A Practical Approach to Risk Assessment and Risk Reduction
Presented by Richard Harris
Omron STI 2012

Today’s Learning Objectives
- What is a risk assessment and why do I have to do it?
- Who can do a risk assessment?
- How do I do it?
- What is the difference between risk assessment and risk reduction?
- What tools are available?

What is it?
- Risk Assessment: The process by which the intended use (and reasonably foreseeable misuse) of the machine, the tasks and hazards, and the level of risk are determined
- Risk Reduction: The application of protective measures to reduce the risk to a tolerable level

Why do it?
- To create a safer working environment for employees (as required by OSHA)
- To reduce costs
- To comply with national and international consensus standards, including:
  - ANSI B11.0-2010 – Safety of Machinery – General Requirements and Risk Assessment
  - ANSI B11.TR3-2000 – Risk Assessment and Risk Reduction – A Guide to Estimate, Evaluate and Reduce Risks Associated with Machine Tools
  - ANSI/RIA R15.06-1999 (R2009) – For Industrial Robots and Robot Systems – Safety Requirements
  - NFPA 79-2012 – Electrical Standard for Industrial Machinery
  - ANSI/ASSE Z244.1-2003 (R2008) – Control of Hazardous Energy – Lockout/Tagout and Alternative Methods
  - ANSI/PMMI B155.1-2011 – Standard for Packaging Machinery and Packaging-Related Converting Machinery – Safety Requirements for Construction, Care, and Use
  - SEMI S10-0307 – Safety Guideline for Risk Assessment and Risk Evaluation Process
  - MIL-STD-882D-2000 – Standard Practice for System Safety
  - CSA Z432-04 – Safeguarding of Machinery – Occupational Health and Safety
  - CSA Z434-03 – Industrial Robots and Robot Systems – General Safety Requirements
  - CSA Z460-05 – Control of Hazardous Energy – Lockout and Other Methods
  - NOM-004-STPS-1999 – Protection Systems and Safety Devices for Machinery and Equipment Used in the Workplace
  - ISO 12100:2010 – Safety of machinery – General principles for design – Risk assessment and risk reduction
  - EN 954-1:2000 / ISO 13849-1:1999 – Safety of machinery – Safety-related parts of control systems – Part 1: General principles of design
  - ISO 13849-1:2006 – Safety of machinery – Safety-related parts of control systems – Part 1: General principles of design
  - 2006/42/EC – European Machinery Directive

How do I do it?
- Regardless of which standard you follow, the process contains 12 essential steps
- You can create your own process, as long as it’s based on industry best practices
- You can conduct the process in house, request it from your OEM, or contract an outside service provider

Step 1: Identify Machine / Process
- Usually done in reaction to an accident / near miss that has already occurred
- Think Proactive!
- Can be prioritized based on common sense (more hazardous machines first)
- Based on hazards and/or frequency of use

Step 2: Collect Proper Information
- Limits of the machine
- Requirements for the lifecycle of the machine
- Design drawings, sketches, system descriptions, or other means of establishing the nature of the machine
- Information concerning energy sources
- Any accident and incident history
- Any information about damage to health
- System layout and proposed building / existing system(s) integration
- Affected personnel
- Level of training, experience, or ability of all personnel
- Exposure of other persons to the hazards associated with the machine where it can be reasonably foreseen

Step 3: Gather Proper Personnel
- EHS manager
- Operators
- Maintenance personnel
- Engineers
- Electricians
- Production managers
- Specialists
- Use approach

Step 4: Observe Machine in Use
- Although many machines are similar in design, they are adapted to perform specific or different operations
- The best way to understand the operation and maintenance of a machine is to see it in use
  - This helps ensure safety and compliance while understanding and meeting productivity needs

Step 5: Identify Hazardous Areas
- Follow task/hazard approach
- Tasks include:
  - Packing and transporting
  - Unloading/unpacking
  - Systems installation
  - Start up/commissioning
  - Set up and try out
  - Operation (all modes)
  - Tool change
  - Major repair
  - Planned maintenance
  - Unplanned maintenance
  - Recovery from posal

Task / Hazard ice Personnel
- Quality Coach
- Sales Personnel
- Contractors
- Riggers

Task / Hazard Approach
Personnel | Task | Hazard
Operator | Load |
Operator | Unload Part |
Operator | Unload Scrap |
Operator | Cycle |
Operator | Lube Die |
Operator | Clean Die |
Operator | Tape Die |
Operator | Power Up |
Operator | Power Down |
Operator | Clean Press |
Operator | Clean Workspace |
Operator | Teach Trainees |
Maintenance | Change Die |
Maintenance | First Piece Verification |
Maintenance | Preventative Maintenance |
Maintenance | Recovery from Crash |

Task / Hazard
Personnel | Task | Hazard
Operator | Load | Cutting or Severing
Operator | Load | Stabbing or Puncturing
Operator | Load | Contact with Live Parts
Operator | Load | Reaction to Stainless Steel
Operator | Load | Failure of the Control System
Operator | Load | Failure of the Equipment
Operator | Load | Slip, Trip, or Fall
Operator | Load | Falling Objects
Operator | Load | Ejected Objects or Fluids
Operator | Unload Part | Crushing
Operator | Unload Part | Shearing
Operator | Unload Part | Cutting or Severing
Operator | Unload Part | Contact with Live Parts
Operator | Unload Part | Reaction to Stainless Steel
Operator | Unload Part | Failure of the Control System

Identifying Tasks & Hazards (ANSI B11.0-2010)
Identifying tasks and hazards is a critically important part of the risk assessment process because hazards not identified can create substantial unknown risks. There are many different approaches to identifying hazards. Depending on the complexity of the machinery, useful methods may include but are not limited to:
- using intuitive operational and engineering judgment;
- examining system specifications and expectations;
- reviewing codes, regulations, and consensus standards;
- interviewing current or intended system users and/or operators;
- consulting checklists;
- reviewing studies from other similar systems;
- evaluating the potential for unwanted energy releases/exposures to hazardous environments;
- reviewing historical data/industry experience, incident investigation reports (including accident or near-miss events), OSHA, Bureau of Labor Statistics and National Safety Council data, manufacturer’s literature;
- considering potential mishaps with surrounding equipment and operations;
- brainstorming.

Assumptions
- The risk assessment process includes identifying hazards regardless of the existence of risk reduction (safeguarding) measures.
- The machine should not be considered harmless as shipped and guarded.
- To assure that all hazards are included, hazard identification should be conducted with all safeguards conceptually removed.
  - This is to assure that hazards are not ignored due to an assumption that the safeguard supplied is adequate for all tasks, including reasonably foreseeable misuse.
- Existing safeguards that help meet the risk reduction objectives can be retained after evaluating their performance.
  - This decision will be confirmed during the validation/verification portion of the risk assessment.

Steps 6 & 7: Identify the Risk Level and Required Level of Risk Reduction
- There are several recognized methods to identify (label) risk levels
  - ANSI, RIA, CSA, EN, ISO
- Choose the method which is easiest and most practical to apply at your location
- Risks must be aligned to a risk reduction category that incorporates the selection of safeguarding devices and safety-related parts of the control system

ANSI B11.TR3
7.2 Severity of harm
Severity of harm addresses the degree of injury or illness that could occur. The degrees are based on extent of injury or illness (from death to no injury), and extent of treatment involved. The following is an example of severity levels:
- Catastrophic – death or permanently disabling injury or illness (unable to return to work)
- Serious – severe debilitating injury or illness (able to return to work at some point)
- Moderate – significant injury or illness requiring more than first aid (able to return to same job)
- Minor – no injury or slight injury requiring no more than first aid (little or no lost work time)
When determining risk, the worst credible severity of harm is to be selected.
7.3 Probability of occurrence of harm
Probability of occurrence of harm is estimated by taking into account the frequency, duration and extent of exposure, training and awareness, and the presentation of the hazard. The following is an example of probability levels:
- Very likely – near certain to occur
- Likely – may occur
- Unlikely – not likely to occur
- Remote – so unlikely as to be near zero
When estimating probability, the highest credible level of probability is to be selected.

ANSI B11.TR3
[Table 1: Risk Determination Matrix]

ANSI B11.TR3
Safeguards providing the highest degree of risk reduction are:
- Barrier guard or protective device preventing intentional exposure of any part of the body to the hazard, and secured with special fasteners or a lock. If moveable, such a barrier should be interlocked using system control criteria as defined in this paragraph.
- Control systems having redundancy with continuous self-checking to ensure the continuance of performance.
Safeguards providing high / intermediate risk reduction are:
- Barrier guard or protective device preventing unintended exposure of any part of the body to the hazard, and not removable or adjustable by unauthorized persons. If moveable, such a barrier should be interlocked using system control criteria as defined in this paragraph.
- Physical devices that do not require adjustment for use or other operator intervention.
- Control systems having redundancy with self-checking upon startup to ensure the continuance of performance.
Safeguards providing low / intermediate risk reduction are:
- Barrier guard or protective device providing simple guarding against inadvertent exposure to the hazard. Examples are a fixed screen, chuck guard, or moveable barrier with simple interlocking using system control criteria as defined in this paragraph.
- Physical devices that require adjustment for use.
- Control systems (including associated protective devices, actuators and interfaces) having redundancy that may be manually checked to ensure the continuance of performance.
Safeguards providing the lowest degree of risk reduction are:
- Physical barrier providing tactile or visual awareness of the hazard, or minimal protection against inadvertent exposure. Examples are post and rope, swing-away shield, or moveable screen.
- Electrical, electronic, hydraulic or pneumatic devices and associated control systems using a single-channel configuration.

ANSI/RIA R15.06
Table 1 - Hazard Severity/Exposure/Avoidance Categories
Category | Criteria
S2 Serious Injury | Normally irreversible; or fatality; or requires more than first-aid as defined in OSHA 1904.12
S1 Slight Injury | Normally reversible; or requires only first-aid as defined in OSHA 1904.12
E2 Frequent Exposure | Typically exposure to the hazard more than once per hour.
E1 Infrequent Exposure | Typically exposure to the hazard less than once per day or shift.
A2 Not Likely | Cannot move out of the way; or inadequate reaction time; or robot speed greater than 250mm/sec.
A1 Likely | Can move out of the way; or sufficient warning/reaction time; or robot speed less than 250mm/sec.

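ANSI/RIA R15.06
Table 2 - Risk reduction decision matrix prior to safeguard selection
Severity of Exposure | Exposure | Avoidance | Risk Reduction Category
S2 Serious Injury (More than First-aid) | E2 Frequent Exposure | A2 Not Likely | R1
S2 Serious Injury (More than First-aid) | E2 Frequent Exposure | A1 Likely | R2A
S2 Serious Injury (More than First-aid) | E1 Infrequent Exposure | A2 Not Likely | R2B
S2 Serious Injury (More than First-aid) | E1 Infrequent Exposure | A1 Likely | R2B
S1 Slight Injury (First-aid) | E2 Frequent Exposure | A2 Not Likely | R2C
S1 Slight Injury (First-aid) | E2 Frequent Exposure | A1 Likely | R3A
S1 Slight Injury (First-aid) | E1 Infrequent Exposure | A2 Not Likely | R3B
S1 Slight Injury (First-aid) | E1 Infrequent Exposure | A1 Likely | R4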

ANSI/RIA R15.06
Table 3 - Safeguard Selection Matrix
Category | Safeguard Performance | Circuit Performance
R1 | Hazard elimination or hazard substitution (9.5.1) | Control Reliable (4.5.4)
R2A | Engineering controls preventing access to the hazard, or stopping the hazard (9.5.2), e.g. interlocked barrier guards, light curtains, safety mats, or other presence sensing devices (10.4) | Control Reliable (4.5.4)
R2B | same as R2A | Single Channel with monitoring (4.5.3)
R2C | same as R2A | Single Channel (4.5.2)
R3A | Non interlocked barriers, clearance, procedures and equipment (9.5.3) | Single Channel (4.5.2)
R3B | same as R3A | Simple (4.5.1)
R4 | Awareness means (9.5.4) | Simple (4.5.1)

Risk Reduction Measures
Modified Table 3 - Safeguard Selection Matrix
Standards named in the column headings: ANSI/RIA R15.06-1999 (R2009), ISO 10218-2, ISO 10218-1, ISO 13849-1:1999 (Category), ISO 13849-1:2006 (PL), IEC 62061:2005 (SIL)
Safeguard Performance | Circuit Performance | Category | PL | SIL
Hazard elimination or hazard substitution | Control Reliable | (4) 3 | (e) d | (3) 2
Engineering controls preventing access to the hazard, or stopping the hazard, e.g. interlocked barrier guards, light curtains, safety mats, or other presence sensing devices | Control Reliable | 3 | d | 2
(same as above) | Single Channel with Monitoring | 2 | d/c | 2/1
(same as above) | Single Channel | 1 | c | 1
Non interlocked barriers, clearance, procedures and equipment | Single Channel | 1 | b | 1
(same as above) | Simple | B | b | 1
Awareness means | Simple | B | a | n/a

ANSI/RIA R15.06
- R1: Risk reduction shall be accomplished by hazard elimination or hazard substitution which does not create an equal or greater hazard. When hazard elimination or substitution is not possible, all provisions of a category R2 risk reduction shall apply and provisions of categories R3 and R4 shall be provided for safeguarding residual risk.
- R2: Safeguarding shall be by means that prevent access to the hazard, or cause the hazard to cease. Provisions of categories R3 and R4 may be used for safeguarding residual risk.
- R3: Safeguarding, at a minimum, shall be by means of non-interlocked barriers, clearance from the hazard, written procedures, and personal protective equipment if applicable. Provisions of Category R4 may also be used for safeguarding residual risk.
- R4: Safeguarding, at a minimum, shall be by administrative means, awareness means including audio/visual warnings and training.
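
The ANSI/RIA R15.06 flow from the tables above (rate each task/hazard pair, derive the risk reduction category from Table 2, then read the required safeguard and circuit performance from Table 3), as an added example that is not part of the original slides. The `Row` fields, the `installed_circuit` comparison, the weakest-to-strongest ordering in `CIRCUIT_RANK`, and the worksheet ratings are assumptions made for this illustration.

```python
from dataclasses import dataclass

# Table 2 as given on this page: (severity, exposure, avoidance) -> category.
TABLE_2 = {
    ("S2", "E2", "A2"): "R1",  ("S2", "E2", "A1"): "R2A",
    ("S2", "E1", "A2"): "R2B", ("S2", "E1", "A1"): "R2B",
    ("S1", "E2", "A2"): "R2C", ("S1", "E2", "A1"): "R3A",
    ("S1", "E1", "A2"): "R3B", ("S1", "E1", "A1"): "R4",
}

# Table 3 as given on this page: category -> (safeguard, circuit performance).
TABLE_3 = {
    "R1":  ("hazard elimination or substitution", "Control Reliable"),
    "R2A": ("engineering controls", "Control Reliable"),
    "R2B": ("engineering controls", "Single Channel with Monitoring"),
    "R2C": ("engineering controls", "Single Channel"),
    "R3A": ("non-interlocked barriers, clearance, procedures", "Single Channel"),
    "R3B": ("non-interlocked barriers, clearance, procedures", "Simple"),
    "R4":  ("awareness means", "Simple"),
}

# Assumption of this example: circuit performance ordered weakest to strongest.
CIRCUIT_RANK = ["Simple", "Single Channel",
                "Single Channel with Monitoring", "Control Reliable"]

@dataclass
class Row:
    """One task/hazard worksheet line (field names are hypothetical)."""
    personnel: str
    task: str
    hazard: str
    severity: str           # rated with safeguards conceptually removed
    exposure: str
    avoidance: str
    installed_circuit: str  # performance of the existing safety circuit

def assess(row):
    """Return (category, required safeguard, required circuit, shortfall)."""
    key = (row.severity, row.exposure, row.avoidance)
    if key not in TABLE_2:
        raise ValueError(f"invalid S/E/A rating {key} for {row.task}/{row.hazard}")
    category = TABLE_2[key]
    safeguard, circuit = TABLE_3[category]
    # Shortfall: the existing circuit is weaker than Table 3 requires.
    shortfall = (CIRCUIT_RANK.index(row.installed_circuit)
                 < CIRCUIT_RANK.index(circuit))
    return category, safeguard, circuit, shortfall

def shortfalls(rows):
    """Task/hazard pairs whose existing circuit must be upgraded."""
    return [(r.task, r.hazard, assess(r)[0]) for r in rows if assess(r)[3]]

# Constructed worksheet rows; the ratings are illustrative, not from the slides.
WORKSHEET = [
    Row("Operator", "Load", "Cutting or Severing", "S2", "E2", "A2", "Single Channel"),
    Row("Operator", "Unload Part", "Crushing", "S2", "E1", "A1", "Single Channel with Monitoring"),
    Row("Maintenance", "Change Die", "Slip, Trip, or Fall", "S1", "E1", "A1", "Simple"),
]
```
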

EN 1050 / ISO 14121
S: Severity of potential injury
- S1: Slight injury (minor cuts or bruises, requires first-aid)
- S2: Severe injury (broken bone, loss of limb or death)
F: Frequency of exposure to potential hazard
- F1: Infrequent exposure
- F2: Frequent to continuous exposure
P: Possibility of avoiding the hazard as it occurs (generally related to the speed / frequency of movement of the hazard and distance to the hazard point)
- P1: Possible
- P2: Less possible
L: Likelihood of occurrence (in event of a failure)
- L1: Very likely
- L2: Unlikely
- L3: Highly unlikely

EN 1050 / ISO 14121

EN 954-1:1996 / ISO 13849-1:1999
Table 2 – Summary of requirements for categories (for full requirements see clause 6)
Category B (see 6.2.1)
- Summary of requirements: Safety-related parts of control systems and/or their protective equipment, as well as their components, shall be designed, constructed, selected, assembled and combined in accordance with relevant standards so that they can withstand the expected influence.
- System behaviour: The occurrence of a fault can lead to the loss of the safety function.
Category 1 (see 6.2.2)
- Summary of requirements: Requirements of B shall apply. Well-tried components and well-tried safety principles shall be used.
- System behaviour: The occurrence of a fault can lead to loss of the safety function, but the probability of occurrence is lower than for category B.
Category 2 (see 6.2.3)
- Summary of requirements: Requirements of B and the use of well-tried safety principles shall apply. Safety function shall be checked at suitable intervals by the machine control system.
- System behaviour: The occurrence of a fault can lead to loss of the safety function between checks. The loss of safety function is detected with the check.
Category 3 (see 6.2.4)
- Summary of requirements: Requirements of B and the use of well-tried safety principles shall apply. Safety-related parts shall be designed so that a single fault in any of these parts does not lead to loss of the safety function, and whenever reasonably practicable the single fault is detected.
- System behaviour: When a single fault occurs, the safety function is always performed. Some but not all faults will be detected. Accumulation of undetected faults can lead to loss of the safety function.
Category 4 (see 6.2.5)
- Summary of requirements: Requirements of B and the use of well-tried safety principles shall apply. Safety-related parts shall be designed so that a single fault in any of these parts does not lead to loss of the safety function, and the single fault is detected at or before the next demand upon the safety function. If this is not possible, then an accumulation of faults shall not lead to a loss of the safety function.
- System behaviour: When the faults occur the safety function is always performed. The faults will be detected in time to prevent loss of the safety function.
Principles to achieve safety (column, top to bottom): Mainly characterized by selection of components; Mainly characterized by structure

ISO 13849-1
Risk Factor | Value | Definition
Severity of Injury | S1 | Slight (normally reversible injury)
Severity of Injury | S2 | Serious (normally irreversible injury or death)
Frequency and/or Exposure to Hazard | F1 | Seldom to less-often and/or exposure time is short
Frequency and/or Exposure to Hazard | F2 | Frequent to continuous and/or exposure time is long
Possibility of Avoiding Hazard or Limiting Harm | P1 | Possible under specific conditions
Possibility of Avoiding Hazard or Limiting Harm | P2 | Scarcely possible

ISO 13849-1

ISO 13849-1
Relationship between Categories, DCavg, and MTTFd of Each Channel and PL

EN 954-1 vs. ISO 13849-1

Comparison of Circuit Performance Requirements
CIRCUIT PERFORMANCE REQUIREMENTS
Standards compared: ANSI B11.TR3-2000; ANSI/ASSE Z244.1-2003 (R2008); ANSI/RIA R15.06-1999 (R2009); CSA Z432-04 & Z434-03; ISO 10218-1:2007; ISO 10218:20(11?); ISO 13849-1:1999 (EN 954-1:1996); ISO 13849-1:2006; IEC 62061:2005
B11.TR3 / Z244.1 Index | B11.TR3 / Z244.1 Circuit Performance | R15.06 / CSA Index | R15.06 / CSA Circuit Performance | ISO 13849-1:1999 (EN 954-1:1996) Category | ISO 13849-1:2006 PL | IEC 62061:2005 SIL
High | Redundancy with Continuous Self-Checking | R1 | Control Reliable | (4) 3 | (e) d | (3) 2
High | Redundancy with Continuous Self-Checking | R2A | Control Reliable | 3 | d | 2
No Equivalent | | R2B | Single Channel with Monitoring | 2 | d/c | 2/1
Medium | Redundancy with Self Checking Upon Startup | No Equivalent | | No Equivalent | No Equivalent | No Equivalent
Low | Redundancy that may be Manually Checked | No Equivalent | | No Equivalent | No Equivalent | No Equivalent
Negligible | Single Channel | R2C | Single Channel | 1 | c | 1
Negligible | Single Channel | R3A | Single Channel | 1 | b | 1
No Equivalent | | R3B | Simple | B | b | 1
No Equivalent | | R4 | Simple | B | a | n/a
While there are similarities between the levels of risk reduction in the various columns, an exact one-to-one comparison is virtually impossible. This chart is intended to show the comparative similarities between each standard. Where risk reduction measures depend on configurable devices, the reliability of these devices and the system should be appropriate for the level of risk.

Selecting Protective Measures Commensurate with Risk Level

Step 8: Create Appropriate Risk Reduction System
- Follow hierarchy of control
  - Elimination / substitution of the hazard
  - Engineering controls
    - Safeguarding devices (interlock switches, light curtains, safety mats, etc.)
    - Electrical / pneumatic / hydraulic circuits
  - Awareness means (lights, signs, signals, etc.)
  - Training and procedures (administrative controls)
  - Personal protective equipment (PPE)

Hierarchy of Control
PROTECTIVE MEASURE: Most nologies / Protective Devices; Awareness Means; Least Effective
EXAMPLES:
- Eliminate the need for human interaction in the process
- Eliminate pinch points (increase clearance)
- Automated material handling (robots, conveyors, etc.)
INFLUENCE ON RISK FACTORS:
- Impact on overall risk (elimin