In one line: DCB0129 applies to the organisation responsible for developing and maintaining the health IT system; DCB0160 applies to the health or care organisation deploying, using, maintaining or decommissioning it.
The ownership difference
NHS England describes DCB0129 as the manufacturer standard. It requires effective clinical risk management from organisations responsible for developing and maintaining health IT. DCB0160 is the deployment-and-use standard: it requires the health organisation to manage clinical risk in the setting where the technology will actually operate.
They are related because neither party sees the whole risk picture alone. The manufacturer understands product design, intended use, known limitations and system controls. The deployment organisation understands local pathways, staffing, configuration, interfaces, training, downtime arrangements and patient population.
What DCB0129 should provide
- A defined clinical risk management system and named Clinical Safety Officer.
- Intended use, scope, assumptions, dependencies and excluded use.
- A product hazard log with controls and verification evidence.
- A Clinical Safety Case Report supporting the released version.
- Known residual risks, deployment requirements and safety information for customers.
- A process for change, incident review and maintenance of the safety file.
What DCB0160 adds locally
- Local clinical ownership, governance and a deployment Clinical Safety Officer.
- Assessment of the real pathway, users, infrastructure and system configuration.
- Review of manufacturer evidence for relevance and adequacy in the intended setting.
- Locally introduced hazards, including integrations, workarounds, training and downtime.
- Local risk controls, testing, readiness decisions and post-deployment monitoring.
- Safety management through use, modification and eventual decommissioning.
Why a DCB0129 report is not a DCB0160 report
A supplier cannot sign off risks it cannot observe or control inside a trust. Equally, a trust should not have to reverse-engineer the product’s design hazards because the manufacturer’s evidence is incomplete. The deployment safety case should consume manufacturer evidence, test its assumptions against the local environment and add what is specific to the implementation.
For example, a product may correctly display a high-risk result under its intended configuration. A local interface mapping, alert-routing rule or staffing model could still delay action. The product control and the deployment control are different, and both need owners and evidence.
Who needs a Clinical Safety Officer?
Both sides need competent clinical safety leadership appropriate to their responsibilities. NHS England’s training pathway includes Essentials, Intermediate and Practitioner training, with Practitioner positioned for those looking to become a Clinical Safety Officer. Training matters, but so do clinical credibility, product understanding, risk-management judgement and the authority to challenge release or deployment.
A clean handover between manufacturer and trust
- Share the current Clinical Safety Case Report and hazard log under appropriate controls.
- State intended use, contraindicated use, assumptions and required deployment controls plainly.
- Identify safety-relevant configuration and integration decisions.
- Agree how incidents, changes and new hazards will be communicated.
- Keep version references aligned so the deployment case points to the evidence for the installed release.