Swiss cheese model

The Swiss cheese model of accident causation is a model used in risk analysis and risk management, including aviation safety, engineering, healthcare, emergency service organizations, and as the principle behind layered security, as used in computer security and defense in depth. It likens human systems to multiple slices of swiss cheese, stacked side by side, in which the risk of a threat becoming a reality is mitigated by the differing layers and types of defenses which are 'layered' behind each other. Therefore, in theory, lapses and weaknesses in one defense do not allow a risk to materialize, since other defenses also exist, to prevent a single point of failure. The model was originally formally propounded by Dante Orlandella and James T. Reason of the University of Manchester, and has since gained widespread acceptance. It is sometimes called the 'cumulative act effect'. The Swiss cheese model of accident causation is a model used in risk analysis and risk management, including aviation safety, engineering, healthcare, emergency service organizations, and as the principle behind layered security, as used in computer security and defense in depth. It likens human systems to multiple slices of swiss cheese, stacked side by side, in which the risk of a threat becoming a reality is mitigated by the differing layers and types of defenses which are 'layered' behind each other. Therefore, in theory, lapses and weaknesses in one defense do not allow a risk to materialize, since other defenses also exist, to prevent a single point of failure. The model was originally formally propounded by Dante Orlandella and James T. Reason of the University of Manchester, and has since gained widespread acceptance. It is sometimes called the 'cumulative act effect'. Although the Swiss cheese model is respected and considered to be a useful method of relating concepts, it has been subject to criticism that it is used too broadly, and without enough other models or support. Reason hypothesized that most accidents can be traced to one or more of four failure domains: organizational influences, supervision, preconditions, and specific acts. For example, in aviation, preconditions for unsafe acts include fatigued air crew or improper communications practices. Unsafe supervision encompasses for example, pairing inexperienced pilots on a night flight into known adverse weather. Organizational influences encompass such things as reduction in expenditure on pilot training in times of financial austerity. In the Swiss cheese model, an organisation's defenses against failure are modeled as a series of barriers, represented as slices of cheese. The holes in the slices represent weaknesses in individual parts of the system and are continually varying in size and position across the slices. The system produces failures when a hole in each slice momentarily aligns, permitting (in Reason's words) 'a trajectory of accident opportunity', so that a hazard passes through holes in all of the slices, leading to a failure. Frosch described Reason's model in mathematical terms as a model in percolation theory, which he analyses as a Bethe lattice. The model includes both active and latent failures. Active failures encompass the unsafe acts that can be directly linked to an accident, such as (in the case of aircraft accidents) a navigation error. Latent failures include contributory factors that may lie dormant for days, weeks, or months until they contribute to the accident. Latent failures span the first three domains of failure in Reason's model. In the early days of the Swiss Cheese model, late 1980 to about 1992, attempts were made to combine two theories: James Reason multi-layer defence model and Willem Albert Wagenaar’s Tripod theory of accident causation. This resulted in a period where the Swiss Cheese diagram was represented with the slices of cheese labels as Active Failures, Preconditions and latent failures.