Regulation and standardization of AI in healthcare

AI potentially introduces new risk that is not currently addressed within the current portfolio of standards and guidance for software

As further advancements are made with AI technology, regulators may consider multiple approaches for addressing the safety and effectiveness of AI in healthcare, including how international standards and other best practices are currently used to support the regulation of medical software, along with differences and gaps that will need to be addressed for AI solutions. A key aspect will be the need to generate real world clinical evidence for AI throughout its life cycle, and the potential for additional clinical evidence to support adaptive systems.

In the last ten years, regulatory guidance and international standards have emerged for software, either as a standalone medical device or where it is incorporated into a physical device. This has provided requirements and guidance for software manufacturers to demonstrate compliance to medical device regulations and to place their products on the market.

However, AI potentially introduces new risk[1] that is not currently addressed within the current portfolio of standards and guidance for software. Different approaches will be required to ensure the safety and performance of AI solutions placed on the market. As these new approaches are being defined, the current regulatory landscape for software should be considered as a good starting point.

In Europe, the Medical Device Regulation (MDR) and In Vitro Diagnostic Regulation (IVDR) include several generic requirements that can apply to software. These consist of the following:

• general obligations of manufacturers, such as risk management, clinical performance evaluation, quality management, technical documentation, unique device identification, postmarket surveillance and corrective actions;
• requirements regarding design and manufacture, including construction of devices, interaction with the environment, diagnostic and measuring functions, active and connected devices; and
• information supplied with the device, such as labelling and instructions for use.

In addition, the EU regulations contain requirements that are specific to software. These include avoidance of negative interactions between software and the IT environment, and requirements for electronic programmable systems.

In the U.S., the FDA recently published a discussion paper[2] for a proposed regulatory framework for modifications to AI/machine learning-based SaMD. It is based upon practices from current FDA premarket programs, including 510(k), De Novo, and Premarket Approval (PMA) pathways. It utilizes risk categorization principles from the IMDRF, along with the FDA benefit-risk framework, risk management principles in the software modifications guidance, and the Total Product Life Cycle (TPLC) approach from the FDA Digital Health Pre-Cert program.

Elsewhere, other countries are beginning to develop and publish papers relating to regulatory guidance. In China, the National Medical Products Administration (NMPA)[3] has produced a guideline for aided decision-making medical device software using deep learning techniques. Japanese and South Korean regulatory bodies have also published guidance for AI in healthcare.

This is an excerpt from the BSI/AAMI white paper: Machine learning AI in medical devices: adapting regulatory frameworks and standards to ensure safety and performance. To browse our collection of medical device white papers, please visit the Insight page on the Compliance Navigator website.