This information explains why the standards were introduced, why we are reviewing them, the current challenges, and findings from focus groups.
You must read this information before completing the consultation questionnaire.
Why the standards were introduced
Standard DCB0129 defines clinical risk management requirements for manufacturers of health IT systems, ensuring that digital health technologies are developed with appropriate safety considerations from design through to delivery. The standard requires manufacturers to:
- implement proportionate clinical risk management processes
- maintain clinical safety documentation
- appoint a clinical safety officer (CSO) throughout the development lifecycle
DCB0160 establishes clinical risk management requirements for care organisations that deploy and use health IT systems. This standard ensures that NHS trusts, primary care organisations, social care providers, and other care entities have robust processes for assessing and managing clinical risks when implementing and using health IT systems.
DCB0129 and DCB0160 are published information standards in accordance with section 250 of the Health and Social Care Act 2012. This reflects the importance of systematic clinical risk management as care services became increasingly dependent on digital technologies.
First introduced in 2009, the standards have been updated periodically, with the current versions (DCB0129 version 4.2 and DCB0160 version 3.2) published in 2018 to include medical devices.
Note that section 250 of the Health and Social Care Act 2012 has subsequently been amended by:
i. section 95 of the Health and Care Act 2022: this came into force on 7 July 2025 and changed the duty from ‘have regard to’ to ‘must comply’ and introduced The Health and Social Care Information Standards (Procedure) Regulations 2025
ii. section 121 of the Data Use and Access Act 2025: this came into force on 5 February 2026 and expanded scope to allow IT providers to be subject to a duty of compliance
As they stand, bodies exercising a health and care function must continue to have regard to the standards, but future revisions of the standards are likely to leverage these enhanced powers.
Over the past 15 years, these standards have established a mature digital clinical safety ecosystem, with thousands of clinical safety officers trained and deployed across manufacturing and health and care organisations. The standards have been instrumental in:
- identifying and mitigating clinical risks
- supporting the safe deployment of electronic patient records, clinical decision support systems, and numerous other digital health innovations that protect patients from harm whilst enabling better healthcare delivery
Why these standards are important
The NHS is going through a major digital transformation, moving quickly from paper-based and analogue systems to modern digital ways of working. The government’s 10 Year Health Plan explains that technology must sit at the heart of a modern, efficient, and patient-focused NHS. To make this possible, robust standards are needed to make sure digital systems are safe for patients and the staff who use them.
As health and care organisations increasingly depend on digital tools, the opportunities for improvements are huge. But so too are the risks if things go wrong.
The standards act as a safety net for the NHS’s digital transformation. They make sure that, as new technology is designed and used, patient safety remains the top priority. They provide healthcare organisations and technology suppliers with a clear framework to follow, so they can innovate confidently while knowing that robust safety checks are in place.
Rationale for review
We are reviewing these standards to ensure they remain practical, effective and aligned with advances in technology and clinical practice. Several key factors have driven the need for this consultation:
- Greater digitisation: digital transformation has accelerated significantly, with electronic patient record implementations, integrated care system development and widespread adoption of digital-first approaches to healthcare delivery. Digital technologies are now central to clinical practice rather than supplementary tools, requiring more sophisticated safety management approaches to protect patients from potential harm.
- Newer technologies: artificial intelligence, machine learning, ambient voice technologies, and complex algorithmic systems are increasingly deployed in clinical settings. These technologies present novel risk profiles requiring specific governance frameworks that current standards do not adequately address to ensure patient safety.
- Current development and deployment methodologies: there has been a shift away from the traditional ‘waterfall’ lifecycle model, where digital systems are designed, built, and delivered in a single, step-by-step process, to an ‘agile’ approach, where small parts of a system are developed, tested, and improved continuously in short cycles. This agile model allows for faster feedback, quicker updates and more flexibility as technology and user needs evolve.
- Changing clinical workflows: the integration of digital tools into daily clinical practice has transformed how NHS staff interact with technology systems. Modern care delivery relies on interconnected systems and cross-organisational data sharing, potentially creating new pathways for patient harm if not properly managed.
- Regulatory evolution: the broader regulatory landscape has evolved significantly, with new medical device regulations, cybersecurity requirements, data protection legislation, and emerging artificial intelligence governance frameworks requiring better integration with clinical risk management standards to maintain comprehensive patient protection.
- Stakeholder feedback: ongoing engagement with clinical safety officers, healthcare organisations, technology suppliers, and regulatory bodies has identified opportunities for improvement in clarity, practical application and compliance, whilst maintaining the fundamental goal of protecting patients from harm.
To contribute to this review, please complete the consultation questionnaire.
Summary of focus group findings
Between January and July 2025, NHS England hosted 11 focus groups, involving manufacturers and health and care providers across all sectors, clinical safety officers and industry experts, to systematically review both standards. Key findings include:
- Support for mandatory standards: all focus groups supported maintaining mandatory clinical risk management requirements. Participants emphasised that voluntary compliance would be insufficient given increasing care dependency on digital systems and the necessity of systematic safety management to protect patients from harm.
- Balanced approach to prescription: while supporting the principle of standards, participants called for more selective prescription, with enhanced requirements for high-risk areas balanced against flexibility for different organisational contexts. A risk-based, tiered approach, similar to medical device classification, was widely supported to ensure patient safety whilst enabling appropriate innovation.
- Significant scope gaps identified: all groups identified critical missing areas including artificial intelligence governance, complex system interactions, cross-organisational collaboration frameworks, digital inclusion requirements and modern development practices. Post-implementation monitoring and resource guidance were also identified as requiring strengthening to better protect patients.
- Modernisation rather than retirement: participants supported updating terminology, reducing duplication between standards and clarifying requirements rather than the removal of existing themes. The patient-centred focus was identified as essential for ensuring patient safety.
- No suitable alternatives: the focus groups concluded that no alternative existing standard could adequately replace the health and social care-specific, NHS-contextualised approach of these standards, though better integration with complementary international standards was supported.
- Compliance and regulation: current mechanisms were consistently identified as insufficient, with calls for stronger compliance tracking, clearer consequences for non-compliance, and better integration with regulatory inspection frameworks to ensure patient safety standards are consistently maintained.
Next steps
We will analyse all survey responses and insights from the focus groups. A consultation response report will then be published summarising key findings, areas of consensus and divergence, and the proposed approach for revising the standards.
The findings will also inform how we strengthen the support available to those applying the standards, for example, by improving implementation guidance, training and resources for clinical safety officers, developing better tools and templates, and ensuring compliance mechanisms are both effective and supportive.
Some updates, such as revised guidance or templates, may be delivered quickly, while others will require longer-term collaboration with health and social care organisations, technology suppliers, professional bodies, and other partners.
We are committed to transparency and continued engagement with stakeholders throughout this process.
Publication reference: PRN01634_i