
Published: September 4, 2025 - 5 mins read
From Startup to Class IIa: What It Really Takes to Build Clinical AI
What you need to consider if you want to build clinically robust, regulation-ready digital health products.

The Decision to Go Clinical-Grade
At Acorn Compliance, we work with innovators like Limbic who choose the harder, but ultimately more impactful, path when it comes to compliance and building regulation-ready digital health products. We sat down with Ben Carrington, General Manager from Limbic, to show you what that journey looks like, and what you should consider if you want to follow it.
When we started Limbic, the digital mental health space was in a peculiar place. Most companies were avoiding regulatory scrutiny, operating under vague wellness claims or pushing products that danced around medical device classifications. We chose a different path. From the outset, we committed to building clinical-grade AI that could meaningfully improve patient outcomes, and that meant embracing regulation, not sidestepping it.
That commitment led us to pursue Class IIa certification - a rigorous classification that enabled us to be used for clinical decision support and triage as a digital front door. The move was motivated by a very practical need inside mental health talking therapies: services had a need to better identify specific anxiety disorders and attach the correct problem descriptor. Meeting that clinical need required a tool that was not just useful but validated, safe, and formally recognized as a medical device. Taking the Class IIa route was about meeting the moment, but also setting the bar for what safe, scalable, AI-enabled mental health care should look like.
Choosing the harder pathway positioned Limbic as a leader taking patient safety and clinical validation seriously. It turned marketing claims into verifiable facts. Commissioners suddenly had a chatbot whose safety, performance and post-market surveillance were reviewed by regulators, not merely asserted by a vendor. It signalled to NHS services that this is the product you can trust to put in the hands of patients because it's the only one that's been validated.
The credibility dividend was immediate. Customers cite our Class IIa status and peer-reviewed outcome data as reasons they procured Limbic. Today we’re live in >40% of NHS Talking Therapies and 13 US states and have helped half a million patients because we chose to lead with regulation rather than dodge it.
What It Takes to Achieve Class IIa: A Guide from Acorn Compliance
What Class IIa actually means
Class IIa is a European medical device classification under the Medical Device Regulation (EU MDR 2017/745) that applies to moderate-risk devices. These include devices intended to support clinical decision making or perform certain functions that have an impact on patient care, but are not life-sustaining or invasive.
For a digital health product or AI tool, being classified as Class IIa means it is recognised as a medical device with regulatory approval to directly support diagnosis, triage, or treatment decisions—as Limbic does in NHS Talking Therapies.
Here's what's required
Quality Management System (QMS):
A compliant ISO 13485:2016 QMS is essential. This framework governs all aspects of the company’s operations, from design and development processes to release control and supplier validation. It ensures complete traceability of components and versions, and mandates that all decisions and documentation are auditable. The QMS becomes the operational backbone that supports safe, consistent product delivery.
Risk Classification:
Class IIa classification is determined by the product’s intended use, functionality, and the level of risk it poses to patients. It applies to software used for clinical decision support — tools that inform or guide diagnosis, triage, or treatment decisions, but do not directly control life-sustaining systems. This classification represents a step up from Class I devices, which are generally associated with wellness or lower-risk use cases, and therefore entails significantly more regulatory scrutiny.
Intended Use:
At the core of medical device classification is the concept of intended use — a clear, regulatory statement describing what the product is designed to do, who it's for, and how it will be used in a clinical context. This definition isn’t just a formality; it determines the level of regulatory scrutiny the product will face. For AI-driven health tools, especially, the line between wellness support and clinical intervention can be thin — so being explicit is crucial. If your product is intended to support diagnosis, inform clinical decisions, or guide treatment pathways, it will likely fall under a higher-risk classification such as Class IIa. This means you must substantiate every claim you make with evidence, and build systems to ensure the product performs safely and consistently in that specific use case. A well-defined intended use is not only a regulatory requirement — it becomes the foundation for clinical evaluation, risk assessment, and product design choices throughout your development process.
Verification and Validation:
Before any software release reaches patients, it must pass a comprehensive suite of tests. These include unit testing, end-to-end system validation, usability checks, and clinical safety assessments. All test results must be meticulously documented and stored in a way that is both traceable and accessible for regulatory audits. This testing ensures that each version of the product maintains the standard of safety and performance expected of a Class IIa medical device.
Clinical Evaluation:
To achieve EU MDR Class IIa certification, companies must provide robust clinical evidence that their product is safe, effective, and performs as intended in real-world clinical settings. This typically involves a combination of literature reviews, clinical studies or trials, published outcomes in peer-reviewed journals, and rigorous user validation and performance testing. The goal is to demonstrate that the product’s claims are not just theoretical but are backed by tangible, clinically relevant data.
Post-Market Surveillance (PMS):
After a Class IIa product is placed on the market, manufacturers must implement ongoing surveillance to monitor its real-world safety and performance. This includes systematically collecting usage data, investigating and reporting any adverse events, and regularly updating both risk assessments and the clinical evaluation. A formal Post-Market Surveillance Plan must be in place, and companies are required to submit Periodic Safety Update Reports (PSURs) to maintain compliance.
