IS FAIL-SAFE REALLY SAFE?
Published in Advanced Rescue Technology June/July 2004
There are two primary factors which lead rope rescue practitioners to
incorporate what is widely considered to be the current best and safest
practice: “unconditional” belays, which I’ve also heard referred to as
“fool-proof” or “fail-proof”. One of those factors, thankfully, is our
desire to do the best we can for our patients, our team, and ourselves –
in other words, to be professional in our fields, regardless of whether
we are career or serving as volunteers. The other is, unfortunately,
the litigious nature of our society in which human error becomes an
opportunity to blame and punish people who would otherwise be considered
“good Samaritans” or even heroes.
I want to challenge some often unquestioned beliefs, raise some
questions (and some eyebrows), and begin a discussion about whether
these “fail/fool-proof” belays are really the safest approach to
technical rope rescue.
I think there is some confusion in the field of rope rescue between the
terms “fail-safe”, “fail-proof”, and “fool-proof”. So let’s start with
language, since clear communication is so essential to all emergency
response. We need to be able to speak the same language or, at least,
understand each other.
“Fail-safe” is a term originating in the one field of technology in
which human error is not an option: nuclear weapons. While we rope
techs talk about building “bomb-proof” anchors, we’re not generally
dealing with something as catastrophic in its failure as a real nuke.
But, on the scale in which we work – removing one patient at a time from
locations or situations which are immediately dangerous to life and
health (IDLH), a significant human error or equipment malfunction can
lead to a small but significant catastrophe. And we DO use the term
“catastrophic failure” when referring to a break in the chain of life
safety resulting in potential injury or death.
What “fail-safe” actually means is a system sufficiently redundant or
automatic in its response to any conceivable error that, if there is a
system failure – either human or technical – the system will fail (that
is, cease functioning) in a safe mode.
This is, for instance, what we hope will happen with a tandem 3-wrap
prusik belay when the mainline system fails: that with or without human
intervention, the prusiks will perform a quick but dynamic capture of
the suddenly-loaded belay rope and lock the system in a safe mode. This
assumes, of course, that the prusiks are properly sized and of the
appropriate stiffness or flexibility, do not interfere with each other,
are not compromised by contact with any other object or by ice or mud,
and are released by the attendant’s hand in the first fraction of a
second (a body falling off a cliff can move 16 feet and be moving 22 mph
in the first second). This fail-safe lock-off, if it DOES occur as
expected, then requires a load-releasing hitch (another piece of
somewhat sophisticated gear) in order to return the system to operation.
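As an added check (not part of the original article) of the falling-body figures quoted in the paragraph above, take the acceleration of gravity as roughly 32.2 ft/s² and neglect air resistance for the first second of free fall:

$$d = \tfrac{1}{2} g t^{2} = \tfrac{1}{2}(32.2\ \mathrm{ft/s^{2}})(1\ \mathrm{s})^{2} \approx 16.1\ \mathrm{ft}$$

$$v = g t = 32.2\ \mathrm{ft/s} \times \frac{3600\ \mathrm{s/h}}{5280\ \mathrm{ft/mi}} \approx 22\ \mathrm{mph}$$

So the "16 feet and 22 mph in the first second" figure is simply free-fall kinematics, and it is the reason the attendant's hand has only a fraction of that second to release the prusiks before they must grab.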
The wrist-twist or “hitchhikers” technique for lowering with tandem prusiks
with no slack and no inadvertent lock-ups is not so easily mastered.
(Elliot Hospital NH Paramedic Tech Rescue Training - picture by Robert Riversong)
“Fail-proof” and “fool-proof” are terms which are too often misapplied
to modern rope rescue systems incorporating double-rope technique (DRT)
and some form of automatic belay, and they are too often confused with
each other. Few practitioners would call single-rope technique (SRT)
“fail-proof”, though mountain and cave rescue teams in Europe,
Australia, and in the U.S. have used this method for decades with no
record of failure. SRT obviously requires a high level of skill,
experience, and vigilance to perform with repeated success – qualities
which we should expect from rope rescue technicians.
Because most of the teams and squads performing technical rope rescue
in the U.S. do so as an adjunct to their main function – fire fighting,
EMS, law enforcement – and because of those lawyers looking over our
shoulders, almost all rope rescue in this country, including mountain
and cave rescue, employs DRT to minimize the probability of catastrophic
failure through the application of redundancy.
But redundancy, a central principle of fail-safe systems, is not considered sufficient to ensure safety in modern rope rescue. Nor
is the traditional 8:1 or 10:1 static system safety factor (SSSF)
considered sufficient by the current American standard-setter, the
National Fire Protection Association (NFPA), which requires a 15:1
SSSF. This is in spite of decades of successful application of the
traditional SSSF by the Australian (8:1) and the European and American
(10:1) mountain and cave rescue communities.
So the tandem 3-wrap prusik was developed (and extensively tested by
Arnor Larson of Rigging for Rescue, Canada) and generally accepted as
the most reliable and least destructive of what have come to be known as
“unconditional” belay systems. “Unconditional” refers to
self-actuating or automatic belay devices which can fail safe without
operator intervention or with an unexpected loss of human operation (for
example, a lightning strike, swarm of killer bees, rock-fall, or
structural collapse). This “unconditional” or “fail-safe” quality of
the belay device is, of course, dependent upon the integrity of the rest of the links in the life-safety chain of the belay system.
The rock fall or structural collapse that incapacitates the rope
handlers cannot also weaken or destroy the belay rope or any part of its
“bomb-proof” anchor.
Partly because the tandem 3-wrap prusik belay is a little
time-consuming to apply and remove, requires the proper matching of
cordage to rope, and depends for its smooth function on the training and
expertise of its operator – and partly because there are always
inventors and entrepreneurs willing to offer a better mousetrap – there
are now several mechanical “fail-safe” devices designed specifically for
rescue.
The Traverse Rescue 540, the Petzl I’D, and the BMS Nano-Belay are each
quite different approaches to a mechanical unconditional belay. The
I’D can operate as a self-locking lowering or rappel device, or for
changeover from lower to raise. The Nano-Belay works as both a belay
and a lowering device (with the Unloader). The Traverse 540 functions
only as a belay. But each device also has its drawbacks, quirkiness,
and what I will call “distraction factor”. All three do, however,
eliminate the need for a load-release hitch (LRH) to resume function
after fail-safe lock-up, and this arguably simplifies the systems in
which they’re used. The prusik belay requires a LRH and an operator
trained in its use, thus complicating the system.
From my experience and that of others I’ve communicated with, the 540
can inadvertently lock up, the I’D release lever is a bit touchy, and
the Nano-Belay can be difficult to operate without its complementary and
separate Unloader. Each of these quirks creates the possibility for
distracting the operator from their essential task. And further, the
reliance on the mechanical “fail-safe” can foster a degree of
complacency on the part of the operator, or an assumption that less
training is required because of the “built-in” safety.
It’s almost never considered that ice, mud, sand, heat, cold, caustic
atmospheres, or just wear and tear might disable these “fail-proof”
devices (the I’D and the 540 have plastic and aluminum elements and
depend on internal moving parts not visible during operation – the
Nano-Belay is a much simpler device which can be visibly inspected
during use and is entirely stainless steel).
We must keep in mind that a silent partner in all rescue operations is
Murphy and his laws: whatever can go wrong will, and at the most
inopportune moment.
Which brings us to the final term: “fool-proof”. First, it must be
said that there is no such thing. A fool – or a foolish moment brought
on by stress, exhaustion, inattention, or any of the three devils of
austere environments: hypo/hyperthermia, hypovolemia, and hypoglycemia
(cold/hot, dehydration, and low blood sugar) can quickly turn a
functional rescue operation into a disaster. And let us keep in mind
that catastrophes are caused much more often by human error than by
equipment failure. The surest way to shift that ratio toward equipment
failure, however, is the use of more complicated equipment with more
inherent modes of failure. While nothing is truly “fool-proof”,
simplicity leans in that direction.
As an example from ordinary life, I’ve had a number of experiences with
cold motor vehicles on frigid mornings trying to crap out during
acceleration. With my old carbureted engines, I could often compensate
by pumping the accelerator. Even with my first couple of
mechanically-linked fuel-injected engines, I could usually manage to
keep them going. But my new truck has so many electronic sensors and
controls that when it malfunctioned as I recently pulled into 55 mph
traffic on a subzero morning, there was nothing I could do other than
gawk at the “check engine” light and try to drift onto the shoulder
before being rear-ended by oncoming traffic. The technical
sophistication of my new truck (a reliable Toyota, by the way) actually
made the vehicle less safe in a failure mode.
There is only one way to make a device or a system more “fool-proof”,
and that is to keep it as simple as possible while still adequately
performing its intended function. This is as much a law of nature (and
human nature) as is gravity.
My contention is that the reliance on sophisticated mechanical safety
and the consequent “complacency tendency” as well as the “distraction
factor” of fidgety equipment can result in a system which is less safe than a more “fool-proof” simple system.
System redundancy is the most universal element of fail-safe systems.
We have accomplished that by the use of two ropes on separate anchors: a
mainline and a belay line. The simplest of all redundant rope rescue
systems would be the use of two identical rope setups, each of which
could serve the function of the other in the event of a failure of one
element.
On that basis, when I teach high-angle lowering to teams which would
rarely have occasion to apply the skills (such as fire departments or
industrial on-site rescue teams), and which would rarely, if ever, have
the need to convert from lower to raise (for instance, lowering a
patient from a structure to the ground), I use two identical but
differently-colored ropes, independently-anchored, each rigged onto a
BMS Belay Spool – one to take the primary load and the other as a
belay/back-up.
This intuitively simple and symmetrically redundant system has several
advantages. In training, learning is quicker and skill retention is
better – even for those who rarely have occasion to use or practice
these skills. The simplicity reduces the scope of human error,
virtually eliminates the possibility of mechanical failure, and saves
time. With a seriously injured or unconscious patient, particularly
given what we now know about the rapid onset of harness suspension
trauma (as little as five minutes), time is a life-threatening factor.
And the system can be operated with no slack in the belay line.
This last characteristic challenges another element of accepted (and
almost unquestioned) practice – that the belay system should never come
under load except in the event of mainline system failure. A no-load
belay is necessary when using autolocking systems, such as tandem
prusiks or the Rescue 540, to avoid inadvertent lockups. Parallel Belay
Spools allow some load sharing, thus reducing individual anchor loads,
and the absence of slack in the belay eliminates any shock-loading of
the system in the event of mainline failure, thus reducing both the
possibility of secondary failure and the likelihood of further trauma to
the patient.
Tandem Belay Spools used in training of high-angle rescue team at Yankee Atomic, Rowe MA
(picture by Robert Riversong)
The simplicity, reversibility, and efficiency of the Belay Spool (15
pounds of grip to control a 600 pound load), in addition to its strength
(15,000 lbs) make it a nearly ideal tool. For straightforward DRT
lowers, a fully-redundant Belay Spool system is as close to “fool-proof”
as possible. Obviously, more complicated rescues will require a more
complicated system and more highly-trained personnel, but with a
consequent increase in the scope and probability of failure.
My experience in municipal emergency management leads me to consider
another element of effective safety planning: the risk vs. frequency
matrix. If you can imagine a 2x2 matrix (see diagram) with the vertical
axis labeled “frequency” and the horizontal axis labeled “risk”, you
could place into each of the four quadrants various disaster scenarios
you might anticipate. There will be many which are high-frequency
events with little risk (like tripping on the ropes), and a few
relatively high-frequency events with a lot of risk (like sudden weather
changes). There will be oodles of low-frequency events with low risk
(such as minor equipment damage) and there will be a minuscule number of
very low-frequency events with very high risk (such as lightning
strikes, killer bees, rock-fall, or structural collapse).
                   LOW RISK                  HIGH RISK
                 +-------------------------+-------------------------+
HIGH FREQUENCY   | HIGH FREQUENCY          | HIGH FREQUENCY          |
                 | LOW RISK                | HIGH RISK               |
                 | (e.g. tripping on the   | (e.g. sudden weather    |
                 |  ropes)                 |  changes)               |
                 +-------------------------+-------------------------+
LOW FREQUENCY    | LOW FREQUENCY           | LOW FREQUENCY           |
                 | LOW RISK                | HIGH RISK               |
                 | (e.g. minor equipment   | (e.g. lightning strikes,|
                 |  damage)                |  killer bees, rock-fall,|
                 |                         |  structural collapse)   |
                 +-------------------------+-------------------------+
Effective emergency planners mostly ignore low risk events and gear
their primary response systems toward high-frequency, high-risk
scenarios (like flooding of rivers and ice storms) and have a plan filed
away for those rare but catastrophic events (such as terrorist
attacks). Firefighters always put on breathing apparatus before going
into a burning structure, but they don’t fight fires in hazmat suits on
the off chance that there might be bio-weapons in the building. This
would not only make fire-fighting absurdly cumbersome, but also
significantly less safe.
Most of the low-frequency, high-risk scenarios that we consider in rope
rescue would be so catastrophic that no amount of planning and no
fail-safe device is going to prevent the course of events. If
structural collapse or rock-fall knocks out the entire rescue team, then
it’s likely going to destroy the equipment and the patient as well no
matter what kind of system we’ve built.
Consequently, if we make every rope rescue complicated enough to
prevent even the most unlikely catastrophes, then are we making them
more cumbersome and hence more time-consuming (time is a life-safety
factor), and ultimately perhaps less safe?
I’m offering these considerations more as question than answer. But it
is a question that rope rescue professionals often fail to address. At
what point of sophistication does a “fail-safe” system become less
“fool-proof” and actually create more opportunities for catastrophic
failure?
When you figure the calculus of safety, remember to include the
“complacency tendency” and the “distraction factor”. Remember that the
best way to outsmart a fool is by being simple-minded. And remember,
above all, that the KISS principle really stands for Keep It Simple and
Safe!