top of page

Next revision date: 2 April 2025

Clinical Risk Management System

Last updated: 28 March 2023

Author: Maureen Kale, Clinical Safety Officer/Industry Lead



1 - Introduction


This Clinical Risk Management System (CRMS) outlines the processes to be followed to ensure that information technology developed by OVACtech is developed, implemented and used in a safe manner.


This CRMS provides a framework that promotes the effective risk management, by OVACtech of potential health IT hazards and operational incidents.


This CRMS compliments existing risk management processes that are defined in OVACtech’s Risk Management Strategy and wherever practical, uses existing procedures, processes and governance arrangements.


This CRMS addresses the requirements of DCB0129 and DCB0160 and follows best practice as promoted by NHS Digital. 


This CRMS will be reviewed and maintained in accordance with OVACtech’s policy review cycle.


2 - Purpose


The aim of the CRMS is to ensure that all staff in OVACtech involved with the development, implementation and use of Sermegon® or any Software as a Service Solutions (SaaS) are aware of the activities that are required to be undertaken to ensure patient safety is improved rather than compromised from the introduction of healthcare IT systems.


OVACtech is required to adhere to National Information standards created and monitored via the Data Coordination Board (DCB) within NHS Information Standards frameworks.


The mechanisms used are approved process Clinical Risk Management System compliance documents.


This Clinical Risk Management System will be reviewed periodically to ensure that:


  • changes in working practices are incorporated.

  • issues identified though an established internal audit programme are addressed

  • the safety approach continues to adhere to the requirements of applicable international standards.

  • the system continues to protect the safety of patients in a complex and changing environment.

3 - Audience

This document is for staff that are involved in ensuring the safety of healthcare IT systems, products or services.


4 - Scope


The scope applies to Sermegon® and to all subsequent updates or upgrades to systems.  The policy also applies to any local customisations or specific configurations made to a healthcare IT system by OVACtech.


If clarification is required of whether any system falls within scope of this CRMS this should be raised with the Clinical Safety Officer (CSO) for clarification. The CSO provides clinical and organisational leadership on healthcare IT Patient Safety on behalf of OVACtech.


5 - Definitions


DCB - Data Coordination Board

CSO - Clinical Safety Officer - the person responsible for ensuring that the healthcare IT Clinical Risk Management System is applied to all clinical systems. 

HL - Hazards Log


6 - Healthcare IT clinical risk management (CRM) governance arrangements


The responsibility for healthcare IT CRM within OVACtech resides with the Programmes Directorate. Organisational management of healthcare IT related risks is as per the existing management arrangements as specified in the Organisation’s Risk Management Strategy.


7 - Clinical Risk Management Team Organisation Chart

Clinical Risk Management System - Organisation chart

8 - Personnel


Roles and responsibilities for the following clinical safety related positions are defined below:


  • Programme Director - Overall responsibility for organisational risk.

  • Clinical Safety Officer - Overall responsibility of clinical safety in the organisation.

  • Data Protection Officer - Overall responsibility for compliance with Data Protection laws.

  • Data Architect - Overall responsibility that data flow design is aligned to user needs and meet all observances.

  • Solutions Architect - Responsibility to ensure the design and development meet all clinical safety recommendations and mitigate risks.

  • Service Design Lead - User and service liaison lead to ensure the needs of the service user do not conflict with clinical safety observances.


9 - Governance


Governance for patient safety within OVACtech is provided through the following forums:


  • Quality and Clinical Safety Risk Management Committee

  • Risk Management Board


10 - Healthcare IT clinical risk management deliverables


Clinical Risk Management File

OVACtech has a Clinical Risk Management File (CRMF) for each safety related healthcare IT system.  This is situated in SharePoint. The purpose of the CRMF is to provide a central repository where all safety related information pertaining to the healthcare IT system is stored and controlled.


Clinical Risk Management Plan

OVACtech has a Clinical Risk Management Plan (DTAC-CS-CRMP-01) for each safety related healthcare IT system.  The purpose of the CRMP is to identify the clinical risk management activities that are to be undertaken and the phasing of these activities in the project lifecycle.  The CRMP will also identify the resources required to discharge these clinical risk management activities.


Hazard Log

OVACtech maintains a Hazard Log (HL) for each safety related healthcare IT system.  The HL is controlled and configured in accordance with the Risk Management Strategy.


Clinical Safety Case

The Organisation has a Clinical Safety Case (CSC) for Sermegon®.


Clinical Safety Case Report

OVACtech issues a Clinical Safety Case Report (CSCR) for each safety related healthcare IT system.  The CSCR will be issued to support initial deployment and will be updated during the lifecycle of the healthcare IT system should the safety characteristics change.  The CSCR will be controlled and configured in accordance with the OVACtech’s Risk Management Strategy.


