Hockey Teams and Risk Reduction or What Makes Roberto Luongo = PPE

This entry is part 1 of 3 in the series Hierarchy of Controls

Special Co-Author, Tom Doyle

Last week we saw the Boston Bruins earn the Stanley Cup. I was rooting for the green, blue and white, and the ruin of my voice on Thursday was ample evidence that no amount of cheering helped. While I was watching the game with friends and colleagues, I realized that Roberto Luongo and Tim Thomas were their respective team’s PPE*. Sound odd? Let me explain.

Risk Assessment and the Hierarchy of Controls

Equipment designers need to understand  OHS* risk. The only proven method for understanding risk is risk assessment. Once that is done, the next play in the game is the reduction of risks by eliminating hazards wherever possible and controlling those that remain.

Control comes in a couple of flavours:

  • Hazard modification to reduce the severity of injury, or
  • probability modification to reduce the probability of a worker coming together with the hazard.

These ideas have been formalized in the Hierarchy of Controls. Briefly, the Hierarchy starts with hazard elimination or substitution, and flows down through engineering controls, information for use, administrative controls and finally PPE. As you move down through the Hierarchy, the effectiveness and the reliability of the measures declines.

It’s important to recognize that we haven’t done a risk assessment in writing this post. This step was skipped for the purpose of this example—to apply the hierarchy correctly, you MUST start with a risk assessment!

So how does this relate to Hockey?

Hockey and the Hierarchy of Controls

Hazard Identification and Exposure to Risk

If we consider the goal as the worker – the thing we don’t want “injured”, the puck is the hazard, and the act of scoring a goal as the act of injuring a person, then the rest quickly becomes clear.

Level 1: Hazard Elimination

By definition, if we eliminate the puck, we no longer have a game. We just have a bunch of big guys skating around in cool jerseys with sticks, maybe having a fight or two, because they’re bored or just don’t know what else to do. Since we want to have a game, either to play or to watch, we have to allow the risk of injury to exist. We could call this the “intrinsic risk”, as it is the risk that exists before we add any controls.

Level 2: Hazard Substitution

The Center and the Wingers (collectively the “Forwards” or the “Offensive Line”), act as hazard “substitution”. We’ve already established that elimination of the hazard results in the loss of the intended function—no puck, no game. The forwards only let the other team have the puck on rare occasion, if they’re playing well. This is a great idea, but still a little too optimistic after all. Both teams are trying to get the puck in the opposing net and both teams have qualified to play the final game. If they fail to keep the puck beyond the other team’s blue line, or at least beyond the center line, then the next layer of protection kicks in, with the Defensive Line.

Level 3: Engineering Controls

As the puck moves down the ice, the Defensive Line engages the approaching puck, attempting to block access to the area closer to the goal. They act as a movable barrier between the net and the puck.  They will do whatever is necessary to keep the hazard from coming in contact with the net. As engineering controls, their coordination and positioning are critical in ensuring success.

The system will fail if the controls have poor:

  • positioning,
  • choice of materials (players),
  • timing, etc.

These risk controls fail regularly, so are less desirable than having the Forward Line handle Risk Control.

Level 4: Information for Use and Awareness Means

In a hockey game, the information for use is the rule book. This information tells players, coaches, and officials how the game is to be played, and what the intended use of the game should be. Activities like spearing, tripping, and blind-side checks are not permitted.

The awareness means are provided by the roar of the fans. As the puck heads for the home-team’s goal, the home fans will roar, letting the team know, if they don’t know already, that the goal is at risk from the puck. Hopefully the defensive line can react in time and get between the puck and the net.

Level 5: Administrative Controls

Information for use from the previous step is the basis for all the following controls. The team’s coaches, or “supervisors”, use this information to give training in the form of hockey practice. The Forward Line and Defensive Line could be considered the Suppliers and Users. They all need to know what to do to avoid hazardous situations, and what to do when one arises, to reduce the number of potential failures.

