2023 Sep 21;33(3):156–165. doi: 10.1136/bmjqs-2023-016042

What can Safety Cases offer for patient safety? A multisite case study

Elisa Giulia Liberati 1, Graham P Martin 1, Guillaume Lamé 1,2, Justin Waring 3, Carolyn Tarrant 4, Janet Willars 4, Mary Dixon-Woods 1
PMCID: PMC10894827  PMID: 37734957

Abstract

Background

The Safety Case is a regulatory technique that requires organisations to demonstrate to regulators that they have systematically identified hazards in their systems and reduced risks to being as low as reasonably practicable. It is used in several high-risk sectors, but only in a very limited way in healthcare. We examined the first documented attempt to apply the Safety Case methodology to clinical pathways.

Methods

Data are drawn from a mixed-methods evaluation of the Safer Clinical Systems programme. The development of a Safety Case for a defined clinical pathway was a centrepiece of the programme. We base our analysis on 143 interviews covering all aspects of the programme and on analysis of 13 Safety Cases produced by clinical teams.

Results

The principles behind a proactive, systematic approach to identifying and controlling risk that could be curated in a single document were broadly welcomed by participants, but were not straightforward to deliver. Compiling Safety Cases helped teams to identify safety hazards in clinical pathways, some of which had been previously occluded. However, the work of compiling Safety Cases was demanding of scarce skill and resource. Not all problems identified through proactive methods were tractable to the efforts of front-line staff. Some persistent hazards, originating from institutional and organisational vulnerabilities, appeared also to be out of the scope of control of even the board level of organisations. A particular dilemma for organisational senior leadership was whether to prioritise fixing the risks proactively identified in Safety Cases over other pressing issues, including those that had already resulted in harm.

Conclusions

The Safety Case approach was recognised by those involved in the Safer Clinical Systems programme as having potential value. However, it is also fraught with challenge, highlighting the limitations of efforts to transfer safety management practices to healthcare from other sectors.

Keywords: Patient safety, Qualitative research, Risk management


WHAT IS ALREADY KNOWN ON THIS TOPIC

  • Safety Cases are a well-established regulatory technique in some areas, requiring organisations to make the case to the relevant regulator that they have put in place adequate measures to reduce risks in their systems to a level ‘as low as reasonably practicable’ (ALARP).

  • Importing of safety practices from other sectors has a long track record in healthcare, but little is known about the potential of the Safety Case approach when applied to clinical pathways.

WHAT THIS STUDY ADDS

  • It was difficult for clinical teams to use the Safety Case as intended (to show that risks had been reduced to ALARP), not least because they often identified issues that front-line staff could not address.

  • Safety Cases were sometimes used instead to attract senior leaders’ attention and to make the case for better support and resourcing, but some issues were beyond the control even of organisational leadership.

HOW THIS STUDY MIGHT AFFECT RESEARCH, PRACTICE OR POLICY

  • Safety Cases may have some potential in healthcare, but their optimal use in this sector may require modifications, particularly if they are considered for regulatory purposes.

Introduction

Patient safety remains a major challenge for healthcare, despite more than two decades of sustained policy, practice and research attention.1 2 The initial enthusiasm for borrowing practices and methods from other safety-critical industries (such as aviation) at the outset of the patient safety movement3–5 has been tempered by experience.6–12 It is now widely recognised that attempts to transfer approaches between contexts require care and caution, and should be supported by theory and empirical evaluation.13–15 This paper seeks to contribute to addressing this need through examination of an attempt to introduce into healthcare a specific safety approach—the Safety Case—that is already used in other industries (including oil, transport and mining) both as a regulatory technique,16 and, more rarely, as a quality management approach without regulatory mandate (eg, in the automotive industry).17 18

The specifics of the Safety Case approach vary between sectors and regulators,19 but the general principles are listed in box 1. In brief, a claim to operational safety is justified through a series of linked arguments that explain how safety has been secured, with supporting evidence, including the processes in place to control risk. Where used as a regulatory technique, Safety Cases are produced by organisations to ‘make the case’ to the relevant regulator that they have put in place adequate measures to reduce risks in a product or system to a level ‘as low as reasonably practicable’ (often abbreviated as ALARP). The regulator then reviews the Safety Case and either grants the organisation licence to operate, or may require further risk assessments, justification of the measures proposed or additional risk mitigations.20

Box 1. Typical features of safety cases.

Safety Cases are developed to ‘make the case’ that risk has been reduced to a level ‘as low as reasonably practicable’ (ALARP). To do so, Safety Cases integrate various forms of prospective risk management analysis, based on the idea that operators are better placed than external regulators to assess risks in their own systems. The core of the Safety Case is typically a risk-based argument and corresponding evidence to demonstrate that all risks associated with a particular system have been identified, that appropriate risk controls have been put in place, and that there are appropriate processes in place to monitor the effectiveness of the risk controls and the safety performance of the system on an ongoing basis.23

Safety cases typically contain:

  • A description of the system and its operational context;

  • How safe the system is claimed to be and the criteria by which safety is assessed;

  • How hazards have been identified and how the risks they pose have been assessed;

  • What kind of risk control measures have been put into place and why they are effective; and

