Five key differences between the Medical Device Directive and SCCI 0129
Home / Blog / Five key differences between the Medical Device Directive and SCCI 0129
Clinical Risk Management Training
10 October 2013, by , in Blog, 5 comments

Are you confused by the different safety standards and regulations which apply to eHealth? Certainly the relationship between the Medical Device Directive (MDD) and eHealth Safety Standards SCCI 0129 and SCCI 0160 can, at times, be complex. The SCCI Standards tell us that only one or the other can apply to a particular product so how do the scope and requirements of the two compare? Here are five differences between the two:

  1. The MDD only applies to eHealth systems which meet defined criteria based on the product’s functionality and Intended Purpose. The SCCI Standards apply to all products (apart from Medical Devices) which have the potential to adversely impact the care of individual patients. So, a TeleHealth system which provides advice on the basis of blood pressure measurements taken from a patient might be a Medical Device. An EPR which simply lists blood pressure recordings over time might not a Medical Device but would be subject to the SCCIs. A product which ascertains mean blood pressure for a cohort of patients for research purposes might not be subject to either.
  2. The SCCI Standards are enforced through policy, procurement and local commercial contracts. The MDD is a piece of European Law which is enacted as a regulation by parliament. The directive is enforced by the MHRA and there can be serious implications if a Manufacturer fails to comply.
  3. Products compliant with the MDD must be CE Marked and be accompanied by a Declaration of Conformity; it is for the Manufacturer and Notified Bodies to take a view on the product’s safety position at the time of certifying the product. In contrast there is no SCCI 0129 ‘certificate’. Products compliant with the SCCI Standards are accompanied by a Safety Case. It is for Healthcare organisations to judge the safety position of the system based on that Safety Case (supported as appropriate by NHS Digital).
  4. The SCCI Standards set out the requirements for a risk management system. The MDD also has requirements for a risk management system but also a number of other things (quality management system, clinical effectiveness, security, management of complaints and investigations, compliance with other harmonized standards, etc.) Whilst manufacturers may choose to undertake these activities anyway as part of their business case and product lifecycle they would not be audited against SCCI 0129.
  5. MDD compliance can only be undertaken by the Manufacturer. Whilst SCCI 0129 is addressed to Manufacturers, compliance activities could be undertaken by a System Integrator or other stakeholder providing that they have adequate knowledge of the product and the support of the manufacturer. Each Safety Case is considered on its merits irrespective of the precise authoring party.

Dr Adrian Stavert-Dobson is the Managing Partner of Safehand, independent consultants in clinical risk management, and the author of Health Information Systems: Managing Clinical Risk.

About author:

5 Comments on "Five key differences between the Medical Device Directive and SCCI 0129"

lindaclegg - 11 October 2013 Reply

Reblogged this on lindaclegg and commented: Interesting new clinical risk management blog, worth w read.

Dr Michael Richards - 24 July 2014 Reply

I found this really useful. If I understand it MDD certification for software is a legal requirement but ISB0129 certification is brought about by pressure of the procuring organisations - does it have any legal back up? My Trust has a COTS medical programme which has been registered for historical reasons as medical device software for many years but as far as I can see it has been developed into a fully fledged EPR (and is advertised as an EPR by the company) for which MDD standards aren't really designed. It has been heavily tested by the programmers to ensure accuracy of any output (MDD) - but not tested or errors logged when used by humans (0129)! The company don't want the expense of being compliant for 0129 as well as MDD compliant! To complete the required ISB 0160 for this system for my organisation I really need to have the ISB 0129 documents though I realise I could do 0160 'blind' - it would be much better to do this with the manufacturers logs. I assume we can only enforce this change in the Manufacturers attitude to being ISB 0129 compliant at re-procurement when we can specify ISB 0129 compliance as being a requisite - unless 0129 is UK law for deployed systems that manage patients even though the system may be MDD compliant? Michael Richards CCIO & IT safety

    astavertdobson - 29 July 2014 Reply

    Thanks Michael, some interesting points. Technically of course a product usually needs to comply with either ISB0129 or MDD. Similarly if a product is MDD you don't often need to do ISB0160. I'll drop you an email as I might be able to provide some advice. Cheers, Adrian Stavert-Dobson

Pauline Sweetman - 26 November 2014 Reply

Thanks for such a good summary, I have found the same. I have recently been discussing how, when the electronic prescribing system integrates with and controls a smart pump it will need to be CE marked, and then, perhaps, may be covered under CE marking rather than ISB 0129

    Dr Michael Richards - 27 November 2014 Reply

    Pauline, correct me if I'm wrong - the pump is a medical device and the messages it requires to drive it safely and its performance will be catalogued and will be risk assessed in the medical device format ie tested in the laboratory and CE marked. The ISB0129 will be the software manufacturer's risk logs of how users control the pump using the e-prescribing software? I assume that would include a list of known compatible pumps? So if the pump has the appropriate CE mark and the software has had ISB0129 and 0160 risk assessments - isn't that enough? Or do I need to do more?

Leave a Reply