Clinical AI & Assurance
DCB0129 vs DCB0160: the difference explained
In short: DCB0129 is the clinical risk management standard for the manufacturer of a health IT system; DCB0160 is the standard for the healthcare organisation that deploys it. DCB0129 produces the product's clinical safety case and hazard log; DCB0160 manages the local clinical risk of using it in a specific care setting.
What is DCB0129?
DCB0129 (Clinical Risk Management: its Application in the Manufacture of Health IT Systems) sets out how the manufacturer of a health IT system must identify, assess and control clinical risk during design and build. The core outputs are a clinical safety case report and a hazard log, owned by a named Clinical Safety Officer. If you build software used in patient care — including AI tools — and sell or supply it to the NHS, DCB0129 is typically the standard that applies to you.
What is DCB0160?
DCB0160 (Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems) applies to the healthcare organisation deploying a system — for example an NHS trust rolling out an ambient scribe or a clinical decision-support tool. It requires the deploying organisation to manage the clinical risks specific to their environment, workflows and patient population, again under a named Clinical Safety Officer.
DCB0129 vs DCB0160 at a glance
| DCB0129 | DCB0160 | |
|---|---|---|
| Who it applies to | Manufacturer / supplier | Deploying healthcare organisation |
| Focus | Building the product safely | Using the product safely locally |
| Key outputs | Clinical safety case report + hazard log | Local clinical risk management file |
| Accountable role | Manufacturer's Clinical Safety Officer | Organisation's Clinical Safety Officer |
How they work together
The two standards are complementary, not alternatives. A vendor produces a DCB0129 safety case for the product; the deploying NHS organisation uses that as an input to its own DCB0160 assessment, adding the risks introduced by its local workflows and integrations. Good vendors make deployment easier by handing over a clear, current safety case and hazard log.
Where this fits with DTAC and DPIAs
Clinical safety (DCB0129/0160) is one of the five areas assessed by the NHS Digital Technology Assessment Criteria (DTAC), alongside data protection, technical security, interoperability and accessibility. Where personal or health data is processed, you will also need a Data Protection Impact Assessment (DPIA). Together these make up the assurance evidence NHS buyers expect.
Meds Global Health supports both sides — manufacturer clinical safety (DCB0129) and deployment safety (DCB0160). This article is general information, not legal or regulatory advice; applicability depends on your product and role.
Answers
Frequently asked questions
What is the main difference between DCB0129 and DCB0160?
DCB0129 is for the manufacturer of a health IT system and requires a clinical safety case and hazard log. DCB0160 is for the healthcare organisation deploying that system and requires local clinical risk management. One covers building the product safely; the other covers using it safely in a specific setting.
Do both standards always apply?
Often, yes — but to different parties. A vendor selling into the NHS typically needs DCB0129; the NHS trust deploying it needs DCB0160. If you both build and deploy, you may need to address both.
Who signs off the clinical safety case?
A named Clinical Safety Officer (CSO) — a suitably qualified clinician — is accountable for the safety case under each standard, within the respective organisation.
Are these standards legally mandatory?
They are mandatory where applicable under the relevant NHS information-standards framework. Applicability depends on whether your product is health IT used in care and your role in the supply chain. Take formal advice on your specific case.
Need a clinical safety case?
We help manufacturers and NHS deployers meet DCB0129 and DCB0160.