SAFE DESIGN FOR ENGINEERING STUDENTS AN EDUCATIONAL RESOURCE FOR UNDERGRADUATE ENGINEERING STUDENTS

Transcription

1 SAFE DESIGN FOR ENGINEERING STUDENTS AN EDUCATIONAL RESOURCE FOR UNDERGRADUATE ENGINEERING STUDENTS

2 SAFE DESIGN FOR ENGINEERING STUDENTS AN EDUCATIONAL RESOURCE FOR UNDERGRADUATE ENGINEERING STUDENTS MARCH 2006

3 Commonwealth of Australia 2006 ISBN This work is copyright. This resource has been developed and designed to be reproduced for use in classroom and other educational activities. The following citation should be used: ASCC (2006) Safe Design for Engineering Students. You may download, display, print and reproduce this material in unaltered form only (retaining this notice) for your personal, non-commercial use or use within your organisation. Apart from any use as permitted under the Copyright Act 1968, all other rights are reserved. Requests and inquiries concerning reproduction and rights should be addressed to Commonwealth Copyright Administration, Attorney General s Department, Robert Garran Offices, National Circuit, Barton ACT 2600 or posted at

4 >>> FOREwORD The Australian Safety and Compensation Council (ASCC), formerly the National Occupational Health and Safety Commission (NOHSC), leads and coordinates national efforts to prevent workplace deaths, injury and disease in Australia and aims to improve national workers compensation arrangements and return to work of injured employees. Through the quality and relevance of the information it provides, the ASCC seeks to infl uence the awareness and activities of every person and organisation with a role in improving Australia s occupational health and safety (OHS) performance. More specifi cally, the ASCC aims to: > support and enhance the efforts of the Australian, State and Territory governments to improve the prevention of workplace deaths, injury and disease, > work in alliances with others to facilitate the development and implementation of better preventative approaches, and > ensure the needs of small business are integrated into these approaches. The National Occupational Health and Safety (OHS) Strategy , which was endorsed by the Workplace Relations Ministers Council on 24 May 2002, records a commitment by all Australian, State and Territory governments, the Australian Chamber of Commerce and Industry and the Australian Council of Trade Unions, to share the responsibility of ensuring that Australia s performance in workrelated health and safety is continuously improved. The National OHS Strategy sets out fi ve national priorities to achieve short-term and long-term improvements. The priorities are to: > reduce high incidence and high severity risks, > improve the capacity of business operators and workers to manage OHS effectively, > prevent occupational disease more effectively, > eliminate hazards at the design stage, and > strengthen the capacity of government to infl uence OHS outcomes. This resource package has been developed to support the priority eliminate hazards at the design stage of the National OHS Strategy and builds on previous educational resources developed by the National Occupational Health and Safety Commission (NOHSC). The Offi ce of the ASCC acknowledges the assistance of all the persons and organisations who contributed to this resource package, in particular: > Robert McLaughlan (University of Technology, Sydney) > Helen McGregor (University of Technology, Sydney) > Craig Scott (University of Technology, Sydney) > Prue Howard (Central Queensland University) > Yvonne Toft (Central Queensland University) > John Culvenor (Consulting Engineer) > VIOSH Australia (University of Ballarat) The Offi ce of the ASCC is committed to reviewing this document within 12 months of publication and incorporating any examples, case studies or other comments provided by engineering educators during that time. SAFE DESIGN FOR ENGINEERING STuDENTS iii

5

6 >>> INTRODUCTION Design is a fundamental engineering activity, and engineers are frequently engaged in the design, development and creation of new or improved products, processes, systems and services. Quality and safety in design should be fundamental engineering concerns, not only because a tenet of our Code of Ethics is to ensure the wellbeing of the community, but also because it makes good engineering sense to develop products, processes and systems that ensure our profession s continued existence and reputation. Engineers have a professional and legal duty of care to design products, processes and systems that are as safe as is reasonably practicable. Safe Design is concerned with eliminating hazards at the design stage or controlling risks to health and safety as early as possible in the planning and design of products, process or systems and items that comprise a workplace, or are used or encountered at work. Safe Design is also good business in that if you can identify and correct design fl aws early in the life cycle, it is much less costly than trying to remedy them later, and essentially a more effective product exists for the entire product life cycle. Engineers, therefore, need to learn some of the basic principles of Occupational Health and Safety (OHS) and understand how they apply to professional engineering design. In their roles as decision-makers and designers, they need to understand how to manage risk and apply those principles to technological projects including their human interfaces. This resource has been developed to help meet those needs. This resource is relevant to engineering students from a wide range of discipline areas as well as to engineering educators who are not experts in occupational health and safety. It provides some basic principles of OHS and integrates these with concepts of engineering design. The activities are designed to help engineers develop their capacity to meet their OHS responsibilities as well as their professional engineering competencies. In this regard, engineers need to: a. Have a knowledge of workplace hazards and their harmful effects, especially where these are not self-evident (e.g. the industrial hygiene topics of noise, heat, chemicals, radiation). b. Understand common law, statutory OHS requirements, responsibilities and penalties. c. Understand the risk management process, including risk analysis techniques and typical industry practices used to control the harmful effects of hazards, for example, permit to work systems, personal protective equipment (PPE). d. Understand the principles of designing to minimize human error. e. Be aware of how design can impact on reliability, safety (environment and people) and unwanted capabilities. f. Be aware of sources of information relating to OHS, e.g. ASCC (formerly NOHSC), State WorkCover/WorkSafe Authorities. SAFE DESIGN FOR ENGINEERING STuDENTS v

7 Engineers need to: Civil Mechanical Electrical Chemical Understand the principles of safe design in the following areas: Be aware of tools available to assist with the safe design principles: Understand the application of risk analysis techniques to the activities associated with: Understand the practices of permit to work systems and associated energy isolation practices: construction, use, maintenance and demolition of structures. > CHAIR from NSW WorkCover > Codes of Practice (e.g. Safe work on roofs) construction projects including dams, bridges, pipelines, roads, towers and buildings. construction, commissioning, maintenance, operation and decommissioning of mechanical equipment. > Relevant Standards. > Plant Safety Regulations. domestic, public and industrial facilities, products and processes. Varied standards of energy control, through to isolation. Permit system design for failure tolerance. construction, operation, maintenance and demolition of facilities, structures and equipment being designed for electrical transmission. > Relevant Standards. the use of electrical energy in homes, the community and industry Varied standards of energy control, through to isolation. Permit system design for failure tolerance. construction, operation maintenance and demolition of chemical processing facilities, including intrinsic safety. > Relevant Standards. > Hazardous substances, dangerous goods Regulations. the design and development of equipment and the associated evaluation of the operating processes associated with chemical plants. Hazard level definitions examples. Varied standards of energy control appropriate to hazard level. Reference: Viner Group International Pty Ltd, (2002) Incorporation of Safe Design principles into under/post graduate curricula for engineers. Paper prepared for NOHSC. objective of this resource The objective of this resource is to support engineering academics in their efforts to help students understand the importance of designing safe products, processes and systems and to develop Safe Design skills appropriate to professional engineering. Specifically, this resource > Summarises safety principles relevant to engineering design in a way that is easily accessible to engineering educators in a wide range of discipline areas and specialist fields > Provides educational materials that support engineering educators in integrating safe engineering design principles into their curricula > Provides a range of activities to help students learn about safe engineering design and develop appropriate skills > Links to other relevant books, reports, Standards and websites that extend the scope of material within this resource. Our vision is for a Safe Design focus to be incorporated into a wide variety of undergraduate subjects so that safe engineering design is recognised as an integral part of basic engineering practice. Therefore, the material has been developed in a modular fashion so that educators can adapt and use sections to highlight a range of Safe Design issues relevant to their own academic field. vi australian SAFETY and compensation council

8 Structure of the resource Part 1 provides the contextual framework and underpinning principles upon which Safe Design in Engineering is based. This section also contains an extensive reference list, which provides a range of links to other safety related educational materials that are useful to both students and academics to expand their knowledge of safety and Safe Design. Part 2 provides a range of educational materials specifically designed for engineering students that can be used by educators to develop Safe Design capabilities. Each of the student activities and case studies is supported with separate instructions for students and for lecturers. How to use this resource While the Australian Safety and Compensation Council has developed documents to be incorporated into this resource without specific referencing, the source of material has been cited wherever possible, so that students can extend their knowledge by accessing these primary sources. If readers wish to incorporate parts of this resource into documents they are developing, conventional referencing techniques should be followed. The resource has been developed and designed to be reproduced for use in classroom and other educational activities. The following citation should be used: ASCC (2006): Safe Design for Engineering Students. How can Safe Design be incorporated into the Engineering curricula? Role of Course Designer, Associate Dean Teaching & Learning, Head of School: > Safe Design Supporter - Increase engineering educator awareness amongst your Faculty staff about the need for Safe Design and the availability of resources > Safe Design Champion - Recognise safety as inherently part of Engineering education and explicitly acknowledge safety as an ability of your graduates. This will require embedding these and other safety related learning in course documentation and then mapping their impact for Course Accreditation - Support staff in changing subjects and producing Safety related learning Role of Subject Co-ordinator: Another level of implementation may be at the subject co-ordinator, grass-roots level. This approach can therefore be adopted ad-hoc across the Faculty without the need for a widespread, systematic and planned implementation. There are a range of options (levels) available depending upon the suitability of the subject and the capacity of an educator to integrate Safety within their environment. Levels of use > Level 1: Safety Adoption: Adopt existing materials with minimal changes to existing subject design - Replace an existing case study for teaching about ethics, engineering management, engineering economics that uses a non-safety topic (e.g. Sustainability, Quality) with a case study (Section 2.4 of Part 2A) that uses Safety as a context. - Insert a Risk identification activity into a Design subject to raise awareness of Safety. - Educate the students about the fundamental principles of Safe Design by providing the students with a self-guided activity involving the provided reading (Part 1) and then completing an online quiz (Part 2C). - Introduce Safety dimensions into activities requiring a debriefing. > Level 2: Safety Adaptation: Adapt subject and materials - Integrate Safety into an existing Technical Design activity through using the Safe Design and Build activity (Section 2.3 of Part 2A) and providing student support through the Safe Design: Concepts, Principles & Tools (Part 1). SAFE DESIGN FOR ENGINEERING STUDENTS vii

9 - Use several activities together in a subject - Adapt materials to draw out stronger disciplinary linkages > Level 3: Safety Integrator: Integrate Safety into learning outcomes, assessment and activities - Integrate desired safety related learning outcomes into subject learning outcomes - Build in deeper linkages through adapting the package case studies and activities for the subject and/or developing further contextspecific safety related materials - Modify an assessable design task in the subject to incorporate a requirement for Safe Design and integrate criteria relating to safety into the assessment criteria for the task viii australian SAFETY and compensation council

10 >>> part 1: CONCEpTS, principles AND TOOLS CONTENTS 1.1 SAFETy principles What does it mean to be safe? Why focus on safety? What is Safe Design? Why Implement Safe Design? SAFETy FRAMEwORk Legal & Regulatory Framework Business and Risk Framework Professional Framework SAFE ENGINEERING DESIGN Design Context Design Requirements Design Options Design Synthesis Design Completion Monitor and review throughout the life cycle Communicate and Document throughout the life cycle SAFE DESIGN ENGINEERING TOOLkIT Designer Misconception checklist Construction Hazard Analysis Implementation Review guidewords Plant Hazard checklist Process Flow Guideword Failure Mode and Effects Analysis (FMEA) Event Tree Analysis (ETA) Fault Tree Analysis (FTA) Hierarchy of Control Incident Investigation Code of Ethics 41 SAFE DESIGN FOR ENGINEERING STuDENTS 1

11 RESOURCES 43 R.1 Engineering Education resources 43 R.2 Websites of interest 44 R.3 Safety Album/Safety Moments 44 R.4 Safety Software/Materials 45 R.5 OHS & Safety Multimedia Materials 45 R.6 Reference Books and journal articles 45 2 australian SAFETY and compensation council

12 PART 1: CONCEPTS, PRINCIPLES AND TOOLS CONCEPTS, PRINCIPLES AND TOOLS AN EDUCATIONAL RESOURCE FOR UNDERGRADUATE ENGINEERING STUDENTS

13 >>> 1.1 SAFETy principles what DOES IT MEAN TO be SAFE? To be safe means to be free from the risk of harm, however, nothing in life is completely safe. As engineers, we have a professional and legal duty of care to ensure that all our designed products, processes and systems are as safe as is reasonably practicable. That means that we must understand the risks inherent in our technology and its human interfaces, and we must design systems that ensure a reasonable level of safety for all those who interact with those systems now and in the future. That is a real challenge! why FOCUS ON SAFETy? There are a number of issues that have caused us to be more concerned with safety than we have in the past. A few of these issues are described below: > Technology is becoming more complex and there are increased risks associated with human interaction and technology. > The complexity of many designed products makes it diffi cult to identify hazards because of the inter-relationship between products, processes and systems. > Complex systems may have latent faults which may not be apparent in the individual elements of the systems but which can lead to serious risks when the individual elements are combined. > Workers and operators are often remote from the processes they control and have lost the added sensory inputs that warn of danger. As a consequence of automation, they may also have lost the skills necessary to take corrective action in emergencies. > Society is also much more aware of incidents of accidental death and is demanding that life be made safe. > Safety has always been considered an important part of safety critical systems such as nuclear power, aviation and military applications and much attention has been given to these applications. With the increased use and pervasiveness of technology in our lives there is an increased awareness of the need to focus on safety across all engineered products. Some Design Related Safety Statistics The 650,000 occupational injuries and illnesses sustained annually in Australia costs the economy at least $20 billion a year. A research report revealed that for the period 1 July 2000 to 30 June 2002: > 77 workplace deaths can be attributed to poor design, this is 37% of all workplace fatalities; > 13 of these fatal incidents (16.9%) were associated with roll-over protective structures (ROPS), 10 of these incidents involved tractors 5 associated with ROPS and 5 being run over by the tractor; > 11 deaths (14.3%) involved design issues relation to guarding 6 of these involved fi xed machinery in which some one became trapped, 3 involved augers or associated power transfer shafts, and 2 involved other equipment; > 9 workers were electrocuted in circumstances where residual current devices did not appear to be present; and had they been present would have been expected to have prevented the fatality; SAFE DESIGN FOR ENGINEERING STuDENTS 3

14 > The highest number of workplace design related fatalities occurred in the agriculture industry. These 25 design related deaths (which represents 52% of all agriculture work related deaths) are associated with tractor incidents, failures of hydraulic systems, use of augers, all terrain vehicles and falls from heights; > Design related issues were involved in at least half the incidents in the mining, transport, agriculture, construction, trade and manufacturing industries; and > Nearly all of the fatalities involving machinery and fixed plant were at least partly caused by design related issues (Source: The Role of Design Issues in Work-Related Injuries in Australia , NOHSC July 2004) What is Safe Design? In response to societal demands for safer products and workplaces, governments, businesses, engineers and others who are involved in innovation are requiring that safety be a fundamental principle in design. The concept of Safe Design attempts to achieve that objective. Safe Engineering Design is a process defined as the integration of hazard identification and risk assessment methods early in the engineering design process to eliminate or minimize the risks of injury or damage throughout the life of the item being designed. The concept encompasses all engineering design including facilities, hardware, systems, equipment, products, tooling, materials, energy controls, layout, and configuration. 1 A safe design approach begins in the conceptual and planning phases; with an emphasis on making choices about design, methods of manufacture or construction and/or materials used which enhance its safety. The designer needs to consider how safety can best be achieved in each of the lifecycle phases eg. designing a machine so that maintenance activities will not require removal of protective guards. Safe design will always be part of a wider set of design objectives, including practicability, aesthetics, cost and the functionality of the designed-product. Safe design is the process of successfully achieving a balance of these sometimes competing objectives, without compromising the health and safety of those potentially affected by the designed-product over its life. There are many groups involved in the function of design. They include: > design professionals such as architects, engineers, industrial designers, software developers; > other groups who can influence design decisions, such as developers, builders, owners, insurers, project managers, purchasers, clients, OHS professionals, human factors and ergonomics practitioners; and > suppliers (including manufacturers, importers, plant-hire), constructors, installers and trades/ maintenance personnel. Life cycle of designed products Safe Design requires an understanding of the each stage in the life of a designed product, starting with the initial conception and continuing through to the point where the product no longer affects its environment. It is more costly to retrofit or modify existing products to achieve safety than it is to design out hazards early in the product development. By identifying hazards and managing risks as early Develop Concept Design Construct/ manufacture Import/ supply/install Commission and use Maintain/ Modify Decommission Disposal/ recycle Figure 1.1: Life cycle of designed products (Adapted from Christensen and Manuele (Ed.) Safety Through Design: Best Practices, National Safety Council, 1999) 1 Modified from Christensen and Manuele (Ed.) Safety Through Design: Best Practices, National Safety Council, australian SAFETY and compensation council

15 in the life cycle as possible, losses in terms of life, injury and income can be minimised and safety can be ensured. Poor design can result in a range of other economic costs such as low productivity, higher maintenance, higher employment and workers compensation expenses and reduced asset life. These economic costs are in addition to human costs of injury, illness, disease and disability. The opportunities to create intrinsically safer products are greater in the earlier life cycle phases of design, manufacture or construction. In these early phases there is greater scope to design out hazards and/or incorporate risk control measures that are compatible with the original design concept and functional requirements of the item. If risks can be eliminated or effectively controlled in these phases then safety problems may be overcome for those who use or work with the item downstream. Safety can be enhanced if each person who controls decisions taken in the earliest life cycle phases takes steps to ensure that risk is proactively addressed, and effectively documented and communicated so that users throughout the life cycle are aware of hazards and risks and informed of ways to manage them. What are the Principles of Safe Design? The key elements that impact on achieving Safe Design are: Safe Design is everyone s responsibility The responsibility for Safe Design rests with those persons have control or influence over the design. Safe design employs life cycle concepts Safe Design applies to every stage in the life cycle from conception through to disposal. Safe Design also attempts to eliminate hazards or minimise risk as early in the life cycle as possible. Safe Design implements risk management A reasonable level of safety is ensured through implementing a systematic risk management process of hazard identification, risk assessment and risk control where elimination cannot be achieved at the source. Safe Design requires knowledge and capability Any designer, or person with control or influence over safe design should be able to demonstrate the required knowledge and capability for that decision, or have direct access to the required knowledge. Safe Design relies on communication Consultation with users and other stakeholders is essential to Safe Design. Effective communication and documentation of key information, concerning action required to be taken to control risks, must also be ensured from the design phase to all users in the later phases of the life cycle, so that users are aware of any residual risks that may affect their health and safety. f link: Human factors engineering Engineering designers are also concerned with human interfaces with technology. The study of these interactions is referred to as human factors engineering. One of the classical case studies in human factors engineering is summarised below: The classic of all design deficiencies which have come to our attention was a combination safety shower and eyewash constructed at a northern missile site. In order to operate the eyewash, it was necessary for a man, who might already be blinded by acid, to put his head in the eyewash bowl and then to turn on the water valve with his right foot. The only problem was that the foot-operated valve was about four feet to his rear and higher than his waist. As an additional feature, if a man did happen to hit the valve, he got a full shower from overhead as well as getting his eye washed out. However, the whole problem became academic in winter because the whole system froze up. Source: Anonymous, Extract United States Air Force eyewash instructions in the event of an acid splash, 1959 If engineers are to be capable of designing solutions that are safe, graduate engineers of the future will require abilities and attributes not previously considered core to their professional practice. To develop these capabilities, engineering educators as well as engineering graduates, will require an enhanced understanding of the human component in system design, development and operation. SAFE DESIGN FOR ENGINEERING STUDENTS

16 Systems should be user centred, meaning that they are capable of being operated safely by a range of reasonably competent users and productive for the needs of those users. Usability is now a key aspect of engineering design. Within this design framework, consideration and incorporation of human factors reduces the likelihood of human error, resulting in a safer, more efficient work environment for all stakeholders. The integration of human factors in engineering design will ensure that designs such as the safety shower and eyewash described above will not happen. Apart from the aspects of human factors engineering concerned with the design of systems that can be used effectively and productively without endangering the safety of users, Safe Design also needs to consider the adaptive and changing nature of human behaviour. The introduction of a feature to improve safety may not deliver the intended improvement because users may adapt their behaviour in response to the change. This concept is known as risk homeostasis and can be considered akin to people having a risk budget. Consider a pressurised system such as a boiler in which a relief valve is installed to cope with instances where the operator fails to monitor and control the pressure. The operator, observing that the relief valve appears to work, leaves primary control of over-pressure to the valve and undertakes other tasks instead. What was intended, and most likely designed, as a backup ends up being the primary control mechanism. Thus a system could potentially be less safe after the installation of a designed product intended to improve safety because human behaviour can undermine the intended operation. The potential for risk homeostasis to arise in response to a design or operational change reinforces the need for systems to be continuously monitored and reviewed, and for appropriate training of all users. It is also important to document the rationale for all decisions so that unintended use can be identified and steps taken to restore safety. So, how can engineers consider human factors? The process begins by consideration of not only the specified technical operational needs of a system, but also the attitudes, abilities, capacity, expectations and understanding of users at all stages of the system life cycle. For the modern engineering practitioner, recognition that risk and safety are issues of critical importance at the interface of technical and social responsibilities is vital. The integration of these two cultures in engineering practice can be developed by gaining an understanding of human issues and an appreciation of the interface between equipment or operational environments and the quality of life of those interacting with the system. Injury and disease causation a discussion 2 Why is this not called accident causation? Firstly why are we talking about injury and disease causation and not accident causation? Accident analysis would be limiting. One reason is that accidents tend to only be about traumatic injuries and thus proper attention would not be given to injuries and diseases that develop over time (such as many manual handling injuries, hearing loss, etc). Another reason is that the term accident can conjure up a notion that the occurrence was beyond anyone s control. Accidents are within our control, because the circumstances leading to accidents are within our control. However the approach adopted here has been to avoid the limiting and misunderstood term accidents and concentrate on injury and disease causation and prevention. What s the cause? Is there only one or is it usually more complicated? The first point to make about injury and disease causation is that finding one single cause is not easy nor useful. One cause probably does not exist. Further, there can be different ideas about what kind of cause is meant. For instance, the cause of a head injury to a construction worker may be impact with the ground. The cause of the impact may be a fall. The cause of the fall might be an unguarded opening in a floor, and before that, a trip over an electrical cable, and so on. Why was the cable there? Why was the worker there? The cause 2 This section on Injury and disease causation a discussion has been prepared by J Culvenor for the Office of the ASCC, October australian SAFETY and compensation council

17 can depend on what you think is within control and therefore might have failed to perform as well as it could and what you think is fixed, unchangeable and out of control and hence do not consider. For instance consider another example. Late in the afternoon a forklift intending to drive out a doorway collides with a doorway support after swerving to narrowly miss a pedestrian walking into the building. Is this because of fatigue, rushing to complete the work, a too narrow doorway, the person walking through the doorway or the late afternoon sun shining in the doorway? Perhaps all these things contribute. Which are under control and by whom? Fatigue is variable and can be controlled. Perhaps the operator contributed by staying up late watching cricket? Alternatively perhaps the organiser of the work system contributed through demanding working hours and insufficient breaks? Perhaps the operator contributed by rushing? Alternatively perhaps unreasonable schedules were demanded, hence the demand to rush was out of the operator s control and in someone else s control? Perhaps the pedestrian could have used a pedestrian door? Perhaps there is no pedestrian door, or maybe it is inconvenient, hard to use, or involves using awkward stairs? Perhaps the doorway is too narrow? The sun itself can not be changed but the way a door is oriented, whether it is shaded from the early morning/late afternoon sun is also controllable. What about the use of the forklift itself? Why is it used? What for? Could materials be moved about another way or not at all? How far should the net be cast in the search for causal factors? There is no clear answer to this question. Certainly though if accidents are to be better understood then the search for a single cause could probably well be abandoned. Causation, causes, contributing factors, etc are probably more useful terms than cause. These terms imply something larger, more complex, plural, etc. as against something singular. Who s to blame for injuries and diseases? Does working this out help? Blaming injuries and diseases on the person who made the last (faulty) decision in a chain of events is unhelpful but it is unfortunately common. Driver error, operator error, pilot error, etc. are all manifestations of this approach. If we look deeper we find that other factors make a contribution. We can look at the incident more broadly to examine the physical environment, plant and equipment, human knowledge and skills, systems of work or use, the human interaction their surroundings, sensory inputs, physical relationship between people and equipment and environment, etc. For instance in the forklift example above we have physical environment (size of door, orientation to afternoon sun), equipment (the forklift type, weight), skills (work organisation skills, hazard identification and control skills, operator skills), work systems (the movement of goods using a forklift, work schedules) and human interaction with environment and equipment (looking into the sun, use or not of a pedestrian door). Decisions made about one or more of these factors might have contributed. A different decision about one or more might have lead to a different outcome. Very few of these decisions are made by the person at the end of the sequence such as the forklift driver or the pedestrian walking though the door. Looking beyond the actions of those immediately involved to a comprehensive set of issues takes more effort. Broader issues are harder to see as they are removed from the injury in time and space the decisions might have been taken a long time ago and some where else. Further, imagination and creative effort is necessary to ensure that assumptions are challenged and examined. For instance, in the forklift example, it might be useful to question why a forklift is used in the first place. Developing a comprehensive understanding of the causal factors of an injury is not easy. But too often the search focuses not on what would be useful, but on what is most easily identified such as operator error, etc. The decisions set the scene for the accident can therefore be overlooked. This can be seen most days in newspaper accounts of motor vehicle crashes where those at the scene, usually the driver, are given the blame. The same thing happens in the case of major disasters those closest physically and in time to the final triggering event get the blame. SAFE DESIGN FOR ENGINEERING STUDENTS

18 The danger of a very shallow and simplistic effort at finding a cause leads to very little information about what to do differently in the future. Accidents are due to human failing. This is not untrue, merely unhelpful. It does not lead to constructive action. 3 Blaming the last person in the chain (operator error, driver error, pilot error) etc. ignores all the actions that have gone before that defined the operating system. Doing nothing to rectify those decisions condemns those in the future to fall into the same traps Why Implement Safe Design? There are both moral and practical reasons for adopting a Safe Design approach and why it is a wise choice for businesses and those involved in creating new products and systems. Safe Design makes good business sense > It is cheaper to eliminate occupational health and safety hazards at the design or planning stage with well-informed decisions, rather than making the changes when the hazards become real risks to your clients, staff or business. > Safe Design results in more predictable business costs because you have identified risks and have included them in your management processes. Poor design can result in a range of economic costs such as low productivity, higher maintenance costs increased workers compensation expenses and loss of reputation. However the greatest costs are the human costs of injury, illness and loss of life. > Safe Design also contributes to a quality outcome which meets customer needs throughout the whole life cycle of the product or system of work. > Safe Design applies principles that are common between quality management standards (AS/NZ 9000) and risk management standards (AS/NZ 4360). Safe Design is socially responsible > By adopting a Safe Design approach, it is possible to design-out health and safety hazards to create a design option that meets both clients needs and your obligations as an engineer under your professional standards and the OHS legislation. > Safer products, processes and systems will result and that ultimately benefits business and society generally, now and in the long term, because it minimises injury and illness and provides for a better social and workplace environment. > Safe Design also ensures safety throughout the life cycle of the designed product, thus ensuring that future users will be protected from hazards. Safe Design is best practice engineering > Engineers are personally and professionally responsible for ensuring that their products, processes and systems are safe. They are legally bound through law and regulations to ensure that their designs are safe from concept through to disposal. > Safe Design involves processes (including human factors, organisational issues and lifecycle management) not just products. This is technically challenging and at the forefront of engineering design. Safe Design is ethical engineering practice > Safety issues, involve fundamental ideas about how we view the world and what we believe is important and right. Safe Design rests on the assumption that all people have a right to be protected from unnecessary risks. Designers have a responsibility to ensure that their conceptions do not put others at unnecessary risk. > Safety is a fundamental tenet of engineering codes of practice. Engineers are ethically bound to consider the safety and welfare of the community as paramount. All members of the Engineers Australia, in the practice of 3 Kletz, T. 1991, Plant Design for Safety: A User-Friendly Approach, Hemisphere, New York. australian SAFETY and compensation council

19 the discipline of engineering, are committed and obliged to apply and uphold the Cardinal Principles of the Code of Ethics, which are: - to respect the inherent dignity of the individual; - to act on the basis of a well informed conscience; and - to act in the interest of the community. f see Section : Safe Engineering Design Toolkit*: Code of Ethics Safe Design is a sustainable engineering practice > Engineering professional standards embrace the concept of sustainability, with an expectation placed on practising engineers to ensure that their work strives to improve the quality of life for this generation and future generations. The holistic concept of sustainability stands on the three key integrated pillars of economic, environmental and social sustainability. > Engineering practitioners have traditionally considered the economic issues, and in the last decade, environmental issues have been accepted as issues of increasing importance. Now, engineering as a profession is concerned with technology and its human interfaces, and so it must also focus on societal needs. Where does safe design fit in this equation? By considering safety throughout the entire life-cycle of designed products, engineering designers can ensure that their developments are safe from conception through to disposal, thus ensuring the well-being of current and future users Safe Design is a national priority > The National OHS Strategy ( ), developed by members of the National Occupational Health and Safety Commission (NOHSC) and endorsed by the Workplace Relations Ministers Council, has a vision to have Australian workplaces free from death, injury and disease. To achieve this ideal goal, one of the national priorities is to eliminate hazards at the design stage. This mandate is of special concern to engineers and engineering educators because design is a fundamental engineering activity and therefore we all need to understand how we can ensure that our designs are safe throughout their whole life cycle. f Safe Design is required for accreditation and professional engineering certification > All undergraduate engineering courses in Australia must be accredited by their professional association, Engineers Australia, in order for their graduates to be recognised as engineers. Engineers Australia has set criteria that engineers must meet as part of accreditation. Professional Engineer Stage 1 competency corresponds to completion of a 4- year Bachelor of Engineering degree accredited by Engineers Australia. Many of these Stage 1 competencies require the enabling skills of risk management, lifecycle concepts and engineering design that Safe Design seeks to develop. However some of these criteria require engineers to have abilities in relation to Safe Design; PE2.2 Understanding of social, cultural, global, and environmental responsibilities and the need to employ principles of sustainable development - Appreciation of the interactions between technical systems and the social, cultural, environmental, economic and political context in which they operate, and the relationships between these factors - Appreciation of the imperatives of safety and of sustainability, and approaches to developing and maintaining safe and sustainable systems - Appreciation of the nature of risk, both of a technical kind and in relation to clients, users, the community and the environment * The toolkit is located in section 1.4 of this document. SAFE DESIGN FOR ENGINEERING STUDENTS

20 PE2.3 Ability to utilise a systems approach to complex problems and to design and operational performance - Understanding of the need to plan and quantify performance over the life-cycle of a project or program, integrating technical performance with social, environmental and economic outcomes PE2.4 Proficiency in engineering design - consider the impact of all development and implementation factors including constraints and risks - ensure that the chosen solution maximises functionality, safety and sustainability, and identify any possibilities for further improvement > A Stage 1 engineer would be expected to work initially under the supervision and guidance of more experienced engineers, while experience is gained. These engineers are encouraged to undertake Professional Development Programs approved by Engineers Australia while developing the practice competencies that will qualify them for Stage 2 assessment and the status of Chartered Professional Engineer. Summary > Safety is a basic attribute of a product, process or system and needs to be embedded into the design process at every phase. > Engineering designers, concerned with technology and its human interface, have a professional responsibility to ensure that their designed products are as safe as reasonably possible for all users throughout the product life cycle. > Applying Safe Design principles in engineering design will ensure that hazards are identified as early as possible and that they are designed out, or the risks are responsibly managed throughout the entire life cycle. > Safe Design in engineering meets an engineers responsibilities for sustainable, ethical and socially responsible practice. > Safe Design is also a sensible business solution because it is economically sound and contributes to total quality. 10 australian SAFETY and compensation council

21 >>> 1.2 SAFETy FRAMEwORk The basic framework supporting Safe Design consists of laws and regulations enacted through governments and management processes enacted through business and professional standards that guide the conduct of members of professional groups LEGAL & REGULATORy FRAMEwORk Society exerts its demands for a safe environment through its government and regulatory systems. Laws balance the interests of individual citizens, businesses and corporations with the needs of the nation or state as a whole. The Commonwealth government has a responsibility to ensure that there is an overall national framework that ensures safety, while the states and territories have the responsibility for making laws about health and safety and for enforcing those laws. Each state and territory has a principal Occupational Health and Safety Act, which sets out requirements for ensuring that workplaces are safe. These requirements include the duties of different groups of people who play a role in workplace health and safety and are known as duty of care. What is Duty of Care? Duty of care requires everything reasonably practicable to be done to protect the health and safety of others. This duty is placed on: > all employers; > their employees; and > any others who have an infl uence on the hazards in a workplace. The latter includes contractors and those who design, manufacture, import, supply or install plant, equipment or materials used in the workplace. Engineers, therefore, have a duty of care. Duty of care places into a legal form what is a natural moral duty to anticipate possible causes of injury and to do everything practicable to remove or minimise these hazards. For employers, this means providing safe premises, safe plant and equipments and safe work systems. Employees also have OHS duties and responsibilities for the safety of themselves and fellow employees. Under OHS legislation employees have two major duties, fi rstly not to endanger their own or others health and safety through any act, or their failure to act, and secondly they are required to cooperate with measures introduced to protect their own and others health and safety. Reasonably practicable means that you must demonstrate that you have done your best within the constraints of a business environment and in the eyes of the law. When applied to occupational health and safety, this concept refers to an objectively reasonable response to a hazard. In doing this, a number of factors need to be taken into account to determine what would be reasonable and practicable. These factors include 4 : - Nature and severity of the hazard; - Knowledge of the severity of the hazard; - Knowledge of suitable solutions; - Availability of solutions; - Common standards of practice; and - Cost of solutions. 4 Accessed on line Sept 2005 at SAFE DESIGN FOR ENGINEERING STuDENTS 11

22 The law takes into consideration the time and cost involved in ensuring a safe workplace and recognises that complete safety is seldom achievable. However, you as the duty holder must show that it was not reasonably practicable to do more than what was done and that you have exercised due diligence. That means that you must have safe processes in place and adequate records to demonstrate that you, and all those for whom you are responsible, have done what is reasonably practicable to ensure a safe working environment. Failure to exercise due diligence may result in civil or even criminal legal action. Tort is the area of law concerned with civil liability, and it involves the finding of a fault, such as carelessness or negligence, on the part of the defendant. Professional negligence can be alleged when a plaintiff claims to have suffered a loss as a consequence of a breach of duty of care owed by someone acting in a professional capacity. Many professionals, therefore, purchase professional indemnity insurance to protect themselves from the financial consequences that could result from an unintentional failure to provide duty of care. How is duty of care legislated and enforced? Australian health and safety law is governed by a framework of Acts, Regulations and supporting guidance material such as codes of practice and standards (shown in figure 1.2). Acts An Act or Statute is law made by parliament and enforced by government departments. In each jurisdiction (Commonwealth, State or Territory) there is a principal OHS Act which gives broad duties to the workplace parties. Commonly included in each Act are requirements for 5 : > promoting occupational health and safety in the workplace; > providing systems of work that are safe and without risk to health; > employers and employees participating in health and safety issues through consultation; > protecting the health and safety of the public in relation to work activities. Acts Regulations Codes of Practice Standards Industry Standards/Guidance Notes Figure 1.2: The legal framework Compliance is mandatory Voluntary guidance material Not complying with an Act is considered an offence and can result in a fine, or the issuing of either an improvement or prohibition notice. A breach of an Act does not have to result from an accident or a person being injured at work. For example a dangerous piece of unguarded machinery being used in the workplace would in itself constitute a breach. The OHS Acts also specify duties for designers, manufacturers and suppliers. Although there are other legislative and regulatory provisions governing the safe design of buildings and structures, such as building legislation in each State and Territory and the Building Code of Australia, these do not cover the breadth of OHS matters which may arise in the design of buildings and structures as workplaces. Regulations Regulations support a principal Act by outlining how the general obligations of an Act will be applied in a workplace. OHS regulations provide more detailed requirements for specific areas of workplace health and safety. For example, they may contain provisions relating to specific processes (such as 5 Accessed on line Sept 2005 at 12 australian SAFETY and compensation council

