Skip to content

Near-Miss Normalization

Prime #
1014
Origin domain
Safety Reliability Engineering
Subdomain
organizational safety and high reliability → Safety Reliability Engineering

Core Idea

A system experiences a sequence of events in which a hazardous outcome was narrowly averted — a near miss, a close call, an anomaly that did not propagate to harm. Each near miss carries diagnostic information that the relevant safety margin is smaller, or the relevant defence more fragile, than the design assumed. Instead of triggering redesign, the absence of harm is read as evidence the system is robust: the deviation is reinterpreted as within tolerance, the recurrence rate is treated as the new normal, and the margin is silently reset to the smaller value. Over time the operating envelope expands toward and through the failure boundary while the organisation continues to count itself safe.

The arrangement carries a definite set of roles. There is an operating system with a designed safety margin to a failure boundary. There is a stream of events that come closer to that boundary than the design assumed, without crossing it. There is an organisational channel through which those events are recorded and interpreted. There is a reinterpretation step that recodes the events as "normal" or "within tolerance" rather than as margin loss. There is a feedback loop in which the new normal becomes the operating baseline, expanding the envelope. And there is an eventual envelope-exceeding event whose post-hoc reconstruction reveals the prior margin loss that the outcome record had obscured.

What the frame changes is the separation of outcome from margin. The naive operational lens sees only outcomes — no harm — and concludes the system is safe; the structural lens sees margin and concludes the system is operating closer to the failure boundary than it was designed for. The near miss is data about the margin, not reassurance about the outcome, and treating it as the latter is the move the prime names.

How would you explain it like I'm…

The Almost-Hurt Habit

Imagine you almost trip on a loose stair but catch yourself just in time. A near miss like that is a warning that something is dangerous. Near-Miss Normalization is when, instead of fixing the stair, you say 'see, I didn't fall, so it's fine' — and keep walking on it. Each time nothing bad happens, you feel safer, even though the danger is still there and getting closer.

Close Calls Become Normal

Sometimes something dangerous almost happens but doesn't — a close call. Each close call is actually a warning that the safety cushion is smaller than people thought. Near-miss normalization is when, instead of taking the warning and fixing things, people read 'nothing bad happened' as proof the system is safe, and they treat the close call as normal. Over time they keep cutting it closer and closer to real danger while still believing they're safe. The trap is confusing the outcome (no harm) with the margin (how close to disaster they really got).

Mistaking Outcome For Margin

A system has a designed safety margin between normal operation and a failure boundary. A near miss is an event that comes closer to that boundary than the design assumed, without crossing it — and it carries diagnostic information that the margin is smaller, or the defense more fragile, than believed. Near-Miss Normalization is the move where the ABSENCE of harm is misread as evidence the system is robust: the deviation is reinterpreted as 'within tolerance,' the recurrence becomes the new normal, and the margin is silently reset to the smaller value. Through a feedback loop the new normal becomes the operating baseline, so the envelope expands toward and eventually through the failure boundary while the organization still counts itself safe. The core error is conflating outcome with margin — treating the near miss as reassurance about the outcome when it is really data about the shrinking margin.

 

Near-Miss Normalization names how organizations silently consume their own safety margins. The roles are definite. There is an operating system with a designed safety margin to a failure boundary. There is a stream of events that come closer to that boundary than the design assumed, without crossing it — each one diagnostic that the margin is smaller or the defense more fragile than assumed. There is an organizational channel through which those events are recorded and interpreted. There is a reinterpretation step that recodes the events as 'normal' or 'within tolerance' rather than as margin loss. There is a feedback loop in which the new normal becomes the operating baseline, expanding the envelope toward the boundary. And eventually there is an envelope-exceeding event whose post-hoc reconstruction reveals the prior margin loss the outcome record had obscured. The decisive distinction is between outcome and margin: the naive lens sees only outcomes — no harm — and infers safety, while the structural lens sees the margin shrinking and infers the system is operating closer to failure than it was designed for. The near miss is data about the margin, not reassurance about the outcome.

