Machinery Safety Risk Assessment of a Metal Packaging Company
Upcoming SlideShare
Loading in...5
×
 

Machinery Safety Risk Assessment of a Metal Packaging Company

on

  • 2,668 views

My thesis.

My thesis.

Statistics

Views

Total Views
2,668
Views on SlideShare
2,660
Embed Views
8

Actions

Likes
1
Downloads
67
Comments
0

2 Embeds 8

http://www.linkedin.com 6
https://www.linkedin.com 2

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Machinery Safety Risk Assessment of a Metal Packaging Company Machinery Safety Risk Assessment of a Metal Packaging Company Document Transcript

  • AB HELSINKI UNIVERSITY OF TECHNOLOGY Faculty of Electronics, Communications and Automation Teppo-Heikki Saari Machinery Safety Risk Assessment of a Metal Packaging CompanyMaster’s Thesis submitted in partial fulfillment of the requirements for thedegree of Master of Science in TechnologyEspoo, December 15, 2009Supervisor: Professor Jouko LampinenInstructor: M.Sc. Hanna N¨atsaari a¨
  • Teknillinen korkeakoulu ¨ ¨ Diplomityon tiivistelmaElektroniikan, tietoliikenteen ja automaation tiedekuntaTekij¨: a Teppo-Heikki SaariOsasto: Elektroniikan ja s¨hk¨tekniikan osasto a oP¨¨aine: aa Laskennallinen tekniikkaSivuaine: Systeemi- ja operaatiotutkimusTy¨n nimi: o Pakkausmateriaalitehtaan koneturvallisuuden riskiarviointiTy¨n nimi englanniksi: o Machinery Safety Risk Assessment of a Metal Packaging CompanyProfessuurin koodi ja nimi: S-114 Laskennallinen tekniikkaTy¨n valvoja: o Prof. Jouko LampinenTy¨n ohjaaja: o FM Hanna N¨¨tsaari aaTiivistelm¨ aEU:n ja Suomen ty¨turvallisuuslains¨¨d¨nt¨ velvoittaa ty¨nantajaa arvioimaan ty¨ymp¨rist¨n o aa a o o o a oriskit ty¨kyvyn turvaamiseksi ja yll¨pit¨miseksi. Vaikka vaade ty¨olosuhteiden parantamiseksi on o a a olains¨¨d¨nn¨n kautta asetettu, eiv¨t kaikki yritykset Suomessa sit¨ noudata. Erityisesti pienten aa a o a aja keskisuurten yritysten ongelmana ovat olleet resurssien ja helppok¨ytt¨isten, selkeit¨ tuloksia a o atuottavien metodien puute.T¨ss¨ ty¨ss¨ selvitet¨¨n mink¨laisia k¨sitteit¨ turvallisuuteen ja riskiarviointiin yleisesti liittyy, a a o a aa a a asek¨ mink¨laisia metodeita riskej¨ ja ihmisten tekemi¨ virheit¨ arvioitaessa yleisesti k¨ytet¨¨n. a a a a a a aaLis¨ksi t¨ss¨ ty¨ss¨ arvioidaan pakkausmateriaalitehtaan riskej¨ k¨ytt¨m¨ll¨ er¨st¨ menetelm¨¨, ja a a a o a a a a a a a a aatutkitaan mink¨laisia tuloksia menetelm¨ tuottaa sek¨ mitk¨ tekij¨t vaikuttavat riskiarviointiproses- a a a a asiin yleisesti.Riskin k¨sitteeseen sis¨ltyy vaaran toteutumisen todenn¨k¨isyys. T¨ss¨ ty¨ss¨ tehtaalla esiintyvien a a a o a a o ariskien arviointiin k¨ytetty menetelm¨ perustuu asiantuntija-arvioihin, jolloin arvioinnin tulokset ovat a aluonteeltaan subjektiivisia. Menetelm¨ voikin antaa hyvin erilaisia tuloksia riippuen arvioinnin suorit- atajasta. Suuret vaihtelut tuloksissa johtavat ep¨varmuuteen siit¨, mitk¨ vaarat tehtaalla ovat kaikkein a a asuurimpia, ja n¨inollen arvioinnin pohjalta teht¨v¨t – mahdollisesti kalliit – p¨¨t¨kset eiv¨t ole a a a aa o atehty k¨ytt¨en tarkinta mahdollista tietoa ty¨ymp¨rist¨n turvallisuuden tilasta. T¨t¨ ep¨varmuutta a a o a o aa avoidaan pienent¨¨ selkiytt¨m¨ll¨ toimintatapoja ja parantamalla menetelm¨n dokumentaatiota. aa a a a aRiskej¨ on mahdollista hallita usein eri keinoin. Lains¨¨d¨nn¨lliset keinot pyrkiv¨t pienent¨m¨¨n a aa a o a a aaolemassaolevia riskej¨ ja ehk¨isem¨¨n uusia syntym¨st¨. Fyysiset keinot pyrkiv¨t suojaamaan a a aa a a ak¨ytt¨j¨¨ v¨litt¨m¨sti toiminnan aikana. Johtuen riskin ja turvallisuuden subjektiivisesta luonteesta, a a aa a o aselkein ja kustannustehokkain tapa pienent¨¨ riskej¨ on turvallisuusilmapiirin parantaminen vaikut- aa atamalla ty¨ntekij¨n toimiin muuttamalla h¨nen k¨ytt¨ytymismallejaan. Erilaiset ’behavioural safety’ o a a a a-ohjelmat ovatkin suurten organisaatioiden turvallisuuskulttuurin keskeisimpi¨ osia. aSivum¨¨r¨: 114 aa a Avainsanat: Koneturvallisuus, RiskiarviointiT¨ytet¨¨n tiedekunnassa a aaHyv¨ksytty: a Kirjasto:
  • Helsinki University of Technology Abstract of master’s thesisFaculty of Electronics, Communications and AutomationAuthor: Teppo-Heikki SaariDepartment: Department of Electrical EngineeringMajor subject: Computational ScienceMinor subject: Systems and Operations ResearchTitle: Machinery Safety Risk Assessment of a Metal Packaging CompanyTitle in Finnish: Pakkausmateriaalitehtaan koneturvallisuuden riskiarviointiChair: S-114 Computational sciencesSupervisor: Prof. Jouko LampinenInstructor: M.Sc. Hanna N¨¨tsaari aaAbstract:The occupational health and safety legislation of the EU and Finland require employers to assess workenvironment risks in order to secure and maintain the employees’ working capacity. Although therequirement comes through the use of legislation, it is not fulfilled by every entrepreneur in Finland.Especially the small and middle-sized companies have had a problem with the lack of resources andof easily applicable and productive methodology.The aim of this study is to find out what kind of concepts are generally related to safety and riskassessments, and what kind of methods are used to assess risk and human error. In addition, risks ina packaging materials factory were assessed by using a certain method, and the results and factorsgenerally affecting the risk assessment process were analysed in this thesis.The probability of hazard realisation is included in the concept of risk. The method used to assessthe risks at the site is based on expert judgement, which implies that the assessment results aresubjective in nature. The method can produce very different results depending on the assessor. Greatvariation in results lead to uncertainty in hazard ranking, and it has an effect on the subsequent –possibly costly – decisions that have not been made based on the most accurate information aboutthe safety situation of work environment. This uncertainty can be reduced by clarifying operationalmodes and by improving method documentation.It is possible to control risks in many different ways. Regulational controls aim at reducing existingrisks and preventing new ones. Physical controls directly protect the operator during the operation.Due to the subjective nature of risk and safety, the most clear and cost-effective way of reducing risk isimproving safety climate through affecting employee actions by changing his or her behaviour patterns.Various behavioural safety programs are a central part of safety culture in large organisations.Number of pages: 114 Keywords: Machinery safety, Risk assessmentDepartment fillsApproved: Library code:
  • - 3
  • He who knows and knows he knows,He is wise – follow him;He who knows not and knows he knows not,He is a child – teach him;He who knows and knows not he knows,He is asleep – wake him;He who knows not and knows not he knows not,He is a fool – shun him. — Arabian proverbScience perishes by systems that are nothing but beliefs;and Faith succumbs to reasoning. For the two Columnsof the Temple to uphold the edifice, they must remainseparated and be parallel to each other. As soon asit is attempted by violence to bring them together,as Samson did, they are overturned, and the wholeedifice falls upon the head of the rash blind man or therevolutionist whom personal or national resentmentshave in advance devoted to death. — Albert Pike
  • PrefaceI wish to express my gratitude to all of those who made this thesis possible. In Helsinki, December 6, 2009 Teppo-Heikki Saari ii
  • ContentsPreface iiAbbreviations vi1 Introduction 1 1.1 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 1.1.1 The Site and its operations . . . . . . . . . . . . . . . 2 1.2 Research questions and structure . . . . . . . . . . . . . . . . 32 Overview of risk assessment concepts 4 2.1 Basic definitions . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2.1.1 Risk, hazard, mishap, accident, incident . . . . . . . . 4 2.1.2 Categorisation of risk . . . . . . . . . . . . . . . . . . . 5 2.2 Error . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 2.2.1 Categorisation and taxonomy . . . . . . . . . . . . . . 8 2.2.2 Major error types of interest . . . . . . . . . . . . . . . 9 2.3 Safety . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 2.3.1 Approaches to safety . . . . . . . . . . . . . . . . . . . 11 2.3.2 Safety hindrances . . . . . . . . . . . . . . . . . . . . . 12 2.3.3 Safety facilitators . . . . . . . . . . . . . . . . . . . . . 15 2.4 Human factors . . . . . . . . . . . . . . . . . . . . . . . . . . 173 Overview of risk assessment methods 19 3.1 Probabilistic risk assessment . . . . . . . . . . . . . . . . . . . 20 3.1.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . 20 3.1.2 Defining objectives and methodology and gathering in- formation . . . . . . . . . . . . . . . . . . . . . . . . . 21 iii
  • 3.1.3 Identification of initiating events . . . . . . . . . . . . . 21 3.1.4 Scenario development . . . . . . . . . . . . . . . . . . . 22 3.1.5 Logic modelling . . . . . . . . . . . . . . . . . . . . . . 22 3.1.6 Failure data analysis . . . . . . . . . . . . . . . . . . . 22 3.1.7 Sensitivity analysis . . . . . . . . . . . . . . . . . . . . 23 3.1.8 Risk acceptance criteria . . . . . . . . . . . . . . . . . 23 3.1.9 Interpretation of results . . . . . . . . . . . . . . . . . 25 3.2 Human reliability analysis . . . . . . . . . . . . . . . . . . . . 26 3.2.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . 26 3.2.2 Task analysis . . . . . . . . . . . . . . . . . . . . . . . 27 3.2.3 Database methods . . . . . . . . . . . . . . . . . . . . 27 3.2.4 Expert judgement . . . . . . . . . . . . . . . . . . . . . 27 3.2.5 Technique for Human Error Rate Prediction (THERP) 28 3.3 Other risk and error assessment methods . . . . . . . . . . . . 29 3.3.1 Five steps to risk assessment . . . . . . . . . . . . . . . 29 3.4 Method used by the Company . . . . . . . . . . . . . . . . . . 30 3.4.1 Risk rating . . . . . . . . . . . . . . . . . . . . . . . . 32 3.4.2 Method previously used at the Site . . . . . . . . . . . 374 Risk control and regulation 39 4.1 Physical risk controls . . . . . . . . . . . . . . . . . . . . . . . 40 4.2 Behavioural safety . . . . . . . . . . . . . . . . . . . . . . . . 43 4.3 Regulatory standards in the EU . . . . . . . . . . . . . . . . . 44 4.3.1 The structure of European harmonised standards . . . 45 4.3.2 The European Machinery Directive . . . . . . . . . . . 47 4.4 Regulatory standards in Finland . . . . . . . . . . . . . . . . . 48 4.5 Regulatory standards in the Company . . . . . . . . . . . . . 50 4.5.1 The Company Directives . . . . . . . . . . . . . . . . . 50 4.5.2 OHSAS 18000 . . . . . . . . . . . . . . . . . . . . . . . 515 Case study 52 5.1 Analysis of current safety situation in the Company . . . . . . 52 5.1.1 Accident statistics . . . . . . . . . . . . . . . . . . . . 52 5.1.2 Safety culture and climate . . . . . . . . . . . . . . . . 54 iv
  • 5.1.3 Safety limitations at the Site . . . . . . . . . . . . . . . 57 5.2 Assessing risks with the Company method . . . . . . . . . . . 58 5.2.1 Drum line packaging area . . . . . . . . . . . . . . . . 58 5.2.2 Manually operated slitters and power presses . . . . . . 60 5.2.3 73mm/99mm tin can manufacturing line (CN02) . . . . 61 5.2.4 Machine tools at maintenance department . . . . . . . 626 Discussion 64 6.1 Issues encountered during the assessment process . . . . . . . 64 6.2 Comparison and critique of the methods . . . . . . . . . . . . 65 6.3 Analysis of the results . . . . . . . . . . . . . . . . . . . . . . 67 6.3.1 Are the results valid? . . . . . . . . . . . . . . . . . . . 69 6.4 Addressing the issues encountered during the assessment . . . 707 Conclusion 73References 74Appendix 79A Appendices 79 A.1 Safe system of work instructions for surface grinder . . . . . . 80 A.2 Modified Company method risk scoring components . . . . . . 81B Risk assessment results 82 v
  • AbbreviationsALARP As Low As Reasonably PracticableCCF Common Cause FailureDPH Degree of Possible HarmEEM External Error ModeEHS Environment, Heath and SafetyEOC Error of CommissionFE Frequency of ExposureFMEA Failure Mode and Effect AnalysisFTA Fault Tree AnalysisHEA Human Error AnalysisHEP Human Error ProbabilityHRA Human Reliability AnalysisLO Likelihood of OccurrenceLWDC Lost Work Day CaseMRO Maintenance, repair and operationsNP Number of People at RiskOHCA Occupational Health Care ActOSHA Occupational Safety and Health ActPEM Psychological Error MechanismPPE Personal Protection EquipmentPRA Probabilistic Risk AssessmentPSA Probabilistic Safety AssessmentPSF Performance Shaping FactorRCAP Risk Control Action PlanRCD Residual Current DeviceRHT Risk Homeostasis TheoryRR Risk RatingSRK Skill, rule and knowledgeTHERP Technique for Human Error Rate Prediction vi
  • Chapter 1Introduction1.1 BackgroundSince the days of the Renaissance, when gambler Girolamo Cardano (1500-1571 AD) took the first steps in the development of statistical principles ofprobability, and shortly after that Blaise Pascal and Pierre de Fermat (1654AD) created the theory of probability by solving Paccioli’s puzzle, the con-cept of risk has gone through several phases of evolution and it is nowadayswidely applied in nearly every facet of life. [3]Global competition has lead to higher demands on production systems. Endcustomer satisfaction is dependent on the production systems’ capability todeliver goods and services that meet certain quality requirements. To do sothe systems must be fit for use and thereby fulfil important quality parame-ters. One such parameter is safety.It is human to make mistakes and in any task, no matter how simple, errorswill occur. The frequency at which the errors occur depends on the nature ofthe task, the systems associated with the task and the influence of the envi-ronment in which the task is carried out. Providing safe equipment throughdesign and safe work environment through regulation and practises is the keyto reducing risk and removing occupational hazards in process industry.The technology of safety-related control systems plays a major role in theprovision of safe working conditions throughout industry. Regulations re-quire that suppliers and users of machines in all forms from simple tools toautomated manufacturing lines take all the necessary steps to protect work-ers from injury due to the hazards of using machines. It is through the usageof scientific methods that allow us to comprehensively identify the risks re-lated to working with machinery and to estimate what can go wrong duringthe process.It has been recognised by many authorities that safety should be number onepriority of the industry. Yet, in many cases companies tend to cut resourcesfrom risk assessment and a thorough analysis is never conducted. Although 1
  • the knowledge is readily available for use, many Finnish companies – espe-cially small and middle-sized ones – do not conduct risk assessments. Oneof the aims of this thesis is to examine do the risk assessment methods workand what kind of results they give.My thesis studies various methods of assessing risks in a manufacturingplant. My objective of the thesis to assess production process risks in CrownPakkaus Oy (hereafter referred to as the Site), a speciality packing companypart of CROWN Cork & Seal (hereafter referred to as the Company), as acase study. I have restricted the scope of the thesis to risk analysis of ma-chinery. Also, the other main objective is to give the reader a picture of thekey elements in the field of risk analysis and assessment. These include basicconcepts, methodology, and legislation.1.1.1 The Site and its operationsThe Site’s history goes back to the year 1876, when the family of G.W.Sohlberg began tinsmith products manufacturing in the Helsinki city area.Manufacturing of cans out of lacquered tinplates began in 1909 and the re-quired machines for the printing of sheets were acquired in 1912. Premisesbecame too small for the business, and the company’s operations were trans-ferred in 1948 to the existing factory premises in Herttoniemi, Helsinki. Thecompany acquired the first automated canline in 1959, began manufacturingdrums in 1964, and transferred to the welded cans among the first in Europein 1970. In 1993 the Site was merged into the Europe’s largest packagingcompany Carnaud Metalbox, and later from 1996 onwards the Site has beena part of the world’s leading packaging industry group, Crown Holdings, withheadquarters in the USA. In 1998 the Site started using the current name,Crown Pakkaus Oy.The Site’s clients are major chemistry and food processing companies fromFinland and from the neighbouring areas. The clients in the field of chem-istry are mainly paint, lubricant and chemical companies. The most impor-tant food clients are canning and vegetable companies.The range of packaging manufactured at the Site is wide and it covers thepaint pails from 1 / 3 litre to 20 litre, drums of 200 litre, chemical pails from34 litre to 68 litre, food cans from 73 mm to 99 mm (diameter) and seasonalcans from 155 mm to 212 mm (diameter). The slowest manufacturing pro-cess is capable of producing 6 pieces per minute, and the fastest 400 piecesper minute respectively.The Site operations can be categorised in the following way: pre-printing,printing, manufacturing, storage and maintenance. For the processing ofcolor-print data, the Site has a digital reprography equipment and the equip-ment for manufacturing print film and printing plates. There are three lac-quering lines and three two-colour sheet offset printing lines at the print shop.For packaging manufacturing, the Site has eight automated welding lines, 10 2
  • lines for manufacturing tin can lids/ends, and several individual manuallyoperated machines e.g. power presses and slitters.1.2 Research questions and structureThe thesis aims at answering the following questions: • What kind of concepts does the field of risk management deal with? • What kind of risks can be found in an industrial environment and production processes? • What kind of methods can be used to assess risks? • What matters affect the risk assessment process? • How is it possible to reduce the probability of occurrence of risks?The structure of the thesis is as follows.In the second chapter I examine different concepts related to risk and safetyanalysis. Next, I examine various aspects of risk assessment methods in thethird chapter. In Chapter 4 review some methods of controlling risks. Theseinclude physical controls and regulatory controls. My analysis of regulationstakes into account three viewpoints: the EU, Finnish Government, and TheCompany. The Company case study is introduced after that in Chapter 5.Beginning with a short description of what The Company does and what isthe main purpose of the thesis, I then present the results of the risk assess-ment. The risks were assessed using the Company method. In Chapter 6 Ipresent discussion of the results. Chapter 7 includes the conclusions. 3
  • Chapter 2Overview of risk assessmentconcepts2.1 Basic definitions2.1.1 Risk, hazard, mishap, accident, incidentThe field of risk analysis contains several concepts that are defined invarious ways depending on the author or researcher. In this chapter arepresented definitions of concepts that I have used in this thesis. I havechosen the definitions by their clarity, intelligibility and unambiguity. Theexact wording of concepts vary depending on the author.Risk is a measure of the potential loss occurring due to natural or humanactivities. Potential losses are adverse consequences of such activities inform of loss of human life, adverse health effects, loss of property, anddamage to the natural environment. [33]Accident is an unintentional event which results or could result in an injury,whereas injury is a collective term for health outcomes from traumaticevents [1].Incident is an undesired event that almost causes damage or injury [16].These are events to learn from before any damage has occurred.Much of the wording is comparable to that found in military standardsystem safety requirements. In system safety literature, writers trace theprinciples embodied in military standard system safety requirements to thework of aviation and space age personnel that commenced after World WarII. The U.S. Government standards define concepts like mishap and risk inthe following way.Mishap is an unplanned event or series of events resulting in death, injury,occupational illness, or damage to or loss of equipment or property, ordamage to the environment. Accident. [34]Risk is an expression of the impact and possibility of a mishap in terms of 4
  • potential mishap severity and probability of occurrence. [34]Hazard is a condition that is a prerequisite for an accident. [38]2.1.2 Categorisation of riskThe VTT Technical Research Centre of Finland has prepared a risk assess-ment toolkit for small and middle-sized enterprises [54]. The toolkit is foundon the Internet, and provides information on several types of risks and howto control them. The risks are classified from the point of view of companyand its business, thus taking a broader stand on different business risks. Forthe purpose of clarifying the concept of risk and its different aspects, I shallnow present the different risk views mentioned in the toolkit.Personnel risksThe term ‘personnel risks’ refers to risks to a company’s operations that eitherconcern or are caused by its personnel. At worst, these risks could mean acompany completely losing the input of a key employee, or an employeedeliberately acting against a company’s interests. Personnel risks include: • Fatigue and exhaustion • Accidents and illnesses • Obsolete professional skills • Personal or employment-related disputes • Unintended personal error • Information leaks or theftSmall companies may be more vulnerable to personnel risks. Key expertisemay rest with one person, another may have many ideas of responsibility orthere may be no contingency arrangements in place.Business risksBusiness risks are related to business operations and decision-making. Busi-ness risks involve profit potential. A company can neither be successful in itsoperations or make a profit or fail and suffer losses. The information availablefor the assessment of business risks is difficult to use because of the fact thatbusiness risks are often quite unique. In business, you must recognise prof-itable opportunities before others and react quickly, though decision-making 5
  • may be difficult due to the lack of precise information.Business risks form an extensive field. Because of risk chains, the assessmenthas to reach even the most distant links in the supply chain. For instance,a fire at the plant of a network partner can cause interruptions that lead toa loss of sales income and clientele. Business risks may therefore arise fromthe company’s own or external operations.The character of business risks depends on the company’s field of operationand its size. The risks of a small company differ from those of a larger oneoperating in the same field. The only common factor is that, in the end,companies always bear the responsibility for business risks themselves andcannot take out insurance to cover them.Agreement and liabilitiesAgreements and making agreements are an essential part of business activity.An appropriate agreement clarifies the tasks, rights and responsibilities ofthe parties in agreement. An agreement risk can be caused by the lackof an agreement or deficiencies in an agreement. An agreement risk canbe related to issues such as the way an agreement was made, a partner inthe agreement, making a quotation, general terms of agreement, contractualpenalties/compensation etc.Information risksInformation risks have long been underestimated and inadequately managed.All companies have information that is critical to their operation, such ascustomer and production management information, product ideas, market-ing plans, etc. There is a lot of information in different forms: personalexpertise and experience-based knowledge, agreements, instructions, plans,other paper documents, and electronic data e.g. customer, order and salaryinformation.Product risksA company earns its income from its products and services. Launching prod-ucts onto the market always involves risks. Errors in decision-making con-cerning products may prove very expensive. These risks can be reducedthrough systematic risk management that covers the entire range of productoperations and all product-related projects. 6
