Managing the patient safety risks of bottom-up health information technology innovations: recommendations for healthcare providers

Mark A. Sujan

Warwick Medical School, University of Warwick, Coventry, UK

Author address for correspondence:

Mark A. Sujan

Warwick Medical School

University of Warwick

Coventry CV4 7AL, UK


Cite this article: Sujan MA. Managing the patient safety risks of bottom-up health information technology innovations: recommendations for healthcare providers. J Innov Health Inform. 2018;25(1):007–013.

Copyright © 2018 The Author(s). Published by BCS, The Chartered Institute for IT under Creative Commons license


Health information technology (IT) offers exciting opportunities for providing novel services to patients, and for improving the quality and safety of care. Many healthcare professionals are already improving services through the development of numerous bottom-up local health IT innovations. Such innovations from the ground up are to be welcomed, but healthcare providers are struggling to develop processes for managing the risks that come with the introduction of health IT into clinical processes. I argue that too often the main strategy appears to be one of organisational ignorance. This puts patients at risk, and it threatens the successful adoption of health IT. I recommend that healthcare providers focus on strengthening their processes for organisational learning, promoting proactive risk management strategies, and making risk management decisions transparent and explicit.

Keywords: digital health, risk, safety, security, electronic health record


Health systems, in the United Kingdom and worldwide, are going digital. Healthcare providers need to ensure that they harness the ‘information revolution’ to provide better health outcomes, better patient experience and better value.1 While national policy is concerned to a large extent with major information technology (IT) programmes, such as the widespread introduction of Electronic Health Records (EHRs), many healthcare professionals are already improving their services through development of numerous bottom-up local health IT innovations. Healthcare providers need to be mindful of the potential risks to patient safety that come with the introduction of new IT into clinical practice, but many organisations are struggling to find the right strategy to engage adequately with such bottom-up small-scale innovations.

The recent Wachter review2 and other influential reports published by The King’s Fund3 and the Nuffield Trust4 set out a strategy and recommendations for the transformation of the National Health Service (NHS) towards a fully digitised and interoperable health system. It is expected that the digital infrastructure will be a key mechanism for delivering the vision set out in the NHS 5-year forward view for a modern health service.1 Indeed, health IT offers exciting opportunities for providing novel services to patients, and for improving the quality and safety of care.2,5 Experiences from several countries illustrate the wide range of potential benefits that IT can bring to healthcare, including: more engaging and patient-centred care, better access to care in rural and underserved areas, greater continuity of care across organisational boundaries, efficiency gains and cost savings.2,6

However, there is still a lively debate about the extent to which the available evidence supports the claims about the benefits of IT in healthcare.79 In addition, there is an increasing amount of evidence to suggest that the introduction of IT can lead to unintended consequences, and create opportunities for failure, which can have significant effects on patient safety and data security.6,1014 For example, concerns about the quality and safety of care have recently sparked controversy about the Cerner EHR system iHealth introduced in 2016 by Island Health at Nanaimo Regional General Hospital (British Columbia). After a series of problems and failures, some staff refused to use the system and decided to go back to pen and paper to protect the safety of patients.15

The Wachter review recognises that the NHS lacks clinicians with skills in digital health and health informatics. In response, the government set up the NHS Digital Academy with a brief to train significant numbers of clinicians to become suitably qualified Chief Clinical Information Officers (CCIO). Such CCIOs are set to become the champions and the leaders of local digital transformation.16 This is an important step forward, because it recognises that technological change needs to be carried by changes in the workforce and the culture within every organisation.

A further important observation made in the Wachter review is the need to allow for local variation in order to avoid the pitfalls of a centralised top-down approach, which formed the basis of the previous, much criticised National Programme for IT. From a patient safety perspective, I believe this is crucial for two reasons: first, because patient safety risks need to be understood and managed within the local context of use of any technology;17,18 and second, because much of the digital innovation is driven from the ground up by enthusiastic clinicians aiming to improve care within their local context.

