top of page

What is AMLAS? A Guide to Machine Learning Assurance for Medical Device Manufacturers

  • 1 hour ago
  • 7 min read



What is AMLAS in Plain Terms?


AMLAS (Assurance of Machine Learning for use in Autonomous Systems) is an open assurance methodology that helps organisations develop structured safety arguments demonstrating that machine learning (ML) components are sufficiently safe for their intended use.


For medical device manufacturers, Software as a Medical Device (SaMD) developers and digital health companies, AMLAS provides a practical framework for assuring AI and machine learning systems throughout their lifecycle. Rather than focusing solely on software development or regulatory documentation, it addresses the unique challenges associated with machine learning, including training data quality, model performance, verification, deployment and ongoing monitoring.


This guide is written for regulatory affairs professionals, clinical safety specialists, quality teams and AI developers building AI-enabled healthcare products that must satisfy increasingly demanding regulatory expectations.


Importantly, AMLAS is not a certification scheme and does not replace medical device conformity assessment. It is freely available guidance published by the University of York, providing organisations with a structured engineering methodology for developing confidence in machine learning systems.


The practical output of AMLAS is a machine learning safety case which is a structured argument, supported by evidence, demonstrating why an ML component can be considered acceptably safe within its intended operational context.




Who Developed AMLAS?


AMLAS was developed through the Assuring Autonomy International Programme (AAIP), a major research initiative led by the University of York between 2018 and 2023. Following completion of the programme, responsibility for continuing this work transferred to the University's Centre for Assuring Autonomy (CfAA).


To support practical adoption, the University also launched the AMLAS Tool in 2022. The software guides organisations through each stage of the methodology and helps generate the evidence required to build a structured machine learning safety case.


Development of AMLAS was supported by collaboration with organisations across healthcare, aerospace, automotive, defence and other safety-critical industries. Although originally designed as a cross-sector methodology, its principles have proven particularly valuable for AI-enabled medical devices where patient safety depends upon trustworthy machine learning.




The Six Stages of AMLAS


AMLAS divides machine learning assurance into six connected stages. Each stage addresses a different aspect of assuring an ML system, while contributing evidence towards a single integrated machine learning safety case.


Rather than following a traditional waterfall approach, AMLAS is explicitly iterative. Every stage feeds into a continual Feedback and Iterate loop, allowing teams to revisit earlier decisions as new evidence emerges.


1. ML Safety Assurance Scoping


The first stage establishes the foundations of the assurance programme.


Teams define:


  • the intended use of the ML component

  • operational environment

  • system boundaries

  • stakeholders

  • assumptions

  • safety objectives


The primary output is a clearly defined assurance scope together with the initial structure of the safety argument.


2. ML Safety Requirements Assurance


Once the scope is understood, organisations identify the safety requirements the machine learning system must satisfy.


This includes:


  • clinical safety objectives

  • performance requirements

  • operational constraints

  • acceptable failure behaviour

  • assurance claims


These requirements become the basis against which later evidence is assessed within the safety case.


3. Data Management


Machine learning performance depends fundamentally on data quality.


AMLAS therefore examines:


  • dataset provenance

  • representativeness

  • completeness

  • labelling quality

  • bias

  • governance

  • version control


Evidence generated during this stage demonstrates that training, validation and testing datasets appropriately support the intended safety claims.


4. Model Learning


The fourth stage focuses on developing the machine learning model itself.


Activities include:


  • model selection

  • training processes

  • reproducibility

  • configuration management

  • documenting design decisions


Rather than simply recording technical choices, AMLAS encourages teams to justify why those choices support safe system behaviour.


5. Model Verification


Verification demonstrates that the trained model satisfies its defined safety requirements.


Evidence may include:


  • performance testing

  • robustness assessment

  • stress testing

  • uncertainty analysis

  • verification against representative clinical scenarios


This stage provides objective evidence supporting confidence in the model's behaviour before deployment.


6. Model Deployment


The final stage considers how the machine learning model will operate within the real-world system.


Topics include:


  • deployment architecture

  • monitoring

  • operational controls

  • configuration management

  • model updates

  • change management

  • post-deployment assurance


This stage also establishes how the organisation will detect performance degradation, monitor emerging risks and respond to model drift over time.


Across all six stages, AMLAS builds one integrated machine learning safety case. Each stage contributes additional evidence supporting the overall argument that the ML component is sufficiently safe for its intended application.




Safety Cases and Goal Structuring Notation (GSN)


The central output of AMLAS is a safety case. A safety case is a structured argument, supported by evidence, demonstrating that a system is acceptably safe for a defined context of use. Rather than relying on isolated test results, it brings together requirements, assumptions, analyses and objective evidence into a coherent justification. AMLAS represents these arguments using Goal Structuring Notation (GSN).


GSN is a graphical language that organises safety arguments into connected goals, strategies, evidence and assumptions. It allows reviewers to understand not only what evidence exists, but also why that evidence supports the overall safety claim.


One of AMLAS's strengths is its use of reusable argument patterns. Rather than beginning every project with a blank page, organisations can adapt established assurance structures while tailoring them to the specifics of each machine learning application.


For medical device manufacturers, the concept will already feel familiar. Organisations producing documentation under IEC 62304, ISO 14971 or DCB0129 are accustomed to presenting structured evidence supporting product safety. AMLAS extends this principle specifically to machine learning systems.




AMLAS for Medical Devices


AMLAS is designed to complement existing medical device standards rather than replace them.


Medical device manufacturers typically operate several established frameworks:


  • ISO 13485 governs the quality management system.

  • ISO 14971 manages medical device risks.

