Nelson & Associates

Core Principles of Safety Engineering and the Cardinal Rules of Hazard Control


SAFETY ENGINEERING
Safety engineering, like any applied science, is based upon fundamental principles and rules of practice. Safety engineering involves the identification, evaluation, and control of hazards in man-machine systems (products, machines, equipment, or facilities) that contain a potential to cause injury to people or damage to property.

SAFETY MANAGEMENT
Safety management consists of a set of safety program elements, policies, and procedures that manage the conduct of safety activity. Safety engineering and safety management make up an integrated whole. While safety engineering can be viewed as being the physical and mathematical side of injury and damage prevention, safety management can be viewed as being the administrative or software side of such prevention. Safety management provides the structure within which the techniques of safety engineering are applied.

A REALISTIC VIEW OF THE TERM "ACCIDENT"
Safety engineers recognize that accidents are typically dynamic events involving a combination of causative factors. The term "accident" means a dynamic (typically multi-causal) event that begins with the activation of a pre-existing hazard that flows through its host system in a logical sequence of preceding events, factors, and circumstances to produce a final loss event (typically personal injury of the system operator).

Unfortunately, when discussing the causative factors of accidents, many people cling to the traditional over-simplified labels that have divided such factors into "unsafe acts" and "unsafe conditions." On balance, this dichotomous approach has proven harmful to the effective control of accidents. Many otherwise sincere individuals have mistakenly believed or assumed that these factors are subject to equal control and that only one or the other of the two need be of major concern in the prevention of accidents. Typically, such focus has been on "unsafe acts," because the majority of practitioners do not possess the expertise to evaluate the technical issues involved, or do not perceive with what relative ease and positive effect unsafe conditions can be controlled. During the investigation of accidents, such an inordinate focus on "unsafe acts" will typically stifle the effective control of accidents, as the investigation is typically ended when the first immediate cause (in terms of time) is identified (naturally, some action or inaction on the part of the accident victim). As a result, potentially more important root causes related to system design are overlooked.

Herein, the terms "unsafe act" and "unsafe condition" are rejected as historically leading to error or incomplete cause analysis. Rather, system conditions resulting from system use, deterioration, or original design error, that result in the creation of an unsafe system condition, are called "system condition or physical state factors (hazards)," while inappropriate human actions or inactions experienced during system use or operation (resulting from human error or human nature, categorized as one or the other after considering the capabilities and limitations of men and women in the relevant areas under study) are called "system personnel or human factors."


IMPORTANT FOUNDATIONAL CONCEPTS

Before proceeding, it is necessary to understand three concepts: "system life cycle," "the accident process," and "producing vs. proximate cause."

System Life Cycle.

The concept of "system life cycle" recognizes that every system (product, machine, facility, etc.) has a "life cycle" which begins in (a) the "concept or definition" stage before proceeding through the successive stages of (b) system "design and development," (c) "production, manufacture, construction or fabrication," followed by (d) system "distribution" before arriving at the (e) system "operation or deployment" stage, which after a period of time, is inevitably followed by (f) the "disposal, termination, or retirement" stage.

The Accident Process.

Effective safety engineering and safety management must also take into account what has come to be known as "the accident process." This concept recognizes the fact that although personal injury or system damage may take place at a moment in time, the foreseeable causative factors that ultimately produce such injury or damage are typically set into motion, and could have been controlled or prevented, at an early stage in the system life cycle.

That is, this concept recognizes that foreseeable causes of accidents are typically set into motion well in advance of the injury or damage occurrence itself. A key element in the accident process is the concept of cause "foreseeability." A foreseeable cause is called a "proximate cause."

Producing vs. Proximate Cause.

According to the safety engineering literature [having its counterpart in law], a "producing cause" means a cause which, in a natural and continuous sequence or chain of preceding and subsequent producing causes, produces an event, and without which the event (accident/injury) would not have occurred.

Some producing causes of accidents, through the use of reasonably prudent methods of prediction, can be reasonably foreseen or anticipated before they actually produce an accident/injury event. Such a producing cause may further be identified as a "proximate cause." That is, a "proximate cause" is a producing cause that is reasonably foreseeable (or should be reasonably anticipated) by a person exercising ordinary care to discover and control such causes before they produce accident events.

There can also be a hierarchy of proximate causes. One or more proximate causes might logically be viewed as a primary, dominant, or root proximate cause; that is, a proximate cause that necessarily sets all following causes in motion.

These root proximate causes are typically created during the early stages of the system life cycle and should be the primary targets for elimination or control at that time.


FORESEEABLE vs. UNFORESEEABLE ACCIDENTS

Until an adequate accident causation analysis has been conducted, it is unwise to conclude that its causative factors were unforeseeable. Therefore, one might define the following two types of "accidents":

A TYPE I ACCIDENT might be defined as an undesired and unforeseen event that results in an unacceptable system loss, which could have been foreseen and prevented through the application of recognized principles and methods of system hazard identification, evaluation, and control.

A TYPE II ACCIDENT might then be defined as an undesired and unforeseen event that results in an unacceptable system loss, which could NOT have been foreseen and prevented through the application of recognized principles and methods of hazard identification, evaluation, and control.

Obviously, TYPE I accident events should not be called "accidents" at all in the traditional sense, but rather, such an event should more realistically be called a "foreseeable loss event."

If one's goal is the effective prevention of accidents (the effective control of hazards), reasonable analysis of the opportunities to prevent man-machine system TYPE I accidents will lead rational minds to concede that, in most situations, potential physical accident causative factors (physical condition hazards) are to be given priority attention over potential behavior-related causative factors, because physical hazards can typically be identified, evaluated, and controlled far more feasibly in the early stages of a system's life cycle.

A "bonus" advantage of controlling physical system condition hazards in the early stages of a system's life cycle is that safe system design "on the drawing board" can automatically eliminate the potential effect of later "operator errors," or even the need to require special system operating methods. The fact that operator errors are typically the result of system design errors is exemplified in the safety and human factors engineering proverb: "How a system, product, or facility is designed will dictate how it can and will be used."

BASICS OF SAFETY ENGINEERING
STEP #1: HAZARD IDENTIFICATION

The first step in safety engineering is "hazard identification." A hazard is anything that has the potential to cause harm when combined with some initiating stimulus.

Many system safety techniques have been pioneered to aid in the identification of potential system hazards. None is more basic than "energy analysis." Here, potential hazards associated with various physical systems and their associated operation, including common industrial and consumer products and related activities, can be identified (for later evaluation and control) by first recognizing that system and product "hazards" are directly related to various common forms of "energy." That is, system component or operator "damage" or "injury" cannot occur without the presence of some form of hazardous "energy."

"Hazard identification" in reality can be viewed as "energy identification," recognizing that an unanticipated, undesirable release or exchange of energy in a system is absolutely necessary to cause an "accident" and subsequent system damage or operator injury. Therefore, an "accident" can now be seen as "an undesired and unexpected, or at least untimely, release, exchange, or action of energy, resulting, or having the potential to result, in system damage or injury." This approach simplifies the task of hazard identification, as it allows the identification of hazards by means of a finite set of search paths, recognizing that the common forms of energy that produce the vast majority of accidents can be placed into only ten descriptive categories.

The goal of this first step in the hazard control process is to prepare a list of potential hazards (energies) in the system under study. No attempt is made at this stage to prioritize potential hazards or to determine the degree of danger associated with them. That will come later. At this first stage, one is merely taking an "inventory" of potential hazards (potential hazardous energies). A practical list of hazardous energy types to be identified might include:

1. MECHANICAL ENERGY HAZARDS
Mechanical energy hazards involve system hardware components that cut, crush, bend, shear, pinch, wrap, pull, and puncture. Such hazards are associated with components that move in circular, transverse (single direction), or reciprocating ("back and forth") motion. Traditionally, such hazards found in typical industrial machinery have been associated with the terms "power transmission apparatus," "functional components," and the "point of operation."

2. ELECTRICAL ENERGY HAZARDS
Electrical energy hazards have traditionally been divided by the general public into the categories of low voltage electrical hazards (below 440 volts) and high voltage electrical hazards (above 440 volts).

3. CHEMICAL ENERGY HAZARDS
Chemical energy hazards involve substances that are corrosive, toxic, flammable, or reactive (involving a release of energy ranging from "not violent" to "explosive" and "capable of detonation").

4. KINETIC (IMPACT) ENERGY HAZARDS
Kinetic energy hazards involve "things in motion" and "impact," and are associated with the collision of objects in relative motion to each other. This would include impact of objects moving toward each other, impact of a moving object against a stationary object, falling objects, flying objects, and flying particles.

5. POTENTIAL (STORED) ENERGY HAZARDS
Potential energy hazards involve "stored energy." This includes things that are under pressure, tension, or compression; or things that attract or repulse one another. Potential energy hazards are associated with things that are "susceptible to sudden unexpected movement." Hazards associated with gravity are included in this category, and involve potential falling objects, potential falls of persons, and the hazards associated with an object's weight. This category also includes the forces transferred biomechanically to the human body during manual lifting.

6. THERMAL ENERGY HAZARDS
Thermal energy hazards involve things that are associated with extreme or excessive heat, extreme cold, sources of flame ignition, flame propagation, and heat related explosions.

7. ACOUSTIC ENERGY HAZARDS
Acoustic energy hazards involve excessive noise and vibration.

8. RADIANT ENERGY HAZARDS
Radiant energy hazards involve the relatively short wavelength energy forms within the electromagnetic spectrum including the potentially harmful characteristics of radar, infra-red, visible, microwave, ultra-violet, x-ray, and ionizing radiation.

9. ATMOSPHERIC/GEOLOGICAL/OCEANOGRAPHIC ENERGY HAZARDS
These hazards are associated with atmospheric weather circumstances such as wind and storm conditions, geological structure characteristics such as underground pressure or the instability of the earth's surface, and oceanographic currents, wave action, etc.

10. BIOLOGICAL HAZARDS
These hazards are associated with poisonous plants, dangerous animals, biting insects and disease carrying bacteria, etc.

To develop a list of potential system hazards, one should consider each form of energy in turn. First, list each particular type of energy contained in the system under study, and then describe the various reasonably foreseeable circumstances under which it might become a proximate cause of an undesirable event. Here, full use of the published literature, accident statistics, system operator experience, scientific and engineering probability forecasting, system safety techniques, and team brainstorming are brought to bear on the question of how each form of energy might cause an undesirable event.

Prerequisite to such an identification of all system hazards is a thorough understanding of the system under study related to its general and specific intended purpose and all reasonably anticipated conditions of use.

Specifically, one must thoroughly understand (a) the engineering design of the system, including all physical hardware components - their functions, material properties, operating characteristics, and relationships or interfaces with other system components, (b) the intended uses as well as the reasonably anticipated misuses of the system, (c) the specific (demographic and human factor) characteristics of intended system users, as well as reasonably anticipated unintended users, taking into account such things as their educational levels, their range of knowledge and skill, and their physical, physiological, psychological, and cultural capabilities, expectancies, and limitations, and (d) the general characteristics of the physical and administrative environment in which the system will be operated. That is, one must have a thorough understanding of the man / machine / task / environment elements of the system and their interactions.


BASICS OF SAFETY ENGINEERING
STEP #2: HAZARD EVALUATION

The evaluation stage of the safety engineering process has as its goal the prioritizing or ordering of the list of potential system condition or physical state hazards, or potential system personnel or human factors, compiled in Step #1.

The mere presence of a potential hazard tells us nothing about its potential danger. To know the danger related to a particular hazard, one must first examine associated risk factors. Risk can be measured as the product of three components: (a) the probability that an injury or damage producing mishap will occur during any one exposure to the hazard; (b) the potential severity or degree of injury or damage that will likely result should a mishap occur; and (c) the estimated number of times a person or persons will likely be exposed to the hazard over a specific period of time. That is...

(1) H x R = D, and since
(2) R = P x S x E, then
(3) H (P x S x E) = D
where:
H = HAZARD
R = RISK
D = DANGER
P = PROBABILITY
S = SEVERITY
E = EXPOSURE

In the evaluation of mishap probability, consideration should be given to historical incident data and reasonable methods of prediction.

Use of this equation must take into account that an accident event having a remote probability of occurrence during any single exposure or during any finite period as a result of exposure to a particular hazard IS CERTAIN TO OCCUR if exposure to that hazard is allowed to be repeated over a longer period of time. Therefore, a long term or large sample view of probability should be taken for proper evaluation.

Determination of severity potential should center on the most likely resulting injury or damage as well as the most severe potential outcome. Severity becomes the controlling factor when severe injury or death is a likely possibility among the several plausible outcomes. That is, even when other risk factors indicate a low probability of mishap over time, if severe injury or death may occur as a result of mishap, the risk associated with such hazards must be considered as being "unacceptable," and strict attention given to the control of such hazards and related mishaps.

Exposure evaluation should consider the typical life expectancy of the system containing a particular hazard, the number of systems in use, and the number of individuals who will be exposed to these systems over time.
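The evaluation rules above (R = P x S x E, the long-term view of probability, and severity as the controlling factor) carried through on a constructed hazard inventory. This is an added example, not code from the Nelson & Associates page; the ordinal severity scale, the sample hazards, their numeric values and the acceptability threshold are all assumptions chosen for illustration.

```python
"""Hazard evaluation (Step #2) worked through as code: rank an inventory of
hazards by R = P x S x E, apply the severity override, and show why a remote
per-exposure probability becomes a near-certainty over repeated exposure."""
from dataclasses import dataclass
from typing import List, Tuple

# Ordinal severity scale S (constructed assumption; higher is worse).
SEVERITY_NEGLIGIBLE = 1   # first aid only
SEVERITY_MARGINAL = 2     # minor, recoverable injury
SEVERITY_CRITICAL = 3     # severe, permanent injury plausible
SEVERITY_CATASTROPHIC = 4 # death plausible


@dataclass
class Hazard:
    name: str
    energy_type: str        # one of the ten energy categories from Step #1
    p_per_exposure: float   # P: probability of a mishap during ONE exposure
    severity: int           # S: most severe plausible outcome (scale above)
    exposures: int          # E: expected exposures over the evaluation period


def risk_score(h: Hazard) -> float:
    """R = P x S x E. Because S is ordinal, the product is a ranking aid,
    not a physical quantity; compare scores only against each other."""
    return h.p_per_exposure * h.severity * h.exposures


def cumulative_probability(p_per_exposure: float, exposures: int) -> float:
    """Probability of at least one mishap over E independent exposures:
    1 - (1 - P)^E. This is the 'long term or large sample view' of P."""
    return 1.0 - (1.0 - p_per_exposure) ** exposures


def is_unacceptable(h: Hazard, threshold: float) -> bool:
    """Severity is the controlling factor: if severe injury or death is a
    plausible outcome, the hazard is unacceptable regardless of its score."""
    if h.severity >= SEVERITY_CRITICAL:
        return True
    return risk_score(h) >= threshold


def evaluate(hazards: List[Hazard], threshold: float) -> Tuple[List[Hazard], List[Hazard]]:
    """Split the inventory into (unacceptable, acceptable) lists, each ordered
    by descending risk score so the hazard control step can work top-down."""
    ranked = sorted(hazards, key=risk_score, reverse=True)
    unacceptable = [h for h in ranked if is_unacceptable(h, threshold)]
    acceptable = [h for h in ranked if not is_unacceptable(h, threshold)]
    return unacceptable, acceptable


# Constructed sample inventory; every number here is illustrative only.
SAMPLE_HAZARDS = [
    Hazard("unguarded belt nip point", "mechanical", 1e-4, SEVERITY_CRITICAL, 5000),
    Hazard("sharp sheet-metal edge", "mechanical", 5e-3, SEVERITY_MARGINAL, 5000),
    Hazard("machine noise at operator station", "acoustic", 2e-2, SEVERITY_NEGLIGIBLE, 5000),
    Hazard("exposed 480 V bus bar", "electrical", 1e-6, SEVERITY_CATASTROPHIC, 20000),
]

if __name__ == "__main__":
    unacc, acc = evaluate(SAMPLE_HAZARDS, threshold=60.0)
    for h in unacc:
        print(f"UNACCEPTABLE  R={risk_score(h):8.2f}  "
              f"P(>=1 mishap over E)={cumulative_probability(h.p_per_exposure, h.exposures):.3f}  {h.name}")
    for h in acc:
        print(f"acceptable    R={risk_score(h):8.2f}  {h.name}")
```

Note that the bus bar has the lowest product score in the inventory yet is still carried to Step #3, which is the severity rule at work; the nip point's remote per-exposure probability accumulates to roughly a 39% chance of at least one mishap over 5000 exposures.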

Acceptable vs. Unacceptable Risk.

This step in the hazard evaluation process will ultimately serve to divide the list of potential hazards into a group of "acceptable" hazards and a group of "unacceptable" hazards. Acceptable hazards are those associated with acceptable risk factors; unacceptable hazards are those associated with unacceptable risk factors.

An "acceptable risk" can be thought of as a risk that a group of rational, well-informed, ethical individuals would deem acceptable to expose themselves to in order to acquire the clear benefits of such exposure. An "unacceptable risk" can be thought of as a risk that a group of rational, well-informed, ethical individuals would deem unacceptable to expose themselves to in order to acquire the exposure benefits.

Hazards associated with an acceptable risk are traditionally called "safe," while hazards associated with an unacceptable risk are traditionally called "unsafe." Therefore, what is called "safe" does contain elements of risk; it is just that such elements have been judged to be "acceptable." Once again, the mere presence of a hazard does not automatically mean that the hazard is associated with any real danger. It must first be measured as being unacceptable.

The result of this evaluation process will be the compiling of a list of hazards (or risks and dangers) that are considered unacceptable. These unacceptable hazards (which render the system within which they exist "unreasonably dangerous") are then carried to the third stage of the safety engineering process, called hazard control.


BASICS OF SAFETY ENGINEERING
STEP #3: HAZARD CONTROL

The primary purpose of engineering and the design of products and facilities is the physical "control" of various materials and processes to produce a specific benefit. The central purpose of safety engineering is the control of system "hazards" which may cause system damage, system user injury, or otherwise decrease system benefits. Current and historic safety engineering references have advocated a specific order or priority in which hazards are best controlled. Listed in order of preference and effectiveness, these control methods have come to be called "cardinal rules of safe design," or the "cardinal rules of hazard control."

The first cardinal rule of hazard control (safe design) is "hazard elimination" or "inherent safety." That is, if practical, one should control (eliminate or minimize) potential hazards by designing them out of products and facilities "on the drawing board." This is accomplished through the use of such interrelated techniques as "hazard removal, hazard substitution, and/or hazard attenuation," through the use of the principles and techniques of system and product safety engineering, system and product safety management, and human factors engineering, beginning with the concept and initial planning stages of the system design process.

The second cardinal rule of hazard control (safe design) is the minimization of system hazards through the use of add-on "safety devices" or "safety features" engineered or designed into products or facilities "on the drawing board" to prevent the exposure of product or facility users to inherent potential hazards or dangerous combinations of hazards (called "extrinsic safety"). A sample of such devices would include shields or barriers which guard or enclose hazards, component interlocks, pressure relief valves, stairway handrails, and passive vehicle occupant restraint and crashworthiness systems.

Passive vs. Active Hazard Controls. A principle that applies equally to the first two cardinal rules of safe design is that of "passive vs. active" hazard control. Simply, a passive control is a control that works without requiring the continuous or periodic involvement or action of system users. An active control, in contrast, requires the system operator or user to "do something" before system use, or continuously or periodically during system operation, in order for the control to work and avoid injury. Passive controls are "automatic" controls, whereas active controls can be thought of as "manual" controls. Passive controls are unquestionably more effective than active controls.

The third cardinal rule of hazard control (safe design) is the control of hazards through the development of warnings and instructions; that is, through the development and effective communication of safe system use (and maintenance) methods and procedures that first warn persons of the associated system dangers that may potentially be encountered under reasonably foreseeable conditions of system use, misuse, or service, and then instruct them regarding the precise steps that must be followed to cope with or avoid such dangers.

This third approach must only be used after all reasonably feasible design and safeguarding opportunities (first and second rule applications) have been exhausted.

Further, it must be recognized that the (attempted) control of system hazards through the use of warnings and instructions, the least effective method of hazard control, requires the development of a variety of state-of-the-art communication methods and materials to assure that such warnings and instructions are received and understood by system users.

Among other things, the methods and materials used to communicate required safe use or operating methods and procedures must give adequate attention to the nature and potential severity of the hazards involved, as well as reasonably anticipated user capabilities and limitations (human factors).

Briefly stated, the cardinal rules of hazard control involve system design, the use of physical safeguards, and user training. Further, it must be thoroughly understood that no safety device equals the elimination of a hazard on the drawing board, and no safety procedure equals the use of an effective safety device. This approach has been advocated by the safety literature and successfully practiced by safety professionals for decades.


© Copyright Nelson & Associates, 3131 E. 29th Street, Suite E, Bryan, Texas 77802
Tel 979/774-7755 -- Fax 979/774-0559 -- www.hazardcontrol.com