ByDesign_PtDSpecial_Fall2007

8/2/2019 ByDesign_PtDSpecial_Fall2007

http://slidepdf.com/reader/full/bydesignptdspecialfall2007 1/13

regulation or a standard on Preventionthrough Design is remote. It is more

probable that an ANSI standard could bedeveloped and approved, but that could

take several years. For example,ANSI/AIHA Z10-2005, the OccupationalHealth and Safety Management Systems

Standard, was published 6 years after thesecretariat received ANSI approval to

begin work on it.Assume that the NIOSH initiative,

which is a several-year undertaking, issuccessful. Since hazards analyses andrisk assessments are the core of the PtD

concept, the impact on safety practition-ers with respect to their knowledge needs

will be significant. As a primer, this paperis written to address those needs.

Promoting the acquisition of knowl-edge of safety through design/prevention

ByDesi g nAMERICAN SOCIETY OF SAFETY ENGINEERS www.asse.org

A TECHNICAL PUBLICATION OF ASSE’S ENGINEERING PRACTICE SPECIALTY

The Engineering Practice Specialty (EPS)has developed this special issue of

ByDesign to highlight the importance of designing out or minimizing hazards and risksearly in the design and redesign processes toprevent and control occupational injuries, ill-nesses and fatalities. Fred A. Manuele, P.E.,CSP, president of Hazards Limited, hasauthored this issue’s featured article, “Preven-tion through Design: Addressing OccupationalRisks in the Design and Redesign Processes.”EPS believes this article effectively explains thecore of the prevention through design concept,and we hope that such concepts will lead toestablished principles, methodologies and stan-dards for controlling hazards and risks duringthe design and redesign processes.

Bruce L. Rottner Engineering Practice Specialty

Administrator

The National Institute for Safety and

Health (NIOSH) held a workshopin July 2007 to obtain the views of

a variety of stakeholders on a major ini-

tiative to “create a sustainable nationalstrategy for Prevention through Design.”

Some of the participants expressed theview that the long-term impact of the

NIOSH initiative could be “transforma-tive,” meaning that a fundamental shiftcould occur in the practice of safety

resulting in greater emphasis being givento the higher and more effective decision

levels in the hierarchy of controls. Forthis initiative, the NIOSH Mission is:

To reduce the risk of occupational

injury and illness by integrating

decisions affecting safety and health

in all stages of the design process.

To move toward fulfillment of its mis-sion, NIOSH Director Dr. John Howard

has said that:

One important area of emphasis will be

to examine ways to create a demand for

graduates of business, architecture, and

engineering schools to have basic

knowledge in occupational health and

safety principles and concepts.

The Prevention through Design (PtD)

initiative is based on the premise, as stat-

ed in NIOSH literature, that “One of the

best ways to prevent and control occupa-tional injuries, illnesses, and fatalities isto design out or minimize hazards and

risks early in the design process.” A defi-nition of PtD was written that limited the

activity to “early in the design process.”At the July 2007 workshop, a large num-

ber of participants wanted the conceptextended to include the redesign activitiesin which they are participants. A revised

definition was written.

Prevention through Design (PtD):

Addressing occupational safety and

health needs in the design and

redesign processes to prevent or

minimize the work-related hazards

and risks associated with the con-

struction, manufacture, use, mainte-

nance, and disposal of facilities,

materials and equipment.

Enthusiasm for additional knowledge

of prevention through design principlesand practices was significant. Severalattendees said it would be helpful if a reg-

ulation or a standard was in place thatsets forth the principles and the method-

ologies to address hazards and risks in thedesign and redesign processes. The prob-

ability that OSHA could promulgate a

Prevention through Design:

Addressing Occupational Risksin the Design & Redesign ProcessesBy Fred A. Manuele, P.E., CSP

ByDesi g nAMERICAN SOCIETY OF SAFETY ENGINEERS www.asse.org

continued on page 2



through design concepts is in concert

with the ASSE position paper on design-ing for safety approved by the Board of

Directors in 1994. The opening paragraphof that paper reads as follows.

Designing for Safety (DFS) is a

principle for design planning for

new facilities, equipment, and oper-ations (public and private) to con-

serve human and natural resources,

and thereby protect people, proper-

ty and the environment.

DFS advocates systematic process

to ensure state-of-the-art engineering

and management principles are used

and incorporated into the design of

facilities and overall operations to

assure safety and health of workers,

as well as protection of the environ-

ment and compliance with current

codes and standards.

1.0 Scope & Purpose1.1 This paper provides guidance on

incorporating decisions pertaining tooccupational risks into design and

redesign processes, including considera-tion of the life cycle of facilities, materi-

als and equipment.1.2 The goals of applying prevention

through design principles are to:1.2.1Achieve safety, defined as that

state for which the risks are at an accept-

able level, and1.2.2 Minimize the occurrence of occu-

pational injuries, illnesses and fatalities.

Since this paper is prompted by a

NIOSH initiative, and since NIOSH

is exclusively an occupational safe-

ty and health entity, the scope of

this paper relates principally to the

elimination, reduction or control of

occupational risks.

But, it would be folly to ignore

the fact that the events or exposures

that have the potential to result inoccupational injuries and illnesses

can also result in damage to prop-

erty and business interruption, and

damage to the environment.

Reference is made in several places

in this paper to those additional

loss potentials.

Thus, the definition of safety

through design, a broader definition

than that for PtD, is included in the

list of definitions.

2.0 Application2.1 While these guidelines apply to all

occupational settings, the focus is on pro-viding assistance to managements, design

engineers, and safety professionals atsmaller locations, say with 500 or feweremployees.

2.2 These guidelines apply to the threemajor elements in the practice of safety:

2.2.1 Pre-operational, in the designprocess – where the opportunities are

greatest and the costs are lower for hazardand risk avoidance, elimination, or control.

2.2.2 In the operational mode – wherehazards are to be eliminated or controlledand risks reduced before their potentials

are realized and hazards-related incidentsor exposures occur.

2.2.3 Post-incident as investigationsare made of hazards-related incidents and

exposures to determine causal factors andrisk reduction measures.

3.0 DefinitionsAcceptable risk: That risk for which

the probability of a hazard-related incidentor exposure occurring and the severity of

harm or damage that may result are as lowas reasonably practicable, and tolerable inthe setting considered. (This definition

incorporates the ALARP concept.)ALARP: That level of risk which can

be further lowered only by an incrementin resource expenditure that cannot be jus-

tified by the resulting decrement of risk.Design: The process of converting an

idea or market need into the detailedinformation from which a product ortechnical system can be produced.

