Risk Assessment: Basics and Benchmarks
Bruce W. Main, PE, CSP
design safety engineering, inc.
Ann Arbor, Michigan, U.S.A.

Copyright © 2004 by design safety engineering, inc.
PO Box 8109
Ann Arbor, MI 48197 USA
www.designsafe.com

All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without permission in writing from design safety engineering, inc.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a competent professional where appropriate.
Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

Printed and bound in the United States of America
ISBN 0-9741248-0-8

To my family

TABLE OF CONTENTS

Chapter 1 - Introduction 1
  Key Points 1
  Why You Should Care About Risk Assessment 1
  About This Book 2
  A Brief History 4
  Limitation 4
  Accepting Risk 4
  A Journey 5
  An International Activity 5
Section 1 - Basic Concepts 7
Chapter 2 - Which of the Many Risks? 9
  Key Points 9
  Introduction 9
  Risk 10
  Sources of Risk 10
  Elements of Risk 11
  Individual or Societal Risk? 11
  Risk Distributions 12
  Common Terms 12
Chapter 3 - Safety Through Design 13
  Key Points 13
  Introduction 13
  Avoid Retrofitting 14
  Starting Early 16
  The Goal 16
  The Hazard Control Hierarchy 17
  Education and Training Limitation 17
  Retraining Engineers 18
  Forces Pushing Safety Through Design 18
  What Can be Done Now 19
  The Current State of the Art 19
  Closure 19
Chapter 4 - Acceptable Risk 21
  Key Points 21
  Introduction 21
  Zero Risk 22
  What Risk is Acceptable? 23
  Acceptable or Tolerable? 31
Chapter 5 - Design Reviews 35
  Key Points 35
  Introduction 35
  Purpose of a Design Review 36
  Types of Design Reviews 36
  Timing of a Design Review 37
  Design Review Mechanics 37
  The Decision Making Process 38
  Separating the Analysis and Review 38
  Types of Safety Analyses for Design Reviews 39
  Practical Considerations 39
  Closure 40
Section 2 - Practical Guidance on How to do Risk Assessment 43
Chapter 6 - The Basics of Risk Assessment 45
  Key Points 45
  Overview of the Risk Assessment Process 45
  Preparing for the Risk Assessment Effort 46
  The Risk Assessment Process - Step by Step 47
  Some Examples 56
  Cost as a Factor of Feasibility 57
  Closure 58
Chapter 7 - Practical Applications and Examples 59
  Key Points 59
  Introduction 59
  Example #1 - Robotic Manufacturing Cell 60
  Example #2 - Large Oven System 61
  Example #3 - Packaging System 62
  Example #4 - Working with OSHA 62
  Example #5 - NIOSH Power Bagel Slicer 64
  Example #6 - Medical Device 69
  Example #7 - The Starlink Corn Episode 76
  Common Themes 76
Chapter 8 - Implementing Risk Assessment 78
  Key Points 78
  Introduction 79
  Introducing the Risk Assessment Process to a Company 79
  Changing the Design Process
  Who Should do the Risk Assessment 83
  Cascading Risk Assessments 89
  Used Equipment 91
  Getting Started - Practical Guidance 93
  Making Progress 95
  Risk Assessment Training 99
  Closure 101
Chapter 9 - Risk Scoring Systems 103
  Key Points 103
  Introduction 103
  Types 104
  Purpose 104
  Different Measures 105
  Variables in Risk Scoring Systems 105
  Why so Many Variations? 112
  How to Select a Risk Scoring System 114
  Divergence or Convergence? 114
Section 3 - Risk Assessment Benchmarks 117
Chapter 10 - Overview 119
  Key Points 119
  Overview 119
  Benchmark 120
  Consensus vs. Performance Based Standards 120
  Format 121
  Repetition 121
  Limitations
Chapter 11 - Aviation and Aerospace Industries 122
  Aviation Ground Operations 122
  Spacecraft Design and Manufacturing 124
  Space Flight Operations 128
  Locating Airports 131
  FAA Risk Assessment Studies 132
Chapter 12 - Chemical and Oil 135
  Content 135
  Industry Overview 135
  Swiss Chemical Industry 139
  Special Project: Chemical Accident Database 142
Chapter 13 - Company Specific Approaches 145
  General 145
  BP Amoco 146
  Exxon Mobil Corporation 147
  General Motors Corporation 147
  Motorola, Inc. 148
  Oracle Corporation 148
  Schindler Management AG 149
  SICK AG 150
  SUVA 151
  Closure 152
Chapter 14 - Consumer Products 154
  Introduction 154
  U.S. Consumer Product Safety Commission 155
  European Market 157
Chapter 15 - Construction 160
  General 160
  UK Construction Risk Assessment 164
  Structure and Dams 166
Chapter 16 - Environmental 168
  ISO 14000 Series 168
  International Applications 171
  Australian Environmental Risk Management 174
  U.S. Applications 177
  Ecological Risk Assessment 180
  Wastes 181
Chapter 17 - Ergonomics 184
  General 184
  Ergonomics in the Machine Tool Industry 187
  Ergonomics in the U.S. Army 189
  Ergonomics in the UK 192
  Manual Handling in Australia 193
  A Sample Ergonomic Assessment Tool 196
  Other Ergonomic Risk Assessment Activities 197
Chapter 18 - Fire and Explosion 200
  Fire Risk Assessment 200
  NFPA 551 Fire Risk Assessment Guide 204
  Semiconductor Fire Risk Assessment 205
  Explosive Atmospheres 207
Chapter 19 - Food 212
  General 212
  Food Risk Analysis 213
  Food Risk Assessment 216
  Risk Management and Risk Communication 220
  Sample Microbiological Risk Assessment 220
  Food Safety Resources Organizations 221
Chapter 20 - Government Activities 224
  U.S. Occupational Safety and Health Administration (OSHA) 224
  U.S. Presidential/Congressional Commission 225
  NIOSH Risk Assessment Evaluation Project 226
  U.S. Homeland Security 227
  Canadian Ministry of Labour 228
  Europe 229
  Australia National Standards Guide 230
  Australian Occupational Health and Safety Regulation 231
Chapter 21 - Land Transport 233
  Auto and Rail Transport 233
  Off-road 235
Chapter 22 - Lifts (Elevators), Escalators and Passenger Conveyors 239
Chapter 23 - Lockout/Tagout Standard - Reaching Across Industry Lines 243
  U.S. Standard ANSI Z244.1 243
  Canadian Standard ANSI Z460 245
Chapter 24 - Machinery and Machine Tools 246
  Europe - General 246
  United Kingdom 248
  ISO Guide 51 251
  Europe - Machine Tools 252
  French Risk Analysis 255
  U.S. Machine Tool Industry 257
  U.S. Machinery Electrical Requirements 262
  Canadian Risk Graph for Machinery 263
  Machinery Risk Assessment 264
Chapter 25 - Maintenance Application 267
  Risk Assessment for Maintenance Work 267
Chapter 26 - Medical Devices 271
  Medical Device Standard 271
  Australian Medical Devices 274
  Food and Drug Administration 274
  Veterans' Administration Approach 277
Chapter 27 - Military 283
  U.S. Military Standard 882 283
  U.S. Army 286
  U.S. Navy and Marine Corps 290
  U.S. Coast Guard 293
  Australian Military 298
Chapter 28 - Nuclear Power Industry 300
Chapter 29 - Offshore 304
  Quantitative Risk Assessments 304
  Offshore Health Risk Assessments 308
  Sample Study 309
Chapter 30 - Packaging Machinery Industry 311
  ANSI/PMMI B155.1 311
  Other PMMI Risk Materials 312
Chapter 31 - Process Controls Industries 315
  ANSI/ISA S84 315
  IEC 61508/IEC 61511 318
  ISO 13841/EN 954 320
Chapter 32 - Product Liability 324
  Background 324
  Description 325
  Risk Scoring System 327
  Status 329
Chapter 33 - Risk Assessment in Education 331
  Introduction 331
  Vanderbilt University 331
  Professional Education 333
  Educator Responsibilities 333
  Deployment to Educational Facilities 336
Chapter 34 - Risk Management 342
  General 342
  Risk Management Systems 347
  The Australian Risk Management Standard 349
  Other Australian Risk Management Efforts 352
  Risk Management in Canada 353
  Risk Management in Europe 356
  ANSI Z10 Safety Management Standard 357
Chapter 35 - Robotics 360
  U.S. Robotic Applications 360
  Canadian Robotic Applications 362
  European Robotic Applications 363
  Intelligent Assist Devices 364
Chapter 36 - Semiconductors and Flat Panels 365
Chapter 37 - Other Risk Assessment Benchmarks 370
  Manuele's Study 370
  ASME International 371
  SERAD 372
  Risk-Based Inspections 373
  Disaster and Emergency Preparedness 373
  Industry Best Practices 374
Section 4 - Improving the Risk Assessment Process 377
Chapter 38 - Comparing the Benchmark Methods 379
  Key Point 379
  Comparing Risk Terms 379
  Comparing Risk Scoring Systems 382
  Comparing Flow Charts and Lineage 383
  Closure 384
Chapter 39 - Other Methods to Assess Risks 385
  Key Points 385
  Methods to Assess Risks 385
  Comparison to FMEA 387
  Comparison to PHA 388
  Comparison to "What If" and Hazop 389
  Comparison to FTA 390
  Comparison to MORT 391
  Comparison to Checklists 391
  Comparison to Standards/Codes 392
  Which Method(s) to Use 392
Chapter 40 - The Documentation Debate 395
  Key Points 395
  The Conflict 395
  The Opposition 395
  The Supporters 396
  From Good to Bad 398
  The Bottom Line 398
  Risk Communication 399
Chapter 41 - Harmonizing the Risk Assessment Process 401
  Key Points 401
  Introduction 401
  A Workshop on Harmonizing Risk Assessment 402
  Support for Harmonizing 405
  Reasons Against Harmonizing 406
  Ongoing Efforts 409
  Recommendations for Harmonization Efforts 409
  Flexibility - A Critical Success Factor 411
  Closure 411
Chapter 42 - A Roadmap to a Better System 413
  Key Point 413
  Introduction 413
  Identify the Problem 414
  Know the Audience 414
  Consider the Logistics 415
  Identify the Steps in the Process 417
  Select or Develop a Risk Scoring System 417
  Anticipate Change 421
  Address Complexity 421
  The Importance of Severity 422
  The Best Method 423
  Closure 424
Chapter 43 - Principles for Improving the Risk Assessment Process 425
  Introduction 425
  Principle #1 - Minimize the Use of Labels 425
  Principle #2 - Simplify the Risk Assessment Process 427
  Principle #3 - Adopt "Risk Assessment Process" as the Overall Term 428
  Principle #4 - The Risk Assessment Process Includes Risk Reduction 429
  Principle #5 - Adopt the Risk Assessment Process Flow Chart 431
  Principle #6 - Accept Subjective Judgment 432
  Principle #7 - Accept Uncertainty 433
  Principle #8 - What is Risk Assessment? 434
  Closure 435
Chapter 44 - Projections for the Future 436
Appendix A - Comparison of Risk Assessment Terms 441
Appendix B - Comparing Benchmark Attributes: Risk Terms 462
Appendix C - Comparing Benchmark Attributes: Risk Scoring Systems 470
Appendix D - List of Acronyms 476
Appendix E - Contents of Compact Disk 478
Index 479

LIST OF FIGURES

Figure 3.1 - Safety Through Design Today/Tomorrow 15
Figure 3.2 - Safety Through Design Model 16
Figure 4.1 - As Low As Reasonably Possible (ALARP) 26
Figure 4.2 - Comparing Acceptable and Tolerable Risk 32
Figure 6.1 - The Risk Assessment Process 48
Figure 7.1 - Photo of Bagel Slicer 65
Figure 7.2 - Photo of Bagel Slicer Warning Label 65
Figure 7.3 - Bagel Slicer Risk Assessment 67
Figure 7.4 - A comparison of the heart of an HLHS patient to a normal heart 70
Figure 7.5 - Shape of proposed device 71
Figure 7.6 - Method of implanting device into the pulmonary arteries 71
Figure 7.7 - Student designsafe® Analysis 72
Figure 8.1 - Phases of Introducing Risk Assessment to a Company 80
Figure 8.2 - Design Development Process for Consumer Product or Component Supplier 85
Figure 8.3 - Risk Assessment in Joint Supplier/User Custom Product - Design Development Process 87
Figure 8.4 - Risk Assessment in Off the Shelf Product - Design Development Process 88
Figure 8.5 - Risk Assessment in New Product Idea - Design Development Process 90
Figure 8.6 - Risk Assessment in Retrofit or Used Equipment - Design Development Process 92
Figure 8.7 - Iteration in Risk Reduction 98
Figure 9.1 - Steps in Probabilistic Risk Assessment 110
Figure 11.1 - Risk Management Process in Aviation Ground Operations 123
Figure 12.1 - Example Frequency/Number of People (F/N) Curve 136
Figure 12.2 - Quantified Risk Assessment (QRA) 137
Figure 12.3 - Chemical Process Quantitative Risk Analysis (CPQRA) Flowchart 138
Figure 12.4 - Example Risk Assessment Process in Oil and Gas Industries 139
Figure 12.5 - Sample Cumulative Frequency Distribution Graph 141
Figure 12.6 - Two Step Procedure for Hazard and Risk Assessment for Facilities and Installations Falling Under the OMA (Switzerland) 142
Figure 13.1 - Risk Analysis Process per Hale (2000) 150
Figure 14.1 - CE Mark 158
Figure 15.1 - Flow Chart of Risk Management Procedure in the Construction Industry 163
Figure 16.1 - Environmental Management System Model for ISO 14001 169
Figure 16.2 - EPA Risk Assessment Process 180
Figure 17.1 - Posture Benchmarks for Wrist Articulation 186
Figure 17.2 - Sample Ergonomic Risk Assessment Worksheet, U.S. Army 191
Figure 17.3 - Three Stage Approach to Safe Manual Handling 195
Figure 18.1 - The Basic Fire Safety Design Process 201
Figure 18.2 - Risk-Informed Methodology Process per Barry (2001) 202
Figure 18.3 - RASE Fundamental Steps of Risk Assessment 208
Figure 18.4 - RASE Risk Scoring System 209
Figure 19.1 - Risk Analysis Model (Food Industry) 215
Figure 19.2 - USDA Risk Analysis Model 216
Figure 21.1 - Risk Management Process (Auto and Railway Transport Industry) 235
Figure 22.1 - Overview of Risk Analysis per ISO/TS 14798:2000E 240
Figure 24.1 - Risk Assessment per ISO 14121/EN 1050 247
Figure 24.2 - Elements of Risk (ISO 14121/EN 1050) 248
Figure 24.3 - Methodology for Machinery Risk Assessment (HSE) 250
Figure 24.4 - Risk Assessment and Risk Reduction per ISO Guide 51 252
Figure 24.5 - Schematic of ISO 12100-1/EN 292-1 Risk Reduction Process 254
Figure 24.6 - Conditions of Occurrence of Harm (CRAMIF) 256
Figure 24.7 - Eliminating or Reducing Risk (CRAMIF) 257
Figure 24.8 - Relationship Between Supplier and User 259
Figure 24.9 - Risk Assessment and Risk Reduction Process per ANSI B11 TR3 261
Figure 24.10 - Sample Risk Graph 264
Figure 24.11 - The Steps in Machinery Safety Risk Assessment for Risk Reduction 265
Figure 25.1 - Risk Assessment for Maintenance Work 270
Figure 26.1 - Flow Diagram of Risk Analysis Procedure 273
Figure 26.2 - Flow Chart for Medical Device Risk Management 276
Figure 26.3 - Healthcare Failure Mode and Effects Analysis (HFMEA) 279
Figure 27.1 - U.S. Army Risk Management Process 287
Figure 27.2 - Navy and Marine Corps Operational Risk Management (ORM) Process 292
Figure 27.3 - Seven-Step Operation Risk Management (ORM) Process, U.S. Coast Guard 295
Figure 29.1 - Risk Estimation, Analysis and Evaluation (NORSOK Z-013) 307
Figure 30.1 - Risk Assessment General Steps for Packaging Machinery 313
Figure 31.1 - Safety Life Cycle (ANSI/ISA S84.01) 317
Figure 31.2 - Risk Factors Map to Risk Levels (ISO 13241-1/EN 954-1) 322
Figure 33.1 - OHS and Environmental Hazard or Incident Report (OHS01) 337
Figure 33.2 - OHS and Environmental Hazard or Incident Report (OHS02), Page 2 339
Figure 33.3 - OHS and Environmental Hazard or Incident Report (OHS03) 340
Figure 34.1 - Risk Assessment Process (Ale) 345
Figure 34.2 - Risk Management Process (Capaul) 345
Figure 34.3 - Risk Management Process (Hoj and Kroger) 346
Figure 34.4 - Relationship Between Various Risk Management Terms 347
Figure 34.5 - Risk Management Process Steps - Schematic (OMAFRA) 355
Figure 34.6 - Risk Management Process (OMAFRA) 356
Figure 35.1 - Overview of Risk Assessment (Robotic Industries) 361
Figure 36.1 - Risk Assessment Flowchart in the Semiconductor Industries 367
Figure 39.1 - Methods to Assess Risk 386
Figure 41.1 - Risk Estimation, Analysis and Evaluation (NORSOK Z-013) 403
Figure 42.1 - Continuum of Risk Scoring Systems 420
Figure 43.1 - The Iterative Process to Achieve Safety - From ISO 14121:1999 426
Figure 43.2 - The Risk Assessment Process 431

PREFACE

This is a very exciting time to be involved in the risk assessment process because risk assessment is in such a state of flux. The groundbreaking methods developed by the military, nuclear power, and chemical and oil industries in the latter part of the prior century are being used and adapted by many industries.
Today entities from a very wide diversity of fields are beginning to discover, demand, and deploy improved risk assessments in their organizations. Frequently an engineer, safety practitioner or other person in a company is given an assignment to lead the risk assessment effort. Where does one start? How does one improve an existing approach that is lacking in some way? The challenge becomes whether to invent something new or to research other existing solutions. This book addresses these questions by drawing together many of the existing methods and providing guidance on the risk assessment process.

This book is written for the engineer, safety practitioner, or manager who faces responsibility for assessing the risks of equipment, product, facility or system designs. It will help them identify hazards, assess risks and reduce risks as best they can, and help them communicate more effectively about risk.

The book is intended to be a practical resource with a strong emphasis on applied material, but some theoretical discussion is necessary. In certain situations terms, definitions or methods are presented based on the author's experiences or knowledge that do not agree with existing documents used by risk assessment specialists. Where conflicts occur, the solution presented is the one best suited for the non-specialist user to most rapidly and effectively learn and conduct a risk assessment.

The pace of improvements and deployments of the risk assessment process in industries today makes keeping up difficult. The causes behind all this progress are many, as discussed in detail in the book. In many ways it is hard to know where one stands in absolute terms or relative to others. Best practices are often hard to identify given the proprietary nature of risk assessment. This book helps sort out the issues and establishes the current state of the art in risk assessment methods at the beginning of 2004.
The risk assessment movement picks up speed as the benefits to safety, productivity, cost reduction and other aspects are realized. Just a few short years ago, the precursor to this book was a 31 page technical report (Main, 2000). As the risk assessment process crosses industry lines there is a need to understand how different industries and companies approach risk assessment. The risk assessment process will continue to grow, evolve, improve, and deploy in the coming years. The rewards of implementing risk assessment are high, the costs are relatively low, and the simple concept of "getting it right the first time" is too obvious to ignore.

Much of the risk assessment process is subjective. Most engineers and many safety practitioners dislike subjective methods. Efforts to improve the risk assessment process often focus on finding a more objective, repeatable and better method. This book assists the reader in understanding the elements of risk assessment, why they are subjective, and the options to consider in selecting or designing an alternate method. Or, by understanding the available options, the reader may become more comfortable with the subjective aspects of the risk assessment process.

This book is unique in that it crosses many industry lines in some depth. Other authors have written excellent works on how to assess risks in a given industry. This book is the first that draws together many diverse industry methods with sufficient detail to permit some comparisons among the approaches.

This book is extensive but not exhaustive. I have no doubt that other risk assessment methods being used today are not included in this book. Any oversight is unintentional. I welcome information, feedback, or comments about these or other aspects of the book. Please forward comments to bmain@designsafe.com.

Bruce W. Main
March 2004

ACKNOWLEDGEMENTS

None of us accomplishes very much alone. This book is no exception.
Although only one name appears as an author, many people helped to bring this book to completion. The opportunity to exchange ideas with, and receive guidance from, three individuals has been extremely beneficial and personally fulfilling. I cannot express enough my gratitude for their eager willingness to critique my ideas and stomp on the bad ones, and their generosity in pointing me in better directions. They are tremendous and learned gentlemen to whom I am very grateful: Fred Manuele, Wayne Christensen, and Michael Taubitz.

I would also like to acknowledge and thank the many technical reviewers who gave of their time and insights in reviewing portions of this book, including: Dave Felinski, Fred Hayes, Jeff Fryman, John Etherton, David McColl, Paul King, Kyle Jones, J. Paul Frantz, Lisa Buescher, Dale Whitford, Fred Manuele, Michael Taubitz, and Wayne Christensen. Their efforts and insights led to lively discussions that greatly improved the book.

I also express my deepest appreciation and gratitude to several individuals who made significant contributions to this book in innumerable and unseen ways. Without their assistance, this book would not have materialized. They include: Michelle Sponseiler, Lindsey Hunt, Kristen McMurphy, Elizabeth Main, and Lee Lewis. Their efforts included reviewing, critiquing, correcting, executing, supporting, and producing this book.

Bruce W. Main

Everyone is busy. This overview summarizes the most significant points of the book for the reader in a hurry. In addition, many chapters include a summary of the key points at the beginning of those chapters.

This book was written to help introduce, explain and describe the basics of the risk assessment process, and to identify risk assessment benchmarks currently in use worldwide.
More specifically, the book:
• discusses the basics of the risk assessment process;
• presents practical applications of implementing risk assessment in industry;
• provides numerous benchmarks on risk assessment activities across several industries and applications;
• compares the benchmark methods; and
• presents a roadmap for those seeking to develop an improved risk assessment process, including eight principles for improvement.

Many other authors have written excellent works on the topic of risk assessment. Often the authors are specialists in one industry or method. This book draws on many of these works and extends the discussion by examining the risk assessment methods used across different industries.

SECTION I - BASIC CONCEPTS

The first section of this book reviews the basics of the risk assessment process, including how it is a fundamental consideration in safety through design. Readers will find basic concepts about the different kinds and sources of risk, safety through design, and how risk assessment improves safety through design.

There are many forces pushing safety through design, including: costs, competition, quality, international influences, legal requirements, the desire to capture knowledge and the costs of retraining engineers. In general, there is considerable support that safety needs to be addressed during the design process rather than as a retrofit activity, and risk assessment pushes safety into the design process. However, an engineer's ability to integrate safety into the design process is limited by the training and education he or she has received.

The goal of risk assessment is to reduce risks to an acceptable (or tolerable) level. A zero risk level is not attainable. A chapter is included on acceptable risk and how to make decisions about accepting residual risks. An argument is made that the terms "acceptable" and "tolerable" risk should be considered synonyms within the risk assessment process.
Efforts to distinguish these terms can lead to inadvertent errors, even by organizations that wish to promote a difference in the terms. The terms are used synonymously in this book.

Risk reduction efforts to achieve acceptable risk must work within the real world constraints of feasibility, practicality and cost. Resources are always limited. Cost is an important factor in obtaining acceptable risk. A practical solution to achieving acceptable risk is a good faith application of the hierarchy of controls within the risk assessment process. This approach, coupled with the As Low As Reasonably Practical (ALARP) framework, is a useful guide in reducing risks to an acceptable level.

Any organization discussing risk and risk assessment needs a common understanding of the applicable terms. Terms used in the risk assessment process are defined in Appendix A. Many terms have more than one meaning. Be certain that the risk assessment team is working with a common definition.

Risk assessments are conducted primarily to help in the decision-making process. Decisions on the adequacy of a design usually occur during a design review. Risk assessment supports the design review process by providing the underlying analysis on which safety decisions can be made. Risk assessments take time to conduct effectively, typically more time than is available within a design review session. In most cases the assessment should occur separately from the design review. The design review process and the role of risk assessments are examined in this section.

Corrective actions that may be taken to introduce or improve safety through design efforts include formalizing existing but informal design processes that include elements of risk assessment, acquiring tools and training to conduct risk assessments, and advocating training on safety through design.

SECTION II - PRACTICAL GUIDANCE ON RISK ASSESSMENT

Section II is written for the practitioner who must actually conduct a risk assessment.
When all is said and done, someone needs to get his or her hands dirty and actually do the risk assessment. This section focuses on the practical application of the risk assessment process and examines applications where risk assessments have actually been used. Individuals who are new to risk assessment will find Section II a resource for getting up to speed quickly on the different options available and the means to introduce and implement risk assessments.

The step by step basics of the risk assessment process appear in Section II. Although many companies and industries use different risk assessment methods, the fundamentals of the risk assessment process are common:
• identify hazards,
• assess risk,
• reduce risk, and
• document the results.

A general risk assessment process describes the seven basic steps in completing a risk assessment. One step in particular, identifying hazards, is critical because if hazards are omitted the associated risks will remain unknown. A task-based approach to identifying hazards has been shown to be very effective and is recommended where applicable.

Several practical, real world applications of risk assessment demonstrate the risk assessment process and its results, drawing on the author's experiences in conducting risk assessments in industry. The examples include work process designs, product designs, and interactions with government authorities in different industries. A detailed risk assessment of a student design for a medical device is included to illustrate the risk assessment process and how the process can be successfully introduced to engineering design classes. An example from the food industry is presented that illustrates a risk assessment failure. Common themes are discussed, including that risk assessment offers a flexible tool that can be applied to many different situations.

Integrating risk assessment in an organization is a process that generally follows a sequence of phases.
A typical sequence is discussed. To be effective, the company culture must be willing to embrace the risk assessment process, and cultural acceptance stems from management leadership. Engineering design needs to change to include the risk assessment process to more effectively move safety into design. Only by changing the design process will risk assessment efforts succeed. Issues such as changing the design process to include risk assessment are critical to address for the risk assessment effort to be successful in a company. As with any new process or substantive change, people may resist. Guidance is shared on how to change the design process to include risk assessment, and what resistance may be encountered in doing so.

A team of interested persons should conduct the risk assessment. The team members can be drawn from several areas such as engineering, operations, safety, users and others. They may include different participants as the assessment evolves.

To integrate risk assessment into the design process, engineers will likely need education and training on risk assessment in some form. Unfortunately, most engineering design efforts do not currently include formal risk assessments. Engineering design must include the risk assessment process to more effectively move safety into design. Introducing the risk assessment process will explicitly change the design process, allowing hazards to be identified and risk reduction methods to be incorporated early in the design process. If the design process does not change, long term efforts to improve worker and product user safety will fail even if risk assessments are deployed.

Risk assessment does have limitations. Several limitations are discussed in order to minimize unrealistic expectations. Successfully integrating the risk assessment process into an organization requires time and effort.
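The four fundamentals summarized in this section (identify hazards, assess risk, reduce risk, document the results) and the hierarchy-of-controls route to acceptable risk described in Section I, worked through as an added example in Python. This is not code from the book or from design safety engineering, inc.; the severity and probability scales, the bands on the severity x probability product, the acceptance criterion (negligible or low is acceptable), the ordering of the hierarchy of controls and the sample hazard are all constructed assumptions for illustration, not a system the book prescribes.

```python
"""Worked example of the risk assessment process: identify, assess, reduce, document.

Added illustration; all scales, bands and the sample hazard are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed semi-quantitative scales (assumption; the book prescribes no values).
SEVERITY = {"negligible": 1, "marginal": 2, "serious": 3, "catastrophic": 4}
PROBABILITY = {"remote": 1, "unlikely": 2, "likely": 3, "very likely": 4}
ACCEPTABLE = {"negligible", "low"}  # assumed acceptance criterion for this example
# Hierarchy of controls, most effective first (assumed ordering for this example).
HIERARCHY = ["eliminate", "substitute", "engineering control", "warning", "training/PPE"]


def risk_level(score: int) -> str:
    """Map a severity x probability product (1..16) to a qualitative band (assumed bands)."""
    if score >= 12:
        return "high"
    if score >= 6:
        return "medium"
    if score >= 3:
        return "low"
    return "negligible"


@dataclass
class Hazard:
    task: str                 # task-based identification: what the person is doing
    hazard: str               # what can cause harm during that task
    severity: str             # key of SEVERITY
    probability: str          # key of PROBABILITY
    controls: list = field(default_factory=list)  # measures applied so far

    def score(self) -> int:
        return SEVERITY[self.severity] * PROBABILITY[self.probability]

    def level(self) -> str:
        return risk_level(self.score())


@dataclass
class Control:
    level: str                            # one entry of HIERARCHY
    description: str
    new_severity: Optional[str] = None    # None leaves the estimate unchanged
    new_probability: Optional[str] = None
    feasible: bool = True                 # the team's cost/practicality judgement


def reduce_risk(hazard: Hazard, candidates: list) -> list:
    """Apply feasible controls in hierarchy order until the risk is acceptable.

    Returns the documentation record: one entry per decision, so the residual
    risk and the rejected options are both on file for the design review.
    """
    record = [{"step": "initial", "score": hazard.score(), "level": hazard.level()}]
    for c in sorted(candidates, key=lambda ctl: HIERARCHY.index(ctl.level)):
        if hazard.level() in ACCEPTABLE:
            break  # acceptance criterion met; stop reducing
        if not c.feasible:
            record.append({"step": f"rejected {c.level}: {c.description}",
                           "score": hazard.score(), "level": hazard.level()})
            continue
        hazard.severity = c.new_severity or hazard.severity
        hazard.probability = c.new_probability or hazard.probability
        hazard.controls.append(c.description)
        record.append({"step": f"applied {c.level}: {c.description}",
                       "score": hazard.score(), "level": hazard.level()})
    record.append({"step": "residual", "score": hazard.score(), "level": hazard.level()})
    return record


def example() -> tuple:
    """Constructed sample: clearing a jam next to a rotating blade."""
    h = Hazard(task="clear jam at blade", hazard="contact with rotating blade",
               severity="serious", probability="likely")
    # Candidates deliberately listed out of hierarchy order.
    options = [
        Control("warning", "hazard label at access point", new_probability="unlikely"),
        Control("eliminate", "remove the blade", feasible=False),
        Control("engineering control", "interlocked guard stops blade when opened",
                new_probability="remote"),
        Control("training/PPE", "cut-resistant gloves", new_severity="marginal"),
    ]
    return h, reduce_risk(h, options)


if __name__ == "__main__":
    hazard, record = example()
    for entry in record:
        print(f"{entry['step']:<60} score={entry['score']:>2} level={entry['level']}")
```

The candidate controls are listed out of order on purpose: sorting by the hierarchy means the interlocked guard is evaluated before the label and the gloves, and once the risk falls into the assumed acceptable band the remaining options are not applied. A team working under ALARP would still ask at that point whether any remaining low-cost measure is reasonably practicable; the record also keeps the rejected elimination option, which is the kind of trace the documentation debate in Section IV is about.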
In consumer product and component product applications, the manufacturer is responsible for conducting the risk assessment, if applicable. Product users typically have no risk assessment responsibilities beyond using the product in conformance with the product information. In industrial product or process applications, both equipment suppliers and users should perform risk assessments and be involved in the risk assessment process.

This section provides tips and guidance on how to most effectively introduce the risk assessment process to an organization, and how to conduct risk assessments thereafter. Practical guidance is shared to help companies get started and make progress in the risk assessment process. Topics addressed include: the time to complete an assessment, forming a team, what to expect, when to stop a risk assessment, what to do in cross industry situations, when to revise an existing risk assessment, making changes to the protocol, results of risk assessment, and others.

"Risk scoring system" is the term that describes how risks are assessed. There are many variables, factors and combinations that must be considered in selecting a risk scoring system, and these are examined in detail in the book. Since there are many different systems used to arrive at risk levels, a chapter on risk scoring systems presents the different variables that are used to rate risk. The three most common types of risk scoring systems are qualitative, semi-quantitative and quantitative. A discussion explains the variables that make up a risk scoring system and how to decide between different systems. Given the subjective nature of rating risk, risk scoring systems will likely continue to emerge and proliferate as users refine and improve their risk assessment process. This divergence of methods should be considered healthy. In time, convergence to one or a few risk scoring systems may occur as efforts to harmonize and standardize risk assessment methods proceed.
This process will require some time.

SECTION III - BENCHMARKS

Section III of the book examines the many benchmark methods that exist today from a variety of industries and applications. A very broad cross section of methods documents the current state of the art and wealth of activity in the risk assessment process. Often more than one approach appears within an industry. This section permits readers to identify the similarities and differences in the different benchmark methods. Both novices and specialists should find useful information in this section. Those who are familiar with the risk assessment process will find Section III useful to identify the depth and breadth of current risk assessment activity.

The benchmark methods are presented based on publicly available documents. Although the benchmarks presented include great breadth, the compilation by its nature is not exhaustive.

Risk assessment methods are being deployed in many industries, and the momentum will likely continue. Performance-based standards have been a key driver in the growth of risk assessments because they are the primary means to demonstrate that risks have been reduced to an acceptable level. Although the level of sophistication varies from industry to industry and within industries, the general risk assessment process applies across all industries and applications.

SECTION IV - IMPROVING THE RISK ASSESSMENT PROCESS

Section IV contains an analysis and comparison of the different risk assessment benchmarks presented in Section III. Section IV is written for the advanced reader who is dissatisfied with his or her current risk assessment method, is interested in improving the risk assessment process, or seeks to harmonize the risk assessment process. A chapter compares the different benchmark methods and draws conclusions concerning the differences and similarities among them. A chapter also compares a risk assessment approach to other safety analyses used to assess risk.
Note that the risk assessment process comprises only one method to identify hazards, assess risks and reduce residual risks. Other methods have value and should be used as appropriate.

A heated debate often occurs when discussing the issue of documenting risk assessments. There remains considerable resistance to creating risk assessment documents from the legal community, primarily due to product liability concerns. However, good engineering practice, continuous improvement and risk assessment requirements all push for documenting risk assessments. Documenting the risk assessment process is required or recommended by every guideline, standard or technical description of risk assessment. Therefore, a chapter explores the arguments for and against documenting a risk assessment.

There are many variations in risk scoring systems because different risk scoring systems work well in different applications. There are many risk scoring systems in use, each offering its strengths and weaknesses. This variation reflects the great diversity of opinion on risk assessment. Some of the most significant differences between risk assessment methods used today involve how risk is assessed. There is a continuum of risk scoring systems from qualitative to quantitative that effectively address a variety of risk assessment applications. Very few benchmarks use quantitative risk scoring systems. However, there is no indication that any particular risk scoring system is better than another for all applications.

One of the most critical considerations in selecting an approach to risk assessment is logistics. In many instances logistics can be the overriding criterion due to implementation challenges that arise. The costs and logistics of performing quantitative risk assessments are prohibitive in many industries. In these applications new methods, approaches, or software tools may be needed rather than those developed for the sophisticated situations.
With the level of activity occurring today in risk assessment, there remains plenty to learn.

In many instances an individual or organization starts with an existing risk assessment method and finds it to be lacking in one or more respects. Thus begins a search for a better method. The search can take one of two paths: look for other methods and adopt all or part of them, or modify the existing approach to create a method better suited for the application. Chapters in this section provide a framework readers can use as they explore options for a better method. The benchmarks of Section III provide a wealth of information to start researching other methods and from which the search can be quickly narrowed. Although no specific solution is proposed, the different variables that can be adjusted and the implications of doing so are discussed.

Section IV also looks at international initiatives to harmonize the risk assessment process and offers some suggestions on aspects that are well-suited and less well-suited for harmonization. There are several reasons for and against harmonizing the various risk assessment methods. Although both viewpoints have merit, some basic steps toward harmonization appear achievable. However, complete harmonization is not likely to occur soon. If a harmonized risk assessment process is to be developed, flexibility will be a critical factor to its success. Although most standards specifically seek to avoid flexibility, a harmonization effort will likely fail unless a standard framework can be provided that permits flexible application of the details.

There appears to be very little value in attempting to compare the results of risk assessments from vastly different applications to one another. Such comparisons provide no useful information to achieving acceptable risk. Since the goal of the risk assessment process is achieving acceptable risk, the risk assessment method one uses to attain this goal is less important than achieving the goal.
Based on the Benchmarks of Section III and the analyses in Section IV, a chapter presents the following eight principles for improving the risk assessment process.

PRINCIPLE #1 MINIMIZE THE USE OF LABELS

The use of labels to describe portions of the risk assessment process needs to be minimized. The terms used in assessing risk can be very confusing. There exists confusion, or at least no common understanding, as to the meanings of the following terms:

• Risk assessment
• Risk analysis
• Risk estimation
• Risk evaluation

The term "risk assessment" can mean the specific steps related to calculating a risk level, an overall term for the entire process, or any method that assesses risks. Efforts at harmonizing, standardizing or even communicating are severely hampered by the current confusion and different uses of the term "risk assessment" and others. The practitioner trying to conduct a risk assessment does not care about terms or labels. He or she just wants to know what they need to do to complete the risk assessment. Extra terms detract from this objective. Unnecessary terms that add no value should be removed from the risk assessment process. Labels that provide no value only add confusion.

PRINCIPLE #2 SIMPLIFY THE RISK ASSESSMENT PROCESS

Use Active Verbs

The steps of the risk assessment process should be written using active verbs rather than labels or titles.

Simplify the Steps

The steps of the risk assessment process need to be simple and straightforward, and provide the reader very clear direction on what he or she needs to do. There are many instances where clear direction is lacking or the steps are unnecessarily confusing or ambiguous. Simplifying the risk assessment process by using active verbs and clear and simple steps will assist those engaged in conducting risk assessments.
PRINCIPLE #3 ADOPT "RISK ASSESSMENT PROCESS" AS THE OVERALL TERM

The term "Risk Assessment Process" should be adopted to describe the overall process of identifying hazards, assessing risk, and reducing risk. The terms "risk analysis," "risk assessment," "risk management" and others have different definitions depending on the industry using them. The two most frequently used terms to describe the overall risk assessment effort are "risk assessment" and "risk management." Although arguments can be made for either term, the use of "the risk assessment process" seems the best for referring to the overall process of identifying hazards, assessing risks, and reducing risks.

PRINCIPLE #4 THE RISK ASSESSMENT PROCESS INCLUDES RISK REDUCTION

There is no point in assessing the risks of a system, design, process or product unless one plans to perform risk reduction. The risk reduction effort is always completed even though not every residual risk requires further risk reduction (the risk may already be acceptable). This implies that risk reduction is a necessary part of, and should be included in, the overall risk assessment process regardless of the term used to describe that overall process. Although other documents, guidelines and standards argue that risk reduction is not included in risk assessment, from the perspective of a person tasked with conducting a risk assessment in industry, separating risk assessment and risk reduction makes little sense. Separating risk assessment and risk reduction may make sense for government agencies or other organizations that are not involved with, or responsible for, the risk reduction effort. However, for persons in industry risk reduction is an integral part of the risk assessment process.

PRINCIPLE #5 ADOPT THE RISK ASSESSMENT PROCESS FLOW CHART

Figure 1 presents the risk assessment process incorporating Principles #1-4.
This figure should be adopted because it simplifies the process and reflects how risk assessment is conducted in industrial practice.

PRINCIPLE #6 SUBJECTIVE JUDGMENT NEEDS TO BE ACCEPTED

Subjectivity is a necessary part of risk assessment. Even in quantitative risk assessments subjective judgment occurs. However, the subjectivity does not diminish the value or credibility of the risk assessment process. Safety is not an absolute state, but a relative one. Engineers, safety practitioners and decision makers need to become comfortable with subjectivity, and recognize that subjective risk assessments do offer value.

PRINCIPLE #7 ACCEPT UNCERTAINTY

Uncertainty is an integral part of all the risk assessment benchmarks in Section III, whether explicitly addressed or not. Uncertainty enters risk assessment as assumptions, estimates and subjective judgments. Even in quantitative assessments there often remains substantial uncertainty. Risk is uncertain. Performing a risk assessment does not create the uncertainty. Uncertainty is, and should be accepted as, an integral part of the risk assessment process.

PRINCIPLE #8 DEFINE "RISK ASSESSMENT"

Very different definitions of the term "risk assessment" exist. The two primary differences tend to be whether the term is used as a verb to mean any method used to assess risk (such as FMEA, What if, HAZOP, Fault Tree Analysis, and others), or used as a noun to refer to a specific type of analysis. No current consensus exists in this regard. It could be very difficult for those seeking to harmonize the various risk assessment methods to make significant progress until some agreement is reached on the definition of the term. Engineers, safety practitioners, risk assessment teams, and standards writing committees need to develop a common definition within their working group(s).

CLOSURE

The current state of the art is such that most companies are not performing formal risk assessments, but this is changing.
The leaders in risk assessment tend to be the companies actually performing them rather than any particular industry, country or standard. The preceding principles focus on simplifying the risk assessment process, improving it to reflect current practices in industry, and advancing deployment of the risk assessment process. The team conducting the risk assessment needs to quickly come to a common understanding of the terms it uses, its goals and objectives, and the process to attain them. These eight principles should assist.

Why You Should Care About Risk Assessment
About This Book
A Brief History
Limitation
Accepting Risk
A Journey
An International Activity

KEY POINTS

1. You should care about risk assessment because it works.
2. Risk assessment identifies more hazards, provides a competitive advantage through cost efficiencies and productivity gains, and captures knowledge as workers retire or depart.
3. This book:
   • discusses the basics of the risk assessment process;
   • presents practical applications of implementing risk assessment in industry;
   • provides numerous benchmarks on risk assessment activities across several industries;
   • compares the benchmark methods; and
   • presents a roadmap for those seeking to develop an improved risk assessment process including eight principle objectives.
4. Risk assessment helps avoid taking unnecessary or senseless risks and to most efficiently use risk reduction resources.
5. Risk assessment is a journey, not an event. Implementing the risk assessment process within a company requires time.

WHY YOU SHOULD CARE ABOUT RISK ASSESSMENT

Many engineers, safety practitioners and managers have become interested in the risk assessment process. In some instances their interest stems from a personal curiosity, whereas others have been "volunteered" to become knowledgeable on the subject. In either event they find that they have a need to get up to speed quickly on the "what" and "how" of the risk assessment process.
Some of the issues that arise include:

• What is risk assessment?
• How does one do a risk assessment?
• What is the current state of the art?
• What benchmark methods exist from which a company can select an approach?
• What are the pitfalls to avoid?
• What if no existing method suits my needs?

This book seeks to answer these and other questions on the risk assessment process.

Although risk assessment methods have existed in various forms for many years, there are several reasons for the increased interest in risk assessment. Risk assessment has attracted considerable attention for one or more of the following reasons:

• Risk assessments identify more hazards and enable the use of better risk reduction measures. Risk assessments are effective in helping identify hazards; in many cases the risk assessment process identifies 5-10% more hazards than would otherwise be found.
• Risk assessments provide a competitive advantage by preventing injuries, reducing costs, increasing productivity and reducing time to market.
• Risk assessments can reduce product liability exposure.
• Risk assessments are required in some instances by law, by industry standards and guidelines, or by company policy. Risk assessment is required for the European CE Mark.
• Risk assessments can capture knowledge as a work force retires or departs.

There is considerable momentum in risk assessment efforts. Risk assessments continue to rapidly expand within and across industries as described in this book. Other authors share the following comments on the value of safety and risk assessment to their businesses:

The fundamental belief at DuPont is that safety is not only a core business and personal value, but is also a source of competitive advantage. Interestingly, as safety performance improves, so does business performance. Safety-related costs go down, worker productivity goes up, and overall organizational performance is enhanced (McCabe, 2001).
Risk assessment is a powerful tool as far as making the work environment a safer place is concerned. Employers must ensure that they have taken reasonable steps to reduce risk to a level as low as reasonably practicable (Thompson, 2002).

A sound risk assessment is vital for successful risk handling. The importance of the key elements of risk assessment cannot be overemphasized (Capaul, 2000).

Interest in risk assessment is growing quickly. Ten years ago it was rare to find a company in general industry that performed formal risk assessments or even knew much about them. Today, there are some companies that require a vendor to supply a documented risk assessment as a condition of sale. This trend will likely continue due to the successes companies derive from the risk assessment process.

ABOUT THIS BOOK

This book was written to help introduce, explain and describe the basics of risk assessment, and to identify risk assessment benchmarks currently in use worldwide. More specifically, the book:

• discusses the basics of the risk assessment process;
• presents practical applications of implementing risk assessment in industry;
• provides numerous benchmarks on risk assessment activities across several industries;
• compares the benchmark methods; and
• presents a roadmap for those seeking to develop an improved risk assessment process including eight principle objectives.

A detailed benchmark study examined risk assessment activities across several industries (Main, 2000). The report gathered many of these independent activities together and documented the state of the art across several industries and countries. This book is an update to the former benchmarks report.

Many other authors have written excellent works on the topic of risk assessment (see Bibliography on compact disk). Often the authors are specialists in one industry or method.
This book draws on many of these works and extends the discussion by examining the many risk assessment methods used across different industries.

The first section of this book covers the basics of the risk assessment process. Readers will find basic concepts about the different kinds of risk, and how risk assessment works to improve safety through the design process. A chapter is included on acceptable risk and how to make decisions about the acceptability of residual risks. A chapter on design reviews explains how risk assessments fit into the design development process. Individuals who are new to risk assessment will find Section I a resource for getting up to speed quickly on the different options available and the means to introduce and implement risk assessments.

Section II is written for the practitioner. When all is said and done, someone needs to get his or her hands dirty and actually do the risk assessment. This section provides tips and guidance on how to most effectively introduce the risk assessment process to an organization, and how to conduct them thereafter. The step by step basics of the risk assessment process appear in Section II. Several case studies from different applications demonstrate the risk assessment process and the results. Practical guidance is offered about forming a team, what to expect, and when to stop a risk assessment. Guidance is shared on how to change the design process to include risk assessment, and what resistance may be encountered in doing so. Since there are many different systems used to arrive at risk levels, a chapter on risk scoring systems presents the different variables that are used to rate risk.

Section III of the book examines the many benchmark methods that exist today to perform risk assessments. A very broad cross section of methods from many different industries and applications documents the current state of the art and wealth of activity in the risk assessment process.
The benchmark methods are presented based on publicly available documents with the exception of company specific proprietary methods. Although the benchmarks presented include great breadth, the compilation by its nature is not exhaustive. Several benchmark applications use very similar methods to assess risks. This leads to some repetition in coverage. However, one of the purposes of this book is to show both the similarities of, and differences between, how different industries and applications assess risk. Therefore, some repetition is unavoidable. Both novices and specialists should find useful information in this section. Those who are familiar with the risk assessment process will find Section III useful to identify the depth and breadth of current risk assessment activity.

Where Section III presents the many risk assessment benchmarks, Section IV attempts to make sense of all the information. A chapter compares the different methods and draws conclusions concerning the differences and similarities among the methods. A chapter also compares a risk assessment approach to other safety analyses used to assess risk. A heated debate often occurs when discussing the issue of documenting risk assessments. Therefore, a chapter focuses on exploring the arguments for and against documenting a risk assessment.

Section IV is written for the advanced reader looking for a better approach to risk assessment, including those seeking to harmonize the risk assessment process. In many instances an individual or organization starts with an existing risk assessment method and finds it to be lacking in one or more respects. Thus begins a search for a better method. The search can take one of two paths: look for other methods and adopt all or part of them, or modify the existing approach to create a method better suited for the application. Chapters in this section provide a framework readers can use as they explore options for a better method.
The benchmarks of Section III provide a wealth of information to start researching other methods and from which the search can be quickly narrowed. Although no specific solution is proposed, the different variables that can be adjusted and the implications of doing so are discussed. Section IV also looks at international initiatives to harmonize the risk assessment process and offers some suggestions on aspects that are well-suited and less well-suited for harmonization. The last chapter of this section looks into the future and offers some projections as to what may occur in this quickly evolving area.

Risk analysts who are immersed in sophisticated or complex quantitative risk assessment efforts will likely find this book somewhat elementary. However, the deep dive that has occurred in quantitative risk assessments and probabilistic modeling has only engaged a very limited market where risk is very high and resources are made available for extensive evaluations. The costs and logistics of performing quantitative risk assessments are prohibitive in many industries. In these applications new methods or approaches may be needed rather than those developed for the sophisticated situations. With the level of activity occurring today in risk assessment, there remains plenty to learn.

A BRIEF HISTORY

Evaluating and reducing risk has occurred for decades. Since the industrial revolution this process has often occurred informally. Methods to perform formal risk and reliability assessment originated in the early 1960s in U.S. aerospace and missile programs. According to McIntyre (2000):

The System Safety discipline emerged on the engineering and management scene in 1962 with the dawning of the space transportation era. System Safety principles emphasize the rigorous development of effective safety risk mitigation strategies based on comprehensive and thorough risk assessment.
Hoj and Kröger (2000) trace the more systematic use of risk analyses from the U.S. aerospace programs to nuclear plant installations in the U.S. Risk assessments subsequently spread to applications in the oil production and chemical industries, and from there to the offshore industry. Successful application in the offshore industry led to its introduction to civil engineering of transportation systems.

Risk assessment gained increased visibility in Europe in 1995 with the publication of EN 1050, Safety of machinery, principles for risk assessment. This document presented the risk assessment process in a general manner. In turn, EN 1050 prompted many subsequent risk assessment development efforts in the U.S. The robotics, machine tool and semiconductor industries are a few of the many that began to develop risk assessment methods based on, or influenced by, EN 1050.

In each successive application, the threat or realization of significant harm pushed the risk assessment envelope. Where actual or perceived risks were deemed unacceptably high, engineers and risk assessment specialists were challenged to develop better methods to identify hazards, assess risks, and reduce the risks to acceptable levels. In developing these methods, the work of one or more industries was used and improved on in a cascading and evolving process.

The evolution of risk assessment continues today. As evidenced in Section III of this book, there are many different risk assessment methods that exist and continue to evolve. Keeping up with the many changes occurring in risk assessment has become a considerable challenge. Advances continue to be made in the many industries pushing the envelope of experience and knowledge.

LIMITATION

Risk assessments are just one tool of many that exist to identify hazards and reduce risks. Risk assessments are only part of the solution to improving designs. As noted throughout this book, risk assessment should be viewed as complementary to other methods.
ACCEPTING RISK

There are three conditions under which people will normally accept risk:

• When risk is insignificantly low.
• When the risk is known to be worth it.
• When the risk is unknown.

The third condition leads to situations of unnecessary or senseless risk taking. A fourth condition occurs when perceived risk is greater than the actual risk, which leads to excessive or inefficient use of risk reduction resources. One purpose of the risk assessment process, and this book, is to make risks known so that better decisions can be made on accepting and reducing risks.

A JOURNEY

The risk assessment process is a journey rather than an event. Companies that are just starting to complete risk assessments find that their first efforts will require more time and will be less complete than later efforts. As personnel involved receive training and become more familiar with the risk assessment process, more hazards will be identified, more risk reduction methods deployed and the risk assessment process will improve. As lessons are learned and experience is gained, risk assessments become more refined. However, some time and experience is required for the risk assessment process to become fully integrated into the company. How much time depends on the company and its circumstances, but it typically takes years, not months. Eventually the risk assessment process will become a part of normal business procedures. Until then, industry needs time to fully and formally implement these concepts.

AN INTERNATIONAL ACTIVITY

Risk assessment is an international activity. Authors from countries all over the world have written about ongoing efforts in risk assessment. This book draws on resources from many countries and authors. In keeping with the international efforts in risk assessment, excerpts and quotes from other authors retain the original spellings or grammar rather than changing to American English.
Quotations used in this book contain the authors' original text in all but a very few exceptions where slight modifications were made to improve readability. All web site references were current as of the time of publication.

REFERENCES

Capaul, B. (2000). Standardised risk assessment - a need for man-made risk insurers. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.

EN 1050-1996. Safety of machinery; risk assessment. www.global.ihs.com.

Hoj, N.P. & Kröger, W. (2000). Risk analysis of transportation on road and railway. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.

HSE. (2001). Reducing risks, protecting people: HSE's decision-making process. Health and Safety Executive. www.hse.gov.uk.

Main, B. (2000). Risk assessment benchmarks 2000: Getting started, making progress. Ann Arbor, Michigan: design safety engineering, inc. www.designsafe.com.

McCabe, W.O. (2001). Risky business: Lessons from hazardous operations. American Society of Safety Engineers, Professional Development Conference, 2001. www.asse.org.

McIntyre, G.R. (2000). The application of system safety engineering & management techniques at the U.S. Federal Aviation Administration (FAA). In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.

Thomson, N. (2002). Fire hazards in industry. Boston: Butterworth Heinemann.

SECTION I - BASIC CONCEPTS

Chapter 2 - Which of the Many Risks?
Chapter 3 - Safety Through Design
Chapter 4 - Acceptable Risk
Chapter 5 - Design Reviews

WHICH OF THE MANY RISKS?

Introduction
Risk
Sources of Risk
Elements of Risk
Individual or Societal Risk?
Risk Distributions
Common Terms

KEY POINTS

1. There are many different kinds of risk. Be certain that the risk assessment team is working with a common definition.
2. There are also many different sources of risk. Be aware of these during the risk assessment effort.
3. Risk can impact the Individual, Society, or both. Societal risk can be significant when the consequences of an incident reach beyond a company's facility or outside the intended use of its product.
4. There is the potential for conflict between what is deemed acceptable risk by society, an individual, and a company.
5. Although most risk assessment efforts address only the most credible severity level, advanced risk assessments can evaluate the risk equation for all distributions.
6. Any organization discussing risk and risk assessment needs a common understanding of the applicable terms. Terms used in the risk assessment process are defined in Appendix A. Note that more than one definition exists for many terms.

INTRODUCTION

Risk takes many forms. Risk can have positive or negative consequences. Risk comes from a variety of sources. Risk can impact only an individual, a company, or extend to society. Risk can be imposed or voluntarily assumed. Risk can quickly become complicated due to a distribution of consequences. Before a reasoned discussion of risk assessment can occur, these different aspects of risk must be addressed. This chapter briefly discusses these attributes of risk and helps to define the topic of risk assessment.

RISK

The term "risk" can have many different meanings. One technical definition shown below comes from the machine tool industry in ANSI B11 Technical Report #3-2000 (ANSI B11 TR3):

risk: A combination of the probability of occurrence of harm and the severity of that harm.

Several slight variations on this definition have essentially the same meaning, as reflected in Appendix A.
However, risk has other meanings as well, including:

• risk is the synonym of threat, danger and harm, but it has only one antonym and that is safety (the lay person's definition)
• risk is the potential for financial loss that is accepted for the potential promise of financial gain (positive meanings)
• risk is the disruption of a process leading to undesired results
• risk is the fear of wrong decisions or uncertainty
• risk is fun or a thrill (daredevil actions, aggressive sports, etc.)

Before a discussion of risk occurs, the participants must agree on the meaning of the term. Otherwise considerable confusion can result. A comparison of several different definitions can be found in Appendix A. At the individual equipment or facility level, the technical definition is most appropriate.

SOURCES OF RISK

In general, risk can relate to one or more of the following:

• Environment
• People
• Property
• Business operations
• Public relations/good will/media

More detail on possible sources of risk appears in CB 018 An international guide to best business practice, Risk Management, published by Standards Australia in 1999. The Guide lists the following possible sources of risk:

• Business interruption
• Commercial/legal relationships
• Custody of information including the duty to provide and to withhold access
• Financial/market
• Management activities and controls
• Natural events
• Occupational health and safety
• Personnel/human behaviour
• Political/legal
• Property/assets
• Public/professional/product liability
• Security
• Socio-economic
• Technology/technical
• The activity itself/operational

A risk assessment and related discussion of risk can address one or more sources of risk. Participants in the discussion need to be certain that the appropriate risk sources are considered. Participants also should consider that at times these sources of risk may be at odds and require balancing.

ELEMENTS OF RISK

According to the CB 018 Guide, the concept of risk has three elements:

1. The perception that something could happen,
2. The likelihood of something happening, and
3. The consequences if it happens.

Concerning the first element, the CB 018 Guide states that "the perception of risk and the associated social/political reaction is often a significant driver influencing management decisions." On occasion, risks can be perceived as very high when in fact the actual risk is extremely low. A complete discussion of risk perception extends beyond the scope of this book. However, in some instances the perceived risk may need to be addressed as a reality.

Concerning the remaining elements, the Guide notes that:

Technical experts tend to emphasise factors in terms of the probability of an occurrence, while a lay-person tends to emphasise factors such as:

• The degree of familiarity with the activity
• The degree of personal control that can be exercised over the activity
• The degree to which exposure is voluntary
• The distribution of the risks and benefits
• The potential of an event to result in catastrophic consequences
• Whether the consequences are dreaded

INDIVIDUAL OR SOCIETAL RISK?

Should a risk assessment consider individual or societal risk, or both? There are numerous applications where the consequences of an industrial event place a significant burden on the surrounding community. One example is a chemical processing facility where an incident could release to the environment large amounts of a toxic chemical. There are also situations where societal risk is negligible and only individual risk applies.

Ale (2000) defines individual risk as:

the probability that a person who permanently is present at a certain location in the vicinity of a hazardous activity will be killed as a consequence of an accident with that activity. Usually individual risk is expressed for a period of a year.
With respect to societal risk, Marszal (2000) uses the following definition: "societal risk is the relationship between the frequency and the number of people suffering from a specified level of harm in a given population from the realization of specified hazards."

Individual and societal risk concerns can be at odds. For example, Considine (2000) notes, "Unlike Individual Risk, in Societal Risk there is no distinction between particular individuals." As a result an individual may be left unprotected even though an acceptable societal risk level has been achieved. In accepting certain societal risks, the individual may have risks imposed upon them. Similarly, a company may operate within its level of acceptable risk, yet the surrounding community may not be aware of the risks involved in the operation and unknowingly accept a higher risk level than it deems appropriate.

Government and policy making organizations often address societal risks with lesser focus on individual risk. Conversely, manufacturing companies tend to focus on minimizing individual risk, believing that protecting a worker or customer from injury will also avoid societal consequences. This is a key difference to keep in mind when comparing the various risk assessment methods presented in Section III. Some sophisticated analysis methods have been developed for cases where societal risk looms as a larger concern than individual risk, such as in siting a nuclear reactor, landfill or airport.

RISK DISTRIBUTIONS

Although many risk assessment methods evaluate the most credible threat, risk is a function of a distribution. For a given hazard such as a tripping hazard, there is a distribution of consequences ranging from none to death. Each consequence has an associated probability of occurrence.
Thomson (1987) presents the relationship as

    Risk = Σ (probability × consequence), summed over all consequences

For the tripping hazard example, there will be a high probability of events with no consequences, a very low probability of tripping events that result in death, and trips that result in varying degrees of injury will have probabilities of different rates. To assess the risk according to Thomson's (1987) model, the distribution of all consequences and associated probabilities would need to be considered. A complete assessment would account for all elements in the risk equation.

Evaluating a risk distribution complicates the risk assessment effort considerably. Evaluating and tracking all risk distributions can be cumbersome. As a practical solution, most risk assessment methods work with only the most credibly severe risk from the risk distribution rather than the most conceivable risk severity. The underlying assumption is that risk reduction methods employed for the most credible severe risk will adequately account for risks from lesser severity scenarios. As a general rule this assumption holds, and this simplifying assumption has proven valuable in advancing the risk assessment process. However, as companies gain more experience with the risk assessment process they may find evaluating the risk distribution to have value. Risk distributions are discussed further in Chapter 42.

COMMON TERMS

Any discussion of a subjective process such as risk assessment requires a common foundation of terms. Appendix A contains a compilation of terms and definitions that appear in several risk assessment documents. The reader may be very surprised to note the differences in definitions for such fundamental terms as hazard, residual risk, safety, and others. There are also differences in the way these terms are used, some minor and others significant.
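The risk-distribution relationship and the "most credible severity" simplification discussed above, carried through as an added worked example (this code is not from the book; the tripping-hazard outcomes, the severity scale and the credibility threshold are constructed, assumed values):

```python
"""Worked example of Thomson's risk-distribution relationship:

    Risk = sum over all consequences of (probability x consequence)

The tripping-hazard distribution below is constructed for illustration; the
severity scale and probabilities are assumed values, not figures from the book.
"""
from dataclasses import dataclass
from math import isclose


@dataclass(frozen=True)
class Outcome:
    """One point in a hazard's consequence distribution."""
    description: str
    severity: float     # consequence on an assumed numeric scale (lost-day equivalents)
    probability: float  # probability of this outcome per tripping event


# Constructed distribution for the chapter's tripping-hazard example (assumed values):
# most trips do nothing, a fatal trip is conceivable but extremely improbable.
TRIP_HAZARD = (
    Outcome("no consequence", 0.0, 0.90),
    Outcome("minor bruise, first aid", 1.0, 0.08),
    Outcome("sprain, lost time", 10.0, 0.018),
    Outcome("fracture, hospitalisation", 100.0, 0.0019),
    Outcome("death", 10_000.0, 0.0001),
)


def validate(distribution):
    """A consequence distribution must be exhaustive: probabilities sum to 1."""
    total = sum(o.probability for o in distribution)
    if not isclose(total, 1.0, abs_tol=1e-9):
        raise ValueError(f"probabilities sum to {total}, expected 1.0")
    if any(o.probability < 0 or o.severity < 0 for o in distribution):
        raise ValueError("probabilities and severities must be non-negative")


def total_risk(distribution):
    """Thomson's relationship: risk summed over every point of the distribution."""
    validate(distribution)
    return sum(o.probability * o.severity for o in distribution)


def risk_contributions(distribution):
    """Share of the total risk contributed by each consequence."""
    total = total_risk(distribution)
    return {o.description: (o.probability * o.severity) / total for o in distribution}


def most_conceivable(distribution):
    """The worst outcome that can be imagined, regardless of how improbable."""
    return max(distribution, key=lambda o: o.severity)


def most_credible_severe(distribution, credibility_threshold):
    """The most severe outcome whose probability is still considered credible.

    This is the simplification most risk assessment methods make: only outcomes
    at or above the threshold are assessed, and the worst of them is carried
    forward. The threshold is an assumed value the assessor must justify.
    """
    validate(distribution)
    credible = [o for o in distribution if o.probability >= credibility_threshold]
    if not credible:
        raise ValueError("no outcome meets the credibility threshold")
    return max(credible, key=lambda o: o.severity)


def main():
    print(f"total risk over the distribution: {total_risk(TRIP_HAZARD):.3f}")
    for name, share in risk_contributions(TRIP_HAZARD).items():
        print(f"  {name:28s} {share:6.1%}")
    print("most conceivable severity:", most_conceivable(TRIP_HAZARD).description)
    print("most credible severity (threshold 1e-3):",
          most_credible_severe(TRIP_HAZARD, 1e-3).description)


if __name__ == "__main__":
    main()
```

In this constructed distribution the rare fatal outcome contributes most of the summed risk even though the most credible severe outcome is a fracture, which illustrates why the chapter suggests that evaluating the whole distribution can have value once an organisation has the experience to do so.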
Future risk assessment efforts will likely work to harmonize definitions, but this will require some time to accomplish across the many industries and applications where risk assessment is performed. Understanding which risk is being discussed, and the terms used in the discussion, is very important to advancing discussions on risk assessment. Which definition is used in a single organization is less critical than being certain that everyone in the organization uses the same one.

REFERENCES

Ale, B. (2000). Risk assessment practices in the Netherlands. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.
ANSI B11 Technical Report #3 (2000). Risk Assessment - A guideline to estimate, evaluate and reduce risks associated with machine tools. The Association for Manufacturing Technology, www.amtonline.org.
CB 018-1999. An international guide to best business practice - Risk management. Standards Australia, www.standards.com.au.
Considine, M. (2000). Quantifying risks in the oil and chemical industry. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.
HB 203-2000. Environmental risk management - Principles and process. Standards Australia, www.standards.com.au.
Marszal, E.M. (2000). Tolerable risk guidelines. The Instrumentation, Systems and Automation Society Expo 2000. www.exida.com.
Thomson, J.R. (1987). Engineering safety assessment, An introduction. New York: Longman Scientific & Technical, John Wiley & Sons, Inc.

Introduction
Avoid Retrofitting
Starting Early
The Goal
The Hazard Control Hierarchy
Education and Training Limitations
Forces Pushing Safety Through Design
What Can Be Done Now
The Current State of the Art
Closure

KEY POINTS

1. There is considerable support and recognition that safety needs to be addressed during design rather than as a retrofit activity.
2. Risk assessment is pushing safety into the design process.
3. The goal of safety through design is to reduce risks to an acceptable level.
4. The hazard control hierarchy should be used to guide risk reduction efforts.
5. Engineers' ability to integrate safety into the design process is limited by the lack of training and education they have received.
6. There are many forces pushing safety through design including: costs, competition, quality, international influences, legal requirements, the desire to capture knowledge and the costs of retraining engineers and safety practitioners.
7. The current state of the art is such that most companies are not implementing safety through design, but this is changing.
8. Possible corrective actions that can be taken to introduce or improve safety through design efforts include formalizing existing but informal design processes that include elements of risk assessment, acquiring tools and training to conduct risk assessments, and advocating training on safety through design.

INTRODUCTION

Safety through design is a proactive approach to safety that uses a design methodology to implement safety effectively. Manuele (1999) defines safety through design as "the integration of hazard analysis and risk assessment methods early in the design and engineering stages and the taking of actions necessary so that the risks of injury or damage are at an acceptable level." Risk assessment is the engine needed to assure that an acceptable risk level is achieved. Christensen (2003) indicates that risk assessment is one of the key factors in instituting safety through design. In some instances more than one analytical technique is necessary to implement safety through design. A preliminary hazard analysis (PHA) and failure mode and effects analysis (FMEA) in some combination with risk assessment are the most frequently used tools.
Many other tools exist, some of which are best applied by a specialist (see Clemens and Simmons (1998) for additional information).

The Institute for Safety Through Design (ISTD), part of the National Safety Council, has been a leader in advancing safety through design concepts. It has been a strong champion for the cause of having safety issues considered early in the design process. The comprehensive book Safety Through Design discusses in great detail the concepts and applications in many industries. The book has three parts: introducing safety through design, integrating safety into business processes, and industry applications. This book is highly recommended for readers seeking more information on this topic.

In Canada, the Ontario Ministry of Labour published Guidelines for Pre-Start Health and Safety Reviews: How to Apply Section 7 of the Regulation for Industrial Establishments in 2001, which contains this passage:

    Integrating health and safety at the design stage and before operations begin is a cost-effective and proactive way to prevent workplace illness or injury. The benefits are numerous. They include direct savings from minimizing retrofitting; less downtime and replacement of equipment; savings in workplace insurance claims due to fewer illnesses and injuries; and, most important, maintaining productivity, health and safety in the workplace.

Risk assessment is one of the primary methods that moves safety into the design process. Manuele (2003) notes that:

    Hazard analysis and risk assessment methods must be used in the appropriate stages in the design process to evaluate risks and determine the risk management actions to be taken. A good hazard analysis/risk assessment model will enable decision makers to understand and categorize the risks and to determine the methods and costs to reduce risks to an acceptable level. Design engineers must have available and use a hazard analysis/risk assessment matrix suitable to their needs.
Christensen (2001) explicitly links risk assessment and safety through design:

    It is important to recognize that risk assessment is a key element in the application of the concepts of safety through design. Designing safety into facilities, processes, equipment and products is the most efficient and cost effective method of assuring excellent prevention efforts, and risk assessment is a significant ingredient.

This view is shared by Taubitz (2000), Jones (2002), and many others. Understanding safety through design concepts is important to fully integrating the risk assessment process.

AVOID RETROFITTING

The fundamental concept of safety through design is elementary:

GET IT RIGHT THE FIRST TIME

Safety should be incorporated early in the design rather than as a retrofit activity. Unfortunately, safety has often been an evolutionary learning process. Hunter (1992) euphemistically referred to the good old days of the "build 'em and bust 'em" era: "An acceptable configuration was often reached by some combination of repeated experiments, endless modifications, trial and error, animal cunning, and good luck." This "build 'em and bust 'em" era represents an inefficient process. An easier and more efficient approach incorporates safety performance criteria before a design is released rather than trying to retrofit the design to meet these criteria at the design review (discussed in greater detail in Chapter 5). The Institute for Safety Through Design portrays these differences as shown below.

Figure 3.1 - Safety Through Design Today/Tomorrow. Institute for Safety Through Design (1999)

In too many instances today, a system is designed, developed, and being installed or operating when safety concerns are first identified. A small panic ensues, with solutions brainstormed and negotiations made as to whose budget the last minute changes will impact.
In many instances, additional warnings or procedures for safe use need to be developed since design changes or guarding may not be practical at this late date. This debugging safety process is shown in the left side of Figure 3.1. The retrofit effort consumes considerable time and energy, and often results in sub-optimal systems. In many cases, if the concerns are identified earlier in the development process, better solutions can be identified and implemented at a better cost. Addressing safety issues during the design process minimizes last minute retrofitting. Safety through design is the method to advance from the retrofitting of today to the improvements of tomorrow. The desired outcome is shown on the right side of Figure 3.1. Risk assessment is the practical method to apply the theoretical concepts of safety through design.

As shown in Figure 3.2, safety through design efforts continue up to the start of building tooling or facilities. Once a product or process starts being built, safety activities are considered retrofitting. Note that "retrofitting a building or equipment" is considered a new design activity and is consistent with Figure 3.2. Late changes to the retrofit design made during the build or installation of the new retrofit project would be considered "retrofitting the retrofit." The model of Figure 3.2 emphasizes that once tooling is made or production begins, safety efforts are more costly, more difficult to implement, and less effective than addressing hazards in the design stages. Safety through design seeks to take advantage of the ease of implementing safety early in design and avoid the increasing costs of retrofit safety activities.

Figure 3.2 - Safety Through Design Model. Institute for Safety Through Design (1999). Reprinted with permission from the National Safety Council. Safety Through Design. Itasca, IL: NSC Press, 1999.
STARTING EARLY

As shown in Figure 3.2, safety through design should commence very early in a product or process development process. Ideally, hazard identification and risk reduction efforts should receive consideration as early as the business analysis and conceptual development stages. During the early stages of design the performance criteria and design objectives are formed against which the design will be evaluated in later design reviews (see Chapter 5 for more on design reviews). Manuele (2003) emphasizes that safety should be considered early in design to avoid introducing hazards:

    In the design process, the goal is to avoid bringing uncontrolled hazardous situations into the workplace and to avoid the distribution of hazardous products... It is a hard truth that most of the significant, work-related and product safety decisions are made in the design process. That is why the emphasis is so strong in support of safety professionals taking an anticipatory and proactive approach and becoming involved in the design process.

Morris and Simm (2000) state "risk management should be instigated right from the feasibility stage of the project's development."

THE GOAL

The basic goal of safety through design is to reduce risks to an acceptable level. Therefore, identifying hazards is critically important. Safety through design is built on effective hazard identification and risk assessment. To accomplish this goal, management support is necessary to move safety into the design process. For example, the Australian National OHS Strategy 2002-2012 explicitly lists "eliminate hazards at the design stage" as one of five national priorities. Once hazards are identified, the hazard or safety decision hierarchy should be used to reduce risk.

THE HAZARD CONTROL HIERARCHY

Safety through design is an approach to safety that relies heavily on engineering controls rather than employee behavior interventions.
These controls include analyses developed to identify and reduce hazards with design changes before problems emerge. Safety through design employs the prioritized approach to hazard elimination and control outlined in Table 3.1.

Table 3.1 - The Hazard Control Hierarchy
Excerpted from The Safety Decision Hierarchy (Manuele 2001)

MOST EFFECTIVE
1. Eliminate hazards and risks through system design and redesign
2. Reduce risks by substituting less hazardous methods or materials
3. Incorporate safety devices
4. Provide warning systems
5. Apply administrative controls (work methods, training, etc.)
6. Provide personal protective equipment
LEAST EFFECTIVE

This hazard control hierarchy, or variations of it, is commonly accepted across several industries and authors (ANSI B11 TR3-2000, ANSI/RIA R15.06-1999, Roland and Moriarty (1990), Christensen and Manuele (1999), and many others). A common hierarchy for product applications uses: design changes to eliminate hazards, guarding systems, warnings, training and instruction manuals, and personal protective equipment. Part of practicing safety through design is identifying situations where hazards exist and developing the best response to the hazard according to this hierarchy.

Safety through design seeks to minimize reliance on behavioral interventions that use a warning or training approach to safeguarding. Workers are more likely to work safely if doing so is easier and less complicated than defeating safety rules. Work rules that employees perceive as inhibiting operations are much less likely to be followed. For instance, if a machine guard blocks an operator's view, he will likely move the guard to get a clear view of the work, even if he was trained to leave the guard in place for his own safety. Alternatively, if the guard was designed to provide visibility, access, and protection, the operator would be far more likely to use the guard.
EDUCATION AND TRAINING LIMITATIONS

At the same time that requirements for safety through design are increasing, design engineers may have difficulty meeting these requirements. Design engineers are highly skilled in developing designs and the processes to continue those designs. However, they typically know little about safety through design due to limited education and training in this area. Studies have shown that design engineers receive little or no formal safety training at the university level, and they usually are not aware of the tools and techniques used in the safety community (Main and Ward, 1992). Even today, discussions with both experienced and inexperienced engineers often reveal that elementary safety concepts such as the hazard control hierarchy are unknown to many engineers. In discussing engineering education regarding safety, Dembe (1996) noted that:

    According to the Professional Engineers' Code of Ethics, one of the "fundamental canons" of the engineering profession is to "hold paramount the safety, health and welfare of the public in the performance of their professional duties." It is hard to imagine how an engineer can be expected to fulfill this maxim unless he or she receives appropriate education in safety engineering principles.

To correct this situation, one might conclude that engineers need safety training and education. However, it is too simple to suggest that a lack of awareness is the root problem. In a cascade effect, engineers' awareness of safety through design is low because they have not received training in design safety methods. This lack of training has resulted from a lack of instructional materials and literature describing safety through design. The advent of risk assessments entering mainstream business and several other forces are acting to change this situation.
Only recently have books, training manuals and modules, and tools on safety through design become available (see Christensen and Manuele (2001), and Bloswick (2001)). Until recently even faculty and employers motivated to teach safety through design methods have had difficulty finding instructional materials to do so. Although safety through design concepts have existed for many years, risk assessments have recently enabled safety through design to be more effectively implemented.

At the same time, safety practitioners also need better education and training. Safety practitioners need a better understanding of, and how to participate in, the design development process. Since many safety practitioners lack a technical background, their ability to contribute to the design process may be very limited. The risk assessment process may be an effective way for safety practitioners to participate in design development.

Industry has an enormous investment in its personnel. The task of "retrofitting" engineers so that they become skilled in addressing safety through design is no small project. Many of the supporters of the ISTD are involved with the Institute to learn more about this challenge, and to help 'fix' the engineering curricula so that new engineers need not be retrained in risk assessment and safety through design. Additionally, the costs of retraining ("retrofitting") design engineers and safety practitioners who lack safety through design awareness are imposing. At a symposium held by the ISTD in 1996, Mr. James Rucker, the chair of the ISTD, noted that the costs of retrofitting future engineers and safety practitioners with safety through design training will be enormous and that business and industry cannot afford such an expense.
He gave voice to the belief that the best time to address safety is early in the design process and that the best method for doing so is to have the engineers responsible for developing designs be knowledgeable, trained, and skilled in safety through design.

FORCES PUSHING SAFETY THROUGH DESIGN

There are several key reasons why the safety through design process has been attracting interest in the past few years. Main (2002) summarizes several reasons for this increased interest, including:

• Time - the design cycle is under ever increasing pressure to be compressed, reducing tolerance for post-build or post-sale safety fixes
• Costs - there are significant opportunities for productivity gains and cost efficiencies
• Competition - reducing costs and increasing productivity through safety through design can provide an attractive competitive advantage
• International influences - through the CE mark, the European Union (EU) explicitly requires an analysis of the hazards in accordance with the hazard elimination and control hierarchy
• Quality - safety is beginning to be addressed within quality processes such as ISO 14001, ISO 9000 and QS 9000
• Capturing knowledge - a completed risk assessment can be used to capture much of the knowledge pertinent to the design being considered, which can be applied to similar designs
• Product liability - risk assessments help reduce exposure to hazards and can assist in building a successful defense against a product liability claim
• Lack of standards - when standards do not exist or have not kept pace with technological change, risk assessments provide a basis to make credible design decisions
• Schedule control - a risk assessment permits a company to make reasoned decisions and move quickly to implement them
• Customer requirements - some advanced industrial customers are beginning to require that suppliers conduct risk assessments.
WHAT CAN BE DONE NOW

What can be done now if a company is not performing risk assessment and moving safety into design? There are many things that can help. Companies should examine their current design process. Some of the components of safety through design may exist in an informal manner. Companies can begin to identify those components that are part of safety through design and that are currently conducted.

Another action involves acquiring the tools and training to conduct risk assessments. Although risk assessments can be conducted manually, recent software tools can greatly ease the process. By conducting a risk assessment, a manufacturer has the opportunity to:

• define the intended uses and foreseeable misuses associated with the design;
• take steps to prevent users from being injured in those uses and misuses;
• document the state of the art with respect to the product at the time of design;
• identify potential improvements to the design; and
• reduce the risk of omitting or not fully addressing a hazard.

Another starting point is to advocate educating and training engineers and corporate management regarding safety through design and risk assessment. Companies may wish to re-examine the set of safety knowledge and skills resident with their engineers. To ensure that safety analyses are conducted properly, an engineer must have the necessary skills to successfully complete the task.

THE CURRENT STATE OF THE ART

Currently, relatively few companies are implementing safety through design. Although many of the concepts have existed for years, it is only recently that this approach has attracted greater industry attention. Based on the current state of the art, not implementing safety through design is the norm; but this is changing. Design engineers responsible for developing designs lack the tools and safety theory developed in the safety profession. Although some safety engineering tools do exist to evaluate hazards, these methods are not widely used.
This may indicate that these tools are not completely effective for current commercial or industrial applications. Safety practitioners have more methods to address safety issues than design engineers, but they are often not involved in developing the actual design. This is partly explained by the very low percentage of safety practitioners who have an engineering background - estimated to be less than 5% (Minter, 2003). For all these reasons, manufacturers who are applying the concepts and techniques of safety through design are at the forefront of the state of the art.

Many safety techniques, tools, and methods have been developed within the safety community to implement hazard elimination and control and are available for use (see Chapter 39). Which particular technique is best depends on the design, its stage of development, the level of complexity and sophistication, the availability of data, and personal preference.

CLOSURE

Safety through design is an approach to safety that is achieving growing acceptance. There are significant activities pushing safety through design from both domestic and international sources. Meeting the most recent state of the art offers manufacturers the potential to improve facility design or product design, reduce accidents, and curb liability exposure. Similar to quality, safety can be addressed on a continuum - it is easier, cheaper, and more effective if safety is considered earlier in the design process. Unfortunately, safety is an issue that often receives considerable attention only after an incident occurs. Companies who proactively seize the opportunity to improve safety through design can minimize the likelihood of such an event occurring, and reap the benefits of cost efficiencies and productivity improvements.

REFERENCES

ANSI B11 Technical Report #3 (2000). Risk Assessment - A guideline to estimate, evaluate and reduce risks associated with machine tools. The Association for Manufacturing Technology, www.amtonline.org.
ANSI/RIA R15.06-1999. Safety requirements for industrial robots and robot systems. Robotic Industries Association, www.robotics.org.
Bloswick, D. (2001). Safety and Ergonomic Educational Materials. University of Utah, www.mech.utah.edu/ergo.
Christensen, W. & Manuele, F. (1999). Safety through design. Itasca, IL: NSC Press.
Christensen, W.C. (2001). Risk assessment: Why & what you need to know! American Society of Safety Engineers, Professional Development Conference, 2001.
Christensen, W.C. (2003). Safety through design. Professional Safety. American Society of Safety Engineers, www.asse.org.
Clemens, P.L. & Simmons, R.J. (1998). System safety and risk management: A guide for engineering educators. U.S. Department of Health and Human Services, National Institute for Occupational Safety and Health. www.sverdrup.com/svt.
Dembe, A. (1996). The future of safety and health in engineering education. Journal of Engineering Education: April, (pp. 163-167).
Dungan, K.W. (2001). Practical applications of risk-based methodologies. Fire Protection Engineering, Spring. www.sfpe.org.
Hunter, T.A. (1992). Engineering design for safety. New York: McGraw-Hill Inc.
Jones, D. (2002). How to Design Effective EH&S Management Systems for Continual Improvement of Risk Reduction Performance. American Society of Safety Engineers, www.asse.org.
Main, B.W., & Ward, A.C. (1992). What do engineers really know and do about safety? Implications for education, training and practice. Mechanical Engineering, Vol. 114, No. 8, 44-51.
Main, B.W. (2002). Risk Assessment: Solving Day-to-Day Problems. American Society of Safety Engineers 40th Annual Professional Development Conference, Nashville, TN.
Manuele, F.A. (1999). Why safety through design: What's in it for you? In Christensen, W.C. & Manuele, F.A. (Eds.), Safety through design, (pp. 3-8). Itasca, IL: NSC Press.
Manuele, F.A. (2001). Innovations in safety management - Addressing career knowledge needs. New York: John Wiley & Sons.
Manuele, F.A. (2003). On The Practice Of Safety, 2nd Edition. New York: Van Nostrand Reinhold.
Minter, S.G. (2003). What is a Safety Engineer? Occupational Hazards, October, www.occupationalhazards.com.
Morris, M. & Simm, J. (Eds.) (2000). Construction risk in river and estuary engineering, A guidance manual. Thomas Telford.
National OHS Strategy 2002-2012. Commonwealth of Australia, 2002-08-08. www.nohsc.gov.au/nationalstrategy/.
Ontario Ministry of Labour. (2001). Guidelines for pre-start health and safety reviews: How to apply section 7 of the regulation for industrial establishments. Queen's Printer for Ontario. http://www.gov.on.ca/LAB/english/index.html.
Roland & Moriarty. (1990). System safety engineering and management, second edition. New York: John Wiley.
Rucker, J. (1996, September). Integrating safety through design symposium. Institute for Safety Through Design, Itasca, IL.
Taubitz, M. (2000). Risk assessment developments in US general industry. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.

ACCEPTABLE RISK

Introduction
Zero Risk
What Risk is Acceptable?
Acceptable or Tolerable?

KEY POINTS

1. A zero risk level is not attainable. The goal of the risk assessment process is to reduce residual risks to an acceptable or tolerable level.
2. Setting acceptable risk levels is a complex task, and currently remains a largely subjective, company-specific decision.
3. The As Low As Reasonably Practical (ALARP) framework is a useful guide in working with risks and reducing risks to an acceptable level.
4. Acceptable risk and tolerable risk should be considered synonyms within the risk assessment process. Efforts to distinguish these terms can lead to inadvertent errors, even by organizations that wish to promote a difference in the terms.
INTRODUCTION

This chapter begins by establishing that zero risk is not attainable and that risk assessment efforts should focus on reducing residual risks to an acceptable level. Several examples demonstrate that non-zero residual risk commonly occurs. The chapter discusses the complexities of setting an acceptable risk level and presents the ALARP framework for reducing risks. The chapter examines the terms "acceptable risk" and "tolerable risk" and advocates that these terms be considered synonyms. (Portions of this chapter first appeared in an article by Manuele and Main (2002) in Occupational Hazards magazine.)

Although many individuals and organizations accept this premise, there are those that cling to the notion that the only acceptable risk is zero risk. Under this view, the only safe system is one that has no risk. Note that company safety policies or goals of "zero accidents" or "zero injuries" are not inconsistent with non-zero risk. The key objective is to reduce risks to an acceptable level. The premise that zero risk does not exist is sufficiently critical to the risk assessment process that this chapter discusses the concept of acceptable risk and how to form decisions on acceptable risk levels.

Manuele and Main (2002) observe, "individually and collectively we are risk acceptors. Risk acceptance is situational: variations in the risk levels that individuals and organizations accept in given situations are exceptionally broad."

The concept of non-zero risk appears in several other discussions of the topic. One of the most significant and influential books on the concept of acceptable risk was written by Lowrance (1976), Of Acceptable Risk: Science and the Determination of Safety. Lowrance notes that:

Nothing can be absolutely free of risk. One can't think of anything that isn't, under some circumstances, able to cause harm. Because nothing can be absolutely free of risk, nothing can be said to be absolutely safe.
There are degrees of risk, and consequently there are degrees of safety.

In the real world, attaining zero risk, whether in designing or operating, is not possible. For some situations, the residual risk may be high and still be judged by the participants in an activity to be acceptable. Examples include working with live 440V electrical panels, chainsaws, overhead power lines, explosives, and others. Nevertheless, the residual risk, after risk avoidance, elimination, or control measures are taken, should be acceptable, as judged by the decision makers.

There is no theoretical reason why residual risk could not approach zero in the extreme. There are situations where the residual risks are "so low as to be essentially zero." Yet this is not zero. The only way to completely eliminate a specific residual risk is to cease the activity entirely. For the vast majority of workers, engineers, safety practitioners, product users, and others, ceasing operations is not a realistic option.

ZERO RISK PREMISE

There is no point in starting a risk assessment until the following premise is considered, adopted and embraced by an organization:

ZERO RISK DOES NOT EXIST

For all real world situations, zero risk does not exist. Manuele and Main (2002) make the following observations based on their study of acceptable risk:

Companies and individuals should accept that zero risk does not exist for hazards that cannot be eliminated. Where hazards cannot be eliminated, the goal should be to reduce risks so that the residual risks are acceptable.

EXAMPLES OF ACCEPTABLE RISK

Manuele and Main (2002) present several real world situations drawn from the contemporary press to illustrate the acceptance of the residual risk concept. Their review provides examples of the diverse views people have about acceptable risk.
• An article in the February 14, 2001, issue of the Chicago Tribune discussed the history of fatalities in auto racing, as well as the notable measures taken over the years to make racing less risky. Auto racing is a form of employment. Drivers, auto owners, promoters, television broadcasters and viewers are aware of the risks, and apparently accept them. No public outcry has arisen demanding that this high risk activity be discontinued, even though the number of driver fatalities in relation to the number of drivers involved would be considered unacceptable in other employment settings. This suggests that in certain instances relatively high risks are considered acceptable to both individuals and society.

• According to Injury Facts - 2003 Edition, a National Safety Council publication, motor vehicle operation resulted in 44,000 fatalities in the United States in 2000, and 2.3 million persons sustained disabling injuries. Assuming a U.S. population of 288 million, the probability of a resident, on average, being killed in 2000 was 1 in 6,500. The probability of sustaining a disabling injury was 1 in 122. Those are serious odds, on the negative side. Nevertheless, we continue to drive. Is the risk acceptable? Admittedly, we expect a continuing effort to make motor vehicle transportation safer and presume that the risks will be reduced. But, presently, no matter how skilled a person is as a defensive driver, the risk of fatality or disabling injury is substantial while in traffic. It is never zero. Always, the probability exists of being injured by the actions of another driver or oneself.

• Concerning making decisions on risks, Fanning (2002) notes the factors that must be considered and shares his viewpoint on an acceptable risk level in the U.S. Army. "One must consider several factors. These factors include realism, time, money and resources. Controls that prevent a broken leg for example cannot cost the unit several thousand dollars.
This is simply not cost effective." In the context of combat units training and deploying for military action, a broken leg is evidently considered acceptable given the cost. Yet in general industry, expenditures of several thousand dollars to prevent broken bones are very common.

WHAT RISK IS ACCEPTABLE?

OVERVIEW

Once the premise of non-zero risk is accepted, the next question becomes, "What risk level is acceptable?" This is one of the most frequently asked questions in risk assessment. Many long and arduous hours of debate in standards writing committees have been devoted to finding a specific answer. Unfortunately, there is no objective, universal answer.

The actual level of acceptable risk varies with many factors including:
• Voluntary versus involuntary assumption of risk
• Perceived comparative risks from other situations
• The value of the benefit derived
• Public awareness of benefits
• Media influence (e.g., advertising)
• Peer pressure (i.e., the numbers of others participating in the activity)
• Other factors

In evaluating risks, Ale (2000) suggests:
• Consequences [severity] weigh more than probabilities
• The involuntary weighs more than the voluntary
• The unfamiliar weighs more than the familiar
• The distrusted weighs more than the trusted

HB-203-2000 includes an Appendix D that examines the criteria of what is an acceptable risk. "Although guidelines and regulations provide great detail on risk identification and characterization, there is less guidance on what constitutes an acceptable level of risk." Table D1 in HB-203-2000 lists the descriptive basis for choosing risk criteria used by regulators. The table shown below illustrates the range of, and basis for, acceptable risk criteria.

Table 4.1 - Basis for Choosing Risk Criteria Used by Regulators (HSE 203:2000 Table D1)

Criteria | Comments | Examples
Zero Risk | Regardless of the costs or benefits. Impossible to achieve. | United States Food and Drug Administration (USFDA) Delaney clause: 'substances demonstrated to be carcinogens banned'.
To the extent economically feasible | Considers costs only, regardless of how trivial the benefit. | US CAA MACT (USEPA, 1990), Best Available Technique not Entailing Excessive Cost (Duffus & Worth, 1996), etc.
Realistically achievable | Judged by a consensus of health professionals. | Air National Environmental Protection Measure (see earlier reference).
No Observable Adverse Effect Level (NOAEL) | Widely used by the United States Environmental Protection Agency (USEPA). |
De minimus | Defined in Whipple (1987) [7] as trivial, insignificant or minimal. Ignores costs of controls. |
Natural standard | Risks from naturally occurring events provide a benchmark, e.g., probability of death. |
Unreasonable risks | Considers both costs and benefits. |
Significant risk | No explicit consideration of either costs or benefits. Determined on a case by case basis. Requires both statistical significance and a risk large enough to require remedial control action. | Paustenbach, 1989 (p1031) [8]; USFDA definition of insignificant cancer risk as <1x10^-6 per lifetime.
Reasonably necessary or appropriate | Balancing of costs and benefit with substantive evidence requirement. |
Ample margin of safety | Emphasis on serious illness or mortality. No explicit consideration of either costs or benefits. |
As Low As Reasonably Achievable (ALARA) | Balancing of cost and benefit. | The Netherlands
Adequate margin of safety | No explicit consideration of either costs or benefits. Protects health of more sensitive portion of population. | U.S. EPA
Precautionary Principle (see Appendix B of the document) | Requires both a threat of serious and irreversible environmental damage and a lack of scientific certainty about these threats. | Intergovernmental Agreement on the Environment (IGAE, 1992)

Hahn (2000) notes the difference between using a Probabilistic Risk Assessment (PRA) to calculate a numerical risk level and the decision as to whether the answer represents acceptable risk. He indicates that absolute probabilistic numbers are essentially useless if society has not adopted a policy defining a level of acceptable risk. He states that PRA experts can only provide answers to technical questions through analyses, but they cannot provide risk acceptance criteria.

Although the concept of acceptable risk is becoming more commonly adopted throughout the world, a single level of acceptability cannot be universally applied. Acceptable risk is a function of many factors, and is specific to a company, culture and time-era. Risks that are acceptable in one company may not be in another. Even within a single global company the levels can vary. Local and company culture play a very important role in risk acceptability, as has been experienced in global companies. The answer also changes over time because what is acceptable today may not be acceptable tomorrow, next year or next decade. What is acceptable can also change very quickly, even overnight, within a company, such as acceptable work practices before and after an injury.

Acceptable risk also varies across industries. As will be discussed further in Section IV of this book, what risk level is considered acceptable depends greatly on the particular industry. What is considered acceptable in one industry may very well be unacceptable in another. There is little reason to believe that developing a single, distinct and commonly accepted definition of an acceptable risk level that is universally applicable is possible at the current time.
Manuele and Main (2002) observe that "a universal definition of an acceptable risk level cannot be attained at this time because of the many variables in risk situations." In general terms, all that can be said is that the residual risk, after taking preventive action, must be acceptable in the particular setting being considered.

FRAMEWORK FOR DECISION MAKING - ALARP

A general trend has emerged toward using a three-tier framework for determining acceptable or tolerable risk. The framework is presented by the HSE guideline, Reducing Risks, Protecting People (2001). The principle presented is that risk should be reduced to a level that is "as low as reasonably practicable (ALARP)." This concept has also been termed ALARA - as low as reasonably achievable. If there is a significant difference between the terms it is elusive. The principle divides risk into three regions:
1. An upper bound, above which risks are deemed unacceptably high
2. A lower bound, below which risks are considered negligible or broadly acceptable
3. An in-between region where risks should be reduced to a level that is ALARP.

The framework is shown graphically in Figure 4.1.

[Figure 4.1 - As Low As Reasonably Possible (ALARP). Copyright 2000 ISA - The Instrumentation, Systems, and Automation Society. Reprinted with permission. All rights reserved.]

The principle states that there is a level of risk that is intolerable. Above this level, risk cannot be justified on any grounds. There is also a lower risk level, which is a broadly acceptable region. Below this level there is no need for risk reduction efforts as they are unwarranted. In this lower region risks are essentially negligible and risk reduction efforts cannot be justified either by a cost-benefit evaluation or management decision. Between these two levels is the ALARP region. In this region risk reduction in some form(s) is required. After risk reduction the risk levels will presumably be lower but some risk will remain.
These residual risk levels are acceptable if further risk reduction is not practicable or feasible.

The preliminary standard prEN 1005-4, 2001 Safety of Machinery - Human physical performance, Part 4: Evaluation of working postures in relation to machinery uses the following descriptions for the three levels of risk:

Not recommended: the health risk is unacceptable for any part of the user population.
Conditionally acceptable: there is an increased health risk for some or all of the user population. The risk must be analysed together with contributing risk factors, followed as soon as possible by risk reduction (i.e. redesign) or, if that is not possible, other suitable measures.
Acceptable: the health risk is considered low or negligible for nearly all healthy adults.

Similarly, the Danish Regulations' adaptation of the ISO 2631-1:1997 requirements on mechanical vibration and shock uses three risk levels of acceptable, conditionally acceptable, and unacceptable.

As a means to increase ease of use and understanding, these three regions are often color coded with the familiar red-yellow-green color scheme. In these instances the unacceptable region is red and is interpreted as "stop - design or process cannot proceed until risk is reduced." All involved personnel know that the red region means that the next hurdle, whether it be a design review or a process check, will not be passed until the risk is reduced. The yellow area is known as a caution zone, where risks need to be examined for opportunities to reduce risk further and solutions implemented where feasible. However, a yellow risk is not an automatic fail on the next design or process hurdle. The green area is sometimes interpreted as a "nice to know" zone. Risk reduction does still occur when solutions are low cost and easily implemented, but energies and attention are not typically focused in this area.

The concept of acceptable risk displaces zero risk as the target for risk assessments.
Peeling back the onion further, the ALARP framework suggests that those risk reduction methods that are practicable or feasible should be employed as a method to attain acceptable risk. Next comes the question of "what is practicable or feasible?" The answer to this question remains largely subjective. However, the HSE 1997 The Application of Risk Assessment to Machinery offers the following guidance:

For severity levels which are in the ALARP region, the risk is only acceptable if it is reduced as low as is reasonably practicable. Risk evaluation therefore hinges on an assessment of what is reasonably practicable. It is suggested that two approaches are used, and that they are applied in the following order:
a) assess whether the current machine design complies with the published state-of-the-art for risk reduction for similar types of machine. Current standards on the design of similar machines, particularly European type C standards, provide information on what constitutes the current agreed European state-of-the-art.
b) apply cost/benefit analysis

SPECIFIC SOLUTIONS

Although a universal definition of acceptable risk is elusive, specific industries, governments and individual authors have defined levels of acceptable risk. Several examples follow.

• The robotic industries, discussed in greater detail in Chapter 35, have developed criteria for acceptable risk. The industry standard ANSI/RIA R15.06-1999 includes residual risk levels that are deemed to be tolerable. Residual risks that remain above the specified levels are unacceptable and require further risk reduction. Only when the residual risks are at or below the specified acceptable level can risk reduction efforts cease.
• From the aerospace industry, the NASA Integrated Action Team (2000) provides the following definition:

Acceptable Risk is the risk that is understood and agreed to by the program/project, Governing Program Management Council, and customer sufficient to achieve defined success criteria within the approved level of resources.

Goldberg, Everhart, Stevens, Babbitt, Clemens and Stout (1994) present a risk model from the U.S. military that provides the guidance shown in Table 4.2.

Table 4.2 - Management Decision Levels (MIL-STD-882C)

Severity of Consequences: I Catastrophic; II Critical; III Marginal; IV Negligible
Probability of Mishap**: A Frequent; B Probable; C Occasional; D Remote; E Improbable; F Impossible
Risk Code / Actions:
1 - Imperative to suppress risk to lower level
2 - Operation requires written, time-limited waiver, endorsed by management.
3 - Operation permissible
Note: Personnel must not be exposed to hazards in Risk Zones 1 and 2
**Life Cycle = 25 yrs.
[Matrix cell assignments not reproduced]

In this example there are two risk levels that are considered acceptable. Referring back to Figure 4.1, the reader will note the similarities between the ALARP framework and risk levels in the matrix. The MIL-STD-882 approach uses a table format whereas the ALARP approach portrays the similar concept as a triangle.

• Marszal (2000) presents an analysis of quantitative values based on the likelihood of a fatality per year. Some values proposed for the risk levels are shown in Table 4.3.

Table 4.3 - Numerical Tolerable Risk Criteria

Criteria | Tolerable Risk Level
Corporate Summary De Minimus Individual Risk (Worker) | 10^-? to 10^-9
Corporate Summary De Manifestus Individual Risk | 10^-3 to 10^-6
UK Government Individual Risk de Minimus (Worker) | 10^-5
UK Government Individual Risk de Manifestus (Worker) |

Seiler (2000) states that in various publications individual risk limits between 10^-4 and 10^-6/year have been proposed. This translates into a probability of fatality of 1 in 100,000 to 1 in 1,000,000.
These values only address fatalities. Injuries are not specifically addressed in the UK HSE framework. Whiting (2001) presents a "Risk Tolerability Framework" as a variation on the ALARP model built on the Australian AS/NZS 4360:1999. Whiting extends the fatal risk tolerance levels to non-fatal injuries based on ratios of fatal and non-fatal injuries from several international sources. From this analysis he proposes a ratio formula of 1 fatality : 10 major injuries : 200 minor injuries. Whiting does note that:

It must be recognized that these chosen consequence ratios 1:10:200 are NOT absolute and are best considered as 'working definitions,' subject to on-going review. Most importantly they cannot be used for small sample sizes i.e. small work group populations and short time periods. (emphasis in original)

The ratios are based on work by Heinrich (1931) and Whiting's (2001) more recent analyses of accident data. The ratios provide a thought provoking baseline but yield only very general guidelines. Manuele (2002) has recently raised serious questions about the validity of Heinrich's early work, so ratios built from that basis can be called into question. This would be consistent with Whiting's caveat on using the ratios for small sample sizes such as would occur in many industrial settings. A similar discussion on ratio formulas also appears in Brearley (2000).

• There are also industries that provide a framework to assess risk without specific criteria on what constitutes acceptable risk. One such example comes from the U.S. machine tool industry where several standards and guidelines now include the concepts of residual risk and acceptable or tolerable risk, but the user of the documents must determine what level of risk is acceptable for the particular application.

• Marszal (2000) raises some questions concerning the use of the ALARP model in the U.S.:

The United States is specifically opposed to setting tolerable risk guidelines.
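The three-region ALARP decision of the preceding section, extended to non-fatal injuries with Whiting's 1:10:200 working ratios and his small-sample caveat, as an added Python example that is not from the book or any of the authors it cites. The 10^-4 to 10^-6 per year band is the range Seiler reports as proposed; scaling the fatality band by the ratio for each injury class, and the 1,000 person-year cutoff below which the ratios are refused, are this example's own assumptions.

```python
"""ALARP three-region classification, extended to non-fatal injuries.

Added example, not from the book. Assumed (not on the page): the way the
fatality band is scaled to injury classes, and the MIN_PERSON_YEARS cutoff.
"""
from dataclasses import dataclass
from enum import Enum


class Region(Enum):
    UNACCEPTABLE = "unacceptable"              # red: stop until risk is reduced
    ALARP = "alarp"                            # yellow: reduce where practicable
    BROADLY_ACCEPTABLE = "broadly_acceptable"  # green: no reduction required


# Whiting (2001) working ratios: 1 fatality : 10 major injuries : 200 minor injuries.
CONSEQUENCE_RATIO = {"fatality": 1, "major_injury": 10, "minor_injury": 200}

# Assumed threshold (not from the page): with less exposure data than this the
# injury ratios are not applied, per Whiting's caveat on small populations and
# short time periods.
MIN_PERSON_YEARS = 1_000


@dataclass(frozen=True)
class AlarpBand:
    """Individual fatality risk per person-year bounding the ALARP region."""
    upper: float  # at or above this: unacceptable
    lower: float  # below this: broadly acceptable

    def __post_init__(self):
        if not 0 < self.lower < self.upper:
            raise ValueError("bounds must satisfy 0 < lower < upper")

    def scaled(self, consequence):
        """Assumption: an injury class tolerates k times the fatality rate,
        where k is Whiting's ratio for that class (k = 1 for fatality)."""
        k = CONSEQUENCE_RATIO[consequence]
        return AlarpBand(upper=self.upper * k, lower=self.lower * k)


def ratio_applicable(consequence, person_years):
    """Fatality bounds need no ratio; injury bounds need enough exposure data."""
    return consequence == "fatality" or person_years >= MIN_PERSON_YEARS


def classify(risk_per_year, consequence, band, person_years):
    """Place an estimated annual individual risk into one of the three regions."""
    if consequence not in CONSEQUENCE_RATIO:
        raise ValueError(f"unknown consequence class: {consequence}")
    if not ratio_applicable(consequence, person_years):
        raise ValueError("1:10:200 ratios not usable for small sample sizes")
    b = band.scaled(consequence)
    if risk_per_year >= b.upper:
        return Region.UNACCEPTABLE
    if risk_per_year < b.lower:
        return Region.BROADLY_ACCEPTABLE
    return Region.ALARP


def may_cease_reduction(region, further_reduction_practicable):
    """Residual risk in the ALARP region is acceptable only when further
    reduction is not practicable; red never passes, green always does."""
    if region is Region.UNACCEPTABLE:
        return False
    if region is Region.BROADLY_ACCEPTABLE:
        return True
    return not further_reduction_practicable


if __name__ == "__main__":
    # Band from the individual-risk limits Seiler (2000) reports as proposed:
    # 10^-4 to 10^-6 per year. The hazard estimates below are constructed.
    band = AlarpBand(upper=1e-4, lower=1e-6)
    samples = [(5e-5, "fatality"), (5e-4, "major_injury"), (1e-4, "minor_injury")]
    for risk, cons in samples:
        region = classify(risk, cons, band, person_years=10_000)
        print(f"{cons:13s} {risk:.0e}/yr -> {region.value}")
```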
Attempts at creating formal decision criteria, sometimes referred to as "bright lines," have always failed. It is unlikely that the United States will adopt Tolerable Risk Criteria at any time in the foreseeable future. In addition, international standards that attempt to stipulate risk tolerance criteria will be rejected.

Yet Marszal (2000) also observes:

Even though no government criteria have been imposed on industry in the United States, the nation still retains an exemplary record for safety. The reason for this exemplary record is the flexibility to apply capital where it will produce the most benefit and the unrestricted ability of the free market to determine third party liability costs. This free-market action makes tolerable risk guidelines moot and allows sound decisions about risk reduction projects to be made strictly on a cost-benefit analysis basis.

Marszal's (2000) observations ring true. For the U.S. to arrive at specific tolerable risk values will likely require the government to do so. The U.S. political environment is likely to remain hostile to such activity (from many and perhaps all sides).

TYPES OF ACCEPTABLE RISK MEASURES

A report published jointly by the FAO/WHO (1997) noted that there are four different types of measures that can be used to set acceptable risk levels, as shown in the first column of Table 4.4. The report did not rank these measures in any particular order.

Table 4.4 - FAO/WHO Types of Acceptable Risk Measures and Examples

Type of acceptable risk measure | Example (not part of report)
One type is the "near zero-risk" measure, which is often implicit in applications where a de minimus level of risk is considered acceptable. | Unreasonable misuse of a product, random lightning strikes, falling off a very low platform
A second type are balancing measures that employ cost-benefit or ALARP approaches to setting acceptable risk. | Typical industry applications such as selecting hard guards, area scanners, light curtains, perimeter fencing, etc.
A third type of measure is the "threshold," where a non-zero risk level is stipulated as acceptable. | Permissible exposure limits for chemicals or noise
The fourth type of risk measure is the "procedural" measure, where the acceptable risk level is arrived at via a negotiation or similar process. | A management/labor negotiation on safe work rules, number of employees required for certain tasks, etc.

Examples of these types of acceptable risks are shown in the second column of Table 4.4. These examples are not part of the published report.

QUALITATIVE OR QUANTITATIVE?

Identifying a tolerable or acceptable risk level can quickly become a daunting undertaking. Researching the literature to learn of other progress in this area quickly reveals the complexity of the problem. Even adopting the quantitative guidelines from other industries can be of little help if one does not have sufficient supporting data to perform a quantitative assessment to determine where on the ALARP framework a particular risk situation resides. Strictly following the ALARP framework requires calculating fatality equivalents, performing a cost-benefit analysis and making many assumptions that may be criticized later. There is not enough time, supporting data or resources to apply the criteria in everyday risk assessment situations in general industry.

What can be done in this situation? In nearly every industry, a qualitative approach is used where supporting data are not available or quantified analyses cannot be performed. Although a quantitative risk assessment tends to be preferred, in instances where a quantitative approach is precluded a qualitative approach is adopted. The qualitative approach is valid but makes strict cost-benefit analyses more difficult.
Even using all available data and the best science and technology, many risk assessments cannot be undertaken without making a number of assumptions such as the relative values of risks and benefits or even the scope of the study. Parties who do not share the judgmental values implicit in those assumptions may well see the outcome of the exercise as invalid, illegitimate or even not pertinent to the problem.

The ALARP concept has value as a framework but it also introduces some complexity. How does a company set the unacceptable and acceptable risk levels? If the levels are to be quantified, then doing so requires fairly sophisticated analyses or benchmarking. Complexity in the process, setting values and subsequent analyses complicates the acceptable risk problem.

Appendix D to AS/NZS 4360:1999 includes many issues that should be considered in determining acceptable risk in the form of thirteen questions. In essence the single question of "what is acceptable risk?" is broken down into subtopic questions. Unfortunately, the Appendix only includes questions but no answers.

In most instances, setting levels of acceptable risk remains a company or industry specific decision. Although quantitative data can be useful, in most industrial applications the analyses and decision criteria on acceptable risk remain a largely subjective evaluation.

This discussion on risk assessment began by attempting to answer the question "Are risks reduced to an acceptable level?" Using the ALARP framework, the answer to the first question is "Yes" if the risks have been reduced to as low as reasonably practical. This raises the question, "So what is practical?"
Merriam-Webster's (2002) dictionary defines the following terms:

Practical - capable of being put to use or account: useful
Practicable - capable of being put into practice or of being done or accomplished; capable of being used: usable
Feasible - capable of being done or carried out

With these definitions the risk assessment can proceed working within the constraints of the real world as described in more detail in Chapter 6.

ACCEPTABLE OR TOLERABLE?

DIFFERENT VIEWPOINTS

A study of risk assessment guidelines and the technical literature quickly reveals that there are two primary terms used to describe risk levels that can be endured: acceptable and tolerable. One question becomes, "do these terms have synonymous or distinct meanings?" Looking at these terms in the ALARP framework indicates that there are two regions where the words can be, and indeed are, easily used as synonyms. In the high risk region "intolerable" and "unacceptable" equally convey the intended meaning. Similarly, in the low risk region any difference between "broadly tolerable" and "broadly acceptable" is inconsequential. Thus the only region where these two terms may have distinct meanings is in the ALARP area.

Manuele and Main (2002) note the following:

Meanings variously given to the terms acceptable risk and tolerable risk present a semantics problem. For some people, the terms are synonyms; for others, they have markedly different meanings.

Dictionary definitions of acceptable and tolerable differ slightly. Two descriptions for each term follow.

acceptable
1. capable or worthy of being accepted
2. pleasing to the receiver, satisfactory, agreeable, welcome

tolerable
1. capable of being tolerated, endurable
2. fairly good, not so bad

In these definitions, tolerable as a term is less demanding: endurable, but only fairly good, not so bad. To be acceptable, the risk level should be satisfactory, and agreeable.
Even though these dictionary definitions differ slightly, in daily practice they are commonly used as synonyms. In Roget's Thesaurus, tolerable is given as a possible replacement for acceptable, and thus as a synonym. ISO/IEC Guide 51 defines tolerable risk as, "risk that is accepted in a given context based on the current values of society." As synonyms, the terms can be reversed with no loss of meaning: acceptable risk is "risk which is tolerated in a given context based on current values of society."

The converse viewpoint is advocated by the United Kingdom's Health and Safety Executive (HSE) in its R2P2 (2001):

'Tolerable' does not mean 'acceptable.' It refers instead to a willingness by society as a whole to live with a risk so as to secure certain benefits in the confidence that the risk is one that is worth taking and that it is being properly controlled. However, it does not imply that the risk will be acceptable to everyone, i.e. that everyone would agree without reservation to take the risk or have it imposed on them. 'Tolerability' does not mean 'acceptability.' Tolerating a risk does not mean that it is regarded as negligible, or something we may ignore, but rather as something we need to keep under review and reduce still further, if and when we can. 'Acceptability' relates to risks that are at an acceptable level and do not need further consideration. The expression 'acceptable level of risk' refers to the level at which it is decided that further restricting or otherwise altering the activity is not worthwhile (p. 3).

As part of the distinction between risk levels, HSE uses the following three terms: unacceptable, tolerable and broadly acceptable. Note that for those that consider the terms synonyms, reversing the words in both the above quotation and the three terms yields essentially the same meaning: intolerable, acceptable, and broadly tolerable.
UNINTENTIONAL MIX UPS

Even organizations advocating that a distinction be recognized between the terms acceptable and tolerable can accidentally mix them up. Two examples are shared, both from Australia.

HB 203 Environmental risk management - Principles and process is a guidance document that is based on the Australian risk management standard AS/NZS 4360 (1999). The guide draws a distinction between acceptable risk and tolerable risk. Appendix D of this guide is titled "Risk Criteria: What is an Acceptable Risk?" As used in this guide, acceptable risk is the lower bound area where no further risk treatment/reduction is necessary (see Figure 4.2). Similarly, the upper region of highest risk is termed "intolerable." Risk reduction is required in this region. In Figure 4.2, both Products A and B initially fall in the intolerable region and require risk reduction.

[Figure 4.2 - Comparing Acceptable and Tolerable Risk]

Risks in the middle region fall in the "unacceptable but may be tolerable" region. The ALARP concept is to be applied to risks in this middle region. According to the text in the document, risk reduction efforts can cease once the risk is reduced to a tolerable level using ALARP. This is shown with Product B in Figure 4.2. Risk reduction is not required to reduce the risk to an acceptable level as shown with Product A. If it were, then there would only be two levels of residual risk - unacceptable and acceptable - because all risk above the acceptable level would be unacceptable. Yet the document clearly intends that there be a middle risk level termed tolerable risk between unacceptable and acceptable.

Knowing the level of acceptable risk only indicates the level below which no risk reduction is required, but provides no information to determine when risk reduction efforts can cease for risks remaining above the acceptable level. Knowing when to stop risk reduction efforts requires knowing the tolerable risk level.
Therefore, the operative question should be "What is the tolerable level of risk?" since that point determines when risk reduction efforts can cease. A more appropriate title of the Appendix would be "Risk Criteria: What is a Tolerable Risk?" However, that is not the title of the Appendix.

A similar confusion occurs in the base standard AS/NZS 4360 (1999) in a figure on the risk treatment process. Within the standard there is a flow chart that uses a decision point of "Risk Acceptable?" If the answer is "No" then risk reduction efforts must continue. Using "acceptable" as the decision point is the wrong word. Using "Risk Acceptable?" implies that risk reduction efforts cannot stop until the risk is in the lowest, broadly acceptable region. This usage is not consistent with the language of the document. According to the language of the document, the correct decision question should be "Risk Tolerable?"

These two examples highlight potential problems involved in drawing distinctions between these two very closely related terms, even by knowledgeable persons intending to draw a distinction between the terms.

SO WHAT?

Is this issue really significant? Absolutely, because the primary question that end users need answered is "when can I stop reducing risk, how much is enough?" If the answer is "only at the acceptable level" as implied above, then resources may be unnecessarily expended in reducing risk beyond necessary levels. This can result in designs that are unnecessarily costly, unproductive, and difficult to use. If the terms acceptable and tolerable are used as synonyms then the whole issue becomes moot. Used as synonyms, risk reduction efforts can cease once an acceptable or tolerable risk level is achieved using ALARP. Adopting these terms as synonyms in the risk assessment process would be especially beneficial given the global context of risk assessment.
The nuances between the two terms may be (and probably are) entirely lost when translated to other-than-English languages. If globalization and common understanding is one objective of the risk assessment process, then adopting "tolerable" and "acceptable" as synonyms in the risk assessment process is preferable to using various shades of gray to convey very subtle but distinct meanings.

Currently there are people who believe that the term acceptable is superior to tolerable. There are also people who believe that acceptable is inferior to tolerable. Some people believe that these terms are essentially equal. Arguments for and against each of these positions are often quite passionate. Outside the risk assessment process there may be good reason for these terms to have distinct meanings. However, within the risk assessment process the best use of time and resources will result if these terms are treated as synonyms with equal meaning. A strong case for using the terms as synonyms can be made based on the following.

1. Exchanging the two terms in several passages results in essentially the same meaning.
2. Errors in usage occur, apparently even by organizations advocating that the meanings be distinct.
3. With the globalization of risk assessments, nuances between the two terms may be entirely lost when translated to other languages.
4. If the meanings are to be distinct, significant educational efforts will be required to train or correct users on the distinction. This is likely a poor use of resources.

Although there may be a small technical difference between the terms acceptable and tolerable, Manuele and Main (2002) propose, "the terms can and should be accepted as synonyms, and that interchangeable use will reduce confusion." This position is adopted herein. As used in this book the terms acceptable and tolerable are considered synonyms in the risk assessment process.

REFERENCES

Ale, B. (2000). Risk assessment practices in the Netherlands. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.
ANSI/RIA R15.06-1999. Safety requirements for industrial robots and robot systems. Robotic Industries Association. www.robotics.org.
AS/NZS 4360-1999. Risk management. Standards Australia. www.standards.com.au.
Brearley, S.A. (2000). UK railways: Using risk information in safety decision making. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.
Fanning, F.E. (2002). Risk management for emergency operations. American Society of Safety Engineers. www.asse.org.
FAO/WHO. (1997). Expert consultation on the application of risk management to food safety matters. Rome, January 1997.
Goldberg, B.E., Everhart, K., Stevens, R., Babbitt III, N., Clemens, P., & Stout, L. (1994). System engineering "toolbox" for design-oriented engineers. NASA Reference Publication 1358.
Hahn, L. (2000). Possible uses and limits of risk assessment in the nuclear industries. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.
HB 203-2000. Environmental risk management - Principles and process. Standards Australia. www.standards.com.au.
Heinrich, H.W. (1931). Industrial accident prevention: A scientific approach. McGraw Hill Book Company.
HSE. (2001). Reducing risks, protecting people: HSE's decision-making process. Health and Safety Executive. www.hse.gov.uk.
IEC 61508. Functional safety of electrical/electronic/programmable electronic safety-related systems. www.iec.ch.
Injury Facts - 2003 Edition. National Safety Council. www.nsc.org.
ISO 2631-1:1997. Mechanical vibration and shock - Evaluation of human exposure to whole-body vibration - Part 1: General requirements. International Organization for Standardization. www.iso.ch.
ISO/IEC Guide 51:1999 (E). Safety aspects - Guideline for their inclusion in standards. Second Edition. International Organization for Standardization. www.iso.ch.
Lowrance, W.F. (1976). Of acceptable risk: Science and the determination of safety. Los Altos, CA: William Kaufmann.
Manuele, F.A. & Main, B.W. (2002). On acceptable risk. Occupational Hazards, January. www.occupationalhazards.com.
Manuele, F.A. (2002). Heinrich revisited: Truisms or myths. National Safety Council. www.nsc.org.
Marszal, E.M. (2000). Tolerable risk guidelines. The Instrumentation, Systems and Automation Society Expo 2000. www.exida.com.
MIL-STD-882C. (1987). Standard practice for system safety. Department of Defense, U.S.A. www.defenselink.mil.
MIL-STD-882D. (2000). Standard practice for system safety. Department of Defense, U.S.A. www.defenselink.mil.
NASA. (2000). Enhancing mission success - A framework for the future. A report by the NASA Chief Engineer and the NASA Integrated Action Team. December 21, 2000. www.nasa.gov.
NASA-STD-8719.7. (1998). Facilities system safety handbook. NASA Standard. www.nasa.gov.
OSHA. 29 CFR 1910.1000. Air contaminants. Occupational Safety and Health Administration. www.osha.gov.
prEN 1005-4. (2001). Safety of machinery - Human physical performance, Part 4: Evaluation of working postures in relation to machinery.
Seller, H. (2000). Answers to the questions to be responded by the invited experts. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.
Whiting, J.F. (2001). Risk tolerability framework - Developing and implementing a practical, workable framework for your workplace. American Society of Safety Engineers, Professional Development Conference, 2001. www.asse.org.
DESIGN REVIEWS

Introduction
Purpose of a Design Review
Types of Design Reviews
Timing of a Design Review
Design Review Mechanics
The Decision Making Process
Separating the Analysis and Review
Types of Safety Analyses for Design Reviews
Practical Considerations
Closure

KEY POINTS

1. Use design reviews to ensure the machine or process design meets performance objectives.
2. Design reviews are key in the decision making process for products and process designs.
3. Risk assessment supports the design review process by providing the underlying analysis on which safety decisions can be made.
4. Be very careful in making design review decisions without a supporting safety analysis, whether a risk assessment or other analysis.
5. Risk assessments take time to conduct effectively, typically more time than can occur within a design review session. In most cases the assessment should occur separately from the design review.
6. Simultaneously trying to analyze a situation and assess if acceptable risk has been achieved can lead to trouble.
7. Design reviews are typically performed by a team, either formally or informally.
8. Several types of design reviews exist with different purposes and occur at different stages of the design process.

INTRODUCTION

Risk assessment occurs in the context of design development and decision making. The primary question that a risk assessment addresses is "are the residual risks reduced to an acceptable level?" In the context of both process and product designs, the decision event usually involves some form of a design review. Before digging into the details of risk assessment, it is useful to look at how the output from the assessment will be used. Knowing how the results will be used can give direction to the assessment process. Therefore, this chapter examines the Design Review as a decision point for risk assessment and determining acceptable risk.

The word "design" has different meanings to different people.
Engineers use "design" to refer to the technical synthesis where a concept moves from an idea to a functioning product or system. In this chapter and throughout the book, 'design' is used in the engineering and technical context.

Design reviews have been around for decades in the engineering community. According to Pugh (1991) "the design review forms an essential part of modern industrial practice. Properly instituted, it provides a mechanism whereby the total design activity can be carried out in a balanced and best compromised manner, leading to improved designs and products." Design reviews have been implemented as a means to make certain that designs for products and processes meet the necessary requirements before being released to production or the next phase of development. This form of checking a design before it progresses to its next phase continues today.

PURPOSE OF A DESIGN REVIEW

Design reviews are a formal evaluation of a design to ensure that the design meets the criteria set forth for the project. Safety is typically only one element of a design review. The nature of the design and the company culture will determine the importance of safety criteria. There are some product or process designs where safety is an absolutely critical element, and others where it is a relatively minor concern. Adams (1999) lists several objectives of a design review:

• Identify and correct hazards to prevent injury and illness;
• Assure compliance with applicable regulations and standards;
• Prevent property loss due to incidents, fires, spills, and avoidable downtime;
• Resolve any outstanding safety related issues;
• Contain project cost by reducing redesign and rework; and
• Facilitate project planning, including installation and debugging.

Note that these are the "safety" objectives, which are only a portion of the overall design objectives.
Design engineers have the primary responsibility for making a product, machine or system work in accord with the established design criteria. This can be an extremely challenging task. Their focus tends to be on creating a functional result from new and existing components, concepts or parts. In discussing engineers' focus, Hunter (1992) notes, "the emphasis was on getting the machine to work." Safety practitioners have a very different focus. They tend to be concerned with how the design might "fail" by a component or user not performing as expected. In the latter case the engineers often feel justified that the design did not 'fail' at all; rather the foolish person using the design was the problem. Consumers, operators, maintenance personnel and other end users have yet a different perspective. They tend to want the equipment to work as expected, when desired, as easily as possible, quickly and without problems.

Each perspective is important. Without the designer's focus a functional, working design will not result. Without the safety focus, foreseeable uses or misuses may be overlooked, leading to problems after the design is in use. Without the end users' perspective the design will not result in a workable or usable system. At times these perspectives can be at odds. Design reviews offer the opportunity to make certain that an effective balance has been struck between the perspectives and resulting performance criteria.

TYPES OF DESIGN REVIEWS

There are several different types of design reviews. Designs may be reviewed according to a particular specialty, such as safety, marketing, cost, legal or others. Design reviews are most frequently comprehensive, where all the specialty concerns are addressed at one time, or as appropriate according to the design maturity. Pugh suggests that there should be several design reviews during the course of a product design, including the following:

1. Marketing
2. Concept
3. Detail
4. Prototype manufacturing
5. Development
6. Production

In the context of a process review, Hammer (1993) presents the series of design reviews shown in Table 5.1.

Table 5.1 - Design Review Series (Hammer 1993)
Type | Purpose
Concept | Establish baseline for product
Preliminary Design | Review initial design based on proposal selected at Concept Review
Development "Go Ahead" Evaluation | Evaluate technical, financial, marketing, risk and other factors
Critical Design Review | Evaluate detailed designs and analysis
Prototype Review | Evaluate prototype design before it is actually built
Production "Go Ahead" Evaluation | Evaluate advisability of proceeding with full-scale production

Across different companies, there are many variations on the types of design reviews that are used. How many design reviews occur, what they are called, and when they are held are less important than the decisions and analyses supporting the design decisions. Each company, and to a certain extent each design, may have a slightly different design review process.

TIMING OF A DESIGN REVIEW

Design reviews should be held whenever the need arises to make key decisions on the design. At certain times such meetings can be impromptu and informal, such as in the hallway or via email. More formal reviews are typically conducted at the early stages of design and prior to releasing the design to production. The earlier that safety criteria are included in the performance objectives, the more likely the design will incorporate these concerns. Safety concerns raised after tooling is made or just before production commences have few options for risk reduction. Concerns identified early in the design process avoid retrofit actions and can be accommodated to improve safety performance. For this reason safety practitioners who are able to participate in setting performance criteria early in the design process will likely have greater success at design reviews.

DESIGN REVIEW MECHANICS

Design reviews are typically conducted by a team.
The members of the team will vary depending on the product or facility being designed, and the stage of the design in the development process. The design engineers and others intimately involved in creating the design should certainly be part of the review team. Specialists in safety, marketing, production, finance, quality, legal, and others, should be included as appropriate. The team should be led by someone who is in a position and has the competence to take a balanced view of the process.

A design review evaluates a design against the design criteria or requirements. The review seeks to ensure that the design meets all the criteria or that trade-offs made with respect to the criteria are appropriate and necessary. Beginning a design review without design specifications or benchmarks will almost certainly lead to frustration and lost time, since issues will arise out of the review which require further analysis and examination. The design criteria or desired attributes are typically set by management, marketing, manufacturing, finance or other internal sources. Criteria can also come from outside sources such as standards, legal requirements, customers, and others.

In conducting the design review the team will review the design and supporting analyses to reach a decision on the acceptability of the design relative to the criteria. Supporting analyses can include: structural analyses, Failure Modes and Effects Analysis (FMEA), checklists, financial, costs, compliance documents, and others. More recently design reviews are being based on risk assessments. The design review employs a risk assessment to be certain that all hazards have been identified and that the risks associated with the hazards have been reduced to an acceptable level.

THE DECISION MAKING PROCESS

Design reviews integrate into a basic decision making process. The general steps in any decision-making process are the following:

1. Identify the problem
2. State the basic objective or goal
3. State the constraints, assumptions and facts
4. Generate possible solutions
5. Evaluate and make a decision
6. Analyze
7. Create a detailed solution
8. Evaluate the solution
9. Report the results and make recommendations
10. Implement the decision
11. Check the results

The design review addresses Step #8 - Evaluate the solution. In many instances if the solution is found lacking, then the team begins to re-evaluate the constraints and generate new or differing possible solutions (returning to Steps #3 and #4). If sufficient information is available at the review, the team can work through the rest of the steps to arrive at a recommendation. If additional information or analyses are needed, the team usually defers a decision and reevaluates the design once the analyses have been completed.

In the context of safety standards, the analysis step can be straightforward when government regulations or industry standards apply. This type of evaluation is considered a compliance evaluation. The question to be answered is simply: does the design comply with the requirements of the standard? A single design may have several standards that must be checked. In a compliance review, once the team is satisfied the design complies with the requirements of the standard, the design progresses along the development or production process.

However, rarely are designs an exact copy of existing systems. Engineering design is a creative process that generates new and unique solutions to ever changing customer demands and desires. In many cases, industry standards do not exist to address the specific design being developed. In this case industry standards may apply, but the new design may venture into areas not directly covered by the standard. In situations where standards are less defined or considered a minimum that needs to be exceeded, a compliance evaluation is inappropriate.
In these cases a separate risk assessment or other safety analysis should be conducted to ensure that the design meets the required level of performance. A risk assessment will serve to identify opportunities for improvement and ensure the design under review reduces risks to an acceptable level.

SEPARATING THE ANALYSIS AND REVIEW

In the design review process, Step #6 - Analysis, is a very critical one. In the context of other engineering disciplines, the analyses are fairly well accepted; for example, a structural question requires a finite element analysis, a ventilation question requires an air flow or heat transfer analysis, and a finance question requires calculating the net present value or breakeven production measures. These analyses provide support for making decisions. However, many decisions regarding safety have been made in the past by the design review team or management without a supporting risk assessment or safety analysis. Safety decisions are almost always subjective. These decisions are made to determine if the risks of the design are acceptable. Since we all make decisions on risk acceptability every day, we all tend to believe that we have a valid basis for evaluating the design risk acceptability.

Hunter (1992) blurs the difference between the analysis and decision steps as follows:

Design reviews are now an essential part of the process of recognizing that a hazard exists, defining the nature and severity of that hazard, and discovering ways to design the hazard out of the product before the product is created.

Although the difference is subtle, it is significant. Identifying hazards, assessing risk, and reducing risk generally should occur before the design review rather than at the same time. Although hazard recognition might occur at a review based on the team observations, the risk assessment should primarily occur away from the design review session for all but simple designs.
Separating the decisions made by the design review team from the supporting risk assessment can be very important to supporting the team's decisions. Just as a heat transfer, structural or financial analysis would most likely be performed outside the design review, a risk assessment or safety analysis should be performed separately. However, in many design reviews there is no separate or formal risk assessment to support safety decisions. In these instances the review team makes a subjective assessment at the same time it is evaluating the design. Although this approach may be reasonable for relatively simple designs, a separate risk assessment or safety analysis should be made for more complex designs.

TYPES OF SAFETY ANALYSES FOR DESIGN REVIEWS

There are a large number of safety analyses that can be used in support of a design review (see Chapter 39 for further discussion). Just a few of these include:

• Checklists
• Preliminary Hazard Analysis
• Risk Assessment
• Failure Modes and Effects Analysis (FMEA)
• Fault Tree Analysis (FTA)

Many safety analysis methods have been discussed by other authors over the years. See Main (2000), Clemens and Simmons (1998), Roland and Moriarty (1990), Hammer (1993), Manuele (2003), Christensen & Manuele (1999), and others for further discussion.

An increasingly overt design criterion has become whether the residual risks of a design have been reduced to an acceptable or tolerable level. These criteria have long been used in business, but rarely was the decision explicit, formalized or documented. With newer risk assessment advances, these decisions have been brought forward and made with supporting analyses. For situations without specific design standards, risk assessments will help identify criteria for evaluating a design in a design review. Morris and Simm (2000) explicitly reference using risk assessment and management documents during the review stage of a project.
The important point to note is that risk assessments take time to conduct effectively, typically more time than can occur within a design review session. In most cases the analysis should occur separately from the design review. The risk assessments should be part of the design review decision process as support for decisions regarding safety.

PRACTICAL CONSIDERATIONS

There are several practical challenges facing participants in a design review (Main, 2002). All team members, and particularly safety practitioners, must be able to work comfortably with the technical content of a design in development. Team members need to be comfortable working from engineering drawings and being able to visualize the design in three dimensions, particularly given the great volume of design that now occurs in 3D CAD. They need to be able to converse with engineers, understanding the many constraints that must be balanced in developing the design solution. At the very least, the team members need to be able to understand these other constraints to participate in the discussions where safety performance is concerned.

All team members must realize that safety performance is only one of many criteria that must be balanced. Although safety can play a key role, the members should realize that safety may not be the most important criterion in a design. Trade-offs in this regard are necessary and appropriate as long as the residual risks are acceptable. This may mean that the risks are not reduced to the achievable minimum. Management or the design team may determine that the balance is appropriate for that design.

A risk assessment could become a written requirement and prerequisite to reach the final design review. This will help ensure that the assessment is completed before the design review is held. Such a requirement can help improve risk assessment results and speed the design review process.
Finding the appropriate level of involvement for a safety practitioner in the various design projects ongoing within a company may be a challenge. Although safety concerns should be identified early, the person's level of involvement may not be very high. Involvement too late in a project can lead to problems because new design criteria may emerge from a safety review, particularly if a risk assessment or safety analysis has not been conducted.

The pace of design in a company may also be a challenge. Team members are often spread thin with many differing responsibilities. If there are many designs in the pipeline, the team may be faced with trying to assess too many designs in a very short time. In this situation having the risk assessment completed before the design review can be of great assistance.

In companies that do not currently use a risk assessment as part of a design review, there may be a perception that the risk assessment increases the development time and delays completion. This can be a significant hurdle as noted by Adams (1999):

A big challenge for the safety professional and engineering manager is changing the design culture; for example, from one where safety is viewed as a costly add-on, to a culture where safety is fully integrated and is seen as a strategic advantage. This is made even more challenging by today's environment of outsourcing, globalization, and rapidly changing organizational structures.

CLOSURE

Design reviews are not the nirvana of safety. Adams (1999) noted that design reviews alone are somewhat inefficient from a cost perspective, and that such reviews may not deliver adequate incident prevention. This is particularly true if these tend to be compliance exercises, late in the design process, without a supporting separate risk assessment or other safety analysis. A risk assessment often results in new design criteria or hazards being identified that will require additional engineering efforts to resolve.
Therefore, late introduction may slow down the development cycle.

More recently design reviews are moving to an on-line, interactive format. The real time access to design data speeds the review and finalization. Bokulich (2002) shares an excerpt from Scott Harris of Solidworks:

Design reviews can be one of the most frustrating and time consuming tasks in the product design process. Quite often, design input gets lost or misinterpreted. Imagine trying to convey a complex or subtle design change using a fax, standard mail, or express delivery methods, which are slow and costly; this is literally how millions of products worldwide are designed and reviewed today.

Design reviews are one of the most commonly used methods to evaluate a design before it advances to production, the market or other design milestone. Design reviews are useful because they allow a team to evaluate a design against criteria and ensure risks are, or are being, reduced to an acceptable level. As discussed in Chapter 3, safety needs to be considered early in the design process to be most effective. Design review teams are advised to pay close attention to the basis for decisions regarding safety. If decisions are being made without a supporting risk assessment or safety analysis, then the team should question the process, just as a financier would question financial decisions made without a supporting basis or an engineer would question structural decisions made without a supporting structural analysis.

Design reviews are typically where risk assessments prove their worth. A documented risk assessment can aid a design review team in reaching decisions or highlighting areas where risks remain unacceptable. In the latter case the design review team can focus the discussion on feasible methods to further reduce risks.

REFERENCES

Adams, P. (1999). Application in general industry. In Christensen, W.C. & Manuele, F.A. (Eds.), Safety through design (pp. 155-169). Itasca, IL: NSC Press.
Bokulich, F. (2002). Collaborating via the web. Automotive Engineering International. Society of Automotive Engineers, April.
Christensen, W. & Manuele, F. (1999). Safety through design. Itasca, IL: NSC Press.
Clemens, P.L. & Simmons, R.J. (1998). System safety and risk management: A guide for engineering educators. U.S. Department of Health and Human Services, National Institute for Occupational Safety and Health. www.sverdmp.com/svt.
Hammer, W. (1993). Product safety management and engineering, second edition. American Society of Safety Engineers. www.asse.org.
Hunter, T.A. (1992). Engineering design for safety. New York: McGraw-Hill Inc.
Main, B. (2000). Risk assessment benchmarks 2000: Getting started, making progress. Ann Arbor, Michigan: design safety engineering, inc. www.designsafe.com.
Main, B.W. (2002). Design reviews: Checkpoints for design. Professional Safety, January.
Manuele, F. (2003). On the practice of safety, 3rd edition. New York: John Wiley and Sons.
Morris, M. & Simm, J. (Eds.) (2000). Construction risk in river and estuary engineering: A guidance manual. Thomas Telford.
Pugh, S. (1991). Total design: Integrated methods for successful product engineering. New York: Addison Wesley.
Roland & Moriarty. (1990). System safety engineering and management, second edition. New York: John Wiley.

SECTION II PRACTICAL GUIDANCE ON RISK ASSESSMENT

Chapter 6 The Basics of Risk Assessment
Chapter 7 Practical Applications and Examples
Chapter 8 Implementing Risk Assessment
Chapter 9 Risk Scoring Systems

THE BASICS OF RISK ASSESSMENT

Overview of the Risk Assessment Process
Preparing for the Risk Assessment Effort
The Risk Assessment Process - Step by Step
Some Examples
Cost as a Factor in Feasibility
Closure

KEY POINTS

1. The common fundamentals of all risk assessment processes include: identifying hazards, assessing risks, reducing risks, and documenting the results.
2. Before commencing a risk assessment project, preparations should be made including forming a team, assigning responsibilities, and gathering appropriate information.
3. A general risk assessment process describes the seven basic steps in completing a risk assessment.
4. Identifying hazards is a critical step in the risk assessment process because if hazards are omitted the associated risks will remain unknown. A task-based approach to identifying hazards has been found to be very effective and is recommended where applicable.
5. A practical solution to reducing risks to an acceptable level is the good faith application of the hazard control hierarchy of controls within the risk assessment process.
6. Cost is an important factor in obtaining acceptable risk. Resources are always limited.
7. Risk reduction efforts must work within the real world constraints of feasibility and practicality.

OVERVIEW OF THE RISK ASSESSMENT PROCESS

Although many companies and industries use different risk assessment methods (see Section III), the fundamentals of the risk assessment process are common:

• identify hazards,
• assess risk,
• reduce risk, and
• document the results.

The phrase "risk assessment process" is used in this book to describe the whole effort noted above. The terms used here differ somewhat from other uses, as will become apparent in Section III. A discussion of the differences and reasons for them appears in Chapter 38. Primarily the terms used below offer the simplest and most direct application for non-specialist users seeking to conduct a risk assessment.

The goal of risk assessment is to reduce risks to an acceptable (or tolerable) level. The risk reduction process is not completed until tolerable risk is achieved. This chapter identifies some preparations that need to occur before a risk assessment begins, and presents the basic risk assessment process in a step by step approach to assist in achieving this goal.
PREPARING FOR THE RISK ASSESSMENT EFFORT

FORM A TEAM

To be most effective, risk assessments should be conducted by a team. The team should consist of as many affected individuals as reasonably practical, including engineers, operators, maintenance personnel, marketing, and others. If product liability is a significant concern to the company, an attorney should be consulted by the risk assessment team. An attorney can bring the legal perspective to the project and may protect documents through the attorney-client privilege. The team members may vary from company to company and industry to industry, but there are some common elements:
• Engineers should be intimately involved in a risk assessment. Since engineers make numerous design decisions during the course of development, they need to be aware of the impact of their decisions on user safety and risk. Engineers should be involved in developing risk reduction methods, particularly those involving design changes.
• Workers, customers or end users should be involved, as these people tend to be most familiar with the tasks and uses to which the design will be submitted. They are best able to help identify hazards associated with their tasks, and can provide valuable insights on practical constraints and opportunities on how to reduce risk.
• Safety practitioners are often involved. The safety practitioner should identify hazards, assist in proposing risk reduction methods, and follow through on implementing risk reduction methods and completing the risk assessment. In many cases, the safety practitioner may lead the risk assessment effort due to his or her capability to identify hazards.
• Management should be involved, particularly in making decisions on risk reduction methods and/or accepting residual risk levels.
• If maintenance tasks will occur, then maintenance personnel should be involved to ensure maintenance tasks and hazards are identified.
• The team should have a leader who is familiar with the risk assessment process. This role can be assumed by consultants or knowledgeable internal personnel.
• Risk assessment specialists may also be involved, particularly when quantitative analyses are conducted. The specialist may conduct or facilitate risk assessments, lead risk assessment efforts or provide follow-through on risk reduction methods.

Other situations may involve legal counsel, insurers and others. McNab (2001) states very clearly that specialists should not be the sole instrument of risk assessments and risk management: "The task of risk management should not be limited to a few specialists. The power of risk management will increase if many employees use its basic principles on a daily basis" (emphasis in original). Further, the Norwegian offshore industry standard NORSOK Z-013 states, "experience has shown that the users of the analysis results need to be actively involved in the risk evaluation in order for it to be effective."

ASSIGN RESPONSIBILITIES

Before beginning a risk assessment effort, the responsibilities of the different players need to be clearly defined. Even though the risk assessment concept may be generally considered a favorable idea, responsibility for the assessment can quickly get passed from person to person because few likely candidates have spare time to take the lead. In general, the following separation of responsibilities will apply.

Senior management - will allocate appropriate personnel, time and resources to permit the risk assessment process to be successfully completed; holds the ultimate responsibility to determine level(s) of acceptable risk.

Project leader - responsible for leading the risk assessment process and keeping it on schedule; responsible for the overall risk assessment documentation; must be certain that all risks are reduced to an acceptable level before the product is released to production.
Risk assessment team - responsible for identifying all reasonably foreseeable hazards associated with the product design; responsible for assigning risk reduction responsibility for particular hazards; must develop consensus assessments of individual hazard risk; responsible for documenting the risk assessment.

Design engineers - responsible for participating on the risk assessment team; responsible for identifying hazards and being certain the risk assessment team is aware of the hazards; responsible for developing risk reduction solutions where appropriate.

GATHER APPROPRIATE INFORMATION

Obtain the resource information that will be needed by the team to conduct the risk assessment. Such information may include:
• predecessor risk assessment(s) for existing or similar designs, if available;
• design layout and proposed system(s) integration;
• information concerning energy sources;
• any accident and incident history;
• limits of the design;
• requirements for the lifecycle of the design;
• drawings, sketches or descriptions of the system; or
• information on product materials to be used and potential damage to health.

Before beginning a new assessment, the risk assessment team should identify any existing risk assessment conducted on prior hardware version(s) or for similar products that might be applicable. Predecessor risk assessments can be useful templates or starting points to speed the assessment.

THE RISK ASSESSMENT PROCESS - STEP BY STEP

The overall risk assessment process is illustrated in Figure 6.1 and comprises seven steps. Step by step descriptions of the process follow.

1. SET THE LIMITS/SCOPE OF THE RISK ASSESSMENT

Before the team begins an assessment, the parameters of the project should be clearly understood. Project parameters will be set by management with input from the risk assessment team. These limits can relate to the equipment or product design, the facility or location, the environment, uses and misuses, the exposure interval (time), or particular users.
Limits can include specific tasks, locations, operational states (e.g., shut down) or space constraints. Other limits could include what can be harmed or damaged, such as people (the public, employees), property, equipment, productivity or the environment. The assessment team should document the parameters of the analysis so that it fully understands and communicates the nature of its evaluation.

A key part of this step is establishing the level(s) of acceptable risk (see Chapter 4). Identifying the assessment scope helps the team focus its energies and efforts to stay on track. It also helps communicate to those outside the team the focus of the particular assessment. Partial assessments that concentrate on certain aspects of the design or certain high risk uses are acceptable provided such limitations are documented with the assessment. A partial assessment that can later be interpreted as a poorly completed assessment should be avoided.

2. IDENTIFY HAZARDS

Overview

There are many different approaches to identifying hazards, and each has strengths and weaknesses (see Chapter 39 for more discussion). For all industries, hazard identification comprises the first and critical component of a risk assessment. Hazards not identified during this first analysis can create substantial risks. In MORT Safety Assurance Systems, Johnson (1980) noted, "hazard analysis is the most important safety process in that, if that fails, all other processes are likely to be ineffective." Similar language appears in AS/NZS 4360:1999 Risk Management.

So, how are hazards identified? Many methods exist for conducting a hazard analysis. Depending on the complexity of the hazardous situation, some or all of the following may apply.
• Use intuitive operational and engineering sense: this is paramount, throughout.
• Examine system specifications and expectations.
• Review codes, regulations, and consensus standards.
• Interview current or intended system users or operators.
• Consult checklists.
• Review studies from other similar systems.
• Consider the potential for unwanted energy releases and exposures to hazardous environments.
• Review historical data - industry experience, incident investigation reports, OSHA and National Safety Council data, manufacturer's literature.
• Brainstorm.

Generating a list of hazards is usually a brainstorming activity conducted by the risk assessment team. When developing a hazard list, the basic question to answer is, "how could someone get hurt?" or other variations on this theme. Failure modes should be considered in developing the list. Manual checklists, database systems or new computer tools can guide and speed the hazard analysis effort (see software listed in References). The focus at this time should be on identifying hazards and should be divorced from issues of assessing severity or probability of occurrence. Regardless of the method used, the purpose is to ensure that all reasonably foreseeable hazards are identified.

At this stage, the team should focus strictly on identifying hazards. Engineers have a natural inclination to jump from the potential problem (the hazard) to working on solutions (risk reduction). Risk reduction occurs later in the risk assessment process. If the team wishes, efforts can move between hazard identification and risk reduction, although this will probably result in an inefficient use of time.

One of the more recent advances in risk assessment methods is a task-based approach to identifying hazards. Although a task-based focus has been used for many years in creating a Job Safety Analysis (or Job Hazard Analysis), General Motors, ANSI B11 TR3 and others have moved the task-based approach further upstream in the design process to be part of the overall risk assessment effort. A task-based approach to identifying hazards has enjoyed success particularly because it excels in identifying more hazards.
The task-based approach focuses on what people do, which helps the risk assessment team to better identify how someone could be injured. A typical breakdown is to first identify the various users who will interact with a design, examine the tasks they perform, and then identify the hazards associated with each task. The result is a listing of task-hazard pairs. For most risk assessment teams, a task-based approach is recommended.

Identify Users

Users are the people who interact with the design, machine, product, equipment, process or facility that is being assessed. Example users for an industrial machine might include:
• Operators
• Maintenance personnel
• Electrical technicians
• Engineers
• Passers-by
• Trainees
• Set up persons

A consumer product might have users identified by age (e.g., adult, youth, child, senior), by skill level (novice, intermediate, advanced), or by other logical breakdown(s). The risk assessment team should identify the users for the particular design being assessed.

Identify Tasks

For each user, the risk assessment team should identify all reasonably foreseeable tasks. A task is an activity that is done with, on, or around the product or equipment. Operator tasks on an industrial machine could include: normal operation, load/unload parts, clear jams, basic troubleshooting, and others. Youth tasks for a consumer product could include: play, clean, repair, aggressive play, misuse, and others.

How minutely the tasks are broken down depends on the application. In some applications a task might be "replace pump," where other applications might require a step-by-step breakdown of the subtasks (e.g., remove bolts). The more detailed and specific the task definition, the more likely hazards associated with the task will be identified. However, the further a task is broken down, the more time and effort is required to fully assess the risks. In some instances too much detail can be counterproductive because of the time lost to superfluous details.
Early risk assessments often start with tasks at a fairly general level (e.g., lubricating the machine), and later progress to more detail (e.g., breaking lubricating down to the ten different lubricating locations needed to maintain the machine). There is the potential that not all hazards and risks for the ten locations are equal, and that the more general evaluation may not identify that location number nine, for example, has a special hazard. Striking a balance between the task detail and the benefit derived therefrom comes with experience in conducting risk assessments.

Identify Hazards

The next step is to identify the hazards associated with each user and task. Hazards can be equipment related, energy related, natural phenomena or various other types. ANSI B11 TR3 and other documents define hazard as "a potential source of harm." Example hazards include: crushing and pinch points, live electrical parts, excessive noise, inadequate ventilation, chemical exposure, and others. Checklists of hazards appear in several publications including ANSI B11 TR3, ISO 14121/EN 1050, and others. There are different methods to use for rooting out hazards, and the different industry approaches to hazard identification reflect these variations.

Identify Hazards Not Related to Tasks

Not all hazards are task related. Risk assessment teams do need to be certain to identify hazards that are not specific to tasks. For example, seismic hazards, UV degradation of plastic insulation, and process or system hazards are not task specific. Since not all hazards derive from tasks, hazards not associated with tasks also need to be identified.

In some applications such as nuclear power or environmental waste, the hazard is easily identified but the conduit for exposure requires effort to evaluate (e.g., how the hazardous material could be released). In other applications, the challenge is reversed.
Identifying how someone could be harmed is straightforward (e.g., excessive force causes back injury), but identifying the source presents the challenge (e.g., anticipating the maintenance task and conditions that require excessive force to be applied). There are situations where identifying both the hazards and the means of exposure is challenging. Regardless of the method used, the purpose is to ensure that all reasonably foreseeable hazards are identified.

3. ASSESS INITIAL RISK

There are a variety of ways to assess the elements of risk. Some documents use different terms to describe these general ideas, such as consequence instead of severity. Different approaches analyze these elements to greater or lesser levels of complexity. The various methods are covered in greater detail in Section III - Benchmarks.

Assessing risk occurs both before and after risk reduction measures are implemented. These risk levels are referred to as the initial risk level and the residual risk level. Assessing initial risks should be conducted by assuming no risk reduction methods are in place (e.g., no barrier guards, no electrical grounding, no warnings). The risk reduction methods identified for the particular hazard are assumed to be in place when assessing residual risks.

There are four sub-steps involved in assessing the initial risk.

Select a Risk Scoring System

Before risks can be assessed, a risk scoring system needs to be selected. A risk scoring system is simply the factors used to assess risk and how these factors combine to obtain a risk level. Risk scoring systems attract considerable attention in discussions of the risk assessment process. Risk scoring systems can be sufficiently contentious and confusing that a separate chapter is devoted to this topic (see Chapter 9). Two-factor risk scoring systems have been in use for many years. A sample risk scoring system from the U.S. machine tool industry is shown as an example in Table 6.1.
Table 6.1 - Example Risk Scoring System (ANSI B11 TR3 2000)

Probability of                        Severity of Harm
Occurrence of Harm     Catastrophic   Serious    Moderate     Minor
Very Likely            High           High       High         Medium
Likely                 High           High       Medium       Low
Unlikely               Medium         Medium     Low          Negligible
Remote                 Low            Low        Negligible   Negligible

The risk factors used in this system are severity and probability of occurrence of harm, each with four levels. Together the risk factors in this system are used to derive a risk level shown as high, medium, low and negligible. Table 6.1 is only one example of a risk scoring system. There are many different risk scoring systems used to assess risks. If a three- or four-factor system is used, additional step(s) would need to be added to assess the additional risk factors to obtain a risk level. Risk scoring systems are discussed in greater detail in Chapter 9 and in Section III - Benchmarks.

Once a risk scoring system is selected, the assessment process continues. For simplicity, a two-factor risk scoring system has been selected to illustrate how risks are assessed.

Assess the Severity of Consequences

For each hazard or task/hazard pair, the severity of harm or consequences that could result should be assessed. Historical data can be of great value as a baseline. Severity is often assessed as personal injury, although it can include other elements such as the number of fatalities, injuries or illnesses; the value of property or equipment damaged; the time for which productivity will be lost; the extent of environmental damage; or other factors discussed in Chapter 9. Severity of harm is also referred to as consequences of exposure in some approaches. In these instances this step is referred to as a Consequence Assessment.

Assessing severity can be accomplished using a variety of scales. By way of illustration, the severity levels in ANSI B11 TR3 are:
• Catastrophic - death or permanent disabling injury or illness (unable to return to work).
• Serious - severe debilitating injury or illness (able to return to work at some point).
• Moderate - significant injury or illness requiring more than first aid (able to return to the same job).
• Minor - no injury or slight injury requiring no more than first aid (little or no lost work time).

Assessing severity usually focuses on the worst credible consequence rather than the worst conceivable consequence. Some advanced methods evaluate all severity levels against the associated probability distributions (see Chapter 42). Analyzing risk distributions is a relatively advanced application.

Assess Probability

Unless empirical data is available, and that would be rare, the process of selecting the probability of an incident occurring will again be subjective. For a complex hazardous scenario, brainstorming with knowledgeable people is advantageous. HB 203-2000 Environmental risk management - Principles and process states that:

Probability is the likelihood of a specific event. Probability is expressed as a number between 0 and 1. By definition, probability is a numerical measure and can be used in quantitative risk approaches. Likelihood is used as a qualitative description of probability or frequency.

However, many methods do not distinguish between the terms probability and likelihood and use them synonymously. Probability has to be related to an interval base of some sort, such as a unit of time or activity; events; units produced; or the life cycle of a facility, equipment, process, or product. In most cases the unit of time is the useful life of the system. Occurrence probability is estimated taking into account the frequency, duration and extent of exposure, training and awareness, and the characteristics of the hazard. When estimating probability, the highest credible level of probability should be selected.
Estimating probability includes:
• Frequency and duration of exposure to a hazard
• Personnel who perform tasks
• Machine/task history
• Workplace environment
• Human factors
• Reliability of safety functions
• Possibility to defeat or circumvent protective measures
• Ability to maintain protective measures

Similar to severity, there are many scales used to assess the probability of occurrence of harm. The levels used in ANSI B11 TR3 include:
• Very likely - near certain to occur
• Likely - may occur
• Unlikely - not likely to occur
• Remote - so unlikely as to be near zero

Some risk scoring systems break probability into two components, for example, frequency of exposure and avoidance, or likelihood of the hazard occurring and the likelihood of harm occurring. The different risk scoring systems used are discussed in greater detail in Chapter 9 and Section III. More detailed information on assessing probability can be found in Manuele (2001). Regardless of the method used, the risk assessment process continues once the risk factors have been assessed.

Derive Initial Risk Level

Once the severity and probability (or other factors) are assessed, an initial risk level can be derived from the selected risk scoring system. The risk scoring system maps the risk factors to risk levels either quantitatively, or qualitatively as shown in Table 6.1. This system maps the severity and probability levels to four levels of risk: high, medium, low and negligible. The risk will be defined based on a combination of the severity and probability (or other) risk factors. Using Table 6.1 as an example, a "Serious" severity and "Likely" probability yields a "High" risk level.

How the risk factors of severity and probability (or subsets of probability) are combined varies with different risk scoring systems. Some combine these factors without using a mathematical equation (a simple table as in ANSI B11 TR3, MIL-STD 882D, and SEMI S10).
Others employ a multiplication equation that combines two or more risk factors. Other approaches simply add the risk factors. Still other methods involve a combination of addition and multiplication (Manuele 2001). The result of this initial evaluation will typically yield an array of low to high risks. Since the risk assessment process is usually subjective, the risk ranking system will also be subjective.

Once the initial risk is estimated, the risk level can be compared to acceptability levels. If the risk is not acceptable, the next step is to reduce the risk. Determining what risks are and are not acceptable is company- and situation-specific, as discussed in greater detail in Chapter 4. In some instances, industries have provided guidance on levels of acceptable risk. In many instances this decision is left to the user, since the decision is culture-, situation- and time-dependent.

4. REDUCE RISK

Prioritize

Risk reduction activities begin after the initial risk rating is known, as shown in Figure 6.1. However, not all risks are equal. Higher risks must be addressed first. Lesser risks can be subsequently considered. This screening approach makes the process more efficient so that significant risks can be more effectively addressed. Although higher risks deserve more attention than lower risks, lower risk hazards should not be forgotten. In the ongoing process of continuous improvement, the lower risk hazards can be further reduced or eliminated as time, resources, and opportunities allow. The fact that hazards have been identified and assessed as low risk should still be documented.

Use the Hazard Control Hierarchy

Just as not all risks are equal, not all methods of reducing risks are equal either. Table 3.1 in Chapter 3 presents the hazard control hierarchy, which is the prioritized approach to hazard elimination and control.
Part of practicing safety through design is identifying situations where hazards exist and developing the best response to the hazard according to this hierarchy. The hazard control hierarchy depicts a way of thinking about hazards and risks and establishes an effective order of action for risk elimination or reduction. It should be employed to resolve safety concerns.

Acceptable risk can be achieved by adhering to the principle described as "the good faith application of the hierarchy of controls" (Taubitz, personal communication, 2003). This principle starts every risk reduction effort at the top of the hierarchy, searching for methods to eliminate hazards by design, and works sequentially down through the hierarchy in a good faith effort to use feasible methods to reduce risk. This principle discourages jumping to the lower controls such as warnings, training or PPE that may require less cost or engineering time but provide less effective risk reduction, when higher level controls such as engineered systems are feasible. This principle also directs engineers to consider the hierarchy for even relatively low risk hazards because in some instances design improvements can effectively and feasibly further reduce risk. The "good faith" portion of the principle requires an honest evaluation of candidate risk reduction methods. It recognizes that issues of feasibility, practicality, and cost must be considered and that in many instances higher order controls may not be warranted for a specific situation.

Identify Risk Reduction Measures

Identifying risk reduction measures involves an engineering brainstorming effort to first identify a list of potential ideas, evaluate the ideas in terms of feasibility or practicality, and select the best solution(s) using the hazard control hierarchy. Not all potential risk reduction measures are practical or feasible.
Many factors determine feasibility or practicality, such as technical, cost, usability, productivity or other considerations. Cost is sufficiently significant that it is addressed in greater detail later in this chapter. The critical piece to completing this feasibility step is "the good faith" effort. A company or manufacturer that makes a good faith effort to determine the risk reduction measures that are and are not feasible will have completed this step. Concerning risk treatment (reduction), HB 203-2000 notes that:

Options and strategies for treating risk are assessed in terms of
• Their potential benefits
• Their effectiveness in reducing losses
• The cost to implement the option(s)
• The impact of control measures on other stakeholder objectives, including the introduction of new risks or issues.
The options preferred will generally optimize the reduction in environmental impact and the costs of achieving this, and create the least adverse side effects.

Check for New Hazards

In some instances a risk reduction method selected for one hazard may introduce new hazards or impact the risks of other tasks or hazards. For example, a decision to move a machine ten inches away from a wall to make room for maintenance work may expose an operator to fork truck traffic in an aisle. Care should be taken to determine if new hazards are introduced by the risk reduction methods employed. If that occurs, the risk should be reevaluated and other or additional risk reduction measures proposed.

5. ASSESS RESIDUAL RISK

Once feasible risk reduction methods have been selected, most risk assessment guidelines call for a second assessment of the risk factors, as shown in Figure 6.1. The residual risk assessment should be conducted to validate that the selected measures effectively reduce the risk. Once again severity and probability (or other risk factors) are assessed and combined to obtain a new risk level using the selected risk scoring system.
The risk scoring system is almost always the same risk scoring system used in the initial assessment. The risk factors are estimated assuming that the selected risk reduction measures are in place. As discussed in Chapter 4, zero risk is not attainable. Therefore some level of residual risk always remains.

6. DECISION

Once the residual risk is known, a decision needs to be made to accept or further reduce the residual risk. This decision verifies that the protective measures selected have reduced the risks to an acceptable level. The risk assessment team will determine if the risks are acceptable, with input from management as necessary. In nearly all cases, if the feasible risk reduction measures are applied, then the risk is ALARP, by definition. If the residual risk is acceptable, then the risk assessment process continues with consideration of other hazards, or if none, then the documentation step. If the residual risk remains unacceptable, then additional risk reduction is required.

In the extreme instance, applying the feasible risk reduction measures may not yield an acceptable risk. This could occur if the initial risk level was near the unacceptably high level and the feasible measures were ineffective in lowering the risk. If the residual risk is deemed unacceptable, then the process stops. The risk is too high and either fundamental changes to the design are required to eliminate the task or hazard, or the design must be abandoned.

7. RESULTS/DOCUMENTATION

The final step in the risk assessment process involves documenting the results. Every risk assessment standard and guideline requires or recommends that the risk assessment be documented. For example, the Ontario Ministry of Agriculture, Food and Rural Affairs (2001) states that:

It is important to document the justification of risk control actions. This includes documenting any analyses that were undertaken, and how stakeholder considerations were taken into account.
Such documentation is invaluable for monitoring progress in risk management and for due diligence defence if something goes wrong in the process.

The risk assessment process should document the tasks, hazards and risk reduction methods employed to reduce risks to an acceptable level. The results have several uses, as follows.

Hazards/Risks Identified

The immediate result of a risk assessment is that tasks, hazards and risks are explicitly identified. With this information, constructive discussions can take place between product design engineers and managers, or between maintenance personnel, engineers, safety practitioners and facility managers, about various risk reduction methods, funding priorities, schedules, and others.

New Design Criteria

A second result is that the hazards and risks can and should be provided back to the product, equipment, or facility designers/engineers. If the design has not yet been finalized or built, the designers may be able to make modifications that can reduce the risk. If the design has been finalized and changes are not practicable, then the hazard and risk feedback should be used at the next opportunity to modify the design (e.g., shut down, rebuild, new line or next product iteration).

New design criteria will almost always emerge from the risk assessment process because new hazards are often discovered through it. New hazards or unacceptably high risks of known hazards become new design criteria. The further along a design progresses toward production before a risk assessment is completed, the more the smooth transition to production or market is jeopardized. Retrofit activities necessary to effectively reduce risk can be very costly once a design is complete. For this reason, risk assessment activities should occur relatively early in the design process so that new design criteria can be incorporated easily into the design.
High Risk Tasks

If a task-based approach is used, then a third result from the risk assessment process is a list of high risk tasks. There will be certain tasks that will still have higher risks even after risk reduction methods have been implemented. Such tasks may include those for which administrative controls (e.g., extensive training and PPE) are the only practicable methods to reduce risks to an acceptable level. The high risk task list can then be used to heighten the necessary attention on those administrative controls and to modify future designs through engineering controls to reduce the residual risks.

Hazard Checklist

A fourth result from the risk assessment process comes from the hazards identified. These hazards can be pulled into a machine specific checklist that can be posted on or near the equipment or included with the product instructions. The checklist concept can be applied by employers for operations or maintenance tasks performed within a facility, and by product and equipment manufacturers.

Job Safety or Hazard Analysis

A fifth result from a task-based risk assessment is a job safety analysis (JSA) or job hazard analysis (JHA). The tasks can be ordered to show an assessment of hazards and the risk reduction methods necessary to avoid harm. This information would be pertinent to end users such as operators or maintenance personnel.

Documented Risk Assessment

A sixth result is the documented risk assessment. Documentation is required by all industry standards, guidelines and technical reports that describe risk assessment procedures. The documentation can be used to build a Technical File that supports external validations (e.g., CE Marking or quality certification) or internal process requirements.

SUMMARY

The key to the risk assessment process is the good faith effort.
The good faith effort pertains to generating a list of potential risk reduction measures, applying the filters and exploring ways to overcome obstacles, and making decisions on which measures to implement. Through "the good faith application of the hierarchy of controls," an ALARP residual risk level will be achieved. In nearly all cases the residual risk level will be acceptable.

SOME EXAMPLES

The good faith application of the hierarchy of controls can be applied at every level within the ALARP framework. Some examples illustrate how.

• Table saw - An open saw blade on a table saw has an initial risk level that is unacceptable. Applying the risk assessment process identifies potential design changes and guarding systems. The feasible/practical risk reduction measures likely include blade guards, warnings and instructions, and training. In this instance a manufacturer applying only warnings without the guards is not sufficient. Although a professional carpenter may choose to remove the guard and accept the risk, a manufacturer not providing a guard for the table saw blade results in an unacceptable residual risk.

• Facility aisle - A wide aisle in a facility has primarily slow-moving fork truck traffic but also the occasional pedestrian. Based on the initial risk level, no further risk reduction is necessary because the risk falls into the broadly acceptable region. By applying the process we find that barriers separating the traffic are technically feasible but neither practical nor cost effective. Feasible risk reduction measures include painting aisle markings, providing signage and training the fork truck operators. These measures provide some additional risk reduction at minimal cost.

• Troubleshooting a live electrical panel - Troubleshooting equipment with a live 440V electrical panel involves risk in the ALARP region. The initial risk level is unacceptable without risk reduction measures.
Applying the process identifies a potential risk reduction measure of lockout/tagout of the electrical source. However, power needs to be on to perform the task, so lockout/tagout is not feasible. The feasible risk reduction measures could include the following:

• very well trained and knowledgeable personnel working without time pressures,
• restricting the area to only authorized personnel,
• limiting the system movements in speed or space,
• providing PPE such as insulated gloves, or
• limiting the authorized work procedures to diagnosis only and performing any repairs with power off.

Applying these risk reduction measures will still yield a residual risk above the broadly acceptable region. However, the residual risk will be lower than the initial risk and will be ALARP.

These examples illustrate that "the good faith application of the hierarchy of controls" will yield an acceptable risk level and can be applied with any initial risk level. Looking back to the examples of Chapter 4 provides additional applications of this process. The process works equally well with high or low initial risk levels. In some cases the residual risk will remain relatively high yet still be deemed acceptable.

COST AS A FACTOR OF FEASIBILITY

One of the greatest benefits of conducting a risk assessment is that the real world constraints of cost, technical feasibility and residual risk must be recognized. The risk assessment process filters out risk reduction methods that are either technically or financially infeasible. When technological ideas have not yet been reduced to practical products or solutions, a risk assessment can be used to evaluate whether applying the new and unproven system lowers risk to an acceptable level. Similarly, if financial resources do not allow specific risk reduction methods to be deployed, other financially feasible methods must be substituted to reduce the risk to an acceptable level.
Although the alternate method may not be the optimal or most desired solution, the substituted risk reduction methods can yield an acceptable result.

Cost is always a factor in engineering design, and also in risk assessment. Pretending that risk assessments can be performed divorced from cost concerns is fantasy. Resources are always limited. Not every desired or technically possible risk reduction approach can be implemented. Companies only have so many dollars to spend on risk reduction, and they need to use those funds wisely to obtain the greatest improvements.

Management in a company most often determines what risk level is acceptable through its direct decisions and indirect actions or inactions. Although subjective judgment is required to determine when risk is reduced to an acceptable level, the good news is that manufacturers are already making these decisions, if only informally. At a more detailed level, risk assessment teams make decisions on whether a given risk is acceptable or whether additional risk reduction is needed. Risk assessment helps bring structure to these analyses and decisions. Risk assessments permit hazards and risks to be more carefully identified, and judgments on risk acceptability, cost and feasibility to be more clearly made.

WHAT ABOUT CHEATERS?

Skeptics will quickly say that "cheaters" can easily warp this guide to their own agenda and not incorporate sufficient risk reduction methods, resulting in residual risk that is too high. This is possible and a valid concern. However, risk assessment requires no small amount of resources, time and effort. Those not interested in putting in a good faith effort are not likely to complete the process. Even if they do, their documentation may be a greater liability than a benefit.

CLOSURE

Risk assessment helps to better understand the tasks required so that designs permit the work to be done safely.
Risk assessment no longer provides for designs that are only safe when the tasks are not performed. Designs that require control systems to be defeated, and supervisors and management who look the other way, do exist; when an incident occurs, platitudes are raised that the individual was not following proper procedures. On the other hand, designs that prevent exposure to the hazard but also prevent the necessary work from being done will not survive a task-based risk assessment.

A practical solution to the tolerable risk question derives from three parts:

1) applying the hierarchy of controls
2) within the risk assessment process and
3) in a good faith effort.

The good faith application of the hierarchy yields acceptable risk in nearly all cases.

REFERENCES

ANSI B11 Technical Report #3 (2000). Risk Assessment - A guideline to estimate, evaluate and reduce risks associated with machine tools. The Association for Manufacturing Technology. www.amtonline.org.

AS/NZS 4360-1999. Risk Management. Standards Australia. www.standards.com.au.

Christensen, W. & Manuele, F. (1999). Safety through design. Itasca, IL: NSC Press.

designsafe® the hazard analysis and risk assessment guide. design safety engineering, inc. www.designsafe.com.

HB 203-2000. Environmental risk management - Principles and process. Standards Australia. www.standards.com.au.

ISO 14121 / EN 1050-1999. Safety of machinery; risk assessment. International Organization for Standardization. www.iso.ch.

Johnson, W.G. (1980). MORT safety assurance systems. New York: Marcel Dekker.

Manuele, F.A. (2001). Innovations in safety management - Addressing career knowledge needs. New York: John Wiley & Sons.

Merriam-Webster. (2002). On-line dictionary. Merriam-Webster, Incorporated. www.m-w.com.

MIL-STD-882D (2000). Standard practice for system safety. Department of Defense, U.S.A. www.defenselink.mil.

Ontario Ministry of Agriculture Food and Rural Affairs. (2001). Inspection, investigation & enforcement risk management through assessment & control; A framework for the ministry of agriculture food & rural affairs, Draft 7 Aug 2001. www.gov.on.ca/OMAFRA/english/.

Packsafe® Risk Assessment Software. Packaging Machinery Manufacturers Institute. www.pmmi.org.

Robot Risk Assessment Software. Robotic Industries Association. www.robotics.org.

SEMI S10 1103. (2003). Safety guideline for risk assessment. Semiconductor Equipment and Materials International. www.semi.org.

PRACTICAL APPLICATIONS AND EXAMPLES

Introduction
Example #1 - Robotic manufacturing cell
Example #2 - Large oven system
Example #3 - Packaging system
Example #4 - Working with OSHA
Example #5 - NIOSH bagel slicer
Example #6 - Medical device
Example #7 - Starlink Corn - A risk assessment failure
Common Themes

KEY POINTS

1. Several practical, real world applications of risk assessment are briefly described, drawing on experience in conducting risk assessments in industry. Examples include work process designs, product designs, and interactions with government authorities in different industries.
2. A detailed risk assessment of a student design for a medical device is included to illustrate the risk assessment process, and how the risk assessment process can be successfully introduced to engineering design classes.
3. An example from the food industry is presented that illustrates a risk assessment failure.
4. Common themes are discussed, including that risk assessment offers a flexible tool that can be applied to many different situations.

INTRODUCTION

One of the more frustrating situations facing those new to the risk assessment process is finding actual examples that one can use to better understand the process, results and potential pitfalls. Unfortunately, most of the risk assessments conducted in industry are considered company proprietary information.
As formal risk assessment tends to be a relatively new activity in most of general industry, companies do not willingly share the information, due to concerns about liability, competition, confidentiality and others. Although the specifics of a risk assessment for a client must remain confidential, there are general lessons that can be drawn from real world experience in risk assessment consultations. Several examples described in this chapter highlight practical applications of the risk assessment process. The company names and identifying content have necessarily been changed or omitted. These examples highlight situations where risk assessments were used on specific projects and the value that was obtained from doing so.

An alternate source of example risk assessments comes from the educational effort in the Biomedical Engineering Department at Vanderbilt University. As described further in Chapter 33, students in this department are performing risk assessments on senior design projects. One such student assessment is included as an example of the risk assessment process.

Finally, a seventh example shares an experience from the food industry. This example, drawn from the technical literature, illustrates a situation where risk assessment failed. Common themes from these examples are also explored at the conclusion of this chapter.

EXAMPLE #1 - ROBOTIC MANUFACTURING CELL

A robot cell was undergoing prototype testing and debugging prior to widespread deployment to a manufacturing facility. The system developer needed to complete a risk assessment to comply with the industry standard requirements in ANSI/RIA R15.06-1999 (see Chapter 35). The customer also required that a risk assessment be completed before it would accept delivery. The robotic manufacturing cell included two robots and three additional workstations. The robots performed spraying functions while operators loaded and removed parts.
The parts advanced from station to station via an overhead conveyor. A maintenance station area allowed carousels to be removed from the overhead conveyor for off-line work.

For this system, a task-based risk assessment was performed using the robotics industry protocol in ANSI/RIA R15.06. The analysis was conducted by identifying the users at each workstation, the tasks they needed to perform, and the hazards associated with each task. Users identified as needing to interact with or be near the equipment included:

• Maintenance personnel
• Technicians
• Passers-by

Although the operations in this manufacturing cell were automated, several tasks were required of the users. Some examples include:

• Removing parts from tooling
• Cleaning
• Loading blanks
• Walking near the equipment
• Changing filters
• Refilling lubricators
• Replacing seals
• Programming the robots
• Spray gun maintenance

Approximately 140 task/hazard pairs were identified in the assessment. Some of the hazards present included:

• Impact by robot
• Impact by carrier
• Crush from operating tool
• Hydraulic line pressures
• Electrically live parts
• Slips/trips
• Fall from height
• Pinch points
• Hot surfaces

As typically occurs in risk assessments of existing equipment, many of the hazards were well known to the design engineers and technicians working on and around the equipment. Many protective measures had been developed for the prototype system prior to conducting the formal risk assessment. These protective measures were functioning well and protecting the users. The risk assessment did assist the design engineers to better understand the tasks that needed to be performed, which enabled the selection of appropriate presence sensing devices. Specifically, the engineers were uncertain whether area scanners were necessary in particular locations or whether light curtains would be sufficient.
The risk assessment enabled the team to reach informed decisions on these choices and to be certain that the selected device provided adequate protection for the users at reasonable cost.

The risk assessment also helped to identify hazards that would have remained unknown had the risk assessment not been completed. As one example, several workstations required maintenance personnel to access the overhead conveyors to replace or adjust limit switches. The work had to be performed at heights of 15 feet, above the OSHA minimum height for fall protection. However, no provisions had been made in the prototype equipment design to facilitate tie-offs, access by lifts or other means of performing the work with fall protection. On the prototype system, the technicians would just "get up there and climb around to access the switches." As a result of the risk assessment, provisions were made for tie-off points on the prototype system, and fall protection was included as a design requirement for the production system.

EXAMPLE #2 - LARGE OVEN SYSTEM

Another occupational example of the risk assessment process applies to an oven operation. A manufacturer of large parts uses an oven to bake a finish on coated parts. The oven stands approximately seven feet tall and runs more than 90 feet in length. For a variety of reasons, including maximizing the use of floor space, the oven is elevated from the ground level. Coated parts are transferred from the coating operation, raised on an elevator system, and conveyed through the oven on the oven conveyor. The parts are subsequently lowered at the oven exit using a similar elevator system. From time to time problems occur in the oven conveyor that require maintenance personnel to access the oven: parts fall off the conveyor, or the conveyor itself requires maintenance.
Unfortunately, access to the oven was evidently not considered by the system designers, because there is no ready means of gaining access, nor is there any lighting once one moves away from the oven entry and exit areas. This was a very new system and extensive maintenance had not yet been required. However, one of the major questions raised by maintenance personnel was how they were to safely perform the work that they knew would be needed in the future.

In this situation, the task-based risk assessment protocol from the machine tool industry, ANSI B11 TR3-2000, was used to develop an answer to this question. The risk assessment focused strictly on the tasks that maintenance personnel needed to perform, such as lubricating the machinery, adjusting proximity switches and removing fallen objects. Some of the key maintenance tasks and hazards identified included:

• Slip and trip hazards (wet surfaces, obstacles, debris)
• Fall hazards (floor openings)
• Poor lighting
• Limited access (getting to and within the oven)
• Hot temperatures
• Lifting of heavy parts

Some of the risk reduction measures selected were straightforward, such as waiting for the oven to cool before beginning the work and using temporary lighting. Other hazards required more extensive solutions, such as fall protection systems at the oven entry/exit area and adapting the parts elevators for temporary personnel use. The fall protection system had to withstand the elevated temperatures and off-gassing of the coating substances. In addition, specialized training, restricted personnel and personal protective equipment were used to further reduce risks.

In this instance the risk assessment helped to identify the specific tasks that personnel needed to perform, and the hazards and risks associated with the tasks. Risk reduction measures were identified that enabled the risks to be reduced to an acceptable level.
This example also highlights how performing a risk assessment early in the design process can yield great benefits. Options for fall protection anchors were severely limited by the lack of sufficient existing structure in the locations needed. Alternate access to the oven cavity could likely have been designed from above or from the side had a risk assessment been performed earlier. Similarly, better access within the oven or more access points could have been provided - currently the conveyor and parts require maintenance personnel to climb over the equipment and parts to reach inner areas of the oven. Provisions for permanent lighting or temporary lighting supports could also have been included. Such design changes, had they been included, would not only have reduced the risks for this maintenance work but would also have greatly improved productivity, because repairs could be made much more quickly.

EXAMPLE #3 - PACKAGING SYSTEM

This example of the risk assessment process applies to product design rather than to an occupational safety application. The example comes from the food processing industry. A manufacturer of packaging equipment had developed a new, proprietary system to extend the storage life of a perishable product. The manufacturer had success with a large automated system incorporating the new process. A smaller manual version of the product was requested by the sales department for potential customers wanting to try out the system before purchasing the larger equipment. This situation raised several safety concerns for the engineers, because the automated product enabled stricter control of the system hazards. In particular, the manufacturer wanted to know whether the risks of use could be reduced to an acceptable level, and what, if any, design or information changes might be required to do so.

A prototype unit had been developed, and a task-based risk assessment was performed to answer the manufacturer's questions. The only users of the product were operators.
The unit is basically self-contained, so the tasks that operators perform include normal operation, simple maintenance and clean-up. Some of the hazards associated with the operator tasks included:

• Electrical equipment in wet environment
• Unmarked/confusing controls - high probability for operator error
• Complex/confusing steps
• Confusing operation - equipment damage could occur if not properly done
• Puncture hazards

The risk assessment of the prototype design led to several product design changes. To reduce the electrical hazards, a ground fault circuit interrupter was added, along with instructions specifying proper procedures for use. Several changes greatly simplified the procedures and entirely eliminated the need for the operator to adjust the controls. To reduce the risks of puncture, puncture resistant gloves are specified in the instructions. Users are also restricted, since the product is not sold commercially but is only offered to specific customers for a limited time. Finally, user information was greatly improved, including developing an instruction manual and warnings.

With the modifications to the design and product information, the manufacturer determined that the product did not pose an unreasonable risk of harm to users. The risk reduction measures developed helped to reduce the risks to an acceptable level, and the risk assessment helped to document the decision process. Engineers initially expressed skepticism that the hand-held product could be made sufficiently safe. Yet following the risk assessment and the resulting design and information changes, all agreed that the residual risks were reduced to an acceptable level and that the product was reasonably safe.

EXAMPLE #4 - WORKING WITH OSHA

As the following example illustrates, risk assessment can also be useful in working with government regulatory entities such as OSHA.
A small explosion at a manufacturing facility resulted in an OSHA investigation and a subsequent wall-to-wall inspection of the facility. OSHA found several violations, which resulted in substantial fines. More significantly, OSHA inspectors threatened to shut down the facility and demanded substantial process changes. Although the changes, if made, would bring the facility into compliance with OSHA regulations, the magnitude of these changes was so large that they threatened to permanently close the facility. At the very least, making the changes would incur major costs and downtime. There were two key areas of concern: a machine guarding situation and a means of egress situation.

In the machine guarding situation, a task-based risk assessment was used following the ANSI B11 TR3 protocol. Equipment users included an operator and maintenance personnel. The tasks these users performed included:

• normal operation,
• monitoring product quality,
• changing blades,
• lubricating, and
• unjamming parts.

The hazards associated with the tasks included:

• loud noise,
• pinch points,
• drawing in/entrapment,
• flying chips, and
• kickbacks from jammed parts.

Based on the hazards identified, the risks associated with the hazards were assessed using severity of injury and probability of occurrence as risk factors. This step highlighted the differences between the company's and OSHA's assessment of the risks. Whereas the company assessed the risks based on the tasks, OSHA evaluated the machine based on compliance with OSHA regulations. The OSHA inspector identified openings in some of the guards that exceeded the regulations. OSHA also found the noise level to be unacceptably high. The machine had existing guards to minimize the risks of many of the hazards, and noise containment curtains to capture some of the noise. Based on the risk assessment, the company developed additional risk reduction methods to improve guarding, noise reduction and training.
The company's risk assessment highlighted that the openings to which OSHA took exception had no accompanying tasks and provided visibility for the operator to monitor the machine operation, which was a key factor in performance. The risk assessment also made explicit the trade-off that was required between improving the noise enclosure and the ensuing temperature rise within the enclosure. Due to the heat generated by the equipment, the operators faced working in extremely hot conditions if the noise enclosure were buttoned up to be most effective at reducing noise levels.

As a result of the risk assessment, improvements were made to the machine guarding and work area. OSHA accepted less stringent guarding than it initially demanded, based on the risk assessment and the manufacturer's ability to demonstrate that the residual risks were reduced to an acceptable level. OSHA signed off on the modifications, and this area was able to return to production with minimal production delay.

There were other results as well. With the risk assessment, the manufacturer had a document that will serve as a design requirement for future changes. For example, the higher risk hazards and tasks are now specifically identified, and engineers can begin developing methods to reduce the risks. Small improvements can be developed and implemented when the opportunity arises, such as during shutdowns or substantial maintenance periods. More substantial design changes can be made to reduce risk further at future major line revisions and with new equipment purchases.

In the means of egress situation, OSHA cited several workstations as having inadequate means of egress in the event of an emergency. OSHA found that an existing catwalk system did not meet the regulations for emergency egress and demanded changes, including changing the layout to permit a larger walkway next to the workstations. Changing this system presented a very substantial problem for the manufacturer.
The interconnectedness of the conveyor lines, product flows and workstations dictated that any significant change made to one area caused changes to all preceding and following workstations. Many of the changes OSHA proposed would have required changing much of the operational layout, and such changes would be difficult because the building was relatively old.

For this situation, a risk assessment was again used to identify the users, their tasks and the hazards associated with the tasks. Potential causes that would require emergency egress were identified; these included fire and severe weather. Causes that require normal egress, such as shift changes, production breaks, and individual rest breaks during which production continues, were also identified. The risks were assessed for the different situations, and risk reduction methods were developed for each condition. Input from the operators was critical in assessing the risks and developing protective measures.

Based on the risk assessment, several improvements were made to the work area. The existing catwalk system was restricted to use in non-emergency situations, and alternate procedures were developed for emergency conditions. Individual emergency stop controls were added at the individual workstations to stop movement of the conveyor table, and partial obstructions were raised or moved. Emergency egress was facilitated by operators stopping the conveyor and walking over the conveyor table to the exits. This method was the most direct exit and the means operators had used to egress in a prior emergency. In addition, training on egress for the different situations was conducted and practiced. The manufacturer also demonstrated that OSHA's proposed solution of increasing the walkway would substantially increase the risks of other hazards.
Although OSHA's proposed walkway would decrease the risk for means of egress in emergencies, the manufacturer objectively demonstrated that the daily ergonomic risks associated with the proposed design would increase dramatically. OSHA accepted the manufacturer's changes as sufficient, based on the risk assessment and the manufacturer's ability to demonstrate that risks were reduced to an acceptable level.

The final outcome of this situation was that OSHA accepted the manufacturer's more modest risk reduction methods as adequate based on the risk assessment. The task-based risk assessment moved the discussion from emotionally charged, abstract, worst-case concerns to specific hazards and risks. For the manufacturer, employee safety improved, production losses were minimized, and OSHA was satisfied with the results.

EXAMPLE #5 - NIOSH POWER BAGEL SLICER

This risk assessment example is excerpted with permission from a NIOSH report, "Risk Assessment for a Power Bagel Slicer Operated by Employees Under Age 18." For additional detail on the risk assessment, contact the principal investigator, Dr. John Etherton, at NIOSH in Morgantown, WV.

BACKGROUND

The Department of Labor requested the National Institute for Occupational Safety and Health (NIOSH) Division of Safety Research (DSR) to provide an opinion as to whether 16- and 17-year-old employees may safely operate a particular manufacturer's bagel and bun slicer. The analysis was limited to personnel under age 18. As part of the assessment, a site visit to a store using the slicer was conducted. The slicer is shown in Figures 7.1-2. The slicer is equipped with a circular blade enclosed in a four-sided adjustable barrier guard that fully encloses the blade on the sides. The blade operates at a high rotational speed and coasts to a stop (no brake). The guard opening size and the distance from the opening to the blade permit a hand to extend in to touch the blade.
The manufacturer also provided on-product warnings and recommended safe operating procedures. The NIOSH investigators recognized that

• the availability of safe operating procedures does not guarantee training in their use by an employer,
• workers do not always follow the safe procedures set forth in their training, and
• research on young workers, in general, has demonstrated that youth frequently do not receive safety training on the job.

The NIOSH investigators searched the National Electronic Injury Surveillance System (NEISS) to identify injury cases associated with bagel/bun slicers. NEISS is based on a nationally representative sample of 67 hospital emergency departments in the United States. There were insufficient case descriptions and too few cases to provide a reliable national estimate. There were also insufficient data on injuries with this type of machine to proceed with a quantitative risk assessment. Also, the manufacturer claims the product has been on the market for ten years without any reports of injury or legal actions.

THE RISK ASSESSMENT METHOD

The NIOSH investigators conducted a categorical risk assessment based on the MIL-STD-882 and ANSI B11-TR3 procedures for risk assessment (see Chapters 27 and 24 respectively). According to the report, "The designsafe software was selected because of its ease of use and clarity of the reports it generates, and its suitability to machinery risk assessment." The risk assessment considered the current level of guarding and available video training for using the bagel slicer; risk control measures for other machines with a similar hazard; and opinions by five NIOSH experts in machine safety or youth injury as to how likely some specific risky behaviors are. The full range of youth employees was considered (male & female, all shapes, sizes, with adequate education to be employed in a fast food establishment). A task-based machinery risk assessment for youth operating the bagel slicer was performed.
Contact with the sharp, circular spinning blade was determined to be the only real hazard during the three tasks of 1) normal bagel slicing; 2) cleaning jammed bagels; and 3) cleaning the bagel slicer.

RESULTS

The results of the risk assessment are shown in Figure 7.3. The assessment team found that the severity of injury with this machine is a deep laceration to a finger. The risk assessment shows that for all of the task/hazard combinations that would be involved in using this bagel slicer, the residual risk level is low. The team noted that if greater likelihood were assigned to any of the other risk scenarios, i.e. they were judged to be possible rather than unlikely, the risk would still be low. The three existing protective measures (the adjustable guard, the warning sign and the training video) are satisfactory for protection at the low risk level.

Four important considerations for the expert panel were:

1) this machine eliminates the risks in holding a bagel in one hand and using a kitchen knife with the other hand to slice bagels;
2) the Department of Labor does accept the risk for youth to operate single-loaf power bread slicers. Both machines are used in such a way that the hands are well clear when baked goods are fed into the blade(s);
3) although meat slicers use a similar circular blade, fingers are near the blade frequently, and subsequently the injury data shows many injuries; and
4) this machine would not be considered to present risks equivalent to the operation of a woodworking saw with a circular blade. The blade alone does not establish risk, but should be considered with respect to the exposure to injury during the tasks that are performed. For the circular blade on this bagel slicer, the exposure to injury is totally different than for the circular blade on most woodworking saws. There is no kickback hazard and there is no need to repetitively feed material with fingers near the blade.
The investigators also note that persons knowledgeable in safety engineering or in youth injury prevention were vital to reaching well-grounded conclusions. STUDY CONCLUSIONS The NIOSH team determined that operating and cleaning the power bagel slicer with a circular blade and enclosed feed chute presents a low risk to youth. The existing protective measures (the adjustable guard, the warning sign, and the safe operating procedures) contribute to this low risk rating. Including automatic feeding and ejection devices would not appreciably reduce the risk level. The designsafe program is based on well-grounded system safety principles, and designsafe was found to provide an easy way to organize and complete this machinery risk assessment. Persons knowledgeable in safety engineering or in youth injury prevention were vital to reaching well-grounded conclusions. designsafe Report Application: Bagel Slicer Description: Youth operation (under 18) Analyst Name(s): J Etherton PhD, R Current, S Pratt, D Hard PhD, A Mardis MD MPH Limits: Only considers hazard of contact with the moving blade. The severity of injury is laceration of a fingertip. Forceful pushing is not needed and being pulled into the blade is not a factor. No kickback hazard. Blade edge for soft bread. Sources: 1) The machine manufacturer provides safe operating procedures. 2) A good training program and supervision are assumed. 3) NIOSH observations and photos Guide sentence: When doing [task], the [user] could be injured by the [hazard] due to the [failure mode].
NIOSH Bagel Slicer Risk Assessment (User: operator for all rows; Initial Assessment = Severity / Probability / Risk Level; Final Assessment = Severity / Probability / Risk Level)

Task | Hazard / Failure Mode | Initial Assessment | Risk Reduction Methods | Final Assessment | Status / Responsible
normal operation | ergonomics / human factors: deviations from safe work practices (commission); ignores training not to reach in at top to push bagel through | Moderate / Likely / Moderate | adjustable enclosures / barriers, warning label(s), standard procedures, instruction manuals | Moderate / Unlikely / Low | Complete [10/24/2000], manufacturer
normal operation | ergonomics / human factors: human error (omission); misunderstands seriousness of blade hazard and reaches in at top to push bagel through | Moderate / Likely / Moderate | adjustable enclosures / barriers, warning label(s), standard procedures, instruction manuals | Moderate / Unlikely / Low | Complete [10/24/2000], manufacturer
basic troubleshooting | ergonomics / human factors: deviations from safe work practices (commission); ignores training not to reach in at bottom to pull out bagel | Moderate / Likely / Moderate | adjustable enclosures / barriers, warning label(s), standard procedures, instruction manuals | Moderate / Unlikely / Low | Complete [10/24/2000], manufacturer
basic troubleshooting | ergonomics / human factors: human error (omission); forgets blade is coasting and reaches in | Moderate / Likely / Moderate | adjustable enclosures / barriers, warning label(s), standard procedures, instruction manuals | Moderate / Unlikely / Low | Complete [10/24/2000], manufacturer
cleanup | ergonomics / human factors: deviations from safe work practices (commission); ignores training and normally opens and cleans slicer while it is plugged in | Moderate / Likely / Moderate | warning label(s), standard procedures, instruction manuals, supervision | Moderate / Unlikely / Low | Complete [10/24/2000], manufacturer/employer
cleanup | ergonomics / human factors: human error (omission); forgets to unplug and inadvertently hits "power on" switch | Moderate / Likely / Moderate | warning label(s), standard procedures, instruction manuals, supervision | Moderate / Unlikely / Low | Complete [10/24/2000], manufacturer/employer
cleanup | ergonomics / human factors: distracted/inattention to task; another person or event diverts attention and start switch is inadvertently hit | Moderate / Likely / Moderate | warning label(s), standard procedures, instruction manuals, supervision | Moderate / Unlikely / Low | Complete [10/24/2000], manufacturer/employer

Figure 7.3 - Bagel Slicer Risk Assessment

EXAMPLE #6 - MEDICAL DEVICE An ongoing project at Vanderbilt University has proven successful at teaching engineering students the risk assessment process as part of their design engineering education. King and Christensen (2002) comment on an innovative approach to teaching safety during engineering design that has proved successful. The effort involves requiring students to complete a risk assessment using software provided through a grant from the Institute for Safety Through Design (ISTD).
They comment: A major emphasis on safety begins with the introduction of the class to a risk assessment software program named designsafe. This program is introduced early in the first semester and is used by the students at least twice - once in a homework assignment and once to validate their own design projects. designsafe® is a computer program that guides a user to conduct a task-based risk assessment by virtue of the structure of the prompts and menus presented during use of the program. The program is very systematic; users can do useful documentation and risk analysis after a minimal introduction to the technique. Finally, student term projects and papers must include a safety analysis per the stated course requirement which is posted as: "If applicable the results section must include a discussion of any safety issues regarding your project, the proper use of designsafe® will ensure this (document)." Although stated as an option, most student final reports must include this section. Several student projects resulted in particularly well done risk assessments. One example was developed by T. Furmanski and A. Attia (2003) under the direction of Drs. Thomas Doyle and Paul King. A portion of the project description and the risk assessment is adapted here with permission. OVERVIEW Furmanski and Attia (2003) present a risk assessment of a Pulmonary Flow Resistive Device intended to reduce the impacts of Hypoplastic Left Heart Syndrome (HLHS), a congenital disease that results in the underdevelopment of the left side of the heart. Concerning the anatomy and physiology, Sherwood (2001) and Barber (1997) indicate that: A normal heart functions with both sides of the heart simultaneously pumping equal amounts of blood. The right ventricle is responsible for receiving oxygen-poor blood from the body and pumping it to the lungs, while the left ventricle is responsible for receiving the oxygenated blood from the lungs and pumping it through the aorta and to the body.
The right and left sides of the heart exist as two separate pumps and perform very important, individual tasks. However, in a hypoplastic heart, these functions cannot be completed normally because of the underdevelopment of the left side of the heart, which is the crucial mechanical component in delivering sufficient amounts of oxygenated blood to the organs of the body. According to Barber, these abnormalities result in inadequate heart function and thus reconstruction is necessary to sustain normal metabolic function. The relative ratio of pulmonary to systemic blood flow depends on the delicate balance between pulmonary and systemic vascular resistances. According to Barber, if pulmonary resistance is too low, oxygenated blood will not undergo systemic circulation. Figure 7.4 compares a normal heart and an HLHS patient heart. Figure 7.4 - A Comparison of the Heart of an HLHS Patient to a Normal Heart TREATMENTS Furmanski and Attia (2003) indicate that there are three treatment options for HLHS: drug therapy, reconstructive surgery and heart transplantation. There are no drug therapies available to treat HLHS, but there are drug treatments that increase pulmonary resistance and assist with preoperative care. Reconstructive surgery involves very intensive and pervasive stages with survival rates ranging from 73% to 94% for a 30-day hospital stay. The main problem with heart transplantation is the lack of available donors. PROPOSED DESIGN Furmanski and Attia (2003) indicate that: A goal of the present design is to eliminate the first two steps of reconstructive surgery while at the same time ensuring adequate systemic blood flow is achieved. Because the relative ratio of pulmonary to systemic blood flow depends on the balance between pulmonary and systemic vascular resistances, the proposed device focuses on raising the pulmonary resistance, thereby increasing the flow of blood through the ductus arteriosus and improving oxygenated systemic blood flow.
After exploring other options, a conical shape was selected for the device. Reasons for this selection include the effectiveness of the device in impeding flow, the ease with which it can be placed in the arteries, and the low health risks it provides for the patient. Initial analyses indicate that the device decreased flow. The proposed device uses fluid dynamics of the heart and circulatory system to solve for inadequate systemic blood flow. After exploring other options, the best geometry for the device was determined to be a cone shape, as shown in Figure 7.5. This conclusion is based on the effectiveness of the device in impeding flow, the ease with which it can be placed in the arteries, and the low health risks it provides for the patient. A major design issue was the implantation of the device. The device will be implanted using a guidewire to ensure the cone is placed into the pulmonary artery (see Figure 7.6). The wire would be placed in the catheter and then inserted into the pulmonary artery, without having the catheter leave the ventricle. Next, the Nitinol wire would be released from the catheter and retain its shape. It would then reach the pulmonary arteries as the guidewire uses the blood as a force to push it along to its destination. The device would then fit snugly into the artery with scar tissue eventually forming around the device, keeping it in place. After considering all the other various designs, the cone design would provide the least amount of harm to the patient, it would not impede the blood flow, and the tissue damage caused by the device would be minimal. In addition, Nitinol is a material that is biocompatible. Hence, a very slight immune response would be initiated by placement of this device inside the patient.
Figure 7.5 - Shape of Proposed Device
Figure 7.6 - Method of Implanting Device into the Pulmonary Arteries
There are many risk factors involved with the design of the device, as there would be with any medical device used on patients. The designsafe® risk assessment is attached at Figure 7.7. As with any medical device, nothing is certain until the device is used on a patient, and even then the complete safety of the patient is not guaranteed; each patient is a special case. RISK ASSESSMENT One of the main issues requiring investigation was the risk of having the device severely damage the vessel walls. Furmanski and Attia (2003) conclude that it is very unlikely to occur, but note that only testing can determine whether this event may or may not occur. They also observe that a key design factor was to ensure that the shape would be retained once the device was inserted in the body, and conclude that the proposed simple design achieves this goal.

designsafe Report Application: Pulmonary Resistive Flow Device Description: Impedes flow of blood through pulmonary arteries to allow adequate systemic blood flow Analyst Name(s): medical doctor Limits: specific use Sources: Guide sentence: When doing [task], the [user] could be injured by the [hazard] due to the [failure mode].

[Figure 7.7 is a multi-page designsafe® report table whose columns did not survive extraction. Its columns are User, Task, Hazard / Failure Mode, Initial Assessment (Severity, Exposure, Probability, Risk Level), Risk Reduction Methods, Final Assessment (Severity, Exposure, Probability, Risk Level), and Status / Responsible. The rows cover the operator (normal operation, minor adjustments to machine, basic troubleshooting, finishing tasks), the engineer (develop new designs, modify parts / components, conduct tests, troubleshooting, communicate with / supervise others, inspect machinery), and the installer and remover. Hazards listed are mechanical (cutting / severing, friction / abrasion, impact, stabbing / puncture, wear, fatigue, damage to machine), ergonomics / human factors (human errors / behaviors, awkward to get to, unfamiliarity with hazards and risks, lack of natural ability / skill) and change in material properties (strength of material over time / maintaining shape), with failure modes such as the nitinol cone puncturing or pushing against the vessel wall, misplacement of the cone into the wrong blood vessel, and the nitinol wire failing to hold its shape over time. Risk reduction methods listed include making sure the metal is smooth and there is no premature deployment of the wire, minimizing the size of the device or using another material, using a guidewire, a better trained physician, more research, re-design and expert opinion, other design schematics or materials, re-thinking the duration of implantation and the gauge of the wire, in vivo animal testing before human implantation, and material reassessment. Initial risk levels range from Low to High; nearly all final risk levels are Low. All items are marked On-going [Daily], with Dr. Doyle responsible for the operator rows and Albert and Taya for the engineer rows.]

Figure 7.7 - Student designsafe® Analysis

EXAMPLE #7 - THE STARLINK CORN EPISODE This example is drawn from the technical literature in the food industry and presents a situation where the risk assessment process failed. The Starlink Corn Episode concerns a situation where a biological plant was modified with a gene to improve its insect resistance. Bucchini and Goldman (2002) describe how the U.S. Environmental Protection Agency had restricted its use to animal feed due to concern about the potential for allergenicity. However, Starlink corn was later found throughout the human food supply, resulting in food recalls by the Food and Drug Administration and significant disruption of the food supply. The Starlink Corn Episode involves a situation where a risk assessment was conducted and risk reduction methods were identified (limiting distribution and use), but the implementation failed due to breakdowns in the subsequent risk management and follow-through efforts. The risk assessment was based on incomplete information and assumptions, as often occurs. Bucchini and Goldman (2002) describe the situation: The Starlink episode contributes a real-life example in which, in the absence of complete scientific information, the U.S. EPA attempted to limit the introduction of a new genetically modified organism by requiring that it only be used for animal feed. In addition, there were fundamental flaws in risk management. In the absence of monitoring by the U.S. EPA or the FDA, perhaps it should not be so surprising that this variety was widely distributed in the food supply before the U.S.
EPA (and Aventis) could take action to enforce the registration requirements. The credibility of this technology has been shaken by the uncertainty in the processes to assess and manage the risks of Starlink corn. Now industry is moving forward to attempt to construct better models for assessment of allergenic hazards of biotechnology, and agencies are developing more rigorous regulatory approaches. From the standpoint of risk assessment of allergenicity, the approach of the U.S. EPA and the other agencies needs to be broadened to consider not only the potential for food allergy but also the potential for workplace and community allergic responses. From the standpoint of risk management, it is clear that, in the case of Starlink, the U.S. EPA trusted seed suppliers and growers to enforce restrictions on the planting of corn that were not maintained. Evidently, there was little governmental oversight to assure that the terms of the registration were obeyed. Bucchini and Goldman (2002) indicate that the Starlink case was a severe test of U.S. regulatory agencies. One of the outcomes of the event was a call for more research to develop a fundamental basis for assessing risks of allergenicity. This type of research is likely needed, and similar knowledge gaps will be identified in other situations where risk assessment lacks complete information. With new science and new technology there will always be the element of uncertainty, which must be addressed. This case demonstrates that risk assessment and risk management are not fail safe. There are opportunities for failure. Although the risk assessment itself was not necessarily lacking, the follow-through effort in risk management led to a breakdown. Alternate risk reduction measures, in addition to improved enforcement, need to be developed to prevent a recurrence. Additional information can be obtained at http://www.foodsafetynetwork.ca/gmo/strlinkrisk.htm.
COMMON THEMES These examples demonstrate that the risk assessment process can be used for both product design and occupational process design. The approach can be applied to entire wall-to-wall facility designs or to more narrow aspects related to a single machine or product. The flexibility of applying risk assessments to specific issues helps to focus time and energy where they are most needed. The risk assessments described here helped to address specific questions and to develop specific answers. As the preceding examples illustrate, risk assessment is one method that can be applied in many situations to determine what risk reduction methods are and are not warranted. In all risk assessment efforts, a good faith effort must be put forth. Although a risk assessment will clearly show where good faith efforts have been made, it will also expose perfunctory attempts at shortcutting the process. Risk assessment can be used to demonstrate what steps have been taken to identify hazards, assess risks in a logical manner and reduce risks to an acceptable level. Where necessary, a risk assessment can be used to compare alternative concepts suggested or imposed by outside authorities. In many instances a risk assessment can demonstrate why the company solution is preferred to the suggested alternate in terms of overall residual risks.

REFERENCES
ANSI B11 Technical Report #3 (2000). Risk Assessment - A guideline to estimate, evaluate and reduce risks associated with machine tools. The Association for Manufacturing Technology, www.amtonline.org.
ANSI/RIA R15.06-1999. Safety requirements for industrial robots and robot systems. Robotic Industries Association, www.robotics.org.
Barber, G. (1997). Hypoplastic left heart syndrome; Structural congenital defects, Section 3. In Neish, S.R., Bricker, J.T., Fisher, D.J. & Garson, A. (Eds.) Science and Practice of Pediatric Cardiology. Lippincott, Williams & Wilkins.
Bucchini, L. & Goldman, L.R. (2002). Starlink corn: A risk analysis. Environmental Health Perspectives Vol 110, No 1, January.
designsafe® the hazard analysis and risk assessment guide. design safety engineering, inc. www.designsafe.com.
Etherton, J. (2003). Risk assessment for a power bagel slicer operated by employees under age 18. National Institute for Occupational Safety and Health. http://www.cdc.gov/niosh/homepage.html.
Furmanski, T. & Attia, A. (2003). Pulmonary flow resistive device. Developed at the Department of Biomedical Engineering, Vanderbilt University under the direction of Dr. Thomas Doyle and Dr. Paul King. April 22, 2003. http://vubme.vuse.vanderbilt.edu/King/contact info.htm.
King, P.H. & Christensen, W.C. (2002). Teaching safety through design in biomedical engineering design. American Society of Engineering Education, Conference, Toronto. Additional information on the course can be viewed at http://vubme.vuse.vanderbilt.edu/King/bme272.htm and http://vubme.vuse.vanderbilt.edu/King/bme273.htm.
MIL-STD-882D (2000). Standard practice for system safety. Department of Defense, U.S.A. www.defenselink.mil.
Sherwood, L. (2001). Human physiology: From cells to systems, fourth edition. Brooks/Cole.

RISK ASSESSMENT
Introduction
Introducing the Risk Assessment Process to a Company
Changing the Design Process
Who Should Do a Risk Assessment?
Cascading Risk Assessments
Used Equipment Considerations
Getting Started - Practical Guidance
Making Progress
Risk Assessment Training
Closure

KEY POINTS
1. Integrating risk assessment in an organization is a process that generally follows a sequence of phases. A typical sequence is discussed.
2. Engineering design needs to change to include the risk assessment process to more effectively move safety into design. Only by changing the design process will risk assessment efforts succeed.
3. Introducing the risk assessment process will explicitly change the design process, allowing hazards to be identified and risk reduction methods to be incorporated early in the design process. As with any new process or substantial change, people may resist.
4. To be effective, the company culture must be willing to embrace the risk assessment process, and cultural acceptance stems from management leadership.
5. In consumer product and component product applications, the manufacturer is responsible for conducting the risk assessment, if applicable. Product users typically have no risk assessment responsibilities beyond using the product in conformance with the product information.
6. In industrial product or process applications, both equipment suppliers and users should perform risk assessments and be involved in the risk assessment process.
7. Practical guidance is shared to help companies get started and make progress in the risk assessment process. Topics addressed include: when to stop risk assessment, the time to complete an assessment, leaders in the best practices, what to do in cross industry situations, when to revise an existing risk assessment, making changes to the method, results of risk assessment and others.
8. To integrate risk assessment into the design process, engineers will likely need education and training on risk assessment in some form.

INTRODUCTION Implementing the risk assessment process in a company creates change, and change can be difficult. This chapter builds on the previous discussion of safety through design and addresses the key challenges of changing the design process to include risk assessment. The chapter describes the four phases of implementing the risk assessment process to guide persons in introducing risk assessment to a company. The chapter discusses risk assessment in the context of the Design Development Process and different types of risk assessments for both consumer products and industrial equipment or operations.
Practical considerations of product supplier and user responsibilities for risk assessment are presented based on three different potential relationships between suppliers and users. Understanding these differences can aid in implementing risk assessment by clarifying which assessment should be conducted by which party and when. Additionally, several practical suggestions are made to help companies get started and make progress in implementing the risk assessment process. INTRODUCING THE RISK ASSESSMENT PROCESS TO A COMPANY THE INTEGRATION SEQUENCE Companies generally follow a series of sequential steps in learning about the risk assessment process. Although there is no formal model of the sequence of events that occur in introducing the risk assessment process to a company, the phased sequence shown in Figure 8.1 is fairly typical. Each phase is described in detail. A company can enter the sequence at various points depending on its situation and the personnel involved. Figure 8.1 is illustrative rather than prescriptive. Phase 2 Detailed Evaluation The second phase of Figure 8.1 requires a time commitment. During this phase, documents on different methods of conducting risk assessment are obtained and examined, discussions are held, an individual may attend a training session, and risk assessment software may be obtained. This book may form part of the investigation. Part of this phase includes selecting which risk assessment protocol best suits the company. Obtaining the detailed document(s) from the appropriate industry(s) will assist in the selection. The decision should be based on the industry(s) in which the company operates, the ease of use, the ease of implementation, supporting tools available (training, software, documents, and others), and the "fit" of the protocol with the company culture. Customer requirements may also specify which risk assessment method should be used.
Selecting one method from those discussed in Sections II and III, or another, will provide the basic building blocks needed to conduct a risk assessment. If existing risk assessment methods are found to be unsatisfactory, then modifications or hybrid methods may be developed. Once a particular protocol is selected, it forms the road map for conducting risk assessments. The end of this phase typically results in a proposal to management for a pilot test project, or in cessation of the effort. In some cases Phases 1 and 2 may be indistinguishable.

A key issue in Phase 2 is that the need for risk assessment must be clearly defined. One or more of the following needs may play a role: to decrease cost, for continuous improvement, to comply with standards requirements, to reduce injuries, or to obtain the CE mark. Clearly defining the need will greatly help in keeping the subsequent risk assessment effort focused. In most cases, management must define the need.

Phase 3 Pilot Test

The third phase of Figure 8.1 incurs a significant time commitment from an organization. Whereas one or a few individuals can complete the first two phases, pilot testing typically involves more persons participating in the project. In this phase, the selected risk assessment approach is piloted on new or existing equipment, a product, or a system. Most frequently, the risk assessment occurs on a design in development. There are benefits and weaknesses to this application. One benefit is that, being a real-world experience rather than an exercise, hazards can be identified and risk reduced through the risk assessment process. One weakness stems from the fact that in this circumstance the risk assessment test can become a side effort to the existing product development process, so the project schedule takes precedence over the pilot application of risk assessment. This can diminish the priority of the risk assessment test, and delay and detract from the risk assessment evaluation.
A pilot test needs to be planned and suited to the project. Without proper planning and sufficient time allowed in the engineering process, the pilot test may fail, not because the risk assessment effort failed, but because of inadequate planning.

For example, assume that the safety manager in an organization has completed the initial investigation of Phases 1 and 2 of Figure 8.1. She has identified the risk assessment protocol best suited to the organization and is ready to perform an assessment. She proposes that a pilot risk assessment project be completed. Management recommends that the test be conducted on a new design project just getting underway. However, the schedule for the new design project was set four weeks ago and there is little slack built in. The engineers have already begun work on the design, but the project still remains in the early stages. The risk assessment team is formed with the engineers participating, somewhat reluctantly, as they view the risk assessment as something of a sideline activity to the primary task of completing the design. The risk assessment team commences work and progresses, although more slowly than anticipated. Several project milestones loom and small delays occur as team members need to complete other assignments to meet deadlines. In the course of the risk assessment process, new hazards are identified that had not previously been considered. In one significant instance, the team identifies two options to reduce the risks, one much better than the other, but it requires engineering changes that would delay the schedule. The team recommends that the better option be implemented. At this point management is faced with a decision, and the decision has implications for the risk assessment test. If management supports the design change, then the product schedule slips, with the potential implications of increased costs, lost windows of opportunity, damaged customer relationships, lost sales, and others.
These may be very significant. This decision also firmly supports the risk assessment process. All involved will observe that hazards need to be identified early and risks reduced to an acceptable level before projects are complete. The risk assessment process will be viewed as a necessary component (if not a necessary evil) of the product or operations design process.

The converse is also true. If management elects to go with the lesser option, there are consequences to the decision that undermine the risk assessment effort. Engineers and others who viewed the risk assessment effort as a sideline activity will be reinforced in that perception. Subsequent risk assessments may receive even less effort or attention. Alternatively, engineers may see the value of performing risk assessment early in the design process and be supportive. The purpose of this example pertains less to the actual outcome than to illustrating how the engineering design process may need to change to include risk assessment, and some of the potentially challenging decisions that may need to be made.

To conduct a reasonable pilot study of the risk assessment process in a company, proper planning needs to occur. If time is not allotted for the risk assessment process to be conducted and for personnel to learn the process, the pilot study may fail due to poor planning rather than a failure of the risk assessment process. Fundamentally, the purpose of a pilot test is to determine how well the selected risk assessment protocol works within an organization, and the benefits of the overall risk assessment process to the organization. The pilot test attempts to figure out what does and does not work for the company. Based on the pilot test, adjustments to the risk assessment method may be made and retested, if needed. The outcome of Phase 3 is a management decision either to commit to deploying the risk assessment process in the organization or to cease the effort.
Phase 4 System Deployment

The fourth phase of Figure 8.1 is the large-scale roll-out of the risk assessment process within the company. During this phase, the requirements are disseminated to personnel, training is provided, and the risk assessment process is deployed. Even though management has committed to the risk assessment process, the integration typically occurs over time, with new or smaller projects used to allow people to learn the process. In some instances, local deployment is followed by organization-wide use; in others the company adopts the process all at once.

CHANGING THE DESIGN PROCESS

With the best of intentions, a company can attempt to implement the risk assessment process, and it can train personnel to identify hazards, assess the risks and respond appropriately. The company can make many strides in risk assessment but still be destined to fail if it does not change the design process. If the design process does not change, long-term efforts to improve worker and product user safety will fail even if risk assessments are deployed. Engineers must become involved in the risk assessment process so that more effective risk reduction methods can be included in designs.

Implementing risk assessments does require a company culture willing to change current methods for improved returns in productivity, cost efficiencies, and safety. To be effective, the company culture must be willing to embrace the risk assessment process. PMMI (2000) states that:

One of the biggest challenges in implementing a system safety program is not training or knowledge. The real challenge is how to integrate risk assessment into the existing design process.

People do not like to change and may resist the move to risk assessment. Cultural acceptance stems from management leadership, as other authors have extensively discussed. Similar to quality, using risk assessment to improve safety requires an understanding of the long-term goals.
Buy-in from management and the affected individuals can be the most difficult part of implementing the risk assessment process. In most companies, risk assessment represents a change to the engineering design process. Other process changes have successfully occurred, and similar preparations need to be made.

Most engineering design efforts do not include formal risk assessments. Although engineers assess risks informally as they prepare designs, few actually conduct a formal, documented assessment of risks that focuses on the users and the hazards they encounter. Many engineers do complete a Failure Modes and Effects Analysis (FMEA), but as described in Chapter 39, an FMEA tends to focus on product or component failures rather than on the users. The engineering design process needs to include risk assessment.

Introducing the risk assessment process will explicitly change the design process, allowing hazards to be identified and risk reduction methods to be incorporated early in design. Once included, risk assessment will change the results of the design process. The risk assessment process will be both a cause and an effect.

Introducing a new analysis such as a risk assessment may be perceived as lengthening the design process, and therefore encounter resistance. The pressures to shorten the design cycle, get products to market faster, bring processes up and running quicker, limit down time, and others can impede the risk assessment effort. Yet in the long term the risk assessment process helps to get designs right the first time, and that helps achieve these very objectives. Since engineering design processes have existed for many years without risk assessments and few organizations currently assess risks formally, doing so will require organizations to change. As with any new process or substantial change, people may resist, particularly if affected individuals look at the analysis as an additional task on top of their already busy assignments.
WHO SHOULD DO THE RISK ASSESSMENT?

Often questions arise as to who should do a risk assessment. Should the supplier of equipment perform a risk assessment? What about the user? Are consumers or equipment users required to do so? The answers depend on the product and industry, and on the stage of development in the Design Development Process.

THE DESIGN DEVELOPMENT PROCESS

Within every organization there is a Design Development Process through which ideas for new products are conceived, refined, designed, built and produced. In this process, a concept for a new product, equipment or facility is conceived. The concept progresses in time through concept definition, design, build, distribution or installation and debugging, and eventually is run, operated and maintained. In some circumstances, a retrofit event occurs where improvements are made to equipment in the field or the product is recalled. Eventually the equipment or product is decommissioned, where it is either disposed of or enters the used equipment market. Each company has some form of this development process, although the names for the stages will differ. The process also differs depending on whether or not the company installs the product or equipment, and on the nature of the business.

TYPES OF RISK ASSESSMENT

There are different types of risk assessments that occur at different phases of the Design Development Process. There are at least five different types of risk assessment, each serving a different purpose. Note that these types of risk assessments apply to products, processes, equipment, facilities, and services.

Preliminary Risk Assessment - conducted based on limited information, usually during the Concept Definition stage of development.

Detailed Risk Assessment - a full risk assessment based on the most complete information available, usually conducted during the Design stage of development.

Validation Risk Assessment - an update of a prior risk assessment to verify that risk reduction measures are in place and adequately reduce risk, usually conducted during the Build stage of development and during the Installation/Debug stage for field installations.

Targeted Risk Assessment - a very narrow risk assessment focusing on a particular task or hazard; it can be conducted at any stage of development but is particularly applicable to Retrofit situations.

On-going Risk Assessment - an updating and monitoring effort that evaluates small changes to an existing design or process; it occurs most frequently in the Run, Operate and Maintain stage of development. The On-going Risk Assessment remains primarily the user's responsibility, but a Retrofit situation would involve both the user and the supplier.

In most cases the team will be conducting a Detailed Risk Assessment. In the Retrofit stage, the risk assessment is a targeted effort, often as a result of an injury or near-miss incident. Depending on the circumstances, the risk assessment may be conducted by the supplier, the user or both. In some instances, government or other authorities may also be involved. In a retrofit situation, new hazards or details of use become known that require attention from the equipment user or supplier. In this situation the task and hazard are clearly identified, and the severity of harm and probability of occurrence are known. A question that often arises is whether the risk of the subject hazard is unacceptably high. The answer is often determined through the risk assessment process. Given what is known about the hazard and risk, the primary focus of the retrofit stage is determining what, if any, additional risk reduction measures need to be taken. Options include providing retrofit guarding or information such as a warning or instructions, taking no action at all, or recalling the product and removing it from field use.
Parties involved in this stage of design include the user and supplier, and may include government agencies.

CONSUMER OR COMPONENT PRODUCTS

There is currently no U.S. standard or requirement that manufacturers of consumer products perform a risk assessment. Products bearing the CE mark for sale in Europe do require a risk assessment, as noted in Chapter 3. Similarly, there is no requirement that consumers perform a risk assessment.

Figure 8.2 presents an overview of a general Design Development Process for a consumer or component product. In this situation a new product idea becomes a Concept Design. At this stage of development a Preliminary Risk Assessment should be completed based on the information available. If the new product idea has merit, the concept advances to the Design stage, where engineering works out the details of the design. At this stage a Detailed Risk Assessment should be conducted. Eventually the design advances to the Build stage, where the product tooling is obtained and production occurs. Risk assessment activity at this stage should be a Validation Risk Assessment. Following the Build stage, the product enters the Distribution channel for sale to customers. This is typically an arm's-length, off-the-shelf transaction where the purchaser does not have the option of custom changes. Following the sale, the product enters the Use stage, where it is used and perhaps abused. The product may require maintenance or servicing, such as replacing a blade on a saw or a battery in a toy, or may be a disposable product or component part. In some instances a retrofit event may occur, requiring a Targeted Risk Assessment. Eventually the product is recycled, reclaimed or discarded. As shown in Figure 8.2, the product manufacturer holds the primary responsibility for the risk assessment, if applicable.
After it leaves the manufacturer's control, the manufacturer has little ability to influence how the user uses the product beyond the risk reduction methods built into, and provided with, the product. For a consumer product, the user has no formal risk assessment responsibilities other than using the product in a manner consistent with the product information.

INDUSTRIAL PRODUCTS OR COMPONENT PARTS

There are requirements for risk assessment with some industrial products. Some applications or industries place requirements on only the product supplier, while other requirements call on both the supplier and the user to perform risk assessments. For example, ISO 14121 / EN 1050 and other derivative methods in Europe focus specifically on the equipment supplier. These standards require suppliers to conduct a risk assessment. The standards do not place requirements for risk assessment on equipment users. In most cases the user is a manufacturer that uses equipment to manufacture goods. For example, assume a ladder manufacturer uses presses to stamp metal parts that are assembled into ladders. Under ISO 14121, the press manufacturer is required to conduct a risk assessment but the ladder manufacturer is not. Although EU Directive 89/391/EEC requires employers to complete a risk assessment, ISO 14121 has no such requirement.

This example highlights the limitations of excluding equipment users from the risk assessment process. The press manufacturer may provide guarding to protect operators during press operation. Yet certain parts may not be able to be formed with the guarding in place, so the operator must remove the guard. The ladder manufacturer, as the user, must then develop alternate means to reduce risks to an acceptable level through alternate guarding or other methods, but the press supplier has no control over this task. Achieving acceptable risk depends on both the ladder manufacturer and the press supplier.
ANSI B11 TR3 (2000) specifically includes equipment users in the risk assessment process, as stated in a clause on responsibilities for risk assessment and risk reduction:

Cooperative efforts of suppliers and users are necessary to attain the goal of tolerable risk through risk assessment and risk reduction. Where the supplier cannot attain tolerable risk, the user should apply additional protective measures. Effective communication between supplier(s) and user(s) is recommended where possible, but the success of a risk assessment is not dependent on this relationship. Both the supplier of the machine and the user of the machine have risk assessment and risk reduction responsibilities. When the supplier is not available to participate in the risk assessment for the machine, the user assumes this responsibility.

Increasingly, the technical literature includes user responsibilities for conducting risk assessments. Examples include ANSI Z244.1-2003, ANSI/RIA R15.06-1999, and the RASE project (Rogers, 2000). Therefore, both equipment suppliers and equipment users need to perform risk assessments.

Both the user and the supplier are involved in risk assessment of an industrial product or process, but the level of activity differs depending on the kind of product and the stage of development. Consider three different potential relationships between a product supplier and user. The product could be any device from a large industrial tool to a simple component product.

1. Supplier of a completely custom product, on whose design the customer-user has considerable input and influence.

2. Supplier of an "off the shelf" product. The supplier designs and builds the product, which is sold to customers without modification. User input to the design and use of the equipment is minimal.

3. Supplier of an in-between product that is primarily complete but can be modified to meet the user's specifications.
The supplier and user have different responsibilities for the risk assessment under each of these scenarios. Supplier and user risk assessment responsibilities differ according to the relationship between the supplier and user, and these responsibilities occur at different phases in the Design Development Process.

Custom Product or Process

Figure 8.3 shows the Design Development Process for the first scenario, where the user plays an active role in setting specifications for the product and its intended use. In this scenario a custom product or process is being designed and the manufacturer works closely with an equipment supplier to develop a particular manufacturing system. Here the supplier and user risk assessments occur in parallel, benefit from cooperation, and may be jointly conducted. The level of activity in conducting the risk assessments will still differ, as the supplier risk assessment tends to be more active in the earlier stages and less so in the later stages.

Off-the-Shelf Product or Process

Figure 8.4 presents the supplier/user relationship described in the second scenario, where the supplier designs and builds a product or process and the customer-user purchases it. In this situation, the risk assessments by the supplier and user are usually conducted separately and sequentially. The supplier completes its design and risk assessment of the equipment, and offers the product for sale. The customer-user buys the product and conducts its risk assessment of the workplace or operation, typically with very little, if any, input from the supplier. The supplier typically has no risk assessment responsibilities beyond delivering the product or process. Risk assessment responsibilities in the event of a Retrofit situation will depend greatly on the circumstances, because liability or warranty issues may be raised.
In all four preceding scenarios, the risk assessment for the Decommission stage focuses on how to safely and effectively remove the equipment from service. This assessment may or may not be performed by a third party that assumes responsibility for removing the equipment. The tasks and/or hazards of decommissioning a product, process or system need to be identified, assessed, and reduced during the Design stages of the Design Development Process.

CASCADING RISK ASSESSMENTS

As shown in Figures 8.3 and 8.4, a risk assessment conducted at one stage of the design process cascades to all subsequent stages and risk assessments. So a risk assessment for the Build stage is simply an update to the risk assessment conducted in the preceding stage. If no risk assessment was conducted or is available, then the assessment can be started at any stage of the Design Development Process and passed along to subsequent stages. In the figures, risk assessment is shown as playing a role in each stage of the Design Development Process. However, the level of effort varies greatly depending on factors to be discussed shortly.

Risk assessments also feed subsequent products. Ideas for new products or designs can spring from a risk assessment or other analyses at any point during the Design Development Process. The risk assessment conducted for Product A can become a template for the subsequent Product B (or process design). For example, assume a new idea comes to light while conducting a risk assessment during the Install/Debug stage for Product A. The idea jumps to a Product B Concept Definition stage, where the development process begins for the new Product B. As shown in Figure 8.5, the risk assessment conducted for Product A also jumps to Product B, and subsequent risk assessments throughout the Product B development stages build from the Product A risk assessment.
Figures 8.3 and 8.4 also highlight the benefit that derives from conducting the risk assessment early in the design process. Once the assessment has been completed, subsequent assessments can build on the predecessor(s) and be completed relatively quickly.

Figure 8.5 - Design Development Process - Risk Assessment in New Product Idea

USED EQUIPMENT

When the original purchaser of industrial equipment no longer has use for the machinery, it often disposes of the equipment on the used machinery market. Most industrial equipment has a second life beyond the initial purchase. Used equipment is purchased and sold, often more than once. Frost (1998) notes that: "Very rarely would one party have charge across the entire lifecycle [of a machine] and it is therefore considered necessary to delineate responsibilities between manufacturers and users." In some cases, the original equipment supplier may no longer be in business or have information available. However, risk assessment of the equipment is still appropriate and needed to protect users from harm. Therefore, users need to be involved in the risk assessment process. The risk assessment necessary for the used equipment will vary slightly depending on where it re-enters the Design Development Process.

Used equipment presents distinct challenges for purchasers, suppliers and third parties. One challenge involves determining who stands in the role of the equipment supplier. It could be the original manufacturer, the reseller, the integrator if one is involved, or the user. This issue is significant because it affects the risk assessment responsibilities of the parties. To aid in solving this challenge, one can look at what is done to the used equipment before it is returned to production. Figure 8.6 shows how risk assessment is related to used equipment.

Re-install

The simplest application occurs when used equipment is re-installed as-is in a new location.
In this situation, the original equipment manufacturer has no additional risk assessment responsibilities beyond what it did when it first produced the equipment. Since the equipment remains as built, the re-installer also carries no new risk assessment responsibilities beyond those needed to install the equipment. The user is responsible for conducting a risk assessment for the use of the machine. In Figure 8.6, this situation is shown with the feedback loop that connects back to the Install/Debug stage of development.

Re-Build/Repair

A second situation involves re-building or repairing the equipment. In this situation, the rebuilder needs to ensure that the risk reduction measures provided by the original equipment manufacturer adequately reduce risks to currently acceptable levels. Restoring the equipment to its original condition may not provide an acceptable risk level. Whether the rebuilder is the original equipment manufacturer, the user, or a third party, rebuilding used equipment may incur risk assessment responsibilities. In Figure 8.6 this situation is shown with the feedback loop that connects back to the Build stage of development.

Reconfigure/Redesign

A third situation occurs when used equipment is reconfigured or redesigned from one use to another. In this situation, the entity performing the reconfiguration will have responsibilities to conduct a risk assessment. Again, the entity could be the original equipment manufacturer, the user, or, perhaps more likely, a third party.

The User's Role

As a practical matter, the user often does or should assume many of the responsibilities for risk assessment when purchasing used equipment. Often the seller of the equipment, such as a dealer, has insufficient knowledge or expertise to conduct an effective risk assessment. The original manufacturer may or may not be available.
To be certain that workers are adequately protected from injury, and to avoid the business interruption that follows an injury incident, users have an incentive to see that the risk assessment process is appropriately completed for used equipment.

Figure 8.6 - Design Development Process - Risk Assessment in Retrofit or Used Equipment

GETTING STARTED - PRACTICAL GUIDANCE

START SMALL

Companies just getting started with risk assessments should strongly consider starting with a small project. Risk assessment rollout efforts have had the most success when implemented on a pilot project basis. A smaller, well-defined project allows a team to work through and learn the risk assessment process. The smaller project also aids organizational learning and facilitates rollout and acceptance at a larger scale. Through the pilot project experience, minor modifications or adjustments can be identified and made to improve the implementation process. Lessons learned can then be used to aid a larger deployment of the risk assessment process. Indeed, many large organizations are currently in this process.

START HIGH

The risk assessment process identifies many hazards, but not all risks are equal. Higher risks must be addressed first. Lesser risks can be considered subsequently. This screening approach makes the process more efficient so that significant risks can be more effectively addressed. Cooper (1999) states:

It is common to find a large number of minor risks being identified, and during evaluation these can be removed from the process, after due consideration. This screening avoids the process being bogged down by the sheer volume of information it can generate.

Although higher risks deserve more attention than lower risks, lower-risk hazards should not be forgotten. Many approaches to risk assessment seek to identify all tasks and hazards, without exclusion.
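The screening approach just described (rank the hazards, work the highest risks first, keep the low ones on record rather than dropping them) and the cascading of a register from one stage of the Design Development Process to the next can be made concrete in a small hazard register. The Python below is an added illustration, not code from this book or from any of the protocols it cites; the 1-4 severity and probability scales, the band thresholds, the design-review gate and the sample hazards are assumptions chosen for the demonstration, to be replaced by the scales of whatever protocol was selected in Phase 2.

```python
"""Hazard register screening and stage-to-stage carry-forward.

Added illustration only, not code from the book or from any protocol it cites.
The 1-4 severity and probability scales, the band thresholds, the review gate
and the sample hazards are assumptions chosen for the demonstration.
"""
from dataclasses import dataclass, replace

# Assumed ordinal scales; substitute the scales of the protocol selected in Phase 2.
SEVERITY = {"minor": 1, "moderate": 2, "serious": 3, "catastrophic": 4}
PROBABILITY = {"remote": 1, "unlikely": 2, "likely": 3, "very likely": 4}

# Assumed priority bands on the severity x probability product (1..16).
HIGH_THRESHOLD = 8    # >= 8: address before the design review can pass
MEDIUM_THRESHOLD = 4  # 4..7: address as resources allow; below 4: document only


@dataclass(frozen=True)
class Hazard:
    task: str
    hazard: str
    severity: str
    probability: str
    stage: str              # stage of the Design Development Process
    measures: tuple = ()    # risk reduction measures applied and verified so far

    @property
    def score(self) -> int:
        return SEVERITY[self.severity] * PROBABILITY[self.probability]

    @property
    def band(self) -> str:
        if self.score >= HIGH_THRESHOLD:
            return "high"
        if self.score >= MEDIUM_THRESHOLD:
            return "medium"
        return "low"


def screen(register):
    """Order hazards highest risk first and group them by band.

    Low-band hazards stay in the output, not discarded: the register is the
    documentation that they were identified and assessed.
    """
    groups = {"high": [], "medium": [], "low": []}
    for h in sorted(register, key=lambda h: (-h.score, h.task)):
        groups[h.band].append(h)
    return groups


def carry_forward(register, stage, verified):
    """Cascade a register into the next stage (e.g. Design -> Build validation).

    `verified` maps (task, hazard) to (severity, probability, measure) for entries
    whose risk reduction measure has been confirmed in place; all other entries
    are carried over unchanged apart from the stage tag.
    """
    out = []
    for h in register:
        key = (h.task, h.hazard)
        if key in verified:
            sev, prob, measure = verified[key]
            h = replace(h, severity=sev, probability=prob,
                        measures=h.measures + (measure,))
        out.append(replace(h, stage=stage))
    return out


def may_pass_review(register):
    """Design-review gate: the project advances only with no high-band hazard left."""
    return not screen(register)["high"]


# Constructed sample register from a Detailed Risk Assessment at the Design stage.
DESIGN_REGISTER = [
    Hazard("clear jam", "pinch point at feed rollers", "serious", "likely", "design"),
    Hazard("change blade", "cut from exposed blade", "serious", "unlikely", "design"),
    Hazard("normal operation", "noise exposure", "moderate", "very likely", "design"),
    Hazard("load material", "sharp sheet edges", "minor", "likely", "design"),
    Hazard("cleaning", "slip on coolant spill", "minor", "unlikely", "design"),
]

# Constructed outcome of the Build-stage Validation Risk Assessment.
VALIDATED_MEASURES = {
    ("clear jam", "pinch point at feed rollers"): ("serious", "remote", "interlocked guard"),
    ("normal operation", "noise exposure"): ("moderate", "unlikely", "acoustic enclosure"),
}

if __name__ == "__main__":
    for band, items in screen(DESIGN_REGISTER).items():
        for h in items:
            print(f"{band:6} {h.score:2}  {h.task}: {h.hazard}")
    print("design review may pass:", may_pass_review(DESIGN_REGISTER))
    build_register = carry_forward(DESIGN_REGISTER, "build", VALIDATED_MEASURES)
    print("build review may pass:", may_pass_review(build_register))
```

Run stand-alone, the Design-stage register fails the review gate because two hazards sit in the high band; after the Build-stage validation confirms the guard and the enclosure, the same register, carried forward rather than rewritten, passes, while the two low-band hazards remain on record for later continuous-improvement work. The gate is the design-review checkpoint discussed under USE DESIGN REVIEWS; the thresholds that define "acceptable" are the part a company must take from its chosen protocol, not from this illustration.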
In the ongoing process of continuous improvement, the lower-risk hazards can be further reduced or eliminated as time, resources, and opportunities allow. The fact that hazards have been identified and assessed as low risk should still be documented.

USE DESIGN REVIEWS

So, how should the risk assessment process be integrated into engineering design? Very often risk assessment is integrated into the Design Development Process through Design Reviews. Chapter 5 on Design Reviews discusses how risk assessments can be used to support design decisions. Within any Design Development Process, certain checkpoints exist that proposed projects must pass to advance to the next stage. These existing design reviews offer a natural integration avenue for risk assessment. Participants will know that the project cannot advance until a risk assessment demonstrates that the hazards have been identified and the risks reduced to an acceptable level.

USE THE DESIGN DEVELOPMENT PROCESS

The Design Development Process presented in this chapter provides a context for understanding how the different types of risk assessments, and the different relationships between the equipment supplier and user, work within the risk assessment process. Understanding these differences can aid in implementing risk assessment by clarifying which assessment should be conducted by which party and when. The figures in this chapter can assist in interactions with suppliers or users accordingly.

FOCUS ON IDENTIFYING HAZARDS AND REDUCING RISKS

Readers must realize that risk assessment is a subjective analysis regardless of the method used. Although the subjective nature of the risk assessment process can create problems with accuracy, repeatability and general acceptance by engineers, there is considerable value derived from the discipline of working through the process of identifying hazards, assessing risks, and reducing risks to an acceptable level. Do not attempt to make risk assessment a scientific exercise; it is not.
Focus energies on identifying hazards and reducing risks. The assess-risks step simply provides a means to prioritize risk reduction efforts and helps determine when those efforts can cease.

IDENTIFY MORE HAZARDS

Experience has shown that a typical risk assessment will uncover approximately 5-10% more hazards than previously addressed. These new hazards and associated risks become new design criteria that need to be addressed before a system is complete. If these hazards are identified early in the product or system design effort, accommodations can be effectively incorporated into the design. If these hazards are identified late in the process, such as after tooling has been machined, equipment has been installed or the product is on the market, then risk reduction methods are much more difficult, and often less effective, to implement. Examples in Chapter 7 present situations in which hazards were not identified, and the consequences.

WHEN TO STOP

Under most methods, the "finish line" for risk assessment activities occurs when the residual risks have been reduced to an acceptable level. The U.S. machine tool standard ANSI B11 TR3 provides the following guidance: "If the risk is determined to not be tolerable, it is necessary to reduce that risk by implementing protective measures. Reduction of risk is the result of the application of one or more protective measures." A risk assessment stops when risks have been reduced to an acceptable level.

Guidance from the European standard ISO 12100-1:2003 provides a very different measure of completion. According to the standard:

Adequate risk reduction can be considered achieved when one is able to give a positive answer to the following questions:

• have all operating conditions, all intervention procedures been taken into account?
• has the method stated in 5.4 [elimination of hazards or reduction of risk by protective measures] been applied?
• have hazards been eliminated or risks from hazards been reduced to the lowest practicable level?
• is it certain that the measures taken do not generate new, unforeseen hazards?
• are the users sufficiently informed and warned about the residual risks?
• are the operator's working conditions and the usability of the machine not jeopardized by the protective measures taken?
• are the protective measures taken compatible with each other?
• has sufficient consideration been given to the consequences that can arise from the use of a machine designed for professional/industrial use when it is used in a non-professional/non-industrial context?
• is it certain that the measures taken do not excessively reduce the ability of the machine to perform its function?

This is a very cumbersome guideline for users. In many industry protocols, most of these questions are integrated into the risk assessment process.

In the context of risk assessment in the medical devices industry, Freeman (2000) states:

The most difficult part of Risk Management is the establishment of "Acceptable Risk" bearing in mind the impossibility of comparing different Probabilities of Occurrence of a given Hazard. How do we compare:
• Potentially Serious Hazard - but low probability of occurrence with
• Potentially Small Hazard - but possible frequent occurrence, or
• Any intermediate mixture of above parameters.

Although this observation is true, it also conflicts with what occurs in industry on a daily basis. Manufacturers have to make these decisions and live with the consequences every day, even though so much remains unknown and unknowable. Becoming comfortable with the risk assessment process and documenting these decisions remains a challenge for management.

MAKING PROGRESS

TIME TO COMPLETE

One question that often arises is how much time a risk assessment requires to complete.
The duration depends on a number of factors, such as:
• product or system complexity,
• scope of the analysis,
• company experience with similar designs (internal experience),
• availability of data,
• originality of the design (external experience),
• availability of industry standards and codes, and
• formality of the analysis.

The time needed to complete a risk assessment depends on many of the same variables that affect other engineering analyses. Experience has shown that the time to complete a risk assessment depends heavily on the system complexity. A typical analysis requires about 2-5 team-days to complete. Simple designs can be assessed in a team-day or two. A wall-to-wall assessment of a facility can require a team-week or more. The familiarity of the team members with the risk assessment basics will affect the time to complete the assessment. For new users, a risk assessment facilitator can be very helpful in guiding the team down an efficient path. When integrated with the engineering design effort, current anecdotal data indicate that the risk assessment effort consumes approximately 5% of the overall engineering hours. While not trivial, the time is not excessive, provided that it does not all occur immediately before the design is to be released to production.

WHO IS THE LEADER IN RISK ASSESSMENT?

Very often in a discussion of risk assessment, the question arises "who is out in front?" The question is often posed by companies seeking to adopt the best practices. Various arguments are made that Europe is the leader because it has had standards requiring risk assessment since 1996. Others argue that the Canadians are leading due to their Pre-Start Health and Safety Review (PSHSR), which requires a risk assessment before equipment can be put into production. Yet others assert that the U.S. is really in front because of the advances made in deploying task-based risk assessment in industry.
Australia and New Zealand should also be considered leaders due to the deep deployment of risk management in those countries. Arguments are also advanced that different industries have the lead, such as robotics, packaging machinery, chemical, and others. Each of these has merit.

Various counter-arguments are also raised. Having legislation, standards or guidelines requiring risk assessments does not mean that risk assessments are actually done, or done well. The North Sea offshore requirements for risk assessment offer an example where risk assessment is compliance-driven but viewed in industry as offering little value. Recent studies have shown that the existence of a standard or guideline does not necessarily correlate well with actual use and implementation (see Raafat and Nicholas 2000 and 2001).

Those companies that are actually performing risk assessments are "out in front." Which method is used is far less important than simply working through the risk assessment process. The good faith application of the hierarchy of controls in the context of a diligent risk assessment places a company at or near the forefront of risk assessment.

WHO BENEFITS?

Who benefits from a completed risk assessment? There are several beneficiaries.

The engineer can see which hazards incur the highest risk (from the initial risk level). These hazards need to be examined for design changes to reduce the risk, whether on the next product iteration or on existing products. As a continuous improvement tool, the risk assessment is a road map to future improvements where less hazardous methods or materials can be used or hazards can otherwise be eliminated by design. The engineer can also use this information to ensure the right kind of guard or other risk reduction measure is used for the application.

The person responsible for developing written warnings benefits from a risk assessment, because much of the information needed to develop a warning is contained in the risk assessment.
This person might be the product safety or warnings specialist, the facility person, legal staff or another role. According to ANSI Z535.4:2002, the message panel of a warning must "identify the hazard, indicate how to avoid the hazard, and advise of the probable consequence of not avoiding the hazard." All of these elements appear in a risk assessment. In addition, the risk assessment can be used to develop placement and performance criteria for candidate audible or visual warning signals or devices.

The person responsible for training personnel or users will find much needed information in the risk assessment. Training topics or modules can be selected based on the identified hazards. Priority training schedules can be developed based on the initial risk level and on the other risk reduction methods used to reduce the risk to an acceptable level.

The person responsible for developing a product or process instruction manual will benefit from the risk assessment, particularly if a task-based approach is employed. One of the difficulties in developing manuals is the lack of information on content from product engineers. This person can use the risk assessment to determine what content needs to be included in the manual, and can then focus on detailing the content and presenting the information in a useful form.

The person responsible for specifying Personal Protective Equipment (PPE) also learns the hazard(s) and the tasks (if a task-based approach is used), and can then match the PPE to the application. For example, knowing the hazard allows the appropriate type of gloves to be specified, such as leather, cotton, latex, rubber, or others.

CROSS INDUSTRY SITUATIONS

What is a supplier company to do if its robot is being used in a semiconductor application, or if its power press is being used in a military setting? Which risk scoring system (Chapter 9) and risk assessment approach should be used, that of the supplier or that of the user?

In most instances, the customer will have a significant voice, if not the last word, on the risk assessment approach used. The supplier may be contractually obligated to conform to the customer's requirements. However, in the majority of situations the risk scoring system used has little bearing on the risk reduction methods deployed and the resulting residual risks. Most industry risk assessment processes allow other risk assessment methods to be used, provided that they reduce the risks to an acceptable level and are documented. So if a risk assessment is performed with one risk scoring system, it likely will not need to be redone using a different scoring system unless the customer requires it.

SEPARATING ASSESSMENT FROM DECISIONS?

One of the Codex Alimentarius principles on conducting risk assessments states that there should be a functional separation between risk assessment and risk management (see Chapter 19). Buchanan (2002) identifies a paradox between the theory and practice of separating risk assessment from risk decisions in conducting food risk assessments. Buchanan observes that "[this is an] important principle that doesn't work if you achieve it." Buchanan (2002) presents several "bumps" in communications, understanding and execution during two large quantitative microbial risk assessments that led to this observation. He notes that the traditional definition of risk analysis theoretically comprises three elements: risk management, risk assessment and risk communication. Buchanan states that his experience was much more of a "stew" of these elements plus research, general management, and others. Buchanan (2002) concludes:

The CFSAN risk analysis model is more complex than that which is prescribed by Codex, which is now viewed by many to be inadequate (e.g., in contrast to the Codex model, the group felt that risk assessors and managers do need to interact in a planned and recurring manner).
Center management, risk communicators, risk managers, risk assessors and researchers all need to be involved. Decisions need to be made by specific persons at specific times by specific individuals. Information needs to flow between and among the groups.

REVISIONS

When should a risk assessment be revisited or revised? Clemens (2002) suggests the following criteria:
• There's been a near miss,
• The system has been changed,
• The system maintenance has been altered,
• The system duty is different, or
• The operating environment is different.

ITERATIONS

Within the risk assessment process the idea of iteration frequently arises. Typically the issue concerns how to arrive at an acceptable risk level. Although many documents mention that the process is iterative, few provide much detail on what is or is not iterated. There are two different kinds of iteration that occur in the risk assessment process.

One form of iteration occurs as the design progresses through the Design Development Process as shown in Figure 8.2. As the design moves from conceptual design through build and operation, the risk assessment is repeated and updated. The level of iteration will depend on how complete the preceding risk assessment was and on the amount of new information available. This iteration includes the complete risk assessment process of identifying hazards, assessing risks and reducing risks as shown in Figure 6.1.

The second form of iteration occurs during risk reduction within any stage of the Design Development Process. When a hazard is identified that presents an unacceptable risk, the risk needs to be reduced using the hazard control hierarchy. The engineering design team identifies potential methods to reduce risk, which may include a mix of one or more design changes, guarding, warning systems, administrative controls, and others. Candidate ideas are considered, investigated, analyzed and evaluated based on effectiveness and feasibility criteria. Ideas may be combined, separated, or discarded as the best solutions are found to the particular situation. Eventually a feasible solution is found that meets the design constraints and reduces risk to an acceptable level. This cycle of brainstorming, researching, analyzing and evaluating tends to draw out the best ideas and solutions to a given problem, and is naturally iterative as shown in Figure 8.7. Although this form of iteration is relatively complex to diagram, participants in the risk reduction effort seem to have little difficulty understanding and performing it.

Figure 8.7 - Iteration in Risk Reduction

One form of iteration that need not occur in the risk assessment process appears in a figure in ISO 12100-1:2003, and is shown in Figure 24.5. The iterative three-step method shown in that figure indicates that estimates of severity and probability need to be made at each sequential step through the hazard control hierarchy. For example, a guard is selected (assess risk), a warning label identified (assess risk), training and instruction materials written (assess risk), and safety glasses specified (assess risk). This level of repetition does not typically occur in practice and provides little value. In practice a combination of risk reduction measures is usually selected to reduce risks to an acceptable level, and an estimate of the severity and probability of harm is made after the selection to verify that the residual risk is acceptable.

ALL OR NOTHING?

Another concern of early risk assessment efforts is that even a fairly common facility or product design can become a large risk assessment project. Situations where there are many users performing many tasks can yield a large list of tasks and hazards (see Chapter 7). However, there is no requirement that a risk assessment must be completed all at once. Typically risk assessment efforts focus on higher risk issues before lower risk areas. This can lead to completing partial risk assessments on several machines rather than full assessments on fewer machines. There is merit to this approach.

This approach sets narrow limits on the scope of the assessment rather than producing incomplete assessments. The distinction is important. Incomplete assessments can lead to liability difficulty and should be avoided. A complete assessment with a narrow scope should be permitted as long as the rationale for setting the assessment scope is reasonable. Each company will need to make decisions on the best approach to working through the risk assessment implementation process.

CHANGING THE RISK ASSESSMENT PROCESS

Many times the price of getting buy-in from participants is that the proposed risk assessment protocol needs changing. The changes may be substantial (how risk factors map to risk levels, the number of factors used to assess risk) or relatively minor (e.g., descriptions, labels or text). Modifying a risk assessment protocol to better match a company's culture, concerns, or processes is entirely appropriate and encouraged. Often modifying a proposed risk assessment protocol to fit an existing design process is much easier and more effective than entirely changing the design process to fit an existing risk assessment protocol. Certainly there are benefits to adopting a protocol "off the shelf," but the end goal of implementing a risk assessment process is more significant than which method(s) is used.

Once a risk assessment protocol is incorporated in the design process, the company can make progress in completing the assessments. As experience is gained with the process, risk reduction solutions advance. Better understanding of hazards and risks can be incorporated into designs, resulting in lower residual risks, increased production and improved cost efficiencies.
RISK ASSESSMENT TRAINING

EDUCATING ENGINEERS

To integrate risk assessment into the design process, engineers will likely need education and training on risk assessment in some form. Too often, engineering students receive very little formal safety instruction. Studies have shown that not too long ago practicing engineers received very little formal safety training (Main, 1992). Although there have been pockets of improvement, some quite remarkable, the overall situation remains little different. Bhimavarapu and Stavrianidis (1999) highlight that not only engineers require training in risk assessment: "there is a general lack of acceptance of the concepts of risk and tolerable risk. Hence, education of all concerned in risk related methodologies is an essential step."

The risk assessment process must be understood and learned. Before a risk assessment can be conducted the participants must understand the objective of the assessment, the process of conducting an assessment, and what results to expect. Although risk assessment is not rocket science, there are basics that need to be learned to effectively conduct an assessment. The basic mechanics of the risk assessment process are relatively straightforward, as described in Chapter 6. Training can help the effort stay on track and focused, because system complexity can quickly create problems for the risk assessment effort (see Chapter 7).

GETTING HELP, TRAINING RESOURCES

The amount and form of training on risk assessment will vary for different organizations. A variety of training materials are commercially available that can assist new users in learning the basics of risk assessment, including computer programs, instructional videos, books, conference training sessions and consulting specialists. More information on these products and services can be found below and in the References:
• designsafe® risk assessment software, www.designsafe.com
• Packsafe software, www.pmmi.org
• Risk assessment training seminars, www.nsc.org, www.pmmi.org, www.robotics.org, www.sae.org
• Robot Risk Assessment, www.robotics.org
• Safety Through Design (book), www.nsc.org
• The Basics of Safety Through Design and Risk Assessment (video), www.designsafe.com

The form of training best suited to an organization depends on many factors, including the specific audience, their familiarity with safety through design and risk assessment concepts, and others. Although risk assessments have been around for many years, their integration into general industry is relatively new. Recent computer tools have become available which greatly improve risk assessment speed and depth of analysis (see the demo on the compact disk provided with this book or www.designsafe.com). For assistance with any of the industry specific approaches, readers are encouraged to contact directly the organizations listed in Section III. Complex designs may benefit from assistance from a specialist familiar with a broad "tool box" of analytical safety techniques (Clemens and Simmons, 1998).

TRAINING CONTENT

Caution needs to be exercised to make certain the risk assessment training meets the needs of the organization. In some cases, risk assessment training can go well beyond the basic needs. Grushka and McManus (2002) report that:

A study of the risk assessment techniques currently taught in many project management training classes shows that a number of statistical methodologies that are difficult to master are taught to the attendees. Additionally, the qualitative methods taught do not go far enough for teams to rapidly master and implement in practice, resulting in poorly defined data providing valid decision criteria further decreasing good risk planning. Once again, the project team will fall back on the three strategies:
1. dependence upon those doing the tasks to understand and compensate for various risks,
2. indirect pools of time or money to act as a contingency reserve; and
3. experience of the team in that they have accomplished similar projects before and have seen it all.
To improve the success rate of a project and prevent injuries or equipment damage, project teams must establish and integrate early risk awareness and risk assessment environments into the project planning and implementation process.

As an example of where management has not effectively defined the objectives, Alderman and Gosse (2001) observe, based on their experiences in the offshore industry:

Before beginning the risk assessment, it is critical that clear objectives are established for the assessment. Most companies do not spend an adequate amount of time on determining the objective of the assessment. This means that the study can grow and become more complex as more details are learned. However, in many cases the objective will change during the study and the assessment will tend to grow.

Training can help keep the risk assessment process focused and on track.

WHY TRAINING END USERS IS NOT ENOUGH

When suggesting changes to an engineering design process, the question often arises why workers or end users cannot simply follow the safety procedures, or why end users do not comply with instructions. The implication is that the design is "safe enough." In many instances this may be true. However, many decisions are made during engineering design that greatly affect how the resulting product or system is used (see Manuele, 2003 for further discussion). Although some risks must be addressed through procedures and information, in some instances there are better options.
Often design engineers do not fully understand or appreciate the tasks involved in performing certain work, especially maintenance (see Main, Cloutier, Manuele and Bloswick, 2003). Their ability to anticipate hazards and include design features that facilitate maintenance is often limited because they do not know how the work is done. Without understanding the user's tasks and hazards, they cannot include these considerations in their design efforts.

For example, if a pump installed at a significant height requires repair, no amount of training, procedures or methods can avoid the need to work at height. Although risk reduction methods such as elevated work platforms, tie-offs, and others can be used to reduce the risk, the design requires exposure to the fall hazard. If identified early enough in the design effort, provisions may be made to move the pump to ground level, eliminating the fall hazard.

Task-based risk assessment helps with this problem, because workers need to be consulted to complete the assessment. As a result, engineers learn of the hazards and can respond to reduce risks through the design. Training end users to follow procedures may not be enough. Engineers and others need training in the risk assessment process to better identify hazards and efficiently work through the risk assessment process.

CLOSURE

Conducting hazard analyses and risk assessments is both an art and a science. Whatever the methodology - the simplest or the most complicated - judgments will determine the potential hazard severity and incident probability. Fundamentally, effective execution of a risk assessment relies on the subjective judgments of the team and its individuals. Risk assessment is not, nor does it pretend to be, a magic solution to injury prevention. Risk assessment helps identify hazards and reduce risks.
Risk assessment should not necessarily be considered a replacement for other safety methods, but rather a complementary tool to assist in the effort to prevent injuries. The risk assessment process is not magic, but it does provide a better understanding of customer requirements. Tweeddale (1989) addresses the strengths and limitations of risk assessment. The author states:

The value of hazard analysis and risk assessment in investigating and managing the safety and environmental performance of process plant has been demonstrated over a number of years. There is an attractive simplicity in the concept of assessing risks, comparing them with acceptability criteria, and making decisions based on the results. This can lead to requirements for risk assessment to be undertaken in inappropriate circumstances, to unsound application of risk assessment results, or to undue reliance on them at the expense of more fruitful approaches.

Schothorst (2000) shares one of the major constraints of risk assessment in the food industry:

Many studies have indicated that the public is having totally different perception concerning risks of eating and, for instance, risks of smoking, drinking, driving cars, mountaineering, etc. The consumer's opinion is mostly expressed as: "Food should be safe, eating should be risk-free!"

The risk assessment process can be expected to result in improved products and processes with risks reduced to an acceptable level. However, risk assessments will not necessarily prevent all injury incidents and will not yield zero risk. Successfully integrating risk assessments into the design process requires time and effort. The first assessments will not be as good as later assessments. As with quality, using risk assessments to improve safety through design requires a longer view than just the end of the day. This is a journey, not an event.

REFERENCES

Alderman, J.A. & Gosse, A. (2001). Offshore risk assessment - simple or complex? Presentation made at the Mary Kay O'Connor Process Safety Center Symposium, October, 2001.

ANSI B11 Technical Report #3 (2000). Risk Assessment - A guideline to estimate, evaluate and reduce risks associated with machine tools. The Association for Manufacturing Technology, www.amtonline.org.

ANSI Z244.1-2003 (final draft). Control of hazardous energy - Lockout/tagout and alternative methods. American Society of Safety Engineers, www.asse.org.

ANSI Z535.4-2002. American national standard for product safety signs and labels. National Electrical Manufacturers Association, www.nema.org.

ANSI/RIA R15.06-1999. Safety requirements for industrial robots and robot systems. Robotic Industries Association, www.robotics.org.

Bhimavarapu, K. & Stavrianidis, P. (1999). Performance-based standards for process industry - development, implementation and integration. ISA TECH 1999 Conference, www.isa.org.

Canadian Ministry of Labour (2001). Guidelines for pre-start health and safety reviews: How to apply section 7 of the regulation for industrial establishments, www.gov.ca/lab/ohs.

Clemens, P.L. & Simmons, R.J. (1998). System safety and risk management; A guide for engineering educators. U.S. Department of Health and Human Services, National Institute for Occupational Safety and Health. www.sverdrup.com/svt.

Clemens, P.L. (2002). System safety scrapbook. Sverdrup Technology, Inc. Ninth Edition. www.sverdrup.com/safety.

Cooper, D. (1999). Tutorial notes: The Australian and New Zealand standard on risk management, AS/NZS 4360:1999. By Broadleaf Capital International Pty Ltd.

EEC 89/391/EEC. (1989). Framework health and safety directive. European Union, www.europeandocuments.com.

Freeman, M.F. (2000). The assessment of risk and its place in the field of medical devices. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.

Frost, S. (1998). Power and control. Number 9, December 1998. The Newsletter of Technology Division's Electrical and Control Systems Unit, http://www.hse.gov.uk/dst/power/powrco9.htm.

Grushka, M.J., & McManus, S.M. (2002). If you manage the risk, you manage the project: Risk driven project management - 'A system that works'. American Society of Safety Engineers, www.asse.org.

ISO 12100-1. (2003). Safety of machinery - Basic concepts and general principles for design - Part 1: Basic terminology and methodology. International Organization for Standardization, www.iso.ch.

ISO 14121/EN 1050-1999. Safety of machinery; risk assessment. International Organization for Standardization, www.iso.ch.

Main, B.W., & Ward, A.C. (1992). What do engineers really know and do about safety? Implications for education, training and practice. Mechanical Engineering, Vol. 114, No. 8. 44-51.

Main, B.W., Cloutier, D.R., Manuele, F.A., & Bloswick, D.S. (2003). Risk Assessment for Maintenance Work. Ann Arbor, Michigan: design safety engineering, inc. www.designsafe.com.

Manuele, F.A. (2003). Hazard analysis severe injury professional: Addressing an overlooked safety management element. Professional Safety, February. 26-31.

McNab, B. (2001). Inspection, investigation and enforcement risk management through assessment and control. A Framework for the Ministry of Agriculture Food and Rural Affairs, Draft Aug. 7. www.gov.on.ca/OMAFRA.

NORSOK Standard Z-013. Risk and emergency preparedness analysis. Rev. 1, March 1998, and Rev. 2, 2001-09-01. Norwegian Center for Ecological Agriculture, www.norsok.no.

PMMI. (2000). Risk assessment basics - An overview for packaging machinery, first edition. Packaging Machinery Manufacturers Institute, www.pmmi.org.

Raafat, H.M.N. & Nichols, R.J. (2000). Analysis of the degree of machinery suppliers compliance with relevant EU requirements. Health and Safety Unit, School of Engineering and Applied Science. Aston University, Birmingham, UK.

Raafat, H.M.N. & Nichols, R.J. (2001). Root cause analysis for non-compliance with the EU machinery directive. Health and Safety Unit, School of Engineering and Applied Science. Aston University, Birmingham, UK.

Rogers, R.L. (2000). The RASE project, Methodology for the risk assessment of unit operations and equipment for use in potentially explosive atmospheres. EU Project #SMT4-CT97-2169. www.safetynet.de.

Schothorst, M. van (2000). Microbiological risk assessment of foods in international trade. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.

Stamatelatos, M., Apostolakis, G., Dezfuli, H., Everline, C., Guarro, S., Moieni, P., et al. (2002). Probabilistic risk assessment procedures guide for NASA managers and practitioners. Office of Safety and Mission Assurance, NASA Headquarters, www.nasa.gov.

Tweeddale, H.M. (1989). Uses and abuses of risk assessment. Chemeca 89: Technology for our third century. Gold Coast, Queensland, Australia, (pp. 191-198).

Introduction
Types
Purpose
Different Measures
Variables in Risk Scoring Systems
Why So Many Variations?
How to Select a Risk Scoring System
Divergence or Convergence?

KEY POINTS

1. Risk scoring system is the term that describes how risks are assessed.
2. The three most common types of risk scoring systems are qualitative, semi-quantitative and quantitative.
3. There are many variables, factors and combinations that must be considered in selecting a risk scoring system.
4. Given the subjective nature of rating risk, risk scoring systems will likely continue to emerge and proliferate as users refine and improve their risk assessment process. This divergence of methods should be considered healthy.
5. In time, convergence to one or a few risk scoring systems may occur as efforts to harmonize and standardize risk assessment methods proceed. This process will require some time.
INTRODUCTION Manuele (2001) coined the term "risk scoring systems" to describe the various matrices and risk models used to assess risks of identified hazards. This term accurately describes the concept and is herein adopted. Assessing risks is perhaps the most controversial part of the risk assessment process. Standards development committees often have heated discussions on various attributes of risk scoring systems. There are many different risk scoring systems and many opinions on which system is best. Given the subjective nature of the risk assessment process, such discussions can last a considerable time with little conclusion. The most important parts of the risk assessment process are identifying hazards and reducing risks. Assessing risk, and the risk scoring system used, is considerably less critical to the overall process. However, given the discussions that center around means to assess risks, this chapter describes different variables and considerations that occur in risk scoring systems. These concepts are also important for comparing the various risk assessment methods presented in Section III - Benchmarks. TYPES There are three basic types of risk scoring systems. The Australian standard AS/NZS 4360-1999 Risk Management provides the following descriptions: Qualitative analysis Qualitative analysis uses word form or descriptive scales to describe the magnitude of potential consequences and the likelihood that those consequences will occur. Qualitative analysis is used: i) as an initial screening activity to identify risks which require more detailed analysis; ii) where the level of risk does not justify the time and effort required for a fuller analysis; or iii) where the numerical data are inadequate for a quantitative analysis. Semi-quantitative analysis In semi-quantitative analysis, qualitative scales are given values. 
The objective is to produce a more detailed prioritization than is usually achieved in qualitative analysis, [but] not to suggest any realistic values for risks such as is attempted in quantitative analysis.

Quantitative analysis
Quantitative analysis uses numerical values (rather than the descriptive scales used in qualitative and semi-quantitative analysis) for both consequences and likelihood using data from a variety of sources. The quality of the analysis depends on the accuracy and completeness of the numerical values used.

PURPOSE

In examining risk scoring systems, knowing the end purpose can greatly help in understanding the different systems. The fundamental purposes of a risk scoring system are to help identify those tasks and hazards that have residual risks that are unacceptably high so that risk reduction methods can be implemented, and to verify that acceptable risk has been attained.

The ratings or values that come from qualitative or semi-quantitative risk scoring systems have no specific meaning in and of themselves. The ratings are only a sorting or ranking system. As such, the significance of the values is only temporary. Even quantitative values are only useful when compared to a known acceptable risk level. As such the significance of the quantitative values is relative rather than absolute. This concept is supported by Capaul (2000) in the context of a risk insurer, wherein "it is not possible to quantify risks in absolute terms, the only thing to do is to describe their quality."

WHAT HAPPENS ONCE A RISK SCORING SYSTEM IS SELECTED?

Once a risk scoring system is selected it is deployed within a risk assessment effort. The primary use of a risk scoring system is to help identify risks that are too high so that risk reduction efforts can focus on these areas. The risk scoring system is basically used to rank or group risks into risk levels so that decisions can be made about risk acceptability.
THE BEST RISK SCORING SYSTEM

Which risk scoring system is best to assess risk? There is consensus among those knowledgeable in risk assessment methods that the specific risk scoring system chosen is far less significant than just having one method integrated into the design process. Just about every published risk assessment guideline allows for variations in the risk assessment protocol to accommodate equivalent risk assessment methods. For example, the ANSI/RIA R15.06-1999 standard includes the following:

Clause 9 Safeguarding of personnel - Risk assessment method
A number of methodologies are available to do a risk assessment. Any method is acceptable which prescribes safeguarding equivalent to or more stringent than the requirements of this clause.

Which risk scoring system is selected is largely a matter of personal, company or industry preference. There are strengths and weaknesses to each system. The best approach for a particular company is the method that works well in the organizational culture and design processes. Industry standards or guidelines should be considered a starting point. As long as any one risk assessment method is selected, validated, and adequately integrated into the organization, there is no wrong answer. Risk assessments are not a scientific exercise; therefore, energies are best spent on risk reduction efforts rather than optimizing risk ratings.

DIFFERENT MEASURES

Many risk scoring systems focus strictly on the potential for injury to an individual. Other systems broaden the scope to include other factors including:
• Damage to equipment or facilities
• Damage to property (such as from chemical release)
• Business interruption losses
• Environmental damage
• Public relations consequences

For example, Table 9.1 shows the Severity Grouping of a risk scoring system from the semiconductor industries.
Table 9.1 - Example Severity Grouping SEMI S10-1103

Severity Group | People* | Equipment/Facility* | Property*
1 - Catastrophic | One or more fatalities. | System or facility loss. | Chemical release with lasting environmental or public health impact.
2 - Severe | Disabling injury/illness. | Major subsystem loss or facility damage. | Chemical release with temporary environmental or public health impact.
3 - Moderate | Medical treatment or restricted work activity (OSHA recordable). | Minor subsystem loss or facility damage. | Chemical release triggering external reporting requirements.
4 - Minor | First aid only. | Non-serious equipment or facility damage. | Chemical release requiring only routine cleanup without reporting.
* These descriptions are for example only.

VARIABLES IN RISK SCORING SYSTEMS

Specialists are often responsible for evaluating, selecting or creating a risk scoring system for their organization. To do so requires understanding the variables that can be adjusted in a risk scoring system. This subsection examines the variables and typical values used.

There are several variables that comprise a risk scoring system. These can be a source of some initial confusion. Knowing the variables and sets of values can help in understanding why so many different risk scoring systems exist today. There are six primary variables to consider in a risk scoring system. They include:
1. Number of risk factors
2. Number of levels
3. Type of assessment
4. How the factors are combined
5. Decision guidelines
6. Mixed systems

Each variable is described below.

NUMBER OF RISK FACTORS

The first variable in risk scoring systems is the number of factors that will be used to evaluate risk. There are many risk models available and each one uses slightly different risk factors or combines the factors in slightly different ways. Different risk scoring systems use different terms to describe the same risk factor concept.
For example, some systems use "probability of occurrence" and others use "likelihood of occurrence." Other systems use similar factors but the terms convey distinct meanings (e.g., "vulnerability vs. avoidance"). In other systems, different terms are used to account for different aspects of risk (e.g., detection). Typically one to four risk factors are used to assess risk. Each of these will be discussed.

One Factor Risk Scoring Systems

The simplest risk scoring system uses risk as the sole factor. This system is used to obtain a direct and very general assessment of risk. This kind of system has been used in situations where detailed assessments have not been logistically feasible. For example, insurance agents conducting a walk through inspection may have only a few hours to evaluate an entire facility. To assist in their evaluation, a general checklist of items might be rated such as shown in Table 9.2.

Table 9.2 - Sample Single Factor Risk Scoring System

Item | Circle Risk Rating
Fire hazards | High Medium Low
Machine guarding exposures | High Medium Low
Means of egress | High Medium Low
Manual lifting | High Medium Low
Housekeeping | High Medium Low
Etc. | High Medium Low

Two Factor Risk Scoring Systems

Two factor risk scoring systems are very prominent and historically the most common. The example of Table 6.1 uses two factors: severity and probability.

Three Factor Risk Scoring Systems

Three factor risk assessments are finding increasing use in industry. Three factor risk systems typically divide the probability component into smaller pieces that can be more effectively or accurately evaluated. There are variations on what the factors are, or are named. Some factors used in three factor scoring systems include:
• Probability of harm given the hazard
• Probability of failure
• Likelihood of detection

A summary of some applications that use a three factor risk scoring system and the factors used is shown in Table 9.3.
Table 9.3 - Sample Applications Using Three Risk Factor Scoring Systems

Application | Three risk factors
Robotics | Severity, Exposure, Avoidance
Agriculture and heavy equipment | Exposure, Likelihood, Consequences
Failure modes and effects analysis (FMEA) | Severity, Likelihood of Detection, Probability of Failure
Manuele (2001) | Severity, Exposure, Probability

Jackson (2001) presents a modified risk scoring system that introduces the concept of consequences of failure to complete task as a new dimension to a traditional two factor risk matrix. He proposes this third factor based on his experiences as a safety engineer and manager in emerging international countries:

I have distinct memories of workers on scaffolding of all descriptions, atrocious designs, of materials from bamboo to old manila rope... I have seen fully pressurized gas cylinders being rolled off the back of a truck onto some old tires about 1.5 meters below with no bottle caps in place, and an individual checking for a gas leak on a newly installed propane gas line with a lighter. When interviewing in these and similar cases, invariably, I found a complete sense of acceptance with the situation - they were doing what they had to do with what resources they had available to them or what they were instructed to do.

Jackson's (2001) third factor is proposed to account for "subtle/less tangible but highly significant factors that contribute to otherwise 'intelligent' men taking these unnecessary risks... The most significant of these less tangible factors is the combined effects of supervisory, peer and social pressures."

Four Factor Risk Scoring Systems

Four factor systems are relatively rare but can be found. The four factor systems break each of the severity and probability factors into two sub-factors that are then assessed. An example of breaking down the severity factor would include the magnitude of consequences (severity) that would likely occur, and the number of individuals exposed to the hazard.
The dimensions of one four factor risk scoring system include:
• Degree of possible harm (severity)
• Number of persons exposed
• Likelihood of occurrence
• Frequency of exposure

Note that in this system the second factor, number of persons exposed, addresses the societal risk rather than the individual risk (refer to Chapter 2 for further discussion).

Manuele (2001) has critically discussed risk scoring systems in great detail, including the shortcomings of using a four factor system developed in Europe that uses the following four risk factors:
• Likelihood of occurrence/contact with hazard
• Frequency of exposure to the hazard
• Degree of possible harm, taking into account the worst possible case
• Number of persons exposed to the hazard.

In this system, the four factors are rated, each holding a quantitative value, and a risk level is derived by multiplying the four numbers together. Manuele (2001) analyzes this risk scoring system by focusing on the scenario where a fatality could occur with equal chance (50%) during an annual task (such as tooling change). He then evaluates the resulting risk scores based on the numbers of persons exposed (killed). His analysis demonstrates that with the particular four factor risk scoring system used, his very plausible risk scenario never falls into the "Unacceptable" risk level even when there is an even chance that 51 persons would be killed. Manuele concludes, "that is simply not acceptable... The use of number of persons exposed as a category in risk assessment requires careful consideration" (p. 189).

Is this merely a calibration problem? Perhaps the four factor system could be adjusted so that Manuele's (2001) scenario falls into the Unacceptable risk level. Then again, perhaps this is only one example of how attempting to account for societal risks within a risk scoring system can yield unacceptable decisions and consequences for individuals.
Calibrating the risk scoring system may solve Manuele's particular scenario but may not address the underlying conflict.

NUMBER OF LEVELS

The second variable to consider in a risk scoring system is the number of levels for each risk factor. The numbers typically range from 2 to 10 with most being between 2 and 5. The ANSI B11 TR3 approach uses four levels for each of the probability and severity factors as shown in Table 6.1. The robotics industry approach shown in Table 9.4 uses two levels for each factor. For example, Severity can either be "serious" or "slight," Exposure is either "frequent" or "infrequent" and Avoidance is either "likely" or "not likely."

Table 9.4 - Example Three Factor Risk Scoring System From ANSI/RIA R15.06-1999 (Prior to safeguard selection)

Severity | Exposure | Avoidance | Risk level
S2 Serious Injury | E2 Frequent | A2 Not Likely | R1
S2 Serious Injury | E2 Frequent | A1 Likely | R2A
S2 Serious Injury | E1 Infrequent | A2 Not Likely | R2B
S2 Serious Injury | E1 Infrequent | A1 Likely | R2B
S1 Slight Injury | E2 Frequent | A2 Not Likely | R2C
S1 Slight Injury | E2 Frequent | A1 Likely | R3A
S1 Slight Injury | E1 Infrequent | A2 Not Likely | R3B
S1 Slight Injury | E1 Infrequent | A1 Likely | R4

In this risk scoring system, rating the three factors yields a risk level. For example, a rating of Serious, Infrequent and Likely yields an R2B risk level. The standard provides guidance on the necessary risk reduction methods to use for the resulting risk levels.

Not every risk factor must have an equal number of risk levels. The U.S. military standard MIL-STD-882D uses four levels for severity and five levels for probability.

The number of levels used in a risk scoring system balances simplicity and discernment. The fewer the number of levels the simpler the system, but users are less able to distinguish between the levels. In Table 9.4, a broken finger and a fatality are both treated the same (Serious). Conversely, a system with ten levels may be attempting to draw distinctions that lack practical significance (e.g., severity of Very High versus High or Minor versus Very Minor). The simpler systems do require fewer decisions and can speed the analysis time.
Many different terms are used to label the different levels of a risk scoring system. Similarly, the descriptions that attempt to clarify the labels also show large variation. Such diversity is not unexpected given the subjective nature of risk assessments and people's use of language to convey meanings. This is an area where diversity has little significant impact on the overall risk assessment process. If a company prefers a different label or description because the change improves communication or understanding within the company, then the change should be made.

There is no one "right" answer for the number of levels used in a risk scoring system. Finding a risk scoring system that works within an organization is more important than which system is selected.

TYPE OF ASSESSMENT

Risk assessments can take one of three forms: qualitative, quantitative and semi-quantitative. Qualitative systems have existed for many decades and continue to be used with great success. A qualitative risk scoring system uses only words to evaluate and describe the risk components and results. Examples of qualitative risk scoring systems include the B11 machine tool industry and robotic industry systems shown in Tables 6.1 and 9.4.

A quantitative approach uses probabilistic valuations based on data that yield results such as 1 in 500,000 occurrences per year. Several sophisticated industries use quantitative risk scoring systems, particularly those with potentially high consequence outcomes, such as the nuclear power and chemical industry. Fullwood (2000) presents an historical review of Probabilistic Safety Assessments (PSAs) as an analytical method to protect the public health and safety, and he shows the progressive understanding of risk in the chemical and nuclear industries. Thomson (1987) presents the steps involved in a probabilistic risk assessment as shown in Figure 9.1.
Figure 9.1 - Steps in a Probabilistic Risk Assessment, Thomson (1987)

However, quantitative approaches tend to be used relatively infrequently in general industry due to the lack of reliable probability data and the lack of resources to develop mathematical models to derive the data.

The semi-quantitative approach falls in the broad area between qualitative and quantitative systems. In a semi-quantitative approach, numerical values are assigned to each risk factor level. The values have no intrinsic meaning themselves, but are selected in a manner to be relative to the adjacent risk levels. For example, Manuele (2001) proposes a semi-quantitative risk scoring system that uses the following values for the severity factor: Catastrophic (50), Critical (40), Medium (25), and Minimal (10). A numerical risk level can be derived by combining these values with numerical values for other risk factors. However, the resulting numerical risk value has no intrinsic meaning but serves only to allow comparison to other results and to acceptable risk levels.

The type of assessment, whether qualitative, quantitative or semi-quantitative, is largely determined by the following:
• existing data available to use in the assessment,
• the severity of potential consequences,
• the time and resources committed to the assessment,
• industry practice or suggested risk scoring systems, and
• the preferences of the persons performing the assessment.

HOW FACTORS ARE COMBINED

The fourth variable in a risk scoring system is how the risk factors are combined to yield a risk level. In a qualitative assessment type, the risk factors are combined in a matrix or graph approach as in the machine tool and robotic industries shown in Tables 6.1 and 9.4. Quantitative and semi-quantitative approaches use mathematical manipulations to combine the risk factors.
The most common usage is a straight multiplication of the factors, as in:

Risk level = Severity x Probability

or

Risk level = Severity x Exposure x Probability

Another method involves addition. Adding the values for the risk factors does occur, but less frequently than multiplication. For example:

Risk level = Severity + Exposure + Probability

Manuele (2001) observed that when a two factor risk scoring system is expanded to three factors, how the factors are combined can have a significant impact. If the factors are combined by multiplying, the net effect is to reduce the weighting of the severity element. In a two factor system the severity factor has a 50% weighting. In a three factor system the severity element reduces to 33%. Given the importance of severity to the overall risk level, such a downgrading of this factor should be entertained with caution. Manuele (2001) proposes a risk scoring system with an equation that uses both a multiplication and addition component as follows:

Risk level = Severity x [Exposure + Probability]

In this system the values for exposure and probability factors are added prior to being multiplied with the severity value. With this combination the severity factor retains its 50% weighting and is not diluted by the addition of the third risk factor.

DECISION GUIDELINES

The fifth variable in the risk scoring system is the relationship between the resulting risk levels and the risk reduction and management approval required. Several risk scoring systems prescribe the required risk reduction measures or the management approval based on the level of risk. For example, Table 9.5 from MIL-STD-882D presents one example of the management approval required for the given risk levels.
Table 9.5 - Management Approval Required for Risk Levels

Mishap Risk Assessment Value | Mishap Risk Category | Mishap Risk Acceptance Level
1-5 | High | Component Acquisition Executive
6-9 | Serious | Program Executive Officer
10-17 | Medium | Program Manager
18-20 | Low | As directed

In the robotic industry approach, as shown in Table 9.4, the highest risk level (R1) requires that hazards be eliminated or controlled, or control reliable circuits be used. Administrative controls such as training or procedures are not sufficient for the R1 risk level. Other systems do not explicitly prescribe a risk level/risk reduction requirement, but instead allow the manufacturer, supplier or designer to develop the best solution in the context of the particular design.

MIXED SYSTEMS

The last variable in risk scoring systems addresses the assessments before and after risk reduction. In most risk scoring systems, risk is rated using the same system for both assessments. There are instances where these two rating systems differ, although rarely do they differ greatly. The robotic industry makes a slight change to the risk scoring system before and after risk reduction. In the before rating the three risk factors are rated in the following order: severity, exposure and avoidance, as shown in Table 9.4. In the after rating, the order is changed to exposure, avoidance and severity.

There is no particular reason why a risk assessment process could not use two different risk scoring systems for the before and after rating. For example, the before rating could use a common two or three factor system and the after could use a single factor system, or vice versa.

WHY SO MANY VARIATIONS?

From the examples shown thus far, the reader will note that there are many different risk scoring systems. In addition, individual companies have developed variations on the published risk scoring systems and have successfully deployed them in their organizations. One might wonder, "why are there so many variations?"
or "why cannot one proven risk scoring system be used so that everyone has a standardized approach?" These are not unreasonable questions. The answers are less obvious.

Risk assessment is fundamentally a subjective analysis. Risk scoring systems try to capture a subjective judgmental process and create a system that is more objective, repeatable and robust. Engineers' passion for accuracy drives risk scoring systems to become more complex as the risk factors are sorted into smaller elements that can be estimated with, what is assumed, higher precision. Unfortunately, even with quantitative and semi-quantitative methods, risk assessment remains a largely subjective process. Several small judgments combined do not necessarily yield a better assessment than one simple judgment. Indeed, the added complexity does increase the assessment time and slow the process down significantly. In this situation, the added complexity may provide little benefit. Although the simpler systems may be less sophisticated and indeed less accurate, the results may be entirely sufficient to obtain acceptable risk levels. Manuele (2001) comments:

Risk scoring begins with subjective judgments and those subjective judgments are translated into numbers... What starts out as judgmental observations become finite numbers, which then leads to an image of preciseness. Further, those numbers are multiplied or totaled to produce a risk score, giving the risk assessment process the appearance of having attained the status of science. In reality, the risk assessment process is as much art as science. The numbers assigned to the elements to be scored are entirely judgmental, have no basis in fact or good science, and vary for the same subject in different systems (p. 171).

Given the subjective basis of risk scoring systems, who is to say that "likelihood" is a better or lesser term than "probability," or that four levels of severity are better than two?
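The point that the same judgments, once "multiplied or totaled," rank hazards differently depending on the combining rule can be checked directly. The following is an added example, not from the book: it applies the three combining rules from HOW FACTORS ARE COMBINED to a small three factor grid and counts how often a Minimal severity hazard outranks a Catastrophic one. The severity values are Manuele's as quoted above; the exposure and probability level names and values are constructed for illustration.

```python
"""Added example (not from the book): how the rule for combining semi-quantitative
risk factors changes the influence of severity on the resulting ranking."""
from itertools import product

# Severity values are Manuele's (2001), as quoted in the text.
SEVERITY = {"Catastrophic": 50, "Critical": 40, "Medium": 25, "Minimal": 10}
# Exposure and probability level names and values are constructed for this example.
EXPOSURE = {"Continuous": 10, "Frequent": 6, "Occasional": 3, "Rare": 1}
PROBABILITY = {"Likely": 10, "Possible": 6, "Unlikely": 3, "Remote": 1}


def combine_multiply(s, e, p):
    """Risk level = Severity x Exposure x Probability."""
    return s * e * p


def combine_add(s, e, p):
    """Risk level = Severity + Exposure + Probability."""
    return s + e + p


def combine_manuele(s, e, p):
    """Risk level = Severity x [Exposure + Probability] (Manuele's mixed form)."""
    return s * (e + p)


def score_grid(combine):
    """Score every (severity, exposure, probability) cell of the three factor grid."""
    return {
        (sn, en, pn): combine(s, e, p)
        for (sn, s), (en, e), (pn, p) in product(
            SEVERITY.items(), EXPOSURE.items(), PROBABILITY.items()
        )
    }


def outranked_cells(combine, high="Catastrophic", low="Minimal"):
    """Cells of the `high` severity row whose score is met or exceeded by the best
    scoring cell of the `low` severity row.  Each such cell is a hazard the rule
    sorts no higher than a hazard of far lesser severity; the more of them, the
    less the ranking is driven by severity."""
    grid = score_grid(combine)
    low_best = max(v for (sn, _, _), v in grid.items() if sn == low)
    return sorted(k for k, v in grid.items() if k[0] == high and v <= low_best)


def two_factor_outranked(high="Catastrophic", low="Minimal"):
    """The same test for the two factor rule Risk level = Severity x Probability,
    for comparison with the three factor multiplication above.  Returns the
    probability levels at which a Catastrophic hazard is outranked."""
    low_best = SEVERITY[low] * max(PROBABILITY.values())
    return sorted(pn for pn, p in PROBABILITY.items() if SEVERITY[high] * p <= low_best)


def dilution_report():
    """Count of Catastrophic cells outranked by a Minimal severity cell, per rule."""
    rules = [("multiply", combine_multiply), ("add", combine_add), ("manuele", combine_manuele)]
    return {name: len(outranked_cells(rule)) for name, rule in rules}


if __name__ == "__main__":
    cells = len(EXPOSURE) * len(PROBABILITY)
    print("two factor S x P: Catastrophic outranked at probability", two_factor_outranked())
    for name, count in dilution_report().items():
        print(f"three factor {name:8s}: {count:2d} of {cells} Catastrophic cells outranked")
```

With these values the two factor rule lets a Minimal hazard outrank a Catastrophic one only when probability is Remote, three factor multiplication does so for 10 of the 16 Catastrophic cells, and Manuele's mixed form brings that back down to 3.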
There is often considerable difference of opinion among those with expertise in conducting risk assessments. Users keep trying to build a better risk scoring system, one that more accurately reflects their needs or is more repeatable among their personnel. This is expected and will likely continue. As a result, the continued spawning of various risk scoring systems should be anticipated.

Risk assessment is also strongly influenced by culture. If a company culture requires that a risk scoring system be changed in order to be adopted, then the correct answer is to change the risk scoring system. A risk scoring system can be changed to reflect a company's preferences. Deploying risk assessments is far more important than attempting to optimize a risk scoring system.

ON THE ISSUE OF COMPLEXITY

The issue of complexity often arises in discussion of risk scoring systems. Balancing between simplicity and accuracy is a trade off. Simpler systems are easier to use and require less training, and risk ratings can be established faster. Fewer choices afford fewer decisions and require less time. Since in most risk assessments the risks must be rated twice - before and after risk reduction - even small reductions in complexity can favorably impact the overall time to complete the risk assessment process. Indeed for many industrial purposes, seldom will a complex risk assessment method be needed; the simpler methods will suffice for all but the unusual situations.

In some applications, a more complex risk assessment method will be necessary. The more complex systems break down general categories into smaller elements to allow greater distinction. These more complex systems hold the possibility of being more technically accurate because they draw greater distinction between the factors affecting risk, such as distinguishing between the frequency and duration elements of exposure or between differing severity levels.
Although more accurate, these complex systems require more choices to be made for each risk rated, which increases the time required to complete the assessment. The more complex systems can also be somewhat more difficult to use, require more training and sometimes require specialists to conduct. Yet engineers who loathe subjectivity may be more comfortable with the more complex systems due to the improved accuracy. Again, finding the risk scoring system that works within a particular organization is more important than which system is used.

USING COLOR

Many risk scoring systems now employ color coding with the system. The most common color scheme is red, yellow and green corresponding to risk levels high, moderate and low (or similar variants). Using color capitalizes on users' existing familiarity with traffic control systems. Red means STOP and risk levels in the red region require risk reduction before work or the product development can proceed. Green means GO and risks falling in the green region can proceed without great concern. Yellow means CAUTION and risks in this region need to be examined for practical or feasible risk reduction methods that can lower the risk.

Risk scoring systems that have more than three risk levels use shading or color variations to convey the risk levels. One of the integrated ergonomic risk assessment methods uses five levels of risk based on a quantified valuation and breaks these into the following regions:
• Green area = acceptable
• Green-yellow area = conditionally acceptable
• Yellow-red area = conditionally acceptable
• Red area = not acceptable

Color coding within the risk scoring system does seem effective in communicating risk levels. The use of color in this manner should be expected to proliferate.

REPEATABILITY

The proliferation of risk scoring systems stems from a desire to develop an effective, accurate and repeatable system. Many risk scoring systems have been successful in accomplishing the first two of these concerns.
Unfortunately, the repeatability issue can be very difficult to accomplish. Risk assessors have had different experiences and likely harbor different perspectives on risks. The person who suffered a burn injury as a child may have a strong aversion to fire hazards and rate such risks very high. Given the variability in risk assessors, developing a repeatable risk scoring system can be very challenging.

Nonetheless, risk assessments proceed even with unresolved repeatability concerns, in part because the outcome of the assessment remains that of acceptable risk. Although different groups may arrive at different risk reduction measures and even different levels of acceptable risk, by working through the risk assessment process the likelihood of injury should be reduced and incidents avoided.

HOW TO SELECT A RISK SCORING SYSTEM

The first step in selecting a risk scoring system is to look to the standards, guidelines or practices in a particular industry. If the industry has adopted or created a particular risk scoring system then in most instances selecting that system will be beneficial.

If no risk scoring system is used in the industry of interest, the next place to look is to the benchmarks in Section III of this book. This section presents many risk scoring systems and approaches to risk assessment. The reader can review the various approaches and understand what is available. Section III is not exhaustive so additional research or investigation may be appropriate.

The next step is to test one or more systems to determine how well they work in a particular application. Testing need not be overly complex or formal, but enough to determine if a system works in a particular organization. There may not be a risk scoring system "off the shelf" that suits a particular company. In this instance make adjustments as necessary to optimize the system to the application. Once changes are made consider testing again to determine if the change improves the performance.
Once the testing is complete, the last step in the process is deploying it to the organization and monitoring the results. If new concerns arise with the risk scoring system, adjustments can be made as appropriate.

DIVERGENCE OR CONVERGENCE?

Risk scoring systems continue to emerge. Risk scoring systems apply an imprecise "science" to assessing a subjective value (i.e., risk). As a result, individuals tinker with risk scoring systems to make existing systems better suit their specific application. This is reasonable, expected and should be encouraged. Until and unless a single risk scoring system emerges that adequately addresses all applications and needs, there is room for experimentation to find such a system.

There may not be any particular benefit to having different companies in different industries use the same risk scoring system for risk assessment. Efforts to corral users into a "standardized" risk scoring system are premature at this time. Although convergence will likely occur in the future, the time of divergence in ideas and methods currently remains, and that is a healthy prospect.

REFERENCES

ANSI/RIA R15.06-1999. Safety requirements for industrial robots and robot systems. Robotic Industries Association, www.robotics.org.
AS/NZS 4360-1999. Risk Management. Standards Australia, www.standards.com.au.
Capaul, B. (2000). Standardised risk assessment - a need for man-made risk insurers. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.
Fullwood, R.R. (2000). Probabilistic safety assessment in the chemical and nuclear industries. Boston: Butterworth Heinemann.
Jackson, K.M. (2001). Effectively managing HSE risks in emerging international operations. American Society of Safety Engineers, Professional Development Conference, 2001.
Manuele, F.A. (2001). Innovations in safety management - Addressing career knowledge needs. New York: John Wiley & Sons.
MIL-STD-882C.
(1987). Standard practice for system safety. Department of Defense, U.S.A. www.defenselink.mil.
MIL-STD-882D (2000). Standard practice for system safety. Department of Defense, U.S.A. www.defenselink.mil.
SEMI S10-1103 (2003). Safety guideline for risk assessment. Semiconductor Equipment and Materials International, www.semi.org.
Thomson, J.R. (1987). Engineering safety assessment, An introduction. New York: Longman Scientific & Technical, John Wiley & Sons, Inc.

SECTION III
RISK ASSESSMENT BENCHMARKS

Chapter 10 Overview
Chapter 11 Aviation and Aerospace Industries
Chapter 12 Chemical and Oil
Chapter 13 Company Specific Approaches
Chapter 14 Consumer Products
Chapter 15 Construction
Chapter 16 Environmental
Chapter 17 Ergonomics
Chapter 18 Fire and Explosion
Chapter 19 Food
Chapter 20 Government Activities
Chapter 21 Land Transport
Chapter 22 Lifts (Elevators), Escalators and Moving Walkways
Chapter 23 Lockout/Tagout Standard - Reaching across industry lines
Chapter 24 Machinery and Machine Tool
Chapter 25 Maintenance Applications
Chapter 26 Medical Devices
Chapter 27 Military
Chapter 28 Nuclear Power Industry
Chapter 29 Offshore
Chapter 30 Packaging Machinery Industry
Chapter 31 Process Controls Industries
Chapter 32 Product Liability
Chapter 33 Risk Assessment in Education
Chapter 34 Risk Management
Chapter 35 Robotics
Chapter 36 Semiconductors and Flat Panels
Chapter 37 Other Risk Assessment Benchmarks

OVERVIEW

Overview
Benchmark
Consensus vs. Performance Based Standards
Format
Repetition
Limitations

KEY POINTS

1. Risk assessment methods are being deployed in many industries and applications, and the momentum will continue.
2. As used in this book, a benchmark refers to a written assessment method that generally follows the risk assessment process described in Chapter 6.
3. The level of sophistication varies from industry to industry and within industries, but the general risk assessment process applies across all industries and applications.
4.
Performance-based standards have been a key driver in the growth of risk assessments because they are the primary means to demonstrate that risks have been reduced to an acceptable level. 5. The following survey of industries and applications is not comprehensive. Any omission or oversight is unintentional OVERVIEW Many industries are advancing down the risk assessment path. These companies are finding that risk assessment is a valuable tool for demonstrating that risks have been reduced to an acceptable level. Risk assessment continues to evolve, grow and change as new ideas are tested and new knowledge is gained through implementation. Even in industries where long used, risk assessment methods continue to advance. In some industries and applications, risk assessment has developed into a considerably sophisticated process. Often these advances have come due to major incidents (accidents) such as have occurred in the chemical industry. Situations involving military armaments or spacecraft, nuclear facilities or large chemical releases impact immediate users and surrounding communities. As a result, risk assessments for these situations have become increasingly sophisticated due, in part, to public scrutiny. The more sophisticated applications tend to have several aspects in common. • The societal loss consequences of the mission or situation are high. The application has primarily one or only a few situations. • More risk control resources are available or can be made available per situation. # Societal risk represents a significant component of the overall risk. * The systems tend to be complex. Other applications face a near opposite situation. Applications such as general industry or construction present a very different risk picture. The societal loss consequence tends to be comparatively low. • There are many more situations, work stations, tasks or operations that need to be considered. 
The resources available to evaluate each situation are considerably lower. ♦ Individual risk plays a much higher role in the overall risk. The systems tend to be much less complex. The applications discussed in this section include examples from both complex and simple systems, and many in between. Since the systems differ, the methods used to assess and reduce risks should be expected to differ also, and this turns out to be true. Although the resulting risks differ between the systems, the general risk assessment process applies across all applications examined. BENCHMARK What is a "benchmark" as used in this book? The dictionary definition states, "a point of reference from which measurements may be made" (Merriam-Webster, 2002). A general interpretation of benchmark then involves comparing one thing to another, or several to each other. In this book the thing being compared is the risk assessment process used in a particular application. In most instances the application is by industry, such as machine tool, robotics, lifts, and others. In other instances the application cuts across many industries such as control of hazardous energy (lockout/tagout) or risk management. Therefore, in this book a risk assessment "benchmark" refers to a written method of working through the risk assessment process generically shown in Figure 6.1. CONSENSUS VS. PERFORMANCE BASED STANDARDS In the standards writing process, there has been a significant movement away from prescriptive (specification) standards to performance-based (goal or threshold) standards. Complying with performance-based standards is relatively easy where performance levels are objective - for example, strength of materials, load levels, lumen lighting levels, and others. Far more difficult are the many subjective areas such as the general duty clause of OSHA or statements in standards that the machine "must be safe" or "provide adequate safety." The subjective situations far outnumber the objective ones. 
The risk assessment process provides a basis to show that an adequate and appropriate level of safety has been established. In the context of the nuclear power industry, Whipple (1988) observes:

There is a movement away from consensus-based standards toward risk-based standards in engineering. The impetus for this trend has a number of sources including advances in risk assessment, pressures to increase public participation in setting safety objectives, and increasingly complex design objectives for engineered systems in terms of safety, cost, reliability and performance. The notion of good engineering practice was the traditional standard for judging if risks were acceptable. Historically, most engineering standards developed through experience, and especially from bad experiences. But many risks of current concern are not well suited for trial and error management. One aspect of many current risks is that we can't find out we are wrong and go back and fix things. Many issues of current concern involve new technologies where the cumulative operating experience is not long enough to provide a good data base on what the risks are. We now have public participation in decisions about how safe industrial facilities should be. The idea that engineers can professionally determine acceptable safety standards is becoming less and less accepted in the areas where technology itself is controversial (pp. 45-46).

If the performance requirement is acceptable risk, then a risk assessment must be performed to demonstrate that risks are reduced to an acceptable level.

FORMAT

The following chapters present various risk assessment methods used in certain industries and applications. The benchmarks contained in this section appear in alphabetical order as listed at the beginning of this section. To the extent applicable, each industry benchmark method is outlined and summarized using the following format.
• Background
• Description
• Flow Chart (where applicable)
• Risk Scoring System (where applicable)
• Status

References for more detailed information for each industry and application are included at the end of each chapter. In this section each benchmark method is presented as drawn from the source documents without comment or critique. Inclusion as a benchmark method should not be interpreted as an endorsement or criticism of any method. Observations and comments on the various benchmarks appear in Section IV.

REPETITION

Several benchmark applications use very similar methods to assess risks. This leads to some repetition in coverage. However, one of the purposes of this book is to show both the similarities of, and differences between, how different industries and applications assess risk. Therefore, the repetition that does occur is appropriate.

LIMITATIONS

The following chapters document the current state of the art across several industries and applications. By its very nature, this section cannot be, nor is it intended to be, exhaustive. There are likely risk assessment efforts occurring in applications not addressed in this review. There are also likely advances within some of the industries discussed that do not appear. Any oversight is unintentional. Omission from this compilation should not be interpreted to mean that the risk assessment method of a given industry is of lower quality or an unacceptable approach when compared to others.

REFERENCES

Merriam-Webster. (2002). On-line dictionary. Merriam-Webster, Incorporated, www.m-w.com.
Whipple, C. (1988). Risk-based standards in engineering. Engineering applications of risk analysis. American Society of Mechanical Engineers, Winter Annual Meeting, December 1987. www.asme.org.
AVIATION AND AEROSPACE INDUSTRIES

Aviation Ground Operations
Spacecraft Design and Manufacturing
Space Flight Operations
Locating Airports
FAA Risk Assessment Studies

AVIATION GROUND OPERATIONS

BACKGROUND

One risk assessment effort in the aviation industry has been coordinated by the International Air Transport Section of the National Safety Council. The International Air Transport Section comprises airlines, airport operators, and related aviation industries and services from around the world. The Section's scope includes all phases of ground and in-flight work operations except those functions under control of the flight crew. Typical activities include: ramp operations, fuel and cabin servicing, ground equipment operations and specifications, and facility maintenance. This Section has developed an Aviation Ground Operation Safety Handbook (2000) published by the National Safety Council. Within the Handbook is a chapter on Risk Management.

DESCRIPTION

Risk management in the aviation industry is a continuous process designed to detect, assess, and control risk while enhancing performance and maximizing effectiveness. The Handbook provides "a six-step logic-based, common sense approach to making calculated decisions on human, material, and environmental factors before, during and after operations." The Handbook uses three principles to govern the risk management actions:
1. Accept no unnecessary risk
2. Make risk decisions at the appropriate level
3. Integrate risk management into operations and planning at all levels
These principles are similar to those used in the U.S. military discussed in Chapter 27.

FLOWCHART

The six-step process used for risk management in the Aviation Ground Operation Safety Handbook is represented in Figure 11.1.

Figure 11.1 - Risk Management Process in Aviation Ground Operations. Reprinted with permission from the National Safety Council, Aviation Ground Operation Safety Handbook. Itasca, IL: NSC Press, 2000.
RISK SCORING SYSTEM

The risk scoring system presented in the Handbook uses two risk factors: severity and probability. The risk factors appear in Tables 11.1 and 11.2.

Table 11.1 - Severity Levels (Aviation Ground Operations)
Label (Level): Description
Catastrophic (I): Death or permanent total disability, system loss, major property damage.
Critical (II): Permanent, partial or temporary total disability in excess of 3 months, major system damage, significant property damage.
Marginal (III): Minor injury, lost workday incident, minor system damage, minor property damage.
Negligible (IV): First aid or minor medical treatment, minor system impairment.

Table 11.2 - Probability Levels (Aviation Ground Operations)
Label (Level): Description
Frequent (A): Occurs often, continuously experienced.
Likely (B): Occurs several times, occurs often.
Occasional (C): Occurs sporadically, occurs sometimes.
Seldom (D): Remote chance of occurrence; unlikely, but could occur at some time.
Unlikely (E): Can assume it will not occur.

The risk factors are combined to yield a risk level as shown in Table 11.3.

Table 11.3 - Risk Assessment Matrix (Aviation Ground Operations). Probability levels (Frequent A, Likely B, Occasional C, Seldom D, Unlikely E) run across the top; severity levels (Catastrophic I, Critical II, Moderate III, Negligible IV) run down the side; the cells carry the risk levels Extremely High, High, Medium and Low. [The individual cell assignments did not survive extraction of the source table.]

STATUS

The Aviation Ground Operation Safety Handbook is a completed document. Contact the National Safety Council's International Air Transport Section at www.nsc.org for additional information.

SPACECRAFT DESIGN AND MANUFACTURING

BACKGROUND

Large space projects in the 1970s and 1980s were initially accompanied by considerable financial budgets, so that achieving the technical objectives held priority over financial targets. This contributed greatly to the development of quantitative risk assessment methods. Many important NASA programs, like the Space Shuttle Program, have, for some time, been assigned explicit risk-based mission success goals.
More recently, Altavilla and Garbellini (2000) state that:

The manned space transportation vehicles have to achieve high levels of performance within severe limitation of cost, mass, power and volume budgets, and have to meet stringent safety and reliability requirements, together with high on-orbit availability level, necessary to guarantee the mission and safety constraints. The Manned Space Systems programs are always characterised by dedicated probabilistic analyses.

Stamatelatos, Apostolakis, Dezfuli, Everline, Guarro, Moieni, et al. (2002) authored a comprehensive document on Probabilistic Risk Assessment (PRA) as applied to NASA. The document exceeds 300 pages in length. The authors note:

PRA is a comprehensive, structured, and logical analysis method aimed at identifying and assessing risks in complex technological systems for the purpose of cost-effectively improving their safety and performance. Because of its logical, systematic, and comprehensive approach, PRA has repeatedly proven capable of uncovering design and operation weaknesses that had escaped even some of the best deterministic safety and engineering experts. This methodology showed that it was very important to examine not only low-probability and high-severity mishap scenarios, but also scenarios involving strings of high-probability and low-severity, nearly benign, mishaps. Contrary to common perception, the latter is oftentimes more detrimental to safety than the former. NASA intends to use PRA in all of its programs and projects to support optimal management decision for the improvement of safety and program performance.

According to Stamatelatos et al. (2002), one of the PRA enhancement principles that has been implemented at NASA is to develop "a risk-informed culture."

DESCRIPTION

The following description of PRA is taken from Stamatelatos et al. (2002):

A foremost strength of a PRA is that it is a decision support tool.
In safety applications, PRA helps managers and engineers find design and operation weaknesses in complex systems and then helps them systematically and efficiently uncover and prioritize safety improvements. Development or acquisition of in-house PRA expertise has proven to be the only lasting method of PRA capability development, as seen from the experience of several industries (nuclear power, nuclear weapons, petrochemical) over the past two decades. There must be a small but robust group of in-house technical experts that can understand and appreciate the value of the PRA study, explain its meaning and usefulness to the management, and serve as in-house technical advisors to the management decision process for safety improvement.

Goldberg, Everhart, Stevens, Babbitt, Clemens and Stout (1994) present the following observations on the strengths and weaknesses of the PRA approach:
+ Provides methodology to assess overall system risks.
+ Assessing risk avoids unknowingly accepting intolerable and senseless risks, allows operating decisions to be made, and improves resource distribution for mitigation of loss resources.
- Performing the techniques of this methodology requires skilled analysts. Techniques can be misapplied and results misinterpreted.
- Depending on the size and complexity of the system being assessed, significant man-hour and/or computer resources may be needed.
- Sufficient information and data may not be available to perform a thorough assessment.

FLOWCHART

According to Stamatelatos et al. (2002), a full scenario-based PRA process typically proceeds as follows:
• Objectives Definition
• System Familiarization
• Identification of Initiating Events
• Scenario Modeling
• Failure Modeling
• Data Collection, Analysis and Development
• Quantification and Integration
• Uncertainty Analysis
• Sensitivity Analysis
• Importance Ranking

RISK SCORING SYSTEM

At a Symposium on Risk, Greenfield (2001) presented a risk scoring system used by NASA with the International Space Station. The risk scoring system uses two factors, likelihood and consequence. The risk factors for the Risk Summary Card for the Program Risk Management for the International Space Station appear in Tables 11.4 and 11.5.

Table 11.4 - International Space Station Likelihood Levels
What is the likelihood the situation or circumstance will happen?
Level / Probability: The current process
5 / Very High: Cannot prevent this event, no alternate approaches or processes are available
4 / High: Cannot prevent this event, but a different approach or process might
3 / Moderate: May prevent this event, but additional actions will be required
2 / Low: Is usually sufficient to prevent this type of event
1 / Very Low: Is sufficient to prevent this event

Table 11.5 - International Space Station Consequence Levels
Given the event occurs, what is the magnitude of the impact to the ISS Program?
Technical: Level 1, Minimal or no impact; Level 2, Moderate reduction, same approach retained; Level 3, Moderate reduction, but workarounds available; Level 4, Major reduction, but workarounds available; Level 5, Unacceptable, no alternatives exist.
Schedule: Level 1, Minimal or no impact; Level 2, Additional activities required, able to meet need dates; Level 3, Level 2 Milestone slip of ≤ 1 month; Level 4, Level 2 Milestone slip of > 1 month, or Program Critical Path impacted; Level 5, Cannot achieve major program milestone.
Cost: Level 1, Minimal impact of < $100K; Level 2, Budget increase between $100K and $1 M; Level 3, Budget increase between $1 M and $10 M; Level 4, Budget increase between $10 M and $50 M; Level 5, Budget increase > $50 M.

The risk factors combine to obtain a risk level as shown in the risk matrix and accompanying legend in Tables 11.6 and 11.7.

Table 11.6 - International Space Station Risk Matrix [matrix cells not captured in the extracted text]

Table 11.7 - International Space Station Risk Matrix Legend
High - Implement new process(es) or change baseline plan(s)
Medium - Aggressively manage; consider alternative process
Low - Monitor

STATUS

According to Stamatelatos et al. (2002), PRA is needed when decisions must be made that involve high stakes in a complex situation, as in a high-hazard mission with functions being performed by complex systems. The initial phase of practitioner training is based on a 3- to 4-day course taught for NASA by recognized experts in the field. Additional information can be obtained from Goldberg et al. (1994), Altavilla and Garbellini (2000), Greenfield (2001), and Stamatelatos et al. (2002).

SPACE FLIGHT OPERATIONS

BACKGROUND

The United Space Alliance maintains a Risk Management Plan as part of its Space Flight Operations Contract with NASA (see Loomis, 1999). The Plan provides a comprehensive approach to managing and documenting the risks associated with operations of the Space Shuttle Program. The document indicates that the purpose of risk management is "to reduce the likelihood of an undesirable event occurring, and to reduce the severity of the consequences given that an undesirable event does occur." The risk management process supports the program management effort.

DESCRIPTION

Risk assessment in Space Flight Operations is based on a Risk Assessment Score Card.
According to the Plan:

[The score card] provides a common risk language for articulating risk consequences and likelihood and for making decisions on disparate risks to the program.

RISK SCORING SYSTEM

The Space Flight risk scoring system uses likelihood and consequences as risk factors. The likelihood risk factor and consequence risk factor appear in Tables 11.8 and 11.9 respectively.

Table 11.8 - Space Flight Operations Risk Likelihood Descriptions
Score / Level: Description
5 / High (Pr > 0.1): May be expected to occur once in 1 year of operation, or 6-10 flows*; May be expected to occur more than once in program lifetime
4 / Moderate (0.01 < Pr < 0.1): May be expected to occur once in 5 years operation, or 30-50 flows; May be expected to occur once, and could occur more than once in program lifetime
3 / Unlikely (0.001 < Pr < 0.01): May be expected to occur once in 10 years operation, or 60-100 flows; Could occur once in program lifetime, but multiple occurrences extremely unlikely
2 / Remote (0.000001 < Pr < 0.001): May be expected to occur once in 100 years operation, or 600-1000 flows; Occurrence during program lifetime extremely unlikely; Normally outside the operational envelope, limited hardware and operational safeguards exist to prevent completion to failure
1 / Improbable (Pr < 0.000001): Occurrence theoretically possible but such an occurrence is far outside the operational envelope and robust hardware and operational safeguards exist to prevent completion to failure
* "Flows" is not defined in the source document.
Table 11.9 - Space Flight Operations Risk Consequence Descriptions*
Columns: Score; Safety; Mission Success; Schedule; Supportability; Cost. The entries for each score are listed below in the order printed across the row.

Score 5: Death. Loss of 1) Major Essential Flight Element, or 2) Critical Ground System. Violation of federal or state regulations: 1) OSHA: Willful, Serious, or Repeat Violation, or 2) EPA: Major Violation. Pad Abort / Intact Abort. Early mission termination resulting in ACLS/ELS landing. Failure to provide adequate training to crew; or sufficient certified ground controllers, analysts, or planners for safe flight and ground operations. > 2 flight decrease in annual flight rate. Loss of all maintenance capability (expertise, spares, vendors) for 1) Major or Non-Major Essential Flight Element, or 2) Critical or Process Sensitive Ground System. Major increase in maintenance time or major decrease in reliability for 1) Major or Non-Major Essential Flight Element, or 2) Critical or Process Sensitive Ground System. > $25 M.

Score 4: Permanent Disability. Loss of 1) Non-Major Essential Flight Element, or 2) Process Sensitive Ground System. Failure to meet all Major Mission Objectives (MMO). 1-2 flight decrease in annual flight rate. > 1 day Flight Delay occurring after L-2. Serious reduction in maintenance capability (expertise, spares, vendors) for 1) Major or Non-Major Essential Flight Element, or 2) Critical or Process Sensitive Ground System. $5 M - $25 M.

Score 3: Serious Illness. Significant damage to 1) Major Essential Flight Element, or 2) Critical Ground System. Loss of 1) Non-Essential Flight Element, or 2) Non-Critical Ground System. Violation of federal or state regulations: 1) OSHA: Violation (other than serious), or 2) EPA: Moderate Violation. Failure to meet one MMO. Failure to meet trajectory or resource requirements for completion of 1 MMO. Failure to provide adequate training to crew; or sufficient certified ground controllers, analysts, planners for completion of 1 MMO. > 7 day delay of L-2 MMT from Delta LSFR Baselined Launch Date. Loss of all capability (expertise, spares, vendors) for 1) Non-Essential Flight Element, or 2) Non-Critical Ground System. Major increase in maintenance time or major decrease in reliability for 1) Non-Essential Flight Element, or 2) Non-Critical Ground System. $1 M - $5 M.

Score 2: Significant damage to 1) Non-Major Essential Flight Element, or 2) Process Sensitive Ground System. Early mission termination resulting in PLS landing. Flight readiness problem for SSV, Ground / Flight Systems resulting in LCC violation. < 7 day delay of L-2 MMT from Delta LSFR Baselined Launch Date. Serious reduction in maintenance capability (expertise, spares, vendors) for 1) Non-Essential Flight Element, or 2) Non-Critical Ground System. Minor increase in maintenance time or minor decrease in reliability for 1) Major or Non-Major Essential Flight Element, or 2) Critical or Process Sensitive Ground System. $100K - $1 M.

Score 1: Minor injury / illness. Significant damage to 1) Non-Essential Flight Elements, or 2) Non-Critical Ground System. Violation of federal or state regulations: 1) OSHA: De Minimus Violation, or 2) EPA: Minor Violation. Flight readiness problem for SSV, Ground / Flight Systems resulting in need for multiple waivers for certification of flight readiness (COFR). Adds 1 or more new launch constraints. Minor increase in maintenance time or minor decrease in reliability for 1) Non-Essential Flight Element, or 2) Non-Critical Ground System. < $100K.

* Note: This table is shown as presented in the source document.

The consequence and likelihood levels are combined to obtain a risk level from the matrix shown in Table 11.10.

Table 11.10 - Space Flight Risk Scoring System
Consequence:   1       2       3       4       5
               Green   Yellow  Red     Red     Red
               Green   Yellow  Yellow  Red     Red
               Green   Green   Yellow  Yellow  Red
               Green   Green   Green   Yellow  Yellow
               Green   Green   Green   Green   Green
[The likelihood labels on the rows of the source matrix did not survive extraction; the rows are shown top to bottom as printed.]

The Space Flight risk scoring system relies on three categories of risk: red, yellow, and green.
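The score card matrix in Table 11.10 together with the per-consequence risk profile the Plan describes, as an added worked example; this is not code from the Plan or from the book. It assumes the rows of Table 11.10 are likelihood 5 (top) down to 1 (bottom) and the columns consequence 1 to 5, that the five consequence categories are the columns of Table 11.9, and that a category's risk score is likelihood multiplied by that category's consequence score. The likelihood of 4 in the demonstration is a constructed value; the book's example gives only the consequence scores.

```python
"""Space Flight Operations score card: Table 11.10 colour lookup plus a
per-consequence risk profile. Added example, not the Plan's own code.

Assumptions (not stated explicitly in the extracted table): the top row of
Table 11.10 is likelihood 5 and the bottom row likelihood 1; columns are
consequence 1..5 left to right; a category's risk score is likelihood times
that category's consequence score.
"""
from typing import Dict, List, Tuple

# Table 11.10 as printed, top row first (assumed likelihood 5 down to 1).
_MATRIX_ROWS: List[List[str]] = [
    ["Green", "Yellow", "Red",    "Red",    "Red"],     # likelihood 5
    ["Green", "Yellow", "Yellow", "Red",    "Red"],     # likelihood 4
    ["Green", "Green",  "Yellow", "Yellow", "Red"],     # likelihood 3
    ["Green", "Green",  "Green",  "Yellow", "Yellow"],  # likelihood 2
    ["Green", "Green",  "Green",  "Green",  "Green"],   # likelihood 1
]

# The five consequence columns of Table 11.9, in printed order.
CATEGORIES = ("safety", "mission_success", "schedule", "supportability", "cost")

# Ordering used to pick the worst colour in a profile.
COLOUR_RANK = {"Green": 0, "Yellow": 1, "Red": 2}

Profile = Dict[str, Tuple[int, str]]  # category -> (risk score, colour)


def scores_valid(*scores: int) -> bool:
    """Score card values are integers 1..5; anything else is a data error."""
    return all(isinstance(s, int) and 1 <= s <= 5 for s in scores)


def risk_colour(likelihood: int, consequence: int) -> str:
    """Look up the Table 11.10 colour for one likelihood/consequence pair."""
    if not scores_valid(likelihood, consequence):
        raise ValueError(f"scores must be integers 1..5: {likelihood}, {consequence}")
    return _MATRIX_ROWS[5 - likelihood][consequence - 1]


def risk_profile(likelihood: int, consequences: Dict[str, int]) -> Profile:
    """Score every consequence category separately (likelihood x consequence)
    and attach the matrix colour, giving the risk profile the Plan describes."""
    missing = [c for c in CATEGORIES if c not in consequences]
    if missing:
        raise ValueError(f"missing consequence scores for: {missing}")
    return {
        cat: (likelihood * consequences[cat], risk_colour(likelihood, consequences[cat]))
        for cat in CATEGORIES
    }


def overall_colour(profile: Profile) -> str:
    """The worst colour in the profile decides whether handling action is needed."""
    return max((colour for _, colour in profile.values()), key=COLOUR_RANK.__getitem__)


def compare_alternatives(
    alternatives: Dict[str, Tuple[int, Dict[str, int]]]
) -> Dict[str, List[str]]:
    """For each category, name the alternative(s) with the lowest risk score.
    `alternatives` maps a name to (likelihood, consequence scores)."""
    profiles = {name: risk_profile(lik, cons) for name, (lik, cons) in alternatives.items()}
    best: Dict[str, List[str]] = {}
    for cat in CATEGORIES:
        lowest = min(p[cat][0] for p in profiles.values())
        best[cat] = sorted(n for n, p in profiles.items() if p[cat][0] == lowest)
    return best


# Consequence scores quoted in the text (safety 3, mission success 2,
# schedule 5, supportability 3, cost 1); the likelihood of 4 is constructed.
EXAMPLE_CONSEQUENCES = {"safety": 3, "mission_success": 2, "schedule": 5,
                        "supportability": 3, "cost": 1}
EXAMPLE_LIKELIHOOD = 4

if __name__ == "__main__":
    profile = risk_profile(EXAMPLE_LIKELIHOOD, EXAMPLE_CONSEQUENCES)
    for cat, (score, colour) in profile.items():
        print(f"{cat:16s} score={score:2d} {colour}")
    print("overall:", overall_colour(profile))
```

With the constructed likelihood of 4, the quoted consequence scores give a red schedule element, yellow safety, mission success and supportability elements, and a green cost element, so the situation as a whole is red; `compare_alternatives` then shows, element by element, which candidate handling action lowers the score.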
The red risk requires handling action (risk reduction) due to the high likelihood and undesirable consequences. The yellow risk may require some handling action as it has medium to high likelihood and consequence. The green risk does not normally require handling action as it has relatively low likelihood and consequences.

One of the innovative methods found in this approach is that a risk score is derived for each risk consequence. For example, a situation may have consequence scores of safety 3, mission success 2, schedule 5, supportability 3 and cost 1. Each of these consequences is multiplied by the likelihood score to give a risk profile. Alternatives can then be compared across each risk element.

STATUS

Risk management in Space Flight Operations is an on-going effort. According to the Plan, risk management training is mandatory for managers and above, and optional for all other employees. Additional information is available at http://www.unitedspacealliance.com/.

LOCATING AIRPORTS

BACKGROUND

Hale (2000) examines the use of risk assessment for siting major airports. The purpose for risk assessment in this application has been in land use planning coupled with decisions concerning growth traffic limits at an airport. Hale notes, "the major limiting factor to both of these are the noise problems of the airport." Hale (2002) does not address other safety issues such as crash consequences or non-safety siting criteria.

DESCRIPTION

Hale (2002) describes an airport analysis that uses a quantitative risk assessment based on three sub-models. The three sub-models independently calculate the accident probability, the location in relation to the runway/flight path, and the size of the effect of the crash given the terrain and the weight of the aircraft. The assessment calculates a deaths per year value and focuses on individual risk expressed in the form of risk contours drawn around the airport runway system.
Societal risk is presented as the relationship between frequency and number of people suffering a specified harm level, usually expressed graphically. The current model is a sophistication of the model used to calculate 1990 reference risk contours. The refinements have led to a sharper choice of accidents to include. Hale observes:

One of the main reasons for wishing to develop a causal model is to make the human (and organisational) factors in accident sequences explicit, so that they can be systematically managed. The proposal is that human failures would be modelled in fault (and event) trees in the same way as technical failures. Experience showed that the model must have explicit and compulsory branches to represent the removal of safety measures and barriers. Without these, modellers with a technical background may overlook sequences which contain errors of commission rather than omission. The quality of the human factors modelling will depend crucially on the quality of data available from incident and accident recording and analyses to fill in the fault and event trees.

STATUS

According to Hale (2002), the current risk assessments are hardly used in the industry. They are largely seen as restrictions imposed by regulators. The need for a causal model that more accurately depicts the risks is receiving some support in industry.

FAA RISK ASSESSMENT STUDIES

BACKGROUND

The U.S. Federal Aviation Administration (FAA) has been involved in aviation risk assessment and safety for many years. The FAA has employed traditional risk assessment in evaluating various aspects of risk. McIntyre (2000) reports that:

It was not until 1994, that the agency's Strategic Plan identified a specific need to apply formalized risk assessment techniques to safety management as a strategic goal. Order 8040.4 Safety Risk Management prescribed procedures for implementing safety risk management as a decision making tool throughout the FAA.
Since then a number of safety risk assessments have been carried out.

DESCRIPTION

One aviation risk assessment is the Land and Hold Short Operations Risk Assessment (LAHSO, 1999). These operations involve simultaneous operation on intersecting runways to increase airport runway utilization without increasing size or capacity. The objective of the risk assessment was to answer three questions:
1. What are the hazards associated with LAHSO?
2. Given the hazards and controls, what are the residual risks associated with LAHSO?
3. How can the residual risks be reduced?
The analysis was conducted following a "MIL-STD 882D-like" risk assessment process described by McIntyre (2002) (see Chapter 27 for more information on this military standard).

The FAA has funded recent studies on aviation risk assessment. In the first quarter of 2002, a 30-month contract was awarded titled Risk Assessment Methods For Aircraft Electrical Systems. A similar study, Design of Advanced Risk Assessment Tools For Aircraft Electrical Interconnection Systems, commenced in late 2001. These electrical risk assessment studies focus on the aircraft electrical interconnect subsystems (EIS), which are comprised predominately of wire, wire insulation, and connectors. According to the request for proposal for the second study:

The EIS is a critical subsystem in modern aircraft. Functionally, EIS in modern transport aircraft provides the means of communication and/or power for nearly every subsystem aboard the aircraft. In addition, the severity of EIS failures can be catastrophic. The EIS requires appropriate tools to assure it is designed and maintained in a way that maximizes the safety of the entire aircraft system. The availability of sophisticated risk analysis methods is necessary, but not sufficient alone. Rather, aircraft safety will only be improved by the application of these methods to the EIS and the integration of the results into a complete aircraft risk assessment process.
The stated objective of the FAA study is to develop advanced EIS risk assessment methods.

FLOWCHART

According to McIntyre (2002), the FAA System Safety Handbook provides the "882-like" Standardized Six Step Process for Acquisition Management for the National Airspace System. The steps include:
1. Plan
2. Hazard identification
3. Analysis
4. Assessment
5. Decision
6. Feedback

RISK SCORING SYSTEM

The risk scoring system in the FAA approach uses two risk factors: severity and frequency of occurrence. The risk factors and levels are shown in Table 11.11. This example includes criteria for software (SW) levels per the published certification standard RTCA/DO-178B. The risk levels correlate to acceptance criteria as shown in Table 11.12.

Table 11.11 - FAA Risk Hazard Classification Matrix (per RTCA/DO-178B SW Level)
Severity:                 Catastrophic (I)  Hazardous (II)  Major (III)  Minor (IV)  No Effect (V)
RTCA/DO-178B SW Level:           A               B              C            D             E
Frequency of Occurrence
Frequent                         1               3              6           10            21
Reasonably Probable              2               5              9           14            22
Remote                           4               8             13           17            23
Extremely Remote                 7              12             16           19            24
Extremely Improbable            11              15             18           20            25

Table 11.12 - FAA Hazard Acceptance Criteria
Hazard Matrix Index: Hazard Acceptance Criteria
1-10: Unacceptable
11-18: Acceptable with review
19-25: Acceptable

STATUS

The studies mentioned above are 30-month programs and are in process. The Land And Hold Short Operations Risk Assessment can be viewed at http://www.asv.faa.gov/safety analysis/LAHSO.pdf.

REFERENCES

Altavilla, A. & Garbellini, L. (2000). Risk assessment in the aerospace industry. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.
FAA. (1999). Land and hold short operations risk assessment. Office of the Assistant Administrator for System Safety. Final report, September. http://www.asv.faa.gov/safety analysis/LAHSO.pdf.
FAA. (2001). Design of advanced risk assessment tools for aircraft electrical interconnection systems. Research grant awarded by the U.S. Federal Aviation Administration, in process.
FAA. (2002). Risk assessment methods for aircraft electrical systems. Research grant awarded by the U.S. Federal Aviation Administration, in process.
Goldberg, B.E., Everhart, K., Stevens, R., Babbitt III, N., Clemens, P., & Stout, L. (1994). System engineering "toolbox" for design-oriented engineers. NASA Reference Publication 1358.
Greenfield, M.A. (2001). Risk management - What we have learned. Presentation made at the Symposium on Risk, Hampton, Virginia, May 9, 2001. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.
Loomis, R. (1999). Space flight operations contract - Risk management plan. United Space Alliance. SFOC-PG9604, Rev. A. http://www.unitedspacealliance.com.
McIntyre, G.R. (2000). The application of system safety engineering & management techniques at the U.S. Federal Aviation Administration (FAA). In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.
MIL-STD-882D (2000). Standard practice for system safety. Department of Defense, U.S.A. www.defenselink.mil.
National Safety Council. (2000). Aviation ground operation safety handbook. NSC Press, www.nsc.org.
RTCA/DO-178B. (1992). Software considerations in airborne systems and equipment certification. Radio Technical Commission for Aeronautics, www.rtca.org.
Stamatelatos, M., Apostolakis, G., Dezfuli, H., Everline, C., Guarro, S., Moieni, P., et al. (2002). Probabilistic risk assessment procedures guide for NASA managers and practitioners. Office of Safety and Mission Assurance, NASA Headquarters, www.nasa.gov.
Industry Overview
Swiss Chemical Industry
Special Project: Chemical Accident Database

INDUSTRY OVERVIEW

BACKGROUND

The chemical and oil industry has been involved in chemical safety and risk management methodologies from the industry's earliest days. Ale (2000) notes, "although some risk management concepts were introduced in public policies associated with nuclear power generation, most of the development resulted from some major disasters in the chemical industry in the mid seventies." Greenberg and Cramer (1991) observe that:

Although many safety concepts are not new, it is true that much has happened to crystallize and focus industry's thinking since the tragic accident at Bhopal, India. Industry groups like the AIChE's new Center for Chemical Process Safety, the Chemical Manufacturers Association, the American Petroleum Institute, and the National Safety Council, to name several, have attempted to organize, prioritize, and extend the techniques for hazard management, analysis, and mitigation commonly used by the leading practitioners.

As early as 1985, the International Study Group on Risk Assessment of the Institution of Chemical Engineers published a document, Nomenclature for Hazard and Risk Assessment in the Process Industries.

DESCRIPTION

In the oil and chemical industries, assessing the public and employee consequences of a loss of containment incident involves three main effects: dispersion of toxic or flammable gases or vapors, thermal damage resulting from fires, and damage from explosions caused by blast and flying missiles. The consequences are usually evaluated using computer modeling software that mathematically models the dispersion processes, the dose-response relationship, or effects on the environment. Considerable effort has been expended on developing ever more robust mathematical models to increase the knowledge and understanding of the consequences of an event. The end result is a sophisticated analysis capability for significant releases.
Considine (2000) indicates that Quantified Risk Assessment (QRA) studies typically assess the explicit impact of major accidents on people, with results expressed as risks to either individuals among the workforce or the public (individual risk), or to population groups as a whole (societal risk):

In the case of occupational risks, average individual risk levels may sometimes also be expressed as a single number index termed the Fatal Accident Rate or FAR. This is defined as the estimated number of fatalities per 10^8 exposure hours (i.e. roughly 1000 employee working lifetimes), and is occasionally used to specify 'target' risk levels. Clearly the use of such averages is only strictly appropriate where the risk is relatively uniformly distributed over the relevant population. Otherwise these measures can be highly misleading, in that where a few individuals are exposed to high risk levels this could be concealed by averaging over a large number of people at low risk.

There are mathematical calculations made to express the relationship between frequency (F) and the number of people (N) suffering a specified harm level. These are generally termed 'F/N' curves. An example of an F/N curve is shown in Figure 12.1. A statistical expected value can be calculated from these curves to yield a Potential Loss of Life value. There are also efforts to incorporate the financial costs of accidents, loss of production, repairs, and the public reaction to accidents. Efforts are increasingly being made to include financial risk measures within internal QRA studies since doing so increases the overall accuracy of the assessment. The purpose of these efforts is to make better risk-informed decisions.

Figure 12.1 - Example Frequency/Number of People (F/N) Curve

The chemical process industry uses the umbrella term risk management to include hazard identification, hazard (risk) assessment, risk mitigation and other elements (e.g., audits, incident investigation, etc.).
Hazard (risk) assessment includes tools such as: Fault Tree Analysis (FTA), Explosion and Fire Analysis, Assessment of Health Effects from Chemical Releases, and Quantitative Risk Assessment. The Center for Chemical Process Safety (CCPS, 1989) defines chemical process quantitative risk analysis (CPQRA) as:

a methodology designed to provide management with a tool to help evaluate overall process safety in the chemical process industry. Management systems such as engineering codes, checklists and process safety management provide layers of protection against accidents. CPQRA provides a quantitative method to evaluate risk and to identify areas for cost-effective risk reduction.

FLOWCHART

Considine (2000) presents an overall framework of a QRA as shown in Figure 12.2.

Figure 12.2 - Quantified Risk Assessment (QRA)
C. Kirchsteiger, G. Cojazzi (Eds.), Promotion of Technical Harmonisation on Risk-Based Decision Making, Proceedings of a Workshop held on May 22-24, 2000, Grand Hotel Bristol, Stresa, Italy, 2 Vol., European Commission DG JRC, S.P.I.0063, May 2000.

Note that Consequence and Frequency are again considered separate and distinct analyses. Concerning the CPQRA, the major steps include:

Risk Analysis:
1. define the potential event sequences and potential incidents
2. evaluate the incident outcomes (consequences)
3. estimate the incident impacts on people, environment and property
4. estimate the potential incident frequencies
5. estimate the risk

Risk Assessment:
6. evaluate the risk
7. identify and prioritize potential risk reduction measures

The CPQRA process is shown in Figure 12.3. Another risk assessment process diagram from the oil and gas industry is shown in Figure 12.4, as presented by Rumpf, Balfanz and Marrek (2000).

RISK SCORING SYSTEM

A variety of risk scoring systems can be found in the chemical and oil industries. See Greenberg and Cramer (1991), Ale (2000), and Considine (2000) for additional information.
STATUS

The chemical and oil industry's extensive history of risk assessment has led to considerable integration of safety through design concepts throughout the industry. Chemical engineers commonly use safety analyses in their design and evaluation processes. The lack of a single risk assessment process in the chemical and oil industry may reflect a maturity with risk assessment concepts that other industries do not yet possess. Additional information can be found in literature available from the Center for Chemical Process Safety of the American Institute of Chemical Engineers (www.aiche.org) or the American Petroleum Institute (www.api.org). Information on the risk assessment methods used by BP Amoco and Exxon Mobil Corporation can be found in Chapter 13.

SWISS CHEMICAL INDUSTRY

BACKGROUND

In Switzerland, the governing legislation is the Ordinance on Protection Against Major Accidents (OMA), which became effective in 1991. The Ordinance is based on proven processes in The Netherlands and Germany. Gmünder, Schiess, and Meyer (2000) note that:

The focus of the hazard and risk management process reported here is on the protection of the population and the environment from the consequences of major accidents occurring at industrial facilities handling toxic substances, processing or storing flammables and explosives. The risk assessment is quantitative and decisions are taken based on (quantitative) criteria for collective risk.

DESCRIPTION

Gmünder, Schiess, and Meyer (2000) report that:

The risk assessment is used to (i) control the risk level in facilities where major accidents with severe consequences for the population and/or the environment could occur and to (ii) inform the public about existing risks. Considerable effort has been put into making the hazard and risk assessment simple and accessible to the facility owners. Still, it is expected that both risk analysts and reviewers (enforcement authorities) be knowledgeable in the principles of QRA.
Usually, the owners of facilities contract a specialized engineering firm to perform the risk assessment. In risk estimation and risk comparison, the yearly frequencies of the relevant scenarios are plotted against the disaster values in a cumulative frequency distribution. From the cumulative frequency distribution, the acceptability or non-acceptability of the risk can be readily determined.

The cumulative frequency distribution is plotted on a graph on which four bands or areas appear. The four areas are:

• Unacceptable
• Transition
• Acceptable
• No serious damage

A sample cumulative frequency distribution graph is shown in Figure 12.5.

Figure 12.5 - Sample Cumulative Frequency Distribution Graph
C. Kirchsteiger, G. Cojazzi (Eds.), Promotion of Technical Harmonisation on Risk-Based Decision Making, Proceedings of a Workshop held on May 22-24, 2000, Grand Hotel Bristol, Stresa, Italy, 2 Vol., European Commission DG JRC, S.P.I.0063, May 2000. Legibility limited due to original.

Gmünder, Schiess, and Meyer (2000) indicate that:

If the cumulative frequency distribution enters the unacceptable domain the owner of the facility is asked to reduce the risk, else the authority is empowered to take actions including operational restrictions or shutdown. If the cumulative frequency distribution enters the transition domain the enforcement authority will measure the interests of the facility owner against the needs of the public and the environment for protection from accidents. Depending on the outcome of these considerations, the risk has to be reduced to a level defined by the authority. If the cumulative frequency distribution lies entirely in the acceptable domain, the risk assessment procedure is complete. However, the owner must still take all appropriate measures to reduce risk.

The line marking the unacceptable domain has been adopted from Dutch regulations.
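The F/N curve described by Considine (2000) earlier in this chapter and the Swiss cumulative frequency distribution with its four domains are the same construction, so one added example serves both passages. The Python below (an editor's illustration, not code from the book, from Considine or from the Swiss authority) builds the curve from a constructed scenario list, computes the Potential Loss of Life expected value, and classifies each curve point against two boundary lines. The page gives no equation for the lines: the `constant / N^2` shape and the constants 1e-3 and 1e-5 per year are assumptions chosen for illustration, and any real assessment must substitute the lines published by the competent authority.

```python
"""F/N curve (cumulative frequency distribution) and risk-domain check, after
the Considine (2000) description and the Swiss four-domain plot.

Added illustration; not code from the book, Considine or the Swiss authority.
The scenario list is constructed. The boundary lines are assumptions: the
page gives no equation, so F_limit(N) = constant / N^2 with constants 1e-3
(unacceptable) and 1e-5 (transition) per year are placeholders only.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Scenario:
    name: str
    frequency: float   # estimated occurrences per year
    fatalities: int    # N, number of people suffering the specified harm


def fn_curve(scenarios: List[Scenario], serious_n: int = 1) -> List[Tuple[int, float]]:
    """Points (N, F(N)): F(N) is the yearly frequency of all scenarios causing N or
    more fatalities, i.e. the cumulative (complementary) frequency distribution.
    Scenarios below serious_n fall in the "no serious damage" area and are omitted."""
    levels = sorted({s.fatalities for s in scenarios if s.fatalities >= serious_n})
    return [(n, sum(s.frequency for s in scenarios if s.fatalities >= n)) for n in levels]


def potential_loss_of_life(scenarios: List[Scenario]) -> float:
    """Statistical expected value of the curve: sum of frequency x N (fatalities/year)."""
    return sum(s.frequency * s.fatalities for s in scenarios)


def boundary(constant: float) -> Callable[[int], float]:
    """Assumed boundary line F_limit(N) = constant / N^2 (slope -2 on log-log axes)."""
    return lambda n: constant / (n * n)


UNACCEPTABLE_LINE = boundary(1e-3)   # assumed placeholder constant
TRANSITION_LINE = boundary(1e-5)     # assumed placeholder constant
DOMAIN_ORDER = ["Acceptable", "Transition", "Unacceptable"]   # increasing concern


def classify_point(n: int, f: float) -> str:
    """Domain of a single curve point."""
    if f > UNACCEPTABLE_LINE(n):
        return "Unacceptable"
    if f > TRANSITION_LINE(n):
        return "Transition"
    return "Acceptable"


def classify_curve(curve: List[Tuple[int, float]]) -> str:
    """The curve is judged by its worst point: entering the unacceptable domain
    anywhere means the owner is asked to reduce risk; entering the transition
    domain triggers the authority's weighing of interests."""
    if not curve:
        return "No serious damage"
    return max((classify_point(n, f) for n, f in curve), key=DOMAIN_ORDER.index)


# Constructed scenarios for a hypothetical storage facility (not real data).
SAMPLE_SCENARIOS: List[Scenario] = [
    Scenario("small flange leak, local fire", 2e-4, 2),
    Scenario("tank overfill, flash fire", 3e-6, 15),
    Scenario("vessel rupture, toxic cloud", 5e-8, 60),
    Scenario("drum spill, contained", 1e-2, 0),   # no serious damage
]

if __name__ == "__main__":
    curve = fn_curve(SAMPLE_SCENARIOS)
    for n, f in curve:
        print(f"N >= {n:3d}   F = {f:.2e}/yr   {classify_point(n, f)}")
    print(f"PLL = {potential_loss_of_life(SAMPLE_SCENARIOS):.2e} fatalities/yr")
    print("Overall:", classify_curve(curve))
```

Two points the code makes concrete: the curve is cumulative, so a single high-N scenario raises F at every lower N as well, and the verdict for the whole facility is driven by the worst point, which is why a rare but large scenario can push an otherwise acceptable facility into the transition domain.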
FLOWCHART

The procedure to control and assess relevant hazard potentials and risks consists of two steps, shown in Figure 12.6. Gmünder, Schiess, and Meyer (2000) explain the two steps:

In the first step, the owner of a facility submits a summary report containing an assessment of hazards. On the basis of the hazard assessment in the summary report, the enforcement authority decides whether, in a second step, a QRA has to be performed.

Figure 12.6 - Two Step Procedure for Hazard and Risk Assessment for Facilities and Installations Falling Under the OMA (Switzerland)
C. Kirchsteiger, G. Cojazzi (Eds.), Promotion of Technical Harmonisation on Risk-Based Decision Making, Proceedings of a Workshop held on May 22-24, 2000, Grand Hotel Bristol, Stresa, Italy, 2 Vol., European Commission DG JRC, S.P.I.0063, May 2000. Legibility limited due to original.

STATUS

Additional details on the Swiss chemical industry approach to risk assessment can be found in Gmünder, Schiess, and Meyer (2000).

SPECIAL PROJECT: CHEMICAL ACCIDENT DATABASE

BACKGROUND

The chemical and oil industry has developed a special chemical accident database to aid communications within the industry. The following information appears at its web site:

The Chemical Accident Risk Assessment Thesaurus (CARAT) was initiated by the Organization for Economic Cooperation and Development (OECD) Working Group on Chemical Accidents, which recognized that it was difficult to communicate among the member countries about risk assessments of hazardous installations. This difficulty was, in large part, based on the fact that certain "terms of art" have different meanings in different countries and cultures. Even different organizations within a single country sometimes use different terms of art to address the same concept.

DESCRIPTION

The CARAT is a database of the laws, regulations, guidance standards and definitions of terms related to the risk assessment of accidental releases of chemicals from fixed installations.
The database also contains information on the application of risk assessment methodologies to specific examples of potential chemical releases. The CARAT contains information from a variety of sources. Entries include regulations, guidance documents, definitions, and risk assessment cases from Europe and North America, including companies and individuals. There are four classes of information that have been entered into the database:

1. Definitions of words and phrases associated with risk assessment;
2. Laws and regulations concerning risk assessment of hazardous facilities;
3. Guidelines, policies or codes related to risk assessment; and
4. Specific risk assessment studies that have been conducted on particular cases.

The data are organized according to a system hierarchy of elements, sub-elements, terms, categories and descriptors.

FLOWCHART

The four generic elements of the database structure represent the four commonly used stages in the process of assessing the risks associated with hazardous installations. They can be loosely described as: (i) hazard identification; (ii) hazard release and exposure scenarios; (iii) source and subject interaction; and (iv) expression of the risk. See CARAT (2003) for greater detail on these terms and how they are used in the CARAT system.

STATUS

Rosenthal, Ignatowski, & Kirchsteiger (2000) voice support for the CARAT system to be adopted as the basis for a generic risk assessment process standard. The CARAT system is operational and available on the Internet. To learn more, visit the CARAT database at http://www1.oecd.org/EHS/CARAT/v3.0.

REFERENCES

Ale, B. (2000). Risk assessment practices in the Netherlands. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.

American Petroleum Institute. Washington, D.C. www.api.org.

CARAT. (2003). The chemical accident risk assessment thesaurus. http://www1.oecd.org/EHS/CARAT/v3.0.
Center for Chemical Process Safety. (1989). Guidelines for technical management of chemical process safety. American Institute for Chemical Engineers. www.aiche.com.

Considine, M. (2000). Quantifying risks in the oil and chemical industry. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.

Gmünder, F.K., Schiess, M., & Meyer, P. (2000). Risk-based decision making in the control of major chemical hazards in Switzerland - liquefied petroleum, ammonia and chlorine as examples. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.

Greenberg, H.R. & Cramer, J.J. (1991). Risk assessment and management for the chemical process industry. New York: Van Nostrand Reinhold.

Institution of Chemical Engineers. (1985). Nomenclature for hazard and risk assessment in the process industries. The International Study Group on Risk Assessment. www.icheme.org.

OMA. (1991). Swiss ordinance on protection against major accidents of 27 February. http://www.admin.ch/ch/d/sr/c814_012.html.

Rosenthal, I., Ignatowski, A.J., & Kirchsteiger, C. (2000). A generic standard for the risk assessment process: Discussion on a proposal made by the program committee of the EC-JRC workshop on promotion of technical harmonization of risk-based decision making. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.

Rumpf, J., Balfanz, H.P., & Marrek, K.H. (2000). RAMS - Audit for improving risk-based decision making: experiences of application from a gas pipeline system. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.

APPROACHES

General
BP Amoco
Exxon Mobil Corporation
General Motors Corporation
Motorola, Inc.
Oracle Corporation
Schindler Management AG
SICK AG
SUVA
Closure

GENERAL

The risk assessment methods currently used by individual companies vary considerably. This variation should be expected since culture impacts the detailed design and deployment of the risk assessment process. Great variation also exists between companies making products subject to product liability concerns and other companies where liability is not significant. The variations occur at all points of the risk assessment process, including how hazards are identified, the factors used to rate risk, the risk scoring systems used to combine the risk factors, and the data accompanying the assessment.

The differences among individual company approaches to risk assessment tend to be much greater than the differences across industries. This should also be expected, as the success of implementing risk assessments is heavily influenced by organizational culture.

A broad spectrum also exists with respect to how thoroughly risk assessments have been integrated in design processes. Some commercial companies have a wealth of experience in conducting risk assessments, as their companies have been conducting these analyses for 10 or more years. U.S. military contractors have been conducting the analyses for as many as 40-50 years. These companies are typically leaders in risk assessment activities because risk assessment was a business requirement driven by management.

Conversely, many companies are just starting down the risk assessment path. These companies are investigating and benchmarking the different methods available and are beginning to integrate safety through design via risk assessments. These new arrivals to risk assessment face the challenge of changing the existing design process to include risk assessment. Still other companies remain oblivious or unconvinced of the risk assessment movement. Some of these companies face significant cultural challenges to conducting risk assessments.
Many companies also fall between the extremes of leader and new arrival. These companies have some form of a safety evaluation process in place, although it is typically informal and undocumented. Pencil and paper methods, checklists, databases or their word processing equivalents dominate these situations. A company may have a committee that makes decisions regarding safety, although often decisions are made without an underlying analysis such as a risk assessment. These companies face the challenge of formalizing their existing processes and acquiring current methods or tools that fit their process. Other companies have had a history of risk assessment for end products, but have not applied these methodologies in the workplace. The numbers of machines, employees and designs may simply seem too overwhelming to begin.

Across all companies, there continues to be an increasing emphasis on formalizing hazard analysis and risk assessment activities, including documenting the results. There is also pressure to improve the existing design processes. These pressures spark change, innovations and discovery. As risk assessments are conducted, hazards and risks come into the light and design innovations result. These innovations lead to reduced risk, increased productivity and cost efficiencies, better overall effectiveness, and decreased risks to all stakeholders.

Individual companies are very active in developing risk assessment methods. The interest and activity in risk assessment creates an exciting and innovative atmosphere. Although much of the risk assessment work in companies remains proprietary, some have discussed efforts in public forums. The following samples are drawn from published documents. Many provide only general highlights, reflecting the application of proprietary restrictions.

BP AMOCO

Considine (2000) discusses the risk assessment and risk management processes at BP Amoco.
Considine observes:

Prior to the merger of BP and Amoco, BP had an agreed set of guidelines. It contained suggested values for Individual Risk tolerability limits for both workers and the public, together with a framework for the use of cost-benefit analysis to test the worth of remedial measures aimed at risk reduction. A wide range of risk matrices are in use around the BP Amoco Group, but there is no single standard approach, since the frequency, severity, risk levels and associated actions may vary greatly between different Business activities (p. 24-26).

Considine (2000) presents a risk scoring system that uses two factors: severity and frequency. The three levels for severity are high, medium, and low. The three frequency levels are likely, unlikely, and remote. These risk factors map to three risk levels as shown in Table 13.1.

Table 13.1 - BP Amoco Risk Matrix

Rows: Severity (1 High, 2 Medium, 3 Low). Columns: Frequency (1 Remote, 2 Unlikely, 3 Likely). Cell entries are the risk levels Low, Medium and High. Legibility limited due to original; the individual cell entries cannot be fully recovered.

EXXON MOBIL CORPORATION

Torget (2002) documents an interview with Frank Sprow, Vice President for Safety, Health and the Environment at Exxon Mobil Corporation. Sprow comments:

Much of our recent focus has been on management systems, to foster consistent approaches to eliminate safety hazards associated with a particular operating unit. While we still strive for continuous improvement of our systems, we have identified what we call "critical success factors" from our safest-performing units that we believe are keys to achieving a step change in safety performance. There are five of them. They are:

• management leadership,
• supervisory safety-management fundamentals,
• hazard recognition and mitigation,
• workforce participation, and
• effective Operations Integrity Management System execution.

We want everyone to get better at spotting hazards. We're sharing more broadly some recently developed tools to help our workers better recognize risks and to immediately correct any situation that might lead to risks.
One tool is what we call the "last minute risk assessment." It involves assessing and mitigating risks just prior to beginning a task.

GENERAL MOTORS CORPORATION

The automobile industry has been very involved in risk assessments. As a primary user of machine tools and robot systems, automotive industry personnel have been influential participants in developing the machine tool, robotic and other risk assessment methods. General Motors Corporation has been a leader in developing and integrating a risk assessment protocol in its design processes.

General Motors has been a strong champion of the task-based approach to hazard identification. A very telling example of the merits of task-based hazard identification is described by Taubitz (2000), where a serious injury was narrowly avoided when an employee jumped over a safety mat in order to perform a necessary maintenance task on a robot cell. The lesson learned was that employee tasks must be understood so that safeguarding can adequately accommodate the tasks.

Taubitz (2000) and Andres and Taubitz (2001) report on risk assessment efforts in the U.S. machine tool industry and General Motors Corporation. The articles provide a very good overview of the path that General Motors has journeyed in integrating risk assessment and "Design-In Safety" into its operations. The journey started during a time when safeguarding was prescribed and management looked the other way when tasks had to be performed that required defeating safeguards. With the introduction of risk assessment this practice was no longer accepted. Tasks must be identified before safeguarding is selected so that all tasks can be performed safely.

Taubitz (2000) reports several lessons that General Motors learned from its experiences with risk assessment.
They include:

• High risk events are often associated with unplanned maintenance
• Skilled trades employees must frequently defeat machine safeguards to perform necessary work
• Hazards analysis alone usually overlooks such work
• Input from factory floor personnel during design is the only way to learn about high risk maintenance situations

Taubitz (2000) stresses, "risk assessment is the driver for safety in the design process." According to Taubitz (2000):

The GM and UAW approach views the identification of any task-hazard pair as an opportunity to improve design by applying the hierarchy of controls. Feasibility determines what is to be done [for risk reduction]. Thus tolerable risk is achieved by the good faith application of the hierarchy, and it varies for each task-hazard pair.

General Motors has also developed and validated a task-based risk assessment process and proprietary software tool. The company also has determined that a task-based approach to risk assessment is critical to its culture and success.

MOTOROLA, INC.

Liska (2002) discusses Motorola's experience with implementing an environmental, health and safety (EHS) management system by presenting both the history of its evolution and its current structure. The paper presents a good history of how the management system process was developed and deployed, and the benefits derived from the system. The system was tailored after the processes of ISO 14001, ISO 9000, OHSAS 18001, OSHA Voluntary Protection Programs (VPP), the ILO-OSH Management System Guideline, and Deming's Plan-Do-Check-Act structure. The Motorola EHS Management System is the result. Liska (2002) discusses the many benefits that Motorola has derived from its EHS Management System.
One has particular relevance to risk assessment:

The other area of integrating EHS into the business is the area of product design since the EHS Management System can have impact on reducing the costs of materials and manufacturing along with potentially significant impacts on product sales. We are finding that the value of integrating an EHS Management System or at least key elements of the system such as the aspects/risks assessments are drivers for continual improvement in the product design process. Our customers and stakeholders have also had a positive reaction to our success in this integration.

This demonstrates the unexpected and unintended benefits derived from conducting risk assessments. This situation is not unusual. Companies that conduct risk assessments often find unanticipated spin-off benefits.

Trammell, Lorenzo and Davis (2003) discuss "the advantages of using an integrated hazard analysis approach to determining and evaluating system risk" at Motorola, Inc. Trammell et al. focus on continuous processing situations that "must operate virtually without interruption," where controls that only recognize failure are inadequate for preventing interruption. Example applications include: electrical power, deionized water, air handling, and waste water treatment. The authors describe a hybrid risk assessment process that blends the HazOp and FMEA methodologies (see Chapter 39 for more discussion of HazOp and FMEA):

The HazOp portion of the method allows for easy selection of the system limits and hazard identification, while the FMEA portion of the method results in effective risk estimation and evaluation. Adding the [layers of protection analysis] concept to specifically evaluate and quantify existing or proposed [independent protection layers] helps ensure identification of the appropriate controls. Significant personnel time savings and synergistic design improvements have been realized by combining EHS and process reliability assessments.
Furthermore, this powerful, integrated approach to system risk assessment helps to ensure that appropriate controls are implemented to consistently manage risk at a tolerable level across the facility, site, and organization.

Trammell, Lorenzo and Davis (2003) indicate that a three-factor risk scoring system is used, comprising severity, occurrence, and detection. Each factor is rated using a semi-quantitative system with values ranging from 1 to 10. The values are multiplied together to obtain a risk priority number that is compared against an acceptability threshold. Trammell et al. state that "this procedure allows the team to assess the risks of an array of possible cause-consequence pairs, not simply the worst-case or most credible case cause-consequence." Additional detail on the scoring system can be found in Trammell et al.

ORACLE CORPORATION

In Australia, the Oracle Corporation (2002) presents the main stages of a risk assessment as follows:

• Establish Risk Acceptance Criteria
• Hazard Identification
• Risk Screening
• Consequence Modeling
• Frequency Estimation
• Quantitative Risk Analysis
• Sensitivity Analysis
• Comparison with Risk Criteria
• Development of Risk Reduction Options
• ALARP studies/Cost Benefit Analysis

The Oracle Corporation (2002) uses two risk factors in its risk assessment process: consequences and frequency. The risk factors and levels are shown in Table 13.2. The table also shows how the risk factors map to a risk level. The risk levels are described in Table 13.3.
Table 13.2 - The Oracle Corporation Risk Screening Matrix

Consequences (financial loss / harm to people):
  Catastrophic (>$100M)    Multiple Fatalities
  Major ($10-100M)         Single Fatality
  Moderate ($1-10M)        Severe Injury
  Minor ($100K-1M)         Lost Time/Injury
  Negligible (<$100K)      No Harmful Effects

Frequency (per annum):
  Often (>0.1)
  Probable (0.1-0.01)
  Possible (0.01-0.001)
  Unlikely (0.001-0.0001)
  Remote (<0.0001)

Legibility limited due to original; the risk level assigned to each consequence/frequency cell cannot be recovered.

Table 13.3 - The Oracle Corporation Risk Levels

Risk Level   Description
(1)          A HIGH and INTOLERABLE level of risk that must be reduced or further analysed to demonstrate that it is As Low As Reasonably Practicable (ALARP).
(2)          An INTERMEDIATE level of risk that is within the ALARP region and should be further analysed to demonstrate that it is ALARP.
(3)          A LOW and ACCEPTABLE level of risk that should nevertheless be the subject of ongoing control through appropriate procedures and management.

Additional information on this approach can be found at www.oracle-services.com.au.

SCHINDLER MANAGEMENT AG

Haller (2000) presents an overview of a risk analysis process used by Schindler Management AG, manufacturer of elevators and related equipment. The process is shown in Figure 13.1.

Figure 13.1 - Risk Analysis Process per Haller (2000)
C. Kirchsteiger, G. Cojazzi (Eds.), Promotion of Technical Harmonisation on Risk-Based Decision Making, Proceedings of a Workshop held on May 22-24, 2000, Grand Hotel Bristol, Stresa, Italy, 2 Vol., European Commission DG JRC, S.P.I.0063, May 2000. Legibility limited due to original.

SICK AG

Based in Germany, SICK AG is a global supplier of industrial safety systems and sensor solutions for industrial applications. SICK has developed a Scalable Risk Assessment Method (SCRAM) that is a combination of a risk matrix and risk graph approach (Görnemann, 2003). SCRAM is based on tables from the software SafeExpert®. Additional information in German can be found at www.ibf-at.com. The approach is illustrated in Table 13.4 below.
Table 13.4 - SICK Risk Elements Table

                                                       Probability of Occurrence
Severity of Harm   Exposure to Harm   Harm Avoidance    Low    Middle    High
No Harm*           -                  -                  0       0        0
Low                -                  Avoidable          0       0        1
                                      Not avoidable      0       1        2
Middle             Low                Avoidable          1       2        3
                                      Not avoidable      2       3        4
                   High               Avoidable          3       4        5
                                      Not avoidable      4       5        6
High               Low                Avoidable          5       6        7
                                      Not avoidable      6       7        8
                   High               Avoidable          7       8        9
                                      Not avoidable      8       9       10

The cell entries are the Resulting Risk Level. * Only required to evaluate risk reduction.

This approach uses four risk factors in assessing risk: severity of harm, exposure to harm, harm avoidance, and probability of occurrence. The number of risk levels for each factor ranges from two to four. The method yields a resulting risk level number from 0 to 10. The method indicates that a resulting risk level above 1 would not be considered acceptable according to ISO 12100-1:2003.

The scalable portion of the SICK method occurs with supporting tables to Table 13.4. Each of the four risk factors has a supporting table that can be used to evaluate the factor in greater detail. For example, to determine the Exposure to Harm, Table 13.4 can be used directly or the exposure can be further evaluated using four additional risk sub-factors. The risk sub-factors and the associated levels for exposure include: need for access (required/not required), exposure frequency (low/middle/high), exposure duration (short/middle/long), and persons exposed (uncertain/one/more). These risk sub-factors combine to yield a resulting harm exposure of either low or high, which can be used for the evaluation in Table 13.4. The other risk factors also have supporting tables of sub-risk factors.

SUVA

SUVA is an insurance organization based in Switzerland. SUVA has developed a risk assessment method that closely follows the ISO 14121 approach (Florsblom-Pärli, 2003). Although ISO 14121 applies specifically to machinery, SUVA uses the method to evaluate places of work and work processes.
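As an added example for the SCRAM table above (an editor's illustration, not SICK AG's SafeExpert software or any code from the page), the Python below transcribes Table 13.4 as a lookup keyed by severity, exposure and avoidance, validates the inputs, applies the page's acceptability rule (a resulting level above 1 is not acceptable), and evaluates a constructed before/after risk reduction case. It also checks an observation of the editor's rather than a statement from SICK: every entry in the table equals max(0, base(severity, exposure) + 1 if not avoidable + probability index), which is what makes the table behave as a risk graph as well as a matrix. The exposure sub-factor tables are not reproduced on the page, so exposure is entered directly as Low or High.

```python
"""SICK Scalable Risk Assessment Method (SCRAM) risk elements table
(Table 13.4): four risk factors -> resulting risk level 0..10.

Added illustration; not SICK AG's SafeExpert software. Table values are
transcribed from Table 13.4. Exposure sub-factor tables are not on the page,
so exposure is given directly as "Low" or "High". The additive model checked
at the end is the editor's observation about the table, not a SICK statement.
"""
from typing import Dict, Optional, Tuple

PROBABILITY = ["Low", "Middle", "High"]   # column order of Table 13.4

# (severity, exposure, avoidance) -> resulting level for probability Low, Middle, High.
# None marks a factor the table does not use for that severity ("-" in Table 13.4).
RISK_TABLE: Dict[Tuple[str, Optional[str], Optional[str]], Tuple[int, int, int]] = {
    ("No Harm", None, None): (0, 0, 0),
    ("Low", None, "Avoidable"): (0, 0, 1),
    ("Low", None, "Not avoidable"): (0, 1, 2),
    ("Middle", "Low", "Avoidable"): (1, 2, 3),
    ("Middle", "Low", "Not avoidable"): (2, 3, 4),
    ("Middle", "High", "Avoidable"): (3, 4, 5),
    ("Middle", "High", "Not avoidable"): (4, 5, 6),
    ("High", "Low", "Avoidable"): (5, 6, 7),
    ("High", "Low", "Not avoidable"): (6, 7, 8),
    ("High", "High", "Avoidable"): (7, 8, 9),
    ("High", "High", "Not avoidable"): (8, 9, 10),
}


def _key(severity: str, exposure: Optional[str], avoidance: Optional[str]):
    """Drop the factors Table 13.4 ignores for the given severity."""
    if severity == "No Harm":
        return (severity, None, None)
    if severity == "Low":
        return (severity, None, avoidance)
    return (severity, exposure, avoidance)


def risk_level(severity: str, exposure: Optional[str], avoidance: Optional[str],
               probability: str) -> int:
    """Resulting risk level (0..10) from Table 13.4."""
    key = _key(severity, exposure, avoidance)
    if key not in RISK_TABLE or probability not in PROBABILITY:
        raise ValueError("not a valid Table 13.4 combination: "
                         f"{(severity, exposure, avoidance, probability)!r}")
    return RISK_TABLE[key][PROBABILITY.index(probability)]


def acceptable(level: int) -> bool:
    """Page: a resulting level above 1 is not considered acceptable (ISO 12100-1:2003)."""
    return level <= 1


def risk_reduction(before: int, after: int) -> int:
    """Levels removed by a measure; the "No Harm" row exists only for this use."""
    return before - after


# Editor's observation: base value per (severity, exposure) block of the table.
_BASE = {("Low", None): -1, ("Middle", "Low"): 1, ("Middle", "High"): 3,
         ("High", "Low"): 5, ("High", "High"): 7}


def additive_level(severity: str, exposure: Optional[str], avoidance: Optional[str],
                   probability: str) -> int:
    """Risk-graph reading of the table: max(0, base + avoidance + probability)."""
    if severity == "No Harm":
        return 0
    base = _BASE[(severity, None if severity == "Low" else exposure)]
    return max(0, base + (1 if avoidance == "Not avoidable" else 0)
               + PROBABILITY.index(probability))


def additive_model_matches_table() -> bool:
    """True if the additive reading reproduces every Table 13.4 entry."""
    return all(additive_level(sev, exp, avoid, prob) == expected
               for (sev, exp, avoid), levels in RISK_TABLE.items()
               for prob, expected in zip(PROBABILITY, levels))


if __name__ == "__main__":
    # Constructed case: unguarded press, then the same press with an interlocked guard.
    before = risk_level("High", "High", "Not avoidable", "Middle")   # 9
    after = risk_level("High", "Low", "Avoidable", "Low")            # 5
    print(f"before={before} after={after} reduction={risk_reduction(before, after)}")
    print("acceptable after guarding:", acceptable(after))
    print("additive reading matches table:", additive_model_matches_table())
```

The before/after case shows the practical consequence of the table's structure: a guard that lowers exposure and makes the harm avoidable removes four levels, but with severity still High the result is 5 and remains above the page's acceptability limit of 1, so further measures are needed.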
SUVA determines the limits of a process by defining the operation mode of the process and describing the activities of people, the machine and the environment for every sub-process. SUVA then identifies hazards and estimates risks for both acute and chronic hazards. The SUVA method of risk evaluation uses the two risk factors of severity of harm and probability of occurrence. The risk factors map to three levels of risk as shown in Table 13.5.

Table 13.5 - SUVA Matrix
[Table body not legible in the source]

Additional information on this approach can be found at www.suva.ch.

CLOSURE

Today, few companies have fully implemented a risk assessment process. Those that have comprise a definite minority of manufacturers. However, a few leading companies have found great success through the risk assessment process. Evidence of success can be deduced from the fact that most companies that perform risk assessments consider the methods used and results derived to be confidential information and a source of competitive advantage. Much of the risk assessment effort in individual companies remains proprietary. The few methods included in this chapter are drawn from public documents.

REFERENCES

Andres, R.N. & Taubitz, M.A. (2001). Risk assessment and risk reduction ANSI B11.TR3: A paradigm shift from prescriptive safety. American Society of Safety Engineers, Professional Development Conference, 2001. www.asse.org.
Considine, M. (2000). Quantifying risks in the oil and chemical industry. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.
Florsblom-Parli, U. (2003). Suva method for risk assessment for working places and working processes. Presentation to ISO TC199/WG5 committee meeting, January 9, 2003. www.suva.ch.
Haller, F. (2000). Risk management, A concept for the praxis. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.
ILO-OSH. (2001).
Guidelines on occupational safety and health management systems. International Labour Office, Programme on Safety and Health at Work and the Environment (SafeWork), Geneva, MEOSH/2001/2 (Rev). www.ilo.org.
ISO 14001:1999. Environmental management systems - Specification with guidance for use. International Organization for Standardization. www.iso.ch.
ISO 9000:2000. Quality management systems. International Organization for Standardization. www.iso.ch.
Liska, C.J. (2002). Integrating Environmental Management with Safety and Health - Part II. American Society of Safety Engineers. www.asse.org.
OHSAS 18001:1999. Occupational health and safety management systems - Specification. British Standards Institution, Occupational Health and Safety Assessment Series. www.bsi.org.uk.
Oracle. (2002). Risk screening. www.oracle-services.com.au/risk_screening.htm.
OSHA Voluntary Protection Programs (VPP). (1992). www.osha.gov.
Scalable Risk Analysis & Estimation Method (SCRAM). (2003). SICK AG. www.ibf-at.com.
Taubitz, M. (2000). Risk assessment developments in US general industry. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.
Torget, T.L. (2002). Nobody gets hurt: Journey toward an incident free workplace. The Lamp, Vol 84, No 3. http://www2.exxonmobil.com/corporate/newsroom/publications/TheLampFall02/page_2.html.
Trammell, S.R., Lorenzo, D.K., & Davis, B.J. (2003). Integrated hazards analysis: Using the strengths of multiple methods to maximize effectiveness. American Society of Safety Engineers, Professional Development Conference. www.asse.org.

Introduction
U.S. Consumer Product Safety Commission
European Market

INTRODUCTION

"Consumer products" include a very broad array of products, from children's toys to kitchen appliances, power tools to clothing. The population of users is equally diverse, from infants to the elderly and those in between.
As might be expected, a variety of organizations are involved with consumer product safety and assessing the risks of consumer products. Government agencies, industry trade organizations, individual manufacturers, standards committees and public interest groups all play roles in consumer product safety and risk assessment. Some examples include:

• American Society for Tests and Materials (ASTM-F15 Consumer Products, and others)
• Association of Equipment Manufacturers (AEM)
• Association of Home Appliance Manufacturers (AHAM)
• Consumer Federation
• Consumer Product Safety Commission (CPSC)
• Environmental Protection Administration (EPA - pesticides)
• European Consumer Safety Association (ECOSA)
• Food and Drug Administration (FDA)
• International Consumer Product Health and Safety Organization (ICPHSO)
• Juvenile Products Manufacturers Association (JPMA)
• National Highway Traffic Safety Administration (NHTSA - automobiles)
• Public Interest Research Group (PIRG)
• State-based agencies (e.g., Kentucky Product Safety Branch)
• Underwriters Laboratory Inc. (UL)

Bowers (2000) opines, "the real challenge in consumer product risk assessment lies in understanding the ways in which an individual can become exposed."

"Product stewardship" is a term used in consumer product safety circles. Product stewardship includes components of risk characterization and risk management. Risk characterization includes hazard analysis and exposure assessment. Campbell (2000) indicates that "product stewardship ultimately enhances the quality of the supplier's offering by getting them closer to the customer, and driving an understanding of the needs of the customer back up the supply chain."

There is very little detailed information publicly available on the risk assessment process applicable to consumer products. A description, flow chart or risk scoring system does not surface for the general consumer products topic for several reasons.
First, some organizations have adopted company-specific approaches to ensuring acceptable levels of risk for the products they produce. Second, many consumer product manufacturers use other industry risk assessment guidelines or standards, or government regulations. Third, most manufacturers consider the methods they use to assess risks as proprietary and confidential information. They are unwilling to share details on their risk assessment processes because they view the process as a source of competitive advantage.

Social norms can also play a significant role in consumer product risk assessments. Even though injury data may suggest that helmets would be beneficial for recreational activities like soccer or sledding, or protective eyewear for tennis, social norms preclude their acceptance.

Although no single risk assessment process emerges for consumer products, this does not suggest that there is little effort in consumer product safety. The converse is true: a great amount of activity occurs in product safety and keeping consumers free from injury. A summary of some risk assessment activities in consumer products follows.

U.S. CONSUMER PRODUCT SAFETY COMMISSION

BACKGROUND

In the United States, the Consumer Product Safety Commission (CPSC) is an independent federal agency responsible for protecting the public from unreasonable risks of injury and death associated with consumer products. The CPSC has jurisdiction over about 15,000 products. The CPSC engages in risk assessment to determine the need for and appropriateness of various "corrective actions."
The CPSC participates in the following activities:

• develops voluntary standards with industry;
• issues and enforces mandatory standards, or bans consumer products if no feasible standard would adequately protect the public;
• requires manufacturers to recall products or arrange for their repair;
• conducts research on potential product hazards; and
• informs and educates consumers through the media, state and local governments, private organizations, and by responding to consumer inquiries.

Since the CPSC has responsibility for consumer product safety, it has the ability to compel manufacturers to recall or take other "corrective actions" for products that present "a substantial product hazard." The CPSC carries out its tasks using risk as a guideline:

The risk of injury presented by a product should be evaluated to determine if that risk is a reasonable one. In determining whether a product presents an unreasonable risk, the firm should examine the utility of the product, the level of exposure of consumers to the risk, the nature and severity of the hazard presented, and the likelihood of resulting serious injury or death. In its analysis, the firm should also evaluate the state of the manufacturing or scientific art, the availability of alternative designs or products, and the feasibility of eliminating the risk.

In some instances the CPSC uses the term "risk assessment," while in other instances the term "hazard assessment" is used. Each appears to address basically the same type of analysis.

DESCRIPTION

The CPSC uses the structure of risk analysis to enhance the scientific basis for its regulatory decisions. To the CPSC, risk analysis includes the integration of risk assessment with risk management and risk communication.
Although few details on risk assessment methods are provided by the CPSC, it does provide the following description of its risk assessment process: "for purposes of this guidance, we are defining risk as the likelihood that injury or damage is or can be caused by a substance, technology, or activity."

The CPSC must follow special considerations from the Office of Management and Budget Guidelines for certain risk assessments that provide the basis for the dissemination of influential information. The Guidelines state:

With regard to analysis of risks to human health, safety, and the environment maintained or disseminated by the agencies, agencies shall either adopt or adapt the quality principles applied by Congress to risk information used and disseminated pursuant to the Safe Drinking Water Act Amendments of 1996 (SDWA).

The SDWA risk assessment principles tend to be focused more on quantitative assessments involving considerable scientific data. This situation raises a dilemma for the CPSC, as many of the situations it analyzes lack quantitative data to use in risk assessments. In this regard, the CPSC states:

Many of our actions are based on scientific experts' judgments using available data, are essentially qualitative, and are generally carried out for non-cancer-causing hazards. Such assessments provide useful answers in most instances that are sufficient for regulatory purposes, and much more elaborate, quantitative estimates extrapolating beyond the data are unnecessary. Although we might analyze the economic costs of the regulations and consider alternatives, regulations like these do not lend themselves to the types of full quantitative risk assessments contemplated by the Safe Drinking Water Act principles.
As a result, we have adapted the general principles for risk assessments from the SDWA to fit these situations. For quantitative risk assessments in support of the dissemination of influential information, CPSC intends to apply the SDWA risk assessment principles.

Although the CPSC states that it rarely performs quantitative risk assessments, in situations requiring a quantitative risk assessment it generally subscribes to the National Academy of Science risk assessment process of 1994: "in each of the areas we regulate, we apply risk assessment practices to the specific task that are widely accepted among relevant domestic and international public health agencies."

To the degree that a CPSC action is based on science, the Commission indicates that it intends to use the best available, peer-reviewed science and supporting studies conducted in accordance with sound and objective scientific practices, and data collected by accepted methods. Concerning the dissemination of public information about risks, the CPSC indicates that it will ensure that the presentation of information about risk effects is comprehensive, informative, and understandable. The CPSC intends to share the following information in documents supporting regulations:

• Each population addressed by any estimate of applicable risk effects;
• The expected risk or central estimate of risk for the specific populations affected;
• Each appropriate upper-bound or lower-bound estimate of risk;
• Each significant uncertainty identified in the process of the assessment of risk effects and the studies that would assist in resolving the uncertainty; and
• Peer-reviewed studies known to the Agency that support, are directly relevant to, or fail to support any estimate of risk effects and the methodology used to reconcile the inconsistencies in the scientific data.

To provide this information, either the CPSC (or, more typically, the product manufacturers) must conduct a risk assessment.
RISK SCORING SYSTEM

The CPSC Recall Handbook uses three hazard levels to score risks for products that present "a substantial product hazard." The three hazard classes are based on the two risk factors of severity of injury/illness and the likelihood of occurrence.

Class A Hazard - exists when a risk of death or grievous injury or illness is likely or very likely, or serious injury or illness is very likely.

Class B Hazard - exists when a risk of death or grievous injury or illness is not likely to occur, but is possible, or when serious injury or illness is likely, or moderate injury or illness is very likely.

Class C Hazard - exists when a risk of serious injury or illness is not likely, but is possible, or when moderate injury or illness is not necessarily likely, but is possible.

This risk scoring system can be presented as shown in Table 14.1.

Table 14.1 - CPSC Hazard Priority System (based on CPSC Recall Handbook)

                                              Likelihood of Occurrence
Severity                                 Very likely   Likely   Not likely, but possible
Death/grievous injury or illness         A             A        B
Serious injury or illness                A             B        C
Moderate injury or illness               B             *        C
* not identified in class descriptions

A key consideration for the CPSC in assessing risk is whether a product contains "a substantial product hazard." The CPSC uses four criteria to determine the existence of a substantial product hazard:

• Pattern of defect
• Number of defective products distributed in commerce
• Severity of risk
• Likelihood of injury

The CPSC uses a hazard priority system as a guide for selecting the level and intensity of corrective action.

STATUS

The U.S. CPSC efforts in consumer product safety are current and ongoing. Additional information on the CPSC and a copy of the Recall Handbook are available at www.cpsc.gov.

EUROPEAN MARKET

BACKGROUND

The European Directive on General Product Safety was first published in 1992 under Council Directive 92/59/EEC and subsequently revised under Directive 2001/95/EC.
The Directive applies to products placed on the market, supplied to, or made available to consumers. The Directive is necessarily broad as it applies to a very wide array of products. The terms risk and risk assessment appear frequently in the Directive. The Directive does not explicitly require that a formal "risk assessment" be conducted as the term is used in this book. Other safety analyses or assessments will meet the general requirements. However, the Directive does require that the assessment be documented.

European law requires that consumer products sold in the European Union (EU) bear the CE Mark and meet all the relevant EU directives. The CE Mark appears in Figure 14.1. The CE mark is required on consumer products sold in the EU and indicates conformity to the "common level of safety." Through the CE mark, the EU explicitly requires a risk assessment and analysis of the hazards in accordance with the hazard elimination and control hierarchy.

A consumer product manufacturer must declare that its products comply with all relevant CE-marking directives and indicate so by affixing the CE mark. The manufacturer bears the responsibility to determine which EU directives apply to its products. Complying with EU directives requires expertise in the relevant fields. In some instances the manufacturer will have the necessary competence in-house. In other situations third party assistance (test laboratories, consultants, etc.) may be necessary to achieve compliance.

DESCRIPTION

Obtaining the CE mark requires conducting a risk assessment. The risk assessment referenced by EU documents is usually ISO 14121/EN 1050 or other processes specific to the consumer product being examined. The ISO 14121/EN 1050 process and flow chart appear in detail in Chapter 24.

STATUS

Additional information on CE Marking can be found from a variety of government and commercial sources on the Internet.
REFERENCES

American Society for Tests and Materials (ASTM-F15 Consumer Products). www.astm.org.
Association of Equipment Manufacturers (AEM). Milwaukee, WI. www.aem.org.
Association of Home Appliance Manufacturers (AHAM). www.aham.com.
Bowers, T.S. (2000, Spring). Measuring and modeling household exposures, trends in risk and remediation. Gradient Corporation. www.gradientcorp.com.
Campbell, H.J. (2000, Spring). Measuring and modeling household exposures, trends in risk and remediation. Gradient Corporation. www.gradientcorp.com.
Consumer Federation. www.consumerfed.org.
Consumer Product Safety Commission. (1999). Recall handbook, May. www.cpsc.gov.
Consumer Product Safety Commission. (2000). 16 CFR 1115.6 Commercial Practices. Safety Commission, Substantial Product Hazard Reports. www.cpsc.gov.
Directive 2001/95/EC of the European Parliament and of the Council of 3 December 2001 on General Product Safety. http://www.dti.gov.uk/CACP/ca/consultation/2001_95_ec.pdf.
EEC 92/59/EEC. (1992). The European Directive on General Product Safety. European Union. www.europeandocuments.com.
Environmental Protection Administration (EPA). www.epa.gov.
European Consumer Safety Association (ECOSA). www.epha.org.
Food and Drug Administration (FDA). www.fda.gov.
ISO 14121/EN 1050-1999. Safety of machinery; risk assessment. International Organization for Standardization. www.iso.ch.
Juvenile Products Manufacturers Association (JPMA). www.jpma.org.
National Highway Traffic Safety Administration (NHTSA). www.nhtsa.dot.gov.
Public Interest Research Group (PIRG). www.pirg.org.
Safe Drinking Water Act Amendments of 1996. (42 U.S.C. 300g-1(b)(3)(A) and (B)). www.epa.gov.
State based agencies such as Kentucky Product Safety Branch. http://publichealth.state.ky.us/consumer_product_safety.htm.
The International Consumer Product Health and Safety Organization (ICPHSO). www.icphso.org.
Underwriters' Laboratory (UL). www.ul.com.
CONSTRUCTION

General
UK Construction Risk Assessment
Structures and Dams

GENERAL

BACKGROUND

The increased appearance of performance based standards and codes has impacted the construction industry. Appleyard (1995) addresses the trend away from strict building codes to a more risk based approach to structural design:

The modern structural designer has been drawn into a situation for which recent professional graduate and indeed post graduate courses have left him ill-equipped... The structural designer has now been placed in a position whereby his actions are no longer taken within the limited framework of a codified design regime but, rather, within the broader context of the combination of codified design and the necessity for execution of the design process in the context of Risk-based Decision Making.

The Construction Industry Research and Information Association (CIRIA) is a UK-based research entity concerned with improving the performance of all involved in construction and the environment. Morris and Simm (2000) discuss risk assessments based on concepts set forth in the CIRIA Special Publication 125 (1996), Control of risk: a guide to the systemic management of risk from construction:

It is not possible to give a detailed and prescriptive approach to risk assessment - the variety of projects and perspectives is simply too large. A prescriptive approach would, in any case, tend to bypass or override engineering judgment, expertise and experience, which are all important for effective risk assessment and management. Traditionally, risk management has been applied instinctively, with risks remaining implicit and managed by judgment informed by experience. Risk management should make risks explicit, formally describing them and making them easier to manage. In other words it is a management tool, which for best results requires practical experience and training in the use of appropriate techniques.
Once learnt, it supports decision-making and assists instinctive judgment.

Construction related risk assessment also appears in regulations of the State of New Hampshire. The New Hampshire Housing Finance Authority (NHHFA) is a non-profit public benefit corporation established by the state legislature. The Authority assists low and moderate income persons and families to "obtain decent, safe and affordable housing." A requirement for risk assessment for lead-based paint appears under the NHHFA Design and Construction Standards of May 2001:

Unless all paint films will be assumed to contain lead and will be removed during construction, a lead-based paint risk assessment by a New Hampshire licensed Risk Assessor utilizing Housing and Urban Development protocol will be required prior to the design of rehabilitation of any pre-1978 construction. Risk assessment findings shall be utilized in the development of a lead hazard reduction plan for such a property.

The Building Futures Council is also involved in construction risk assessment, although more from a business rather than an injury prevention focus. According to the Building Futures Council (2000):

The Building Futures Council is an independent, nonprofit corporation composed of senior executives of organizations engaged in all aspects of the building and construction process, representing private and public owners, planners, engineers, architects, constructors, attorneys, financiers, accountants, insurers, investors, and academia.

Most problems can be avoided with thorough risk assessment planning, or RAP. The RAP process, which emphasizes the importance of communication throughout the construction process and the use of alternative dispute resolution techniques, assists all project participants in strategically planning how to handle construction risks before they become construction problems. RAP therefore helps the industry save time and money.
Identifying, allocating, and managing risks at the front end of the project-planning process is the best possible way of ensuring a successful result for everyone involved at all stages of construction, including development, planning, and actual construction.

DESCRIPTION

The Building Futures Council (2000) presents the Risk Assessment Planning process as follows:

RAP is a concept that requires first identifying and understanding risks through a systematic process, then following an organized method of managing and allocating those risks. The RAP system is most effective when these four steps are followed:

1. Identify the project risks by using the RAP checklist.
2. Communicate among the disciplines and develop mutually agreed-upon methods for managing the risks.
3. Develop voluntary methods of resolving problems before they occur.
4. Require contract language to reinforce the resolution methods agreed upon.

In their discussion of risk assessment of engineering systems, Stewart and Melchers (1997) provide the following steps in the risk-based decision process:

1. Context definition (social, individual, organizational, political, technological)
2. Criteria definition
3. Hazard identification
4. Risk analysis (severity and probability ratings)
5. Sensitivity analysis
6. Presentation of results
7. Risk assessment/criteria
8. Risk treatment (avoidance, reduction, transfer, acceptance)
9. Monitoring and review

In this use, the term "risk assessment" involves comparing the results of the risk analysis against acceptability criteria. The risk assessment produces a list of hazards with the greatest contribution to system risk.

FLOWCHART

Morris and Simm (2000) present the risk management process in the construction industry as shown in Figure 15.1. The authors provide detailed descriptions of each step in an Appendix to their book.

STATUS

Additional information can be found in the Building Futures Council report, and at http://www.ciria.org.uk/.
UK CONSTRUCTION RISK ASSESSMENT

BACKGROUND

The UK Health and Safety Executive (HSE) also addresses risk assessment in the construction industry. HSE (2000) states that the purpose of the HSE construction risk assessment is to "allow a safe method of work to be developed which will avoid or minimise the health and safety of workers and others affected by the work." According to the HSE (2002), "the assessment of risk in the construction industry is particularly important as the industry is inherently dangerous and is labour intensive."

DESCRIPTION

The HSE (2002) presents the risk assessment process for contractors in "Five steps to risk assessment." The five steps are intended to assist the designer or the contractor:

Step 1 Look for the Hazards in the proposed work activity or from the adjacent area.
Step 2 Consider the parties that might be harmed, and how this might arise.
Step 3 Evaluate the risks arising and decide whether the existing construction methodology and requirements are satisfactory or whether more should be done to reduce or eliminate risks so far as reasonably practicable.
Step 4 Record your findings.
Step 5 Review your assessment and revise if necessary.

The HSE (2002) indicates that: "Although there are some very sophisticated computational models for analysing risk levels and probability, there is rarely any justification to use these in the construction industry."

In the UK, regulatory requirements for risk assessment in construction appear in several regulations: the Health and Safety at Work Act, the Management of Health and Safety at Work Regulations 1999, Construction (Design and Management) Regulations 1994, Construction (Health, Safety and Welfare) Regulations 1996, and others. For more details about these requirements see www.learning-hse.com/hse/home.phtml.

RISK SCORING SYSTEM

The HSE (2002) risk scoring system uses severity and likelihood as risk factors. The three levels of severity appear in Table 15.1.
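The HSE scoring system of Tables 15.1 to 15.3 and the contractor steps (a) to (d) that follow in this section, encoded as an added worked example (not code from HSE or from this book): a small risk register is rated on the 3x3 severity/likelihood matrix, the method changes recorded against each activity are applied in turn, and any activity whose final rating is still above 1 is flagged for the explanation that step (d) requires. The register entries, the control descriptions, and the rule that a hazard avoided under step (b) is scored at the matrix minimum are constructed assumptions.

```python
"""UK HSE construction risk rating (Tables 15.1 to 15.3) with steps (a) to (d).
Added example, not HSE code; sample register and control records are constructed."""

SEVERITY = ("high", "medium", "low")      # Table 15.1
LIKELIHOOD = ("high", "medium", "low")    # Table 15.2

# Table 15.3: severity (row) x likelihood (column) -> risk rating 1..3
MATRIX = {
    "high":   {"high": 3, "medium": 3, "low": 2},
    "medium": {"high": 3, "medium": 2, "low": 1},
    "low":    {"high": 2, "medium": 1, "low": 1},
}

RATING_TEXT = {
    3: "High risk, Action required",
    2: "Medium risk, Action required unless there is a good reason not to",
    1: "Low risk, No action required",
}


def rating(severity, likelihood):
    """Initial or final risk rating from Table 15.3."""
    if severity not in SEVERITY or likelihood not in LIKELIHOOD:
        raise ValueError(f"unknown level: {severity!r}/{likelihood!r}")
    return MATRIX[severity][likelihood]


def assess(activity):
    """Apply steps (a) to (d) to one register entry and return the record to keep.

    activity keys: name, hazard, severity, likelihood, and optionally
      avoid    - explanation of a method change that avoids the hazard (step b)
      reduce   - list of {explain, severity, likelihood}: method changes that
                 reduce the risk to the stated levels, applied in order (step c)
      residual - why the risk remains and what others must do (step d)
    """
    sev, lik = activity["severity"], activity["likelihood"]
    initial = rating(sev, lik)
    record = {"activity": activity["name"], "hazard": activity["hazard"],
              "initial_rating": initial, "actions": []}
    final = initial
    if initial > 1:                                        # (a) rating above 1
        if activity.get("avoid"):                          # (b) hazard avoided
            record["actions"].append("avoid: " + activity["avoid"])
            final = min(RATING_TEXT)                       # assumption: avoided hazard scored at minimum
        else:
            for change in activity.get("reduce", []):      # (c) hazard reduced
                final = rating(change["severity"], change["likelihood"])
                record["actions"].append(f"reduce: {change['explain']} -> rating {final}")
                if final <= 1:
                    break
    record["final_rating"] = final
    record["final_text"] = RATING_TEXT[final]
    if final > 1:                                          # (d) residual risk must be explained
        record["residual_explanation"] = (activity.get("residual")
                                          or "MISSING: explain why and what others need to do")
    return record


def assess_register(register):
    return [assess(a) for a in register]


# Constructed sample register (not from HSE).
SAMPLE_REGISTER = [
    {"name": "Roof sheet replacement", "hazard": "Fall from height",
     "severity": "high", "likelihood": "medium",
     "reduce": [{"explain": "edge protection and safety nets fitted before work starts",
                 "severity": "high", "likelihood": "low"}],
     "residual": "Site manager to verify edge protection daily; work stops in high wind."},
    {"name": "Block laying", "hazard": "Manual handling injury",
     "severity": "medium", "likelihood": "medium",
     "reduce": [{"explain": "mechanical lifting aids for all blocks over 20 kg",
                 "severity": "medium", "likelihood": "low"}]},
    {"name": "Ground-floor snagging", "hazard": "Minor cuts from hand tools",
     "severity": "low", "likelihood": "medium"},
]

if __name__ == "__main__":
    for rec in assess_register(SAMPLE_REGISTER):
        print(rec)
```

In the sample, the roof work starts at rating 3, edge protection brings it to 2 (severity is unchanged, only the likelihood falls), and the record therefore carries a step (d) explanation; block laying drops from 2 to 1 and needs no further action; the hand-tool hazard starts at 1 and is recorded without action, which is exactly the "simple judgment" the HSE says is appropriate most of the time.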
The three levels of likelihood appear in Table 15.2. The HSE maps the risk factors to a risk level as shown in Table 15.3.

Table 15.1. UK HSE Construction Severity Levels

Severity Level   Description
'HIGH'           Fatality; major injuries or illness causing long-term disability.
'MEDIUM'         Injury or illness causing short-term disability.
'LOW'            Other injury or illness.

Table 15.2. UK HSE Construction Likelihood Levels

Likelihood Level   Description
'HIGH'             Certain or near certain to occur.
'MEDIUM'           Reasonably likely to occur.
'LOW'              Very seldom or never occurs.

Table 15.3. UK HSE Example Risk Assessment Method

                       Likelihood
Severity        High   Medium   Low
High            3      3        2
Medium          3      2        1
Low             2      1        1

The corresponding risk levels are:

3 - High risk, Action required
2 - Medium risk, Action required unless [there is a] good reason [not to]
1 - Low risk, No action required

The HSE (2002) presents a basic approach to construction risk assessment in which a contractor identifies an activity, the hazard/risk, and an initial risk rating based on the risk scoring system above. Using the risk scoring system, the contractor is advised to reduce risk as follows:

a) Is the initial risk rating > 1? If yes, consider as a priority the need to avoid and reduce risks - see (b) and (c) below.
b) Can the risk be reasonably avoided by changing the method of working? If yes, explain how and change it.
c) Can the risk be reasonably reduced by changing the method of working? If yes, explain how and change it.
d) If the final risk rating is > 1, explain why and what others need to do to minimise the risk.

According to the HSE (2002):

The appropriate level of risk assessment will vary from project to project and from one operation to another... [A] thorough study of the risks and a detailed method statement may be needed...
The assessment may involve a detailed analysis but more often all that is appropriate is a simple judgment based on the seriousness of any incident that could result and the degree of exposure to the hazard.

STATUS

There are several risk models and software tools that aid construction risk assessment. Two available programs are the Construction Risk Assessment Management Software, available at www.healthandsafety-centre.net, and designsafe®, at www.designsafe.com.

STRUCTURES AND DAMS

BACKGROUND

The primary hazard in dams is the uncontrolled release of water. According to Schueller (2000), identifying event scenarios that result in release of water is fairly well defined. Note that this situation differs from other applications where identifying hazards represents a significant challenge.

Realistically modeling structures and the loading conditions to which they may be exposed has long been a concern of structural engineers. Advances in computational capabilities continue to yield increasingly better analytical models. Much is known, or can be reasonably estimated, concerning the variables that serve as inputs to quantitative and probabilistic risk assessment models. As analysis methods improve, the demand increases for more quantitative risk assessments.

Recognizing that good engineering judgment still plays a role in even quantitative assessments, Schueller considers the structural effort of risk assessment a semi-probabilistic approach that represents a good first step. He indicates that full probabilistic codes are currently under development but may require considerable time before they are issued. He states "sophisticated risk analysis of engineering structures will - at least for the time to come - still be carried out on a case by case basis."

According to Schueller (2000), the risk assessment problem for dams is primarily one of evaluating the probability of an earthquake occurring at a given severity.
He notes "each site has a certain probability of occurrence and exceedance of a certain earthquake intensity. Man made hazards, such as accidental impact, has generally a very low probability of occurrence."

The US Army Corps of Engineers is also involved in construction risk assessment, particularly of dams. The Corps is responsible for approximately 600 dams, of which many are over 30 years old. One quarter of these dams have exceeded their 50 year design life. According to the Corps (US Army, 2001):

Many are in need of major repair or rehabilitation to ensure their continued safety for future generations. The Corps is responsible for managing these risks for its dams and protecting the public against the devastation caused by such catastrophes. With the increasing demand on available resources, government agencies have searched for a systematic method for prioritizing needed repairs to their dams.

The Risk Analysis for Dam Safety Research Program was initiated to aid in allocating investments to improve the safety of Corps dams. The key objectives of the research center on prioritizing dams for analyses and repairs; they include selecting the optimal plan to protect resources, minimizing the disruption of service and maximizing the effectiveness of the investments. The Corps has conducted site-specific risk assessments to develop appropriate risk analysis procedures and safety decision guidelines. The Corps has also conducted assessments focusing on developing methods to determine the probability of erosion of soil and rock in spillways and channels based on the analytical models of soil and rock erosion.

DESCRIPTION

According to Donghi (2000), a qualitative approach to risk assessment is used in Italy. He notes that in some other countries a probabilistic approach is used. Concerning risk comparisons, he indicates that "the number of persons exposed to a possible dam failure and the likelihood of that event determine the social risk" (p. 10).
Property damage apparently does not play a role in determining societal risk. As with many industries, the desire for quantitative risk assessment has extended beyond the available data in the construction industry. As a result, either data must be developed or a qualitative approach must be used.

STATUS

According to Schueller (2000), "currently risk assessment documentation and procedures do not yet follow specific guidelines. They are generally carried out in a problem oriented form." Further, Donghi (2000) states that:

At present the probabilistic approach, due to insufficient statistical data, is not yet as effective in the field of dams; it seems it could be effective for new dam design but less effective for existing dams. Risk assessment is therefore a qualitative approach (p. 13).

The US Army Corps of Engineers study on risk analysis for dam safety is currently in progress. Additional information can be obtained at http://www.wes.army.mil/ITL/damsafe.

REFERENCES

Appleyard, L.D. (1995). An appraisal of the validity of societal risk criteria in the building and construction industry. In Melchers & Stewart (Eds.), Integrated Risk Assessment. Rotterdam: Balkema.

Building Futures Council (2000). Report on risk assessment planning for the construction industry. Prepared by the Building Futures Council, Committee on Management and Contracting Alternatives, Washington, DC.

CIRIA. (1996). Control of risk: A guide to the systemic management of risk from construction. Construction Industry Research and Information Association, Special Publication 125. http://www.ciria.org.uk.

Construction Risk Assessment Management Software. www.healthandsafety-centre.net.

designsafe® the hazard analysis and risk assessment guide. design safety engineering, inc. www.designsafe.com.

Donghi, G. (2000). Safety aspects in hydropower dams operation. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.

HSE. (2002). Identification and management of risk in undergraduate construction courses. Health and Safety Executive. www.learning-hse.com/hse/home.phtml.

Morris, M. & Simm, J. (Eds.) (2000). Construction risk in river and estuary engineering: A guidance manual. Thomas Telford.

New Hampshire Housing Finance Authority (2001). Design and construction standards. www.nhhfa.org.

Schueller. (2000). Risk assessment of engineering structures. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.

Stewart, M.G. & Melchers, R.E. (1997). Probabilistic risk assessment of engineering systems. New York: Chapman & Hall.

U.S. Army. (2001). Risk analysis for dam safety. U.S. Army Corps of Engineers. www.wes.army.mil/ITL/damsafe.

ISO 14000 Series
International Applications
Australian Environmental Risk Management
U.S. Applications
Ecological Risk Assessment
Wastes

ISO 14000 SERIES

BACKGROUND

The ISO 14000 series of standards pertains to environmental management, part of which includes risk assessment. ISO 14001:1996 Environmental management systems - Specification with guidance for use provides the general framework for environmental management:

This International Standard specifies the requirements of an environmental management system. It has been written to be applicable to all types and sizes of organizations and to accommodate diverse geographical, cultural and social conditions. The basis of the approach is shown in [Figure 16.1]. (ISO 14001)

Note that this standard applies only to environmental aspects and not to aspects related to occupational health and safety management or product design. However, the document does recognize that organizations may seek to integrate such management systems. Several organizations see value in this approach and have successfully integrated environmental, health and safety management systems. Examples are discussed in greater detail in Chapter 34 Risk Management.
DESCRIPTION

Where ISO 14001 provides the general framework of environmental management, ISO 14004:1996 Environmental management systems - General guidelines on principles, systems and supporting techniques provides more specific guidelines for environmental management systems. The ISO 14004 planning process is presented in four steps:

Step 1 - Select an activity, a product or service
Step 2 - Identify environmental aspects of the activity, product or service
Step 3 - Identify environmental impacts
Step 4 - Evaluate significance of impacts

An environmental aspect could involve a discharge, an emission, consumption or reuse of material, or noise. Risk assessment appears in Step 4. The ISO 14001 guidance to Step 4 includes both environmental and business concerns. Examples of each include:

Environmental concerns:
• the scale of the impact
• the severity of the impact
• probability of occurrence
• duration of impact

Business concerns:
• potential regulatory and legal exposure
• difficulty of changing the impact
• cost of changing the impact
• effect of change on other activities and processes
• concerns of interested parties
• effect on the public image of the organization

RISK SCORING SYSTEM

ISO 14001 does not specify any particular risk scoring system. However, an example case study of how ISO 14001 is implemented can be found in Annex D (informative) of ISO/TR 14061:1998 Information to assist forestry organizations in the use of Environmental Management System standards ISO 14001 and ISO 14004. The case study demonstrates a method of conducting a quantitative risk assessment for environmental applications. The case study involves a pulp and paper manufacturer based in Brazil, in which each environmental aspect is evaluated by using a so-called "Significance Index."
This index is calculated by considering four primary risk factors:
• frequency of occurrence
• severity
• intensity
• extent of impact

The frequency and severity risk factors are used to determine the magnitude of the impact. The intensity and extent of impact are used to determine the importance of the impact. The scales used to rate the risk factors are shown in Tables 16.1-16.4.

Table 16.1 - ISO/TR 14061 Frequency Rating Scale
Frequency   Scale
Low         < 2 occurrences per year
Medium      Other
High        Continual or 1 occurrence per week

Table 16.2 - ISO/TR 14061 Severity Rating Scale
Severity    Scale
Low         Changes reversible immediately
Medium      Changes reversible in the medium/long term
High        Changes not reversible

Table 16.3 - ISO/TR 14061 Intensity Rating Scale
Intensity   Scale
Low         5% of emissions based on mass flow analysis
Medium      20% - 75% of emissions based on mass flow analysis
High        > 75% of emissions based on mass flow analysis

Table 16.4 - ISO/TR 14061 Extent Rating Scale
Extent      Scale
Low         Confined within company's bounds or local
Medium      Regional
High        Global

The Significance Index is an overall weighting of the elements of environmental risk. The formula used to calculate the Significance Index in ISO/TR 14061 is:

Is = [(f × sev) + (in × ext)] × (a1 + a2 + a3 + a4 + a5)

where
Is = the significance index
f = frequency factor
sev = severity factor
in = the intensity factor
ext = extent factor
a = a significance factor

Significance factors are based on issues such as legal or regulatory concerns, organizational concerns and policies, interested parties, and organizational long- and short-term strategy. The case study does provide sample values for the factors. The Significance Index equation shows that the more typical qualitative combinations used in most non-environmental risk assessments appear in the first part of this calculation: the frequency multiplied by severity factor appears first.
STATUS

ISO 14001, ISO 14004 and ISO/TR 14061 are active and approved international standards/technical reports. Copies of these documents can be obtained from www.nssn.org or other commercial sources.

INTERNATIONAL APPLICATIONS

BACKGROUND

Benjamin and Belluck (2001) state, "the primary purpose of environmental risk assessment is to provide risk managers with all available information in a form that facilitates scientifically informed decisions. 'Risk managers' are those persons responsible for making a decision regarding environmental risk." And MacDonell and Holoubek (2001) suggest that:

Scientific, political, and community organizations working to develop and implement environmental programs often use a broad definition of environmental risk assessment that encompasses human health and welfare considerations as well as ecological risks. The risk assessment process continues to mature and is finding ever-wider applications in the regulatory and policy areas for environmental protection.

Clarkson, Glaser, Kierski, Thomas, Gaccetta and Campbell (2001) review trends in environmental regulations in several countries in Europe, Asia and the Pacific. They note, "how the scientific risk assessment process can be used to make decisions about the cleanup of potential human health and ecological risks at waste sites may vary widely among countries." The following summarizes the findings from the study:

[The] increased focus on contaminated land has resulted in the development of risk assessment guidance and/or risk-based cleanup numbers in many countries. However, cleanup of these lands is still a low priority in many countries, especially in Asia and the Pacific. There are many issues surrounding the science of risk assessment that are, as yet, unresolved [including:]
1. existence of uncertainties inherent in the risk assessment process
2. relative importance of human health versus ecological risk
3. what constitutes acceptable or unacceptable levels of risk for human and ecological receptors, and
4. the role of risk communication (i.e., consensus among all stakeholders)

DESCRIPTION

Concerning trends in Europe, Clarkson, et al. (2001) indicate that:

No specific European Union regulations have been developed; rather, the focus is on individual regulations for each country. The focus of these individual country regulations is a "fit for purpose" approach. This is historically different from the U.S. approach of cleaning up any site that was contaminated. Overall the trend is for site-specific quantitative risk assessments.

In the United Kingdom:

The legislation defined contaminated land by the phrase "significant harm." This is established by evaluating the source-pathway-receptor linkages. This is in principle much the same as the risk-based corrective action process used by many states in the U.S. in order to expedite and reduce the cost of risk assessment at waste sites. The requirement for and scope of remediation will be based on risk assessment using source-target-pathway methodology on a site-specific basis. Many corporations have shown a reluctance to spend the money necessary to prepare a quantitative risk assessment. Presently, there is no formal process for evaluating ecological risks at contaminated land sites in the UK.

In the Netherlands:

The Dutch Soil and Groundwater Standards have been well accepted both in the Netherlands and throughout other parts of Europe and Asia. These standards take into account both human and ecological risk. Historically, the Dutch developed human health standards for residential, industrial and agricultural land use. However, recent revisions to the guidance now require the return of contaminated land to any potential use, rather than remediating to the intended use of the land. The Dutch Standards are held in high regard and are used worldwide by industries concerned with environmental risk assessment.
These standards tend to be adopted particularly in locations where an independent approach has not been developed.

In Italy:

The Italian Ministry of the Environment Decree DM 471/99 establishes criteria, procedures and provisions that apply to contaminated land, including remediation. The Italian approach is different in that quantitative risk assessment may only be applied to sites after the criteria and procedures to characterize contaminated land have been conducted and concentrations detected in the soil, subsoil, surface water, and groundwater have been compared to the published cleanup standards for the appropriate land use. Italy uses the concept of Best Available Technologies at Not Excessive Cost (BATNEC) in evaluating land remediation options.

BATNEC appears to be similar to a cost-benefit analysis.

Concerning trends in Asia and the Pacific, Clarkson, et al. (2001) indicate that:

There is a wide variation in regulations and their respective implementation throughout Asia and the Pacific. Undeveloped countries tend to focus on basic needs for clean air and water, as opposed to contaminated land issues. More economically developed countries have either legislation/regulations or guidance; however, enforcement trails behind this legislation. Industrial waste management options are very limited or expensive in many countries, leading to illegal dumping and consequent land contamination. Risk communication, ecological risk issues, and acceptable risk levels may be very different in these countries because of cultural differences, that is, protection for the community, whereas in Europe and the U.S. risk assessment evaluations begin with protection of the individual. In many parts of Asia, there is a greater emphasis on benefit to the overall community, whereas in the U.S. and Europe, the protection of the individual is paramount.

In Singapore:

Contaminated lands are located in industrial areas and not on residential or agricultural lands.
Singapore uses risk assessment methods only for petroleum sites or for investigation, evaluation, and potential cleanup of multinational industrial sites. These companies are influenced by the use of risk assessment in other countries of the world.

In Japan:

There is a focus on developing appropriate remediation technologies and cleanup standards within the next two to three years [2003-2004]. The Japanese quality standards for soil and groundwater pollution do not specify acceptable risk levels for human health risk, nor do they specify if ecological risk is considered.

In the People's Republic of China, the Environmental Quality Risk Assessment Criteria for Soil at Manufacturing Facilities are National Standards that are in effect as of 1999. "This risk-based approach focuses on protecting the soil and groundwater environment and people who work at, visit, or live adjacent to an industrial facility. The regulations present generic risk-based criteria for developing soil and groundwater standards."

In Hong Kong, Wrigley and Tromp (1995) share that:

The risk management programme for potentially hazardous installations has used quantitative risk assessment to estimate risks to the public and identify risk mitigation measures. The Government is now using quantitative risk assessment techniques to address the difficult problem of dangerous goods transport in Hong Kong.

In Taiwan, Clarkson, et al. (2001) indicate that:

The focus of the Environmental Act is prevention. It is intended to prevent future contaminated land issues and, as time and resources permit, to remediate past pollution problems, unless they constitute an immediate threat to public health. The central authority uses risk-based information and Taiwan-specific research data to establish monitoring and control standards for soil and groundwater pollution.

In Australia:

Well-established site assessment and remediation programs exist in New South Wales and Victoria.
One of the unique features of the Australian regulations is the use of a benchmark dose approach to assess carcinogenic effects, rather than the traditional estimation of cancer risks. As a consequence of this approach, Australia has not established a level or range of acceptable cancer risks. Australia is also unusual in that it has a formally developed set of ecological risk assessment guidance, and it also has guidance for quantitative as well as qualitative uncertainty analysis.

In New Zealand, Zach and Keey (1995) note that the first environmental risk assessment was prompted by the National Development Act (1971), which legislated Environmental Impact Reports for projects of a certain size.

Clarkson, et al. (2001) note that:

A key separation is between countries such as the U.S., UK, and Australia that base decisions on a risk assessment process, versus other countries such as the Netherlands, China, and Japan that make decisions based on a comparison to established criteria. Other countries such as Italy and Singapore have a hybrid system whereby a comparison to criteria is used in some instances and a risk assessment is employed in others. As the exchange of technical information among risk assessment scientists increases, the continued development of risk assessment methodologies in different countries will most likely be similar, but tempered by their cultural, socioeconomic, and regulatory needs. The use of risk assessment as a tool to evaluate potential harm to human and ecological health still contains many uncertainties and significant basic science data gaps. However, it is this increased communication among scientists throughout the world that will ultimately allow the risk analysis and risk management process for contaminated land to be explored.

STATUS

The study by Clarkson, et al. (2001) is current as of 2001. Additional information can be obtained from the report.
AUSTRALIAN ENVIRONMENTAL RISK MANAGEMENT

BACKGROUND

HB 203-2000 Environmental risk management - Principles and process is published by Standards Australia. This document is based on AS/NZS 4360. The Scope of AS/NZS 4360 indicates, "this guide presents an integrated framework of principles, practices and criteria for implementing best practice in environmental risk management." This Guide recognizes that environmental risk management potentially covers a very wide range of issues:

Environmental risk management provides a structured, systematic approach to environmental decision making. The strength of the risk management approach is that it combines various technical assessments and consultative approaches into a process that supports informed, consistent and defensible decision making. Environmental risk management differs from managing other types of risk because its particular characteristics reflect the complexity of the environment. The large number of ecosystems and organisms, and how they interact with one another and their surroundings, creates a high degree of complexity and introduces significant uncertainty. Some of the factors that affect environmental risk management include:
• lack of data
• natural variability
• immature sciences
• long time spans
• potential effects and irreversible outcomes
• complex and extensive web of stakeholders
• lack of clear relationships between effects and causes.

Part of the difficulty in environmental risk management stems from the long time spans and the assumptions that need to be made about the projected impacts of environmental situations. Additionally, the Guide notes that "many arguments and disagreements on environmental issues occur because the parties involved are using different criteria for assessment, and because these criteria have never been articulated and negotiated."
DESCRIPTION

HB 203 states that the purpose of conducting a risk evaluation:

is to compare risks against previously established criteria, to determine
• Whether to proceed or continue with an activity
• Whether risk treatment is required, and
• Whether to prioritize (rank) the risks for treatment.

In conducting an environmental risk assessment, HB 203 suggests that:

The following steps provide a practical guide on how to identify sources of risk and potential environmental impacts:
• Identify sources of risk.
• Describe the surrounding environment.
• Identify potential environmental impacts.

According to HB 203, environmental risks can be grouped into two categories:
1. Risks to the environment: flora and fauna, human health, human social and cultural welfare, earth, air and water resources, energy and climate.
2. Risks to an organization from environment-related issues: not complying with legislation, business losses, loss of reputation, fines, costs of litigation, failure to secure permits, etc.

HB 203 notes that:

semi-quantitative analysis does not properly differentiate between risks when either likelihood or consequences are extreme. The analysis of environmental risk often produces results with a high degree of uncertainty. Reasons for this are:
• complexity
• statistical fluctuations (variability)
• lack of reliable data
• time factors

HB 203 suggests that quantitative risk analysis can provide a more objective approach for setting environmental standards, yet it recognizes that communicating the results of a quantitative analysis to stakeholders can be difficult. This difficulty arises in part because risk evaluation needs to take into account society's values, perceptions and attitudes. The document indicates that the outcome of risk evaluation is a decision as to the acceptability of a given risk for a particular activity. To make this determination HB 203 assumes that the criteria for acceptable risk have been previously determined.
FLOWCHART

HB 203 shares the same basic approach to risk management as shown in AS/NZS 4360. The approach includes the following steps:
• Establish the context
• Identify risks
• Analyse risks
• Evaluate risks
• Treat risks

RISK SCORING SYSTEM

HB 203 uses a qualitative risk analysis adapted from AS/NZS 4360. Examples are presented in the document and appear in Tables 16.5-16.6.

Table 16.5 - Example Qualitative Likelihood Measures, HB 203-2000
Level  Descriptor      Description
A      Almost certain  Is expected to occur in most circumstances
B      Likely          Will probably occur in most circumstances
C      Possible        Could occur
D      Unlikely        Could occur but not expected
E      Rare            Occurs only in exceptional circumstances

Table 16.6 - Example Qualitative Impact Measures, HB 203-2000
Level  Descriptor     Description
1      Catastrophic   Death, toxic release off-site with detrimental effect, huge financial loss
2      Major          Extensive injuries, loss of production capability, off-site release contained with outside assistance and little detrimental impact, major financial loss
3      Moderate       Medical treatment required, on-site release contained with outside assistance, high financial loss
4      Minor          First aid treatment, on-site release immediately contained, medium financial loss
5      Insignificant  No injuries, low financial loss, negligible environmental impact

Impact can address more than just human health. HB 203 presents examples of potential environmental impact consequences in Appendix F. The list of areas impacted includes:
• General environmental and social impacts
• Human health
• Land-based ecosystem
• Aquatic ecosystem
• Cultural heritage

For each impacted area, example descriptions of the consequences and ratings are provided. For instance, a Level 3 consequence for the Aquatic ecosystem area has the following description: "significant localized impacts but without longer-term impact on aquatic ecosystems, and/or short term impacts on water resources."
Once the likelihood and consequence risk factors are rated, these factors are combined to obtain a risk level as shown in Table 16.7.

Table 16.7 - Example Risk Matrix, HB 203-2000
                                Consequences
Likelihood       Catastrophic  Major  Moderate  Minor  Insignificant
Almost certain   E             E      E         H      H
Likely           E             E      H         H      M
Possible         E             E      H         M      L
Unlikely         E             H      M         L      L
Rare             H             H      M         L      L

Legend
E: Extreme risk, immediate action required
H: High risk, management attention needed
M: Moderate risk, management responsibility must be specified
L: Low risk, manage by routine procedures

NOTE: The number of categories should reflect the needs of the study, and the ability to distinguish between categories reliably.

STATUS

Environmental risk management and HB 203-2000 currently apply in Australia. Additional information is available at www.standards.com.au.

U.S. APPLICATIONS

BACKGROUND

The National Center for Environmental Assessment (NCEA) is a part of the Office of Research and Development (ORD) within the U.S. Environmental Protection Agency. The following information comes from the www.epa.gov/ncea web site:

A major goal of the ORD/NCEA is to perform the research necessary to develop an accessible, seamless, common methodology for combined human health and ecological risk assessments, so that decision-makers at all levels can have the integrated view of risk needed to make sound decisions. NCEA research activities are focused on developing and evaluating model-based methodologies and techniques to improve the risk assessor's ability to synthesize, put into context and use exposure and effects data in risk assessment. Research is performed to evaluate different risk assessment approaches and the implications of using them. NCEA's goal is to advance the science of multiple-scale, multiple-stressor and multiple-endpoint ecological assessments. This will be accomplished by emphasizing research in three areas:
1. Developing risk assessment guidance,
2. Performing risk assessments, and
3. Conducting research on methods.

The ability to assess risks to ecosystems must be based on a knowledge of ecosystem behavior, and herein may lie the greatest risk to ecosystems: lack of knowledge of how ecosystems respond to multiple stressors.

Garrick (2000) lists the following significant federal laws relating to the management and disposal of solid and hazardous waste in the U.S.:
1965  Solid Waste Disposal Act
1976  Resource Conservation and Recovery Act (RCRA)
1980  Comprehensive Environmental Response, Compensation and Liability Act (CERCLA, Superfund Act)
1984  Hazardous and Solid Waste Amendments, Resource Conservation and Recovery Act
1986  Superfund Amendments and Reauthorization (SARA)
1990  Pollution Prevention Act
1992  Federal Facility Compliance Act

However, Garrick (2000) does indicate that most of these laws are light on the use of risk assessment methods.

For many years environmental cleanup efforts were based on meeting specific remediation levels. In the early 1990s a different approach emerged as a means to lower cleanup costs based on risks posed to human health and the environment. Risk-Based Corrective Action (RBCA, or "Rebecca Standards") is defined by the U.S. EPA as: "A streamlined approach in which exposure and risk assessment practices are integrated with traditional components of the corrective action process to ensure that appropriate and cost-effective remedies are selected, and that limited resources are properly allocated." The stated goals of an RBCA effort are:
1. Protection of human health and environment
2. Practical and cost-effective application of risk-based decision-making
3. Consistent and technically defensible administrative process.

Nielsen (1997) states that "RBCA is a streamlined cookie-cutter cleanup process developed as a consensus standard by the stakeholders. It is a formulaic version of the risk assessment principles used in CERCLA, Superfund and RCRA."
Kauffman (2003) states that "The EPA, FDA, Department of Energy, Department of Defense, and many states support and have adopted this approach. RBCA has been successfully utilized in the assessment and cleanup of releases from petroleum underground storage tanks."

In California, the Office of Environmental Health Hazard Assessment (OEHHA) is responsible for developing and providing risk managers in state and local government agencies with information relevant to decisions involving public health. Therefore, the OEHHA has risk assessment responsibilities. OEHHA has developed A Guide to Health Risk Assessment, which contains a basic explanation of the risk assessment process for lay people involved in environmental health. In 1993, the California state legislature directed the OEHHA to conduct an external scientific peer review of the risk assessment practices used by the California EPA. The final report of the 34-member committee was published in 1996 as A Review of the California Environmental Protection Agency's Risk Assessment Practices, Policies, and Guidelines. The committee expressed "strong endorsement of risk assessment as the primary tool for characterizing, quantifying and prioritizing risk associated with chemical hazards."

DESCRIPTION

According to the NCEA:

The risk assessment process provides a way to develop, organize and present scientific information so that it is relevant to environmental decisions. Risk assessments can also provide a focal point for cooperation among local communities and state and federal government agencies. Risk assessment results provide a basis for comparing different management options, enabling decision makers and the public to make better informed decisions about the management of ecological resources.

The Integrated Risk Information System (IRIS), prepared and maintained by the U.S. EPA, is an electronic database containing information on human health effects that may result from exposure to various chemicals in the environment. IRIS was initially developed for EPA staff in response to a growing demand for consistent information on chemical substances for use in risk assessments, decision-making and regulatory activities. The heart of the IRIS system is its collection of computer files covering individual chemicals. These chemical files contain descriptive and quantitative information in the following categories:
• Oral reference doses and inhalation reference concentrations for chronic noncarcinogenic health effects.
• Hazard identification, oral slope factors, and oral and inhalation unit risks for carcinogenic effects.

IRIS is a tool that provides hazard identification and dose-response assessment information, but does not provide situational information on individual instances of exposure. Combined with specific exposure information, the data in IRIS can be used for characterization of the public health risks of a given chemical in a given situation, which can then lead to a risk management decision designed to protect public health.

FLOWCHART

The EPA conducts risk assessments in four steps:
• Hazard identification
• Dose response assessment
• Exposure assessment
• Risk characterization

This process is shown in Figure 16.2.

STATUS

NCEA has developed several guidelines and guidance documents for environmental risk assessment methodologies. Additional information is available at www.epa.gov. There are several risk models and software tools that aid environmental risk assessment. These can be found at http://cfpub.epa.gov/ncea/cfm/ncearisktools.cfm. Most state and even some county or municipal agencies also have risk assessment guidelines.

ECOLOGICAL RISK ASSESSMENT

BACKGROUND

The U.S. EPA (1998) defines ecological risk assessment as "the process that evaluates the likelihood that adverse ecological effects may occur or are occurring as a result of exposure to one or more stressors." Suter (2001) notes, "ecological risk assessments are simply those risk assessments that support decisions concerning a hazard to nonhuman biological systems."

DESCRIPTION

In citing several lessons learned in performing ecological risk assessments, Suter (2001) shares:
• The identity of the site matters - site-specific issues require the use of site-specific data and the involvement of the local community to ensure the relevance of assessment results. This contrasts with practice in human health risk assessment, which tends to ignore variances in properties of human environments.
• Risk assessments should be comparative - comparative assessment requires estimates of effects, not just thresholds for acceptability or exclusionary rules.
• Disparate risks must be balanced - the problems of comparing trees to fish or changes in trophic status of a stream to changes in the area of wetlands are difficult enough, but comparisons of human risks to ecological risks are extremely difficult; the balancing process may demand more explicit and complete predictions from the risk assessors than are commonly provided.
• Ecological risk assessments must be timely as well as informative.
• Ecological risk assessments should be made as simple as possible, but no simpler.
• Ecological risk assessments should be useful decision-support documents, not voluminous full-disclosure documents.

Ecological risk assessment has been largely devoted to assessing risks from chemicals and chemical mixtures. Ecological risk assessment is diversifying to include risks from exotic species, habitat modifications, harvesting, climate change, and other anthropogenic and natural agents. If ecological resources are to be protected and enhanced, all agents acting upon them must be subject to ecological risk assessment.
Concerning the results of an international working group on ecological risk assessment, MacDonell and Holoubek (2001) note that:
The working group identified the following primary research gaps and needs that affect ecological risk assessment applications in Eastern Europe and developing countries:
1. integrated methods and tools for a spectrum of environmental problems
2. basic and baseline ecological information
3. streamlined and consistent databases
4. guidelines for interpreting data and model outputs
5. effective approaches for increasing awareness of ecological risk assessment
6. mixtures assessment data and methodology
7. cumulative risk methodology
The seven recommendations from the working group to facilitate effective implementation of ecological risk assessment in Eastern Europe and developing countries include:
1. prepare an integrating ecological risk assessment handbook
2. construct an integrated environmental/ecological database
3. harmonize ecological methods and tools
4. enhance interactions among practitioners by establishing an international ecological risk assessment network
5. assist with implementing ecological risk assessment for decision-making through a hands-on support service
6. conduct an ecological risk assessment awareness program and maintain educational/outreach activities
7. prepare joint proposals to pursue funding so these recommendations can become realities

STATUS
Ecological risk assessments tend to be performed only when an agency requires one, in part because these assessments tend to be viewed as offering little value to industry. Additional information is available from Suter (2001), MacDonell and Holoubek (2001), and the U.S. EPA.

WASTES

BACKGROUND
Treatment plants present a different risk assessment situation than process facilities such as those in the oil and chemical industries.
Treatment plants can be publicly owned treatment works such as a municipal waste water treatment plant, an industrial waste water treatment plant that discharges to a publicly owned treatment works, or a hazardous materials or solid waste recycling/processing facility. Petersen (2000) summarizes the primary difficulties:
• Numerous substances and mixtures
• Unpredictable composition of the actual waste
• Numerous possibilities for unwanted mixtures
• Difficulties in assessing the frequency of occurrence of each identified mixture
• Difficulties in setting up an appropriate risk management system

DESCRIPTION
Garrick (2000) addresses nonradioactive waste disposal in the U.S. He indicates that:
Risk assessment activities in the waste disposal area are primarily undertaken by the regulatory agencies to develop prescriptive effluent standards. Only in unusual situations, such as when applying for a waiver, are any site-specific analyses undertaken. It should also be noted that this is an open process in that the risk assessments do undergo peer review and are open to public comment.
Garrick (2000) also notes that:
Although the U.S. EPA has been reasonably aggressive in pushing risk assessment models, there is still little application to solid waste disposal. The risk assessment work that is selectively performed in the waste disposal area is primarily based on deterministic models whose objective is to establish the migration of the contaminants from the source to the receptor by various pathways. These models do turn out to be quite complex.
Risk assessment concepts appear in several locations in OSHA regulations concerning hazardous waste operations. Under 29 CFR 1910.120, Hazardous waste operations and emergency response, OSHA requires that:
Employers shall develop and implement a written safety and health program for their employees involved in hazardous waste operations.
The program shall be designed to identify, evaluate, and control safety and health hazards, and provide for emergency response for hazardous waste operations. [1910.120(b)(1)(i)]
The regulation further requires that both hazard identification and risk identification be conducted. Hazard identification addresses suspected conditions that may pose inhalation or skin absorption hazards. Under risk identification, the regulation states:
Once the presence and concentrations of specific hazardous substances and health hazards have been established, the risks associated with these substances shall be identified. Employees who will be working on the site shall be informed of any risks that have been identified. [1910.120(c)(7)] (emphasis added)
The risk assessment method used in the waste industry is essentially identical to the U.S. EPA procedure described previously. To be most effective, companies should perform risk assessments early in the design process of products and manufacturing systems. For example, the choice of solvents, paints, adhesives, and components that impact the air, water and hazardous wastes can significantly impact system performance positively or negatively. Performing an environmental risk assessment can help minimize risks posed by wastes.
Inadvertent contamination is also a waste challenge. At many manufacturing facilities spills occur that require remedial environmental risk assessments to determine what needs to be remediated to what concentrations, if at all.

FLOWCHART
Refer to Figure 16.2 for the risk assessment method used by the EPA in the U.S. waste industry.

STATUS
OSHA regulations are current and apply to employers in the U.S. Additional information is available at www.osha.gov and www.epa.gov.

REFERENCES
1996 as A Review of the California Environmental Protection Agency's Risk Assessment Practices, Policies, and Guidelines.
AS/NZS 4360-1999. Risk Management. Standards Australia, www.standards.com.au.
Benjamin, S.L. & Belluck, D.A.
(Eds.). (2001). A practical guide to understanding, managing, and reviewing environmental risk assessment reports. Boca Raton, FL: CRC Press/Lewis Publishers, Inc.
Clarkson, J., Glaser, S., Kierski, M., Thomas, T., Gaccetta, J., Campbell, C., et al. (2001). Application of risk assessment in different countries. In Linkov, I. & Palma-Oliveira, J. (Eds.), Assessment and management of environmental risks (pp. 3-9). Netherlands: Kluwer Academic Publishers.
Garrick, B.J. (2000). Invited expert presentation, Radioactive waste disposal. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.
HB 203-2000. Environmental risk management - Principles and process. Standards Australia, www.standards.com.au.
ISO 14001:1999. Environmental management systems - Specification with guidance for use. International Organization for Standardization, www.iso.ch.
ISO 14004:1996. Environmental management systems - General guidelines on principles, systems and supporting techniques. International Organization for Standardization, www.iso.ch.
ISO/TR 14061:1998. Information to assist forestry organizations in the use of environmental management system standards ISO 14001 and ISO 14004. International Organization for Standardization, www.iso.ch.
Italian Ministry of the Environment Decree DM 471/99. www.mmambieme.it/Sito/home.asp.
Kauffman, J.S. (2003). Risk-based corrective action determines analytical approach. Lancaster Laboratories. www.lancasterlabs.com/whatsnew/envpersp/spring2003/riskbased.htm.
MacDonell, M. & Holoubek, I. (2001). Methods and tools for assessment and management of environmental risks. In Linkov, I. & Palma-Oliveira, J. (Eds.), Assessment and management of environmental risks (pp. 3-9). Netherlands: Kluwer Academic Publishers.
Neilsen, J. (1997). Analytical testing recommended for risk-based corrective action (RBCA). Overview of the state of RBCA implementation in the U.S.
with emphasis on the state of California. www.zvmaxusa.com/technotes/rbca-aug97.html.
OSHA. (1999). 29 CFR 1910.120. Hazardous waste operations and emergency response. Occupational Safety and Health Administration, www.osha.gov.
People's Republic of China. (1999). Environmental Quality Risk Assessment Criteria for Soil at Manufacturing Facilities.
Petersen, K. (2000). Specific issues in risk assessment for waste repositories/treatment plants. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.
Suter, G.W. (2001). Developments and trends in ecological risk assessment. In Linkov, I. & Palma-Oliveira, J. (Eds.), Assessment and management of environmental risks (pp. 3-9). Netherlands: Kluwer Academic Publishers.
The Integrated Risk Information System (IRIS), www.epa.gov/iris/.
The National Center for Environmental Assessment (NCEA), Office for Research and Development (ORD) within the U.S. Environmental Protection Agency, www.epa.gov/ncea.
The National Development Act (1971). Wellington, New Zealand: Government Print.
U.S. Environmental Protection Agency. (1998). Guidelines for ecological risk assessment. Risk Assessment Forum, Washington, D.C. www.epa.gov.
Wrigley, J. & Tromp, F. (1995). Risk management of major hazards in Hong Kong. In Melchers & Stewart (Eds.), Integrated risk assessment (pp. 37-41). Rotterdam: Balkema.
Zach, L.S. & Keey, R.B. (1995). Towards a methodology for environmental risk analysis. In Melchers & Stewart (Eds.), Integrated risk assessment (pp. 235-242). Rotterdam: Balkema.

ERGONOMICS
General
Ergonomics in the Machine Tool Industry
Ergonomics in the U.S. Army
Ergonomics in the United Kingdom
Manual Handling in Australia
A Sample Ergonomic Assessment Tool
Other Ergonomic Risk Assessment Activities

GENERAL

BACKGROUND
The Board of Certification for Professional Ergonomics has adopted the following definition of ergonomics:
a body of knowledge about human abilities, human limitations and human characteristics that are relevant to design. Ergonomic design is the application of this body of knowledge to the design of tools, machines, systems, tasks, jobs, and environments for safe, comfortable and effective human use.
This definition is based on the work of Chapanis (1988). A similar definition can also be found in Chaffin and Andersson (1984), Ergoweb (2002), the U.S. Navy (2002), and others. Some authors succinctly describe ergonomic activities as "fitting the task to the person."
The following terms are used to describe ergonomic injuries:
• Cumulative Trauma Disorders (CTDs)
• Musculoskeletal Disorders (MSD)
• Musculoskeletal Injuries (MSI)
• Overuse Syndrome
• Repetitive Strain Injuries (RSI)
• Work-Related Musculoskeletal Disorders (WMSDs)
The World Health Organization (WHO) and the National Institute for Occupational Safety and Health (NIOSH) have moved to the WMSD term.
The idea of making work easier and more productive has been around for decades. However, the last twenty years have seen more scientific and methodical approaches to learning about human capabilities, limitations and reactions. This attention has resulted in many advanced ergonomic tools and simulation capabilities to conduct ergonomic risk assessments. At the same time, ergonomists have desired simple tools that can be applied by individuals without advanced ergonomic training. This has led to tools that are easily applied and very effective for industry. The result is an array of new ergonomic tools available for use. A variety of analytical tools are now used to identify ergonomic risks.
The tools often focus on a specific type of work or a particular body part. Checklists are commonly used, whether in worksheet form or incorporated into software tools. Many of the more advanced tools are based on research found in Snook and Ciriello (1991) and NIOSH (1994).
A wide variety of checklists, interview worksheets and analytical ergonomic assessment tools are available free on the Internet, commercially and in software form. In some cases the list of items is posed as questions requiring a Yes/No or a rating answer, whereas others more concisely list only the ergonomic risk factor and provide a rating area. The reader is cautioned on the use of any tool, as not all tools have been tested for reliability and validity.

DESCRIPTION
Assessing a workplace for ergonomic risks generally involves two steps:
1. Identifying the existence of ergonomic risks, and
2. Quantifying the degree of ergonomic risk
The assessment is often based on the affected body region(s) such as hand, shoulder, back, and others. The second step requires examining specific factors that contribute to ergonomic risk. Most ergonomic risk assessment tools include the following risk factors that act between the worker and the work setting:
• Posture
• Force (static exertion, grip, contact trauma)
• Repetition
• Duration
• Segmental vibration
In addition, the following risk factors address the working environment:
• Heat stress
• Cold stress
• Whole body vibration
• Lighting
• Noise
The list of ergonomic risk factors depends on the particular application. Adding or substituting risk factors commonly occurs.
In certain applications one or more of the following more specific risk factors may be used:
• Continued elbow or shoulder elevation
• Excessive bending, twisting, over-reaching
• Excessive pinch gripping
• Excessive use of small muscle groups
• Frequency
• Heavy dynamic exertion
• Improper seating or support
• Inappropriate hand tools
• Mechanical compression
• Overexertion
• Overhead work
• Recovery time
• Restrictive personal protective equipment
• Restrictive workstation
• Sustained positions
• Velocity/acceleration
With most of these risk factors, the more frequent, more severe, or longer the at-risk action occurs, the greater the risk. Risk factors are not independent, nor do they impact the risk of injury equally. For example, the number of permissible repetitions is influenced by the duration and force required during the task. Ringelberg and Koukoulaki (2002) review several integrated methods that take into account combinations of risk factors.
Ergonomic risk assessments usually use drawings, pictures or diagrams to show situations that have higher ergonomic risk. The diagrams typically identify different severity levels in terms of angles or deviation from the neutral position. An example of a visual presentation for the posture risk factor for wrist articulation is shown in Figure 17.1.
Figure 17.1 - Posture Benchmarks for Wrist Articulation
Visually portraying differing positions, postures, exposures or situations helps in properly assessing the ergonomic risks.

RISK SCORING SYSTEM
The general ergonomic risk assessment process closely follows other risk assessment methods except that the specific risk factors used pertain specifically to ergonomics. Common ergonomic risk factors include:
• Force
• Duration
• Posture
• Repetition
In many ergonomic risk assessment tools, the risk scoring system used is based on a High-Moderate-Low, color coded system as shown in Table 17.1.
Table 17.1 - Sample Ergonomic Risk Rating
Risk Rating | Color
High | Red
Moderate | Amber/yellow
Low | Green
Each risk factor is typically rated as High/Moderate/Low for a given task. The individual risk factors are then combined to provide an overall risk level for the task. How the risk factors map to an overall risk level varies from tool to tool. Examples of different ergonomic risk assessment methods are contained in the rest of this chapter.

STATUS
Additional information on analytical ergonomic assessment tools can be found in Hagber et al. (1995), Lifshitz and Armstrong (1986), Bhattacharya and McGlothlin (1996), Keyserling et al. (1992), Keyserling et al. (1993), Waters (1993), and the University of Utah Research Foundation Ergoweb Internet site, www.ergoweb.com. Additional information on ergonomic risk factors is available from Ergoweb (2002), Wilsey (undated), OPNAVINST (2002) and others.

ERGONOMICS IN THE MACHINE TOOL INDUSTRY

BACKGROUND
The U.S. machine tool industry published ANSI B11 Technical Report #1, Ergonomic Guidelines for the Design, Installation and Use of Machine Tools, in 1993. The purpose of the Guidelines is "to provide a uniform approach to ergonomic considerations for machine tools within the workplace. This document addresses those considerations which will assist in design, installation and use of manufacturing systems, including individual and integrated machine tools and auxiliary components." ANSI B11 TR1 contains background information on basic ergonomic factors and guidelines to be used in the design of machine tools. Areas covered include anthropometrics, layout of machine elements, controls, displays and maintainability. The document also discusses environmental hazards that can impact human performance.
More recently, Ringelberg and Koukoulaki (2002) published an Ergonomic Guide for machinery design where they note "ergonomics is one thing that cannot be tacked on after a machine has been manufactured, but must be designed-in at the earliest stages. Improvement of regulation and technical standards development, however, cannot wait on better information." The Guide is mainly addressed to machinery designers. The document addresses the hazards of musculoskeletal disorders (MSD):
The document offers a collection of estimation methods from a range of sources in a quest for a European consensus on better ways of preventing MSD. We mean to factor the 'end users' perspectives into the design process by showing how workplace knowledge can be channelled into the conceptual stage of machinery design. We strongly believe that end-users can contribute to improved machinery design by informing the process with their real-life experience of integrating with machines and the problems they have met.
The Guide also addresses activity in Europe:
The General Product Safety Directive requires manufacturers to take measures to inform themselves about whatever risks their products present in actual use. The Framework Health and Safety Directive 89/391/EEC lays a duty on all employers to perform a risk assessment for all the risks at the workplace. Even CE marked machinery still needs to be evaluated in the working environment. Ergonomic risks should be included in the assessment process. Workers have the right to participate in the risk assessment.
In their discussion of ergonomics in the European machine tool industry, Ringelberg and Koukoulaki (2002) are critical of the European standard for risk assessment EN 1050 because:
As stated in the foreword, EN 1050 as it stands makes no reference to data drawn from users' experience. The standards provide no channel for users' opinions.
There is a break in the chain between manufacturers and workplace information. (emphasis in original) Workers interact with machines on a day-to-day basis. They know what risk factors are associated with a machine and can also identify which phases of the production process and specific activities most endanger them. The difference between what really happens and what designers have in mind seems to be one big cause of inefficiently or dangerously designed production facilities.
Please see Chapter 24 for more discussion on EN 1050.

DESCRIPTION
ANSI B11.TR1 contains considerable quantitative and qualitative guideline information in the Annexes for conducting ergonomic analyses. These Annexes provide performance measures for ergonomic concerns such as:
• reach and grasp dimensions;
• body dimensions;
• lifting, lowering, pushing, pulling and carrying guidelines;
• standing work task height guidelines;
• direction of control movement; and
• press palm buttons and machine controls.
The information provided in ANSI B11.TR1 is intended to yield acceptable risk levels when used in machine tool design, installation and use.
Ringelberg and Koukoulaki (2002) present a three step approach to risk assessment as follows:
Step 1 Defining the problem
Step 2 Hazard identification
Step 3 Risk estimation
The outcome of the last step is a risk level.

RISK SCORING SYSTEM
The risk scoring system used in the Ringelberg and Koukoulaki (2002) approach is described as a "three-zone model" such as appears in Table 17.2.
Table 17.2 - Three Zone Risk Model (Ergonomics)
Color | Risk
Red | Not acceptable
Yellow | Conditionally acceptable
Green | Acceptable
Ringelberg and Koukoulaki (2002) describe the implications of the results as follows:
If the outcome is that the risk is acceptable, then the risk assessment is complete. If the outcome is that the risk is conditionally acceptable, then ways must be found of making improvements to the design of the product.
Experts may carry out a more detailed risk evaluation. If the outcome is that the risk is not acceptable, then appropriate steps must be taken to change the machine design (then start over at Step 1).

STATUS
ANSI B11 Technical Report #1 is an approved and current technical report. It is an informative rather than normative document, as it is not an ANSI standard. The report can be obtained from www.amtonline.org. Two more machinery related ergonomic EN standards remain in development:
prEN 1005-2 Part 2: Manual handling of machinery and component parts of machinery.
prEN 1005-5 Part 5: Risk assessment for repetitive handling at high frequency.
Information on these standards was not available at press time.

ERGONOMICS IN THE U.S. ARMY

BACKGROUND
Wilsey (undated) prepared an ergonomics standard operating procedure for the U.S. Army. The stated purpose and policy of the procedure is: "to provide procedures for the integration of risk management into the ergonomics program. All ergonomic evaluations will be completed by a trained ergonomics person utilizing the Ergonomics Risk Assessment Worksheet."

DESCRIPTION
The procedure includes five steps in the ergonomic risk management process:
1. Identify ergonomic risk/hazards.
2. Assess ergonomic risk/hazards.
3. Make decisions and develop controls.
4. Recommend implementation of controls.
5. Train employees and supervisors.

RISK SCORING SYSTEM
This U.S. Army procedure uses two risk factors, severity and probability. The risk factors appear in Tables 17.3 and 17.4. These risk factors are combined to yield a risk level as shown in Table 17.5. The risk levels are described in Table 17.6.
Table 17.3 - Severity Risk Factor (U.S. Army)
Level | Label | Description
1. | CATASTROPHIC | Death or permanent total disability, system loss, major property damage.
2. | CRITICAL | Permanent partial disability, temporary total disability in excess of 3 months.
3. | MODERATE | Minor injury, lost workdays, compensable injury/illness, minor system damage, minor property damage.
4. | NEGLIGIBLE | First aid or minor supportive medical treatment, minor system impairment.
Table 17.4 - Hazard Probability (U.S. Army)
Level | Label | Description
A. | FREQUENT | Occurs often - Person continuously exposed.
B. | LIKELY | Occurs frequently - Person exposed several times.
C. | OCCASIONAL | Occurs sometimes - Person exposed sporadically.
D. | SELDOM | Remote occurrence - Person possibly exposed.
E. | UNLIKELY | Rare occurrence of exposure.
Table 17.5 - Ergonomic Risk Assessment Matrix (U.S. Army)
Severity \ Hazard Probability | Frequent-A | Likely-B | Occasional-C | Seldom-D | Unlikely-E
Catastrophic-I | Extremely High | Extremely High | High | High | Medium
Critical-II | Extremely High | High | High | Medium | Low
Moderate-III | High | Medium | Medium | Low | Low
Table 17.6 - Risk Levels (U.S. Army)
Level | Description
EXTREMELY HIGH | Loss of ability to accomplish mission.
HIGH | Significantly degrades mission capability.
MEDIUM | Degrades mission capability.
LOW | Little or no impact to mission capability.
The procedure uses an Ergonomics Risk Management Worksheet that considers both short term risk and long term risk. A sample worksheet appears at Figure 17.2.
1. Employee's Name/Job Title: JANE DOE, SECRETARY GS-05
2. Work Location
3. Date
4. Prepared By
5. Supervisor's Name/Job Title
6. HAZARDS | 7. SHORT TERM RISKS | 8. LONG TERM RISK | 9. HAZARD PREVENTIONS AND CONTROLS | 10. RESIDUAL RISK | 11. WHO IMPLEMENTS | 12. BENEFITS | 13. APPROX COST
Computer Work Station | M | H | Education/Training; Work Station adjustments; Exercise | L | OSH | Moral/Caring Attitude; Emotional/Physical Stress Reduced | $0
Employee Chair | M | EH | Purchase Ergonomic Chair | L | DEPT | Back support; Height Adjustments; Reduce risk CTD | $300
Poor Lighting | L | M | Purchase Screen Glare Reducer | L | DEPT | Productivity increase | $10
14. OVERALL RISK LEVEL AFTER CONTROLS ARE IMPLEMENTED (CIRCLE ONE): LOW MEDIUM HIGH EXTREMELY HIGH
1. DIRECTOR/MACOM APPROVAL: SIGNATURE; RANK/LAST NAME/DUTY POSITION
NOTE: ATTACH THIS WORKSHEET TO DA FORM 3953 PURCHASE REQUEST
Figure 17.2 - Sample Ergonomic Risk Assessment Worksheet, U.S. Army

ERGONOMICS IN THE UK

BACKGROUND
Morris (2002) indicates that:
Prevention and control of work related musculoskeletal disorders (WRMSD) is now a major Health and Safety Commission priority and the key to improving occupational health. It can be particularly difficult to establish the degree of risk in relation to WRMSD because of the lack of quantitative exposure-response relationships, the wide range of risk factors and the interactions between them. A user-friendly screening tool was needed that would help inspectors to identify key musculoskeletal risk factors without necessarily having to call on specialist back-up in the first instance.

DESCRIPTION
Based on this need, Morris (2002) has developed "a practical workplace risk assessment tool." He describes the tool as follows:
Initial trials suggested that a flow chart approach would be most likely to meet the Health and Safety Executive's (HSE) specification, showing that users were able to obtain consistent scores with minimal training. Further trials resulted in improvements to the layout and scoring system and led to the development of three charts covering lifting, carrying, and team handling operations, respectively.
Morris continues:
All follow a similar approach, requiring the inspector to rank manual handling risk factors against 'purple', 'red', 'amber' or 'green' criteria. The colour bands give an indication of the level of risk and are based on ergonomics data derived from HSE's guidance on the Manual Handling Operations Regulations. A load-frequency relationship used in the charts derives from the psychophysical studies of Snook and Ciriello.
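The U.S. Army matrix in Tables 17.3 to 17.6 above is a lookup table plus a roll-up rule, and the worksheet in Figure 17.2 applies it twice per hazard (before and after controls). The following Python is an added illustration of that procedure; it is not code from the book or from the Army standard operating procedure. The level codes are taken from the tables; the sample hazards and their severity/probability codes are constructed for the example (the worksheet figure shows only the resulting levels), and the function and variable names are the example's own. Because the extract reproduces no Table 17.5 row for severity IV (Negligible), the lookup refuses to rate that severity instead of guessing a value.

```python
"""Risk matrix lookup for the U.S. Army ergonomic procedure (Tables 17.3 to 17.6).

Added illustration; not code from the book or from the Army procedure. The
level codes come from the tables; the sample hazards at the bottom are
constructed for this example and are not the worksheet's own data.
"""
from enum import IntEnum


class Severity(IntEnum):
    """Table 17.3 severity levels (Roman numerals in Table 17.5)."""
    CATASTROPHIC = 1  # I
    CRITICAL = 2      # II
    MODERATE = 3      # III
    NEGLIGIBLE = 4    # IV: no Table 17.5 row is reproduced in the text


# Table 17.4 probability codes, from most to least frequent exposure.
PROBABILITY_CODES = ("A", "B", "C", "D", "E")

# Table 17.5, one row per severity level, one column per probability code.
# Only rows I to III appear in the text, so only those are encoded here.
RISK_MATRIX = {
    Severity.CATASTROPHIC: ("EH", "EH", "H", "H", "M"),
    Severity.CRITICAL:     ("EH", "H", "H", "M", "L"),
    Severity.MODERATE:     ("H", "M", "M", "L", "L"),
}

# Table 17.6 levels ordered from least to most serious, for comparisons.
RISK_ORDER = {"L": 0, "M": 1, "H": 2, "EH": 3}


def has_rating(severity, probability):
    """True when Table 17.5, as printed, covers this severity/probability pair."""
    return Severity(severity) in RISK_MATRIX and probability in PROBABILITY_CODES


def risk_level(severity, probability):
    """Return the Table 17.6 code for one severity/probability pair.

    Raises rather than guessing when the pair is outside the published table,
    which is the case for severity IV (Negligible).
    """
    if probability not in PROBABILITY_CODES:
        raise ValueError(f"unknown hazard probability code {probability!r}")
    row = RISK_MATRIX.get(Severity(severity))
    if row is None:
        raise KeyError(f"Table 17.5 gives no row for severity {Severity(severity).name}")
    return row[PROBABILITY_CODES.index(probability)]


def overall_risk(levels):
    """Worksheet block 14: the overall level is the worst individual level."""
    levels = list(levels)
    if not levels:
        raise ValueError("no hazards assessed")
    return max(levels, key=RISK_ORDER.__getitem__)


def assess_worksheet(hazards):
    """Rate each hazard before and after its controls and roll up the result.

    Each hazard is a dict with keys hazard, severity, probability and
    probability_after (exposure once the listed controls are in place); an
    optional severity_after covers controls that reduce severity instead.
    Returns ({hazard: (initial, residual)}, overall residual level).
    """
    rows = {}
    for h in hazards:
        initial = risk_level(h["severity"], h["probability"])
        residual = risk_level(h.get("severity_after", h["severity"]),
                              h["probability_after"])
        rows[h["hazard"]] = (initial, residual)
    return rows, overall_risk(res for _, res in rows.values())


# Constructed sample: the three hazards of the worksheet figure, with assumed
# severity/probability codes (the figure itself shows only the resulting levels).
SAMPLE_HAZARDS = [
    {"hazard": "Computer work station", "severity": Severity.MODERATE,
     "probability": "A", "probability_after": "D"},
    {"hazard": "Employee chair", "severity": Severity.CRITICAL,
     "probability": "A", "probability_after": "E"},
    {"hazard": "Poor lighting", "severity": Severity.MODERATE,
     "probability": "C", "probability_after": "E"},
]

if __name__ == "__main__":
    per_hazard, overall = assess_worksheet(SAMPLE_HAZARDS)
    for name, (before, after) in per_hazard.items():
        print(f"{name:22s} initial={before:2s} residual={after}")
    print("overall after controls:", overall)
```

Two design points carry over to any risk matrix, ergonomic or otherwise: the lookup should fail loudly for combinations the published table does not define, and the roll-up rule (here, the worst residual level) should be explicit code rather than something the assessor recomputes by hand on each worksheet.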
Each flow chart requires the user to work through a sequence of risk factors commencing with load and lifting/carrying frequency. A colour band and numerical score is allocated for each risk factor and the latter are aggregated to give a cumulative risk ranking score which is used as a comparative measure of risk. The charts are an initial screening tool for identifying high risk activities. Purple or red scores for any risk factor are generally considered to be indicative of a high risk of injury needing prompt action to reduce the risk. For amber scores a more detailed assessment will usually be necessary looking at the scope for reducing the overall risk. Task components with green scores cannot be assumed to be entirely free from risk.

RISK SCORING SYSTEM
Morris (2002) presents the assessment criteria as shown in Table 17.7.
Table 17.7 - Risk Scoring System per Morris (2002)
Risk Color | Description
Purple (very high risk of injury) | Loads of this magnitude should not be manually handled by a single operator
Red (high level of risk) | Prompt action needed
Amber (medium level of risk) | Examine tasks more closely
Green (low level of risk) | The risk of injury is low for the majority of employees except for those with limited capability (e.g., those with a health problem)

STATUS
According to Morris (2002), HSE inspectors have been using the tool on a trial basis for manual handling activities. However, the tool is still under development. The trial and validation studies are expected to be completed soon. Additional information is available at http://www.ergonomics.org.uk/resources/newsinfo/hsenews.htm.

MANUAL HANDLING IN AUSTRALIA

BACKGROUND
The Australian National Standard for Manual Handling (1990) includes risk assessment explicitly in its purpose:
The principal feature of this national code of practice is the provision of a multifactorial approach to risk identification, assessment and control to be applied to manual handling tasks.
This was considered to be a more appropriate method than the exclusive use of weight limits alone.
The National Standard for Manual Handling (1990) provides that:
an employer shall ensure that manual handling, which is likely to be a risk to health and safety, is examined and assessed. Risk assessment is particularly critical whenever:
a) An injury has occurred arising from a work process and/or practice; and
b) A work process and/or practice is introduced or modified.
The document indicates that:
Objectives in relation to training should be established and should include the prevention of manual handling injuries by an approach based on risk identification and assessment, and primary control through job and task design.
The purpose of risk identification is to:
a) Identify, and
b) Place in priority order,
the jobs and tasks which require risk assessment.
This national code of practice provides guidance on the following three key stages in the process of reducing manual handling injuries:
a) Identification of risk factors in the workplace likely to cause manual handling injury;
b) Detailed assessment of particular risk factors; and
c) Principles and examples of control measures to eliminate or reduce risk.

DESCRIPTION
According to the Standard:
There are three basic steps to risk identification:
a) Analysis of workplace injury records,
b) Consultation with employees, and
c) Direct observation or inspection of the task or work area.
The National Standard for Material Handling (1990) requires:
An employer shall ensure, as far as workable, that the risks associated with manual handling are controlled. The employer shall, if manual handling has been assessed as a risk:
a) Redesign the manual handling task to eliminate or control the risk factors; and
b) Ensure that employees involved in manual handling receive appropriate training, including training in safe manual handling techniques.
FLOWCHART
Figure 17.3 of the Code of Practice highlights the role risk assessment plays in the document.
1. RISK IDENTIFICATION
• Analysis of Workplace Injury Records
• Consultation with Employees
• Direct Observation
2. RISK ASSESSMENT
• Actions and Movements
• Workplace and Workstation Layout
• Working Posture and Position
• Duration and Frequency of Manual Handling
• Locations of Loads and Distances Moved
• Weights and Forces
• Characteristics of Loads and Equipment
• Work Organisation
• Work Environment
• Skills and Experience
• Age
• Clothing
• Special Needs
3. RISK CONTROL
• Job Redesign: Modify Object; Modify Workplace Layout; Different Actions, Movements, Forces; Rearrange Materials Flow; Modify Task - Mechanical Assistance; Modify Task - Team Lifting
• Mechanical Handling Equipment: Examples of Mechanical Handling Equipment
• Training: Particular Training; Training in the Principles of Correct Manual Handling and Lifting
• Other Administrative Controls
Figure 17.3 - Three Stage Approach to Safe Manual Handling Per National Code of Practice for Manual Handling (Australia)

RISK SCORING SYSTEM
There is no explicit risk scoring system in this Standard. The Standard focuses on hazard identification and risk assessment via a checklist of questions. Risk assessment as used above does not include the risk assessment process as typically used in other benchmark applications discussed in this book, but presents the results of a risk assessment in question format. The questions comprise the risk factors. The questions are phrased such that a "yes" answer to any question indicates increased risk. The Standard does not explicitly instruct on how to assess risks other than via the checklist.

STATUS
The Australian National Standard for Material Handling is an approved and current standard.
Additional information is available from http://www.nohsc.gov.au/PDF/Standards/manualhandling_standardNOHSC1001_1990.pdf and http://www.nohsc.gov.au/PDF/Standards/manualhandling_cop2005_1990.pdf.

A SAMPLE ERGONOMIC ASSESSMENT TOOL

BACKGROUND
Ridyard, Tapp, and Wylie (2001) describe a sample ergonomic risk assessment tool as follows:
Often, the most significant challenge the facility team faces is how to assess ergonomic risk factors. It can be a challenge to determine whether manual materials handling activities present high, moderate or low risk of MSDs. It can be even more difficult to express this information to management in a manner that will impact ergonomic risk reduction decision making. An ergonomic job measurement system (EJMS) was developed to provide a comprehensive, systematic, easy-to-use method for facility-based teams to assess workplace ergonomic risk factors. The objective of this system is to identify, evaluate and rank cost-effective ergonomic improvements, then drive their implementation to reduce the incidence of significant MSDs.
The goal was to create a simplified assessment tool that required no calculations or extensive computer modeling.

DESCRIPTION
The tool uses two major elements in determining ergonomic risk: repetitive motion/awkward posture and lifting. For the first risk factor, a three level Low-Moderate-High approach is used to rate the risk for each risk factor and a score is assigned based on the ratings. The second factor also uses a numerical rating system of 1, 5, 10, 20 or 30 points. The system reportedly does not require graphs or numerical interpretations. An overall risk level is derived by adding the individual risk scores.

RISK SCORING SYSTEM
The risk scoring system used by Ridyard, Tapp, and Wylie (2001) for the repetitive motion/awkward posture evaluation is force and frequency. Each factor is rated on three levels: high, moderate and low.
These factors are combined to yield a score as shown in Table 17.8.

Table 17.8 - Repetitive Motion/Awkward Posture Evaluation

                         Frequency
   Force           Low     Medium     High
   Low               0        5         10
   Moderate          5       10         15
   High             10       15         20

Ridyard, Tapp, and Wylie (2001) address the ergonomic risks of lifting separately from repetitive motion and posture. For the lifting evaluation, Ridyard et al. assign points based on various elements of a lift such as starting load height, body twisting, and others. The point values are {1, 5, 10, 20, and 30}, with the higher risk receiving higher points. The points for all the lifting elements are summed to obtain a lifting score. The lifting score is added to the Repetitive Motion/Awkward Posture evaluation score to obtain a Total Risk Score. The total risk score correlates to a risk classification as shown in Table 17.9. Note that the repetitive motion/awkward posture score alone cannot exceed 20, so a task reaches the moderate or high classification only through its lifting points.

Table 17.9 - Total Risk Score

   Total risk score    Risk Classification
   85+                 High-risk task
   45-84               Moderate-risk task
   0-44                Low-risk task

Ridyard, Tapp, and Wylie (2001) report that field tests of the system show that the tool has proven to be effective in presenting risk assessment data to management, and that it provides an objective method for documenting ergonomic improvements. Ridyard et al. state, "while no ergonomic evaluation system is all-encompassing, the EJMS has been demonstrated to be a practical, results-oriented ergonomic risk assessment and risk management tool."

STATUS

The method developed by Ridyard, Tapp, and Wylie (2001) has been field tested and validated. Additional information is available at http://www.asse.org/ridyardtapp0101.pdf.

OTHER ERGONOMIC RISK ASSESSMENT ACTIVITIES

SEMICONDUCTOR INDUSTRY

The semiconductor industry has published SEMI S8-1103, Safety Guidelines for Ergonomics Engineering of Semiconductor Manufacturing Equipment. The purpose of the guidelines is to "promote compatibility between the user and the equipment in the manufacturing environment."
The document includes three general principles for ergonomic design and evaluation:

   • Distributing tasks among hardware, software and users
   • Minimizing potential for errors and mishaps
   • Reducing fatigue and injury by fitting equipment to users' body size, strength and range of motion

The document includes several general guidelines that provide additional detail on these principles. SEMI S8 includes a Supplier Ergonomic Success Criteria Checklist as an appendix to the document. In this appendix the risk assessment has been transformed into a specific checklist that addresses different kinds of known hazards and applications, with acceptance criteria for these applications. Additional attachments to SEMI S8 provide performance-related ergonomic design information.

SEMI S8 does not require a specific risk assessment as the term is used in this book. However, the principles of risk assessment have been applied in developing the ergonomic design guidelines. Through industry experience, separate analyses or other means, performance levels have been established. Thus guidelines for lifting, sizes, forces, methods, and others have been determined that yield acceptable risk.

LABORATORY APPLICATIONS

Kerst (1998) presents a nine-step model to implement an effective laboratory ergonomics agenda:

NINE STEPS TO SUCCESS

1. Identify your opportunity using: injury and illness data, technician feedback, testing and quality data, and ergonomic risk assessment.
2. Form a cross-functional team.
3. Define specific problems within the current process.
4. Define desired outcomes.
5. Define root causes and solutions.
6. Evaluate the solutions for feasibility.
7. Implement solutions and track projects to completion.
8. Measure progress.
9. Reward and recognize.

This represents yet another application of the ergonomic risk assessment process.
NIOSH TOOLBOX

NIOSH developed an ergonomic toolbox in 1997 that presents assorted techniques for identifying, analyzing, and ultimately controlling WMSDs. The Toolbox includes the following description:

   This Toolbox contains examples of various data gathering techniques and procedures along with reference materials for elaborating on their use. Also included are information guides and lists of reports that can prove helpful in efforts to address specific problems. The material is organized into sections or "trays." Most of the tools and techniques described are easy to use and adaptable for many purposes. Procedures are stressed that do not require special equipment or laborious data collection and analyses. Some of these tools are based on professional practice, others on scientific research, and still others on a combination of both. While few have been extensively validated and have other limitations, NIOSH has found these tools to be useful. Even with their shortcomings, they should enable readers to take some first steps in determining whether workplace conditions pose a risk of WMSDs and in suggesting remedial actions.

The Toolbox includes the following:

   Tray 1   Looking For Signs Of WMSDs
   Tray 2   Setting The Stage For Action
   Tray 3   Training - Building In-House Expertise
   Tray 4   Data Gathering - Medical & Health Indicators
   Tray 5   Data Gathering - Job Risk Factors
   Tray 6   Evaluating Job Risk Factors
   Tray 7   Evaluating Control Effectiveness
   Tray 8   Health Care Management
   Tray 9   Proactive Ergonomics
   Tray 10  Other Primers And Manuals

WORK-RELATED CUMULATIVE TRAUMA DISORDERS

In 1992 a committee began to compose a standard, ANSI Z-365 Control of Work-Related Cumulative Trauma Disorders. This effort addresses ergonomic risks across many industries rather than within any one industry. A similar activity was occurring in OSHA in the mid-1990s, and these projects worked in parallel. Several drafts of ANSI Z-365 have been developed, but the document remains in draft status.
The draft standard includes sections on identifying and evaluating risk factors related to CTDs, and on developing methods to reduce risks. Information on the 1995 draft can be found at http://www.ergoweb.com/resources/reference/guidelines/ansiz365.cfm.

REFERENCES

ANSI B11 Technical Report #1 (1993). Ergonomic guidelines for the design, installation and use of machine tools (TR1). The Association for Manufacturing Technology, www.amtonline.org.

ANSI Z-365. (1995 draft). Control of work-related cumulative trauma disorders. http://www.ergoweb.com/resources/reference/guidelines/ansiz365.cfm.

Bhattacharya, A. & McGlothlin, J.D. (Eds.). (1996). Occupational ergonomics. [Appendix B]. New York: Marcel Dekker, Inc.

Board of Certification for Professional Ergonomics. Bellingham, WA. www.bcpe.org.

Chaffin, D., Andersson, G., & Martin, B. (1999). Occupational biomechanics, third edition. John Wiley & Sons, Inc.

Chapanis, A. (1983). Engineering psychology. In M. D. Dunnette & L. Hough (Eds.), The handbook of industrial and organizational psychology. New York: Wiley.

EEC 89/391/EEC. (1989). Framework health and safety directive. European Union, www.europeandocuments.com.

EN 1050-1996. Safety of machinery; risk assessment. www.global.ihs.com.

Ergoweb. (2002). University of Utah Research Foundation, www.ergoweb.com.

Hagberg, M., Silverstein, B., Wells, R., Smith, H., Hendrick, P., Carayon, P., & Perusse, M. (1995). Work related musculoskeletal disorders: A reference book for prevention. London: Taylor & Francis Ltd.

HSE. (1992). Manual handling operations regulations. www.ergonomics.org.uk/resources/newsinfo/hsenews.htm.

Kerst, J. (1998). Improving productivity through ergonomic design. Today's Chemist at Work, 7(5), 38-40, 42.

Keyserling, W.M., Brouwer, M., & Silverstein, B.A. (1992). A checklist for evaluating ergonomic risk factors resulting from awkward postures of the legs, trunk and neck. Int J Ind Ergonomics 9:283-301.

Keyserling, W.M., Stetson, B.A., Silverstein, B.A., & Brouwer, M.L. (1993). A checklist for evaluating ergonomic risk factors associated with upper extremity disorders. Ergonomics 36(7), 807-831.

Lifshitz, Y. & Armstrong, T. (1986). A design checklist for control and prediction of cumulative trauma disorders in hand intensive-manual jobs. Proceedings of the 30th Meeting of the Human Factors Society, Vol. 2, Daytona, Florida, pp. 837-841.

Manual Handling. (1990). Australian National Standard NOHSC:1001 and National Code of Practice NOHSC:2005. http://www.nohsc.gov.au/PDF/Standards/manualhandling_standardNOHSC1001_1990.pdf.

Morris, M. & Simm, J. (Eds.) (2000). Construction risk in river and estuary engineering, A guidance manual. Thomas Telford.

NIOSH. (1994). Applications manual for the revised NIOSH lifting equation. National Institute for Occupational Safety and Health, DHHS Pub. No. 94-110, Cincinnati, OH. www.cdc.gov/niosh/homepage.html.

NIOSH. (1997). Elements of ergonomics programs, A primer based on workplace evaluations of musculoskeletal disorders. National Institute for Occupational Safety and Health, Cincinnati, OH. http://www.cdc.gov/niosh/eptolbox.html.

OPNAVINST 5100.23F. (2002). Chapter 23, Ergonomics program, July, U.S. Navy. http://neds.nebt.daps.mil/Directives/5100/23.pdf.

prEN 1005-2. (2001). Manual handling of machines and component parts of machinery.

prEN 1005-5. (2001). Risk assessment for repetitive handling at high frequency.

Ridyard, D., Tapp, L., & Wylie, L. (2001). Ergonomic Job Measurement System. Professional Safety, ASSE, January. http://www.asse.org/ridyardtapp0101.pdf.

Ringelberg, J.A. & Koukoulaki, T. (2002).
Risk estimation for musculoskeletal disorders in machinery design - Integrating a user perspective. European Trade Union for Health and Safety, Brussels, www.etuc.org.

SEMI S8-1103. (2002). Safety guidelines for ergonomics engineering of semiconductor manufacturing equipment. Semiconductor Equipment and Materials International, www.semi.org.

Snook, S.H. & Ciriello, V.M. (1991). The design of manual handling tasks: Revised tables of maximum acceptable weights and forces. Ergonomics, 34(9), 1197-1213.

Wilsey, A.W. (undated). Risk management in ergonomics. http://safety.army.mil/pages/guidance/RM%20in%20ERGONOMICS-1.doc.

Fire Risk Assessment

   Fire Risk Assessment
   NFPA 551 Fire Risk Assessment Guide
   Semiconductor Fire Risk Assessment
   Explosive Atmospheres

FIRE RISK ASSESSMENT

BACKGROUND

Fire is a very complex phenomenon. Fire specialists model the ignition, rate of flame advance, smoke development, effects of suppression, and many other characteristics to predict fire behavior. In developing models of fires, specialists delve into the sciences of thermodynamics, ventilation, heat transfer, combustion and others in great quantitative detail. The complexity of fire dynamics extends beyond the scope of this book. However, the results of advanced modeling play a key role in fire risk assessment.
Thomson (2002) notes, "the main priority when dealing with fire precautions is to ensure that people can escape safely in the event of a fire." In examining fire incidents, Thomson (2002) reports that:

   Risk assessment plays an extremely important role in preventing fire and explosion, human suffering and damage to property.

   It is mandatory for employers to carry out fire risk assessment regardless of the size and complexity of the premises or work operation.

   The important aspect of fire risk assessment is that it matches the complexity of hazards and risks within a particular workplace.

   A fire risk assessment for [low-risk premises] may be quite simple; only significant risks need to be recorded.

Thomson's (2002) statement that fire risk assessment is mandatory stems from a fire safety perspective rather than from a specific regulatory or industry requirement.

A complicating factor in fire risk assessments concerns human behavior and individuals' responses to fire situations. People respond to fires in widely differing ways, from the very logical to the completely illogical. Although human behavior is a complex subject, Thomson indicates that it plays an extremely important part in the risk assessment process.

DESCRIPTION

Meacham (2001) describes the fire risk assessment process as follows:

   Fire risk analysis can be considered the process of understanding and characterizing the fire hazard(s) in a building, the unwanted outcomes that may result from a fire, and the likelihood of fire and unwanted outcomes occurring, taking into due consideration the issues of uncertainty and valuation.

   The purpose of a fire hazard assessment is to identify possible sources of fire ignition and various conditions that may result from the fire without consideration of the likelihood of occurrence ... one then estimates or predicts the fire growth, spread, and impact under a variety of fuel, compartment, and fire protection systems configurations.
   Identification of ignition sources requires knowledge of how ignition can occur and often involves simply a visual survey. A typical outcome of a hazard assessment is the identification of consequences.

   Risk characterization requires a well-defined problem agreed to by those involved, a sound scientific base, the proper use of analytical techniques with due consideration of uncertainties and unknowns, and sufficient discussion and deliberation so that everyone understands all the issues.

   Because fire data are sparse and conditions are likely to change over the life of a building, quantifying risk can be difficult; uncertainty, variability, and indeterminacy will play a significant role.

   Again, data are sparse, but realistically addressing system reliability and effectiveness is critical to performance-based fire protection engineering.

Barry (2001) outlines an eight-step process for using risk methods to address fire safety problems. The steps are shown in Figure 18.2. Considerably more detail for each step is included in Barry's (2001) book.

FLOWCHART

Several variations of the fire risk assessment process exist. Nystedt (2001) presents the basic fire safety design process as shown in Figure 18.1.

Figure 18.2 - Risk-Informed Methodology Process per Barry (2001) (legibility limited due to original)
Thomson (2002) reports that fire risk assessment can be divided into the following stages:

   Stage 1   Identify fire hazards
   Stage 2   Identify the location of people (and types of people) at significant risk in the event of fire
   Stage 3   Evaluate the risk
   Stage 4   Consider existing controls that are in place
   Stage 5   Consider further controls that may need to be put in place
   Stage 6   Consider other legislation that may be applicable
   Stage 7   Record the findings
   Stage 8   Produce an action plan and implement the plan
   Stage 9   Communicate the findings to employees and others
   Stage 10  Review the assessment

RISK SCORING SYSTEM

Wolski (2001) presents a type of risk scoring system used in fire risk assessments in the International Performance Code Performance Matrix. This system uses a measure of magnitude of design event (severity) and a building performance group based on the "importance" of the building to the user. The magnitude and performance levels map to risk levels in similar fashion to other two-factor matrices. Wolski notes that "this process results in forcing the designer to provide a higher level of safety for facilities that are perceived as more hazardous (high-rises) than others (single-family homes)." Dungan (2001) emphasizes, "using risk (likelihood x consequence) as opposed to hazard (consequence) is necessary for the success of performance-based fire safety."

Thomson (2002) presents a risk scoring system for fire risk assessment. The system uses two factors, probability and consequence. Each factor has three levels, as shown in Tables 18.2-18.3. Note that Thomson's "probability" levels are defined by how often the task that involves the hazard is carried out, not by an estimated likelihood of ignition. Thomson's (2002) risk factors are combined to derive a risk level as shown in Table 18.4. The risk level is translated into an action plan based on the risk rating shown in Table 18.5.
Table 18.2 - Fire Risk Assessment - Probability Risk Factor

   Probability       Description
   Unlikely (1)      The task that involves the hazard is not normally carried out or is carried out only occasionally, perhaps once per month.
   Likely (2)        The task that involves the hazard is carried out frequently, perhaps weekly.
   Very likely (3)   The task that involves the hazard is carried out routinely, perhaps daily or more than once per day.

Table 18.3 - Fire Risk Assessment - Consequence Risk Factor

   Consequence   Description
   Minor (1)     A fire may be possible from the hazard that exists; however, owing to the present control measures, the escape routes and the number of people in the area, it is unlikely that a person may become trapped or overcome by heat and smoke.
   Major (2)     A fire may be possible from the hazard that exists and the fire may develop quickly, resulting in a higher probability that a person may become trapped. In addition, given the reduced level of control at present or the large numbers of people in the area, the probability that people may be overcome by heat and smoke is higher than in the above category.
   Serious (3)   A fire is likely to start from the hazard and, given the reduced level of controls at present, would probably trap a person or impede their ability to escape. The hazard is such that a fire may develop rapidly. In addition, large numbers of people are present in the area, which significantly increases the probability of a person being overcome by heat and smoke.

Table 18.4 - Fire Risk Assessment - Risk-level Estimator (from Thomson, 2002)

                  Unlikely (1)   Likely (2)   Very likely (3)
   Minor (1)           1             2              3
   Major (2)           2             4              6
   Serious (3)         3             6              9

The risk level is the product of the two ratings, so only the values 1, 2, 3, 4, 6 and 9 can occur; the action plan in Table 18.5 is keyed to exactly those values.

Table 18.5 - Fire Risk Assessment - Risk-based Action Plan (from Thomson, 2002)

   Risk Rating   Action and timescale
   1             The current level of risk is considered acceptable and therefore no further action is required. Existing controls should be maintained in their present condition.
   2             Although the current level of risk is acceptable, consideration should be given to a cost-effective method of reducing the risk to a lower level. Monitoring is required to ensure that the existing controls are maintained.
   3-4           A moderate fire risk exists, and efforts should be made to reduce the risk. The cost of control measures should be carefully measured and selected to give a cost-effective return. Risk-reduction measures should be implemented within a defined time period. Monitoring is required to ensure that the existing controls, and additional controls, are maintained.
   6             Work should not be started until the fire risk has been reduced. Considerable resources may have to be allocated to reduce the risk. Where the risk involves work in progress, immediate action should be taken. Monitoring is required to ensure that the existing controls, and additional controls, are maintained.
   9             Work should not be started or continued until the fire risk has been reduced. If it is not possible to reduce risk even with unlimited resources, work has to remain prohibited.

STATUS

According to Nystedt (2001), "the use of semi-quantitative methods have only recently begun in the design process of buildings." Additional information can be found in Thomson (2002), Barry (2001), Nystedt (2001), Meacham (2001), and Dungan (2001).

NFPA 551 FIRE RISK ASSESSMENTS GUIDE

BACKGROUND

Founded in 1896, the National Fire Protection Association (NFPA) has long been a leader in assessing and preventing the risk of fire. The NFPA focuses on providing fire, electrical, and life safety to the public. The NFPA has commenced writing a document specifically pertaining to fire risk assessments, NFPA 551 Guide for Evaluation of Fire Risk Assessments.
NFPA 551 came into being as described in the Origin and Development section of the draft document:

   With the emergence of performance-based codes and standards and performance-based design, fire and building officials and other authorities having jurisdiction are increasingly being required to evaluate fire risk assessments as evidence of compliance with codes, standards and other fire regulations. In recognition of the fact that these officials are seeking means to assist them to evaluate the validity of fire risk assessments, NFPA established the project on fire risk assessment methods in January 1999.

DESCRIPTION

The intended audience of NFPA 551 is primarily "authorities having jurisdiction." An authority having jurisdiction is defined as "the organization, office or individual responsible for approving equipment, an installation or a procedure" (NFPA, 1997). Typical authorities having jurisdiction include fire marshals, building officials, or an insurance engineering department. The Guide is intended to provide assistance in evaluating the appropriateness and execution of a risk assessment for fire safety problems. As with most other risk assessment guidelines, NFPA 551 will not address methods to demonstrate acceptable risk, but it will describe the technical review process and documentation needed to evaluate a fire risk assessment.

STATUS

NFPA 551, Guide for Evaluation of Fire Risk Assessments, is a work in progress. Completion of the document is expected in 2004. Additional information on this effort can be obtained at www.nfpa.org.

SEMICONDUCTOR FIRE RISK ASSESSMENT

BACKGROUND

Semiconductor Equipment and Materials International (SEMI) is the trade organization for the semiconductor and flat panel display industries. SEMI promulgates safety guidelines for these industries, including a fire risk assessment guideline, SEMI S14-1103, Safety Guidelines for Fire Risk Assessment and Mitigation for Semiconductor Manufacturing Equipment.
DESCRIPTION

Part of the purpose and scope of SEMI S14 reads:

   This document provides considerations to the manufacturers of semiconductor manufacturing equipment that will assist them in assessing and mitigating the risk to equipment and product associated with fire and combustion by-products. This document identifies considerations for assessing the fire risk of semiconductor manufacturing equipment, means of categorizing the risks, and means of mitigating the risks.

RISK SCORING SYSTEM

SEMI S14 (2003) uses a risk scoring system with two risk factors, severity and likelihood. The SEMI S14 severity groupings address several aspects of loss, as shown in Table 18.6. The SEMI S14 likelihood groupings use descriptive labels for quantitative frequency bands, as shown in Table 18.7. The severity and likelihood ratings are combined to obtain a risk category as shown in Table 18.8.

Table 18.6 - SEMI S14 Fire Risk Assessment Severity Groupings

   Group 1, Catastrophic
      Equipment physical damage: loss of entire piece of equipment
      Equipment loss of use: one year
      Facility loss of use (minimum time): one week
      Environmental and real property contamination: lasting facility or environmental impact

   Group 2, Severe
      Equipment physical damage: loss of major subsystem
      Equipment loss of use: one month
      Facility loss of use (minimum time): one day
      Environmental and real property contamination: temporary facility or environmental impact

   Group 3, Moderate
      Equipment physical damage: loss of minor subsystem
      Equipment loss of use: one week
      Facility loss of use (minimum time): one shift
      Environmental and real property contamination: limited to the equipment, but requiring more than routine cleanup

   Group 4, Minor
      Equipment physical damage: non-serious equipment loss
      Equipment loss of use: one day
      Facility loss of use (minimum time): less than one shift
      Environmental and real property contamination: requiring routine cleanup but not external reporting

Table 18.7 - SEMI S14 Fire Risk Assessment Likelihood Groupings

   Likelihood Group   Expected Frequency (% of Systems per Year)
   A  Frequent        More than 1%
   B  Likely          More than 0.2% but not more than 1%
   C  Possible        More than 0.04% but not more than 0.2%
   D  Rare            More than 0.02% but not more than 0.04%
   E  Unlikely        Not more than 0.02%

Table 18.8 - SEMI S14 Fire Risk Assessment Risk Categories

                              Likelihood
   Severity      A          B          C         D         E
   1          Critical   Critical   High      Medium    Low
   2          Critical   High       Medium    Low       Low
   3          High       Medium     Low       Low       Slight
   4          Medium     Low        Low       Slight    Slight

Unlike SEMI S10-1103 (2003), the general risk assessment guideline for this industry, SEMI S14 defines the severity, likelihood and risk descriptions that are to be used; in SEMI S10 the descriptions are examples only. SEMI S14 indicates that severity is to be assessed for each of the loss aspects in Table 18.6, but that only the most severe rating is carried forward in determining the risk. SEMI S14 does not set criteria for acceptable levels of residual risk.

STATUS

SEMI S14 is an approved and current guideline. Additional information can be obtained at www.semi.org.

EXPLOSIVE ATMOSPHERES

BACKGROUND

A recent European study examined risk assessment in explosive atmospheres: the RASE project (Methodology for the Risk Assessment of Unit Operations and Equipment for Use in Potentially Explosive Atmospheres). According to Rogers (2000):

   The RASE project objective was to develop a Risk Assessment Methodology for Unit Operations and Equipment to help manufacturers of equipment and protective systems intended for use in potentially explosive atmospheres meet the requirements of the EU Directives 89/392/EC (machinery directive) and 94/9/EC (ATEX 100A). It will also be useful to satisfy the requirements in Directive 99/92/EC (ATEX 137A) for users of such equipment to produce an explosion protection document.

The author notes that:

   ATEX 100a Directive is a risk-related Directive and consequently a risk assessment has to be made. This is a challenge, because the traditional approach to safety in the process industries was an ad-hoc one of learning from experience ... To meet the requirements of ATEX 100a Directive it is therefore absolutely necessary to conduct a risk assessment.

The project involved surveying over 200 manufacturers and users concerning existing risk assessment techniques. A draft methodology was prepared and tested, with success in that the methodology can be followed.
However:

   It was clear from the trials that manufacturers have extreme difficulty in applying the methodology, as the subject of risk assessment is extremely complex and it is unlikely that someone without experience in the field can simply take the proposed draft and directly apply it to their problem.

Rogers (2000) identifies a very critical element of conducting an effective risk assessment:

   It is in both the manufacturer's and user's interest to establish a common methodology for achieving safety, reliability and efficacy in functioning and operation of equipment and protective systems with respect to the risks of explosion. In this respect, risk assessment is a tool which provides the essential link between manufacturers and users. Whereas the products must be used in accordance with the equipment group and category and with all the information supplied by the manufacturer, often the severity or consequences of an incident can only be defined by the users themselves. Thus both the knowledge base of the manufacturer plus the plant specific experience of users is required to carry out an effective risk assessment.

DESCRIPTION

The RASE report presents an approach to risk assessment with the following five steps:

1. Determination of intended use
2. Identification of hazards, hazardous situations and hazardous events
3. Risk estimation of consequences/likelihood
4. Risk evaluation
5. Risk reduction option analysis

The report indicates that the first three steps are referred to as risk analysis. The report also notes that the process is iterative. Note that this usage differs from some other industries, where risk analysis refers to the entire process.

Rogers (2000) devotes special attention to the hazard identification step of the process: "hazard identification is the most important part of any risk assessment ... The main aim of hazard identification is that all possible hazards are found and none are missed."
The author recognizes that there are many different techniques that can be used to identify hazards and provides an extensive compilation of methods to do so, including checklists, codes, HAZOP, FMEA, Fault Tree Analysis, and others.

FLOWCHART

The steps to risk assessment in the RASE Project are shown in Figure 18.3.

Figure 18.3 - RASE Fundamental Steps of Risk Assessment

A more explosion-specific flow chart is shown in Figure 18.4.

RISK SCORING SYSTEM

The RASE report presents a two-factor risk scoring system using severity and frequency of occurrence, as shown in Tables 18.9-18.11.

Table 18.9 - RASE Severity Levels

   Description    Definition
   Catastrophic   Death or system loss.
   Major          Severe injury, severe occupational illness, or major system damage.
   Minor          Minor injury, minor occupational illness, or minor system damage.
   Negligible     Less than minor injury, occupational illness or system damage.

Table 18.10 - RASE Frequency Levels

   Description   Specific Individual Item                                          Inventory
   Frequent      Likely to occur frequently                                        Continuously experienced
   Probable      Will occur several times in the life of an item                   Will occur frequently
   Occasional    Likely to occur some time in the life of an item                  Will occur several times
   Remote        Unlikely but possible to occur in the life of an item             Unlikely, but can reasonably be expected to occur
   Improbable    So unlikely, it can be assumed occurrence may not be experienced  Unlikely to occur, but possible

Table 18.11 - RASE Frequency-Severity Matrix

                              Severity
   Frequency     Catastrophic   Critical   Marginal   Negligible
   Frequent           A            A          *           C
   Probable           A            A          B           C
   Occasional         A            B          B           D
   Remote             A            B          C           D
   Improbable         B            C          C           D

   * This cell is illegible in the original.

Note that Table 18.11 as printed labels the two middle severity columns Critical and Marginal, whereas Table 18.9 defines the corresponding levels as Major and Minor.

The risk levels A-D correlate to decreasing risk, with A being a "high risk level" that is intolerable and D being a "low risk level" that is acceptable. The report indicates that the B and C risk levels normally require some form of risk reduction measures. The report also recognizes that quantitative and semi-quantitative risk assessment methods can be used.
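The two-factor matrices in this chapter, SEMI S14 Table 18.8 and RASE Table 18.11, share a property the text leaves implicit: moving to a more severe column or a more frequent row must never lower the risk category. The following Python is added here as an example; it is not code from the book, from SEMI or from the RASE report. It transcribes both matrices, checks that ordering property, uses it to bound what the illegible Frequent/Marginal cell of Table 18.11 could be, and applies the SEMI S14 frequency bands and most-severe-aspect rule to a constructed scenario. The ranking of the category labels (Critical above High above Medium above Low above Slight; A above B above C above D) is inferred from the surrounding text and is an assumption of the example.

```python
"""Consistency checks for two-factor risk matrices (added example).

Matrices are transcribed from Table 18.8 (SEMI S14) and Table 18.11 (RASE)
as printed above. The ranking of the category labels from highest risk to
lowest is an assumption inferred from the chapter text.
"""
from typing import Optional, Sequence

Matrix = Sequence[Sequence[Optional[str]]]

# Both axes run worst-first: rows are the most severe (SEMI) or most frequent
# (RASE) level first, columns likewise. None marks a cell that is illegible
# in the printed table.
SEMI_S14_ORDER = ["Critical", "High", "Medium", "Low", "Slight"]
SEMI_S14 = [  # rows: severity groups 1..4; columns: likelihood groups A..E
    ["Critical", "Critical", "High",   "Medium", "Low"],
    ["Critical", "High",     "Medium", "Low",    "Low"],
    ["High",     "Medium",   "Low",    "Low",    "Slight"],
    ["Medium",   "Low",      "Low",    "Slight", "Slight"],
]

RASE_ORDER = ["A", "B", "C", "D"]
RASE = [  # rows: Frequent..Improbable; columns: Catastrophic..Negligible
    ["A", "A", None, "C"],
    ["A", "A", "B",  "C"],
    ["A", "B", "B",  "D"],
    ["A", "B", "C",  "D"],
    ["B", "C", "C",  "D"],
]


def check_monotone(matrix: Matrix, order: Sequence[str]) -> list[str]:
    """Describe every cell that is riskier than the cell above it or to its
    left, i.e. every place a less frequent or less severe combination is
    scored as more risky. Unknown (None) cells are skipped."""
    rank = {label: i for i, label in enumerate(order)}  # 0 = highest risk
    problems = []
    for r, row in enumerate(matrix):
        for c, cell in enumerate(row):
            if cell is None:
                continue
            right = row[c + 1] if c + 1 < len(row) else None
            if right is not None and rank[right] < rank[cell]:
                problems.append(f"row {r}, col {c + 1}: {right} riskier than {cell} to its left")
            below = matrix[r + 1][c] if r + 1 < len(matrix) else None
            if below is not None and rank[below] < rank[cell]:
                problems.append(f"row {r + 1}, col {c}: {below} riskier than {cell} above it")
    return problems


def feasible_values(matrix: Matrix, order: Sequence[str], r: int, c: int) -> list[str]:
    """Categories an unknown cell could take without breaking monotonicity:
    no riskier than its upper/left neighbours, no less risky than its
    lower/right neighbours."""
    rank = {label: i for i, label in enumerate(order)}
    lo, hi = 0, len(order) - 1

    def known(rr: int, cc: int) -> Optional[str]:
        if 0 <= rr < len(matrix) and 0 <= cc < len(matrix[rr]):
            return matrix[rr][cc]
        return None

    for nb in (known(r, c - 1), known(r - 1, c)):  # riskier neighbours bound from above
        if nb is not None:
            lo = max(lo, rank[nb])
    for nb in (known(r, c + 1), known(r + 1, c)):  # less risky neighbours bound from below
        if nb is not None:
            hi = min(hi, rank[nb])
    return [order[i] for i in range(lo, hi + 1)]


def semi_s14_likelihood(percent_of_systems_per_year: float) -> str:
    """Map an expected fire frequency (Table 18.7) to a likelihood group.
    Every band except A is closed at its upper end ("not more than")."""
    p = percent_of_systems_per_year
    if p > 1.0:
        return "A"
    if p > 0.2:
        return "B"
    if p > 0.04:
        return "C"
    if p > 0.02:
        return "D"
    return "E"


def semi_s14_category(severity_groups: Sequence[int], percent_of_systems_per_year: float) -> str:
    """Risk category for one fire scenario. severity_groups holds the group
    (1 = catastrophic .. 4 = minor) assessed for each loss aspect of Table
    18.6; per the guideline only the most severe aspect is carried forward."""
    worst = min(severity_groups)  # lowest group number = most severe
    col = "ABCDE".index(semi_s14_likelihood(percent_of_systems_per_year))
    return SEMI_S14[worst - 1][col]


if __name__ == "__main__":
    print("SEMI S14 ordering violations:", check_monotone(SEMI_S14, SEMI_S14_ORDER))
    print("RASE ordering violations:", check_monotone(RASE, RASE_ORDER))
    print("RASE Frequent/Marginal must be one of:", feasible_values(RASE, RASE_ORDER, 0, 2))
    # Constructed scenario (not from the guideline): minor subsystem lost,
    # equipment out one week, facility out one week, more than routine
    # cleanup, expected in 0.5% of systems per year.
    print("Constructed scenario category:", semi_s14_category([3, 3, 1, 3], 0.5))
```

Run as written, both published matrices pass the ordering check, and the illegible RASE cell is constrained to A or B by its neighbours (A to its left, B below it). The constructed SEMI S14 scenario is rated Critical even though three of its four loss aspects are only Moderate, because the one-week facility outage is a Group 1 loss and the most severe aspect governs.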
STATUS

The RASE Project was completed in 2000. The report can be obtained at www.safetynet.de.

REFERENCES

Barry, T.F. & Stone, T. (2002). Risk-informed performance-based fire protection. Bethesda, MD: Society of Fire Protection Engineers, www.sfpe.org.

Dungan, K.W. (2001). Practical applications of risk-based methodologies. Fire Protection Engineering, Spring. www.sfpe.org.

International Code Council. (2000). Final Draft - ICC performance code for buildings and facilities. August, 2000. www.intlcode.org.

Meacham, B.J. (2001). Addressing risk and uncertainty in performance-based. Fire Protection Engineering, Spring, 16-25.

NFPA. (1997). Life Safety Code Handbook, 7th edition. National Fire Protection Association, Quincy, MA, www.nfpa.org.

NFPA 551. (draft). Guide for evaluation of fire risk assessments. National Fire Protection Association, www.nfpa.org.

Nystedt, F. (2001). A quantified fire risk design method. Fire Protection Engineering, Spring, 41-42, 45. www.sfpe.org.

Rogers, R.L. (2000). The RASE project, Methodology for the risk assessment of unit operations and equipment for use in potentially explosive atmospheres. EU Project #SMT4-CT97-2169. www.safetynet.de.

SEMI S14-1103. (2003). Safety guidelines for fire risk assessment and mitigation for semiconductor manufacturing equipment. Semiconductor Equipment and Materials International, www.semi.org.

Thomson, N. (2002). Fire hazards in industry. Boston: Butterworth Heinemann.

Wolski, A. (2001). The importance of risk perceptions in building and fire safety codes. Fire Protection Engineering, Spring, 27, 30-33.

Food

   General
   Food Risk Analysis
   Food Risk Assessment
   Risk Management and Risk Communication
   Sample Microbiological Risk Assessment
   Food Safety Resource Organizations

GENERAL

There are two major drivers of risk assessment that can be pulled from the extensive literature on food safety and risk assessment.
Schothorst (2000) shares the first:

   Many studies have indicated that the public has a totally different perception concerning risks of eating and, for instance, risks of smoking, drinking, driving cars, mountaineering, and others. The consumer's opinion is mostly expressed as: "Food should be safe, eating should be risk-free!"

The second risk assessment driver involves how decisions are made. Separating food-related risk assessment decisions from political and trade influences can be very difficult. Policy decisions on food acceptability affect the movement of food goods within and across borders, to the potential benefit or detriment of consumers and producers. In the past, some decisions regarding food safety have been questioned as unjustified barriers to free trade. To minimize the potential for disagreement in the food industry, great emphasis has been placed on making the risk assessment process science-based and transparent.

One of the more significant milestones in food risk assessment occurred in 1995, when the World Trade Organization created the Agreement on Sanitary and Phytosanitary Measures (SPS). SPS defines the basic rules for food safety and animal and plant health standards. SPS does allow countries to set their own standards, but these standards must be based on science. SPS applies to domestically produced food, local animal and plant diseases, and to products coming from other countries. The Agreement requires that countries develop SPS measures based on assessment of the risk involved, make available the factors and procedures used in the assessment, and indicate the risk level they determine to be acceptable.

The Codex Alimentarius Commission has played a very large role in developing food standards and guidelines.
In the report of the Commission, Principles and Guidelines for the Conduct of Microbiological Risk Assessment (1997), the Commission states that "risks from microbiological hazards are of immediate and serious concern to human health."

A similar message was delivered in a speech by Henney (1999), the U.S. Food and Drug Administration (FDA) Commissioner of Food and Drugs:

Today's challenges with respect to the food supply are complex... It is my strong conviction that through the development and application of sound scientific principles, we will solve the numerous public health threats posed by an ever changing world. Risk Assessment is leading the Department's food safety regulation and policy to effective and efficient, science-based solutions to these complex food safety challenges.

Risk assessment in the FDA world is extensive and complex. The FDA reviews the results of laboratory, animal and human clinical testing done by companies to determine if the products they want to put on the market are safe and effective. The FDA does not develop or test products itself. The FDA oversees safety issues for many different kinds of products, including:

• Drugs
• Foods
• Dietary Supplements
• Medical Devices
• Biologics
• Animal Feed and Drugs
• Cosmetics
• Radiation-Emitting Products
• Combination Products Program

There are many regulations related to risk assessment that must be met for the FDA. Part of the complexity derives from the many regulatory parties involved and the difficult and challenging problems being addressed.

The food industry uses the term "risk analysis" to describe the umbrella process that includes risk assessment. The risk analysis framework will be examined before attention turns to the risk assessment and risk management portions.

FOOD RISK ANALYSIS

BACKGROUND

Kaferstein (2000) presents a very good summary of international initiatives and the history of risk analysis in food safety assurance. Kaferstein highlights results from the Uruguay Round of Multilateral Trade Negotiations, Joint FAO/WHO conferences on food standards, advances made by Codex, and the development of the Food Safety Risk Analysis Clearinghouse by the Joint Institute for Food Safety and Applied Nutrition (JIFSAN). Kaferstein observes that the "demand for food safety data and risk analysis tools is growing exponentially."

The Codex Commission recognized in 1995 that risk analysis comprises three separate but integrated elements, namely risk assessment, risk management, and risk communication. The Codex Alimentarius Commission has developed principles for risk analysis intended for use in food safety and health standards. The principles are contained in Appendix II, Proposed Draft Working Principles For Risk Analysis For Application In The Framework Of The Codex Alimentarius, which states that "risk analysis is widely recognized as the fundamental methodology underlying the development of food safety standards."

One of the key European food safety regulations is Regulation (EC) No 178/2002 of the European Parliament and of the Council of 28 January 2002. The regulation defines the general principles and requirements of food law, establishes the European Food Safety Authority and identifies key procedures in matters of food safety. The regulation was formed in part to facilitate the free movement of safe and wholesome foods in the EU internal market. A key passage includes:

(16) Measures adopted by the Member States and the Community governing food and feed should generally be based on risk analysis... Recourse to a risk analysis should facilitate the avoidance of unjustified barriers to the free movement of foodstuffs.

The Codex Draft Working Principles provide guidance so that decisions on food safety and health aspects of Codex standards and related texts are based on risk analysis.
Within the FDA, the Center for Food Safety and Applied Nutrition (CFSAN) Risk Analysis Working Group prepared a report, Initiation and Conduct of All 'Major' Risk Assessments within a Risk Analysis Framework, which was released in March 2002. According to the report, the overall goal of the CFSAN Risk Analysis Working Group was to improve the quality and consistency of risk assessments conducted within the Center. Specific tasks of the working group were as follows:

• Identify boundaries and responsibilities of key participants in the risk analysis process.
• Develop a process for identifying and selecting risk assessments conducted within the Center.
• Establish procedures for the conduct of risk assessments within a risk analysis framework.

The report provides an overview of the procedures needed to initiate and conduct risk assessments within a risk analysis framework. The report comprises two parts: Part I is a description of the CFSAN risk analysis framework, including the roles and responsibilities of participants; Part II describes in detail the proposed decision-based approach to identify and select risk assessments.

DESCRIPTION

The CFSAN Risk Analysis Working Group recommends the following:

Risk analysis is a powerful tool that should be used to enhance the scientific basis of regulatory decisions. It should be conducted within CFSAN through the efforts of risk assessment, risk management, and risk communication teams. Risk assessment should be conducted in an iterative manner that allows refinement of the risk assessment question(s), key assumptions, and data used in the model. To support and promote the use of a risk analysis framework for initiating and conducting 'major' risk assessments, CFSAN should:

1. Adopt a decision-based approach to identify and select risk assessments conducted by CFSAN, particularly those that are 'major' (complex and impact or involve multiple offices).
2. Establish a procedure for the conduct of risk assessment within a risk analysis framework.
3. Develop criteria to evaluate the quality of data used for risk assessments and specify what information is needed to scientifically evaluate the usefulness of a study or data set used for risk assessment.
4. Develop guidelines to evaluate risk assessments.
5. Formalize a peer review process that will encourage critical review and evaluation of CFSAN's risk assessments by government and non-government experts in a manner that improves the science and acceptance of complex risk assessments.
6. Build capacity to conduct complex risk assessments by providing training opportunities for current staff, hiring new staff or using contractors (as needed), and acquiring additional resources such as computers, software, and dedicated workspace.

One of the guiding principles of risk assessment within the CFSAN approach is that risk assessment should be as simple as possible yet provide risk managers with sufficient information to make decisions.

According to the Codex Principles for Risk Analysis, the general guidelines for risk analysis include:

• The risk analysis process should follow a structured approach comprising the three distinct but closely linked components of risk analysis (risk assessment, risk management and risk communication), each component being integral to the overall risk analysis process.
• The three components of risk analysis should be documented fully and systematically in a transparent manner.
• There should be a functional separation of risk assessment and risk management, in order to ensure the scientific integrity of the risk assessment, to avoid confusion over the functions to be performed by risk assessors and risk managers and to reduce any conflict of interest. However, it is recognized that risk analysis is an iterative process, and interaction between risk managers and risk assessors is essential for practical application.
• Precaution is an inherent element of risk analysis. Many sources of uncertainty exist in the process of risk assessment and risk management of food related hazards to human health.

FLOWCHART

The structure of risk analysis in the food industry is shown in Figure 19.1. The United States Department of Agriculture (USDA) is yet another government agency involved in food risk analysis. The USDA uses a slightly different presentation, as shown in Figure 19.2.

STATUS

Risk analysis in foods is a relatively new discipline. The 1997 Codex report stated:

Food safety risk analysis is an emerging discipline, and the methodological basis for assessing and managing risks associated with food hazards is still in a developing phase... Codex is increasingly recognising the need for application of the broad mandate of risk analysis approach to all aspects of food safety (emphasis in original).

Additional information can be found at http://www.cfsan.fda.gov/~dms/rafw-toc.html. Interested readers should view www.fda.gov for more information.

FOOD RISK ASSESSMENT

BACKGROUND

In the food industry, risk assessment is a sub-process of risk analysis. Schothorst (2000) observes that microbiological risk assessment in the food industry closely follows the practice developed for chemicals in foods. Schothorst also indicates that microbiological risk assessment often starts with the outcome of epidemiological investigations: people get ill from a certain food and a laboratory isolates a specific microorganism, which is considered to be the cause. Because illness occurs all over the world, food risk assessment concerns many countries throughout the world (see Liu, 2002). The U.S. FDA (2000) observes, "risk assessment provides the scientific basis for risk analysis... it helps characterize the nature and magnitude of risks."
Woteki (1998) describes the risk assessment element as follows:

Risk assessment is a structured process for determining the risks associated with any type of hazard... It has as its objective a characterization of the nature and likelihood of harm resulting from human exposure to agents in the environment... typically contains both qualitative and quantitative information and is associated with a certain degree of scientific uncertainty.

Woteki (1998) also notes that:

Risk assessment has its roots in toxicology and carcinogenicity studies, and its application to other disciplines poses significant challenges. For food safety, unlike chemical, environmental, or toxicological contaminants, bacteria can multiply and produce toxins. For nutritional risk assessments, one must consider that nutrients are not substances to be avoided, like pathogens or toxic chemicals, but are essential for human well-being and often for life.

The significance of food risk assessment to the overall food risk analysis process has received considerable support. In 1995, a consultation of technical experts recognized a need for greater application of risk assessment in the Codex decision-making process because:

Risk assessment techniques must be applied to determine the significance of hazards and be used as a tool to evaluate risk management strategies... The utilization of risk assessment techniques to provide an estimate of potential adverse health effects will be an essential component of the process for establishing international trade policies.

In 1999, the 23rd Session of the Codex Alimentarius Commission adopted The Principles and Guidelines for the Conduct of Microbiological Risk Assessment, which states:

[risk assessment] is a key element in assuring that sound science is used to establish standards, guidelines and other recommendations for food safety to enhance consumer protection and facilitate international trade. The microbiological risk assessment process should include quantitative information to the greatest extent possible in the estimation of risk.

Risk assessment must often be conducted without complete information. The General Principles of Microbial Risk Assessment indicates "scientific evidence may be limited, incomplete or conflicting... The use of quantitative information is encouraged to the extent possible, but the value and utility of qualitative information should not be discounted." Woteki (1998) notes, "oftentimes, these decisions must be made without the benefit of complete information. Public health decisions cannot always wait for more scientific data... We will never reach a point where we have all of the information we need." Schothorst (2000) expresses similar sentiments. The Draft Working Principles also indicate the importance of including all interested parties in the risk assessment process and stress the importance of full and systematic documentation.

Vose (2002) describes the microbial quantitative risk assessment (QRA) efforts as mostly producing 'farm-to-fork' analyses. He indicates that these analyses model the whole system but do not do so very well. Vose notes the limitations of the current models:

• Often rely on poor data, surrogates, and guesses.
• Very little data available; the system being modelled is hugely complex.
• Take too long to complete; too easy to make mistakes.
• Little cost-benefit analysis effort made.
• Requires enormous resources - impractical for many countries.

Vose (2002) indicates that "assessors have probably over-sold QRA's usefulness, and managers have expected too much." He notes the fact that risk managers usually require a rapid response to questions, but farm-to-fork risk assessment projects require several years to complete. This is an inherent conflict in the QRA process.
Vose echoes themes offered by many experienced risk assessors:

• Make it as simple as possible.
• Risk assessment uses science but is not itself scientific research.
• So we have to go with the best we've got.

A key passage of the European Regulation (EC) No 178/2002 relating to risk assessment includes the following:

(19) It is recognised that scientific risk assessment alone cannot, in some cases, provide all the information on which a risk management decision should be based, and that other factors relevant to the matter under consideration should legitimately be taken into account including societal, economic, traditional, ethical and environmental factors and the feasibility of controls.

DESCRIPTION

The risk assessment process in the food industry comprises four steps. The Codex Alimentarius Commission presented the four steps in The Principles and Guidelines for the Conduct of Microbiological Risk Assessment (1999) as follows:

• Hazard identification - the purpose is to identify the microorganisms or the microbial toxins of concern with food.
• Exposure assessment - assessing the extent of actual or anticipated human exposure, including descriptions of the pathway from production to consumption.
• Hazard characterization - provides a qualitative or quantitative description of the severity and duration of adverse effects that may result from the ingestion of a microorganism or its toxin in food. A dose-response assessment should be performed if the data are obtainable.
• Risk characterization - represents the integration of the hazard identification, hazard characterization, and exposure assessment determinations to obtain a risk estimate. Risk characterization brings together all of the qualitative or quantitative information of the previous steps to provide a soundly based estimate of risk for a given population.

The Commission Report (1997) includes two additional steps. Its first step is a statement of purpose, and the last step is documentation. The Codex Commission notes that:

Risk Characterization brings together all of the qualitative or quantitative information of the previous steps to provide a soundly based estimate of risk for a given population. Risk Characterization depends on available data and expert judgments. The weight of evidence integrating quantitative and qualitative data may permit only a qualitative estimate of risk.

Woteki (1998) presents a slightly different view of the four steps in the risk assessment process, as follows:

• Hazard identification
• Dose-response assessment
• Exposure assessment
• Risk characterization / evaluating the risk

In this approach the term dose-response assessment replaces the hazard characterization element. This approach is used by the FDA for microbial as well as chemical food contaminants.

The General Principles of Microbiological Risk Assessment provide additional guidance concerning how risk assessment should be conducted:

1. Microbiological risk assessment should be soundly based upon science.
2. There should be a functional separation between risk assessment and risk management.
3. Microbiological risk assessment should be conducted according to a structured approach that includes hazard identification, hazard characterization, exposure assessment, and risk characterization.
4. A microbiological risk assessment should clearly state the purpose of the exercise, including the form of risk estimate that will be the output.
5. The conduct of a microbiological risk assessment should be transparent.
6. Any constraints that impact on the risk assessment such as cost, resources or time, should be identified and their possible consequences described.
7. The risk estimate should contain a description of uncertainty and where the uncertainty arose during the risk assessment process.
8. Data should be such that uncertainty in the risk estimate can be determined; data and data collection systems should, as far as possible, be of sufficient quality and precision that uncertainty in the risk estimate is minimized.
9. A microbiological risk assessment should explicitly consider the dynamics of microbiological growth, survival, and death in foods and the complexity of the interaction (including sequelae) between human and agent following consumption as well as the potential for further spread.
10. Wherever possible, risk estimates should be reassessed over time by comparison with independent human illness data.
11. A microbiological risk assessment may need reevaluation, as new relevant information becomes available.

FLOWCHART

The steps for conducting a microbiological risk assessment according to the Codex Commission report of 1997 are the same as shown in Figure 19.1.

STATUS

Schothorst (2000) states:

Microbiological risk assessment models are currently under development for government use; food industries concentrate more on models for food safety assessment (i.e. determination of levels of hazards rather than the likelihood of their effects). At this moment a number of studies have been performed, but many uncertainties still exist as far as the practicality is concerned, and how useful it will be to assist decision making in the context of Codex Alimentarius and thus in regulating foods in international trade. The methodology is currently not used in the food industry, although some modelling aspects are used for food safety management purposes. Microbiological risk assessments are currently not performed in the Food Industry. Risk estimates are used by Governmental Authorities to decide whether or not control measures have to be taken.
The Codex Commission observes:

Since microbiological risk assessment is a developing science, implementation of these guidelines may require a period of time and may also require specialized training in the countries that consider it necessary.

The Principles and Guidelines document and Vose (2002) concur. Additional information on food risk assessment can be obtained as noted in Woteki (1998), Schothorst (2000), Liu (2002), and Vose (2002).

RISK MANAGEMENT AND RISK COMMUNICATION

BACKGROUND

Risk assessment and risk management are closely linked in the food industry. The Codex Draft Working Principles state:

28) Risk management should follow a structured approach including risk evaluation, assessment of risk management options, monitoring and review of the decision taken. The decisions should be based on risk assessment.

31) The risk management process should be transparent, consistent and fully documented. Codex decisions and recommendations on risk management should be documented.

35) Risk management should take into account the economic consequences and the feasibility of risk management options. Risk management should also recognize the need for alternative options in the establishment of standards, guidelines and other recommendations, consistent with the protection of consumers' health.

Woteki (1998) describes the risk management element as follows: "risk management is the process of weighing policy alternatives and selecting and implementing appropriate control options." The Codex Draft Working Principles also indicate that risk communication should include a transparent explanation of the risk assessment policy, the risk assessment and its uncertainty. A consultation of technical experts reported to the Codex Commission in 1997 that "the primary goal of the management of risks associated with food is to protect public health by controlling such risks as effectively as possible through the selection and implementation of appropriate measures."
FLOWCHART

The relationship of risk management to the overall risk analysis process is shown in Figure 19.1.

STATUS

Risk management remains an on-going process in the food industry. See Woteki (1998) and the Codex Draft Working Principles for additional details.

SAMPLE MICROBIOLOGICAL RISK ASSESSMENT

BACKGROUND

In January 1999, the FDA began a risk assessment to characterize the public health impact associated with consumption of raw oysters containing a specific pathogen. One objective of the risk assessment was to develop a mathematical model of the risk of illness incurred by consumers of raw oysters containing the pathogen.

DESCRIPTION

According to the FDA report:

This risk assessment utilized quantitative risk assessment modeling... Quantitative risk assessment modeling is a relatively new approach to the field of microbial risk. The data are represented as large sets of numbers called distributions rather than as point estimates, which offer several potential advantages over traditional approaches. One advantage is that distributions may represent the spread of real world data more accurately than point estimates like a mean. Distributions can also reflect the presence of uncertainty in the data. Another potential advantage is that modeling allows risk assessors to test which factors are most important in determining the magnitude of a risk or what effect control measures will have on a risk. Quantitative models are also flexible; inputs and model components can be changed readily as new data become available.

The results of this quantitative risk assessment model include evaluating the risk of illness caused by this organism. The report states that "this risk assessment significantly advances our ability to describe our current state of knowledge about this important foodborne pathogen, while simultaneously providing a framework for integrating and evaluating the impact of new scientific knowledge on enhancing public health."
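The following Python sketch is an added illustration, not code from the FDA report, from Codex or from this book. It walks the four Codex steps given under Food Risk Assessment (hazard identification, exposure assessment, hazard characterization, risk characterization) and shows concretely what the FDA passage above means by using distributions rather than point estimates: the same model is evaluated once with every input at its median and once by Monte Carlo sampling, then used to rank which input drives the risk and to ask what an added control measure would do. The pathogen name, the concentration, serving-size and die-off distributions, and the dose-response parameter r are all constructed assumptions; the exponential dose-response form 1 - exp(-r * dose) is a standard textbook model chosen for simplicity.

```python
"""Toy quantitative microbial risk assessment (QMRA) following the four Codex
steps and contrasting a point estimate with a distribution-based (Monte Carlo)
estimate.  Every parameter value below is a constructed assumption for
illustration, not data from any FDA or Codex assessment."""
import math
import random
import statistics
from dataclasses import dataclass

Z95 = 1.6449  # standard-normal 95th percentile, used for 5th/95th quantiles


@dataclass(frozen=True)
class Lognormal:
    """Lognormal input described by its median and geometric standard deviation."""
    median: float
    gsd: float

    def sample(self, rng: random.Random) -> float:
        return self.median * self.gsd ** rng.gauss(0.0, 1.0)

    def quantile(self, z: float) -> float:
        """Value z log-space standard deviations away from the median."""
        return self.median * self.gsd ** z


# Step 1 - hazard identification: a single pathogen of concern (placeholder name).
HAZARD = "example pathogen (placeholder)"

# Step 2 - exposure assessment inputs (constructed assumptions).
INPUTS = {
    "concentration": Lognormal(median=100.0, gsd=3.0),  # organisms per gram at harvest
    "serving_grams": Lognormal(median=200.0, gsd=1.3),  # grams eaten per raw serving
    "log10_reduction": Lognormal(median=1.0, gsd=1.5),  # log10 die-off before consumption
}

# Step 3 - hazard characterization: exponential dose-response model;
# r is the assumed probability that one ingested organism causes illness.
R_PARAM = 1e-5


def dose_response(dose: float, r: float = R_PARAM) -> float:
    """Exponential dose-response: P(illness | dose) = 1 - exp(-r * dose)."""
    return 1.0 - math.exp(-r * dose)


def dose_from(concentration: float, serving_grams: float, log10_reduction: float) -> float:
    """Ingested dose = organisms per gram x grams eaten, reduced by handling die-off."""
    return concentration * serving_grams / 10 ** log10_reduction


def point_estimate_risk() -> float:
    """Traditional approach: plug each input's median into the model."""
    dose = dose_from(INPUTS["concentration"].median,
                     INPUTS["serving_grams"].median,
                     INPUTS["log10_reduction"].median)
    return dose_response(dose)


def simulate_risk(n: int = 20000, seed: int = 1, extra_log10_reduction: float = 0.0) -> dict:
    """Step 4 - risk characterization by Monte Carlo: per-serving illness
    probability as a distribution.  extra_log10_reduction models a control
    measure (e.g. an added post-harvest treatment) applied to every serving."""
    rng = random.Random(seed)
    risks = []
    for _ in range(n):
        dose = dose_from(
            INPUTS["concentration"].sample(rng),
            INPUTS["serving_grams"].sample(rng),
            INPUTS["log10_reduction"].sample(rng) + extra_log10_reduction,
        )
        risks.append(dose_response(dose))
    risks.sort()
    return {
        "mean": statistics.fmean(risks),
        "p05": risks[int(0.05 * n)],
        "p50": risks[n // 2],
        "p95": risks[int(0.95 * n)],
    }


def sensitivity_ranking() -> list:
    """One-at-a-time sensitivity: swing each input between its 5th and 95th
    percentile with the others held at their medians; rank by risk swing."""
    medians = {name: dist.median for name, dist in INPUTS.items()}
    swings = []
    for name, dist in INPUTS.items():
        values = []
        for z in (-Z95, Z95):
            args = dict(medians)
            args[name] = dist.quantile(z)
            values.append(dose_response(dose_from(**args)))
        swings.append((name, abs(values[1] - values[0])))
    return sorted(swings, key=lambda s: s[1], reverse=True)


if __name__ == "__main__":
    print(f"Hazard: {HAZARD}")
    print(f"Point-estimate risk per serving: {point_estimate_risk():.4f}")
    base = simulate_risk()
    print("Monte Carlo: " + ", ".join(f"{k}={v:.4f}" for k, v in base.items()))
    treated = simulate_risk(extra_log10_reduction=1.0)
    print(f"With +1 log10 control measure: mean={treated['mean']:.4f}")
    for name, swing in sensitivity_ranking():
        print(f"Sensitivity of {name}: risk swing {swing:.4f}")
```

Because the inputs are right-skewed, the Monte Carlo mean sits well above the all-medians point estimate: a point estimate hides the high-dose tail that drives most of the illnesses. The percentiles make the uncertainty explicit, the sensitivity ranking shows which input most deserves better data, and the control-measure run answers the "what effect will control measures have" question the FDA passage raises.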
STATUS

The FDA report was released in 2000. Details can be found at www.cfsan.fda.gov/~dms/vprisk.html.

FOOD SAFETY RESOURCE ORGANIZATIONS

There are several resource organizations that provide more information on food risk analysis and risk assessment. Some information on these organizations appears below.

THE FOOD SAFETY RISK ANALYSIS CLEARINGHOUSE

The Food Safety Risk Analysis Clearinghouse is:

the responsibility of the Joint Institute for Food Safety and Applied Nutrition (JIFSAN), a collaboration between the University of Maryland (UM) and the FDA. The Clearinghouse is created and operated by a group of scientific collaborators from the Veterinary Medicine Department at UM, and from the FDA's Center for Food Safety and Applied Nutrition (CFSAN). [The] mission is to establish a clearinghouse that would collect and catalogue available data and methodology on food safety risk analysis offered by the private sector, trade associations, federal and state agencies, and international sources.

Two of the goals of the Clearinghouse are to consolidate risk analysis research data and methodology from public and proprietary sources, and to assist the development of food safety risk assessment models.

THE RISK ASSESSMENT CONSORTIUM

The Risk Assessment Consortium (RAC) consists of representatives from U.S. government agencies with food safety responsibilities such as the FDA, USDA, CDC, NIH and others. The RAC was formed in 1997 to improve coordination and reduce redundancies between these groups. The RAC provides guidance for the Food Safety Risk Analysis Clearinghouse. The goals of the Risk Assessment Consortium include reducing uncertainties inherent in risk assessment and improving risk assessment research by:

♦ Reducing unnecessary research redundancies
♦ Encouraging multi-disciplinary efforts
♦ Identifying and cataloguing risk assessment methods, models, and data sets, and providing broad access through the establishment of a Risk Assessment Clearinghouse
♦ Providing advice and serving as a technical resource for member agencies

Through the Risk Assessment Consortium the agencies will collectively work to enhance communication and coordination between federal agencies and promote the conduct of scientific research that will facilitate risk assessments. Such research will assist the regulatory agencies in fulfilling their specific food-safety risk management mandates. Additional information is available at http://www.foodriskclearinghouse.umd.edu.

EUROPEAN FOOD SAFETY AUTHORITY

One of the results of the European food safety regulation (EC) No 178/2002 was the authorization of the European Food Safety Authority. According to the regulation, the European Food Safety Authority assumes the following duties:

(34) the Authority should take on the role of an independent scientific point of reference in risk assessment and in so doing should assist in ensuring the smooth functioning of the internal market whilst helping avoid the fragmentation of the internal market through the adoption of unjustified or unnecessary obstacles to the free movement of food and feed.

Additional information can be found at http://www.efsa.eu.int/pdf/En Base.pdf.

OFFICE OF RISK ASSESSMENT AND COST-BENEFIT ANALYSIS

The Office of Risk Assessment and Cost-Benefit Analysis was established to review and ensure that major regulations proposed by USDA are based on sound scientific and economic analyses. More information can be found at http://www.usda.gov/agency/oce/oracba.
OFFICE INTERNATIONAL DES EPIZOOTIES Office International Des Epizooties (01E) focuses on animal diseases. The OIE uses an interrelated four step risk assessment process similar to others in the food industry. 1. Release assessment 2. Exposure assessment 3. Consequence assessment 4. Risk estimation Additional information can be obtained at www.oie.int. Depp ^ SaSrafl Bb3 BBsllI CFSAN (2002). Initiation and conduct of all 'major' risk assessments within a risk analysis framework, The Center for Food Safety and Applied Nutrition Risk Analysis Working Group, U. S. Food and Drug Administration, Center for Food Safety and Applied Nutrition, March. Codex Alimentarius Commission. Proposed Draft Working Principles For Risk Analysis For Application In The Framework Of The Codex Alimentarius, Appendix U. www.codexalimentarius.net. Codex Alimentarius Commission. (1999). CAC/GL-30 ALINORM 99/I3A, Appendix II. Principles and guidelines for the conduct of microbiological risk assessment, www. codexal imentar ius. net. Codex Alimentarius Commission. (2002). Report of the seventeenth session of the Codex Committee on General Principles. Joint FAO/WHO Food Standards Programme. Codex Alimentarius Commission, Paris, France, April 15-19,2002. www.codexalimentarius.net FDA. (2000). Draft risk assessment on the public health impact of vibrio parahaemolyticus in raw molhtscan shellfish. U. S. Food and Drug Administration. Center for Food Safety and Applied Nutrition, January. Hemiey, J.E. (1999). Good science: Critical to regulatofy decision-making. Food Safety Policy, Science And Risk Assessment: Strengthening The Connection, Food Forum, institute Of Medicine, Washington, DC, July 13, 1999. http://www.fda.gov/oc/speeches/foodforum.html. Kaferstein , F.K. (2000). On Risk Analysis: the new paradigm in food safety assurance, a summary of international initiatives. www.foodriskclearinghouse.umd.edu/powerpoint/JIFSAN 3 14 001. Liu, X. (2002). 
Microbiological risk assessment in China: Current situation and challenges. Institute of Nutrition and Food Safety, China CDC. www.foodclearinghouse.umd.edu/powerpoint/racconf/liu.html. Regulation (EC). No 178/2002 of the European Parliament and of the Council of 28 January 2002 laying down the general principles and requirements of food law, establishing the European Food Safety Authority and laying down procedures in matters of food safety. http://www.efsa.eu.int/pdf/En Base.pdf. Schothorst, M. van (2000). Microbiological risk assessment of foods in international trade. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa Italy: European Commission. Tuskegee University, (undated). Chapter 1 - Risk analysis: An art and necessity, center for risk analysis. Tuskegee University, http://compepid.tusk.edu/RiskAnalvsis/course/Chl RA.htm. Vose, D. (2002). Use of microbial risk assessment in decision-making. V1 International Conference on Microbiological Risk Assessment, Foodborne Hazards. Adelphi, MD, USA, July 24-26. www.foodriskcIearinghouse.umd.edu/powerpoint/racconf/Vose.html. World Trade Organization. (1995). The agreement on sanitary phytosanitary measures (SPS). Woteki, C. (1998). Nutrition, food safety, and risk assessment - A policy-maker's viewpoint. Remarks by the Under Secretary for Food Safety, before Purdue University, West Lafayette, IN, June 18, www.fsis.usda.gov. jCTIVITIES U.S. Occupational Safety and Health Administration U.S. Presidential/Congressional Commission NIOSH Risk Assessment Evaluation Project Canadian Ministry of Labour Europe Australia National Standards Guide Australian Occupational Health and Safety Regulation Governments are also involved in the risk assessment process. Although few state in detail how to conduct a risk assessment, the following excerpts highlight that governments are requiring risk assessment be conducted in certain instances. U.S. 
OCCUPATIONAL SAFETY AND HEALTH ADMINISTRATION (OSHA) BACKGROUND The U.S. Occupational Safety and Health Administration (OSHA) promulgates workplace safety regulations. The OSHA requirements apply to a broad array of U.S. industries. The OSHA regulations apply specifically to employers (occupational safety) but not to product manufacturers (product safety). In the U.S., OSHA is only concerned with risk to individual workers. Societal risk might enter into the size of a monetary fine for a violation, but risk reduction methods focus on protecting the individual worker. OSHA regulations include risk assessment concepts in at least three areas: personal protective equipment (PPE), hazardous waste operations and the safety and health program. DESCRIPTION Personal Protective Equipment The OSHA safety regulation 29 CFR 1910 Subpart 1 Personal Protective Equipment requires a form of risk assessment in selecting PPE. OSHA uses the term hazard assessment, but the process is essentially the same as risk assessment. OSHA requires the following: 1910.132 (d)(1) Hazard assessment and PPE selection The employer shall assess the workplace to determine if hazards are present, or are likely to be present, which necessitate the use of personal protective equipment. The regulations provide guidance on procedures that would comply with the requirement for hazard assessment in Appendix B, Non-mandatory Compliance Guidelines for Hazard Assessment and Personal Protective Equipment Selection. Appendix B provides assistance in implementing requirements for a hazard assessment and the selection of PPE. The recommended process includes using PPE in conjunction with guards, engineering controls, and sound manufacturing practices to control hazards; and assessing and selecting PPE so that the protective device matches the particular hazard. Guidelines for selecting PPE are included in the regulation. 
Hazardous Waste Operations

Under the safety standards for hazardous waste operations and emergency response 29 CFR 1910.120, OSHA requires the following for a site-specific safety and health plan:

1910.120 (b)(4)(ii) The site safety and health plan, as a minimum, shall address the following:
(A) A safety and health risk or hazard analysis for each site task and operation found in the workplan.

Safety and Health Programs

OSHA also has proposed requirements for hazard assessment in its working draft of a proposed general industry safety and health program standard (OSHA 1996). The proposed program includes the following elements:

• Management leadership and employee participation
• Hazard assessment
• Hazard prevention and control
• Information and training
• Evaluation of program effectiveness

STATUS

OSHA safety regulations are current and enforceable government regulations. Employers in U.S. facilities are required to comply with these regulations. The information in Appendix B of the regulations is informative and not mandatory. The information in the draft proposed standard is not mandatory. If a standard on safety and health programs is promulgated, refer to those requirements. Additional information is available at www.osha.gov.

U.S. PRESIDENTIAL/CONGRESSIONAL COMMISSION

BACKGROUND

In the 1990 Clean Air Act Amendments, the U.S. Congress mandated that a Commission on Risk Assessment and Risk Management be formed to:

make a full investigation of the policy implications and appropriate uses of risk assessment and risk management in regulatory programs under various Federal laws to prevent cancer and other chronic human health effects which may result from exposure to hazardous substances.

The Commission was assembled in May 1994 and documented its findings in a two-volume report published in 1997 (see Omenn et al. 1997).

DESCRIPTION

The Commission presents a risk management model that includes risk assessment as one part. The report includes a general description of the ecological risk assessment effort based on work by the Environmental Protection Agency, but does not provide great detail on how to conduct the assessment. The Commission's findings include the following:

Risk assessment is the systematic, scientific characterization of potential adverse effects of human or ecological exposures to hazardous agents or activities. Risk assessment is performed by considering the types of hazards, the extent of exposure to the hazards, and information about the relationship between exposures and responses, including variation in susceptibility. Adverse effects or responses could result from exposures to chemicals, microorganisms, radiation or natural events. Risk assessment provides the scientific foundation for risk management decision-making.

Risk assessment can be controversial. Lack of data is a major barrier to reliable risk assessments. Usually, the technical information that is available on which to base a risk management decision is incomplete. Because so many judgments must be made based on limited information, it is critical that all reliable information be considered.

The Commission considers risk assessment a useful analytic process that provides valuable contributions to risk management, public health, and environmental policy decisions. We recommend that the performance of risk assessments be guided by an understanding of the issues that will be important to managers' decisions and to the public's understanding of what is needed to protect public health and the environment.

STATUS

The Commission's report is complete and is available to the public at www.riskworld.com.

NIOSH RISK ASSESSMENT EVALUATION PROJECT

BACKGROUND

The U.S. National Institute for Occupational Safety and Health (NIOSH), part of the Centers for Disease Control and Prevention, commenced a research project in 2002 to evaluate the U.S. machine tool industry's approach to risk assessment.
The Association for Manufacturing Technology's Technical Report #3 (TR3) on risk assessment, developed by the U.S. B11 machine tool industry, was published in 2000 (discussed further in Chapter 22). The NIOSH study focuses on evaluating the effectiveness of this risk assessment process.

DESCRIPTION

The evaluation project has five goals:

1. To introduce TR3 into manufacturing workplaces where it is expected to promote a reduction in machine-related injury;
2. Train personnel who will apply it;
3. Facilitate them in using it;
4. Collect planned measures of TR3's effectiveness; and
5. Analyze the data collected and report to the machine safety community on 1) its injury-prevention capability, 2) related measures of effectiveness, and 3) identify ways to extend that effectiveness to more workplaces.

The structure of the project is to work with manufacturers that use machine tools and plan to purchase or retrofit a machine tool for or in their facility. Two company representatives attended an in-depth training session to learn the TR3 risk assessment process in sufficient detail that they can in turn train others at their facility. Participating companies received a training videotape on risk assessment. They also received the designsafe® risk assessment software to assist their risk assessment efforts.

STATUS

This research project commenced in the summer of 2002 and is currently ongoing. The results are expected in 2004. Additional information about the project will be available at www.cdc.gov/niosh when the final report is complete.

U.S. HOMELAND SECURITY

BACKGROUND

Following the terrorist attacks on the U.S. on 11 September 2001, the Executive Office of the President's Office of Science and Technology Policy (OSTP) sponsored a workshop on Critical Infrastructure Protection Priorities. The workshop was held on 23-24 September 2002 in Washington, D.C. The workshop focused on addressing the role of science and technology in implementing the National Strategy to prevent terrorist attacks, reduce the vulnerability to terrorism, and minimize the damage from attacks that do occur. Over ninety industry leaders and government officials attended the workshop. The participants identified seventeen proposals for actions to improve homeland security, primarily focusing on infrastructure. According to Sims (2003a), "the proposal to develop a process for risk-based decision-making was voted the top proposal by the Workshop participants." Following the workshop the American Society of Mechanical Engineers (ASME) was awarded a grant to develop a guidance document on risk analysis. According to Sims (2003b), "The primary focus will be on the use of risk analysis in public policy decision-making, although the methods are broadly applicable."

DESCRIPTION

Although the project remains a work in progress, according to Sims (2003b) the document is expected to contain the following:

• Simple qualitative methods that can be used for preliminary screening of concepts
• Detailed probabilistic risk analysis (PRA) methods
• Intermediate methods that can be used as appropriate
• Provide for the continued use of established methods
• Common terminology
• A common basis for reporting results
• Approaches for quantifying risks in dollars, even when simple qualitative methods are used
• Review and commentary on currently used risk analysis methods
• References to databases that can be used to develop probability estimates
• A discussion of methods of expert-opinion elicitation that can be used to determine probabilities when data are sparse
• Methods for quantifying consequences that involve injuries and fatalities as well as environmental damage and other difficult to quantify consequences
• Guidance on risk communication to obtain broad acceptance of the decisions that are made

The focus of the project appears to be on societal risk and improving the effectiveness of resource allocations. How, or if, the project will address individual risk remains uncertain.

RISK SCORING SYSTEM

The materials available indicate that different complexities of systems may be accommodated. This study will define risk as a mathematical product of severity of consequences and probability of occurrence. In this method severity is intended to be quantified in terms of the costs in dollars and probability is a quantitative value between 0 and 1. Then the risk can be calculated as a quantitative dollar value. If valid estimates for severity and probability can be obtained for different risk reduction methods being considered, the benefit of each approach can be evaluated based on the following equation:

Benefit = unmitigated risk - mitigated risk

where the unmitigated risk is the risk (in dollars) with no risk reduction measures in place, and the mitigated risk is the risk (in dollars) with the risk reduction method(s) being considered. Sims (2003a) provides examples of this calculation for different applications with assumed quantitative values for severity and probability. There is no discussion provided on where or how the estimates are obtained. There is also no discussion on how to value individual risk and the potential legal liabilities that might result, such as how to value an individual life or body part versus the costs of implementing a particular risk reduction method.

STATUS

The ASME Critical Assets Protection Initiative remains a work in progress. A target deliverable for a guidance document is scheduled for 1 September 2004. Additional information can be obtained at www.becht.com.

CANADIAN MINISTRY OF LABOUR

BACKGROUND

In 2000, the Canadian Ministry of Labour issued a requirement for a Pre-Development Review under Section 7 of the Regulations for Industrial Establishments of the Occupational Health and Safety Act (OHSA).
Under this regulation a Pre-Development Review required that "owners or lessees of certain hazardous equipment, or equipment used in hazardous processes obtain a professional engineer's report on the equipment in the design stage which stated that it was safe and complied with the regulations of the OHSA." This regulation was amended to clarify the responsibility for the examination of new or modified equipment, machinery and devices. The amendment also specifies the situations which require a review and who may perform them. In April 2001, the Ministry of Labour published Guidelines for Pre-Start Health and Safety Reviews: How to Apply Section 7 of the Regulation for Industrial Establishments. The document includes information for employers on the levels of diligence, methodology and reporting required to comply with the regulations.

DESCRIPTION

According to the Guidelines:

The Pre-Start Health and Safety Review is intended to ensure worker protection as required under the applicable provisions of the Regulation for Industrial Establishments. A Pre-Start Health and Safety Review includes a written report on the construction, addition or installation of a new apparatus, structure, protective element or process, or modifications to an existing apparatus, structure, protective element or process. The employer must address any measures necessary to bring the construction, addition, installation or modification into compliance before production begins.

The Guideline specifically requires a risk assessment for deviations from Canadian standards requirements. The risk assessment is to be carried out in accordance with ISO 14121/EN 1050.

STATUS

The Ministry of Labour regulations and the Guideline are current. Additional information is available at http://www.gov.on.ca/LAB/english.

EUROPE

BACKGROUND

The Council of the European Communities issued directive 89/391/EEC on the introduction of measures to encourage improvements in the safety and health of workers at work. Under Section I General Provisions, Article 9 addresses employer obligations and includes "the employer shall be in possession of an assessment of the risks to safety and health at work, including those facing groups of workers exposed to particular risks." Article 10 of Section I addresses worker information:

The employer shall take appropriate measures so that workers with specific functions in protecting the safety and health of workers shall have access to, to carry out their functions and in accordance with national laws and/or practices, to the risk assessment and protective measures referred to in Article 9.

Although the Directive does not specify what kind of risk assessment is required, it does require employers to have completed a risk assessment.

In the UK, the HSE outlines its decision-making process in Reducing risks, protecting people (2001). The following excerpts illustrate why risk assessments are increasingly being adopted throughout the world:

A fundamental principle underpinning the HSW Act is that those who create risks from work activity are responsible for protecting workers and the public from the consequences.

The results of the risk assessment are used to inform rather than to dictate decisions and are only one of the many factors taken into account in reaching a decision.

HSE uses risk assessment essentially as a tool to inform its decisions by assisting in the understanding of the nature and degree of risk.

STATUS

European Community directive 89/391/EEC is an approved and existing directive that requires risk assessment. Additional information can be obtained from www.europeandocuments.com and other sources. Considerably more detail on the HSE process can be found in HSE (2001).

AUSTRALIA NATIONAL STANDARDS GUIDE

BACKGROUND

Australia is a federation of six States and two Territories, and each State and Territory has responsibility for making and enforcing laws about workplace health and safety.
Each State and Territory has a principal Occupational Health and Safety Act, which sets out the requirements for ensuring that workplaces are safe and healthy. The National Standards Guide (1997) includes part of the requirements as the Duty of Care: "Duty of Care requires everything 'reasonably practicable' to be done to protect the health and safety of others at the workplace." This duty is placed on all employers, their employees and others who influence the hazards in a workplace such as contractors:

"Reasonably practicable" means that the requirements of the law vary with the degree of risk in a particular activity or environment which must be balanced against the time, trouble and cost of taking measures to control risk. It allows the duty holder to choose the most efficient means for controlling a particular risk from the range of feasible possibilities preferably in accordance with the 'hierarchy of control.' The duty holder must show that it was not reasonably practicable to do more than what was done or that they have taken 'reasonable precautions and exercised due diligence.'

National codes of practice advise employers and workers of an acceptable way of meeting the national standards. National standards deal with specific workplace hazards such as noise or hazardous environments. Both national standards and codes of practice are declared by the National Occupational Health and Safety Commission (NOHSC). These standards are distinct from the standards promulgated by Standards Australia, an independent body founded in 1922.

DESCRIPTION

The National Standards Guide is separated into two parts. The first part contains information on common requirements for all NOHSC material including an explanation of the generic process of hazard identification, risk assessment and risk control and review. The second part of the Guide focuses on specific types of workplace hazards. For each type of hazard the Guide provides advice on completing the process of hazard identification, risk assessment and control. The Guide indicates, "under all NOHSC standards and codes, employers have a duty to implement a systematic process of hazard identification, risk assessment, risk control and review in the workplace." The Guide specifies that training programs should include the process of hazard identification, risk assessment and control (among others). That employers are required to train employees in risk assessment methods indicates just how integrated risk assessment has become in Australia and New Zealand codes.

In the case of hazardous substances, the Guide directs that employers must assess risks at appropriate intervals but not more than five years apart. In addition, employers must keep records of risk assessments for five years if there is no need for monitoring or health surveillance, and 30 years if there is such a need.

FLOWCHART

The Guide provides a four-step approach to systematically keep the risks controlled, as follows:

Step 1 Identify hazards
Step 2 Assess risks
Step 3 Control the risks
Step 4 Review

RISK SCORING SYSTEM

Under the second step, Assess risks, the Guide defines risk as a combination of the likelihood of injury or illness occurring and the consequences of its occurring. However, the Guide provides no information on the details of how to assess risks within the construct of its definition, either the likelihood of injury or the consequence of occurrence, or how these combine to yield a risk level. The Guide does provide several checklists on particular hazards and indicates that the presence of the hazard is an indication of increased risk.

STATUS

The Final Draft of the Australian National Standards Guide was released in 1997. The document is currently under revision. Additional information can be found at http://www.nohsc.gov.au.
AUSTRALIAN OCCUPATIONAL HEALTH AND SAFETY REGULATION

DESCRIPTION

In Australia, the New South Wales Occupational Health and Safety Act of 2000 led to the Occupational Health and Safety Regulation 2001. The Occupational Health and Safety Regulation 2001 requires that employers, premises owners, facility designers and plant manufacturers (those who construct the facility) conduct risk assessments. The requirements under Chapter 2 of the regulation include:

An employer must take reasonable care to identify any foreseeable hazard that may arise from the conduct of the employer's undertaking and that has the potential to harm the health or safety of [employees or others legally on the premises].

The employer is explicitly required to identify hazards arising from the following:

• The work premises
• Work practices, work systems, shift working arrangements
• The plant [construction, use]
• Hazardous substances
• Asbestos
• Manual handling
• The layout and condition of a place of work
• Biological organisms, products or substances
• The physical working environment
• The potential for workplace violence

Employers with 20 or fewer employees are exempt from these requirements. The regulation also requires that an employer:

• Must eliminate any reasonably foreseeable risk to the health or safety of [an employee or others]
• If it is not reasonably practicable to eliminate the risk, the employer must control the risk, and
• Must ensure that all measures (including procedures and equipment) that are adopted to eliminate or control risks to health and safety are properly used and maintained.
• Consult with the employees concerning hazards and risks

The regulation requires that employers include employees in the risk assessment process. In some instances an entity other than the employer controls the premises where the work is completed. Chapter 4 of the regulations applies to premises controllers and requires that the controllers identify hazards, assess the risks of harm and eliminate or reduce risks.

STATUS

The Occupational Health and Safety Regulation has been active since 2001. Copies of the regulation can be obtained from www.workcover.nsw.gov.au.

REFERENCES

ANSI B11 Technical Report #3 (2000). Risk Assessment - A guideline to estimate, evaluate and reduce risks associated with machine tools. The Association for Manufacturing Technology, www.amtonline.org.

Canadian Ministry of Labour (2000). Pre-development review under section 7 of the regulations for industrial establishments of the Occupational Health and Safety Act (OHSA).

Canadian Ministry of Labour (2001). Guidelines for pre-start health and safety reviews: How to apply section 7 of the regulation for industrial establishments. www.gov.ca/lab/ohs.

EEC 89/391/EEC. (1989). Framework health and safety directive. European Union, www.europeandocuments.com.

HSE. (2001). Reducing risks, protecting people: HSE's decision-making process. Health and Safety Executive. www.hse.gov.uk.

ISO 14121/EN 1050-1999. Safety of machinery; risk assessment. International Organization for Standardization. www.iso.ch.

National Standards Guide. (Final Draft). National Occupational Health and Safety Commission. http://www.nohsc.gov.au/OHSInformation/NOHSCPublications/fulltext/toc/03297-01.htm.

Omenn, G.S., Kessler, A.C., Anderson, N.T., Chiu, P.Y., Doull, J., & Goldstein, B., et al. (1997). Risk assessment and risk management in regulatory decision-making. The Presidential/Congressional Commission on Risk Assessment and Risk Management, Volumes I and II. www.riskworld.com.

OSHA. (1996). OSHA's working draft of a proposed safety and health program standard. Occupational Safety and Health Administration, www.osha.gov.

OSHA. 29 CFR 1910. Subpart I, Appendix B. Non-mandatory compliance guidelines for hazard assessment and personal protective equipment selection. Occupational Safety and Health Administration, www.osha.gov.

OSHA. (1998). 29 CFR 1910.132. Agency information collection activities; Proposed collection; Comment request; Personal protective equipment. Occupational Safety and Health Administration, www.osha.gov.

OSHA. (1999). 29 CFR 1910.120. Hazardous waste operations and emergency response. Occupational Safety and Health Administration, www.osha.gov.

Sims, J.R. (2003a). The Use of Risk Analysis in Decision-Making. Lyondell/Equistar 2003 Worldwide Reliability Forum, 19 February 2003. www.becht.com.

Sims, J.R. (2003b). Proposal for Development of a Guidance Document on Risk Analysis. ASME Critical Assets Protection Initiative (CAPI) Risk Analysis Team, www.becht.com.

LAND TRANSPORT

Auto and Rail Transport
Off-road

AUTO AND RAIL TRANSPORT

BACKGROUND

In the auto and railway transport industry, quantitative risk assessment (QRA) procedures are used whenever data make this possible. Qualitative measures of hazards are used when quantitative methods are not possible. Hoj and Kroger (2000) indicate that risk assessment has been widely applied in transportation in recent years, and that risk assessment has been applied to many types of problems in different contexts. They mention the following as examples:

Risk analyses can be used to analyse the effect of wearing seat belts, the cost efficiency of air bags, reliability of ABS brakes, further it can verify the feasibility of speed limits or of creating a pedestrian crossing. It has also been used to evaluate the introduction of automatic train control and as an integrated part of design of new traffic links.

In his discussion of road safety, Petersen (2000) indicates that risk assessments are based on retrospective analysis of past accident experience.
The analyses are conducted at the national level in preparing road safety plans, whereas regional assessments focus on 'black spot' investigations of geographical locations where the number of accidents is significantly higher than expected.

DESCRIPTION

Cassini and Pons (2000) discuss quantitative risk assessment as related to transport of goods through road tunnels. Cassini and Pons have been involved in developing modeling software that produces quantitative information about risk levels due to the transport of dangerous goods on given routes, some of them including tunnels. The approach used was to develop probable incident scenarios that could be evaluated using the modeling software. Cassini and Pons (2000) state that:

In UK, in Switzerland and in The Netherlands, QRA techniques are used so as to produce societal risk and/or individual risk assessment for dangerous goods transport that can be compared to acceptance criteria. In France, such QRA techniques are used to compare the risks due to transport of dangerous goods on two (or more) possible routes.

The latter is a relative comparison of one route to the other, versus the absolute comparison against the firm criteria of the former.

The main outputs are F/N curves and individual risk contours for fatalities. Risks of injuries, damage to the tunnel and the environment are dealt with in a more qualitative way.

An example F/N curve appears in Figure 12.1. The QRA process used in the auto and railway transport industry is similar to those used in other industries. The popular F-N curve is a cumulative presentation of accident frequencies as a function of the size of the accidents.

In the UK rail industry, Brearley (2000) states:

Since early 1999, a new system-wide Safety Risk Model has been under development, which forms the foundation for our risk information. The model provides a structured representation of the causes and consequences of potential accidents arising from the operation and maintenance of Railtrack controlled infrastructure. It will generate a comprehensive railway risk profile, covering all known hazards and their consequences to the exposed populations of passengers, workers and members of the public. The Safety Risk Model predicts the frequency of hazardous events per year and the expected outcomes (risk) in terms of equivalent fatalities per year.

For a number of reasons, the UK railway industry has given considerable thought to risk decision making recently. This has caused us to question whether traditional tools and methods to support decision making are adequate to ensure that safety decisions meet public expectations. These factors led us to develop a more general framework for taking decisions that affect railway safety. Depending on the characteristics of the decision:

• A different mix of tools and techniques will be used to inform the decision
• A different set of parties may need to be consulted or to participate in the decision making process, and
• The decision will be made at different levels within organisations.

Recent thinking recognises that different types of decisions will require different decision processes and different levels of stakeholder involvement and participation.

FLOWCHART

Hoj and Kroger (2000) present a view of the Risk Management Process in the auto and railway transport industry as shown in Figure 21.1.

[Figure 21.1 - Risk Management Process (Auto and Railway Transport Industry). Source: C. Kirchsteiger, G. Cojazzi (Eds.), Promotion of Technical Harmonisation on Risk-Based Decision Making, Proceedings of a Workshop held on May 22-24, 2000, Grand Hotel Bristol, Stresa, Italy, 2 Vol., European Commission DG JRC, S.P.I.0063, May 2000. Legibility limited due to original.]

RISK SCORING SYSTEM

According to the literature, the auto and rail transport industry uses a quantitative risk scoring system. Details of this system do not appear in the literature.

STATUS

QRA has been developed as an aid to decision making in the auto and railway transport industry. Although focusing only on a limited number of dangerous goods transported in different ways, the tools effectively aid the decision process. Further refinements of the QRA process in this industry will continue and will likely lead to improved results and applications. Brearley (2000) shares that:

The Safety Risk Model is already in high demand within the UK Safety and Standards Directorate to inform our core activities. The rail industry too has shown enthusiasm for the concept, and expressed keen interest in having access to the model as a foundation for more detailed analysis.

Additional information can be found in Brearley (2000), Cassini and Pons (2000), Hoj and Kroger (2000), and Petersen (2000).

OFF-ROAD

BACKGROUND

Off-road transportation includes machinery and equipment designed for construction, agricultural, mining, industrial, forestry and utility applications. The trade organization that represents many manufacturers of this type of equipment is the Association of Equipment Manufacturers (AEM). AEM sponsors an annual seminar where risk assessment methods are often discussed.

DESCRIPTION

Risk assessment in manufacturing of off-road equipment follows a general approach consistent with many other industries. Ahlschwede (2000) presents the process as follows:

• Preparation
• Review the design
• Brainstorm hazard scenarios
• Individual and group consensus ratings
• Action plan

The consensus ratings address the risk scoring system shown below. The Action plan is based on the results of the risk scores and any additional risk reduction necessary to reduce risk to an acceptable level.
RISK SCORING SYSTEM

Ahlschwede (2000) presents a typical risk scoring system used in production agriculture and other off-road equipment manufacturing. The system is based in part on the work of Murphy (1997). The risk scoring system uses three risk factors of frequency of exposure, vulnerability, and severity. Table 21.1 defines the risk factors. The risk levels for each risk factor appear in Tables 21.2-21.4.

Table 21.1 - Risk factors (Off-road Industries)

Risk Factor    Description
Frequency      An estimate of how often a product user or bystander may be exposed to a hazard. The hazard may result from a machine part or system failure or from a man-machine interface failure.
Vulnerability  The likelihood that personal injury will occur once exposure to a hazard has occurred, taking into account the detectability of a hazard, risk assumptions, operator skills and attitude, environmental or stress conditions, and foreseeable misuse.
Severity       The most probable injury which would be expected from an accident.

Table 21.2 - Frequency Scale (Off-road Industries)

Level  Description
1      Theoretically possible, but highly unlikely during life of the machine population
3      Only once in life of small percentage (10%) of product
5      Once per use season or once annually
7      Once daily
9      Continuous exposure

Table 21.3 - Vulnerability Scale used in Off-road Industries

Level  Description
1      Practically impossible to complete injury sequence.
3      Remotely possible, but not likely.
5      Some conditions favorable to completing injury sequence.
7      Very possible, but not assured.
9      Almost certain to complete injury sequence.

Table 21.4 - Severity Scale (Off-road Industries)

Level  Description
1      Minor first aid. Immediate return to work/activity.
3      Doctor's office or emergency room treatment. Up to one week lost work time.
5      Hospitalization. Up to one month lost work time. No loss in work capacity.
7      Permanent partial loss in work capacity. Increased work difficulty.
9      Death or complete disability.
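The off-road scoring system in Tables 21.1-21.4, worked through in code, as an added example rather than anything published by Ahlschwede, Murphy or AEM. It encodes the three 1/3/5/7/9 scales, multiplies the three factor levels into the composite score the text describes, averages the composites across a team of raters as Murphy (1997) recommends, and ranks hazard scenarios for the action plan against an acceptability threshold. The hazard scenarios, rater values and the threshold of 100 are constructed for illustration; the book states that acceptable-risk levels are set by each company, so the threshold is an assumption, not a value from the page.

```python
"""Off-road equipment risk scoring: composite = Frequency x Vulnerability x Severity,
averaged over a team of raters, then ranked for the action plan.

Added example, not code from the book or from AEM/Ahlschwede/Murphy."""

# Scale levels from Tables 21.2-21.4; only the odd levels 1-9 are defined.
FREQUENCY = {
    1: "Theoretically possible, but highly unlikely during life of the machine population",
    3: "Only once in life of small percentage (10%) of product",
    5: "Once per use season or once annually",
    7: "Once daily",
    9: "Continuous exposure",
}
VULNERABILITY = {
    1: "Practically impossible to complete injury sequence",
    3: "Remotely possible, but not likely",
    5: "Some conditions favorable to completing injury sequence",
    7: "Very possible, but not assured",
    9: "Almost certain to complete injury sequence",
}
SEVERITY = {
    1: "Minor first aid; immediate return to work/activity",
    3: "Doctor's office or emergency room treatment; up to one week lost work time",
    5: "Hospitalization; up to one month lost work time; no loss in work capacity",
    7: "Permanent partial loss in work capacity; increased work difficulty",
    9: "Death or complete disability",
}


def composite_score(frequency: int, vulnerability: int, severity: int) -> int:
    """Risk = Frequency x Vulnerability x Severity (range 1..729).

    Levels that are not on the defined scales are rejected, so a stray 4 or 10
    on a rating sheet cannot silently deflate or inflate a score."""
    for name, level, scale in (("frequency", frequency, FREQUENCY),
                               ("vulnerability", vulnerability, VULNERABILITY),
                               ("severity", severity, SEVERITY)):
        if level not in scale:
            raise ValueError(f"{name} level {level} is not on the 1/3/5/7/9 scale")
    return frequency * vulnerability * severity


def team_score(ratings) -> float:
    """Average each expert's composite score (Murphy 1997) for one hazard.

    `ratings` is a list of (frequency, vulnerability, severity) triples,
    one per rater."""
    if not ratings:
        raise ValueError("at least one rating is required")
    composites = [composite_score(f, v, s) for f, v, s in ratings]
    return sum(composites) / len(composites)


def action_plan(hazards, threshold):
    """Rank hazard scenarios by team score, highest first, and flag those at or
    above `threshold` as needing further risk reduction.

    The threshold is company policy (an assumption here; the book says levels
    for risk reduction and acceptable risk are set per company)."""
    scored = [(name, team_score(ratings)) for name, ratings in hazards.items()]
    scored.sort(key=lambda item: item[1], reverse=True)
    return [(name, score, score >= threshold) for name, score in scored]


# Constructed sample scenarios (not from the page): three raters per hazard.
SAMPLE_HAZARDS = {
    "PTO shaft entanglement": [(7, 5, 9), (5, 7, 9), (7, 5, 9)],
    "pinch point at hitch": [(7, 5, 3), (5, 5, 3), (7, 3, 3)],
    "slip on access step": [(9, 3, 3), (9, 3, 1), (7, 3, 3)],
}
COMPANY_THRESHOLD = 100  # assumed company acceptability limit, not from the page

if __name__ == "__main__":
    for name, score, needs_action in action_plan(SAMPLE_HAZARDS, COMPANY_THRESHOLD):
        verdict = "reduce risk" if needs_action else "acceptable"
        print(f"{name:24s} {score:6.1f}  {verdict}")
```

Because the three factors multiply, a single extreme rating dominates the composite: a hazard rated 9/9/1 and one rated 1/9/9 both score 81, which is why the book recommends averaging across several experts rather than trusting one sheet.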
The individual ratings for the three factors are combined by multiplying them together to obtain a composite risk score. Risk - Frequency x Vulnerability x Severity Levels for risk reduction and acceptable risk are determined on a company rather than industry basis. Murphy (1997) indicates that: Risk scoring is somewhat subjective as equally qualified experts may assign different scores to a given product. Therefore, the technique is best used by teams of experts so that each expert's composite score can be averaged to find a final hazard risk score. STATUS Risk assessment in the off-road equipment industries is entirely on a voluntary basis. No specific standard, guideline or technical requirement currently exists in this industry. Additional information about off-road equipment risk assessment can be obtained from www.aem.org. REFERENCES Ahlschwede, B. (2000). Hazard analysis system. Presentation made at the Association of Equipment Manufacturers annual product safety seminar, www.aem.org. Brearley, S.A. (2000). UK railways: using risk information in safety decision making. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa Italy: European Commission. Cassini, Ph., & Pons, Ph. (2000). Risk assessment for the transport of goods through road tunnels. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa Italy: European Commission. Hoj, N.P. & Kroger, W. (2000). Risk analysis of transportation on road and railway. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa Italy: European Commission. Murphy, D. (1997). Safety and health for production agriculture. ASAE Textbook #5. American Society of Agricultural Engineers, www.asae.org. Petersen, K. (2000). Safety in transport by road. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. 
Stresa Italy: European Commission.

LIFTS (ELEVATORS), ESCALATORS AND PASSENGER CONVEYORS

ISO/TS 14798 provides guidance on each step, particularly on various ways to identify hazards. The document includes the hazard control hierarchy for risk reduction under Step 6.

FLOWCHART

The risk analysis process used in ISO/TS 14798 appears in Figure 22.1.

Figure 22.1 - Overview of Risk Analysis per ISO/TS 14798:2000(E)

RISK SCORING SYSTEM

ISO/TS 14798 presents a risk scoring system in an Appendix to the document. The risk scoring system uses two risk factors, severity and frequency. The severity categories and levels of frequency appear in Tables 22.1-22.2. The risk factors map to a risk profile as shown in Table 22.3.

Table 22.1 - Severity Categories per ISO/TS 14798:2000(E)
Category of severity | Definition
I Catastrophic | Death, system loss, or severe environmental damage
II Critical | Severe injury, severe occupational illness, major system or environmental damage
III Marginal | Minor injury, minor occupational illness, minor system or environmental damage
IV Negligible | Will not result in injury, occupational illness, system or environmental damage
NOTE: The definitions of the categories of severity need to reflect the generic task being analyzed, for example: 1) use of fire-fighting elevators; 2) use of elevators by persons with physical disabilities.

Table 22.2 - Levels of Frequency per ISO/TS 14798:2000(E)
Level of Frequency | Definition
A Frequent | Likely to occur often
B Probable | Will occur several times in the life cycle of the system
C Occasional | Will occur at least once in the life cycle of the system
D Remote | Unlikely, but may possibly occur in the life cycle of the system
E Improbable | So unlikely that it can be assumed occurrence will not be experienced
F Impossible | The hazard incident cannot occur unless caused by a deliberate act

Table 22.3 - Risk Profile per ISO/TS 14798:2000(E)
Frequency | I Catastrophic | II Critical | III Marginal | IV Negligible
A Frequent | IA | IIA | IIIA | IVA
B Probable | IB | IIB | IIIB | IVB
C Occasional | IC | IIC | IIIC | IVC
D Remote | ID | IID | IIID | IVD
E Improbable | IE | IIE | IIIE | IVE
F Impossible | IF | IIF | IIIF | IVF

Risk level | Cells | Action
Unacceptable | IA, IB, IC, IIA, IIB, IIIA | Corrective action required to eliminate the risks
Undesirable | ID, IIC, IIIB | Corrective action required to mitigate the risks
Acceptable with review | IE, IID, IIE, IIIC, IIID, IVA, IVB | Review required to determine whether any action is necessary
Acceptable without review | IF, IIF, IIIE, IIIF, IVD, IVE, IVF | No action required

STATUS

ISO/TS 14798:2000(E) is currently under revision. Feedback from users has been collected and an effort to revise and improve the document is under way. Additionally, information on the risk assessment methods used by Schindler Management AG can be found in Chapter 13.

REFERENCES

ISO/IEC Guide 51: 1999 (E). Safety aspects - Guidelines for their inclusion in standards. Second Edition. International Organization for Standardization. www.iso.ch.
ISO/TS 14798: 2000(E). Lifts (elevators), escalators and passenger conveyors - Risk analysis methodology. International Organization for Standardization. www.iso.ch.

LOCKOUT/TAGOUT STANDARD - REACHING ACROSS INDUSTRY LINES
U.S. Standard ANSI Z244.1
Canadian Standard CSA Z460

U.S. STANDARD ANSI Z244.1

BACKGROUND

The first version of ANSI Z244.1 was released in 1982 under the title American National Standard for Personnel Protection - Lockout/Tagout of Energy Sources - Minimum Safety Requirements. This standard was reaffirmed several times over the years without changes until 1997, when a writing subcommittee was reconstituted to update the standard. The committee has updated the standard considerably and revised the title to ANSI Z244.1 Control of Hazardous Energy - Lockout/Tagout and Alternative Methods. In the past, the lockout/tagout standard had a narrow focus that tended to concentrate on procedures.
The revised standard changes the focus considerably. According to the Foreword:

The standard now more effectively addresses the need for greater flexibility through the use of alternative methods based on risk assessment and application of the hazard control hierarchy. In addition, the standard emphasizes management's responsibility for protection of personnel against the release of hazardous energy.

The emphasis moves from employees following procedures to management's responsibility to protect personnel. This change in emphasis represents a significant modification to the standard. Throughout the document, risk assessment is tightly integrated into the standard. The standard includes risk assessment as one of the responsibilities of the manufacturer, integrator, modifier, and remanufacturer: "a risk assessment shall be performed during the engineering design stage of development to determine the need for and design sufficiency of appropriate energy isolating devices and systems." Note that the word "shall" is prescriptive, meaning a mandatory requirement for compliance with the standard. Under this standard, risk assessment is not considered optional during engineering design.

One of the benefits that comes from risk assessment is the recognition of real-world situations that need better safety precautions. In the past, equipment designers provided for lockout/tagout so that the equipment could be de-energized during maintenance or other work. However, the design did not provide for troubleshooting or other diagnostic work that required the power to remain on. Risk assessment helps to identify all tasks, including those that require power on, and prompts risk reduction efforts to accommodate the necessary tasks. The ANSI Z244.1 standard explicitly addresses these situations in a clause devoted to partial energization (clause 4.1.2). Risk assessment is required within that clause.
Users also have risk assessment responsibilities under clauses 5.2 and 5.4 of the standard, which relate to alternative methods of control of hazardous energy. These passages cover situations where lockout/tagout prohibits completing certain tasks and thus alternative methods of controlling hazardous energy are necessary. The standard requires that "selection of an alternative control method by the user shall be based on a risk assessment of the machine, equipment or process."

ANSI Z244.1 will likely advance risk assessment into mainstream business decision making. The content of this standard touches just about every manufacturer in the U.S. Other countries will also be touched by the content of this standard. From the Foreword: "the [unexpected release of hazardous energy] issue is of global concern since all of the major industrialized countries of the world are actively addressing the problem in various ways." Although other countries may not adopt the current ANSI Z244.1 approach outright, the content will be studied and the key ideas used. As a result, risk assessment will likely continue to gain acceptance.

DESCRIPTION

The risk assessment process used in the draft standard includes the following elements:
• Identification of the tasks and related hazards
• Qualitative estimation of exposure and severity to determine the level of risk
• Assessment and evaluation of the risk
• Identification of potential control actions considered to reduce the risk of each hazard
• Identification of control actions selected as the best protective alternative
• Verification of the effectiveness of the selected alternative
• Documentation of the risk assessment process

FLOWCHART

Clause 5.4.1 and Annex A (Informative) describe the ANSI Z244.1 risk assessment process.
The steps are shown below:
• Identify all tasks
• Identify hazards
• Assess the potential consequences
• Assess the potential exposure to the hazards
• Assess the probability of occurrence
• Evaluate the risk
• Acceptable level of risk
  - if acceptable, then the process is completed until a review is required
  - if unacceptable, then risk reduction is necessary
• Risk reduction (following the hierarchy of controls)
• Repeat the risk assessment process
• Review the risk assessment and risk reduction

RISK SCORING SYSTEM

ANSI Z244.1 does not specify a particular risk scoring system but references several other documents, such as MIL-STD-882D, ANSI B11 TR3, ANSI/RIA R15.06 and others, that contain additional details. The standard does include an example in an informative Annex that uses the risk factors severity (four levels: Catastrophic, Serious, Moderate and Minor) and probability (three levels: Frequent, Periodic, and Infrequent), and three risk levels (High, Moderate, and Low). The example gives no detailed indication of how the risk factors map to the risk levels.

STATUS

The ANSI Z244.1 standard was approved in July 2003. Due to a change in the Secretariat of the standard, the release of the final standard is pending. Additional information can be obtained at www.asse.org.

CANADIAN STANDARD CSA Z460

Risk assessment also appears in a Canadian standard for machinery lockout. CSA Z460 Machinery Lockout and Hazardous Energy Control is in the early stages of development. The writing committee has started drafting the standard, and risk assessment will be part of it. This standard is a work in progress; the committee expects to publish it in 2005.

REFERENCES

ANSI B11 Technical Report #3 (2000). Risk Assessment - A guideline to estimate, evaluate and reduce risks associated with machine tools. The Association for Manufacturing Technology. www.amtonline.org.
ANSI Z244.1-2003 (final draft). Control of hazardous energy - Lockout/tagout and alternative methods. American Society of Safety Engineers. www.asse.org.
ANSI/RIA R15.06-1999. Safety requirements for industrial robots and robot systems. Robotic Industries Association. www.robotics.org.
MIL-STD-882D (2000). Standard practice for system safety. Department of Defense, U.S.A. www.defenselink.mil.

MACHINERY AND MACHINE TOOLS
Europe - General
United Kingdom
ISO Guide 51
Europe - Machine Tools
French Risk Analysis
U.S. Machine Tool Industry
U.S. Machinery Electrical Requirements
Canadian Risk Graph for Machinery
Machinery Risk Assessment

The sub-sections in this chapter appear in approximate chronological order of when the activity or document was completed.

EUROPE - GENERAL

BACKGROUND

The European approach to risk assessment originally appeared in the standard EN 1050:1996, Safety of machinery - Risk assessment. The current version of this standard was adopted as ISO 14121:1999. This standard has had a very significant impact on all manufacturers that produce equipment used in workplaces in the European Union (EU). Through the CE mark, the countries of the EU explicitly require an analysis of the hazards in accordance with the hazard elimination and control hierarchy. The first step in obtaining the CE mark is to conduct a risk assessment in accordance with ISO 14121/EN 1050. Therefore, manufacturers of products to be sold in the EU are required to conduct a hazard analysis and risk assessment, and have been greatly impacted by this standard.

DESCRIPTION

The ISO 14121/EN 1050 scope includes the following:

This International Standard establishes general principles for the procedure known as risk assessment, by which the knowledge and experience of the design, use, incidents, accidents and harm related to machinery is brought together in order to assess the risks during all phases of the life of the machinery.
This International Standard gives guidance on the information required to allow risk assessment to be carried out. Procedures are described for identifying hazards and estimating and evaluating risk. The purpose of the International Standard is to provide advice for decisions to be made on the safety of machinery and the type of documentation required to verify the risk assessment carried out.

FLOWCHART

The approach in ISO 14121/EN 1050 is outlined in Figure 24.1.

RISK SCORING SYSTEM

ISO 14121/EN 1050 does not include a risk scoring system. The document only provides general guidance on the risk assessment process. This has become a significant criticism of the document, because users seek information on how to actually perform risk assessments. The document does state that the elements of risk are the severity and the probability of occurrence of harm, as shown in Figure 24.2.

Figure 24.2 - Elements of Risk (ISO 14121/EN 1050)
Legibility limited due to original

STATUS

ISO 14121/EN 1050 is an active and approved European Standard. Manufacturers of machines to be sold in Europe should comply with the requirements of this standard. The standard can be obtained from several sources.

ISO 14121/EN 1050 has been the subject of both credit and critique. The standard is credited with prompting considerable ground-breaking efforts in risk assessment. It provides the general direction and guidance for conducting a risk assessment. However, a significant criticism of the standard is that it lacks the specific information necessary to conduct a risk assessment. The limitations of the current standard led to the formation of a working group to revise it: ISO Technical Committee 199 (machinery), Working Group 5 (risk assessment) began the revision effort in early 2003. The revision remains a work in progress, with final results not expected until 2005.
UNITED KINGDOM

BACKGROUND

In 1997, the British Health and Safety Executive (HSE) published a document addressing The Application of Risk Assessment to Machinery. The document states that:

The objective of the [subject] project was to develop a practical risk assessment methodology for use by machinery designers in order to fulfill the requirements of the above legislation, since no such methodology existed. Methods of "Risk Assessment" are relatively new within the context of machinery design. Those engaged in chemical/petrochemical/process/nuclear plant design and/or operation will no doubt be much more familiar with risk assessment methods, because in those industries catastrophic failure of plants or systems may lead to possible consequences many orders of magnitude worse than in the case of singular machines, usually operated by a single person.

DESCRIPTION

There are four steps in the HSE risk assessment process:
• Hazard identification
• Risk estimation
• Risk evaluation
• Risk reduction option analysis

The document notes that:

A good hazard identification technique has the following attributes:
• it is systematic
• it employs brainstorming
The main aim of hazard identification is that all possible hazards are found and none are missed.

FLOWCHART

The overall methodology for the machinery risk assessment is shown in Figure 24.3.

Figure 24.3 - Methodology for Machinery Risk Assessment (HSE)
Legibility limited due to original

RISK SCORING SYSTEM

The HSE risk assessment process uses severity and frequency as risk factors. Three severity levels appear in the first column of Table 24.1. The two remaining columns present suggested values for the frequency factor. The document stresses that these frequency values are suggested values only.

Table 24.1 - HSE Suggested Risk Scoring System
Severity Level | Intolerable | Broadly acceptable
Fatality and severe major injury | >10^-? | <10^-6
Other major injury | >10^-? | <10^-3
Greater than 3 day lost-work time | >10^-? | <10^-4
Legibility limited due to original (the exponents in the Intolerable column cannot be read)

This risk assessment process uses the ALARP concept as described in Chapter 4. Rather than working only with the most severe situation, this approach works with all severity levels, as it recognizes that a different level of tolerable risk may exist for each severity level. For example, society may tolerate a higher frequency of lost-work-time injuries than of fatalities.

STATUS

The HSE risk assessment methodology is currently applicable in the United Kingdom. Additional information can be obtained at www.hsl.gov.uk/publications/public.htm.

ISO GUIDE 51

BACKGROUND

ISO Guide 51:1999 Safety aspects - Guidelines for their inclusion in standards was written primarily for standards writing committees. The Guide provides a general framework for how safety should and should not be addressed as writing committees develop standards. Although the Guide does not apply to any specific industry or product, it provides general guidance that can be adapted as needed.

DESCRIPTION

Part of the Scope of Guide 51 reads: "this Guide provides standards writers with guidelines for the inclusion of safety aspects in standards. It is applicable to any safety aspect related to people, property or the environment." The Guide provides definitions for terms pertinent to risk assessment. Selected definitions are included in the analysis in Appendix A. The Guide presents a procedure to achieve tolerable risk. Recall that the primary audience for this Guide is standards writing committees, so the content pertains to how to write a standard rather than specifying risk assessment procedures or tolerable risk levels.

FLOWCHART

ISO Guide 51 presents the risk assessment and risk reduction process shown in Figure 24.4.

Figure 24.4 - Risk Assessment and Risk Reduction per ISO Guide 51

STATUS

ISO Guide 51:1999 is a published guide and can be obtained from a variety of commercial sources such as www.global.ihs.com/.
EUROPE - MACHINE TOOLS

BACKGROUND

In 1999, the EN 1050 protocol was incorporated directly into the European standard ISO 12100-1/EN 292-1, Safety of machinery - Basic concepts, general principles for design - Basic terminology, methodology. Through this incorporation, risk assessment was introduced into the requirements for machinery, which includes a subset called machine tools. ISO 12100-1 was revised in 2003.

DESCRIPTION

According to the ISO 12100-1/EN 292-1 standard, the designer is required to:
• specify the limits and intended uses of the machine;
• identify the hazards and associated hazardous situations;
• estimate the risk for each identified hazard and hazardous situation;
• evaluate the risk and take decisions about the need for risk reduction;
• eliminate the hazard or reduce the risk associated with the hazard by protective measures.

The first four items above relate to risk assessment and are to be implemented in accordance with ISO 14121/EN 1050. There is a complementary Part 2 to Part 1 of the ISO 12100/EN 292 standard: ISO 12100-2/EN 292-2, Safety of machinery - Basic concepts, general principles for design - Technical principles. This part of the standard explicitly requires that "the exact choice of a safeguard for a particular machine shall be made on the basis of the risk assessment for that machine, and the chosen safeguard shall be described in detail in a "C" standard." A "C" level standard identifies specific types or groups of machinery and informs manufacturers and users about the specific safety precautions they should take and the safety devices they should use.

FLOWCHART

The schematic presentation of the risk assessment process in the European machine tool industry is shown in Figure 24.5.

Figure 24.5 - Schematic of ISO 12100-1/EN 292-1 Risk Reduction Process

The schematic presentation of the relationship between the designer and user in the ISO 12100-1/EN 292-1 standard is essentially the same as that shown in the U.S. machine tool risk assessment effort, which is discussed shortly.

RISK SCORING SYSTEM

ISO 12100-1/EN 292-1 does not include a risk scoring system. The standards defer the details of risk assessment to ISO 14121/EN 1050.

STATUS

ISO 12100-1/EN 292-1 is an active and approved European Standard. Manufacturers of machines sold in Europe should comply with the requirements of these standards. The documents can be obtained from a variety of commercial sources such as www.global.ihs.com/.

FRENCH RISK ANALYSIS

BACKGROUND

The French CRAMIF and l'Assurance Maladie securite sociale have issued a guide for the safety of work equipment. The original document is written in French. The Guide for Risk Analysis and Choice of Protective Measures presents an approach to addressing risks based on the requirements of the European machinery directive 98/37 of 22 June 1998 and the related French regulations of Article R.233.84. The document uses a task-based approach by focusing on operators' activities and work situations: "machinery for which a certificate of conformity has been provided and the CE marking affixed often entails risks that could have been detected and remedied by further analysis." The document indicates that in training sessions held at the CRAMIF the approach has been shown to be simple and understandable, without being exhaustive or universal.

DESCRIPTION

The Guide focuses on three steps of risk analysis: determining the limits, identifying hazards and estimating risk. The Guide presents the process shown in Figure 24.6 to assist in identifying hazards. Note that for actual harm to result, all elements in Figure 24.6 must occur.

FLOWCHART

Figure 24.6 presents the process used to identify hazards and conditions where harm could occur.

RISK SCORING SYSTEM

The Guide incorporates the EN 1050 approach to risk estimation, where risk is a function of the probability of occurrence of harm and the severity. Example levels for the risk factors appear in Tables 24.2-24.3.
Table 24.2 - Severity (CRAMIF)
Severity = maximum severity of the harm
1. Negligible
2. Low
3. Serious
4. Fatal

Table 24.3 - Probability of Occurrence of Harm (CRAMIF)
Probability = probability of occurrence of harm
A: Unlikely
B: Seldom
C: Occasional
D: High

No information is provided on how the risk factors map to a risk level. The Guide presents the process of Figure 24.7 as a method to reduce risk.

Figure 24.7 - Eliminating or Reducing Risk (CRAMIF)
Legibility limited due to original

STATUS

The French approach to risk analysis is current. The Guide suggests that the method presented can be applied to many other fields of use. The original document, published in French, can be obtained at http://www.cramif.fr/.

U.S. MACHINE TOOL INDUSTRY

BACKGROUND

The Association for Manufacturing Technology is the ANSI-accredited Standards Developing Organization for the U.S. machine tool industry (ANSI B11 Machine Tool Safety Standards). The B11 community writes the safety standards for power-driven machine tools (not hand-portable tools). The standards apply to the design, construction, installation, maintenance, and use of power-driven machines used to shape or form metal or other materials by cutting, impact, pressure, electrical techniques or a combination of these processes. The purpose of the ANSI B11 series of machine tool safety standards is:

to devise and propose ways to minimize risks associated with existing and potential hazards. This can be accomplished by an appropriate machine design, by restricting personnel access to hazardous areas or by devising work procedures to minimize personnel exposure to hazardous situations.

By 1995, members of the B11 community were discussing the concepts of risk assessment, particularly in light of the then new European standard EN 1050 Safety of machinery - Risk assessment (now ISO 14121).
A subcommittee was formed "to develop a technical report to provide guidance for the application of risk assessment principles to machine tools during the design, installation and use phases." An explicit goal of the subcommittee was to develop a single risk assessment process, appropriate for the U.S. machine tool industry, that could be integrated into all B11 standards. This subcommittee developed ANSI B11 Technical Report #3 (2000) Risk assessment and risk reduction - A guide to estimate, evaluate and reduce risks associated with machine tools. This document is commonly known as 'TR3' because it is the third technical report published by ANSI B11. TR3 was released as an informative resource equivalent to other technical information. There is no industry or government requirement that the content of a technical report be followed.

As with all ANSI standards, the B11 standards face a five-year renewal/approval cycle. Every standard must be renewed, reapproved or revised within ten years or it is automatically withdrawn. Each B11 standard will be revised and updated to include the risk assessment process. The first standards to complete this process were approved in 2001.

DESCRIPTION

The following excerpt comes from the Abstract of TR3:

Abstract
This technical report is part of the ANSI B11 series of reports and standards pertaining to the design, construction, care and use of machine tools. It is a guideline - not a standard. This report defines a method for conducting a risk assessment and risk reduction for machine tools, provides some guidance in the selection of appropriate protective measures to achieve tolerable risk, and describes the risk assessment and risk reduction responsibilities of both the machine tool supplier and user.
This method requires gathering the appropriate information, determining the limits of the machine, identifying tasks and hazards over the life-cycle of the machine using a task-based approach, estimating risk associated with the task-hazard pairs, reducing risk according to a prioritized procedure, and documenting the results. The risk reduction process is not completed until tolerable risk is achieved. Flow charts illustrate the process. Checklists of tasks and hazards are included in the document. This technical report explicitly recognizes that zero risk is not attainable. This guideline is intended for use on all new or modified machines and equipment designs and processes. The user may also utilize it to assist with risk assessment and risk reduction for existing tasks and hazards.

One of the significant advances made in the TR3 effort is the recognition that both the machine supplier and the machine user have risk assessment and risk reduction responsibilities. The European approach in EN 1050 does not make this distinction and therefore places the responsibility for risk assessment strictly with the machine supplier. In the U.S. machine tool industry, cooperative efforts of suppliers and users are necessary to attain the goal of tolerable risk through risk assessment and risk reduction. Figure 24.8 illustrates this process.

Figure 24.8 - Relationship Between Supplier and User (ANSI B11 Technical Report #3)

Suppliers (most often manufacturers) typically reduce risks through design techniques, safeguards and information for use, following the hierarchy presented in Table 3.1 in Chapter 3. Users (most often employers) typically reduce risk further with additional safeguards, organizational measures, training, and personal protective equipment. According to TR3, when the user designs, constructs, modifies or reconstructs the machine, the user is considered to be the supplier and assumes the risk assessment responsibilities of the supplier.
FLOWCHART

The general approach for risk assessment and risk reduction in the U.S. machine tool industry is shown in Figure 24.9. Note that the basic hierarchy concepts of Table 3.1 are also shown in this figure. See TR3 for greater detail.

RISK SCORING SYSTEM

TR3 uses two risk factors, severity and probability, with four levels each, as shown in Tables 24.4-24.5. The two risk factors map to levels of risk as shown in Table 24.6.

Table 24.4 - Severity Levels (ANSI B11 TR3)
Severity Level | Description
Catastrophic | death or permanently disabling injury or illness (unable to return to work)
Serious | severe debilitating injury or illness (able to return to work at some point)
Moderate | significant injury or illness requiring more than first aid (able to return to same job)
Minor | no injury or slight injury requiring no more than first aid (little or no lost work time)

Table 24.5 - Probability Levels (ANSI B11 TR3)
Probability Level | Description
Very likely | near certain to occur
Likely | may occur
Unlikely | not likely to occur
Remote | so unlikely as to be near zero

Table 24.6 - Risk Estimation Matrix (ANSI B11 TR3)
Probability of Occurrence of Harm | Catastrophic | Serious | Moderate | Minor
Very likely | High | High | High | Medium
Likely | High | High | Medium | Low
Unlikely | Medium | Medium | Low | Negligible
Remote | Low | Low | Negligible | Negligible

STATUS

The ANSI B11 Technical Report #3 was completed in 2000 and is available from AMT at www.amtonline.org.

U.S. MACHINERY ELECTRICAL REQUIREMENTS

BACKGROUND

The voluntary industry standard NFPA 79 Electrical Standard for Industrial Machinery is promulgated by the National Fire Protection Association (www.nfpa.org). According to the Scope, the standard applies to "the electrical/electronic equipment, apparatus, or systems of industrial machines operating from a nominal voltage of 600 volts or less, and commencing at the point of connection of the supply to the electrical equipment of the machine."
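As an added example (not code from ANSI B11 TR3 or from this book), the following Python encodes the TR3 risk estimation matrix of Table 24.6 and drives the assess, reduce and re-assess loop that TR3's Figure 24.9 describes: candidate protective measures are applied in hierarchy order, the risk is re-estimated after each one, and the loop stops as soon as the task-hazard pair is at a tolerable level. The task, the protective measures, their tier in the hierarchy, the number of severity or probability levels each measure removes and the choice of "Low" and "Negligible" as tolerable are all constructed assumptions for illustration; TR3 publishes none of these values.

```python
"""Added example (not code from ANSI B11 TR3 or from this book): encode the
TR3 risk estimation matrix of Table 24.6 and run the assess -> reduce ->
re-assess loop of Figure 24.9 until a task-hazard pair reaches tolerable risk.
The task, the protective measures and the number of severity/probability
levels each measure removes are constructed for illustration."""

from dataclasses import dataclass, replace

# Levels ordered from worst to best, as in Tables 24.4 and 24.5.
SEVERITY = ("Catastrophic", "Serious", "Moderate", "Minor")
PROBABILITY = ("Very likely", "Likely", "Unlikely", "Remote")

# Table 24.6: rows are probability of occurrence of harm, columns are severity.
RISK_MATRIX = {
    "Very likely": ("High", "High", "High", "Medium"),
    "Likely":      ("High", "High", "Medium", "Low"),
    "Unlikely":    ("Medium", "Medium", "Low", "Negligible"),
    "Remote":      ("Low", "Low", "Negligible", "Negligible"),
}


def estimate_risk(severity: str, probability: str) -> str:
    """Risk level for one task-hazard pair per Table 24.6."""
    if severity not in SEVERITY or probability not in PROBABILITY:
        raise ValueError(f"unknown level: {severity!r}/{probability!r}")
    return RISK_MATRIX[probability][SEVERITY.index(severity)]


@dataclass(frozen=True)
class TaskHazard:
    task: str
    hazard: str
    severity: str
    probability: str

    def risk(self) -> str:
        return estimate_risk(self.severity, self.probability)


@dataclass(frozen=True)
class Measure:
    """A protective measure. `tier` is its rank in the hierarchy of controls
    (1 = eliminate by design ... 5 = training/PPE); the step counts are the
    constructed assumption of how many levels the measure moves each factor."""
    name: str
    tier: int
    severity_steps: int = 0
    probability_steps: int = 0


def _improve(levels: tuple, current: str, steps: int) -> str:
    """Move `steps` levels toward the least severe/least likely end, clamped."""
    return levels[min(len(levels) - 1, levels.index(current) + steps)]


def apply_measure(pair: TaskHazard, m: Measure) -> TaskHazard:
    return replace(
        pair,
        severity=_improve(SEVERITY, pair.severity, m.severity_steps),
        probability=_improve(PROBABILITY, pair.probability, m.probability_steps),
    )


def reduce_risk(pair: TaskHazard, candidates: list, tolerable=("Low", "Negligible")):
    """Apply candidate measures in hierarchy order, re-estimating after each
    (Figure 24.9), and stop as soon as the risk level is tolerable.
    Returns (final pair, names of measures applied, risk level after each step,
    reached_tolerable). Per TR3 the process is not complete until the last
    element is True; the caller must act on a False result."""
    history = [pair.risk()]
    applied = []
    for m in sorted(candidates, key=lambda m: m.tier):
        if history[-1] in tolerable:
            break
        pair = apply_measure(pair, m)
        applied.append(m.name)
        history.append(pair.risk())
    return pair, applied, history, history[-1] in tolerable


# Constructed example: clearing a jam inside a press while the ram can cycle.
JAM_CLEARING = TaskHazard("clear material jam", "crushing between dies",
                          severity="Catastrophic", probability="Likely")

# Constructed measures; the guard removes exposure, training only lowers probability.
GUARD_AND_INTERLOCK = Measure("interlocked guard on die area", tier=2, probability_steps=2)
TRAINING_ONLY = Measure("written procedure and training", tier=4, probability_steps=1)

if __name__ == "__main__":
    for name, measures in (("supplier design", [GUARD_AND_INTERLOCK, TRAINING_ONLY]),
                           ("user procedure only", [TRAINING_ONLY])):
        final, applied, history, ok = reduce_risk(JAM_CLEARING, measures)
        print(name, applied, history, "tolerable" if ok else "NOT tolerable")
```

Running it shows the two halves of the supplier/user split in Figure 24.8: with the engineering measure available, the pair goes from High to Low after one iteration and the lower-tier measure is never needed; with only a procedure and training, the loop exhausts its candidates at Medium and reports that tolerable risk was not reached, which is the case where TR3 says the process is not finished.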
DESCRIPTION

The purpose of the standard is "[to] provide detailed information for the application of electrical/electronic equipment, apparatus, or systems supplied as part of industrial machines that will promote safety to life and property." This standard includes mention of risk assessment. Concerning the general operating conditions of industrial machinery, NFPA 79 indicates that "the risks associated with the hazards relevant to the electrical equipment shall be assessed as part of the overall requirements for risk assessment of the machine." The standard does not provide details on how risk assessment should be conducted, but it does reference the ANSI B11 TR3 document.

STATUS

NFPA 79 is approved and released as an NFPA standard. Additional information can be obtained at www.nfpa.org.

CANADIAN RISK GRAPH FOR MACHINERY

BACKGROUND

Paques, Bourbonnière, and Gauthier (2002) discuss the risk graph approach to assessing risks for machinery. Paques et al. trace the origin of the risk graph to research and experimentation conducted in developing the German standard DIN VDE 19250. The authors suggest that a quantified risk scoring system is not a practical option for machine safety risk assessment, due to the lack of probabilistic data. They present the risk graph approach as an alternative.

DESCRIPTION

A risk graph can be thought of as beginning with a risk matrix that has more than two risk factors. A risk graph typically uses three or four risk factors. If each risk factor in the matrix has three or four levels, the resulting combinations can become very cumbersome to manage and understand, particularly for persons new to risk assessment. A semi-quantitative approach represents one solution to this difficulty. In the semi-quantitative approach, numerical values are assigned to each risk factor level. The values are then combined in a risk equation, most frequently by multiplying or adding them.
The resulting risk score can then be categorized into risk levels. The risk graph is an alternative approach to the complexity problem noted above. The risk graph approach becomes quite attractive when three or more risk factors are used to rate risk and simplifying assumptions can be made that limit the possible combinations. The attractiveness of the method comes from the ability to present the approach visually.

FLOWCHART

Several risk graphs exist. Paques, Bourbonnière, and Gauthier (2002) present the sample risk graph in Figure 24.10.

Figure 24.10 - Sample Risk Graph (Paques, Bourbonnière and Gauthier (2002))
Legibility limited due to original

RISK SCORING SYSTEM

The sample risk graph in Figure 24.10 uses four risk factors. The example severity levels are Slight (G1) and Serious (G2). Example frequency or duration of exposure levels are Seldom (F1) and Frequent (F2). Example levels for the possibility of avoiding the hazard are Likely (P1) and Not likely (P2). The example levels for the probability of occurrence of a hazardous event are Very Low (O1), Low (O2), and High (O3). These risk factors combine to form a level of risk as shown in Figure 24.10. No information is provided in the example regarding the differences between the risk levels. Different variations on risk graph scoring systems exist. Paques, Bourbonnière, and Gauthier (2002) suggest that the robotics industry ANSI/RIA R15.06-1999 approach can also be viewed as a risk graph. To be most effective, risk graph systems tend to limit the levels for most risk factors to two.

STATUS

Variations of risk graphs are used in several industries, including process controls, machine tools and robotics.

MACHINERY RISK ASSESSMENT

BACKGROUND

A paper by Etherton, Taubitz, Raafat, Russell, and Roudebush (2001) discusses risk assessments in Europe and the U.S., and presents a methodology titled Machinery Safety Risk Assessment (MSRA).
DESCRIPTION
Etherton, Taubitz, Raafat, Russell, and Roudebush (2001) describe MSRA as follows:

The purpose of MSRA is to rationalistically guide machinery risk reduction choices across a wide array of protective measures options. Risk is reduced when a protective measure (change of design, use of safeguard, and/or implementation of safe procedure) is implemented that meaningfully reduces severity of injury or probability of occurrence of harm. The focus on discrete protective measures selection means that iterative assessments are the norm in MSRA.

FLOWCHART
The MSRA is shown in Figure 24.11.

STATUS
Additional information can be found in Etherton, Taubitz, Raafat, Russell, and Roudebush (2001).

NOTE
The General Motors Corporation is a significant user of machinery and machine tools. Information on the risk assessment methods used by General Motors Corporation can be found in Chapter 13, Company Specific Approaches.

REFERENCES
ANSI B11 Technical Report #3 (2000). Risk Assessment - A guideline to estimate, evaluate and reduce risks associated with machine tools. The Association for Manufacturing Technology, www.amtonline.org.
ANSI/RIA R15.06-1999. Safety requirements for industrial robots and robot systems. Robotic Industries Association, www.robotics.org.
CRAMIF. (2002). Guide for risk analysis and choice of protective measures, Safety of work equipment. L'Assurance Maladie sécurité sociale, www.cramif.fr.
Etherton, J., Taubitz, M., Raafat, H., Russell, J., & Roudebush, C. (2001). Machinery risk assessment for risk reduction. Human and Ecological Risk Assessment: Vol. 7, No. 7, pp. 1787-1799.
HSE. (1997). The application of risk assessment to machinery. Health and Safety Laboratory division of UK Health and Safety Executive, www.hse.gov.uk/publications/public.htm.
ISO 12100-1 (2003). Safety of machinery - Basic concepts and general principles for design - Part 1: Basic terminology and methodology. International Organization for Standardization, www.iso.ch.
ISO 12100-2 (2003). Safety of machinery - Basic concepts and general principles for design - Part 2: Technical principles. International Organization for Standardization, www.iso.ch.
ISO 14121/EN 1050-1999. Safety of machinery; risk assessment. International Organization for Standardization, www.iso.ch.
ISO/IEC Guide 51: 1999 (E). Safety aspects - Guideline for their inclusion in standards. Second Edition. International Organization for Standardization, www.iso.ch.
NFPA 79. (2003). Electrical standard for industrial machinery. National Fire Protection Association, www.nfpa.org.
Paques, J.-J., Borbonniere, R., & Gauthier, F. (2002). The risk graph: a simple tool for estimating the risks associated with hazardous machines. Institut de recherche en santé et en sécurité du travail du Québec (IRSST) and Université du Québec à Trois-Rivières (Québec), www.irsst.qc.ca.

MAINTENANCE APPLICATIONS

RISK ASSESSMENT FOR MAINTENANCE WORK

BACKGROUND
Maintenance is common to all industries yet unique unto itself. Maintenance activities involve very special sets of circumstances. Unlike operator tasks, maintenance tasks are rarely repetitive. Frequently, maintenance involves a great deal of trouble-shooting and problem-solving, and these tasks often require observation and testing of equipment in order to diagnose problems effectively. Frequently the skill set needed and the hazards potentially encountered cannot be fully appreciated until the tasks are underway, which makes risk assessment an ongoing process while working the maintenance problem. Although most existing hazard analysis and risk assessment methods theoretically apply to maintenance work, maintenance activities have not been the primary focus of these methods. Even though there are many safety tools available, very few are well suited to maintenance activities.
For example, some of the existing risk assessment methods focus on overall system risk (equipment and operations) and the resulting economic resource allocation, rather than the specific risks to maintenance personnel (see Latcovich, Michalopoulos, and Selig, 1998).

Main, Cloutier, Manuele, and Bloswick (2003) present results from a study examining the constraints and applications of risk assessment to maintenance work. As part of the study, the authors conducted a survey to: obtain ideas, thoughts and comments on how to improve maintenance risk assessment and maintenance safety; obtain data on the practical constraints and specific needs affecting hazard analysis and risk assessment for maintenance activities; and solicit feedback on risk assessment methods with potential application to maintenance work. The survey sought to identify shortcomings in current hazard analysis and risk assessment methods as applied to maintenance activities, and sought comment on proposed methods. Pertinent study results are summarized as follows:

1. The survey identified shortcomings in current hazard analysis and risk assessment methods as applied to maintenance activities, and in the knowledge maintenance personnel have of these methods.
2. The results indicate that maintenance personnel widely recognize the need for better equipment and facility designs to accommodate maintenance work.
3. Maintenance workers need, and are asking for, more and better training, including training on risk assessment.
4. A key challenge in risk assessment for maintenance applications involves helping engineers and manufacturers to create new designs that better accommodate maintenance work. Manufacturers and engineers play a very important role in risk assessment, particularly for new equipment designs, yet engineers often have little knowledge of maintenance tasks or conditions.
5. A second challenge involves assessing maintenance risks on existing equipment.
Maintenance workers need to be involved in this activity because they face the legacy of past design hazards and risks on a daily basis.
6. Maintenance personnel need a straightforward and quick method to identify hazards and assess risks on existing equipment.

A practical maintenance risk assessment method must focus on the unique aspects of maintenance activities and the difficulties of assessing the risks of these tasks. Main, Cloutier, Manuele, and Bloswick (2003) suggest that a practical risk assessment for maintenance applications should be:
• simple
• easy to use
• quick
• able to allow a quick 'out' for low-risk tasks/hazards
• a visual system flexible enough to accommodate various risk situations
• pocket size
• usable without requiring extensive training
• able to point users to advanced risk assessments where warranted

The study resulted in a risk assessment method tailored specifically to maintenance applications that meets these criteria.

DESCRIPTION
Maintenance personnel make subjective risk assessments every day. When a maintenance worker identifies a hazard and its potential for harm, and estimates the likelihood that he will be injured by the hazard, he has made a risk assessment. For the simpler hazards, that assessment may be informal and based entirely on prior knowledge and experience, without any documentation. Performing informal risk assessments has always been an integral part of maintenance work. Maintenance work includes a wide variety of tasks ranging from high to low risk. Completing the assessment and completing the maintenance work both vie for the worker's time. Since resources and time are limited, not all tasks can be immediately assessed via a formal risk assessment. Yet maintenance work can be hazardous and provides a great opportunity for risk reduction. Main, Cloutier, Manuele, and Bloswick (2003) present a risk assessment method for maintenance work as shown in Figure 25.1.
The flow chart uses three filtering questions pertaining to training, hazard identification and risk level. Failure on any one of the questions results in work stopping. These filters are subjective and rely on the experience and good judgment of maintenance personnel. Tasks for which the risks are considered low or acceptable can be executed immediately.

The first filter applied in the flow chart is whether the maintenance individual has been trained for the task. Training could include specific instruction on the particular task, or qualification by experience or familiarity with the task. The second filter is whether the hazards have been identified: whether the hazards are well known and familiar, or unknown or uncertain. The third filter is whether the work is high-risk.

The primary purpose of the flow chart is to give maintenance workers a simple method to separate tasks that require more extensive risk assessment from those that do not, and it promotes a way of thinking about risk. The flow chart is also a quick process intended for maintenance personnel to use in assessing their own tasks; it is primarily intended for maintenance individuals who have little knowledge of or specialized training in risk assessment. If the risks resulting from the flow chart are low or acceptable, then work proceeds. If not, the work is stopped and a more detailed risk assessment should be conducted. The flow chart thus permits timely execution of those tasks that pass the filters and represent lower risk. Little practical benefit, and certain detrimental consequences to the general risk assessment effort, can result from requiring personnel to conduct extensive analyses on low-risk tasks.
Specifically, requiring extensive analysis of low-risk tasks will only serve to increase time pressures and may increase overall risk. Successful implementation of maintenance risk assessment requires that when high-risk tasks are identified, management respond with resources to further assess the risks. A "Stop Work" message will not likely be permanent; the work must be completed one way or another. If management does not respond to the high-risk task in some proactive way, then this system will most likely fail. The authors state that "the flow chart can and should be adapted to company needs. If additional or alternative questions are preferred, then the flow chart should be modified to include the changes." The maintenance risk assessment flow chart received strong support from the survey respondents and appears to provide maintenance personnel with an effective tool.

FLOWCHART
The risk assessment method for maintenance work presented by Main, Cloutier, Manuele, and Bloswick (2003) is shown in Figure 25.1.

Figure 25.1 - Risk Assessment for Maintenance Work

Main, Cloutier, Manuele, and Bloswick (2003) report that the survey results strongly suggest that there is value in the flow chart of Figure 25.1.

STATUS
Risk assessment in maintenance activities remains an ongoing task and an area that would benefit from continued research. The complexity of maintenance tasks and the hazards associated with the work make risk reduction challenging. Additional information can be obtained at www.designsafe.com. Readers should also consult the industry- or application-specific chapters in this book for additional information, because most benchmark methods consider maintenance tasks to be part of the risk assessment process.

REFERENCES
Latcovich, J., Michalopoulos, E., & Selig, B. (1998). Risk-based analysis tools. Mechanical Engineering, November, 72-75.
Main, B.W., Cloutier, D.R., Manuele, F.A., & Bloswick, D.S. (2003).
Risk assessment for maintenance work. design safety engineering, inc., www.designsafe.com.

MEDICAL DEVICES
Medical Device Standard
Australian Medical Devices
Food and Drug Administration
Veterans' Administration Approach
Health FMEA

MEDICAL DEVICE STANDARD

BACKGROUND
In Europe, Article 2 of the Medical Devices Directive (MDD 93/42/EEC) states:

Member States shall take all necessary steps to ensure that devices may be placed on the market and put into service only if they do not compromise the safety and health of patients, users and, where applicable, other persons when properly installed, maintained and used in accordance with their intended purpose.

According to Freeman (2000), the manufacturer of a medical device must document the process by which he has established his judgment of compliance with this requirement. Risk assessment in the medical device industry appears in ANSI/AAMI/ISO 14971-2000 Medical devices - Risk management - Part 1: Application of risk analysis. The Association for the Advancement of Medical Instrumentation (AAMI) is the secretariat for the ANSI/AAMI/ISO 14971 standard.

DESCRIPTION
ANSI/AAMI/ISO 14971 specifies a procedure for investigating the safety of a medical device. It provides a general procedure to identify hazards and estimate the risks associated with the device. The document "describes techniques for risk analysis based on quantitative or qualitative estimation of the probability of possible consequences of a postulated event relating to the application of a medical device." ANSI/AAMI/ISO 14971 draws a distinction between risk assessment and risk management, the former being a subset of the latter. The overall process for the control of risks is referred to as risk management. Risk management includes risk analysis, risk evaluation and risk reduction/control (refer to Chapter 38 and Appendix A for further discussion of these and other terms).
The risk assessment process refers only to the risk analysis and risk evaluation sub-processes. ANSI/AAMI/ISO 14971 presents a detailed thirteen-step approach to the risk management activities applied to medical devices. The steps are:
1. Identify characteristics, intended use/purpose
2. Identify known or foreseeable hazards
3. Estimate risk(s) for each hazard
4. Is risk reduction necessary?
5. Identify appropriate risk control measure(s); is risk reducible?
6. Implement, record and verify appropriate measures
7. Is the residual risk acceptable?
8. Do medical benefits outweigh the residual risks?
9. Are other hazards generated?
10. Are all identified hazards considered?
11. Is overall residual risk acceptable?
12. Complete risk management report
13. Review post-production information; is reassessment necessary?

FLOWCHART
Figure 26.1 illustrates a generalization of the risk assessment process for this industry. A detailed flow chart of the thirteen steps can be found in ANSI/AAMI/ISO 14971:2000.

Figure 26.1 - Flow Diagram of Risk Analysis Procedure. Legibility limited due to original.

RISK SCORING SYSTEM
ANSI/AAMI/ISO 14971-2000 does not include a risk scoring system. An informative annex to the standard discusses the risk factors probability of occurrence of harm and consequences of harm, and describes methods that can be used to rate these risk factors. The annex also discusses risk acceptability, including the ALARP concept.

STATUS
ANSI/AAMI/ISO 14971-2000 is an approved and active standard. Copies of the standard and additional information and resources on medical device safety can be obtained at www.aami.org.

AUSTRALIAN MEDICAL DEVICES
AS/NZS 4810.1:2000 Medical devices - Risk management - Application of risk analysis specifies a procedure for investigating the safety of a medical device using available information. The standard is identical to ISO 14971-1:1998.
Copies of the standard are available from Standards Australia at www.standards.com.au.

FOOD & DRUG ADMINISTRATION

BACKGROUND
In the U.S., the Food and Drug Administration (FDA) regulates all medical devices, from very simple items like tongue depressors or thermometers to very complex technologies such as orthopedic implants and the technology used to manufacture them. However, only the most complex medical devices are reviewed by the agency before marketing. The FDA uses risk assessment in evaluating medical devices. A Proposal for Establishing Mechanisms for Setting Review Priorities Using Risk Assessment and Allocating Review Resources was published in 1993. The document was issued in recognition of the fact that:

It is important to ensure that proper time, attention, and scientific expertise is given to all premarket approval applications, 510(k) and investigational device exemptions (IDE) applications. Because devices vary in their complexity and risk, the level of effort in evaluation should be appropriate for each type of device.

The FDA states, "the basic criteria for approval of an IDE are that the risk to human subjects who participate in the research study is reasonable and that the experimental design will give useful data." Risk plays a very prominent role in FDA evaluations of medical devices. Within the FDA, the Center for Devices and Radiological Health oversees approval of medical devices and studies to evaluate the performance and risks of medical devices. The FDA IDE regulations (21 CFR Part 812) describe two types of device studies, significant risk (SR) and nonsignificant risk (NSR). NSR device studies have fewer regulatory controls. The major differences between SR and NSR device studies are in the approval process and in the record keeping and reporting requirements.
Prior to conducting a device study, the sponsor of a device provides an Institutional Review Board (IRB) with a risk assessment and the rationale used in making its risk determination. The assessment of whether a device study presents an NSR is initially made by the sponsor: "the risk determination should be based on the proposed use of a device in an investigation, and not on the device alone [...] IRB must consider the nature of the harm that may result from use of the device." The FDA makes it very clear that it has the ultimate decision in determining whether a device study is SR or NSR (FDA, 1995).

Kaye and Crowley (2000) provide guidance for industry and FDA premarket and design control reviewers:

This guidance describes how hazards related to medical device use should be addressed during device development as part of the risk management process. Following a thorough understanding of device use, specific ways that devices could be used that are likely to result in hazards should be identified and investigated through analysis and testing.

Kaye and Crowley (2000) address hazards resulting from interactions between users (the health practitioners) and devices. They do not focus on hazards inherent to medical treatment or caused by device failure. The authors indicate that the hazards associated with device use comprise a serious problem because the frequency and consequence of hazards resulting from medical device use may greatly exceed those arising from device failures. Use-related hazards include misdiagnoses, failure to recognize and act on information from monitoring devices, and improper treatment.
The authors indicate that use-related hazards occur for one or more of the following reasons:
• Devices are used in ways that were not anticipated
• Devices are used in ways that were anticipated, but inadequately controlled for
• Device use requires physical, perceptual, or cognitive abilities that exceed those of the user
• Device use is inconsistent with the user's expectations or intuition about device operation
• The use environment affects device operation and this effect is not understood by the user
• The user's physical, perceptual, or cognitive capacities are exceeded when using the device in a particular environment

Problems with device use that could result in hazards are often difficult to anticipate due to the many ways and conditions under which users interact with devices.

DESCRIPTION
Kaye and Crowley (2000) describe how human factors engineering:

can be integrated into Risk Management to help identify, understand, control, and prevent failures that can result in hazards when people use medical devices. Risk management is a systematic application of policies, procedures, and practices to the analysis, evaluation, and control of risks. It is a key component of quality management systems. Risk management involves the identification and description of hazards and how they could occur, their expected consequences, and estimations or assessments of their relative likelihood. Thorough consideration of use-related hazards in risk management processes should include the following tasks:
1. Identify and describe use-related hazards through analysis of existing information.
2. Apply empirical approaches, using representative device users, to identify and describe hazards that do not lend themselves to identification or understanding through analytic approaches.
3. Estimate the risk of each use-related hazard scenario.
4. Develop strategies and controls to reduce the likelihood or mitigate the consequences of use-related hazard scenarios.
5. Select and implement control strategies.
6. Ensure controls are appropriate and effective in reducing risk.
7. Determine if new hazards have been introduced as a result of implementing control strategies.
8. Verify that functional and operational requirements are met.
9. Validate safe and effective device use.

The type and extent of [human factors engineering] in design and risk management efforts necessary to control risk associated with device use will vary. Effort applied to identification, description, and mitigation of use-related hazard scenarios should be determined by reasonable assessment of the potential harm of each scenario. In general, the set of scenarios to be considered should be kept manageable, although care should be taken not to dismiss scenarios involving atypical, unexpected, or unusual device use that could result in serious consequences. The central question to be answered in use-related hazard identification and control efforts is: Can the intended users use the device safely and effectively?

Kaye and Crowley (2000) provide an overview of how human factors engineering approaches can be included in the design and risk management processes. The authors identify four steps as being essential:
• Identify anticipated (derived analytically) and unanticipated (derived empirically) use-related hazards,
• Describe how hazardous use scenarios occur,
• Develop and apply strategies to control use-related hazards, and
• Demonstrate safe and effective device use (validation).

FLOWCHART
A flow chart for medical device risk management concerning use-related hazards appears in Figure 26.2.

RISK SCORING SYSTEM
Kaye and Crowley (2000) describe a risk scoring system that includes two risk factors: the likelihood of a hazard's occurrence and the severity of harm resulting from its consequences. They do not provide details on how these factors combine to yield risk.

STATUS
Medical devices remain under FDA jurisdiction.
Additional information can be obtained at www.fda.gov.

VETERANS' ADMINISTRATION APPROACH

BACKGROUND
The U.S. Department of Veterans' Affairs (VA) has developed a patient safety program and associated web site. The purpose is as follows:

The National Center for Patient Safety (NCPS) embodies the VA's uncompromising commitment to reducing and preventing adverse medical events while enhancing the care given our patients. The NCPS represents a unified and cohesive patient safety program, with active participation by all of the VA hospitals supported by dedicated patient safety managers. Our program is unique in healthcare; we focus on prevention not punishment, applying human factor analysis and the safety research of high reliability organizations (aviation and nuclear power) targeted at identifying and eliminating system vulnerabilities.

The VA states that from a historical perspective "accident prevention has not been a primary focus of hospital medicine [...] hospital systems were not designed to prevent or absorb errors; they just reactively changed and were not typically proactive."

DESCRIPTION
The VA indicates that, effective July 2001, the Joint Commission on the Accreditation of Healthcare Organizations (JCAHO) Standard LD.5.2 for selecting high-risk processes for proactive risk assessment requires that "leaders ensure that an ongoing, proactive program for identifying risks to patient safety and reducing medical/health care errors is defined and implemented." The reported intent of LD.5.2 is:

to reduce the risk of sentinel events and medical/health care system error-related occurrences by conducting its own proactive risk assessment activities and by using available information about sentinel events known to occur in health care organizations that provide similar care and services.

The program starts with high-risk processes and works through at least one of them each year. The hazard analysis in this system includes rating severity and probability.
The VA defines the following terms as part of its process:

Effective Control Measure - A barrier that eliminates or substantially reduces the likelihood of a hazardous event occurring.

Healthcare Failure Mode & Effect Analysis (HFMEA) - (1) A prospective assessment that identifies and improves steps in a process, thereby reasonably ensuring a safe and clinically desirable outcome. (2) A systematic approach to identify and prevent product and process problems before they occur.

Hazard Analysis - The process of collecting and evaluating information on hazards associated with the selected process. The purpose of the hazard analysis is to develop a list of hazards that are of such significance that they are reasonably likely to cause injury or illness if not effectively controlled.

The VA indicates that:

The Safety Assessment Code (SAC) is a method for determining whether any further definitive action is required concerning a particular incident based on the severity of the incident and its probability of occurrence. While there is undoubtedly and necessarily a level of subjectivity/judgment involved in this classification, it provides a yardstick, from a systems perspective, by which to prioritize actions. It is certainly possible that the level of severity and the probability that is assessed at the outset of this process may be found to be in need of revision in cases where a root cause analysis (RCA) is subsequently performed. The utility of the SAC is at the start of the process, so that resources are applied where they have the greatest opportunity to improve the level of safety from a systems perspective. It should be noted that the SAC score is also of value for incidents that did not actually result in an actual adverse event, such as close calls. This is a valuable feature since close calls generally occur far more frequently than actual adverse events and provide an opportunity to improve the system without having had to experience an actual untoward event.
While either the severity or probability of occurrence could be determined first, it is usually more productive to assess the severity first. This is true since until one has determined the severity of an incident it would be difficult if not impossible to assess an appropriate probability level.

The VA promotes the use of HFMEA. According to the VA:

The JCAHO Standard LD.5.2 requires facilities to select at least one high-risk process for proactive risk assessment each year. This selection is to be based, in part, on information published periodically by the JCAHO that identifies the most frequently occurring types of sentinel events. The NCPS will also identify patient safety events and high risk processes that may be selected for this annual risk assessment.

HFMEA has been designed by the VA NCPS specifically for healthcare. HFMEA streamlines the hazard analysis steps found in the traditional Failure Modes and Effects Analysis (FMEA) process by combining the detectability and criticality steps of the traditional FMEA into an algorithm presented as a Decision Tree. It also replaces calculation of the risk priority number with a hazard score that is read directly from the Hazard Matrix Table. This table was developed by NCPS specifically for this purpose.

FLOWCHART
There are five steps involved in the HFMEA approach:
STEP 1 Define the HFMEA Topic
STEP 2 Assemble the Team
STEP 3 Graphically Describe the Process
STEP 4 Conduct a Hazard Analysis
STEP 5 Actions and Outcome Measures

The HFMEA approach is shown in Figure 26.3.

Figure 26.3 - Healthcare Failure Mode and Effects Analysis (HFMEA). Legibility limited due to original.

RISK SCORING SYSTEM
The VA presents a risk scoring system that uses the two risk factors of severity and probability of occurrence. The severity factor is rated as shown in Table 26.1. The probability risk factor includes the levels shown in Table 26.2.
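The HFMEA hazard score and the SAC code are tabulated in Tables 26.3 and 26.4 that follow, and the risk graph section earlier described the general semi-quantitative approach (assign a number to each factor level, multiply or add, then categorize) of which the HFMEA hazard score is one instance. The Python script below is an added example, not code from this book, from the VA NCPS or from Paques et al.: it encodes severity and probability weights of 4 down to 1 (which reproduce the legible cells of Table 26.3), the action threshold of 8 stated in the text, and the SAC matrix of Table 26.4; it then scores a constructed register of failure modes and lists the matrix cells where the two VA rules disagree. The failure modes in the register and the generic semi_quantitative_score helper are assumptions for illustration only.

```python
"""Semi-quantitative risk scoring: VA HFMEA hazard score and SAC code.

Added example, not the book's or the VA's code. Severity/probability
weights of 4..1 reproduce the legible cells of Table 26.3; the threshold
of 8 and the SAC matrix are taken from the text and Table 26.4. The
failure-mode register at the bottom is constructed for illustration.
"""
from math import prod
from typing import Dict, Iterable, List, Tuple

SEVERITY = {"catastrophic": 4, "major": 3, "moderate": 2, "minor": 1}
PROBABILITY = {"frequent": 4, "occasional": 3, "uncommon": 2, "remote": 1}
HFMEA_ACTION_THRESHOLD = 8  # "a score of 8 or higher warrants control"

# Table 26.4, indexed [probability][severity]; 3 = highest, 1 = lowest.
SAC = {
    "frequent":   {"catastrophic": 3, "major": 3, "moderate": 2, "minor": 1},
    "occasional": {"catastrophic": 3, "major": 2, "moderate": 1, "minor": 1},
    "uncommon":   {"catastrophic": 3, "major": 2, "moderate": 1, "minor": 1},
    "remote":     {"catastrophic": 3, "major": 2, "moderate": 1, "minor": 1},
}


def semi_quantitative_score(values: Iterable[int], mode: str = "multiply") -> int:
    """Generic combination of any number of factor levels, as the risk graph
    section describes: each level gets a number, then multiply (or add).
    (Assumed helper; the book shows the idea, not this function.)"""
    vals = list(values)
    if mode == "multiply":
        return prod(vals)
    if mode == "add":
        return sum(vals)
    raise ValueError(f"unknown mode {mode!r}")


def hazard_score(severity: str, probability: str) -> int:
    """HFMEA hazard score = severity weight x probability weight (Table 26.3)."""
    return semi_quantitative_score([SEVERITY[severity], PROBABILITY[probability]])


def hfmea_needs_control(severity: str, probability: str) -> bool:
    """True when the HFMEA score reaches the action line of 8."""
    return hazard_score(severity, probability) >= HFMEA_ACTION_THRESHOLD


def sac_code(severity: str, probability: str) -> int:
    """Safety Assessment Code looked up from Table 26.4."""
    return SAC[probability][severity]


def hfmea_matrix() -> Dict[str, Dict[str, int]]:
    """Rebuild the full 4x4 hazard matrix (Table 26.3) from the weights."""
    return {p: {s: hazard_score(s, p) for s in SEVERITY} for p in PROBABILITY}


def disagreements() -> List[Tuple[str, str, int, int]]:
    """Cells where the two VA rules point different ways: HFMEA below the
    action line while SAC is at its top code, or the reverse."""
    out = []
    for p in PROBABILITY:
        for s in SEVERITY:
            score, code = hazard_score(s, p), sac_code(s, p)
            if (score >= HFMEA_ACTION_THRESHOLD) != (code == 3):
                out.append((s, p, score, code))
    return out


def rank_register(register):
    """Score (failure_mode, severity, probability) rows and return them
    highest score first with the HFMEA decision and SAC code attached."""
    scored = [(fm, hazard_score(s, p), hfmea_needs_control(s, p), sac_code(s, p))
              for fm, s, p in register]
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed register for the demonstration; not from the book or the VA.
REGISTER = [
    ("wrong-patient wristband scanned", "catastrophic", "remote"),
    ("infusion pump rate keyed incorrectly", "major", "occasional"),
    ("label printer out of stock", "minor", "frequent"),
    ("lab result delayed past shift change", "moderate", "frequent"),
]

if __name__ == "__main__":
    for row in rank_register(REGISTER):
        print(row)
    print("cells where HFMEA and SAC disagree:", disagreements())
```

Run as a script, it prints the register ranked by hazard score and the three cells on which the two matrices disagree. The caveat that comparison surfaces is the one a practitioner should settle before the hazard analysis starts: the multiplicative HFMEA score lets a remote catastrophic failure mode (score 4) fall below the action line, while the SAC places every catastrophic cell at its highest code, and conversely a frequent moderate or occasional major event reaches 8 or 9 on HFMEA but only code 2 on the SAC. The HFMEA Decision Tree mentioned above applies further criteria (criticality and detectability) that this script does not model.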
Table 26.1 - Severity Rating per HFMEA

Catastrophic Event (traditional FMEA rating of 10: failure could cause death or injury)
  Patient outcome: Death or major permanent loss of function (sensory, motor, physiologic, or intellectual), suicide, rape, hemolytic transfusion reaction, surgery/procedure on the wrong patient or wrong body part, infant abduction or infant discharge to the wrong family
  Visitor outcome: Death; or hospitalization of 3 or more visitors
  Staff outcome: A death or hospitalization of 3 or more staff
  Equipment or facility: Damage equal to or more than $250,000
  Fire: Any fire that grows larger than an incipient fire

Major Event (traditional FMEA rating of 7: failure causes a high degree of customer dissatisfaction)
  Patient outcome: Permanent lessening of bodily functioning (sensory, motor, physiological, or intellectual), disfigurement, surgical intervention required, increased length of stay for 3 or more patients, increased level of care for 3 or more patients
  Visitor outcome: Hospitalization of 1 or 2 visitors
  Staff outcome: Hospitalization of 1 or 2 staff, OR 3 or more staff experiencing lost time or restricted duty injuries or illnesses
  Equipment or facility: Damage equal to or more than $100,000
  Fire: Not applicable (see Moderate and Catastrophic)

Moderate Event (traditional FMEA rating of 4: failure can be overcome with modifications to the process or product, but there is minor performance loss)
  Patient outcome: Increased length of stay OR increased level of care for 1 or 2 patients
  Visitor outcome: Evaluation AND treatment for 1 or 2 visitors (less than hospitalization)
  Staff outcome: Medical expenses, lost time or restricted duty injuries or illness for 1 or 2 staff
  Equipment or facility: Damage more than $10,000 but less than $100,000
  Fire: Incipient stage or small

Minor Event (traditional FMEA rating of 1: failure would not be noticeable to the customer and would not affect delivery of the service or product)
  Patient outcome: No injury, nor increased length of stay nor increased level of care
  Visitor outcome: Evaluated and no treatment required OR refused treatment
  Staff outcome: First aid treatment only with no lost time, nor restricted duty injuries nor illnesses
  Equipment or facility: Damage less than $10,000 or loss of any utility
  Fire: N/A

Table 26.2 - Probability Rating per HFMEA
  Frequent - Likely to occur immediately or within a short period (may happen several times in one year)
  Occasional - Probably will occur (may happen several times in 1 to 2 years)
  Uncommon - Possible to occur (may happen sometime in 2 to 5 years)
  Remote - Unlikely to occur (may happen sometime in 5 to 30 years)

The VA combines the two risk factors in a Hazard Scoring Matrix as shown in Table 26.3.

Table 26.3 - Hazard Scoring Matrix per HFMEA (rows: probability of occurrence; columns: severity of effect)

                Catastrophic   Major   Moderate   Minor
  Frequent            16         12        8        4
  Occasional          12          9        6        3
  Uncommon             8          6        4        2
  Remote               4          3        2        1

Only the cells 16, 12, 8, 12, 9, 8 and 6 are legible in the original; the remaining cells are filled in from the product rule those cells follow (severity weighted 4 to 1 from Catastrophic to Minor, probability weighted 4 to 1 from Frequent to Remote). A score of 8 or higher indicates that the risk warrants control by appropriate means.

The VA has also produced a second matrix using the same two risk factors with a somewhat simpler presentation. The Safety Assessment Code (SAC) Matrix appears in Table 26.4.

Table 26.4 - Safety Assessment Code Matrix (rows: probability; columns: severity)

                Catastrophic   Major   Moderate   Minor
  Frequent             3          3        2        1
  Occasional           3          2        1        1
  Uncommon             3          2        1        1
  Remote               3          2        1        1

The SAC matrix risk levels correspond to 3 being the highest risk, 2 an intermediate risk, and 1 the lowest risk.

STATUS
The VA systems are current as of 12 June 2002. Additional information can be found at http://www.patientsafety.gov. Additionally, an excellent PowerPoint slide show on HFMEA appears at http://www.patientsafety.gov/FMEA2_files/frame.htm.

REFERENCES
ANSI/AAMI/ISO 14971-2000. Medical devices - Risk management - Part 1: Application of risk analysis. Association for the Advancement of Medical Instrumentation, www.aami.org.
AS/NZS 4810.1:2000. Medical devices - Risk management - Application of risk analysis. Standards Australia, www.standards.com.au.
FDA IDE regulations 21 CFR Part 812. U.S. Food and Drug Administration. www.fda.gov.
FDA. (1993). Proposal for establishing mechanisms for setting review priorities using risk assessment and allocating review resources. www.fda.gov/cdrh/ode/931.pdf.
FDA. (1995). Information sheet, 1 October 1995. Significant risk and nonsignificant risk medical device studies. www.fda.gov/cdrh/d861.html.
Freeman, M.F. (2000). The assessment of risk and its place in the field of medical devices. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.
Kaye, R. & Crowley, J. (2000). Medical device use-safety: Incorporating human factors engineering into risk management. U.S. Department of Health and Human Services, Food and Drug Administration. www.fda.gov/cdrh/humfac/1497.pdf.
VA National Center for Patient Safety (NCPS). Healthcare failure mode and effect analysis (HFMEA™). www.patientsafety.gov.

MILITARY

U.S. Military Standard 882
U.S. Army
U.S. Navy and Marines
U.S. Coast Guard
Australian Military

The military faces considerable challenges in completing its mission. Unlike other industries described in this book, the military environment includes direct threats to personnel, equipment and facilities during war or war-like conditions. Mishaps that injure personnel or damage equipment seriously degrade the military's ability to complete its mission. As a result, considerable effort has gone into developing and deploying methods to assess and minimize risks. Much of the risk assessment process used in the military remains restricted information. The materials below are taken from public sources.

U.S. MILITARY STANDARD 882

BACKGROUND

The U.S. military developed one of the earliest and still most pervasive risk assessment approaches. Many variations on risk assessment methods bear a striking resemblance to this standard.
The approach contained in MIL-STD-882D, Standard Practice for System Safety, applies to defense contractors and military projects. The current version (D) was released on 10 February 2000. According to the Foreword to the standard:

    This standard practice addresses an approach (a standard practice normally identified as system safety) useful in the management of environmental, safety, and health mishap risks encountered in the development, test, production, use, and disposal of Department of Defense systems, subsystems, equipment, and facilities.

This military standard details an entire system safety program of which risk assessment is just one small component. The standard explicitly requires that risk assessment be conducted.

DESCRIPTION

The standard specifies the system safety requirements that are to be performed throughout the life cycle for any system, new development, upgrade, modification, and resolution of deficiencies or technology development. When properly applied, these requirements ensure the identification and understanding of all potential hazards and their associated risks, and that mishap risk is eliminated or reduced to known and accepted levels. The objective of system safety is to achieve acceptable mishap risk through a systematic approach of hazard and risk analysis and management. Note that in this standard mishap risk includes risks to personnel, facilities, equipment, operations, the public, the environment and the system itself.

According to the standard, system safety requirements consist of the following:

1. Documentation of the system safety approach
2. Identification of hazards
3. Assessment of mishap risk
4. Identification of mishap risk mitigation measures
   a. Eliminate hazards through design selection
   b. Incorporate safety devices
   c. Provide warning devices
   d. Develop procedures and training
5. Reduction of mishap risk to an acceptable level
6. Review and acceptance of residual risk by the appropriate authority
7. Tracking hazards, their closures, and residual mishap risk

Details of each requirement may be found in the standard.

Goldberg, Everhart, Stevens, Babbitt, Clemens, and Stout (1994) present the following observations on the strengths (+) and weaknesses (-) of the basic risk assessment matrix approach in MIL-STD-882:

+ provides a useful guide for prudent engineering
+ provides a standard tool to subjectively assess risk
+ provides a standard tool for treating the relationship between severity and probability in assessing risk for a given hazard
+ assessing risk subjectively avoids unknowingly accepting intolerable and senseless risks, allows operating decisions to be made, and improves resource distribution for mitigation of loss resources
- only used to assess risk of hazards; does not identify hazards
- method is subjective without data and is a comparative analysis only

RISK SCORING SYSTEM

The risk scoring system presented in Appendix A to the standard uses risk factors of mishap severity and mishap probability levels. Severity levels include suggested values for environmental, safety and health criteria as shown in Table 27.1. Probability levels include quantitative estimates for the frequency of occurrence as shown in Table 27.2. The severity and probability factors are combined into a risk assessment value as shown in Table 27.3. The mishap risk assessment values map to the risk acceptance levels as shown in Table 27.4.

Table 27.1 - Suggested Mishap Severity Categories (MIL-STD-882)

Catastrophic (I): Could result in death or permanent total disability, loss exceeding $1M, or irreversible severe environmental damage that violates law or regulation.
Critical (II): Could result in permanent partial disability, injuries or occupational illness that may result in hospitalization of at least three personnel, loss exceeding $200K but less than $1M, or reversible environmental damage causing a violation of law or regulation.
Marginal (III): Could result in injury or occupational illness resulting in one or more lost work day(s), loss exceeding $10K but less than $200K, or mitigatible environmental damage without violation of law or regulation where restoration activities can be accomplished.
Negligible (IV): Could result in injury or illness not resulting in a lost work day, loss exceeding $2K but less than $10K, or minimal environmental damage not violating law or regulation.

Table 27.2 - Suggested Mishap Probability Levels (MIL-STD-882)

Frequent (A)
  Specific individual item: Likely to occur often in the life of an item, with a probability of occurrence greater than 10^-1.
  Fleet or inventory: Continuously experienced.
Probable (B)
  Specific individual item: Will occur several times in the life of an item, with a probability of occurrence less than 10^-1 but greater than 10^-2 in that life.
  Fleet or inventory: Will occur frequently.
Occasional (C)
  Specific individual item: Likely to occur some time in the life of an item, with a probability of occurrence less than 10^-2 but greater than 10^-3 in that life.
  Fleet or inventory: Will occur several times.
Remote (D)
  Specific individual item: Unlikely but possible to occur in the life of an item, with a probability of occurrence less than 10^-3 but greater than 10^-6 in that life.
  Fleet or inventory: Unlikely, but can reasonably be expected to occur.
Improbable (E)
  Specific individual item: So unlikely, it can be assumed occurrence may not be experienced, with a probability of occurrence less than 10^-6.
  Fleet or inventory: Unlikely to occur, but possible.

Table 27.3 - Example Mishap Risk Assessment Values (MIL-STD-882)

Probability   Catastrophic  Critical  Marginal  Negligible
Frequent      1             3         7         13
Probable      2             5         9         16
Occasional    4             6         11        18
Remote        8             10        14        19
Improbable    12            15        17        20

Table 27.4 - Example Mishap Risk Categories and Mishap Risk Acceptance Levels (MIL-STD-882)

Mishap Risk Assessment Value  Mishap Risk Category  Mishap Risk Acceptance Level
1-5                           High                  Component Acquisition Executive
6-9                           Serious               Program Executive Officer
10-17                         Medium                Program Manager
18-20                         Low                   As directed

STATUS

MIL-STD-882D is an active U.S. military standard.
Defense contractors are required to meet the standard's requirements on many projects. Additional information can be obtained from http://www.koiacki.com/MIL-STD-882.htm or the System Safety Society at http://www.system-safety.org.

U.S. ARMY

BACKGROUND

The U.S. Army has also adopted a risk management approach to operations. The Army Safety Program, Army Regulation 385-10 (2000), provides policy on Army safety management procedures. Army Regulation 385-10 indicates, "risk management is now the Army's principal risk reduction process to assist leaders in identifying and controlling hazards and making informed decisions. Leaders and managers are responsible for integrating risk management into all Army processes and operations." According to the regulation, training is to be provided so that all personnel can "recognize the hazards and accident risks associated with their duties and work environment and know the procedures necessary to control these risks and work safely."

The Army System Safety Engineering and Management, Army Regulation 385-16 (2001), prescribes:

    policies and procedures, and identifies responsibilities to ensure hazards in Army systems and facilities are identified and the risks associated with these hazards are properly managed. It applies to all Army materiel systems and facilities. It applies during all phases of the life cycle of systems or facilities.

According to Fanning (2002) "risk management is credited with reducing the numbers of accidents experienced by the Army each year for nearly ten years." Part of the Army's objective in risk management is to ensure that an informed decision is made at the appropriate level. According to Army Regulation 385-16, the primary objectives of system safety include:

- Ensure hazards are eliminated or controlled through design and that risk associated with residual hazards is formally identified, accepted by the appropriate management decision level, and documented.
- Identify hazards and manage the risk associated with these hazards for each system or facility throughout its life cycle in all possible configurations and all mission variations.

DESCRIPTION

The U.S. Army uses a risk management process with five steps:

a) identify hazards
b) assess hazards
c) develop controls and make risk decisions
d) implement controls
e) supervise and evaluate

Fanning (2002) observes, "the term risk assessment is often confused with risk management. Risk assessment is the first two steps of the risk management process." Army Regulation 385-10 states that:

    The five-step process is the commander's principal risk reduction process to identify and control hazards and make informed decisions. An analysis of all hazards will be made to determine the degree of risk. Hazards will be risk assessed in terms of hazard severity and accident probability, and assigned a risk assessment code.

Army Regulation 385-16 refers to a System Safety Risk Assessment. The risk assessment process includes:

1. Item and system identification
2. For each residual hazard, provide the following:
   a. Hazard topic
   b. Hazard description and consequences or risk acceptance of the proposed configuration
   c. Hazard classification (severity and frequency according to MIL-STD-882)
   d. Source document or reference
   e. Alternative actions that could reduce hazard level
3. Recommendations regarding risk acceptance

FLOWCHART

RISK SCORING SYSTEM

The risk scoring system for hazard severity and accident probability used in Army Regulation 385-10 is shown in Tables 27.5-27.6. The severity and probability values are translated to a risk assessment code using Table 27.7. Note that although this system closely follows the MIL-STD-882 format, the two systems differ slightly in the definitions, descriptions and risk assessment codes.

Table 27.5 - Hazard Severity (U.S. Army)

I - Catastrophic: Loss of ability to accomplish the mission or mission failure. Death or permanent total disability (accident risk). Loss of major or mission-critical system or equipment. Major property (facility) damage. Severe environmental damage. Mission-critical security failure. Unacceptable collateral damage.
II - Critical: Significantly (severely) degraded mission capability or unit readiness. Permanent partial disability, temporary total disability exceeding 3 months time (accident risk). Extensive (major) damage to equipment or systems. Significant damage to property or the environment. Security failure. Significant collateral damage.
III - Marginal: Degraded mission capability or unit readiness. Minor damage to equipment or systems, property, or the environment. Lost day due to injury or illness not exceeding 3 months (accident risk). Minor damage to property or the environment.
IV - Negligible: Little or no adverse impact on mission capability. First aid or minor medical treatment (accident risk). Slight equipment or system damage, but fully functional and serviceable. Little or no property or environmental damage.

Table 27.6 - Accident Probability (U.S. Army)

A - Frequent (occurs very often, continuously experienced)
  Single item: Occurs very often in service life. Expected to occur several times over duration of a specific mission or operation. Always occurs.
  Fleet or inventory item: Occurs continuously during a specific mission or operation, or over a service life.
  Individual soldier: Occurs very often in career. Expected to occur several times during mission or operation. Always occurs.
  All soldiers exposed: Occurs continuously during a specific mission or operation.
B - Likely (occurs several times)
  Single item: Occurs several times in service life. May occur about as often as not during a specific mission or operation.
  Fleet or inventory item: Occurs at a high rate, but experienced intermittently (regular intervals, generally often).
  Individual soldier: Occurs several times in a career. Expected to occur during a specific mission or operation.
  All soldiers exposed: Occurs at a high rate, but experienced intermittently.
C - Occasional (occurs sporadically)
  Single item: Occurs some time in service life. May occur about as often as not during a specific mission or operation.
  Fleet or inventory item: Occurs several times in service life.
  Individual soldier: Occurs some time during a specific mission or operation, but not often.
  All soldiers exposed: Occurs sporadically (irregularly, sparsely, or sometimes).
D - Seldom (remotely possible, could occur at some time)
  Single item: Occurs in service life, but only remotely possible. Not expected to occur during a specific mission or operation.
  Fleet or inventory item: Occurs as isolated incidents. Possible to occur some time in service life, but rarely. Usually does not occur.
  Individual soldier: Occurs as isolated incident during career. Remotely possible, but not expected to occur during a specific mission or operation.
  All soldiers exposed: Occurs rarely within exposed population as isolated incidents.
E - Unlikely (can assume will not occur, but not impossible)
  Single item: Occurrence not impossible, but can assume will almost never occur in service life. Can assume will not occur during a specific mission or operation.
  Fleet or inventory item: Occurs very rarely (almost never or improbable). Incidents may occur over service life.
  Individual soldier: Occurrence not impossible, but may assume will not occur in career or during a specific mission or operation.
  All soldiers exposed: Occurs very rarely, but not impossible.

Table 27.7 - Risk Assessment Code Matrix (U.S. Army)

Hazard Severity   A   B   C   D   E   (Accident Probability)
I                 1   1   2   3   5
II                1   2   3   4   5
III               2   3   4   5   5
IV                3   4   5   5   5

The regulation requires that hazards be eliminated on a "worst-first" basis. An abatement plan is required for risk assessment code levels 1 or 2.

STATUS

The Army Safety Program, Army Regulation 385-10, and System Safety Engineering and Management, Army Regulation 385-16, are current. Additional information is available at http://safety.army.mil/pages/guidance/safepol.htm.

U.S. NAVY AND MARINE CORPS

BACKGROUND

OPNAVINST 3500.39A is an instruction order issued in September 2000 to all U.S.
Navy and Marine Corps personnel concerning Operational Risk Management (ORM). The Chief of Naval Operations and the Commandant of the Marine Corps, the leaders of these armed services, signed the order (USN/USMC, 2000). The order clearly defines the importance of and responsibilities for deploying ORM:

    The success of the Naval Services is based upon a willingness to balance risk with opportunity in taking the bold and decisive action necessary to triumph in battle. Historically, the greater percentage of losses during combat operations was due to mishaps. Since 1991, ORM, applied both in day-to-day operations and during crisis periods, has produced dramatic results in reducing these losses. The naval vision is to develop an environment where every leader, Sailor, Marine and civilian is trained and motivated to personally manage risk in everything they do, both in peacetime and during conflict, thus successfully completing all operations with minimum risk. ORM will be included in the orientation and training of all military personnel. The ORM process shall be integrated into all levels of a command. All Navy and Marine Corps activities shall apply the principles of ORM in planning, operations and training.

ORM decisions are made by the leader directly responsible for the mission. Prudence, experience, judgment, intuition and situational awareness are critical elements in making effective risk management decisions. The ORM process includes provisions for databases where lessons learned are recorded and deployed. Responsibility for deploying ORM is clearly stated:

    Unit Commanders shall provide training to personnel, incorporate identified hazards, risk assessments and controls into briefs, notices and written plans, conduct a thorough risk assessment for all new or complex evolutions, defining acceptable risk and possible contingencies for the evolution.

The ORM process is based on four principles:

1. Accept risk when benefits outweigh the cost.
2. Accept no unnecessary risk.
3. Anticipate and manage risk by planning.
4. Make risk decisions at the right level.

DESCRIPTION

The U.S. Navy and Marine Corps use the five-step ORM process shown below:

1. Identify Hazards
2. Assess Hazards
3. Make Risk Decisions
4. Implement Controls
5. Supervise

Under the fourth step, the order includes a prioritized set of controls as follows:

1. Administrative Controls
2. Engineering Controls
3. Personal Protective Equipment

This list is unique. Most hierarchical lists present Engineering Controls as more preferred than Administrative Controls. This ordering may reflect the military culture of strict discipline in following orders and procedures, or the recognition that in a combat setting engineering controls may be rendered inoperable.

There are three ORM levels as follows:

1. Time critical - an "on the run" mental or oral review using the five-step process without recording the information on paper
2. Deliberate - application of the five-step process
3. In-depth - a more thorough risk assessment involving research of available data, tools, formal testing, and long-term tracking

The Navy and Marine Corps indicate that "one of the objectives of Operational Risk Management training is to develop sufficient proficiency in applying the process such that Operation Risk Management becomes an automatic or intuitive part of our decision making methodology."

FLOWCHART

The Navy and Marine Corps ORM process is shown in Figure 27.2.

Figure 27.2 - Navy and Marine Corps Operational Risk Management (ORM) Process, based on OPNAVINST 3500.39A (legibility limited due to original)

RISK SCORING SYSTEM

The ORM process includes a risk assessment matrix based on two risk factors: hazard severity and mishap probability. The hazard severity levels appear in Table 27.8. The mishap probability levels appear in Table 27.9. These risk factors combine to yield a risk assessment code as shown in Table 27.10.
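The MIL-STD-882 scoring of Tables 27.1-27.4 and the Army risk assessment code matrix of Table 27.7 (which the Navy Table 27.10 below reproduces with the same values) can be placed side by side in code, which makes the "differ slightly" remark in the Army section concrete. The following Python is an added example written for this page; it is not code from MIL-STD-882, AR 385-10 or OPNAVINST 3500.39A. It assumes that the monetary-loss criterion alone fixes severity (the injury and environmental criteria of Table 27.1 need judgement), that a per-item probability sitting exactly on a Table 27.2 boundary falls into the less frequent band, and it uses constructed sample hazards with made-up loss and probability estimates.

```python
from typing import Dict, List, Optional, Tuple

# MIL-STD-882 severity, Table 27.1, monetary criterion only: (floor in USD, name, numeral).
SEVERITY_BY_LOSS = [
    (1_000_000, "Catastrophic", "I"),
    (200_000, "Critical", "II"),
    (10_000, "Marginal", "III"),
    (2_000, "Negligible", "IV"),
]
# MIL-STD-882 probability, Table 27.2: (exclusive lower bound, name, letter); below 10^-6 is E.
PROBABILITY_BANDS = [
    (1e-1, "Frequent", "A"),
    (1e-2, "Probable", "B"),
    (1e-3, "Occasional", "C"),
    (1e-6, "Remote", "D"),
]
# Table 27.3: probability letter -> severity numeral -> risk value (1 is the worst).
MIL_RISK_VALUE: Dict[str, Dict[str, int]] = {
    "A": {"I": 1, "II": 3, "III": 7, "IV": 13},
    "B": {"I": 2, "II": 5, "III": 9, "IV": 16},
    "C": {"I": 4, "II": 6, "III": 11, "IV": 18},
    "D": {"I": 8, "II": 10, "III": 14, "IV": 19},
    "E": {"I": 12, "II": 15, "III": 17, "IV": 20},
}
# Table 27.4: (low, high, mishap risk category, acceptance level).
MIL_ACCEPTANCE = [
    (1, 5, "High", "Component Acquisition Executive"),
    (6, 9, "Serious", "Program Executive Officer"),
    (10, 17, "Medium", "Program Manager"),
    (18, 20, "Low", "As directed"),
]
# Army Table 27.7 (identical to Navy Table 27.10): severity numeral -> probability letter -> code.
RAC_MATRIX: Dict[str, Dict[str, int]] = {
    "I":   {"A": 1, "B": 1, "C": 2, "D": 3, "E": 5},
    "II":  {"A": 1, "B": 2, "C": 3, "D": 4, "E": 5},
    "III": {"A": 2, "B": 3, "C": 4, "D": 5, "E": 5},
    "IV":  {"A": 3, "B": 4, "C": 5, "D": 5, "E": 5},
}
NAVY_RAC_LABEL = {1: "Critical", 2: "Serious", 3: "Moderate", 4: "Minor", 5: "Negligible"}

def severity_from_loss(loss_usd: float) -> Optional[Tuple[str, str]]:
    """(name, numeral) for a loss estimate; None below the $2K floor of Table 27.1."""
    for floor, name, numeral in SEVERITY_BY_LOSS:
        if loss_usd > floor:
            return name, numeral
    return None

def probability_from_rate(p_in_life: float) -> Tuple[str, str]:
    """(name, letter) for a per-item probability of occurrence over the item's life.
    A value exactly on a band boundary goes to the less frequent band (assumption)."""
    if not 0.0 <= p_in_life <= 1.0:
        raise ValueError("probability must lie in [0, 1]")
    for lower, name, letter in PROBABILITY_BANDS:
        if p_in_life > lower:
            return name, letter
    return "Improbable", "E"

def mil_std_882(severity: str, probability: str) -> Tuple[int, str, str]:
    """(risk value, risk category, acceptance level) per Tables 27.3 and 27.4."""
    value = MIL_RISK_VALUE[probability][severity]
    for low, high, category, authority in MIL_ACCEPTANCE:
        if low <= value <= high:
            return value, category, authority
    raise ValueError(f"no acceptance band for value {value}")

def rac(severity: str, probability: str) -> Tuple[int, str, bool]:
    """(code, Navy label, abatement plan required); AR 385-10 requires a plan for codes 1 and 2."""
    code = RAC_MATRIX[severity][probability]
    return code, NAVY_RAC_LABEL[code], code in (1, 2)

def assess(hazard: dict) -> dict:
    """Classify one hazard from its estimates and score it under both systems."""
    sev = severity_from_loss(hazard["loss_usd"])
    if sev is None:
        raise ValueError(f"{hazard['id']}: loss below the $2K floor of Table 27.1")
    sev_name, numeral = sev
    prob_name, letter = probability_from_rate(hazard["p_in_life"])
    value, category, authority = mil_std_882(numeral, letter)
    code, label, plan = rac(numeral, letter)
    return {"id": hazard["id"], "severity": f"{numeral} {sev_name}",
            "probability": f"{letter} {prob_name}", "mil_value": value,
            "mil_category": category, "accepted_by": authority,
            "rac": code, "rac_label": label, "abatement_plan": plan}

def worst_first(hazards: List[dict]) -> List[dict]:
    """Rank hazards worst-first: MIL-STD value ascending (1 is worst), RAC as tie-break."""
    return sorted((assess(h) for h in hazards), key=lambda r: (r["mil_value"], r["rac"]))

# Constructed sample hazards (not from any real system): loss estimate in USD and
# per-item probability of occurrence over the item's service life.
SAMPLE_HAZARDS = [
    {"id": "H-3", "loss_usd": 5_000, "p_in_life": 0.2},
    {"id": "H-1", "loss_usd": 1_500_000, "p_in_life": 5e-4},
    {"id": "H-4", "loss_usd": 300_000, "p_in_life": 1e-7},
    {"id": "H-2", "loss_usd": 50_000, "p_in_life": 0.03},
]

if __name__ == "__main__":
    for row in worst_first(SAMPLE_HAZARDS):
        print(row)
```

Running it shows the difference the Army section describes: hazard H-1 (a $1.5M loss at a 5e-4 per-item probability) classifies as I/D, which MIL-STD-882 scores 8 (Serious, accepted only by the Program Executive Officer) while the Army/Navy matrix assigns code 3 (Moderate, no abatement plan required); H-3 (IV/A) lands on the same code 3 under the matrix but a MIL-STD value of 13 (Medium), so the two systems rank the same hazards differently even though they share severity numerals and probability letters.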
Table 27.8 - Hazard Severity (Navy/Marine ORM Process)

Category I    The hazard may cause death, loss of facility/asset or result in grave damage to national interests.
Category II   The hazard may cause severe injury, illness, property damage, damage to national or service interests or degradation to efficient use of assets.
Category III  The hazard may cause minor injury, illness, property damage, damage to national, service or command interests or degradation to efficient use of assets.
Category IV   The hazard presents a minimal threat to personnel safety or health, property, national, service or command interests or efficient use of assets.

Table 27.9 - Mishap Probability (Navy/Marine ORM Process)

Sub-category A  Likely to occur immediately or within a short period of time. Expected to occur frequently to an individual item or person or continuously to a fleet, inventory or group.
Sub-category B  Probably will occur in time. Expected to occur several times to an individual item or person or frequently to a fleet, inventory or group.
Sub-category C  May occur in time. Can reasonably be expected to occur some time to an individual item or person or several times to a fleet, inventory or group.
Sub-category D  Unlikely to occur.

Table 27.10 - Risk Assessment Code (Navy/Marine ORM Process)

Hazard Severity   A   B   C   D   E   (Mishap Probability)
I                 1   1   2   3   5
II                1   2   3   4   5
III               2   3   4   5   5
IV                3   4   5   5   5

The Risk Assessment Codes are defined as: 1 - Critical, 2 - Serious, 3 - Moderate, 4 - Minor, and 5 - Negligible.

STATUS

OPNAVINST 3500.39A is a current document. Additional information can be found at http://neds.nebt.daps.mil/Directives/3500 39a.pdf and www.hqmc.usmc.mil/safety.nsf.

U.S. COAST GUARD

BACKGROUND

The U.S. Coast Guard has taken steps to develop a formal, universal risk management plan (USCG, 1999).
This plan was developed as a means to improve operations because "many times faulty risk decisions have placed our personnel at greater risk than necessary." To combat human error, the Coast Guard formed a Team Coordination Training program that includes risk management principles. The Coast Guard has advocated these basic principles for many years, and data measuring boats' and cutters' mishap rates have shown these principles to be effective and the tools used valid. The document Operational Risk Management (ORM) (1999) contains the Coast Guard approach to risk assessment and risk management. The document notes that:

    While compatible with other armed forces' efforts, the Coast Guard's standard risk management plan is specifically tailored for our organization's unique size and multi-mission nature. Every command level and every person is responsible for identifying potential risks and adjusting or compensating accordingly. Therefore, ORM's target audience includes all those involved in operations, maintenance, and support activities.

    Traditional risk management practices assert risk is "bad." In reality that may not be so. Taking calculated risks is essential for an organization to grow and capitalize on its capabilities. The Coast Guard's aim is to increase mission success while reducing the risk to personnel, resources, and the environment to a level acceptable to a particular unit for a given situation. Units should identify risk using the same disciplined, organized, logical thought processes that govern all other aspects of military endeavors.

    A key objective is to implement the ORM process as an integrated aspect of daily activities and operations. As the Coast Guard continues to operate in a streamlined environment, preventing mishaps and reducing losses become even more important to maintain mission readiness. To accomplish these goals, the Coast Guard must change its business focus from a compliance-based to a risk-based philosophy.
The Coast Guard approach allows for variations in how risk assessment is conducted rather than attempting to achieve a single unified method:

    Understandably, each facility and activity will differ in how it interprets risk assessment and risk management results in its own community due to unique mission differences and its members' varying degrees of knowledge, skill, experience, and maturity. Devise simple implementation plans for simple processes. Discussions of risk among various Coast Guard activities will use the terms low, medium, and high, but each operational community will define those terms meaningfully for its own operators.

DESCRIPTION

The Coast Guard's ORM process "is a decision making tool people at all levels use to increase operational effectiveness by anticipating hazards and reducing the potential for loss, thereby increasing the probability of a successful mission." The Coast Guard identifies three levels of risk management:

1. time-critical (an undocumented "on the run" mental or verbal review)
2. deliberate (based on known information, documented, applies the complete process)
3. strategic (includes researching information and solutions, testing, documented)

By identifying these levels, the Coast Guard explicitly recognizes that different kinds of risk assessment are necessary in different situations. The ORM process asks users to apply four basic decision-making principles before executing any anticipated job, action or mission:

1. Accept no unnecessary risk
2. Accept necessary risk when benefits outweigh costs
3. Make risk decisions at the appropriate level
4. ORM is just as critical in executing as in planning all activities

The document includes ORM competencies based on job level from entry to senior level, and rank and proficiency criteria. The management roles and responsibilities are clearly detailed from commanders through staff officers, supervisors and individuals.
To identify hazards, the Coast Guard uses a "PEACE" model (Planning, Event Complexity, Asset Selection, Communications (and Supervision), and Environmental) to ensure hazards are identified for equipment, the environment and personnel. The document emphasizes that "the key to successfully analyzing risk is to carefully define the hazards and identify and evaluate safeguards."

FLOWCHART

Figure 27.3 illustrates the Coast Guard's seven-step ORM process.

Figure 27.3 - Seven-Step Operational Risk Management (ORM) Process, U.S. Coast Guard

RISK SCORING SYSTEM

The Coast Guard uses three risk scoring systems to assess risk. The first is the Severity, Probability, and Exposure (SPE) system; the second is the Green, Amber, and Red (GAR) system; and the third is a simple risk assessment questions approach.

The SPE Risk Assessment System

The SPE Risk Assessment system uses the following risk calculation formula:

    Risk = Severity x Probability x Exposure

In this risk scoring system, severity addresses the following areas:

- Injury or Death
- Equipment Damage
- Mission Degradation
- Reduced Morale
- Adverse Publicity
- Administrative and/or Disciplinary Actions

The severity risk factor rating options appear in Table 27.11. The probability risk factor addresses the likelihood that the potential consequences will occur. The values are shown in Table 27.12. The exposure risk factor addresses the amount of time, number of occurrences, number of people, and/or amount of equipment involved in an event, expressed in time, proximity, volume, or repetition. The exposure rating options appear in Table 27.13. The risk is derived from the formula multiplying the three risk factor values together. The resulting risk level and associated guidance are defined in Table 27.14.

Table 27.11 - Severity Levels (U.S. Coast Guard)

Severity rating  Description
1                None or slight
2                Minimal
3                Significant
4                Major
5                Catastrophic

Table 27.12 - Probability Levels (U.S. Coast Guard)

Probability rating  Description
1                   Impossible or remote under any conditions
2                   Unlikely under normal conditions
3                   About 50-50
4                   Greater than 50%
5                   Very likely to happen

Table 27.13 - Exposure Levels (U.S. Coast Guard)

Exposure rating  Description
1                None or below average
2                Average
3                Above average
4                Great

Table 27.14 - Risk Level and Guidance (U.S. Coast Guard)

Values  Degree of Risk  Guidance
80-100  Very High       Discontinue, Stop
60-79   High            Correct Immediately
40-59   Substantial     Correction Required
20-39   Possible        Attention Needed
1-19    Slight          Possibly Acceptable

Concerning methods to reduce risk, the Coast Guard notes that:

- Using protective devices, engineering controls, and personal protective equipment usually helps control severity.
- Training, situational awareness, attitude change, rest, and stress reduction usually help control probability.
- Reducing the number of people involved or the number of events, cycles, or evolutions usually helps control exposure.

The GAR Risk Assessment Model

The Green, Amber, and Red (GAR) Risk Assessment system uses the six risk factors in Table 27.15, which contribute to the majority of risk in Coast Guard operations. Each risk factor is assigned a risk level from 0 (no risk) to 10 (maximum risk). Summing the risk factor levels yields a total risk score. The risk score translates to an overall risk level as shown in Table 27.16.

Table 27.15 - GAR Risk Factors (U.S. Coast Guard)

Risk Factor                 Rating
Supervision                 0-10
Crew Selection              0-10
Environment                 0-10
Planning                    0-10
Crew Fitness                0-10
Event/Evolution Complexity  0-10
Total Risk Score            0-60

Table 27.16 - GAR Risk Assessment Model (U.S. Coast Guard)

Total risk score  Degree of risk
45-60             Red
24-44             Amber
0-23              Green

Concerning the two approaches, the Coast Guard notes:

    The GAR model is good to assess an operation or mission generally.
    If the degree of risk appears unduly high in one or more of the elements above, perform a second assessment using the SPE model for each element of concern, since the SPE model is more specific. The ability to assign numerical values or color codes to risk elements in either the SPE or GAR model is not the most important part of risk assessment. What is critical in this ORM step is team discussion to understand the risks and how the team will manage them.

Different Coast Guard operational communities have adopted the GAR model, but may interpret green, amber, and red differently for their own missions and operators.

Simple Risk Assessment Questions Technique

Another method the Coast Guard uses is a Simple Risk Assessment Questions Technique. This method can be used for situations where more formal methods would be neither feasible nor appropriate. Sample questions include:

(1) Why am I doing this task?
(2) What could go wrong?
(3) How could it affect me or others?
(4) How likely is it to happen?
(5) What can I do about it?

RISK-GAIN ANALYSIS

One of the very unusual features of the Coast Guard system involves the guidance provided on how to evaluate risks and benefits. Many risk assessment methods indicate that decisions on risk acceptability should be made using a cost-benefit approach. The ALARP concept is based on cost-benefit tradeoffs (see Chapter 4). However, few approaches provide guidance on how to evaluate this tradeoff. The Coast Guard presents guidance on conducting a risk-gain analysis as shown in Table 27.17.

Table 27.17 - Risk vs. Gain Chart (U.S. Coast Guard)

Low Risk
  High gain: Accept the mission. Continue to monitor risk factors, if conditions or mission changes.
  Medium gain: Accept the mission. Continue to monitor risk factors, if conditions or mission changes.
  Low gain: Accept the mission. Reevaluate risk vs. gain, should risk factors change.
Medium Risk
  High gain: Accept the mission. Continue to monitor risk factors and employ control options when available.
  Medium gain: Accept the mission. Continue to monitor risk factors and employ control options when available.
  Low gain: Accept the mission. Continue to monitor risk factors and actively pursue control options to reduce risk.
High Risk
  High gain: Accept the mission only with command endorsement. Communicate risk vs. gain to chain of command. Actively pursue control options to reduce risk.
  Medium gain: Accept the mission only with command endorsement. Communicate risk vs. gain to chain of command. Actively pursue control options to reduce risk.
  Low gain: Do not accept the mission. Communicate to chain of command. Wait until risk factors change or control options warrant.

The Coast Guard instructs its personnel to "utilize the matrix above to receive a recommendation on whether, or how to proceed with the mission."

STATUS

The U.S. Coast Guard Operational Risk Management (1999) program is current. Additional information can be obtained at http://www.uscg.mil/hq/G-W/g-wk/g-wks/g-wks-1/Operational%20Risk%20Management.pdf

AUSTRALIAN MILITARY

BACKGROUND

The Australian military has also been active in risk assessment. However, many of the details of its processes remain restricted. One example of how risk assessment is deployed in the Australian military follows.

In Australia, the Joint Logistics Command is part of the Defence Materiel Organisation of the Australian Defence Organisation. Within this Command is a group that focuses on risk assessments of ordnance. The Ordnance Safety Group (OSG) is a "Centre of Excellence" in explosive safety. The Group describes its focus as follows:

    The assurance of the safety of ammunition intended for use by the Australian Defence Force is at the core of OSG activities, which are centered on two processes: Assessment of safety and suitability for service, and the technical regulation of safety principles for the handling of explosives.

The Group uses both qualitative and quantitative risk management tools in performing its work.
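Returning to the U.S. Coast Guard section above, the SPE formula (Tables 27.11-27.14), the GAR scoring (Tables 27.15-27.16), the instruction to re-assess any "unduly high" GAR element with SPE, and the risk-vs-gain chart (Table 27.17) chain together into one decision procedure. The following Python is an added example written for this page rather than Coast Guard code. Two inputs it needs are not fixed by the text and are assumptions here: a GAR element counts as "unduly high" at a rating of 7 or more out of 10, and the GAR colour is read as the chart's low, medium or high risk level. The crew ratings and SPE values are constructed.

```python
from typing import Dict, List, Tuple

# SPE (Tables 27.11-27.13): Risk = Severity (1-5) x Probability (1-5) x Exposure (1-4).
SPE_RANGES = {"severity": (1, 5), "probability": (1, 5), "exposure": (1, 4)}
# Table 27.14: (low, high, degree of risk, guidance).
SPE_BANDS = [
    (80, 100, "Very High", "Discontinue, Stop"),
    (60, 79, "High", "Correct Immediately"),
    (40, 59, "Substantial", "Correction Required"),
    (20, 39, "Possible", "Attention Needed"),
    (1, 19, "Slight", "Possibly Acceptable"),
]
# GAR (Tables 27.15-27.16): six factors rated 0 (no risk) to 10 (maximum risk).
GAR_FACTORS = ("Supervision", "Crew Selection", "Environment", "Planning",
               "Crew Fitness", "Event/Evolution Complexity")
GAR_BANDS = [(45, 60, "Red"), (24, 44, "Amber"), (0, 23, "Green")]
# The text says to re-run SPE on any element whose risk "appears unduly high" but
# gives no number; 7 or more out of 10 is this example's assumption.
CONCERN_THRESHOLD = 7
# Table 27.17: (risk, gain) -> recommendation.
_MONITOR = "Accept the mission. Continue to monitor risk factors, if conditions or mission changes."
_CONTROLS = "Accept the mission. Continue to monitor risk factors and employ control options when available."
_ENDORSE = ("Accept the mission only with command endorsement. Communicate risk vs. gain "
            "to chain of command. Actively pursue control options to reduce risk.")
RISK_GAIN = {
    ("Low", "High"): _MONITOR, ("Low", "Medium"): _MONITOR,
    ("Low", "Low"): "Accept the mission. Reevaluate risk vs. gain, should risk factors change.",
    ("Medium", "High"): _CONTROLS, ("Medium", "Medium"): _CONTROLS,
    ("Medium", "Low"): ("Accept the mission. Continue to monitor risk factors and actively "
                        "pursue control options to reduce risk."),
    ("High", "High"): _ENDORSE, ("High", "Medium"): _ENDORSE,
    ("High", "Low"): ("Do not accept the mission. Communicate to chain of command. "
                      "Wait until risk factors change or control options warrant."),
}
# Reading the GAR colour as the chart's risk level is this example's assumption.
COLOR_TO_RISK = {"Green": "Low", "Amber": "Medium", "Red": "High"}

def spe_risk(severity: int, probability: int, exposure: int) -> int:
    """Severity x Probability x Exposure, rejecting ratings outside the tables' ranges."""
    for name, value in (("severity", severity), ("probability", probability),
                        ("exposure", exposure)):
        low, high = SPE_RANGES[name]
        if not (isinstance(value, int) and low <= value <= high):
            raise ValueError(f"{name} must be an integer from {low} to {high}, got {value!r}")
    return severity * probability * exposure

def spe_guidance(risk: int) -> Tuple[str, str]:
    """(degree of risk, guidance) from Table 27.14."""
    for low, high, degree, guidance in SPE_BANDS:
        if low <= risk <= high:
            return degree, guidance
    raise ValueError(f"SPE risk {risk} lies outside 1..100")

def gar_score(ratings: Dict[str, int]) -> int:
    """Total risk score 0-60; every factor must be present and rated 0-10."""
    missing = [f for f in GAR_FACTORS if f not in ratings]
    if missing:
        raise ValueError(f"missing GAR factors: {missing}")
    if any(not 0 <= ratings[f] <= 10 for f in GAR_FACTORS):
        raise ValueError("each GAR factor must be rated 0 to 10")
    return sum(ratings[f] for f in GAR_FACTORS)

def gar_color(total: int) -> str:
    """Green, Amber or Red from Table 27.16."""
    for low, high, color in GAR_BANDS:
        if low <= total <= high:
            return color
    raise ValueError(f"GAR total {total} lies outside 0..60")

def elements_of_concern(ratings: Dict[str, int]) -> List[str]:
    """Factors rated at or above CONCERN_THRESHOLD, to be re-assessed with SPE."""
    return [f for f in GAR_FACTORS if ratings[f] >= CONCERN_THRESHOLD]

def recommend(gar_ratings: Dict[str, int], gain: str,
              spe_inputs: Dict[str, Tuple[int, int, int]]) -> dict:
    """GAR first, SPE for each element of concern, then the risk-vs-gain recommendation."""
    total = gar_score(gar_ratings)
    color = gar_color(total)
    spe = {}
    for element in elements_of_concern(gar_ratings):
        risk = spe_risk(*spe_inputs[element])
        spe[element] = (risk,) + spe_guidance(risk)
    return {"gar_total": total, "gar": color, "spe": spe,
            "recommendation": RISK_GAIN[(COLOR_TO_RISK[color], gain)]}

# Constructed sample: one small-boat evolution as its crew might rate it (not real data).
SAMPLE_GAR = {"Supervision": 4, "Crew Selection": 6, "Environment": 9,
              "Planning": 3, "Crew Fitness": 5, "Event/Evolution Complexity": 8}
SAMPLE_SPE = {"Environment": (4, 4, 3), "Event/Evolution Complexity": (3, 3, 2)}

if __name__ == "__main__":
    print(recommend(SAMPLE_GAR, "High", SAMPLE_SPE))
```

For the sample ratings the GAR total is 35 (Amber); the two elements rated 7 or higher are re-assessed with SPE, where Environment scores 48 (Substantial, Correction Required) while Event/Evolution Complexity scores 18 (Slight); with a high-gain mission the chart's recommendation is to accept and employ control options when available. The range checks matter in practice: the SPE bands only make sense for products of ratings inside the tables' scales, and a GAR sheet with a factor left blank should fail rather than silently score low.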
Safety and Suitability for Service (S3) refers to a risk-based assessment, set against internationally recognised standards, of an individual item of explosive ordnance to determine its ability to remain safe and suitable for service within the ADF. Given the nature of ammunition and explosives, the Australian Government Solicitor has advised that the Commonwealth's duty of care to its personnel is absolute. In keeping with the Minister's requirements for corporate governance, USDM has directed that S3 is the process necessary to apply due rigour to the attainment of explosives safety at procurement. The necessary evidence comes from a multiplicity of sources including design specifications, trial results and demonstrated experience of service use in the ADF and other nations' forces. The result is presented to the OSG, which then forms the S3 assessment of the explosive ordnance, including an assessment of the risk of death or injury. Details on these methods are not provided.

STATUS

Additional information can be found at http://www.defence.gov.au/dmo/ilc/aoc/aoc.cfm. Given the deployment of risk assessment in other Australian industries, one can surmise that the Australian military also employs risk assessment and risk management methods.

REFERENCES

Australian Defence Organisation, Defence Materiel Organisation, Ordnance Safety Group. (2002). http://www.defence.gov.au.
Fanning, F.E. (2002). Risk management for emergency operations. American Society of Safety Engineers. www.asse.org.
Goldberg, B.E., Everhart, K., Stevens, R., Babbitt III, N., Clemens, P., & Stout, L. (1994). System engineering "toolbox" for design-oriented engineers. NASA Reference Publication 1358.
MIL-STD-882D (2000). Standard practice for system safety. Department of Defense, U.S.A. www.defenselink.mil.
System Safety Society (2002). http://www.system-safety.org.
U.S. Army Regulation 385-10. (2000). The army safety program. February. http://safety.army.mil/pages/guidance/safepol.htm.
U.S. Army Regulation 385-16. (2001). The army system safety engineering and management. November. http://safety.army.mil/pages/guidance/safepol.htm.
U.S. Coast Guard. (1999). Operational risk management (ORM), COMDTINST 3500.3. http://www.uscg.mil/hq/G-W/g-wk/g-wks/g-wks-1/Operational%20Risk%20Management.pdf.
USN/USMC. (2000). OPNAVINST 3500.39A, Operational risk management. U.S. Navy and U.S. Marine Corps, 26 Sept 2000. http://neds.nebt.daps.mil/Directives/3500 39a.pdf.

NUCLEAR POWER INDUSTRY

BACKGROUND

DeGaspari (2002) states, "risk analysis is routinely used in the nuclear power industry to identify areas of a plant that have the highest likelihood of failure and pose the most serious consequences." He states that risk assessment "has proven itself to be a useful tool in making industries safer and more reliable, and could have larger societal benefits as well."

Many of the more advanced risk assessment methods, such as probabilistic risk assessment (PRA), have been developed in the nuclear area. Whipple (1988) observes:

So, if the logic of the plant and how its components contribute to its risk can be figured out, the failure rate of the basic pieces can be entered into the analysis with assurance. The hard part, of course, is getting the systems analysis right, that is, figuring out how a particular component contributes to overall safety. Even harder is accounting properly for human actions and errors. This sort of analysis has been going on in a major way [since about 1976] for nuclear plants.

According to Stamatelatos et al. (2002):

the nuclear industry picked up PRA to assess safety almost as a last resort in defense of its very existence. This analytical method has gained momentum and credibility over the past two decades, not only in the nuclear industry, but also in other industries like petrochemical, offshore platforms, and defense. The first modern PRA, the Reactor Safety Study (WASH-1400), was completed in the mid-1970's.
Stamatelatos et al. (2002) state, "WASH-1400 was arguably the first large-scale analysis of a large, complex facility to claim to have comprehensively identified the risk-significant scenarios at the plants analyzed." Among the many findings of that study was that:

some of the more frequent, less severe Initiating Events (e.g., 'transients') lead to severe accidents at higher expected frequencies than do some of the less frequent, more severe Initiating Events (e.g., very large pipe breaks). It led to the beginning of the understanding of the level of design detail that must be considered in PRA if the scenario set is to support useful findings.

In 1995 the U.S. Nuclear Regulatory Commission published a policy statement on the use of probabilistic risk assessment methods in nuclear regulatory activity. This policy statement encouraged the use of probabilistic risk assessments by the staff of the USNRC. It was only a policy statement and imposed no legal requirements. Garrick and Christie (2000) indicate that:

Starting in 1997 there have been a number of attempts to produce a set of risk-informed, performance-based regulations that will be more effective and efficient than the existing regulations which are based on design basis events. Probabilistic risk assessment for commercial nuclear power plants in the United States is in various stages of development and maturity. Since the Reactor Safety Study in the mid-1970s, the data and models have evolved to a level of maturity that is seen in few other industries.

The perception of risk can drive analysis, as Garrick and Christie (2000) note:

There is a high amount of distrust and fear among much of the public in the United States concerning 'anything nuclear.' Consistently, public opinion polls indicate that the general public considers nuclear power plants to be one of the most 'risky' technologies in the United States.
This is in spite of the fact that the general public recognizes that there have been no deaths or fatalities from the operation of commercial nuclear power plants.

This absence of fatalities is an impressive safety record. Most industries cannot make the same claim.

DESCRIPTION

In the nuclear power industry, risk assessment is undertaken by the facility licensees as part of their process for demonstrating that an operation is adequately safe. Davies (2000) describes the hazard identification process in the nuclear power industry:

the hazard of concern is the radiological effects from reactor operation and related activities, either from direct radiation or as a result of dispersion of material leading to contamination of people or the environment. Identification of the hazard is therefore relatively straightforward as it consists of identifying the sources of radioactivity.

Indeed, risk-based inspection and inservice testing guidelines have been developed in considerable detail. Further information can be found in Light Water Reactor Nuclear Power Plant Components, Risk-Based Inservice Testing - Development of Guidelines (1996) and Light Water Reactor Nuclear Power Plant Components, Risk-Based Inspection - Development of Guidelines (1992). Davies (2000) indicates that:

The design of nuclear power plant and its safety justification are based on deterministic ground rules with the risk assessment used as an aid to judgment on the acceptability of the plant. The principal risk assessment is the Probabilistic Safety Analysis undertaken as part of the Periodic Safety Review and is used to justify that the risk of continued operation is tolerable and ALARP.

In nuclear power, the complexity of a risk assessment comes in the form of identifying the initiating event and evaluating the consequences.
These are different concerns from those of much of general industry and other industries, where identifying the hazard is of great concern and the event and consequence are usually more straightforward. According to Niehaus (2000), documents from the International Atomic Energy Agency (IAEA) require 'that the risk is as low as reasonably achievable'. Although some countries are reported to be using cost/benefit analyses in the nuclear safety area, no recommendations are made on its use by the IAEA.

One of the by-products of nuclear power generation is nuclear waste. Concerning nuclear wastes, Garrick (2000) states that:

The safety studies of low level waste facilities embrace probabilistic risk assessment methods very little, while on the other end of the scale, the high level waste repositories have become very sophisticated users of probabilistic methods. Led by the U.S. Nuclear Regulatory Commission and the U.S. Environmental Protection Agency there is clearly a movement towards risk-informed regulation and, therefore, it is expected with time that the risk assessment practices will indeed become standardized throughout the nuclear waste field. There is essentially an infinite number of scenarios that can evolve over thousands of years that could affect the performance of a repository. The key is to identify a manageable set of scenarios that are representative of the conditions most important to providing reasonable assurance of the safety of the public and the protection of the environment. While the use of risk assessment methods varies from very little for low level waste to major emphasis for high level waste, the analysis methods are all intended to identify the radiation threats to public safety. In general, the methods of analysis are in transition between deterministic and probabilistic methods. Clearly, there has not yet been a commitment to full scope probabilistic risk assessments for low level waste facilities.
For high level waste there is a clear commitment to use the probabilistic risk methods.

The disparities between the nuclear power and waste risk assessment situations and that of general industry are considerable. These applications employ considerably different levels of sophistication. Although the risk assessment fundamentals are conceptually similar, the applications are substantially different, and this difference is reflected in the methods used in differing industries. Risk assessment in the nuclear power industry tends to be quite advanced compared to general industry applications. The assessments are often probabilistic and complex. However, DeGaspari (2002) states, "fully quantitative risk analysis is often viewed as overly complex and expensive, requiring too many resources. A fully quantitative analysis can cost 10 times as much as a qualitative analysis."

STATUS

In the nuclear power industry, risk assessments (probabilistic risk assessments or probabilistic safety assessments) are well integrated into the design and operation processes. Regulators use the results of the risk assessment together with other information, including qualitative judgments, in making decisions on the level of safety achieved. Indeed, Niehaus (2000) reports, "most countries require a PSA for their nuclear power plants. It is part of the 'Safety Analysis Report' required during the licensing process." In some countries periodic updates to the risk assessment are required for continued operation.

REFERENCES

ASME (1992). Risk-based inspection - Development of guidelines, Volume 2, Part 1, light water reactor nuclear power plant components. American Society of Mechanical Engineers. www.asme.org.
ASME (1996). Risk-based inservice testing - Development of guidelines, Volume 2, light water reactor nuclear power plant components. American Society of Mechanical Engineers. www.asme.org.
Davies, L.P. (2000). Responses to questionnaire for UK nuclear power plant. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.
DeGaspari, J. (2002). Risky business. Mechanical Engineering, July. American Society of Mechanical Engineers. www.asme.org.
Garrick, B.J. & Christie, R.F. (2000). Invited expert presentation, Nuclear power plants. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.
Garrick, B.J. (2000). Invited expert presentation, Radioactive waste disposal. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.
Niehaus, F. (2000). Use of probabilistic safety assessment (PSA) for nuclear installations. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.
Rasmussen, N.C. (1975). Reactor Safety Study - WASH-1400. www.state.nv.us/nucwaste/news/rpccna/pcrcnal2.htm.
Stamatelatos, M., Apostolakis, G., Dezfuli, H., Everline, C., Guarro, S., Moieni, P. (2002). Probabilistic risk assessment procedures guide for NASA managers and practitioners. Office of Safety and Mission Assurance, NASA Headquarters. www.nasa.gov.
Whipple, C. (1988). Risk-based standards in engineering. Engineering applications of risk analysis. American Society of Mechanical Engineers, Winter Annual Meeting, December 1987. www.asme.org.

OFFSHORE

Quantitative Risk Assessments
Offshore Health Risk Assessments
Sample Study

QUANTITATIVE RISK ASSESSMENTS

BACKGROUND

Vinnem (1999) has authored an extensive text focusing on the offshore industry, Offshore Risk Assessment: Principles, Modelling and Applications of QRA Studies. There is a wealth of information in the book.
Vinnem notes that some confusion exists with the various terms used to describe quantified risk assessment (QRA), such as quantitative risk assessment, probabilistic safety assessment, and others. He states, "in spite of more than a decade of use and development, no convergence towards a universally accepted term has been seen and these terms are used in parallel." Vinnem (1999) briefly traces the history of QRA studies:

Quantified Risk Assessment in the offshore industry dates back to the second half of 1970s. At those times, the methodologies and data were mainly adaptations of what had been used for some few years within the nuclear power generation industry, most notably WASH 1400 (NRC, 1975) which had been developed 3-4 years earlier. The next step in the development of QRA came in 1981 when the Norwegian Petroleum Directorate issued guidelines for safety evaluation of platform conceptual design (NPD, 1980). These regulations required QRA be carried out for all new offshore installations in the conceptual design phase. For many years Norway was the only country using QRAs systematically. In 1991 the Norwegian Petroleum Directorate replaced the 1981 guidelines for risk assessment by Regulations for Risk Analysis (NPD, 1990) which considerably extended the scope of these studies.

Both Alderman and Gosse (2001) and Vinnem (1999) point to the severe accident on the Piper Alpha platform in 1988 as the point when the UK became seriously involved in risk assessment for the offshore industry. The Piper Alpha incident involved a platform fire and explosion that resulted in 167 fatalities and total loss of the platform. An investigation led by Lord Cullen (1990) resulted in recommendations that UK legislation introduce QRAs in a manner similar to Norway. Following the Piper Alpha incident the UK Health and Safety Executive (HSE) issued the Safety Case Regulations for offshore installations.
A Safety Case involves three components: a facility description, a formal safety assessment (including hazard identification and quantitative risk assessment among other elements), and a safety management system. These requirements came into force in 1992 for both existing and new installations. In this manner QRA became required in the UK offshore industry. Vinnem (1999) indicates that since then the UK has rapidly been taking over the initiative and advancing the QRA effort for offshore applications. Brandsaeter (2000) has noted that:

The development of offshore QRA has been led by a mutual influence and interaction between the regulatory authorities for the UK and Norwegian waters as well as the oil companies operating here. Risk assessments are required by Authorities in order to document the risk level to be within specified acceptance criteria. To some extent, this is believed to have been an important reason for doing risk assessments - initially. Later it has been taken into active use as support for decisions, regarding design, construction as well as operation of offshore installations.

The Norwegian standard NORSOK Z-013 (2001) indicates that:

Risk analyses shall be carried out as an integrated part of the field development project work, so that these studies form part of the decision-making basis for design of safe technical, operational and organisational solutions for the activity in question. Risk analyses shall be carried out in connection with major modifications, change of area of applications, or decommissioning and disposal of installations, as well as in connection with major changes in organisation and manning levels. The main purpose of using risk and emergency preparedness analyses is to formulate a decision-making basis that may contribute to selecting safety-wise optimum solutions and risk reducing measures on a sound technical and organisational basis.
DESCRIPTION

Alderman and Gosse (2001) describe the offshore risk assessment process as follows: "Risk assessment is a process where the results of a risk analysis are used to make decisions, either through a risk ranking of hazard reduction strategies or through comparison to target risk levels." The ALARP concept is used in this industry.

Brandsaeter (2000) presents the "typical" offshore QRA of risk estimation, analysis and evaluation as described in the Norwegian offshore standardization organization (NORSOK) document Risk and Emergency Preparedness Analysis (NTS, 1998). The offshore risk assessment process includes the following major components:
- Hazard identification
- Frequency analysis
- Consequence analysis
- Risk picture
- Risk evaluation
In this model, the term Risk Estimation is used to describe the frequency and consequence analyses. The term Risk Analysis describes the first four steps. The term Risk Assessment is used to describe the overall process. The NORSOK Z-013 standard emphasizes that risk acceptance criteria need to be available prior to starting the risk analysis. Brandsaeter (2000) notes that:

During the process of hazard identification, a wide range of hazards may be suggested. In general, the hazard identification is qualitative. However, a coarse quantification may be done during selection of failure cases for further assessment. Allowing for all possible combinations of parameters, this leaves several thousand possible scenarios to be modeled. It is not feasible to model so many and, in practice, the analyst simplifies the event tree using judgment to discard branches that are not expected to affect the results significantly. In a typical full QRA of an offshore process system the total number of accident scenarios may be several hundreds. Grouping or categorising of scenarios, in order to limit the number of scenarios to consider, is common.

Alderman and Gosse (2001) describe four methods to simplify the risk assessment process.
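Two points made above can be seen on one small event tree: the WASH-1400 finding quoted in the nuclear section, that frequent, less severe initiating events can dominate the severe-accident frequency, and Brandsaeter's description of the analyst pruning branches by judgment and grouping scenarios into a manageable set. What follows is an added example written for this chapter; it is not code from NORSOK Z-013, Brandsaeter (2000), WASH-1400 or any QRA software. The three barrier headings, the three initiators and every frequency and probability are constructed illustrative values, and branch probabilities are assumed independent of the path taken through earlier headings, which a real event tree does not assume. Beyond the text, the example adds a check that reports how much of a consequence class the pruning cut-off actually removed, so the judgment can be audited rather than trusted.

```python
"""Event-tree quantification with judgment-based pruning and scenario grouping.

Added illustration for this chapter; not code from NORSOK Z-013, Brandsaeter
(2000) or WASH-1400. Every frequency and probability below is a constructed,
round illustrative number, not plant or platform data.
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Optional, Tuple

# Event-tree headings: safety functions challenged after an initiating event,
# in the order the tree branches on them (constructed names).
BARRIERS = ("automatic shutdown", "emergency cooling", "containment")


@dataclass(frozen=True)
class Initiator:
    name: str
    frequency: float                    # initiating events per year (constructed)
    barrier_failure: Tuple[float, ...]  # P(barrier i fails | this initiator)


# Simplification: a barrier's failure probability does not depend on what
# happened at earlier headings. A real tree conditions each branch on its path.
INITIATORS: List[Initiator] = [
    # The WASH-1400 pattern: the frequent 'transient' meets reliable barriers,
    # the rare 'large pipe break' degrades them, yet the transient still
    # dominates the severe end state because its frequency multiplies through.
    Initiator("transient", 3.0, (1e-2, 1e-4, 0.1)),
    Initiator("small pipe break", 1e-2, (5e-2, 1e-3, 0.2)),
    Initiator("large pipe break", 1e-4, (0.2, 0.1, 0.5)),
]

Branch = Tuple[str, Tuple[bool, ...], float, str]  # initiator, failed flags, freq/yr, class


def consequence_class(failed: Tuple[bool, ...]) -> str:
    """Group a branch into a consequence category by which barriers failed.
    Grouping like this is what keeps a full QRA at 'several hundred' scenarios."""
    shutdown_failed, cooling_failed, containment_failed = failed
    if cooling_failed and containment_failed:
        return "large release"
    if cooling_failed:
        return "core damage, contained"
    if shutdown_failed:
        return "plant upset, cooled"
    return "no damage"


def quantify(initiators: List[Initiator],
             cutoff: Optional[float] = None) -> Tuple[List[Branch], float]:
    """Enumerate every branch of every initiator's event tree.

    Branch frequency = initiator frequency x product over headings of P(fail)
    or 1 - P(fail). Branches below `cutoff` (per year) are discarded, mimicking
    the analyst's pruning; their summed frequency is returned for auditing.
    """
    kept: List[Branch] = []
    discarded = 0.0
    for init in initiators:
        for failed in product((False, True), repeat=len(BARRIERS)):
            freq = init.frequency
            for p_fail, did_fail in zip(init.barrier_failure, failed):
                freq *= p_fail if did_fail else 1.0 - p_fail
            if cutoff is not None and freq < cutoff:
                discarded += freq
                continue
            kept.append((init.name, failed, freq, consequence_class(failed)))
    return kept, discarded


def frequency_by_class(branches: List[Branch]) -> Dict[str, float]:
    """The 'risk picture': total frequency per consequence class."""
    picture: Dict[str, float] = {}
    for _, _, freq, cls in branches:
        picture[cls] = picture.get(cls, 0.0) + freq
    return picture


def contributors(branches: List[Branch], cls: str) -> List[Tuple[str, float]]:
    """Initiators ranked by their contribution to one consequence class."""
    totals: Dict[str, float] = {}
    for name, _, freq, c in branches:
        if c == cls:
            totals[name] = totals.get(name, 0.0) + freq
    return sorted(totals.items(), key=lambda item: item[1], reverse=True)


def retained_fraction(initiators: List[Initiator], cutoff: float, cls: str) -> float:
    """Share of a class's frequency that survives pruning at `cutoff`. A value
    well below 1 means 'will not affect the results' was wrong for that class."""
    full = frequency_by_class(quantify(initiators)[0]).get(cls, 0.0)
    pruned = frequency_by_class(quantify(initiators, cutoff)[0]).get(cls, 0.0)
    return pruned / full if full else 1.0


if __name__ == "__main__":
    branches, discarded = quantify(INITIATORS, cutoff=5e-7)
    print(f"{len(branches)} branches kept, {discarded:.1e}/yr discarded")
    for cls, freq in sorted(frequency_by_class(branches).items(), key=lambda kv: kv[1]):
        print(f"  {cls:24s} {freq:.2e}/yr")
    print("large release driven by:", contributors(branches, "large release"))
    print("retained fraction:", round(retained_fraction(INITIATORS, 5e-7, "large release"), 3))
```

With these constructed numbers the transient contributes 3e-5 per year to the large-release class against 5e-6 for the large pipe break, reproducing the WASH-1400 ordering, and a 5e-7 per year pruning cut-off drops three of the 24 branches while keeping about 99 percent of the large-release frequency. The retained-fraction check is the part worth carrying into practice: whenever branches are discarded by judgment, quantify what was discarded for the end state the decision depends on.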
The first involves a Design Option Safety Assessment (DOSA), where a qualitative risk-ranking matrix is used to reduce the number of scenarios being evaluated (see Jordan and Poblete, 1991). The method relies on experienced personnel but does result in a quantitative relative score (a semi-quantitative approach). The second method focuses only on consequence, identifying scenarios where risk reduction will be required in any case so that a complete assessment is unnecessary; for example, the outcome of unacceptably high risk is known before the assessment. A third method involves using computer models to analyze the scenarios, thus avoiding complex computation by hand. The fourth method is relying on personnel experience. Alderman and Gosse (2001) opine, "the experience level of the analyst is very important. Experience is important to recognize that the numbers calculated may be wrong."

Brandsaeter (2000) asserts that in the UK "risk assessment provides a part of the basis for selection between alternative solutions, and is the main tool for identifying possible needs for risk reducing measures. Risk assessments are also used to increase the efficiency of inspection and maintenance."

In terms of qualitative risk analysis, NORSOK Z-013 presents the following steps:
a) Planning of the analysis
b) System/Job description and limitation
c) Identification of hazards
d) Analysis of causes and potential consequences
e) Risk evaluation
f) Identification of possible risk reducing measures

For a qualitative assessment, NORSOK Z-013 observes that a risk matrix is:

not particularly suitable for decision-making because the risk is expressed on a coarse scale and often subjectively expressed.
Thus several risk reducing actions may be taken without having any effect on the risk matrix. [It provides] a low level of precision. The risk matrix is relatively insensitive to uncertainty as the separation into categories is relatively coarse and the possibility of ending up in the wrong cell is relatively low.

In terms of quantitative risk analysis, NORSOK Z-013 presents the following elements:
Inner level: Risk estimation
Second level: Risk analysis
Third level: Risk assessment
Outer level: HES management
The guidelines in the NORSOK Z-013 standard do not provide any indication as to the level of risk that may be considered acceptable for Norwegian offshore operations. NORSOK Z-013 does include a list of recognized databases and computer software that can be used to evaluate hazards such as process leaks, blowouts, collisions, human tolerability limits, and others.

FLOWCHART

The NORSOK Z-013 standard on risk and emergency preparedness analysis presents the risk assessment process as shown in Figure 29.1.

Figure 29.1 - Risk Estimation, Analysis and Evaluation (NORSOK Z-013)

NORSOK Z-013 primarily focuses on quantitative risk analysis. The HES management element is beyond the scope of Z-013. Note that in this presentation the term "risk analysis" represents a subset of the overall "risk assessment" process. This presentation conflicts with that in the food and other industries, where 'risk assessment' refers to a subset of 'risk analysis.' This does not imply one or the other is incorrect, only different.

STATUS

Brandsaeter (2000) asserts that in the UK:

QRA is one of the most important techniques used to identify major accident hazards and to show that the risks have been made ALARP, and is explicitly required under the regulations. Several other countries have followed the new UK approach, greatly increasing the requirement for offshore QRA world-wide.
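Returning to the NORSOK Z-013 observation quoted above on the coarseness of a qualitative risk matrix, the two effects it names (risk reduction that leaves the matrix unchanged, and low precision) can be made concrete by placing a matrix beside the quantitative estimate it stands in for. This is an added example written for this chapter, not code from NORSOK Z-013 or any other standard. The one-decade category edges, the diagonal rating bands and the leak scenario (a constructed 8e-3 events per year with 5 fatalities per event) are all assumptions made for the illustration. It goes one step beyond the quoted text by also measuring how close an estimate sits to a category boundary, which is the check to run before trusting that the matrix is insensitive to the uncertainty in a particular input.

```python
"""A coarse risk matrix beside the quantitative estimate it summarises.

Added illustration for this chapter; not code from NORSOK Z-013 or any other
standard. Category boundaries, rating bands and scenario numbers are
constructed for the example; real matrices define their own.
"""
import math
from typing import List, Tuple

# Frequency categories (events per year). A value is in category k when it is
# at or above edge k-1 and below edge k; one decade per category. Constructed.
FREQ_EDGES = (1e-5, 1e-4, 1e-3, 1e-2, 1e-1)
# Consequence categories (e.g. fatalities per event), same construction.
CONS_EDGES = (0.01, 0.1, 1.0, 10.0)

Cell = Tuple[int, int]


def categorise(value: float, edges: Tuple[float, ...]) -> int:
    """1-based category: one more than the number of edges the value reaches."""
    return 1 + sum(1 for edge in edges if value >= edge)


def matrix_cell(frequency: float, consequence: float) -> Cell:
    return categorise(frequency, FREQ_EDGES), categorise(consequence, CONS_EDGES)


def rating(cell: Cell) -> str:
    """Diagonal rating bands, as many published matrices use (constructed cut-offs)."""
    score = cell[0] + cell[1]
    if score >= 8:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def quantitative_risk(frequency: float, consequence: float) -> float:
    """Expected loss per year: the number the matrix cell stands in for."""
    return frequency * consequence


def category_bounds(k: int, edges: Tuple[float, ...]) -> Tuple[float, float]:
    """[lower, upper) range of values that fall into category k."""
    lower = 0.0 if k == 1 else edges[k - 2]
    upper = math.inf if k > len(edges) else edges[k - 1]
    return lower, upper


def cell_risk_span(cell: Cell) -> Tuple[float, float]:
    """Range of quantitative risk that collapses into one cell. Two scenarios in
    the same cell can differ by the ratio of these bounds: the 'low level of
    precision' the standard warns about."""
    f_lo, f_hi = category_bounds(cell[0], FREQ_EDGES)
    c_lo, c_hi = category_bounds(cell[1], CONS_EDGES)
    return f_lo * c_lo, f_hi * c_hi


def decades_to_nearest_edge(value: float, edges: Tuple[float, ...]) -> float:
    """Distance (in log10 decades) from an estimate to the nearest category
    boundary. 0.1 decades means a 26% error in the input moves it to another cell."""
    return min(abs(math.log10(value) - math.log10(edge)) for edge in edges)


def apply_frequency_reductions(frequency: float, consequence: float,
                               factors: List[float]) -> List[Tuple[float, Cell, str, float]]:
    """Walk a scenario through successive mitigations that each divide the
    frequency by a factor. Returns (frequency, cell, rating, quantitative risk)
    before any mitigation and after each one."""
    cell = matrix_cell(frequency, consequence)
    trail = [(frequency, cell, rating(cell), quantitative_risk(frequency, consequence))]
    for factor in factors:
        frequency = frequency / factor
        cell = matrix_cell(frequency, consequence)
        trail.append((frequency, cell, rating(cell), quantitative_risk(frequency, consequence)))
    return trail


if __name__ == "__main__":
    # Constructed scenario: a process leak at 8e-3 per year with 5 fatalities if it occurs.
    for freq, cell, rate, risk in apply_frequency_reductions(8e-3, 5.0, [4.0, 2.5]):
        print(f"freq {freq:.1e}/yr  cell {cell}  rating {rate:6s}  risk {risk:.3f} fatalities/yr")
    print("risk span hidden inside cell (4, 4):", cell_risk_span((4, 4)))
    print("decades to nearest frequency edge at 8e-3:",
          round(decades_to_nearest_edge(8e-3, FREQ_EDGES), 3))
```

The first mitigation cuts the quantitative risk fourfold yet leaves the scenario in cell (4, 4) rated high; only the second, smaller reduction crosses a boundary and drops the rating to medium. The same cell spans quantitative risks from 1e-3 to 1e-1 fatalities per year, two orders of magnitude, and the unmitigated estimate sits under 0.1 decades from a frequency edge, so a 26 percent error in that frequency would already have put it in a different cell.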
Alderman and Gosse (2001) note that:

Such risk assessments in the North Sea have historically been very complex and costly, with limited benefit other than meeting a regulatory requirement. Companies are now recognizing that performing a risk assessment on new and existing offshore facilities is a good business practice. (emphasis in original)

Additional details can be found in Vinnem (1999), Brandsaeter (2000), Alderman and Gosse (2001), and NORSOK Z-013. Information on the risk assessment methods used by the Oracle Corporation can be found in Chapter 13, Company Specific Approaches.

OFFSHORE HEALTH RISK ASSESSMENTS

BACKGROUND

Gardner (2002) reviews the nature of health risks in the offshore oil and gas industry, focusing on the occupational hygiene perspective of the Health and Safety Executive in the UK. He observes that:

Indeed the experience of HSE and others suggests that assessment and control of chemical and physical risks has lagged behind other safety and health aspects of offshore work. However, this has to be seen in the context of the challenge of working in a remote and hostile environment where attention to safety and the need for emergency response to acute, rather than chronic, medical events are vital.

Singh (2002) discusses Occupational Hygiene Assessments conducted at offshore platforms in the South China Sea. Singh notes, "detailed and systematic occupational hygiene assessments, however, have not been conducted at many rigs." Indeed, NORSOK Z-013 states that "occupational health risk assessments are not normally part of a risk analysis scope, but may be included as part of the analysis of occupational accidents." Hughes, Kellie, and Hawkes (2002) examine the logistical challenges of providing regular health and safety training to the offshore oil and gas industry. The authors discuss the future potential of computer-based multimedia systems for training offshore workers, including risk assessments related to work with hazardous substances.
Tiltnes (2002) states:

The Norwegian continental shelf regulations require a systematic management of health, environment and safety (HES) during the lifetime of an installation, including the engineering project. Further, the regulations lay down the principles for risk reduction, applicable also in the field of occupational health and safety.

DESCRIPTION

Saetersdal, Grove, Kobbeltvedt, and Skeggs (2002) observe that:

Monitoring health of employees in order to detect possible long-term effects of adverse working environment conditions has been a task for several years and is also a demand regarding the regulations related to a systematic follow-up of the working environment in the petroleum industry. The theoretic approach we chose has been similar to the safety risk analysis models, but the terms likelihood and consequence are replaced with probable/documented exposure and potential health risk effect. We also introduce the term "health-risk score" which is the product of the two above mentioned. This health risk score will trigger off different actions: the possible need for follow-up exposure measures in the working environment, an evaluation of the use of personal protective equipment, the need for further education/training among the employers/employees and, of course, what kind of specific measures are to be chosen and included in the health monitoring programme and at what interval.

Saetersdal, Grove, Kobbeltvedt, and Skeggs (2002) also discuss a software program which assists in conducting the health risk assessments.

STATUS

Health risk assessments are relatively new additions to the offshore industry. Additional information can be found at www.nvf.no/bergen2002/papers.

SAMPLE STUDY

DESCRIPTION

A sample risk assessment conducted in the offshore industry was prepared by Team Energy Resources Limited for the UK Health and Safety Executive in 2002. Research Report 013, Hazard Assessment of Well Operations from Vessels, assesses the hazards specific to well operations from vessels other than mobile drilling units:

The hazard assessment of well operations from vessels is an HSE funded study to identify the risks associated with well operations from mono-hull vessels. The study identifies the risks associated with general well intervention and for various complexities of well intervention operations.

Conclusions of the study included:

The biggest risks centre on inexperienced and untrained crews working under extreme commercial pressures, using equipment with which they are unfamiliar. The prime objective for management is to ensure that adequate time and resources are allowed for quality personnel to gain experience and become familiar with the equipment, and to ensure that a continuous training and competence programme is employed. Since dynamic positioning vessels offer a cost effective solution for well intervention there will be a large incentive for vessel owners with limited experience of well intervention to attempt such workscopes. Unless these companies employ competent well specialists in their intervention teams the risks of failure will be high. There must be no confusion as to what is acceptable and there must be no allowances for deviation from the predefined operating criteria. Diving is a high risk activity, though when properly managed it has an excellent safety record. Supervision and management must assure a comprehensive understanding of the risks in all aspects of the operations and include clear definitions of roles and responsibilities between disciplines. Well operators and contractors must state their isolation standards for hydrocarbon containment and pressure systems and ensure that these are met in all failure scenarios. Any deviation from these standards must be fully justified through a risk assessment and recorded.

STATUS

This study demonstrates one application of how risk assessment is used in the offshore industry.
Additional information on the study is available at www.hsebooks.co.uk or www.hse.gov.uk.

REFERENCES

Alderman, J.A. & Gosse, A. (2001). Offshore risk assessment - simple or complex? Presentation made at the Mary Kay O'Connor Process Safety Center Symposium, October 2001.
Brandsaeter, A. (2000). Risk assessment in the offshore industry. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.
Gardner, R. (2002). Overview and characteristics of occupational exposures and health risks on offshore oil and gas installations. Offshore Division, Hazardous Industries Directorate, Health and Safety Executive, Merton House, Stanley Road, Bootle, Merseyside, UK, L20 3DL.
HSE. (2002). Hazard assessment of well operations from vessels. Prepared by Team Energy Resources Limited for the Health and Safety Executive, Research Report 013. Health and Safety Executive. www.hse.gov.uk.
Hughes, J., Kellie, I., & Hawkes, D. (2002). An alternative approach to health and safety training for offshore personnel.
Jordan, D. & Poblete, B.R. (1991). Design option safety assessment (DOSA): Method for the assessment and selection of least hazardous design option. First International Conference on Health, Safety and the Environment. Society of Petroleum Engineers. The Hague, Netherlands. www.spe.org.
Lord Cullen. (1990). The public inquiry into the Piper Alpha disaster. UK Department of Energy, 1990.
NORSOK Standard Z-013. Risk and emergency preparedness analysis. Rev. 1, March 1998, and Rev. 2, 2001-09-01. Norwegian Technology Centre (NTS). www.norsok.no.
NPD. (1980). Norwegian Petroleum Directorate. www.npd.no.
NPD. (1990). Norwegian Petroleum Directorate. www.npd.no.
Rasmussen, N.C. (1975). Reactor Safety Study - WASH-1400. www.state.nv.us/nucwaste/news/rpccna/pcrcnal2.htm.
Saetersdal, L., Grove, K., Kobbeltvedt, S., & Skeggs, J. (2002). Health risk assessment and health monitoring - A presentation of a theoretical and practical model combining the two and the implementation within three mobile drilling installations offshore. Paper presented at the 5th International Scientific Conference, June 10-14, 2002. http://www.nvf.no/bergen2002.
Singh, J. (2002). Occupational hygiene concerns in the upstream petroleum industry. ModuSpec Risk Management Services. www.moduspec.com.
Tiltnes, A. (2002). Designing for a safe working environment - Engineering practices and tools in Norwegian petroleum industry. Presentation at Bergen 2002. http://www.nvf.no/bergen2002/program/tuesday.htm.
Vinnem, J.E. (1999). Offshore risk assessment: Principles, modelling and applications of QRA studies. Kluwer Academic Publishers.

PACKAGING MACHINERY INDUSTRY

ANSI/PMMI B155.1
Other PMMI Risk Materials

ANSI/PMMI B155.1

BACKGROUND

Chartered in 1933, the Packaging Machinery Manufacturers Institute (PMMI) is a non-profit trade association whose members manufacture packaging and packaging-related converting machinery in the United States and Canada. PMMI's mission states that it is committed to improving, leading and unifying all segments of the packaging industry worldwide. PMMI provides programs and services to meet the needs of both its members and their customers. The Institute is headquartered in Arlington, VA and has offices in Mexico City, Mexico and Shanghai, China. PMMI promulgates voluntary safety guidelines for these industries, including the standard ANSI/PMMI B155.1-2000, Safety Requirements for Construction, Care, and Use for Packaging Machinery and Packaging-Related Converting Machinery. The most recent version of this standard was published in 2000.
The Foreword of the standard includes:

This version of the standard has been harmonized with European (EN) and international (ISO) standards by the introduction of hazard identification and risk assessment as the principal method for analyzing hazards to personnel and achieving a level of acceptable risk.

Another PMMI document, Risk Assessment Basics - An Overview for Packaging Machinery (2000), provides additional details on the risk assessment process. According to the document, "since 1995, risk assessment has become an important safety concept within the packaging machinery industry."

DESCRIPTION

The ANSI/PMMI B155.1 standard includes a clause on "Hazard Identification and Risk Assessment." This clause is referenced for selecting the proper safeguard, implying that a risk assessment should be used to select safeguarding. The clause reads in part: "to the extent that hazard analyses and risk assessments of machinery are to be made by the manufacturer, the manufacturer should document the findings and any countermeasures."

ANSI/PMMI B155.1 does not include a specific risk assessment process, flow chart or risk scoring system. PMMI provides additional details on risk assessment in separate documentation (see below). PMMI encourages users to adopt existing risk assessment methods including MIL-STD-882D, ANSI B11 TR3 or other methods.

As a performance standard, ANSI/PMMI B155.1 does not explicitly define what safeguards or protective measures should be provided with packaging machinery. Instead it refers the reader to the risk assessment clause to determine when and what kind of risk reduction method(s) are appropriate and necessary.

STATUS

ANSI/PMMI B155.1-2000 is an approved and active standard. More information can be obtained from www.pmmi.org.

OTHER PMMI RISK MATERIALS

BACKGROUND

In addition to ANSI/PMMI B155.1-2000, PMMI also publishes several tools and documents to assist packaging machine manufacturers in developing safe equipment. Packsafe® is a software program that guides users through the risk assessment process. PMMI also offers a Safety & Standards Toolkit. The Toolkit contains the following:

• ANSI/PMMI B155.1-2000 for Packaging Machinery and Packaging-Related Converting Machinery - Safety Requirements for Construction, Care and Use
• Risk Assessment Basics - An Overview for Packaging Machinery
• PMMI's Product Liability Prevention Manual
• PMMI's Guide to the Key European Directives

The Risk Assessment Basics presents the methodology for risk assessment in the packaging machinery industry.

DESCRIPTION

Risk Assessment Basics - An Overview for Packaging Machinery was published in 2000. Excerpts from the Purpose include:

Risk assessment is a critical factor in successfully reducing risks to an acceptable level. Hazard identification and risk assessment enables engineers to identify possible hazards and to choose alternative designs or solutions to eliminate, mitigate or control the risks. A hazard analysis and risk assessment offers a designer the opportunity to identify hazards associated with the intended uses and reasonably foreseeable misuses of a machine, and to take steps to eliminate or control them before an injury occurs. Risk assessment is a structured, engineering based analysis that is best performed using a team approach.

The guide is intended to provide a general understanding of the principles of risk assessment and how these can be applied to packaging machinery. The document includes a general description of safety, risk management, risk assessment, system safety and definitions of key terms (applicable terms are included in Appendix A of this book). The guide discusses approaches to countermeasures that can reduce risk. These include:

• Effectiveness
• Feasibility
• Cost
• Introducing new hazards
• Impairing the machine/system performance

The guide sagely notes "any countermeasure that makes the job of the operator more difficult will be bypassed or not used."

The guide also discusses documentation in some detail, including when and what to document. Considerable resistance to documentation exists, primarily linked to product liability litigation concerns. The guide concludes that hazard identification and risk assessment affords a manufacturer the ability to achieve the requirements of clause 4 of ANSI/PMMI B155.1-2000.

FLOWCHART

The guide includes a general flow chart of the risk assessment process as shown in Figure 30.1.

RISK SCORING SYSTEM

The risk scoring system used in the guide is the MIL-STD-882 matrix and includes four levels of severity and five levels of probability. Refer to Chapter 27, Military, for additional information.

STATUS

The risk assessment software program Packsafe® and the Safety & Standards Toolkit are current. A free demonstration version of the software and additional information can be obtained from www.pmmi.org.

REFERENCES

ANSI B11 Technical Report #3 (2000). Risk Assessment - A guideline to estimate, evaluate and reduce risks associated with machine tools. The Association for Manufacturing Technology, www.amtonline.org.
ANSI/PMMI B155.1-2000. For packaging machinery and packaging-related converting machinery - safety requirements for construction, care and use. Packaging Machinery Manufacturers Institute, www.pmmi.org.
MIL-STD-882D (2000). Standard practice for system safety. Department of Defense, U.S.A. www.defenselink.mil.
Packsafe® Risk Assessment Software. Copyright (2001-2003). Packaging Machinery Manufacturers Institute, www.pmmi.org.
PMMI. (2000). PMMI's guide to the key European Directives, third edition. Packaging Machinery Manufacturers Institute, www.pmmi.org.
PMMI. (2000). Risk assessment basics - An overview for packaging machinery, first edition. Packaging Machinery Manufacturers Institute, www.pmmi.org.
PMMI. (2001). Safety & standards toolkit. Packaging Machinery Manufacturers Institute, www.pmmi.org.
PMMI. (2002). PMMI's product liability prevention manual, third edition. Packaging Machinery Manufacturers Institute, www.pmmi.org.

PROCESS CONTROLS INDUSTRIES

ANSI/ISA S84
IEC 61508 / IEC 61511
ISO 13841 / EN 954

ANSI/ISA S84

BACKGROUND

As the title indicates, ANSI/ISA S84-1996 Application of Safety Instrumented Systems for the Process Industries applies to the process industries. ANSI/ISA S84-1996 defines the process industry sector as "those processes involved in, but not limited to, the production, generation, manufacture and/or treatment of oil, gas, wood, metals, food, plastics, petrochemicals, chemicals, steam, electric power, pharmaceuticals, and waste material(s)." Technologies that this standard includes are:

• Electromechanical relays
• Solid state logic
• Programmable electronic systems
• Motor-driven timers
• Solid state relays and timers
• Hard-wired logic
• Combinations of the above

The standard does not address the hazard identification effort. That effort is referred to as the Process Hazard Analysis. The objective of the standard is to define the requirements for Safety Instrumented Systems (SIS). The document is intended for those involved with SIS in the areas of:

• Design and manufacture of SIS products, selection and application
• Installation, commissioning and pre-start up acceptance test
• Operation, maintenance, documentation and testing

The SIS includes all elements from the sensor to the final element, including inputs, outputs, power supply, and logic solvers. The SIS user interface may also be in the SIS.

In discussing the process industries, Turney (2000) notes that:

From the early 1960's the increasing scale of operations and the introduction of new technology made it clear that a more analytical approach was required [as opposed to only accident investigations]

The way in which risks are assessed still shows a very wide range of approaches within the industry. A number of different approaches to risk assessment have been developed including deterministic, semi-quantitative and quantitative risk techniques.
The approach to risk estimation and comparison is strongly influenced by the national legal framework and the approach of the regulators.

DESCRIPTION

In the process control industries, the concept of Safety Integrity Level (SIL) appears. According to the definition in ANSI/ISA S84, a SIL is "one of three possible discrete integrity levels (SIL 1, SIL 2, SIL 3) of a safety instrumented system. SILs are defined in terms of probability of failure on demand (PFD)." Safety Integrity Levels are used within the framework of safety life cycle steps. SILs are based on the quantitative probability that the device will work, or more specifically the probability of failure on demand (PFD). The Safety Integrity Levels are order-of-magnitude differences in the PFD: the higher the SIL, the less likely the device will fail on demand, or the more likely the device will be available when demanded. Table 31.1 shows the SIL levels, which appear in ANSI/ISA S84.

Table 31.1 - Safety Integrity Level (SIL), ANSI/ISA S84

Safety Integrity Level    Probability of Failure on Demand, Average Range
SIL 1                     10^-1 to 10^-2
SIL 2                     10^-2 to 10^-3
SIL 3                     10^-3 to 10^-4

There are several safety life cycle steps. Activities that would be included in the safety life cycle are:

• Performing process hazard analysis and risk assessment
• Defining non-SIS protection layers
• Defining the need for an SIS
• Determining the required SIL

According to ANSI/ISA S84:

The first step in the safety life cycle addresses conceptual process design. The second step is concerned with identifying the hazards and hazardous events for a process and assessing the level of risk involved. This standard does not address the methods for performing this analysis and evaluation but assumes it has taken place prior to applying the principles in the document. The method(s) for accomplishing this step is outside the scope of this standard. (emphasis added)

The approach described in ANSI/ISA S84-1996 relies on risk assessment being completed. This standard applies to control systems. The standard relies on non-SIS means for risk reduction being applied before a control system is used. If a control system is needed, the standard details the process to use in designing and applying a SIS. The SIL serves as an index to identify the type(s) of process controls considered acceptable for different applications.

FLOWCHART

The Safety Life Cycle in the process industries is shown in Figure 31.1.

Figure 31.1 - Safety Life Cycle (ANSI/ISA S84.01). From ANSI/ISA-S84.01-1996, Application of Safety Instrumented Systems for the Process Industries. Copyright ISA 1996. Used with permission. Contact www.isa.org. Legibility limited due to original.

As shown in this figure, the risk assessment effort occurs prior to applying the SIL concepts. SIL primarily involves risk reduction efforts and ensuring that the SIS performs to the appropriate level.

STATUS

ANSI/ISA S84 is an active and approved standard. ANSI/ISA S84 was developed with the express intent that it will eventually become part of a group of IEC standards. That process is underway. The document can be obtained from www.isa.org.

IEC 61508 / IEC 61511

BACKGROUND

The International Electrotechnical Commission (IEC) 61508 Functional Safety of electrical/electronic/programmable electronic safety-related systems is a generic standard that can be applied to any industry that uses programmable systems for safety functions. A similar standard is being developed specific to the process controls industry, IEC 61511 Functional Safety: Safety Instrumented Systems for the Process Industry. IEC 61511 is considered primarily a standard for users. IEC 61511 is based on ANSI/ISA S84-1996.
There are three primary parts to IEC 61511:

IEC 61511-1: Framework, definitions, system, hardware and software requirements
IEC 61511-2: Guidelines in the application of IEC 61511-1 - Informative
IEC 61511-3: Guidance for the determination of safety integrity levels - Informative

Bhimavarapu and Stavrianidis (1999) describe the IEC process industry standards as follows:

The standards IEC 61508, IEC 61511 and ANSI/ISA S84.01 mandate the use of performance-based techniques to support the use of safety instrumented systems (SISs). IEC 61508, a performance-based standard, has been developed as an umbrella standard that can be applied to any industrial process that uses electrical, electronic and programmable electronic products and systems for safety. It employs a life-cycle model covering the safety system from design to decommissioning, relies on performance-based parameters of process risk and system reliability and can therefore be objectively and systematically applied by industry, manufacturers of systems, industry regulators and approval agencies. The standard provides guidance on the safety integrity level of SISs in terms of the actual reduction of process risk.

Bhimavarapu and Stavrianidis (1999) continue:

The standard is comprised of seven parts. The significant parts are the first three. They present the industrial process risk assessment requirements; provide guidance on the life-cycle activities; define a classification scheme for the safety related system referred to as Safety Integrity Levels and provide guidance for the design, testing, reliability certification and integration of the hardware and software of the SIS system.

The IEC 61511 international standard addresses the application of safety instrumented systems for the process industries. It requires a process hazard and risk assessment to be performed. The standard remains a work in progress, but descriptions of the work note that:

Any safety strategy should consider each individual safety instrumented system in the context of the other protective systems. To facilitate this approach, IEC 61511:
• requires that a hazard and risk assessment is carried out to identify the overall safety requirements;
• requires that an allocation of the safety requirements to the safety instrumented system(s) is carried out;
• works within a framework which is applicable to all instrumented methods of achieving functional safety;
• details the use of certain activities, such as safety management, which may be applicable to all methods of achieving functional safety.

The third part of IEC 61511 pertains to risk assessment. IEC 61511-3 provides guidance in determining the required safety integrity level in hazards and risk assessment. The information provides an overview of the many global methods used to implement risk assessment. However, the information provided in the standard is illustrative but not sufficiently detailed to implement any of these approaches. In particular, IEC 61511-3:
• illustrates typical hazard and risk assessment methods that may be carried out to define the safety functional requirements and safety integrity levels of each safety instrumented function;
• illustrates techniques/measures available for determining the required safety integrity levels;
• provides a framework for establishing safety integrity levels but does not specify the safety integrity levels required for specific applications; and
• does not give examples of determining the requirements for other methods of risk reduction.

IEC 61511-3 uses four SIL levels rather than the three used in ANSI/ISA S84.

DESCRIPTION

According to Bhimavarapu and Stavrianidis (1999), the basic steps to comply with these standards are as follows:
1. Establish the target risk or safety level(s) for the process under consideration.
2. Perform a hazard analysis of the process.
3. Identify the hazardous events that can affect the target risk levels.
4. Estimate the risk associated with hazardous events.
5. Identify the hazardous events that do not meet the target risk levels.
6. Evaluate the possible risk reduction through non-SIS safety systems.
7. If non-SIS safety systems are not viable or adequate to meet the target risk levels, consider use of SIS(s); define the safety function to be implemented in the SIS(s), and the integrity required for the safety function.
8. Design, implement, and validate the safety instrumented system(s).

RISK SCORING SYSTEMS

IEC 61511-3 recognizes that there are a number of methods available to establish the required safety integrity level for a specific application. The document includes several methods in Annexes. The Annexes in IEC 61511-3 address the following:
Annex A provides an overview of the concepts of tolerable risk and ALARP;
Annex B provides an overview of a semi-quantitative method used to determine the required SIL;
Annex C provides an overview of a safety matrix method to determine the required SIL;
Annex D provides an overview of a method using a semi-qualitative risk graph approach to determine the required SIL;
Annex E provides an overview of a method using a layer of protection analysis approach to select the required SIL.

One of the example methods in a draft version of IEC 61511-3 includes a risk scoring system very similar to MIL-STD-882 and to IEC 61508. ERA Technology (2000) presents the IEC 61508 as follows:

The concept of risk is defined in IEC 61508 Part 4 as the 'probable rate of occurrence of a hazard causing harm and the degree of severity of harm'. Two points of note arise:
1. risk is a property of a hazard and accident relationship
2. risk is determined via a combination of the frequency of an accident and its severity

The consequence risk factor has four levels in the IEC 61508 risk scoring system. The frequency risk factor has six levels. The consequence and frequency risk factors are combined to yield a risk level as shown in Table 31.2. The risk levels are described in Table 31.3.

Table 31.2 - Risk Scoring System (IEC 61508)

Frequency      Consequences
               Catastrophic   Critical   Marginal   Negligible
Frequent       I              I          I          II
Probable       I              I          II         III
Occasional     I              II         III        III
Remote         II             III        III        IV
Improbable     III            III        IV         IV
Incredible     IV             IV         IV         IV

Table 31.3 - Risk Levels and Descriptions (IEC 61508)

Risk Level   Description
I            Intolerable risk
II           Undesirable risk, and tolerable only if risk reduction is impractical or if the costs are grossly disproportionate to the improvement gained
III          Tolerable risk if the cost of the risk reduction would exceed the improvement gained
IV           Negligible (acceptable) risk

The example risk scoring system is presented as an example rather than a definitive approach to risk assessment in the process industry. Modifications to the risk scoring system may occur for different applications or uses.

STATUS

IEC 61508 is an active and approved standard. The IEC is currently working to convert the ANSI/ISA S84.01 standard to IEC 61511. IEC 61511 remains a draft standard at press time but should soon be complete. Additional information can be obtained through ISA at www.isa.org or http://www.iec.ch/zone/fsafety/61511.htm.

ISO 13841 / EN 954

BACKGROUND

EN 954-1 (1996) Safety of machinery. Safety related parts of control systems. Part 1: general principles for design is intended for equipment designers to help them develop appropriate control system designs. The document has also been published as ISO 13841-1:1999. When properly deployed, EN 954-1 guides a designer down the path of risk assessment (in conjunction with ISO 14121/EN 1050) to the appropriate risk reduction methods.
According to Chairman Makin (2001):

When the European Committee for Standardization (CEN) started to produce standards for machinery safety, it was decided early on in the programme that there should be a standard for the design of safety-related parts of control systems. This standard (EN 954-1996) was subsequently introduced to the international arena by ISO/TC 199, Safety of machinery as ISO 13841-1-1999, Safety related parts of control systems.

Makin (2001) states that "when ISO 13841-1:1999 was published, it represented the state of the art for control systems. This was a breakthrough in safety technology, and was widely welcomed by machine designers." Although ISO 13841-1 is the international citation, the standard is still commonly referred to as EN 954-1.

DESCRIPTION

ISO 13841-1/EN 954-1 is general in nature to enable its principles to be applied to various technologies. It is essentially qualitative in its approach and does not give a great deal of specific assistance when dealing with programmable electronic systems. Instead it guides the user towards IEC 61508, which has a more relevant quantitative approach.

Examining the approaches in IEC 61508 and EN 954-1, Frost (1998) indicates that:

A full analysis of the issues associated with the application of these standards to safety-related control systems at machinery was completed [in 1998]. The work undertaken has shown that there are considerable difficulties in attempting to establish a linkage between their respective methodologies. The conclusions were:
• A linear mapping of the safety integrity levels of IEC 61508 to the categories of EN 954-1 could not be made since the category definitions in EN 954-1 have no quantifiable requirement regarding the rate of failure of safety functions;
• The qualitative approach of EN 954-1 is desirable for the machinery sector and could be usefully developed and linked to IEC 61508;
• The principles of IEC 61508 can be applied to electrical/electronic/programmable electronic systems (E/E/PE) control systems in machinery. However, whilst IEC 61508 could replace EN 954-1 for E/E/PE systems, an approach may need to be developed for low complexity systems;
• The non-hierarchical structure of EN 954-1 categories is often misinterpreted to become hierarchical selection criteria;
• Although categories are difficult to relate to risk, EN 954-1 provides useful guidance into design strategies for safety and the requirements for safety functions; and
• IEC 61508 covers all phases of an equipment's life from concept through to decommissioning and, in the machinery sector, very rarely would one party have charge across the entire lifecycle, and it is therefore considered necessary to delineate responsibilities between manufacturers and users.

By 2000 a research project, Assuring Programmable Electronic Systems (APES), was completed that focused on IEC 61508. The aim of the APES project was to identify and resolve some of the technical issues arising from the use of the international standard IEC 61508 and machine safety standards for developing safety critical programmable electronic systems. The study occurred in part due to frequent attempts made by end users to correlate the ISO 13841-1/EN 954-1 risk categories with IEC 61508 SIL or other risk level classifications. ERA Technology notes that:

Because of the different technical criteria used in IEC 61508 and EN 954-1, these two standards do not provide a sufficient technical basis for directly linking a measure of safety performance based on the requirements for categories in EN 954-1:1996 with a similar measure of performance based on the requirements for safety integrity levels in IEC 61508.

IEC 61511-3 explicitly states this important distinction: "there is no relationship between risk class and SIL." Makin (2001) and the Norwegian standard for the offshore industry NORSOK Z-013 also support this position.

RISK SCORING SYSTEM

The ISO 13841-1 / EN 954-1 approach to assessing risk uses three risk factors: severity of injury, frequency or exposure, and possibility of avoiding the hazard. Only two levels are used for each risk factor. The risk factors map to risk levels as shown in Figure 31.2.

Figure 31.2 - Risk Factors Map to Risk Levels (ISO 13241-1/EN 954-1). Legibility limited due to original.

STATUS

ISO/TC 199 has started a complete revision of ISO 13841-1:1999 / EN 954-1. Makin (2001) indicates that the revision:

Will make the relationship between risk reduction and the selection of 'categories' easier to understand, and introduce a reliability element into the 'category' requirements to establish a performance requirement for the safety function. The relationship between 'categories' and 'SILs' of IEC 61508 will be clearly established.

However, this revision will not occur quickly. Makin (2001) continues:

Although there is a high level of activity within the standards bodies, it has to be recognized that this is difficult and complex work which is being undertaken by a small group of experts who have many other demands on their time and expertise. Therefore, it is inevitable that the final fruits of their work will not be ready for several years.

Additional information can be found in Bhimavarapu and Stavrianidis (1999), Turney (2000), Makin (2001), and the standards referenced in this chapter. Information on the risk assessment methods used by Sick AG can be found in Chapter 13, Company Specific Approaches.

REFERENCES

ANSI/ISA S84-1996. Application of safety instrumented systems for the process industries. Instrumentation, Systems, and Automation Society, www.isa.org.
APES (2000). Assuring programmable electronic systems, Background to trials, IEC 61508 in industry sectors. http://www.era.co.uk/apes/trials.htm.
Bhimavarapu, K. & Stavrianidis, P. (1999). Performance-based standards for process industry - development, implementation and integration. ISA TECH 1999 Conference, www.isa.org.
EN 954-1. (1996). Safety of machinery. Safety related parts of control systems. Part 1: general principles for design. www.global.ihs.com.
ERA Technology. (2000). http://www.era.co.uk/apes/Apes.htm.
Frost, S. (1998). Power and control. Number 9, December 1998, The Newsletter of Technology Division's Electrical and Control Systems Unit. http://www.hse.gov.uk/dst/power/powrco9.htm.
IEC 61508. Functional Safety of electrical/electronic/programmable electronic safety-related systems. www.iec.ch.
IEC 61511. Functional safety: Safety instrumented systems for the process industry. www.iec.ch.
ISO 13841-1-1999. Safety related parts of control systems. International Organization for Standardization. www.iso.ch.
Makin, P. (2001). Safety of machinery, Designed for safe control. ISO Bulletin, April. http://www.iso.ch/iso/en/commcentre/pdf/Safetymachinery0104.pdf.
MIL-STD-882D (2000). Standard practice for system safety. Department of Defense, U.S.A. www.defenselink.mil.
Turney, R.D. (2000). Application of risk assessment in the process industries. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa Italy: European Commission.
PRODUCT LIABILITY

BACKGROUND

In the U.S., product liability concerns have a major influence on the design process for many manufacturers. For better or worse, the U.S. tends to lead the world in product liability law. Yet there is considerable product liability activity elsewhere in the world.

This very brief review of product liability as related to risk assessment has a limited scope. This review is not intended to be comprehensive or even very thorough. The purpose of this chapter is to present a general overview of product liability concerns related to risk assessment, examine a few similarities between the U.S. and other countries, and discuss the risk-utility test as compared to the risk assessment process. The author is an engineer and not an attorney. Please consult legal counsel for legal advice or opinions on specific applications.

One of the key factors that must be clarified when discussing risk assessment is whether the assessment is conducted for occupational safety or product safety. Occupational safety applications in the U.S. tend to be largely free of product liability concerns for the employer. This freedom results from the Workers' Compensation bar to recovery. In the U.S., workers yield their ability to sue an employer in exchange for guaranteed assistance with medical treatment. As a result, risk assessments conducted in the occupational setting usually need not be concerned with product liability issues.

However, risk assessments conducted in product safety applications do have product liability concerns. Products that are involved in accidents may be subject to a product liability lawsuit. A risk assessment conducted in the design or development of the product will likely be discoverable and subject to legal scrutiny. A risk assessment conducted for a product is likely to be critically examined by a plaintiff's attorney after an injury. Therefore, a product risk assessment faces greater scrutiny concerning what is and is not documented in the assessment.

Just as in the general engineering community, formal risk assessments are relatively new to the legal community. Ross and Main (2001) observe, "attorneys have commonly counseled manufacturers that documents are potential smoking guns that can mortally wound the defense, especially documents relating to safety and risk decisions. Yet legal counsel also necessarily advise manufacturers to remain current with the state-of-the-art." The simultaneous and contrary pull of risk assessment documentation creates conflicts for legal departments. The fear of an engineer or safety practitioner unknowingly creating a "smoking gun document" has led defense counsel to advise manufacturers against documenting analyses. Yet the danger of a manufacturer being viewed as having product development processes that are sub-standard to the current state of the art can also be threatening. Such fear can lead to resisting the risk assessment effort. Ross and Main (2001) state, "defense counsel may raise an objection that risk assessments have not been thoroughly tested, that there are problems with documentation requirements, and that, if not conducted correctly, the risk assessment could be very damaging. These criticisms are not unfair."

Ross and Main (2001) also note the following:

No matter which actions the manufacturer took, the plaintiff will argue that more could have been done and should have been done. Or, the plaintiff will argue that the manufacturer intentionally quantified the level of risk so low that it would not be required to "design out" the hazard.

In many ways a product manufacturer finds itself in a very difficult situation; there are risks in completing a risk assessment and risks in not doing so.

DESCRIPTION

U.S. LEGAL REQUIREMENTS

A very good overview of the U.S. product liability process is contained in An Overview of Product Liability for the Packaging Machinery Manufacturer by PMMI (1998). Although the document is written primarily for the packaging machinery industry, most of the information applies to other products. Additional information on product liability can be found in Ross (2002), Main (1999), and many other sources. Interested readers should consult these references for a more thorough discussion.

In United States v. Carroll Towing Co., 159 F.2d 169 (2d Cir. 1947), Judge Learned Hand set forth three criteria for determining whether a person's conduct was negligent:
1. the probability that injury would result from the actor's conduct;
2. the gravity of the harm that could be expected to result should injury occur; and
3. the burden of taking adequate precautions to avoid or minimize injury.

Ross and Main (2001) observe:

The Restatement (Third) of Torts: Products Liability, published in 1998, continued the tradition of the Learned Hand formula and made it clear that the predominant legal theory for holding a manufacturer liable for product liability is consideration of whether the manufacturer should have made a safer product. Did the level of risk outweigh the burden of taking more precautions?

There are obvious similarities to today's risk assessment process. The first and second criteria address the probability of occurrence of harm and the resulting severity of injury. These two elements are part of current risk assessment processes. The third element addresses the issue of "feasibility." Feasibility can take many forms. For example, the following guidance comes from the U.S. machine tool industry ANSI B11 TR3 (note these are not legal requirements):

In determining if the risk is tolerable at each step of the risk reduction process, it is necessary to evaluate the application of the protective measures against the following factors:
• risk-reduction benefit
• technological feasibility
• economic impact
• ergonomic impact
• productivity
• durability and maintainability
• usability

Feasibility, the third element of the negligence test, leads to a legal analysis termed the risk-utility test, discussed further as a risk scoring system.

UK LEGAL REQUIREMENTS

In the UK, a test similar to the risk-utility test has been developed. The Health and Safety at Work Act introduces a duty which case law has qualified by 'so far as is reasonably practicable' (SFAIRP). According to Appendix 3 of HSE R2P2 (2001):

Of particular importance in the interpretation of SFAIRP is Edwards v The National Coal Board (1949). This case established that a computation must be made in which the quantum of risk is placed on one scale and the sacrifice, whether in money, time or trouble, involved in the measures necessary to avert the risk is placed in the other; and that, if it be shown that there is a gross disproportion between them, the risk being insignificant in relation to the sacrifice, the person upon whom the duty is laid discharges the burden of proving that compliance was not reasonably practicable.

The document continues:

A suitable and sufficient assessment of cost and risk can often be done without the explicit valuation of the benefits, on the basis of common sense judgments while, in other situations, the benefits of reducing risk will need to be valued explicitly. The latter is far from easy yet a monetary value has to be attributed to matters such as the prevention of death, personal injury, pain, grief and suffering.
EUROPEAN LEGAL REQUIREMENTS

On 3 December 2001 the European Parliament and the Council of the European Union adopted the European Directive on General Product Safety, 2001/95/EC. The stated purpose of the Directive is "to ensure that products placed on the market are safe." The Directive addresses product safety in terms of risk. The Directive contains the following relevant passages, many of which reflect similar ideas also found in U.S. product liability laws.

'safe product' shall mean any product which, under normal or reasonably foreseeable conditions of use does not present any risk or only the minimum risks compatible with the product's use, considered to be acceptable and consistent with a high level of protection for the safety and health of persons. [Article 2]

The feasibility of obtaining higher levels of safety or the availability of other products presenting a lesser degree of risk shall not constitute grounds for considering a product to be 'dangerous.' [Article 2]

A product shall be presumed safe as far as the risks and risk categories covered by relevant national standards are concerned when it conforms to voluntary national standards transposing European standards. [Article 3]

Within the limits of their respective activities, producers shall provide consumers with the relevant information to enable them to assess the risks inherent in a product throughout the normal or reasonably foreseeable period of its use, where such risks are not immediately obvious without adequate warnings, and to take precautions against those risks. [Article 5]

In Article 10 of the Directive, the Commission is directed to develop an information network operation (RAPEX - Rapid Alert System) that is to facilitate, among other things:

The exchange of information on risk assessment, dangerous products, test methods and results, recent scientific developments as well as other aspects relevant for control activities [emphasis added].
The RAPEX system is essentially aimed at a rapid exchange of information in the event of a "serious risk." The information to be shared through this system is presented in terms of risk. The General Product Safety Directive is significant to the discussion of risk assessment because it
• requires that products be evaluated in terms of risk,
• requires that the risk evaluation be documented, and
• provides for the exchange of risk assessment documentation in the event of an incident.

The Directive does not explicitly require a formal "risk assessment" as the term is used in this book. However, it does require product safety to be evaluated in terms of risk. A formal risk assessment would meet the requirements, but other forms of safety analyses could also meet the requirement. Article 21 of the Directive states that Member States are to comply with the Directive by 15 January 2004. Consult Ross (2002) for further discussion on the significance of the Directive, especially on the implications of the increased producer duty to take post-sale remedial action.

PD Dr. iur. Hansjorg Seiler is an Extraordinary Judge at the Swiss Federal Supreme Court in Lausanne. Concerning risk assessments and Swiss law, Seiler (2000) notes that:

in Switzerland the traditional legal term in the field of technical activities is the term 'danger.' The law forbids to create a danger. A certain minimal risk is usually considered as being 'socially adequate,' for example, accepted by the society. In this sense the traditional legal term of danger is in principle similar to the notion of risk: it contains the elements of probability and of dimension of damage. But traditionally the legal practice does not use systematic risk assessments in order to decide whether a given situation is to be considered as a danger.

As noted above, the concept of balancing risks and benefits appears common to the U.S., UK, and European product liability systems. Implementing the balance has led to a risk-utility test.

RISK SCORING SYSTEM

THE RISK-UTILITY TEST

In design defect and other product liability cases, a risk-utility balancing test is the metric U.S. juries use to determine if products are reasonably safe. Juries conduct the risk-utility test based on instructions given to them by the judge. Under the risk-utility test, a product is reasonably safe if its utility outweighs the risks associated with the design of the product; for example, the residual risk is tolerable. The test itself requires an analysis to determine a) the risk, b) the utility, and c) whether these balance appropriately. In a product liability lawsuit, the jury conducts the analysis based on the testimony and facts in evidence for the particular case in litigation. The risk-utility test can be viewed as a form of a risk scoring system.

Although intuitively attractive, the risk-utility test presents some significant technical problems that warrant discussion. The limitations include the following.

• The risk-utility test is very difficult to implement in a practical manner, both by juries and by manufacturers with pro-active intentions. Jurors are usually novices in conducting a risk-utility test. They receive no prior training in conducting a risk-utility test. Few, if any, have ever conducted such an analysis prior to a trial, so they have no opportunity to learn or become familiar with the risk-utility test. Therefore, the risk-utility test becomes a "blank page" risk assessment based on very limited information. As with any other skilled analysis, one would expect novices to make mistakes and achieve little success without practice or training.

• There is no formal methodology, handbook, or objective benchmarks describing how to conduct a risk-utility test. There is no rating or ranking system against which a jury can evaluate a specific product. There is no common risk scoring system used to rate the elements of risk or utility. There is no measure the jury can use to compare the relative safety of the product in question to other products then existent (e.g., how does one compare a mechanical power press, a table saw, and a toaster?).

• Jury members are not familiar with the terms used in conducting the risk-utility test. Few jurors have a common understanding of the definitions of the terms "risk" and "utility." Fewer still understand how to apply these definitions to conduct the analysis. Juries are not alone in struggling with definitions. Technical committees of experts spend many hours wrestling with the definitions of risk and other terms. Often different committees or industries have different definitions of these terms. Appendix A presents ample evidence of this situation. If different jurors or juries define these terms differently, chances are the manner in which they apply the test and the test results will vary greatly.

• The risk-utility test can be very difficult to conduct in a repeatable fashion. Two juries applying the same test to the same case facts may well not come to the same conclusion. There is very little, if any, objective data available for risk or utility measurements in the context of a product liability lawsuit. Given the variations in inputs (people, instructions, understanding, etc.) one would not expect the results to be repeatable. Therefore, the test itself introduces variability to the outcome.

Given the existence of the risk-utility test, one might expect manufacturers or designers to apply a risk-utility test during the design process. However, a manufacturer also has difficulty assessing risk-utility. The limitations of the risk-utility test, particularly in the subjective definitions, lack of training and instruction, and application, make it a poor test. In engineering terms, this test is not reliable, repeatable, robust or very useful. These limitations can lead to errors and unfair results (to the benefit or detriment of either litigant).
However, the risk-utility test applied by the jury can and perhaps should be based, in part, on the manufacturer's risk assessment. Whether expressed in terms of risk-utility, practicality, or feasibility, many legal systems appear to recognize that a trade-off must be made between that which is possible and that which can be accomplished. The general concept that these constraints must be balanced appears well accepted, but the details of how to implement the trade-off remain a struggle.

RISK ASSESSMENT AS AN ALTERNATIVE

Risk assessment may be the closest engineering analysis related to the risk-utility test. Risk assessment provides manufacturers a practical means to get nearer to the risk-utility test by placing the analysis portion of the risk-utility test largely in the control of the manufacturer. Risk assessments offer the manufacturer the opportunity to identify hazards associated with its intended uses and anticipated misuses, assess the severity of injury and the probability of occurrence, and implement protective measures to reduce risks to an acceptable level. With appropriate training or new computerized risk assessment tools, manufacturers can conduct risk assessments during the design development. In turn, the risk assessment permits a jury to evaluate the manufacturer's risk assessment effort and its results rather than the jury attempting to conduct the analysis on its own. This approach allows the manufacturer to present a more complete picture of its product and conduct in developing the product. The jury has the opportunity to judge whether the manufacturer's conduct and assessment met the standards of society rather than attempting to conduct a "blank page" risk-utility test for which it is ill prepared.

Frank (2003) adds that:

The legal concept of negligence requires stakeholders to provide a safe facility as well as safe products for "reasonably foreseeable use and misuse" as well as normal use. A prudent stakeholder would act to demonstrate that he has a facility or product that is as safe as the state of the art will allow. One obvious action would be an a-priori attempt to foresee or predict accident scenarios. [Risk assessment] is used for this predictive purpose.

An additional benefit to a manufacturer from conducting a risk assessment prior to an incident occurring with its product is that it may avoid the threat of punitive damages. Ross and Main (2001) opine:

Performing a risk assessment may not prevent a plaintiff from convincing a jury that a safer product could and should have been produced. Despite that, the existence of a conscientiously performed assessment should allow defense counsel to argue that punitive damages are not warranted and should not even be allowed to go to a jury.

This position is supported by other organizations too. The American Society of Mechanical Engineers (2002) has advanced a similar sentiment by advocating that parties that make a good faith effort to conduct a risk assessment should not be liable for punitive damages (see Chapter 32 for additional detail). The Australian risk management standard AS/NZS 4360 (1999) contains similar ideas:

Management of risk involves making decisions that must stand up to scrutiny from the relevant regulatory and accountability authorities. Provided risks have been managed in accordance with the process set out in The Standard, protection occurs on two levels. Firstly, the adverse outcome may not be as severe as it might otherwise have been. Secondly, those accountable can, in their defence, demonstrate that they have exercised a proper level of diligence. Thorough adherence to the process will inevitably reveal deficiencies that must be documented, prioritised and addressed. Unfortunately such clarity also facilitates critical comment by external scrutinisers.
A sensible balance will need to be struck in order to allow responsible risk managers sufficient lead time to correct such deficiencies.

STATUS

Product liability law continues to evolve in the U.S. and elsewhere in the world. Documented risk assessments tend to be relatively new to the legal community, strongly resisted by some yet embraced by others. The requirements for documented risk assessments noted elsewhere in this text are helping the legal community accept and implement the risk assessment process, albeit begrudgingly in some circles. Ross and Main (2001) note the following:

The reality is that risk assessment standards, requirements, and guidelines exist. If they apply to a particular product, the manufacturer must decide whether to perform the assessment. If it is performed, it must be documented. If the assessment is conducted, very little leeway can be found in how to document it. Under any type of risk assessment, the manufacturer will need to list the hazard, the probability and severity of harm, and the methods by which the risk can be minimized. The best advice is to perform the appropriate assessment and be prepared to stand behind the process and conclusions. While a plaintiff and his or her expert may disagree with your analysis, you can argue that you employed state-of-the-art safety analyses to produce a reasonably safe product and you believe that you succeeded. At the very least, performing risk assessments will minimize the number of accidents. Then, if they do occur, a plaintiff will not be able to claim that you consciously disregarded safety, with the prospect of a punitive damages award.

Indeed, product liability is so influential that in some large U.S. companies the risk assessment documents are discarded once the design goes into production, as part of the corporate document retention policy. The only documentation retained pertains to the process completed, but not the hazards identified or the risk levels. Without the detailed risk assessment document there remains little liability for the data. Yet there is a down side to this approach too. Efforts to improve designs, integrate best practices, and encourage continuous improvement can be greatly hampered by discarding the risk assessment data.

Although still rare, the terms "hazard analysis" and "risk assessment" are beginning to appear in plaintiffs' complaints and allegations of negligent design (e.g., "failed to complete an adequate hazard analysis and risk assessment"). Manufacturers are beginning to face difficult questions about risk assessments conducted during the design process, and about explaining why a risk assessment was not conducted.

The current state of the art on risk assessment is mixed. Although there is much standards activity in risk assessment, as shown in this book, not very many companies are actually performing risk assessments today. On the other hand, there are some companies that are well down the path of integrating risk assessments into their way of doing business. Risk assessment is sufficiently new that companies not yet doing risk assessment cannot be characterized as being behind the state of the art or common practice. Companies that are performing risk assessments are leading the state of the art and common practice, and are finding that the risk assessments can bolster a liability defense provided it is well done (as with any other engineering analysis). A risk assessment can provide documented evidence of the manufacturer's intent to produce safe processes, products and facilities that meet the state of the art. Readers should consult with legal counsel and other sources when making decisions specific to their situation.

REFERENCES

American Law Institute. (1998). Restatement (Third) of Torts: Products Liability. www.ali.org.
ANSI B11 Technical Report #3. (2000). Risk Assessment - A guideline to estimate, evaluate and reduce risks associated with machine tools. The Association for Manufacturing Technology. www.amtonline.org.
AS/NZS 4360-1999. Risk Management. Standards Australia. www.standards.com.au.
ASME. (2002). Position statement, ID #02-15, Statement on role of risk analysis in decision making, April. American Society of Mechanical Engineers. www.asme.org.
Directive 2001/95/EC of the European Parliament and of the Council of 3 December 2001 on General Product Safety. http://www.dti.gov.uk/CACP/ca/consultation/2001 95 ec.pdf.
Edwards v The National Coal Board. (1949). 1 AER 743.
Frank, M. V. (2003). Concepts of risk assessment for minimizing product liability: An executive summary. Safety Factor Associates, Inc. http://home.pacbell.net/sfamc/semmar.htm.
HSE. (2001). Reducing risks, Protecting people: HSE's decision-making process. Health and Safety Executive. www.hse.gov.uk.
Main, B.W. (1999). Applying concepts to product liability prevention. In Christensen, W.C. & Manuele, F.A. (Eds.), Safety through design (pp. 139-151). Itasca, IL: NSC Press.
PMMI. (1998). An overview of product liability for the packaging machinery manufacturer, Second edition. Packaging Machine Manufacturers Institute. www.pmmi.org.
Ross, K. (2002). The increased duty to take post-sale remedial action. For The Defense, April. Defense Research Institute, Inc. www.dri.org.
Ross, K., & Main, B. (2001). Risk assessment and product liability. For The Defense, April. The Defense Research Institute, Inc. www.dri.org.
Seiler, H. (2000). Answers to the questions to be responded by the invited experts. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.
United States v. Carroll Towing Co. 159 F.2d 169. (2d Cir. 1947).

Introduction
Vanderbilt University
Professional Education
Educator Responsibilities
Deployment in Educational Facilities

INTRODUCTION

The way safety is addressed in education needs improvement.
Main and Ward (1992) presented data on what engineers know and do about safety in undergraduate engineering curricula. The results revealed major limitations in the education young engineers receive concerning safety. In 1996, Dembe observed:

Despite calls for the integration of safety into engineering curricula and the establishment of ABET requirements for safety-related instruction, few engineering colleges have instituted formal course offerings focusing on safety and health. Impediments include the lack of room for additional coursework in the standard curriculum, the perceived unavailability of qualified faculty and instructional materials, and a widespread conviction among faculty and administrators that safety is not critical to engineering education. Attempts to address this need by developing special instructional safety modules or enrolling students in full-semester safety courses have met with limited success.

More recently Bloswick, Elliott and Jones (2000) discuss an effort to develop and introduce safety modules into the existing undergraduate mechanical engineering curriculum. The effort includes developing modules on safety, health and ergonomic topics within the context of traditional mechanical engineering courses.

Activity continues to move risk assessment and safety into the educational process, both in educating students and in the educational organizations in which they learn. The following excerpts examine some examples.

VANDERBILT UNIVERSITY

BACKGROUND

Risk assessment is being introduced in several undergraduate engineering programs under grants sponsored by the Institute for Safety Through Design. As an example, King and Christensen (2002) discuss the results of methods used to teach safety in a two-semester biomedical engineering design class at Vanderbilt University. Risk assessment is included as one of the methods. The course falls under the ABET requirements for an engineering design class.
King and Christensen refer to the ABET requirements for design:

Students must be prepared for engineering practice through the curriculum culminating in a major design experience based upon the knowledge and skills acquired in earlier coursework and incorporating engineering standards and realistic constraints that include most of the following considerations:
• Economic
• Environmental
• Sustainability
• Manufacturability
• Ethical
• Health and safety
• Social and Political

King and Christensen (2002) note that:

Some of the methods employed include more traditional statistics, case studies and special topic lectures. An innovative approach that has proved successful has been to require that students complete a safety analysis using risk assessment software under a grant from the Institute for Safety Through Design.

More specifically, the course includes discussions of safety and exercises involving safety interspersed throughout the year. Examples provided by the authors include:

1. Medical error statistics - involves the number of deaths attributed to medical errors and comparisons to other accidental death causes. The magnitude of the numbers serves to impress on the class the need for safety and good protocols.
2. Medical case studies
3. Drug interactions and materials
4. Quality improvements
5. Selected topic lectures - human factors, problems resulting from bad designs, patent medicines, "quack medical devices" and others.
6. Risk assessment software

Concerning risk assessment, King and Christensen (2002) share the following:

A major emphasis on safety begins with the introduction of the class to a risk assessment software program named designsafe®. This program is introduced early in the first semester and is used by the students at least twice - once in a homework assignment and once to validate their own design projects. designsafe® is a computer program that guides a user in conducting a task-based risk assessment by virtue of the structure of the prompts and menus presented during use of the program. The designsafe® software was first used in this course in 1998 and it has continued to be a mandatory part of the course since.

According to King and Christensen (2002), the student term projects and papers must include a safety analysis. A sample from one student team assessment appears in Chapter 7. Concerning the impact of having students conduct a risk assessment, the authors note the following:

Although extensive in length, their confidence in the results and understanding of the potential hazards is necessarily high. These methods have been well received by students and have been effective in integrating safety into the design course.

STATUS

Additional information on the course can be found at http://vubme.vuse.vanderbilt.edu/King/contact info .htm. The risk assessment software grant program remains available to other universities. Information on the software grant program can be obtained at www.nsc.org or www.designsafe.com. Final reports can be viewed at http://vubme.vuse.vanderbilt.edu/King/bme272.htm.

PROFESSIONAL EDUCATION

Clemens and Simmons (1998) present a module with fifteen techniques from system safety practice. Much of the information is available at www.sverdrup.com/svt. The first and second lessons are on risk assessment. Clemens and Simmons (1998) provide a very good overview of the development and history of system safety techniques and how these techniques have been deployed into a number of standards.
From the lessons, the authors note that the advantage of probabilistic risk assessment is that it provides a methodology to assess overall system risk and avoids accepting unknown, intolerable and senseless risk. The disadvantages are that performing the techniques requires skilled analysts, and the techniques can be misapplied and results misinterpreted.

Since 1998 the National Safety Council has offered a professional development course on Safety Through Design. The course was developed by the Institute for Safety Through Design and includes risk assessment in the content. Various technical safety conferences have also offered professional education opportunities on risk assessment. The ASME, ASSE, PMMI, RIA, SEMI and several others continue to have increased discussions and technical presentations on risk assessment topics.

EDUCATOR RESPONSIBILITIES

BACKGROUND

In Queensland, Australia, the Workplace Health and Safety Act 1995 and subsequent regulations detail the minimum occupational health and safety standards to be achieved in educational facilities. Departmental policy in State schools is based on the regulations. The policy clearly defines accountability for health and safety:

The Director-General, as Chief Executive Officer for Education Queensland, has an obligation to ensure the workplace health and safety of all individuals in educational facilities be they employees, students, volunteers, visitors, contractors or others.

DESCRIPTION

Risk assessment is explicitly included in the responsibilities of the Director-General and those he or she delegates:

Workplace Health and Safety must be ensured by:
(a) identifying hazards;
(b) assessing the risks that may arise as a result of those hazards;
(c) deciding on control measures to prevent or minimise the level of those risks;
(d) implementing those control measures; and
(e) monitoring and reviewing the effectiveness of those measures.

[Those] persons who have control of or access to schools and workplaces, and who fail to ensure that these schools and workplaces are safe, commit an offence against the Workplace Health and Safety Act 1995.

The responsibilities for risk assessment trickle down to teachers and supervisors as noted in HS-07 (1999) Occupational Health and Safety:

Teachers and supervisors are responsible for:
(a) maintaining healthy and safe procedures and practices;
(b) in collaboration with district offices, employees, occupational health and safety representatives or occupational health and safety committees, assessing any hazards which exist in the school or workplace and eliminating or reducing the associated risks as required;
(c) assessing and reducing risks in subject-specific areas (e.g., art, manual arts, home economics, science disciplines);

HS-10 (1998) Workplace Health and Safety - Curriculum provides additional detail on risk assessment in the Queensland educational facilities. HS-10 includes a section on Risk Management that states the teacher and/or leader duties:

2.1 When evaluating the health and safety factors of any curriculum activity, teachers and/or leaders should apply the risk management process.

2.3 Teachers and/or leaders must consider workplace health and safety requirements that apply to a particular activity, in view of the potential risk of injury to themselves or students, and make an assessment of the risks involved.

2.6 Teachers and/or leaders must apply the following components of the risk management process:
(a) identifying the hazards (possible sources of injury or disease);
(b) assessing the risk (likelihood of the hazard resulting in injury or disease);
(c) controlling the risk (determining what action to take to remove or reduce the risk); and
(d) reviewing and evaluating control (to ensure continued effectiveness).
Risk assessment is an explicit component of HS-10:

Risk Assessment

2.10 Teachers and/or leaders must examine the activities related to the work processes and equipment to be used, to identify and assess potential hazards.

1.11 Teachers and/or leaders must consider the following factors in the risk-assessment process:
(a) the appropriateness of the activity to the students;
    (i) probability of occurrence;
    (ii) frequency of exposure; and/or
    (iii) severity of outcomes;
(b) the teacher's or leader's qualifications;
(c) the physical environment for the activity; and
(d) the ratio of students to teachers and/or leaders.

The hazard control hierarchy for hazard elimination or control is also explicitly used in HS-10.

RISK SCORING SYSTEM

HS-10 uses a risk scoring system with the following five risk factors:
(a) identifying the hazards associated with the materials used in the activity;
(b) examining the complexity of the activity;
(c) determining the severity of the consequences of any potential accident;
(d) evaluating the risks associated with the environment and/or in the operation of the machinery or equipment being used; and
(e) evaluating the knowledge and ability of the persons involved to safely undertake the activity.

These risk factors are used subjectively to obtain one of four risk levels as shown in Table 33.1.

Table 33.1 - HS-10 Risk Scoring System

Risk Level: Low (1)
(i) students are at minimal risk of injury if the equipment or procedures in the activity are employed correctly;
(ii) students have received teacher approval to operate the equipment or proceed with the activity; and
(iii) students will not be hindered or impeded while using the equipment or engaging in the activity.

Risk Level: Medium (2)
(i) there is a degree of risk of injury to a student using this equipment or engaging in this activity to the extent that all the risk cannot be eliminated;
(ii) students require a safe working space to be able to operate the equipment or engage in the activity; and
(iii) personal protective equipment may be required to further reduce the risk of injury.

Risk Level: High (3)
(i) there is a high risk of injury to the student or other persons if the equipment or procedures described in the activity are not employed in the prescribed manner;
(ii) the teacher should maintain close supervision of all aspects of this activity; and
(iii) there is a need for the teacher and/or student to operate in a defined area.

Risk Level: Very High (4)
(i) there is a high risk of injury to the student or other persons if the equipment or procedures described in the activity are not employed in the prescribed manner;
(ii) an injury sustained during this activity could result in a permanent disability or death;
(iii) a high level of supervision by the teacher is required (a maximum of one student at any one time working with teacher guidance may be appropriate); and
(iv) the activity is undertaken in a defined, restricted area.

No specific guidance is offered on how the risk factors map to the risk levels. Within HS-10 are 121 sub-documents that pertain to individual instructional activities. Example activities include metalworking, cookery, a wide variety of athletics, agricultural, construction, and others. The various documents define in more detail the hazards, if any, which yield resulting risk levels according to the four-level risk scoring system of HS-10.

STATUS

HS-07 Occupational Health and Safety and the HS-10 series of documents are active and current guidelines. Additional information can be found at http://education.qld.gov.au/corporate/doem/healthsa/healthsa.htm and at http://education.qld.gov.au/corporate/doem/health 10/health 10.htm.

DEPLOYMENT TO EDUCATIONAL FACILITIES

BACKGROUND

The extent to which risk assessment has been deployed in Australian universities is evidenced by information from The University of New South Wales, located in Sydney, Australia.

DESCRIPTION

The University of New South Wales includes risk management and risk assessment in its operational procedures rather than only in the classroom. As part of its Hazard and Incident Reporting and Investigation Procedure there are three forms. The first form applies to an incident where no injury or illness resulted. The form is shown in Figure 33.1.

Figure 33.1 - OHS and Environmental Hazard or Incident Report (OHS01)

Note that in this form a Hazard Rating scale is included. This scale rates the severity of injury. Also significant is that hazard elimination occupies a significant position in the report.

The second University of New South Wales form is used when an injury or illness has occurred. The first page of the form provides for typical information about the individual harmed, the facts of the occurrence and medical treatment provided. The second page of the form OHS002 is shown in Figure 33.2. The second page is remarkable because it requires a rating for severity of injury and a frequency of occurrence rating, a risk priority rating, and a risk score. Also significant is that the hierarchy of controls is explicitly listed in the Corrective Action Plan. This is very beneficial to prompt people to consider risk reduction methods that appear higher in the hierarchy than they might otherwise consider.

Figure 33.2 - OHS and Environmental Hazard or Incident Report (OHS02), Page 2

The third form is a confidential Accident and Incident Investigation Form OHSA03, shown in Figure 31.3. Most remarkably, Section 5 of this form addresses risk assessment.
Figure 33.3 - OHS and Environmental Hazard or Incident Report (OHS03)

STATUS

These forms indicate how deeply risk assessment concepts have been deployed in Australia. The fact that an accident/incident report form includes a risk assessment section is highly unusual in businesses today, but will likely become more regular. Additional information on this application can be found at http://www.riskman.unsw.edu.au/ and http://www.riskman.unsw.edu.au/ohs/AccInvv2.PDF.

REFERENCES

Bloswick, D., Elliott, C., & Jones, K. (2000). Integration of safety and ergonomics material into the mechanical engineering curriculum. Proceedings from ASME Annual Conference, SERA-Vol. 10, Safety Engineering & Risk Analysis, 213-219, W. Doerr, editor, Orlando, Florida, November.

Clemens, P.L. & Simmons, R.J. (1998). System safety and risk management: A guide for engineering educators. U.S. Department of Health and Human Services, National Institute for Occupational Safety and Health. www.sverdrup.com/svt.

Dembe, A. (1996). The future of safety and health in engineering education. Journal of Engineering Education: April, pp. 163-167.

designsafe® The hazard analysis and risk assessment guide. design safety engineering, inc. www.designsafe.com.

HS-07. (2000). Occupational health and safety. Standards Australia. http://education.qld.gov.au/corporate/doem/healthsa/healthsa.htm.

HS-10. (1998). Workplace health and safety - Curriculum, departmental policy, procedures and advice for use by schools and administrative offices. Standards Australia. http://education.qld.gov.au/corporate/doem/health10/health10.htm.

HS-10-15. (1996). Agricultural construction - Risk assessment criteria. Standards Australia. http://education.qld.gov.au/corporate/doem/healths2/hs-10015/hs-10015.htm.

King, P.H. & Christensen, W.C. (2002). Teaching safety through design in biomedical engineering design. American Society of Engineering Education Conference, Toronto.
Additional information on the course can be viewed at http://vubme.vuse.vanderbilt.edu/King/bme272.htm and http://vubme.vuse.vanderbilt.edu/King/bme273.htm.

Main, B.W., & Ward, A.C. (1992). What do engineers really know and do about safety? Implications for education, training and practice. Mechanical Engineering, Vol. 114, No. 8, 44-51.

The University of New South Wales. Hazard and incident reporting and investigation procedure, OHS and Environmental Hazard or Incident Report OHS01. http://www.bees.unsw.edu.au/ohs/accidents.html.

The Workplace Health and Safety Act. (1995). Queensland, Australia. http://www.whs.qld.gov.au/whsact/.

Risk Management

General
Risk Management Systems
The Australian Risk Management Standard
Other Australian Risk Management Efforts
Risk Management in Canada
Risk Management in Europe
ANSI Z10 Safety Management Standard

GENERAL

BACKGROUND

There is a great deal of activity in risk management occurring in governments and industry, far more than can be accounted for in a single chapter in this book. Risk assessment and risk management have been extensively incorporated into government standards, codes of practice and guides. The U.S. Army has a considerable risk management effort underway, as described in greater detail in Chapter 25 - Military. The current chapter attempts to address some of the more prominent documents. Examples of the level of integration are also presented. This chapter is not comprehensive, nor is it intended to be.

Risk management is a term that has several definitions. Different organizations use slightly different definitions of risk management, as can be seen in Appendix A. Generally speaking, risk management is the systematic dealing with risks. According to McNab (2001):

The overall objective is to manage risks as effectively as we can. This will involve trade-offs between risks, benefits and costs.
In order to manage risks associated with specific hazards, we must identify hazards and assess the risks by analyzing the probability, impact and uncertainty components of the various risk scenarios. We must then identify options for controlling and reducing the risks to acceptable levels, and then choose and implement control measures that are effective and efficient. Finally, we must monitor the system to ensure it remains under control and we must acquire new data, re-assess and modify controls as appropriate. This entire process is known as risk management.

Benjamin and Belluck (2001) add, "risk management is the process of identifying, evaluating, selecting, and implementing actions to reduce risk to human health and to ecosystems." They also note that "risk managers tend to be non-scientists."

Risk management has a broader scope than risk assessment. Risk assessment tends to focus on the more technical mechanics of the evaluation process such as identifying hazards, working with risk scoring systems, implementing risk reduction and arriving at a residual risk level. Risk management tends to pay less attention to the technical question of how risk is assessed, but focuses on the decision(s) made with the assessment results. Risk management typically concerns a management audience such as directors, CEOs, line managers, and others. A significant part of risk management involves setting criteria for acceptable risk levels.

Amendola (2000) offers the following insight, "deliberations about risk include discussions of the role, subjects, methods, and results of analysis. The important point is that the process of risk management is an interactive process involving both analysis and deliberation."

Reporting on the results of a Netherlands Health Council committee report on environmental policy, Passchier and Reij (2001) indicate that:

Risk management questions are questions about the structuring of society.
The answers are determined by beliefs about the vulnerability of nature, concern for future generations, and freedom of action. A transparent, orderly approach to risk assessment and risk management can lead to a result with which the people involved can live. In many cases, this requires much more than just a number.

Passchier and Reij (2001) continue:

It can be helpful to make a link between the costs of risk management measures and the level of risk reduction which they aim to achieve. The committee recommends that the following risk attributes should be taken into account:
• reduction in life expectancy and quality of life
• nuisance
• negative appreciation of the environment
• reduction of biodiversity
• reduced functioning of ecosystems
• reduction of environmental functions

An Australian document on risk management (CB018-1999) notes that "the alternative to risk management is risky management, or making reckless decisions."

DESCRIPTION

Grushka and McManus (2002) present five major components of risk management planning:
1. Identification
2. Analysis
3. Response planning
4. Implementation
5. Evaluation

Grushka and McManus (2002) state that there are four basic risk management response options once a hazard has been identified and evaluated. They are the "4 T's" and include:
1. Terminate the risk or the project
2. Tolerate the risk
3. Treat the risk
4. Transfer the risk

Effective integration of risk management and project management into a project adds significant value towards achieving organizational objectives. It requires at least three things: committed leadership; a defined process; and project personnel who are ready, willing and able to accept change.

Stern and Fineberg (1996) present results of a report by The National Research Council that recommended an analytical-deliberative process that allows a broad interpretation of risk management.
The Council states that:

The analysis uses rigorous, replicable methods, evaluated under the agreed protocols of an expert community to arrive at answers to factual questions. Deliberation is any formal or informal process for communication and collective consideration of issues.

The risk management process tends to move decision making from a project or design based approach to a risk based approach. Stamatelatos et al. (2002) point out one of the shortcomings of using a design based evaluation versus a risk based evaluation:

Traditionally, many system designs were evaluated with respect to a design basis, or a design reference mission. In this kind of approach, a particular functional challenge is postulated, and the design evaluation is based on the likelihood that the system will do its job, given that challenge... Because this approach can lead to adequate designs but does not reflect a quantitative risk perspective, it does not typically lead to an allocation of resources over safety functions that is optimal from a risk point of view, even in cases where the designs can be considered 'adequate' from a safety point of view. In general, optimal resource allocation demands some kind of integrated risk assessment: not just a finding regarding adequacy, and not a series of unrelated system-level assessments.

As part of the NASA risk management effort, the program/project develops and maintains the following in the risk sections of the Program/Project Plans, as appropriate:
1. Description of the risk, including primary causes and contributors, actions embedded in the program/project to date to reduce or control it, and information collected for tracking purposes
2. Primary consequences, should the undesired event occur.
3. Estimate of the probability (qualitative or quantitative) of occurrence, along with the uncertainty of the estimate.
The probability of occurrence should take into account the effectiveness of any implemented measures to prevent or mitigate the risk.
4. Additional potential mitigation measures, including a cost comparison, which addresses the probability of occurrence multiplied by the cost of occurrence versus the cost of risk mitigation
5. Characterization of the risk as 'acceptable' or 'unacceptable' with supporting rationale

This list is applicable to most any industry with the possible exception of item #4. In the context of product design where product liability is a concern, item #4 may not be advisable.

FLOWCHART

Ale (2000) states that risk management is divided into four phases:
• Identification
• Quantification
• Reduction
• Control

Between the Quantification and Reduction phases a decision must be made. This process is shown in Figure 34.1.

The risk management system Capaul (2000) uses is shown in Figure 34.2.

Figure 34.2 - Risk Management Process (Capaul)
Source: C. Kirchsteiger, G. Cojazzi (Eds.), Promotion of Technical Harmonisation on Risk-Based Decision Making, Proceedings of a Workshop held on May 22-24, 2000, Grand Hotel Bristol, Stresa, Italy, 2 Vol., European Commission DG JRC, S.P.I.0063, May 2000. Legibility limited due to original.

Hoj and Kroger (2000) discuss the risk management process shown in Figure 34.3.

ISO Guide 73 (2002) presents the relationship between the various risk management terms as defined in the Guide. These relationships are shown in Figure 34.4.
Figure 34.4 - Relationship Between Various Risk Management Terms

RISK MANAGEMENT (3.19)
    RISK ASSESSMENT (3.10)
        RISK ANALYSIS (3.9)
            SOURCE IDENTIFICATION (3.28)
            RISK ESTIMATION (3.15)
        RISK EVALUATION (3.16)
    RISK TREATMENT (3.26)
        RISK AVOIDANCE (3.11)
        RISK OPTIMIZATION (3.21)
        RISK TRANSFER (3.25)
        RISK RETENTION (3.24)
    RISK ACCEPTANCE (3.8)
    RISK COMMUNICATION (3.12)

Key: where term A is shown above terms B and C, the terms B and C are used in the definition of the term A or the notes to definition A.

The terms and definitions taken from ISO/IEC Guide 73:2002, Fig. 1 - Risk management - Vocabulary - Guidelines for use in standards - are reproduced with the permission of the International Organization for Standardization, ISO. This guide can be obtained from any ISO member and from the Web site of the ISO Central Secretariat at the following address: www.iso.org. Copyright remains with ISO.

In addition, Brandsseter (2000) presents risk management in the context of the offshore industry as discussed in Chapter 29 - see Figure 29.1.

STATUS

Ale (2000) opines, "in the risk management process quantification plays a central role." As shown in the diversity of risk assessment benchmarks presented in this book, this statement is true in some industries, but not in others. Whether formal or informal, risk management comprises an ongoing process in industry. The following passages describe example risk management processes in greater detail.

RISK MANAGEMENT SYSTEMS

BACKGROUND

Dr. W. Edwards Deming was a champion of the quality movement. Part of his work resulted in a basic four-step approach to quality management of Plan-Do-Check-Act. Since Deming's early efforts, many of his concepts have advanced through many industries and play a central role in risk management systems. Many of the concepts are contained in the ISO 9000 Quality management system.
DESCRIPTION

Tess (2002) notes that there are three major management system standard audits, including:
• Quality (ISO 9000)
• Environment (ISO 14000)
• Occupational Safety and Health (OHSAS 18001)

These risk management initiatives are similar in content and build from Dr. Deming's basic approach. Several authors have constructed comparisons between the various management systems. Risk management procedures have been established in several international standards and guides. According to OHSAS 18001:

OHSAS 18001:1999 has been developed to be compatible with the ISO 9001:1994 (Quality) and ISO 14001:1996 (Environmental) management systems standards, in order to facilitate the integration of quality, environmental and occupational health and safety management systems by organizations, should they wish to do so.

Annex A (informative) of OHSAS 18001 includes a table showing the correspondence between three management system standards/specifications: OHSAS 18001:1999, ISO 14001:1996, and ISO 9001:1994. Given their similarities and basic objectives, efforts are underway to combine these separate systems into a unified approach. Passchier and Reij (2001) opine, "risk management should be a part of a system of quality control."

Tess (2002) describes the experiences of Rockwell Automation in implementing and integrating a Safety Management System within an ISO 14000 and ISO 9000 certified facility. Tess describes the purpose as "a Safety Management System is designed to increase the efficiency of an organization's processes, increase the effectiveness of its safety and health programs, and strengthen its safety credibility with customers, governments and communities." Tess notes that although "prioritizing safety resources based on risk within a management system is a different approach for many businesses" it is useful because it "assigns priorities based on significant risk to the facility."
Tess (2002) states:

The hazard identification, risk assessment and risk control process is the most important element of the safety management system in support of the policy. At Rockwell Automation, a significant risk evaluation tool was designed, piloted and implemented to assist facilities. The process provides the means to prioritize the risks in the facility in order to determine which functional areas and hazards are the highest risks in the facility. Top risks are addressed first in objectives and targets.

Rockwell Automation's efforts to integrate their Safety Management System into their business processes are also intended to align all three management systems and permit performing only one audit.

In the UK, the OHSAS 18002 guideline applies to occupational safety and health rather than product safety or safety services. Some reference documents use the term "risk assessment" to encompass the entire process of hazard identification, determination of risk, and the selection of appropriate risk reduction or risk control measures. OHSAS 18001 and OHSAS 18002 refer to the individual elements of this process separately and use the term "risk assessment" to refer to the second of its steps, namely the determination of risk. OHSAS 18001 and 18002 include the following:

The organization should have a total appreciation of all significant OH&S hazards in its domain, after using the processes of hazard identification, risk assessment and risk control.

The purpose of this OHSAS guideline is to establish principles by which the organization can determine whether or not given hazard identification, risk assessment and risk control processes are suitable and sufficient. It is not the purpose to make recommendations on how these activities should be conducted.

The hazard identification, risk assessment and risk control processes should enable the organization to identify, evaluate and control its OH&S risks on an ongoing basis.
Hazard identification, risk assessment and risk control processes are key tools in the management of risk.

Hazard identification, risk assessment and risk control processes vary greatly across industries, ranging from simple assessments to complex quantitative analyses with extensive documentation. It is for the organization to plan and implement appropriate hazard identification, risk assessment and risk control processes that suit its needs and its workplace situations, and to assist it to conform to any OH&S legislative requirements.

STATUS

The risk management standards series ISO 9000 and ISO 14000 are current standards. OHSAS 18000 is a current guideline. Additional information can be obtained from commercial sources.

THE AUSTRALIAN RISK MANAGEMENT STANDARD

BACKGROUND

AS/NZS 4360:1999 Risk Management is published by Standards Australia (www.standards.com.au). A companion document, HB 142-1999: A basic introduction to managing risk, provides additional guidance on the risk management process contained in AS/NZS 4360. HB 142-1999 provides a generic framework for managing risk in a business based on the AS/NZS 4360:1999 approach to risk management. According to AS/NZS 4360:

[The Standard] is generic and independent of any specific industry or economic sector.

Risk management is an iterative process consisting of well-defined steps which, taken in sequence, support better decision-making by contributing a greater insight into risks and their impacts.

Risk management is recognized as an integral part of good management practice. To be most effective, risk management should become part of an organization's culture.

The AS/NZS 4360 standard is written very broadly. It is intended to be applied to a very wide range of organizations, including public, commercial and voluntary.
DESCRIPTION

According to the Standard:

Scope: This Standard provides a generic guide for the establishment and implementation of the risk management process involving establishing the context and the identification, analysis, evaluation, treatment, communication and ongoing monitoring of risks.

Application: Risk management is recognized as an integral part of good management practice. It is an iterative process consisting of steps, which, when undertaken in sequence, enable continual improvement in decision-making. Risk management is a multifaceted process, appropriate aspects of which are often best carried out by a multi-disciplinary team. It is an iterative process of continual improvement. Decisions concerning risk acceptability and risk treatment may be based on operational, technical, financial, legal, social, humanitarian or other criteria.

AS/NZS 4360:1999 breaks the risk identification step into a very practical approach of identifying what can happen, and how and why it can happen. According to the Standard, risk is to be analyzed by combining estimates of consequences and the likelihood that the consequences may occur:

Consequences and likelihood may be determined using statistical analysis and calculations. Alternatively, where no past data are available, subjective estimates may be made which reflect an individual's or group's degree of belief that a particular event or outcome will occur.

The Standard lists five methods of treating the risk:
1. Avoid the risk
2. Reduce the likelihood
3. Reduce the consequences
4. Transfer the risk using contracts or insurance
5. Retain the risk

Selection of the most appropriate option involves balancing the cost of implementing each option against the benefits derived from it. Note that cost plays an explicit role in risk reduction.

Most often risk management efforts focus on avoiding negative outcomes. However, risk management can be used to identify positive outcomes as well as negatives.
When benefits and risks are considered together a positive/negative scale can be used. For example, the consequences scale can range from high negative to neutral to high positive.

FLOWCHART

The AS/NZS 4360 risk management process includes the following steps:
• Establish the context
• Identify risks
• Analyse risks
• Evaluate risks
• Treat risks

RISK SCORING SYSTEM

A risk scoring system uses the risk factors of Likelihood and Consequences. Examples of Likelihood are shown in Tables 34.1 and 34.2. The Guide provides an example scoring system for consequences focusing on financial and political impacts, shown in Table 34.3. These risk factors are combined to obtain a risk level as shown in Table 34.4.

Table 34.1 - Likelihood Example - General (AS/NZS 4360)

Level  Descriptor      Description
A      Almost certain  Is expected to occur in most circumstances
B      Likely          Will probably occur in most circumstances
C      Possible        Might occur at some time
D      Unlikely        Could occur at some time
E      Rare            May occur only in exceptional circumstances

Table 34.2 - Likelihood Example - Very Unlikely Events (AS/NZS 4360)

Descriptor         Description                                  Frequency
Almost certain     Is expected to occur in most circumstances   Will occur once a year or more frequently
Likely             Will probably occur in most circumstances    Will occur once every three years
Possible           Might occur at some time                     Will occur once every ten years
Unlikely           Could occur at some time                     Will occur once every 30 years
Rare               May occur only in exceptional circumstances  Will occur once every 100 years
Very rare          Have never heard of this happening           One in 300 years
Almost incredible  One-off event in exceptional circumstances   One in 1000 years

Table 34.3 - Example of Consequences Focusing on Financial and Political Impacts (AS/NZS 4360)

Level  Descriptor     Description
5      Catastrophic   The consequences would threaten the survival of not only the programme, but also the organization. Revenue loss greater than x% of total revenue being managed would have extreme consequences for the organization both financially and politically.
4      Major          The consequences would threaten the survival or continued effective function of the programme. Revenue loss greater than y% of total revenue being managed would have very high consequences for the organization both financially and politically.
3      Moderate       The consequences would not threaten the programme, but would mean that the administration of the programme could be subject to significant review or changed ways of operating. Revenue loss greater than z% of total revenue being managed would have medium consequences for the organization both financially and politically.
2      Minor          The consequences would threaten the efficiency or effectiveness of some aspects of the programme, but would be dealt with internally. A loss of revenue below the tolerance level of 5% (audit materiality) applied to clients would be of low consequence.
1      Insignificant  The consequences are dealt with by routine operations. A loss of revenue below the programme tolerance level of w% (less than audit materiality) applied to clients would be of negligible consequence.

Table 34.4 - Example Risk Matrix (AS/NZS 4360)

                    Consequences
Likelihood          Insignificant  Minor  Moderate  Major  Catastrophic
                    1              2      3         4      5
A (almost certain)  H              H      E         E      E
B (likely)          M              H      H         E      E
C (moderate)        L              M      H         E      E
D (unlikely)        L              L      M         H      E
E (rare)            L              L      M         H      H

Legend
E: extreme risk, immediate action required, senior management will usually be involved
H: high risk, management responsibility should be specified and appropriate action taken
M: moderate risk, managed by specific monitoring or response procedures
L: low risk, manage by routine procedures

STATUS

AS/NZS 4360:1999 is an active and current standard.
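The AS/NZS 4360 scoring system of Tables 34.1, 34.3 and 34.4, worked through in code as an added example (not from the Standard or this book): it encodes the example matrix, checks that it is monotone (a more likely or more severe event never scores lower than a milder one, which is the property an organization should verify whenever it edits a matrix locally), and ranks a constructed risk register before and after the Standard's "reduce the likelihood" and "reduce the consequences" treatments. The register entries and the helper names are assumptions for illustration.

```python
"""AS/NZS 4360 style risk matrix (Table 34.4): score, prioritise and sanity-check.

Added example; the register entries below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Likelihood levels from Table 34.1, ordered from most to least likely.
LIKELIHOOD = ["A", "B", "C", "D", "E"]
# Consequence levels from Table 34.3: 1 = Insignificant ... 5 = Catastrophic.
CONSEQUENCE = [1, 2, 3, 4, 5]

# Table 34.4 as printed: one row per likelihood letter, columns are consequence 1..5.
MATRIX = {
    "A": "HHEEE",
    "B": "MHHEE",
    "C": "LMHEE",
    "D": "LLMHE",
    "E": "LLMHH",
}
# Legend order from Table 34.4; a higher rank means act sooner.
RANK = {"L": 0, "M": 1, "H": 2, "E": 3}
ACTION = {
    "E": "extreme risk, immediate action required",
    "H": "high risk, management responsibility should be specified",
    "M": "moderate risk, managed by specific monitoring or response procedures",
    "L": "low risk, manage by routine procedures",
}


def risk_level(likelihood: str, consequence: int) -> str:
    """Return the risk level letter (L/M/H/E) for one cell of Table 34.4."""
    if likelihood not in MATRIX or consequence not in CONSEQUENCE:
        raise ValueError(f"invalid matrix cell ({likelihood!r}, {consequence!r})")
    return MATRIX[likelihood][consequence - 1]


def matrix_is_monotone() -> bool:
    """True if risk never decreases when likelihood or consequence increases.

    A matrix failing this check would rank a more likely or more severe event
    below a milder one, so it is worth running on any locally modified matrix.
    """
    for i, lik in enumerate(LIKELIHOOD):
        for c in CONSEQUENCE:
            here = RANK[risk_level(lik, c)]
            # The row above (more likely) must score at least as high.
            if i > 0 and RANK[risk_level(LIKELIHOOD[i - 1], c)] < here:
                return False
            # The column to the right (more severe) must score at least as high.
            if c < CONSEQUENCE[-1] and RANK[risk_level(lik, c + 1)] < here:
                return False
    return True


@dataclass
class Risk:
    """One register entry; treated_* hold the factor after a treatment, if any."""
    name: str
    likelihood: str
    consequence: int
    treated_likelihood: Optional[str] = None   # Standard option 2: reduce the likelihood
    treated_consequence: Optional[int] = None  # Standard option 3: reduce the consequences

    def inherent(self) -> str:
        return risk_level(self.likelihood, self.consequence)

    def residual(self) -> str:
        return risk_level(self.treated_likelihood or self.likelihood,
                          self.treated_consequence or self.consequence)


def prioritise(register: List[Risk]) -> List[Tuple[str, str, str]]:
    """Order a register by inherent level (E first, then alphabetically).

    Returns (name, inherent level, residual level) so the effect of each
    treatment is visible next to the untreated score.
    """
    ordered = sorted(register, key=lambda r: (-RANK[r.inherent()], r.name))
    return [(r.name, r.inherent(), r.residual()) for r in ordered]


# Constructed register (illustrative values, not from the Standard or the book).
REGISTER = [
    Risk("unguarded press brake", "B", 4, treated_likelihood="D"),
    Risk("solvent storage fire", "D", 5, treated_consequence=3),
    Risk("slip on wet floor", "A", 2, treated_likelihood="C"),
    Risk("minor tool wear", "C", 1),  # retained (option 5), no treatment
]

if __name__ == "__main__":
    print("Table 34.4 matrix is monotone:", matrix_is_monotone())
    for name, inherent, residual in prioritise(REGISTER):
        print(f"{name:22s} inherent={inherent} residual={residual}  ({ACTION[inherent]})")
```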
The Standard is available from Standards Australia at www.standards.com.au.

OTHER AUSTRALIAN RISK MANAGEMENT EFFORTS

BACKGROUND

There are a number of risk management efforts occurring in Australia. This subsection describes a few of them.

DESCRIPTION

Risk Management at Work

WorkCover of New South Wales, Australia has developed a guide booklet, Risk Management at Work. This government guide presents a very concise risk management process. The guide states:

This guidance material provides a model for the systematic management of workplace hazards that can be used by: owners or managers of small or medium sized companies; OHS Committees; OHS Representatives; or anyone wanting to improve workplace health and safety.

The guide provides the following definition, "risk management is the process of identifying and managing risks to avoid exposure or loss." The guide presents the risk management process as having three steps:
Step 1. Hazard Identification
Step 2. Risk Assessment
Step 3. Risk Elimination or Control

The guide provides very practical guidance on how to work through these steps.

Plumbing Products

In the U.S., most companies are just beginning to struggle with risk assessment concepts. These concepts are much more familiar in the Australian and New Zealand industries, as evidenced by SAA MP78 (1999) Manual for the assessment of risks of plumbing products:

SAA MP78 (1999) is a reference document for those involved in the process of risk identification, risk analysis and assessment and risk treatment of plumbing and drainage products, appliances and equipment within the scope of the National Certification Plumbing and Drainage Products Scheme.

The development of MP78 followed the restructuring of the water industry in Australia. In particular, the regulatory framework within which the plumbing industry operates has led to greater emphasis on performance-based Standards and codes of practice based on acceptable risk to stakeholders.
According to Solness (1999), who was instrumental in developing the new approach, "the learning and methodology for risk analysis contained in MP78 will enable assessment of all new plumbing products to be carried out in a much more transparent and efficient way."

STATUS

Risk management efforts in Australia continue. For additional information see Solness (1999), SAA MP78 (1999), Williams (2002), Cooper (1999), and AS/NZS 4360-1999.

RISK MANAGEMENT IN CANADA

BACKGROUND

The Ontario Ministry of Agriculture, Food and Rural Affairs (OMAFRA) has long been active in risk assessment and risk management. McNab (2001) notes that:

Since 1995, OMAFRA has been promoting the principles of risk analysis, risk assessment, risk management and risk communication for its food safety, animal health and plant health programs. Risk management has been officially identified as one of the Ministry's four core businesses since 1998.

Risk management is not currently integrated and co-ordinated between programs as well as it could be within the Ministry. One opportunity is for better use of risk management as a priority setting and resource management tool. There is a need to develop and integrate into the management process a common risk terminology and a formal and systematic risk management process.

Risk management is the process of identifying potential hazards and undesirable events; understanding their likelihood and consequences; and taking steps to control the risks if necessary.

The terminology used in the discipline of risk continues to evolve internationally. Various agencies and organisations use different terms to refer to the same process and, in some cases, the same terms to refer to different processes. It is important to maintain flexibility throughout the process. Using a flexible approach can lead to more effective and more acceptable risk management decisions.
Application of formal and systematic risk management will promote:
• A consistent approach to compliance priority setting across the Ministry, improved ability to manage competing interests, and greater attention to higher risk areas
• More effective resource allocation
• Improved protection of public interest and safety
• Identification of threats and opportunities
• Increased accountability
• Improved identification of regulatory gaps, resulting in reduced regulatory negligence and liability exposure.

Health Canada (1999) indicates that:

Canadians subscribe to the notion of "risk management," which involves assessing and managing risks to public health to ensure they are minimized to the extent possible and practicable. Risk assessment determines the nature and degree of risk, based on scientific evidence.

The Department's primary risk management goal is to protect and improve the health of Canadians by defining, assessing and managing risks to health associated with:
• the food supply
• the manufacture, sale and use of drugs and medical devices
• consumer products and tobacco
• pesticides
• the environment, including the workplace
• disease threats
• natural and civilian disasters

Health Canada's Health Protection Branch oversees a range of risk management activities including conducting risk assessments, developing risk management strategies, evaluating risk management options and providing Canadians with the sound science and the necessary information about the nature and extent of risk on which to make informed choices. In addition, Health Canada monitors health and safety risks related to the sale and use of drugs, food, chemicals, pesticides, medical devices and certain consumer products. Health Canada focuses primarily on regulating industry and maintaining national health and safety standards.
DESCRIPTION

The Health Canada (1999) risk management process steps are outlined below:
Step 1 Initiation
Step 2 Scope Definition
Step 3 Risk Assessment
  - Risk Analysis
  - Risk Acceptability Evaluation
Step 4 Risk Control
Step 5 Risk Monitoring
Step 6 Learning
Step 7 Stakeholder Participation

OMAFRA lists the following success factors in risk management:

Fundamental Requirements:
• An understanding of Ministry core businesses and objectives
• Integrated consideration of stakeholders' needs and exposures to potential hazards
• Integration of risk-based thinking into design of strategic policies, programs and training
• Integration of risk management responsibilities into day-to-day line-management and decision making

Organizational Requirements:
• Senior management commitment
• Line organizational structure conducive to effective communication and cooperation
• Risk management process model which is understood by all
• Risk assessment and cost/benefit tools of varying complexity which can be used to determine the level of risk and evaluate the suitability of risk control actions
• Sufficient human resources with the appropriate level of training

Although these organizational success factors pertain to OMAFRA, they also apply more generally to any risk management effort.

FLOWCHART

The OMAFRA risk management steps are shown schematically in Figure 34.5. The OMAFRA Risk Management Process is shown in Figure 34.6.

Figure 34.5 - Risk Management Process Steps - Schematic (OMAFRA)

According to the document, "risk assessment includes risk analysis and risk evaluation, as shown in the figure. Note this is somewhat of a reversal of terms used in the WTO and Codex systems where risk analysis is the larger concept."

STATUS

The OMAFRA document is current. Additional details on Canadian risk management efforts can be found at http://www.gov.on.ca/OMAFRA or at www.hc-sc.gc.ca.
RISK MANAGEMENT IN EUROPE

BACKGROUND

In 2001, The International Labour Office in Geneva published Guidelines on occupational safety and health management systems, ILO-OSH 2001. The Guideline recognizes that in addition to the intense competitive pressures existing in the current workplace, "organizations must also be able to tackle occupational safety and health challenges continuously and to build effective responses into dynamic management strategies." The Guideline was developed to support this effort. The Guideline focuses on organizations such as companies, manufacturers or firms rather than governments. The Guideline states, "the employer is accountable for and has a duty to organize occupational safety and health. The implementation of an OSH management system is one useful approach to fulfilling this duty."

DESCRIPTION

The ILO-OSH Guideline includes a continuous improvement process for the OSH management system that is generally based on the Deming cycle of Plan-Do-Check-Act. The system includes the following elements:
• Policy
• Organizing
• Planning and Implementation
• Evaluation
• Action for improvement

A passage on responsibility and accountability in the Organizing section includes the following: "the employer should have overall responsibility for the protection of workers' safety and health, and provide leadership for OSH activities in the organization."

Under the Planning and Implementation section, an initial review of the OSH management system is recommended. In addition to other items, the review should include the following:
• Identify, anticipate and assess hazards and risks to safety and health arising from the existing or proposed work environment and work organization; and
• Determine whether planned or existing controls are adequate to eliminate hazards or control risks.

The Guideline states "hazards and risks to workers' safety and health should be identified and assessed on an ongoing basis."
The Guideline indicates that preventive and protective measures should be implemented consistent with the hazard hierarchy. Under a passage on management of change, the following appears:

   A workplace hazard identification and risk assessment should be carried out before any modification or introduction of new work methods, materials, processes or machinery. Such assessment should be done in consultation with and involving workers and their representatives, and the safety and health committee, where appropriate.

This passage is significant in that not only does it call for a risk assessment, but it also requires that the assessment include workers. Under the Evaluation section, the Guideline recognizes that both qualitative and quantitative measures should be considered as appropriate for the organization. The Guideline emphasizes in several locations the importance of documenting the process and the results. This emphasis is consistent with other continuous improvement and management system approaches.

The Guideline demonstrates how risk assessment can be, should be, and is becoming integrated into business practices. Management systems address the overall process of addressing safety in an organization's operations and resulting products. One of management's responsibilities is to manage risk. Although risk can be managed out of ignorance or by "gut feel" spot decisions, the opportunities for continuous improvement and more effective decisions can be realized with a more diligent decision process. Risk assessment plays a critical role in this overall process. Risk decisions cannot be made effectively until the risks are assessed and understood.

STATUS

ILO-OSH 2001 is an active Guideline. Additional information can be obtained at http://www.ilo.org/public/english/support/publ/pdf/guidelin.pdf.
ANSI Z10 SAFETY MANAGEMENT STANDARD

BACKGROUND

Risk assessment and risk management form key components in a draft ANSI standard being developed under the leadership of the American Industrial Hygiene Association. ANSI Z10 addresses Occupational Health and Safety Management Systems. The Z10 committee began working in 1999, focusing on the need to develop and apply management system tools to improving occupational health and safety performance. The Scope of draft standard ANSI Z10 Occupational Health and Safety Systems states:

   Develop a standard of management principles and systems to help organizations design and implement deliberate and documented approaches to continuously improve their occupational health and safety (OHS) performance. The standard will enable organizations to integrate OHS management into their overall business management systems; it will focus on principles that are broadly applicable to organizations of all sizes and types, not on detailed specifications. The standard will be compatible with relevant OHS, environmental, and quality management standards (e.g., ISO 9000 and 14000) and with approaches to OHS management in common use in the US.

DESCRIPTION

The standard establishes minimum requirements for designing, implementing and continually improving occupational health and safety management systems. It does not provide details for occupational health and safety programs. The standard defines requirements for what must be accomplished, but it does not define how the objectives shall be met. This performance-based approach will allow users to develop and implement solutions suitable to their particular organizations. Since this standard applies to organizations of all sizes and types, the document must necessarily allow flexibility in its implementation. The standard includes risk assessment as one element of an occupational health and safety management system. The standard includes information on how to perform a risk assessment in an annex.
According to Schroll (2001), "[the ANSI Z10] effort will emphasize principles and practices that may be broadly applied to any type of organization. The standard will focus on the what and why, not the who and how, of occupational health and safety."

STATUS

ANSI Z10 is a work in progress. Note that the document is subject to change until it is finalized and formally approved. Additional information can be obtained by contacting the AIHA at www.aiha.org.

REFERENCES

Ale, B. (2000). Risk assessment practices in the Netherlands. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.
Amendola, A. (2000). Recent paradigms for risk informed decision-making. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.
AS/NZS 4360-1999. Risk management. Standards Australia, www.standards.com.au.
Benjamin, S.L. & Belluck, D.A. (Eds.). (2001). A practical guide to understanding, managing, and reviewing environmental risk assessment reports. Boca Raton, FL: CRC Press/Lewis Publishers, Inc.
Blotch, A.T. (2002). Accident investigation - The legal perspective: Minimize inadvertent liability and maximize effectiveness. ASSE Professional Development Conference, 2002.
Brandseeter, A. (2000). Risk assessment in the offshore industry. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.
Brearley, S.A. (2000). UK railways: Using risk information in safety decision making. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.
Capaul, B. (2000). Standardised risk assessment - A need for man-made risk insurers. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.
CB 018-1999. An international guide to best business practice - Risk management. Standards Australia, www.standards.com.au.
Cooper, D. (1999). Tutorial notes: The Australian and New Zealand standard on risk management, AS/NZS 4360:1999. Broadleaf Capital International Pty Ltd.
Grushka, M.J., & McManus, S.M. (2002). If you manage the risk, you manage the project: Risk driven project management - 'A system that works!' American Society of Safety Engineers, www.asse.org.
HB 142-1999. A basic introduction to managing risk. Standards Australia, www.standards.com.au.
Health Canada. (1999). Striking a balance: Risk management in Canada. http://www.hc-sc.gc.ca/datapcb/iad/balance-e.htm.
Hoj, N.P. & Kroger, W. (2000). Risk analysis of transportation on road and railway. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.
ILO-OSH. (2001). Guidelines on occupational safety and health management systems. International Labour Office, Programme on Safety and Health at Work and the Environment (SafeWork), Geneva, MEOSH/2001/2 (Rev), www.ilo.org.
ISO 14001:1999. Environmental management systems - Specification with guidance for use. International Organization for Standardization, www.iso.ch.
ISO 9001:1994. Quality systems - Model for quality assurance in design, development, production, installation and servicing. International Organization for Standardization, www.iso.ch.
ISO Guide 73:2001 Draft. Risk management - Vocabulary - Guidelines for use in standards. International Organization for Standardization, www.iso.ch.
McNab, B. (2001). Inspection, investigation and enforcement risk management through assessment and control. A Framework for the Ministry of Agriculture, Food and Rural Affairs, Draft Aug. 7. www.gov.on.ca/OMAFRA.
OHSAS 18001:1999. Occupational health and safety management systems - Specification. British Standards Institution, Occupational Health and Safety Assessment Series, www.bsi.org.uk.
OHSAS 18002:2000. Occupational health and safety management systems - Guidelines for the implementation of OHSAS 18001. Occupational Health and Safety Assessment Series, www.bsi.org.uk.
Passchier, W.F. & Reij, W.C. (2001). Risk is more than just a number. www.fplc.edu/RISK/vol8/spring/passchie.htm.
SAA MP78:1999. Manual for the assessment of risks of plumbing products. Standards Australia, www.standards.com.au.
Schroll, C. (2001). Standards and regulations: ANSI Z10 update, 1 June. www.ndx.com.
Solness, E. (1999). Statement as quoted by F. Pontoni in TAS Magazine Editorial, June.
Stamatelatos, M., Apostolakis, G., Dezfuli, H., Everline, C., Guarro, S., Moieni, P., et al. (2002). Probabilistic risk assessment procedures guide for NASA managers and practitioners. Office of Safety and Mission Assurance, NASA Headquarters, www.nasa.gov.
Stern, P.C. & Fineberg, H.V. (Eds.). (1996). Understanding risk: Informing decisions in a democratic society. Committee on Risk Characterization, National Research Council. The National Academies Press. http://www.nap.edu/catalog/5138.html.
Tess, L. (2002). Case study: Implementation and integration of a safety management system within an ISO 14000 and ISO 9000 certified facility. American Society of Safety Engineers, www.asse.org.
Wettig, J. (2000). New developments in standardization in the past 15 years - Product versus process related standards. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.
Williams, J. (2002). OHS management systems in Australia. American Society of Safety Engineers, www.asse.org.
WorkCover. (2001). Risk management at work, Guide 2001. New South Wales Health and Safety Guide. www.workcover.nsw.gov.au/publications.

ROBOTICS

U.S. Robotic Applications
Canadian Robotic Applications
European Robotic Applications
Intelligent Assist Devices

U.S. ROBOTIC APPLICATIONS

BACKGROUND

The Robotic Industries Association (RIA) is the secretariat of the ANSI/RIA R15 series standards. The most recent revision of the robot safety standard ANSI/RIA R15.06 Safety Requirements for Industrial Robots and Robot Systems was formally approved in 1999. According to the Scope of the standard:

   This standard applies to the manufacture, remanufacture, rebuild, installation, safeguarding, maintenance, testing and start-up, and training requirements for industrial robots and robot systems.

The stated purpose of the standard is:

   to provide requirements for industrial robot manufacture, remanufacture and rebuild; robot system integration/installation; and methods of safeguarding to enhance the safety of personnel associated with the use of robots and robot systems.

ANSI/RIA R15.06 has had wide-reaching influence. The risk scoring system developed by the RIA has migrated to several other applications, including the Canadian robotic standards.

DESCRIPTION

Included in ANSI/RIA R15.06-1999 is a requirement that suppliers and users of robots either apply the highest level of safeguarding specified in the standard to their robot systems, or conduct a risk assessment of those systems:

   A safeguarding strategy shall be developed for identifying and controlling hazards, including process-specific hazards, and either:
   a) installing the safeguards required under (the prescribed method); or
   b) conducting a comprehensive risk assessment

In practice, most users of this standard conduct a risk assessment of their robots and robot systems due to the more stringent requirements of the prescribed method. Under the prescribed method, safeguarding shall prevent access to the hazard or cause the hazard to cease without action by the persons being protected. Control-reliable control circuitry is also required for safeguarding devices under the prescribed method.
Figure 35.1 - Overview of Risk Assessment (Robotic Industries)

The risk assessment method in the ANSI/RIA R15.06 standard uses a task-based approach to identifying hazards. A representation of the risk assessment process described in this standard is shown in Figure 35.1.

RISK SCORING SYSTEM

The risk scoring system presented in R15.06 uses three factors: severity of injury, exposure and avoidance. These factors are shown in Table 35.1.

Table 35.1 - Risk Reduction Decision Matrix Prior To Safeguard Selection (ANSI/RIA R15.06-1999)

Severity of Injury | Exposure | Avoidance | Risk Reduction Index
S2 Serious Injury (more than first aid) | E2 Frequent Exposure | A2 Not Likely | R1
S2 Serious Injury (more than first aid) | E2 Frequent Exposure | A1 Likely | R2A
S2 Serious Injury (more than first aid) | E1 Infrequent Exposure | A2 Not Likely | R2B
S2 Serious Injury (more than first aid) | E1 Infrequent Exposure | A1 Likely | R2B
S1 Slight Injury (first aid) | E2 Frequent Exposure | A2 Not Likely | R2C
S1 Slight Injury (first aid) | E2 Frequent Exposure | A1 Likely | R3A
S1 Slight Injury (first aid) | E1 Infrequent Exposure | A2 Not Likely | R3B
S1 Slight Injury (first aid) | E1 Infrequent Exposure | A1 Likely | R4

The risk reduction categories correlate the risk level to the minimum required safeguard performance and circuit performance. Note that the term "category" as used in the robotic standard does NOT equate to the term "category" as used in EN 954. The robotic "category" is merely an index to risk reduction.

The robot risk assessment process includes two assessments of the risks. The initial assessment is conducted assuming that no safeguards are installed. From this assessment the appropriate risk reduction solutions are identified using the standard. A second assessment is conducted assuming that the safeguards are installed. The second assessment uses a similar but slightly different presentation of the risk factors in Table 35.1. The standard specifies that a residual risk level of R3 or R4 is required before the risk reduction effort is complete.

STATUS

ANSI/RIA R15.06-1999 is an approved and active voluntary industry standard. Robot users and suppliers should follow the requirements prescribed in the standard. Copies can be obtained at www.roboticsonline.com.
CANADIAN ROBOTIC APPLICATIONS

BACKGROUND

The Canadian Standards Association developed the standard CAN/CSA Z434 Industrial Robots and Robot Systems - General Safety Requirements for robot applications in Canada. This standard was based on ANSI/RIA R15.06-1999, and the documents are very similar. The most recent version of Z434 was approved in 2003. The Canadian and U.S. documents do vary in some minor details, but the overall processes remain very similar.

FLOWCHART

The risk assessment process in the Z434 standard is essentially the same as that in R15.06-1999.

RISK SCORING SYSTEM

The Z434 risk scoring system varies slightly but significantly from the R15.06 method. Both methods use the risk factors of severity, exposure and avoidance. However, as shown in Table 35.2, the risk factors of S2, E1, and A2 result in a risk level of R2A in Z434. In the R15.06 standard this combination results in a risk level of R2B. The significance of this difference involves primarily the level of control circuitry required for risk reduction. Also, the Z434 table replaces the word "category" with "index" to help avoid confusion with EN 954 usage.

Table 35.2 - Risk Reduction Decision Matrix Prior To Safeguard Selection (CAN/CSA Z434)

Severity of Injury | Exposure | Avoidance | Risk Reduction Index
S2 Serious Injury (more than first aid) | E2 Frequent Exposure | A2 Not Likely | R1
S2 Serious Injury (more than first aid) | E2 Frequent Exposure | A1 Likely | R2A
S2 Serious Injury (more than first aid) | E1 Infrequent Exposure | A2 Not Likely | R2A
S2 Serious Injury (more than first aid) | E1 Infrequent Exposure | A1 Likely | R2B
S1 Slight Injury (first aid) | E2 Frequent Exposure | A2 Not Likely | R2C
S1 Slight Injury (first aid) | E2 Frequent Exposure | A1 Likely | R3A
S1 Slight Injury (first aid) | E1 Infrequent Exposure | A2 Not Likely | R3B
S1 Slight Injury (first aid) | E1 Infrequent Exposure | A1 Likely | R4

STATUS

The Canadian Z434-2003 is an approved Canadian standard. Additional information can be obtained at http://www.csa-intl.org/onlinestore.

EUROPEAN ROBOTIC APPLICATIONS

BACKGROUND

There are also harmonization efforts in process to coordinate the U.S. robotic standard with ISO efforts. An ISO/TC 184 subcommittee is working to revise the standard ISO 10218, Manipulating industrial robots - Safety (1992).
The ISO 10218 document has received little acceptance outside of Europe. ISO/CD 10218 Manipulating Industrial Robots - Safety: Part 1 - Design, Construction and Installation applies primarily to robot and robot system suppliers. Part 2 of ISO/CD 10218 is also a work in progress and applies primarily to users of robots and robotic systems.

DESCRIPTION

The ISO/CD 10218 document as currently drafted includes a requirement for risk assessment. A method for conducting risk assessment is recommended in an Annex to Part 2 of the document and very closely follows the process and risk scoring system of ANSI/RIA R15.06-1999. The document does allow that other risk assessment methods can be used to meet the requirements for risk assessment. Much of the interest in harmonizing the different international robotic standards stems from a strong desire of robot manufacturers and users to be able to develop and purchase one robot that can be used around the world. Harmonization efforts are expected to attain all or nearly all of this goal.

STATUS

ISO/CD 10218 remains a work in progress. A finished document of Part 1 is expected to be complete in late 2004 or early 2005. Additional information is available at http://www.iso.ch.

INTELLIGENT ASSIST DEVICES

BACKGROUND

The RIA is also the secretariat for T15 on intelligent assist devices. A subcommittee is drafting a standard, BSR/T15.1 Personnel Safety Requirements for Intelligent Assist Devices (Draft). Intelligent assist devices (IADs) employ a hybrid programmable computer-human control system to provide human strength amplification. These devices differ from robot applications in that end users contact the devices to perform their work. In robot applications end users are typically prevented from entering the robot work space.

DESCRIPTION

The draft standard includes risk assessment requirements and protocols based on the R15.06 methodology.
STATUS

This draft standard was released in March 2002 for trial use, and comments on the draft were received by March 2003. T15.1 is expected to be released as an approved standard in 2004. Additional information can be found at www.roboticsonline.com.

REFERENCES

ANSI/RIA R15.06-1999. Safety requirements for industrial robots and robot systems. Robotic Industries Association, www.robotics.org.
BSR/T15.1. (draft, 2002). Personnel safety requirements for intelligent assist devices (Draft). Robotic Industries Association, www.robotics.org.
CAN/CSA Z434-2003. Industrial robots and robot systems - General safety requirements. Canadian Standards Association, www.csa.ca.
ISO/CD 10218-1. (1992). Manipulating industrial robots - Safety: Part 1 - Design, construction and installation. www.iso.ch.
ISO/CD 10218-2. (1992). Manipulating industrial robots - Safety: Part 2 - Rebuilding, redeployment and use. www.iso.ch.

SEMICONDUCTORS AND FLAT PANELS

BACKGROUND

Semiconductor Equipment and Materials International (SEMI) is the trade organization for the semiconductor and flat panel display industries. SEMI promulgates safety guidelines for these industries, including SEMI S2-0703 Environmental, Health and Safety Guideline for Semiconductor Manufacturing Equipment and SEMI S10-1103 Safety Guideline for Risk Assessment and Risk Evaluation Process. SEMI S2 provides performance-based guidelines for suppliers and users of semiconductor manufacturing equipment and serves as the basic safety guideline for semiconductor equipment. SEMI S10 establishes the general principles for risk assessment and is used to characterize risks associated with semiconductor equipment. The SEMI S2 and SEMI S10 guidelines should be used concurrently. SEMI also has a risk assessment method for fire hazards published as SEMI S14-1103 Safety Guidelines for Fire Risk Assessment and Mitigation for Semiconductor Manufacturing Equipment. This method is discussed in Chapter 16 on Fire and Explosion.
Similarly, SEMI S8-1103 Safety Guidelines for Ergonomics Engineering of Semiconductor Manufacturing Equipment addresses ergonomic risk and is discussed in Chapter 17. Foster, Beasley, Davis, Kryska, Liu, McIntyre, Sherman, Stinger and Wright (1999) note the following:

   The key factor that separates the semiconductor industry from most others is the extraordinary rate of change in manufacturing and product technologies. This rate of change far exceeds the rate of change of the various Environmental, Safety & Health (ESH) codes, standards, or guidelines.

SEMI S2 includes information on an Equipment/Product Safety Program under Related Information 1. This is an informative attachment to SEMI S2. The Preface to the attachment highlights the importance of the risk assessment process:

   Compliance with design-based safety standards does not necessarily ensure adequate safety in complex or state-of-the-art systems. It is often necessary to perform hazard analyses to identify hazards that are specific to the system, and develop hazard control measures that adequately control the associated risk beyond those that are covered in existing design-based standards.

Note that in SEMI S2 the term "hazard analysis" includes the steps of risk assessment. This usage differs from other industry guidelines and standards, such as ISO 14121-1999, where a hazard analysis is a sub-process of the risk assessment.

DESCRIPTION

In clause 6 Safety Philosophy of SEMI S2, the document states:

   6.8 A hazard analysis should be performed to identify and evaluate hazards. The hazard analysis should be initiated early in the design phase, and updated as the design matures.
   6.8.1 The hazard analysis should include consideration of:
   • the application or process;
   • the hazards associated with each task;
   • anticipated failure modes;
   • the probability of occurrence and severity of a mishap;
   • the level of expertise of exposed personnel and the frequency of exposure;
   • the frequency and complexity of operating, servicing and maintenance tasks; and
   • safety critical parts.

   6.8.2 The risks associated with hazards should be characterized using SEMI S10.

SEMI S10 provides a framework for carrying out risk assessments on semiconductor processes, equipment and facilities. According to the revised document:

   The purpose of this guideline is to establish general principles for risk assessment to enable identification of hazards, risk estimation and risk evaluation in a consistent and practical manner. The document provides a framework for carrying out risk assessments on equipment in the semiconductor and similar industries and is intended for use by supplier and purchaser as a reference for EHS considerations.

Both SEMI S2 and SEMI S10 indicate that the risk assessment needs to be documented and provided to an evaluator or user.

FLOWCHART

SEMI S10-1103 includes the flow chart shown in Figure 36.1. Note that in this figure risk reduction is a separate process from the risk assessment. The SEMI S10 guideline does not address risk reduction methods, as these are addressed in SEMI S2 and other SEMI publications.

RISK SCORING SYSTEM

SEMI S10 recommends a preferred risk scoring system that is similar to the MIL-STD 882 system (see Chapter 27 Military). Although other risk scoring systems can be used, the preferred system is the most common in this industry. The risk factors include Severity and Likelihood of Mishap. Examples of the severity descriptions include those shown in Table 36.1. Example Likelihood groupings are shown in Table 36.2. The risk factors are combined to form five levels of risk in a risk table shown in Table 36.3.
SEMI S10 requires that the risks for each severity/likelihood combination be determined and the greatest risk from all combinations be considered the overall risk for the hazard. So for a particular hazard, the severity level to people, equipment and property is determined, each with an associated likelihood rating. The highest risk combination is then used for the hazard.

Table 36.1 - SEMI S10 Severity Groups

Severity Group | People* | Equipment/Facility* | Property*
1 - Catastrophic | One or more fatalities. | System or facility loss. | Chemical release with lasting environmental or public health impact.
2 - Severe | Disabling injury/illness. | Major subsystem loss or facility damage. | Chemical release with temporary environmental or public health impact.
3 - Moderate | Medical treatment or restricted work activity (OSHA recordable). | Minor subsystem loss or facility damage. | Chemical release triggering external reporting requirements.
4 - Minor | First aid only. | Non-serious equipment or facility damage. | Chemical release requiring only routine cleanup without reporting.
* These descriptions are for example only.

Table 36.2 - SEMI S10 Likelihood Groups

Likelihood Group | Expected Rate of Occurrence of each hazard per number of machines*
A - Frequent | More than 1%
B - Likely | More than 0.2%, but not more than 1%
C - Possible | More than 0.04%, but not more than 0.2%
D - Rare | More than 0.02%, but not more than 0.04%
E - Unlikely | Not more than 0.02%

Table 36.3 - SEMI S10 Risk Ranking Matrix

SEMI S10 also includes information on other risk scoring systems in an informative attachment to SEMI S10. The information describes alternate ways to obtain a risk rating number in terms of two equations. The first uses two risk factors: severity and probability of occurrence of harm. The second equation uses four risk factors: severity, frequency of exposure, probability of occurrence of hazardous situation, and possibility to avoid the harm.
There is also information on numerical risk ranking methods, and on how to arrive at a risk rating number for severity when multiple persons are at risk. Additional details can be found in SEMI S10-1103.

STATUS

SEMI S2 and S10 are current guidelines available from www.semi.org, where additional information can also be obtained. In addition, information on the risk assessment methods used by Motorola, Inc. can be found in Chapter 13, Company Specific Approaches.

REFERENCES

Foster, M., Beasley, J., Davis, B., Kryska, P., Liu, E., McIntyre, A., et al. (1999). Hazards analysis guide: A reference manual for analyzing safety hazards on semiconductor manufacturing equipment. Technology Transfer #99113846A-ENG. International SEMATECH, www.sematech.org.
SEMI S2-0703. (2003). Environmental, health and safety guideline for semiconductor manufacturing equipment. Semiconductor Equipment and Materials International, www.semi.org.
SEMI S8-1103. (2003). Safety guidelines for ergonomics engineering of semiconductor manufacturing equipment. Semiconductor Equipment and Materials International, www.semi.org.
SEMI S10-1103. (2003). Safety guideline for risk assessment. Semiconductor Equipment and Materials International, www.semi.org.
SEMI S14-1103. (2003). Safety guidelines for fire risk assessment and mitigation for semiconductor manufacturing equipment. Semiconductor Equipment and Materials International, www.semi.org.

OTHER RISK ASSESSMENT BENCHMARKS

Manuele's Study
ASME International
SERAD
Risk-Based Inspections
Disaster and Emergency Preparedness
Industry Best Practices

MANUELE'S STUDY

Manuele (2001) devotes a complete chapter in Innovations in Safety Management to risk scoring systems. He discusses the movement toward semi-quantitative methods, driven in part by the influence of engineers and their passion for numerical precision.
Although Manuele supports increased precision in risk assessment efforts, he cautions against placing too great a faith in numerical results, as the numerical values used in such analyses are often entirely judgmental. Manuele (2001) examines risk scoring systems using three and four risk factors in different industries. He strongly questions the validity of four-factor risk scoring systems. He presents a hypothetical scenario involving a fatality that reasonably appears to be an unacceptable risk. However, the scenario comes through the four-factor risk scoring system as acceptable. Manuele uses this flaw to highlight that the more complex methods of the four-factor systems may unexpectedly introduce problems into the risk assessment process.

Manuele (2001) does present a three-factor, semi-quantitative risk scoring system. He uses the three risk factors of probability, frequency of exposure and severity. The rating levels for each risk factor are shown in Tables 37.1-37.3. The semi-quantitative values Manuele (2001) provides in this risk scoring system appear in Table 37.4.

Table 37.1 - Incident Probability Descriptions per Manuele (2001)

Category: Descriptive Word | Definition: Applies to the selected units of time, events, or activity
Frequent | Likely to occur repeatedly, to even chance
Likely | Likely to occur several times
Occasional | Occurs sporadically, likely to occur sometimes
Remote | Not likely to occur, but could possibly occur
Improbable | So unlikely, can assume occurrence will not be experienced

Table 37.2 - Frequency of Exposure Descriptions per Manuele (2001)

Category: Descriptive Word | Definition
Often | Continuous to daily
Occasional | Daily to monthly
Infrequent | Monthly to yearly
Seldom | Less than yearly

Table 37.3 - Severity of Consequences per Manuele (2001)

Category: Descriptive Word | People: Employees, Public | Facilities, Product, or Equipment Loss | Operations Down Time | Environmental Damage
Catastrophic | One or more fatalities | Exceeds $2M | Exceeds 4 months | Major event, requiring several years recovery
Critical | Disabling injury or illness | $500K to $2M | 2 weeks to 4 months | Event requires 1 to 5 years for recovery
Medium | Minor injury, lost work day | $5K to $500K | 1 day to 2 weeks | Recovery time is less than 1 year
Minimal | First aid case, minor medical treatment | Less than $5K | Less than 1 day | Minor damage, easily repaired

Table 37.4 - Risk Factor Ratings per Manuele (2001)

Risk Category | Score Levels | Remedial Action, or Acceptance
High | 800 and above | Operation not permissible
Serious | 500-799 | Remedial actions to have high priority
Moderate | 200-499 | Remedial actions to be taken in appropriate time
Low | 199 and below | Risk is acceptable: remedial action discretionary

Manuele (2001) observes that risk factors are commonly combined mathematically to obtain a risk score. Many systems multiply the risk factors together; in a typical two-factor system the severity element receives a 50% weighting of the resulting score. Manuele astutely identifies that in typical three-factor systems the severity factor becomes discounted to only 33% of the total. Given the significance of severity to incident outcomes, he suggests an alternative equation that maintains the 50% severity weighting.
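Manuele's weighting argument, that severity carries half the weight in a two-factor product, only a third in a three-factor product, and half again under his (Probability + Frequency of Exposure) x Severity formula, can be checked numerically. The following is an added example, not code from Manuele (2001) or this book: only the shape of the equations and the score bands of Table 37.4 come from the text, and the numeric scales assigned to the probability, exposure and severity levels are constructed assumptions.

```python
"""Severity weighting in multiplicative risk scores versus Manuele's alternative.

Added example, not from Manuele (2001) or this book. The 'weighting' of a
factor is measured here as its share of the score's total elasticity: how much
the score moves, in relative terms, for a relative change in that factor.
"""

# Constructed numeric scales for the ordinal levels of Tables 37.1-37.3.
# These are illustrative assumptions, not Manuele's published values.
PROBABILITY = {"Improbable": 1, "Remote": 2, "Occasional": 4, "Likely": 7, "Frequent": 10}
EXPOSURE = {"Seldom": 1, "Infrequent": 3, "Occasional": 6, "Often": 10}
SEVERITY = {"Minimal": 5, "Medium": 15, "Critical": 40, "Catastrophic": 100}


def risk_two_factor(probability, severity):
    """Typical two-factor system: severity carries half the weight."""
    return probability * severity


def risk_three_factor(probability, exposure, severity):
    """Typical three-factor system: plain product, severity diluted to a third."""
    return probability * exposure * severity


def risk_manuele(probability, exposure, severity):
    """Manuele's alternative: the two likelihood-type factors are summed first."""
    return (probability + exposure) * severity


def risk_category(score):
    """Score bands and required action from Table 37.4."""
    if score >= 800:
        return "High"  # operation not permissible
    if score >= 500:
        return "Serious"  # remedial actions to have high priority
    if score >= 200:
        return "Moderate"  # remedial actions to be taken in appropriate time
    return "Low"  # risk acceptable, remedial action discretionary


def elasticities(score_fn, factors, step=1e-6):
    """Relative change in score per relative change in each factor.

    Computed by finite difference so the same code serves any score formula.
    For a product of factors every elasticity is 1; for (p + f) x s the summed
    factors share one unit between them while severity keeps a full unit.
    """
    base = score_fn(*factors)
    result = []
    for i, value in enumerate(factors):
        bumped = list(factors)
        bumped[i] = value * (1 + step)
        result.append((score_fn(*bumped) - base) / base / step)
    return result


def severity_share(score_fn, factors):
    """Fraction of total elasticity belonging to severity (the last factor).

    This is the weighting Manuele refers to: 0.5 for the two-factor product
    and for his formula, about 0.33 for a plain three-factor product.
    """
    elas = elasticities(score_fn, factors)
    return elas[-1] / sum(elas)


def compare(prob_level, exp_level, sev_level):
    """Score one scenario under both three-factor formulas and band each result."""
    p, f, s = PROBABILITY[prob_level], EXPOSURE[exp_level], SEVERITY[sev_level]
    plain = risk_three_factor(p, f, s)
    alt = risk_manuele(p, f, s)
    return {
        "three_factor": (plain, risk_category(plain)),
        "manuele": (alt, risk_category(alt)),
    }


if __name__ == "__main__":
    cases = [
        (risk_two_factor, (4, 40)),
        (risk_three_factor, (4, 6, 40)),
        (risk_manuele, (4, 6, 40)),
    ]
    for fn, factors in cases:
        print(f"{fn.__name__:18s} severity share = {severity_share(fn, factors):.2f}")
    # A constructed low-probability, rarely-exposed fatality scenario, scored both ways.
    print(compare("Improbable", "Seldom", "Catastrophic"))
```

With the constructed scales, the fatality scenario lands in the Low band under the plain three-factor product but in the Moderate band under Manuele's formula; the severity shares themselves do not depend on the scales chosen.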
Risk = (Probability + Frequency of Exposure) x Severity

Manuele (2001) opines, "risk scoring systems can serve a real need. But, it should be remembered that they provide numerics on subjective judgments. Risk assessment is still as much art as science." Additional details and discussion can be found in Manuele's (2001) text, available at www.wiley.com.

ASME INTERNATIONAL

The American Society of Mechanical Engineers (ASME International) issued a Position Statement in April 2002. The purpose of the Statement is "to promote risk analysis as a technically sound and socially responsible way to help in decision-making by industry, government, and the general public." ASME uses risk analysis as the umbrella term that includes risk assessment, risk reduction and other activities. The Statement includes several Guiding Principles. These include:

• No course of action, including taking no action, is risk free.
• Risk analysis must be open and transparent - underlying assumptions, uncertainties, and methods must be understood, communicated, and documented.
• Free and open discussion of uncertainties must occur for the effective use of risk analysis.
• Open discussion of uncertainties requires an environment that is unfettered by unreasonable exposure to legal and financial liabilities.

Unfortunately, this openness can expose individuals, standards development organizations, and corporations to legal liability. We believe that free and open discussion and documentation of the risks associated with various courses of action will be greatly facilitated if appropriate statutory and regulatory protections are provided. This does not mean that parties should be relieved of liability for actual damages that they have caused, but that parties that have acted in good faith, and have responsibly used credible risk analysis methods as part of their decision-making processes, should not be liable for punitive damages.
Expanding on the issue of free and open discussions, the Statement explains:

While some significant elements of the risk analysis process cannot be readily quantified, these elements should neither be excluded nor be exempted from rigorous and consistent treatment. The trade-offs that are inevitable in any decision can be communicated more effectively if they are quantified. Although it is difficult to quantify safety, health, environmental, and quality of life issues, they should be treated as rigorously as possible.

Risk analysis is a technically sound and socially responsible method to facilitate decision-making by government, industry, and the general public. It is a structured process that is directed toward developing a better understanding of the risks associated with a proposed course of action. ASME International supports advancing the understanding, use, and acceptance of risk analysis, and encourages the larger community to join with us in advancing this critical process.

Additional information can be found at www.asme.org. Information on the ASME Homeland Security initiative can be found in Chapter 20.

SERAD

Within the ASME, the Safety Engineering and Risk Analysis Division (SERAD) was originally formed in 1991 by merging ASME's Safety Division and the Risk Analysis Task Force. Its function is to stimulate interest in and disseminate risk analysis and safety information as applied to the process of mechanical engineering. Member activity has expanded to include product liability, loss prevention and occupational health. SERAD sponsors conferences and technical presentations.
SERAD's goals and objectives include:

• To educate ASME members and others about the importance of risk analysis, safety engineering, and environmental and occupational health
• To encourage members to provide their expertise in the standards-setting process
• To promote codes and standards for new areas in risk analysis, safety engineering and environmental and occupational health
• To provide closer interface with other ASME Technical Divisions through joint efforts
• To enhance the quality of technical papers on safety
• To increase active participation by more ASME members in Division affairs
• To help members keep pace with the latest developments

SERAD members play a very active role in the risk assessment process. Many advances in the benchmark industries have resulted from SERAD members' involvement. Additional information and technical papers can be found online at the SERAD web page, http://www.asme.org/divisions/serad/index.html.

RISK-BASED INSPECTIONS

Risk is also becoming the basis for inspection and maintenance efforts. Not all components of a system represent the same risk of failure. Several efforts have emerged that use risk as a basis to determine the most effective use of inspection and monitoring resources. For example:

• The mechanical integrity provision of the OSHA Process Safety Management Rule emphasizes inspecting hazardous materials containment vessels and piping under 29 CFR 1910.119.
• The American Petroleum Institute has an inspection methodology that is risk-based (see Aller, 1995).
• In addition to the chemical and petrochemical industries, the gas and electric utilities industries apply risk-based methods to determine what, when and how to inspect and maintain systems. The Gas Research Institute has developed several risk management tools to optimize pipeline inspection and maintenance activities.
• The nuclear power industry is also adopting risk-based inspection methods as described in 10 CFR 50.65, ASME (1992, 1996) and USNRC (1998).
Latcovich, Michalopoulos and Selig (1998) describe the five primary steps in developing risk-based inspection programs:

1. System definition
2. Qualitative risk assessment
3. System assessment ranking
4. Inspection program development
5. Economic optimization

Finally, the Norwegian offshore industry standard NORSOK Z-013 states:

Risk-based inspection is a methodology which aims at establishing an inspection programme based on failure mechanisms which may be subject to inspection (corrosion, vibration, etc.). The methodology combines availability and risk analysis work and is typically applied for static process equipment. Risk analysis will correspondingly give input to optimisation of inspection programs, in relation to which equipment and pipe systems that have the highest contribution to risk to life and assets.

DISASTER AND EMERGENCY PREPAREDNESS

In January 2000, the NFPA promulgated NFPA 1600 Disaster/Emergency Management and Business Continuity Programs. This document establishes a common set of criteria to mitigate, prepare for, respond to, and recover from disasters and emergencies. NFPA 1600 outlines the important components of a comprehensive plan so organizations can develop a program that meets their unique needs. One of the key elements of NFPA 1600 is risk assessment. According to the document:

All entities, public and private, should identify and assess every hazard that might have an impact on their people, property, operations, and environment. Risk assessment should quantify the probability of these occurrences and the severity of their consequences, making the health and safety of people, including emergency responders, a top priority.
Organizations should also quantify the impact a disaster will have on their buildings, equipment, and business operations, including the organizations' missions, as well as the direct and indirect financial consequences. (emphasis added)

The expectation that a comprehensive quantified risk assessment (as defined in this book) can be conducted as outlined above would appear to be very optimistic. It is not clear how this approach applies given the many constraints, limitations and capabilities that exist in industry today. Such an assessment would be the rare exception rather than the rule in 2003. NFPA 1600 is an approved and active industry standard. Additional information can be obtained at www.nfpa.org.

Similarly, NyBlom (2003) discusses the key role that risk assessment plays in crisis management. NyBlom presents a very general risk assessment matrix as a method to allow crisis managers to anticipate and prioritize possible responses to risks. He states: "Once risks are placed on a matrix, a business decision can be made regarding which risks to address through controls and financing options and which to acknowledge but not address."

INDUSTRY BEST PRACTICES

The Industry Cooperation on Standards & Conformity Assessment (ICSCA) is an informally organized, but broadly leveraged, international group of corporate standards professionals and business executives from many industries and companies. ICSCA (2002) published a report, Industry Best Practice on Health & Safety at Work. According to the report:

Protecting workplace health and safety is a fundamental duty for all organizations and their employees. This shared goal is best achieved if organizations implement a structured approach to the identification of hazards and evaluation and control of work related risks. This approach to the management of occupational health and safety is not new; organizations have been successfully protecting worker health and safety using management techniques for decades.
The approach enables organizations to systematically:

• identify potential or actual job hazards;
• establish measurable objectives to eliminate or reduce those hazards and control any residual risks;
• implement programs and procedures to achieve these objectives; and
• measure and check to verify performance, the effectiveness of the arrangements and to identify opportunities for continuous improvement.

Each organization should develop the detail of its own structured approach to suit its needs. Part of the approach is planning. The document states that planning includes the following:

Conduct Hazard and Risk Assessment. The organization should implement a risk assessment procedure for identifying workplace and process hazards that pose potential or actual risks of injury or ill health. Hazards and risks should be prioritized so that they can be managed and controlled in a planned manner. The assessment should include risks to visitors or the public, emergencies and the impact of work by contractors, though contractors remain ultimately responsible for the safety of their own employees. Arrangements should also be made to provide specialist advice and services relevant to the nature of the organization's activities.

Hazard Control During Design. The first goal in controlling hazards/risks identified by the assessments should be elimination of the hazards/risks by design. Application of the hierarchy of controls during design will lead to reduced risk in the workplace. The goal is to avoid bringing hazards into the workplace by defining requirements and working with suppliers. Training, warnings and personal protective equipment are the last option and are used to control residual risk.

ICSCA does not detail a risk assessment process, nor does it provide a risk scoring system. The document references numerous global resources to supplement those areas. Additional information is available at www.icsca.org.au.

REFERENCES

Aller, J.E. (1995). Risk-based inspection for the petrochemical industry. PVP-Vol. 296/SERA-Vol. 3, Risk and safety assessments: where is the balance? New York: ASME.
ASME (1992). Risk-based inspection - Development of guidelines, Volume 2, Part 1: Light water reactor nuclear power plant components. American Society of Mechanical Engineers, www.asme.org.
ASME (1996). Risk-based inservice testing - Development of guidelines, Volume 2: Light water reactor nuclear power plant components. American Society of Mechanical Engineers, www.asme.org.
ASME (2002). Position statement, ID #02-15, Statement on role of risk analysis in decision making, April. American Society of Mechanical Engineers, www.asme.org.
ICSCA (2002). Industry best practice on health & safety at work. Industry Cooperation on Standards and Conformity Assessment, www.icsca.org.au.
Latcovich, J., Michalopoulos, E., & Selig, B. (1998). Risk-based analysis tools. Mechanical Engineering, November, 72-75.
Manuele, F.A. (2001). Innovations in safety management - Addressing career knowledge needs. New York: John Wiley & Sons.
NFPA 1600 (2000). Disaster/emergency management and business continuity programs. National Fire Protection Association, www.nfpa.org.
NORSOK Standard Z-013. Risk and emergency preparedness analysis. Rev. 1, March 1998, and Rev. 2, 2001-09-01. Norwegian Center for Ecological Agriculture, www.norsok.no.
Nuclear Regulatory Commission. 10 CFR 50.65. Requirements for monitoring the effectiveness of maintenance at nuclear power plants. www.nrc.gov.
NyBlom, S. (2003). Understanding crisis management. Professional Safety, March. American Society of Safety Engineers, www.asse.org.
OSHA. 29 CFR 1910.119. Process safety management of highly hazardous chemicals. Occupational Safety and Health Administration, www.osha.gov.
USNRC Regulatory Guide 1.175 (1998). An approach for plant-specific, risk-informed decision-making: inservice inspection. USNRC, 3/98. www.nrc.gov.
USNRC Regulatory Guide 1.178 (1998). An approach for plant-specific, risk-informed decision-making: inspection of piping. USNRC, 9/98. www.nrc.gov.

SECTION IV - IMPROVING THE RISK ASSESSMENT PROCESS

Chapter 38 - Comparing the Benchmark Methods
Chapter 39 - Other Methods to Assess Risks
Chapter 40 - The Documentation Debate
Chapter 41 - Harmonizing the Risk Assessment Process
Chapter 42 - A Roadmap to a Better System
Chapter 43 - Principles for Improvement
Chapter 44 - Projections for the Future

COMPARING THE BENCHMARK METHODS

Comparing Risk Terms
Comparing Risk Scoring Systems
Comparing Flow Charts and Lineage
Closure

KEY POINTS

1. The terms used in assessing risk can be very confusing. In particular, the term 'risk assessment' is elusive. It can mean the specific steps related to calculating a risk level, an overall term for the entire process, or refer to any method that assesses risks.
2. There are many variations in risk scoring systems because different risk scoring systems work well in different applications. This variation reflects the great diversity of opinion on risk assessment.
3. There is no indication that any particular risk scoring system is better than another for all applications.
4. Very few benchmarks use quantitative risk scoring systems.
5. A flow chart of the risk assessment method, or at least discrete steps, appears to have value because most benchmarks include a flow chart or procedural steps to help convey the risk assessment process.
6. Most benchmark systems have been developed based on methods that precede them. The lineage of risk assessment methods tends to trace back to just a few approaches. The methods should neither be treated as independent nor should they be dismissed.
7. Analysis of the benchmarks resulted in principles to improve the risk assessment process, discussed in Chapter 43.

COMPARING RISK TERMS

The terms used in assessing risk can be confusing.
Although several definitions for terms exist in the technical literature and are shown in Appendix A, consensus definitions do not yet exist. An inventory of the industry benchmark methods and the use of risk terms discussed in Section III appears in Appendix B of this book. A summary of the analysis in Appendix B appears in Table 38.1.

Table 38.1 - Evaluation of Benchmark Term Usage
Industry Benchmark | Risk Analysis Used? | Risk Estimation Used? | Risk Evaluation Used? | Risk Reduction/control/treatment is part of Risk Assessment?
Total Yes | 20 | 19 | 20 | 22
Total No | 45 | 29 | 35 | 21
Total Not Mentioned | 22 | 39 | 32 | 44

The results of Table 38.1 show that there is great diversity in term usage. This has negative implications for efforts that seek to converge the use of risk terms. From Appendix B, the different terms used to describe the overall risk assessment process are shown in Table 38.2.

Table 38.2 - Terms Used to Describe the Overall Risk Assessment Process
Term | Frequency Used
Risk Management | 25
Risk Assessment | 21
Risk Analysis | 8
Risk Assessment Process | 3
Risk Assessment and Risk Management | 2
Risk Assessment and Risk Reduction Process | 2
Risk Assessment and Risk Reduction | 1
Risk Assessment Planning | 1
Quantitative Risk Assessment | 1
Probabilistic Risk Assessment | 1
System Safety Risk Assessment | 1
Hazard Analysis | 1
Quantitative Risk Analysis | 1
Risk-based Decision Process | 1
Risk-based Inspection | 1
Risk-informed Methodology Process | 1
Risk Reduction Process | 1
Occupational Health and Safety Management | 1
System Pre-Start Health and Safety Review | 1
Product Stewardship | 1
Safety Life Cycle | 1
Safety Management and Risk Control | 1
System Safety | 1
The Iterative Process to Achieve Safety | 1
No overall term used, not mentioned | 7

A simple tally of the frequency each term is used appears in the second column of the above table. The most frequently used terms to describe the overall process of assessing risks are "risk management" and "risk assessment."
If the variations of risk assessment such as 'risk assessment and risk reduction' are considered, "risk assessment" obtains slightly more usage. Two caveats should be noted before drawing broad conclusions from this table. First, the entries in the table are not exhaustive. Other risk assessment benchmark methods exist and are not accounted for in this table. Second, the benchmark methods are not independent. Many methods adopt definitions and terms from other documents. An argument can be made that these should only count once, and the converse could also be argued. Nonetheless, the two most common terms, "risk management" and "risk assessment," stand out from the others.

The general process and analysis of identifying hazards, rating risks and determining if, and how much, to reduce risks can be termed any one of several names. There remains no small amount of confusion as to what the following terms mean and how they differ from one another:

• Risk assessment
• Risk analysis
• Risk characterization
• Risk estimation
• Risk evaluation
• Risk management

A consensus meaning of the term risk assessment does not exist. This becomes apparent from Appendix B, as different industries use the term to describe different portions of the same process. Some use the term to apply to only specific steps related to calculating a risk level. Others use the term very broadly to include the entire process. Still others use the term so generically as to refer to any analysis that assesses risks. Different industries, organizations and authors have defined the term in different ways.

An argument can be made that risk management should not be the term to describe the process in question. Risk management typically involves much more than the technical aspects of assessing risk, including insurance issues, Worker Compensation, contractual indemnification, and others discussed in Chapter 34. Often risk assessment becomes an input to, or is contained in, risk management.
Adopting risk management as the term for the overall risk assessment process omits many other important aspects of risk management.

In numerous standards development committee meetings, many relatively unfruitful hours have been spent in committee discussions attempting to make sense of the individual terms. In these discussions the confusion did not arise from what was to be done at particular points in the risk assessment process, but with the individual labels used to describe the process. The arguments for and against different uses of terms involve the following concerns:

• Technical accuracy
• Grammatical accuracy
• Leveraging existing knowledge and understanding in spite of inaccuracies
• Complexity
• Ease of use

Engineers typically have a strong passion for technical accuracy. This passion stems from the training and indoctrination engineers receive over the course of their formal education. If there are two answers to a question and one is more accurate than the other, the more accurate solution receives preference. If one answer is adequate but inaccurate and the other is accurate but complex, engineers typically prefer the more accurate selection. This passion for accuracy may explain in part the many risk scoring systems that now exist and the drive to adopt quantitative risk assessment methods. Conversely, managers and implementers tend to focus on value and effectiveness and often lack passion for technical accuracy. Managers may willingly accept some inaccurate but effective solutions that are easily implemented.

Discussions of risk assessment terms continue in companies, industries, standards writing committees, safety workshops, and conferences. The discussion is largely healthy and will continue as the many risk assessment methods converge in time. Yet given the present plethora of risk assessment approaches, divergence may continue for some time. How these discussions resolve to a single solution remains to be seen.
COMPARING RISK SCORING SYSTEMS

When comparing the benchmark methods of conducting risk assessment, the most remarkable difference occurs in the risk scoring systems. Appendix C of this book compares the risk scoring system type, description and number of risk factors, number of levels of risk, and the format of the risk scoring system. Studying Appendix C leads to the following observations:

• The many variations in risk scoring systems reflect the great diversity of opinion on risk assessment. The variations reflect the current state of the art, and that different risk scoring systems work well in different applications. There is no indication that any particular risk scoring system is better than another for all applications.
• There is great debate regarding which of the three types of risk scoring systems should be used: qualitative, semi-quantitative or quantitative. Strong views are expressed on all sides.
• Very few benchmarks use quantitative risk scoring systems. Most benchmarks use either a semi-quantitative or qualitative approach.
• In most cases, the lack of useful data is a leading limitation to using quantitative systems. Although most engineers and safety practitioners agree in principle that a quantitative system is preferable to other systems, the vast majority of applications preclude a quantitative assessment. Although there are reasoned arguments for and against different risk scoring systems, most approaches to risk assessment must use a semi-quantitative or qualitative system.
• The risk scoring question is best viewed as a continuum of systems that address different risk assessment needs. Different risk scoring systems may be appropriate for different applications at different times or stages of development.

A basic tally of the methods in Appendix C results in the data of Table 38.3.
Table 38.3 - Risk Scoring System Method Type and Frequency
Method Type | Frequency
Qualitative | 25
Semi-quantitative | 17
Quantitative | 7
Multiple/not published/other | 33
Total | 82

Table 38.3 demonstrates that of the methods contained in Section III, at least half use qualitative or semi-quantitative methods. The table also demonstrates that quantitative risk scoring systems are in the minority.

Table 38.4 shows a summary of the frequency with which risk factor levels occur in Appendix C. The data show that the number of risk factors used in the risk scoring systems varies from two to five. The data in Appendix C also show that the levels used for each risk factor range from 2 to 10, with most systems having 3 to 5 levels for each risk factor. At least half of the methods in Section III use either two or three risk factor levels. Most systems use only two or three factors. A common approach employs the red/amber/green stop light color system for risk levels.

Table 38.4 - Risk Scoring System Frequency of Risk Factor Levels
Risk Factor Levels | Frequency
2 | 32
3 | 10
4 | 2
5 | 1
Multiple/not published/varies/other | 37
Total | 82

Risk scoring system formats include: matrices, weighted equations, checklists or questions, quantitative values, graphs and general descriptions. The most common method is a table or matrix presentation using two factors such as severity and probability. Many benchmarks accommodate a variety of risk scoring systems. For example, they provide a generic structure without details of how the structure should be implemented. This permits users to choose a system, but also introduces the opportunity for confusion due to a lack of specific direction. Many benchmark methods do not publish the details of the risk scoring system used. This may be due to accommodating many approaches, not having sufficient detail to publish the method, or consideration of the details as proprietary information.

COMPARING FLOW CHARTS AND LINEAGE

FLOWCHARTS

A picture is worth a thousand words.
As shown in Section III, many of the risk assessment benchmark methods use a flow chart to help present and describe the risk assessment process. For the more complex approaches, a flow chart can greatly assist in communicating the overall process. For simpler approaches, a flow chart may not be necessary. The use of a flow chart to illustrate a method is an attribute that can be compared across the various industry benchmarks. Based on a comparison of the risk assessment benchmarks, there appears to be value in including a flow chart of the method or at least discrete steps.

LINEAGE

A great many methods exist to perform risk assessment. The many benchmark industries and methods can be very confusing. Not only are they many in number, they also differ greatly in complexity. More than one method can exist within an industry or even within a company. One application may require very sophisticated quantitative methods, yet another application may need only a simple qualitative assessment.

Most benchmark systems have been developed based on methods that precede them. The lineage of risk assessment methods tends to trace back to just a few approaches, particularly MIL STD 882 and ISO Guide 51. The lineage of some methods is readily discernible, but others preclude easy categorization. Often a new method will adopt much of a preceding approach and then modify portions to better suit its particular application. In some instances, the alterations are substantial enough to make identifying a predecessor difficult.

Adoption of one industry's approach by another industry should neither be considered a complete validation of the method, nor a reason to discount the method. In some cases adopting, and then adapting, an existing approach is expedient; for example, a committee may be tasked not to invent a new risk assessment method but only to adapt an existing approach to its specific application. Be aware of the lack of independence of these methods.
Caution should be exercised against drawing broad conclusions of merit based on simply tallying and yielding to the majority. The methods are not independent. For example, ISO Guide 51 forms the basis for many benchmark approaches. These many approaches should not necessarily be counted as independent validation of the ISO Guide 51 method. The key point is that the methods are not independent. The methods should neither be treated as independent nor should they be dismissed.

CLOSURE

There are many approaches to risk assessment, yet common themes run through all. Every benchmark approach seeks to identify hazards, assess risks, and reduce risks. The primary differences occur in the details of how risk is assessed through different risk scoring systems and in the ways used to describe an acceptable level of risk. Unfortunately, there is also a great dispersion in the terms used to describe the various parts of the risk assessment process, and in the meaning of common terms like "risk assessment." The "best" risk scoring system is the one that works for a particular application. There is no single or universal answer.

REFERENCES

ANSI B11 Technical Report #3 (2000). Risk assessment - A guideline to estimate, evaluate and reduce risks associated with machine tools. The Association for Manufacturing Technology, www.amtonline.org.
Benjamin, S.L. & Belluck, D.A. (Eds.). (2001). A practical guide to understanding, managing, and reviewing environmental risk assessment reports. Boca Raton, FL: CRC Press/Lewis Publishers, Inc.
Canadian Ministry of Labour (2001). Guidelines for pre-start health and safety reviews: How to apply section 7 of the regulation for industrial establishments. www.gov.ca/lab/ohs.
Considine, M. (2000). Quantifying risks in the oil and chemical industry. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.
Cooper, D. (1999). Tutorial notes: The Australian and New Zealand standard on risk management, AS/NZS 4360:1999. Broadleaf Capital International Pty Ltd.
EN 292-1/ISO 12100-1 (1999). Safety of machinery - Basic concepts, general principles for design, basic terminology, methodology. www.global.ihs.com.
HSE (2001). Reducing risks, protecting people: HSE's decision-making process. Health and Safety Executive, www.hse.gov.uk.
ISO 12100-1 (2003). Safety of machinery - Basic concepts and general principles for design - Part 1: Basic terminology and methodology. International Organization for Standardization, www.iso.ch.
ISO 14121/EN 1050 (1999). Safety of machinery: risk assessment. International Organization for Standardization, www.iso.ch.
ISO/IEC Guide 51: 1999 (E). Safety aspects - Guideline for their inclusion in standards. Second Edition. International Organization for Standardization, www.iso.ch.
MIL-STD-882D (2000). Standard practice for system safety. Department of Defense, U.S.A. www.defenselink.mil.
SEMI S10-1103 (2003). Safety guideline for risk assessment. Semiconductor Equipment and Materials International, www.semi.org.
Tweeddale, H.M. (1989). Uses and abuses of risk assessment. Chemeca 89: Technology for our third century, Gold Coast, Queensland, Australia (pp. 191-198).
Wang, J.X. & Roush, M.L. (2000). What every engineer should know about risk engineering and management. New York: Marcel Dekker, Inc.
Whipple, C. (1988). Risk-based standards in engineering. In Engineering applications of risk analysis. American Society of Mechanical Engineers, Winter Annual Meeting, December 1987. www.asme.org.

OTHER METHODS TO ASSESS RISKS

Methods to Assess Risks
Comparison to FMEA
Comparison to PHA
Comparison to "What If" and HAZOP
Comparison to FTA
Comparison to MORT
Comparison to Checklists
Comparison to Standards/Codes
Which Method(s) To Use

Many people are becoming involved in the risk assessment process.
A good number of them may not be familiar with the many methods available to assess risk, in part because they have not had training in safety methods. There exists a potential for confusion as to how risk assessment compares to the other methods. This chapter provides a very basic and brief overview of the most prominent methods. Readers familiar with these other methods may wish to skip this chapter.

KEY POINTS

1. This chapter provides a basic overview of several methods available to assess risk.
2. The risk assessment process comprises only one method to identify hazards, assess risks and reduce residual risks. Other methods have value and should be used as appropriate.

METHODS TO ASSESS RISKS

There are a great many methods and variations of safety analyses; probably too many. Goldberg, Everhart, Stevens, Babbitt, Clemens and Stout (1994) discuss in detail fifteen different system safety analysis tools for identifying hazards. Clark (1985) documented 84 different methods from the technical literature for use in assessing safety. Clemens (2002) indicates, "one of the problems with system safety is its stupefying proliferation of analytical approaches. The 2nd edition of the System Safety Society's System Safety Analysis Handbook describes 101 analytical approaches." The number of analyses reflects that there are many approaches to evaluating system designs. The numerous methods exist because many of these tools are slight variations on similar themes with some overlap. Each offers a slightly different perspective on system problems. Even if one boils down the list to primary families of methods, there remain several options to choose from. Yet the reason so many different approaches exist is because there is no one universal, ideal approach. No one approach reigns superior to all others, including risk assessment. Methods of identifying hazards and assessing risks take many forms.
Some of the most frequently used tools include:

• Failure Mode and Effects Analysis (FMEA)
• Risk Assessment
• Preliminary Hazard Analysis (PHA)
• "What-If" method
• Fault Tree Analysis (FTA)
• Hazardous Operations (HAZOP)
• Management Oversight Risk Tree (MORT)
• Checklists
• Standards/Codes

Of the available analysis methods, the preliminary hazard analysis and FMEA in some combination with risk assessment are the most frequently used tools. Many of the tools not listed here are best applied by a specialist. A simple illustration of these methods appears in Figure 39.1. Note that the pie slice sizes are simply for illustration. The system design appears at the center of these methods. Each method offers a different perspective and with it differing strengths and weaknesses. The methods overlap in certain instances.

Figure 39.1 - Methods to Assess Risk

There are great similarities among these methods. Each method begins with potential hazards or failures, each uses a system to evaluate risks, and each is conducted to identify necessary protective measures. Indeed the methods are quite similar. However, there are also important distinctions between them.

Many risk assessment guidelines provide little specific direction on how to identify hazards. Most include a checklist of hazards in some form. Since hazard analysis is a brainstorming activity based largely on experience, little specific direction is possible. In some industries, task-based approaches are strongly recommended. In others a hazard-based approach is suggested. Still other approaches do not provide specific guidance on how to identify hazards but simply state that they need to be identified.

To aid in understanding how different methods to assess risk fit into the overall product and process development effort, this chapter briefly outlines a few of the primary methods and compares them to risk assessment. The reader is cautioned that this presentation is a loose interpretation of the methods.
Other authors have written extensively on the methods. For more detail, interested readers should review Clemens (2002), Manuele (2003), Roland and Moriarty (1990), and others.

COMPARISON TO FMEA

Many readers will be familiar with Failure Modes and Effects Analysis (FMEA). FMEA is widely used in the automotive and medical devices industries to evaluate system failures. FMEA is a technique that is very similar to risk assessment. Of all the analytical methods developed in the safety community, design engineers tend to be most familiar with the FMEA. In some industries FMEA has been widely implemented. The FMEA process has been standardized in the automotive industry through SAE J1739 (1994) and in the semiconductor industry through Villacourt/SEMATECH (1992). Compared to FMEA, risk assessments are a relatively new entrant to industry. FMEA is often considered a form of reliability analysis. Hammer (1993) describes FMEA as follows:

[FMEA] is oriented toward investigating the results that malfunctions of components can generate. Failure modes and effects analysis was developed by reliability engineers to permit them to predict the reliability of complex products. To do this it was necessary to establish how and how often components of a product could fail. FMEA was then extended to evaluate the effects of such failures.

FMEA identifies potential failure modes that could lead to incidents. It breaks down designs into components or sub-components, then systematically evaluates the potential for and effects of individual failures, focusing on how they can lead to hazards or negative consequences. Data such as mean time between failures (MTBF) can be obtained and used in the evaluations. Results of the analysis are used to evaluate and implement protective measures to eliminate or control hazards. The following steps are part of the FMEA:

1. Identify the failure and its causes.
2. Describe the potential effect of the failure.
3. Identify and quantify the severity or seriousness of the effect of the failure.
4. Quantify the probability of the cause occurring.
5. List the ways in which the failure can be prevented.
6. Identify a "Risk Priority Number" which quantifies the design risk. This number is the product of the severity, the probability and the ability to detect the cause.
7. Rank the risks and decide which failure modes will be addressed with corrective action.

FMEA offers several advantages, especially in its ability to quantify overall risk and consequences. Quantifying risk can reduce much of the subjectivity in safety analyses. FMEA is particularly well suited to situations where engineers are unsure what problems might occur or how small problems could lead to larger ones. This kind of analysis is very strong when the interactions between failures are not complex, and when system and hardware problems are more likely to occur than problems of human interaction or error. FMEA is also useful in determining which of several potential problems should receive priority attention.

Although FMEA is a powerful tool, it does have limitations. A thorough FMEA can be costly and may not always be necessary. Completing it can consume time evaluating non-critical components or failure modes that do not result in accidents. FMEA typically does not look at system linkages and interactions or multiple-element failures. Finally, the level of design maturity required for a quantitative FMEA is not generally reached until late in the design phase. The focus of an FMEA is identifying product or component "failures" and looking at the potential effects on the overall system. While failures identified and analyzed in an FMEA are typically different from the type of safety hazards identified in a risk assessment, many of the same analytical processes are used. Perhaps the largest drawback of FMEA is that it does not include human error.
An FMEA is not well suited to identifying situations where the people who interact with a system "fail." The "failure" occurs when users interact with the system in ways the designer did not expect; in some instances the "failure" may be necessary to complete a task, such as jumpering switches to troubleshoot or perform maintenance. Since many accidents involve human error, this drawback can be critical. This limitation explains why a risk assessment is a very complementary analysis to FMEA: the risk assessment focuses on the people side of the puzzle. Risk assessment looks at preventing negative consequences from a slightly different perspective. The primary focus of a risk assessment is to identify and design work methods to avoid people's "failures." In many instances, injuries occur because the person(s) interacting with the equipment behaved in a way(s) not considered by the designer. Such behavior may be a direct result of the equipment design (e.g., a long distance to power lockout or confusing instructions), design-induced human error or other reasons. The primary difference between these methods is that where the FMEA looks at design or component "failures," a risk assessment focuses on the human interactions and "failures" with the product or system. A risk assessment focuses on understanding the tasks personnel perform on or around equipment, and the hazards associated with the tasks. These two analysis methods should be viewed as complementary rather than competing. Additional information about FMEA can be found in SAE J1739 (1994), Villacourt/SEMATECH (1992), Clemens and Simmons (1998), Manuele (2003) and others.

COMPARISON TO PHA

The Preliminary Hazards Analysis (PHA) is a fundamental method of identifying hazards. A PHA is best conducted early in the design process so that hazards and risks can be effectively addressed during design.
Roland and Moriarty (1990) note the following about the PHA:

Its purposes are to identify safety critical areas within the system, identify and roughly evaluate hazards, and begin to consider safety design criteria. It is primarily an analysis of hazard discovery. It is a first and most important examination of the state of safety of the system.

In addition, Clemens (2002) observes that:

[The PHA] produces a hazard-by-hazard inventory of system hazards and an assessment of the risk of each of them. A PHA is also a screening or prioritizing operation. It helps separate hazards that pose obviously low, acceptable risk from the intolerable ones for which countermeasures must be developed. A PHA does not readily recognize calamities that can be brought about by co-existing faults/failures at scattered points in a system.

Traditionally, the PHA is used only to identify hazards, although often the analysis is extended to assess risks and reduce them. In this regard, the PHA is very adaptable. Compared to the risk assessment, the methods are very similar. The PHA often comprises the front part of the assessment. Once the hazards are identified, the risks are assessed and reduced. Manuele (2003) notes "in reality, the technique needs a new name because it has achieved broader use than the original intent, which was a preliminary assessment system to be used in early concept and design stages for a product or system." An argument can be made that the new name of the PHA could be risk assessment.

COMPARISON TO "WHAT IF" AND HAZOP

The "What If" analysis method is a structured approach to identifying potential hazards and hazardous situations, and evaluating the consequences from them. "What If" is a more formalized approach to a process that nearly everyone does: identifying potential problems and developing ways to avoid them. Typically a team will brainstorm various scenarios related to how a person might be injured or a system might fail with a product or process design.
The team develops the scenarios and then works through protective measures needed to prevent injury or failures. The "What If" method is frequently used to anticipate safety problems in a variety of applications. Fullwood (2000) states:

"What-if" analysis considers deviations from the design, construction, modification, or operating intent of a process or facility. It is applicable at any life stage of a process. "What-if" is a creative, brainstorming examination of a process or operation conducted by knowledgeable individuals asking questions. Through questions, the team generates a table of possible accidents, their consequences, safety margins, and mitigation. The accidents are not ranked or evaluated.

Hazards and Operability (HAZOP) studies are common in the chemical processing industry. A HAZOP is similar to "What If" but is tailored to the processing industries. HAZOP is a formal procedure to identify all the ways a process might fail and how such failures can be avoided. A HAZOP can be tedious and require a large investment of resources to complete. Vansina (2000) provides the following observations:

Risk analysis such as "Hazop" or "What if" is common practice in the process industries. The problem, however, is that these types of studies are normally conducted at the end of the design process, when the [facilities] are almost definitive. As Trevor Kletz mentioned in his book "Hazop and Hazan": Hazop is a final check on a basically sound design to make sure that no unforeseen effects have been overlooked. It should not replace the normal consultations and discussions that take place while a design is being developed. In a lot of cases however, no evidence can be found that these 'consultations and discussions' are scheduled and carried out during the design process or that they are supported by some sort of methodology to guarantee a systematic approach.
When the only systematic identification of risks takes place at the end of the project, risk assessors will be inclined to solve safety problems by adding additional protection systems (interlocks, alarms, additional instructions, etc.) rather than by making the process inherently safer. A Hazop on an almost definite [facility] can make the installation less unsafe, but it is not a tool to design it safely.

Trammell, Lorenzo, and Davis (2003) add that "a typical HazOp is not strong or necessarily effective in prioritizing the effects of the failures, and it usually does not study the relative effectiveness of proposed corrective actions."

Although the "What If" method has long been used, there are some difficulties with this approach. In addition to the problems Vansina (2000) notes, a primary shortcoming is that it leads to an inefficient use of resources. The team spends inordinate amounts of time and energy working through increasingly less significant scenarios. A considerable challenge with this method is knowing when to end the analysis. "What If" can be especially difficult in liability situations where an injured party can claim that the team was negligent in completing its work because it did not address the particular scenario that resulted in injury, and that if it had been more diligent the injury would have been avoided. This goes to the issue of foreseeability and can be very difficult to defend. A risk assessment contrasts with the "What If" and HAZOP methods in that there is a definite end point: the assessment is complete when all tasks and hazards are identified and the risks are reduced to an acceptable level. Although a risk assessment still requires time and effort to complete, resources can be used more efficiently.
COMPARISON TO FTA

The Fault Tree Analysis (FTA) is a top-down approach to assessing risks, meaning a specific negative outcome such as an accident is identified and the ensuing analysis examines the things that must occur to result in that outcome. Roland and Moriarty (1990) provide the following background on the FTA:

FTA has, since its development in 1961, gained widespread recognition as one of the more powerful analytic tools for analyzing sets of events arranged in systems. The method structures relations between events in a system into a Boolean logic model that leads to accident causation. These events are structured so that they lead to a specified outcome. This approach to analysis is called deductive. The method is unusually versatile in that it allows dynamic considerations to be considered, sensitivity analysis performed, and the results of analysis quantified. It allows the analyst to evaluate alternatives in system design - to judge tradeoffs. The fault tree method has four major advantages over other forms of system analysis:
1. It directs the analyst deductively to accident-related events;
2. It provides a depiction of system functions that lead to undesired outcomes;
3. It provides options for both qualitative and quantitative analysis; and
4. It provides the analyst with insight into system behavior.

Clemens (2002) describes the FTA as follows:

A top-down symbolic logic technique that models failure pathways within the system, tracing them from a predetermined, undesirable condition or event to the failures/faults that may induce it. The fault tree uses tools of logic to model the system and to guide the analysis of paths to system failure.
• Particularly useful for high-energy systems; a powerful diagnostic tool for analysis of complex systems and as an aid to design improvement.
• Enables analysis of probabilities of combined faults/failures within a complex system.
• Identifies areas of system vulnerability and low-payoff countermeasuring, thereby guiding deployment of resources for improved control of risk.
• Treats only one undesirable condition/event. Thus, several or many tree analyses may be needed for a particular system.

The FTA differs from risk assessment in that the FTA focuses on avoiding single outcomes. A risk assessment typically evaluates a system in greater breadth (many tasks and hazards) but at less depth. An FTA tends to be system focused. Although user involvement with a system can be included in an FTA, the perspective of the assessment is on the system. Conversely, the risk assessment focuses on the user perspective.

COMPARISON TO MORT

The Management Oversight and Risk Tree (MORT) system shares many attributes with the FTA. The Department of Energy (1994) describes MORT as follows:

MORT is a comprehensive analytical procedure that provides a disciplined method for determining the systemic causes and contributing factors of accidents. Alternatively, it serves as a tool to evaluate the quality of an existing system. While similar in many respects to fault tree analysis, MORT is more generalized and presents over 1,500 specific elements of an ideal 'universal' management program for optimizing environment, safety and health, and other programs.

Clemens (2002) adds that:

MORT is often used as a non-quantitative System Safety tool. The all-purpose, pre-cooked logic tree which serves as the basis for MORT is exhaustively thorough. The tree is of great value in mishap investigation and is also useful as a subjective "comparator" against which to gage safety program effectiveness. (emphasis in original)

Manuele (2003) favorably recommends MORT as a method to evaluate contributing factors of accidents. However, Clemens (2002) notes "as a diagnostic device, MORT is sometimes unrealistically pessimistic." Similar to FTA, MORT assists users in assessing risks for specific hazards or accident scenarios.
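The logic-tree mechanics that both the FTA description and MORT's tree rely on, as an added example that is not from the book: a small Python evaluator with AND/OR gates that derives the minimal cut sets of a tree, computes the top-event probability in closed form, and checks that figure by exhaustive enumeration. The tree, event names and probabilities are constructed placeholders, and basic events are assumed statistically independent; as both descriptions above note, one tree treats a single undesirable top event, which is the depth-on-one-outcome view.

```python
"""Fault tree evaluation with AND/OR gates (added illustration, not from the book).
The tree, event names and probabilities below are constructed placeholders, not
data from any real analysis. Basic events are assumed statistically independent.
"""
from dataclasses import dataclass
from itertools import product
from math import prod
from typing import Dict, FrozenSet, Set, Tuple, Union


@dataclass(frozen=True)
class Event:
    """A basic event (a fault or failure) with its probability of occurring."""
    name: str
    probability: float


@dataclass(frozen=True)
class Gate:
    """An AND or OR gate whose inputs are basic events or further gates."""
    kind: str                      # "AND" or "OR"
    name: str
    inputs: Tuple["Node", ...]


Node = Union[Event, Gate]


def basic_events(node: Node) -> Dict[str, float]:
    """Collect every basic event under a node, keyed by name."""
    if isinstance(node, Event):
        return {node.name: node.probability}
    found: Dict[str, float] = {}
    for child in node.inputs:
        found.update(basic_events(child))
    return found


def occurs(node: Node, failed: Set[str]) -> bool:
    """Boolean evaluation: does the node occur, given which basic events failed?"""
    if isinstance(node, Event):
        return node.name in failed
    results = [occurs(child, failed) for child in node.inputs]
    return all(results) if node.kind == "AND" else any(results)


def gate_probability(node: Node) -> float:
    """Closed form: AND multiplies, OR uses 1 - prod(1 - p).
    Exact only when no basic event appears more than once in the tree."""
    if isinstance(node, Event):
        return node.probability
    probs = [gate_probability(child) for child in node.inputs]
    if node.kind == "AND":
        return prod(probs)
    return 1.0 - prod(1.0 - p for p in probs)


def exact_probability(node: Node) -> float:
    """Enumerate every combination of basic-event states (exponential, but
    correct even when one basic event feeds several gates)."""
    events = basic_events(node)
    names = list(events)
    total = 0.0
    for states in product((False, True), repeat=len(names)):
        failed = {n for n, s in zip(names, states) if s}
        if occurs(node, failed):
            total += prod(events[n] if s else 1.0 - events[n]
                          for n, s in zip(names, states))
    return total


def minimal_cut_sets(node: Node) -> Set[FrozenSet[str]]:
    """Smallest combinations of basic events that bring about the top event."""
    if isinstance(node, Event):
        return {frozenset([node.name])}
    child_sets = [minimal_cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        combined = set().union(*child_sets)
    else:
        combined = {frozenset()}
        for sets in child_sets:
            combined = {a | b for a in combined for b in sets}
    # Discard any cut set that strictly contains another: it is not minimal.
    return {c for c in combined if not any(other < c for other in combined)}


# Constructed example: one undesirable top event, an operator's hand reaching
# a moving saw blade. Probabilities are per-access placeholders, not measured.
BLADE_CONTACT = Gate("AND", "operator_contacts_moving_blade", (
    Event("blade_moving_during_access", 0.05),
    Gate("OR", "access_not_prevented", (
        Event("guard_removed", 0.02),
        Gate("AND", "interlock_ineffective", (
            Event("interlock_switch_fails", 0.01),
            Event("fault_not_detected_by_control", 0.5),
        )),
    )),
))

if __name__ == "__main__":
    for cut in sorted(sorted(c) for c in minimal_cut_sets(BLADE_CONTACT)):
        print("cut set:", " AND ".join(cut))
    print("closed form:", gate_probability(BLADE_CONTACT))
    print("exact:      ", exact_probability(BLADE_CONTACT))
```

The two probability routines agree here because no basic event is repeated; on a tree where one event feeds two gates, only the enumeration stays correct.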
This differs from risk assessment, which tends to focus more broadly but at less depth in the analysis.

COMPARISON TO CHECKLISTS

Most people are familiar with using checklists. Although creating a checklist requires identifying hazards and assessing the risks, using one does not. Items on a checklist represent hazards with risks that need to be eliminated or avoided via means expressed in the checklist. Checklists tend to be static assessment tools in that the checklist only guides users to consider items on the list. It does not prompt users to identify new or unknown hazards. In many instances, checklists have been created for use with existing processes, equipment, or facilities, but are not specifically checklists for design considerations. Clemens (2002) emphasizes, "NEVER rely on a checklist alone as a means of identifying system hazards!" A checklist can be very beneficial in ensuring that known hazards are addressed appropriately. Checklists can be used as Yes/No or Applicable/Not Applicable lists, or they can incorporate a simple rating system. A risk assessment differs from a checklist in that the risk assessment is a dynamic analysis. Although checklists may be helpful in identifying hazards in the risk assessment, the task-based approach helps ensure that the hazards associated with the tasks will be identified. A risk assessment is better than checklists at prompting risk-appropriate protective measures to reduce risks.

COMPARISON TO STANDARDS/CODES

Both checklists and standards/codes involve comparing a design to specifications rather than conducting a specific analysis. Historically, industry standards have been prescriptive. They specified in detail what needed to be done to meet the standard. For example, the dimensions of a ladder rail, a minimum conductor size for electrical equipment, or the warning label text for a trampoline might be specified. An engineer using the standard had very clear guidance on how to comply with the standard.
Unfortunately, the prescriptive nature of the standards stymied innovation because it did not allow other designs to adapt the requirements to differing circumstances. For instance, new materials might provide identical strength characteristics, advances in electrical systems might render the minimum conductor requirements obsolete, and trampoline designs may cause the warnings to become outdated. However, in each of these instances a prescriptive standard excludes innovations. Bhimavarapu and Stavrianidis (1999) observe:

In the highly globalized business atmosphere where process life cycle costs are to be minimized in order to remain competitive, performance-based standards are viewed as an alternative approach to a) optimize the performance of protection and control systems; b) maximize process safety at a reduced cost; and c) establish common and simpler safety requirements for a variety of sophisticated and novel processes without having a significant historical experience base. In view of the limitations of prescriptive standards, efforts have been directed in the last two decades toward establishing performance-based standards and regulations using risk as the basic performance parameter. The objective of these efforts is to establish a consistent and widely accepted methodology to evaluate process risks and propose alternative solutions that reduce risk to acceptable levels. As technologies become more sophisticated and profit margins grow tighter because of increased global competition, performance-based regulations and standards will become the order of the day.

Today, performance standards have largely replaced prescriptive standards. Performance standards specify the level of performance necessary to meet the standard. For example the ladder rail may be required to meet static and dynamic loading levels versus specific size dimensions. A performance standard allows for greater flexibility in designs.
However, not all performance standard clauses provide explicit guidance such as test load levels. Many requirements use language such as, "consideration should be given to the hazards associated with power-driven hand wheels" (ANSI/PMMI B155.1-2000). Demonstrating compliance with this type of language presents some challenges. Risk assessment helps to establish that such concerns were considered and any risks were reduced to an acceptable level. With prescriptive standards, compliance audits could be performed to ensure designs met the requirements. Now, risk assessments are increasingly used as a method to demonstrate compliance with performance-based standards. In this way, performance-based standards have been a driver of risk assessment.

WHICH METHOD(S) TO USE

Does a company have to do a risk assessment if it already has an FMEA or FTA? As with many engineering questions, the answer is "it depends." One can always do more analyses. If an FMEA is complete, human exposures are addressed and the manufacturer believes all risks are reduced to an acceptable level, then it need not conduct a risk assessment. Recall from Figure 39.1 that many of the methods to assess risk overlap or offer a different perspective on the problem. If an FMEA has been completed and the resulting design is considered reliable, a risk assessment may not be needed. However, since the risk assessment focuses on the users and the tasks they perform, it can be a very complementary analysis to an FMEA. For example, the FMEA addresses the product and the risk assessment focuses on the user interactions. Depending on the system design and the user interactions with it, one or more methods can be used to assess risks. Which particular method best suits the application depends on the circumstances of that application. None of the methods discussed will be necessary or appropriate in all applications. Clemens and Simmons (1998) have discussed the lack of a "one size fits all" method, which is what gives rise to the many methods.
They observe:

The search continues for the ideal system safety analytical method. The notion that one analytical approach exists that is overwhelmingly superior to all others will not die as long as charlatans and shallow thinkers perpetuate the myth. Each analytical technique has its advantages and its shortcomings. The design engineer/analyst is well-served by a "toolbox" of system safety analytical techniques, each of which is cherished for the insights it provides.

In discussing risk assessment, Whipple (1988) observes a very real constraint on the risk assessment process: "while risk assessment can and has led to many instances of risk reduction, not all risk sequences can be identified, and not all those identified can be eliminated." Additionally, McNab (2001) notes, "the 'tool' of risk assessment does not provide a 'magic' solution to problems. It can however, document and clarify the components of risk, leading to a more efficient and effective utilisation of resources, and better decisions." The risk assessment process comprises only one method to identify hazards, assess risks and reduce residual risks to an acceptable level. Other methods have value and should be used as appropriate.

REFERENCES

ANSI B11 Technical Report #3 (2000). Risk Assessment - A guideline to estimate, evaluate and reduce risks associated with machine tools. The Association for Manufacturing Technology. www.amtonline.org.

ANSI/PMMI B155.1-2000. For packaging machinery and packaging-related converting machinery - safety requirements for construction, care and use. Packaging Machinery Manufacturers Institute. www.pmmi.org.

Bhimavarapu, K. & Stavrianidis, P. (1999). Performance-based standards for process industry - development, implementation and integration. ISA TECH 1999 Conference. www.isa.org.

Clark, D.R. (1985). Promoting safe design by developing a more effective, user-friendly hazard analysis and control information retrieval technique.
Master's thesis, University of Michigan, Ann Arbor, Michigan, USA.

Clemens, P.L. (2002). System safety scrapbook. Sverdrup Technology, Inc., Ninth Edition. www.sverdrup.com/safety.

Clemens, P.L. & Simmons, R.J. (1998). System safety and risk management: A guide for engineering educators. U.S. Department of Health and Human Services, National Institute for Occupational Safety and Health. www.sverdrup.com/svt.

Fullwood, R.R. (2000). Probabilistic safety assessment in the chemical and nuclear industries. Boston: Butterworth Heinemann.

Goldberg, B.E., Everhart, K., Stevens, R., Babbitt III, N., Clemens, P., & Stout, L. (1994). System engineering "toolbox" for design-oriented engineers. NASA Reference Publication 1358.

Hammer, W. (1993). Product safety management and engineering, second edition. American Society of Safety Engineers. www.asse.org.

Manuele, F.A. (2003). Severe injury potential: Addressing an overlooked safety management element. Professional Safety, February, 26-31.

McNab, B. (2001). Inspection, investigation and enforcement risk management through assessment and control: A framework for the Ministry of Agriculture, Food and Rural Affairs. Draft, Aug. 7. www.gov.on.ca/OMAFRA.

Roland & Moriarty (1990). System safety engineering and management, second edition. New York: John Wiley.

SAE J1739 (1994). Potential failure mode and effects analysis in design (Design FMEA) and potential failure mode and effects analysis in manufacturing and assembly processes (Process FMEA). Reference Manual. Society of Automotive Engineers, Inc. www.sae.org.

SSDC-103 (1994). Guide to the use of the management oversight and risk tree. Idaho Falls, ID: U.S. Department of Energy, Office of Safety and Quality Assurance, Idaho National Engineering Laboratory. www.energy.gov.

System Safety Society. System safety analysis handbook, second edition. www.system-safety.org.

Trammell, S.R., Lorenzo, D.K., & Davis, B.J. (2003).
Integrated hazards analysis: Using the strengths of multiple methods to maximize effectiveness. American Society of Safety Engineers, Professional Development Conference. www.asse.org.

Vansina, P. (2000). Recommendations to improve risk analysis based on inspection findings in the Belgian "Seveso" companies. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.

Villacourt, M./SEMATECH (1992). Failure mode and effects analysis (FMEA): A guide for continuous improvement for the semiconductor equipment industry. www.sematech.org.

Whipple, C. (1988). Risk-based standards in engineering. Engineering applications of risk analysis. American Society of Mechanical Engineers, Winter Annual Meeting, December 1987. www.asme.org.

THE DOCUMENTATION DEBATE

The Conflict
The Opposition
The Supporters
From Bad to Good
The Bottom Line
Risk Communication

KEY POINTS

1. A conflict exists concerning documenting risk assessments.
2. There remains considerable resistance from the legal community to documenting risk assessments, primarily due to product liability concerns.
3. Good engineering practice, continuous improvement, and risk assessment requirements all push for documenting risk assessments.
4. Documenting the risk assessment process is required or recommended by every guideline, standard or technical description of risk assessment.

THE CONFLICT

One of the most difficult issues in implementing risk assessments is the resistance to documentation. Strong arguments can be made both for and against documenting a risk assessment. Differing and equally valid views exist on the positive and negative aspects of documenting the risk assessment. A discussion of each follows.

THE OPPOSITION

Time pressures can lead to documentation not being completed. The time required to document a risk assessment leads to opposition against documentation.
As with other analyses, documenting the analysis can extend the time required to complete an assessment. Given the time pressures on everyone in industry to complete the assessment and implement improvements, documentation falls low on the list of things to do. Other projects and tasks are more pressing and frankly less tedious. The introduction of risk assessment software that guides users through the risk assessment process has greatly reduced the time demands for separate documentation actions. Software typically generates reports automatically once the risk assessment is complete.

A second and more threatening factor opposing documentation stems from product liability. Product liability creates a fear of a discoverable "smoking gun" document, which could be used against a manufacturer to prove a plaintiff's case. Examples of "smoking gun" documents can be found in case law and abound in legal folklore. Often such cases return large plaintiff verdicts or settlements due to the manufacturer's actions or inactions as contained in the associated documents such as analyses, correspondence, emails, notes, and others. Defense attorneys are trained to look for and avoid creating documentation that could be used against a manufacturer. Legal counsel has long advised manufacturers against creating documents out of fear of creating a "smoking gun" document. Plaintiff attorneys dig deep in hopes of finding a damaging document. As a result there exists considerable resistance to and fear of creating discoverable documents related to risk. Additional discussion of the product liability influences on risk assessment appears in Chapter 32.

THE SUPPORTERS

The forces driving risk assessment documentation include: good engineering practice, continuous improvement, and the requirements in risk assessment specifications. Each is discussed in detail.

GOOD ENGINEERING PRACTICE

The scientific method is a basic principle of good engineering practice taught in engineering schools.
The scientific method directs that engineering analyses be conducted and documented in a manner such that another qualified engineer or scientist could repeat the analysis and verify the results. This concept explicitly appears in HB 203 (2000): "document the analysis, so that sufficient information is available to allow the process to be repeated and validated." In a discussion of the EH&S management system used at FMC Energy Systems, Jones (2002) shared that "well-designed EH&S management systems are characteristically: holistic in form; integrated in function; formally documented in content." [emphasis in original] Much of engineering instruction and performance uses the scientific method. Engineers who perform analyses of structures, fluids, heat transfer, and others all show the results of an analysis and share information on how the results were obtained. Even in general business discussions on finances, marketing or strategy, analysis methods are reported with the results. Yet companies often cannot demonstrate how they arrive at decisions concerning safety. In occupational safety settings, time may not be made to document the decisions. In the products liability forum, many of the processes used to reach safety decisions are undocumented, often intentionally. By documenting the assessment, both the process and the rationale for the decisions can be better determined. Documenting a risk assessment is an example of good engineering practice.

CONTINUOUS IMPROVEMENT

Continuous improvement is a well-established concept that gained acceptance with the quality movement. Documenting a risk assessment falls within the practice of continuous improvement. One element of continuous improvement requires understanding system breakdowns so that changes can be made to avoid a future recurrence.
Without documentation, understanding and assessing breakdowns can be very difficult. A documented risk assessment helps engineers, safety practitioners and managers better understand the system and why breakdowns occur in the design, the controls, the tasks, the risk reduction methods, and others. Understanding the breakdowns helps to identify methods for improvement in a systematic manner. A documented risk assessment helps to:
• identify where the breakdown occurred and why (such as which user, task and hazard);
• highlight why existing risk reduction methods were insufficient either in design or deployment; and
• prompt systematic improvements to reduce risks.

THE REQUIREMENTS

Nearly every risk assessment guideline, standard, recommended practice, or technical guideline requires or recommends that the assessment be documented. In all instances, this is a requirement rather than an option. Although the risk assessment methods examined in this book do vary somewhat in what must be documented, the requirement for documentation does not. Several examples illustrate this point:
> From the machine tool industry, ANSI B11 TR3 specifies, "the steps in this procedure are to be documented." TR3 includes a list of the necessary items to be documented (assumptions, hazardous situations identified, protective measures implemented, and residual risks).
> In the food industry, the Codex Commission notes, "the risk assessment should be fully and systematically documented and communicated to the risk manager."
> A third example comes from the AS/NZS 4360 standard on the risk management process: "each step of the risk management process should be documented. Documentation should include assumptions, methods, data sources and results."
> The Norwegian standard for the offshore industry, NORSOK Z-013, states that at a minimum a QRA should include the following documentation:
• Statement of objectives, scope and limitations
• Description of the object (or system) of the analysis
• Statement of the assumptions, presumptions and premises on which the study is based, so that they may be evaluated and accepted
• Data basis
• Description of the analytical approach used
• Quality assurance, including personnel competence
• Presentation of conclusions from the study
• Presentation of possible measures that may be used for reduction of risk and their risk reducing effect

> The U.S. military states in OPNAVINST (2002) the following concerning documenting ergonomic risk assessments: "the risk factor analysis and decision rationale shall be documented in writing and kept on file for at least 5 years."

> According to OHSAS 18002, documentation should include the following elements:
• Identification of hazards
• Evaluation of risks with existing (or proposed) control measures in place
• Evaluation of the tolerability of residual risk
• Identification of any additional risk control measures needed
• Evaluation of whether the risk control measures are sufficient to reduce the risk to a tolerable level

The requirements for documenting a risk assessment leave little room for question. Documentation is required. Even so, resistance to documenting the assessment abounds.

FROM BAD TO GOOD

Although feared to be a negative, a documented risk assessment can prove to be a benefit to a company. In practice, a documented risk assessment increases the likelihood that hazards will be identified and that risks will be reduced to an acceptable level, thereby decreasing the likelihood of an incident and the resulting product liability exposure. Hazards and risks are far less likely to be overlooked or to "slip through the cracks" when the risk assessment is documented.
In litigation, a company would like the jury to find that the company's decisions and resulting design were acceptable. A documented risk assessment can demonstrate the company's intent and the methods used to create reasonably safe and acceptable designs. Documented analyses can provide evidence that a manufacturer made reasonable efforts to identify hazards and minimize the risks associated with them. A documented risk assessment therefore provides credible evidence that can be used in defending a design in a product liability lawsuit. PMMI (2000) states that:

Documentation can also be used as evidence that a manufacturer made a reasonable effort to identify hazards and minimize the risks associated with those hazards. This can be useful in defending the design of a machine in product liability litigation.

Ross and Main (2001) suggest:

The best advice is to perform the appropriate assessment and be prepared to stand behind the process and conclusions. The existence of a conscientiously performed assessment should allow defense counsel to argue that punitive damages are not warranted and should not even be allowed to go to a jury.

As with any documented analysis, appropriate follow-through needs to occur to ensure that all risks are reduced to an acceptable level and that no unacceptable risks remain.

THE BOTTOM LINE

The decision to document a risk assessment must be made by each company. Even though industry guidelines and standards exist that include documentation requirements, the company must decide whether to follow that part of the requirement. Companies wrestling with the documentation decision need to develop a policy on documentation. If a company decides not to document its risk assessments, then it will likely need to use or create a company policy stating so. The policy should clearly state what should and should not be included in the documentation, if any.
The policy should be supportable in the event that the policy decision comes under outside scrutiny. For example, one equipment manufacturer known to the author has product liability concerns about documentation. It has a risk assessment process in place. This company developed a solution to the documentation dilemma in which only the minutes of the safety review committee meetings are retained. When the risk assessment is complete and the product goes into production, the minutes reflect that the company risk assessment process was completed satisfactorily. This company does not retain documentation on the hazards or the individual risk level ratings derived during product development. Once the product goes into production, company policy dictates that the details of the assessment be destroyed. Is this a good policy? Yes, for that company, because they have crafted a solution that works for them.

The documentation issue itself should NOT be a reason not to perform risk assessments. A company can derive most of the benefits of completing the risk assessment even if the documentation is not created or kept. There are good reasons to document a risk assessment, but strong opposition in some companies. The challenge to all companies is to find a solution that works within the culture, constraints and environment of each company.

RISK COMMUNICATION

Risk communication is a very broad and interesting topic. Documentation comprises only one small part of the risk communication puzzle. Much has been written on the topic of risk communication, and the interested reader should refer to the wealth of information elsewhere. One form of risk communication involves how a company responds following a significant incident at its facility or with its product. Companies have risen to new heights or disappeared in part due to how well or poorly they communicated.
Many "high potential hazard" companies and industries actively engage in risk communication as part of their crisis management strategies. There is no question that risk communication plays a major and fascinating role in the whole subject of risk. A detailed handling of this important topic extends beyond the scope of this text. MacDonell and Holoubek (2001) state:

The working group acknowledged that effective communication of the assessment results is a major factor in the usefulness of ecological risk assessments. It was emphasized that each risk assessment should be developed with that end in mind, by specifically asking: What information does the decision maker need, and how can we provide it in the best manner to lead to a good decision? (emphasis in original)

This passage highlights that although significant challenges appear when conducting a risk assessment, a risk assessment is not an end, but rather a means to an end: acceptable risk. The many different uses and meanings of the term "risk assessment" cause communication problems for both technical and non-technical people. Risk communications need to occur within a team, with management, outside the team, with the users and potentially outside the organization. An unfortunate obstacle to more effective risk communication remains the many different definitions and meanings that the various risk assessment terms carry.

In order to effectively conduct a risk assessment, considerable communication is required. Users need to communicate with equipment suppliers so that proper guarding, controls and information can be provided with equipment to meet the users' needs. Operators and maintenance workers need to have input to the risk assessment process so that engineers understand the work that will be done and all hazards can be identified. Excluding the equipment user or the persons conducting the work with the equipment can lead to breakdowns in the risk assessment process and hazards being missed.
User input is essential in conducting risk assessments in the real world. Suppliers cannot perform risk assessments without knowing how equipment will be used. Similarly, equipment design engineers cannot complete a risk assessment without input from workers and end users. Equipment users need to perform risk assessments in their own facilities to better identify hazards and to ensure that residual risks are acceptable.

REFERENCES

ANSI B11 Technical Report #3 (2000). Risk Assessment - A guideline to estimate, evaluate and reduce risks associated with machine tools. The Association for Manufacturing Technology, www.amtonline.org.

AS/NZS 4360-1999. Risk Management. Standards Australia, www.standards.com.au.

Codex Alimentarius Commission (2002). Report of the seventeenth session of the Codex Committee on General Principles. Joint FAO/WHO Food Standards Programme, Codex Alimentarius Commission, Paris, France, April 15-19, 2002. www.codexalimentarius.net.

HB 203-2000. Environmental risk management - Principles and process. Standards Australia, www.standards.com.au.

Jones, D. (2002). How to Design Effective EH&S Management Systems for Continual Improvement of Risk Reduction Performance. American Society of Safety Engineers, www.asse.org.

MacDonell, M. & Holoubek, I. (2001). Methods and tools for assessment and management of environmental risks. In Linkov, I. & Palma-Oliveira, J. (Eds.), Assessment and management of environmental risks (pp. 3-9). Netherlands: Kluwer Academic Publishers.

NORSOK Standard Z-013. Risk and emergency preparedness analysis. Rev. 1, March 1998, and Rev. 2, 2001-09-01. Norwegian Center for Ecological Agriculture, www.norsok.no.

OPNAVINST (2002). 5100.23F, Chapter 23, Ergonomics program, July. U.S. Navy, http://neds.nebt.daps.mil/Directives/5100/23.pdf.

PMMI (2000). Product liability prevention manual. Packaging Machinery Manufacturers Institute, www.pmmi.org.

Ross, K. & Main, B. (2001). Risk assessment and product liability.
For The Defense, April. The Defense Research Institute, Inc., www.dri.org.

HARMONIZING THE RISK ASSESSMENT PROCESS

Introduction
A Workshop on Harmonizing Risk Assessment
Support for Harmonizing
Reasons Against Harmonizing
Ongoing Efforts
Recommendations for Harmonizing Efforts
Flexibility - A Critical Success Factor
Closure

KEY POINTS

1. There are several reasons to harmonize the various risk assessment methods. There are also several reasons not to harmonize them. Both viewpoints have merit.

2. Some basic steps toward harmonization appear achievable. However, complete harmonization is not likely to occur soon.

3. There appears to be very little value in attempting to compare the results of risk assessments from very different applications to one another. Such comparisons provide no useful information toward achieving acceptable risk.

4. If a harmonized risk assessment process is to be developed, flexibility will be a critical factor in its success. Although most standards specifically seek to avoid flexibility, a harmonization effort will likely fail unless a standard framework can be provided that permits flexible application of the details.

INTRODUCTION

The word "harmonizing" describes the process of bringing two or more documents into accord or agreement. A typical application arises where two or more countries have individual standards that apply to one product, machine or component. Representatives from the countries form a committee to work out the differences and create one standard that then applies in both countries. Harmonization does not require that the resulting standards be identical. Although the individual country standards may still exist, the differences that remain are minor. The harmonization process allows local control for individual countries, yet typically provides common standards for industry.
The great interest in harmonizing standards is driven by manufacturers who make machines or products that they sell in more than one country. If each country has an independent standard, then the manufacturer must develop separate machines for each country or market. If a single harmonized standard can be developed, then the manufacturer can build one machine and sell it in all markets.

Discussions of harmonizing a risk assessment approach are met with strong opinions about the risk assessment methods found to be successful. In particular, great effort is applied to finding the "best" method to use as the standard. Much discussion about risk assessment currently centers on harmonizing or standardizing the various approaches to risk assessment. A workshop was held in 2000 in Stresa, Italy specifically on this topic. Many of the resources used to document the benchmark methods in Section III derive from this workshop. Currently, an effort to revise the international risk assessment standard for machinery (ISO 14121) is underway. However, there are differing opinions concerning the harmonization topic that deserve examination.

A WORKSHOP ON HARMONIZING RISK ASSESSMENT

BACKGROUND

In May 2000, the European Commission Directorate General Joint Research Centre (DG JRC), Institute for Systems, Informatics and Safety (ISIS), held a workshop for the "Promotion of Technical Harmonization on Risk-Based Decision-Making." The workshop was held in Stresa, Italy with the express purpose of discussing the possible development of an internationally accepted generic "standard" for risk-based decision making. The Stresa workshop was a gathering of experts from several industries where papers were presented and panel discussions were held. Proceedings from the workshop have been published. The aim of the workshop was to identify the need for further standardization and to develop a "top-level" risk assessment standard across different technologies.
The conference started with a basic assumption "that consideration of risk would be greatly facilitated by an internationally accepted generic 'standard' for risk-based decisionmaking." The workshop focused on the following industries:

• Chemical process industry
• Waste
• Nuclear power industry
• Structures, dams and offshore
• Air transport and aerospace
• Transport by cars and railways
• Food and healthcare
• Running activities and projects

The primary focus of the workshop tended to be large-scale industries where societal risk plays a significant role and risk assessment efforts typically include a quantitative approach. Much of the discussion centered on the risk management issue of balancing individual risks against societal risks.

DESCRIPTION

The workshop organizers presented the following stepwise approach to risk assessment for discussion:

Step I - Hazard identification
Identification of sources with the potential to cause undesired outcomes to subjects of concern that is the focus of the situation of likelihood.

Step II - Event scenario assessment
Identification of the initiators and sequences of events that can lead to the realisation of the hazard.

Step III - Consequence assessment
Identification and assessment of the consequences of the realised hazard.

Step IV - Risk evaluation
A. Risk assessment - assessing and expressing the likelihood of the consequences and describing the quality of such estimates.
B. Risk comparison - comparing derived risk estimates to specified guidelines/criteria/goals and describing the dependence of these estimates on explicitly specified assumptions.

Step V - Decision making
Deciding on actions based on the risk evaluation.

This approach is discussed in Chapter 29, Offshore, and reproduced in Figure 41.1.

Figure 41.1 - Risk Estimation, Analysis and Evaluation (NORSOK Z-013)

The workshop participants were encouraged to comment on this generic process and to share whether their organization or industry could accept this approach.
RESULTS

Kirchsteiger and Cojazzi (2000) summarize the results of the Stresa Conference as follows:

Several national and international standardisation organizations are developing standards to be applied in various specialised sectors such as medical devices, machinery and offshore equipment. However, these standards are often very industry-specific and frequently adopt different definitions, models and approaches to risk analysis. Each step in 'risk assessment' is heavily dependent on its specific cultural and regulatory context. Throughout the workshop's presentation and discussion of risk assessment practices across different industries and countries, it became clear that there are many similarities in risk assessment at a generic technical level. Risk perception has its own role in the political debate; risk acceptance and the judgment on hazardous activities is a highly contextual topic; the use of acceptance criteria strongly depends on country, on time, on activity, on risks and related benefits. For these reasons, it was generally felt that any successful 'standardisation' should focus on the process underlying risk assessment, and not attempt to harmonise risk criteria.

Based on a review of the papers from the Stresa Conference, there was mixed endorsement for a harmonized standard. On the supportive side, Wettig (2000) believes that:

Process-related generic standards have already been developed in the areas of quality management and environmental management. The development of a generic standard for risk-based decision making would certainly represent a major step forward in achieving a common language in risk assessment across different technical areas and sectors.

The many authors that supported a harmonized risk assessment standard agreed that value would be found in common definitions, a common process and, particularly, common risk acceptance criteria. However, there was little consensus on how to achieve such an end.
Detractors of a harmonization effort were also numerous, and they identified several practical challenges that would jeopardize such a project. Although these voices tended to agree that a harmonized standard, once complete, would be nice to have, they seriously questioned the ability to surmount the many practical hurdles to achieving the proposed outcome. Examples of the issues raised follow.

Ale (2000) notes that risk assessment methods differ, risk acceptability differs, and risks differ. Therefore, standards that attempt too much too soon can be counterproductive. Ale quotes the OECD Expert Group on Chemical Accidents, who participated in a similar industry-specific workshop: "in summary, the workshop participants concluded that standardization of the risk assessment process, and approaches/methodologies used in each step of the process, is neither desirable nor feasible."

Davies (2000) suggests that harmonization of risk assessment across industries will be difficult, and that harmonization of risk-informed decision-making may well be even more difficult.

Some participants did not see the value in a generic risk assessment standard at all. For example, Turney (2000) observes, "the study 'A view of Risk Control' by the Dutch 'Directorate-General Milieubeheer' looked at approaches to risk assessment in five European countries and the USA. Amongst its conclusions was, 'There is apparently no single outstandingly superior approach.'"

A very telling opinion is offered by Hale (2000). He views the potential users of a generic risk assessment standard as risk analysts, those commissioning risk assessments, and regulators reviewing risk assessments. In his view, industry is not a potential user. Although this does not suggest that harmonization should not be pursued, he clearly indicates that the value from any harmonization effort will be limited to a small minority of users.
If true, then the ultimate value of, or need for, a generic standard for such a small community can be questioned.

OBSERVATIONS

Based on the results of the Stresa workshop, several observations can be made:

• There seems to be a general consensus that harmonizing the terms used in conducting a risk assessment would be beneficial. This may not be as simple as it sounds. In some industries considerable effort has been made to develop a common set of terms related to risk assessment efforts in that industry. These terms are often slightly or even substantially different from those used in unrelated industries. Asking "Industry A" to change its terms of usage simply to harmonize with other unrelated industries may meet with resistance. Nonetheless, there seems to be value in working toward harmonization in this regard.

• There also appears to be value in harmonizing risk assessment approaches between industries where the applications are similar in terms of available data and quantification practices. For example, the oil and chemical industries may well find that harmonizing with the offshore industry yields value.

• There appears to be little value, and potential detriment, in harmonization efforts where significant dissimilarities exist in approaches to risk assessment. For example, attempts to harmonize the nuclear industry with the packaging machinery industry or medical devices make little sense.

• There does not appear to be any value in comparing residual risk levels across dissimilar applications. Comparing risks in rail transport, nuclear power and food is largely meaningless because the residual risk level that is considered acceptable differs greatly.

• Any risk assessment harmonization or standard must be flexible rather than rigid. Any resulting method must allow an industry or an individual company to adapt the system to its particular needs. There seems to be consensus in this regard.
STATUS

Although Kirchsteiger and Cojazzi (2000) state, "there is a common 'generic' basis for risk assessment," the basis is somewhat open to interpretation. The process proposed at the start of the workshop was endorsed by some industries, but not by others. Further, many industries that are involved in risk assessment activities were not represented at the Stresa workshop. Many of the absent industries do not use a quantitative approach to risk assessment, nor do they follow the process proposed at the workshop. Yet Kirchsteiger and Cojazzi are correct in that all risk assessment protocols share a common "generic" basis at some level, if only at the "black box" level of identifying hazards, assessing risks and reducing risks. However, the value of developing a "generic" risk assessment process at too generic a level is questionable. In that case, energies may be better spent on improving and refining the risk assessment methods within each industry rather than on one "generic" approach. The workshop proceedings are published documents. Additional information can be obtained at http://www.irc.org.

SUPPORT FOR HARMONIZING

One of the most striking observations from the several benchmark methods reviewed in Section III is the similarity between the approaches. Viewed at a very high level, the general process of risk assessment tends to be quite consistent across many industries. Supporters of the harmonizing effort believe that the differences tend to be in the details, and that there is value in merging the various methods into one. For example, Ale (2000) endorses the CARAT system as a basis for any harmonization effort (see Chapter 12, Chemical and Oil). He opines that:

The CARAT system proves to be a generally applicable framework, which could be the template for all kinds of risk management activities. This does not take away that risk acceptance and the judgment on hazardous activities is a highly contextual exercise.
The use of criteria, the use of methods and the level of risk depend on country, on time, on activity, on risks, and on benefits.

Companies that operate on a global basis also tend to support harmonization, or more accurately, to resist the proliferation of multiple methods. A company that completes a risk assessment for a product or process in one country will understandably resist having to repeat the assessment for a second country to comply with a different risk assessment method or a different risk scoring system. No company will willingly complete two risk assessments for the same equipment simply because a standard requires that it be done "their way." Companies facing this circumstance support harmonizing the methods so that only one risk assessment needs to be completed.

Similarly, there is support for harmonization from companies that operate across industries. A robot used in manufacturing medical devices could fall under the robot standard ANSI/RIA R15.06-1999 or the medical device standard ANSI/AAMI/ISO 14971-2000. Understandably, the company would resist having to perform two risk assessments.

Additional support for harmonization stems from confusion surrounding the terms of risk assessment. Many of the terms used in the risk assessment process have slightly different definitions, some substantive, others more semantic. Appendix A demonstrates this rather well. Supporters suggest that harmonizing on common definitions will decrease confusion, and thus that harmonization is warranted.

Another basis of support comes from the spread of certain risk assessment methods; in particular, the robotics industry's approach to risk assessment has dispersed into other industries. The RIA approach described in Chapter 35 appears in the Intelligent Assist Devices draft standard BSR/T15.1, the Canadian robot standard CSA Z434, and the ANSI Z244.1 standard on control of hazardous energy (lockout/tagout).
This proliferation appears to be related, in part, to the participation of persons from the robotics industry in these other standardization efforts. However, as the method migrates to other applications, harmonizing becomes easier.

REASONS AGAINST HARMONIZING

Strong opinions can also be found resisting harmonization. The arguments can be categorized into value, change, differences, levels of detail and comparisons.

VALUE

A very significant argument raised against harmonizing risk assessment methods is that the value derived does not warrant the effort. This voice most frequently comes from industries with established risk assessment methods that have proven successful and are well integrated into their way of doing business. Even in an industry where one risk scoring system has been adopted, individual companies may not use that system if the company implemented its own system before the industry method was adopted. Even if a harmonized method were developed, these industries would likely resist changing, as they see no value in doing so. Further, they would resist moving from a proven process to a new, unproven process simply to satisfy an external benchmark. This argument has merit, as there appears to be little value in making such a change.

CHANGE

A second reason raised against harmonization is a general resistance to change. The thinking goes, "harmonizing is a great idea as long as everyone else adopts my method." This is particularly true in industries or companies where risk assessment has been deployed successfully. A number of the 2000 Stresa Harmonization Workshop authors recommended their industry approach as the basis for a harmonized methodology. Many risk assessment methods tend to be chimney efforts, developed in isolation, with no need or motivation to change. Indeed, there seems little cause for a hydraulic power press standard and a semiconductor guideline to try to harmonize their risk assessment approaches.
DIFFERENCES

The risk assessment process is usually viewed as a generic process that can be applied to most any industry and any company. Although this is generally true at a high level, comparing the various risk assessment methods described herein at a detailed level reveals many differences. These differences may be sufficiently significant to require different risk assessment processes, and so to resist harmonization. For example, risk assessment efforts are quite sophisticated in some industries. Yet in other industries, risk assessment processes are quite simple and yield entirely satisfactory results. Efforts to move either camp to the other will meet with resistance. Users of sophisticated, validated models will find the simple methods lacking. Users of simple models will find the more complex models unnecessarily difficult to use, comprehend, introduce and implement.

One of the open questions today concerns harmonizing risk scoring systems. There do seem to be concerted efforts to select a single risk scoring system within a single industry that all industry members would use. These concerted efforts do not tend to extend beyond industry lines. Differences between the risk scoring systems used in the semiconductor, machine tool, packaging machinery and medical device industries have not produced any call for harmonization.

There are also differences in what is known for a given application. In some applications, the event is easily discernible, such as a dam leak, a chemical release, a known chemical toxicity, and others.
Considine (2000) notes that in the chemical and oil industries most major hazard events involve a loss of containment of a hazardous substance:

In the oil and chemical industries, there is usually sufficient incident experience that extensive fault and event tree modelling is not usually necessary. A useful high level validation on the overall predicted event frequencies can usually be obtained by comparing predicted release, fire and explosion frequencies with industry experience (p. 15).

In these applications, the difficulty resides in evaluating the consequences. In other applications the consequence is well known but predicting the event proves difficult, such as an unexpected start-up or energy release. In still other applications, very little is known about either the event or the consequence, such as with environmental impacts. Detractors of the harmonization effort point out that adopting a method that suits one application will not suit the other. Worse yet would be to split the difference and come up with an in-between method that suits neither application. Detractors point to this as a substantial difference and a barrier to harmonization.

Bhimavarapu and Stavrianidis (1999) note that:

Different European countries adopted the Seveso Directive in different ways, and the role of risk analysis varies. In the United Kingdom, probabilistic assessment is not mandatory. In the Netherlands, a quantified assessment is required in the safety report for addressing the safety issues outside the plant boundaries. Italy has issued detailed guidelines for compilation of safety reports, and safety declarations. In Germany, the safety report does not mandate any risk assessment but asks details of possible hazards and details of the measures taken to prevent failures and consequences.

These represent significant differences in risk assessment requirements. Any harmonization effort needs to recognize that there are obvious and non-obvious reasons for the differences.
In some instances there may be willingness to change an existing risk assessment requirement to accommodate harmonization efforts. In other instances the resistance to change may be quite fierce. Harmonizing efforts should focus on developing a flexible system that accommodates different approaches or details in conducting risk assessment. If risk scoring systems and an acceptable level of risk cannot be harmonized within a single, albeit large, company, one should hold little expectation that such harmonization could be reached across many industries and countries.

INERTIA

One force resisting global standardization is inertia. The longer a risk assessment protocol exists within an industry, the greater the resistance will be to changing it. Manufacturers in any industry who have been completing risk assessments for a period of time will develop an inventory of assessments that can be quickly opened and updated for modest design changes. If changing a risk assessment protocol requires redoing existing work, then one should expect resistance to any change in the method, for harmonization or otherwise.

LEVELS OF DETAIL

A close examination of the various risk assessment methods reveals considerable differences in the level of detail provided by the different industries. Some methods provide detailed guidance on how the risk assessment should be conducted (e.g., the machine tool industry in ANSI B11 TR3). Some methods actually correlate risk levels to recommended risk reduction methods (e.g., the robotics industry in ANSI/RIA R15.06). Other methods provide only a general framework and leave the detailed implementation to the user (e.g., the medical industry in ANSI/AAMI/ISO 14971). One reason for these differences comes from the scope of the applications: a larger scope necessarily requires greater flexibility to accommodate alternate implementations. A second reason for the differences stems from the experience of the industry in conducting risk assessments.
Before one jumps into the intellectual puzzle of crafting an improved risk assessment model, the ultimate use needs to be considered, along with the level of detail required. The adage that a better mouse trap can always be built applies. The higher the risk of negative consequences, the greater the resources that can be justified to develop a more sophisticated risk model. For situations such as chemical processing plants, siting new airports, locating nuclear reactors, or handling advanced military weapons, the overall risks are wide ranging and sophisticated risk assessment studies are warranted. Conversely, for industrial applications where the risks are relatively narrow, simple risk assessment methods are more appropriate.

COMPARING ACCEPTABLE RISK LEVELS

Some authors attempt to draw comparisons between different risk assessment applications. Quantified or known risk levels in one industry are compared to unknown risk levels in another industry. For example, annual fatality data are available for situations such as motor vehicle accidents, fires, air travel, electrocution, and others. These data can be converted to an annual risk of fatality using a baseline population. The results are then assumed to represent the current level of acceptable risk for that application, particularly if the fatality rate remains relatively unchanged over several years. Attempts are then made to extrapolate these acceptable risk levels to other applications. Although there is nothing theoretically wrong with the approach, there is no indication that this type of analysis provides valid or meaningful results. Even though society may apparently find a certain level of risk acceptable for highway transportation, there is little reason to believe that the same risk level will be considered acceptable for the food, nuclear power or other industries. Comparisons within an industry are far more relevant; for example, should dangerous goods be shipped by open roadway or tunnel?
Being willing to accept high risk in one aspect of life does not necessarily correlate to being willing to accept high risk in other aspects of life or work. As a result, a generic risk assessment standard with a single level for acceptable risk may be meaningless. For each individual, risk acceptance is a subjective and an emotional decision. Pointing to risk levels in other activities that an individual or society considers acceptable, as an argument to support a proposed acceptable risk level in another activity, does not make that level valid. A farmer who handles chemicals regularly may avoid standing in front of an operating microwave oven. A motorcycle enthusiast who does not use a helmet while riding may not be willing to live near high voltage power transmission lines. Whereas the former they consider acceptable, the latter they do not.

In the context of risk management, Amendola (2000) suggests that risk assessment occurs in a socio-cultural environment that requires reliable risk assessment procedures that need to be conducted with public participation. This view is certainly valuable in the context of evaluating societal risk and setting public policy. However, this concept is too cumbersome for the general industry application focusing on minimizing individual risk. For general application in industry, risk assessment needs to be a relatively simple, straightforward process that an individual company can apply on the plant floor.

ONGOING EFFORTS

One of the key documents in recent risk assessment efforts has been ISO 14121, which started as EN 1050. EN 1050 was initially released in 1996. In 1999, the standard was adopted by ISO and renamed ISO 14121. No changes were made to the content of the standard at that time. Recently, an effort started to revise this standard.
At the time of publication, a working group is updating the basic document and developing additional explanatory information on the risk assessment process that will appear in a new annex to the document. Similarly, other working groups and committees in Europe and elsewhere are modifying, updating, and improving many of the risk assessment benchmark methods that appear in Section III. As part of these efforts, the writing committees seek ways to minimize differences and harmonize the language in their documents.

RECOMMENDATIONS FOR HARMONIZATION EFFORTS

GENERAL

There are valid reasons for and against harmonizing the risk assessment process. Whether a single risk assessment method can be produced remains to be determined. However, there appears to be consensus that harmonizing at least portions of the risk assessment process provides value. At the very least, such initial harmonization can be a starting point to what potentially may become a single method in the years ahead. There are two parts of the overall process that most voices tend to support for harmonization: terms and definitions, and documentation requirements. Two other areas of potential harmonization exist, but not many participants have voiced opinions on the possibilities. The first involves the overall risk assessment process and the second involves risk scoring systems.

COMMON TERMS AND DEFINITIONS

The terms and definitions used in the risk assessment process should be harmonized. Appendix A collects many of the key terms and contemporary definitions in use. This collection could form the basis of an effort to harmonize the definitions. Some definitions should require little harmonization effort, such as the meaning of "residual risk." Other terms will require some discussion, such as "risk assessment." There are significant challenges to harmonizing terms due to language translations. Some words in one language do not translate well or at all into other languages.
Other terms that have specific meanings in one language have distinctly different connotations in another. For example, the terms "acceptable risk" and "tolerable risk" have been suggested by some authors as having distinct meanings (see Chapter 4). Yet there are no equivalent words in either the German or French languages. In some instances, the direct translation of a term creates political resistance due to the different meaning in the translation.

COMMON DOCUMENTATION REQUIREMENTS

Documenting risk assessment forms a common element of all risk assessment processes. Every risk assessment guideline, standard, recommended practice, or technical description requires or recommends that the assessment be documented. However, what exactly is to be documented or included in the documentation does vary slightly. Harmonization efforts should be able to set common documentation requirements.

PROBABILITY OR LIKELIHOOD?

Some industries use the term "probability" while others use the term "likelihood" in assessing risk. In many instances these terms are considered synonyms, or at least no distinction is made in how they are used. However, other applications draw a distinction. HB 203:2000 Environmental risk management - Principles and process states that:

    Probability is the likelihood of a specific event; probability is expressed as a number between 0 and 1. By definition, probability is a numerical measure and can be used in quantitative risk approaches. Likelihood is used as a qualitative description of probability or frequency.

This distinction finds utility in applications that use both qualitative and quantitative risk scoring systems. In these situations, using the terms interchangeably could lead to confusion as to which risk scoring system is being discussed. In applications where only one or the other risk scoring system is used, there is no loss in continuity if the terms are used interchangeably.
One potential drawback to drawing a distinction between these two terms involves how the meanings translate to languages other than English. This remains to be determined.

BASIC PROCESS FLOW CHART

Although the overall risk assessment process is common at a very high level, there are substantive differences in the details. Flow charts of the risk assessment process shown in the benchmark methods of Section III highlight the common points and differences. Some of the differences are substantive and likely should remain. Little effort should be made to harmonize to one risk assessment approach if it will not accommodate the varying needs. A basic risk assessment process flow chart should accommodate the differences. A flow chart of a common risk assessment process that accommodates different risk assessment methods likely can and should be developed. Figure 6.1 may serve as the basis for such a flow chart. The risk assessment process in Figure 6.1 [reproduced in 43.2] accommodates many different risk scoring systems.

FLEXIBLE RISK SCORING SYSTEMS

Any harmonized risk assessment process must accommodate different risk scoring systems. At the present time, attempts to harmonize to a single risk scoring system will likely fail. There remains too much unknown about the risk assessment processes to attempt to standardize to one inflexible risk scoring system at this time. The diversity of methods in Section III attests to the fact that many risk assessment systems work satisfactorily, and that which system is used is less important than finding one system that works well within a company, organization or industry. As companies and individuals gain more experience with risk assessments, the perceived differences between the models will lessen and consensus may develop on one or a few approaches. However, the time of convergence still lies ahead. Divergence should be accommodated and expected to continue before standardizing on one or a few approaches.
Until the time of convergence is possible, standards writing bodies should write industry standards and guidelines to accommodate different risk scoring systems. There is strong support for the position that which particular risk scoring system is used is far less important than the fact that one is employed. For any industry or international standard to be successful, it must allow end users to tinker with or use alternates to any risk scoring system identified in the document. Time will tell whether the need for accuracy and precision in a risk scoring system will succumb or win out over the need for speed and simplicity, or if both can be obtained simultaneously.

FLEXIBLE ACCEPTABLE RISK LEVELS

There are several challenges in attempting to set acceptable risk levels. Users often seek clear direction on what can be considered acceptable risk. They want the answer rather than a long discussion. They want to know when they can stop the risk assessment process. Unfortunately, such guidance is rarely available, especially across a broad spectrum of applications. In the context of the nuclear power industry, Whipple (1988) observed:

    The idea that risk-based standards is something new is incorrect; what is new is that risk targets are often expressed in terms of acceptable risk. While it would be simple and appear fair to set a standard for risk such as one in a million per year for all activities and exposures, as far as risk-based standards are concerned, there is no simple numerical level that fits all occasions. Risk targets are always context-specific.

To be successful, any harmonization effort must accommodate differences in levels of risk considered to be acceptable. Harmonization efforts should focus on providing guidance on how an individual company or industry can set an acceptable risk level rather than a specific level to be achieved. Acceptable risk levels must be determined by individual companies or perhaps by specific industries.
However, a universal level of acceptable risk is not likely to be found, or to be accepted if one is selected.

FLEXIBILITY - A CRITICAL SUCCESS FACTOR

If a harmonized risk assessment process is to be developed, flexibility will be a critical factor to its success. This is somewhat contrary to the fundamental idea of a standard. Most standards specifically seek to avoid flexibility. Yet the effort will likely fail unless a standard framework can be provided that permits flexible application of the details. The U.S. Coast Guard has demonstrated how to provide structure and flexibility in a standard. The document Operational Risk Management (USCG, 1999) contains the Coast Guard approach to risk assessment and risk management. The document notes that:

    While compatible with other armed forces' efforts, the Coast Guard's standard risk management plan is specifically tailored for our organization's unique size and multi-mission nature. Understandably, each facility and activity will differ in how it interprets risk assessment and risk management results in its own community due to unique mission differences and its members' varying degrees of knowledge, skill, experience, and maturity.

The Coast Guard system provides structure for the risk assessment process but allows sufficient flexibility such that individual users can make modifications to suit their applications. Considine (2000) supports the flexible approach in discussing the risk assessment and risk management processes at BP Amoco:

    It is important that any standard does not impose too rigid approach, such that it prevents an assessment properly reflecting site specific or regional considerations. With regard to the latter, it must be acknowledged that there is probably little scope for standardisation of when and where a quantitative risk assessment approach should be adopted or what constitutes an acceptable level of risk (p. 36).
Different industries and companies face different risk assessment challenges, and therefore require flexibility in any harmonized standard in order to address the risks they face. Without flexibility, an effort to develop a harmonized risk assessment standard will likely fail.

CLOSURE

The fundamental goal of a risk assessment should not be lost in the dust cloud of discussing harmonizing the risk assessment process. The goal of conducting a risk assessment is to reduce risks to an acceptable level. Brearley (2000) observes, "it should not be forgotten that [risk analysis techniques] are not an end in themselves. Creation of good quality risk information is important only to inform and support decision making. The real focus is decision making, not risk analysis." Conducting a risk assessment and documenting that the residual risks are acceptable is more important than the path followed to achieve these ends. Harmonization efforts need to focus on this goal and facilitate its realization. Elements that distract from achieving this goal, such as limiting flexibility, should be avoided.

REFERENCES

Ale, B. (2000). Risk assessment practices in the Netherlands. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.

Amendola, A. (2000). Recent paradigms for risk informed decision-making. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.

ANSI B11 Technical Report #3 (2000). Risk Assessment - A guideline to estimate, evaluate and reduce risks associated with machine tools. The Association for Manufacturing Technology, www.amtonline.org.

ANSI Z244.1-2003 (final draft). Control of hazardous energy - Lockout/tagout and alternative methods. National Safety Council, www.nsc.org.

ANSI/AAMI/ISO 14971-2000. Medical devices, risk management. Part 1: Application of risk analysis.
Association for the Advancement of Medical Instrumentation, www.aami.org.

ANSI/RIA R15.06-1999. Safety requirements for industrial robots and robot systems. Robotic Industries Association, www.robotics.org.

Bhimavarapu, K. & Stavrianidis, P. (1999). Performance-based standards for process industry - development, implementation and integration. ISA TECH 1999 Conference, www.isa.org.

Brearley, S.A. (2000). UK railways: using risk information in safety decision making. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.

BSR/T15.1 (draft, 2002). Personnel safety requirements for intelligent assist devices (Draft). Robotic Industries Association, www.robotics.org.

CARAT (2003). The chemical accident risk assessment thesaurus, http://www1.oecd.org/EHS/CARAT/v3.0.

Considine, M. (2000). Quantifying risks in the oil and chemical industry. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.

CSA Z434-03. Industrial robots and robot systems - General safety requirements. Canadian Standards Association, www.csa.ca.

Davies, L.P. (2000). Responses to questionnaire for UK nuclear power plant. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.

Hale, A. (2000). Risk contours and risk management criteria for major airports: Response to 10 questions. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.

ISO 14121/EN 1050-1999. Safety of machinery; risk assessment. International Organization for Standardization, www.iso.ch.

Kirchsteiger, C. & Giacomo, C. (Eds.). (2000). Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.

NORSOK Standard Z-013. Risk and emergency preparedness analysis. Rev.
1, March 1998, and Rev. 2, 2001-09-01. Norwegian Center for Ecological Agriculture, www.norsok.no.

Turney, R.D. (2000). Application of risk assessment in the process industries. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.

U.S. Coast Guard (1999). Operational risk management (ORM), COMDTINST 3500.3, http://www.uscg.mil/hq/G-W/g-wk/g-wks/g-wks-1/Operational%20Risk%20Management.pdf.

Wettig, J. (2000). New developments in standardization in the past 15 years - Product versus process related standards. In Kirchsteiger, C. and Giacomo, C. (Eds.), Promotion of harmonization on risk-based decision-making. Stresa, Italy: European Commission.

Whipple, C. (1988). Risk-based standards in engineering. Engineering applications of risk analysis. American Society of Mechanical Engineers, Winter Annual Meeting, December 1987. www.asme.org.

A ROADMAP TO A BETTER SYSTEM

Introduction
Identify the Problem
Know the Audience
Consider the Logistics
Identify the Steps in the Process
Select or Develop a Risk Scoring System
Anticipate Change
Address Complexity
The Importance of Severity
The Best Method
Closure

KEY POINTS

1. Readers have a choice to make: either adopt an existing risk assessment benchmark, or create one better suited to their specific application.

2. There are several considerations that should be addressed in developing a bett