  • Why the residual level of risk is acceptable.23

Safety Cases are typically reviewed and assessed by an external regulator, for example, in the nuclear or petrochemical industries in the UK. However, some industrial sectors have also deployed the approach outside of a regulatory requirement. For example, the automotive industry uses Safety Cases that are part of the ISO26262 standard, but this is not mandated by regulators.17 18

As an approach requiring organisations to proactively describe what procedures and actions they are putting in place to control risk, Safety Cases can be contrasted with prescriptive, compliance-oriented approaches, where organisations are required to show that they have met externally imposed safety standards.21 Because they are written for a specific system and its context of use, they are intended to be more adaptable to specific situations than generic safety standards, and also more responsive to rapid change in technologies or practices.22

On the face of it, the Safety Case would appear to have value as an approach to safety management in healthcare, particularly in its potential for prospective identification and control of risk. However, the Safety Case approach has only rarely been used in healthcare, and only in a very limited number of applications (eg, development of information systems and medical devices).23 24 In this article, we develop an analysis of the application of the Safety Case approach within the UK National Health Service (NHS) using a case study of the first documented attempt to apply the principles of the methodology to clinical pathways. As the approach was deployed outside a regulatory context, our analysis focuses on the transferability of an approach to risk management that is proactive, structured, and tailored in nature and that presents evidence about the safety of specific clinical systems and existing mitigations in a single ‘case’ document.

Methods

Case study: the Safer Clinical Systems programme

Our analysis draws on an evaluation we conducted of a programme known as Safer Clinical Systems, which is designed to improve the safety and reliability of clinical pathways based on learning adapted from a range of hazardous industries. It seeks to enable organisations to make improvements to local clinical systems and pathways through a structured methodology for identifying risks and re-engineering systems to control risk and enhance resilience.25 26 Use of the principles of the Safety Case approach is a centrepiece of the Safer Clinical Systems programme, although outside a regulatory context.

Funded by the Health Foundation, the Safer Clinical Systems programme was developed by a team at Warwick University and tested over a number of phases. Following initial development, a ‘testing phase’ involving eight NHS hospital sites (seven in England, one in Scotland) ran from 2011 to 2014. An ‘extension phase’ (2014 to 2016) involved further work by five of these sites and one new site.

Each participating hospital site (table 1) was required to establish a multidisciplinary clinical team. Sites in the testing phase were advised by a support team of clinicians and experts, received in-person training, had access to other resources (such as a reference manual and telephone support) and were required to report their progress regularly. Sites in the extension phase had less bespoke support and were expected instead to build on their previous learning.

Table 1.

Sites involved in the programme

| Site | Aim of the Safer Clinical Systems project: main phase | Aim of the Safer Clinical Systems project: extension phase |
|---|---|---|
| 1 | Improve the medication management pathway for patients with Parkinson’s disease between primary and secondary care. | Improve the recognition and treatment of venous thromboembolism in patients admitted for surgery. |
| 2 | Improve prescribing accuracy for patients with an acute medical illness by developing a prescribing pathway between the emergency department and the emergency admissions unit. | Improve the accuracy of prescriptions in the emergency admission unit (follow-up). |
| 3 | Improve the handover across primary, secondary and tertiary care for children with complex illnesses. | Improve the recognition of, and timely response to, sepsis or potential sepsis in patients admitted to the emergency department. |
| 4 | Improve safety and effectiveness of the transfer of care between daytime and out-of-hours clinical teams. | Refine the Safety Case approach, explore its scalability and its potential application to a complex pathway (ie, surgery). |
| 5 | Reduce the number of medication prescribing errors that reached the patient in the acute medical unit. | Improve the reliability and accuracy of medicines reviews and reconciliation on admission and discharge. |
| 6 | Improve the quality and safety of shared care of renal patients receiving surgical intervention. | Did not take part in this phase. |
| 7 | Reduce medications prescription errors and increase the safety of the prescribing pathway for patients admitted to the acute medicine admissions unit from primary care or the emergency department. | Did not take part in this phase. |
| 8 | Reduce the number of unplanned re-admissions to hospital among patients aged 75 years or older. | Did not take part in this phase. |
| 9 | Did not take part in this phase. | Improve the medication management process (with particular focus on Sepsis Six Care bundle) and explore the possibility to use the Safety Case approach for assurance purposes. |

A requirement of participating teams was that they use the Safer Clinical Systems approach to proactively assess risks and hazards in their clinical pathways and that they produce Safety Cases at the end of their projects describing the risks and how they were being mitigated. The Safety Cases were expected to be similar in format to those used in other sectors,27 comprising a description of the clinical pathway covered, the key hazards identified through structured analysis using prescribed tools, the risk controls implemented, and, critically, a ‘safety claim’ and associated ‘confidence argument’—a pronouncement on the current safety of the system concerned, and a statement explaining how risks had been made ALARP. Rather than being presented to an external regulator, as would be the case if the Safety Case were being used as a regulatory technique, the principal intended audience in this programme was the senior leadership (executive and board level) within organisations.

