Many of the annual 3.3 million workplace injuries result from broken OSHA rules. And of the top 10 OSHA rules most frequently broken, two directly concern machine design: lockout/tagout procedures (LO/TO) and machine guarding. Engineers designing machinery must often choose whether to protect workers by designing-in interlocked guards or adding them later, or by relying on operators and maintenance technicians adhering to LO/TO. The safest route is to use interlocked guards.
Let’s see why.
Interlocked Guards & LO/TO
Engineers designing machinery should always eliminate hazards if they can, according to the System Safety Design in Order of Precedence for Mitigating Hazards, often called the Safety Hierarchy. If they can’t, then they should design safeguards into the machine that prevent workers from coming into contact with hazards.
One effective safeguard, interlocked guards, stops machines from operating when a barrier is opened or removed. They are more effective in preventing injuries than LO/TO procedures that workers might not follow and companies might not enforce. If safeguards are not feasible, warnings must be issued about the machine’s hazards and risks. Finally, proper training and procedures such as the company’s LO/TO policy should be established, promulgated, and followed.
Properly implemented, LO/TO provides a high degree of protection. Its weakness lies in the foreseeable, predictable failures of workers to always follow the policy.
It is common for employers to fault workers for accidental injuries or deaths because “they were trained and should have known better.” Employers often terminate workers for failing to properly LO/TO a machine before it is serviced, a violation of OSHA standards that can result in an OSHA citation. Most workers know that violating LO/TO policies is an “at-risk” behavior that can cause serious injury or death, and even if there are no accidents, violations could still get them fired. Therefore, it seems illogical that any employee would violate LO/TO standards. Yet it happens.
It’s easy for engineers to ensure a paragraph is put in the operator’s manual saying that employees should LO/TO a machine before removing a guard to service or maintain it. This makes it easy for engineers to fault employers who receive OSHA LO/TO citations and injured employees who commit violations.
However, the ultimate goal for machine designers should be to come up with machines that have proper safeguards, if reasonably possible, that anticipate and tolerate user errors, mistakes, and violations. It is irresponsible for engineers and machine manufacturers to shift responsibility to employer or employees by requiring LO/TO when a hazard should really be eliminated or safeguarded through design. Therefore, engineers should always determine if an interlocked guard should be installed on machines requiring routine, repetitive service or maintenance during normal production. Only as a last resort should engineers or machine manufacturers rely solely on LO/TO.
Failure to provide interlocked guards on machines that should have them is a design defect that may lead to product liability claims against the machine manufacturer. But other than avoiding large verdicts, why provide interlocked guards? The answer is that interlocked guards provide an effective, alternative form of protection that tolerates worker errors and prevents workers from being injured. And worker errors, mistakes, and rule violations are inevitable.
Why LO/TO Fails
Workers do not wake in the morning and decide to go to work, make mistakes, and get hurt. In behavioral science, there is significant research on human error and why people make mistakes. Designers should understand this science. For example, in the recent book, Safe by Accident: How to Take the Luck Out of Safety (2010), the authors describe the ABC model of behavior. It says that behavior (B) is influenced by the antecedent (A) or what comes before, and the consequences (C), or what follows.
Every behavior has consequences that have one of two effects: they either increase or decrease the likelihood of repeating that behavior. The pattern of consequences determines the performer’s behavior.
Authors Agnew and Daniels note that “if the pattern of consequences favors at-risk behavior, then at-risk behavior will occur. If the pattern favors safe behavior, then safe behavior will occur.” If a worker believes that cleaning a machine without shutting it down properly contributed to (or favored) increased productivity, then they would continue that behavior--especially if there were no perceived negative consequences to themselves.
The power or strength of each consequence is also determined by the timing and probability of a consequence. Daniels and Agnew state, “Consequences that are immediate are much more powerful than those that are in the future.” Furthermore, consequences that are certain are much more powerful than uncertain ones. The strength or power of any consequence can be analyzed by determining whether it is positive or negative, immediate or future, certain or uncertain (as shown in the PIC/NIC Analysis diagram).
As Daniels and Agnew document, “It is all too clear that employees can and will engage in unsafe behavior to get stuff out the door.”
Machine design can tolerate and resist at-risk behavior by including safety mechanisms such as interlocked guards. Therefore, designing machines that can be used safely and tolerate foreseeable human behavior is paramount.
