
Clinical Risk Management Training with NHS Digital - a Review

Tuesday, November 6, 2018
Dr Michael Barry

After completing the Maker’s Academy software development course in 2016, I entered 2017 as a fresh-faced, self-titled "Clinician Software Developer", thinking I would change the system by building the technology I felt was missing.

I started with some low-hanging fruit to test out my skills - digitising the “heart attack” treatment pathway in the Emergency Department. I had visions of people using my app to decide how to manage patients, replacing the tatty sheet of paper currently pasted to the Emergency Department wall.

The app looked great, and the specialists I built it with loved it.

But the first time I tried to use it on a hospital computer, it took me to the wrong decision each time I used it. It turned out that the Microsoft Internet browser worked slightly differently to the Google Chrome browser that I had built it with.

If this had happened in real life, the worst case scenario would have been that a patient having a heart attack might not have been recognised...

It was simple to fix the problem but it scared me. What else had I missed?

That experience made me realise two things. Firstly, clinicians shouldn't build digital tools on their own - there are too many requirements and risks. You need a team behind you to look at user experience, security, interoperability with other systems etc. And secondly, I've come to realise that clinical risk analysis is one of the keys to creating safe digital tools.

Clinical risk

The digital tools we use in the clinical environment have real potential to do harm (otherwise called “risk”).

There are many aspects to assuring the quality of a digital tool. For example, the NHS Digital “Digital Assessment Questionnaire” and the NHS Scotland “Quality Assurance Framework” provide solid guidance on this process, which is rightly comprehensive and robust. A key section in these documents is about clinical risk management, and that is where I want to focus this article, because I am currently on the train back from Leeds, where I completed the NHS Digital “Clinical Risk Management” training, providing me with the knowledge to fill the role of “Clinical Safety Officer”.

What is Clinical Risk Management?

In its simplest form, any risk management process should provide answers to the following questions:

  • What can go wrong?
  • How serious would it be?
  • How likely is it?
  • What should we do about it?

Specifically for clinical risk management, we are looking at any “Health IT system” including any “product used to provide electronic information for health or social care purposes. The product may be hardware, software or a combination”. This also includes software which is classified as a medical device.

NHS Digital has been mandated by NHS England via the Health and Social Care Act 2012 to publish two standards relating to clinical safety:

These are actually very readable, and provide a framework for 1) the manufacturer of a Health IT system, which may be an SME, a corporate organisation or a public sector organisation (DCB0129), and 2) the deployer of a Health IT system, which may be an NHS or social care organisation (DCB0160).

What manufacturers and deployers need to do

At a high level, both standards recommend roughly the following.

1.   Your organisation should have a clinical risk management process.

2.   The clinical risk management process should involve:

    • Risk Analysis
      • Identifying hazards to patients
      • Estimating “risk” based on the likelihood and the severity of the harm that could be caused
    • Risk Evaluation - deciding whether the risks to the patient are acceptable or not
    • Risk Control - for the risks that are unacceptable, using techniques to mitigate and reduce the risks to acceptable levels

3.   You should keep a Clinical Risk Management File which contains documentation of your compliance with the standards.

4.   Each project should have a Clinical Risk Management Plan.

5.   Throughout the project, you should have different iterations of a Clinical Safety Case Report - this is a summary document which shows your argument & evidence for the clinical safety (or not) of the Health IT system.

6.   Each project should have a Hazard Log that documents all the points in 2 above.

7.   The Clinical Safety Officer must approve the Clinical Risk Management Plan, the Clinical Safety Case Report and the Hazard Log.

8.   The Clinical Safety Officer must be a clinician with current registration.

For examples of the documentation I have named, read the implementation guides found on the standards pages (e.g. DCB0160 can be found here). NB: The above is a non-comprehensive, high-level overview for information's sake.

Risk Management versus Clinical Risk Management

Importantly, clinical risk management is different to standard project management risk assessments, because it is all about the risk of harm to patients - not about financial or other business risks. This has been a mistake that we have seen in submissions to the NHS Scotland Mobile App "Quality Assurance Framework" working group pilot.

Clinical Safety Officer

The clinical safety officer role is an interesting one.

Clinicians involved in digital health often do it as a hobby rather than via a specific role - this was also recognised in the 2016 Wachter review, which recommended formalisation of the Clinical Informatician role and creation of Chief Clinical Informatician roles in health boards/trusts.

The "Clinical Safety Officer" role represents another such formalisation for a clinical innovator, and would probably make an excellent part-time mix with a clinical job.

I’ve seen several companies advertising for this role, and I think the skill set will become increasingly valuable. One company (which I won’t name) posted a Clinical Safety Officer role on their website, with the following responsibilities:


  • Conducting clinical risk assessment for products
  • Creating and maintaining key safety documentation, including:
    • Risk Management Plan
    • Hazard Log
    • Safety Case
    • Safety Case Report(s) (Phase Reports, Closure Report)
  • Ensuring all affected standard operating procedures and business processes are updated to incorporate relevant clinical risk procedures and activities
  • Leading the investigation and resolution of safety incidents
  • Conducting root cause analysis of safety incidents in line with best practice, ensuring necessary actions are taken and outcomes communicated to relevant parties
  • Providing training to raise staff awareness and guidance on clinical safety best practice
  • Providing safety input into design, development and test activities for products
  • Engaging with other clinicians to ensure the safe design and implementation of products
  • Supporting CSOs from partner organisations in their efforts towards compliance with DCB0160
  • Assisting external audits, and follow through of resulting actions
  • Providing clinical safety cover for both in office hours and out of hours on a rota basis
  • Preparing reports at regular intervals for safety workstream
  • Maintaining clinical registration and competence sufficient to discharge the clinical safety role


If being a clinical safety officer sounds interesting to you, I highly recommend the Clinical Risk Management training course run by the fantastic Clinical Safety Team. This skill and the Clinical Safety Officer role are becoming increasingly important, so sign up for the training here - there is an initial online part (which is free) and then a one-day in-person course which costs £450 for NHS and £600 for non-NHS organisations.

It's a good way for clinicians to train in a tangible, mandated digital skill.

Furthermore, it is a key step for creating safe digital tools, and for avoiding harm to citizens.

And next time I go to build an “app”, I might just follow my user research with a clinical risk management plan…