Learn more about technical standards, why they are important and how to follow them.

This is required guidance

It is legally required and it is an essential activity.

This Guide covers:

- England


- AI and Digital Regulations Service

- NHS England

Page last reviewed: 12 Jan 2023

Complying with NHS Digital clinical risk management standards

If you want to adopt a digital technology on behalf of the NHS, you need to meet safety standards set by NHS Digital.

The NHS Digital standards

NHS Digital has issued 2 clinical risk management standards:

  • DCB0129, which applies to developers
  • DCB0160, which applies to adopters

These standards require both developers and adopters to do a risk assessment on the digital technology. They help developers evidence the clinical safety of their technology. They assure adopters that the technology is safe to use in health and social care.

As an adopter, standard DCB0160 requires you to:

  • create a clinical risk management system
  • do clinical risk analysis

This is done to support the safe deployment and use of digital technology in health and social care.

If the digital technology does not meet these standards, you should not adopt it.

How to meet NHS Digital standard DCB0160

As an adopter, you must:

  • think about how the digital technology will be deployed and used
  • make sure the developer is compliant with DCB0129
  • do a clinical risk assessment
  • provide evidence of effective risk management
  • present your findings to the adopter

Use the relevant standard DCB0160 Clinical Risk Management: its application in the deployment and use of health IT systems.

This standard requires you to detail and evidence that a clinical risk management system is in place. This includes:

  • clinical risk management governance arrangements
  • clinical risk management activities
  • clinical safety competence and training

You must start your clinical risk management process at the earliest stage of your development lifecycle and continue to assess and gather evidence throughout development.

It is important to note that risk management includes digital technology maintenance and decommissioning. So, also plan how to monitor and manage risk assessment after deployment.

As an adopter, you may wish to use the Digital Technology Assessment Criteria (DTAC) to support your procurement. DTAC establishes good practice in key areas of digital technology development, including clinical risk management. It forms the new national baseline criteria for digital technologies entering the NHS and social care.

You can use the NHS Digital document templates to help you complete your clinical risk management requirements. It is important that staff have the appropriate knowledge, experience and competencies to do the risk management tasks assigned to them.

Risk management of medical devices

If you are integrating a medical device into your IT infrastructure, you are advised to use standard ISO IEC 80001-1:2021 (Application of risk management for IT-networks incorporating medical devices — Part 1: Safety, effectiveness and security in the implementation and use of connected medical devices or connected health software). This supports the safe, secure and effective introduction of such devices.
