Developers - Complying with NHS Digital clinical risk management standards

If you want your digital technology to be adopted by the NHS, you need to meet safety standards set by NHS Digital.

The NHS Digital standards

NHS Digital has issued 2 clinical risk management standards:

• DCB0129, which applies to developers
• DCB0160, which applies to adopters

These standards require both developers and adopters to do a risk assessment on the digital technology.

As a developer, standard DCB0129 requires you to:

• create a clinical risk management system
• do clinical risk analysis

This is done to support the safe development of digital technology in health and social care.

If your digital technology cannot meet standard DCB0129, you will not be able to place it on the market. Adopters will not be able to use your technology in the NHS.

How to meet the NHS Digital standard DCB0129

As a developer, you must:

• do a clinical risk assessment
• provide evidence of effective risk management
• present your findings to the adopter

Use the relevant standard DCB0129 Clinical Risk Management: its application in the manufacture of health IT systems.

This standard requires you to detail and evidence that a clinical risk management system is in place. This includes:

• clinical risk management governance arrangements
• clinical risk management activities
• clinical safety competence and training

You must start your clinical risk management process at the earliest stage of your development lifecycle and continue to assess and gather evidence throughout development.

It is important to note that risk management includes digital technology maintenance and decommissioning. So, also plan how to monitor and manage risk assessment after deployment.

Adopters will assess whether you have complied with DCB0129 before they can deploy and use your technology.

Adopters also want to know whether you have followed good-practice principles. The Digital Technology Assessment Criteria (DTAC) establishes good practice in key areas of digital technology development, including clinical risk management. It forms the new national baseline criteria for digital technologies entering the NHS and social care.

Meeting DTAC criteria means your digital technology is meeting national baseline criteria.

You can use the NHS Digital document templates to help you complete your clinical risk management requirements. It is important that staff have the appropriate knowledge, experience and competencies to do the risk management tasks assigned to them.

Risk management of medical devices

If you are developing a medical device, you will also need to comply with the International Organization for Standardization’s ISO 14971:2019 medical devices - application of risk management to medical devices.

Read more about risk management for medical devices in Meeting ISO 14971 risk management requirements for medical devices.

If you are planning to implement your medical device in a health IT system, then you must also comply with DCB0129.