Logo Eclevar

UKCA – Software and Artificial Intelligence as a Medical device

Software and Artificial Intelligence

Learn more about Software and Artificial Intelligence as a Medical device in UK

Software and Artificial Intelligence as a medical device (SaMD/AIaMD) is a face paced, yet challenging sector. The opportunities to have significant impact on healthcare options and delivery are endless, but how can we be assured of safety and performance of these products? 

 ‘Traditional’ regulation is no longer able to take on the challenges this area poses, it calls for new ways of thinking, new principles and new approaches. The UK, guided by the MHRA are looking to lead the way in looking at how best to regulate this sector and how to support the sector – to make sure that SaMD and AIaMD is safe and delivers on its potential.  


Scope & definition

• A new definition of software will be added - 'A set of instructions that processes input data and creates output data' will be added.
• Supporting guidance will be published.

Distance Sales

• No decision taken, further cross governement engagement will be undertaken.
• MHRA do not currently identify a need for speciifc distance sales regualtions relating to SaMD
• There will be guidance on broader distance sales regualtions and how they may impact SaMD


• MHRA intend to amend the classification rules in UK medical devices regulations to include the IMDRF SaMD classification rule for general medical devices, not IVDs (with supporting definitions and implementing rules)
• The level of scrutiny applies will be more in line with their level of risk.

Airlock Classification rule

• Further work to be done to understand this concept further, future consultation canbe expected

Pre-Market requirements

• The government has considered key themes raised, as follows:
• Cyber security - to include cyber security as an essential requirement.
• Data protection, privacy, or confidentiality
• Better alignment to Data Coordination Board (DCB) standards - shifting essential requirements to match DCB standards would risk international divergence for the benefit of national convergence. MHRA will work with NHS Digital and NHSX to map and align where possible, also using guidance to better harmonise with these standards.
• MHRA consider requirements specific to AI as a medical device are best clarified via guidance on how to meet a GSPR akin to E U MDR’s GSPR 17.2 (which includes verification and validation) rather than setting up a separate essential requirement/GSPR specific to AI as a medical device.

Post-market requirements

• Mandating a report adverse incident will not be taken forward
• Intention to proceed with the proposal to enable predetermined change control plans (PCCPs), this will be on a voluntary basis.

SaMD cyber security

• manufacturers of SaMD will be required to meet certain minimum requirements relating to security measures and protection against unauthorised access. as set out in the pre-market requirements.

AI as a Medical Device

• MHRA do not intend to introduce AI specific requirements in legislation
• MHRA will not mandate the logging of outputs to enable auditability for SaMD and AIaMD

The consultation response demonstrates that the MHRA are not seeking to be overly prescriptive, they are considering what is beneficial and will add value to the regulation of SaMD and AIaMD. The work on the legislative text is being built upon with the MHRA’s Software and AI as a Medical Device Change Programme – Roadmap.  Click here for MHRA’s document 

This programme seeks to ensure: 

  • There is assurance that these devices are acceptable safe and perform as intended. 
  • Requirements are clear, with guidance and efficient processes that work for software  
  • Cross sector collaboration to ensure duplication is minimise when meeting various requirements such as NICE, MHRA or NHS England.


There are 11 work packages – 8 looking at reforms across the SaMD lifecycle and 3 looking at AIaMD and the challenges it brings.  

 The work packages cover a wide range of topics: 

  • What qualifies as SaMD? 
  • Classification rules to ensure the scrutiny applied is appropriate for the risk posed to patients  
  • Pre-market requirements, seeking to ensure these products have adequate data before being placed on the market and ensuring the requirements are proportionate to risk.   
  • Post-Market requirements, adapting the system so that signals are clearly received. Allowing for stronger vigilance by manufacturers and to detect and mitigate the risk of patient safety incidents.  
  • Cyber secure medical devices, looking at how cyber security issues translate to SaMD issues and that it is reflected in the requirements in post market surveillance requirements. 
  • AI Rigour, outlineing technical methods to test AIaMD, ensuring devices are acceptably safe and effective 
  • Project Glass box, this looks how opacity of AIaMD translates in safety, effectiveness or quality concerns, guidance regarding interpretability to ensure transparency and usability.  
  • Project Ship of Theseus will look at setting out the problems f fit with medical device regulation for adaptive AIaMD, distinguishing between models that are locked, batch-trained or continuous learning on streaming data, looking at existing change manage processes and looking at the need for guidance around adaptive AIaMD that does not fit these processes.  

It is ambitious but really does set the course the UK looking SaMD and AIaMD differently, pushing the boundaries of traditional regulation and seeking to create a system that acknowledges the challenges and looks to address them, ensuring public health and supporting industry.