SaMD Digital Technology Assessment Criteria (DTAC)

The integration of digital technologies into healthcare systems represents both tremendous opportunity and significant challenges. To address these challenges, NHS England established the Digital Technology Assessment Criteria (DTAC) framework—a comprehensive approach to evaluating digital health technologies seeking adoption within NHS and social care environments.

DTAC emerged from the recognition that digital health technologies require specialized assessment methodologies that extend beyond traditional medical device evaluation. By combining regulatory requirements from the Health and Social Care Act 2012 with established best practices, DTAC provides a structured assessment framework that ensures digital solutions meet essential standards while encouraging innovation and improvement in healthcare delivery.

This guide examines the core components of DTAC, explores their practical implementation, and considers how developers can navigate this framework to achieve successful market access within UK healthcare systems.

The Five Pillars of DTAC Assessment

Clinical Safety

At the heart of DTAC lies a fundamental commitment to patient safety. The clinical safety component recognizes that digital technologies introduce unique risks that must be systematically identified and mitigated throughout the development lifecycle.

Central to this component is compliance with DCB0129 (for developers) and DCB0160 (for healthcare organizations)—mandatory standards under the Health and Social Care Act 2012. These standards establish clinical risk management processes that begin during early development and continue throughout deployment and use.

Developers must establish a formal Clinical Risk Management System (CRMS) under the guidance of a qualified Clinical Safety Officer. This system creates a structured approach to hazard identification, risk assessment, and mitigation that evolves with the product. The resulting Clinical Safety Case Report and Hazard Log document this process, providing transparency and accountability.

The clinical safety assessment examines not only inherent risks but also those that might emerge through implementation in complex healthcare environments. This holistic perspective recognizes that safety emerges from the interaction between technology, users, and healthcare systems—not merely from the technology itself.

Data Protection

Healthcare data represents some of the most sensitive personal information, requiring rigorous protection frameworks. The data protection component of DTAC evaluates how digital technologies handle this information throughout its lifecycle.

UK GDPR and the Data Protection Act 2018 establish the regulatory foundation for this assessment, which extends beyond mere compliance to consider the ethical dimensions of health data management. Key considerations include lawfulness and transparency of data processing, purpose limitation, data minimization, and privacy by design principles.

When technologies access NHS patient data, they must also complete the Data Security and Protection Toolkit—a practical implementation of the National Data Guardian’s ten data security standards. This toolkit provides concrete measures to address areas ranging from staff education to technical security controls.

DTAC assessment in this area considers the entire data journey: collection, processing, storage, sharing, and eventual deletion. By examining both governance frameworks and technical implementation, DTAC helps ensure that patient data remains protected while enabling its appropriate use to improve care.

Technical Security

Digital healthcare technologies operate within an increasingly complex threat landscape, making robust security essential. The technical security component evaluates the underlying architecture and implementation of security controls to protect against vulnerabilities and threats.

This assessment examines multiple security domains, including authentication mechanisms, access controls, encryption protocols, vulnerability management, and incident response capabilities. The evaluation considers both preventative measures and the resilience of systems when security events occur.

Technical security assessment recognizes the evolving nature of cybersecurity threats, particularly for technologies with extended lifecycles. Evaluation considers not only current security posture but also the mechanisms for responding to emerging threats through updates, patches, and security advisories.

For cloud-based technologies, assessment extends to the shared responsibility model between technology providers and cloud services. This includes examining security certifications, data residency considerations, and contractual security provisions with third-party services.

Interoperability

The fragmentation of healthcare information represents a significant barrier to coordinated care. The interoperability component of DTAC evaluates how effectively digital technologies exchange information with existing healthcare systems—a critical factor for both adoption and effectiveness.

Assessment examines adherence to recognized interoperability standards such as FHIR and HL7, along with implementation of NHS Interoperability Toolkit specifications. Beyond technical standards, evaluation considers semantic interoperability—ensuring that information exchanged between systems maintains consistent meaning and clinical value.

The NHS Interoperability Toolkit provides developers with specifications and frameworks to achieve system interoperability within the English NHS. Technologies demonstrating toolkit conformance gain inclusion in publicly accessible catalogues, simplifying the integration process for healthcare organizations.