Hazard: Potential for harm. Hazardsinclude all aspects of technology and

activity that produce risk. Hazardsinclude the characteristics of things

(equipment, dusts) and the actions orinactions of people.

Hazard analysis: A process that com-

mences with recognition of a hazard and

proceeds into an estimate of the severityof harm or damage that could result if ahazard’s potential is realized and a haz-

ard-related incident or exposure occurs.Hierarchy of controls: A systematic

way of thinking, considering steps in a

ranked and sequential order, to choose themost effective means of eliminating or

reducing hazards and the risks that derivefrom them.

Life cycle: The phases of the facility,equipment and material, including: design

OFFICERSADMINISTRATOR

Bruce L. Rottner201.287.1766

[email protected]

ASSISTANT ADMINISTRATOR

J. Nigel Ellis302.571.8470

[email protected]

NEWSLETTER EDITOR

J. Nigel [email protected]

COMMITTEESA WARDS & HONORS

Open

BODY OF KNOWLEDGE

Dennis [email protected]

CONFERENCES & SEMINARS

Open

MEMBERSHIP DEVELOPMENT

Gina Mayer-Costa [email protected]

NOMINATIONS

John W. [email protected]

WEBSITE DEVELOPMENT

Magdy [email protected]

STAFF LIAISON

Rennie Heath

847.768.3436

[email protected]

NEWSLETTER DESIGN &PRODUCTION

Susan Carlson

ASSE headquarters staff [email protected]

ByDesign is a publication of ASSE’s Engineering

Practice Specialty, 1800 E. Oakton St., Des Plaines,

IL 60018, and is distributed free of charge to mem-

bers of the Engineering Practice Specialty. The opin-

ions expressed in articles herein are those of the

author(s) and are not necessarily those of ASSE.

Technical accuracy is the responsibility of the

author(s). Please send address changes to the

address above; fax to (847) 768-3434; or send via

e-mail to [email protected].

ByDesi g n

Engineering Practice Specialty

2

Special Issue

Prevention through Design

continued from page 1



and construction, operation, maintenance,

and disposal.Prevention through Design:Address-

ing occupational safety and health needs in

the design and redesign processes to pre-

vent or minimize the work-related hazardsand risks associated with the construction,

manufacture, use, maintenance, and dispos-

al of facilities, materials and equipment.

Probability:The likelihood of an inci-dent or exposure occurring that could

result in harm or damage—for a selectedunit of time, events, population, items oractivity considered.

Residual risk: The risk remaining afterpreventive measures have been taken. Nomatter how effective the preventive actions,there will always be residual risk if a facili-ty or operation continues to exist.

Risk: An estimate of the probability of a hazards-related incident or exposureoccurring and the severity of harm or

damage that could result.Risk assessment: A process that com-mences with hazard identification andanalysis, through which the probable sever-ity of harm or damage is established, andconcludes with an estimate of the probabil-ity of the incident or exposure occurring.

Safety: That state for which the risksare at an acceptable level, and tolerable inthe setting being considered.

Safety through Design: The integra-tion of hazard analysis and risk assess-ment methods early in the design and

redesign processes and taking the actionsnecessary so that the risks of injury ordamage are at an acceptable level. Thisconcept encompasses facilities, hardware,equipment, tooling, materials, layout andconfiguration, energy controls, environ-mental concerns, and products.

Severity: The extent of harm or dam-age that could result from a hazard-relat-ed incident or exposure.

4.0 Responsibility4.1 Location management shall provide

the leadership to institute and maintain apolicy and procedures within the designand redesign processes through which:

4.1.1 Hazards are identified and ana-lyzed.

4.1.2 Risks deriving from identified

hazards are assessed and prioritized.

4.1.3 Risks are reduced to an acceptable

level through the application of the hierar-chy of controls described in Section 13.

4.2 These methods are to be appliedwhen:

4.2.1 New facilities, equipment, and

processes are acquired.

4.2.2Alterations are made in existing

facilities, equipment, and processes.

4.2.3 Incident investigations are made.

4.3All who have design responsibilities,the operations personnel who will be affect-

ed, and safety practitioners are to be involv-ed as participants in the decision making.

4.4 In carrying out these responsibili-ties, management may:

4.4.1 Designate qualified in-house per-

sonnel to identify and analyze hazardsand assess the risks deriving from them

for operations in place. 4.4.2 Engage independent contractors

with capabilities in hazard identificationand analysis and risk assessments as con-sultants to assist with respect to opera-

tions in place and in the acquisition of new facilities, equipment or materials.

4.4.3 Enter into arrangements withsuppliers of newly acquired facilities,

equipment or materials to fulfill theseresponsibilities, as in 5.0.

5.0 Relationships with Suppliers5.1 A large majority of employers will

not have design or technical staffs indepth to fulfill the requirements of 4.0.Thus, to avoid bringing hazards and risksinto the workplace when new facilities,equipment and processes are consideredand to assure that hazards and risks areproperly considered when alterations are

made in existing operations by contrac-tors, location management should:

5.1.1 Establish its design specificationsand objectives.

5.1.2 Have an in-depth dialogue withsuppliers and contractors on the expecteduse of the facilities, equipment andprocesses.

5.1.3 Include specifications in purchas-ing agreements and contracts for servicesto minimize bringing hazards and theirrelated risks into the workplace.

5.1.4 Ask suppliers of services to attest

that processes have been applied to iden-tify and analyze hazards and to reduce therisks deriving from those hazards to anacceptable level.

There is a precedent for such an

arrangement. Manufacturers of

equipment to go into a workplace in

the European Community are

required by International Organiza-

tion for Standardization (ISO) stan-

dards to certify that they have met

applicable standards, among which

is ISO 12100-1, Safety of Machinery:

Basic concepts, general principles

for design; Part 1, Basic terminolo-

gy, methodology. That standard

requires that risk assessments be

made as outlined in ISO 14121,

Safety of Machinery: Principles for

risk assessments.

5.1.5Arrange for persons on the orga-nization’s staff (design engineers, safetypractitioners, and maintenance personnel)

to visit the supplier of equipment that thestaff may consider hazardous or for

which design specifications have beenprovided the supplier before the equip-ment is shipped to assure that safety

needs have been met.

5.1.6 See that a test run of the equip-

ment is made during that visit.

5.1.7 Have an additional validation test

run made after the equipment has been

installed during which safety personnel orothers sign off that safety needs have

been met.

