Shostack + Friends Blog Archive

 

More controls creates more risk?

Over at his excellent blog [http://thurston.halfcat.org/blog/], Chandler Howell referenced an interesting risk analysis [link to http://thurston.halfcat.org/blog/2007/06/22/same-facts-different-risk/ no longer works] performed by a home inspector:

“The power switch for the garbage disposal in the sink could be accidentally turned on by a person standing at the sink while their hand was in the disposal.”
That is to say, the switch is right next to the sink.
I thought about this, and realized that I preferred that situation in the “risky” state.

We joked about this in the comments a bit, and I toyed with suggesting that the convenient but ‘risky’ switch simply be augmented with a second, further-away, model. Of course, that would be pointless, since the second switch would always be left on. Clearly, a garbage disposal is not the sort of thing that two people operate cooperatively.
Anyway, I read a CNN.com news story [link to http://www.cnn.com/2007/US/06/30/amusement.park.death.ap/index.html no longer works] today that reminded me of how added controls can increase risk. It seems that Rye Playland, a popular New York amusement park, promised to add a second attendant to a ride in which a young child had been killed in 2004. The county-owned facility did not do so, but nonetheless had a second attendant on hand during a shift changeover. Unfortunately, one attendant turned on the ride while the other was still assisting some customers. The latter attendant was thrown from the ride and killed [same link, no longer works].
I should note that the news reports are uniformly confusing, stating that a second attendant was required but not present. OK. So what would this second do, check to see that the first didn’t notice any unbuckled passengers? There was, in some sense, a second attendant, and it was she who was not buckled in. Fatigue may have played a part, according to a local TV report [link to http://wcbstv.com/topstories/local_story_182083204.html no longer works].
Maybe a two-switch, two-person solution is worth investigating in this case.

5 comments on "More controls creates more risk?"

  • The common solution to some of these types of situations is affirmative two-handed controls. For example, most drill presses and other industrial equipment requires the user have both hands on two controls simultaneously when activating them.
    Ever since the bogus Audi-5000 “sudden unexplained acceleration” cases of the mid-1980’s you’ve had to have your foot on the brake to switch from Park into another gear in an automatic transmission. Cards with a manual transmission require the user to have their foot on the clutch before the starter will engage, regardless of what gear the car is in (or neutral.)
    Plenty of examples of this when we believe the risk warrants it and probably some where the manufacturer was simply paranoid of lawsuits.
    Perhaps garbage disposals aren’t in the same category?

  • Chris says:

    The disposal thing is safe enough as it is. If your hand is in the darn thing, you are highly motivated not to turn it on. The drill press example is a good one — I remember seeing such a control on some kind of metal-cutting gizmo, and I remember thinking “I’m glad THAT is there”.
    In the amusement park case, requiring two simultaneous or near-simultaneous operations at two locations sufficiently distant to preclude activation by only one person would seem to be worthy of investigation, if only for the “most dangerous” rides. I don’t know how much attendants at Playland get paid, but if it is 15 bucks per hour and the season is 1500 hours long, you’re looking at a cost increase of about 25K per additional attendant. I’d guesstimate that Playland has maybe 10 rides that could kill a person. They have had two deaths in four years (I do not count the ones involving boats). As long as each death costs Playland more than 10*25K*2, the additional switch and attendant makes sense (even by this cold-blooded calculus). Sounds to me like installing that second switch, and hiring somebody to throw it, is worth looking at.
    Full disclosure: I’ve been to Playland and paid no attention to their safety measures. For all I know, they have this very system in place.

  • Mark Curphey says:

    Maybe its the design of the control and not the quantity? Take the waste disposal for example. In Europe most of the waste disposals have a plug that you insert into the hole. It twists on and connects / locks. When you fully lock it the disposal motor engages. Essentially its impossible to start if you have your hand in the hole.

  • Anonymous Coward says:

    “When you fully lock it the disposal motor engages. Essentially its impossible to start if you have your hand in the hole.”
    In the case of a large carrot or other long cylindrical food item, would not then the user be required to reduce the size of the food item? If the user were particularly weak-handed, the logical solution to get the item in the hole would be to brandish a sharp blade and cut the item asunder.
    Surely there are more instances of users of knives in a kitchen setting being injured than there are of users of garbage disposals?
    You are correct, however, in the design of the control being more critical than sheer numbers of poorly designed controls. The goal, in this case, is to prevent the disposal mechanism from activating when a person’s hand is in the hole, right? Would it not make sense to remove functionality of the device while the user is engaging in risky behavior and not induce further risky behavior to meet the requirements of your control?
    I present for your consideration, the lowly momentary switch in the form of a fail-safe button.
    While the user is at the sink and reaching into the hole, a button on the vertical face of the sink is depressed by the user as they lean in to reach. Regardless of the position of the power switch, the depression of the fail-safe button disengages power at the source.

  • Iang says:

    The problem is complex because there are both more controls and more people involved.
    The way the military address this complexity is to assign a safety officer with over-riding power. That is, the safety officer is totally responsible for the safety and only the safety, others run the operation, he just looks at the safety.
    (There are other techniques too…)

Comments are closed.