Evaluation methods

To study the testing and extension phases of the Safer Clinical Systems programme, we used a mixed-methods, longitudinal design, involving interviews, ethnographic observations, and documentary analysis across the nine participating sites. The analysis we report here is based primarily on interviews and documentary analysis. Ethnographic observations (over 850 hours) provided valuable data on how clinical teams carried out their Safer Clinical Systems projects in practice in the context of existing and competing demands, but are not reported in detail here.

Across the nine sites, we conducted 89 semistructured interviews in the testing phase and 39 in the extension phase with participating clinical team members and programme leaders. Sampling at the sites sought to purposefully include a range of different roles in the programme, including the clinical leaders of each project and others. We also conducted 5 semistructured interviews in the testing phase, followed by 10 in the extension phase, with organisational senior leadership, comprising executive team/board members. Interviews explored general experiences of the programme as well as specific exploration of using the Safety Case approach. Participants were informed of the aims and commissioners of the evaluation. All interviews were conducted by experienced social scientists using topic guides (online supplemental material 1). Interviews were conducted either in person or by telephone, between November 2012 and June 2016, and were digitally audio recorded and then transcribed for analysis.

Analysis, conducted by EL and guided by the wider team, was based on the constant comparative method28 combining inductive and deductive approaches. We coded interviews and observations using an inductive approach, deriving codes directly from each interview and then progressively clustering codes in higher order categories and themes. To strengthen explanatory power, this inductive strategy was complemented by theoretical concepts drawn from the wider literature.

GL and EL conducted a documentary analysis of the Safety Cases prepared by the clinical teams (table 2). We used recommendations and guidelines for writing and maintaining safety cases in other sectors,29–31 to organise the Safety Cases’ content thematically, and identified their main strengths and weaknesses in terms of completeness, presence of appropriate evidence and analyses to support the claims, consistency with the site’s safety improvement objectives, readability, and presence of a safety claim and confidence argument.

Table 2.

Format and content of 13 Safety Cases reviewed

| Item | Median (min–max) | Number of Safety Cases with available data |
|---|---|---|
| Reporting (number of pages) | | |
| Safety Case (without executive summary and appendices) | 20 (14–40) | 13 |
| Executive summary | 2.5 (1–7) | 8 |
| Total length of submitted document (including executive summary and appendices) | 43 (14–360) | 13 |
| Identification of hazards in the clinical pathway | | |
| Number of hazards or failure modes identified | 22 (5–99) | 11 |
| Number of ‘high-risk’ hazards identified | 7.5 (4–36) | 8 |
| Choice of risk controls | | |
| Number of interventions selected | 7 (2–40) | 11 |
| Measurement of progress | | |
| Number of measures in ‘safety set’ | 5.5 (3–13) | 12 |

Finally, we organised our higher order themes and overall reflections using concepts and themes proposed by recent works on the topic.19 32 Regular team meetings and correspondence provided oversight of the analytical approach, consistency and adequacy of codes, and reporting. Given the nature of the programme, we did not undertake a formal test for theoretical saturation for the interviews or the Safety Cases.

Findings

Across the testing and extension phases of Safer Clinical Systems, we undertook 143 interviews with participants across programme leadership, clinical teams and organisational leadership. We analysed 13 submitted Safety Cases; although 14 should have been developed, one site from the extension phase struggled to implement the programme in full and did not produce a Safety Case.

In presenting our analysis below, we consider, first, participants’ views on the Safety Case as a novel approach to understanding and managing safety risk in healthcare, and second, the work that went into developing Safety Cases. We then turn to the analysis of Safety Cases themselves.

Views on the value of safety cases

By the end of the programme, members of the project teams and senior leadership in the participating organisations had largely come to see the Safety Case as a valuable approach, with the potential to make hazards visible in an accountable, systematic and scientific way. The analytical steps required to compile a Safety Case, such as process mapping the patient pathway, were seen to be particularly useful in proactively identifying threats to safety, rather than reactively managing incidents once they had happened. The role of Safety Cases in enabling an overarching, system-wide view of the hazards, rather than focusing on what happens in particular segments of the pathway, was also welcomed. Broadly, teams valued the possibilities of new ways of thinking about risk.

I like the idea that you just have one document that you can hand to somebody and say how safe is your system. I like the concept that you can say ‘Well this is what our system is like just now’. (Project participant)

Some organisational senior leaders agreed, at least in principle, that Safety Cases could offer value, and recognised the importance of a prospective approach to safety.

We have immensely complex systems which could be simplified and therefore made a bit more reliable. […] So something which looks at that could certainly be a useful thing, because it’s saying ‘Well actually here is a little nest of complexity which you can reduce, but it’s also a significant risk to the patient, because you’re missing information or you’re hurrying things through.’ […] (Senior leader)

Other senior leaders, however, were not always clear on the practicalities of the approach, and some found it difficult to identify the added value of Safety Cases. They suggested, for example, that existing risk management tools performed very similar functions.

If you look at our risk register, mitigation is the last box, we spend a good amount of time on the other things, but if we were to spend any time on a particular risk it would be on mitigation […]. And so that sounds like a very similar process, and so I’m back to what the delineation is between Safety Case and risk register. (Senior leader)

Some project teams saw the Safety Case as useful for a secondary reason: that of securing the attention and interest of senior leaders in their organisations. Their hope was that, by providing new evidence and analysis of the riskiness of clinical systems, senior management attention, support, and resources might be solicited.

