System SafetySystem Safety

R

Compromisesin the Pursuit

of SafetyNegotiation and communication improve outcomes

By George A. Peters and Barbara J. Peters

RECENT DEVELOPMENTS in the practice of safetyhave provided a broad array of robust techniquesand methods to minimize risk. The generalapproach may be to prevent human error [Petersand Peters(c)]. Another approach is by design safetyanalysis, as illustrated by the 22 most commonlyused methodologies in system safety (Ericson).Books on occupational ergonomics [Peters andPeters(a)]; legal aspects of safety practice (Peters);warnings and instructions [Peters and Peters(e)];vehicle safety [Peters and Peters(a)] and many allieddisciplines contain information that SH&E practi-tioner could use in problem solving. In fact, a recentsearch of Amazon for current books returned 4,354occupational safety titles and 2,705 safety engineer-ing titles. The Library of Congress has more than10,000 occupational safety and safety engineeringbook titles. Such a wealth of available resources sug-gests the current growth, maturity and potential ofthe safety discipline.

TeamworkA broader scope and more productive role for the

safety discipline is suggested by the ready availabilityof relevant information sources (content knowledge),the development of many different techniques andmethodologies (tools of the trade), and the ever-grow-ing expectations of others [Peters and Peters(b); USAF;GAO; Alexander]. It may be unrealistic in some situa-tions to expect just one safety specialist to know every-thing and to act alone. Instead, the SH&E professionalshould be aware of what is available and be able toorganize team efforts to effectively and efficiently usethe available knowledge and skills. The SH&E profes-sional should lead and engage those in subdisciplinesand allied disciplines. Such team efforts require nego-tiating skills, an understanding of the acts of compro-mise and a comprehension of how others’ skills can bebest used to achieve a common goal.

The Safety MatrixProblem solving for the SH&E professional

involves much more than a quick fix with common-sense remedies. Many safety problems require threemajor considerations.

1) Holistic assumptions. Start with an overviewof the general enterprise or operation. This may benecessary to establish appropriate goals, the level ofeffort to be expended, the possible conse-quences of an uncorrected safety problemand the available resources for suitablepreventive actions.

2) Develop applicable algorithms.These include the sequences, patterns,steps or rules that describe a processwhich should solve normal problems. It isa probabilistic set of instructions as towhat should occur. It is the relevant work-flow path network in which the safetyproblem is embedded and influenced.

3) Use targeted remedies. Based on thefocus achieved by holistic assumptionsand applicable algorithms, the root causeof a safety problem may be precisely iden-tified, remedies installed, follow-up initiat-ed and possible side effects determined.The permanent effectiveness and cost ofthe remedies are important variables—that is, one must realize it involves morethan the fact that some action was taken.Compromises in the pursuit of safety areclearly identified so that future remedialaction can be undertaken.

Ambiguity & Residual ProblemsFor many years, a fairly universal end-

all approach in safety was to include com-pliance with government regulations,trade standards, contract and code

George A. Peters is a licensedsafety engineer, a psychologist anda lawyer. A former ASSE vicepresident, Peters has also beenpresident of the System SafetySociety, and is a former member ofthe BCSP and BCPE boards ofdirectors. He is a Fellow of theAmerican Association for theAdvancement of Science, theInstitution of Occupational Safetyand Health, and the Human Factorsand Ergonomics Society. Peters’sarticles have been published inmany legal, medical andengineering journals.

Barbara J. Peters, J.D., specializesin solving SH&E-related legal andtechnical problems. She has taughtat the university level, lecturedworldwide and delivered presenta-tions to groups such as the Ameri-can Psychological Association,Georgia Institute of Technology,Human Factors and ErgonomicsSociety, System Safety Society,Cal/OSHA and ASSE. She is a Fellowof the Roscoe Pound Foundation.With her father, George A. Peters,she has authored/edited 41 books.

www.asse.org AUGUST 2006 PROFESSIONAL SAFETY 33

33_Peters_Aug2006.qxp 7/11/2006 1:24 PM Page 33

34 PROFESSIONAL SAFETY AUGUST 2006 www.asse.org

requirement, something relating to a specific com-ponent test, an insertion copied from another draw-ing or specification sheet, or just an arbitrarynumber derived from a supplier’s submission?What if it were just one component in a series (witha multiplicative reduction in system reliability), apart scheduled to be included in a product’s lifetimewarranty (perhaps 20 years or more with continuousself-test operation) and destined for large-scale pro-duction (at least 500,000 units per year)? Certainly,many questions could be asked, particularly if thecomponent were to be part of a passive safetydevice, a critical safety assembly or a vital link in anactive high-risk product.

