---
title: "A Guide to Implementing CI-CD in Your AI-ML SaMD Projects"
type: white-paper
publisher: Ketryx
source: "https://www.ketryx.com/assets/ci-cd-ai-ml-white-paper"
content: text extracted from PDF (layout/tables/figures not preserved)
---

# A Guide to Implementing CI-CD in Your AI-ML SaMD Projects

*Source: [https://www.ketryx.com/assets/ci-cd-ai-ml-white-paper](https://www.ketryx.com/assets/ci-cd-ai-ml-white-paper)*

---

A Guide to Implementing CI/CD in Your AI/ML SaMD Projects © Ketryx Corporation 2024 1

The Challenge The number of AI-powered medical devices is quickly growing. As of August 2024, the FDA has authorized 950 AI/ML-enabled medical devices, a significant increase from the 500 devices on the market in 2022. While some manufacturers have cracked the code, far more businesses are unsure how to develop and manage complex, rapidly changing AI systems. Continuous integration and deployment (CI/CD) is a critical component of modern DevOps methodology and is required to enable AI/ML in medical software. CI/CD uses incremental code changes to increase speed and tighten feedback loops across the software development lifecycle. This practice fits well with FDA guidance, such as Predetermined Change Control Plans (PCCP), designed to help manufacturers effectively manage risks while upholding high regulatory standards to ensure device safety. However, executing CI/CD and validating AI/ ML systems in highly regulated industries can be challenging. Manufacturers must maintain traceability and design verification while ensuring that all risk controls are properly tested. When a given product involves hundreds of data sources and thousands of requirements, specifications, and tests, the path to CI/CD may seem daunting. The good news is that there are proven steps you can take to accelerate your transition to CI/CD and attain this gold standard of SaMD development. Let’s examine the details of AI/ML system validation, why DevOps practices are necessary, and how to get started with CI/CD. Source: FDA — AI/ML-Enabled Medical Devices © Ketryx Corporation 2024 2

Understanding AI and ML system validation Training is at the core of supervised machine learning, which is where most innovation for at-scale medical device manufacturers is happening today. Organizations constantly receive more data to train and improve their models, as optimal system performance is tied to the volume and quality of labeled data. Today, the software powering medical devices like wearable monitors (e.g., watches, glasses, chest straps, rings, and more) is being updated to include AI features, which can enable more proactive care and better health outcomes. Moreover, companies like KelaHealth are updating their surgical platforms to incorporate AI, with the aim of building better risk-reduction models using data from past surgeries. Meanwhile, CLEW Medical has recently received FDA 510(K) clearance to implement their ICU solution designed to predict hemodynamic instability in adult patients, which allows for faster evaluation and improved care. For more examples of AI in action in the medical device space, the FDA keeps a list of approved AI/ML-enabled medical devices, which can be viewed here. As of August 7, 2024, the FDA has authorized 950 such devices, and the list continues to grow. Of course, the proliferating usage of AI and ML in medical device software has come with strict guidance to ensure safety and reliability. Training AI/ML models for better performance in medical devices ultimately means changing the underlying software. FDA guidance, such as PCCP, states that every time AI/ML-enabled software is changed, you must lift the model out, retrain and retest it to ensure it is still safe and reliable, and then put it back into the software. This continuous model validation requires an understanding of three key areas: • Critical quality attributes: There are hundreds of potential metrics to optimize a model for. Your model expert (e.g., ML engineer or data scientist) must select a few primary metrics, outline a process for measuring them, and set a baseline against which performance is measured. • Potential risks: What risks may be present in your model? Depending on what these are, you will need to have controls in place to detect and account for them (e.g., continuous monitoring to mitigate data drift). • Underlying datasets: You must also have a deep understanding of the datasets used to train the model and ensure the data is fair and representative (i.e., no sampling bias for a specific population, ethnic group, comorbidities, etc.). However, evaluating these factors to iteratively improve ML models is a very slow process when done manually. This is antithetical to the purpose of AI/ ML-enabled software, which thrives on continuous learning from new data and requires the integration of fresh data into the model training process to remain up-to-date while improving accuracy and performance over time. The highly iterative, autonomous, and adaptive nature of these [AI] tools requires a new, total product lifecycle (TPLC) regulatory approach that facilitates a rapid cycle of product improvement and allows these devices to continually improve while providing effective safeguards. — The United States Food and Drug Administration “ ” © Ketryx Corporation 2024 3

