In a service as large and complex as the NHS, things will sometimes go wrong. When they do, the response should not be one of blame and retribution, but of learning, a drive to reduce risk for future patients, and concern for staff who may suffer as a consequence. In relation to doctors and patients, this is a fundamental pledge made by the Government, the medical professions, and the NHS in A Commitment to Quality, A Quest for Excellence, published on 27 June 2001 (1).

The Department of Health (DH) publications An Organisation with a Memory (2) and Building a Safer NHS for Patients (3) identified the significant opportunities that exist to reduce unintended harm to patients arising during NHS care. This is supported by the recent work of Neale et al, who have established from retrospective medical record reviews that at least one in twenty NHS patients suffers preventable harm (4). The report of the public inquiry into children’s heart surgery at the Bristol Royal Infirmary (5) adds further impetus to the drive to improve the safety and quality of care.

This document builds on the work that has been carried out to-date and sets out the key requirements for local organisations to manage, report, analyse and learn from adverse patient incidents. The aim is to reduce the risk of harm to future NHS patients through improving patient safety and quality of care.

It is not sufficient for organisations and individuals involved in provision of NHS care to learn and improve only from things that go wrong. Engaging in proactive risk management activity, in addition to the reactive process of incident management, will enable the identification of many things that could go wrong as part of a systematic approach to risk assessment. This is a fundamental requirement set out in both the DH Risk Management System standard (6), developed to meet the requirements of the NHS controls assurance project, and the Clinical Negligence Scheme for Trusts (CNST) risk management standards (7). The need for sound ‘clinical’ risk management is further reinforced through the clinical governance agenda.

The cornerstone of the requirements set out in this document is the need to establish the underlying cause(s) of serious incidents through root cause analysis. Unless the causes of adverse patient incidents are properly understood, lessons will not be learned and suitable improvements will not be made to secure a reduction in the risk of harm to future patients.

In many instances, the root causes of adverse patient incidents lie in the management and organisational systems that support the delivery of care, and blame cannot, and should not, be attributed to individual health care professionals. Identifying and addressing dysfunctional systems is, therefore, the key to reducing future risk of harm for many NHS patients and is the ethos behind the new national system for reporting adverse incidents that will be run by the National Patient Safety Agency.

The NPSA will collect and analyse incident and other patient safety information and provide timely and relevant feedback to healthcare organisations, clinicians and other health care professionals, and patients/carers in a way that promotes learning and risk reduction through environmental and/or systems changes, and/or changes in organisational, management or clinical practice.

The requirements presented in this document should be reflected, as appropriate, in local incident management and reporting policies. They are applicable to all NHS organisations in both primary and secondary care, including independent contractors, and to private healthcare organisations providing services to NHS patients. In the case of independent contractors, it should be noted that they have a responsibility to report adverse incidents to their primary care trust and should ensure they have the necessary reporting systems in place. The issue of involvement of social care organisations is being considered and, if appropriate, updated guidance will be issued in due course.

Complying with the requirements of this document will help organisations meet mandatory DH incident management and reporting standards (6). For those organisations who are members of the Clinical Negligence Scheme (CNST) for Trusts, the requirements provide guidance that are complementary to the CNST standards for incident reporting and for responding to major clinical incidents (8,9).

Whilst the requirements set out in this document relate specifically to adverse patient incidents that could have or did lead to harm, the principles can be applied to all other incident types and outcomes. Health care providers should, in accordance with the mandatory incident criteria set down in the Department of Health Risk Management System standard (6), have in place a holistic and integrated system covering management, reporting, analysis and learning from all adverse incidents involving patients, staff and others and other types of incidents, not directly involving people.

Summary of key requirements

Figure 1 (draft.pdf) sets out, schematically, ten key local requirements for managing, reporting, analysing and learning from adverse incidents involving NHS patients. These are summarised below. Additional guidance and information is contained, or referred to, in subsequent chapters and annexes.

Ten key local requirements

1. All individuals involved directly or indirectly in patient care are aware of what constitutes an adverse patient incident.

2. The incident is managed and reported to a designated person, or persons, in accordance with local arrangements.

3. All serious incidents are reported immediately to a locally designated person, or persons, and, where appropriate, information on these incidents is ‘fast-tracked’ to relevant external stakeholders.

4. All reported incidents are graded according to the actual impact on the patient(s), and the, potential future risk to patients and to the organisation, and reviewed to establish stakeholder reporting requirements.

5. Adverse patient incidents are subject to an appropriate level of local investigation and causal analysis and, where relevant, an improvement strategy is prepared.

6. Incidents graded as red, are reported to the NPSA within 3 working days of the date of occurrence. For category red adverse events only (i.e. where serious actual harm has resulted), this information is also reported within 3 working days to relevant Regional Office of the DH.

7. For all category red incidents, a full root cause analysis is undertaken by the local organisation and reported to the NPSA within 45 working days of occurrence of the incident. For category red adverse events only (i.e. where serious actual harm has resulted), this information is also reported within 45 working days to the relevant Regional Office of the DH.

8. Where appropriate, the organisation co-operates with the DH to establish the need for an independent investigation or inquiry, and also co-operates with other stakeholders who might be required to undertake investigations and/or inquiries into the circumstances surrounding a particular adverse patient incident.

9. Aggregate reviews of local incident data/information are carried out on an ongoing basis by the organisation and the significant results communicated to local stakeholders. Aggregate review reports are sent to the NPSA on a quarterly basis.

10. Lessons are learned from individual adverse patient incidents, from local aggregate reviews and from wider experiences, including feedback from the NPSA, other agencies/bodies, and benchmarking. Improvement strategies aimed at reducing risk to future patients are implemented and monitored by the organisation. Where appropriate, local staff learn lessons and change practice in order to improve the safety and quality of care for patients.