Pilot training

Safety-II: the brand new concept of the “complex” Swiss cheese model 1/2

Pilot training and pilot debriefing are linchpins of flight safety. Before the World Aviation Training Summit (WATS) 2019, let’s discuss this subject openly! Here is a new series of articles by our Senior Advisor, Captain Pierre Wannaz, that will be published every Tuesday before the conference & trade show opens on April 30th, 2019.
By Capt. Pierre Wannaz - Apr 03, 2019

Part 1/2: A new approach applied to the aviation industry


A free adaptation of the Safety-II approach applied to civil aviation

For decades, flight safety has focused on the so-called Safety-I approach. Flight safety has been improved by learning from accidents and serious incidents.

This approach has been extremely successful as the accident rate has been drastically reduced.

[Figure: aircraft accident reduction]

The safety improvement reached in aviation is fantastic. Unfortunately, it is easy to see that the progress curve is today almost flat!

“Most probably, the Safety-I system has reached its limits.”


To achieve further safety improvements, we need a new approach.

The classical approach of Safety-I was depicted by the model created by Dante Orlandella and James T. Reason of the University of Manchester called the Swiss Cheese model or the “cumulative act effect” (see more in the FSF Skybrary here).

[Figure: The Swiss cheese model: hazards / losses]

With this approach, flight safety has analyzed the serious incidents and accidents in order to improve safety. The “safety plates” put in place in the model became tighter (fewer potential holes in the plates) or new plates have been added in order to stop a hazard potentially leading to a disaster (the red arrow).

Safety-I has failed! A concrete example

“One crash could have most probably been avoided applying an efficient Safety-II approach.”


Relatively soon after the Lion Air 737 Max accident, it was clear that a failure of the AoA activated the MCAS (Maneuvering Characteristics Augmentation System) (system explained here). The crew could not cope with the MCAS activation as the nose down input eventually was greater than the authority of the elevator. After this accident, some information was spread in written form to the 737 Max pilots.

[Figure: Lion Air crash]

The accident investigation, following the classical industry Safety-I approach, started as a long and detailed investigation on flight LNI610. This investigation will in a few months or years bring some conclusions.

In the meantime, while the accident investigation was still ongoing, a second 737 Max facing similar problems was also lost.

Experts have realized in the simulator that the pilots only had about 40 seconds to react correctly to the MCAS activation; thereafter, it was too late.

40 seconds might seem a long time, but… If you are fighting in a cockpit against automation that goes wrong, if you try to keep the aircraft under control with numerous apparent warnings, having the stick shaker operating, having to navigate out of potential obstacles and communicate with the copilot, the tower, if not the pax or cabin crew… 40 seconds is an extremely short period of time!

How could Safety-II have changed the situation for the second crew facing a similar issue?

One day before the Lion Air crash, during flight LNI043 in the same aircraft, an off-duty pilot who was sitting in the jump seat was able to realize that the trouble might be related to a trim issue, and the crew cut both trim switches. This action most probably saved this flight, which continued normally to the intended destination. That was a non-issue (except for the technical part) for the airline.

The next crew that took the defective plane did not have this chance…

The Lion Air crash most probably could not have been avoided with the crippled aircraft, unless the information from the crew that saved the aircraft on the previous flight had been forwarded to the next crew in an efficient way – for example, if there had been the possibility to link an animation into the technical logbook… But this is still science fiction. For the time being, it is impossible in many countries due to data protection issues. Technically, it is possible with CEFA AMS within minutes after landing.

But what about the second loss? How could the Safety-II concept have had a positive impact, instead of waiting for the accident investigation conclusions?

The crew operating the plane previous to the Lion Air crash had found the solution and saved this aircraft!

Spreading the news in an understandable form among the 737 Max pilots could have been a game-changer, and we had time to do it. The written form seems to have been insufficient, and there are some reasons for that:

  • The bulletins sent to pilots are usually very focused on technical explanations given by engineers, perfectly correct but sometimes hard to translate into practical information for the pilots;
  • The dynamic of the situation and the limited time available in case of such a failure are almost impossible to understand from the classical written form.

Try to imagine if an animation of the flight, which had been saved on the day previous to the first loss, would have been created with a tool like CEFA AMS, and if this animation had been spread together with technical information among the 737 Max pilots…

The situation awareness could have been massively raised. By being able to see all the implications on instruments, like the stick shaker and trim movement, pilots who had studied such an animation would have been much better prepared and aware of the problem and its consequences. The initial startle effect would have been much shorter, and so a correct reaction and manipulation could have been performed before these 40 seconds had elapsed.

Safety-I is efficient in the long term, but it is time-consuming. As Safety-II learns from good practice, it can be implemented very rapidly with the correct tools.

“The industry approach has to be adapted to these new possibilities… because such a double crash related to similar failures can and must definitely be avoided!”


How can Safety-II change and bring improvement compared to the classical Safety-I approach?

Have a look at the following picture. This graph represents pilots’ reactions when confronted with an event.

[Figure: improving pilot training]

The zero on the base scale represents a nominal reaction (as expected from the airline/manufacturer and regulator). As seen on the graph, most pilots react very close to the nominal demanded response as expected.

A few pilots are massively overperforming; they are located on the far right of the scale. Here I am thinking of Captain Sullenberger on the Hudson River or Captain de Crespigny of QF 92 in Singapore in his massively crippled A380…

Unfortunately, the ones at the far left side of the scale in the red zone have been massively underperforming.

The Safety-I approach has been focusing mainly on these underperforming crews.

The Safety-II approach is a much more holistic approach…


See the green square on the graph

The Safety-II approach looks at whether it is possible to use the whole envelope of reactions in order to learn from positive or minor negative outcomes instead of only focusing on the massive sub-performers.

“By learning from all these outcomes, the resilience of the system can be improved and the model of the Swiss cheese becomes a little more complex.”


In this new approach, the main difference is that we do not consider an event as a single linear occurrence that needs to be stopped by filling a hole or adding a safety plate.

In the graph shown above, there are yellow stars between each plate. This is the place where the resilience of a crew can make a difference! The path of an event can be changed on multiple occasions during the propagation of a hazard. If the crew is in a position to change the course of the event by having it blocked by the next safety plate (represented by the green arrows), an unwanted outcome can be stopped (the orange arrow).


You can also come and talk with Pierre in person at the CEFA Aviation booth #210 during the World Aviation Training Summit (WATS) in Orlando, USA, from 30th April to 2nd May 2019.

Next to be read: “Safety-II – The brand new concept of the “complex” Swiss Cheese Model – Part 2/2: A closer look at a tragic accident: lessons learned” 