Many healthcare providers are struggling to fully embrace the opportunities afforded by health IT, and to develop processes for managing the risks that come with the introduction of health IT into clinical processes. In this paper, I look at how healthcare providers might manage the risks of health IT in use, with a particular view to local bottom-up innovations. I argue that many of the patient safety risks relating to health IT are probably quite predictable, but all too often healthcare providers do not properly consider potential risks, and leave these unaddressed. This puts patients at risk, and it threatens the successful adoption of health IT. I draw upon experiences from a number of projects funded by the Health Foundation to outline three key recommendations for how healthcare providers might better manage their health IT risks.


I believe that it is useful to consider the different ways in which health IT innovations are introduced into clinical practice, because in this way we can determine the gaps that exist in current organisational risk management practice. On the one hand, there are large national- and organisation-wide projects, where expensive third-party health IT systems are introduced throughout an organisation or even throughout a health system. An example is the introduction of EHRs such as iHealth. Manufacturers of such systems are expected to have robust quality and safety assurance processes in place. Healthcare providers make purchasing decisions through procurement committees. These committees usually place great reliance on manufacturers to build ‘safe’ systems, and they look for quality standards such as the European Conformité Européene marking.19 While this is not unreasonable, there are plenty of examples that suggest that this in itself is not sufficient to ensure that technology is safe when used in clinical practice.18,20,21 This is because the local context of use, and the procedures and infrastructures in place can have a significant impact on patient safety.22

There is another form in which digital innovations rapidly transform health services, however, and this is talked about much less, and is seriously under-researched. On a site visit, I talked to a consultant in acute care, who demonstrated to me an electronic handover tool that his team has developed. The clinical team had experienced problems with poor handover, missing data and inappropriately prioritised patients. The team felt that these problems resulted, to a large extent, from the ad-hoc use of non-standardised (i.e. random) pieces of paper during handover. The electronic handover tool addresses this issue by providing a standardised approach, and it displays real-time data (e.g. recent observations) as well as a red-amber-green classification to indicate patient acuity. From problem identification to tool development and deployment in clinical practice, this innovation project was entirely a local effort driven exclusively by the enthusiasm of the clinical team.

In the NHS, and in health services worldwide, there are many more such examples, where enthusiastic clinicians and healthcare professionals drive local bottom-up health IT innovations in order to provide more accessible, more patient-centred, and better services to their patients. The breadth of examples spans almost all clinical processes, and includes innovations such as locally developed electronic and mobile handover tools, electronic observation tools to support compliance with Early Warning Score assessments, mobile bed management tools, mobile patient referrals, electronic sepsis screening tools, web portals offering advice to patients with long-term conditions, clinician-led chat rooms for patients, virtual counselling and mobile phone apps that support patients with mental health conditions. The local digital innovation potential within the health service appears limitless, and for the most part they are great ideas that can improve patient care. But what about the safety risks to patients?

While such innovations are to be welcomed, they frequently occur somewhat ‘under the radar’ of organisational risk management and governance processes. The reasons for this can be manifold. The perceived bureaucracy might put off clinicians. For example, a clinician setting up a patient portal might use an outside server to host the service – and they might perceive that aligning this with organisational information governance procedures would be a lengthy process with uncertain outcome. In other situations, healthcare professionals might fear that innovations would never get off ground if they had to cut through all of the organisational red tape. Other reasons might be a strong focus on the expected benefits, which blinds to potential risks, or simply a lack of awareness that relevant organisational processes exist. In the case of the electronic handover tool referred to above, the clinical team initially regarded their innovation as part of their everyday quality improvement efforts, and only later started to embed this within the wider, more formalised organisational quality improvement initiatives.

I believe there is much value to these bottom-up initiatives. However, the downside is that organisations are not aware of the various local improvement efforts that are going on, and that these improvement efforts might not draw on relevant quality improvement and safety management expertise.23 As a result, potential patient safety risks might not be properly thought through, and in some instances patients could be harmed.


