Human Performance Improvement Part 4:
"Defense in Depth"
In previous articles in this series, I have used the term “Defense in Depth,” which is defined as: “successive layers of detection and prevention of errors to provide protection for workers from the consequence of error.”
The goal is to prevent and protect workers from the consequence of error. It is consistent with the first principle of HPI: workers are human and humans make errors. We all have made errors, some with low and some with severe consequence.
Defense in Depth is important because it facilitates the detection of human errors, and uses preventative measures to protect against injury.
The picture below is a model of defense in depth. (Adapted from Reason)
The best place to eliminate the hazard is during design. In some cases it is, unfortunately, not practical. For example, it would be safer to eliminate nuclear fuel rods at a power plant, but then the power plant wouldn't produce much power!
Any enterprise has risks that would be nearly impossible to eliminate. The NASA manned space program, in which we put people on top of a rocket and blasted them off the planet, is an example.
Using multiple fail-safes, the Engineering, Administrative, Cultural and Oversight Defense mechanisms serve to protect the worker from hazards and prevent injury.
Layered defenses are designed to work separately and together, allowing for failure with little or no consequence. The worker’s engagement is a factor at every level. From the design phase to task completion, worker involvement provides a critical ownership factor, accurate risk assessment, and hands-on insight into the effectiveness of the control measures.
Consider the operation of a motor vehicle. There are risks associated with this task. Eliminating the hazard (by not driving) is impractical.
Engineered defenses include seat belts, airbags, anti-lock brakes, back up warning systems, rear view mirrors, a steering wheel, etc. All of these and more are there to protect from, or lessen, the consequence of the inevitable error.
Among the administrative defenses are driver education, insurance, licensure, qualification and testing, speed limits and rules of the road.
Cultural defenses can take the form of agreed-upon rules of the road unique to a location. In the U.S. we drive on the right side of the road. Some countries use the left side. The introduction of traffic circles or roundabouts has gained popularity throughout the US. The protocols involved for entry and exit are clearly different in the United States than those in the United Kingdom:

Drivers in the UK commonly use their turn signals when entering and leaving traffic circles, since traffic circles are everywhere. In the US, traffic circles are fairly rare by comparison, and most drivers don't practice the correct safe technique of entry and exit.
Another cultural defense can be found in the color of the traffic signals. Green means go. Red is stop. But a yellow or amber traffic light can either mean "accelerate to clear the intersection" or "prepare to stop".
Oversight defenses include the police, speed control radar (manned or unmanned), cameras at intersections, etc. Other drivers can act as an oversight defense (especially from the rear seat location). Oversight is one sure way to demonstrate that, when behavior is observed, it changes.
Process changes, improvements, and procedural drift are inevitable in any system. An effective Defense in Depth strategy requires a constant review of tasks, and adjusting the controls in the Defense in Depth model as circumstances warrant.
The ultimate goal is to design a system that allows for an unanticipated failure, while preventing that failure from breaching all defenses and resulting in an injury.