Written evidence submitted by the Medicines and Healthcare products Regulatory Agency (MHRA) (ADM0026)

The Medicines and Healthcare products Regulatory Agency (MHRA) is an executive agency of the Department of Health. The agency has 3 centres: the Clinical Practice Research Datalink (CPRD), a data research service that aims to improve public health by using anonymised NHS clinical data; the National Institute for Biological Standards and Control (NIBSC), a global leader in the standardisation and control of biological medicines; and the MHRA, the UK’s regulator of medicines, medical devices and blood components for transfusion, responsible for ensuring their safety, quality and effectiveness.

1. What policy, if any, you have in regard to the use of algorithms in your sector.

MEDICAL DEVICE ALGORITHMS

1. The role of MHRA as the Competent Authority (CA) for the UK in this area is to ensure that medical device apps and algorithms placed on the market comply with current legislation and prepare for incoming European legislation in 2020 and 2022. MHRA has powers to take action as appropriate for safety and non-compliance issues. 

Stand-alone software or apps algorithms that claim a medical purpose and meet the definitions of a medical device are required to be CE marked in accordance with the current EU Medical Device, Active Implantable Medical Device & In-Vitro Diagnostic [IVD] Medical Device directives. These directives were transposed into UK law by the UK Medical Device Regulations (MDR) 2002.   MDR 2002 defines a medical device as:

any instrument, apparatus, appliance, software, material or other article, whether used alone or in combination, together with any accessories, including the software intended by its manufacturer to be used specifically for diagnosis or therapeutic purposes or both and necessary for its proper application, which:

a)         is intended by the manufacturer to be used for human beings for the purpose of

(i)         diagnosis, prevention, monitoring, treatment or alleviation of disease,

(ii)        diagnosis, monitoring, treatment, alleviation of or compensation for an injury or handicap,

(iii)       investigation, replacement or modification of the anatomy or of a physiological process, or

(iv)       control of conception;

and

b)         does not achieve its principal intended action in or on the human body by pharmacological, immunological or metabolic means, even if it is assisted in its function by such means, and includes devices intended to administer a medicinal product or which incorporate as an integral part a substance which, if used separately, would be a medicinal product and which is liable to act upon the body with action ancillary to that of the device.

an In-vitro diagnostic medical device means a medical device which

a)      is a reagent, reagent product, calibrator, control material, kit, instrument, apparatus, equipment or system, whether used alone or in combination; and

b)      is intended by the manufacturer to be used in vitro for the examination of specimens, including blood and tissue donations, derived from the human body, solely or principally for the purpose of providing information

(i)                  concerning a physiological or pathological state,

(ii)                concerning a congenital abnormality,

(iii)               to determine the safety and compatibility of donations, including blood and tissue donations, with potential recipients, or

(iv)              to monitor therapeutic measures,

and includes a specimen receptacle but not a product for general laboratory use, unless that product, in view of its characteristics, is specifically intended by its manufacturer to be used for in vitro diagnostic examination;

2. These directives require that in every case there must be clinical evidence and evaluation that they do what they say, a risk /benefit evaluation and that in addition they must comply with all relevant essential requirements including software verification and validation to show compliance to the regulation before a CE-mark can be applied and the product legally placed on the European market.
3. Currently most stand-alone algorithms and apps are classified as class 1 devices or general IVDs, the lowest class. This is fairly ’light touch’ regulation with the developer/manufacturer self-declaring conformity to the above legislation.   There is an exemption from regulation for software algorithms developed and used within the health service but not placed on the market. That is used exclusively within the health care establishment that developed them.
4. For any algorithms that fall into higher risk classes the developer will require the input of a notified body to ensure the device is CE marked appropriately. A notified body is an organisation that has been designated by an EU member state (the designating authority) to assess whether manufacturers and their medical devices meet the requirements set out in legislation.
5. The medical device directives include a set of classification rules for medical devices and a list based system for in-vitro diagnostic medical devices. Guidance on classification is provided in the European MEDDEV - 2. 4/1 and examples are given in the manual on borderline and classification.

