
Session 750-2

Risk Assessment: Why & What You Need to Know!

Part 2: Getting Started Methodology
Bruce W. Main, P.E., CSP

INTRODUCTION
Starting down the path of conducting risk assessments can be overwhelming at first. There is
much to know and learn. However, once you grasp the basic terminology and see the process
demonstrated, the assessment process becomes much more straightforward. Fortunately, there
are now software tools that can guide you through the process of risk assessment. Part of the
challenge of risk assessment is figuring out which method to use. This presentation discusses the
various methods available and provides a brief overview of the implementation challenges.

TERMINOLOGY
The various risk assessment methods use slightly different definitions for terms. A comparison of
the definitions is provided in Appendix A. A single definition for each term would be most
beneficial for companies that work across several industries. However, such a consensus has not
yet been developed. As long as the safety practitioner is certain that all personnel involved are
working from the same definition, the differences in the definitions are not terribly significant.
However, when the safety practitioner benchmarks other companies or other industries he or she
should be certain of the terminology so as to avoid potential confusion.

GETTING STARTED
Getting started in risk assessments requires some basic training (see Christensen and Manuele,
1999 for more details). Although the basic procedures are quickly learned, some of the nuances
can be more difficult to grasp initially. Once an organization has decided to use risk assessments
to evaluate a design, the first step is to determine which method to use. There are several
techniques available, some of which are discussed herein. Several will be shown in the
presentation. For more details refer to Risk Assessment Benchmarks 2000: Getting started,
making progress (Main, 2000) or ANSI B11 TR3.
Many methods can be conducted using basic office programs such as Excel or Access. However,
setting up the analysis and formatting the results in them takes no small effort. Special
software is available to guide users through the risk assessment process. Some examples of
software can be found at: www.robotics.org, www.semi.org, www.sae.org and
www.designsafe.com.

A team is usually formed to conduct the risk assessment because a team reduces individual
biases. A team is also more likely to identify more hazards than an individual and will assess the
risks more accurately. The team members should include design engineers, safety practitioners,
operators or users, manufacturing, maintenance personnel and others as befits the design (e.g.
legal or finance). With simple designs the safety practitioner can conduct much of the
assessment alone or with basic input from others.
Before the team begins an assessment, the parameters of the project should be clearly understood.
These limits can be related to the equipment, the environment, uses and misuses, or particular
users. Partial assessments that concentrate on certain aspects of the design or certain high risk
uses are acceptable provided such limitations are documented with the assessment. A partial
assessment that is later interpreted as being a shoddy complete assessment will bring trouble.

HAZARD ANALYSIS TECHNIQUES

Risk assessments are fundamental tools in the safety community. They help make and implement
decisions regarding safety, simultaneously preventing accidents, improving safety performance,
and reducing a manufacturer's liability exposure by systematically identifying and evaluating
hazards concerning the design, its uses, and potential "failures." Risk assessments should
advance designs rather than solely reviewing and checking past decisions. Particular focus
should be given to areas in which the designer has not been able to concentrate, and where safety
problems are often overlooked.
Although some risk assessments are formal and extensive analytical efforts, many of the
techniques should be adapted to a design's specific needs. This ensures the analysis advances the
design and remains focused on the critical safety issues. Some of the most significant types of
hazard analyses are briefly discussed below. Additional detail can be found on these methods in
the references.

Preliminary Hazard Analysis (PHA) evaluates safety performance and identifies potential
hazards. This is often the initial safety analysis conducted on a design and helps in developing
preliminary design criteria as designers and manufacturers either eliminate or control the hazards
they discover.
Hazard analysis is essentially a hazard discovery process that requires engineers to list the hazards
associated with use and expected misuse of a design in the environments it might potentially see.
Safety practitioners must anticipate how accidents or injuries might occur using design and safety
data, and experience. The nature of a PHA lends itself to a team approach such as brainstorming.
The hazard identification portion of the analysis must be properly executed because without the
requisite skill and training, potential hazards can be overlooked. Just as with other engineering
analyses, a poorly conducted or incomplete hazard analysis could be counterproductive in
avoiding accidents and liability. Missing an important hazard could also raise issues of recall or
retrofit campaigns that are costly and can hurt a manufacturer's reputation. Proper PHAs can be
particularly difficult for smaller manufacturers who do not have engineers trained in risk
assessments.
If conducted in the beginning of a design process, PHA evaluates a design's weak points and
allows early corrective action. This analysis also provides information concerning resource
allocations and prioritizing design activities.
PHA provides a qualitative rather than quantitative risk assessment, meaning it can be largely
subjective. PHA also ignores the risks of combined hazards or concurrent failures. As with other
engineering design analyses, PHA will not provide good data or information for decision making
if the scope of the analysis is too narrow and hazards are missed. Conversely, if the scope is too
broad, the effort becomes large and costly to implement.

A What-If Analysis is a more formal brainstorming process of seeking out hazards that might
lead to injuries. According to the NSC (1992), "A hazard review team asks itself hypothetical
questions about potential problems in the process, such as, 'What if the pipe breaks?' Then the
team ponders the consequences and proposes solutions."
While the What-If method can be useful in generating ideas, it has significant limitations related
to knowing when to stop the analysis. In the context of product liability, there is no clear
indication that a What-If approach is ever carried far enough. In the occupational safety setting,
the What-If approach can lead to some fairly broad thinking that can lead to inefficiencies in the
analysis. On the other hand, some manufacturers have found this method to be useful in
identifying hazards in their designs and design processes.

Safety checklists are used extensively in both the design and safety communities. A checklist
typically includes safety items that must be addressed for a design. Such checklists are most
helpful in repetitive design tasks or operations where design variation is small. Safety checklists
are useful because creating them requires a safety analysis. The resulting checklist is tailored to
the particular design. This same checklist can be used for subsequent designs if strong
similarities exist between the designs. However, using an old checklist for a new design is much
like applying structural analysis results from one design to another; when designs differ, the
analysis or safety checklist could obscure serious hazards. For instance, a new lightweight design
developed to replace a steel bracket fixture could include plastic components. A checklist
developed for the steel design is not likely to detect or account for creep.

A Hazards and Operability study (HAZOP) is a method primarily used to examine potential
process failures. A team examines all the ways process failures might occur and then identifies
how the hazards might be mitigated or minimized. This method is widely used in the chemical
processing industry. For a more detailed explanation refer to AICHE (1985).

Failure Modes and Effects Analysis (FMEA) identifies potential failure modes that could lead
to incidents. It breaks down designs into components or sub-components, then systematically
evaluates the potential for and effects of individual failures, focusing on how they can lead to
hazards or unreliability in a design. Results of the analysis are used to evaluate and implement
preventative measures to eliminate or control hazards.
The first step in conducting FMEA is defining the project's scope. Dividing designs into
assemblies of manageable size is useful if it doesn't overlook important failure modes or effects.
Working with a complete component list, one can establish the operational and environmental
factors affecting each component, and determine significant failure mechanisms for them.
Answering the following questions for each component and subcomponent helps identify failure
modes for all components: "Will a system failure cause an unacceptable loss? And what are the
modes and effects of failure of each element?" Failure modes should also include any special
circumstances that would increase the possibility of failure.
When conducting a quantitative analysis, engineers should quantify the risk by providing a
probability of occurrence and severity. References can help establish failure severity values,
probabilities of occurrence, a failure severity rating system, and overall failure probabilities.
Unfortunately, such information often doesn't exist and may be difficult to obtain. In its absence,
the analysis quality and usefulness may be greatly diminished.
However, FMEA is particularly well suited to situations where engineers are unsure what
problems might occur or how small problems could lead to larger ones. This kind of analysis is
very strong when the coupling or interactions between failures are not complex, and when system
and hardware problems are more likely to occur than problems of human interactions or error.
FMEA is also useful in determining which of several potential problems should receive priority
attention.
As a safety analysis tool, FMEA offers several advantages, particularly its ability to thoroughly
quantify overall risk and the consequences. Quantifying risk can take much of the subjectivity
out of safety analyses. But FMEA is not without limitations. Perhaps its largest drawback is that
it does not include human error. Since many accidents involve human error, this can be critical.
A thorough FMEA can also be costly and may not always be necessary. Completing it can
consume time evaluating noncritical components or failure modes which don't result in accidents.
FMEA typically does not look at system linkages and interactions or multiple-element failures.
Finally, the level of design maturity required for a quantitative FMEA is not generally reached
until late in the design phase.
The auto industry also makes extensive use of Failure Mode and Effects Analysis (FMEA), a
technique that is very similar to risk assessment. In 1993, GM, Ford and Chrysler first published
a Reference Manual for performing Potential Failure Mode and Effects Analysis (FMEA) that is
the technical equivalent of SAE J-1739. The analysis is to be performed by companies
subscribing to QS-9000. Of all the analytical methods developed in the safety community, design
engineers tend to be most familiar with the FMEA.
An FMEA is described as a systemized group of activities intended to: 1) recognize and evaluate
the potential failure of a product/process and its effects, 2) identify actions which could eliminate
or reduce the chance of the potential failure occurring, and 3) document the process.
The focus of an FMEA is on identifying component failures and looking at the potential effects
on the overall system. While failures identified and analyzed in an FMEA are different from the
type of safety hazards identified in a risk assessment, many of the same analytical processes are
used. The following steps are part of the FMEA: 1) identify the failure and its causes, 2)
describe the potential effect of the failure, 3) identify and quantify the severity or seriousness of
the effect of the failure, and 4) quantify the probability of the cause occurring.
Then the ways in which this failure can be prevented are identified. Last, a Risk Priority
Number (RPN) is computed, which quantifies the design risk as the product of the severity, the
probability and the ability to detect the cause. These risks are then ranked and decisions made as
to which failure modes will be addressed by corrective action.
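The RPN step above is easy to get wrong in practice, because the product of three ratings can hide a single high severity behind a low occurrence or easy detection. The following is an added example written for this page, not the author's code and not an implementation from SAE J-1739 or any of the software tools mentioned: the 1-to-10 rating scales, the action threshold, the severity floor and the sample failure modes are all constructed assumptions.

```python
"""FMEA Risk Priority Number (RPN) ranking.

Added example, not code from the paper or from SAE J-1739. The 1..10 rating
scales, the action threshold and the sample failure modes are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureMode:
    component: str
    mode: str            # how the component fails
    cause: str           # why it fails
    effect: str          # effect on the overall system
    severity: int        # 1 = no effect .. 10 = hazardous, no warning
    occurrence: int      # 1 = remote .. 10 = very high probability of the cause
    detection: int       # 1 = almost certain to be detected .. 10 = cannot detect

    def __post_init__(self):
        # Guard against ratings outside the assumed 1..10 scales.
        for name in ("severity", "occurrence", "detection"):
            value = getattr(self, name)
            if not 1 <= value <= 10:
                raise ValueError(f"{name} must be between 1 and 10, got {value}")

    @property
    def rpn(self) -> int:
        """Risk Priority Number: product of severity, occurrence and detection."""
        return self.severity * self.occurrence * self.detection


def rank_by_rpn(modes):
    """Highest RPN first; ties broken by severity so a severe but rarely
    occurring failure does not sort below a trivial but frequent one."""
    return sorted(modes, key=lambda m: (m.rpn, m.severity), reverse=True)


def select_for_corrective_action(modes, rpn_threshold=100, severity_floor=9):
    """Failure modes that get corrective action: those whose RPN exceeds the
    threshold, plus any mode rated at or above the severity floor even when a
    low occurrence or easy detection keeps its RPN small. The product hides
    such cases, so the severity check is applied separately (assumed policy)."""
    return [m for m in rank_by_rpn(modes)
            if m.rpn > rpn_threshold or m.severity >= severity_floor]


# Constructed sample data for a fictitious machine.
SAMPLE_MODES = [
    FailureMode("press guard interlock", "switch sticks closed", "contact corrosion",
                "press can cycle with guard open", severity=10, occurrence=3, detection=4),
    FailureMode("control panel", "ready lamp burns out", "lamp end of life",
                "operator unaware of machine state", severity=3, occurrence=6, detection=2),
    FailureMode("conveyor drive", "belt tracking drifts", "roller wear",
                "belt rubs frame, creating a pinch point", severity=7, occurrence=5, detection=5),
    FailureMode("emergency stop", "contacts weld", "overcurrent",
                "e-stop fails to open the circuit", severity=10, occurrence=1, detection=8),
]

if __name__ == "__main__":
    for m in rank_by_rpn(SAMPLE_MODES):
        print(f"RPN {m.rpn:4d}  {m.component}: {m.mode} -> {m.effect}")
    print("corrective action:",
          [m.component for m in select_for_corrective_action(SAMPLE_MODES)])
```

Run as a script it ranks the four constructed modes (175, 120, 80, 36) and selects three for action: the welded e-stop contacts have an RPN of only 80, yet the severity floor keeps them on the list, which is the situation the ranking alone would have missed.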

Again, while failures in this system are different from safety-related risks, the analysis that is
done and items quantified sound much like the typical risk assessment process. The primary
difference between these methods is that where the FMEA looks at design or component
failures, a risk assessment focuses on the human interactions and failures with the product or
system.

RISK ASSESSMENT MODELS

There are a number of risk assessment models in use today. Many of the models will be shown
during the presentation. Additional information about the models can be found in Main (2000).
Many models use two risk factors such as Severity and Probability. Each factor has a number of
levels, e.g. 2, 3, 4 or 5. Some models use as many as 10 levels for a factor.
Similarly, some models use three factors to assess risk. Usually the Probability factor is broken
down into two sub-factors such as Frequency of Exposure and Avoidance. Again the different
models use a variety of levels for each factor.
From the combination of the risk factor ratings, a risk level is derived. This combination can be
a fixed mapping, as in the tabular format of MIL-STD-882D, or a quantitative rating in which the
factors are mathematically combined to yield a risk priority number.
The selection of a risk model should depend on the industry recommended practice and on the
company culture. There is no one best model. Which particular model is used is less important
than finding one that works within the culture of an organization.
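To make the fixed-mapping combination concrete, here is an added example written for this page; it is not the author's code, not one of the tools from the sites cited, and not the MIL-STD-882D table itself. The Severity and Probability category names follow MIL-STD-882D, but the matrix cells, the Frequency of Exposure and Avoidance sub-factor tables, their level names and the tolerable-risk check are all constructed assumptions. It covers both the two-factor model and the three-factor variant in which Probability is derived from the two sub-factors by a second fixed table.

```python
"""Fixed-mapping risk models: two factors, and three factors with sub-factors.

Added example, not the paper's or any tool's code. Category names for Severity
and Probability follow MIL-STD-882D; every table below is constructed for
illustration and is not the standard's own mapping.
"""
from enum import IntEnum


class Severity(IntEnum):          # MIL-STD-882D severity categories
    CATASTROPHIC = 1
    CRITICAL = 2
    MARGINAL = 3
    NEGLIGIBLE = 4


class Probability(IntEnum):       # MIL-STD-882D probability levels
    FREQUENT = 1
    PROBABLE = 2
    OCCASIONAL = 3
    REMOTE = 4
    IMPROBABLE = 5


# Two-factor model: the risk level is read from a fixed table (constructed values).
# Row = severity, column = probability (FREQUENT .. IMPROBABLE).
RISK_MATRIX = {
    Severity.CATASTROPHIC: ["High",    "High",   "High",    "Serious", "Medium"],
    Severity.CRITICAL:     ["High",    "High",   "Serious", "Medium",  "Low"],
    Severity.MARGINAL:     ["Serious", "Medium", "Medium",  "Low",     "Low"],
    Severity.NEGLIGIBLE:   ["Medium",  "Low",    "Low",     "Low",     "Low"],
}

# Ordering used when comparing a derived level against a tolerable level.
LEVEL_ORDER = {"Low": 0, "Medium": 1, "Serious": 2, "High": 3}


def risk_level(severity: Severity, probability: Probability) -> str:
    """Fixed mapping of a (severity, probability) pair to a risk level."""
    return RISK_MATRIX[severity][probability - 1]


# Three-factor model: Probability is itself derived from two sub-factors,
# Frequency of Exposure and Avoidance, by a second fixed table (constructed).
class Exposure(IntEnum):
    CONTINUOUS = 1      # many times per shift
    FREQUENT = 2        # daily
    OCCASIONAL = 3      # monthly
    RARE = 4            # yearly or less


class Avoidance(IntEnum):
    IMPOSSIBLE = 1      # no chance to avoid harm once the hazardous event starts
    SOMETIMES = 2       # avoidable under some conditions
    LIKELY = 3          # usually avoidable


# Row = exposure, column = avoidance (IMPOSSIBLE .. LIKELY).
PROBABILITY_TABLE = {
    Exposure.CONTINUOUS: [Probability.FREQUENT,   Probability.FREQUENT,   Probability.PROBABLE],
    Exposure.FREQUENT:   [Probability.FREQUENT,   Probability.PROBABLE,   Probability.OCCASIONAL],
    Exposure.OCCASIONAL: [Probability.PROBABLE,   Probability.OCCASIONAL, Probability.REMOTE],
    Exposure.RARE:       [Probability.OCCASIONAL, Probability.REMOTE,     Probability.IMPROBABLE],
}


def probability_from(exposure: Exposure, avoidance: Avoidance) -> Probability:
    """Collapse the two sub-factors into a single Probability level."""
    return PROBABILITY_TABLE[exposure][avoidance - 1]


def risk_level_3(severity: Severity, exposure: Exposure, avoidance: Avoidance) -> str:
    """Three-factor assessment: sub-factors -> Probability -> risk level."""
    return risk_level(severity, probability_from(exposure, avoidance))


def meets_tolerable(level: str, tolerable: str = "Low") -> bool:
    """True when the derived level is at or below the tolerable level, i.e. no
    further protective measures are required under the assumed policy."""
    return LEVEL_ORDER[level] <= LEVEL_ORDER[tolerable]


if __name__ == "__main__":
    # Constructed hazard: an operator reaches into a moving mechanism many times
    # per shift with no time to withdraw; then the same hazard after a guard
    # limits exposure to rare maintenance access (the residual risk).
    before = risk_level_3(Severity.CRITICAL, Exposure.CONTINUOUS, Avoidance.IMPOSSIBLE)
    after = risk_level_3(Severity.CRITICAL, Exposure.RARE, Avoidance.LIKELY)
    print(f"initial risk: {before}, residual risk: {after}, tolerable: {meets_tolerable(after)}")
```

Because every cell is a table entry rather than a formula, the mapping can be reviewed and agreed by the team before any hazard is rated, which is the practical advantage of the tabular form over a computed number; the same two-table structure also makes it easy to record the residual risk after a protective measure by re-rating only the sub-factor the measure actually changed.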

IMPLEMENTATION ISSUES
One question that often arises is how long a risk assessment or safety analysis requires to
complete. The duration depends on a number of factors such as:

product or system complexity
scope of the analysis
company experience with similar designs (internal experience)
availability of data
originality of the design (external experience)
availability of industry standards and codes
formality of the analysis

The time needed to complete a risk assessment or other safety analysis depends on many of the
same variables that affect other engineering analyses. A typical analysis requires about a team-day to complete.
Risk assessments pay off in several ways, the primary one being a list of hazards associated with
the potential uses and foreseeable misuses of the design. Ideas for potential design changes and
improvements also commonly spring from analysis. Other potential outputs can form the basis
for specifying maintenance, training, and operating procedures. Risk assessments can also be
useful for subsequent design reviews as a design-specific safety checklist. When it comes to
litigation, results from risk assessment may soon become critically important in determining
whether a design was defective at the time of manufacture.
Risk assessments should ideally be part of a concurrent approach to product and process design,
with safety being just one of many analyses. Depending on system complexity and the number of
changes made, follow-up risk assessments may be necessary. Although usually considered a
method for new design development, risk assessments can also benefit a design evaluation at any
stage in the product or process life cycle (including in the field). In some cases, post design risk
assessments evolve into a springboard for new ideas and potential improvements.
As with many engineering analyses, better results are obtained by including different
perspectives. Obviously designers play a key role in risk assessments since no one knows the
design better than they. But they should understand not only the design and general hazards the
design presents, but also the analytical tools used. In addition, it's important to include someone
knowledgeable and trained in conducting risk assessments. Others, such as users, assemblers,
repair and maintenance personnel, and legal counsel can also offer valuable insight to uses,
potential misuse, and hazards.
Many risk assessments require information not easily obtained or quantified, such as probabilities,
failure rates and severity ratings. Obviously the output of a risk assessment will be only as good as
the quality of the inputs. Therefore, quantitative risk assessments tend to be used more often
when good information is available or the project warrants developing the data. One of the more
difficult aspects of quantitative analyses is determining what amount of risk is negligible, and
how safe is safe enough. Answering these difficult questions before starting the analysis usually
improves the result.
There are hundreds of other safety techniques, tools, and methods. Which particular technique is
best depends on the design, its stage of development, the level of complexity, the availability of
data, the project's needs and objectives, and personal preference. But conducting risk assessment
and tailoring it to the needs of a particular design is probably more important than which
particular analysis is used.
Unfortunately, there are no guarantees. As with other engineering analyses, things can go wrong
even when several analyses are conducted. One of the more common errors involves design
changes made after a risk assessment is completed. To avoid this, engineers must be aware of
how design changes affect a risk assessment and its underlying assumptions. Another risk
involved with risk assessments is in identifying a hazard but not resolving it. The analysis
summary would then constitute a "smoking gun", a document showing that designers knew of a
potential hazard but did nothing to prevent it. Designers must follow through when a potential
problem is identified.
An engineer's ability to improve safety and avoid accidents may be limited by the amount of
safety training he has had. Most have received little or no formal safety training. And although
safety engineers have the methods and techniques to address safety issues in a comprehensive
manner, they aren't often involved in the actual design process.
Drawing on techniques developed by the safety community can help designers concerned with
improving the level of safety in their designs. Integrating hazard evaluation procedures with
design can give designers the necessary tools to identify and modify components which have the
potential to cause accidents.

CLOSURE
Risk assessments are beginning to be integrated in engineering design processes. Understanding
the risk assessment process and how to get started in it is important for safety practitioners to
grasp. Safety practitioners can be more easily involved in or lead the process once they become
familiar with the terminology, the process and the choices that must be made in selecting the risk
assessment method.

REFERENCES
1. AAMI/ISO 14971-1998, Medical devices, risk management, Part 1: Application of risk
analysis, Association for the Advancement of Medical Instrumentation, www.aami.org.
2. AICHE (1985) American Institute of Chemical Engineers. Guidelines for Hazard
Evaluation Procedures. New York.
3. ANSI B11 Technical Report #3 Risk Assessment - A guideline to estimate, evaluate and
reduce risks associated with machine tools, under final review, expected release date 2000,
www.mfgtech.org.
4. Christensen, W., and Manuele, F., (1999) Safety Through Design, Institute for Safety
Through Design, NSC Press, www.nsc.org.
5. designsafe the hazard analysis and risk assessment guide, design safety engineering, inc.
copyright 1997-2000, www.designsafe.com.
6. EN 292-1/ISO 12100-1, Safety of machinery Basic concepts, general principles for design,
Basic terminology, methodology, 1999.
7. EN 292-2/ISO 12100-2, Safety of machinery Basic concepts, general principles for design,
Technical principles, 1999.
8. EN 1050-1996, Safety of machinery; risk assessment.
9. Main, B.W. (2000) Risk Assessment Benchmarks 2000: Getting Started, Making Progress,
design safety engineering, inc. www.designsafe.com
10. MIL-STD-882D. Standard Practice for System Safety, Department of Defense, U.S.A., 10
February 2000.
11. NSC (1992) Accident Prevention Manual, 10th edition, National Safety Council, Itasca, IL.
12. Robotics Industries Association, Ann Arbor, MI, ANSI/RIA R15.06-1999 Safety
requirements for robots and robot systems, www.robotics.org.
13. SAE J-1739 (1995) Potential Failure Modes and Effects Analysis, Society of Automotive
Engineers, Detroit, MI.
14. SEMI S10 1296 (1996) Safety Guideline for Risk Assessment, and S10.xx unpublished
draft revision (2000), Semiconductor Equipment and Materials International, Mountain
View, CA, www.semi.org.

APPENDIX A
Comparison of Risk Assessment Terms
Harm
An unplanned event or series of events resulting in death, injury, occupational illness,
damage to or loss of equipment or property, or damage to the environment (10) [MIL STD
882D]
Physical injury or damage to health of people (3) [ANSI/B11 TR3]
No definition (12) [ANSI/RIA R15.06]
Physical injury and/or damage to health or property (6) [EN 292-1/ISO 12100-1]
Physical injury or damage to health (8) [EN 1050]
Physical injury and/or damage to health or property (1) [AAMI/ISO 14971]
No definition given (14) [SEMI S10]
Hazard
Any real or potential condition that can cause injury, illness, or death to personnel; damage to
or loss of a system, equipment or property; or damage to the environment (10)
A potential source of harm (3)
A potential source of harm (12)
No definition (6)
A potential source of harm (8)
Potential source of harm (1)
A condition that is a prerequisite to a mishap (14)
Residual Risk
No definition (10)
Risk remaining after protective measures have been taken (3)
That risk that remains after safeguarding devices have been applied (12)
Risk remaining after safety measures have been taken (6)
Risk remaining after protective measures have been taken (8)
No definition (1)
No definition (14)
Risk
An expression of the possibility/impact of a mishap in terms of potential mishap severity and
probability (7)
A combination of the probability of occurrence of harm and the severity of that harm (3)
A combination of the probability and the degree of the possible injury or damage to health in
a hazardous situation (10)
No definition (6)
Combination of the probability of occurrence of harm and the severity of that harm (8)
Probable rate of occurrence of a hazard causing harm and the degree of severity of the harm
(1)
The expected losses from a mishap, expressed in terms of severity and likelihood (14)

Risk Assessment
The process by which the results of risk analysis are used to make decisions (10)
The process by which the intended use of the machine, the tasks and hazards, and the level of
risk are determined (3)
A comprehensive evaluation of the possible injury or damage to health in a hazardous
situation in order to select appropriate safeguards (12)
No definition (6)
The overall process of risk analysis and risk evaluation (8)
Investigation of available information to identify hazards and to estimate risk (1)
No definition (14)
Tolerable Risk
No definition (10)
Risk which is accepted for a given task and hazard combination [hazardous situation] (3)
No definition (12)
No definition (6)
No definition (8)
No definition (1)
No definition (14)
Severity
The severity of the mishap that could be caused by the hazard (10)
No definition (3)
No definition (12)
No definition (6)
No definition (8)
No definition (1)
The extent of the worst credible loss from a mishap caused by a specific hazard (14)
Probability
The probability that the hazard exists-usually 1.0 (10)
No definition (3)
No definition (12)
No definition (6)
No definition (8)
No definition (1)
The expected frequency with which a mishap will occur. Usually expressed as a rate (e.g.
events per year, per product, per wafer processed) (14)
