Baseline Assurance Standard and Solution Categories for Assurance in DSIC - Guidance
| ID | R11 |
|---|---|
| Version | 1.0.1 |
| Type | Reference |
Baseline Assurance Standard
The Baseline Assurance Standard (BAS) provides a proportionate, risk-based assurance approach for Solutions, balancing safety against efficiency by combining a minimum set of essential requirements from the DSIC Overarching Standards. The Baseline Assurance Standard is the first step in the assurance process, allowing Suppliers to sell their Solution on the Buying Catalogue whilst they work towards full compliance with the Overarching Standards as applicable to the Contracting Vehicle.
The Baseline Assurance Standard is composed of Requirements, which are the individual expectations of the Standard. The Requirements cover the essential criteria for being able to sell on the Buying Catalogue including aspects of Clinical Safety, Data Standards and Information Governance as well as several other areas.
The Supplier will be asked to attain Baseline Assurance Standard compliance alongside completing their Capability Assessment(s) and any other applicable mandatory Standards Assurance as defined by individual Epics within the selected Capabilities. Once this compliance is attained, the Supplier will be allowed to list their Solution on the Buying Catalogue. The Supplier will then have a further 12 months to complete full compliance with any remaining Further Requirements in the Overarching Standards as applicable to the Contracting Vehicle.
As part of the Baseline Assurance Standard, Supplier Solutions will be assigned a Solution Category which will determine the level of assurance that the Supplier completes for their Solution.
Solution Categories for Assurance
Solution Categories are assigned to Supplier Solutions based on the Capabilities that the Solution delivers, operational characteristics and the associated risks. The Solution Category determines the level of assurance that a Supplier will complete as part of the Baseline Assurance Standard and assurance of the Further Requirements in the DSIC Overarching Standards. This means that the level of assurance they undertake is proportional to the level of risk the Supplier’s Solution poses.
How Solution Categories are Determined
As part of the Solution Registration process the Supplier will complete a set of questions that provide some information about the Supplier’s Solution. For example, the Supplier will be asked about the type of data the Solution holds, their approach to data migration and what level of service they plan to provide. The Supplier will also be asked to select the Capabilities and Epics that their Solution delivers. The responses to these questions, combined with the risk rating of the Capabilities they select, will determine which Solution Category the Solution is assigned.
The scoring mechanism has a high weighting for the Capability risk levels; this means that if the Solution delivers Capabilities that are considered high risk, such as Clinical Decision Support, it is likely to be considered a Category A Solution and the Supplier is likely to complete the highest level of assurance. If the Supplier’s Solution delivers multiple Capabilities, the scoring mechanism will use the highest risk level to determine the Solution Category.
Assurance Levels
The Solution Category that the Solution is assigned will determine what level of assurance the Supplier will need to complete; this means that the evidence the Supplier provides may differ or may be assessed in different ways. In each of the Overarching Standards there are three columns next to each Requirement: one column each for Categories A, B and C. The Supplier will use these columns to find out how the evidence will be assessed for the Solution Category they have been assigned.
There are four options:
Self-certification - the Supplier will need to provide a description of how the Solution meets the Requirement. The Authority will review the description and may ask questions for clarification, but additional evidence will not typically need to be provided. Some Self-certification Requirements outline specific scenarios or details that the Supplier will need to include in their description; Suppliers should ensure this detail is included in their response where requested.
Self-certification with Supporting Evidence - the Supplier will need to provide a description and supporting evidence of how the Solution meets the Requirement. Supporting evidence may include certifications, data extracts, or examples of policies and processes designed to manage the Requirement. The evidence for each Requirement contains detailed descriptions of the types of evidence that are suitable for each Solution Category. The Authority will review the description and the evidence provided.
Full Assessment - the Supplier will need to provide a description and full and comprehensive evidence for how the Solution meets the Requirement, and the Authority will conduct a thorough assessment. The evidence for each Requirement contains detailed descriptions of the types of evidence that are suitable for each Solution Category. In addition, this may involve arranging a Live Witness Assessment where the Supplier will demonstrate the evidence to the Authority who will have the opportunity to ask questions and provide feedback on the evidence.
N/A - the Requirement is not applicable for this category of Solution.
How to View the Assurance Evidence Required
Once a Solution Category has been assigned to a Solution, Suppliers will be able to view the type of evidence they need to provide against each Requirement within the Overarching Standards. An example Requirement is displayed below; please note this is for illustrative purposes only.
| Applicable Contracting Vehicle(s) | ID | Requirement | Level | Category A | Category B | Category C |
|---|---|---|---|---|---|---|
| All | REQ1 | Solutions shall ensure that NHS assurance guidelines are followed. | must | Full Assessment. Supporting evidence could include: | Self-certification with Supporting Evidence. Supporting evidence could include: | Self-certification |
Review Cycle
At certain points the Authority will need to confirm that the assigned Solution Category is still appropriate for the Supplier’s Solution. A review may be triggered by reaching the annual milestone or by the Supplier submitting a Change Request which increases the scope of the Supplier’s Solution, e.g. adding Capabilities with higher risk levels.
The Supplier will be asked to complete the question set again.
Once the Supplier has returned the question set, one of the following will apply:
The Solution Category has not changed - no further assurance will be required.
The Solution Category risk level has increased - the Supplier will need to complete any additional assurance and/or resubmit evidence for more in-depth assurance where required.