SAFE DESIGN

FOR ENGINEERING
STUDENTS
AN EDUCATIONAL RESOURCE
FOR UNDERGRADUATE
ENGINEERING STUDENTS
SAFE DESIGN
FOR ENGINEERING
STUDENTS
AN EDUCATIONAL RESOURCE
FOR UNDERGRADUATE
ENGINEERING STUDENTS

MARCH 2006
© Commonwealth of Australia 2006

ISBN 0 642326 029

This work is copyright. This resource has been developed and designed
to be reproduced for use in classroom and other educational activities.
The following citation should be used: ASCC (2006) Safe Design for
Engineering Students.

You may download, display, print and reproduce this material in unaltered
form only (retaining this notice) for your personal, non-commercial use
or use within your organisation. Apart from any use as permitted under
the Copyright Act 1968, all other rights are reserved. Requests and
inquiries concerning reproduction and rights should be addressed to
Commonwealth Copyright Administration, Attorney General’s Department,
Robert Garran Offices, National Circuit, Barton ACT 2600 or posted at
http://www.ag.gov.au/cca

FOREwORD
The Australian Safety and Compensation Council
(ASCC), formerly the National Occupational
Health and Safety Commission (NOHSC), leads
and coordinates national efforts to prevent
workplace deaths, injury and disease in
Australia and aims to improve national workers’
compensation arrangements and return to work of
injured employees.
Through the quality and relevance of the
information it provides, the ASCC seeks to influence
the awareness and activities of every person and
organisation with a role in improving Australia’s
occupational health and safety (OHS) performance.
More specifically, the ASCC aims to:
> support and enhance the efforts of the
Australian, State and Territory governments to
improve the prevention of workplace deaths,
injury and disease,
> work in alliances with others to facilitate the
development and implementation of better
preventative approaches, and
> ensure the needs of small business are
integrated into these approaches.
The National Occupational Health and Safety (OHS)
Strategy 2002-2012, which was endorsed by the
Workplace Relations Ministers’ Council on 24 May
2002, records a commitment by all Australian, State
and Territory governments, the Australian Chamber
of Commerce and Industry and the Australian
Council of Trade Unions, to share the responsibility
of ensuring that Australia’s performance in work-
related health and safety is continuously improved.
The National OHS Strategy sets out five ‘national
priorities’ to achieve short-term and long-term
improvements.
>>>>
The priorities are to:
> reduce high incidence and high severity risks,
> improve the capacity of business operators and
workers to manage OHS effectively,
> prevent occupational disease more effectively,
> eliminate hazards at the design stage, and
> strengthen the capacity of government to
influence OHS outcomes.
This resource package has been developed to
support the priority – eliminate hazards at the
design stage – of the National OHS Strategy 2002-
2012 and builds on previous educational resources
developed by the National Occupational Health and
Safety Commission (NOHSC).
The Office of the ASCC acknowledges the
assistance of all the persons and organisations who
contributed to this resource package, in particular:
> Robert McLaughlan (University of Technology,
Sydney)
> Helen McGregor (University of Technology,
Sydney)
> Craig Scott (University of Technology, Sydney)
> Prue Howard (Central Queensland University)
> Yvonne Toft (Central Queensland University)
> John Culvenor (Consulting Engineer)
> VIOSH Australia (University of Ballarat)
The Office of the ASCC is committed to reviewing
this document within 12 months of publication
and incorporating any examples, case studies or
other comments provided by engineering educators
during that time.
SAFE DESIGN FOR ENGINEERING STuDENTS iii

INTRODUCTION
Design is a fundamental engineering activity, and
engineers are frequently engaged in the design,
development and creation of new or improved
products, processes, systems and services.
Quality and safety in design should be fundamental
engineering concerns, not only because a tenet
of our Code of Ethics is to ensure the wellbeing
of the community, but also because it makes
good engineering sense to develop products,
processes and systems that ensure our profession’s
continued existence and reputation. Engineers have
a professional and legal ‘duty of care’ to design
products, processes and systems that are as safe as
is reasonably practicable.
Safe Design is concerned with eliminating hazards
at the design stage or controlling risks to health
and safety as early as possible in the planning
and design of products, process or systems and
items that comprise a workplace, or are used or
encountered at work.
Safe Design is also good business in that if you can
identify and correct design flaws early in the life
cycle, it is much less costly than trying to remedy
them later, and essentially a more effective product
exists for the entire product life cycle.
Engineers, therefore, need to learn some of the
basic principles of Occupational Health and
Safety (OHS) and understand how they apply to
professional engineering design. In their roles
as decision-makers and designers, they need to
understand how to manage risk and apply those
principles to technological projects including
their human interfaces. This resource has been
developed to help meet those needs.
>>>>
This resource is relevant to engineering students
from a wide range of discipline areas as well as
to engineering educators who are not experts in
occupational health and safety. It provides some
basic principles of OHS and integrates these with
concepts of engineering design. The activities are
designed to help engineers develop their capacity
to meet their OHS responsibilities as well as their
professional engineering competencies. In this
regard, engineers need to:
a. Have a knowledge of workplace hazards and
their harmful effects, especially where these
are not self-evident (e.g. the industrial hygiene
topics of noise, heat, chemicals, radiation).
b. Understand common law, statutory OHS
requirements, responsibilities and penalties.
c. Understand the risk management process,
including risk analysis techniques and typical
industry practices used to control the harmful
effects of hazards, for example, permit to work
systems, personal protective equipment (PPE).
d. Understand the principles of designing to
minimize human error.
e. Be aware of how design can impact on reliability,
safety (environment and people) and unwanted
capabilities.
f. Be aware of sources of information relating
to OHS, e.g. ASCC (formerly NOHSC), State
WorkCover/WorkSafe Authorities.
SAFE DESIGN FOR ENGINEERING STuDENTS v
 Engineers need to: Civil Mechanical Electrical Chemical
Understand the construction, construction, construction, construction, operation
principles of safe use, maintenance commissioning, operation, maintenance maintenance and
design in the following and demolition of maintenance, and demolition of demolition of chemical
areas: structures. operation and facilities, structures processing facilities,
decommissioning of and equipment being including intrinsic
mechanical equipment. designed for electrical safety.
transmission.
Be aware of tools > CHAIR from NSW > Relevant > Relevant > Relevant
available to assist WorkCover Standards. Standards. Standards.
with the safe design > Codes of Practice > Plant Safety > Hazardous
principles: (e.g. Safe work Regulations. substances,
on roofs) dangerous goods
Regulations.
Understand the construction projects domestic, public and the use of electrical the design and
application of risk including dams, industrial facilities, energy in homes, development of
analysis techniques bridges, pipelines, products and the community and equipment and the
to the activities roads, towers and processes. industry associated evaluation
associated with: buildings. of the operating
processes associated
with chemical plants.
Understand the Varied standards of Varied standards of Hazard level definitions
practices of permit energy control, through energy control, through – examples.
to work systems and to isolation. to isolation. Varied standards
associated energy Permit system design Permit system design of energy control
isolation practices: for failure tolerance. for failure tolerance. appropriate to
hazard level.
Reference: Viner Group International Pty Ltd, (2002) Incorporation of “Safe Design” principles into under/post graduate curricula for engineers. Paper prepared for NOHSC.

objective of this resource > Provides a range of activities to help students

learn about safe engineering design and develop
The objective of this resource is to support
appropriate skills
engineering academics in their efforts to help
students understand the importance of designing > Links to other relevant books, reports, Standards
safe products, processes and systems and and websites that extend the scope of material
to develop Safe Design skills appropriate to within this resource.
professional engineering. Our vision is for a Safe Design focus to be
Specifically, this resource incorporated into a wide variety of undergraduate
subjects so that safe engineering design is
> Summarises safety principles relevant to
recognised as an integral part of basic engineering
engineering design in a way that is easily
practice. Therefore, the material has been
accessible to engineering educators in a wide
developed in a modular fashion so that educators
range of discipline areas and specialist fields
can adapt and use sections to highlight a range
> Provides educational materials that support of Safe Design issues relevant to their own
engineering educators in integrating safe academic field.
engineering design principles into their curricula

vi australian SAFETY and compensation council

Structure of the resource
Part 1 provides the contextual framework and
underpinning principles upon which Safe Design
in Engineering is based. This section also contains
an extensive reference list, which provides a range
of links to other safety related educational materials
that are useful to both students and academics to
expand their knowledge of safety and Safe Design.
Part 2 provides a range of educational materials
specifically designed for engineering students that
can be used by educators to develop Safe Design
capabilities. Each of the student activities and case
studies is supported with separate instructions for
students and for lecturers.
How to use this resource
While the Australian Safety and Compensation
Council has developed documents to be
incorporated into this resource without specific
referencing, the source of material has been cited
wherever possible, so that students can extend their
knowledge by accessing these primary sources. If
readers wish to incorporate parts of this resource
into documents they are developing, conventional
referencing techniques should be followed.
The resource has been developed and designed
to be reproduced for use in classroom and other
educational activities. The following citation
should be used: ASCC (2006): Safe Design for
Engineering Students.
How can Safe Design be incorporated into the
Engineering curricula?
Role of Course Designer, Associate Dean Teaching
& Learning, Head of School:
> Safe Design Supporter
- Increase engineering educator awareness
amongst your Faculty staff about the need for
Safe Design and the availability of resources
> Safe Design Champion
- Recognise safety as inherently part of
Engineering education and explicitly
acknowledge safety as an ability of your
graduates. This will require embedding these
and other safety related learning in course
documentation and then mapping their impact
for Course Accreditation
- Support staff in changing subjects and
producing Safety related learning
Role of Subject Co-ordinator:
Another level of implementation may be at the
subject co-ordinator, “grass-roots” level. This
approach can therefore be adopted ad-hoc across
the Faculty without the need for a widespread,
systematic and planned implementation. There
are a range of options (levels) available depending
upon the suitability of the subject and the
capacity of an educator to integrate Safety within
their environment.
Levels of use
> Level 1: Safety Adoption: Adopt existing
materials with minimal changes to existing
subject design
- Replace an existing case study for teaching
about ethics, engineering management,
engineering economics that uses a non-Safety
topic (e.g. Sustainability, Quality) with a case
study (Section 2.4 of Part 2A) that uses Safety
as a context.
- Insert a Risk identification activity into a Design
subject to raise awareness of Safety.
- Educate the students about the fundamental
principles of Safe Design by providing the
students with a self-guided activity involving the
provided reading (Part 1) and then completing
an online quiz (Part 2C).
- Introduce Safety dimensions into activities
requiring a debriefing.
> Level 2: Safety Adaptation: Adapt subject
and materials
- Integrate Safety into an existing Technical
Design activity through using the Safe Design
and Build activity (Section 2.3 of Part 2A) and
providing student support through the Safe
Design: Concepts, Principles & Tools (Part 1).
SAFE DESIGN FOR ENGINEERING STUDENTS vii
 - Use several activities together in a subject
- Adapt materials to draw out stronger
disciplinary linkages
> Level 3: Safety Integrator: Integrate Safety into
learning outcomes, assessment and activities
- Integrate desired safety related learning
outcomes into subject learning outcomes
- Build in deeper linkages through adapting
the package case studies and activities for
the subject and/or developing further context-
specific safety related materials
- Modify an assessable design task in the subject
to incorporate a requirement for Safe Design
and integrate criteria relating to safety into the
assessment criteria for the task

viii australian SAFETY and compensation council

 >>>>
pART 1: CONCEpTS, pRINCIpLES AND TOOLS
CONTENTS

1.1 SAFETy pRINCIpLES 3

1.1.1 What does it mean to be safe? 3
1.1.2 Why focus on safety? 3
1.1.3 What is Safe Design? 4
1.1.4 Why Implement Safe Design? 8

1.2 SAFETy FRAMEwORk 11

1.2.1 Legal & Regulatory Framework 11
1.2.2 Business and Risk Framework 18
1.2.3 Professional Framework 20

1.3 SAFE ENGINEERING DESIGN 21

1.3.1 Design Context 21
1.3.2 Design Requirements 21
1.3.3 Design Options 23
1.3.4 Design Synthesis 23
1.3.5 Design Completion 24
1.3.6 Monitor and review throughout the life cycle 24
1.3.7 Communicate and Document throughout the life cycle 24

1.4 SAFE DESIGN ENGINEERING TOOLkIT 2

1.4.1 Designer Misconception checklist 25
1.4.2 Construction Hazard Analysis Implementation Review guidewords 28
1.4.3 Plant Hazard checklist 29
1.4.4 Process Flow Guideword 31
1.4.5 Failure Mode and Effects Analysis (FMEA) 31
1.4.6 Event Tree Analysis (ETA) 34
1.4.7 Fault Tree Analysis (FTA) 36
1.4.8 Hierarchy of Control 39
1.4.9 Incident Investigation 40
1.4.10 Code of Ethics 41

SAFE DESIGN FOR ENGINEERING STuDENTS 1

Resources 43
R.1 Engineering Education resources 43
R.2 Websites of interest 44
R.3 Safety Album/Safety Moments 44
R.4 Safety Software/Materials 45
R.5 OHS & Safety Multimedia Materials 45
R.6 Reference Books and journal articles 45

 australian SAFETY and compensation council

 CONCEPTS, PRINCIPLES AND TOOLS
PART 1:
CONCEPTS, PRINCIPLES AND TOOLS

AN EDUCATIONAL RESOURCE
FOR UNDERGRADUATE
ENGINEERING STUDENTS

1.1 SAFETy pRINCIpLES
1.1.1 wHAT DOES IT MEAN TO bE SAFE?
To be safe means to be free from the risk of harm,
however, nothing in life is completely safe.
As engineers, we have a professional and legal ‘duty
of care’ to ensure that all our designed products,
processes and systems are as safe as is reasonably
practicable. That means that we must understand
the risks inherent in our technology and its human
interfaces, and we must design systems that ensure
a ‘reasonable’ level of safety for all those who
interact with those systems now and in the future.
That is a real challenge!
1.1.2 wHy FOCUS ON SAFETy?
There are a number of issues that have caused us
to be more concerned with safety than we have in
the past. A few of these issues are described below:
> Technology is becoming more complex and
there are increased risks associated with human
interaction and technology.
> The complexity of many designed products
makes it difficult to identify hazards because
of the inter-relationship between products,
processes and systems.
> Complex systems may have latent faults
which may not be apparent in the individual
elements of the systems but which can lead
to serious risks when the individual elements
are combined.
> Workers and operators are often remote from
the processes they control and have lost the
added sensory inputs that warn of danger. As a
consequence of automation, they may also have
lost the skills necessary to take corrective action
in emergencies.
>>>>
> Society is also much more aware of incidents of
‘accidental’ death and is demanding that life be
made safe.
> Safety has always been considered an important
part of ‘safety critical systems’ such as nuclear
power, aviation and military applications
and much attention has been given to these
applications. With the increased use and
pervasiveness of technology in our lives there is
an increased awareness of the need to focus on
safety across all engineered products.
Some Design Related Safety Statistics
The 650,000 occupational injuries and illnesses
sustained annually in Australia costs the economy
at least $20 billion a year.
A research report revealed that for the period 1 July
2000 to 30 June 2002:
> 77 workplace deaths can be attributed to poor
design, this is 37% of all workplace fatalities;
> 13 of these fatal incidents (16.9%) were
associated with roll-over protective structures
(ROPS), 10 of these incidents involved tractors
– 5 associated with ROPS and 5 being run over
by the tractor;
> 11 deaths (14.3%) involved design issues
relation to guarding – 6 of these involved fixed
machinery in which some one became trapped,
3 involved augers or associated power transfer
shafts, and 2 involved other equipment;
> 9 workers were electrocuted in circumstances
where residual current devices did not appear
to be present; and had they been present
would have been expected to have prevented
the fatality;
SAFE DESIGN FOR ENGINEERING STuDENTS 3
> The highest number of workplace design
related fatalities occurred in the agriculture
industry. These 25 design related deaths (which
represents 52% of all agriculture work related
deaths) are associated with tractor incidents,
failures of hydraulic systems, use of augers, all
terrain vehicles and falls from heights;
> Design related issues were involved in
at least half the incidents in the mining,
transport, agriculture, construction, trade and
manufacturing industries; and
> Nearly all of the fatalities involving machinery
and fixed plant were at least partly caused by
design related issues
(Source: The Role of Design Issues in Work-Related Injuries in Australia 1997-2002,
NOHSC July 2004)
1.1.3 What is Safe Design?
In response to societal demands for safer products
and workplaces, governments, businesses,
engineers and others who are involved in innovation
are requiring that safety be a fundamental principle
in design. The concept of Safe Design attempts to
achieve that objective.
Safe Engineering Design is a process defined as
the integration of hazard identification and risk
assessment methods early in the engineering
design process to eliminate or minimize the risks
of injury or damage throughout the life of the item
being designed. The concept encompasses all
engineering design including facilities, hardware,
systems, equipment, products, tooling, materials,
energy controls, layout, and configuration.1
A safe design approach begins in the conceptual
and planning phases; with an emphasis on making
choices about design, methods of manufacture
or construction and/or materials used which
Develop Design Construct/
Concept manufacture
Figure 1.1: Life cycle of designed products
(Adapted from Christensen and Manuele (Ed.) Safety Through Design: Best Practices, National Safety Council, 1999)
1 Modified from Christensen and Manuele (Ed.) Safety Through Design: Best Practices, National Safety Council, 1999
 australian SAFETY and compensation council
enhance its safety. The designer needs to consider
how safety can best be achieved in each of the
lifecycle phases eg. designing a machine so that
maintenance activities will not require removal of
protective guards.
Safe design will always be part of a wider set of
design objectives, including practicability, aesthetics,
cost and the functionality of the designed-product.
Safe design is the process of successfully achieving
a balance of these sometimes competing objectives,
without compromising the health and safety of those
potentially affected by the designed-product over
its life.
There are many groups involved in the function of
design. They include:
> design professionals such as architects,
engineers, industrial designers, software
developers;
> other groups who can influence design
decisions, such as developers, builders,
owners, insurers, project managers, purchasers,
clients, OHS professionals, human factors and
ergonomics practitioners; and
> suppliers (including manufacturers, importers,
plant-hire), constructors, installers and trades/
maintenance personnel.
Life cycle of designed products
Safe Design requires an understanding of the each
stage in the life of a designed product, starting with
the initial conception and continuing through to
the point where the product no longer affects its
environment.
It is more costly to retrofit or modify existing
products to achieve safety than it is to ‘design out’
hazards early in the product development. By
identifying hazards and managing risks as early
Import/ Commission Maintain/ De- Disposal/
supply/install and use Modify commission recycle
in the life cycle as possible, losses in terms of life,
injury and income can be minimised and safety can
be ensured.
Poor design can result in a range of other economic
costs such as low productivity, higher maintenance,
higher employment and workers’ compensation
expenses and reduced asset life. These economic
costs are in addition to human costs of injury,
illness, disease and disability.
The opportunities to create intrinsically safer
products are greater in the earlier life cycle phases
of design, manufacture or construction. In these
early phases there is greater scope to design out
hazards and/or incorporate risk control measures
that are compatible with the original design concept
and functional requirements of the item. If risks
can be eliminated or effectively controlled in these
phases then safety problems may be overcome for
those who use or work with the item downstream.
Safety can be enhanced if each person who
controls decisions taken in the earliest life cycle
phases takes steps to ensure that risk is proactively
addressed, and effectively documented and
communicated so that users throughout the life
cycle are aware of hazards and risks and informed
of ways to manage them.
What are the Principles of Safe Design?
The key elements that impact on achieving Safe
Design are:
Safe Design is everyone’s responsibility
The responsibility for Safe Design rests with those
persons have control or influence over the design.
Safe design employs life cycle concepts
Safe Design applies to every stage in the life cycle
from conception through to disposal. Safe Design
also attempts to eliminate hazards or minimise risk
as early in the life cycle as possible.
Safe Design implements risk management
A reasonable level of safety is ensured through
implementing a systematic risk management
process of hazard identification, risk assessment
and risk control where elimination cannot be
achieved at the source.
Safe Design requires knowledge and capability
Any designer, or person with control or influence
over safe design should be able to demonstrate the
required knowledge and capability for that decision,
or have direct access to the required knowledge.
Safe Design relies on communication
Consultation with users and other stakeholders is
essential to Safe Design. Effective communication
and documentation of key information, concerning
action required to be taken to control risks, must
also be ensured from the design phase to all users
in the later phases of the life cycle, so that users
are aware of any residual risks that may affect their
health and safety.
f link: www.ascc.gov.au
Human factors engineering
Engineering designers are also concerned with
human interfaces with technology. The study of
these interactions is referred to as human factors
engineering. One of the classical case studies in
human factors engineering is summarised below:
‘The classic of all design deficiencies which have
come to our attention was a combination safety
shower and eyewash constructed at a northern
missile site. In order to operate the eyewash, it
was necessary for a man, who might already be
blinded by acid, to put his head in the eyewash
bowl and then to turn on the water valve with
his right foot. The only problem was that the
foot-operated valve was about four feet to his
rear and higher than his waist. As an additional
feature, if a man did happen to hit the valve,
he got a full shower from overhead as well as
getting his eye washed out. However, the whole
problem became academic in winter because
the whole system froze up.’
Source: Anonymous, Extract – United States Air Force ‘eyewash instructions in the
event of an acid splash’, 1959
If engineers are to be capable of designing solutions
that are safe, graduate engineers of the future
will require abilities and attributes not previously
considered ‘core’ to their professional practice. To
develop these capabilities, engineering educators
as well as engineering graduates, will require an
enhanced understanding of the ‘human’ component
in system design, development and operation.
SAFE DESIGN FOR ENGINEERING STUDENTS 
Systems should be ‘user centred’, meaning that
they are capable of being operated safely by a range
of reasonably competent users and productive for
the needs of those users. ‘Usability’ is now a key
aspect of engineering design. Within this design
framework, consideration and incorporation of
‘human factors’ reduces the likelihood of human
error, resulting in a safer, more efficient work
environment for all stakeholders. The integration
of ‘human factors’ in engineering design will
ensure that designs such as the ‘safety shower and
eyewash’ described above will not happen.
Apart from the aspects of human factors
engineering concerned with the design of systems
that can be used effectively and productively
without endangering the safety of users, Safe Design
also needs to consider the adaptive and changing
nature of human behaviour. The introduction of
a feature to improve safety may not deliver the
intended improvement because users may adapt
their behaviour in response to the change. This
concept is known as risk homeostasis and can be
considered akin to people having a risk budget.
Consider a pressurised system such as a boiler
in which a relief valve is installed to cope with
instances where the operator fails to monitor and
control the pressure. The operator, observing that
the relief valve appears to work, leaves primary
control of over-pressure to the valve and undertakes
other tasks instead. What was intended, and most
likely designed, as a backup ends up being the
primary control mechanism. Thus a system could
potentially be less safe after the installation of a
‘designed product’ intended to improve safety
because human behaviour can undermine the
intended operation.
The potential for risk homeostasis to arise in
response to a design or operational change
reinforces the need for systems to be continuously
monitored and reviewed, and for appropriate
training of all users. It is also important to document
the rationale for all decisions so that unintended use
can be identified and steps taken to restore safety.
So, how can engineers consider ‘human factors’?
The process begins by consideration of not only
2 This section on Injury and disease causation – a discussion has been prepared by J Culvenor for the Office of the ASCC, October 2005.
 australian SAFETY and compensation council
the specified technical operational needs of a
system, but also the attitudes, abilities, capacity,
expectations and understanding of users at all
stages of the system life cycle. For the modern
engineering practitioner, recognition that risk
and safety are issues of critical importance at the
interface of ‘technical’ and ‘social’ responsibilities
is vital. The integration of these two cultures
in engineering practice can be developed by
gaining an understanding of human issues and an
appreciation of the interface between equipment or
operational environments and the quality of life of
those interacting with the system.
Injury and disease causation – a discussion2
Why is this not called ‘accident’ causation?
Firstly – why are we talking about ‘injury and
disease’ causation and not ‘accident causation’?
Accident analysis would be limiting. One reason
is that accidents tend to only be about traumatic
injuries and thus proper attention would not be
given to injuries and diseases that develop over time
(such as many manual handling injuries, hearing
loss, etc). Another reason is that the term ‘accident’
can conjure up a notion that the occurrence was
beyond anyone’s control. Accidents are within
our control, because the circumstances leading
to accidents are within our control. However the
approach adopted here has been to avoid the
limiting and misunderstood term ‘accidents’ and
concentrate on injury and disease causation
– and prevention.
What’s the cause? Is there only one or is it usually
more complicated?
The first point to make about injury and disease
causation is that finding one single ‘cause’ is not
easy – nor useful. One ‘cause’ probably does not
exist. Further, there can be different ideas about
what kind of cause is meant. For instance, the
cause of a head injury to a construction worker
may be impact with the ground. The cause of the
impact may be a fall. The cause of the fall might be
an unguarded opening in a floor, and before that, a
trip over an electrical cable, and so on. Why was the
cable there? Why was the worker there? The cause
can depend on what you think is within control and we find that other factors make a contribution. We
therefore might have failed to perform as well as it can look at the incident more broadly to examine
could and what you think is fixed, unchangeable the physical environment, plant and equipment,
and out of control and hence do not consider. human knowledge and skills, systems of work or
use, the human interaction their surroundings,
For instance consider another example. Late in the
sensory inputs, physical relationship between
afternoon a forklift intending to drive out a doorway
people and equipment and environment, etc. For
collides with a doorway support after swerving to
instance in the forklift example above we have
narrowly miss a pedestrian walking into the building.
physical environment (size of door, orientation
Is this because of fatigue, rushing to complete the
to afternoon sun), equipment (the forklift type,
work, a too narrow doorway, the person walking
weight), skills (work organisation skills, hazard
through the doorway or the late afternoon sun
identification and control skills, operator skills),
shining in the doorway? Perhaps all these things
work systems (the movement of goods using a
contribute. Which are under control and by whom?
forklift, work schedules) and human interaction with
Fatigue is variable and can be controlled. Perhaps
environment and equipment (looking into the sun,
the operator contributed by staying up late watching
use or not of a pedestrian door). Decisions made
cricket? Alternatively perhaps the organiser of
about one or more of these factors might have
the work system contributed through demanding
contributed. A different decision about one or more
working hours and insufficient breaks? Perhaps
might have lead to a different outcome. Very few of
the operator contributed by rushing? Alternatively
these decisions are made by the person at the end
perhaps unreasonable schedules were demanded,
of the sequence such as the forklift driver or the
hence the demand to rush was out of the operator’s
pedestrian walking though the door.
control and in someone else’s control? Perhaps
the pedestrian could have used a pedestrian door? Looking beyond the actions of those immediately
Perhaps there is no pedestrian door, or maybe involved to a comprehensive set of issues takes
it is inconvenient, hard to use, or involves using more effort. Broader issues are harder to see as
awkward stairs? Perhaps the doorway is too narrow? they are removed from the injury in time and space
The sun itself can not be changed but the way a – the decisions might have been taken a long time
door is oriented, whether it is shaded from the early ago and some where else. Further, imagination
morning/late afternoon sun is also controllable. and creative effort is necessary to ensure that
What about the use of the forklift itself? Why is it assumptions are challenged and examined. For
used? What for? Could materials be moved about instance, in the forklift example, it might be useful
another way or not at all? How far should the net to question why a forklift is used in the first place.
be cast in the search for causal factors? There is
Developing a comprehensive understanding of
no clear answer to this question. Certainly though
the causal factors of an injury is not easy. But too
if accidents are to be better understood then the
often the search focuses not on what would be
search for a ‘single cause’ could probably well be
useful, but on what is most easily identified such
abandoned. Causation, causes, contributing factors,
as operator error, etc. The decisions set the scene
etc are probably more useful terms than ‘cause’.
for the accident can therefore be overlooked. This
These terms imply something larger, more complex,
can be seen most days in newspaper accounts of
plural, etc. as against something singular.
motor vehicle crashes where those at the scene,
Who’s to blame for injuries and diseases? Does usually the driver, are given the blame. The same
working this out help? thing happens in the case of major disasters – those
closest physically and in time to the final triggering
Blaming injuries and diseases on the person
event get the blame.
who made the last (faulty) decision in a chain of
events is unhelpful but it is unfortunately common.
Driver error, operator error, pilot error, etc. are all
manifestations of this approach. If we look deeper

SAFE DESIGN FOR ENGINEERING STUDENTS 

The danger of a very shallow and simplistic effort at Safe Design is socially responsible
finding a cause leads to very little information about
> By adopting a Safe Design approach, it is
what to do differently in the future.
possible to design-out health and safety hazards
‘Accidents are due to human failing. This is not to create a design option that meets both clients
untrue, merely unhelpful. It does not lead to needs and your obligations as an engineer
constructive action.’ 3 under your professional standards and the
OHS legislation.
Blaming the last person in the chain (operator error,
driver error, pilot error) etc. ignores all the actions > Safer products, processes and systems will
that have gone before that defined the operating result and that ultimately benefits business
system. Doing nothing to rectify those decisions and society generally, now and in the long
condemns those in the future to fall into the term, because it minimises injury and illness
same traps. and provides for a better social and workplace
environment.
> Safe Design also ensures safety throughout the
1.1.4 Why Implement Safe Design?
life cycle of the designed product, thus ensuring
There are both moral and practical reasons for that future users will be protected from hazards.
adopting a Safe Design approach and why it is a
wise choice for businesses and those involved in Safe Design is best practice engineering
creating new products and systems.
> Engineers are personally and professionally
responsible for ensuring that their products,
Safe Design makes good business sense
processes and systems are safe. They are legally
> It is cheaper to eliminate occupational health bound through law and regulations to ensure
and safety hazards at the design or planning that their designs are safe from concept through
stage with well-informed decisions, rather than to disposal.
making the changes when the hazards become
> Safe Design involves processes (including
real risks to your clients, staff or business.
human factors, organisational issues and life-
> Safe Design results in more predictable business cycle management) not just products. This is
costs because you have identified risks and technically challenging and at the forefront of
have included them in your management engineering design.
processes. Poor design can result in a range
of economic costs such as low productivity, Safe Design is ethical engineering practice
higher maintenance costs increased workers
> Safety issues, involve fundamental ideas
compensation expenses and loss of reputation.
about how we view the world and what we
However the greatest costs are the human costs
believe is important and right. Safe Design
of injury, illness and loss of life.
rests on the assumption that all people have a
> Safe Design also contributes to a quality right to be protected from unnecessary risks.
outcome which meets customer needs Designers have a responsibility to ensure
throughout the whole life cycle of the product or that their conceptions do not put others at
system of work. unnecessary risk.
> Safe Design applies principles that are common > Safety is a fundamental tenet of engineering
between quality management standards (AS/NZ codes of practice. Engineers are ethically
9000) and risk management standards (AS/NZ bound to consider the safety and welfare of
4360). the community as paramount. All members
of the Engineers Australia, in the practice of

3 Kletz, T. 1991, Plant Design for Safety: A User-Friendly Approach, Hemisphere, New York.

 australian SAFETY and compensation council

 the discipline of engineering, are committed
and obliged to apply and uphold the Cardinal
Principles of the Code of Ethics, which are:
- to respect the inherent dignity of the individual;
- to act on the basis of a well informed
conscience; and
- to act in the interest of the community.
f see Section 1.4.10: Safe Engineering Design
Toolkit*: Code of Ethics
Safe Design is a sustainable
engineering practice
> Engineering professional standards embrace the
concept of sustainability, with an expectation
placed on practising engineers to ensure that
their work strives to improve the quality of life
for this generation and future generations. The
holistic concept of sustainability stands on
the three key integrated pillars of economic,
environmental and social sustainability.
> Engineering practitioners have traditionally
considered the economic issues, and in the
last decade, environmental issues have been
accepted as issues of increasing importance.
Now, engineering as a profession is concerned
with technology and its human interfaces,
and so it must also focus on societal needs.
Where does safe design fit in this equation?
By considering safety throughout the entire
life-cycle of designed products, engineering
designers can ensure that their developments
are safe from conception through to disposal,
thus ensuring the well-being of current and
future users
Safe Design is a national priority
> The National OHS Strategy (2002-2012),
developed by members of the National
Occupational Health and Safety Commission
(NOHSC) and endorsed by the Workplace
Relations Ministers’ Council, has a vision to have
Australian workplaces free from death, injury
and disease. To achieve this ideal goal, one of
the national priorities is to eliminate hazards
* The toolkit is located in section 1.4 of this document.
at the design stage. This mandate is of special
concern to engineers and engineering educators
because design is a fundamental engineering
activity and therefore we all need to understand
how we can ensure that our designs are safe
throughout their whole life cycle.
f www.ascc.gov.au
Safe Design is required for accreditation and
professional engineering certification
> All undergraduate engineering courses
in Australia must be accredited by their
professional association, Engineers Australia,
in order for their graduates to be recognised
as engineers. Engineers Australia has set
criteria that engineers must meet as part of
accreditation. Professional Engineer Stage 1
competency corresponds to completion of a 4-
year Bachelor of Engineering degree accredited
by Engineers Australia.
Many of these Stage 1 competencies require
the enabling skills of risk management, lifecycle
concepts and engineering design that Safe Design
seeks to develop. However some of these criteria
require engineers to have abilities in relation to
Safe Design;
PE2.2 Understanding of social, cultural, global,
and environmental responsibilities and the need
to employ principles of sustainable development
- Appreciation of the interactions between
technical systems and the social, cultural,
environmental, economic and political context
in which they operate, and the relationships
between these factors
- Appreciation of the imperatives of safety and
of sustainability, and approaches to developing
and maintaining safe and sustainable systems
- Appreciation of the nature of risk, both of a
technical kind and in relation to clients, users,
the community and the environment
SAFE DESIGN FOR ENGINEERING STUDENTS 
PE2.3 Ability to utilise a systems approach
to complex problems and to design and
operational performance
- Understanding of the need to plan and quantify
performance over the life-cycle of a project or
program, integrating technical performance
with social, environmental and economic
outcomes
PE2.4 Proficiency in engineering design
- consider the impact of all development and
implementation factors including constraints
and risks
- ensure that the chosen solution maximises
functionality, safety and sustainability,
and identify any possibilities for further
improvement
> A Stage 1 engineer would be expected to work
initially under the supervision and guidance of
more experienced engineers, while experience
is gained. These engineers are encouraged
to undertake Professional Development
Programs approved by Engineers Australia while
developing the practice competencies that will
qualify them for Stage 2 assessment and the
status of Chartered Professional Engineer.
10 australian SAFETY and compensation council
Summary
> Safety is a basic attribute of a product, process
or system and needs to be embedded into the
design process at every phase.
> Engineering designers, concerned with
technology and its human interface, have a
professional responsibility to ensure that their
designed products are as safe as reasonably
possible for all users throughout the product
life cycle.
> Applying Safe Design principles in engineering
design will ensure that hazards are identified as
early as possible and that they are designed out,
or the risks are responsibly managed throughout
the entire life cycle.
> Safe Design in engineering meets an engineers’
responsibilities for sustainable, ethical and
socially responsible practice.
> Safe Design is also a sensible business
solution because it is economically sound and
contributes to total quality.
 >>>>
1.2 SAFETy FRAMEwORk

The basic framework supporting Safe Design The latter includes contractors and those who
consists of laws and regulations enacted through design, manufacture, import, supply or install plant,
governments and management processes equipment or materials used in the workplace.
enacted through business and professional Engineers, therefore, have a duty of care.
standards that guide the conduct of members of
Duty of care places into a legal form what is a
professional groups.
natural moral duty to anticipate possible causes of
injury and to do everything practicable to remove or
minimise these hazards. For employers, this means
1.2.1 LEGAL & REGULATORy FRAMEwORk providing safe premises, safe plant and equipments
Society exerts its demands for a safe environment and safe work systems.
through its government and regulatory systems.
Employees also have OHS duties and
Laws balance the interests of individual citizens,
responsibilities for the safety of themselves and
businesses and corporations with the needs of the
fellow employees. Under OHS legislation employees
nation or state as a whole. The Commonwealth
have two major duties, firstly not to endanger their
government has a responsibility to ensure that
own or others’ health and safety through any act, or
there is an overall national framework that ensures
their failure to act, and secondly they are required
safety, while the states and territories have the
to cooperate with measures introduced to protect
responsibility for making laws about health and
their own and others’ health and safety.
safety and for enforcing those laws.
Reasonably practicable means that you must
Each state and territory has a principal Occupational
demonstrate that you have done your best within
Health and Safety Act, which sets out requirements
the constraints of a business environment and in
for ensuring that workplaces are safe. These
the eyes of the law. When applied to occupational
requirements include the duties of different groups
health and safety, this concept refers to an
of people who play a role in workplace health and
objectively reasonable response to a hazard. In
safety and are known as ‘duty of care’.
doing this, a number of factors need to be taken
into account to determine what would be reasonable
What is ‘Duty of Care’?
and practicable. These factors include4:
Duty of care requires everything ‘reasonably
- Nature and severity of the hazard;
practicable’ to be done to protect the health and
safety of others. This duty is placed on: - Knowledge of the severity of the hazard;

> all employers; - Knowledge of suitable solutions;

> their employees; and - Availability of solutions;

> any others who have an influence on the - Common standards of practice; and
hazards in a workplace. - Cost of solutions.