23 spray painting and abrasive blasting) and specific hazards (such as asbestos, lead, electrical safety and confined spaces). Not complying with a regulation is considered an offence and can result in a fine, issuing of an improvement or prohibition notice or imprisonment. Codes of Practice Codes of Practice give practical advice and guidance on acceptable ways of complying with the general obligations set out in Acts and Regulations. Codes are issued by Commonwealth, State and Territory governments and are usually designed to be used in addition to the Acts and Regulations, but can also be incorporated into legislation. A breach of a code is not by itself a breach of an Act or Regulation. However all codes of practice can be used as evidence in court to demonstrate what an employer should have been doing to comply with the obligations under the Act or Regulations to ensure the objective of the Act is achieved. Standards These can be developed by relevant governments, employer associations, trade unions and industry bodies. In regards to health and safety, there are two main sources of standards: National Standards produced by the Australian Compensation and Safety Council (formerly the National Occupational Health and Safety Commission), in consultation with the State/Territory OHS authorities, employee unions and employer associations. National Standards usually deal with workplace problems such as noise or dangerous working environments. If National Standards are adopted by States and Territories into their OHS legislation they become mandatory. Examples of National Standards: > National Standard for Construction Work [NOHSC:1016 (2005)] Australian Standards produced by Standards Australia, a non-government organisation that makes standards in consultation with overseas standards bodies (eg International Standards Organisation [ISO]) and Australian technical committees. Australian Standards provide technical and design guidance. Some standards are directly relevant to health and safety, such as safety and emergency equipment and fire safety standards. Other general standards will contain health and safety provisions. Examples of Australian Standards: > AS/NZS 4804:2001 Occupational health and safety management systems General guidelines on principles, systems and supporting techniques. > AS 4024:1996 Safeguarding of Machinery. Standards are only enforceable by law when they are specifically referenced in a State/Territory health and safety regulation. Guidance Notes Guidance Notes usually relate to declared national standards and/or codes of practice, and provide detailed guidance on specific health and safety topics. In contrast to national standards and codes of practice, guidance notes may not be suitable for reference in the various jurisdictional laws. Examples of Guidance Notes > Guidance Note on the Membrane Filter Method for Estimating Airborne Asbestos Fibres 2nd Edition [NOHSC:3003 (2005)] > Guidance Note: Working Safely with Fork Lifts, Commission for Occupational Safety and Health, Western Australia > Guidance Note: Guarding of Machines, Victorian WorkCover Authority > National Standard for the Storage and Handling of Workplace Dangerous Goods [NOHSC:1015 (2001)] > National Standard for Occupational Noise [NOHSC:1007 (2000)] SAFE DESIGN FOR ENGINEERING STUDENTS 13

24 Organisations Concerned with Safety In addition to enacting laws and regulations, governments and other organisations set up agencies whose responsibilities include preserving the health and wellbeing of the community. Some of the organisations concerned with safety include the following: Australian Safety and Compensation Council (ASCC): The ASCC leads and coordinates the national approach to improvements in workplace safety and workers compensation performance, as well as promoting greater consistency and uniformity amongst the various jurisdictions within Australia. It provides policy advice to the Workplace Relations Ministers Council on national OHS and workers compensation arrangements, and has the power to declare national standards and codes of practice for OHS. These are developed as the basis for nationally consistent OHS regulations and codes of practice. The ASCC comprises representatives from the Federal Government, each State and Territory government, the Australian Council of Trade Unions and the Australian Chamber of Commerce and Industry. The Office of the Australian Safety and Compensation Council (Office of the ASCC) supports the work of the ASCC and is also a source of national research and statistical information relating to OHS and workers compensation. State, Territory and Commonwealth OHS Authorities: OHS authorities, such as NSW WorkCover, are state government statutory authorities responsible for regulating occupational health, safety, rehabilitation and compensation systems. Coroner The Coroner investigates reportable deaths and is responsible for determining the manner and cause of death. A coroner is empowered to make recommendations based on improving public health and safety. We speak for the dead to protect the living (Victorian State Coroner s Office) Other non-government organisations with a mandate to ensure Safe Design include: Engineers Australia Engineers Australia is one of a number professional bodies responsible for ensuring that members of their profession are appropriately trained and competent to carry out their professional responsibilities. Two key impacts are in accrediting educational courses in undergraduate education and certifying professional competence and providing professional development. This responsibility includes Safe Design. Standards Australia Standards Australia is a non-government, not for profit organisation that develops Australian Standards in consultation with overseas standards bodies and Australian working parties. Safe Design Legal Issues 6 Safe design is about upstream decisions that impact positively on safety downstream. The particular context here is the workplace, however the principles are parallel with public and consumer safety and for both common law and statute law prosecutions. This section demonstrates the duty of care responsibilities for designers, manufacturers, suppliers and importers as they apply to common and statute law case studies. Common Law Duty of Care The conventional starting point for any consideration of the liability of designers and manufacturers of products is the seminal 1930s case in the UK of Donoghue v Stevenson 7. Stevenson was the manufacturer of a ginger beer, which was sold to a distributor and made its way to a café. Donohue dined at the café with a friend who purchased the ginger beer. Donohue drank some of the ginger beer and subsequently discovered a decomposed snail in the beer then suffered shock and a stomach complaint. Donohue sued and succeeded at trial, lost on appeal, and then succeeded in the House of Lords. The matter of significance was that Donohue 6 The following sections on Common Law Duty of Care and Statutory Case Law have been referenced from an unpublished paper on Guide to Safe Design prepared by J Culvenor and P Rozen for NOHSC, October Donoghue v Stevenson [1932] AC 562. Also see Brooks, A; Occupational Health and Safety Law, 4th Edn, CCH, Sydney, Australia 1993, p australian SAFETY and compensation council

25 had no contractual connection with Stevenson (the manufacturer). The House of Lords decision established clearly that the duty of care extended to whoever might reasonably be injured by the product regardless of the existence or otherwise of a contractual connection 8. Lord Atkin provided the leading judgement when he described the duty of manufacturers as follows: [a] manufacturer of products, which he sells in such a form as to show he intends them to reach the ultimate consumer in the form in which they left him with no reasonable possibility of intermediate examination, and with the knowledge that the absence of reasonable care in the preparation or putting up of the products will result in an injury to the consumer s life or property, owes a duty to the consumer to take that reasonable care 9. It has been established that the term manufacturer used in the Donoghue and Stevenson doctrine includes all parties who work on the product. These parties include assemblers, repairers, suppliers and distributors (Kellam 2000) 10. In exercising the duty of care the manufacturer must take due care in design 11, manufacture 12, warnings 13, instructions 14, labelling 15 and packaging 16. Although the Donohue v Stevenson case was concerned with the liability of a manufacturer of a product to a consumer of the product, these general principles have frequently been applied in a workplace setting, for example in Hardchrome Engineering Pty Ltd v Kambrook Distributing Pty Ltd 17. Kambrook supplied a fryer to Hardchrome, which subsequently caused ignition of a fire. Kambrook, as a designer and supplier, was determined to owe a duty of care to the purchaser. Kambrook in their role as supplier was deemed negligent. In Howard v Furness Houlder Argentine Lines Ltd 18, a welder employed on a ship was able to recover damages when he was injured by steam escaping from a boiler. Marine engineers engaged by the welder s employer had negligently assembled the boiler. The fact that there was no contract between the welder and the installer did not limit the recovery of damages for the welder. It was reasonably foreseeable to the installer that negligence on its part could result in injury to the welder, who was the end-user of the boiler. The duty extends to a supplier of plant and equipment even where the employer to whom the item was supplied did not employ the worker injured. In Griffiths v Arch Engineering 19, a grinding machine was supplied to Arch by Griffiths. Arch had been sub-contracted by the plaintiff s employer to perform some welding work. An employee of Arch in turn lent the grinder to the plaintiff who was injured when the grinding wheel flew off and hit his hand. The plaintiff succeeded in an action for damages against both the initial supplier (Griffiths) and the immediate supplier (Arch). The court held that it was reasonably foreseeable that a person in the position of the plaintiff could be injured if he was not informed about the necessary conditions for the safe use of the grinder. The broad nature of the duty owed is illustrated by the case of Wright v Dunlop Rubber Co.Ltd 20. The plaintiff worked in a tyre manufacturing plant 8 Luntz, H. & Hambly, D. 2002, Torts:Cases and Commentary, 5th edn, Lexis Nexis Butterworths, Chatswood, New South Wales. 9 [1932] AC 562 at 599. (Also Brooks p 219) 10 Kellam (2000, p. 205) cites Malfoot v Noxal Limited (1935) 51 TLR Kellam (2000, p. 206) cites: Hindustan Steam Shipping Limited v Siemens Bros & Co Limited (1955) 1 Lloyds Rep. 167; Australian Shipbuilding Industries (WA) Pty Limited v Packer (unreported FC SCWA 11/2/93, 192 of Kellam (2000, p. 206) cites: Helicopter Sales (Australia) Pty Limited v Rotor-Work Pty Limited (1974) 132 CLR 1; Fletcher v Toppers Drinks Pty Limited (1981) 2 NSWLR 911; Grant v Australian Knitting Mills (1936) AC Kellam (2000, p. 206) cites: Vacwell Engineering Co Limited v BDH Chemicals Limited (1971) 1 QB 88; Devilez v Boots Pure Drug Co (1962) 106 SJ 552; Todman v Victa (1982) VR 849; Norton v Streets Ice Cream (1968) 120 CLR 635; Thompson v Johnson & Johnson Pty Limited (1989) Aust Tort Reports ; H v Royal Alexendra Hospital for Children (1990) Aust Tort Reports Kellam (2000, p. 206) cites: British Charter Co of South Africa v Lennon (1915) 31 LTR 585; Clarke v Wife v Army & Navy Co-op Society Limited (1903) 1 KB 155; Anglo Celtic Shipping v Elliot (1926) 42 TLR; and others. 15 Kellam (2000, p. 206) cites Blacker v Lake & Elliot (1912) 106 LT Kellam (2000, p. 206) cites Watson v Buckley, Osborne, Garrett & Co Limited (1940) 1 All ER VSC 359 (13 Sept 2000). 18 [1936] 2 AllER 781 at [1968] 3 All ER 217. (Also Brooks p 219). 20 (1972) 13 KIR 255. (Also Brooks p 220). SAFE DESIGN FOR ENGINEERING STUDENTS 15

26 operated by Dunlop. He contracted bladder cancer through exposure to Nonox S, a compound used in the manufacture of tyres. However, he did not work in the part of the plant where the compound was used, but was exposed as a result of fumes that had travelled through the plant. The court held that ICI, who manufactured Nonox S, was aware of the risks associated with exposure to the fumes. Therefore, it owed a duty of care to any of the employees of a company to which it supplied the compound. The duty extends, beyond the plant or substance that is supplied, to its packaging. In Adelaide Chemical and Fertlizer Co. Ltd v Carlyle 21, the plaintiff suffered severe burns when an earthenware jar that contained concentrated sulphuric acid broke when he was handling it. Although the jars were in general use as containers of acid, the High Court upheld a finding that the jars were inherently unsuitable for the purpose for which they were employed. Therefore, the manufacturer was in breach of its duty of care to the worker. Designers and architects are also caught by the rule in Donoghue v Stevenson. For example, in the case of Greaves & Co v Baynam Meikle and Partners 22, a building contractor became liable for inadequacies in the construction of a warehouse. The contractor had subcontracted the design of the warehouse to a firm of architects and engineers. The firm was told that the warehouse would be used to store oil drums on the first floor. A code of practice that had been issued by the British Standards Institute warned of certain dangers associated with the construction mode that the firm was employing. However, the court found that the engineers had paid insufficient regard to the warning and thereby breached the duty of care they owed to the building contractor to exercise reasonable care in the design of the warehouse. An Australian example of the duty owed by the designer of a building is found in the case of Voli v Inglewood Shire Council 23. An architect had designed the stage of a shire hall. The design of the stage was inadequate because the floor joists were of insufficient size having regard to the Council bylaws and standards prescribed by the Australian Standards Association. Despite this, the Council had passed the drawings. Approximately one year after the building was built, the stage collapsed during a council meeting injuring a number of people who were sitting on it at the time. The High Court identified the important question in the case as being whether an architect in such circumstances owed a duty of care to an end user of the stage 24. The court held that the architect owed a duty of care to exercise reasonable care and skill to avoid injury to any ultimate user of the structure. Brooks 25 summarises the three types of precautions that a designer, manufacturer, etc. is required to take: - The inclusion in the product of safety features, or the designing and manufacturing of a somewhat different product omitting the dangerous aspect and including a safe substitute part; - Second, if that is not possible, the accompaniment of the product by adequate warnings of the danger and of the safest methods of use; - Third, the withdrawal of the whole product from the market. Brooks adds that: There is no liability, however, if these precautions are not practicable. This is tested by looking at cost, interference with the functioning of the work process in which it is to be used, and the existence of separate risks. If the precaution is inordinately expensive in relation to the return from the product to the designer, manufacturer, etc. it is not practicable to take it. If the precaution itself creates other risks, it is not practicable. If it interferes inordinately with the operation or use of the product, it is not practicable (subject to it being established that it is also impracticable to discontinue the product altogether and substitute another) 26. Clark 21 (1940) 64 CLR [1975] 3 All ER (1962) 110 CLR (1962) 110 CLR 74 at Brooks, A; Occupational Health and Safety Law, 4th Edn, CCH, Sydney, Australia 1993: p Ibid 16 australian SAFETY and compensation council

27 and Kellam highlight that in Australia it is well settled, that in most cases, a duty of care is owed by the manufacturer and supplier of goods to the purchaser or user. The common law provides that the manufacturer ought reasonably to have the user in mind when considering the issues of design, manufacture, safety and distribution 27. In summary the common law duty of care requires that if a person can practicably reduce a foreseeable risk then they should do so. Those who have influence over reductions in foreseeable risk should use it to ensure safety downstream as far as can practicably be achieved. Since the snail in the ginger beer case of Donohue and Stevenson, in the 1930s, the law has developed to a point where all who influence a product, to whoever might later be affected by that product, owe a duty of care. Statutory Case Law Generally speaking, duties of designers, manufacturers, suppliers and importers are limited to circumstances where the plant or substance manufactured or supplied is properly used. Thus a manufacturer of plant in Victoria has a duty to ensure, so far as is practicable, that the plant is so designed and constructed as to be safe and without risks to health when properly used. Such provisions appear to be based on a recognition that it is inappropriate, and perhaps unrealistic, to impose on a third party to the workplace relationship, a duty that extends to risks arising from the improper use of plant and substances. After all, the employer has a duty to supervise the work of its employees. There is also an onus on the manufacturer and distributor of equipment to understand the purpose to which the equipment is likely to be put, and ensure the equipment is designed to perform safely in this circumstance. It is no longer acceptable simply to label equipment as safe when used as instructed, or when used for the purpose for which the equipment was designed. Two recent cases publicised by WA WorkSafe Commission and WorkCover NSW illustrates these concepts well. In 2001, a worker in WA sustained a significant back injury when he fell from a grape picking machine while he was attempting to clear a blockage in the mechanism. His employer was fined, but the manufacturer of the equipment was also fined $20,000 after being found guilty of failing to ensure that the design of a machine was safe for use in a workplace 28. In a media release by WorkSafe WAs Acting Executive Director 29, it was stated the prosecution was important in a number of ways. This is one of the very few cases where WorkSafe has successfully prosecuted the supplier or importer of a machine involved in a workplace incident. It is also an unusual case in that we had to utilise a section of the Australian Constitution to cross jurisdictions to prosecute a South Australian company. It was decided by the court that the supplier of the machine had not ensured that the design of the machine was safe, and as a consequence, a worker was very seriously injured. In 1997, a NSW Council employee had both arms amputated when feeding tree branches into a woodchipping machine at the council s waste transfer station. The manufacturer/supplier of the wood chipper was prosecuted for failing to ensure that the wood-chipping machine was safe and without risk to health. In the initial Industrial Relations Commission decision, Mr Justice Marks ruled that the operating manual provided with the wood-chipping machine was adequate to warn of any risk to the health and safety of persons using the equipment. On appeal, WorkCover successfully argued that the intended use of the machine by the purchaser had been known by the manufacturer/supplier, and that such use should have been known to be inappropriate because of the regular blockages that could be expected. The charge was brought under the Occupational Health and Safety Act 1983 specifically, Section 18 of the Act, which relates to the obligations of suppliers and manufacturers of machinery Clark and Kellam (1999) 28 WA Consumer and Employment Protection, SafetyLine Magazine, October 2003, p 13. Accessed online Sept 2005 at 29 WA Consumer and Employment Protection, Media Statement, 23 July Accessed online January 2004 at &media=media 30 WorkCover NSW, Media Releases, 18 May Accessed online September 2005 at SAFE DESIGN FOR ENGINEERING STUDENTS 17

28 WorkCover s General Manager noted the farreaching implications of the judgement: The Full Bench found that manufacturers and suppliers of machinery must ensure that the plant is safe and without risk to health. If the machinery is not safe, it is not open to a supplier to argue that the worker was not using the machine properly. The judges also ruled that an employer s duty to guard against acts of inadvertence; error or negligence by employees should also be applied to a manufacturer or supplier of plant Business and Risk Framework While business may be ultimately concerned with a return on their investment in the form of profit, responsible firms also ensure that their businesses are both economically and socially well managed. They recognise that it is in their best interests to ensure that their products and their workplace are safe for all those who are currently using them or will use them in the future. One of the most effective processes for ensuring safety is Risk Management. In the following section, we outline the basic principles of Risk Management and briefly discuss their relevance to safe design. In Section 1.3 we show how this process can be integrated with traditional engineering design. Risk Management Organisations ensure safety through adopting strategies to manage risk. Risk is defined as the chance of something happening that will have an impact upon an organisation s objectives. It is measured in terms of consequences and likelihood. Risk may arise from commercial and legal relationships, from economic circumstances, from management or human behaviour, as a result of natural events or political circumstances. However, a significant source of risk is technology and its human interfaces. Establish the Context Communicate and Consult Identify Hazards Analyse & Evaluate Risks Monitor and Review Control Risks Figure 1.3: Risk management overview Source: Adapted from Standards Australia (2004) Risk Management AS/NZS 4360:2004. Sydney, Standards Australia, p WorkCover NSW, Media Releases, 18 May Accessed online September 2005 at 18 australian SAFETY and compensation council

29 Safe Design requires some understanding of the underpinning principles of risk management, some facility with the common tools and techniques, and the ability to apply them in a design context. Risk management is a logical and systematic method of establishing the context, identifying, assessing, controlling, monitoring and communicating risks associated with any activity, function or process in a way that will enable organisations to minimise losses and maximise opportunities. The Australian Standard, AS/NZS 4360:2004 Risk Management, provides a framework to manage risk, however it is generic, independent of any specific industry or economic sector, and concerned mainly with work processes. Risk management is not only about avoiding harm, and therefore avoiding litigation and losses. It is as much about identifying opportunities to ensure safety because it is ethical professional practice, socially responsible and economically sound to do so. The process of Risk Management is conceptualised in Figure 1.3 and each of the steps is briefly summarised. A more extensive explanation can be found in the Risk Management Standard (AS/NZS 4360:2004). Communicate and consult Communicate and consult with internal and external stakeholders as appropriate for each stage of the risk management process. Establish the Context Establish the external, internal and risk management context in which the rest of the process will take place. Identify hazards Identify potential sources of harm or damage. Analyse & Evaluate risks Risk analysis utilises a number of qualitative and quantitative tools to: > identify and evaluate any existing controls; > determine the likelihood of a harmful event occurring; and > determine the consequences of such an event. The purpose of risk evaluation is to determine the level of risk and make decisions about which risks need to be controlled and allows for prioritisation in controlling the risks. Control risks Develop and implement specific strategies and action plans for increasing safety, potential benefits and reducing potential costs. Monitor and review It is necessary to monitor the effectiveness of all steps of the risk management process. This is important for continuous improvement. Risks and the effectiveness of control measures need to be monitored to ensure changing circumstances do not alter priorities. It is important to ensure that control measures have not introduced any new hazards, and to ensure that control measures have eliminated or reduced the risks. Several different approaches can be adopted for controlling risk. OHS risks are usually managed using the Hierarchy of Control. The higher up the hierarchy, the more effective the risk control: Risk Management standard options Hierarchy of Control options > Avoid the risk decide not to proceed with the activity > Elimination of the hazard > Eliminate the risk design out the hazard > Substitution of the hazard > Reduce likelihood of consequence modify the hazard > Engineering Control of the hazard > Reduce the consequences modify the hazard > Administrative/Procedural Control of the hazard > Transfer the risk cause another party to bear or share the risk > Retain the risk accept the risk and plan to manage its consequence > Personal Protective Equipment to protect against the hazard SAFE DESIGN FOR ENGINEERING STUDENTS 19

30 Risks and the effectiveness of treatment measures need to be monitored to ensure changing circumstances do not alter priorities Professional Framework A number of Professional organisations, such as Engineers Australia, accept responsibility for ensuring that members of their profession are appropriately trained and competent to carry out their professional duties. To achieve this objective, they are charged with accrediting educational courses in undergraduate education, providing and monitoring continuing professional development, and certifying professional competence. Individuals wishing to be identified as certified members of such a profession, such as CPEng, must show that they have met their obligations as prescribed by their professional body. Membership in a professional organisation can be seen by the public as an indication that the individual has met some rigorous standards and is a competent practitioner who is less likely to neglect their duty of care. To facilitate this process of self-regulation, The NSW Professional Standards Act 1994, for example, endorses the mandate of professional bodies to regulate standards of professional behaviour and thus limit their liability so that public liability insurance is much more affordable. These aspects of professional behaviour are especially relevant to the design of new and innovative products, processes and systems. Many professional organisations have endorsed a Code of Ethics or Practice that guides the professional conduct of their members. Such codes form a basic framework for ensuring that members behave in a way that is in keeping with what the whole organisation deems to be proper conduct, and don t bring criticism or disrepute to the profession as a whole. Failure to comply with a Code of Ethics can result in disciplinary action or disbarment. The Code of Ethics of Engineers Australia, for example, holds the health and wellbeing of the community as the paramount concern of its members. 20 australian SAFETY and compensation council

31 >>> 1.3 SAFE ENGINEERING DESIGN Safe Engineering Design integrates risk management principles into engineering design by systematically identifying hazards, or minimising potential risk, and involving users and decision makers in considering the full life cycle of the product, process or system. Both approaches complement each other so that a holistic approach to Safe Design results. Safe Engineering Design implements risk management principles at each stage in the design process. By identifying hazards as early in the life cycle as possible, losses in terms of life, injury and costs can be minimised and safety can be ensured for current and future users Safe Engineering Design can be modelled as a sequence of stages (Figure 1.4). At each stage in engineering design, it is possible to consider appropriate risk management strategies. The composite model enhances the ability for designed products to be safely manufactured, used throughout their life cycle and disposed. The following procedures can be drawn from this model and form a process for Safe Engineering Design. The tools provided within the Safe Design for Engineering Students (SDES) can be used to support decision-making throughout the process DESIGN CONTEXT > Accept the professional and ethical mandate to ensure that the safety and wellbeing of the community is of paramount concern. f Toolkit* : Code of Ethics > Establish the external context, including the business, social, regulatory, cultural, competitive, fi nancial and political environments, to ensure that the stakeholders objectives have been considered. > Defi ne the internal context, including their risk policy and the overall goals of the organisation. > Establish the risk management context, setting the scope and boundaries for the specifi c project and specifying the nature of the decisions that need to be made regarding risk. > Identify the roles and responsibilities of various parts of the organisation in relation to the project, and the relationship between this project and other projects in the whole organisation. > Decide the criteria against which risk will be evaluated. Decisions may be based on operational, technical, fi nancial, legal, social, environmental, humanitarian or other criteria. > Develop a Safe Engineering Design framework for the project, by identifying the steps in the process that need to be taken to ensure that risks are addressed throughout the life cycle of the designed product DESIGN REQUIREMENTS > Review historical risks and failures for similar projects. Use a variety of qualitative and quantitative techniques and tools to amass suffi cient information concerning possible and probable risk regardless of whether they are under the control of the organisation. Be creative and predict possible and probably scenarios. * The toolkit is located in section 1.4 of this document. SAFE DESIGN FOR ENGINEERING STuDENTS 21

32 Design Context Identify Problem/ Need Establish Risk Context Design Requirements Gather Information Identify Risks Monitor and Review Generate Multiple Solutions Design Options Design Synthesis Analyse & Evaluate Risks Communicate and Document Select Solution Control Risks Design Completion Implement & Test Figure 1.4: A Model for Safe Engineering Design 22 australian SAFETY and compensation council

33 Example Techniques - Creative thinking, brainstorming and whole brain thinking techniques (e.g. Edward de Bono) - Judgements based on experience and records, flow charts, systems and scenario analysis - Checklists and guidewords. They are applied to various sections of a design to stimulate discussion and risk identification. The implications derived from the guidewords and checklists upon an element of the design is considered. f Toolkit* 1.4.1: Designer misconceptions f Toolkit 1.4.2: Construction Hazard Analysis Implementation Review (CHAIR) f Toolkit 1.4.3: Plant Hazard Checklist f Toolkit 1.4.4: Process industry guidewords > Systematically generate a list of risks and events that might affect the project and consider possible causes and scenarios. Some techniques are listed in AS/NZS 3931:1998 Risk analysis of technological systems Application guide > Document in appropriate ways to ensure usability throughout the life cycle. Accurate and complete documentation is especially important to those 'downstream' of the process who may need to modify or maintain the product or process Design Options > Consider the sources of risk and the likelihood of their occurrence. Risk is analysed by combining consequences and their likelihood. > Consider both technical and human factors. > Use both quantitative and qualitative techniques to systematically analyse possible risks. f Toolkit 1.4.5: Failure Mode and Effects Analysis (FMEA) f Toolkit 1.4.6: Event Tree Analysis (ETA) f Toolkit 1.4.7: Fault Tree Analysis (FTA) > Reconsider any outcomes from techniques applied in the Design Requirement stage. > Consider risk homeostasis, humans' ability to change behaviour to compensate for design changes. > Prioritise to support design options > Develop a set of conceptual designs that meet the criteria for safety. > Justify design options. > Document rationale Design Synthesis > Systematically assess the design options against the risk criteria you established in the design context. > Reconsider the human factors, such as homeostasis. > Develop a risk treatment strategy. For any issues concern OHS, apply the Hierarchy of Control otherwise apply the Standard Risk Management Treatment Options. The Hierarchy of Control requires you to try to achieve the highest level of control. 1. Control hazards by eliminating them at the design stage. 2. Control hazards by substituting them with lesser hazards. 3. Use engineering controls to isolate people from the hazard. 4. Use administrative controls to train and warn people of hazards. 5. Use personal protective equipment to reduce exposure to hazards. f Toolkit 1.4.8: Hierarchy of Control > Determine the decision-making approach to select the optimum solution. Balance the costs of implementing against the benefits derived. Consider all the direct and indirect * The toolkit is located in section 1.4 of this document. SAFE DESIGN FOR ENGINEERING STUDENTS 23

34 costs and benefits, tangible or intangible, and measured in financial or other terms, such as human suffering. f Toolkit* 1.4.9: Incident investigation f Toolkit : Code of Ethics > Prepare and implement risk treatment plans for the life cycle of the designed product Design Completion > Conduct walk throughs and test runs. > Test with various users of the product in its current stage and consider future users throughout its life cycle. > Anticipate misuse throughout its life cycle. > Document results and observations to ensure that users downstream in the life cycle will be able to control risks and ensure safety Monitor and review throughout the life cycle > Vigilant monitoring is essential to ensure safety throughout the life cycle of the designed product. > On-going review ensures that the data obtained through monitoring is available for feedback into the system. > Ensure that the safety recommendations and residual risks within the design are documented for users 'downstream' in the life cycle. > Take steps to ensure that essential modifications and maintenance are carried out and documented for future users Communicate and Document throughout the life cycle > Communicate with relevant stakeholders at every point. > Consult with appropriate users, operators, maintainers, handlers. > Document to ensure that others can follow your design plans and modifications. > Document to ensure that you can demonstrate duty of care. > Ensure that key information, concerning actions taken to address safety, is adequately recorded and transferred from the design/planning phase and that those involved at later life cycle stages have access to information about any residual risks that may affect their health and safety. Summary To achieve Safe Design in engineering, engineers should: > Accept their professional responsibility to ensure the safety and wellbeing of the community as their paramount concern > Understand the basic principles of Safe Design > Know and follow the underpinning legal, business and professional framework for safety > Integrate risk management concepts with engineering design methodology and follow a Safe Engineering Design process > Consider human factors > Apply Safe Design principles throughout the entire life cycle of designed products > Implement Safe Design as early in the life cycle as possible, and > Continually develop their professional abilities as Safe Design engineers. * The toolkit is located in section 1.4 of this document. 24 australian SAFETY and compensation council

35 >>> 1.4 SAFE DESIGN ENGINEERING TOOLkIT A wide range of knowledge, skills and attitudes are needed to be able to effectively create engineered products that meet the Safe Design principles. There are also many tools and techniques that have been developed to help you systematically identify and assess risk and deal with the complexity of socio-technical systems. Some tools and techniques are relatively generic while others are specialised for particular types of engineered products. There are many tools available for identifying, analysing, and evaluating risks. This Safe Design Engineering Toolkit presents some simple but powerful tools that we have adapted for this resource. The intention of the toolkit is to provide an introductory overview of each of the tools so that the reader is aware of systematic approaches to safe Design and can analyse the educational material presented in this resource. Guidewords and checklist tools f Toolkit 1.4.1: Designer Misconception Checklist f Toolkit 1.4.2: Construction Hazard Analysis Implementation Review (CHAIR) guidewords f Toolkit 1.4.3: Plant Hazard checklist f Toolkit 1.4.4: Process Flow guidewords Risk Analysis tools f Toolkit 1.4.5: Failure Mode and Effects Analysis (FMEA) f Toolkit 1.4.6: Event Tree Analysis (ETA) f Toolkit 1.4.7: Fault Tree Analysis (FTA) Risk Treatment tool f Toolkit 1.4.8: Hierarchy of Control (HoC) f Toolkit 1.4.9: Incident Investigation Professional Responsibility tool f Toolkit : Code of Ethics DESIGNER MISCONCEpTION CHECkLIST Purpose of the tool This tool has been developed to help designers systematically test products and processes for design misconceptions (Health & Safety Executive, 2003). It was thought that Safe Design could be improved through examining accident reports and identifying the types of misconceptions that may have been inherent in the engineered system or operating procedures which contributed to the accident. This analysis resulted in categorising around 30 main types of misconceptions that designers of these seemed to suffer and which would therefore make their designed product contain hazards. These misconceptions include those designers have of operators, operators intentions and the operating environment. An operator is anyone involved in the operational life of a system, including maintenance staff and people carrying out mid-life modifi cations. A set of about 20 misconceptions that operators of hazardous installations made was also identifi ed, but is not discussed in this document. Those misconceptions include those the operator may have about the design, its rationale and boundaries of safe operation. This tool was not designed to replace technical analysis such as HAZOP* or FMEA but to complement them and provide another perspective on hazard identifi cation. * HAZard and Operability SAFE DESIGN FOR ENGINEERING STuDENTS 2

36 Process for using the tool The user of this tool is seeking to find out if the designed item is vulnerable to any of the designer misconceptions listed in Table 1. The suggested process is to systematically work through the listed assumption types one-by-one. It is suggested that the use of the tool is likely to be most effective as a collective activity and that it provides a way of group members within a design team understanding each others assumptions as well as their own. Table 1.1: Designer Misconception checklist Designers wrong beliefs Explanation about the belief Example Active monitoring Adaptive behaviour Benign conditions Boundary knowledge General practices Guaranteed operating procedures Reliable aids Specific emergency conditions Sustained attention The belief that operators will seek information about the system condition whereas they are often passive recipients The belief that operators will update their knowledge when they use new equipment whereas they sometimes rely on knowledge acquired from using old ones The belief that operating conditions are benign or have little effect on the use of the system or that operators use systems differently in difficult environments The belief that operators have good knowledge from experience about a system s limit states whereas operators cannot explore limit states because of the risks The belief that design practices towards operating environments are general whereas operating environments are more varied than the practices recognise. The belief that operating procedures can avoid a harm that is inherent in the design whereas procedures may be too general and are often violated The belief that precautionary aids will increase system reliability whereas operators will not routinely check and operate aids not in routine use The belief that emergency conditions will only be of particular kinds whereas emergency conditions are highly unpredictable by their nature The belief that operators will sustain high attention levels whereas attention is degraded in a variety of conditions Clips secured fuel lines which required regular monitoring No cues provided on vessels handling characteristics to pilots used to other vessels Weighing anchor took too long for a vessel to escape strong flow Master of vessel sailed into a damaging storm centre Use of wave loadings developed in naval practice for offshore structures System left in hazardous state without indication after failure to observe permit-to-work procedures Searchlight failed when used channel unlit by beacons Evacuation system would not function in a partial capsize Lack of device to alert sleeping operator to hazardous condition Designers missing beliefs Confounded goal Transmission mechanism Explanation about the belief Not anticipating how the design could stop an operator meeting a reasonable goal and resorting to a hazardous behaviour Not anticipating how a hazard could be quickly transmitted between locations in a complex system Example Operator lowered immersion suit hood rendering it ineffective Water drains carried burning hydrocarbons 26 australian SAFETY and compensation council

37 Designers missing beliefs Need for control Need for cues Need for precautionary instruction Activating a hazard Ambiguity during emergency Information need in emergency conditions Biased information seeking Component interference Gambling behaviour Interrupted attention Over-dependence Repeated attempts Unintended use Wrong-sense interpretation of display (After Health & Safety Executive, 2003) Explanation about the belief Not anticipating how the design requires operator to exercise control Not anticipating how the design fails to provide cues needed by operators Not anticipating how the design requires operator to perform precautionary actions Not anticipating how the design allows operators to activate hazards Not anticipating how the design is opaque to operators during emergency conditions Not anticipating how the design requires operator to have particular information needs in emergency conditions Not anticipating how the design is vulnerable to characteristic human biases in information seeking or processing Not anticipating how the design could be vulnerable to operators causing components to interfere Not anticipating that the design is vulnerable to operators knowingly taking risks for some payoff Not anticipating that the design is vulnerable to operators suffering interruptions and hence lapses Not anticipating that the design is vulnerable to operators depending on a system beyond its safe regime Not anticipating that the design is vulnerable to operators having to make multiple attempts to make it work Not anticipating that the design appears to be capable of being used in unintended ways Not anticipating that the design gives a display which can be interpreted in a wrong sense Example Controls located out of view of affected operation No visible indication of equipment in hazardous state No service life stated for devices needing replacement Operator fully opened wrong valve during startup Layout was disorienting when filled with smoke Lack of valve position indication during manual control Operators are biased toward looking for hazards straight ahead Interference between rope and chain caused rope to part Master continued to sail into storm after minor damage Operator forgot to disengage autopilot on condition change Operator neglected to verify navigation system that gave no indication of its own failure Docking system destroyed after repeated attempts Fryer element used to dry after cleaning Operator read emergency display as though it were the primary display Application of the tool Since this tool is based on an analysis of past accidents it can not be assured that it covers all misconceptions, therefore it should be used to trigger thinking about hazards rather than limiting thinking to the listed items. An example of documentation arising from the application of the tool is provided in Table 2. This documentation can be used as part of ongoing design reviews particularly during modifications to the item. SAFE DESIGN FOR ENGINEERING STUDENTS 27

