Healthcare Technology · 13 min read · 2025-09-30

NHS GPIT Futures Framework: Engineering for UK Healthcare IT Compliance

The NHS GPIT Futures framework governs procurement of clinical software for GP practices and integrated care systems in England. Suppliers seeking framework placement must complete DCB0129 Clinical Risk Management System assessment, DCB0160 Clinical Risk Management for Health IT deployment, and demonstrate conformance with NHS Digital technical standards including GP Connect, SNOMED CT, and IM1 interface requirements. The procurement process is technically demanding and failure rates among first-time applicants are high. Understanding what the assessors are actually evaluating — not just the documentation checklist — is the difference between a successful submission and a six-month remediation cycle.

The NHS GPIT Futures framework is the procurement mechanism through which NHS England commissions clinical software for GP practices, primary care networks, and integrated care systems. It replaced the GP Systems of Choice framework and extended the procurement scope to cover a broader range of primary care applications beyond core GP clinical systems. For software suppliers seeking NHS procurement, GPIT Futures represents both the gate through which sales must pass and a set of technical and clinical standards that define what NHS-ready software must do.

The framework has a high failure rate among first-time applicants — not primarily because the software does not function, but because the regulatory submission packages, particularly the clinical safety case, do not satisfy DCB0129 requirements. Understanding what NHS Digital and NHS England are actually assessing — and designing the development programme to produce compliant artefacts from the start — is what separates suppliers who pass on first submission from those who spend 12 months in remediation.

DCB0129: Clinical Risk Management System for Health IT Manufacturers

DCB0129 is the NHS Digital standard for clinical risk management in health IT development. It requires manufacturers to establish a Clinical Risk Management System — a set of processes and documentation that demonstrates systematic identification, assessment, and mitigation of clinical risks associated with the software throughout its lifecycle. The CRMS must produce a Hazard Log (a documented register of identified clinical hazards with severity and likelihood assessments), a Clinical Safety Case Report (a structured argument that the software is acceptably safe for its intended use), and a Clinical Safety Summary.

The Clinical Safety Case Report is the document that NHS Digital assessors evaluate most carefully. It must not merely list hazards and mitigations — it must construct a logical argument, supported by evidence, that the residual clinical risk from using the software is acceptable. Hazard logs that list mitigations without demonstrating that the mitigations are effective, or safety case reports that claim no clinical risk without credible justification, are the most common reasons for submission failure.

The DCB0129 assessment must be conducted by a qualified Clinical Safety Officer — an individual with clinical training and specific competency in clinical risk assessment for health IT. The supplier must employ or contract a qualified CSO, and the CSO must be named in the submission. Using a CSO who lacks the required clinical background or health IT risk management experience is a common submission failure point.

DCB0160: Clinical Risk Management for Health IT Deployment

DCB0160 applies to NHS organisations deploying health IT systems — the deployment-side counterpart to DCB0129. For GPIT Futures suppliers, understanding DCB0160 is important because NHS customers will conduct their own DCB0160 risk assessments when deploying the supplier's software. Suppliers whose DCB0129 safety case documentation is insufficient to support an NHS organisation's DCB0160 assessment create procurement friction for their NHS customers.

GPIT Futures submissions that include documentation explicitly designed to support NHS customer DCB0160 assessments — including deployment guidance, site-specific hazard considerations, and residual risk documentation — are better positioned in procurement evaluations. This documentation is not strictly required by DCB0129, but it demonstrates clinical safety maturity and is commercially valuable.

NHS Digital Technical Standards: GP Connect, IM1, and SNOMED CT

GPIT Futures clinical applications must demonstrate conformance with NHS Digital technical standards relevant to their functional scope. GP Connect is the NHS interoperability framework for GP system integrations, providing FHIR R3 and R4 APIs for structured data access — appointments, documents, structured records — from GP clinical systems. Applications that exchange data with GP clinical systems must implement GP Connect FHIR APIs and pass NHS Digital's GP Connect assurance process.

The IM1 standard governs integration between third-party applications and GP clinical systems. Major GP system suppliers (EMIS, SystmOne, Vision) each have their own IM1 implementation. Applications requiring deep integration with GP clinical system data beyond what GP Connect provides must implement IM1 integrations with each major GP system provider — a significant development investment.

SNOMED CT is the required clinical terminology for NHS clinical systems. All clinical concepts — diagnoses, procedures, findings, medications — must be coded using SNOMED CT or the NHS Dictionary of Medicines and Devices for medications. Applications that store clinical data using local codes without SNOMED CT mapping do not satisfy NHS coding requirements.

Data Security and Protection: DSPT Requirements

All suppliers accessing NHS patient data through GPIT Futures must complete the NHS Data Security and Protection Toolkit assessment annually. The DSPT requires suppliers to demonstrate compliance with the National Data Guardian's ten data security standards, including staff data security training, technical security controls aligned to Cyber Essentials Plus, and a defined process for managing data security incidents.

Cyber Essentials Plus certification — a UK government-backed cybersecurity certification scheme — is required for GPIT Futures framework placement. It involves an independent technical verification of the supplier's network security controls, patch management, malware protection, access control, and boundary firewall configuration. Suppliers who have only basic Cyber Essentials (self-assessment) must obtain the Plus certification, which requires a third-party assessor to conduct technical verification.

The GPIT Futures Submission Process: What Assessors Actually Evaluate

The GPIT Futures assessment process involves both documentary review and technical assurance activities. Documentary review covers the DCB0129 clinical safety case, DSPT status, Cyber Essentials Plus certification, and functional specification compliance. Technical assurance covers API conformance testing where applicable.

Assessors evaluate DCB0129 submissions against the standard's explicit requirements but also apply clinical judgement to the adequacy of the hazard log and safety case argument. A hazard log that does not include hazards related to data entry errors, incorrect patient identification, or workflow disruption — common sources of clinical risk in health IT — will generate assessor questions regardless of how well other hazards are documented.

The Algorithm Approach: GPIT Futures Engineering and Clinical Safety

The Algorithm supports GPIT Futures submissions by building DCB0129 clinical safety programmes from the requirements phase of software development — integrating hazard identification into the software requirements process so that mitigations are designed into the architecture rather than retrofitted. We provide qualified Clinical Safety Officers for DCB0129 assessment, design GP Connect and IM1 integration architectures for NHS interoperability requirements, and manage the Cyber Essentials Plus certification process. For international software suppliers entering the NHS market, we provide an end-to-end GPIT Futures readiness programme that addresses every submission requirement in sequence, from initial compliance gap assessment through framework placement.
