مشروع الدليل الإرشادي لمتطلبات ترخيص الأجهزة والمستلزمات الطبية القائمة على الذكاء الاصطناعي والبيانات الضخمة

​

The purpose of this guidance is to clarify the requirements for obtaining Medical Devices Marketing Authorization (MDMA) for Artificial Intelligence (AI)-based medical devices, in order to place them on the market within the KSA.

Big data and artificial intelligence (AI)-based medical devices can diagnose or predict diseases or provide a customized treatment to a patient by learning medical big data and recognizing a certain pattern based on machine learning. ​​

​This guidance applies to the standalone software type of medical devices, to which machine-learning-based AI technology is applied, that diagnose, manage or predict diseases by analyzing medical big data. It is also applicable to AI software that is configured with hardware. For example, clinical decision supporting (CDS) software or computer-aided detection/diagnosis (CAD) software belong to this category. ​

​

SFDA/MDS has issued this guidance document in reference to the following:

• Article Three of “The Law of Saudi Food and Drug Authority" issued by the Royal Decree No.(M/6) issued on 25/1/1428 H
• Requirements specified in “Guidance on Requirements for Listing and Medical Device Marketing Authorization (MDS – G5)".
• Guidance to Pre-Market Cybersecurity of Medical Devices MDS-G38
• Guidance to Post-Market Cybersecurity of Medical Devices MDS-G37
  
  

 A. Overview

Currently, software that utilizes big data and AI technology is under development and more advanced products equipped with more diverse and complex functions are expected to emerge with the advancement of technology in the future. Accordingly, the purpose of this section is to present the judgment criteria and control method for medical devices by evaluating the need to manage products, which are developed and used as of now and products which are expected to emerge soon, as a medical device.​

​​

The purpose of big data and AI-based medical software is to provide massive amount of information to a medical professional or a patient in real time and aid a decision-making. It can contribute to improving the satisfaction level of a medical professional and a patient by improving quality of patient care, accuracy of medical decision and efficiency.

The regulation on big data and AI-based medical software shall be flexible enough to reflect the speed of technological advancement, frequent modification and upgrade, and complex algorithm and consider users including patients and medical professionals and the software use environment.

Therefore, the SFDA aims to manage software which meets the definition of medical device clearly or software that could cause risk to a patient if it does not function as intended as a medical device. The necessary to manage software under the medical device regulation will be reviewed continuously considering the trend of future product development and current status of use.​

​

In accordance with Article (1) of the Medical Devices Interim Regulation, a medical device means any instrument, apparatus, implement, machine, appliance, implant, in vitro reagent or calibrator, software, material or other similar products used alone or in combination for human beings as specified as follows.

 ​​

Whether big data and AI-based medical software is a medical device or not is determined based on the intended use. Decision on whether software is a medical device or not shall be made by considering the intended use in accordance with Article (1) of the Medical Devices Interim Regulation and following determinants.​

​​​​

The scope of medical devices and non-medical devices is presented below. The examples given below are for reference only and each case should be judged considering characteristics, situation and scientific evidence of each product.

1) Medical software that falls into the category of a medical device

1. Software that diagnoses, predicts or monitors the possibility of diseases including the existence of disease and condition, or treats diseases using clinical information (ex: size and location of tumor lesion, etc.) obtained by analyzing medical information based on medical big data.
    
2. Software that provides clinical information necessary for diagnosis and treatment by analyzing medical image, signal from in-vitro diagnostic medical device and a pattern or signal from signal acquisition system (electrocardiograph, electroencephalograph, etc.)
    
   2) Medical software that does not fall into the category of a medical device
1. Software that supports administrative work of a medical institution (management of wards and inventory, handling of electronic procedure, etc.)
2. Software intended for exercise, leisure activities and general health care
   Detailed criteria shall be in accordance with 'Criteria for Judging Whether Medical Devices or Personal Health Care (wellness) Products'.
3. Software for education/research purpose
4. Software intended for managing medical records which are not related to treatment and diagnosis of diseases
5. Software that provides a tool to organize and trace health or treatment information of a patient to a medical professional or that helps a medical professional easily find medical information
    
   

​​Medical devices are classified based on the intended use of the medical devices and degree of potential risk to human body upon use in accordance with the “Guidance on Requirements for Listing and Medical Device Marketing Authorization (MDS – G5), Annex (5) Risk Classification Rules for Medical Devices".​

​Following matters shall be considered upon approval and review for big data and AI-based medical devices. For more information to be considered upon review and approval of Medical Device Software, refer to SFDA MDS-G23 guidance titled “Guidance on Software as a Medical Device."​

​

“Performance" you shall fill out in the application form for review and approval, includes technical specification including cloud​ server operating environment, cloud service type, security standard.​

You shall write down the output information, update cycle of training data and accuracy of diagnosis results in the main performance, as well as provide cloud server operating environment and cloud service type in case where cloud server is used. Also, you shall describe data encryption and decryption and policy on anonymity in the security specification.​

​​

For the performance and clinical efficacy of big data and AI-based medical devices, diagnosis accuracy of a product can be confirmed with items such as sensitivity, specificity, positive predictive value, negative predictive value, receiver operating characteristic (ROC) curve and Area Under the Curve (AUC).

