Swiss cheese model on:
[Wikipedia]
[Google]
[Amazon]
The Swiss cheese model of
In the Swiss cheese model, an organisation's defenses against failure are modeled as a series of imperfect barriers, represented as slices of cheese, specifically Swiss cheese with holes known as "
The same framework can be applicable in some areas of healthcare. For example, a latent failure could be the similar packaging of two drugs that are then stored close to each other in a pharmacy. This failure would be a contributory factor in the administration of the wrong drug to a patient. Such research led to the realization that
The Swiss cheese model of accident
An accident is an unintended, normally unwanted event that was not directly caused by humans. The term ''accident'' implies that nobody should be blamed, but the event may have been caused by unrecognized or unaddressed risks. Most researche ...
causation is a model used in risk analysis and risk management, including aviation safety
Aviation safety is the study and practice of managing risks in aviation. This includes preventing aviation accidents and incidents through research, educating air travel personnel, passengers and the general public, as well as the design of airc ...
, engineering
Engineering is the use of scientific method, scientific principles to design and build machines, structures, and other items, including bridges, tunnels, roads, vehicles, and buildings. The discipline of engineering encompasses a broad rang ...
, healthcare, emergency service organizations, and as the principle behind layered security, as used in computer security
Computer security, cybersecurity (cyber security), or information technology security (IT security) is the protection of computer systems and networks from attack by malicious actors that may result in unauthorized information disclosure, t ...
and defense in depth
Defence in depth (also known as deep defence or elastic defence) is a military strategy that seeks to delay rather than prevent the advance of an attacker, buying time and causing additional casualties by yielding space. Rather than defeating ...
. It likens human systems to multiple slices of Swiss cheese, stacked side by side, in which the risk of a threat becoming a reality is mitigated by the differing layers and types of defenses which are "layered" behind each other. Therefore, in theory, lapses and weaknesses in one defense do not allow a risk to materialize, since other defenses also exist, to prevent a single point of failure
A single point of failure (SPOF) is a part of a system that, if it fails, will stop the entire system from working. SPOFs are undesirable in any system with a goal of high availability or reliability, be it a business practice, software appl ...
. The model was originally formally propounded by James T. Reason of the University of Manchester
The University of Manchester is a public university, public research university in Manchester, England. The main campus is south of Manchester city centre, Manchester City Centre on Wilmslow Road, Oxford Road. The university owns and operates majo ...
, and has since gained widespread acceptance. It is sometimes called the "cumulative act effect".
Although the Swiss cheese model is respected and considered to be a useful method of relating concepts, it has been subject to criticism that it is used too broadly, and without enough other models or support.
Holes and slices
In the Swiss cheese model, an organisation's defenses against failure are modeled as a series of imperfect barriers, represented as slices of cheese, specifically Swiss cheese with holes known as "eyes
Eyes are organs of the visual system. They provide living organisms with vision, the ability to receive and process visual detail, as well as enabling several photo response functions that are independent of vision. Eyes detect light and c ...
", such as Emmental cheese. The holes in the slices represent weaknesses in individual parts of the system and are continually varying in size and position across the slices. The system produces failures when a hole in each slice momentarily aligns, permitting (in Reason's words) "a trajectory of accident opportunity", so that a hazard passes through holes in all of the slices, leading to a failure.
Frosch described Reason's model in mathematical terms as a model in percolation theory
In statistical physics and mathematics, percolation theory describes the behavior of a network when nodes or links are added. This is a geometric type of phase transition, since at a critical fraction of addition the network of small, disconnecte ...
, which he analyses as a Bethe lattice
In statistical mechanics and mathematics, the Bethe lattice (also called a regular tree) is an infinite connected cycle-free graph where all vertices have the same number of neighbors. The Bethe lattice was introduced into the physics literatur ...
.
Active and latent failures
The model includes Active and Passive failures. Active failures encompass the unsafe acts that can be directly linked to an accident, such as (in the case of aircraft accidents) anavigation
Navigation is a field of study that focuses on the process of monitoring and controlling the movement of a craft or vehicle from one place to another.Bowditch, 2003:799. The field of navigation includes four general categories: land navigation, ...
error. Latent failures include contributory factors that may lie dormant for days, weeks, or months until they contribute to the accident. Latent failures span the first three domains of failure in Reason's model.
In the early days of the Swiss Cheese model, late 1980 to about 1992, attempts were made to combine two theories: James Reason's multi-layer defence model and Willem Albert Wagenaar's tripod theory of accident causation. This resulted in a period in which the Swiss Cheese diagram was represented with the slices of cheese labelled as Active Failures, Preconditions and Latent Failures.
