Introduction

The CDS API Conformance Approach is used to evidence that a developed product is compliant with the CDS API Implementation Guide.

It allows UEC System Suppliers to demonstrate to NHS Digital that their developed product follows guidance correctly, and therefore is likely to be interoperable with other systems using the standard. Suppliers that successfully complete the Technical Conformance process will be granted CDS API Guide Conformance certification for their product. These systems and suppliers will also be listed on NHS Digital’s Conformance Catalogue.

The approach centres around suppliers referencing a requirements list and providing the required evidence to NHS Digital for assessment. Technical tooling will be provided by NHS Digital to help with the execution of test cases to demonstrate the requirements have been met. Evidence will be in the form of both test tooling log outputs and self-certifying statements.

The CDS API Conformance Approach will be applied to both Encounter Management Systems (EMS) and Clinical Decision Support Systems (CDSS).

Please view the CDS API overview for further information on the CDS API Implementation Guide.

Basic Technical Overview

The API service being assured is the technical interaction between an Encounter Management System (EMS) and a Clinical Decision Support System (CDSS) using FHIR as detailed in the CDS API Implementation Guide.

Encounter Management System

An Encounter Management System (EMS) is used for workflow management and to record, manage and track patient encounters of care through Urgent and Emergency Care (UEC) settings.

The EMS enables the triage and clinical assessment of patients to determine their health needs. It will then signpost them to the appropriate care setting or support the provision of clinical consultation and treatment. This patient journey is expected to be achieved through integration with one or more supporting systems and services.

The EMS is responsible for invoking the decision support process on the Clinical Decision Support System (CDSS). The EMS will typically also manage elements like user authentication, workflow and user interactions.

As per the CDS API Implementation Guide, the EMS MUST be able to:

• Initiate the search and selection of a ServiceDefinition
• Initiate the evaluation of a ServiceDefinition
• Read appropriate resources from the CDSS (e.g. Questionnaire)
• Write (Create & Update) appropriate resources (e.g. QuestionnaireResponse)

The Encounter Management System MAY:

• Write (Create & Update) resources which are not core (e.g. Condition)

Clinical Decision Support System

A Clinical Decision Support System (CDSS) is a health information technology system that is designed to provide clinical decision support (CDS); that is, assistance with clinical decision-making tasks. A CDSS may provide this support to clinical and non-clinical UEC personnel undertaking triage or consultation.

The CDSS is responsible for making clinical decisions, and communicating these as recommendations to the EMS.

As per the CDS API Implementation Guide, the CDSS MUST be able to:

• Respond to filtered searches for ServiceDefinition
• Respond to evaluation of a ServiceDefinition
• Read appropriate resources from the EMS (e.g. QuestionnaireResponse)
• Write (Create & Update) appropriate resources (e.g. Questionnaire, Observation)

Journey process

The illustration below summarises the key stages and activities a UEC Technology supplier will go through in the conformance journey.

1. Check published conformance requirements
   

   Details of the conformance process are published on NHS Digital website for Suppliers to understand the requirements and determine the feasibility of completion.

2. Access conformance resources
   

   The conformance requirements list will be published on these pages of the NHS Digital developer site. The requirements list will detail all requirements that are needed to provide evidence towards a passing level of conformance.

   Access to technical tooling will be made available with test scripts for suppliers to develop their systems to, and generate conformance evidence.

3. Collect conformance evidence
   

   Using the conformance requirements list Suppliers can collate their evidence. Evidence will be in the form of self-certifying statements and technical tooling log outputs.

4. Submit conformance evidence
   

   Once evidence has been collected against the requirements list this can be submitted to NHS Digital for assessment.

   There may be a period of iteration where Suppliers will revise the submitted evidence until it satisfies the requirements.

   At the end of the conformance assessment process a report is generated with details of the tests.

5. Achieve conformance certificate
   

   Upon passing the assessment criteria a conformance certificate is provided to the Supplier. This can be shared with provider agencies as conformance evidence.

   Conformant systems will also be published to the Conformance catalogue on the NHS Digital website.

   The Conformance catalogue is a way to identify all vendors and products that have been awarded Solution Assurance Conformance Certificates.

6. Tell us of any material change after go live
   

   The conformance process tests systems at a point in time. If a Supplier system has a version increment that affects the implementation of the CDS API Guide in the product, then Suppliers must work with the Solutions Assurance team to retest the affected requirements in scope to achieve an uplift of the conformance status.

Requirements list and technical tooling

Development of the conformance requirements and technical tooling for suppliers to execute test cases to generate evidence is currently underway. These will be linked to from these pages once available for circulation.

The test tooling will provide various technical test features, including the ability to validate HTTP headers, JWT, and FHIR base/profiled resources.

We welcome suppliers wishing to engage with the Conformance approach to contact us via the CDS API Communication Channels.

Pre-requisites for CDS API Guide Conformance

Pre-requisites for CDS API Guide conformance can be viewed on the pre-requisites page.

Test requirements

Suppliers undergoing conformance testing are expected to provide:

• Contact details of relevant individuals within the organisation
• Details of the product and deployment scenarios
• Technical API compliance evidence (the requirements list will reference the automated tooling and associated tests to be executed)
• A declaration regarding whether the product or service is a medical device. If not a medical device then justification in line with the Medicines and Healthcare products Regulatory Agency.
• A declaration regarding clinical safety to confirm the obligations under DCB0129 - Clinical Risk Management: its Application in the Manufacture of Health IT Systems

Scope of the Conformance Approach

The scope of the CDS API Conformance Approach is assuring that a system conforms to V1.1.1 of the CDS API Implementation Guide. As such, it solely covers technical certification of a given product to this standard.

Out of scope of the Conformance Approach

The following areas are out of the scope of the Implementation Guide and Conformance. We have provided useful links to assist individuals in making their own judgements on what additional assessments and accreditation may be needed.

Clinical safety and risk

The Conformance Approach requires a declaration regarding clinical safety to confirm the obligations under DCB0129 - Clinical Risk Management: its Application in the Manufacture of Health IT Systems. However, management of clinical safety and risk remains the responsibility of system manufacturers, which should seek assessments and accreditation appropriate for the nature and use of their product.

Useful links:

• NHS Digital: DCB0129 - Clinical Risk Management: its Application in the Manufacture of Health IT Systems
• CDS API Implementation Guide - Clinical Safety Case Report.

Medical Device assessment and regulation

It is the responsibility of system manufacturers to ensure that any assessment or regulation of their product as a potential Medical Device is carried out.

Useful links:

• Medicines and Healthcare products Regulatory Agency: Medical devices regulation and safety
• Medicines and Healthcare products Regulatory Agency: Medical device stand-alone software including apps

Performance Testing

It is the responsibility of system manufacturers to ensure that any system or service they provide performs as intended in a live service environment.

Security

The Implementation Guide features guidance on how an API should identify authorised access to an endpoint. However, this is just one aspect of information security and it remains the responsibility of system manufacturers to ensure safe and suitable security practices are followed.

Information Governance

Appropriate handling, storage and consents around patient and system data remain the responsibilities of system manufacturers.

Useful links:

• Gov.UK Caldicott review: information governance in the health and care system
• Information Commissioner’s Office: Guide to the General Data Protection Regulation (GDPR)

Contact details

To begin the process contact us at: uecdi@nhs.net