11 - Healthcare IT clinical risk management activities


Hazard Identification

OVACtech will conduct hazard identification workshops to identify potential hazards associated with the deployment and use of a healthcare IT system.  The CSO will be responsible for facilitating such workshops and ensuring attendance of appropriate representatives.  Typically, representatives from the following team leaders will be required:


  • User Research and Service Design

  • Data Architecture

  • Data Protection

  • Solutions Architecture


The workshops will have minutes taken and a copy stored in the CRMF.  If a healthcare IT solution is deemed not to be safety related then this decision will be formally recorded.


Where any third-party components are used to support the healthcare IT system then they will be considered in the scope of the hazard identification activities and subsequent risk assessment.  Where none are used, a positive declaration to this effect will be recorded in the minutes.


All identified hazards will be recorded in the HL.


Risk assessment

OVACtech will conduct healthcare IT system risk assessment in accordance with the Corporate Risk Management Strategy.  The HL will be updated to capture the risk assessment.


Risk evaluation

OVACtech will conduct healthcare IT system risk evaluation in accordance with the Corporate Risk Management Strategy. The HL will be updated to capture the risk evaluation.


Risk control

Where the initial risk evaluation is deemed unacceptable, further risk controls will be required.  OVACtech will manage healthcare IT system risk in accordance with the Risk Management Strategy. Details of the risk control measure and evidence of effective implementation will be captured in the HL.


Deployment and Ongoing Maintenance

To support clinical safety activities undertaken during any deployment phases of a project or programme of work the following documentation will be required to form a part of the overall approval process:

  • Service Readiness Assessment

  • GoNoGo checklist

  • Onboarding Assessment


Incident Management

Clinical Risk Management activities within OVACtech and the healthcare IT programmes and services offered are completed within the OVACtech risk management strategy. As such clinical safety related incidents are dealt with in a similar manner as other incidents within the organisational such as financial, reputational, technical and other service impacting categories.


12 - Clinical safety competence and training



The clinical safety activities described in this Clinical Risk Management System shall be undertaken by competent staff. Suitable training shall be undertaken by staff to maintain and expand their level of competence.



All of the staff identified in the organisation chart, shall be sufficiently competent for the roles and task which they are asked to undertake.  Where an individual does not have sufficient experience or knowledge then that person shall be monitored, and his/her work reviewed, by someone who has the necessary competence.  Such supervision shall prevail until it is judged that the individual has amassed the necessary experience to undertake such tasks unsupervised.


In assessing competency, the different functional roles required to fully discharge the obligations of the Clinical Risk Management System, and the necessary skills and knowledge needed for each, shall be considered.  Primary functional roles may include:


  • Conducting discrete safety analyses (for example, a hazard and operability study (HAZOP) orFact-Finding Assessment (FFA)) or defining the Hazard Risk Indicators for a particular project.

  • Making a valid judgement on the safety tasks, activities and techniques required for a given Health Software Product in order to justify the comprehensiveness and completeness of the safety assessment and produce the safety argument with supporting evidence.

  • Assurance of safety assessments and healthcare IT software products. Performance of safety techniques and development of the safety argument for a particular healthcare IT software product must be independent to any assurance activities for the same.

  • Improving and refining the overall Clinical Risk Management System, for example, audit, process change, quality.

  • Ownership and leadership, for example, ultimate safety accountability, culture change, influencing and strategic direction.


The first test in establishing competency shall be at the interview stage where potential staff shall be assessed against the above representative roles and agreed job descriptions. Thereafter, competence shall be monitored through the organisation’s established appraisal scheme.  Any perceived deficiencies identified during the course of the work or at the appraisal stage, especially during probation, shall be addressed immediately, for example, through the assignment of a competent supervisor or the provision of suitable training.


All registered clinicians involved in safety roles shall, as a minimum, have completed an accredited training course.



As part of the employment process and thereafter through the appraisal scheme, clinical safety personnel will undergo suitable training to develop, maintain or enhance their competency level. Such training can comprise:


  • ‘On the job’ training conducted under supervision.

  • Internal training courses.

  • Approved external training courses.


All registered clinicians involved in clinical safety roles shall, as a minimum, have completed an accredited training course.


Completion of any safety training shall be recorded by the individual on the annual appraisal form.


13 - Audits



Audits shall be undertaken to ensure that projects are adhering to the defined safety requirements. Such audits will focus on the Clinical Safety Team and third-party suppliers.


Internal safety audits

OVACtech shall undertake regular internal safety audits to ensure that projects undertaken within the organisation are compliant with this Clinical Risk Management System. These audits shall be conducted and recorded in accordance with OVACtech’s Risk Management Strategy.


Supplier audits

OVACtech shall undertake regular third-party supplier audits, as a minimum annually, to ensure compliance with their Clinical Risk Management System.  The audit shall focus on the Clinical Risk Management System, the evidence which demonstrates its effective operation and any issues arising from the deployment of the healthcare IT products and services.

bottom of page