
Protect Clinical Insights

How to Build a Clinical Safety Management System from Scratch

Step-by-step guide to creating your first clinical safety management system. Start with what matters most, accept where you are, and build systematically without being overwhelmed.

Published · 6 January 2025
Topics: Clinical Safety, DCB0160, Implementation

Starting From Zero

Most GP practices do not have a formal clinical safety management system. Digital tools have been deployed over many years, often without systematic safety assessments, because DCB0160 requirements were not widely understood or enforced.

If you are starting from scratch, you are not alone. You are also not behind—you are taking the first step that puts you ahead of most practices.

This guide walks you through building a clinical safety management system from the ground up, starting with what matters most and building systematically without being overwhelmed.

Prerequisites: Before starting, make sure you understand:

Step 1: Write a Simple Clinical Safety Policy

Your first task is to write a clinical safety policy. This is a short document (2-4 pages) that sets out your organisation's commitment to managing clinical risk.

What the Policy Must Include

  • Commitment statement: "This organisation is committed to managing clinical risk from digital health systems in accordance with DCB0160."
  • Clinical Safety Officer: Name your CSO, state their qualifications, and describe their authority (including the power to pause or stop deployments).
  • Risk management approach: Briefly describe how you will identify, assess, and control risks.
  • Incident management: State that incidents will be reported, investigated, and learned from.
  • Review schedule: Commit to reviewing the policy annually or when significant changes occur.
  • Signatures: The policy must be signed by the accountable officer (senior partner, practice manager, or governing body chair) and the CSO.

Keep It Short and Clear

Do not overcomplicate the policy. Two to three pages is enough. The policy sets the direction—the detail goes in your standard operating procedures (SOPs).

If you are part of a Primary Care Network (PCN) or federation, ask whether a template policy is available. Many organisations provide templates you can adapt rather than starting from a blank page.

Write a Realistic Policy (Don't Set Yourself Up for Failure)

Be careful not to commit to things you cannot or will not do. A policy that says "we will conduct DCB0160 assessments for all digital systems" becomes evidence of non-compliance if you do not follow through.

Instead, write your policy to reflect what you will actually do:

Instead of: "All digital systems will be assessed under DCB0160."

Write: "We will complete DCB0160 assessments for all AI-powered systems by [date], followed by high-risk systems on a prioritised schedule."

This approach is honest, achievable, and demonstrates that you have a plan.

What About Legacy Systems?

Many practices have decided not to conduct formal DCB0160 assessments for their long-established, non-AI digital systems (such as their EPR, which has been in use for years and is well understood by staff).

This is not technically compliant with DCB0160, but it is a pragmatic decision many practices make given limited resources and competing priorities.

If you plan to take this approach, document your rationale clearly in your policy or a supporting document:

Example wording:

"Our electronic patient record system (EMIS Web) has been in use at this practice since 2015. Staff are highly familiar with its operation, and the system is subject to regular updates and monitoring by the supplier under DCB0129. While we have not completed a formal DCB0160 assessment for this system, we have assessed it as lower priority than newer AI-powered tools where staff are less familiar with risks. We will review this decision annually and conduct a full assessment if circumstances change (e.g., significant system changes, incident trends, or availability of resources)."

Documenting your reasoning shows that you have made a conscious, risk-based decision rather than simply ignoring the requirement. It also gives you a defensible position if challenged by auditors or commissioners.

A Note on CSO Training

Full compliance with DCB0160 requires that your CSO has completed accredited clinical safety training. See What is a Clinical Safety Officer? for the training requirements.

However, if you are starting from zero and do not yet have access to a trained CSO, the reality is that you are already not complying with DCB0160. In this situation:

  • Appoint an interim CSO (a senior clinician who will take on the role)
  • Document this as a risk on your practice risk register: "CSO not yet trained in clinical safety"
  • Create a plan to get them trained within the next 6-12 months (book them on the NHS England Clinical Safety Officer course or equivalent)
  • State this clearly in your policy: "Our CSO will complete accredited training by [date]"

This interim approach is not full compliance, but it is better than doing nothing. It demonstrates that you are taking clinical safety seriously and working towards compliance, rather than ignoring the requirement entirely.

