AI Regulation meets MDR: High-Risk AI Requirements for Medical Devices
This document is aimed at manufacturers who are adding an AI component to an existing MDR-compliant medical device, thereby bringing it within the scope of the High-Risk AI (HRKI) category under the AI Regulation.
Purpose
The AI Regulation document links the requirements of the EU AI Regulation (AI Act) for high-risk AI systems which generally also include AI-based medical devices from an AI Regulation perspective with the requirements of the MDR.
Two categories of overlap are distinguished:
- Areas where existing MDR processes (e.g. technical documentation, QMS, risk management, PMS, reporting obligations) can be used directly as a basis for implementing the AI-specific requirements.
- Additional AI-specific requirements such as those relating to data quality, transparency, robustness and cybersecurity for which the MDR provides points of reference but does not sufficiently address from an AI technical perspective.
The aim is to provide a structured overview of the HRKI requirements of the AI Regulation that go beyond the MDR, whilst also referring to relevant standards, guidelines and further sources.
Key Content
Risk Management (Art. 9 AI Regulation)
AI-specific risks must be identified and assessed within a continuous system.The processes can be integrated into existing MDR risk management systems.
Data Governance (Art. 10 AI Regulation)
Requirements for training, validation and test datasets must be met in addition to the MDR, as the MDR addresses data primarily from the perspective of clinical evaluation.
Technical Documentation (Art. 11 AI Regulation)
AI-specific information must be integrated into the existing MDR documentation. Simplifications for SMEs under the AI Regulation do not automatically apply to MDR documentation.
Transparency and Human Oversight (Art. 13 and 14 AI Regulation)
Instructions for use must include AI-specific content, covering performance limitations, explainability of outputs, and measures for human oversight.
Accuracy, Robustness, Cybersecurity (Art. 15 AI Regulation)
Manufacturers must explicitly define accuracy thresholds, apply AI-specific robustness methods, and protect against attacks such as data poisoning and adversarial examples.
QMS and Record Retention (Art. 17 and 18 AI Regulation)
A single QMS must cover both legal frameworks. Retention periods under the AI Regulation are a minimum of ten years; under the MDR, up to 15 years for implantable devices. Recommendation: apply the maximum period uniformly.
AI Competence (Art. 4 AI Regulation)
Providers and deployers must ensure that all persons involved with AI systems demonstrate a sufficient level of AI competence. The MDR contains no comparable requirement.
Bottom Line
Manufacturers of AI-assisted medical devices should specifically review their existing QMS, risk management and documentation processes against the AI-specific requirements of the AI Regulation. Where synergies with the MDR exist, established processes can be extended. However, in several areas in particular data governance, logging and AI competence new measures are required that have no equivalent in the MDR.
