IS FAIL-SAFE REALLY SAFE?
Published in Advanced Rescue Technology June/July 2004
There are two primary factors which lead rope rescue practitioners to incorporate what is widely considered to be the current best and safest practice: “unconditional” belays, which I’ve also heard referred to as “fool-proof” or “fail-proof”. One of those factors, thankfully, is our desire to do the best we can for our patients, our team, and ourselves – in other words, to be professional in our fields, regardless of whether we are career or serving as volunteers. The other is, unfortunately, the litigious nature of our society in which human error becomes an opportunity to blame and punish people who would otherwise be considered “good Samaritans” or even heroes.
I want to challenge some often unquestioned beliefs, raise some questions (and some eyebrows), and begin a discussion about whether these “fail/fool-proof” belays are really the safest approach to technical rope rescue.
I think there is some confusion in the field of rope rescue between the terms “fail-safe”, “fail-proof”, and “fool-proof”. So let’s start with language, since clear communication is so essential to all emergency response. We need to be able to speak the same language or, at least, understand each other.
“Fail-safe” is a term originating in the one field of technology in which human error is not an option: nuclear weapons. While we rope techs talk about building “bomb-proof” anchors, we’re not generally dealing with something as catastrophic in its failure as a real nuke. But, on the scale in which we work – removing one patient at a time from locations or situations which are immediately dangerous to life and health (IDLH), a significant human error or equipment malfunction can lead to a small but significant catastrophe. And we DO use the term “catastrophic failure” when referring to a break in the chain of life safety resulting in potential injury or death.
What “fail-safe” actually means is a system sufficiently redundant or automatic in its response to any conceivable error that, if there is a system failure – either human or technical – the system will fail (that is, cease functioning) in a safe mode.
This is, for instance, what we hope will happen with a tandem 3-wrap prusik belay when the mainline system fails: that with or without human intervention, the prusiks will perform a quick but dynamic capture of the suddenly-loaded belay rope and lock the system in a safe mode. This assumes, of course, that the prusiks are properly sized and of the appropriate stiffness or flexibility, do not interfere with each other, are not compromised by contact with any other object or by ice or mud, and are released by the attendant’s hand in the first fraction of a second (a body falling off a cliff can move 16 feet and be moving 22 mph in the first second). This fail-safe lock-off, if it DOES occur as expected, then requires a load-releasing hitch (another piece of somewhat sophisticated gear) in order to return the system to operation.
The wrist-twist or “hitchhikers” technique for lowering with tandem prusiks with no slack and no inadvertent lock-ups is not so easily mastered.
(Elliot Hospital NH Paramedic Tech Rescue Training)
“Fail-proof” and “fool-proof” are terms which are too often misapplied to modern rope rescue systems incorporating double-rope technique (DRT) and some form of automatic belay, and they are too often confused with each other. Few practitioners would call single-rope technique (SRT) “fail-proof”, though mountain and cave rescue teams in Europe, Australia, and in the U.S. have used this method for decades with no record of failure. SRT obviously requires a high level of skill, experience, and vigilance to perform with repeated success – qualities which we should expect from rope rescue technicians.
Because most of the teams and squads performing technical rope rescue in the U.S. do so as an adjunct to their main function – fire fighting, EMS, law enforcement – and because of those lawyers looking over our shoulders, almost all rope rescue in this country, including mountain and cave rescue, employs DRT to minimize the probability of catastrophic failure through the application of redundancy.
But redundancy, a central principle of fail-safe systems, is not considered sufficient to ensure safety in modern rope rescue. Nor is the traditional 8:1 or 10:1 static system safety factor (SSSF) considered sufficient by the current American standard-setter, the National Fire Protection Association (NFPA), which requires a 15:1 SSSF. This is in spite of decades of successful application of the traditional SSSF by the Australian (8:1) and the European and American (10:1) mountain and cave rescue communities.
So the tandem 3-wrap prusik was developed (and extensively tested by Arnor Larson of Rigging for Rescue, Canada) and generally accepted as the most reliable and least destructive of what have come to be known as “unconditional” belay systems. “Unconditional” refers to self-actuating or automatic belay devices which can fail safe without operator intervention or with an unexpected loss of human operation (for example, a lightning strike, swarm of killer bees, rock-fall, or structural collapse). This “unconditional” or “fail-safe” quality of the belay device is, of course, dependent upon the integrity of the rest of the links in the life-safety chain of the belay system. The rock fall or structural collapse that incapacitates the rope handlers cannot also weaken or destroy the belay rope or any part of its “bomb-proof” anchor.
