It feels like in the past couple of years, everyone has been talking about AI! But is it about time the Regulations caught up with the ever evolving and advancing medical device technologies.
The AI Act 2024/1689 is a legal Framework on Artificial Intelligence, which follows a risk-based approach, approved in May 2024.
It provides legal certainty and ensures the protection of fundamental rights. The AI Act aims to promote development and innovation of safe and trustworthy AI, while encouraging its uptake across the EU in both the private and public sectors. Innovation encourages the use of AI regulatory sandboxes, which enable a controlled environment for development, validation and testing in real world conditions.
Who does it apply to?
The AI Act applies to providers, deployers and economic operators of AI within and supplying into the EU, which currently is not applicable to the UK or US markets. Each region should be checked to see which AI legislation or rules are applicable during the regulatory planning.
What does this mean for AI Medical Devices?
Under Article 3, AI is defined as:
“’AI system’ means a machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments.”
First, you need to understand if your Software as a Medical Device (SaMD) falls under this definition and whether the AI Act is applicable to your device.
AI devices are classified based on Risk – Low Risk, High Risk or Unacceptable Risk. Under Article 6 of the AI Act, medical devices with AI fall within the scope of a High Risk AI System.
As a manufacturer, what does this mean for me?
The AI Act is a horizontal legislation, meaning it will be used in addition to the EU Medical Device Regulation (MDR) 2017/745 – and both regulations will need to be considered for medical devices that contain an AI function determined under the medical device definition.
All the EU MDR requirements will still need to be followed, but additional AI Act ones will also need to be considered and implemented during your regulatory planning.
At LFH Regulatory we appreciate this can be overwhelming, so we have created a useful table to help outline the similar requirements, and the differences between both regulations:
| Requirement | EU MDR 2017/745 | EU AI Act 2024/1689 |
| Quality Management System | ✔ | ✔ |
| Risk Management | ✔ | ✔ |
| Data Governance | X | ✔- NEW |
| Documentation Keeping | ✔ | ✔ |
| Automated generated logs | X | ✔- NEW |
| Technical Documentation | ✔ | ✔ |
| Cooperation with competent authorities | ✔ | ✔ |
| Post Market Surveillance | ✔ | ✔ |
| Corrective action and duty of information | ✔ | ✔ |
| EU Authorised representative | ✔ | ✔ |
| Conformity Assessment | ✔ | ✔ |
| Human Oversight | X | ✔- NEW |
| Transparency and provision of information to deployers | ✔ | ✔ |
| Accuracy, robustness and cybersecurity | ✔ | ✔ |
| Accessibility requirements | NEW | ✔- NEW |
| EU Declaration of conformity | ✔ | ✔ |
| EU AI Database registration | X | ✔- NEW |
| CE Mark | ✔ | ✔ |
| GSPRS | There is no GSPR requirement in the AI Act but the EU MDR GSPR list still needs to be followed. | |
With all this in mind, you may be asking – what standards do I need to follow?
There is a lot to consider and complying with the latest standards is one of them. Below are some of the standards you should be considering when conforming to the AI Act:
• Harmonised medical device standards are still to be complied to such as ISO 13485 Quality Management Systems for Medical Devices and ISO 14971 Risk Management for Medical Devices.
• Guidance document ISO TR 34971 for the Application of ISO 14971 to machine learning in artificial intelligence is a useful tool to have.
• As the product would be SaMD, IEC 62304 Medical Device Software – Software Lifecycle Processes should still be followed.
• EU GDPR, ISO 27001 should be considered for information security, and ISO 27002 for cybersecurity.
It’s not all that straight forward though. There are various AI specific standards under development which might be applicable to your medical device and that should be considered while regulatory planning to see if they are required. This is to be done on a case-by-case basis. Standards include guidance on accuracy, robustness and trustworthiness. See: ISO/IEC JTC 1/SC 42 – Artificial intelligence
AI Act Timeline and Key Dates
So far, you’ve identified that you are an AI medical Device Manufacturer – but do you know when everything has to be in place by?
• The key date is 2nd August 2027. This is when High-risk systems, including AI Medical Devices must comply with the requirements of the AI Act.
Here is a timeline explaining the journey from approval through to transition…
Things that still need clarifying…
With the legislation still being new, and not created with medical devices in mind, there are some outstanding queries, for example:
• Devices covered by the EU MDR or EU IVDR, the conformity assessment of the EU MDR or IVDR (as required) should be followed. This includes an assessment of technical documentation and quality management system (Article 43.3 of the AI Act).
• It is unclear if the ISO 13485 QMS is adequate for AI compliance or if manufacturers need to comply to ISO AI Management System for notified body conformity assessment.
• A new conformity assessment must be conducted in the event of every substantial modification (as medical device is a high risk AI; Article 43.4 of the AI Act). This would require manufactures to implement a system for predetermined changes, perhaps similar to the Predetermined Change Control Plans (PCCP) set out by the FDA. PCCP is a process describing what modifications will be made to a device and how the modifications will be assessed. How changes are to be managed by AI medical device manufacturers complying to the AI Act, and if it is even applicable, is still a mystery.
Other Considerations
Now, in this short post, we couldn’t cover everything on AI Medical Devices. Here are some questions you may be thinking:
• What is the UK’s or USA’s stance on AI as a Medical Device?
• What about Large Language Models like ChatGPT and similar – can these be approved as medical devices?
• What about Generative AI?
• Are Medical Scribes Medical Devices?
The AI Act is a much-needed regulation with the med-tech industry is keen to bring more AI enabled medical devices to the EU market. There are still lots of unanswered questions and very interesting discussions to be had around this subject.
How can LFH help?
The AI and Machine Learning as a medical device landscape is vastly growing and changing, and as you can see, there can be quite a bit to follow.
• We keep up to date will all the regulations and guidance documents within the AI and Machine Learning as a medical device landscape.
• Speak to your Notified Bodies to answer the outstanding questions.
• Develop regulatory strategies, and tailored, compliant solutions for your business.
• Develop all required technical documentation for your business.
We can make the regulations simple for you. Get in touch today
