ByDesign_PtDSpecial_Fall2007
-
Upload
authority0 -
Category
Documents
-
view
215 -
download
0
Transcript of ByDesign_PtDSpecial_Fall2007
![Page 1: ByDesign_PtDSpecial_Fall2007](https://reader033.fdocuments.us/reader033/viewer/2022052608/577d20401a28ab4e1e925bbb/html5/thumbnails/1.jpg)
8/2/2019 ByDesign_PtDSpecial_Fall2007
http://slidepdf.com/reader/full/bydesignptdspecialfall2007 1/13
regulation or a standard on Preventionthrough Design is remote. It is more
probable that an ANSI standard could bedeveloped and approved, but that could
take several years. For example,ANSI/AIHA Z10-2005, the OccupationalHealth and Safety Management Systems
Standard, was published 6 years after thesecretariat received ANSI approval to
begin work on it.Assume that the NIOSH initiative,
which is a several-year undertaking, issuccessful. Since hazards analyses andrisk assessments are the core of the PtD
concept, the impact on safety practition-ers with respect to their knowledge needs
will be significant. As a primer, this paperis written to address those needs.
Promoting the acquisition of knowl-edge of safety through design/prevention
ByDesi g nAMERICAN SOCIETY OF SAFETY ENGINEERS www.asse.org
A TECHNICAL PUBLICATION OF ASSE’S ENGINEERING PRACTICE SPECIALTY
The Engineering Practice Specialty (EPS)has developed this special issue of
ByDesign to highlight the importance of designing out or minimizing hazards and risksearly in the design and redesign processes toprevent and control occupational injuries, ill-nesses and fatalities. Fred A. Manuele, P.E.,CSP, president of Hazards Limited, hasauthored this issue’s featured article, “Preven-tion through Design: Addressing OccupationalRisks in the Design and Redesign Processes.”EPS believes this article effectively explains thecore of the prevention through design concept,and we hope that such concepts will lead toestablished principles, methodologies and stan-dards for controlling hazards and risks duringthe design and redesign processes.
Bruce L. Rottner Engineering Practice Specialty
Administrator
The National Institute for Safety and
Health (NIOSH) held a workshopin July 2007 to obtain the views of
a variety of stakeholders on a major ini-
tiative to “create a sustainable nationalstrategy for Prevention through Design.”
Some of the participants expressed theview that the long-term impact of the
NIOSH initiative could be “transforma-tive,” meaning that a fundamental shiftcould occur in the practice of safety
resulting in greater emphasis being givento the higher and more effective decision
levels in the hierarchy of controls. Forthis initiative, the NIOSH Mission is:
To reduce the risk of occupational
injury and illness by integrating
decisions affecting safety and health
in all stages of the design process.
To move toward fulfillment of its mis-sion, NIOSH Director Dr. John Howard
has said that:
One important area of emphasis will be
to examine ways to create a demand for
graduates of business, architecture, and
engineering schools to have basic
knowledge in occupational health and
safety principles and concepts.
The Prevention through Design (PtD)
initiative is based on the premise, as stat-
ed in NIOSH literature, that “One of the
best ways to prevent and control occupa-tional injuries, illnesses, and fatalities isto design out or minimize hazards and
risks early in the design process.” A defi-nition of PtD was written that limited the
activity to “early in the design process.”At the July 2007 workshop, a large num-
ber of participants wanted the conceptextended to include the redesign activitiesin which they are participants. A revised
definition was written.
Prevention through Design (PtD):
Addressing occupational safety and
health needs in the design and
redesign processes to prevent or
minimize the work-related hazards
and risks associated with the con-
struction, manufacture, use, mainte-
nance, and disposal of facilities,
materials and equipment.
Enthusiasm for additional knowledge
of prevention through design principlesand practices was significant. Severalattendees said it would be helpful if a reg-
ulation or a standard was in place thatsets forth the principles and the method-
ologies to address hazards and risks in thedesign and redesign processes. The prob-
ability that OSHA could promulgate a
Prevention through Design:
Addressing Occupational Risksin the Design & Redesign ProcessesBy Fred A. Manuele, P.E., CSP
ByDesi g nAMERICAN SOCIETY OF SAFETY ENGINEERS www.asse.org
continued on page 2
![Page 2: ByDesign_PtDSpecial_Fall2007](https://reader033.fdocuments.us/reader033/viewer/2022052608/577d20401a28ab4e1e925bbb/html5/thumbnails/2.jpg)
8/2/2019 ByDesign_PtDSpecial_Fall2007
http://slidepdf.com/reader/full/bydesignptdspecialfall2007 2/13
through design concepts is in concert
with the ASSE position paper on design-ing for safety approved by the Board of
Directors in 1994. The opening paragraphof that paper reads as follows.
Designing for Safety (DFS) is a
principle for design planning for
new facilities, equipment, and oper-ations (public and private) to con-
serve human and natural resources,
and thereby protect people, proper-
ty and the environment.
DFS advocates systematic process
to ensure state-of-the-art engineering
and management principles are used
and incorporated into the design of
facilities and overall operations to
assure safety and health of workers,
as well as protection of the environ-
ment and compliance with current
codes and standards.
1.0 Scope & Purpose1.1 This paper provides guidance on
incorporating decisions pertaining tooccupational risks into design and
redesign processes, including considera-tion of the life cycle of facilities, materi-
als and equipment.1.2 The goals of applying prevention
through design principles are to:1.2.1Achieve safety, defined as that
state for which the risks are at an accept-
able level, and1.2.2 Minimize the occurrence of occu-
pational injuries, illnesses and fatalities.
Since this paper is prompted by a
NIOSH initiative, and since NIOSH
is exclusively an occupational safe-
ty and health entity, the scope of
this paper relates principally to the
elimination, reduction or control of
occupational risks.
But, it would be folly to ignore
the fact that the events or exposures
that have the potential to result inoccupational injuries and illnesses
can also result in damage to prop-
erty and business interruption, and
damage to the environment.
Reference is made in several places
in this paper to those additional
loss potentials.
Thus, the definition of safety
through design, a broader definition
than that for PtD, is included in the
list of definitions.
2.0 Application2.1 While these guidelines apply to all
occupational settings, the focus is on pro-viding assistance to managements, design
engineers, and safety professionals atsmaller locations, say with 500 or feweremployees.
2.2 These guidelines apply to the threemajor elements in the practice of safety:
2.2.1 Pre-operational, in the designprocess – where the opportunities are
greatest and the costs are lower for hazardand risk avoidance, elimination, or control.
2.2.2 In the operational mode – wherehazards are to be eliminated or controlledand risks reduced before their potentials
are realized and hazards-related incidentsor exposures occur.
2.2.3 Post-incident as investigationsare made of hazards-related incidents and
exposures to determine causal factors andrisk reduction measures.
3.0 DefinitionsAcceptable risk: That risk for which
the probability of a hazard-related incidentor exposure occurring and the severity of
harm or damage that may result are as lowas reasonably practicable, and tolerable inthe setting considered. (This definition
incorporates the ALARP concept.)ALARP: That level of risk which can
be further lowered only by an incrementin resource expenditure that cannot be jus-
tified by the resulting decrement of risk.Design: The process of converting an
idea or market need into the detailedinformation from which a product ortechnical system can be produced.