Structural Signature

an operating system with a designed margin to a boundarya stream of boundary-approaching events that do not crossa recording-and-interpreting channela reinterpretation step recoding margin-loss as normala feedback loop installing the new normal as baselinean eventual boundary-crossing event that exposes the prior erosion

The pattern is present when each of the following holds:

  • A margined system. Some operating entity holds a designed separation between its normal state and a failure boundary. The margin, not the outcome, is the quantity at stake.
  • A stream of margin-consuming events. Events occur that come closer to the boundary than the design assumed yet do not cross it — proximities, not outcomes.
  • An interpreting channel. The events are recorded and read by an interpreter that must classify each as either margin-loss or normal variation.
  • A reinterpretation operation. The interpreter recodes the no-harm outcome as evidence of robustness, resetting the assumed margin to the smaller observed value rather than treating the event as a warning.
  • A drift feedback loop. The reset margin becomes the operating baseline, licensing further approach to the boundary, which produces more near-misses, each normalized in turn — a self-reinforcing contraction.
  • A latent exposure invariant. Because outcome and margin are decoupled, the clean record cannot certify safety; the true proximity remains unobserved until a boundary-crossing event reconstructs it after the fact.

The components compose so that the load-bearing object is the decoupling of outcome from margin: the structure forces into view that a no-harm record carries no information about proximity-to-failure unless the margin itself is instrumented and the reinterpretation step audited.

What It Is Not

  • Not risk itself. risk is the standing exposure to a hazardous outcome; near-miss normalization is the misreading of risk evidence — treating a margin-loss signal as a robustness signal. Risk is the quantity; this prime is a specific inference failure about it.
  • Not robustness. robustness is the genuine property of withstanding perturbation; the whole point of this prime is that an organization mistakes a clean outcome record for robustness it does not have.
  • Not a black-swan surprise. A black_swan_high_impact_low_probability_events event is unforeseeable from prior data; here the warning data existed all along as near-misses and was actively recoded away. The information was present, not absent.
  • Not monitoring. monitoring is the act of observing a system; this prime names a pathology of monitoring — observing outcomes while leaving margin uninstrumented, so the watch itself manufactures false reassurance.
  • Not controlled reentry. controlled_reentry is a deliberate, provisioned return toward a boundary; near-miss normalization is undeliberate drift toward the boundary that the organization does not recognize as drift.
  • Common misclassification. Reading a long no-harm streak as accumulated safety evidence. Catch it by asking whether the margin shrank or only the outcome stayed clean; if near-misses are rising while injuries stay zero, the envelope is eroding, not proving itself.

Broad Use

The pattern operates with the same structural force across high-stakes substrates. In aviation, minor altitude deviations, unstable approaches, and runway incursions accumulate without being treated as harbingers, and the next event in the same envelope is the one with a different outcome.[1] In medicine, medication near-misses and last-moment catches become workflow assumptions rather than warnings, and the eventual harm sits in a long tail of unreported close calls. In nuclear and process safety, tolerance to small excursions in temperature, pressure, or procedure expands until an excursion is no longer a recoverable transient.[2] In spacecraft operations, the canonical cases recur — O-ring blow-by and foam-strike events reclassified as "experience" rather than as evidence the design was outside its qualification envelope.[3] In finance, small breaches of risk limits and operational error rates that did not yet cause loss are reinterpreted as conservative-margin proof rather than adverse signal. In cybersecurity, alerts that did not become incidents are used as evidence that defences work, when they may evidence an attacker who chose not to escalate that day.[4] In climate and infrastructure operations, floods and heat events within historical envelopes become baseline despite a shifting climate, so the next event tests a new baseline against pre-shift design assumptions.[5]

Clarity

The label separates outcome (no harm) from margin (how close to harm the system actually was). The naive operational lens sees only outcomes and concludes "we are safe"; the structural lens sees margin and concludes "we are operating closer to the failure boundary than we designed for." Once a team can name the normalisation, it can audit incidents by margin loss rather than by outcome, shifting the diagnostic question from "did anyone get hurt?" to "did our envelope shrink, and if so, did we act on it?"

The clarification matters because the two lenses give opposite readings of the same record. A long string of no-harm events looks like accumulating evidence of robustness under the outcome lens and like accumulating evidence of margin erosion under the margin lens, and the prime says the margin lens is the correct one whenever the events were near misses rather than comfortable successes. By making the distinction explicit, the frame defuses the reassurance that a clean outcome record provides and replaces it with a question about the unobserved proximity-to-failure that the clean record was hiding.

