AI medical device compliance
MHRA requirements for AI as a Medical Device (AIaMD) and Software as a Medical Device (SaMD). Covers classification, registration, technical documentation, quality management, post-market surveillance, and data protection for health AI.
If your AI software is used for medical purposes in the UK, you must register it with the MHRA before selling it. Check if your AI is classified as a medical device based on its function. Apply Good Machine Learning Practice (GMLP) principles and comply with UK GDPR for health data.
- Register AI medical devices with MHRA before UK market launch
- Check if your AI software qualifies as a medical device
- Apply Good Machine Learning Practice (GMLP) principles
- CE marked SaMDs recognised until June 2028 or June 2030
- Comply with UK GDPR for health data processing
- Submit a Data Protection Impact Assessment (DPIA)
- Monitor and report incidents via MHRA's MORE portal
- Penalty: up to 6 months imprisonment for non-compliance
- Use MHRA's Innovation Office for classification queries
- Follow transitional rules until new framework starts in 2026
Artificial intelligence used for clinical purposes in the UK is regulated as a medical device by the Medicines and Healthcare products Regulatory Agency (MHRA). If your AI software diagnoses conditions, recommends treatments, monitors patients, triages clinical data, or assists clinical decision-making, it is likely classified as a medical device and must be registered with the MHRA before it can be placed on the UK market.
The regulatory framework distinguishes between AI as a Medical Device (AIaMD), where the AI itself is the device, and Software as a Medical Device (SaMD), where software performs a medical function independently of hardware. Both categories require MHRA registration, but the classification rules and conformity assessment routes differ depending on the risk level.
When AI qualifies as a medical device
Software qualifies as a medical device under UK law if it is intended by the manufacturer to be used for one or more medical purposes, and it does not achieve its principal intended action by pharmacological, immunological, or metabolic means. Medical purposes include:
- Diagnosis: AI that analyses medical images (radiology, pathology, dermatology), interprets test results, or identifies conditions
- Treatment recommendation: AI that suggests drug dosages, treatment pathways, or surgical approaches
- Monitoring: AI that tracks patient vital signs, detects deterioration, or predicts clinical events
- Triage: AI that prioritises patients based on clinical urgency
- Risk prediction: AI that calculates a patient's risk of developing a condition or experiencing an adverse event
Software that performs purely administrative functions (appointment scheduling, billing, record-keeping) is generally not a medical device, even if it operates in a healthcare setting.
What is NOT a medical device
The following AI applications in healthcare typically fall outside MHRA regulation:
- Administrative scheduling and resource allocation tools
- Clinical documentation and dictation software
- General-purpose search engines used by clinicians
- Population health analytics that do not drive individual clinical decisions
- Electronic health record systems (unless they include clinical decision support features)
If you are unsure whether your product qualifies, the MHRA's Innovation Office provides pre-submission meetings to discuss classification.
MHRA registration and requirements
AI medical devices must comply with the UK Medical Devices Regulations 2002 (as amended). The MHRA is implementing a new regulatory framework following Brexit, with transitional arrangements in place through the Medicines and Medical Devices Act 2021.
Data protection for health AI
Health data is special category data under UK GDPR Article 9. AI medical devices that process patient data must meet heightened data protection requirements, including identifying both a lawful basis under Article 6 and a special category condition under Article 9. For most clinical AI applications, the relevant conditions are health or social care purposes (Article 9(2)(h)) or substantial public interest (Article 9(2)(g)).
The intersection of MHRA and ICO requirements creates a dual compliance obligation. Your medical device must satisfy MHRA's safety and performance standards whilst simultaneously meeting UK GDPR's data protection principles. A DPIA is almost certainly required.
Continuous learning and adaptive AI
Many AI medical devices are designed to improve over time by learning from new data. This creates a specific regulatory challenge: if the algorithm changes after registration, does the modified version remain compliant?
The MHRA's position is that significant changes to a device's algorithm may constitute a new device requiring fresh conformity assessment. Manufacturers must have a predetermined change control plan that defines:
- Which types of algorithm updates are within the scope of the original registration
- What constitutes a significant change requiring a new submission
- How performance will be monitored after each update
- Rollback procedures if an update degrades performance
The Software as a Medical Device Pre-Submissions Programme allows manufacturers to discuss their change control plans with the MHRA before market placement.
Steps to achieve compliance
The following steps cover the end-to-end process for bringing an AI medical device to the UK market.
1. Classify your device
Determine whether your AI software qualifies as a medical device and, if so, which risk class applies (Class I, IIa, IIb, or III). Classification depends on the intended purpose, the clinical context, and the level of risk to patients. Class I devices can self-certify; Class IIa and above require Approved Body involvement. Use the MHRA's classification guidance or request a pre-submission meeting with the Innovation Office.
2. Prepare technical documentation
Compile comprehensive technical documentation covering the device's intended purpose, design specifications, algorithm description, training data provenance, validation methodology, clinical evidence, risk analysis (ISO 14971), and software lifecycle documentation (IEC 62304). For AI devices, include details of the training dataset, model architecture, performance metrics, and bias assessment.
3. Apply to the MHRA for registration
Submit your device registration through the MHRA's online portal. For Class I devices, this is a manufacturer's self-declaration. For higher-risk classes, you will need a certificate from a UK Approved Body confirming conformity assessment. Pay the applicable registration fee and allow processing time, which varies by risk class.
4. Implement a quality management system
Establish a quality management system compliant with ISO 13485. This must cover design controls, document management, risk management, supplier management, corrective and preventive actions, and staff training. The QMS must be maintained throughout the product lifecycle, not just at the point of registration.
5. Set up post-market surveillance
Implement a systematic process for collecting and analysing data on your device's performance after it enters clinical use. This includes monitoring clinical outcomes, tracking complaints, reviewing published literature, and conducting periodic safety update reports. For AI devices, monitor for algorithm drift, performance degradation, and emerging bias patterns.
6. Report safety incidents via the Yellow Card scheme
Report any adverse incident or near-miss involving your device to the MHRA through the Yellow Card reporting system. Manufacturers have a legal obligation to report serious incidents within defined timeframes. Establish internal processes to detect, investigate, and report incidents promptly.