ISO/DTS 24971-2
Medical devices — Guidance on the application of ISO 14971 — Part 2: Machine learning in artificial intelligence
This document provides guidance on how to apply the risk management process of ISO 14971:2019 to ML-enabled medical devices (MLMD). This document is intended to be used in conjunction with ISO 14971 and does not alter the risk management requirements specified in ISO 14971. This document addresses risks specific to machine learning (ML). Those risks can be related to topics such as data management, feature extraction, unwanted bias, information security, training the ML model by an ML algorithm, evaluation and testing of the trained ML model. See Figure 1 for an overview of the relevant terms and their relationship. See Annex A for an explanation of bias. It is recognized that the ML model can require retraining after a period of use to redefine its parameters. An ML model can learn continuously from patient data and modify its parameters accordingly. The description “continuous(ly) learning” is used throughout this document; the term “adaptive” is sometimes used in other documents. This document also provides examples and suggests strategies for eliminating or controlling these ML-related risks.
Standards Content (Sample)
FINAL DRAFT Technical Specification
ISO/TC 210
Secretariat: ANSI
Voting begins on: 2025-08-28
Voting terminates on: 2025-11-20
Medical devices — Guidance on the application of ISO 14971 — Part 2: Machine learning in artificial intelligence
This draft is submitted to a parallel vote in ISO and in IEC.
ISO/CEN PARALLEL PROCESSING
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
© ISO 2025
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 General requirements for risk management system
4.1 Risk management process
4.2 Management responsibilities
4.3 Competence of personnel
4.4 Risk management plan
4.5 Risk management file
5 Risk analysis
5.1 Risk analysis process
5.2 Intended use and reasonably foreseeable misuse
5.3 Identification of characteristics related to safety
5.4 Identification of hazards and hazardous situations
5.5 Risk estimation
6 Risk evaluation
7 Risk control
7.1 Risk control option analysis
7.2 Implementation of risk control measures
7.3 Residual risk evaluation and subsequent steps
8 Evaluation of overall residual risk
8.1 General considerations for MLMD
8.2 Disclosure of significant residual risks
9 Risk management review
10 Production and post-production activities
10.1 General
10.2 Information collection
10.3 Information review
10.4 Actions
Annex A (informative) Explanation of bias
Annex B (informative) Examples of hazards and hazardous situations
Annex C (informative) Identification of hazards and characteristics related to safety
Annex D (informative) Considerations for MLMD having a level of autonomy
Bibliography
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out through
ISO technical committees. Each member body interested in a subject for which a technical committee
has been established has the right to be represented on that committee. International organizations,
governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely
with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives).
ISO draws attention to the possibility that the implementation of this document may involve the use of (a)
patent(s). ISO takes no position concerning the evidence, validity or applicability of any claimed patent
rights in respect thereof. As of the date of publication of this document, ISO had not received notice of (a)
patent(s) which may be required to implement this document. However, implementers are cautioned that
this may not represent the latest information, which may be obtained from the patent database available at
www.iso.org/patents. ISO shall not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO’s adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 210, Quality management and corresponding
general aspects for products with a health purpose including medical devices, in collaboration with Technical
Committee IEC/TC 62, Medical equipment, software, and systems, Subcommittee SC 62A, Common aspects
of medical equipment, software, and systems, and with the European Committee for Standardization (CEN)
Technical Committee CEN/CLC/JTC 3, Quality management and corresponding general aspects for medical
devices, in accordance with the Agreement on technical cooperation between ISO and CEN (Vienna
Agreement).
A list of all parts in the ISO 24971 series can be found on the ISO website.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
Introduction
Artificial intelligence (AI) is rapidly evolving and can bring advantages to healthcare. These advantages can
be related to improved benefits for the patient, improved efficiencies in clinical workflows and improvement
in the management of healthcare itself. However, the implementation of new technologies such as AI can also
present new risks and can, for example, jeopardize patient safety, affect privacy and security, influence user
actions, undermine trust in healthcare or adversely affect the management of healthcare.
The safety and effectiveness of AI in medical devices was explored in an AAMI-BSI document [16], which
identified three ways in which AI-based medical devices differed from “traditional” (non-AI) medical devices:
a) Training. These medical devices can process large amounts of data and learn from these data to improve
their results. Thus, they can have positive effects on patient health within the scope of the intended use
of the medical device.
b) Level of autonomy. These medical devices can have the ability to generate different treatment options,
select the best option based on a trained model and execute the selected option (see for example
IEC/TR 60601-4-1 [8]). These steps can be performed with reduced or even without direct user action,
but only with human oversight.
c) Explainability. These medical devices often rely on complex algorithms and large datasets to generate
output. However, the inherent opacity of these algorithms makes it challenging to interpret how specific
conclusions or recommendations are derived. This can lead to difficulties in understanding their
rationale, even by well-trained clinicians and other healthcare personnel, and certainly by individuals
without specialist knowledge.
Many different AI-based technologies and algorithms exist today, including decision trees, genetic algorithms
and deep learning-based technologies such as generative AI and neural networks. ISO/IEC 22989 [4] and
ISO/IEC 23894 [6] provide general guidance on AI concepts, terminology and risk management, but they do
not specifically address the application of AI to medical devices. It is noted that “risk” is defined in these
documents as the effect of uncertainties on objectives (see also ISO 31000 [2]). This definition is useful for
organizational or business risk management. The term “risk” used in the healthcare sector is different and
is defined in ISO 14971:2019 as the combination of the probability of occurrence of harm and the severity of
that harm.
Figure 1 — Concept development, training and testing stages of the ML model
and its relationship with the ML algorithm, the training data and the test data
Th
...
ISO TS /DTS 24971-2:20XX(E)
ISO/TC 210/JWG 1
Secretariat: ANSI
Date: 2025-06-2708-14
Medical devices — Guidance on the application of ISO 14971 — Part 2: Machine learning in artificial intelligence
DTS stage
Warning for WDs and CDs
This document is not an ISO International Standard. It is distributed for review and comment. It is subject to
change without notice and may not be referred to as an International Standard.
Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of
which they are aware and to provide supporting documentation.
Introduction
[Figure 1 (diagram not reproduced): boxes labelled Concept development, ML algorithm, Acceptance criteria, Untrained ML model, Training, Trained untested ML model, Testing, Tested ML model, Training data and Test data.]
This document focuses on machine learning (ML) techniques and is restricted to ML-enabled medical devices
(MLMD). Machine learning is considered a subset of AI that involves an ML model and an ML algorithm. See
Figure 1. The ML model and the ML algorithm are the results of the concept development for a new MLMD,
together with acceptance criteria for the eventual MLMD. It is important that the acceptance criteria are
established at the start as part of concept development and not at the end of the MLMD development. After
concept development, the ML model is trained by using an ML algorithm enabling it to learn patterns from
training data without being explicitly programmed. Next, the trained ML model is applied to test data to verify
its performance. The training data and the test data are different (disjoint) sets. They can be actual patient
data or synthetic data, i.e. data created to simulate a patient for training or testing purposes. The tested ML
model can then be applied to new patient data in a clinical setting. More information on MLMD can be found
in IMDRF documents N67 [21] and N88 [23] and in guidance documents from FDA, Health Canada and MHRA [17][18].
It is recognized that the ML model can require retraining after a period of use to redefine its parameters. An
ML model can learn continuously
...