Errors, Mistakes, and Violations
In general, two main types of errors cause workplace accidents: slips and lapses. Slips are actions that do not go as planned, such as a slip of the hand, slip of the tongue, or slip of the pen. They are often preceded by a distraction or preoccupation.
Distractions are common in workplace environments. Lapses, on the other hand, are largely failures of memory. Lapses do not necessarily show up in actual behavior and may only be obvious to those who experience them. Errors of any kind are a guaranteed part of human behavior and an unfortunate certainty in the workplace.
Mistakes differ from errors. Errors are unplanned. Mistakes can happen when actions are performed according to plan, but the plan is inadequate to yield the desired outcome. Mistakes can also be failures in judgment. In terms of human behavior, mistakes are more subtle, more complex, and less understood than slips or lapses. As a result, they constitute a far greater danger.
Violations are somewhat different. They are not a direct component of individual human behavior, but are made in the context of some society norm in which behavior is governed by operating procedures, rules, and codes of practice. Violations are deviations from those practices deemed necessary by designers, managers, or regulatory agencies to maintain safe operations of a potentially hazardous system. They can be inadvertent or intentional, and unfortunately can become routine.
People often make routine violations because of a natural tendency to take the path of least resistance. Violations frequently occur when employees work in relatively indifferent environments and rarely get punished for noncompliance or, conversely, are rarely rewarded for compliance. In his book, Human Error (1990), James Reason states, “Everyday observation shows that if the quickest and most convenient path between two task-related points involves transgressing an apparently trivial and rarely sanctioned safety procedure, it will be violated routinely by operators.”
Sadly, it only takes one mistake, error, or violation to be fatal. Reason adds, “Such a principle suggests that routine violations could be minimized by designing systems with human beings in mind at the outset.”
While designers, manufacturers, employers, and policy creators encourage workers to be careful, minimize errors, and follow proper procedures for safety, expecting workers to be “perfect” is unrealistic. It won’t happen. Therefore, machine designers should expect the worst and design machines to accommodate errors, mistakes, and violations where reasonable, or technologically and economically feasible. Machines should tolerate errors, mistakes, and violations, if the risk is acceptable and it is reasonable to do so.
The science of human behavior demonstrates that errors, mistakes, and violations are inevitable. Safety through design tolerates these errors. Safety through design also tolerates human at-risk behavior, and interlocked guards are a shining example. A machine with an uncontrolled hazard that can result in death or serious injury is, in most circumstances, unreasonably dangerous and defective if the risk is unacceptable and it is technologically and economically feasible to install a safeguard such as an interlocked guard. Furthermore, failing to provide interlocked guards may result in a products liability case against the machine manufacturer.
OSHA created the lockout/tagout (LO/TO) standard to reduce the number of workplace injuries and fatalities. As defined by OSHA 1910.147(a) (1) (i), LO/TO refers to “specific practices and procedures to safeguard employees from the unexpected energization or startup of machinery and equipment, or the release of hazardous energy during service or maintenance activities.”
In practice, it requires an operator or maintenance worker to turn off the machine, activate all energy-isolating devices, dissipate or release all energy stored in the machine, and place a tag on the machine identifying why the machine is locked out and who did it, along with a lock that prevents the machine from being turned on. The worker secures the lock and keeps the key until he completes the work.
The LO/TO standard also covers servicing and maintenance activities. OSHA standard 1910.147(b) defines servicing and/or maintenance as workplace activities in which employees may be exposed to unexpected energization or startup of equipment or release of hazardous energy (OSHA, 1989). However, OSHA recognizes several circumstances in which some minor servicing and maintenance activities would and could be performed during normal production without LO/TO. In particular is the minor servicing exception in OSHA 1910.147(a)(2)(ii), which acknowledges that “if the servicing operation is routine, repetitive, and must be performed as an integral part of the production process, lockout or tagout may not be necessary because these procedures would prevent the machine from economically being used in production.” It is important to note that LO/TO standards only apply if employees are exposed to hazardous energy during service and maintenance. Minor servicing activities, such as cleaning, lubricating, or adjusting, are not covered by the standard if they are routine, repetitive, and integral to production--as long as alternative measures provide protection.
The exception lets machine designers offer protective measures that will keep their workers safe. An interlocked guard with control logic that gives a single operator exclusive control over the machine is an example of an effective, alternative protection that precludes LO/TO.
Jeff Warren is the CEO and Chief Engineer at The Warren Group in Irmo, S.C.