DCB0129 & DTAC Compliance9 July 2026·6 min read

DCB0129 Compliance Checklist: What UK Health Tech Software Companies Need in 2026

Software developer working on a laptop in a healthcare technology setting

Most health tech founders first hear the words "DCB0129" when an NHS trust's procurement team asks for a Clinical Safety Case Report before they'll sign — and by then, the clock is already running. DCB0129 is the NHS England information standard that governs clinical risk management for anyone building software that could affect patient safety, and it now sits directly inside the NHS's main buying gate, the Digital Technology Assessment Criteria (DTAC).

Two Standards, One Gate

DCB0129 + DTAC

DCB0129 is your evidence. DTAC is where NHS buyers ask to see it — Clinical Safety Case Report, Hazard Log and a named Clinical Safety Officer, all before procurement can proceed.

What Is DCB0129, and Why Does It Matter to Your Software?

DCB0129, formally "Clinical Risk Management: its Application in the Manufacture of Health IT Systems," is an NHS England information standard. It sets out the process manufacturers must follow to identify, assess and mitigate clinical risk in health IT systems, and to evidence that process so purchasing organisations can be assured the product is safe to use.

It applies to any organisation that manufactures, develops or maintains software intended for use in health and care settings where a fault, error or design flaw could plausibly cause harm to a patient. That covers a wide range of products: clinical decision support tools, patient-facing apps, SaaS platforms used by clinicians, AI-based diagnostic or triage tools, and administrative systems that feed clinical decisions.

It's worth distinguishing DCB0129 from its sister standard, DCB0160. DCB0129 sits with the manufacturer — you, as the software supplier. DCB0160 sits with the health or care organisation deploying your system, who must run their own local clinical risk assessment before go-live. Buyers will often expect you to support their DCB0160 process with evidence from your DCB0129 work, so the two are closely linked in practice even though the legal responsibility differs.

NHS England opened a public consultation on 29 June 2026 reviewing both DCB0129 and DCB0160, open until 11 September 2026, so some of the detail may evolve later this year. The core obligation — demonstrable, evidenced clinical risk management — isn't going away.

How DCB0129 Relates to DTAC

The Digital Technology Assessment Criteria (DTAC) is the national assurance framework NHS commissioners and providers use to assess a digital health product before adoption. It covers five areas: clinical safety, data protection, technical security, interoperability, and usability and accessibility.

The clinical safety section of DTAC is where DCB0129 becomes unavoidable. Assessors will ask for your Clinical Safety Case Report, your Hazard Log, and details of your named Clinical Safety Officer. Without these, a DTAC submission stalls at the first hurdle.

NHS England refreshed DTAC in February 2026, cutting the form by roughly 25% and removing duplication with the Data Security and Protection Toolkit and pre-acquisition questionnaires. The previous form was fully retired by 6 April 2026. One change worth knowing: the requirement for a Clinical Safety Officer to complete a specific NHS Digital training course has been dropped from both DTAC and the updated DCB0129 guidance — competency can now be evidenced through professional registration, clinical experience, IT experience or a supporting CV, rather than a single mandated course.

Clinical decision support
Patient-facing apps
Clinical SaaS platforms
AI as a medical device
Triage & diagnostic tools
Care admin systems

If your product falls into any of these categories, the software & health technology sector page and the wider document library set out the governance documentation NHS buyers typically expect to see alongside your safety case.

The DCB0129 Compliance Checklist

Eight steps cover the core of what DCB0129 — and a DTAC submission built on it — actually requires:

Appoint a Clinical Safety Officer

A registered clinician, or someone who can otherwise evidence clinical safety competency, with authority to sign off your safety case. Document how competency is evidenced — registration, clinical background, IT experience or CV — since a specific training certificate is no longer the only accepted route.

Establish a clinical risk management system

A documented process across the product lifecycle, typically aligned to ISO 14971 principles, covering how hazards are identified, assessed, mitigated and reviewed from design through to retirement.

Build and maintain a Hazard Log

A living record of every identified clinical hazard: cause, potential harm, likelihood, severity, mitigations and residual risk. A hazard log written retrospectively, just before a DTAC submission, is one of the most common reasons assessors push back.

Run risk assessments at each development stage

Design, build, test, deployment and post-market — each stage should generate its own risk assessment output feeding back into the hazard log.

Produce a Clinical Safety Case Report

The document that ties everything together: the hazard log, the evidence behind each mitigation, and the CSO's formal sign-off that the system is safe for its intended use.

Maintain version control and change management

Any material change to functionality — a new feature, an algorithm update, an integration — should trigger a review of the safety case, not just a changelog entry.

Set up post-deployment surveillance

A defined process for capturing safety incidents once the product is live, feeding them back into the hazard log and risk management system.

Keep it submission-ready

DTAC assessors and NHS buyers will ask for your Clinical Safety Case Report and CSO details directly, often with short turnaround. Current, organised documentation moves procurement along faster than anything reconstructed under deadline pressure.

Common Mistakes That Delay NHS Procurement

The same handful of gaps come up repeatedly in health tech procurement conversations: no named CSO, or one whose competency isn't documented; a hazard log with vague, generic entries rather than product-specific hazards; no defined process for updating the safety case after a code or feature change; confusion between DCB0129 (manufacturer) and DCB0160 (deploying organisation) responsibilities; and treating DTAC as a one-off form-filling exercise rather than an ongoing assurance obligation that needs revisiting as the product evolves.

Worth knowing: with NHS England's consultation on DCB0129 and DCB0160 running until September 2026, and DTAC having just gone through its own overhaul, health tech suppliers are working against a moving target this year. Build clinical risk management into your process now, in a form that's easy to update, rather than treating it as a document you produce once and file away.

Where ProPolicyForge Fits In

ProPolicyForge generates regulation-aligned policy and governance documentation for software and health technology providers, alongside tools built for the eight other regulated UK sectors we cover. You can see how the platform works on our features page, and full plans — including ongoing document management — start from £49/month, detailed on our pricing page.

Before Your Next DTAC Submission

Generate regulation-aligned compliance documents in minutes

ProPolicyForge generates UK compliance policies specific to your organisation, your sector, and the obligations you face. Three free documents — no account required, no card needed.

Generate Your First Document Free

Sources & disclaimer: This article provides general guidance only and does not constitute clinical, legal or regulatory advice. See NHS England Digital's guidance on DCB0129 at digital.nhs.uk and on the review of DCB0129/DCB0160 (consultation open until 11 September 2026), and the Digital Technology Assessment Criteria guidance on the AI and Digital Regulations Service at digitalregulations.innovation.nhs.uk. Details reflect published guidance as of July 2026. Health tech organisations should refer directly to current NHS England guidance and seek specialist advice for their specific product and setting.