Learning/ High Reliability Healthcare Systems/ Lesson 02
Lesson 02 of 06High Reliability Healthcare Systems

How Failures Happen
The Anatomy of Harm

Harm rarely has a single cause. It is almost always the convergence of multiple latent conditions and active failures, aligned at the wrong moment. Before we can prevent harm, we need to understand precisely how it occurs.

What you will learn
Apply the Swiss cheese model to analyze how healthcare failures occur
Distinguish between active failures and latent conditions in clinical environments
Explain the role of human factors in healthcare safety events
Identify how normalization of deviance develops in healthcare organizations
Recognize the early warning signs of systemic vulnerability
Start Lesson Back to Course
Lesson Snapshot
Lesson02 of 6
Progress33% Complete
Est. Time~35 Minutes
Knowledge Checks5 Questions
Course Progress
01 Why Systems Fail 02 Anatomy of Harm 03 The Five HRO Principles 04 Safety Culture 05 Designing for Reliability 06 Leading HRO

The Swiss cheese model
of organizational failure

The most influential model for understanding how healthcare failures occur was developed by British psychologist James Reason in the early 1990s. Known as the Swiss cheese model of organizational accidents, it offers a framework that has shaped patient safety thinking for three decades.

Reason's insight was this: organizations build multiple layers of defense against failure — policies, procedures, training, equipment checks, supervision, and technology. Each layer is intended to prevent harm. But no layer is perfect. Each has gaps — holes — through which a failure can potentially pass.

Harm occurs when the holes in multiple layers momentarily align — when the gaps line up — allowing a failure to travel all the way through every layer of defense and reach the patient. In isolation, a hole in one layer does not cause harm. The defenses around it catch the problem before it reaches the patient.

Visualize a stack of Swiss cheese slices. Each slice is a layer of defense. Each hole is a weakness in that layer. Most of the time, the slices are misaligned and the holes do not line up. Occasionally, they do. That is when harm occurs.

Key Principle

Harm is not caused by a single hole in a single layer of defense. It is caused by the rare and momentary alignment of holes across multiple layers simultaneously.

Active failures and
latent conditions

Reason also drew a critical distinction between two types of contributing factors in healthcare failures: active failures and latent conditions.

Active failures are the unsafe acts committed by people who are in direct contact with the patient or system at the point of care. They are the visible triggers — the wrong drug drawn, the missed vital sign, the misread label. Active failures are what investigations most readily find, and what person-focused responses most commonly target.

Latent conditions are the hidden vulnerabilities embedded in the system long before any individual error occurs. They arise from decisions made weeks, months, or years earlier — design choices, resource allocations, staffing decisions, equipment procurement, policy gaps, and cultural norms that create conditions in which errors are more likely to happen.

Latent conditions are far more dangerous than active failures, precisely because they are invisible until activated. They sit quietly in the system, waiting for the right combination of circumstances. A corridor where look-alike medications are stored together. A monitoring system with too many alerts, so staff learn to override them. A handover process that evolved through informal workarounds into something fundamentally different from the written protocol.

Human factors
and the limits of human performance

Human factors is the scientific discipline concerned with understanding the interaction between humans and the systems, environments, and tools they work with. In healthcare, human factors examines how cognitive, physical, and organizational factors influence the ability of clinical staff to perform safely and effectively.

The fundamental insight of human factors science is that humans have predictable limitations. Working memory is finite. Attention is selective. Performance degrades under fatigue, time pressure, noise, and interruption. These are not character flaws — they are universal features of human cognition. Safe system design accounts for these limitations rather than assuming they can be overcome through willpower or training.

Normalization of deviance — a concept introduced by sociologist Diane Vaughan — describes the gradual process by which unsafe practices become accepted as normal through repeated occurrence without immediate consequence. In healthcare, it appears as workarounds that become standard practice, protocols that are routinely skipped because they seem unnecessary, and warning signs that are habitually dismissed because they have never caused harm before.

Human Factors Principle

Safe systems are not designed for ideal humans performing under ideal conditions. They are designed for real humans, working under real conditions — with finite attention, finite memory, and the full range of human limitations.

