SAHPRA's AI/ML SaMD Framework: What South African Healthcare Organisations Must Know

SAHPRA published one of the more advanced sector AI documents in South Africa in September 2025 — an AI/ML Software-as-a-Medical-Device framework. For healthcare organisations deploying or developing AI-driven clinical decision-support, SaMD classification is no longer optional.

In September 2025 SAHPRA published the most concrete sector AI document yet seen in South Africa: Communication MD08 2025/2026, Regulatory Requirements of AI/ML-Enabled Medical Devices. For a sector still working through the implications of the POPIA Health Information Regulations and the HPCSA’s Booklet 20, the SaMD framework is the harder-edged document — product-level, evidence-led, and operationally demanding. Guidance carried it through 2025. In 2026 it moves toward enforcement, and healthcare organisations are expected to be visibly compliant rather than merely aware.

What SaMD means and why AI/ML SaMD is different

Software-as-a-Medical-Device is software intended for a medical purpose that is not itself part of, or embedded in, a physical device. A radiology image-analysis platform, a clinical decision-support tool, a sepsis early-warning service running off hospital vitals — all SaMD. The regulatory expectations have existed for traditional, deterministic SaMD for some time.

AI/ML SaMD is different in one critical respect. Its decisions evolve through learning. The model deployed today may not be the model running in six months. Retraining, fine-tuning, drift correction and updates to the underlying foundation layer all alter behaviour in ways that traditional medical-device regulation never had to contemplate. The regulatory problem is therefore not “is this device safe at the moment of authorisation?” but “is the organisation structured to keep it safe as it changes?” That shift is what SAHPRA’s framework is designed to address.

The SAHPRA framework’s core demands

SaMD classification. The framework requires every AI/ML SaMD to carry a clinical risk classification that drives the rest of its obligations. The classification is aligned with the IMDRF framework SAHPRA references throughout, and decision-influencing AI used in clinical settings tends to attract the higher tiers. Classification is not paperwork — it determines the depth of clinical validation, the rigour of post-market surveillance and the scope of change control.

Clinical safety case. Organisations must produce documented evidence that the SaMD performs as intended in its target clinical context. This is more than a validation report. The clinical safety case sets out the intended use, the clinical claims, the validation methodology, known limitations and the failure modes the organisation has identified and mitigated. Where the SaMD informs clinical decisions, the safety case must reach into the human-factors layer: how clinicians are expected to interpret outputs, what override mechanisms exist, what happens when the model is uncertain.

Post-market surveillance. Authorisation is not the end of the obligation. Organisations must monitor real-world performance after deployment, detect model drift, and operate trigger conditions for resubmission. Surveillance is the most under-resourced area in current SA healthcare AI programmes. It is also the area SAHPRA will most visibly enforce, because drift is the canonical AI/ML SaMD risk and the regulator’s authorisation depends on it being managed.

Change-control process. AI/ML SaMD changes constantly. The framework requires organisations to distinguish between a routine model update — within the envelope of the authorised intended use — and a substantive change that re-opens authorisation. That boundary must be set out in writing, agreed in advance, and operated by people who understand both the clinical context and the model architecture. Organisations without a documented change-control policy default to the more conservative position: every meaningful change is a substantive change.

Pre-deployment validation. SAHPRA explicitly requires manufacturers to assess whether the device performs equally well on South African patient populations. Models trained predominantly on non-SA cohorts cannot assume their performance transfers. Where the SaMD addresses clinical conditions with demographic or epidemiological variance — and most do — local clinical validation in representative SA populations is the expectation.

How SAHPRA’s framework interacts with HPCSA Booklet 20

The two documents address different layers of the same activity and both apply. HPCSA Booklet 20, in force from November 2025 and revised in January 2026, sets clinical-practice expectations for the registered practitioner using AI: patient notification, retained clinical responsibility, documented evaluation of AI output, validated tools, alignment with SA clinical contexts. It is a duty owed by the clinician.

SAHPRA’s framework sets product-level expectations for the SaMD itself: authorisation, classification, safety case, surveillance, change control. It is a duty owed by the organisation developing, importing or selling the device.

The two duties stack rather than substitute. A clinician using an authorised SaMD still owes the Booklet 20 oversight obligation — the SaMD’s authorisation does not displace clinical judgement. An organisation whose SaMD is in clinical use still owes the SAHPRA obligation regardless of how diligent the clinician is at the bedside. Healthcare organisations operating in both layers — for example a hospital group with an in-house AI tool — owe both duties simultaneously.

The POPIA overlay

Patient personal information sits within the “special personal information” category under POPIA section 26, which imposes stricter processing conditions than the general regime. Any AI/ML SaMD processing health data must therefore satisfy not only SAHPRA’s product expectations but also POPIA’s special-data conditions.

Section 71 automated decision-making (ADM) exposure attaches where the SaMD makes a clinical decision without meaningful human review. Triage tools that auto-prioritise, prior-authorisation engines that auto-decline, and decision-support outputs that practitioners adopt without genuine independent assessment all sit close to the §71 line. The forthcoming integration of the POPIA Health Information Regulations with the SAHPRA framework will reinforce this overlay: health data, automated decisions and clinical safety are converging in 2026 into a single compliance posture, not three separate workstreams.

What healthcare organisations must demonstrate in 2026

  • An inventory of every AI/ML tool used or relied on in clinical decision-support, including third-party tools embedded in vendor platforms.
  • SaMD classification for each tool, with reasoning recorded.
  • Clinical safety case documentation appropriate to the classification.
  • Post-market surveillance protocols, including drift-detection thresholds, monitoring cadence and the trigger conditions for resubmission.
  • Supervision arrangements that satisfy HPCSA Booklet 20 — clinician oversight, patient notification, documented evaluation of AI output.
  • POPIA section 26 safeguards for special personal information — appropriate lawful basis, security controls, retention limits, operator agreements with model vendors.
  • POPIA section 71 meaningful human review wherever the SaMD informs decisions with legal or substantial effect on patients.

Most healthcare organisations can produce two or three of these in 2026. Few can produce all seven, mapped together, with named owners. That gap is the work.

How Rhentech helps

Our AI Governance and Compliance engagements are tailored for healthcare. We support SaMD classification, structure clinical safety case documentation, and design post-market surveillance protocols that fit the organisation’s clinical and technical capacity. POPIA, HPCSA Booklet 20 and the SAHPRA framework are mapped onto a single defensible compliance posture rather than left as parallel obligations to be reconciled in a regulator’s meeting room. Every engagement begins with an AI Usage Audit so the organisation knows precisely which tools, in which clinical settings, fall inside the SaMD perimeter.

The SAHPRA framework is the most advanced sector AI document South Africa has produced, and healthcare organisations cannot treat it as guidance any longer. In 2026, demonstrable compliance is the baseline.

Book a free initial consultation to discuss your organisation’s SaMD exposure and what a structured AI governance programme would cover.

This article is for informational purposes. It does not constitute regulatory or clinical advice.