  • Environmental risksEnvironmental risks refer to risks that can affect the health and viability ofliving things and the condition of the physical environment. Environmen-tal risks can be caused by the release of pollutants to air, land or water.Environmental damage can also be caused by irresponsible use of energyand natural resources. Pollutants can include waste (controlled waste, spe-cial waste), emissions to air due to production or usage of the product (e.g.smoke, fumes, dusts, gases, etc.), releases to the ground and water systems(e.g. effluent, chemicals, oil/fuel discharges, etc.), noise (vibration, light, etc.if causing a nuisance), and radiation.Environmental risks can be hidden and cause damage over a long period oftime. A disused refuse pump can contaminate the ground around it. Anenvironmental risk can also emerge suddenly e.g. due to an accident. Achemical container that breaks during transport can result in the leakageof harmful substances into the ground, a water system, the air or a surfacewater drain.Project risksA project is a singular undertaking with an objective, schedule, budget, man-agement and personnel. There are two main types of project: • Delivery projects in which a customer is promised the delivery of a product or a service by a defined date and under stipulated conditions. • Development projects in which, for instance, a new device is developed for a company’s own use.These project types are often combines in small and middle-sized enterprises.A typical project frequently calls for some development work or tailoringbefore the product or service intended to meet the customer’s needs, canbe delivered. Projects are difficult and risky because each is unique andso nearly everything is new, such as the workgroup, customer or product.Projects are also subject to disturbances because there are usually severalprojects in progress the same company, and they compete in importance aswell as for resources – at worst interfering with each other.Crime risksMost crimes against companies are planned beforehand. Typically, a com-pany becomes an object of a crime because criminals observe it as a suitabletarget. In addition to preventing costs caused by crime, the management ofcrime risks also helps in the management of a company’s other risks. Struc-tural protection and alarm systems can prevent fire and information risks as 7
  • well as property risks. At the same time, indirect costs caused by interrup-tions in production, cleaning up the consequences of vandalism and delayeddeliveries are prevented.2.2 ErrorThe term error refers strictly to human actions in contrast to risk or hazardwhich may be due to circumstances and environment when no human hascontributed to the situation. A human error is an unintended failure of a purposeful action, either singly or as part of a planned sequence of actions, to achieve an unintended outcome within set limits of tolerability pertaining to either the action or the outcome. [55]There are three major components to an error [24]: • External Error Mode (EEM) is the external manifestation of the error (eg. Closed wrong valve) • Performance Shaping Factors (PSF) influence the likelihood of the error occurring (eg. Quality of the operator interface, time pressure, training, etc.) • Psychological Error Mechanism (PEM) is the ‘internal’ manifestation of error (how the operator failed, in psychologically meaningful terms, eg. Memory failure, pattern recognition, etc.)2.2.1 Categorisation and taxonomyThe skill, rule and knowledge (SRK) based taxonomy was developed by Ras-mussen [40] and has since been widely adopted as a model for describinghuman performance in a range of situations.Skill based behaviour represents the most basic level of human performanceand is typically used to complete familiar and routine tasks that can be car-ried out smoothly in an automated fashion without a great deal of consciousthought. In order to complete the task successfully, the tasks that can be car-ried out using this type of behaviour are so familiar that little or no feedbackof information from the external or work environment is needed. A typicalrange of error probability for skill based tasks is from as high as 0.005 (al-ternatively expressed as 5.0E-03) or 1 error in 200 tasks to as low as 0.00005(5.0E-05) or 1 error in 20,000 tasks on average. [15]Rule based behaviour is adopted when it is required to carry out more com-plex or less familiar tasks than those using skill based behaviour. The task 8
  • is carried out according to a set of stored rules. Although these rules mayexist in the form of a set of written procedures, they are just as likely to berules that have been learned from experience or through formal training andwhich are retrieved from memory at the time the task is carried out. Errorprobability values for rule based tasks are typically an order of magnitudehigher than for skill based tasks. They lie within the range from 0.05 (5.0E-02) or 1 error in 20 tasks to 0.0005 (5.0E-04) or 1 error in 2000 tasks onaverage. [15]Knowledge based behaviour is adopted when a completely novel situation ispresented for which no stored rules, written or otherwise, exist and yet whichrequires a plan of action to be formulated. While there is clearly a goal tobe achieved, the method of achieving it will effectively be derived from firstprinciples. Once a plan or strategy has been developed, this will be put intopractice using a combination of skill and rule based actions, the outcome ofwhich will be tested against the desired goal until success is achieved. Knowl-edge based tasks have significantly higher error probabilities than either skillor rule based tasks mainly because of the lack of prior experience and theneed to derive solutions from first principles. Error probability values varyfrom 0.5 or 1 error in 2 tasks to 0.005 (5.0E-03) or 1 error in 200 tasks onaverage. [15]2.2.2 Major error types of interestIn contrast to the rough labeling of errors according to their probabilityof occurrence given by the SRK taxonomy, it is also possible to categoriseerrors by their nature of occurrence, i.e. their root cause. The followingcategorisation of different error types is omitted from [24]. • Slips and lapses (action execution errors): The most predictable errors, usually characterised by being simple errors of quality of performance or by being omission or sequence errors. A slip is a failure of the execution as planned (eg. Too much or too little force applied). A lapse is an omission to execute an action as planned due to a failure of memory or storage (eg. Task steps carried out in wrong sequence). • Diagnostic and decision-making (cognitive) errors: These relate to a misunderstanding, by the operators of what is happening in the sys- tem and they are usually due to insufficient operator support (design, procedures and training). Such errors have an ability to alter accident progression sequences and to cause failure dependencies between redun- dant and even diverse safety and backup technical systems. This type of error includes misdiagnosis, partial diagnosis and diagnostic failure. • Maintenance errors and latent failures: Most maintenance errors are due to slips and lapses, but in maintenance and testing activities, which 9
  • may lead to immediate failures or to latent failures whose impact is de- layed (and thus may be difficult to detect prior to an accident sequence). Most PSAs make assumptions that maintenance failures are implicitly included in component and system availability data. However, it is less clear that such maintenance data used in the PSA can incorporate the full impact of latent failures. • Errors of commission (EOC): An EOC is one in which the operator does something that is incorrect and also unrequired. Such errors can arise due to carrying out actions on the wrong components, or can be due to a misconception, or to a risk recognition failure. These EOCs can have large impact on system risk and they are very difficult to identify (and hence anticipate and defend against). • Rule violations: There are two main types of violations (Reason 1990). The ‘routine’ rule violation where the violation is seen as being of neg- ligible risk and therefore it is seen as acceptable and even a necessary pragmatic part of the job. The ‘extreme’ violation where the risk is largely understood as being real, as is the fact that it is a serious viola- tion. Rule violations are relatively unexpected and can lead to failure of multiple safety systems and barriers. PSAs rarely include violations quantitatively. • Idiosyncratic errors: Errors due to social variables and the individual’s current emotional state when performing a task. They are the result of a combination of fairly personal factors in a relatively unprotected and vulnerable organisational system. Some accidents fall into this category, and they are extremely difficult to predict, as they relate to covert social factors not obvious from a formal examination of the work context. These errors are of particular concern where, for example, a single individual has the potential to kill a large number of persons. They are not dealt with in PSA or HRA. • Software programming errors: These errors are of importance due to the prevalence of software-based control systems required to economi- cally control large complex systems. They are also important in other areas and for any safety critical software applications generally. Typi- cally there are few if any techniques applied which predict human errors in software programming. Instead, effort is spent on verifying and val- idating software to show it is error-free. Unfortunately complete and comprehensive verification of very large pieces of software is intractable due to software complexity and interactiveness.Whittingham [55] divides root causes of human errors into two categories,externally induced and internally induced errors. Externally induced hu-man errors are the factors that have a common influence on two or more 10
  • tasks leading to dependent errors which may thus be coupled together. Ex-amples of these adverse circumstances are deficiencies in organisation of thetask, poor interface design, inadequate training, and excessive task demands.Internally induced errors are sometimes called ’within-person dependency’.They are found in the same individual carrying out similar tasks which areclose together in time or space.2.3 SafetySafety may be the absence of accidents or threats, or it can be seen as theabsence of risks, which for some is unrealistic. It may also be the balancebetween safety and risks, i.e. an acceptable level of risk. [16] It is thuspossible to have a high risk level but even higher safety. Rochlin [45] arguesthat “the ‘operational safety’ is not captured as a set of rules or procedures,of simple, empirically observed properties, of externally imposed training ormanagement skill, or of a decomposable cognitive or behavioural frame”.Safety is related to external threats, and the perception of being shelteredfrom threats. Safety is not the opposite of risk but rather of fear, includinga subjective dimension, but it does not encompass positive health or aim atsomething beyond prevention. Defining an organisation as safe because ithas a low rate of error or accidents has the same limitation as defining healthas not being sick. [44] Safety may be seen as an important quality of workregardless of the frequency of accidents by regarding safety as larger thanjust the absence of risk or fear. [1]2.3.1 Approaches to safetyTechnical approachThe engineering approach focuses on the development of formal reliabilityand systems modelling, with only limited attention to some of the complexi-ties of the human issues involved. [39] The risk is viewed as deriving from thetechnical/physical environment. Technicians are the ones doing safety work,and changes in the technical environment are the way to reduce accidents. Acommon means for technical safety is passive prevention, which means thatsafety should be managed without active participation of humans.By means of safety rounds, audits, accident investigations, risk and safetyanalyses, it is presumed possible to measure the level of safety within theorganisation. The result is then analysed, providing a basis for formulatingaction plans and making decisions to reach the target level of safety. Stan-dards and routines offer assurances that the safety activities are good enough.[11] 11
  • Psychological approachThe psychological approach to risk and safety focuses on the individual per-spective, investigating perception, cognition, attitudes and behaviour. [39]Some researchers have studied how people estimate risks and make choicesamong alternatives (e.g. [48]). “Risk is largely seen as a taken-for-grantedobjective phenomenon that can be accurately assessed by experts with thehelp of scientific methods and calculations. The phenomenon to be explainedis primarily the malleability of risk perceptions“. [51] Individuals’ percep-tions of risk are influenced by the arguments concerning hazards that areprevalent in a particular society at a certain time. All organisations oper-ate with a variety of beliefs and norms with respect to hazards and theirmanagement, which might be formally laid down in rules and procedures, ormore tacitly taken for granted and embedded within the culture of everydayworking practices. Organisational culture may be expressed through sharedpractices. The process by which culture is created and constructed shouldbe borne in mind when organising everyday work. [43]2.3.2 Safety hindrancesControl and powerMany of today’s safety management systems are built on control. Managingrisk through control does not take into account the fact that individuals areintentional in how they define and carry out tasks. D¨os and Backstr¨m o¨ o[11] state that production problems which call for corrections in a hazardouszone may be impossible to handle. The machinery or safety rules may notbe flexible when changes in production are required. Production is usuallyconsidered more important than safety.The question of politics and power is not addressed in most models anddiscussions. The myth of individual control leads to a search for someone toblame instead of searching for the causes of accidents. [39] It is therefore ofimportance to ask who is defining the risk, safety and the accident, and whois responsible for the consequences. Does the responsibility for risk meanresponsibility for errors?Whittingham describes the concept of blame culture: ”Companies and/or industries which over-emphasise individual blame for human error, at the expense of correcting defective systems, are said to have a ‘blame culture’. Such organisations have a number of characteristics in common. They tend to be se- cretive and lack openness cultivating an atmosphere where errors are swept under the carpet. Management decisions affecting staff tend to be taken without staff consultation and have the appear- ance of being arbitrary. The importance of people to the success 12
  • of the organisation is not recognised or acknowledged by man- agers and as a result staff lack motivation. Due to the emphasis on blame when errors are made, staff will try to conceal their er- rors. They may work in a climate of fear and under high levels of stress. In such organisations, staff turnover is often high resulting in tasks being carried out by inexperienced workers. The factors which characterise a blame culture may in themselves increase the probability of errors being made.” [55]Work stressOne of the most important situational moderators of stress is perceived con-trol over the environment. Karasek [22] introduced the job demand-controlmodel, stating that jobs which have low job demands and low levels of con-trol (e.g. repetitive assembly line work) create strain. Control in this modelmeans (1) to have the power to make decisions on the job (decision author-ity) and (2) to have use for a variety of skills in the work (skill discretion).Stress is the overall transactional process, stressors are the stimuli that areencountered by the individuals, and strains are the psychological, physicaland behavioural responses to stressors. These factors are intrinsic to the jobitself and include variables such as the level of job complexity, the variety oftasks performed, the amount of control that individuals have over the placeand timing of their work, and the physical environment in which the work isperformed.Stress can also be related to roles in the organisation. Dysfunctional rolescan occur in two primary ways: role ambiguity: lack of predictability of theconsequences of one’s role performance and a lack of information needed toperform the role; and role conflict: competing or conflicting job demands.The association between role conflict and psychosocial strain is not as strongas that between ambiguity and strain. [6]Conflict between safety and production goalsA constant demand for effective resource allocation and short-term revenuesfrom investment may result in priorities that are in opposition to safety,reducing redundancy, cutting margins, increasing work pace, and reducingtime for reflection and learning. Landsbergis et al. [27] found that lean pro-duction creates intensified work pace and demands on the workers.Rasmussen [41] proposed a model that indicates a conflict between safe per-formance and cost-effectiveness. The safety defences are likely to degeneratesystematically through time, when pressure toward cost-effectiveness is dom-inant. The stage for an accidental course of events is very likely preparedthrough time by the normal efforts of many actors in their respective dailywork context, responding to the standing request to be cost-effective. Ulti- 13
  • mately, a quite normal variation in somebody’s behaviour can then releasean accident. Had this particular root cause been avoided by some additionalsafety measure, the accident would very likely have been released by anothercause at another point in time. In other words, an explanation for the acci-dent in terms of events, acts and errors is not very useful for the design ofimproved safety. It is important to focus not on the human error but on themechanisms generating behaviour in the actual dynamic work context. [41]Attitudes and normsSlovic [47] stated that risk is always subjective. There is no such thing asa real risk or objective risk. The concept of risk depends on our mind andculture and is invented to help us understand and cope with the danger anduncertainties of life. Slovic [47] stated that trust is an important element inrisk acceptance, and should be further investigated. To be socialised into thework role is to understand what is accepted and what is not.In the beginning, reactions towards obvious risks may occur, but may bedifficult to express, and safety has to be trusted. After an introductory pe-riod, during which risk and safety knowledge may be low, perception maybe higher, but along with increased experience risks may become acceptedas normal. Holmes et al. [18] also found that blue-collar workers regardedoccupational injury risk as a normal feature of the work environment and anacceptable part of the job. An experienced worker may become home-blindand not react to hazards. The reinforcement by risks that have been avoidedor mastered may also provide a false sense of safety.The risk homeostasis theory (RHT), presented by Wilde [57], stated thatpeople have a target level of risk, the level that they accept. This level de-pends on perceived benefits and disadvantages of safe and unsafe behaviour.The frequency of injuries is maintained over time through a closed loop.Whenever one perceives a discrepancy between target risk and experiencedrisk, an attempt is made to restore the balance through some behaviouraladjustment.Organisational culture, structural secrecy and unclear communication of in-formation are found to influence towards a normalisation of deviance, whichin turn may lead to failure to foresee risks. Deviance from the originalrules becomes normalised and routine, as informal work systems compen-sate for the organisation’s inability to provide the necessary basic resources(e.g. time, tools, documentation with a close relationship to action). [10] 14
  • 2.3.3 Safety facilitatorsParticipationMuch intervention research has emphasised the benefits of a participatoryapproach. Participation will improve the information and idea generation,engaging those who know most about the current situation. Participationmay result in a ‘sense of ownership’ and a greater commitment to a goal ora process of change. Behavioural change is likely to be more sustainable if itemerges from the need of the persons involved and with their active partici-pation, rather than being externally imposed. [50]Safety management, risk analyses and interventions are normally conductedby experts on safety. This information and these activities are not only im-portant for designers, technicians or safety committees. Safety work couldbenefit from involving the operating people, taking an active participatorypart. Using this approach in safety intervention work, the participants in-stead of a safety expert will own the process, being their own experts on theirspecial problems and abilities. [50]Social support and empowermentSocial support has been found to be of importance for behavioural change aswell as a moderator of felt work stress. [23] Risks and injuries are delicatesubjects and particularly so if linked to personal mistakes and shortcomings.A supportive social climate with a non-judging and respectful atmosphere isvital to encourage sharing such experiences.There are different sorts of social support: emotional, evaluative, informa-tional and instrumental. [19] The effects and mechanism of social supportcan be to fulfil fundamental human needs such as security, or social contact.It can also provide support in reducing interpersonal conflicts, i.e. prioritis-ing, and it may also have a buffering effect, modifying the relation betweena stressor and health.Perceived self-efficacy plays an important role in the causal structure of socialcognitive theory, because efficacy beliefs affect adaptation and change. [2]Unless people believe they can produce and foretell their actions, they havelittle incentive to act or to persevere in the face of difficulties. Other motiva-tors are rooted in the core belief that one has the power to produce effects byone’s actions. Efficacy beliefs also influence whether people think pessimisti-cally or optimistically and in ways that are self-enhancing or self-hindering.[2] 15
  • CommunicationCommunication is a key factor binding an organisation together. If risks andsafety are not communicated at and through all levels of the organisation,there will be little understanding of the risks and safety. Lundgren [28] statedthat the risk communication process must be a dialogue, not a monologuefrom either party. Continuous feedback and interpretations are necessary forcommunication to be effective, which forms the basis for the continuous safeoperation. Communication is linked to a systems view and the capability offinding, and analysing risks and implementing safety measures. [45]Effective communication needs openness so that sensitive information canbe outspoken and the question of error, responsibility, blame and shameis openly dealt with in the communication of accidents. All members of anorganisation need feedback, not only in their specific area of responsibility butalso on how the operating level functions and handles the complexity in whichthey operate. It is also of importance to anchor policies, goals and changesand to make them comprehensible and meaningful. [50] Saari stated thatknowledge of risk is not enough to bring about changes in unsafe behaviour,and that decision-making is influenced by feelings. Therefore, social feedbackencouraging safe behaviour has been quite successful in modifying behaviour.[46]LearningLearning is a key characteristic of safe organisations. [39] D¨os and Back- o¨str¨m [11] stated that demands on control and demands on learning and oacting competently appear to come into conflict. The critical competitivefactor for success is not only competence but also its development and re-newal.To learn implies changing one’s ways of thinking and/or acting in relation tothe task one intends to perform. The outcome of learning has two aspects.Within the individual, learning is expressed as constructing and reconstruct-ing one’s cognitive structures or thought networks. Outwardly, visible signsof learning are changed ways of acting, performing tasks and talking. Indi-vidual experiential learning [32] can be understood as an ongoing interchangebetween action and reflection, where past experiences provide the basis forfuture ones. Active participation and personal action are prerequisites forthe learning process to take place.Safety culture/climateSafety climate reflects the symbolic (e.g. posters in the workplace, state ofthe premises, etc.) and political (e.g. managers voicing their commitment tosafety, allocation of budgets to safety, etc.) aspects of the organisation which 16
  • constitute the work environment. On the other hand, safety culture is madeup of the cognition and emotion which gives groups, and ultimately theorganisation, its character. Unlike safety management and climate, whichcan often be a reactive response to a certain situation, the safety cultureis a stable and enduring feature of the organisation. [56] Flin et al. [12]found that safety climate can be seen as a snapshot of the state of safety,providing an indicator of the underlying safety culture of a work group, plantor organisation. In their review of 18 studies, they identified the six mostcommon themes in safety climate. These were: 1. the perceptions of management attitudes and behaviour in relation to safety, 2. different aspects of the organisational safety management system, 3. attitudes towards risk and safety, 4. work pressure as the balance maintained between pressure for produc- tion and safety, 5. the workforce perception of the general level of workers’ competence, 6. perception of safety rules, attitudes to rules and compliance with or violation of procedures.A number of techniques have been employed to measure safety culture, themost common method is a self-completion questionnaire. Employees respondby indicating the extent to which they agree or disagree with a range of state-ments about safety e.g. “senior management demonstrate their commitmentto safety”. The data obtained from the questionnaires are analysed to identifyfactors or concepts that influence the level of safety within the organisation.2.4 Human factorsHuman factors are defined as: “. . . ..environmental, organisational and job factors, and human and individual characteristics which influence behaviour at work in a way which can affect health and safety”. [17]Good human factors in practice is about optimising the relationships betweendemands and capacities in considering human and system performance (ieunderstanding human capabilities and fallibilities). The term is used muchmore in the safety context than ergonomics even though they mean verymuch the same thing. Like Human Factors, ergonomics deals with the in-teraction of technological and work situations with the human being. The 17