If a knowledgeable engineer were the source of thereliability notation, would there be a friendly attemptto gain a further understanding while providingknowledge from the system safety perspective? Couldsuch an inquiry result in some sort of a challenge andpossible confrontation? Is it more likely to be a friend-ly accommodation and a compromise with a primaryspecialist on that topic? If the source was the projectengineer, would a long explanation and strong recom-mendation ensue, or merely quick capitulation anddeference (a compromise to an authority)? Negotia-tion for product improvement almost always involvespersonal ego and technical compromises, but the ulti-mate safety objective provides considerable leveragein obtaining desirable compromises.

New Systems & IntegrationA recent publication discussed the design of auto-

mobile rear steering-by-wire (Alexander). It statedthat in going through fault tree analysis “typically youhave to look at the single failures from a DFMEAstandpoint, but when you start dealing with these by-wire technologies, you have to look at interactions.You’ve got to protect yourself to multiple levels.” Thisstatement illustrates the fact that a more-detaileddesign safety analysis is required for new technologiessuch as electronic (by-wire) control of rear wheels, allfour wheels, throttle, steering or stability systems.

System safety specialists have long known thattheir endeavors are particularly fruitful in the designof new systems, as well as where systems interactand integrate. More teamwork is evident when deal-ing with unknowns for the first time; more coopera-tiveness emerges between established disciplineswhen attempting to identify and resolve problemson equipment compatibility and effectiveness; moreappreciation is given for information useful inachieving a common objective; and more under-standing is provided of the need to proactively re-duce predictable error variance (Peters). These aresubstantial factors in minimizing important adversecompromises on design safety.

Cost ControlsIn one passenger automobile airbag system, an

attempt was made to eliminate remote sensors (toreduce costs), along with their wiring harnesses andconnectors (to further reduce costs and complexity). A

requirements, industry practice and rel-evant legal requirements [Peters; Petersand Peters(d)]. The goals may havebeen compliance, acceptable safety, tol-erable risk, or appropriate warningsand instructions [Peters and Peters(e)].

Such ambiguous goals may not besufficient in the perspective of the cur-rent broad array of available sophisticat-ed analysis techniques and advancedmethodologies. For example, determin-ing what is acceptable or tolerable issubject to broad interpretation and vari-ation. Compliance may not result inimmediate desired results. Warningsmay address only residual risk and as aresult may be only partially effective.

A key objective for future safetyefforts is to reduce the ambiguities(uncertainties) and residual risk (knownstatistical variance), particularly wherecompromises have been made in thepursuit of safety. To illustrate this prob-lem, this article focuses on safety com-promises made in the recent past. Theemphasis is on design safety (systemsafety), but safety compromises are

common in all subdisciplines. The question is whatto do about compromises in the pursuit of a highlevel of safety.

Safety CompromisesThe system safety engineer may perform detailed

design safety analyses, make appropriate riskassessments, and determine what constitutes effec-tive alternative designs or remedies. This work maybe very good, but it is incomplete unless action istaken to implement the recommendations. This gen-erally requires negotiation—in the form of partici-pating in formal design reviews, personally workingwith project engineers or managers to obtain desiredchanges, or convincing those specialists who controlwhat appears on product engineering drawings,specifications and other relevant documents. Thesystem safety recommendations may be initiallyaccepted or rejected, modified or delayed, relegatedto further research and study, or simply ignored.

Often, however, design compromises are made toaccommodate everyone’s opinion. A compromisemay be a partial victory for each reviewer in a some-thing-is-better-than-nothing philosophy. Initial com-promises on high-risk hazards may motivate thesystem safety engineer to develop and refine the caseto achieve a better compromise in subsequent negoti-ations. In any case, a core aspect of the product or sys-tem improvement process is the art of compromise.

Reliability & AuthoritySome situations require compromise. For exam-

ple, on an engineering drawing, a system safety spe-cialist may observe the notation, “reliability 99.5%.”Does this reflect a desirable goal, a minimum

Being bestin safety is

rewarding. Beingmerely passable

in safety oftenmeans predictive

uncertainty,probable future

surprises and thepossibility of

the need forcorrective action

in the future.

