Trigger: an AI system may read patient data, or influence a clinical decision.
Health AI · AI Act Art. 6(1) · MDR Rule 11
Health AI needs evidence
before it reaches a patient.
Two different routes make health AI high-risk, and most deployments cannot say which one they are on. Decision-support and diagnostic software reaches high-risk through Art. 6(1) as the safety component of an MDR device — Rule 11, Class IIa or above, notified body. Emergency patient triage is named directly in Annex III 5(d). Both process Art. 9 data. Currents scans inside the clinical perimeter, Ripples record what is proven, and a Droplet clears one cohort, one site, one model version — then expires.
Data boundary — nothing identifiable crosses
Notes · imaging · vitals
stay on the clinical network
Evidence Records
signed metric + hash only
Sensitive context
Why health AI is the hardest evidence problem in the Act.
Patient-facing AI is high-risk by one of two distinct routes, and the distinction is not cosmetic. Software with a medical purpose — decision support, diagnosis, deterioration prediction — is high-risk under Art. 6(1), because the AI is a safety component of a device already regulated by MDR 2017/745. Under Rule 11 that is normally Class IIa or above: a notified body, not a self-declaration. Emergency patient triage is different — it is named directly in Annex III point 5(d) and reaches high-risk under Art. 6(2) without any device classification at all. Either route imports the same obligations: a lifecycle risk management system (Art. 9), data governance and representativeness on every training, validation and test set (Art. 10), automatic event logging for the life of the system (Art. 12), human oversight by someone competent to override (Art. 14), and declared accuracy and robustness that must still hold in the deployed population (Art. 15). GDPR runs in parallel: health data is special category (Art. 9), large-scale processing needs a DPIA (Art. 35), and a near-automatic output engages Art. 22. Most deployments we scan cannot yet say which route they are on — and a vendor that cannot answer that question has not begun its conformity assessment.
Data categories in scope
People affected
Risk scenarios
What typically goes wrong.
Specific failure modes seen in this sensitive context — without structured evidence.
A deterioration score is deployed at a second site with a different case-mix and no revalidation.
Distribution shift is unmeasured. Art. 15 requires accuracy and robustness in the intended context — the declared metric describes the first cohort only. No subgroup breakdown exists, so degradation on the out-of-cohort population is invisible until an incident.
An ambient scribe processes consultation audio through a general-purpose model API.
Art. 9 GDPR special-category data leaves the perimeter with no confirmed condition for processing, no DPIA under Art. 35, no confirmation that transcripts are excluded from training, and no raw-export flag visible to the DPO.
A clinical RAG assistant retrieves over guidelines, protocols, and scanned patient documents in one index.
No document boundary and no injection resistance evidence. Retrieved context is unbounded, grounding is unmeasured, and a poisoned document changes the answer with no trace in the log.
A copilot with EHR write access issues orders and updates via agent tool-calls.
Art. 12 logging does not cover the tool-call layer. The prompt, the retrieved context, the tool invoked, and the human decision that followed cannot be reconstructed for a single encounter. The audit fails at the first question.
The imaging vendor upgrades the model behind the same endpoint mid-contract.
No version pin and no change-notification clause. The evidence in the file — accuracy, subgroup performance, robustness — describes a system that is no longer running. Nothing revoked, nothing re-reviewed.
A vendor asserts NHS DSPT and GDPR alignment, and offers a DPA as the evidence.
Procurement cannot distinguish a commitment from a measurement. No Art. 10 provenance, no Art. 15 subgroup metrics, no Art. 12 log configuration, no MDR classification. The access decision is made on trust.
Border control, applied here
Scan the system. Issue the passport. Grant the visa.
What the scan finds in this context, what the passport records, and what conditions the visa attaches.
Currents
the scanWhat AI is running, and what do we not know about it?
Currents opens the file. It finds every AI system touching clinical data, its Art. 6 classification, whether it carries an MDR/IVDR medical purpose, which model versions are actually in production behind each endpoint, where raw patient data crosses the perimeter, and which of the Art. 9, 10, 12, 14 and 15 obligations currently have no evidence behind them at all.
