Article Text


Tracing the foundations of a conceptual framework for a patient safety ontology
  1. William B Runciman1,2,
  2. G Ross Baker3,
  3. Philippe Michel4,
  4. Susan Dovey5,
  5. Richard J Lilford6,
  6. Natasja Jensen7,
  7. Rhona Flin8,
  8. William B Weeks9,
  9. Pierre Lewalle7,
  10. Itziar Larizgoitia10,
  11. David Bates11 on behalf of the Methods & Measures Working Group of the World Health Organization World Alliance for Patient Safety
  1. 1The University of South Australia and the Safety and Quality Research Unit, Joanna Briggs Institute, Adelaide, Australia
  2. 2Australian Patient Safety Foundation, Adelaide, Australia
  3. 3Department of Health Policy, Management and Evaluation, Faculty of Medicine, University of Toronto, Toronto, Canada
  4. 4Regional Center for Quality and Safety, Bordeaux University Hospital, Bordeaux, France
  5. 5Department of General Practice, Dunedin School of Medicine, Dunedin, New Zealand
  6. 6Department of Public Health and Epidemiology, University of Birmingham, Edgbaston, Birmingham, UK
  7. 7World Health Organization, Geneva, Switzerland
  8. 8School of Psychology, University of Aberdeen, Aberdeen, UK
  9. 9The Dartmouth Institute for Health Policy and Clinical Practice, Lebanon, New Hampshire, USA
  10. 10World Alliance for Patient Safety, World Health Organization, Geneva, Switzerland
  11. 11Division of Internal Medicine, Brigham & Women's Hospital, Boston, Massachusetts, USA
  1. Correspondence to Professor W B Runciman, Australian Patient Safety Foundation, GPO Box 400, Adelaide, SA 5001, Australia; bill.runciman{at}


Background In work for the World Alliance for Patient Safety on research methods and measures and on defining key concepts for an International Patient Safety Classification (ICPS), it became apparent that there was a need to try to understand how the meaning of patient safety and underlying concepts relate to the existing safety and quality frameworks commonly used in healthcare.

Objectives To unfold the concept of patient safety and how it relates to safety and quality frameworks commonly used in healthcare and to trace the evolution of the ICPS framework as a basis of the electronic capture of the component elements of patient safety.

Conclusion The ICPS conceptual framework for patient safety has its origins in existing frameworks and an international consultation process. Although its 10 classes and their semantic relationships may be used as a reference model for different disciplines, it must remain dynamic in the ever-changing world of healthcare. By expanding the ICPS by examining data from all available sources, and ensuring rigorous compliance with the latest principles of informatics, a deeper interdisciplinary approach will progressively be developed to address the complex, refractory problem of reducing healthcare-associated harm.

Statistics from

Although some notable people have been concerned with patient safety in the past, such as Florence Nightingale 150 years ago1 and Ernest Codman nearly 100 years ago,2 it was only after the appearance of national reports less than a decade ago that it became a priority in healthcare.3–5 In response, the WHO launched the World Alliance for Patient Safety in October 2004,6 under the auspices of the WHO.7 The World Alliance initiated work in several areas, including one to address patient safety research,8 ,9 and another to reach agreement on definitions for key concepts to provide a basis for an International Classification for Patient Safety (ICPS).10–13 In doing this work, it became apparent that there was a need to try to understand how the meaning of patient safety and underlying concepts relate to the existing safety and quality frameworks which are commonly used in healthcare.

The authors therefore traced how frameworks proposed by Donabedian,14 Reason15 and others have shaped the understanding of these concepts and led to integrating Donabedian's triad into a workflow16 model and to representing Reason's framework by a ‘Generic Reference Model’ (GRM),17 a form suitable for the electronic capture and storage of the elements of patient safety incidents.18 These frameworks provided a basis for the development of a conceptual framework to underpin the WHO-led ICPS and therefore provide a foundation for an ontologically based classification which is now in development.