  • IEC 62304 defines software lifecycle processes.

  • IEC 62366 addresses usability engineering.


AMLAS sits alongside these standards by focusing specifically on the assurance of machine learning components. Traditional software standards were developed before widespread adoption of modern machine learning. While they remain essential, they provide relatively little guidance on challenges unique to AI, including:


  • dataset bias

  • data representativeness

  • distribution shift

  • model uncertainty

  • concept drift

  • changing model performance


AMLAS provides a structured methodology for addressing these issues while integrating naturally with existing development processes. In practice, responsibility for the AMLAS safety case usually sits with the manufacturer, supported by multidisciplinary input from software engineering, regulatory affairs, quality assurance, data science and clinical safety teams. Where organisations operate under DCB0129, the Clinical Safety Officer should contribute to the clinical safety aspects of the assurance argument.


Evidence produced through AMLAS can support technical documentation, risk management files and post-market surveillance activities. As products evolve, the methodology also supports ongoing monitoring of deployed machine learning systems, helping organisations detect model drift and maintain confidence throughout the product lifecycle.




AMLAS and AI Regulation


AMLAS is an assurance methodology, not legislation. Its purpose is to help organisations generate the structured evidence increasingly expected by regulators reviewing AI-enabled products. Within Europe, the EU AI Act establishes legal requirements for high-risk AI systems, including obligations relating to risk management, data governance, transparency, human oversight and post-market monitoring. The legislation entered into force on 1 August 2024, with phased implementation including general-purpose AI provisions from 2 August 2025, most high-risk AI obligations from 2 August 2026, and transition arrangements for AI integrated into regulated products extending to 2 August 2028.


AMLAS provides practical engineering activities that naturally support many of these obligations by documenting how machine learning systems have been designed, verified and monitored.


Within the UK, the MHRA Software and AI as a Medical Device Change Programme continues to shape expectations around AI assurance. While AMLAS is not mandated, its structured approach aligns well with the direction of travel towards evidence-based assurance of AI-enabled medical devices.


Similarly, the US FDA has published Good Machine Learning Practice (GMLP) guiding principles together with guidance on Predetermined Change Control Plans (PCCPs) for AI/ML-enabled Software as a Medical Device. AMLAS complements these initiatives by providing a practical methodology for generating assurance evidence throughout the machine learning lifecycle.


At an organisational level, ISO/IEC 42001 provides governance for artificial intelligence management systems. AMLAS sits beneath this organisational layer by focusing on assurance of individual machine learning products and components.




Limitations of AMLAS


Although AMLAS is one of the most mature machine learning assurance methodologies currently available, it is important to understand what it does not provide. AMLAS does not certify products and does not replace conformity assessment under the MDR, UKCA or FDA regulatory pathways. Manufacturers must still satisfy all applicable medical device legislation and standards.


Its primary focus is the assurance of machine learning components. Conventional software, hardware and system-level safety arguments continue to require established engineering approaches such as IEC 62304 and ISO 14971.


The methodology was also developed before the rapid emergence of generative AI and large language models. While many principles remain applicable, organisations deploying foundation models will often need to extend AMLAS with additional assurance techniques and more recent AI governance guidance.


Finally, AMLAS is most effective when introduced early in product development. Retrofitting a comprehensive machine learning safety case after a system has already been completed is considerably more challenging and often results in weaker supporting evidence.




Frequently Asked Questions


Who created AMLAS?


AMLAS was developed by researchers at the University of York through the Assuring Autonomy International Programme. It is now maintained and further developed by the University's Centre for Assuring Autonomy.


Is AMLAS mandatory?


No. AMLAS is voluntary guidance rather than a regulatory requirement. However, many organisations use it to strengthen machine learning assurance and support regulatory submissions for AI-enabled products.


Is AMLAS free?


Yes. The methodology, supporting documentation and associated resources are freely available from the University of York.


How long does it take to produce an AMLAS safety case?


The effort depends on the complexity of the machine learning system and the maturity of existing development processes. Organisations introducing AMLAS early in development generally find it integrates more efficiently than attempting to build assurance evidence retrospectively.


Does AMLAS cover generative AI?


Not specifically. AMLAS was originally developed around more traditional machine learning systems. Many of its principles remain relevant to generative AI, but additional assurance approaches are often required when working with foundation models or large language models.


How does AMLAS relate to IEC 62304?


IEC 62304 governs the software development lifecycle, while AMLAS focuses specifically on assuring the safety of machine learning components. The two approaches are complementary and are often used together within AI-enabled medical device development.


Who should own the AMLAS process within a medical device company?


Ownership normally sits with the manufacturer, supported by a multidisciplinary team including quality assurance, regulatory affairs, software engineering, data science and clinical safety specialists. Responsibility for individual activities may vary, but successful implementation requires collaboration across these functions.




Next Steps for Manufacturers


For organisations developing AI-enabled medical devices, AMLAS provides one of the most comprehensive open methodologies currently available for demonstrating machine learning assurance. While it is not a regulatory requirement, it offers a structured way to build confidence in AI systems and generate evidence that supports broader regulatory and clinical safety activities.


A practical starting point is to select a single machine learning component, complete the first two AMLAS stages, and identify where evidence gaps exist before expanding the methodology across the wider product. If your organisation is developing AI-enabled healthcare technology, our specialists can help you integrate AMLAS alongside ISO 14971, IEC 62304, ISO 42001, DCB0129 and wider medical device regulatory requirements. Book a discovery call to discuss how a structured machine learning assurance approach can support your AI medical device development programme.














 
 
 

Comments


bottom of page