Exercise 1 — The CSCR signature audit
A DMHT supplier is finalising its DTAC C1 pack. Three candidates are proposed as the signatory for the Clinical Safety Case Report. Which one can validly sign?
What the Digital Technology Assessment Criteria actually are, the five domains, what an NHS reviewer is looking for in the C1 clinical safety pack, common failure modes, and how DTAC sits alongside (not instead of) UKCA classification.
Common issues: Suppliers and advisors routinely treat DTAC as a certification or as a substitute for MHRA clearance. It is neither. It is a locally-administered procurement gate, and the clinical safety domain is where most DMHT packs fail.
This module is educational and does not constitute formal regulatory or procurement advice. uk/services/digital-technology-assessment-criteria.
PDF guidance circulating in the sector is frequently outdated — always check the current version date before quoting it to a client or a deploying NHS organisation.
DTAC (Digital Technology Assessment Criteria) is NHS England's procurement-facing assurance framework. Before an NHS organisation can formally adopt a digital health product, that product must demonstrate it meets a minimum threshold across five domains.
Confusion about what DTAC delivers is the single most common source of misaligned regulatory plans in early-stage DMHT.
The DTAC submission is organised under five domains. NHS England names them Clinical Safety, Data Protection, Technical Security, Interoperability, and Usability and Accessibility; the short codes used below (C1, D1, T1, I1, U1) are this module's shorthand for readability, not official DTAC labels.
Each domain has its own evidence expectations.
The supplier assembles evidence for each domain and submits it to the deploying NHS organisation. uk/services/digital-technology-assessment-criteria.
The pack is reviewed by the organisation's digital, information governance and clinical safety teams. They can accept, request more evidence, or reject.
These are the three patterns that most often cause a C1 pack to be returned by a rigorous NHS reviewer — and the ones that would certainly fail if the product subsequently came under MHRA scrutiny.
| Failure mode | Why it fails |
|---|---|
| CSCR signed by someone without a valid clinical registration | DCB0129 sign-off authority is tied to the certified Clinical Safety Officer role, which requires a registered clinician. A signature from a software lead or a lapsed clinician is not a valid sign-off. |
| Hazard log copy-pasted from a generic template | Hazards must be specific to the product's mechanism, intended purpose and user population. Generic entries reveal that no real hazard identification work has been done. |
| Residual risk statement that asserts acceptability without justification | Acceptability of residual risk must be argued against the benefit-risk balance, the affected population, and the counterfactual. An assertion of 'acceptable' with no supporting reasoning is not a clinical argument. |
C1 is the only domain that requires a clinician with a specific certification. The other four are typically owned by IG consultants, DevSecOps teams and UX researchers inside the developer organisation.
| Domain | Developer | F&G Strategy (DCB0129 Certified CSO) | NHS Deploying Organisation |
|---|---|---|---|
| C1 Clinical Safety | Produces engineering inputs, mitigations, verification evidence | Owns the CSCR, Hazard Log and CRMP; signs off as Clinical Safety Lead | Applies DCB0160 to local deployment; nominates its own CSO for the deployment-side risk file |
| D1 Data Protection | Owns DSPT submission, DPIA, processor agreements | Advisory — alignment with clinical risk arguments where relevant | Reviews DPIA against local data flows and IG policy |
| T1 Technical Security | Owns penetration testing, infra security, resilience evidence | Not in scope | May require additional assurance based on local risk appetite |
| I1 Interoperability | Owns FHIR/SNOMED/NHS Number conformance and integration testing | Not in scope | Confirms compatibility with local systems |
| U1 Usability and Accessibility | Owns user research, WCAG conformance, representative-user testing | Advisory — alignment with intended-purpose population | Reviews against local accessibility duties |
For AI-enabled and adaptive products, DTAC alone is increasingly insufficient. The framework was designed before contemporary AI/ML supply chains and does not yet handle drift, PCCP-style change control, or subgroup performance monitoring as first-class concerns.
DTAC sits downstream of UKCA classification, not in place of it. The classification and risk-file work done elsewhere in the academy is what makes a credible C1 pack possible in the first place.
Form your own view first. Reveal the reference answer to compare reasoning.
A DMHT supplier is finalising its DTAC C1 pack. Three candidates are proposed as the signatory for the Clinical Safety Case Report. Which one can validly sign?
You are reviewing three sample hazard log entries from a draft C1 pack. Which entry would survive a rigorous NHS reviewer?
A Class IIa adaptive AI DMHT is preparing its first DTAC submission. The developer team has a strong DevSecOps function, an experienced IG consultant, and a UX research lead. Which DTAC domain is the structural bottleneck — and why?
Educational resource. Not formal regulatory or legal advice.