FACT SHEET

NELSON & ASSOCIATES

TH 3131 EAST 29 STREET, SUITE E, BRYAN, TEXAS 77802

979/774-7755 [email protected] FAX: 979/774-0559

CORE PRINCIPLES OF AND THE CARDINAL RULES OF CONTROL

Safety engineering, like any applied science, is The Accident Process based upon fundamental principles and rules of practice. Safety engineering involves the (a) Effective safety engineering and safety identification, (b) evaluation, and (c) control of management must also take into account what has in man-machine systems (products, come to be known as “the accident process.” This machines, equipment, or facilities) that contain a concept recognizes the fact that although personal potential to cause injury to people or damage to injury or system damage may take place at a property. moment in time, the foreseeable causative factors that ultimately produce such injury or damage are A REALISTIC VIEW OF THE TERM “ACCIDENT” typically set into motion, and could have been controlled or prevented, at an early stage in the Safety engineers recognize that accidents are system life cycle. typically dynamic events involving a combination of causative factors. The term “accident” means a That is, this concept recognizes that dynamic, multi-causal event that begins with the foreseeable causes of accidents are typically set activation of a pre-existing hazard which then into motion well in advance of the injury or flows through its host system in a logical sequence damage occurrence itself. A key element in the of events, factors, and circumstances to produce a accident process is the concept of cause final loss event (often including personal injury of “foreseeability.” A foreseeable cause is called a the system operator). “proximate cause.”

IMPORTANT FOUNDATIONAL CONCEPTS Producing vs. Proximate Cause

System Life Cycle According to the safety engineering literature (having its counterpart in law), a “producing The concept of “system life cycle” recognizes cause” means a cause which, in a natural and that every system (product, machine, facility, etc.) continuous sequence or chain of subsequent has a “life cycle” which begins in the (a) “concept producing causes, produces an event, and without or definition” stage before proceeding through the which the event (accident/injury) would not have successive stages of (b) system “design and occurred. development,” (c) “production, manufacture, construction, or fabrication,” followed by (d) Some producing causes of accidents, through system “distribution” before arriving at the (e) the use of reasonable and prudent methods of system “operation or deployment” stage, which prediction, can be reasonably foreseen or after a period of time, is inevitably followed by (f) anticipated before they actually produce an the “termination, retirement, recycle, or disposal” accident/injury event. Such a producing cause stage. may further be identified as a “proximate cause.”

INDUSTRIAL SAFETY ENGINEERING PRODUCT SAFETY ENGINEERING PREMISES SAFETY ENGINEERING

CONSTRUCTION SAFETY ENGINEERING HUMAN FACTORS ENGINEERING

That is, a proximate cause is a producing UNSAFE ACTS VS. UNSAFE CONDITIONS cause that is reasonably foreseeable (or should be reasonably anticipated) by a person exercising Unfortunately, when discussing the causative ordinary care to discover and control such causes factors of accidents, many people cling to the before they produce accident events. traditional over-simplified labels that have divided such factors into “unsafe acts” and “unsafe There can also be a hierarchy of proximate conditions.” In balance, this dichotomy approach causes. One or more proximate causes might has proven harmful to the effective control of logically be viewed as a primary, dominant, or accidents. root proximate cause; that is, a proximate cause that necessarily sets all following causes in Many otherwise sincere individuals have motion. These root proximate causes are typically mistakenly believed or assumed that these factors created during the early stages of the system life are subject to equal control and that only one or cycle and should be the primary targets for the other of the two need be of major concern in elimination or control at that time. the prevention of accidents. Typically, such focus has been on “unsafe acts,” as the majority of FORESEEABLE VS. UNFORESEEABLE practitioners do not possess the expertise to ACCIDENTS evaluate the technical issues involved, or do not recognize with what relative ease and positive Until an adequate accident causation analysis effect unsafe conditions can be controlled. has been conducted, it is unwise to conclude that its causative factors were unforeseeable. The term “unsafe act” may also contain an Therefore, one might define the following two unwarranted implication of blame or fault (rather types of “accidents:” than a genuine lack of knowledge or training). During the investigation of accidents, such an Type I Accident inordinate focus on “unsafe acts” will typically stifle the effective control of accidents, as the A Type I Accident might be considered an investigation is typically ended when the first undesired and unforeseen event that results in an immediate cause is identified (unsurprisingly some unacceptable system loss, which could have been action or inaction on the part of the accident foreseen and prevented through the prior victim). As a result, potentially more important application of recognized principles and methods root causes related to system design are of system hazard identification, evaluation, and overlooked. control. Herein, the term “unsafe condition” is Type II Accident retained, but the term “unsafe act” is rejected as historically leading to error or incomplete cause A Type II Accident might then be defined as analysis. an undesired and unforeseen event that results in an unacceptable loss, which could not have been Rather, inappropriate human actions or foreseen and prevented through the application of inactions of persons that contribute to accidents recognized principles and methods of system (resulting from error or human nature associated hazard identification, evaluation and control. with the common relevant human factor capabilities and limitations of men and women) Obviously, Type I accident events should not are called “unsafe actions,” defined as unsafe be called “accidents” at all in the traditional sense, system use methods and procedures, without any but rather, such an event should more realistically initial implication of fault or blame. be called a “foreseeable loss event.”

