Safety Hierarchy: Design Vs. Warnings
Marc Green
We cannot change the human condition, but we can change the conditions under which humans work (Reason, 2000).
Disputes over warnings frequently bleed into issues of product design. Warning and design are closely connected because they are alternative mechanisms for controlling hazards and for promoting safety. Moreover, they represent polar extremes in viewpoints on responsibility, blame and legal interests. The design approach makes the designer responsible for product safety. Conversely, the warning approach downloads responsibility for safety on to the user, who is required to ensure that the product/environment works safely by avoiding accidents due to hazards inherent in the design.
Design and warnings both have advantages and disadvantages. The major advantage of warnings is that they are relatively cheap, so naturally businesses and authorities prefer them. This is fine, since there is no denying that practical considerations always play a role in safety, as in everything else. However, warnings also have a major downside: they are highly unreliable. Research (e.g., Arndt, Ayres, McCarthy, Schmidt, Wood, & Young, 1998; Ayres, 2004; Ayres, Wood, Schmidt, & McCarthy, 1998; McCarthy, Finnegan, Krumm-Scott, & McCarthy, 1984) has repeatedly shown that outside of the artificial world of university laboratories, warnings frequently, and some would say usually, fail.
Certainly, there are factors which can promote or reduce warning effectiveness. Users learn to trust some warnings. Few people drive through a "Bridge Out" sign (although many frequently go through a flashing railroad crossing signal). Otherwise, warnings are generally most effective when the user is new to the task and especially when the user already believes that risk exists. On the other hand, warnings are least effective when there is no perceived risk. In other words, they are most likely to fail in the very circumstances where they are most needed.
Design costs more but has the advantage of being, in principle, a more certain means for preventing accidents. Human factors professionals widely recognize the unreliability of warnings and superiority of design. This is illustrated by the various safety protocols that human factors and ergonomic professionals employ. The most common is called the "Safety Hierarchy." The simplest and most common version is:
- Design;
- Guard; and
- Warn.
When a hazard is identified, the safest approach is to perform a redesign which removes the hazard. If redesign is not feasible, then the next best approach is to employ a guard or barrier to separate the user from the hazard. If the guard is not feasible, then the next step is to use a warning. Use of the Safety Hierarchy is standard safety practice. The International Ergonomics Association, for example, says that application of the safety hierarchy is a "core competency" for professionals.
The safety hierarchy, however, is not a scientific principle but instead is a useful rule-of-thumb that is almost universally applied. Different authors have slightly different versions, some including additional safety mechanisms:
"Safety Decision Hierarchy" (Manuele, 2003)
- Eliminate hazards and risks through system design and redesign,
- Reduce risks by substituting less hazardous methods or materials,
- Incorporate safety devices (fixed guards, interlocks),
- Provide warning systems,
- Apply administrative controls (work methods, training, etc.), and
- Provide personal protective equipment.
"Design Order Of Precedence" (Brauer, 2006)
- Eliminate the hazard;
- Reduce the hazard level;
- Provide safety devices;
- Provide warnings; and
- Provide safety procedures (and protective equipment).
"Safety Precedence Sequence" (Stephans, 2004)
- Design for minimum hazard;
- Provide safety devices;
- Provide warning devices;
- Control with procedures and training; and
- Accept remaining residual hazards.
ANSI B11-2008
Stage 1: Hazards eliminated
- Change task, function, location, etc.; and
- Substitution of materials;
Stage 2: Reduce Risks
- Engineering control;
- Awareness (warnings, signs, etc.);
- Training; and
- Personal protective equipment.
The different conceptions of the hierarchy have some minor variations among the mechanisms. ANSI uses the term "engineering controls," which roughly equates to guards, e.g., a fume hood. Some hierarchies are based on factors in specific industries. Some suggest the use of less hazardous materials (Manuele, 2003), which may apply to a chemical industry but may not apply to a domain that does not employ hazardous materials. Some authors also include protective clothing, procedures and training as options. Again, these are less general solutions that may apply in specific situations. The exact order of these lower level items is also somewhat situation dependent. There are doubtless circumstances, for example, where training is a superior option to warning. Lastly, the alternatives are not mutually exclusive. Users might receive training, but warnings would be used to act as reminders.
The main point, however, is that despite variations in safety hierarchy, all agree that warnings and other methods that depend on user behavior are inferior compared to design or other measures that eliminate the hazard and to a lesser extent guard against the hazard. In fact, the methods might be classified into three preference strata ordered by their reliance on user behavior:
- Those which do not depend on user behavior: design, use of less hazardous materials, and guards that are tamper-proof and that provide complete separation of the user from the hazard;
- Those which may depend somewhat on human behavior: guards that are not complete or tamper-proof. In some cases, users can circumvent guards, forget to use them or actively attempt to defeat them, e.g., by disabling a lockout;
- Those which depend almost entirely on user behavior: warnings, training, procedures and protective clothing (since the user must put it on).
