180 IEEE TRANSACTIONS ON INDUSTRY APPLICATIONS, VOL. 41, NO.
1, JANUARY/FEBRUARY 2005
Risk Analysis Methodology Applied to Industrial
Machine Development
William E. Anderson, Senior Member, IEEE
Abstract—This paper will explore applied risk analysis tech-
niques used during the development and application of industrial
machines. The method discussed is used to help define the hazard
to be addressed, apply a quantitative value to the hazard, evaluate
the applied quantitative value with consistent benchmarks, record
the mitigating next steps or record that the estimated residual
risk is below the established benchmark and that the process is
complete. The method will include hazards identified from the
machine design and those that occur from the mitigating methods.
This paper, while identifying some resources, does not address
generic risk analysis technology.
Index Terms—Equipment design, hazard identification, indus-
trial machinery, iterative process methodology, life phase, risk
analysis, risk evaluation matrix.
I. INTRODUCTION
S AFETY—“freedom from unacceptable risk” [1] or—“the
condition of being safe from undergoing or causing hurt,
injury, or loss” [2] is often an afterthought during the develop-
ment of an industrial machine. The associated risks are discov-
ered and risk reduction dealt with toward the end of the design
process; often the entire risk reduction action is done through
the use of guarding, control schemes, and training. However, the
concepts of safety can be more effectively accomplished when
they are included early and throughout the development process.
During an early and on-going approach, understanding relation-
ships between availability, reliability, and safety become impor-
tant factors to achieve a simpler and more cost effective solution
of the machine’s development. The risk analysis methodology
discussed in this paper is offered as a basic tool for developing
and understanding the safety function of industrial machines1.
Two views are used in understanding risk assessment and risk
reduction. In the probabilistic view of the world, certainty is im-
possible. In the deterministic view occurrences are determined
by preceding events. Both views have a place in the method-
ology shown in this paper.
In an industrial process there are actions and mechanisms that
change through continuous and multiple interactions which pro-
duce outcome events; these types of actions and mechanisms
Paper ICPSD-04-09, presented at the 2004 IEEE/IAS Industrial and Com-
mercial Power Systems Technical Conference, Clearwater Beach, FL, May
1–6, and approved for publication in the IEEE TRANSACTIONS ON INDUSTRY
APPLICATIONS by the Power Systems Engineering Committee of the IEEE
Industry Applications Society. Manuscript submitted for review May 6, 2004
and released for publication September 20, 2004.
The author is with The Procter & Gamble Company, Cincinnati, OH 45224-
1710 USA (e-mail: anderson.we@pg.com).
Digital Object Identifier 10.1109/TIA.2004.841006
1Safety function: a function of a machine whose failure can result in an im-
mediate increase of the risk(s) (ISO 12100-1:2003, 3.28).
0093-9994/$20.00 © 2005 IEEE
often lend themselves to a probabilistic understanding of the
outcomes. Some examples that lend themselves to probabilistic
analysis methods are: a programmable logic controller (PLC)
program controlling a machine’s operation, or the flow of chem-
ical streams to make up an ongoing chemical reaction. The de-
termination of a probability function’s density and distribution
can often be reasonably approximated using relatively simple
models (e.g., normal, uniform, parabolic, exponential, etc.).
The simplified quantification of risk evaluation and risk re-
duction, as a result of selecting the appropriate probability func-
tion, can be represented in analysis by using a safety integrity
level or Safety Integrity Level (SIL) value. The SIL is a number
that represents an evaluation of the likelihood and consequences
of adverse effects. Assigned values for the analysis of machines
are rooted in the likelihood of the event (continuous mode of op-
eration) and the likelihood of the risk reduction factors (safety
rated control system) being available and working when called
upon [3].
Also found in industrial processes are events that are clustered
as a single or small number of interactions taking place. These
apparent binary or other simple interactions, when looked upon
from a very long time frame, may in fact be part of a contin-
uous process, but whose probability function may be more dif-
ficult to establish from typical test data. Such types of events are
often evaluated from the deterministic (cause and effect) point of
view. The deterministic evaluation method shows that the action
of the required properties of the system flows logically through
a model of the system that is being analyzed. The deterministic
evaluation may use deductive or inductive analysis techniques.
