Top 5 FAQs – Clinical safety standards NHS Digital Technology Assessment Criteria (DTAC)

We asked Paul S Weston, Director of Review & Accreditation at ORCHA, and Adam McCabe, Senior Digital Health Assessor at ORCHA, to answer your top 5 questions about clinical safety requirements you need for your health app to pass an NHS DTAC assessment.  

Why do I need to check my health app meets NHS DTAC clinical safety standards?

You need to identify and check your health app has mitigations in place for any risks that could harm a patient’s health. Do this as early as possible when you develop your health app and use this process as a road map for development. It can highlight how to improve the usability of your health app for the benefit of your users: patients or healthcare professionals. Otherwise, it is difficult to go back and make changes to an established health app.  

Here are some examples of risks we’ve identified in health apps during a DTAC assessment: 

  • Signposting to a resource that is no longer available, and the patient not having access to that in a time of need 
  • Entering a number that is not flagged as ‘outside of an acceptable range’, such as an insulin dose or body temperature 
  • Data that is entered and processed in a way (data migration) where it doesn’t end up in the right place, for example it doesn’t identify a patient correctly 
  • Important data that is not included in a patient’s record, which could affect a diagnosis or treatment decision, such as a recent prescription or allergy

How do you assess my health app so it meets NHS DTAC clinical safety standards?

At ORCHA we look at the documents you have in place, and the people you have involved in the development of your health app (Android, Apple (iOS) or web-based app). 

We assess your health app against DCB0129, an NHS standard that your health app needs to pass to be used in NHS organisations.

You will need to share 3 specific documents and keep records internally for your processes. 

These 3 specific clinical safety documents include:  

1. Clinical risk management system – this outlines your organisational safety processes, so who is involved, what training they have had, any process you have for auditing your platform and any third-party platforms that fit into it.

2. Clinical safety case report – this covers the specific app in scope: what it is, what it does, what its intended use is and what testing you have done. This includes whether you have done any clinical safety tests to look for risks and, if you have, what the outcomes were. Finally, has this report been signed off by a relevant clinical safety officer (CSO)?

3. Hazard logs – Each app you develop requires a hazard log, which records any risks to patients that may arise from use of the app. The likelihood and severity of these risks must be recorded, as well as any control measures you will put in place against these risks. 

What is needed to be a clinical safety officer (CSO) and how do I find one?

The clinical safety officer (CSO) needs to be clinically trained, so they need to have a current valid registration as a healthcare professional. For the DTAC, the CSO needs to have undergone appropriate risk management training. For example, at ORCHA, our Medical Director and CSO is Dr Tom Micklewright. 

Some organisations that offer clinical safety risk management training can also supply clinical safety officers (CSO) to help set up a process and maintain it.  

So, you can hire a CSO, or have your own in-house CSO who is a registered clinician that has undertaken the training. 

Ideally the CSO will have expertise in the clinical area that your health app helps with. For example, if your health app helps people with diabetes, a diabetologist could identify risks as you develop it.

What if I don’t have documentation for NHS DTAC clinical safety standards, including those that show compliance with DCB0129?

Clinical safety standards documentation, including the documents that show compliance with DCB0129, is your assurance that what you are doing doesn’t lead to unmitigated risk to patients.

If something were to go wrong, you can point to these documents to demonstrate that you did everything you possibly could to mitigate the risks of that in your health app. 

This is why it’s important to understand at an early stage what the risks are for using your health app and how you can mitigate them.  

Your clinical safety documentation should be passed over to the NHS organisation that will commission your health app, and they will then do their own risk assessment of your health app, including the use of your health app within clinical practice. 

Independent external validation, for example through ORCHA checking your documents, helps you prepare for important conversations with NHS organisations when they want to commission your health app, so that it is used in the safest and most effective way. This means that your health app will be used by the people and for the purpose you intended.

Another benefit of getting help in preparing your documents ahead of any procurement is that we can speed the process up and reduce the risk of gaps or problems being flagged at crucial points in contracting discussions.

Is the NHS DTAC only for medical devices?

The DTAC asks if your health app is a medical device, and if it is then you need to provide the appropriate registration details and documentation.  

If your health app is not a medical device, then you need to explain this too.  

We do find that some health apps are in fact medical devices, and their developers may be unaware that they are. We encourage them to independently go through the medical device certification process to obtain the appropriate EU CE or UK CA marking and classification.

The DTAC covers all digital health products (including health apps), whether they are or aren’t a medical device, and you need to evidence this in either case. Part of the DTAC process is complying with standards such as DCB0129, and others such as ISO 14971 if your health app is a medical device.

Contact us or watch the NHS DTAC clinical safety webinar (link below)

At ORCHA we help deconstruct the clinical safety requirements for the DTAC into over 70 short questions, to provide you with a granular and clear picture of how clinically safe your digital health product is. 

The NHS Digital Technology Assessment Criteria (DTAC) is an assessment that digital health products, such as Apple, Android and web apps, need to go through to be commissioned by the NHS in the UK.  

There are five key areas that an NHS DTAC covers when assessing a digital health product. These include: 

  • Clinical safety 
  • Data protection 
  • Usability and accessibility 
  • Technical security 
  • Interoperability (if applicable) 

We can help guide you through an NHS DTAC to improve your chances of getting commissioned by an NHS organisation, or you can do it as a self-assessment. 

Want to learn more? Email us at or watch the webinar: NHS DTAC – spotlight on clinical safety.