Date published: 28 July, 2023
Date last updated: 4 March, 2025
Digital, General practice

Digital clinical safety assurance

Version 1.2, 03 March 2025

This guidance is part of the Clinical safety section of the Good practice guidelines for GP electronic patient records.

What is digital clinical safety assurance?

Digital clinical safety assurance is the process by which health IT used by care professionals is assured as safe and meets the required national standards.

Clinical safety assurance is, in essence, a clinical risk management activity.

What are DCB0129 and DCB0160?

The two standards issued by the NHS relating to digital clinical safety are:

  • DCB0129 – Clinical Risk Management: its Application in the Manufacture of Health IT Systems. This standard is designed to help manufacturers of health IT software evidence the clinical safety of their products. Any health organisation looking to implement a solution can request, and should be provided with, this documentation.
  • DCB0160 – Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems. This standard is designed to help health and care organisations assure the clinical safety of their health IT software.

For the complete specification and accompanying guidance documents please see the resources below.  They provide definitive guidance on what should be included and what to expect of each of the standards:

manufacture – DCB 0129 guidance

deployment – DCB 0160 guidance

When do they apply?

Not all digital solutions are subject to formal clinical safety assurance.  In some cases it’s suggested/advised, whilst in others it’s mandated. There is a tool designed by the NHS to help determine the applicability of the DCB0129 / DCB0160 and this can be found on the Step by step guidance

Who needs to be involved?

Both standards, regardless of whether you are a manufacturer or a healthcare organisation, require you nominate an individual to be the Clinical Safety Officer (CSO).  The CSO must be a senior clinician and have a current registration with a professional body such as the General Medical Council (GMC) or Both standards, regardless of whether you are a manufacturer or a healthcare organisation, require you nominate an individual to be the Clinical Safety Officer (CSO).  The CSO must be a senior clinician and have a current registration with a professional body such as the General Medical Council (GMC) or Nursing and Midwifery Council (NMC).  They must also have sufficient training in clinical safety and clinical risk management.   An individual general practice may not have the expertise within their organisation so it may be appropriate to approach your commissioning organisation or primary care network (PCN)  for advice. 

NHS England offers training in clinical risk management.

The CSO will be responsible for the process as defined in the standard.  This may include undertaking or overseeing the clinical risk management activities, which may include:

  • hazard workshops
  • evaluating the evidence that clinical risks have been mitigated or accepted
  • ensuring that the risk management processes are documented and recorded appropriately
  • reviewing or developing key documents such as the clinical safety case report, hazard log and clinical risk management plan

These processes are beyond the scope of this document but are defined in both standards DCB0129 and DCB0160.

Processes

Digital clinical risk management has to be a rigorous, methodical, and clearly documented process to ensure that any clinical risks have been assessed and if required, mitigated appropriately.  This rigour is required both from the perspective of compliance with the standards and ultimately to ensure that the product is safe for patients. 

Both DCB0129 and DCB0160 outline how the clinical risk management activities should take place and how they should be documented.

Clinical risk management activities

A clinical risk assessment is a process by which each of a particular product’s functions is analysed.  This can be from various perspectives and use cases.  It considers ‘what if’ scenarios and how they may have a clinical impact and present a clinical risk to a patient.  These potential sources of harm are described as hazards. It is through a rigorous process of clinical safety assurance that these hazards are considered, as are the controls or mitigations that may need to be put into place to prevent, mitigate, or minimise those hazards.  These risks also need to be evaluated in a systematic way to determine what is considered acceptable. 

Hazards are documented in the form of a ‘hazard log’.  The hazard log is a key document as it underpins the work carried out to evaluate the clinical safety of a product. 

There are various methods of identifying hazards and these are described in the DCB0129 and DCB0160 standards (Appendix B) such FFA (Functional Failure Analysis) HAZID (Hazard Identification) SWIFT (Structured What-IF Technique) Fishbone Diagrams. 

Hazard log

This is a formal document specified in DCB 0129 and DCB 0160 which describes all the hazards that have been considered attributable to the product.  It describes the hazards, potential clinical impact of those hazards, mitigations and controls and final assessment of risk.

Once this analysis has been completed, it is presented more formally as the clinical safety case. 

Clinical safety case (as defined in the DCB 0129 and DCB 0160)

The clinical safety case is a structured argument which is supported by a body of relevant evidence that provides a compelling, comprehensible, and valid case that a system is safe for release.

When should digital clinical risk management activities occur?

The clinical risks that need to be considered depend on the phase in the product lifecycle.  Implementing a new product will have different risks to the decommissioning or maintenance of a product in a health IT environment. 

There will be various requirements, such as the need to maintain a safety incident log, throughout the lifecycle of a product, and processes to reassess risks as they are identified during the use of a product.  When safety incidents occur they can often have importance beyond an individual practice and should be raised with the manufacturer, the responsible commissioner and nationally through systems such as the learn from patient safety events (LFPSE) service.

Importance of clinical safety assurance for general practice

General practice is becoming more and more digitally diverse.  The GP IT estate now comprises a myriad of IT systems, both clinical and administrative, that form part of routine care of patients. 

Practices need to make sure they understand the risks involved in using a digital solution in primary care.  To do this, the practice needs to understand the clinical risk assessment carried out by the manufacturer (the DCB0129 process) then re-evaluate and form their own risk assessment in the form of the DCB0160.  This will ensure the practice understands not only the solution itself but what it needs to put in place to operate the solution safely within that particular GP organisation.

The standards apply equally where practices use solutions outside of the NHS digital buying catalogue but which involves the handling and processing of patient data.  These include sub-contracting of primary care services, engaging a digital service (software or hosting) provider or a physical record handling service (e.g. scanning or archiving patient records).

For some programmes there have been national risk assessments such as total triage solutions in primary care during the COVID 19 pandemic.  Although some of the more formal aspects of the assurance will have been completed, each practice still needs to understand the risks and mitigations required to operate safely.  This can be achieved by ensuring the activities described in the DCB0160 are carried out.

Similarly, integrated care boards may help practices carry out some of the DCB0160 activities but ultimately GP practices still remain responsible for the activities and mitigations required to operate digital solutions safely.

Related GPG content

Other helpful resources

Date published: 28 July, 2023
Date last updated: 4 March, 2025