2

Hazard Control: Engineering vs. Work Methods “Hazard identification” in reality can be viewed as “energy identification,” recognizing that Given the initial proposition that accidents can an unanticipated undesirable release or exchange be prevented by either controlling the design of a of energy in a system is absolutely necessary to system’s hardware, or by controlling the actions or cause an “accident” and subsequent system behavior of system operators – that is, by damage or operator injury. Therefore, an controlling the design of the product, machine, or “accident” can now be seen as “an undesired and facility (the machine or environment), or by unexpected, or at least untimely release, exchange, controlling the actions of operators or users of or action of energy, resulting, or having the such systems (the man or human factor), the potential to result in damage or injury.” This question then becomes: approach simplifies the task of hazard identification as it allows the identification of If the goal is the effective prevention of hazards by means of a finite set of search paths, accidents (personal injury), should one give initial recognizing that the common forms of energy that primary attention to the identification and control produce the vast majority of accidents can be of potential unsafe physical conditions (hazardous placed into only ten descriptive categories. system hardware components), or the identification and control of potential unsafe The goal of this first step in the hazard control actions (unsafe work methods and system use process is to prepare a list of potential hazards procedures)? (energies) in the system under study. No attempt is made at this stage to prioritize potential hazards In essence, this question is asking: Are or to determine the degree of danger associated hazardous product, machine, and facility with them – that will come later. At this first components, or the hazardous actions or behaviors stage, one is merely taking “inventory” of of people, more easily or effectively (a) identified, potential hazards (potential hazardous energies). (b) evaluated, and (c) controlled? (See Appendix A practical list of hazardous energy types to be for a discussion of this issue.) identified might include:

BASICS OF SAFETY ENGINEERING Mechanical Energy Hazards STEP #1: HAZARD IDENTIFICATION Mechanical energy hazards involve system The first step in safety engineering is “hazard hardware components that cut, crush, bend, shear, identification.” A hazard is anything that has the pinch, wrap, pull, and puncture. Such hazards are potential to cause harm when combined with some associated with components that move in circular, initiating stimulus. transverse (single direction), or reciprocating (“back and forth”) motion. Traditionally, such Many system safety techniques have been hazards found in typical industrial machinery have pioneered to aid in the identification of potential been associated with the terms “power system hazards. None is more basic than “energy transmission apparatus,” “functional components,” analysis.” Here, potential hazards associated with and the “point of operation.” various physical systems and their associated operation, including common industrial and Electrical Energy Hazards consumer related activities, can be identified (for later evaluation and control) by first recognizing Electrical energy hazards have traditionally that system and product “hazards” are directly been divided by the general public into the related to various common forms of “energy.” categories of low voltage electrical hazards (below That is, system component or operator “damage” 440 volts) and high voltage electrical hazards or “injury” cannot occur without the presence of (greater than 440 volts). some form of hazardous “energy.”

3

Chemical Energy Hazards Atmospheric/Geological/Oceanographic Hazards Chemical energy hazards involve substances that are corrosive, toxic, flammable, or reactive, to These hazards are associated with atmospheric include chemical explosives. weather situations such as excessive wind and storm conditions, destructive geological events Kinetic (Impact) Energy Hazards such as instabilities of the earth’s surface (rock or mud slides and earthquakes), and oceanographic Kinetic energy hazards involve “things in currents and wave action, etc. motion” and “impact,” and are associated with the collision of objects in relative motion to each Biological Hazards other. This would include impact of objects moving toward each other, impact of a moving These hazards are associated with poisonous object against a stationary object, falling objects, plants, dangerous animals, biting or poisonous flying objects, and flying particles. insects, and disease carrying bacteria, etc.