A “Permit to Work” is given to the players by the coach when they form the lines. The coach ensures that the right people are on the ice for each set of circumstances, deciding when line changes happen as the game progresses, adapting the people permitted to work to the specific conditions on the ice.

Level 6: Personal Protective Equipment (PPE)

All of this brings me to Roberto Luongo and Tim Thomas. So how is a Goalie like PPE?

Goalies are the “last-ditch” protection. It’s clear that the first 5 levels of the hierarchy don’t always work, since every type of control, even hazard elimination, has failure modes. To give a bit of backup, we should make sure that we add extra protection in the form of PPE.

The puck wasn’t eliminated, since having a hockey game is the point, after all. The puck wasn’t kept distant by the Forward Line. The Defensive Line failed to maintain safe distance between the goal and the puck, and now all that is left is the goalie (or your protective eyewear, boots, hardhat, or whatever). In the 2011 Stanley Cup Final game, Luongo equaled long pants and long sleeves, while Thomas equaled a suit of armour. The Bruin’s “PPE” afforded superior protection in this case.

As anyone who has used protective eyewear knows, particles can get by your eyewear. There are lots of factors, including how well they fit, if you’re wearing them (properly or at all!), etc. If the gear is fitted and used properly by a person who understands WHY and HOW to use the equipment, then the PPE is more like Tim Thomas, and you may be able to “shut out” injury. Most of the time. Remember that even Tim Thomas misses stopping some shots on goal and the other guys can still score.

When your PPE doesn’t fit properly, isn’t selected properly, is worn out (or psyched out as the case may be), or isn’t used properly, then it’s more like Roberto Luongo. Sometimes it works perfectly, and life is good. Sometimes it fails completely and you end up injured or worse.

Goalies are also like PPE because they are RIGHT THERE. Right before injury will occur. PPE is RIGHT THERE, protecting you—5 mm from the surface of your eye, or in your ear, 2 mm from your ear drum. By this point the harmful energy is RIGHT THERE, ready to hurt you, and injury is imminent. A simple misplacement or bad fit condition and you’re blinded or deaf or… well you get the idea!

On Wednesday night, 15-Jun-2011, everything failed for the Vancouver Canucks. The team’s spirit was down, and they went into the game thinking “We just don’t want to lose!” instead of Boston’s “We’re taking that Cup home!”. Even the touted Home Ice Advantage wasn’t enough to psych out the Bruins, and in the end I think it turned on the Canucks as the fans realized that the game was lost. The warnings failed, the guards failed, and the PPE failed. Somebody got hurt, and unfortunately for Canadian fans, it was the Canucks. Luckily it wasn’t a fatality! Even being #2 in the NHL is a long stretch better than filling a cooler drawer in the morgue.

So the next time you’re setting up a job, an assembly line, a new machine, or a new workplace, check out your team and make sure that you’ve got the right players on the ice. You only get one chance to get it right. Sure, you can change the lines and upgrade when you need to, but once someone scores a goal, you have an injured person and bigger problems to deal with.

Special thanks to Tom Doyle for his contributions to this post!

*Personal Protective EquipmentOccupational Health and Safety

Understanding the Hierarchy of Controls

This entry is part 2 of 3 in the series Hierarchy of Controls

Risk assessment is the first step in reducing the risk that your customers and users are exposed to when they use your products. The second step is Risk Reduction, sometimes called Risk Control or Risk Mitigation. This article looks at the ways that risk can be controlled using the Hierarchy of Controls. Figure 2 from ISO 12100-1 (shown below) illustrates this point.

The system is called a hierarchy because you must apply each level in the order that they fall in the list. In terms of effectiveness at reducing risk, the first level in the hierarchy, elimination, is the most effective, down to the last, PPE*, which has the least effectiveness.

It’s important to understand that questions must be asked after each step in the hierarchy is implemented, and that is “Is the risk reduced as much as possible? Is the residual risk a) in compliance with legal requirements, and b) acceptable to the user or worker?”. When you can answer ‘YES’ to all of these questions, the last step is to ensure that you have warned the user of the residual risks, have identified the required training needed and finally have made recommendations for any needed PPE.

