Design for Safety and Risk Assessment
Transcript of Design for Safety and Risk Assessment
Design for Safety and Risk Assessment
C h r i s t o p h e r S a l d a n a , P h . D .W o o d r u f f S c h o o l o f M e c h a n i c a l E n g i n e e r i n g
G e o r g i a I n s t i t u t e o f T e c h n o l o g y
A t l a n t a , G e o r g i a U S A
2
Linkages to major quality management standards
3
Identify safety risks and assessment
• Risk assessment matrix
Identify failure modes, their detectability, severity and probability of occurrence
• Failure modes and effects analysis (FMEA)
Combining individual solutions to deal with these failure modes
Learning Objectives
4
5
6
In 1992, 79-year-old Stella Liebeck bought a
cup of takeout coffee at a McDonald's drive-
thru in Albuquerque and spilled it on her lap.
She sued McDonald's and a jury awarded
her nearly $3 million in punitive damages for the burns she suffered.
Toyota Motor lied to regulators, Congress and the public for years about the sudden acceleration of its vehicles, a deception that caused the world’s largest automaker on Wednesday to be hit with a $1.2 billion Justice Department fine.
Consumer product safety cases
Toyota Accelerator
D. Douglas, “Toyota reaches $1.2 billion settlement to end probe of accelerator problems,” Washington Post, 03/19/2014
McDonald’s Coffee
Consumer Attorneys of California, “The McDonald’s Hot Coffee Case,” 01/30/2017
7
Industrial safety cases: Aerial Lift
“2 workers fell from an aerial bucket lift and were killed at the Oxy Chemical Wichita plant,” KSN TV, June 30, 2016
“Notre Dame Student Dies at Practice,” Associated Press, October 27, 2010
Important questions:
• How should training/documentation and
administrative/engineering controls be designed?
• How do we systematically assess risk?
8
1. Apollo 1: fire during launch test
2. Space Shuttle Challenger: shuttle failure on takeoff
3. Space Shuttle Columbia: shuttle failure on re-entry
4. Boeing 737 MAX – 2 hull losses on takeoff
Historical Case Studies
nasa.gov wsj.com
9
10
Accident Date: 27 January 1967
Crew: G. Grissom, E. White, R. Chaffee
Condition: ‘Plugs-out’ test (pressurized, no umbilical)
Official causes:
1. Ignition source due to faulty/frayed wiring2. Pure O2 atmosphere at greater than atmospheric pressure3. Combustible materials in cabin (e.g., Velcro)4. Inadequate emergency preparedness
Root issue: failure modes analysis
Case 1: Apollo 1 Spacecraft
nasa.gov
time.com
11
12
Case 2: Space Shuttle Challenger
Accident Date: 28 January 1986
Crew: F. Scobee, M. Smith, R. McNair, E. Onizuka, J. Resnik, G. Jarvis, C. McAuliffe
Condition: Shuttle takeoff
Official causes:
1. Low-temperature O-ring failure in SRB2. Failure in communication during/before launch day3. Flawed NASA management structure
Root issues: communication breakdown, groupthink nasa.gov
13
History: Social psychological phenomenon developed by I. Janis (1972)
Characteristic: Group of people make non-optimal decisions due to urge to conform and/or discouragement of dissent
Groupthink
Influencing conditions: Cohesiveness of the group, rules governing decision-making process, leadership character, social homogeneity, situational context
14
15
Case 3: Space Shuttle Columbia
Accident Date: 01 February 2003
Crew: R. Husband, W. McCool, M. Anderson, K. Chawla, D. Brown, L. Clark, I. Ramon
Condition: Atmospheric re-entry
Official causes:
1. Foam from external tank struck left wing on takeoff2. Impact caused breach in wing and heat shield3. Re-entry gases caused vehicle failure
Identified issue: decision-making and risk-assessment processesnasa.gov
16
Risk assessment matrix / form
• Tool for evaluating probable risks in terms of the likelihood or probability of the risk and the severity of the consequences
• Visualization of risk for decision making
• Development of actionable plans in a systematic manner
What Type of Risks Exist?