Hazard: Potential for harm. Hazardsinclude all aspects of technology and
activity that produce risk. Hazardsinclude the characteristics of things
(equipment, dusts) and the actions orinactions of people.
Hazard analysis: A process that com-
mences with recognition of a hazard and
proceeds into an estimate of the severityof harm or damage that could result if ahazard’s potential is realized and a haz-
ard-related incident or exposure occurs.Hierarchy of controls: A systematic
way of thinking, considering steps in a
ranked and sequential order, to choose themost effective means of eliminating or
reducing hazards and the risks that derivefrom them.
Life cycle: The phases of the facility,equipment and material, including: design
OFFICERSADMINISTRATOR
Bruce L. Rottner201.287.1766
ASSISTANT ADMINISTRATOR
J. Nigel Ellis302.571.8470
NEWSLETTER EDITOR
J. Nigel [email protected]
COMMITTEESA WARDS & HONORS
Open
BODY OF KNOWLEDGE
Dennis [email protected]
CONFERENCES & SEMINARS
Open
MEMBERSHIP DEVELOPMENT
Gina Mayer-Costa [email protected]
NOMINATIONS
John W. [email protected]
WEBSITE DEVELOPMENT
Magdy [email protected]
STAFF LIAISON
Rennie Heath
847.768.3436
NEWSLETTER DESIGN &PRODUCTION
Susan Carlson
ASSE headquarters staff [email protected]
ByDesign is a publication of ASSE’s Engineering
Practice Specialty, 1800 E. Oakton St., Des Plaines,
IL 60018, and is distributed free of charge to mem-
bers of the Engineering Practice Specialty. The opin-
ions expressed in articles herein are those of the
author(s) and are not necessarily those of ASSE.
Technical accuracy is the responsibility of the
author(s). Please send address changes to the
address above; fax to (847) 768-3434; or send via
e-mail to [email protected].
ByDesi g n
Engineering Practice Specialty
2
Special Issue
Prevention through Design
continued from page 1
![Page 3: ByDesign_PtDSpecial_Fall2007](https://reader033.fdocuments.us/reader033/viewer/2022052608/577d20401a28ab4e1e925bbb/html5/thumbnails/3.jpg)
8/2/2019 ByDesign_PtDSpecial_Fall2007
http://slidepdf.com/reader/full/bydesignptdspecialfall2007 3/13
and construction, operation, maintenance,
and disposal.Prevention through Design:Address-
ing occupational safety and health needs in
the design and redesign processes to pre-
vent or minimize the work-related hazardsand risks associated with the construction,
manufacture, use, maintenance, and dispos-
al of facilities, materials and equipment.
Probability:The likelihood of an inci-dent or exposure occurring that could
result in harm or damage—for a selectedunit of time, events, population, items oractivity considered.
Residual risk: The risk remaining afterpreventive measures have been taken. Nomatter how effective the preventive actions,there will always be residual risk if a facili-ty or operation continues to exist.
Risk: An estimate of the probability of a hazards-related incident or exposureoccurring and the severity of harm or
damage that could result.Risk assessment: A process that com-mences with hazard identification andanalysis, through which the probable sever-ity of harm or damage is established, andconcludes with an estimate of the probabil-ity of the incident or exposure occurring.
Safety: That state for which the risksare at an acceptable level, and tolerable inthe setting being considered.
Safety through Design: The integra-tion of hazard analysis and risk assess-ment methods early in the design and
redesign processes and taking the actionsnecessary so that the risks of injury ordamage are at an acceptable level. Thisconcept encompasses facilities, hardware,equipment, tooling, materials, layout andconfiguration, energy controls, environ-mental concerns, and products.
Severity: The extent of harm or dam-age that could result from a hazard-relat-ed incident or exposure.
4.0 Responsibility4.1 Location management shall provide
the leadership to institute and maintain apolicy and procedures within the designand redesign processes through which:
4.1.1 Hazards are identified and ana-lyzed.
4.1.2 Risks deriving from identified
hazards are assessed and prioritized.
4.1.3 Risks are reduced to an acceptable
level through the application of the hierar-chy of controls described in Section 13.
4.2 These methods are to be appliedwhen:
4.2.1 New facilities, equipment, and
processes are acquired.
4.2.2Alterations are made in existing
facilities, equipment, and processes.
4.2.3 Incident investigations are made.
4.3All who have design responsibilities,the operations personnel who will be affect-
ed, and safety practitioners are to be involv-ed as participants in the decision making.
4.4 In carrying out these responsibili-ties, management may:
4.4.1 Designate qualified in-house per-
sonnel to identify and analyze hazardsand assess the risks deriving from them
for operations in place. 4.4.2 Engage independent contractors
with capabilities in hazard identificationand analysis and risk assessments as con-sultants to assist with respect to opera-
tions in place and in the acquisition of new facilities, equipment or materials.
4.4.3 Enter into arrangements withsuppliers of newly acquired facilities,
equipment or materials to fulfill theseresponsibilities, as in 5.0.
5.0 Relationships with Suppliers5.1 A large majority of employers will
not have design or technical staffs indepth to fulfill the requirements of 4.0.Thus, to avoid bringing hazards and risksinto the workplace when new facilities,equipment and processes are consideredand to assure that hazards and risks areproperly considered when alterations are
made in existing operations by contrac-tors, location management should:
5.1.1 Establish its design specificationsand objectives.
5.1.2 Have an in-depth dialogue withsuppliers and contractors on the expecteduse of the facilities, equipment andprocesses.
5.1.3 Include specifications in purchas-ing agreements and contracts for servicesto minimize bringing hazards and theirrelated risks into the workplace.
5.1.4 Ask suppliers of services to attest
that processes have been applied to iden-tify and analyze hazards and to reduce therisks deriving from those hazards to anacceptable level.
There is a precedent for such an
arrangement. Manufacturers of
equipment to go into a workplace in
the European Community are
required by International Organiza-
tion for Standardization (ISO) stan-
dards to certify that they have met
applicable standards, among which
is ISO 12100-1, Safety of Machinery:
Basic concepts, general principles
for design; Part 1, Basic terminolo-
gy, methodology. That standard
requires that risk assessments be
made as outlined in ISO 14121,
Safety of Machinery: Principles for
risk assessments.
5.1.5Arrange for persons on the orga-nization’s staff (design engineers, safetypractitioners, and maintenance personnel)
to visit the supplier of equipment that thestaff may consider hazardous or for
which design specifications have beenprovided the supplier before the equip-ment is shipped to assure that safety
needs have been met.
5.1.6 See that a test run of the equip-
ment is made during that visit.
5.1.7 Have an additional validation test
run made after the equipment has been
installed during which safety personnel orothers sign off that safety needs have
been met.
6.0 Making Hazards Analyses& Risk Assessments
6.1 For many hazards and the risks
that derive from them, knowledge gainedby management personnel, design engi-
neers and safety practitioners througheducation and experience will lead toproper conclusions on how to attain an
acceptable risk level without bringingteams of people together for discussion.
