
Clinical AI-Assisted Software Development Lifecycle (AI-SDLC)

Adapted for NHS/Healthcare from the GOV.UK AI-SDLC Playbook.

This playbook provides guidance for Nurse Citizen Developers on integrating AI coding assistants (like Copilot, Cursor, or Claude) across all phases of building clinical applications.

Core Clinical Principles

When using AI coding assistants in healthcare software development, apply these principles constantly:

  1. Clinical Oversight Remains Essential: AI accelerates work but does NOT replace professional nursing judgement. All AI-generated outputs require human review, particularly for patient-facing logic or clinical algorithms (DCB0129 compliance).
  2. Context Drives Clinical Quality: The effectiveness of AI outputs depends directly on the context you provide. Invest time in Context Engineering to achieve clinically accurate results.
  3. Verify Before Committing: Never deploy AI-generated code without fully understanding its logic.
  4. Continuous Compliance: Embed the NMC Code, NHS Data Security and Protection Toolkit (DSPT), and Digital Technology Assessment Criteria (DTAC) into your workflow from the start, not as an afterthought.

The Clinical AI-SDLC Phases

1. Plan

Purpose: Decide what to build and break it into safe deliverables.

How AI Helps: AI can review user stories (e.g., a nurse needing a handover tool) to identify edge cases or GDPR implications early on.

Example Prompt:

"Review this user story for a diabetic foot ulcer tracking app. Identify any ambiguities, missing clinical edge cases, or DSPT compliance risks we should clarify before development."

Avoid: Using AI to write user stories without actual patient or frontline nurse input.


2. Code

Purpose: Write software that solves clinical problems while meeting strict healthcare standards.

How AI Helps: Generating boilerplate code, explaining legacy NHS codebases, and enforcing formatting.

Example Prompt:

"Create a Python Flask route for receiving patient handover notes. Follow these patterns:

  • Validate input to ensure no Personally Identifiable Information (PII) is processed without explicit consent flags.
  • Follow NCSC secure coding guidelines.
  • Use SNOMED CT code structures for any symptom classifications."

Avoid: Generating massive blocks of code without incremental testing, or accepting AI suggestions that bypass input sanitization.
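As an added illustration of the three patterns in the prompt above (this is example code written for this page, not code from the playbook or from any NHS project), the block below shows the validation layer such a Flask route needs. The field names (note_text, consent_to_process, symptoms, snomed_code), the consent-flag semantics, the 4000-character limit and the sample payloads are assumptions made for the example. NHS-number detection uses the real modulus-11 check digit so that arbitrary 10-digit strings are not flagged; the SNOMED CT check is structural only (length and partition identifier) and does not verify the Verhoeff check digit.

```python
import re

# Added example (not from the playbook): the validation layer a handover-notes
# route needs before any Flask code runs. Field names, the consent flag and the
# sample payloads are assumptions made for this illustration.

# NHS numbers are 10 digits, often written as 3-3-4 groups; the last digit is a
# modulus-11 check digit, which lets us tell a real NHS number from any 10 digits.
NHS_NUMBER_RE = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{4})\b")
SCTID_RE = re.compile(r"\d{6,18}")


def is_valid_nhs_number(candidate: str) -> bool:
    """Modulus-11 check: weights 10..2 over the first nine digits."""
    digits = re.sub(r"\D", "", candidate)
    if len(digits) != 10:
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:  # no valid NHS number has this remainder
        return False
    return check == int(digits[9])


def contains_nhs_number(text: str) -> bool:
    """True if any 10-digit group in the text passes the NHS number checksum."""
    return any(is_valid_nhs_number("".join(m.groups())) for m in NHS_NUMBER_RE.finditer(text))


def is_concept_sctid(code: str) -> bool:
    """Structural check for a SNOMED CT concept identifier: 6-18 digits whose
    partition identifier (the two digits before the check digit) is 00 or 10.
    The Verhoeff check digit is deliberately not verified here (simplification)."""
    return SCTID_RE.fullmatch(code) is not None and code[-3:-1] in ("00", "10")


def validate_handover_note(payload: dict) -> list[str]:
    """Return a list of validation errors; an empty list means the note is acceptable."""
    errors = []
    note = payload.get("note_text")
    if not isinstance(note, str) or not note.strip():
        errors.append("note_text must be a non-empty string")
        note = ""
    elif len(note) > 4000:
        errors.append("note_text exceeds 4000 characters")

    # Direct identifiers in free text are only accepted with an explicit consent flag.
    if contains_nhs_number(note) and payload.get("consent_to_process") is not True:
        errors.append("note_text appears to contain an NHS number but consent_to_process is not set")

    symptoms = payload.get("symptoms", [])
    if not isinstance(symptoms, list):
        errors.append("symptoms must be a list of {snomed_code, term} objects")
    else:
        for i, symptom in enumerate(symptoms):
            code = symptom.get("snomed_code") if isinstance(symptom, dict) else None
            if not isinstance(code, str) or not is_concept_sctid(code):
                errors.append(f"symptoms[{i}].snomed_code is not a SNOMED CT concept identifier")
    return errors


def create_app():
    """Flask wiring; Flask is imported lazily so the validator above runs without it."""
    from flask import Flask, jsonify, request

    app = Flask(__name__)

    @app.post("/handover")
    def receive_handover():
        payload = request.get_json(silent=True)
        if not isinstance(payload, dict):
            return jsonify({"errors": ["request body must be a JSON object"]}), 400
        errors = validate_handover_note(payload)
        if errors:
            return jsonify({"errors": errors}), 400
        # Persisting the note is out of scope; 202 reflects that only validation happened.
        return jsonify({"status": "accepted"}), 202

    return app


# Constructed sample payloads (fictional ward reference; the NHS number is an example value).
CLEAN_NOTE = {
    "patient_ref": "WARD7-BED12",
    "note_text": "Reviewed on ward, dressing changed, no new concerns.",
    "consent_to_process": False,
    "symptoms": [{"snomed_code": "386661006", "term": "Fever"}],
}
NOTE_WITH_NHS_NUMBER = dict(CLEAN_NOTE, note_text="Handover for 943 476 5919: dressing changed.")
```

Run `create_app().run()` to serve the route locally; the validator itself has no Flask dependency, which is what makes it easy to unit test in the next phase. Keeping the checks in a plain function rather than inside the route is also what lets a reviewer read the PII rule in one place instead of hunting for it in request-handling code.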


3. Test

Purpose: Ensure total clinical safety and regulatory compliance.

How AI Helps: Generating unit tests, edge cases, and compliant synthetic (fake) patient data for safe testing.

Example Prompt:

"Generate Pytest unit tests for this clinical risk scoring function. Include:

  • Happy path for standard scores.
  • Edge cases (e.g., negative age inputs, extreme vital signs that defy human physiology).
  • Verify that any input over the critical threshold triggers the correct escalation flag."

Avoid: Using real patient data (even anonymised) in AI prompts. ALWAYS use synthetic data.
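As an added example of what the test prompt above should produce (written for this page; it is not code from the playbook), the block below pairs a small risk-scoring function with Pytest-style tests covering the happy path, band boundaries, the escalation threshold, and physiologically impossible input. The score, its bands, the threshold of 5 and the plausibility ranges are hypothetical simplifications chosen so the tests have something concrete to assert against; they are not a validated clinical tool and stand in for whatever scoring function your own project defines.

```python
from dataclasses import dataclass

# Added example (not from the playbook). The score, its bands and the threshold are
# hypothetical simplifications chosen for illustration; they are NOT a validated
# clinical tool and must not be used for patient care.
ESCALATION_THRESHOLD = 5

# Physiological plausibility limits (assumed for this example): anything outside
# them is treated as a data-entry or integration error, not as an extreme patient.
PLAUSIBLE_RANGES = {
    "age_years": (0, 125),
    "heart_rate": (20, 300),
    "temperature_c": (24.0, 45.0),
}


@dataclass(frozen=True)
class Observation:
    age_years: int
    heart_rate: int        # beats per minute
    temperature_c: float   # degrees Celsius


def check_plausible(obs: Observation) -> None:
    """Reject values no human could present with; they indicate bad data, not a sick patient."""
    for field, (low, high) in PLAUSIBLE_RANGES.items():
        value = getattr(obs, field)
        if not low <= value <= high:
            raise ValueError(f"{field}={value} is outside the plausible range {low}-{high}")


def risk_score(obs: Observation) -> tuple[int, bool]:
    """Return (score, escalate). Raises ValueError for implausible input."""
    check_plausible(obs)
    score = 0
    hr = obs.heart_rate
    if hr <= 40 or hr >= 131:
        score += 3
    elif hr >= 111:
        score += 2
    elif hr <= 50 or hr >= 91:
        score += 1

    t = obs.temperature_c
    if t <= 35.0:
        score += 3
    elif t >= 39.1:
        score += 2
    elif t <= 36.0 or t >= 38.1:
        score += 1
    return score, score >= ESCALATION_THRESHOLD


# ---- Pytest-style tests: pytest collects test_* functions; they also run as plain calls ----

def _raises(exc_type, fn, *args) -> bool:
    """Small helper so the tests do not depend on pytest.raises being importable."""
    try:
        fn(*args)
    except exc_type:
        return True
    return False


def test_happy_path_normal_adult():
    assert risk_score(Observation(54, 72, 37.0)) == (0, False)


def test_band_boundaries():
    assert risk_score(Observation(54, 91, 36.0)) == (2, False)   # 1 + 1
    assert risk_score(Observation(54, 111, 38.1)) == (3, False)  # 2 + 1


def test_escalation_flag_at_and_below_threshold():
    assert risk_score(Observation(80, 131, 39.1)) == (5, True)   # 3 + 2 reaches the threshold
    assert risk_score(Observation(80, 130, 39.1)) == (4, False)  # 2 + 2 stays below it
    assert risk_score(Observation(80, 40, 35.0)) == (6, True)    # maximum score


def test_rejects_physiologically_impossible_input():
    assert _raises(ValueError, risk_score, Observation(-1, 72, 37.0))     # negative age
    assert _raises(ValueError, risk_score, Observation(54, 400, 37.0))    # impossible pulse
    assert _raises(ValueError, risk_score, Observation(54, 72, 60.0))     # impossible temperature
    assert not _raises(ValueError, risk_score, Observation(0, 140, 37.0))  # neonate: plausible, just high
```

Note that every value in the tests is synthetic; the boundary cases are chosen by reading the band edges in the code, which is exactly the review step the playbook asks for before an AI-generated test suite is trusted.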


4. Deploy & Operate

Purpose: Safely put your service live for clinicians or patients, and keep it running smoothly.

How AI Helps: Generating strict deployment checklists, infrastructure-as-code with locked-down permissions, and analysing server logs during incidents.

Security Consideration: Never include NHS credentials, API keys, or database passwords in an AI prompt when troubleshooting a deployment failure.
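A practical way to honour that rule when you do want an assistant's help with a failing deployment is to scrub the log excerpt before it leaves your machine. The block below is an added example written for this page (not code from the playbook or from any NHS system): the log lines are constructed and every credential in them is a made-up placeholder, and the regular expressions are assumptions about common credential shapes (connection-string passwords, Authorization headers, KEY=value pairs whose key name suggests a secret). The final check confirms that any secrets you already know about did not survive redaction.

```python
import re

# Added example (not from the playbook): scrub credentials from a log excerpt before
# it is pasted into an AI assistant for troubleshooting. The log lines below are
# constructed and every credential in them is a made-up placeholder.
SAMPLE_LOG = """\
2024-05-01T09:14:02Z INFO  connecting to postgres://handover_app:Sup3rS3cret!@db.internal:5432/handover
2024-05-01T09:14:02Z ERROR GET /fhir/Patient -> 401; sent header Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.example-token
2024-05-01T09:14:03Z DEBUG env: NHS_API_KEY=nhsk-0000-EXAMPLE DB_PASSWORD=Sup3rS3cret! LOG_LEVEL=debug
2024-05-01T09:14:03Z WARN  retrying in 5s
"""

# Ordered list of (pattern, replacement). Each pattern keeps the context in group 1
# so the redacted line still reads naturally, and only the secret value is removed.
PATTERNS = [
    # user:password embedded in a connection URL, e.g. scheme://user:pass@host
    (re.compile(r"(://[^:/\s]+:)[^@\s]+(@)"), r"\1[REDACTED]\2"),
    # Bearer / Basic credentials in an Authorization header
    (re.compile(r"(Authorization:\s*(?:Bearer|Basic)\s+)\S+", re.IGNORECASE), r"\1[REDACTED]"),
    # KEY=value or key: value where the key name suggests a secret
    (
        re.compile(r"(\b\w*(?:password|passwd|secret|token|api_?key)\w*\s*[=:]\s*)\S+", re.IGNORECASE),
        r"\1[REDACTED]",
    ),
]


def redact_secrets(text: str) -> str:
    """Apply every pattern in order; later patterns see the output of earlier ones."""
    for pattern, replacement in PATTERNS:
        text = pattern.sub(replacement, text)
    return text


def residual_secrets(text: str, known_secrets) -> list[str]:
    """Return any known secret values that still appear verbatim in the text."""
    return [secret for secret in known_secrets if secret and secret in text]


def prompt_safe_excerpt(text: str, known_secrets=()) -> str:
    """Redact, then refuse to return the excerpt if a known secret slipped through.

    known_secrets would typically be the live values from the deployment's
    environment or secret store (assumption: the caller has them in hand)."""
    scrubbed = redact_secrets(text)
    leaked = residual_secrets(scrubbed, known_secrets)
    if leaked:
        raise RuntimeError(f"{len(leaked)} known secret(s) survived redaction; do not paste this excerpt")
    return scrubbed


if __name__ == "__main__":
    print(prompt_safe_excerpt(SAMPLE_LOG, ["Sup3rS3cret!", "nhsk-0000-EXAMPLE"]))
```

The keyword pattern deliberately errs on the side of over-redaction (a field such as `token_count=12` would also be masked), because a lost number in a troubleshooting excerpt is cheap and a leaked credential is not. Pattern order matters: the Authorization header is scrubbed before the generic keyword pass so that a token value containing the word "token" is never partially exposed.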