*PPE – Personal Protective Equipment. e.g. Protective eye wear, safety boots, bump caps, hard hats, clothing, gloves, respirators, etc. CSA Z1002 includes ‘…anything designed to be worn, held, or carried by an individual for protection against one or more hazards.’  in this definition.

Risk Reduction from the Designer's Viewpoint
ISO 12100:2010 – Figure 2


Introducing the Hierarchy of Controls

The Hierarchy of Controls was developed in a number of different standards over the last 20 years or so. The idea was to provide a common structure that would provide guidance to designers when controlling risk.

Typically, the first three levels of the hierarchy may be considered to be ‘engineering controls’ because they are part of the design process for a product. This does not mean that they must be done by engineers!

We’ll look at each level in the hierarchy in detail. First, let’s take a look at what is included in the Hierarchy.

The Hierarchy of Controls includes:

1)    Hazard Elimination or Substitution (Design)
2)    Engineering Controls (see [1, 2, 8, 9, 10, and 11])

a)    Barriers

b)    Guards (Fixed, Movable w/interlocks)

c)    Safeguarding Devices

d)    Complementary Protective Measures

3)    Information for Use (see [1, 2, 4, 7, 8, 12, and 13])

a)    Hazard Warnings

b)    Manuals

c)    HMI* & Awareness Devices (lights, horns)

4)    Administrative Controls (see [1, 2, 4, 5, 7, and 8])

a)    Training

b)    SOP’s,

c)    Hazardous Energy Control Procedures (see [5, 14])

d)    Authorization

5)    Personal Protective Equipment

a)    Specification

b)    Fitting

c)    Training in use

d)    Maintenance

*HMI – Human-Machine Interface. Also called the ‘console’ or ‘operator station’. The location on the machine where the operator controls are located. Often includes a programmable screen or operator display, but can be a simple array of buttons, switches and indicator lights.

The manufacturer, developer or integrator of the system should provide the first three levels of the hierarchy. Where they have not been provided, the workplace or user should provide them.

The last two levels must be provided by the workplace or user.


Each layer in the hierarchy has a level of effectiveness that is related to the failure modes associated with the control measures and the relative effectiveness in reducing risk in that layer. As you go down the hierarchy, the reliability and effectiveness decrease as shown below.

Effectiveness of the Hierarchy of ControlsThere is no way to measure or specifically quantify the reliability or effectiveness of each layer of the hierarchy – that must wait until you make some selections from each level, and even then it can be very hard to do. The important thing to understand is that Elimination is more effective than Guarding (engineering controls), which is more effective than Awareness Means, etc.

1. Hazard Elimination or Substitution

Hazard Elimination

Hazard elimination is the most effective means of reducing risk from a particular hazard, for the simple reason that once the hazard has been eliminated there is no remaining risk. Remember that risk is a function of severity and probability. Since both severity and probability are affected by the existence of the hazard, eliminating the hazard reduces the risk from that particular hazard to zero. Some practitioners consider this to mean the elimination is 100% effective, however it’s my opinion that this is not the case because even elimination has failure modes that can re-introduce the hazard.

Failure Modes:

Hazard elimination can fail if the hazard is reintroduced into the design. With machinery this isn’t that likely to occur, but in processes, services and workplaces it can occur.


Substitution requires the designer to substitute a less hazardous material or process for the original material or process. For example, beryllium is a highly toxic metal that is used in some high tech applications. Inhalation or skin contact with beryllium dust can do serious harm to a person very quickly, causing acute beryllium disease. Long term exposure can cause chronic beryllium disease. Substituting a less toxic material with similar properties in place of the beryllium in the process  could reduce or eliminate the possibility of beryllium disease, depending on the exact content of the substitute material. If the substitute material includes any amount of beryllium, then the risk is only reduced. If it contains no beryllium, the risk is eliminated. Note that the risk can also be reduced by ensuring that the beryllium dust is not created by the process, since beryllium is not toxic unless ingested.