There are currently no specific rules for software in either directive but the following are considered to be higher risk and would require notified body involvement:

• Software that drives or influences the use of a higher risk device e.g. Picture Archiving and Communication Systems with image enhancing function that controls image acquisition.
• Software that allows clinicians to review a patient’s ECG history during routine check-ups and see a full presentation generated by the analysis algorithms.
• Software that is considered to allow direct diagnosis – e.g. ECG-systems which classify the patient as having "heart arrhythmia.
• Software that is intended to be used for contraception.
• IVD software for risk assessment of trisomy 21.

6. There are 2 new EU regulations, the Medical Device Regulations [incorporating active implantable devices] and the In-Vitro Diagnostic [IVD] Medical Device Regulations which are due to apply in Member States in May 2020 and 2022 respectively. These have specific sections for software including aspects covering cyber security and unique identifiers. In addition, they will up-classify many software algorithms requiring them to engage with a Notified Body. They were not specifically written for machine learning and artificial intelligence algorithms so this will have to be considered further ahead of their introduction across the EU. Software developed in-house will be subject to the health institution requirements of the new regulations – this includes safety, performance and quality management requirements.

MEDICINES DEVELOPMENT

7. There are no specific policies in this area as many possible health uses of AI would qualify as medical devices and be regulated as outlined above. For example, medical device algorithms could assist with:  

• Diagnosis / prognosis of clinical conditions.
• Use in developing evidence for medicines submissions and / or in clinical trials.
• Use in combination systems e.g. a medicine with an app that could be constantly learning and changing action parameters or an AI natural language processing app used as an interface to control a physical device such as a robot.   
• Genomics / personalised medicine-selection of therapies; choice of medicine.
• As part of vigilance / market / post-market surveillance of medicines and devices in identifying new signals in large databases of e.g. adverse incident data.
• Real time prediction/detection/monitoring of pandemics/epidemics (Ebola, flu, etc).
• Radiotherapy tumour segmentation.
• Production control in the manufacturing process of medicines and devices.

CPRD

8. The Clinical Practice Research Datalink (CPRD) is a dedicated UK Government initiative jointly supported by the MHRA and the National Institute for Health Research (NIHR) to provide electronic health record (EHR) data for public health studies. For more than 30 years, CPRD has been providing EHR data to enable high quality health research.
9. CPRD data is used worldwide by regulators, academic researchers and industry to conduct public health research. Access to patient level data is provided for health research purposes only and is dependent on approval of a research protocol by the MHRA Independent Scientific Advisory Committee (ISAC) in accordance with data governance procedures and research ethics.
10. CPRD’s data governance framework is not specific to AI based research and is designed to be flexible and robust enough to encompass a wide range of methods. At recent stakeholder consultation workshops on machine learning organised by CPRD and including machine learning experts, the overall view was that while most machine learning methods did not pose fundamentally new risks or caveats as compared to classical statistical techniques, there may be slightly increased risks (due to the capability of machine learning to deal with an increased number of attributes). Thus, attendees felt that further discussion and guidance was required on how a machine learning proposal should be written in a transparent way to enable reviewers to assess any risks and promote responsible public health research.

