Swiss cheese model on:
[Wikipedia]
[Google]
[Amazon]
The Swiss cheese model of
In the Swiss cheese model, an organization's defenses against failure are modeled as a series of imperfect barriers, represented as slices of cheese, specifically Swiss cheese with holes known as "
The framework has been applied to a range of areas including
The Swiss cheese model of accident
An accident is an unintended, normally unwanted event that was not deliberately caused by humans. The term ''accident'' implies that the event may have been caused by Risk assessment, unrecognized or unaddressed risks. Many researchers, insurers ...
causation is a model used in risk analysis
In simple terms, risk is the possibility of something bad happening. Risk involves uncertainty about the effects/implications of an activity with respect to something that humans value (such as health, well-being, wealth, property or the environ ...
and risk management
Risk management is the identification, evaluation, and prioritization of risks, followed by the minimization, monitoring, and control of the impact or probability of those risks occurring. Risks can come from various sources (i.e, Threat (sec ...
. It likens human systems to multiple slices of Swiss cheese, which have randomly placed and sized holes in each slice, stacked side by side, in which the risk of a threat becoming a reality is mitigated by the different types of defenses which are "layered" behind each other. Therefore, in theory, lapses and weaknesses in one defense (e.g. a hole in one slice of cheese) do not allow a risk to materialize, since other defenses also exist (e.g. other slices of cheese), to prevent a single point of failure
A single point of failure (SPOF) is a part of a system that would Cascading failure, stop the entire system from working if it were to fail. The term single point of failure implies that there is not a backup or redundant option that would enab ...
.
The model was originally formally propounded by James T. Reason of the University of Manchester
The University of Manchester is a public university, public research university in Manchester, England. The main campus is south of Manchester city centre, Manchester City Centre on Wilmslow Road, Oxford Road. The University of Manchester is c ...
, and has since gained widespread acceptance. It is sometimes called the "cumulative act effect". Applications include aviation safety
Aviation safety is the study and practice of managing risks in aviation. This includes preventing aviation accidents and incidents through research, educating air travel personnel, passengers and the general public, as well as the design of airc ...
, engineering
Engineering is the practice of using natural science, mathematics, and the engineering design process to Problem solving#Engineering, solve problems within technology, increase efficiency and productivity, and improve Systems engineering, s ...
, healthcare
Health care, or healthcare, is the improvement or maintenance of health via the preventive healthcare, prevention, diagnosis, therapy, treatment, wikt:amelioration, amelioration or cure of disease, illness, injury, and other disability, physic ...
, emergency service organizations, and as the principle behind layered security, as used in computer security
Computer security (also cybersecurity, digital security, or information technology (IT) security) is a subdiscipline within the field of information security. It consists of the protection of computer software, systems and computer network, n ...
and defense in depth.
Although the Swiss cheese model is respected and considered a useful method of relating concepts, it has been subject to criticism that it is used too broadly, and without enough other models or support.
Holes and slices
In the Swiss cheese model, an organization's defenses against failure are modeled as a series of imperfect barriers, represented as slices of cheese, specifically Swiss cheese with holes known as "eyes
An eye is a sensory organ that allows an organism to perceive visual information. It detects light and converts it into electro-chemical impulses in neurons (neurones). It is part of an organism's visual system.
In higher organisms, the ey ...
", such as Emmental cheese
Emmental, Emmentaler, or Emmenthal is a yellow, medium-hard cheese that originated in the Emme Valley in Switzerland. It is classified as a Swiss-type cheese.
History
Emmental cheese originates from the Emme Valley in Switzerland.
It has a ...
. The holes in the slices represent weaknesses in individual parts of the system and are continually varying in size and position across the slices. The system produces failures when holes in each slice momentarily align, permitting (in Reason's words) "a trajectory of accident opportunity", so that a hazard passes through holes in all of the slices, leading to a failure.
Frosch described Reason's model in mathematical terms as a model in percolation theory
In statistical physics and mathematics, percolation theory describes the behavior of a network when nodes or links are added. This is a geometric type of phase transition, since at a critical fraction of addition the network of small, disconnected ...
, which he analyses as a Bethe lattice.
Active and latent failures
The model includes ''active'' and '' latent'' failures. Active failures encompass the unsafe acts that can be directly linked to an accident, such as (in the case of aircraft accidents) anavigation
Navigation is a field of study that focuses on the process of monitoring and controlling the motion, movement of a craft or vehicle from one place to another.Bowditch, 2003:799. The field of navigation includes four general categories: land navig ...
error. Latent failures include contributory factors that may lie dormant for days, weeks, or months until they contribute to the accident. Latent failures span the first three domains of failure in Reason's model.