The deterministic deductive analysis technique generally
flows from where the initiating events are leading to the be-
ginning event of the failure modes; and then calculating their
probabilities and consequences (Fault tree Analysis or Event
tree Analysis). Deductive methods lend themselves to deter-
mine the initiating event, which can lead to the failure, and then
calculating the probability of that initial event. The deductive
methods can also be used to determine the consequences of
identified multiple faults.
The deterministic evaluation inductive techniques are gener-
ally used when the consequences of identified faults are being in-
vestigated, e.g., Failure Modes, and Effects Analysis (FMEA), or
FailureModes,EffectsandCriticalityAnalysis(FMECA).Induc-
tive techniques are more suited to investigate the consequences of
identified single faults. The choice of evaluation techniques, (de-
ductive or inductive) depends on the goal of the evaluation.
Deterministic evaluation is often used for the validation of
the safety functions through analysis rather than by testing
the safety rated control system(s) containing the safety-related
ANDERSON: RISK ANALYSIS METHODOLOGY APPLIED TO INDUSTRIAL MACHINE DEVELOPMENT
parts. The classification of the safety-related parts of a control
system with respect to their resistance to faults and their sub-
sequent behavior in the fault condition is expressed in terms
of fault resistant categories, often referred to as a risk category
value [4]. A typical event involving a safety function might be
the opening of a guard door, and the stopping of a machine.
The likelihood and consequences of adverse effects from these
events and the safety-related part failure are evaluated and
expressed by using the concept of risk categories [5].
The iterative process shown in this paper involves the quantifi-
cation of the risk estimation which then can be used to help iden-
tify effective risk reduction methods. The selection of a mean-
ingful SIL value system or the selection of a meaningful fault re-
sistant category value system is important. Typical hazard risk es-
timation may be done in SIL terms, while the safety rated con-
trol system parts use terms that are given as fault resistant or risk
category values. For a machine application, the bridging of this
gap between SIL and reduction fault resistant category values in
a manor that is consistent and useful for the analysis of industrial
machines has been attempted in the proposed standard IEC 62061
[6]. A discussion about the application of this value system is still
premature in that the standard is still under development; and is
proposed for another paper in the near future. At this point in time,
the assumption will be that either SIL numbers or fault resistant
category numbers are being used in the risk evaluation and in the
risk reduction or that there has been an appropriate selection and
integration of these value systems.
Both the SIL values and the fault resistant category values
are used to relate complex concepts used to make consistent and
useful decisions resulting from a risk analysis and risk reduction
process. The intermingling of the SIL values and fault resistant
category values for analysis of a machine can create confusion
and is not recommended. Exactly when the probabilistic view or
the deterministic view of an event is more relevant for risk assess-
ment and risk reduction efforts is one of the difficult questions
that has to be worked through when developing safety standards
for industrial machines.2 The analysis method mechanics pre-
sented here can use either the SIL values or the fault resistant
category values in understanding the safety aspects of an indus-
trial machine’s development. The analysis method is an iterative
process with the steps of risk assessment, risk reduction followed
again by risk assessment, etc., until a level of acceptable risk or
“de-minimus risk level” has been achieved. The “de-minimus risk
level” changes with the evolution of safer ways to accomplish
a desired action. The “de-minimus risk level” used for the itera-
tive process may be either based on existing or anticipated safe
practice standards.
Consciously or unconsciously a “de-minimus risk level” is
used in life’s daily decisions; making a rational choice to do
any action is accepting a “de-minimus risk level”. The concept
and the relative measurement of tolerable risk or “de-minimus
risk level” for industrial machine development is based gener-
ally on a realistic understanding of several aspects which flow
from political/social, financial and industrial bench marks. The
2IEC Technical Committee 44 WG7, which is developing the standard “IEC
62061 Safety of machinery—electrotechnical aspects—Functional safety of
electrical, electronic and programmable controls sytems,” has been working to
include some assistance in addressing this question through the new standard.
181
TABLE I
SEVERITY AND CONSEQUENCES (Se)
The integer numbered values shown are examples only.
The values that are to be used need to be consistent with
the overall analysis. The initial example values shown here
were from work done by J. Pearson and are now included
in the draft version of IEC 62061 [6]
Fig. 1. Risk evaluation matrix (example of format).
existence of a basis for a tolerable risk or “de-minimus risk level”
value is assumed to have been established as a part of the foun-
dation that was used for the design and development of the in-
dustrial machine in question.
