Edited by Leland Teschler
Design engineers routinely make engineering judgments about safety. Often, these judgments are made to comply with a technical standard, such as one from ANSI, or to satisfy a CE marking requirement. But perhaps more frequently, a safety-related design decision is based on a feeling of common sense, or on adherence to historical precedent, as in, “That’s how we’ve always done that.”
Some engineering judgments have the misfortune of being viewed in the hindsight that comes with litigation. It isn’t possible to have hindsight in advance of any given personal-injury or property-damage case. But the analytical approach used in court can also be used prospectively. That is, designers can ask the same questions that would arise if an injury took place.
Take an example of a company that uses a lever-operated limit switch to prevent machine operation when a guard door opens. The switch got criticized as being easy to defeat during a safety review for CE marking purposes. So, “for CE marking purposes,” the company opted for a more expensive key-type switch.
This decision has at least two important side effects. First, is the key-switch design to be used only for CE-marked machines? If the answer is yes, an injured party in the U.S. will ask, “Why do Europeans get to keep their fingers, but people in the U.S. are put at risk?” There is no good answer to this. The result is apt to be a liability for the machine builder.
The second effect concerns historical production. If the company decides the key-switch design is appropriate for all machines regardless of their destination, what does it do about existing machines with the lever-operated limit switch?
Unfortunately, there is no clear answer. Companies must evaluate each case of design evolution on its own merits.
The fact that the full range of product design options can be used to attack a given design can’t be used as an excuse for resisting change. It’s also a mistaken notion that liability can be avoided by adhering to whatever design is now in production.
The touchstone of the law is “reasonableness.” This touchstone is malleable. It tends to evolve with technology and the times. The judge (or jury) is confronted with one question: How do we allocate responsibility for THIS injury between the machine designer and the injured person? The designer is expected to take all reasonable precautions to prevent injury, and to be particularly aware and mindful of hazards that pose a risk of serious injury or death.
The law will look to three factors as it assesses the reasonableness of a design. The general principle is that measuring a hazard, and addressing it through design, is a multifaceted inquiry. The first facet accounts for the severity of injury. The second is how often that “accident” or situation is expected to exist. The third is the ability of a person to avoid injury.
The law expects that the more severe the harm, or more likely or unavoidable an injury, the more care and effort warranted at the design stage to prevent a situation that causes the injury.
Again consider the interlocked guard example. The interlock function is expected to be quite reliable when the injury associated with a hazard is serious and unavoidable, in combination with frequent or repetitive exposure to the hazard. For a concrete example of frequent exposure to a hazard that can cause serious injury, consider a person reaching into a die space on each and every machine cycle.
The notion of “frequency” isn’t always embodied in how often a person reaches into a dangerous space. A hazardous condition could be considered “frequent” as a matter of owners chronically failing to notice safety-critical parts wearing out, or failing to undertake an arguably reasonable inspection or maintenance regime.
A designer looks to catalogs and standards to accommodate many detail design decisions, but there are pitfalls and traps hidden here as well. It’s generally true that conformity with a technical standard is a minimum prudent step. But sometimes a technical standard (or catalog), which is written for the “generic” piece of equipment, doesn’t probe all the relevant issues, or overlooks the intended design approach.
A designer must think about the expected environments and uses of the equipment. A standard may not account for that range of use.
For example, the generic standard for household electrical devices forces designers to think about the choice of insulation on a power cord, in light of elevated temperatures. (Thermoplastics aren’t suitable for use around hot appliances like irons or deep fryers.) Similarly, it forces thought about resistance to abrasion and expected chemicals.
But the standard does not prompt the designer to think about how the insulation performs in the cold; highly important for an appliance to be used outdoors in the winter. Some (but not all) thermoplastic insulating materials are flexible at temperatures below 20°F. Neither the technical standard nor wire catalogs can be counted on to probe the particular design requirement of flexibility at low temperatures.
Beware, too, of approaching a design problem with an unconventional solution, then justifying the approach on the grounds that the relevant standards don’t forbid it. Standards can’t possibly express all the inappropriate ways components can be combined. A three-phase disconnect switch is nominally intended to be stationary, but it can certainly be reliably secured to the hinged door of an electrical control cabinet. The standards that describe power and control circuits don’t forbid it. Is the on-door location of a disconnect unreasonably dangerous?
The answer requires knowing at least: whether or not the attached supply cord is rated for flexing; whether or not the grounding circuit can handle full-power shorts to the door; and whether or not the power cord is retained in a way to prevent direct human contact with live power.