In safety engineering, risk is often described in terms of the likelihood of an event occurring, and the severity of the associated consequences. In safety-critical industries, much effort goes into predicting and preventing the so-called high-severity, low-frequency events, that is, the rare, but potentially catastrophic accident scenarios. Of course, such events have to be understood and prevented in healthcare, too, as tragic cases repeatedly demonstrate.18,24 However, equally relevant in a healthcare context are risks that have relatively high likelihood of occurrence but maybe only moderate severity of consequences.25 These are events that happen relatively often and cause minor or moderate harm, such as many prescribing errors.26 Because such medium-level risks are common occurrences, they are predictable and understandable, and improvements or countermeasures can be put in place.

I would argue that, similarly, many of the health IT risks arise from very common types of hazards that might be anticipated and assessed readily. Consider, for example, the fast-growing domain of medical apps.27 Although the technology is relatively new in a health context, many of the risks are not, for example, the information stored in apps does not currently transfer easily to electronic patient records – this can result in gaps in documentation and potentially conflicting or contradictory advice being given; the advice provided by apps could be inaccurate or misleading – patients might suffer harm from wrong drug dose adjustments or inadequate drug frequencies; and apps run on mobile devices, which might be lost or stolen – sensitive patient information might be inadvertently disclosed. I suspect that such risks are hardly surprising to clinicians. Many clinicians will have experienced similar problems in other contexts, such as gaps in documentation due to poor communication and handover.28

So, if many risks are predictable, can patients expect to be protected? Too often, the organisational strategy of dealing with such bottom-up innovations under the radar of organisational governance frameworks appears to be one of organisational ignorance, pretended or real: patient safety risks are ignored at the organisational level, and innovations are assumed to be safe until proven otherwise. Then, following an incident or an adverse event, the organisational risk management and governance machinery springs into action.29 All too often the end result is that individual clinicians are blamed, but deeper learning about the organisational processes and structures is rare.30,31

Healthcare providers need to foster bottom-up health IT innovations, and provide an organisational structure to manage effectively any patient safety risks.


Healthcare providers need to focus on strengthening their processes for organisational learning.32 The importance of organisational learning for improving patient safety has been highlighted many times.33,34 Following the Mid Staffordshire inquiry, the Berwick report called for the NHS to become a system devoted to continuous learning and improvement.35 Effective organisational learning can be hard to achieve in practice, and the barriers to organisational learning have been documented in the literature.3638 The review of the introduction of the iHealth EHR found that staff, who had been initially very supportive, were disappointed and frustrated because their concerns had not been taken seriously, there was little in terms of feedback and improvements, and staff were blamed for mistakes in the use of iHealth.39

It is widely recognised that the introduction of IT into work processes, clinical and otherwise, can cause disruption to existing work practices.40 Organisations are dependent, therefore, on feedback from staff who engage with the technology, and who are able to provide valuable information about weaknesses and inadequacies of electronic systems. For staff to feel comfortable providing such information, healthcare providers need to ensure that they foster an open and just culture, where staff reporting incidents are not blamed.41

Healthcare organisations also need to acknowledge that deviations from planned procedures and protocols do not necessarily represent ‘violations’.42 Healthcare is a complex system that relies on local adaptations by healthcare professionals to provide the resilience necessary to deal with changing demands, disruptions and surprises.43,44 Healthcare organisations can utilise different instruments to tap into this important information about local adaptations. Examples include adaptation-reporting schemes,45,46 learning from excellence reporting47 and supporting informal learning in communities of practice.48


Healthcare providers need to develop and promote proactive risk management strategies, which are best practice in other safety-critical industries.49,50 Patients have a right to expect that healthcare providers have thought systematically and thoroughly about patient safety risks before a system is introduced. However, the capacity for the proactive identification and mitigation of technology-related risks is underdeveloped or lacking in many healthcare organisations.5153