• Persons, Product, Environment
What are the SEVERITIES of the risk?
What is the PROBABILITY that the risk will occur?
Risk Assessment Matrix
17
Severity
Negligible – one minor injury
Marginal – one severe injury, multiple minor injuries
Critical – one death or multiple severe injuries
Catastrophic – multiple deaths
Probability – Certain, Likely, Possible, Unlikely, Rare
Risk Assessment Matrix
18
Negligible Marginal Critical Catastrophic
Certain High High Extreme Extreme
Likely Moderate High High Extreme
Possible Low Moderate High Extreme
Unlikely Low Low Moderate Extreme
Rare Low Low Moderate High
Risk Severity
Risk Probability
❖ Low Risk
❖ Moderate Risk
❖ High Risk
❖ Extreme Risk
Risk Types
Risk Assessment Matrix
19
Extreme Risk: The risks are most critical and that must be addressed on a high priority basis. The project team should gear up for immediate action, so as to eliminate the risk completely.
High Risk: Also call for immediate action or risk management strategies. Here in addition to thinking about eliminating the risk, substitution strategies may also work well. If these issues cannot be resolved immediately, strict timelines must be established to ensure that these issues get resolved before the create hurdles in the progress.
Moderate Risk: Take some reasonable steps and develop risk management strategies in time, even though there is no hurry to have such risks sorted out early. Such risks do not require extensive resources; rather they can be handled with smart thinking and logical planning.
Low Risk: These risks can be generally ignored as they usually do not pose any significant problem. However still, if some reasonable steps can help in fighting these risks, such steps should be taken to improve overall performance of the project.
Risk Assessment Matrix
20
Risk Assessment MatrixExample: Unsafe use of a tablesaw
• What is the risk severity?
• What is the risk probability?
• How can design and/or use changes affect the risk assessment?
woodgears.ca
21
22
Negligible Marginal Critical Catastrophic
Certain High High Extreme Extreme
Likely Moderate High High Extreme
Possible Low Moderate High Extreme
Unlikely Low Low Moderate Extreme
Rare Low Low Moderate High
Risk Severity
Risk Probability
❖ Low Risk
❖ Moderate Risk
❖ High Risk
❖ Extreme Risk
Risk Types
Risk Assessment Matrix
Design and/or training changes:
• Design changes, engineering controls,
administrative controls
• How do we systematically assess risk?
Example: Unsafe use of a tablesaw
woodgears.ca
23
Risk Matrix – Methods for Improvement
Elimination/Substitution• Most effective• Difficult to implement for existing processes
Engineering controls• Methods built into design to minimize hazards• Good idea as operator-independent• Can be expensive to implement
Administrative controls• Rules and work practices to minimize hazards• Good idea as these are cheap to implement• Operator-dependent need good safety culture
Personal protective equipment• Bare minimum to reduce exposure to hazard• Should not be the only method used
National Institute of Occupational Safety and Health (NIOSH)
24
Negligible Marginal Critical Catastrophic
Certain High High Extreme Extreme
Likely Moderate High High Extreme
Possible Low Moderate High Extreme
Unlikely Low Low Moderate Extreme
Rare Low Low Moderate High
Risk Severity
Risk Probability
❖ Low Risk
❖ Moderate Risk
❖ High Risk
❖ Extreme Risk
Risk Types
Risk Assessment MatrixExample: Unsafe use of a tablesaw
Miter gauge
woodgears.ca
25
26
Negligible Marginal Critical Catastrophic
Certain High High Extreme Extreme
Likely Moderate High High Extreme
