# Manufacturing risk mitigation, re-assessment, and the future

## Tutorial

The first pass at making a risk assessment looks at the machine in its raw condition, without interlocks, guards, and other safety features. This allows us to clearly identify the possible failure conditions, and how likely they are to arise on their own. The second step is to...

October 26, 2010

A prior tutorial, "Risk assessment: How do I weight manufacturing hazards that I’ve found?" looks at a risk assessment model wherein we separated different possible failure modes of a piece of manufacturing equipment, and calculated a risk value for each one consisting of the product of two factors: the severity of outcome, should the failure happen; and the probability of that outcome happening. We noted that, although it was an extremely useful conceptual model, quantitatively evaluating the cofactors with any precision was difficult.

We sidestepped the problem by using fuzzy logic to form a decision matrix that classified severity of harm into four categories from minor to catastrophic, and likelihood into four categories from remote to very likely. The matrix decoded any given combination of severity and likelihood into four risk-level categories from negligible to high. What this strategy lacks in mathematical elegance and precision, it makes up for in practicality.

The next step is to know what to do with the results. Specifically, we want to identify unacceptably dangerous failure modes, so that we can take steps to mitigate them.

1. First, it is important to recognize that our first pass at making the risk assessment looks at the machine in its raw condition – without interlocks, guards, and other safety features. This allows us to clearly identify the possible failure conditions, and how likely they are to arise on their own.

2. The second step is to set an acceptable risk level. For example, one might set the acceptable risk level at “low,” meaning that any failure mode the matrix rates medium or high calls for mitigation steps. Those the matrix rates low or negligible can still be reviewed for softer measures such as training, placards, and work procedures.

3. Of course, the third step is to actually take steps to reduce those risk levels to low or negligible. We do that by adding interlocks, guards, and other safety features to lower the probability that the failure will occur. It is important to note that the lowered risk levels hold only while the specified safety features are present and active. Should someone, say, bypass an interlock, the risk for that failure mode rises back to the non-interlocked level.

## Risk mitigation

When thinking about risk mitigation, it is also important to recognize that the hazard is still there, and its severity is still the same as it would be without safety features. Features to mitigate safety risks do not affect the severity of the hazard. All they affect are the probabilities that the failure will arise.

If, for example, the failure is that someone might get their fingers caught in a gear train, crushing the fingers, putting a guard over the gear train does not affect the hazard posed by the gear train. If somebody manages to stick their fingers in there, they’re going to the hospital! The guard simply drives the probability that someone will stick their fingers into the gears to zero (as long as the guard is in place).

When designing safety features, it is also important to recognize that there are two modes for operating any automated production machinery: automatic operational mode, and maintenance/repair mode. In operational mode, the machine is running automatically, and all the safety features must be in place and active.

Very often, however, it will be infeasible to run the machine in maintenance mode with all safety features active. It might be impossible, for example, to observe proper alignment of the geartrain while the guard is in place. In such cases, it is important to explicitly provide an alternate risk mitigation strategy, such as establishing a generous minimum distance the technician(s) must maintain while the guard is removed. Whatever such safety measures are, they must allow the operation to continue, while keeping technicians safe.

Maintenance and repair technicians typically spend much of their time in this “danger zone,” where some of the safety features on the equipment they operate have been defeated. Part of their training must be to recognize this heightened risk level, and know how to mitigate it with temporary measures and good safety practices.
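The following Python model is an added example, not code from the original article or its authors. It puts the decision matrix from the earlier tutorial together with the three steps above and the two operating modes just described: each failure mode carries a fixed severity, safety features only move likelihood, a feature that is inactive in the current mode or bypassed contributes nothing, and a review flags every mode still above the acceptable risk level. The intermediate category names, the matrix cell assignments, the per-feature step counts and the three failure modes are all assumptions chosen for illustration; a real matrix comes from the site's own safety policy.

```python
"""Risk-matrix model for a machine's failure modes (constructed example).

Severity and likelihood are each binned into four categories, a decision
matrix maps each (severity, likelihood) pair to a risk level, and safety
features are modelled as reductions in likelihood only: they never change
the severity of the underlying hazard.
"""
from dataclasses import dataclass, field
from enum import Enum, IntEnum


class Severity(IntEnum):
    # Endpoints follow the article; the two middle names are assumed.
    MINOR = 1
    MODERATE = 2
    SERIOUS = 3
    CATASTROPHIC = 4


class Likelihood(IntEnum):
    REMOTE = 1
    UNLIKELY = 2
    LIKELY = 3
    VERY_LIKELY = 4


class Risk(IntEnum):
    NEGLIGIBLE = 1
    LOW = 2
    MEDIUM = 3
    HIGH = 4


class Mode(Enum):
    AUTO = "automatic operation"
    MAINTENANCE = "maintenance/repair"


# Assumed cell assignments: rows are severity, columns are likelihood
# from REMOTE to VERY_LIKELY. Not a standard; for demonstration only.
RISK_MATRIX = {
    Severity.MINOR:        (Risk.NEGLIGIBLE, Risk.NEGLIGIBLE, Risk.LOW,    Risk.LOW),
    Severity.MODERATE:     (Risk.NEGLIGIBLE, Risk.LOW,        Risk.MEDIUM, Risk.MEDIUM),
    Severity.SERIOUS:      (Risk.LOW,        Risk.MEDIUM,     Risk.MEDIUM, Risk.HIGH),
    Severity.CATASTROPHIC: (Risk.LOW,        Risk.MEDIUM,     Risk.HIGH,   Risk.HIGH),
}


def risk_level(severity: Severity, likelihood: Likelihood) -> Risk:
    """Decode one (severity, likelihood) pair through the matrix."""
    return RISK_MATRIX[severity][likelihood - 1]


@dataclass(frozen=True)
class Mitigation:
    name: str
    steps: int            # how many likelihood categories the feature removes
    active_in: frozenset  # modes in which the feature is actually in place


@dataclass
class FailureMode:
    name: str
    severity: Severity
    raw_likelihood: Likelihood  # likelihood with no safety features at all
    mitigations: list = field(default_factory=list)


def residual_likelihood(fm: FailureMode, mode: Mode, bypassed=frozenset()) -> Likelihood:
    """Likelihood once the features active in `mode` (and not bypassed) apply.

    Likelihood never drops below REMOTE, and an inactive or bypassed feature
    contributes nothing, so the value climbs back toward the raw figure as
    soon as a guard is removed or an interlock is defeated.
    """
    steps = sum(m.steps for m in fm.mitigations
                if mode in m.active_in and m.name not in bypassed)
    return Likelihood(max(Likelihood.REMOTE, fm.raw_likelihood - steps))


def assess(fm: FailureMode, mode: Mode, bypassed=frozenset()) -> Risk:
    """Residual risk: severity is untouched, only likelihood has moved."""
    return risk_level(fm.severity, residual_likelihood(fm, mode, bypassed))


def review(failure_modes, mode: Mode, acceptable: Risk = Risk.LOW, bypassed=frozenset()):
    """Return (name, raw risk, residual risk) for every mode still above `acceptable`."""
    flagged = []
    for fm in failure_modes:
        raw = risk_level(fm.severity, fm.raw_likelihood)
        residual = assess(fm, mode, bypassed)
        if residual > acceptable:
            flagged.append((fm.name, raw, residual))
    return flagged


# Constructed safety features and failure modes for a hypothetical machine.
GEAR_GUARD = Mitigation("fixed gear guard", steps=2, active_in=frozenset({Mode.AUTO}))
STANDOFF = Mitigation("standoff distance while guard removed", steps=1,
                      active_in=frozenset({Mode.MAINTENANCE}))
DOOR_INTERLOCK = Mitigation("interlocked access door", steps=1,
                            active_in=frozenset({Mode.AUTO, Mode.MAINTENANCE}))

MACHINE = [
    FailureMode("fingers caught in gear train", Severity.SERIOUS, Likelihood.LIKELY,
                [GEAR_GUARD, STANDOFF]),
    FailureMode("ejected workpiece strikes operator", Severity.CATASTROPHIC,
                Likelihood.UNLIKELY, [DOOR_INTERLOCK]),
    FailureMode("pinch at conveyor infeed", Severity.MINOR, Likelihood.VERY_LIKELY),
]

if __name__ == "__main__":
    for mode in Mode:
        print(f"{mode.value}: flagged = {review(MACHINE, mode)}")
    print("guard bypassed in auto:",
          review(MACHINE, Mode.AUTO, bypassed={"fixed gear guard"}))
```

Run as a script, the review passes clean in automatic mode, flags the gear train in maintenance mode (the assumed standoff distance alone only brings it to medium, so the alternate measure needs strengthening), and flags it again in automatic mode the moment the guard is listed as bypassed, while the severity column never changes.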

As a senior test engineer working around high voltage power supplies, one of us (Masi) made it a habit to always keep his left hand well away from the equipment under test when it might be energized. This lowered the probability that, should accidental contact be made, the current path would cross the heart. In such an event, a shock might be painful, but perhaps not lethal, depending on conditions.

Risk assessments should be done at three stages of the equipment’s product life cycle: during design, after fabrication, and after installation. The best time to identify potential failure modes is during design. At that stage, mitigation efforts are least costly and most effective.

It is not always possible, however, to identify every failure mode at the design stage. Experience shows that there will always be some modes that can only be seen by inspection and testing of the physical equipment after construction.

Additional failure modes arise when the equipment is installed, due to interaction of the equipment with its immediate surroundings. Since the “use” environment can almost never be adequately specified beforehand, it is necessary to perform a risk assessment at that stage.

Of course, any time the “use” environment changes by, for example, moving neighboring machinery to new locations, the risk assessment must be renewed to account for the changes. Even if there is no change in the level of risk, the only way to know that is through a risk assessment.

These additional risk assessments may not need to be as comprehensive as the initial one. If, for example, another machine is moved in such a way as to reduce the walkway on one side of the machine in question, it likely would have no effect on activities on the other side. Only activities on the affected side are likely to change, so only they need be included in the re-assessment.

Finally, it is recommended that, in the absence of anything triggering a risk assessment, every machine should be reevaluated once per year to make sure nothing has been overlooked.

## ISO standards on the horizon

In some ways, European countries are far ahead of the U.S. in their approach to safety. At present there are five standards promulgated by ANSI, ISO, and other bodies that specify how to make risk assessments. OEMs and users are free to apply whichever fits their needs best.

In 2012, however, the international safety community plans to harmonize U.S. standards with those used in Europe by replacing the five current standards (specifically EN-954-1) with ISO standards 13849-1 (2006), and 13849-2 (2003). These take a more quantitative approach to risk assessment.

This harmonization effort will help U.S. manufacturers because all OEM equipment exported to Europe needs to conform to these standards. Adopting them in the U.S. will level the playing field by requiring equipment imported to the U.S. to conform as well.

Scott Krumwiede, manager, RWD Technologies and C.G. Masi, contributing content specialist for Control Engineering.

For more on equipment safety, visit the Siemens Website at www.sea.siemens.com/safety.

For more on risk assessments, visit the RWD Technologies Website at www.rwd.com.