Safety Science 44 (2006) 55–73 www.elsevier.com/locate/ssci
Safety design: Towards a new philosophy
Elie Fadier a,*, Cecilia De la Garza b
a INRS—Working life Department, Prevention Applied Ergonomics and Psychology Laboratory, Avenue de Bourgogne, BP 27-54501 Vandoeuvre Cedex, France
b Université René Descartes, Laboratoire d'Ergonomie Informatique, 45 rue des Saints-Pères, 75006 Paris, France
Abstract
Thinking about the integration of safety right from the design stage is of interest in research terms. How can we increase the overall efficiency of a working system whilst reducing risks at source, and consequently costs? Can the future operation of a working system be anticipated? What can be anticipated? Can we help designers respond to statutory requirements through experience feedback and by structuring our knowledge of how working systems actually perform? Based on a "user-focused" design approach, this paper is structured in two sections. The first section analyses the existing position, focusing specifically on the question of safety at the design stage; the second gives generic recommendations for making work equipment design safer and more "secure".
© 2005 Elsevier Ltd. All rights reserved.
Keywords: Ecological design; Participative ergonomics; Automation paradoxes; Proactive safety
1. Introduction
The evolution of industrial systems (particularly automation and computerisation) has induced a number of changes at several levels:
* Corresponding author. E-mail addresses: [email protected] (E. Fadier), [email protected] (C. De la Garza).
0925-7535/$ - see front matter © 2005 Elsevier Ltd. All rights reserved. doi:10.1016/j.ssci.2005.09.008
E. Fadier, C. De la Garza / Safety Science 44 (2006) 55–73
• At the technical level: an increase in the theoretical reliability of technical components and in the optimisation of system productivity, but hybrid systems (footnote 1) are not controlled.
• At the economic level: a growing renewal of the machine park, greater emphasis on cost reduction and industrial competitiveness.
• At the organisational level: emphasis on just-in-time production, the almost complete disappearance of static work stations, more activity in 3 shifts, new systems of management.
• At the level of prevention (safety): an increase in technical standards for integrating safety into design, a significant fall in accident numbers, an evolution of safety regulation towards the new approach (obligation to meet goals, not to apply defined means), the emergence of new risks requiring new approaches and analysis methods …
• At the human activity level: a modification of the nature of work activity (mental rather than physical work, intervention in degraded system modes, group work, increasing attention to man-machine interfaces, manifestation of paradoxes related to automation (increasing, rather than decreasing, the difficulty of human intervention), recourse to generic/tacit knowledge and autonomy rather than the forced use of rigid procedures, which cannot cover all situations).
• At the design level: evolution of new methods and approaches, emergence of concurrent engineering tools, reduction of lead-times and costs.
However, the analysis of real-life industrial situations often demonstrates a significant gap between the theoretical reliability foreseen by the designer and the observed operational reliability (Fadier et al., 2003a). This gap between expected operation and real operation is considered one of the most important sources of risk.
Real work situations also have to take account of the integration of risk management, the constraints of exploitation, the extension of the use envelope of the equipment, the evolution of the production system over time and use, etc. Additionally, the operator has to deal with a range of situations not foreseen at the design stage (Neboit et al., 1993; Demor, 1996). Integration of safety and human factors into the design phase is therefore a vital necessity if we wish to translate expected performance into achieved results in industrial systems.
2. Design and prevention
Prevention (health, safety and ergonomics) is a complex field, and its links to economics, public perception and legislation only make that complexity greater. The number of occupational accidents which still occur is an indication of this complexity. In France in the year 2000 (Statistiques financières, 2000), 862,500 occupational accidents with an absence from work longer than 3 days were recorded, including 1597 fatalities. This underlines the fact that, in spite of the introduction of new technologies and the abundance of regulations and technical standards, safety margins remain insufficient and residual risks are still significant. This can be explained by three phenomena:
1 A hybrid system is a whole made of elements of different natures (technical, human, organisational, …) whose functions are redundant. Ideally, it is conceived to be rather powerful in the achievement of the assigned missions, but daily one notices problems of compatibility, synergy, communication and co-operation between these various elements. This is particularly true when the automated technical functions are assisted by human operators. Daily industrial situations enrich this paradox (Karwowski et al., 1990).
(A) Migrations in system boundaries.
(B) Sequential, not integral, treatment of safety/ergonomics in design.
(C) Little use of feedback from experience.
2.1. Any system undergoes migrations (drifts, transformations and adaptations) from its design to its first uses (Amalberti, 2001; Rasmussen, 1997; Neboit, 2003; Fadier et al., 2003a,b)
In this context Rasmussen has developed the idea of the existence of a "natural migration of activities toward the boundary of acceptable performance". For Rasmussen, the analysis of a number of accidents and industrial disasters (Bhopal, Flixborough, Zeebrugge, Tchernobyl) demonstrates that their causes will not be found in a search for a combination of technical failures and human error, but in a drift of the global behaviour of the organisation under strong competitive pressure and influence toward efficiency. To understand and influence this, it is necessary to take account of the interaction between the decisions taken by several actors in the system and their effects in a normal work context, all the time under the pressure of competition. The margins for action, or the space within which the actions of an actor, or actors, evolve, can be represented by an envelope. Inside the outer bounds shown in Fig. 1, decisions and actions remain acceptable according to the different criteria. When pressure is put on one of the axes, for example productivity, the actions will approach the opposite boundaries of the envelope, for example the acceptable load limit for the individual or the limit of safety. Conversely, if the pressure is to decrease or limit risks, economic profitability will be penalised. Fadier et al. (2003b) added to this model of "displacement toward limits" an additional dimension representing the lifecycle of the system, putting forward the hypothesis that these limits vary from design to installation, and from installation to exploitation (Fig. 2), under the influence of a range of factors.
A second addition, arising from the preceding one, is that these migrations in the limits are often accepted by all actors in the use phase of a given piece of equipment as being inevitable and generated by upstream causes beyond their control. This has given rise to the label "Boundary Conditions Tolerated by Use" (BCTU) (Fadier et al., 2003a; Neboit, 2003).
[Fig. 1. Model of global management of risks (Rasmussen, 1997). Labels in the figure: boundary of functionally acceptable performance; error margin; counter gradient from campaigns for safety culture; resulting perceived boundary of acceptable performance; boundary to economic failure; gradient toward least effort; management pressure toward efficiency; experiments to improve performance create "Brownian movement"; boundary to unacceptable work load; space of possibilities: degrees of freedom to be resolved according to subjective preferences.]
[Fig. 2. Evolution of the deviations from nominal design during the system life. The figure shows the three stages of the process (design, implantation/installation, functioning), the migration factors between them, the "acceptable" and "non-acceptable" areas, the analyses carried out at each stage (design process and methods, including the integration of safety by the various actors; activities of the designer and of the establishment, identification of the conditions and factors of migrations, training of the users; activities of use of the rotary printing presses by 7 customer-users, identification of risks, causal analysis and modelling) and the feedback towards the design.]
2.2. Sequential approach to safety and ergonomics in the design process: significant standardisation but limited integration
The models, approaches and tools of design are in constant evolution, improving socio-technical system performance and reducing the number of occupational accidents. Nevertheless, they remain limited and there is plenty of room for improvement, particularly in their capacity to integrate prevention into the normal design process. Didelot (2001) highlighted the fact that the incorporation of safety in design follows a sequential approach, not an integrated one. It is driven by adherence to standards and regulations. The way in which safety is dealt with in the design of machinery and automated production systems provides a good illustration of the philosophy of safety in design processes (Fadier and Ciccotelli, 1999). This works by collecting into the standards technical safety measures (often tending to increased automation) and safety rules (Lacore, 1993; Council directive, 1998). However, these safety rules are often considered very late (even too late) in the design process and are supplemented by informal approaches (Blaise et al., 2003; De la Garza and Fadier, 2005). Moreover, the increasing number of standards, and the difficulties that users of standards, and even their writers, experience in mastering the resulting complexity, are counter-productive for this endeavour. Safety is taken into account sequentially at the different stages of the process: design, installation, exploitation (Fig. 2). This means that first the proposed design is made using other criteria and then it is checked against safety considerations and criteria. In the figure the first step represents the technical solutions chosen by the designer.
These choices correspond to expressed customer needs. The designer bases his approach mainly on consideration of component reliability. This first level has a restricted system area and boundary, which is proportional to the designer's attention to the risks linked to system use. When the system is technically designed, the designer then adds the safety devices necessary to ensure a sufficient level of safety. These safety devices are essential to market the system. For this, the designer uses the standards. The system is then "enriched" by adding different safety devices: we can say that a "regulation layer of safety" is added to the technical system. The system boundary (or safe envelope) at this stage is bigger than at the previous one, because it is at this stage that the designer concentrates his efforts on technical means protecting operators from dangerous elements. Finally, to guarantee technical performance and operator safety, the designer defines the use conditions which will keep the system within his designed safe envelope. However, despite all these precautions, the system as marketed does not correspond to the operational context:
• When the system is installed in the factory it has to be adapted to meet the constraints of the firm's site and specific needs.
• During the exploitation phase, we can observe situations in which the users will inevitably favour productivity (considered as a rate of return) over safety (considered as a cost and a constraint). To do this they modify the plant or the procedures. Many risks then appear, representing the gap between the foreseen system and the operational system.
• Faced with these circumstances, operational constraints and system failures, operators develop coping activities which are outside the prescribed frame, and they create their own safety, which we call the "operational safety layer".
In general terms designers modify their design solutions based on feedback: they often compensate for incidents by adding more devices, which often obstruct use and are therefore not effective. They accentuate the antagonism between productivity and safety. It is a process in which the informal predominates over formal methods and approaches, and during which we go from the designed risk to the operational risk.
An analysis of design activity (De la Garza, 2004) has confirmed that, in this way, the objectives of safety come to be grafted onto a design, as an external entity or addition, in a more or less opportunistic way. This opportunism results in ad hoc choices, which do not take (sufficient) account of their impacts on working conditions or on users' activities. Safety is not an explicit or specific starting objective for the designer, only for the safety expert. In the same study, the author shows that there are two ways or modalities by which safety and ergonomics are integrated into the design process. The first modality is based on the explicit knowledge shared by the collective (standards, internal design rules). The second is based on the individual tacit knowledge which a designer may have, arising from experimentation, more or less official feedback from operational situations, or from personal experience or initiatives. The study also showed the limitations of these modalities because of a lack of systematisation of objectives and initial design requirements. It showed that safety and ergonomics do not form part of the initial representation of the product to be designed and come to be "grafted on" according to specific needs or in a more or less random way. Generally one can discern the existence of two safety integration methods:
• Direct methods, which correspond to the explicit modality, and operate through standards and other formal documents, design tools and actions.
• Indirect methods, which correspond to the implicit and individual modality, and operate through the individual characteristics of each actor (knowledge, experience).
2.3. Experience feedback is very little exploited by the designer
Examination of industrial practice shows that there are very few totally new designs and that design is often a process of re-use of old solutions, which resolve completely, or at least partially, the problems arising. This being the case, it is vitally important to collect information on, and assess the consequences of, any design which may be reused, and to pinpoint any badly adapted designs (either of a product or of a means of production). But it is very rare that information is recorded about these consequences at the work-situation level, and even less at the activity level. The designer generally considers this activity to be outside his sphere of influence and responsibility. This means that designers have difficulty in anticipating the effects of their design and in learning from their mistakes. In addition, although design is a key stage in establishing effective prevention and adapting systems to the real conditions of production, it cannot solve everything. Beyond the technical system and the human role in safety, which are of primary concern to the designer, it is necessary to consider also organisational and management aspects of safety. Indeed, analyses of occupational accidents in various fields show how these aspects play a major role in the combination of factors which have led to the accident. By taking into account in the design process the variability of work situations and the human use requirements, one could define an integrative design which would take better account of use situations and in particular of prevention requirements. But these have to be seen within the context of the organisations doing and using the design. The next section develops these ideas further into a new design philosophy for integrated safety and human factors.
3. Towards a new philosophy in safety design
When it comes to safety, the design of automated systems has revealed a number of paradoxes, which many authors have already pointed out (Bainbridge, 1982; Neboit and Fadier, 1998). The more complex the system, the greater the attempt made to compensate for this complexity by the abundant and increasing use of procedures, instructions, and safety and control systems ("add-on" safety solutions). In this way, there is a risk that the system becomes more and more opaque for the user. It becomes increasingly difficult to anticipate everything, and the surveillance and control role of the operators is therefore increased. This leaves a number of choices at the discretion of the operators, which means that the operator's work sometimes becomes transformed into a major intellectual and creative assignment rather than a set of well-defined tasks (de Terssac, 1992). From the design point of view, the performance of these complex systems is currently founded on analysis and design of the (hardware) reliability of this complexity (components, interactions, completeness, etc.), with "priority" given to safety in the case of a "safety-productivity" conflict. This vision of the designer, which is both normative and "optimistic", is based on the fact that, during design, he aims to guarantee a level of reliability and availability such that there will be no such conflict, and that in the worst situation this conflict will remain minimal. However, it has been shown time and again that this vision is not viable (Fadier et al., 2003a; Hollnagel, 2003; Rasmussen, 1997). Dealing with work requirements and constraints necessitates considerable autonomy for, and the taking of responsibility by, the operators in order to take decisions during difficult and sometimes delicate situations.
Although they do not solve every problem, the generic recommendations suggested by De la Garza (2004) stem from a "user-focused" approach based on user needs and interests. This approach is aimed at designing products whose functionality is understandable and whose interfaces can be easily used. It tries to adapt technical system characteristics in the best possible way to final user characteristics, with a view to improving reliability of usage and thereby avoiding accidents (Vicente and Rasmussen, 1992). This involves "designing for error" (Lewis and Norman, 1986) through greater knowledge of the characteristics of the end-user, the task and its constraints. A real approach focusing on the user must in fact be "ecological", i.e. it should integrate and resolve the health and safety problems and not simply anticipate and absorb their consequences on the system. Impacts on end-users need to be taken into account in more ways than just through "user satisfaction" assessment. Since occupational diseases and the health and safety impact of malfunctions are widespread in the industrial sector, they need to be taken account of as well. This means resorting to "user" models which are more broadly based and probably not uniquely cognitive (e.g. creating a model that integrates both the cognitive and physiological requirements of the task, as well as user development and diversity: different ages, the aging process, different training, qualification level, experience, etc.). The end-purpose of safe design should not only be to prevent errors and reduce technical malfunctions; it should also prevent accidents and occupational diseases and ultimately eliminate work-induced social exclusion. Unlike "reactive" safety, i.e. dealing in hindsight with a critical event, proactive safety can be defined as the combined studies, analyses and projected integration options implemented in foresight with respect to the critical event.
This is prevention based on the anticipated work situation and not solely on the work equipment. This then raises several important issues. How do we encourage the different design players to build up an appropriate representation of use, closer to the reality of using the work equipment? What rules and criteria for usage, and what forms of usage, should be integrated as a priority? What everyday, occasional and unintended (accident and emergency) situations should be foreseen? What risks for overall system safety and for operator health should be foreseen? What safety barriers should be implemented? etc. We can derive a number of elements of solutions and recommendations by considering the following "key points" for a safe, proactive design approach.
3.1. Ecological design
The notion of ecological design refers to the idea of making accessible to operators all of the resources which they need with respect to the different work situations. These are human, technical, informational, statutory, procedural, time-based, physical, etc. Thus, an ecological structure corresponds to a structure suited to the needs of the work and the safety requirements of the different users. Transposed to industrial equipment, this notion refers to a number of aspects necessitating systemic analysis of critical situations and involving a work analysis of the activity. Participation of the ergonomist as well as the occupational safety specialist engineer is a necessity for this. So-called ecological design should take into account at least the following points:
• Greater user accessibility to equipment. This accessibility is at two levels. Firstly, physical accessibility (Cabon and Mollard, 2003; Sagot et al., 2003), which should take into
account the nature and complexity of the system to be designed. This involves integration of anthropometric standards and consideration of accessible areas with respect to production tasks, incident recovery and maintenance. The second level concerns cognitive accessibility (Vicente and Rasmussen, 1992), which is an important aspect with respect to automation. The existence of paradoxes of automation influencing safety and human activity clearly highlights the need for this accessibility, i.e. understanding of how the system works in all of its modalities. It involves not only internal coherence of the activity, but also the quality of the interface for better usability. These cognitive accessibility aspects recall the need to extend the designer's knowledge of system and use requirements, and of both physical and cognitive constraints, from everyday situations to broader incident situations; this knowledge requires work analysis of these situations as they will exist. It should provide designers with models of both cognitive and physiological operation (Boy, 2003), namely what types of function the production and/or maintenance operator is required to master, the signals the technical devices must transmit to the operator for rapid problem identification and better situation recovery, etc.
• Increased robustness of the technological solutions designed, especially in relation to the complexity of the industrial equipment. Lack of robustness leads to frequent risks and malfunctions requiring multiple human interventions. This leads not only to less error tolerance in the system, but also weakens system performance (production, operator health and safety).
3.2. Necessary support of the work equipment by the organisations in which operators will work
Work equipment use must be supported by a reliable organisation, suited to the different user requirements for working and for safety (De la Garza, 2004).
It is important to have a real, operational safety management system in a company to organise work and the resources it requires in terms of:
(1) Human resources. Personnel management is a prerequisite for reliability, in order to anticipate the number, qualifications, training, experience and length of service of the personnel required for safety-critical tasks. This also covers the type of training to be given in relation to the real working requirements, as well as the career advancement opportunities needed to prevent, for example, premature aging, work exclusion, occupational accidents, occupational diseases, etc.
(2) Physical resources. Organisational design should anticipate work equipment aging and maintenance to prevent situations in which recurrent failures create risks and increase workload and recovery actions. Equipment should be suited to working conditions and to both physical and cognitive requirements. For example, relatively simple, known and controlled situations can become accident situations because detection and diagnosis could not be undertaken in time in a rapidly evolving situation.
(3) Evaluation and validation of safety solutions. This must be based on safety-related regulations and work procedures. This validation needs to be performed by confronting proposed solutions in the field with the expected (indeed classic) examples of incompatibilities leading to errors and the known conflicts between safety and production, and to confirm what human resources and skills are required. It also needs to check
which of the situations that can be anticipated the solutions cover, and to organise that the remainder be covered (De la Garza et al., 1999).
(4) Knowledge of and official recognition of critical situations, risks and their characteristic difficulties. Analysis of the work enables a list of critical scenarios to be drawn up, based on observation and interviews focused on experience of critical events.
(5) Functional networks, work groups and collective interactions. Based on the diagnosis of the current situation, it is necessary to anticipate the group interactions that will characterise the future situation and manage these effectively.
3.3. Anticipating future operation through identification of tools and knowledge used for design (Fadier et al., 2004)
In the field of design, and especially in work equipment design, designers are often blamed for not anticipating the future "uses" to which the equipment may be put. They are also criticised for reusing or adapting old solutions to new problems without effective validation. This type of expedient, involving reuse of a past solution, is not specific to design, but is directly related to the notion of anticipation itself (Denecker, 1999). Within design processes, there is a growing need to anticipate in order to design work equipment which responds to real user needs (thereby reducing the costs of equipment adaptation, training or other modifications) (Garrigou and Thibault, 2001). This anticipation is essentially based on reducing design-related resources (time, cost, etc.) and responding to the future usage requirements of operators. We can add to these another objective, namely to minimise the costs (financial or in terms of image) associated with the risk of legal proceedings following the implication of designers in user health/safety problems.
From a legal standpoint, the designer must take the necessary steps to ensure that future equipment usage has been anticipated and entails no adverse consequences for the health/safety of the persons who will use it. Various approaches are followed in this field:
• Modelling (of physiological or psychological processes, accidents or man–system interactions).
• Use of a 3D dummy.
• Interaction simulation, i.e. model implementation, user trials, etc.
These approaches can contribute to a more plausible and realistic anticipation of the activities of future system or work situation actors (operators, maintenance fitters, cleaners, etc.) and to more accurate prediction of usage methods and their safety-related consequences. Better opportunities to improve anticipation are fundamental within the framework of integrating prevention into the design process. On the designers' side, methods such as functional analysis (Ligeron et al., 1991) and concurrent engineering (Brossard et al., 1997; Jamal and Sahraoui, 2005) have evolved to take into account the future usage of the equipment produced. However, when subjected to constraints (e.g. of time or resources), designers tend to revert to their natural behaviour (Beguin and Darses, 1998) and draw inferences based on their own experience or known situations. It remains true that it has always been difficult to assess, in the product's initial design stage, how work equipment will be handled in a real-life situation. The literature on the differences between design requirements and actual activity in use contains a wealth of examples of this. (One of the reasons is that the arrival of a new tool is likely to have repercussions
on the way the operators perceive their work and the place given to their skills within the company (Rabardel, 1995), which leads them to use that tool in new and unanticipated ways.) Resorting to simulation has two advantages: it allows "discussion areas" about potential situations to be set up through solution testing, and it develops knowledge by updating the situation model tested in the simulation. Despite the well-known limits of these methods, there is still much scope for expanding the use of simulation. Computing developments make simulators ever cheaper and allow continuous improvement in their performance (realism, immersion, etc.), as well as "real-time" display of simulation results. Recourse to virtual reality (Burkhardt, 2003; Ciccotelli, 2002) represents today a resource that designers must explore as a way of anticipating future situations even before physical manufacture of the work equipment. In a proactive approach, structuring of the design situation should be based both on a user-focused design approach (including work and critical event analysis methods, etc.) and on an approach based on technical device assessment (using methods specifically associated with creating scenarios, simulation situations, testing phases, etc.). It is a multidisciplinary approach requiring major investment in time, but it can prove profitable in the long term. Redesigning or reworking a finished but non-conforming product represents a higher cost and often ends up as a "makeshift job" undertaken by the user-client, especially when industrial equipment with a service life of between 10 and 20 years is involved.
3.4. Going beyond technical know-how
Analysis of automated system design shows that decision choices are currently justified on the basis of the assumed effectiveness of the technical solution options. However, if we compare this technological certainty (high reliability, process stability, etc.)
with the reality of industrial system operation, we see that:
• Whereas the designer assumes a unique, defined use-situation (however wide that definition may be), there is much more situation variability: not only are multiple working contexts present, but also human variability (both within and between people). This highlights the diversity of the real situation representations and the meaning that operators give to their actions.
• It is essential to consider the dynamic aspect of work situations, which means that we cannot modify one system component without upsetting the whole structure.
• Through analysis of real activities, ergonomics has highlighted the fact that work comprises adaptations and adjustments, and that optimum operating conditions are only rarely met. Many technical malfunctions lead operators to intervene in a system operating in degraded mode. This difference between expected (basic) and real (integrating risk management) operation is considered one of the most important causes of "risk taking", because the operator/user must deal with a situation unforeseen at the design stage.
Thus, analyses based exclusively on technical knowledge provide only a partial solution for confronting real work needs. They could usefully be complemented and enriched by contributions from ergonomic analyses of real work. The MAFERGO methodology (Fadier et al., 1991) provides this enrichment because it combines technical reliability analyses with ergonomic activity analyses to better understand different work situations and compare them with the technical solutions proposed at the design stage.
All of this means that it is important to:
• Identify phases suitable for integrating human factors into the design process. In most cases, the specification, testing and validation phases remain the most important for collecting and identifying end-user needs and usages in different categories and trades. However, the representations and forms of integration of the human factor, i.e. users and usage, will vary depending on the ways in which the design process is organised, what is being designed and the ‘actors’ involved in the design, as well as with the design phases and the way these articulate with each other.
• Refer explicitly to human activity- and requirement-related factors in the specification. Health and safety criteria should be integrated into a design project right from the stage of defining needs and producing the design specification, as stipulated in standard ISO 13407 applicable to interactive systems. In other words, an assessment plan should be incorporated in the specification for use on the different solutions which have, or could have, an impact on end-user health and safety. This gives rise to the need to possess accessible design tools allowing these parameters to be integrated. An ecological approach should therefore be detailed in the specification to provide designers with information according to project phase as well as which aspects to seek out, check, and integrate.
• Consider work analysis as an aid to identifying needs and collecting usage scenarios (practices). Assessment, simulation and testing conditions should therefore be built up based on the knowledge of real (reference) work situations and on an inventory of usage scenarios in nominal, everyday, frequent and rare incident situations. Work analysis methods allow this type of construction (Leplat, 1997).
In the same way as there is a testing schedule for technical specifications, a testing schedule for normative or non-normative health and safety aspects should be drawn up, to ensure rigorous programming and monitoring. Results should be systematically noted to ensure that a trace or memory of the design process remains and to preserve knowledge of why a given solution was discarded or another solution evolved. This will support a better capitalisation of existing knowledge in the long term, because totally innovative design will always remain rare.

3.5. Organising participative design, reflecting on groups, participants and their roles

Participative2 design is defined (Haines et al., 1998) as the “involvement of persons in planning and controlling a significant number of their work activities, these persons possessing sufficient knowledge and capacity to exercise an influence on both processes and results to achieve desired aims”. Its importance has continued to grow since the 1980s. Possible benefits of participation can be consolidated into two categories:
• direct benefits such as solution ownership, commitment to change, better design process, apprenticeship and training provided earlier, and
• indirect or systemic benefits such as delegating of skills, personal involvement and development, widening of interest.

2 Developed over several decades, participative design falls within the scope of cooperation activities and especially the activity based on integrating operator viewpoints. It stems generally from the ergonomic design movement and more specifically from participative ergonomics (Cahour, 2001; Wilson, 2003).
However, one of the limits to this approach is that it is often considered slow, despite the demonstrated reduction in project costs and execution times. In addition, it has been shown in a study of 38 European cases (Morris et al., 2004) that not only does participation suffer from insufficient support and resources, but, moreover, the skills needed for it were not recognized in most of these cases. User participation implies organisation and structuring based on the work situations and design phases in which users take part (Lewkowicz and Zacklad, 2000), to avoid situations in which operators cannot express themselves, have nothing to say, or are even incapable of expressing or arguing their needs (Cahour, 2001; Reuzeau, 2001; De la Garza, 2004). In using these techniques, end-users or “end-user categories” should be defined, because there may be differences between novices and experts, between older and younger populations, between past and present system users. Depending on the context, this may involve administrative categories, in which “client” users and end-users are distinguished or, again, different trade categories are defined. Whilst the participation of these different users may be complementary, their contributions may vary considerably and their selection therefore determines the quality of the results obtained. Participation should be representative of population characteristics (age, training, experience, tasks performed, conditions of usage, etc.) and of use contexts. Levels of involvement per design phase should be decided in advance to choose between five levels of increasing participation (see Jenssen, 1997):
1. Informing end-users about the action plans decided on;
2. Collecting of end-user information and experience;
3. Consulting end-users to get their opinions and suggestions on current actions;
4. Negotiating with end-users in formal committees;
5. Making decisions jointly with the different parties involved.
Jenssen does not, however, really explain how to organise these levels of participation, or what types of tools or meeting procedure should be implemented for each type of design project and phase thereof. Moreover, these are not alternatives, because these different levels of participation will not all commit end-users in the same way. Informing and consulting end-users does not necessarily lead to truly active participation, but can be limited to answering a questionnaire (Sen, 1988). Whilst this can turn out to be helpful, it can never be sufficient. User panel situations may indeed feature more active participation (Nielsen et al., 1994; Bruseberg and McDonagh-Philp, 2002), but how best to organise such panels to ensure effective extraction of work-related needs and viewpoints, etc. remains unsolved. Bucciarelli (1988) considers user interactive participation, i.e. the capacity and opportunity of users to react when confronted by designers and the way designers consider or take over their viewpoints, or those related to work. This last point is important because it implies that users need to be able to argue to convince the designer that the matter is of real importance, whether it be related to daily usage, critical points, or whatever. We also need to accept that participative design does not always guarantee success (Heinbokel et al., 1996). Whilst end-user participation is recommended right from the earliest design phases, only its use in the assessment and validation phase appears to be effectively equipped with tools and well structured in the literature (Nielsen, 1997; Scapin and Bastien, 2002).
3.6. Using existing company experience feedback (EF) structures or creating specific structures

In general, the literature (Apostolakis, 1986; Rasmussen, 1990; Bruneau and Pujos, 1992, p. 12) emphasises that experience feedback (information provided by users) is a process which is not currently used systematically either for enhancing design or for taking into account usage requirements. The designer usually considers this to be outside his area of action. There are few data available today, other than those provided by accident reports. Despite their significance, these approaches are insufficient to support the design process in taking into account work situations at the limits of foreseen conditions. Because there is a lack of explicit definition of designer needs in this respect, we see the following paradox. Designers put up with relatively inefficient, even non-existent, information feedback, whilst the company may have a more or less well organised experience feedback structure designed for other purposes than feeding back to designers, e.g. an accident and incident registration and analysis system, which may or may not specifically cover human factors. Such a system can provide a departure point for better information feedback on health and safety impacts and their subsequent consideration in design. Such an experience feedback structure should differentiate between forms of feedback:
1. Everyday operation and the problems and risks observed in production and maintenance situations.
2. Critical events leading to a near accident, or an accident with or without days lost.

Unfortunately, information conveyed by this feedback is not always informative to, nor usable by, designers. Structuring and presenting collected data to the designer is a critical task. The aim is to facilitate his work and not to make it more complex, since only with this proviso can the designer effectively use this information. Data must constitute a decisional aid for safe design.
With this aim in mind, some authors (Didelot and Fadier, 2002) have proposed a tool for structuring experience feedback data for design purposes. This tool is called the logic tree. The tool they have developed aims to make these work situations “readable” for the designer who, in the current state of his knowledge, does not suspect their existence. The form of representation of the BATU contains elements on which the designer can act to improve his design. The method of representation that they propose mixes the deductive and inductive modes of reasoning. The representation is centred on the major event heading “Decision to carry out the BATU”, which is positioned in the centre of the figure (Fig. 3) and not as a top event, as it would be in the construction of a traditional fault tree. From this position, we try to determine the events upstream and downstream, in other words:
• the causes of the BATU: problems or failures in production, specific circumstances, elements introduced by the design process, etc.;
• the events which can lead to the failure of the BATU and hence undesired consequences in the form of an incident or accident (the top event in Fig. 3): e.g. “weakening” of procedures and their consequences, inattention, etc.

It is a representation method which allows, up to a point, the dynamic aspect of palliative activities and work equipment usage practices to be shown, together with how these practices are initiated by work-related constraints and tool requirements. Such practices
Fig. 3. Extract from Logical Tree Representation of the failure of the BATU: cleaning of the blanket rollers during operation (Didelot and Fadier, 2002).
[Tree diagram not reproduced; only node labels survive. Central event (decision making): “Decision to carry out BATU: cleaning strainers while rolling”. Cause-side labels: “Detection of an unacceptable dirty mark”, “Mark of unknown origin”, “Mark induced by the bad quality of consumable”, “Automatic cleaning does not meet the requirements of production”, “Insufficient effectiveness”, “Accessibility of the blankets during operation”, “Constraints related to stopping and restarting production”, “Temporal dependence of presses on delivery schedule of newspapers”, “Importance of not accepting losses”. Consequence-side labels: “BATU in progress exposing operator to the risk”, “Execution of BATU putting operator in contact with the paper band”, “Failure factors during the realization of BATU”, “Problem involved in the material used to carry out the BATU”, “Badly folded rag”, “Rag too soaked with solvent”, “Ink too diluted”, “Fabric bit is detached”, “Temporary carelessness”, “Involuntary movement induced by an external cause”, “Drop the rag”, “Operator presses on the band”, “Pinching of the fingers”, “Injury related to the paper band”, “Injury to operator”, “Rupture of paper band”, “Equipment degradation”, “Availability of production system”, “Quality of production”.]
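The logic tree described above (Fig. 3), and the decisional-aid role the text later assigns to it, can be made concrete in code. The following Python block is an added example; it is not the authors' tool and not code from the paper. Node labels are taken from Fig. 3, but the AND/OR wiring of the gates and the `actionable` flags (marking events the designer can remove or alter through the design itself) are assumptions made for this example. Going one step beyond the text, it derives the minimal cut sets of the top event and reports, for each, which of its events are design-controllable: a path with no such event is one that design alone cannot break.

```python
"""Executable sketch of a BATU-centred logic tree (added example).

Labels follow Fig. 3 (Didelot and Fadier, 2002); the gate structure and
the `actionable` flags are assumptions made for illustration only.
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, FrozenSet, Set, Tuple, Union


@dataclass(frozen=True)
class Basic:
    """Leaf event (the E0xx boxes of Fig. 3). `actionable` is our own flag:
    True when the designer can remove or alter the event through design."""
    name: str
    actionable: bool = False


@dataclass(frozen=True)
class Gate:
    """Intermediate event (the G0xx boxes of Fig. 3) combining its inputs."""
    name: str
    kind: str                       # "AND" or "OR"
    inputs: Tuple["Node", ...]


Node = Union[Basic, Gate]


def occurs(node: Node, observed: Set[str]) -> bool:
    """Bottom-up evaluation: does `node` occur given the observed basic events?"""
    if isinstance(node, Basic):
        return node.name in observed
    results = [occurs(child, observed) for child in node.inputs]
    return all(results) if node.kind == "AND" else any(results)


def minimal_cut_sets(node: Node) -> Set[FrozenSet[str]]:
    """Minimal combinations of basic events sufficient for `node` to occur.
    OR gates union their inputs' cut sets; AND gates take one cut set from
    each input and merge them; supersets are then discarded."""
    if isinstance(node, Basic):
        return {frozenset([node.name])}
    child_sets = [minimal_cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        raw = set().union(*child_sets)
    else:
        raw = {frozenset().union(*combo) for combo in product(*child_sets)}
    return {cs for cs in raw if not any(other < cs for other in raw)}


def basics(node: Node) -> Dict[str, Basic]:
    """All leaf events under `node`, keyed by label."""
    if isinstance(node, Basic):
        return {node.name: node}
    out: Dict[str, Basic] = {}
    for child in node.inputs:
        out.update(basics(child))
    return out


def design_levers(node: Node) -> Dict[FrozenSet[str], FrozenSet[str]]:
    """For each minimal cut set, the events in it the designer can act on.
    An empty value flags a path that design alone cannot interrupt."""
    leaves = basics(node)
    return {cs: frozenset(e for e in cs if leaves[e].actionable)
            for cs in minimal_cut_sets(node)}


# --- Assumed wiring of the Fig. 3 extract (labels from the figure) ---------
AUTO_CLEANING = Basic("Automatic cleaning does not meet the requirements of production", actionable=True)
ACCESS = Basic("Accessibility of the blankets during operation", actionable=True)

# Upstream: what leads the operator to decide on the BATU (central event).
DECISION = Gate("Decision to carry out BATU: cleaning strainers while rolling", "AND", (
    Gate("Detection of an unacceptable dirty mark", "OR", (
        Basic("Mark of unknown origin"),
        Basic("Mark induced by the bad quality of consumable"))),
    AUTO_CLEANING,
    Gate("Constraints related to stopping and restarting production", "OR", (
        Basic("Temporal dependence of presses on delivery schedule of newspapers"),
        Basic("Importance of not accepting losses"))),
    ACCESS,
))

# Downstream: the BATU in progress plus a failure factor gives the top event.
INJURY = Gate("Injury to operator", "AND", (
    DECISION,
    Gate("Failure factors during the realization of BATU", "OR", (
        Basic("Temporary carelessness"),
        Basic("Involuntary movement induced by an external cause"),
        Gate("Problem involved in the material used to carry out the BATU", "OR", (
            Basic("Badly folded rag"),
            Basic("Rag too soaked with solvent"),
            Basic("Ink too diluted"))))),
))


if __name__ == "__main__":
    # Constructed shift report: which basic events were observed.
    shift = {"Mark of unknown origin", AUTO_CLEANING.name,
             "Importance of not accepting losses", ACCESS.name, "Badly folded rag"}
    print("BATU decision made:", occurs(DECISION, shift))
    print("injury path complete:", occurs(INJURY, shift))
    for cs, levers in sorted(design_levers(INJURY).items(), key=lambda kv: sorted(kv[0])):
        print(sorted(cs), "-> design levers:", sorted(levers))
```

With this wiring every one of the twenty minimal cut sets passes through the two actionable events (effectiveness of automatic cleaning, accessibility of the blankets during operation), which is exactly the kind of element "on which the designer can act" that the text says the representation should expose; the same tree evaluated over a set of observed events also shows whether a reported situation reached the central decision only, or the top event.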
Fig. 4. Some concerns and actions of actors concerned with design and prevention.
Industrialists. Concerns: daily realities: lowered system performance, accidents. Actions: requests increased and active participation in R&D projects.
Designers. Concerns: lack of data to take safety into account and of tools to make it possible to integrate it. Actions: active participation in R&D projects.
Researchers. Concerns: showing the importance of this integration and bringing viable scientific and economic solutions: how to extract the data? How to treat them? How to structure them for better designer use? Actions: research to increase multidisciplinary collaborations (engineers, ergonomics and industrialists); seminars, workshops and conferences.
Prevention managers. Concerns: propagation of good practices and proposing tools which can be generalized to allow an efficient integration of prevention. Actions: providing means and resources (research projects, information, training); creating working groups.
require implementation of specific operating procedures and can have consequences that are beneficial (in the event of success) or harmful (in the event of failure) to operator safety and technical system integrity. Based on operational (technical and ergonomic) analyses, the logic tree should provide a decisional aid for the designer in the sense that it shows how palliative activities can be implemented and reveals main areas to be considered in the design process. Use of logic trees can help the designer to take into account the drawbacks and advantages of his design by providing feedback on real activities brought into play by users. Methods for taking account, in the upstream processes of design, of possible future work situations, and thus of human activities and their impact on health and safety, are today at the centre of the concerns of the people listed in Fig. 4.

4. Conclusion

Ecological and user-focused design both take into account end-user characteristics in interaction with work environment characteristics and task cognitive requirements. Although these approaches have in the past focused mainly on interface and software design, many principles can be transposed to the design of industrial equipment and organisational systems. Consideration of perception–action coupling, machine accessibility with respect to operations, integration of potential scenarios, facilitation of tool-based apprenticeship and training by taking into account usage/operating logic are all aspects which can be integrated into such design. Automation should integrate the principle of mediating tool transparency, in other words “making the invisible visible”, and should not force cognitive control to shift to an operating level which is more complex than required. It should make the system error tolerant. These are all necessary aspects of a safe design, defined by Amalberti as ecological safety (Amalberti, 1996, 2003).
Fig. 5. The central role of human factors in the industrial risk control.
[Diagram not reproduced. Recoverable labels: “Design”; “Devices, barriers, etc.”; “Human factors: skills, BATU”; “Safety”; “Drifts, migration and reliability”.]
In conclusion, proactive safety in design must consider and take into account:
(1) Different design levels and phases (client, engineer, needs analysis, specifications, etc., right up to industrial equipment integration and installation).
(2) Different management levels in the production company (general management, decision centres, local supervision, operational level).
(3) Different risk levels (operator health or safety risk, cognitive reliability risk, sociotechnical system reliability and performance-related risk, environmental risk, etc.).

Today, the majority of research into design in relation to safety and human factors shows clearly the existence of a consensus between the people in industry (users and designers) and researchers on the fact that good industrial performance cannot be obtained without really taking human factors into account (Fig. 5).

References

Amalberti, R., 1996. La conduite des systèmes à risques (Operation of risky systems). PUF, 242pp.
Amalberti, R., 2001. The paradoxes of almost totally safe transportation systems. Safety Science 37, 109–112.
Amalberti, R., 2003. Automatisation, gestion de l’erreur humaine, et approche écologique (Automation, error management and the ecological approach). In: Boy, G. (Ed.), Ingénierie cognitive. IHM et cognition (Engineering, Man–Machine Interface and Cognition). Hermès Science Publications, Paris, pp. 81–98.
Apostolakis, G., 1986. Expert judgments on probabilistic safety assessment. Accelerated life testing and experts’ opinions. In: Reliability, Proceedings of the International School of Physics “Enrico Fermi”. North Holland, Amsterdam.
Bainbridge, L., 1982. The ironies of automation. In: Rasmussen, J., Duncan, K.D., Leplat, J. (Eds.), New Technology & Human Error. Wiley, London, pp. 271–283.
Beguin, P., Darses, F., 1998. Les concepteurs au travail et la conception des systèmes de travail: points de vue et débats (Work designers and the design of systems of work: points of view and debates). Toulouse, 9–11 February, 16pp.
Blaise, J.C., Lhoste, P., Ciccotelli, J., 2003. Formalisation of normative knowledge for safe design. In: Fadier, E. (Guest Ed.), Safety Science 41 (2), 241–262 (special issue “safety in design”).
Boy, G. (Ed.), 2003. Ingénierie cognitive. IHM et cognition. Hermès Science Publications, Paris.
Brossard, P., Chanchevrier, C., Leclair, P., 1997. Ingénierie concourante: de la technique au social. Editions Economica, collection Gestion, série: production et techniques quantitatives appliquées à la gestion, 166pp.
Bruneau, J.M., Pujos, J.F., 1992. Le management des connaissances de l’entreprise. Les Editions d’Organisation, Paris.
Bruseberg, A., McDonagh-Philp, D., 2002. Focus groups to support the industrial/product designer: a review based on current literature and designers’ feedback. Applied Ergonomics 33, 27–38.
Bucciarelli, L., 1988. An ethnographic perspective on engineering design. Design Studies 9 (3), 149–158.
Burkhardt, J.-M., 2003. Réalité virtuelle et ergonomie: quelques apports réciproques (Virtual reality and ergonomics: some reciprocal relations). Le Travail Humain 66 (1), 65–91.
Cabon, Ph., Mollard, R., 2003. Prise en compte des aspects physiologiques dans la conception et l’évaluation des IHM (Taking account of physiological aspects in the design and evaluation of man–machine interfaces). In: Boy, G. (Ed.), Ingénierie cognitive. IHM et cognition (Engineering, Man–Machine Interface and Cognition). Hermès Science Publications, Paris, pp. 99–138.
Cahour, B., 2001. Décalages socio-cognitifs en réunions de conception industrielle. Actes du 10ème Atelier du Travail Humain, Modéliser les activités coopératives de conception (Modelling cooperative design activities), CNAM Paris, INRIA Rocquencourt, France, pp. 55–72.
Ciccotelli, J., 2002. Réalité virtuelle, une aide à la décision pour la conception de systèmes sûrs (Virtual reality: a decision aid for designing safe systems). In: Proceedings of the European Conference on System Dependability and Safety “Decision Making and Risk Management”, Palais des Congrès, Lyon, 19–21 March.
Council Directive 98/37/EEC. The approximation of the laws of the Member States relating to machinery. O.J.E.C. no. L 207 of 23 July 1998, ECS, Brussels, pp. 1–46.
Demor, S., 1996. Les risques et leur gestion au cours de la récupération de dysfonctionnements dans un système automatisé de production séquentielle (Risks and their management during the recovery from dysfunctions in sequential automated production systems). Mémoire de DEA, CNAM Paris, October.
De la Garza, C., 2004. D’une approche réactive à une approche proactive en ergonomie: apports à une conception sûre d’équipements industriels et de systèmes de travail (From a reactive to a proactive approach in ergonomics: contributions to a safe design of industrial equipment and work systems). Habilitation à Diriger des Recherches, Université René Descartes-Paris 5, Paris.
De la Garza, C., Fadier, E., 2005. Towards proactive safety in design: a comparison of safety integration approaches in two design processes. International Journal of Cognition Technology and Work, IJ-CTW 7 (1), 51–62.
De la Garza, C., Maggi, B., Weill-Fassina, A., 1999. Tempo autonomia e discrezionalità nella manutenzione di infrastrutture ferroviarie (Time, autonomy and discretion in railway maintenance). Ergonomia 12, 36–43.
Denecker, P., 1999. Les composantes symboliques et subsymboliques de l’anticipation dans la gestion des situations dynamiques. Le Travail Humain 62 (4), 363–385.
de Terssac, G., 1992. Autonomie dans le travail (Autonomy at work). Sociologie d’Aujourd’hui, PUF, Paris.
Didelot, A., 2001. Contribution à l’identification et au contrôle des risques dans le processus de conception (Contribution to the identification and control of risks in the design process). Thèse de doctorat, October.
Didelot, A., Fadier, E., 2002. Activité humaine et conception: utilisation des analyses par arbres logiques comme outils d’aide à la décision (Human activity and design: using logic tree analyses as tools for supporting decisions). In: Proceedings of ESREL’2002, Lyon, France, March, pp. 65–70.
Fadier, E., Ciccotelli, J., 1999. How to integrate safety in design: methods and models. Journal of Human Factors and Ergonomics in Manufacturing 9 (4), 367–380.
Fadier, E., Poyet, C., Neboit, M., 1991. Advantage of an integrated approach of reliability and ergonomical analysis (application to a hybrid system of sequential production). In: Queinnec, Y., Daniellou, F. (Eds.), Designing for Everyone. Taylor & Francis, London, pp. 477–479.
Fadier, E., De la Garza, C., Didelot, A., 2003a. Safe design and human activity: construction of a theoretical framework from an analysis of a printing sector. Safety Science 41 (9), 759–789.
Fadier, E., Neboit, M., Ciccotelli, J., 2003b. Intégration des conditions d’usage dans la conception des systèmes de travail pour la prévention des risques professionnels (Integrating conditions of use in the design of systems of work in order to prevent occupational risks). Bilan de la thématique 1998–2002. Note Scientifique et Technique, NS 237, INRS, 39pp.
Fadier, E., Wioland, L., Marc, J., 2004. Etude d’Instruction de la Thématique: Prévention et conception: apports de l’ergonomie et de la connaissance des facteurs humains à la maîtrise des risques santé/sécurité dans le processus de conception des équipements et des situations de travail (Study for instruction in the theme ‘prevention and design’: contributions from ergonomics and knowledge of human factors to the control of health and safety risks in the design process of equipment and work situations). Fiche d’étude thématique no. A8 4 015, 7pp.
Garrigou, A., Thibault, J.-F., Marçal, J., Fausto, M., 2001. Contribution et démarche de l’ergonomie dans les processus de conception. Pistes 3 (2).
Haines, H., Wilson, J.R., 1998. Development of a framework for participatory ergonomics. Contract Research Report 174, HSE Books, Sudbury.
Heinbokel, T., Sonnentag, S., Frese, M., Stolte, W., Brodbeck, C., 1996. Don’t underestimate the problems of user centredness in software development projects: there are many! Behaviour & Information Technology 15 (4), 226–236.
Hollnagel, E., 2003. From cognitive task analysis to cognitive task design. In: Proceedings of IEA, August, Seoul, Korea.
Jamal, M.H.El., Sahraoui, A.E.K., 2005. Customising systems engineering concepts: case study on concurrent engineering context. Rapport LAAS No. 04536. In: Proceedings of the 12th Annual European Concurrent Engineering Conference (ECEC’2005), Toulouse, France, 11–13 April, pp. 57–62.
Jenssen, P., 1997. Can participatory ergonomics become “the way we do things in this firm”? Ergonomics 40 (10), 1078–1087.
Karwowski, W., Rahimi, M. (Eds.), 1990. Ergonomics of hybrid automated systems. In: Second International Meeting on Human Aspects of Advanced Manufacturing and Hybrid Automation. Elsevier, Honolulu, Hawaii, USA, 1048pp.
Lacore, J.P., 1993. Normes et normalisation européennes en matière de santé et de sécurité dans le cadre de la nouvelle approche (European standards and standardisation in health and safety in the framework of the new approach). Cahiers de notes documentaires, ND 1913, no. 150, ISBN 2-7389-0266-9, INRS, Paris, pp. 79–86.
Leplat, J., 1997. Regards sur l’activité en situation de travail. Contribution à la psychologie ergonomique (Consideration of activity in work situations. Contributions to ergonomic psychology). PUF, Paris, 263pp.
Lewis, C., Norman, D.A., 1986. Designing for error. In: Norman, D.A., Draper, S.W. (Eds.), User Centered Design. IEA, Lawrence Erlbaum Associates, London, pp. 411–432.
Lewkowicz, M., Zacklad, M., 2000. Une approche de la capitalisation des connaissances: l’analyse des processus de prise de décision collective. In: Charlet, J., Zacklad, M., Kassel, G., Bourigault, D. (Eds.), Ingénierie des connaissances. Evolutions récentes et nouveaux défis. Eyrolles, Paris, pp. 451–464.
Ligeron, J.C., Salaün, Y., Ringler, J., 1991. L’analyse fonctionnelle en matière de sûreté de fonctionnement. Projet ISdF no. 1.
Morris, W., Wilson, J.R., Koukoulaki, T., 2004. Pour une conception participative de conception des équipements de travail. Intégrer l’expérience des travailleurs (For participative design in the design of work equipment: integrate workers’ experience). Rapport BTS/SALTSA, 196pp.
Neboit, M., 2003. A support to prevention integration since design phase: the concept of limit conditions tolerated by use. In: Fadier, E. (Guest Ed.), Safety Science 41 (2), 95–110 (special issue “safety in design”).
Neboit, M., Fadier, E., 1998. Sécurité du travail sur robot: gérer les paradoxes de l’automatisation. In: Laroque, A. (Ed.), Gestion des paradoxes dans les organisations, tome 8: travail, approches multiples. Presses Inter Universitaires, Québec, pp. 185–195.
Neboit, M., Fadier, E., Poyet, C., 1993. Analyse systémique et analyse ergonomique: application conjointe à la reconception d’une cellule robotisée d’usinage (System analysis and ergonomic analysis: joint usage in the redesign of a factory robot cell). NST 100, INRS, July, 175pp.
Nielsen, J., 1997. The use and misuse of focus groups. Available online.
Nielsen, J., Mack, R.L. (Eds.), 1994. Usability Inspection Methods. John Wiley & Sons, New York, NY, pp. 105–140.
Rabardel, P., 1995. Les hommes et les technologies: approche cognitive des instruments contemporains (Men and technologies: a cognitive approach to modern instruments). Editions Armand Colin, 239pp.
Rasmussen, J., 1990. Learning from experience? How? Some research issues in industrial risk management (Chapter 15, pp. 359–383). In: Leplat, J., de Terssac, G. (Eds.), Les facteurs humains de la fiabilité dans les systèmes complexes (The Human Factors of Reliability in Complex Systems). Octarès éditions, 385pp, ISBN 2-906769-03-7.
Rasmussen, J., 1997. Risk management in a dynamic society: a modelling problem. Safety Science 27 (2–3), 183–213.
Reuzeau, F., 2001. Finding the best users to involve in design: a rational approach. Le Travail Humain 64, 223–245.
Sagot, J.-C., Gouin, V., Gomez, S., 2003. Ergonomics in product design: safety factor. In: Fadier, E. (Guest Ed.), Safety Science 41, 137–154 (special issue “safety in design”).
Scapin, D., Bastien, J.M.C., 2002. Les méthodes ergonomiques: de l’analyse à la conception et à l’évaluation (Ergonomic methods: from analysis to design and evaluation). In: Actes ErgoIA, L’homme et les nouvelles technologies. De l’information et de la communication. Usages et usagers (Man and new technologies: information and communication; use and users), Biarritz, France, pp. 127–143.
Sen, T.K., 1988. Participative group techniques. In: Salvendy, G. (Ed.), Handbook of Human Factors. Wiley, Chichester.
Statistiques financières et technologiques des accidents du travail (Financial and technological statistics of work accidents), 2000. Edité par la CNAM, ISBN 0761-327X, année 2000.
Vicente, K.J., Rasmussen, J., 1992. Ecological interface design: theoretical foundations. IEEE Transactions on Systems, Man, and Cybernetics 22, 589–606.
Wilson, J., 2003. Participatory design of work equipment and standardisation process in Europe. Consolidated Report. In: Proceedings of the Safety of Work Equipment: User-oriented Strategies for Improving Technical Standards. TUTB-SALTSA Conference, Brussels, 68pp.