Justin McCarthy at the 2017 EBME SeminarWhat I'm going to talk to you today about is regulations, guidance, and standards.

What’s it all about?

What I want to try and do is bring some clarity to the difference between regulations, guidance, and standards.

Then I want to talk to you about an important issue for the future that’s coming through in the next couple of weeks.

Now, you may consider this the boring bit, but my colleagues will liven it up a bit later, but there’s an important message here, I hope.

Let’s look at regulations. Regulations are what the law is, but they're always written in very general terms, because most regulations are covering a very broad range of situations.

Usually regulations are followed up with guidance. It can be guidance that’s formal guidance from the organisation that’s been responsible for the regulations. There’s an awful lot of guidance documents from the Health and Safety Executive, for example.

Guidance can also be from respected professional organisations, like the IET or IPEM in our field.

Sometimes formal official guidance is called an Approved Code of Practice, and actually they have a slightly higher status in the pecking order of guidance. If it’s an Approved Code of Practice you really need to be looking at it carefully.

Then we have standards. An important thing about standards is that they're voluntary. People have a misconception that standards are the law. They're not. Standards are voluntary.

They represent state of the art. On the other hand, I know from my own experience of chairing a standards committee that they're the result of compromise. They're what emerge from consensus around the table in discussing a particular issue.

The important thing about standards is that they usually always give detailed processes or detailed requirements, detailed technical requirements or details of processes that ought to be followed if you're following that standard.

So that’s an important distinction between regulations, guidance, and standards. I want to try and illustrate it with something that will be familiar to most of you.

Let’s have a look at this, Electricity at Work Regulations. Now, don’t let anyone ever tell you that there’s an Electricity at Work Act. There’s no such thing. It’s a set of regulations made under the Health and Safety at Work Act.

If you take as an example from Regulation 4(1) in the Electricity at Work Regulations it says, ‘All systems shall at all times be of such construction so as to prevent danger. Systems is a defined term and danger is a defined term in the regulations’. That’s what the law says. That’s the legal requirement.

In Regulation 2 it defines systems such that it includes electrical equipment, and it defines electrical equipment such that it includes plugged-in equipment.

We’re familiar with that. We know that there is something in the Electricity at Work Regulations that involves particularly the plugged-in equipment or the fixed equipment that we’re all used to dealing with. So that’s what the law says.

You look at the guidance, and frankly it’s not worth going out and buying the regulation. You can buy the regulation from HMSO and it’s just the regulations.

You can also buy HSE’s guidance to the regulations, and it includes all the wording of the regulations, but the guidance notes in it as well. And that’s the same across many, many of certainly the HSE regulations.

Paragraph 62, regarding Regulation 4(1), says, ‘The word construction in the regulation has a wide application. It may be considered to cover physical conditions and arrangements of components at any time during its life’. That’s my emphasis.

So the regulation is not just about making sure that equipment is well constructed when it’s new, but it’s also about making sure that it remains safe throughout its working life.

So that’s beginning to put a bit more meat on the bones, so to speak. We’re getting a bit more detail from the guidance.

If we look at regulation 4(2) now. This is one that’s particularly important for us as clinical engineers. The regulation says, ‘As may be necessary to prevent danger, all systems shall be maintained so as to prevent such danger’.

Now, that’s terribly general. What does it mean? What have we got to do?

The interesting thing to note is there is absolutely nothing in there about doing PAT testing. There’s absolutely nothing in there about testing equipment once a year. That’s not part of the law. What you have to do is demonstrate that you're meeting this really rather vague and general regulation.

You then look at the guidance, and the guidance again starts to build on that. Starts to give us some… guidance. Some clearer vision of where we’re going.

It says, ‘Inspection, and where necessary testing, is an essential part.’ And it says, ‘Practical experience of use may indicate an adjustment to the frequency’. Then, very importantly, it says, ‘This is a matter for the judgment of duty holders’.

Now, the duty holder again is a defined term. Strictly speaking it means the legal person, the organisation that has the responsibility for the equipment.

Of course, in a big organisation like an NHS Trust that gets devolved down to the clinical engineering department, in terms of medical devices. Medical equipment, anyway.

Once again there’s nothing absolutely specific about what you should do and how often you should do it. You’ve got to use your judgment, and the issue of practical experience is very important.

That’s why it’s important to keep records of what you're doing. So that you can look back and say, “Well, when we did it every six months we never found anything as a problem, so that’s a reason for extending the term”, etc.

The point I'm trying to make is that the legal requirement is written in very general terms. The guidance begins to get a bit more specific.

Then let’s have a look at where standards come in. Because in these regulations, and I'm just using this as one example, there is absolutely nothing in the regulation about standards.

When you look at the guidance it mostly uses the words ‘should’ and ‘shall’. Now, certainly in standards speak they're not requirements. They're guidance.

