ISO 15189:2022 vs MHRA for POCT: The UK Compliance Map

Four compliance binders representing ISO 15189, UKAS, MHRA and CQC stacked on a clinical desk — the UK POCT compliance map

If you run Point-of-Care Testing in the UK, four bodies are looking at you — and most POCT leads can’t cleanly explain who does what.

Are you accredited to ISO 15189:2022, registered with the MHRA, assessed by UKAS, and inspected by the CQC? The honest answer at most NHS trusts and almost every private clinic I’ve worked with is “some of those, mostly some of the time, and we’re not entirely sure who needs what.”

This is the UK POCT compliance map I wish I’d had on day one. Four bodies, what each actually requires, where they overlap, and how to satisfy all of them from a single evidence base.

Four acronyms · four different jobs

Who does what — TL;DR

ISO 15189:2022 — the international standard for medical laboratory quality and competence. Voluntary, evidence-based.
UKAS — the UK accreditation body that assesses you against ISO 15189. UKAS issues the certificate.
MHRA — the UK regulator for medicines and medical devices. Sets the rules for IVD devices, post-market surveillance and incident reporting.
CQC — the regulator that inspects the service delivering POCT, mapping findings to its Safe / Effective / Caring / Responsive / Well-led KLOEs.

STANDARDISO 15189:2022 — what UK POCT actually has to do

Gloved hand turning a page of an ISO 15189 quality manual on a clinical laboratory bench
ISO 15189:2022 — the international standard UK pathology services work to.

ISO 15189:2022 is the international standard for quality and competence in medical laboratories, with a dedicated annex (Annex A) for Point-of-Care Testing. The 2022 revision replaced the 2012 edition and is now the active standard UK laboratories work to.

What changed in 2022 matters for POCT in three concrete ways:

  • Risk-based thinking is mandatory, not optional. Every POCT process should have a documented risk assessment — operator error, device failure, connectivity loss, result misinterpretation — and a mitigation linked to it.
  • Patient safety is the unifying lens. Every requirement now ties back to “could a patient be harmed if this fails?” — competency, QC, EQA, post-analytical reporting.
  • Impartiality and conflicts of interest are explicitly required. POCT leads who also sell devices, or accept vendor hospitality, now need a register and a declaration.

For POCT specifically, ISO 15189:2022 expects: a defined POCT scope, documented operator competency with re-assessment intervals, QC and EQA programmes with documented review and escalation, traceability of results back to a patient record, and an annual management review with senior sign-off. If you’ve read our guide to Measurement Uncertainty in POCT, you’ll recognise most of these as ISO 15189 derived.

ACCREDITATIONUKAS — the body that actually signs your ISO 15189 certificate

Senior clinical assessor reviewing a UKAS accreditation report at a UK pathology laboratory
UKAS is the body that assesses you against ISO 15189.

UKAS (United Kingdom Accreditation Service) is the sole national accreditation body recognised by the UK government. ISO 15189 is the standard; UKAS is the organisation that comes to your lab, assesses you against it, and issues the accreditation.

UKAS accreditation for POCT happens through assessment of the host pathology service — POCT is typically scoped within the main laboratory’s ISO 15189 certificate. UKAS will assess: technical scope (which analytes, which devices, which sites), management system, evidence of competency, QC and EQA, and document control. Assessments are usually annual surveillance plus a 4-year reassessment cycle.

A critical detail many private clinics miss: you don’t need UKAS accreditation to operate POCT in the UK. UKAS is voluntary. CQC registration is mandatory; UKAS is a quality kitemark you choose to pursue. NHS pathology services maintain UKAS accreditation as a matter of course. Most private clinics do not.

REGULATORMHRA — devices, incidents, and what the regulator actually wants

The Medicines and Healthcare products Regulatory Agency (MHRA) is the UK regulator for medicines and medical devices. POCT devices are in vitro diagnostic medical devices (IVDs), so they fall under MHRA’s IVD regulatory framework.

Post-Brexit, the UK runs its own framework. Devices placed on the UK market need a UKCA mark (or CE mark during the current extended recognition window). MHRA’s job isn’t to inspect your POCT service — it’s to regulate the devices, the manufacturers and the safety signals that come out of clinical use.

What MHRA expects from a POCT lead specifically:

  • Use IVDs within their intended use. Off-label POCT (e.g. using a capillary device on arterial blood, or repurposing a device for an unlicensed analyte) creates a manufacturer liability gap.
  • Report adverse incidents through the MHRA Yellow Card system. Device malfunction, false results that led to clinical harm, near-misses — these are reportable.
  • Track Field Safety Notices (FSNs) from manufacturers and act on them. Most UK POCT incidents I’ve audited involve an FSN that was sent, received as an email attachment, and never actioned at ward level.
  • Maintain device traceability — serial number, lot, software version — so that a recall can be acted on within the same week.

INSPECTORCQC — the regulator who inspects the service running POCT

CQC inspector walking through an NHS clinical corridor with clipboard and tablet, reviewing a POCT service
CQC inspects the service running the devices.