4 Accessed on line Sept 2005 at http://www.nohsc.gov.au/SmallBusiness/BusinessEntrypoint/laws/dutycare/#top

SAFE DESIGN FOR ENGINEERING STuDENTS 11

The law takes into consideration the time and > protecting the health and safety of the public in
cost involved in ensuring a safe workplace relation to work activities.
and recognises that complete safety is seldom
achievable. However, you as the duty holder must
show that it was not reasonably practicable to
do more than what was done and that you have Acts Compliance is
mandatory
exercised due diligence. That means that you must
have safe processes in place and adequate records Voluntary guidance
Regulations material
to demonstrate that you, and all those for whom
you are responsible, have done what is reasonably
practicable to ensure a safe working environment.
Codes of Practice
Failure to exercise due diligence may result in
civil or even criminal legal action. Tort is the area
of law concerned with civil liability, and it involves
the finding of a fault, such as carelessness Standards
or negligence, on the part of the defendant.
Professional negligence can be alleged when
a plaintiff claims to have suffered a loss as a
Industry Standards/Guidance Notes
consequence of a breach of duty of care owed by
someone acting in a professional capacity. Many
professionals, therefore, purchase professional
Figure 1.2: The legal framework
indemnity insurance to protect themselves from the
financial consequences that could result from an Not complying with an Act is considered an offence
unintentional failure to provide duty of care. and can result in a fine, or the issuing of either an
improvement or prohibition notice. A breach of
How is duty of care legislated and enforced? an Act does not have to result from an accident
Australian health and safety law is governed by a or a person being injured at work. For example a
framework of Acts, Regulations and supporting dangerous piece of unguarded machinery being
guidance material such as codes of practice and used in the workplace would in itself constitute
standards (shown in figure 1.2). a breach.
The OHS Acts also specify duties for designers,
Acts
manufacturers and suppliers. Although there are
An Act or Statute is law made by parliament and
other legislative and regulatory provisions governing
enforced by government departments. In each
the safe design of buildings and structures, such as
jurisdiction (Commonwealth, State or Territory) there
building legislation in each State and Territory and
is a principal OHS Act which gives broad duties to
the Building Code of Australia, these do not cover
the workplace parties. Commonly included in each
the breadth of OHS matters which may arise in the
Act are requirements for5 :
design of buildings and structures as workplaces.
> promoting occupational health and safety in the
Regulations
workplace;
Regulations support a principal Act by outlining how
> providing systems of work that are safe and
the general obligations of an Act will be applied in a
without risk to health;
workplace. OHS regulations provide more detailed
> employers and employees participating in health requirements for specific areas of workplace
and safety issues through consultation; health and safety. For example, they may contain
provisions relating to specific processes (such as

5 Accessed on line Sept 2005 at http://www.nohsc.gov.au/OHSInformation/NOHSCPublications/fulltext/docs/h6/03297-01.htm

12 australian SAFETY and compensation council

spray painting and abrasive blasting) and specific
hazards (such as asbestos, lead, electrical safety
and confined spaces).
Not complying with a regulation is considered
an offence and can result in a fine, issuing of an
improvement or prohibition notice or imprisonment.
Codes of Practice
Codes of Practice give practical advice and
guidance on acceptable ways of complying with the
general obligations set out in Acts and Regulations.
Codes are issued by Commonwealth, State and
Territory governments and are usually designed to
be used in addition to the Acts and Regulations, but
can also be incorporated into legislation.
A breach of a code is not by itself a breach of an
Act or Regulation. However all codes of practice can
be used as evidence in court to demonstrate what
an employer should have been doing to comply
with the obligations under the Act or Regulations to
ensure the objective of the Act is achieved.
Standards
These can be developed by relevant governments,
employer associations, trade unions and industry
bodies. In regards to health and safety, there are
two main sources of standards:
National Standards produced by the Australian
Compensation and Safety Council (formerly
the National Occupational Health and Safety
Commission), in consultation with the State/Territory
OHS authorities, employee unions and employer
associations. National Standards usually deal with
workplace problems such as noise or dangerous
working environments. If National Standards are
adopted by States and Territories into their OHS
legislation they become mandatory.
Examples of National Standards:
> National Standard for Construction Work
[NOHSC:1016 (2005)]
> National Standard for the Storage and Handling
of Workplace Dangerous Goods [NOHSC:1015
(2001)]
> National Standard for Occupational Noise
[NOHSC:1007 (2000)]
Australian Standards produced by Standards
Australia, a non-government organisation that
makes standards in consultation with overseas
standards bodies (eg International Standards
Organisation [ISO]) and Australian technical
committees. Australian Standards provide technical
and design guidance. Some standards are directly
relevant to health and safety, such as safety and
emergency equipment and fire safety standards.
Other general standards will contain health and
safety provisions.
Examples of Australian Standards:
> AS/NZS 4804:2001 – Occupational health
and safety management systems – General
guidelines on principles, systems and supporting
techniques.
> AS 4024:1996 – Safeguarding of Machinery.
Standards are only enforceable by law when they
are specifically referenced in a State/Territory health
and safety regulation.
Guidance Notes
Guidance Notes usually relate to declared national
standards and/or codes of practice, and provide
detailed guidance on specific health and safety
topics. In contrast to national standards and codes
of practice, guidance notes may not be suitable for
reference in the various jurisdictional laws.
Examples of Guidance Notes
> Guidance Note on the Membrane Filter Method
for Estimating Airborne Asbestos Fibres 2nd
Edition [NOHSC:3003 (2005)]
> Guidance Note: Working Safely with Fork Lifts,
Commission for Occupational Safety and Health,
Western Australia
> Guidance Note: Guarding of Machines, Victorian
WorkCover Authority
SAFE DESIGN FOR ENGINEERING STUDENTS 13
Organisations Concerned with Safety ‘We speak for the dead to protect the living’
In addition to enacting laws and regulations, (Victorian State Coroner’s Office)
governments and other organisations set up Other non-government organisations with a
agencies whose responsibilities include preserving mandate to ensure Safe Design include:
the health and wellbeing of the community. Some
Engineers Australia
of the organisations concerned with safety include
the following: Engineers Australia is one of a number professional
bodies responsible for ensuring that members
Australian Safety and Compensation
of their profession are appropriately trained
Council (ASCC):
and competent to carry out their professional
The ASCC leads and coordinates the national responsibilities. Two key impacts are in accrediting
approach to improvements in workplace safety educational courses in undergraduate education
and workers’ compensation performance, as well and certifying professional competence and
as promoting greater consistency and uniformity providing professional development. This
amongst the various jurisdictions within Australia. responsibility includes Safe Design.
It provides policy advice to the Workplace Relations
Standards Australia
Ministers’ Council on national OHS and workers’
compensation arrangements, and has the power to Standards Australia is a non-government, not
declare national standards and codes of practice for profit organisation that develops Australian
for OHS. These are developed as the basis for Standards in consultation with overseas standards
nationally consistent OHS regulations and codes of bodies and Australian working parties.
practice. The ASCC comprises representatives from
Safe Design Legal Issues6
the Federal Government, each State and Territory
government, the Australian Council of Trade Safe design is about upstream decisions that
Unions and the Australian Chamber of Commerce impact positively on safety downstream. The
and Industry. particular context here is the workplace, however
the principles are parallel with public and consumer
The Office of the Australian Safety and
safety and for both common law and statute law
Compensation Council (Office of the ASCC)
prosecutions. This section demonstrates the duty of
supports the work of the ASCC and is also a source
care responsibilities for designers, manufacturers,
of national research and statistical information
suppliers and importers as they apply to common
relating to OHS and workers’ compensation.
and statute law case studies.
State, Territory and Commonwealth
Common Law Duty of Care
OHS Authorities:
The conventional starting point for any consideration
OHS authorities, such as NSW WorkCover, are state
of the liability of designers and manufacturers of
government statutory authorities responsible for
products is the seminal 1930s case in the UK
regulating occupational health, safety, rehabilitation
of Donoghue v Stevenson7. Stevenson was the
and compensation systems.
manufacturer of a ginger beer, which was sold to
Coroner a distributor and made its way to a café. Donohue
dined at the café with a friend who purchased the
The Coroner investigates reportable deaths and
ginger beer. Donohue drank some of the ginger
is responsible for determining the manner and
beer and subsequently discovered a decomposed
cause of death. A coroner is empowered to make
snail in the beer then suffered shock and a stomach
recommendations based on improving public health
complaint. Donohue sued and succeeded at trial,
and safety.
lost on appeal, and then succeeded in the House of
Lords. The matter of significance was that Donohue
6 The following sections on Common Law Duty of Care and Statutory Case Law have been referenced from an unpublished paper on Guide to Safe Design prepared by J Culvenor and
P Rozen for NOHSC, October 2004..
7 Donoghue v Stevenson [1932] AC 562. Also see Brooks, A; Occupational Health and Safety Law, 4th Edn, CCH, Sydney, Australia 1993, p 219

14 australian SAFETY and compensation council

had no contractual connection with Stevenson
(the manufacturer). The House of Lords decision
established clearly that the duty of care extended
to whoever might reasonably be injured by the
product regardless of the existence or otherwise of
a contractual connection8. Lord Atkin provided the
leading judgement when he described the duty of
manufacturers as follows:
[a] manufacturer of products, which he sells
in such a form as to show he intends them to
reach the ultimate consumer in the form in
which they left him with no reasonable possibility
of intermediate examination, and with the
knowledge that the absence of reasonable care
in the preparation or putting up of the products
will result in an injury to the consumer’s life or
property, owes a duty to the consumer to take
that reasonable care9.
It has been established that the term ‘manufacturer’
used in the Donoghue and Stevenson doctrine
includes all parties who work on the product. These
parties include assemblers, repairers, suppliers and
distributors (Kellam 2000)10. In exercising the duty
of care the ‘manufacturer’ must take due care in
design11, manufacture12, warnings13, instructions14,
labelling15 and packaging16. Although the Donohue
v Stevenson case was concerned with the liability of
a manufacturer of a product to a consumer of the
product, these general principles have frequently
been applied in a workplace setting, for example
in Hardchrome Engineering Pty Ltd v Kambrook
Distributing Pty Ltd17. Kambrook supplied a fryer to
Hardchrome, which subsequently caused ignition
of a fire. Kambrook, as a designer and supplier, was
determined to owe a duty of care to the purchaser.
Kambrook in their role as supplier was deemed
negligent. In Howard v Furness Houlder Argentine
Lines Ltd18, a welder employed on a ship was
able to recover damages when he was injured by
steam escaping from a boiler. Marine engineers
engaged by the welder’s employer had negligently
assembled the boiler. The fact that there was no
contract between the welder and the installer did
not limit the recovery of damages for the welder.
It was reasonably foreseeable to the installer that
negligence on its part could result in injury to the
welder, who was the ‘end-user’ of the boiler.
The duty extends to a supplier of plant and
equipment even where the employer to whom
the item was supplied did not employ the worker
injured. In Griffiths v Arch Engineering19, a grinding
machine was supplied to Arch by Griffiths. Arch
had been sub-contracted by the plaintiff’s employer
to perform some welding work. An employee of
Arch in turn lent the grinder to the plaintiff who was
injured when the grinding wheel flew off and hit
his hand. The plaintiff succeeded in an action for
damages against both the initial supplier (Griffiths)
and the immediate supplier (Arch). The court held
that it was reasonably foreseeable that a person in
the position of the plaintiff could be injured if he
was not informed about the necessary conditions for
the safe use of the grinder.
The broad nature of the duty owed is illustrated
by the case of Wright v Dunlop Rubber Co.Ltd20.
The plaintiff worked in a tyre manufacturing plant

8 Luntz, H. & Hambly, D. 2002, Torts:Cases and Commentary, 5th edn, Lexis Nexis Butterworths, Chatswood, New South Wales.
9 [1932] AC 562 at 599. (Also Brooks p 219)
10 Kellam (2000, p. 205) cites Malfoot v Noxal Limited (1935) 51 TLR 551.
11 Kellam (2000, p. 206) cites: Hindustan Steam Shipping Limited v Siemens Bros & Co Limited (1955) 1 Lloyds Rep. 167; Australian Shipbuilding Industries (WA) Pty Limited v
Packer (unreported FC SCWA 11/2/93, 192 of 1991.
12 Kellam (2000, p. 206) cites: Helicopter Sales (Australia) Pty Limited v Rotor-Work Pty Limited (1974) 132 CLR 1; Fletcher v Toppers Drinks Pty Limited (1981) 2 NSWLR 911; Grant v
Australian Knitting Mills (1936) AC 85.
13 Kellam (2000, p. 206) cites: Vacwell Engineering Co Limited v BDH Chemicals Limited (1971) 1 QB 88; Devilez v Boots Pure Drug Co (1962) 106 SJ 552; Todman v Victa (1982) VR
849; Norton v Streets Ice Cream (1968) 120 CLR 635; Thompson v Johnson & Johnson Pty Limited (1989) Aust Tort Reports 80-278; H v Royal Alexendra Hospital for Children (1990)
Aust Tort Reports 81-000.
14 Kellam (2000, p. 206) cites: British Charter Co of South Africa v Lennon (1915) 31 LTR 585; Clarke v Wife v Army & Navy Co-op Society Limited (1903) 1 KB 155; Anglo Celtic
Shipping v Elliot (1926) 42 TLR; and others.
15 Kellam (2000, p. 206) cites Blacker v Lake & Elliot (1912) 106 LT 533.
16 Kellam (2000, p. 206) cites Watson v Buckley, Osborne, Garrett & Co Limited (1940) 1 All ER 174
17 VSC 359 (13 Sept 2000).
18 [1936] 2 AllER 781 at 789
19 [1968] 3 All ER 217. (Also Brooks p 219).
20 (1972) 13 KIR 255. (Also Brooks p 220).

SAFE DESIGN FOR ENGINEERING STUDENTS 15

operated by Dunlop. He contracted bladder cancer
through exposure to ‘Nonox S’, a compound used
in the manufacture of tyres. However, he did not
work in the part of the plant where the compound
was ‘used’, but was exposed as a result of fumes
that had travelled through the plant. The court
held that ICI, who manufactured ‘Nonox S’, was
aware of the risks associated with exposure to the
fumes. Therefore, it owed a duty of care to any of
the employees of a company to which it supplied
the compound.
The duty extends, beyond the plant or substance
that is supplied, to its packaging. In Adelaide
Chemical and Fertlizer Co. Ltd v Carlyle21, the
plaintiff suffered severe burns when an earthenware
jar that contained concentrated sulphuric acid
broke when he was handling it. Although the jars
were in general use as containers of acid, the High
Court upheld a finding that the jars were inherently
unsuitable for the purpose for which they were
employed. Therefore, the manufacturer was in
breach of its duty of care to the worker.
Designers and architects are also caught by the rule
in Donoghue v Stevenson. For example, in the case
of Greaves & Co v Baynam Meikle and Partners22, a
building contractor became liable for inadequacies
in the construction of a warehouse. The contractor
had subcontracted the design of the warehouse to
a firm of architects and engineers. The firm was
told that the warehouse would be used to store
oil drums on the first floor. A code of practice that
had been issued by the British Standards Institute
warned of certain dangers associated with the
construction mode that the firm was employing.
However, the court found that the engineers had
paid insufficient regard to the warning and thereby
breached the duty of care they owed to the building
contractor to exercise reasonable care in the design
of the warehouse.
An Australian example of the duty owed by the
designer of a building is found in the case of Voli
v Inglewood Shire Council23. An architect had
designed the stage of a shire hall. The design of the
21 (1940) 64 CLR 514
22 [1975] 3 All ER 99
23 (1962) 110 CLR 74
24 (1962) 110 CLR 74 at 84
25 Brooks, A; Occupational Health and Safety Law, 4th Edn, CCH, Sydney, Australia 1993: p222
26 Ibid
16 australian SAFETY and compensation council
stage was inadequate because the floor joists were
of insufficient size having regard to the Council by-
laws and standards prescribed by the Australian
Standards Association. Despite this, the Council had
passed the drawings. Approximately one year after
the building was built, the stage collapsed during
a council meeting injuring a number of people
who were sitting on it at the time. The High Court
identified the ‘important question’ in the case as
being whether an architect in such circumstances
owed a duty of care to an end user of the stage24.
The court held that the architect owed a duty of
care to exercise reasonable care and skill to avoid
injury to any ultimate user of the structure.
Brooks25 summarises the three types of precautions
that a designer, manufacturer, etc. is required
to take:
- The inclusion in the product of safety
features, or the designing and manufacturing
of a somewhat different product omitting
the dangerous aspect and including a safe
substitute part;
- Second, if that is not possible, the
accompaniment of the product by adequate
warnings of the danger and of the safest
methods of use;
- Third, the withdrawal of the whole product
from the market.
Brooks adds that:
There is no liability, however, if these precautions
are not practicable. This is tested by looking at
cost, interference with the functioning of the work
process in which it is to be used, and the existence
of separate risks. If the precaution is inordinately
expensive in relation to the return from the
product to the designer, manufacturer, etc. it is not
practicable to take it. If the precaution itself creates
other risks, it is not practicable. If it interferes
inordinately with the operation or use of the product,
it is not practicable (subject to it being established
that it is also impracticable to discontinue the
product altogether and substitute another)26. Clark
and Kellam highlight that in Australia it is well
settled, that in most cases, a duty of care is owed
by the manufacturer and supplier of goods to the
purchaser or user. The common law provides that
the manufacturer ought reasonably to have the user
in mind when considering the issues of design,
manufacture, safety and distribution27.
In summary the common law duty of care
requires that if a person can practicably reduce a
foreseeable risk then they should do so. Those who
have influence over reductions in foreseeable risk
should use it to ensure safety downstream as far as
can practicably be achieved. Since the ‘snail in the
ginger beer’ case of Donohue and Stevenson, in the
1930s, the law has developed to a point where all
who influence a product, to whoever might later be
affected by that product, owe a duty of care.
Statutory Case Law
Generally speaking, duties of designers,
manufacturers, suppliers and importers are limited
to circumstances where the plant or substance
manufactured or supplied is ‘properly used’. Thus
a manufacturer of plant in Victoria has a duty to
‘ensure, so far as is practicable, that the plant is so
designed and constructed as to be safe and without
risks to health when properly used’. Such provisions
appear to be based on a recognition that it is
inappropriate, and perhaps unrealistic, to impose
on a third party to the workplace relationship, a duty
that extends to risks arising from the improper use
of plant and substances. After all, the employer has
a duty to supervise the work of its employees.
There is also an onus on the manufacturer and
distributor of equipment to understand the purpose
to which the equipment is likely to be put, and
ensure the equipment is designed to perform safely
in this circumstance. It is no longer acceptable
simply to label equipment as safe when used as
instructed, or when used for the purpose for which
the equipment was designed.
Two recent cases publicised by WA WorkSafe
Commission and WorkCover NSW illustrates these
concepts well.
27 Clark and Kellam (1999)
28 WA Consumer and Employment Protection, SafetyLine Magazine, October 2003, p 13. Accessed online Sept 2005 at http://www.safetyline.wa.gov.au/pagebin/wswaslmg0374.pdf
29 WA Consumer and Employment Protection, Media Statement, 23 July 2003. Accessed online January 2004 at http://www.docep.wa.gov.au/default.asp?id=media/2003/july/
20030723&media=media
30 WorkCover NSW, Media Releases, 18 May 2001. Accessed online September 2005 at http://www.workcover.nsw.gov.au/MediaResources/MediaReleases/2001/18may2001.htm
In 2001, a worker in WA sustained a significant
back injury when he fell from a grape picking
machine while he was attempting to clear a
blockage in the mechanism. His employer was
fined, but the manufacturer of the equipment was
also fined $20,000 after being found guilty of failing
to ensure that the design of a machine was safe for
use in a workplace28.
In a media release by WorkSafe WAs Acting
Executive Director29, it was stated ‘the prosecution…
was important in a number of ways. This is one of
the very few cases where WorkSafe has successfully
prosecuted the supplier or importer of a machine
involved in a workplace incident. It is also an
unusual case in that we had to utilise a section of
the Australian Constitution to cross jurisdictions
to prosecute a South Australian company. It was
decided by the court that the supplier of the
machine had not ensured that the design of the
machine was safe, and as a consequence, a worker
was very seriously injured’.
In 1997, a NSW Council employee had both arms
amputated when feeding tree branches into a wood-
chipping machine at the council’s waste transfer
station. The manufacturer/supplier of the wood
chipper was prosecuted for failing to ensure that the
wood-chipping machine was safe and without risk to
health. In the initial Industrial Relations Commission
decision, Mr Justice Marks ruled that the operating
manual provided with the wood-chipping machine
was adequate to warn of any risk to the health
and safety of persons using the equipment. On
appeal, WorkCover successfully argued that the
intended use of the machine by the purchaser
had been known by the manufacturer/supplier,
and that such use should have been known to be
inappropriate because of the regular blockages
that could be expected. The charge was brought
under the Occupational Health and Safety Act 1983
– specifically, Section 18 of the Act, which relates
to the obligations of suppliers and manufacturers
of machinery30.
SAFE DESIGN FOR ENGINEERING STUDENTS 17
WorkCover’s General Manager noted the far-
reaching implications of the judgement: The Full
Bench found that manufacturers and suppliers
of machinery must ensure that the plant is safe
and without risk to health. If the machinery is not
safe, it is not open to a supplier to argue that the
worker was not using the machine properly. The
judges also ruled that an employer’s duty to guard
against acts of inadvertence; error or negligence by
employees should also be applied to a manufacturer
or supplier of plant31.
1.2.2 Business and Risk Framework
While business may be ultimately concerned with
a return on their investment in the form of profit,
responsible firms also ensure that their businesses
are both economically and socially well managed.
They recognise that it is in their best interests to
ensure that their products and their workplace are
safe for all those who are currently using them or
will use them in the future. One of the most effective
processes for ensuring safety is Risk Management.
In the following section, we outline the basic
principles of Risk Management and briefly discuss
their relevance to safe design. In Section 1.3 we
show how this process can be integrated with
traditional engineering design.
Risk Management
Organisations ensure safety through adopting
strategies to manage risk. Risk is defined as the
chance of something happening that will have
an impact upon an organisation’s objectives. It is
measured in terms of consequences and likelihood.
Risk may arise from commercial and legal
relationships, from economic circumstances, from
management or human behaviour, as a result of
natural events or political circumstances. However,
a significant source of risk is technology and its
human interfaces.

Establish the Context

Communicate and Consult

Monitor and Review

Identify Hazards

Analyse & Evaluate Risks

Control Risks

Figure 1.3: Risk management overview

Source: Adapted from Standards Australia (2004) Risk Management AS/NZS 4360:2004. Sydney, Standards Australia, p7-9

31 WorkCover NSW, Media Releases, 18 May 2001. Accessed online September 2005 at http://www.workcover.nsw.gov.au/MediaResources/MediaReleases/2001/18may2001.htm

18 australian SAFETY and compensation council

Safe Design requires some understanding of the
underpinning principles of risk management, some
facility with the common tools and techniques, and
the ability to apply them in a design context.
Risk management is a logical and systematic
method of establishing the context, identifying,
assessing, controlling, monitoring and
communicating risks associated with any
activity, function or process in a way that will
enable organisations to minimise losses and
maximise opportunities.
The Australian Standard, AS/NZS 4360:2004 Risk
Management, provides a framework to manage risk,
however it is generic, independent of any specific
industry or economic sector, and concerned mainly
with work processes. Risk management is not
only about avoiding harm, and therefore avoiding
litigation and losses. It is as much about identifying
opportunities to ensure safety because it is ethical
professional practice, socially responsible and
economically sound to do so.
The process of Risk Management is conceptualised
in Figure 1.3 and each of the steps is briefly
summarised. A more extensive explanation can be
found in the Risk Management Standard (AS/NZS
4360:2004).
Communicate and consult
Communicate and consult with internal and external
stakeholders as appropriate for each stage of the
risk management process.
Establish the Context
Establish the external, internal and risk manage-
ment context in which the rest of the process will
take place.
Risk Management standard options
> Avoid the risk – decide not to proceed with the activity
> Eliminate the risk – design out the hazard
> Reduce likelihood of consequence – modify the hazard
> Reduce the consequences – modify the hazard
> Transfer the risk – cause another party to bear or share
the risk
> Retain the risk – accept the risk and plan to manage
its consequence
Identify hazards
Identify potential sources of harm or damage.
Analyse & Evaluate risks
Risk analysis utilises a number of qualitative and
quantitative tools to:
> identify and evaluate any existing controls;
> determine the likelihood of a harmful event oc-
curring; and
> determine the consequences of such an event.
The purpose of risk evaluation is to determine the
level of risk and make decisions about which risks
need to be controlled and allows for prioritisation in
controlling the risks.
Control risks
Develop and implement specific strategies and
action plans for increasing safety, potential benefits
and reducing potential costs.
Monitor and review
It is necessary to monitor the effectiveness of all
steps of the risk management process. This is
important for continuous improvement. Risks and
the effectiveness of control measures need to be
monitored to ensure changing circumstances do
not alter priorities. It is important to ensure that
control measures have not introduced any new
hazards, and to ensure that control measures have
eliminated or reduced the risks.
Several different approaches can be adopted for
controlling risk. OHS risks are usually managed
using the Hierarchy of Control. The higher up the
hierarchy, the more effective the risk control:
Hierarchy of Control options
> Elimination of the hazard
> Substitution of the hazard
> Engineering Control of the hazard
> Administrative/Procedural Control of the hazard
> Personal Protective Equipment to protect against
the hazard
SAFE DESIGN FOR ENGINEERING STUDENTS 19
Risks and the effectiveness of treatment measures
need to be monitored to ensure changing
circumstances do not alter priorities.

1.2.3 Professional Framework

A number of Professional organisations, such
as Engineers Australia, accept responsibility for
ensuring that members of their profession are
appropriately trained and competent to carry out
their professional duties. To achieve this objective,
they are charged with accrediting educational
courses in undergraduate education, providing and
monitoring continuing professional development,
and certifying professional competence. Individuals
wishing to be identified as certified members of
such a profession, such as CPEng, must show that
they have met their obligations as prescribed by
their professional body.
Membership in a professional organisation can
be seen by the public as an indication that the
individual has met some rigorous standards and
is a competent practitioner who is less likely to
neglect their duty of care. To facilitate this process
of self-regulation, The NSW Professional Standards
Act 1994, for example, endorses the mandate
of professional bodies to regulate standards of
professional behaviour and thus limit their liability
so that public liability insurance is much more
affordable. These aspects of professional behaviour
are especially relevant to the design of new and
innovative products, processes and systems.
Many professional organisations have endorsed
a Code of Ethics or Practice that guides the
professional conduct of their members. Such
codes form a basic framework for ensuring that
members behave in a way that is in keeping with
what the whole organisation deems to be proper
conduct, and don’t bring criticism or disrepute to
the profession as a whole. Failure to comply with
a Code of Ethics can result in disciplinary action
or disbarment. The Code of Ethics of Engineers
Australia, for example, holds the health and
wellbeing of the community as the paramount
concern of its members.

20 australian SAFETY and compensation council


1.3 SAFE ENGINEERING DESIGN
Safe Engineering Design integrates risk
management principles into engineering design by
systematically identifying hazards, or minimising
potential risk, and involving users and decision
makers in considering the full life cycle of the
product, process or system. Both approaches
complement each other so that a holistic approach
to Safe Design results. Safe Engineering Design
implements risk management principles at each
stage in the design process. By identifying hazards
as early in the life cycle as possible, losses in terms
of life, injury and costs can be minimised and safety
can be ensured for current and future users
Safe Engineering Design can be modelled as a
sequence of stages (Figure 1.4). At each stage
in engineering design, it is possible to consider
appropriate risk management strategies. The
composite model enhances the ability for
designed products to be safely manufactured,
used throughout their life cycle and disposed.
The following procedures can be drawn from this
model and form a process for Safe Engineering
Design. The tools provided within the Safe Design
for Engineering Students (SDES) can be used to
support decision-making throughout the process.
1.3.1 DESIGN CONTEXT
> Accept the professional and ethical mandate
to ensure that the safety and wellbeing of the
community is of paramount concern.
f Toolkit* 1.4.10: Code of Ethics
> Establish the external context, including
the business, social, regulatory, cultural,
competitive, financial and political environments,
* The toolkit is located in section 1.4 of this document.
>>>>
to ensure that the stakeholders objectives have
been considered.
> Define the internal context, including their risk
policy and the overall goals of the organisation.
> Establish the risk management context, setting
the scope and boundaries for the specific project
and specifying the nature of the decisions that
need to be made regarding risk.
> Identify the roles and responsibilities of various
parts of the organisation in relation to the
project, and the relationship between this project
and other projects in the whole organisation.
> Decide the criteria against which risk will
be evaluated. Decisions may be based on
operational, technical, financial, legal, social,
environmental, humanitarian or other criteria.
> Develop a Safe Engineering Design framework
for the project, by identifying the steps in the
process that need to be taken to ensure that
risks are addressed throughout the life cycle of
the designed product.
1.3.2 DESIGN REQUIREMENTS
> Review historical risks and failures for
similar projects.
Use a variety of qualitative and quantitative
techniques and tools to amass sufficient information
concerning possible and probable risk regardless
of whether they are under the control of the
organisation. Be creative and predict possible and
probably scenarios.
SAFE DESIGN FOR ENGINEERING STuDENTS 21
 Design Context

Identify Establish
Problem/ Risk
Need Context

Design Requirements

Gather Identify
Information Risks

Communicate and Document

Monitor and Review

Design Options

Generate Analyse &

Multiple Evaluate
Solutions Risks

Design Synthesis

Select Control
Solution Risks

Design Completion

Implement & Test

Figure 1.4: A Model for Safe Engineering Design

22 australian SAFETY and compensation council

Example Techniques
- Creative thinking, brainstorming and whole
brain thinking techniques (e.g. Edward
de Bono)
- Judgements based on experience and records,
flow charts, systems and scenario analysis
- Checklists and guidewords. They are applied
to various sections of a design to stimulate
discussion and risk identification. The
implications derived from the guidewords and
checklists upon an element of the design is
considered.
f Toolkit* 1.4.1: Designer misconceptions
f Toolkit 1.4.2: Construction Hazard Analysis
Implementation Review (CHAIR)
f Toolkit 1.4.3: Plant Hazard Checklist
f Toolkit 1.4.4: Process industry guidewords
> Systematically generate a list of risks and events
that might affect the project and consider
possible causes and scenarios. Some techniques
are listed in AS/NZS 3931:1998 Risk analysis of
technological systems – Application guide
> Document in appropriate ways to ensure
usability throughout the life cycle. Accurate and
complete documentation is especially important
to those 'downstream' of the process who
may need to modify or maintain the product
or process.
1.3.3 Design Options
> Consider the sources of risk and the likelihood of
their occurrence. Risk is analysed by combining
consequences and their likelihood.
> Consider both technical and human factors.
> Use both quantitative and qualitative techniques
to systematically analyse possible risks.
f Toolkit 1.4.5: Failure Mode and Effects Analysis
(FMEA)
f Toolkit 1.4.6: Event Tree Analysis (ETA)
* The toolkit is located in section 1.4 of this document.
f Toolkit 1.4.7: Fault Tree Analysis (FTA)
> Reconsider any outcomes from techniques
applied in the Design Requirement stage.
> Consider risk homeostasis, humans' ability
to change behaviour to compensate for
design changes.
> Prioritise to support design options
> Develop a set of conceptual designs that meet
the criteria for safety.
> Justify design options.
> Document rationale.
1.3.4 Design Synthesis
> Systematically assess the design options
against the risk criteria you established in the
design context.
> Reconsider the human factors, such as
homeostasis.
> Develop a risk treatment strategy. For any issues
concern OHS, apply the Hierarchy of Control
otherwise apply the Standard Risk Management
Treatment Options.
The Hierarchy of Control requires you to try to
achieve the highest level of control.
1. Control hazards by eliminating them at the
design stage.
2. Control hazards by substituting them with
lesser hazards.
3. Use engineering controls to isolate people
from the hazard.
4. Use administrative controls to train and
warn people of hazards.
5. Use personal protective equipment to
reduce exposure to hazards.
f Toolkit 1.4.8: Hierarchy of Control
> Determine the decision-making approach
to select the optimum solution. Balance the
costs of implementing against the benefits
derived. Consider all the direct and indirect
SAFE DESIGN FOR ENGINEERING STUDENTS 23
 costs and benefits, tangible or intangible, and
measured in financial or other terms, such as
human suffering.
f Toolkit* 1.4.9: Incident investigation
f Toolkit 1.4.10: Code of Ethics
> Prepare and implement risk treatment plans for
the life cycle of the designed product.
1.3.5 Design Completion
> Conduct walk throughs and test runs.
> Test with various users of the product in
its current stage and consider future users
throughout its life cycle.
> Anticipate misuse throughout its life cycle.
> Document results and observations to ensure
that users downstream in the life cycle will be
able to control risks and ensure safety.
1.3.6 Monitor and review throughout
the life cycle
> Vigilant monitoring is essential to ensure
safety throughout the life cycle of the
designed product.
> On-going review ensures that the data obtained
through monitoring is available for feedback into
the system.
> Ensure that the safety recommendations and
residual risks within the design are documented
for users 'downstream' in the life cycle.
> Take steps to ensure that essential modifications
and maintenance are carried out and
documented for future users.
* The toolkit is located in section 1.4 of this document.
24 australian SAFETY and compensation council
1.3.7 Communicate and Document
throughout the life cycle
> Communicate with relevant stakeholders at
every point.
> Consult with appropriate users, operators,
maintainers, handlers.
> Document to ensure that others can follow your
design plans and modifications.
> Document to ensure that you can demonstrate
duty of care.
> Ensure that key information, concerning actions
taken to address safety, is adequately recorded
and transferred from the design/planning phase
and that those involved at later life cycle stages
have access to information about any residual
risks that may affect their health and safety.
Summary
To achieve Safe Design in engineering,
engineers should:
> Accept their professional responsibility to ensure
the safety and wellbeing of the community as
their paramount concern
> Understand the basic principles of Safe Design
> Know and follow the underpinning legal,
business and professional framework for safety
> Integrate risk management concepts with
engineering design methodology and follow a
Safe Engineering Design process
> Consider human factors
> Apply Safe Design principles throughout the
entire life cycle of designed products
> Implement Safe Design as early in the life cycle
as possible, and
> Continually develop their professional abilities as
Safe Design engineers.

1.4 SAFE DESIGN ENGINEERING TOOLkIT
A wide range of knowledge, skills and attitudes are
needed to be able to effectively create engineered
products that meet the Safe Design principles.
There are also many tools and techniques that have
been developed to help you systematically identify
and assess risk and deal with the complexity of
socio-technical systems. Some tools and techniques
are relatively generic while others are specialised for
particular types of engineered products.
There are many tools available for identifying,
analysing, and evaluating risks. This Safe Design
Engineering Toolkit presents some simple but
powerful tools that we have adapted for this
resource. The intention of the toolkit is to provide an
introductory overview of each of the tools so that the
reader is aware of systematic approaches to safe
Design and can analyse the educational material
presented in this resource.
Guidewords and checklist tools
f Toolkit 1.4.1: Designer Misconception Checklist
f Toolkit 1.4.2: Construction Hazard Analysis
Implementation Review (CHAIR) guidewords
f Toolkit 1.4.3: Plant Hazard checklist
f Toolkit 1.4.4: Process Flow guidewords
Risk Analysis tools
f Toolkit 1.4.5: Failure Mode and Effects
Analysis (FMEA)
f Toolkit 1.4.6: Event Tree Analysis (ETA)
f Toolkit 1.4.7: Fault Tree Analysis (FTA)
Risk Treatment tool
f Toolkit 1.4.8: Hierarchy of Control (HoC)
f Toolkit 1.4.9: Incident Investigation
>>>>
Professional Responsibility tool
f Toolkit 1.4.10: Code of Ethics
1.4.1 DESIGNER MISCONCEpTION CHECkLIST
Purpose of the tool
This tool has been developed to help designers
systematically test products and processes for
design misconceptions (Health & Safety Executive,
2003). It was thought that Safe Design could be
improved through examining accident reports
and identifying the types of misconceptions that
may have been inherent in the engineered system
or operating procedures which contributed to
the accident.
This analysis resulted in categorising around 30
main types of misconceptions that designers of
these seemed to suffer and which would therefore
make their designed product contain hazards.
These misconceptions include those designers have
of operators, operators’ intentions and the operating
environment. An operator is anyone involved in the
operational life of a system, including maintenance
staff and people carrying out mid-life modifications.
A set of about 20 misconceptions that operators of
hazardous installations made was also identified,
but is not discussed in this document. Those
misconceptions include those the operator may
have about the design, its rationale and boundaries
of safe operation.
This tool was not designed to replace technical
analysis such as HAZOP* or FMEA but to
complement them and provide another perspective
on hazard identification.
* HAZard and Operability
SAFE DESIGN FOR ENGINEERING STuDENTS 2
Process for using the tool It is suggested that the use of the tool is likely to
be most effective as a collective activity and that it
The user of this tool is seeking to find out if the
provides a way of group members within a design
designed item is vulnerable to any of the designer
team understanding each others’ assumptions as
misconceptions listed in Table 1. The suggested
well as their own.
process is to systematically work through the listed
assumption types one-by-one.

Table 1.1: Designer Misconception checklist

Designers wrong beliefs Explanation about the belief Example

The belief that operators will seek information about the Clips secured fuel lines which
Active monitoring
system condition – whereas they are often passive recipients required regular monitoring
The belief that operators will update their knowledge when No cues provided on vessels’
Adaptive behaviour they use new equipment – whereas they sometimes rely on handling characteristics to pilots
knowledge acquired from using old ones used to other vessels
The belief that operating conditions are benign or have little Weighing anchor took too long for
Benign conditions effect on the use of the system – or that operators use systems a vessel to escape strong flow
differently in difficult environments
The belief that operators have good knowledge from experience Master of vessel sailed into a
Boundary knowledge about a system’s limit states – whereas operators cannot damaging storm centre
explore limit states because of the risks
The belief that design practices towards operating Use of wave loadings developed
General practices environments are general – whereas operating environments in naval practice for offshore
are more varied than the practices recognise. structures
The belief that operating procedures can avoid a harm that System left in hazardous state
Guaranteed operating is inherent in the design – whereas procedures may be too without indication after failure
procedures general and are often violated to observe permit-to-work
procedures
The belief that precautionary aids will increase system Searchlight failed when used
Reliable aids reliability – whereas operators will not routinely check and channel unlit by beacons
operate aids not in routine use
The belief that emergency conditions will only be of Evacuation system would not
Specific emergency
particular kinds – whereas emergency conditions are highly function in a partial capsize
conditions
unpredictable by their nature
The belief that operators will sustain high attention levels Lack of device to alert sleeping
Sustained attention
– whereas attention is degraded in a variety of conditions operator to hazardous condition

Designers missing Explanation about the belief Example

beliefs
Not anticipating how the design could stop an operator Operator lowered immersion suit
Confounded goal meeting a reasonable goal and resorting to a hazardous hood rendering it ineffective
behaviour
Transmission Not anticipating how a hazard could be quickly transmitted Water drains carried burning
mechanism between locations in a complex system hydrocarbons

26 australian SAFETY and compensation council

 Designers missing Explanation about the belief Example
beliefs
Not anticipating how the design requires operator to Controls located out of view of
Need for control
exercise control affected operation
Not anticipating how the design fails to provide cues needed No visible indication of equipment
Need for cues
by operators in hazardous state
Need for precautionary Not anticipating how the design requires operator to perform No service life stated for devices
instruction precautionary actions needing replacement
Not anticipating how the design allows operators to Operator fully opened wrong valve
Activating a hazard
activate hazards during startup
Ambiguity during Not anticipating how the design is opaque to operators during Layout was disorienting when
emergency emergency conditions filled with smoke
Information need in Not anticipating how the design requires operator to have Lack of valve position indication
emergency conditions particular information needs in emergency conditions during manual control
Biased information Not anticipating how the design is vulnerable to characteristic Operators are biased toward
seeking human biases in information seeking or processing looking for hazards straight ahead
Not anticipating how the design could be vulnerable to Interference between rope and
Component interference
operators causing components to interfere chain caused rope to part
Not anticipating that the design is vulnerable to operators Master continued to sail into
Gambling behaviour
knowingly taking risks for some payoff storm after minor damage
Not anticipating that the design is vulnerable to operators Operator forgot to disengage
Interrupted attention
suffering interruptions and hence lapses autopilot on condition change
Not anticipating that the design is vulnerable to operators Operator neglected to verify
Over-dependence depending on a system beyond its safe regime navigation system that gave no
indication of its own failure
Not anticipating that the design is vulnerable to operators Docking system destroyed after
Repeated attempts
having to make multiple attempts to make it work repeated attempts
Not anticipating that the design appears to be capable of Fryer element used to dry after
Unintended use
being used in unintended ways cleaning
Not anticipating that the design gives a display which can be Operator read emergency display
Wrong-sense
interpreted in a wrong sense as though it were the primary
interpretation of display
display
(After Health & Safety Executive, 2003)

Application of the tool An example of documentation arising from the

application of the tool is provided in Table 2. This
Since this tool is based on an analysis of past
documentation can be used as part of ongoing
accidents it can not be assured that it covers all
design reviews particularly during modifications
misconceptions, therefore it should be used to
to the item.
trigger thinking about hazards rather than limiting
thinking to the listed items.

