Every regulatory AI medical device standard you need to know

As AI is increasingly integrated into more and more medical devices, the regulations and standards are also maturing and developing. Often we get asked ‘What are the most important standards we need to know?’, so I thought it would be useful to give an overview of the crucial standards for AIaMD that are fundamental, as well as the most helpful standards that provide AI specific guidance, with some right at the cutting edge.

Base standards

Let’s start by looking at the basic standards that are both essential and form part of a conformity assessment (i.e. which standards a regulatory auditor will be assessing against for your regulatory submission, against testable requirements).

ISO 13485 - Quality Management Systems

It is now pretty much impossible to bring a regulated medical device to market anywhere in the world without a QMS. It used to be the case that in the EU Class I devices did not need one, but that all changed with the introduction of the EU MDR. The UK has since essentially followed suit, most other global jurisdictions use it too, and the US FDA is currently transitioning to recognising the same international standard for QMS.

ISO 13485:2016, Medical devices – Quality management systems – Requirements for regulatory purposes (to give it its full name) is the bedrock of any company making medical devices. ISO 13485 is your blueprint for ensuring quality across all of your organisation’s processes, both pre- and post-market.

ISO 13485 is so important it even has its own assessment and certification process, separate from a medical device audit. In many jurisdictions companies must have a compliant QMS before they can get regulatory authorisation for any devices. (In the EU you can be certified by a certifying body or a notified/approved body - but beware of the difference: a certificate from a certifying body is not necessarily accepted by a notified body when it comes to assessing documentation for a technical file audit.)

An interesting point, if you want to be super pedantic, is that nowhere in the medical device regulation does it say you must have an ISO 13485 certified QMS - article 10(9) of the EU MDR only outlines the requirements for a QMS and does not mention the standard. Practically, since these requirements almost exactly match ISO 13485, it’s just the norm to get the certification to avoid anyone questioning this slight nuance. Indeed, savvy purchasers are now even asking for evidence of conformity to the standard, so in reality you should just use it.

A well designed QMS, integrated deep into your company’s processes will help across the board in streamlining quality management. If you want to know more, you can read our recent article ‘Everything you need to know about Quality Management Systems’.

ISO 14971 - Risk Management

Every medical device has risks associated with it, and in recognition of that it is important to demonstrate that you have identified all foreseeable risks, mitigated against those that can be controlled, and have mechanisms in place to identify unknown risks as they present. This is common sense stuff, and hence ISO 14971:2019, Medical devices – Application of risk management to medical devices has found its place firmly as one of the essential base standards for all medical devices, including AI.

ISO 14971 does not require its own certification, but it is used within the context of a QMS and in conformity assessments, and therefore should be integral to your medical device development (and maintenance). Many of the principles within it extend to AI devices, however hazards specific to AI and related mitigations are not explicitly addressed. Therefore, AI developers can use the principles within ISO 14971 to extrapolate to AI risks, as explained in supplementary guidance such as AAMI TIR 34971 (more on this below).

As AI in medical devices becomes more ubiquitous, we would expect that more supplementary guidance will be released over time, explicitly to support novel and cutting edge technologies as they arise. For instance, the current project under development ISO 24971-2 is intended to support AI developers specifically. For now, ISO 14971 is your go-to standard for risk management.

IEC 62304 - Software Life Cycle Processes

It is a sad fact that AI developers who are not accustomed to medical device standards start with a dataset, train a neural network on it, validate it on some hold-out data, and then think they’ve got a viable product ready to sell. Unfortunately, this is not the case, since no effort has been put into managing the lifecycle of the actual medical-grade software in which the AI is deployed. That’s where IEC 62304:2006+AMD1:2015, Medical device software – Software life cycle processes comes in.

IEC 62304’s goal is to ensure that software is safe, functional and maintained throughout its life cycle, through an appropriately documented architectural design and a documented software validation process. Anyone familiar with the typical software development cadence of development planning, requirements analysis, architectural design, unit implementation, verification, integration testing, system testing and release will feel right at home here.

IEC 62304 also introduces the concept of Safety Classes (not to be confused with device risk classification), which helps guide developers as to how much documentation is actually required for a complete technical file.

IEC 62304 does not require an individual certification; instead it is folded into your QMS processes, and regulators will check your technical documentation against this standard when you submit for a regulatory authorisation.

IEC 62366-1 - Usability Engineering

Every medical device should be simple and safe to use by the intended users once they have been appropriately trained. But how would you know this is the case? IEC 62366-1:2015+AMD1:2020, Medical devices – Part 1: Application of usability engineering to medical devices is the go-to standard for usability engineering.

It is split into two parts: IEC 62366-1:2015+AMD1:2020 and IEC 62366-2:2016. The first part explains how to apply usability engineering to all medical devices, and the second part gives guidance on how this may be achieved in practice. The key takeaway is that usability should be assessed for all intended users in all intended environments, both in development (formative usability) and in the real world (summative usability).

For software, this comes down to assessing things such as making sure log-ins work correctly, that button descriptions in a UI are legible and understandable, or that users understand and can control user settings correctly. This will be particularly important for AI devices that give suggestions for decision support to clinicians, since they will need to understand what the AI outputs mean, how to agree with, disagree with or override them, etc.

As with risk management and software development life cycle management, usability should be an integral part of your QMS. It is an international harmonised standard, not certified as an individual standard, but it will be assessed by your auditors (both in the EU and USA) in your technical file and QMS. (Top tip: make sure you use the most recent amended version, known as +AMD1:2020.)

IEC 81001-5-1 - Cybersecurity

This is the one most often missed, since the 81001 series as a whole is not relevant to AI devices; only part 5-1, which covers cybersecurity throughout the software life cycle, applies. It has a broader remit than pure AI devices, covering both stand-alone software and software within a hardware device.

IEC 81001-5-1 supplements and extends IEC 62304, and since cybersecurity should technically be an integral part of any software development life cycle, it is currently being harmonised (at the time of writing), so we expect it will become one of the base standards in due course, hence its inclusion on this list. We expect this shift to catch out developers who are unprepared when it comes to audit time.

This sleeper standard is the one to watch, since compliance with IEC 81001-5-1 can give startups a competitive edge in terms of regulatory moat, especially before it becomes a de facto base standard.

In addition, when you consider cybersecurity risk analysis and the results of penetration or vulnerability testing of software, you may use the Common Vulnerability Scoring System (CVSS) as a way to prioritise which security issues to fix first - this is itself contained in the standard ISO/IEEE 11073-40101:2022, Health informatics — Device interoperability — Part 40101: Foundational — Cybersecurity — Processes for vulnerability assessment.

AI specific standards

Now let’s look at important specific standards for AI medical devices that build up from the base standards. Some of these have testable requirements and can support conformity assessments, and some don’t (yet), so we’ll split these into two categories.

Testable requirements

AI risk management

AAMI TIR 34971:2023 / BS/AAMI 34971:2023 (Guide), Application of ISO 14971 to machine learning in artificial intelligence, is the first on this list that actually mentions AI. It's a precursor to a formal standard, but can be said to represent state-of-the-art thinking on a given subject - in this case, identification of hazards and device risk classification for AIaMD.

This technical report provides guidance on how to apply ISO 14971 to AI/ML devices. It really is a very helpful document, and while not yet harmonised or incorporated into ISO 14971, for now it is the best guidance available specifically for risk management in AI medical devices.

Data Quality

Data quality is everything when it comes to ML-based medical devices, and thankfully there is a standard for ensuring that high quality data control is used for medical-grade applications.

ISO/IEC 25024, Systems and software Quality Requirements and Evaluation (SQuaRE) – Measurement of data quality came out in 2015, so on its own it is not up to date enough for the current paradigm of AI, nor does it have appropriate testable requirements; however, the ISO/IEC 5259 standard complements it and provides new definitions applicable to AI.

Parts 2 and 4 of this brand new joint standard from ISO and IEC cover data quality measures and data quality process frameworks for AI/ML devices. It supports conformity assessment to ISO/IEC 25024:2015, with a particular focus on AI data quality.

ISO/IEC 5259-2, Artificial intelligence – Data quality for analytics and machine learning (ML) – Part 2: Data quality measures defines measures of data quality, e.g. how to apply the accuracy, completeness, consistency, credibility and currentness principles to data used for and produced by AI systems.

ISO/IEC 5259-4, AI System lifecycle defines the basic steps necessary for a data quality management process. This part of the 5259 standard provides useful guidelines (rather than requirements) and aligns for the most part with current conformity assessments. We do, however, expect this standard to be updated, or a superseding standard to be produced, to better harmonise with current frameworks; but for now, this is right at the cutting edge.

Non testable requirements

AI frameworks

Often when submitting to regulators manufacturers can cause confusion by using non-standard terminologies when describing their AI architecture. ISO/IEC 23053:2022 Framework for Artificial Intelligence (AI) Systems Using Machine Learning (ML) aims to provide a framework for the description of AI systems that use ML. By establishing a common terminology and a common set of concepts for such systems, this standard provides a basis for the clear explanation of AI systems and various considerations that apply to their engineering and to their use. While not specific to medical devices, there is useful terminology in this document that should be used universally by medical device manufacturers.

Classification performance

For AI devices with an intended purpose to perform a classification task (e.g. binary/multi decision support, or classifying findings on an image) there is a useful technical standard for measuring the performance of classification systems.

ISO/IEC TS 4213:2022 - Information technology – Artificial intelligence – Assessment of machine learning classification performance specifies methodologies for measuring the classification performance of machine learning models, systems and algorithms. This includes common statistical measures for performance, like those derived from a confusion matrix and statistical tests for significance, like Chi-squared tests. Highly recommended for those developers who want to know what an auditor may look for in a clinical evaluation report for an AI classifier. Getting your performance metrics right will ultimately support your claims when it comes to a conformity assessment.

Bias

Every AI system will have some form of bias - but how do you measure or assess for this? How would developers ensure and demonstrate minimal bias in an AI model? ISO/IEC TR 24027:2021, Information technology — Artificial intelligence (AI) — Bias in AI systems and AI aided decision making addresses bias in relation to AI systems, especially with regard to AI-aided decision-making. While this standard is more general than just medical devices, it provides useful recommended measurement techniques and methods for assessing bias, with the aim of addressing and treating bias-related vulnerabilities. This standard covers all aspects of bias including, but not limited to, data collection, training, continual learning, design, testing, evaluation and use.
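The two preceding sections, on classification performance (confusion-matrix measures and a Chi-squared test) and on measuring bias, share the same machinery, so one added example covers both. The code below is written for this article and is not from the author or from the text of ISO/IEC TS 4213 or ISO/IEC TR 24027: it builds a binary confusion matrix from labels, derives sensitivity, specificity, PPV, NPV, accuracy and F1, runs a Pearson Chi-squared test of association between prediction and truth using only the standard library, and then recomputes a chosen measure per subgroup to surface a performance gap. The hold-out data and the two subgroups are constructed, and subgroup B is deliberately given poorer sensitivity so the gap is visible; a subgroup with no positive cases yields NaN rather than a misleading zero.

```python
"""Classification performance and subgroup (bias) measures for a binary AI classifier.

Added example for this article. Results come from constructed hold-out data,
not from any real device.
"""
from dataclasses import dataclass
from math import erfc, sqrt
from typing import Dict, Sequence, Tuple


@dataclass(frozen=True)
class ConfusionMatrix:
    """Binary confusion matrix; label 1 is the positive finding."""
    tp: int
    fn: int
    fp: int
    tn: int

    @classmethod
    def from_labels(cls, y_true: Sequence[int], y_pred: Sequence[int]) -> "ConfusionMatrix":
        if len(y_true) != len(y_pred):
            raise ValueError("y_true and y_pred must have the same length")
        tp = fn = fp = tn = 0
        for truth, pred in zip(y_true, y_pred):
            if truth == 1 and pred == 1:
                tp += 1
            elif truth == 1:
                fn += 1
            elif pred == 1:
                fp += 1
            else:
                tn += 1
        return cls(tp, fn, fp, tn)


def _ratio(num: int, den: int) -> float:
    """num/den, or NaN when the denominator is zero (e.g. a subgroup with no positives)."""
    return num / den if den else float("nan")


def performance(cm: ConfusionMatrix) -> Dict[str, float]:
    """Common confusion-matrix derived measures."""
    return {
        "sensitivity": _ratio(cm.tp, cm.tp + cm.fn),
        "specificity": _ratio(cm.tn, cm.tn + cm.fp),
        "ppv": _ratio(cm.tp, cm.tp + cm.fp),
        "npv": _ratio(cm.tn, cm.tn + cm.fn),
        "accuracy": _ratio(cm.tp + cm.tn, cm.tp + cm.fn + cm.fp + cm.tn),
        "f1": _ratio(2 * cm.tp, 2 * cm.tp + cm.fp + cm.fn),
    }


def chi_squared_independence(cm: ConfusionMatrix) -> Tuple[float, float]:
    """Pearson chi-squared test (df = 1, no continuity correction) that the
    classifier's output is associated with the true label, on the 2x2 table
    [[tp, fn], [fp, tn]]. With one degree of freedom the p-value equals
    erfc(sqrt(stat / 2)), so no statistics library is needed."""
    table = ((cm.tp, cm.fn), (cm.fp, cm.tn))
    n = cm.tp + cm.fn + cm.fp + cm.tn
    row_totals = [sum(r) for r in table]
    col_totals = [sum(c) for c in zip(*table)]
    if n == 0 or 0 in row_totals or 0 in col_totals:
        raise ValueError("empty row or column: the test is undefined")
    stat = 0.0
    for i in range(2):
        for j in range(2):
            expected = row_totals[i] * col_totals[j] / n
            stat += (table[i][j] - expected) ** 2 / expected
    return stat, erfc(sqrt(stat / 2))


def subgroup_metric(y_true, y_pred, groups, metric: str = "sensitivity") -> Dict[str, float]:
    """The chosen measure recomputed per subgroup (e.g. sex, site, scanner model)."""
    result = {}
    for group in sorted(set(groups)):
        idx = [i for i, g in enumerate(groups) if g == group]
        cm = ConfusionMatrix.from_labels([y_true[i] for i in idx], [y_pred[i] for i in idx])
        result[group] = performance(cm)[metric]
    return result


def max_gap(per_group: Dict[str, float]) -> float:
    """Largest difference between any two subgroups, ignoring NaN (undefined) groups."""
    values = [v for v in per_group.values() if v == v]
    return max(values) - min(values) if values else float("nan")


def _labels(tp: int, fn: int, fp: int, tn: int) -> Tuple[list, list]:
    """Expand counts into parallel label lists (helper for the constructed data)."""
    return ([1] * (tp + fn) + [0] * (fp + tn),
            [1] * tp + [0] * fn + [1] * fp + [0] * tn)


# Constructed hold-out results for two patient subgroups; B is deliberately worse.
_A_TRUE, _A_PRED = _labels(tp=40, fn=10, fp=5, tn=45)
_B_TRUE, _B_PRED = _labels(tp=30, fn=20, fp=5, tn=45)
Y_TRUE = _A_TRUE + _B_TRUE
Y_PRED = _A_PRED + _B_PRED
GROUPS = ["A"] * len(_A_TRUE) + ["B"] * len(_B_TRUE)

if __name__ == "__main__":
    cm = ConfusionMatrix.from_labels(Y_TRUE, Y_PRED)
    print(cm, performance(cm))
    print("chi-squared, p:", chi_squared_independence(cm))
    by_group = subgroup_metric(Y_TRUE, Y_PRED, GROUPS)
    print("sensitivity by subgroup:", by_group, "gap:", max_gap(by_group))
```

A significant Chi-squared result only says the classifier's output is associated with the truth; it says nothing about whether the sensitivity or specificity is clinically adequate, which is why the measures and the subgroup gap are reported alongside it rather than the p-value alone.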

Cutting edge guidance

Finally, let’s look at some other guidance applicable to AIaMD that is neither required for a conformity assessment nor yet widely accepted as a standard for medical devices, but can potentially be useful for developers at the cutting edge.

Autonomous AI

While there are very few software devices that are completely autonomous in medicine (pacemakers, for example), there is a useful technical report which gives a good framework for differing degrees of autonomy in medical systems.

IEC TR 60601-4-1:2017, Medical electrical equipment – Part 4-1: Guidance and interpretation – Medical electrical equipment and medical electrical systems employing a degree of autonomy may be of interest to AI developers who want to break new ground and start to introduce the concept of AI autonomy into their products. Machine autonomy is a thorny and ethically charged area, which is likely why we won’t see a harmonised standard for this just yet, but IEC TR 60601-4-1 is a good starting point.

Continuous learning AI

The holy grail of AI in medicine would be to deploy and maintain an AI system that could continuously learn from its input data as well as through feedback from downstream outcomes data. While obviously there is no specific standard for this since all regulated AIaMD currently on market is ‘static’ or fixed at a given point in time (or at least should be!), there is a general standard applicable to all AI (not just medical) that starts to lay that ground work.

ISO/IEC 8183, Artificial intelligence – Data life cycle framework defines the stages and identifies associated actions for data processing throughout an AI lifecycle. It has useful sections for developers considering how to maintain a continuous learning system post-deployment, assuming that you are prepared to accept a human must be in the loop throughout the retraining lifecycle to ensure proper processes and validation occur. This standard is not acceptable for medical devices yet, but could be seen as an early indicator of where AI medical device standards may be going.

Conclusion

Medical AI is a very exciting area in terms of regulation, with every new iteration of the technology provoking a reaction from regulators and standards bodies to up their game and provide guidance and requirements for developers to ensure a smooth market entry. In this article we covered the key base standards you absolutely must read and comply with, as well as useful AI specific standards, and some cutting edge standards that will, we hope, over time be further updated and incorporated into best practice.

We did not include standards related to clinical evaluation (ISO 14155) or cybersecurity (ISO 27001) since these standards are more general and apply to a broader range of medical devices, not just AI. You can find out more about these standards in our previous article. We also did not include BS 30440 in this article since it only applies to Great Britain, nor did we cover the EU AI Act since, at the time of writing, it does not align particularly well with the current EU MDR, and the community is waiting for further guidance. For those interested, ISO 42001 is the place to start when considering AI Act compliance for management systems, however this is largely superseded by the existing base standards for medical devices as we described.

We recommend that developers purchase copies of the base standards at a minimum (auditors can and will check you actually have a copy), and we also strongly recommend the AI specific standards. If purchasing multiple standards, and to future-proof your library, you should consider a subscription to a standards organisation to take advantage of cheaper prices (for example BSI offer up to 50% off for members). Good luck out there!

Hardian Health is a clinical digital consultancy focused on leveraging technology into healthcare markets through clinical strategy, scientific validation, regulation, health economics, and intellectual property.

By Dr Hugh Harvey, Managing Director