Note that the order is also the order of effectiveness. Safety mechanisms become increasingly unreliable as their dependence on human behavior grows. However, enforcement can increase the effectiveness of warnings and other methods that rely on human behavior. Everyone drives below the speed limit when seeing the cop with the radar gun. Unfortunately, enforcement costs money and inconvenience, which counteracts the major advantage of warnings.
There are many reasons why the effectiveness of a safety mechanism declines with reliance on user behavior. People become tired and distracted. They work under pressure to get the job done. They know that warnings are often for legal "cover-your-ass" purposes rather than safety ones. They act on unintended affordances. They see everyone else ignoring the warning or not following procedures with no bad consequences. They have learned that warnings are common but accidents are rare, and they have been operantly conditioned to ignore warnings throughout their lives. They believe that they can control the risk. They believe that there is no risk. Most commonly, they don't even think about risk.
Moreover, safety is a pain because it has a "cost of compliance," a fact that is succinctly captured by two quotes:
The conscious pursuit of health and safety is usually a very minor concern of the individual, (and) is only incidental to the pursuit of other goals, which may at times be in conflict with safety. (Hale and Glendon, 1987).
Safety is usually a continuous fight with human nature. (Geller, 2001).
People don't use products or environments in order to be safe. They use them in order to perform a task which allows them to reach a goal. They will attempt to perform the task as efficiently and as easily as possible, especially as they become more experienced and more skilled. The behavior becomes automatic and they cease noticing information that is not directly task-related. Safety considerations just get in the way by making the task more difficult to complete and by forcing users into less efficient, controlled, conscious behavior. If a safety mechanism causes a significant inconvenience, the user will almost certainly attempt to find a way to circumvent it and to increase efficiency. This is human nature and is the starting point for safety interventions.
There are two responses that businesses and authorities might make to the realities of human nature. They can continue to plan for safety based on what they think people should do: pay close attention 100% of the time, consciously consider every risk, notice and comply with every warning, willingly pay the cost of compliance, etc. This response is very convenient, since it allows the use of cheap safety mechanisms, warnings and procedures, which also shifts blame to the user when there is an accident. (Ironically, businesses and authorities really don't want users to act this way all the time. Want to bring any organization to its knees? Have everyone follow procedures exactly and comply with every warning.) Obviously, this view of safety has many advantages. The only problem is that it amounts to wishful thinking.
Conversely, businesses and authorities can promote safety based on the realities of human nature and on what people actually do rather than what would be convenient for them to do. Human nature is unlikely to change anytime soon. The best approach to safety is to avoid relying on user behavior as much as possible. This is not to say that warnings and procedures are always useless but rather that the best safety mechanisms do not rely on humans to act contrary to their nature 100% of the time. This is why designing the hazard out of the system, if feasible, is the best approach to safety.
References
Arndt, S., Ayres, T., McCarthy, R., Schmidt, R., Wood, C. & Young, D. (1998). Warning Labels and Accident Data. Human Factors and Ergonomics Society Annual Meeting Proceedings, 550-553.
Ayres, T. (2004). Facing a pervasive bias in warnings research. Human Factors and Ergonomics Society Annual Meeting Proceedings, 28, 2035-2039.
Ayres, T., Wood, C., Schmidt, R., & McCarthy, R. (1998). Risk perception and behavioral choice. International Journal of Cognitive Ergonomics, 2, 35-52.
Ayres, T., Wood, C., Schmidt, R., Young, D. & Murray, J. (1998). Effectiveness of Warning Labels and Signs: An Update on Compliance Research. Proceedings of the Silicon Valley Ergonomics Conference & Exposition, 199-205.
Brauer, R. (2006). Safety And Health For Engineers. John Wiley & Sons, Inc: Hoboken, New Jersey.
Geller, E. (2000). The Psychology of Safety Handbook. Lewis Publishers Inc.
Hale, A. & Glendon, I. (1987). Individual Behaviour in the Face of Danger. http://www.hastam.co.uk/personnel/publications/hale_and_glendon.html.
Manuele, J. (2003). On The Practice of Safety. John Wiley & Sons, Inc: Hoboken, New Jersey.
McCarthy, R., Finnegan, J., Krumm-Scott, S., & McCarthy, G. (1984). Product information presentation, user behavior, and safety. Human Factors and Ergonomics Society Annual Meeting Proceedings, 81-85.
Reason, J. (2000). Human error: models and management. British Medical Journal, 320, 768-770.
Stephans, R. (2004). System Safety For the 21st Century. The Updated And Revised Edition Of System Safety 2000. John Wiley & Sons, Inc: Hoboken, New Jersey.