Risk Management

Prevention through Design: 7 Decisions Before PPE Becomes the Plan

Prevention through Design turns risk management upstream by asking leaders to remove or engineer out exposure before the organization depends on behavior, permits, and PPE.


Key takeaways

  1. Move serious-risk decisions upstream by asking whether the hazard can be removed, substituted, or engineered out before permits and PPE become the plan.
  2. Tag credible SIF exposure separately from the general risk score because low-frequency tasks can still carry fatal consequences.
  3. Require at least one engineering alternative before accepting administrative controls as the main protection for high-energy work.
  4. Review maintenance, cleaning, troubleshooting, and restart because many design weaknesses appear only outside normal operation.
  5. Request Andreza Araujo's safety culture diagnostic when your organization needs to identify where design choices are pushing risk downstream.

Prevention through Design asks a hard question that many safety systems avoid because it arrives too early for the usual forms: why did the hazardous exposure survive long enough to require a permit, a warning sign, a toolbox talk, and PPE?

The thesis is direct. When risk management starts after equipment, layout, staffing, and workflow are already fixed, EHS inherits risk instead of shaping it. ANSI/ASSP Z590.3 frames Prevention through Design as a process for addressing hazards during design and redesign, which makes it a leadership decision rather than a technical afterthought.

Why Prevention through Design belongs in risk management

Prevention through Design means identifying and reducing occupational risk during the design or redesign of facilities, equipment, tools, tasks, materials, and work organization. It moves decisions upstream, where elimination, substitution, and engineering controls are still realistic.

As Andreza Araujo argues in Safety Culture: From Theory to Practice, safety culture becomes visible in repeated decisions, not in declared values. Design decisions are among the strongest cultural evidence because they decide whether a worker faces the hazard every shift or whether the hazard is removed before the job begins.

This article is not an argument against PPE, training, or permits. Those controls still matter. The risk appears when a company treats them as the first plan for serious exposure, even though the hierarchy of controls places them below elimination, substitution, and engineering measures.

That is why Prevention through Design should sit beside risk matrix discipline and Bow-Tie critical-control thinking. If the design creates the exposure, the dashboard can only manage the consequences of a decision already made.

1. Decide whether the hazard should exist at all

The first design decision is whether the organization needs the hazard in its current form. That sounds obvious, although many risk reviews skip straight to procedures because the equipment, chemical, layout, or production method is treated as nonnegotiable.

Across 25+ years leading EHS at multinationals, Andreza Araujo has observed that teams often accept exposure as the price of production before they have tested whether another process, material, height, access point, or equipment configuration could remove it. That early surrender turns risk management into damage control.

For example, a team reviewing work at height should ask whether the task can be moved to ground level, whether a permanent platform can replace temporary access, or whether remote inspection can remove the climb. A chemical operation should ask whether a less hazardous substance or closed transfer system can replace manual handling.

The trap is to call the remaining exposure inevitable without proving that elimination and substitution were examined. When that proof is missing, the later permit becomes a record of design failure.

2. Put SIF exposure ahead of convenience

Prevention through Design should prioritize serious injury and fatality exposure because the strongest design effort belongs where failure can kill or permanently disable someone. A low-frequency, high-energy task deserves more attention than a frequent irritation that carries limited consequence.

This is where a standard risk matrix often misleads leaders. If likelihood is underestimated because the task is rare, the risk score may fall below the capital threshold even though the consequence remains severe. The better question is whether a credible single failure could expose a person to stored energy, moving equipment, fall distance, confined atmosphere, line of fire, or chemical release.

In more than 250 cultural-transformation projects supported by Andreza Araujo's team, one repeated pattern is that severe-risk controls are often accepted as administrative routines because the capital decision belongs to another function. EHS then manages a hazard whose strongest control was rejected before the safety review began.

Design review should therefore tag SIF exposure separately from the general risk score. If a credible fatality path exists, the decision needs a higher level of review, even when historical injury frequency looks low.

3. Require engineering options before administrative controls

A design review should document which engineering options were considered before the team accepts administrative controls. Without that step, the easiest control usually wins because it costs less today and transfers complexity to the worker tomorrow.