  • job must ‘fit the person’ in all respects and the work demands should notexceed human capabilities and limitations. The meaning of ergonomics ishard to distinguish from human factors, but is sometimes associated morewith the physical design issues as opposed to cognitive or social issues, andwith health, well being and occupational safety, rather than with the designof major hazard systems.Tasks should be designed in accordance with ergonomic principles to takeinto account limitations and strengths in human performance. Matching thejob to the person will ensure that they are not overloaded and that the mosteffective contribution to the business results. Physical match includes thedesign of the whole workplace and working environment. Mental match in-volves the individual’s information and decision-making requirements, as wellas their perception of the tasks and risks. Mismatches between job require-ments and people’s capabilities provide the potential for human error.People bring to their job personal attitudes, skills, habits and personalitieswhich can be strengths or weaknesses depending on the task demands. In-dividual characteristics influence behaviour in complex and significant ways.Their effects on task performance may be negative and may not always bemitigated by job design. Some characteristics such as personality are fixedand cannot be changed. Others, such as skills and attitudes, may be changedor enhanced.Organisational factors have the greatest influence on individual and groupbehaviour, yet they are often overlooked during the design of work and dur-ing investigation of accidents and incidents. Organisations need to establishtheir own positive health and safety culture. The culture needs to promoteemployee involvement and commitment at all levels, emphasising that devi-ation from established health and safety standards is not acceptable. 18
  • Chapter 3Overview of risk assessmentmethodsIn this chapter we take a look at the well-established procedures for carryingout a risk assessment on a machine or assembled group of machines.Carrying out a risk assessment on a machine or assembled group of machinesis a well-established procedure in a European Commission standard EN 1050.[13] This procedure forms the basis of most safety design studies that haveto be carried out on machines to satisfy the requirements of the regulations.The standard points out that: • Risk assessment should be based on a clear understanding of the ma- chine limits and its functions. • A systematic approach is essential to ensure a thorough job. • The whole process of risk assessment must be documented for control of the work and to provide a traceable record for checking by other parties.EN 1050 describes risk assessment as a process intended to help designersand safety engineers define the most appropriate measures to enable them toachieve the highest possible levels of safety, according to the state of the artand the resulting constraints. The standard also defines several techniquesfor conducting a risk assessment, including the following: What-If method,Failure Mode and Effect Analysis (FMEA), Hazard and Operability Study(HAZOPS), Fault Tree Analysis (FTA), Delphi technique, Defi method, Pre-liminary Hazard Analysis (PHA), and Method Organised for a SystematicAnalysis of Risks (MOSAR). 19
  • 3.1 Probabilistic risk assessment3.1.1 IntroductionThe Finnish work safety regulations require the employer to conduct riskassessments that evaluate the safety of the workplace. It is stated in theOccupational Safety and Health Act [37] that ”Employers are required to take care of the safety and health of their employees while at work by taking the necessary measures. For this purpose, employers shall consider the circumstances re- lated to the work, working conditions and other aspects of the working environment as well as the employees’ personal capaci- ties.”In addition, ”Employers shall design and choose the measures necessary for improving the working conditions as well as decide the extent of the measures and put them into practice. ”Probabilistic Risk Assessment (PRA), also known as Probabilistic SafetyAssessment (PSA), is a systematic procedure for investigating how complexsystems are built and operated. The PRAs model how human, software, andhardware elements of the system interact with each other. The methodologywas first used in the USA in 1975 to assess and analyse the potential risksleading to severe accidents in nuclear power plants. [42]The study involved a list of potential accidents in nuclear reactors, estimationof the likelihood of accidents resulting in radioactivity release, estimationof health effects associated with each accident, and comparison of nuclearaccident risk with other accident risks. Since the WASH-1400 report theunderstanding of PSA has increased and it has become a useful tool in riskanalysis. A similar method is used by the NASA in analysing the risks inspace shuttle missions. One of the most important features of PSA is itsquantitative probability assessment of different components and events.The methodology includes several phases which can also be used indepen-dently to examine possible failures within a system. A risk assessmentamounts to addressing three very basic questions posed by Kaplan and Gar-rick: [21] 1. What can go wrong? 2. How likely is it? 3. What are the consequences? 20
  • The answer to the first question leads to identification of the set of undesir-able scenarios. The second question requires estimating the probabilities (orfrequencies) of these scenarios, while the third estimates the magnitude ofpotential losses.The NASA PRA Guide [49] describes the components of the PRA a modifiedversion. Each component is discussed in more detail in the following.3.1.2 Defining objectives and methodology and gath- ering informationPreparing for a PRA begins with a review of the objectives of the analysis.Among the many objectives possible, the most common ones include designimprovement, risk acceptability, decision support, regulatory and oversightsupport, and operations and life management. Once the object is clarified,an inventory of possible techniques for the desired analyses should be de-veloped. The available techniques range from required computer codes tosystem experts and analytical experts.The resources required for each analytical method should be evaluated, andthe most effective option selected. The basis for the selection should be doc-umented, and the selection process reviewed to ensure that the objectives ofthe analysis will be adequately met.A general knowledge of the physical layout of the overall system, adminis-trative controls, maintenance and test procedures, as well as hazard barriersand subsystems (whose purpose is to protect, prevent, or mitigate hazardexposure conditions) is necessary to begin the PRA. A detailed inspection ofthe overall system must be performed in the areas expected to be of interestand importance to the analysis.3.1.3 Identification of initiating eventsA system is said to operate in a normal operation mode as long as the systemis operating within its design parameter tolerances, there is little chance ofchallenging the system boundaries in such a way that hazards will escapethose boundaries. During normal operation mode, loss of certain functionsor systems will cause the process to enter an off-normal (transient) state.Once in this state, there are two possibilities. First, the state of the systemcould be such that no other function is required to maintain the process oroverall system in a safe condition. The second possibility is a state whereinother functions are required to prevent exposing hazards beyond the systemboundaries. For the second possibility, the loss of the function or the systemis considered as an initiating event (IE).One method for determining the operational IEs begins with first drawinga functional block diagram of the system. From the functional block di- 21
  • agram, a hierarchical relationship is produced, with the process objectivebeing successful completion of the desired system. Each function can thenbe decomposed into its subsystems and components, and can be combinedin a logical manner to represent operations needed for the success of thatfunction.3.1.4 Scenario developmentThe goal of scenario development is to derive a complete set of scenariosthat encompasses all of the potential exposure propagation paths thatcan lead to loss of containment or confinement of the hazards, followingthe occurrence of an initiating event. To describe the cause and effectrelationship between initiating events and subsequent event progression, itis necessary to identify those functions that must be maintained, activatedor terminated to prevent loss of hazard barriers. The scenarios that describethe functional response of the overall system or process to the initiatingevents are frequently displayed by the event trees.3.1.5 Logic modellingEvent trees commonly involve branch points which shows if a given sub-system (or event) either work (or happens) or does not work (or does nothappen). Sometimes, failure of these subsystems is rare and there may notbe an adequate record of observed failure events to provide a historical basisfor estimating frequency of their failure. In such cases, other logic-basedanalysis methods such as fault trees or master logic diagrams may be used,depending on the accuracy desired. The most common method used in PRAto calculate the probability of subsystem failure is fault tree analysis.Different event tree modelling approaches imply variations in the complexityof the logic models that may be required. If only main functions or systemsare included as event tree headings, the fault trees become more complexand must accommodate all dependencies among the main and supportfunctions within the fault tree. If support functions or systems are explicitlyincluded as event tree headings, more complex event trees and less complexfault trees will result.3.1.6 Failure data analysisHardware, software, and human reliability data are inputs to assess perfor-mance of hazard barriers, and the validity of the results depends highly onthe quality of the input information. It must be recognised that historical 22
  • data have predictive value only to the extent that the conditions under whichthe data were generated remain applicable. Collection of the various failuredata consists fundamentally of the following steps: collecting and assessinggeneric data, statistically evaluating facility- or overall system-specific data,and developing failure probability distributions using test or facility- andsystem-specific data. The three types of events must be quantified forthe event trees and fault trees to estimate the frequency of occurrence ofsequences: initiating events, component failures, and human error.After establishing probabilistic failure models for each barrier or componentfailure, the parameters of the model must then be estimated. Typicallythe necessary data include time of failures, repair times, test frequencies,test downtimes, and common cause failure (CCF) events. One might alsonon-parametric models and simulate the results.3.1.7 Sensitivity analysisIn a sensitivity analysis, an input parameter, such as a component failurerate in a fault tree logic model, is changed, and the resulting change in thetop event probability is measured. This process is repeated using either dif-ferent values for the same parameter or changing different parameters by thesame amount.There are various techniques for performing sensitivity analyses. These tech-niques are designed to determine the importance of key assumptions andparameter values to the risk results. The most commonly used methods areso-called “one-at-a-time” methods, in which assumptions and parameters arechanged individually to measure the change in virtually any input or modelassumption and observe their impact in final risk calculations.The key challenge in engineering risk analysis is to identify the elements of thesystem or facility that contribute most to risk and associated uncertainties.To identify such contributors, the common method used is the importanceranking. These importance measures are used to rank the risk-significanceof the main elements of the risk models in terms of their contributions to thetotal risk.3.1.8 Risk acceptance criteriaIn an engineering risk assessment, the analyst considers both the frequency ofan initiating event and the probabilities of such failures within the engineer-ing system. In a health risk assessment, the analyst assesses consequencesfrom situations involving chronic releases of certain amount of chemical andbiological toxicants to the environment with no consideration of the frequencyor probability of such releases.The ways for measuring consequences are also different in health and engi- 23
  • neering risk assessments. Health risk assessment focuses on specific toxicantsand contaminants and develops a deterministic or probabilistic model of theassociated exposure amount and resulting health effects, or the so-calleddose-response models. The consequences are usually in form of fatality. Inengineering risk assessment, the consequence varies. Common consequencesinclude worker health and safety, economic losses to property, immediate orshort-term loss of life, and long-term loss of life from cancer. One useful wayto represent the final risk values is by using the so-called Farmer’s curves. Inthis approach, the consequence is plotted against the complementary cumu-lative distribution of the event frequency.Individual risk is one of the most widely used measures of risk and is definedas the fraction of the exposed population to a specific hazard and subsequentconsequence per unit time. Societal risk is expressed in terms of the totalnumber of casualties such as the relation between frequency and the numberof people affected from a specified level of consequence in a given populationfrom exposure to specified hazards. [33]The ALARP (as low as reasonably practicable) principle [31] recognises thatthere are three broad categories of risk: 1. Negligible risk: Broadly accepted by most people as they go about their everyday lives. Examples of this kind of risks might be being struck by lightning or having brake failure in a car. 2. Tolerable risk: One would not rather have the risk but it is tolerable in view of the benefits obtained by accepting it. The cost in inconvenience or in money is balanced against the scale of risk and a compromise is accepted. This would apply to e.g. travelling in a car. 3. Unacceptable risk: The risk level is so high that we are not prepared to tolerate it. The losses far outweigh any possible benefits in the situation.The principle is depicted in Figure 3.1. 24
  • ! Figure 3.1: ALARP and risk tolerance regions (adapted from [55]) 3.1.9 Interpretation of results When the risk values are calculated, they must be interpreted to determine whether any revisions are necessary to refine the results and the conclusions. The adequacy of the PRA model and the scope of analysis is verified. Also, characterising the role of each element of the system in the final results is necessary Based on the results of the interpretation, the details of the PRA logic, its assumptions, and scope may be modified to update the results into more realistic and dependable values. The basic steps of the PRA results interpretation are: 1. Determine the accuracy of the logic models and scenario structures, assumptions, and scope of the PRA. 2. Identify system elements for which better information would be needed to reduce uncertainties in failure probabilities and models used to cal- culate performance. 3. Revise the PRA and reinterpret the results until attaining stable and accurate results. 25
  • 3.2 Human reliability analysis3.2.1 IntroductionHuman actions are an essential part of the operation and maintenance ofmachinery, both normal and abnormal conditions. Generally, man can en-sure a safe and economic operation by proactive means, but in disturbancesa reactive performance may also be required. Thus, human actions affectboth the probability of risk significant events and their consequences, andthey need to be taken account in PSA. Without incorporating human errorprobabilities (HEPs), the results of risk analysis are incomplete.The measurement of human reliability is necessary to provide some assur-ance that complex technology can be operated effectively with a minimum ofhuman error and to ensure that systems will not be maloperated leading toa serious accident. To estimate HEPs, and thus human reliability, one needsto understand human behaviour, which is very difficult to model. HEP isdefined as the mathematical ratio: Number of errors occurring in a task HEP = (3.1) Number of opportunities for errorPractically all HRA methods and approaches share the assumption that itis meaningful to use the concept of a human error, hence to develop waysof estimating human error probabilities. This view prevails despite seriousdoubts expressed by leading scientists and practitioners from HRA and re-lated disciplines. [14]Extensive studies in human performance accidents conclude that ”. . . ‘human error’ is not a well defined category of human perfor- mance. Attributing error to the actions of some person, team, or organisation is fundamentally a social and psychological process and not an objective, technical one.” [59]Also, Reason (1997) concludes that ”the evidence from a large number of accident inquiries indicates that bad events are more often the result of error-prone situations and error-prone activities, than they are of error-prone people.” [43]Attempts to approach to the human reliability problem with the same crite-ria as to the engineering reliability problem reveal their inconsistency. Thehuman failure probability can be determined precisely only for the specificperson, social conditions and short time period. Generalisation of obtaineddata to different peoples, social conditions and large time periods results inthe growth of the result uncertainty. 26
  • Nevertheless, HRA methods have been successfully used in assessing errorprobabilities. Numerous studies have been performed to produce data setsor databases that can be used as a reference for determining human errorprobabilities. Some key elements of human reliability analysis are presentedin the following sections, and some specific methods for examining that cer-tain area of human reliability are introduced.3.2.2 Task analysisTask analysis is a fundamental methodology in the assessment and reductionof human error. A very wide variety of different task analysis methods exist.An extended review of task analysis techniques is available in Kirwan andAinsworth. [25]Nearly all task analysis techniques provide, as a minimum, a descriptionof the observable aspects of operator behaviour at various levels of detail,together with some indications of the structure of the task. These will be re-ferred to as action oriented approaches. Other techniques focus on the mentalprocesses that underlie observable behaviour, for example, decision makingand problem solving. These will be referred to as cognitive approaches.In addition to their descriptive functions, TA techniques provide a wide va-riety of information about the task that can be useful for error predictionand prevention. To this extent, there is a considerable overlap between taskanalysis and human error analysis (HEA) techniques, thus a combination ofTA and HEA methods will be the most suitable form of analysis.3.2.3 Database methodsDatabase methods generally rely upon observation of human tasks in theworkplace, or analysis of records of work carried out. Using this method, thenumber of errors taking place during the performance of a task is noted eachtime the task is carried out. Dividing the number of errors by the number oftasks performed provides an estimate of HEP as described above. However,since more than one type of error may occur during the performance of atask it is important to note which types of error have occurred.3.2.4 Expert judgementThe use of expert judgement in the risk estimation step of risk assessmentaims at producing a single representation , i.e. in practise an aggregatedprobability distribution of an unknown quality. A formalised procedure forattaining this is described by several different researchers, Winkler et al. [58]and Cooke and Goossens [5] to name but a few. Such a procedure is knownas an expert judgement protocol. The main challenge of the protocol is to 27
  • control cognitive biases inherent in eliciting probabilities. [53]Expert judgement elicitation and aggregation approaches can be classifiedinto behavioural probability aggregation and mechanical probability aggre-gation. [4] In the behavioural probability aggregation approach, the expertsthemselves produce the consensus probability distribution. The normativeexpert only facilitates the process of interaction and debate. The main objec-tive of the approach is to ensure the achievement of a shared understandingof the physical and social phenomena and/or logical relationships representedby the parameter elicited. It is important to note that this approach inducesstrong dependence between the experts.In the mechanistic approach, experts’ individual probability distributions areaggregated by the decision-maker after their elicitation. The main challengeis to specify the performance of the experts. Such a specification presupposesat least two assumptions: 1. data for calibrating an expert’s performance is available, and 2. the expert has not learned from his past performance, and thus uses cognitive heuristics.In the case of Bayesian mechanistic probability aggregation, the decision-maker defines the likelihoods of the experts’ judgements and treats thesejudgements as data for updating his prior belief to posterior belief accordingto Bayes’ rule.3.2.5 Technique for Human Error Rate Prediction (THERP)Development of the THERP method began in 1961 in the US at Sandia Na-tional Laboratories and the developed method was finally released for publicuse in a document NUREG 1278 in 1983. [52] The stated purpose is topresent methods, models and estimates of HEPs to enable analysts to makepredictions of the occurrence of human errors in nuclear power plant opera-tions, particularly those that affect the availability or reliability of engineeredsafety systems and components.The method describes in detail all the relevant PSFs which may be encoun-tered and provides methods of estimating their impact on HEP. It also pro-poses methods of combining the HEPs assessed for individual tasks in theform of a model so that the failure probability for a complete procedure canbe calculated. This is carried out by using a method of modelling proceduresin the form of HRA event trees. The interaction between individual humanerrors can then be more easily examined and the contribution of those errorsto the overall failure probability of the procedure can be quantified.The key elements of the THERP quantification process are as follows: 28
  • 1. Decomposing tasks into elements. The first step involves breaking down a task into its constituent elements according to the THERP taxonomic approach given in NUREG 1278. 2. Assignment of nominal HEPs to each element. The assignment of nom- inal HEPs is carried out with reference to the THERP Handbook. Chapter 20 of the Handbook is a set of tables, each of which has a set of error descriptors, associated error probabilities and error factors. The assessor uses these tables and their supporting documentation to determine the nominal HEP for each task element. Problems will arise when task elements do not appear to be represented in any of the tables. 3. Determination of effects of PSF on each element. The determination of the effects of PSF should occur based on the assessor’s qualitative analyses of the scenario, and a range of PSFs are cited which can be applied by the assessor. The assessor will normally use a multiplier on the nominal HEP. 4. Calculation of effects of dependence between tasks. Dependence exists when probability of a task is different from when it follows a particular task. THERP models dependence explicitly, using a five-level model of dependence. Failing to model dependence can have a dramatic effect on overall HEP, and differences in levels chosen by different assessors can lead to different HEPs. 5. Modelling in a Human Reliability Analysis Event Tree. Modelling via an event tree is relatively straightforward, once step 1 has occurred. 6. Quantification of total task HEP. Quantification is done using sim- ple Boolean algebra: multiplication of probabilities along each event branch, with success and failure probability outcomes summing to unity.3.3 Other risk and error assessment methods3.3.1 Five steps to risk assessmentThe process for a risk assessment for the handling and use of machines fol-lows the same general rules for all risk assessments. These rules are mostclearly described in a widely used brochure published by the UK Health andSafety Executive (HSE) called ‘Five steps to risk assessment’. The processis depicted in Figure 3.2. 29
