Varvara Bogdanova: Hello everyone, and welcome to a new Healthcare and Life Sciences webinar. My name is Varvara, and I'll be your moderator for this session. Please excuse the brief delay—we had a technical issue, and I had to switch to my phone. Today, we are going to discuss a very important, interesting, and somewhat complex topic: the role of real-world data in validating AI-driven medical devices.
We're going to look at this topic from both technological and regulatory perspectives. I'm happy to welcome our speakers and my dear colleagues, Andrey and Sara. Hi, everyone. Let's start with a short round of introductions. Sara, you go first.
Sara Jaworska: Hello, thank you very much for having me here. My name is Sara, and I'm the Quality and Regulatory Affairs Manager at DataArt.
Varvara Bogdanova: Thank you, Andrey. Before we move on, here's a brief overview of what we'll discuss today. AI-powered medical software is becoming more widespread and sophisticated. Its development requires a unique approach to design, validation, and, of course, compliance. Today, we'll learn that regulatory bodies like the FDA and the European Commission have already emphasized the role of real-world data as key to validating AI-driven software as a medical device.
We'll discuss the challenges and best practices for leveraging real-world data in this process. Our agenda includes why real-world data is crucial, the challenges around AI validation, the approach of regulatory bodies, and post-market development and ongoing regulatory compliance. Before we start, I’d like to encourage our audience to post their questions and comments in the chat. We’ll have a dedicated Q&A after the discussion, so feel free to ask anything.
All right, let’s get started. Andrey, let’s talk about clinical trials. It’s known that traditional clinical trials are often limited in scope and may underrepresent the real-world patient population. How does real-world data help here?
Andrey Sorokin: Sure. Clinical trials, especially when developing a medical device, rely on narrowly defined patient groups in highly controlled environments. This is necessary to achieve valid, verifiable results. However, it also means they might not cover all the different types of patients or healthcare settings seen in real life.
Clinical practice is much different and is also based on real-world data, meaning information gathered from routine clinical practice rather than controlled experimental settings. We're talking about data collected from a wider range of patient demographics, healthcare settings, geographic areas, and during and after medical device development.
AI solutions can be validated and refined using this previously unseen real-world data to predict anomalies, adjust algorithms, and improve solutions. Ultimately, this increases reliability and improves patient safety.
Varvara Bogdanova: Thank you. As we see, real-world data helps make AI more robust, effective, and ultimately safer. But are there any risks around this data? If so, how can we manage them to ensure AI remains safe? Sara, that’s a question for you.
Sara Jaworska: Of course. AI models are only as good as the data they are trained on, and in healthcare, data quality directly impacts patient safety. Inefficient AI-based medical devices may lead to misdiagnosis, delayed diagnosis or treatment, and unequal access to healthcare. Bias is one of the biggest risks—if an AI model is trained on data that doesn't represent the full diversity of the patient population, it can produce results that are inaccurate or even harmful for underrepresented groups.
At the same time, models are dynamic—they keep evolving, as do clinical practices and patient populations. If not continuously monitored, their performance can degrade over time. That’s why regulatory bodies like the FDA and the European Commission enforce strict data requirements for AI-powered medical devices. These rules aren’t just boxes to check—they exist to protect patients.
We continuously observe regulatory frameworks evolving to keep up with technology.
Varvara Bogdanova: Thank you, Sara. Let’s now move to the topic of validating AI models using real-world data. AI in healthcare is different from other industries due to its nature. Andrey, what are the key challenges or complexities in validating AI models in medical devices, particularly when using real-world data?
Andrey Sorokin: First, I’d like to emphasize the specifics of ground truth data. When training computer vision models, for example, you usually have clear labels—an image of a digit “5” is labeled as “5.” But this is very different in clinical practice. Medical datasets for machine learning often involve differential diagnosis, and it’s hard to find two doctors who classify the same specimen exactly the same way.
This introduces technical issues. We need to deliver data, like DICOM images or other samples, to doctors for annotation. Before sharing patient data, we must anonymize and clean it, then send it back. With geographically distributed patient cohorts, we’re dealing with cross-border data transfer, adding another level of complexity in data management, ownership, and governance.