6.2 For more complex risk situations, itis vital to seek the counsel of experienced
personnel at all levels who are close to thework or process. Reaching group consen-
sus is a highly desirable goal. Sometimes,for what a safety professional considersobvious, achieving consensus is still desir-
able so that buy-in is obtained for theactions to be taken.
6.3 The goal of the risk assessmentprocess is to achieve acceptable risk levels.
The process is not complete until accept-able risk levels are achieved.
6.4 A general guide follows in 7.0 onhow to make a hazard analysis and how to
extend the process into a risk assessment.
6.5Whatever the simplicity or complexi-
ty of the hazard/risk situation, and whatev-
er analysis method is used (there are
many), the thought and action process in
7.0 applies.
By Design
3
continued on page 4
![Page 4: ByDesign_PtDSpecial_Fall2007](https://reader033.fdocuments.us/reader033/viewer/2022052608/577d20401a28ab4e1e925bbb/html5/thumbnails/4.jpg)
8/2/2019 ByDesign_PtDSpecial_Fall2007
http://slidepdf.com/reader/full/bydesignptdspecialfall2007 4/13
7.0 The Hazard Analysis& Risk Assessment Process
Although the focus in this paper is on
eliminating, reducing, and control-
ling occupational risks, the process
outlined here is equally applicable in
avoiding injury to the public, damage
to property and business interruption,damage to the environment, and
product liability incidents.
7.1 Establish the analysis parameters.
Select a manageable task, system, process
or product to be analyzed, and establish its
boundaries and operating phase (e.g., stan-
dard operation, maintenance, startup).
7.1.1 Define its interface with othertasks or systems, if appropriate.
7.1.2 Determine the scope of the
analysis in terms of what can be harmedor damaged—people (employees, the
public); property; equipment; productivi-ty; the environment.
7.2 Identify the hazard.A frame of thinking should be adopted that gets to
the bases of causal factors, which are haz-ards. These questions should be asked:
7.2.1What are the aspects of technolo-gy or activity that produce risk?
7.2.2What are the characteristics of
things (equipment, dusts) or the actions orinactions of people that present a poten-
tial for harm?
7.2.3 Depending on the complexity of the hazardous situation, some or all of thefollowing may apply.
a) Use intuitive engineering and opera-tional sense.
b) Examine system specifications and
expectations.c) Review codes, regulations, and con-
sensus standards.d) Interview current or intended sys-
tem users or operators.
e) Consult checklists.f) Review studies from similar systems.
g) Consider the potential for unwantedenergy releases.
h) Take into account possible expo-sures to hazardous environments.
i) Review historical data – industryexperience, incident investigation reports,OSHA and National Safety Council data,
manufacturer’s literature. j) Brainstorm.
7.3 Consider the failure modes. De-fine the possible failure modes that would
result in realization of the potentials of the
hazards. Both the intentional and foresee-able misuse of facilities, equipment, and
materials should be considered. Ask:7.3.1What circumstances can arise
that would result in the occurrence of anundesirable event?
7.3.2 What controls are in place that
mitigate against the occurrence of such an
event or exposure?7.3.3 How effective are the controls?7.3.4 Can controls be maintained easily?
7.3.5 Can controls be defeated easily?
7.4 Determine the frequency and
duration of exposure. For each harm ordamage category selected for the scope of the analysis (people, property, business
interruption etc.), estimate the frequencyand duration of the exposure to the haz-
ard. This is a very important part of thisexercise. For instance, in a workplace sit-
uation, more judgments than one might
realize will be made in this process. Ask:7.4.1 How often is a task performed?
7.4.2 How long is the exposure period?
7.4.3 How many people are exposed?
7.4.4What property or aspects of theenvironment are exposed?
7.5 Assess the severity of conse-
quences. On a subjective basis, the goal
is to decide on the worst credible conse-quences should an incident occur, not theworst conceivable consequence. (In
Section 11.0, see Tables 7 and 8 for
examples of severity categories.)Historical data can be of great value as abaseline. Informed speculations are made
to establish the consequences of an inci-dent or exposure. Consider the:
7.5.1 Number of injuries or illnesses
and their severity and fatalities.
7.5.2Value of property or equipment
damaged.
7.5.3 Time for which the business will
be interrupted and productivity will be lost.7.5.4 Extent of environmental damage.
When the severity of the outcome of
a hazards-related incident or expo-sure is determined, a hazard analy-
sis has been completed .
7.6 Determine occurrence probabili-
ty. Extending the hazard analysis into arisk assessment requires the one additional
step of estimating the likelihood or proba-bility of a hazardous event or exposureoccurring. (In Section 11.0, see Tables 5
and 6 for possible probability categories.)
7.6.1 Unless empirical data are avail-
able (and that would be a rarity), the
process for selecting the probability thatan incident or exposure will occur is
subjective.
7.6.2 For the more complex hazardous
situation, brainstorming with knowledge-able people is necessary.
7.6.3 To be meaningful, probability
must be related to an interval base of
some sort, such as a unit of time or activi-ty, events, units produced, or the lifecycle of a facility, equipment, process, or
a product.
7.7 Define the risk. Conclude with astatement that includes the:
7.7.1 Probability of a hazards-relatedincident or exposure occurring.
7.7.2 Expected severity of adverseresults.
7.7.3 Risk category. (For example,high, serious, moderate or low.)
7.7.4A risk assessment matrix should
be used to identify risk categories. Amatrix assists in communicating with the
decision makers on the risk levels. (SeeSection 9.0 for examples of risk assess-
ment matrices.)
7.8 Rank risks in priority order. A
risk ranking system should be adopted sothat priorities can be established.
7.8.1 Since the risk assessment exer-cise is subjective, the risk ranking systemwould also be subjective.
7.8.2 Prioritizing risks gives manage-
ment the knowledge needed on the poten-tials risks produce for harm or damage sothat intelligent resource allocations can be
made for their elimination or reduction.
7.9 Develop remediation proposals.
When the results of the risk assessmentindicate that risk elimination, reduction,
or control measures are to be taken toachieve acceptable risk levels:
7.9.1Alternate proposals for the
design and operational changes necessaryto achieve an acceptable risk level would
be recommended.7.9.2 The actions as shown in the hierar-
chy of controls (Section 13.0) would be the
base upon which remedial proposals are
made, in the order of their effectiveness.
7.9.3 Remediation cost for each pro-posal would be determined and an esti-
mate would be given of its effectivenessin achieving risk reduction.
7.9.4 Risk elimination or reduction
methods would be selected and imple-mented to achieve an acceptable risk level
continued from page 3
4
Special Issue
Prevention through Design
![Page 5: ByDesign_PtDSpecial_Fall2007](https://reader033.fdocuments.us/reader033/viewer/2022052608/577d20401a28ab4e1e925bbb/html5/thumbnails/5.jpg)
8/2/2019 ByDesign_PtDSpecial_Fall2007
http://slidepdf.com/reader/full/bydesignptdspecialfall2007 5/13
7.10 Follow up on actions taken.
Although a hazard analysis and a risk assessment results from applying the
steps in the preceding outline, good man-agement requires that the effectiveness of
the actions taken be determined. Follow-up activity would determine that the:
7.10.1 The hazard/risk problem was
resolved, only partially resolved, or not
resolved.7.10.2 Actions taken did or did notcreate new hazards.