6.0 Making Hazards Analyses& Risk Assessments

6.1 For many hazards and the risks

that derive from them, knowledge gainedby management personnel, design engi-

neers and safety practitioners througheducation and experience will lead toproper conclusions on how to attain an

acceptable risk level without bringingteams of people together for discussion.

6.2 For more complex risk situations, itis vital to seek the counsel of experienced

personnel at all levels who are close to thework or process. Reaching group consen-

sus is a highly desirable goal. Sometimes,for what a safety professional considersobvious, achieving consensus is still desir-

able so that buy-in is obtained for theactions to be taken.

6.3 The goal of the risk assessmentprocess is to achieve acceptable risk levels.

The process is not complete until accept-able risk levels are achieved.

6.4 A general guide follows in 7.0 onhow to make a hazard analysis and how to

extend the process into a risk assessment.

6.5Whatever the simplicity or complexi-

ty of the hazard/risk situation, and whatev-

er analysis method is used (there are

many), the thought and action process in

7.0 applies.

By Design

3

continued on page 4



7.0 The Hazard Analysis& Risk Assessment Process

Although the focus in this paper is on

eliminating, reducing, and control-

ling occupational risks, the process

outlined here is equally applicable in

avoiding injury to the public, damage

to property and business interruption,damage to the environment, and

product liability incidents.

7.1 Establish the analysis parameters.

Select a manageable task, system, process

or product to be analyzed, and establish its

boundaries and operating phase (e.g., stan-

dard operation, maintenance, startup).

7.1.1 Define its interface with othertasks or systems, if appropriate.

7.1.2 Determine the scope of the

analysis in terms of what can be harmedor damaged—people (employees, the

public); property; equipment; productivi-ty; the environment.

7.2 Identify the hazard.A frame of thinking should be adopted that gets to

the bases of causal factors, which are haz-ards. These questions should be asked:

7.2.1What are the aspects of technolo-gy or activity that produce risk?

7.2.2What are the characteristics of

things (equipment, dusts) or the actions orinactions of people that present a poten-

tial for harm?

7.2.3 Depending on the complexity of the hazardous situation, some or all of thefollowing may apply.

a) Use intuitive engineering and opera-tional sense.

b) Examine system specifications and

expectations.c) Review codes, regulations, and con-

sensus standards.d) Interview current or intended sys-

tem users or operators.

e) Consult checklists.f) Review studies from similar systems.

g) Consider the potential for unwantedenergy releases.

h) Take into account possible expo-sures to hazardous environments.

i) Review historical data – industryexperience, incident investigation reports,OSHA and National Safety Council data,

manufacturer’s literature. j) Brainstorm.

7.3 Consider the failure modes. De-fine the possible failure modes that would

result in realization of the potentials of the

hazards. Both the intentional and foresee-able misuse of facilities, equipment, and

materials should be considered. Ask:7.3.1What circumstances can arise

that would result in the occurrence of anundesirable event?

7.3.2 What controls are in place that

mitigate against the occurrence of such an

event or exposure?7.3.3 How effective are the controls?7.3.4 Can controls be maintained easily?

7.3.5 Can controls be defeated easily?

7.4 Determine the frequency and

duration of exposure. For each harm ordamage category selected for the scope of the analysis (people, property, business

interruption etc.), estimate the frequencyand duration of the exposure to the haz-

ard. This is a very important part of thisexercise. For instance, in a workplace sit-

uation, more judgments than one might

realize will be made in this process. Ask:7.4.1 How often is a task performed?

7.4.2 How long is the exposure period?

7.4.3 How many people are exposed?

7.4.4What property or aspects of theenvironment are exposed?

7.5 Assess the severity of conse-

quences. On a subjective basis, the goal

is to decide on the worst credible conse-quences should an incident occur, not theworst conceivable consequence. (In

Section 11.0, see Tables 7 and 8 for

examples of severity categories.)Historical data can be of great value as abaseline. Informed speculations are made

to establish the consequences of an inci-dent or exposure. Consider the:

7.5.1 Number of injuries or illnesses

and their severity and fatalities.

7.5.2Value of property or equipment

damaged.

7.5.3 Time for which the business will

be interrupted and productivity will be lost.7.5.4 Extent of environmental damage.

When the severity of the outcome of

a hazards-related incident or expo-sure is determined, a hazard analy-

sis has been completed .

7.6 Determine occurrence probabili-

ty. Extending the hazard analysis into arisk assessment requires the one additional

step of estimating the likelihood or proba-bility of a hazardous event or exposureoccurring. (In Section 11.0, see Tables 5

and 6 for possible probability categories.)

7.6.1 Unless empirical data are avail-

able (and that would be a rarity), the

process for selecting the probability thatan incident or exposure will occur is

subjective.

7.6.2 For the more complex hazardous

situation, brainstorming with knowledge-able people is necessary.

7.6.3 To be meaningful, probability

must be related to an interval base of

some sort, such as a unit of time or activi-ty, events, units produced, or the lifecycle of a facility, equipment, process, or

a product.

7.7 Define the risk. Conclude with astatement that includes the:

7.7.1 Probability of a hazards-relatedincident or exposure occurring.

7.7.2 Expected severity of adverseresults.

7.7.3 Risk category. (For example,high, serious, moderate or low.)

7.7.4A risk assessment matrix should

be used to identify risk categories. Amatrix assists in communicating with the

decision makers on the risk levels. (SeeSection 9.0 for examples of risk assess-

ment matrices.)

7.8 Rank risks in priority order. A

risk ranking system should be adopted sothat priorities can be established.

7.8.1 Since the risk assessment exer-cise is subjective, the risk ranking systemwould also be subjective.

7.8.2 Prioritizing risks gives manage-

ment the knowledge needed on the poten-tials risks produce for harm or damage sothat intelligent resource allocations can be

made for their elimination or reduction.

7.9 Develop remediation proposals.

When the results of the risk assessmentindicate that risk elimination, reduction,

or control measures are to be taken toachieve acceptable risk levels:

7.9.1Alternate proposals for the

design and operational changes necessaryto achieve an acceptable risk level would

be recommended.7.9.2 The actions as shown in the hierar-

chy of controls (Section 13.0) would be the

base upon which remedial proposals are

made, in the order of their effectiveness.

7.9.3 Remediation cost for each pro-posal would be determined and an esti-

mate would be given of its effectivenessin achieving risk reduction.

