Risk Analysis Methodology Applied To Industrial Machine Development

IEEE TRANSACTIONS ON INDUSTRY APPLICATIONS, VOL. 41, NO. 1, JANUARY/FEBRUARY 2005

Abstract—This paper will explore applied risk analysis techniques used during the development and application of industrial machines. The method discussed is used to help define the hazard to be addressed, apply a quantitative value to the hazard, evaluate the applied quantitative value with consistent benchmarks, and record the mitigating next steps or record that the estimated residual risk is below the established benchmark and that the process is complete. The method will include hazards identified from the machine design and those that occur from the mitigating methods. This paper, while identifying some resources, does not address generic risk analysis technology.

Index Terms—Equipment design, hazard identification, industrial machinery, iterative process methodology, life phase, risk analysis, risk evaluation matrix.

I. INTRODUCTION

often lend themselves to a probabilistic understanding of the outcomes. Some examples that lend themselves to probabilistic analysis methods are: a programmable logic controller (PLC) program controlling a machine's operation, or the flow of chemical streams to make up an ongoing chemical reaction. The determination of a probability function's density and distribution can often be reasonably approximated using relatively simple models (e.g., normal, uniform, parabolic, exponential, etc.).

The simplified quantification of risk evaluation and risk reduction, as a result of selecting the appropriate probability function, can be represented in analysis by using a safety integrity level or Safety Integrity Level (SIL) value. The SIL is a number that represents an evaluation of the likelihood and consequences of adverse effects. Assigned values for the analysis of machines are rooted in the likelihood of the event (continuous mode of op-
TABLE II
FREQUENCY AND DURATION OF EXPOSURE (Fr)

and the process ends, Fig. 3 "STOP"; or the process may provide a residual risk value greater than the tolerable risk or "de-minimus risk level". If the end has not been reached after the suggested steps to mitigate the hazard are applied and evaluated, then the new resultant residual risk value is used as a guide during the next iteration.

II. ITERATIVE PROCESS

The iterative process or model to achieve safety in this paper is based on well-established practices with some variations; a general structure of the process is shown in Fig. 3 [10], [16], [17]. The values used in the examples are reasonable but are

A. Risk Assessment

The risk assessment block of Fig. 3 is broken down into analysis and evaluation activities in Fig. 4.

1) Analysis Activity: The analysis process consists of the following three basic areas of data gathering that need to be developed and recorded:
• limits of the analysis;
• hazard identification;
• risk estimation.

a) Limits of the Analysis: The first step in any analysis is to establish the parameters of the area of interest; in this case these might include the following.
i) Life phases of the machinery: A life phase identifies the place in the processes of conceptual, design, construction, testing, start up, normal operation, maintenance operation, etc., from which the particular iteration of the analysis perspective is being viewed. Often there are interactions between the different life phases of the machine. The interaction of the life phases is also where analysis and subsequent risk reduction need to be done. In some situations the entire risk assessment process might be cycled to a particular level of acceptable risk before passing into the next life phase and next iteration of the process. Suggested documentation is shown by the "Life phase" entry area in Fig. 5. The corresponding risk estimations are done by using the corresponding life phase columns, e.g., "A," "B," and "C." The number of life phase columns that are used to check for interactions of analysis between life phases is dependent upon the machinery being analyzed. Typically, "Life Phases" include but are not limited to: design, construction (pre-power "Life Phase" and with-power "Life Phase"), installation, commissioning, operation, maintenance, etc. Life phases often contain machine states, user roles and domains of exposure.

ii) Limits of the machinery: The limits would include the normal operating limits and the absolute limits that may require additional attention. Recording the limits in the documented analysis will help clarify what potential sources for the hazards have been addressed in each of the phases of the analysis process.

iii) Full range of the reasonably foreseeable uses or states of the machinery: Although this does not have to be so broad as to include every conceivable situation, by stating those in the analysis the reasonableness of the resultant safe machine analysis should become apparent.

iv) Anticipated role and level of training, experience or ability of the foreseeable users: In the case of an industrial machine the level of training, including the possible inclusion or exclusion of untrained workers or the general public, should be stated and included in the considerations of the hazards involved.

v) Exposure or domain of other persons to the hazards associated with the machinery, where it can be reasonably foreseen: On the first iteration, risk mitigation such as guarding is not included. During the subsequent iteration the guarding and operating boundaries might be included in these limits of the analysis.

Documentation of ii)–v) and any other limits that may be relevant to the process need to be noted in the analysis and may be documented on separate attachments to the information recorded in the Fig. 5 format.

TABLE III
EXAMPLE OF HAZARDS TO BE CONSIDERED

b) Hazard Identification: Hazard identification can come from many methods: a FMECA, fault tree analysis, experience data bases, standards. Often existing industrial practices may generate a check list.

An example partial list of hazards to consider has been compiled in Table III. A more complete list can be found in the respective product standards and other basic and generic safety standards [16], [18], [19].

The hazard numbers shown in Table III are only examples that may be used as a notation aid in the analysis. Suggested documentation: see the "Hazard Identification" entry area in Fig. 5.

c) Risk Estimation: The risk estimation of consequences and likelihood is carried out for each hazard by establishing a parameter (values) based on the probability of the severity of harm, and a parameter (values) relating the occurrence of the harm. In order for the risk assessment methodology to work it is necessary to establish and document parameter estimates that are consistently related to representative integer values (normalized and consistent) for each of the combined qualitative and quantitative situations used for the evaluation.

All of the risk estimation values that are established for the analysis need to be consistent with the "de-minimus" and SIL or fault-resistant category values that are going to be used. Example nominal values for analysis are tabulated and shown in the explanations below and in Fig. 5. Developing and standardizing nominal integer values for machine applications is part of the efforts in the development of IEC 62061 [6]. The guidance for the selection of (fault-resistant) risk category values is documented in the ISO 13849 standards [4].
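The risk estimation record just described (normalized integer values for Se, Fr, Pr and Av kept per hazard and life phase, checked against a "de-minimus" line, with each risk reduction adding its own new items to the register until every item carries its "X") as an added example; this is not the paper's code, and the integer scales, the de-minimus thresholds and the slitter walk-through values are assumptions, since the paper's tables and matrix are not reproduced on this page.

```python
# Iterative risk register in the style of the paper's Fig. 5 form (Se, Fr, Pr, Av,
# risk reduction, "end" column). Added example, not code from the paper; the
# integer scales and the "de-minimus" line are assumptions made for illustration,
# since the paper's numeric tables and matrix are not reproduced on this page.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed nominal integer scales (higher = more severe / more likely / harder to avoid).
SE = {"fatal": 4, "permanent injury": 3, "reversible injury": 2, "minor": 1}
FR = {"daily": 5, "weekly": 4, "monthly": 3, "yearly": 2, "less": 1}
PR = {"very high": 5, "likely or expected": 4, "possible": 3, "rarely": 2, "negligible": 1}
AV = {"impossible": 5, "possible": 3, "obvious": 1}
# Assumed "de-minimus" line: per Se value, the smallest probability sum (Fr + Pr + Av)
# that still lies in the shaded area of the matrix and therefore needs risk reduction.
DE_MINIMUS = {4: 6, 3: 8, 2: 10, 1: 12}


@dataclass
class Item:
    """One row of the register for one life phase."""
    label: str
    hazard_no: int                # Hzrd No. from the hazard checklist (0 = placeholder)
    se: int
    fr: int
    pr: int
    av: int
    risk_reduction: str = ""
    end: bool = False             # True stands for the "X" in the "end" column
    origin: Optional[str] = None  # label of the item whose mitigation created this one

    @property
    def probability(self) -> int:
        """Probability of occurrence of harm: the total of the three estimates."""
        return self.fr + self.pr + self.av


def above_de_minimus(se: int, probability: int) -> bool:
    """True when (Se, Fr + Pr + Av) falls in the shaded area of the matrix."""
    return probability >= DE_MINIMUS[se]


# A planned risk reduction: description, re-estimated (Fr, Pr, Av) for the mitigated
# item, and the new items (hazards introduced by the mitigation) to add to the register.
Plan = Tuple[str, Tuple[int, int, int], List[Item]]


def run_iterations(register: List[Item], plans: Dict[str, Plan], max_iter: int = 10) -> int:
    """Each pass: items below the line get their "X", items above it get their planned
    reduction and spawn new hazards. Returns the number of passes taken."""
    for n in range(1, max_iter + 1):
        progressed = False
        for item in list(register):           # copy: mitigations append new items
            if item.end:
                continue
            if not above_de_minimus(item.se, item.probability):
                item.end = True               # acceptable residual risk: place the "X"
                progressed = True
                continue
            plan = plans.pop(item.label, None)
            if plan is None:
                continue                      # unresolved here: carried to the next life phase
            item.risk_reduction, (item.fr, item.pr, item.av), new_items = plan
            for new in new_items:
                new.origin = item.label
                register.append(new)
            progressed = True
        if all(i.end for i in register) or not progressed:
            return n
    return max_iter


def slitter_example() -> Tuple[List[Item], int]:
    """Constructed walk-through of the paper's web slitter discussion (Section II-C)."""
    first = "blade contact at web entrance"
    access = "blade access for jam clearing and service"
    device = "access detection device fails"
    register = [Item(first, 0, SE["fatal"], FR["daily"], PR["possible"], AV["possible"])]
    plans: Dict[str, Plan] = {
        first: ("narrow the web entrance so an operator cannot reach the knife",
                (FR["less"], PR["negligible"], AV["obvious"]),
                [Item(access, 0, SE["fatal"], FR["weekly"], PR["possible"], AV["possible"])]),
        access: ("harden the blade to reduce jams; interlocked guard with position detection",
                 (FR["monthly"], PR["negligible"], AV["obvious"]),
                 [Item(device, 0, SE["fatal"], FR["monthly"], PR["rarely"], AV["possible"])]),
        device: ("monitored safety relay so a device failure leaves the machine in a safe state",
                 (FR["monthly"], PR["negligible"], AV["obvious"]), []),
    }
    return register, run_iterations(register, plans)
```

An item with no planned reduction is left open, which is the paper's "carried to the next life phase" case; `run_iterations` then stops once no open item can progress.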
The severity of a hazard is usually cataloged by the consequences, with a higher value representing the more severe. An example of establishing a nominal value is shown in Table I. Suggested documentation: see the "Risk Estimation Se for the particular life phase" entry area in Fig. 5.

The occurrence of harm is generally a function of the frequency and duration of the exposure to the hazard, the probability of a hazardous event, and the probability that the human–machine interaction will occur (or be avoided), including the possibility to avoid the harm; each of these parameters is estimated independently.

An example of establishing a nominal value for frequency and duration of exposure is shown in Table II. An alternate example of establishing a nominal value for frequency and duration is seen in the "Frequency Fr" table shown in Fig. 5, which uses the following levels:
• daily;
• weekly;
• monthly;
• yearly;
• less.
Suggested documentation: see the "Risk Estimation Fr for the particular life phase" entry area in Fig. 5.

The first-order judgment or probability that the hazardous event will in fact occur (Pr), arising from human and machine interaction, has many considerations. An example of establishing a nominal value for (Pr) as seen in the "Probability Pr" table shown in Fig. 5 is as follows:
• very high;
• likely or expected;
• possible (note, also, for example, that "possible" may be considered under "given situations"; then document those "given situations" for that item in the "comments" section of Fig. 5);
• rarely;
• negligible.

Another estimation parameter is the probability of avoiding or limiting the harm (Av). An example of establishing a nominal value for (Av) as seen in the "Avoidance Av" table shown in Fig. 5 is as follows:
• impossible;
• possible;
• obvious.
Note that only three levels are used in the proposed IEC 62061. Suggested documentation: see the "Risk Estimation Av for the particular life phase" entry area in Fig. 5.

The probability of occurrence of harm is found by totaling the frequency and duration, the probability of occurrence of the hazardous event and the probability of avoidance of harm (Fr + Pr + Av). Suggested documentation: see the "Risk Estimation Fr + Pr + Av for the particular life phase" entry area in Fig. 5.

2) Risk Evaluation Activity: Following the analysis activity above, risk evaluation is the next step in the risk assessment process indicated in Fig. 4. The evaluation is done by arranging the risk estimation data gathered in the analysis activity; the results are then available to determine if the level of acceptable risk or "de-minimus risk level" has been achieved.

A risk evaluation activity is done for each identified hazard. The risk related to the identified hazard consists of the consequences of the adverse effects (severity of the possible harm) and the likelihood of the adverse effects (probability of occurrence of the possible harm). In the evaluation activity the relationship between the severity of the identified hazard (Se) and the probability of occurrence (Fr + Pr + Av) is evaluated as shown in the risk evaluation area of Fig. 5. Similar functional relationships are also seen in the concept of SIL values [3], and, coincidentally, similar functional relationships are used in the selection of fault-resistant category values used to describe safety-related parts of control systems [4].

The chosen normalization of the values resulting from SIL and fault-resistant category functions may not exactly represent a one-to-one relationship. The analysis involving both value systems requires some judgment in the application of this methodology. However, the judgment factors that are used in this methodology can be justified and documented using proposed formats, such as those in Fig. 5.

The methodology for risk evaluation explained in this paper uses a matrix format (Fig. 1) with normalized (consistent) values of severity and probability to determine the risk evaluation results.

If the relationship of severity and probability of harm falls into the nonshaded area, the hazard is considered to be at a level of acceptable risk or below the "de-minimus risk level" (shown in this example), and the identified hazard is considered to have been properly addressed and a safe (or an acceptable risk) situation is considered to exist. Suggested documentation: place an "X" in the "end" entry column of the "Risk reduction area" in Fig. 5.

If the relationship of severity and probability of harm falls within the shaded area, it is considered to be above the level of acceptable risk and the iterative process should continue to the risk reduction activity. Suggested documentation: enter the proposed risk reduction in the "Risk reduction column" in the "Risk reduction area" in Fig. 5.

In addition to the original item number (Fig. 5) that was being evaluated, a new additional item or items are now added to the evaluation process. The new item is used to evaluate possible new hazards resulting from the risk reduction additions (equipment, design change, etc.) that are to be made to the industrial machine. The additional new items are a result of the risk mitigation efforts from the previously noted new entry in the risk reduction column. The new items are documented in Fig. 5 (and are now included as items to be addressed in the iteration process to achieve safety).

The iterative process shown in this paper to achieve safety by using this methodology is completed when the hazards have been identified and those items having been estimated are evaluated to have residual risk below the established acceptable or "de-minimus" level, leading to an "X" in the end column of the risk reduction area shown if the example documentation in Fig. 5 is used. In industrial machine development, those items that have been identified but not completely resolved ("X") could be dealt with during another iteration in this life phase, or they would continue on to the next life phase for resolution.

It should be noted in the particular "Risk evaluation matrix (example of format)" above that the "Se" value of 4 with a probability of harm value in the range "0–4" may in fact lie above a typically established "de-minimus line," as this line is based on an assumed risk tolerance criterion to show, in this example of the methodology, where the minimum probability number would be 3. Since none of the probability factors has been suggested to be excluded with a 0 value, these ranges of values were not used in the Fig. 5 example.

B. Arranging the Analysis

Since most of the process of risk estimation is based on both objective and somewhat subjective experience factors, it is important that the arrangement of the analysis data be documented in a way that the principal estimation factors are kept visible for a reasonability check and so that they can also be used to validate the risk analysis conclusions.

The reasonable consistency and simplicity of the iterative process mechanics shown lend themselves to a simplified documentation system and a way to organize the focus of the analysis into reasonable parcels of action and information. For example, existing and new items that appear during early life phases may be resolved then, or they might remain open for resolution in a subsequent stage; but at all life phases the same format can be used to connect the risk analysis process throughout the various development stages of the industrial machine. Fig. 5 gives an example of the form that could be used along the machine development process for each of the iteration processes.

The result of each iteration is a residual risk that is either acceptable [below the "de-minimus" level] or a residual risk that has to be dealt with in the subsequent risk reduction process and risk assessment iteration(s). After the mechanical and process residual risk evaluation and risk reduction have been resolved as much as possible, the remaining residual risks are often dealt with using safety-related control functions.

Another example of using the risk evaluation method, now with a slightly different data value system (Fig. 2), is from one of the drafts of IEC 62061; it is shown in order to demonstrate the application of the general methodology of this paper. In this example the SIL assignment value is developed and shown in the matrix and is the proposed target for the safety-related control function needed to mitigate the hazard being analyzed. The "B (OM)" is recommended other measures, e.g., risk category B (ISO 13849-1); the shaded area is above the "de-minimus line" established in the draft of the standard. Also the risk estimation sum (Fr + Pr + Av) column ranges were adjusted to fit the SIL assignment numbers that were used. The gray area defined by the "de-minimus line" boundary can provide additional information/guidance for addressing the residual risk that is revealed during the next risk assessment part of the analysis process.

C. Other Factors to Consider

Doing the analysis early in the development of an industrial machine yields a simpler and more cost-effective design. As an example, if a cutting operation on a web is needed in a repeatable pattern, the web would most likely pass through some form of rotating knife or slitter. The web entrance point might be able to be made so narrow that an operator could not be placed in a situation where an injury could occur.

Now, during the operation the cutting surface might need to be cleaned or serviced in some manner. The way the access would be gained might involve the use of detection devices to reveal that the access method was being used, and this is now a point of safety concern. In this case assume a new cutting surface hazard has presented itself, and in order to make the access activity safe, the guarding and movement of the cutting surface needed to be assured.

In the analysis method shown here there would be several passes through the analysis structure. The first iteration would be to determine the hazard because the cutting surface needed to be serviced; the risk reduction portion of that iteration could determine that the design needed to be modified in order to reduce the chances of jams. The analysis of the design could also have revealed that the blade surface needed to be improved to require only infrequent service (e.g., hardened cutting surfaces, cutting pressure, etc.).

Now, with a minimum number of access activities established, the next risk assessment iteration's risk reduction might reveal the effectiveness of using fewer devices, such as limit switches or position detection devices, than would have been originally required to prevent hazardous movement during the jam clearing or blade service actions. Each device change would have become a separate iteration with the identified hazard(s) to be resolved.

If the risk reduction were the application of an appropriate control device, and that appropriate control device had then been selected and applied, the next iteration would include the hazard(s) arising if the detection device were to fail, and how that hazard would be addressed in a risk reduction effort. Generally such hazards from failed equipment are addressed by using a system that would give the user, who is depending on that "safety device," a positive indication that the device that had been selected had worked; or, even though the safety device failed, it had been applied in a failed-to-safe mode. In other words, if the failure of that device presented no additional hazard, then a yes could be the possible answer at the acceptable risk decision point (Fig. 3).

Getting a device or equipment design to fail in a safe mode involves thoughtful design work. For example, to know if a switch contact has failed closed (welded), the previous transition needs to have been detected. In a typical safety relay there are really two or three mechanically connected relays that go through a transition operation from open to close and back in a way that the safety circuit that is controlled will not be completed upon closing of the safety relay if it had not already been open (the failure detected might have happened because one of the contacts that had been thought to have opened previously had in fact welded shut). The action then presented is a failed-to-safe state, assuming the safety relay is properly applied to the risk reduction effort for the hazard it is supposed to be addressing.

III. CONCLUSION

This paper has explained the fundamentals of a particular risk analysis method which can be used for industrial machines with reasonably consistent outcomes. There are numerous texts that deal with safety and risk analysis and show ways to expand the basic steps shown in this paper, if the situation should need the more complex analysis. The methodology shown here can be used as a fundamental structure for analysis and to understand the relevance of the more complex solutions (tools) in achieving safety for an industrial machine.

It is to be noted that for industrial machine risk analysis there are other methods available that take each of the basic steps shown in this paper and expand them to account for more complex situations. However, because the data in question is often taken from qualitative sources or is a compilation of qualitative and quantitative data, more complex analysis methodology will not necessarily provide additional precision relevant to the outcome obtained from the analysis method shown in this paper.

NOMENCLATURE

Parameters used in the risk estimation and risk evaluation parts of the risk assessment methodology:
Se   Severity and consequences.
Fr   Frequency and duration of exposure.
Pr   Probability of the hazardous event occurrence.
Av   Probability of avoiding or limiting harm from the hazard.
Note that all parameters are to be defined and documented for each risk assessment; the parameters are dimensioned to be consistent with the established (chosen) "de-minimus risk level." The suggested parameters and values in this paper parallel current practices, but have not been standardized to date; their usefulness is established only when they are contained in the documentation that is included with each risk assessment.
Hzrd No.   Hazard list number.
Note that the hazard number shown in Table III and in Fig. 5 is derived from a list of the types of hazards that were considered in the assessment methodology and shown in Table III. The list of hazards that are considered uses a defined numbering scheme, both as a check list and for ease of documentation, and should be included with the documentation of each particular risk assessment. The suggested hazards list may be added to or reduced for each situation. The suggested numbering, though not yet formally standardized, is relatively aligned with similar lists of hazards in existing standards [16], [18].

ACKNOWLEDGMENT

A methodology very similar to the methodology presented in this paper was first shown to me by J. Persson of Tetra Pak Carton Ambient AB, Lund, Sweden, who has contributed extensively to the development of machinery safety standards, including this methodology's format, and to IEC 62061. The author would like to also acknowledge the experts of IEC TC 44 Work Group 7 and their Convener, S. Frost from the UK HSE, who are developing the standard IEC 62061 Safety of Machinery—Electrotechnical Aspects—Functional Safety of Electrical, Electronic and Programmable Controls Systems.

The author would also like to thank Procter & Gamble engineer J. Tuertscher, who helped in the editing process for this paper, and D. Grimm and R. Van Dyke, both Procter & Gamble engineers, and J. Persson of Tetra Pak Carton Ambient AB, for suggested additions.

REFERENCES

[1] Safety Aspects—Guidelines for Their Inclusion in Standards, ISO/IEC Guide 51, Definition 3.1, 1999.
[2] Webster's New Collegiate Dictionary, 8th ed. Springfield, MA: G&C Merriam, 1981.
[3] Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems—Part 5: Examples of Methods for the Determination of Safety Integrity Levels, IEC 61508-5, 1998.
[4] Safety of Machinery—Safety-Related Parts of Control Systems—Part 1: General Principles for Design, ISO 13849-1, 1999.
[5] Safety of Machinery—Safety-Related Parts of Control Systems—Part 100: Guidelines for the Use and Application of ISO 13849-1, ISO/TR 13849-100, 2000.
[6] Safety of Machinery—Electrotechnical Aspects—Functional Safety of Electrical, Electronic and Programmable Controls Systems, IEC 62061, expected publication of new standard 2005.
[7] American National Standard for Personnel Protection—Lockout/Tagout of Energy Sources—Minimum Safety Requirements, ANSI Z244.1, 1982 (reaffirmed 1998, new edition due out 2004).
[8] Recommended Practice for Electrical Equipment Maintenance, NFPA 70B, 2002.
[9] Standard for Electrical Safety Requirements for Employee Workplaces, NFPA 70E, 2004.
[10] Safety of Machinery—Basic Concepts, General Principles for Design—Part 1: Basic Terminology, Methodology, Fig. 1—Risk Reduction Process From the Point of View of the Designer, Fig. 2—Schematic Representation of the Iterative 3-Step Method for the Risk Reduction Process, ISO 12100-1:2003(E).
[11] National Electrical Code, NFPA 70, National Fire Protection Assoc., Quincy, MA, 2005.
[12] Electrical Standards for Industrial Machinery, NFPA 79, 2002.
[13] Safety of Machinery—Electrical Equipment of Machines—Part 1: General Requirements, IEC 60204-1, 1997.
[14] E. M. Marszal and E. W. Scharpf, Safety Integrity Level Selection: Systematic Methods Including Layer of Protection Analysis. Research Triangle Park, NC: Instrumentation Systems and Automation Soc., 2002, ch. 3.
[15] B. W. Main, Risk Assessment: Basics and Benchmarks. Ann Arbor, MI: Design Safety Engineering, 2004, ch. 4.
[16] Technical Report for Machine Tools—Risk Assessment and Risk Reduction—A Guide to Estimate, Evaluate and Reduce Risks Associated with Machine Tools, Fig. 1—Risk Assessment and Risk Reduction Process, Annex A, ANSI B11.TR3-2000.
[17] Safety of Machinery—Principles of Risk Assessment, Fig. 1—The Iterative Process to Achieve Safety, ISO 14121:1999(E).
[18] Safety of Machinery—Principles of Risk Assessment, Annex A "Examples of Hazards, Hazardous Situations and Hazardous Events," ISO 14121:1999(E).
[19] Safety of Machinery—Basic Concepts, General Principles for Design—Part 1: Basic Terminology, Methodology—Section 4—Hazards to be Taken Into Account When Designing Machinery, ISO 12100-1:2003.

William E. Anderson (S'68–M'72–SM'03) was born in Los Angeles, CA, in 1942. He received the B.S. applied science degree from Portland State University, Portland, OR, in 1972, the M.S.E.E. degree from the University of Portland, Portland, OR, in 1976, and the M.B.A. degree from Xavier University, Cincinnati, OH, in 1979.

Prior to attending Portland State University, he attended Los Angeles Trade Technical College, obtaining a commercial radio operator's license, worked for television and radio stations in Oregon, and served in the U.S. Navy. Since receiving his B.S. degree he has worked for the Leupold and Stevens production engineering group and has done consulting engineering work through H. C. Mason & Associates and Sandwell International in Portland, OR, and C&I Girdler/Bechtel, Louisville, KY. Since 1978, he has been an Electrical Engineer with The Procter & Gamble Company, Cincinnati, OH.

Mr. Anderson serves as a member of the SAE Electrical Standard for Industrial Machinery committee that produces SAE Standard HS1738. He is a principal member of the NFPA Electrical Equipment of Industrial Machinery Committee that produces NFPA 79 and is an alternate as a representative of IEEE SCC-18 on NEC Code Panel 12. He is a member of IEC TC 44 and 17B and ISO TC199. He serves as an expert for the U.S. National Committee to IEC TC44 on the IEC 60204-1 standard maintenance committee. He is a Senior Member of the American Society for Quality and a Registered Professional Engineer in the States of Oregon and Ohio.
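The failed-to-safe safety relay behaviour discussed in Section II-C (a contact that did not open at the previous transition is detected there, so the controlled circuit is not completed at the next close) as an added example; this is a simplified model written for this page, not the paper's code, and the two-channel layout, the injected weld fault and the reset routine are assumptions.

```python
# Simplified model of the fail-to-safe safety relay behaviour described in Section II-C:
# the relay may only complete the controlled safety circuit on a close transition if the
# preceding open transition was verified, so a contact that welded shut is detected at
# that open transition and the circuit stays open. Added example, not code from the
# paper; the two-channel layout, the fault injection and the reset are assumptions.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Contact:
    """One mechanically linked contact of the safety relay."""
    welded: bool = False   # injected fault: the contact can no longer open
    closed: bool = False   # physical state

    def drive(self, energize: bool) -> None:
        # A welded contact stays closed whatever the coil is told to do.
        self.closed = True if self.welded else energize


@dataclass
class SafetyRelay:
    contacts: List[Contact]
    fault: bool = False          # latched when a contact failed to open
    verified_open: bool = False  # last open transition saw every contact open
    output: bool = False         # controlled safety circuit completed?

    def command(self, energize: bool) -> bool:
        """Drive the relay open (False) or closed (True); return the circuit state."""
        if energize:
            # Closing is only allowed after a verified open and with no latched fault.
            if self.fault or not self.verified_open:
                self.output = False
                return self.output
            for c in self.contacts:
                c.drive(True)
            self.verified_open = False
            self.output = all(c.closed for c in self.contacts)  # contacts in series
            return self.output
        for c in self.contacts:
            c.drive(False)
        stuck = [i for i, c in enumerate(self.contacts) if c.closed]
        if stuck:                    # a contact thought to have opened is still closed
            self.fault = True
        self.verified_open = not stuck
        self.output = False          # the healthy channel breaks the circuit: safe state
        return self.output

    def reset(self) -> None:
        """Clear the latched fault after repair; the next close still needs a verified open."""
        self.fault = False
        self.verified_open = False


def welded_contact_scenario() -> Tuple[List[bool], bool]:
    """Constructed run: healthy cycle, weld one contact while closed, observe the fault
    latch, then repair and reset. Returns the circuit states after each command and
    whether the fault was latched at the open transition following the weld."""
    relay = SafetyRelay([Contact(), Contact()])
    states = [relay.command(False), relay.command(True)]   # verified open, then close
    relay.contacts[0].welded = True                        # fault injected while closed
    states.append(relay.command(False))                    # open: welded contact detected
    latched = relay.fault
    states.append(relay.command(True))                     # close refused: failed to safe
    relay.contacts[0].welded = False                       # repair
    relay.reset()
    states += [relay.command(False), relay.command(True)]  # verified open, then close
    return states, latched
```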