So they’ve [senior management] actually kind of bought into it, so I think they will feel pressure to deliver. (Project participant)

However, as we explain below, the exact fit of Safety Cases into the existing ecology of tools and documents in healthcare was not clear to all participants.

Preparing safety cases

Project teams were required to learn new techniques to prepare the Safety Cases, including use of systematic methods to identify and assess risks in their clinical pathways, to propose risk controls and to identify metrics that could be used to monitor systems. Production and communication of Safety Cases also required skills in making persuasive claims, structuring arguments and presenting evidence compellingly. The participating teams were, understandably, unfamiliar with many of these skills, and expressed uncertainties about the expected structure, content and style of the Safety Case itself, especially in terms of what issues to emphasise and how to evidence them. Participants described compiling and drafting the Safety Case as labour-intensive and difficult.

I think the other bit that we have been challenged by is the actual writing of the Safety Case and again it is because it is fairly new to healthcare in general. I think we are going to go through a few reiterations before we fully understand what it is and how to use it. (Project participant)

Notwithstanding the training and support received in the ‘testing’ phase, teams continued to report difficulties with preparing and drafting Safety Cases well into the extension phase. A recurrent source of ambiguity related to the size and scope of the clinical system that the Safety Cases should target. The first, diagnostic, step in the Safer Clinical Systems process involved defining the clinical pathway of focus. However, determining the boundaries of the pathway was far from straightforward. Furthermore, clinical pathways typically involved dozens of technological systems (eg, infusion pumps, IT systems) and sociotechnical processes (eg, guidelines, multidisciplinary meetings). Each might be amenable to risk assessment and management individually, but making sense of their connections, aggregate risks and potential interactions was a much more complex task.

It’s not a linear process and you do go back trying to understand another bit of the process that you thought you understood, but actually didn't as (…) you had hoped. (Project participant)

Once the pathways and their components had been determined (or at least approximated), project teams used a range of methods recommended by the Safer Clinical Systems programme, mostly derived from similar activities in other industries, to assess hazards and risks. The teams found the processes often challenging and time-consuming, with much discussion about the relative merits of different sources of data and evidence. Despite the challenges, teams generally concluded that conducting a systematic risk assessment using structured tools offered important new insights about clinical pathways.

What I’ve loved doing is, is talking to the staff and actually understanding what goes on, because it’s only when you understand what goes on that you can put it right… You’ve worked in the hospital for years and there’s still things you didn’t realise actually went on and things that people did that you didn't realise that they actually did. That was quite an eye-opener. (Project participant)

This new understanding through structured risk assessment enabled teams to identify multiple shortcomings that had potential to harm patients. The hazards they unearthed varied greatly in scale, level of risk posed and tractability to intervention. Some problems identified were amenable to resolution by the project teams, typically those with their roots in suboptimal service planning and pathway design, failures in communication among staff, or unclear distribution of responsibility or ownership of key processes. In response to these, most, but not all, sites designed or implemented some risk controls and documented them in their Safety Cases.

[Staff are] given the freedom and the autonomy to go ahead and do whatever things they think might be necessary to make things better. And that’s what people do, there is very much a culture of promoting change there, so they talked about small cycles of change, doing PDSA [Plan Do Study Act] cycles, and there’s a number of different projects that are running (Observation notes)

The extent to which these risk control interventions were consistent with the principles of the Safer Clinical Systems programme varied by site. Some project teams were able to draw on extensive experience, while others foundered at this stage. Common to all sites, however, was the identification of issues that were well beyond the scope of control of the front-line teams themselves. These vulnerabilities tended to originate from deep-rooted institutional and organisational pathologies or constraints. The importance of these problems, including, for example, staffing levels, was beyond doubt. Exactly what to do about them was less clear. Some project teams made valiant attempts to at least mitigate the risks through local work, but others appeared to accept that standard quality improvement efforts would not solve the issues. Some teams described the ongoing failure to mitigate the risks in their Safety Cases, in part, as noted above, in the hope that action from senior level might be provoked.

There were other things that were discussed at the [meeting] that they thought would be good as a team to change… but with some of them, they just knew it would be impossible to do so, so actually they didn't even bother to write them down. (Observation notes)

And the team very bravely went to the board and said, you know, our Safety Case is showing and we're telling you that our processes are unsafe, so it alerted people to the issues. […] So that was the strength of it. (Project participant)

However, as we now describe, for senior organisational leaders, both the imperative offered by the Safety Case and their own ability to act were less clear.