7.9.4 Risk elimination or reduction

methods would be selected and imple-mented to achieve an acceptable risk level


4

Special Issue




7.10 Follow up on actions taken.

Although a hazard analysis and a risk assessment results from applying the

steps in the preceding outline, good man-agement requires that the effectiveness of

the actions taken be determined. Follow-up activity would determine that the:

7.10.1 The hazard/risk problem was

resolved, only partially resolved, or not

resolved.7.10.2 Actions taken did or did notcreate new hazards.

7.10.3 If an acceptablerisk level is not achieved,or if new hazards are

introduced, the risk is tobe re-evaluated and other

countermeasures are tobe proposed.

7.11 Document the

results. Documentation,

whether compiled under

the direction of locationmanagement or by the

provider of equipment or services, shouldinclude comments on the:

7.11.1 Risk assessment method(s) used.

7.11.2 Hazards identified.

7.11.3 Risks deriving from the hazards.7.11.4 Reduction measures taken to

attain acceptable risk levels.

8.0 Residual Risk8.1 Residual risk is the risk remaining

after preventive measures have beentaken. No matter how effective the pre-ventive actions, there will always be

residual risk if an activity continues.Attaining zero risk is not possible.

8.2 If the residual risk is not accept-

able, the action outline set forth in theforegoing hazard analysis and risk assess-

ment process (7.0) would be appliedagain. (Addendum A is an outline of one

company’s risk assessment process.)

9.0 Risk Assessment Matrices9.1 A risk assessment matrix provides

a method to categorize combinations of probability of occurrence and severity of

harm, thus establishing risk levels. Amatrix helps in communicating with deci-sion makers on risk reduction actions to

be taken. Also, risk assessment matricescan be used to compare and prioritize

risks, and to effectively allocate mitiga-

tion resources. Safety practitioners mustunderstand that definitions of the terms

used for incident probability and severityand for risk levels vary greatly in the

many risk assessment matrices in use.

9.2 Thus, safety practitioners should

create and obtain broad approval for a risk

assessment matrix that is suitable to the

hazards and risks with which they deal.

9.3 Three examples of risk assessment

matrices are provided here to serve as ref-erences.

9.3.1 Table 1 is an adaptation from a

matrix in MIL-STD-882 D, the Depart-ment of Defense Standard Practice forSystem Safety. (MIL-STD-882, first

issued in 1969, is the grandfather of risk assessment matrices.) 9.3.2 This second exhibit of a risk

assessment matrix (Table 2) is a composite

of matrices that include numerical values

for probability and severity levels that are

transposed into risk scorings. It is presented

here for people who prefer to deal with

numbers rather than qualitative indicators.

(A word of caution: The numbers are

arrived at judgmentally and are qualitative.)

9.3.3 Table 3 is taken from the Risk Estimation Matrix that appears in ANSI

B11.TR3-2000, the ANSI TechnicalReport titled Risk Assessment and Risk Reduction: A Guide to Estimate, Evaluate

and Reduce Risks Associated with

By Design

5

continued on page 6

TABLE 1 Risk Assessment Matrix

Occurrence Severity of Consequence

Probability Catastrophic Critical Marginal Negligible

Frequent High High Serious Medium

Probable High High Serious Medium

Occasional High Serious Medium Low

Remote Serious Medium Medium Low

Improbable Medium Medium Medium Low

TABLE 2 Risk Assessment Matrix: Numerical Gradings

Severity Levels Occurrence Probabilities & Values

& Values Frequent (5) Likely (4) Occasional (3) Seldom (2) Unlikely (1)

Catastrophic(5) 25 20 15 10 5

Critical (4) 20 16 12 8 4

Marginal (3) 15 12 9 6 3

Negligible (2) 10 8 6 4 2

Insignificant (1) 5 4 3 2 1

Very high risk: 15 or greater High risk: 9 to 14 Moderate risk: 4 to 8 Low risk: Under 4

TABLE 3 Risk Assessment Matrix: ANSI B11.TR3-2000

Occurrence Severity of Harm

Probability Catastrophic Serious Moderate Minor

Very likely High High High Medium

Likely High High Medium Low

Unlikely Medium Medium Low Negligible

Remote Low Low Negligible Negligible

TABLE 4 Management Decision Levels

Risk Category Remedial Action or Acceptance

High Operation not permissible.

Serious Remedial action to have high priority.

Medium Remedial action to be taken in appropriate time.

Low Risk is acceptable; remedial action discretionary.



Special Issue


Machine Tools. It is the basis on whichthe risk assessments shown in Addendum

B were made.

10.0 Management Decision Levels10.1 Remedial action or acceptance lev-

els must be attached to the risk categoriesto permit intelligent management decision-making. Table 4 provides a basis forreview and discussion. Other safety practi-

tioners who craft risk assessment matricesmay have differing ideas about acceptable

risk levels and the management actions tobe taken in a given risk situation.

11.0 Descriptions of the Terms:Probability & Severity

11.1 There is no one right method in

selecting probability (likelihood) andseverity categories and their descriptions,and many variations are in use. Examplesin Tables 5 through 8 show variations in

the terms and their descriptions as used inapplied risk assessment processes for

probability of occurrence and severity of consequence.

12.0. Descriptions of Hazards Analyses& Risk Assessment Techniques

12.1 Over the past 40 years, many

hazard analysis and risk assessment tech-niques have been developed. For exam-ple, Pat Clemens gave brief descriptions

of 25 techniques in “A Compendium of

Hazard Identification & Evaluation

Techniques for System SafetyApplications.” In the System Safety

Analysis Handbook, 101 methods aredescribed. Brief descriptions are given

here of purposely selected hazard analysistechniques.

If a safety practitioner understands all

of them and is capable of bringing them

to bear in resolving hazards and risk situ-ations, he or she will be exceptionallywell qualified to give counsel on risk

assessments. As a practical matter, havingknowledge of three risk assessment con-cepts will be sufficient to address most

risk situations. They are initial hazardanalysis and risk assessment; the what-

if/checklist analysis methods; and failuremode and effects analysis (FMEA).

12.2 It is important to understand that

each of those techniques complements,rather than supplants, the others.

Selecting the technique or a combinationof techniques to be used to analyze a haz-

ardous situation requires good judgmentbased on knowledge and experience.

12.3 Qualitative rather than quantita-tive judgments will prevail. For all but the

complex risks, qualitative judgments willbe sufficient.

12.4 Sound quantitative data on inci-

dent and exposure probabilities is seldomavailable. Many quantitative risk assess-

ments are really qualitative risk assess-

ments because so many judgments mustbe made in the process to decide on the

probability levels selected.