Effective interoperability extends beyond technical interfaces to consider clinical workflows and information governance. DTAC assessment examines how technologies fit within existing care pathways and data sharing agreements, recognizing that successful interoperability relies on both technical and organizational alignment.

Usability and Accessibility

Even the most advanced healthcare technology fails to deliver benefits if users cannot effectively engage with it. The usability and accessibility component evaluates how well digital technologies serve diverse user needs across healthcare contexts.

Assessment examines implementation of user-centered design principles throughout development, supported by evidence from user testing and feedback incorporation. Accessibility compliance (minimum WCAG 2.1 AA standard) ensures technologies serve users with diverse abilities and preferences.

Evaluation considers the entire user experience—from initial onboarding through routine use and troubleshooting. This includes examining interface design, navigation logic, error handling, and support resources. For clinical technologies, assessment specifically considers integration with clinical workflows and decision processes.

The diversity of healthcare environments requires technologies adaptable to various contexts—from acute care settings to community environments and patients’ homes. DTAC assessment examines how technologies accommodate these different contexts while maintaining usability and effectiveness.

DCB0129: The Foundation of Clinical Safety

The DCB0129 standard represents perhaps the most significant regulatory requirement within DTAC for software developers. As a mandatory standard under the Health and Social Care Act 2012, it establishes clinical risk management processes specifically designed for health IT systems.

Clinical Risk Management System

The standard requires developers to establish a comprehensive Clinical Risk Management System (CRMS) that integrates with broader quality management processes. This system establishes:

A clinical safety governance structure with clearly defined roles and responsibilities, including a qualified Clinical Safety Officer with appropriate clinical experience and training.

Documented processes for hazard identification using techniques appropriate to the technology and its clinical context.

Risk assessment methodologies that consider both probability and severity of potential harm, along with the effectiveness of existing controls.

Risk control measures implemented according to a defined hierarchy—from design changes that eliminate hazards to transparent communication of residual risks.

Verification activities that ensure risk controls function as intended across expected usage scenarios.

The Clinical Safety Case

Throughout development, developers must maintain a comprehensive Clinical Safety Case consisting of:

A Clinical Risk Management Plan outlining the scope, approach, and responsibilities for risk management activities.

A living Hazard Log that documents identified hazards, associated risks, mitigations, and residual risk assessments—evolving throughout the development lifecycle.

A detailed Clinical Safety Case Report that summarizes the clinical risk management activities, conclusions, and evidence supporting the technology’s safety for intended use.

The Clinical Safety Case serves both regulatory and practical purposes. Beyond demonstrating compliance, it provides valuable insights for implementation teams, supporting appropriate deployment within healthcare environments.

Integration Throughout Development

DCB0129 emphasizes that clinical risk management must begin during the earliest stages of development and continue throughout the entire lifecycle. This integration ensures that safety considerations influence fundamental design decisions rather than becoming retrospective assessments.

This ongoing process adapts to emerging risks as development progresses, creating a continuous feedback loop that improves both safety and functionality. By integrating clinical risk management with development processes, organizations can identify potential issues earlier—when modifications are less costly and more effective.

Evidence Standards Framework for Digital Health Technologies

While DTAC establishes baseline criteria for digital health technologies, the NICE Evidence Standards Framework (ESF) complements this by providing standards for demonstrating value. Together, these frameworks guide both development and procurement decisions within NHS environments.

Functional Classification

The ESF classifies digital health technologies according to their function and associated risk:

Technologies that inform clinical management provide information to support clinical decisions but leave interpretation and action to healthcare professionals.

Technologies that drive clinical management actively guide care pathways or treatment decisions, often through algorithms or decision support functions.

Technologies that treat specific conditions deliver therapeutic interventions directly, such as digital cognitive behavioral therapy or rehabilitation programs.

Technologies that diagnose specific conditions analyze patient data to provide diagnostic information, often using AI or other analytical approaches.

Most software classified as a medical device falls into Tier C—requiring more substantial evidence of effectiveness proportionate to its higher impact on clinical care.

