The recent article from NHS England on the relationship between ISO 14971 and DCB0129 is a helpful contribution to an area where we continue to see uncertainty emerge for NHS organisations and medical device manufacturers.
It is encouraging to see recognition that alignment between the two standards is possible. In practice, this reflects what many organisations are already doing or attempting to do, particularly those with mature ISO 14971 risk management systems. However, we still see friction in alignment.
The article focuses largely on the potential drawbacks of alignment, with less attention given to the consequences of not aligning approaches at all. This friction can create misaligned expectations for suppliers and limit the NHS’s access to high-potential technologies. We believe that there should be equity between the standards where solutions exist to benefit the NHS.
Shared foundations, different context
We have previously discussed the application of DCB0129 for medical device manufacturers with an established a QMS compliant with ISO13485 and ISO14971 in this blog. Their integration is possible due to them being built on the same core principles:
- Identification of hazards
- Assessment of risk
- Implementation of controls
- Evaluation of residual risk
DCB0129 introduces additional NHS-specific expectations that medical device manufacturers must be aware of, particularly:
- Clinical safety governance
- Accountability through the Clinical Safety Officer role
- Structured safety case reporting
- Focus purely on clinical risk
These are important additions, but they do not require a completely different approach to risk management activities, just a slightly different lens. In most cases, they sit as minor additions to an existing ISO 14971-aligned system.
Where theoretical differences don’t translate.
The NHS article discusses how ISO 14971 considers risks to users and the environment, whereas DCB0129 focuses specifically on clinical risk.
While technically correct, this is often (but not always) of limited practical relevance for digital health systems.
Based on our experience, the majority of health IT products typically do not pose physical hazards in the same manner as conventional medical devices. They are unable to directly inflict mechanical harm or release energy/substances that result in environmental risks.
Instead, risk is primarily associated with incorrect, delayed, or missing information, misinterpretation of outputs, workflow disruption, or over-reliance on system behaviour.
In these contexts, ISO 14971 risk assessments for digital devices are already inherently clinical. The practical gap between the two standards is therefore much smaller than it may initially appear. Where non-clinical risks are present, these can be clearly categorised within the Hazard Log, allowing a well-structured view to present only those risks relevant to a DCB0129 audience
A common misunderstanding.
Manufacturers with established ISO 14971 processes often mistakenly believe their existing risk documentation satisfies DCB0129 requirements for NHS use.
While ISO 14971 proves a robust process, DCB0129 demands that risk is:
- Clinical safety governance
- Accountability through the Clinical Safety Officer role
- Structured safety case reporting
- Focus purely on clinical risk
We believe that organisations should focus on translating and aligning existing evidence to meet NHS expectations, avoiding unnecessary duplication, and this is the approach we take when we work with Medical Device manufacturers to comply with DCB0129.
The real risk: duplication and divergence.
Where alignment is not considered, organisations often default to running parallel processes for ISO 14971 and DCB0129.
This can lead to:
- Duplicate risk assessments
- Separate hazard logs describing the same system
- Divergence in risk ratings, controls, and rationale
This is not just inefficient; it introduces its own form of risk.
We have seen instances where misalignment between documentation raises questions about traceability and the overall robustness of the risk management process. In some cases, this is compounded by organisational separation, where Clinical Safety Officers have limited or no interaction with quality assurance or regulatory teams responsible for ISO 14971 activities. This can result in risk assessments being developed in isolation, increasing the likelihood of inconsistencies across artefacts.
Feedback from Notified Bodies has consistently reinforced that inconsistencies between risk management artefacts are viewed unfavourably in conformity assessments, as they call into question the coherence of the overall system.
Compliance Silos.
Maintaining two overlapping risk management approaches has clear practical implications:
- Increased resource requirements across clinical and regulatory teams
- Ongoing maintenance burden as systems evolve
- Greater likelihood of rework during audits and deployments
There is also a direct cost impact. Additional effort required to maintain parallel processes increases the burden on manufacturers, the cost of which is ultimately passed on to NHS organisations.
In a system where both funding and clinical safety expertise are finite, this becomes a question of proportionality. Effort spent duplicating processes and documentation is effort not spent in other crucial business areas, such as innovation.
Summary
While this discussion focuses on ISO 14971 and DCB0129, the challenge is not unique. Organisations are increasingly required to navigate multiple overlapping standards and regulatory frameworks.
Treating each as a standalone exercise creates duplication and fragmentation. A more effective approach is to develop a coherent system that satisfies multiple requirements simultaneously, improving consistency and reducing unnecessary burden.
The core mission for all involved in health technology risk management is to safely expedite innovative products to clinicians and patients. We believe this can only be achieved by reducing bottlenecks and duplication, no matter which standards are being discussed.
Need help aligning your Risk Management Plans?
Book a risk management consultation with a member of our team to find out how we can integrate your risk management approaches to comply with DCB0129 and ISO 14971.