Skip to content
8foldgovernance master
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • +44 (0)1273 569172
Book a Call

← From our blog

Expert Insights: Regulating Imaging Software

  • Published: February 28, 2025
  • Category: Medical Devices

Share this post

Headshot of a man with long hair, a beard and glasses, wearing a patterned shirt
Dan York

Share this post

Introduction

Radiology Imaging Software (RIS) can be a powerful tool for clinicians all along the oncology pipeline. The technology has opened up time-saving workflows and the potential for radiological results analysis to be more effective than ever, which is especially important in the light of the Royal College of Radiologists and the NHS identifying a significant shortage in Radiologists.

With the rise of Artificial Intelligence and Machine Learning algorithms, this technology is at the forefront of a technology enabled revolution in medicine and is already showing its value across health systems globally. Written by our Quality and Regulatory Specialist, Dan York, in this blog we’ll dive into the nuances of regulating Radiology Imaging Software and what manufacturers must consider when developing novel approaches to radiology reporting.

What is Radiology Imaging software?

Instead of reviewing multiple radiological results independently, a RIS system allows clinicians to combine, align and overlay (known as “registering”) results from different techniques (CT, PET/CT, MRI etc) into a single, 3D “image” of the patient. They can be used to help identify tumour lesions or other areas of interest in particular to track the effectiveness of treatments or in some cases to assist in planning dosage and location of localised therapy.

What about PACS software?

While outwardly similar, PACS (Picture Archiving and Communication System) play a different role in the clinical workflow and are usually not subject to the same regulatory oversight as a RIS system. 

RIS systems are considered to be Software Medical Devices in the UK, EU and US (and most other territories) because manufacturers intend for them to be used as a way to measure physiological parameters and make clinical decisions based on the results. PACS, on the other hand, are only for image capture, storage and management, which generally puts them outside of the purview of being medical devices. However, features in some PACS do cross the line into Medical Device territory, so it’s worth confirming the status of your product or you risk falling into some heavy penalties.

What standards are applicable to my Radiology product?

As a Software Medical Device product, there will be many international standards that are relevant and applicable to an RIS system. You should be considering how to best implement these, and others, when you’re creating a product in this family:

ISO 13485

ISO 13485: 2016
Medical Device Quality Management Systems

This standard outlines the requirements for your management system to operate in a way to produce safe and compliant products.

See our ISO 13485 Blog

IEC 62304

IEC 62304: 2006
Software Life Cycle Processes

A software-specific standard which provides a framework for software production, verification and validation in the context of medical devices

ISO 1497

ISO 14971: 2019
Risk Management for Medical Devices

This standard sets out how to approach risk management to ensure the safety of your product.

See our ISO 1491 Blog

There are also many other standards and regulations which you should be considering, including labelling requirements, cybersecurity processes and DICOM (Digital Imaging in Communication and Medicine) for specific medical imaging data formats.

What standards are applicable to my Radiology product?

FDA logo

USA

The FDA has dedicated categories for many types of medical devices to make it easy for manufacturers to categorise their products. For example, your product may fall into the category for “Radiological computer-assisted diagnostic software for lesions suspicious of cancer”, which would be considered Class II based on risk. Some additional controls related to software do apply too, such as the need to provide detailed descriptions of any algorithms and clear evidence of improved clinical benefit. Class II devices need approval from the FDA in the form of a 510k before they can be sold on the US market.

CE mark

Europe

In accordance with Rule 11 of the Medical Device Regulation (2017/745 Annex VIII) software that provides information which informs diagnosis or treatments, but not in a way that those decisions could have some urgent impact on a patient’s health, will be considered as Class IIa within Europe. This means you’ll need a notified body to issue you with a CE mark to verify compliance in order to sell to your European customers.

UKCA mark

U.K

The MHRA, through the UK Medical Device Regulation (UKMDR 2002) also considers medical device software that provides decisive information for making diagnoses as Class IIa.  Placing them in the “medium risk” category for the UK, requiring either a UKCA mark, or at least a CE mark if you’re planning to sell into Europe too.

What about AI in my Radiology system?

The core of many RIS systems may require the use of complex algorithms which analyse the radiology scan data and produce summary results, such as the size and perfused volume of a tumour.

Teal opening quotation marks graphic

The core of many RIS systems may require the use of complex algorithms which analyse the radiology scan data and produce summary results, such as the size and perfused volume of a tumour.

