-stage surprises.

    Selected Proof Points

    Credibility highlights grounded in regulator-ready execution

    Focus areas

    • FDA-aligned cybersecurity strategy, SW96 readiness, and lifecycle integration.
    • Verification & validation stabilization, risk management remediation, and design assurance.
    • Regulatory execution support across U.S. and international submissions and responses.

    Provisioning models aligned to FDA & SW96 expectations

    Established provisioning frameworks that map cybersecurity controls, risk management artifacts, and verification evidence to regulator-ready expectations without adding unnecessary overhead.

    Cybersecurity integrated into lifecycle engineering

    Embedded threat modeling, vulnerability management, and secure design practices into development workflows to support durable compliance and post-market readiness.

    Leadership through remediation & investigations

    Guided cross-functional teams during high-risk V&V recoveries, CAPA execution, and root-cause investigations with a bias toward clear traceability and defensible outcomes.

    U.S. and international regulatory execution

    Supported submissions, deficiency responses, and harmonized documentation across FDA, EU MDR, and global markets to keep programs moving with minimal disruption.

    Need evidence-backed support on a high-risk MedTech program? Select a quick assessment to align scope, timing, and regulator-facing expectations.

    Request a consultation

    Representative clients & organizations

    Trusted by regulated MedTech teams and technical investors

    Independent principal-level support for stabilization, verification, cybersecurity, and regulatory readiness across flagship OEMs and emerging innovators.

    What this represents

    • Flagship device OEM programs and global quality organizations
    • High-growth OEMs bringing first-of-kind platforms to market
    • Consulting partners and investor-side diligence teams

    • Medtronic
    • Boston Scientific
    • Johnson & Johnson
    • Emerging OEMs in Class II/III portfolios
    • Engineering & regulatory consulting firms
    • Investor-side diligence teams

    Specific engagements available upon request, subject to confidentiality obligations.

    Request a reference discussion

    Domain Depth

    Regulated MedTech expertise with security-first rigor

    Principal-level engineering coverage for high-stakes programs: cybersecurity, software/system verification, risk management, and design assurance aligned to global regulatory expectations.

    Cybersecurity • V&V Rescue • Risk Management • Design Assurance

    Medical Device Domains

    • Networked and connected medical device cybersecurity programs.
    • Software verification & validation planning, execution, and remediation.
    • System-level risk management with clinical and usability impacts.
    • Design assurance reviews for regulator-ready evidence packages.

    Standards & Regulations

    • ISO 13485 quality system alignment and audit readiness.
    • ISO 14971 risk management file structure and controls.
    • IEC 62304 lifecycle, safety classification, and traceability.
    • IEC 81001-5-1 + IEC 62443 cybersecurity requirements.
    • ANSI/AAMI SW96 software lifecycle and cybersecurity guidance.

    Engagement Format

    Clear, low-friction ways to engage

    Choose the structure that best fits your timeline, risk level, and internal capacity. Engagements are designed to be focused, regulator-ready, and easy to initiate without long setup cycles.

    Fixed-fee assessment

    A scoped, time-boxed assessment that identifies risk, compliance gaps, and the fastest path to regulatory readiness.

    Short remediation sprints

    Targeted 2–6 week sprints to stabilize V&V, cybersecurity, or risk management with measurable outcomes.

    Fractional advisory support

    Ongoing principal-level oversight for teams that need senior technical governance without a full-time hire.

    Subcontract consulting

    Available to partner with consulting firms or internal teams to cover deep technical areas, audits, or diligence reviews.

    • White-labeled deliverables as needed
    • Integrates with your process and tools
    • Clear handoff documentation

    Remote or onsite

    Remote-first support with onsite availability for workshops, audits, or critical program milestones.

    • Remote delivery with secure toolchain access
    • Onsite facilitation for high-stakes reviews

    Start with a short intake call

    15–30 minutes to clarify scope, urgency, and the right engagement model. You receive a crisp proposal within days, not weeks.

    Schedule an intake call

    Available engagements

    Independent principal-level support for short, high‑value consulting sprints.

    When a medical device program is under pressure, a focused assessment brings clarity fast. I step in independently to identify root causes, de‑risk regulatory exposure, and define an actionable recovery path that your team can execute with confidence.

    Engagements are scoped for impact: precise, evidence‑driven, and regulator‑ready.

    Recommended starting points

    • Cybersecurity Gap Assessment — align SW96 expectations, threat modeling, and risk controls.
    • V&V Rescue Review — find verification blind spots, traceability gaps, and test coverage issues.
    • Independent Design Assurance Review — objective design history file and risk management scrutiny.
    • Technical Due Diligence — executive‑ready findings for investment or acquisition decisions.

    Why start with a focused assessment?

    It produces a prioritized action plan, confirms regulatory readiness, and gives leadership a defensible basis for scope, budget, and timelines — without disrupting your engineering velocity.