One of the things it does say, it’s one of the only references, actually, to a standard, it says, ‘Standards such as 7671’. Does anyone know what 7671 is? What’s it usually called?

It’s usually called the Wiring Regulations. It’s very badly named, because they're not regulations. It’s a standard. It’s the old IET Wiring Regulations that are now issued as a British Standard, and are lined up with a European and an IEC standard.

So there’s a reference out to a standard. ‘Standards such as can provide assistance, but ultimately compliance with the regulation is required’.

So you’ve got to get those three issues of regulation, guidance, and standards in the right order and the right understanding.

I found one thing where there is a ‘must’ in the guidance. I'm not sure whether the writers of the guidance were as assiduous in their use of ‘must’, and ‘shall’, and ‘can’ as we are in writing standards, but it does say this. It says, ‘Plugs and sockets for portable equipment must be constructed according to appropriate standards’.

Again, not referencing any particular standard, but that to me would mean that if you're using a 13 amp plug on the end of a piece of equipment then you must use a plug that’s made to the BS1361, I think it is. Is it 1361 or 1362? As opposed to a cheap Chinese import.

There is a ‘must’ there. So there’s a bit more strength in that bit of the guidance.

Do they matter? Do standards matter? Are they important? I've been talking them down in a way. Well, that’s strange coming from a person who chairs the IEC committee for the 60601-1 standard.

They are important, but they must be used in the right context. They're not always the only source of guidance. And, if you're going to use a standard, it’s actually very important that you read the introduction to the standard and you read the scope. There’s always a scope statement.

The 60601 standard, for example, the general standard, is actually a standard that’s aimed at designers and manufacturers. There’s just one small bit in it that’s actually aimed at users, at what they call ‘the responsible organisation’, and that’s in Clause 16 about medical electrical systems.

In most standards, certainly most IEC standards, there’s also an informative Annexe A. What that informative annexe does, it’s not part of the normative, the requirement of the standard, but it adds in additional explanatory issues in relation to a particular clause.

If you look at the 60601 standard against some clause numbers there’s an asterisk. What the asterisk means is that there’s an entry in annexe A about it, and you really need to look at it at the same time, if you're looking at the standard.

What I want to do now is just to tell you about a new regulation and its link to standards.

Back in 2012 there was a proposal from the European Commission to replace the Medical Devices Directive.

I'm making the assumption that you all know that there is a Medical Devices Directive. That’s the directive that gives the CE mark on medical devices.

There was a proposal to change it from a directive to a European regulation, and the final text of that regulation was agreed by the Council of Ministers.

Because at the end of the day the Commission get a bad rap, but the Commission actually only draft and propose stuff. The agreement is made jointly by the Council, the representatives of the member states, and then by the European Parliament.

The new regulation was approved by the Parliament on 4th April. It will be published in the official journal in the next few weeks, and will come into force twenty days after publication, with a three-year transition period. So there’s not a mad panic, but there are things we’re going to have to do.

There’s a difference in the legal requirements between a directive and a regulation, in that directives are the European Union saying to member states, “Take this legislation in this area and put it into your own legislation.”

So there’s wiggle room. It can be interpreted slightly differently in the UK than in France or Germany. Which it was in respect of what I'm going to talk to you about.

Whereas a European Regulation becomes law. It’s all drafted in English, but then translated into the other 27 languages. It becomes law in all of those 28 member states once it’s published. It doesn’t need ‘transposing’ is the technical term they use.

The legal requirement for the medical device is set out in Annexe 1. They now call it the General Safety and Performance Requirements. In the directive it was called the essential requirements. New name, but very, very similar requirements. Probably a bit stricter, but similar.

It says, ‘Devices should be designed and manufactured in such a way as to avoid, as far as possible, the risks of accidental electric shocks to patients, users, or other persons’. That’s all it says about electrical safety.

How do we go about interpreting that? Well, there’s no citation of a particular standard, but Article 8.1 in the regulation, and there was a similar thing in the directive as well, says, ‘Devices which are in conformity with the relevant harmonised standards, or the relevant parts of those standards, shall be presumed to be in conformity with the requirements of this regulation’.

All of a sudden the standards take on a very important place, because it’s not the only way you can do it but it’s one of the ways of saying, “Well, I meet the requirements in Annexe 1 of the regulation, because I meet this standard, and this standard has been harmonised. This standard has been approved.”

All of a sudden standards can give this presumption of conformity. So it elevates the standard to a quasi-legal status.

You don’t have to. The requirement is to meet the requirement in the General Safety and Performance Requirements. The legal requirement isn’t to meet the standard. The standard is a means of meeting the regulation.

That presumption of conformity applies to other legal requirements. For example, we’ve got ISO 13485, which is quality management systems for regulatory purposes. You’ve got ISO 14971, which is application of risk management for medical devices.

