The Swiss Cheese Model

The Swiss Cheese Model is a way of explaining how accidents happen in complex, defended systems, introduced by the psychologist James Reason. In his 2000 British Medical Journal article “Human error: models and management,” Reason describes the defenses in a high-technology system as resembling “slices of Swiss cheese, having many holes.” The holes are not fixed; they are continually “opening, shutting, and shifting their location.” An accident occurs only when, as he puts it, “holes in many layers momentarily line up to permit a trajectory of accident opportunity.”

The key insight is that no single failure is usually enough to cause harm, because a well-designed system has multiple independent layers of defense: training, procedures, alarms, automated safeguards, reviews. For a hazard to pass through every layer and cause damage, a weakness must exist in each layer at the same moment. Most of the time at least one layer holds and the would-be accident is stopped. Disaster requires an unlucky alignment of many holes at once.

Reason distinguishes two kinds of holes. Active failures are “unsafe acts committed by people who are in direct contact” with the system, taking the form of “slips, lapses, fumbles, mistakes, and procedural violations,” with direct and usually short-lived effects. Latent conditions are the deeper, dormant weaknesses built in by designers and managers, the “inevitable resident pathogens within the system.” Latent conditions “may lie dormant within the system for many years” before they combine with an active failure to open a complete path through the defenses.

This framing led Reason to contrast two approaches to error. The person approach focuses on the individuals at the sharp end and tries to reduce error through blame, retraining, and exhortation. The system approach concentrates on the conditions under which people work and builds defenses to catch the errors that will inevitably occur. Reason argued that the system approach is more effective, because human fallibility cannot be eliminated but the systems people work within can be redesigned.

Though it came from healthcare and broader safety science, the Swiss Cheese Model has been widely adopted in software reliability. It explains why outages so often trace back to a chain of small problems rather than a single dramatic failure, and it provides the intellectual basis for blameless analysis and for adding layers of defense rather than punishing the last person to touch a system. Its emphasis on latent conditions also complements normal accident theory’s argument that complex, tightly coupled systems are prone to failures that no single safeguard can prevent.

Last verified June 8, 2026