SAFE DESIGN FOR ENGINEERING STUDENTS 27

Table 1.2: Example of design documentation.

Scope Design of marine docking area

Type of misconception Expectation of boundary knowledge
What are the assumptions? Boat crew will know how close they can approach the platform before
disengaging autopilot
Boat crew will know if any collision damage from repeated attempts at approach
is catastrophic
Boat crew will know if sea condition too severe for intended approach
Under what conditions this assumption Crew may be distracted during the approach
could be contradicted? Crew may be unfamiliar with vessel type or autopilot if this differs from others in
the fleet.
Actions needed
Criticality High-Medium-Low
(Adapted Health & Safety Executive, 2003)
Reference
Health and Safety Executive (2003) Mutual misconceptions between designers and operators of hazardous installations, Research Report 054, ISBN 0-7176-2622-9, HSE books,
available online

1.4.2 Construction Hazard Analysis The overview guidewords used for the whole design
Implementation Review concept are:
guidewords > Environmental Conditions
In the construction industry the HAZOP process
> Toxicity
has been adapted by Workcover NSW and industry
partners to create the Construction Hazard > Environmental Impact
Assessment Implication review (CHAIR). CHAIR-1 > Inspection and Testing
is a conceptual design review. There are two sets of
> Documentation and Quality Control
guidewords.
> External Safety interfaces
The generic guideword used for each design
element are: > Fire/Explosion identified
> Size > Utilities and Services
> Position/Location > Maintenance.
> Movement/Direction
Process of using the tool
> Energy
The user systematically works through the
> Egress/Access guidewords one-by-one. The guidewords are used
> Heights/Depths to trigger thinking about hazards.

> Poor Ergonomics

Application of the tool
> Load/Force
An example of documentation arising from the
> Timing. application of the tool is provided in Table 1.3. This
documentation can be used as part of ongoing
design reviews particularly during modifications to
the item.

28 australian SAFETY and compensation council

Table 1.3: Outcome from CHAIR-1 using the Heights/Depths guideword.

Consequences

Person Resp..
Safeguards
Guideword

Risk Issue

Causes

Action
No.

2.1 Height/ Construction of Construction/access Confined Designated Drain design

Depths drains to drain is possible space confined space should avoid where
confined space injury procedure possible the need
to be classed as
confined space
2.2 Height/ Interference with Plant equipment Injury/ Safe management Designer to indicate
Depths powerlines in contact with fatality procedures position and height
powerlines of all powerlines
to assist with site
safety procedure
(From WorkCover NSW, 2001)
Reference
WorkCover, NSW (2001) CHAIR Safety in Design tool. Contains extensive documentation and further examples.
http://www.workcover.nsw.gov.au/Publications/OHS/SafetyGuides/chairsafetyindesigntool.htm

1.4.3 Plant Hazard checklist > coming in contact with moving parts of the
plant during testing, inspection, operation,
As a designed item, Plant are a major source of
maintenance, cleaning or repair?
hazards. The checklist reproduced below was
developed by WorkSafe Victoria. > being trapped between the plant and materials
or fixed structures?
a) Entanglement > other factors not mentioned?
Can anyone’s hair, clothing, gloves, necktie,
jewellery, cleaning brushes, rags or other materials c) Cutting, stabbing and puncturing
become entangled with moving parts of the plant, or Can anyone be cut, stabbed or punctured due to:
materials in motion?
> coming in contact with sharp or flying objects?
b) Crushing > coming in contact with moving parts of the
Can anyone be crushed due to: plant during testing, inspection, operation,
maintenance, cleaning or repair of the plant?
> material falling off the plant?
> the plant, parts of the plant or work pieces
> lack of capacity for the plant to be slowed, disintegrating?
stopped or immobilised?
> work pieces being ejected?
> parts of the plant collapsing?
> the mobility of the plant?
> being thrown off or under the plant?
> uncontrolled or unexpected movement of
> uncontrolled or unexpected movement of the the plant?
plant or its load?
> other factors not mentioned?
> the plant tipping or rolling over?

SAFE DESIGN FOR ENGINEERING STUDENTS 29

d) Shearing
Can anyone’s body parts be sheared between two
parts of the plant, or between a part of the plant and
a work piece or structure?
e) Friction
Can anyone be burnt due to contact with moving
parts or surfaces of the plant, or material handled
by the plant?
f) Striking
Can anyone be struck by moving objects due to:
> uncontrolled or unexpected movement of the
plant or material handled by the plant?
> the plant, parts of the plant or work
pieces disintegrating?
> work pieces being ejected?
> mobility of the plant?
> other factors not mentioned?
g) High pressure fluid
Can anyone come into contact with fluids under
high pressure, due to plant failure or misuse of
the plant?
h) Electrical
Can anyone be injured by electrical shock or burnt
due to:
> the plant contacting live electrical conductors?
> the plant working in close proximity to
electrical conductors?
> overload of electrical circuits?
> damaged or poorly maintained electrical
leads and cables?
> damaged electrical switches?
> water near electrical equipment?
> lack of isolation procedures?
> other factors not mentioned?
30 australian SAFETY and compensation council
i) Explosion
Can anyone be injured by explosion of gases,
vapours, liquids, dusts or other substances,
triggered by the operation of the plant or by material
handled by the plant?
j) Slipping, tripping and falling
Can anyone using the plant, or in the vicinity of the
plant, slip, trip or fall due to:
> uneven or slippery work surfaces?
> poor housekeeping, eg. swarf in the vicinity of
the plant, spillage not cleaned up?
> obstacles being placed in the vicinity of
the plant?
> other factors not mentioned?
Can anyone fall from a height due to:
> lack of a proper work platform?
> lack of proper stairs or ladders?
> lack of guardrails or other suitable
edge protection?
> unprotected holes, penetrations or gaps?
> poor floor or walking surfaces, such as the lack
of a slip-resistant surface?
> steep walking surfaces?
> collapse of the supporting structure?
> other factors not mentioned?
k) Ergonomic
Can anyone to be injured due to:
> poorly designed seating?
> repetitive body movement?
> constrained body posture or the need for
excessive effort?
> design deficiency causing mental or
psychological stress?
> inadequate or poorly placed lighting?
> lack of consideration given to human error or
human behaviour?
> mismatch of the plant with human traits and 1.4.4 Process Flow Guideword
natural limitations?
In the chemical and petroleum industries HAZOPs
> other factors not mentioned? have been particularly used to identify deviations
in the process design intent and their subsequent
l) Suffocation effects on the process as a whole. When the
Can anyone be suffocated due to lack of oxygen, guidewords are combined with process parameters
or atmospheric contamination? or conditions (keywords) then a possible deviation
from the design might result. The credible
m) High temperature or fire causes for that condition can then be listed and
if this results in a hazard then safeguards can
Can anyone come into contact with objects at be developed.
high temperatures?
Guidewords Keywords
Can anyone be injured by fire?
> High > Flow
n) Temperature (thermal comfort) > Low > Temperature
> Zero > Pressure
Can anyone suffer ill-health due to exposure to
high or low temperatures? > Empty > Level
> Reverse > Isolate
o) Other hazards > Also > React
Can anyone be injured or suffer ill-health from > Other > Mix
exposure to: > Testing > Drain

> chemicals? > Plant items > Inspect

> Electrical > Maintain
> noise?
> Composition > Start-up
> toxic gases or vapours?
> Shutdown
> vibration?
> fumes? Application of the tool

> radiation? The combination of the low (guideword) with Flow

(keyword) would lead to the possible causes for
> dust? the condition of low flow to be identified. The
> other factors not mentioned? causes could then be used to identify hazards. The
causes identified could include; line restriction,
Reference
filter blockage, defective pumps, fouling of vessels,
WorkSafe Victoria
valves, restrictor or orifice plates, density or viscosity
Go to http://www.workcover.vic.gov.au then search the site for ‘Plant Hazard checklist’
problems, incorrect specification of process fluid.

1.4.5 Failure Mode and Effects

Analysis (FMEA)

Purpose of this tool

FMEA is a risk assessment procedure by which
each potential failure mode in a system is analysed
to determine the results, or effects thereof, on the
system and to classify each potential failure mode
according to its severity.

SAFE DESIGN FOR ENGINEERING STUDENTS 31

This is an analytical technique, which explores
the effects of failures or malfunctions of individual
components in a system – i.e. ‘If this part fails,
in this manner, what will be the result?’ First the
system under consideration must be defined, so
that system boundaries are established. Thereafter
the essential questions are:
> How can each component/part fail?
> What might cause these modes of failure?
> What could the effects be if the failures
did occur?
> How serious are these failure modes?
> How is each failure mode detected?
The methodology used below is illustrative of the
technique rather than definitive.
Process of using the tool
1. Scope the analysis
> Decide on the appropriate level at which to
perform FMEA (e.g. subsystem, assembly,
component, part).
> Decide on focus of FMEA (e.g. safety, reliability,
repair cost).
Rank Category Degree
1-3 I Minor
4-6 II Critical
7-9 III Major
10 IV Catastrophic
32 australian SAFETY and compensation council
2. Failure modes, consequences & severity (SEV)
> Determine failure mode for specified object or
process. Include everyway it could fail involving
both random and degradation failures. (e.g.
crack, deform, fracture, loosen, worn, leaking,
sticking, slipping, corrosion).
> Determine potential effect/consequence of the
failure as perceived by the affected party (e.g.
noise, loss of power, seizure, odour, loss of
function, erratic operation).
> Determine the severity according to specific
criteria (e.g. environmental, safety and health or
customer satisfaction).
Severity ranking using Environmental, Safety and
Health criteria:
These criteria can be used to describe the worst
case incident resulting from equipment or process
failure. Category II, III and IV are considered
unacceptable risks.
Description
Functional failure of part of machine or process – no
injury or exposure to personnel or release of chemicals to
the environment
Failure will probably incur minor injury and damage. Minor
injury (e.g. small cut or burn) can be handled by First Aid but
are not considered lost time cases.
Major damage to system and/or potential serious injury to
personnel (requiring medical attention other than first aid)
Failure causes complete system loss and/or potential for
fatal injury
Severity ranking using customer satisfaction criteria: The customer and supplier should collaborate in
formalising these criteria.

Rank Degree Description

1-2 Minor Failure is of a minor nature and the customer will probably not notice or is of a
cosmetic nature
3-5 Low Failure will result in slight customer annoyance and/or slight deterioration of part or
system performance
6-7 Moderate Failure will result in customer dissatisfaction and/or deterioration of part or
system performance
8-9 High Failure will result in high degree of customer dissatisfaction and cause non-
functionality of a system
10 Major Failure will result in major customer dissatisfaction and cause non-system operation or
non-compliance with government regulations.

3. Failure causes & occurrence (OCC) Occurrence ranking:

> Determine the causes of the failure mode (eg.
vibration, contamination, temperature, overload,
electric power interrupt, insufficient material
thickness)
> Determine the occurrence of the failure.
Example criteria that can be used to describe the
likelihood or frequency of the failure mode occurring
due to its related cause. It can use qualitative and
quantitative data.

Rank Probability Notional probability of failure

1 <0.001 Improbable
2-3 >0.001 but <0.01 Remote (e.g. 1 in 100 hours0
4-6 >0.01 but <0.1 Occasional
7-9 >0.1 but <0.2 Moderate: Fail often (eg 1 failure in 10 hours)
10 >0.2 High: Failure almost inevitable

4. Failure detection (DET) Detection ranking:

> Determine the detection of the failure. Example criteria that can be used to describe the
probability or ability that the current design controls
will detect a failure or process weakness.

Rank Probability of detection Description

1-2 Very high Verification or controls almost certainly detect existence of a deficiency
or defect
3-4 High Verification or controls have a good chance of detecting the existence
of a deficiency or defect
5-7 Moderate Verification or controls are likely to detect the existence of a deficiency
or defect
8-9 Low Verification or controls are not likely to detect the existence of a
deficiency or defect
10 Very low Verification or controls will not or can detect the existence of a
deficiency or defect

SAFE DESIGN FOR ENGINEERING STUDENTS 33

5. Risk Priority Number (RPN) Application of this tool
> Determine the Risk Priority Number (RPN) = An example of a FMEA for a ballpoint pen has been
(SEV) * (OCC) * (DET) provided to show at a conceptual level how the
Ranges from 1 (failure highly unlikely and FMEA process can be applied to a designed item
unimportant) to 1000 (failure hazardous and (Table 1.4).
harmful). Ratings below 30 are reasonable for
typical applications.

Table 1.4: Failure Mode and Effect Analysis table for a ball point pen
Potential effects of

Potential causes of

potential failure be
Potential Failure

OCCURRENCE

How will the

DETECTION
detected?
SEVERITY
Function

Actions
failure

failure
Mode
Part

RPN
Provides Vacuum on Debris Check
Outer Hole gets Make hole
grip for ink supply 7 ingress into 3 clearance of 5 105
tube blocked larger
writer stops flow hole hole
Provide Introduce
Incorrect Too much QC on ink
Ink writing High flow 4 2 4 32 more rigid
viscosity solvent supply
medium QC
Provide
Incorrect Too little QC on ink No action
Ink writing Low flow 4 2 3 24
viscosity solvent supply required
medium
(Adapted http://www.nomogen.co.uk/QualityPublications/fmea.htm)

1.4.6 Event Tree Analysis (ETA) most risk analysts. Which events are worth investing
resources for an event tree analysis is a judgement
Purpose of this tool process, which should take into account the overall
risk management strategy. Of particular importance,
Fundamentally, event trees provide a means for
though, will be those events, which have a direct
quantitatively analysing the probability that a system
causal relationship with system failure.
will respond successfully or end up in failure
given that an undesired event has occurred. The
Process of using the tool
initiating event may be a failure within a system or
an external event. ETA starts with an initiating event Event tree analysis is suitable for situations, which
and then searches forward through time to identify meet two criteria. Firstly, a given component’s
the possible sequences of events that could arise in response to an event will be classified as success
response. or failure; there is no scope for partial success or
failure. Secondly, the system design is such that
The initiating (undesired) event is the starting point
in response to the initiating event there is a logical
for the analysis. In a given system there will be
sequence of components that will be engaged in
many events that could be analysed via an event
response to the event.
tree. In a complex system there will be so many
events that performing event tree analysis for each The construction of the event tree is straight
of them will probably be beyond the resources of forward. Once an initiating event has been chosen
for analysis, the system components that are

34 australian SAFETY and compensation council

affected are determined along with the sequence in probability of the system successfully responding
which the affected components will respond. Each to the initiating event is then the sum of all of the
component is dealt with in turn to determine the paths that lead to system success. For the generic
effect on the system due to the success or failure of example in Figure 1, the probability that the system
that component to respond correctly. The branches will respond successfully to the initiating event
of the tree terminate in either overall system is (1-PFA) * (1-PFB) + (1-PFA) * PFB * (1-PFC). The
success or system failure. computed probability of failure would then be
compared against the benchmark set as part of the
Figure 1.5 illustrates a generic event tree.
risk management strategy and the risk then treated
Component A is the first component of the system
accordingly if the probability of failure was too
expected to respond as a result of the occurrence of
high. Note that this probabilistic analysis assumes
the initiating event. Failure of Component A results
that the failures of components are statistically
in an unrecoverable failure of the system and thus
independent. Issues such as poor maintenance,
this branch of the tree is a terminating branch.
components from the same defective batch could
Successful operation of Component A in response
violate this assumption.
to the event leads to consideration of Component B.
Successful operation of Component B leads to an
Application of the tool
overall success. Failure of Component B requires
analysis of Component C. Event trees are particularly suited to the analysis
of failsafe mechanisms in safety critical systems.
The next step in the process is to assign
Such system often have a series of fail-safes to
probabilities for the failure-on-demand of each
provide a greater level of safety. Consider a nuclear
component; the probability of success being one
power plant in which there are two pressure relief
minus the probability of failure. These probabilities
valves. If the pressure in the boiler gets too high,
can be obtained from data sheets, historical
correct operation of either relief valve will result in
information, experiments, etc. The initiating event
the pressure being dropped to a safe level. The first
is expressed as a frequency, for example the
valve is designed to operate automatically under
number of occurrences per year. In Figure 1.5 the
computer control. The second valve is a manual
conditional probability of failure for component
backup to be activated by an operator should the
x has been denoted PFx. The probability that the
computer fail to respond. The event tree for this
system’s response will follow a given path is the
system is shown in Figure 1.6.
product of the probabilities on each step. The

Component A Component B Component C

Success System
(1-PFB) Success

Success
(1-PFA) Success System
(1-PFC) Success
Failure
Initiating PFB
Failure System
Event
PFC Failure

Failure System
PFA Failure

Figure 1.5: Generic Event Tree Diagram

SAFE DESIGN FOR ENGINEERING STUDENTS 35

 Relief valve 1 Relief valve 2

Opens Pressure
(1-PF1) Decreases

Pressure
Too High Opens Pressure
(1-PF2) Decreases
Fails
PF1
Fails
Explosion
PF2

Figure 1.6: Event Tree for excessive pressure in a nuclear plant (After Leveson, 1995)
Reference
Leveson,N.G. (1995) Safeware: System Safety and Computers, Addison-Wesley Publishing Company, 1995

Examination of the event tree in Figure 1.6 1.4.7 Fault Tree Analysis (FTA)
reveals that there are two branches that resolve
to a successful outcome and one that does not. Purpose of this tool
Calculation of the probability of failure in the event
Fault Tree Analysis (FTA) is a technique for
of an over pressure event is a straight forward
determining the fundamental fault or sets of faults
computation based on the process described in
that lead to an undesirable event. As such FTA is a
the previous section. Examination of the event
suitable tool to further analyze undesirable events
tree, however, does not reveal any information
identified by other tools such as ETA and HAZOP.
concerning the mechanism or mechanisms that
Analysis of the probabilities associated with the
led to either of the valves failing. Should the
fundamental causes enables the system designer
probability of failure be intolerable, then other risk
to focus on those causes/faults that are most severe
assessment tools would have to be applied to the
in their consequences or most frequent in their
scenario to determine the possible failure modes
occurrence.
and, if required, the likelihood of each of these
failure modes. Fault trees are one such tool and this
Process of using the tool
scenario is also used as the example application for
the fault tree toolkit. FTA starts with a pre-identified undesirable event.
This event is then drilled-down through the system
structure to determine the fundamental faults that
can trigger the undesired event. The Fault Tree
diagrams used to capture this analysis are based
on logic symbols. A subset of the symbols used is
shown in Table 1.5.

36 australian SAFETY and compensation council

Table 1.5: Subset of FTA symbols
Symbol Name
Output Event
Independent Event
OR Gate
AND Gate
Events in the diagram are represented by a
rectangular block. The undesired event at the top
of the diagram is referred to as the top event. Sub-
events, which are triggered by combinations of
other events are also denoted by the rectangular
block and are referred to as intermediate
events. The use of logic ‘gates’ enables different
combinations events to be specified as the
trigger for an event. If the events serving as an
input to a higher event are combined through an
AND gate, then all of these subordinate events
Top Event
External
Trigger
Fault A
Figure 1.7: Generic Fault Tree
Meaning
Event resulting from events occurring lower in the tree
An event for which there are no preceding events or no further
breakdown to determine sub-events.
Event immediately above the OR gate occurs if one or more of the
events immediately below the gate have occurred
Event immediately above the AND gate occurs if all of the events
immediately below the gate have occurred
must have occurred for the higher event to be
triggered. Conversely an event fed by an OR-
gated combination of events is triggered if any of
the subordinate events has occurred. Events are
decomposed through the system through the use
of gated event combinations until such time as the
basic events have been identified. Such events are
denoted by the circle symbol. Figure 1.7 illustrates
a generic fault tree highlighting the use of each of
the diagram components.
Intermediate Event
Fault B Fault C
SAFE DESIGN FOR ENGINEERING STUDENTS 37
From the logic within the fault tree the ‘cut set’ can
be derived. The cut set is the set of all combinations
of basic events that can cause the top event. When
all of the events of a cut set element occur, the top
event is triggered. For the generic fault tree of figure
3, the cut set elements are {‘External Trigger’, ‘Fault
A’}, {‘External Trigger’, ‘Fault B’}, and {‘External
Trigger’, ‘Fault C’}.
Application of the tool
In a nuclear power plant an explosion is most
definitely an undesired event. A prior analysis has
determined that an explosion could occur if both
pressure relief valves fail to operate when demand
is placed upon them by high pressure. The first
valve is designed to operate automatically under
computer control. The second valve is a manual
backup to be activated by an operator should the
computer fail to respond. However the analysis
that revealed the possibility of an explosion did not
reveal any details as to the modes by which each of
the valves could fail nor which of these modes was
the more likely to be the cause of failure. A fault tree
has thus been developed (Figure 1.8) to drill down
into the failure modes for each of the valves.
The first level of event decomposition of the Fault
Tree of figure 1.8 reveals the key information that
the explosion is triggered by the combination of
three events: high pressure and the failure of both
relief valves. The high pressure is the key event and

Explosion

Relief Valve 1 Relief Valve 2

Pressure
does not open does not open
too high

Computer does Valve 2 Operator ignorant of Operator

Valve 1 not open valve 1 need to open valve 2 Inattentive
Failure
Failure

Valve 1 Valve 2
Pressure Computer Computer position position
Monitor Response Fails to Issue indicator indicator
Failure Too Slow Command
fails on fails on

Figure 1.8: Fault Tree for an explosion in a nuclear plant (After Leveson, 1995)
Reference
Leveson, N.G. (1995) Safeware: System Safety and Computers, Addison-Wesley Publishing Company, 1995

38 australian SAFETY and compensation council

the events leading up to there being a high pressure
are not part of this analysis. Rather, the causes for
high pressure could be the subject of a different
fault tree analysis or the subject of a different
analysis tool. The modes of failure for each of the
valves are then examined in turn. Combinatorial
explosion means that the cut set for the example of
Figure 1.8 contains 12 entries. Examples of the cut
set elements include {‘Pressure too high’, ‘Valve 1
failure’, ‘Valve 2 failure’} and {‘Pressure too high’,
‘Valve 1 failure’, ‘Valve 1 position indicator fails on’,
‘Valve 2 position indicator fails on’}.
Of particular note is the effect of ANDed events
versus ORed events. An intermediate event that
is triggered by ANDed events can only occur if all
of the subordinate events occur. In contrast, an
intermediate event that is triggered by ORed events
occurs if any of the subordinate events occurs.
As a design guideline, the more ANDed triggers
the safer a system will be. Also worth noting is the
comparison of the fault tree and event tree for the
same system. The event tree collapses all of the
complexity of valve failure modes into a single even
and assigns a single probability to the failure. This
abstraction enables event trees to focus on the
systems ability to recover from an event. Conversely,
fault trees enable the causes of undesirable
events to be determined. Subsequent analysis
of the causes would reveal which of the causes
need addressing.
1.4.8 Hierarchy of Control
Purpose of this tool
Hierarchy of control is a risk treatment process
which involves a sequence of options which offers
you a number of ways to approach the hazard
control process to manage risk. This is described
in: AS/NZS 4801:2001 & 4804. All risks should
be controlled at the highest level (Elimination) of
control rather than the lowest (Personal Protective
Equipment). However, it may be necessary to use
a combination of measures to achieve the desired
level of control.
Elimination
Design the hazard out and therefore remove the
cause of harm permanently. This approach should
be attempted in the first instance.
> To eliminate the risk of electrocution from 240v
power tools then battery or compressed air
power tools could be used.
Substitution
Substitute the hazard by another process or
substance that presents a lower risk. This could
involve the substitution of a hazardous material
with one that has less toxicity, less impurities,
lower flammability or lower amounts of associated
particulates (e.g. ‘dustless’ pellets).
> To substitute risks associated with particulates
during spraying, processes such as airless
spraying, electrolytic spraying or brush
application could be used.
Engineering controls
Implement some structural change to the work
environment or work process to place a barrier to,
or interrupt the transmission path between, the
worker and the hazard. Caution must be used to
ensure engineered controls do not interfere with the
basic function of an engineered system or process.
> Engineering controls include process
automation, machine guards, isolation or
enclosure of hazards, the use of extraction
ventilation and manual handling devices.
Controls that isolate workers from the hazard
can also involve the use of time and distance
by job redesign.
Administrative (procedural) controls
Reduce or eliminate exposure to a hazard
by adherence to procedures or instructions.
Documentation should emphasize all the steps to
be taken and the controls to be used in carrying out
a task safely. Administrative controls are dependent
on appropriate human behaviour for success and
may involve training and supervision. Administrative
controls can be documented within National
Standards, Codes and Guidance Notes.
SAFE DESIGN FOR ENGINEERING STUDENTS 39
> Administrative controls include safety warnings,
operator certification for machinery and ‘Permit
to Work’ systems for Confined Spaces.
Personal protective equipment
Create a barrier between the user and the hazard
in the form of clothing or personal equipment.
The success of this control is dependent on the
protective equipment being chosen correctly,
as well as fitted correctly and worn at all times
when required.
> Personal protective equipment includes
skin protection, face masks, earmuffs and
breathing apparatus.
1.4.9 Incident Investigation
Purpose of this tool
The Risk Management Framework (AS/NZ 4360)
is a generic framework that has been developed to
be a high-level approach for managing risk across
a number of sectors. Within other standards (AS/
NZS 4804) there is a context specific adaptation
which has been developed within the Occupational
Health and Safety community to manage risk. This
Incident Investigation tool has been developed to
guide an Incident Investigation which can examine
many aspects of the operation of an organization’s
Occupational Health and Management System
(e.g. training, hazard identification, hazard/
risk assessment, control of hazards/risks and
emergency preparedness.). The focus of the
Incident Investigation should be on identifying
system deficiencies and preventing a recurrence of
the incident rather than apportioning blame.
40 australian SAFETY and compensation council
Process of using the tool
An incident investigation team typically includes;
the supervisor or manager; the individual(s) involved
in the incident; and employee representatives.
The main stages of an incident investigation are
(adapted from AS 4804):
Step 1 Gather objective information and establish
the facts about the context in which the Incident
happened, however there are no set ways of
categorising the causal factors
Different examples of the types of data collected;
1. Machine, environment and human factors (i.e.
regarding hazard identification, hazard/risk
assessment and controls, sequence of events,
operating procedures, training, induction,
supervision, emergency arrangements).
2. Physical accident sequence, Organisation
factors; Company level factors; Government/
regulatory factors; and Societal factors. (from
Hopkins, 2000)
3. Equipment; environment; skills and experience;
operating/work system and other ergonomic
factors (relationship between people and their
environment and equipment).
Step 2 Isolate the contributory factors (i.e.
incidents may be multi-causal and there may
be many interactions between causal factors).
Identify relationships between the factors. This can
diagrams such as mind maps and flowcharts.
Step 3 Determine corrective and preventive
actions (the incident investigation team should
propose recommended actions to eliminate or
modify the contributory factors that either led to the
incident or affected the consequence of the incident
outcomes). The focus should be on the Hierarchy
of Control.
Step 4 Prepare a report (i.e. the report should
contain a proposed action plan for management
consideration and implementation).
Reference
AS/NZS 4804:2001 Occupational health and safety management systems – General
guidelines on principles, systems and supporting techniques
Hopkins, A., (2000) ‘Lessons from Longford: The Esso Gas Plant Explosion’, 1st edition, pp
179, CCH Australia Ltd, Sydney, Australia
1.4.10 Code of Ethics 6. Members shall take all reasonable steps
to inform themselves, their clients and
Purpose of the tool employers and the community of the social and
environmental consequences of the actions and
This tool can be used by Engineers when they are
projects in which they are involved;
making a judgement based engineering decision.
Many engineering organisations have committed 7. Members shall express opinions, make
themselves to abide by the Engineers Australia Code statements or give evidence with fairness
of Ethics. Many organisations have also developed and honesty and on the basis of adequate
their own Codes of Ethics or codes of practice. A knowledge;
review of these codes makes it clear that safety is a 8. Members shall continue to develop relevant
prime ethical consideration. knowledge, skill and expertise throughout their
careers and shall actively assist and encourage
Process of using the tool those under their direction to do likewise; and
Prior to making a complex Safety based decision, 9. Members shall not assist, induce or be involved
the Code of Ethics can be reviewed to ensure that in a breach of these Tenets and shall support
a proposed decision upholds and does not breach those who seek to uphold them.
any of the Tenets.
f Link – http://www.ieaust.org.au/about_us/res/
The Tenets of the IEAust Code of Ethics are: downloads/Code_of_Ethics_2000.pdf
1. Members shall at all times place their
responsibility for the welfare, health and safety
of the community before their responsibility
to sectional or private interests, or to
other members;
2. Members shall act in order to merit the trust of
the community and membership in the honour,
integrity and dignity of the members and the
profession;
3. Members shall offer services, or advise on or
undertake engineering assignments, only in
areas of their competence and shall practise in a
careful and diligent manner;
4. Members shall act with fairness, honesty and
in good faith towards all in the community,
including clients, employers and colleagues;
5. Members shall apply their skill and knowledge in
the interest of their employer or client for whom
they shall act as faithful agents or advisers,
without compromising the welfare, health and
safety of the community;

SAFE DESIGN FOR ENGINEERING STUDENTS 41

42 australian SAFETY and compensation council

RESOURCES
The materials in Part 1 and Part 2 of this Safe
Design for Engineering Students package contain
materials specifically developed for undergraduate
engineering educators about Safe Design. Those
materials should be considered a generic and
basic platform upon which a deeper and more
sophisticated understanding of Safe Design and the
broader domain of Occupational Health and Safety
can be based. This resource list provides reference
to other teaching materials that can extend the
scope of material within this package.
There are a range of existing resources from
other sources which can be used by engineering
educators who wish to integrate health and safety
issues into their subjects. Some of these resources
can be used to help contextualise the principles
within the Safe Design for Engineering Students
package to a specific disciplinary context or build
upon the learning activities given within package.
Whilst many of these resources have a strong
Occupational Health and Safety focus they do
contain materials that can be used to support
teaching and learning about Safe Design.
R.1 ENGINEERING EDUCATION RESOURCES
> Incorporating Safety, Health and Environmental
Risk issues in Undergraduate Engineering
Courses by Institution of Electrical Engineers
- http://www.iee.org/Policy/Areas/Health/
she.cfm
> Ethics and Safety case studies
These websites provide extensive, well
documented and engaging cases, some of which
explore the boundaries between design, safety
and professional responsibilities.
>>>>
- http://ethics.tamu.edu/
- http://onlineethics.org/index.html
- http://www.murdough.ttu.edu/
> NIOSH: Safety/Health Awareness for
Preventative Engineering
These resources are Safety and Health
Instructional Modules developed by NIOSH,
engineering professional societies, and
engineering schools for undergraduate
engineering education.
- http://www.cdc.gov/niosh/topics/SHAPE/
> Safety & Ergonomics for Mechanical, Civil, and
Electrical Engineering subjects
This resource gives examples of how to embed
health and safety oriented content in a wide
range of technically oriented subjects across
various engineering disciplinary areas.
- http://www.mech.utah.edu/ergo/educate/
> Safety Materials for Construction Engineers
This websites contains an excellent range of
resources for educators seeking material on
Health and Safety for the Built Environment.
- http://www.learning-hse.com/hse/index.php
> Failure Cases in Civil Engineering
This resource for Civil Engineers contain
documented case studies and links focused
around learning from failures
- http://www.eng.uab.edu/cee/faculty/ndelatte/
case_studies_project/
SAFE DESIGN FOR ENGINEERING STuDENTS 43
> Occupational Health and Safety for Engineers
– A Resource for Engineering Education, 1990
This resource was developed for NOHSC to
support the integration of Occupational Health
and Safety into the undergraduate Engineering
curricula. It contain six case studies and
educator support.
- www.ascc.gov.au
> System Safety and Risk Management
An excellent website by Jacobs Sverdrup that
has extensive presentation and workshop
materials suited to engineering education
- http://www.sverdrup.com/safety/welcome.
shtml
R.2 Websites of interest
> The Australian Safety and Compensation
Council website.
This site hosts a range of resources relevant to
Safe Design. There are a range of publications
that extend the material covered in the Safe
Design: An Engineering Resource Package
to a much greater depth and more generally
about Occupational Health and Safety in the
Australian context.
- http://www.ascc.gov.au
> The National Committee of Engineering
Design website.
The NCED aims to promote design excellence
and awareness through media of publications,
conferences and both national and international
exhibitions. Engineering Design addresses issues
of creating and delivering innovative, useful,
reliable and economical technical solutions to
meet human wants or needs. One of NCED’s
main objectives is to promote links between
industry, and tertiary and secondary learning
institutions for the strategic development of
design learning and experience in all aspects
of design.
- http://www.ncedaust.org/index.htm

44 australian SAFETY and compensation council
> Gateways for Safety and Health Information
resources
- http://www.osh.net
- http://www.safetylink.com/
> Safety in Design
This site has a number of design guides for the
built environment.
- http://www.safetyindesign.org/index.htm

R.3 Safety Album/Safety Moments
These databases contain examples that can be
used to illustrate either unsafe designs and/or
behaviours and show the problem which Safe
Design is trying to address.
> NOHSC Practical Solutions Database
A database of over 720 examples of solutions
to overcoming OHS problems. Many of these
include examples of Safe design.
- http://www.ascc.gov.au
> Bad Human Factors Design
Over 90 examples of designed items which
because of bad design are difficult to use
or hazardous.
- http://www.baddesigns.com/examples.html

> NIOSH Fatality Assessment and Control
Evaluation (FACE) Program
An accident database containing a brief synopsis
of an accident which led to a fatality.
- http://www.cdc.gov/niosh/face/

> Safety resources from the military
Check the archive of Safety photos and
success stories
- http://www.safetycenter.navy.mil/

> Google image search:
Images to help illustrate Unsafe and Safe Design
can often be found here
- http://www.google.com.au/imghp?hl=en&tab=wi&q=
> Safety Materials for Chemical Engineers > Hopkins, A., (2000) Lessons from Longford:
The Esso Gas Plant Explosion, 1st edition, CCH
This site by the UK Chemical Reaction Hazards
Australia Ltd, Sydney, Australia.
Forum comprises over 120 incidents from
chemical and pharmaceutical industry. > Hunter, T. A., (1992), Engineering design for
safety, McGraw, Hill, Inc. New York, USA.
- http://www.crhf.org.uk/index.html

> Kletz, Trevor (2001), An Engineer’s View of
> Product Safety recall alerts
Human Error (3rd edition), Institution of Chemical
These websites often have images where the Engineers, Rugby, Warwickshire, UK.
safety hazard is obvious from a visual inspection
> Keltz, T. (1991), Plant Design for Safety: A User-
- http://www.cpsc.gov/cpscpub/prerel/prerel.
 Friendly Approach, Hemisphere Publishing
html Corporation, New York.
> Leveson, N. (1995) Safeware: System Safety and
Computers, Sphigs Software, Addison Wesley
R.4 Safety Software/Materials
Professional, USA.
Software can be used to systematically predict and
> Petroski, H., (1982) To engineer is human – the
document safety related design issues
role of failure in successful design, St. Martins
- http://www.designsafe.com/dsesoftware.shtml Press, New York USA
- http://www.ehsfreeware.com > Petroski, H., (1994), Design paradigms – case
histories of error and judgement in engineering,
Cambridge University Press, Cambridge, UK
R.5 OHS & Safety Multimedia Materials
> Safety by Design: An Engineer’s Responsibility
The use of engineering failures to illustrate the need for Safety: ISBN 0-9525103-1-6 (1996) by the
for a greater focus on Safety in Engineering is a Hazards Forum (http://www.hazardsforum.
common approach in Engineering Education. There co.uk)
are a range of excellent materials to support this.
> Stevenson (2003) Safety by Design, ISBN0-
> BBC Disaster Special Collection of videos 646-42540-4, Mike Stevenson Ergonomics,
> Insight Media videos on Engineering failures Balgowah, NSW, Australia. Available from
Engineers Australia bookshop.
- http://www.safetycare.com.au/
> Voland, G. (2004) Engineering by Design,
Pearson Education Inc, Upper Saddle River, N J,
R.6 Reference Books and journal USA.
articles
> Brauer, R. L. (1994) Safety and health for
engineers, Van Nostrand Reinhold, New York,
USA
> Brown, David B. (1976) Systems analysis and
design for safety, Prentice Hall, Inc. Englewood
Cliffs, New Jersey, USA (a bit old)
> Christensen, W.C & Manuele, F.A (Eds) (1999),
Safety Through Design, National Safety Council,
USA
- http://www.nsc.org/issues/isd/isdsynop.htm

SAFE DESIGN FOR ENGINEERING STUDENTS 45

46 australian SAFETY and compensation council
PART 2A:
SAFE DESIGN — STUDENT ACTIVITIES

STUDENT ACTIVITIES
AN EDUCATIONAL RESOURCE
FOR UNDERGRADUATE
ENGINEERING STUDENTS
 >>>>
part a: Safe DeSign – StUDent
actiVitieS
contentS

.1 introDUction 3

. gUiDeD actiVitieS 5

2.2.1 Designer Misconception 5
2.2.2 Construction Hazard Assessment Implementation Review 9
2.2.3 Plant Hazard Checklist 13
2.2.4 Incident Investigation: Waste Collection 19
2.2.5 Failure Modes and Effects Analysis 23
2.2.6 Event Tree Analysis 25
2.2.7 Fault Tree Analysis 26
2.2.8 Risk Control 27
2.2.9 Incident Investigation 29

.3 DeSign actiVitieS 31

2.3.1 Safe Design and Build 31

. caSe StUDieS 35

2.4.1 Ford Pinto Case Study 35
2.4.2 Mercedes A-Class Case Study 37
2.4.3 F-111 Deseal/Reseal Case 39
2.4.4 Onsite Safety Activity 42

saFE dEsiGn For EnGinEErinG studEnts 1

 australian SAFETY and compensation council
 >>>>
.1 introDUction

.1.1 intenDeD learning oUtcoMeS

Engineers Australia have specified the types of
capabilities that an undergraduate engineer would
be expected to have upon entering the workforce
as a graduate engineer. These capabilities provide
a useful foundation for promoting Safe Design,
however there are additional capabilities and
their enabling knowledge, skills and attitudes that
we believe engineering educators should aspire
to develop within their students. By achieving
these capabilities we can ensure that Safe
Design becomes a fundamental and explicit part
of engineering.
The following capabilities have been adapted
from those articulated in the UK by the Board of
Moderators Guideline (Appendix C) http://www.
learning-hse.com/hse/info_frameset.phtml

attitude Ability to:

> appreciate the ethical view;
> recognise that health and safety is integral with all we do;
> accept that safety is everyone’s responsibility

competence Ability to:

> be able to implement a basic, systematic risk management process;
> communicate safe design;
> implement a life-cycle approach in design

Knowledge Ability to:

> fulfil legal responsibility,
> understand the legal framework,
> understand the value of health and safety and its role in the engineering process;
> recognise the influence of human behaviour;
> appreciate the benefits of learning from history.

saFE dEsiGn For EnGinEErinG studEnts 3

2.1.2 Safe Design Keywords
The following are the key concepts, principles and
terminology needed to be an effective practitioner of
Safe Design.
> Safe Design Process:
Designed product, Designers, Five principles
of Safe Design, Human factors.
> Lifecycle Framework:
Lifecycle concepts and stages.
> Legal, Regulatory & Professional Framework:
Duty of Care, Reasonably practicable, Due
Diligence, Act, Regulation, Code of Practice,
Standard, Guidance Note, Code of Ethics.
> Risk Management process:
Stages in Risk Management process, risk,
hazard.
> Risk Assessment techniques
Guidewords, Checklists, Failure Mode and
Effects Analysis, Event Tree Analysis, Fault
Tree Analysis.
> Risk Control:
Hierarchy of Control, Elimination, Substitution,
Engineering Control, Administrative Control,
Personal Protective Equipment.
 australian SAFETY and compensation council
2.1.3 Assessing Safe Design capabilities
Providing guidelines on assessing the ability of
students to recall and comprehend Safe Design
key concepts and terminology is relatively
straightforward. Activities which test this knowledge
can be highly structured, have clear cut answers
and can be universally applied across many of the
branches of engineering. Examples of these types of
teaching and learning activities are the quizzes and
short answer tests that could be developed for the
risk assessment techniques.
Providing generic guidance on how to assess the
extent to which higher order learning has occurred
and whether Safe Design capabilities have been
developed within students is more difficult. This
requires that knowledge, skills and attitudes are
integrated into disciplinary specific knowledge and
applied to an example meaningful to that discipline.
In these more complex application contexts
different engineering disciplines can use different
risk management tools and they often have different
design processes.
Another challenge is to provide guidelines on
the extent to which learning related to the values
and attitudes of the students have occurred.
The activities that suit developing these types of
learning are more likely to be open–ended and the
appropriate learning outcomes will need to be more
thoroughly negotiated with the students and be
specific to your learning environment. Examples of
these types of teaching and learning activities are
those that involve the cases and scenarios and the
problem-based activities. The assessment criteria
for these activities can follow the generic pattern
included in the Lecturer Notes or alternatively, can
be developed to be more specific to the discipline
area or be negotiated with the students to meet their
own learning objectives.
 >>>>
. gUiDeD actiVitieS

..1 DeSigner MiSconception

StUDent noteS

Overview
This activity has been designed to help you develop
the ability to identify hazards and risks. You will also
learn about some of the common misconceptions
that designers have, based on those which have
been embedded in design and caused fatalities.
During the activity a list of known hazard inducing
design assumptions are tested against the item
represented in the image. Through completing this
activity, you will develop your skills in identifying
risks and develop a greater understanding of how
incorrect assumptions and misconceptions can
contribute to unsafe design.