The concept of patient safety

The WHO ICPS drafting group agreed on definitions for 48 concepts.10–13 Patient safety was defined as the reduction in the risk of unnecessary harm associated with healthcare to an acceptable minimum, and risk as the probability that an incident will occur.13 An alternative view is that patient safety should simply be defined as ‘freedom from injury.’3 As high levels of risk (and harm) appear to have been deemed ‘acceptable’ in the past, it may be argued that to include the term ‘acceptable minimum’ in a definition of patient safety may pave the way to ‘normalise’ what many regard as fundamentally unacceptable. The issue is a complex one, as the acceptability of risk in healthcare (from the perspectives of patients, healthcare professionals and society) relates to a balance between the expectation of the potential for harm, the likelihood of doing good and the choices available at the time.19 The ideal remains ‘freedom from injury’ (or harm), but there are many instances in healthcare in which the available choices are constrained by circumstances or events beyond the control of those delivering and/or receiving healthcare. For example, there may be no alternative but to accept the risk of no electronic physiological monitors being available if one needs an anaesthetic for a life-saving procedure in a war zone or after a natural disaster, but it remains true that the safety margin has been reduced.

Structure, process and outcome in healthcare

Donabedian,14 over 40 years ago, proposed a model for understanding the elements of quality in healthcare. He introduced the concept of a triad comprising structure, process and outcome, with the idea of a service (healthcare) embedded within a system (see figure 1). ‘Structure’ includes the physical infrastructure and biomedical engineering support systems, as well as how healthcare services are organised with respect to staffing, rostering and the availability of the necessary equipment and supplies. ‘Process’ refers to the fidelity with which protocols and interventions are carried out—how the structure is used within a system. ‘Outcome’ refers to the impact of these processes on patients and the organisation. Donabedian did not originally specifically identify patient safety, but encompassed all health related outcomes and attributes of healthcare under the umbrella of the Quality of Care. Donabedian was concerned with achieving the best possible outcomes for patients, implicitly embracing the concept of patient safety.

Figure 1

Donabedian's structure, process and outcome model. Adapted from Battles JB, Lilford RJ. Organising patient safety research to identify risks and hazards. Qual Saf Health Care 2003;12 (Suppl 2):ii2–7.27

Behaviour, culture and interventions

Brown et al extended this model by adding a representation of workflow and separating management and clinical processes (see figure 2).16 Each set of processes can be influenced by interventions, with generic interventions at the management level affecting intervening variables such as morale, which in turn impact on clinical processes. This model thus incorporates the influence of human behaviour and the system-based concepts of safety culture and climate.20 Safety pioneers such as Leape have written eloquently on the deleterious effects of a ‘medical’ culture—a culture expecting perfection and denying fallibility—on the behaviour of healthcare professionals, both individually and collectively.21

Figure 2

Donabedian's triad of structure, process and outcome showing generic and specific interventions, and how behaviour and culture may impact on clinical processes. Adapted from Brown et al.16

Complex sociotechnical systems and the Swiss cheese model

Some 20–30 years ago, the notion of human behaviour (including error) and a range of organisational and system-based contributing factors affecting both structure and process in complex systems were articulated by pioneers such as Rasmussen,22 Moray,23 Senders,24 Perrow,25 Norman26 and Reason27; much of the original work was focused on high-risk ventures such as the generation of nuclear power. Reason proposed his now famous ‘Swiss cheese’ model for how the trajectory of an incident or accident usually has to pass through a series of often transient gaps in defences (the holes in the cheese), with each being necessary but not always sufficient to lead to an adverse outcome (see figure 3).28 The notion is that while the particular concatenation of circumstances and events may never be repeated, the various latent and active contributing factors are finite in number and type, and merely combine together on particular occasions in configurations that can result in harm. The strength of deconstructing incidents into these component elements lies in the fact that, once identified and characterised, preventive and corrective strategies can be devised and applied.27

Figure 3

Swiss cheese model. Adapted from Reason.28

Generic reference model: towards an informatics ontology

In another representation of Reason's model, these contributing factors were presented in parallel (see figure 4), accommodating the fact that one or more contributing factors from each category can contribute to the evolution of an incident by aligning in any sequence. In this representation, the cascade of changes by which an incident unfolds could be explicitly represented.17 ,29 Inadequacies in aspects of quality which impinge on safety may be systematically captured as contributing factors, such as external or environmental factors (including availability of resources, transport and so on), organisational factors (such as rosters, protocols) and human factors (factors affecting the behaviour and performance of both individuals and teams). As described below, these inadequacies often relate to aspects of both structure and process. The notion that many contributing factors may be involved, and that there is usually no single root cause, has been emphasised by Vincent.18 ,30