Content of, and responses to, safety cases

Our documentary review showed that submitted Safety Cases were highly variable in format and length (table 2). Some were highly structured, clearly written and precise in the use of evidence; others were harder to follow, lacking in clarity and less well organised. Our review also found that the descriptive elements (analysis of risk and hazards) were much better achieved than the assurance components (the safety claim and the confidence argument). Indicative, perhaps, of the intractability to local-level intervention of some of the hazards uncovered, or the lack of expert safety science input in the project teams, most Safety Cases focused more on what had been done to determine the risk than on the level of safety that had been achieved in mitigating it. The documents also varied in the extent to which they reported the residual risks—those that remained despite the implementation of risk controls—in a clear and transparent way. For instance, one Safety Case noted that the diagnostic process had found 99 ways in which the pathway could fail, that the level of reliability in the microsystem remained lower than acceptable, and that radical re-design was needed. Others were more circumspect. Accordingly, while they documented sometimes-extensive mitigations, none of the Safety Cases could make an unambiguous safety claim supported by a powerful confidence argument. Some teams were not clear about how the evidence gathered and analyses conducted would contribute to the safety claim. Some sites listed project activities in lieu of offering an actual safety claim, reporting what they had done rather than the level of safety they had reached.

It was a useful, […] a really good repository for all the stuff we've done in the project, which I find really good. And has been good when people ask ‘What did you do?’ then you can say that this is what we did, so that’s useful. I'm not sure about whether people use it for what it is meant to be, which is to prove the pathway is now safe, I’m not sure whether it is used for that really. (Project participant)

Sometimes, safety claims were reported for each identified hazard (comparing levels of risk before and after the interventions they had implemented) rather than at the level of the clinical system. No site explicitly discussed whether risks had been reduced ‘as low as reasonably practical’. Some sites claimed improvements as a result of the interventions they had implemented, but these did not always stand up to statistical scrutiny.33

The response of senior leadership to the Safety Cases submitted by teams varied. Some focused on the potential of the Safety Case for supporting organisational-level decision making in relation to risk reduction, resource allocation and strategic prioritisation.

I think it would be easier to respond to a Safety Case rather than more so the [other quality and safety] data I get. Because it’s back to first principles, what are we actually here to do… Then if we have an unsafe system everything else needs to fall in behind that, no matter cost pressures, no matter personal opinion, no matter all the other complexities in a big system. If an element is at risk, then that will always be made a priority. (Senior leader)

Not all senior leaders, however, were so confident that the insight offered by Safety Cases would or should inevitably lead to action. Some of the issues identified in the Safety Cases were beyond the ability not only of front-line teams to solve, but also of organisational leaders. Issues such as staffing levels, IT interoperability, and securing timely discharge required at least interorganisational coordination, resourcing, coordination, and support across the whole healthcare system. Additionally, the prevailing approach to risk management, and the perceived unavoidability of risks in the complex systems of healthcare, meant that the insights offered by a Safety Case might be unwelcome or not necessarily candidates for priority attention. In a system that relied primarily on retrospective risk management approaches, such as incident reporting and investigations, the need to tackle risks of recurrence (where problems had already manifested as serious incidents or ‘near misses’, and might do again) could easily take precedence over addressing seemingly ‘theoretical’ risks (problems identified through a detailed prospective analysis but yet to occur).

Because you’re saying actually ‘That was a potential harm on our risk management system, and we knew about it, and we were accepting that we don’t have enough money to address all of these issues at one time’. So there is, if you like, a prioritisation and rationing of where we put money according to the level of risk. […] It’s a bit like county councils putting crossings on roads, or a zebra crossing. You’re waiting for the fatality to occur before actually that will get the funding. (Senior leader)

Some feared that, given the legal obligation of boards to take action in response to safety risks that were revealed to them, an unintended consequence of the Safety Case approach might be to distract organisational focus from areas that were at least as worthy of attention but lacked the spotlight offered by the Safety Case. There was a perception that to have a Safety Case for every pathway or area of practice would likely be impossible, and that too many Safety Cases would be overwhelming.

The complexity of health care is such that there are hundreds of complex connected pathways that patients are on and so… You in theory could write hundreds [of Safety Cases] and that would then become meaningless because if you write hundreds no one would ever read them. So, I think it might be helpful in some specific examples… Rather than being something that could cover everything that we do to patients. (Senior leader)

Consequently, Safety Cases might serve not to assure about control of risks, but to unnerve—and unnerve leaders who were not always well placed to act, given the scope of their control and the other priorities they faced. In a system where Safety Cases were new, without an established function in safety management, and covering only a small proportion of safety-critical activity, the information they provided was not always readily actionable from a managerial perspective and, moreover, had potential to create uncontrolled reputational risk.

The danger is that what you have is a legal requirement to spend money on a Safety Case that actually is of low, relative risk to harms that are occurring in the absence of Safety Cases. So what you get is a spurious diversion of money to a wheel that has been made very squeaky, but actually isn’t causing harm… There’s the risk of diversion to get a perfect patch in one part of the system while everything else is actually terrible. (Senior leader)

(A danger) is, you know, if it does get into the wrong hands, particularly with the media, because there’s not the openness and the ability to manage some of this data, which needs explanation. But we do pride ourselves on being a very open and transparent board. (Senior leader)