Another example of an unconventional approach is the use of a circuit breaker that doubles as the master control and master E-stop contact. Most E-stop functions open the power contacts when voltage is removed from an operating coil, so a loss of control power (a blown fuse, a broken wire) itself brings the machine to a stop. The unconventional approach inverts this: it relies on delivering voltage to a circuit-breaker trip coil to open the breaker’s power contacts. Now suppose standard control-circuit design practices are otherwise followed. Then the designer will include a fuse in the trip-coil circuit. This design decision results in total loss of the E-stop function in the event the fuse blows or is removed, and nothing in normal operation reveals that the protection is gone.
When the designer leaves part of an unconventional approach for the installer to complete, the unconventional installation requirement must be imposed on the installer prominently and in a reasonable manner. Even then, the unconventional approach makes a dangerous installation more likely, because others tend to follow “normal” practices.
The general point of these examples is that designers are well served by thinking through design decisions in terms of engineering fundamentals instead of in terms adopted by standards bodies.
As the discussion moves away from the technical and toward the legal, the “reasonableness deck” is stacked, ever so slightly, against the designer. The equipment must be safe not only when used as intended, but also when misused in a reasonably foreseeable way. The designer is expected to confront the real-world users and uses of the equipment. It is not a defense to complain that the real world is always unreasonable.
The strongest defense is one that accurately and precisely confronts the full extent of the hazards created by the interaction of a machine with the incredible range of real-world users. Should the designer admit in writing, as in a risk assessment, that the machine creates hazards capable of causing death or serious injury? Emphatically, yes! In hindsight, it will be clear to the jury that the equipment was capable of causing a particular injury. It behooves the designer to be one step ahead of seeing the hazard, and into the realm of dealing with it.
The strongest design defense builds from the recognition of hazards. What does the law expect a designer to do with a hazard, once uncovered? First, if possible, eliminate it. If a crush zone can be eliminated by relocating a stop or shortening a stroke, then eliminate the crush zone.
Some hazards, like the in-running nip between a belt and a sheave, can’t be eliminated. When a hazard can’t be eliminated, the designer is expected to render the hazard inaccessible. This usually reduces to guarding, but some hazards are rendered safe by being out of reach. The last resort, and ironically the remedy most often suggested by injured machine misusers, is to provide a warning.
Why is the least preferable safety solution, yet another warning label, the most often claimed design deficiency? There are several reasons. Warning labels are inexpensive. An injured user can contrast his loss, a debilitating injury, with the modest cost of a warning label. But don’t be fooled. A company that relies on warning labels, and fails to describe why “design out” and “guard against” are unreasonable, is at risk of a loss in court.
Another reason injured plaintiffs favor “add a warning label” is that they are required to offer an alternative design that would have prevented their injury. “Add a label” is easier than performing mechanical or electrical design, and avoids counter-arguments of increased cost or diminished utility.
Assuming a hazard can’t be designed out nor guarded against, the designer may be tempted to add a warning label, as a rule. That temptation should be tempered, because society as a whole loses when warnings become jokes. The fact that somebody can (or will) argue that a warning would prevent a particular injury, does not automatically mean a warning is a good idea. Users will remember a funny warning over an important one. “Warning: Never iron clothes on the body” sticks in the mind because most people appreciate, without being reminded, that an iron is dangerously hot.
Not to say that a warning is never appropriate. Understand that warnings are a last resort and, because the designer is engaged in averting serious personal injury, warnings deserve serious deliberation. A warning is a last-minute appeal to the only person who can prevent a harm, and it’s in everybody’s interest that the warning be understood and heeded.
The second-most-often-claimed design deficiency? The warning label was inadequate. Either it sat where the injured person (or the person causing the injury of another) couldn’t see it, or it didn’t have the right message. An effective warning message informs the reader of three things: the nature of the hazard; the extent of injury, the “downside risk”; and exactly what to do to avoid the injury. Furthermore, it must be understood by the typical user.
Instructive language must be precise and unequivocal. The words of a well-done label do not permit the injured person to substitute his judgment for the designer’s. “Safe distance,” “safe pressure” and similar vagaries mean whatever the reader chooses to call “safe,” and in the case of an injured person, that interpretation may be the very cause of the injury. The words of a well-done label will be understood in a way that produces behavior modification. In other words, avoid technical jargon. Put less emphasis on being technically correct, and more emphasis on causing the reader to take the appropriate precaution.
There is only one way to ensure you’ll never lose in court, and that is to never have the design tested in court. In this regard, a designer and an injured person have exactly the same objective: that there be no injury.
Approach design and safety analysis with that objective firmly in mind. When a hazard results in the misfortune of an injury, the best defense the designer can have, in court, is awareness of the hazard accompanied by a credible explanation of the care and thought that went into preventing injury.