Skip to content
8foldgovernance master
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • +44 (0)1273 569172
Book a Call

← From our blog

Expert Insights: CQC Regulation and Clinical Safety Standards

  • Published: July 3, 2024
  • Category: CQC

Share this post

Headshot of a bald man wearing a tropical print shirt
Nick Pavard

Share this post

Aligning quality management systems in healthcare.

Quality management systems are commonplace in healthcare and all have similar fundamental elements. In the NHS, this applies to standards and regulation such as DCB0129, DCB0160 and the Care Quality Commission (CQC)with commonalities presenting opportunities to transfer best practice across what could be perceived as siloed regulated areas. Written by Nick Pavard,  Clinical Safety Officer and CQC Lead at 8foldGovernance, this blog is reflective of his recent experiences working with organisations registered or registering with the CQC and how institutional knowledge can be applied to the DCB0160 clinical safety assessment.  

What are DCB0129 and DCB0160 Clinical Safety Standards?

DCB0129 and DCB0160 are NHS information standards that are legally mandated under section 250 of the Health and Social Care Act 2012. DCB0129 is the standard relevant to health tech manufacturers, DCB0160 is the standard relevant to deploying healthcare organisations. Fundamentally, they are a risk management system – with DCB0129 &  very closely aligned to ISO 14971 – as discussed in a previous Expert Insights Blog which you can find here. By taking an even closer look they are principles which apply to all good governance practices regarding the effective design, implementation and maintenance of policies.  

DCB0160

DCB0160 clinical risk assessments revolve around 5 key elements.  

Clinical Risk Management System.

This is an organisational wide policy.  It is a commitment on what activities developers or implementers will undertake in order to be compliant with the relevant Information Standard. Importantly it emphasises the need for a multi-disciplinary approach in assessing the development or implementation of digital health tech.  

Clinical Risk Management Plan.

This document details how organisations will achieve the commitments set out in the Clinical Risk Management System. This is the detail, specifying who is responsible for what activities, how these activities are achieved, how assessments will take place, and how the effectiveness will be reviewed.  

The Hazard Log

The Hazard Log is the risk assessment of the health tech. It details what patient harm could occur, how, and what mitigations are in there. For deploying organisations the DCB0129 hazard log is a key document in understanding what transferred risks they inherit.  

The Incident reporting process

This needs to be in place for the lifecycle of the system, including during any trials or phased rollouts and includes a log of all incidents for the risk management team to review.  

The Clinical Safety Case Report.

The Clinical Safety Case Report (CSCR) is a summary of all of the above and any documentation used to assure “Top Management” that the risk management team are satisfied the product is as safe as reasonably practicable. Importantly DCB0129 and DCB0160 are not one off assessments. They are an ongoing process with a live Clinical Safety Case and a need to constantly review the incident logs and system releases. The hazard log and CSCR must then be updated accordingly. This falls to the responsible person known as the Clinical Safety Officer.  

How is DCB0160 similar to CQC compliance?

If you want a management system to be ‘Outstanding’ the organisation needs to abide by a set of quality management principles. Unsurprisingly, the expectations of ISO audits are comparable to CQC inspections, representing a clear correlation between international and UK specific regulatory frameworks.  

In our experience, good governance comprises of:

  1. Policies aligned to legal requirements and best practice
  2. Procedures detailing how the policies will be implemented and who has responsibility – including a risk assessment of the procedures
  3. Evidence of the implementation and effectiveness of procedures – (audits, training records, incident reports etc)
  4. Review of the evidence and any alteration to the above as a result.
  All of the above should generate a level of assurance to feedback to Top Management who can review and feel satisfied that policies are effective. In the clinical safety realm, these four elements form the Clinical Safety Case – with the Clinical Safety Case Report providing evidence of Top Management assurance. This suite of documents is exactly how organisations can provide assurance they are meeting their regulatory obligations under a number of other mandated activities. Another good example that forms a part of CQC Quality measures is Safeguarding. This would look like so:  
  1. Safeguarding policy reflecting legally mandated activities
  2. Safeguarding procedure detailing how people raise safeguarding referrals, to who, when etc
  3. Audits are provided by training records of attendance, knowledge checks, safeguarding number audits etc
  4. Policy and procedural review evidence can be evidenced from minutes of safeguarding process review meetings and changes in policy and procedures
  5. This would be accompanied by a safeguarding report to Top Management of the effectiveness of the safeguarding procedure. 