Intended learning outcomes

> Ability to identify risks/hazards from visual
information using the Designer Misconception
tool.
> Knowledge of common misconceptions that
have resulted in poor design.
> Understanding of how misconception can lead
to poor design.

Activity
For each the following Images (A, B & C), identify
the risk issues through using the designer
misconception checklist (Safe Design Engineering
Toolkit 1.4.1).
> Fill out the documentation for each of the
images.

saFE dEsiGn For EnGinEErinG studEnts 5

Image A: Vehicle Dashboard

Photograph courtesy of: http://www.baddesigns.com

Scenario
You have just hired a car from Los Angeles Airport. This photograph represents part of the dashboard from
that vehicle containing the speedometer and tachometer.

Documentation from Designer Misconception tool

Scope Vehicle dashboard

Type of misconception

What are the assumptions?

Under what conditions this

assumption could be contradicted?

Actions needed

Criticality

 australian SAFETY and compensation council

Image B: Stairway

Photo: J Culvenor

Scenario
This is an emergency stairway in a hotel. This stairway is used as a permanent access to a swimming pool
on the top floor. The stairwell is used many times per day. The stairs are constructed of concrete with a
metal railing

Documentation from Designer Misconception tool

Scope Stairway
Type of misconception

What are the assumptions?

Under what conditions this

assumption could be contradicted?

Actions needed

Criticality

SAFE DESIGN FOR ENGINEERING STUDENTS 

Image C: Road Lighting

Photograph courtesy of: http://www.baddesigns.com

Scenario
The image is of yellow street lights at night. The arrow points to a different type of light (this is a HINT)

Documentation from Designer Misconception tool

Scope Road lighting

Type of misconception

What are the assumptions?

Under what conditions this

assumption could be contradicted?

Actions needed

Criticality

 australian SAFETY and compensation council

2.2.2 Construction Hazard Assessment
Implementation Review
Student Notes

Overview
This activity should help you to develop your
ability to identify hazards and risks through using
guidewords. By completing this activity, you should
be more proficient at recognising hazards and be
better able to understand the implications of poor
design regarding safety. Through discussion and
debate, you should also be developing the ability to
conceptualise safer design.

Intended learning outcomes

> Ability to identify risks/hazards from visual
information using the Construction Hazard
Assessment Implementation Review tool.
> Knowledge of common causes of unsafe design
for construction projects.
> Ability to use guidewords/checklists as a
mechanism for risk/hazard identification.

Activity
For each the following Images (A, B & C),
> identify the risk issue using the Construction
Hazard Assessment Implementation Review
(Safe Design Engineering Toolkit 1.4.2).
> Fill out the CHAIR documentation.
> Suggest alternate design options to eliminate or
reduce the risk issue.
The generic guidewords to be used for this
activity are:

> Size; > Movement/Direction;

> Heights/Depths; > Load/Force;
> Position/Location; > Energy;
> Poor Ergonomics; > Timing; and
> Egress/Access

SAFE DESIGN FOR ENGINEERING STUDENTS 

Image A: Livestock Loading/Unloading Ramp

Photo: J Culvenor

Scenario
This wooden structure is used for loading and unloading livestock from semi-trailers into a livestock holding
yard. These structures are often located near a public road and on a property boundary.

Documentation for Construction Hazard Assessment Implementation Review

Consequences

Safeguards
Guideword

Risk Issue

Causes

Action
No.

10 australian SAFETY and compensation council

Image B: Air Conditioning Units

Photo: J Culvenor

Scenario
Split systems and other air conditioning systems are a relatively common feature in multi-level buildings

Documentation for Construction Hazard Assessment Implementation Review

Consequences

Safeguards
Guideword

Risk Issue

Causes

Action
No.

SAFE DESIGN FOR ENGINEERING STUDENTS 11

Image C: Traffic Crossing Point

Photo: J Culvenor

Scenario
A common sight on many roads in rural Australia is a stock crossing point used to move livestock from one
part of a property to another.

Documentation for Construction Hazard Assessment Implementation Review

Consequences

Safeguards
Guideword

Risk Issue

Causes

Action
No.

12 australian SAFETY and compensation council

2.2.3 Plant Hazard Checklist
Student notes
Overview
This activity should help you to develop your
ability to identify hazards and risks through using
guidewords. By completing this activity, you should
be more proficient at recognising hazards and be
better able to understand the implications of poor
design regarding safety. Through discussion and
debate, you should also be developing the ability to
conceptualise safer design.
Intended learning outcomes
> Ability to identify risks/hazards from visual
information using the Plant Hazard checklist.
> Knowledge of common causes of unsafe design
for plant items.
> Ability to use guidewords/checklists as a
mechanism for risk/hazard identification.
> Use the hierarchy of control to describe risk
control options.
Activity
For each the following Examples (A, B, C, D),
> Identify the hazards using the Plant Hazard
checklist (Safe Design Engineering Toolkit
section 1.4.3 or below) and document them.
> Suggest alternate design options based on the
Hierarchy of Control to eliminate or reduce the
hazard. Please note that if systems of work or
operator competency are factors in the control of
risk, the designer is required to specify these in
information provided by the manufacturer.
Plant Hazard checklist: summary
a) Entanglement
Can anyone’s hair, clothing, gloves, necktie,
jewellery, cleaning brushes, rags or other materials
become entangled with moving parts of the plant, or
materials in motion?
b) Crushing
Can anyone be crushed due to: material falling
off the plant: lack of capacity for the plant to; be
slowed, stopped or immobilised; parts of the plant
collapsing; being thrown off or under the plant;
uncontrolled or unexpected movement of the
plant or its load; the plant tipping or rolling over;
coming in contact with moving parts of the plant
during testing, inspection, operation, maintenance,
cleaning or repair; being trapped between the plant
and materials or fixed structures and other factors
not mentioned?
c) Cutting, stabbing and puncturing
Can anyone be cut, stabbed or punctured due
to: coming in contact with sharp or flying objects;
coming in contact with moving parts of the plant
during testing, inspection, operation, maintenance,
cleaning or repair of the plant; the plant, parts of
the plant or work pieces disintegrating; work pieces
being ejected; the mobility of the plant; uncontrolled
or unexpected movement of the plant; other factors
not mentioned?
d) Shearing
Can anyone’s body parts be sheared between two
parts of the plant, or between a part of the plant and
a work piece or structure?
e) Friction
Can anyone be burnt due to contact with moving
parts or surfaces of the plant, or material handled
by the plant?
f) Striking
Can anyone be struck by moving objects due to:
uncontrolled or unexpected movement of the plant
or material handled by the plant; the plant, parts of
the plant or work pieces disintegrating; work pieces
being ejected; mobility of the plant; other factors
not mentioned?
g) High pressure fluid
Can anyone come into contact with fluids under
high pressure, due to plant failure or misuse of
the plant?
SAFE DESIGN FOR ENGINEERING STUDENTS 13
h) Electrical
Can anyone be injured by electrical shock or
burnt due to: the plant contacting live electrical
conductors; the plant working in close proximity to
electrical conductors; overload of electrical circuits;
damaged or poorly maintained electrical leads and
cables; damaged electrical switches; water near
electrical equipment; lack of isolation procedures;
other factors not mentioned?
i) Explosion
Can anyone be injured by explosion of gases,
vapours, liquids, dusts or other substances,
triggered by the operation of the plant or by material
handled by the plant?
j) Slipping, tripping and falling
Can anyone using the plant, or in the vicinity of the
plant, slip, trip or fall due to: uneven or slippery
work surfaces; poor housekeeping, eg. swarf in
the vicinity of the plant, spillage not cleaned up;
obstacles being placed in the vicinity of the plant;
other factors not mentioned?
Can anyone fall from a height due to: lack of a
proper work platform; lack of proper stairs or
ladders; lack of guardrails or other suitable edge
protection; unprotected holes, penetrations or gaps;
poor floor or walking surfaces, such as the lack of
a slip-resistant surface; steep walking surfaces;
collapse of the supporting structures; other factors
not mentioned?
k) Ergonomic
Can anyone to be injured due to: poorly designed
seating; repetitive body movement; constrained
body posture or the need for excessive effort;
design deficiency causing mental or psychological
stress; inadequate or poorly placed lighting; lack
of consideration given to human error or human
behaviour; mismatch of the plant with human traits
and natural limitations; other factors not mentioned?
m) High temperature or fire
Can anyone come into contact with objects at high
temperatures? Can anyone be injured by fire?
n) Temperature (thermal comfort)
Can anyone suffer ill-health due to exposure to high
or low temperatures?
o) Other hazards
Can anyone be injured or suffer ill-health from
exposure to: chemicals; noise; toxic gases or
vapours; vibration; fumes; radiation; dust; other
factors not mentioned?
Hierarchy of Control Risk Control
Options: summary
> Elimination
Design the hazard out and therefore remove the
cause of harm permanently.
> Substitution
Substitute the hazard by another process or
substance that presents a lower risk.
> Engineering controls
Implement some structural change to the work
environment or work process to place a barrier to,
or interrupt the transmission path between, the
worker and the hazard.
> Administrative (procedural) controls
Reduce or eliminate exposure to a hazard by
adherence to procedures or instructions.
> Personal protective equipment
Create a barrier between the user and the hazard in
the form of clothing or personal equipment.

l) Suffocation
Can anyone be suffocated due to lack of oxygen, or
atmospheric contamination?

14 australian SAFETY and compensation council

Example A: Tractor Access

Photo: J Culvenor

Scenario
Access to tractors is often positioned between the wheels.

Risk/hazard identified from plant hazard checklist

a) Entanglement b) Crushing c) Cutting, stabbing and puncturing

d) Shearing e) Friction f) Striking
g) High pressure fluid h) Electrical i) Explosion
j) Slipping, tripping and falling k) Ergonomic l) Suffocation
m) High temperature or fire n) Temperature (thermal comfort) o) Other hazards

Risk/Hazard Identification explanation

Risk Control Options

Elimination Substitution Engineering controls

Administrative (procedural) controls Personal protective equipment

Risk control explanation

SAFE DESIGN FOR ENGINEERING STUDENTS 15

Example B: Grain Auger

Photo: J Culvenor

Scenario
The grain auger is an essential piece of farm equipment which is used to move grain from one location
to another.

Risk/hazard identified from plant hazard checklist

a) Entanglement b) Crushing c) Cutting, stabbing and puncturing

d) Shearing e) Friction f) Striking
g) High pressure fluid h) Electrical i) Explosion
j) Slipping, tripping and falling k) Ergonomic l) Suffocation
m) High temperature or fire n) Temperature (thermal comfort) o) Other hazards

Risk/Hazard Identification explanation

Risk Control Options

Elimination Substitution Engineering controls

Administrative (procedural) controls Personal protective equipment

Risk control explanation

16 australian SAFETY and compensation council

Example C: Silo Access

Photo: J Culvenor

Scenario
Silos need a system for operating the opening at the top of the structure. Access is often provided by a
ladder up the side of the structure.

Risk/hazard identified from plant hazard checklist

a) Entanglement b) Crushing c) Cutting, stabbing and puncturing

d) Shearing e) Friction f) Striking
g) High pressure fluid h) Electrical i) Explosion
j) Slipping, tripping and falling k) Ergonomic l) Suffocation
m) High temperature or fire n) Temperature (thermal comfort) o) Other hazards

Risk/Hazard Identification explanation

Risk Control Options

Elimination Substitution Engineering controls

Administrative (procedural) controls Personal protective equipment

Risk control explanation

SAFE DESIGN FOR ENGINEERING STUDENTS 17

Example D: Bench Grinder

Scenario
Bench grinders are a commonly used product both at home and in the workplace. Examples of use include
to shape metal, sharpen tools or prepare metal for welding.

Risk/hazard identified from plant hazard checklist

a) Entanglement b) Crushing c) Cutting, stabbing and puncturing

d) Shearing e) Friction f) Striking
g) High pressure fluid h) Electrical i) Explosion
j) Slipping, tripping and falling k) Ergonomic l) Suffocation
m) High temperature or fire n) Temperature (thermal comfort) o) Other hazards

Risk/Hazard Identification explanation

Risk Control Options

Elimination Substitution Engineering controls

Administrative (procedural) controls Personal protective equipment

Risk control explanation

18 australian SAFETY and compensation council

2.2.4 Incident Investigation:
Waste Collection
Student notes
Overview
An injury case study is presented, as a set of
witness statements. The case study is about
the collection of roadside waste. This activity
is designed to draw out complex issues about
occupational safety including the role of work
systems, plant and equipment, work environment,
and the roles of designers of work systems
and equipment.
Intended learning outcomes
> Ability to document an injury event from a set of
witness statements.
> Identify precursor factors (work systems; plant
and equipment; work environment; people
issues; and interactions) that led to the injury.
> Understand the methodology used in an
Incident Investigation.
> An ability to recognise the roles of all parties and
examine how their decisions affected safety.
> Identify measures that would control the risk(s).
Activity
1. Identify all the parties/stakeholders including
both individual people and organisations from
the scenario.
2. Identify sequence of events for accident.
3. Identify contributory factors that could have
impacted the accident and management of that
accident (Environment, Equipment; Skills and
experience; Operating/work system, Ergonomic
factors (relationship between people and their
environment, equipment etc).
4. Identify the design decisions that each of the
organisations (City Council, PaperMunchers, Top
Trucks) took which may have contributed to the
accident. Consider what other options they had
which may have reduced the risk to the workers
Scenario: an injury while collecting
recyclable paper
You are Mo McErgo, WorkSafe Inspector
You are Mo McErgo. You are a WorkSafe Inspector.
You receive a call during the day on New Year’s
Eve from a health and safety representative at
PaperMunchers, a local company that collects and
sorts recycling material (papers, bottles, cans, etc).
The health and safety representative says that there
was an accident a few days ago when a worker was
lifting papers to the truck and was nearly struck
by a car. The worker was taken by ambulance to
hospital after falling on the road. Also, there have
been other manual handling injuries. The managers
have introduced elastic back belts and the idea
of workers looking over each others shoulders
for breaches of safety rules is being considered.
The workers don’t believe these measures solve
the problems.
Cyril the Director of Waste Services for Tidy
Town Council
He has been the Director of Waste Services at
the Council for five years. Prior to that he worked
for the Council designing water, waste and other
infrastructure is a Civil Engineer by training. As
the Director of Waste Services he is responsible
for Waste Collection within the Council and
engaging contractors to undertake the work
through a competitive tender process. He has
been contacted by WorkSafe to assist the Accident
Investigation team.
You visit PaperMunchers
You visited PaperMunchers that day and talk with
the directors, Ty and Flo. You asked about the
recent accident and asked to be taken to the site.
You also wanted to speak to the workers and the
health and safety representative.
SAFE DESIGN FOR ENGINEERING STUDENTS 19
Figure 1: Paper Collection by PaperMuncher
Photos: J. Culvenor Trek: ‘On Christmas Eve, I was working with Jo
Flo took you to where the truck was working. As
you arrived the workers were collecting paper.
They were collecting from both sides of the road
at once. Flo said that they are not meant to
work from both sides of the road and that’s what
caused the accident. Flo said ‘that’s typical, I’m
glad you’re here, that’s Jay, the health and safety
representative. Ty told Jay years ago not to cross
the road’.
You spoke with Flo, Ty, Jay and Trek about the
accident and about the work system. You observed
the work (photos above) and you also visited
the council.
20 australian SAFETY and compensation council
Here’s what you found out:
– who is off work because of the accident. I was
driving the truck as I have a shoulder injury from
working in the sorting area. Jo was doing all the
lifting work. We were keen to get the run done
quickly to spend the afternoon on last minute
arrangements for holidays. But we weren’t rushing.
The accident happened at about 11am. There had
been a thunderstorm overnight, the road was wet
and slippery, and the paper was wet and heavier
than usual. Jo was carrying a large bundle across
the road when a car appeared from around a
corner. Jo probably didn’t hear the car because of
the noise of the paper crushing unit. I saw Jo throw
the paper toward the hopper and jump behind the
truck. I think it was a close call but Jo wasn’t hit.
The car wasn’t driving fast it’s just that it is hard to
see at the spot where it happened.
Jo had fallen on the kerb and complained of a
massive headache and a stabbing back pain. The
car driver, Lenni stopped and came to help. Luckily
Lenni had a mobile and called an ambulance. The
radio in the truck has been out of order for three
months. They say it’s going to be fixed but who
knows when. I also used Lenni’s mobile to call the
office and report the accident.’
Jay: ‘I was working in the recycling area when the
accident happened but I know about this job and I
am the health and safety representative. When the
job began about 18 months ago I worked with Jo on
the truck. We shared the lifting and driving work. It
was hard work and our arms and back was usually
sore at the end of a run. Flo, one of the bosses,
made me move into the sorting area after about one
year (six months ago). This was because Trek had
a shoulder injury in the recycling area and needed
a light job. There are no light jobs in the recycling
area. The truck driving is easy enough but because
Trek had the injury, Jo had to do all the lifting. That
was far too much and I said that to Flo – who said
there was no choice as the insurance company said
a light job was needed. It was really too hard already
let alone one person now doing twice as much. I
complained also to Ty who then bought everyone
elastic back belts. I don’t think the back belts really
do anything about the problem. After Jo’s accident
I complained again and said we should call you
(WorkSafe) to look at the problems. Ty said ‘no’ but
promised something better would be done. When
we came back after Christmas I found out that the
new ‘improvement’ was to be a consultant telling
everyone how to watch out for unsafe behaviours.
How does that change anything about the huge
amount of paper that has to be lifted, and all
the bending, and the heat, sunburn, cold, rain,
passing cars, sharp objects in the bundles, slippery
ground, kerbs to trip over, and so on? That’s when I
called you.’
You asked about working on both sides of the road
and instruction: ‘When we started, Ty told us about
the job. We were meant to drive back and forth
along the streets. We did it that way for a couple
of weeks but it took at lot of extra time and extra
running. We could go home whenever we finished
so we did both sides at once. No one ever said
anything about it. No one ever asked how we do the
work. No one ever came to have a look.’
Ty: ‘PaperMunchers Pty Ltd is a small family owned
business. Flo and I run the business. We formed
when the council created the new waste system and
we started work on this contract about 18 months
ago after buying the trucks and setting up the
sorting centre.
We collect recycling wheelie bins (cans, bottles,
plastic, etc) using trucks with side lifters. Then
we sort this material in the sorting centre. We also
collect paper but this is done manually.
We bought the trucks from Top Trucks Pty Ltd,
some with bin lifters for the recycling (cans and
bottles) and some with hoppers for hand loading
the paper. The bin lifter for recycling is good
because there is only a driver and no manual work.
We couldn’t use that kind of truck for the paper
because the council set up the system with the
paper on the ground, bundled or in a box.
About working on both sides of the road – I told Jo
and Jay not to do that when they started. I didn’t
know they were breaking the rules. Jay is the health
and safety rep so I figured it would be all under
control. When Trek started with Jo, I figured Jo
would pass on the instructions on how to do the job.
The lifting work is fairly hard so I bought everyone
elastic back belts that I saw at an expo. Jo took it off
on the day of the accident, perhaps because it was
hot. We did have a system of sharing the driving
and lifting work. That broke down a little bit because
we needed to create a light job.
After the accident, I could see that the workers were
not working safely. A friend who is a safety advisor
at a local manufacturing firm suggested SSAFeTy
System (Super Safety Action Friendly Tips System).
The idea is that the workers monitor each other’s
unsafe acts and issue them with ‘friendly’ reminders
when they are doing something dangerous. It’s from
the USA! I am getting a consultant to come and
teach everyone.’
Flo: ‘Trek worked in the recycling area for about a
year and then was off work with a shoulder injury.
The insurance company told me to create a light
job. The recycling jobs are all the same so I thought
SAFE DESIGN FOR ENGINEERING STUDENTS 21
truck driving would be ok. I had Trek drive the You asked about why the paper is not in a
truck with Jo and moved Jay into the sorting area. wheelie bin?
Jay complained, as usual, about the lifting and ‘The residents did not want too many bins on the
that Jo would now need to do it all. But out on the street on one day. It would be untidy and take
collection they can work at their own pace so if it up space for parking. Since not everyone gets
gets a bit too much for Jo toward the end of the day newspapers it seemed that if something was going
they can just slow down. I think it worked quite well to be on the ground then newspapers would be
until the accident. Jo must have been crossing the best. A box of newspapers is also fairly easy to
road. I know Ty told them not to when they started handle. I can easily lift one box with two weeks
so it’s Jo’s own fault. papers. It’s not heavy.’
Your visit to the City of TidyTown and talk to Cyril, Reference: WorkSafe Victoria 2003, Non-Hazardous Waste and Recyclable Materials:
Occupational Health and Safety Guidelines for the Collection, Transport and Unloading
the Chief Executive Officer of TidyTown Council: of Non-Hazardous Waste and Recyclable Materials, WorkSafe Victoria, Melbourne, http://
www.worksafe.vic.gov.au/
‘Over two years ago we decided to improve waste
management. A key problem was the amount
of recyclable material being sent to landfill and I
developed a new waste collection system. We asked
residents what they wanted and came up with a
great system involving four collections:
1. Garbage Wheelie Bin (every week) for normal
household garbage.
2. Recycling Wheelie Bin (every second week) for
glass, plastic, aluminium, steel cans, etc.
3. Green Waste Wheelie Bin (every second week).
4. Paper (every second week) in a cardboard box
or tied in bundles.
The four waste collections are on the same day of
the week. A notice explaining the collection of the
waste was posted to all TidyTown residents.
After we thought up the ideas for the collection
system, we invited tenders for collection. The
garbage and green-waste collection was awarded to
our own waste department. The recycling and paper
collections were awarded to PaperMunchers for two
years (they have about six months to run).’

22 australian SAFETY and compensation council

2.2.5 Failure Modes and Effects Analysis
Student notes
Overview
The aim of this exercise is to deepen your
understanding of Failure Modes and Effects
Analysis (FMEA) through the analysis of a simple
hydraulic jack.
Learning Outcomes
> Understand how to analyse a simply system
using FMEA.
> Understand how to use FMEA to evaluate
proposed changes to a system.
> Be aware that although FMEA is a quantitative
analysis technique that there is a degree of
subjectivity in the interpretation of the system
and thus the values applied during the analysis.
Activity
For the following scenario,
> Fill in the FMEA template supplied using the
procedure outlined in the FMEA section 1.4.5 of
the Safe Design Engineering Toolkit.
> Recommend corrective actions and indicate
to what degree the actions would modify the
FMEA ranking.
Scenario
A portable hydraulic jack has been designed for
use in medium-sized engineering tasks such as
jacking up large trucks, cranes, etc. A 7.5kW petrol
engine has been selected to power the pump which
in turn pushes the fluid that extend the hydraulic
ram within the jack. The pump is connected to
the ram by a wire-reinforced hose. The product
development team has identified that a fluid leak
is a possible failure mode for the hose. Such a leak
would result in the jack not working but if the leak
occurred whilst the jack was in use the leak could
have more severe consequences in terms of the
jack dropping the load it was supporting.
Fluid leaks have been caused in the past by poor
hose material supplied by vendors. Also, during
manufacture, an automated assembly machine has
been known to occasionally cut the hose. The team
estimates that the likelihood of a ‘poor material’ is
about 5% and a ‘cut’ about 0.5%. When a hose
made from poor material leaks, the jack still works
but the load it is supporting gradually lowers.
That is, a leak could be considered to be a partial
malfunction. When a cut hose leaks, the oil empties
onto the ground and the pump is damaged. The
oil spill also represents an environmental problem.
50% of the wire-reinforced hose is inspected upon
delivery. Cuts in the hose are likely to be detected
during manufacture as the assembly machine
usually jams if it strikes the hose.
(Adapted from ‘Safeware’ N. Leveson)
SAFE DESIGN FOR ENGINEERING STUDENTS 23
 Blank FMEA template

FMEA Template

Severity (S) Occurrence (O) Detection (D)

RPN Recommended Action
Effects S Rating Causes O Rating Control Tests D Rating
Failure Mode

24 australian SAFETY and compensation council

2.2.6 Event Tree Analysis Perform an Event Tree Analysis on the system (S, P,
A, B) assuming that water has started to flood into
Student notes the basement. You can assume the following:
> That the power supply to the pump does not
Overview
need to be included in the analysis.
The aim of this exercise is to deepen your
> The failure of the manual pumping system
understanding of Event Tree Analysis (ETA) through
operator error.
the analysis of a simple pumping application.
Given the following probability table, what is the
Intended Learning Outcomes probability that the basement will end up flooded in
the event that water flows into the basement?
> Understand how to qualitatively and
quantitatively analyse a simple system Component Probability of Failure on
using ETA. Demand
> Awareness of how ETA enables critical elements Automatic Pump (P) 1e-4
of a system to be identified. Switch (S) 1e-6
Alarm (A) 1e-5
Activity Manual pumping (B) 1e-4
The facilities for the passenger reservations division Which element of the system would you improve
of a major airline occupy a 10 story building. to gain the greatest improvement with respect to
The basement of the building contains a backup minimising the chance of the basement flooding?
generator so that 24/7 availability can be maintained
even during black-outs. In heavy rain the basement
is prone to minor flooding. The basement is
protected from flooding by the system shown in
Figure 1. Rising flood waters close the float switch
S, powering the pump P from an uninterruptible
power supply. An Alarm A is also sounded, alerting
operators to perform manual pumping using a bilge
pump, B, should the automatic pump fail. Correct
operation of either of the pumps will effectively keep
the basement from flooding.

Figure 1: Basement pumping system

(Adapted from ‘Event Tree Analysis’, P.L. Clemens, Feb 2002, Jacobs Sverdrup)

SAFE DESIGN FOR ENGINEERING STUDENTS 25

2.2.7 Fault Tree Analysis Activity
The reservations division system for a major airline
Student notes
occupy a 10 story building. The basement of the
building contains a backup generator so that 24/7
Overview
availability can be maintained even during black-
The aim of this exercise is to deepen your outs. In heavy rain the basement is prone to minor
understanding of FTA through the analysis of a flooding. The basement is protected from flooding
simple pumping application. by the system shown in Figure 1. Rising flood
waters close the float switch S, powering the pump
Learning Outcomes P from an uninterruptible power supply. An Alarm
> Understand how to qualitatively analyse a simple A is also sounded, alerting operators to perform
system using FTA. manual pumping using a bilge pump, B, should
the automatic pump fail. Correct operation of either
> Be aware of how FTA enables single points of of the pumps will effectively keep the basement
failure in a system to be identified. from flooding.
Perform a Fault Tree Analysis on the system to
determine the causes of a flooded basement. You
can assume that the power supply to the pump
does not need to be included in the analysis.
Use cut set analysis to determine if there is any
single point of failure within the system.

Figure 1: Basement pumping system

(Adapted from ‘Event Tree Analysis’, P.L. Clemens, Feb 2002, Jacobs Sverdrup)

26 australian SAFETY and compensation council

2.2.8 Risk CONTROL
Student notes

Overview
A Risk Management problem associated with road
safety is presented. This activity is designed to
develop the student capabilities associated with
Risk Identification and Risk Control.

Intended learning outcomes

Through completing this activity students will be
better able to;
> Identify hazard(s) from written scenario.
> Assess the risk(s) posed by the identified hazard.
> Identify measures that would control the risk(s).
> Ability to prioritise risk control options according
to the Hierarchy of Control.

Activity
For the following scenario,
> fill in the hazard identification and
significance table.
> fill in the risk control table.

Scenario
Bob, driving his car, was in a single-vehicle road
accident. The accident occurred on a country road
in Victoria at night. The road was relatively straight,
flat, horizontal and dry. His car collided with the
left hand side of a bridge railing. The bridge railing
is approximately fifty years old and made of stone.
There are many bridge railings of this type. Bob
was nineteen years old at the time and recorded a
blood alcohol reading of 0.03%. He suffered major
injuries and survived. No other passengers were in
the vehicle. (example J. Culvenor 1997)

SAFE DESIGN FOR ENGINEERING STUDENTS 27

Risk Documentation
1. Identify the hazards and make a judgement about the significance of the risk (major, minor, negligible)

No. Hazards Major Minor Negligible

2. Risk Control and type of Control

No. Risk control Hierarchy of Control classifier

e.g Air bag Engineered Control

Reference:
Culvenor, J (1997), Breaking the Safety Barrier: Engineering New paradigms in Safety Design, PhD Thesis, University of Ballarat

28 australian SAFETY and compensation council

2.2.9 Incident Investigation
Student notes
Overview
This activity is about applying Incident Investigation
principles to a motor vehicle crash scenario. It
is intended to help students develop their ability
to identify the causes of incidents, injuries and
diseases through the application of various accident
analysis models. By completing this activity,
students should be more proficient at recognising
hazards, better able to understand there are often
multiple causes for any incident and that learning
from incidents is the best way to understand
the most appropriate preventative measures for
the future.
Intended learning outcomes
> Identify a full range of causal factors using the
accident analysis models.
> Recognition of precursor factors (work systems;
plant and equipment; work environment; people
issues; and interactions) that lead to the injury.
> Ability to identify measures that would control
the risk(s) using the hierarchy of control.
Activity
1. Identify the ergonomic factors relevant to the
hazard in the following categories:
> work environment (the place where work
is done);
> plant and equipment (physical things);
> people (eduction, skills, capacity); and
> systems (how things are done).
2. Identify the relevant issues under
Hopkins factors:
> Physical accident sequence,
> Organisation /Company level factors;
> Government/regulatory factors;
> Societal factors.
3. Determine corrective and preventative actions
using the hierarchy of control
> elimination;
> substitution;
> isolation;
> engineering;
> administration; and
> personal protective equipment.
SAFE DESIGN FOR ENGINEERING STUDENTS 29
Scenario: Work related vehicle crash
Many people drive on the public roads for
work purposes. The public roads are therefore
workplaces. Driving West late in the afternoon in the
winter (wet road), the car driver is making the last
of a number of parts deliveries using a utility. The
vehicle is only about one year old but has neither
anti-lock brakes, nor air bags. Imagine a rear end
collision with a truck such as shown below. The
truck is ironically being used by the same company
to distribute its goods nationally.
What is the cause of the crash and the injuries that
might follow? Following too close? Fatigue? Lack of
concentration? Fatigue and lack of concentration
might be involved but it is self-evident that the
driver ended up too close.
Rear end collision truck fleet owners are just a few who can make a
Photos: J. Culvenor
30 australian SAFETY and compensation council
If we look deeper, perhaps we could examine both
vehicles involved? Does the car have the best
practicable features to avoid a rear end collision?
What might that be – anti-lock brakes, maintained
brakes and tires, collision avoidance radar? Does
the car provide good survivability features such as
crush zones, a protected passenger compartment,
airbags, etc. How far can the thinking be extended?
Why are trucks used for national transport and not
rail? The answer to this is ‘what is practicable’? It
is practicable for a person choosing a fleet vehicle
to seek good current standards for vehicles. What
about the rear of the truck. Is it designed to provide
the best survivability for vehicles that might strike
the rear? Examining these issues takes the thinking
about the accident and injury causation well beyond
the scene on the road. Decision makers thinking
about car choices for a fleet, truck designers, and
difference through their actions.
Rear end collision
Photo: J. Culvenor

.3 DeSign actiVitieS
.3.1 Safe DeSign anD bUilD
Overview
The goal of this activity is to give students an
opportunity to develop and utilise their Safe Design
abilities while undertaking a design and build
exercise. It is intended to be used in conjunction
with any existing design and build project that
is currently used by an engineering educator
within their undergraduate engineering course.
By broadening the design requirements of the
existing project to include safe design it provides
an opportunity for educators to introduce a greater
degree of ‘real-world’ constraints to these design
and build activities.
Intended learning outcomes
> Awareness of engineers' responsibilities for
safe design.
> Ability to identify safety issues and risks.
> Ability to integrate safety principles into
engineering design.
> Ability to understand inter-relationships between
safety and other design requirements.
> Awareness of the need to consider safety
implications in a design activity.
Context in which it could be used
All Engineering courses are required to develop
student design capabilities. This is achieved in a
variety of ways, ranging from unstructured problem
based activities to integrated design projects.
Undergraduate engineering course accreditation
(Stage 1 from Engineers Australia) requires students
to undertake two or more construction projects
>>>>
and at least one major design project. Many
engineering faculties initiate design experiences in
the early stages of a course with challenging design
and build exercises such as spaghetti bridges,
gravity-powered vehicles or website development.
In addition, a number of undergraduate design
competitions, such as the Weir-Warman competition
for Mechanical engineers, are available to
encourage students to think creatively and solve
problems in an innovative way. These various
design-and-build projects can be used to as a
mechanism to introduce or reinforce safe design
principles and concepts.
The following activities can be used to enhance
existing design oriented projects to ensure that
students develop an awareness of safety issues and
ultimately the ability to accept their responsibilities
for safe design. The activities have been designed to
apply to a wide range of design activities from basic
to complex and to be easily integrated into existing
subjects and projects.
Approach to adding Safe Design to Design and
Build Projects
This activity is designed to illustrate how safe
design concepts can be embedded within a
design-and-build project using the tools available
in the Safe Design Guide. The intention is not to
provide a definitive mechanism for embedding safe
design within any design and build projects since
there is too much diversity in the currently used
projects to specify which Safe Design tools are the
most appropriate. For example, a project in civil
engineering or construction would most likely find
the CHAIR guidewords are the most suitable risk
identification tool whereas a project in Mechanical
Engineering may find the Plant Hazard Checklist the
saFE dEsiGn For EnGinEErinG studEnts 31
most appropriate. So to illustrate how safe design
can be embedded in a design-and-build project,
an example project in Mechanical Engineering has
been developed as a case study.
Indicative Example
Introduction to Mechanical and Mechatronic
Engineering – Into-the-Wind Design-and-
Build Project
This is an adaptation of a project for a 1st year
Mechanical Engineering subject at the University of
Technology, Sydney developed by Terry Brown.
The following document provides the details for the
major design project for this subject. The project is
worth a total of 25% of the marks. It is to be done
as a group of no less than 3 and no more than 5.
The objectives of this project are:
> to encourage students to creatively approach a
specific problem;
> to allow students to experiment with a variety of
solutions to a problem;
> to encourage teamwork and to allow students to
learn from the work of their colleagues;
> for students to implement engineering design
methodologies to a practical problem;
> for students to have some fun learning some
engineering fundamentals.
Direction of travel
Your vehicle
32 australian SAFETY and compensation council
As should be quite obvious this project will require
consistent effort over a number of weeks. Do not
leave everything to the last minute, you won’t be
able to do it.
Scenario
The Federal Government’s Sustainable Technologies
Department is looking to provide funds to support
small companies in developing sustainable
technologies. They currently have a project that
requires a company to design, develop and
manufacture several small wind powered vehicles.
Companies are invited to design and build one
vehicle. The selection of the successful company
will be based in part on the performance of the
vehicle in a competition between rival companies.
Supporting documentation in the form of a design
report and the ability of the company design team
to explain and demonstrate the strength and
weaknesses of their design will also be taken into
account in selecting the successful company. The
Sustainable Technologies Department will fund each
stage of the design process, subject to satisfactory
progress, to provide incentive and to help cover
the costs of those companies that are eventually
eliminated. This project is offered to small
companies with a design team of 3-5 engineers.
Design task
Design and build a vehicle that starts from rest and
travels into the wind using the power of the wind as
its only source of energy.
500mm
225mm
Stop
395mm
50mm
Specifications The competition performance criteria:
> It has been estimated that the strength of the To carry the heaviest "payload" (m) across a
wind in the location where the vehicles must distance of 2m in the least amount of time (t), i.e.
operate is about the same as that produced by a the greatest m/t ratio.
domestic electric fan set on high speed.
Safe Design component of the ‘Into-The-Wind
> The wind source will be a domestic electric fan Design-and-Build Project’
with overall dimensions as shown above.
The following table is a generic example of the result
> The fan will be set to the highest speed setting. of applying safe design tools to a typical vehicle that
may be expected to be created for the ‘Into-The-
> The vehicle must carry a "payload" across a
Wind Design-and-Build Project’. As the project is of
"track" a distance of 2m.
a mechanical engineering nature, the Plant Hazard
> The vehicle design should maximise the ratio Checklist was used to help identify risks. For each
of "payload" (m) to time (t) taken to cover the life cycle phase, the keywords that triggered a risk
distance of 2m, i.e. (m/t). issue are noted. Each risk issue is then examined
> The vehicle should not take longer than 5 in more detail and actions to reduce the risk
minutes to cover the 2m distance. and safeguards to deal with the residual risk are
determined. The students could also be requested
> The "payload" must be a separate entity and
to produce a short report detailing those aspects of
easily removed from the vehicle to facilitate
the proposed assessment criteria not evident in the
weighing but must be wholly contained on or
table. In the column under Action, students would
within the vehicle and must travel the full 2m
be expected to give detailed and specific actions for
with the vehicle. The vehicle must be operational
their own vehicle.
both with, and without, the payload on board.
> The starting position is 2.5m from the front of
the fan.
> All parts of the vehicle must start from behind
the start line and no part of the vehicle is allowed
to be moving before timing begins.
> No part of the vehicle may be further than 0.5m
behind the start line.
> The "track" will be a hard flat surface (MDF
board or similar).
> The vehicle is to remain in contact with the
ground at all times.
> Overall dimensions of the vehicle are to remain
essentially unchanged throughout the travel.
> Any materials may be used in the construction of
the vehicle.
> No other source of energy may be used to
propel the vehicle, eg batteries, pre-compressed
or extended springs (or "gentle nudges"
by participants).