Ripples
the passportWhat is this system, and what is proven about it?
The Ripple is the evidence passport. It records the declared intended purpose and validated cohort, training and test provenance under Art. 10, subgroup accuracy and robustness under Art. 15, the Art. 12 log configuration, the named clinical overseer and their override rate under Art. 14, the Art. 9 condition and DPIA status under GDPR — and, in the same record, the clinical validity that is not proven.
Droplets
the visaMay it operate HERE, on THIS data, under WHAT conditions?
The Droplet is the context visa. It clears this system for one cohort, one site, one pinned model version: local-only inference, clinician review before any patient impact, drift and subgroup thresholds that revoke the clearance automatically when breached, and an expiry date that arrives whether or not anyone remembers it.
Scope
What needs a Ripple.
Stakeholder workflow
From trigger to access decision.
Scan
Art. 6 route · Annex III test
Evidence call
Annex IV · Art. 10 bias file
Seal Review
DPO · CISO · Art. 14 owner
Droplet
Conditions bound · expiring
Re-scan
On retrain, drift or model swap
Scan
Art. 6 route · Annex III test
Evidence call
Annex IV · Art. 10 bias file
Seal Review
DPO · CISO · Art. 14 owner
Droplet
Conditions bound · expiring
Re-scan
On retrain, drift or model swap
DPO
“An AI system may process Art. 9 health data, or produce a near-automatic output about a patient.”
Require the Ripple before sign-off: Art. 9 condition, DPIA acceptance, Art. 22 analysis, subprocessors, and the raw-export flag.
Clinical Safety Officer
“A model will influence triage, diagnosis, or treatment for a live cohort.”
Require the validated cohort, Art. 15 subgroup metrics, and the Art. 14 override evidence before the clinical safety case is signed.
CISO
“A vendor has not pinned a model version or confirmed data residency.”
Require raw-export flag off, model version pinned, and a contractual change-notification trigger that suspends the Droplet on a silent swap.
Access decisions
Context Droplet conditions.
The access decisions that apply in this sensitive context — and the evidence conditions that produce them.
- Inference runs on-premises or inside the clinical network
- No raw patient data crosses the perimeter — only signed evidence records leave
- Model version pinned; a vendor swap suspends the clearance
- Art. 12 logs retained inside the trust boundary
- A named clinician reviews before any patient-affecting output
- Art. 14 oversight is evidenced by override rates, not just override capability
- Every encounter reconstructable: input, model version, retrieved context, decision
- Automation-bias mitigations documented and reviewed
- Validated cohort only — out-of-cohort use excluded by policy
- Subgroup accuracy within declared bounds under Art. 15
- DPIA accepted by the DPO; Art. 9 condition recorded
- Renewal in 12 months; drift breach triggers earlier review
- No Art. 10 provenance for the training or test set
- Subgroup performance not broken out — aggregate accuracy only
- Model version unpinned or vendor change notification absent
- DPIA or Art. 9 condition missing
- Raw clinical data leaving the perimeter with no confirmed Art. 9 condition
- Medical purpose without MDR/IVDR classification or CE marking
- No human override path on a patient-affecting output
- Agent tool-calls into the record with no Art. 12 log line
Measurement
Evidence families we can structure.
The measurable evidence categories relevant to this context and the evidence signals they produce.
Data Governance & Representativeness (Art. 10)
Provenance of training, validation, and test sets; which cohorts are present and which are absent; class balance for rare presentations; and the bias examination Art. 10(2)(f) requires.
Performance, Drift & Robustness (Art. 15)
Declared metrics with confidence intervals, subgroup breakdown by age, sex, ethnicity, comorbidity, site, and device vendor, plus behaviour under out-of-distribution input and continuous drift monitoring against the declared operating point.
Logging, Lineage & Traceability (Art. 12)
Automatic event logs for the life of the system: input, model version, retrieved context, agent tool-calls, and the human decision that followed — reconstructable per patient encounter.
