Let AbedGraham guide you.
Background
DCB0129 is a mandatory clinical risk management standard that applies to all health IT vendors and many medical device manufacturers and network infrastructure/cybersecurity suppliers operating in the NHS in England. This standard is now an integral part of tenders, procurement processes and compliance onboarding and may be requested by any of the following stakeholders:
- Clinical Safety Officers (CSOs) or compliance teams at individual healthcare organisations
- Regional bodies covering compliance work on behalf of purchasing organisations (e.g. Clinical Commissioning Groups or Integrated Care Systems)
- National regulators running procurement frameworks (NHS Digital)
- Any organisation overseeing a DTAC (Digital Technology Assessment Criteria) process
- Other vendors, resellers and managed service companies you may be working with


Challenge
DCB0129 will apply to a huge number of companies looking to sell to the NHS, including many sectors you may not imagine. The definition in the standard itself is suitably vague (“any product used to provide electronic information for health or social care purposes”) but if you fall into any of the following categories, DCB0129 will be requested from you:
- Any health IT product, app, or software
- Any network infrastructure that underpins clinical service provision
- Any cybersecurity product that covers healthcare organisations
- Many medical device manufacturers
- Any company that has a product (hardware or software) that is involved with patient data, patient or clinician workflow or would cause any disruption to clinical services if it was compromised or unavailable

Compliance with the standard itself can seem complex and laborious at first glance and there are a number of specific processes, activities, appointments and documents that need to be put in place by any applicable organisation:
- Appoint a Clinical Safety Officer (CSO) – this needs to be a registered clinician with experience in risk management activities and a comprehensive knowledge and experience of health IT systems. The standard doesn’t specify whether the clinician needs to be UK-based, but a working knowledge of the NHS and its policies, procedures and infrastructure does help.
- Define an appropriate Clinical Risk Management Process – this is really the core function that underpins DCB0129: a rigorous clinical risk assessment methodology that the company follows to ensure its products are built, developed and released in a safe manner.
- Issue a specific set of documents to help show compliance – the key documents that are frequently requested are the Clinical Risk Management Plan (in essence the methodology of your risk processes), the Clinical Safety Case Report (a structured document that shows the rationale behind why you believe the product is safe to use) and the Hazard Log (a comprehensive view of all the potential hazards associated with the product and the associated mitigation and risk scoring). We provide several other documents to help support compliance.
- Ensure appropriate ongoing clinical risk work – this is key and marks DCB0129 out from other compliance standards. Vendors must ensure ongoing clinical safety activities are in place to cover current products, new products and functionalities; there is not, for example, a single sign-off that covers DCB0129 for a year.

Our solution
At the AbedGraham Group we have provided risk management and DCB0129 consultancy services to some of the largest technology vendors in the world as well as at the national and international level. Our team of expert clinicians can develop the core documentation required as well as handle any ongoing clinical safety activities that arise, giving you peace of mind in this area. We generally provide this in a two-step approach:
Step 1 – Core Documentation Creation
First off, we will work with your product, sales and compliance leads to establish the base set of core documents that are required for DCB0129. A series of structured workshops will provide the knowledge for us to create these and start developing the processes around them for your institution. The final output of these activities is to create the key documents required (Clinical Risk Management Plan, Clinical Safety Case Report and Hazard Log) as well as other supporting documents to help cover other questions that may arise (third-party risk management, medical device applicability, incident management and how to help deploying organisations with their DCB0160 documentation).
Step 2 – Ongoing Compliance
One of the headaches of DCB0129 compared to other standards is the nature of the ongoing work that needs to take place to remain compliant. Any new release or new product needs to be vetted in a similar fashion, any clinical safety incidents need to be captured and written up, and questions from regional or national regulators will need to be responded to. Our solution to this is an effective, flexible retainer that allows us to manage all aspects of ongoing clinical safety work for you. We will (if requested) also act as the named Clinical Safety Officer (CSO) for you for the purposes of responding to procurement activities.
