HDL
Hazards, Defences & Losses Reason
Reason (1997) · Organisational accident model · Active & latent failures

Reason's Hazards–Defences–Losses scheme frames an accident as an uncontrolled trajectory from a hazard, through a defended sociotechnical system, to a loss. Losses occur when the defences erected between a hazard and its victims or assets are either absent or penetrated by a combination of active failures at the sharp end and latent conditions that lie dormant inside the organisation.

Overview of the model

In Managing the Risks of Organisational Accidents Reason integrates earlier work on error and defences into a single causal picture. Organisations deploy a portfolio of defences — hard (guards, interlocks, alarms, automatic shutdowns) and soft (procedures, licensing, training, supervision, safety culture). Each defence can fail for two distinct reasons: active failures, the unsafe acts of front-line operators whose effects are immediate, and latent conditions, the resident pathogens created upstream by designers, procedure writers, regulators and senior managers.

Latent conditions create local workplace factors (time pressure, undermanning, poor tools, fatigue) and error-producing conditions that translate into violations and slips at the sharp end. When a hazard is released, the trajectory only causes a loss if the defences-in-depth are simultaneously weakened. The model is the organisational elaboration of the Swiss-cheese metaphor and is the conceptual ancestor of HFACS and most modern SMS investigation standards.

HAZARD energy · agent Design Barriers Procedures Training Supervision Regulation LOSS people · assets · env. Active failures — sharp-end unsafe acts (slips · lapses · mistakes · violations) Latent conditions — upstream organisational & regulatory decisions Organisational factors · strategic decisions · resource allocation · safety culture · workplace conditions · maintenance programme · fatigue & roster design · regulatory oversight seed latent pathogens
Figure 1. Reason's organisational accident: a hazard trajectory penetrates successive defences weakened by active failures above and latent conditions below.

When to use it

Typical applications

  • Event investigation frameworks (HFACS, ICAO 9859)
  • Defence-in-depth audits in high-hazard industries
  • Designing the architecture of an SMS
  • Board-level safety-culture diagnostics
  • Regulatory oversight models and inspector training

Aviation relevance

  • Underpins ICAO's accident causation narrative in Doc 9859
  • HFACS taxonomy operationalises Reason's four tiers
  • Shapes EASA Annex 19-aligned SMS investigation guides
  • Used by NTSB, AAIB, TSB and BFU for organisational chapters
  • Guides fatigue, MRM and SMS integration in Part-145 audits

Benefits

Organisational reach

Moves analysis beyond the individual operator to include the designers, managers and regulators whose decisions create the conditions in which sharp-end errors occur.

Shared vocabulary

Active failure, latent condition, defence, and pathogen have become lingua franca across aviation, healthcare, rail and nuclear — enabling cross-industry learning.

Actionable leverage

Focuses remediation on defences and workplace conditions that can be engineered or managed, rather than on blaming individuals for unsafe acts.

Integration with SMS

Maps naturally onto safety assurance processes: hazard identification finds gaps; risk management strengthens defences; promotion addresses latent cultural conditions.

Limitations

Linear causation bias

The defences-in-depth picture implies a single trajectory; critics including Dekker, Hollnagel and Leveson argue that complex, nonlinear couplings are poorly captured by a sequential metaphor.

Hindsight calibration

Latent conditions are only legible after a loss. Applied prospectively the model risks a proliferation of plausible-but-unverifiable "pathogens" limited only by the analyst's imagination.

Boundary problems

It is difficult to decide where the organisation ends and the regulator, contractor or customer begins — ambiguity that complicates both investigation and accountability.

Defences as static objects

Real defences are actively maintained by people; treating them as discrete slices underweights the continuous work of monitoring, adapting and repairing them during normal operations.

In short

Reason's HDL scheme reframes accidents as organisational phenomena: losses occur when a hazard trajectory punches through defences whose integrity has already been compromised by latent conditions seeded upstream and active failures at the sharp end.

References (APA 7)

Reason, J. (1990). Human error. Cambridge University Press.

Reason, J. (1997). Managing the risks of organizational accidents. Ashgate.

Reason, J. (2008). The human contribution: Unsafe acts, accidents and heroic recoveries. Ashgate.

Reason, J., Hollnagel, E., & Paries, J. (2006). Revisiting the Swiss cheese model of accidents (EEC Note No. 13/06). EUROCONTROL.

Shappell, S. A., & Wiegmann, D. A. (2000). The human factors analysis and classification system — HFACS (DOT/FAA/AM-00/7). FAA.

International Civil Aviation Organization. (2018). Safety management manual (Doc 9859, 4th ed.). ICAO.

Further reading

Dekker, S. (2006). The field guide to understanding human error. Ashgate.

Hollnagel, E. (2004). Barriers and accident prevention. Ashgate.

Leveson, N. G. (2011). Engineering a safer world: Systems thinking applied to safety. MIT Press.

Perneger, T. V. (2005). The Swiss cheese model of safety incidents: Are there holes in the metaphor? BMC Health Services Research, 5, 71.

Underwood, P., & Waterson, P. (2014). Systems thinking, the Swiss cheese model and accident analysis. Accident Analysis & Prevention, 68, 75–94.