Glossary

Reason's Swiss Cheese Model

Also known as: Swiss Cheese Model

Reason's Swiss Cheese Model, introduced by psychologist James Reason (1990), describes safety as consisting of multiple layers of defence — each with its own weaknesses or "holes." In any single layer, the holes may allow some hazards through; but when multiple layers are arranged in series, a hazard must find aligned holes in every layer simultaneously to cause harm.

The metaphor: each slice of Swiss cheese has holes, but the holes are in different places. To get through a whole block, a hazard must thread through aligned holes across many slices. Accidents occur only when the holes line up.

Layers of defence in a typical safety-critical system:

  • Engineering design (robust equipment)
  • Procedures and training
  • Supervision and monitoring
  • Automated checks and interlocks
  • Human vigilance
  • External regulation and audit

Each layer catches some errors the others miss. No single layer is expected to be perfect; safety comes from the independence and diversity of the layers.

Applied to interface design, the model argues for defence in depth: input validation, confirmation dialogs, undo capability, and audit logs each catch errors that the others miss. The goal is not to make any single mechanism bulletproof, but to ensure that multiple independent safeguards must fail simultaneously for an error to cause harm.

The model underlies modern approaches to accident investigation in aviation, healthcare, and nuclear power.

Related terms: Human Error, Slip, Lapse, Mistake

Also defined in: Textbook of Usability