Alternatively, using processes to handle the beryllium without creating dust or particles could reduce the exposure to the material in forms that are likely to cause beryllium disease. An example of this could be substitution of water-jet cutting instead of mechanical sawing of the material.

Failure Modes:

Reintroduction of the substituted material into a process is the primary failure mode, however there may be others that are specific to the hazard and the circumstances. In the above example, pre- and post-cutting handling of the material could still create dust or small particles, resulting in exposure to beryllium. A substituted material might introduce other, new hazards, or might create failure modes in the final product that would result in risks to the end user. Careful consideration is required!

If neither elimination or substitution is possible, we move to the next level in the hierarchy.

2. Engineering Controls

Engineering controls typically include various types of mechanical guards [16, 17, & 18], interlocking systems [9, 10, 11, & 15], and safeguarding devices like light curtains or fences, area scanners, safety mats and two-hand controls [19]. These systems are proactive in nature, acting automatically to prevent access to a hazard and therefore preventing injury. These systems are designed to act before a person can reach the danger zone and be exposed to the hazard.

Control reliability

Barrier guards and fixed guards are not evaluated for reliability because they do not rely on a control system for their effectiveness. As long as they are placed correctly in the first place, and are otherwise properly designed to contain the hazards they are protecting, then nothing more is required. On the other hand, safeguarding devices, like interlocked guards, light fences, light curtains, area scanners, safety mats, two-hand controls and safety edges, all rely on a control system for their effectiveness. Correct application of these devices requires correct placement based on the stopping performance of the hazard and correct integration of the safety device into the safety related parts of the control system [19]. The degree of reliability is based on the amount of risk reduction that is being required of the safeguarding device and the degree of risk present in the unguarded state [9, 10].

There are many detailed technical requirements for engineering controls that I can’t get into in this article, but you can learn more by checking out the references at the end of this article and other articles on this blog.

Failure Modes

Failure modes for engineering controls are as many and as varied as the devices used and the methods of integration chosen. This discussion will have to wait for another article!

Awareness Devices

Of special note are ‘awareness devices’. This group includes warning lights, horns, buzzers, bells, etc. These devices have some aspects that are similar to engineering controls, in that they are usually part of the machine control system, but they are also sometimes classed as ‘information for use’, particularly when you consider indicator or warning lights and HMI screens. In addition to these ‘active’ types of devices, awareness devices may also include lines painted or taped on the floor or on the edge of a step or elevation change, warning chains, signage, etc. Signage may also be included in the class of ‘information for use’, along with HMI screens.

Failure Modes

Failure modes for Awareness Devices include:

  • Ignoring the warnings (Complacency or Failure to comprehend the meaning of the warning);
  • Failure to maintain the device (warning lights burned out or removed);
  • Defeat of the device (silencing an audible warning device);
  • Inappropriate selection of the device (invisible or inaudible in the predominating conditions).

Complementary Protective Measures

Complementary Protective measures are a class of controls that are separate from the various types of safeguarding because they generally cannot prevent injury, but may reduce the severity of injury or the probability of the injury occurring. Complementary protective measures are reactive in nature, meaning that they are not automatic. They must be manually activated by a user before anything will occur, e.g. pressing an emergency stop button. They can only complement the protection provided by the automatic systems.

A good example of this is the Emergency Stop system that is designed into many machines. On its own, the emergency stop system will do nothing to prevent an injury. The system must be activated manually by pressing a button or pulling a cable. This relies on someone detecting a problem and realizing that the machine needs to be stopped to avoid or reduce the severity of an injury that is about to occur or is occurring. Emergency stop can only ever be a back-up measure to the automatic interlocks and safeguarding devices used on the machine. In many cases, the next step in emergency response after pressing the emergency stop is to call 911.

