
Design for Safety and Risk Assessment Christopher Saldana, Ph.D. Woodruff School of Mechanical Engineering Georgia Institute of Technology Atlanta, Georgia USA


Post on 17-Jan-2022






Page 1: Design for Safety and Risk Assessment

Christopher Saldana, Ph.D.
Woodruff School of Mechanical Engineering
Georgia Institute of Technology
Atlanta, Georgia USA

Page 2: Design for Safety and Risk Assessment


Linkages to major quality management standards

Page 3: Design for Safety and Risk Assessment


Learning Objectives

Identify safety risks and assess them
• Risk assessment matrix

Identify failure modes, their detectability, severity and probability of occurrence
• Failure modes and effects analysis (FMEA)

Combine individual solutions to deal with these failure modes

Page 6: Design for Safety and Risk Assessment


Consumer product safety cases

McDonald’s Coffee

"In 1992, 79-year-old Stella Liebeck bought a cup of takeout coffee at a McDonald's drive-thru in Albuquerque and spilled it on her lap. She sued McDonald's and a jury awarded her nearly $3 million in punitive damages for the burns she suffered."

Consumer Attorneys of California, “The McDonald’s Hot Coffee Case,” 01/30/2017

Toyota Accelerator

"Toyota Motor lied to regulators, Congress and the public for years about the sudden acceleration of its vehicles, a deception that caused the world’s largest automaker on Wednesday to be hit with a $1.2 billion Justice Department fine."

D. Douglas, “Toyota reaches $1.2 billion settlement to end probe of accelerator problems,” Washington Post, 03/19/2014

Page 7: Design for Safety and Risk Assessment


Industrial safety cases: Aerial Lift

“2 workers fell from an aerial bucket lift and were killed at the Oxy Chemical Wichita plant,” KSN TV, June 30, 2016

“Notre Dame Student Dies at Practice,” Associated Press, October 27, 2010

Important questions:

• How should training/documentation and administrative/engineering controls be designed?

• How do we systematically assess risk?

Page 8: Design for Safety and Risk Assessment


Historical Case Studies

1. Apollo 1: fire during launch test

2. Space Shuttle Challenger: shuttle failure on takeoff

3. Space Shuttle Columbia: shuttle failure on re-entry

4. Boeing 737 MAX: 2 hull losses on takeoff


Page 10: Design for Safety and Risk Assessment


Case 1: Apollo 1 Spacecraft

Accident Date: 27 January 1967

Crew: G. Grissom, E. White, R. Chaffee

Condition: ‘Plugs-out’ test (pressurized, no umbilical)

Official causes:

1. Ignition source due to faulty/frayed wiring
2. Pure O2 atmosphere at greater than atmospheric pressure
3. Combustible materials in cabin (e.g., Velcro)
4. Inadequate emergency preparedness

Root issue: failure modes analysis


Page 12: Design for Safety and Risk Assessment


Case 2: Space Shuttle Challenger

Accident Date: 28 January 1986

Crew: F. Scobee, M. Smith, R. McNair, E. Onizuka, J. Resnik, G. Jarvis, C. McAuliffe

Condition: Shuttle takeoff

Official causes:

1. Low-temperature O-ring failure in SRB
2. Failure in communication during/before launch day
3. Flawed NASA management structure

Root issues: communication breakdown, groupthink

Page 13: Design for Safety and Risk Assessment


Groupthink

History: Social psychological phenomenon described by I. Janis (1972)

Characteristic: A group of people makes non-optimal decisions due to an urge to conform and/or the discouragement of dissent

Influencing conditions: Cohesiveness of the group, rules governing the decision-making process, leadership character, social homogeneity, situational context


Page 15: Design for Safety and Risk Assessment


Case 3: Space Shuttle Columbia

Accident Date: 01 February 2003

Crew: R. Husband, W. McCool, M. Anderson, K. Chawla, D. Brown, L. Clark, I. Ramon

Condition: Atmospheric re-entry

Official causes:

1. Foam from external tank struck left wing on takeoff
2. Impact caused breach in wing and heat shield
3. Re-entry gases caused vehicle failure

Identified issue: decision-making and risk-assessment

Page 16: Design for Safety and Risk Assessment


Risk Assessment Matrix

Risk assessment matrix / form

• Tool for evaluating probable risks in terms of the likelihood or probability of the risk and the severity of the consequences

• Visualization of risk for decision making

• Development of actionable plans in a systematic manner

What type of risks exist?

• Persons, Product, Environment

What are the SEVERITIES of the risk?

What is the PROBABILITY that the risk will occur?

Page 17: Design for Safety and Risk Assessment



Risk Assessment Matrix

Severity – Negligible, Marginal, Critical, Catastrophic

Negligible – one minor injury
Marginal – one severe injury, multiple minor injuries
Critical – one death or multiple severe injuries
Catastrophic – multiple deaths

Probability – Certain, Likely, Possible, Unlikely, Rare

Page 18: Design for Safety and Risk Assessment


Risk Assessment Matrix

Rows: risk probability. Columns: risk severity.

              Negligible   Marginal   Critical   Catastrophic
Certain       High         High       Extreme    Extreme
Likely        Moderate     High       High       Extreme
Possible      Low          Moderate   High       Extreme
Unlikely      Low          Low        Moderate   Extreme
Rare          Low          Low        Moderate   High

Risk Types

❖ Low Risk
❖ Moderate Risk
❖ High Risk
❖ Extreme Risk

Page 19: Design for Safety and Risk Assessment


Risk Assessment Matrix

Extreme Risk: These risks are the most critical and must be addressed on a high-priority basis. The project team should gear up for immediate action so as to eliminate the risk completely.

High Risk: These also call for immediate action or risk management strategies. Here, in addition to thinking about eliminating the risk, substitution strategies may also work well. If these issues cannot be resolved immediately, strict timelines must be established to ensure that they are resolved before they create hurdles to progress.

Moderate Risk: Take some reasonable steps and develop risk management strategies in time, even though there is no hurry to have such risks sorted out early. Such risks do not require extensive resources; rather, they can be handled with smart thinking and logical planning.

Low Risk: These risks can generally be ignored as they usually do not pose any significant problem. Still, if some reasonable steps can help in fighting these risks, such steps should be taken to improve the overall performance of the project.
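The matrix above encoded as data, as an added example that is not part of the lecture: it classifies a hazard by probability and severity, checks that the matrix is internally consistent (raising severity or probability never lowers the risk level, a check worth running on any matrix before it is used for prioritization), and ranks a list of hazards. The tablesaw ratings in HAZARDS are constructed for illustration, not figures from the slides.

```python
from itertools import product

# The lecture's 5x4 matrix: probability rows (top = Certain), severity columns.
SEVERITIES = ["Negligible", "Marginal", "Critical", "Catastrophic"]
PROBABILITIES = ["Certain", "Likely", "Possible", "Unlikely", "Rare"]
LEVELS = ["Low", "Moderate", "High", "Extreme"]  # ascending order of risk

MATRIX = {
    "Certain":  ["High",     "High",     "Extreme",  "Extreme"],
    "Likely":   ["Moderate", "High",     "High",     "Extreme"],
    "Possible": ["Low",      "Moderate", "High",     "Extreme"],
    "Unlikely": ["Low",      "Low",      "Moderate", "Extreme"],
    "Rare":     ["Low",      "Low",      "Moderate", "High"],
}


def risk_level(probability, severity):
    """Risk level for one (probability, severity) pair, e.g. Rare x Catastrophic -> High."""
    return MATRIX[probability][SEVERITIES.index(severity)]


def matrix_is_monotonic():
    """Consistency check: raising severity or probability must never lower the
    risk level. A matrix that fails this would rank hazards inconsistently."""
    for p_i, s_i in product(range(len(PROBABILITIES)), range(len(SEVERITIES))):
        here = LEVELS.index(MATRIX[PROBABILITIES[p_i]][s_i])
        # One column to the right is more severe.
        if s_i + 1 < len(SEVERITIES):
            if LEVELS.index(MATRIX[PROBABILITIES[p_i]][s_i + 1]) < here:
                return False
        # One row up is more probable.
        if p_i > 0 and LEVELS.index(MATRIX[PROBABILITIES[p_i - 1]][s_i]) < here:
            return False
    return True


def rank_hazards(hazards):
    """(name, level) pairs sorted highest risk first; ties keep input order."""
    scored = [(name, risk_level(p, s)) for name, p, s in hazards]
    return sorted(scored, key=lambda t: LEVELS.index(t[1]), reverse=True)


# Constructed ratings for the tablesaw example (not the lecture's own figures).
HAZARDS = [
    ("Tablesaw, no guard, hand near blade", "Likely", "Critical"),
    ("Tablesaw with guard and push stick", "Unlikely", "Critical"),
    ("Sawdust on floor, slip hazard", "Possible", "Marginal"),
]

if __name__ == "__main__":
    print("matrix consistent:", matrix_is_monotonic())
    for name, level in rank_hazards(HAZARDS):
        print(f"{level:9} {name}")
```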

Page 20: Design for Safety and Risk Assessment


Risk Assessment Matrix

Example: Unsafe use of a tablesaw

• What is the risk severity?

• What is the risk probability?

• How can design and/or use changes affect the risk assessment?


Page 22: Design for Safety and Risk Assessment



Risk Assessment Matrix

Example: Unsafe use of a tablesaw

Design and/or training changes:

• Design changes, engineering controls, administrative controls

• How do we systematically assess risk?

Page 23: Design for Safety and Risk Assessment


Risk Matrix – Methods for Improvement

Elimination/Substitution
• Most effective
• Difficult to implement for existing processes

Engineering controls
• Methods built into design to minimize hazards
• Good idea as operator-independent
• Can be expensive to implement

Administrative controls
• Rules and work practices to minimize hazards
• Good idea as these are cheap to implement
• Operator-dependent; need good safety culture

Personal protective equipment
• Bare minimum to reduce exposure to hazard
• Should not be the only method used

National Institute for Occupational Safety and Health (NIOSH)

Page 24: Design for Safety and Risk Assessment



Risk Assessment Matrix

Example: Unsafe use of a tablesaw

Miter gauge


Page 26: Design for Safety and Risk Assessment



Risk Assessment Matrix

Example: Unsafe use of a tablesaw

Automated sawstop

Miter gauge

Page 27: Design for Safety and Risk Assessment


Failure modes and effects analysis (FMEA)

❖ FMEA – structured approach to:

– Identifying the ways in which a product or process can fail
– Estimating risk associated with specific causes
– Prioritizing the actions that should be taken to reduce risk
– Evaluating the design validation plan (design FMEA) or current control plan (process FMEA)

❖ FMEA types – design and process

❖ Role in industrial processes

Page 28: Design for Safety and Risk Assessment


Failure modes and effects analysis (FMEA)

❖ Important terms

– Failure mode – manner by which failure occurs for a function (related accident scenarios)
– Cause – failure mechanism for a specific failure mode
– Effect – consequences of failure on operation, function or status

❖ Important metrics for failures

– Severity (S) – 1 (not severe) to 10 (very severe)
– Occurrence (O) – 1 (not likely) to 10 (very likely)
– Detection (D) – 1 (easy to detect) to 10 (not easy to detect)

❖ Important overall measures

– Risk priority number (RPN), RPN = S x O x D
– Criticality (CRIT), CRIT = S x O

Page 29: Design for Safety and Risk Assessment


Failure modes and effects analysis (FMEA)

1. For each process input or product function, determine the ways in which the input or function can go wrong (failure modes)

2. For each failure mode, determine the potential effects and select a severity level for the effects.

3. Identify potential causes of each failure mode and select an occurrence level for the causes.

4. List current controls for each cause, select detection level for each cause.

5. Calculate the Risk Priority Number (RPN)

6. Develop actions and assign responsible persons (prioritize high RPNs)

7. Determine effects of possible changes in controls or design to RPNs

Page 30: Design for Safety and Risk Assessment


What can go wrong here?

Peel P50 (1964)

Page 31: Design for Safety and Risk Assessment


Example: FMEA redesign

Automobile with one headlight (no instrument cluster)
What are the failure modes, effects, causes and controls?

Circuit diagram: Battery – Switch – Light

Possible Failure Modes:
• Light doesn’t turn on
• Light doesn’t turn off

Possible Failure Effects:
• Light doesn’t turn on
  – Driver can’t see obstacles
  – Car inoperable at night (S = 8)
• Light doesn’t turn off
  – Battery dies
  – Car won’t start (S = 10)

Possible Root Causes:
• Light doesn’t turn on
  – Battery dead (O = 8)
  – Broken wire (O = 3)
  – Headlight out (O = 10)
  – Switch corroded (O = 2)
  – Switch broken (O = 3)
• Light doesn’t turn off
  – Short circuit in switch (O = 2)
  – Operator error (left on) (O = 8)

Example adapted from: Cyders, Ohio University, 2013.

Page 32: Design for Safety and Risk Assessment


Example: FMEA redesign

Automobile with one headlight (no instrument cluster)
What are the failure modes, effects, causes and controls?

Controls/indicators:
• Light doesn’t turn on
  – User notices lights off in dark
• Light doesn’t turn off
  – User notices lights on in dark

Detectability (D):
• Light doesn’t turn on (D = 6)
  – User notices lights off in dark
  – User doesn’t notice lights off during day
• Light doesn’t turn off (D = 6)
  – User notices lights on in dark
  – User doesn’t notice lights not on during day

Page 33: Design for Safety and Risk Assessment


Example: FMEA redesign

Failure Mode: Light doesn’t turn on

Original: Single headlight automobile.

Possible Effect           Root Cause        S    O    D    RPN
Car inoperable at night   Battery dead      10   8    6    480
                          Broken wire       8    3    6    144
                          Headlight out     8    10   6    480
                          Switch corroded   8    2    6    96
                          Switch broken     8    3    6    144

Redesign: (1) Use two headlights instead of one; (2) Add visual lights-on console display.

Possible Effect           Root Cause        S    O    D    RPN
Car inoperable at night   Battery dead      10   8    2    160
                          Broken wire       8    3    6    144
                          Headlight out     3    10   6    180
                          Switch corroded   8    2    6    96
                          Switch broken     8    3    6    144

Result: improves usability at night (lower severity score) and enables detection (lower detectability score).

Example adapted from: Cyders, Ohio University, 2013.

Page 34: Design for Safety and Risk Assessment


Example: FMEA redesign

FMEA worksheet (original)

Process Step or System Function: Headlight operation / Provide driver visibility at night
Potential Failure Mode: Light doesn't turn on
Potential Failure Effect: Car inoperable at night
Current Controls: User observation

Potential Causes    Severity (S)   Occurrence (O)   Detectability (D)   Risk Priority Number (RPN)
Battery expended    10             8                6                   480
Wire broken         8              3                6                   144
Bulb failure        8              10               6                   480
Switch corroded     8              2                6                   96
Switch broken       8              3                6                   144

FMEA worksheet (redesign)

Process Step or System Function: Headlight operation
Potential Failure Mode: Light doesn't turn on
Potential Failure Effect: Car inoperable at night
New Controls: Use two headlights instead of one. Add “lights on” console indicator. User observation.

Potential Causes    Severity (S)   Occurrence (O)   Detectability (D)   Risk Priority Number (RPN)
Battery expended    10             8                2                   160
Wire broken         8              3                6                   144
Bulb failure        3              10               6                   180
Switch corroded     8              2                6                   96
Switch broken       8              3                6                   144
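The two worksheets as code, an added example rather than anything from the lecture or from the Cyders source it adapts: it carries the headlight ratings through steps 5 to 7 of the FMEA procedure (compute RPN = S x O x D, prioritize the high RPNs, then see how the redesign's controls moved them). The RPN threshold of 150 used for prioritization is an assumption; the slides set no threshold.

```python
from dataclasses import dataclass


@dataclass
class Cause:
    """One potential cause of a failure mode with its three 1-10 ratings."""
    cause: str
    severity: int    # S: 1 (not severe) .. 10 (very severe)
    occurrence: int  # O: 1 (not likely) .. 10 (very likely)
    detection: int   # D: 1 (easy to detect) .. 10 (not easy to detect)

    def __post_init__(self):
        for v in (self.severity, self.occurrence, self.detection):
            if not 1 <= v <= 10:
                raise ValueError(f"{self.cause}: ratings must be 1..10, got {v}")

    @property
    def rpn(self):
        return self.severity * self.occurrence * self.detection  # RPN = S x O x D


# Failure mode "Light doesn't turn on", effect "Car inoperable at night";
# the ratings are the worksheet's own.
ORIGINAL = [
    Cause("Battery expended", 10, 8, 6),
    Cause("Wire broken", 8, 3, 6),
    Cause("Bulb failure", 8, 10, 6),
    Cause("Switch corroded", 8, 2, 6),
    Cause("Switch broken", 8, 3, 6),
]
# Redesign: two headlights (lower S for bulb failure) and a "lights on"
# console indicator (lower D for battery expended).
REDESIGN = [
    Cause("Battery expended", 10, 8, 2),
    Cause("Wire broken", 8, 3, 6),
    Cause("Bulb failure", 3, 10, 6),
    Cause("Switch corroded", 8, 2, 6),
    Cause("Switch broken", 8, 3, 6),
]


def prioritize(causes, threshold=150):
    """Step 6: causes above an RPN threshold, highest RPN first.
    The threshold of 150 is an assumption; the lecture sets none."""
    ranked = sorted(causes, key=lambda c: c.rpn, reverse=True)
    return [c.cause for c in ranked if c.rpn > threshold]


def compare(before, after):
    """Step 7: {cause: (old RPN, new RPN)} for every cause whose RPN changed."""
    old = {c.cause: c.rpn for c in before}
    return {c.cause: (old[c.cause], c.rpn) for c in after if old[c.cause] != c.rpn}


if __name__ == "__main__":
    print("original priorities:", prioritize(ORIGINAL))
    print("redesign priorities:", prioritize(REDESIGN))
    for cause, (old_rpn, new_rpn) in compare(ORIGINAL, REDESIGN).items():
        print(f"{cause}: RPN {old_rpn} -> {new_rpn}")
```

Note that the redesign lowers the two worst RPNs but does not change their rank order much: bulb failure still tops the list, because O = 10 is untouched by either control.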


Page 37: Design for Safety and Risk Assessment


Case example: infant inclined sleepers

American Academy of Pediatrics (AAP)

• “There is no such thing as a safe infant inclined sleeper”

• “[An infant sleeper is] a product that typically positions an infant at an incline of up to 30 degrees and usually has design elements such as a rounded sleep surface and plush side padding.”

• “The AAP recommends infants sleep on their backs, alone, unrestrained, on a firm, flat surface, free of padding, bumpers and other soft bedding.”

Failure modes

Product risks

Page 38: Design for Safety and Risk Assessment


Infant inclined sleepers - incidents

Page 39: Design for Safety and Risk Assessment


Child-focused products

1) All product liability laws apply to children’s products

2) Additional laws, regulations, standards (and jury expectations) exist specifically to protect children (and their parents/caregivers)

3) Stakeholders: Newborns, Infants, Toddlers, Youths, Parents, Grandparents, Caregivers, Daycares

Page 40: Design for Safety and Risk Assessment


Relevant laws and standards

Child endangerment laws

• Penal Code 273a is California’s “child endangerment” law. It punishes someone who willfully exposes a child to pain, suffering, or danger. Under Penal Code 273a, it is the possibility of serious danger that is being punished.

Juvenile sleeper safety standards

• ASTM F1169 - Specification for Full-Size Baby Cribs
• ASTM F2194 - Specification for Bassinets and Cradles
• ASTM F406 - Specification for Non-Full-Size Baby Cribs
• ASTM F3118 - Specification for Infant Inclined Sleep Products

Page 41: Design for Safety and Risk Assessment


Testing child-focused products

Informed Consent

• The process by which a patient (1) learns about and understands the purpose, benefits, and potential risks of a medical or surgical intervention, including clinical trials, and then (2) agrees to receive the treatment or participate in the trial. Informed consent generally requires that the patient or responsible party (3) signs a statement confirming that they understand the risks and benefits of the procedure or treatment.

At-risk groups (require extra precautions)

• Children, elderly, pregnant women, prisoners

How can children Understand, Agree, and Sign?

Page 42: Design for Safety and Risk Assessment


Product testing – challenges

1) Initially positioning babies the same way every time

2) Positioning different size/weight babies

3) Stimulating the baby to roll (toys, noisemakers, enthusiasm of tester)

4) Time duration of tests

5) Once turned over, how long to let them struggle to turn back to safety?

6) Monitoring health (e.g. oxygen levels) of baby

7) Repeat for many babies and many products

Page 43: Design for Safety and Risk Assessment


Children test subjects – implementation

1) Parents are allowed to give informed consent on behalf of their children

2) Babies are motivated or tempted by toys to engage in certain behavior
• Danger – experimenters do not give the same inputs (temptations) for different babies and products

3) Parents fill out use surveys and provide their view of the product performance

4) Babies get very little voice in this process

If your product fails because it requires the user to act/think in unnatural ways, then it is a product failure, not a user error.

Page 44: Design for Safety and Risk Assessment


Summary / Learning Objectives

Identify safety risks and assess them
• Risk assessment matrix

Identify failure modes, their detectability, severity and probability of occurrence
• Failure modes and effects analysis (FMEA)

Combine individual solutions to deal with these failure modes