Digital systems are now at the heart of how NHS care is delivered. Electronic patient records, clinical decision support tools, prescribing systems, and AI-assisted diagnostics all influence clinical decisions — sometimes in real time. These technologies can dramatically improve care quality and efficiency, but they also introduce new categories of risk if they are not properly governed.
DCB0160 is the NHS's answer to that challenge. It is the clinical safety standard that applies when healthcare organisations deploy or use health IT systems — ensuring that patient safety risks arising from technology are systematically identified, assessed, and managed before and after go-live.
If your organisation is deploying or commissioning digital health technology within the NHS, DCB0160 is almost certainly relevant to you. This guide explains what it is, who it applies to, what implementing it involves, and what you need to produce.
DCB0160 is an NHS information standard for clinical risk management in the deployment and use of health IT systems. Published and maintained by NHS England, it sets out a structured approach for healthcare organisations to identify and manage patient safety risks associated with the digital systems they deploy and use.
The standard defines a health IT system broadly: it is any product — hardware, software, or a combination — used to provide electronic information for health or social care purposes. That definition is deliberately wide, covering everything from large enterprise clinical systems to smaller, more focused digital tools used in specific clinical pathways.
DCB0160 is frequently discussed alongside DCB0129, and it is important to understand the distinction between them. They are complementary standards that address different sides of the same clinical safety challenge:
| | DCB0129 | DCB0160 |
|---|---|---|
| Applies to | Manufacturers and developers of health IT systems (suppliers) | Healthcare organisations that deploy and use health IT systems |
| Focus | Clinical risk management in the design and development of health IT | Clinical risk management in the deployment and use of health IT |
| Key output | Safety Case Report signed off by a supplier-side CSO before the system is released | Safety Case Report signed off by a deployer-side CSO before the system goes live |
| Who it protects | Patients from risks arising from how the software is built | Patients from risks arising from how the software is deployed in a specific setting |
Both standards are often required simultaneously. A healthtech supplier deploying a product within an NHS organisation may need to meet DCB0129 as the manufacturer of the system, while the NHS organisation deploying it needs to meet DCB0160 as the deployer. Understanding which role applies to you — and which standard governs that role — is the essential starting point.
DCB0160 applies to organisations responsible for deploying digital products in England that are publicly funded and support health or adult social care. This includes NHS trusts, integrated care boards, primary care organisations, and community and mental health providers.
There is an important distinction within the standard about when compliance is legally mandated versus when it is best practice:
DCB0160 is legally mandated when the digital product is used to influence or manage real-time or near-real-time direct patient or service user care.
For products that support health and social care services without directly influencing real-time clinical decisions, compliance is best practice and strongly recommended.
In practice, many NHS organisations apply DCB0160 to a wider range of digital systems than strictly required by the legal mandate — recognising that the clinical risk management principles it embeds are valuable across the full range of health IT, not just systems with direct real-time clinical influence.
Even within an organisation that is already using health IT systems, DCB0160 is triggered at specific points:
Each of these scenarios represents a point at which new clinical risks may be introduced — and therefore a point at which DCB0160 clinical risk management should be applied.
DCB0160 requires organisations to apply a structured clinical risk management process to the deployment and use of health IT systems. The process is not a one-time exercise at go-live — it is a continuous lifecycle activity that runs from initial procurement planning through to ongoing post-deployment monitoring.
The DCB0160 clinical risk management process follows a structured sequence of activities:
1. Scope and planning. Define the scope of the clinical risk management activity, identify the system and the clinical environment it will be deployed in, and establish governance arrangements including appointment of a Clinical Safety Officer.
2. Hazard identification. Systematically identify the clinical hazards that could arise from deploying and using the system in the specific clinical environment. This involves structured workshops, clinical input, and review of supplier DCB0129 documentation.
3. Risk assessment. For each identified hazard, assess the likelihood that the hazard will occur, the potential severity of harm to patients if it does, and the initial risk rating before any controls are applied.
4. Risk control. Identify and implement controls to reduce identified risks to an acceptable level. Controls may be technical (system configuration, workflow restrictions) or operational (staff training, clinical protocols, escalation procedures).
5. Residual risk evaluation. After controls are implemented, reassess the risk and confirm that it has been reduced to an acceptably low level. Document the residual risk and the rationale for accepting it.
6. Safety case compilation. Compile the Clinical Safety Case Report, providing a structured argument that the system is sufficiently safe for use in the intended clinical environment.
7. CSO sign-off and approval. The Clinical Safety Officer reviews and formally approves the Safety Case Report before the system goes live.
8. Post-deployment monitoring. Maintain active monitoring of the system in clinical use, including incident reporting, user feedback, and periodic safety reviews.
One of the aspects of DCB0160 that organisations sometimes underestimate is the ongoing requirement for post-deployment safety monitoring. Clinical safety obligations do not end at go-live.
Effective post-deployment monitoring means having clear processes in place to capture and act on:
Any new hazards identified post-deployment should be documented in the hazard log and assessed through the same risk management process applied pre-deployment. The hazard log and safety documentation must remain current throughout the system's operational life.
DCB0160 requires organisations to produce and maintain four core documentary outputs. These are not simply compliance documents — they are working governance tools that should reflect the genuine clinical safety management of the system throughout its lifecycle.