2. What rules or guidance you have issued about algorithms in your sector.

1. The exponential increase in the number and complexity of algorithms using machine learning continues and we are continuing to be involved in cross-Government work to develop a common approach to app/algorithm/machine learning/artificial intelligence regulation which reflects the rapid and evolving landscape in this area and is within regulatory boundaries.  Activity already undertaken includes:
• We have issued interactive guidance on determining if an algorithm/ app is a medical device or a lifestyle wellness app. This was last updated in September 2017 and will be revised again when the implications of the new European Medical device and In-Vitro diagnostic medical device regulations are further clarified.  https://www.gov.uk/government/publications/medical-devices-software-applications-apps  .
• CPRD have completed 2 stakeholder workshops on Machine learning. The output of these workshops includes proposals for how validation and verification of AI/machine learning algorithms can be achieved. 
• Presentations at The Organisation for Professionals in Regulatory Affairs (TOPRA), South East Health Technologies Alliance (SEHTA), Digital Health London,  Digital Health & Care Alliance (DHACA) and global innovation and new technology health event (GIANT) meetings.
2. Several initiatives are underway to ensure there is comprehensive input and the aim is to ensure there is a suite of tools/guidance for manufacturers and developers. This is a medium to long-term project. These include: 
• We are working with the Department of Health and NHS Digital (NHSD), on a 'Quick Guide' to governance and regulatory requirements for decision making software algorithms in the NHS.  This is aimed at developers to ensure they consider all aspects for data, research and medical device regulation at an early stage in the development of apps and algorithms.
• MHRA are currently working on a standards proposal with the British Standards Institute (BSI) for a new PAS [publicly available specification] for machine learning algorithms in healthcare. There is currently no standard specifically in this area. The proposal is looking to work collaboratively with our USA equivalents;  the Association for the Advancement of Medical Instrumentation (AAMI) and the Food and Drug Administration (FDA) to provide innovative and globally relevant guidance in this area. Initially the PAS would be a guidance/ best practice document but could progress to a full ISO standard over time.
• A workshop is being planned in conjunction with the Royal College of Physicians to look at clinical input to algorithm safety and regulation to be held in Spring 2018.
• Developing effective but proportionate regulation will be key to maintaining patient safety and aligning to wider government strategy for economic development and increased digital pathways for patient care in the NHS. We are working with NHS bioinformaticians to understand specific challenges for developing bioinformatics software for the NHS.
• Our Innovation Office page will be refreshed to include specific mention of availability of advice on novel independent software/apps.

3. Any arrangements for bodies in the sector to make available, to you or the public, (i) the details of any algorithms used and/or (ii) an explanation of the way any algorithm functions, to aid understanding. 

1. There is a requirement under the Medical Device & IVD directives for a manufacturer to give clear instructions for the use of his device, appropriate to the intended user, and to report any serious or potential serious injury to the relevant Competent Authority.  In investigating any reported incidents or safety issues the manufacturer is required to supply all relevant quality, technical and clinical evaluation documentation if MHRA requests.

4. What arrangements are in place in the sector to monitor the development and use of algorithms.

1. MHRA are a member of the new Clinical Digital Council chaired until the end of 2017 by Professor Keith McNeil that brings together clinicians from across the ALBs and wider including  NHSD,  the National Institute for Health and Social Care (NICE), Public Health England  (PHE), NHS England (NHSE) Care Quality Commission (CQC) & MHRA to look at wider clinical health and social care agenda (not just the NHS) regarding apps, algorithms and technology and including the NHS library and NICE app appraisal. They are still evolving and their place in the overall governance structure is developing. 

5. The accountability that bodies in the sector have to you for their use of algorithms.

1. The role of MHRA as the CA for the UK in this area is to ensure that medical device apps and algorithms placed on the market comply with current legislation. MHRA has powers to take action as appropriate for safety and non-compliance issues. 

2. Although we have not yet seen algorithms feature significantly in clinical development programmes for medicines or evidence from machine learning used in marketing authorisation applications, some companies are exploring the potential of these approaches.  It is possible for them to use them to generate evidence under the current regulations so long as the robustness of the approaches can be demonstrated in the application.

6. What assessments have been made of the impact that the Data Protection Bill, and the EU General Data Protection Regulation, will have in your sector in regard to the development and use of algorithms.
1. We have also discussed this with the Department of Health, who are of the view that that GDPR won’t prevent the increasing adoption of algorithms, including AI, in health and care.  However, the Regulation does bring forward new and complex rights and obligations in these areas which we are clear need to be fully understood, as well as significantly raising the stakes for data owners (NHS providers) and data processors (suppliers) due to the very large fines that can be levied in the event of a breach.  GDPR includes exceptions and derogations that apply to research, so should have a beneficial impact through removing some barriers to research, whilst enhancing the rights of individuals.  This is reflected in clauses in the current Data Protection Bill. The MHRA are also aware of the findings in the comprehensive assessment of the impact of the DPA and GDPR in the ICO paper titled ‘Big data, artificial intelligence, machine learning and data protection’, was published in 2017.

January 2018