Key concepts
from this lesson

Key Concept

Swiss Cheese Model

Layers of defense with gaps; harm occurs when gaps align across layers simultaneously.

Key Concept

Active Failures

Unsafe acts at the point of care — the visible trigger of a harmful event.

Key Concept

Latent Conditions

Hidden system vulnerabilities created long before any individual error occurs.

Key Concept

Human Factors

The science of designing systems that account for the predictable limits of human performance.

Key Concept

Normalization of Deviance

The gradual process by which unsafe practices become accepted as normal through repeated occurrence without consequence.

Key Concept

Weak Signals

Small, easily dismissed indicators that precede more serious system failures in complex organizations.

Case Study

The handover that wasn't

A patient admitted overnight with chest pain deteriorates in the early morning hours. The night team hands over to the day team in a busy corridor during a period of high ward activity. The handover takes four minutes. The patient's rising troponin levels — ordered at 3am — are not yet back from the laboratory and are not mentioned in the handover.

The day nurse assumes the results are normal because she has not been told otherwise. The day physician does not review the electronic results because the patient appears stable at the start of his shift. By 11am, when the laboratory flags the result as critical and calls the ward directly, the patient has developed a significant arrhythmia.

Active failure: the physician did not review the pending results. Latent conditions: no structured handover tool requiring documentation of pending investigations; a culture where handovers happen wherever staff happen to be rather than in a protected space; a laboratory alerting system that flags results to the ward phone rather than directly to the responsible physician.

Human factors: the handover occurred during peak interruption time; the physician's morning was immediately absorbed by four new admissions; the patient's apparent stability made the pending result feel less urgent.

What this illustrates

The active failure — not reviewing the result — was the visible trigger. But removing that individual from the system would not have fixed the handover process, the alerting system, the cultural norms around protected time, or the absence of a structured tool for tracking pending investigations.

Reflection Prompt

Where are the latent conditions in your organization?

Think about a routine process in your workplace — a handover, a medication administration step, a documentation workflow — that has gradually drifted from its original design. Where have workarounds become standard? Where do people routinely skip steps because they feel unnecessary? Those drifts are latent conditions in the making. What would it take to surface them before they contribute to harm?

IHI Open School — Further Learning

PS 102: From Error to Harm and PS 103: Human Factors and Safety are directly relevant to this lesson and recommended for deeper exploration of error taxonomy and human factors design. Available at ihi.org.

Knowledge Check — Lesson 02

1. According to the Swiss cheese model, when does serious harm most commonly occur in healthcare?

AWhen an experienced clinician makes an uncharacteristic error
BWhen gaps in multiple layers of organizational defense simultaneously align
CWhen a patient presents with an unusual or complex clinical condition
DWhen a new staff member is working without adequate supervision

2. A ward policy requires two-nurse verification for high-risk medication administration. Over time, because nurses are often working alone, single-nurse verification becomes standard practice — and no adverse event occurs for 18 months. This is best described as:

AAn acceptable adaptation to staffing constraints
BA human factors engineering improvement
CNormalization of deviance
DAn active failure waiting to be investigated

3. Which of the following is an example of a latent condition in a healthcare organization?

AA nurse who draws up the wrong medication during a rushed preparation
BA physician who orders a drug the patient is allergic to
CA medication storage system where look-alike drugs are stored adjacent to each other
DA patient who does not report a worsening symptom to clinical staff

4. A hospital introduces an automated drug-drug interaction alert system. Within six months, physicians override 95% of all alerts because most are for minor interactions. This creates a risk of:

AOver-reliance on clinical judgment at the expense of technology
BAlert fatigue leading to dismissal of clinically significant alerts
CReduced physician autonomy in prescribing decisions
DIncreased medication costs through unnecessary alerts

5. Human factors science is primarily concerned with:

AIdentifying which individuals are most prone to making errors under pressure
BDesigning systems and environments that account for the predictable limits of human performance
CTraining clinicians to overcome cognitive limitations through practice
DReducing the human element in clinical decision-making through automation
← Lesson 01: Why Systems Fail Lesson 02 of 06 — High Reliability Healthcare Systems Lesson 03: The Five HRO Principles →