Introduction

In recent years, the use of Artificial Intelligence (AI) and Machine Learning (ML) in Software as a Medical Device (SaMD) has grown substantially, presenting both opportunities and regulatory challenges. Regulators, including the FDA, have been working to adapt existing medical device regulations to accommodate the dynamic nature of AI/ML-based devices. At the same time, cybersecurity concerns have become increasingly significant, as AI/ML-based devices require robust security measures to protect patient data and ensure safe operation.

Recently, an interesting article was published in Digital Medicine, The need for a system view to regulate artificial intelligence/machine learning-based software as medical device, which describes well the obstacles to applying the current FDA regulations to AI/ML-based medical devices.

One of the first AI-based medical devices able to perform a diagnosis was IDx-DR, an AI diagnostic system that detects signs of diabetic retinopathy in retinal images.

Challenges for Regulatory Compliance

One of the most pressing regulatory challenges for AI/ML-based medical devices is managing device modifications. Unlike traditional medical devices, AI/ML systems inherently evolve over time, improving performance through continuous learning from new data. This capability, while advantageous, raises concerns for regulatory bodies such as the FDA, which mandate strict control over device modifications, particularly those affecting performance, safety, or intended use. In cybersecurity terms, evolving AI/ML systems also introduce new vulnerabilities, as software updates and learning algorithms could be exploited if security controls are insufficient. Regulators now emphasize cybersecurity risk management as an integral part of AI/ML-based medical device compliance.

FDA Analysis on the Possible Changes for AI/ML-Based Devices

In this context, and in response to these challenges, the FDA published a discussion paper (with a request for feedback) outlining a proposed regulatory framework for AI/ML-based SaMD. The paper categorizes possible modifications into three areas:

  • Performance – Clinical and analytical performance updates,
  • Inputs – Changes to algorithmic inputs and their clinical association to device outputs,
  • Intended Use – Adjustments to the intended purpose as defined by IMDRF risk categorization frameworks.

To address these evolving challenges, the FDA has proposed a Total Lifecycle Regulatory Approach, incorporating risk management to determine whether modifications require a new 510(k) submission and implementing real-world data surveillance to monitor software performance post-market. Additionally, cybersecurity risk assessment is a critical component of this model, as software updates could introduce security vulnerabilities that need proactive mitigation.

Key regulatory factors in this model include:

  1. Quality Systems and Good Machine Learning Practices (GMLP) – Ensuring consistent and reliable AI/ML model performance while incorporating robust cybersecurity controls.
  2. Premarket Review for High-Risk SaMD – Evaluating AI/ML-based software prior to market approval to ensure safety, effectiveness, and security.
  3. Post-Market Risk Monitoring – Implementing continuous surveillance mechanisms to assess risks introduced by updates or learning algorithms.

FDA Proposal on How to Handle Changes for AI/ML-Based Devices

The FDA’s approach to AI/ML-based software modifications centers on the Predetermined Change Control Plan (PCCP), consisting of:

  • SaMD Pre-Specifications (SPS) – Anticipated modifications regarding performance, inputs, or intended use, defining the range of permissible changes without triggering new regulatory submissions.
  • Algorithm Change Protocol (ACP) – The manufacturer’s strategy for controlling risks associated with the planned modifications outlined in the SPS.

If proposed changes remain within the SPS/ACP framework, a new 510(k) submission may not be required. This model provides the necessary flexibility for AI/ML-based medical devices, allowing continuous software updates while maintaining regulatory oversight.
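The SPS/ACP decision described above, as an added illustration that is not the FDA's or any manufacturer's code: a gate that checks a proposed model update against pre-specified performance, input and intended-use bounds, and against the ACP's evidence requirements (a validation report whose digest matches the change record, and a signed-off cybersecurity review of the update). The SPS thresholds, metrics and report content are constructed.

```python
from dataclasses import dataclass
import hashlib

@dataclass(frozen=True)
class SaMDPreSpecifications:
    """SPS: the pre-specified envelope for performance, inputs and intended use."""
    min_sensitivity: float
    min_specificity: float
    allowed_inputs: frozenset
    intended_use: str

@dataclass(frozen=True)
class ProposedChange:
    sensitivity: float
    specificity: float
    inputs: frozenset
    intended_use: str
    validation_report: bytes        # locked validation report produced under the ACP
    validation_report_sha256: str   # digest recorded in the change record
    security_review_signed_off: bool

def evaluate_change(sps, change):
    """Return (within_pccp, reasons); empty reasons = no new 510(k) indicated by this gate."""
    reasons = []
    if change.sensitivity < sps.min_sensitivity or change.specificity < sps.min_specificity:
        reasons.append("performance below SPS bounds")
    unanticipated = change.inputs - sps.allowed_inputs
    if unanticipated:
        reasons.append("inputs outside SPS: " + ", ".join(sorted(unanticipated)))
    if change.intended_use != sps.intended_use:
        reasons.append("intended use changed")
    # ACP evidence: the validation report must be the one recorded, unmodified
    if hashlib.sha256(change.validation_report).hexdigest() != change.validation_report_sha256:
        reasons.append("validation report does not match recorded digest")
    if not change.security_review_signed_off:
        reasons.append("cybersecurity review of the update not signed off")
    return (not reasons, reasons)

# Constructed sample values (hypothetical; not from any real device or submission).
EXAMPLE_SPS = SaMDPreSpecifications(0.85, 0.85, frozenset({"fundus_image"}),
                                    "screen for referable diabetic retinopathy")
EXAMPLE_REPORT = b"validation run: sens=0.90 spec=0.88 (constructed)"
EXAMPLE_DIGEST = hashlib.sha256(EXAMPLE_REPORT).hexdigest()

def example_in_plan():
    return ProposedChange(0.90, 0.88, frozenset({"fundus_image"}), EXAMPLE_SPS.intended_use,
                          EXAMPLE_REPORT, EXAMPLE_DIGEST, True)

def example_out_of_plan():
    # Adds an unanticipated input and widens the intended use: both leave the SPS.
    return ProposedChange(0.92, 0.90, frozenset({"fundus_image", "oct_scan"}),
                          "diagnose diabetic macular edema", EXAMPLE_REPORT, EXAMPLE_DIGEST, True)
```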

4EasyReg is an online platform dedicated to Regulatory matters within the medical device, information security and AI-Based business.