33_Peters_Aug2006.qxp 7/11/2006 1:24 PM Page 34

www.asse.org AUGUST 2006 PROFESSIONAL SAFETY 35

used in structural members which can suffer damagein routine parts handling) and cable harnesses (withconnectors to sensitive electronic assemblies that areinadvertently damaged during conventional installa-tion procedures). Should system safety become moreinvolved in manufacturing operations or, at least,preliminary (prototype) assembly and field opera-tions testing? It would give full meaning and value tothe word “system” in system safety [Peters andPeters(b)]. It could reduce problems in handling,installation and service. It could bring the lessonslearned back home to engineering design and pro-vide fodder for subsequent remedial changes andnext-generation design improvements. More realisticdesign compromises can be made if system use isbetter understood [Peters and Peters(b); (d)].

The GatewayThe negotiation of design safety improvements is

the gateway to preventive action. When design deci-sions and approvals are made, the devil is often in thedetails. Thus, there should be informed design com-promises with some consideration of the rule-set(legal context) of a largely globalized world. It mayinclude overcoming resistant managerial obstacles,yet remaining a good team player. It may involve per-sistence when rejections are snap decisions, particu-larly in preemptive corrective actions including recallplanning and execution. While the term “design safe-ty” often operates, to some degree, as a broad license,it also carries with it an inherent defined responsibili-ty and accountability. This requires adherence to eth-ical codes and self-protection [Peters and Peters(d);GAO]. Self-protection includes transparency so thatwhen scapegoats, whistleblowers and covert actionsare uncovered, the system safety activities will befound to have provided appropriate information tothose ultimately responsible.

Most system safety specialists are well aware ofthe media coverage of events involving moral andethical transgressions, regulatory violations, classaction and product liability awards, and unsettlingreports of serious personal injury, property damage,forced mergers and corporate bankruptcies. The sys-tem safety engineer may feel as if the crosshairsof responsibility and accountability are targetingsafety endeavors.

If system safety recommendations are compro-mised during negotiations with other specialists andmanagers within the organization, what could bethe result if a major safety problem became manifesta few years later? Typically, the system safety spe-cialist’s name and function do not appear on thedesign drawings and specifications (i.e., there isanonymity). Others within the organization makethe design decisions, initiate and approve the com-promises, and assume ultimate responsibility andaccountability for the final (released) design.

As employees of a corporation, system safety spe-cialists are usually given personal immunity. Theygenerally must rely on data and information madeavailable, in part, by others. Thus, these specialists are

centralized integrated design seemed to meetcost/benefit requirements and its simplicity met cus-tomer cost reduction objectives (manufacturing,installation and servicing). However, the system con-troller (computer) had programmable discriminationalgorithms that required either expensive testing orsubjective extrapolation (gross estimation with a lossof sensitivity and accuracy). The resultant algorithmswere based on minimal testing, past experience withother systems and “educated” extrapolations. It was adesign compromise that favorably considered cost/benefit factors, but actually compromised (degraded)design safety in a final analysis of product perform-ance. This was because continued cost controls mini-mized the testing actually needed, a predictable eventby others in the chain of use of the system.

Information SourcesA company became aware of significant safety

problems from comparative warranty summariesand other in-field sources. A special committee wascreated to discover the root cause of the problem.Two years passed, with vigorous committee activityand increasing management pressure, yet no specif-ic cause was identified and validated.

At the end of 2 years, one member left the commit-tee. Several months later, he found a book thatdescribed the problem and outlined remedies. Reviewof engineering drawings revealed ongoing dimen-sional, geometric and material changes made over thecourse of the 2 years. They were made without refer-ence to, consideration of or knowledge about the rootcause of the problem. The design had been compro-mised many times during the 2-year committee activ-ity. No system safety analysis had been conducted,merely attempts to apply past experience as remem-bered by senior staff, key technicians and project engi-neers. Design compromises were speculative at best.

Technical books and reports are also oftenignored. There seem to be cycles in which problemsemerge, are studied and resolved, only to reappearin a cycle a decade or 2 later. Fortunately, the systemsafety engineer can be armed, either with informa-tion from company archives or with the vast amountof information available on the Internet.

Many external technical and research reports canbe instructive and useful as well. Worldwide patentsserve to identify problems and solutions. Trade stan-dards may help but are not crutches. Chat roomsprovide informal contact with peers. Internationalconferences provide opportunities for informal tech-nical discussions that may provide insight, concepts,methodology and information on new instrumenta-tion and technical equipment, all without a loss ofproprietary information or decline in company loyal-ty. These external sources of information have becomeincreasingly valuable to design safety efforts.