Evidence Expectations

The ESF outlines evidence expectations across five domains:

Design factors examine the technology’s development process, including safety considerations, technical stability, and data protection measures.

Value proposition articulates how the technology addresses specific healthcare needs, creates benefits for users and the healthcare system, and compares to existing alternatives.

Performance demonstration requires evidence of effectiveness appropriate to the technology’s function and risk classification—from observational studies for lower-risk technologies to randomized controlled trials for higher-risk applications.

Value demonstration examines resource impact, cost-effectiveness, and potential efficiency gains through implementation.

Deployment considerations address practical implementation requirements, including interoperability, training needs, and support structures.

The ESF recognizes that evidence requirements should be proportionate to risk and function—avoiding unnecessary barriers for lower-risk technologies while ensuring rigorous evaluation for those with greater potential impact.

Market Access Considerations

Understanding the factors that influence technology adoption in healthcare environments provides valuable insights for developers navigating the market access pathway. Research has identified several key barriers that often impede adoption, particularly for clinical decision support systems.

Addressing Clinical Concerns

Clinicians express particular concerns about digital technologies that influence decision-making:

Questions about accuracy reflect the fundamental need for technologies to provide reliable information that supports clinical judgment. Transparency in how technologies reach conclusions and explicit acknowledgment of limitations help address these concerns.

Clinical validation questions examine whether technologies have been tested in representative clinical environments with appropriate patient populations. Involving clinicians in study design and evidence generation builds credibility for effectiveness claims.

Evidence currency concerns acknowledge the rapid evolution of clinical knowledge and the need for technologies to remain aligned with current best practices. Clear update mechanisms and evidence of ongoing clinical review help address these issues.

Success Factors for Market Entry

Beyond addressing specific concerns, several factors consistently contribute to successful market entry:

Alignment with established healthcare priorities ensures technologies address recognized needs rather than creating solutions in search of problems. Understanding NHS priorities outlined in strategies such as the NHS Long Term Plan provides valuable direction.

User-centered design informed by extensive engagement with target users creates technologies that fit naturally within existing workflows. This engagement should begin during early concept development and continue throughout the development lifecycle.

Transparent evidence base that clearly communicates both capabilities and limitations builds trust with clinical users and procurement teams. Overstated capabilities create skepticism that undermines even well-designed technologies.

Implementation support resources that help organizations integrate technologies into existing systems and workflows reduce adoption barriers. This includes training materials, integration guidance, and ongoing support mechanisms.

Data Protection in Healthcare Contexts

Digital health technologies operate within a complex regulatory landscape regarding data protection. Beyond general UK GDPR and Data Protection Act 2018 requirements, healthcare introduces additional considerations regarding sensitive personal data.

Core Principles for Health Data Management

Several principles guide effective health data management within DTAC-compliant technologies:

Lawful basis for processing health data typically requires explicit consent or appropriate alternative legal bases such as provision of healthcare. Technologies must clearly establish and document these bases for all data processing activities.

Data minimization ensures only necessary information is collected and processed—particularly important for sensitive health data. Technologies should demonstrate thoughtful consideration of what data is truly required for their function.

Purpose limitation restricts data use to specified, explicit purposes communicated to data subjects. Secondary uses, including research applications, require appropriate consent or anonymization.

Transparency through clear privacy notices explains how health data will be used, shared, and protected in language accessible to patients and clinicians.

The Data Security and Protection Toolkit

When accessing NHS patient data, completion of the Data Security and Protection Toolkit provides a structured framework for implementing the National Data Guardian’s security standards. This toolkit addresses:

Governance structures that establish clear accountability for data protection, including designated roles and responsibility frameworks.

Staff education ensuring everyone handling patient data understands their responsibilities and recognizes potential security risks.

Access controls that limit data availability to appropriate personnel based on legitimate need, with attributable access records.

Technical controls including encryption, secure network design, and protection against malware and other threats.

Business continuity planning that ensures data remains protected and available even during disruptive events.

The toolkit provides both assessment criteria and improvement tools, helping organizations systematically enhance their data protection practices.

