Digital Health Software – Accreditation for NHS use

Digital Technology Assessment Criteria (DTAC)

Anyone involved in the development of digital health technologies (everything from public-facing health apps to digital systems used in hospitals) needs to be aware that NHS England has introduced the Digital Technology Assessment Criteria (DTAC) for health and social care. DTAC is intended to give staff, patients and citizens confidence that the digital health tools they use or purchase meet clinical safety, data protection, technical security, interoperability, and usability and accessibility standards. Without this accreditation, it will not be possible for developers to deploy their product into the NHS.

DTAC will form the new national baseline criteria for procurement of digital health technologies by the NHS and social care. It sets out, for digital health suppliers, what is expected for entry into the NHS and social care and forms part of the due diligence process for NHS procurement.

Digital technologies are assessed against 5 core areas:

For further information visit:

New simpler and faster assessment process for digital health technologies launched for the NHS and social care

Digital technology assessment criteria DTAC

Clinical Risk Management

It should also be borne in mind that prior to accessing the NHS procurement market there are additional development standards that must be demonstrated to have been met before any new digital product will be considered for use.

DCB 0129 and DCB 0160 are two standards issued by NHS Digital. They require developers of health IT systems and healthcare organisations to carry out a particular type of risk assessment on the product. This process determines whether or not the product is acceptably safe to go live. Compliance with DCB 0129 and DCB 0160 is mandatory under the Health and Social Care Act 2012 (see NHS Digital page). It may also be a requirement to obtain approval prior to applying for DTAC certification.

DCB 0129 applies to the developers of health IT systems whereas DCB 0160 applies to the healthcare organisations implementing them. The requirements in the two standards are almost identical. The idea is that the developer carries out a risk assessment, documents the findings and passes these to the healthcare organisation. They, in turn, look at how they are customising and configuring the product and conduct a further risk assessment. This is also documented. NHS Digital may ask to see the final report before the product goes live.

In the main, the two standards have little to do with security, privacy or information governance. Those are covered by other standards and frameworks such as ISO 27001. DCB 0129 and DCB 0160 are strictly about safety, i.e. ensuring that the system doesn’t cause patient harm. Each standard consists of two important documents: a specification, which sets out what MUST be done to comply, and Implementation Guidance, which provides helpful advice.

Where To Find The DCB Standards

The DCB (SCCI) Standards for managing clinical risk occasionally change names and where they are hosted. Below are the definitive locations:

Applicability of DCB 0129 and DCB 0160

The latest specification for developers – DCB 0129 specification

DCB 0129: Clinical risk management: its application in the manufacture of health IT systems

The latest specification for healthcare organisations – DCB 0160 specification

DCB 0160: Clinical risk management: its application in the deployment and use of health IT systems

