TriageNix Group logo
TriageNix Group
UK · Digital Front Door
Clinical Governance

CSO Approval Workflow

How clinical safety sign-offs are requested, reviewed and logged for every AI triage update — aligned to NHS DCB0129 & DCB0160.

Submit a Change Request Meet our clinical leadership

The workflow, end to end

Every AI triage update — from a prompt tweak to a model upgrade — moves through these six gated stages.

  1. Engineering + Clinical

    1. Change Request Raised

    Any change to triage logic, prompts, models, red-flag rules or clinical content opens a Clinical Change Request (CCR) — including diff, intended benefit and patient population affected.

  2. Safety Case

    2. Hazard Assessment (DCB0129)

    The proposed change is mapped against the live Hazard Log. New hazards are scored (likelihood × severity), existing controls re-evaluated, and mitigations documented before review.

  3. Evidence

    3. Evidence Pack Compiled

    Automated test results, red-flag regression suite (100% must pass), bias audits, model evaluation metrics and rollback plan are attached to the CCR for the CSO to review.

  4. Human Oversight

    4. CSO Review & Sign-Off

    The Clinical Safety Officer reviews the hazard log delta and evidence pack. Sign-off is recorded with name, GMC/NMC number, timestamp and decision rationale. Rejections return to step 1 with required actions.

  5. Progressive Rollout

    5. Staged Deployment

    Approved changes deploy to a shadow cohort first, with live monitoring of triage outcomes vs. baseline. Promotion to 100% requires a second CSO confirmation after the monitoring window closes.

  6. Audit Trail

    6. Immutable Audit Log (DCB0160)

    Every CCR, hazard entry, evidence artefact and sign-off is written to an append-only audit log with cryptographic integrity — available to NHS Digital, CQC and internal incident reviews on demand.

Built-in guardrails

Red-flag regression: 100% pass-rate gate

No change reaches production if a single red-flag scenario regresses. The gate is enforced in CI before the CSO ever sees the request.

Two-person rule for clinical logic

Changes to triage decisioning require sign-off from the CSO plus an independent senior clinician — never a single approver.

One-click rollback

Every deployment carries a pre-validated rollback artefact. The on-call CSO can revert any change inside 5 minutes, 24/7.

What gets logged

  • Change Request ID, author, and linked code/model diff
  • Hazard Log delta (new, modified, retired hazards)
  • Red-flag regression test results and coverage
  • CSO identity, professional registration number, decision and rationale
  • Shadow-cohort monitoring metrics vs. baseline
  • Deployment timestamp, rollout percentage and rollback artefact hash
  • Any post-deployment incidents linked back to the CCR
  • Independent second-clinician sign-off (where required)

Audit records are append-only and exportable on request to NHS Digital, the CQC and commissioning bodies.

Want to see the live Hazard Log?

NHS partners and procurement teams can request a walkthrough of our DCB0129 safety case and the most recent CSO sign-off pack.

Request a governance review