Methods and techniques for the proactive identification of risk in healthcare exist, even if most of them come with limitations.54,55 The most frequently used prospective hazard analysis technique is failure mode and effects analysis (FMEA), for which a healthcare specific version (Healthcare FMEA) has been developed.56 FMEA and its variants have been used, for example, to analyse organ procurement and transplantation, patient handover in emergency care and intravenous drug infusions.5759 More recently, human reliability analysis techniques, such as systematic human error reduction and prevention approach, have been used to analyse drug prescription and administration in hospital, primary care and community settings.6062 However, such methods are used still only infrequently, and often those who drive bottom-up health IT innovations do not know them.14 There is a need to provide greater awareness and education about the existence and possible use of such techniques, along with the recognition of their limitations.

One might argue that to a certain extent this extends also to regulatory bodies. While there is a strong regulatory focus on counting harms (e.g. through the NHS patient safety thermometer), there are few regulatory incentives for healthcare providers to systematically identify and to reduce patient safety risks proactively. This requires funding and an adequate knowledge base to enable assessors and inspectors to look for appropriate evidence and to ask the right questions.


Healthcare providers should make decisions about risks, risk reduction and risk acceptance explicitly and transparently.63 This is not to suggest that all risks should be eliminated, but patients should expect that healthcare providers be in a position to describe their patient safety risks, and to justify why these are thought to be acceptable.

Again, this is best practice in UK safety-critical industries as well as in several other countries. Before and during the introduction of a new system or major changes to existing practices, organisations document the risks they have identified, the risk reduction measures they have implemented, and the justification for why the residual risk is thought to be acceptable in a report referred to as safety case.64 The safety case can be critiqued both internally and externally, and it can provide assurance that risks have been considered appropriately.

NHS Digital standards SCCI 012965 and SCCI 016066 for the management of risk in the manufacture and use of health IT explicitly require the development of such a clinical safety case modelled after industrial practice. However, awareness of these standards appears not widespread among healthcare professionals implementing health IT innovations. In addition, the regulatory landscape is still evolving, and there is uncertainty and confusion about the regulatory status of many health IT products.6769


We are seeing many exciting bottom-up, local health IT innovations being developed and adopted to improve patient care. Healthcare providers need to encourage bottom-up health IT innovations, but also provide frameworks to ensure that patients remain safe. This requires active engagement with local innovations, and proactive consideration of patient safety risks. Thinking about risks proactively does not inhibit innovation, but instead supports the adoption and spread of useful technologies that are safe.

Methods and frameworks for understanding and managing health IT risks exist, and healthcare providers should not ignore the patient safety risks that might come with the introduction of health IT. A key challenge appears to be the current lack of awareness and safety management knowledge among both organisations and healthcare professionals. In response to the suggestions made in the Wachter review, government policy focuses on the education of clinicians to become CCIOs, who can champion and lead health IT innovations. The extent to which this includes aspects of patient safety and risk management is not yet clear. Arguably, it might be unreasonable to expect clinicians to become experts in all aspects of technological change. A complementary strategy might be to consider the more widespread training and deployment of clinical safety engineers and safety professionals within healthcare providers.

The introduction of health IT into clinical practice, both bottom-up and organisation-wide, needs to be underpinned by a strong commitment to organisational learning. Healthcare professionals experience the problems with health IT on a daily basis. They are not responsible for these problems, and they can provide valuable insights into how the technology can be improved. Healthcare providers need to resist the temptation of blaming staff, and invest in formal and informal processes for learning and improving from staff feedback.


This work was supported in part by research grants from the Health Foundation.

The manuscript is based on a presentation given at UK eHealth Week, London on 4 May 2017.


1. NHS England. Five-Year Forward View. London, UK: NHS England, 2014. Available from: Accessed 15 February 2018.

2. Department of Health. Making IT Work: Harnessing the Power of Health Information Technology to Improve Care in England. London, UK: Department of Health, 2016.

