
What Digital Health Should Steal From Aviation — and What It Shouldn't

"Medicine should be more like aviation" is the most repeated and least examined claim in patient safety. Some of it is gold; most of the laminated cargo is not.

Say "medicine should be more like aviation" in a room full of patient safety people and watch the heads nod. It is the field's most reliable applause line. It is also, almost always, said by someone who would be genuinely startled to learn how aviation actually earned its safety record — not through checklists and crisp cockpit discipline, which is the part everyone pictures, but through decades of mandatory, public, blame-protected reporting of its own failures. The laminated card is the souvenir. The reporting culture is the engine, and it is the part nobody wants to import, because importing it means writing down, on the record, the thing that went wrong on your watch.

So the comparison gets made backwards. People reach for aviation's outputs — the checklist, the huddle, the standard phrase — and skip the machinery that made those outputs mean anything. The result is a great deal of cargo-cult safety: the runway lights are out and the bamboo control tower is built, but no plane lands. It is worth sorting carefully, then, which imports from aviation actually pay for themselves, which transfer badly because medicine is not flying, and which are being shipped over with the culture left behind at customs.

What genuinely transfers

Start with the imports worth paying full price for, because they are real and medicine has under-bought them.

The first is blameless reporting with teeth — meaning legal teeth. Aviation's near-miss systems work not because pilots are unusually honest but because the structures around them make honesty survivable: report what happened, including your own error, and the report cannot be turned into the instrument of your punishment. That protection is the whole mechanism. Strip it out and reporting collapses into the thing it is everywhere people fear blame — sparse, defensive, and silent on exactly the close calls that carry the most information. Medicine has reporting systems. What it more often lacks is the credible promise that telling the truth into them won't end a career, and that gap, not a shortage of forms, is why so much of what nearly went wrong is never written down.

The second is the checklist — but only where the task is genuinely procedural. The surgical safety checklist became the field's favourite example for good reason; checking that the right patient is having the right procedure on the right side is exactly the kind of fixed, verifiable, sequence-able task a checklist was built for. The honesty the import requires is admitting the boundary. A checklist works where the steps are known and the order matters. It does nothing for the genuinely diagnostic problem — the undifferentiated patient, the atypical presentation, the judgement call under uncertainty — and pretending otherwise produces forms that get ticked without being read. The aviation version knows this. A pre-flight checklist confirms the flaps are set; it does not tell the pilot what to do when the weather is doing something the manual never anticipated.

The third is simulation for the rare, high-stakes event — the emergency that happens too seldom to learn on the job and too catastrophically to learn on the patient. Pilots rehearse engine failures they may never see in a career, precisely so that if the day comes, the response is rehearsed rather than improvised. Medicine has every reason to borrow this, and increasingly does: the crashing airway, the massive haemorrhage, the paediatric arrest are exactly the events where the first real attempt should not be the first attempt.

The fourth is standardised handover language — a shared structure for moving critical information between people without dropping the load-bearing detail in transit. Aviation does not leave the transfer of control to improvisation, and medicine's handovers, conducted at shift change by tired people about complex patients, are one of the most reliable places for harm to enter through an information gap. A common structure is cheap and it travels well.

Notice the thread. Every genuine import is a piece of culture or discipline — how failure is reported, where procedure is honoured, how rehearsal and handover are structured. None of them is the laminated card itself.

What transfers badly

Now the imports that break in transit, because the two domains are not the same shape, and pretending they are is its own small hazard.

Aircraft are standardised; patients are not. A 737 is, to a useful approximation, every other 737. The procedure that is correct for one is correct for the fleet, which is what makes a checklist a checklist and a fix a fix-for-all. Patients arrive as a population of one each — different physiology, different histories, different ways the same disease decides to present. A protocol that is exactly right for the modal patient can be wrong, sometimes dangerously, for the one in front of you, and medicine's hardest skill is the judgement of when the standard does not apply. Aviation's safety gains lean heavily on a uniformity medicine does not have and cannot manufacture.

Aviation can ground the fleet; medicine cannot ground the ward. When a model shows a systemic fault, regulators can stop every one of those airframes flying until it is understood and fixed, and they do. There is no equivalent move in medicine. You cannot suspend the emergency department while you investigate. The resuscitation in front of you cannot be cancelled pending review. The work continues, with the fault still in the system, because the alternative to imperfect care under load is not safe care — it is no care, which is worse. Much of aviation's discipline assumes a pause button medicine is never allowed to press.

The production pressures are not the same animal. A flight can be delayed or cancelled, and the entire incentive structure, while it pushes hard against delay, ultimately permits "we are not going today." Medicine's pressure runs in a direction with no such relief valve. The patient is already here. The shift is already short. The resuscitation cannot be rescheduled to a calmer Tuesday. Safety thinking built around the option to not-fly transfers awkwardly to a setting whose defining feature is that the demand cannot be turned off.