The CRMS is the overarching governance structure within which clinical risk management activities are conducted. It defines the policies, procedures, roles, and responsibilities that govern how your organisation manages clinical safety risks associated with health IT. Think of it as the framework within which all other DCB0160 activities sit.
The CRMP is the project-specific document that describes how clinical risk management will be carried out for a particular system deployment. It sets out the scope, governance arrangements, the methodology that will be used to identify and assess hazards, the timeline for safety activities, and the escalation and reporting processes. The CRMP should be established at the outset of a deployment project, before hazard identification begins.
The hazard log is the central record of all clinical risks associated with the system. Each entry documents a hazard, its potential causes, the clinical consequences if the hazard occurs, the severity and likelihood assessment, the controls implemented to mitigate the risk, and the residual risk rating after controls. The hazard log must be maintained and updated throughout the system's lifecycle — it is a live document, not a one-time deliverable.
The Clinical Safety Case Report is the formal output of the risk management process. It provides a structured, evidence-based argument that the system is acceptably safe for its intended clinical use in the specific deployment context. It summarises the hazards identified, the controls implemented, and the rationale for accepting any remaining residual risk. The report must be reviewed and formally signed off by the Clinical Safety Officer before the system goes live.
A Clinical Safety Officer (CSO) is a mandatory role under DCB0160. The CSO must be a registered clinician — a doctor, nurse, pharmacist, or other registered healthcare professional — who has completed NHS-recognised training in digital clinical safety.
The DCB0160 CSO has distinct responsibilities from the supplier-side CSO required under DCB0129. The deployer-side CSO is specifically responsible for:
For NHS trusts and larger healthcare organisations, the CSO is typically an in-house clinician with a dedicated clinical safety or digital health role. For smaller organisations such as GP practices or PCNs, the CSO function is often fulfilled through shared governance arrangements within an ICB, or supported by external clinical safety expertise.
DCB0160 implementation presents real challenges for NHS organisations, particularly given the scale of the NHS's digital footprint and the resource constraints that many organisations operate under. Understanding these challenges is the first step to managing them effectively.
Recent research has highlighted a striking reality: the majority of digital health technologies currently in use across the NHS do not have documented assurance against clinical safety standards. Many systems were deployed before DCB0160 was consistently applied, or in environments where clinical safety governance was not yet mature.
This creates what clinical safety leaders have called "legacy debt" — a backlog of systems in active clinical use that lack formal hazard logs, safety case reports, or documented risk assessments. Addressing legacy debt is a significant challenge that requires organisational commitment, prioritisation, and a structured, proportionate approach.
The CSO Council has published guidance on managing legacy debt. Their recommended approach involves maintaining a documented inventory of legacy clinical systems, undertaking an initial scoping assessment to understand the size of the legacy estate, and prioritising remediation based on clinical risk and system complexity. This allows organisations to make progress in a practical, risk-based way without being overwhelmed by the scale of the task.
Meaningful DCB0160 implementation requires active engagement from clinical staff — not just from digital and informatics teams. Clinical staff are essential to effective hazard identification: they understand the workflows, the edge cases, and the ways that digital systems can interact with clinical practice in unexpected ways.
Building genuine clinical engagement means explaining the purpose and value of DCB0160 to frontline staff — framing it as a patient safety activity, not a compliance exercise. It also means establishing clear feedback channels through which staff can raise concerns or report potential hazards identified in operational use.
Healthcare organisations deploying digital systems are significantly supported — or hindered — by the quality of the DCB0129 documentation they receive from suppliers. Well-produced supplier DCB0129 documentation, including a clear hazard log with transferred controls clearly identified, substantially reduces the burden on the deploying organisation.
Deployers should actively request and review supplier DCB0129 documentation as early as possible in the procurement process. Suppliers who can provide clear, comprehensive safety documentation are not just easier to work with — they are demonstrating a genuine commitment to clinical safety that should influence procurement decisions.
Different types of NHS organisations implement DCB0160 in different ways, reflecting differences in scale, governance maturity, and digital complexity.
Large NHS trusts often operate complex digital ecosystems with multiple integrated clinical systems. This scale increases the number of potential hazards and makes coordination across clinical departments and digital teams more challenging. Effective DCB0160 implementation in these environments typically requires centralised clinical safety governance, standardised hazard logging processes, and dedicated clinical safety resource embedded within digital transformation programmes.
ICBs have a dual role in DCB0160: as system leaders responsible for the digital health of their local population, and as organisations that may directly commission and deploy digital tools. ICBs are increasingly providing DCB0160 governance support to smaller provider organisations within their system, including GP practices and community providers, which is a practical and effective approach to building consistent clinical safety standards across a local health economy.
Primary care organisations typically have smaller digital teams and more limited clinical safety governance resource. Many rely on ICB support or shared PCN governance arrangements to fulfil DCB0160 requirements. Using standardised templates and guidance significantly simplifies the process, and drawing on supplier DCB0129 documentation to inform the deployer-side hazard log is particularly valuable in resource-constrained settings.
Our DCB0160 services include:
We work with NHS trusts, ICBs, primary care organisations, and digital health suppliers — helping each to understand and fulfil their DCB0160 obligations in a practical, proportionate, and sustainable way.