Example sources of information to determine the political/so-
cial benchmark dimensions of a “de-minimus risk level” are
found in OSHA and other government regulations, consensus
standards such as ANSI Z244 [7], NFPA 70B [8], NFPA 70E
[9], and ISO 12100 [10]. Financial considerations are evaluated
using historical cost data bases for the particular situation. And
for the industry benchmark dimension, resources would include
application standards such as NFPA 70 [11], NFPA 79 [12], IEC
60204-1 [13] as well as from various applicable IEEE, UL, IEC,
and ISO product standards. The translation of the level of toler-
able risk or the “de-minimus risk level” into a SIL or fault resis-
tant category related values is necessary for this analysis. The
iterative process uses the documented tolerable risk or “de-min-
imus risk level” value to establish a consistent end point for the
iterative process, which is when a tolerable (hazard) risk value
has been achieved [14], [15].
To illustrate establishing one point in a “de-minimus risk
level” using the example values in Section II-A.1c, where the
consequences of severity (Se) level 4 (death, losing an eye
or limb) in Table I, might be acceptable if the probability of
harm score, Fig. 1, was 4 or less. To achieve the “acceptable”
probability of harm score value the avoidance (Av) value could
be 1 (Obvious), the low probability of the event occurring
(Pr) represented by the value of 1 (Negligible) and Frequency
(Fr), or Frequency and duration Table II, score of 2 or less. In
another illustration it can be seen in Fig. 2 the consequences
of severity (Se) level 4 are unacceptable in any case. In this
iterative method the documentation of the selected values will
yield an understood repeatable solution.
In order to complete the iterative process, explained in this
paper, the output of the risk assessment has to show either that
the tolerable risk or “de-minimus risk level”, has been passed,
182 IEEE TRANSACTIONS ON INDUSTRY APPLICATIONS, VOL. 41, NO. 1, JANUARY/FEBRUARY 2005
TABLE II
FREQUENCY AND DURATION OF EXPOSURE (Fr)
The integer numbered values shown are examples only.
The values that are to be used need to be consistent with
the overall analysis. The initial example values shown here
were from work done by J. Pearson and are now included
in the draft version of IEC 62061 [6]
Fig. 2. Risk evaluation matrix (another example example of format and
values).
Fig. 3. General iterative process to achieve safety.
and the process ends, Fig. 3 “STOP”; or the process may provide
a residual risk value greater than the tolerable risk or “de-min-
imus risk level”. If the end has not been reached, after the sug-
gested steps to mitigate the hazard are applied and evaluated,
then the new resultant residual risk value is used as a guide
during the next iteration.
II. ITERATIVE PROCESS
The iterative process or model to achieve safety in this paper
is based on well-established practices with some variations; a
general structure of the process is shown in Fig. 3 [10], [16],
[17]. The values used in the examples are reasonable but are
Fig. 4. Risk assessment outline.
intended to be used as only an example to explain the mechanics
of the methodology.
The data values used in this process, which is representing
the likelihood and consequences of adverse effects, is most ef-
fective when not claiming more accuracy than the process can
yield. This recognition of the limitation of accuracy is carried
throughout the process by using only integer representations of
the relative values, or at most one decimal place; further refine-
ment is generally overstating the known precision of the quanta-
tive and qualitative data that is involved in the analysis process.
If the analysis involves a more complex situation, then more
complex analysis methods are probably needed, and then the
approach shown in this paper could be used for first order es-
timations. However, for many industrial machine applications,
this simpler iterative process, Fig. 3, yields an adequate level of
precision.
Risk reduction is the action step of modifying the machine
design, including employing safety related parts, to achieve the
desired safe operation of the machine. Though risk reduction is
shown in Fig. 3, this paper is focused on the risk assessment part
of the iterative process.
In order to be effective, the team which does the iterative
analysis process should include representatives with experience
in design, construction, installation, operation, editing technical
documentation, and maintenance, and those with experience in
the relevant engineering disciplines including mechanical and or
chemical, controls, power sources, safety (human factors), etc.
The iterative process begins with hazard identification which
is then documented. One part of the suggested documentation
is shown in Fig. 5; the remaining documentation might be a set
of attached sheets documenting analysis activity that would not
have been entered in the Fig. 5 format.
A. Risk Assessment
The risk assessment block of Fig. 3, is broken down into an
analysis and evaluation activities in Fig. 4.
1) Analysis Activity: The analysis process consists of the
following three basic areas of data gathering that need to be de-
veloped and recorded:
• limits of the analysis;
• hazard identification;
• risk estimation.
a) Limits of the Analysis: The first step in any analysis is
to establish the parameters of the area of interest, in this case
these might include the following.