Engineering controls include machine guarding, interlocks, local exhaust ventilation, fixed access, isolation points, automation, ergonomic assists, guarded walkways, and physical separation from mobile equipment. They change the work condition, while administrative controls ask people to compensate for the condition.

The distinction matters in operations where machine guarding bypass signals already appear. If a guard makes the task impossible, slows the cycle in a way no one accepts, or forces awkward manual clearing, the design review should solve the work problem instead of adding another reminder not to bypass the guard.

A practical rule helps. Before approving PPE, a permit, or retraining as the main control for a high-energy task, require one written engineering alternative with a reasoned rejection if it cannot be adopted. That record changes the quality of the decision.

4. Test maintainability, not only normal operation

Many designs look safe during normal operation and become dangerous during cleaning, maintenance, troubleshooting, line breaking, and restart. Prevention through Design must review those nonroutine moments because serious exposure often appears when production stops behaving like the drawing.

James Reason's work on latent conditions is useful here because design weaknesses can remain hidden until a task variation exposes them. A valve that is reachable during commissioning may be unreachable after insulation, scaffolding, or adjacent equipment is installed. A lockout point that looks clear on paper may require a worker to stand in a line of fire during real isolation.

That is why design review should include maintainers, operators, supervisors, and contractors, not only engineers and project leaders. The worker who clears jams, replaces filters, opens covers, tests energy, or enters the space will see access problems that a design meeting can miss.

The link to LOTO verification before restart is direct. If the design makes verification awkward or ambiguous, the operation will eventually rely on memory, habit, and production pressure at the worst possible moment.

5. Make procurement prove safety requirements

Procurement often decides safety before EHS sees the equipment. If specifications ask only for price, capacity, delivery time, and general legal compliance, the purchasing process may import risks that the operation will spend years controlling manually.

Prevention through Design needs safety requirements inside the buying decision. That includes guarding performance, access for maintenance, noise, vibration, ergonomics, isolation capability, emergency stop placement, safe cleaning method, chemical exposure, and compatibility with existing emergency response.

During the tenure at PepsiCo South America, where the accident ratio fell 50% in six months, the practical lesson was that prevention improves when routines change before exposure reaches the floor. Procurement routines matter because they decide which hazards arrive packaged as equipment, tooling, layout, or contractor method.

The market often treats procurement as a commercial function with a safety review attached. For Prevention through Design, that order is wrong. Safety requirements must shape the specification before vendors compete, because adding them after purchase usually costs more and solves less.

6. Connect design controls to field verification

A design control is not finished when it is installed. It has to remain effective during real work, which means the organization needs a verification routine after commissioning, after change, and after repeated weak signals.

This is where control effectiveness metrics protect the design intent. The dashboard should not ask only whether the guard, interlock, ventilation system, access platform, or isolation point exists. It should ask whether the control still prevents the exposure under field conditions.

Araujo's "Safety Culture Diagnosis: Learn how to do your own" treats diagnosis as a bridge to action rather than a report that sits still. Applied to design, the same principle means each failed verification should trigger a decision about redesign, maintenance, supervision, or capital, not just another corrective-action closure.

This prevents a common failure. The project team celebrates installation, operations gradually adapts around weaknesses, and EHS discovers the gap only after a near miss or serious incident.

7. Treat Management of Change as a design review

Management of Change should function as a design review whenever work conditions, equipment, staffing, materials, software, layout, pace, or contractor methods change. If MOC only checks documents, the organization may approve a new risk path without recognizing it.

The review should ask what exposure changed, which control became weaker, which task became more manual, where the worker now stands, what energy source is harder to isolate, and whether emergency response still fits the new condition. Those questions are practical because they connect change to the worker's body in the workplace.

Andreza Araujo's Portuguese title A Ilusao da Conformidade, commonly glossed as The Illusion of Compliance, is relevant because a compliant change can still degrade real protection. The paperwork can be correct while the task has become more exposed, more rushed, or harder to supervise.

The strongest MOC meetings therefore include a field walk before approval. Drawings, procedures, and risk registers that keep controls alive matter, but the final question is whether the person doing the work will face less exposure or more.

