This post makes use of the Safety by Design Index, a common language and set of levels for discussing device safety and encouraging safer-by-design development. The index was created by the author.
I climb, but in the same way some people, myself included, “speak French”: somewhere between a beginner and a liability. Mostly sport, and mostly outdoors.
So naturally, like many other recreational climbers, I’ve also developed strong opinions about gear, safety systems, and load paths I probably have no business having.
Case in point, a climber (typical gear-head equipment collector type) was recently talking up his Petzl GriGri as the obviously safer choice compared to a tube-style ATC, and suggesting everybody try belaying with it.
His argument went roughly: the GriGri locks automatically when the rope is pulled, so even if the belayer lets go while the climber is falling, they’re still held safely.
As it turns out, that’s true, but only partly.
The GriGri does have a failure mode: the cam only engages if the rope geometry, tension, orientation, and user behaviour remain within the operating envelope the device was designed around.
But wait, that’s the exact same failure mode as the ATC, isn’t it?
Well, yes. Except that the GriGri introduces an extra safeguard: the cam mechanism is designed to automatically grip the rope harder as tension rises under load. In other words, it grabs harder when things get spicy.
So that’s an unambiguous win then. Right? The GriGri’s cam locks the rope automatically, therefore it’s safer.
Well, sort of, but of course it’s more complicated than that.
There are videos online of climbers hitting the deck as their experienced belayer unexpectedly discovered the edges of the GriGri’s safe operating envelope. That’s the kind of footgun you really don’t want in a safety device: a failure mode you only discover by using it incorrectly in the field.
And that’s the thing about ATCs: they don’t have hidden failure modes. The instant you use one incorrectly, everybody knows, because the device continuously forces its failure modes into the user’s awareness. If your brake hand comes off, the rope runs free and the climber falls. The cognitive model of the device matches its physics.
So how does the GriGri have a failure mode that ends up hidden from some users? How does a device designed, marketed, sold (and then bought) as a safer alternative to the ATC become actively less safe in the field?
It’s a phenomenon that emerges not just with the GriGri, but with many other devices too. It arises when users believe that devices are actively safe, without understanding that failure conditions still exist, or what they are.
In the case of the GriGri, if the user misunderstands its safety properties, it’s easy to see how their attention can drift, or brake-hand discipline can soften. It also explains why users sometimes start to override cams for convenience, or anthropomorphise the device as “automatic”. In each case, the lapse in correct operating procedure is underpinned by the dangerously flawed belief that the GriGri will automatically catch the climber.
Without appreciating that failure modes exist, users often stop actively defending against them.
Said another way, users will often treat Level 3: Safety Assisted devices as Level 4: Fail-Safe devices if their failure modes are not apparent during normal use, or cannot be discovered without training.
And that’s a much harder catch in the field, because the user doesn’t know what they don’t know. Asking “can you use that device competently and safely?” yields an honest, well-intentioned answer which is insidiously difficult to verify.
Does the belayer understand exactly when and how their belay device will fail? Hopefully. But if they’re using a GriGri, that becomes a lot harder to reason about.

| Level | Name | What the device provides |
|---|---|---|
| 0 | No Protection | No protection. Hazard fully exposed. |
| 1 | Safe Only With Correct Use | No engineering controls. Safety depends on the operator. |
| 2 | Safety Encouraged | Cues and warnings, but no enforcement. |
| 3 | Safety Assisted | Automatic protection, but incorrect technique or misuse can still cause harm. |
| 4 | Fail-Safe | Enforced safe state. Cannot be overridden by operator. |
| 5 | Inherently Safe | Hazard designed out. Cannot cause serious harm. |

And that’s the paradox: the GriGri is materially safer than an ATC, but, like many other devices in its safety class, it is predisposed to present subconsciously in the minds of operators as a Level 4 device, leading to behaviours that unintentionally reintroduce catastrophic risk.
It’s a symptom of many Level 3 devices, and generalises far beyond climbing.
Ask any motorcyclist about the first time they experienced thermal brake fade. Halfway down a long descent, the brake lever loses resistance and the bike just… doesn’t slow down anymore. In that moment, without training beforehand, the rider likely discovered for the first time that what they thought was a Level 4: Fail-Safe system was actually a Level 3: Safety Assisted system with a failure mode they just didn’t know about.
In both cases, failure modes tend to be subtle, rare, or counterintuitive, and invisible right up until the operator hits them. And because the system usually works, operators can go years without ever learning where those edges are, until it’s too late.
This is what makes upgrading Level 1 or Level 2 devices to Level 3 so dangerous; without mandatory training, the operator is often unwittingly swapping a dangerous-by-default device they fully understood for one that will fail in ways they can’t anticipate.
See https://safety-framework.fawltea.net/ for the full Safety by Design Index.