Discussion

Our examination of an attempt to introduce the principles and methodologies of the Safety Case approach into healthcare suggests that the approach was broadly welcomed by participants in our study, but was fraught with challenge. In other sectors, the Safety Case rests on the ALARP principle. While the Safety Cases produced by participating teams in the Safer Clinical Systems programme did present proactive analyses of risks, they did not show that the risks in clinical pathways on which they focused had been reduced as far as reasonably possible. Instead, teams identified multiple residual risks that had resisted efforts at control and mitigation by the teams themselves. These findings emphasise the importance of careful consideration of context and implementation when transferring safety management approaches from one setting to another.12 34–36 The evidence underlying other industrial risk management techniques (eg, Failure Modes and Effects Analysis,37 ‘5 Whys’10 or Root Cause Analysis11) is also weak, but the regulatory function of Safety Cases warrants specific caution. Sujan et al’s review of various sectors nonetheless concluded that even with the differences in regulatory context, healthcare organisations could benefit from using the Safety Case approach to develop understanding and exposition of their current levels of risk.19 Our study does suggest that Safety Cases show some promise as a way of structuring more responsive, adaptable and specific proactive safety management practices in healthcare settings, but further careful development and evaluation are needed, particularly if consideration is given to using them for regulatory purposes.19

An important feature of the programme we examined—essentially a feasibility study—was that the Safety Case approach was being used outside the regulatory frameworks and infrastructures characteristic of use of the technique in most other sectors. Without an external regulatory requirement to satisfy, participating organisations in the Safer Clinical Systems programme may not have felt a strong imperative to make the responses that might otherwise be expected; absent the spectre of regulatory action, senior leadership may not have felt compelled to reduce the risks ALARP. However, even when Safety Cases are part of a regulatory framework, they are not always rigorous or successful in controlling risk38 or showing they have been reduced ALARP.39 While our study does not allow conclusions to be drawn about what might happen if Safety Cases were included in a regulatory regime in healthcare, it does allow insights into the nature of the challenges that might be anticipated should regulators consider introducing the approach in healthcare settings.

Some of the challenges we identified arose from the mismatch between the complexity and interdependencies of clinical pathways, with their often unbounded character, and the more tightly defined (and often more mechanical or technical) applications of the approach in other industries.22 40 Future research might usefully clarify whether and how the scope of a Safety Case could best be defined for healthcare settings, noting that the highly dynamic and interdependent nature of multiple subsystems of care may defy attempts to impose clear boundaries. These kinds of questions are becoming increasingly prominent in safety science as recognition grows that the development of networked complex systems (eg, unmanned aircraft systems) requires a shift from relatively static prelaunch assessment to a dynamic approach that can accommodate changes in the system’s properties and behaviour during its life-cycle.41 42

Other challenges arose in the demanding nature of the expertise, skill and time commitment required to engage in the tasks of conducting safety analyses, identifying and testing risk controls, and compiling a Safety Case. The variable quality of the Safety Cases submitted by clinical teams in this programme is likely to be linked to variable competencies and available capacity. In contrast, in safety-critical industries where these risk assessment techniques originated, the design of effective risk controls is the responsibility of safety/reliability engineers with extensive training and expertise. For healthcare, use of the Safety Case approach will require additional resource and new dedicated roles with specific expertise, rather than relying on making further demands of existing clinical teams.40 43 The resourcing implications of a wholesale effort to shift the regulatory system and culture of an entire sector could, however, be enormous, especially given the volume and complexity of activity in healthcare and the number of diverse clinical pathways.

An additional set of challenges was more cultural in character, and related to the revelatory potential of the Safety Case. On one hand, participants—especially clinical teams—appreciated the value of the Safety Case in offering a proactive, prospective and rigorous approach to identifying safety risks. Some also saw it as a means of attracting managerial attention and obtaining resources.44 But leaders in organisations were not always convinced that the approach offered much that was new, suggesting that more evidence would be needed to demonstrate the added value of Safety Cases—especially in moving beyond description to solution,45 and adding value over current approaches such as risk registers. A further concern at the leadership level was that it was unclear whether areas that did have a Safety Case should be considered to have a stronger warrant for action than those that did not. A framework for supporting prioritisation of risks is likely to be helpful in any future use of Safety Cases. However, current tools, such as risk matrices, may be flawed,46 47 so better tools should be investigated.

Even less tractable was what to do about some of the problems reported in the Safety Cases. Clinical teams had done their best to implement risk controls where they could, but they did not have sufficient power and access to resources to address those that were institutional or structural in character. They therefore often fell back on weaker administrative measures, like training or procedures.8 Yet organisational leaders were often similarly challenged, given their limited capacity and resources for radical systems re-design, improved staffing, IT infrastructure, or other major re-engineering or influencing of activities outside the organisation itself. These findings are indicative of broader problems with the selection of risk controls in health services44 48 that may need to be addressed before Safety Cases could achieve their potential.

Our study has a number of strengths, including its in-depth, mixed-methods, longitudinal design with engagement both with the project teams and senior leaders in organisations. It was limited in its ability to assess the impact of the Safety Case approach in improving safety, not least because of issues with data on processes and outcomes.33

Conclusions

The Safety Case approach offers promise in principle as a safety management approach in healthcare, but substantial challenges need to be addressed before further deployment, particularly in regulation. Further experimentation with the use of Safety Cases in healthcare might therefore more profitably focus on how to make the most of their assets—including the new insights offered by prospective, system-wide risk analysis—while managing their potential unintended consequences.

