Sie sind auf Seite 1von 8



979/774-7755 FAX: 979/774-0559


Safety engineering, like any applied science, is The Accident Process
based upon fundamental principles and rules of
practice. Safety engineering involves the (a) Effective safety engineering and safety
identification, (b) evaluation, and (c) control of management must also take into account what has
hazards in man-machine systems (products, come to be known as “the accident process.” This
machines, equipment, or facilities) that contain a concept recognizes the fact that although personal
potential to cause injury to people or damage to injury or system damage may take place at a
property. moment in time, the foreseeable causative factors
that ultimately produce such injury or damage are
A REALISTIC VIEW OF THE TERM “ACCIDENT” typically set into motion, and could have been
controlled or prevented, at an early stage in the
Safety engineers recognize that accidents are system life cycle.
typically dynamic events involving a combination
of causative factors. The term “accident” means a That is, this concept recognizes that
dynamic, multi-causal event that begins with the foreseeable causes of accidents are typically set
activation of a pre-existing hazard which then into motion well in advance of the injury or
flows through its host system in a logical sequence damage occurrence itself. A key element in the
of events, factors, and circumstances to produce a accident process is the concept of cause
final loss event (often including personal injury of “foreseeability.” A foreseeable cause is called a
the system operator). “proximate cause.”


System Life Cycle According to the safety engineering literature

(having its counterpart in law), a “producing
The concept of “system life cycle” recognizes cause” means a cause which, in a natural and
that every system (product, machine, facility, etc.) continuous sequence or chain of subsequent
has a “life cycle” which begins in the (a) “concept producing causes, produces an event, and without
or definition” stage before proceeding through the which the event (accident/injury) would not have
successive stages of (b) system “design and occurred.
development,” (c) “production, manufacture,
construction, or fabrication,” followed by (d) Some producing causes of accidents, through
system “distribution” before arriving at the (e) the use of reasonable and prudent methods of
system “operation or deployment” stage, which prediction, can be reasonably foreseen or
after a period of time, is inevitably followed by (f) anticipated before they actually produce an
the “termination, retirement, recycle, or disposal” accident/injury event. Such a producing cause
stage. may further be identified as a “proximate cause.”


That is, a proximate cause is a producing UNSAFE ACTS VS. UNSAFE CONDITIONS
cause that is reasonably foreseeable (or should be
reasonably anticipated) by a person exercising Unfortunately, when discussing the causative
ordinary care to discover and control such causes factors of accidents, many people cling to the
before they produce accident events. traditional over-simplified labels that have divided
such factors into “unsafe acts” and “unsafe
There can also be a hierarchy of proximate conditions.” In balance, this dichotomy approach
causes. One or more proximate causes might has proven harmful to the effective control of
logically be viewed as a primary, dominant, or accidents.
root proximate cause; that is, a proximate cause
that necessarily sets all following causes in Many otherwise sincere individuals have
motion. These root proximate causes are typically mistakenly believed or assumed that these factors
created during the early stages of the system life are subject to equal control and that only one or
cycle and should be the primary targets for the other of the two need be of major concern in
elimination or control at that time. the prevention of accidents. Typically, such focus
has been on “unsafe acts,” as the majority of
FORESEEABLE VS. UNFORESEEABLE practitioners do not possess the expertise to
ACCIDENTS evaluate the technical issues involved, or do not
recognize with what relative ease and positive
Until an adequate accident causation analysis effect unsafe conditions can be controlled.
has been conducted, it is unwise to conclude that
its causative factors were unforeseeable. The term “unsafe act” may also contain an
Therefore, one might define the following two unwarranted implication of blame or fault (rather
types of “accidents:” than a genuine lack of knowledge or training).
During the investigation of accidents, such an
Type I Accident inordinate focus on “unsafe acts” will typically
stifle the effective control of accidents, as the
A Type I Accident might be considered an investigation is typically ended when the first
undesired and unforeseen event that results in an immediate cause is identified (unsurprisingly some
unacceptable system loss, which could have been action or inaction on the part of the accident
foreseen and prevented through the prior victim). As a result, potentially more important
application of recognized principles and methods root causes related to system design are
of system hazard identification, evaluation, and overlooked.
Herein, the term “unsafe condition” is
Type II Accident retained, but the term “unsafe act” is rejected as
historically leading to error or incomplete cause
A Type II Accident might then be defined as analysis.
an undesired and unforeseen event that results in
an unacceptable loss, which could not have been Rather, inappropriate human actions or
foreseen and prevented through the application of inactions of persons that contribute to accidents
recognized principles and methods of system (resulting from error or human nature associated
hazard identification, evaluation and control. with the common relevant human factor
capabilities and limitations of men and women)
Obviously, Type I accident events should not are called “unsafe actions,” defined as unsafe
be called “accidents” at all in the traditional sense, system use methods and procedures, without any
but rather, such an event should more realistically initial implication of fault or blame.
be called a “foreseeable loss event.”