38 Table 1.2: Example of design documentation. Scope Type of misconception What are the assumptions? Under what conditions this assumption could be contradicted? Actions needed Criticality Design of marine docking area Expectation of boundary knowledge Boat crew will know how close they can approach the platform before disengaging autopilot Boat crew will know if any collision damage from repeated attempts at approach is catastrophic Boat crew will know if sea condition too severe for intended approach Crew may be distracted during the approach Crew may be unfamiliar with vessel type or autopilot if this differs from others in the fleet. High-Medium-Low (Adapted Health & Safety Executive, 2003) Reference Health and Safety Executive (2003) Mutual misconceptions between designers and operators of hazardous installations, Research Report 054, ISBN , HSE books, available online Construction Hazard Analysis Implementation Review guidewords In the construction industry the HAZOP process has been adapted by Workcover NSW and industry partners to create the Construction Hazard Assessment Implication review (CHAIR). CHAIR-1 is a conceptual design review. There are two sets of guidewords. The generic guideword used for each design element are: > Size > Position/Location > Movement/Direction > Energy > Egress/Access > Heights/Depths > Poor Ergonomics > Load/Force > Timing. The overview guidewords used for the whole design concept are: > Environmental Conditions > Toxicity > Environmental Impact > Inspection and Testing > Documentation and Quality Control > External Safety interfaces > Fire/Explosion identified > Utilities and Services > Maintenance. Process of using the tool The user systematically works through the guidewords one-by-one. The guidewords are used to trigger thinking about hazards. Application of the tool An example of documentation arising from the application of the tool is provided in Table 1.3. This documentation can be used as part of ongoing design reviews particularly during modifications to the item. 28 australian SAFETY and compensation council

39 Table 1.3: Outcome from CHAIR-1 using the Heights/Depths guideword. No. Guideword Risk Issue Causes Consequences Safeguards Action Person Resp Height/ Depths Construction of drains Construction/access to drain is possible confined space Confined space injury Designated confined space procedure Drain design should avoid where possible the need to be classed as confined space 2.2 Height/ Depths Interference with powerlines Plant equipment in contact with powerlines Injury/ fatality Safe management procedures Designer to indicate position and height of all powerlines to assist with site safety procedure (From WorkCover NSW, 2001) Reference WorkCover, NSW (2001) CHAIR Safety in Design tool. Contains extensive documentation and further examples Plant Hazard checklist As a designed item, Plant are a major source of hazards. The checklist reproduced below was developed by WorkSafe Victoria. a) Entanglement Can anyone s hair, clothing, gloves, necktie, jewellery, cleaning brushes, rags or other materials become entangled with moving parts of the plant, or materials in motion? b) Crushing Can anyone be crushed due to: > material falling off the plant? > lack of capacity for the plant to be slowed, stopped or immobilised? > parts of the plant collapsing? > being thrown off or under the plant? > uncontrolled or unexpected movement of the plant or its load? > the plant tipping or rolling over? > coming in contact with moving parts of the plant during testing, inspection, operation, maintenance, cleaning or repair? > being trapped between the plant and materials or fixed structures? > other factors not mentioned? c) Cutting, stabbing and puncturing Can anyone be cut, stabbed or punctured due to: > coming in contact with sharp or flying objects? > coming in contact with moving parts of the plant during testing, inspection, operation, maintenance, cleaning or repair of the plant? > the plant, parts of the plant or work pieces disintegrating? > work pieces being ejected? > the mobility of the plant? > uncontrolled or unexpected movement of the plant? > other factors not mentioned? SAFE DESIGN FOR ENGINEERING STUDENTS 29

40 d) Shearing Can anyone s body parts be sheared between two parts of the plant, or between a part of the plant and a work piece or structure? e) Friction Can anyone be burnt due to contact with moving parts or surfaces of the plant, or material handled by the plant? f) Striking Can anyone be struck by moving objects due to: > uncontrolled or unexpected movement of the plant or material handled by the plant? > the plant, parts of the plant or work pieces disintegrating? > work pieces being ejected? > mobility of the plant? > other factors not mentioned? g) High pressure fluid Can anyone come into contact with fluids under high pressure, due to plant failure or misuse of the plant? h) Electrical Can anyone be injured by electrical shock or burnt due to: > the plant contacting live electrical conductors? > the plant working in close proximity to electrical conductors? > overload of electrical circuits? > damaged or poorly maintained electrical leads and cables? > damaged electrical switches? > water near electrical equipment? > lack of isolation procedures? > other factors not mentioned? i) Explosion Can anyone be injured by explosion of gases, vapours, liquids, dusts or other substances, triggered by the operation of the plant or by material handled by the plant? j) Slipping, tripping and falling Can anyone using the plant, or in the vicinity of the plant, slip, trip or fall due to: > uneven or slippery work surfaces? > poor housekeeping, eg. swarf in the vicinity of the plant, spillage not cleaned up? > obstacles being placed in the vicinity of the plant? > other factors not mentioned? Can anyone fall from a height due to: > lack of a proper work platform? > lack of proper stairs or ladders? > lack of guardrails or other suitable edge protection? > unprotected holes, penetrations or gaps? > poor floor or walking surfaces, such as the lack of a slip-resistant surface? > steep walking surfaces? > collapse of the supporting structure? > other factors not mentioned? k) Ergonomic Can anyone to be injured due to: > poorly designed seating? > repetitive body movement? > constrained body posture or the need for excessive effort? > design deficiency causing mental or psychological stress? > inadequate or poorly placed lighting? > lack of consideration given to human error or human behaviour? 30 australian SAFETY and compensation council

41 > mismatch of the plant with human traits and natural limitations? > other factors not mentioned? l) Suffocation Can anyone be suffocated due to lack of oxygen, or atmospheric contamination? m) High temperature or fire Can anyone come into contact with objects at high temperatures? Can anyone be injured by fire? n) Temperature (thermal comfort) Can anyone suffer ill-health due to exposure to high or low temperatures? o) Other hazards Can anyone be injured or suffer ill-health from exposure to: > chemicals? > noise? > toxic gases or vapours? > vibration? > fumes? > radiation? > dust? > other factors not mentioned? Reference WorkSafe Victoria Go to then search the site for Plant Hazard checklist Process Flow Guideword In the chemical and petroleum industries HAZOPs have been particularly used to identify deviations in the process design intent and their subsequent effects on the process as a whole. When the guidewords are combined with process parameters or conditions (keywords) then a possible deviation from the design might result. The credible causes for that condition can then be listed and if this results in a hazard then safeguards can be developed. Guidewords Keywords > High > Flow > Low > Temperature > Zero > Pressure > Empty > Level > Reverse > Isolate > Also > React > Other > Mix > Testing > Drain > Plant items > Inspect > Electrical > Maintain > Composition > Start-up > Shutdown Application of the tool The combination of the low (guideword) with Flow (keyword) would lead to the possible causes for the condition of low flow to be identified. The causes could then be used to identify hazards. The causes identified could include; line restriction, filter blockage, defective pumps, fouling of vessels, valves, restrictor or orifice plates, density or viscosity problems, incorrect specification of process fluid Failure Mode and Effects Analysis (FMEA) Purpose of this tool FMEA is a risk assessment procedure by which each potential failure mode in a system is analysed to determine the results, or effects thereof, on the system and to classify each potential failure mode according to its severity. SAFE DESIGN FOR ENGINEERING STUDENTS 31

42 This is an analytical technique, which explores the effects of failures or malfunctions of individual components in a system i.e. If this part fails, in this manner, what will be the result? First the system under consideration must be defined, so that system boundaries are established. Thereafter the essential questions are: > How can each component/part fail? > What might cause these modes of failure? > What could the effects be if the failures did occur? > How serious are these failure modes? > How is each failure mode detected? The methodology used below is illustrative of the technique rather than definitive. Process of using the tool 1. Scope the analysis > Decide on the appropriate level at which to perform FMEA (e.g. subsystem, assembly, component, part). 2. Failure modes, consequences & severity (SEV) > Determine failure mode for specified object or process. Include everyway it could fail involving both random and degradation failures. (e.g. crack, deform, fracture, loosen, worn, leaking, sticking, slipping, corrosion). > Determine potential effect/consequence of the failure as perceived by the affected party (e.g. noise, loss of power, seizure, odour, loss of function, erratic operation). > Determine the severity according to specific criteria (e.g. environmental, safety and health or customer satisfaction). Severity ranking using Environmental, Safety and Health criteria: These criteria can be used to describe the worst case incident resulting from equipment or process failure. Category II, III and IV are considered unacceptable risks. > Decide on focus of FMEA (e.g. safety, reliability, repair cost). Rank Category Degree Description 1-3 I Minor Functional failure of part of machine or process no injury or exposure to personnel or release of chemicals to the environment 4-6 II Critical Failure will probably incur minor injury and damage. Minor injury (e.g. small cut or burn) can be handled by First Aid but are not considered lost time cases. 7-9 III Major Major damage to system and/or potential serious injury to personnel (requiring medical attention other than first aid) 10 IV Catastrophic Failure causes complete system loss and/or potential for fatal injury 32 australian SAFETY and compensation council

43 Severity ranking using customer satisfaction criteria: The customer and supplier should collaborate in formalising these criteria. Rank Degree Description 1-2 Minor Failure is of a minor nature and the customer will probably not notice or is of a cosmetic nature 3-5 Low Failure will result in slight customer annoyance and/or slight deterioration of part or system performance 6-7 Moderate Failure will result in customer dissatisfaction and/or deterioration of part or system performance 8-9 High Failure will result in high degree of customer dissatisfaction and cause nonfunctionality of a system 10 Major Failure will result in major customer dissatisfaction and cause non-system operation or non-compliance with government regulations. 3. Failure causes & occurrence (OCC) > Determine the causes of the failure mode (eg. vibration, contamination, temperature, overload, electric power interrupt, insufficient material thickness) > Determine the occurrence of the failure. Occurrence ranking: Example criteria that can be used to describe the likelihood or frequency of the failure mode occurring due to its related cause. It can use qualitative and quantitative data. Rank Probability Notional probability of failure 1 <0.001 Improbable 2-3 >0.001 but <0.01 Remote (e.g. 1 in 100 hours0 4-6 >0.01 but <0.1 Occasional 7-9 >0.1 but <0.2 Moderate: Fail often (eg 1 failure in 10 hours) 10 >0.2 High: Failure almost inevitable 4. Failure detection (DET) > Determine the detection of the failure. Detection ranking: Example criteria that can be used to describe the probability or ability that the current design controls will detect a failure or process weakness. Rank Probability of detection Description 1-2 Very high Verification or controls almost certainly detect existence of a deficiency or defect 3-4 High Verification or controls have a good chance of detecting the existence of a deficiency or defect 5-7 Moderate Verification or controls are likely to detect the existence of a deficiency or defect 8-9 Low Verification or controls are not likely to detect the existence of a deficiency or defect 10 Very low Verification or controls will not or can detect the existence of a deficiency or defect SAFE DESIGN FOR ENGINEERING STUDENTS 33

44 5. Risk Priority Number (RPN) > Determine the Risk Priority Number (RPN) = (SEV) * (OCC) * (DET) Ranges from 1 (failure highly unlikely and unimportant) to 1000 (failure hazardous and harmful). Ratings below 30 are reasonable for typical applications. Application of this tool An example of a FMEA for a ballpoint pen has been provided to show at a conceptual level how the FMEA process can be applied to a designed item (Table 1.4). Table 1.4: Failure Mode and Effect Analysis table for a ball point pen Part Function Potential Failure Mode Potential effects of failure SEVERITY Potential causes of failure OCCURRENCE How will the potential failure be detected? DETECTION RPN Actions Outer tube Provides grip for writer Hole gets blocked Vacuum on ink supply stops flow 7 Debris ingress into hole 3 Check clearance of hole Make hole larger Ink Provide writing medium Incorrect viscosity High flow 4 Too much solvent 2 QC on ink supply 4 32 Introduce more rigid QC Ink Provide writing medium Incorrect viscosity Low flow 4 Too little solvent 2 QC on ink supply 3 24 No action required (Adapted Event Tree Analysis (ETA) Purpose of this tool Fundamentally, event trees provide a means for quantitatively analysing the probability that a system will respond successfully or end up in failure given that an undesired event has occurred. The initiating event may be a failure within a system or an external event. ETA starts with an initiating event and then searches forward through time to identify the possible sequences of events that could arise in response. The initiating (undesired) event is the starting point for the analysis. In a given system there will be many events that could be analysed via an event tree. In a complex system there will be so many events that performing event tree analysis for each of them will probably be beyond the resources of most risk analysts. Which events are worth investing resources for an event tree analysis is a judgement process, which should take into account the overall risk management strategy. Of particular importance, though, will be those events, which have a direct causal relationship with system failure. Process of using the tool Event tree analysis is suitable for situations, which meet two criteria. Firstly, a given component s response to an event will be classified as success or failure; there is no scope for partial success or failure. Secondly, the system design is such that in response to the initiating event there is a logical sequence of components that will be engaged in response to the event. The construction of the event tree is straight forward. Once an initiating event has been chosen for analysis, the system components that are 34 australian SAFETY and compensation council

45 affected are determined along with the sequence in which the affected components will respond. Each component is dealt with in turn to determine the effect on the system due to the success or failure of that component to respond correctly. The branches of the tree terminate in either overall system success or system failure. Figure 1.5 illustrates a generic event tree. Component A is the first component of the system expected to respond as a result of the occurrence of the initiating event. Failure of Component A results in an unrecoverable failure of the system and thus this branch of the tree is a terminating branch. Successful operation of Component A in response to the event leads to consideration of Component B. Successful operation of Component B leads to an overall success. Failure of Component B requires analysis of Component C. The next step in the process is to assign probabilities for the failure-on-demand of each component; the probability of success being one minus the probability of failure. These probabilities can be obtained from data sheets, historical information, experiments, etc. The initiating event is expressed as a frequency, for example the number of occurrences per year. In Figure 1.5 the conditional probability of failure for component x has been denoted P Fx. The probability that the system s response will follow a given path is the product of the probabilities on each step. The probability of the system successfully responding to the initiating event is then the sum of all of the paths that lead to system success. For the generic example in Figure 1, the probability that the system will respond successfully to the initiating event is (1-P FA ) * (1-P FB ) + (1-P FA ) * P FB * (1-P FC ). The computed probability of failure would then be compared against the benchmark set as part of the risk management strategy and the risk then treated accordingly if the probability of failure was too high. Note that this probabilistic analysis assumes that the failures of components are statistically independent. Issues such as poor maintenance, components from the same defective batch could violate this assumption. Application of the tool Event trees are particularly suited to the analysis of failsafe mechanisms in safety critical systems. Such system often have a series of fail-safes to provide a greater level of safety. Consider a nuclear power plant in which there are two pressure relief valves. If the pressure in the boiler gets too high, correct operation of either relief valve will result in the pressure being dropped to a safe level. The first valve is designed to operate automatically under computer control. The second valve is a manual backup to be activated by an operator should the computer fail to respond. The event tree for this system is shown in Figure 1.6. Component A Component B Component C Success (1-P FB ) System Success Initiating Event Success (1-P FA ) Failure P FB Success (1-P FC ) Failure P FC System Success System Failure Failure P FA System Failure Figure 1.5: Generic Event Tree Diagram SAFE DESIGN FOR ENGINEERING STUDENTS 35

46 Relief valve 1 Relief valve 2 Opens (1-P F1 ) Pressure Decreases Pressure Too High Opens (1-P F2 ) Pressure Decreases Fails P F1 Fails P F2 Explosion Figure 1.6: Event Tree for excessive pressure in a nuclear plant (After Leveson, 1995) Reference Leveson,N.G. (1995) Safeware: System Safety and Computers, Addison-Wesley Publishing Company, 1995 Examination of the event tree in Figure 1.6 reveals that there are two branches that resolve to a successful outcome and one that does not. Calculation of the probability of failure in the event of an over pressure event is a straight forward computation based on the process described in the previous section. Examination of the event tree, however, does not reveal any information concerning the mechanism or mechanisms that led to either of the valves failing. Should the probability of failure be intolerable, then other risk assessment tools would have to be applied to the scenario to determine the possible failure modes and, if required, the likelihood of each of these failure modes. Fault trees are one such tool and this scenario is also used as the example application for the fault tree toolkit Fault Tree Analysis (FTA) Purpose of this tool Fault Tree Analysis (FTA) is a technique for determining the fundamental fault or sets of faults that lead to an undesirable event. As such FTA is a suitable tool to further analyze undesirable events identified by other tools such as ETA and HAZOP. Analysis of the probabilities associated with the fundamental causes enables the system designer to focus on those causes/faults that are most severe in their consequences or most frequent in their occurrence. Process of using the tool FTA starts with a pre-identified undesirable event. This event is then drilled-down through the system structure to determine the fundamental faults that can trigger the undesired event. The Fault Tree diagrams used to capture this analysis are based on logic symbols. A subset of the symbols used is shown in Table australian SAFETY and compensation council

47 Table 1.5: Subset of FTA symbols Symbol Name Meaning Output Event Event resulting from events occurring lower in the tree Independent Event An event for which there are no preceding events or no further breakdown to determine sub-events. OR Gate AND Gate Event immediately above the OR gate occurs if one or more of the events immediately below the gate have occurred Event immediately above the AND gate occurs if all of the events immediately below the gate have occurred Events in the diagram are represented by a rectangular block. The undesired event at the top of the diagram is referred to as the top event. Subevents, which are triggered by combinations of other events are also denoted by the rectangular block and are referred to as intermediate events. The use of logic gates enables different combinations events to be specified as the trigger for an event. If the events serving as an input to a higher event are combined through an AND gate, then all of these subordinate events must have occurred for the higher event to be triggered. Conversely an event fed by an ORgated combination of events is triggered if any of the subordinate events has occurred. Events are decomposed through the system through the use of gated event combinations until such time as the basic events have been identified. Such events are denoted by the circle symbol. Figure 1.7 illustrates a generic fault tree highlighting the use of each of the diagram components. Top Event External Trigger Intermediate Event Fault A Fault B Fault C Figure 1.7: Generic Fault Tree SAFE DESIGN FOR ENGINEERING STUDENTS 37

48 From the logic within the fault tree the cut set can be derived. The cut set is the set of all combinations of basic events that can cause the top event. When all of the events of a cut set element occur, the top event is triggered. For the generic fault tree of figure 3, the cut set elements are { External Trigger, Fault A }, { External Trigger, Fault B }, and { External Trigger, Fault C }. Application of the tool In a nuclear power plant an explosion is most definitely an undesired event. A prior analysis has determined that an explosion could occur if both pressure relief valves fail to operate when demand is placed upon them by high pressure. The first valve is designed to operate automatically under computer control. The second valve is a manual backup to be activated by an operator should the computer fail to respond. However the analysis that revealed the possibility of an explosion did not reveal any details as to the modes by which each of the valves could fail nor which of these modes was the more likely to be the cause of failure. A fault tree has thus been developed (Figure 1.8) to drill down into the failure modes for each of the valves. The first level of event decomposition of the Fault Tree of figure 1.8 reveals the key information that the explosion is triggered by the combination of three events: high pressure and the failure of both relief valves. The high pressure is the key event and Explosion Pressure too high Relief Valve 1 does not open Relief Valve 2 does not open Valve 1 Failure Computer does not open valve 1 Valve 2 Failure Operator ignorant of need to open valve 2 Operator Inattentive Pressure Monitor Failure Computer Response Too Slow Computer Fails to Issue Command Valve 1 position indicator fails on Valve 2 position indicator fails on Figure 1.8: Fault Tree for an explosion in a nuclear plant (After Leveson, 1995) Reference Leveson, N.G. (1995) Safeware: System Safety and Computers, Addison-Wesley Publishing Company, australian SAFETY and compensation council

49 the events leading up to there being a high pressure are not part of this analysis. Rather, the causes for high pressure could be the subject of a different fault tree analysis or the subject of a different analysis tool. The modes of failure for each of the valves are then examined in turn. Combinatorial explosion means that the cut set for the example of Figure 1.8 contains 12 entries. Examples of the cut set elements include { Pressure too high, Valve 1 failure, Valve 2 failure } and { Pressure too high, Valve 1 failure, Valve 1 position indicator fails on, Valve 2 position indicator fails on }. Of particular note is the effect of ANDed events versus ORed events. An intermediate event that is triggered by ANDed events can only occur if all of the subordinate events occur. In contrast, an intermediate event that is triggered by ORed events occurs if any of the subordinate events occurs. As a design guideline, the more ANDed triggers the safer a system will be. Also worth noting is the comparison of the fault tree and event tree for the same system. The event tree collapses all of the complexity of valve failure modes into a single even and assigns a single probability to the failure. This abstraction enables event trees to focus on the systems ability to recover from an event. Conversely, fault trees enable the causes of undesirable events to be determined. Subsequent analysis of the causes would reveal which of the causes need addressing Hierarchy of Control Purpose of this tool Hierarchy of control is a risk treatment process which involves a sequence of options which offers you a number of ways to approach the hazard control process to manage risk. This is described in: AS/NZS 4801:2001 & All risks should be controlled at the highest level (Elimination) of control rather than the lowest (Personal Protective Equipment). However, it may be necessary to use a combination of measures to achieve the desired level of control. Elimination Design the hazard out and therefore remove the cause of harm permanently. This approach should be attempted in the first instance. > To eliminate the risk of electrocution from 240v power tools then battery or compressed air power tools could be used. Substitution Substitute the hazard by another process or substance that presents a lower risk. This could involve the substitution of a hazardous material with one that has less toxicity, less impurities, lower flammability or lower amounts of associated particulates (e.g. dustless pellets). > To substitute risks associated with particulates during spraying, processes such as airless spraying, electrolytic spraying or brush application could be used. Engineering controls Implement some structural change to the work environment or work process to place a barrier to, or interrupt the transmission path between, the worker and the hazard. Caution must be used to ensure engineered controls do not interfere with the basic function of an engineered system or process. > Engineering controls include process automation, machine guards, isolation or enclosure of hazards, the use of extraction ventilation and manual handling devices. Controls that isolate workers from the hazard can also involve the use of time and distance by job redesign. Administrative (procedural) controls Reduce or eliminate exposure to a hazard by adherence to procedures or instructions. Documentation should emphasize all the steps to be taken and the controls to be used in carrying out a task safely. Administrative controls are dependent on appropriate human behaviour for success and may involve training and supervision. Administrative controls can be documented within National Standards, Codes and Guidance Notes. SAFE DESIGN FOR ENGINEERING STUDENTS 39

50 > Administrative controls include safety warnings, operator certification for machinery and Permit to Work systems for Confined Spaces. Personal protective equipment Create a barrier between the user and the hazard in the form of clothing or personal equipment. The success of this control is dependent on the protective equipment being chosen correctly, as well as fitted correctly and worn at all times when required. > Personal protective equipment includes skin protection, face masks, earmuffs and breathing apparatus Incident Investigation Purpose of this tool The Risk Management Framework (AS/NZ 4360) is a generic framework that has been developed to be a high-level approach for managing risk across a number of sectors. Within other standards (AS/ NZS 4804) there is a context specific adaptation which has been developed within the Occupational Health and Safety community to manage risk. This Incident Investigation tool has been developed to guide an Incident Investigation which can examine many aspects of the operation of an organization s Occupational Health and Management System (e.g. training, hazard identification, hazard/ risk assessment, control of hazards/risks and emergency preparedness.). The focus of the Incident Investigation should be on identifying system deficiencies and preventing a recurrence of the incident rather than apportioning blame. Process of using the tool An incident investigation team typically includes; the supervisor or manager; the individual(s) involved in the incident; and employee representatives. The main stages of an incident investigation are (adapted from AS 4804): Step 1 Gather objective information and establish the facts about the context in which the Incident happened, however there are no set ways of categorising the causal factors Different examples of the types of data collected; 1. Machine, environment and human factors (i.e. regarding hazard identification, hazard/risk assessment and controls, sequence of events, operating procedures, training, induction, supervision, emergency arrangements). 2. Physical accident sequence, Organisation factors; Company level factors; Government/ regulatory factors; and Societal factors. (from Hopkins, 2000) 3. Equipment; environment; skills and experience; operating/work system and other ergonomic factors (relationship between people and their environment and equipment). Step 2 Isolate the contributory factors (i.e. incidents may be multi-causal and there may be many interactions between causal factors). Identify relationships between the factors. This can diagrams such as mind maps and flowcharts. Step 3 Determine corrective and preventive actions (the incident investigation team should propose recommended actions to eliminate or modify the contributory factors that either led to the incident or affected the consequence of the incident outcomes). The focus should be on the Hierarchy of Control. Step 4 Prepare a report (i.e. the report should contain a proposed action plan for management consideration and implementation). Reference AS/NZS 4804:2001 Occupational health and safety management systems General guidelines on principles, systems and supporting techniques Hopkins, A., (2000) Lessons from Longford: The Esso Gas Plant Explosion, 1st edition, pp 179, CCH Australia Ltd, Sydney, Australia 40 australian SAFETY and compensation council

51 Code of Ethics Purpose of the tool This tool can be used by Engineers when they are making a judgement based engineering decision. Many engineering organisations have committed themselves to abide by the Engineers Australia Code of Ethics. Many organisations have also developed their own Codes of Ethics or codes of practice. A review of these codes makes it clear that safety is a prime ethical consideration. Process of using the tool Prior to making a complex Safety based decision, the Code of Ethics can be reviewed to ensure that a proposed decision upholds and does not breach any of the Tenets. The Tenets of the IEAust Code of Ethics are: 1. Members shall at all times place their responsibility for the welfare, health and safety of the community before their responsibility to sectional or private interests, or to other members; 6. Members shall take all reasonable steps to inform themselves, their clients and employers and the community of the social and environmental consequences of the actions and projects in which they are involved; 7. Members shall express opinions, make statements or give evidence with fairness and honesty and on the basis of adequate knowledge; 8. Members shall continue to develop relevant knowledge, skill and expertise throughout their careers and shall actively assist and encourage those under their direction to do likewise; and 9. Members shall not assist, induce or be involved in a breach of these Tenets and shall support those who seek to uphold them. f Link downloads/code_of_ethics_2000.pdf 2. Members shall act in order to merit the trust of the community and membership in the honour, integrity and dignity of the members and the profession; 3. Members shall offer services, or advise on or undertake engineering assignments, only in areas of their competence and shall practise in a careful and diligent manner; 4. Members shall act with fairness, honesty and in good faith towards all in the community, including clients, employers and colleagues; 5. Members shall apply their skill and knowledge in the interest of their employer or client for whom they shall act as faithful agents or advisers, without compromising the welfare, health and safety of the community; SAFE DESIGN FOR ENGINEERING STUDENTS 41

52 42 australian SAFETY and compensation council

53 >>> RESOURCES The materials in Part 1 and Part 2 of this Safe Design for Engineering Students package contain materials specifi cally developed for undergraduate engineering educators about Safe Design. Those materials should be considered a generic and basic platform upon which a deeper and more sophisticated understanding of Safe Design and the broader domain of Occupational Health and Safety can be based. This resource list provides reference to other teaching materials that can extend the scope of material within this package. There are a range of existing resources from other sources which can be used by engineering educators who wish to integrate health and safety issues into their subjects. Some of these resources can be used to help contextualise the principles within the Safe Design for Engineering Students package to a specifi c disciplinary context or build upon the learning activities given within package. Whilst many of these resources have a strong Occupational Health and Safety focus they do contain materials that can be used to support teaching and learning about Safe Design. R.1 ENGINEERING EDUCATION RESOURCES > Incorporating Safety, Health and Environmental Risk issues in Undergraduate Engineering Courses by Institution of Electrical Engineers - she.cfm > Ethics and Safety case studies These websites provide extensive, well documented and engaging cases, some of which explore the boundaries between design, safety and professional responsibilities > NIOSH: Safety/Health Awareness for Preventative Engineering These resources are Safety and Health Instructional Modules developed by NIOSH, engineering professional societies, and engineering schools for undergraduate engineering education. - > Safety & Ergonomics for Mechanical, Civil, and Electrical Engineering subjects This resource gives examples of how to embed health and safety oriented content in a wide range of technically oriented subjects across various engineering disciplinary areas. - > Safety Materials for Construction Engineers This websites contains an excellent range of resources for educators seeking material on Health and Safety for the Built Environment. - > Failure Cases in Civil Engineering This resource for Civil Engineers contain documented case studies and links focused around learning from failures - case_studies_project/ SAFE DESIGN FOR ENGINEERING STuDENTS 43

54 > Occupational Health and Safety for Engineers A Resource for Engineering Education, 1990 This resource was developed for NOHSC to support the integration of Occupational Health and Safety into the undergraduate Engineering curricula. It contain six case studies and educator support. - > System Safety and Risk Management An excellent website by Jacobs Sverdrup that has extensive presentation and workshop materials suited to engineering education - shtml R.2 Websites of interest > The Australian Safety and Compensation Council website. This site hosts a range of resources relevant to Safe Design. There are a range of publications that extend the material covered in the Safe Design: An Engineering Resource Package to a much greater depth and more generally about Occupational Health and Safety in the Australian context. - > The National Committee of Engineering Design website. The NCED aims to promote design excellence and awareness through media of publications, conferences and both national and international exhibitions. Engineering Design addresses issues of creating and delivering innovative, useful, reliable and economical technical solutions to meet human wants or needs. One of NCED s main objectives is to promote links between industry, and tertiary and secondary learning institutions for the strategic development of design learning and experience in all aspects of design. - > Gateways for Safety and Health Information resources > Safety in Design This site has a number of design guides for the built environment. - R.3 Safety Album/Safety Moments These databases contain examples that can be used to illustrate either unsafe designs and/or behaviours and show the problem which Safe Design is trying to address. > NOHSC Practical Solutions Database A database of over 720 examples of solutions to overcoming OHS problems. Many of these include examples of Safe design. - > Bad Human Factors Design Over 90 examples of designed items which because of bad design are difficult to use or hazardous. - > NIOSH Fatality Assessment and Control Evaluation (FACE) Program An accident database containing a brief synopsis of an accident which led to a fatality. - > Safety resources from the military Check the archive of Safety photos and success stories - > Google image search: Images to help illustrate Unsafe and Safe Design can often be found here australian SAFETY and compensation council

55 > Safety Materials for Chemical Engineers This site by the UK Chemical Reaction Hazards Forum comprises over 120 incidents from chemical and pharmaceutical industry. - > Product Safety recall alerts These websites often have images where the safety hazard is obvious from a visual inspection - html R.4 Safety Software/Materials Software can be used to systematically predict and document safety related design issues R.5 OHS & Safety Multimedia Materials The use of engineering failures to illustrate the need for a greater focus on Safety in Engineering is a common approach in Engineering Education. There are a range of excellent materials to support this. > BBC Disaster Special Collection of videos > Insight Media videos on Engineering failures - R.6 Reference Books and journal articles > Brauer, R. L. (1994) Safety and health for engineers, Van Nostrand Reinhold, New York, USA > Hopkins, A., (2000) Lessons from Longford: The Esso Gas Plant Explosion, 1st edition, CCH Australia Ltd, Sydney, Australia. > Hunter, T. A., (1992), Engineering design for safety, McGraw, Hill, Inc. New York, USA. > Kletz, Trevor (2001), An Engineer s View of Human Error (3 rd edition), Institution of Chemical Engineers, Rugby, Warwickshire, UK. > Keltz, T. (1991), Plant Design for Safety: A User- Friendly Approach, Hemisphere Publishing Corporation, New York. > Leveson, N. (1995) Safeware: System Safety and Computers, Sphigs Software, Addison Wesley Professional, USA. > Petroski, H., (1982) To engineer is human the role of failure in successful design, St. Martins Press, New York USA > Petroski, H., (1994), Design paradigms case histories of error and judgement in engineering, Cambridge University Press, Cambridge, UK > Safety by Design: An Engineer s Responsibility for Safety: ISBN (1996) by the Hazards Forum ( co.uk) > Stevenson (2003) Safety by Design, ISBN , Mike Stevenson Ergonomics, Balgowah, NSW, Australia. Available from Engineers Australia bookshop. > Voland, G. (2004) Engineering by Design, Pearson Education Inc, Upper Saddle River, N J, USA. > Brown, David B. (1976) Systems analysis and design for safety, Prentice Hall, Inc. Englewood Cliffs, New Jersey, USA (a bit old) > Christensen, W.C & Manuele, F.A (Eds) (1999), Safety Through Design, National Safety Council, USA - SAFE DESIGN FOR ENGINEERING STUDENTS 45

56 46 australian SAFETY and compensation council

57 PART 2A: SAFE DESIGN STUDENT ACTIVITIES STUDENT ACTIVITIES AN EDUCATIONAL RESOURCE FOR UNDERGRADUATE ENGINEERING STUDENTS

58 >>> part a: Safe DeSign StUDent activities contents.1 introduction 3. guided activities Designer Misconception Construction Hazard Assessment Implementation Review Plant Hazard Checklist Incident Investigation: Waste Collection Failure Modes and Effects Analysis Event Tree Analysis Fault Tree Analysis Risk Control Incident Investigation 29.3 DeSign activities Safe Design and Build 31. case StUDieS Ford Pinto Case Study Mercedes A-Class Case Study F-111 Deseal/Reseal Case Onsite Safety Activity 42 safe design For EnGinEErinG students 1

59 australian SAFETY and compensation council

60 >>>.1 introduction.1.1 intended learning outcomes Engineers Australia have specifi ed the types of capabilities that an undergraduate engineer would be expected to have upon entering the workforce as a graduate engineer. These capabilities provide a useful foundation for promoting Safe Design, however there are additional capabilities and their enabling knowledge, skills and attitudes that we believe engineering educators should aspire to develop within their students. By achieving these capabilities we can ensure that Safe Design becomes a fundamental and explicit part of engineering. The following capabilities have been adapted from those articulated in the UK by the Board of Moderators Guideline (Appendix C) learning-hse.com/hse/info_frameset.phtml attitude competence Knowledge Ability to: > appreciate the ethical view; > recognise that health and safety is integral with all we do; > accept that safety is everyone s responsibility Ability to: > be able to implement a basic, systematic risk management process; > communicate safe design; > implement a life-cycle approach in design Ability to: > fulfi l legal responsibility, > understand the legal framework, > understand the value of health and safety and its role in the engineering process; > recognise the infl uence of human behaviour; > appreciate the benefits of learning from history. safe design For EnGinEErinG students 3

61 2.1.2 Safe Design Keywords The following are the key concepts, principles and terminology needed to be an effective practitioner of Safe Design. > Safe Design Process: Designed product, Designers, Five principles of Safe Design, Human factors. > Lifecycle Framework: Lifecycle concepts and stages. > Legal, Regulatory & Professional Framework: Duty of Care, Reasonably practicable, Due Diligence, Act, Regulation, Code of Practice, Standard, Guidance Note, Code of Ethics. > Risk Management process: Stages in Risk Management process, risk, hazard. > Risk Assessment techniques Guidewords, Checklists, Failure Mode and Effects Analysis, Event Tree Analysis, Fault Tree Analysis. > Risk Control: Hierarchy of Control, Elimination, Substitution, Engineering Control, Administrative Control, Personal Protective Equipment Assessing Safe Design capabilities Providing guidelines on assessing the ability of students to recall and comprehend Safe Design key concepts and terminology is relatively straightforward. Activities which test this knowledge can be highly structured, have clear cut answers and can be universally applied across many of the branches of engineering. Examples of these types of teaching and learning activities are the quizzes and short answer tests that could be developed for the risk assessment techniques. Providing generic guidance on how to assess the extent to which higher order learning has occurred and whether Safe Design capabilities have been developed within students is more difficult. This requires that knowledge, skills and attitudes are integrated into disciplinary specific knowledge and applied to an example meaningful to that discipline. In these more complex application contexts different engineering disciplines can use different risk management tools and they often have different design processes. Another challenge is to provide guidelines on the extent to which learning related to the values and attitudes of the students have occurred. The activities that suit developing these types of learning are more likely to be open ended and the appropriate learning outcomes will need to be more thoroughly negotiated with the students and be specific to your learning environment. Examples of these types of teaching and learning activities are those that involve the cases and scenarios and the problem-based activities. The assessment criteria for these activities can follow the generic pattern included in the Lecturer Notes or alternatively, can be developed to be more specific to the discipline area or be negotiated with the students to meet their own learning objectives. australian SAFETY and compensation council