  • ! Figure 3.2: Five steps to risk assessment3.4 Method used by the CompanyThe Company uses a risk assessment method of its own. The method isbased on the principles presented in ‘Five steps to risk assessment’ by HSE.The risk assessment database works within the Company intranet frameworkwhere the assessor chooses the entity to be assessed (a production line or amachine) and then adds the risks identified.The Company policy is that all risks scoring above 30 on the risk rating levelneed to be controlled. This means defining risk control action plan (RCAP)for every risk exceeding the level. The RCAP includes identifying existingcontrols, nominating actioner, setting completion date and estimating costs.Risks scoring higher than 100 are unacceptable and they need to be elimi-nated urgently.The assessing process is depicted in Figure 3.3. The process has the following steps: 1. Identify activity. The machinery is used in different modes: normal operation, maintenance, repair, emergency. 2. Form assessment team. Consists at least of a trained assessor and the machine operator. 3. Gather information. Acquire information from previous risk assess- ments, accident and incident reports, work instructions, legal require- 30
  • ! Figure 3.3: The Company method ments, operating manuals, interviews with the operators and mainte- nance personnel, etc. 31
  • 4. Identify hazards. Using a method applicable, identify the possible haz- ards within the target activity. 5. Identify who might be harmed and how. 6. Identify existing control measures. There are several already applied measures, such as guarding, safety devices, procedures, personal pro- tection equipment, etc. 7. Assess risks. Using the data gathered, calculate the risk level for all the hazards identified using the risk rating formula below. 8. Remove the hazards. Limit the risk as far as possible. This can be applied by reducing speed and force, employing good ergonomics, ap- plying failsafe principles, and strengthening existing control measures. 9. Identify and implement additional controls. After re-assessing the resid- ual risk, inform and warn the personnel about any residual risk. This can take the form of signs and symbols. 10. Document the assessment. Risk assessments should be recorded in the Company database. Update for new information and closure for assigned corrective actions.3.4.1 Risk ratingCalculating the risk level is done based on the following formula: The Risk Rating = LO × F E × DP H × N P (3.2) Based on table 3.1, one estimates the risk based on the four variables.Because each of these elements has a range of values this can sometimes leadto difficulties in ensuring that they are applied consistently from site to siteand from risk assessor to risk assessor. The Company has provided someguidelines in order to maintain consistency in the assessments.Frequency of Exposure and Number of People at RiskThe number of people at risk should be calculated as the number of peoplewho come into contact with the hazard. Where there is a shift system inoperation then it is acceptable to calculate the number of people as thenumber per shift. For example, if the task is undertaken by 2 operators pershift in a 3 shift factory then the number of people is 2. However, one shouldalso remember to include other people who might also come into contactwith the hazard during each shift e.g. supervisors, quality staff, maintenanceengineers.If there are significant differences in the frequency of exposure of differentgroups of people then their risk should be assessed separately. 32
  • Likelihood of occurrence (LO) Degree of possible harm (DPH)Likelihood of the identified haz- An indication of how serious theard realising its potential and harm or ill health could becausing actual injury and/or illhealth during / or after the ac-tivity Almost impossible (possible 0.1 Scratch/Bruise0.033 only under extreme circum- stances)0.5 Highly unlikely (though 0.5 Laceration/mild ill health conceivable) effect1 Unlikely (but could occur) 1 Break – minor bone or mi- nor illness (temporary)2 Possible (but unusual) 2 Break – major bone or seri- ous illness (permanent)5 Even chance (could happen) 4 Loss of 1 limb/eye or serious illness (temporary)8 Probable (not surprised) 8 Loss of 2 limbs/eyes or seri- ous illness (permanent)10 Likely (only to be expected) 15 Fatality15 Certain (no doubt)Frequency of exposure (FE) Number of people at risk (NP)Frequency of exposure to the The number of people who couldidentified hazard during the ac- be exposed to the hazard duringtivity the activity 0.1 Infrequently 1 1-2 people0.2 Annually 2 3-7 people1 Monthly 4 8-15 people1.5 Weekly 8 16-50 people2.5 Daily 12 More than 50 people4 Hourly5 Constantly Table 3.1: Risk scoring components 33
  • Degree of possible harmAn important role of a risk assessment is to make employees aware of thehazards and risks they face day-to-day in carrying out their jobs. DPHchosen should therefore be realistic and reflect to a large extent accidenthistory within the Company or elsewhere.The examples shown in tables 3.2, 3.3, and 3.4 show other injuries, whichmight be considered of a similar gravity as the examples given in the scheme,and also suggest some of the types of activities and accidents that commonlylead to these injuries. DPH Activity 0.1 Scratch / bruise Splinters, skin irritation, blisters, superficial wounds, light swelling 0.5 Laceration/mild ill health ef- Handling tinplate fect Small cuts requiring stitches, Short term exposure to solvent, bump to head (no loss of con- fumes etc. sciousness), minor eye irritation 1 Break – minor bone or minor Workshop machinery illness (temporary) Contact dermatitis, fractures to Using tools fingers, toes, nose, open wounds requiring stitches, first degree Prolonged skin exposure to sol- burns ventsTable 3.2: Guidelines for evaluating degree of possible harm (table 1 of 3) 34
  • 2 Break – major bone or minor Being hit by slow moving fork- illness (permanent) lift truck – pedestrian Fractures to arms, legs, disloca- Slip/trip tion of shoulders, hips, sprains, strains, slipped disc, back in- Manual handling juries, noise induced hearing loss Noise level above 85dB 4 Loss of 1 limb/eye serious ill- Intervention on running ma- ness (temporary) chinery – coaters, presses Amputation of fingers (one or several), severe crushing injuries, Acid or caustic handling second degree burns or extensive chemical burns, non-fatal electric Use of low voltage electrical shock, loss of consciousness, con- equipment cussion 8 Loss of 2 limbs/eyes or seri- Scrap compactors ous illness (permanent) Contact with sensitisers Asthma, cancer, coma, third de- gree burns Serious fireTable 3.3: Guidelines for evaluating degree of possible harm (table 2 of 3) 35
  • 15 Fatality Working at any height over 2m Work in confined spaces where Immediate death or after pro- breathing apparatus is needed longed treatment or illness Collision between pedestrians and lorries Electrocution Falling into deep water or into chemical tanks Motor accidents as driver or passenger Being crushed by large falling objects eg. Tinplate coil Overturning forklift truck – driver Being hit by fast moving fork- lift truck Palletisers – trapping in hoist area Long term exposure to as- bestos (carcinogen) ExplosionTable 3.4: Guidelines for evaluating degree of possible harm (table 3 of 3) 36
  • Likelihood of occurrenceTwo factors can help to choose an appropriate likelihood score: • Accident history – do we know that accidents occur regularly relating to this activity within the Company? Throughout industry generally? • The existing controls in place (see table 3.5)The first column in table 3.5 shows how we can interpret the scores to reflectlevels of probability from simpler risk scoring schemes. One of such a schemeis the method previously used at the Site. The first two categories are equalto the lowest probability in the risk matrix approach. The next three areequal to medium probability, and the three last ones are equal to the highestprobability. Interlocked guards in place, pur- 0.033 Almost impossible (possible pose designed equipment in use only under extreme circum- (eg. elevated platform with har- stances) ness), traffic management fully implemented. All legally required and best prac- 0.5 Highly unlikely (though con- tice controls in place. The em- ceivable) ployee would have to remove or circumvent a control to be injured. LOW (1) Adjustable guards in place, 1 Unlikely (but could occur) PPE and SSW, basic walkway 2 Possible (but unusual) marking. MEDIUM (2) 5 Even chance (could happen) No guards, safety relies on 8 Probable (not surprised) operator’s competence and 10 Likely (only to be expected) training. HIGH (3) 15 Certain (no doubt) Table 3.5: Guidelines for evaluating existing controls in place3.4.2 Method previously used at the SiteBefore it was required by the Company that all the sites use the methodologydescribed above, a similar method was used to assess the risks at the Site.There were a couple of reasons for replacing the previous method with thecurrent one. First of all, the Company required the assessment teams to inputall the data in the Company Risk Assessment Database. The old method 37
  • did not evaluate all the required parameters. Secondly, the method seemed to be inaccurate in distinguishing severe risks from less severe ones. The method was based on simple risk matrix, where assessment team selected values for consequence and probability from three categories. The values for probability and consequence are displayed in table 3.4.2. The resulting severity of the risk follows from a risk matrix (Figure 3.4). Probability Consequence 1. Unlikely 1. Mild (eg. scratch or bruise) 2. Possible 2. Harmful 3. Probable 3. Serious (permanent damage) The notation of the severity is as follows:! Figure 3.4: Severity of risk in a risk matrix • N = negligible, there is very little risk to health and safety, no control measures needed • L = low but significant, contains hazards that need to be recognised, control measures should be considered • H = high, potentially dangerous hazards which require immediate con- trol measures • U = unacceptable, the task/operation in question is discontinued until the hazard is dealt with 38
  • Chapter 4Risk control and regulationAfter assessing risks it is important to control the risk. Risk control is aboutthe methods applicable to get rid of or manage risks: • Avoidance: identifying and implementing alternative procedures or ac- tivities to eliminate it. • Contingency: having a pre-determined plan of action to come into force as and when the risk occurs. • Prevention: employing countermeasures to stop a problem from occur- ring or having impact on an organisation. • Reduction: taking action to minimise either the likelihood of the risk developing, or its effects. • Transference: transferring the risk to a third party, for example with an insurance policy. • Acceptance / Retention: tolerating the risk when its likelihood and im- pact are relatively minor, or when it would be too expensive to mitigate it.The Company has employed several of the above-mentioned methods in dif-ferent forms. All the safeguarding of machinery and strengthening the exist-ing barriers aim at avoidance of risk. The result is usually reduction in thelikelihood, though. Another method used widely is prevention. This comesin forms of regulation and standards.In this chapter, I examine the various methods of controlling risks. Suchmethods are practical (physical and behavioural) risk controls aiming at re-duction and avoidance, and regulatory standards that aim at prevention. Inthe case of Finland, three levels of such standards are examined. These lev-els are federal level (the EU), state level (Finland), and corporate level (theCompany). 39
  • 4.1 Physical risk controlsPhysical risk controls account for the technical safety approach mentionedabove. There are various gear, devices and systems that control the riskspractical way at the Site. Most of them aim at reduction of the risk. Theyare very cost-effective and easily applicable. • Appropriate work clothing / personal protective equipment (PPE): Refers to protective clothing, helmets, goggles, or other garment de- signed to protect the wearer’s body or clothing from injury by blunt im- pacts, electrical hazards, heat, chemicals, and infection, for job-related occupational safety and health purposes. The workers at the Site are required to wear incision protection gloves, safety shoes, earplugs, and workwear. • Automated infeed: An apparatus for automatically infeeding work- pieces to slitters and other machinery. Automated infeeding reduces the need for handling the tinplates manually, thus reducing the risk of cut wounds and injuries. • Breathing apparatus: A form of PPE that provide breathable air in hostile environments. At the Site it is required to use open-circuit breathing sets when dealing with hazardous chemicals and vapours. The breathing sets have a filtering device for making the air breathable. • Captive key system: The basic principle of the system is the ability to lock equipment in the desired position allowing removal of the key, which, in turn, can be used to lock or unlock related equipment in a sequentially predetermined manner. A captive key system comprises of a switch and integral lock, typically fitted to a machine or equipment enclosure. The switch is operated by inserting a key into the lock, with the key being secured to the moving guard or enclosure door, usually as an integral part of the handle. When the guard or enclosure door is closed, the key enters the lock. Turning the handle then turns the key that operates the switch. The switch can therefore only be operated by closing the guard or door and turning the handle, locking the guard or door in its closed position. • Emergency stop: Also called a kill switch, an emergency stop is a se- curity measure used to shut off a device in an emergency situation in which it cannot be shut down in the usual manner. Unlike a normal shut down, which shuts down all systems naturally and turns the ma- chine off without damaging it, a kill switch is designed to completely abort the operation at all costs. Often, they are used to protect people from sustaining an injury or being killed, in which case damaging the machine may be considered to be acceptable. The Finnish and the EU 40
  • machinery directives and standards require the existence of one or more emergency stops in industrial machinery. An emergency stop needs to be clearly visible and easily reachable in case of an emergency.• Fire alarms, doors and extinguishers: Required by the Finnish legis- lation, fire alarms, doors and extinguishers are obligatory at the Site. They are inspected regularly by the fire inspector.• First aid: The Finnish Occupational Safety and Health Act (738/2002) states that “an adequate supply of appropriate first aid equipment shall be available in appropriate and clearly marked places in the workplace or in its immediate vicinity.” There are several spots at the Site from where one can find first aid supplies.• Fixed guarding: Fixed guards are designed to prevent access to the dangerous parts of a machine by providing a physical barrier that pre- vents both intentional or unintentional access. Where an opening is necessary in a fixed guard for the purpose of feeding in material by hand, it must not allow access to the danger zone. In most cases this is achieved by ensuring that the opening is situated at a sufficient dis- tance from the dangerous machine parts. It should not be possible to displace or remove fixed guarding; the method of fixing is of vital im- portance to the integrity of the guard and the safety of the operator. All fixed guards should be kept in place either permanently by welding etc. or by means of fasteners such as screws or nuts and bolts, making removal and/or opening impossible without the use of tools.• Adjustable guarding: These are movable guards that are adjustable for particular operations and normally remain fixed during use. Some guards require the intervention of an operator to be placed into posi- tion; it is vitally important that these types of guard are always fitted to the machine and then correctly positioned and used every time it is operated. In some cases self-adjusting guards are used but these only provide a partial solution to the problems associated with manually ad- justable guards. Self-adjusting guards are, when properly maintained, normally preferable to those needing routine manual adjustment.• Interlocked guarding: Designed to give ready access to the machine’s danger zone whilst ensuring the safety of the operator. When a machine is running, an interlocked guard remains shut. Opening the guard has the effect of making the danger area safe. It must be impossible to open interlocked guards without stopping the machine. To be effective, guard interlocking requires that the machine cannot be started unless the guard is in position.• Good housekeeping: The care and control of property and premises, ensuring its maintenance and proper use and appearance. Good house- 41
  • keeping reduces the risk of slips, trips and falls and improves general work safety and efficiency.• Maintenance, repair and operations (MRO): Maintenance, repair and operations is fixing any sort of mechanical or electrical device should it become out of order or broken (known as repair, unscheduled or ca- sualty maintenance) as well as performing the routine actions which keep the device in working order (known as scheduled maintenance) or prevent trouble from arising (preventive maintenance). MRO may be defined as, ”All actions which have the objective of retaining or restoring an item in or to a state in which it can perform its required function. The actions include the combination of all technical and cor- responding administrative, managerial, and supervision actions. The determination of a need for maintenance is carried out through regu- lar machinery inspections. Every piece of production machinery at the Site is inspected at least once a year.• Residual current device (RCD): An electrical wiring device that dis- connects a circuit whenever it detects that the electric current is not balanced between the energised conductor and the return neutral con- ductor. Such an imbalance is sometimes caused by current leakage through the body of a person who is grounded and accidentally touch- ing the energised part of the circuit. A lethal shock can result from these conditions. RCDs are designed to disconnect quickly enough to mitigate the harm caused by such shocks although they are not intended to provide protection against overload or short-circuit conditions.• Trip devices: These are designed to stop machinery and make it safe before or as the person approaches the danger zone. They include sensitive screens and barriers, telescopic arms, photoelectric safeguards, trip wires and pressure sensitive mats. They should incorporate a re-set mechanism which prevents the machine from being restarted before the tripping mechanism is released and the machine controls are operated. Most of the trip devices used at the Site are photoelectric guards (light curtains).• Two-handed controls: These require operators to have both hands in a safe place before the dangerous parts can be activated. It should not be possible to operate both controls with one hand, or with one hand and another part of the body, or by easily bridging them with a tool. To activate the machine, the two controls need to be sequenced so that they operate together with little or no time delay between them. It should also not be possible to reactivate the machine until both controls have been returned to the ‘off’ position. With this kind of control the operator must not be able to activate the machine and then reach the danger zone whilst a danger still exists. 42
  • 4.2 Behavioural safetyBehavioural safety accounts for the psychological safety approach. Promot-ing safe behaviour at work is a critical part of the management of health andsafety, because behaviour turns systems and procedures into reality. On theirown, good systems do not ensure successful health and safety management,as the level of success is determined by how organisations ‘live’ their systems.[29]Behavioural programmes have become popular in the safety domain, as thereis evidence that a proportion of accidents are caused by unsafe behaviour.Whilst a focus on changing unsafe behaviour into safe behaviour is appropri-ate, this should not deflect attention from also analysing why people behaveunsafely. To focus solely on changing individual behaviour without consid-ering necessary changes to how people are organised, managed, motivated,rewarded and their physical work environment, tools and equipment can re-sult in treating the symptom only, without addressing the root causes ofunsafe behaviour. [29]A range of psychological techniques, known as behaviour modification, havebeen developed to change people’s behaviour. Behaviour modification hasbeen used in a wide range of contexts from education to health care. Be-haviour modification techniques could be used to improve health and safetyrisk control by identifying and promoting critical health and safety be-haviours. [29]There are two main types of behaviour modification, classical conditioning(automatic / innate responses triggered by external stimulus) and operantconditioning (behaviour that operates on the environment). An example ofclassical conditioning is one’s mouth involuntarily watering at the smell offood. Operant behaviour refers to any behaviour that is not a simple au-tomatic response, in fact, most human behaviour is operant, e.g. driving acar, cooking food or playing football. The general theory and principles ofoperant conditioning have been developed in order to apply it within occu-pational contexts. Collectively, these techniques are referred to as Behaviourmodification. Behaviour modification has three features: [26] 1. Pinpointing of relevant behaviours – carefully specifying the be- haviour(s) to be changed, and directly observing behaviour 2. A focus on the antecedents and consequences of behaviour, as conse- quences (e.g. the type and frequency of feedback we receive) have a powerful impact on determining our behaviour. What takes place be- fore behaviour (the antecedents) also can have an important impact (e.g. training, goal-setting, communication of company policy). 3. Emphasis on evaluation – rigorously evaluating whether behaviour has changed as intended, and whether the change was due to the interven- tion, or other factors. 43
  • The core element of behaviour modification is the ABC model of behaviour,Antecedents (A), Behaviour (B) and Consequences (C). [9] The ABC modelspecifies that behaviour is triggered by a set of antecedents (somethingwhich precedes a behaviour and is causally linked to the behaviour) andfollowed by consequences (outcome of the behaviour for the individual)that increase or decrease the likelihood that the behaviour will be re-peated. The antecedents are necessary but not sufficient for the behaviourto occur. The consequences explain why people adopt a particular behaviour.4.3 Regulatory standards in the EUThe standards prepared by the European standardisation bodies CEN andCENELEC are common to all European community and EFTA countries.These standards were introduced in order to help machinery manufacturersconform to the requirements of the regulations. Generally speaking, theauthorities will assume that any machine manufactured to conform to thepublished European standards will comply with the Essential Health andSafety Requirements covered by those standards.The legal aspects of moving machinery safety are generally arranged to covertwo primary stages in the life of a machine. 1. Safe manufacture: This includes design and installation of plant and equipment 2. Safe operation: This includes maintenance and modification of plant and equipment.Generally, laws and regulations deal with these two aspects separately, al-though regulators are increasingly aware of the need to improve the linksfrom the supplier to the user.The sources of EU law through which the EU regulations are implementedcan be divided into three categories: 1. Primary sources: Comprising the founding treaties, Community Acts and further treaties (such as Maastricht or accession treaties). 2. Secondary sources: Comprising of regulations, directives and decisions. Through this, EU implements the policy in more detail. 3. Non-legally binding: Sources-opinions and other non-treaty acts (such as guidelines, resolutions, communications, etc.).Each country may create different laws or adapt existing laws but the end re-sult should still comply with the essential requirements of the EU Directives. 44