Hazard Control:
Engineering vs. Work Methods “Hazard identification” in reality can be
viewed as “energy identification,” recognizing that
Given the initial proposition that accidents can an unanticipated undesirable release or exchange
be prevented by either controlling the design of a of energy in a system is absolutely necessary to
system’s hardware, or by controlling the actions or cause an “accident” and subsequent system
behavior of system operators – that is, by damage or operator injury. Therefore, an
controlling the design of the product, machine, or “accident” can now be seen as “an undesired and
facility (the machine or environment), or by unexpected, or at least untimely release, exchange,
controlling the actions of operators or users of or action of energy, resulting, or having the
such systems (the man or human factor), the potential to result in damage or injury.” This
question then becomes: approach simplifies the task of hazard
identification as it allows the identification of
If the goal is the effective prevention of hazards by means of a finite set of search paths,
accidents (personal injury), should one give initial recognizing that the common forms of energy that
primary attention to the identification and control produce the vast majority of accidents can be
of potential unsafe physical conditions (hazardous placed into only ten descriptive categories.
system hardware components), or the
identification and control of potential unsafe The goal of this first step in the hazard control
actions (unsafe work methods and system use process is to prepare a list of potential hazards
procedures)? (energies) in the system under study. No attempt
is made at this stage to prioritize potential hazards
In essence, this question is asking: Are or to determine the degree of danger associated
hazardous product, machine, and facility with them – that will come later. At this first
components, or the hazardous actions or behaviors stage, one is merely taking “inventory” of
of people, more easily or effectively (a) identified, potential hazards (potential hazardous energies).
(b) evaluated, and (c) controlled? (See Appendix A practical list of hazardous energy types to be
for a discussion of this issue.) identified might include:


Mechanical energy hazards involve system
The first step in safety engineering is “hazard hardware components that cut, crush, bend, shear,
identification.” A hazard is anything that has the pinch, wrap, pull, and puncture. Such hazards are
potential to cause harm when combined with some associated with components that move in circular,
initiating stimulus. transverse (single direction), or reciprocating
(“back and forth”) motion. Traditionally, such
Many system safety techniques have been hazards found in typical industrial machinery have
pioneered to aid in the identification of potential been associated with the terms “power
system hazards. None is more basic than “energy transmission apparatus,” “functional components,”
analysis.” Here, potential hazards associated with and the “point of operation.”
various physical systems and their associated
operation, including common industrial and Electrical Energy Hazards
consumer related activities, can be identified (for
later evaluation and control) by first recognizing Electrical energy hazards have traditionally
that system and product “hazards” are directly been divided by the general public into the
related to various common forms of “energy.” categories of low voltage electrical hazards (below
That is, system component or operator “damage” 440 volts) and high voltage electrical hazards
or “injury” cannot occur without the presence of (greater than 440 volts).
some form of hazardous “energy.”

Chemical Energy Hazards Atmospheric/Geological/Oceanographic
Chemical energy hazards involve substances
that are corrosive, toxic, flammable, or reactive, to These hazards are associated with atmospheric
include chemical explosives. weather situations such as excessive wind and
storm conditions, destructive geological events
Kinetic (Impact) Energy Hazards such as instabilities of the earth’s surface (rock or
mud slides and earthquakes), and oceanographic
Kinetic energy hazards involve “things in currents and wave action, etc.
motion” and “impact,” and are associated with the
collision of objects in relative motion to each Biological Hazards
other. This would include impact of objects
moving toward each other, impact of a moving These hazards are associated with poisonous
object against a stationary object, falling objects, plants, dangerous animals, biting or poisonous
flying objects, and flying particles. insects, and disease carrying bacteria, etc.

