For about fifty years, the United States has run a system that the rest of the safety-critical world looks at, agrees is excellent, and quietly fails to copy.
The Aviation Safety Reporting System, NASA-administered since 1976, is non-punitive: a pilot, controller, mechanic, or flight attendant can report a near-miss, a procedure violation, or an unsafe condition with the implicit guarantee that — except in cases of criminal intent or willful misconduct — the report will not be used as the basis for FAA enforcement. The reporter is granted protection. The data is collected, anonymized, analyzed, and fed back to the industry as bulletins, advisories, and design recommendations. The result, after fifty years, is the safest mass-transportation system in human history.
Healthcare has spent thirty years trying to copy the model. The NHS spun up the National Patient Safety Agency in 2001 (closed in 2012). The Joint Commission’s Sentinel Event reporting program in the US has been pushing voluntary disclosure since 1995. Various state-level near-miss systems have come and gone. None has reproduced the aviation result. Patient harm is, by most measures, no better than it was when the programs started.
The standard explanation is that aviation has a “safety culture” and healthcare doesn’t, or that aviation has stronger unions, or stronger regulators, or weaker malpractice exposure, or — variously — that doctors are more arrogant than pilots. These explanations are not wrong, but they are downstream of something more structural.
What aviation actually trades
The deal that ASRS offers — confess in advance, we won’t punish you — works because it is a real trade. The pilot is giving up something the FAA already mostly has. The FAA is giving up something it already mostly couldn’t enforce.
When an airliner has a near-miss, the event is detected from multiple sources independent of the pilot’s confession. Radar tracks. ATC recordings. ACARS data. Black-box telemetry. Other aircraft involved. If the FAA wanted to enforce against the pilot, they could, with or without the report. The pilot’s voluntary disclosure provides additional context — what they saw, what they thought, what the cockpit was like — but the fact of the near-miss is established by the system’s instrumentation regardless.
So the trade is: you tell us why, and in exchange we give up the small marginal enforcement advantage we would have had from your testimony. That is a trade the FAA can afford to make, because the underlying fact is already documented elsewhere.
In healthcare, this is reversed. The vast majority of patient-safety events are detected from the clinician’s own report or not at all. There is no equivalent of radar tracking. There is no black box. The patient often doesn’t know what happened. The medical record is constructed by the same clinician who would be reporting the near-miss. If the clinician doesn’t disclose, in most cases the event simply does not exist as a documented fact.
This means the trade healthcare offers — confess and we won’t punish — is structurally different. The clinician is being asked to give up all of the evidence, not just additional context. The reporting institution gets a fact it would never otherwise have. The clinician absorbs the entire risk of disclosure with no asymmetric instrumentation backing them up.
The non-punitive promise can be made. It can be honored. It still doesn’t produce the same incentive geometry, because the clinician’s confession is not redundant with anything else.
Where the model can travel
Once you see the asymmetry, the question of where the aviation model works becomes tractable. It works in industries where bad outcomes are already independently documented. Confession adds context but not facts.
Nuclear plant operations: yes. INPO, the Institute of Nuclear Power Operations, runs a near-miss reporting system that genuinely works, modeled on ASRS. Why does it work? Because nuclear plants are heavily instrumented. Every action by an operator is logged. Every alarm is captured. The reporter is providing context for events the system already detected.
Maritime: partially. The IMO’s near-miss reporting works for collisions and groundings (AIS tracking, port logs) and fails for crew-related events that are not externally instrumented.
Healthcare: structurally hard. The instrumentation gap is enormous. EHR systems don’t capture the kind of decision-context-action chain that radar plus ATC plus ACARS captures in aviation. Even if the legal protections were as strong (they aren’t), the underlying fact-establishment infrastructure is missing.
Pharmaceutical clinical trials: improving. Adverse-event reporting works where the trial protocol is heavily instrumented and fails in real-world post-approval surveillance, where it isn’t. The pattern holds.
Software security: actively reverse-engineering the aviation model right now. Bug bounty programs, CVE coordination, ISAC sharing — all attempts to create non-punitive disclosure regimes. They work where the bugs are externally detectable (CVE-publishable vulnerabilities, exploit-in-the-wild observations) and fail where the bugs are only knowable to the developer (internal code review failures, unreleased products).
The general principle
A non-punitive disclosure system works when the disclosed fact is already approximately known to the system collecting it. It fails when the disclosure is the only path the system has to learning the fact.
This is uncomfortable because it implies that the most ethically attractive feature of the aviation model — its trust-based, non-punitive, professional-collaborative tone — is actually a downstream effect of an instrumentation regime that makes the trust feasible. It is easy to be magnanimous when you don’t actually need the disclosure to establish the fact. The asymmetry that makes the system work also makes it impossible to scale to industries that lack the underlying fact-establishment infrastructure.
The implication for healthcare is unpleasant. Building a culture of disclosure on top of an under-instrumented system produces either coerced confessions (which destroy trust) or genuinely voluntary confessions (which are too rare to drive system-level learning). The fix is not more “psychological safety training.” It is more instrumentation — EHR data, real-time clinical decision logging, automated flag systems for deviations from protocol — that makes the underlying fact discoverable independently of the clinician’s report. Once the fact can be established without the report, the report becomes a contextual contribution rather than an existential disclosure, and the aviation deal becomes feasible.
The hard part of replicating aviation safety is not the reporting program. It is the fifty years of black-box data, ATC infrastructure, and ACARS telemetry that made the reporting program optional rather than load-bearing.
You cannot copy the politics of trust without copying the instruments that made trust cheap.