Acknowledgments

We thank the people from the nine sites who participated in the Safer Clinical Systems programme and the support team. We also thank colleagues on the evaluation team, including Sarah Chew, Liz Shaw, Liz Sutton, and Lisa Hallam.

Footnotes

Twitter: @graham_p_martin, @carolynctarrant

Contributors: EL and GL produced the first draft of the article, subsequently revised by GM, JWa, and MD-W. EL and JWi collected the data, analysed by EL and GL. All authors contributed to data interpretation, manuscript writing and reviewing, and approved the final version. MD-W was the study Chief Investigator and study guarantor.

Funding: This study was funded by the Health Foundation, charity number 286967. The Healthcare Improvement Studies (THIS) Institute is supported by the Health Foundation – an independent charity committed to bringing about better health and health care for people in the UK. The views expressed in this publication are those of the authors and not necessarily those of the Health Foundation.

Competing interests: None declared.

Provenance and peer review: Not commissioned; externally peer reviewed.

Data availability statement

No data are available.

Ethics statements

Patient consent for publication

Not applicable.

Ethics approval

This study involves human participants and was approved by the East Midlands – Leicester Research Ethics Committee (12/EM/0228). Participants gave informed consent to participate in the study before taking part.

References

1. Illingworth J, Shaw A, Fernandez Crespo R, et al. The National state of patient safety: what we know about Avoidable harm in England. London, 2022.
2. Panagioti M, Khan K, Keers RN, et al. Prevalence, severity, and nature of preventable patient harm across medical care settings: systematic review and meta-analysis. BMJ 2019;366:l4185. doi:10.1136/bmj.l4185
3. Hudson P. Applying the lessons of high risk industries to health care. Qual Saf Health Care 2003;12 Suppl 1:i7–12. doi:10.1136/qhc.12.suppl_1.i7
4. Young T. Using industrial processes to improve patient care. BMJ 2004;328:162–4. doi:10.1136/bmj.328.7432.162
5. Berwick DM. Continuous improvement as an ideal in health care. N Engl J Med 1989;320:53–6. doi:10.1056/NEJM198901053200110
6. Bosk CL, Dixon-Woods M, Goeschel CA, et al. Reality check for checklists. The Lancet 2009;374:444–5. doi:10.1016/S0140-6736(09)61440-9
7. Catchpole K, Russ S. The problem with checklists. BMJ Qual Saf 2015;24:545–9. doi:10.1136/bmjqs-2015-004431
8. Liberati EG, Peerally MF, Dixon-Woods M. Learning from high risk Industries may not be straightforward: a qualitative study of the hierarchy of risk controls approach in healthcare. Int J Qual Health Care 2018;30:39–43. doi:10.1093/intqhc/mzx163
9. Reed JE, Card AJ. The problem with plan-do-study-act cycles. BMJ Qual Saf 2016;25:147–52. doi:10.1136/bmjqs-2015-005076
10. Card AJ. The problem with ‘5 Whys’. BMJ Qual Saf 2017;26:671–7. doi:10.1136/bmjqs-2016-005849
11. Peerally MF, Carr S, Waring J, et al. The problem with root cause analysis. BMJ Qual Saf 2017;26:417–22. doi:10.1136/bmjqs-2016-005511
12. Radnor ZJ, Holweg M, Waring J. Lean in healthcare: the unfilled promise? Social Science & Medicine 2012;74:364–71. doi:10.1016/j.socscimed.2011.02.011
13. Marshall M, Pronovost P, Dixon-Woods M. Promotion of improvement as a science. The Lancet 2013;381:419–21. doi:10.1016/S0140-6736(12)61850-9
14. Auerbach AD, Landefeld CS, Shojania KG. The tension between needing to improve care and knowing how to do it. N Engl J Med 2007;357:608–13. doi:10.1056/NEJMsb070738
15. Portela MC, Pronovost PJ, Woodcock T, et al. How to study improvement interventions: a brief overview of possible study types. BMJ Qual Saf 2015;24:325–36. doi:10.1136/bmjqs-2014-003620
16. Miller K. Piper alpha and the CULLEN report. Ind Law J 1991;20:176–87. doi:10.1093/ilj/20.3.176
17. Cleland G, Habli I, Medhurst J. Supplements to: using safety cases in industry and healthcare. London: The Health Foundation, 2012: 104.
18. Palin R, Habli I. Assurance of Automotive Safety – A Safety Case Approach. Berlin, Heidelberg: Springer, 2010. doi:10.1007/978-3-642-15651-9
19. Sujan MA, Habli I, Kelly TP, et al. Should Healthcare providers do safety cases? Lessons from a cross-industry review of safety case practices. Safety Science 2016;84:181–9. doi:10.1016/j.ssci.2015.12.021
20. Hopkins A. Explaining “safety case”. Canberra: National Research Centre for OHS Regulation, 2012: 13.
21. Leveson NG. The use of safety cases in certification and regulation. Cambridge, MA: Massachusetts Institute of Technology, 2011.
22. Sujan M, Habli I. Safety cases for digital health innovations: can they work? BMJ Qual Saf 2021;30:1047–50. doi:10.1136/bmjqs-2021-012983