Potential (Stored) Energy Hazards Systematic Inventory of Potential Hazards

Potential energy hazards involve “stored To develop a list of potential system hazards, energy.” This includes things that are under one should consider each form of energy in turn. , tension, or compression; or things that First, list each particular type of energy contained attract or repulse one another. Potential energy in the system under study, and then describe the hazards involve things that are “susceptible to various reasonably foreseeable circumstances sudden unexpected movement.” Hazards under which it might become a proximate cause of associated with gravity are included in this an undesirable event. Here, full use of the category and pertain to potential falling objects or published literature, accident statistics, system persons. This category also includes the of operator experience, scientific and engineering gravity transferred biomechanically to the human probability forecasting, system safety techniques body during manual lifting. (such as Preliminary , Fault Tree Analysis, Hazard Mode and Effects Analysis, and Thermal Energy Hazards What-If Analysis), as well as team brainstorming are brought to bear on the question of how each Thermal energy hazards involve things that form of energy might cause an undesirable event. are associated with extreme or excessive heat, extreme cold, sources of flame ignition, flame Prerequisite to such an identification of all propagation, and heat related explosions. system hazards is a thorough understanding of the system under study related to its general and Acoustic Energy Hazards specific intended purpose and all reasonably anticipated conditions of use. Acoustic energy hazards involve excessive noise and vibrations. Specifically, one must thoroughly understand (a) the engineering design of the system, including Radiant Energy Hazards all physical hardware components - their functions, material properties, operating Radiant energy hazards involve the relatively characteristics, and relationships or interfaces with short wavelength energy forms within the other system components, (b) the intended uses as electromagnetic spectrum to include the harmful well as the reasonably anticipated misuses of the characteristics of visible, infrared, microwave, system, (c) the specific (demographic and human ultra-violet, x-ray, and ionizing radiation. factor) characteristics of intended system users,

4

taking into account such things as their Use of this equation must take into account educational levels, their range of knowledge and that an accident event having a remote probability skill, and their physical, physiological, of occurrence during any single exposure, or psychological, and cultural capabilities, during any finite period of exposure to a particular expectancies, and limitations, and (d) the general hazard, IS CERTAIN TO OCCUR if exposure to characteristics of the physical and administrative that hazard is allowed to be repeated over a environment in which the system will be operated. longer period of time. Therefore, a long term or That is, one must have a thorough understanding large sample view should be taken for proper of the man/ machine/ task/ environment elements evaluation. of the system and their interactions. Determination of potential severity should BASICS OF SAFETY ENGINEERING center on the most likely resulting injury or STEP #2: HAZARD EVALUATION damage as well as the most severe potential outcome. Severity becomes the controlling factor The evaluation stage of the safety engineering when severe injury or death is a likely possibility process has as its goal the prioritizing or ordering among the several plausible outcomes. That is, of the list of potential system condition or physical even when other risk factors indicate a low state hazards, or potential system personnel of probability of mishap over time, if severe injury or human factors compiled in Step #1. death may occur as a result of mishap, the risk associated with such hazards must be considered The mere presence of a potential hazard tells as being “unacceptable,” and strict attention given us nothing about its potential danger. To know the to the control of such hazards and related mishaps. danger related to a particular hazard, one must first examine associated risk factors. Exposure evaluation should consider the Risk can be measured as the product of three typical life expectancy of the system containing a components: (a) the probability that an injury or particular hazard, the number of systems in use, damage producing mishap will occur during any and the number of individuals who will be one exposure to the hazard; (b) the likely severity exposed to these systems over time. or degree of injury or damage that will likely result should a mishap occur; and (c) the estimated Acceptable vs. Unacceptable Risk number of times a person or persons will likely be exposed to the hazard over a specific period of This step in the hazard evaluation process will time. That is… ultimately serve to divide the list of potential hazards into a group of “acceptable” hazards and a (1) H x R = D, and since group of “unacceptable” hazards. Acceptable hazards are those associated with acceptable risk (2) R = P x S x E, then factors; unacceptable hazards are those associated (3) H (P x S x E) = D with unacceptable risk factors.

