Designing Safe Products and Minimizing Risk
One of the key issues that must be decided by any manufacturer when designing new products or improving current products is how safe is safe enough and whether there is a reasonable alternative design that can be adopted at a reasonable cost. Unfortunately, the law and standards don’t answer the question. And a risk assessment, although helpful in quantifying risk and identifying alternative designs that might improve safety, also does not answer the question.
So how does a manufacturer make a final design decision? The manufacturer should first consider all applicable safety standards that affect the product’s design and whether competitors comply with or exceed those standards. The manufacturer should then engage in some type of risk assessment that identifies and quantifies risks in the contemplated design, as well as the various ways in which those risks could be reduced, such as by using a different design, guarding, warnings, instructions, training, etc.
At that point, the manufacturer must decide what design features to apply to their product, including any guarding, and when can they rely on these techniques to sufficiently reduce overall risk. This decision is most critical to the safety of the product in actual use, as well as a possible defense against potential claims that the product is unsafe.
The Safety Hierarchy
In connection with this decision, the engineering profession has accepted something generally called the safety hierarchy. The safety hierarchy is a simplistic and obvious concept that says that the manufacturer should first try to eliminate the hazard through design. Then, if it can’t, it can implement the necessary safeguards to minimize the risk of such hazards or, as a last resort, provide warnings to the end-user. The hierarchy is based on the fact that guards can be removed, and warnings and instructions can be ignored. So, eliminating the hazard by design is viewed as a more effective method of providing a safe product.
This theory is also often used in litigation by plaintiff’s experts to argue that the manufacturer should have made a safer design and should not have taken the less effective way out by adding a guard or by relying on warnings and instructions. In addition, some human factors experts from government safety agencies tout the safety hierarchy as the reason why manufacturers should not rely on warnings.
However, this simplistic view does not accommodate the complexities of risk and risk reduction techniques and the fact that, in most cases, multiple methods are needed to provide a safe product. In addition, the safety hierarchy provides no guidance on when guarding and warning is acceptable in lieu of design changes.
There is a consensus in the engineering literature about the existence of this hierarchy but little clear guidance about how it works in practice. Ralph Barnett, one of the early proponents of this hierarchy, said in 1985:
“In spite of the fact that the safety hierarchy…constitutes an important tool for improving safety, it does not rise to the level of a mathematical theorem or a scientific law. This safety hierarchy was born out of consensus, not research, and its general validity can be disproved by numerous counter examples. For example, on complicated machines such as automobiles and aircraft, there are hundreds of hazards that cannot be eliminated or technically safeguarded. Even if it is possible to invoke the third priority and produce suitable warnings for these individual hazards, the sheer number of warnings destroys their effectiveness.”
Despite the vagueness of this concept and the lack of guidance, the law has also accepted the safety hierarchy. In the Restatement of the Law (Third): Products Liability, it says:
“In general, when a safer design can reasonably be implemented and risks can reasonably be designed out of a product, adoption of the safer design is required over a warning that leaves a significant residuum of such risks…Warnings are not, however, a substitute for the provision of a reasonably safe design.”
Of course, if a lawsuit is brought and goes to trial, it is the jury that gets to decide whether the manufacturer has been reasonable.
This statement also has some support in the case law. In Uloth v. City Tank Corp., 384 N.E.2d 1188 (Mass. 1978), the court said:
“If a slight change in design would prevent serious, perhaps fatal, injury, the designer may not avoid liability by simply warning of the possible injury. We think that in such a case the burden to prevent needless injury is best placed on the designer or manufacturer rather than on the individual user of a product. 384 N.E.2d at 1192.”
Another court said that “[i]t is thus not correct that a manufacturer may … merely slap a warning onto its dangerous product and absolve itself of any obligation to do more.”
Unfortunately, as these excerpts illustrate, the Restatement and case law provide no further guidance on the use of the safety hierarchy in reducing product safety risks.
In many situations, manufacturers perform a risk assessment of their product during the design phase to identify potential hazards, the probability that they will occur, and the consequences or severity of the injury, damage, or loss associated with them. Then, the manufacturer will identify the ways in which risk can be reduced and can then decide what action to take.