3. Honeyman M, Dunn P and McKenna H. A Digital NHS? An Introduction to the Digital Agenda and Plans for Implementation. London, UK: The King’s Fund, 2016.

4. Imison C, Castle-Clarke S, Watson R and Edwards N. Delivering the Benefits of Digital Health Care. London, UK: Nuffield Trust, 2016.

5. Institute of Medicine. Crossing the Quality Chasm: A New Health System for the 21st Century. Washington, DC: National Academy of Sciences, 2001.

6. Institute of Medicine. Health IT and Patient Safety: Building Safer Systems for Better Care. Washington, DC: National Academy of Sciences, 2012.

7. Black AD, Car J, Pagliari C, Anandan C, Cresswell K, Bokun T, et al. The impact of eHealth on the quality and safety of health care: a systematic overview. PLoS Medicine 2011;8(1):e1000387. Available from: PMid:21267058; PMCid:PMC3022523. Epub 2011/01/27. eng.

8. Brenner SK, Kaushal R, Grinspan Z, Joyce C, Kim I, Allard RJ, et al. Effects of health information technology on patient outcomes: a systematic review. Journal of the American Medical Informatics Association 2016;23(5):1016–36. Available from: PMid:26568607. Epub 2015/11/17. eng.

9. Ranji SR, Rennke S and Wachter RM. Computerised provider order entry combined with clinical decision support systems to improve medication safety: a narrative review. BMJ Quality & Safety 2014;23(9):773–80. Available from: PMid:24728888.

10. Ash JS, Sittig DF, Dykstra RH, Guappone K, Carpenter JD and Seshadri V. Categorizing the unintended sociotechnical consequences of computerized provider order entry. International Journal of Medical Informatics 2007;76(1):S21–7. Available from: PMid:16793330. Epub 2006/06/24. eng.

11. Househ M, Borycki E and Kushniruk A. Empowering patients through social media: the benefits and challenges. Health Informatics Journal 2014;20(1):50–58.

12. Koppel R, Metlay JP, Cohen A, Abaluck B, Localio AR, Kimmel SE, et al. Role of computerized physician order entry systems in facilitating medication errors. The Journal of the American Medical Association 2005;293(10):1197–203. Available from: PMid:15755942. Epub 2005/03/10. eng.

13. Mozaffar H, Cresswell KM, Williams R, Bates DW and Sheikh A. Exploring the roots of unintended safety threats associated with the introduction of hospital ePrescribing systems and candidate avoidance and/or mitigation strategies: a qualitative study. BMJ Quality & Safety 2017;26(9):722–33. Available from:

14. Singh H and Sittig DF. Measuring and improving patient safety through health information technology: The Health IT Safety Framework. BMJ Quality & Safety 2016;25(4):226–32. Available from: PMid:26369894; PMCid:PMC4819641.

15. Smart A. Nanaimo doctors defy IHealth, dump software. Times Colonist 2016, 28 April 2016.

16. Sood H, NcNeil K and Keogh B. Chief clinical information officers: clinical leadership for a digital age. British Medical Journal 2017;358:j3295.

17. Blandford A, Furniss D and Vincent C. Patient safety and interactive medical devices: realigning work as imagined and work as done. Clinical Risk 2014;20(5):107–10. Available from: PMid:25866466; PMCid:PMC4361486.

18. Cook R, Nemeth C and Dekker S. What went wrong at the Beatson Oncology Centre. In: Hollnagel E, Nemeth C and Dekker S (Eds.), Resilience Engineering Perspectives: Remaining Sensitive to the Possibility of Failure (pp. 225–36). Farnham, UK: Ashgate, 2008.

19. Vincent CJ and Blandford A. How do health service professionals consider human factors when purchasing interactive medical devices? A qualitative interview study. Applied Ergonomics 2017;59(Part A):114–22.

20. Thimbleby H, Lewis A and Williams J. Making healthcare safer by understanding, designing and buying better IT. Clinical Medicine 2015;15(3):258–62. Available from: PMid:26031976.