Potential (Stored) Energy Hazards Systematic Inventory of Potential Hazards

Potential energy hazards involve “stored To develop a list of potential system hazards,
energy.” This includes things that are under one should consider each form of energy in turn.
pressure, tension, or compression; or things that First, list each particular type of energy contained
attract or repulse one another. Potential energy in the system under study, and then describe the
hazards involve things that are “susceptible to various reasonably foreseeable circumstances
sudden unexpected movement.” Hazards under which it might become a proximate cause of
associated with gravity are included in this an undesirable event. Here, full use of the
category and pertain to potential falling objects or published literature, accident statistics, system
persons. This category also includes the forces of operator experience, scientific and engineering
gravity transferred biomechanically to the human probability forecasting, system safety techniques
body during manual lifting. (such as Preliminary Hazard Analysis, Fault Tree
Analysis, Hazard Mode and Effects Analysis, and
Thermal Energy Hazards What-If Analysis), as well as team brainstorming
are brought to bear on the question of how each
Thermal energy hazards involve things that form of energy might cause an undesirable event.
are associated with extreme or excessive heat,
extreme cold, sources of flame ignition, flame Prerequisite to such an identification of all
propagation, and heat related explosions. system hazards is a thorough understanding of the
system under study related to its general and
Acoustic Energy Hazards specific intended purpose and all reasonably
anticipated conditions of use.
Acoustic energy hazards involve excessive
noise and vibrations. Specifically, one must thoroughly understand
(a) the engineering design of the system, including
Radiant Energy Hazards all physical hardware components - their
functions, material properties, operating
Radiant energy hazards involve the relatively characteristics, and relationships or interfaces with
short wavelength energy forms within the other system components, (b) the intended uses as
electromagnetic spectrum to include the harmful well as the reasonably anticipated misuses of the
characteristics of visible, infrared, microwave, system, (c) the specific (demographic and human
ultra-violet, x-ray, and ionizing radiation. factor) characteristics of intended system users,

taking into account such things as their Use of this equation must take into account
educational levels, their range of knowledge and that an accident event having a remote probability
skill, and their physical, physiological, of occurrence during any single exposure, or
psychological, and cultural capabilities, during any finite period of exposure to a particular
expectancies, and limitations, and (d) the general hazard, IS CERTAIN TO OCCUR if exposure to
characteristics of the physical and administrative that hazard is allowed to be repeated over a
environment in which the system will be operated. longer period of time. Therefore, a long term or
That is, one must have a thorough understanding large sample view should be taken for proper
of the man/ machine/ task/ environment elements evaluation.
of the system and their interactions.
Determination of potential severity should
BASICS OF SAFETY ENGINEERING center on the most likely resulting injury or
STEP #2: HAZARD EVALUATION damage as well as the most severe potential
outcome. Severity becomes the controlling factor
The evaluation stage of the safety engineering when severe injury or death is a likely possibility
process has as its goal the prioritizing or ordering among the several plausible outcomes. That is,
of the list of potential system condition or physical even when other risk factors indicate a low
state hazards, or potential system personnel of probability of mishap over time, if severe injury or
human factors compiled in Step #1. death may occur as a result of mishap, the risk
associated with such hazards must be considered
The mere presence of a potential hazard tells
as being “unacceptable,” and strict attention given
us nothing about its potential danger. To know the
to the control of such hazards and related mishaps.
danger related to a particular hazard, one must first
examine associated risk factors.
Exposure evaluation should consider the
Risk can be measured as the product of three typical life expectancy of the system containing a
components: (a) the probability that an injury or particular hazard, the number of systems in use,
damage producing mishap will occur during any and the number of individuals who will be
one exposure to the hazard; (b) the likely severity exposed to these systems over time.
or degree of injury or damage that will likely
result should a mishap occur; and (c) the estimated Acceptable vs. Unacceptable Risk
number of times a person or persons will likely be
exposed to the hazard over a specific period of This step in the hazard evaluation process will
time. That is… ultimately serve to divide the list of potential
hazards into a group of “acceptable” hazards and a
(1) H x R = D, and since group of “unacceptable” hazards. Acceptable
hazards are those associated with acceptable risk
(2) R = P x S x E, then
factors; unacceptable hazards are those associated
(3) H (P x S x E) = D with unacceptable risk factors.

where: An “acceptable risk” can be thought of as a

risk that a group of rational, well-informed, ethical
H= Hazard P = Probability individuals would deem acceptable to expose
R = Risk S = Severity themselves to in order to acquire the clear benefits
D = Danger E = Exposure of such exposure. An “unacceptable risk” can be
thought of as a risk that a group of rational, well-
In the evaluation of mishap probability,
informed, ethical individuals would deem
consideration should be given to historical incident
unacceptable to expose themselves to in order to
data and reasonable methods of prediction.
acquire the exposure benefits.