  • The typical result, e.g. in the case of machinery manufacture, will be thatmachines meeting the safety requirements of one EU member state shouldbe acceptable for use in any other EU member state. Uniformity of designand construction standards is assisted by reference to ‘harmonised standards’that are accepted by all member states. [30]4.3.1 The structure of European harmonised stan- dardsThe structure of the European harmonised standards can be seen in Figure4.1. !Figure 4.1: Structure of the European harmonised standards (omitted from[30])Type A standardsThese set the rules and principles for writers of more specific standards andfor any design team to apply to any new machinery project. Two of the mostwidely known type A standards are: 1. EN 292 Parts 1 and 2: Safety of Machinery. Basic terminology, general design principles. Part 1 mainly handles the risks to be evaluated and the design principles to be used to reduce the risks. Part 2 outlines the basic principles of machinery guarding, interlocking, E-stops, trip devices, safety distances, etc. 45
  • 2. EN 1050: Safety of Machinery, Principles of Risk Assessment. EN 1050 sets down methods for risk assessment that form the first essential stage in the development of protection systems for machinery.The Safety of Machinery standard requires designers to: • Specify the limits of the machine. This includes determining the in- tended use of the machine, the performance limits, space limits, range of movements, space requirements for installation and time limits for the foreseeable life of the machine or, if necessary, of some of its com- ponent parts (wear on faces, tools or control components). • Identify the hazards and assess the risks. This should be considered over all phases of the machine’s life: in manufacture, transportation, assembly, installation, commissioning, normal use, foreseeable misuse, maintenance, dismantling and disposal. Again, the degree of injury and probability of occurrence must be assessed at this point. • Remove the hazards or limit the risk as far as possible. This can be achieved by taking out traps, reducing speed and force, employing good ergonomics and applying failsafe principles. • Design in safeguards against remaining risks. Where hazards cannot be designed out, safeguards must be designed in. These can include interlocked guards, light curtains, pressure mats, two-hand controls, trip devices etc. • Inform and warn the user about any residual risks. This can take the form of signs and symbols (both visual and audible) for all personnel including operators, installers and maintenance engineers etc. • Consider any other precautions. At this stage designers must determine whether additional requirements will be necessary for personnel, taking into account emergency situations.Type B standardsType B1 standards set down design requirements for safety techniques.Examples relevant to control engineers are: EN 60204: Safety of machinery– electrical equipment of machines Parts 1 and 2 and EN 954: Safety ofmachinery – safety-related parts of control systems – Parts 1 and 2.Type B2 standards deal with widely used safety devices such as light curtaindetectors and two hand controls. Examples are: EN 418 for E-stop switchesand EN 61496 for the application of light barriers. 46
  • Type C standardsA large number of type C standards have been produced to deal the hazardsof specifically identified types of machines. The most common of these are themanufacturing plant machines beginning with power presses. Because thesemachine type standards have been prepared using the foundation of type Aand B standards they will generally have a consistent basis for the safetyrequirements defined in their texts. For example, they will base any devicessuggested for safety guarding or E-stops to the relevant type B standard.4.3.2 The European Machinery DirectiveThe Machinery Safety Directive impacts all machinery that is to be made orsupplied in the EU even if it is imported from outside the EU. For importedmachines the Directive also applies to re-furbished used machinery. Henceany machinery designer/builder wishing to supply to an EC country must beable show conformance to the EC Machinery Directive.The official reference description for the Machinery Directive is: Directive98/37/EC of the European Parliament and of the Council of 22 June 1998on the approximation of the laws of the Member States relating to machineryOfficial Journal L 207, 23/07/1998 pp. 1–46.The scope of the directive makes it very clear that most forms of machineryare covered. Machinery is defined as one of the following: • An assembly of linked parts or components, at least one of which moves, including, with the appropriate actuators, control and power circuits, joined together for a specific application, in particular for the process- ing, treatment, moving, or packaging of a material. e.g. A pump, mo- tor, and starter unit are not machines as individual components, but they are integral components of an independently functioning machine capable of moving a material (fluid). • An assembly of machines which, in order to achieve the same end, are arranged and controlled so that they function as an integral whole. e.g. A pumping skid containing two or more of the assemblies above tied into a common outlet line for the purpose of boosting flow volume is also a machine. • Interchangeable equipment modifying the function of a machine which is supplied for the purpose of being assembled with a machine (or a series of different machines or with a tractor) by the operator himself in so far as this equipment is not a spare part or a tool. e.g. Farm equipment, which modifies the function of a tractor when attached.The Machinery Directive also covers safety components for machinery, de-fined as: 47
  • Components which are supplied separately to fulfil a safety func- tion when in use and the failure of malfunctioning of which en- dangers the safety or health of exposed persons. e.g. A limit switch for a safety guard or a light barrier at the opening of a press.The directive consists of 14 Articles and 7 Annexes. The Essential Health andSafety Requirements in Annex I of the Directive require the manufacturerto ensure safety of the machine by applying the following principles, in theorder given: • Eliminate or reduce risks as far as possible (inherently safe machinery design and construction) • Take the necessary protection measures in relation to risks that cannot be eliminated • Inform users of the residual risks due to any shortcomings of the pro- tection measures adopted; indicate whether any particular training is required.The protection goals must be responsibly implemented in order to fulfil thedemand for conformance with the Directive. • The manufacturer of a machine must prove that the basic requirements are fulfilled. This proof is made easier by applying harmonised stan- dards. • The Machinery Directive demands the integration of safety as early as the design process. In practice this means that the designer must perform a hazard analysis and risk assessment during the development of the machine so that the measures developed from the analysis and assessment can flow directly into the design.It is important to understand that standards have no legal status unless theyare referenced by legislation or legal decree. In the ‘new approach’ Directives,technical standards are always applied voluntarily and failure to comply withthem is never in itself a fault.4.4 Regulatory standards in FinlandThe most concrete legal requirements followed at the Site are given by theFinnish government, and followed by the government occupational safetyofficial.The Safety at Work Act, the most important Finnish enactment determining 48
  • the level of safety at work, was adopted in 1958. This act is general in nature,it applies to nearly all work in employment relations, whether private orpublic, which is one of the reasons why the concepts used in it are broad andopen to interpretation. Most of the 21st century work safety legislation hasbeen replaced by the Occupational Safety and Health Act 738/2002 (OSHA).The objectives of the Finnish OSHA are to ”. . . improve the working environment and working conditions in order to ensure and maintain the working capacity of employees as well as to prevent occupational accidents and diseases and elim- inate other hazards from work and the working environment to the physical and mental health, hereinafter referred to as health, of employees.” [37]The Section 10 deals with risk analysis and assessment. It states that theemployer ”. . . shall, taking the nature of the work and activities into account, systematically and adequately analyse and identify the hazards and risk factors caused by the work, the working premises, other aspects of the working environment and the work- ing conditions and, if the hazards and risk factors cannot be elim- inated, assess their consequences to the employees’ safety and health.” [37]The employer is thus required to conduct regular risk assessments. If theemployer himself is not capable of assessing the risks, ”. . . he or she shall use external experts. The employer shall make sure that the experts have adequate competence and other quali- fications needed for carrying out the task properly. Provisions on the use of occupational health care experts and professionals and on workplace surveys are laid down in the Occupational Health Care Act 1383/2001 (OHCA).” [37]The employers are required to provide adequate instruction and guidance foremployees for them to be able to perform in their duties. The employers arealso required to provide protecting and auxiliary equipment for use ” . . . if the risk of injury or illness cannot be avoided or adequately reduced by measures focused on the work or working conditions.” [37]Regarding the use of machinery, the Finnish OSHA states that only 49
  • ”. . . such machinery, work equipment and other devices may be used at work that comply with the applicable provisions and that are suitable and fit for the work and working conditions con- cerned. Their correct installation and necessary safety devices and markings shall also be ensured. The use of machinery, work equipment and other devices shall not in any other respect cause hazard or risk to the employees working with them or other peo- ple at the workplace.” [37]The regulations concerning the safety of machinery in Finland are based onthe harmonised EU standards described above. In 1994, the government ofFinland passed a proposal for the new machinery standard. [35] All machin-ery acquired after the year 1994 are subjected to the law. In broad outline,the contents of the statute are equal to the regulations given in the EU stan-dard. The statute now in force will be replaced by the end of the year 2009with a newer version, which passed the Finnish parliament in 2008. [36]The Finnish government has given a decree on the safe use and inspectionof working equipment (403/2008). Valid from the beginning of the year2009, the decree gives detailed specifics on how to safely use and inspectproduction equipment by requiring risk assessments, markings, instructions,emergency stops, safe maintenance, and control equipment. Specific guide-lines are given for moving machinery and elevator equipment. The decreeapplies to all equipment used at work under the Finnish OSHA.4.5 Regulatory standards in the CompanyThe Company has implemented several quality, environment, health, andsafety standards in form of corporate policies and directives. The effectiveworking of the Safety Management system must be verified through OHSAS18001 certification.4.5.1 The Company DirectivesThe Company Directives are rules that are applicable and mandatory at allsites within the Company Division. Directives do not replace the overall re-quirement (as stated in the Company policy) to comply with national andlocal legislation but they may require some legislative requirements to beexceeded in certain territories. The Company has published five EHS Direc-tives: Working at Height, Palletiser Safety, Working Safely with ProductionEquipment, Safety Board, and Hand Protection. The process outlining aCompany Directive is depicted in Figure 4.2. From the Figure it can beseen that the Company Directives are constantly being reviewed, with riskassessment being one of the main and core elements of the process. 50
  • !Figure 4.2: Flow chart of the process leading to outlining a Company direc-tive4.5.2 OHSAS 18000OHSAS 18001 ”Occupational health and safety management systems – Re-quirements” was first published in 1999. During 2005 it was subjected to a”systematic review” to determine if it should be updated. A large major-ity of respondents indicated that it should be revised to be aligned to ISO14001:2004. A revision programme was conducted during 2006/2007, result-ing in a new edition of OHSAS 18001 being published in July 2007.Introducing altogether 19 new requirements, the 2007 version of OHSASgives greater emphasis to health. The new standard introduces five newrequirements in Hazard identification. The procedure must now • take account of human behaviour and capabilities, • identify hazards originating outside the workplace, • take account of legal obligations relating to risk assessment, • take account of work area design and organisation, and • identify hazards and risks associated with changes in the organisation prior to the introduction of such changes and ensure that results are considered when determining controls. 51
  • Chapter 5Case studyIn this chapter, I present a case study conducted about Crown Pakkaus Oy(the Site). The object of the study is to analyse the production line risksusing the proposed method used by the Company. The structure of thechapter is as follows. First, the general issues concerning the safety cultureare addressed based on the concepts already outlined in this thesis. Thesafety culture analysis is based on an interview with the current quality,environment, health, and safety manager at the Site. Second, a descriptionof the implementation of a certain safety Directive is provided. This is togive more information of the safety process outlined and its outcome. Lastly,the phases of the risk analysis procedure and its results are presented.5.1 Analysis of current safety situation in the Company5.1.1 Accident statisticsAs can be noted from the previous chapters, the regulations in different levelsare extensive, and they should guarantee safe work environment, even withlarge and hazardous machinery, provided that the employer conducts risk as-sessments to reduce risks. But the reality is not always so. The overall safetyof the work environment depends on the time, resources, and motivation ofthe employer.The Company has pushed vigorously different kinds of regulations and prac-tices to make the working conditions safer. As a result, the number of acci-dents has dropped dramatically. In the year 2009, there has not been a singleone accident leading to loss of workdays. In Figure 5.1, the annual numberof reported accidents has been presented. Between the years 2002-2008, thenumber of reported accidents – in which an employee suffered any harm –varies from 5 to 15. The annual number of accidents leading to the loss of 52
  • ! Figure 5.1: Annual number of accidents at the Siteworkdays is presented in Figure 5.2. It can be seen from the Figure, that adramatic reduction in the number of cases takes place in the year 2008. Thezero number of accidents holds still (August 2009), and not a single one acci-dent leading to the loss of work days has been experienced in 2009. In 2008there has been 1 accident leading to restricted work and in 2009 1 accidentneeding medical attention.In Figure 5.3, the rate of accidents leading to loss of workdays per 200 thou-sand working hours has been presented. It can be seen from the Figure, thatthe overall rate of accidents has dropped down to one quarter of its originalvalue during two decades. The data is missing for year 1998.There are several different causes of accidents when working in a metal pack-aging manufacturing plant. The most common accident is a cut wound fromhandling tinplates, blanks or metal wastes. The causes of reported accidentsbetween the years 2002-2009 is shown in Figure 5.4.There have been some serious mishaps and accidents at the Site. In 2004,a summer worker lost three fingers in an accident while operating a powerpress. The employee was operating a machine that punches holes for plugsin the lids. There was some scrap metal stuck inside the machine. Theemployee was removing the scrap metal through feeding hole, while the ma-chine accidentally performed the pressing movement. Employee’s left handwas caught resulting in the amputation of index, middle, and ring-finger.The accident occurred partly due to the fact that no risk assessment hadever been conducted on the machine. Furthermore, the power press did notcomply with the machine safety regulations. To control the risk, the machineoperation control was switched from a pedal to two-handed control device.A safety inspection was performed on all power presses at the Site. 53
  • !Figure 5.2: The annual number of accidents leading to the loss of workdaysIn 2002, there was also a severe accident in the drum department. A me-chanic was doing a maintenance work on a seaming machine and he wasstanding in the middle of a conveyor. At the same time another employeewho was working in the beading machine accidentally started the conveyorand the conveyor squeezed the mechanic’s legs resulting in a broken leg andbruises in the other leg. There were no risk assessment conducted on themachine prior to the accident. Also, the employees did not use the “log out– tag out” procedure. To control the risk interlocked guards were installed,and a ”log out - tag out” procedure was introduced.Figure 5.5 shows the annual number of accidents by department. Figure 5.6shows the annual number of lost work days by department. When looking atthe number of accidents, the departments with most accidents in the plantare the print shop and pail lines. These are also places where most of thehandling of raw materials, such as tin plates and pail bodies, takes place. Inthe print shop, the handling of raw materials is one of the main explanatoryvariables of the number of accidents occurring. In the pail lines, the numberof workers is the main explanatory variable. When looking at the severity ofthe accident, indicated by the number of workdays lost, the two departmentshave the most lost work days.5.1.2 Safety culture and climateChanges in the technical environment are the a to reduce accidents’ DPH andLO. The Company has committed itself to reducing all accidents by meansof safety rounds, audits, accident investigations, and risk and safety analy-ses. It is also required by statutes and legislation, especially by the health 54
  • ! Figure 5.3: Lost work day case rate per 200 000 working hoursand safety standard based on OHSAS 18001. The number of accidents andincidents itself is a common way to measure safety, but it does not reveal ev-erything. One also needs to examine the standards and regulations in effect,which form the basis of safety culture.One factor having an effect on the LWDC is a labour union agreement in theyear 2008. Since that time, it has been possible for employees to do restrictedwork after a work capability reducing mishap occurs. Before the agreement,accidents commonly led to loss of workdays as doctors wrote sick leave afteran accident that was found to affect an employee’s capability of working.Another observable is the number of incidents and near-misses. During theyears 2006-2008, the average annual number of reported near-misses was26,3. During the same period, the average number of reported accidents was9. Always after reporting an incident or a near-miss, corrective actions areinitiated. This also contributes to reducing risk. Risk management is a con-tinuous ongoing process that is integrated into the risk assessment procedurein form of RCAPs.Risk communication is regular procedure within the Company. Most of thepossible hazards and causes of accidents are communicated through the Siteand required to be published to inform workers. Every significant incidentor accident is required to be reported through the Company Intranet.Behavioural safety program STOPOne proven method to achieve a “Total Safety Culture” is to implement oneor more programs of behavioural safety. A behavioural safety program isa system of implementing constructive and reinforcing observations of em- 55
  • ! Figure 5.4: Accident causesployees and peers, and providing positive feedback through dialogue andreporting in order to achieve safety excellence.Various successful programs of behavioural safety can provide effective re-sults in reducing injuries, by increasing the visibility of unsafe behavioursthrough skill development, and instilling safety as a value. As employees de-velop these observation and communication skills, they increase their comfortlevel with the process, and safety coaching becomes and integral part of thework culture.The goal of the STOP program is to train all Company employees to be-come skilled observers for everyday work activities, in order to increase thelevel of safety awareness and to eliminate injuries and incidents in the work-place. Through quality observations and effective discussion, the Companycan modify the way that work activities and tasks are being done by encour-aging safe work practices. Effective observations and dialogue will reduce andeliminate at-risk work activities, helping the Company to achieve its goal ofzero accidents and zero impacts.In addition, the Company promotes so-called “Best Practices” to ensure bet-ter working conditions. These are ways of working that have been shown toproduce better results and solving some of the common problems in all in-dustrial manufacturing areas within the Company.Accident investigation and reportingThe Company EHS procedures require managers to report and investigateaccidents and incidents that take place at the Site. All accidents (lost work- 56
  • ! Figure 5.5: Annual number of accidents by departmentdays, restricted workdays, medical treatment cases) must be investigated andreported; this includes accidents that happened to non-employees at the Site.5.1.3 Safety limitations at the SiteSeveral reasons are holding the Site back from being the safest possible.Most of the machinery and conveyors are old, even dating back to the 1950s,which is the reason why the original level of safeguarding is low or even non-existent. Most of the machinery and conveyors are old, even dating back tothe 1950s. Improving safeguarding to the level required by current legislationis a task demanding time and expertise. To improve expertise, the Companyhired a EHS coordinator in 2006, whose responsibilities include improvingmachine safeguarding through risk assessment.In general, some 95% of all accidents taken place are due to human behaviour.Why do people take risks? The most common reason is that people usuallybenefit from taking risks somehow, e.g. they might save time or try toincrease production. The second reason is that people don’t understand orbelieve in the risk if the probability of occurrence is low. If they have takenthe risk dozens of times and nothing has happened, they tend to think thatit will never happen. Other reasons might be that taking a risk doesn’tnecessarily have an instant effect, e.g. not wearing hearing protection, or thedegree of possible harm is considered low, e.g. slipping, tripping.Many of the employees working at the Site have a long work history and theyadapted certain routines and ways of working, that are not easy to change.In particular, improving behavioural safety requires changing the ways of 57
  • ! Figure 5.6: Annual number of lost work days by departmentpeople working and perceiving their environment. Such a task needs consid-erable effort and its impact on the safety climate is observable after a longerperiod of time.The employees receive productivity bonus after reaching target level of pro-duction. This affects the safety climate, as employees tend to ignore safetyregulations in order to increase production to get bigger bonuses. Safe work-ing practises might lower the production rates and thus have an effect onthe wage received. However, to inspirit the employees adapt to safe workingmethods, the Company has also some safety bonuses. An employee receivesbonus if he makes a safety initiative. Also, a free lunch is offered to employeesonce a month if the zero number remains.5.2 Assessing risks with the Company method5.2.1 Drum line packaging areaThe first risk assessment took place in the drum line packing area. The 200litre drums are packed on pallets using an automated machinery. Beforepalletising the line personnel add plugs to the drums using a pneumatic tool.The palletised drums are banded and moved to storage area from wherethey will be taken to the customer.In order to assess the risks, a team was assembled. The team consisted oftwo assessors, three operators and the department head of operations. The 58