If you look around the software industry, it’s clear that agile development processes have become the cultural and operational norm. Manual handoffs and repetitive tasks have been significantly reduced by merging development and operations — DevOps — to shorten cycles, accelerate deployment, and improve release dependability. SaMD manufacturers need to transition from traditional waterfall-style development to rapid, measurable improvement if they want to remain competitive with AI/ML-enabled, FDA-cleared products. One of the most critical aspects of DevOps that MedTech companies must embrace is the aforementioned CI/CD, the practice of using automation to increase speed and tighten feedback loops across the software development lifecycle. CI/CD allows developers and engineers to work independently on making small, incremental changes to the model or software. Teams use a local sandbox to experiment, then make a pull/change request to signal that a new feature is ready to be merged into the mainline (deliverable form of software). In the case of regulated software, a human will perform an initial review to verify the change and then a continuous integration server will run automated tasks to ensure the code can safely be merged. From there, continuous delivery automation will deploy approved code changes to final testing and production environments. When applied to the world of machine learning, CI/CD helps facilitate faster, more efficient model validation via: • Automated testing: CI/CD pipelines can include automated tests specifically designed to validate models. These tests can check various aspects of the model, such as its accuracy, performance metrics, and behavior under different conditions. By running these tests automatically upon each code change, teams can quickly identify any regressions or issues in the model. • Version control: CI/CD facilitates version control best practices, allowing teams to track changes to models and their associated code over time. This ensures that the development process is transparent and reproducible, enabling easier validation of model changes and comparisons between different versions. • Validation gates: CI/CD pipelines can be configured with validation gates that prevent code changes from being merged or deployed if they fail certain criteria, such as failing automated tests or not meeting predefined performance thresholds. This ensures that only validated and quality-tested models are deployed into production environments. • Monitoring and feedback loops: CI/CD pipelines can integrate with monitoring systems to track the performance of deployed models in real time. Any deviations or anomalies in model behavior can trigger alerts, enabling teams to quickly respond and investigate potential issues. This feedback loop helps in the continuous validation and improvement of models over time. In addition to enabling faster deployment and time to market for products, CI/CD incorporates DevOps-friendly technology, such as GitHub and GitLab, that most developers are already familiar with and want to use in their daily work. Why DevOps and CI/CD are required for medical software innovation © Ketryx Corporation 2024 4

The workflow generally entails: 1. Plan: Planning the software development aspect of an AI-enabled product. This includes the process of defining the objectives, scope, resources, timeline, and strategies for developing and delivering a software project, ensuring alignment with business goals and efficient resource allocation. 2. Develop: Developing (designing, coding, and testing) the software. 3. Data: Sourcing appropriate data to train the underlying AI/ML model(s). 4. Data Debiasing: Scrubbing and cleaning the data to be incorporated to ensure viability and identify any potential issues like bias. 5. Model: Using the cleaned data to train the model. 6. Model Validation: Validating the model to assess whether it’s performing as intended. 7. Software Supply Chain Configuration: Managing and integrating all components involved in the development and delivery of software products, such as APIs or third-party libraries. The potential challenges of CI/CD for regulated software development Applying DevOps and CI/CD to machine learning, sometimes referred to as MLOps, is already an established process at many software companies. 8. Software Validation: Evaluating software to ensure it meets specified requirements, functions correctly according to the model baseline, and satisfies the needs of users and stakeholders, typically through testing, reviews, and other quality assurance activities. 9. Release: Releasing the software to ensure quality and availability to end-users. 10. Deploy: Deploying the software to make it available in a specific environment (e.g., a medical device operating system). 11. Monitor: Continuously tracking and analyzing the performance, functionality, and security of AI-enabled medical device software applications and systems to ensure they operate effectively, detect any issues, and optimize performance as needed. 12. Plan: Planning the next version of the product, often with an eye towards incorporating more data to improve the model. And then, of course, as the graphic below illustrates, the cycle repeats itself (hence the word “continuous”). © Ketryx Corporation 2024 5