While the safety hierarchy encourages manufacturers to try to eliminate hazards through the design of the product before they try other approaches, the risk assessment process does not provide sufficient guidance on where to draw the line.
One of the deficiencies of the safety hierarchy is that it doesn’t recognize that risk is not an “either/or” proposition. Reducing risk to an acceptable level could, for example, involve designing out the hazard and/or adding a guard and also adding a warning label such as one on a guard telling the user not to operate the machine with the guard removed. In addition, there may be instructions in the manual telling the user how to safely maintain and repair the product so that it remains safe. Rarely does a “safe design” remain safe without additional efforts to keep it that way.
It has been said about the safety hierarchy:
“Although the safety hierarchy can provide useful guidance at an elementary level, its utility is truly limited. The safety hierarchy does not indicate when an on-product warning sign, for example, is sufficient to not use a barrier guard to safeguard a saw blade. Most engineers would agree that eliminating a hazard may be the best safety option but eliminating hazards may also result in eliminating desirable features. Therefore, a safety hierarchy sometimes provides useful guidance about abstract design issues, but rarely proves useful for making practical engineering design decisions.”1
Unfortunately, while the safety hierarchy wants the manufacturer to design the product to eliminate hazards, it doesn’t provide criteria for deciding when the cost associated with a design change is too much or when the additional safety sufficiently destroys the product’s functionality, thus allowing the manufacturer to rely on a guard and a warning or training.
During the risk assessment process, the manufacturer must engage in what we call “risk scoring.” Sometimes the scoring is quantitative and sometimes it is qualitative. There is no consensus on what type of system is best to use and what is an acceptable risk when considering design vs. guarding vs. warning. The scoring systems are based on organizational culture and tolerability of risk. Risk assessment experts have said that:
“The primary use of a risk scoring system is to help identify risks that are too high so that risk reduction efforts can focus on those areas. The risk scoring system is basically used to rank or group risks into risk levels so that decisions can be made about risk acceptability.”
The result is that the manufacturer has little guidance during risk assessment and application of the safety hierarchy on which to base their final design decisions.
Examples of the Safety Hierarchy in Action
There are many real-life examples that I have encountered over the years in which manufacturers have struggled with whether warnings, if followed, were sufficient or whether they had to try to design out the hazard or add a guard. These examples illustrate that, while the safety hierarchy is a laudable goal, it is difficult to apply in practice.
The first situation involved the development of “Mr. Ouch.” Publicly sited transformers (the green boxes in backyards and parking lots) contain high voltage electricity. Although the electrical components are inside a locked box, there are huge risks to those who encounter hazardous electricity inside if the boxes are broken into or accidentally left unlocked.
In the 1970s, there were a number of serious accidents involving small children who were crawling into boxes that had been accidentally left unlocked. The manufacturers couldn’t get rid of the risks associated with exposure to the electrical components since that is the essential function of these boxes. They couldn’t design the boxes so that they couldn’t be opened since that would not allow for maintenance and repair. And they couldn’t include a switch that would turn off the power to the surrounding neighborhood if the door were opened.
So, in an attempt to mitigate the risk, the box manufacturers tried to make it harder to gain unauthorized access to box components and by adding a warning label intended for children and parents. The label was designed and tested to scare away children. It was also intended to warn parents that the box contained hazardous voltage and that if the box were found open, they should keep their children away and notify the power company.
To my knowledge, no child has ever been hurt from a box with this warning label. And this label has been on boxes since the early 1980s. Therefore, I would argue that it is likely that the label mostly worked. It either scared away the children, sufficiently educated parents so that they kept children away from the boxes, or encouraged power company personnel to be sure that boxes were closed when maintenance had been completed.
The next situation shows the interplay between design and guarding. One problem with guarding is that the guards can be removed and not put back on. This usually occurs because the guard somehow limits the operator’s actions when operating the product. In other cases, the guard is only necessary for certain uses and can be removed for other uses.
Back in the 1980s, I was involved in defending the adequacy of guards intended for use with chain saws. These particular chain saws, like most comparable models, used tip guards at the end of the bar to prevent the tip from hitting something hard, which would cause the saw to kick back and possibly hit the user in the face or neck.