 

CQC and Clinical Safety Assurance

In 1955, the Johari Window was developed and later used as the foundation of a speech by the US Defence Secretary when discussing Afghanistan “There are known knowns. There are things we know we know. We also know there are known unknowns. That is to say; we know there are some things we do not know. But there are also unknown unknowns, the ones we don’t know we don’t know.” The CQC inspection process recognises it is not possible to know everything about everything – therefore core inspection teams are supported with subject matter experts who may or may not be part of the initial team. These could be specialist advisors, experts by experience or national advisors. Importantly, inspections are a multi-disciplinary approach. The CQC work with other regulators and advisory groups to continually drive down their “unknown unknowns.” Organisations have a responsibility to continually explore and reduce areas of ignorance. The DCB0160 stipulation of multi-disciplinary team assessments of technology products aims to do exactly this with both its assessment of risk and the control measures. The multi-disciplinary approach allows more potential hazards to be identified, but also allows for the most practical controls to be designed and implemented. When the CSO function is outsourced this then increases that depth of experience – at 8fold, CSOs can not only call on their CSO colleagues for advice but tap into the expertise on offer from multiple subject matter experts ranging from Medical Device regulations, International Standards and Information Governance.  

Championing continuous improvement

Under the old inspection methodology prior to onsite CQC inspections the inspection team would receive a briefing. At some point this would cover the organisation’s incident reporting. The CQC team would be particularly interested if an organisation had lower than average incident reporting. The second worry would come from repeated incident reports concerning the same issue. Organisations need to be confident they are capturing all incidents occurring – this involves having a low threshold for incident capture. And organisations need to be confident they are learning from incidents. The DCB0160 standard has incident reporting systems and incident logs at their heart. The standing agenda item for Risk Management Team’s should be the review of incident logs with NHS organisations having  a means of capturing incidents from end users. needs collating and sharing with the manufacturer when the incident is product related. Incident reporting and learning from incidents is at the back bone of quality management systems – be it in tech development or healthcare delivery.  

The Benefits of Aligning CQC Regulations and Clinical Safety Standards

DCB0129 and DCB0160 are not just tick box exercises. Done well, they can ensure a high level of buy-in from the end user, lift a product’s functionality and importantly reduce the level of harm. Most importantly for deploying organisations the assessment should assess the holistic impact of integration with current systems and the impact on existing workflows. The same is true for healthcare organisations. Regulations are written with a macro level expectation of what healthcare organisations should provide their service users. It is common for organisations to be challenged by the regulations as they are not written for one type of provider. However understanding regulatory requirements and ensuring compliance builds a solid foundation on which innovation can safely be developed. Further it assists the individual organisation in their part as part of a wider health economy. When top management uses phrases like “it’s not possible to comply with all policies and deliver x,y,z” or “how do we get this signed off” – it shows a tick box attitude to governance processes. When Top Management within an organisation starts to pick and choose which of the aforementioned it is going to abide by it sets a precedent for its more junior staff – who then in turn pick and choose what they want to abide by. This can snowball into non-compliant, unsafe and illegal ways of working – ultimately resulting in patient or staff harm. With quality management systems permeating all aspects of healthcare delivery, whether that be in the use of technology or operational delivery, it’s essential for organisations to create cohesion. By adopting these principles and aligning the activities, this makes for an effective, well-led and safe business or healthcare organisation.

We’re the experts that have your back.

Lets see how we can help you navigate DCB0129 or DCB0160 with market leading Clinical Risk Management
Book a Call with our Expert Team

Other Articles​

Loading...
Event Medical Provider CQC Registration

Event Medical Provider CQC registration – start your preparation now

Read More →

June 8, 2026
Title graphic reading 'FAQs: CQC Registration' with the 8fold logo

CQC Registration: FAQs

Read More →

November 12, 2025
Title graphic reading 'Quick Start Guide to CQC Registration' with a CQC icon

Quick Start Guide to Provider CQC Registration

Read More →

September 8, 2025
8foldgovernance master

+44 (0) 1273 569172

info@8foldgovernance.com

SERVICES

  • AI Governance
  • Medical Device Registration
  • ISO Compliance
  • Full DTAC Support
  • Information Governance
  • Clinical Safety
  • Data Security & Protection
  • CQC Services
  • Cyber Security
  • 8foldTraining

LINKS

  • Contact
  • About
  • Meet The Team
  • Blog
  • Join Us
  • Case Studies
  • Charity Work
  • Partnerships
  • FAQs
DSPT Data Security And protection Toolkit 8Fold
Information Governance Badge 8 Fold
NPSORE
ABHI Member

 © 2026 8fold | Privacy Policy | Cookie Policy | Terms & Conditions

X We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies. However you may visit Cookie Settings to provide a controlled consent.
Read More ACCEPT Cookie settings
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checkbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
Save & Accept