Hazards associated with an acceptable risk are Cardinal Rule #1
traditionally called “safe,” while hazards
associated with an unacceptable risk are The first cardinal rule of hazard control (safe
traditionally called “unsafe.” Therefore, what is design) is “hazard elimination” or “inherent
called “safe” does contain elements of risk that are safety.” That is, if practical, control (eliminate or
judged to be “acceptable.” Once again, the mere minimize) potential hazards by designing them out
presence of a hazard does not automatically mean of products and facilities “on the drawing board.”
that the hazard is associated with any real danger. This is accomplished through the use of such
It must first be measured as being unacceptable. interrelated techniques as hazard removal, hazard
substitution, hazard attenuation, and/or hazard
The result of this evaluation process will be isolation through the use of the principles and
the compiling of a list of hazards (or risks and techniques of system and product safety
dangers) that are considered unacceptable. These engineering, system and product safety
unacceptable hazards (rendering the system within management, and human factors engineering,
which they exist “unreasonably dangerous”) are beginning with the concept and initial planning
then carried to the third stage of the safety stages of the system design process.
engineering process, called “hazard control.”
Cardinal Rule #2
STEP #3: HAZARD CONTROL The second cardinal rule of hazard control
(safe design) is the minimization of system
The primary purpose of engineering and the hazards through the use of add-on safety devices
design of products and facilities is the physical or safety features engineered or designed into
“control” of various materials and processes to products or facilities, also “on the drawing board,”
produce a specific benefit. The central purpose of to prevent the exposure of product or facility users
safety engineering is the control of system to inherent potential hazards or dangerous
“hazards” which may cause system damage, combinations of hazards; called “extrinsic safety.”
system user injury, or otherwise decrease system A sample of such devices would include shields or
benefits. Current and historic safety engineering barriers that guard or enclose hazards, component
references have advocated a specific order or interlocks, pressure relief valves, stairway
priority in which hazards are best controlled. handrails, adequate lighting, and passive vehicle
occupant restraint and crashworthiness systems.
For decades, it has been well established by
the authoritative safety literature (as well as by Passive vs. Active Hazard Controls
logic and sound engineering practice) that, in the
order of preference and effectiveness, regardless A principle that applies equally to the first
of the system being examined, hazards are first to two cardinal rules of safe design is that of “passive
be controlled through (a) “hazard removal,” vs. active” hazard control. Simply, a passive
followed by (b) the use of “physical safeguards,” control is a control that works without requiring
and then, after all reasonable opportunities have the continuous or periodic involvement or action
been exhausted related to hazard removal and of system users. An active control, in contrast,
safeguarding, (c) remaining hazards are to be requires the system operator or user to “do
controlled through the development and use of something” before system use, continuously or
adequate warnings and instructions (to include periodically during system operation in order for
prescribed work methods and procedures). the control to work and avoid injury. Passive
controls are “automatic” controls, whereas active
Listed in order of preference and controls can be thought of as “manual” controls.
effectiveness, these control methods may be called Passive controls are unquestionably more effective
the “ cardinal rules of safe design,” or the than active controls.
“cardinal rules of hazard control.”

Cardinal Rule #3

The third cardinal rule of hazard control (safe Among other things, the methods and
design) is the control of hazards through the materials used to communicate required safe use
development of warnings and instructions; that is, or operating methods and procedures must give
through the development and effective adequate attention to the nature and potential
communication of safe system use (and severity of the hazards involved, as well as
maintenance) methods and procedures that first reasonably anticipated user capabilities and
warn persons of the associated system dangers limitations (human factors).
that may potentially be encountered under
reasonably foreseeable conditions of system use, Briefly stated, the cardinal rules of hazard
misuse, or service, and then instruct them controls involve system design, the use of physical
regarding the precise steps that must be followed safeguards, and user training. It must further be
to cope with or avoid such dangers. This third thoroughly understood that no warning or safe
approach must only be used after all reasonably procedure can equal or replace an effective
feasible design and safeguarding opportunities safety device, and no safety device can equal or
(first and second rule applications) have been replace the elimination of a hazard on the
exhausted. drawing board.