Manages Complexity

Near-miss normalisation decomposes a high-dimensional safety question into a two-step structure that can be engineered separately. Detect: does the organisation have a channel by which near-misses are reported, recorded, and tagged with margin loss rather than merely with outcome? Act: when a near-miss is detected, does the organisation re-examine the relevant design margin and redesign, or does it absorb the event as new normal? Each step has standard remediations — incident-reporting and just-culture policies and anonymous reporting for detection; margin-reconstructing root-cause analysis, formal envelope re-qualification, and mandatory redesign triggers above a frequency threshold for action — so a safety program that audits both steps separately can detect normalisation even when individual incident counts look fine.

The decomposition's value is that it locates the failure precisely. Normalisation can fail at detection (the near-miss never enters the record tagged as margin loss) or at action (it enters but is absorbed rather than acted on), and the two failures call for entirely different fixes. Without the two-step structure, "improve safety culture" is an undifferentiated exhortation; with it, the analyst can ask which of the two steps is broken in a given organisation and apply the matching remediation, which is what turns a diffuse cultural worry into an engineerable program.

Abstract Reasoning

The prime exposes a generic logical trap: outcome-conditioned inference. Conditioning on "we did not get hurt" is selection on a post-treatment variable, and inferring system robustness from it is a sampling fallacy. The unobserved counterfactual — a slightly different timing would have produced harm — is what carries the information about the true margin, and the argument generalises: any system that learns about its safety margin only from observed outcomes, not from observed proximities to failure, will silently drift toward the failure boundary along whichever margin is being tested.

There is also a self-reinforcing feedback reading: normalisation weakens the incentive to invest in margin recovery; the weakened incentive allows further envelope expansion; the further expansion produces more near-misses, each normalised in turn, until a single event escapes the envelope. The frame sharpens its boundaries by contrast — it is the inverse of Bayesian updating, since it fails to update on negative-looking evidence by reinterpreting it as positive; it is survivorship bias applied to near-misses by the operating organisation itself, with a feedback consequence on future margin; and it is what happens when verification is replaced by outcome inspection.[3] The reasoning is, however, heavily framed: the pattern requires an interpreter who normalises the deviation, it is deeply tied to organisational safety culture, and it leans toward human and organisational substrates wherever an organisation interprets margin signals — which is why its substrate independence sits in the middle of the scale despite its broad domain reach.

Knowledge Transfer

The structure suggests portable interventions because its roles map across substrates: the safety margin maps to an approach-stability gate, a medication-check buffer, a temperature or pressure tolerance, a qualification envelope, a risk limit, or a historical climate envelope; the near-miss stream maps to unstable approaches, caught medication errors, small excursions, blow-by events, limit breaches, or within-envelope storms; the reinterpretation step recurs identically wherever an organisation recodes a margin loss as normal; and the feedback loop is the same self-reinforcing drift in every case. Because the roles correspond, the interventions are the same moves everywhere: measure margin rather than outcome by instrumenting the gap to the failure boundary as a time series; pre-commit to redesign triggers that define ex ante what frequency or severity of near-miss must force re-qualification, before the political cost of triggering rises; separate near-miss reporting from blame so that just-culture or anonymous reporting raises the observable rate without suppressing the actual one; re-baseline against pre-shift envelopes when the operating environment changes; and use the absorbing reinterpretation itself as the diagnostic, treating phrases like "we always handle that" or "that's just Tuesdays" in incident reviews as evidence of normalisation in progress.

The documented transfers are concrete and forensically convergent. A regional airline whose unstable-approach rate at one airport rises by an order of magnitude over five years without producing an injury — the incidents logged as "windy approaches" rather than "unstable approaches," the chief pilot reading the pattern as skilled crews — discovers in the sixth-year overrun that its margin to overrun had collapsed years earlier and the outcome record had only obscured it.[6] The structurally identical pattern is documented in the Columbia foam-strike normalisation, in pre-2008 risk-limit breaches on trading desks, and in pre-pandemic hospital surge-overflow events.[7] Across these the intervention pattern — measure margin, pre-commit to triggers, separate reporting from blame — transports without modification. The transfer is genuine but framed: every destination requires an interpreting organisation that records and re-reads its near-misses, so the structural primitive (outcome-conditioned inference about margin in a system with self-reinforcing incentives) travels while the organisational-safety-culture context travels with it, which is what keeps the prime toward the framed end of the spectrum.