Failure Modes:

The failure modes for these kinds of controls are too numerous to list here, however they range from simple failure to replace a fixed guard or barrier fence, to failure of electrical, pneumatic or hydraulic controls. These failure modes are enough of a concern that a new field of safety engineering called ‘Functional Safety Engineering’ has grown up around the need to be able to analyze the probability of failure of these systems and to use additional design elements to reduce the probability of failure to a level we can tolerate. For more on this, see [9, 10, 11].

Once you have exhausted all the possibilities in Engineering Controls, you can move to the next level down in the hierarchy.

3. Information for Use

This is a very broad topic, including manuals, instruction sheets, information labels on the product, hazard warning signs and labels, HMI screens, indicator and warning lights, training materials, video, photographs, drawings, bills of materials, etc. There are some excellent standards now available that can guide you in developing these materials [1, 12 and 13].

Failure Modes:

The major failure modes in this level include:

  • Poorly written or incomplete materials;
  • Provision of the materials in a language that is not understood by the user;
  • Failure by the user to read and understand the materials;
  • Inability to access the materials when needed;
  • Etcetera.

When all possibilities for informing the user have been covered, you can move to the next level down in the hierarchy. Note that this is the usual separation point between the manufacturer and the user of a product. This is nicely illustrated in Fig 2 from ISO 12100 above. It is important to understand at this point that the residual risk posed by the product to the user may not yet be tolerable. The user is responsible for implementing the next two levels in the hierarchy in most cases. The manufacturer can make recommendations that the user may want to follow, but typically that is the extent of influence that the manufacturer will have on the user.

4. Administrative Controls

This level in the hierarchy includes:

  • Training;
  • Standard Operating Procedures (SOP’s);
  • Safe working procedures e.g. Hazardous Energy Control, Lockout, Tagout (where permitted by law), etc.;
  • Authorization; and
  • Supervision.

Training is the method used to get the information provided by the manufacturer to the worker or end user. This can be provided by the manufacturer, by a third party, or self-taught by the user or worker.
SOP’s can include any kind of procedure instituted by the workplace to reduce risk. For example, requiring workers who drive vehicles to do a walk-around inspection of the vehicle before use, and logging of any problems found during the inspection is an example of an SOP to reduce risk while driving.
Safe working procedures can be strongly influenced by the manufacturer through the information for use provided. Maintenance procedures for hazardous tasks provided in the maintenance manual are an example of this.
Authorization is the procedure that an employer uses to authorize a worker to carry out a particular task. For example, an employer might put a policy in place that only permits licensed electricians to access electrical enclosures and carry out work with the enclosure live. The employer might require that workers who may need to use ladders in their work take a ladder safety and a fall protection training course. Once the prerequisites for authorization are completed, the worker is ‘authorized’ by the employer to carry out the task.
Supervision is one of the most critical of the Administrative Controls. Sound supervision can make all of the above work. Failure to properly supervise work can cause all of these measures to fail.

Failure Modes

Administrative controls have many failure modes. Here are some of the most common:

  • Failure to train;
  • Failure to inform workers regarding the hazards present and the related risks;
  • Failure to create and implement SOP’s;
  • Failure to provide and maintain special equipment needed to implement SOP’s;
  • No formal means of authorization – i.e. How do you KNOW that Joe has his lift truck license?;
  • Failure to supervise adequately.

I’m sure you can think of MANY other ways that Administrative Controls can go wrong!

5. Personal Protective Equipment (PPE)

PPE includes everything from safety glasses, to hardhats and bump caps, to fire-retardant clothing, hearing defenders, and work boots. Some standards even include warning devices that are worn by the user, such as gas detectors and person-down detectors, in this group.
PPE is probably the single most over-used and least understood risk control measure. It falls at the bottom of the hierarchy for a number of reasons:

  1. It is a measure of last resort;
  2. It permits the hazard to come as close to the person as their clothing;
  3. It is often incorrectly specified;
  4. It is often poorly fitted;
  5. It is often poorly maintained; and
  6. It is often improperly used.

The problems with PPE are hard to deal with. You cannot glue or screw a set of safety glasses to a person’s face, so ensuring the the protective equipment is used is a big problem that goes back to supervision.

