AI as a medical device

Increasingly, more products and services that use AI are being developed and marketed in the healthcare domain. Examples include radiology software that assists the radiologist in the detection of tumors, but also internal cardiac defibrillators (ICD) that detect heart rate patterns and perform targeted interventions, and even algorithms that convert text into structured data.

Marketing products in the healthcare domain is stringently regulated and for good reasons. The safety of patients should always be safeguarded, and the considerations of evidence-based medicine should be upheld in accepting the use of products. Before the radiologist can rely on the tumor detection of a piece of software, it needs to be rigorously tested for performance and reliability. Similarly, before implanting an ICD, it needs to be confirmed that it intervenes at the appropriate times.

Products that have a medical purpose fall under the recently effectuated Medical Device Regulation (MDR). If the product mainly works with data obtained through an in-vitro diagnostic product, then from May 2022 onwards it will fall under the IVDR, the In-Vitro Diagnostic Device Regulation (which is comparable to the MDR).

The MDR regulates which products, including software, are considered a medical device and which are not. This depends on the intended use of the product. If the intended use is for a medical purpose of diagnosis, prevention, monitoring, treatment, alleviation, as well as specific prediction or prognosis of disease and injuries in humans, it is considered as a medical device, irrespective of the type of application. A piece of software can also be considered an ‘accessory’ in case it enables or assists in the medical functionality of some hardware product.

AI as a medical device

Although the MDR does not address the regulation of AI specifically, its intended use can thus determine whether it is categorized as being a medical device or not. However, determining if your software is regarded as a medical device is not an easy task. For that reason, the EU provides guidelines to help you make this decision.

If the AI is considered a medical product, a conformity assessment on the general safety and performance requirements (GSPR) needs to be performed prior to being marketed. This can be done either by self-certification or through a notified body, depending on how much risk is involved. If conformity is demonstrated then the product is CE-marked.

The MDR uses a risk-based system to determine the extent of the requirements using four risk classes:

• Class I products can be self-certified and represent the lowest risk category.
• Class IIa includes software that for instance assists in making decisions for diagnosis or therapy.
• Class IIb products include products that are involved in situations that can cause serious damage to a patient’s health.
• Class III includes products that when they fail can lead to a life and death situation or cause permanent disability.

Requirements for any organization that wishes to market a medical device include the implementation of a sufficient quality management system (QMS). Depending on the risk classification of the products being marketed, and whether it processes medical data, the requirements to this QMS may require compliance to several ISO, IEC or NEN standards. The implementation of such systems can be both costly and time-consuming and requires an upfront investment prior to developing and marketing a product.

After the AI software has been approved, it should remain stable in its performance and it is therefore obligatory to re-certify the software after significant changes are made to it. Although AI models could be implemented such that they learn from experience while being deployed, these are not complying to this stable performance and thus only so-called ‘frozen’ models are currently allowed in clinical use.

Medical devices that use AI will likely process medical data. In that respect, compliance is also required with the General Data Protection Regulation (GDPR). The GDPR applies to EU-based companies when processing personal data as well as any company from all over the world that processes personal data of people living in the EU. The GDPR imposes stricter requirements than the MDR does when it comes to data processing. In the next step, the GDPR will be discussed in more detail.