The Core Misconception
"Our supplier is DCB0129 compliant, so we're covered for clinical safety."
This is one of the most common—and dangerous—misconceptions in NHS digital health. It is also completely wrong.
DCB0129 compliance by a supplier does not remove your obligation to comply with DCB0160. They are separate standards with different responsibilities. You need both.
This article explains why.
Safe as Designed vs Safe as Deployed
The difference between DCB0129 and DCB0160 comes down to two questions:
- DCB0129: Is the product safe when used as the manufacturer intended?
- DCB0160: Is the product safe when used in your specific practice, with your workflows, your staff, and your patients?
These are not the same question.
A digital health product can be perfectly safe as designed by the manufacturer, but unsafe as deployed in your practice if:
- Your staff are not trained properly on how to use it
- You are using it for a purpose the manufacturer did not anticipate
- It is integrated with other systems in a way that introduces new risks
- Your workflows create opportunities for errors that the manufacturer did not foresee
- Your patient population has characteristics (age, language, health literacy) that affect how the system performs
This is why both standards exist. The manufacturer cannot predict every possible way their product will be used, so they focus on making it safe in general. You focus on making it safe in your specific environment.
Who is Responsible for What?
| Responsibility | DCB0129 (Supplier) | DCB0160 (You) |
|---|---|---|
| Identify hazards in the product design | Yes | No |
| Build safety features into the product | Yes | No |
| Test the product before release | Yes | No |
| Provide safety documentation (safety case, hazard log) | Yes | No |
| Appoint a Clinical Safety Officer for the product | Yes | Yes (separate CSO for your organisation) |
| Identify hazards specific to your deployment | No | Yes |
| Train staff on safe use | No | Yes |
| Configure the system for your workflows | No | Yes |
| Monitor for incidents in your practice | No | Yes |
| Update your safety case when you change how you use it | No | Yes |
As you can see, the responsibilities do not overlap—they complement each other. The supplier focuses on the product. You focus on the deployment.
Common Scenarios: Do I Need to Do X?
Scenario 1: The Supplier Has a Clinical Safety Case—Do I Need One Too?
Yes. The supplier's safety case covers the product in general. Your safety case must cover how you are deploying it in your practice. You should use the supplier's safety case as the starting point, but you must still produce your own.
Scenario 2: The Supplier Has Identified Hazards—Do I Need to Identify More?
Yes. The supplier's hazard log lists risks inherent to the product. You must identify additional risks specific to your deployment, such as:
- Integration risks (how the system interacts with your other systems)
- Workflow risks (how your staff will use it in practice)
- Training risks (what happens if staff misunderstand how it works)
- Patient-specific risks (characteristics of your patient population)
Scenario 3: The Supplier Has Built Safety Features—Do I Still Need Controls?
Yes. The supplier's built-in safety features (e.g., validation checks, alerts, access controls) are part of your overall safety approach, but they are not sufficient on their own. You still need:
- Staff training on how to use those features correctly
- Procedures for what to do when alerts fire
- Backup processes in case the system fails
- Monitoring to ensure the safety features are working as expected
Scenario 4: The Supplier Has a Clinical Safety Officer—Do I Need One Too?
Yes. The supplier's Clinical Safety Officer is responsible for the product. Your CSO is responsible for how you deploy and use it. These are different roles and cannot be performed by the same person.
Scenario 5: Can I Just Rely on the Supplier's Documentation?
No. The supplier's DCB0129 documentation is essential—you should request it and review it before procurement. But it is not a substitute for your own DCB0160 assessment. You must conduct your own risk assessment for your specific deployment.
Why You Need Both Standards
Think of it this way:
- DCB0129 ensures the supplier has thought about safety when building the product
- DCB0160 ensures you have thought about safety when deploying the product
If either standard is missing, there is a gap in safety governance:
- Supplier has no DCB0129: You have no confidence the product is safe as designed. You are taking on significant unknown risk.
- You have no DCB0160: You have no confidence the product is safe in your environment. You are deploying blind.
Both standards working together provide comprehensive safety coverage across the entire lifecycle—from design through to live use.
The Real-World Consequences of Confusion
When practices assume DCB0129 compliance covers them, they skip essential safety work:
- They do not conduct risk assessments for new systems
- They do not train staff systematically on safe use
- They do not monitor for incidents or near misses
- They do not update their safety documentation when systems change
This leaves the practice exposed to:
- Clinical risk: Incidents that could have been prevented with proper risk assessment and controls
- Regulatory risk: Non-compliance with DCB0160, which is a legal requirement under the Health and Social Care Act 2012
- Reputational risk: Inability to demonstrate due diligence if an incident occurs
If something goes wrong, saying "the supplier said it was safe" is not a defence. You are responsible for ensuring it was safe in your environment.
Decision Tree: Do I Need to Comply with This Standard?
Are you manufacturing or selling a health IT product?
- Yes → You must comply with DCB0129
- No → Continue
Are you deploying or using a health IT product in a clinical setting?
- Yes → You must comply with DCB0160
- No → Neither standard applies
Are you both manufacturing AND deploying?
- Yes → You must comply with both DCB0129 and DCB0160 (different assessments for each role)
Are you procuring a product?
- Yes → Request the supplier's DCB0129 documentation, then conduct your own DCB0160 assessment
Quick Reference Summary
| Question | DCB0129 | DCB0160 |
|---|---|---|
| Who does it apply to? | Manufacturers and suppliers | Organisations deploying and using systems |
| What is the focus? | Product safety (safe as designed) | Deployment safety (safe as deployed) |
| Who is responsible? | The supplier | You (the deploying organisation) |
| What must they produce? | Safety case, hazard log, evidence of CSO | Safety case, hazard log, evidence of CSO |
| Can one replace the other? | No | No |
| Do you need both? | Yes (for any product used in NHS care) | Yes (for any product used in NHS care) |
Next Steps
Now that you understand the difference between DCB0129 and DCB0160, and why you need both, here is what to do next:
- Request DCB0129 documentation from suppliers: See A Simple Guide to DCB0129 for what to request and how to evaluate it
- Conduct your own DCB0160 assessments: See How to Conduct a DCB0160 Assessment for step-by-step guidance
- Build a clinical safety management system: See How to Build a Clinical Safety Management System to establish the framework
Resources to Bookmark
- A Simple Guide to DCB0160 – Your obligations
- A Simple Guide to DCB0129 – Supplier obligations
- What is a Clinical Safety Officer? – The role responsible for both standards
- DCB0160 Standard (NHS England)
- DCB0129 Standard (NHS England)
Key Takeaways
DCB0129 and DCB0160 are not alternatives—they are complementary standards that work together.
DCB0129 makes the supplier responsible for ensuring the product is safe as designed. DCB0160 makes you responsible for ensuring the product is safe as deployed in your specific environment.
A supplier's DCB0129 compliance does not remove your DCB0160 obligations. You must conduct your own risk assessment, train your staff, implement controls, and monitor for incidents.
Both standards are legally required under the Health and Social Care Act 2012. Assuming one covers the other is a dangerous misconception that leaves your practice exposed to clinical, regulatory, and reputational risk.