where: An “acceptable risk” can be thought of as a risk that a group of rational, well-informed, ethical H= Hazard P = Probability individuals would deem acceptable to expose R = Risk S = Severity themselves to in order to acquire the clear benefits D = Danger E = Exposure of such exposure. An “unacceptable risk” can be thought of as a risk that a group of rational, well- In the evaluation of mishap probability, informed, ethical individuals would deem consideration should be given to historical incident unacceptable to expose themselves to in order to data and reasonable methods of prediction. acquire the exposure benefits.

5

Hazards associated with an acceptable risk are Cardinal Rule #1 traditionally called “safe,” while hazards associated with an unacceptable risk are The first cardinal rule of hazard control (safe traditionally called “unsafe.” Therefore, what is design) is “hazard elimination” or “inherent called “safe” does contain elements of risk that are safety.” That is, if practical, control (eliminate or judged to be “acceptable.” Once again, the mere minimize) potential hazards by designing them out presence of a hazard does not automatically mean of products and facilities “on the drawing board.” that the hazard is associated with any real danger. This is accomplished through the use of such It must first be measured as being unacceptable. interrelated techniques as hazard removal, , hazard attenuation, and/or hazard The result of this evaluation process will be isolation through the use of the principles and the compiling of a list of hazards (or risks and techniques of system and product safety dangers) that are considered unacceptable. These engineering, system and product safety unacceptable hazards (rendering the system within management, and human factors engineering, which they exist “unreasonably dangerous”) are beginning with the concept and initial planning then carried to the third stage of the safety stages of the system design process. engineering process, called “hazard control.” Cardinal Rule #2 BASICS OF SAFETY ENGINEERING STEP #3: HAZARD CONTROL The second cardinal rule of hazard control (safe design) is the minimization of system The primary purpose of engineering and the hazards through the use of add-on safety devices design of products and facilities is the physical or safety features engineered or designed into “control” of various materials and processes to products or facilities, also “on the drawing board,” produce a specific benefit. The central purpose of to prevent the exposure of product or facility users safety engineering is the control of system to inherent potential hazards or dangerous “hazards” which may cause system damage, combinations of hazards; called “extrinsic safety.” system user injury, or otherwise decrease system A sample of such devices would include shields or benefits. and historic safety engineering barriers that guard or enclose hazards, component references have advocated a specific order or interlocks, pressure relief valves, stairway priority in which hazards are best controlled. handrails, adequate lighting, and passive vehicle occupant restraint and crashworthiness systems. For decades, it has been well established by the authoritative safety literature (as well as by Passive vs. Active Hazard Controls logic and sound engineering practice) that, in the order of preference and effectiveness, regardless A principle that applies equally to the first of the system being examined, hazards are first to two cardinal rules of safe design is that of “passive be controlled through (a) “hazard removal,” vs. active” hazard control. Simply, a passive followed by (b) the use of “physical safeguards,” control is a control that works without requiring and then, after all reasonable opportunities have the continuous or periodic involvement or action been exhausted related to hazard removal and of system users. An active control, in contrast, safeguarding, (c) remaining hazards are to be requires the system operator or user to “do controlled through the development and use of something” before system use, continuously or adequate warnings and instructions (to include periodically during system operation in order for prescribed work methods and procedures). the control to work and avoid injury. Passive controls are “automatic” controls, whereas active Listed in order of preference and controls can be thought of as “manual” controls. effectiveness, these control methods may be called Passive controls are unquestionably more effective the “ cardinal rules of safe design,” or the than active controls. “cardinal rules of hazard control.”

6

Cardinal Rule #3

The third cardinal rule of hazard control (safe Among other things, the methods and design) is the control of hazards through the materials used to communicate required safe use development of warnings and instructions; that is, or operating methods and procedures must give through the development and effective adequate attention to the nature and potential communication of safe system use (and severity of the hazards involved, as well as maintenance) methods and procedures that first reasonably anticipated user capabilities and warn persons of the associated system dangers limitations (human factors). that may potentially be encountered under reasonably foreseeable conditions of system use, Briefly stated, the cardinal rules of hazard misuse, or service, and then instruct them controls involve system design, the use of physical regarding the precise steps that must be followed safeguards, and user training. It must further be to cope with or avoid such dangers. This third thoroughly understood that no warning or safe approach must only be used after all reasonably procedure can equal or replace an effective feasible design and safeguarding opportunities safety device, and no safety device can equal or (first and second rule applications) have been replace the elimination of a hazard on the exhausted. drawing board.