Examples

Formal/abstract

Consider a reliability model in which a system's true safety margin to a failure boundary is a latent variable \(M_t\), and operators observe only the binary outcome \(O_t \in \{\text{harm}, \text{no-harm}\}\) on each operating cycle. The margined system is the controlled process; the boundary-approaching events are cycles where the realized stress approaches the boundary so that \(M_t\) is small but positive; the recording channel is the outcome log \(\{O_t\}\); the reinterpretation step is an inference rule that updates a robustness estimate \(\hat{R}_t\) upward whenever \(O_t = \text{no-harm}\). The structural flaw is exact: \(O_t\) is the sign of \(M_t\) thresholded by a noisy realized stress, so conditioning the robustness estimate on no-harm discards all information about how small \(M_t\) became. The feedback loop closes when \(\hat{R}_t\) licenses tightening the operating envelope, which lowers the next cycle's \(M_{t+1}\), generating more near-misses that again read as no-harm. The latent-exposure invariant is that \(\hat{R}_t\) is uncorrelated with \(M_t\) along the sequence, so the variance of the time-to-boundary-crossing collapses without warning. The intervention the formalism dictates is to instrument \(M_t\) directly — a continuous margin estimate, not the binary outcome — so the update conditions on proximity rather than result.

Mapped back: The formal model exhibits every role — margined system, near-miss stream, reinterpreting channel, drift loop, latent exposure — and shows that the failure is the act of conditioning a robustness estimate on outcome rather than on the unobserved margin.

Applied/industry

In commercial aviation operational safety, a carrier's flight-data monitoring program tracks unstable approaches: an approach where the aircraft crosses a defined gate (height, speed, descent rate) outside stabilized criteria yet lands without incident is a textbook near-miss.[8] The margined system is the approach-stability envelope; the boundary-approaching events are the unstable-but-landed approaches; the recording channel is the FOQA database; the reinterpretation step is a chief pilot reading rising unstable-approach counts at one airport as "experienced crews handling a hard, windy runway" rather than as envelope erosion; the drift loop is that absorbing the rate as normal licenses scheduling tighter turnarounds that produce still more rushed approaches.[3] The diagnosis the prime forces is to plot the margin — the go-around rate against unstable-approach rate — as a time series and set a pre-committed trigger: above a frequency threshold, the airport's approach procedure is re-qualified regardless of the clean injury record. The same structure governs clinical medication safety: a pharmacy's barcode-scan override, used repeatedly to push past a dosage alert without an adverse event, is a near-miss stream whose no-harm record is read as evidence the alerts are over-sensitive; the intervention is to audit override frequency as a margin signal and force review when it climbs, rather than waiting for a harmful dose.[9] And in bank market-risk operations, repeated small breaches of a value-at-risk limit that did not produce a loss get recoded as proof the limit is conservative; instrumenting the breach magnitude and frequency as the margin signal — and pre-committing to a limit re-qualification trigger — converts a reassuring loss-free record back into the adverse signal it actually is.[10]

Mapped back: Across aviation, medicine, and banking the identical roles recur — a designed margin, a no-harm near-miss stream, an interpreting organization that recodes erosion as robustness — and the same intervention transports: measure proximity-to-boundary, not outcome, and pre-commit to a redesign trigger before the political cost of pulling it rises.

Structural Tensions

T1 — Margin Signal versus Outcome Signal (measurement). The prime insists margin be instrumented directly, but margin is latent and noisy while outcome is clean and cheap, so the instrumented margin proxy may itself be unreliable. The failure mode is proxy normalization: a team that adopts a margin metric then drifts the margin metric's own thresholds, normalizing the second-order signal exactly as it once normalized outcomes. The competing prime is outlier_leverage — a margin time series can be dominated by a few extreme near-misses. Diagnostic: ask whether the margin instrument has itself acquired an "acceptable rate" that creeps upward; if it has, the meta-control has been captured.

T2 — Genuine Robustness versus Hidden Erosion (sign/direction). A long no-harm streak is read as erosion under this frame, but sometimes the streak really is evidence of improved capability — operators who have genuinely learned to fly the hard runway. Over-applying the prime produces false-alarm fatigue: re-qualifying procedures that were never eroding burns credibility until real triggers are ignored. The boundary with learning is the crux. Diagnostic: did the margin (go-around rate, override magnitude) actually shrink, or only the outcome stay clean? Erosion shows margin contraction; genuine skill shows stable or growing margin under tighter conditions.