Figure 4

Generic reference model. Adapted from Runciman et al.17

Components of this model also include the details of what had happened for any particular type of incident, the context, the defences breached, any aggravating or mitigating factors, outcomes for both the patient and the system, and any short or long-term actions taken. All of these components of the GRM were populated by cascading hierarchies of concepts arranged intuitively according to the principles of natural mapping. These concepts were identified by analysing thousands of ‘real-world’ incidents.17

Building an operational ontology of patient safety

Thus, what started as a philosophical framework for patient safety progressively evolved towards a computer-based application, underpinning the development of a computer science health informatics ontology for patient safety.31 Progress to date allows the development of automated systems that, for example, prompt reporters to elicit the information necessary for devising corrective strategies and allow storage in a form that allows subsequent retrieval. This is necessary, as those involved in healthcare do not always spontaneously proffer all the information needed to provide the insight necessary for devising these strategies. It also provides a basis for a system which will allow electronic records to be created for aggregation and subsequent analysis and for tracking trends and comparing patterns, both between organisations or disciplines and over time. It allows the complex characteristics of the individually rare but collectively important incidents which make up more than half of the things that go wrong to be determined, by allowing the structured aggregation of information from quite disparate sources.9 ,17

International Classification for Patient Safety

The WHO World Alliance for Patient Safety convened an expert panel to develop a conceptual framework for the International Classification for Patient Safety (ICPS; see figure 5).11–13 based on the previous development of the frameworks outlined above and several other classifications,32–34 together with inputs from a wider consultation.12 The ICPS has evolved over previous conceptual models in that detection and mitigating and ameliorating factors are explicitly represented, and may thus inform actions taken to reduce risk.11 ,13

Figure 5

Conceptual Framework for the International Classification for Patient Safety (reproduced with permission). Adapted from Sherman et al.11 The solid lines enclose the 10 major classes of the ICPS and represent the semantic relationships between them. The dotted lines represent the flow of information.

Donabedian triad and the ICPS

Each action taken to reduce risk and its consequences may be envisaged as comprising some or all of the Donabedian triad outlined in figure 1. Figures 1, 2 may be envisaged as lying at right angles to and constituting the third dimension of the two-dimensional diagrams in figures 4, 5. An example is given in box 1 of how the concepts may be represented if the problem was a breathing circuit disconnection during anaesthesia which led to a paralysed patient suffering hypoxic brain damage.

Box 1

An incident in which brain damage followed the undetected disconnection of the breathing circuit of a paralysed patient under anaesthesia

Details elicited and captured about the incident

  • Contributing factors (staff): anaesthetist distracted by having to resuscitate the patient because of blood loss during the operation

  • Contributing factors (patient): the patient was fully paralysed for good surgical access for surgery involving the head and neck

  • Incident type (equipment problem): circuit disconnection between the endotracheal tube and the breathing circuit

  • Contributing Factor (equipment problem): no capnograph, oximeter or disconnect alarms

  • What happened?: patient breathing circuit disconnected under the drapes when the surgeon moved the patient's head

  • Outcome (patient): patient became acidotic, failed to wake up after the anaesthetic and later satisfied the criteria for brain death; treatment was withdrawn after 3 days in the intensive care unit

  • Outcome (organisation): root cause analysis, open disclosure to relatives, mediated compensation and support for the family were arranged

Actions taken to reduce risk (of future patients suffering brain damage or death from circuit disconnection)

  • Detection (structure): a decision made to have a ‘belt and braces’ approach to detecting future circuit disconnections by purchasing both capnographs and oximeters for use during every anaesthetic

  • Detection (process): anaesthetists would be required to check these devices before use and make sure that they are used: assistants would be taught to remind anaesthetists if either step was omitted

  • Mitigating factors (structure): a decision made to ensure that crisis-management algorithms are available with separate self-inflating bags suitable for ventilating a patient's lungs