Many small and medium sized enterprises do not have the expertise in the organization to properly specify, fit and maintain the equipment.

User comfort is extremely important. Uncomfortable equipment won’t be used for long.

Finally, by the time that properly specified, fitted and used equipment can do it’s job, the hazard is as close to the person as it can get. The probability of failure at this point is very high, which is what makes PPE a measure of last resort, complementary to the more effective measures that can be provided in the first three levels of the hierarchy.

If workers are not properly trained and adequately informed about the hazards they face and the reasons behind the use of PPE, they are deprived of the opportunity to make safe choices, even if that choice is to refuse the work.

Failure Modes

Failure modes for PPE include:

  • Incorrect specification (not suitable for the hazard);
  • Incorrect fit (allows hazard to bypass PPE);
  • Poor maintenance (prevents or restricts vision or movement, increasing the risk; causes PPE failure under stress or allows hazard to bypass PPE);
  • Incorrect usage (failure to train and inform users, incorrect selection or specification of PPE).

Time to Apply the Hierarchy

So now you know something about the ‘hierarchy of controls’. Each layer has its own intricacies and nuances that can only be learned by training and experience. With a documented risk assessment in hand, you can begin to apply the hierarchy to control the risks. Don’t forget to iterate the assessment post-control to document the degree of risk reduction achieved. You may create new hazards when control measures are applied, and you may need to add additional control measures to achieve effective risk reduction.

The documents referenced below should give you a good start in understanding some of these challenges.


5% Discount on All Standards with code: CC2011

NOTE: [1], [2], and[3]  were combined by ISO and republished as ISO 12100:2010. This standard has no technical changes from the preceding standards, but combines them in a single document. ISO/TR 14121-2 remains current and should be used with the current edition of ISO 12100.

[1]             Safety of machinery – Basic concepts, general principles for design – Part 1: Basic terminology and methodology, ISO Standard 12100-1, 2003.
[2]            Safety of machinery – Basic concepts, general principles for design – Basic terminology and methodology, Part 2: Technical principles, ISO Standard 12100-2, 2003.
[3]            Safety of Machinery – Risk Assessment – Part 1: Principles, ISO Standard 14121-1, 2007.
[4]            Safety of machinery — Prevention of unexpected start-up, ISO 14118, 2000
[5]            Control of hazardous energy – Lockout and other methods, CSA Z460, 2005
[6]            Fluid power systems and components – Graphic symbols and circuit diagrams – Part 1: Graphic symbols for conventional use and data-processing applications, ISO Standard 1219-1, 2006
[7]            Pneumatic fluid power — General rules and safety requirements for systems and their components, ISO Standard 4414, 1998
[8]            American National Standard for Industrial Robots and Robot Systems — Safety Requirements, ANSI/RIA R15.06, 1999.
[9]            Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design, ISO Standard 13849-1, 2006
[10]          Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems, IEC Standard 62061, 2005
[11]           Functional safety of electrical/electronic/programmable electronic safety-related systems, IEC Standard 61508-X, seven parts.
[12]          Preparation of Instructions — Structuring, Content and Presentation, IEC Standard 62079, 2001
[13]          American National Standard For Product Safety Information in Product Manuals, Instructions, and Other Collateral Materials, ANSI Standard Z535.6, 2010.
[14]          Control of Hazardous Energy Lockout/Tagout and Alternative Methods, ANSI Standard Z244.1, 2003.
[15]          Safety of Machinery — Interlocking devices associated with guards — principles for design and selection, EN 1088+A1:2008.
[16]          Safety of Machinery — Guards – General requirements for the design and construction of fixed and movable guards, EN 953+A1:2009.
[17]          Safety of machinery — Guards — General requirements for the design and construction of fixed and movable guards, ISO 14120.
[18]         Safety of machinery — Safety distances to prevent hazard zones being reached by upper and lower limbs, ISO 13857:2008.
[19]         Safety of machinery — Positioning of safeguards with respect to the approach speeds of parts of the human body, ISO 13855:2010.

