AI clinical decision support is one of the most consequential technology shifts in UK healthcare, with the potential to reduce diagnostic error, improve treatment outcomes, and make specialist expertise accessible at scale. It is also one of the most regulated, with MHRA classification requirements, NICE evidence standards, NHS Digital interoperability expectations, and CQC oversight all applying simultaneously.
For NHS trusts, private hospitals, and independent clinics in London and across the UK, the opportunity is substantial. The regulation is manageable. But the organisations that deploy AI clinical decision support without understanding the regulatory framework will face enforcement, product withdrawal, and the clinical risk that comes from deploying systems that have not been properly assessed.
This guide covers what AI clinical decision support is, how MHRA classifies it, what NICE requires for evidence, how NHS Digital's standards apply, and what a responsible deployment programme looks like.
Clinical decision support (CDS) systems provide clinicians with patient-specific information and recommendations designed to improve clinical decisions. AI clinical decision support applies machine learning, natural language processing, or deep learning to generate or augment those recommendations.
The spectrum is broad. At one end, an AI system that flags a drug interaction in a prescribing workflow is a relatively simple form of AI CDS. At the other end, a deep learning system that analyses radiological images and identifies potential malignancies - with the radiologist reviewing the AI's output before making a clinical decision - is a sophisticated AI CDS with significant safety implications.
Common UK use cases include: AI-assisted diagnostic imaging in radiology and pathology; AI triage tools that assess patient-reported symptoms and recommend care pathways; AI prescribing support that identifies interaction risks and dosing anomalies; AI risk stratification tools that identify high-risk patients for proactive intervention; and AI documentation tools that extract structured clinical data from clinician notes.
Each of these use cases has different regulatory implications depending on the degree of autonomy the AI exercises and whether a clinician is always in the decision loop.
The MHRA's Software as a Medical Device (SaMD) framework is the starting point for any AI clinical decision support product. Software is classified as a medical device when it is intended to be used for a medical purpose independently of hardware. AI CDS tools - which diagnose, monitor, predict, or support treatment decisions - are almost always SaMD.
Classification runs from Class I to Class III. The classification depends on what the software does with the information it processes and the consequence of the AI being wrong.
Class I SaMD: Software that provides information but where the output is not used to make or influence decisions of clinical significance. Example: a tool that summarises a patient's medical history for administrative purposes.
Class IIa SaMD: Software that drives or guides management of chronic disease, provides diagnosis or treatment of non-serious conditions, or monitors vital parameters where incorrect information could lead to serious harm. Example: an AI triage tool that recommends GP or urgent care referrals.
Class IIb SaMD: Software that diagnoses, prevents, monitors, treats, or alleviates a life-threatening disease or condition. Example: an AI sepsis detection tool that flags high-risk patients for immediate clinical review.
Class III SaMD: Software whose failure would cause death or irreversible deterioration in health and that provides diagnosis or treatment of conditions that are immediately life-threatening. Example: an autonomous AI system that recommends chemotherapy dosing without mandatory clinical review.
Class IIa and above requires a conformity assessment with a UK Approved Body, a Quality Management System aligned to ISO 13485, clinical evidence, and UK registration. The process typically takes 9 to 24 months depending on classification and the complexity of the clinical evidence required.
The MHRA published specific guidance for AI-enabled medical devices in 2024, recognising that adaptive AI systems present unique regulatory challenges that the traditional device framework was not designed to handle. Key requirements from the guidance include:
Predetermined change control plan. AI systems that update their models based on new data must document in advance what changes are permissible without triggering a new conformity assessment. Undocumented model updates that change the system's performance are a regulatory breach.
Transparency and explainability. Clinical users must be able to understand, at least at a functional level, how the AI is generating its recommendations. Black-box systems with no explainability mechanism are increasingly difficult to approve under MHRA guidance.
Bias assessment. AI systems must demonstrate performance consistency across protected characteristic groups - sex, age, ethnicity, disability. Systems trained on non-representative datasets that perform poorly for certain patient populations present both a clinical safety risk and a legal risk under the Equality Act 2010.
Post-market surveillance. Approved AI medical devices must maintain active post-market surveillance, tracking real-world performance against the performance claims made in the conformity assessment. Significant performance degradation must be reported to MHRA.
NICE evaluates digital health technologies using the Evidence Standards Framework (ESF) and, for NHS adoption decisions, the Digital Technology Assessment Criteria (DTAC). AI clinical decision support tools that seek NHS adoption must meet NICE's evidentiary bar.
