
What is clinical safety?

Clinical Safety is about keeping patients safe. It applies to health and social care providers, as well as manufacturers of health software.

Healthcare today involves the use of a complex arrangement of software systems and services. Caring for patients today depends on the use of Health Information Technology (HIT) and the NHS Clinical Safety standards are there to ensure that the systems don’t cause patient harm.

What is the difference between patient safety and clinical safety?

Patient Safety

Patient safety tends to be broader than clinical safety, or digital clinical safety, but most of the factors can still apply to digital systems:

- Technological factors: issues relating to HIT systems and misuse of technology
- System & organizational factors: inadequate processes and procedures, disruptions in workflow, resource constraints, inadequate staffing or inadequately trained staff
- Human factors and behaviours: fatigue, burnout, distraction, lack of training, cognitive bias
- Patient-related factors: lack of digital literacy, lack of engagement
- External factors: absence of policies, inconsistent regulations

WHO definition: the absence of preventable harm to a patient and reduction of unnecessary harm associated with health care to an acceptable minimum.

It is a culture, consisting of processes and procedures, focusing on technologies and environments in healthcare, to reduce the occurrence of avoidable harm, reduce error, and minimize the impact of harm when it does occur.

Digital Clinical Safety

The avoidance of harm to patients as a result of technologies manufactured, implemented and used in the health service.

What does a Health IT manufacturer need to do?

1. Nominate a clinical safety officer.
2. Define and document clinical risk management processes.
3. Carry out a risk assessment and document that in a Hazard Log and Safety Case.
4. Conduct clinical risk management activities during live service to keep the safety case up to date.
5. Ensure Senior Management Accountability.
6. Provide training.
7. Report and manage clinical incidents.

What are Clinical Incidents?

Clinical Incident Management ensures processes are in place to manage clinical incidents (and near misses) should they occur, and to prevent further patient harm from occurring.

A clinical incident is the occurrence of a clinical hazard that might have progressed to an accident but did not. The incident (or near miss) is relevant to the manufacturer if their product has been a contributing factor in causing the incident.

There are many factors that can contribute to a clinical incident, including but not limited to:

User error

· data entry errors
· misunderstanding of how to use the system
· unclear user interface
· lack of training
· deliberate misuse
· fatigue

Technical defects

· bugs missed in testing
· enhancements made which have not undergone full regression testing and impact another area of the system
· interoperability issues
· infrastructure issues e.g. lack of access, network, firewalls
· third party issues

What are the NHS clinical safety standards?


The DCB 0129 standard is issued by NHS England. It requires manufacturers of health IT systems to carry out a particular type of risk assessment on their product. This process determines whether the product is acceptably safe to go live. Compliance with DCB 0129 is mandatory under the Health and Social Care Act 2012. The idea is that the manufacturer carries out a risk assessment, documents the findings and passes these to the healthcare organisation that is implementing their product. That organisation, in turn, looks at how it is customising and configuring the product and conducts a further risk assessment. This is also documented.

DCB 0129 has little to do with security, privacy or information governance. Those are covered by other standards and frameworks such as ISO 27001, DSPT and Cyber Essentials. DCB 0129 is strictly about safety, i.e., ensuring that the system does not cause patient harm.


The DCB 0160 standard is also issued by NHS England. It provides a set of requirements suitably structured to promote and ensure the effective application of clinical risk management by those health organisations that are responsible for the deployment, use, maintenance or decommissioning of Health IT Systems within the health and care environment.

The standard includes implementation guidance and is supported by the related standard DCB 0129: Application of clinical risk management in the manufacture of Health IT Systems, discussed above.

Where do they apply?

Compliance with DCB 0129 and DCB 0160 is mandatory under the Health and Social Care Act 2012. They are applicable to all Health IT manufacturers who wish to market their product within the NHS. Whilst strictly speaking the Health & Social Care Act applies to England, it is adopted by the devolved nations. Since 2021, compliance with the DCB 0129 standard has formed part of the DTAC.

Where do they NOT apply?

If a Health IT product is marketed in England and intended for use in adult health or social care BUT is only available to private healthcare providers or private care homes, then strictly speaking, it doesn't have to comply with DCB0129. Under the Health & Social Care Act, it is only NHS organisations that must comply with the standard. The CQC can raise concerns if they don't believe the system is clinically safe.

However, if the product provides services to the NHS, or is marketed to both NHS and privately funded care homes, then the NHS requires that their suppliers are compliant with DCB0129. It needs to have a medical purpose, i.e. non-clinical care home software systems like HR or finance don't need to comply but anything that could potentially impact on a patient's care does.