  • Mitigating factors (process): anaesthetists would be given instruction in how to follow the crisis management algorithms and assemble and use the self-inflating bags while the exact nature of the circuit disconnection was determined and corrected

Applications of the ICPS

The frameworks in figures 4, 5 may form the basis for three sets of activities.17 First, for individual incidents, they may provide mental models for guiding the response to an evolving incident, as well as providing frameworks for deconstructing the incident and eliciting and capturing the relevant information for classification or documentation. The second way in which the frameworks can be used, after identifying a problem or theme to be studied, is to analyse aggregated data from the relevant classes about particular phenomena or types of incidents to enhance understanding for devising corrective strategies.35 The third use is to identify the components that should be targeted for implementing such strategies, for example, through the use of social networks in healthcare.36 In time, the framework could also be populated so as to provide a compendium of evidence-based actions or solutions for particular problems. How to characterise these, gauge their relevance in the real world and determine whether the solutions are risk- and cost-effective is the subject of a companion paper.9

The conceptual framework for the WHO ICPS is shown in figure 5. It provides a basis for the progressive development of an ontological representation of patient safety suitable for application in computer science.31 In computer and information science, an ontology is a data model that represents a set of concepts within a domain, and the relationships between those concepts.31 With adequate representation in some form of language of their embedded knowledge, ontologies support rigorous, machine-aided reasoning about the objects within that domain.

A classification, in essence is a special case of an ontological representation of a domain (patient safety in this case) which, from the perspective of information architecture, consists of sets of concepts (classes) with characteristics that make them mutually exclusive but will allow them, collectively and exhaustively, to capture the attributes of relevant incidents. An international collaborative project has been set up by the WHO to expand the content of the ICPS conceptual framework and configure it as a classification compliant with sound computer science principles.17 Finer-grained concepts will populate the classes in order to provide enough depth and detail for the ICPS to be useful to those who wish to devise preventive or corrective strategies.

What next?

The concept of patient safety will evolve with greater understanding of the determinants of healthcare processes and outcomes, and the evolution of clinical and related sciences. The next phase will involve teasing out some of the possible different views using techniques such as ethnography and discourse analysis, as understanding them will facilitate harnessing the strengths and avoiding the weaknesses of the various approaches to enhancing patient safety. The ICPS may act as a ‘reference model’ for different disciplines but must remain dynamic in the ever-changing world of healthcare. By expanding the ICPS by examining data from all available sources, and ensuring rigorous compliance with the latest principles of informatics, a deeper interdisciplinary approach can progressively be developed, which we believe will be necessary to address the complex, refractory problem of reducing healthcare-associated harm.


The authors wish to thank D Bates of the Division of General Internal Medicine, Brigham and Women's Hospital and External Research Lead for the WHO World Alliance for Patient Safety, for his contribution and leadership in this project; also M Fletcher, Director of the National Patient Safety Agency of England and Wales, H Coates of the Health Information and Quality Authority, Ireland, and A Andermann at the Faculty of Medicine of McGill University, Montreal, for their contribution to advancing this work. The members of the Methods & Measurement working group of the WHO World Alliance for Patient Safety are: R Baker, W B Runciman, C Aibar, S Dovey, R Flin, R Lilford, P Michel, S Asavaroengchai, C Travassos, W Weeks and DW Bates, External Research Lead of the WHO World Alliance for Patient Safety. The authors acknowledge the contribution of the WHO ICPS Drafting Group in the development of the ICPS Conceptual Framework, whose members are M Fletcher, M Hatlie, P Hibbert, P Lewalle, J Loeb, T Perneger, W Runciman, T van der Schaaf, H Sherman and R Thomson.


View Abstract


  • Funding The work was supported by a Program Grant by the National Health and Medical Research Council of Australia, Canberra, ACT, Australia.

  • Competing interests None.

  • Provenance and peer review Not commissioned; externally peer reviewed.

Request permissions

If you wish to reuse any or all of this article please use the link below which will take you to the Copyright Clearance Center’s RightsLink service. You will be able to get a quick price and instant permission to reuse the content in many different ways.