The new article highlights the aspects related to managing the risks associated with medical devices based on novel technologies.

The Saudi Food & Drug Authority (SFDA), the country’s regulatory agency in the field of healthcare products, has published a guidance document dedicated to medical devices based on Artificial Intelligence (AI) and Machine Learning (ML) technologies. The document provides an overview of the applicable regulatory requirements, as well as specific recommendations to be followed by medical device manufacturers and other parties involved in order to ensure compliance with them. At the same time, the provisions of the guidance are non-binding in their legal nature and are not intended to introduce new rules or impose new obligations. The authority also reserves the right to make changes to the guidance, should such changes be reasonably necessary to reflect corresponding amendments to the underlying regulations.

Risk Management: Key Points 

First of all, the authority states that the increasing use of novel technologies in medical devices creates new risks for patients, their health, and safety. Hence, medical device manufacturers utilizing such technologies should take all the steps necessary to demonstrate that the products they are responsible for do not expose patients to unacceptable risks and that the risks are justified in terms of the benefits provided. The authority also explains that since Artificial Intelligence (AI) and Machine Learning (ML) are software-driven, the unique or elevated risks are those around data management, feature extraction, algorithm training, model evaluation, and cyber and information security. It is further stated that safety risks may be introduced by Machine Learning systems by learning incorrectly, making wrong references, and then recommending or initiating actions that, instead of better outcomes, can lead to harm. Thus, in order to ensure the proper assessment of risks associated with an ML-based medical device, the actual performance of the respective algorithm and its associated limitations should be taken into consideration. Moreover, healthcare professionals operating such devices should be trained properly to identify algorithm errors affecting the accuracy of the results the device provides. This requires, inter alia, involving data scientists in the team that conducts risk assessment and management.


Risk Management Plan

As further stated by the SFDA, a party responsible for a medical device should develop a proper risk management plan. According to the guidance, the said plan should include the following elements:

  • The scope of risk management activities;
  • Assignment of responsibilities;
  • Requirements for review of the activities;
  • Risk acceptability criteria;
  • Method to evaluate overall residual risk;
  • Activities of the implementation and effectiveness of the risk control measures;
  • Activities to collect and review post-production information;
  • The criteria used to trigger an update, risk management of the update process itself, and provisions for returning the product to a previous version if necessary;
  • For ML-based medical devices that communicate with other devices or IT systems, the scope of the plan should include risks related to interoperability;
  • Cyber security risks. 


Apart from the above key elements to be covered by a risk management plan, the authority also outlines the most important questions to be considered in terms of risk analysis. The questions listed in the document include, inter alia, the following ones: 

  • Whether the software in question is intended to provide diagnostic or treatment recommendations;
  • The significance of the information provided by the software in terms of the impact caused to the user;
  • The intended target population of the product subject to review (including the details of the disease or condition to be addressed); 
  • Urgency characteristic of the information provided;
  • Possibility to detect errors;
  • Possibility to make changes to the algorithm employed by the device, as well as the autonomous functions it provides;
  • Whether the device can adjust its performance characteristics over time;
  • The ways in which the device can be used inappropriately (off-label use/misuse);
  • Contraindications to be taken into consideration when determining whether the device should be used for a specific patient; and
  • Whether the system can learn over time and the potential impact of such function.


As explained by the authority, specific aspects to be taken into consideration for ML-based medical devices are:

  • Potential consequences of a user failing to act based on the recommendations provided by the device due to a lack of confidence;
  • Underlying data becoming irrelevant over time, resulting in lower performance of the device; and
  • Data fragmented across different formats.


Additional Aspects 

The document highlights the key points medical device manufacturers should take into account with respect to ML-based medical devices, and also describes the principles to be applied when evaluating the risks. In particular, the authority emphasizes the following:

  • Where the probability of occurrence cannot be estimated (which can often be the case for ML applications), the risk should be estimated based on the severity of possible harm alone. 
  • It is important to introduce proper risk controls for the data deriving from the use of ML-based medical devices, including the activities to be undertaken within the entire data lifecycle in order to ensure completeness and consistency of data, which should also be representative at the time of collection. 
  • The software should have operational risk controls as specific features addressing the cases when it interacts directly with the user. 
  • The design of the human user interface should be reviewed to ensure that it does not introduce bias or unduly influence the user.
  • Each autonomous system should have a hand-off strategy allowing the user to take over the control. 
  • A proper risk management review should be conducted in accordance with the requirements set forth under ISO 14971:2019. 


In summary, the present SFDA guidance describes in detail the approach to be applied with respect to risk management for medical devices based on Artificial Intelligence and Machine Learning technologies. The document pays special attention to technology-specific risks and explains the proper way they should be addressed. 


