Class Exercise: Accidents & errors

Presentation transcript:

Class Exercise: Accidents & errors
Think of 1 accident you have witnessed/experienced that can be attributed to human error and 1 that can be attributed to unsafe conditions.
For the examples you came up with, which can be attributed to “human error” and which to “unsafe conditions”?
ISE 311 - 18

Goals of safety engineering/management
- Reduce errors
- Reduce proportion of errors that become accidents
- Reduce proportion of accidents that become injuries
- Reduce lost days/injury

Injury and severity rate
Injury rate = (Injury cases/yr × 200,000) ÷ Actual hrs worked/yr
Severity rate = Days charged ÷ Injury cases/yr
(Diagram: unsafe conditions and unsafe acts both feed into the injury rate.)

Selection of problems
Decision method:
- Multiply frequency rate for each type of accident by the severity rate.
- Consider refining by including dollar cost/case.
- Rank order annual costs.
- Consider using a Pareto analysis.
- Examine high-energy sources.
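The rate formulas and the ranking method on the two slides above, worked through in code. This is an added example, not material from the course; the plant's accident log, hours worked and dollar costs are constructed sample values.

```python
"""Injury rate, severity rate and Pareto selection of accident types.
Added example for the two slides above; the plant records are
constructed sample data, not figures from the course."""
from collections import namedtuple

Record = namedtuple("Record", "accident_type cases days_charged cost_per_case")

HOURS_WORKED = 400_000  # actual hours worked per year (constructed)

# Constructed one-year accident log for a single plant.
RECORDS = [
    Record("slips/falls",     12, 60,  1_500),
    Record("machine contact",  3, 90, 15_000),
    Record("lifting strain",  20, 40,  1_000),
    Record("electrical",       1, 30, 12_000),
    Record("chemical splash",  4, 12,  2_000),
]

def injury_rate(cases, hours_worked):
    """Injury cases per 200,000 hours worked (about 100 full-time workers)."""
    return cases * 200_000 / hours_worked

def severity_rate(days_charged, cases):
    """Days charged per injury case."""
    return days_charged / cases if cases else 0.0

def lost_day_rate(rec, hours_worked=HOURS_WORKED):
    """Frequency x severity: days charged per 200,000 hours worked."""
    return injury_rate(rec.cases, hours_worked) * severity_rate(rec.days_charged, rec.cases)

def annual_cost(rec):
    """Refinement from the slide: bring in the dollar cost per case."""
    return rec.cases * rec.cost_per_case

def pareto_vital_few(records, share=0.8):
    """Rank accident types by annual cost and return the ones that together
    make up the first `share` of the total (the Pareto 'vital few')."""
    ranked = sorted(records, key=annual_cost, reverse=True)
    total = sum(annual_cost(r) for r in ranked)
    vital, running = [], 0
    for rec in ranked:
        vital.append(rec.accident_type)
        running += annual_cost(rec)
        if running >= share * total:
            break
    return vital

if __name__ == "__main__":
    for rec in sorted(RECORDS, key=lost_day_rate, reverse=True):
        print(f"{rec.accident_type:16} lost-day rate {lost_day_rate(rec):6.1f}"
              f"  annual cost ${annual_cost(rec):,}")
    print("Pareto vital few:", pareto_vital_few(RECORDS))
```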

Open Manhole Analogy
- ‘Warning’ approach
- ‘Guarding’ approach
- Engineering approach
The engineering approach is most effective and is permanent.

Reduction of Unsafe Conditions
- Reduce human error
- Reduce equipment failure
- Design the proper control, display, and environment
- Use distance
- Use guards
- Use time

Reduce Potential / Effects of Human Error – recall the guidelines.

Reduce Equipment Failure – Reduce the Failure Rate
- Reduce the number of failure locations.
- Design in safety factors.
- Use redundant equipment (parallel or standby).
- Use preventive maintenance.
Reduce Hazard
- Use GFCIs to eliminate electrical hazard.
- Use fail-safe designs (fuses, deadman throttles).
- Use battery power or compressed air instead of 110V.
- Use smaller amounts of dangerous materials.
- Use radial tires and front-wheel drive.

Use Distance as a Protective Technique
- Separate people from equipment.
- Reduce speeds.
- Provide vertical clearance for people and vehicles.
- Provide barriers and walls (guards).

Use Guards as a Protective Technique
- Use guards that cannot be defeated easily.
- Make guard defeat or failure easily detectable.
- Guards should not present a hazard. A poor guard is a hazard.
Machine guards:
- Are attached to equipment to prevent people from dangerous contact.
- Do not accept “guarded by location.”
- Consider guards as part of a layered defense.
- Use lockout/tagout procedures.
- Purchase guards from the manufacturer when the machine is purchased.
- Guards should not impair machine function.
People guards:
- Are protective clothing.
- Problems: failure of protective clothing results in injury; workers have incentives not to use protective clothing.
- Have a variety of sizes available.
- Impose severe penalties for not using safety equipment.
- Organizations should purchase and maintain the equipment.

Use Time as a Protective Technique
- Limit exposure time to hazardous conditions or materials.
- Use GFCIs to reduce electrical exposure.
- Provide washing facilities for chemicals.
- Minimize distances to carry hazardous items.

Unsafe acts
Treat all accidents as unsafe conditions.
Unsafe acts may result from:
- Lack of knowledge
- Deliberate risk
- Drug effects
Address the causes.

Lack of Knowledge
- Make a fault analysis of all possible failures. Consider both operator errors and equipment failure.
- Provide a decision structure table in case of a problem.
- Communicate this information to people at risk.
- Remember that training is not permanent.

Deliberate Risk
- Occurs because risk is low, cost of compliance is high, or rewards are large and immediate.
- People modify their behavior to take more risks when a device reduces the risk.
- Reinforce safe behavior with positive rewards; punish unsafe behavior.
- Consider using a “safety traffic light.”

Drug Effects
- Alcohol contributes to a significant number of accidents.
- Focus on changing the machine/system rather than the individual.

Warnings
- Are information about a possible negative consequence.
- An effective warning should change behavior.
- May be visual, auditory, or vibratory.
Need increases when:
- Injury potential increases
- Danger is less obvious
- Injury onset is not obvious
- More people are exposed

Problems with Warnings
- P: The information must be Present.
- R: The warning must be Read.
- U: The reader must Understand the warning.
- M: The information must remain in Memory.
- A: The person must Act on the information.
- E: The warning must be Effective (the person must be able to perform the desired behavior).

Fault Tree Analysis (FTA)
Fault Tree: A graphic “model” of the pathways within a system that can lead to a foreseeable, undesirable loss event. The pathways interconnect contributory events and conditions, using standard logic symbols. Numerical probabilities of occurrence can be entered and propagated through the model to evaluate the probability of the foreseeable, undesirable event.

FTA is best applied to cases with …
- Large, perceived threats of loss, i.e., high risk.
- Numerous potential contributors to a mishap.
- Complex or multi-element systems/processes.
- Already-identified undesirable events (a must!)
- Indiscernible mishap causes (i.e., autopsies).
Caveat: Large fault trees are resource-hungry and should not be undertaken without reasonable assurance of need.

FTA produces:
- Graphic display of chains of events/conditions leading to the loss event.
- Identification of those potential contributors to failure that are “critical.”
- Improved understanding of system characteristics.
- Qualitative/quantitative insight into probability of the loss event selected for analysis.
- Identification of resources committed to preventing failure.
- Guidance for redeploying resources to optimize control of risk.
- Documentation of analytical results.

Some definitions
FAULT: An abnormal undesirable state of a system or a system element induced 1) by presence of an improper command or absence of a proper one, or 2) by a failure (see below). All failures cause faults; not all faults are caused by failures. A system which has been shut down by safety features has not faulted.
FAILURE: Loss, by a system or system element, of functional integrity to perform as intended, e.g., relay contacts corrode and will not pass rated current closed, or the relay coil has burned out and will not close the contacts when commanded – the relay has failed; a pressure vessel bursts – the vessel fails. A protective device which functions as intended has not failed, e.g., a blown fuse.

Assumptions and limitations
- Non-repairable system.
- No sabotage.
- Markov: fault rates are constant. The future is independent of the past – i.e., future states available to the system depend only upon its present state and pathways now available to it, not upon how it got where it is.
- Bernoulli: each system element analyzed has two, mutually exclusive states.

The logic symbols (see also table 18.4, pg. 360)
Most Fault Tree Analyses can be carried out using only these four symbols. Events and Gates are not component parts of the system being analyzed. They are symbols representing the logic of the analysis.

Steps in FTA
1. Identify undesirable TOP event.
2. Identify first level contributors.
3. Link contributors to TOP by logic gates.
4. Identify 2nd level contributors.
5. Link contributors to events by logic gates.
6. Repeat/continue.

Use FTA to …
- Identify probability of failures and faults.
- Identify candidates for engineering solutions.
- Identify common cause events: events which, if they occur, will cause two or more fault tree events to occur. Typical common cause events include power failures, dust & grit, temperature effects (freezing/overheating), operator oversight, etc. Can be overcome through redundant systems, isolation or shielding, etc.
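The FTA slides above in working form: AND/OR gates with Bernoulli basic events, probability propagated through the tree, minimal cut sets, and a common cause event (a power loss feeding both branches) that shows why naive gate-by-gate propagation misstates the TOP probability until the cause is isolated by redundant supplies. Added example, not course material; the two-pump cooling tree and all probabilities are constructed.

```python
"""AND/OR fault tree: naive gate-by-gate propagation vs. exact evaluation
with a common cause event, plus minimal cut sets.  Added example for the
FTA slides; tree and probabilities are constructed, not from the course."""
import itertools
from math import prod

# Node = ("event", name) | ("AND", [children]) | ("OR", [children]).  TOP "no
# cooling flow" needs both pumps lost; "power loss" feeds both OR gates.
TREE = ("AND", [("OR", [("event", "pump A fails"), ("event", "power loss")]),
                ("OR", [("event", "pump B fails"), ("event", "power loss")])])
# Same system with the common cause isolated: each pump on its own supply.
TREE_ISOLATED = ("AND", [("OR", [("event", "pump A fails"), ("event", "supply A loss")]),
                         ("OR", [("event", "pump B fails"), ("event", "supply B loss")])])
PROB = {"pump A fails": 0.01, "pump B fails": 0.01, "power loss": 0.02,
        "supply A loss": 0.02, "supply B loss": 0.02}

def naive_prob(node, prob):
    """Independent-input rule: AND multiplies, OR gives 1 - prod(1 - p)."""
    kind, payload = node
    if kind == "event":
        return prob[payload]
    ps = [naive_prob(child, prob) for child in payload]
    return prod(ps) if kind == "AND" else 1 - prod(1 - p for p in ps)

def basic_events(node):
    kind, payload = node
    return {payload} if kind == "event" else set().union(*map(basic_events, payload))

def top_occurs(node, state):
    # Bernoulli assumption: each basic event is either True or False.
    kind, payload = node
    if kind == "event":
        return state[payload]
    return (all if kind == "AND" else any)(top_occurs(c, state) for c in payload)

def exact_prob(node, prob):
    """Sum P(state) over all states where TOP occurs; correct with shared events."""
    names = sorted(basic_events(node))
    total = 0.0
    for bits in itertools.product((False, True), repeat=len(names)):
        state = dict(zip(names, bits))
        if top_occurs(node, state):
            total += prod(prob[n] if state[n] else 1 - prob[n] for n in names)
    return total

def minimal_cut_sets(node):
    """Smallest sets of basic events whose joint occurrence causes TOP."""
    kind, payload = node
    if kind == "event":
        return {frozenset([payload])}
    child_sets = [minimal_cut_sets(c) for c in payload]
    cuts = (set().union(*child_sets) if kind == "OR" else
            {frozenset().union(*combo) for combo in itertools.product(*child_sets)})
    return {c for c in cuts if not any(o < c for o in cuts)}
```

For TREE the naive rule gives about 8.9e-4 while the exact value is about 2.0e-2, because the single-event cut set {power loss} dominates; TREE_ISOLATED has only two-event cut sets and both methods agree.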

Your turn …
Identify a specific potential occurrence using a product, tool, or piece of equipment with which you are familiar (enough to analyze the occurrence in detail). Conduct a FTA using this occurrence as the top-level event.

Failure Modes & Effects Analysis, FMEA
Evaluates reliability and identifies single-point failures that can lead to system failure.
Functional vs hardware FMEA:
- Functional FMEA: used early in design programs; top-level, focus on systems and subsystems.
- Hardware FMEA: based on detailed design data; concentrates on assemblies, subassemblies, and components.
Limitations – FMEA doesn’t address:
- operational interface
- multiple failures
- human factors

Three key questions to be answered by the FMEA process:
- What could fail in each component of my product or design?
- To what extent might it fail and what are the potential hazards produced by the failure?
- What steps should be implemented to prevent failures?

The FMEA process
- Define the system
- Identify potential failure modes & their causes
- Evaluate the effects on the system of each failure mode
- Identify failure detection methods
- Identify corrective measures for failure modes
- Document analysis / prepare FMEA report

Your Turn …
Define the system
- Identify a product with which you are familiar (enough to perform an analysis of failure modes).
- Identify one part on that product to analyze in detail.
(NOTE: use the attached FMEA form for this exercise.)

FMEA Form and Definitions (Design FMEA Analysis)
Form columns:
- Part & Function
- Potential Failure Modes
- Potential Effect(s) of Failure
- ∆
- SEV
- Potential Cause(s) / Mechanisms of Failure
- OCC
- Detection Method & Quality Controls
- DET
- RPN
- Recommended Actions
Definitions:
- ∆ = Critical characteristic which may affect safety, compliance with Gov. regulations, or require special controls.
- SEV = Severity rating (1 to 10)
- OCC = Occurrence frequency (1 to 10)
- DET = Detection Rating (1 to 10)
- RPN = Risk Priority Number (1 to 1000) = SEV * OCC * DET

Your turn …
Identify potential failure modes & their causes
- Identify 2 – 3 potential failure modes and what could cause them.
Evaluate the effects on the system of each failure mode
- Using the table on the following page, evaluate the potential severity of each failure mode.

Criteria: Severity of Effect (Severity Rating, SEV)
Ranking  Effect       Criteria: Severity of Effect
1        None         No effect.
2        Very Minor   Very minor effect on product or system performance.
3        Minor        Minor effect on product or system performance.
4        Low          Small effect on product performance. The product does not require repair.
5        Moderate     Moderate effect on product performance. The product requires repair.
6        Significant  Product performance is degraded. Comfort or convenience functions may not operate.
7        Major        Product performance is severely affected but functions. The system may not be operable.
8        Extreme      Product is inoperable with loss of primary function. The system is inoperable.
9        Serious      Failure involves hazardous outcomes and/or noncompliance with govt. regulations or standards.
10       Hazardous    Failure is hazardous, and occurs without warning. It suspends operation of the system and/or involves noncompliance with govt. regulations.

Your turn …
Identify failure detection methods
- How would you as the user/operator of this product recognize that the part has failed or is about to fail?
- Use the OCC table on the following page to evaluate the probability of failure occurrence.
Identify corrective measures for failure modes
- Do you know how to correct the fault to restore safe and correct operation of the product?
- Use the DET table to evaluate the probability of detecting the failure.

Probability of Occurrence, OCC
Ranking  Possible Failure Rate  Probability of Failure
1        < 1 x 10^-6            Nearly Impossible
2        1 x 10^-5              Remote
3        1 x 10^-4              Low
4        4 x 10^-4              Relatively Low
5        2 x 10^-3              Moderate
6        1 x 10^-2              Moderately High
7        4 x 10^-2              High
8        0.2                    Repeated Failures
9        0.33                   Very High
10       > 0.55                 Extremely High: Failure Almost Inevitable

Probability of Detection, DET
Ranking  Detection Probability
1        Almost Certain Detection
2        Very High Chance of Detection
3        High Probability of Detection
4        Moderately High Chance of Detection
5        Moderate Chance of Detection
6        Low Probability of Detection
7        Very Low Probability of Detection
8        Remote Chance of Detection
9        Very Remote Chance of Detection
10       Absolute Uncertainty - No Control

Your turn …
Document analysis / prepare FMEA report
- Calculate the risk priority number, RPN = SEV * OCC * DET.
- Recommend action based on the RPN.
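The FMEA worksheet arithmetic from the form, the OCC table and the RPN slide, carried through for one part. This is an added example, not the course handout: the angle-grinder guard bolt, its three failure modes, their rates and ratings are constructed, and the rule used for the ∆ column (flag when SEV is 9 or 10, the two ratings whose criteria mention hazardous outcomes or regulatory noncompliance) is an assumption, since the form only defines ∆ in words.

```python
"""FMEA worksheet arithmetic: map a failure rate to the OCC ranking table,
combine SEV, OCC and DET into the RPN, and order the failure modes.  Added
example for the FMEA slides; the part and its rows are constructed."""
from dataclasses import dataclass

# Occurrence table from the OCC slide: (failure rate, rank, label).
OCC_TABLE = [(1e-6, 1, "Nearly Impossible"), (1e-5, 2, "Remote"),
             (1e-4, 3, "Low"), (4e-4, 4, "Relatively Low"),
             (2e-3, 5, "Moderate"), (1e-2, 6, "Moderately High"),
             (4e-2, 7, "High"), (0.2, 8, "Repeated Failures"),
             (0.33, 9, "Very High"), (0.55, 10, "Extremely High")]

def occ_rank(failure_rate):
    """Lowest OCC rank whose table rate is not exceeded
    (rank 1 is '< 1e-6', rank 10 is '> 0.55')."""
    if failure_rate < OCC_TABLE[0][0]:
        return 1
    for limit, rank, _ in OCC_TABLE[1:]:
        if failure_rate <= limit:
            return rank
    return 10

@dataclass
class FailureMode:
    part: str
    mode: str
    cause: str
    sev: int             # 1..10 from the SEV table
    failure_rate: float  # estimated failures per use; OCC is derived from it
    det: int             # 1..10 from the DET table

    def occ(self):
        return occ_rank(self.failure_rate)

    def rpn(self):
        """Risk Priority Number = SEV * OCC * DET, range 1..1000."""
        return self.sev * self.occ() * self.det

    def critical(self):
        # Delta column, assumed rule: SEV 9 or 10 (hazard / regulatory criteria).
        return self.sev >= 9

# Constructed worksheet rows for one part of a hand-held angle grinder.
ROWS = [
    FailureMode("guard retention bolt", "loosens under vibration",
                "no thread locker", sev=8, failure_rate=2e-3, det=6),
    FailureMode("guard retention bolt", "shears in service",
                "under-specified bolt grade", sev=10, failure_rate=1e-5, det=9),
    FailureMode("guard retention bolt", "thread stripped at assembly",
                "over-torque on the line", sev=7, failure_rate=4e-4, det=3),
]

def ranked_by_rpn(rows):
    """Highest RPN first: the order in which corrective action is recommended."""
    return sorted(rows, key=lambda r: r.rpn(), reverse=True)
```

Note that the highest-RPN row (240) is not the ∆-flagged one (RPN 180): RPN orders the rows, while ∆ marks the safety-critical row that needs attention regardless of rank.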