That’s the technical perspective, but there are also regulatory challenges.
Varvara Bogdanova: Thank you, Andrey. You mentioned cross-border data processing, collection, and transfer. Sara, could you explain this challenge from a regulatory standpoint? How do we ensure personal data is protected during these transfers?
Sara Jaworska: Certainly. When working with personal data across different countries, one of the biggest challenges is that regulations vary widely. Companies often want to enter multiple markets. For example, GDPR in the EU and regulations in the US have completely different definitions of anonymized data, making compliance tricky.
The best approach is to plan from the start where the AI model will be used and design data governance under strict requirements. This helps maintain compliance across regions without needing separate policies for each, which can be difficult to manage. GDPR sets a very high standard for data protection, so aligning globally with it can simplify operations.
Cross-border data transfer adds another layer of complexity. Regulations often limit how personal data can be shared between regions. One solution is to assess where data could be transferred and implement additional controls, such as regulatory approvals or extra security measures, if needed.
Privacy and security must be built into AI development from the beginning. This includes software architecture, minimizing collected data, documenting legitimate interests, and limiting access rights. Companies that adopt a privacy-first approach now will be better prepared for future requirements.
Varvara Bogdanova: Perfect, Sara. Thank you for discussing data privacy protection. Let’s stay with you and talk about the approach of regulatory bodies like the FDA and the European Commission toward AI in medical devices and their validation. What’s the current state?
Sara Jaworska: The situation is very dynamic, especially regarding the EU and FDA. The regulatory landscape for AI-based medical software is evolving rapidly, with new regulations coming into effect and more in the pipeline. We’ve also seen new guidelines finalized recently.
There’s a gray area, and additional organizations like the EMA or European Medicines Agency have added their perspectives, especially for drug discovery and development. It’s a robust environment, and there are many sources of requirements. It’s important to ensure these requirements are not contradictory and are appropriate for your case.
New AI-specific ISO standards are in development. We also have new IMDRF guidelines on good machine learning practices, which describe high-level principles for AI development.
So far, the FDA has already approved hundreds of AI-powered medical devices. While we don’t have such data for the EU, the experience gained by regulatory bodies is helping to shape new requirements.
Varvara Bogdanova: Thank you, Sara. That’s a great overview. With so many different regulations, especially new ones and those in gray areas, how can organizations comply successfully?
Sara Jaworska: When talking about medical devices, we need to consider two aspects: product requirements and systemic requirements. For products, start by drafting the intended use of the medical device. This defines what needs to be validated, how reliable the model must be, and in what clinical context it will be applied.
Once that’s clear, companies can structure verification, validation, and risk management plans. The key is ensuring AI models are trained and tested using diverse, high-quality datasets. Regulators expect detailed documentation covering data sources, preprocessing steps, data labeling, and validation results to prove the model is efficient and fit for purpose.
The FDA also has a predetermined change control plan, which frames how the model can operate and change, including impact and risk assessments.
On the system side, companies must comply with quality requirements like ISO 13485, QMS, and risk management and ensure proper security measures. Good machine learning practices should be implemented and followed, either internally or as required by vendors.
One of the most significant elements is human oversight. For example, the AI Act requires a “stop button” functionality—humans must be able to shut the system down easily. Training datasets must be independent, cybersecurity controls must be in place, and the model must reflect the intended use.
By following both systemic and product-related regulatory requirements and thoroughly validating AI models, companies can ensure patient safety and bring products to market.
Varvara Bogdanova: Thank you, Sara. That's a great overview. Let’s talk about post-market. Andrey, as Sara mentioned, regulations and AI evolve constantly. When an AI-driven medical device is already on the market, how can we monitor and improve the product post-market?
Andrey Sorokin: Developing a medical device and establishing documentation doesn’t stop its evolution. While some devices may have fixed machine learning weights, we’re often discussing more dynamic systems. Ongoing evolution is anchored by the predetermined change control plan, which sets how an AI model may be refined over time without requiring repeated submissions or recertification.