Interoperability as an Enabler

Effective interoperability represents more than a technical requirement—it serves as a fundamental enabler for integrated care delivery and technology adoption. DTAC assessment recognizes the multi-faceted nature of interoperability in healthcare environments.

Beyond Technical Standards

While technical standards provide essential foundations for interoperability, effective information exchange requires consideration of several dimensions:

Foundational interoperability establishes basic connectivity between systems, enabling data exchange without guaranteeing interpretation. This includes network protocols, security standards, and basic message formats.

Structural interoperability defines consistent data formats and syntax, ensuring that information maintains its structure during exchange. This includes implementation of standards like HL7 FHIR and appropriate use of clinical coding systems.

Semantic interoperability ensures consistent meaning across systems, maintaining clinical value during information exchange. This requires shared terminology, context preservation, and consistent interpretation of clinical concepts.

Organizational interoperability addresses governance frameworks, policies, and workflows that enable effective information sharing between entities. This includes data sharing agreements, consent models, and aligned processes.

The NHS Interoperability Toolkit

The NHS Interoperability Toolkit provides a unified specification framework that addresses multiple interoperability dimensions. For developers, the toolkit offers:

Technical specifications that define message structures, API definitions, and authentication mechanisms—providing concrete implementation guidance.

Common terminology resources that support semantic consistency across systems through shared code sets and concept mapping.

Implementation guides that address practical challenges in deploying interoperable systems within NHS environments.

Conformance processes that validate implementation against specifications, providing quality assurance for both developers and procuring organizations.

Developers can apply for toolkit conformance by supplying relevant technical information and undergoing assessment. Successful conformance results in listing within publicly accessible catalogues, signaling readiness for NHS integration.

Support Resources for Developers

Navigating the complex landscape of healthcare technology regulation and assessment can present significant challenges for developers. Several organizations offer specialized support to facilitate this journey.

NIHR HealthTech Research Centre

The NIHR HealthTech Research Centre in Devices, Digital and Robotics (NIHR HRC-DDR) provides support services specifically designed for healthcare technology developers:

Usability studies conducted according to IEC 62366 standards, utilizing specialized facilities that simulate healthcare environments—from operating theaters to clinic spaces.

Expert clinical reviews with specialists in relevant fields, providing insights into clinical workflows, terminology, and decision processes.

Regulatory guidance addressing classification, technical documentation, and conformity assessment routes appropriate to the technology.

Clinical investigation support including study design, protocol development, and MHRA submission preparation.

Patient and public involvement facilitating engagement with end users throughout development and evaluation processes.

The centre represents one of fourteen HealthTech Research Centres funded to support safe and effective translation of healthcare technologies into routine care within NHS environments.

Academic Health Science Networks

Academic Health Science Networks (AHSNs) serve as regional innovation hubs connecting NHS organizations, academic institutions, and industry partners. For digital health developers, AHSNs offer:

Market insights regarding regional health priorities, procurement processes, and implementation challenges specific to local health systems.

Clinical connections facilitating relationships with potential clinical partners for evaluation studies and early adoption.

Implementation support addressing practical challenges in deploying technologies within NHS environments.

Evidence generation guidance helping developers design studies that meet both regulatory requirements and procurement decision needs.

AHSNs operate across England with regional focus, providing tailored support that recognizes local healthcare contexts and challenges.

Conclusion

The Digital Technology Assessment Criteria represents a sophisticated framework for evaluating technologies seeking adoption within NHS and social care environments. By addressing clinical safety, data protection, technical security, interoperability, and usability within a unified assessment approach, DTAC helps ensure that digital solutions meet essential quality standards while supporting innovation.

For developers, DTAC offers more than regulatory hurdles—it provides a structured pathway to develop technologies that truly meet healthcare needs. By understanding and embracing DTAC principles throughout development, organizations can create solutions that not only achieve market access but deliver meaningful benefits for patients, clinicians, and healthcare systems.

As healthcare continues its digital transformation, frameworks like DTAC will play increasingly important roles in balancing innovation with appropriate safeguards. Through thoughtful implementation of these principles, developers can contribute to a healthcare environment where technology enhances rather than complicates the delivery of safe, effective, and accessible care.