23. Cleland GM, Habli I, Medhurst J. Evidence: using safety cases in industry and Healthcare. London, UK: The Health Foundation, 2012: vii+32pp.
24. Habli I, White S, Sujan M, et al. What is the safety case for health IT? A study of assurance practices in England. Safety Science 2018;110:324–35. doi:10.1016/j.ssci.2018.09.001
25. Spurgeon P, Flanagan H, Cooke M, et al. Creating safer health systems: lessons from other sectors and an account of an application in the safer clinical systems programme. Health Serv Manage Res 2017;30:85–93. doi:10.1177/0951484817696211
26. Sujan M, Spurgeon P, Cooke M, et al. The development of safety cases for healthcare services: practical experiences, opportunities and challenges. Reliability Engineering & System Safety 2015;140:200–7. doi:10.1016/j.ress.2015.03.033
27. Hawkins R, et al. A New Approach to creating Clear Safety Arguments. London: Springer, 2011. doi:10.1007/978-0-85729-133-2
28. Charmaz K. Constructing grounded theory: a practical guide through qualitative analysis. London: Sage, 2006.
29. UK Ministry of Defence. Safety management requirements for defence systems - part 1 - requirements. London, 2007.
30. Haddon-Cave C. Zen and the art of safety case maintenance in the post-Nimrod world. In: Fit For Purpose Safety Cases in the Nuclear Industry. Birmingham, UK, 2017.
31. Kelly T. Are “safety cases” working? Safety Critical Systems Club Newsletter 2008;17:31–3.
32. Sujan MA, Habli I, Kelly TP, et al. How can health care organisations make and justify decisions about risk reduction? lessons from a cross-industry review and a health care Stakeholder consensus development process. Reliability Engineering & System Safety 2017;161:1–11. doi:10.1016/j.ress.2017.01.001
33. Woodcock T, Liberati EG, Dixon-Woods M. A mixed-methods study of challenges experienced by clinical teams in measuring improvement. BMJ Qual Saf 2021;30:106–15. doi:10.1136/bmjqs-2018-009048
34. Kapur N, Parand A, Soukup T, et al. Aviation and healthcare: a comparative review with implications for patient safety. JRSM Open 2016;7. doi:10.1177/2054270415616548
35. Ricci M, Panos AL, Lincoln J, et al. Is Aviation a good model to study human errors in health care? Am J Surg 2012;203:798–801. doi:10.1016/j.amjsurg.2011.06.010
36. Macrae C, Stewart K. Can we import improvements from industry to healthcare? BMJ 2019;364:l1039. doi:10.1136/bmj.l1039
37. Franklin BD, Shebl NA, Barber N. Failure mode and effects analysis: too little for too much. BMJ Qual Saf 2012;21:607–11. doi:10.1136/bmjqs-2011-000723
38. Haddon-Cave C. The Nimrod review: an independent review into the broader issues surrounding the loss of the RAF Nimrod Mr2 aircraft Xv230 in Afghanistan in 2006. In: House of Commons papers. London: UK: Stationery Office, 2009: 587.
39. Ho P. Do safety cases demonstrate risks have been reduced so far as is reasonably practicable? An Australian study examining the methods of presenting safety cases. Safety Science 2023;159:106042. doi:10.1016/j.ssci.2022.106042
40. Perry SJ, Catchpole K, Rivera AJ, et al. “Strangers in a strange land”: understanding professional challenges for human factors/Ergonomics and Healthcare. Appl Ergon 2021;94:103040. doi:10.1016/j.apergo.2019.103040
41. Denney E, Pai G, Habli I. Dynamic safety cases for through-life safety assurance. 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering (ICSE); Florence, Italy, 2015. doi:10.1109/ICSE.2015.199
42. Warg F, Blom H, Borg J, et al. Continuous deployment for dependable systems with continuous assurance cases. 2019 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW); Berlin, Germany, 2019. doi:10.1109/ISSREW.2019.00091
43. Xiao Y, Fairbanks RJ. Speaking systems engineering: Bilingualism in health care delivery organizations. Mayo Clin Proc 2011;86:719–20. doi:10.4065/mcp.2011.0400
44. Iedema R, Jorm C, Braithwaite J. Managing the scope and impact of root cause analysis recommendations. J Health Organ Manag 2008;22:569–85. doi:10.1108/14777260810916551
45. Lozano R, Naghavi M, Foreman K, et al. Global and regional mortality from 235 causes of death for 20 age groups in 1990 and 2010: a systematic analysis for the global burden of disease study 2010. The Lancet 2012;380:2095–128. doi:10.1016/S0140-6736(12)61728-0
46. Ball DJ, Watt J. Further thoughts on the utility of risk Matrices. Risk Anal 2013;33:2068–78. doi:10.1111/risa.12057
47. Cox LA. What's wrong with risk Matrices? Risk Anal 2008;28:497–512. doi:10.1111/j.1539-6924.2008.01030.x
48. Card AJ, Ward J, Clarkson PJ. Successful risk assessment may not always lead to successful risk control: a systematic literature review of risk control after root cause analysis. J Healthc Risk Manag 2012;31:6–12. doi:10.1002/jhrm.20090

Articles from BMJ Quality & Safety are provided here courtesy of BMJ Publishing Group
