design for safety and risk assessment2110.me.gatech.edu/...slides/...productsafetyrisk.pdfidentify...

Design for Safety and Risk Assessment

C h r i s t o p h e r S a l d a n a , P h . D .W o o d r u f f S c h o o l o f M e c h a n i c a l E n g i n e e r i n g

G e o r g i a I n s t i t u t e o f T e c h n o l o g y

A t l a n t a , G e o r g i a U S A

2

Linkages to major quality management standards

3

Identify safety risks and assessment

• Risk assessment matrix

Identify failure modes, their detectability, severity and probability of occurrence

• Failure modes and effects analysis (FMEA)

Combining individual solutions to deal with these failure modes

Learning Objectives

6

In 1992, 79-year-old Stella Liebeck bought a

cup of takeout coffee at a McDonald's drive-

thru in Albuquerque and spilled it on her lap.

She sued McDonald's and a jury awarded

her nearly $3 million in punitive damages for the burns she suffered.

Toyota Motor lied to regulators, Congress and the public for years about the sudden acceleration of its vehicles, a deception that caused the world’s largest automaker on Wednesday to be hit with a $1.2 billion Justice Department fine.

Consumer product safety cases

Toyota Accelerator

D. Douglas, “Toyota reaches $1.2 billion settlement to end probe of accelerator problems,” Washington Post, 03/19/2014

McDonald’s Coffee

Consumer Attorneys of California, “The McDonald’s Hot Coffee Case,” 01/30/2017

7

Industrial safety cases: Aerial Lift

“2 workers fell from an aerial bucket lift and were killed at the Oxy Chemical Wichita plant,” KSN TV, June 30, 2016

“Notre Dame Student Dies at Practice,” Associated Press, October 27, 2010

Important questions:

• How should training/documentation and

administrative/engineering controls be designed?

• How do we systematically assess risk?

8

1. Apollo 1: fire during launch test

2. Space Shuttle Challenger: shuttle failure on takeoff

3. Space Shuttle Columbia: shuttle failure on re-entry

4. Boeing 737 MAX – 2 hull losses on takeoff

Historical Case Studies

nasa.gov wsj.com

10

Accident Date: 27 January 1967

Crew: G. Grissom, E. White, R. Chaffee

Condition: ‘Plugs-out’ test (pressurized, no umbilical)

Official causes:

1. Ignition source due to faulty/frayed wiring2. Pure O2 atmosphere at greater than atmospheric pressure3. Combustible materials in cabin (e.g., Velcro)4. Inadequate emergency preparedness

Root issue: failure modes analysis

Case 1: Apollo 1 Spacecraft

nasa.gov

time.com

12

Case 2: Space Shuttle Challenger

Accident Date: 28 January 1986

Crew: F. Scobee, M. Smith, R. McNair, E. Onizuka, J. Resnik, G. Jarvis, C. McAuliffe

Condition: Shuttle takeoff

Official causes:

1. Low-temperature O-ring failure in SRB2. Failure in communication during/before launch day3. Flawed NASA management structure

Root issues: communication breakdown, groupthink nasa.gov

13

History: Social psychological phenomenon developed by I. Janis (1972)

Characteristic: Group of people make non-optimal decisions due to urge to conform and/or discouragement of dissent

Groupthink

Influencing conditions: Cohesiveness of the group, rules governing decision-making process, leadership character, social homogeneity, situational context

15

Case 3: Space Shuttle Columbia

Accident Date: 01 February 2003

Crew: R. Husband, W. McCool, M. Anderson, K. Chawla, D. Brown, L. Clark, I. Ramon

Condition: Atmospheric re-entry

Official causes:

1. Foam from external tank struck left wing on takeoff2. Impact caused breach in wing and heat shield3. Re-entry gases caused vehicle failure

Identified issue: decision-making and risk-assessment processesnasa.gov

16

Risk assessment matrix / form

• Tool for evaluating probable risks in terms of the likelihood or probability of the risk and the severity of the consequences

• Visualization of risk for decision making

• Development of actionable plans in a systematic manner

What Type of Risks Exist?

• Persons, Product, Environment

What are the SEVERITIES of the risk?

What is the PROBABILITY that the risk will occur?

Risk Assessment Matrix

17

Severity

Negligible – one minor injury

Marginal – one severe injury, multiple minor injuries

Critical – one death or multiple severe injuries

Catastrophic – multiple deaths

Probability – Certain, Likely, Possible, Unlikely, Rare


18

Negligible Marginal Critical Catastrophic

Certain High High Extreme Extreme

Likely Moderate High High Extreme

Possible Low Moderate High Extreme

Unlikely Low Low Moderate Extreme

Rare Low Low Moderate High

Risk Severity

Risk Probability

❖ Low Risk

❖ Moderate Risk

❖ High Risk

❖ Extreme Risk

Risk Types


19

Extreme Risk: The risks are most critical and that must be addressed on a high priority basis. The project team should gear up for immediate action, so as to eliminate the risk completely.