SAFE DESIGN FOR ENGINEERING STUDENTS 33

 Student Template:

Lifecycle Phase Risk Issue Causes(s) Consequence(s) Safeguard(s) Action(s)

Develop Concept

Design

34 australian SAFETY and compensation council

Construct / Manufacture

Supply / Install

Commission / Use

Maintain

Decommission

Disposal / Recycle

. caSe StUDieS
..1 forD pinto caSe StUDy
StUDent noteS
Overview
The scenario used is a classic case that has been
influential in automotive safety. It contains many
of the challenges of engineering design which are
still relevant today and which must be addressed
if Safe Design is to become a fundamental part
of engineering.
This discussion oriented activity is designed to
explore an Engineers professional responsibilities,
ethical frameworks when dealing with issues related
to safety and approaches to making decisions about
public safety. It recognises that decision-making in
engineering can involve ambiguity and differences
in opinion.
Intended learning outcomes
> Awareness of legal and moral professional
responsibilities of engineers in relation to safety.
> Awareness of Institute of Engineers, Australia
Code of Ethics.
> Awareness of the use of cost-benefit analysis for
public safety decisions.
Activity
Read the following scenario and be prepared to
answer the discussion points.
>>>>
Scenario
In the 1960’s there was strong competition in the
American small car market. To be competitive in
this market, Ford needed to have a product that
had the size and weight of a small car, had a low
cost of ownership and clear product superiority. The
Ford Pinto went on to become one of the 1970’s
best selling cars.
The Ford Pinto was designed to meet these criteria.
The strict design specifications were that the car
was to weigh less than 2000 pounds and cost
less than $2000. Ford also decided on a short
production schedule. Instead of the normal time
from conception to production of 43 months for a
new model, the Pinto was scheduled for 25 months.
Under conditions of reduced product-time to market
then tooling up for manufacture which involves
making the machines that stamp, press and grind
car parts into shape must be done whilst product
development is underway rather than after product
design. Ford wanted the car in the showrooms
with the other 1971 models and tooling had a fixed
timeframe of about 18 months.
Investigative journalism by Mother Jones
established that;
> ‘Ford engineers discovered in pre-production
crash tests that rear-end collisions would rupture
the Pinto’s fuel system extremely easily’
> ‘Because assembly-line machinery was already
tooled when engineers found this defect, top
Ford officials decided to manufacture the
car anyway’
saFE dEsiGn For EnGinEErinG studEnts 35
> ‘For more than eight years afterwards, Ford
successfully lobbied against a key government
safety standard that would have forced the
company to change the Pinto’s fire prone
gas tank’
It was concluded by Mother Jones from Pinto
accident reports and crash test studies that
‘if you ran into that Pinto you were following at
over 30 miles per hour, the rear end of the car
would buckle like an accordion, right up to the
back seat. The tube leading to the gas-tank
cap would be ripped away from the tank itself,
and gas would immediately begin sloshing onto
the road around the car. The buckled gas tank
would be jammed up against the differential
housing (that big bulge in the middle of your
rear axle), which contains four sharp, protruding
bolts likely to gash holes in the tank and spill
still more gas. Now all you need is a spark from
a cigarette, ignition, or scraping metal, and
both cars would be engulfed in flames. If you
gave that Pinto a really good whack—say, at 40
mph—chances are excellent that its doors would
jam and you would have to stand by and watch
its trapped passengers burn to death’
An accepted approach by federal Automotive Safety
regulators at that time for decision-making was risk/
cost-benefit analysis. Ford applied this method to
decide how to treat the fuel tank explosion risk.
An internal Ford memo calculated;
The cost at the manufacturing stage to fix the
problem was $11 per vehicle and the benefit
would be no payouts resulting from the fuel tank
explosion risk.
Benefits
> 180 burn death, 180 serious injuries, 2100
burned vehicles
> Unit cost: $200,000 per death, $67,000 per
injury, $700 per vehicle
> Total Benefit (180* $200k) + (180* $67k) +
(2100*$700)= $49.5M
36 australian SAFETY and compensation council
Risks/Costs
> Sales: 11 Million cars, 1.5 Million light trucks
> Unit cost: $11 per vehicle
> Total cost: (12.5*$11) = $137.5M
Ford believed that it was therefore not ‘reasonably
practicable’ to fix the problem during manufacture.
It preferred to ‘retain the risk’ and make payments
as required. There were no Standards for
withstanding rear–end collisions at a specified
speed until after 1977.
The Department of Transportation announced in
May 1978 that the Pinto fuel system had a ‘safety
related defect’. Ford recalled 1.5 million Pintos. The
modifications included a longer fuel filler neck and
a better clamp to keep it securely in the fuel tank, a
better gas cap in some models, and placement of a
plastic shield between the front of the fuel tank and
the differential to protect the tank from the nuts and
bolts on the differential and another along the right
corner of the tank to protect it from the right rear
shock absorber.
The consequences of Ford’s actions were
significant. Millions of dollars of civil lawsuits were
filed against Ford and awarded against the car
maker. In 1979 Ford Motor Company was charged
with reckless homicide but was acquitted in 1980.
The Ford Pinto ceased production within months.
The damage to the company has been incalculable
and it is conservatively estimated there are over 500
burns deaths to people who would not have been
seriously injured if the car had not burst into flames.
Lee Iacocca, who was the Head Engineer for the
project has said ‘The guys who built the Pinto had
kids in college who were driving that car. Believe
me, nobody sits down and thinks: ‘I’m deliberately
going to make this car unsafe’.
Discussion Points
1. Is cost/benefit analysis an appropriate approach
for deciding public safety?
2. Should the engineering professions Code of
Ethics impose a higher standard than that
required by regulatory requirements?
3. What would you consider when making
a judgement about what was ‘reasonably
practicable’ for Ford to meet its ‘duty of care’
responsibilities?
4. As a design engineer working on the Ford Pinto,
what could you have done to demonstrate your
‘duty of care’ responsibilities?
5. Designers of Extra-light vehicles face
tremendous technical challenges in designing
safety into those vehicles. How would you decide
what appropriate safety measures are?
6. When other costs have been cut as much
as they can, one way to increase revenue is
to get products to the market as quickly as
possible. This will increasingly be a challenge to
implement whilst ensuring there is a thorough
and integrated approach to Safe Design. How
can this challenge be met?
Primary resources for information about this case
Mother Jones News Magazine, ‘Pinto Madness’
by Mark Dowie, Sept/Oct, 1977. There is video at
the site showing crash testing of the vehicle and
other articles.
Centre for Auto Safety, http://www.autosafety.org,
search using term, Ford Pinto
Lee (1998) The Ford Pinto Case and the
Development of Auto Safety Regulations, 1893-
1978, Business and Economic History, v27(2).
http://www.thebhc.org/publications/BEHprint/
v027n2/p0390-p0401.pdf
2.4.2 Mercedes A-Class Case Study
Student notes
Overview
This activity includes a case study of how an
automotive manufacturer dealt with a safety issue
discovered immediately after the launch of their
vehicle. It provides a contrast to the handling of a
safety issue in some other vehicles. by other car
makers. It explores some of the factors that can be
considered when evaluating how safety should be
handled during the design of products.
Intended learning outcomes
> Awareness of professional responsibilities of
engineers in relation to safety.
> Awareness of the factors which can impact an
organisations response to a public safety issue.
Activity
Read the following scenario and be prepared to
answer the discussion points.
Scenario
Until the 1990’s Mercedes-Benz had focused
on the premium car market. They, like BMW,
pioneered the use of safety features such as Air
Bags, Electronic Braking Systems (EBS), and
Electronic Stability Control (ESC). A long history of
innovation in motor vehicle safety gave Mercedes-
Benz a considerable reputation. Mercedes then
decided to enter the small car market. The
Mercedes A-Class was a microcar priced cheaper
than a VW Golf.
Although the A-Class was a cheaper car, Mercedes
did not intend to compromise on safety; ‘The
car had gone through rigid testing procedures
for years’ (Ihlen, 2002). For example, the engine
was installed at an angle such that in the event
of a crash, the engine would go under the front
passenger. The A-Class underwent extensive
testing, including over 400,000 kilometres of testing
by a thousand journalists.
The A-Class was launched on October 18 1997 but
on the October 21 1997 a passenger was injured
when the A-Class being driven by a motoring
journalist rolled over during an extreme driving
manoeuvre known as the Moose Test (also known
as the Elk Test). This test, unknown in Germany, is a
Nordic test designed to simulated a car swerving at
constant speeds (>60 km/h) onto the wrong side of
the road and back again in order to avoid a moose.
The test is conducted with the car fully loaded with
luggage and 4 passengers.
The journalist injured was one of a group who
had gathered in Tannishus, Denmark to judge
the Car of the Year award. ‘The A-Class seemed
the obvious choice: no other rival had pushed the
design and technical envelope with such bravado
SAFE DESIGN FOR ENGINEERING STUDENTS 37
and excellence.’ (Whitworth, 1998). Instead of a
prestigious award and the positive publicity that
would ensue, the media ran with the Moose Test
failure. The extent of this publicity was such that
the term Moose Test is now used to represent any
stringent test on the quality of a product.
‘Initially, Daimler-Benz defended its ‘Baby
Benz’ saying the company did not think it was
necessary to issue a statement ‘just because
a car flipped over somewhere’. The huge
media reaction against the company reportedly
with ‘a reputation as the ultimate in German
engineering and safety’ soon forced Daimler to
acknowledge that modification was required.’
(Knight and Pretty, 2000).
So despite having no technical evidence that the
A-Class was unsafe, quite the contrary based on
their own testing, Mercedes halted production. By
this stage there were 2,500 A-Class in the hands of
owners and a further 15,000 off the production line.
Mercedes offered to rework the cars to improve their
handling. Apart from changing to larger wheel rims
and lower profile tyres, Mercedes took the radical
step of installing the Electronic Stability Program
(Mercedes-Benz version of ESC) to the A-Class;
a most significant upgrade when you consider
that ESP was only available as an option on their
more expensive models. During the 2 weeks that
the modifications took, the 200 owners that took
up Mercedes’ recall offer were given C-Class
Mercedes to drive. A-Class production was halted
for approximately 12 weeks while the modifications
were designed and changes to the production line
made. The total cost to Mercedes-Benz to modify
the A-Class are estimated to be $150 million. At
the re-launch of the A-Class in late January 1998,
journalists were unable to make the A-Class rollover.
‘So why did the A-Class fail the elk test? Listen to
Ulrich Brunke, chief engineer for the A and C-Class
cars and he will tell you that any car, given the right
number of turns over the right distance can be
made to fall over. The elk test is a violent test for any
car to endure’ (Whitworth, 1998).
38 australian SAFETY and compensation council
Discussion Points
1. Compare and contrast the different approaches
taken by the manufacturers of Mercedes
A-Class, Ford Pinto (Section 2.6.1) and
Suzuki Samurai to manage the safety issue
in their vehicle.
2. Did Mercedes go beyond its ‘Duty of Care’ to
consumers in recalling the A-Class?
3. What sorts of factors could Mercedes have taken
into account when they decided to recall the A-
Class car?
Primary resources for information about this case
Ihlen, O (2002) Defending the Mercedes A-
Class: Combining and Changing Crisis-Response
Strategies, Journal of Public Relations Research,
v14(3): 185-206
Whitworth, B (1998) ‘Of Moose and Men’,
Automotive Engineering, April 1998, pp39-42
Breuer, J.J. (1998) Analysis Of Driver-Vehicle-
Interactions In An Evasive Manoueuvre – Results Of
‘Moosetest’ Studies’, Daimler-Benz AG, Germany,
International Technical Conference on the
Enhanced Safety of Vehicles (ESV), Paper Number
98-S2-W-35, http://www.nhtsa.dot.gov/esv/16/
98S2W35.PDF
Knight, R.F. and Pretty, D. (2000) Brand Risk
Management in a Value Context’, Templeton
Briefing 05, University of Oxford, UK, ISBN:
1 873955 09 X
Rollover Lawsuits, Suzuki Rollover Accidents &
Roof Crush Injuries: http://www.rolloverlawyer.com/
suzuki_samurai.htm
Consumer Reports (1998). Front Lines – Auto
Safety : What Suzuki could learn from Mercedes,
Jan 1998 p10’
2.4.3 F-111 Deseal/Reseal Case
Student notes
Overview
This case study is a summary of the events
surrounding the F-111 Deseal/Reseal case that
were presented at a Board of Inquiry in September
2001. The case shows how major safety issues
in the workplace can arise from a combination
of workplace culture and the use of hazardous
materials. While some of the organisational and
cultural features of the workplace described here
are unique to the military, others are relevant
to many other large industrial organisations. It
highlights the importance of the need to design
effective processes and systems not just products
for ensuring safety. It shows the ‘downstream’
consequences of not addressing safety ‘upstream’
at a design stage. It recognises that decision-
making in engineering can involve ambiguity and
differences in opinion.
Intended learning outcomes
> Awareness of hazards 'downstream' due to the
design of products.
> Understanding of the complexity of designing
safe processes.
> Appreciation of organisational and cultural
factors which impact the effective design
and enforcement of safe processes within a
workplace.
> Ability to identify risk control strategies to deal
with hazardous substances.
Activity
Read the following scenario and be prepared to
answer the discussion points.
Scenario
Image: http://www.defence.gov.au/raaf/images/for_site/wallpaper/
F111.jpg
In 1963, the Royal Australian Air Force (RAAF)
ordered 24 F-111 aircraft but it was not until 1973
that the aircraft arrived at Amberley Air Force
Base. The fuel tanks in the F-111 were designed
to be integral to the aircraft’s structure and unlike
many other aircraft the fuel tanks did not contain
an internal bladder but required a sealant for the
joints and mating surfaces to prevent leaks. A
specially developed sealant that could withstand the
environmental conditions arising from supersonic
flight was developed. However, fuel leaks were
discovered soon after delivery and it became
evident that the fuel tanks would need to have the
original sealant removed and a new sealant applied.
A deseal/reseal program was initiated and the
desealant used had potential risks due to its toxicity
and very low flash point. There are seven fuel tanks
located within the aircraft; in the fuselage ahead of
the wings, within the wings, behind the wings and
either side of the tail.
Consequently, for more than 20 years, the RAAF
maintenance personnel have been working in
cramped and confined spaces, using highly toxic
chemicals to deseal and reseal the fuel tanks of F-
111 aircraft. Although personal protective clothing
was provided (gloves, respirators, coveralls), the
high temperatures of the tropical climate and the
difficulty of working with such restrictions in a
confined space led to staff not always using the
protective gear that was provided. The personal
SAFE DESIGN FOR ENGINEERING STUDENTS 39
protective gear was often inadequate with protective
gloves dissolving, chemical seepage through
coveralls, and inadequate filtration through
respirators. This meant that staff were directly
exposed to the effects of the hazardous substances
with which they worked. Staff reported symptoms of
skin rash, gastrointestinal problems, headaches and
loss of memory to medical personnel, but because
the symptoms were so vague little action was taken.
In addition, because the workers absorbed the
exceedingly foul smell of the desealant, they were
socially ostracised and excluded on the Base from
recreational gatherings such as the workers’ club
and the picture theatre. The highly disciplined
work culture of the military meant that any workers
who complained of the working conditions ran the
risk of facing disciplinary procedures and being
considered ‘a traitor’.
‘It is my belief that the consequence of not
undertaking the tasks would be that I might be
subject to ‘contact counseling’ (I would be taken
out the back and given a clip under the ear).’
In 2000, a RAAF Board of Inquiry into the Deseal/
Reseal program was finally constituted and the fuel
tank repair program suspended. A large number of
personnel have been affected by toxic substances
during their tours of maintenance duty. The
following narrative of one of the victims captures the
human cost of this safety problem.
‘I have skin cancers or solar skin damage on
my scalp, forehead, face and arms. I also have
claw toes and my left foot bows out…I continue
to suffer blood pressure problems…and
hemorrhoids with intermittent bleeding from
the bowel. I have a lump on the palm of my left
hand and a lump in the throat, which makes
it intermittently hard to swallow…I have bad
breath and my wife is always telling me that I
have an awful smell from my body which is not
regular body odor. I also get a red rash on my
face and suffer from headaches and dizziness…
I am at times very depressed…’
The Board of Inquiry identified a number of
contributory factors and made 53 recommendations
to rectify the problems uncovered and to establish
a climate of occupational health and safety in the
Defence Force.
40 australian SAFETY and compensation council
It was noted that in the RAAF, operations almost
always take priority over logistics. That means that
the aim of a maintenance squadron or wing is to
produce serviceable aircraft for use by operational
squadrons. The maintenance personnel were under
considerable pressure to complete the deseal/
reseal activity in minimum time so that the planes
could return to action. Consequently staff worked
long hours in confined spaces in claustrophobic
protective suits with production schedules that were
tight and performed extended duty periods. The
discipline of the Defence Forces results in staff who
perform commands without questioning.
The Board’s investigation however revealed
numerous incidents of non-compliance by
maintenance workers with the safety requirements
including that they wear personal protective
equipment (PPE) such as goggles, respirator, gloves
and coveralls. There was a failure on the part of
supervisors to ensure that these regulations were
observed. It was recognized that failure to wear PPE
was symptomatic of the organisational culture. In
a high-pressure environment, problems with the
personal protective equipment were brushed aside.
Gloves disintegrated within five minutes of contact
with the chemicals, but rather than continually
interrupting the job to get new ones, people worked
with bare hands. When the respirator restricted
vision, workers would simply remove it to get the
job done. The coveralls that were required as
a precaution against damage to the aircraft did
not provide workers with protection from fluids.
There were requirements that the vapors from the
desealant be below exposure and explosion limits.
Ventilation was therefore required within the fuel
tanks during cleaning, but it was not used due
to excess noise and space problems. The Board
concluded that without ventilation it was likely that
the atmosphere inside the tanks exceeded these
limits. People who complained were seen as trouble
makers and ‘getting the job done’ was the goal.
The RAAF also did not learn from previous
accidents and incidents and did not implement the
recommendations of other previous inquiries into its
maintenance programs.
The chain of command that is an integral part
of RAAF culture also worked to inhibit the
communication of safety issues upwards. While the
top-down model of command ensures that orders
are followed without question, Senior Commanders
remained unaware of the problems with the deseal/
reseal project because lower ranking officers were
reluctant to admit to such a serious safety problem
hoping that they could solve it without it coming
to the attention of their superiors. Workers who
found it difficult to complete the task as prescribed,
developed unapproved ways of doing things and the
staff training model employed ensured that these
inappropriate techniques were then passed on to
the next crew.
The RAAF also experienced economic restrictions
and the number of engineering staff was reduced.
In one case a young engineer who had been
graduated for three years was placed in charge of
170 maintenance workers. While this officer had
several highly experienced, non-commissioned
officers reporting to him, because of the ‘complex
and involved processes’ within the deseal/reseal
program the engineer had no real understanding
of the situation. He assumed the section was
being managed competently and that approved
procedures were being followed. The Board
recognized the engineer was placed in an untenable
position and could not effectively supervise sub-
ordinates. Engineering expertise was needed to
understand the implications of the various parts of
the maintenance process as well as to ensure that
when workers encounter difficulties an appropriate
systemic solution could be reached. But the
withdrawal of engineers from site as a cost-cutting
measure led to completely inadequate supervision
of trade staff.
The Board also found that at the Amberley Air
Force Base , there was a low priority on industrial
medicine as part of safety management. This is
significant since it was estimated that in Australia
four times as many people die from diseases
caused by exposure to hazardous substances in the
workplace as die from traumatic injury on the job.
When RAAF staff complained of headaches and
nausea to the Amberley Medical Section, little action
was taken because these symptoms were vague
and hard to specifically attribute to a single cause.
The Board recognised that despite the knowledge
that the workers were using a variety of potentially
harmful chemicals, the health care facilities at the
Air Force base was organised as a private medical
practice with doctors having no qualifications in
occupational medicine, no direct knowledge of the
working conditions for the affected staff and little
incentive to do the extra research to discover the
underlying cause of the distress.
Since the RAAF is planning to retain the F-111 in
service for up to a further twenty years, the fuel
tank leaks are problematic. The deseal/reseal issue
means their availability for Australia’s defence has
been compromised. It was estimated in 2001 that
in excess of 400 personnel have suffered long-term
damage to their health as a result of exposure to
chemicals in the various deseal/reseal programs.
A major study into the health of those who
participated in the program released in 2004 found
an association between involvement in the deseal/
reseal programs and a lower quality of life and more
common erectile dysfunction, depression, anxiety,
and subjective memory impairment. There is also
evidence, albeit less compelling, of an association
between the program and dermatitis, obstructive
lung disease (i.e. bronchitis and emphysema),
and neuropsychological deficits. The results of the
Board of Inquiry have had far reaching implications
for the entire Defence Force and for industry in
general. In his response to the Inquiry Report, Air
Marshal Houston said ‘My first priority is for the
health and welfare of serving and ex-members of
the Air Force…today’s Air Force puts people first…’
Primary resources for information about this case
Department of Defence, F-111 Deseal Reseal Board
of Inquiry (BOI) website, http://www.defence.gov.
au/raaf/organisation/info_on/units/f111/
Discussion Points
1. Identify the safety management (risk control)
approaches used, their effectiveness and the
hazards they targeted. (hint Hierarchy of Control)
2. What were the key design decision that
engineers made which impacted on the Deseal/
Reseal safety issue?
SAFE DESIGN FOR ENGINEERING STUDENTS 41
3. What were the key organisational and cultural
factors which lead to the Deseal/Reseal
problem?
4. What were the key ethical and regulatory issues
and how did they affect the safety problem? (hint
Apply the Code of Ethics)
5. General discussion questions to extend and
personalise the discussion:
> How could a junior Engineer onsite go about
being a ‘whistleblower’ when there was no clear
option to resolve the problems through the chain
of command?
> What issues have you faced when trying to
supervise staff when undertaking hazardous
work requiring their use of personal protective
equipment?
> What have we learned about safe engineering
design from this scenario?
2.4.4 Onsite Safety Activity
Students Notes
Overview
A discussion oriented activity designed to explore
an Engineers professional responsibilities and
your ethical framework when dealing with issues
related to safety. It is designed to explore your value
and belief system and how that can impact upon
your actions.
Intended learning outcomes
> Awareness of professional responsibilities of
engineers in relation to safety.
> Awareness of Engineers, Australia Code
of Ethics.
Activity
Please read the following scenario and then pick a
choice of action. Be prepared to discuss why you
thought the action chosen was appropriate after
considering your own ethics and your professional
responsibilities.
42 australian SAFETY and compensation council
Scenario
You and a fellow student engineer are undertaking
part-time work with a tank installation and
maintenance service firm. The firm has been
contracted to inspect the condition of petroleum
storage tanks at 50 sites across New South Wales.
The company which owns the fuel supply sites
is concerned about environmental liability from
leaking fuel due to corrosion of the mild steel casing
or welds in the tanks. Their company is proud of
its reputation within the industry of being safety
conscious and has developed a set of Safety Rules
for Contractors which sub-contractors are bound to
under the terms of their contract.
Your task is to supervise the onsite inspection of the
tanks by contract staff employed by the company.
These contract staff have a long history of working
with your firm and include a licensed gas fitter with
over 20 years of experience and his trades assistant.
Your immediate supervisor is located at head office.
The inspection process requires purging the tank
with nitrogen and staff entering the tank through a
manhole on the uppermost surface. The inspection
comprises searching the tank using torches to
locate visually areas of corrosion.
On your first day at the Company they gave you
and your fellow student engineer a half-day briefing
about what you were expected to do onsite. They
did not cover much on safety but did mention that
there would be some safety equipment onsite in the
unlikely chance you needed it.
Upon arriving at the site the next day you meet
George the gas fitter and his assistant Tom. You also
notice various signs around the depot mentioning
the Safety Rules for Contractors and Confined
Space Entry. You ask George about the safety
equipment and what these rules are and he say he
does not know but ‘ everything has been OK when
he has worked at their other depots and that if he
had a dollar for every tank he had inspected he
would be a rich man’.
You decide to seek confirmation from Peter your
immediate supervisor who is located at head office.
He tells you not to worry and that they only hire
safety equipment for the dangerous jobs and yours
is not one of those. He also says that George is the
most experienced contractor they have and to make
sure you get through the inspection quickly because
they are on a tight budget for the job.
You still feel uneasy and ring Gina your fellow
student engineer at another site. She says that you
are just a bit nervous about supervising staff onsite
for the first time and that their first inspection was
well underway. Her sub-contractor also told her that
safety equipment is not usually needed for these
types of jobs.

Choice of Action
a) Keep on working as directed by your supervisor
and try to catch up on lost time.
b) Keep on working as directed by your supervisor
and decide to have a meeting with your
supervisor at the end of the day.
c) Refuse to continue working on the site and go
back to head office to sort it out.
d) Contact the Depot Manager onsite to see if he
has a copy of the rules and seek clarification
about the safety equipment.
e) Try to contact your supervisor’s boss, who
happens to be a family friend.

SAFE DESIGN FOR ENGINEERING STUDENTS 43

44 australian SAFETY and compensation council
PART 2B:
SAFE DESIGN — STUDENT ACTIVITIES
— LECTURE NOTES

LECTURE NOTES

AN EDUCATIONAL RESOURCE
FOR UNDERGRADUATE
ENGINEERING STUDENTS
 >>>>
part b: Safe DeSign – StUDent
actiVitieS – lectUrer noteS
contentS

.1 introDUction 3

. gUiDeD actiVitieS 5

2.2.1 Designer Misconception 5
2.2.2 Construction Hazard Assessment Implementation Review 9
2.2.3 Plant Hazard Checklist 13
2.2.4 Incident Investigation: Waste Collection 19
2.2.5 Failure Modes and Effects Analysis 25
2.2.6 Event Tree Analysis 28
2.2.7 Fault Tree Analysis 31
2.2.8 Risk Control 33
2.2.9 Incident Investigation 34
2.2.10 What is Safe Design? 37

.3 DeSign actiVitieS 3

2.3.1 Safe Design and Build 39

. caSe StUDieS 5

2.4.1 Ford Pinto Case Study 45
2.4.2 Mercedes A-Class Case Study 48
2.4.3 F-111 Deseal/Reseal Case 51
2.4.4 Onsite Safety Activity 56

saFE dEsiGn For EnGinEErinG studEnts 1

 australian SAFETY and compensation council
 >>>>
.1 introDUction

.1.1 intenDeD learning oUtcoMeS to develop within their students. By achieving

Engineers Australia have specified the types of
capabilities that an undergraduate engineer would
be expected to have upon entering the workforce
as a graduate engineer. These capabilities provide
a useful foundation for promoting Safe Design,
however there are additional capabilities and
their enabling knowledge, skills and attitudes that
we believe engineering educators should aspire
these capabilities we can ensure that Safe
Design becomes a fundamental and explicit part
of engineering.
The following capabilities have been adapted
from those articulated in the UK by the Board of
Moderators Guideline (Appendix C) http://www.
learning-hse.com/hse/info_frameset.phtml

attitude ability to:

> appreciate the ethical view;
> recognise that health and safety is integral with all we do;
> accept that safety is everyone’s responsibility

competence Ability to:

> be able to implement a basic, systematic risk management process;
> communicate safe design;
> implement a life-cycle approach in design

Knowledge Ability to:

> fulfil legal responsibility,
> understand the legal framework,
> understand the value of health and safety and its role in the engineering process;
> recognise the influence of human behaviour;
> appreciate the benefits of learning from history.

saFE dEsiGn For EnGinEErinG studEnts 3

2.1.2 Safe Design Keywords integrated into disciplinary specific knowledge and
applied to an example meaningful to that discipline.
The following are the key concepts, principles
In these more complex application contexts
and terminology that is needed to be an effective
different engineering disciplines can use different
practitioner of Safe Design.
risk management tools and they often have different
> Safe Design Process: design processes.
Designed product, Designers, Five principles of Another challenge is to provide guidelines on
Safe Design, Human factors. the extent to which learning related to the values
and attitudes of the students have occurred.
> Lifecycle Framework:
The activities that suit developing these types of
Lifecycle concepts and stages. learning are more likely to be open–ended and the
> Legal, Regulatory & Professional Framework: appropriate learning outcomes will need to be more
thoroughly negotiated with the students and be
Duty of Care, Reasonably practicable, Due
specific to your learning environment. Examples of
Diligence, Act, Regulation, Code of Practice,
these types of teaching and learning activities are
Standard, Guidance Note, Code of Ethics.
those that involve the cases and scenarios and the
> Risk Management process: problem-based activities. The assessment criteria
for these activities can follow the generic pattern
Stages in Risk Management process, risk,
we include in this resource or alternatively, can be
hazard.
developed to be more specific to the discipline area
> Risk Assessment techniques: or be negotiated with the students to meet their own
Guidewords, Checklists, Failure Mode and learning objectives.
Effects Analysis, Event Tree Analysis, Fault Tree
Analysis.
> Risk Control:
Hierarchy of Control, Elimination, Substitution,
Engineering Control, Administrative Control,
Personal Protective Equipment.

2.1.3 Assessing Safe Design capabilities

Providing guidelines on assessing the ability of
students to recall and comprehend Safe Design
key concepts and terminology is relatively
straightforward. Activities which test this knowledge
can be highly structured, have clear cut answers
and can be universally applied across many of the
branches of engineering. Examples of these types of
teaching and learning activities are the quizzes and
short answer tests that could be developed for the
risk assessment techniques.
Providing generic guidance on how to assess the
extent to which higher order learning has occurred
and whether Safe Design capabilities have been
developed within students is more difficult. This
requires that knowledge, skills and attitudes are

 australian SAFETY and compensation council

 >>>>
. gUiDeD actiVitieS

..1 DeSigner MiSconception Resources required (time, handouts)

> 15-30 minutes depending on the extent to which
inStrUctor noteS the student’s own design and user experiences
are explored.
Overview
> Designer Misconception checklist (Safe Design
This activity has been designed to help students Engineering Toolkit* 1.4.1).
develop the ability to identify hazards and risks.
Risk identification is based around designer > Students Notes for this example.
misconceptions that have led to fatalities. Through
completing this activity, they will develop a greater Suggested Assessment criteria/guidelines
understanding of how incorrect assumptions and No assessment criteria are provided for this activity.
misconceptions can contribute to unsafe design.
Method of presentation
Intended learning outcomes
Describe the purpose of this activity to the students
> Ability to identify risks/hazards from and distribute a copy of the Student Notes to each
visual information using the Designer student. Alternately you can illustrate the image
Misconception tool. using a visual projector.
> Knowledge of common misconceptions that 1. Form students into small groups (2-4 students).
have resulted in poor design. This activity can also be done by having
> Understanding of how misconception can lead individuals do the activity and then combine to
to poor design. discuss their opinions.
2. Handout required resources to each group.
Context in which it could be used Electronic copies of the images from the Safety
This activity can be used as an individual or small Album may also be used by the instructor to
group activity. It can also be used as an ice-breaker project the images.
to get students to explore their own experiences 3. Get students to work through the designer
with poorly designed items. This activity could be assumptioner checklist for each image,
used in early to mid stage design subjects and discuss their opinions and then complete the
communications subjects. It would also be possible documentation.
to adapt this activity to an online quiz environment
by providing multiple choice selection of a subset of 4. Discuss any issues arising.
the design misconceptions. In the Safety Album (R3 > the difficulty in predicting hazards during design;
of Resources listed in Part 1) there are lots of links > what they see as the benefits and limitations
to sites that have extensive databases of images of this tool to trigger discussion, identify and
that can be substituted for the images given in this document hazards;
activity. This would allow the instructor to customise
> importance of visual clues when designing user
the activity for their discipline and context.
interface with safety information; and
> students own examples of poorly designed items.
* toolkit content can be found at section 1.4 of part 1 – concepts, principles & tools

saFE dEsiGn For EnGinEErinG studEnts 5

Solution

Image A: Vehicle Dashboard

Photograph courtesy of: http://www.baddesigns.com

Scenario given to students

You have just hired a car from Los Angeles Airport. This photograph represents part of the dashboard from
that vehicle containing the speedometer and tachometer.

Documentation from application of Designer Misconception tool

Scope Vehicle Dashboard

Type of misconception Need for cues, Wrong-sense interpretation of display.
What are the assumptions? Operator can distinguish between speedometer and tachometer.
Under what conditions this assumption Driver briefly looking at the dashboard.
could be contradicted?
Driver unfamiliar with the dashboard layout.
Actions needed Change number scale on tachometer (eg 3000 not 30) to give driver more clues it is a
tachometer.
Criticality Low.

 australian SAFETY and compensation council

Image B: Stairway

Photo: J. Culvenor

Scenario
This is an emergency stairway in a hotel. This stairway is used as a permanent access to a swimming pool
on the top floor. The stairwell is used many times per day. The stairs are constructed of concrete with a
metal railing.

Documentation from application of Designer Misconception tool

Scope Stairway
Type of misconception Benign condition.
What are the assumptions? Operating conditions have no impact upon the function of the guard rail.
Under what conditions this assumption Person (especially child) who has wet feet after exiting the pool could slip and fall
could be contradicted? through the rails.
Stairway may not have originally been designed as an access point for a pool.
Actions needed Remove possibility of falling through guard rail by placing extra rails, timber sheet or
mesh across the gaps.
Criticality Medium.

SAFE DESIGN FOR ENGINEERING STUDENTS 

Image C: Road Lighting

Photograph courtesy of: http://www.baddesigns.com

Scenario
The image is of yellow street lights at night. The arrow points to a different type of light (this is a HINT)

Documentation from application of Designer Misconception tool

Scope Road lighting

Type of misconception
What are the assumptions?
Under what conditions this
assumption could be contradicted?
Actions needed
Criticality
Need for clues.
Driver can distinguish between lights used for illuminating the road and traffic
lights.
At night-time when traffic lights in caution (yellow) they blend into the street lights.
Replace street lamp globe with different colors.
Medium.

 australian SAFETY and compensation council

2.2.2 Construction Hazard Assessment Resources required (time, handouts)
Implementation Review > 30-45 minutes depending on the extent to which
students own design and user experiences
Instructor Notes
are explored.
Overview > Construction Hazard Assessment
Implementation Review (Safe Design
This activity should help students develop their
Engineering Toolkit* 1.4.2) – although the
ability to identify hazards and risks through using
guidewords to be used are reproduced in the
guidewords. By completing this activity, they should
student notes.
be more proficient at recognising hazards and be
better able to understand the implications of poor > Students Notes for this example.
design regarding safety. Through discussion and
debate, they should also be developing the ability to Suggested Assessment criteria/guidelines
conceptualise safer design.
No assessment criteria are provided for this activity

Intended learning outcomes

Method of presentation
> Ability to identify risks/hazards from visual
1. Form students into small groups (2-4 students).
information using the Construction Hazard
This activity can also be done by having
Assessment Implementation Review tool.
individuals do the activity and then combine to
> Knowledge of common causes of unsafe design discuss their opinions.
for construction projects.
2. Handout required resources to each group.
> Ability to use guidewords/checklists as a Electronic copies of the images from the Safety
mechanism for risk/hazard identification. Album may also be used by the instructor to
project the images.
Context in which it could be used
3. Get students to work through the Construction
This activity can be used as an individual or small Hazard Assessment Implementation Review
group activity. It can also be used as an ice-breaker guidewords for each image and discuss their
to get students to explore their own experiences opinions and then complete the documentation.
with poorly designed items. This activity could be
4. Discuss any issues arising:
used in early to mid stage design subjects and
communications subjects. It would also be possible a. The difficulty in predicting hazards
to adapt this activity to an online quiz environment during design;
by providing multiple choice selection of a subset b. What they see as the benefits and limitations
of the design guidewords. In the Safety Album of this tool to trigger discussion, identify and
(R3 of Resources listed in Part 1) there are lots document hazards; and
of links to site that have extensive databases of
images that can be substituted for the images given c. Students own examples of poorly
in this resource. This would allow the instructor designed items.
to customise the activity for their discipline
and context.

* Toolkit content can be found at section 1.4 of PART 1 – Concepts, Principles & Tools

SAFE DESIGN FOR ENGINEERING STUDENTS 

Solution

Image A: Livestock Loading/Unloading Ramp

Photos: J Culvenor

Image with ramp in hazardous orientation Image with ramp in ‘Safe Design’ orientation
(This image provided to students) (This image not provided in student handout and
shows potential design solution)

Scenario
This wooden structure is used for loading and unloading livestock from semi-trailers into a livestock holding
yard. These structures are often located near a public road and on a property boundary.

Documentation from Construction Hazard Assessment Implementation Review (CHAIR)

Consequences

Safeguards
Guideword

Risk Issue

Causes

Action

Heights/ Interference Large vehicle Injury/ Redesign ramp so it is re-oriented

Depths with powerlines may contact fatality parallel with the road. Truck is now away
powerlines from road and to the side of the power
lines.
Position/ Loading vehicle Long vehicle may Injury/ Warnings As above
Location may interfere protrude fatality
with traffic
This example also has broader relevance to designing entrance and exit strategies to work areas.

10 australian SAFETY and compensation council

Image B: Air Conditioning Units

Photos: J Culvenor

Image with air conditioning unit in hazardous Image with air conditioning units in ‘Safe Design
location (This image provided to students) location. (This image not provided in student
handout and shows potential design solution)

Scenario
Split systems and other air conditioning systems are a relatively common feature in multi-level buildings.

Documentation from Construction Hazard Assessment Implementation Review (CHAIR)

Consequences

Safeguards
Guideword

Risk Issue

Causes

Action

Heights/ Injury of Fall Injury/ Warning, Fall Relocate air-conditioning unit to ground
Depth OR maintenance fatality restraint level for improved access
worker
Egress/
Access

SAFE DESIGN FOR ENGINEERING STUDENTS 11

Image C: Traffic Crossing Point

Photos: J Culvenor

Image with traffic crossing point in hazardous Image with traffic crossing point in ‘Safe Design
location (This image provided to students) location. (This image not provided in student
handout and shows potential design solution.)

Scenario
A common sight on many roads in rural Australia is a stock crossing point used to move livestock from one
part of a property to another.

