How to get clinical AI tech approved by regulators – Towards Data Science

AI in medicine is coming, and there is little to stop it… apart from one pesky hurdle. Whether you are a small three-man start-up or a multi-billion-dollar international conglomerate, you have to pass the litmus test of medical device regulation. There is no avoiding it, there is no hiding from it, so you might as well embrace it. Remember the children's story book 'We're going on a bear hunt?'…

Regulations related to healthcare products have been around a lot longer than AI has. It all started off in the 1960s when people started realising that (sadly) Thalidomide could severely damage unborn babies. Medicines therefore began to require pre-market evidence and quality control regulation to avoid such a disastrous event happening again. Not long after pharmaceuticals, medical devices were also included in the regulatory landscape.

Medical device regulations have traditionally been applied to physical products (surgical instruments, for example) and software that runs physical clinical machines (the software inside an ECG machine). The regulations are there for a simple reason — patient safety. Regulatory bodies want to know just one thing — is your product safe to use for its intended purpose? Nothing in medicine (or anywhere) is 100% perfect, so you must provide evidence that you have done your best to ensure that the benefits of using the device outweigh any risks, and that any unmitigated risks are acceptable.

It's all very well trying to innovate at break-neck speed, but the regulators do not care about that. They want you to stop, test, validate and prove that you are going to 'do no harm'. Remember, you're in healthcare now, not some app store or research lab, and you have a duty to patients just as much as any doctor does. You wouldn't want your tech to be considered as dangerous as Thalidomide, would you?

Not only do you have to describe a device's capabilities and functions in truthful and exacting detail using verifiable data, you must do so in a way that your marketing team can convey without overhyping or mis-selling. One huge error is to tell the regulators one thing, but then sell another …

Ever heard of Theranos? This American lab company lost almost $9 billion in value by telling the FDA that their blood tests could detect results on just tiny samples, but then were found to be failing internal quality control checks by up to one third, affecting patient care around blood clotting test results, and potentially leading to strokes and heart attacks. A lesson to be learned here — be truthful and honest about what your product can do!

In this article I will go through the current steps required to get your product approved for the European market and get the holy grail stamp of approval — the CE mark (I say current, and I mean it — things are changing rapidly!).

You may be wondering how an academic radiologist knows this stuff? Well, I was recently the lead for regulatory affairs at the UK's most prominent digital health tech start-up (Babylon Health), and successfully got the world's first CE marking for an AI-supported medical mobile app.

Here's how you can do it… but I warn you, this is not for the easily deterred…

What is the CE mark?

CE is an acronym for the French phrase 'Conformité Européenne'. Hopefully that doesn't need translating...

CE marking doesn't just apply to medical devices — you can find it on almost any product in Europe. Just have a look at an object near you and somewhere in the small print there'll be a CE mark. The mark means that the product in question meets the essential requirements of the relevant directives, and that it may legally be placed on the market freely throughout European member states. In the case of medical devices, the product specifically has to meet the requirements of the Medical Device Directives 93/42/EEC set by the central European Commission (known colloquially as the MedDevs). The directives are a guide, and not prescriptive. They are also a good cure for insomnia, but that's not their intended use.

Intended Use

Whatever your algorithm or AI product does, you need to define it carefully and clearly. This description is known in regulatory parlance as the device's 'Intended Use' and it is the cornerstone of your journey into the maze of the regulation industry. Not only does defining a purpose give the regulators a clear understanding of your device, but it helps cement in your team's mind what they are building.

Intended Use is usually broken down into several components:

Name, model, device description, principles of operation, intended purpose, exact medical indications, stage and severity of medical conditions, intended patient population (including exclusions), intended users, risks of use, intended outcome limitations, and conditions of normal use.

Nailing down your device's Intended Use is the first step towards regulatory approval, so it's important to get it right. You must describe EXACTLY what your device does, not what it COULD do. (If you are unsure about what an Intended Use is — go to your bathroom cupboard, pull out a packet of pills, and read the beginning of the piece of paper inside. That's the level of documentation you need to produce, at a bare minimum). Once you have your Intended Use statement defined, that's it. There's no going back — the regulators will class and judge your product based on the description you give. Any change to your Intended Use means you have to start the whole process again.