High Risk: Also call for immediate action or risk management strategies. Here in addition to thinking about eliminating the risk, substitution strategies may also work well. If these issues cannot be resolved immediately, strict timelines must be established to ensure that these issues get resolved before the create hurdles in the progress.

Moderate Risk: Take some reasonable steps and develop risk management strategies in time, even though there is no hurry to have such risks sorted out early. Such risks do not require extensive resources; rather they can be handled with smart thinking and logical planning.

Low Risk: These risks can be generally ignored as they usually do not pose any significant problem. However still, if some reasonable steps can help in fighting these risks, such steps should be taken to improve overall performance of the project.


20

Risk Assessment MatrixExample: Unsafe use of a tablesaw

• What is the risk severity?

• What is the risk probability?

• How can design and/or use changes affect the risk assessment?

woodgears.ca

22







Risk Severity

Risk Probability

❖ Low Risk

❖ Moderate Risk

❖ High Risk

❖ Extreme Risk

Risk Types


Design and/or training changes:

• Design changes, engineering controls,

administrative controls

• How do we systematically assess risk?

Example: Unsafe use of a tablesaw

woodgears.ca

23

Risk Matrix – Methods for Improvement

Elimination/Substitution• Most effective• Difficult to implement for existing processes

Engineering controls• Methods built into design to minimize hazards• Good idea as operator-independent• Can be expensive to implement

Administrative controls• Rules and work practices to minimize hazards• Good idea as these are cheap to implement• Operator-dependent need good safety culture

Personal protective equipment• Bare minimum to reduce exposure to hazard• Should not be the only method used

National Institute of Occupational Safety and Health (NIOSH)

24







Risk Severity

Risk Probability

❖ Low Risk

❖ Moderate Risk

❖ High Risk

❖ Extreme Risk

Risk Types


Miter gauge

woodgears.ca

26







Risk Severity

Risk Probability

❖ Low Risk

❖ Moderate Risk

❖ High Risk

❖ Extreme Risk

Risk Types


Automated sawstop

woodgears.ca

Miter gauge

sawstop.com

27

Failure modes and effects analysis (FMEA)❖ FMEA - structured approach to:

– Identifying the ways in which a product or process can fail

– Estimating risk associated with specific causes

– Prioritizing the actions that should be taken to reduce risk

– Evaluating design validation plan (design FMEA) or current control plan (process FMEA)

❖ FMEA types – design and process

❖ Role in industrial processes

28

Failure modes and effects analysis (FMEA)❖ Important terms

– Failure mode – manner by which failure occurs for a function (related accident scenarios)

– Cause – failure mechanism for a specific failure mode

– Effect – consequences of failure on operation, function or status

❖ Important metrics for failures

– Severity (S) – 1 (not severe) to 10 (very severe)

– Occurrence (O) – 1 (not likely) to 10 (very likely)

– Detection (D) – 1 (easy to detect) to 10 (not easy to detect)

❖ Important overall measures

– Risk priority number (RPN), RPN = S x O x D

– Criticality (CRIT), CRIT = S x O

29

Failure modes and effects analysis (FMEA)

1. For each process input or product function, determine the ways in which the input or function can go wrong (failure modes)

2. For each failure mode, determine the potential effects and select a severity level for the effects.

3. Identify potential causes of each failure mode and select an occurrence level for the causes.

4. List current controls for each cause, select detection level for each cause.

5. Calculate the Risk Priority Number (RPN)

6. Develop actions and assign responsible persons (prioritize high RPNs)

7. Determine effects of possible changes in controls or design to RPNs

30

What can go wrong here?

p50cars.com

Peel P50 (1964)

31

Automobile with one headlight (no instrument cluster)What are the failure modes, effects, causes and controls?

Possible Failure Modes:• Light doesn’t turn on• Light doesn’t turn off

Possible Failure Effects:• Light doesn’t turn on

• Driver can’t see obstacles• Car inoperable at night (S = 8)

• Light doesn’t turn off• Battery dies

• Car won’t start (S = 10)

Possible Root Causes:• Light doesn’t turn on

• Battery dead (O = 8)• Broken wire (O = 3)• Headlight out (O = 10)• Switch corroded (O = 2)• Switch broken (O = 3)

• Light doesn’t turn off• Short circuit in switch (O = 2)• Operator error (left on) (O = 8)

Example: FMEA redesign

Example adapted from: Cyders, Ohio University, 2013.

Battery LightSwitch

p50cars.com

32


Controls/indicators:• Light doesn’t turn on

• User notices lights off in dark• Light doesn’t turn off

• User notices lights on in dark

Detectability (D):• Light doesn’t turn on (D = 6)

• User notices lights off in dark• User doesn’t notice lights off

during day

• Light doesn’t turn off (D = 6)• User notices lights on in dark• User doesn’t notice lights

not on during day

Automobile with one headlight (no instrument cluster)What are the failure modes, effects, causes and controls?

p50cars.com

33

Possible Effect Root Cause S O D RPN

Car inoperable at night

Battery dead 10 8 2 160

Broken wire 8 3 6 144

Headlight out 3 10 6 180

Switch corroded 8 2 6 96

Switch broken 8 3 6 144

Result: improves usability at night (lower severity score)enables detection (lower detectability score)

Failure Mode: Light doesn’t turn on


Example adapted from: Cyders, Ohio University, 2013.