5% Discount on All Standards with code: CC2011

The Third Level of the Hierarchy: Information for Use

This entry is part 3 of 3 in the series Hierarchy of Controls

I’ve written about the Hierarchy of Controls in past posts, but I’ve focused on the ‘engineering’ side of the control equation: Physical changes to machine design to eliminate hazards, and mechanical or electrical control systems that can reduce risk.

The first two levels of the Hierarchy, Elimination/Substitution and Engineering Controls, are typically more challenging to apply in most people’s minds, because expert knowledge is required. These levels are also more effective in controlling risk than the subsequent levels.

The Third Level

iStock_000009386795Small - Photo of Instruction manualThe third level of the Hierarchy is ‘Information for Use’, sometimes abbreviated as ‘IFU.’ This level is deceptively simple, and is frequently the level people want to jump to when the other controls seem too difficult to implement. Done well, information for use can make a significant contribution to risk control. Unfortunately, it’s done poorly or not at all more often than it’s done well.

Information for use includes:

  • Instructions and Manuals;
  • Operator Device tags and Legend Plates;
  • HMI screens;
  • Hazard Warning signs and labels;
  • Training Materials (text, video, audio) and Training (face-to-face, webinars, self-directed);
  • Sales and marketing materials.

Information for use is needed in all the stages of the product life cycle: Transportation, Installation, Commissioning, Use, Maintenance, Service, Decommissioning and Disposal [1]. At each stage in the life cycle, the content of the information and the presentation may be different. In every stage it can make a significant contribution to risk reduction by communicating the safe approach to the tasks in that stage, and the risks related to those tasks. The information should include the intended use and the foreseeable misuses of the product. This is a legal requirement in the EU [2], and is a best-practice in North America.

In this article I’m going to focus on instruction manuals. If you’re interested in Hazard Warnings, including signs, labels, and integration into manuals and instructions, watch for a future post on this topic.

Legal requirements and standards

In the European Union, the legal obligation to provide information with a product is enshrined in law [2].
No North American jurisdictions make an explicit requirement for instructions or information for use in law, but many product specific standards include requirements for the content of manuals.

CSA Z432 [3] outlines requirements for content in Clause 17, and in EN 60204-1 [7]. IEC 62079 [4], provides guidance on the design and presentation of instructions. ANSI Z535.6 [5], provides specific instructions on inclusion of hazard warnings in manuals and instructions.

Training requirements are also discussed in CSA Z432 [3], Clause 18.

5% Discount on ISO and IEC Standards with code: CC2011

In the USA, providing information for use with a product is considered to be sound ‘due diligence’, however, providing information on residual risk is often seen by liability lawyers as dangerous, since manufacturers are providing information, in writing, that their product is not ‘perfectly safe.’ If you’ve read anything I’ve written on risk assessment, you’ll know that there is no such state as ‘perfectly safe.’ If a hazard exists, a potential for harm exists, a probability can be assessed and thus risk exists, however remote that risk may be. I think that this argument by some liability lawyers is fatuous at best.

Kenneth Ross, one of the leading product liability lawyers in the USA, discusses the requirements for warnings and instructions in an article published in 2007 [6]. In the article, he explains the US requirements:

“Product sellers must provide “reasonable warnings and instructions” about their products’ risks. The law differentiates warnings and instructions as follows:

“Warnings alert users and consumers to the existence and nature of product risks so that they can prevent harm either by appropriate conduct during use or consumption or by choosing not to use or consume.”

Instructions “inform persons how to use and consume products safely.”

A court has held that warnings, standing alone, may have no practical relevance without instructions and that instructions without warnings may not be adequate.

Therefore, when the law talks about the “duty to warn,” it includes warnings on products in the form of warning labels; safety information in instructions; instructions that affirmatively describe how to use a product safely; and safety information in other means of communication such as videos, advertising, catalogs and websites.

