Skip to content
8foldgovernance master
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • +44 (0)1273 569172
Book a Call

← From our blog

Expert Insights: How ISO 14971 helps to meet DCB0129 (and vice versa)

  • Published: January 17, 2024
  • Category: Expert Insights

Share this post

Avatar photo
Daniel Mannion

Share this post

By Karen Whitton, Director of Clinical Risk, and Daniel Mannion, Head of Quality Assurance and Regulatory Affairs

Navigating the intricacies of risk management standards is crucial for ensuring clinical safety and regulatory compliance. This blog post delves into the relationship between ISO 14971 and DCB0129, two pivotal standards that form the cornerstone of risk management in the medical device sector. It aims to demystify the standards, highlighting their similarities, differences, and how they complement each other to safeguard the integrity of medical products. Whether you’re a manufacturer expanding into the UK market or a digital health developer integrating medical device features, understanding the interplay between ISO 14971 and DCB0129 is essential for your product’s success and compliance.

What is ISO 14971?

ISO 14971 tells manufacturers and developers of medical devices how to approach risk management to ensure the safety of their product. It dates back to before the turn of the century with the European Committee for Standardisation’s creation of EN 1441, and was most recently updated by the International Standards Organization (ISO) in 2019 (with an addendum by the European Committee for Standardisation CEN in 2021). It’s highly-regarded internationally, including by the MHRA in the UK as a designated standard.

What is DCB0129?

DCB0129 tells manufacturers and developers of health IT systems* supplied to the public health and social care sector in England how to approach clinical risk management to ensure the safety of the product. Its initial version (DSCN 14/2009) was derived from an earlier version of ISO 14971 and later updated in 2018 to encompass ‘medical devices’. It was made mandatory under Section 250 of the Health and Social Care Act 2012.

*Health IT systems are product[s] used to provide electronic information for health or social care purposes.” Software medical devices are almost always health IT systems, but some health IT systems are not medical devices. Confusing? We know, however, that the two standards address broadly the same issue in very similar ways. But, just how similar are they and what are the commonly-missed differences?

What are the similarities between DCB0129 and ISO 14971?

As you would expect from two documents with such a shared history, there are a lot of similarities – DCB0129 even states that: “..the requirements defined [in DCB0129] are broadly consistent with the requirements of ISO 14971″.

Both place overall responsibilities for risk on top (or senior) management, require knowledge and competence of any staff involved, require a plan, a risk assessment, a report to be created and follow a very similar approach to how risks should be identified, assessed and controlled. If you’ve created a Risk Management File under either system, you’ll likely be pretty close to meeting the requirements of the other standard. However, missing any of the key differences outlined below could cause problems with your customer or regulator when they are reviewing your file:

 

1. Clinical Safety Officer (CSO)

The guidance document* for ISO 14971 (ISO TR 24971) gives the example of “Medical or Clinical Expert” as the type of expertise that would be required when performing risk management activities. However, DCB0129 goes further and makes it very clear, indicating that you MUST have a Clinical Safety Officer leading risk management throughout the product lifecycle. The CSO must be a qualified clinician with a current registration and knowledge of clinical risk management; the CSO is responsible for ensuring that your company complies with DCB0129. Having a suitably qualified CSO will certainly add credibility to your ISO 14971 risk management file, but without a CSO on a DCB0129 risk management file, you will have fallen at the first hurdle. Fortunately, we have many experienced CSOs to support you.

*Yes. There are supplementary guidance documents for some standards and yes, your auditors and regulators will have read them and expect your company to have followed them to the letter. We’re sorry.. we didn’t write these standards!

 

2. Benefit-Risk Analysis

DCB0129 mandates that when a risk remains elevated and no further ‘practicable’ risk control measures can be implemented, this risk should be evaluated against the clinical benefits of the product to decide whether it can be deemed acceptable.

ISO 14971 expands on this by stating that the total risk associated with the medical device must be weighed against its overall clinical benefit. But, it also necessitates an understanding of, and the ability to provide evidence of your product’s total clinical benefit, with a comparative analysis of the total risk relative to this benefit. This process is closely linked with Clinical Evaluations under UK and EU Medical Device Regulations, and is referred to as “Performance Evaluations” for In Vitro Diagnostics (IVDs). *See section on ALARP and AFAP below.