Possible Effect Root Cause S O D RPN

Car inoperable at night

Battery dead 10 8 6 480

Broken wire 8 3 6 144

Headlight out 8 10 6 480

Switch corroded 8 2 6 96


Original: Single headlight automobile. Redesign: (1) Use two headlights instead of one (2) Add visual lights-on console display

34

Example: FMEA redesignFMEA worksheet (original)Process Step or

System FunctionPotential

Failure ModePotential

Failure EffectPotential Causes

Current Controls

Severity (S)

Occurrence (O)

Detectibility (D)Risk Priority

Number (RPN)

Headlight operation /

Provide driver visibility at night

Light doesn't turn on

Car inoperable at

night

Battery expended

User observation

10 8 6 480

Wire broken 8 3 6 144

Bulb failure 8 10 6 480

Switch corroded

8 2 6 96


FMEA worksheet (redesign)Process Step or

System FunctionPotential

Failure ModePotential

Failure EffectPotential Causes

New ControlsSeverity

(S)Occurrence

(O)Detectibility (D)

Risk Priority Number (RPN)

Headlight operation

Light doesn't turn on

Car inoperable at

night

Battery expended Use two

headlights instead of one. Add “lights

on” console indicator. User observation.

10 8 2 160

Wire broken 8 3 6 144

Bulb failure 3 10 6 180

Switch corroded

8 2 6 96


37

Case example: infant inclined sleepers

Failure modes

American Academy of Paediatrics (AAP)• “There is no such thing as a safe infant inclined sleeper” • “[An infant sleeper is] a product that typically positions an infant

at an incline of up to 30 degrees and usually has design elements such as a rounded sleep surface and plush side padding.”

• “The AAP recommends infants sleep on their backs, alone, unrestrained, on a firm, flat surface, free of padding, bumpers and other soft bedding.”

Product risks

38

Infant inclined sleepers - incidents

https://www.consumerreports.org/child-safety/while-they-were-sleeping/

39

1) All product liability laws apply to childrens’ products

2) Additional laws, regulations, standards, (and jury expectations) exist specifically to protect children (and their parents/caregivers)

3) Stakeholders: Newborns, Infants, Toddlers, Youths, Parents, Grandparents, Caregivers, Daycares

Child-focused products

40

Child endangerment laws

• Penal Code 273a is California’s “child endangerment” law. It

punishes someone who willfully exposes a child to pain,

suffering, or danger. Under Penal Code 273a, it is the

possibility of serious danger that is being punished.

Juvenile sleeper safety standards• ASTM F1169 - Specification for Full-Size Baby Cribs

• ASTM F2194 - Specification for Bassinets and Cradles

• ASTM F406 - Specification for Non-Full-Size Baby Cribs

• ASTM F3118 - Specification for Infant Inclined Sleep Products

Relevant laws and standards

41

Informed Consent• The process by which a patient (1) learns about and understands the

purpose, benefits, and potential risks of a medical or surgical intervention, including clinical trials and then (2) agrees to receive the treatment or participate in the trial. Informed consent generally requires that the patient or responsible party (3) signs a statement confirming that they understand the risks and benefits of the procedure or treatment.

At Risk Groups (require extra precautions)

• Children, elderly, pregnant woman, prisoners

How can children Understand, Agree, and Sign?

Testing child-focused products

42

1) Initially positioning babies the same everytime

2) Positioning different size/weight babies

3) Stimulating the baby to roll (toys, noisemakers, enthusiasm of tester)

4) Time duration of tests

5) Once turned over, what is the duration to let them struggle to turn back to safety?

6) Monitoring health (e.g. oxygen levels) of baby

7) Repeat for many babies & many products

Product testing – challenges

43

1) Parents are allowed to give informed consent on behalf of their children

2) Babies are motivated or tempted by toys to engage in certain behavior

• Danger – experimenters do not give same inputs (temptations) for different babies and products

3) Parents fill out use surveys and provide their view of the product performance

4) Babies get very little voice in this process

Children test subjects - implementation

If your product fails because it requires the user to act/think in

unnatural ways, then it is a product failure, not a user error.

44

Identify safety risks and assessment

• Risk assessment matrix

Identify failure modes, their detectability, severity and probability of occurrence

• Failure modes and effects analysis (FMEA)

Combining individual solutions to deal with these failure modes

Summary / Learning Objectives

design for safety and risk assessment2110.me.gatech.edu/...slides/...productsafetyrisk.pdfidentify...

Documents