Figure out the Class for your device

In Europe, the Class of medical device is defined by the MedDevs (these are soon to undergo some updating, so keep an eye out!). In America, the FDA set the device Class. Classes are broken down into three main types, depending on their potential risks to patients:

Class I — low risk, such as an electronic thermometer or disability aid.

Class II — medium risk, such as a hearing aid or blood pressure cuff. (Class II in Europe is also broken down into Class IIa and IIb, where the latter is more risky, such as a contact lens which makes direct contact with the human body).

Class III — high risk, such as surgical instruments or an implanted defibrillator.

These classes (I, IIa, IIb, III) dictate which of four conformity assessment routes you need to go down.

It goes without saying that the more risky your device is, the more invasive or dangerous its malfunction could be, the more side effects it has, the higher Class of device it will be. Similarly, the level of regulatory scrutiny required increases with device Class.

In general, AI algorithms that support doctors in their decision making are known as Clinical Decision Support software (CDS), and are regarded as Class II, under the current rules. Whether or not it is Class IIa or b depends on what your algorithm's intended use is. I wish I could give you a precise breakdown of exactly which algorithmic functions come under which Class, but it's not black and white, unfortunately. As a rule of thumb however, CDS devices whose outputs are able to be overwritten by humans are usually IIa (e.g. breast mammography CAD), and those which are more autonomous (e.g. automatically entering quantitative results into reports) are IIb.

You should always start a conversation with the regulators or regulatory advisors if you aren't sure. Don't waste time applying for a Class which turns out to be incorrect!

Class II conformity

Once you have pinned down your intended use and device class, you need to nominate a Notified Body (NB). This is an independent and external organisation that comes in to your place of work and audits how you make and test your products. The reason for the Notified Body is that the European Commission doesn't have the time or resource to do this themselves (and doesn't trust you to do it on your own, unless your device is Class I) so instead they rely on third parties, who are in turn regulated by local governmental bodies. For instance, in the UK, the government body that oversees medical device regulations is the Medicines and Healthcare products Regulatory Agency (MHRA), which enforces the European MedDevs. They require developers to use an approved NB in order for the CE marking to be valid.

For Class IIa medical devices, you can choose an NB to audit you as per one of four defined conformity routes:

  • an examination and testing of each product;
  • an audit of the production quality assurance system;
  • an audit of final inspection and testing; or
  • an audit of the full quality assurance system.

For Class IIb, you need an NB to carry out the fourth option, and any of the first three.

In practice, clinical AI developers won't want to go down the batch testing route or final inspection and testing (options 1 and 3), as it means that each and every update to the algorithm needs to undergo repeated clinical validation. This would be monumentally slow and expensive. Instead, AI developers should choose the quality assurance routes, as this is a measure of how good you are at ensuring that development of your product is done with strict quality assurance in mind.

The QMS in brief

A Quality Management System is a series of documents and Standard Operating Procedures (SOPs) that detail your company's development procedures, risk management and testing. Unsurprisingly this is about as boring as it sounds, but is absolutely vital if you want to be able to sell your algorithms. Luckily for you, there is a set standard to adhere to, known as ISO13485:2016. It is also another great cure for insomnia. Luckily, even those in the regulation industry realise this, and someone has even translated it into plain English to make it slightly easier to fathom.

There's lots in ISO13485 that won't apply to AI systems, such as sterilisation, packaging and environmental hazards, but much of it is still directly critical to your CE marking journey, and is essentially the only standard you need for medical device CE marking. On the flip side, lots of ISO13485 is already covered by other directives such as Quality Management (ISO9001, which your organisation may already have), Risk Management (ISO14971, ditto) and Information Security Management (ISO27001, double ditto). Yes, there is a standard for just about everything, so don't think you can cut corners! If your AI is using live patient data and storing it in any way, you will most likely need the latter.

A typical QMS will contain all of the above… and much more! Get expert advice if you don't know where to start!

My advice is to get started as early as possible on working to these standards, because changing your development procedures just as you want to get to market won't cut it. Auditors want to see a QMS in full, with proof that you've been using it for at least three months before an audit starts. If you are having difficulty, you can always outsource some of the work to one of innumerable third party companies who do this stuff for a living.

