Back to home pageNext sector: Government

Sector Page / Healthcare

Clinical AI becomes a patient safety risk when the recommendation is visible but the data chain is not.

CongDB provides the deterministic-first truth layer that preserves clinical, operational and model provenance across healthcare decision environments.

Operating constraints

  • NHS-controlled patient and operational data
  • Clinical notes, imaging and device-derived outputs
  • Model-derived risk scores and recommendations
  • On-premises only, with no external network calls

Decision Chain At A Glance

From clinical inputs to auditable patient-affecting outputs.

CongDB keeps patient records, notes, imaging and model outputs separated by truth type before they enter clinical decision support, triage and research workflows.

One-glance model

Input signals

EHR records and coded observations
Clinical notes and referral context
Imaging, pathology and device outputs
Risk scores and clinical AI models

CongDB truth lanes

Deterministic

Verified patient records, observations, orders and operational care data remain asserted and traceable.

Probabilistic

Clinical model scores, inferred findings and risk signals stay explicitly probabilistic.

Hybrid

Recommendations, pathway decisions and research views stay anchored to the evidential chain beneath them.

Decision graph

Separated signals enter one contextual graph without losing their evidential status or source lineage.

Replayable outputs

Auditable clinical recommendations
Replayable triage decisions
Traceable research and audit outputs

Patient safety

Clinical outputs remain connected to the data and logic that informed them.

Provenance

EHR, note, imaging, device and model signals all retain source lineage.

Replay

Any AI-assisted clinical output can be reconstructed against the exact historical data state.

Deployment

NHS-controlled, sovereign deployment with no cloud dependency or external calls.

Healthcare organisations can move from clinical source systems through to AI-assisted recommendations without collapsing provenance into an opaque recommendation layer.

The Problem

Clinical AI combines heterogeneous signals faster than most healthcare infrastructure can preserve their provenance.

Clinical AI systems draw from structured EHR data, clinical notes, imaging outputs, device signals and model-derived risk scores to produce recommendations that influence clinical decisions. These signals do not share the same evidential status, confidence level or operational origin, but they are increasingly combined within the same workflow.

When that happens, the provenance of the recommendation is often lost. The clinician sees an output, but the data chain that produced it is not visible, not auditable and not preserved in a form that can withstand governance review, safety investigation or regulatory challenge.

For AI systems that influence triage, diagnosis support, treatment recommendation or resource allocation, this is not just a data quality problem. It is a patient safety problem.

Failure mode

Clinical source data and model-derived signals are collapsed into a single recommendation layer. The output is visible to the user, but the evidential chain beneath it is no longer legible.

EHR records, observations and clinical system data
Clinical notes, imaging outputs and model-derived signals
Derived triage, treatment and allocation recommendations

Regulatory And Governance

NHS AI governance and Caldicott Principles

Clinical AI adoption in NHS settings requires clear accountability for how patient data is used, justified and controlled. If a recommendation cannot show what data informed it, why that data was used and who remained accountable for the outcome, governance is weaker precisely where scrutiny is highest.

EU AI Act

Clinical decision support falls into the category of systems that attract stringent expectations around logging, transparency, accuracy and human oversight where the Act applies. Those obligations are difficult to satisfy if provenance disappears the moment clinical and model signals are combined.

DCB0129

Clinical risk management standards require manufacturers of health IT systems to document and evidence how patient-safety risks are controlled. Where software affects clinical decisions, auditable decision logic and preserved evidential context are part of the safety case, not an optional reporting layer.

DSPT

NHS organisations using patient data and systems must show good security practice, appropriate auditability and proper handling of personal information. A clinical AI estate that cannot account for provenance, access context and downstream use creates avoidable assurance risk.

UK GDPR Article 22

Where automated decisions have legal or similarly significant effects, additional transparency and safeguard obligations apply. Even where a clinician remains in the loop, the organisation still needs a legible account of what data the system used and how an individual outcome can be reviewed or challenged.

How CongDB Addresses It

Truth lanes

CongDB separates coded EHR records, observations, orders and other verified care-system data into deterministic truth lanes. Clinical notes, model-derived findings, imaging inference outputs and risk scores remain probabilistic unless and until they are explicitly asserted as evidence.

Hybrid artefacts such as triage recommendations, pathway routing or treatment-support outputs can then be represented with their own logic while remaining anchored to the clinical evidential chain beneath them.

Canonical provenance chain

Every assertion carries a canonical hash, ingest-run trace and complete provenance chain. EHR data, referral context, clinical notes, imaging outputs, device signals and model-derived scores remain attributable after they are brought into the same decision environment.

That is what allows a clinician, governance lead or regulator to inspect the basis of a recommendation instead of being asked to trust an opaque output.

Historical replay

CongDB can reconstruct the exact data state that informed a triage decision, risk score, pathway recommendation or clinical audit point. A corrected note, amended observation or updated model produces a new traceable state; it does not erase the state that informed the earlier recommendation.

This makes patient-safety review, incident investigation and regulatory response materially easier.

Sovereign deployment

CongDB deploys entirely on-premises with no cloud dependency and no external network calls under any operating condition. It is built in Rust, air-gap compatible and suited to NHS and clinical environments that need hard control over patient data, infrastructure boundaries and third-party exposure.

Clinical data remains inside the organisation's controlled environment unless the organisation explicitly chooses and records a permitted transfer.

Healthcare Data Types

Clinical Decision Support

EHR data, clinical notes and model outputs can be ingested as distinct truth-lane types. AI recommendations remain anchored to their evidential basis so they can be audited by the clinician, the trust and the regulator against the exact data state that produced them.

The recommendation is therefore reviewable as a clinical artefact rather than presented as an unexplained result.

Triage and Pathway Management

Patient risk scores, referral context and pathway recommendations can be stored with full provenance preserved. When an outcome is questioned, the data chain remains intact instead of being reconstructed from system logs, note edits and memory after the event.

This matters because triage error in an AI-assisted setting is a patient-safety issue before it is a reporting issue.

Population Health Analytics

ICB-level intelligence can be built on a provenance-preserving graph that keeps source signals, modelled views and derived interventions distinct. Intervention decisions remain traceable to the signal sets that justified them rather than collapsing into a summary dashboard detached from source evidence.

That makes the analytic layer more compatible with Caldicott-style information governance by design.

Research and Audit

Clinical AI outputs and the data that produced them can be preserved in a replayable, immutable record. Research governance, audit work and MHRA-facing submission activity are easier to support when the underlying lineage is retained from source through to model-assisted output.

The evidential chain can then be inspected historically rather than restated retrospectively.

NHS-Controlled Deployment

NHS organisations operate under strict data residency requirements, which means patient data must remain inside NHS-controlled infrastructure. CongDB deploys entirely on-premises with no cloud dependency and no external network calls under any operating condition. Each deployment is sovereign, air-gap compatible and aligned to the DSPT and NHS information-governance requirements that apply to clinical data systems.

NHS trust or ICB deployment

Patient data, governance evidence and clinical decision traces remain inside the local NHS-controlled environment and can be audited against the organisation's own operating and safety model.

Supplier or clinical AI deployment

Manufacturers can operate with a sovereign evidential layer that supports procurement scrutiny, safety-case work and regulated clinical deployment without external data movement by default.

Request a Conversation

If you are assessing how AI-assisted clinical recommendations, triage decisions or governance submissions can remain auditable inside NHS-controlled environments, the next step is a technical conversation about evidential architecture.

Request a conversation