62 >>>. guided activities..1 DeSigner MiSconception StUDent notes Overview This activity has been designed to help you develop the ability to identify hazards and risks. You will also learn about some of the common misconceptions that designers have, based on those which have been embedded in design and caused fatalities. During the activity a list of known hazard inducing design assumptions are tested against the item represented in the image. Through completing this activity, you will develop your skills in identifying risks and develop a greater understanding of how incorrect assumptions and misconceptions can contribute to unsafe design. Intended learning outcomes > Ability to identify risks/hazards from visual information using the Designer Misconception tool. > Knowledge of common misconceptions that have resulted in poor design. > Understanding of how misconception can lead to poor design. Activity For each the following Images (A, B & C), identify the risk issues through using the designer misconception checklist (Safe Design Engineering Toolkit 1.4.1). > Fill out the documentation for each of the images. safe design For EnGinEErinG students 5

63 Image A: Vehicle Dashboard Photograph courtesy of: Scenario You have just hired a car from Los Angeles Airport. This photograph represents part of the dashboard from that vehicle containing the speedometer and tachometer. Documentation from Designer Misconception tool Scope Type of misconception Vehicle dashboard What are the assumptions? Under what conditions this assumption could be contradicted? Actions needed Criticality australian SAFETY and compensation council

64 Image B: Stairway Photo: J Culvenor Scenario This is an emergency stairway in a hotel. This stairway is used as a permanent access to a swimming pool on the top floor. The stairwell is used many times per day. The stairs are constructed of concrete with a metal railing Documentation from Designer Misconception tool Scope Type of misconception Stairway What are the assumptions? Under what conditions this assumption could be contradicted? Actions needed Criticality SAFE DESIGN FOR ENGINEERING STUDENTS

65 Image C: Road Lighting Photograph courtesy of: Scenario The image is of yellow street lights at night. The arrow points to a different type of light (this is a HINT) Documentation from Designer Misconception tool Scope Type of misconception Road lighting What are the assumptions? Under what conditions this assumption could be contradicted? Actions needed Criticality australian SAFETY and compensation council

66 2.2. construction Hazard Assessment Implementation Review Student Notes Overview This activity should help you to develop your ability to identify hazards and risks through using guidewords. By completing this activity, you should be more proficient at recognising hazards and be better able to understand the implications of poor design regarding safety. Through discussion and debate, you should also be developing the ability to conceptualise safer design. Intended learning outcomes > Ability to identify risks/hazards from visual information using the Construction Hazard Assessment Implementation Review tool. > Knowledge of common causes of unsafe design for construction projects. > Ability to use guidewords/checklists as a mechanism for risk/hazard identification. Activity For each the following Images (A, B & C), > identify the risk issue using the Construction Hazard Assessment Implementation Review (Safe Design Engineering Toolkit 1.4.2). > Fill out the CHAIR documentation. > Suggest alternate design options to eliminate or reduce the risk issue. The generic guidewords to be used for this activity are: > Size; > Movement/Direction; > Heights/Depths; > Load/Force; > Position/Location; > Energy; > Poor Ergonomics; > Timing; and > Egress/Access SAFE DESIGN FOR ENGINEERING STUDENTS

67 Image A: Livestock Loading/Unloading Ramp Photo: J Culvenor Scenario This wooden structure is used for loading and unloading livestock from semi-trailers into a livestock holding yard. These structures are often located near a public road and on a property boundary. Documentation for Construction Hazard Assessment Implementation Review No. Guideword Risk Issue Causes Consequences Safeguards Action 1 10 australian SAFETY and compensation council

68 Image B: Air Conditioning Units Photo: J Culvenor Scenario Split systems and other air conditioning systems are a relatively common feature in multi-level buildings Documentation for Construction Hazard Assessment Implementation Review No. Guideword Risk Issue Causes Consequences Safeguards Action 1 SAFE DESIGN FOR ENGINEERING STUDENTS 11

69 Image C: Traffic Crossing Point Photo: J Culvenor Scenario A common sight on many roads in rural Australia is a stock crossing point used to move livestock from one part of a property to another. Documentation for Construction Hazard Assessment Implementation Review No. Guideword Risk Issue Causes Consequences Safeguards Action 1 12 australian SAFETY and compensation council

70 2.2.3 Plant Hazard Checklist Student notes Overview This activity should help you to develop your ability to identify hazards and risks through using guidewords. By completing this activity, you should be more proficient at recognising hazards and be better able to understand the implications of poor design regarding safety. Through discussion and debate, you should also be developing the ability to conceptualise safer design. Intended learning outcomes > Ability to identify risks/hazards from visual information using the Plant Hazard checklist. > Knowledge of common causes of unsafe design for plant items. > Ability to use guidewords/checklists as a mechanism for risk/hazard identification. > Use the hierarchy of control to describe risk control options. Activity For each the following Examples (A, B, C, D), > Identify the hazards using the Plant Hazard checklist (Safe Design Engineering Toolkit section or below) and document them. > Suggest alternate design options based on the Hierarchy of Control to eliminate or reduce the hazard. Please note that if systems of work or operator competency are factors in the control of risk, the designer is required to specify these in information provided by the manufacturer. Plant Hazard checklist: summary a) Entanglement Can anyone s hair, clothing, gloves, necktie, jewellery, cleaning brushes, rags or other materials become entangled with moving parts of the plant, or materials in motion? b) Crushing Can anyone be crushed due to: material falling off the plant: lack of capacity for the plant to; be slowed, stopped or immobilised; parts of the plant collapsing; being thrown off or under the plant; uncontrolled or unexpected movement of the plant or its load; the plant tipping or rolling over; coming in contact with moving parts of the plant during testing, inspection, operation, maintenance, cleaning or repair; being trapped between the plant and materials or fixed structures and other factors not mentioned? c) Cutting, stabbing and puncturing Can anyone be cut, stabbed or punctured due to: coming in contact with sharp or flying objects; coming in contact with moving parts of the plant during testing, inspection, operation, maintenance, cleaning or repair of the plant; the plant, parts of the plant or work pieces disintegrating; work pieces being ejected; the mobility of the plant; uncontrolled or unexpected movement of the plant; other factors not mentioned? d) Shearing Can anyone s body parts be sheared between two parts of the plant, or between a part of the plant and a work piece or structure? e) Friction Can anyone be burnt due to contact with moving parts or surfaces of the plant, or material handled by the plant? f) Striking Can anyone be struck by moving objects due to: uncontrolled or unexpected movement of the plant or material handled by the plant; the plant, parts of the plant or work pieces disintegrating; work pieces being ejected; mobility of the plant; other factors not mentioned? g) High pressure fluid Can anyone come into contact with fluids under high pressure, due to plant failure or misuse of the plant? SAFE DESIGN FOR ENGINEERING STUDENTS 13

71 h) Electrical Can anyone be injured by electrical shock or burnt due to: the plant contacting live electrical conductors; the plant working in close proximity to electrical conductors; overload of electrical circuits; damaged or poorly maintained electrical leads and cables; damaged electrical switches; water near electrical equipment; lack of isolation procedures; other factors not mentioned? i) Explosion Can anyone be injured by explosion of gases, vapours, liquids, dusts or other substances, triggered by the operation of the plant or by material handled by the plant? j) Slipping, tripping and falling Can anyone using the plant, or in the vicinity of the plant, slip, trip or fall due to: uneven or slippery work surfaces; poor housekeeping, eg. swarf in the vicinity of the plant, spillage not cleaned up; obstacles being placed in the vicinity of the plant; other factors not mentioned? Can anyone fall from a height due to: lack of a proper work platform; lack of proper stairs or ladders; lack of guardrails or other suitable edge protection; unprotected holes, penetrations or gaps; poor floor or walking surfaces, such as the lack of a slip-resistant surface; steep walking surfaces; collapse of the supporting structures; other factors not mentioned? k) Ergonomic Can anyone to be injured due to: poorly designed seating; repetitive body movement; constrained body posture or the need for excessive effort; design deficiency causing mental or psychological stress; inadequate or poorly placed lighting; lack of consideration given to human error or human behaviour; mismatch of the plant with human traits and natural limitations; other factors not mentioned? m) High temperature or fire Can anyone come into contact with objects at high temperatures? Can anyone be injured by fire? n) Temperature (thermal comfort) Can anyone suffer ill-health due to exposure to high or low temperatures? o) Other hazards Can anyone be injured or suffer ill-health from exposure to: chemicals; noise; toxic gases or vapours; vibration; fumes; radiation; dust; other factors not mentioned? Hierarchy of Control Risk Control Options: summary > Elimination Design the hazard out and therefore remove the cause of harm permanently. > Substitution Substitute the hazard by another process or substance that presents a lower risk. > Engineering controls Implement some structural change to the work environment or work process to place a barrier to, or interrupt the transmission path between, the worker and the hazard. > Administrative (procedural) controls Reduce or eliminate exposure to a hazard by adherence to procedures or instructions. > Personal protective equipment Create a barrier between the user and the hazard in the form of clothing or personal equipment. l) Suffocation Can anyone be suffocated due to lack of oxygen, or atmospheric contamination? 14 australian SAFETY and compensation council

72 Example A: Tractor Access Photo: J Culvenor Scenario Access to tractors is often positioned between the wheels. Risk/hazard identified from plant hazard checklist a) Entanglement b) Crushing c) cutting, stabbing and puncturing d) Shearing e) Friction f) Striking g) High pressure fluid h) Electrical i) Explosion j) Slipping, tripping and falling k) Ergonomic l) Suffocation m) High temperature or fire n) Temperature (thermal comfort) o) Other hazards Risk/Hazard Identification explanation Risk Control Options Elimination Substitution Engineering controls Administrative (procedural) controls Personal protective equipment Risk control explanation SAFE DESIGN FOR ENGINEERING STUDENTS 15

73 Example B: Grain Auger Photo: J Culvenor Scenario The grain auger is an essential piece of farm equipment which is used to move grain from one location to another. Risk/hazard identified from plant hazard checklist a) Entanglement b) Crushing c) cutting, stabbing and puncturing d) Shearing e) Friction f) Striking g) High pressure fluid h) Electrical i) Explosion j) Slipping, tripping and falling k) Ergonomic l) Suffocation m) High temperature or fire n) Temperature (thermal comfort) o) Other hazards Risk/Hazard Identification explanation Risk Control Options Elimination Substitution Engineering controls Administrative (procedural) controls Personal protective equipment Risk control explanation 16 australian SAFETY and compensation council

74 Example C: Silo Access Photo: J Culvenor Scenario Silos need a system for operating the opening at the top of the structure. Access is often provided by a ladder up the side of the structure. Risk/hazard identified from plant hazard checklist a) Entanglement b) Crushing c) cutting, stabbing and puncturing d) Shearing e) Friction f) Striking g) High pressure fluid h) Electrical i) Explosion j) Slipping, tripping and falling k) Ergonomic l) Suffocation m) High temperature or fire n) Temperature (thermal comfort) o) Other hazards Risk/Hazard Identification explanation Risk Control Options Elimination Substitution Engineering controls Administrative (procedural) controls Personal protective equipment Risk control explanation SAFE DESIGN FOR ENGINEERING STUDENTS 17

75 Example D: Bench Grinder Scenario Bench grinders are a commonly used product both at home and in the workplace. Examples of use include to shape metal, sharpen tools or prepare metal for welding. Risk/hazard identified from plant hazard checklist a) Entanglement b) Crushing c) cutting, stabbing and puncturing d) Shearing e) Friction f) Striking g) High pressure fluid h) Electrical i) Explosion j) Slipping, tripping and falling k) Ergonomic l) Suffocation m) High temperature or fire n) Temperature (thermal comfort) o) Other hazards Risk/Hazard Identification explanation Risk Control Options Elimination Substitution Engineering controls Administrative (procedural) controls Personal protective equipment Risk control explanation 18 australian SAFETY and compensation council

76 2.2. incident Investigation: Waste Collection Student notes Overview An injury case study is presented, as a set of witness statements. The case study is about the collection of roadside waste. This activity is designed to draw out complex issues about occupational safety including the role of work systems, plant and equipment, work environment, and the roles of designers of work systems and equipment. Intended learning outcomes > Ability to document an injury event from a set of witness statements. > Identify precursor factors (work systems; plant and equipment; work environment; people issues; and interactions) that led to the injury. > Understand the methodology used in an Incident Investigation. > An ability to recognise the roles of all parties and examine how their decisions affected safety. > Identify measures that would control the risk(s). Activity 1. Identify all the parties/stakeholders including both individual people and organisations from the scenario. 2. Identify sequence of events for accident. 3. Identify contributory factors that could have impacted the accident and management of that accident (Environment, Equipment; Skills and experience; Operating/work system, Ergonomic factors (relationship between people and their environment, equipment etc). Scenario: an injury while collecting recyclable paper You are Mo McErgo, WorkSafe Inspector You are Mo McErgo. You are a WorkSafe Inspector. You receive a call during the day on New Year s Eve from a health and safety representative at PaperMunchers, a local company that collects and sorts recycling material (papers, bottles, cans, etc). The health and safety representative says that there was an accident a few days ago when a worker was lifting papers to the truck and was nearly struck by a car. The worker was taken by ambulance to hospital after falling on the road. Also, there have been other manual handling injuries. The managers have introduced elastic back belts and the idea of workers looking over each others shoulders for breaches of safety rules is being considered. The workers don t believe these measures solve the problems. Cyril the Director of Waste Services for Tidy Town Council He has been the Director of Waste Services at the Council for five years. Prior to that he worked for the Council designing water, waste and other infrastructure is a Civil Engineer by training. As the Director of Waste Services he is responsible for Waste Collection within the Council and engaging contractors to undertake the work through a competitive tender process. He has been contacted by WorkSafe to assist the Accident Investigation team. You visit PaperMunchers You visited PaperMunchers that day and talk with the directors, Ty and Flo. You asked about the recent accident and asked to be taken to the site. You also wanted to speak to the workers and the health and safety representative. 4. Identify the design decisions that each of the organisations (City Council, PaperMunchers, Top Trucks) took which may have contributed to the accident. Consider what other options they had which may have reduced the risk to the workers SAFE DESIGN FOR ENGINEERING STUDENTS 19

77 Figure 1: Paper Collection by PaperMuncher Photos: J. Culvenor Flo took you to where the truck was working. As you arrived the workers were collecting paper. They were collecting from both sides of the road at once. Flo said that they are not meant to work from both sides of the road and that s what caused the accident. Flo said that s typical, I m glad you re here, that s Jay, the health and safety representative. Ty told Jay years ago not to cross the road. You spoke with Flo, Ty, Jay and Trek about the accident and about the work system. You observed the work (photos above) and you also visited the council. Here s what you found out: Trek: On Christmas Eve, I was working with Jo who is off work because of the accident. I was driving the truck as I have a shoulder injury from working in the sorting area. Jo was doing all the lifting work. We were keen to get the run done quickly to spend the afternoon on last minute arrangements for holidays. But we weren t rushing. The accident happened at about 11am. There had been a thunderstorm overnight, the road was wet and slippery, and the paper was wet and heavier than usual. Jo was carrying a large bundle across the road when a car appeared from around a corner. Jo probably didn t hear the car because of the noise of the paper crushing unit. I saw Jo throw the paper toward the hopper and jump behind the truck. I think it was a close call but Jo wasn t hit. The car wasn t driving fast it s just that it is hard to see at the spot where it happened. 20 australian SAFETY and compensation council

78 Jo had fallen on the kerb and complained of a massive headache and a stabbing back pain. The car driver, Lenni stopped and came to help. Luckily Lenni had a mobile and called an ambulance. The radio in the truck has been out of order for three months. They say it s going to be fixed but who knows when. I also used Lenni s mobile to call the office and report the accident. Jay: I was working in the recycling area when the accident happened but I know about this job and I am the health and safety representative. When the job began about 18 months ago I worked with Jo on the truck. We shared the lifting and driving work. It was hard work and our arms and back was usually sore at the end of a run. Flo, one of the bosses, made me move into the sorting area after about one year (six months ago). This was because Trek had a shoulder injury in the recycling area and needed a light job. There are no light jobs in the recycling area. The truck driving is easy enough but because Trek had the injury, Jo had to do all the lifting. That was far too much and I said that to Flo who said there was no choice as the insurance company said a light job was needed. It was really too hard already let alone one person now doing twice as much. I complained also to Ty who then bought everyone elastic back belts. I don t think the back belts really do anything about the problem. After Jo s accident I complained again and said we should call you (WorkSafe) to look at the problems. Ty said no but promised something better would be done. When we came back after Christmas I found out that the new improvement was to be a consultant telling everyone how to watch out for unsafe behaviours. How does that change anything about the huge amount of paper that has to be lifted, and all the bending, and the heat, sunburn, cold, rain, passing cars, sharp objects in the bundles, slippery ground, kerbs to trip over, and so on? That s when I called you. You asked about working on both sides of the road and instruction: When we started, Ty told us about the job. We were meant to drive back and forth along the streets. We did it that way for a couple of weeks but it took at lot of extra time and extra running. We could go home whenever we finished so we did both sides at once. No one ever said anything about it. No one ever asked how we do the work. No one ever came to have a look. Ty: PaperMunchers Pty Ltd is a small family owned business. Flo and I run the business. We formed when the council created the new waste system and we started work on this contract about 18 months ago after buying the trucks and setting up the sorting centre. We collect recycling wheelie bins (cans, bottles, plastic, etc) using trucks with side lifters. Then we sort this material in the sorting centre. We also collect paper but this is done manually. We bought the trucks from Top Trucks Pty Ltd, some with bin lifters for the recycling (cans and bottles) and some with hoppers for hand loading the paper. The bin lifter for recycling is good because there is only a driver and no manual work. We couldn t use that kind of truck for the paper because the council set up the system with the paper on the ground, bundled or in a box. About working on both sides of the road I told Jo and Jay not to do that when they started. I didn t know they were breaking the rules. Jay is the health and safety rep so I figured it would be all under control. When Trek started with Jo, I figured Jo would pass on the instructions on how to do the job. The lifting work is fairly hard so I bought everyone elastic back belts that I saw at an expo. Jo took it off on the day of the accident, perhaps because it was hot. We did have a system of sharing the driving and lifting work. That broke down a little bit because we needed to create a light job. After the accident, I could see that the workers were not working safely. A friend who is a safety advisor at a local manufacturing firm suggested SSAFeTy System (Super Safety Action Friendly Tips System). The idea is that the workers monitor each other s unsafe acts and issue them with friendly reminders when they are doing something dangerous. It s from the USA! I am getting a consultant to come and teach everyone. Flo: Trek worked in the recycling area for about a year and then was off work with a shoulder injury. The insurance company told me to create a light job. The recycling jobs are all the same so I thought SAFE DESIGN FOR ENGINEERING STUDENTS 21

79 truck driving would be ok. I had Trek drive the truck with Jo and moved Jay into the sorting area. Jay complained, as usual, about the lifting and that Jo would now need to do it all. But out on the collection they can work at their own pace so if it gets a bit too much for Jo toward the end of the day they can just slow down. I think it worked quite well until the accident. Jo must have been crossing the road. I know Ty told them not to when they started so it s Jo s own fault. Your visit to the City of TidyTown and talk to Cyril, the Chief Executive Officer of TidyTown Council: Over two years ago we decided to improve waste management. A key problem was the amount of recyclable material being sent to landfill and I developed a new waste collection system. We asked residents what they wanted and came up with a great system involving four collections: You asked about why the paper is not in a wheelie bin? The residents did not want too many bins on the street on one day. It would be untidy and take up space for parking. Since not everyone gets newspapers it seemed that if something was going to be on the ground then newspapers would be best. A box of newspapers is also fairly easy to handle. I can easily lift one box with two weeks papers. It s not heavy. Reference: WorkSafe Victoria 2003, Non-Hazardous Waste and Recyclable Materials: Occupational Health and Safety Guidelines for the Collection, Transport and Unloading of Non-Hazardous Waste and Recyclable Materials, WorkSafe Victoria, Melbourne, Garbage Wheelie Bin (every week) for normal household garbage. 2. Recycling Wheelie Bin (every second week) for glass, plastic, aluminium, steel cans, etc. 3. Green Waste Wheelie Bin (every second week). 4. Paper (every second week) in a cardboard box or tied in bundles. The four waste collections are on the same day of the week. A notice explaining the collection of the waste was posted to all TidyTown residents. After we thought up the ideas for the collection system, we invited tenders for collection. The garbage and green-waste collection was awarded to our own waste department. The recycling and paper collections were awarded to PaperMunchers for two years (they have about six months to run). 22 australian SAFETY and compensation council

80 2.2.5 Failure Modes and Effects Analysis Student notes Overview The aim of this exercise is to deepen your understanding of Failure Modes and Effects Analysis (FMEA) through the analysis of a simple hydraulic jack. Learning Outcomes > Understand how to analyse a simply system using FMEA. > Understand how to use FMEA to evaluate proposed changes to a system. > Be aware that although FMEA is a quantitative analysis technique that there is a degree of subjectivity in the interpretation of the system and thus the values applied during the analysis. Activity For the following scenario, > Fill in the FMEA template supplied using the procedure outlined in the FMEA section of the Safe Design Engineering Toolkit. > Recommend corrective actions and indicate to what degree the actions would modify the FMEA ranking. Scenario A portable hydraulic jack has been designed for use in medium-sized engineering tasks such as jacking up large trucks, cranes, etc. A 7.5kW petrol engine has been selected to power the pump which in turn pushes the fluid that extend the hydraulic ram within the jack. The pump is connected to the ram by a wire-reinforced hose. The product development team has identified that a fluid leak is a possible failure mode for the hose. Such a leak would result in the jack not working but if the leak occurred whilst the jack was in use the leak could have more severe consequences in terms of the jack dropping the load it was supporting. Fluid leaks have been caused in the past by poor hose material supplied by vendors. Also, during manufacture, an automated assembly machine has been known to occasionally cut the hose. The team estimates that the likelihood of a poor material is about 5% and a cut about 0.5%. When a hose made from poor material leaks, the jack still works but the load it is supporting gradually lowers. That is, a leak could be considered to be a partial malfunction. When a cut hose leaks, the oil empties onto the ground and the pump is damaged. The oil spill also represents an environmental problem. 50% of the wire-reinforced hose is inspected upon delivery. Cuts in the hose are likely to be detected during manufacture as the assembly machine usually jams if it strikes the hose. (Adapted from Safeware N. Leveson) SAFE DESIGN FOR ENGINEERING STUDENTS 23

81 Blank FMEA template Failure Mode FMEA Template Severity (S) Occurrence (O) Detection (D) Effects S Rating Causes O Rating Control Tests D Rating RPN Recommended Action 24 australian SAFETY and compensation council

82 2.2.6 Event Tree Analysis Student notes Overview The aim of this exercise is to deepen your understanding of Event Tree Analysis (ETA) through the analysis of a simple pumping application. Intended Learning Outcomes > Understand how to qualitatively and quantitatively analyse a simple system using ETA. > Awareness of how ETA enables critical elements of a system to be identified. Activity The facilities for the passenger reservations division of a major airline occupy a 10 story building. The basement of the building contains a backup generator so that 24/7 availability can be maintained even during black-outs. In heavy rain the basement is prone to minor flooding. The basement is protected from flooding by the system shown in Figure 1. Rising flood waters close the float switch S, powering the pump P from an uninterruptible power supply. An Alarm A is also sounded, alerting operators to perform manual pumping using a bilge pump, B, should the automatic pump fail. Correct operation of either of the pumps will effectively keep the basement from flooding. Perform an Event Tree Analysis on the system (S, P, A, B) assuming that water has started to flood into the basement. You can assume the following: > That the power supply to the pump does not need to be included in the analysis. > The failure of the manual pumping system operator error. Given the following probability table, what is the probability that the basement will end up flooded in the event that water flows into the basement? Component Probability of Failure on Demand Automatic Pump (P) 1e-4 Switch (S) 1e-6 Alarm (A) 1e-5 Manual pumping (B) 1e-4 Which element of the system would you improve to gain the greatest improvement with respect to minimising the chance of the basement flooding? Figure 1: Basement pumping system (Adapted from Event Tree Analysis, P.L. Clemens, Feb 2002, Jacobs Sverdrup) SAFE DESIGN FOR ENGINEERING STUDENTS 25

83 2.2.7 Fault Tree Analysis Student notes Overview The aim of this exercise is to deepen your understanding of FTA through the analysis of a simple pumping application. Learning Outcomes > Understand how to qualitatively analyse a simple system using FTA. > Be aware of how FTA enables single points of failure in a system to be identified. Activity The reservations division system for a major airline occupy a 10 story building. The basement of the building contains a backup generator so that 24/7 availability can be maintained even during blackouts. In heavy rain the basement is prone to minor flooding. The basement is protected from flooding by the system shown in Figure 1. Rising flood waters close the float switch S, powering the pump P from an uninterruptible power supply. An Alarm A is also sounded, alerting operators to perform manual pumping using a bilge pump, B, should the automatic pump fail. Correct operation of either of the pumps will effectively keep the basement from flooding. Perform a Fault Tree Analysis on the system to determine the causes of a flooded basement. You can assume that the power supply to the pump does not need to be included in the analysis. Use cut set analysis to determine if there is any single point of failure within the system. Figure 1: Basement pumping system (Adapted from Event Tree Analysis, P.L. Clemens, Feb 2002, Jacobs Sverdrup) 26 australian SAFETY and compensation council

84 2.2.8 Risk CONTROL Student notes Overview A Risk Management problem associated with road safety is presented. This activity is designed to develop the student capabilities associated with Risk Identification and Risk Control. Intended learning outcomes Through completing this activity students will be better able to; > Identify hazard(s) from written scenario. > Assess the risk(s) posed by the identified hazard. > Identify measures that would control the risk(s). > Ability to prioritise risk control options according to the Hierarchy of Control. Activity For the following scenario, > fill in the hazard identification and significance table. > fill in the risk control table. Scenario Bob, driving his car, was in a single-vehicle road accident. The accident occurred on a country road in Victoria at night. The road was relatively straight, flat, horizontal and dry. His car collided with the left hand side of a bridge railing. The bridge railing is approximately fifty years old and made of stone. There are many bridge railings of this type. Bob was nineteen years old at the time and recorded a blood alcohol reading of 0.03%. He suffered major injuries and survived. No other passengers were in the vehicle. (example J. Culvenor 1997) SAFE DESIGN FOR ENGINEERING STUDENTS 27

85 Risk Documentation 1. Identify the hazards and make a judgement about the significance of the risk (major, minor, negligible) No. Hazards Major Minor Negligible 2. Risk Control and type of Control No. Risk control Hierarchy of Control classifier e.g Air bag Engineered Control Reference: Culvenor, J (1997), Breaking the Safety Barrier: Engineering New paradigms in Safety Design, PhD Thesis, University of Ballarat 28 australian SAFETY and compensation council

86 2.2.9 Incident Investigation Student notes Overview This activity is about applying Incident Investigation principles to a motor vehicle crash scenario. It is intended to help students develop their ability to identify the causes of incidents, injuries and diseases through the application of various accident analysis models. By completing this activity, students should be more proficient at recognising hazards, better able to understand there are often multiple causes for any incident and that learning from incidents is the best way to understand the most appropriate preventative measures for the future. Intended learning outcomes > Identify a full range of causal factors using the accident analysis models. > Recognition of precursor factors (work systems; plant and equipment; work environment; people issues; and interactions) that lead to the injury. > Ability to identify measures that would control the risk(s) using the hierarchy of control. Activity 1. Identify the ergonomic factors relevant to the hazard in the following categories: > work environment (the place where work is done); > plant and equipment (physical things); > people (eduction, skills, capacity); and > systems (how things are done). 2. Identify the relevant issues under Hopkins factors: > Physical accident sequence, > Organisation /Company level factors; > Government/regulatory factors; > Societal factors. 3. Determine corrective and preventative actions using the hierarchy of control > elimination; > substitution; > isolation; > engineering; > administration; and > personal protective equipment. SAFE DESIGN FOR ENGINEERING STUDENTS 29

87 Scenario: Work related vehicle crash Many people drive on the public roads for work purposes. The public roads are therefore workplaces. Driving West late in the afternoon in the winter (wet road), the car driver is making the last of a number of parts deliveries using a utility. The vehicle is only about one year old but has neither anti-lock brakes, nor air bags. Imagine a rear end collision with a truck such as shown below. The truck is ironically being used by the same company to distribute its goods nationally. What is the cause of the crash and the injuries that might follow? Following too close? Fatigue? Lack of concentration? Fatigue and lack of concentration might be involved but it is self-evident that the driver ended up too close. Rear end collision Photos: J. Culvenor If we look deeper, perhaps we could examine both vehicles involved? Does the car have the best practicable features to avoid a rear end collision? What might that be anti-lock brakes, maintained brakes and tires, collision avoidance radar? Does the car provide good survivability features such as crush zones, a protected passenger compartment, airbags, etc. How far can the thinking be extended? Why are trucks used for national transport and not rail? The answer to this is what is practicable? It is practicable for a person choosing a fleet vehicle to seek good current standards for vehicles. What about the rear of the truck. Is it designed to provide the best survivability for vehicles that might strike the rear? Examining these issues takes the thinking about the accident and injury causation well beyond the scene on the road. Decision makers thinking about car choices for a fleet, truck designers, and truck fleet owners are just a few who can make a difference through their actions. Rear end collision Photo: J. Culvenor 30 australian SAFETY and compensation council

88 >>>.3 DeSign activities.3.1 Safe DeSign and build Overview The goal of this activity is to give students an opportunity to develop and utilise their Safe Design abilities while undertaking a design and build exercise. It is intended to be used in conjunction with any existing design and build project that is currently used by an engineering educator within their undergraduate engineering course. By broadening the design requirements of the existing project to include safe design it provides an opportunity for educators to introduce a greater degree of real-world constraints to these design and build activities. Intended learning outcomes > Awareness of engineers' responsibilities for safe design. > Ability to identify safety issues and risks. > Ability to integrate safety principles into engineering design. > Ability to understand inter-relationships between safety and other design requirements. > Awareness of the need to consider safety implications in a design activity. Context in which it could be used All Engineering courses are required to develop student design capabilities. This is achieved in a variety of ways, ranging from unstructured problem based activities to integrated design projects. Undergraduate engineering course accreditation (Stage 1 from Engineers Australia) requires students to undertake two or more construction projects and at least one major design project. Many engineering faculties initiate design experiences in the early stages of a course with challenging design and build exercises such as spaghetti bridges, gravity-powered vehicles or website development. In addition, a number of undergraduate design competitions, such as the Weir-Warman competition for Mechanical engineers, are available to encourage students to think creatively and solve problems in an innovative way. These various design-and-build projects can be used to as a mechanism to introduce or reinforce safe design principles and concepts. The following activities can be used to enhance existing design oriented projects to ensure that students develop an awareness of safety issues and ultimately the ability to accept their responsibilities for safe design. The activities have been designed to apply to a wide range of design activities from basic to complex and to be easily integrated into existing subjects and projects. Approach to adding Safe Design to Design and Build Projects This activity is designed to illustrate how safe design concepts can be embedded within a design-and-build project using the tools available in the Safe Design Guide. The intention is not to provide a defi nitive mechanism for embedding safe design within any design and build projects since there is too much diversity in the currently used projects to specify which Safe Design tools are the most appropriate. For example, a project in civil engineering or construction would most likely fi nd the CHAIR guidewords are the most suitable risk identifi cation tool whereas a project in Mechanical Engineering may fi nd the Plant Hazard Checklist the safe design For EnGinEErinG students 31

89 most appropriate. So to illustrate how safe design can be embedded in a design-and-build project, an example project in Mechanical Engineering has been developed as a case study. Indicative Example Introduction to Mechanical and Mechatronic Engineering Into-the-Wind Design-and- Build Project This is an adaptation of a project for a 1st year Mechanical Engineering subject at the University of Technology, Sydney developed by Terry Brown. The following document provides the details for the major design project for this subject. The project is worth a total of 25% of the marks. It is to be done as a group of no less than 3 and no more than 5. The objectives of this project are: > to encourage students to creatively approach a specific problem; > to allow students to experiment with a variety of solutions to a problem; > to encourage teamwork and to allow students to learn from the work of their colleagues; > for students to implement engineering design methodologies to a practical problem; > for students to have some fun learning some engineering fundamentals. As should be quite obvious this project will require consistent effort over a number of weeks. Do not leave everything to the last minute, you won t be able to do it. Scenario The Federal Government s Sustainable Technologies Department is looking to provide funds to support small companies in developing sustainable technologies. They currently have a project that requires a company to design, develop and manufacture several small wind powered vehicles. Companies are invited to design and build one vehicle. The selection of the successful company will be based in part on the performance of the vehicle in a competition between rival companies. Supporting documentation in the form of a design report and the ability of the company design team to explain and demonstrate the strength and weaknesses of their design will also be taken into account in selecting the successful company. The Sustainable Technologies Department will fund each stage of the design process, subject to satisfactory progress, to provide incentive and to help cover the costs of those companies that are eventually eliminated. This project is offered to small companies with a design team of 3-5 engineers. Design task Design and build a vehicle that starts from rest and travels into the wind using the power of the wind as its only source of energy. 500mm 225mm Direction of travel Your vehicle Stop 50mm 395mm 32 australian SAFETY and compensation council

90 Specifications > It has been estimated that the strength of the wind in the location where the vehicles must operate is about the same as that produced by a domestic electric fan set on high speed. > The wind source will be a domestic electric fan with overall dimensions as shown above. > The fan will be set to the highest speed setting. > The vehicle must carry a "payload" across a "track" a distance of 2m. > The vehicle design should maximise the ratio of "payload" (m) to time (t) taken to cover the distance of 2m, i.e. (m/t). > The vehicle should not take longer than 5 minutes to cover the 2m distance. > The "payload" must be a separate entity and easily removed from the vehicle to facilitate weighing but must be wholly contained on or within the vehicle and must travel the full 2m with the vehicle. The vehicle must be operational both with, and without, the payload on board. The competition performance criteria: To carry the heaviest "payload" (m) across a distance of 2m in the least amount of time (t), i.e. the greatest m/t ratio. Safe Design component of the Into-The-Wind Design-and-Build Project The following table is a generic example of the result of applying safe design tools to a typical vehicle that may be expected to be created for the Into-The- Wind Design-and-Build Project. As the project is of a mechanical engineering nature, the Plant Hazard Checklist was used to help identify risks. For each life cycle phase, the keywords that triggered a risk issue are noted. Each risk issue is then examined in more detail and actions to reduce the risk and safeguards to deal with the residual risk are determined. The students could also be requested to produce a short report detailing those aspects of the proposed assessment criteria not evident in the table. In the column under Action, students would be expected to give detailed and specific actions for their own vehicle. > The starting position is 2.5m from the front of the fan. > All parts of the vehicle must start from behind the start line and no part of the vehicle is allowed to be moving before timing begins. > No part of the vehicle may be further than 0.5m behind the start line. > The "track" will be a hard flat surface (MDF board or similar). > The vehicle is to remain in contact with the ground at all times. > Overall dimensions of the vehicle are to remain essentially unchanged throughout the travel. > Any materials may be used in the construction of the vehicle. > No other source of energy may be used to propel the vehicle, eg batteries, pre-compressed or extended springs (or "gentle nudges" by participants). SAFE DESIGN FOR ENGINEERING STUDENTS 33