The NICE ESF distinguishes between self-care technologies (lower evidence bar) and clinical or health system technologies (higher evidence bar). AI CDS tools sit firmly in the health system technology category, requiring:
NICE has published specific guidance for AI-powered clinical tools (2024) that adds requirements for bias assessment across NHS patient demographics, continuous monitoring of performance in production, and transparency about model limitations. NHS procurement teams reference NICE guidance when evaluating AI CDS products, and products without NICE endorsement face longer sales cycles in NHS markets.
NHS Digital - now NHS England - has published interoperability requirements for AI tools deployed in NHS clinical systems. The key requirements are:
FHIR R4 integration. AI CDS tools that receive clinical data from NHS systems or send recommendations back into clinical workflows must use FHIR R4 as the data exchange format. AI systems that require bespoke data extracts rather than standard FHIR interfaces create integration burden and NHS operational risk.
NHS login compatibility. Patient-facing AI tools that authenticate individuals should use NHS login to provide a consistent identity experience and a verified NHS number for clinical record matching.
Audit and access logging. AI system access to patient data must be auditable to the individual user, timestamp, patient record, and action taken. This logging must persist for the data retention periods applicable to clinical records.
Clinical safety assurance. DCB0129 and DCB0160 apply to AI clinical tools deployed in NHS settings. The AI vendor is responsible for DCB0129 (manufacturer safety case) and the deploying NHS organisation is responsible for DCB0160 (deployment safety case). Both must be completed and signed off by qualified Clinical Safety Officers before go-live.
Our AI process automation service builds AI clinical workflow tools that meet NHS Digital's interoperability standards from the ground up, including FHIR R4 integration, audit logging, and clinical safety documentation support.
Current MHRA guidance, NICE standards, and NHS Digital policies all favour AI CDS tools where a qualified clinician makes the final clinical decision with AI providing a recommendation, rather than AI making autonomous decisions. This is the clinician-in-the-loop principle.
In practice, this means AI tools should be designed to augment clinical judgement, not replace it. The AI flags the potential sepsis case; the clinician reviews and decides. The AI highlights the imaging finding; the radiologist confirms and reports. The AI recommends the drug interaction warning; the prescriber accepts or overrides with documented reasoning.
Systems designed with clinician-in-the-loop from the outset are easier to classify, easier to gain MHRA approval for, and easier to deploy in NHS settings. Systems designed for autonomous AI decision-making face a significantly higher regulatory burden and a more sceptical reception from both regulators and clinical users.
AI clinical decision support systems process health data - special category data under UK GDPR Article 9. The obligations are significant:
A lawful basis under Article 9(2) must be established before processing begins. For NHS AI tools, this is typically Article 9(2)(h) - healthcare provision and management - supplemented by Schedule 1 of the Data Protection Act 2018. Research AI tools may rely on Article 9(2)(j) with appropriate ethical oversight.
A Data Protection Impact Assessment (DPIA) is mandatory for AI systems processing health data at scale. The DPIA must cover the data flows, the risks of AI bias and incorrect outputs, the mitigations implemented, and the safeguards protecting patient rights.
The ICO has published specific guidance on AI and data protection, including requirements for transparency about automated decision-making under Article 22. Where AI significantly influences a clinical decision without mandatory human review, Article 22 safeguards may apply. The ICO expects organisations deploying AI in healthcare to demonstrate proactive engagement with these obligations, not reactive compliance after an incident.
Healthcare organisations procuring AI CDS tools should require the following from vendors as minimum due diligence:
Vendors who cannot provide all eight of these documents are not appropriate for NHS or regulated private healthcare deployment. The regulatory environment in the UK is mature enough that compliant AI medical devices can produce all of this documentation. Vendors who cannot are either non-compliant or insufficiently established in the UK market to be a safe procurement choice.
Most healthcare organisations should procure commercial AI CDS tools rather than build them. The regulatory development burden - MHRA conformity assessment, clinical evidence generation, QMS implementation - is substantial and requires specialised expertise that most healthcare IT teams do not have.
However, there are scenarios where custom AI development is appropriate:
Proprietary clinical data. Organisations with large, unique clinical datasets - specialist research hospitals, large private hospital groups - may have the training data and clinical governance infrastructure to develop AI tools that outperform commercial alternatives in their specific patient population.
Highly specific workflows. AI tools that need to integrate deeply with a unique combination of clinical systems, proprietary protocols, or specialist clinical workflows may require custom development because no commercial product addresses the specific combination of requirements.
Our health and wellness software development team has experience scoping and developing AI clinical tools within the UK regulatory framework. We advise clients on the build-vs-buy decision honestly - build only makes sense in specific circumstances, and we will tell you when it does not.
