DCB0129 Clinical Risk Management: An Introduction to Clinical Safety for Healthtech Companies
DCB0129 explained: the clinical risk management steps, the CSO and the key deliverable documents (Hazard Log, Safety Case) you need for NHS deployment

If you’re building digital health technology for the NHS, understanding clinical risk management is essential. This guide explains what DCB0129 requires, who it applies to, the documents you need to produce, and the role of the Clinical Safety Officer. It is intended to give healthtech companies a clear overview of the clinical risk management process and what is needed for NHS deployment.
What Is DCB0129?
DCB0129 is an NHS England information standard for clinical risk management, published under section 250 of the Health and Social Care Act 2012, and compliance is mandatory for manufacturers of digital health software deployed in the NHS in England.
DCB0129 ensures that digital health products are clinically safe, and is a core requirement of the wider NHS DTAC (Digital Technology Assessment Criteria) framework. Without DCB0129 compliance and associated evidence, your product is unlikely to be procured or deployed within the NHS.
Who does DCB0129 apply to?
Health IT systems are defined as “any system, application, or product that captures, stores, transmits, or manipulates information relating to the health of individuals, and is used to support healthcare delivery”.
You need to comply with DCB0129 if your Health IT system will be deployed in the NHS and influences, supports or manages the direct care of patients. You do not need to comply with DCB0129 if your product provides wellness or fitness advice.
What are the Key DCB0129 Deliverables?
To meet DCB0129 requirements, manufacturers must produce and maintain the following documents as a minimum, overseen by a Clinical Safety Officer (CSO):
- Clinical Risk Management Plan
- Hazard Log
- Clinical Safety Case Report

After your system goes live, you’ll also need to perform continuous clinical safety monitoring, recording any changes (e.g. bug fixes or feature updates), and logging safety incidents.
Do you need a Clinical Safety Officer?
In short, yes - a Clinical Safety Officer (CSO) is mandatory for DCB0129 compliance.
A Clinical Safety Officer is required to be a clinician who is currently registered with a professional body (for example, a doctor, nurse or pharmacist), with expertise or appropriate experience in digital health risk management. They assess potential clinical risks and define the necessary safety controls to ensure your health IT system is compliant and safe for NHS use.
They must be competent to undertake clinical risk assessment (which in practice means they have received Clinical Safety Officer training). It is beneficial, although not strictly required, to be familiar with the specific clinical area that the system relates to. The CSO is responsible for making sure the processes defined by the clinical risk management process are followed.
Learn more about official Clinical Safety Officer training on the NHS Digital website.
Understanding the DCB0129 risk management process
As mentioned earlier, there are three key deliverables required to comply with the DCB0129 process. Each must be developed, maintained and formally reviewed and signed off by your Clinical Safety Officer (CSO) as part of your organisation’s clinical risk management framework.
Step 1: Clinical Risk Management Plan
Once a CSO has been appointed, the first step of DCB0129 is to create a Clinical Risk Management Plan.
This is a document, created at the start of the clinical risk management process, that outlines your plan to safely identify, assess and mitigate clinical risks throughout the lifecycle of a digital product.
Step 2: Hazard Log
The next step is to create a Hazard Log. This is a structured risk assessment that sets out potential hazards that could lead to patient harm.
For each hazard, the Clinical Safety Officer and their team will decide on the severity and likelihood of causing harm, to estimate the level of clinical risk. The Hazard Log must document and evidence the control measures in place to reduce the clinical risk, such as technical safeguards, user training, design features or business processes. Each hazard must be given an initial risk score (taking into consideration any retained risk control measures) and a residual risk score (the clinical risk remaining after the application of risk control measures).
To fully understand the hazards, their causes and any controls implemented, the NHS England guidance strongly recommends that Clinical Safety Officers should hold a series of Hazard Workshops. These are meetings with a multidisciplinary team of product experts (such as product designers, engineers, customer success managers) where the product can be discussed in detail in order to fully assess any possible causes of harm to the patient. A hazard workshop should be minuted and recorded in the Clinical Risk Management File and Clinical Safety Case Report.
Step 3: Clinical Safety Case Report
The Clinical Safety Case Report is the final, comprehensive document that demonstrates the safety of the system. It’s an evidence-based report that summarises all the clinical risks identified, how they’ve been mitigated, and why the system is considered safe for use.
Key Elements:
- Summary of the Risk Management Process: Outline the clinical risk management activities carried out, including the development of the risk management plan and the hazard log.
- Evidence of Hazard Mitigation: For every identified hazard, the report should provide evidence that the risk has been appropriately mitigated. This could include test results, user feedback, or updates to software that address specific risks.
- Clinical Safety Sign-off: The CSO signs off on the report, confirming that all risks have been managed to an acceptable level and that the system is safe to deploy or continue using.
- Residual Risks: It’s crucial to acknowledge any residual risks that remain despite mitigation and explain why they are considered acceptable.
Once these have been completed and reviewed by your CSO, you’ll have achieved initial DCB0129 compliance.
🎉 Congratulations, you are now ready for deployment! 🎉
What Happens Next: DCB0160 and NHS Procurement
When your system is ready for deployment, the NHS will complete DCB0160, the counterpart standard that ensures they are safely implementing your system.
(DCB0129 = for suppliers | DCB0160 = for NHS organisations)
Post deployment monitoring
To remain compliant:
- Continuously review system changes and updates
- Record and investigate clinical safety incidents
- Maintain an audit trail of your Hazard Log and Safety Case Report versions
Regular reviews help demonstrate ongoing compliance and readiness for NHS procurement audits.
DCB0129 vs DCB0160: what’s the difference?
In simple terms, DCB0129 applies to the digital health technology manufacturer or supplier, and DCB0160 applies to the NHS or social care organisation deploying the digital health technology. They are very similar standards, outlining the same clinical risk management process that should be followed, but with a different focus.
- The focus of DCB0129 (suppliers/manufacturers) is around the safe design and development of the Health IT system by the manufacturer.
- In contrast, DCB0160 (NHS organisations) is focused on ensuring the safe implementation, deployment and later decommissioning of the system, particularly specific workflows, processes, configurations, training and governance.
What does the future hold for DCB0129?
The DCB0129 and DCB0160 standards are undergoing review and update at time of writing. We will be sure to give you the latest as soon as we hear what the changes are, and when the updated standards are released, so watch this space, and be sure to sign up to our mailing list.
How Assuric simplifies DCB0129
Assuric is a compliance, governance and assurance platform built for digital health companies to streamline NHS compliance, including DCB0129, DTAC and several other digital health frameworks.
The Assuric platform helps in the following ways:
- Step-by-step guidance and automated task management for DCB0129
- Guides throughout the platform to walk new CSOs through creation of your Clinical Risk Management File
- Bank of hazards, causes and controls to help you generate your Hazard Log
- AI features, including suggestions of hazards, harms, causes and controls related to your product, and AI report generation
- Smart automated templates of all the necessary key deliverable documents
- Automate parts of the deliverable documentation, avoiding all unnecessary duplication, to focus effort and resources on intelligent risk assessment rather than on manual processes
- Post-deployment monitoring, including incident management
- Easily share your documentation with NHS stakeholders via your own Trust Centre, and keep them up to date.
Book a demo to learn how it could help you, and get started today.
