Part of series: UK Health Tech Compliance·Part 1 of 3
UK Health Tech Compliance: See the System
The UK regulatory environment is in significant transition following Brexit and the 2024-2025 MHRA reform programme. CE marking remains accepted until June 2030 for most devices, but companies must prepare for UK-specific requirements including mandatory UK Responsible Person appointment, enhanced post-market surveillance from June 2025, and emerging software/AI-specific pathways.
"Healthcare systems worldwide face a paradox: despite unprecedented investment, outcomes often remain stagnant. The root cause isn't a lack of resources - it's a mismatch between how we think about problems and the nature of the problems themselves."
This framework applies systems thinking to regulatory compliance, transforming what appears as bureaucratic complexity into a navigable, interconnected system.
Phase 1: See the system
Before acting on any compliance requirement, map the interconnections. The UK health technology regulatory landscape comprises five interacting subsystems:
The five regulatory subsystems
MHRA Medical Device Regulations - The foundation governing all medical devices on the Great Britain market. Classification divides devices into four risk classes:
- Class I - Self-certifiable for basic devices
- Class IIa/IIb - Moderate risk requiring UK Approved Body assessment
- Class III - Highest risk with extensive clinical investigation requirements
NICE Evaluation Pathways - Determines NHS reimbursement and adoption through the Evidence Standards Framework for Digital Health Technologies:
- Tier 1: System service DHTs (communicate/store data)
- Tier 2: Tools informing clinical management
- Tier 3a: Active monitoring and prevention
- Tier 3b: Treatment or diagnosis (highest evidence bar)
NHS Digital Technology Assessment Criteria - Mandatory baseline for all digital health technologies procured by NHS, covering:
- Clinical safety (DCB0129/DCB0160)
- Data protection (UK GDPR, DSPT)
- Cybersecurity (Cyber Essentials)
- Interoperability (FHIR, NHS Login)
Data Protection Framework - Layered information governance requirements:
- UK GDPR compliance
- NHS Data Security and Protection Toolkit (DSPT)
- Cyber Essentials certification
- Caldicott Principles adherence
NHS Procurement Routes - Multiple pathways to market access:
- G-Cloud frameworks for proven technologies
- Local ICB procurement for bespoke requirements
- Innovation DPS for novel technologies
- NICE evaluation for reimbursement
Mapping the stocks and flows
Using the fundamentals of systems theory, we can identify:
| Element | Examples | Significance |
|---|---|---|
| Stocks | Technical documentation, clinical evidence, certifications, relationships | What accumulates over time |
| Flows | Application submissions, audit cycles, evidence generation | What moves between stocks |
| Feedback loops | MHRA consultations, post-market surveillance, NICE reassessment | How the system responds to itself |
| Delays | 8+ month UK Approved Body queues, 12-36 month clinical investigations | Where effects lag behind causes |
| Boundaries | GB vs EU markets, device vs non-device classification | What you're including and excluding |
"Most software as medical device (SaMD) currently classified as Class I will be reclassified to minimum Class IIa under forthcoming changes - a system-wide shift requiring proactive response, not reactive compliance."
Phase 2: Diagnose the leverage points
Not all compliance activities are equal. The Chandegra Model prioritises interventions by leverage level.
High leverage: Mindsets and paradigms
The most powerful leverage point is shifting from "compliance as cost" to "compliance as competitive advantage." Companies beginning regulatory planning at concept stage reduce time to market by 30-40% and avoid costly design changes.
Every £1 invested in early MHRA consultation (£987 per hour) generates 50-100x ROI through preventing technical file rework.
Medium leverage: Rules and information flows
Understanding classification rules determines your entire pathway. Device classification follows Annex IX rules based on:
- Invasiveness and duration of contact
- Body location and intended purpose
- Significance of information provided (for software)
Software classification specifically depends on:
- "Low functionality" (stores/communicates without modification) - Generally not medical devices
- "High functionality" (AI/ML, personalised recommendations, complex calculations) - Typically medical devices requiring oversight
Lower leverage: Physical stocks and resources
While easiest to measure, simply throwing resources at compliance without understanding system dynamics leads to waste. The key is matching resource allocation to actual bottlenecks.
Current critical bottleneck: UK Approved Body capacity - only seven designated bodies as of 2023, many not accepting new clients, 8+ month waiting lists, and 780% projected workload increase.
What's next
Now that you understand the system landscape and leverage points, Part 2: Design the Pathways covers the specific requirements for MHRA registration, NICE evidence generation, and NHS DTAC compliance.
Related reading:
- The systems paradigm - Philosophical foundations of systems thinking
- Fundamentals of systems theory - Core concepts: feedback, emergence, boundaries
- About The Chandegra Model - Framework for healthcare system design
Continue in UK Health Tech Compliance