Possible Low Moderate High Extreme
Unlikely Low Low Moderate Extreme
Rare Low Low Moderate High
Risk Severity
Risk Probability
❖ Low Risk
❖ Moderate Risk
❖ High Risk
❖ Extreme Risk
Risk Types
Risk Assessment MatrixExample: Unsafe use of a tablesaw
Automated sawstop
woodgears.ca
Miter gauge
sawstop.com
27
Failure modes and effects analysis (FMEA)❖ FMEA - structured approach to:
– Identifying the ways in which a product or process can fail
– Estimating risk associated with specific causes
– Prioritizing the actions that should be taken to reduce risk
– Evaluating design validation plan (design FMEA) or current control plan (process FMEA)
❖ FMEA types – design and process
❖ Role in industrial processes
28
Failure modes and effects analysis (FMEA)❖ Important terms
– Failure mode – manner by which failure occurs for a function (related accident scenarios)
– Cause – failure mechanism for a specific failure mode
– Effect – consequences of failure on operation, function or status
❖ Important metrics for failures
– Severity (S) – 1 (not severe) to 10 (very severe)
– Occurrence (O) – 1 (not likely) to 10 (very likely)
– Detection (D) – 1 (easy to detect) to 10 (not easy to detect)
❖ Important overall measures
– Risk priority number (RPN), RPN = S x O x D
– Criticality (CRIT), CRIT = S x O
29
Failure modes and effects analysis (FMEA)
1. For each process input or product function, determine the ways in which the input or function can go wrong (failure modes)
2. For each failure mode, determine the potential effects and select a severity level for the effects.
3. Identify potential causes of each failure mode and select an occurrence level for the causes.
4. List current controls for each cause, select detection level for each cause.
5. Calculate the Risk Priority Number (RPN)
6. Develop actions and assign responsible persons (prioritize high RPNs)
7. Determine effects of possible changes in controls or design to RPNs
30
What can go wrong here?
p50cars.com
Peel P50 (1964)
31
Automobile with one headlight (no instrument cluster)What are the failure modes, effects, causes and controls?
Possible Failure Modes:• Light doesn’t turn on• Light doesn’t turn off
Possible Failure Effects:• Light doesn’t turn on
• Driver can’t see obstacles• Car inoperable at night (S = 8)
• Light doesn’t turn off• Battery dies
• Car won’t start (S = 10)
Possible Root Causes:• Light doesn’t turn on
• Battery dead (O = 8)• Broken wire (O = 3)• Headlight out (O = 10)• Switch corroded (O = 2)• Switch broken (O = 3)
• Light doesn’t turn off• Short circuit in switch (O = 2)• Operator error (left on) (O = 8)
Example: FMEA redesign
Example adapted from: Cyders, Ohio University, 2013.
Battery LightSwitch
p50cars.com
32
Example: FMEA redesign
Controls/indicators:• Light doesn’t turn on
• User notices lights off in dark• Light doesn’t turn off
• User notices lights on in dark
Detectability (D):• Light doesn’t turn on (D = 6)
• User notices lights off in dark• User doesn’t notice lights off
during day
• Light doesn’t turn off (D = 6)• User notices lights on in dark• User doesn’t notice lights
not on during day
Automobile with one headlight (no instrument cluster)What are the failure modes, effects, causes and controls?
p50cars.com
33
Possible Effect Root Cause S O D RPN
Car inoperable at night
Battery dead 10 8 2 160
Broken wire 8 3 6 144
Headlight out 3 10 6 180
Switch corroded 8 2 6 96
Switch broken 8 3 6 144
Result: improves usability at night (lower severity score)enables detection (lower detectability score)
Failure Mode: Light doesn’t turn on
Example: FMEA redesign
Example adapted from: Cyders, Ohio University, 2013.
