Efficient market access for artificial intelligence (AI)-based software: BAIM

Provided that an AI-based software has a medical intended purpose, it is subject to the regulations 2017/745 (MDR) or 2017/746 (IVDR) in the EU. To help manufacturers of AI-based software in medicine dealing with the ever-increasing stringent requirements for market access, the VDE has developed the regulatory approach “BAIMBoost AI to Market”. In this blog post we explain the respective background.

Particularly complex regulatory challenges

The future EU Artificial Intelligence Act (AIA) could bring even higher hurdles for market access. In Germany, manufacturers of these products are subject to the Medizinprodukterecht-Durchführungsgesetz (MPDG) in addition to the EU regulations. Furthermore, many AI-specific standards and guidelines are currently being published (e.g., by the IG-NB Interest Group of Notified Bodies for Medical Devices in Germany), and best practice methods for developing AI models are subject to ongoing innovation. Accordingly, it is of highest importance that the manufacturer keeps track in this very dynamic regulatory environment and constantly adapts the processes to the changes.

The regulatory complexity is mainly due to the technical features of AI-based software. Besides the software code (in terms of the model development and the application), the model itself and the data used contribute substantially to the product’s functionalities. This results in a whole series of special challenges for the manufacturer, e.g. with regard to generalizability, transparency and representativeness.

The BAIM concept

Every medical device manufacturer needs a quality management system (QMS) as the basis for regulatory compliance with the MDR. In this regard, several medical device standards and MDCG guidelines are applied:

QMS processes as a basis for compliance of AI-based medical devices

The IG-NB question catalog “Artificial Intelligence in Medical Devices” is based on this. Within the framework of BAIM, this document is initially converted into a list of 132 individual requirements, which contains references both to MDCG guidelines and legal requirements as well as to processes and documents from the QMS to demonstrate compliance. Moreover, for implementation purposes, AI-specific standards as well as reports and literature on best practices are continuously analyzed as part of the state-of-the-art and integrated into the regulatory documents.

BAIM primarily aims to adapt the following regulatory areas in the manufacturer’s QMS:

Adaptation of regulatory fields to AI requirements

In addition, certain adjustments are made to the QMS processes:

  • Documentation for placing on the market,
  • human resources management,
  • Regulatory strategy,
  • Infrastructure,
  • Purchase and Suppliers,
  • External Processes, and
  • Information Security (Organization) and Data Protection.

Extending Software Lifecycle Processes to include AI Model Development

Manufacturers of AI-based software apply the EN 62304 standard on the software lifecycle. If it is an independent software, the EN 82304-1 standard is additionally applied. For this purpose, the manufacturer implements a development process, a release process, a maintenance process, and a process for decommissioning the software in its QMS. These processes are supplemented by validation and post-market activities of the manufacturer.

BAIM introduces an additional AI development process for the AI component, which is secondary to the actual software development process of EN 62304. This includes the collection and analysis of all user and system requirements including the AI-specific ones in the general development process whereas the data management and model development take place in the AI development process.

Adaptation of further central QMS processes

According to the MDR, a risk management system as part of the QMS is mandatory for every medical device manufacturer. The complexity of AI technology is also accompanied by special hazards such as various forms of bias, which must be considered in risk management. BAIM extends the necessary risk analysis to cover AI-specific risks and thus contributes to increased safety of these products. Since the new edition of the applicable EN ISO 14971 standard in 2019, risk management must consider both safety and (cyber) security as well as their interactions. BAIM uses the VDE’s ARGOS cybersecurity approach to also analyze AI-specific assets, interfaces, and methods of attack and to take appropriate measures.

As part of the QMS process “Usability Engineering“, formative validations take place during development (or maintenance) as well as summative validations at the end of development (or maintenance). In a process-integrated checklist, BAIM formulates specific requirements for the usability-oriented development of AI-based software. This includes, for example, dealing with transparency, explainability or automation bias.

The clinical evaluation serves to demonstrate safety and performance as well as a positive benefit-risk ratio for the respective medical device. In addition to the applicable guideline MEDDEV 2.7/1 for the clinical evaluation of medical devices, the guideline MDCG 2020-1 must also be followed for software. BAIM supports the manufacturer in the clinical evaluation with a checklist that addresses AI-specific aspects in the corresponding QMS process. This includes the use of AI-specific databases for literature searches.

The software lifecycle includes post-market surveillance and vigilance by the manufacturer. For AI-based software in particular, a significant level of safety and performance is ensured by comprehensive post-market surveillance by the manufacturer. BAIM extends the post-market surveillance plan to include AI-specific aspects, e.g. with regard to the quality of real-life data and actuality of the ground truth or gold standard. During this, corresponding methods and their frequency in application as well as parameters and threshold values to be taken into account are implemented.

Practical implementation

A typical BAIM project starts with the preparation or revision of the purpose statement of the AI-based software, which sufficiently considers the operating principle of the AI component. Next, the AI development process is anchored in the QMS and risk management including cybersecurity is applied according to ARGOS. In parallel, usability-oriented activities will be started and the first clinical evaluation will be performed. As part of the monitoring (including post-market clinical follow-up) and vigilance, the performance of the AI-based software is continuously monitored, and the collected data are re-submitted to the clinical evaluation.

In summary, BAIM either extends an existing QMS or is applied when a QMS is established, ensuring the manufacturer’s compliance with the specific requirements for AI-based software as a medical device. The application of BAIM also ensures that the manufacturer’s QMS is future oriented and prepared for new challenges such as the EU AIA.