T3 — Detection Step versus Action Step (scopal). The two-step decomposition assumes a fix targets one step, but interventions on detection (anonymous reporting) can flood the action channel, and triggers tuned for action can suppress detection by raising reporting cost. The failure mode is step-shifting: hardening one step migrates the failure to the other, an instance of risk_migration inside the safety program itself. Diagnostic: when reporting rates rise, check whether re-qualification actually follows; a detection win with no action change means the normalization simply moved downstream.

T4 — Pre-Committed Trigger versus Adaptive Judgment (temporal). Pre-committing to a redesign trigger defuses the rising political cost of pulling it, but a frozen trigger cannot adapt when the environment legitimately shifts the baseline. The failure mode is trigger obsolescence: a threshold set against a pre-shift climate fires spuriously or never, because the world moved and the rule did not. This is the same washout_failure-adjacent problem of an inflexible reference. Diagnostic: when was the trigger last re-derived against current envelope conditions, and does its firing rate match the expected near-miss base rate?

T5 — Local Margin versus System Margin (scalar). The prime instruments the margin at one boundary, but a system has many margins, and recovering one can consume another — adding a go-around buffer may erode crew-duty margin. The failure mode is margin tunnel vision: a celebrated recovery on the measured boundary masks erosion on an uninstrumented one. The competing concern is vulnerability_hotspot, where margins co-locate. Diagnostic: enumerate the system's margins, not just the salient one, and ask whether the recovery action drew down any other.

T6 — Just Culture versus Accountability (coupling). Separating reporting from blame raises the observable near-miss rate, which the frame needs, but fully decoupling consequence from conduct can normalize genuine recklessness as "just data." The failure mode is accountability erosion: the reporting channel becomes a shield, and margin-consuming behavior that should draw sanction is logged and absorbed. The boundary is with procedure_work_mismatch, where some deviations are protective and some are latent risk. Diagnostic: does the just-culture line distinguish honest margin reports from willful boundary-pushing, or does it absorb both into the same no-fault stream?

Structural–Framed Character

Near-miss normalization sits on the framed side of the structural–framed spectrum, consistent with its aggregate of 0.6. There is a genuine relational skeleton underneath — outcome-conditioned inference about a latent margin in a self-reinforcing feedback loop, a sampling-fallacy shape that could in principle be stated in pure statistical terms — but the prime does not run without a human-organizational interpreter, and that dependence is what holds it in the framed band.

The diagnostic that decides the grade is human-practice-bound, scored at the ceiling. The pattern requires an interpreting organization that records its near-misses, classifies each as margin-loss or normal variation, and recodes the absence of harm as evidence of robustness. There is no near-miss normalization in a substrate that does not read and re-read its own incident record: the "reinterpretation step" is constitutively an act of organizational sense-making, deeply tied to safety culture and its canonical cases — Challenger O-ring blow-by, Columbia foam strikes — where the normalization lived in committee judgments, not in physics. The remaining diagnostics read mid-scale and pull the same way. The vocabulary half-travels: "margin," "envelope," and "failure boundary" carry an engineering-safety home lexicon that a new domain must partly adopt rather than tell in its own words. Evaluative weight is moderate — the term names a pathology, a misreading to be corrected, so it is not value-neutral the way a bare loop is. Institutional origin sits at the organizational-safety / high-reliability tradition, and invoking the prime imports that interpretive frame (audit margin not outcome, treat clean records as suspect) as much as it recognizes a pattern already wired into the system.

The prime's own substrate reasoning concedes this directly: it leans toward human and organizational substrates wherever an organization interprets margin signals, which is why its broad domain reach does not lift it toward the structural end. The structural primitive — outcome-conditioned inference about a margin in a system with self-reinforcing incentives — does travel, but every destination requires an interpreting organization that carries the organizational-safety-culture context along with it. That is the signature of a framed prime: a real pattern that cannot be spotted without importing the practice that makes it legible.

