Safety in the design process: opening Pandora’s box

The topic of NeTWork’s 2003 workshop was Safety in the design process: opening Pandora’s box.


We have been preaching the necessity of including safety at the design stage of projects, processes and products for more than two generations. The first techniques for conducting design reviews, such as HAZOP, were developed in the 1960s. From around the same time date the first attempts to include ergonomics and elements of safety into the education of the engineers who would become designers of the future.

It is therefore surprising how slow these approaches have been to produce an effect and how difficult has been the process of expanding them to other industries and products. It is timely to look again at the successes and failures and to take stock of where the problem really lies and how we might be more successful in the future. The 2003 NeTWork workshop will undertake this task.

In order to focus the workshop more sharply and to make its task manageable, there follow a number of considerations.

Much research has been concentrated on what we would like designers to take account of in the design process. The whole of ergonomics treats this, as do substantial aspects of risk analysis and safety science. What has been severely under-researched and under-specified is the way in which this can be achieved. The design process itself is in many cases and ways treated as a black box. The naïve assumption is made that the designer simply has to be given the right information and all will be well. Little attention has been paid to the fact that design is often not an ordered, progressive or even explicit process. The design process is divided up into many steps, often performed by very different individuals or teams, with poor communication. It makes great use of previous building blocks put together in new combinations. It creates, or tolerates, large distances between the designers and the users (constructors and maintainers). It is poor at providing feedback from practice and at making what feedback there is live in the minds of the designers. It relies strongly on the use of standards as a way of convincing itself that construction and user risks are solved. This reliance on rules smothers, rather than stimulates, creative thinking about risks and their control. Designers also tend to design for idealized user circumstances, which are not realized in practice. They do not take account of the fact that much complex hardware and software does not perform to specifications for more than 70% of the time. Their designs are modified in the process of construction, layout, fitting to the available site and budget; they turn out to have peculiarities or shortcomings which mean that they do not function as expected or planned and require ingenious adaptation by constructors or users to keep them operating. All of this is not, and arguably cannot be, sufficiently foreseen by the designer. Yet the safeguards built into the design will often be designed based on the assumption that the technology will be used as imagined and ideally intended.

We want to concentrate in this workshop on the question of how we can better understand the thinking processes and the mental models of designers and the processes of design, so that we can support the designer in incorporating considerations of risk (safety, health, environment) from the earliest stages of design. How can the design process be made more transparent and coherent? How can we understand when to provide what information about risk so that it can be effectively incorporated in the design process before it is too late? How can the assumptions on which risk controls are designed be made explicit and transparent and carried with the design in its later life cycle, so that they can be adapted to any changes made at construction, layout, use and modification — a living design and risk control?

Designers have a tendency to design either from an aesthetic or a hardware-technical viewpoint. Human-centred design is a relatively new approach in a vast range of technologies and activities. The model of the human used in thought experiments by the designers to ‘test’ the developing design is too often based on their own personal risk perceptions. This, coupled with reliance on coded standards, leads designers to dismiss user behaviour leading to accidents or damage as incompetent, stupid, or rash and hence not their problem. There are many techniques used already in this process, from user trials to mock-ups and simulations. But techniques are needed to help designers to transplant themselves better into the position or skin of the user. Various design tools are now making this possible through the use of virtual or augmented reality, 3-D walk-throughs, etc., but there is still remarkably little systematic knowledge which tells designers what sort of clues alert users to danger when using hardware, trigger them to take care, or lead them into unexpected danger.

We want to use the workshop to discuss ways in which a human-centred approach to design can be effectively implemented. What tools really help designers to understand and empathise with the constructors, users and maintainers of their designs? What information is needed to feed them? How can the process from design, through installation, to use be informed by these techniques? How can designers take sufficient account of the vast range of potential situations in which designs will be used, so that the process stays manageable and does not overwhelm them to the point that they throw up their hands in despair? What is an adequate set of scenarios to test a design against, one which balances creativity with credibility?

Traditional design tools in risk control have consisted of design reviews. HAZOP has been applied with great success and enthusiasm in the process industries. It offers an attractive combination of creativity, a systematic approach and room for experience from several relevant parties. Other industries and technologies seem not to have comparable tools offering a combination of formalism and flexibility. Is this true? Are there other tools being used? How successful are these tools? Do we know? Can their use be extended to other industries, technologies and activities?

The workshop focused on the tools which can be used to involve designers with other relevant parties (users, maintainers, regulators) in steering design, preferably from its earliest stages. Participants tried to answer the questions above about effectiveness.

The workshop structure will be in three parts, as shown below. These parts centre on trying first to understand the design process, the ‘black box’ of the designer. This must cover not just the design processes, which are an analyst’s modelling of design, but also the culture and values of designers themselves. The next part of the workshop will consider how we try to influence designers, including some success stories, but also exploring the difficulties of achieving successful integration of safety and human factors into design. The final part considers some practical, social and legal issues about where design finishes and other activities and responsibilities begin – this is crucial to understanding how design can receive feedback and feed-forward in its activities.

Part A: Inside the black box — understanding design

  1. Modelling the design process — understanding its complexity, mechanisms, currency, and constraints

  2. On being a designer — the creative process and designer’s values

  3. Dealing with safety and human factors — views from the designer’s side

  4. User testing — how far can we go, how far should we go?

Part B: Outside the black box — safety trying to get in

  1. Success stories in safety & Human Factors integration in the design process

  2. Can mature systems adapt their existing safety-in-design processes to new design challenges?

  3. Human Centred Automation — what do we want to say to designers?

  4. Learning from simulations.

  5. Safety learning and imagination in design, versus safety bureaucracy — thinking outside of the box

  6. Safety in the requirements engineering process – getting safety into the small print

  7. Safety at the concept design stage

  8. Integrated safe design versus compartmentalised safety

  9. Who comes knocking next? The organizational sociologist

Part C: The edges of the box — establishing the boundaries of design

  1. The designer’s horizon — ‘that’s not what it was intended for…’

  2. Designers and liability

  3. Dialogues with the customer — the designer interface with Operations personnel

  4. Dialogues with the customer — the designer’s relationship with the consumer

The workshop aimed to gather people from the following areas: medical; civil engineering; chemical; nuclear; aviation; defence; product design; design departments.

The major outputs should be an enhanced understanding of design and how safety and Human Factors can be integrated more effectively into the entire design process. This understanding and insight will be enhanced by having a range of industries represented, including process and product design contexts, and having both analysts and designers present at the workshop.

Workshop organizers

  • Andrew Hale, TU Delft

  • Barry Kirwan, Eurocontrol


The papers presented during the workshop and the following discussions led to the publication of a special issue of the journal Safety Science.

  • Hale, A.R., Kirwan, B & Kjellén U. (Eds) (2007). Safety by design. Safety Science, 45(1-2).

Image credit: Banksy