ANDERSON: RISK ANALYSIS METHODOLOGY APPLIED TO INDUSTRIAL MACHINE DEVELOPMENT
Fig. 5. Example risk assessment and risk reduction documentation sheet.
i) Life phases of the machinery: A life phase identifies the
place in the processes, of conceptual, design, construc-
tion, testing, start up, normal operation, maintenance op-
eration, etc., from which the particular iteration of the
analysis perspective is being viewed. Often there are inter-
actions between the different life phases of the machine.
The interaction of the life phases is also where analysis
and subsequent risk reduction needs to be done. In some
situations the entire risk assessment process might be cy-
cled to a particular level of acceptable risk before passing
into the next life phase and next iteration of the process.
Suggested documentation is shown by the “Life phase”
entry area in Fig. 5. The corresponding risk estimations
are done by using the corresponding life phase columns,
e.g., “A”, “B,” and “C.” The number of life phase columns
that are used to check for interactions of analysis between
life phases is dependent upon the machinery being ana-
lyzed. Typically, “Life Phases” include but are not limited
to: design, construction (pre power “Life Phase” and with
power “Life Phase”), installation, commissioning, opera-
tion, maintenance, etc. Life phases often contain machine
states, user rolls and domains of exposure.
ii) Limits of the machinery: The limits would include the
normal operating limits and the absolute limits that may
183
require additional attention. Recording the limits in the
documented analysis will help clarify what potential
sources for the hazards have been addressed in each of
the phases of the analysis process.
iii) Full range of the reasonably foreseeable uses or states
of the machinery: Although this does not have to be so
broad as to include every conceivable situation, by stating
those in the analysis the reasonableness of the resultant
safe machine analysis should become apparent.
iv) Anticipated roll and level of training, experience or ability
of the foreseeable users: In the case of an industrial ma-
chine the level of training, including the possible inclusion
or exclusion of, untrained workers, or the general public,
should be stated and included in the considerations of the
hazards involved.
v) Exposure or domain of other persons to the hazards as-
sociated with the machinery, where it can be reasonably
foreseen: On the first iteration, risk mitigation such as
guarding is not included. During the subsequent iteration
the guarding and operating boundaries might be included
in these limits of the analysis.
Documentation of ii)–v) and any other limits that may be
relevant to the process need to be noted in the analysis and
184 IEEE TRANSACTIONS ON INDUSTRY APPLICATIONS, VOL. 41, NO. 1, JANUARY/FEBRUARY 2005

TABLE III
EXAMPLE OF HAZARDS TO BE CONSIDERED

may be documented on separate attachments to the information
recorded in the Fig. 5 format.
b) Hazard Identification: Hazard identification can come
from many methods, a FMECA, fault tree analysis, experience
data bases, standards. Often existing industrial practices may
generate a check list.
An example partial list of hazards to consider has been com-
piled in Table III. A more complete list can be found in the re-
spective product standards and other basic and generic safety
standards [16], [18], [19].
The hazard numbers shown in Table III are only examples that
may be used as a notation aid in the analysis. Suggested docu-
mentation: see the “Hazard Identification” entry area in Fig. 5.
c) Risk Estimation: The risk estimation of consequences
and likelihood is carried out for each hazard by establishing a
parameter (values) based on the probability of the severity harm,
and a parameter (values) relating the occurrence of the harm. In
order for the risk assessment methodology to work it is neces-
sary to establish and document parameter estimates that are con-
sistently related to representative integer values (normalized and
consistent) for each of the combined qualitative and quantitative
situations used for the evaluation.
All of the risk estimation values that are established for the
analysis need to be consistent with the “de-minimus” and SIL
or fault-resistant category values that are going to be used. Ex-
ample nominal values for analysis are tabulated and shown in
the explanations below and in Fig. 5. Developing and standard-
izing of nominal integer values for machine applications is part
of the efforts in the development of IEC 62061 [6]. The guid-
ance for the selection of (fault resistant) risk category values is
documented in the ISO 13849 standards [4].
ANDERSON: RISK ANALYSIS METHODOLOGY APPLIED TO INDUSTRIAL MACHINE DEVELOPMENT
The severity of a hazard is usually cataloged by the conse-
quences; with a higher value representing the more severe. An
example of establishing a nominal value is shown in Table I.