12.5

Preliminary

Hazard

Analysis

(PHA): Initial

Hazard

Analysis and

Risk Assess-

ment

12.5.1 Theorigin of thePHA tech-

nique is in sys-tem safety. Itwas to identify

and evaluatehazards in the

very earlystages of the

designprocess.

However, in actual practice the techniquehas attained much broader use. The prin-ciples on which preliminary hazards

analyses are based are used not only inthe initial design process, but also in

assessing the risks of existing products oroperations. Thus, the technique needs a

new name: Initial Hazard Analysis andRisk Assessment. (Take note to avoid

confusion, for OSHA’s Rule For ProcessSafety Management Of HighlyHazardous Chemicals and for EPA’s Risk

Management Program for ChemicalAccidental Release Prevention, PHA

stands for process hazard analysis.)12.5.2 Headings on initial hazard

analysis forms will include the typicalidentification data: date, names of evalua-tors, department and location. The follow

ing information is usually included in aninitial hazard analysis process.

a) Hazard description, sometimes

called a hazard scenario.b) Description of the task, operation,

system, subsystem or product analyzed.c) Exposures to be analyzed: people

(employees, the public); facility, productor equipment loss; operation down time;

environmental damage.d) Probability interval to be consid-

ered: unit of time or activity; events; unitsproduced; life cycle.

e) Risk assessment code, using the

agreed upon risk assessment matrix.f) Remedial action to be taken, if risk

reduction is needed.12.5.3 A communication accompanies

the analysis, indicating the assumptionsmade and the rationale for them.

Comment would be made on the assign-ment of responsibilities for the remedialactions to be taken and expected comple-

tion dates. An initial hazard analysis andrisk assessment worksheet appears as

Addendum B in this paper, courtesy of Design Safety Engineering Inc.

12.6 What-if analysis

12.6.1For a what-if analysis, a groupof people (as little as two, but often sever-

al more) use a brainstorming approach toidentify hazards, hazard scenarios, failure

modes, how incidents can occur and theirprobable consequences.

12.6.2 Questions posed during thebrainstorming session may commence

with what-if, as in “What if the air condi-tioning fails in the computer room?” ormay express general concerns, as in “I

worry about the possibility of spillage


TABLE 5 Probability Descriptions: Example ADescriptive Word Probability Descriptions

Frequent Likely to occur repeatedly

Probable Likely to occur several times

Occasional Likely to occur sometime

Remote Not likely to occur

Improbable So unlikely, can assume occurrence

will not be experienced

TABLE 6 Probability Descriptions: Example BDescriptive Word Probability Descriptions

Frequent Could occur annually

Likely Could occur once in 2 years

Possible Not more than once in 5 years

Rare Not more than once in 10 years

Unlikely Not more than once in 20 years



and chemical contamination during truck offloading.”

12.6.3All of the questions are recorded,

and assigned for investigation. Each sub- ject of concern is then addressed by one ormore team members. They would considerthe potential of the hazardous situation and

the adequacy or inadequacy of risk con-trols in effect, suggesting additional risk

reduction measures if appropriate.

12.7 Checklist analysis

12.7.1 Checklists are primarily adapta-tions from published standards, codes,and industry practices. There are many

such checklists. They consist of questions

pertaining to the applicable standards andpractices, usually with a yes or no or notapplicable response. Their purpose is to

identify deviations from the expected, andthereby possible hazards. A checklist

analysis requires a walk-through of thearea to be surveyed. Checklists are easyto use and provide a cost-effective way to

identify customarily recognized hazards.

12.7.2 Nevertheless, the quality of

checklists depends on the experience of the people who develop them. Further,

they must be crafted to suit particularfacility/operations needs. If a checklist is

incomplete, the analysis may not identify

some hazardous situations.

12.8 What-if/checklist analysis

12.8.1 A what-if/checklist hazardanalysis technique combines the creative,

brainstorming aspects of the What-If method with the systematic approach of aChecklist. Combining the techniques can

compensate for the weaknesses of each.

12.8.2 The what-if part of the process,

using a brainstorming method, can helpthe team identify hazards that have the

potential to be the causal factors for inci-

dents, even though no such incidents haveyet occurred. The checklist provides asystematic approach for review that canserve as an idea generator during the

brainstorming process. Usually, a teamexperienced in the design, operation, and

maintenance of the operation performsthe analysis.

12.9 Hazard and operability analysis

12.9.1 The hazard and operabilityanalysis (HAZOP) technique was devel-

oped to identify both hazards and oper-

ability problems in chemical processplants. It has subsequently been appliedto a wide range of industry processes and

equipment. An interdisciplinary team andan experienced team leader are required.

12.9.2 In a HAZOP application, aprocess or operation is systematically

reviewed to identify deviations fromdesired practices that could lead to

adverse consequences. HAZOPs can beused at any stage in the life of a process.

12.9.3 HAZOPs usually require pre-

work in gathering materials and a seriesof meetings in which the team, using

process drawings, systematically evalu-ates the impact of deviations from thedesired practices. The team leader uses a

set of guide words to develop discussions

12.9.4 As the team reviews each step

in a process, recordings are made of:a) deviations;

b) their causal factors;

c) consequences should an incidentoccur;

d) safeguards in place;e) required actions, or the need for more

information to evaluate the deviation.

12.10 Failure modes & effects analysis

12.10.1 In several industries, failuremodes and effects analyses (FMEA) havebeen the techniques of choice by design

engineers for reliability and safety con-siderations. They are used to evaluate the

ways in which equipment fails and theresponse of the system to those failures.

12.10.2 Although FMEA is typicallymade early in the design process, thetechnique can also serve well as an analy-

sis tool throughout the life of equipmentor a process.

12.10.3 An FMEA produces qualitative,systematic lists that include the failure

modes, the effects of each failure, safe-guards that exist, and additional actions

that may be necessary. For example, for apump, the failure modes would includefails to stop when required; stops when

required to run; seal leaks or ruptures; andpump case leaks or ruptures.

12.10.4 Both the immediate effectsand the impact on other equipment wouldbe recorded. Generally, when analyzing

impacts, the probable worst case isassumed and analysts would conclude

that existing safeguards do or do notwork. Although an FMEA can be made

by one person, it is typical for a team tobe appointed when there is complexity.

