Is my software a medical device?

If your software has a medical purpose for an individual patient, such as diagnosis, prevention, monitoring, prediction, prognosis, or treatment, it is likely Software as a Medical Device (SaMD) and falls under MHRA regulation in the UK. Software that only stores, displays, or communicates data without interpreting it for a clinical decision is usually not a medical device. The boundary is fact-specific, so confirm classification before relying on it.

If I am a CE or UKCA marked medical device, do I still need DCB 0129?

Yes, if the product is used in NHS care. Medical device marking and DCB 0129 are different regimes covering different risks. Device marking covers conformity of the device itself; DCB 0129 covers clinical safety of the health IT system in NHS use. Being a marked device does not exempt you from DCB 0129.

Do I need both MHRA registration and DCB 0129?

Often, yes. If your product is a medical device and it is used in the NHS, you typically need MHRA registration and UKCA marking for the device, plus a DCB 0129 clinical safety case for NHS deployment, plus DTAC for procurement. They are complementary, not interchangeable.

Which comes first, the medical device work or DCB 0129?

Run them in parallel where you can. Device classification and conformity work shape the product; DCB 0129 hazard analysis shapes how it is safely deployed in the NHS. Both are cheapest when started during design rather than at launch.

DCB 0129 or a Medical Device? When You Need Which

One of the most common questions I get from founders is some version of: "We are getting CE or UKCA marked as a medical device, so we do not also need DCB 0129, right?" Or the reverse: "We are doing DCB 0129, so we do not need to worry about the MHRA." Both assumptions are wrong, and getting them wrong is expensive. These are two separate regimes that answer two separate questions, and plenty of products need both.

Two different questions

Hold these apart in your head and most of the confusion disappears.

Is it a medical device? That is a regulatory question for the MHRA. It is about the product itself and whether it meets device requirements.
Is it safe health IT in the NHS? That is a clinical safety question answered by DCB 0129. It is about how the software behaves in a clinical workflow and whether it could contribute to patient harm.

A product can be a medical device but not used in the NHS. It can be used in the NHS but not be a medical device. It can be both. The two questions do not collapse into one another.

The medical device side (MHRA)

In the UK, medical devices are regulated by the MHRA under the Medical Devices Regulations 2002. Software counts as a medical device, often called Software as a Medical Device or SaMD, when it has a medical purpose for an individual: diagnosis, prevention, monitoring, prediction, prognosis, or treatment. A symptom checker that suggests a likely condition is probably a device. A tool that simply stores and displays a record, without interpreting it, usually is not.

If your software is a device, you have to classify it (the risk-based class drives how much scrutiny applies), demonstrate conformity, apply UKCA marking (CE marking is accepted during the current transition), and register with the MHRA. Higher-risk classes need involvement from an approved body. This regime is about the device being fit and conformant.

The clinical safety side (DCB 0129)

DCB 0129 is an NHS information standard, mandatory under the Health and Social Care Act 2012 for health IT used in NHS care. It does not ask whether your product is a conformant device. It asks whether, in the specific way it is used in a clinical setting, it could contribute to a patient being harmed, and it makes you prove you have analysed and controlled those hazards with a named Clinical Safety Officer signing it off. If you want the full picture, read DCB 0129 explained in plain English.

Crucially, being a marked medical device does not satisfy DCB 0129. A device can be perfectly conformant and still be deployed in a way that creates clinical hazards, for example by surfacing a result at the wrong moment in a workflow. DCB 0129 exists to catch exactly that.

The simple matrix

Here is the practical decision.

Medical device, used in the NHS: you need MHRA registration and UKCA marking for the device, plus DCB 0129 for NHS deployment, plus DTAC for procurement. This is the common case for clinical AI.
Not a device, but health IT used in the NHS: no MHRA device work, but you still need DCB 0129 and DTAC.
A device sold outside NHS care: MHRA device requirements apply, but DCB 0129 may not, because DCB 0129 is specifically about NHS health IT.

If you sell clinical AI into NHS trusts, assume you are in the first row until a regulatory assessment tells you otherwise.

Why one never replaces the other

They cover different failure modes. Device regulation asks: is this thing built and validated to be what it claims to be? Clinical safety asks: deployed into this messy human workflow, could it still hurt someone, and have you designed that risk down? A product can pass one and fail the other. That is why NHS buyers, through DTAC, ask for both your device status and your clinical safety case. For how all of this gets packaged at procurement, see DTAC explained in plain English.

Common questions

We are pre-revenue, can we defer this? You can defer registration, but not the thinking. Classification and hazard analysis should shape the design. Deferring them just means reworking the product later under a deadline.

Does CE marking still count in the UK? CE marking is accepted during the current transition period; UKCA is the UK route. Confirm the current position for your class before relying on it, as timelines have shifted more than once.

Who decides if we are a medical device? Classification is your responsibility as the manufacturer, against MHRA guidance. Get it confirmed rather than assumed, because the answer changes your whole obligations stack.

DCB 0129 or a
medical device?