  • assessment was conducted using the Company method. The packing processwas divided into smaller phases. The hazards related to each phase werethen identified, and the risk score was calculated as presented above. Onlythe worst-case hazards were considered due to the limited resources availablefor assessment. Also, photographs were taken of the hazardous areas.The drum line packing area is a dangerous department area when consider-ing risks. The drum palletising is done using large automated machinery,and there is a risk of getting crushed by the elevator or the drum lift.Particularly, these risks are due to human error. An operator clearinga jam in the machine might be unaware of another employee who couldaccidentally start the production line.Since the year 2002 there has been a total of 4 LWDC and 1 reportednear-miss in the drum department, but 0 in the packaging area. The numberof accidents leading to loss of workdays is small, and it is quite hard to usethe accident data to aid the identification of the most severe risks.The results of the assessment are presented in tables B.1, B.2, and B.3. Thehighest scoring risks were clearing a jam in the drum pallet conveyor andin the drum elevator area (RR = 188), clearing a jam in the drum palletmachine (RR = 113), and clearing a jam in the drum lift or elevator (RR =75). All of the risks ratings were above the control limit of 30, so they needto be controlled.The risk with greatest risk rating in this assessment was found out to beclearing a jam in the drum pallet conveyor. The packing machine piles thedrums in four layers. There is a possibility that a drum pallet is stuck andan employee loosening the pallet is crushed under a falling drum. In suchan accident, the worst case is the death of an employee.In the case of clearing a jam in the drum pallet machine, the palletisergets stuck from time to time, as the pallet moves so that the conveyors arenot able to control the pallet anymore. Various other situations require anemployee to enter the palletiser area. If another operator does not takenotice of an operation being performed on the machine and he starts it, theemployee in the palletiser area is crushed by moving machinery resulting inthe death of an employee.Clearing a jam in the drum lift elevator requires the employee to climbup ladders and perform work at a height of over 3 meters. During theassessment it was found out that the working platforms were insufficient.There is a risk of falling down which could result in death.To control these risks, the elevator was decided to be isolated with anoptical sensor (light curtain) that stops the operation if movement in theproximity of the elevator is detected. A preventive maintenance plan forthe packing department will be introduced, which will include machinerysafety inspections. Some more guarding and additional safety controls willbe added to the packing line, such as “log out – tag out” procedure. Insuch a procedure, the employee is required to lock the main power switchto the “off” position before entering any hazardous area when maintaining 59
  • the machine or clearing jams. This is to prevent any accidental start-ups ofmachinery by other employees while operating in the hazardous area.5.2.2 Manually operated slitters and power pressesAt the Site there are several standalone machines that are operated manuallyand they are used somewhat more rarely than the large manufacturing lines.Slitters and power presses are used when manufacturing the lids and ends ofdrums and pails. The most common task to be done manually is infeeding.Infeeding the tin plates by hand poses a cut wound risk. Since 2002, therehas been one serious injury when operating the machines in 2004. The casewas described in Section 5.1.1.Two serious near-misses happened in 2008 with power presses. A screw hold-ing the tool on one of the power presses ruptured and the helical springs andclamp fell off nearly hitting employee’s legs. There was a possibility of legfracture had the falling parts hit the employee. As a corrective action, allpower presses were inspected and safety stoppers were installed to all faultypower presses.Another case was in the summer of 2008, when an operator received an elec-tric shock from the stacker of one of the power presses. As a corrective action,the stackers were inspected and RCDs were installed.The task of organising the assessment in the absence of senior advisor wasgiven to me to be conducted together with the mechanics. The mechan-ics were selected to be in the assessment team because of their knowledgein fields of operating the machine, as well as maintaining the machine. Iresearched the records to find out what hazards were identified in earlier as-sessments. Taking note of these, I introduced the assessment procedure tothe mechanics. We went through the hazard list and elicited probabilities andfrequencies of exposure to the hazards. If the mechanics saw other hazards inthe operation or maintenance, they were also identified and analysed. I havelisted some of the things encountered during the process in the discussionchapter. The results of the analysis are found in the tables B.4, B.5, B.6,B.7, B.8, B.9, and B.10 for the slitters, B.11, B.12, B.13, B.14, B.15, B.16,and B.17 for the power presses. The results for some miscellaneous manuallyoperated machines (guillotine shears, plugging machines) that were inspectedare found in tables B.18, B.19, B.20, B.19, B.21, and B.22.Most of the machines need only one power switch to be turned on, andthe machine is operational. Maintenance is an area requiring considerableexpertise, although the machines are not the most complicated ones to bemaintained at the Site. Slitters and power presses are mostly mechanical innature, so they do not contain complex electronic units. Neither do theyrequire the use of hazardous chemicals. As long as the general principles ofsafe work are followed, the risks should remain quite small. 60
  • When operating manual slitters and power presses, there is always a shearrisk with the moving tool and blades. Up to date safeguarding (two-handedcontrol or fixed guards) and annual inspections notably lower the possibilityof manifestation of the hazard. In case of power presses, the highest scoringrisks were exposure to live electricity (RR = 75, or RR = 30 if the electri-cal cabinet was lockable), fingers crushed by moving tool (RR = 20), andhandling metal sheets (RR = 13). Also, if the electrical power could not belocked out by a lockable main switch, there is a risk of someone accidentallystarting up the machine while someone else is performing an operation to it(RR = 15). This has been the case in some accidents at the Site.In the case of slitters, risks scoring highest were exposure to live electricity(RR = 75 or RR = 30), hands drifting to the slitter blades (RR = 20), a packof sheets falling down while banding or moving it (RR = 20), and handlingmetal sheets (RR = 13). Also, if the forklift truck traffic is intensive in theproximity of the machine, there is a risk of being hit by a moving forklifttruck (RR = 20). An operator is exposed to all of these risks constantly (orat least many times a day), although the likelihood of occurrence is small.One of the most cost-effective way of reducing these type of risks is throughbehavioural safety. As a control measure for the exposure to live electricity,the electrical cabinets will be locked and a system of controlling the accessto the cabinets will be enforced. Also, all the personnel needing access to thecabinets will be given further training.5.2.3 73mm/99mm tin can manufacturing line (CN02)The CN02 line produces cans of diameter of 73 or 99 millimetres. Severalmachines are connected to each other by conveyors at the production line.There are some conveyors that reach above normal standing height.There has been one accident in the line since the year 2002. In 2008, a me-chanic was removing a metal plate from the welding machine using tongs.The plate detached, but it hit the mechanic’s nose. Personal protective equip-ment was not worn. As a control measure, the mechanics were told to usesafety glasses in similar situations in order to prevent plates from hittingemployees’ eyes.In 2009, there was a severe near-miss case. A mechanic fell into a hole inmaintenance platform. The hole was in the platform due to line changes thattook place there before. As a control measure, the hole was covered and allplatforms were inspected for similar faults.The risks were assessed by a team of two assessors, an industrial safety del-egate, two line operators, and line supervisor. The machines were inspectedpiece by piece for hazards and they were then assessed using the Companymethod. The results are presented in the appendix, in tables B.23, B.24,B.25, B.26, and B.27.The highest scoring risks were adjusting the welding machine (RR = 100), 61
  • clearing a jam or changing product size at upper level conveyor (RR = 100),or performing an operation to the cutting machine (RR = 80).The welding machine uses copper wire in welding the can. The wire needsto be replaced occasionally during maintenance, when it is cut, or it runsout. When performing operation on the welding machine, there is a risk offinger amputation by machine turning on unexpectedly. Such is also the casewith the upper level conveyors. Someone might turn on the lines while anoperation is performed on the conveyors, thus resulting in amputation.In the case of cutting machines, there is also a risk of finger amputation byunexpected machine part movement during maintenance or other operation.What is notable is that the cutting machine is operated only once a year fora period of a couple of weeks. In the assessment process the frequency ofexposure was chosen to be the highest possible (constantly), though.5.2.4 Machine tools at maintenance departmentThe maintenance department have different kind of machine tools neededin maintenance of other manufacturing equipment. The tools are sharpenedand fixed when maintenance is performed, or when a machine breaks downin the production area. At the maintenance department, one is capable ofmaking completely new parts for the machines if such are required.With machine tools, one is able to work with metal and shape it in differentforms. The machines assessed include tools for cutting (band saw), grinding(grinding wheel and bench), turning (lathe), milling (milling machine), anddrilling (pillar drill). The Finnish government has given several guidelineson the safety of machine tools.When looking at the number of accidents, the maintenance department seemsto be a very safe place. Since 2002, not a single accident took place at main-tenance department. There are several explanatory factors to this. One isworker experience. Most of the maintenance personnel using the machineshave been using the machines at the Site for several decades. It takes severalyears of time and effort to master the skill in one of the abovementioned cut-ting processes. Another explanatory factor is that the statistics cover onlythe seven year period of 2002-2009.The risks were assessed with a three-person team consisting of myself as anassessor, the head of maintenance department, and one of the operators ofthe machines. The analysis results are presented in tables B.28, B.29, B.30,B.31, and B.32.In all of the machines tools, the greatest risk is contact with the moving toolor blade. There is a risk of severe mishap, even amputation if a fast-movingblade hits one’s hands or fingers. Using protective equipment such as glovesis not possible, however, when using metalworking machines. Gloves pose arisk of entanglement (for instance, with the grinding machines), and workersface an equally severe risk of losing their fingers during machine operation. 62
  • It is crucial that the employees know how to operate the machines and thatthey know what they are doing when operating machine tools.The ability to concentrate on the job was found to be very important. Anoperator faces a risk of human error if he loses his concentration. Risks ofthis kind take place usually with inexperienced operators. Constant trainingaiming at developing the skills and expertise of employees was seen to be anessential component of using machine tools.Thirdly, in many of the machines there is a risk of ejection of material (sparks,metal splinters and burrs) that is very hot and can cause skin or eye damage.Almost all of the machines have some kind of machine guarding in order toprevent such occurrences. In addition, the employees are required to wearpersonal protective equipment (safety shoes and goggles) which further re-duces the risk.Due to the nature of the work performed with the machines, machine toolsusually may not have fixed or interlocked guards protecting the operator.Instead, they are required to, by law, have adjustable guarding. Of course,adjustable guarding by its definition does not guarantee operator safety un-less the operator has him/herself adjusted the guarding before operating themachine. This in turn emphasises the importance of behavioural safety andsafety culture. At the Site, the usage of adjustable guards is good, and theoperators know the importance of adjusting the guards.The most effective way to prevent machine tool accidents is through be-havioural safety. I was given a task of writing instructions for safe system ofwork with machine tools. I gathered information about the machines thatwas found in various instructions manuals and at the websites of differentmanufacturers and occupational health and safety institutions, and I thencompiled them. The purpose of the safe system of work instructions is to in-form about the various risks that the operator faces when using the machine,and how to avoid them. I wrote instructions for seven different types of ma-chine tools found at the maintenance department. An example of one of thesafe system of work instructions, for grinding wheel, is found in AppendixA.1. 63
  • Chapter 6Discussion6.1 Issues encountered during the assessment processRisk assessment is a challenging field and several difficulties can arise whenworking with people. During the assessment process, the following factorswere found to affect the process.Lack of resources to conduct a detailed analysisAlthough risk assessment is required by the Company and national laws, theemployees do not always see its importance or effectiveness. Conflicts withproduction goals hinder the assessment, as team members find they don’thave enough time for the assessment. As a result of limited resources, theassessment focused only on the hazards that are the most severe. Scenarioswere not analysed in detail. Only few machinery failure modes were examinedmore closely.Because of the resources for implementing preventive measures are limited,however, a detailed analysis might not be necessary. The costly actions takento reduce risk are usually directed towards the most severe ones, that usuallyare identified no matter what method is used.Psychological factors and team synergyThe assessment procedure is affected by the team members’ ability to co-operate. In a situation where personal grudges have an effect on the teamcommunication, the assessment process is inevitably less efficient. The team’sability to identify all the relevant hazards is affected by the lack of motivationand communication. It could be seen during the assessment process betweengroups of different people conducting the assessment, that the team synergy 64
  • and results were different. The execution of the assessment could be delayedif the employees are not willing to co-operate.Probability quantification errorAs stated above, probability is a subjective concept. The role of the assessorin the Company risk assessment process is to facilitate the probability quan-tification by interpreting the views of other team members and assigning avalue representing the probability of occurrence of the hazardous situation.Because of this, the quantification is not easy. It is possible that the assessorpicks a number that poorly reflects the views of the team members. Mis-matches can be avoided by using statistical analysis of the operation data ineliciting probabilities, but in this case it was not possible due to the lack ofavailability of the data. This fact emphasises the need for re-assessment ofthe risks in the near future.Older workers are more apt to take risks, as stated above. This affects the riskassessment procedure, because workers might not see a hazardous situationdangerous enough, and they tend to give smaller risk probabilities.The Company risk assessment methodOne of the most important risk assessment issues in the long run is that themethodology needs to be concise and used in a consistent way between theassessors. The assessment procedure should be enough documented so thatothers can see the reasoning behind the numbers.The Company risk assessment method used in this thesis was the first timethe method was actually used at the Site ever. When the method is new tothe assessors and to other employees, there is much variation in the resultsdue to inexperience, even if the guidelines given were comprehensive enough.More of the Company method issues are dealt with in the next section.6.2 Comparison and critique of the methodsThe new Company method embodies similar structure to the previous riskmatrix based method used at the Site. There are more categories, and twonew variables. The previous method is likely to be easier to use, because thereneeds to be only two numbers selected that constitute the risk. Usability andsimplicity do come with a price, though. The previous method is simpler,but also more ineffective especially in describing various hazardous situations.The scalability of the older method is not good, and the method is incapableof “separating the wheat from the chaff”. The method classified several risksin the same category that had different orders of magnitude in risk rating 65
  • when assessed with the current Company method. With the previous methodit was not possible to properly identify the severity of the risk.Downsides of risk matricesThe previous method is based on risk matrices. Critisism of the risk matrixrating method has been heard from several researchers. Cuny and Lejeune[8] do not see this kind of 3x3 matrix as a reliable tool to assess the severity ofrisks. Cox [7] has identified several mathematical properties of risk matricesthat affect its ability to assess risks correctly. These are: • Poor Resolution. Typical risk matrices can correctly and unambigu- ously compare only a small fraction (e.g., less than 10%) of randomly selected pairs of hazards. They can assign identical ratings to quanti- tatively very different risks (“range compression”). • Errors. Risk matrices can mistakenly assign higher qualitative ratings to quantitatively smaller risks. For risks with negatively correlated frequencies and severities, they can be “worse than useless,” leading to worse-than-random decisions. • Suboptimal Resource Allocation. Effective allocation of resources to risk-reducing countermeasures cannot be based on the categories pro- vided by risk matrices. • Ambiguous Inputs and Outputs. Categorisations of severity cannot be made objectively for uncertain consequences. Inputs to risk matrices (e.g., frequency and severity categorisations) and resulting outputs (i.e., risk ratings) require subjective interpretation, and different users may obtain opposite ratings of the same quantitative risks. These limita- tions suggest that risk matrices should be used with caution, and only with careful explanations of embedded judgements.Downsides of the current Company methodThe documentation offers no appropriate guidance on how to pick a rightcategory for likelihood of occurrence. Currently, the documentation basesthe elicitation on the existing controls in place, but there are a lot of tasksthat have no controls at all. This could be interpreted in a way that says alltasks that have no controls (or the form of control is not possible to evalu-ate) should have bigger risk ratings, although the actual probability of therisk occurring might be extremely small. What is completely dismissed inthe documentation, when talking about controls in place, are the controlsintroduced through behavioural safety.The documentation mentions analysing accident history in eliciting proba-bilities. This makes the probability conditional on the frequency of exposure 66
  • (and thus correlated). The documentation gives no specific information onhow to assess likelihood of occurrence from accident history. If this is donenumerically, as it is possible in many cases, the documentation does not an-swer the question of how do the numbers of the Company method categoriestranslate to actual probabilities that are something between 0 and 1.The method of assessing risks is quite incapable of describing risks if thefrequency of exposure to the risk is very low. For example, a machine is usedfor manufacturing special cans that are only manufatured during summertime. The machine requires sharpening of tool blades before operation. Amechanic processes the blades with a machine tool for a week. During thatweek, there is a constant risk of finger amputation. Should the frequency ofexposure for the amputation risk be defined as annually or as constantly? Alow frequency of exposure makes the risks smaller in general, although therisks might be even lethal to employees. This makes it difficult to comparethe risks.Because of the problems mentioned in this section, specific guidelines andconventions are needed. It is ultimately up to the assessors to decide howthe method is implemented and interpreted. Currently, because there areno specific guidelines and conventions that would solve the problems, therisk ratings are not comparable with each other between assessment sessions.That is, one cannot say if the risk of finger amputation is greater with millingmachines or with slitters if the two machines were assessed by different peo-ple.To reduce ambiguity, the Company method was modified during the assess-ment process to suit the needs of assessors more properly. Some of thecategories in the four different risk variables were removed as not meaningfulenough. The assessors had difficulties differentiating between some of thecategories, and choice between them was not unambiguous. This also hadan effect to the resulting risk assessment. As an example of this, I mentionthe elicitation of probability. Because the assessors could not differentiatebetween some of the categories, they were removed (or combined). Theseinclude ’hourly’ from the frequency of exposure category; ’almost impossi-ble’, ’even chance’, and ’probable’ from the likelihood of occurrence category;’scratch/bruise’, and ’loss of 1 limb’ from the degree of possible harm cat-egory. The categories of the final version of the method are presented inAppendix A.2.6.3 Analysis of the resultsIn regards to the classification presented above, all of the risks are personnelrisks. In general, the risks are due to human actions, although there aresome risks that cannot be prevented through behavioural safety (e.g. failureof machinery parts). The risks scoring over 100 in risk rating all involve therisk of death, in nearly all of the cases being due from working at heights or 67
  • being crushed by something. In many cases the risk of accidental machinestartup has been accounted for, which is due to human error.Working at heights poses a risk that might not be reduced effectively throughbehavioural safety. Slips might happen to everyone regardless of how carefulthey are. Controlling risks related to working at heights is possible throughextending working platforms and using ladders fulfilling safety standards. Ifladders cannot be used, a passenger hoist is available to trained personnel.Behavioural safety is still the most cost-effective way of controlling risks. Theeffectiveness can be seen by looking at the accident statistics of the Site.It is very much up to the assessor to ask the right questions in order to findout the root causes of accidents and incidents. When looking at the results,one notices that the questions ’what could happen’ and ’how could it hap-pen’ are answered. But the underlying question ’why does it happen’ hasbeen left unanswered during the course of this assessment, although this isthe very essence of the analysis when trying to permanently remove accidentcauses.For the sake of example, let us look at the CN02 manufacturing line. In thecase of cut-off machines, the employees were able to recognise a possibility offinger amputation (what could happen), due to unexpected machine start-up (how could it happen). But in this case the underlying possible reasonswhy should the machine start unexpectedly were not dealt with. There areseveral reasons why this is not done.First of all, the assessor might not try to find out the root cause simply be-cause it is not the purpose of the assessment. The Company documentationdoes not require the assessor to take a stance on the root cause. There mightnot be enough resources for the assessors to dig very deeply into the matter,especially when there are several machines to be assessed. Root cause anal-ysis is required only in an accident investigation.Even if finding out the root cause was the purpose of the analysis, it mightstill be undiscovered. The assessment team might be unable to identify thecauses because they can’t model the combined effect of external and internalerror modes. Modelling common cause error dependency and coupling be-tween error modes is quite complicated, especially without proper data.The assessment team might be unable to find out root causes due to theinfrequency of the hazardous situation. Also, employees might think that acertain situation is not probable. None of the chains of events stand out asthe most probable cause of the accident.The methodology used to produce the results also affects what risks are per-ceived as greatest. The Company method gives predefined importance tocertain events more than to others through the Degree of Possible Harm pa-rameter. There is a concise list in the documentation to aid the assessor indetermining the appropriate value for the parameter. The results could beentirely different had we used a different methodology.The values and preferences of the assessment team are also reflected in the re-sults. For example, one of the greatest risks in many machines was exposure 68