By Design

7

continued on page 8

TABLE 7 Severity Descriptions for Multiple Harm& Damage Categories: Example A

Catastrophic Death or permanent total disability, system loss, major

property damage and business down time

Critical Permanent, partial or temporary disability in excess of

3 months, major system damage, significant property dam-

age and downtime

Marginal Minor injury, lost workday accident, minor system damage,minor property damage and little downtime

Negligible First-aid or minor medical treatment, minor system

impairment

TABLE 8 Severity Descriptions for Multiple Harm& Damage Categories: Example B

Catastrophic One or more fatalities, total system loss, chemical release

with lasting environmental or public health impact

Critical Disabling injury or illness, major property damage and

business down time, chemical release with temporary envi-ronmental or public health impact

Marginal Medical treatment or restricted work, minor subsystem loss

or damage, chemical release triggering external reporting

requirements

Negligible First aid only, non-serious equipment or facility damage, chemi-

cal release requiring only routine cleanup without reporting



Special Issue


12.10.5 In either case, the traditionalprocess is similar, as in the following.

a) Identify the item or function to beanalyzed

b) Define the failure modesc) Record the failure causes

d) Determine the failure effectse) Enter a severity code and a proba-

bility code for each effect

f) Enter a risk codeg) Record the actions required to

reduce the risk to an acceptable level

12.10.6 The FMEA process described

here requires entry of probability, severi-ty, and risk codes. A FMEA form onwhich those codes would be entered is

provided here as Addendum C.(Good ref-erences explaining risk coding for FMEA

purposes are the reference manual titled

Potential Failure Mode and Effects Analysis issued by the AutomotiveIndustry Action Group; and the semicon-ductor industry publication Failure Mode

and Effects Analysis (FMEA): A Guide

for Continuous Improvement for the

Semiconductor Equipment Industry.)

12.11 Fault tree analysis

12.11.1 A fault tree analysis (FTA) is a

top-down, deductive logic model that traces

the failure pathways for a predetermined,

undesirable condition or event, called the

TOP event. An FTA can be carried out

either quantitatively or subjectively.

12.11.2 It is emphasized that a subjec-tive (or qualitative) analysis can produce

suitable results, especially when quantita-tive numbers are not available. The FTA

generates a fault tree (a symbolic logicmodel) entering failure probabilities forthe combinations of equipment failures

and human errors that can result in theaccident. Each immediate causal factor is

examined to determine its subordinatecausal factors until the root causal factors

are identified.12.11.3The strength of an FTA is its

ability to identify combinations of basic

equipment and human failures that canlead to an accident, allowing the analyst

to focus preventive measures on signifi-cant basic causes.

12.11.4An FTA has particular valuewhen analyzing highly redundant systemsand high-energy systems in which high-

severity events can occur. For systemsvulnerable to single failures that can lead

to accidents, the FMEA and HAZOP

techniques are better suited.

12.11.5 FTA is often used when anoth-

er technique has identified a hazardoussituation that requires more detailed

analysis. Making a fault tree analysis of other than the simplest systems requiresthe talent of experienced analysts.

12.12 Management oversight and

risk tree12.12.1All of the hazard analysis and

risk assessment techniques previously

discussed relate principally to the initialdesign process in the pre-operationalmode, or to the redesign process to

achieve risk reduction in the operationalmode. Management Oversight and Risk

Tree (MORT) is relative to the post-inci-dent element of the practice of safety.

12.12.2 MORT was developed princi-pally for incident investigations. In theAbstract for the Guide To Use Of The

Management Oversight And Risk Tree,this is how MORT is described:

MORT is a comprehensive analyticalprocedure that provides a disciplined

method for determining the systemiccauses and contributing factors of acci-dents. MORT directs the user to the haz-

ards and risks deriving from both system

design and procedural shortcomings

(emphasis added).

12.2.3 MORT provides an excellent

resource for the post-incident element of

the practice of safety during which thehazard identification and analysis and risk assessment methods described here canbe used.

13.0 Hierarchy of Controls13.1 A hierarchy is a system of per-

sons or things ranked one above the other.A hierarchy of controls provides a sys-

tematic way of thinking, consideringsteps in a ranked and sequential order, tochoose the most effective means of elimi-

nating or reducing hazards and the risks

that derive from them. Acknowledgingthat premise—that risk reduction meas-ures should be considered and taken in a

prescribed order—represents an impor-tant step in the evolution of the practice

of safety.

13.2 A major premise to be considered

in applying a hierarchy of controls is thatthe outcome of the actions taken is to be

an acceptable risk level.

13.3 Acceptable risk, as previously

defined, is that risk for which the proba-

bility of a hazard-related incident orexposure occurring and the severity of

harm or damage that could result are aslow as reasonably practicable, and tolera-

ble in the situation being considered.

13.4 That definition requires taking

into consideration:a) avoiding, eliminating or reducing

the probability of a hazard-related inci-dent or exposure occurring;

b) reducing the severity of harm or

damage that may result, if an incident orexposure occurs;

c) the feasibility and effectiveness of the risk reduction measures to be taken,and their costs, in relation to the amount

of risk reduction to be achieved.

13.5 Decision makers should under-

stand that, with respect to the six levels ofaction shown in the hierarchy of controls

in 13.6 that:13.5.1 The ameliorating actions de-

scribed in the first, second, and third actionlevels are more effective because they:

a) are preventive actions that eliminate

or reduce risk by design, substitution, andengineering measures;

b) rely the least on the performance of personnel;

c) are less defeatable by supervisors orworkers.

13.5.2 Actions described in the fourth,

fifth and sixth levels are contingent

actions and rely greatly on the perform-ance of personnel for their effectiveness.

13.6 The following hierarchy of con-

trols is considered state-of-the-art. It iscompatible with the hierarchy of controls

in ANSI/AIHA Z10-2005.a) Eliminate or reduce risks in the

design and redesign processes.

b) Reduce risks by substituting lesshazardous methods or materials.

c) Incorporate safety devices.d) Provide warning systems.

e) Apply administrative controls (work

methods, training, work scheduling, etc.).f) Provide PPE.

14.0. The Logic of Taking Actionin the Order Given

Comments follow on each of the

action elements listed in the preced-

ing hierarchy of controls, including

the rationale for listing actions to

be taken in the order given. Taking

actions in the prescribed order, as




feasible and practicable, is the most

effective means to achieve risk

reduction.

14.1 Eliminate or reduce risks in the

design and redesign processes

14.1.2 The theory is plainly stated. If

hazards are eliminated in the design and

redesign processes, risks that derive from

those hazards are also eliminated. But, elim-

ination of hazards completely by modifyingthe design may not always be practicable.