7.10.3 If an acceptablerisk level is not achieved,or if new hazards are
introduced, the risk is tobe re-evaluated and other
countermeasures are tobe proposed.
7.11 Document the
results. Documentation,
whether compiled under
the direction of locationmanagement or by the
provider of equipment or services, shouldinclude comments on the:
7.11.1 Risk assessment method(s) used.
7.11.2 Hazards identified.
7.11.3 Risks deriving from the hazards.7.11.4 Reduction measures taken to
attain acceptable risk levels.
8.0 Residual Risk8.1 Residual risk is the risk remaining
after preventive measures have beentaken. No matter how effective the pre-ventive actions, there will always be
residual risk if an activity continues.Attaining zero risk is not possible.
8.2 If the residual risk is not accept-
able, the action outline set forth in theforegoing hazard analysis and risk assess-
ment process (7.0) would be appliedagain. (Addendum A is an outline of one
company’s risk assessment process.)
9.0 Risk Assessment Matrices9.1 A risk assessment matrix provides
a method to categorize combinations of probability of occurrence and severity of
harm, thus establishing risk levels. Amatrix helps in communicating with deci-sion makers on risk reduction actions to
be taken. Also, risk assessment matricescan be used to compare and prioritize
risks, and to effectively allocate mitiga-
tion resources. Safety practitioners mustunderstand that definitions of the terms
used for incident probability and severityand for risk levels vary greatly in the
many risk assessment matrices in use.
9.2 Thus, safety practitioners should
create and obtain broad approval for a risk
assessment matrix that is suitable to the
hazards and risks with which they deal.
9.3 Three examples of risk assessment
matrices are provided here to serve as ref-erences.
9.3.1 Table 1 is an adaptation from a
matrix in MIL-STD-882 D, the Depart-ment of Defense Standard Practice forSystem Safety. (MIL-STD-882, first
issued in 1969, is the grandfather of risk assessment matrices.) 9.3.2 This second exhibit of a risk
assessment matrix (Table 2) is a composite
of matrices that include numerical values
for probability and severity levels that are
transposed into risk scorings. It is presented
here for people who prefer to deal with
numbers rather than qualitative indicators.
(A word of caution: The numbers are
arrived at judgmentally and are qualitative.)
9.3.3 Table 3 is taken from the Risk Estimation Matrix that appears in ANSI
B11.TR3-2000, the ANSI TechnicalReport titled Risk Assessment and Risk Reduction: A Guide to Estimate, Evaluate
and Reduce Risks Associated with
By Design
5
continued on page 6
TABLE 1 Risk Assessment Matrix
Occurrence Severity of Consequence
Probability Catastrophic Critical Marginal Negligible
Frequent High High Serious Medium
Probable High High Serious Medium
Occasional High Serious Medium Low
Remote Serious Medium Medium Low
Improbable Medium Medium Medium Low
TABLE 2 Risk Assessment Matrix: Numerical Gradings
Severity Levels Occurrence Probabilities & Values
& Values Frequent (5) Likely (4) Occasional (3) Seldom (2) Unlikely (1)
Catastrophic(5) 25 20 15 10 5
Critical (4) 20 16 12 8 4
Marginal (3) 15 12 9 6 3
Negligible (2) 10 8 6 4 2
Insignificant (1) 5 4 3 2 1
Very high risk: 15 or greater High risk: 9 to 14 Moderate risk: 4 to 8 Low risk: Under 4
TABLE 3 Risk Assessment Matrix: ANSI B11.TR3-2000
Occurrence Severity of Harm
Probability Catastrophic Serious Moderate Minor
Very likely High High High Medium
Likely High High Medium Low
Unlikely Medium Medium Low Negligible
Remote Low Low Negligible Negligible
TABLE 4 Management Decision Levels
Risk Category Remedial Action or Acceptance
High Operation not permissible.
Serious Remedial action to have high priority.
Medium Remedial action to be taken in appropriate time.
Low Risk is acceptable; remedial action discretionary.
![Page 6: ByDesign_PtDSpecial_Fall2007](https://reader033.fdocuments.us/reader033/viewer/2022052608/577d20401a28ab4e1e925bbb/html5/thumbnails/6.jpg)
8/2/2019 ByDesign_PtDSpecial_Fall2007
http://slidepdf.com/reader/full/bydesignptdspecialfall2007 6/136
Special Issue
Prevention through Design
Machine Tools. It is the basis on whichthe risk assessments shown in Addendum
B were made.
10.0 Management Decision Levels10.1 Remedial action or acceptance lev-
els must be attached to the risk categoriesto permit intelligent management decision-making. Table 4 provides a basis forreview and discussion. Other safety practi-
tioners who craft risk assessment matricesmay have differing ideas about acceptable
risk levels and the management actions tobe taken in a given risk situation.
11.0 Descriptions of the Terms:Probability & Severity
11.1 There is no one right method in
selecting probability (likelihood) andseverity categories and their descriptions,and many variations are in use. Examplesin Tables 5 through 8 show variations in
the terms and their descriptions as used inapplied risk assessment processes for
probability of occurrence and severity of consequence.
12.0. Descriptions of Hazards Analyses& Risk Assessment Techniques
12.1 Over the past 40 years, many
hazard analysis and risk assessment tech-niques have been developed. For exam-ple, Pat Clemens gave brief descriptions
of 25 techniques in “A Compendium of
Hazard Identification & Evaluation
Techniques for System SafetyApplications.” In the System Safety
Analysis Handbook, 101 methods aredescribed. Brief descriptions are given
here of purposely selected hazard analysistechniques.
If a safety practitioner understands all
of them and is capable of bringing them
to bear in resolving hazards and risk situ-ations, he or she will be exceptionallywell qualified to give counsel on risk
assessments. As a practical matter, havingknowledge of three risk assessment con-cepts will be sufficient to address most
risk situations. They are initial hazardanalysis and risk assessment; the what-
if/checklist analysis methods; and failuremode and effects analysis (FMEA).
12.2 It is important to understand that
each of those techniques complements,rather than supplants, the others.
Selecting the technique or a combinationof techniques to be used to analyze a haz-
ardous situation requires good judgmentbased on knowledge and experience.
12.3 Qualitative rather than quantita-tive judgments will prevail. For all but the
complex risks, qualitative judgments willbe sufficient.
12.4 Sound quantitative data on inci-
dent and exposure probabilities is seldomavailable. Many quantitative risk assess-
ments are really qualitative risk assess-
ments because so many judgments mustbe made in the process to decide on the
probability levels selected.
12.5
Preliminary
Hazard
Analysis
(PHA): Initial
Hazard
Analysis and
Risk Assess-
ment
12.5.1 Theorigin of thePHA tech-
nique is in sys-tem safety. Itwas to identify
and evaluatehazards in the
very earlystages of the
designprocess.
