DCB 0129 and DCB 0160 are two standards issued by NHS Digital. They require manufacturers of health IT systems and healthcare organisations to carry out a particular type of risk assessment on the product. This process determines whether or not the product is acceptably safe to go live. Compliance with DCB 0129 and DCB 0160 is mandatory under the Health and Social Care Act 2012 (see NHS Digital page).
The two standards are very similar. The idea is that the manufacturer carries out a risk assessment, documents the findings and passes these to the healthcare organisation. The healthcare organisation, in turn, looks at how it is customising and configuring the product and conducts a further risk assessment, which is also documented. NHS Digital may ask to see the final report before the product goes live.
Note that, in the main, the two standards have little to do with security, privacy or information governance. Those are covered by other standards and frameworks such as ISO 27001. DCB 0129 and DCB 0160 are strictly about safety, i.e. ensuring that the system doesn’t cause patient harm. Each standard consists of two important documents: a Specification, which sets out what MUST be done to comply, and Implementation Guidance, which provides helpful advice.
DCB 0129 applies to the manufacturers of health IT systems whereas DCB 0160 applies to the healthcare organisations implementing them. The requirements in the two standards are almost identical.
Each standard has over 60 requirements, but they can be summarised by the following four tasks. You can expand each of these to find out more.