Cooliba is coming soon. This site is a preview — the platform is currently in development.
Cooliba is the agentic clinical governance platform for digital health. Seven pillars of assurance — Safety, Quality, Security, Privacy, Usability, Accessibility, and Regulatory — connected in one platform, governed by the same Human Accountability Architecture. Whether you build digital health software, deploy it, or procure it, Cooliba gives you the governance structure to prevent risk before it reaches a patient.
Prevent the risks that governance was designed to catch.
The Cooliba Clinical Governance Framework
Clinical Governance was designed for clinical services. Cooliba extends it to the software that delivers those services — every dimension of assurance, connected and traceable.

One unmitigated risk. Three pillars. One platform.
Ransomware attacks on healthcare infrastructure are a documented and growing threat. When a pathology system goes offline, blood transfusions are cancelled, operations are postponed, and patient data is exposed. These are foreseeable, documentable risks — the kind that a structured governance process is designed to identify and mitigate before they materialise. Cooliba connects the security threat model, the privacy impact assessment, and the clinical hazard log so that no foreseeable risk falls through the gap between pillars.
Clinical view: "If the blood bank system goes offline, we cannot cross-match transfusions. This is a catastrophic foreseeable risk."
Technical view: threat-model/blood-bank.md · Availability threat · CVSS 9.1 · Compensating control required before deployment
Clinical view: "Patient blood group and transfusion history is classified HIGH sensitivity. A breach would require 72-hour notification."
Technical view: PIA-2024-011 · data-register/blood-bank · Sensitivity: HIGH · Breach response plan: linked
Clinical view: "HZ-0091 — System unavailability during emergency transfusion. Severity: Catastrophic. Risk control required."
Technical view: HZ-0091 ⇔ REQ-119 ⇔ RC-044 · Approved: CSO · Status: Controlled before go-live
SYSTEM OF RECORD
Cooliba is not a collection of compliance checklists. It is a single system of record where every hazard, privacy impact, threat model, usability finding, and regulatory artefact is linked to every other — and every link is traceable to the code that implements it.
For clinicians
Write in plain language. Review AI-drafted artefacts. Approve with your professional credential. No technical knowledge required.
For engineers
See safety, privacy, and security implications inline. Every change shows what it affects clinically. Source code access is optional.
For deployers & procurers
Produce your DCB0160 safety case, DTAC evidence pack, and deployment hazard log without access to the vendor's source code.
For compliance teams
One audit trail across all seven pillars. Export-ready for DCB, DTAC, ISO, and TGA. Always current, never assembled at the end.
The problem we solve
A clinician identifies a hazard: "A nurse could accidentally administer ten times the intended dose." An engineer writes a validation function. Today, there is no reliable connection between those two facts — and that gap is where patient harm enters.
Cooliba creates that connection. Every clinical artefact is linked to the technical artefact that implements it. When the code changes, the clinical team is notified. When the clinical team approves a hazard, the engineer sees it in their IDE. The gap closes.
FULL TRACEABILITY CHAIN
Patient Hazard · Infusion rate error
Requirement · REQ-042: Dose validation
Risk Control · RC-019: Range check
Test Case · TEST-119: Boundary test
Source Code · validateDoseRange.ts:47
The human element
Cooliba's AI agents surface connections and draft documentation. But every artefact that enters the safety record is reviewed and approved by a named, credentialled human. That's not a limitation — it's the point.
Dr. Sarah Mitchell
Chief Clinical Officer · Luminate Health
CLINICAL
"For the first time, I can see exactly which line of code corresponds to a hazard I've identified. That connection changes everything about how we work with our engineering team."
James Okafor
VP Engineering · Meridian Digital Health
TECHNICAL
"Our engineers used to dread the clinical safety review — it felt like a black box. Now they can see the patient impact of every PR before they merge. It's changed how the team thinks about their work."
Emma Thornton
Clinical Safety Consultant · Thornton Health Compliance
COMPLIANCE
"I manage clinical safety for six digital health clients. Cooliba has cut the time I spend on documentation by 60% — and the quality of the safety case is dramatically better because it's connected to the actual code."
When a Clinical Safety Officer approves a hazard in Cooliba, their professional credential number is captured alongside their digital signature. That record is written to an immutable audit log — defensible under regulatory scrutiny, and transparent to every stakeholder.
How it works
Upload existing requirements, risk registers, architecture docs, or vendor evidence packs. No source code required.
Agents cross-reference your artefacts, surface missing links, and draft hazard log entries for clinical review.
Plain-language review and approval. No technical knowledge required.
Optionally connect CI/CD pipeline outputs, issue trackers, or source repositories for continuous evidence.
DCB 0129/0160, ISO 14971, DTAC — always current, always traceable.
Connect at your own pace
Every organisation has a different appetite for what data they will share with a third-party platform. Cooliba is designed to deliver meaningful governance value at every level — starting from publicly available documents and scaling to full source code integration as trust and appetite grow.
Any organisation — no approval required
Cooliba ingests publicly available or vendor-published artefacts: regulatory submissions, published safety cases, DTAC forms, and procurement documentation. No internal data leaves your organisation.
Organisations comfortable sharing governance docs
Upload your own governance artefacts — business requirements, clinical requirements, technical requirements, security requirements, architecture documents, and risk registers. These are the governance gates that exist in every organisation, regardless of whether source code is involved.
Development teams with security governance controls
Grant read-only access to CI/CD pipeline outputs — test results, defect logs, vulnerability scan findings, build provenance records, and SBOM updates. Source code is never shared; only the outputs of the build process are ingested.
SaMD developers who choose full integration
For organisations that choose to grant repository access, Cooliba performs static analysis, dependency scanning, and automated requirements traceability directly from the codebase. This level maximises automation but is never a prerequisite for governance value.
THE GOVERNANCE GATES
Every digital health product passes through nine governance gates — from the first business requirement to post-deployment monitoring. Each gate produces artefacts. Each artefact, if unstructured or unlinked, is a potential source of unmitigated risk. Cooliba governs all nine gates. The depth of integration at each gate is determined by your organisation's data sensitivity appetite — not by Cooliba's requirements.
Platform
AI-assisted hazard identification from your codebase and clinical documentation. Clinical review in plain language.
From patient hazard to source code in one click. Bidirectional, versioned, and always current.
GSN-based safety case assembled from your approved artefacts. DCB 0129/0160 export ready.
Pre-populated with VCP, DCB, and ISO 14971 risk libraries. Live, auditable, and always current.
Every AI artefact requires human approval. Credential capture. Immutable audit log.
Row-level security, SSO, MFA, AU/UK data residency. Your data never leaves your chosen region.
Built for the regulatory frameworks that govern digital health.
NHS · TGA · ATSC · ISO · IEC · EU AI Act
EARLY ACCESS
Clinical governance for every stage of digital health — whether you build, deploy, or procure.
We're onboarding a small cohort of early partners with dedicated implementation support and direct access to the founding team.