Substrate Independence

Near-miss normalization is a moderately substrate-independent prime — composite 3 / 5 on the substrate-independence scale. Its domain breadth is genuinely wide: the identical pattern operates with the same structural force across aviation (unstable approaches logged as windy weather), medicine (medication near-misses absorbed into workflow), nuclear and process safety (tolerated excursions in temperature and pressure), spacecraft operations (the canonical O-ring and foam-strike cases), finance (risk-limit breaches read as conservative-margin proof), cybersecurity (non-incident alerts taken as defense-validation), and climate operations (within-envelope storms re-baselined despite a shifting climate). What caps the structural-abstraction component at the middle is that the signature is not medium-neutral the way a bare feedback loop is: the load-bearing "reinterpretation step" is constitutively an act of organizational sense-making, requiring an interpreter that records its own near-misses and recodes margin loss as robustness — there is no physical or biological substrate that normalizes a margin without an organization reading its incident record. Transfer evidence is strong and forensically convergent (the same intervention pattern — instrument margin, pre-commit to triggers, separate reporting from blame — transports without modification across the documented aviation, Columbia, and trading-desk cases), but every destination drags the organizational-safety-culture frame along with it, which is exactly what holds the composite at a 3 rather than higher.

  • Composite substrate independence — 3 / 5
  • Domain breadth — 4 / 5
  • Structural abstraction — 3 / 5
  • Transfer evidence — 4 / 5

Relationships to Other Primes

One-hop neighborhood: parents above, mutual partners to the right, children below.Near-MissNormalizationsubsumption: BiasBiassubsumption: Benign-Sampling Safety DriftBenign-SamplingSafety Drift

Parents (2) — more general patterns this builds on

  • Near-Miss Normalization is a kind of Benign-Sampling Safety Drift

    child of emergent benign_sampling_safety_drift

  • Near-Miss Normalization is a kind of, typical Bias

    An organization-level outcome-conditioned inference error: reading absence-of-harm in a narrowly-averted event as robustness rather than lost margin, then resetting the margin smaller — a systematic directional misreading of risk evidence. is-a an inferential bias (the file calls it the inverse of Bayesian updating / survivorship bias on near-misses).

Path to root: Near-Miss NormalizationBias

Neighborhood in Abstraction Space

Near-Miss Normalization sits in a sparse region of abstraction space (74th percentile for distinctiveness): few abstractions share its structure, so a faithful description tends to retrieve it precisely rather than landing on a neighbor.

Family — Cue-Outcome Drift & Silent Failure (18 primes)

Nearest neighbors

Computed from structural-signature embeddings · 2026-06-14

Not to Be Confused With

The sharpest confusion is with risk, the nearest existing prime by embedding. Risk is the standing structure of exposure: a probability distribution over outcomes, a hazard, and the magnitude of loss should the hazard land. It is a static description of how exposed a system is at a moment in time. Near-miss normalization is not a description of exposure but a dynamic about how an organization updates its belief about exposure from a particular kind of evidence. The two relate as object and inference-about-object: risk is the territory, and near-miss normalization is a systematic error in the map-making process — specifically, the error of reading "no harm occurred" as "exposure is low" when the harm was averted by chance rather than by margin. A practitioner who only deploys risk can quantify current exposure but has no vocabulary for why an organization's own measurement systematically understates that exposure over time; this prime supplies exactly that missing dynamic.

The second genuine confusion is with robustness. Robustness is the property of a system whose performance degrades gracefully under perturbation — it actually has margin, and that margin actually holds. The entire pathology this prime names is the counterfeiting of robustness: an organization accumulates evidence that looks like robustness (a clean record) while the underlying margin contracts. The distinction is load-bearing because the two prescribe opposite actions on identical data. Faced with a long no-incident stretch, a robustness reading says "the system is sound, continue"; the near-miss-normalization reading says "check whether the margin that produced these clean outcomes is shrinking." Robustness is a property to be verified by instrumenting margin directly; near-miss normalization is the failure that occurs when that verification is replaced by outcome inspection.

A third confusion worth drawing is with black_swan_high_impact_low_probability_events. Both involve a catastrophic event that "no one saw coming," and both critique naive inference from quiet histories. But the black swan's defining feature is genuine unforeseeability — the event lies outside the reference class the observer could have constructed from prior data. Near-miss normalization is the opposite epistemics: the warning data was present and abundant in the form of recorded near-misses, and the failure was the active reinterpretation of that data as reassurance. A black swan is an information deficit in principle; near-miss normalization is an information suppression in practice. Calling a normalization-driven accident a black swan launders an organizational failure into bad luck.