  • to live voltage. This is a risk when employee is dealing with the electricalcabinets. When looking at the near miss cases and safety statistics fromthe past years, there is no evidence that the risk should be evaluated thathigh. During the years 2002-2008, there has been only one case in which anemployee came in contact with live electricity, but in that case the electricalcabinets were not involved. The Company has published guidelines dealingwith electrical cabinets. The risk of exposure to live electricity through theelectrical cabinets would have been evaluated differently had the Companynot published the guidelines describing the risk.6.3.1 Are the results valid?All in all, given the issues above I must now state that there is a grave conflictbetween the importance given on risk assessment (and subsequent decisionsbased on it) and the reliability of the results these methods produce. Itis clear that employers should strive for better work safety. But makingdecisions that affect every employee based on results that have that muchuncertainty in them is not recommendable. What backs up this considerationis the almost total and complete lack of methods for evaluating risk analysisresults in all of the standards discussed above.It seems that the only actual method of critically examining risk analysismethods, and furthermore promoted in safety analysis frameworks such asOHSAS, is re-evaluation. This would give rise to question ”how many timesshould risk analysis be conducted in order for us to know that the resultsare correct and reflect the underlying situation, thus enabling us to makethe best decisions possible”? The ANSI B11 Machine Tool Safety StandardsCommittee states in its technical report TR3 [20] that ”the risk reduction process is complete when protective measures consistent with the hazard control hierarchy are applied and tol- erable risk has been achieved for the identified task/hazard com- binations and the machine as a whole.”This implies that the risk assessment is done as long as the situation itrequires. It is also confirmed in the Company method documentation: ”Hazard identification, risk assessment and risk control is a con- tinuous process, which forms the basis of all decision and policy making in relation to health and safety within the division.”It is fairly easy for an assessment team to evaluate whether a company hasadapted to safety standards (auditing), as the guidelines for assessment areprovided in the related documentation. But it is not easy for a company toevaluate risk assessment results produced by expert judgement. This requiresa lot of resources, and no guidelines whatsoever for evaluation are given. It 69
  • is only stated in the documentation to review the assessment and ’revise itif necessary’. The documentation requires that a review date is set for eachassessment, which guarantees that each assessment is reviewed in the future.The reason for making re-evaluation the method of choice for critical exami-nation of results becomes more clear when looking at the general machinerysafety situation. It is far more easier for the Company to call another assess-ment with the same personnel than to hire outside experts to evaluate theassessment. Even if some guidelines were given for critical examination ofthe results, this would in practice be another way of conducting the assess-ment. Because doing the assessment again is imminent anyway, giving anykind of result validation guidelines for this type of assessments might not benecessary. This is not the case with complex assessments that are conductedmore infrequently, e.g. nuclear power plant risk assessments.To answer the question ’are the results valid’, I would have to say yes. The re-sults were acquired by assembling assessment teams, by identifying hazardoussituations, by going through the situations with members of the assessmentteams who are experts on their field, and by assessing the hazards using theCompany method, as required by the Company and related regulations. Theresults are valid until a similar assessment is conducted.6.4 Addressing the issues encountered during the assessmentDuring the assessment it was found out that several issues affect the safetysituation at the Site and its evaluation process. I am going to address thesequestions now, and give some suggestions how to deal with these issues.Old machineryThe topic here refers to the fact that the machinery in its original statedoes not have proper guarding. By now almost every machine that is usedfrequently at the Site has some form of safeguarding, and new safeguards areadded constantly.Training is also important, especially with machines that have less safeguardsand with employees who have less experience using them. The personnel atthe Site will experience a great shift in the next five years, as more and moreof older employees will be retired. They have decades of experience in usingthe machinery at the Site, and this experience should be used to train othersat the Site. Creating safe operation instructions for every piece of machineryis a practical way of passing this valuable knowledge to the next generationof employees. 70
  • Conflict between safety and production goalsThe productivity bonus system used at the Site is one reason for conflictbetween safety and production goals. This could be straightened out bychanging the bonus system. Instead of paying bonus based solely on produc-tion, the bonus could be paid based on safety factors, e.g. LWDC.The employees need to become more knowledgeable about various safety pro-grams at the Site. They need to internalise the goals of the programs, andrealise that safety does not exclude productivity, but in fact improves it.Employees’ ability to adapt to behavioural safetyIt should be made very clear to everyone working at the Site that compliancewith the rules and regulations is the top priority. During the year 2009 itwas made clear to everybody at the Site, that non-compliance will result inconsequences. A ’three strike rule’ was forced. Employees lose their job afterbreaking the rules three times.Lack of resources to conduct detailed analysisHere the term ’resources’ refers to time. It was seen during the assessmentprocess that many of the personnel had problems with scheduling. They saidthat they were in a hurry because they were lagging behind of the productiongoals. This was especially a problem during the months of June and July,when the Site had received many orders.Management commitment to EHS matters is very important. This strength-ens the safety culture. Stressing the importance of risk assessment makes itclear to everyone, that safety is the top priority.Team synergyTeam synergy is a very important factor that affects the assessment process.Improving team synergy means taking more professional attitude towardswork in general. Communication is also important. As stated above, ef-fective communication needs openness so that sensitive information can beoutspoken. This also applies to personal issues.General improvement of safety culture is key part in motivating personneltowards a common goal. This means adopting organisational values. Be-havioural safety can be seen as a means to an end in motivating employees.Probability quantification errorThe documentation of the Company method gives assessors freedom to con-duct the assessment as they see fit, but it also stresses the importance of 71
  • documenting the assessment well. This makes the method very flexible, butalso brings great responsibility.The assessors need to agree on the procedure and practice of eliciting proba-bilities, and follow this procedure strictly. If no such practices can be found,these should be given in the method documentation or through assessortraining. Training sessions can be very useful in sharing experiences on themethod.Poor method documentationThe term ’poor method documentation’ here refers to all inconsistencies thatwe came across during the assessment. Many of these were due to inexperi-ence.The documentation should give better descriptions of likelihood categories,and give better guidelines on eliciting the probabilities. There seems to begreat confusion with the concept of mathematical probability and how it re-lates to the likelihood of occurrence category of the method. The methoddocumentation should address this question.It would be useful to have a more comprehensive FAQ section (frequentlyasked questions) in the documentation. Addressing questions about prob-ability elicitation, how to determine the frequency of exposure in a casedescribed above, and also about other practices and questions the assessorscome across when using the method would greatly reduce ambiguity andvariation in results. 72
  • Chapter 7ConclusionMy thesis has tried to bring into light the multi-faceted field of risk manage-ment, its concepts, methods, and regulations. In particular, I have tried toanswer the question ’what matters affect the process of risk assessment’. Ihave reviewed the Company method and examined the results it produces.I also have discussed the safety situation in the Company.During the course of writing this thesis, the Company method was used forthe first time at the Site. This surfaced several issues that had to be ad-dressed. When the methodological practises have not yet been established,confusion and uncertainty take hold. These will disappear with time andexperience. It is vital that the assessors first using the method documenttheir findings and practises so that others see their logic and reasoning be-hind their numbers.I have reached most of my pre-set goals and managed to answer questions Iset as research questions. I had first hoped to be able to use Bayesian anal-ysis to analyse the uncertainty in the results, but lack of time and resourcesdid not make it possible. Should the study be continued, this subject wouldprove to be fruitful in determining how the uncertainty in results could fur-ther be reduced.It would also be useful to examine how the other methods relate to the Com-pany method. The Company method does not require anything else butidentifying hazards, rating them and documenting the findings. It does notexplicitly state what method should be used in assessments. There are quitea few methods available that are widely used and proven worthy in safetyassessments. Linking these to the Company method could give extra insightto assessors in assessing risks and improving safety climate. I would alsolike to study in a more general behaviour-related psychological context whatdifferent aspects of work environment could be improved in order to createmore mature safety climate. 73
  • Bibliography [1] R. Andersson. Injury causation, injury prevention and safety promo- tion – definitions and related analytical frameworks. In L. Laflamme, L. Svanstr¨m, and L. Schelp, editors, Safety Promotion Research, pages o 15–42. Karolinska Institutet, Department of Public Health Sciences, Di- vision of Medicine, 1999. [2] A. Bandura. Social cognitive theory: An agentic perspective. Annual Review of Psychology, 52:1–26, 2001. [3] P. L. Bernstein. Against the Gods: The Remarkable Story of Risk. John Wiley & Sons, New York, 2004. [4] R. T. Clemen and R. L. Winkler. Combining probability distributions from experts in risk analysis. Risk Analysis, 19(2):187–203, 1999. [5] R. M. Cooke and L. H. J. Goossens. Procedures guide for structured expert judgement. Technical report, European Commission. Nuclear Science and Technology, EURATOM, Luxembourg, 2000. [6] C. L. Cooper, P. J. Dewe, and M. P. O’Driscoll. Organizational Stress: A Review and Critique of Theory, Research and Applications. Sage Publications, 2001. [7] Jr. Cox, L. A. What’s wrong with risk matrices? Risk Analysis, 28(2):497–512, 2008. [8] X. Cuny and M. Lejeune. Occupational risks and the value and mod- elling of a measurement of severity. Safety Science, 31:213–229, 1999. [9] A. Daniels. Bringing out the best in people. McGrawHill, New York, 1999.[10] S. W. A. Dekker. Failure to adapt or adaptations that fail: contrasting models on procedures and safety. Applied Ergonomics, 34:223–238, 2003.[11] M. D¨¨s and T. Backstr¨m. Constructing workplace safety through con- oo o trol and learning. In J. Summerton and B. Berner, editors, Construct- ing Risk and Safety in Technological Practice, pages 175–192. Taylor & Francis, London, Routledge, 2003. 74
  • [12] R. Flin, K. Mearns, P. O’Connor, and R. Bryden. Measuring safety climate: identifying the common features. Safety Science, 34:177–192, 2000.[13] CEN European Committee for Standardization. Standard EN 1050 - Safety of machinery: Principles for risk assessment. CEN European Committee for Standardization, Brussels, August 1994.[14] Fujita and Hollnagel. Failures without errors: quantification of context in hra. Reliability Engineering & System Safety, 83:145–151, 2004.[15] G. W. Hannaman and A. J. Spurgin. Systematic human action reliability procedure (sharp). Palo Alto: Electric Power Research Institute, pages A–8, 1983.[16] L. Harms-Ringdahl. Safety Analysis – Principles and practice in occu- pational safety. Taylor & Francis, 2. edition, 2001.[17] Health and Safety Executive. Reducing error and influencing behaviour. HSE Books, 1999.[18] N. Holmes, T. J. Triggs, Gifford S. M., and Dawkins A. W. Occupa- tional injury risk in blue collar, small business industry: implication for prevention. Safety Science, 25(1-3):67–78, 1997.[19] J. S. House. Work stress and social support. Addison-Wesley, Reading, MA., 1981.[20] ANSI B11.TR3 (American National Standards Institute). Risk assess- ment and risk reduction – a guide to estimate, evaluate and reduce risks associated with machine tools. Technical report, Association for Manu- facturing Technology, 2000.[21] S. Kaplan and B. J. Garrick. On the quantitative definition of risk. Risk Analysis, 1:11–27, 1981.[22] R. Karasek. Job demands, job decision latitude and mental strain: Im- plications for job redesign. Administrative Science Quarterly, 24:285– 308, 1979.[23] R. A. Karasek, K. P. Triantis, and S. S. Chaudhry. Coworker and super- visor support as moderators of associations between task characteristics and mental strain. J. of Occupational Behaviour, 3:181–200, 1982.[24] B. Kirwan. Human error identification techniques for risk assessment of high risk systems – part 1: review and evaluation of techniques. Applied Ergonomics, 29(3):157–177, 1998.[25] B. Kirwan and L. K. Ainsworth. A Guide to Task Analysis. Taylor & Francis, Washington, DC, 1993. 75
  • [26] J. L. Komaki, T. Coombs, Jr. Redding, T. P., and S. Schepman. A rich and rigorous examination of applied behaviour analysis research in the world of work. In C. L. Cooper and I. T. Robertson, editors, Interna- tional Review of Industrial and Organizational Psychology, volume 15, pages 265–366. John Wiley & Sons, New York, 2000.[27] P. A. Landbergis, J. Cahill, and P. Schnall. The impact of lean produc- tion and related new systems of work organisation on worker health. J. of Occupational Health Psychology, 4(2):108–130, 1999.[28] R. Lundgren. Risk Communication, A Handbook for communicating Environmental Safety and Health Risks. Battelle Press, Ohio, 1994.[29] Fleming M. and Lardner R. Strategies to promote safe behaviour as part of a health and safety management system, HSE Contract Research Report, volume 430. HSE Books, 2002.[30] D. M. Macdonald. Practical machinery safety. Elsevier, London, 2004.[31] R. E. Melchers. On the alarp approach to risk management. Reliability Engineering & System Safety, 71(2):201–208, 2001.[32] S. B. Merriam, R. S. Caffarella, and L. M. Baumgartner. Learning in adulthood: a comprehensive guide. John Wiley & Sons, San Francisco, 2007.[33] M. Modarres. Risk Analysis in Engineering: Techniques, Tools, and Trends. CRC Press, 2006.[34] U.S. Department of Defence. Military Standard System Safety Program Requirements. MIL-STD-882D. Dept. of Defence, 2000.[35] Ministry of Social Affairs and Health. Council of state decision on the safety of machinery, 1314/1994.[36] Ministry of Social Affairs and Health. Council of state decision on the safety of machinery, 400/2008.[37] Ministry of Social Affairs and Health. Occupational safety and health act, 738/2002.[38] U.S. Department of the Army Effective. System Safety Engineering and Management. AR 385-16. US Army, 1990.[39] N. Pidgeon. Safety culture: key theoretical issues. Work and Stress, 12(3):202–216, 1998.[40] J. Rasmussen. Skills, rules, knowledge: signals, signs and symbols and other distinctions in human performance models. IEEE Transactions on systems man and cybernetics, SMC-13:257–267, 1983. 76
  • [41] J. Rasmussen. Risk management in a dynamic society: A modelling problem. Safety Science, 27(2):183–213, 1997.[42] N. Rasmussen. Reactor safety study. An assessment of accident risks in U.S. commercial nuclear power plants. United States Nuclear Regulatory Commission, NUREG-75/014, WASH-1400, 1975.[43] J. Reason. Managing the Risks of Organizational Accidents. Ashgate, Aldershot, 1997.[44] G. I. Rochlin. Safety as a social construct. the problem(atique) of agency. In J. Summerton and B. Berner, editors, Constructing Risk and Safety in Technological Practice, pages 123–139. Taylor & Francis, London, Routledge, 2003.[45] G.I. Rochlin. Safe operation as a social construct. Ergonomics, 42(11):1549–1560, 1999.[46] J. Saari. On strategies and methods in company safety work: From infor- mational to motivational strategies. Journal of Occupational Accidents, 12:107–117, 1990.[47] P. Slovic. Perception of risk: Reflections on the psychometric paradigm. In S. Krimsky and D. Golding, editors, Social Theories of Risk, pages 117–152. Peager, Westport, CT, 1992.[48] P. Slovic. The Perception of Risk. Earthscan Publications Ltd., 2000.[49] M. et al. Stamatelatos. Probabilistic Risk Assessment Procedures Guide for NASA Managers and Practitioners, Version 1.1. National Aeronau- tics and Space Administration, Washington DC, 2002.[50] C. Stave. Safety as a process: From risk perception to safety activity. PhD thesis, Chalmers University of Technology, G¨teborg, 2005. o[51] J. Summerton and B. Berner. Introduction. In J. Summerton and B. Berner, editors, Constructing Risk and Safety in Technological Prac- tice. Taylor & Francis, London, Routledge, 2003.[52] A. Swain and H. Guttmann. Handbook on human reliability analysis with emphasis on nuclear power plant application. US Nuclear Regulatory Commission, NUREG/CR-1278, 1983.[53] A. Tversky and D. Kahneman. Judgement under uncertainty. heuristics and biases. Science, 185:1124–1131, 1974.[54] VTT. http://pk-rh.fi. Pk-yritysten riskianalyysi, 2009.[55] R. B. Whittingham. The Blame Machine: Why Human Error Causes Accidents. Elsevier, 2004. 77
  • [56] Douglas A. Wiegmann, Hui Zhang, Terry von Thaden, Gunjan Sharma, and Alyssa Mitchell. A synthesis of safety culture and safety climate research. Technical report, Federal Aviation Administration Atlantic City International Airport, NJ, June 2002.[57] G. J. S. Wilde. Target Risk 2, A new psychology of safety and health, What works? What doesn’t? And why... PDE Publications, Canada, 2001.[58] R. L. Winkler, S. C. Hora, and R. G. Baca. The quality of experts’ probabilities obtained through formal elicitation techniques. Technical report, Center for nuclear waste regulatory analyses, CNWRA, San An- tonio, Texas, 1992.[59] D. D. et al. Woods. Behind human error: cognitive systems, computers and hindsight. CSERIAC, Columbus, OH, 1994. 78
  • Appendix AAppendices 79
  • A.1 Safe system of work instructions for sur- face grinder CROWN PAKKAUS OY T-H Saari 2009 Versio 1 TURVALLISEN TYÖN OHJE TASOHIOMAKONE YLEISIMMÄT RISKIT - Ruhjeet käsiin pyörivästä hiomalaikasta - Silmävammat lentävästä jätteestä - Hiontapöly - Sinkoutumisvaara hiomatyökalun hajotessa HENKILÖSUOJAIMET • Työvaatteiden ja turvakenkien lisäksi tasohiomakonetta käytettäessä tulee päässä olla suojalasit ja korvissa kuulosuojaimet. • Työskentelyn aikana ei saa käyttää käsineitä, jos on olemassa vaara niiden tarttumisesta terään tai muuhun liikkuvaan tai pyörivään koneen osaan. Myös liian löysä vaatetus, leveät tai revenneet hihat voivat vastaavasti takertua helposti. KONETURVALLISUUS • Hiomakoneessa tulee olla rikkomasuojus, jonka tehtävänä on estää kipinäsuihkua tai mahdollisesti irtoavia kappaleita osumasta käyttäjään sekä estää tahaton kosketus laikkaan. NORMAALI AJO • Tarkista hiomatyökalun siisteys, suojuksen asento ja kiinnitys sekä pöydän etäisyys. • Muista laittaa magneetti päälle. Kappale irtoaa pöydästä ellei magneettikytkin ole päällä. Sellaiset aineet jotka eivät tartu magneettipöytään voidaan kiinnittää ruuvipenkkiin ja ruuvipenkki magneettipöytään. • Laita ensin hiomamoottori päälle ennen vedensyöttöä. Katso että kivi pääsee vapaasti pyörimään. Pysähtyneenä hiomalaikka kerää vettä kuin sieni ja se saattaa haljeta pyöritettäessä (hengenvaarallinen). • Ole tarkkana syötön suuruudesta. Liian suuri syöttö voi irrottaa pienen kappaleen magneettipöydästä tai vääntää lämmetessä kappaletta. • Kun aloitat hionnan, katso että kone pyörii täysillä kierroksilla ennen kosketusta kappaleeseen. • Lopetettaessa poista kappaleesta magneetti poistolaitteen avulla. MUUT POIKKEAVAT TILANTEET (häiriöt, puhdistus) • Pysäytä kone ja varmista että hiontatyökalu on kokonaan pysähtynyt. • ÄLÄ KOSKAAN HIO MUITA KUIN RAUTAPITOISIA MATERIAALEJA! Esim. alumiinipöly on räjähtävää. • Jos moottori ylikuumentuu, on käytettävä tehokkaampaa konetta. • Sähkömoottorin tuuletusaukot on pidettävä avoimina ja puhtaina. • Siivoa jälkesi. Magneettipöydän tulee olla puhdas, sillä muuten kappale naarmuuntuu eikä kiinnity kunnolla pintaan. ASENNUKSET, HUOLLOT • Lukitse virransyöttö pää/turvakytkimestä henkilökohtaisella lukolla ennen asennusta. • Tarkista leikkuunesteen syöttöjärjestelmä kerran viikossa. Lisää nestettä mikäli tarpeellista. HÄTÄTILANTEET • Hätätilanteissa pysäytä kone hätä seis –pysäyttimestä. • Jos hiomatyökalusta sinkoutuu palasia, pysäytä kone heti. Rikkinäistä työkalua ei saa käyttää! • Tarkista säännöllisesti että hätä seis –painike toimii. SÄHKÖTYÖT • Sähkötöitä saavat tehdä vain sähköasentajat. Sähköasentajalta opastuksen ja avaimen sähkökaappiin saaneilla henkilöillä on lupa käydä kaapilla tekemässä tiettyjä toimenpiteitä kuten kuittaamassa rele. Muista aina lukita sähkökaappi käytön jälkeen.Figure A.1: Instructions for safe system of work for surface grinder (inFinnish) 80
  • A.2 Modified Company method risk scoring components Tapahtuman seuraus (S) 0.5Mustelmat, ruhjeet, haavat, silmän ärsytys, iskut päähän (ei tajunnanmenetystä) 1Luun murtuminen tai vähäinen, tilapäinen ammattitauti, ensimmäisen asteen palovammat 2Luun katkeaminen tai vähäinen, pysyvä ammattitauti, selkävammat, kuulovauriot 8Vakava, tilapäinen tai pysyvä ammattitauti / amputoinnit, näön menetys, vakavat puristusvammat, toisen asteen palovammat, kemikaalivauriot, ei-kuolettava sähköisku, astma, syöpä, kooma 15 Kuolema Altistuksen taajuus (TA) 0.1 Epäsäännöllisesti 0.2 Vuosittain 1 Kuukausittain 1.5 Viikottain 2.5 Päivittäin 5 Jatkuvasti Vaaralle alttiina olevien ihmisten lukumäärä (L) 1 1-2 2 3-7 4 8-15 8 16-50 12 Yli 50 Vaaran todennäköisyys (TO) 0.5 Erittäin epätodennäköinen 1 Epätodennäköinen 2 Mahdollinen (mutta epätavallinen) 5 Mahdollinen 10 Todennäköinen RISKIN SUURUUS S x TA x L x TO 0-1 Mitättömän pieni 2-5 Erittäin alhainen 6-10 Alhainen 11-50 Merkittävä 51-100 Suuri 101- Erittäin suuri 500 501- Äärimmäinen 1000 yli 1000 Sietämätön Mitätön 0-5 Työhön sisältyy erittäin pieni riski terveydelle/turvallisuudelle Alhainen mutta merkittävä 6-50 Työhön sisältyy vaaroja, jotka tarvitsevat seurantaa tai toimenpiteitä Korkea 51-500 Työhön sisältyy mahdollisia vakavia vaaroja, jotka tarvitsevat kiireellisesti seurantaa tai toimenpiteitä Sietämätön >500 Työn jatkaminen ilman korjaavia toimenpiteitä ei ole hyväksyttävissä. Figure A.2: The final categories of the new Company method 81
  • Appendix BRisk assessment results 82