91 Student Template: Lifecycle Phase Risk Issue Causes(s) Consequence(s) Safeguard(s) Action(s) Develop Concept Design Construct / Manufacture Supply / Install Commission / Use Maintain Decommission Disposal / Recycle 34 australian SAFETY and compensation council

92 >>>. case StUDieS..1 ford pinto case StUDy StUDent notes Overview The scenario used is a classic case that has been infl uential in automotive safety. It contains many of the challenges of engineering design which are still relevant today and which must be addressed if Safe Design is to become a fundamental part of engineering. This discussion oriented activity is designed to explore an Engineers professional responsibilities, ethical frameworks when dealing with issues related to safety and approaches to making decisions about public safety. It recognises that decision-making in engineering can involve ambiguity and differences in opinion. Intended learning outcomes > Awareness of legal and moral professional responsibilities of engineers in relation to safety. > Awareness of Institute of Engineers, Australia Code of Ethics. > Awareness of the use of cost-benefi t analysis for public safety decisions. Activity Read the following scenario and be prepared to answer the discussion points. Scenario In the 1960 s there was strong competition in the American small car market. To be competitive in this market, Ford needed to have a product that had the size and weight of a small car, had a low cost of ownership and clear product superiority. The Ford Pinto went on to become one of the 1970 s best selling cars. The Ford Pinto was designed to meet these criteria. The strict design specifi cations were that the car was to weigh less than 2000 pounds and cost less than $2000. Ford also decided on a short production schedule. Instead of the normal time from conception to production of 43 months for a new model, the Pinto was scheduled for 25 months. Under conditions of reduced product-time to market then tooling up for manufacture which involves making the machines that stamp, press and grind car parts into shape must be done whilst product development is underway rather than after product design. Ford wanted the car in the showrooms with the other 1971 models and tooling had a fi xed timeframe of about 18 months. Investigative journalism by Mother Jones established that; > Ford engineers discovered in pre-production crash tests that rear-end collisions would rupture the Pinto s fuel system extremely easily > Because assembly-line machinery was already tooled when engineers found this defect, top Ford offi cials decided to manufacture the car anyway safe design For EnGinEErinG students 35

93 > For more than eight years afterwards, Ford successfully lobbied against a key government safety standard that would have forced the company to change the Pinto s fire prone gas tank It was concluded by Mother Jones from Pinto accident reports and crash test studies that if you ran into that Pinto you were following at over 30 miles per hour, the rear end of the car would buckle like an accordion, right up to the back seat. The tube leading to the gas-tank cap would be ripped away from the tank itself, and gas would immediately begin sloshing onto the road around the car. The buckled gas tank would be jammed up against the differential housing (that big bulge in the middle of your rear axle), which contains four sharp, protruding bolts likely to gash holes in the tank and spill still more gas. Now all you need is a spark from a cigarette, ignition, or scraping metal, and both cars would be engulfed in flames. If you gave that Pinto a really good whack say, at 40 mph chances are excellent that its doors would jam and you would have to stand by and watch its trapped passengers burn to death An accepted approach by federal Automotive Safety regulators at that time for decision-making was risk/ cost-benefit analysis. Ford applied this method to decide how to treat the fuel tank explosion risk. An internal Ford memo calculated; The cost at the manufacturing stage to fix the problem was $11 per vehicle and the benefit would be no payouts resulting from the fuel tank explosion risk. Benefits > 180 burn death, 180 serious injuries, 2100 burned vehicles > Unit cost: $200,000 per death, $67,000 per injury, $700 per vehicle > Total Benefit (180* $200k) + (180* $67k) + (2100*$700)= $49.5M Risks/Costs > Sales: 11 Million cars, 1.5 Million light trucks > Unit cost: $11 per vehicle > Total cost: (12.5*$11) = $137.5M Ford believed that it was therefore not reasonably practicable to fix the problem during manufacture. It preferred to retain the risk and make payments as required. There were no Standards for withstanding rear end collisions at a specified speed until after The Department of Transportation announced in May 1978 that the Pinto fuel system had a safety related defect. Ford recalled 1.5 million Pintos. The modifications included a longer fuel filler neck and a better clamp to keep it securely in the fuel tank, a better gas cap in some models, and placement of a plastic shield between the front of the fuel tank and the differential to protect the tank from the nuts and bolts on the differential and another along the right corner of the tank to protect it from the right rear shock absorber. The consequences of Ford s actions were significant. Millions of dollars of civil lawsuits were filed against Ford and awarded against the car maker. In 1979 Ford Motor Company was charged with reckless homicide but was acquitted in The Ford Pinto ceased production within months. The damage to the company has been incalculable and it is conservatively estimated there are over 500 burns deaths to people who would not have been seriously injured if the car had not burst into flames. Lee Iacocca, who was the Head Engineer for the project has said The guys who built the Pinto had kids in college who were driving that car. Believe me, nobody sits down and thinks: I m deliberately going to make this car unsafe. Discussion Points 1. Is cost/benefit analysis an appropriate approach for deciding public safety? 2. Should the engineering professions Code of Ethics impose a higher standard than that required by regulatory requirements? 36 australian SAFETY and compensation council

94 3. What would you consider when making a judgement about what was reasonably practicable for Ford to meet its duty of care responsibilities? 4. As a design engineer working on the Ford Pinto, what could you have done to demonstrate your duty of care responsibilities? 5. Designers of Extra-light vehicles face tremendous technical challenges in designing safety into those vehicles. How would you decide what appropriate safety measures are? 6. When other costs have been cut as much as they can, one way to increase revenue is to get products to the market as quickly as possible. This will increasingly be a challenge to implement whilst ensuring there is a thorough and integrated approach to Safe Design. How can this challenge be met? Primary resources for information about this case Mother Jones News Magazine, Pinto Madness by Mark Dowie, Sept/Oct, There is video at the site showing crash testing of the vehicle and other articles. Centre for Auto Safety, search using term, Ford Pinto Lee (1998) The Ford Pinto Case and the Development of Auto Safety Regulations, , Business and Economic History, v27(2). v027n2/p0390-p0401.pdf Mercedes A-Class Case Study Student notes Overview This activity includes a case study of how an automotive manufacturer dealt with a safety issue discovered immediately after the launch of their vehicle. It provides a contrast to the handling of a safety issue in some other vehicles. by other car makers. It explores some of the factors that can be considered when evaluating how safety should be handled during the design of products. Intended learning outcomes > Awareness of professional responsibilities of engineers in relation to safety. > Awareness of the factors which can impact an organisations response to a public safety issue. Activity Read the following scenario and be prepared to answer the discussion points. Scenario Until the 1990 s Mercedes-Benz had focused on the premium car market. They, like BMW, pioneered the use of safety features such as Air Bags, Electronic Braking Systems (EBS), and Electronic Stability Control (ESC). A long history of innovation in motor vehicle safety gave Mercedes- Benz a considerable reputation. Mercedes then decided to enter the small car market. The Mercedes A-Class was a microcar priced cheaper than a VW Golf. Although the A-Class was a cheaper car, Mercedes did not intend to compromise on safety; The car had gone through rigid testing procedures for years (Ihlen, 2002). For example, the engine was installed at an angle such that in the event of a crash, the engine would go under the front passenger. The A-Class underwent extensive testing, including over 400,000 kilometres of testing by a thousand journalists. The A-Class was launched on October but on the October a passenger was injured when the A-Class being driven by a motoring journalist rolled over during an extreme driving manoeuvre known as the Moose Test (also known as the Elk Test). This test, unknown in Germany, is a Nordic test designed to simulated a car swerving at constant speeds (>60 km/h) onto the wrong side of the road and back again in order to avoid a moose. The test is conducted with the car fully loaded with luggage and 4 passengers. The journalist injured was one of a group who had gathered in Tannishus, Denmark to judge the Car of the Year award. The A-Class seemed the obvious choice: no other rival had pushed the design and technical envelope with such bravado SAFE DESIGN FOR ENGINEERING STUDENTS 37

95 and excellence. (Whitworth, 1998). Instead of a prestigious award and the positive publicity that would ensue, the media ran with the Moose Test failure. The extent of this publicity was such that the term Moose Test is now used to represent any stringent test on the quality of a product. Initially, Daimler-Benz defended its Baby Benz saying the company did not think it was necessary to issue a statement just because a car flipped over somewhere. The huge media reaction against the company reportedly with a reputation as the ultimate in German engineering and safety soon forced Daimler to acknowledge that modification was required. (Knight and Pretty, 2000). So despite having no technical evidence that the A-Class was unsafe, quite the contrary based on their own testing, Mercedes halted production. By this stage there were 2,500 A-Class in the hands of owners and a further 15,000 off the production line. Mercedes offered to rework the cars to improve their handling. Apart from changing to larger wheel rims and lower profile tyres, Mercedes took the radical step of installing the Electronic Stability Program (Mercedes-Benz version of ESC) to the A-Class; a most significant upgrade when you consider that ESP was only available as an option on their more expensive models. During the 2 weeks that the modifications took, the 200 owners that took up Mercedes recall offer were given C-Class Mercedes to drive. A-Class production was halted for approximately 12 weeks while the modifications were designed and changes to the production line made. The total cost to Mercedes-Benz to modify the A-Class are estimated to be $150 million. At the re-launch of the A-Class in late January 1998, journalists were unable to make the A-Class rollover. So why did the A-Class fail the elk test? Listen to Ulrich Brunke, chief engineer for the A and C-Class cars and he will tell you that any car, given the right number of turns over the right distance can be made to fall over. The elk test is a violent test for any car to endure (Whitworth, 1998). Discussion Points 1. Compare and contrast the different approaches taken by the manufacturers of Mercedes A-Class, Ford Pinto (Section 2.6.1) and Suzuki Samurai to manage the safety issue in their vehicle. 2. Did Mercedes go beyond its Duty of Care to consumers in recalling the A-Class? 3. What sorts of factors could Mercedes have taken into account when they decided to recall the A- Class car? Primary resources for information about this case Ihlen, O (2002) Defending the Mercedes A- Class: Combining and Changing Crisis-Response Strategies, Journal of Public Relations Research, v14(3): Whitworth, B (1998) Of Moose and Men, Automotive Engineering, April 1998, pp39-42 Breuer, J.J. (1998) Analysis Of Driver-Vehicle- Interactions In An Evasive Manoueuvre Results Of Moosetest Studies, Daimler-Benz AG, Germany, International Technical Conference on the Enhanced Safety of Vehicles (ESV), Paper Number 98-S2-W-35, 98S2W35.PDF Knight, R.F. and Pretty, D. (2000) Brand Risk Management in a Value Context, Templeton Briefing 05, University of Oxford, UK, ISBN: X Rollover Lawsuits, Suzuki Rollover Accidents & Roof Crush Injuries: suzuki_samurai.htm Consumer Reports (1998). Front Lines Auto Safety : What Suzuki could learn from Mercedes, Jan 1998 p10 38 australian SAFETY and compensation council

96 2.4.3 F-111 Deseal/Reseal Case Scenario Student notes Overview This case study is a summary of the events surrounding the F-111 Deseal/Reseal case that were presented at a Board of Inquiry in September The case shows how major safety issues in the workplace can arise from a combination of workplace culture and the use of hazardous materials. While some of the organisational and cultural features of the workplace described here are unique to the military, others are relevant to many other large industrial organisations. It highlights the importance of the need to design effective processes and systems not just products for ensuring safety. It shows the downstream consequences of not addressing safety upstream at a design stage. It recognises that decisionmaking in engineering can involve ambiguity and differences in opinion. Intended learning outcomes > Awareness of hazards 'downstream' due to the design of products. > Understanding of the complexity of designing safe processes. > Appreciation of organisational and cultural factors which impact the effective design and enforcement of safe processes within a workplace. > Ability to identify risk control strategies to deal with hazardous substances. Activity Read the following scenario and be prepared to answer the discussion points. Image: F111.jpg In 1963, the Royal Australian Air Force (RAAF) ordered 24 F-111 aircraft but it was not until 1973 that the aircraft arrived at Amberley Air Force Base. The fuel tanks in the F-111 were designed to be integral to the aircraft s structure and unlike many other aircraft the fuel tanks did not contain an internal bladder but required a sealant for the joints and mating surfaces to prevent leaks. A specially developed sealant that could withstand the environmental conditions arising from supersonic flight was developed. However, fuel leaks were discovered soon after delivery and it became evident that the fuel tanks would need to have the original sealant removed and a new sealant applied. A deseal/reseal program was initiated and the desealant used had potential risks due to its toxicity and very low flash point. There are seven fuel tanks located within the aircraft; in the fuselage ahead of the wings, within the wings, behind the wings and either side of the tail. Consequently, for more than 20 years, the RAAF maintenance personnel have been working in cramped and confined spaces, using highly toxic chemicals to deseal and reseal the fuel tanks of F- 111 aircraft. Although personal protective clothing was provided (gloves, respirators, coveralls), the high temperatures of the tropical climate and the difficulty of working with such restrictions in a confined space led to staff not always using the protective gear that was provided. The personal SAFE DESIGN FOR ENGINEERING STUDENTS 39

97 protective gear was often inadequate with protective gloves dissolving, chemical seepage through coveralls, and inadequate filtration through respirators. This meant that staff were directly exposed to the effects of the hazardous substances with which they worked. Staff reported symptoms of skin rash, gastrointestinal problems, headaches and loss of memory to medical personnel, but because the symptoms were so vague little action was taken. In addition, because the workers absorbed the exceedingly foul smell of the desealant, they were socially ostracised and excluded on the Base from recreational gatherings such as the workers club and the picture theatre. The highly disciplined work culture of the military meant that any workers who complained of the working conditions ran the risk of facing disciplinary procedures and being considered a traitor. It is my belief that the consequence of not undertaking the tasks would be that I might be subject to contact counseling (I would be taken out the back and given a clip under the ear). In 2000, a RAAF Board of Inquiry into the Deseal/ Reseal program was finally constituted and the fuel tank repair program suspended. A large number of personnel have been affected by toxic substances during their tours of maintenance duty. The following narrative of one of the victims captures the human cost of this safety problem. I have skin cancers or solar skin damage on my scalp, forehead, face and arms. I also have claw toes and my left foot bows out I continue to suffer blood pressure problems and hemorrhoids with intermittent bleeding from the bowel. I have a lump on the palm of my left hand and a lump in the throat, which makes it intermittently hard to swallow I have bad breath and my wife is always telling me that I have an awful smell from my body which is not regular body odor. I also get a red rash on my face and suffer from headaches and dizziness I am at times very depressed The Board of Inquiry identified a number of contributory factors and made 53 recommendations to rectify the problems uncovered and to establish a climate of occupational health and safety in the Defence Force. It was noted that in the RAAF, operations almost always take priority over logistics. That means that the aim of a maintenance squadron or wing is to produce serviceable aircraft for use by operational squadrons. The maintenance personnel were under considerable pressure to complete the deseal/ reseal activity in minimum time so that the planes could return to action. Consequently staff worked long hours in confined spaces in claustrophobic protective suits with production schedules that were tight and performed extended duty periods. The discipline of the Defence Forces results in staff who perform commands without questioning. The Board s investigation however revealed numerous incidents of non-compliance by maintenance workers with the safety requirements including that they wear personal protective equipment (PPE) such as goggles, respirator, gloves and coveralls. There was a failure on the part of supervisors to ensure that these regulations were observed. It was recognized that failure to wear PPE was symptomatic of the organisational culture. In a high-pressure environment, problems with the personal protective equipment were brushed aside. Gloves disintegrated within five minutes of contact with the chemicals, but rather than continually interrupting the job to get new ones, people worked with bare hands. When the respirator restricted vision, workers would simply remove it to get the job done. The coveralls that were required as a precaution against damage to the aircraft did not provide workers with protection from fluids. There were requirements that the vapors from the desealant be below exposure and explosion limits. Ventilation was therefore required within the fuel tanks during cleaning, but it was not used due to excess noise and space problems. The Board concluded that without ventilation it was likely that the atmosphere inside the tanks exceeded these limits. People who complained were seen as trouble makers and getting the job done was the goal. The RAAF also did not learn from previous accidents and incidents and did not implement the recommendations of other previous inquiries into its maintenance programs. 40 australian SAFETY and compensation council

98 The chain of command that is an integral part of RAAF culture also worked to inhibit the communication of safety issues upwards. While the top-down model of command ensures that orders are followed without question, Senior Commanders remained unaware of the problems with the deseal/ reseal project because lower ranking officers were reluctant to admit to such a serious safety problem hoping that they could solve it without it coming to the attention of their superiors. Workers who found it difficult to complete the task as prescribed, developed unapproved ways of doing things and the staff training model employed ensured that these inappropriate techniques were then passed on to the next crew. The RAAF also experienced economic restrictions and the number of engineering staff was reduced. In one case a young engineer who had been graduated for three years was placed in charge of 170 maintenance workers. While this officer had several highly experienced, non-commissioned officers reporting to him, because of the complex and involved processes within the deseal/reseal program the engineer had no real understanding of the situation. He assumed the section was being managed competently and that approved procedures were being followed. The Board recognized the engineer was placed in an untenable position and could not effectively supervise subordinates. Engineering expertise was needed to understand the implications of the various parts of the maintenance process as well as to ensure that when workers encounter difficulties an appropriate systemic solution could be reached. But the withdrawal of engineers from site as a cost-cutting measure led to completely inadequate supervision of trade staff. The Board also found that at the Amberley Air Force Base, there was a low priority on industrial medicine as part of safety management. This is significant since it was estimated that in Australia four times as many people die from diseases caused by exposure to hazardous substances in the workplace as die from traumatic injury on the job. When RAAF staff complained of headaches and nausea to the Amberley Medical Section, little action was taken because these symptoms were vague and hard to specifically attribute to a single cause. The Board recognised that despite the knowledge that the workers were using a variety of potentially harmful chemicals, the health care facilities at the Air Force base was organised as a private medical practice with doctors having no qualifications in occupational medicine, no direct knowledge of the working conditions for the affected staff and little incentive to do the extra research to discover the underlying cause of the distress. Since the RAAF is planning to retain the F-111 in service for up to a further twenty years, the fuel tank leaks are problematic. The deseal/reseal issue means their availability for Australia s defence has been compromised. It was estimated in 2001 that in excess of 400 personnel have suffered long-term damage to their health as a result of exposure to chemicals in the various deseal/reseal programs. A major study into the health of those who participated in the program released in 2004 found an association between involvement in the deseal/ reseal programs and a lower quality of life and more common erectile dysfunction, depression, anxiety, and subjective memory impairment. There is also evidence, albeit less compelling, of an association between the program and dermatitis, obstructive lung disease (i.e. bronchitis and emphysema), and neuropsychological deficits. The results of the Board of Inquiry have had far reaching implications for the entire Defence Force and for industry in general. In his response to the Inquiry Report, Air Marshal Houston said My first priority is for the health and welfare of serving and ex-members of the Air Force today s Air Force puts people first Primary resources for information about this case Department of Defence, F-111 Deseal Reseal Board of Inquiry (BOI) website, au/raaf/organisation/info_on/units/f111/ Discussion Points 1. Identify the safety management (risk control) approaches used, their effectiveness and the hazards they targeted. (hint Hierarchy of Control) 2. What were the key design decision that engineers made which impacted on the Deseal/ Reseal safety issue? SAFE DESIGN FOR ENGINEERING STUDENTS 41

99 3. What were the key organisational and cultural factors which lead to the Deseal/Reseal problem? 4. What were the key ethical and regulatory issues and how did they affect the safety problem? (hint Apply the Code of Ethics) 5. General discussion questions to extend and personalise the discussion: > How could a junior Engineer onsite go about being a whistleblower when there was no clear option to resolve the problems through the chain of command? > What issues have you faced when trying to supervise staff when undertaking hazardous work requiring their use of personal protective equipment? > What have we learned about safe engineering design from this scenario? Onsite Safety Activity Students Notes Overview A discussion oriented activity designed to explore an Engineers professional responsibilities and your ethical framework when dealing with issues related to safety. It is designed to explore your value and belief system and how that can impact upon your actions. Intended learning outcomes > Awareness of professional responsibilities of engineers in relation to safety. > Awareness of Engineers, Australia Code of Ethics. Activity Please read the following scenario and then pick a choice of action. Be prepared to discuss why you thought the action chosen was appropriate after considering your own ethics and your professional responsibilities. Scenario You and a fellow student engineer are undertaking part-time work with a tank installation and maintenance service firm. The firm has been contracted to inspect the condition of petroleum storage tanks at 50 sites across New South Wales. The company which owns the fuel supply sites is concerned about environmental liability from leaking fuel due to corrosion of the mild steel casing or welds in the tanks. Their company is proud of its reputation within the industry of being safety conscious and has developed a set of Safety Rules for Contractors which sub-contractors are bound to under the terms of their contract. Your task is to supervise the onsite inspection of the tanks by contract staff employed by the company. These contract staff have a long history of working with your firm and include a licensed gas fitter with over 20 years of experience and his trades assistant. Your immediate supervisor is located at head office. The inspection process requires purging the tank with nitrogen and staff entering the tank through a manhole on the uppermost surface. The inspection comprises searching the tank using torches to locate visually areas of corrosion. On your first day at the Company they gave you and your fellow student engineer a half-day briefing about what you were expected to do onsite. They did not cover much on safety but did mention that there would be some safety equipment onsite in the unlikely chance you needed it. Upon arriving at the site the next day you meet George the gas fitter and his assistant Tom. You also notice various signs around the depot mentioning the Safety Rules for Contractors and Confined Space Entry. You ask George about the safety equipment and what these rules are and he say he does not know but everything has been OK when he has worked at their other depots and that if he had a dollar for every tank he had inspected he would be a rich man. You decide to seek confirmation from Peter your immediate supervisor who is located at head office. He tells you not to worry and that they only hire safety equipment for the dangerous jobs and yours 42 australian SAFETY and compensation council

100 is not one of those. He also says that George is the most experienced contractor they have and to make sure you get through the inspection quickly because they are on a tight budget for the job. You still feel uneasy and ring Gina your fellow student engineer at another site. She says that you are just a bit nervous about supervising staff onsite for the first time and that their first inspection was well underway. Her sub-contractor also told her that safety equipment is not usually needed for these types of jobs. Choice of Action a) Keep on working as directed by your supervisor and try to catch up on lost time. b) Keep on working as directed by your supervisor and decide to have a meeting with your supervisor at the end of the day. c) Refuse to continue working on the site and go back to head office to sort it out. d) Contact the Depot Manager onsite to see if he has a copy of the rules and seek clarification about the safety equipment. e) Try to contact your supervisor s boss, who happens to be a family friend. SAFE DESIGN FOR ENGINEERING STUDENTS 43

101 44 australian SAFETY and compensation council

102 PART 2B: SAFE DESIGN STUDENT ACTIVITIES LECTURE NOTES LECTURE NOTES AN EDUCATIONAL RESOURCE FOR UNDERGRADUATE ENGINEERING STUDENTS

103 >>> part b: Safe DeSign StUDent activities lecturer notes contents.1 introduction 3. guided activities Designer Misconception Construction Hazard Assessment Implementation Review Plant Hazard Checklist Incident Investigation: Waste Collection Failure Modes and Effects Analysis Event Tree Analysis Fault Tree Analysis Risk Control Incident Investigation What is Safe Design? 37.3 DeSign activities Safe Design and Build 39. case StUDieS Ford Pinto Case Study Mercedes A-Class Case Study F-111 Deseal/Reseal Case Onsite Safety Activity 56 safe design For EnGinEErinG students 1

104 australian SAFETY and compensation council

105 >>>.1 introduction.1.1 intended learning outcomes Engineers Australia have specifi ed the types of capabilities that an undergraduate engineer would be expected to have upon entering the workforce as a graduate engineer. These capabilities provide a useful foundation for promoting Safe Design, however there are additional capabilities and their enabling knowledge, skills and attitudes that we believe engineering educators should aspire to develop within their students. By achieving these capabilities we can ensure that Safe Design becomes a fundamental and explicit part of engineering. The following capabilities have been adapted from those articulated in the UK by the Board of Moderators Guideline (Appendix C) learning-hse.com/hse/info_frameset.phtml attitude ability to: > appreciate the ethical view; > recognise that health and safety is integral with all we do; > accept that safety is everyone s responsibility competence Ability to: > be able to implement a basic, systematic risk management process; > communicate safe design; > implement a life-cycle approach in design Knowledge Ability to: > fulfi l legal responsibility, > understand the legal framework, > understand the value of health and safety and its role in the engineering process; > recognise the infl uence of human behaviour; > appreciate the benefits of learning from history. safe design For EnGinEErinG students 3

106 2.1.2 Safe Design Keywords The following are the key concepts, principles and terminology that is needed to be an effective practitioner of Safe Design. > Safe Design Process: Designed product, Designers, Five principles of Safe Design, Human factors. > Lifecycle Framework: Lifecycle concepts and stages. > Legal, Regulatory & Professional Framework: Duty of Care, Reasonably practicable, Due Diligence, Act, Regulation, Code of Practice, Standard, Guidance Note, Code of Ethics. > Risk Management process: Stages in Risk Management process, risk, hazard. > Risk Assessment techniques: Guidewords, Checklists, Failure Mode and Effects Analysis, Event Tree Analysis, Fault Tree Analysis. integrated into disciplinary specific knowledge and applied to an example meaningful to that discipline. In these more complex application contexts different engineering disciplines can use different risk management tools and they often have different design processes. Another challenge is to provide guidelines on the extent to which learning related to the values and attitudes of the students have occurred. The activities that suit developing these types of learning are more likely to be open ended and the appropriate learning outcomes will need to be more thoroughly negotiated with the students and be specific to your learning environment. Examples of these types of teaching and learning activities are those that involve the cases and scenarios and the problem-based activities. The assessment criteria for these activities can follow the generic pattern we include in this resource or alternatively, can be developed to be more specific to the discipline area or be negotiated with the students to meet their own learning objectives. > Risk Control: Hierarchy of Control, Elimination, Substitution, Engineering Control, Administrative Control, Personal Protective Equipment Assessing Safe Design capabilities Providing guidelines on assessing the ability of students to recall and comprehend Safe Design key concepts and terminology is relatively straightforward. Activities which test this knowledge can be highly structured, have clear cut answers and can be universally applied across many of the branches of engineering. Examples of these types of teaching and learning activities are the quizzes and short answer tests that could be developed for the risk assessment techniques. Providing generic guidance on how to assess the extent to which higher order learning has occurred and whether Safe Design capabilities have been developed within students is more difficult. This requires that knowledge, skills and attitudes are australian SAFETY and compensation council

107 >>>. guided activities..1 DeSigner MiSconception instructor notes Overview This activity has been designed to help students develop the ability to identify hazards and risks. Risk identification is based around designer misconceptions that have led to fatalities. Through completing this activity, they will develop a greater understanding of how incorrect assumptions and misconceptions can contribute to unsafe design. Intended learning outcomes > Ability to identify risks/hazards from visual information using the Designer Misconception tool. > Knowledge of common misconceptions that have resulted in poor design. > Understanding of how misconception can lead to poor design. Context in which it could be used This activity can be used as an individual or small group activity. It can also be used as an ice-breaker to get students to explore their own experiences with poorly designed items. This activity could be used in early to mid stage design subjects and communications subjects. It would also be possible to adapt this activity to an online quiz environment by providing multiple choice selection of a subset of the design misconceptions. In the Safety Album (R3 of Resources listed in Part 1) there are lots of links to sites that have extensive databases of images that can be substituted for the images given in this activity. This would allow the instructor to customise the activity for their discipline and context. * toolkit content can be found at section 1.4 of part 1 concepts, principles & tools Resources required (time, handouts) > minutes depending on the extent to which the student s own design and user experiences are explored. > Designer Misconception checklist (Safe Design Engineering Toolkit * 1.4.1). > Students Notes for this example. Suggested Assessment criteria/guidelines No assessment criteria are provided for this activity. Method of presentation Describe the purpose of this activity to the students and distribute a copy of the Student Notes to each student. Alternately you can illustrate the image using a visual projector. 1. Form students into small groups (2-4 students). This activity can also be done by having individuals do the activity and then combine to discuss their opinions. 2. Handout required resources to each group. Electronic copies of the images from the Safety Album may also be used by the instructor to project the images. 3. Get students to work through the designer assumptioner checklist for each image, discuss their opinions and then complete the documentation. 4. Discuss any issues arising. > the difficulty in predicting hazards during design; > what they see as the benefits and limitations of this tool to trigger discussion, identify and document hazards; > importance of visual clues when designing user interface with safety information; and > students own examples of poorly designed items. safe design For EnGinEErinG students 5

108 Solution Image A: Vehicle Dashboard Photograph courtesy of: Scenario given to students You have just hired a car from Los Angeles Airport. This photograph represents part of the dashboard from that vehicle containing the speedometer and tachometer. Documentation from application of Designer Misconception tool Scope Type of misconception What are the assumptions? Under what conditions this assumption could be contradicted? Actions needed Criticality Vehicle Dashboard Need for cues, Wrong-sense interpretation of display. Operator can distinguish between speedometer and tachometer. Driver briefly looking at the dashboard. Driver unfamiliar with the dashboard layout. Change number scale on tachometer (eg 3000 not 30) to give driver more clues it is a tachometer. Low. australian SAFETY and compensation council

109 Image B: Stairway Photo: J. Culvenor Scenario This is an emergency stairway in a hotel. This stairway is used as a permanent access to a swimming pool on the top floor. The stairwell is used many times per day. The stairs are constructed of concrete with a metal railing. Documentation from application of Designer Misconception tool Scope Type of misconception What are the assumptions? Under what conditions this assumption could be contradicted? Actions needed Criticality Stairway Benign condition. Operating conditions have no impact upon the function of the guard rail. Person (especially child) who has wet feet after exiting the pool could slip and fall through the rails. Stairway may not have originally been designed as an access point for a pool. Remove possibility of falling through guard rail by placing extra rails, timber sheet or mesh across the gaps. Medium. SAFE DESIGN FOR ENGINEERING STUDENTS

110 Image C: Road Lighting Photograph courtesy of: Scenario The image is of yellow street lights at night. The arrow points to a different type of light (this is a HINT) Documentation from application of Designer Misconception tool Scope Type of misconception What are the assumptions? Under what conditions this assumption could be contradicted? Actions needed Criticality Road lighting Need for clues. Driver can distinguish between lights used for illuminating the road and traffic lights. At night-time when traffic lights in caution (yellow) they blend into the street lights. Replace street lamp globe with different colors. Medium. australian SAFETY and compensation council

111 2.2. construction Hazard Assessment Implementation Review Instructor Notes Overview This activity should help students develop their ability to identify hazards and risks through using guidewords. By completing this activity, they should be more proficient at recognising hazards and be better able to understand the implications of poor design regarding safety. Through discussion and debate, they should also be developing the ability to conceptualise safer design. Intended learning outcomes > Ability to identify risks/hazards from visual information using the Construction Hazard Assessment Implementation Review tool. > Knowledge of common causes of unsafe design for construction projects. > Ability to use guidewords/checklists as a mechanism for risk/hazard identification. Context in which it could be used This activity can be used as an individual or small group activity. It can also be used as an ice-breaker to get students to explore their own experiences with poorly designed items. This activity could be used in early to mid stage design subjects and communications subjects. It would also be possible to adapt this activity to an online quiz environment by providing multiple choice selection of a subset of the design guidewords. In the Safety Album (R3 of Resources listed in Part 1) there are lots of links to site that have extensive databases of images that can be substituted for the images given in this resource. This would allow the instructor to customise the activity for their discipline and context. Resources required (time, handouts) > minutes depending on the extent to which students own design and user experiences are explored. > Construction Hazard Assessment Implementation Review (Safe Design Engineering Toolkit * 1.4.2) although the guidewords to be used are reproduced in the student notes. > Students Notes for this example. Suggested Assessment criteria/guidelines No assessment criteria are provided for this activity Method of presentation 1. Form students into small groups (2-4 students). This activity can also be done by having individuals do the activity and then combine to discuss their opinions. 2. Handout required resources to each group. Electronic copies of the images from the Safety Album may also be used by the instructor to project the images. 3. Get students to work through the Construction Hazard Assessment Implementation Review guidewords for each image and discuss their opinions and then complete the documentation. 4. Discuss any issues arising: a. The difficulty in predicting hazards during design; b. What they see as the benefits and limitations of this tool to trigger discussion, identify and document hazards; and c. Students own examples of poorly designed items. * Toolkit content can be found at section 1.4 of PART 1 Concepts, Principles & Tools SAFE DESIGN FOR ENGINEERING STUDENTS

112 Solution Image A: Livestock Loading/Unloading Ramp Photos: J Culvenor Image with ramp in hazardous orientation (This image provided to students) Image with ramp in Safe Design orientation (This image not provided in student handout and shows potential design solution) Scenario This wooden structure is used for loading and unloading livestock from semi-trailers into a livestock holding yard. These structures are often located near a public road and on a property boundary. Documentation from Construction Hazard Assessment Implementation Review (CHAIR) Guideword Risk Issue Causes Consequences Safeguards Action Heights/ Depths Interference with powerlines Large vehicle may contact powerlines Injury/ fatality Redesign ramp so it is re-oriented parallel with the road. Truck is now away from road and to the side of the power lines. Position/ Location Loading vehicle may interfere with traffic Long vehicle may protrude Injury/ fatality Warnings As above This example also has broader relevance to designing entrance and exit strategies to work areas. 10 australian SAFETY and compensation council

113 Image B: Air Conditioning Units Photos: J Culvenor Image with air conditioning unit in hazardous location (This image provided to students) Image with air conditioning units in Safe Design location. (This image not provided in student handout and shows potential design solution) Scenario Split systems and other air conditioning systems are a relatively common feature in multi-level buildings. Documentation from Construction Hazard Assessment Implementation Review (CHAIR) Guideword Risk Issue Causes Consequences Safeguards Action Heights/ Depth OR Egress/ Access Injury of maintenance worker Fall Injury/ fatality Warning, Fall restraint Relocate air-conditioning unit to ground level for improved access SAFE DESIGN FOR ENGINEERING STUDENTS 11

114 Image C: Traffic Crossing Point Photos: J Culvenor Image with traffic crossing point in hazardous location (This image provided to students) Image with traffic crossing point in Safe Design location. (This image not provided in student handout and shows potential design solution.) Scenario A common sight on many roads in rural Australia is a stock crossing point used to move livestock from one part of a property to another. Documentation from Construction Hazard Assessment Implementation Review (CHAIR) Guideword Risk Issue Causes Consequences Safeguards Action Egress/ Contact between Animal crossing Injury/ Warning Eliminate interaction between traffic and Access animals & road fatality, loss animals. traffic of life 12 australian SAFETY and compensation council

115 2.2.3 Plant Hazard Checklist Instructor Notes Overview This activity should help students develop their ability to identify hazards and risks through using guidewords. By completing this activity, they should be more proficient at recognising hazards and be better able to understand the implications of poor design regarding safety. Through discussion and debate, they should also be developing the ability to conceptualise safer design. Intended learning outcomes > Ability to identify risks/hazards from visual information using the Plant Hazard checklist. > Knowledge of common causes of unsafe design for plant items. > Ability to use guidewords/checklists as a mechanism for risk/hazard identification. > Use the hierarchy of control to describe risk control options. Context in which it could be used This activity can be used as an individual or small group activity. It can also be used as an ice-breaker to get students to explore their own experiences with poorly designed items. This activity could be used in early to mid stage design subjects and communications subjects. It would also be possible to adapt this activity to an online quiz environment by providing multiple choice selection of a subset of the plant hazard checklist. In the Safety Album (R3 of Resources listed in Part 1) there are lots of links to sites that have extensive databases of images that can be substituted for the images given in this resource. This would allow the instructor to customise the activity for their discipline and context. The hazards covered by the checklist are quite broad and apply to both lifestyle items as well as workplace items. Resources required (time, handouts) > minutes depending on the extent to which student s own design and user experiences are explored. > Plant Hazard checklist (Safe Design Engineering Toolkit * section 1.4.3, summary reproduced in Student notes for this example). > Hierarchy of Control (Safe Design Engineering Toolkit Section 1.4.8, summary reproduced in Student Notes for this example). > Students Notes for this example. Suggested Assessment criteria/guidelines This activity is not assessable. Method of presentation 1. Form students into small groups (2-4 students). This activity can also be done by having individuals do the activity and then combine to discuss their opinions. 2. Handout required resources to each group. Electronic copies of the images from the Safety Album may also be used by the instructor to project the images. 3. Get students to work through the Plant Hazard checklist for each image and discuss their opinions and then complete the documentation for hazard/risk identification and risk control. 4. Discuss any issues arising: a. the difficulty in predicting hazards during design; b. What they see as the benefits and limitations of this tool to trigger discussion, identify and document hazards; and c. Students own examples of poorly designed items. * Toolkit content can be found at section 1.4 of PART 1 Concepts, Principles & Tools SAFE DESIGN FOR ENGINEERING STUDENTS 13

