Transparency matters. Too many healthcare AI companies make vague claims about "regulatory approval" without showing their work. Here's our detailed roadmap to MHRA authorization—timeline, costs, standards, and why it takes 12-18 months.
Current Status: In Development
Let's be absolutely clear: HeAIth does NOT have MHRA approval. We are an investigational clinical decision support tool in development.
This means:
- We cannot be used for clinical care
- We are not available for sale or distribution
- We do not have a UKCA marking
- We are in the regulatory preparation phase
Expected MHRA authorization: Q3 2026 (subject to funding and successful compliance)
What is MHRA AIaMD Classification?
The Medicines and Healthcare products Regulatory Agency (MHRA) classifies medical devices based on risk. HeAIth falls under:
- Class IIb Software as a Medical Device (SaMD) – Moderate to high risk
- AI as a Medical Device (AIaMD) – Uses machine learning/AI for clinical decision support
Why Class IIb?
Our classification is based on intended use:
- We provide differential diagnoses that inform treatment decisions
- We recommend investigations for diagnostic workup
- Incorrect or missed suggestions could lead to patient harm
This classification requires conformity assessment by a UK Approved Body—a third-party auditor that verifies our quality management system and technical documentation.
The 7-Phase Regulatory Pathway
Regulatory authorization isn't a single event—it's a 12-18 month process with distinct phases:
Phase 1: Foundation (Q4 2025 – Months 1-3)
- Regulatory strategy finalization
- Clinical Safety Officer (CSO) appointment
- Data Protection Officer (DPO) appointment
- Documentation framework establishment
- Device classification confirmation
Cost: £35,000 - £100,000
Phase 2: Quality & Safety Systems (Q1 2026 – Months 3-6)
- ISO 13485 Quality Management System implementation
- ISO 14971 Risk Management framework
- DCB0129 Clinical Safety compliance
- Hazard identification and analysis
- Clinical Safety Case Report development
Cost: £40,000 - £80,000
Phase 3: Technical Documentation (Q1 2026 – Months 6-9)
- Technical File preparation
- Clinical Evaluation Report
- Data Protection Impact Assessment
- ICO registration
- Clinical validation studies
Cost: £30,000 - £60,000
Phase 4: Conformity Assessment (Q2 2026 – Months 9-12)
- UK Approved Body engagement
- QMS audit and technical file review
- UKCA Certificate of Conformity
- MHRA device registration (£240)
Cost: £15,000 - £40,000
Phase 5: NHS Readiness (Q2 2026 – Months 10-12)
- NHS DTAC completion
- Cyber Essentials certification
- Penetration testing
- HL7 FHIR interoperability
- NHS Digital integration testing
Cost: £35,000 - £95,000
Phase 6: Market Entry (Q3 2026 – Months 12-15)
- UKCA marking affixed
- Declaration of Conformity
- Post-market surveillance system active
- Limited NHS pilot release (2-3 trusts)
Cost: £10,000 - £25,000
Phase 7: Post-Market (Ongoing)
- Continuous performance monitoring
- MHRA incident reporting (Yellow Card)
- Annual management reviews
- Clinical evaluation updates
Cost: £20,000 - £50,000/year
Total Investment: £250,000 - £500,000
Full regulatory compliance requires substantial investment. Here's the breakdown:
- ISO 13485 QMS Implementation & Certification: £20,000 - £50,000
- Clinical Safety Officer (DCB0129): £20,000 - £100,000/year
- Data Protection Officer (UK GDPR): £15,000 - £80,000/year
- UK Approved Body Assessment: £15,000 - £40,000
- Clinical Evaluation & Validation Studies: £10,000 - £25,000
- NHS DTAC & Technical Assurance: £10,000 - £30,000
- NHS Interoperability (FHIR): £20,000 - £50,000
- Regulatory Consulting & Support: £20,000 - £60,000
This represents 35% of our £500k-700k seed funding round. We're not cutting corners on compliance.
Key Standards & Compliance
MHRA Regulations
UK Medical Device Regulations 2002 (UK MDR 2002), UKCA marking pathway, AIaMD classification under 2025 MHRA AI/ML guidance.
Quality Management (ISO 13485:2016)
Comprehensive quality management system covering design, development, production, installation, servicing, and post-market surveillance. Audited annually by a UK Approved Body.
Risk Management (ISO 14971:2019)
Systematic risk identification, analysis, evaluation, and control. Covers clinical risks, data security risks, and AI-specific risks like algorithmic bias.
Clinical Safety (DCB0129/DCB0160)
NHS Digital standards for clinical safety. Requires an appointed Clinical Safety Officer (a registered UK clinician), hazard analysis, and a Clinical Safety Case Report.
NHS Digital Technology Assessment Criteria (DTAC)
Essential for NHS procurement eligibility. Covers clinical safety, data protection, technical security, interoperability, and usability.
Data Protection (UK GDPR)
Data Protection Act 2018 compliance, Data Protection Impact Assessment (DPIA), ICO registration, NHS DSPT standards.
Cybersecurity
Cyber Essentials certification (annual), ISO 27001 alignment, regular penetration testing, vulnerability management.
Interoperability (HL7 FHIR R4)
Integration with NHS GP systems (EMIS, SystmOne), hospital EPRs, and NHS Digital infrastructure. SNOMED CT clinical terminology support.
Why It Takes 12-18 Months
Many healthcare startups underestimate regulatory timelines. Here's why it genuinely takes this long:
- ISO 13485 implementation – 4-8 months to build QMS, conduct internal audits, and prepare for external audit
- Clinical validation studies – 3-6 months to design, conduct, and analyze multi-site studies
- UK Approved Body review – 3-6 months for conformity assessment and QMS audit
- Technical File preparation – 2-4 months to compile comprehensive documentation
- NHS DTAC completion – 2-3 months for technical assurance evidence
Rushing this process leads to failures. We've built realistic timelines with contingency.
Why Transparency Matters
The healthcare AI space has a credibility problem. Companies claim "FDA/MHRA approval" when they mean "registered as a general wellness app." They promise launch dates without understanding regulatory requirements.
We're taking a different approach:
- We clearly state we're "in development" and don't have approval yet
- We provide realistic timelines based on research and expert guidance
- We openly share our regulatory roadmap and compliance requirements
- We acknowledge the complexity and investment required
- We will never claim approval until we have it
This transparency builds trust with advisors, investors, and future customers. It also sets realistic expectations about what's required to bring a safe, effective medical device to market.
Questions?
If you have questions about our regulatory status or compliance approach:
- Email: maximus.smith@heaith.co.uk
- Subject: "Regulatory Status"
- Full details: Regulatory Status Page