Partly because the tandem 3-wrap prusik belay is a little time-consuming to apply and remove, requires the proper matching of cordage to rope, and depends for its smooth function on the training and expertise of its operator – and partly because there are always inventors and entrepreneurs willing to offer a better mousetrap – there are now several mechanical “fail-safe” devices designed specifically for rescue.
The Traverse Rescue 540, the Petzl I’D, and the BMS Nano-Belay are each quite different approaches to a mechanical unconditional belay. The I’D can operate as a self-locking lowering or rappel device, or for changeover from lower to raise. The Nano-Belay works as both a belay and a lowering device (with the Unloader). The Traverse 540 functions only as a belay. But each device also has its drawbacks, quirkiness, and what I will call “distraction factor”. All three do, however, eliminate the need for a load-release hitch (LRH) to resume function after fail-safe lock-up, and this arguably simplifies the systems in which they’re used. The prusik belay requires a LRH and an operator trained in its use, thus complicating the system.
From my experience and that of others I’ve communicated with, The 540 can inadvertently lock up, the I’D release lever is a bit touchy, and the Nano-Belay can be difficult to operate without its complementary and separate Unloader. Each of these quirks creates the possibility for distracting the operator from their essential task. And further, the reliance on the mechanical “fail-safe” can foster a degree of complacency on the part of the operator, or an assumption that less training is required because of the “built-in” safety.
It’s almost never considered that ice, mud, sand, heat, cold, caustic atmospheres, or just wear and tear might disable these “fail-proof” devices (the I’D and the 540 have plastic and aluminum elements and depend on internal moving parts not visible during operation – the Nano-Belay is a much simpler device which can be visibly inspected during use and is entirely stainless steel).
We must keep in mind that a silent partner in all rescue operations is Murphy and his laws: whatever can go wrong will, and at the most inopportune moment.
Which brings us to the final term: “fool-proof”. First, it must be said that there is no such thing. A fool – or a foolish moment brought on by stress, exhaustion, inattention, or any of the three devils of austere environments: hypo/hyperthermia, hypovolemia, and hypoglycemia (cold/hot, dehydration, and low blood sugar) can quickly turn a functional rescue operation into a disaster. And let us keep in mind that catastrophes are caused much more often by human error than by equipment failure. The way to shift that ratio, however, is by the use of more complicated equipment with more inherent modes of failure. While nothing is truly “fool-proof”, simplicity leans in that direction.
As an example from ordinary life, I’ve had a number of experiences with cold motor vehicles on frigid mornings trying to crap out during acceleration. With my old carbureted engines, I could often compensate by pumping the accelerator. Even with my first couple of mechanically-linked fuel-injected engines, I could usually manage to keep them going. But my new truck has so many electronic sensors and controls that when it malfunctioned as I recently pulled into 55 mph traffic on a subzero morning, there was nothing I could do other than gawk at the “check engine” light and try to drift onto the shoulder before being rear-ended by oncoming traffic. The technical sophistication of my new truck (a reliable Toyota, by the way) actually made the vehicle less safe in a failure mode.
There is only one way to make a device or a system more “fool-proof”, and that is to keep it as simple as possible while still adequately performing its intended function. This is as much a law of nature (and human nature) as is gravity.
My contention is that the reliance on sophisticated mechanical safety and the consequent “complacency tendency” as well as the “distraction factor” of fidgety equipment can result in a system which is less safe than a more “fool-proof” simple system.
System redundancy is the most universal element of fail-safe systems. We have accomplished that by the use of two ropes on separate anchors: a mainline and a belay line. The simplest of all redundant rope rescue systems would be the use of two identical rope setups, each of which could serve the function of the other in the event of a failure of one element.
On that basis, when I teach high-angle lowering to teams which would rarely have occasion to apply the skills (such as fire departments or industrial on-site rescue teams), and which would rarely, if ever, have the need to convert from lower to raise (for instance, lowering a patient from a structure to the ground), I use two identical but differently-colored ropes, independently-anchored, each rigged onto a BMS Belay Spool – one to take the primary load and the other as a belay/back-up.