Documentation from Construction Hazard Assessment Implementation Review (CHAIR)

Consequences

Safeguards
Guideword

Risk Issue

Causes

Action

Egress/ Contact between Animal crossing Injury/ Warning Eliminate interaction between traffic and
Access animals & road fatality, loss animals.
traffic of life

12 australian SAFETY and compensation council

2.2.3 Plant Hazard Checklist Resources required (time, handouts)
> 30-45 minutes depending on the extent to which
Instructor Notes
student’s own design and user experiences
are explored.
Overview
> Plant Hazard checklist (Safe Design Engineering
This activity should help students develop their
Toolkit* section 1.4.3, summary reproduced in
ability to identify hazards and risks through using
Student notes for this example).
guidewords. By completing this activity, they should
be more proficient at recognising hazards and be > Hierarchy of Control (Safe Design Engineering
better able to understand the implications of poor Toolkit Section 1.4.8, summary reproduced in
design regarding safety. Through discussion and Student Notes for this example).
debate, they should also be developing the ability to
> Students Notes for this example.
conceptualise safer design.
Suggested Assessment criteria/guidelines
Intended learning outcomes
This activity is not assessable.
> Ability to identify risks/hazards from visual
information using the Plant Hazard checklist.
Method of presentation
> Knowledge of common causes of unsafe design
1. Form students into small groups (2-4 students).
for plant items.
This activity can also be done by having
> Ability to use guidewords/checklists as a individuals do the activity and then combine to
mechanism for risk/hazard identification. discuss their opinions.

> Use the hierarchy of control to describe risk 2. Handout required resources to each group.
control options. Electronic copies of the images from the Safety
Album may also be used by the instructor to
Context in which it could be used project the images.

This activity can be used as an individual or small 3. Get students to work through the Plant Hazard
group activity. It can also be used as an ice-breaker checklist for each image and discuss their
to get students to explore their own experiences opinions and then complete the documentation
with poorly designed items. This activity could be for hazard/risk identification and risk control.
used in early to mid stage design subjects and
4. Discuss any issues arising:
communications subjects. It would also be possible
to adapt this activity to an online quiz environment a. the difficulty in predicting hazards during design;
by providing multiple choice selection of a subset b. What they see as the benefits and limitations
of the plant hazard checklist. In the Safety Album of this tool to trigger discussion, identify and
(R3 of Resources listed in Part 1) there are lots document hazards; and
of links to sites that have extensive databases of
c. Students own examples of poorly designed items.
images that can be substituted for the images given
in this resource. This would allow the instructor
to customise the activity for their discipline and
context. The hazards covered by the checklist are
quite broad and apply to both lifestyle items as well
as workplace items.

* Toolkit content can be found at section 1.4 of PART 1 – Concepts, Principles & Tools

SAFE DESIGN FOR ENGINEERING STUDENTS 13

Plant Hazard checklist: summary
a) Entanglement
Can anyone’s hair, clothing, gloves, necktie,
jewellery, cleaning brushes, rags or other materials
become entangled with moving parts of the plant, or
materials in motion?
b) Crushing
Can anyone be crushed due to: material falling
off the plant: lack of capacity for the plant to be
slowed, stopped or immobilised; parts of the plant
collapsing; being thrown off or under the plant;
uncontrolled or unexpected movement of the
plant or its load; the plant tipping or rolling over;
coming in contact with moving parts of the plant
during testing, inspection, operation, maintenance,
cleaning or repair; being trapped between the plant
and materials or fixed structures and other factors
not mentioned?
c) Cutting, stabbing and puncturing
Can anyone be cut, stabbed or punctured due
to: coming in contact with sharp or flying objects;
coming in contact with moving parts of the plant
during testing, inspection, operation, maintenance,
cleaning or repair of the plant; the plant, parts of
the plant or work pieces disintegrating; work pieces
being ejected; the mobility of the plant; uncontrolled
or unexpected movement of the plant; other factors
not mentioned?
d) Shearing
Can anyone’s body parts be sheared between two
parts of the plant, or between a part of the plant and
a work piece or structure?
e) Friction
Can anyone be burnt due to contact with moving
parts or surfaces of the plant, or material handled
by the plant?
f) Striking
Can anyone be struck by moving objects due to:
uncontrolled or unexpected movement of the plant
or material handled by the plant; the plant, parts of
the plant or work pieces disintegrating; work pieces
being ejected; mobility of the plant; other factors not
mentioned?
14 australian SAFETY and compensation council
g) High pressure fluid
Can anyone come into contact with fluids under
high pressure, due to plant failure or misuse of
the plant?
h) Electrical
Can anyone be injured by electrical shock or
burnt due to: the plant contacting live electrical
conductors; the plant working in close proximity to
electrical conductors; overload of electrical circuits;
damaged or poorly maintained electrical leads and
cables; damaged electrical switches; water near
electrical equipment; lack of isolation procedures;
other factors not mentioned?
i) Explosion
Can anyone be injured by explosion of gases,
vapours, liquids, dusts or other substances,
triggered by the operation of the plant or by material
handled by the plant?
j) Slipping, tripping and falling
Can anyone using the plant, or in the vicinity
of the plant, slip, trip or fall due to: uneven or
slippery work surfaces; poor housekeeping, eg.
wood shavings or metal filings in the vicinity of the
plant, spillage not cleaned up; obstacles being
placed in the vicinity of the plant; other factors
not mentioned?
Can anyone fall from a height due to: lack of a
proper work platform; lack of proper stairs or
ladders; lack of guardrails or other suitable edge
protection; unprotected holes, penetrations or gaps;
poor floor or walking surfaces, such as the lack of
a slip-resistant surface; steep walking surfaces;
collapse of the supporting structures; other factors
not mentioned?
k) Ergonomic
Can anyone to be injured due to: poorly designed
seating; repetitive body movement; constrained
body posture or the need for excessive effort;
design deficiency causing mental or psychological
stress; inadequate or poorly placed lighting; lack
of consideration given to human error or human
behaviour; mismatch of the plant with human traits
and natural limitations; other factors not mentioned?
l) Suffocation Solution
Can anyone be suffocated due to lack of oxygen, or
atmospheric contamination? Example A: Tractor Access

Photo: J Culvenor (top) and WorkSafe Victoria (bottom)

m) High temperature or fire
Can anyone come into contact with objects at high
temperatures? Can anyone be injured by fire?

n) Temperature (thermal comfort)

Can anyone suffer ill-health due to exposure to high
or low temperatures?

o) Other hazards
Can anyone be injured or suffer ill-health from
exposure to: chemicals; noise; toxic gases or Image with tractor access ladder in hazardous
vapours; vibration; fumes; radiation; dust; other location. (This image provided to students.)
factors not mentioned?

Hierarchy of Control Risk Control Options:

summary
> Elimination
Design the hazard out and therefore remove the
cause of harm permanently.
> Substitution
Substitute the hazard by another process or
substance that presents a lower risk.
> Engineering controls
Implement some structural change to the work
environment or work process to place a barrier
to, or interrupt the transmission path between,
the worker and the hazard.
> Administrative (procedural) controls
Reduce or eliminate exposure to a hazard by
adherence to procedures or instructions.
> Personal protective equipment
Create a barrier between the user and
the hazard in the form of clothing or
personal equipment.
Image with ramp in ‘Safe Design’ location. (This
image not provided in student handout and shows
potential design solution.)
Example A: Scenario
Access to tractors is often positioned between
the wheels.
Example A: Risk/hazard identified from Plant
Hazard checklist
b) Crushing
Access to tractors can often require the operator
to stand in line with the wheels which can lead to
tractor run over accidents.
Example A: Risk Control Options
A design option to eliminate the hazard is to create
a platform which fills the space between the wheels
and extends the ladder beyond the wheels. This is
a design solution to minimise the possibility of a run
over. In the image the unit is a dual wheel model,
but the safety protection is only adequate for single
wheel models. Farmsafe Australia has developed a
guideline on Safe Tractor Access Platforms.

SAFE DESIGN FOR ENGINEERING STUDENTS 15

Example B: Grain Auger Example B: Risk control options
> Use risk substitution by using a belt system
Photos: J Culvenor
rather than a rotating auger (see image).
The belt system removes the screw that can
amputate and entangle both arms and legs.
The belt can present its own hazards and under
some circumstances might not be as effective as
the screw auger.
> Use risk substitution by manufacturing the
exposed parts of the screw auger from a material
of greater flexibility to minimise the resultant
injury from entanglement.

Example C: Silo Access

Photos: J Culvenor
Image with unguarded grain auger. (This image
provided to students.)

Image with ‘Safe Design’ option that has a lower risk

belt drive substituted for a higher risk auger. (This
image not provided in student handout and shows
potential design solution.)

Example B: Scenario Image with hazardous silo access. Access is often

The grain auger is an essential piece of farm by a ladder up the side of the silo. (This image
equipment which is used to move grain from one provided to students.)
location to another.

Example B: Risk/hazard identified from Plant

Hazard checklist
Sections a, b and d from the list in section 1.4.3 of
Part 1 Safe Design Engineering Toolkit*. These are:
a) Entanglement
The operator’s body parts or clothing may get
entangled between the moving auger and the frame
of the auger.
b) Crushing & d) Shearing
The operator after entanglement may have their
Image with safer guarded silo access. (This image
body parts crushed or sheared.
not provided in student handout and shows
potential design solution.)
* Toolkit content can be found at section 1.4 of PART 1 – Concepts, Principles & Tools

16 australian SAFETY and compensation council


Image with ‘Safe Design’ option that has substituted
cable operated system (see right of ladder) to
remotely operate top cover. Access via ladder
is retained for maintenance. (This image not
provided in student handout and shows potential
design solution.)
Example C: Scenario
Silos need a system for operating the opening at the
top of the structure.
Example C: Risk/hazard identified from Plant
Hazard checklist
j) Slipping, tripping and falling
Operator may slip while in transit up the ladder.
l) Suffocation
Operator may fall in silo.
Example C: Risk control options
> Eliminate the hazard by designing a remotely
operated hatch to open the silo from the ground
level, thereby minimising the frequency the
operator is required to use a ladder to access
the hatch.
> Use an engineered control by creating a guard
rail to minimise the hazard from operators
falling from the ladder during access. (see
images above).
Example D: Bench Grinder
Example D: Scenario
Bench grinders are a commonly used product
both at home and in the workplace. Examples of
use include shaping metal, sharpening tools, and
preparing metal for welding.
Example D: Risk/hazard identified from Plant
Hazard checklist
a) Entanglement
> Entanglement may occur from the operator’s
body parts or clothing coming into contact
with the wheel and being drawn in and caught
between the rotating and fixed parts of the
grinder. This could lead to entanglement as well
as friction, shearing and crushing.
> Entanglement may occur after uncontrolled and
unexpected movement of the grinder resulting
from accidental jamming of the workpiece.
d) Shearing
> Shearing of body parts may occur after
entanglement.
e) Friction
> Friction may occur after entanglement.
> Friction may also occur through contact between
the operator’s body and the wheel.
f) Striking
> Flying particles may be generated from the
workpiece being ground, wear upon the grinding
wheel and disintegration of the grinding wheel.
> The workpiece may become entangled and then
disintegrate and/or be suddenly ejected from
the grinder.
h) Electrical
> Damage to the grinder while in operation
causing it to become live.
> Incorrect installation or alteration to the grinder
or the power supply.
> Repair to the grinder without isolating it from the
power source.
SAFE DESIGN FOR ENGINEERING STUDENTS 17
k) Ergonomic
> The grinder can be placed on a bench that does
not promote safe use of the item. The bench
maybe of inappropriate height, and layout. This
can lead to operator fatigue, discomfort and
psychological stress.
> The location of the grinder in the workplace may
make it difficult to access and operate or with
low security so that unauthorised people may
gain access.
> Poorly designed or located operator controls (eg
on/off switch) can confuse or delay the operator,
be accidentally activated or make it difficult to
stop the grinder quickly.
m) High temperature or fire
> Sparks from grinding the workpiece may be a
potential ignition source or burn the operator.
o) Other hazards
> Dust: Airborne particles and dust from grinding
may be a hazard if they enter the breathing zone
of the operator.
> Vibration: Vibration from holding the workpiece
against the grinding wheel may cause ‘Vibration
White Finger’. The vibration can cause a
restriction of blood to the extremities, leading
to significant pain, numbness or a tingling
sensation and permanent injury.
Example D: Risk Control Options
Engineering Controls
> Guard to cover rotating shafts or exposed
moving parts.
> Design a guard on the grinder to direct sparks
towards the floor and away from the operator.
> Incorporate a guard to prevent a disintegrating
grinding wheel striking the operator.
> Ensure design is compliant with relevant
electrical standards.
18 australian SAFETY and compensation council
Administrative (procedural) Controls
Note: if systems of work or operator competency
are factors in the control of risk, the designer is
required to specify these in information provided by
the manufacturer.
> Incorporate warnings about safe operating
conditions and operations which the grinder may
be expected to be used for but for which it has
not been designed.
> Provide information on safety features and
the need for personal protective equipment
during operation.
> Provide information on the installation, testing,
maintenance and cleaning requirements for the
safe operation of the grinder.
> Provide the procedures considered necessary
to carry out repairs, testing, and inspection,
maintenance and cleaning to ensure as far as
practicable the safety of people undertaking
these tasks.
> Provide information on training, qualifications,
and/or experience necessary for people
operating the bench grinder or carrying out
inspection or testing, maintenance, cleaning
or repair.
> Provide information on electrical hazards that
may arise from damage to the bench grinder
or while repairing, inspecting, maintaining or
cleaning the grinder.
> Provide information on ergonomic considerations
relating to the use, placement and access to
the grinder.
Personal Protective Equipment
> Glasses for protection from flying objects.
> Dust mask for protection against airborne
particulates.
> Gloves for protection against friction and burns.
Links
WorkSafe Victoria 2003, Roll Over Protection
Structure (ROPS): Farm Safety Series, Worksafe,
Melbourne, www.worksafe.vic.gov.au
2.2.4 Incident Investigation: Suggested Assessment criteria/guidelines
Waste Collection No assessment criteria are provided for this activity
Instructor Notes
Method of presentation
Overview Form students into small groups (2-4 students).
This activity can also be done by having individuals
An injury case study is presented, as a set of
do the activity and then combine to discuss
witness statements. The activity is about the
their opinions.
collection of roadside waste and designed to draw
out complex issues about occupational safety 1. Handout required resources to each group.
including the role of work systems, plant and
2. Get students to read the scenario, brainstorm
equipment, work environment, and the roles of
and then answer the set of questions
designers of work systems and equipment.
3. Discuss any issues arising.
Intended learning outcomes
Activity
> Ability to document an injury event from a set of
witness statements. 1. Identify all the parties/stakeholders including
both individual people and organisations from
> Identify precursor factors that lead to the injury:
the scenario.
work systems; plant and equipment; work
environment; people issues; and interactions. 2. Identify sequence of events for accident

> An ability to recognise the roles of all parties and
examine how their decisions affected safety.
> Understand the methodology used in an
Accident Investigation.
> Identify measures that would control the risk(s).
Context in which it could be used
This activity can be used as an individual or small
group activity. This activity could be used in design
or management subjects where the significance of
human factors upon technology and work system
design is stressed.
3. Identify contributory factors that could have
impacted the accident and management of that
accident (Environment, Equipment; Skills and
experience; Operating/work system, Ergonomic
factors (relationship between people and their
environment, equipment etc). A mind map
or other graphical tool could be used to show
relationships between contributory factors.
4. Identify the design decisions that each of the
organisations (City Council, PaperMunchers, Top
Trucks) took which may have contributed to the
accident. Consider what other options they had
which may have reduced the risk to the workers

Resources required (time, handouts) Scenario: an injury while collecting

recyclable paper
> 45 minutes depending on the extent to which
students own views are presented to the Mo McErgo, WorkSafe Inspector
entire class.
You are Mo McErgo, he is the WorkSafe Inspector.
> Incident investigation toolkit (Safe Design You receive a call during the day on New Year’s
Engineering Toolkit* section 1.4.9). Eve from a health and safety representative at
PaperMunchers, a local company that collects and
> Students Notes for this example.
sorts recycling material (papers, bottles, cans, etc).
The health and safety representative says that there
was an accident a few days ago when a worker was

* Toolkit content can be found at section 1.4 of PART 1 – Concepts, Principles & Tools

SAFE DESIGN FOR ENGINEERING STUDENTS 19

lifting papers to the truck and was nearly struck by a been contacted by WorkSafe to assist the Accident
car. The worker was taken by ambulance to hospital Investigation team.
after falling on the road. Also, there have been
You visit PaperMunchers
other manual handling injuries. The managers have
introduced elastic back belts and the idea of workers You visited PaperMunchers that day and talk with
looking over each others shoulders for breaches of the directors, Ty and Flo. You asked about the
safety rules is being considered. The workers don’t recent accident and asked to be taken to the site.
believe these measures solve the problems. You also wanted to speak to the workers and the
health and safety representative.
Cyril the Director of Waste Services for Tidy
Flo took you to where the truck was working. As
Town Council
you arrived the workers were collecting paper.
He has been the Director of Waste Services at
They were collecting from both sides of the road
the Council for five years. Prior to that he worked
at once. Flo said that they are not meant to
for the Council designing water, waste and
work from both sides of the road and that’s what
other infrastructure. He is a Civil Engineer by
caused the accident. Flo said ‘that’s typical, I’m
training. As the Director of Waste Services he is
glad you’re here, that’s Jay, the health and safety
responsible for Waste Collection within the Council
representative. Ty told Jay years ago not to cross
and engaging contractors to undertake the work
the road’.
through a competitive tender process. He has

Figure 1: Paper Collection by PaperMunchers

Photos: J Culvenor

20 australian SAFETY and compensation council

You spoke with Flo, Ty, Jay and Trek about the
accident and about the work system. You observed
the work (as shown in photos) and you also visited
the council.
Here’s what you found out:
Trek: ‘On Christmas Eve, I was working with Jo
– who is off work because of the accident. I was
driving the truck as I have a shoulder injury from
working in the sorting area. Jo was doing all the
lifting work. We were keen to get the run done
quickly to spend the afternoon on last minute
arrangements for holidays. But we weren’t rushing.
The accident happened at about 11am. There had
been a thunderstorm overnight, the road was wet
and slippery, and the paper was wet and heavier
than usual. Jo was carrying a large bundle across
the road when a car appeared from around a
corner. Jo probably didn’t hear the car because of
the noise of the paper crushing unit. I saw Jo throw
the paper toward the hopper and jump behind the
truck. I think it was a close call but Jo wasn’t hit.
The car wasn’t driving fast it’s just that it is hard to
see at the spot where it happened.
Jo had fallen on the kerb and complained of a
massive headache and a stabbing back pain. The
car driver, Lenni stopped and came to help. Luckily
Lenni had a mobile and called an ambulance. The
radio in the truck has been out of order for three
months. They say it’s going to be fixed but who
knows when. I also used Lenni’s mobile to call the
office and report the accident.’
Jay: ‘I was working in the recycling area when the
accident happened but I know about this job and I
am the health and safety representative. When the
job began about 18 months ago I worked with Jo on
the truck. We shared the lifting and driving work. It
was hard work and our arms and back was usually
sore at the end of a run. Flo, one of the bosses,
made me move into the sorting area after about one
year (six months ago). This was because Trek had
a shoulder injury in the recycling area and needed
a light job. There are no light jobs in the recycling
area. The truck driving is easy enough but because
Trek had the injury, Jo had to do all the lifting. That
was far too much and I said that to Flo – who said
there was no choice as the insurance company said
a light job was needed. It was really too hard already
let alone one person now doing twice as much. I
complained also to Ty who then bought everyone
elastic back belts. I don’t think the back belts really
do anything about the problem. After Jo’s accident
I complained again and said we should call you
(WorkSafe) to look at the problems. Ty said ‘no’ but
promised something better would be done. When
we came back after Christmas I found out that the
new ‘improvement’ was to be a consultant telling
everyone how to watch out for unsafe behaviours.
How does that change anything about the huge
amount of paper that has to be lifted, and all
the bending, and the heat, sunburn, cold, rain,
passing cars, sharp objects in the bundles, slippery
ground, kerbs to trip over, and so on? That’s when I
called you.’
You asked about working on both sides of the road
and instruction:
‘When we started, Ty told us about the job. We were
meant to drive back and forth along the streets. We
did it that way for a couple of weeks but it took a lot
of extra time and extra running. We could go home
whenever we finished so we did both sides at once.
No one ever said anything about it. No one ever
asked how we do the work. No one ever came to
have a look.’
Ty: ‘PaperMunchers Pty Ltd is a small family owned
business. Flo and I run the business. We formed
when the council created the new waste system and
we started work on this contract about 18 months
ago after buying the trucks and setting up the
sorting centre.
We collect recycling wheelie bins (cans, bottles,
plastic, etc) using trucks with side lifters. Then
we sort this material in the sorting centre. We also
collect paper but this is done manually.
We bought the trucks from Top Trucks Pty Ltd,
some with bin lifters for the recycling (cans and
bottles) and some with hoppers for hand loading
the paper. The bin lifter for recycling is good
because there is only a driver and no manual work.
We couldn’t use that kind of truck for the paper
because the council set up the system with the
paper on the ground, bundled or in a box.
SAFE DESIGN FOR ENGINEERING STUDENTS 21
About working on both sides of the road – I told Jo
and Jay not to do that when they started. I didn’t
know they were breaking the rules. Jay is the health
and safety rep so I figured it would be all under
control. When Trek started with Jo, I figured Jo
would pass on the instructions on how to do the job.
The lifting work is fairly hard so I bought everyone
elastic back belts that I saw at an expo. Jo took it off
on the day of the accident, perhaps because it was
hot. We did have a system of sharing the driving
and lifting work. That broke down a little bit because
we needed to create a light job.
After the accident, I could see that the workers were
not working safely. A friend who is a safety advisor
at a local manufacturing firm suggested SSAFeTy
System (Super Safety Action Friendly Tips System).
The idea is that the workers monitor each other’s
unsafe acts and issue them with ‘friendly’ reminders
when they are doing something dangerous. It’s from
the USA! I am getting a consultant to come and
teach everyone.’
Flo: ‘Trek worked in the recycling area for about a
year and then was off work with a shoulder injury.
The insurance company told me to create a light
job for him. The recycling jobs are all the same so I
thought truck driving would be ok. I had Trek drive
the truck with Jo and moved Jay into the sorting
area. Jay complained, as usual, about the lifting and
that Jo would now need to do it all. But out on the
collection they can work at their own pace so if it
gets a bit too much for Jo toward the end of the day
they can just slow down. I think it worked quite well
until the accident. Jo must have been crossing the
road. I know Ty told them not to when they started
so it’s Jo’s own fault.’
You visit the City of TidyTown and talk to Cyril,
the Chief Executive Officer of TidyTown Council:
‘Over two years ago we decided to improve waste
management. A key problem was the amount
of recyclable material being sent to landfill and I
developed a new waste collection system. We asked
residents what they wanted and came up with a
great system involving four collections:
22 australian SAFETY and compensation council
1. Garbage Wheelie Bin (every week) for normal
household garbage.
2. Recycling Wheelie Bin (every second week) for
glass, plastic, aluminium, steel cans, etc.
3. Green Waste Wheelie Bin (every second week).
4. Paper (every second week) in a cardboard box
or tied in bundles.
The four waste collections are on the same day of
the week. A notice explaining the collection of the
waste was posted to all TidyTown residents.
After we thought up the ideas for the collection
system, we invited tenders for collection. The
garbage and green-waste collection was awarded to
our own waste department. The recycling and paper
collections were awarded to PaperMunchers for two
years (they have about six months to run).’
You asked about why the paper is not in a
wheelie bin?
‘The residents did not want too many bins on the
street on one day. It would be untidy and take
up space for parking. Since not everyone gets
newspapers it seemed that if something was going
to be on the ground then newspapers would be
best. A box of newspapers is also fairly easy to
handle. I can easily lift one box with two weeks
papers. It’s not heavy.’
Solution
Identify all the parties/stakeholders including
both individual people and organisations
Employers/Employees
> Cyril the Chief Executive Officer of Tidy Town
City Council which is responsible for Waste
collection.
> Ty and Flo who are Directors of PaperMunchers
the Waste Collection contracting company.
> Jay, Jo and Trek who are waste collectors
employed by PaperMunchers.
Public
> Lenni is the car driver who is a member of
the public.
Plant/System Supplier
> TopTrucks (plant designer, manufacturer
and supplier).
> Back belt supplier (a supplier of plant).
> American SSAFeTY System consultant (a
supplier of a system).
Regulatory roles
> Mo the WorkSafe inspector.
> Jay is also the Health and Safety representative
for PaperMunchers.
Identify sequence of events for accident
> At 11 am on Christmas Eve the waste collection
operators (Jo & Trek from PaperMunchers) were
doing a routine collection of waste paper worker
(Jo) was manually lifting papers to the truck.
> One worker (Jo) was crossing the road with
papers and was nearly struck by a motorist
(Lenni) who was driving along the road. Jo then
fell over and reported massive back ache and
stabbing back pain.
> Lenni called an ambulance on his mobile phone.
> Trek used Lenni’s phone to contact his office
and report the accident
Identify contributory factors that could have
impacted on the accident and the management
of that accident
Environment
> Road conditions were wet after a thunderstorm.
> Noise from the waste collection truck obscured
the noise of the approaching vehicle from the
worker.
> The layout of the road made it difficult for the
driver to see the worker crossing the road.
> The worker was carrying a large bundle of
papers which may have obscured his vision of
the approaching vehicle.
Equipment
> A back belt which was provided to the worker
was not being used.
> Emergency radio in the vehicle was out of order.
Skills and experience
> All operators were experienced in undertaking
tasks.
Operating/work system
> Driving and collection work was normally shared
by two people, however due to injury one worker
was doing the lifting for the whole shift.
> Workers changed the operating procedure of
working only one side of the road and then the
other (therefore no road crossing) to a system
where they drove down a road once and crossed
the road to collect waste.
> Paper either bundled or in a cardboard box
placed on the ground is collected every
second week.
> Was the car driver operating his vehicle at
an appropriate speed for the environmental
conditions?
> Did the workers compromise their work
practices because it was Christmas Eve and
they acknowledge they wanted to get the job
done quickly.
> Little auditing of waste collection work practices
used by PaperMunchers.
Ergonomic factors (relationship between people
and their environment, equipment etc).
> Weight of the newspapers – newspapers were
wet due to the rain and were heavier than usual.
> Work posture – continual bending and twisting
to lift the newspapers off the ground; bundles
of newspapers raised above shoulder height to
be thrown into the truck; increased distance
carrying weight (continually crossing road).
> Frequency of lifting – this has now doubled,
initially the lifting was a shared task, now
undertaken by a single worker.
> Environmental conditions – wet and slippery
road and noise from the paper crushing unit.
SAFE DESIGN FOR ENGINEERING STUDENTS 23
Identify the design decisions that each of the
organisations (City Council, PaperMunchers,
Top Trucks) took which may have contributed
to the accident. Consider what other options
they had which may have reduced the risk to
the workers.
City Council (broad system design of waste
collection)
Manual collection – This is the main problem.
Everything (except the sorting injury) stems from the
manual collection. The council is the source of this
decision. A bin could have been used a bin except
for concerns about taking up space on the street.
What about collecting the bin on another day? The
same bin could even be used (i.e. recycling one
week, paper the next, in the same bin). What about
a split bin?
Hazard assessment of manual collection –
Once set up should the council have required
a hazard management plan for this reasonably
dangerous activity?
Crossing the road – Given there was to be manual
collection, could the Council have solved the road
crossing problem by having separate sides of
roads on separate days (i.e. odds one week, evens
the next). There would then be no temptation
for a worker to cross the road as there would
be nothing to collect. An alternative might be to
require residents to move bins across the road (this
is actually already done in some narrow streets
to avoid reversing manoeuvres where trucks can
not turn).
PaperMunchers (implement waste collection
system and design to some degree)
Perhaps should have engaged with council at
tender stage regarding manual collection. Might
have limited opportunities to change but could
perhaps have put in complying tender (manual
paper collection) and non-complying (but safer)
alternative tender based on a wheelie bin.
24 australian SAFETY and compensation council
Back belts – are not a solution (see Victoria Code
of Practice for Manual Handling (www.workcover.
vic.gov.au) or NIOSH review ‘Back Belts: Do They
Prevent Injury, www.cdc.gov/niosh/backbelt.html).
Consider here also the role of the back belt supplier.
They are a supplier of plant. What are their duties?
Supervision – safety rules (crossing the road) were
set up but there was no follow up or supervision.
There was no follow-up even after the accident.
Would this make much difference? Are all the
hazards addressed through this measure?
Work to finish – set up work to finish system and
should know this would lead to workers finding the
quickest way.
Consultation – lack of consultation about swapping
work positions, introducing back belts, and
introducing new safety system.
Maintenance – Lack of maintenance on the radio.
SSAFeTY system – PaperMunchers need to ensure
supervision regardless of how workers look out for
each other. More importantly as Jay suggests the
work has many hazards.
Hazard management – generally. Discuss the need
for hazard assessment. What really can supervision
(by each other through SSAFeTY system or the
employers themselves) really achieve? Even done
the ‘ideal’ way, is the job safe?
TopTrucks (equipment designer)
Should TopTrucks alert buyers about the serious
manual handling hazards associated with a manual
load truck?
Collecting from one side of the road – The manual
truck has a rear load hopper. Could Toptrucks
design the manual truck as a side load system
thereby discouraging collection from both sides of
the road. This would also remove the need to stand
behind the truck which exposes the worker to a car
collision from the rear or possibly being run over if
the truck reverses.
Noise levels – Should TopTrucks design the paper
compactor to be as quiet as possible. Is there a
designer duty for this and is there a limit?
Issues which may arise > Understand how to use FMEA to evaluate
proposed changes to a system.
> Specifying Safety requirements within contracts
and the responsibility of Cyril the Director of > Recognise that although FMEA is a quantitative
Waste Services at the Council. analysis technique that there is a degree of
subjectivity in the interpretation of the system
> The procurement of services is very important
and thus the values applied during the analysis.
in influencing effective OHS outcomes,
incorporating safe design. This is the phase
Required Resources
in which a client or customer gives specific
directions or imposes particular requirements, > 30-45 minutes.
which influence the design and construction
> Student Notes and FMEA template for
of the product. While the client does not (in
each student.
general) carry out design or construction, their
requirements may serve to direct the designer, > FMEA tool (section 1.4.5 from Safe Design
constructor or manufacturer about health and Engineering Toolkit*).
safety issues that need to be addressed. To
what extent does Cyril have responsibility for Assessment Criteria / Guidelines
the outcomes in this situation? How can OHS No assessment criteria are provided for this activity.
requirements be built into contracts?
Method of Presentation
Links
Review FMEA based on FMEA toolkit from Safe
WorkSafe Victoria 2003, Non-Hazardous Waste Design Engineering Toolkit. Key points to highlight:
and Recyclable Materials: Occupational Health and
> Each risk is characterised by severity, likelihood,
Safety Guidelines for the Collection, Transport and
and detectability.
Unloading of Non-Hazardous Waste and Recyclable
Materials, WorkSafe Victoria, Melbourne, www. > Risk characterisation is resolved to a single
worksafe.vic.gov.au. number, the risk priority number (RPN) thus
enabling risk control to be prioritised.
> RPN also provides basis for not treating a risk (ie
2.2.5 Failure Modes and Effects Analysis acceptance of the risk).
Instructor Notes > Determination of what risks exist is a creative
process. Failure to identify a risk means that it
Overview will not get analysed in FMEA. The corollary is
The aim of this exercise is to deepen students’ that FMEA in and of itself cannot guarantee a
understanding of Failure Modes and Effects system is free of risk.
Analysis (FMEA) through the analysis of a simple > FMEA criteria are designed according to the
hydraulic jack. risk focus.
> Classification of criteria categories is somewhat
Learning Outcomes
subjective. You cannot compare, in an absolute
Through completing this activity students will be sense, RPNs from different FMEAs.
better able to;
Students are then to work on their own on doing an
> Understand how to analyse a simply system FMEA on the scenario.
using FMEA.

* Toolkit content can be found at section 1.4 of PART 1 – Concepts, Principles & Tools

SAFE DESIGN FOR ENGINEERING STUDENTS 25

Issues students need to resolve when filling in the
FMEA. The facilitator can point out that judgements
need to be made on these issues:
> Which severity ranking to use. The scenario
is more customer focussed so the customer
satisfaction criteria is the more relevant. If the
students decide that someone could be working
under the jacked-up object then OHS criteria
could be justified.
> Which rank to apply given that the description
for some of the FMEA criteria cover a range
of ranks.
Have students form pairs and compare their
analysis with each other. Ask them to determine
the reason for any difference. This will highlight, to
some extent, the subjective nature of interpreting
the information presented in the scenario and in the
FMEA criteria descriptions.
The students now need to use the FMEA to
determine which of the risks need to be treated.
This raises this question of what is the RPN, under
which the risk may be accepted. Explain that this is
usually done in advance so that the decision is not
biased by the outcomes of the analysis.
Raise issue of safety in terms of redundancy. Should
not rely on a jack when working under an object.
Object should be held up by solid supports; the jack
only being used primarily for raising and lowering
and only as a backup support.

Solutions
The FMEA for the existing jack and an FMEA
based on the corrective actions listed in the FMEA
are included in the tables on the following page.
Comments are attached to each of the corrective
actions to explain the anticipated effect they will
have on the system.

* Toolkit content can be found at section 1.4 of PART 1 – Concepts, Principles & Tools

26 australian SAFETY and compensation council

 FMEA for existing jack

FMEA Template

Severity (S) Occurrence (O) Detection (D)

Failure Mode Effects S Rating Causes O Rating Control Tests D Rating RPN Recommended Action

Hose leaks Jacking 8 Poor hose 5 50% hose 7 280 Introduce pressure test for all hose
function material inspected
impaired
Hose leaks Oil mess, pump 9 Cut hose 5 None 3 135 Modify assembly machine to reduce
damage hose damage

FMEA Post Corrective Action

FMEA Template

Severity (S) Occurrence (O) Detection (D)

Failure Mode Effects S Rating Causes O Rating Control Tests D Rating RPN Recommended Action

Hose leaks Jacking 8 Poor hose 5 50% hose 1 40

function material inspected
impaired
Hose leaks Oil mess, pump 8 Cut hose 5 None 3 120
damage

SAFE DESIGN FOR ENGINEERING STUDENTS 27

2.2.6 Event Tree Analysis
Instructor Notes
Overview
The aim of this exercise is to deepen your
understanding of Event Tree Analysis (ETA) through
the analysis of a simple pumping application.
Learning Outcomes
> Understand how to qualitatively and
quantitatively analyse a simply system
using ETA.
> Awareness of how ETA enables critical elements
of a system to be identified.
Required Resources
> 30-45 minutes.
> Copy of tutorial exercise for each student.
> Copy of the ETA tool (section 1.4.6 from Safe
Design Engineering Toolkit*).
Assessment Criteria / Guidelines
No assessment criteria are provided for this activity.
Method of Presentation
Review Event Tree Analysis (ETA) concepts based
on ETA toolkit from section 1.4.6 from Safe Design
Engineering Toolkit. Key points to highlight at
relevant stages of the exercise:
> Need to establish sequence of operation for
components. With regard to the exercise the
pump and alarm will operate simultaneously but
in terms of design the pump is primary and the
alarm is only of consequence if the pumps fails.
> A component’s operation is either success or
failure. There is no partial success. For example
a damaged pump may have sufficient capacity
to deal with some floods. ETA cannot handle
partial operation. Such a pump is treated as
being a failure.
28 australian SAFETY and compensation council
> The quantitative analysis component does
not consider correlated failures. For example
consider the situation where the automatic
pump fails due to poor maintenance practices.
The likelihood that the manual bilge pump will
also fail is higher due to poor maintenance.
> This exercise doe not include the phase of
system analysis in which the events to be
analysed via ETA are identified.
Get students to first work on the qualitative ETA.
That is the component sequence and the effect of
success or failure for each as it flows through.
Once the students have individually completed the
qualitative ETA task then get then to compile their
solutions into a common view so that they have
an agreed model. This will allow the students to
complete the quantitative probabilistic analysis on
the same model.
Finally have the students determine a means for
identifying the most critical component in the
system with regard to improving the likelihood of
keeping the basement dry in the event of a flood.
This element of the tutorial could be left out to
create a shorter tutorial.
This tutorial is based on the same scenario as that
used for Fault Tree Analysis. An optional exercise
if both tutorials are run is to compare the FTA and
ETA analyses. This will highlight the ways in which
ETA and FTA focus on different aspects of the same
system. FTA focuses on the causes for failure. ETA
focuses on the likelihood of the system recovering
from an undesired event.
Activity
The reservations division system for a major airline
occupy a 10 story building. The basement of the
building contains a backup generator so that 24/7
availability can be maintained even during black-
outs. In heavy rain the basement is prone to minor
flooding. The basement is protected from flooding
by the system shown in Figure 1. Rising flood
waters close the float switch S, powering the pump
P from an uninterruptible power supply. An Alarm
A is also sounded, alerting operators to perform
manual pumping using a bilge pump, B, should
the automatic pump fail. Correct operation of either The probability of flooding as a result of water
of the pumps will effectively keep the basement flowing into the basement is
from flooding.
P(flood | water) = PF = P1 + P2 + P3
= (1-PFS) * PFP * (1-PFA) * PFB + (1-PFS) * PFP * PFA
Solutions
+ PFS
Qualitative ETA Note that a useful approximation in many fail-safe
Event tree for the basement is shown in Figure 2. type systems is that the probability of failure of any
Note order of component activation. The switch is given device is much less than one. Thus (1-PF) ≈
first as it controls all bailing procedures. The pump 1. Thus, using the data from the supplied table of
is next as it is the primary solution for flooding. probability of failure-on-demand
The alarm follows next as it is the first step in the
PF = PFP * PFB + PFP * PFA + PFS = PFP * (PFA + PFB) +
manual pumping process. Upon hearing the alarm
PFS
operators inspect the basement and if the pump is
= 1e-4 * (1e-5 + 1e-4) + 1e-6
not working they use the manual bilge pump.
= 1.1e-8 + 1e-6
Quantitative ETA = 1.011e-6
To determine the likelihood of the basement Showing that the assumption (1-PF ≈ 1) produces
remaining dry given water flooding in, the paths an answer that is very close to that above can be left
to success through the event tree need to be as an exercise for the students.
identified. These are highlighted in Figure 3.
System Improvement
The probability of the system following a give path is
the product of the probability associated with each By inspection the switch is the critical element.
branch. The probability of the basement flooding is Based on the failure-on-demand probabilities
the sum of all of the probabilities for each path that provided, the switch is two orders of magnitude
leads to flooding.
The probability of path 1 is:
P1 = (1-PFS) * PFP * (1-PFA) * PFB
The probability of path 2 is:
P2 = (1-PFS) * PFP * PFA
The probability of path 3 is:
P2 = PFS

Figure 1: Basement pumping system

(Adapted from ‘Event Tree Analysis’, P.L. Clemens, Feb 2002, Jacobs Sverdrup)

SAFE DESIGN FOR ENGINEERING STUDENTS 29

Figure 2: ETA Analysis of basement flooding

Automatic Manual Basement

Switch S Alarm A
Pump P Bilge B

Operates
Dry
(1-PFS)
Operates
Closes Dry
Sounds (1-PFB)
(1-PFS)
(1-PFA) Fails
Fails Flooded
PFB
Basement PFP
Flooding Silence
Flooded
PFA
Remains
Open
Flooded
PFS

Figure 3: ETA Analysis of basement flooding highlighting paths through the tree that lead to overall success

Automatic Manual Basement

Switch S Alarm A
Pump P Bilge B

Operates
Dry
(1-PFS)
Operates
Closes Dry
Sounds (1-PFB)
(1-PFS)
(1-PFA) Fails 1
Fails Flooded
PFB
Basement PFP
Flooding Silence 2
Flooded
PFA
Remains
Open 3
Flooded
PFS

30 australian SAFETY and compensation council

2.2.7 Fault Tree Analysis Get students to work on the qualitative FTA.
Once the students have completed this consolidate
Instructor Notes
their solutions into a common view so that all are
performing the cut-set analysis on the same model.
Overview
Finally have the students determine if there are
The aim of this exercise is to deepen your
any single points of failure. What could be done to
understanding of Fault Tree Analysis (FTA) through
improve the system to remove these single points
the analysis of a simple pumping application.
of failure.

