






Vol. 48, No. 6 • Nov-Dec 2012
Design-based Safety
Safety Engineering Leadership

Leadership in design-based safety is a process that brings order out of chaos. Safety appliances or alternate safer designs often never see the light of day. Why? Because the traditional economic, political and operational priorities have not been satisfied. Before design-based safety can be accepted, the engineer must show how the new design effectively overcomes the traditional priorities.

In most cases, economic barriers are easily overcome, as injuries usually cost more than safety features. The injury-preventing table saw technology developed by Dr. Stephen Gass, called "Saw Stop," prevents injury as the fast-spinning saw blade is instantly arrested in one-quarter of a turn. Yet manufacturers and sales trade associations are actively opposing this safety feature, as they allege that it eliminates the sale of low-cost table saws. Their real reason is to avoid liability. It would seem that their goal is short-term profit from the sale of unsafe table saws rather than reducing the number of severe table saw injuries that cost the public billions. (See "Table-Saw Safety Bill Advances in California Over Objection of Power-Tool Industry," Engineering News Record, page 14, August 27, 2012). Proposals for inherently safer features need to include an explanation of the long-term injury and liability costs that can be reduced by design-based safety.

Today's news media reveal countless examples of hazards that never meet the public eye until the cumulative injury occurrence becomes a scandal. The reason for this oversight of hazardous design is that traditional priorities create strong incentives for covering up repetitive injury occurrences from the same hazard on the same type of machine. I have observed the same hazard in building design. On a flat roof, a 42-inch parapet wall instead of an 18-inch wall becomes a safety railing and prevents falls off the building. When life-threatening hazards are deliberately covered up so that the public is unaware of multiple occurrences from the same hazard, this anti-safety tradition becomes a disgustingly shameful disgrace. Another factor is that some people consider a hazard an acceptable risk. There are also those who feel that buying insurance to spread the risk among many is cheaper than paying for safer design to eliminate the hazard.

Political excuses may also serve as a reason to avoid safe design. The passenger dirigible Hindenburg, which burned when docking in New Jersey in the 1930s, is an example: highly flammable hydrogen gas was used on this lighter-than-air ship rather than unburnable helium. It was feared by some that Nazi Germany would use helium for military purposes. The memory of dirigible bombings in London during World War I led to a decision to enact an embargo on helium sales to German firms. The decision to ban the sale of helium did not include an analysis that the zeppelin was a large, slow-moving target that could be shot down easily. A different decision would have allowed the development of this type of air travel.

Operational traditions are notoriously perpetuated as a reason to avoid safe design. Most notable were three NASA disasters:

  • The incineration of three astronauts in a space capsule, caused by its oxygen-rich atmosphere (Apollo I)
  • A faulty fuel pipe gasket that was not resistant to cold weather (Space Shuttle Challenger)
  • The Styrofoam insulation that broke loose and was propelled at a high velocity into a wing (Space Shuttle Columbia)

All of these were hazards deemed by management as "acceptable risks." The reason for these decisions was management's blind devotion to these activities going forward to show the public that NASA was making newsworthy progress. An urgent requirement for immediate results creates strong incentives to avoid any safety delays. To stop an activity because a hazard could possibly cause a failure creates a conflict with management's goals for immediate results. Management then considers the hazard only as a possible chance of failure or a risk. Then, management speculates on the degree of risk, and the need for safe design becomes no longer relevant.

Management's authority to take risks needs to be curtailed. We, as system safety engineers, need to develop for ourselves a broader public exposure. We need to speak out on safe design issues. Somehow, a public record needs to be available so that design-based safety features are made known to the public before a disaster occurs. Unfortunately, after a disaster, when the facts become available showing that design-based safety would have easily prevented the hazard, the person who makes this revelation is labeled a "whistle blower," a term used to change the subject so the need for safer design is put on the back burner and forgotten.

The current role of the system safety engineer as an advisor to management is a step in the right direction. This is not enough, however, as it only puts the ball in the manager's court where there is often little accountability. What is missing is public awareness of a specific hazard and how to control it by design. The system safety function needs access to independent funding to conduct tests so the hazard can be validated as fact, not nebulous risk. An independent test would have shown that ignition in an oxygen-rich capsule would result in complete incineration. A test would have shown how a gasket can become inflexible in cold weather and not function properly. A test also would have shown that Styrofoam propelled at high velocity could pierce a shuttle's wing. With system safety testing done during development, the opportunity would be reduced for management to engage in speculative risk-taking at a time of "go or no go" decision making.