Prevention through Design decision table

| Decision point | Weak question | Prevention through Design question |
| --- | --- | --- |
| Concept | How do we control this hazard | Can the hazard be removed, substituted, or separated before work begins |
| Capital approval | Is the risk score acceptable | Is there credible SIF exposure that deserves higher review despite low frequency |
| Procurement | Does the vendor meet legal requirements | Does the specification require guarding, access, isolation, ergonomics, and emergency fit |
| Commissioning | Was the control installed | Does the control work during operation, maintenance, cleaning, and restart |
| Change | Were documents updated | Did the change create a new exposure path or weaken an existing control |

What EHS leaders should do next

Start with one high-energy work family rather than trying to redesign the whole safety system. Choose mobile equipment interface, machine access, working at height, confined space, electrical isolation, line breaking, or manual handling, then map where design decisions still force workers to depend on behavior and PPE.

Use the hierarchy of controls as a decision record, not as a poster. For each credible SIF exposure, document elimination, substitution, engineering, administrative, and PPE options in that order, with the rejection reason for any stronger control that is not adopted.

Then connect the result to pre-task risk assessment. Supervisors should know which exposures were designed out, which controls remain critical, and which weak signals require stopping the work before the task starts.

Prevention through Design is not a paperwork upgrade. It is the discipline of refusing to make the worker the last design control when a better decision could have removed the exposure earlier. Safety is about coming home, and design is one of the earliest places where that promise becomes real or fragile.

Conclusion

Prevention through Design gives risk management a stronger starting point because it asks leaders to remove, substitute, or engineer out serious exposure before the organization depends on permits, training, and PPE. The most useful review tests whether the hazard should exist, whether SIF exposure has been prioritized, whether engineering options were considered, whether maintenance work is safe, and whether procurement and change control protect the field.

If your organization needs to find where design decisions are pushing risk downstream, request a safety culture and risk-management diagnostic with Andreza Araujo.

#prevention-through-design #risk-management #hierarchy-of-controls #critical-controls #sif #ehs-manager

Frequently asked questions

What is Prevention through Design in occupational safety?
Prevention through Design is the practice of identifying and reducing hazards during the design or redesign of facilities, equipment, tools, materials, tasks, and work organization. It moves risk management upstream so the organization can eliminate, substitute, or engineer out exposure before relying on training, procedures, permits, and PPE.
How does Prevention through Design relate to the hierarchy of controls?
Prevention through Design gives practical force to the top of the hierarchy of controls. Instead of starting with administrative controls or PPE, the review asks whether the hazard can be eliminated, substituted, isolated, automated, guarded, ventilated, or redesigned before workers face the exposure.
Which standard supports Prevention through Design?
ANSI/ASSP Z590.3 is the main U.S. consensus standard associated with Prevention through Design. It frames hazard analysis and risk reduction during design and redesign. ISO 45001:2018 also supports the logic because it requires organizations to address risks and opportunities within the occupational health and safety management system.
Why does Prevention through Design matter for SIF prevention?
SIF prevention depends on strong controls for high-energy work, confined spaces, mobile equipment, electrical isolation, line breaking, working at height, and similar exposures. Prevention through Design matters because it can remove or engineer out those exposures before the organization depends on human attention at the point of work.
Where should an EHS manager start with Prevention through Design?
Start with one high-energy work family and review where workers still depend on behavior, permits, and PPE because design did not remove the exposure. Then document elimination, substitution, and engineering options before approving administrative controls as the main protection.

About the author

Global Safety Culture Specialist

Andreza Araujo is an international reference in EHS, safety culture and safe behavior, with 25+ years leading cultural transformation programs in multinational companies and impacting employees in more than 30 countries. Recognized as a LinkedIn Top Voice, she contributes to the public conversation on leadership, safety culture and prevention for a global professional audience. Civil engineer and occupational safety engineer from Unicamp, with a master's degree in Environmental Diplomacy from the University of Geneva. Author of 16 books on safety culture, leadership and SIF prevention, and host of the Headline Podcast.

  • Civil Engineer (Unicamp)
  • Occupational Safety Engineer (Unicamp)
  • Master in Environmental Diplomacy (University of Geneva)