Intended Learning Outcomes This tutorial is based on the same scenario as that
used for Event Tree Analysis. An optional exercise
> Understand how to qualitatively analyse a simple
if both tutorials are run is to compare the FTA and
system using FTA.
ETA analyses. This will highlight the ways in which
> Be aware of how FTA enables single points of ETA and FTA focus on different aspects of the same
failure in a system to be identified. system. FTA focuses on the causes for failure. ETA
focuses on the likelihood of the system recovering
Required Resources from an undesired event.
> 30-45 minutes.
Activity
> Copy of tutorial exercise for each student.
The reservations division system for a major airline
> Copy of the FTA tool, section 1.47 from Safe occupy a 10 story building. The basement of the
Design Engineering Toolkit*. building contains a backup generator so that 24/7
availability can be maintained even during black-
Assessment Criteria / Guidelines outs. In heavy rain the basement is prone to minor
No assessment criteria are provided for this activity. flooding. The basement is protected from flooding
by the system shown in Figure 1. Rising flood
Method of Presentation waters close the float switch S, powering the pump
P from an uninterruptible power supply. An Alarm
Review Fault Tree Analysis (FTA) concepts based
A is also sounded, alerting operators to perform
on FTA toolkit from section 1.47 from Safe Design
manual pumping using a bilge pump, B, should
Engineering Toolkit.
the automatic pump fail. Correct operation of either
Key points to highlight at relevant stages of of the pumps will effectively keep the basement
the exercise: from flooding.
> AND-gate and OR-gate logic. The cut set elements are:
> Impact ORed events have on system failure {1, 2}
compare to ANDed events.
{1, 3, 4}
> This exercise does not include the quantitative
{1, 3, 5, 6}
aspects of FTA whereby probabilities are
assigned to each of the causes thus enabling the Single points of failure are identified by the cut sets
prioritisation of corrective actions. elements containing only two events, the driving
event (water present in the basement) and the point
> Cut set generation is to be done via inspection.
of failure. So in this example, the float switch is a
More rigorous techniques exist for the generation
single point of failure.
of cut sets and these aid correctness.

* Toolkit content can be found at section 1.4 of PART 1 – Concepts, Principles & Tools

SAFE DESIGN FOR ENGINEERING STUDENTS 31

 Figure 1: Basement pumping system

(Adapted from ‘Event Tree Analysis’, P.L. Clemens, Feb 2002, Jacobs Sverdrup)

Solutions

Figure 2: FTA Analysis of basement flooding. Note numbers included in independent events to aid listing of the cut set

Flooded
Basement

1 Pump System
Water Not Activated
Present in
Basement

2 Pumping
Float Fails
Switch Fails
to Close

3
Manual Pumping
Automatic
Fails
Pump
Fails

4 Bildge Pump
Alarm Fails
Fails

5 6
Bilge Pump Operator
Broken Inattentive

32 australian SAFETY and compensation council

2.2.8 Risk CONTROL
Instructor Notes
Overview
A Risk Management problem associated with Road
Safety is presented. This activity is designed to
develop the student capabilities associated with
Risk identification and Risk Control.
Intended learning outcomes
> Identify hazard(s) from written scenario.
> Assess the risk(s) posed by the identified
hazard.
> Identify measures that would control the risk(s).
> Prioritise the risk control options according to the
Hierarchy of Control Measures
Context in which it could be used
This activity can be used as an individual or small
group activity. This activity could be used in early
to mid stage design subjects. This activity has also
been adapted in a more limited and closed form
to suit a quiz format. Various scenarios can be
developed to customise the activity to fit different
disciplines and contexts.
Resources required (time, handouts)
2. Handout required resources to each group.
3. Get students to read the scenario, brainstorm
and then document the hazards and the
significance of the identified risks.
4. Get students to brainstorm and then document
risk control measures. These should be
classified and then prioritised according to the
hierarchy of control. This exercise can continue
until there is sufficient diversity across the
hierarchy of control (i.e. eliminate, substitute
etc measures). The instructor can stimulate
various categories of controls from the list they
are provided.
5. Discuss any issues arising.
a. difficulty in categorising various options
e.g. warnings;
b. the expected effectiveness of the various
categories of control options in relation to the
example given;
c. how effective the proposed new proposed
restrictions on young drivers may be;
d. the limitations in using the Hierarchy of Control
Measures to manage risks.
Activity
Identify the hazards and make a judgement about
the significance of the risk (major, minor, negligible).

> 30-45 minutes depending on the extent to

Scenario
which students own views are presented to the
entire class. Bob, driving his car, was in a single-vehicle road
accident. The accident occurred on a country road
> Hierarchy of Control measures (Safe Design
in Victoria at night. The road was relatively straight,
Engineering Toolkit* section 1.4.8).
flat, horizontal and dry. His car collided with the
> Students Notes for this example. left hand side of a bridge railing. The bridge railing
is approximately fifty years old and made of stone.
Suggested Assessment criteria/guidelines There are many bridge railings of this type. Bob
No assessment criteria are provided for this activity. was nineteen years old at the time and recorded a
blood alcohol reading of 0.03%. He suffered major
Method of presentation injuries and survived. No other passengers were in
the vehicle. (example J. Culvenor 1997 )
1. Form students into small groups (2-4 students).
This activity can also be done by having
individuals do the activity and then combine to
discuss their opinions.

* Toolkit content can be found at section 1.4 of PART 1 – Concepts, Principles & Tools

SAFE DESIGN FOR ENGINEERING STUDENTS 33

Solution 2.2.9 Incident Investigation
Some Risk Control options and their classification
Instructor Notes
according to the hierarchy of control. Listed from
the preferred option (eliminate) to least preferred
Overview
(personal protective).
This activity is about applying Incident Investigation
Other transport (Eliminate)
principles to a motor vehicle crash scenario. It
Remove bridges (Eliminate) is intended to help students develop their ability
to identify the causes of incidents, injuries and
Widen bridge (Substitute)
diseases through the application of various accident
Slow cars (Substitute) analysis models. By completing this activity,
Speed humps (Substitute) students should be more proficient at recognising
hazards, better able to understand there are often
Traffic islands (Engineering Control)
multiple causes for any incident and that learning
Shock absorbing railing (Engineered Control) from incidents is the best way to understand
the most appropriate preventative measures for
Shock absorbing cars (Engineered Control)
the future.
Air bags (Engineered Control)
Ignition link to alcohol level (Administrative) Intended learning outcomes

Rumble strips (Administrative) > Identify a full range of causal factors using the
accident analysis models.
Reflective strips (Administrative)
> Recognition of precursor factors (work systems;
Warning devices in cars (Administrative)
plant and equipment; work environment; people
Training (Administrative) issues; and interactions) that lead to the injury:
Alcohol limits (Administrative) > Ability to identify measures that would control
the risk(s) using the hierarchy of control.
Age limits (Administrative)
Speed limits (Administrative) Context in which it could be used
Warning signs (Administrative) This activity can be used as an individual or small
Helmets (Personal Protective Equipment) group activity. This activity could be used in design
or management subjects where the significance of
(Example: J Culvenor 1997)
human factors upon technology and work system
Reference: Culvenor, J (1997), Breaking the Safety Barrier: Engineering New paradigms in
design is stressed.
Safety Design, PhD Thesis, University of Ballarat

Resources required (time, handouts)

> 45 minutes depending on the extent to which
students own views are presented to the
entire class.
> Incident Investigation toolkit (Safe Design
Engineering Toolkit* 1.4.9).
> Students Notes for this example.

* Toolkit content can be found at section 1.4 of PART 1 – Concepts, Principles & Tools

34 australian SAFETY and compensation council

Suggested Assessment criteria/guidelines Scenario: Work related vehicle crash
No assessment criteria are provided for this activity Many people drive on the public roads for
work purposes. The public roads are therefore
Method of presentation workplaces. Driving West late in the afternoon in the
winter (wet road), the car driver is making the last
1. Form students into small groups (2-4 students).
of a number of parts deliveries using a utility. The
This activity can also be done by having
vehicle is only about one year old but has neither
individuals do the activity and then combine to
anti-lock brakes, nor air bags. Imagine a rear end
discuss their opinions.
collision with a truck such as shown below. The
2. Handout required resources to each group. truck is ironically being used by the same company
3. Get students to read the scenario, brainstorm to distribute its goods nationally.
and then answer the set of questions What is the cause of the crash and the injuries that
4. Discuss any issues arising. might follow? Following too close? Fatigue? Lack of
concentration? Fatigue and lack of concentration
Activity might be involved but it is self-evident that the
driver ended up too close.
1. Identify the ergonomic factors relevant to the
hazard in the following categories:
Rear end collision
> work environment (the place where work
Photos: J. Culvenor
is done);
> plant and equipment (physical things);
> people (eduction, skills, capacity); and
> systems (how things are done).
2. Identify the relevant issues under
Hopkins factors:
> Physical accident sequence,
> Organisation /Company level factors;
> Government/regulatory factors;
> Societal factors.
3. Determine corrective and preventative
actions using the hierarchy of control (e.g.
elimination; substitution; isolation; engineering;
administration; and personal protective
equipment)

SAFE DESIGN FOR ENGINEERING STUDENTS 35

If we look deeper, perhaps we could examine both > Government/regulatory factors Lack of specific
vehicles involved? Does the car have the best regulation about passenger vehicle crash
practicable features to avoid a rear end collision? standards (tend to rely on consumer pressure/
What might that be – anti-lock brakes, maintained choice for safety; or the ‘best practicable’
brakes and tires, collision avoidance radar? Does approach in the OHS setting. Lack of specific
the car provide good survivability features such as regulation about truck safety standards for
crush zones, a protected passenger compartment, ‘aggressiveness’ toward other road users (relying
airbags, etc. How far can the thinking be extended? only on ‘best practicable’ approach in the OHS
Why are trucks used for national transport and not setting).
rail? The answer to this is ‘what is practicable’? It
> Societal factors Demand for goods, transport,
is practicable for a person choosing a fleet vehicle
tend toward private enterprise (hence trucks
to seek good current standards for vehicles. What
versus rail)
about the rear of the truck. Is it designed to provide
the best survivability for vehicles that might strike 3. Determine corrective and preventative
the rear? Examining these issues takes the thinking actions using the hierarchy of control (e.g.
about the accident and injury causation well beyond elimination; substitution; isolation; engineering;
the scene on the road. Decision makers thinking administration; and personal protective
about car choices for a fleet, truck designers, and equipment)
truck fleet owners are just a few who can make a > Elimination (send goods by rail);
difference through their actions.
> Substitution (safer car – e.g. below);
Solution > Isolation (remote control vehicles (now done
in mining);
1. Identify the ergonomic factors relevant to the
hazard in the following categories: > Engineering (collision avoidance radar, anti-
lock brakes, airbags; under run barrier; energy
> work environment (the place where work is
absorbing under run barrier, crush zones, a
done); public road, traction of surface, presence
protected passenger compartment);
of water, drainage issues, weather, sunlight
> Administration (work scheduling to avoid
> plant and equipment (physical things);
fatigue); and
Braking features of car, lack of rear end barrier
on truck, could rear end barriers be energy > Personal protective equipment (helmet).
absorbing?, could vehicle radar systems be used
to prevent rear-end collisions?, crash ability of
car including crush zone, airbags, seat belts,
pretensioners, etc.
> people (eduction, skills, capacity); skills of
driver, alertness/fatigue
> systems (how things are done); work schedules.
2. Identify the relevant issues under Hopkins
factors:
> Physical accident sequence Driving car, tired,
sun in eyes, collide with truck, underrun tray,
no airbags.
> Organisation/Company level factors Courier
company choice of vehicle/features and work
schedules. Transport company choice of truck.

36 australian SAFETY and compensation council

2.2.10 What is Safe Design?
Instructor Notes
Overview
To develop a shared understanding about the
definition and implications of Safe Design. The
facilitator picks a target question around which the
activity is based. Examples of target statements
could be ‘What is Safe Design’, ‘What links Safe
Design to Engineering’, ‘Safety’, ‘What is Safe’.
Method of presentation
1. Form students into small groups (2-4 students).
This activity can also be done by having
individuals do the activity and then combine to
discuss their opinions.
2. Handout required resources to each group.
3. Get students in each group to read the activity,
brainstorm and then document the outcomes.
4. The facilitator can collect responses from each
group and create a mind map or list.

Intended learning outcomes Activity

> Identify the principles and frameworks that
underpin Safe Design.
Context in which it could be used
This activity can be used as a small group activity
either in its own right or as a lead into other major
activities. It can be used at all stages of the course
and can be used to actively engage students
with the material in Part 1 of the Safe Design for
Engineering Students.
The facilitator will announce what the target
question for the activity will be. On a sheet of paper,
write the target word in the middle and circle it.
Elicit words and statements from within the group
and write them around the circle. Think fast and get
as many images, concepts and associations down
as you can. You can then either categorise them or
connect interlinked concepts with lines.

Resources required (time, handouts)

> 15 minutes depending on the extent to which
students own views are presented to the
entire class.
> Safety Principles and Safety Framework (section
1.1 and 1.2 of the Safe Design for Engineering
Students notes) if relevant to the target question.
> Students Notes for this example.

Suggested Assessment criteria/guidelines

No assessment criteria are provided for this activity.

SAFE DESIGN FOR ENGINEERING STUDENTS 37

38 australian SAFETY and compensation council

.3 DeSign actiVitieS
.3.1 Safe DeSign anD bUilD
inStrUctor noteS
Overview
The goal of this activity is to give students an
opportunity to develop and utilise their Safe Design gravity-powered vehicles or website development.
abilities while undertaking a design and build
exercise. It is intended to be used in conjunction
with any existing design and build project that
is currently used by an engineering educator
within their undergraduate engineering course.
By broadening the design requirements of the
existing project to include safe design it provides
an opportunity for educators to introduce a greater
degree of ‘real-world’ constraints to these design
and build activities.
Intended learning outcomes
> Awareness of engineers' responsibilities for
safe design.
> Ability to identify safety issues and risks.
> Ability to integrate safety principles into
engineering design.
> Ability to understand inter-relationships between
safety and other design requirements.
> Awareness of the need to consider safety
implications in a design activity.
Context in which it could be used
All Engineering courses are required to develop
student design capabilities. This is achieved in a
variety of ways, ranging from unstructured problem
based activities to integrated design projects.
Undergraduate engineering course accreditation
>>>>
(Stage 1 from Engineers Australia) requires students
to undertake two or more construction projects
and at least one major design project. Many
engineering faculties initiate design experiences in
the early stages of a course with challenging design
and build exercises such as spaghetti bridges,
In addition, a number of undergraduate design
competitions, such as the Weir-Warman competition
for Mechanical engineers, are available to
encourage students to think creatively and solve
problems in an innovative way. These various
design-and-build projects can be used to as a
mechanism to introduce or reinforce safe design
principles and concepts.
The following activities can be used to enhance
existing design oriented projects to ensure that
students develop an awareness of safety issues and
ultimately the ability to accept their responsibilities
for safe design. The activities have been designed to
apply to a wide range of design activities from basic
to complex and to be easily integrated into existing
subjects and projects.
Approach to adding Safe Design to Design and
Build Projects
This activity is designed to illustrate how safe
design concepts can be embedded within a
design-and-build project using the tools available
in the Safe Design Guide. The intention is not to
provide a definitive mechanism for embedding safe
design within any design and build projects since
there is too much diversity in the currently used
projects to specify which Safe Design tools are the
most appropriate. For example, a project in civil
engineering or construction would most likely find
the CHAIR guidewords are the most suitable risk
saFE dEsiGn For EnGinEErinG studEnts 3
identification tool whereas a project in Mechanical
Engineering may find the Plant Hazard Checklist the
most appropriate. So to illustrate how safe design
can be embedded in a design-and-build project,
an example project in Mechanical Engineering has
been developed as a case study.
The proposed methodology is to take the product
lifecycle and consider safety at each phase. All
design and build projects will go through the full
product lifecycle. While many student projects
would be best described as scale models or
prototypes, the product lifecycle can still be
considered by treating the prototype as an
engineered product. Many current design and build
projects only focus on the Commission/Use stage
of the lifecycle and have developed performance
criteria for the project based on that stage only.
The material provided in this activity supplements
that by adding additional performance criteria to
support outcomes related to Safe Design. Therefore
educators can chose the emphasis they place on
meeting both sets of performance related outcomes
through their assessment schemes. There may well
be compromises that the student designers will
need to make to meet Safe Design outcomes. These
may well be some of the same types of challenges
they will face when undertaking design activities
in professional practice. In the design phase the
students would consider the risks arising in each
of the lifecycle phases and document the actions
they have taken to reduce the risk and safeguards
in place to protect against any residual risk. The
approach taken in the example provided is to
identify risks using one of the risk identification
tools and document the overall risk management
process using the proforma adapted from the
CHAIR process.
Resources required (time, handouts)
This is context dependent
Method of presentation
Instructors may choose elements from these
activities to suit their individual needs and
constraints. Ideally the activities require a briefing
component, using Part 1 of this resource, and
adapting the lecture slides (Part 2.2) to their
40 australian SAFETY and compensation council
specific project or assignment to help students
focus on the basic principles of safe engineering
design. The activity itself should require an
application of safe design principles and the
templates and activity sheets provided for this
activity should guide this development. The
debriefing exercises should consolidate the learning
outcomes of the activity, and help students confirm
their growing expertise in safe engineering design.
The deliverables associated with the safe design
aspects of the project are expected to be described
in the main project document.
Suggested Assessment criteria/guidelines
The assessment criteria will vary from project to
project, depending on the nature of the project
and the level of safe design ability expected. The
following assessment criteria could be adapted to
suit your specific needs
> Understanding of intended operating
environment for vehicle testing.
> Identification of the risks associated with each
lifecycle stage.
> Degree to risks were managed through the
vehicle design.
> Degree to risks were managed via operational
procedures during each phase of the product
lifecycle.
> Appreciation of the impact design changes to
improve safety had upon other characteristics,
eg performance, cost, ease of construction, etc.
> Capability to identify and describe options that
would improve safety but were not incorporated
in the final design.
Indicative Example
Introduction to Mechanical and Mechatronic
Engineering – Into-the-Wind Design-and-
Build Project
This is an adaptation of a project for a 1st year
Mechanical Engineering subject at the University of
Technology, Sydney developed by Terry Brown.
The following document provides the details for the
major design project for this subject. The project is
worth a total of 25% of the marks. It is to be done
as a group of no less than 3 and no more than 5.
The objectives of this project are:
> to encourage students to creatively approach a
specific problem;
> to allow students to experiment with a variety of
solutions to a problem;
> to encourage teamwork and to allow students to
learn from the work of their colleagues;
> for students to implement engineering design
methodologies to a practical problem;
> for students to have some fun learning some
engineering fundamentals.
As should be quite obvious this project will require
consistent effort over a number of weeks. Do not
leave everything to the last minute, you won’t be
able to do it.
Scenario
The Federal Government’s Sustainable Technologies
Department is looking to provide funds to support
small companies in developing sustainable
technologies. They currently have a project that
requires a company to design, develop and
manufacture several small wind powered vehicles.
Companies are invited to design and build one
vehicle. The selection of the successful company
will be based in part on the performance of the
vehicle in a competition between rival companies.
Direction of travel
Your vehicle
Supporting documentation in the form of a design
report and the ability of the company design team
to explain and demonstrate the strength and
weaknesses of their design will also be taken into
account in selecting the successful company. The
Sustainable Technologies Department will fund each
stage of the design process, subject to satisfactory
progress, to provide incentive and to help cover
the costs of those companies that are eventually
eliminated. This project is offered to small
companies with a design team of 3-5 engineers.
Design task
Design and build a vehicle that starts from rest and
travels into the wind using the power of the wind as
its only source of energy.
Specifications
> It has been estimated that the strength of the
wind in the location where the vehicles must
operate is about the same as that produced by a
domestic electric fan set on high speed.
> The wind source will be a domestic electric fan
with overall dimensions as shown above.
> The fan will be set to the highest speed setting.
> The vehicle must carry a "payload" across a
"track" a distance of 2m.
> The vehicle design should maximise the ratio
of "payload" (m) to time (t) taken to cover the
distance of 2m, i.e. (m/t).
500mm
225mm
Stop
395mm
50mm
SAFE DESIGN FOR ENGINEERING STUDENTS 41
> The vehicle should not take longer than 5 Safe Design component of the ‘Into-The-Wind
minutes to cover the 2m distance. Design-and-Build Project’
> The payload must be a separate entity and easily The following table is a generic example of the result
removed from the vehicle to facilitate weighing of applying safe design tools to a typical vehicle that
but must be wholly contained on or within the may be expected to be created for the ‘Into-The-
vehicle and must travel the full 2m with the Wind Design-and-Build Project’. As the project is of
vehicle. The vehicle must be operational both a mechanical engineering nature, the Plant Hazard
with, and without, the payload on board. Checklist was used to help identify risks. For each
life cycle phase, the keywords that triggered a risk
> The starting position is 2.5m from the front of
issue are noted. Each risk issue is then examined
the fan.
in more detail and actions to reduce the risk
> All parts of the vehicle must start from behind and safeguards to deal with the residual risk are
the start line and no part of the vehicle is allowed determined. The students could also be requested
to be moving before timing begins. to produce a short report detailing those aspects of
the proposed assessment criteria not evident in the
> No part of the vehicle may be further than 0.5m
table. In the column under Action, students would
behind the start line.
be expected to give detailed and specific actions for
> The "track" will be a hard flat surface (MDF their own vehicle.
board or similar).
> The vehicle is to remain in contact with the
ground at all times.
> Overall dimensions of the vehicle are to remain
essentially unchanged throughout the travel.
> Any materials may be used in the construction of
the vehicle.
> No other source of energy may be used to
propel the vehicle, eg batteries, pre-compressed
or extended springs (or ‘gentle nudges’ by
participants).

The competition performance criteria:

To carry the heaviest ‘payload’ (m) across a distance
of 2m in the least amount of time (t), i.e. the
greatest m/t ratio.

42 australian SAFETY and compensation council

 Safe Design Report for Into-the Wind vehicle

Lifecycle Phase Risk Issue Causes(s) Consequence(s) Safeguard(s) Action(s)

Develop Concept N/A
Design N/A
Construct / Chemicals Glue (Fumes, contact Poisoning PPE (Gloves, goggles), Ventilation Minimise use of adhesives eg use fasteners
Manufacture toxicity) instead. Seek low toxicity glues
Dust Fabricate (eg sanding) parts Respiratory problems PPE (dust mask), Ventilation Maximise use of off-the-shelf parts in design
Cutting, stabbing, Fabricating parts Bodily injury Use appropriate tool (eg scissors, Maximise use of off-the-shelf parts in design
puncturing not knife for cutting cardboard)
Electrical Fabricating parts, power tool Electrocution Ensure power point protected by Maximise use of off-the-shelf parts in design
cuts cord RCD, good working environment
Supply / Install Slip, Trip, Fall Transporting project vehicle Bodily injury, damage Assistance with moving vehicle Choose most suitable form of transport, design
to commissioning facility (eg to vehicle vehicle into transportable sub-assemblies
from home to university)
Commission / Use Striking, Cutting, Disintegration of moving Bodily injury Separate test area from audience Minimize potential for projectile motion resulting
Stabbing, and parts via space or screen from part detachment or breakage; eg minimise
Puncturing moving parts, physically enclose moving parts
Entanglement Human proximity during Bodily injury Separate test area from audience physically enclose moving parts; remote
operation via space or screen; operation activation of vehicle
procedure for fan
Maintain N/A
Decommission N/A
Disposal / Recycle Cutting, Stabbing, Breaking vehicle into Bodily injury Personal Protective Protection (PPE) Design for disassembly
and puncturing manageable parts for
disposal or recycling
Slip, trip, fall Transporting project vehicle Bodily injury Design for disassembly
to commissioning facility (eg
from test area to home or
rubbish area)

SAFE DESIGN FOR ENGINEERING STUDENTS 43

44 australian SAFETY and compensation council

. caSe StUDieS
..1 forD pinto caSe StUDy
inStrUctor noteS
Overview
The scenario used is a classic case that has been
influential in automotive safety. It contains many
of the challenges of engineering design which are
still relevant today and which must be addressed
if Safe Design is to become a fundamental part
of engineering.
This discussion oriented activity is designed to
explore an Engineers professional responsibilities,
ethical frameworks when dealing with issues related
to safety and approaches to making decisions about
public safety
Intended learning outcomes
> Awareness of professional responsibilities of
engineers in relation to safety.
> Awareness of Institute of Engineers, Australia
Code of Ethics.
> Awareness of the appropriateness of risk/cost-
benefit analysis for public safety decisions.
Context in which it could be used
Small group activity suitable for extensive
discussion. The example is suitable for discussions
about ethics, engineering economics and design.
Resources required (time, handouts)
> 30-45 minutes depending on the extent to
which students own views are presented to the
entire class.
* toolkit content can be found at section 1.4 of part 1 – concepts, principles & tools
>>>>
> Code of Ethics (Safe Design Engineering Toolkit*
section 1.4.10)
> Students Notes for this example.
Suggested Assessment criteria/guidelines
No assessment criteria are provided for this activity.
Method of presentation
1. Form students into small groups (2-4 students).
This activity can also be done by having
individuals do the activity and then combine
to discuss their opinions. There are extensive
online resources (listed in Student Notes)
available on this topic and instructors could get
students to do pre-reading prior to class.
2. Handout required resources to each group.
3. Get students to read the scenario
4. Discuss the suggested discussion points and
other relevant issues.
Scenario
In the 1960’s there was strong competition in the
American small car market. To be competitive in
this market, Ford needed to have a product that
had the size and weight of a small car, had a low
cost of ownership and clear product superiority. The
Ford Pinto went on to become one of the 1970’s
best selling cars.
The Ford Pinto was designed to meet these criteria.
The strict design specifications were that the car
was to weigh less than 2000 pounds and cost
less than $2000. Ford also decided on a short
production schedule. Instead of the normal time
from conception to production of 43 months for a
new model, the Pinto was scheduled for 25 months.
saFE dEsiGn For EnGinEErinG studEnts 5
Under conditions of reduced product-time to market
then tooling up for manufacture which involves
making the machines that stamp, press and grind
car parts into shape must be done whilst product
development is underway rather than after product
design. Ford wanted the car in the showrooms
with the other 1971 models and tooling had a fixed
timeframe of about 18 months.
Investigative journalism by Mother Jones
established that;
> ‘Ford engineers discovered in pre-production
crash tests that rear-end collisions would rupture
the Pinto’s fuel system extremely easily.’
> ‘Because assembly-line machinery was already
tooled when engineers found this defect, top
Ford officials decided to manufacture the
car anyway.’
> ‘For more than eight years afterwards, Ford
successfully lobbied against a key government
safety standard that would have forced the
company to change the Pinto’s fire prone
gas tank.’
It was concluded by Mother Jones from Pinto
accident reports and crash test studies that
‘if you ran into that Pinto you were following at
over 30 miles per hour, the rear end of the car
would buckle like an accordion, right up to the
back seat. The tube leading to the gas-tank
cap would be ripped away from the tank itself,
and gas would immediately begin sloshing onto
the road around the car. The buckled gas tank
would be jammed up against the differential
housing (that big bulge in the middle of your
rear axle), which contains four sharp, protruding
bolts likely to gash holes in the tank and spill
still more gas. Now all you need is a spark from
a cigarette, ignition, or scraping metal, and
both cars would be engulfed in flames. If you
gave that Pinto a really good whack—say, at 40
mph—chances are excellent that its doors would
jam and you would have to stand by and watch
its trapped passengers burn to death.’
46 australian SAFETY and compensation council
An accepted approach by federal Automotive Safety
regulators at that time for decision-making was risk/
cost-benefit analysis. Ford applied this method to
decide how to treat the fuel tank explosion risk.
An internal Ford memo calculated;
The cost at the manufacturing stage to fix the
problem was $11 per vehicle and the benefit
would be no payouts resulting from the fuel tank
explosion risk.
Benefits
> 180 burn death, 180 serious injuries, 2100
burned vehicles.
> Unit cost: $200,000 per death, $67,000 per
injury, $700 per vehicle.
> Total Benefit (180* $200k) + (180* $67k) +
(2100*$700)= $49.5M.
Risks/Costs
> Sales: 11 Million cars, 1.5 Million light trucks.
> Unit cost: $11 per vehicle.
> Total cost: (12.5*$11) = $137.5M.
Ford appear to have decided that it was not
‘reasonably practicable’ to fix the problem during
manufacture. It preferred to ‘retain the risk’ and
make payments as required. There were no
Standards for withstanding rear–end collisions at a
specified speed until after 1977.
The Department of Transportation announced in
May 1978 that the Pinto fuel system had a ‘safety
related defect’. Ford recalled 1.5 million Pintos. The
modifications included a longer fuel filler neck and
a better clamp to keep it securely in the fuel tank, a
better gas cap in some models, and placement of a
plastic shield between the front of the fuel tank and
the differential to protect the tank from the nuts and
bolts on the differential and another along the right
corner of the tank to protect it from the right rear
shock absorber. (Centre for Auto Safety)
The consequences of Ford’s actions were
significant. Millions of dollars of civil lawsuits were
filed against Ford and awarded against the car
maker. In 1979 Ford Motor Company was charged
with reckless homicide but was acquitted in 1980.
The Ford Pinto ceased production within months.
The damage to the company has been incalculable
and it is conservatively estimated there are over 500
burns deaths to people who would not have been
seriously injured if the car had not burst into flames.
Solution
1. Is cost/benefit analysis an appropriate approach
for deciding public safety?
Ford stated it used a risk/benefit approach because
the National Highway Traffic Safety Administration
required them to do so. This approach excuses
a defendant if the monetary cost of making a
production change is greater than the ‘societal
benefit’ of that change.
Issues that could be raised in discussion
> Risk/Cost-Benefit is based on the premise that
decisions which create the greatest utility are
the ‘right’ decision because they lead to an
economically efficient use of resources. They
require risks/costs and benefits to be specified
in monetary terms. They are commonly used by
Government agencies to inform their decision-
making. Whether they should be used to
inform rather than determine decisions is an
important distinction. Whether its use by Ford
in the circumstances surrounding the Pinto is
justifiable is central to this question.
> Risk/Benefit approach disregards the ‘human
rights’ perspective which contends that humans
have basic rights that can never be infringed
no matter the circumstances. This approach
considers human life a ‘non-economic good’
and therefore priceless. Some people consider
the right to vote and the freedom of speech as
basic rights.
> Whether all the ‘benefits’ were fully detailed by
Ford. What about the loss of reputation by Ford,
the bad publicity, the millions in civil lawsuits
that could have happened and the potential
product recall.
> Whether for health and safety issues it may be
unwise to make a particular decision even when
the benefits do not exceed the costs. Other
examples may include pollution issues and
decisions that impact vulnerable and minority
members of society.
2. Should the engineering professions Code of
Ethics impose a higher standard than that
required by regulatory requirements?
During product development and crash testing the
law did not require Ford to redesign the fuel system.
It was only after 1977 the law required the changes.
Issues that could be raised in discussion
> Whether clear limits can be provided to decision-
makers when guidelines such as Code of Ethics
can appear vague compared with regulatory
requirements and Standards.
> In the Ford reckless homicide case, the jury (as
representatives of society) who awarded millions
of dollars against Ford clearly expected Ford to
have a higher standard of obligation to the public
than the law required.
> The actions of Ford management (at least one
who was an engineer) appear to violate the first
and fifth Tenet of the Code of Ethics.
3. As an engineer working on the Ford Pinto, what
would you consider when making a judgement
about what was ‘reasonably practicable’ for
Ford to meet its ‘duty of care’ responsibilities?
Issues that could be raised in discussion
> Appropriateness of using a risk/benefit analysis
as the only factor in the decision.
> Whether there were other design options
available.
> Whether the public had been adequately
informed of the risks.
> Whether the decision-makers at Ford
understood the risks inherent in the design.
> What ‘societal expectations’ would be in relation
to the issue.
SAFE DESIGN FOR ENGINEERING STUDENTS 47
4. As a design engineer working on the
Ford Pinto, what could you have done
to demonstrate your ‘duty of care’
responsibilities?
Issues that could be raised in discussion
> Be a whistleblower. Discussion could explore
how this could be done.
> Provide advice to the decision-makers at Ford
about the risks and alternative design options.
5. Designers of Extra-light vehicles face
tremendous technical challenges in designing
safety into those vehicles. How would
you decide what the appropriate safety
measures are?
Issues that could be raised in discussion
> Whether all road vehicles should meet the same
minimum level of safety or whether different
types of vehicles should be distinguished (e.g.
motorcycles, light vehicles etc) that each have
different safety standards.
> How to effectively inform the public about the
increased safety risks associated with certain
types of vehicles.
6. When other costs have been cut as much as
they can, one way to increase revenue is to get
products to the market as quickly as possible.
This happened in the Ford Pinto case. This
will increasingly be a challenge to implement
whilst ensuring there is a thorough and
integrated approach to Safe Design. How can
this challenge be met?
Issues that could be raised in discussion
> Could companies more explicitly document
how safety issues that arise during product
design can be accommodated during the
manufacturing process?
> Could systematic approaches to Safe Design be
built into existing Standards.
> If sub-contracting is used to speed up
concurrent product development, can
contractual obligations be used to specify Safe
Design requirements?
48 australian SAFETY and compensation council
2.4.2 Mercedes A-Class Case Study
Instructor Notes
Overview
This activity includes a case study of how an
automotive manufacturer dealt with a safety issue
discovered immediately after the launch of their
vehicle. It provides a contrast to the handling of a
safety issue in some other vehicles. by other car
makers. It explores some of the factors that can be
considered when evaluating how safety should be
handled during the design of products.
Intended learning outcomes
> Awareness of professional responsibilities of
engineers in relation to safety.
> Awareness of the factors which can impact an
organisations response to a public safety issue.
Context in which it could be used
Small group activity suitable for extensive
discussion. The example is suitable for discussions
about ethics, engineering economics and design.
Resources required (time, handouts)
> 20 minutes depending on the extent to which
students own views are presented to the entire
class.
> Students Notes for this example.
Suggested Assessment criteria/guidelines
No assessment criteria are provided for this activity.
Method of presentation
1. Form students into small groups (2-4 students).
This activity can also be done by having
individuals do the activity and then combine
to discuss their opinions. There are extensive
online resources (listed in Student Notes)
available on this topic and instructors could get
students to do pre-reading prior to class.
2. Handout required resources to each group.
3. Get students to read the scenario.
4. Discuss the suggested discussion points and
other relevant issues.
Activity
Read the following scenario and be prepared to
answer the discussion points.
Scenario
Until the 1990’s Mercedes-Benz had focused
on the premium car market. They, like BMW,
pioneered the use of safety features such as Air
Bags, Electronic Braking Systems (EBS), and
Electronic Stability Control (ESC). A long history of
innovation in motor vehicle safety gave Mercedes-
Benz a considerable reputation. Mercedes then
decided to enter the small car market. The
Mercedes A-Class was a microcar priced cheaper
than a VW Golf.
Although the A-Class was a cheaper car, Mercedes
did not intend to compromise on safety; ‘The
car had gone through rigid testing procedures
for years’ (Ihlen, 2002). For example, the engine
was installed at an angle such that in the event
of a crash, the engine would go under the front
passenger. The A-Class underwent extensive
testing, including over 400,000 kilometres of testing
by a thousand journalists.
The A-Class was launched on October 18 1997 but
on the October 21 1997 a passenger was injured
when the A-Class being driven by a motoring
journalist rolled over during an extreme driving
manoeuvre known as the Moose Test (also known
as the Elk Test). This test, unknown in Germany, is a
Nordic test designed to simulated a car swerving at
constant speeds (>60 km/h) onto the wrong side of
the road and back again in order to avoid a moose.
The test is conducted with the car fully loaded with
luggage and 4 passengers.
The journalist injured was one of a group who
had gathered in Tannishus, Denmark to judge
the Car of the Year award. ‘The A-Class seemed
the obvious choice: no other rival had pushed the
design and technical envelope with such bravado
and excellence.’ (Whitworth, 1998). Instead of a
prestigious award and the positive publicity that
would ensue, the media ran with the Moose Test
failure. The extent of this publicity was such that
the term Moose Test is now used to represent any
stringent test on the quality of a product.
‘Initially, Daimler-Benz defended its ‘Baby
Benz’ saying the company did not think it was
necessary to issue a statement ‘just because
a car flipped over somewhere’. The huge
media reaction against the company reportedly
with ‘a reputation as the ultimate in German
engineering and safety’ soon forced Daimler to
acknowledge that modification was required.’
(Knight and Pretty, 2000).
So despite having no technical evidence that the
A-Class was unsafe, quite the contrary based on
their own testing, Mercedes halted production. By
this stage there were 2,500 A-Class in the hands of
owners and a further 15,000 off the production line.
Mercedes offered to rework the cars to improve their
handling. Apart from changing to larger wheel rims
and lower profile tyres, Mercedes took the radical
step of installing the Electronic Stability Program
(Mercedes-Benz version of ESC) to the A-Class;
a most significant upgrade when you consider
that ESP was only available as an option on their
more expensive models. During the 2 weeks that
the modifications took, the 200 owners that took
up Mercedes’ recall offer were given C-Class
Mercedes to drive. A-Class production was halted
for approximately 12 weeks while the modifications
were designed and changes to the production line
made. The total cost to Mercedes-Benz to modify
the A-Class are estimated to be $150 million. At
the re-launch of the A-Class in late January 1998,
journalists were unable to make the A-Class rollover.
‘So why did the A-Class fail the elk test? Listen to
Ulrich Brunke, chief engineer for the A and C-
Class cars and he will tell you that any car, given
the right number of turns over the right distance
can be made to fall over. The elk test is a violent
test for any car to endure’ (Whitworth, 1998).
SAFE DESIGN FOR ENGINEERING STUDENTS 49
Discussion Points
1. C
 ompare and contrast the different approaches
taken by the manufacturers of Mercedes
A-Class, Ford Pinto (Section 2.6.1) and
Suzuki Samurai to manage the safety issue in
their vehicle.
The Suzuki Samurai was introduced in 1986
and phased out in 1989 due to declining sales
and threats of continued litigation as a result of
rollover accidents.
‘Then there’s Suzuki. The carmaker made
news in October, when a St. Louis jury awarded
31–year-old Katie Rodriguez $36.9 million in
compensatory and punitive damages after she
was paralysed in a rollover accident involving a
Suzuki Samurai sport utility vehicle. Documents
introduced at the trial showed that Suzuki
continued to sell the Samurarai after it learned
that the SUV had a stability problem. To date,
213 people have died and 8200 have been
injured in Samurai rollovers, Suzuki’s trial
experts have estimated’ Consumer Report ,
Jan 1998).
Issues that could be raised in discussion
> In the Ford Pinto, a decision during the product
testing phase was made not to eliminate the
risk of the exploding fuel tank through a design
solution. It was decided to manage the risk
through litigation.
> In the Suzuki case, the product was very short-
lived (3 years) due to low sales. Apparently a
significant redesign of the chassis was needed
to decrease rollover, so a product recall may not
have been viable. Suzuki handled the Samurai
safety issue through litigation Apparently
the rollover risk is well known for Sports
Utilility Vehicles.
> In the Mercedes A-Class, the safety risk was
handled through a product recall and involved a
redesign and significant upgrade to the vehicle.
The risk was managed through design rather
than litigation.
2. D
 id Mercedes go beyond its ‘Duty of Care’ to
consumers in recalling the A-Class
Issues that could be raised in discussion
> Exceeded generally acceptable standards
> Mercedes appear not to have been aware of the
issue. There is no information in the scenario
which suggests they were aware of the problem
prior to the failure.
3. W
 hat sorts of factors could Mercedes have
taken into account when they decided to recall
the A-Class car?
Issues that could be raised in discussion
> Regulatory compliance: It appears the A-Class
vehicle was thoroughly tested except for a
relatively obscure Moose test.
> Reputation: Mercedes had already built their
reputation on safety. This action would be seen
to reinforce rather than undermine that.
> Economics: A safety crisis which impacted
the Mercedes brand could damage their share
price and hence stockholder value. There
could potentially have been liability issues into
the future.
> Brand Risk Management: In particular an
association between the Mercedes brand
and trust. Factors such as ethics, reliability
and stability are important. How Mercedes
was perceived to respond to the safety issue
was important.
> Access to required technology: Mercedes were
able to modify the A-Class quite easily using
technology already at their disposal and used on
their luxury vehicles.
Primary resources for information about
these cases
Ihlen, O (2002) Defending the Mercedes A-
Class: Combining and Changing Crisis-Response
Strategies, Journal of Public Relations Research,
v14(3): 185-206
Whitworth, B (1998) ‘Of Moose and Men’,
Automotive Engineering, April 1998, pp39-42