Further, it must be recognized that the

(attempted) control of system hazards through the © NELSON & ASSOCIATES, 1978,1983,1988,1993,1996,
use of warnings and instructions, the least 2007
effective method of hazard control, requires the
development of a variety of state-of-the-art
communication methods and materials to assure
that such warnings and instructions are received
and understood by system users.

Behavioral Human Factor Causes vs. Physical Condition Causes of Accident Events

Are hazardous product, machine, and facility Answer – In most systems, the set of
components, or the hazardous actions or potential unsafe condition hazards is typically
behaviors of people, more easily or effectively fewer in number (more finite) than the set of
(a) identified, (b) evaluated, and (c) controlled? potential human errors or potential deviations
from prescribed safe system use methods or
Question #1 – Within any man-machine procedures resulting from fatigue, distraction,
system, are potential unsafe conditions (unsafe and various hardwired (intrinsic and relatively
system hardware components) or potential unmodifiable) human factor capabilities and
unsafe actions (unsafe system use methods and limitations).
procedures) easier to IDENTIFY? That is, how
many potential unsafe system hardware Logically, one must choose to analyze and
conditions can be reasonably foreseen as control the finite over the comparatively infinite.
compared with reasonably foreseeable potential That is, potential unsafe system condition
unsafe actions (unsafe system use methods and hazards are potentially easier to identify. It
procedures) or human error factors associated follows then that it is more effective to give one’s
with system operation? initial primary attention to “the machine” rather
than to “the man.”

Question #2 – Are potential unsafe For the third time, this recognized hierarchy
conditions (unsafe system hardware dictates that, at the earliest stage in a system’s
components) or potential unsafe behaviors life cycle that potential system hardware hazards
(unsafe system use methods and procedures) can be foreseen, primary attention should be
easier to EVALUATE? That is, are the given to the elimination or engineering control of
probabilities (and related injury severities) hazards.
associated with foreseeable exposures to
potential system unsafe condition hazards and A “bonus” advantage of controlling physical
resulting loss events easier to calculate or system condition hazards in the early stages of a
estimate than similar determinations of systems life cycle is the safe system design “on
probability associated with potential unsafe the drawing board” can automatically eliminate
actions or human error factors related to system the potential effect of later “operator errors.” The
operation? fact that operator errors are typically the result of
system design errors is exemplified in the safety
Answer – In most situations, it is typically and human factors engineering proverb: “How a
easier, more predictable, and more accurate to system, product, or facility is designed will
calculate or estimate the failure rates (accident dictate how it can and will be used.”
probabilities and severities) associated with
hardware system hazards (defects/wear/failures) CAUTION: The fact that control of system
than it is to predict the multitude of potential hazards and resulting potential personal injury to
human errors or deviations from prescribed safe system operators and users is recognized as first
system use methods or procedures. Once again, involving attention to designing hazards out, and
this indicates that it is more effective to give designing safety into various product, machine,
primary attention to “the machine” rather than to and facility systems, should not detract from the
“the man.” vital importance of giving paramount attention
to the use of adequate warnings and
Question #3 – Are potential unsafe instructions and the development and effective
conditions (unsafe system hardware communication of safe system operating
components) or potential unsafe behaviors methods and procedures to system users at the
(unsafe system use methods and procedures) proper time in the system design process.
easier to CONTROL? That is, if the ultimate goal
is overall “hazard control,” are hazardous In every hardware system, not only must
physical conditions of hardware systems, or human factors be considered early in the design
potential human error and deviations from process to learn how people might be exposed to
prescribed safe system use methods or system hazards, so that these hazards can be
procedures, more susceptible to effective, removed or minimized in the design process,
positive, and more permanent control? residual hazards that cannot be designed out of
such systems through engineering means must
Answer – As verified by the authoritative safety be given proper attention in the form of
literature for the past several decades, adequate warnings and instructions, and in
engineering controls (the removal or physical many situations, required formal training (and
safeguarding of potential hazardous product, subsequent supervision). If the training becomes
machine, or facility system components) are complex, a formal certification program must
universally recognized as being more effective be developed.
and long lasting than behavioral or administrative