For a practitioner, these distinctions partition the diagnostic space. Ask first whether you are describing exposure (risk) or a property that withstands it (robustness); then ask whether a quiet record reflects genuine margin (robustness verified), an unforeseeable tail (black_swan_high_impact_low_probability_events), or suppressed margin-loss evidence (near-miss normalization). Only the last is correctable by changing what the organization measures and how it reads its own near-misses, which is why naming it separately matters.

Solution Archetypes

No catalogued solution archetypes reference this prime yet.

References

[1] Reason, James. Managing the Risks of Organizational Accidents. Aldershot: Ashgate, 1997. Develops the latent-condition / defense-in-depth (Swiss-cheese) model and the role of near-misses as warnings of eroding margin in high-hazard operations; foundation for treating close calls as margin signals rather than reassurance.

[2] Perrow, Charles. Normal Accidents: Living with High-Risk Technologies. New York: Basic Books, 1984. Argues that tightly coupled, complex systems (nuclear, process, aviation) drift toward failure as small excursions in temperature, pressure, and procedure are tolerated until an excursion is no longer a recoverable transient.

[3] Vaughan, Diane. The Challenger Launch Decision: Risky Technology, Culture, and Deviance at NASA. Chicago: University of Chicago Press, 1996. The canonical source for 'normalization of deviance' — O-ring blow-by reclassified as acceptable 'experience' rather than as evidence the design was outside its qualification envelope, with the same dynamic generalized.

[4] Lewis, Kevin Townsend. "Alert Fatigue Is Becoming a Security Threat of Its Own". SecurityWeek, 2025. Documents how high volumes of non-incident security alerts produce false reassurance ('nothing critical has happened') and increase dwell time and blast radius — the security-operations form of reading non-incidents as defense-validation.

[5] Pelletier, Jon D., et al. (NOAA / National Academies). "Climate and Floods: Role of Non-Stationarity," in Improving American River Flood Frequency Analyses. Washington, DC: National Academy Press, 1999. Establishes that flood-frequency design assumptions built on a stationary historical envelope systematically underestimate risk under a shifting climate, so within-historical-envelope events get re-baselined while design lags the hazard.

[6] International Air Transport Association. Unstable Approaches: Risk Mitigation Policies, Procedures and Best Practices, 2nd ed. Montreal: IATA, 2016. Documents that unstable approaches are the dominant contributor to runway overruns and that the overwhelming majority of crews fail to convert an unstable approach into a go-around — the margin-consuming near-miss stream whose clean-landing record masks erosion until an overrun.

[7] Columbia Accident Investigation Board. Report Volume I. Washington, DC: NASA / U.S. Government Printing Office, 2003. Documents the foam-strike normalization on Columbia — recurring debris events reclassified as in-family rather than as margin loss — the structurally identical successor to the Challenger case.

[8] Flight Safety Foundation Approach-and-Landing Accident Reduction (ALAR) Task Force. "FSF ALAR Briefing Note 7.1 — Stabilized Approach" (Flight Safety Digest, Aug.–Nov. 2000). Alexandria, VA: Flight Safety Foundation, 2000. Defines the approach gate (1,000 ft IMC / 500 ft VMC) and the stabilized-approach criteria (height, speed, descent rate) and recommends FOQA/flight-data monitoring to log unstable-but-landed approaches as a safety-trend signal.

[9] Nanji, Karen C., et al. "Overrides of medication-related clinical decision support alerts in outpatients". Journal of the American Medical Informatics Association 21, no. 3 (2014): 487–491. Documents high override rates of medication (including dose) alerts and alert fatigue, supporting auditing override frequency as a margin signal rather than waiting for a harmful administration.

[10] Correia, Ricardo, et al. (Board of Governors of the Federal Reserve System). "The Role of Trading Desk Risk Limits" (Finance and Economics Discussion Series 2025-034). Washington, DC: Federal Reserve Board, 2025. Documents how VaR and other trading-desk limit breaches function as risk-governance signals and how repeated small breaches absent loss are handled, supporting instrumenting breach magnitude/frequency rather than reading a loss-free record as proof the limit is conservative.