Clinical safety is a vital part of implementing a new EPR system.

Here our clinical safety officer and principal associate – EPR, Gerry Bolger, outlines the six steps you should take to ensure safety is at the heart of your EPR journey.


Change aimed at improving care can have unintended consequences.

As a result, clinical safety is a crucial aspect that shouldn’t be overlooked when implementing EPRs.

The challenge is threefold from the organisation’s perspective:

1. Do you understand what can go wrong in your implementation or use of IT?

2. Do you know what systems prevent this from happening?

3. Do you have information to assure that the controls and processes are working effectively?

There are six important steps that healthcare organisations need to take to ensure the clinical safety of their EPR or clinical IT system.

1. Conduct a comprehensive clinical safety assessment

The Health and Social Care Act 2012 (HSCA 2012) introduced two information standards relating to clinical safety in IT systems: DCB0129: Clinical Risk Management: its Application in the Manufacture of Health IT Systems, which is for any organisation that develop IT systems in England, and the DCB0160: Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems, which made it mandatory for all NHS trusts or social care organisations that develop, deploy or use health IT systems in England to manage the associated clinical risks.

To comply, trusts must carry out a number of actions, including identifying and assessing risks; implementing controls to mitigate risks; monitoring and reviewing risks; and reporting and investigating incidents.

A comprehensive clinical safety assessment that addresses these issues should be carried out by the manufacturer and that assessment should be passed to the implementing organisation for it to develop its own evaluation. By following this best practice, organisations gain valuable insights into potential hazards associated with the EPR system and can mitigate them effectively.

2. Familiarise yourself with Digital Technological Assessment Criteria (DTAC)

The DTAC requirements have been specifically designed to assist healthcare organisations in evaluating suppliers during the procurement process.

By adhering to these criteria, organisations can ensure that their chosen digital technology meets the minimum baseline standards necessary for the NHS and social care systems. The DTAC covers various aspects, including clinical safety and information governance, offering a comprehensive framework for due diligence.

3. Request the Clinical Safety Case Report

It is essential to obtain the Clinical Safety Case Report from the manufacturer or supplier of the EPR system. While this is covered by the DTAC (Section 3), it is often not seen as a priority especially in assessing the complexity of mitigating risks, which needs to be incorporated into the change management processes and training and resource materials.

This report provides crucial information about potential hazards and risks associated with the software. By thoroughly reviewing this report, organisations can gain insights into the safety measures implemented within the EPR system and assess their suitability or what adoptive changes they must do for their specific healthcare environment.

4. Evaluate hazard logs

In addition to the Clinical Safety Case Report, organisations should request access to the hazard log associated with the EPR or clinical IT system.

The log provides a detailed record of identified hazards and the corresponding mitigations. By reviewing the hazard logs, organisations can gain a comprehensive understanding of potential risks and the measures taken to address them. This also means taking those risks that are medium (or in rare occasion, high) and robustly considering what actions you can take locally to reduce them, which may mean developing certain competences in higher risk-related factors for training.

5. Involve clinical experts in the procurement process

To ensure a robust clinical safety assessment, it is crucial to involve clinical experts, such as doctors, nurses, physiotherapists and pharmacists, and staff in ambulance and other centres where clinical IT is being deployed, in the procurement, design and development of the EPR or clinical IT system.

These experts should be trained in hazardous assessment techniques, including established methods like Bowtie. Bowtie is a barriers-focused approach that identifies causes of events and shows the effectiveness (or not) of the controls to mitigate the risk happening or the effect of any harm or disbenefit. By leveraging this model and the expertise of specialists, organisations can accurately evaluate potential harms, measure the impact of mitigations and work towards minimising risks.

6. Ongoing evaluation of risk effectiveness

Having deployed/implemented your solution, it does not stop there. As your clinical IT system matures, the hazards change, especially if you are developing the solution or adding local changes, or additional functionality. It is paramount this is not seen as a burden, but in fact an assurance layer that demonstrates the system is safe and fit for purpose.

Get in touch

Gerry Bolger is a registered nurse and has dedicated his career to ensuring patient safety and driving clinical excellence in digital solutions. As a trusted authority in clinical safety assessment and evaluation, he plays a pivotal role in guiding healthcare organisations through the complex process of implementing EPRs and other clinical digital products.

He has recently been accredited as a Bowtie Practitioner and Ethical Healthcare can offer this enhanced service to clients. If you would like to speak to Gerry about your EPR journey or using Bowtie to support your organisation, email him at