116 Plant Hazard checklist: summary a) Entanglement Can anyone s hair, clothing, gloves, necktie, jewellery, cleaning brushes, rags or other materials become entangled with moving parts of the plant, or materials in motion? b) Crushing Can anyone be crushed due to: material falling off the plant: lack of capacity for the plant to be slowed, stopped or immobilised; parts of the plant collapsing; being thrown off or under the plant; uncontrolled or unexpected movement of the plant or its load; the plant tipping or rolling over; coming in contact with moving parts of the plant during testing, inspection, operation, maintenance, cleaning or repair; being trapped between the plant and materials or fixed structures and other factors not mentioned? c) Cutting, stabbing and puncturing Can anyone be cut, stabbed or punctured due to: coming in contact with sharp or flying objects; coming in contact with moving parts of the plant during testing, inspection, operation, maintenance, cleaning or repair of the plant; the plant, parts of the plant or work pieces disintegrating; work pieces being ejected; the mobility of the plant; uncontrolled or unexpected movement of the plant; other factors not mentioned? d) Shearing Can anyone s body parts be sheared between two parts of the plant, or between a part of the plant and a work piece or structure? e) Friction Can anyone be burnt due to contact with moving parts or surfaces of the plant, or material handled by the plant? f) Striking Can anyone be struck by moving objects due to: uncontrolled or unexpected movement of the plant or material handled by the plant; the plant, parts of the plant or work pieces disintegrating; work pieces being ejected; mobility of the plant; other factors not mentioned? g) High pressure fluid Can anyone come into contact with fluids under high pressure, due to plant failure or misuse of the plant? h) Electrical Can anyone be injured by electrical shock or burnt due to: the plant contacting live electrical conductors; the plant working in close proximity to electrical conductors; overload of electrical circuits; damaged or poorly maintained electrical leads and cables; damaged electrical switches; water near electrical equipment; lack of isolation procedures; other factors not mentioned? i) Explosion Can anyone be injured by explosion of gases, vapours, liquids, dusts or other substances, triggered by the operation of the plant or by material handled by the plant? j) Slipping, tripping and falling Can anyone using the plant, or in the vicinity of the plant, slip, trip or fall due to: uneven or slippery work surfaces; poor housekeeping, eg. wood shavings or metal filings in the vicinity of the plant, spillage not cleaned up; obstacles being placed in the vicinity of the plant; other factors not mentioned? Can anyone fall from a height due to: lack of a proper work platform; lack of proper stairs or ladders; lack of guardrails or other suitable edge protection; unprotected holes, penetrations or gaps; poor floor or walking surfaces, such as the lack of a slip-resistant surface; steep walking surfaces; collapse of the supporting structures; other factors not mentioned? k) Ergonomic Can anyone to be injured due to: poorly designed seating; repetitive body movement; constrained body posture or the need for excessive effort; design deficiency causing mental or psychological stress; inadequate or poorly placed lighting; lack of consideration given to human error or human behaviour; mismatch of the plant with human traits and natural limitations; other factors not mentioned? 14 australian SAFETY and compensation council

117 l) Suffocation Can anyone be suffocated due to lack of oxygen, or atmospheric contamination? m) High temperature or fire Can anyone come into contact with objects at high temperatures? Can anyone be injured by fire? Solution Example A: Tractor Access Photo: J Culvenor (top) and WorkSafe Victoria (bottom) n) Temperature (thermal comfort) Can anyone suffer ill-health due to exposure to high or low temperatures? o) Other hazards Can anyone be injured or suffer ill-health from exposure to: chemicals; noise; toxic gases or vapours; vibration; fumes; radiation; dust; other factors not mentioned? Image with tractor access ladder in hazardous location. (This image provided to students.) Hierarchy of Control Risk Control Options: summary > Elimination Design the hazard out and therefore remove the cause of harm permanently. > Substitution Substitute the hazard by another process or substance that presents a lower risk. > Engineering controls Implement some structural change to the work environment or work process to place a barrier to, or interrupt the transmission path between, the worker and the hazard. > Administrative (procedural) controls Reduce or eliminate exposure to a hazard by adherence to procedures or instructions. > Personal protective equipment Create a barrier between the user and the hazard in the form of clothing or personal equipment. Image with ramp in Safe Design location. (This image not provided in student handout and shows potential design solution.) Example A: Scenario Access to tractors is often positioned between the wheels. Example A: Risk/hazard identified from Plant Hazard checklist b) Crushing Access to tractors can often require the operator to stand in line with the wheels which can lead to tractor run over accidents. Example A: Risk Control Options A design option to eliminate the hazard is to create a platform which fills the space between the wheels and extends the ladder beyond the wheels. This is a design solution to minimise the possibility of a run over. In the image the unit is a dual wheel model, but the safety protection is only adequate for single wheel models. Farmsafe Australia has developed a guideline on Safe Tractor Access Platforms. SAFE DESIGN FOR ENGINEERING STUDENTS 15

118 Example B: Grain Auger Photos: J Culvenor Example B: Risk control options > Use risk substitution by using a belt system rather than a rotating auger (see image). The belt system removes the screw that can amputate and entangle both arms and legs. The belt can present its own hazards and under some circumstances might not be as effective as the screw auger. > Use risk substitution by manufacturing the exposed parts of the screw auger from a material of greater flexibility to minimise the resultant injury from entanglement. Example C: Silo Access Image with unguarded grain auger. (This image provided to students.) Photos: J Culvenor Image with Safe Design option that has a lower risk belt drive substituted for a higher risk auger. (This image not provided in student handout and shows potential design solution.) Example B: Scenario The grain auger is an essential piece of farm equipment which is used to move grain from one location to another. Image with hazardous silo access. Access is often by a ladder up the side of the silo. (This image provided to students.) Example B: Risk/hazard identified from Plant Hazard checklist Sections a, b and d from the list in section of Part 1 Safe Design Engineering Toolkit *. These are: a) Entanglement The operator s body parts or clothing may get entangled between the moving auger and the frame of the auger. b) Crushing & d) Shearing The operator after entanglement may have their body parts crushed or sheared. * Toolkit content can be found at section 1.4 of PART 1 Concepts, Principles & Tools Image with safer guarded silo access. (This image not provided in student handout and shows potential design solution.) 16 australian SAFETY and compensation council

119 Example D: Bench Grinder Example D: Scenario Bench grinders are a commonly used product both at home and in the workplace. Examples of use include shaping metal, sharpening tools, and preparing metal for welding. Example D: Risk/hazard identified from Plant Hazard checklist Image with Safe Design option that has substituted cable operated system (see right of ladder) to remotely operate top cover. Access via ladder is retained for maintenance. (This image not provided in student handout and shows potential design solution.) Example C: Scenario Silos need a system for operating the opening at the top of the structure. Example C: Risk/hazard identified from Plant Hazard checklist j) Slipping, tripping and falling Operator may slip while in transit up the ladder. l) Suffocation Operator may fall in silo. Example C: Risk control options > Eliminate the hazard by designing a remotely operated hatch to open the silo from the ground level, thereby minimising the frequency the operator is required to use a ladder to access the hatch. > Use an engineered control by creating a guard rail to minimise the hazard from operators falling from the ladder during access. (see images above). a) Entanglement > Entanglement may occur from the operator s body parts or clothing coming into contact with the wheel and being drawn in and caught between the rotating and fixed parts of the grinder. This could lead to entanglement as well as friction, shearing and crushing. > Entanglement may occur after uncontrolled and unexpected movement of the grinder resulting from accidental jamming of the workpiece. d) Shearing > Shearing of body parts may occur after entanglement. e) Friction > Friction may occur after entanglement. > Friction may also occur through contact between the operator s body and the wheel. f) Striking > Flying particles may be generated from the workpiece being ground, wear upon the grinding wheel and disintegration of the grinding wheel. > The workpiece may become entangled and then disintegrate and/or be suddenly ejected from the grinder. h) Electrical > Damage to the grinder while in operation causing it to become live. > Incorrect installation or alteration to the grinder or the power supply. > Repair to the grinder without isolating it from the power source. SAFE DESIGN FOR ENGINEERING STUDENTS 17

120 k) Ergonomic > The grinder can be placed on a bench that does not promote safe use of the item. The bench maybe of inappropriate height, and layout. This can lead to operator fatigue, discomfort and psychological stress. > The location of the grinder in the workplace may make it difficult to access and operate or with low security so that unauthorised people may gain access. > Poorly designed or located operator controls (eg on/off switch) can confuse or delay the operator, be accidentally activated or make it difficult to stop the grinder quickly. m) High temperature or fire > Sparks from grinding the workpiece may be a potential ignition source or burn the operator. o) Other hazards > Dust: Airborne particles and dust from grinding may be a hazard if they enter the breathing zone of the operator. > Vibration: Vibration from holding the workpiece against the grinding wheel may cause Vibration White Finger. The vibration can cause a restriction of blood to the extremities, leading to significant pain, numbness or a tingling sensation and permanent injury. Example D: Risk Control Options Engineering Controls > Guard to cover rotating shafts or exposed moving parts. > Design a guard on the grinder to direct sparks towards the floor and away from the operator. > Incorporate a guard to prevent a disintegrating grinding wheel striking the operator. > Ensure design is compliant with relevant electrical standards. Administrative (procedural) Controls Note: if systems of work or operator competency are factors in the control of risk, the designer is required to specify these in information provided by the manufacturer. > Incorporate warnings about safe operating conditions and operations which the grinder may be expected to be used for but for which it has not been designed. > Provide information on safety features and the need for personal protective equipment during operation. > Provide information on the installation, testing, maintenance and cleaning requirements for the safe operation of the grinder. > Provide the procedures considered necessary to carry out repairs, testing, and inspection, maintenance and cleaning to ensure as far as practicable the safety of people undertaking these tasks. > Provide information on training, qualifications, and/or experience necessary for people operating the bench grinder or carrying out inspection or testing, maintenance, cleaning or repair. > Provide information on electrical hazards that may arise from damage to the bench grinder or while repairing, inspecting, maintaining or cleaning the grinder. > Provide information on ergonomic considerations relating to the use, placement and access to the grinder. Personal Protective Equipment > Glasses for protection from flying objects. > Dust mask for protection against airborne particulates. > Gloves for protection against friction and burns. Links WorkSafe Victoria 2003, Roll Over Protection Structure (ROPS): Farm Safety Series, Worksafe, Melbourne, 18 australian SAFETY and compensation council

121 2.2. incident Investigation: Waste Collection Instructor Notes Overview An injury case study is presented, as a set of witness statements. The activity is about the collection of roadside waste and designed to draw out complex issues about occupational safety including the role of work systems, plant and equipment, work environment, and the roles of designers of work systems and equipment. Intended learning outcomes > Ability to document an injury event from a set of witness statements. > Identify precursor factors that lead to the injury: work systems; plant and equipment; work environment; people issues; and interactions. > An ability to recognise the roles of all parties and examine how their decisions affected safety. > Understand the methodology used in an Accident Investigation. > Identify measures that would control the risk(s). Context in which it could be used This activity can be used as an individual or small group activity. This activity could be used in design or management subjects where the significance of human factors upon technology and work system design is stressed. Resources required (time, handouts) > 45 minutes depending on the extent to which students own views are presented to the entire class. > Incident investigation toolkit (Safe Design Engineering Toolkit * section 1.4.9). > Students Notes for this example. Suggested Assessment criteria/guidelines No assessment criteria are provided for this activity Method of presentation Form students into small groups (2-4 students). This activity can also be done by having individuals do the activity and then combine to discuss their opinions. 1. Handout required resources to each group. 2. Get students to read the scenario, brainstorm and then answer the set of questions 3. Discuss any issues arising. Activity 1. Identify all the parties/stakeholders including both individual people and organisations from the scenario. 2. Identify sequence of events for accident 3. Identify contributory factors that could have impacted the accident and management of that accident (Environment, Equipment; Skills and experience; Operating/work system, Ergonomic factors (relationship between people and their environment, equipment etc). A mind map or other graphical tool could be used to show relationships between contributory factors. 4. Identify the design decisions that each of the organisations (City Council, PaperMunchers, Top Trucks) took which may have contributed to the accident. Consider what other options they had which may have reduced the risk to the workers Scenario: an injury while collecting recyclable paper Mo McErgo, WorkSafe Inspector You are Mo McErgo, he is the WorkSafe Inspector. You receive a call during the day on New Year s Eve from a health and safety representative at PaperMunchers, a local company that collects and sorts recycling material (papers, bottles, cans, etc). The health and safety representative says that there was an accident a few days ago when a worker was * Toolkit content can be found at section 1.4 of PART 1 Concepts, Principles & Tools SAFE DESIGN FOR ENGINEERING STUDENTS 19

122 lifting papers to the truck and was nearly struck by a car. The worker was taken by ambulance to hospital after falling on the road. Also, there have been other manual handling injuries. The managers have introduced elastic back belts and the idea of workers looking over each others shoulders for breaches of safety rules is being considered. The workers don t believe these measures solve the problems. Cyril the Director of Waste Services for Tidy Town Council He has been the Director of Waste Services at the Council for five years. Prior to that he worked for the Council designing water, waste and other infrastructure. He is a Civil Engineer by training. As the Director of Waste Services he is responsible for Waste Collection within the Council and engaging contractors to undertake the work through a competitive tender process. He has been contacted by WorkSafe to assist the Accident Investigation team. You visit PaperMunchers You visited PaperMunchers that day and talk with the directors, Ty and Flo. You asked about the recent accident and asked to be taken to the site. You also wanted to speak to the workers and the health and safety representative. Flo took you to where the truck was working. As you arrived the workers were collecting paper. They were collecting from both sides of the road at once. Flo said that they are not meant to work from both sides of the road and that s what caused the accident. Flo said that s typical, I m glad you re here, that s Jay, the health and safety representative. Ty told Jay years ago not to cross the road. Figure 1: Paper Collection by PaperMunchers Photos: J Culvenor 20 australian SAFETY and compensation council

123 You spoke with Flo, Ty, Jay and Trek about the accident and about the work system. You observed the work (as shown in photos) and you also visited the council. Here s what you found out: Trek: On Christmas Eve, I was working with Jo who is off work because of the accident. I was driving the truck as I have a shoulder injury from working in the sorting area. Jo was doing all the lifting work. We were keen to get the run done quickly to spend the afternoon on last minute arrangements for holidays. But we weren t rushing. The accident happened at about 11am. There had been a thunderstorm overnight, the road was wet and slippery, and the paper was wet and heavier than usual. Jo was carrying a large bundle across the road when a car appeared from around a corner. Jo probably didn t hear the car because of the noise of the paper crushing unit. I saw Jo throw the paper toward the hopper and jump behind the truck. I think it was a close call but Jo wasn t hit. The car wasn t driving fast it s just that it is hard to see at the spot where it happened. Jo had fallen on the kerb and complained of a massive headache and a stabbing back pain. The car driver, Lenni stopped and came to help. Luckily Lenni had a mobile and called an ambulance. The radio in the truck has been out of order for three months. They say it s going to be fixed but who knows when. I also used Lenni s mobile to call the office and report the accident. Jay: I was working in the recycling area when the accident happened but I know about this job and I am the health and safety representative. When the job began about 18 months ago I worked with Jo on the truck. We shared the lifting and driving work. It was hard work and our arms and back was usually sore at the end of a run. Flo, one of the bosses, made me move into the sorting area after about one year (six months ago). This was because Trek had a shoulder injury in the recycling area and needed a light job. There are no light jobs in the recycling area. The truck driving is easy enough but because Trek had the injury, Jo had to do all the lifting. That was far too much and I said that to Flo who said there was no choice as the insurance company said a light job was needed. It was really too hard already let alone one person now doing twice as much. I complained also to Ty who then bought everyone elastic back belts. I don t think the back belts really do anything about the problem. After Jo s accident I complained again and said we should call you (WorkSafe) to look at the problems. Ty said no but promised something better would be done. When we came back after Christmas I found out that the new improvement was to be a consultant telling everyone how to watch out for unsafe behaviours. How does that change anything about the huge amount of paper that has to be lifted, and all the bending, and the heat, sunburn, cold, rain, passing cars, sharp objects in the bundles, slippery ground, kerbs to trip over, and so on? That s when I called you. You asked about working on both sides of the road and instruction: When we started, Ty told us about the job. We were meant to drive back and forth along the streets. We did it that way for a couple of weeks but it took a lot of extra time and extra running. We could go home whenever we finished so we did both sides at once. No one ever said anything about it. No one ever asked how we do the work. No one ever came to have a look. Ty: PaperMunchers Pty Ltd is a small family owned business. Flo and I run the business. We formed when the council created the new waste system and we started work on this contract about 18 months ago after buying the trucks and setting up the sorting centre. We collect recycling wheelie bins (cans, bottles, plastic, etc) using trucks with side lifters. Then we sort this material in the sorting centre. We also collect paper but this is done manually. We bought the trucks from Top Trucks Pty Ltd, some with bin lifters for the recycling (cans and bottles) and some with hoppers for hand loading the paper. The bin lifter for recycling is good because there is only a driver and no manual work. We couldn t use that kind of truck for the paper because the council set up the system with the paper on the ground, bundled or in a box. SAFE DESIGN FOR ENGINEERING STUDENTS 21

124 About working on both sides of the road I told Jo and Jay not to do that when they started. I didn t know they were breaking the rules. Jay is the health and safety rep so I figured it would be all under control. When Trek started with Jo, I figured Jo would pass on the instructions on how to do the job. The lifting work is fairly hard so I bought everyone elastic back belts that I saw at an expo. Jo took it off on the day of the accident, perhaps because it was hot. We did have a system of sharing the driving and lifting work. That broke down a little bit because we needed to create a light job. After the accident, I could see that the workers were not working safely. A friend who is a safety advisor at a local manufacturing firm suggested SSAFeTy System (Super Safety Action Friendly Tips System). The idea is that the workers monitor each other s unsafe acts and issue them with friendly reminders when they are doing something dangerous. It s from the USA! I am getting a consultant to come and teach everyone. Flo: Trek worked in the recycling area for about a year and then was off work with a shoulder injury. The insurance company told me to create a light job for him. The recycling jobs are all the same so I thought truck driving would be ok. I had Trek drive the truck with Jo and moved Jay into the sorting area. Jay complained, as usual, about the lifting and that Jo would now need to do it all. But out on the collection they can work at their own pace so if it gets a bit too much for Jo toward the end of the day they can just slow down. I think it worked quite well until the accident. Jo must have been crossing the road. I know Ty told them not to when they started so it s Jo s own fault. You visit the City of TidyTown and talk to Cyril, the Chief Executive Officer of TidyTown Council: Over two years ago we decided to improve waste management. A key problem was the amount of recyclable material being sent to landfill and I developed a new waste collection system. We asked residents what they wanted and came up with a great system involving four collections: 1. Garbage Wheelie Bin (every week) for normal household garbage. 2. Recycling Wheelie Bin (every second week) for glass, plastic, aluminium, steel cans, etc. 3. Green Waste Wheelie Bin (every second week). 4. Paper (every second week) in a cardboard box or tied in bundles. The four waste collections are on the same day of the week. A notice explaining the collection of the waste was posted to all TidyTown residents. After we thought up the ideas for the collection system, we invited tenders for collection. The garbage and green-waste collection was awarded to our own waste department. The recycling and paper collections were awarded to PaperMunchers for two years (they have about six months to run). You asked about why the paper is not in a wheelie bin? The residents did not want too many bins on the street on one day. It would be untidy and take up space for parking. Since not everyone gets newspapers it seemed that if something was going to be on the ground then newspapers would be best. A box of newspapers is also fairly easy to handle. I can easily lift one box with two weeks papers. It s not heavy. Solution Identify all the parties/stakeholders including both individual people and organisations Employers/Employees > Cyril the Chief Executive Officer of Tidy Town City Council which is responsible for Waste collection. > Ty and Flo who are Directors of PaperMunchers the Waste Collection contracting company. > Jay, Jo and Trek who are waste collectors employed by PaperMunchers. Public > Lenni is the car driver who is a member of the public. 22 australian SAFETY and compensation council

125 Plant/System Supplier > TopTrucks (plant designer, manufacturer and supplier). > Back belt supplier (a supplier of plant). > American SSAFeTY System consultant (a supplier of a system). Regulatory roles > Mo the WorkSafe inspector. > Jay is also the Health and Safety representative for PaperMunchers. Identify sequence of events for accident > At 11 am on Christmas Eve the waste collection operators (Jo & Trek from PaperMunchers) were doing a routine collection of waste paper worker (Jo) was manually lifting papers to the truck. > One worker (Jo) was crossing the road with papers and was nearly struck by a motorist (Lenni) who was driving along the road. Jo then fell over and reported massive back ache and stabbing back pain. > Lenni called an ambulance on his mobile phone. > Trek used Lenni s phone to contact his office and report the accident Identify contributory factors that could have impacted on the accident and the management of that accident Environment > Road conditions were wet after a thunderstorm. > Noise from the waste collection truck obscured the noise of the approaching vehicle from the worker. > The layout of the road made it difficult for the driver to see the worker crossing the road. > The worker was carrying a large bundle of papers which may have obscured his vision of the approaching vehicle. Equipment > A back belt which was provided to the worker was not being used. > Emergency radio in the vehicle was out of order. Skills and experience > All operators were experienced in undertaking tasks. Operating/work system > Driving and collection work was normally shared by two people, however due to injury one worker was doing the lifting for the whole shift. > Workers changed the operating procedure of working only one side of the road and then the other (therefore no road crossing) to a system where they drove down a road once and crossed the road to collect waste. > Paper either bundled or in a cardboard box placed on the ground is collected every second week. > Was the car driver operating his vehicle at an appropriate speed for the environmental conditions? > Did the workers compromise their work practices because it was Christmas Eve and they acknowledge they wanted to get the job done quickly. > Little auditing of waste collection work practices used by PaperMunchers. Ergonomic factors (relationship between people and their environment, equipment etc). > Weight of the newspapers newspapers were wet due to the rain and were heavier than usual. > Work posture continual bending and twisting to lift the newspapers off the ground; bundles of newspapers raised above shoulder height to be thrown into the truck; increased distance carrying weight (continually crossing road). > Frequency of lifting this has now doubled, initially the lifting was a shared task, now undertaken by a single worker. > Environmental conditions wet and slippery road and noise from the paper crushing unit. SAFE DESIGN FOR ENGINEERING STUDENTS 23

126 Identify the design decisions that each of the organisations (City Council, PaperMunchers, Top Trucks) took which may have contributed to the accident. Consider what other options they had which may have reduced the risk to the workers. City Council (broad system design of waste collection) Manual collection This is the main problem. Everything (except the sorting injury) stems from the manual collection. The council is the source of this decision. A bin could have been used a bin except for concerns about taking up space on the street. What about collecting the bin on another day? The same bin could even be used (i.e. recycling one week, paper the next, in the same bin). What about a split bin? Hazard assessment of manual collection Once set up should the council have required a hazard management plan for this reasonably dangerous activity? Crossing the road Given there was to be manual collection, could the Council have solved the road crossing problem by having separate sides of roads on separate days (i.e. odds one week, evens the next). There would then be no temptation for a worker to cross the road as there would be nothing to collect. An alternative might be to require residents to move bins across the road (this is actually already done in some narrow streets to avoid reversing manoeuvres where trucks can not turn). PaperMunchers (implement waste collection system and design to some degree) Perhaps should have engaged with council at tender stage regarding manual collection. Might have limited opportunities to change but could perhaps have put in complying tender (manual paper collection) and non-complying (but safer) alternative tender based on a wheelie bin. Back belts are not a solution (see Victoria Code of Practice for Manual Handling ( vic.gov.au) or NIOSH review Back Belts: Do They Prevent Injury, Consider here also the role of the back belt supplier. They are a supplier of plant. What are their duties? Supervision safety rules (crossing the road) were set up but there was no follow up or supervision. There was no follow-up even after the accident. Would this make much difference? Are all the hazards addressed through this measure? Work to finish set up work to finish system and should know this would lead to workers finding the quickest way. Consultation lack of consultation about swapping work positions, introducing back belts, and introducing new safety system. Maintenance Lack of maintenance on the radio. SSAFeTY system PaperMunchers need to ensure supervision regardless of how workers look out for each other. More importantly as Jay suggests the work has many hazards. Hazard management generally. Discuss the need for hazard assessment. What really can supervision (by each other through SSAFeTY system or the employers themselves) really achieve? Even done the ideal way, is the job safe? TopTrucks (equipment designer) Should TopTrucks alert buyers about the serious manual handling hazards associated with a manual load truck? Collecting from one side of the road The manual truck has a rear load hopper. Could Toptrucks design the manual truck as a side load system thereby discouraging collection from both sides of the road. This would also remove the need to stand behind the truck which exposes the worker to a car collision from the rear or possibly being run over if the truck reverses. Noise levels Should TopTrucks design the paper compactor to be as quiet as possible. Is there a designer duty for this and is there a limit? 24 australian SAFETY and compensation council

127 Issues which may arise > Specifying Safety requirements within contracts and the responsibility of Cyril the Director of Waste Services at the Council. > The procurement of services is very important in influencing effective OHS outcomes, incorporating safe design. This is the phase in which a client or customer gives specific directions or imposes particular requirements, which influence the design and construction of the product. While the client does not (in general) carry out design or construction, their requirements may serve to direct the designer, constructor or manufacturer about health and safety issues that need to be addressed. To what extent does Cyril have responsibility for the outcomes in this situation? How can OHS requirements be built into contracts? Links WorkSafe Victoria 2003, Non-Hazardous Waste and Recyclable Materials: Occupational Health and Safety Guidelines for the Collection, Transport and Unloading of Non-Hazardous Waste and Recyclable Materials, WorkSafe Victoria, Melbourne, www. worksafe.vic.gov.au Failure Modes and Effects Analysis Instructor Notes Overview The aim of this exercise is to deepen students understanding of Failure Modes and Effects Analysis (FMEA) through the analysis of a simple hydraulic jack. Learning Outcomes Through completing this activity students will be better able to; > Understand how to analyse a simply system using FMEA. > Understand how to use FMEA to evaluate proposed changes to a system. > Recognise that although FMEA is a quantitative analysis technique that there is a degree of subjectivity in the interpretation of the system and thus the values applied during the analysis. Required Resources > minutes. > Student Notes and FMEA template for each student. > FMEA tool (section from Safe Design Engineering Toolkit * ). Assessment Criteria / Guidelines No assessment criteria are provided for this activity. Method of Presentation Review FMEA based on FMEA toolkit from Safe Design Engineering Toolkit. Key points to highlight: > Each risk is characterised by severity, likelihood, and detectability. > Risk characterisation is resolved to a single number, the risk priority number (RPN) thus enabling risk control to be prioritised. > RPN also provides basis for not treating a risk (ie acceptance of the risk). > Determination of what risks exist is a creative process. Failure to identify a risk means that it will not get analysed in FMEA. The corollary is that FMEA in and of itself cannot guarantee a system is free of risk. > FMEA criteria are designed according to the risk focus. > Classification of criteria categories is somewhat subjective. You cannot compare, in an absolute sense, RPNs from different FMEAs. Students are then to work on their own on doing an FMEA on the scenario. * Toolkit content can be found at section 1.4 of PART 1 Concepts, Principles & Tools SAFE DESIGN FOR ENGINEERING STUDENTS 25

128 Issues students need to resolve when filling in the FMEA. The facilitator can point out that judgements need to be made on these issues: > Which severity ranking to use. The scenario is more customer focussed so the customer satisfaction criteria is the more relevant. If the students decide that someone could be working under the jacked-up object then OHS criteria could be justified. > Which rank to apply given that the description for some of the FMEA criteria cover a range of ranks. Have students form pairs and compare their analysis with each other. Ask them to determine the reason for any difference. This will highlight, to some extent, the subjective nature of interpreting the information presented in the scenario and in the FMEA criteria descriptions. The students now need to use the FMEA to determine which of the risks need to be treated. This raises this question of what is the RPN, under which the risk may be accepted. Explain that this is usually done in advance so that the decision is not biased by the outcomes of the analysis. Raise issue of safety in terms of redundancy. Should not rely on a jack when working under an object. Object should be held up by solid supports; the jack only being used primarily for raising and lowering and only as a backup support. Solutions The FMEA for the existing jack and an FMEA based on the corrective actions listed in the FMEA are included in the tables on the following page. Comments are attached to each of the corrective actions to explain the anticipated effect they will have on the system. * Toolkit content can be found at section 1.4 of PART 1 Concepts, Principles & Tools 26 australian SAFETY and compensation council

129 FMEA for existing jack FMEA Template Severity (S) Occurrence (O) Detection (D) Failure Mode Effects S Rating Causes O Rating Control Tests D Rating RPN Recommended Action Hose leaks Jacking function impaired Hose leaks Oil mess, pump damage 8 Poor hose material 5 50% hose inspected Introduce pressure test for all hose 9 Cut hose 5 None Modify assembly machine to reduce hose damage FMEA Post Corrective Action FMEA Template Severity (S) Occurrence (O) Detection (D) Failure Mode Effects S Rating Causes O Rating Control Tests D Rating RPN Recommended Action Hose leaks Jacking function impaired Hose leaks Oil mess, pump damage 8 Poor hose material 5 50% hose inspected Cut hose 5 None SAFE DESIGN FOR ENGINEERING STUDENTS 27

130 2.2.6 Event Tree Analysis Instructor Notes Overview The aim of this exercise is to deepen your understanding of Event Tree Analysis (ETA) through the analysis of a simple pumping application. Learning Outcomes > Understand how to qualitatively and quantitatively analyse a simply system using ETA. > Awareness of how ETA enables critical elements of a system to be identified. Required Resources > minutes. > Copy of tutorial exercise for each student. > Copy of the ETA tool (section from Safe Design Engineering Toolkit * ). Assessment Criteria / Guidelines No assessment criteria are provided for this activity. Method of Presentation Review Event Tree Analysis (ETA) concepts based on ETA toolkit from section from Safe Design Engineering Toolkit. Key points to highlight at relevant stages of the exercise: > Need to establish sequence of operation for components. With regard to the exercise the pump and alarm will operate simultaneously but in terms of design the pump is primary and the alarm is only of consequence if the pumps fails. > A component s operation is either success or failure. There is no partial success. For example a damaged pump may have sufficient capacity to deal with some floods. ETA cannot handle partial operation. Such a pump is treated as being a failure. > The quantitative analysis component does not consider correlated failures. For example consider the situation where the automatic pump fails due to poor maintenance practices. The likelihood that the manual bilge pump will also fail is higher due to poor maintenance. > This exercise doe not include the phase of system analysis in which the events to be analysed via ETA are identified. Get students to first work on the qualitative ETA. That is the component sequence and the effect of success or failure for each as it flows through. Once the students have individually completed the qualitative ETA task then get then to compile their solutions into a common view so that they have an agreed model. This will allow the students to complete the quantitative probabilistic analysis on the same model. Finally have the students determine a means for identifying the most critical component in the system with regard to improving the likelihood of keeping the basement dry in the event of a flood. This element of the tutorial could be left out to create a shorter tutorial. This tutorial is based on the same scenario as that used for Fault Tree Analysis. An optional exercise if both tutorials are run is to compare the FTA and ETA analyses. This will highlight the ways in which ETA and FTA focus on different aspects of the same system. FTA focuses on the causes for failure. ETA focuses on the likelihood of the system recovering from an undesired event. Activity The reservations division system for a major airline occupy a 10 story building. The basement of the building contains a backup generator so that 24/7 availability can be maintained even during blackouts. In heavy rain the basement is prone to minor flooding. The basement is protected from flooding by the system shown in Figure 1. Rising flood waters close the float switch S, powering the pump P from an uninterruptible power supply. An Alarm A is also sounded, alerting operators to perform manual pumping using a bilge pump, B, should 28 australian SAFETY and compensation council

131 the automatic pump fail. Correct operation of either of the pumps will effectively keep the basement from flooding. Solutions Qualitative ETA Event tree for the basement is shown in Figure 2. Note order of component activation. The switch is first as it controls all bailing procedures. The pump is next as it is the primary solution for flooding. The alarm follows next as it is the first step in the manual pumping process. Upon hearing the alarm operators inspect the basement and if the pump is not working they use the manual bilge pump. Quantitative ETA To determine the likelihood of the basement remaining dry given water flooding in, the paths to success through the event tree need to be identified. These are highlighted in Figure 3. The probability of the system following a give path is the product of the probability associated with each branch. The probability of the basement flooding is the sum of all of the probabilities for each path that leads to flooding. The probability of flooding as a result of water flowing into the basement is P(flood water) = P F = P 1 + P 2 + P 3 = (1-P FS ) * P FP * (1-P FA ) * P FB + (1-P FS ) * P FP * P FA + P FS Note that a useful approximation in many fail-safe type systems is that the probability of failure of any given device is much less than one. Thus (1-P F ) 1. Thus, using the data from the supplied table of probability of failure-on-demand P F = P FP * P FB + P FP * P FA + P FS = P FP * (P FA + P FB ) + P FS = 1e-4 * (1e-5 + 1e-4) + 1e-6 = 1.1e-8 + 1e-6 = 1.011e-6 Showing that the assumption (1-P F 1) produces an answer that is very close to that above can be left as an exercise for the students. System Improvement By inspection the switch is the critical element. Based on the failure-on-demand probabilities provided, the switch is two orders of magnitude The probability of path 1 is: P 1 = (1-P FS ) * P FP * (1-P FA ) * P FB The probability of path 2 is: P 2 = (1-P FS ) * P FP * P FA The probability of path 3 is: P 2 = P FS Figure 1: Basement pumping system (Adapted from Event Tree Analysis, P.L. Clemens, Feb 2002, Jacobs Sverdrup) SAFE DESIGN FOR ENGINEERING STUDENTS 29

132 Figure 2: ETA Analysis of basement flooding Switch S Automatic Pump P Alarm A Manual Bilge B Basement Basement Flooding Closes (1-P FS ) Operates (1-P FS ) Fails P FP Sounds (1-P FA ) Silence P FA Operates (1-P FB ) Fails P FB Dry Dry Flooded Flooded Remains Open P FS Flooded Figure 3: ETA Analysis of basement flooding highlighting paths through the tree that lead to overall success Switch S Automatic Pump P Alarm A Manual Bilge B Basement Basement Flooding Closes (1-P FS ) Operates (1-P FS ) Fails P FP Sounds (1-P FA ) Silence P FA Operates (1-P FB ) Fails P FB 1 2 Dry Dry Flooded Flooded Remains Open P FS 3 Flooded 30 australian SAFETY and compensation council