Suggested documentation: see the “Risk Estimation Se for the
particular life phase” entry area in Fig. 5.
The occurrence of harm is generally a function of the fre-
quency and duration of the exposure to the hazard, the probably
of a hazardous event, the probably that the human–machine in-
teraction will occur (or be avoided) including the possibility to
avoid the harm; each of these parameters is estimated indepen-
dently.
An example of establishing a nominal value for frequency and
duration of exposure is shown in Table II.
An alternate example of establishing a nominal value for Fre-
quency and duration is seen in the “Frequency Fr” table shown
in Fig. 5. Suggested documentation: see the “Risk Estimation
Fr for the particular life phase” entry area in Fig. 5
Daily
Weekly
Monthly
Yearly
Less . values of severity and probability to determine the risk evalu-
The first-order judgment or probability that the hazardous
event will in fact occur (Pr) arising from human and machine in-
teraction has many considerations. An example of establishing
a nominal value for (Pr) as seen in the “Probability Pr” table
shown in Fig. 5 is as follows:
Very high
Likely or expected
Possible . “X” in “Risk reduction area “end” entry column in Fig. 5.
Note, also, for example, considering “possible” under “given
situations” and then document for that item those “given situa-
tion” in the “comments” section of Fig. 5)
Rarely
Negligible .
Another estimation parameter is the probability of avoiding or
limiting the harm (Av). An example of establishing a nominal
value for (Av) as seen in the “Avoidance Av” table shown in
Fig. 5 is as follows:
Impossible
Possible
Obvious . igation efforts from the previously noted new entry in the risk
Note that only three levels are used in the proposed IEC
62061.
Suggested documentation: see the “Risk Estimation Av for
the particular life phase” entry area in Fig. 5.
Establishing the probability of occurrence of harm is found by
totaling the frequency and duration, probability of occurrence
of the hazard event and the probability of avoidance of harm.
Suggested documentation: see the “Risk Estimation Fr Pr
Av for the particular life phase” entry area in Fig. 5.
2) Risk Evaluation Activity: Following the analysis activity
above, risk evaluation is the next step in the risk assessment
process indicated in Fig. 4. The evaluation is done by arranging
the risk estimation data gathered in the analysis activity, the re-
sults is then available to determine if the level of acceptable risk
or “de-minimus risk level” has been achieved.
185
A risk evaluation activity is done for each identified hazard.
The risk related to the identified hazard consists of the con-
sequences of the adverse effects (severity of the possible
harm) and the likelihood of the adverse effects (probability
of occurrence of the possible harm). In the evaluation activity
the variables risk related to the identified hazard Se and
probability of occurrence Pr Av relation-
ships are evaluated as shown in the risk evaluation area of
Fig. 5. Similar functional relationships are also seen in the
relationships that are in the concept of SIL values [3], and,
coincidently, similar functional relationships are used in the
selection of fault-resistant category values used to describe
safety-related parts of control systems [4].
The chosen normalization of the values resulting from SIL
and fault resistant category functions may not exactly represent
a one to one relationship. The analysis involving both value
systems requires some judgment in the application of this
methodology. However, the judgment factors that are used
in this methodology can be justified and documented using
proposed formats, such as those in Fig. 5.
The methodology for risk evaluation explained in this paper
uses a matrix format (Fig. 1) using normalized (consistent)
ation results.
If the relationship of severity and probability of harm falls
into the nonshaded area, the hazard is considered to be at a level
of acceptable risk or below the “de-minimus risk level” (shown
in this example) and the identified hazard is considered to have
been properly addressed and a safe (or an acceptable risk) situ-
ation is considered to exist. Suggested documentation: place an
If the relationship of severity and probability of harm falls
within the shaded area, it is considered to be above the level
of acceptable risk and the iterative process should continue to
the risk reduction activity. Suggested documentation: enter the
proposed risk reduction in “Risk reduction column” in the “Risk
reduction area” in Fig. 5.
In addition to the original item number (Fig. 5) that was being
evaluated, a new additional item or items now are added to the
evaluation process. The new item is used to evaluate possible
new hazards resulting from the risk reduction additions (equip-
ment, design change, etc.) that are to be made to the industrial
machine. The additional new items are a result of the risk mit-
reduction column. The new items are documented in Fig. 5 (and
are now included as items to be addressed in the iteration pro-
cesses to achieve safety).
