Accenture

The Accenture Trust Centre makes available Clinical Safety Case Reports and Hazard Logs. These documents provide assurance that each release or update of the Health IT System has been assessed for clinical safety and is compliant with NHS Digital standards.

DCB0129 is a mandatory NHS clinical risk management standard for manufacturers of health IT systems. DCB0129 requires all developers and manufacturers of digital health systems used in NHS funded care in England to put a robust clinical risk management system in place. This includes appointing a Clinical Safety Officer (CSO), maintaining a hazard log, conducting risk assessments, and producing a Clinical Safety Case Report to demonstrate the product is safe for clinical use. Compliance is a legal obligation under the Health and Social Care Act 2012 and is required for market access and procurement by NHS bodies. For example, if a digital health company builds a new electronic patient record system to be used in NHS hospitals, it must follow DCB0129. This involves documenting all potential clinical risks, how they are managed or mitigated, and ensuring that a qualified CSO signs off on all safety casework before the software can go live. Without DCB0129 compliance, NHS organisations cannot legally implement the system, making DCB0129 fundamental to safe, effective health technology deployment in the NHS.

DCB0129 compliance is important because it ensures that digital health and IT products used in NHS in England are clinically safe, effectively manage risk, and meet legal and regulatory requirements. DCB0129 provides a systematic framework for manufacturers to identify, assess, and mitigate clinical risks associated with digital health technologies throughout their lifecycle. Compliance is mandatory under the Health and Social Care Act 2012 and is a requirement for NHS procurement. Without DCB0129, digital health products cannot be deployed in the NHS or be considered safe for clinical use. The standard mandates robust risk management, oversight by a Clinical Safety Officer, and thorough documentation, all aimed at reducing harm to patients, building trust for clinicians, and supporting high standards of care.

All safety documents in the Trust Centre are controlled, versioned, and securely stored. Access is restricted to authorized users, and regular reviews ensure accuracy, completeness, and compliance with DCB0129.

The Hazard Log lists Initial Risk Ratings (IRRs) based on verified controls, not Residual Risk Ratings (RRRs), because final risk levels depend on each organisation’s actual controls and their effectiveness, which must be locally verified. Additional controls are suggested in the Hazard Log to help organisations with their DCB0160 (local clinical risk management) assessments, but these controls must be verified in each specific implementation. Each NHS organisation is responsible for assessing its own residual risks by documenting all controls in its own local Hazard Log and confirming they are in place and effective before an RRR can be assigned. Because some controls may already exist or be implemented differently across organisations, RRRs cannot be pre-filled or universally standardised. Accurate risk assessment relies on local verification and documentation.

NHS England (NHSE) is the body that produces and governs information standards such as DCB0129. The Data Alliance Partnership Board (DAPB), overseen by NHSE, is responsible for formally approving the standards under Section 250 of the Health and Social Care Act 2012.

A clinical safety case report is a structured document that presents the evidence and arguments showing a digital health system is acceptably safe for clinical use, in accordance with NHS standards such as DCB0129. The clinical safety case report (CSCR) summarises how hazards associated with the digital health solution have been identified, assessed, and managed throughout the product lifecycle. This report draws on supporting documents like a hazard log and risk assessments, explaining how risks are reduced to acceptable levels, what controls are in place, and including sign-off from a Clinical Safety Officer. The CSCR is essential for providing assurance to key stakeholders that the product’s safety has been rigorously and transparently evaluated. Producing and maintaining a current clinical safety case report is a mandatory requirement for DCB0129 compliance.

A hazard log is a structured, continuously updated document that records, tracks, and helps manage all identified clinical hazards, potential risks, mitigations, and controls associated with a digital health system. The hazard log is a formal requirement in NHS clinical risk management standards (DCB0129 and DCB0160). It underpins clinical safety work by listing all hazards considered relevant to a product, the possible causes and impacts, and what controls and mitigations are in place. Risk levels, both before and after controls, are recorded, and the log is maintained throughout the system’s lifecycle. It is referenced by Clinical Safety Officers, NHS organisations, and suppliers to assess the level of clinical risk, support incident investigation, and ensure that hazards are properly understood, managed, and regularly reviewed. The hazard log serves as a basis for producing the Clinical Safety Case Report, supporting the argument that a system is safe for clinical use. For example, when an NHS trust implements an electronic health record (EHR) system, the hazard log will itemise risks such as incorrect patient identification or loss of clinical data, along with potential consequences (e.g., patient harm) and the controls in place (e.g., barcode scanning, audit trails). If a new risk arises or a system update changes a process, the hazard log is updated accordingly. The log ensures systematic review, traceability, and transparency, helping stakeholders maintain safety as the technology and its clinical use evolve.

ISO 14971 is the internationally recognised standard for risk management of medical devices, and its principles are broadly aligned with DCB0129. If your Software as a Medical Device (SaMD) is integrated with a broader Health IT (HIT) system, it may fall under both medical device regulations and NHS clinical safety requirements. DCB0129 remains applicable to the HIT components, regardless of whether they are themselves regulated as medical devices. In publicly funded NHS or social care settings in England, suppliers must still ensure that clinical safety documentation, such as the Clinical Safety Case Report, Hazard Log, and Clinical Risk Management Plan, aligns with DCB0129. Integration with SaMD does not exempt HIT from these obligations.

DCB0160 is the NHS clinical risk management standard that health and care organisations must follow when deploying and using health IT systems. It sets out how to ensure those systems are clinically safe in operational environments. DCB0160 requires every healthcare organisation implementing a digital health system (such as EHRs or health apps) to establish a clinical risk management process, including identifying, documenting, and mitigating hazards and risks during deployment and throughout the use of the technology. The standard mandates a local Clinical Safety Officer, a clinical risk management plan, a maintained hazard log, and a clinical safety case report. DCB0160 compliance is a legal requirement under the Health and Social Care Act 2012 and complements the DCB0129 standard, which applies to system manufacturers or developers. Adhering to DCB0160 is essential for patient safety, ongoing assurance, and NHS approval for use of any new or existing clinical IT systems.