Possible Effect Root Cause S O D RPN
Car inoperable at night
Battery dead 10 8 6 480
Broken wire 8 3 6 144
Headlight out 8 10 6 480
Switch corroded 8 2 6 96
Switch broken 8 3 6 144
Original: Single headlight automobile. Redesign: (1) Use two headlights instead of one (2) Add visual lights-on console display
34
Example: FMEA redesignFMEA worksheet (original)Process Step or
System FunctionPotential
Failure ModePotential
Failure EffectPotential Causes
Current Controls
Severity (S)
Occurrence (O)
Detectibility (D)Risk Priority
Number (RPN)
Headlight operation /
Provide driver visibility at night
Light doesn't turn on
Car inoperable at
night
Battery expended
User observation
10 8 6 480
Wire broken 8 3 6 144
Bulb failure 8 10 6 480
Switch corroded
8 2 6 96
Switch broken 8 3 6 144
FMEA worksheet (redesign)Process Step or
System FunctionPotential
Failure ModePotential
Failure EffectPotential Causes
New ControlsSeverity
(S)Occurrence
(O)Detectibility (D)
Risk Priority Number (RPN)
Headlight operation
Light doesn't turn on
Car inoperable at
night
Battery expended Use two
headlights instead of one. Add “lights
on” console indicator. User observation.
10 8 2 160
Wire broken 8 3 6 144
Bulb failure 3 10 6 180
Switch corroded
8 2 6 96
Switch broken 8 3 6 144
35
36
37
Case example: infant inclined sleepers
Failure modes
American Academy of Paediatrics (AAP)• “There is no such thing as a safe infant inclined sleeper” • “[An infant sleeper is] a product that typically positions an infant
at an incline of up to 30 degrees and usually has design elements such as a rounded sleep surface and plush side padding.”
• “The AAP recommends infants sleep on their backs, alone, unrestrained, on a firm, flat surface, free of padding, bumpers and other soft bedding.”
Product risks
38
Infant inclined sleepers - incidents
https://www.consumerreports.org/child-safety/while-they-were-sleeping/
39
1) All product liability laws apply to childrens’ products
2) Additional laws, regulations, standards, (and jury expectations) exist specifically to protect children (and their parents/caregivers)
3) Stakeholders: Newborns, Infants, Toddlers, Youths, Parents, Grandparents, Caregivers, Daycares
Child-focused products
40
Child endangerment laws
• Penal Code 273a is California’s “child endangerment” law. It
punishes someone who willfully exposes a child to pain,
suffering, or danger. Under Penal Code 273a, it is the
possibility of serious danger that is being punished.
Juvenile sleeper safety standards• ASTM F1169 - Specification for Full-Size Baby Cribs
• ASTM F2194 - Specification for Bassinets and Cradles
• ASTM F406 - Specification for Non-Full-Size Baby Cribs
• ASTM F3118 - Specification for Infant Inclined Sleep Products
Relevant laws and standards
41
Informed Consent• The process by which a patient (1) learns about and understands the
purpose, benefits, and potential risks of a medical or surgical intervention, including clinical trials and then (2) agrees to receive the treatment or participate in the trial. Informed consent generally requires that the patient or responsible party (3) signs a statement confirming that they understand the risks and benefits of the procedure or treatment.
At Risk Groups (require extra precautions)
• Children, elderly, pregnant woman, prisoners
How can children Understand, Agree, and Sign?
Testing child-focused products
42
1) Initially positioning babies the same everytime
2) Positioning different size/weight babies
3) Stimulating the baby to roll (toys, noisemakers, enthusiasm of tester)
4) Time duration of tests
5) Once turned over, what is the duration to let them struggle to turn back to safety?
6) Monitoring health (e.g. oxygen levels) of baby
7) Repeat for many babies & many products
Product testing – challenges
43
1) Parents are allowed to give informed consent on behalf of their children
2) Babies are motivated or tempted by toys to engage in certain behavior
• Danger – experimenters do not give same inputs (temptations) for different babies and products
3) Parents fill out use surveys and provide their view of the product performance
4) Babies get very little voice in this process
Children test subjects - implementation
If your product fails because it requires the user to act/think in
unnatural ways, then it is a product failure, not a user error.
44
Identify safety risks and assessment
• Risk assessment matrix
Identify failure modes, their detectability, severity and probability of occurrence
• Failure modes and effects analysis (FMEA)
Combining individual solutions to deal with these failure modes
Summary / Learning Objectives