21. Wears RL, Cook RI and Perry SJ. Automation, interaction, complexity, and failure: a case study. Reliability Engineering & System Safety 2006;91(12):1494–501. Available from:

22. Sujan MA, Koornneef F, Chozos N, Pozzi S and Kelly T. Safety cases for medical devices and health IT: involving healthcare organisations in the assurance of safety. Health Informatics Journal 2013;19(3):165–82. Available from: PMid:23981393.

23. Dixon-Woods M and Pronovost PJ. Patient safety and the problem of many hands. BMJ Quality & Safety 2016;25(7):485–88.

24. Hopkins Tanne J. When Jesica died. British Medical Journal 2003;326(7391):717. PMid:PMC1125622.

25. Kapur N, Parand A, Soukup T, Reader T and Sevdalis N. Aviation and healthcare: a comparative review with implications for patient safety. JRSM Open 2016;7(1):2054270415616548. Available from: PMid:26770817; PMCid:PMC4710114.

26. Dean B, Schachter M, Vincent C and Barber N. Prescribing errors in hospital inpatients: their incidence and clinical significance. Quality & Safety in Health Care 2002;11(4):340–4. Availble from: PMid:12468694; PMCid:PMC1758003. Epub 2002/12/07. eng.

27. Lewis TL and Wyatt JC. mHealth and mobile medical apps: a framework to assess risk and promote safer use. Journal of Medical Internet Research 2014;16(9):e210. PMid:25223398.

28. Sujan MA, Chessum P, Rudd M, Fitton L, Inada-Kim M, Cooke MW, et al. Managing competing organizational priorities in clinical handover across organizational boundaries. Journal of Health Services Research & Policy 2015;20(1):17–25.

29. Peerally MF, Carr S, Waring J and Dixon-Woods M. The problem with root cause analysis. BMJ Quality & Safety 2017;26(5):417–422. Available from: PMid:27340202; PMCid:PMC5530340.

30. Sujan MA, Huang H and Braithwaite J. Learning from incidents in health care: critique from a safety-II perspective. Safety Science 2017;99:115–21. Availble from:

31. Sujan M and Furniss D. Organisational reporting and learning systems: innovating inside and outside of the box. Clinical Risk 2015;21(1):7–12.

32. Sujan M, Pozzi S and Valbonesi C. Reporting and learning: from extraordinary to ordinary. In: Braithwaite J, Wears R and Hollnagel E (Eds.), Resilient Health Care III: Reconciling Work-as-Imagined with Work-as-Done. Farnham, UK: Ashgate, 2016. Available from: PMCid:PMC4750306.

33. Department of Health. An Organisation with a Memory. London, UK: The Stationery Office, 2000.

34. Kohn LT, Corrigan JM and Donaldson MS. To Err Is Human: Building a Safer Health System. Washington, DC: The National Academies Press, 2000.

35. National Advisory Group on the Safety of Patients in England. A Promise to Learn – A Commitment to Act. London, UK: Department of Health, 2013.

36. Anderson JE and Kodate N. Learning from patient safety incidents in incident review meetings: organisational factors and indicators of analytic process effectiveness. Safety Science 2015;80:105–14. Available from:

37. Lawton R and Parker D. Barriers to incident reporting in a healthcare system. Quality & Safety in Health Care 2002;11(1):15–8. Available from: PMid:12078362; PMCid:PMC1743585. Epub 2002/06/25. eng.

38. Sujan M, Huang H and Braithwaite J. Why do healthcare organisations struggle to learn from experience? A safety-II perspective. In: Mollo V and Falzon P (Eds), Healthcare Systems Ergonomics and Patient Safety (pp. 342–48). Geneva, Switzerland: International Ergonomics Association, 2016. PMCid:PMC4750306.

39. Cochrane D. Review of the Functioning of iHealth: Nanaimo Regional General Hospital, Oceanside Health Centre and Dufferin Place. Victoria, Canada: Ministry of Health, 2016.

