Clinical risk management standards

Information standards underpin national healthcare initiatives from the Department of Health, NHS England, the Care Quality Commission and other national health organisations. They provide the mechanism for introducing requirements to which the NHS, those with whom it commissions services and its IT system suppliers, must conform.

The following two standards, relating to clinical safety, are accepted for publication under section 250 of the Health and Social Care Act 2012 by the Data Coordination Board (DCB). In line with current DCB practice, each standard comprises:

  • a specification, which defines the requirements and conformance criteria to be met by the user of the standard - how these requirements are met is the responsibility of the user
  • implementation guidance, which provides an interpretation of the requirements and, where appropriate, defines possible approaches to achieving them

Compliance with DCB0129 and DCB0160 is mandatory under the Health and Social Care Act 2012.

NHS Digital clinical safety standards are now aligned with the new medical devices regulation for standalone software. This provides clarity and removes uncertainty among users and developers with regard to the registration of software as a medical device and compliance with this standard.

The evidence for this statement comes from academic and industry advisors, and from recent experience with devices currently in use that make or support decisions and are integrated into unregulated software.

The new medical devices regulation was published by the European Commission in May 2017. In summary it means:

  • software is specifically identified as a type of medical device - this will broaden the number of software solutions that are a medical device
  • classification now includes risk as a component, in line with the NHS Digital Clinical Safety standards
  • the regulation includes additional essential requirements in the fields of IT environment, interoperability, cybersecurity, mobile platforms, IT network and IT security

This changes the scope of clinical risk management of health IT within the NHS Digital Clinical Safety standards. It provides a means of complying with MHRA regulations for the design, build, deployment and maintenance of software. It also conforms to European standards and is in line with the medical devices regulations.


Clinical Risk Management: its Application in the Manufacture of Health IT Systems.

This standard sets clinical risk management requirements for Manufacturers of health IT systems.


Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems.

This standard requires a health organisation to establish a framework within which the clinical risks associated with the deployment and implementation of a new or modified health IT system are properly managed.

Last edited: 27 July 2020 1:27 pm