The iterative process shown in this paper, to achieve safety
using this methodology is completed when the hazards have
been identified; and those items having been estimated are
evaluated to have residual risk below the established acceptable
or “de-minimus” level, leading to an “X” in the end column of
the risk reduction area shown if the example documentation in
Fig. 5 is used. In industrial machine development, those items
that have been identified but not completely resolved (“X”)
could be dealt with during another iteration in this life phase or
it would continue on to the next life phase for resolution.
It should be noted in the particular “Risk evaluation matrix
(example of format)” above, the “Se” value of 4 with a prob-
186 IEEE TRANSACTIONS ON INDUSTRY APPLICATIONS, VOL. 41, NO. 1, JANUARY/FEBRUARY 2005

ability of harm value in the range “0–4” may in fact lie above Now, during the operation the cutting surface might need to
a typically established “de-minimus line” as this line is based be cleaned or serviced in some manor. The way the access would
on an assumed risk tolerance criteria to show in this example of be gained might involve the use of detection devices to reveal
methodology where the minimum probably number would be 3. that the access method was being used and is now a point of
Since none of the probability factors has been suggested to be safety concern. In this case assume a new cutting surface hazard
excluded with a 0 value, these ranges of values were not used in has presented itself, and in order to make the access activity safe,
the Fig. 5 example. the guarding and movement of the cutting surface needed to be
assured.
B. Arranging the Analysis In the analysis method shown here there would be several
passes thought the analysis structure. The first iteration would
Since most of the process of risk estimation is based on both
be to determine the hazard because the cutting surface needed
objective and somewhat subjective experience factors, it is im-
to be serviced; the risk reduction portion of that iteration could
portant that the arrangement of the analysis data be documented
determine that the design needed to be modified in order to re-
in a way that the principle estimation factors are kept visible for
duce the chances of jams. The analysis of the design could also
reasonability check and so that they can also be used to validate
have revealed that the blade surface needed to be improved to
the risk analysis conclusions.
require only infrequent service, (e.g., hardened cutting surfaces,
The reasonable consistency and simplicity of the iterative
cutting pressure, etc.).
process mechanics shown lends itself to a simplified documen-
Now with a minimum number of access activities established
tation system and a way to organize the focus of the analysis
the next risk assessment iteration’s risk reduction might reveal
into reasonable parcels of action and information. For example
the effectiveness of using fewer devices such as limit switches or
existing and new items that appear during early life phases may
position detection devices than would have been originally re-
be resolved then, or they might remain open for resolution in a
quired to prevent hazardous movement during the jam clearing
subsequent stage; but at all life phases the same format can be
or blade service actions. Each device change would have be-
used to connect the risk analysis process throughout the various
come a separate iteration with the identified hazard(s) to be re-
development stages of the industrial machine. Fig. 5 gives an
solved.
example of the form that could be used along the machine de-
If the risk reduction were the application of an appropriate
velopment process for each of the iteration processes.
control device and that appropriate control device had then
The results of each iteration is a residual risk that is either ac-
been selected and applied; the next iteration would include
ceptable [below the “de-minimus” level] or is a residual risk that
the hazard(s) arising if the detection device would fail, and
has to be dealt with in the subsequent risk reduction process and
how that hazard would be addressed in a risk reduction effort.
risk assessment iteration(s). After the mechanical and process
Generally such hazards from failed equipment are addressed
residual risk evaluation and risk reduction has been resolved as
by using a system that would give the user, who is depending
much as possible the remaining residual risks are often dealt
on that “safety device, ” a positive indication that the device
with using safety related control functions.
that had been selected had worked. Or even though the safety
Another example of using the risk evaluation method, now
device failed, it had been applied in a failed to safe mode. In
with a slightly different data value system (Fig. 2) is from one
other words the failure of that device presented no additional
of the drafts of IEC 62061 it is shown in order to demonstrate
hazard then a yes could be the possible answer at the acceptable
the application of the general methodology of this paper. In this
risk decision point (Fig. 3).
example the SIL assignment value is developed and shown in
Getting a device or equipment design to fail in a safe mode in-
the matrix and is the proposed target for the safety related con-
volves thoughtful design work. For example to know if a switch
trol function needed to mitigate the hazard being analyzed. The
contact has failed closed (welded) the previous transition needs
“B (OM)” is recommended other measures e.g., risk category B
to have been detected. In a typical safety relay there are really
(ISO 13849-1), the shaded area is above the “de-minimus line”
two or three mechanically connected relays that go through a
established in the draft of the standard. Also the risk estimation
transition operation from open to close and back in a way that
sum Fr Pr Av column ranges were adjusted to fit the SIL
the safety circuit that is controlled will not be completed upon
assignment numbers that were used. The gray area defined by
closing of the safety relay, if it had not already been open (the
the “de-minimus line” boundary can provide additional infor-
failure detected might have happened because one of the con-
mation/guidance for addressing the residual risk that is revealed
tacts that had thought to have opened previously had in fact
during the next risk assessment part of the analysis process.