While these challenges apply to other industries to an extent, MedTech is (understandably) under some of the most intense scrutiny and pressure to get it right because the potential consequences of mistakes are enormous. Today, even small tech companies repeat this cycle on a daily basis to ensure their models are trained for accuracy and achieve the desired level of performance. Organizations with a properly governed and integrated MLOps pipeline are much more likely to consistently release software updates to production. This is a significant competitive advantage, as Gartner research found that only 48% of AI projects make it into production on average. Moreover, an “eMagazine” from Dataiku on “AI in 2024” quotes Snowflake’s Head of AI/ML, Ahmad Khan, as saying, “Getting the most value from Generative AI will require organizations to define a holistic strategy that first establishes a robust data and model governance and then enables developers to accelerate LLM app development.” Generating documentation Ensuring that all risk controls are properly tested Maintaining traceability and design verification Capturing records and electronic signatures Storing deployment versions Managing approvals Practicing postmarket surveillance However, practicing CI/CD and validating AI/ML systems at high velocity in highly regulated industries such as healthcare can be more difficult than in other sectors. MedTechs face challenges such as: © Ketryx Corporation 2024 6

How to get started with validated CI/CD Because a given SaMD product can involve hundreds of data sources and thousands of requirements, specs, and tests, the path to CI/CD can seem daunting. Fortunately, there are practical steps you can take in the immediate future to work toward attaining this gold standard of software development. Let’s take a look at five strategies you should adopt to get started with CI/CD: • Strategy #1: Design an architecture built for change • Strategy #2: Enforce procedures and automatically generate evidence • Strategy #3: Integrate risk analysis into configuration management • Strategy #4: Automate documentation, tests, and create control • Strategy #5: Maintain end-to-end traceability Strategy #1: Design an architecture built for change It’s essential to design an architecture that is purpose-built for DevOps and agile software development — from a design control perspective, from a software perspective, from an engineering perspective, from a process perspective, and from a QMS perspective. You must be able to identify your AI/ML subsystem and have it architected so that you can easily take the subsystem in or out, revise all of its design controls, put it back in, and then test the whole system to ensure it satisfies your risk control measures. It’s not just about getting code ready to support CI/CD; it’s about aligning the processes, design controls, and IT systems used to manage the product lifecycle. Many tech companies build software and devices using a “system of systems” approach in which multiple subsystems are integrated to create a larger, more comprehensive system. They may also have systems that another project or product calls on or uses as a service to meet its requirements. This allows for greater flexibility and modularity, and can better tie your software architecture with your regulatory strategy. However, to realize this strategy, teams need the right tooling in place to manage version control and traceability, which become even more complex. © Ketryx Corporation 2024 7

Strategy #2: Enforce procedures and automatically generate evidence Because quality assurance and development teams include a lot of people — many of them working remotely — organizations must change their approach to enforcing procedures and generating evidence. With the speed of CI/CD, it’s not feasible to rely on the traditional workflow of manual process verification through meetings. Instead, your tools and systems should dictate the lifecycle to ensure the right steps are being executed in the right order. The best way to do this is to leverage automation that: • Takes the logic/rules of your QMS and enforces them across the applications where products are developed. • Works within your native workflows and tools to align processes with relevant regulations. • Generates DHF and other FDA-required evidence from these applications with minimal manual effort. This graphic illustrates how MedTechs can ensure quality management and regulatory compliance within medical device software without unnecessary manual efforts. © Ketryx Corporation 2024 8

Another aspect of automatically enforcing your procedures is integrating risk analysis into your configuration management. During R&D, you should evaluate and understand the risk of different subsystems and use automated guardrails to guide you through the procedures appropriate for your goals. This is increasingly important for any open-source software, which now requires an FDA-compliant SBOM to help manage cybersecurity risks. In the “requirements” phase, it’s is crucial to include a plan to track and manage vulnerabilities, comply with software use laws and regulatory requirements specific to the MedTech industry, and clearly track and manage dependencies so that if future vulnerabilities are discovered, your team is already aware that your software could be impacted. Beyond the requirements phase, these should make it into your specifications and be continuously monitored and managed. Additionally, when performing postmarket surveillance after the product has been released, automated risk analysis also helps you understand where risks are coming from and how you can mitigate risks for a given configuration item, specification, requirement, piece of code, model, or device as appropriate to its intended use. To put a fine point on this: you must automate continuous monitoring of your application for vulnerabilities, anomalies, new threats, and any other potential risks to the application that would impact its security and/or compliance. Strategy #3: Integrate risk analysis into configuration management © Ketryx Corporation 2024 9