These attempts to combine these theories still causes confusion today. A more correct version of the combined theories is shown with the Active Failures (now called immediate causes) Precondition and Latent Failure (now called underlying causes) shown as the reason each barrier (slice of cheese) has a hole in it and the slices of cheese as the barriers.
Applications
The same framework can be applicable in some areas of healthcare. For example, a latent failure could be the similar packaging of two drugs that are then stored close to each other in a pharmacy. This failure would be a contributory factor in the administration of the wrong drug to a patient. Such research led to the realization that medical error
A medical error is a preventable adverse effect of care ("iatrogenesis"), whether or not it is evident or harmful to the patient. This might include an inaccurate or incomplete diagnosis or treatment of a disease, injury, syndrome, behavior, i ...
can be the result of "system flaws, not character flaws", and that greed, ignorance, malice or laziness are not the only causes of error.
The framework has also been applied to a range of other areas. For example, Lubnau, Lubnau, and Okray apply the model to the engineering of firefighting systems, aiming to reduce human errors by "inserting additional layers of cheese into the system", namely the techniques of Crew Resource Management
Crew resource management or cockpit resource management (CRM)Diehl, Alan (2013) "Air Safety Investigators: Using Science to Save Lives-One Crash at a Time." Xlibris Corporation. . http://www.prweb.com/releases/DrAlanDiehl/AirSafetyInvestigators/ ...
. Olson and Raz apply the model to improve deception in the methodology of experimental studies, with multiple thin layers of cheese representing subtle components of deception which hide the study hypothesis.
See also
*Chain of events (accident analysis)
In accident analysis, a chain of events (or error chain) consists of the contributing factors leading to an undesired outcome.
Aviation
In aviation accidents and incidents, these contributing actions typically stem from human factor-related ...
* Healthcare error proliferation model
* Iteration
Iteration is the repetition of a process in order to generate a (possibly unbounded) sequence of outcomes. Each repetition of the process is a single iteration, and the outcome of each iteration is then the starting point of the next iteration. ...
* Latent human error
Latent human error is a term used in safety work and accident prevention, especially in aviation, to describe human errors which are likely to be made due to systems or routines that are formed in such a way that humans are disposed to making thes ...
* Mitigation
* Proximate and ultimate causation
A proximate cause is an event which is ''closest'' to, or immediately responsible for causing, some observed result. This exists in contrast to a higher-level ultimate cause (or ''distal cause'') which is usually thought of as the "real" reason ...
* Proximate cause
In law and insurance, a proximate cause is an event sufficiently related to an injury that the courts deem the event to be the cause of that injury. There are two types of causation in the law: cause-in-fact, and proximate (or legal) cause. ...
* Redundancy (engineering)
In engineering, redundancy is the intentional duplication of critical components or functions of a system with the goal of increasing reliability of the system, usually in the form of a backup or fail-safe, or to improve actual system perfo ...
* Root cause analysis
In science and engineering, root cause analysis (RCA) is a method of problem solving used for identifying the root causes of faults or problems. It is widely used in IT operations, manufacturing, telecommunications, industrial process control, ...
* System accident
A system accident (or normal accident) is an "unanticipated interaction of multiple failures" in a complex system. This complexity can either be of technology or of human organizations, and is frequently both. A system accident can be easy to ...
* Systems engineering
Systems engineering is an interdisciplinary field of engineering and engineering management that focuses on how to design, integrate, and manage complex systems over their life cycles. At its core, systems engineering utilizes systems thinking ...
* Systems modelling
Systems modeling or system modeling is the interdisciplinary study of the use of models to conceptualize and construct systems in business and IT development.Philosophical Transactions of the Royal Society of London. Series B, Biological Sciences
''Philosophical Transactions of the Royal Society B: Biological Sciences'' is a biweekly peer-reviewed scientific journal published by the Royal Society. The editor-in-chief is John Pickett (Cardiff University).
Overview
Each issue covers a spe ...
, date=1990-04-12, volume=327, issue=1241, pages=475–84, title=The Contribution of Latent Human Failures to the Breakdown of Complex Systems, first=James, last=Reason, doi=10.1098/rstb.1990.0090, pmid=1970893, jstor=55319, bibcode=1990RSPTB.327..475R, doi-access=free
Error
Failure
Safety engineering
Hazard analysis
Aviation safety
Scientific models