With the increasing power and accessibility of AI systems, more and more medical devices and IVDs are integrating artificial intelligence. This could be directly, through using AI as part of a diagnosis or evaluation function; or indirectly through recommendation systems or chatbots. In the UK we recently had the worlds first Class III Medical Device for autonomous skin cancer detection (DERM by Skin Analytics) approved by the MHRA.
Increasing AI usage in the healthcare sector is naturally coupled with increasing regulatory scrutiny and requirements. After the introduction of the EU AI Act, governing the use of high-risk AI in Europe, many countries are expected to implement their own equivalent requirements over the coming years.
As a medical device organisation, you should already have an established and effective ISO 13485 compliant QMS to handle your products and processes. Choosing to include AI in your medical device is an exciting and potentially valuable improvement for you and your customers, but doing so will have an impact. In this blog, we outline the potential impacts and some practical strategies to consider when building an AI medical device or integrating AI into existing medical devices.
Quality Management System and Documentation for AI
AI brings with it the need for new processes (or steps within existing processes) within your organisation, relating to everything from development and testing to risk assessment and cybersecurity. These procedures must be documented as part of your QMS and kept up-to-date in the same way as any other QMS process. You may also need to create new forms of records to capture key information, particularly related to transparency and explainability of the AI system.
AI must also be considered at the quality policy level, establishing an AI portion of the quality policy provides your organisation with an overview of the purpose and goals of using AI within your product.
Given the rate of technological change associated with AI, it can be helpful to re-evaluate your periodic document review timelines to make sure that you don’t end up with staff referring to out-of-date information.
Training and Awareness of AI
Training and competence are an important facet of your ISO 13485 QMS, to ensure that competent people are involved with the production of medical devices.
Under the EU AI Act, if your organisation creates or markets an AI product, your staff must have a baseline awareness and understanding of the technology and the impacts and risks associated with it. This should be documented as part of your training records and maintained as any other critical training is. In addition, you should also be verifying the competence of any staff or suppliers who are providing technical input to your AI system or managing cybersecurity, particularly if the AI has any associated clinical or usability risks.
Need help with AI Literacy?
Take a look at our AI Literacy training course to give your staff the knowledge they need.
Labelling and Communication in AI
Labelling in medical devices is an important regulatory requirement, and you should already have a procedure to handle the creation, review and display of labels appropriate to your device, whether that is through physical labels or in-software identification.
AI systems must also be clearly labelled and explained to their users, this can be in many forms, but an Instructions for Use (IFU) or user guide is a common way to provide users with information such as intended use, technical capabilities and limitations, and use-cases.
AI and Internal Audit
Working with high-risk AI under the EU AI Act (which all AIaMD is classified as), ISO 42001 and other upcoming local regulations should impact the scope of your internal audits. Internal audit is an important tool for verifying that your procedures are effective at maintaining compliance with standards and regulations, and this should include anything AI-related if it impacts your product. Expanding the scope of internal audits to include new standards or regulations also likely impacts your auditor competence requirements and how often audits should be carried out.
AI Risk Management and Post-Market Surveillance
Introducing AI into a medical device also introduces a new set of risks and potential hazards, both from a clinical perspective and from a technical and security perspective. AI risks can be found across your processes, from ensuring their output is clinically valid to protecting your training datasets from poisoning or excessive, unmitigated bias.
BS/AAMI 34971:2023 is a great resource for identifying AI-specific risks and how to handle them to ensure a safe medical device, so much so that it is currently being considered for adoption as an ISO standard (as ISO/CD TS 24971-2). We recently wrote about this new standard in another blog here.
Relatedly, your Post Market Surveillance (PMS) plan, which should be an input to your risk management strategy should also be revised to consider AI-related post-market activity. You should be collecting and analysing data which is specifically related to the performance of the AI components as well as changes in the state-of-the-art around AI.
Post-Market Surveillance
The UK has new regulations coming into force in June 2025 around Post-Market Surveillance; check whether you are compliant with a free review from 8foldGovernance.
Summary
Integrating AI into a medical device product can be a huge competitive advantage for your organisation and your customers, expanding the potential for you to help patients and improve clinical outcomes and your Quality Management System is the tool to help you ensure this is done safely for patients and your business. Having a strong and effective foundational QMS that is compliant with ISO 13485 already will make any changes much easier to handle.
Still unsure?
Struggling with your QMS or the specifics of AI-as-a-Medical Device?
We can help your team understand the requirements around AI and ensure a smooth implementation of changes.