Breaking the Chain

On the evening of December 28, 1978, United Airlines Flight 173 was on approach to Portland, Oregon when the flight crew noticed an anomaly with the landing gear indication. The gear appeared to be down, but the nose gear light was not illuminating normally. The captain elected to enter a holding pattern while the crew troubleshot the problem.

The troubleshooting took time. The captain was experienced and methodical, and he wanted to be certain about the gear before landing. While he worked the problem, the aircraft burned fuel. The first officer made several mentions of the fuel state, growing more urgent as time passed. The flight engineer calculated their situation directly at one point. The captain acknowledged and said they would be going in shortly.

They did not go in shortly. The aircraft continued to hold. The fuel continued to burn.

At 18:15 local time, approximately thirty-five miles southeast of Portland, all four engines flamed out. The crew declared an emergency and executed a forced landing in a suburban neighborhood. Eight passengers and two crew members were killed. The aircraft was destroyed.

The landing gear, the investigation later determined, had been down and locked the entire time. The indicator light had burned out.

The Swiss Cheese Model

James Reason, a British psychologist, developed what he called the Swiss Cheese Model of accident causation in the 1990s. The model has become fundamental to aviation safety — and to safety thinking in medicine, nuclear power, and any field where the consequences of error are catastrophic.

The core insight is this: accidents rarely have a single cause. They happen when multiple failures — mechanical, procedural, human — align in a specific sequence that allows the error to propagate all the way to the outcome.

Reason's cheese slices represent the defenses that exist in any complex system: checklists, procedures, automation, regulations, crew resource management training, maintenance programs. Each slice has holes — points where the defense is incomplete or can fail. Most of the time, the holes don't align. A failure at one layer is caught by the defense at the next. The accident chain is broken.

But when the holes align — when multiple defenses fail simultaneously, or fail in sequence — the error propagates through every layer and reaches the outcome. The accident that "should have been impossible" given the number of defenses in place becomes, in retrospect, the almost inevitable result of a specific combination of failures that the individual defenses were each insufficient to catch.

The Chain in Portland

United 173 illustrates the Swiss Cheese Model with painful clarity.

The initiating event — the burned-out indicator light — was a minor maintenance failure. In isolation, it was harmless. The landing gear was functional. The problem was in the indication, not the mechanism.

The first hole was the captain's fixation on the gear problem. His attention was fully occupied with troubleshooting, and his awareness of the fuel situation degraded as a result. This is a well-documented human factors phenomenon called cognitive tunneling — the tendency, under stress, to focus narrowly on the most salient problem at the expense of peripheral awareness.

The second hole was crew resource management — or rather, its absence. The first officer and flight engineer both recognized the fuel emergency that was developing. They communicated it. But they communicated it in ways that were too deferential, too ambiguous, insufficiently direct. The hierarchical culture of 1970s cockpits made it difficult for junior crew members to directly confront a senior captain, even when his life and the lives of everyone aboard depended on it.

The third hole was the procedural framework of the era. Fuel management checklists existed, but the crew was not using them systematically in the chaos of the gear indication problem.

The holes aligned. The engines stopped. People died.

The Conservative Instinct

There is a political philosophy embedded in the Swiss Cheese Model that I believe Edmund Burke would have recognized.

The model teaches that complex systems are most safely governed by multiple, overlapping, redundant defenses — that relying on any single safeguard, no matter how well-designed, is insufficient. This is a deeply conservative insight. It is the argument for institutional checks and balances translated into operational safety terms.

The radical impulse — whether in governance, in engineering, or in organizational design — is toward simplicity and efficiency. Why maintain multiple overlapping defenses when a single sufficiently robust one would do? Why preserve redundant institutions when a unified, streamlined structure could accomplish the same goals more efficiently?

The answer is that complex systems fail in complex ways, and the failures rarely announce themselves clearly before they propagate. The defense that seemed unnecessary is often the one that catches the error the primary defense missed. The institution that seemed redundant is often the one that remains functional when the primary institution fails. The crew member whose objection seemed impertinent is often the one who broke the chain.

The Swiss Cheese Model is, in this sense, a technical argument for the kind of institutional humility that Burke spent his career advocating. Systems that survive catastrophic failure are systems built with the assumption that any single component can fail, and defended accordingly.

Breaking the Chain

The most important lesson of the Swiss Cheese Model is not that accidents are inevitable. It is that they are almost always preventable — because error chains can always be broken.

United 173 was not doomed when the indicator light burned out. It was not doomed when the captain fixated on the gear problem. It was not doomed, arguably, even when the fuel state became critical. At every step of the sequence, someone in the cockpit had the information, the authority, and the opportunity to break the chain.

The first officer who states clearly: "Captain, we have approximately twenty minutes of fuel remaining and we need to land now." The flight engineer who physically hands the captain a fuel calculation and says, "Sir, this is an emergency." The captain who recognizes his own cognitive tunneling and explicitly breaks out of the gear troubleshooting to ask: "What's our fuel state, and what's our emergency plan?"

Any one of these interventions breaks the chain. The cheese slices don't align. The accident doesn't happen.

This is also the conservative political instinct — not the pessimistic one that says nothing can be prevented, but the practical one that says prevention requires active engagement, not passive reliance on systems to work as designed. The citizen who participates in civic life, who speaks when something seems wrong, who doesn't assume that the institutions will catch the error on their own — that citizen is breaking error chains before they propagate.

The error chain is always present. It is always building. The question is whether someone will interrupt it before the holes align.

Someone can. Someone must. It might as well be you.