The law says that a manufacturer has a duty to warn where: (1) the product is dangerous; (2) the danger is or should be known by the manufacturer; (3) the danger is present when the product is used in the usual and expected manner; and (4) the danger is not obvious or well known to the user.”

Read Mr. Ross’ latest article on warnings.

This practical and sensible approach is very similar to that in the EU. Note the requirement that “instructions that affirmatively describe how to use a product safely.” The  old list of “don’ts” doesn’t cut it – you must tell your user how to use the product in an affirmative way.

Second Best

So why is it that so many manufacturers settle for manuals that are barely ‘second best’? In many companies, the documentation function is:

  • Not seen to add value to the product;
  • not understood to have legal import in limiting product liability;
  • given little effort.

The perception seems to be that manuals are produced primarily to fill filing cabinets and that customers don’t use the information provided. This leads to manuals that are written after-the-fact by engineers, or worse, the role of ‘technical writer’ is seen to be an entry level position often filled by interns or co-op students.

End-user training is frequently given even less thought than the manuals. When designed together, the manual will support the training program, and the trainers can use the manual as one of the primary training tools. This provides continuity, and ensures that the training process is properly documented.

iStock_000012657812Small - Techncial ManualMy experience is that few engineers are excellent writers. There are some, no doubt. Writing manuals takes a sound understanding of educational theory, including an understanding of the audience to whom the material is directed. The level of technical sophistication required for a simple household product is completely different from that required for the technical support manual for an industrial welding laser.
The engineers designing and integrating an industrial system are often too close to the design of the product to be able to write effectively to the target audience. Assumptions about the level of education that the user will have are often incorrect, and key steps may be skipped because they are assumed to be ‘common knowledge.’

Quality documentation is also a customer service issue. Products that are well documented require less customer service support, and when customers do need support, they are generally more satisfied with the result.

New Delivery Methods

The delivery methods for technical documents have changed considerably in recent years. Large, ring-bound paper manuals are being displaced by on-line, interactive documentation that can be accessed at the user interface. The use of PDF-format manuals has jumped, and this brings in the ability to link error messages generated by the control system to the sections of the manual that related to that aspect of the system. Video and animations can be added that provide at-a-glance understanding of the operation of the machinery. WiFi networks in industrial facilities, along with the acceptance of mobile pad-computing devices like the Apple iPad, mean users can have the instructions where they need them, and technicians and service personnel can take the manual with them to the area where a problem exists, and can use the documents even in very low-light conditions.

Finding technical writing resources can be a challenge, particularly if you are looking to move away from paper to electronic documentation. The standards mentioned in this article are a good place to start.
Documentation can range from writing through technical illustrations, animation and video production. Finding individuals who can provide you with professional services in these areas in a timely way and at a reasonable price is not an easy task. If you need assistance ranging from a few questions that need answers to hiring a technical writer, Compliance InSight Consulting can help. Contact me for more information!

Are your product manuals as good as they could be? What kinds of challenges have you had with getting them written, or used? Add your comments below!


5% Discount on ISO and IEC Standards with code: CC2011

[1]    “Safety of machinery – General principles for design – Risk assessment and risk reduction”, ISO Standard 12100, 2010

[2]    “DIRECTIVE 2006/42/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 17 May 2006 on machinery, and amending Directive 95/16/EC”, Annex 1, Clause 1.7, European Commission, 2006.

[3]    “Safeguarding of Machinery”, CSA Standard Z432, Canadian Standards Association, 2004.

[4]    “Preparation of instructions – Structuring, content and presentation”, IEC Standard 62079, International Electrotechnical Commission, 2001.

[5]    “American National Standard For Product Safety Information in Product Manuals, Instructions, and Other Collateral Materials”, ANSI Standard Z535.6, American National Standards Institute, 2006.

[6]    K. Ross. “Danger! The Legal Duty to Warn and Instruct”, Risk Management Magazine, [web] 2007, Available: No longer available.

[7]      “Safety of machinery — Electrical equipment of machines — Part 1: General requirements”, CENELEC Standard EN 60204-1, CENELEC, 2009.