Swiss cheese model

The Swiss cheese model of accident causation illustrates that, although many layers of defense lie between hazards and accidents, there are flaws in each layer that, if aligned, can allow the accident to occur. In this diagram, three hazard vectors are stopped by the defences, but one passes through where the "holes" are lined up.

The Swiss cheese model of accident causation is a model used in risk analysis and risk management, including aviation safety, engineering, healthcare, emergency service organizations, and as the principle behind layered security, as used in computer security and defense in depth. It likens human systems to multiple slices of Swiss cheese, each with randomly placed and sized holes, stacked side by side, so that the risk of a threat becoming a reality is mitigated by the differing layers and types of defenses "layered" behind one another. Therefore, in theory, a lapse or weakness in one defense does not by itself allow a risk to materialize, because other defenses (the other slices of cheese) also exist to prevent a single point of failure; the risk materializes only when a hole in one slice aligns with holes in all the other slices of the stack. The model was originally formally propounded by James T. Reason of the University of Manchester, [1] and has since gained widespread acceptance. It is sometimes called the "cumulative act effect".

Although the Swiss cheese model is respected and considered a useful method of relating concepts, it has been subject to criticism that it is used too broadly, and without enough other models or support. [2]

Holes and slices

Emmental cheese with eyes. Each slice will have holes of varying sizes and positions.

In the Swiss cheese model, an organization's defenses against failure are modeled as a series of imperfect barriers, represented as slices of cheese, specifically Swiss cheese with holes known as "eyes", such as Emmental cheese. The holes in the slices represent weaknesses in individual parts of the system and are continually varying in size and position across the slices. The system produces failures when a hole in each slice momentarily aligns, permitting (in Reason's words) "a trajectory of accident opportunity", [3] so that a hazard passes through holes in all of the slices, leading to a failure. [4] [5] [6] [7]

Frosch [8] described Reason's model in mathematical terms as a model in percolation theory, which he analyses as a Bethe lattice.

Active and latent failures

The model includes active and latent failures. Active failures encompass the unsafe acts that can be directly linked to an accident, such as (in the case of aircraft accidents) a navigation error. Latent failures include contributory factors that may lie dormant for days, weeks, or months until they contribute to the accident. Latent failures span the first three domains of failure in Reason's model. [9]

In the early days of the Swiss cheese model, late 1980 to about 1992, attempts were made to combine two theories: James Reason's multi-layer defence model and Willem Albert Wagenaar's tripod theory of accident causation. This resulted in a period in which the Swiss cheese diagram was represented with the slices of cheese labelled 'active failures', 'preconditions' and 'latent failures'.

These attempts to combine the theories still cause confusion today. A more correct version of the combined theories shows the slices of cheese as the barriers, with the active failures (now called immediate causes), preconditions and latent failures (now called underlying causes) shown as the reasons each barrier (slice of cheese) has a hole in it.
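As an added example (not from the article or from Reason's work), the Python below turns the model into the arithmetic a layered-security design relies on: each slice is a layer with a constructed hole probability, and a shared latent failure that holes every slice at once shows how much less protection correlated layers give than the independent product suggests. The function names `aligned_hole_probability`, `slices_needed` and `simulate_incident_rate` and all probability values are chosen here for illustration.

```python
"""Added example: aligned-hole arithmetic for a stack of defensive layers.

Each slice is a layer; its hole probability is the chance a given hazard
finds that layer ineffective. A shared latent failure (one flawed procedure
reused by every layer) holes all slices at once, which is why correlated
layers protect far less than the independent product suggests.
All probabilities below are constructed illustration values.
"""
import math
import random
from typing import Sequence


def aligned_hole_probability(hole_probs: Sequence[float],
                             shared_latent_prob: float = 0.0) -> float:
    """Probability that one hazard passes every slice: the product of the
    per-slice hole probabilities when holes are independent, plus a shared
    latent failure q that lines up every hole directly: q + (1 - q) * product."""
    if not hole_probs:
        raise ValueError("at least one slice is required")
    for p in (*hole_probs, shared_latent_prob):
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"probability out of range: {p}")
    independent = math.prod(hole_probs)
    return shared_latent_prob + (1.0 - shared_latent_prob) * independent


def slices_needed(hole_prob: float, target: float) -> int:
    """Smallest number of identical independent slices whose aligned-hole
    probability falls below `target` (how many layers defense in depth
    needs for a given residual risk). Iterative, so no log rounding."""
    if not 0.0 < hole_prob < 1.0 or not 0.0 < target < 1.0:
        raise ValueError("hole_prob and target must lie strictly in (0, 1)")
    count, aligned = 0, 1.0
    while aligned >= target:
        aligned *= hole_prob
        count += 1
    return count


def simulate_incident_rate(hole_probs: Sequence[float], hazards: int,
                           shared_latent_prob: float = 0.0,
                           seed: int = 0) -> float:
    """Monte Carlo check of aligned_hole_probability: send `hazards`
    trajectories at the stack and count those that pass every slice."""
    rng = random.Random(seed)  # fixed seed keeps the estimate reproducible
    incidents = 0
    for _ in range(hazards):
        if rng.random() < shared_latent_prob:
            incidents += 1          # latent failure: every slice is holed
        elif all(rng.random() < p for p in hole_probs):
            incidents += 1          # independent holes happened to line up
    return incidents / hazards


if __name__ == "__main__":
    layers = [0.10, 0.20, 0.05]   # constructed per-layer hole probabilities
    print("independent:", aligned_hole_probability(layers))
    print("1% shared latent:", aligned_hole_probability(layers, 0.01))
    print("simulated:", simulate_incident_rate(layers, 200_000, 0.01))
    print("10% slices for <5e-4:", slices_needed(0.1, 5e-4))
```

With the constructed values, a 1% shared latent failure raises the aligned-hole probability from 0.001 to about 0.011, an order of magnitude, which is the practical reason a layered design must check that its layers do not share a common weakness.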

Examples of applications

New Zealand’s Swiss cheese model for managing COVID-19

The framework has been applied to a range of areas including aviation safety, various engineering domains, emergency service organizations, and as the principle behind layered security, as used in computer security and defense in depth. [11]

The model was used in some areas of healthcare. For example, a latent failure could be the similar packaging of two drugs that are then stored close to each other in a pharmacy. This failure would be a contributory factor in the administration of the wrong drug to a patient. Such research led to the realization that medical error can be the result of "system flaws, not character flaws", and that greed, ignorance, malice or laziness are not the only causes of error. [12]

The Swiss cheese model is nowadays widely used within process safety. Each slice of cheese is usually associated with a safety-critical system, often with the support of bow-tie diagrams. This use has become particularly common in oil and gas drilling and production, both for illustrative purposes and to support other processes, such as asset integrity management and incident investigation. [13]

Lubnau, Lubnau, and Okray apply the model to the engineering of firefighting systems, aiming to reduce human errors by "inserting additional layers of cheese into the system", namely the techniques of Crew Resource Management. [14]

Olson and Raz apply the model to improve deception in the methodology of experimental studies, with multiple thin layers of cheese representing subtle components of deception which hide the study hypothesis. [15]

References

  1. Reason, James (1990-04-12). "The Contribution of Latent Human Failures to the Breakdown of Complex Systems". Philosophical Transactions of the Royal Society of London. Series B, Biological Sciences. 327 (1241): 475–84. Bibcode:1990RSPTB.327..475R. doi:10.1098/rstb.1990.0090. JSTOR 55319. PMID 1970893.
  2. "Revisiting the Swiss cheese model of accidents". Eurocontrol. October 2006.
  3. Reason, James (1990). Human Error. New York, N.Y.: Cambridge University Press. ISBN 978-0-521-30669-0.
  4. Daryl Raymond Smith; David Frazier; L. W. Reithmaier & James C. Miller (2001). Controlling Pilot Error. McGraw-Hill Professional. p. 10. ISBN 0071373187.
  5. Jo. H. Wilson; Andrew Symon; Josephine Williams & John Tingle (2002). Clinical Risk Management in Midwifery: the right to a perfect baby? Elsevier Health Sciences. pp. 4–6. ISBN 0750628510.
  6. Tim Amos & Peter Snowden (2005). "Risk management". In Adrian J. B. James; Tim Kendall & Adrian Worrall (eds.). Clinical Governance in Mental Health and Learning Disability Services: A Practical Guide. Gaskell. p. 176. ISBN 1904671128.
  7. Stranks, J. (2007). Human Factors and Behavioural Safety. Butterworth-Heinemann. pp. 130–31. ISBN 9780750681551.
  8. Robert A. Frosch (2006). "Notes toward a theory of the management of vulnerability". In Philip E. Auerswald; Lewis M. Branscomb; Todd M. La Porte; Erwann Michel-Kerjan (eds.). Seeds of Disaster, Roots of Response: How Private Action Can Reduce Public Vulnerability. Cambridge University Press. p. 88. ISBN 0521857961.
  9. Wiegmann, Douglas A.; Shappell, Scott A. (2003). A Human Error Approach to Aviation Accident Analysis: The Human Factors Analysis and Classification System. Ashgate Publishing. pp. 48–49. ISBN 0754618730.
  10. Wiles, Siouxsie (22 October 2020). "Siouxsie Wiles & Toby Morris: Covid-19 and the Swiss cheese system". The Spinoff. Retrieved 28 October 2020.
  11. Taylor, G. A.; Easter, K. M.; Hegney, R. P. (2004). Enhancing Occupational Safety and Health. Elsevier. pp. 140–41, 147–53, 241–45. ISBN 0750661976.
  12. Patricia Hinton-Walker; Gaya Carlton; Lela Holden & Patricia W. Stone (2006-06-30). "The intersection of patient safety and nursing research". In Joyce J. Fitzpatrick & Patricia Hinton-Walker (eds.). Annual Review of Nursing Research Volume 24: Focus on Patient Safety. Springer Publishing. pp. 8–9. ISBN 0826141366.
  13. CCPS in association with Energy Institute (2018). Bow Ties in Risk Management: A Concept Book for Process Safety. New York, N.Y. and Hoboken, N.J.: AIChE and John Wiley & Sons. ISBN 9781119490395.
  14. Thomas Lubnau II; Randy Okray & Thomas Lubnau (2004). Crew Resource Management for the Fire Service. PennWell Books. pp. 20–21. ISBN 1593700067.
  15. Olson, Jay A.; Raz, Amir (2021). "Applying insights from magic to improve deception in research: The Swiss cheese model". Journal of Experimental Social Psychology. 92: 104053. doi:10.1016/j.jesp.2020.104053. S2CID 228919455.