Human Oversight & Automation Bias (Art. 14)
Evidence that the named clinical overseer can interpret the output, has authority to override, and does so — measured override rates, escalation paths, and documented automation-bias mitigations.
Privacy & Legal Basis (GDPR Art. 9 · 22 · 35)
The Art. 9 condition relied on, DPIA status and DPO acceptance, Art. 22 analysis where the output is near-automatic, subprocessors, residency, and the raw-export flag.
Retrieval Grounding & Injection Resistance
For clinical RAG: document boundary, retrieval faithfulness, and resistance to injected instructions inside ingested documents — measured without exporting the corpus.
Model Supply Chain & Data Boundary
Version pinning, vendor change notification, subprocessor stack, and evidence that a silent model swap triggers re-review instead of passing unnoticed.
Honest scope
What remains not assessable.
AffectLog does not overclaim. These items require external expertise, regulatory process, or long-term study.
Clinical validity and diagnostic accuracy in your population
Clinical effectiveness is established by prospective clinical evaluation against outcomes, not by governance tooling. We can show what the vendor measured and on whom; we cannot show that it works on your patients.
Instead: Commission a clinical investigation or local validation study. Reference the clinical evaluation report, CE marking under MDR/IVDR, and post-market clinical follow-up data.
MDR/IVDR classification and conformity assessment
Medical-device classification and conformity assessment are regulatory processes requiring a notified body. An evidence platform cannot perform or substitute for that route.
Instead: Engage regulatory affairs and a notified body. Software with a diagnostic or therapeutic purpose usually reaches Class IIa or above under Rule 11.
Whether a foundation model's training corpus contained patient data
Absence cannot be proven from outside a closed training corpus. Membership-inference and extraction tests raise suspicion; they never establish the negative.
Instead: Require the provider's training-data disclosure and contractual warranty. We record what is disclosed and mark the remainder as unverified rather than clean.
Whether the system is safe to deploy
Deployment safety is a clinical safety case owned by clinical governance — hazard analysis, mitigation, and residual-risk acceptance under a named clinical safety officer.
Instead: Run the clinical safety case (for example DCB0129/DCB0160 in the NHS). Our evidence is an input to it, never a replacement for it.
Example
Sample Ripple for this context.
Deterioration Risk Score v4.2
Inpatient deterioration prediction · MDR Rule 11 Class IIa · AI Act Art. 6(1)
Access conditions
What we will not overclaim
AL360° Oceans structures technical and operational evidence for health AI access decisions. We do not claim clinical validity, medical-device conformity, or regulatory approval, and we do not sign a clinical safety case. We show what is proven, what is measured, what is merely asserted by the vendor, and what remains not assessable.
Common questions
Questions this context raises.
“Our vendor is GDPR compliant — we have their DPA.”
A DPA is a contract about processing, not a measurement of a model. It says nothing about Art. 10 provenance, Art. 15 subgroup accuracy, Art. 12 logging, or which model version is actually behind the endpoint today. Those are the questions a competent authority asks second.
“We cannot send patient data to any external tool to assess it.”
You do not. The local runner executes the diagnostics inside the clinical network. Only signed evidence records leave — never records, prompts, images, or clinical text. That is the point of the local-only Droplet.
“It is only a pilot — formal evidence can wait for scale-up.”
A pilot that touches live patient data is a live system with a smaller denominator. Art. 6 classification does not depend on cohort size. Evidence assembled at pilot stage is the cheapest it will ever be.
“The model is CE marked, so the evidence is already there.”
CE marking under MDR covers the medical-device claim for the intended purpose the manufacturer declared. It does not cover your cohort, your drift, your logging configuration, or your Art. 14 oversight in practice. The Ripple records both, and marks the boundary between them.
Get started
Keep health AI inside the perimeter
until the evidence lets it travel.
Scan the estate, see which systems are Annex III and cannot prove it, and which vendors still owe you Art. 10 provenance and Art. 15 subgroup performance. Then decide what may reach a patient, and under what conditions.
AL360° Oceans provides technical and operational evidence to support access decisions. Not clinical validation, medical-device conformity assessment, or legal advice.