Audits:
Unlike Class I devices, which can be self-certified, Class IIa products require external oversight. A Notified Body must conduct independent audits to review and certify the product, its documentation, and the company’s QMS. These audits are typically performed annually and include in-depth evaluations of the technical file, clinical evidence, and post-market surveillance activities. This layer of independent verification reinforces trust with regulators, clinicians, and patients.
Limbic's biggest lessons learned from taking this journey to Class IIa
Let’s be honest: the paperwork is brutal. Objectively, regulation can slow you down. It forces tradeoffs. And it creates points of friction for fast-moving startups. But it also builds muscle.
Because AI is at the heart of our product, we’ve invested heavily in safety infrastructure. From human-in-the-loop QA on our models, to proprietary pipelines that reduce hallucination and bias, to the Limbic Layer - our clinical AI stack that ensures every output is medically safe and explainable.
One of the biggest surprises was the tension between agile software development and regulatory documentation. The two worlds aren’t naturally aligned, but they can be harmonized. By building our own internal systems to track, test, and audit AI development, we found a way to ship at speed without compromising compliance. We now have a repeatable engine for building AI Software as a Medical Device (SaMD) that rivals the most established players in regulated health tech.
Where we really got it right was in our approach to clinical evidence. With ten PhDs on staff, running regulator-grade studies felt natural, and we published three landmark papers in Nature Medicine, BMJ and JMIR demonstrating higher recovery rates and faster access for tens of thousands of patients. Those publications not only satisfied the notified body; they became sales assets that continue to shorten procurement cycles.
All in all, compliance has been a force multiplier, not a blocker. In a market awash with mental health apps, now being powered out of the box by genAI, Class IIa certification instantly filters Limbic into the trustworthy bucket. Buyers can validate the product with objective audited evidence, shortening sales cycles and easing clinician buy-in. In other words, compliance became our growth engine rather than a tax on speed.
Should Every Startup Aim for This?
At Acorn, we help innovators avoid the trap of treating compliance as a last-minute scramble. Even if you’re not ready for Class IIa today, you can still begin laying the groundwork. Here’s how you can get started:
- Define your intended use early. Write it down. Be explicit about what clinical role your product plays. This single statement drives your regulatory trajectory.
- Build compliance incrementally. Adopt a QMS framework (like ISO 13485) before you think you “need” it. Squirrel™ makes this less daunting by automating traceability, audit trails, and documentation as you grow.
- Collect real-world evidence from day one. User studies, safety logs, and early outcome data will all become part of your clinical evaluation file later.
- Plan your resourcing. Regulatory guidance is something you should have engrained in your product cycle. Consultancies are expensive, while the DIY approach is risky, so weigh your options. We built Squirrel™ to fill in the gaps for innovators and support your product through regulatory growth and expansion.
- See compliance as strategy. The companies who succeed, like Limbic, are the ones who embed compliance culture into their organisation and every step of product development.
By roadmapping this way, startups can reach Class IIa readiness at the right time, without derailing product development or burning through investor capital.
There are tradeoffs. Class II+ requires deep investment financially, operationally, and culturally. You’ll need cross-functional buy-in, dedicated regulatory expertise, and a tolerance for being audited at any time. And the ongoing overhead is real: processes need to be lived and maintained, not just set and forgotten. It’s possible to build AI products that are safe, effective, and regulation-ready. But it takes intention. It takes structure. On the upside, independent audits confer deep trust with clinicians, regulators and patients. The licence grants legal permission to automate high-stakes decisions and creates defensibility few competitors can compete with. We remain the only AI mental-health platform with Class IIa certification. -Ben Carrington, Limbic
At the heart of the decision should be what you want your product to do. You may be building something that doesn’t require that level of classification. However, if you’re wanting to inform and drive clinical decisions, you should plan for higher classifications from day one.
Constriction is coming in our industry as regulation catches up to technical advancements. It’s what happened a decade ago in radiology AI. Our bet is the category-defining companies will be those who’ve baked regulation and compliance into their DNA.
We’ve seen what happens when companies avoid this. At the start of the year, an NHS Talking Therapies triage tool from a competitor was pulled from the market after regulators found their claims weren’t supported and the product wasn’t appropriately regulated. That shook providers' trust across the board and reinforced that regulation isn’t a nice-to-have, it’s a moat. For anyone building AI in health: this future is coming. And if you get regulation right, you don’t just survive, you lead.
You can read more about Limbic’s real-world impact in the NHS here.
If you’re thinking about Class IIa—or simply want to make sure your AI health product is future-proof against incoming regulation—Acorn can help. Our Squirrel™ platform guides innovators through every stage of compliance, from ISO to MDR, with automation that saves time, reduces risk, and gets your innovation to those who need it most.