Artificial intelligence is transforming the medical device industry, offering unprecedented opportunities to enhance patient care. However, this technological leap comes with significant regulatory challenges. Across the globe, frameworks such as the EU AI Act, ISO 13485 combined with the EU Medical Device Regulation (MDR), FDA’s regulatory pathways, and the U.S. Quality System Regulation (QSR) under 21 CFR Part 820 establish different expectations for AI-enabled devices. Understanding the nuances of these frameworks is essential for navigating this evolving landscape, and on April 29-30, Hogan Lovells is hosting its fourth annual AI Health Law & Policy Summit, where panelists will discuss global trends in this space.
EU AI Act: A comprehensive approach to AI risks and ethics
The EU AI Act takes a forward-looking stance, addressing not just the technical and safety aspects of AI in medical devices but also its societal and ethical implications. AI-based medical devices (AIMD) are classified as "high-risk," requiring a CE mark and triggering strict oversight that builds upon ISO 13485 and MDR requirements. This includes:
- Conformity assessment: Unlike ISO 13485 or MDR, the AI Act groups AI systems into four risk levels, with high-risk systems (where most AIMD are categorized) requiring a conformity assessment procedure and the involvement of a notified body.
- AI-specific Quality Management Systems (QMS): The EU AI Act introduces additional requirements for data governance and lifecycle oversight. For example:
  - Human oversight: AIMD must include mechanisms to guide and inform the natural person to whom human oversight has been assigned, so that they can make informed decisions about whether, when and how to intervene in order to avoid negative consequences or risks, or to stop the system if it does not perform as intended.
  - Data integrity: Manufacturers of AIMD must demonstrate that training datasets are unbiased, representative, and traceable — a step beyond traditional QMS protocols.
  - Lifecycle management: The EU AI Act mandates continuous validation and monitoring of AI systems to address their dynamic, evolving nature.
  - Transparency: Accountability is prioritized, requiring clear documentation of how algorithms function, their limitations, and potential risks.
- Integration with MDR: The EU AI Act bridges its requirements with MDR’s technical documentation, creating an integrated conformity assessment procedure with the involvement of a single notified body.
Where ISO 13485 and MDR focus primarily on device safety and quality, the EU AI Act delves deeper into data integrity, fairness, non-discrimination, and the fundamental rights impacted by AI.
FDA: Prioritizing flexibility, data integrity, and patient outcomes
In the United States, FDA’s regulatory framework reflects the dynamic and fast-paced nature of the AI field. The agency takes a pragmatic, patient-centered approach that builds on a longstanding focus on data integrity:
- Data integrity leadership: For decades, FDA has emphasized the importance of data reliability and traceability across medical devices. This principle is key for AI technologies, where high-quality datasets drive training, validation, and testing. The agency requires manufacturers to verify the provenance, accuracy, and representativeness of datasets to prevent bias and ensure transparency.
- Audit trails: Just as traditional devices must maintain clear records, AI systems must include audit trails to track changes in data and algorithms, reinforcing trust and accountability.
- Bias mitigation: High-quality, representative datasets are crucial to mitigating bias and safeguarding equitable outcomes in AI-enabled devices.
- Risk classification: Devices are categorized as Class I, II, or III, depending on their potential risks and intended uses. This contrasts with the EU MDR’s four classes (I, IIa, IIb, and III), which are based on intended use, level of invasiveness, duration of use, and potential risks to patients and users, and with the EU AI Act’s treatment of all medical devices as high risk within the four-tier AI-specific system.
- Predetermined Change Control Plan (PCCP): Recognizing the iterative nature of AI, FDA allows manufacturers to update AI models within defined parameters without needing reapproval when the PCCP is part of the original approval. This ensures the technology stays current while maintaining safety, and it reduces potential delays in releasing improvements to market.
- Patient-centered focus: FDA guidance emphasizes clinical outcomes and safety while ensuring innovation is not stifled by overly prescriptive requirements.
FDA's combined focus on adaptability, patient outcomes, and its well-established leadership in data integrity positions it as a strong regulatory force in this space.
ISO 13485/EU MDR: The backbone of medical device quality
ISO 13485 and the EU MDR remain the cornerstone standards for medical device compliance in Europe. Their focus is on ensuring safety, quality, and post-market surveillance. However, these frameworks leave certain gaps when it comes to AI, such as:
- Algorithm bias: Neither standard directly addresses the risks of algorithmic bias in AI systems.
- Dynamic performance: The evolving nature of AI systems is not explicitly covered, which the EU AI Act remedies.
- Ethical oversight: Broader societal considerations are also outside the scope of these standards.
These limitations underscore the gap that the EU AI Act seeks to fill.
U.S. Quality System Regulation (QSR): Prescriptive compliance for medical devices
The U.S. QSR under 21 CFR Part 820 provides a structured, prescriptive framework for quality systems, with key provisions tailored to medical devices:
- Design controls: The QSR requires robust design controls, including usability testing and risk management, which complement the demands of AI-enabled systems.
- Documentation and traceability: Recordkeeping requirements ensure traceability of data sources, algorithms, and updates, aligning well with AI governance.
- Post-market surveillance: Like the EU MDR, the QSR emphasizes performance monitoring, but for AI, this includes addressing issues like algorithmic drift.
While sharing principles with ISO 13485, the QSR stands out with its stringent, U.S.-specific focus on compliance.
Our expertise: Your partner in global AI compliance
The regulatory landscape for AI in medical devices is complex, but it offers immense opportunities for those who navigate it successfully. This is where our global team excels. With expertise across the EU, U.S., and other regulatory environments, we provide comprehensive support to manufacturers facing these challenges.
- We tailor strategies to meet the requirements of the EU AI Act, FDA, and QSR, ensuring seamless global compliance as it relates to product development as well as organizational governance over the use of AI in business and operations.
- Our specialists design and implement AI-specific quality management systems, addressing data governance, bias mitigation, and lifecycle oversight.
- We assist with regulatory submissions, creating technical documentation that reflects both compliance and innovation.
- Post-market surveillance programs help our clients continuously monitor their AI systems and address risks proactively.
Whether you are integrating AI into an existing product or launching a cutting-edge solution, we are here to guide you through every step of the process. Let us help you unlock the full potential of AI-enabled medical devices while meeting the highest standards of safety, quality, and ethical integrity.
Finding the balance
While the EU AI Act prioritizes ethics and societal impact, FDA emphasizes adaptability and patient outcomes, and the QSR ensures prescriptive compliance. These frameworks, though distinct, converge on principles like safety, transparency, and bias mitigation. Together, they offer a roadmap for manufacturers to harness the transformative power of AI responsibly.
Navigating these frameworks is not just about meeting regulatory requirements — it is about setting the stage for innovation that truly changes lives. That is a journey we are passionate about supporting.