Then, the goal is to modify the design, with-

in practicable limits, so that the:

a) probability of personnel makinghuman errors because of design inade-

quacies is at a minimum;b) ability of personnel to defeat the

work system and the work methods pre-

scribed, as designed, is at a minimumExamples are designing to eliminate

or reduce the risk from fall hazards;ergonomic hazards; confined space entry

hazards; electrical hazards; noise hazards;and chemical hazards.

14.2 Substitution of less hazardous

methods or materials

14.2.1 Substitution of a less hazardous

method or material may or may not resultin equivalent risk reduction in relation to

what might be the case if the hazards andrisks were reduced to a practical mini-

mum through system design or redesign.Consider this example.

Considerable manual material handling

is necessary in a mixing process for chemi-cals. A reaction takes place and an employ-

ee sustains serious chemical burns. Thereare identical operations at two of the com-

pany’s locations. At one, the operation isre-designed so that it is completely

enclosed, automatically fed, and operatedby computer from a control panel, thusgreatly eliminating operator exposure.

At the other location, funds for doingthe same were not available. To reduce the

risk, it was arranged for the supplier to pre-mix the chemicals before shipment (substi-

tution). Some mechanical feed equipmentfor the chemicals was also installed. The

risk reduction achieved by substitution wasnot equivalent to that attained by re-design-ing the operation. Additional administrative

controls had to be applied.Methods that illustrate substituting less

hazardous methods, materials, or process-es for that which is more hazardousinclude using automated material han-

dling equipment rather than manual mate-rial handling; providing an automatic feed

system to reduce machine hazards; using

a less hazardous cleaning material; reducespeed, force, amperage; reduce pressure,

temperature; replace an ancient steamheating system and its boiler explosion

hazards with a hot air system.

14.3 Incorporate safety devices

14.3.1 When safety devices are incor-porated in the system in the form of engi-

neering controls, substantial risk reduction can be achieved.

14.3.2 Engineered safety devices are to

prevent access to the hazard by workers.They are to separate hazardous energy

from the worker and deter worker error.Examples are machine guards; inter-

lock systems; circuit breakers; start-up

alarms; presence-sensing devices; safetynets; ventilation systems; sound enclo-

sures; fall prevention systems; and lifttables, conveyors and balancers.

14.4 Warning systems

14.4.1Warning system effectiveness

relies considerably on administrative con-

trols, such as training, drills, and the quality

of maintenance, and the reactions of people.

14.4.2 Although vital in many situa-

tions, warning systems may be reac-tionary in that they alert persons onlyafter a hazard's potential is in the process

of being realized (e.g., a smoke alarm).Examples are smoke detectors; alarm

systems; backup alarms; chemical detec-tion systems; signs; and alerts in operat-

ing procedures or manuals.14.5 Administrative controls

14.5.1Administrative controls rely on

the methods chosen as appropriate in rela-tion to the needs, the capabilities of peo-

ple responsible for their delivery andapplication, the quality of supervision, and

the expected performance of the workers.Some administrative controls are per-

sonnel selection; developing and applying

appropriate work methods and proce-dures; training; supervision; motivation,

behavior modification; work scheduling; job rotation; scheduled rest periods;

maintenance; management of change;investigations; and inspections.

14.5.3Achieving a superior level of

effectiveness in all of these administrativemethods is difficult and not often attained.

14.6 Provide PPE

14.6.1 The proper use of personal pro-tective equipment relies on an extensive

series of supervisory and personnel actions,such as the identification of the type of

equipment needed, its selection, fitting,training, inspection, maintenance, etc.

Examples include safety glasses; face

shields; respirators; welding screens; safe-ty shoes; gloves; and hearing protection.

14.6.2Although the use of personalprotective equipment is common and isnecessary in many occupational situations

it is the least effective method to deal with

hazards and risks. Systems put in placefor their use can easily be defeated.14.6.3 In the design processes, one of

the goals should be to reduce reliance on

personal protective equipment to a practical

minimum, applying the ALARP concept.

14.7 For many risk situations, a combi-nation of the risk management methods

shown in the hierarchy of controls is neces-sary to achieve acceptable risk levels. Butthe expectation is that consideration will be

given to each step in a descending orderand that reasonable attempts will be made

to eliminate or reduce hazards and theirassociated risks through steps higher in the

hierarchy before lower steps are consid-ered. A lower step is not to be chosen untilpractical applications of the preceding level

or levels are exhausted.

14.8 A yet unpublished document,MIL-STD-882E, includes provisions that

further explain the thought process thatshould govern when the hierarchy of con-

trols is applied. Excerpts follow from the“System safety mitigation order of prece-

dence” in 882E.14.8.1 In reducing risk, the cost, feasi-

bility and effectiveness of candidate miti-gation methods should be considered. Inevaluating mitigation effectiveness, an

order of precedence generally applies asfollows.

a) Eliminate hazard through design

selection. Ideally, the risk of a hazardshould be eliminated. This is often done

by selecting a design alternative thatremoves the hazard altogether.

b) Reduce mishap risk through design

alteration. If the risk of a hazard cannot beeliminated by adopting an alternativedesign, design changes should be consid-

ered that reduce the severity and/or theprobability of a harmful outcome.

c) Incorporate engineered safety fea-

tures (ESF). If unable to eliminate or ade-quately mitigate the risk of a hazard

through a design alteration, reduce therisk using an ESF that actively interruptsthe mishap sequence.

By Design

9

continued on page 10



Special Issue


d) Incorporate safety devices. If unable

to eliminate or adequately mitigate thehazard through design or ESFs, reduce

mishap risk by using protective safetyfeatures or devices.

e) Provide warning devices. If designselection, ESFs, or safety devices do notadequately mitigate the risk of a hazard,

include a detection and warning system toalert personnel to the presence of a haz-

ardous condition or occurrence of a haz-ardous event.

f) Develop procedures and training.

Where other risk reduction methods can-not adequately mitigate the risk from a

hazard, incorporate special proceduresand training. Procedures may prescribe

the use of personal protective equipment.

15.0 Conclusion15.1 It would be folly for safety pro-

fessionals to ignore the impact of thePrevention through Design/Safety

through Design movement on theirknowledge needs. It is becoming evident

that it’s all about risk, about being able toidentify and analyze hazards and assessthe risks deriving from them. The entirety

of purpose of those responsible for safety,whatever their titles, is to deal with haz-

ards so that the risks deriving from thosehazards are acceptable

15.2 This paper is a primer on

PtD/Safety through design. An extensivelist of references follows for those whowould like to continue their education.