However, in actual practice the techniquehas attained much broader use. The prin-ciples on which preliminary hazards
analyses are based are used not only inthe initial design process, but also in
assessing the risks of existing products oroperations. Thus, the technique needs a
new name: Initial Hazard Analysis andRisk Assessment. (Take note to avoid
confusion, for OSHA’s Rule For ProcessSafety Management Of HighlyHazardous Chemicals and for EPA’s Risk
Management Program for ChemicalAccidental Release Prevention, PHA
stands for process hazard analysis.)12.5.2 Headings on initial hazard
analysis forms will include the typicalidentification data: date, names of evalua-tors, department and location. The follow
ing information is usually included in aninitial hazard analysis process.
a) Hazard description, sometimes
called a hazard scenario.b) Description of the task, operation,
system, subsystem or product analyzed.c) Exposures to be analyzed: people
(employees, the public); facility, productor equipment loss; operation down time;
environmental damage.d) Probability interval to be consid-
ered: unit of time or activity; events; unitsproduced; life cycle.
e) Risk assessment code, using the
agreed upon risk assessment matrix.f) Remedial action to be taken, if risk
reduction is needed.12.5.3 A communication accompanies
the analysis, indicating the assumptionsmade and the rationale for them.
Comment would be made on the assign-ment of responsibilities for the remedialactions to be taken and expected comple-
tion dates. An initial hazard analysis andrisk assessment worksheet appears as
Addendum B in this paper, courtesy of Design Safety Engineering Inc.
12.6 What-if analysis
12.6.1For a what-if analysis, a groupof people (as little as two, but often sever-
al more) use a brainstorming approach toidentify hazards, hazard scenarios, failure
modes, how incidents can occur and theirprobable consequences.
12.6.2 Questions posed during thebrainstorming session may commence
with what-if, as in “What if the air condi-tioning fails in the computer room?” ormay express general concerns, as in “I
worry about the possibility of spillage
continued from page 5
TABLE 5 Probability Descriptions: Example ADescriptive Word Probability Descriptions
Frequent Likely to occur repeatedly
Probable Likely to occur several times
Occasional Likely to occur sometime
Remote Not likely to occur
Improbable So unlikely, can assume occurrence
will not be experienced
TABLE 6 Probability Descriptions: Example BDescriptive Word Probability Descriptions
Frequent Could occur annually
Likely Could occur once in 2 years
Possible Not more than once in 5 years
Rare Not more than once in 10 years
Unlikely Not more than once in 20 years
![Page 7: ByDesign_PtDSpecial_Fall2007](https://reader033.fdocuments.us/reader033/viewer/2022052608/577d20401a28ab4e1e925bbb/html5/thumbnails/7.jpg)
8/2/2019 ByDesign_PtDSpecial_Fall2007
http://slidepdf.com/reader/full/bydesignptdspecialfall2007 7/13
and chemical contamination during truck offloading.”
12.6.3All of the questions are recorded,
and assigned for investigation. Each sub- ject of concern is then addressed by one ormore team members. They would considerthe potential of the hazardous situation and
the adequacy or inadequacy of risk con-trols in effect, suggesting additional risk
reduction measures if appropriate.
12.7 Checklist analysis
12.7.1 Checklists are primarily adapta-tions from published standards, codes,and industry practices. There are many
such checklists. They consist of questions
pertaining to the applicable standards andpractices, usually with a yes or no or notapplicable response. Their purpose is to
identify deviations from the expected, andthereby possible hazards. A checklist
analysis requires a walk-through of thearea to be surveyed. Checklists are easyto use and provide a cost-effective way to
identify customarily recognized hazards.
12.7.2 Nevertheless, the quality of
checklists depends on the experience of the people who develop them. Further,
they must be crafted to suit particularfacility/operations needs. If a checklist is
incomplete, the analysis may not identify
some hazardous situations.
12.8 What-if/checklist analysis
12.8.1 A what-if/checklist hazardanalysis technique combines the creative,
brainstorming aspects of the What-If method with the systematic approach of aChecklist. Combining the techniques can
compensate for the weaknesses of each.
12.8.2 The what-if part of the process,
using a brainstorming method, can helpthe team identify hazards that have the
potential to be the causal factors for inci-
dents, even though no such incidents haveyet occurred. The checklist provides asystematic approach for review that canserve as an idea generator during the
brainstorming process. Usually, a teamexperienced in the design, operation, and
maintenance of the operation performsthe analysis.
12.9 Hazard and operability analysis
12.9.1 The hazard and operabilityanalysis (HAZOP) technique was devel-
oped to identify both hazards and oper-
ability problems in chemical processplants. It has subsequently been appliedto a wide range of industry processes and
equipment. An interdisciplinary team andan experienced team leader are required.
12.9.2 In a HAZOP application, aprocess or operation is systematically
reviewed to identify deviations fromdesired practices that could lead to
adverse consequences. HAZOPs can beused at any stage in the life of a process.
12.9.3 HAZOPs usually require pre-
work in gathering materials and a seriesof meetings in which the team, using
process drawings, systematically evalu-ates the impact of deviations from thedesired practices. The team leader uses a
set of guide words to develop discussions
12.9.4 As the team reviews each step
in a process, recordings are made of:a) deviations;
b) their causal factors;
c) consequences should an incidentoccur;
d) safeguards in place;e) required actions, or the need for more
information to evaluate the deviation.
12.10 Failure modes & effects analysis
12.10.1 In several industries, failuremodes and effects analyses (FMEA) havebeen the techniques of choice by design
engineers for reliability and safety con-siderations. They are used to evaluate the
ways in which equipment fails and theresponse of the system to those failures.
12.10.2 Although FMEA is typicallymade early in the design process, thetechnique can also serve well as an analy-
sis tool throughout the life of equipmentor a process.
12.10.3 An FMEA produces qualitative,systematic lists that include the failure
modes, the effects of each failure, safe-guards that exist, and additional actions
that may be necessary. For example, for apump, the failure modes would includefails to stop when required; stops when
required to run; seal leaks or ruptures; andpump case leaks or ruptures.
12.10.4 Both the immediate effectsand the impact on other equipment wouldbe recorded. Generally, when analyzing
impacts, the probable worst case isassumed and analysts would conclude
that existing safeguards do or do notwork. Although an FMEA can be made
by one person, it is typical for a team tobe appointed when there is complexity.