All of them in a way peripheral to what we do in a day to day context, but you ought to know that these standards exist out there.

Particularly the risk management standard. It’s actually got some annexes in it that are good textbook stuff. Good learning material.

There are various types of standard.

There are what we call basic standards. For example, that one on protection of electric shock.

There are group standards, and the 60601 standard is an important one there. There’s a group standard for domestic electrical equipment, there’s a group standard for laboratory equipment, and so on.

Then below that you have the product standards, which would be the particular requirements for pumps or the particular requirements for ECGs.

Standing alongside those are what are called process standards.

The 62353, which some of you may be familiar with, that’s the one that’s called recurrent tests and tests after repair of medical electrical equipment.

It’s a useful standard. I don’t think it’s a particularly good standard, personally, but it’s there. It’s useful. If you're using it you're not likely to get criticised. If you're not using it you don’t have to. It’s not a legal requirement to use that standard.

There is ISO 55000, which is a process standard on asset management, which the book there talks quite a lot about.

So this is the issue for the future. The Medical Devices Directive is completely silent on the issue of in-house manufacture and use of equipment. The original draft of the regulation would have made in-house manufacture and use subject to the full regulation, with one exception.

Now, the view that I took when I saw that was that this is going to stifle innovation. It’s going to give a big problem in the rehabilitation engineering field, where they're having to make bits and pieces all the time. Low-risk bits and pieces, but they're doing it on a regular basis.

There would be a possible issue if you're putting systems together. Are you a manufacturer if you're putting systems together? You're only going to use it internally.

So I decided to lobby hard on this, and, as happens with IPEM, if you stick your head above the parapet you get a job to do. So I ended up going to Brussels with colleagues, talking to the MEPs, and talking to the Commission people, and so on.

Also, very significantly, talking to MHRA. Who were in this regard extremely collaborative, and are still being very collaborative. Now, that isn’t something…

Anyone from MHRA here? It’s not something you say very often about MHRA, but they’ve been really good.

So we’ve now got an in-house exemption. So we’re not going to be free from regulation, as we were with the directive. We’re not any longer free from regulation for in-house development.

That’s what the exemption says. It says, ‘With the exception of the relevant General Safety and Performance Requirements, the requirements of this regulation shall not apply to devices manufactured and used only within a health institution, provided that the following conditions are met’.

So if you don’t meet the following conditions you have to meet all of the regulations.

The conditions are:

‘Those devices are not transferred to another legal entity’. Well, that’s placing it on the market. So that’s obvious. If you're placing it on the market you’ve got to meet the regulations.

‘The manufacture and use occurs under appropriate quality management systems’. That’s going to need some really clever guidance because…

I could go on more about that. I will have to move on.

‘That you can justify not using an available CE mark device’. That’s probably fairly easy. There’s a good engineering principle, isn’t there? Don’t reinvent the wheel. If you can buy one, go and buy it. Don’t put an awful lot of time and effort into making your own.

‘You have to provide information on request to the competent authority’, which is MHRA in our case.

‘You have to make sure that you document the design and the risk management in a technical file. You have to make publicly available a declaration of those in-house manufacture and use devices that you’ve done. You need to review your experience and correct things if necessary’.

Now, I've got asterisks against five of those. In my opinion, if you’re doing in-house development now, you ought to be doing those things that are asterisked anyway, as best practice.

If you're not, you're not breaking the law, because the directive doesn’t say that you can’t do in-house manufacture, but you're putting yourself at risk if anything goes wrong, because you're not following best practice.

So we’ve come full circle. There’s a regulation with general requirements, but guidance will be needed. MHRA have been very influential in that guidance, but they're also being collaborative and wanting input into the drafts of the guidance.

One of the issues is, what’s appropriate quality management systems if you're doing inhouse development? Should it be ISO 9001? Or should you be looking at 13485, which is medical devices quality management systems for regulatory purposes?

Well, all of a sudden we are in the regulatory regime.

Standards represent state of the art, so they need to be used in design and construction. It’s far and away the best thing to do, but it’s something that’s coming our way. We’ve got a three-year transition period, but there is work going to need to be done in many departments I think.

In summary, regulations set out legal requirements. They usually only give wide and general objectives.

Guidance expands on that. Gives you a wider context of the regulations.

Then standards often give the specific, testable requirements, or more detailed processes, which if you follow at the very least you’ve got a defendable position with regard to the regulation.

In some cases, like the medical devices regulation, you may get something stronger than a defendable position. You may have a presumption of conformity to the relevant bits of the regulation.

So there we are.

Any questions on that?


Justin McCarthy's presentation at the 2017 EBME Seminar, may be downloaded here:


Like what you see?

Hit the buttons below to follow us, you won't regret it...