SCCI 0129 and SCCI 0160 are two standards issued by NHS Digital. They require manufacturers of health IT systems and healthcare organisations to carry out a particular type of risk assessment on the product. This process determines whether or not the product is acceptably safe to go live.
The two standards are very similar. The idea is that the manufacturer carries out a risk assessment, documents the findings and passes these to the healthcare organisation. The healthcare organisation, in turn, looks at how it is customising and configuring the product and conducts a further risk assessment, which is also documented. NHS Digital may ask to see the final report before the product goes live.
Note that, in the main, the two standards have little to do with security, privacy or information governance. Those are covered by other standards and frameworks such as ISO 27001. SCCI 0129 and SCCI 0160 are strictly about safety, i.e. ensuring that the system doesn’t cause patient harm.