Teal closing quotation marks graphic

The need to study structured data for clinically observable features makes it a prime candidate for training and using an AI model within the product.

Using an AI model within a medical device brings additional complexity in terms of regulatory requirements, but for radiology use-cases there are features working in your favour to smooth out the process. For example, comparing the output of your algorithm to the opinion of trained clinicians can be done in a clear and systematic manner by comparing the overlap and counting the voxels (3D equivalent of pixels) between a tumour region deduced by both parties.

Verifications such as these, along with documentation such as a well-realised AI development plan will be needed in order to be compliant with the latest standards and regulations.

The Good Machine Learning Practice

The Good Machine Learning Practice was released by the UK MHRA, US FDA and Health Canada as guidance to developers of AI medical device systems; RISs demonstrate points 7 (Focus Is Placed on the Performance of the Human-AI Team) and 9 (Users Are Provided Clear, Essential Information) especially when:

  • RISs typically require human oversight and review before any treatment decisions are made or confirmed.
  • RISs often offer additional administrative functions that support good integration into the treatment pathway (e.g. report generation, integration with EPR).
  • RISs display the data that make up the basis of their recommendation in a clear interface that allows the radiologist to simply review and amend where necessary.

You can learn more about the Latest Guidance for Artificial Intelligence and Machine Learning in Medical Devices in our blog Here.

What standards are applicable to my Radiology product?

As a Software Medical Device product, there will be many international standards that are relevant and applicable to an RIS system. You should be considering how to best implement these, and others, when you’re creating a product in this family:

HIPAA

HIPAA

As the Federal Law designed to protect sensitive patient health information (PHI), RIS providers and other digital health or med-tech businesses will need to comply with HIPAA to work with payors, providers and insurers in the United States.

ISO 27001 iso 27001 certification iso 27001 certification price

ISO 27001

Due to the volume and nature of information often transmitted to radiology information systems, there may be the requirement for businesses to comply with ISO 27001. As the de facto standard for information security best practices, manufacturers of radiology solutions should strongly consider how integrating ISO 27001 into their business management system may serve as a strategic advantage.

Nhs dtac, dtac, dtac nhs

NHS Digital Technology Assessment Criteria (DTAC)

Developed as the national baseline for compliance in the NHS, the Digital Technology Assessment Criteria or DTAC provides a comprehensive list of requirements for early or late-stage innovators to build technology that is NHS-ready. It is made up of several critical compliance pillars for all digital technology suppliers to the NHS with many dovetailing or aligning with medical device regulations or international standards. For the NHS, evidencing compliance with this framework is a critical requirement as part of the procurement process.

You can learn more about the alignment between DTAC and ISO standards in a recent blog we published Here.

Summary

If you’re planning to bring a Radiology Imaging Software product to fruition, then there’s lots of things to cover from a compliance perspective. Whether this be addressing statutory requirements, such as the Medical Device Directive in the UK or Medical Device Regulations in the EU, we can help you find a route from where you are, to where you need to be.

Get in Touch with our Expert Team

With expertise covering Medical Device Regulations, International Standards and Market Specific compliance such as the NHS DTAC, we have the resources to help your innovation serve the people that need it the most.
Book a Call with our Expert Team

Other Articles​

Loading...
IEC 62304 vs EU MDR classification

Implementing IEC 62304: 5 Common Mistakes

Read More →

July 3, 2026
FAQ: What is a Technical File?

FAQ: What is a Technical File?

Read More →

May 9, 2026
What is IEC 62304

FAQ: What is IEC 62304?

Read More →

April 27, 2026
8foldgovernance master

+44 (0) 1273 569172

info@8foldgovernance.com

SERVICES

  • AI Governance
  • Medical Device Registration
  • ISO Compliance
  • Full DTAC Support
  • Information Governance
  • Clinical Safety
  • Data Security & Protection
  • CQC Services
  • Cyber Security
  • 8foldTraining

LINKS

  • Contact
  • About
  • Meet The Team
  • Blog
  • Join Us
  • Case Studies
  • Charity Work
  • Partnerships
  • FAQs
DSPT Data Security And protection Toolkit 8Fold
Information Governance Badge 8 Fold
NPSORE
ABHI Member

 © 2026 8fold | Privacy Policy | Cookie Policy | Terms & Conditions

X We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies. However you may visit Cookie Settings to provide a controlled consent.
Read More ACCEPT Cookie settings
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checkbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
Save & Accept