CONTINUOUS DEPLOYMENT: Once the change has been integrated into the main branch, it’s time to build all the necessary release artifacts and perform automated and/or manual testing on production-like environments to make sure the software is ready for end users. This includes design verification and document generation/ approvals that are guided by engineering controls. These controls are automated documentation checks based on traceability, the workflow state of items, event sequences, and other criteria. If proper traceability and design verification aren’t in place, the software will be blocked from release/automatic deployment. Just as factories have many engineering controls to prevent mishaps, we need to integrate controls into software manufacturing to ensure that everything is safe for patients and compliant with the latest security and compliance best practices. CONTINUOUS INTEGRATION: When a developer creates a pull request to merge the software changes they’ve been working on into the main/release branch, that request must be traced to relevant requirements and documentation. Within this change, the developer provides automated unit, integration, and end-to-end tests tagged to their corresponding software specification, allowing the CI server to automatically collect evidence. Finally, they generate a testing and code review report and make sure it has all the necessary e-signatures and Part 11-compliant signatures required for medical device software. Strategy #4: Automate documentation and tests, create control To formalize your approach to validated CI/CD, it’s essential that you automate documentation and testing while inserting high levels of controls across your CI and CD builds. Here’s what that looks like in practice for both sides of the pipeline. © Ketryx Corporation 2024 10

Because traceability is essential for automation and speed in validated CI/CD, you must maintain end-to-end traceability across and within your tools. Given the complexity of medical devices and software, many organizations today are facing huge productivity losses because of their manual approach to traceability. Maintaining spreadsheets with thousands of requirements and specifications takes a lot of time and effort. It’s also extremely difficult to scale to support interdependencies as the number of items naturally increases over time. To better address this challenge, Ketryx streamlines and automates the process of creating and maintaining traceability to improve accuracy and visibility while enhancing overall efficiency and quality. It essentially provides a lifecycle management agent that looks across your systems and makes sure you’re following the logic of your rules and creating evidence where you work, all very rapidly. This is key, because the moment you take information from one tool and paste it into another tool, you’re losing time on your CI/ CD workflows. The whole point of CI/CD is to automate as much of the software development, integration, testing, and deployment process as possible to ensure fast and repeatable workflows. Manually transferring information between tools introduces delays that reduce the overall efficiency of the CI/CD pipeline. Strategy #5: Maintain end-to-end traceability across DevTools © Ketryx Corporation 2024 11

Software for AI/ML-powered medical devices cannot be effectively designed and maintained without CI/CD. This DevOps practice is table stakes for modern software development, as it facilitates the quick iteration and rapid feedback required to continuously improve and refine AI-driven systems. Ketryx’s Connected Lifecycle Management Platform makes the transition to CI/CD much easier for medical device software producers by automatically enforcing procedures, generating required documentation, and orchestrating releases. This allows developers and engineers to focus on improving the product rather Are you ready to streamline your medical device software CI/CD processes while ensuring safety, security, and compliance? Book a custom demo with our expert team. than endlessly documenting and handing off software for review, which can lead to slower CI/CD cycles, frustration, and costly errors. Armed with these capabilities, you can follow FDA guidance for AI/ML-enabled SaMD by writing a PCCP, integrating it into your quality system, and automatically updating traceability for change management to ensure you’re following your PCCP. Accelerating your journey to CI/CD © Ketryx Corporation 2024 12

To learn more about implementing CI/CD for your AI/ML or SaMD application, contact us today at www.Ketryx.com Schedule a demo today by scanning this QR Code or visiting: https:/ /go.ketryx.com/ci-cd-white-paper
