The Saudi Food and Drug Authority (SFDA), the country’s regulating authority in the sphere of medical devices, has published a guidance document dedicated to the regulatory requirements for medical devices based on Artificial Intelligence (AI) technology.

In particular, the document describes how an interested party can apply for a Medical Device Marketing Authorization (MDMA) – special permission necessary for a medical device to be allowed for marketing and use. The present document constitutes the final version of the guidance initially published for public consultations earlier in February 2021.

Regulatory Background

Medical devices based on the use of such technologies as big data and artificial intelligence could be utilized for the prediction of diseases and many other medical purposes for which the analysis of medical data and pattern recognition could be of assistance. In such cases, machine learning is utilized to recognize common patterns, while the extension of datasets used to train the algorithms improves the accuracy of the results, provided that the data used for training is relevant, reliable, and accurate. 

The scope of the present SFDA guidance covers independent AI-based software products (standalone software) intended to be used for medical purposes. Initially, the guidance describes the regulatory requirements related to standalone software, which could be installed on different platforms and thus should be treated as a separate medical device. However, the scope of the document also covers software intended to be used with particular hardware medical devices, as well as clinical decision supporting (CDS) software or computer-aided detection/diagnosis (CAD) software. 

The regulatory requirements described in the guidance are based on the provisions of the following acts:

– The Law of Saudi Food and Drug Authority (Royal Decree No. (M/6) issued on 25/1/1428 H;

– Guidance on Requirements for Listing and Medical Device Marketing Authorization (MDS – G5);

– Guidance to Pre-Market Cybersecurity of Medical Devices MDS-G38;

– Guidance to Post-Market Cybersecurity of Medical Devices MDS-G37. 

Medical Device Classification

First, the SFDA describes the medical device classification rules to be applied with regard to medical software. The authority acknowledges the complexity of AI-based software due to its specific features. The medical device classification rules have been developed to cover both current needs and also new ones arising due to the new types of software products appearing. Thus, the regulatory approach should be flexible enough to avoid preventing medical device manufacturers (software developers) from placing their novel products on the market or creating an unnecessary regulatory burden making the process of obtaining Medical Device Marketing Approval too complicated. The SFDA also mentions that for some novel software products, it can be difficult to make a clear determination whether they should be subject to regulation under the medical device framework or not. Hence, the medical device classification rules should be subject to continuous development and improvement in order to reflect the development of technologies.

Software utilizing AI and big data technologies is intended to provide healthcare professionals and patients with additional information to be used in the decision-making process in order to improve the accuracy of medical decision-making, as well as the efficiency of medical care in general.

When determining the regulatory status of a software product, the general definition of a medical device provided by Article 1 of the Medical Devices Interim Regulation should be applied. The aforementioned definition describes a medical device through its intended purposes. In the case of big data and AI-based software, the same approach should be applied – its regulatory status should be determined depending on the intended purpose.

In order to assist in applying medical device classification rules, the guidance provides several examples describing how these rules should be applied in particular situations.

According to the guidance, medical software should be subject to regulation as a medical device if it is intended to:

  • Diagnose, predict or monitor the possibility of diseases using clinical information obtained by analyzing medical information,
  • Provide clinical information used for diagnosis and treatment by analyzing the signal from a medical device.

At the same time, medical software intended to be used for the purposes outlined below should not be regulated as a medical device.

  • Provide support to administrative operations of a healthcare facility (e.g. inventory management);
  • General wellness activities;
  • Education and research;
  • Managing medical records;
  • Organize information.

Under the risk-based classification, medical devices are divided into classes depending on their intended use, as well as the risks associated thereto.

Medical Device Software: Review and Approval

The SFDA guidance also describes the particular aspects to be considered by the authority during the review of an application for Medical Device Marketing Authorization related to big data and AI-based software. The authority also refers to the appropriate Guidance on Software as a Medical Device (MDS-G23) issued previously by the SFDA. 

According to the present guidance, the medical device manufacturer (software developer) applying for Medical Device Marketing Authorization shall provide extensive information about its product, including the following details:

  • Technical specification including cloud server operating environment, cloud service type, security standard; 
  • The output information, cycle of training data and accuracy of diagnosis results;
  • Data encryption and decryption, and policy on anonymity (in the security specification). 

In terms of validation of performance and clinical efficacy of the software subject to review, the following criteria should be applied: 

  • Sensitivity,
  • Specificity,
  • Positive predictive value, 
  • Negative predictive value, 
  • Receiver operating characteristic (ROC) curve, and 
  • Area Under the Curve (AUC).

The authority additionally emphasizes that if the operation of the software requires the transmission of medical data, the manufacturer shall provide a description of measures taken in order to prevent possible damage of medical information during transmission. The SFDA pays special attention to all the aspects related to cybersecurity, including access control, user authentication, use of encryption method upon transmitting and saving medical information and de-identification. In this regard, the medical device manufacturer (software developer) shall refer to the appropriate SFDA guidance documents on cybersecurity matters mentioned above. 

The validation of the performance of a medical device could also be performed by virtue of clinical validation, including prospective, retrospective, and prospective/retrospective studies carried out in order to identify the characteristics of the software product in question. 

The application should be submitted in accordance with the general rules described in the Guidance on Requirements for Listing and Medical Device Marketing Authorization (MDS – G5). The authority states that in the case of big data and AI-based medical devices, the equivalence approach could also be applied. According to this approach, the party interested in placing a new software on the market shall demonstrate equivalence to an existing product in terms of safety and effectiveness. 

In summary, the SFDA guidance on big data and AI-based medical devices describes the most important aspects related to this type of software in the context of applying for Medical Device Marketing Approval. In particular, the document outlines classification rules and the particular way they should be applied due to specific features of the software.

How Can RegDesk Help?

RegDesk is a next-generation web-based software for medical device and IVD companies. Our cutting-edge platform uses machine learning to provide regulatory intelligence, application preparation, submission, and approvals management globally. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Applications that normally take 6 months to prepare can now be prepared within 6 days using RegDesk Dash(TM). Global expansion has never been this simple.