welded shut). The action then presented is a failed to safe state,
assuming the safety relay is properly applied to the risk reduc-
C. Other Factors to Consider tion effort for the hazard it is supposed to be addressing.
Doing the analysis early in the development of an industrial
machine yields a simpler and more cost effective design. As an
III. CONCLUSION
example, if a cutting operation on a web is needed in a repeatable
pattern, the web would most likely pass through some form of This paper has explained the fundamentals of a particular risk
rotating knife or slitter. The web entrance point might be able analysis method which can be used for industrial machines with
to be made so narrow that an operator could not be placed in a reasonably consistent outcomes. There are numerous texts that
situation where an injury could occur. deal with safety and risk analysis and show ways to expand the
ANDERSON: RISK ANALYSIS METHODOLOGY APPLIED TO INDUSTRIAL MACHINE DEVELOPMENT
basic steps shown in this paper, if the situation should need the
more complex analysis. The methodology shown here can be
used as a fundamental structure for analysis and to understand
the relevance of the more complex solutions (tools) in achieving
safety for an industrial machine.
It is to be noted that for industrial machine risk analysis, there
are other methods available that take each of the basic steps
shown in this paper and expand them to account for more com-
plex situations. However, because the data in question is often
taken from qualitative sources or is a compilation of qualitative
and quantitative data, more complex analysis methodology will
not necessarily provide additional precision relevant to the out-
come obtained from the analysis method shown in this paper.
NOMENCLATURE
Parameters used in the risk estimation and risk evaluation
parts of the risk the assessment methodology:
Se Severity and Consequences.
Fr Frequency and duration of exposure.
Pr Probability of the hazardous event occurrence.
Av Probability of avoiding or limiting harm from the
hazard.
Note that all parameters are to be defined and documented for each
risk assessment; the parameters are dimensioned to be consistent with
the established (chosen) “de-minimus risk level.” The suggested pa-
rameters and values in this paper parallel current practices, but have
not been standardized to date; their usefulness is established only when
they are contained in the documentation that is included with each risk
assessment.
Hzrd No. Hazard list number.
Note that the Hazard number shown in Table III and in Fig. 5 is de-
rived from a list of the types of hazards that were considered in the
assessment methodology and shown in Table III. The list of hazards
that are considered, using a defined numbering scheme both as a check
list and for ease of documentation, and should be included with the
documentation of each particular risk assessment. The suggested haz-
ards list may be added to or reduced for each situation. The suggested
numbering, though not yet formally standardized, is relatively aligned
with similar lists of hazards in existing standards [16], [18].
ACKNOWLEDGMENT
A methodology very similar to the methodology presented
in this paper was first shown to me by J. Persson of Tetra Pak
Carton Ambient AB, Lund, Sweden, who has contributed ex-
tensively to the development of machinery safety standards in-
cluding this methodology’s format and to IEC 62061. The au-
thor would like to also acknowledge the experts of IEC TC
44 Work Group 7 and their Convener, S. Frost from the UK
HSE, who are developing the standard IEC 62061 Safety of Ma-
chinery—Electrotechnical Aspects—Functional Safety of Elec-
trical, Electronic and Programmable Controls Systems.
The author would also like to thank Procter & Gamble en-
gineer J. Tuertscher who helped in the editing process for this
paper; D. Grimm, R. Van Dyke, both Procter & Gamble engi-
neers, and J. Persson of Tetra Pak Carton Ambient AB, for sug-
gested additions.
187
REFERENCES
[1] Safety Aspects—Guidelines for Their Inclusion in Standards, ISO/IEC
Guide 51, Definition 3.1, 1999.
[2] Webster’s New Collegiate Dictionary, 8th ed. Springfield, MA: G&C
Merriam, 1981.
[3] Functional Safety of Electrical/Electronic/Programmable Electronic
Safety—Related systems—Part 5: Examples of Methods for the Deter-
mination of Safety Integrity Levels, IEC 61508-5, 1998.
