Join our Free Members area to access more resources on DCB 0129/0160 compliance.
DCB 0129 and DCB 0160 are two standards issued by NHS Digital. They require manufacturers of health IT systems and healthcare organisations to carry out a particular type of risk assessment on the product. This process determines whether or not the product is acceptably safe to go live. Compliance with DCB 0129 and DCB 0160 is mandatory under the Health and Social care Act 2012 (see NHS Digital page).
The two standards are very similar. The idea is that the manufacturer carries out a risk assessment, documents the findings and passes these to the healthcare organisation. They, in turn, look at how they are customising and configuring the product and conduct a further risk assessment. This is also documented. NHS Digital may ask to see the final report before the product goes live.
Note that, in the main, the two standards have got little to do with security, privacy or information governance. Those are covered by other standards and frameworks such as ISO 27001. DCB 0129 and DCB 0160 are strictly about safety, i.e. ensuring that the system doesn’t cause patient harm.
Each standard consists of two important documents; a Specification which sets out what MUST be done to comply and Implementation Guidance which provides helpful advice.
DCB 0129 applies to the manufacturers of health IT systems whereas DCB 0160 applies to the healthcare organisations implementing them. The requirements in the two standards are almost identical.
Each standard has over 60 requirements but they can be summarised as follows:
The organisation must:
Let’s take each of those in turn:
Nominate a clinical safety officer
Whether you are a manufacturer or healthcare organisation you must nominate an individual to be the Clinical Safety Officer (CSO). The CSO must be a clinician and have a current registration with a professional body. They must also be trained in clinical risk management – they can choose where they obtain that training from.
The CSO will be responsible for overseeing the clinical risk management activities and signing off the documentation. They will typically run clinical risk management workshops to formulate the hazard register and validate the evidence set out in the safety case. The CSO is responsible for ensuring that the work is carried out but they are not personally accountable for any clinical risk.
Carry out a risk assessment
The risk assessment itself looks at each of the product’s functions, it’s architecture and failure modes and considers what could happen to a patient if something went wrong. The assessor has to consider the various hazards and look at what controls might be in place to prevent those hazards occurring. The risk is evaluated and, if it is at a level which is unacceptable, then further controls must be identified and implemented.
All of this is documented in the form of a Hazard Log and Safety Case. These documents can sometimes be lengthy and they require a very careful structure. The best approach is to use a document template and work with someone who has gone through the process before.
Define and document processes
Clinical Risk Management is not something that can be done in an ad-hoc way. It has to be methodical, rigorous and systematic otherwise it’s impossible to know when the process is complete. It’s also in everyone’s interest for the process to be repeatable and consistent as this makes it easier to apply again and again.
DCB 0129 and DCB 0160 are broken down into a number of sections. Organisations must define and document how they plan to ensure that those requirements are met. The best way to do this is to integrate the activities into the wider project.
Clinical Risk Management in live service
All systems change over time. Products are upgraded, bugs are fixed and new modules are implemented. We also learn more about the behavior of systems once they are up and running in the real world. Users might report faults or safety incidents and hazard may come to light that we had not previously foreseen.
It is important to continually review the risk acceptability of the product and the Hazard Log and Safety Case need to be kept up to date. This is overseen by the Clinical Safety Officer.
Where can I get more help?