The data used for verification of performance and clinical efficacy shall be considered the mutual independency with data developing to maintain objectivity.

In addition, in case where medical information is saved and transmitted through network by applying cloud computing technology, the possibility of modification of medical information and the occurrence of damage can be considered depending on the medical information security and cloud transmission.

Security requirements for the use of network include sever access control, user authentication, use of encryption method upon transmitting and saving medical information and de-identification and requirements shall be appropriately set according to the relevant SFDA guidance documents :

• Guidance to Pre-Market Cybersecurity of Medical Devices MDS-G38
• Guidance to Post-Market Cybersecurity of Medical Devices MDS-G37
   
  

​​​

The methods for clinical validation applicable to big data and AI-based medical devices can be broadly divided into a prospective study, a retrospective study and a prospective/retrospective study where both studies are conducted in parallel and appropriate clinical trial method can be designed according to the characteristics of a product.

Upon designing retrospective study, sample data should be independent from data used in the product development process. For the inclusion and exclusion criteria of sample data and the targeted number of subjects, the information related to sample data collection (collection method, collection place, collection format, collected items, etc.), sample data measurement timing, the number of subjects, and the inclusion and exclusion criteria for sample data should be considered.​

​​​

The documents to be submitted upon application for the approval for medical devices shall be in accordance with the requirements specified in “Guidance on Requirements for Listing and Medical Device Marketing Authorization (MDS – G5)".

For the approval for big data and AI-based medical device, comparison of the device with previously approved product should be conducted according to the regulation and if it is found that the intended use and operating principles are different, documents for clinical trial should be submitted. If the two products show equivalence, submissions on clinical trial may be waived.

Equivalence comparison of machine-learning-based medical devices should be conducted to compare on the intended use, model used for machine learning and characteristics of training data in the two products.

​​

Version control rules for big data and AI-based medical devices can be divided into the management of product structure and design by a manufacturer and other management such as addition of training data.

The design modification of a product can be managed in the same way as the management of general medical device software version but in case where version is changed due to additional training data, appropriate version control method shall be applied in accordance with data control policy of a manufacturer and a medical institution and write down the information in the application form for approval and review.

As shown in Table 1, version control method for big data and AI-based medical devices can be divided into major function change, simple change, minor change and training data change.

Table 1 Version Control Method

 ​

In case where performance (accuracy) is changed due to training data change, it is managed as a major function change. In contrast, if the change is made within the performance (accuracy) range written during approval, a manufacturer can autonomously control the version by setting the version control rule for training data change and version number may be expressed as 'X' without need to mention the specific numbers in the application form for approval and review.

​​

Big data and AI-based medical devices require various training data including Electronic Medical Record (EMR), medical literature (clinical papers, guidelines of society of clinical trial, etc.) and medical image to extract characteristics for diagnosing and predicting diseases and such training data may have an impact on the performance and effectiveness of a product.

Therefore, a manufacturer shall establish a policy on data management to maintain the effectiveness of training data consistently and the timing for updating training data update can be determined based on consultation between a manufacturer and a medical institution.

Policy on data management is related to the planning of data acquisition by a manufacturer and a medical institution and defining an effective operating system and plan for acquired data. System and plan for data management principle, management organization and quality control process shall be established.

In particular, data management organization is required to set the quality control items, scope and criteria related to training data and assess the quality of product algorithm to training data which are added regularly or irregularly.​​

​​​

Cloud configuration that can be used for big data and AI-based medical devices can be divided into private cloud which can be used by a certain medical institution as the institution installs data center internally, public cloud where cloud service by external provider is used and hybrid cloud where public cloud and private cloud are used in combination.

In case of applying cloud computing technology, cloud server is not subject to regulation regarding medical devices but the information on cloud service type and server operating environment shall be written down in the application form for approval and review.

In case where cloud service type (ex: IaaS, PaaS, SaaS, etc.) or cloud server operating environment which impacts to performance of a medical device is changed after getting approval or certification of the medical device, manufacturers shall obtain the change approval.

However, such changes shall be managed by a manufacturer or a medical institution without the need for obtaining change approval or certification if there is no impact on the performance of medical devices.

In addition, medical device manufacturers (importers) shall implement and document technical measures necessary for security of medical device software (access control, de-identification of personal information, data encryption and decryption, etc.). ​

​​​

​​​

o    Software as a Medical Device (SaMD): Key Definitions (IMDRF/SaMD WG/N10FINAL:2013)

o    Software as a Medical Device (SaMD): Possible Framework for Risk Categorization and Corresponding Considerations (IMDRF/SaMD WG/N12FINAL:2014)

o    Software as a Medical Device (SaMD): Application of Quality Management System (IMDRF/SaMD WG/N23 FINAL:2015)

o    Software as a Medical Device (SaMD): Clinical Evaluation (SaMD WG (PD1)/N41R3)

•  Guideline on Review and Approval of Artificial Intelligence(AI) and big data-based Medical Devices (For Industry), Republic of Korea, Ministry of Food and Drug Safety.

o    Proposed Regulatory Framework for Modifications to Artificial Intelligence/Machine Learning (AI/ML)-Based Software as a Medical Device (SaMD), FDA.​