40. Wears RL and Berg M. Computer technology and clinical work: still waiting for Godot. The Journal of the American Medical Association 2005;293(10):1261–63. Available from: PMid:15755949. Epub 2005/03/10. eng.

41. Dekker SWA and Breakey H. ‘Just culture:’ improving safety by achieving substantive, procedural and restorative justice. Safety Science 2016;85:187–93.

42. Sujan M, Spurgeon P and Cooke M. Translating tensions into safe practices through dynamic trade-offs: the secret second handover. In: Wears R, Hollnagel E and Braithwaite J (Eds.), The Resilience of Everday Clinical Work (pp. 11–22). Farnham, UK: Asghate, 2015.

43. Fairbanks RJ, Wears RL, Woods DD, Hollnagel E, Plsek P and Cook RI. Resilience and resilience engineering in health care. Joint Commission Journal on Quality and Patient Safety/Joint Commission Resources 2014;40(8):376–83. PMid:25208443. Epub 2014/09/12. eng.

44. Sujan M, Spurgeon P and Cooke M. The role of dynamic trade-offs in creating safety—A qualitative study of handover across care boundaries in emergency care. Reliability Engineering & System Safety 2015;141:54–62. Epub 13/05/2015.

45. Sujan MA. A novel tool for organisational learning and its impact on safety culture in a hospital dispensary. Reliability Engineering & System Safety 2012;101:21–34. Available from:

46. Sujan MA, Ingram C, McConkey T, Cross S and Cooke MW. Hassle in the dispensary: pilot study of a proactive risk monitoring tool for organisational learning based on narratives and staff perceptions. BMJ Quality & Safety 2011;20(6):549–56. Available from: PMid:21398689.

47. Kelly N, Blake S and Plunkett A. Learning from excellence in healthcare: a new approach to incident reporting. Archives of Disease in Childhood 2016;101:788–91.

48. Sujan M. An organisation without a memory: a qualitative study of hospital staff perceptions on reporting and organisational learning for patient safety. Reliability Engineering & System Safety 2015;144:45–52.

49. Sujan MA, Habli I, Kelly TP, Gühnemann A, Pozzi S and Johnson CW. How can health care organisations make and justify decisions about risk reduction? Lessons from a cross-industry review and a health care stakeholder consensus development process. Reliability Engineering & System Safety 2017;161:1–11.

50. Spurgeon P, Flanagan H, Cooke M, Sujan M, Cross S and Jarvis R. Creating safer health systems: lessons from other sectors and an account of an application in the safer clinical systems programme. Health Services Management Research 2017;30(2):85–93. Available from: PMid:28539084.

51. Coiera E, Aarts J and Kulikowski C. The dangerous decade. Journal of the American Medical Informatics Association 2012;19(1):2–5. PMid:PMC3240771.

52. Schiff GD, Hickman TT, Volk LA, Bates DW and Wright A. Computerised prescribing for safer medication ordering: still a work in progress. BMJ Quality & Safety 2016;25(5):315–19. Available from: PMid:26515444. Epub 2015/10/31. eng.

53. Walker JM, Carayon P, Leveson N, Paulus RA, Tooker J, Chin H, et al. EHR safety: the way forward to safe and effective systems. Journal of the American Medical Informatics Association 2008;15(3):272–77. Available from: PMid:18308981; PMCid:PMC2409999. Epub 2008/03/01. eng.

54. Potts HW, Anderson JE, Colligan L, Leach P, Davis S and Berman J. Assessing the validity of prospective hazard analysis methods: a comparison of two techniques. BMC Health Services Research 2014;14(1):41. Available from: PMid:24467813; PMCid:PMC3906758.

55. Dean Franklin B, Shebl NA and Barber N. Failure mode and effects analysis: too little for too much? BMJ Quality & Safety 2012;21(7):607–11. Available from: PMid:22447819. Epub 2012/03/27. eng.