Working with a Notified Body you must pass a two-stage audit to gain the ISO13485 accreditation. However, there is more to do to get the CE mark!

The Technical File

In addition to having passed the test for Quality Management, you must also go through an extra audit to get the CE mark. This will take into account your 13485 certification, but also requires you to produce what is known as a Technical File. This file is an electronic or hard copy dossier not only linked to your QMS but also several key factors that allow you to demonstrate that you meet the Essential requirements laid out in the MedDevs.

Instructions for Use; as displayed in your brochure/supporting materials or within the software itself

Labelling; the label on the box and packaging. It's also a good idea to have examples of marketing copy, so you know your marketing is going to be above board.

Design Specifications, such as acceptable functionality and measures taken to ensure the device works as intended.

System Architecture; this is in the form of a design dossier.

Declaration of Conformity; a signed statement from the head of the company basically saying everything conforms as required.

and finally….

The Clinical Evaluation Report (CER)

So far, the astute (and still awake) among you will have noticed that no clinical performance data has been mentioned yet. You thought you got away with it, didn't you? Well, sorry, you still need to prove your AI works by running a clinical study.

The CER is a dossier of all clinical testing that has been performed on your device during its development, pre-market testing, and post-market performance.

You don't have to prove that your device works 100% accurately – nothing in medicine ever will. Instead you have to show that you have tested your device appropriately and in the correct clinical setting as per your intended use, and can back up any claims of accuracy with evidence. For instance – there are chemotherapy drugs on the market which only cure 5% of patients treated. That's fine, as long as that is what was demonstrated in clinical trials and is made clear in any labelling or marketing. The risk/benefit ratio must be made clear, and is largely reliant on the severity of condition(s) being treated/diagnosed and the results of any clinical studies.

Your CER will include four key components:

  1. A literature review — you need to ascertain what state-of-the-art is for your device, the performance and safety metrics for any equivalent devices, and have a critical understanding of the potential benefits and risks of your device.
  2. A clinical investigation plan — this is a formal study outline, often approved by an independent Research Ethics Committee (REC) that adheres both to the principles of Good Clinical Practice (GCP) and the ISO 14155 standard. Yes, another ISO standard for you to read and fall asleep to!
  3. Clinical investigation results and analysis — including positive and negative findings. This is typically in the form of a publishable paper, but you don't necessarily need to publish the results in a journal, just have them ready for expert analysis. If you are unsure about what statistical analyses to run, I've got your back here — or you can check out some good advice from the FDA.
  4. The final report — a summation of risk and benefits from the literature review and conclusions as to the clinical performance of your device and its limitations.

If your company is lacking clinical research expertise, you can always partner with an accredited academic institution or Contract Research Organisation (CRO), or hire the relevant expertise internally. In most cases, the Notified Body will want to see Real-World Evidence (RWE), so that means you need to run the trial on real live clinical data or patients, so having good clinical partnerships is essential here. Do not under-estimate how long a proper clinical study can take either — remember most run for a year or more from planning to completion!

Phew — that's it

Once you have a functioning QMS, ISO 13485 certification and a completed Clinical Evaluation Report you are ready for your final CE marking audit!

However, it doesn't stop there…

A CE mark is for life, not just for product launch. Once awarded you need to maintain your ISO certifications, and regularly re-audit and re-test your device's performance. Having a good Post-Market Surveillance (PMS) system in place will help you keep your CER updated, and using the QMS properly will ensure you stay on top of things. Hiring a quality manager is a good idea, as you'll need someone to make sure you stay ahead of the game — remember — the regulators can come knocking at any time to see your documentation!

If you want to launch elsewhere outside of Europe there is a new process called Medical Device Single Audit Programme (MDSAP) which involves one further audit and gets you approval for market access in Australia, Brazil, Japan, and Canada, and may well become the international standard for medical devices in the near future. Not all Notified Bodies are certified to conduct MDSAP audits, so be sure to ask first.

And finally… entry to the American market involves the notoriously strict Food and Drug Administration (FDA) which has similar but slightly more stringent and detailed processes to go through. But I've already told you enough, so I'll leave it here for now!

Regulators, mount up!