 

3. Risk Control Implementation Responsibility

Medical device manufacturers take full responsibility for the safety and performance of their product – if a user uses it wrong, it’s on the manufacturer not having checked for that in Usability Engineering. ISO 14971 reflects this by stating that it is solely on the manufacturer to ensure risk controls are implemented. For example, if your medical device instructions contain a risk control from the customer’s power backup, you’ll need to verify this is an effective risk control.

DCB0129 allows for the manufacturer to rely on risk control measures carried out by other organisations (e.g. the clinical setting), but remember – your customer will see this transfer of responsibility when they are performing their DCB0160 assessment of your product.

 

4. ALARP and AFAP

“As low as reasonably practicable” (ALARP) and “as far as possible” (AFAP) are both terms used to describe the level of remaining risk after you have put risk controls in place. The technical definitions of both terms are very complicated and steeped in decades of legal history.  In short, ‘ALARP’ is the term used in health and safety guidance (in the UK) and allows for a trade-off between the difficulty of implementing a control and its effectiveness and ‘AFAP’ is used in Medical Device Regulations in the UK and the EU to describe the acceptable level of risk for some types of risk. Confusingly, both ISO 14971 and DCB0129 make reference to ALARP and ISO 14971 also mentions AFAP, but neither specify which is required and when. That comes down to the regulations for medical devices, which is why having a Regulatory Expert involved in your risk management is a must.

 

5. Documentation and Practical Concerns

As carefully as you apply either or both standards, practical experience in what is expected from customers, regulators and the auditors tasked with reviewing your documentation, will save you time and heartbreak when submitting your application. Neither standard specifies the format the documentation produced must be stored in, but you’ll need to send your hazard log as a spreadsheet to an NHS customer, and a PDF or a spreadsheet (their choice, not yours) to a regulator. 

Other things to consider: 

  • Is the wording of the risk control clear enough that the regulator will be able to find the relevant report? 
  • Does the doctor reviewing your clinical safety case have enough information about your product to understand and recommend it?

When should you add DCB0129 requirements to your ISO 14971 risk management file?

Medical device manufacturers outside the UK market who want to deploy your product in the UK (particularly in the NHS) need to meet the requirements of DCB0129 on top of ISO 14971 as part of their DTAC compliance work – we support you to do this with Clinical Safety Officer as-a-service.

When should you add ISO 14971 requirements to your DCB0129 risk management file?

Digital health developers already on the UK market will need to add the extra requirements of ISO 14971 as they develop medical device features for their product.

COMING SOON!
We’ll soon be supporting all aspects of Medical Device Regulations and Standards for digital health technology organisations. Get in touch for more information.

Access specialist support

As specialists in the field, we understand the nuanced relationship between ISO 14971 and DCB0129, and the importance of specialised guidance in this complex arena of medical device and health IT system development. That’s why our expertise goes beyond compliance; we’re dedicated to ensuring the highest safety and efficacy of products while making it as simple as possible to implement.

Working with 8foldGovernance means partnering with a team that is deeply committed to upholding the highest standards, especially in stringent markets like the UK and the EU. Our knowledge and experience guides manufacturers to align these standards with their product development process, making it not just a regulatory necessity but a strategic move to advance healthcare technology and patient safety in line with commercial success.

Other Articles​

Loading...
ROPA

FAQ: What is a Records of Processing Activity (RoPA)?

Read More →

November 24, 2025
Digital Mental Health

Expert Insights: Crisis Signposting in Digital Mental Health

Read More →

July 15, 2025

Navigating the UK’s Health Tech Landscape: Building Foundations for Global Success

Read More →

July 2, 2025
8foldgovernance master

+44 (0) 1273 569172

info@8foldgovernance.com

SERVICES

  • AI Governance
  • Medical Device Registration
  • ISO Compliance
  • Full DTAC Support
  • Information Governance
  • Clinical Safety
  • Data Security & Protection
  • CQC Services
  • Cyber Security
  • 8foldTraining

LINKS

  • Contact
  • About
  • Meet The Team
  • Blog
  • Join Us
  • Case Studies
  • Charity Work
  • Partnerships
  • FAQs
DSPT Data Security And protection Toolkit 8Fold
Information Governance Badge 8 Fold
NPSORE
ABHI Member

 © 2026 8fold | Privacy Policy | Cookie Policy | Terms & Conditions

X We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies. However you may visit Cookie Settings to provide a controlled consent.
Read More ACCEPT Cookie settings
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checkbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
Save & Accept