50 australian SAFETY and compensation council

Breuer, J.J. (1998) Analysis Of Driver-Vehicle-
Interactions In An Evasive Manoueuvre – Results Of
‘Moosetest’ Studies’, Daimler-Benz AG, Germany,
International Technical Conference on the
Enhanced Safety of Vehicles (ESV), Paper Number
98-S2-W-35, http://www.nhtsa.dot.gov/esv/16/
98S2W35.PDF
Knight, R.F. and Pretty, D. (2000) Brand Risk
Management in a Value Context’, Templeton
Briefing 05, University of Oxford, UK, ISBN: 1
873955 09 X
Rollover Lawsuits, Suzuki Rollover Accidents &
Roof Crush Injuries: http://www.rolloverlawyer.com/
suzuki_samurai.htm
Consumer Reports (1998). Front Lines – Auto
Safety: What Suzuki could learn from Mercedes,
Jan 1998 p10’
Mother Jones News Magazine, ‘Pinto Madness’
by Mark Dowie, Sept/Oct, 1977. There is video at
the site showing crash testing of the vehicle and
other articles.
Centre for Auto Safety, http://www.autosafety.org,
search using term, Ford Pinto
Lee (1998) The Ford Pinto Case and the
Development of Auto Safety Regulations, 1893-
1978, Business and Economic History, v27(2).
http://www.thebhc.org/publications/BEHprint/
v027n2/p0390-p0401.pdf
2.4.3 F-111 Deseal/Reseal Case
Instructor Notes
Overview
This case study is a summary of the events
surrounding the F-111 Deseal/Reseal case that
were presented at a Board of Inquiry in September
2001. The case shows how major safety issues
in the workplace can arise from a combination
of workplace culture and the use of hazardous
materials. While some of the organisational and
cultural features of the workplace described here
are unique to the military, others are relevant
to many other large industrial organizations. It
highlights the importance of the need to design
effective processes and systems not just products
for ensuring safety. It shows the ‘downstream’
consequences of not addressing safety ‘upstream’
at a design stage. It recognises that decision-
making in engineering can involve ambiguity and
differences in opinion.
Intended learning outcomes
> Awareness of hazards 'downstream' due to the
design of products.
> Understanding of the complexity of designing
safe processes.
> Appreciation of organisational and cultural
factors which impact the effective design
and enforcement of safe processes within a
workplace.
> Ability to identify risk control strategies to deal
with hazardous substances.
Context in which it could be used
This case has many different aspects that make
it particularly applicable for use in engineering
subjects that focus on management, professional
practice and engineering design and maintenance.
Aspects to the problem such as the relationship
between financial, organisational and cultural
factors with safety, ethics and the downstream
implications of engineering design could be
explicitly addressed.
Resources required (time, handouts)
> 30-45 minutes including reading and discussion
time. More time for discussion can certainly be
allocated especially for extended discussions
involving students relating this case to their
experiences in the workplace.
> Student Notes and Discussion Questions
provided for this case.
Method of presentation
The case can be approached in several ways.
Out of session preparation
Appoint a discussion leader or leaders prior to the
session whose task is to thoroughly research the
case by reviewing the suggested website in addition
SAFE DESIGN FOR ENGINEERING STUDENTS 51
to reading the notes provided prior to the class
discussion. The role of this leader is to encourage
discussion of colleagues based on this scenario and
to prepare and present a more extensive summary
report to the whole class.
In session preparation
During class, students can read the case narrative
and in groups of 4-5 discuss the questions
supplied. A reporter within each group can be
appointed to sum up the group’s discussion to
the whole class. Each group could sequentially do
each discussion question or each group could do a
different question.
Suggested Assessment criteria/guidelines
The purpose of this case study was to raise student
awareness of safe design principles and the impact
of the ‘downstream’ workplaces upon the safety
of designed items. No assessment criteria have
been developed for this case study. Educators
seeking to assess student learning from this activity
could develop criteria relating to the depth of
understanding students show during classroom
discussion or a written report where the number of
pertinent points raised for each of the discussion
questions is assessed. Some relevant issues are
highlighted in the Solution section. By restricting the
ability of students to research the case out of class,
educators can better assess their ability to identify
issues from limited data.
Scenario
Image: http://www.defence.gov.au/raaf/images/for_site/wallpaper/
F111.jpg
52 australian SAFETY and compensation council
In 1963, the Royal Australian Air Force (RAAF)
ordered 24 F-111 aircraft but it was not until 1973
that the aircraft arrived at Amberley Air Force
Base. The fuel tanks in the F-111 were designed
to be integral to the aircraft’s structure and unlike
many other aircraft the fuel tanks did not contain
an internal bladder but required a sealant for the
joints and mating surfaces to prevent leaks. A
specially developed sealant that could withstand the
environmental conditions arising from supersonic
flight was developed. However, fuel leaks were
discovered soon after delivery and it became
evident that the fuel tanks would need to have the
original sealant removed and a new sealant applied.
A deseal/reseal program was initiated, however the
desealant used had potential risks due to its toxicity
and very low flash point. There are seven fuel tanks
located within the aircraft; in the fuselage ahead of
the wings, within the wings, behind the wings and
either side of the tail.
Consequently, for more than 20 years, the RAAF
maintenance personnel have been working in
cramped and confined spaces, using highly toxic
chemicals to deseal and reseal the fuel tanks of F-
111 aircraft. Although personal protective clothing
was provided (gloves, respirators, coveralls), the
high temperatures of the tropical climate and the
difficulty of working with such restrictions in a
confined space led to staff not always using the
protective gear that was provided. The personal
protective gear was often inadequate with protective
gloves dissolving, chemical seepage through
coveralls, and inadequate filtration through
respirators. This meant that staff were directly
exposed to the effects of the hazardous substances
with which they worked. Staff reported symptoms of
skin rash, gastrointestinal problems, headaches and
loss of memory to medical personnel, but because
the symptoms were so vague little action was taken.
In addition, because the workers absorbed the
exceedingly foul smell of the desealant, they were
socially ostracised and excluded on the Base from
recreational gatherings such as the workers’ club
and the picture theatre. The highly disciplined
work culture of the military meant that any workers
who complained of the working conditions ran the
risk of facing disciplinary procedures and being
considered ‘a traitor’.
 ‘It is my belief that the consequence of not
undertaking the tasks would be that I might be
subject to ‘contact counseling’ ( I would be taken
out the back and given a clip under the ear).’
In 2000, a RAAF Board of Inquiry into the Deseal/
Reseal program was finally constituted and the fuel
tank repair program suspended. A large number of
personnel have been affected by toxic substances
during their tours of maintenance duty. The
following narrative of one of the victims captures the
human cost of this safety problem.
‘I have skin cancers or solar skin damage on
my scalp, forehead, face and arms. I also have
claw toes and my left foot bows out…I continue
to suffer blood pressure problems…and
hemorrhoids with intermittent bleeding from the
bowel. I have a lump on the palm of my left
hand and a lump in the throat, which makes
it intermittently hard to swallow…I have bad
breath and my wife is always telling me that I
have an awful smell from my body which is not
regular body odor. I also get a red rash on my
face and suffer from headaches and dizziness…
I am at times very depressed…’
The Board of Inquiry identified a number of
contributory factors and made 53 recommendations
to rectify the problems uncovered and to establish
a climate of occupational health and safety in the
Defence Force.
It was noted that in the RAAF, operations almost
always take priority over logistics. That means that
the aim of a maintenance squadron or wing is to
produce serviceable aircraft for use by operational
squadrons. The maintenance personnel were under
considerable pressure to complete the deseal/
reseal activity in minimum time so that the planes
could return to action. Consequently staff worked
long hours in confined spaces, in claustrophobic
protective suits, with production schedules that
were tight and performed extended duty periods.
The discipline of the Defence Forces results in staff
who perform commands without questioning.
The Board’s investigation however revealed
numerous incidents of non-compliance by
maintenance workers with the safety requirements
including that they wear personal protective
equipment (PPE) such as goggles, respirator, gloves
and coveralls. There was a failure on the part of
supervisors to ensure that these regulations were
observed. It was recognized that failure to wear PPE
was symptomatic of the organisational culture. In
a high-pressure environment, problems with the
personal protective equipment were brushed aside.
Gloves disintegrated within five minutes of contact
with the chemicals, but rather than continually
interrupting the job to get new ones, people worked
with bare hands. When the respirator restricted
vision, workers would simply remove it to get the
job done. The coveralls that were required as
a precaution against damage to the aircraft did
not provide workers with protection from fluids.
There were requirements that the vapors from the
desealant be below exposure and explosion limits.
Ventilation was therefore required within the fuel
tanks during cleaning, but it was not used due
to excess noise and space problems. The Board
concluded that without ventilation it was likely that
the atmosphere inside the tanks exceeded these
limits. People who complained were seen as trouble
makers and ‘getting the job done’ was the goal.
The RAAF also did not learn from previous
accidents and incidents and did not implement the
recommendations of other previous inquiries into its
maintenance programs.
The chain of command that is an integral part
of RAAF culture also worked to inhibit the
communication of safety issues upwards. While the
top-down model of command ensures that orders
are followed without question, Senior Commanders
remained unaware of the problems with the deseal/
reseal project because lower ranking officers were
reluctant to admit to such a serious safety problem
hoping that they could solve it without it coming
to the attention of their superiors. Workers who
found it difficult to complete the task as prescribed,
developed unapproved ways of doing things and the
staff training model employed ensured that these
inappropriate techniques were then passed on to
the next crew.
The RAAF also experienced economic restrictions
and the number of engineering staff was reduced.
SAFE DESIGN FOR ENGINEERING STUDENTS 53
In one case a young engineer who had been
graduated for three years was placed in charge of
170 maintenance workers. While this officer had
several highly experienced, non-commissioned
officers reporting to him, because of the ‘complex
and involved processes’ within the deseal/reseal
program the engineer had no real understanding
of the situation. He assumed the section was
being managed competently and that approved
procedures were being followed. The Board
recognized the engineer was placed in an untenable
position and could not effectively supervise sub-
ordinates. Engineering expertise was needed to
understand the implications of the various parts of
the maintenance process as well as to ensure that
when workers encounter difficulties an appropriate
systemic solution could be reached. But the
withdrawal of engineers from site as a cost-cutting
measure led to completely inadequate supervision
of trade staff.
The Board also found that at the Amberley Air
Force Base , there was a low priority on industrial
medicine as part of safety management. This is
significant since it was estimated that in Australia
four times as many people die from diseases
caused by exposure to hazardous substances in the
workplace as die from traumatic injury on the job.
When RAAF staff complained of headaches and
nausea to the Amberley Medical Section, little action
was taken because these symptoms were vague
and hard to specifically attribute to a single cause.
The Board recognised that despite the knowledge
the workers were using a variety of potentially
harmful chemicals, the health care facilities at the
Air Force base was organised as a private medical
practice with doctors having no qualifications in
occupational medicine, no direct knowledge of the
working conditions for the affected staff and little
incentive to do the extra research to discover the
underlying cause of the distress.
Since the RAAF is planning to retain the F-111 in
service for up to a further twenty years, the fuel
tank leaks are problematic. The deseal/reseal issue
means their availability for Australia’s defence has
been compromised. It was estimated in 2001 that
in excess of 400 personnel have suffered long-term
damage to their health as a result of exposure to
54 australian SAFETY and compensation council
chemicals in the various deseal/reseal programs.
A major study into the health of those who
participated in the program released in 2004 found
an association between involvement in the deseal/
reseal programs and a lower quality of life and more
common erectile dysfunction, depression, anxiety,
and subjective memory impairment. There is also
evidence, albeit less compelling, of an association
between the program and dermatitis, obstructive
lung disease (i.e. bronchitis and emphysema),
and neuropsychological deficits. The results of the
Board of Inquiry have had far reaching implications
for the entire Defence Force and for industry in
general. In his response to the Inquiry Report, Air
Marshal Houston said ‘My first priority is for the
health and welfare of serving and ex-members of
the Air Force…today’s Air Force puts people first…’
Primary resources for information about
this case
Department of Defence, F-111 Deseal Reseal Board
of Inquiry (BOI) website,
http://www.defence.gov.au/raaf/organisation/info_on/
units/f111/
Discussion Points: Solution
1. Identify the safety management (risk control)
approaches used, their effectiveness and
the hazards they targeted. (hint Hierarchy of
Control)
Issues that could be considered include
> Engineering Control:
Ventilation of confined spaces was required.
However this was often not done due to noise
problems and the restrictions it placed on space
within the service area.
> Administrative Control:
Limits were set on the atmospheric
concentrations allowed for the desealant to
prevent exposure and explosions. These limits
did not appear to be monitored.
> Personal Protective Equipment:
- Goggles, often removed due to vision problems.
 - Overalls, these were permeable to the 3. W
 hat were the key organisational and cultural
desealant and therefore ineffective. factors which lead to the Deseal/Reseal
problem?
- Gloves: these would dissolve and were
therefore often not worn. Issues that could be considered include
- Respirators; inadequate filtration and they > Poor communication upwards about safety
blocked vision so they were often removed. issues. The Board recognised that bad
news does not move easily up organisational
> Amberley Medical Facility: This facility was
hierarchies. Only issues that could not be
designed to deal with injuries but it was
rectified at the level below were bought up the
ineffective in monitoring and treating the health
level of command. Safety issues stayed at the
impacts from the Deseal/Reseal program.
lower levels and did not get high enough up the
2. What were the key design decision that level of command to change.
engineers made which impacted on the Deseal/ > Poor communication of safe work practices.
Reseal safety issue? There were no specified induction procedures
Issues that could be considered include and so staff learnt from others on the job. These
work practices comprised safety.
> Design of fuel tanks required a sealant.
Engineers could have designed the tank to use > Inadequate training of junior engineers. To
a bladder and therefore not need a sealant. effectively supervise staff, a supervisor (e.g.
junior engineer) needs to understand the
> Location of fuel tanks in locations that had
consequences of incorrect work practices.
limited maintenance access. Recognising
In this case the engineer should have an
that the design of the fuel tank was untested
understanding of the symptoms of chemical
technology, the design engineers could have
exposure and conditions likely to lead
managed the risk better by recognising
to explosions.
maintenance may be involved and designed
safer access to the fuel tank access or easier > Valuing of equipment over personnel. The
tank removal. priority was to have the planes ready for
operation rather than ensuring worker safety
> Choice of untested sealant. The tank design
during maintenance.
required a sealant that had to be specially
developed. The Board of Inquiry heard that > Inadequate monitoring and reviewing of the
any chemist would have known that the sealant engineering maintenance process by senior
would be unsatisfactory just by knowing its staff. There were inadequate ways of reporting
composition. occupational hazards in the workplace. The
Medical Facility did not perform this role.
> Choice of a hazardous desealant. If the
engineers involved in designing the deseal/reseal > Learning from history. Recommendations from
program were required to consider the toxicity earlier RAAF reports related to these issues
of the desealant rather than just its performance were not incorporated into the Reseal/Deseal
they may have chosen an alternative that was program.
not as effective chemically but still satisfactory
and therefore was a lower risk.
> Design of maintenance program. If a longer
period for servicing was allowed then the fuel
tanks could have been removed from the aircraft
and then disassembled therefore avoiding
confined space issues.

* Toolkit content can be found at section 1.4 of PART 1 – Concepts, Principles & Tools

SAFE DESIGN FOR ENGINEERING STUDENTS 55

4. W
 hat were the key ethical and regulatory issues 5. General discussion questions to extend and
and how did they affect the safety problem? personalise the discussion
(hint Apply the Code of Ethics)
> How could a junior engineer onsite go about
Issues that could be considered include being a ‘whistleblower’ when there was no clear
> To what extent the junior engineer had option to resolve the problems through the chain
a responsibility to act under the ethic of command?
responsibilities of an engineer. There are at least > What issues have you faced when trying to
three tenets of the Engineers Australia Code of supervise staff when undertaking hazardous
Ethic which are relevant. work requiring their use of personal protective
‘Members shall at all times place their equipment?
responsibility for the welfare, health and safety > What have we learned about safe engineering
of the community before their responsibility design from this scenario?
to sectional or private interests, or to
other members;’
‘Members shall offer services, or advise on or 2.4.4 Onsite Safety Activity
undertake engineering assignments, only in
Instructor Notes
areas of their competence and shall practise in a
careful and diligent manner;’
Overview
‘Members shall take all reasonable steps
A discussion oriented activity designed to explore
to inform themselves, their clients and
an Engineers professional responsibilities and
employers and the community of the social and
your ethical framework when dealing with issues
environmental consequences of the actions and
related to safety. It is designed to explore your value
projects in which they are involved;‘
and belief system and how that can impact upon
> To what extent did the junior engineer exercise your actions.
their Duty of Care responsibilities under the
Occupational Health and Safety Acts. What Intended learning outcomes
would constitute ‘reasonably practicable’ in
> Awareness of professional responsibilities of
this situation?
engineers in relation to safety.
Duty of care requires everything ‘reasonably
> Awareness of Engineers Australia Code of Ethics.
practicable’ to be done to protect the health
and safety of others. Duty of care places into
Context in which it could be used
a legal form what is a natural moral duty to
anticipate possible causes of injury and to do Small group activity suitable for extensive
everything practicable to remove or minimise discussion. This can also be used as an ice-breaker
these hazards. to get students to explore their own experiences
with workplace practices concerning safety. This
> To what extent did the junior engineer breach
activity could be used in subjects where ethics,
their responsibility under supervising staff who
safety or communication are covered.
are working in confined spaces?
> Were the senior staff with greater supervisory Resources required (time, handouts)
responsibility more liable for compromising
> 30-45 minutes depending on the extent to
worker safety than the junior engineer directly
which students own views are presented to the
supervising them?
entire class.

56 australian SAFETY and compensation council

> Engineers Australia Code of Ethics (Safe Design
Engineering Toolkit* section 1.4.10).
> Students Notes for this example.
Suggested Assessment criteria/guidelines
No assessment criteria are provided for this activity.
Method of presentation
1. Form students into small groups (2-4 students).
This activity can also be done by having
individuals do the activity and then combine to
discuss their opinions.
2. Handout required resources to each group.
3. Get students to read the scenario.
4. Discuss the suggested discussion points and
other relevant issues.
Scenario
You and a fellow student engineer are undertaking
part-time work with a tank installation and
maintenance service firm. The firm has been
contracted to inspect the condition of petroleum
storage tanks at 50 sites across New South Wales.
The company which owns the fuel supply sites
is concerned about environmental liability from
leaking fuel due to corrosion of the mild steel casing
or welds in the tanks. Their company is proud of
its reputation within the industry of being safety
conscious and has developed a set of Safety Rules
for Contractors which sub-contractors are bound to
under the terms of their contract.
Your task is to supervise the onsite inspection of the
tanks by contract staff employed by the company.
These contract staff have a long history of working
with your firm and include a licensed gas fitter with
over 20 years of experience and his trades assistant.
Your immediate supervisor is located at head office.
The inspection process requires purging the tank
with nitrogen and staff entering the tank through a
manhole on the uppermost surface. The inspection
comprises searching the tank using torches to
locate visually areas of corrosion.
On your first day at the Company they gave you
and your fellow student engineer a half-day briefing
about what you were expected to do onsite. They
did not cover much on safety but did mention that
there would be some safety equipment onsite in the
unlikely chance you needed it.
Upon arriving at the site the next day you meet
George the gas fitter and his assistant Tom. You also
notice various signs around the depot mentioning
the Safety Rules for Contractors and Confined
Space Entry. You ask George about the safety
equipment and what these rules are and he say he
does not know but ‘ everything has been OK when
he has worked at their other depots and that if he
had a dollar for every tank he had inspected he
would be a rich man’.
You decide to seek confirmation from Peter your
immediate supervisor who is located at head office.
He tells you not to worry and that they only hire
safety equipment for the dangerous jobs and yours
is not one of those. He also says that George is the
most experienced contractor they have and to make
sure you get through the inspection quickly because
they are on a tight budget for the job.
You still feel uneasy and ring Gina your fellow
student engineer at another site. She says that you
are just a bit nervous about supervising staff onsite
for the first time and that their first inspection was
well underway. Her sub-contractor also told her that
safety equipment is not usually needed for these
types of jobs.
Choice of Action
a) Keep on working as directed by your supervisor
and try to catch up on lost time.
b) Keep on working as directed by your supervisor
and decide to have a meeting with your
supervisor at the end of the day.
c) Refuse to continue working on the site and go
back to head office to sort it out.
d) Contact the Depot Manager onsite to see if he
has a copy of the rules and seek clarification
about the safety equipment.
e) Try to contact your supervisor’s boss, who
happens to be a family friend.
SAFE DESIGN FOR ENGINEERING STUDENTS 57
Solution The regulation defines a confined space at a
> There are at least three Tenets that have aspects place of work as a space of any volume which
which are relevant to the case. a person may at any time enter or be allowed to
enter and in which:
Members shall at all times place their
responsibility for the welfare, health and safety > The atmosphere is liable to be contaminated at
of the community before their responsibility any time by dust, fumes, mist, vapour, gas or
to sectional or private interests, or to other other harmful substances;
members; > The atmosphere is liable at any time to be
Members shall offer services, or advise on or oxygen deficient.
undertake engineering assignments, only in > As the onsite Engineer you also have a moral
areas of their competence and shall practise in a obligation to make yourself aware of the
careful and diligent manner; expertise/knowledge needed to perform the work
Members shall take all reasonable steps with regards to fulfilling regulatory requirements,
to inform themselves, their clients and meeting the clients Safety policies in addition to
employers and the community of the social and Safety policies of the company you work for. By
environmental consequences of the actions and not ensuring that these requirements were met
projects in which they are involved; the onsite engineer did not uphold Tenets of the
Code of Ethics.
> Your company has not undertaken such work
before. Perhaps it does not possess enough
skill and the requisite knowledge to complete
the works. As the scenario unfolded there was
evidence that this may well be the case.
> An engineer may accept the assignment
requiring expertise outside their own fields of
competence provided they are restricted to the
phases of the project in which they are qualified.
Was the onsite engineer qualified to supervise
the tank cleaning work?
> Entry into the tanks is governed by a regulation.
The confined spaces regulation supplements
the Occupational Health and Safety Act, 2000
(NSW). The Regulation sets out minimum
standards to ensure the safety of persons
working in a confined space. It does this
by requiring employers to comply with the
Australian Standard (AS 2865-1986) ‘SAFE
WORKING IN A CONFINED SPACE’ and by
Occupational Health and Safety (Confined
Spaces) Regulation 2001. This standard has
specific requirements that must be met. As the
Engineer onsite you would have been breaching
your legal responsibilities by allowing the work
to proceed.

58 australian SAFETY and compensation council

PART 2C:
SAFE DESIGN QUIZ

AN EDUCATIONAL RESOURCE
FOR UNDERGRADUATE
ENGINEERING STUDENTS
QUIZ
 >>>>
pArt C: sAFe design QuiZ

This section aims to both develop and assess aspects of student learning about Safe Design. The quiz uses
multiple choice, matching and ordering types of questions.

Content in whiCh the QuiZ CAn Be used

The quizzes are particularly useful as formative or summative assessment of student learning of principles,
concepts and terminology. They can be used to compliment teaching using lecture slide delivery and
student directed learning of the material contained in Part 1 of this resource. Many of the questions can
be used either in paper based or online delivery using quiz software in a Learner Management system (eg
Blackboard, WebCT) or specialised quiz software.

Question 1 MAtChing
Pair up definitions with terms:

1. An error is … A. freedom from accident or loss.

2. A near miss (aka incident) … B. freedom from failures.
3. A failure is … C. an undesired and unplanned event that results
in a specified level of loss.
4. Reliability is …
D. an event that involves no loss but with the
5. A hazard is …
potential for loss in other circumstances.
6. An accident is …
E. a state or set of conditions of a system,
7. Safety is … that together with other conditions in the
environment will lead inevitably to an accident.
F. non-performance or inability of the system or
component to perform its intended function.
G. a flaw or deviation from a desired or
intended state.

Answer 1
1–G; 2–D; 3–F; 4–B; 5–E; 6–C; 7–A

saFE dEsiGn For EnGinEErinG studEnts 1

Question 2 Multiple Answer
Which of the following are true statements:
Safe systems are reliable Unsafe systems can be reliable
Reliable systems are safe Safety can only be compromised when there is a
system failure

Answer 2

S Safe systems are reliable R Unsafe systems can be reliable

S Reliable systems are safe S Safety can only be compromised when there is a
system failure

Question 3 True/False
You are a professional mechanical engineer. You have designed and overseen construction of a playground
for the local school, a task for which you did not charge. Since you are not being paid for your professional
services you are absolved of any duty of care.
True
False

Answer 3
S True
R False

Question 4 Ordering
Order these elements of the OHS regulatory framework from those having overarching influence to least
influence over engineering practice:
Industry Standards/Guidance Notes
Standards
Codes of Practice
Regulations
Acts

Answer 4
1–Acts; 2–Regulations; 3–Codes of Practice; 4–Standards; 5–Industry Standards/Guidance Notes

 australian SAFETY and compensation council

Question 5 Multiple Answer
Compliance with which of these elements of the OHS regulatory framework is mandatory?
Acts
Industry Standard/Guidance Notes
Australian and International Standards
Regulations
Codes of Practice

Answer 5
R Acts R Regulations
S Industry Standard/Guidance Notes S Codes of Practice
S Australian and International Standards*
* Unless Australian standards are contained/called up in regulation or an Act.

Question 6 Multiple Answer

Which of the following groups are covered by a Duty of Care (according to the OHS Acts) in the workplace?
Contractors and sub-contractors
Employees
Employers

Answer 6
R Contractors and sub-contractors
R Employees
R Employers

SAFE DESIGN FOR ENGINEERING STUDENTS 

Question 7 Multiple Answer
Compliance with a Duty of care can be enforced through which of the following:
Acts
Regulations
Risk Management Standards
Criminal and Civil Legal action
Disciplinary action by the Institute of Engineers, Australia or the Professional Standards Association

Answer 7
R Acts
R Regulations
S Risk Management Standards
R Criminal and Civil Legal action
R Disciplinary action by the Institute of Engineers, Australia or the Professional Standards Association

Question 8 Multiple Answer

When an injury occurs in the workplace, who can be subjected to civil or criminal legal action?
Contractors and sub-contractors
Employers
Employees

Answer 8
R Contractors and sub-contractors
R Employers
R Employees

 australian SAFETY and compensation council

Question 9 Multiple Choice
When is adherence to an Australian/NZ standard a legal requirement?
When referred to in a Code of Practice
When explicitly referred to in an Act or Regulation
Always
None of the above

Answer 9
S When referred to in a Code of Practice
R When explicitly referred to in an Act or Regulation
S Always
S None of the above

Question 10 Multiple Answer

Which of the following statements are true about AS/NZS 4360?
it is a framework for risk management that is focussed specifically in engineering risks
its purpose is to enforce uniform risk management systems in all contents
it is designed to be a stand-alone, comprehensive standard that does not require interaction with other
professional standards
none of the statements above.

Answer 10
S it is a framework for risk management that is focussed specifically in engineering risks
S its purpose is to enforce uniform risk management systems in all contents
S it is designed to be a stand-alone, comprehensive standard that does not require interaction with other
professional standards
R none of the statements above.
AS/NZS 4360:1999, Risk Management provides a generic framework for establishing the content,
identifying, analysing, evaluating, treating, monitoring and communicating risk.

SAFE DESIGN FOR ENGINEERING STUDENTS 

Question 11 Multiple Choice
According to AS/NZS 4360, risk management systems:
must reflect the culture and practices of the organisations in which they are applied.
must not be influenced by the particular cultures and organisational practices in which they are applied.

Answer 11
R must reflect the culture and practices of the organisations in which they are applied.
S must not be influenced by the particular cultures and organisational practices in which they are applied.

Question 12 Matching
The following diagram shows an overview of the Risk Management process. Match the letters in the
diagram with the appropriate term.

A F

A is D is
B is E is
C is F is

Answer 12
A is Communicate & Consult D is Analyse & Evaluate risks
B is Establish the Context E is Control risks
C is Identify risks F is Monitor and Review

 australian SAFETY and compensation council

Question 13 Multiple Answer
In AS/NZS 4360, risk is measured in terms of:
the probability of an event that impacts upon the organisation’s objectives
the consequences of an event upon the objectives of an organisation
the likelihood of people’s exposure to an event that has an impact upon an organisation’s objectives

Answer 13
R the probability of an event that impacts upon the organisation’s objectives
R the consequences of an event upon the objectives of an organisation
S the likelihood of people’s exposure to an event that has an impact upon an organisation’s objectives

Question 14 Multiple Answer

According to AS/NZS 4360, risk assessment consists of
risk identification
risk analysis
risk evaluation
risk treatment

Answer 14
R risk identification
R risk analysis
R risk evaluation
S risk treatment

SAFE DESIGN FOR ENGINEERING STUDENTS 

Question 15 Multiple Answer
According to AS/NZS 4360, decisions about the acceptability and treatment of risk may be based on:
financial criteria
legal criteria
humanitarian criteria
technical criteria

Answer 15
R financial criteria
R legal criteria
R humanitarian criteria
R technical criteria

Question 16 Multiple Choice

Two people are walking in the forest when they encounter a hazard; an angry grizzly bear. They both turn
and run. The bear follows and is gaining ground quickly. The first says ‘It’s no use, we can’t outrun the
bear.’ The second responds ‘I know, but I can outrun you’.
Which of the five methods for dealing with risk best describes the strategy adopted by the second person
from the viewpoint of the second person?
Avoid
Treat
Transfer
Accept
Ignore

Answer 16
S Avoid
S Treat
R Transfer
S Accept
S Ignore

 australian SAFETY and compensation council

Question 17 Multiple Choice
According to AS/NZS 4360, the risk evaluation criteria
should not be developed until after the risk treatment is completed
must be determined before any of the risk management processes commence
must be established before the risk identification process begins, but may be subsequently refined
must be firmly established before the risk identification process begins, and must not be altered
are universally set and not subject to how the risks emerge in individual contents.

Answer 17
S should not be developed until after the risk treatment is completed
S must be determined before any of the risk management processes commence
R must be established before the risk identification process begins, but may be subsequently refined
S must be firmly established before the risk identification process begins, and must not be altered
S are universally set and not subject to how the risks emerge in individual contents.

Question 18 Matching
Once a hazard is identified and the risk analysed, there are 4 strategies for dealing with hazard. Match the
strategy with the correct definition.

1. Accept A. Redesign the system so that the hazard

doesn’t affect it
2. Avoid
B. Set up a contract or some other form of
3. Treat
agreement, or work in such a way that the legal
4. Ignore framework places the burden of risk (or part
5. Transfer thereof) onto another party
C. Modify the frequency or the consequences
(severity) of the hazard
D. Understand the consequences of the risk
and be prepared to fully compensate for any
losses incurred
E. Be liable for but not prepared to compensate
for any losses incurred due to the hazard

Answer 18
1–D; 2–A; 3–C; 4–E; 5–B

SAFE DESIGN FOR ENGINEERING STUDENTS 

Question 19 Multiple Answer
According to AS/NZS 4360, communication and consultation must take place during the process of
Establishing the content of risk management
Risk identification
Risk analysis
Risk evaluation
Risk treatment

Answer 19
R Establishing the content of risk management
R Risk identification
R Risk analysis
R Risk evaluation
R Risk treatment

Question 20 Multiple Answer

According to AS/NZS 4360, which of the following processes are subject to ongoing monitoring and review?
establishment of the content
risk identification
risk analysis
risk evaluation
risk treatment

Answer 20
R establishment of the content
R risk identification
R risk analysis
R risk evaluation
R risk treatment

10 australian SAFETY and compensation council

Question 21 Multiple Choice
According to AS/NZS 4360, which type of analysis is most likely to be used as an initial screen activity to
identify risks which require more detailed analysis?
semi-quantitative analysis
quantitative analysis
qualitative analysis

Answer 21
S semi-quantitative analysis
S quantitative analysis
R qualitative analysis

Question 22 Multiple Answer

Which of the following actions is or are examples of risk treatment, according to AS/NZS 4360?
reducing the likelihood
reducing the consequences
transfer the risk
avoid the risk

Answer 22
R reducing the likelihood
R reducing the consequences
R transfer the risk
R avoid the risk

SAFE DESIGN FOR ENGINEERING STUDENTS 11

Question 23 Multiple Answer
In AS/NZS 4360 provides a list of suitable information sources for analysing consequences and likelihood
of a given event. Which of the following would be suitable sources?
Experiments and prototypes
Relevant published literature
Economic, engineering or other models
Personal opinion

Answer 23
R Experiments and prototypes
R Relevant published literature
R Economic, engineering or other models
S Personal opinion

Question 24 Ordering
The Hierarchy of Control is a variety of risk control options that are used to manage occupational health
and safety risk. Please order these, with the most protective and therefore preferred option at the top and
decreasing through to the least preferred option.
Elimination
Administrative (procedural) controls
Engineering controls
Personal Protective Equipment
Substitution

Answer 24
1–Elimination; 2–Substitution; 3–Engineering controls; 4–Administrative (procedural) controls; 5–Personal
Protective Equipment

12 australian SAFETY and compensation council

Question 25 True/False
Controlling risk through the use of Personal Protective Equipment is always effective.
True
False

Answer 25
S True
R False

Question 26 True/False
Controlling risk through the use of administrative controls (e.g. guidance and training on the safe use of
forklifts) is always effective.
True
False

Answer 26
S True
R False

Question 27 True/False
Controlling risk through the use of administrative contrls (e.g. pilot and air traffic controller training) and
technology is always effective.
True
False

Answer 27
S True
R False

SAFE DESIGN FOR ENGINEERING STUDENTS 13

Question 28 Ordering
Aircraft fitters inspect aircraft before each flight. To gain access for inspection Jim, an aircraft fitter, stood
on a tug. A tug is a flat topped vehicle designed for towing aircraft and luggage trailers, etc. Jim was able,
to stand on the tug, inspect the aircraft and drive around underneath the aircraft by operating the controls
away from the driver’s seat. Jim was moving the tug to a new inspection point when he collided with the
aircraft. The collision trapped Jim between the tug and the aircraft fuselage. Jim received multiple fractures
to his upper body. Company rules insist tugs are operated only if the driver is seated in the driver’s seat.
(example J. Culvenor)
Please ORDER the risk control options from preferred to least preferred based on the hierarchy of control.
Increase supervision to ensure compliance with safety rules
Provide a special motorised maintenance trolley
Increase aircraft component reliability
Reduce the height of aircraft landing gear

Answer 28
1. Reduce the height of aircraft landing gear
2. Increase aircraft component reliability
3. Provide a special motorised maintenance trolley
4. Increase supervision to ensure compliance with safety rules

Question 29 Ordering
Kelly is a gardener at a metropolitan hospital. Kelly was cleaning a ‘gang’ mower when she cut her foot.
Kelly had seen other gardeners clean the mower by hosing the blades with water while operating them in
reverse. Kelly was washing the mower in this way when her left foot touched the moving blades. The blades
left deep cuts in her big toe and two adjacent toes. There had been no verbal or written instruction about
how to wash the mower safely. The hospital provides safety boots but Kelly was not wearing them at the
time of the accident. Often outdoor workers wear their own shoes claiming that they are more comfortable.
The hospital has now developed a code of practice for the safe operation of the gang (example J. Culvenor).
Please ORDER the risk control options from preferred to least preferred based on the hierarchy of control
Remind all outdoor staff to wear safety boots
Provide training in the new code of practice
Re-sow the grass with a slower growing native variety
Use sheep to graze the grass

Answer 29
1. Use sheep to graze the grass
2. Re-sow the grass with a slower growing native variety
3. Provide training in the new code of practice
4. Remind all outdoor staff to wear safety boots

14 australian SAFETY and compensation council

Question 30 Ordering
Karen worked in a food processing factory as a production engineer. A forklift collided with Karen causing
multiple fractures and severe bruising. Bill, a storeman, uses a forklift to shift drums of liquid. He moves
the drums from the receiving storage area to the production area. The accident happened at 7pm on
a winter night. The lighting in the production area was good but the lighting in the storage and forklift
‘roadway’ area was poor. Karen was walking from the well-lit Tea Room across the ‘roadway’ when struck
by the forklift. The load obstructed Bill’s view. The noise of the production line obscured the forklift motor
noise. People can walk around the factory on an elevated walkway, but this is not always convenient and
often not used despite a company rule (example J. Culvenor).
Please ORDER the risk control options from preferred to least preferred based on the hierarchy of control.
Create a strict rule that in the interests of safety the existing walkways must be used
Improve the lighting in the ‘roadway’ section of the factory
Provide forklifts with dual controls such that they can be driven in reverse
Pipe the liquid from the receiving storage area to the production line

Answer 30
1. Pipe the liquid from the receiving storage area to the production line
2. Provide forklifts with dual controls such that they can be driven in reverse
3. Improve the lighting in the ‘roadway’ section of the factory
4. Create a strict rule that in the interests of safety the existing walkways must be used

SAFE DESIGN FOR ENGINEERING STUDENTS 15

16 australian SAFETY and compensation council