4.1.1 Identifying applicable rules and regulations

Practical guidance - healthcare

Authors: S. White, NHS Digital and R. Pearson, Medicines and Healthcare Regulatory Agency


The following guidance may help manufacturers[1] of Digital Health Technology (DHT) products that are intended to be used for health or social care purposes in the UK understand the regulation that applies to safe product development.

The existing regulatory landscape

Ensuring the development of safe digital products for use in healthcare in the UK is of paramount importance. The principles of risk management are adopted to support this, and the associated risk management requirements are governed via two frameworks. Establishing which framework applies can be difficult and is determined by considering the intended purpose of the product and the country in which it will be placed on the market.

DHT is generally classified into 1 of 2 types: Medical Device (MD) or Health Information Technology (HIT).

The definition of an MD is established through the medical device regulations. In the UK, with the exception of Northern Ireland, the Medical Devices Regulations 2002 [1] apply. Currently, the European Medical Device Regulations EU 2017/745 [2] apply in Northern Ireland. The regulations are established in statute, and manufacturers of MDs must comply with the relevant regulation depending on where they intend to deploy or place their product on the market. The Medicines and Healthcare products Regulatory Agency (MHRA), an executive agency of the Department of Health and Social Care, is responsible for regulating the UK medical devices market.

HIT products can be defined as a “product used to provide electronic information for health or social care purposes ...” [3] and fall outside the scope of the MDRs. Regulation of HIT is not as strongly governed, and only England has legislation addressing the safe development of such products. This is established through the DCB 0129 [3] standard, which is mandated through Section 250 of the Health and Social Care Act 2012. The Health and Social Care Act applies in the context of the provision of health and adult social care services. DCB 0129 also applies to MDs (in addition to MDR 2002) where the MD is implemented within a HIT product. An example of this would be the implementation of a QRisk3[2] calculator in a primary care HIT product. NHS Digital is responsible for maintaining DCB 0129, but its jurisdiction extends only to those suppliers wishing to integrate into the NHS infrastructure at a national level. Manufacturers who deploy directly into health or social care organisations will need to self-manage the requirements of the standard.

Guidance has been developed during the SAFR project to support interpretation of the applicability of the above: Applicability of DCB 0129 & DCB 0160 [CST-RPT01-02]

A risk-based approach

Both regulatory regimes are similar in that they adopt a pro-active risk-based approach to ensuring safe DHT product development.

MDR risk management requirements can be addressed through compliance with the harmonised[3] standard ISO 14971 [4]. It is a process standard that assists manufacturers of MDs to identify the hazards associated with the MD, to estimate and evaluate the associated risk, to control these risks, and to monitor the effectiveness of the controls during use of the MD.

IEC 62304 [5] defines the life cycle requirements for MD software. Similar to ISO 14971, this standard uses a risk-based approach to determine the classification of the software, which in turn establishes the specific requirements that must be met.

DCB 0129 is similar in that it is a process standard, with the original version, DSCN 14/2009, being derived from ISO 14971. Although DCB 0129 has subsequently been redesigned and looks different from ISO 14971, the fundamental concepts, objectives and activities remain comparable between the two risk management standards.

The concept of classification has not been adopted in the HIT domain as HIT products do not administer care; invariably there is a healthcare professional in the care pathway who remains responsible for the administration of a care decision or activity. However, DCB 0129 does recognise that HIT products can have different risk profiles, so the concept of proportionality has been incorporated into the standard to ensure resources are used to greatest benefit.

To assist manufacturers of DHT products, the SAFR project has conducted a side-by-side review of DCB 0129 and ISO 14971 to identify:

  • Direct and complete requirement-to-requirement correlation.
  • Direct but partial requirement-to-requirement correlation, or correlation of a requirement with EN 14971 narrative.
  • No direct or partial correlation.

The conclusions of this work are documented in AAIP BoK 4.1.2 Understanding the requirements of rules and regulations.

The future regulatory landscape

The MHRA have recognised the limitations of the existing regulations and are currently working under the powers of the Medicines and Medical Devices Act [6] to replace the existing UK legislation. A key factor influencing this work is the need to address the challenges presented by novel, data-driven DHT such as AI. The Software and AI as a Medical Device Change Programme provides the context and detail of the work being conducted with respect to the future regulation of software- and AI-based MDs.

Once the new MDR regulations are established, and considering the similarity between ISO 14971 and DCB 0129 discussed above, work needs to be undertaken to consider whether the objectives of DCB 0129 can be realised through the adoption of ISO 14971, thereby simplifying the risk management requirements across the DHT manufacturing community.


[1] The Medical Devices Regulations, 2002.

[2] European Medical Device Regulations, (EU) 2017/745, 2017.

[3] NHS, DCB0129: Clinical Risk Management: Its Application in the Manufacture of Health IT Systems, 2018.

[4] ISO, ISO 14971:2019, Medical devices — Application of risk management to medical devices, 2019.

[5] IEC, IEC 62304:2006 A1:2015, Medical device software — Software life cycle processes — Amendment 1, 2015.

[6] Medicines and Medical Devices Act, 2021.


[1] Manufacturer is defined as an organisation that places a product on the market

[2] QRISK3 algorithm calculates a person's risk of developing a heart attack or stroke over the next 10 years

[3] A harmonised standard is a standard developed by a recognised Standards Organisation that can be used to demonstrate that products, services, or processes comply with relevant legislation.

Contact us

Assuring Autonomy International Programme

+44 (0)1904 325345
Institute for Safe Autonomy, University of York, Deramore Lane, York YO10 5GH
