UK –MHRA and DTAC update -March 2024

Deviceology took part in update meetings with NHS England and the MHRA in the last fortnight, outlining the direction of travel for revised UK medical device regulations and the NHS Digital Technology Assessment Criteria (DTAC). Our takeaways were:

There will be significant alignment with the new UK MDR regulations and EU regulations when the scope of regulations in published. The draft scope shows alignment to EU classification rules with a new rule for standalone software, and the substantive adoption of post-market surveillance requirements outlined in point 17 of the EU MDR’s general safety and performance requirements.

The UK regulations will align with the International Medical Device Regulators Forum guidelines on device classification for software as a medical device (not IVDs) and IVD medical devices classification with 3 UK specific adoptions related to monitoring infectious loads of life-threatening diseases, and devices intended to screen, detect or diagnose neuro-generative or cardiovascular diseases.

In practice, this means most software and artificial intelligence as a medical device is likely to fall under a higher risk classification once the regulations are adopted. Manufacturers will be expected to implement the enacting guidance to comply with the essential requirements of the new regulations. It is planned that direct-to-consumer tests, companion diagnostics, software and AI diagnostic IVDs, wearables (with a medical purpose) currently outside of the IVD regulations, will be in scope of future UK regulations.

The new regulations will also enable pre-determined change control plans on a voluntary basis and outline minimum requirements for IT security measures across hardware, IT networks and associated software.

The proposed scope will address one anomaly of Brexit that has seen the UK revert to a 30 year regulatory framework for medical devices, whilst the rest of Europe has adopted the 2017 MDR regulations.  Greater harmonisation and a twenty-first century regulatory framework should be welcomed, It makes little sense to require manufacturers to go through duplicate conformity assessments of near-identical requirements, so here’s hoping the regulations allow for portability or recognition of CE marked devices in the UK.

Revised regulations will be made public when presented to the World Trade Organisation later in 2024. Current planning is for post-market surveillance regulations to be in force later in 2024 and future regulations in 2025 subject to introduction and approval of three standing orders before parliament. The MHRA roadmap for the future regulatory framework is available here.

There was some helpful clarity from NHS England following a rapid review of the DTAC that a DTAC assessment is done by a procuring NHS organisation, and a recognition that the current DTAC framework needs revision to provide better assurance and promote effective use of digital technology.

DTAC plays an important and valued role in providing a framework for both suppliers and buyers to make sure the technology used in the healthcare system is safe, secure and usable, but its now nearly three years since the DTAC was published back in April 2021, and it has not received any updates since its first publication, so a review is well overdue.  NHS England mapped out activities to conduct a line-by-line review of the current criteria which they hope will lead to a future revision sometime in 2025. Until then the current DTAC remains as is.

It was interesting to note the on-going confusion about DTAC certification (for the avoidance of doubt – there is no DTAC certification available), and common desire across NHS England and manufacturers to reduce the compliance burden.

NHS England acknowledged several opportunities for improvements to reduce the burden on providers and suppliers: forms can be simplified with clearer and better guidance on when criteria apply, the process can be made more user-friendly and streamlined, and duplicated assessments reduced.  

At Deviceology we’d like to see an updated process avoid repetitive assessments for suppliers across various NHS and social care organisations and meaningless questions. Questions around interoperability and usability should differentiate maturity and capability of applications. Most organisations assert they are working towards WCAG compliance, have a multidisciplinary team and can share data. In its current form, these questions do not help distinguish the level of integration, ease of data sharing or accessibility.

Differentiated DTAC criteria for enabling, patient facing and hospital systems with criteria tailored to the characteristics and risks of product types would make this assessment more meaningful and any future assessment should consider whether suppliers have a robust Quality Management System in place, such as ISO 9001 or ISO 13485 for medical devices, to ensure consistent quality.

Our biggest concern with the DTAC in it’s current form, is that technology has outpaced what was good three years ago.  The current criteria lack the rigour to effectively identify and evaluate potential safety and performance concerns and mitigating controls for artificial-intelligence driven digital technology. With a 12 month timescale for revision, there is scope for these weaknesses to be addressed, and in the meantime we’d encourage manufacturers and health IT organisations to implement effective AI management systems frameworks based on ISO42001.

See you at Rewired!