By Design
7
continued on page 8
TABLE 7 Severity Descriptions for Multiple Harm& Damage Categories: Example A
Catastrophic Death or permanent total disability, system loss, major
property damage and business down time
Critical Permanent, partial or temporary disability in excess of
3 months, major system damage, significant property dam-
age and downtime
Marginal Minor injury, lost workday accident, minor system damage,minor property damage and little downtime
Negligible First-aid or minor medical treatment, minor system
impairment
TABLE 8 Severity Descriptions for Multiple Harm& Damage Categories: Example B
Catastrophic One or more fatalities, total system loss, chemical release
with lasting environmental or public health impact
Critical Disabling injury or illness, major property damage and
business down time, chemical release with temporary envi-ronmental or public health impact
Marginal Medical treatment or restricted work, minor subsystem loss
or damage, chemical release triggering external reporting
requirements
Negligible First aid only, non-serious equipment or facility damage, chemi-
cal release requiring only routine cleanup without reporting
![Page 8: ByDesign_PtDSpecial_Fall2007](https://reader033.fdocuments.us/reader033/viewer/2022052608/577d20401a28ab4e1e925bbb/html5/thumbnails/8.jpg)
8/2/2019 ByDesign_PtDSpecial_Fall2007
http://slidepdf.com/reader/full/bydesignptdspecialfall2007 8/138
Special Issue
Prevention through Design
12.10.5 In either case, the traditionalprocess is similar, as in the following.
a) Identify the item or function to beanalyzed
b) Define the failure modesc) Record the failure causes
d) Determine the failure effectse) Enter a severity code and a proba-
bility code for each effect
f) Enter a risk codeg) Record the actions required to
reduce the risk to an acceptable level
12.10.6 The FMEA process described
here requires entry of probability, severi-ty, and risk codes. A FMEA form onwhich those codes would be entered is
provided here as Addendum C.(Good ref-erences explaining risk coding for FMEA
purposes are the reference manual titled
Potential Failure Mode and Effects Analysis issued by the AutomotiveIndustry Action Group; and the semicon-ductor industry publication Failure Mode
and Effects Analysis (FMEA): A Guide
for Continuous Improvement for the
Semiconductor Equipment Industry.)
12.11 Fault tree analysis
12.11.1 A fault tree analysis (FTA) is a
top-down, deductive logic model that traces
the failure pathways for a predetermined,
undesirable condition or event, called the
TOP event. An FTA can be carried out
either quantitatively or subjectively.
12.11.2 It is emphasized that a subjec-tive (or qualitative) analysis can produce
suitable results, especially when quantita-tive numbers are not available. The FTA
generates a fault tree (a symbolic logicmodel) entering failure probabilities forthe combinations of equipment failures
and human errors that can result in theaccident. Each immediate causal factor is
examined to determine its subordinatecausal factors until the root causal factors
are identified.12.11.3The strength of an FTA is its
ability to identify combinations of basic
equipment and human failures that canlead to an accident, allowing the analyst
to focus preventive measures on signifi-cant basic causes.
12.11.4An FTA has particular valuewhen analyzing highly redundant systemsand high-energy systems in which high-
severity events can occur. For systemsvulnerable to single failures that can lead
to accidents, the FMEA and HAZOP
techniques are better suited.
12.11.5 FTA is often used when anoth-
er technique has identified a hazardoussituation that requires more detailed
analysis. Making a fault tree analysis of other than the simplest systems requiresthe talent of experienced analysts.
12.12 Management oversight and
risk tree12.12.1All of the hazard analysis and
risk assessment techniques previously
discussed relate principally to the initialdesign process in the pre-operationalmode, or to the redesign process to
achieve risk reduction in the operationalmode. Management Oversight and Risk
Tree (MORT) is relative to the post-inci-dent element of the practice of safety.
12.12.2 MORT was developed princi-pally for incident investigations. In theAbstract for the Guide To Use Of The
Management Oversight And Risk Tree,this is how MORT is described:
MORT is a comprehensive analyticalprocedure that provides a disciplined
method for determining the systemiccauses and contributing factors of acci-dents. MORT directs the user to the haz-
ards and risks deriving from both system
design and procedural shortcomings
(emphasis added).
12.2.3 MORT provides an excellent
resource for the post-incident element of
the practice of safety during which thehazard identification and analysis and risk assessment methods described here canbe used.
13.0 Hierarchy of Controls13.1 A hierarchy is a system of per-
sons or things ranked one above the other.A hierarchy of controls provides a sys-
tematic way of thinking, consideringsteps in a ranked and sequential order, tochoose the most effective means of elimi-
nating or reducing hazards and the risks
that derive from them. Acknowledgingthat premise—that risk reduction meas-ures should be considered and taken in a
prescribed order—represents an impor-tant step in the evolution of the practice
of safety.
13.2 A major premise to be considered
in applying a hierarchy of controls is thatthe outcome of the actions taken is to be
an acceptable risk level.
13.3 Acceptable risk, as previously
defined, is that risk for which the proba-
bility of a hazard-related incident orexposure occurring and the severity of
harm or damage that could result are aslow as reasonably practicable, and tolera-
ble in the situation being considered.
13.4 That definition requires taking
into consideration:a) avoiding, eliminating or reducing
the probability of a hazard-related inci-dent or exposure occurring;
b) reducing the severity of harm or
damage that may result, if an incident orexposure occurs;
c) the feasibility and effectiveness of the risk reduction measures to be taken,and their costs, in relation to the amount
of risk reduction to be achieved.
13.5 Decision makers should under-
stand that, with respect to the six levels ofaction shown in the hierarchy of controls
in 13.6 that:13.5.1 The ameliorating actions de-
scribed in the first, second, and third actionlevels are more effective because they:
a) are preventive actions that eliminate
or reduce risk by design, substitution, andengineering measures;
b) rely the least on the performance of personnel;
c) are less defeatable by supervisors orworkers.
13.5.2 Actions described in the fourth,
fifth and sixth levels are contingent
actions and rely greatly on the perform-ance of personnel for their effectiveness.
13.6 The following hierarchy of con-
trols is considered state-of-the-art. It iscompatible with the hierarchy of controls
in ANSI/AIHA Z10-2005.a) Eliminate or reduce risks in the
design and redesign processes.
b) Reduce risks by substituting lesshazardous methods or materials.
c) Incorporate safety devices.d) Provide warning systems.
e) Apply administrative controls (work
methods, training, work scheduling, etc.).f) Provide PPE.
14.0. The Logic of Taking Actionin the Order Given
Comments follow on each of the
action elements listed in the preced-
ing hierarchy of controls, including
the rationale for listing actions to
be taken in the order given. Taking
actions in the prescribed order, as
continued from page 7
![Page 9: ByDesign_PtDSpecial_Fall2007](https://reader033.fdocuments.us/reader033/viewer/2022052608/577d20401a28ab4e1e925bbb/html5/thumbnails/9.jpg)
8/2/2019 ByDesign_PtDSpecial_Fall2007
http://slidepdf.com/reader/full/bydesignptdspecialfall2007 9/13
feasible and practicable, is the most
effective means to achieve risk
reduction.
14.1 Eliminate or reduce risks in the
design and redesign processes
14.1.2 The theory is plainly stated. If
hazards are eliminated in the design and
redesign processes, risks that derive from
those hazards are also eliminated. But, elim-
ination of hazards completely by modifyingthe design may not always be practicable.
Then, the goal is to modify the design, with-
in practicable limits, so that the:
a) probability of personnel makinghuman errors because of design inade-
quacies is at a minimum;b) ability of personnel to defeat the
work system and the work methods pre-
scribed, as designed, is at a minimumExamples are designing to eliminate
or reduce the risk from fall hazards;ergonomic hazards; confined space entry
hazards; electrical hazards; noise hazards;and chemical hazards.