This intuitively simple and symmetrically redundant system has several advantages. In training, learning is quicker and skill retention is better – even for those who rarely have occasion to use or practice these skills. The simplicity reduces the scope of human error, virtually eliminates the possibility of mechanical failure, and saves time. With a seriously injured or unconscious patient, particularly given what we now know about the rapid onset of harness suspension trauma (as little as five minutes), time is a life-threatening factor. And the system can be operated with no slack in the belay line.
This last characteristic challenges another element of accepted (and almost unquestioned) practice – that the belay system should never come under load except in the event of mainline system failure. A no-load belay is necessary when using autolocking systems, such as tandem prusiks or the Rescue 540 to avoid inadvertent lockups. Parallel Belay Spools allow some load sharing, thus reducing individual anchor loads, and the absence of slack in the belay eliminates any shock-loading of the system in the event of mainline failure, thus reducing both the possibility of secondary failure and the likelihood of further trauma to the patient.
Tandem Belay Spools used in training of high-angle rescue team at Yankee Atomic, Rowe MA (nuclear fuel dry cask storage in background)
The simplicity, reversibility, and efficiency of the Belay Spool (15 pounds of grip to control a 600 pound load), in addition to its strength (15,000 lbs) make it a nearly ideal tool. For straightforward DRT lowers, a fully-redundant Belay Spool system is as close to “fool-proof” as possible. Obviously, more complicated rescues will require a more complicated system and more highly-trained personnel, but with a consequent increase in the scope and probability of failure.
My experience in municipal emergency management leads me to consider another element of effective safety planning: the risk vs. frequency matrix. If you can imagine a 2×2 matrix (see diagram) with the vertical axis labeled “frequency” and the horizontal axis labeled “risk”, you could place into each of the four quadrants various disaster scenarios you might anticipate. There will be many which are high-frequency events with little risk (like tripping on the ropes), and a few relatively high-frequency events with a lot of risk (like sudden weather changes). There will be oodles of low-frequency events with low risk (such as minor equipment damage) and there will be a miniscule number of very low-frequency events with very high risk (such as lightning strikes, killer bees, rock-fall, or structural collapse).
Effective emergency planners mostly ignore low risk events and gear their primary response systems toward high-frequency, high-risk scenarios (like flooding of rivers and ice storms) and have a plan filed away for those rare but catastrophic events (such as a dam bursting, a terrorist attack, or a nuclear power plant meltdown). Firefighters always put on breathing apparatus before going into a burning structure, but they don’t fight fires in hazmat suits on the off chance that there might be bio-weapons in the building. This would not only make fire-fighting absurdly cumbersome, but also significantly less safe.
Most of the low-frequency, high-risk scenarios that we consider in rope rescue would be so catastrophic that no amount of planning and no fail-safe device is going to prevent the course of events. If structural collapse or rock-fall knocks out the entire rescue team, then it’s likely going to destroy the equipment and the patient as well no matter what kind of system we’ve built.
Consequently, if we make every rope rescue complicated enough to prevent even the most unlikely catastrophes, then are we making them more cumbersome and hence more time-consuming (time is a life-safety factor), and ultimately perhaps less safe?
I’m offering these considerations more as question than answer. But it is a question that rope rescue professionals often fail to address. At what point of sophistication does a “fail-safe” system become less “fool-proof” and actually create more opportunities for catastrophic failure?
When you figure the calculus of safety, remember to include the “complacency tendency” and the “distraction factor”. Remember that the best way to outsmart a fool is by being simple-minded. And remember, above all, that the KISS principle really stands for Keep It Simple and Safe!
by Robert Riversong: may be reproduced with attribution for non-commercial purposes
BMS Belay Spools for Sale
When Basset Metal Studio (BMS) was ending production of their excellent and versatile Belay Spool some years ago because the popularity of auto-locking belay devices was cutting into the sales of the simpler and more effective device, I asked Carroll Bassett whether he would do another production run if I agreed to order half the 100-unit run, and I ended up with 50 Belay Spools. When my article helped revive sales of the Belay Spool, Carroll had to ask me to ship 25 of mine back to him in order to keep up with the demand. I sold a bunch to the rescue teams I trained, but still have a few left which I’m willing to sell for a bargain price (plus shipping). You can see the product at Craigslist and contact me through them or at Avert (at) Ponds-Edge (dot) net.