[4] Safety of Machinery—Safety—Related Parts of Control Systems—Part
1: General Principles for Design, ISO 13849-1, 1999.
[5] Safety of Machinery—Safety Related Parts of Control Systems—Part
100: Guidelines for the Use and Application of ISO 13849-1, ISO/TR
13849-100, 2000.
[6] Safety of Machinery—Electrotechnical Aspects—Functional Safety of
Electrical, Electronic and Programmable Controls Systems, IEC 62061,
expected publication of new standard 2005.
[7] American National Standard for Personnel Protection—Lockout/Tagout
of Energy Sources—Minimum Safety Requirements, ANSI Z244.1, 1982
(reaffirmed 1998, new edition due out 2004).
[8] Recommended Practice for Electrical Equipment Maintenance, NFPA
70B, 2002.
[9] Standard for Electrical Safety Requirements for Employee Workplaces,
NFPA 70E, 2004.
[10] Safety of Machinery—Basic Concepts, General Principles for De-
sign—Part 1: Basic Terminology, Methodology, Fig. 1—Risk Reduction
Process From the Point of View of the Designer, Fig. 2—Schematic
Representation of the Iterative 3-Step Method for the Risk Reduction
Process, ISO 12100-1:2003(E).
[11] National Electrical Code, NFPA 70, National Fire Protection Assoc.,
Quincy, MA, 2005.
[12] Electrical Standards for Industrial Machinery, NFPA 79, 2002.
[13] Safety of Machinery—Electrical Equipment of Machines—Part 1: Gen-
eral Requirements, IEC 60204-1, 1997.
[14] E. M. Marszal and E. W. Scharpf, Safety Integrity Level Selection Sys-
tematic Methods Including Layer of Protection Analysis. Research Tri-
angle Park, NC: Instrumentation Systems and Automation Soc., 2002,
ch. 3.
[15] B. W. Main, Risk Assessment Basics and Benchmarks. Ann Arbor, MI:
Desin Safety Engineering, 2004, ch. 4.
[16] Technical Report for Machine Tools—Risk Assessment and Risk Reduc-
tion—A Guide to Estimate, Evaluate and Reduce Risks Associated with
Machine Tools, Fig. 1—Risk Assessment and Risk Reduction Process,
Annex A, ANSI B11.TR 3-2000 .
[17] Safety of Machinery—Principles of Risk Assessment, Fig. 1—The Itera-
tiveProcess to Achieve Safety, ISO 14121:1999(E).
[18] Safety of Machinery—Principles of Risk Assessment, Annex A “Ex-
amples of Hazards, Hazardous Situations and Hazardous Events, ISO
14121:1999(E).
[19] Safety of Machinery—Basic Concepts, General Principles for De-
sign—Part 1: Basic Terninology, Methodology—Section 4—Hazards to
be Taken Into Account When Designing Machinery, ISO 12100-1:2003.
William E. Anderson (S’68–M’72–SM’03) was
born in Los Angeles, CA, in 1942. He received the
B.S. applied science degree from Portland State
University, Portland, OR, in 1972, the M.S.E.E.
degree from the University of Portland, Portland,
OR, in 1976, and the M.B.A. degree from Xavier
University, Cincinnati, OH, in 1979.
Prior to attending Portland State University, he
attended Los Angeles Trade Technical College
obtaining a commercial radio operators license,
worked for television and radio stations in Oregon,
and served in the U.S. Navy. Since receiving his B.S. degree he has worked for
Leupold and Stevens production engineering group and has done consulting
engineering work through H. C. Mason & Associates and Sandwell Interna-
tional in Portland, OR, and C&I Girdler/Bechtel, Louisville, KY. Since 1978,
he has been an Electrical Engineer with The Procter & Gamble Company,
Cincinnati, OH.
Mr. Anderson serves as a member of the SAE Electrical Standard for In-
dustrial Machinery committee that produces SAE Standard HS1738. He is a
principal member of the NFPA Electrical Equipment of Industrial Machinery
Committee that produces NFPA 79 and is an alternate as a representative IEEE
SCC-18 on NEC Code Panel 12. He is a member of IEC TC 44 and 17B and ISO
TC199. He serves as an expert for the U.S. National Committee to IEC TC44
on IEC 60204-1 standard maintenance committee. He is a Senior Member of
the American Society for Quality and a Registered Professional Engineer in the
States of Oregon and Ohio.