New Guidance for AI and Big Data Medical Devices in Saudi Arabia

Christina Sochacki - Senior Counsel - Corporate / Mergers and Acquisitions

Nick O’Connell - Partner, Head of Digital & Data - Saudi Arabia - Digital & Data



The Saudi Food & Drug Authority (“SFDA”) recently published guidance on artificial intelligence and ‘Big Data’ in the context of medical devices: Guidance on the Review and Approval of Artificial Intelligence and Big Data based Medical Devices (“AI Guidelines”).  The AI Guidelines are to be read in conjunction with the SFDA’s Guidance on Software as a Medical Device.

The AI Guidelines apply to standalone software type medical devices, to which machine-learning-based AI technology is applied in order to diagnose, manage, or predict diseases by analysing medical data. They also apply to AI software that is configured with hardware, such as clinical decision support (“CDS”) software or computer-aided detection/diagnosis (“CAD”) software.

The medical device marketing authorisation requirements relevant to AI-based medical devices, as set out in the AI Guidelines, include demonstrating the accuracy of AI technology to diagnose or predict diseases or provide customised treatment to patients, by analysing ‘Big Data’ and recognising certain patterns based on machine learning.

The SFDA describes medical ‘Big Data’ as “various kinds of medical information used to diagnose, manage or predict diseases – such as medical records, biometric information measured by medical devices, medical images, and genetic information”.


Classification of Software as a Medical Device

Whether Big Data and AI-based medical software is a medical device is determined based on the intended use. In general, software intended for exercise, leisure activities, and general health care is not considered a medical device; software that helps a medical professional easily find medical information is also generally not considered a medical device. Each case will be judged based on the characteristics, situation, and scientific evidence of each product.


Considerations for Review & Approval

When examining applications for medical device marketing authorisations, performance and clinical efficacy will be reviewed. In addition, in cases where medical information is saved and transmitted through a network by applying cloud computing technology, the medical information security and cloud transmission process will be evaluated to examine the possibility of modification of medical information and the occurrence of damage. Security requirements for the use of a network include server access control, user authentication, use of encryption, and de-identification, which will need to conform to SFDA guidance on pre- and post-market cybersecurity of medical devices.

Big Data and AI-based medical devices submitted for medical device marketing authorisation will be compared with previously approved medical devices. If the intended use and operating principles are different to ones already approved, documents from a clinical trial should be submitted. An equivalence comparison of machine-learning-based medical devices will be conducted to compare the intended use, model used for machine learning, and characteristics of training data in the two products. If the two products are equivalent, submissions of clinical trials may be waived by the SFDA.

The AI Guidelines discuss version control methods and requirements based on the type of version control: major function change; simple change; minor change; and training data change. Also addressed is the requirement for a manufacturer to establish a policy on data management when it comes to the various training/learning data integrated into the software, such as electronic medical records, medical images, and medical literature.

Finally, the AI Guidelines address cloud configuration, including: 1) private cloud, which can be used by a medical institution as the institution installs data centres internally; 2) public cloud, where cloud services provided by an external provider are used; and 3) hybrid cloud, where public cloud and private cloud are used in combination.