133 2.2.7 Fault Tree Analysis Instructor Notes Overview The aim of this exercise is to deepen your understanding of Fault Tree Analysis (FTA) through the analysis of a simple pumping application. Intended Learning Outcomes > Understand how to qualitatively analyse a simple system using FTA. > Be aware of how FTA enables single points of failure in a system to be identified. Required Resources > minutes. > Copy of tutorial exercise for each student. > Copy of the FTA tool, section 1.47 from Safe Design Engineering Toolkit *. Assessment Criteria / Guidelines No assessment criteria are provided for this activity. Method of Presentation Review Fault Tree Analysis (FTA) concepts based on FTA toolkit from section 1.47 from Safe Design Engineering Toolkit. Key points to highlight at relevant stages of the exercise: > AND-gate and OR-gate logic. > Impact ORed events have on system failure compare to ANDed events. > This exercise does not include the quantitative aspects of FTA whereby probabilities are assigned to each of the causes thus enabling the prioritisation of corrective actions. > Cut set generation is to be done via inspection. More rigorous techniques exist for the generation of cut sets and these aid correctness. Get students to work on the qualitative FTA. Once the students have completed this consolidate their solutions into a common view so that all are performing the cut-set analysis on the same model. Finally have the students determine if there are any single points of failure. What could be done to improve the system to remove these single points of failure. This tutorial is based on the same scenario as that used for Event Tree Analysis. An optional exercise if both tutorials are run is to compare the FTA and ETA analyses. This will highlight the ways in which ETA and FTA focus on different aspects of the same system. FTA focuses on the causes for failure. ETA focuses on the likelihood of the system recovering from an undesired event. Activity The reservations division system for a major airline occupy a 10 story building. The basement of the building contains a backup generator so that 24/7 availability can be maintained even during blackouts. In heavy rain the basement is prone to minor flooding. The basement is protected from flooding by the system shown in Figure 1. Rising flood waters close the float switch S, powering the pump P from an uninterruptible power supply. An Alarm A is also sounded, alerting operators to perform manual pumping using a bilge pump, B, should the automatic pump fail. Correct operation of either of the pumps will effectively keep the basement from flooding. The cut set elements are: {1, 2} {1, 3, 4} {1, 3, 5, 6} Single points of failure are identified by the cut sets elements containing only two events, the driving event (water present in the basement) and the point of failure. So in this example, the float switch is a single point of failure. * Toolkit content can be found at section 1.4 of PART 1 Concepts, Principles & Tools SAFE DESIGN FOR ENGINEERING STUDENTS 31

134 Figure 1: Basement pumping system (Adapted from Event Tree Analysis, P.L. Clemens, Feb 2002, Jacobs Sverdrup) Solutions Figure 2: FTA Analysis of basement flooding. Note numbers included in independent events to aid listing of the cut set Flooded Basement 1 Water Present in Basement Pump System Not Activated 2 Float Switch Fails to Close Pumping Fails 3 Automatic Pump Fails Manual Pumping Fails 4 Alarm Fails Bildge Pump Fails 5 Bilge Pump Broken 6 Operator Inattentive 32 australian SAFETY and compensation council

135 2.2.8 Risk CONTROL Instructor Notes Overview A Risk Management problem associated with Road Safety is presented. This activity is designed to develop the student capabilities associated with Risk identification and Risk Control. Intended learning outcomes > Identify hazard(s) from written scenario. > Assess the risk(s) posed by the identified hazard. > Identify measures that would control the risk(s). > Prioritise the risk control options according to the Hierarchy of Control Measures Context in which it could be used This activity can be used as an individual or small group activity. This activity could be used in early to mid stage design subjects. This activity has also been adapted in a more limited and closed form to suit a quiz format. Various scenarios can be developed to customise the activity to fit different disciplines and contexts. Resources required (time, handouts) > minutes depending on the extent to which students own views are presented to the entire class. > Hierarchy of Control measures (Safe Design Engineering Toolkit * section 1.4.8). > Students Notes for this example. Suggested Assessment criteria/guidelines No assessment criteria are provided for this activity. Method of presentation 1. Form students into small groups (2-4 students). This activity can also be done by having individuals do the activity and then combine to discuss their opinions. 2. Handout required resources to each group. 3. Get students to read the scenario, brainstorm and then document the hazards and the significance of the identified risks. 4. Get students to brainstorm and then document risk control measures. These should be classified and then prioritised according to the hierarchy of control. This exercise can continue until there is sufficient diversity across the hierarchy of control (i.e. eliminate, substitute etc measures). The instructor can stimulate various categories of controls from the list they are provided. 5. Discuss any issues arising. a. difficulty in categorising various options e.g. warnings; b. the expected effectiveness of the various categories of control options in relation to the example given; c. how effective the proposed new proposed restrictions on young drivers may be; d. the limitations in using the Hierarchy of Control Measures to manage risks. Activity Identify the hazards and make a judgement about the significance of the risk (major, minor, negligible). Scenario Bob, driving his car, was in a single-vehicle road accident. The accident occurred on a country road in Victoria at night. The road was relatively straight, flat, horizontal and dry. His car collided with the left hand side of a bridge railing. The bridge railing is approximately fifty years old and made of stone. There are many bridge railings of this type. Bob was nineteen years old at the time and recorded a blood alcohol reading of 0.03%. He suffered major injuries and survived. No other passengers were in the vehicle. (example J. Culvenor 1997 ) * Toolkit content can be found at section 1.4 of PART 1 Concepts, Principles & Tools SAFE DESIGN FOR ENGINEERING STUDENTS 33

136 Solution Some Risk Control options and their classification according to the hierarchy of control. Listed from the preferred option (eliminate) to least preferred (personal protective). Other transport (Eliminate) Remove bridges (Eliminate) Widen bridge (Substitute) Slow cars (Substitute) Speed humps (Substitute) Traffic islands (Engineering Control) Shock absorbing railing (Engineered Control) Shock absorbing cars (Engineered Control) Air bags (Engineered Control) Ignition link to alcohol level (Administrative) Rumble strips (Administrative) Reflective strips (Administrative) Warning devices in cars (Administrative) Training (Administrative) Alcohol limits (Administrative) Age limits (Administrative) Speed limits (Administrative) Warning signs (Administrative) Helmets (Personal Protective Equipment) (Example: J Culvenor 1997) Reference: Culvenor, J (1997), Breaking the Safety Barrier: Engineering New paradigms in Safety Design, PhD Thesis, University of Ballarat Incident Investigation Instructor Notes Overview This activity is about applying Incident Investigation principles to a motor vehicle crash scenario. It is intended to help students develop their ability to identify the causes of incidents, injuries and diseases through the application of various accident analysis models. By completing this activity, students should be more proficient at recognising hazards, better able to understand there are often multiple causes for any incident and that learning from incidents is the best way to understand the most appropriate preventative measures for the future. Intended learning outcomes > Identify a full range of causal factors using the accident analysis models. > Recognition of precursor factors (work systems; plant and equipment; work environment; people issues; and interactions) that lead to the injury: > Ability to identify measures that would control the risk(s) using the hierarchy of control. Context in which it could be used This activity can be used as an individual or small group activity. This activity could be used in design or management subjects where the significance of human factors upon technology and work system design is stressed. Resources required (time, handouts) > 45 minutes depending on the extent to which students own views are presented to the entire class. > Incident Investigation toolkit (Safe Design Engineering Toolkit * 1.4.9). > Students Notes for this example. * Toolkit content can be found at section 1.4 of PART 1 Concepts, Principles & Tools 34 australian SAFETY and compensation council

137 Suggested Assessment criteria/guidelines No assessment criteria are provided for this activity Method of presentation 1. Form students into small groups (2-4 students). This activity can also be done by having individuals do the activity and then combine to discuss their opinions. 2. Handout required resources to each group. 3. Get students to read the scenario, brainstorm and then answer the set of questions 4. Discuss any issues arising. Activity 1. Identify the ergonomic factors relevant to the hazard in the following categories: > work environment (the place where work is done); Scenario: Work related vehicle crash Many people drive on the public roads for work purposes. The public roads are therefore workplaces. Driving West late in the afternoon in the winter (wet road), the car driver is making the last of a number of parts deliveries using a utility. The vehicle is only about one year old but has neither anti-lock brakes, nor air bags. Imagine a rear end collision with a truck such as shown below. The truck is ironically being used by the same company to distribute its goods nationally. What is the cause of the crash and the injuries that might follow? Following too close? Fatigue? Lack of concentration? Fatigue and lack of concentration might be involved but it is self-evident that the driver ended up too close. Rear end collision Photos: J. Culvenor > plant and equipment (physical things); > people (eduction, skills, capacity); and > systems (how things are done). 2. Identify the relevant issues under Hopkins factors: > Physical accident sequence, > Organisation /Company level factors; > Government/regulatory factors; > Societal factors. 3. Determine corrective and preventative actions using the hierarchy of control (e.g. elimination; substitution; isolation; engineering; administration; and personal protective equipment) SAFE DESIGN FOR ENGINEERING STUDENTS 35

138 If we look deeper, perhaps we could examine both vehicles involved? Does the car have the best practicable features to avoid a rear end collision? What might that be anti-lock brakes, maintained brakes and tires, collision avoidance radar? Does the car provide good survivability features such as crush zones, a protected passenger compartment, airbags, etc. How far can the thinking be extended? Why are trucks used for national transport and not rail? The answer to this is what is practicable? It is practicable for a person choosing a fleet vehicle to seek good current standards for vehicles. What about the rear of the truck. Is it designed to provide the best survivability for vehicles that might strike the rear? Examining these issues takes the thinking about the accident and injury causation well beyond the scene on the road. Decision makers thinking about car choices for a fleet, truck designers, and truck fleet owners are just a few who can make a difference through their actions. Solution 1. Identify the ergonomic factors relevant to the hazard in the following categories: > work environment (the place where work is done); public road, traction of surface, presence of water, drainage issues, weather, sunlight > plant and equipment (physical things); Braking features of car, lack of rear end barrier on truck, could rear end barriers be energy absorbing?, could vehicle radar systems be used to prevent rear-end collisions?, crash ability of car including crush zone, airbags, seat belts, pretensioners, etc. > Government/regulatory factors Lack of specific regulation about passenger vehicle crash standards (tend to rely on consumer pressure/ choice for safety; or the best practicable approach in the OHS setting. Lack of specific regulation about truck safety standards for aggressiveness toward other road users (relying only on best practicable approach in the OHS setting). > Societal factors Demand for goods, transport, tend toward private enterprise (hence trucks versus rail) 3. Determine corrective and preventative actions using the hierarchy of control (e.g. elimination; substitution; isolation; engineering; administration; and personal protective equipment) > Elimination (send goods by rail); > Substitution (safer car e.g. below); > Isolation (remote control vehicles (now done in mining); > Engineering (collision avoidance radar, antilock brakes, airbags; under run barrier; energy absorbing under run barrier, crush zones, a protected passenger compartment); > Administration (work scheduling to avoid fatigue); and > Personal protective equipment (helmet). > people (eduction, skills, capacity); skills of driver, alertness/fatigue > systems (how things are done); work schedules. 2. Identify the relevant issues under Hopkins factors: > Physical accident sequence Driving car, tired, sun in eyes, collide with truck, underrun tray, no airbags. > Organisation/Company level factors Courier company choice of vehicle/features and work schedules. Transport company choice of truck. 36 australian SAFETY and compensation council

139 What is Safe Design? Instructor Notes Overview To develop a shared understanding about the definition and implications of Safe Design. The facilitator picks a target question around which the activity is based. Examples of target statements could be What is Safe Design, What links Safe Design to Engineering, Safety, What is Safe. Intended learning outcomes > Identify the principles and frameworks that underpin Safe Design. Context in which it could be used This activity can be used as a small group activity either in its own right or as a lead into other major activities. It can be used at all stages of the course and can be used to actively engage students with the material in Part 1 of the Safe Design for Engineering Students. Method of presentation 1. Form students into small groups (2-4 students). This activity can also be done by having individuals do the activity and then combine to discuss their opinions. 2. Handout required resources to each group. 3. Get students in each group to read the activity, brainstorm and then document the outcomes. 4. The facilitator can collect responses from each group and create a mind map or list. Activity The facilitator will announce what the target question for the activity will be. On a sheet of paper, write the target word in the middle and circle it. Elicit words and statements from within the group and write them around the circle. Think fast and get as many images, concepts and associations down as you can. You can then either categorise them or connect interlinked concepts with lines. Resources required (time, handouts) > 15 minutes depending on the extent to which students own views are presented to the entire class. > Safety Principles and Safety Framework (section 1.1 and 1.2 of the Safe Design for Engineering Students notes) if relevant to the target question. > Students Notes for this example. Suggested Assessment criteria/guidelines No assessment criteria are provided for this activity. SAFE DESIGN FOR ENGINEERING STUDENTS 37

140 38 australian SAFETY and compensation council

141 >>>.3 DeSign activities.3.1 Safe DeSign and build instructor notes Overview The goal of this activity is to give students an opportunity to develop and utilise their Safe Design abilities while undertaking a design and build exercise. It is intended to be used in conjunction with any existing design and build project that is currently used by an engineering educator within their undergraduate engineering course. By broadening the design requirements of the existing project to include safe design it provides an opportunity for educators to introduce a greater degree of real-world constraints to these design and build activities. Intended learning outcomes > Awareness of engineers' responsibilities for safe design. > Ability to identify safety issues and risks. > Ability to integrate safety principles into engineering design. > Ability to understand inter-relationships between safety and other design requirements. > Awareness of the need to consider safety implications in a design activity. Context in which it could be used All Engineering courses are required to develop student design capabilities. This is achieved in a variety of ways, ranging from unstructured problem based activities to integrated design projects. Undergraduate engineering course accreditation (Stage 1 from Engineers Australia) requires students to undertake two or more construction projects and at least one major design project. Many engineering faculties initiate design experiences in the early stages of a course with challenging design and build exercises such as spaghetti bridges, gravity-powered vehicles or website development. In addition, a number of undergraduate design competitions, such as the Weir-Warman competition for Mechanical engineers, are available to encourage students to think creatively and solve problems in an innovative way. These various design-and-build projects can be used to as a mechanism to introduce or reinforce safe design principles and concepts. The following activities can be used to enhance existing design oriented projects to ensure that students develop an awareness of safety issues and ultimately the ability to accept their responsibilities for safe design. The activities have been designed to apply to a wide range of design activities from basic to complex and to be easily integrated into existing subjects and projects. Approach to adding Safe Design to Design and Build Projects This activity is designed to illustrate how safe design concepts can be embedded within a design-and-build project using the tools available in the Safe Design Guide. The intention is not to provide a defi nitive mechanism for embedding safe design within any design and build projects since there is too much diversity in the currently used projects to specify which Safe Design tools are the most appropriate. For example, a project in civil engineering or construction would most likely fi nd the CHAIR guidewords are the most suitable risk safe design For EnGinEErinG students 3

142 identification tool whereas a project in Mechanical Engineering may find the Plant Hazard Checklist the most appropriate. So to illustrate how safe design can be embedded in a design-and-build project, an example project in Mechanical Engineering has been developed as a case study. The proposed methodology is to take the product lifecycle and consider safety at each phase. All design and build projects will go through the full product lifecycle. While many student projects would be best described as scale models or prototypes, the product lifecycle can still be considered by treating the prototype as an engineered product. Many current design and build projects only focus on the Commission/Use stage of the lifecycle and have developed performance criteria for the project based on that stage only. The material provided in this activity supplements that by adding additional performance criteria to support outcomes related to Safe Design. Therefore educators can chose the emphasis they place on meeting both sets of performance related outcomes through their assessment schemes. There may well be compromises that the student designers will need to make to meet Safe Design outcomes. These may well be some of the same types of challenges they will face when undertaking design activities in professional practice. In the design phase the students would consider the risks arising in each of the lifecycle phases and document the actions they have taken to reduce the risk and safeguards in place to protect against any residual risk. The approach taken in the example provided is to identify risks using one of the risk identification tools and document the overall risk management process using the proforma adapted from the CHAIR process. Resources required (time, handouts) This is context dependent Method of presentation Instructors may choose elements from these activities to suit their individual needs and constraints. Ideally the activities require a briefing component, using Part 1 of this resource, and adapting the lecture slides (Part 2.2) to their specific project or assignment to help students focus on the basic principles of safe engineering design. The activity itself should require an application of safe design principles and the templates and activity sheets provided for this activity should guide this development. The debriefing exercises should consolidate the learning outcomes of the activity, and help students confirm their growing expertise in safe engineering design. The deliverables associated with the safe design aspects of the project are expected to be described in the main project document. Suggested Assessment criteria/guidelines The assessment criteria will vary from project to project, depending on the nature of the project and the level of safe design ability expected. The following assessment criteria could be adapted to suit your specific needs > Understanding of intended operating environment for vehicle testing. > Identification of the risks associated with each lifecycle stage. > Degree to risks were managed through the vehicle design. > Degree to risks were managed via operational procedures during each phase of the product lifecycle. > Appreciation of the impact design changes to improve safety had upon other characteristics, eg performance, cost, ease of construction, etc. > Capability to identify and describe options that would improve safety but were not incorporated in the final design. Indicative Example Introduction to Mechanical and Mechatronic Engineering Into-the-Wind Design-and- Build Project This is an adaptation of a project for a 1st year Mechanical Engineering subject at the University of Technology, Sydney developed by Terry Brown. The following document provides the details for the major design project for this subject. The project is 40 australian SAFETY and compensation council

143 worth a total of 25% of the marks. It is to be done as a group of no less than 3 and no more than 5. The objectives of this project are: > to encourage students to creatively approach a specific problem; > to allow students to experiment with a variety of solutions to a problem; > to encourage teamwork and to allow students to learn from the work of their colleagues; > for students to implement engineering design methodologies to a practical problem; > for students to have some fun learning some engineering fundamentals. As should be quite obvious this project will require consistent effort over a number of weeks. Do not leave everything to the last minute, you won t be able to do it. Scenario The Federal Government s Sustainable Technologies Department is looking to provide funds to support small companies in developing sustainable technologies. They currently have a project that requires a company to design, develop and manufacture several small wind powered vehicles. Companies are invited to design and build one vehicle. The selection of the successful company will be based in part on the performance of the vehicle in a competition between rival companies. Supporting documentation in the form of a design report and the ability of the company design team to explain and demonstrate the strength and weaknesses of their design will also be taken into account in selecting the successful company. The Sustainable Technologies Department will fund each stage of the design process, subject to satisfactory progress, to provide incentive and to help cover the costs of those companies that are eventually eliminated. This project is offered to small companies with a design team of 3-5 engineers. Design task Design and build a vehicle that starts from rest and travels into the wind using the power of the wind as its only source of energy. Specifications > It has been estimated that the strength of the wind in the location where the vehicles must operate is about the same as that produced by a domestic electric fan set on high speed. > The wind source will be a domestic electric fan with overall dimensions as shown above. > The fan will be set to the highest speed setting. > The vehicle must carry a "payload" across a "track" a distance of 2m. > The vehicle design should maximise the ratio of "payload" (m) to time (t) taken to cover the distance of 2m, i.e. (m/t). 500mm 225mm Direction of travel Your vehicle Stop 50mm 395mm SAFE DESIGN FOR ENGINEERING STUDENTS 41

144 > The vehicle should not take longer than 5 minutes to cover the 2m distance. > The payload must be a separate entity and easily removed from the vehicle to facilitate weighing but must be wholly contained on or within the vehicle and must travel the full 2m with the vehicle. The vehicle must be operational both with, and without, the payload on board. > The starting position is 2.5m from the front of the fan. > All parts of the vehicle must start from behind the start line and no part of the vehicle is allowed to be moving before timing begins. > No part of the vehicle may be further than 0.5m behind the start line. > The "track" will be a hard flat surface (MDF board or similar). Safe Design component of the Into-The-Wind Design-and-Build Project The following table is a generic example of the result of applying safe design tools to a typical vehicle that may be expected to be created for the Into-The- Wind Design-and-Build Project. As the project is of a mechanical engineering nature, the Plant Hazard Checklist was used to help identify risks. For each life cycle phase, the keywords that triggered a risk issue are noted. Each risk issue is then examined in more detail and actions to reduce the risk and safeguards to deal with the residual risk are determined. The students could also be requested to produce a short report detailing those aspects of the proposed assessment criteria not evident in the table. In the column under Action, students would be expected to give detailed and specific actions for their own vehicle. > The vehicle is to remain in contact with the ground at all times. > Overall dimensions of the vehicle are to remain essentially unchanged throughout the travel. > Any materials may be used in the construction of the vehicle. > No other source of energy may be used to propel the vehicle, eg batteries, pre-compressed or extended springs (or gentle nudges by participants). The competition performance criteria: To carry the heaviest payload (m) across a distance of 2m in the least amount of time (t), i.e. the greatest m/t ratio. 42 australian SAFETY and compensation council

145 Safe Design Report for Into-the Wind vehicle Lifecycle Phase Risk Issue Causes(s) Consequence(s) Safeguard(s) Action(s) Develop Concept N/A Design N/A Construct / Manufacture Chemicals Glue (Fumes, contact toxicity) Poisoning PPE (Gloves, goggles), Ventilation Minimise use of adhesives eg use fasteners instead. Seek low toxicity glues Dust Fabricate (eg sanding) parts Respiratory problems PPE (dust mask), Ventilation Maximise use of off-the-shelf parts in design Maximise use of off-the-shelf parts in design Cutting, stabbing, puncturing Fabricating parts Bodily injury Use appropriate tool (eg scissors, not knife for cutting cardboard) Electrical Fabricating parts, power tool cuts cord Supply / Install Slip, Trip, Fall Transporting project vehicle to commissioning facility (eg from home to university) Commission / Use Striking, Cutting, Stabbing, and Puncturing Maintain N/A Decommission N/A Disposal / Recycle Cutting, Stabbing, and puncturing Disintegration of moving parts Entanglement Human proximity during operation Breaking vehicle into manageable parts for disposal or recycling Slip, trip, fall Transporting project vehicle to commissioning facility (eg from test area to home or rubbish area) Electrocution Ensure power point protected by RCD, good working environment Bodily injury, damage to vehicle Maximise use of off-the-shelf parts in design Assistance with moving vehicle Choose most suitable form of transport, design vehicle into transportable sub-assemblies Bodily injury Separate test area from audience via space or screen Bodily injury Separate test area from audience via space or screen; operation procedure for fan Minimize potential for projectile motion resulting from part detachment or breakage; eg minimise moving parts, physically enclose moving parts physically enclose moving parts; remote activation of vehicle Bodily injury Personal Protective Protection (PPE) Design for disassembly Bodily injury Design for disassembly SAFE DESIGN FOR ENGINEERING STUDENTS 43

146 44 australian SAFETY and compensation council

147 >>>. case StUDieS..1 ford pinto case StUDy instructor notes Overview The scenario used is a classic case that has been infl uential in automotive safety. It contains many of the challenges of engineering design which are still relevant today and which must be addressed if Safe Design is to become a fundamental part of engineering. This discussion oriented activity is designed to explore an Engineers professional responsibilities, ethical frameworks when dealing with issues related to safety and approaches to making decisions about public safety Intended learning outcomes > Awareness of professional responsibilities of engineers in relation to safety. > Awareness of Institute of Engineers, Australia Code of Ethics. > Awareness of the appropriateness of risk/costbenefi t analysis for public safety decisions. Context in which it could be used Small group activity suitable for extensive discussion. The example is suitable for discussions about ethics, engineering economics and design. Resources required (time, handouts) > minutes depending on the extent to which students own views are presented to the entire class. * toolkit content can be found at section 1.4 of part 1 concepts, principles & tools > Code of Ethics (Safe Design Engineering Toolkit * section ) > Students Notes for this example. Suggested Assessment criteria/guidelines No assessment criteria are provided for this activity. Method of presentation 1. Form students into small groups (2-4 students). This activity can also be done by having individuals do the activity and then combine to discuss their opinions. There are extensive online resources (listed in Student Notes) available on this topic and instructors could get students to do pre-reading prior to class. 2. Handout required resources to each group. 3. Get students to read the scenario 4. Discuss the suggested discussion points and other relevant issues. Scenario In the 1960 s there was strong competition in the American small car market. To be competitive in this market, Ford needed to have a product that had the size and weight of a small car, had a low cost of ownership and clear product superiority. The Ford Pinto went on to become one of the 1970 s best selling cars. The Ford Pinto was designed to meet these criteria. The strict design specifi cations were that the car was to weigh less than 2000 pounds and cost less than $2000. Ford also decided on a short production schedule. Instead of the normal time from conception to production of 43 months for a new model, the Pinto was scheduled for 25 months. safe design For EnGinEErinG students 5

148 Under conditions of reduced product-time to market then tooling up for manufacture which involves making the machines that stamp, press and grind car parts into shape must be done whilst product development is underway rather than after product design. Ford wanted the car in the showrooms with the other 1971 models and tooling had a fixed timeframe of about 18 months. Investigative journalism by Mother Jones established that; > Ford engineers discovered in pre-production crash tests that rear-end collisions would rupture the Pinto s fuel system extremely easily. > Because assembly-line machinery was already tooled when engineers found this defect, top Ford officials decided to manufacture the car anyway. > For more than eight years afterwards, Ford successfully lobbied against a key government safety standard that would have forced the company to change the Pinto s fire prone gas tank. It was concluded by Mother Jones from Pinto accident reports and crash test studies that if you ran into that Pinto you were following at over 30 miles per hour, the rear end of the car would buckle like an accordion, right up to the back seat. The tube leading to the gas-tank cap would be ripped away from the tank itself, and gas would immediately begin sloshing onto the road around the car. The buckled gas tank would be jammed up against the differential housing (that big bulge in the middle of your rear axle), which contains four sharp, protruding bolts likely to gash holes in the tank and spill still more gas. Now all you need is a spark from a cigarette, ignition, or scraping metal, and both cars would be engulfed in flames. If you gave that Pinto a really good whack say, at 40 mph chances are excellent that its doors would jam and you would have to stand by and watch its trapped passengers burn to death. An accepted approach by federal Automotive Safety regulators at that time for decision-making was risk/ cost-benefit analysis. Ford applied this method to decide how to treat the fuel tank explosion risk. An internal Ford memo calculated; The cost at the manufacturing stage to fix the problem was $11 per vehicle and the benefit would be no payouts resulting from the fuel tank explosion risk. Benefits > 180 burn death, 180 serious injuries, 2100 burned vehicles. > Unit cost: $200,000 per death, $67,000 per injury, $700 per vehicle. > Total Benefit (180* $200k) + (180* $67k) + (2100*$700)= $49.5M. Risks/Costs > Sales: 11 Million cars, 1.5 Million light trucks. > Unit cost: $11 per vehicle. > Total cost: (12.5*$11) = $137.5M. Ford appear to have decided that it was not reasonably practicable to fix the problem during manufacture. It preferred to retain the risk and make payments as required. There were no Standards for withstanding rear end collisions at a specified speed until after The Department of Transportation announced in May 1978 that the Pinto fuel system had a safety related defect. Ford recalled 1.5 million Pintos. The modifications included a longer fuel filler neck and a better clamp to keep it securely in the fuel tank, a better gas cap in some models, and placement of a plastic shield between the front of the fuel tank and the differential to protect the tank from the nuts and bolts on the differential and another along the right corner of the tank to protect it from the right rear shock absorber. (Centre for Auto Safety) The consequences of Ford s actions were significant. Millions of dollars of civil lawsuits were filed against Ford and awarded against the car maker. In 1979 Ford Motor Company was charged with reckless homicide but was acquitted in The Ford Pinto ceased production within months. 46 australian SAFETY and compensation council

149 The damage to the company has been incalculable and it is conservatively estimated there are over 500 burns deaths to people who would not have been seriously injured if the car had not burst into flames. Solution 1. Is cost/benefit analysis an appropriate approach for deciding public safety? Ford stated it used a risk/benefit approach because the National Highway Traffic Safety Administration required them to do so. This approach excuses a defendant if the monetary cost of making a production change is greater than the societal benefit of that change. Issues that could be raised in discussion > Risk/Cost-Benefit is based on the premise that decisions which create the greatest utility are the right decision because they lead to an economically efficient use of resources. They require risks/costs and benefits to be specified in monetary terms. They are commonly used by Government agencies to inform their decisionmaking. Whether they should be used to inform rather than determine decisions is an important distinction. Whether its use by Ford in the circumstances surrounding the Pinto is justifiable is central to this question. > Risk/Benefit approach disregards the human rights perspective which contends that humans have basic rights that can never be infringed no matter the circumstances. This approach considers human life a non-economic good and therefore priceless. Some people consider the right to vote and the freedom of speech as basic rights. > Whether all the benefits were fully detailed by Ford. What about the loss of reputation by Ford, the bad publicity, the millions in civil lawsuits that could have happened and the potential product recall. decisions that impact vulnerable and minority members of society. 2. Should the engineering professions Code of Ethics impose a higher standard than that required by regulatory requirements? During product development and crash testing the law did not require Ford to redesign the fuel system. It was only after 1977 the law required the changes. Issues that could be raised in discussion > Whether clear limits can be provided to decisionmakers when guidelines such as Code of Ethics can appear vague compared with regulatory requirements and Standards. > In the Ford reckless homicide case, the jury (as representatives of society) who awarded millions of dollars against Ford clearly expected Ford to have a higher standard of obligation to the public than the law required. > The actions of Ford management (at least one who was an engineer) appear to violate the first and fifth Tenet of the Code of Ethics. 3. As an engineer working on the Ford Pinto, what would you consider when making a judgement about what was reasonably practicable for Ford to meet its duty of care responsibilities? Issues that could be raised in discussion > Appropriateness of using a risk/benefit analysis as the only factor in the decision. > Whether there were other design options available. > Whether the public had been adequately informed of the risks. > Whether the decision-makers at Ford understood the risks inherent in the design. > What societal expectations would be in relation to the issue. > Whether for health and safety issues it may be unwise to make a particular decision even when the benefits do not exceed the costs. Other examples may include pollution issues and SAFE DESIGN FOR ENGINEERING STUDENTS 47

150 4. As a design engineer working on the Ford Pinto, what could you have done to demonstrate your duty of care responsibilities? Issues that could be raised in discussion > Be a whistleblower. Discussion could explore how this could be done. > Provide advice to the decision-makers at Ford about the risks and alternative design options. 5. Designers of Extra-light vehicles face tremendous technical challenges in designing safety into those vehicles. How would you decide what the appropriate safety measures are? Issues that could be raised in discussion > Whether all road vehicles should meet the same minimum level of safety or whether different types of vehicles should be distinguished (e.g. motorcycles, light vehicles etc) that each have different safety standards. > How to effectively inform the public about the increased safety risks associated with certain types of vehicles. 6. When other costs have been cut as much as they can, one way to increase revenue is to get products to the market as quickly as possible. This happened in the Ford Pinto case. This will increasingly be a challenge to implement whilst ensuring there is a thorough and integrated approach to Safe Design. How can this challenge be met? Issues that could be raised in discussion > Could companies more explicitly document how safety issues that arise during product design can be accommodated during the manufacturing process? > Could systematic approaches to Safe Design be built into existing Standards. > If sub-contracting is used to speed up concurrent product development, can contractual obligations be used to specify Safe Design requirements? Mercedes A-Class Case Study Instructor Notes Overview This activity includes a case study of how an automotive manufacturer dealt with a safety issue discovered immediately after the launch of their vehicle. It provides a contrast to the handling of a safety issue in some other vehicles. by other car makers. It explores some of the factors that can be considered when evaluating how safety should be handled during the design of products. Intended learning outcomes > Awareness of professional responsibilities of engineers in relation to safety. > Awareness of the factors which can impact an organisations response to a public safety issue. Context in which it could be used Small group activity suitable for extensive discussion. The example is suitable for discussions about ethics, engineering economics and design. Resources required (time, handouts) > 20 minutes depending on the extent to which students own views are presented to the entire class. > Students Notes for this example. Suggested Assessment criteria/guidelines No assessment criteria are provided for this activity. Method of presentation 1. Form students into small groups (2-4 students). This activity can also be done by having individuals do the activity and then combine to discuss their opinions. There are extensive online resources (listed in Student Notes) available on this topic and instructors could get students to do pre-reading prior to class. 2. Handout required resources to each group. 48 australian SAFETY and compensation council

151 3. Get students to read the scenario. 4. Discuss the suggested discussion points and other relevant issues. Activity Read the following scenario and be prepared to answer the discussion points. Scenario Until the 1990 s Mercedes-Benz had focused on the premium car market. They, like BMW, pioneered the use of safety features such as Air Bags, Electronic Braking Systems (EBS), and Electronic Stability Control (ESC). A long history of innovation in motor vehicle safety gave Mercedes- Benz a considerable reputation. Mercedes then decided to enter the small car market. The Mercedes A-Class was a microcar priced cheaper than a VW Golf. Although the A-Class was a cheaper car, Mercedes did not intend to compromise on safety; The car had gone through rigid testing procedures for years (Ihlen, 2002). For example, the engine was installed at an angle such that in the event of a crash, the engine would go under the front passenger. The A-Class underwent extensive testing, including over 400,000 kilometres of testing by a thousand journalists. The A-Class was launched on October but on the October a passenger was injured when the A-Class being driven by a motoring journalist rolled over during an extreme driving manoeuvre known as the Moose Test (also known as the Elk Test). This test, unknown in Germany, is a Nordic test designed to simulated a car swerving at constant speeds (>60 km/h) onto the wrong side of the road and back again in order to avoid a moose. The test is conducted with the car fully loaded with luggage and 4 passengers. The journalist injured was one of a group who had gathered in Tannishus, Denmark to judge the Car of the Year award. The A-Class seemed the obvious choice: no other rival had pushed the design and technical envelope with such bravado and excellence. (Whitworth, 1998). Instead of a prestigious award and the positive publicity that would ensue, the media ran with the Moose Test failure. The extent of this publicity was such that the term Moose Test is now used to represent any stringent test on the quality of a product. Initially, Daimler-Benz defended its Baby Benz saying the company did not think it was necessary to issue a statement just because a car flipped over somewhere. The huge media reaction against the company reportedly with a reputation as the ultimate in German engineering and safety soon forced Daimler to acknowledge that modification was required. (Knight and Pretty, 2000). So despite having no technical evidence that the A-Class was unsafe, quite the contrary based on their own testing, Mercedes halted production. By this stage there were 2,500 A-Class in the hands of owners and a further 15,000 off the production line. Mercedes offered to rework the cars to improve their handling. Apart from changing to larger wheel rims and lower profile tyres, Mercedes took the radical step of installing the Electronic Stability Program (Mercedes-Benz version of ESC) to the A-Class; a most significant upgrade when you consider that ESP was only available as an option on their more expensive models. During the 2 weeks that the modifications took, the 200 owners that took up Mercedes recall offer were given C-Class Mercedes to drive. A-Class production was halted for approximately 12 weeks while the modifications were designed and changes to the production line made. The total cost to Mercedes-Benz to modify the A-Class are estimated to be $150 million. At the re-launch of the A-Class in late January 1998, journalists were unable to make the A-Class rollover. So why did the A-Class fail the elk test? Listen to Ulrich Brunke, chief engineer for the A and C- Class cars and he will tell you that any car, given the right number of turns over the right distance can be made to fall over. The elk test is a violent test for any car to endure (Whitworth, 1998). SAFE DESIGN FOR ENGINEERING STUDENTS 49