Step 2: Write Basic Standard Operating Procedures

Standard operating procedures (SOPs) describe how you actually do the work. Start with two or three essential SOPs:

SOP 1: Assessing a New Digital System Before Deployment

This SOP should describe:

  1. Who requests the assessment (usually the person proposing the new system)
  2. What information is needed (supplier DCB0129 documentation, description of how the system will be used, user groups)
  3. How the CSO reviews the request
  4. What hazards must be identified
  5. What risk assessment method is used (e.g., likelihood × severity matrix)
  6. What controls are required before deployment
  7. Who approves the final safety case
  8. Where the documentation is stored

SOP 2: Reporting and Investigating Incidents

This SOP should describe:

  1. What counts as a reportable incident (any safety concern, near miss, or actual harm related to a digital system)
  2. How staff report incidents (form, email, safety log)
  3. Who is responsible for initial triage (CSO or designated deputy)
  4. How incidents are investigated (root cause analysis, timeline review)
  5. How corrective actions are identified and implemented
  6. How the hazard log is updated
  7. When incidents must be escalated to NHS England or the Care Quality Commission

SOP 3: Reviewing System Changes and Updates

This SOP should describe:

  1. When a change review is required (supplier updates, configuration changes, new integrations)
  2. How the CSO is notified of proposed changes
  3. What information is needed (supplier change notes, impact assessment)
  4. How the CSO assesses whether new hazards are introduced
  5. What testing is required before changes go live
  6. Who approves the change
  7. How the hazard log is updated

Keep SOPs Practical

Each SOP should be 1-3 pages. Use bullet points, flowcharts, or checklists rather than dense paragraphs. The test of a good SOP is: can someone follow it without asking for help?

Step 3: Create an Inventory of All Your Digital Systems

Before you can assess risks, you need to know what systems you are using. Create a simple spreadsheet (or document) listing every digital tool that interacts with patient care or clinical workflows.

What to Include

  • System name: e.g., "EMIS Web", "AccuRx", "Klinik AI Triage"
  • Supplier: Who provides it?
  • Purpose: What is it used for?
  • User groups: Who uses it (GPs, nurses, reception, patients)?
  • Deployment date: When did you start using it?
  • Safety assessment status: Has a DCB0160 assessment been completed? (Yes / No / In progress)
  • Responsible person: Who in your practice is responsible for this system?

Systems to List

Include everything:

  • Electronic patient record (EPR) or clinical system
  • Online consultation platforms
  • Patient messaging or communication apps
  • Prescribing tools and interfaces
  • Clinical decision support tools
  • AI-assisted triage, scribing, or diagnostic tools
  • Shared care records or integrated care systems
  • Remote monitoring or telehealth platforms
  • Appointment booking systems (if used for clinical triage or decision-making)

Do not worry if the list is long. Most practices have 10-20 digital systems. The inventory is not a test you pass or fail—it is a tool to help you understand your digital footprint.

Step 4: Accept the Reality—Most Systems Will Have "No Assessment"

When you first fill in your inventory, most systems will have a safety assessment status of "No."

This is not a failure. It is honest. The reality is that most GP practices are in exactly the same position. Digital tools have been deployed incrementally over many years, often without formal safety assessments.

Writing "No" next to most of your systems is not a problem—it is the starting point. You are now ahead of practices that have not even created an inventory.

Step 5: Prioritise—Start with AI Systems

You cannot assess every system at once. You need to prioritise. Here is the order to tackle them:

1. AI-Powered Systems (Highest Priority)

If your practice uses any AI-powered tools—such as ambient voice scribes, AI-assisted triage, or clinical decision support—start here.

Why AI systems first?

  • They are the newest: Staff may not have developed the implicit safety habits they have with familiar tools.
  • They are more error-prone by nature: AI systems can produce plausible-sounding but incorrect outputs, which is a significant clinical safety risk.
  • They attract regulatory scrutiny: Commissioners, ICBs, and regulators are paying close attention to AI deployment.
  • They change frequently: AI models are updated regularly, and each update can introduce new risks.