In the early days of the Swiss cheese model, late 1980 to about 1992, attempts were made to combine two theories: James Reason's multi-layer defence model and Willem Albert Wagenaar's tripod theory of accident causation. This resulted in a period in which the Swiss cheese diagram was represented with the slices of cheese labelled 'active failures', 'preconditions' and 'latent failures'.
The attempts to combine these theories still cause confusion today. A more correct version of the combined theories is shown with the active failures (now called ''immediate causes''), preconditions and latent failures (now called ''underlying causes'') shown as the reason each barrier (slice of cheese) has a hole in it, and the slices of cheese as the barriers.
Examples of applications
The framework has been applied to a range of areas including aviation safety
Aviation safety is the study and practice of managing risks in aviation. This includes preventing aviation accidents and incidents through research, educating air travel personnel, passengers and the general public, as well as the design of airc ...
, various engineering
Engineering is the practice of using natural science, mathematics, and the engineering design process to Problem solving#Engineering, solve problems within technology, increase efficiency and productivity, and improve Systems engineering, s ...
domains, emergency service organizations, and as the principle behind layered security, as used in computer security
Computer security (also cybersecurity, digital security, or information technology (IT) security) is a subdiscipline within the field of information security. It consists of the protection of computer software, systems and computer network, n ...
and defense in depth.
The model was used in some areas of healthcare
Health care, or healthcare, is the improvement or maintenance of health via the preventive healthcare, prevention, diagnosis, therapy, treatment, wikt:amelioration, amelioration or cure of disease, illness, injury, and other disability, physic ...
. For example, a latent failure could be the similar packaging of two drugs that are then stored close to each other in a pharmacy. This failure would be a contributory factor in the administration of the wrong drug to a patient. Such research led to the realization that medical error
A medical error is a preventable adverse effect of care (" iatrogenesis"), whether or not it is evident or harmful to the patient. This might include an inaccurate or incomplete diagnosis or treatment of a disease, injury, syndrome, behavior, ...
can be the result of "system flaws, not character flaws", and that greed, ignorance, malice or laziness are not the only causes of error.
The Swiss cheese model is nowadays widely used within process safety. Each slice of cheese is usually associated to a safety-critical system
A safety-critical system or life-critical system is a system whose failure or malfunction may result in one (or more) of the following outcomes:
* death or serious injury to people
* loss or severe damage to equipment/property
* environmental h ...
, often with the support of bow-tie diagrams. This use has become particularly common when applied to oil and gas drilling and production, both for illustrative purposes and to support other processes, such as asset integrity management and incident investigation.
Lubnau, Lubnau II, and Okray apply the model to the engineering of firefighting systems, aiming to reduce human errors by "inserting additional layers of cheese into the system", namely the techniques of Crew Resource Management.
Olson and Raz apply the model to improve deception in the methodology of experimental studies, with multiple thin layers of cheese representing subtle components of deception which hide the study hypothesis.
See also
* Chain of events (accident analysis) * Healthcare error proliferation model *Iteration
Iteration is the repetition of a process in order to generate a (possibly unbounded) sequence of outcomes. Each repetition of the process is a single iteration, and the outcome of each iteration is then the starting point of the next iteration.
...
* Latent human error
* Mitigation
Mitigation is the reduction of something harmful that has occurred or the reduction of its harmful effects. It may refer to measures taken to reduce the harmful effects of hazards that remain ''in potentia'', or to manage harmful incidents that ...
* Proximate and ultimate causation
* Proximate cause
In law and insurance, a proximate cause is an event sufficiently related to an injury that the courts deem the event to be the cause of that injury. There are two types of causation in the law: cause-in-fact, and proximate (or legal) cause. Ca ...
* Redundancy (engineering)
In engineering and systems theory, redundancy is the intentional duplication of critical components or functions of a system with the goal of increasing reliability of the system, usually in the form of a backup or fail-safe, or to improve a ...
* Root cause analysis
In science and engineering, root cause analysis (RCA) is a method of problem solving used for identifying the root causes of faults or problems. It is widely used in IT operations, manufacturing, telecommunications, industrial process control, ...
* System accident
* Systems engineering
Systems engineering is an interdisciplinary field of engineering and engineering management that focuses on how to design, integrate, and manage complex systems over their Enterprise life cycle, life cycles. At its core, systems engineering uti ...
* Systems modelling
A system is a group of interacting or interrelated elements that act according to a set of rules to form a unified whole. A system, surrounded and influenced by its environment, is described by its boundaries, structure and purpose and is exp ...
References
{{Reflist, 2 Aviation safety Error Failure Metaphors referring to food and drink Process safety Safety engineering Scientific models