There are three major cases when recertification is required:
✓ New data sources or modalities (e.g., moving from X-ray to CT or MRI)
✓ Significant algorithm changes (e.g., switching from a convolutional neural network to a visual transformer)
✓ New data from clinical trials or research revealing safety or performance concerns
Even the most robustly tested models will encounter unexpected edge cases in real-world use. We need to collect and analyze these cases and establish pipelines to track model drift and new data. Human feedback is invaluable, and cross-correlation with data from wearables or other sources can enhance datasets and performance.
Practically, this means creating real-world performance monitoring practices—whether cloud-based or on-premises—to track model drift and performance metrics. If performance goes outside established thresholds or isn’t covered in the evolution plan, recertification is needed. But if improvements are within the plan, you can enhance performance without new certification.
Varvara Bogdanova: Thank you, Andrey. That was the technical side. Sara, from the regulatory standpoint, how can companies ensure AI updates don’t violate initial certification?
Sara Jaworska: This is where the predetermined change control plan is essential. It should clearly outline what changes are acceptable and which are not. If a model changes in ways not covered by the plan, a new regulatory submission is likely required.
From a regulatory perspective, whether a change is significant or not is determined by risk management. During post-market surveillance, if you observe new risks or a drop in performance, these are factors that require attention.
Manufacturers need a proactive post-market surveillance process. While requirements differ between the EU and the US, common elements include continuous monitoring, risk detection, real-time data analysis, and integrating these into regulatory and quality strategies.
This is the only way to ensure ongoing performance assessment and risk management. Regulators pay close attention to adaptive AI, and companies that build strong frameworks will be best positioned to maintain compliance and patient safety.
Varvara Bogdanova: Thank you, Sara. We’ve covered all our planned topics. Before we move to the Q&A, Sara and Andrey, could you briefly recommend something to our audience, especially those involved in developing AI-based software as a medical device?
Sara Jaworska: Validating AI in healthcare is very complex. For years, there were no clear regulations—only drafts. Now, final versions are being published, often with significant changes. It’s essential to work with experienced professionals who are up to date with requirements in the medical field, cybersecurity, and privacy. When choosing a vendor, pay attention to competencies in all three areas.
Andrey Sorokin: I’d add that if you’re working with real-world data, you need established data management and governance practices, well-defined security measures, and continuous validation and monitoring of your models. Adjust them according to real-world data. This requires expertise and domain knowledge to manage changing regulations and technology—they go hand in hand.
Varvara Bogdanova: Thank you. Let’s move to questions. The first one, Sara, is for you: What types of submissions are applicable for AI in the US?
Sara Jaworska: In the US, an AI-based medical device can be introduced to the market via 510(k), a special 510(k) if it’s a new generation, or, if the device is higher risk, the PMA route applies. The last route is De Novo. As far as I know, these are the four pathways for bringing AI models to market.
Varvara Bogdanova: Thank you. Next, Andrey, how do we ensure continuous monitoring of AI performance?
Andrey Sorokin: Depending on whether you use on-premises or cloud technology, you need to establish an algorithm and practice for adjusting and appending data to your dataset, preventing overlap between training and test data, and monitoring declared metrics and performance. This can involve ML monitoring tools in Azure, AWS, or scripts for MLflow pipelines.
Varvara Bogdanova: Thank you. Another question: Sara, who does AI validation apply to? What are the main use cases?
Sara Jaworska: Different laws and guidance apply to various economic actors, but we focus on legal manufacturers, as they carry the highest liability and regulatory burden. It doesn’t matter if they develop their own model or outsource it; the responsibility remains with the legal manufacturer.
Varvara Bogdanova: Thank you. Andrey, what strategies do you use to scale data ingestion pipelines for real-world data?
Andrey Sorokin: It depends. For large, accumulated datasets, it’s an engineering task to move petabytes of data for processing, often to the cloud. For real-time data from wearables or thousands of medical devices, a scalable cloud infrastructure is usually required. Cloud providers offer monitoring practices, allowing you to take the latest data, use prediction algorithms to identify anomalies, and react in real time—something not possible before such infrastructure.
Varvara Bogdanova: Thank you, Andrey. There are no more questions, so we’re ready to wrap up. I’d like to thank our audience for joining us and Sara and Andrey for your insights. Stay tuned for upcoming webinars from the Healthcare and Life Sciences Data Team.
Have a great evening and goodbye.