2. High-Risk, High-Use Systems (Second Priority)

After AI tools, prioritise systems that are:

  • Used for safety-critical tasks (prescribing, test result handling, triage)
  • Used by large numbers of staff or patients
  • Recently changed, updated, or integrated with other systems
  • Known to have caused incidents or near misses

3. Mature, Stable Systems (Later)

Systems that have been in use for many years, are well understood by staff, and have a stable safety record can be assessed later. Your EPR or clinical system, for example, is critical but probably well embedded. It is still on the list—just not first.

Next Steps: Conducting DCB0160 Assessments

Now you have the framework in place:

  • A clinical safety policy
  • Basic SOPs
  • An inventory of systems
  • A prioritised list of systems to assess

The next step is to actually conduct DCB0160 assessments for your prioritised systems. This involves identifying hazards, assessing risks, implementing controls, documenting everything, and maintaining the assessments over time.

Detailed guidance on how to conduct a DCB0160 assessment—including hazard identification, risk scoring, control selection, documentation requirements, and ongoing monitoring—is available in: How to Conduct a DCB0160 Clinical Safety Assessment.

What About Risk Registers, Safety Logs, and Other Documents?

You may have heard about other documents like practice-wide risk registers, safety logs, incident registers, and change control logs.

These are all useful tools, and you may need them as your management system matures. But they are not the starting point.

Start with:

  1. A policy (2-4 pages)
  2. Basic SOPs (1-3 pages each)
  3. An inventory of systems (a spreadsheet)
  4. Clinical safety assessments for your highest-risk tools (safety case reports and hazard logs)

Once you have those in place, you can add more sophisticated tools and processes as needed. Do not let the perfect be the enemy of the good. A simple, working management system is better than an elaborate plan that never gets implemented.

Note: While you can manage all of this using documents and spreadsheets, digital tools can help streamline the process—especially as your system grows. Protect Clinical, for example, provides a purpose-built platform for managing digital clinical safety governance in GP practices, helping automate inventory management, hazard logs, incident tracking, and compliance reporting.

Getting Help: PCN Collaboration and Shared Resources

You do not have to build everything alone. Many Primary Care Networks (PCNs), federations, and Integrated Care Boards (ICBs) provide:

  • Template policies and SOPs you can adapt
  • Shared hazard logs and risk assessment templates
  • Peer support networks for Clinical Safety Officers
  • Shared CSO services across multiple practices
  • Joint training sessions and workshops

If you are part of a PCN or federation, ask what support is available. Clinical safety is an area where collaboration makes sense—most practices face the same risks and can learn from each other.

Common Pitfalls to Avoid

Pitfall 1: Trying to Do Everything at Once

Do not attempt to assess every system simultaneously. Prioritise, start with AI tools, and build momentum. Progress is better than perfection.

Pitfall 2: Overcomplicating the Documentation

Your policy does not need to be 20 pages. Your SOPs do not need to cover every edge case. Start simple, test your processes, and refine them based on what actually happens.

Pitfall 3: Treating It as a One-Time Exercise

Clinical safety management is an ongoing process, not a project with an end date. Build the review rhythm into your governance from the start.

Pitfall 4: Doing It Alone

Your CSO should not be working in isolation. Involve practice managers, clinical leads, and frontline staff. Clinical safety works best when it is embedded in how the practice operates, not bolted on as an afterthought.

Action Checklist

Use this checklist to track your progress:

  • Appoint a Clinical Safety Officer with appropriate training and authority
  • Write a clinical safety policy (2-4 pages) and get it signed by the accountable officer and CSO
  • Write basic SOPs for assessing new systems, handling incidents, and reviewing changes
  • Create an inventory of all digital systems in use
  • Accept the reality—most will say "no assessment"
  • Prioritise AI systems and other high-risk tools for assessment
  • Begin conducting DCB0160 assessments for prioritised systems

Key Takeaways

Building a clinical safety management system from scratch is not as overwhelming as it sounds. Start with a simple policy, basic SOPs, and an honest inventory of your systems.

Prioritise AI tools and other high-risk systems. Be honest about what you will and will not assess. Document your reasoning so auditors understand your risk-based decisions.

Most importantly, build the management system into how your practice operates. Make it part of your governance rhythm, involve the right people, and keep it simple enough to maintain.

You are not aiming for a perfect system—you are aiming for a working system that manages risk, learns from incidents, and demonstrates compliance.