Expected outputs at this stage of the clinical safety process which will be reflected in the risk management file.
Clinical risk management file
The purpose of the clinical risk management file is to provide a physical or logical repository of all records and documents that are produced by the clinical risk management process and required as stated in the suppliers CSMS and DCB0129. If the documents are referenced from the clinical risk management file, then they must be capable of being retrieved.
This is maintained for the functionality that is being delivered to the health organisation. This should include any hazards that have been identified as part of the development cycle and those that have been identified by the customer and are system related in the pre go-live phase. A baseline hazard log is produced at the commencement of the project and is subsequently maintained throughout the project lifecycle. It is the responsibility of the CSO to make sure the hazard log is reviewed and updated as required.
Such on-going revisions will:
- incorporate new hazards, when identified
- record the mitigation of defined hazards through the implementation of clinical risk control mechanisms whether through design, testing, training or business process change
- reference supporting evidence where available
- record the status of actions
Clinical risk management plan
A clinical risk management plan will be produced at the commencement of each project which gives the risk management approach for that project relating to the delivered functionality. This plan must be updated if key personnel or the nature of the project changes during the development or modification of the health IT system. This plan will be maintained throughout the life of the health IT system.
The clinical safety case is a structured argument which is supported by a body of relevant evidence that provides a compelling, comprehensible and valid case that a system is safe for release. The argument provides an explanation of how the supporting evidence can be interpreted as indicating that the health IT system exhibits an adequate degree of safety, such as by demonstrating compliance with requirements or sufficient mitigation of identified hazards. During the initial stages of the project the safety case is not expected to provide mitigation or residual risk rating but will give evidence of existing controls and initial risk ratings.