When healthcare innovators understand and can evidence compliance with international standards, the path to a successful DTAC is much simpler and cost effective (once you understand the similarities).
For established UK-based and international businesses, International Standards may already be a necessary part of doing business. For regulated healthcare products, standards such as ISO 13485 and ISO 14971 remain the de-facto standards for quality and risk management. Meanwhile, ISO 27001 is globally recognised as the leading standard in Information Security Management with some healthcare systems mandating its application to healthcare technology.
This blog delves into how compliance with ISO 27001, ISO 9001, ISO 14971, and ISO 13485 helps to meet the obligations for the NHS Digital Technology Assessment Criteria (DTAC), but also sets a firm foundation for global compliance success in health tech.
Understanding ISO Standards
- ISO 9001: This standard focuses on Quality Management Systems (QMS), emphasising customer satisfaction and continuous improvement. It’s essential for health tech companies to ensure product and service quality, and the establishment of a QMS provides a foundation on which to build towards other ISO standards and wider compliance activities.
- ISO 27001: ISO 27001 is a framework for Information Security Management Systems, pivotal for ensuring the security and privacy of sensitive data (such as health data). It provides a comprehensive approach to managing information security risks.
- ISO 13485: This is a Quality Management Standard specifically for Medical Devices – addressing customer and regulatory requirements.
- ISO 14971: Specifically tailored for the medical device industry, ISO 14971 centres on risk management throughout a product’s lifecycle, from design to post-market deployment activities.
Meeting NHS DTAC Obligations
The Digital Technology Assessment Criteria (DTAC) sets the quality standard for digital health technologies used in the UK’s National Health Service (NHS). For any regulated Medical Devices (including Software or AI Medical Devices – SaMD/AiMD) there must be a valid declaration of conformity which by design means innovators must apply ISO 13485 and ISO 14971 as the basis of their quality and risk management system. Without this declaration of conformity, it’s impossible to develop a complete DTAC submission. Despite ISO 14971 being created specifically for medical devices, DCB0129 is based on ISO 14971 and applicable to all health technology used in publicly-funded health and social care services in England, so application of ISO 14971 can help all innovative healthtech companies comply with DTAC. Similar to ISO 9001, ISO 13485 has created a framework for the implementation of all of the DTAC requirements, but specifically Value Proposition, Interoperability, Usability and Accessibility through the Design and Development processes. Whilst not mandated or referenced in the current version of DTAC, compliance with ISO 27001 and ISO 9001 can help in meeting DTAC’s data protection and technical security requirements. Both standards evidence a level of organisational maturity and quality that could pose a competitive advantage for a supplier and whilst not mandated, many NHS organisations will value this additional layer of assurance. Needless to say, compliance with ISO 27001 will go a long way in helping innovators complete the NHS Data Security Protection Toolkit (DSPT); the foundation of the data protection domain in the DTAC submission.How ISO certification will help in international healthcare markets
Adhering to these ISO standards does more than just satisfy NHS requirements. It positions health tech companies on a global platform, demonstrating a commitment to quality, safety, and security that resonates internationally. For example:- ISO 27001 (Information Security Management): ISO 27001 focuses on establishing and improving information security management systems. The DTAC requires robust data protection and technical security measures, especially when handling patient data and healthcare information. By complying with ISO 27001, organisations demonstrate effective information security practices and illustrates to Information Governance teams in the NHS a business commitment to information security best practice.
- ISO 9001 (Quality Management System): This standard is about performance enhancement, customer satisfaction, and a commitment to quality. It involves setting up and continually improving a quality management system or ‘QMS’. The DTAC emphasises the need for quality and safety of digital health technologies. Compliance with ISO 9001 shows that an organisation has a system in place to consistently provide products and services that meet customer and regulatory requirements, aligning with DTAC’s focus on quality and efficacy, while also being a key factor in winning customer trust globally
- ISO 14971 (Medical Devices – Risk Management): ISO 14971 is crucial for medical device developers, offering best practices for risk management across all product lifecycle stages. DTAC includes assessments related to the clinical safety of digital health technologies while ISO 14971 compliance ensures that a company systematically identifies, evaluates, and controls risks associated with their medical devices. This strategically aligns with the DTAC’s clinical safety requirements but does not remove the need for evidence of compliance with the DCB0129 clinical safety standard. We recently wrote about the crossover between these two standards in another blog here.
- ISO 13485 (Medical Devices – Quality Management Systems): ISO 13485 details the requirements for a quality management system where an organisation needs to demonstrate its ability to specifically provide medical devices and related services. This is particularly relevant for medical device suppliers aiming to meet DTAC standards, as it provides a framework for implementing DTAC requirements within the functions of the organisation..
The Road to Compliance
When considering whether to adopt international standards as part of your compliance or regulatory strategy, it’s important to take a structured and informed approach. This will not only ensure organisational alignment but can bolster fundraising efforts and clarify a go-to-market strategy. For new entrants to the UK market, or those just starting in the development of their innovation, we would recommend the following approach to avoid any nasty surprises:- Regulatory Strategy: Develop a Company-wide strategy addressing the specific compliance activities, costs and timelines required to smoothly bring your product to the market(s).
- Gap Analysis: Understand where your company currently stands in relation to the UK and international standards using your regulatory strategy to inform priorities and objectives.
- Design and Build Processes: By developing well-designed processes (in some cases formed into a Management System) implementing new requirements for new markets (like DTAC) can help expedite compliance and reduce the ongoing cost of management.
- Product Documentation: Aligning this to regulatory and market assessment requirements can be tricky, but by following a well defined control process, changes can be easily made, especially for standards like DTAC which need constant updates.
- Regular Audits and Reviews: Compliance is not a one-time event but an ongoing process and DTAC requires equivalent due diligence as other regulatory or compliance activities.