14.2 Substitution of less hazardous
methods or materials
14.2.1 Substitution of a less hazardous
method or material may or may not resultin equivalent risk reduction in relation to
what might be the case if the hazards andrisks were reduced to a practical mini-
mum through system design or redesign.Consider this example.
Considerable manual material handling
is necessary in a mixing process for chemi-cals. A reaction takes place and an employ-
ee sustains serious chemical burns. Thereare identical operations at two of the com-
pany’s locations. At one, the operation isre-designed so that it is completely
enclosed, automatically fed, and operatedby computer from a control panel, thusgreatly eliminating operator exposure.
At the other location, funds for doingthe same were not available. To reduce the
risk, it was arranged for the supplier to pre-mix the chemicals before shipment (substi-
tution). Some mechanical feed equipmentfor the chemicals was also installed. The
risk reduction achieved by substitution wasnot equivalent to that attained by re-design-ing the operation. Additional administrative
controls had to be applied.Methods that illustrate substituting less
hazardous methods, materials, or process-es for that which is more hazardousinclude using automated material han-
dling equipment rather than manual mate-rial handling; providing an automatic feed
system to reduce machine hazards; using
a less hazardous cleaning material; reducespeed, force, amperage; reduce pressure,
temperature; replace an ancient steamheating system and its boiler explosion
hazards with a hot air system.
14.3 Incorporate safety devices
14.3.1 When safety devices are incor-porated in the system in the form of engi-
neering controls, substantial risk reduction can be achieved.
14.3.2 Engineered safety devices are to
prevent access to the hazard by workers.They are to separate hazardous energy
from the worker and deter worker error.Examples are machine guards; inter-
lock systems; circuit breakers; start-up
alarms; presence-sensing devices; safetynets; ventilation systems; sound enclo-
sures; fall prevention systems; and lifttables, conveyors and balancers.
14.4 Warning systems
14.4.1Warning system effectiveness
relies considerably on administrative con-
trols, such as training, drills, and the quality
of maintenance, and the reactions of people.
14.4.2 Although vital in many situa-
tions, warning systems may be reac-tionary in that they alert persons onlyafter a hazard's potential is in the process
of being realized (e.g., a smoke alarm).Examples are smoke detectors; alarm
systems; backup alarms; chemical detec-tion systems; signs; and alerts in operat-
ing procedures or manuals.14.5 Administrative controls
14.5.1Administrative controls rely on
the methods chosen as appropriate in rela-tion to the needs, the capabilities of peo-
ple responsible for their delivery andapplication, the quality of supervision, and
the expected performance of the workers.Some administrative controls are per-
sonnel selection; developing and applying
appropriate work methods and proce-dures; training; supervision; motivation,
behavior modification; work scheduling; job rotation; scheduled rest periods;
maintenance; management of change;investigations; and inspections.
14.5.3Achieving a superior level of
effectiveness in all of these administrativemethods is difficult and not often attained.
14.6 Provide PPE
14.6.1 The proper use of personal pro-tective equipment relies on an extensive
series of supervisory and personnel actions,such as the identification of the type of
equipment needed, its selection, fitting,training, inspection, maintenance, etc.
Examples include safety glasses; face
shields; respirators; welding screens; safe-ty shoes; gloves; and hearing protection.
14.6.2Although the use of personalprotective equipment is common and isnecessary in many occupational situations
it is the least effective method to deal with
hazards and risks. Systems put in placefor their use can easily be defeated.14.6.3 In the design processes, one of
the goals should be to reduce reliance on
personal protective equipment to a practical
minimum, applying the ALARP concept.
14.7 For many risk situations, a combi-nation of the risk management methods
shown in the hierarchy of controls is neces-sary to achieve acceptable risk levels. Butthe expectation is that consideration will be
given to each step in a descending orderand that reasonable attempts will be made
to eliminate or reduce hazards and theirassociated risks through steps higher in the
hierarchy before lower steps are consid-ered. A lower step is not to be chosen untilpractical applications of the preceding level
or levels are exhausted.
14.8 A yet unpublished document,MIL-STD-882E, includes provisions that
further explain the thought process thatshould govern when the hierarchy of con-
trols is applied. Excerpts follow from the“System safety mitigation order of prece-
dence” in 882E.14.8.1 In reducing risk, the cost, feasi-
bility and effectiveness of candidate miti-gation methods should be considered. Inevaluating mitigation effectiveness, an
order of precedence generally applies asfollows.
a) Eliminate hazard through design
selection. Ideally, the risk of a hazardshould be eliminated. This is often done
by selecting a design alternative thatremoves the hazard altogether.
b) Reduce mishap risk through design
alteration. If the risk of a hazard cannot beeliminated by adopting an alternativedesign, design changes should be consid-
ered that reduce the severity and/or theprobability of a harmful outcome.
c) Incorporate engineered safety fea-
tures (ESF). If unable to eliminate or ade-quately mitigate the risk of a hazard
through a design alteration, reduce therisk using an ESF that actively interruptsthe mishap sequence.
By Design
9
continued on page 10
![Page 10: ByDesign_PtDSpecial_Fall2007](https://reader033.fdocuments.us/reader033/viewer/2022052608/577d20401a28ab4e1e925bbb/html5/thumbnails/10.jpg)
8/2/2019 ByDesign_PtDSpecial_Fall2007
http://slidepdf.com/reader/full/bydesignptdspecialfall2007 10/1310
Special Issue
Prevention through Design
d) Incorporate safety devices. If unable
to eliminate or adequately mitigate thehazard through design or ESFs, reduce
mishap risk by using protective safetyfeatures or devices.
e) Provide warning devices. If designselection, ESFs, or safety devices do notadequately mitigate the risk of a hazard,
include a detection and warning system toalert personnel to the presence of a haz-
ardous condition or occurrence of a haz-ardous event.
f) Develop procedures and training.
Where other risk reduction methods can-not adequately mitigate the risk from a
hazard, incorporate special proceduresand training. Procedures may prescribe
the use of personal protective equipment.
15.0 Conclusion15.1 It would be folly for safety pro-
fessionals to ignore the impact of thePrevention through Design/Safety
through Design movement on theirknowledge needs. It is becoming evident
that it’s all about risk, about being able toidentify and analyze hazards and assessthe risks deriving from them. The entirety
of purpose of those responsible for safety,whatever their titles, is to deal with haz-
ards so that the risks deriving from thosehazards are acceptable
15.2 This paper is a primer on
PtD/Safety through design. An extensivelist of references follows for those whowould like to continue their education.
ReferencesANSI/AIHA Z10-2005. Occupational
Health and Safety Management Systems.Fairfax, VA: American Industrial Hygiene
Association, 2005. www.aiha.org/marketplace.htm.