PrototypesFabrication of parts with unconventional materi-

als may present novel problems with design safetyimplications. Examples are carbon fiber (like that

33_Peters_Aug2006.qxp 7/11/2006 1:24 PM Page 35

36 PROFESSIONAL SAFETY AUGUST 2006 www.asse.org

decisions. However, some system safety engineersignore the human factors aspects of a system byassuming that this is largely an uncontrollable userproblem. Others may not share that belief.

For example, a driver may become inattentive,drowsy and distracted and be drifting out of a laneon a crowded highway. What can be done in designabout such a vehicle user problem? One vehiclemanufacturer now has a lane departure warningsystem to alert the driver via an instrument panelwarning light and an audible warning buzzer if thevehicle is about to move out of its lane. It senses lanemarkings, distance and lateral velocity at speedsabove 45 mph. Human error should not always beconsidered intractable or ungovernable.

Tolerance for risk is in the eye of the beholder andmay be quite different as perceived or understood bythe producer as opposed to the target (user). Testingmay help to establish the risk tolerance boundariesfor those involved with the system. Appropriate test-ing should help to define what constitutes a reason-able compromise under the circumstances.

Conclusion1) Safety compromises are customary even when

dealing with important safety issues. The clarity ofexpressed logic, the abundance of relevant informationand a demonstrable personal value system all tend toprevail at critical decision points in the design process.Compromises are to be expected and can be potential-ly good, ineffectual or adverse to safety objectives.

2) The degree and character of past and currentcompromises generates a personal reputation. Thepeer acceptance of recommended design changes oractions depends on the imputed credibility of theperson making the recommendations, as well as the

subject to the personal perspectives, motivations, bias-es, objectives and other limitations of the ultimatedecision makers. Therefore, compromise is both a factof life in system safety and a means of shifting ulti-mate responsibility to others in the organization.

However, one must still conform to customarycore practice (USAF), act prudently and responsibly[Peters and Peters(d)] and not ignore the obvious[Peters and Peters(b)]. The safety engineer is moral-ly and ethically responsible for the proper perform-ance of assigned duties regardless of opinionsregarding possible anonymity, shifting of responsi-bility or the decisions of others.

TestingIn-field tests should include tests of warnings and

instructions. Warnings are used for residual risks[Peters and Peters(e)], but are they effective enough?What residual risk remains after a warning is used? Adesign compromise to use a warning—rather thanaltering a component—may be good or bad depend-ing on the effectiveness of the warning. Without test-ing, what residual risk remains in any design change?

Testing should yield results that can be used toprepare a design checklist which could be used infault tree analysis, design review sessions anddesign audits. It could be bolstered by a review ofhistorical company documents. Such informationcould be the basis of better-informed design com-promises. It may be the data that tilt the balance orproduce a small gain (rather than settling for less)when negotiating a design improvement related topersonal and property damage. Testing helps toremove uncertainty [Peters; Peters and Peters(a)].

Testing is crucial in human error reduction andcontrol. It provides an objective basis for design

33_Peters_Aug2006.qxp 7/11/2006 1:24 PM Page 36

www.asse.org AUGUST 2006 PROFESSIONAL SAFETY 37

7) As with all aspects of system safety, opinionsdiffer considerably as to the application of specificbasic system safety techniques (tools) to varied situ-ations, demands, objectives, needs and availableresources. Legitimate arguments may arise withrespect to risk assessments or the scope of systemsafety. Not all industries are alike organizationally, inacceptable practice or in what may be consideredreasonable in design compromises. Contractual,technical, political or societal constraints or require-ments may exist as well. In essence, what might be agood (appropriate) compromise in one context maybe a bad (inadequate) compromise in another. Inother words, one should expect some diversity inapplying system safety theory, practice, tools, evalu-ation criteria and procedures in various organ-izational interrelationships. Negotiated designcompromise may be a relative, conditional, creative,interpersonal, tolerant and persistent affair. It maybe direct or result from alternative creative means.