AI-assisted radiology is the most mature and widely deployed category of AI CDS in the UK NHS. NHS trusts in London, Birmingham, and Manchester have deployed AI tools for chest X-ray analysis, diabetic retinopathy screening, and CT scan triage. NHS England's AI imaging programme has invested in validating AI imaging tools at scale, providing a template for AI deployment in other clinical domains.
The key learning from NHS imaging AI deployments is the importance of performance monitoring in the real patient population, not just the training dataset. Several AI imaging tools that performed well in validation studies showed performance degradation on NHS patient populations that differed demographically from the training cohort. This has reinforced MHRA's guidance on bias assessment and NHS Digital's requirement for post-deployment performance monitoring in clinical settings.
For private radiology services in London, AI imaging tools offer a compelling ROI case: reduced reporting time, improved detection rates for subtle findings, and the ability to prioritise urgent cases automatically. The regulatory pathway for these tools is well-established, and the MHRA classification and NICE evidence requirements for CE/UKCA-marked AI imaging tools are better understood than for newer clinical AI categories.
NHS Digital has published specific guidance on AI use in primary care settings, including AI triage, AI consultation support, and AI documentation tools. The guidance distinguishes between AI tools that support but do not replace the GP's clinical judgement - which NHS Digital supports - and AI tools that autonomously direct patients to care pathways without GP review - which NHS Digital considers high risk and subject to the highest levels of regulatory scrutiny.
London primary care networks (PCNs) are among the most active in the UK in piloting AI primary care tools. Several PCNs have deployed AI pre-consultation questionnaires and AI-assisted coding of clinical notes. The evidence from these deployments is feeding into NICE's evidence requirements for primary care AI tools, and products that have real-world data from London PCN deployments have a significant advantage in NHS procurement processes.
Private GP services and direct access primary care clinics in London are adopting AI clinical tools faster than the NHS, unconstrained by some of the procurement and governance timelines that slow NHS adoption. This creates a pathway where AI tools prove clinical value in private settings, generate real-world evidence, and then transition into NHS procurement with a stronger evidence base.
If the AI tool is intended to diagnose, monitor, predict, or support clinical treatment decisions, it is almost certainly Software as a Medical Device (SaMD) under MHRA rules. The intended purpose stated in your product documentation and marketing materials determines classification, not the underlying technology. If your product makes clinical claims - even in sales materials or website copy - MHRA considers it to be marketed as a medical device. Products that are borderline should seek a classification opinion from the MHRA or an MHRA-accredited UK Approved Body before launch.
NICE requires prospective clinical studies demonstrating safety and effectiveness in the target population, health economic evidence demonstrating cost-effectiveness or cost-saving, and real-world performance evidence from deployed systems. For AI specifically, NICE expects bias assessment across protected demographic characteristics, transparency about model limitations, and evidence of ongoing performance monitoring in production. The exact evidence requirements depend on the clinical indication and the level of risk the tool presents. Products in the highest risk categories require randomised controlled trial evidence or equivalent rigor.
MHRA, NICE, and NHS Digital guidance all favour clinician-in-the-loop designs where AI provides recommendations and a qualified clinician makes the final decision. Fully autonomous AI clinical decision-making - where AI acts without mandatory human review - faces the highest MHRA classification (Class III), is subject to NICE's most demanding evidence requirements, and is actively discouraged by NHS Digital for most clinical use cases. Most commercially viable AI CDS tools in the UK are designed as decision support, not decision replacement.
AI systems processing patient data process special category data under UK GDPR Article 9. This requires an explicit lawful basis under Article 9(2), a mandatory Data Protection Impact Assessment, transparency obligations about automated processing, and Article 22 safeguards where AI significantly influences decisions affecting individuals. The ICO's guidance on AI and data protection requires organisations to conduct algorithmic impact assessments for AI systems that affect individuals, document how AI outputs are reviewed and overridden, and ensure patients understand when AI is involved in their care.
The Digital Technology Assessment Criteria (DTAC) is NHS England's assessment framework for digital health technologies seeking adoption in NHS settings. It covers clinical safety, data protection, technical security, interoperability, and usability. NHS organisations increasingly require DTAC completion as a condition of procurement. An AI CDS product that has completed DTAC assessment and received a positive outcome has a structured evidence base that NHS procurement teams can reference, significantly simplifying the procurement process compared to products that have not been assessed.
More from the blog
Let us help
Talk to our London-based team about how we can build the AI software, automation, or bespoke development tailored to your needs.
Softomate Solutions Limited
Deen Dayal Yadav
Online