ANSI/PMMI B155.1-2006. SafetyRequirements for Packaging Machinery
and Packaging-Related ConvertingMachinery. Arlington, VA: Packaging
Machinery Manufacturers Institute, 2006.ANSI B11.TR3-2000. Risk Assess-
ment and Reduction: A Guide to Esti-
mate, Evaluate and Reduce RisksAssociated with Machine Tools. McLean,
VA: AMT, The Association forManufacturing Technology, 2000.
“ASSE Position Paper On Designingfor Safety”. Approved by the Board of Directors in 1994. Des Plaines, IL: ASSE.
Aviation Ground Operation Safety
Handbook (6th ed.) Itasca, IL: NationalSafety Council, 2007.
Clemens, P. “A Compendium of HazardIdentification and Evaluation Techniques
for System Safety Application.” Hazard
Prevention, March/April, 1982.Christensen, W.C. & Manuele, F.A.
Safety Through Design. Itasca, IL:
National Safety CouncilChristensen, W.C. “Retrofitting forSafety: Career implications for SH&E per-
sonnel.” Professional Safety, May 2007.Christensen, W.C. Safety Through
Design: Helping design engineers
answer10 key questions. ProfessionalSafety, March 2003.
Failure Mode and Effects Analysis: A
Guide for Continuous Improvement for
the Semiconductor Equipment Industry.Technology Transfer #92020963A-ENG.Austin, TX: International SEMATECH,
1992. Available at www.sematech.org.Guidance Document for Incorporating
Risk Concepts into NFPA Codes and
Standards. Quincy, MA: The Fire
Protection Research Foundation, 2007.Guide to Use of the Management Over-
sight and Risk Tree. SSDC-103. Washing-ton, DC: Department of Energy, 1994.
Guidelines for Hazard Evaluation
Procedures, 2nd ed. with worked exam-ples. A Center for Chemical Process Safety
1992 publication, now available throughJohn Wiley & Sons, Hoboken, NJ.
ISO 12100-1. Safety of Machinery:Basic concepts, general principles fordesign. Part 1. Basic terminology, method-
ology. Geneva, Switzerland: InternationalOrganization for Standardization, 2003.
ISO 14121. Safety of Machinery:Principles for risk assessment. Geneva,Switzerland: International Organization
for Standardization, 1999.Main, B. Risk Assessment: basics and
benchmarks. Ann Arbor, MI: DesignSafety Engineering Inc, 2004.
Main, B. “Risk assessment is coming.
Are you ready?” Professional Safety, July2002.
Main, B. “Risk assessment: A reviewof the fundamental principles.” Profes-
sional Safety, December 2004.Manuele, F.A. Advanced Safety
Management: Focusing on Z10 and
Serious Injury Prevention. Hoboken, NJ:
John Wiley & Sons, 2007.Manuele, F.A. “ANSI/AIHA Z10-2005: The new benchmark for safety
management systems.” Professional
Safety, February 2006.Manuele, F.A. On the Practice of
Safety, 3rd ed. Hoboken, NJ: John Wiley& Sons, 2003.
Manuele, F.A. “Risk Assessments andHierarchies of Control.” Professional
Safety, May 2005.MIL-STD-882D. Standard Practice for
System Safety. Washington: DC:
Department of Defense, 2000. Also athttp://www.safetycenter.navy.mil/instruc-
tions/osh/milstd882d.pdf#search='MIL-STD882D’.
Potential Failure Mode and Effects
Analysis. Southfield, MI: Automotive
Industry Action Group, 3rd ed., 2001.SFPE Engineering Guide to Fire Risk
Assessment. Bethesda, MD: The Society
of Fire Protection Engineers, 2006.Stephans, R. & Talso, W.W., eds.
System safety analysis handbook: a
sourcebook for safety practitioners.
Albuquerque, NM: New Mexico Chapter,System Safety Society, 1997.
Stephans, R.A. S ystem safety for the
21st century. Hoboken, NJ: John Wiley &Sons, 2004
Swain, A.D. “Work situation approachto improving job safety.”Albuquerque,
NM: Sandia Laboratories.Vincoli, J.W. Basic guide to system
safety. Hoboken, NJ: John Wiley & Sons,
1993.
continued from page 9
ANSI/AIHA Z10 Is Here ANSI/AIHA Z10:
Occupational Health and Safety Management Systems
Call ASSE at (847) 699-2929 or visit www.asse.org.
![Page 11: ByDesign_PtDSpecial_Fall2007](https://reader033.fdocuments.us/reader033/viewer/2022052608/577d20401a28ab4e1e925bbb/html5/thumbnails/11.jpg)
8/2/2019 ByDesign_PtDSpecial_Fall2007
http://slidepdf.com/reader/full/bydesignptdspecialfall2007 11/13
By Design
11
ADDENDUM A The Risk Assessment Process
1) Data gathering
Injury and proactive data
2) Set the limits/scope of the strategy
leadership team sponsorship
3) Develop and charter risk
reduction team
4) Identify tasks and hazards
5) Assess risk—Initial risk
scoring system
6) Reduce risk
Hazard control hierarchy
7) Assess risk—Residual risk
scoring system
Residual risk
acceptable?
9) Controls measurement system10) New hazard
ID
Evaluation complete
Reevaluate tasks
and hazards
Yes
No
8) Results/documentation
Identify new
controls
Test/verify
current controls
Identify current
controls
![Page 12: ByDesign_PtDSpecial_Fall2007](https://reader033.fdocuments.us/reader033/viewer/2022052608/577d20401a28ab4e1e925bbb/html5/thumbnails/12.jpg)
8/2/2019 ByDesign_PtDSpecial_Fall2007
http://slidepdf.com/reader/full/bydesignptdspecialfall2007 12/1312 Special Issue Prevention through Design
ADDENDUM B Initial Hazard Analysis & Risk Assessment Worksheet
![Page 13: ByDesign_PtDSpecial_Fall2007](https://reader033.fdocuments.us/reader033/viewer/2022052608/577d20401a28ab4e1e925bbb/html5/thumbnails/13.jpg)
8/2/2019 ByDesign_PtDSpecial_Fall2007
http://slidepdf.com/reader/full/bydesignptdspecialfall2007 13/13
ADDENDUM C Potential Failure Modes & Effects Analysis Sequence
Howbad is
it?
What are thecauses?
How oftendoes it
happen?
How can this beprevented and
detected? How good isthe method atdetecting it?
What can bedone?
•Design
changes
•Processchanges
•Specialcontrols
•Changes tostandards,proceduresor guides
What can gowrong?
•No function
•Partial/over/ degraded function
•Intermittentfunction
•Unintendedfunction
What are thefunctions, featuresor requirements?
Subsystem
FunctionReqt’s
Potential
Failure Mode
What are theeffect(s)?
Potential
Effect(s)
of Failure
S
E
V
Class
Potential
Cause(s)/
Mechanisms
of Failure
Current
Controls
Prevention
Occur Direction
R.P.N.
Detec
Recommended
Action(s)
Responsibility
& Target
Completion
Date
Action Results
Actions
Taken
Sev
Occ
Det
Note: Reprinted from Potential Failure Mode & Effect Analysis (3rd ed.) with permission of DaimlerChrysler, Ford and GM Supplier
Quality Requirements Task Force.