8) Design compromises are at the heart of thecommunication process essential to implementationof most system safety recommendations. Therefore,the negotiation process and the art of compromiseshould be the subject of considerable peer dialogueand learning among system safety specialists. Itcould substantially improve the effectiveness of whatresults from system safety hazard identification, riskevaluation and the formulation of feasible remedies.It could be a key aspect of future professional growthand the enhancement of the discipline. �

ReferencesAlexander, D. “Chassis Integration.” Automotive Engineering

International. May 2004: 54-58.Center for Chemical Process Safety. Inherently Safer Chemical

Process: A Life Cycle Approach. New York: American Institute ofChemical Engineers, Center for Chemical Process Safety, 1996.

Ericson, C.A. Hazard Analysis Techniques for System Safety.Hoboken, NJ: John Wiley & Sons, 2005.

Peters, G.A. “Product Liability and Safety.” In The CRC Hand-book of Mechanical Engineering, 2nd ed., F. Kreith and D.Y.Goswami, eds. Boca Raton, FL: CRC Press, 2005. 20-11 to 20-15.

Peters, G.A. and B.J. Peters(a). Automotive Vehicle Safety. NewYork: Taylor & Francis, 2002.

Peters, G.A. and B.J. Peters(b). “The Expanding Scope ofSystem Safety.” Journal of System Safety. 38(2002): 12-16.

Peters, G.A. and B.J. Peters(c). Human Error: Causes and Con-trol. Boca Raton, FL: CRC Press, 2005.

Peters, G.A. and B.J. Peters(d). “Legal Issues in OccupationalErgonomics.” In Fundamentals & Assessment Tools for OccupationalErgonomics, W. Karwowski and W.S. Marras, eds. Boca Raton, FL:CRC Press, 2005. 3-1 to 3-17.

Peters, G.A. and B.J. Peters(e). Warnings, Instructions andTechnical Communications. Tucson, AZ: L&J Publishing Co., 1999.

U.S. Air Force (USAF). “Safety Engineering of Systems andAssociated Systems, and Equipment, General Requirements forMilitary Specification MIL-S-38130” (Preceded MIL-STD-882D,Standard Practice for System Safety, 2000). Washington, DC: U.S.Department of Defense, Sept. 30, 1963.

U.S. Government Printing Office (GAO). Trials of WarCriminals Before the Military Tribunals Under Control CouncilLaw. No. 10, Vol. 2, Oct. 1946-April 1949. Washington, DC: U.S.Government Printing Office, 1947. 181-183 (The Nuremberg Code).

AcknowledgementThis article was adapted in part from the article, “Design SafetyCompromises,” which appeared in the Nov./Dec. 2004 issue ofthe Journal of System Safety.

apparent significance of the foundational facts andthe perceived consequences. Personalities can pre-vail over poorly presented analytical logic.

3) Inappropriate safety compromises may lead tohidden or latent problems that are time-delayed intheir manifestations. Safety problems are created;they are not an undiscoverable, inevitable, unpre-ventable or a necessary trial-and-error impediment toprogress. System safety should be an objective searchfor all potential problems past, present and future.

4) Safety compromises made to serve one narrow(domestic) market may not be acceptable in othermajor markets and could lead to unexpected prob-lems. Compromises should be made keeping inmind the utility of international standards, the gen-eral aspirations for world-class products, the pre-dictable human cultural user differences, andsuccessive or remote customer satisfaction. Beingbest in safety is rewarding. Being merely passable insafety often means predictive uncertainty, probablefuture surprises and the possibility of the need forcorrective action in the future. Design to exceed,rather than rely on good luck, regulatory exceptionsor future evasive maneuvers.

5) Safety compromises should be modified bymoral, ethical and liability considerations. These soci-etal principles have been long standing, enforcementoften faltering and future penalties uncertain. Cor-porate and personal risk may be manageable, even ina world trade context, by informed specialists able touse appropriate guidelines and safeguards.

6) The quality of compromises can be improved byaccessing available information sources. External datacan enrich the process, particularly when in-housedata are scarce or unreliable. Books, patents and sup-plier representations are often underused as well.

The negotiation processand the art of compromise

should be the subject of peerdialogue and learning.It could substantially

improve the effectiveness ofwhat results from system

safety hazard identification,risk evaluation andthe formulation offeasible remedies.

The negotiation processand the art of compromise

should be the subject of peerdialogue and learning.It could substantially

improve the effectiveness ofwhat results from system

safety hazard identification,risk evaluation andthe formulation offeasible remedies.

33_Peters_Aug2006.qxp 7/11/2006 1:24 PM Page 37