56. DeRosier J, Stalhandske E, Bagian JP and Nudell T. Using health care failure mode and effect analysis: the VA National Center for Patient Safety’s prospective risk analysis system. The Joint Commission Journal on Quality Improvement 2002;28(5):248–67. PMid:12053459. Epub 2002/06/11. eng.

57. Apkon M, Leonard J, Probst L, DeLizio L and Vitale R. Design of a safer approach to intravenous drug infusions: failure mode effects analysis. Quality & Safety in Health Care 2004;13(4):265–71. Available from: PMid:15289629; PMCid:PMC1743853. Epub 2004/08/04. eng.

58. Steinberger DM, Douglas SV and Kirschbaum MS. Use of failure mode and effects analysis for proactive identification of communication and handoff failures from organ procurement to transplantation. Progress in Transplantation 2009;19(3):208–14. Available from:; PMid:19813481. Epub 2009/10/10. eng.

59. Sujan M, Spurgeon P, Inada-kim M, Rudd M, Fitton L, Horniblow S, et al. Clinical handover within the emergency care pathway and the potential risks of clinical handover failure (ECHO): primary research. Health Services and Delivery Research 2014;2(5).

60. Chana N, Porat T, Whittlesea C and Delaney B. Improving specialist drug prescribing in primary care using task and error analysis: an observational study. The British Journal of General Practice: The Journal of the Royal College of General Practitioners 2017;67(656):e157–e67. PMid:28193619; PMCid:PMC5325657. Epub 2017/02/15. eng.

61. Parand A, Faiella G, Franklin BD, Johnston M, Clemente F, Stanton NA, et al. A prospective risk assessment of informal carers’ medication administration errors within the domiciliary setting. Ergonomics 2018;61(1):104–21.

62. Lane R, Stanton NA and Harrison D. Applying hierarchical task analysis to medication administration errors. Applied Ergonomics 2006;37(5):669–79. Available from: PMid:16182230. Epub 2005/09/27. eng.

63. Sujan MA, Habli I, Kelly TP, Pozzi S and Johnson CW. Should healthcare providers do safety cases? Lessons from a cross-industry review of safety case practices. Safety Science 2016;84:181–89.

64. Sujan M, Spurgeon P, Cooke M, Weale A, Debenham P and Cross S. The development of safety cases for healthcare services: practical experiences, opportunities and challenges. Reliability Engineering & System Safety 2015;140:200–7. Epub 08/04/2015.

65. Health & Social Care Information Centre. Clinical risk management: its application in the manufacture of health IT systems – implementation guidance (SCCI 0129) 2016. Available from: Accessed 6 February 2018.

66. Health & Social Care Information Centre. Clinical risk management: its application in the deployment and use of health IT systems – implementation guidance (SCCI 0160) 2016. Available from: Accessed 6 February 2018.

67. Coiera EW and Westbrook JI. Should clinical software be regulated? The Medical Journal of Australia 2007;186(11):607–8.

68. Cortez NG, Cohen IG and Kesselheim AS. FDA regulation of mobile health technologies. New England Journal of Medicine 2014;371(4):372–79. Available from: PMid:25054722.

69. Thompson BM and Brodsky I. Should the FDA regulate mobile medical apps? British Medical Journal 2013;347.


  • There are currently no refbacks.

This is an open access journal, which means that all content is freely available without charge to the user or their institution. Users are allowed to read, download, copy, distribute, print, search, or link to the full texts of the articles in this journal starting from Volume 21 without asking prior permission from the publisher or the author. This is in accordance with the BOAI definition of open accessFor permission regarding papers published in previous volumes, please contact us.

Privacy statement: The names and email addresses entered in this journal site will be used exclusively for the stated purposes of this journal and will not be made available for any other purpose or to any other party.

Online ISSN 2058-4563 - Print ISSN 2058-4555. Published by BCS, The Chartered Institute for IT