The Care Quality Commission (CQC) regulates the providers — NHS trusts, GP practices, private clinics, longevity centres, urgent care providers. CQC does not directly accredit POCT, but every regulated provider that performs diagnostic testing has POCT in scope of inspection.

CQC looks at POCT through its five Key Lines of Enquiry — Safe, Effective, Caring, Responsive, Well-led. It will cross-reference UKAS findings if you have them, and it expects evidence aligned with ISO 15189:2022 even where you’re not formally accredited. In practice, CQC is the most likely body to find a problem in your POCT service first, and the only one with statutory teeth to suspend or limit your service if you’re inadequate.

We’ve covered the seven most common CQC inspection failures in this article. If you read one piece on this stack first, read that one.

Where they overlap — the UK POCT compliance map

This is the part that’s never written down anywhere clearly. Which requirement comes from which body? Where are the duplicates? Where are the gaps?

RequirementISO 15189 / UKASMHRACQC
Documented POCT scope✓ (clause 5.2)✓ (Well-led)
Operator competency framework✓ (clause 6.2)✓ (Safe)
QC programme with documented review✓ (clause 7.3)✓ (Safe)
EQA enrolment and review✓ (clause 7.3)✓ (Effective)
SOPs version-controlled to current practice✓ (clause 8.3)✓ (Safe, Well-led)
Device intended-use compliance✓ (IVD regs)✓ (Safe)
Yellow Card adverse incident reporting✓ (mandatory)✓ (Safe)
Field Safety Notice actioning✓ (mandatory)✓ (Well-led)
Patient identification and result traceability✓ (clause 7.4)✓ (Safe)
Annual management review with senior sign-off✓ (clause 8.6)✓ (Well-led)
Provider registration to deliver service✓ (mandatory)
Accreditation certificate displayed✓ (if accredited)

Two things jump out of this table once you read it carefully. First, ISO 15189 and CQC overlap on about 80% of the substantive requirements — meaning the evidence pack you build for one largely serves the other. Second, MHRA has a tiny but non-negotiable footprint: Yellow Card and Field Safety Notices are mandatory, regularly missed, and the easiest way to come unstuck.

Strategic move

The one-evidence-pack approach

Build a single POCT evidence pack — scope register, competency records, QC + EQA logs, SOP register, FSN log, incident log, annual management review — and let it serve all four bodies. Trying to maintain separate paperwork for UKAS, CQC, and MHRA is how POCT leads burn out. The standards are 80% the same; treat them as such.

Frequently asked questions

Do I need UKAS accreditation to run POCT in the UK?

No. UKAS accreditation against ISO 15189 is voluntary. To operate POCT in the UK you need CQC registration (for the host service) and you need to use devices within MHRA-recognised regulatory frameworks. UKAS is a quality kitemark — most NHS pathology services maintain it; most private clinics do not.

What’s the difference between ISO 15189 and ISO 22870?

ISO 22870 was the standalone POCT standard, but it has been withdrawn. ISO 15189:2022 absorbed POCT requirements into its main standard (specifically Annex A). You no longer accredit to ISO 22870 — you accredit to ISO 15189 with POCT included in scope.

Does MHRA inspect POCT services?

No. MHRA regulates devices and manufacturers, not POCT services. MHRA only becomes involved with end-users when there’s a device incident, a safety signal, or a Yellow Card report. The day-to-day inspector of your POCT service is CQC, not MHRA.

If I have UKAS accreditation, does that cover me with CQC?

Not automatically, but it helps. CQC will cross-reference UKAS assessment findings and gives significant weight to active accreditation. However CQC inspects the service — the team, training, governance, operational reality — which goes beyond the technical scope UKAS assesses.

What about IVDR? Does the UK follow the EU regulation?

The UK has its own regulatory framework post-Brexit. The EU IVDR (Regulation 2017/746) applies to devices placed on the EU market. UK devices need UKCA marking, though the UK government has extended recognition of CE-marked devices into the UK market through to 2030. MHRA is consulting on a future UK IVD framework that will diverge from EU IVDR. POCT leads should track devices via their manufacturer’s UK regulatory status rather than assume EU compliance is sufficient.

Does this apply to private GP clinics and longevity centres?

Yes. Any UK provider delivering diagnostic and screening procedures needs CQC registration. MHRA rules apply to every IVD device regardless of where it’s used. UKAS accreditation is voluntary for both NHS and private. ISO 15189:2022 is the relevant standard for both sectors. The cleanest move for a private clinic launching POCT is: register with CQC for the service, work to ISO 15189:2022 principles even without formal accreditation, and maintain the MHRA-mandated device logs from day one.

Building your UK POCT compliance pack?

POCTIFY helps NHS trusts and private clinics build one POCT evidence base that satisfies ISO 15189, UKAS, MHRA and CQC at the same time. Scope reviews, SOP refreshes, governance frameworks and audit-readiness packages.


Related reads

Scroll to Top