CE conformity for AI-based software in medicine with BAIM

The regulatory complexity is not only rooted in new legislative projects for the regulation of AI technologies, but also in the technical peculiarities of AI-based software. In contrast to conventional software, in addition to the software code (in terms of the model and the application), the model itself and the data used make a decisive contribution to the product's functionalities. This results in a whole series of special challenges for the manufacturer, e.g. with regard to generalizability, transparency and representativeness.

To support manufacturers of AI-based software in medicine in coping with the high requirements for market access, the VDE has developed the regulatory approach "BAIM - Boost AI to Market". We explain what is behind this in this article.

The BAIM Concept

Every medical device manufacturer needs a quality management system (QMS) as the basis for regulatory compliance with the MDR. A number of medical device standards and MDCG guidelines are applied here:

VDE

The IG-NB questionnaire "Artificial Intelligence in Medical Devices" is based on this. Within BAIM, this document will first be converted into a list of individual requirements, which will include references to MDCG guidelines and legal requirements as well as to processes and documents from the QMS to demonstrate compliance. Furthermore, for implementation purposes, AI-specific standards as well as reports and literature on best practices are continuously analyzed as part of the state-of-the-art and integrated into the regulatory documents.

VDE

BAIM primarily aims to align the following regulatory areas in the manufacturer's QMS:

VDE

Selective adjustments are also made to the QMS processes:

documentation for placing on the market,
human resources management,
regulatory strategy,
infrastructure,
purchasing and suppliers,
external processes, and
Information Security (Organization) and Data Protection.

Extension of software lifecycle processes to include AI model development

Manufacturers of AI-based software apply the EN 62304 standard on the software lifecycle. If the software is also standalone, the EN 82304-1 standard also applies. For this purpose, the manufacturer implements a development process, a release process, a maintenance process and a process for decommissioning the software in its QMS. These processes are supplemented by validation and post-market activities of the manufacturer.

BAIM introduces an additional AI development process for the AI component, which is subordinate to the actual software development process of EN 62304. This includes the collection and analysis of all user and system requirements including the AI-specific ones in the general development process whereas data management and model development take place in the AI development process.

Adaptation of further central QMS processes

According to the MDR, a risk management system as part of the QMS is mandatory for every medical device manufacturer. The complexity of AI technology is accompanied by special hazards such as various forms of bias, which must be considered in risk management. BAIM extends the necessary risk analysis to include AI-specific risks and thus contributes to increased safety of these products. Since the new edition of the relevant EN ISO 14971 standard in 2019, risk management must consider safety (in the sense of operational safety) together with (cyber) security and their interactions. BAIM uses the VDE's ARGOS cybersecurity approach to also analyze AI-specific assets, interfaces and methods of attack and to take appropriate measures.

As part of the QMS process "Usability Engineering", formative validations take place during development (or maintenance) as well as summative validations at the end of development (or maintenance). In a process-integrated checklist, BAIM formulates specific requirements for the usability-oriented development of AI-based software. This includes, for example, dealing with transparency, explainability or automation bias.

The clinical evaluation serves to demonstrate the safety and performance as well as a positive benefit-risk ratio for the respective medical device. In addition to the relevant guideline MEDDEV 2.7/1 for the clinical evaluation of medical devices, the guideline MDCG 2020-1 must also be applied to software. BAIM supports the manufacturer in the clinical evaluation with a checklist that addresses AI-specific aspects in the corresponding QMS process. This also refers to the use of AI-specific databases for literature searches.

The software lifecycle includes post-market surveillance and vigilance by the manufacturer. Especially for AI-based software, a significant level of safety and performance is ensured by comprehensive post-market surveillance by the manufacturer. BAIM extends the post-market surveillance plan to include AI-specific aspects, e.g. with regard to the quality of real-life data and timeliness of the ground truth or gold standard. In the course of this, corresponding methods and their frequency in application as well as parameters and limit values to be considered are implemented.

Practical Implementation

A typical BAIM project starts with the creation or revision of the purpose statement of the AI-based software, which sufficiently considers the so-called operating principle of the AI component. In the further course, the AI development process is anchored in the QMS and risk management including cybersecurity is applied according to ARGOS. In parallel, usability-oriented activities will be started and the first clinical evaluation will be performed. In the context of monitoring (incl. post-market clinical follow-up) and vigilance, the performance of the AI-based software is continuously observed and the collected data is fed back to the clinical evaluation.

In summary, BAIM either extends an existing QMS or is applied when a QMS is established, ensuring the manufacturer's compliance with the specific requirements for AI-based software as a medical device. The application of BAIM also ensures that the manufacturer's QMS is future-oriented and prepared for new challenges such as the EU AIA.