152 Discussion Points 1. Compare and contrast the different approaches taken by the manufacturers of Mercedes A-Class, Ford Pinto (Section 2.6.1) and Suzuki Samurai to manage the safety issue in their vehicle. The Suzuki Samurai was introduced in 1986 and phased out in 1989 due to declining sales and threats of continued litigation as a result of rollover accidents. Then there s Suzuki. The carmaker made news in October, when a St. Louis jury awarded 31 year-old Katie Rodriguez $36.9 million in compensatory and punitive damages after she was paralysed in a rollover accident involving a Suzuki Samurai sport utility vehicle. Documents introduced at the trial showed that Suzuki continued to sell the Samurarai after it learned that the SUV had a stability problem. To date, 213 people have died and 8200 have been injured in Samurai rollovers, Suzuki s trial experts have estimated Consumer Report, Jan 1998). Issues that could be raised in discussion > In the Ford Pinto, a decision during the product testing phase was made not to eliminate the risk of the exploding fuel tank through a design solution. It was decided to manage the risk through litigation. > In the Suzuki case, the product was very shortlived (3 years) due to low sales. Apparently a significant redesign of the chassis was needed to decrease rollover, so a product recall may not have been viable. Suzuki handled the Samurai safety issue through litigation Apparently the rollover risk is well known for Sports Utilility Vehicles. > In the Mercedes A-Class, the safety risk was handled through a product recall and involved a redesign and significant upgrade to the vehicle. The risk was managed through design rather than litigation. 2. Did Mercedes go beyond its Duty of Care to consumers in recalling the A-Class Issues that could be raised in discussion > Exceeded generally acceptable standards > Mercedes appear not to have been aware of the issue. There is no information in the scenario which suggests they were aware of the problem prior to the failure. 3. What sorts of factors could Mercedes have taken into account when they decided to recall the A-Class car? Issues that could be raised in discussion > Regulatory compliance: It appears the A-Class vehicle was thoroughly tested except for a relatively obscure Moose test. > Reputation: Mercedes had already built their reputation on safety. This action would be seen to reinforce rather than undermine that. > Economics: A safety crisis which impacted the Mercedes brand could damage their share price and hence stockholder value. There could potentially have been liability issues into the future. > Brand Risk Management: In particular an association between the Mercedes brand and trust. Factors such as ethics, reliability and stability are important. How Mercedes was perceived to respond to the safety issue was important. > Access to required technology: Mercedes were able to modify the A-Class quite easily using technology already at their disposal and used on their luxury vehicles. Primary resources for information about these cases Ihlen, O (2002) Defending the Mercedes A- Class: Combining and Changing Crisis-Response Strategies, Journal of Public Relations Research, v14(3): Whitworth, B (1998) Of Moose and Men, Automotive Engineering, April 1998, pp australian SAFETY and compensation council

153 Breuer, J.J. (1998) Analysis Of Driver-Vehicle- Interactions In An Evasive Manoueuvre Results Of Moosetest Studies, Daimler-Benz AG, Germany, International Technical Conference on the Enhanced Safety of Vehicles (ESV), Paper Number 98-S2-W-35, 98S2W35.PDF Knight, R.F. and Pretty, D. (2000) Brand Risk Management in a Value Context, Templeton Briefing 05, University of Oxford, UK, ISBN: X Rollover Lawsuits, Suzuki Rollover Accidents & Roof Crush Injuries: suzuki_samurai.htm Consumer Reports (1998). Front Lines Auto Safety: What Suzuki could learn from Mercedes, Jan 1998 p10 Mother Jones News Magazine, Pinto Madness by Mark Dowie, Sept/Oct, There is video at the site showing crash testing of the vehicle and other articles. Centre for Auto Safety, search using term, Ford Pinto Lee (1998) The Ford Pinto Case and the Development of Auto Safety Regulations, , Business and Economic History, v27(2). v027n2/p0390-p0401.pdf F-111 Deseal/Reseal Case Instructor Notes Overview This case study is a summary of the events surrounding the F-111 Deseal/Reseal case that were presented at a Board of Inquiry in September The case shows how major safety issues in the workplace can arise from a combination of workplace culture and the use of hazardous materials. While some of the organisational and cultural features of the workplace described here are unique to the military, others are relevant to many other large industrial organizations. It highlights the importance of the need to design effective processes and systems not just products for ensuring safety. It shows the downstream consequences of not addressing safety upstream at a design stage. It recognises that decisionmaking in engineering can involve ambiguity and differences in opinion. Intended learning outcomes > Awareness of hazards 'downstream' due to the design of products. > Understanding of the complexity of designing safe processes. > Appreciation of organisational and cultural factors which impact the effective design and enforcement of safe processes within a workplace. > Ability to identify risk control strategies to deal with hazardous substances. Context in which it could be used This case has many different aspects that make it particularly applicable for use in engineering subjects that focus on management, professional practice and engineering design and maintenance. Aspects to the problem such as the relationship between financial, organisational and cultural factors with safety, ethics and the downstream implications of engineering design could be explicitly addressed. Resources required (time, handouts) > minutes including reading and discussion time. More time for discussion can certainly be allocated especially for extended discussions involving students relating this case to their experiences in the workplace. > Student Notes and Discussion Questions provided for this case. Method of presentation The case can be approached in several ways. Out of session preparation Appoint a discussion leader or leaders prior to the session whose task is to thoroughly research the case by reviewing the suggested website in addition SAFE DESIGN FOR ENGINEERING STUDENTS 51

154 to reading the notes provided prior to the class discussion. The role of this leader is to encourage discussion of colleagues based on this scenario and to prepare and present a more extensive summary report to the whole class. In session preparation During class, students can read the case narrative and in groups of 4-5 discuss the questions supplied. A reporter within each group can be appointed to sum up the group s discussion to the whole class. Each group could sequentially do each discussion question or each group could do a different question. Suggested Assessment criteria/guidelines The purpose of this case study was to raise student awareness of safe design principles and the impact of the downstream workplaces upon the safety of designed items. No assessment criteria have been developed for this case study. Educators seeking to assess student learning from this activity could develop criteria relating to the depth of understanding students show during classroom discussion or a written report where the number of pertinent points raised for each of the discussion questions is assessed. Some relevant issues are highlighted in the Solution section. By restricting the ability of students to research the case out of class, educators can better assess their ability to identify issues from limited data. Scenario Image: F111.jpg In 1963, the Royal Australian Air Force (RAAF) ordered 24 F-111 aircraft but it was not until 1973 that the aircraft arrived at Amberley Air Force Base. The fuel tanks in the F-111 were designed to be integral to the aircraft s structure and unlike many other aircraft the fuel tanks did not contain an internal bladder but required a sealant for the joints and mating surfaces to prevent leaks. A specially developed sealant that could withstand the environmental conditions arising from supersonic flight was developed. However, fuel leaks were discovered soon after delivery and it became evident that the fuel tanks would need to have the original sealant removed and a new sealant applied. A deseal/reseal program was initiated, however the desealant used had potential risks due to its toxicity and very low flash point. There are seven fuel tanks located within the aircraft; in the fuselage ahead of the wings, within the wings, behind the wings and either side of the tail. Consequently, for more than 20 years, the RAAF maintenance personnel have been working in cramped and confined spaces, using highly toxic chemicals to deseal and reseal the fuel tanks of F- 111 aircraft. Although personal protective clothing was provided (gloves, respirators, coveralls), the high temperatures of the tropical climate and the difficulty of working with such restrictions in a confined space led to staff not always using the protective gear that was provided. The personal protective gear was often inadequate with protective gloves dissolving, chemical seepage through coveralls, and inadequate filtration through respirators. This meant that staff were directly exposed to the effects of the hazardous substances with which they worked. Staff reported symptoms of skin rash, gastrointestinal problems, headaches and loss of memory to medical personnel, but because the symptoms were so vague little action was taken. In addition, because the workers absorbed the exceedingly foul smell of the desealant, they were socially ostracised and excluded on the Base from recreational gatherings such as the workers club and the picture theatre. The highly disciplined work culture of the military meant that any workers who complained of the working conditions ran the risk of facing disciplinary procedures and being considered a traitor. 52 australian SAFETY and compensation council

155 It is my belief that the consequence of not undertaking the tasks would be that I might be subject to contact counseling ( I would be taken out the back and given a clip under the ear). In 2000, a RAAF Board of Inquiry into the Deseal/ Reseal program was finally constituted and the fuel tank repair program suspended. A large number of personnel have been affected by toxic substances during their tours of maintenance duty. The following narrative of one of the victims captures the human cost of this safety problem. I have skin cancers or solar skin damage on my scalp, forehead, face and arms. I also have claw toes and my left foot bows out I continue to suffer blood pressure problems and hemorrhoids with intermittent bleeding from the bowel. I have a lump on the palm of my left hand and a lump in the throat, which makes it intermittently hard to swallow I have bad breath and my wife is always telling me that I have an awful smell from my body which is not regular body odor. I also get a red rash on my face and suffer from headaches and dizziness I am at times very depressed The Board of Inquiry identified a number of contributory factors and made 53 recommendations to rectify the problems uncovered and to establish a climate of occupational health and safety in the Defence Force. It was noted that in the RAAF, operations almost always take priority over logistics. That means that the aim of a maintenance squadron or wing is to produce serviceable aircraft for use by operational squadrons. The maintenance personnel were under considerable pressure to complete the deseal/ reseal activity in minimum time so that the planes could return to action. Consequently staff worked long hours in confined spaces, in claustrophobic protective suits, with production schedules that were tight and performed extended duty periods. The discipline of the Defence Forces results in staff who perform commands without questioning. The Board s investigation however revealed numerous incidents of non-compliance by maintenance workers with the safety requirements including that they wear personal protective equipment (PPE) such as goggles, respirator, gloves and coveralls. There was a failure on the part of supervisors to ensure that these regulations were observed. It was recognized that failure to wear PPE was symptomatic of the organisational culture. In a high-pressure environment, problems with the personal protective equipment were brushed aside. Gloves disintegrated within five minutes of contact with the chemicals, but rather than continually interrupting the job to get new ones, people worked with bare hands. When the respirator restricted vision, workers would simply remove it to get the job done. The coveralls that were required as a precaution against damage to the aircraft did not provide workers with protection from fluids. There were requirements that the vapors from the desealant be below exposure and explosion limits. Ventilation was therefore required within the fuel tanks during cleaning, but it was not used due to excess noise and space problems. The Board concluded that without ventilation it was likely that the atmosphere inside the tanks exceeded these limits. People who complained were seen as trouble makers and getting the job done was the goal. The RAAF also did not learn from previous accidents and incidents and did not implement the recommendations of other previous inquiries into its maintenance programs. The chain of command that is an integral part of RAAF culture also worked to inhibit the communication of safety issues upwards. While the top-down model of command ensures that orders are followed without question, Senior Commanders remained unaware of the problems with the deseal/ reseal project because lower ranking officers were reluctant to admit to such a serious safety problem hoping that they could solve it without it coming to the attention of their superiors. Workers who found it difficult to complete the task as prescribed, developed unapproved ways of doing things and the staff training model employed ensured that these inappropriate techniques were then passed on to the next crew. The RAAF also experienced economic restrictions and the number of engineering staff was reduced. SAFE DESIGN FOR ENGINEERING STUDENTS 53

156 In one case a young engineer who had been graduated for three years was placed in charge of 170 maintenance workers. While this officer had several highly experienced, non-commissioned officers reporting to him, because of the complex and involved processes within the deseal/reseal program the engineer had no real understanding of the situation. He assumed the section was being managed competently and that approved procedures were being followed. The Board recognized the engineer was placed in an untenable position and could not effectively supervise subordinates. Engineering expertise was needed to understand the implications of the various parts of the maintenance process as well as to ensure that when workers encounter difficulties an appropriate systemic solution could be reached. But the withdrawal of engineers from site as a cost-cutting measure led to completely inadequate supervision of trade staff. The Board also found that at the Amberley Air Force Base, there was a low priority on industrial medicine as part of safety management. This is significant since it was estimated that in Australia four times as many people die from diseases caused by exposure to hazardous substances in the workplace as die from traumatic injury on the job. When RAAF staff complained of headaches and nausea to the Amberley Medical Section, little action was taken because these symptoms were vague and hard to specifically attribute to a single cause. The Board recognised that despite the knowledge the workers were using a variety of potentially harmful chemicals, the health care facilities at the Air Force base was organised as a private medical practice with doctors having no qualifications in occupational medicine, no direct knowledge of the working conditions for the affected staff and little incentive to do the extra research to discover the underlying cause of the distress. Since the RAAF is planning to retain the F-111 in service for up to a further twenty years, the fuel tank leaks are problematic. The deseal/reseal issue means their availability for Australia s defence has been compromised. It was estimated in 2001 that in excess of 400 personnel have suffered long-term damage to their health as a result of exposure to chemicals in the various deseal/reseal programs. A major study into the health of those who participated in the program released in 2004 found an association between involvement in the deseal/ reseal programs and a lower quality of life and more common erectile dysfunction, depression, anxiety, and subjective memory impairment. There is also evidence, albeit less compelling, of an association between the program and dermatitis, obstructive lung disease (i.e. bronchitis and emphysema), and neuropsychological deficits. The results of the Board of Inquiry have had far reaching implications for the entire Defence Force and for industry in general. In his response to the Inquiry Report, Air Marshal Houston said My first priority is for the health and welfare of serving and ex-members of the Air Force today s Air Force puts people first Primary resources for information about this case Department of Defence, F-111 Deseal Reseal Board of Inquiry (BOI) website, units/f111/ Discussion Points: Solution 1. Identify the safety management (risk control) approaches used, their effectiveness and the hazards they targeted. (hint Hierarchy of Control) Issues that could be considered include > Engineering Control: Ventilation of confined spaces was required. However this was often not done due to noise problems and the restrictions it placed on space within the service area. > Administrative Control: Limits were set on the atmospheric concentrations allowed for the desealant to prevent exposure and explosions. These limits did not appear to be monitored. > Personal Protective Equipment: - Goggles, often removed due to vision problems. 54 australian SAFETY and compensation council

157 - Overalls, these were permeable to the desealant and therefore ineffective. - Gloves: these would dissolve and were therefore often not worn. - Respirators; inadequate filtration and they blocked vision so they were often removed. > Amberley Medical Facility: This facility was designed to deal with injuries but it was ineffective in monitoring and treating the health impacts from the Deseal/Reseal program. 2. What were the key design decision that engineers made which impacted on the Deseal/ Reseal safety issue? Issues that could be considered include > Design of fuel tanks required a sealant. Engineers could have designed the tank to use a bladder and therefore not need a sealant. > Location of fuel tanks in locations that had limited maintenance access. Recognising that the design of the fuel tank was untested technology, the design engineers could have managed the risk better by recognising maintenance may be involved and designed safer access to the fuel tank access or easier tank removal. > Choice of untested sealant. The tank design required a sealant that had to be specially developed. The Board of Inquiry heard that any chemist would have known that the sealant would be unsatisfactory just by knowing its composition. > Choice of a hazardous desealant. If the engineers involved in designing the deseal/reseal program were required to consider the toxicity of the desealant rather than just its performance they may have chosen an alternative that was not as effective chemically but still satisfactory and therefore was a lower risk. 3. What were the key organisational and cultural factors which lead to the Deseal/Reseal problem? Issues that could be considered include > Poor communication upwards about safety issues. The Board recognised that bad news does not move easily up organisational hierarchies. Only issues that could not be rectified at the level below were bought up the level of command. Safety issues stayed at the lower levels and did not get high enough up the level of command to change. > Poor communication of safe work practices. There were no specified induction procedures and so staff learnt from others on the job. These work practices comprised safety. > Inadequate training of junior engineers. To effectively supervise staff, a supervisor (e.g. junior engineer) needs to understand the consequences of incorrect work practices. In this case the engineer should have an understanding of the symptoms of chemical exposure and conditions likely to lead to explosions. > Valuing of equipment over personnel. The priority was to have the planes ready for operation rather than ensuring worker safety during maintenance. > Inadequate monitoring and reviewing of the engineering maintenance process by senior staff. There were inadequate ways of reporting occupational hazards in the workplace. The Medical Facility did not perform this role. > Learning from history. Recommendations from earlier RAAF reports related to these issues were not incorporated into the Reseal/Deseal program. > Design of maintenance program. If a longer period for servicing was allowed then the fuel tanks could have been removed from the aircraft and then disassembled therefore avoiding confined space issues. * Toolkit content can be found at section 1.4 of PART 1 Concepts, Principles & Tools SAFE DESIGN FOR ENGINEERING STUDENTS 55

158 4. What were the key ethical and regulatory issues and how did they affect the safety problem? (hint Apply the Code of Ethics) Issues that could be considered include > To what extent the junior engineer had a responsibility to act under the ethic responsibilities of an engineer. There are at least three tenets of the Engineers Australia Code of Ethic which are relevant. Members shall at all times place their responsibility for the welfare, health and safety of the community before their responsibility to sectional or private interests, or to other members; Members shall offer services, or advise on or undertake engineering assignments, only in areas of their competence and shall practise in a careful and diligent manner; Members shall take all reasonable steps to inform themselves, their clients and employers and the community of the social and environmental consequences of the actions and projects in which they are involved; > To what extent did the junior engineer exercise their Duty of Care responsibilities under the Occupational Health and Safety Acts. What would constitute reasonably practicable in this situation? Duty of care requires everything reasonably practicable to be done to protect the health and safety of others. Duty of care places into a legal form what is a natural moral duty to anticipate possible causes of injury and to do everything practicable to remove or minimise these hazards. > To what extent did the junior engineer breach their responsibility under supervising staff who are working in confined spaces? > Were the senior staff with greater supervisory responsibility more liable for compromising worker safety than the junior engineer directly supervising them? 5. General discussion questions to extend and personalise the discussion > How could a junior engineer onsite go about being a whistleblower when there was no clear option to resolve the problems through the chain of command? > What issues have you faced when trying to supervise staff when undertaking hazardous work requiring their use of personal protective equipment? > What have we learned about safe engineering design from this scenario? Onsite Safety Activity Instructor Notes Overview A discussion oriented activity designed to explore an Engineers professional responsibilities and your ethical framework when dealing with issues related to safety. It is designed to explore your value and belief system and how that can impact upon your actions. Intended learning outcomes > Awareness of professional responsibilities of engineers in relation to safety. > Awareness of Engineers Australia Code of Ethics. Context in which it could be used Small group activity suitable for extensive discussion. This can also be used as an ice-breaker to get students to explore their own experiences with workplace practices concerning safety. This activity could be used in subjects where ethics, safety or communication are covered. Resources required (time, handouts) > minutes depending on the extent to which students own views are presented to the entire class. 56 australian SAFETY and compensation council

159 > Engineers Australia Code of Ethics (Safe Design Engineering Toolkit * section ). > Students Notes for this example. Suggested Assessment criteria/guidelines No assessment criteria are provided for this activity. Method of presentation 1. Form students into small groups (2-4 students). This activity can also be done by having individuals do the activity and then combine to discuss their opinions. 2. Handout required resources to each group. 3. Get students to read the scenario. 4. Discuss the suggested discussion points and other relevant issues. Scenario You and a fellow student engineer are undertaking part-time work with a tank installation and maintenance service firm. The firm has been contracted to inspect the condition of petroleum storage tanks at 50 sites across New South Wales. The company which owns the fuel supply sites is concerned about environmental liability from leaking fuel due to corrosion of the mild steel casing or welds in the tanks. Their company is proud of its reputation within the industry of being safety conscious and has developed a set of Safety Rules for Contractors which sub-contractors are bound to under the terms of their contract. Your task is to supervise the onsite inspection of the tanks by contract staff employed by the company. These contract staff have a long history of working with your firm and include a licensed gas fitter with over 20 years of experience and his trades assistant. Your immediate supervisor is located at head office. The inspection process requires purging the tank with nitrogen and staff entering the tank through a manhole on the uppermost surface. The inspection comprises searching the tank using torches to locate visually areas of corrosion. On your first day at the Company they gave you and your fellow student engineer a half-day briefing about what you were expected to do onsite. They did not cover much on safety but did mention that there would be some safety equipment onsite in the unlikely chance you needed it. Upon arriving at the site the next day you meet George the gas fitter and his assistant Tom. You also notice various signs around the depot mentioning the Safety Rules for Contractors and Confined Space Entry. You ask George about the safety equipment and what these rules are and he say he does not know but everything has been OK when he has worked at their other depots and that if he had a dollar for every tank he had inspected he would be a rich man. You decide to seek confirmation from Peter your immediate supervisor who is located at head office. He tells you not to worry and that they only hire safety equipment for the dangerous jobs and yours is not one of those. He also says that George is the most experienced contractor they have and to make sure you get through the inspection quickly because they are on a tight budget for the job. You still feel uneasy and ring Gina your fellow student engineer at another site. She says that you are just a bit nervous about supervising staff onsite for the first time and that their first inspection was well underway. Her sub-contractor also told her that safety equipment is not usually needed for these types of jobs. Choice of Action a) Keep on working as directed by your supervisor and try to catch up on lost time. b) Keep on working as directed by your supervisor and decide to have a meeting with your supervisor at the end of the day. c) Refuse to continue working on the site and go back to head office to sort it out. d) Contact the Depot Manager onsite to see if he has a copy of the rules and seek clarification about the safety equipment. e) Try to contact your supervisor s boss, who happens to be a family friend. SAFE DESIGN FOR ENGINEERING STUDENTS 57

160 Solution > There are at least three Tenets that have aspects which are relevant to the case. Members shall at all times place their responsibility for the welfare, health and safety of the community before their responsibility to sectional or private interests, or to other members; Members shall offer services, or advise on or undertake engineering assignments, only in areas of their competence and shall practise in a careful and diligent manner; Members shall take all reasonable steps to inform themselves, their clients and employers and the community of the social and environmental consequences of the actions and projects in which they are involved; > Your company has not undertaken such work before. Perhaps it does not possess enough skill and the requisite knowledge to complete the works. As the scenario unfolded there was evidence that this may well be the case. The regulation defines a confined space at a place of work as a space of any volume which a person may at any time enter or be allowed to enter and in which: > The atmosphere is liable to be contaminated at any time by dust, fumes, mist, vapour, gas or other harmful substances; > The atmosphere is liable at any time to be oxygen deficient. > As the onsite Engineer you also have a moral obligation to make yourself aware of the expertise/knowledge needed to perform the work with regards to fulfilling regulatory requirements, meeting the clients Safety policies in addition to Safety policies of the company you work for. By not ensuring that these requirements were met the onsite engineer did not uphold Tenets of the Code of Ethics. > An engineer may accept the assignment requiring expertise outside their own fields of competence provided they are restricted to the phases of the project in which they are qualified. Was the onsite engineer qualified to supervise the tank cleaning work? > Entry into the tanks is governed by a regulation. The confined spaces regulation supplements the Occupational Health and Safety Act, 2000 (NSW). The Regulation sets out minimum standards to ensure the safety of persons working in a confined space. It does this by requiring employers to comply with the Australian Standard (AS ) SAFE WORKING IN A CONFINED SPACE and by Occupational Health and Safety (Confined Spaces) Regulation This standard has specific requirements that must be met. As the Engineer onsite you would have been breaching your legal responsibilities by allowing the work to proceed. 58 australian SAFETY and compensation council

161 PART 2C: SAFE DESIGN QUIZ AN EDUCATIONAL RESOURCE FOR UNDERGRADUATE ENGINEERING STUDENTS QUIZ

162 >>> part C: safe design QuiZ This section aims to both develop and assess aspects of student learning about Safe Design. The quiz uses multiple choice, matching and ordering types of questions. Content in which the QuiZ CAn Be used The quizzes are particularly useful as formative or summative assessment of student learning of principles, concepts and terminology. They can be used to compliment teaching using lecture slide delivery and student directed learning of the material contained in Part 1 of this resource. Many of the questions can be used either in paper based or online delivery using quiz software in a Learner Management system (eg Blackboard, WebCT) or specialised quiz software. Question 1 MAtChing Pair up defi nitions with terms: 1. An error is 2. A near miss (aka incident) 3. A failure is 4. Reliability is 5. A hazard is 6. An accident is 7. Safety is A. freedom from accident or loss. B. freedom from failures. C. an undesired and unplanned event that results in a specifi ed level of loss. D. an event that involves no loss but with the potential for loss in other circumstances. E. a state or set of conditions of a system, that together with other conditions in the environment will lead inevitably to an accident. F. non-performance or inability of the system or component to perform its intended function. G. a fl aw or deviation from a desired or intended state. Answer 1 1 G; 2 D; 3 F; 4 B; 5 E; 6 C; 7 A safe design For EnGinEErinG students 1

163 Question 2 Multiple Answer Which of the following are true statements: Safe systems are reliable Reliable systems are safe Unsafe systems can be reliable Safety can only be compromised when there is a system failure Answer 2 S Safe systems are reliable S Reliable systems are safe R Unsafe systems can be reliable S Safety can only be compromised when there is a system failure Question 3 True/False You are a professional mechanical engineer. You have designed and overseen construction of a playground for the local school, a task for which you did not charge. Since you are not being paid for your professional services you are absolved of any duty of care. True False Answer 3 S True R False Question 4 Ordering Order these elements of the OHS regulatory framework from those having overarching influence to least influence over engineering practice: Industry Standards/Guidance Notes Standards Codes of Practice Regulations Acts Answer 4 1 Acts; 2 Regulations; 3 Codes of Practice; 4 Standards; 5 Industry Standards/Guidance Notes australian SAFETY and compensation council

164 Question 5 Multiple Answer Compliance with which of these elements of the OHS regulatory framework is mandatory? Acts Industry Standard/Guidance Notes Australian and International Standards Regulations Codes of Practice Answer 5 R Acts S Industry Standard/Guidance Notes S Australian and International Standards* R Regulations S Codes of Practice * Unless Australian standards are contained/called up in regulation or an Act. Question 6 Multiple Answer Which of the following groups are covered by a Duty of Care (according to the OHS Acts) in the workplace? Contractors and sub-contractors Employees Employers Answer 6 R Contractors and sub-contractors R Employees R Employers SAFE DESIGN FOR ENGINEERING STUDENTS 3

165 Question 7 Multiple Answer Compliance with a Duty of care can be enforced through which of the following: Acts Regulations Risk Management Standards Criminal and Civil Legal action Disciplinary action by the Institute of Engineers, Australia or the Professional Standards Association Answer 7 R Acts R Regulations S Risk Management Standards R Criminal and Civil Legal action R Disciplinary action by the Institute of Engineers, Australia or the Professional Standards Association Question 8 Multiple Answer When an injury occurs in the workplace, who can be subjected to civil or criminal legal action? Contractors and sub-contractors Employers Employees Answer 8 R Contractors and sub-contractors R Employers R Employees 4 australian SAFETY and compensation council

166 Question 9 Multiple Choice When is adherence to an Australian/NZ standard a legal requirement? When referred to in a Code of Practice When explicitly referred to in an Act or Regulation Always None of the above Answer 9 S When referred to in a Code of Practice R When explicitly referred to in an Act or Regulation S Always S None of the above Question 10 Multiple Answer Which of the following statements are true about AS/NZS 4360? it is a framework for risk management that is focussed specifically in engineering risks its purpose is to enforce uniform risk management systems in all contents it is designed to be a stand-alone, comprehensive standard that does not require interaction with other professional standards none of the statements above. Answer 10 S it is a framework for risk management that is focussed specifically in engineering risks S its purpose is to enforce uniform risk management systems in all contents S it is designed to be a stand-alone, comprehensive standard that does not require interaction with other professional standards R none of the statements above. AS/NZS 4360:1999, Risk Management provides a generic framework for establishing the content, identifying, analysing, evaluating, treating, monitoring and communicating risk. SAFE DESIGN FOR ENGINEERING STUDENTS 5

167 Question 11 Multiple Choice According to AS/NZS 4360, risk management systems: must reflect the culture and practices of the organisations in which they are applied. must not be influenced by the particular cultures and organisational practices in which they are applied. Answer 11 R must reflect the culture and practices of the organisations in which they are applied. S must not be influenced by the particular cultures and organisational practices in which they are applied. Question 12 Matching The following diagram shows an overview of the Risk Management process. Match the letters in the diagram with the appropriate term. B C A F D E A is B is C is D is E is F is Answer 12 A is Communicate & Consult B is Establish the Context C is Identify risks D is Analyse & Evaluate risks E is Control risks F is Monitor and Review 6 australian SAFETY and compensation council

168 Question 13 Multiple Answer In AS/NZS 4360, risk is measured in terms of: the probability of an event that impacts upon the organisation s objectives the consequences of an event upon the objectives of an organisation the likelihood of people s exposure to an event that has an impact upon an organisation s objectives Answer 13 R the probability of an event that impacts upon the organisation s objectives R the consequences of an event upon the objectives of an organisation S the likelihood of people s exposure to an event that has an impact upon an organisation s objectives Question 14 Multiple Answer According to AS/NZS 4360, risk assessment consists of risk identification risk analysis risk evaluation risk treatment Answer 14 R risk identification R risk analysis R risk evaluation S risk treatment SAFE DESIGN FOR ENGINEERING STUDENTS 7

169 Question 15 Multiple Answer According to AS/NZS 4360, decisions about the acceptability and treatment of risk may be based on: financial criteria legal criteria humanitarian criteria technical criteria Answer 15 R financial criteria R legal criteria R humanitarian criteria R technical criteria Question 16 Multiple Choice Two people are walking in the forest when they encounter a hazard; an angry grizzly bear. They both turn and run. The bear follows and is gaining ground quickly. The first says It s no use, we can t outrun the bear. The second responds I know, but I can outrun you. Which of the five methods for dealing with risk best describes the strategy adopted by the second person from the viewpoint of the second person? Avoid Treat Transfer Accept Ignore Answer 16 S Avoid S Treat R Transfer S Accept S Ignore 8 australian SAFETY and compensation council

170 Question 17 Multiple Choice According to AS/NZS 4360, the risk evaluation criteria should not be developed until after the risk treatment is completed must be determined before any of the risk management processes commence must be established before the risk identification process begins, but may be subsequently refined must be firmly established before the risk identification process begins, and must not be altered are universally set and not subject to how the risks emerge in individual contents. Answer 17 S should not be developed until after the risk treatment is completed S must be determined before any of the risk management processes commence R must be established before the risk identification process begins, but may be subsequently refined S must be firmly established before the risk identification process begins, and must not be altered S are universally set and not subject to how the risks emerge in individual contents. Question 18 Matching Once a hazard is identified and the risk analysed, there are 4 strategies for dealing with hazard. Match the strategy with the correct definition. 1. Accept 2. Avoid 3. Treat 4. Ignore 5. Transfer A. Redesign the system so that the hazard doesn t affect it B. Set up a contract or some other form of agreement, or work in such a way that the legal framework places the burden of risk (or part thereof) onto another party C. Modify the frequency or the consequences (severity) of the hazard D. Understand the consequences of the risk and be prepared to fully compensate for any losses incurred E. Be liable for but not prepared to compensate for any losses incurred due to the hazard Answer 18 1 D; 2 A; 3 C; 4 E; 5 B SAFE DESIGN FOR ENGINEERING STUDENTS 9

171 Question 19 Multiple Answer According to AS/NZS 4360, communication and consultation must take place during the process of Establishing the content of risk management Risk identification Risk analysis Risk evaluation Risk treatment Answer 19 R Establishing the content of risk management R Risk identification R Risk analysis R Risk evaluation R Risk treatment Question 20 Multiple Answer According to AS/NZS 4360, which of the following processes are subject to ongoing monitoring and review? establishment of the content risk identification risk analysis risk evaluation risk treatment Answer 20 R establishment of the content R risk identification R risk analysis R risk evaluation R risk treatment 10 australian SAFETY and compensation council

172 Question 21 Multiple Choice According to AS/NZS 4360, which type of analysis is most likely to be used as an initial screen activity to identify risks which require more detailed analysis? semi-quantitative analysis quantitative analysis qualitative analysis Answer 21 S semi-quantitative analysis S quantitative analysis R qualitative analysis Question 22 Multiple Answer Which of the following actions is or are examples of risk treatment, according to AS/NZS 4360? reducing the likelihood reducing the consequences transfer the risk avoid the risk Answer 22 R reducing the likelihood R reducing the consequences R transfer the risk R avoid the risk SAFE DESIGN FOR ENGINEERING STUDENTS 11

173 Question 23 Multiple Answer In AS/NZS 4360 provides a list of suitable information sources for analysing consequences and likelihood of a given event. Which of the following would be suitable sources? Experiments and prototypes Relevant published literature Economic, engineering or other models Personal opinion Answer 23 R Experiments and prototypes R Relevant published literature R Economic, engineering or other models S Personal opinion Question 24 Ordering The Hierarchy of Control is a variety of risk control options that are used to manage occupational health and safety risk. Please order these, with the most protective and therefore preferred option at the top and decreasing through to the least preferred option. Elimination Administrative (procedural) controls Engineering controls Personal Protective Equipment Substitution Answer 24 1 Elimination; 2 Substitution; 3 Engineering controls; 4 Administrative (procedural) controls; 5 Personal Protective Equipment 12 australian SAFETY and compensation council

174 Question 25 True/False Controlling risk through the use of Personal Protective Equipment is always effective. True False Answer 25 S True R False Question 26 True/False Controlling risk through the use of administrative controls (e.g. guidance and training on the safe use of forklifts) is always effective. True False Answer 26 S True R False Question 27 True/False Controlling risk through the use of administrative contrls (e.g. pilot and air traffic controller training) and technology is always effective. True False Answer 27 S True R False SAFE DESIGN FOR ENGINEERING STUDENTS 13

175 Question 28 Ordering Aircraft fitters inspect aircraft before each flight. To gain access for inspection Jim, an aircraft fitter, stood on a tug. A tug is a flat topped vehicle designed for towing aircraft and luggage trailers, etc. Jim was able, to stand on the tug, inspect the aircraft and drive around underneath the aircraft by operating the controls away from the driver s seat. Jim was moving the tug to a new inspection point when he collided with the aircraft. The collision trapped Jim between the tug and the aircraft fuselage. Jim received multiple fractures to his upper body. Company rules insist tugs are operated only if the driver is seated in the driver s seat. (example J. Culvenor) Please ORDER the risk control options from preferred to least preferred based on the hierarchy of control. Increase supervision to ensure compliance with safety rules Provide a special motorised maintenance trolley Increase aircraft component reliability Reduce the height of aircraft landing gear Answer Reduce the height of aircraft landing gear 2. Increase aircraft component reliability 3. Provide a special motorised maintenance trolley 4. Increase supervision to ensure compliance with safety rules Question 29 Ordering Kelly is a gardener at a metropolitan hospital. Kelly was cleaning a gang mower when she cut her foot. Kelly had seen other gardeners clean the mower by hosing the blades with water while operating them in reverse. Kelly was washing the mower in this way when her left foot touched the moving blades. The blades left deep cuts in her big toe and two adjacent toes. There had been no verbal or written instruction about how to wash the mower safely. The hospital provides safety boots but Kelly was not wearing them at the time of the accident. Often outdoor workers wear their own shoes claiming that they are more comfortable. The hospital has now developed a code of practice for the safe operation of the gang (example J. Culvenor). Please ORDER the risk control options from preferred to least preferred based on the hierarchy of control Remind all outdoor staff to wear safety boots Provide training in the new code of practice Re-sow the grass with a slower growing native variety Use sheep to graze the grass Answer Use sheep to graze the grass 2. Re-sow the grass with a slower growing native variety 3. Provide training in the new code of practice 4. Remind all outdoor staff to wear safety boots 14 australian SAFETY and compensation council

176 Question 30 Ordering Karen worked in a food processing factory as a production engineer. A forklift collided with Karen causing multiple fractures and severe bruising. Bill, a storeman, uses a forklift to shift drums of liquid. He moves the drums from the receiving storage area to the production area. The accident happened at 7pm on a winter night. The lighting in the production area was good but the lighting in the storage and forklift roadway area was poor. Karen was walking from the well-lit Tea Room across the roadway when struck by the forklift. The load obstructed Bill s view. The noise of the production line obscured the forklift motor noise. People can walk around the factory on an elevated walkway, but this is not always convenient and often not used despite a company rule (example J. Culvenor). Please ORDER the risk control options from preferred to least preferred based on the hierarchy of control. Create a strict rule that in the interests of safety the existing walkways must be used Improve the lighting in the roadway section of the factory Provide forklifts with dual controls such that they can be driven in reverse Pipe the liquid from the receiving storage area to the production line Answer Pipe the liquid from the receiving storage area to the production line 2. Provide forklifts with dual controls such that they can be driven in reverse 3. Improve the lighting in the roadway section of the factory 4. Create a strict rule that in the interests of safety the existing walkways must be used SAFE DESIGN FOR ENGINEERING STUDENTS 15

177 16 australian SAFETY and compensation council

178