ReferencesANSI/AIHA Z10-2005. Occupational

Health and Safety Management Systems.Fairfax, VA: American Industrial Hygiene

Association, 2005. www.aiha.org/marketplace.htm.

ANSI/PMMI B155.1-2006. SafetyRequirements for Packaging Machinery

and Packaging-Related ConvertingMachinery. Arlington, VA: Packaging

Machinery Manufacturers Institute, 2006.ANSI B11.TR3-2000. Risk Assess-

ment and Reduction: A Guide to Esti-

mate, Evaluate and Reduce RisksAssociated with Machine Tools. McLean,

VA: AMT, The Association forManufacturing Technology, 2000.

“ASSE Position Paper On Designingfor Safety”. Approved by the Board of Directors in 1994. Des Plaines, IL: ASSE.

Aviation Ground Operation Safety

Handbook (6th ed.) Itasca, IL: NationalSafety Council, 2007.

Clemens, P. “A Compendium of HazardIdentification and Evaluation Techniques

for System Safety Application.” Hazard

Prevention, March/April, 1982.Christensen, W.C. & Manuele, F.A.

Safety Through Design. Itasca, IL:

National Safety CouncilChristensen, W.C. “Retrofitting forSafety: Career implications for SH&E per-

sonnel.” Professional Safety, May 2007.Christensen, W.C. Safety Through

Design: Helping design engineers

answer10 key questions. ProfessionalSafety, March 2003.

Failure Mode and Effects Analysis: A

Guide for Continuous Improvement for

the Semiconductor Equipment Industry.Technology Transfer #92020963A-ENG.Austin, TX: International SEMATECH,

1992. Available at www.sematech.org.Guidance Document for Incorporating

Risk Concepts into NFPA Codes and

Standards. Quincy, MA: The Fire

Protection Research Foundation, 2007.Guide to Use of the Management Over-

sight and Risk Tree. SSDC-103. Washing-ton, DC: Department of Energy, 1994.

Guidelines for Hazard Evaluation

Procedures, 2nd ed. with worked exam-ples. A Center for Chemical Process Safety

1992 publication, now available throughJohn Wiley & Sons, Hoboken, NJ.

ISO 12100-1. Safety of Machinery:Basic concepts, general principles fordesign. Part 1. Basic terminology, method-

ology. Geneva, Switzerland: InternationalOrganization for Standardization, 2003.

ISO 14121. Safety of Machinery:Principles for risk assessment. Geneva,Switzerland: International Organization

for Standardization, 1999.Main, B. Risk Assessment: basics and

benchmarks. Ann Arbor, MI: DesignSafety Engineering Inc, 2004.

Main, B. “Risk assessment is coming.

Are you ready?” Professional Safety, July2002.

Main, B. “Risk assessment: A reviewof the fundamental principles.” Profes-

sional Safety, December 2004.Manuele, F.A. Advanced Safety

Management: Focusing on Z10 and

Serious Injury Prevention. Hoboken, NJ:

John Wiley & Sons, 2007.Manuele, F.A. “ANSI/AIHA Z10-2005: The new benchmark for safety

management systems.” Professional

Safety, February 2006.Manuele, F.A. On the Practice of

Safety, 3rd ed. Hoboken, NJ: John Wiley& Sons, 2003.

Manuele, F.A. “Risk Assessments andHierarchies of Control.” Professional

Safety, May 2005.MIL-STD-882D. Standard Practice for

System Safety. Washington: DC:

Department of Defense, 2000. Also athttp://www.safetycenter.navy.mil/instruc-

tions/osh/milstd882d.pdf#search='MIL-STD882D’.

Potential Failure Mode and Effects

Analysis. Southfield, MI: Automotive

Industry Action Group, 3rd ed., 2001.SFPE Engineering Guide to Fire Risk

Assessment. Bethesda, MD: The Society

of Fire Protection Engineers, 2006.Stephans, R. & Talso, W.W., eds.

System safety analysis handbook: a

sourcebook for safety practitioners.

Albuquerque, NM: New Mexico Chapter,System Safety Society, 1997.

Stephans, R.A. S ystem safety for the

21st century. Hoboken, NJ: John Wiley &Sons, 2004

Swain, A.D. “Work situation approachto improving job safety.”Albuquerque,

NM: Sandia Laboratories.Vincoli, J.W. Basic guide to system

safety. Hoboken, NJ: John Wiley & Sons,

1993.


ANSI/AIHA Z10 Is Here ANSI/AIHA Z10:

Occupational Health and Safety Management Systems

Call ASSE at (847) 699-2929 or visit www.asse.org.



By Design

11

ADDENDUM A The Risk Assessment Process

1) Data gathering

Injury and proactive data

2) Set the limits/scope of the strategy

leadership team sponsorship

3) Develop and charter risk

reduction team

4) Identify tasks and hazards

5) Assess risk—Initial risk

scoring system

6) Reduce risk

Hazard control hierarchy

7) Assess risk—Residual risk

scoring system

Residual risk

acceptable?

9) Controls measurement system10) New hazard

ID

Evaluation complete

Reevaluate tasks

and hazards

Yes

No

8) Results/documentation

Identify new

controls

Test/verify

current controls

Identify current

controls


http://slidepdf.com/reader/full/bydesignptdspecialfall2007 12/1312 Special Issue Prevention through Design

ADDENDUM B Initial Hazard Analysis & Risk Assessment Worksheet



ADDENDUM C Potential Failure Modes & Effects Analysis Sequence

Howbad is

it?

What are thecauses?

How oftendoes it

happen?

How can this beprevented and

detected? How good isthe method atdetecting it?

What can bedone?

•Design

changes

•Processchanges

•Specialcontrols

•Changes tostandards,proceduresor guides

What can gowrong?

•No function

•Partial/over/ degraded function

•Intermittentfunction

•Unintendedfunction

What are thefunctions, featuresor requirements?

Subsystem

FunctionReqt’s

Potential

Failure Mode

What are theeffect(s)?

Potential

Effect(s)

of Failure

S

E

V

Class

Potential

Cause(s)/

Mechanisms

of Failure

Current

Controls

Prevention

Occur Direction

R.P.N.

Detec

Recommended

Action(s)

Responsibility

& Target

Completion

Date

Action Results

Actions

Taken

Sev

Occ

Det

Note: Reprinted from Potential Failure Mode & Effect Analysis (3rd ed.) with permission of DaimlerChrysler, Ford and GM Supplier

Quality Requirements Task Force.

ByDesign_PtDSpecial_Fall2007

Documents

Transcript of ByDesign_PtDSpecial_Fall2007