The problem was that the user could not use the saw with the tip guard in place to make certain types of cuts. So many users would take the guard off to make the cut but fail to replace the guard before making other cuts because of the effort involved. The solutions available to saw manufacturers were to alter the chain’s design to reduce the likelihood of chain saw kickback, add a safety device to stop the chain from moving if a kickback occurred, or add a warning on the product or in the manual about how to avoid kickback by not putting the tip into hard wood.
Chain saw manufacturers decided that they wanted the flexibility to minimize risk in whatever way was most appropriate. So a voluntary consensus standard was approved by the U.S. Consumer Product Safety Commission (CPSC) to accommodate different designs, as well as guarding and warning techniques to minimize the risk of kickback. This illustrates that the safety hierarchy doesn’t require the manufacturer to pick one solution or another when the most effective method may be a combination of risk reduction efforts.
Gas Water Heaters
The third major situation that illustrates the difficulty of applying the safety hierarchy involves gas water heaters and their potential to explode from the ignition of flammable vapors. In order to heat water, gas water heaters require pilot lights, which traditionally have been exposed to the open air to work properly and ensure reliable operation.
However, some incidents occurred where some users were storing gasoline near the water heaters and accidentally spilling gasoline when pouring it into different containers. In such cases, vapors from the spilled gasoline would traverse the floor between the containers and the water heater and enter the area where the pilot light was located, potentially resulting in an explosion.
Some trial courts held the water heater manufacturer liable for failing to warn consumers about the pilot light (the placement of which made it difficult to see) and for failing to instruct them not to store or spill flammable liquids anywhere near the heater. As a result, the industry developed a new warning label for water heaters, a new warning label for gasoline cans, and an education and information program to educate consumers about these hazards and how to avoid them.
Many of the design and guarding changes that were being considered at the time would have been expensive to implement. But four years after coming out with the warning label program, the industry decided to retain the warning labels but also redesign water heaters to enclose the pilot light in a type of guard and locate it higher up on the water heater, thereby significantly reducing the risk of explosion.
The effort involving the warning label program, guarding, and design changes of gas water heaters spanned a total of 17 years and cost millions of dollars to implement. And the frustrating part is that the effort was undertaken to prevent accidents involving products that had nothing to do with water heaters.
Another example that illustrates the interplay of warnings and guards and design involves disposable cigarette lighters that displayed the warning “keep out of the reach of children.” Despite the warning, adults were not following the precautions and children were playing with the lighters, which resulted in serious injuries and even several deaths. As a result, the industry, at the urging of the CPSC, redesigned cigarette lighters to make them harder to light. Although potentially inconvenient for adult smokers, this change would presumably prevent some accidents involving children.
In another situation involving the CPSC, lawn mower manufacturers were required to add safety guards to make it more difficult for consumers to stick their hands into whirling blades. These safety devices were extremely costly but were arguably more effective than warnings by themselves. There were also warnings added to the guards for good measure.
The previous examples show the interplay between various risk reduction techniques and the difficulty of deciding where to draw the line on any of them. Manufacturers should do the best risk assessment they can, make a design decision based on that assessment, adequately warn and instruct users regarding residual risk, and be prepared to justify their design and level of safety if challenged by a government agency or an injured party. On this last point, it is important to be able to explain why there was no reasonable alternative design at a reasonable cost that allowed the product to perform as intended and why the product is reasonably safe when a consumer follows the safety precautions provided with the product.
Manufacturers need to undertake some type of risk assessment to justify the final design decisions they make. Unfortunately, this process can differ for each manufacturer. This, combined with the fact that there is little guidance as to which element of the safety hierarchy should be utilized in any given situation, can make this a difficult process.
There are many situations where warnings are the only feasible way to alert the consumer to the hazard because designing it out is either impossible or too costly, or where the design does not completely eliminate the hazard, and the manufacturer must also utilize guarding and warnings.
Manufacturers need to carefully document the process that they used to quantify these alternative actions and the basis of their decision to move down the safety hierarchy. Doing so will help minimize the risk that a jury or a plaintiff’s expert will believe that they took the easy way out instead of trying to prevent the risk through design.
- d’Entremont and Merryweather, Integrating Product-Safety Curriculum to Enhance Design and Reinforce Engineering Ethics, paper submitted to 2018 ASSE Annual Conference and Exposition.