Planning documents should first be reviewed by a safety engineer, who would list each hazard. Test results always need to be available to the public and the press. Safety engineering leadership based on fact will then become a protector of both management and the public.

I have always been amazed by how Frank Lloyd Wright, the famous architect, was able to project himself to the public as the ultimate visionary leader of his profession. He stated, "Architecture is man's great sense of himself embodied in a world of his own making. It may rise as high in quality only as its source because great art is great life."

Design-based safety is an even greater calling than art, since it is a protector of life! To become a leader, one must serve an apprenticeship to learn the basics. Wright began his career by studying civil engineering, and then he became a draftsman for a leading architect. In 1893, after learning the basics, he opened his own office to pursue an independent practice. On his own, he designed and supervised the construction of the first air-conditioned building. In 1922, after 19 years of practice, he was ridiculed for building the Imperial Hotel in Tokyo on a big flat reinforced concrete saucer rather than on conventional pilings. Frank Lloyd Wright understood why the buildings built on fill in San Francisco collapsed during the 1906 earthquake. When the 1923 earthquake leveled Tokyo, his building was undamaged. Now, he had worldwide fame. In 1938, he founded his western headquarters at Taliesin outside Phoenix, Arizona, which soon became a mecca for those who wanted to become architects. During the last years of his life, he designed the famous Guggenheim Museum in New York. The lesson Frank Lloyd Wright taught is to have enough confidence to stand up to traditional ideology and push to develop safer designs.

Another famed leader, Lee Iacocca, when president of Ford Motor Company, installed an interlock to prevent the driver from starting a car until the seatbelt was attached. The public rejected this approach, and Ford's car sales dropped dramatically. Later, as president of Chrysler Motor Company, Iacocca met with President Richard Nixon and objected to a mandatory federal regulation for airbags, coining the phrase "Safety does not sell!" Design-based safety needs to be scoped to create no conflicts with user priorities. Ultimately, the driver just wants to start the car. The seatbelt interlock was a barrier to this objective. Seatbelts are a voluntary safety feature and user acceptance requires time to develop. Today, voluntary seatbelt usage is generally between 80 and 90 percent. Airbags are not barriers to starting or driving a car, and have been an outstanding success in reducing injuries and deaths in the event of an automobile crash.

Another exemplary function of safety engineering leadership is community stewardship. Washington Group, a large international design-and-build construction company and now part of URS, knows the value of investing in its immediate community. It gave the gift of a Saw Stop table saw to Idaho school districts' manual training shops. These table saws have been designed with a patented safety feature that stops the spinning circular saw blade in a millisecond, making them safer than saws fitted with a cumbersome guard. Students using this saw learn how design overcomes hazards. This gift to the public schools gained Washington Group much community goodwill.

System safety practitioners grow in professional leadership by using each of these seven skills or functions:
  • In all presentations, studies or recommendations, tell how the proposed alternate safer design or safety feature will meet or surpass traditional economic, political and operational priorities.
  • Always review engineering plans and specifications, product prototypes or existing machines to identify hazardous conditions or circumstances of use. Our duty is to identify hazards and eliminate them by design. This sets our profession apart from the marketplace priorities.
  • Enhance your competency through continuing education, training, experience, professional license or certification to develop alternate safer designs, and apply technology transfer or select appropriate safe appliances to ensure reliable hazard prevention by design. This function identifies our professional life-protecting skills.
  • Have professional independence from peer pressures that favor anti-safety economic, political and operational biases.
  • Gain community support and goodwill wherever possible.
  • Develop the ability to show the public design-based safety features that you have had a hand in developing.
  • Become a spokesperson for our profession. The public needs to hear about safety from us, not groundless speculation from self-proclaimed publicists. Design is the Holy Grail of safety.

Focusing on the seven key issues will help ensure that your system safety engineering will bring "order out of chaos" and be welcomed by management and the public.