One of the key concepts associated with error management is that of “defences in depth”, based on the premise that there are many stages in any system where errors can occur, and similarly many stages where defences can be built to prevent and trap errors. Professor James Reason covers error management in his book “Human Error”.
Reason’s ‘Swiss Cheese Model’
In his research, Reason has highlighted the concept of “defences” against human error within an organisation, and has coined the notion of “defences in depth”. Examples of defences are pre-flight checks, automatic warnings, challenge-response procedures, etc., which help prevent or “trap” human errors, reducing the likelihood of negative consequences. It is when these defences are weakened and breached that human errors can result in incidents or accidents. These defences have been portrayed diagrammatically as several slices of Swiss cheese (and hence the model has become known as Professor Reason’s Swiss cheese model).
Some failures are ‘latent’, meaning that they were made at some point in the past and lie dormant. Such a failure may have been introduced at the time an aircraft was designed, or may be associated with a management decision. Errors made by front-line personnel, such as flight crew, are “active” failures. The more holes in a system’s defences, the more likely it is that errors result in incidents or accidents, but it is only in certain circumstances, when all the holes ‘line up’, that these occur. Usually, if an error has breached the design or engineering defences, it reaches the flight operations defences (e.g. an in-flight warning) and is detected and handled at this stage. However, occasionally in aviation an error can breach all the defences (e.g. a pilot ignores an in-flight warning, believing it to be a false alarm) and a catastrophic situation ensues.
Error Detection and Prevention
The concept of redundancy should be applied at all stages of the aviation system, never assuming that one single mechanism, especially if human, will detect and prevent an error. CRM provides a form of redundancy in that it emphasises the role of the second pilot in checking what the first pilot has done. There is a potential danger with independent checks that the second person will trust the first person not to have done anything wrong, and therefore not carry out the second check properly. CRM dual checking is one of the last lines of defence, especially if no automatic system checks and alerts are present. When running through SOPs which require challenge-response checks, pilots should always be alert to the possibility that their colleague may have made an error, no matter how much they might trust and respect the other pilot. Similarly, the pilot carrying out the first action should never become complacent and rely upon the other pilot detecting an error. (The same applies to pilot-ATC communications and readbacks.)
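The point about dependent checks can be made quantitative. The following Python script is an added illustration, not part of the original training text: it models each defence as a slice of cheese with a “hole” probability (the fraction of errors that slip past it), computes the chance that an error lines up with a hole in every slice when the slices fail independently, and then shows what happens when the final human cross-check is skipped out of trust some fraction of the time. The layer names and probabilities are constructed for the example and are not drawn from any real data.

```python
import random

# Constructed defence layers for the illustration: (name, hole probability).
# The hole probability is the fraction of errors that pass the layer undetected.
DEFENCES = [
    ("design review", 0.30),
    ("pre-flight check", 0.20),
    ("in-flight warning", 0.10),
    ("second-pilot cross-check", 0.10),
]


def breach_probability(hole_probs):
    """Probability that one error lines up with a hole in every slice,
    assuming the slices fail independently of one another."""
    p = 1.0
    for hole in hole_probs:
        p *= hole
    return p


def trusting_check_hole(hole, trust):
    """Effective hole of a human cross-check when the checker skips the check
    with probability `trust` (trusting the first pilot) and otherwise misses
    the error with probability `hole`.  The skipped check lets every error
    through, so the layer is far weaker than its nominal hole suggests."""
    return trust + (1.0 - trust) * hole


def breach_with_trust(defences, trust):
    """Breach probability when the last defence is a cross-check that is
    sometimes skipped out of trust.  All layers but the last keep their
    nominal hole; the last one is replaced by its trusting equivalent."""
    holes = [hole for _, hole in defences[:-1]]
    holes.append(trusting_check_hole(defences[-1][1], trust))
    return breach_probability(holes)


def simulate(hole_probs, trials, seed=1):
    """Monte Carlo estimate of breach_probability, as an independent check
    on the closed-form product.  Each trial is one error passing through
    every slice; a breach is counted only if every slice lets it through."""
    rng = random.Random(seed)
    breaches = 0
    for _ in range(trials):
        if all(rng.random() < hole for hole in hole_probs):
            breaches += 1
    return breaches / trials


if __name__ == "__main__":
    holes = [hole for _, hole in DEFENCES]
    print(f"independent layers:  {breach_probability(holes):.5f}")
    print(f"monte carlo estimate: {simulate(holes, 200_000):.5f}")
    for trust in (0.0, 0.5, 0.9):
        print(f"cross-check skipped {trust:.0%} of the time: "
              f"{breach_with_trust(DEFENCES, trust):.5f}")
```

With the constructed figures, four independent layers let roughly 6 errors in 10,000 through; if the cross-check is skipped half the time that rises more than fivefold, and at 90% trust the final layer contributes almost nothing. The model is deliberately simple (one error type, fixed probabilities), but it captures why the text insists that the second check must be carried out as if the first pilot might be wrong.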
It is essential to remember that we are all human and therefore all make mistakes from time to time, so assume the worst.
The following animation, of a military C5 Galaxy crash, shows how a simple error can have disastrous consequences. The number 2 engine was inoperative; however, during the approach the number 3 engine thrust lever was also inadvertently retarded to idle, leaving only number 1 and 3 to provide thrust.