Further, it must be recognized that the (attempted) control of system hazards through the © NELSON & ASSOCIATES, 1978,1983,1988,1993,1996, use of warnings and instructions, the least 2007 effective method of hazard control, requires the development of a variety of state-of-the-art communication methods and materials to assure that such warnings and instructions are received and understood by system users.

Appendix

Behavioral Human Factor Causes vs. Physical Condition Causes of Accident Events

Are hazardous product, machine, and facility Answer – In most systems, the set of components, or the hazardous actions or potential unsafe condition hazards is typically behaviors of people, more easily or effectively fewer in number (more finite) than the set of (a) identified , (b) evaluated, and (c) controlled? potential human errors or potential deviations from prescribed safe system use methods or Question #1 – Within any man-machine procedures resulting from fatigue, distraction, system, are potential unsafe conditions (unsafe and various hardwired (intrinsic and relatively system hardware components) or potential unmodifiable) human factor capabilities and unsafe actions (unsafe system use methods and limitations). procedures) easier to IDENTIFY? That is, how many potential unsafe system hardware Logically, one must choose to analyze and conditions can be reasonably foreseen as control the finite over the comparatively infinite. compared with reasonably foreseeable potential That is, potential unsafe system condition unsafe actions (unsafe system use methods and hazards are potentially easier to identify. It procedu res) or human error factors associated follows then that it is more effective to give one’s with system operation? initial primary attention to “the machine” rather than to “the man.”

7

Question #2 – Are potential unsafe For the third time, this recognized hierarchy conditions (unsafe system hardware dictates that, at the earliest stage in a system’s components) or potential unsafe behaviors life cycle that potential system hardware hazards (unsafe system use methods and procedures) can be foreseen, primary attention should be easier to EVALUATE? That is, are the given to the elimination or engineering control of probabilities (and related injury severities) hazards. associated with foreseeable exposures to potential system unsafe condition hazards and A “bonus” advantage of controlling physical resulting loss events easier to calculate or system condition hazards in the early stages of a estimate than similar determinations of systems life cycle is the safe system design “on probability associated with potential unsafe the drawing board” can automatically eliminate actions or human error factors related to system the potential effect of later “operator errors.” The operation? fact that operator errors are typically the result of system design errors is exemplified in the safety Answer – In most situations, it is typically and human factors engineering proverb: “How a easier, more predictable, and more accurate to system, product, or facility is designed will calculate or estimate the failure rates (accident dictate how it can and will be used.” probabilities and severities) associated with hardware system hazards (defects/wear/failures) CAUTION: The fact that control of system than it is to predict the multitude of potential hazards and resulting potential personal injury to human errors or deviations from prescribed safe system operators and users is recognized as first system use methods or procedures. Once again, involving attention to designing hazards out, and this indicates that it is more effective to give designing safety into various product, machine, primary attention to “the machine” rather than to and facility systems, should not detract from the “the man.” vital importance of giving paramount attention to the use of adequate warnings and Question #3 – Are potential unsafe instructions and the development and effective conditions (unsafe system hardware communication of safe system operating components) or potential unsafe behaviors methods and procedures to system users at the (unsafe system use methods and procedures) proper time in the system design process. easier to CONTROL? That is, if the ultimate goal is overall “hazard control,” are hazardous In every hardware system, not only must physical conditions of hardware systems, or human factors be considered early in the design potential human error and deviations from process to learn how people might be exposed to prescribed safe system use methods or system hazards, so that these hazards can be procedures, more susceptible to effective, removed or minimized in the design process, positive, and more permanent control? residual hazards that cannot be designed out of such systems through engineering means must Answer – As verified by the authoritative safety be given proper attention in the form of literature for the past several decades, adequate warnings and instructions, and in (the removal or physical many situations, required formal training (and safeguarding of potential hazardous product, subsequent supervision). If the training becomes machine, or facility system components) are complex, a formal certification program must universally recognized as being more effective be developed. and long lasting than behavioral or .

8