And the deepest mismatch: the pilot crashes with the plane. This is the incentive alignment medicine can never replicate, and it sits underneath far more of aviation's record than the laminated cards do. The person making the decisions at the front shares, exactly and immediately, the fate of everyone in the back. No safety system humans have built aligns motivation more completely. In medicine the clinician, whatever the weight they carry, does not share the patient's outcome in their own body. This is not a moral failing to be exhorted away. It is a structural fact, and any honest account of why aviation is so safe has to put it near the centre — which makes it precisely the part that cannot be copied, only compensated for by everything else.

The cargo-cult problem

Which brings us to how the comparison most often goes wrong in practice. The cargo cult builds the form of the thing and waits for the function to arrive on its own. It imports the artefact — the checklist, the huddle, the safety brief — and leaves behind the culture that made the artefact work, then is puzzled when the runway stays empty.

The checklist that becomes a checkbox is the cleanest example, and it is its own quiet failure: a list introduced to force genuine verification degrades, under time pressure and without the culture that gives it meaning, into a thing ticked to be seen to be ticked. The verification it was meant to compel never happens; only the tick survives. The artefact is present and the function is absent, which is the cargo cult in a single laminated line — and it rhymes exactly with how clinical safety work more broadly decays into the production of safety-shaped objects that change nothing about the actual system.

Underneath sits the measurement error that feeds the whole pattern: safety counted by compliance instead of outcome. How many checklists were completed. How many huddles were held. How many reports were filed. These are easy to count and feel like progress, and they measure the presence of the artefact, not the absence of harm. Aviation's reporting culture is not impressive because pilots file a lot of reports; it is impressive because the reports are honest, are read, and change what happens next. Import the filing and skip the honesty and the reading and the changing, and you have built the bamboo tower — every visible feature of safety, and none of the thing itself.

The digital health version

Now point all of this at clinical software, where the gap is starkest and the opportunity most under-claimed.

Software incident reporting in health tech is closer to aviation's 1950s than its present. When a clinical system fails — the result that silently never arrives, the wrong record surfaced, the alert that didn't fire — there is rarely any structured, mandatory, blame-protected channel that captures it, analyses it, and feeds the lesson back to everyone running something similar. The failure is handled locally, quietly, often defensively, and the information in it dies where it happened. Other teams building the same class of product learn nothing, and so the next team rediscovers the same hazard the same way, at the same cost, in the dark.

The missing institution is the one aviation built and medicine, for clinical software, never has: an independent body that investigates serious failures to understand them rather than to apportion blame, and publishes what it found so the whole field can stop repeating it. There is no accident investigation board for clinical software. When a digital health product contributes to harm, there is no neutral, expert, blame-separated investigation whose output is a public lesson rather than a private settlement. The knowledge that should compound across the industry instead disperses and is lost.

Picture the thing that does not yet exist. A serious near-miss and incident system for health software would be mandatory for failures above a defined severity, legally protected so that honest reporting is survivable, genuinely independent of the vendor whose product is under examination, and — the load-bearing part — public in its findings, so that a hazard discovered in one product becomes a warning available to every team building near it. That is not a laminated card. It is the actual engine, pointed at clinical software, and it is the single import from aviation most worth fighting for.

What this means

The aviation comparison is not wrong. It is just usually made for the wrong things — reached for by people who admire the cockpit's calm and the surgeon's checklist while quietly declining the part that made either matter: a half-century habit of telling the truth about failure, in public, with the teller protected. Steal that. Steal the blameless honest reporting, the procedure-where-procedure-fits, the rehearsal of the rare disaster, the discipline of the handover. Leave the fantasy that patients are airframes and wards can be grounded, and leave, above all, the cargo-cult instinct that builds the form and prays for the function. Aviation's gift to medicine was never the laminated card. It was the willingness to write down what went wrong and let everyone read it. That is the import worth fighting for, and in clinical software it has barely arrived.

Key Takeaways

  • Aviation's safety record was built on mandatory, public, blame-protected failure reporting — not checklists alone; the reporting culture is the engine and the laminated card is only the souvenir.
  • The genuine imports are cultural: legally protected blameless reporting, checklists where the task is truly procedural, simulation for rare high-stakes events, and standardised handover language.
  • The mismatches are structural — patients aren't standardised airframes, wards can't be grounded, the demand can't be cancelled, and the pilot-crashes-with-the-plane incentive can't be replicated, only compensated for.
  • Cargo-cult safety imports the artefact and abandons the culture, then measures compliance instead of outcomes — which is exactly how a checklist rots into a checkbox.
  • Clinical software has no accident investigation board; an independent, mandatory, legally protected, publicly reporting near-miss system for health software is the aviation import most worth fighting for.

Dr Omer Atli

Physician · Healthcare AI · Emergency & Primary Care