  • Description of task or Description of hazard D F N L R Risk controls machine (person in risk) P E P O R H Adding plug and seal (oper- Conveyor could start moving unexpect- 0.5 5 1 2 5 ator) edly while an employee is standing on it Adding plug and seal (oper- After pressured hose ruptures or the 0.5 5 1 2 5 ator) valve fails it might hit the employee Adding plug and seal (oper- Pressured air machine (5kg) for adding 1 5 1 5 25 Inspecting the fastening ator) plug and seal might fall down if the fas- mechanism, maintenance tening mechanism fails plan for drum packaging area Adding plug and seal (oper- Lifting heavy plug containers can cause 2 1.5 1 2 6 ator) back strain Maintenance in printing Bruises caused by accidental start up of 0.5 0.1 1 1 0.583 oven (setter / mechanic) the oven conveyor during maintenance Blocking the access to the Fingers hit by moving drums 0.5 1,5 1 1 0.75 PPE drum turning machine with a metal bar (operator) Walking in the drum line Employees cross over conveyors while 2 2.5 1 2 10 Securing the area, better packaging area (operator) line is running. Steps in the walkways steps for stairs are inadequate Drum turner goes off track, Sudden machinery start followed by 2 1 1 1 2 employee correcting the sit- crushing uation (operator) Table B.1: Drum line packaging area risk assessment results 1 of 3
  • Description of task or Description of hazard D F N L R Risk controls machine (person in risk) P E P O R H Clearing a jam in the drum Sudden machinery start followed by 15 1,5 1 5 113 Maintenance plan for lift (operator) crushing drum packaging area contains inspection of safety boundaries. Miss- ing a lock in the main switch Clearing a jam in the drum Sudden machinery start followed by 15 2.5 1 5 188 See above. elevator area (operator) crushing Yearly maintenance of drum Sudden machinery start followed by 15 0.2 2 5 30 See above. lifts and elevator (setter / crushing mechanic) Clearing a jam in the drum Inadequate working platforms resulting 15 1 1 5 75 Extending the working84 lift or elevator (operator) in falling platform, adding a gate, raising the handrail of the existing working platform, using personal safety equipment Clearing a jam in the drum Sudden machinery start followed by 15 1.5 1 5 113 Guarding the area pallet machine (operator) crushing Clearing a jam in the con- Fingers or other parts of the body 8 2,5 1 2 40 Guarding the area veyor and turntable areas crushed (operator) Table B.2: Drum line packaging area risk assessment results 2 of 3
  • Description of task or Description of hazard D F N L R Risk controls machine (person in risk) P E P O R H Clearing a jam in the drum Drums are piled in 4 layers. A drum 15 2.5 1 5 188 A separate plan for con- pallet conveyor (operator) pallet might get stuck before the band- trol measures ing machine, and an employee loosen- ing the pallet might be hit by a falling drum Using the banding machine Banding machine does not have any 0.5 1 2 1 1 Adding a moving perspex (operator) guarding guarding85 Lifting a heavy banding roll Back strain 2 1.5 1 2 6 (operator) Manual banding of the Falling drum hits an employee 15 1 1 1 15 Helmet usage drum pallets (operator) Working at the drum pack- Cold working environment leading to 0.5 5 1 2 5 Using a tarpaulin aging area (operator) catching cold Clearing a jam in the scrap Entanglement hazard 8 0.2 2 1 3.2 metal conveyor (operator) Table B.3: Drum line packaging area risk assessment results 3 of 3
  • Description of task or Description of hazard D F N L R Risk controls machine (person in risk) P E P O R H Setup and adjustment (set- Electricity: exposure to live voltage 15 1 1 5 75 ter / engineer) Normal operation (opera- Shear hazard: hands drifting to the slit- 8 5 1 0.5 20 Fixed guards tor) ter blades Normal operation (opera- Moving vehicles: forklift trucks operate 8 5 1 0.5 20 Traffic management, op- tor) in the area erator competence Normal operation (opera- Shear hazard: metal sheets falling off 2 5 1 2 20 Safe system of work tor) the table Setup and adjustment (set- Human error / shear hazard: no lock- 8 1 1 2 1686 ter / mechanic) able main switch, someone might turn the machine on Normal operation (opera- Cutting: handling metal sheets or 0.5 5 1 5 13 Cut proof gloves tor) packages Moving and banding pack of Shear hazard: pack of sheets toppling 2 5 1 1 10 Safe system of work metal sheets (operator) over Operating the elevator (op- Feet crushed under the elevator 2 5 1 0.5 5 Interlocked guarding: el- erator) evator table safety bar- rier Sharpening the slitter Cutting: fixed guards in place do not 8 0.2 1 1 1.6 blades (setter / mechanic) prevent access to moving parts Table B.4: 175mm earcup lid slitter, machine no. 959
  • Description of task or Description of hazard D F N L R Risk controls machine (person in risk) P E P O R H Setup and adjustment (set- Electricity: exposure to live voltage 15 1 1 5 75 ter / engineer) Normal operation (opera- Shear hazard: hands drifting to the slit- 8 5 1 0.5 20 Fixed guards tor) ter blades Normal operation (opera- Moving vehicles: forklift trucks operate 8 5 1 0.5 20 Traffic management, op- tor) in the area erator competence Normal operation (opera- Shear hazard: metal sheets falling off 2 5 1 2 20 Safe system of work tor) the table Setup and adjustment (set- Human error / shear hazard: no lock- 8 1 1 2 1687 ter / mechanic) able main switch, someone might turn the machine on Normal operation (opera- Cutting: handling metal sheets or 0.5 5 1 5 13 Cut proof gloves tor) packages Moving and banding pack of Shear hazard: pack of sheets toppling 2 5 1 1 10 Safe system of work metal sheets (operator) over Operating the elevator (op- Feet crushed under the elevator 2 5 1 0.5 5 Interlocked guarding: el- erator) evator table safety bar- rier Sharpening the slitter Cutting: fixed guards in place do not 8 0.2 1 1 1.6 blades (setter / mechanic) prevent access to moving parts Table B.5: 175mm pressing lid slitter, machine no. 2789
  • Description of task or Description of hazard D F N L R Risk controls machine (person in risk) P E P O R H Setup and adjustment (set- Electricity: exposure to live voltage 15 1 1 5 75 ter / engineer) Normal operation (opera- Shear hazard: hands drifting to the slit- 8 5 1 0.5 20 Fixed guards tor) ter blades Normal operation (opera- Moving vehicles: forklift trucks operate 8 5 1 0.5 20 Traffic management, op- tor) in the area erator competence Normal operation (opera- Shear hazard: metal sheets falling off 2 5 1 2 20 Safe system of work tor) the table Setup and adjustment (set- Human error / shear hazard: no lock- 8 1 1 2 1688 ter / mechanic) able main switch, someone might turn the machine on Normal operation (opera- Cutting: handling metal sheets or 0.5 5 1 5 13 Cut proof gloves tor) packages Moving and banding pack of Shear hazard: pack of sheets toppling 2 5 1 1 10 Safe system of work metal sheets (operator) over Operating the elevator (op- Feet crushed under the elevator 2 5 1 0.5 5 Interlocked guarding: el- erator) evator table safety bar- rier Sharpening the slitter Cutting: fixed guards in place do not 8 0.2 1 1 1.6 blades (setter / mechanic) prevent access to moving parts Table B.6: 268mm end slitter, machine no. 910
  • Description of task or Description of hazard D F N L R Risk controls machine (person in risk) P E P O R H Setup and adjustment (set- Electricity: exposure to live voltage 15 1 1 5 75 ter / engineer) Normal operation (opera- Shear hazard: hands drifting to the slit- 8 5 1 0.5 20 Fixed guards tor) ter blades Normal operation (opera- Moving vehicles: forklift trucks operate 8 5 1 0.5 20 Traffic management, op- tor) in the area erator competence Normal operation (opera- Shear hazard: metal sheets falling off 2 5 1 2 20 Safe system of work tor) the table Setup and adjustment (set- Human error / shear hazard: no lock- 8 1 1 2 1689 ter / mechanic) able main switch, someone might turn the machine on Normal operation (opera- Cutting: handling metal sheets or 0.5 5 1 5 13 Cut proof gloves tor) packages Moving and banding pack of Shear hazard: pack of sheets toppling 2 5 1 1 10 Safe system of work metal sheets (operator) over Operating the elevator (op- Feet crushed under the elevator 2 5 1 0.5 5 Interlocked guarding: el- erator) evator table safety bar- rier Sharpening the slitter Cutting: fixed guards in place do not 8 0.2 1 1 1.6 blades (setter / mechanic) prevent access to moving parts Table B.7: 285mm pressing lid slitter, machine no. 3097 (8086 SETVB)
  • Description of task or Description of hazard D F N L R Risk controls machine (person in risk) P E P O R H Setup and adjustment (set- Electricity: exposure to live voltage 15 1 1 2 30 Permit to work system ter / engineer) Normal operation (opera- Shear hazard: hands drifting to the slit- 8 5 1 0.5 20 Fixed guards tor) ter blades Normal operation (opera- Shear hazard: metal sheets falling off 2 5 1 2 20 Safe system of work tor) the table Setup and adjustment (set- Human error / shear hazard: no lock- 8 1 1 2 16 ter / mechanic) able main switch, someone might turn the machine on90 Normal operation (opera- Cutting: handling metal sheets or 0.5 5 1 5 13 Cut proof gloves tor) packages Moving and banding pack of Shear hazard: pack of sheets toppling 2 5 1 1 10 Safe system of work metal sheets (operator) over Operating the elevator (op- Feet crushed under the elevator 2 5 1 0.5 5 Interlocked guarding: el- erator) evator table safety bar- rier Normal operation (opera- Slip / trip hazard: tripping on the up- 1 5 1 1 5 Good housekeeping tor) board Sharpening the slitter Cutting: fixed guards in place do not 8 0.2 1 1 1.6 blades (setter / mechanic) prevent access to moving parts Table B.8: Slitter, machine no. 984
  • Description of task or Description of hazard D F N L R Risk controls machine (person in risk) P E P O R H Setup and adjustment (set- Electricity: exposure to live voltage 15 1 1 2 30 Permit to work system ter / engineer) Normal operation (opera- Shear hazard: hands drifting to the slit- 8 5 1 0.5 20 Fixed guards tor) ter blades Normal operation (opera- Shear hazard: metal sheets falling off 2 5 1 2 20 Safe system of work tor) the table Normal operation (opera- Cutting: handling metal sheets or 0.5 5 1 5 13 Cut proof gloves tor) packages Moving and banding pack of Shear hazard: pack of sheets toppling 2 5 1 1 10 Safe system of work91 metal sheets (operator) over Setup and adjustment (set- Human error / shear hazard: forgetting 8 1 1 1 8 ter / mechanic) to lock out the main power switch Operating the elevator (op- Feet crushed under the elevator 2 5 1 0.5 5 Interlocked guarding: el- erator) evator table safety bar- rier Normal operation (opera- Slip / trip hazard: tripping on the up- 1 5 1 1 5 Good housekeeping tor) board Sharpening the slitter Cutting: fixed guards in place do not 8 0.2 1 1 1.6 blades (setter / mechanic) prevent access to moving parts Table B.9: Lyon slitter, machine no. 3032
  • Description of task or Description of hazard D F N L R Risk controls machine (person in risk) P E P O R H Setup and adjustment (set- Electricity: exposure to live voltage 15 1 1 5 75 ter / engineer) Normal operation (opera- Shear hazard: hands drifting to the slit- 8 5 1 0.5 20 Fixed guards tor) ter blades Normal operation (opera- Shear hazard: metal sheets falling off 2 5 1 2 20 Safe system of work tor) the table Setup and adjustment (set- Human error / shear hazard: no lock- 8 1 1 2 16 ter / mechanic) able main switch, someone might turn92 the machine on Normal operation (opera- Cutting: handling metal sheets or 0.5 5 1 5 13 Cut proof gloves tor) packages Moving and banding pack of Shear hazard: pack of sheets toppling 2 5 1 1 10 Safe system of work metal sheets (operator) over Operating the elevator (op- Feet crushed under the elevator 2 5 1 0.5 5 Interlocked guarding: el- erator) evator table safety bar- rier Sharpening the slitter Cutting: fixed guards in place do not 8 0.2 1 1 1.6 blades (setter / mechanic) prevent access to moving parts Table B.10: candybox lid slitter, machine no. 979
  • Description of task or Description of hazard D F N L R Risk controls machine (person in risk) P E P O R H Setup and adjustment (set- Electricity: exposure to live voltage 15 1 1 2 30 Permit to work system ter / mechanic) Normal operation (opera- Crushing hazard: contact with moving 8 5 1 0.5 20 Fixed guards: sealed tool tor) tool Normal operation (opera- Cutting: handling metal sheets or 0.5 5 1 5 13 Cut proof gloves tor) packages Setup and adjustment (set- Human error / shear hazard: forgetting 8 1 1 1 8 ter / mechanic) to lock out the main power switch Normal operation (opera- Slip / trip hazard: tripping on the up- 1 5 1 1 5 Good housekeeping tor) board Normal operation (opera- Shear hazard: sheets falling off the ta- 2 5 1 0.5 5 Safe system of work93 tor) ble Setup and adjustment (set- Fixed guards do not prevent access to 8 1 1 0.5 4 Fixed guards ter / mechanic) moving parts / shear hazard: flywheel not entirely covered Normal operation (opera- Entanglement hazard: conveyors 0.5 5 1 1 2.5 Emergency stop tor) Packing (operator) Crushing hazard: no guarding in 0.5 5 1 1 2.5 Emergency stop stacker Normal operation (operator Controls are not clearly identified or la- 0.5 5 1 1 2.5 / setter / mechanic) belled Changing tool (setter / me- Crushing: sudden release of suspension 8 0.2 1 1 1.6 chanic) while moving tool Table B.11: 360mm end power press, machine no. 2942
  • Description of task or Description of hazard D F N L R Risk controls machine (person in risk) P E P O R H Setup and adjustment (set- Electricity: exposure to live voltage 15 1 1 5 75 ter / engineer) Normal operation (opera- Crushing hazard: contact with moving 8 5 1 0.5 20 Fixed guards: sealed tool tor) tool Setup and adjustment (set- Human error / shear hazard: no lock- 8 1 1 2 16 ter / mechanic) able main switch, someone might turn the machine on Normal operation (opera- Cutting: handling metal sheets or 0.5 5 1 5 13 Cut proof gloves tor) packages Setup and adjustment (set- Electricity: near miss situation - me- 15 1.5 1 0.5 11 Residual current device, ter / mechanic) chanic was electrocuted by the induc- examination of other tive part in stacker stackers94 Normal operation (opera- Shear hazard: sheets falling off the ta- 2 5 1 0.5 5 Safe system of work tor) ble Normal operation (opera- Slip / trip hazard: falling from upboard 1 5 1 1 5 tor) Normal operation (opera- Controls are not clearly identified or la- 1 5 1 1 5 tor) belled: Emergency stop badly visible Changing tool (setter / me- Setup cannot be done with power cut 8 0.2 1 2 3.2 Fixed guards chanic) off, and the guards are circumvented. Hands might be crushed due to acci- dental tool movement. Packing (operator) Crushing hazard: no guarding in 0.5 5 1 1 2.5 Emergency stop stacker Normal operation (opera- Entanglement hazard: conveyors 0.5 5 1 1 2.5 Emergency stop tor) Table B.12: 380mm earcup lid power press, machine no. 1380 (Raskin-100tn)
  • Description of task or Description of hazard D F N L R Risk controls machine (person in risk) P E P O R H Setup and adjustment (set- Electricity: exposure to live voltage 15 1 1 2 30 Permit to work system ter / mechanic) Normal operation (opera- Crushing hazard: contact with moving 8 5 1 0.5 20 Fixed guards: sealed tool tor) tool Setup and adjustment (set- Human error / shear hazard: no lock- 8 1 1 2 16 ter / mechanic) able main switch, someone might turn95 the machine on Normal operation (opera- Cutting: handling metal sheets or 0.5 5 1 5 13 Cut proof gloves tor) packages Setup and adjustment (set- Electricity: near miss situation - me- 15 1.5 1 0.5 11 Residual current device, ter / mechanic) chanic was electrocuted by the induc- examination of other tive part in stacker stackers Normal operation (opera- Shear hazard: sheets falling off the ta- 2 5 1 0.5 5 Safe system of work tor) ble Table B.13: 380mm R-lid power press, machine no. 2941 (1 of 2)
  • Description of task or Description of hazard D F N L R Risk controls machine (person in risk) P E P O R H Normal operation (opera- Slip / trip hazard: falling from upboard 1 5 1 1 5 tor) Normal operation(operator) Crushing: near miss situation - tool 2 5 1 0.5 5 Fixed guards, installing fastening mechanism ruptured, helical a safety stopper, inspec- clamp and springs fell down almost hit- tion ting employee Setup and adjustment (set- Fixed guards do not prevent access to 8 1 1 0.5 4 Fixed guards96 ter / mechanic) moving parts / shear hazard: flywheel not entirely covered Normal operation (operator Controls are not clearly identified or la- 0.5 5 1 1 2.5 / setter / mechanic) belled Packing (operator) Crushing hazard: no guarding in 0.5 5 1 1 2.5 Emergency stop stacker Normal operation (opera- Entanglement hazard: conveyors 0.5 5 1 1 2.5 Emergency stop tor) Table B.14: 380mm R-lid power press, machine no. 2941 (2 of 2)
  • Description of task or Description of hazard D F N L R Risk controls machine (person in risk) P E P O R H Setup and adjustment (set- Electricity: exposure to live voltage 15 1 1 2 30 Permit to work system ter / mechanic) Normal operation (opera- Crushing hazard: contact with moving 8 5 1 0.5 20 Two-handed control de- tor) tool vice Setup and adjustment (set- Human error / shear hazard: no lock- 8 1 1 2 16 ter / mechanic) able main switch, someone might turn the machine on Normal operation (opera- Cutting: handling metal sheets or 0.5 5 1 5 13 Cut proof gloves97 tor) packages Normal operation (opera- Slip / trip hazard: falling from upboard 1 5 1 1 5 tor) Normal operation(operator) Crushing: near miss situation - tool 2 5 1 0.5 5 Fixed guards, installing fastening mechanism ruptured, helical a safety stopper, inspec- clamp and springs fell down almost hit- tion ting employee Normal operation (opera- Shear hazard: sheets falling off the ta- 2 5 1 0.5 5 Safe system of work tor) ble Table B.15: Candybox lid power press, machine no. 2325 CCCP-40tn
  • Description of task or Description of hazard D F N L R Risk controls machine (person in risk) P E P O R H Setup and adjustment (set- Electricity: exposure to live voltage 15 1 1 2 30 Permit to work system ter / mechanic) Normal operation (opera- Crushing hazard: contact with moving 8 5 1 0.5 20 Interlocked guards tor) tool Setup and adjustment (set- Human error / shear hazard: no lock- 8 1 1 2 16 ter / mechanic) able main switch, someone might turn98 the machine on Normal operation (opera- Slip / trip hazard: oily surfaces around 0.5 5 1 5 13 Good housekeeping tor) the power press Normal operation (opera- Falling objects: reliever of the plug 1 5 1 1 5 tor) sealing machine (5kg) might fall off if fastening ruptures Normal operation (opera- Fingers crushed under plexi glass dur- 0.5 5 1 2 5 Interlocked guards tor) ing operation Table B.16: Drum end power press, machine no. 1448
  • Description of task or Description of hazard D F N L R Risk controls machine (person in risk) P E P O R H Normal operation (opera- Crushing hazard: contact with moving 8 1 1 1 8 Two-handed control de- tor) tool vice Normal operation (opera- Moving vehicles: forklift trucks operate 8 1 1 1 8 Traffic management, op- tor) in the area erator competence Normal operation (opera- Controls are not clearly identified or la- 8 1 1 1 8 tor) belled: Emergency stop badly visible99 Normal operation (opera- Crushing hazard: the machine stands 8 1 1 0.5 4 tor) on wooden blocks Setup and adjustment (set- Electricity: exposure to live voltage 15 0.1 1 2 3 Safe system of work ter / mechanic) Setup and adjustment (set- Human error: no lockable main switch, 8 0.1 1 1 0.8 ter / mechanic) someone might turn the machine on Setup and adjustment (set- No protection appliances provided: 8 0.1 1 1 0.8 ter / mechanic) Fingers crushed by moving tool Table B.17: Drum lid machine, machine no. 1653 CCCP-100tn
  • Description of task or Description of hazard D F N L R Risk controls machine (person in risk) P E P O R H Setup and adjustment (set- Electricity: exposure to live voltage 15 0.2 1 5 15 Safe system of work ter / mechanic) Normal operation (opera- Shear hazard: contact with moving tool 8 1.5 1 0.5 6 Fixed guards tor) Normal operation (opera- Moving vehicles: forklift trucks operate 8 1.5 1 0.5 6 Traffic management, op- tor) in the area erator competence100 Normal operation (operator Controls are not clearly identified or la- 2 1.5 1 1 3 / setter / mechanic) belled Setup and adjustment (set- Human error: no lockable main switch, 8 0.2 1 1 1.6 ter / mechanic) someone might turn the machine on Normal operation (opera- Inadequate housekeeping: all sorts of 0.5 1.5 1 2 1.5 Good housekeeping tor) scrap lying around Normal operation (opera- Cutting: handling metal sheets or 0.5 1.5 1 2 1.5 Cut proof gloves tor) packages Table B.18: Guillotine shear, machine no. 1538
  • Description of task or Description of hazard D F N L R Risk controls machine (person in risk) P E P O R H Setup and adjustment (set- Electricity: exposure to live voltage 15 0.2 1 2 6 Safe system of work ter / mechanic) Normal operation (opera- Shear hazard: contact with moving tool 8 1 1 0.5 4 Fixed guards tor) Setup and adjustment (set- Human error / shear hazard: forgetting 8 0.2 1 1 1.6 ter / mechanic) to lock out the main power switch Normal operation (opera- Cutting: handling metal sheets or 0.5 1 1 2 1 Cut proof gloves tor) packages Normal operation (opera- Interlocking guards in place unsuitable: 1 1 1 1 1 tor) light curtain not in use Normal operation (opera- Inadequate housekeeping: metal sheets 0.5 1 1 2 1 Good housekeeping101 tor) and scraps lying around Table B.19: Folding machine, machine no. 2778
  • Description of task or Description of hazard D F N L R Risk controls machine (person in risk) P E P O R H Setup and adjustment (set- Electricity: exposure to live voltage 15 1 1 2 30 Permit to work system ter / mechanic) Normal operation (opera- Cutting: handling metal sheets or 0.5 5 1 5 13 Cut proof gloves tor) packages102 Setup and adjustment (set- Human error / shear hazard: forgetting 8 1 1 1 8 ter / mechanic) to lock out the main power switch Normal operation (opera- Entanglement hazard: conveyors 0.5 5 1 1 2.5 Emergency stop tor) Setup and adjustment (set- Crushing hazard 2 1 1 0.5 1 Interlocked guards ter / mechanic) Table B.20: Automated plugging machine
  • Description of task or Description of hazard D F N L R Risk controls machine (person in risk) P E P O R H Setup and adjustment (set- Electricity: exposure to live voltage 15 1 1 2 30 Permit to work system ter / mechanic) Normal operation (opera- Crushing hazard: contact with moving 8 5 1 0.5 20 Interlocked guards tor) tool Setup and adjustment (set- Human error / shear hazard: no lock- 8 1 1 2 16103 ter / mechanic) able main switch, someone might turn the machine on Normal operation (opera- Slip / trip hazard: falling from upboard 1 5 1 1 5 tor) Normal operation (opera- Cutting: handling metal sheets or 0.5 5 1 1 2.5 Cut proof gloves tor) packages Table B.21: 175mm plugging machine, machine no. 365 (GWS-16tn)
  • Description of task or Description of hazard D F N L R Risk controls machine (person in risk) P E P O R H Setup and adjustment (set- Electricity: exposure to live voltage 15 1 1 2 30 Permit to work system ter / mechanic) Normal operation (opera- Crushing hazard: contact with moving 8 5 1 0.5 20 Interlocked guards tor) tool104 Setup and adjustment (set- Human error / shear hazard: no lock- 8 1 1 2 16 ter / mechanic) able main switch, someone might turn the machine on Normal operation (opera- Cutting: handling metal sheets or 0.5 5 1 1 2.5 Cut proof gloves tor) packages Table B.22: 285mm plugging machine, machine no. 642 (GWS-10tn)
  • Description of task or Description of hazard D F N L R Risk controls machine (person in risk) P E P O R H All tasks dealing with han- Cut wound 0.5 5 1 0.5 1.3 Cut proof gloves dling of metal sheets, waste strips, or unfinished prod- ucts (operator) 73 and 99 repress / feeding Pack of metal sheets toppling over due 8 4 1 1 32 The chains are inspected and replacing pack of sheets to chain rupture: at worst the amputa- during monthly mainte- (operator) tion of legs nance 73 and 99 repress / feeding Pack of metal sheets toppling over: at 8 4 1 0.5 16 73 cutter has a stopper and replacing pack of sheets worst the amputation of legs on its conveyor, and 99 (operator) cutter has a light curtain. The pack of sheets can-105 not be moved backwards down from the conveyor. Both represses have a limiter: the pack cannot be moved unless it is fully lowered 99 repress / feeding and re- Feet crushed under the elevator 8 4 1 0.5 16 Light curtains, control placing pack of sheets (op- panel outside the safe- erator) guarding 73 repress / feeding and re- Feet crushed under the elevator 8 4 1 2 64 Continuing the safe- placing pack of sheets (op- guarding to the erator) turntable, control panel outside the barrier, optical sensor Table B.23: 73mm/99mm can manufacturing line (CN02), 1 of 5
  • Description of task or Description of hazard D F N L R Risk controls machine (person in risk) P E P O R H 73 and 99 repress / interfer- Cut wound when handling metal sheets 0.5 2.5 1 2 2.5 Cut proof gloves ence situation (operator) (no moving parts when correcting the situation) 73 and 99 slitters / sharpen- Fingers fractured by hitting the blades 1 0.1 1 2 0.2 ing and drying the cutting blades (setter / mechanic) 73 and 99 slitters / adjust- Fingers fractured by hitting moving 1 2.5 1 0.5 1.3 A safeguard needs to be ment (setter / mechanic) parts opened for adjustment 73 and 99 slitters / remov- Ergonomic discomfort, employee 0.5 4 1 10 20 Pull-out drawers with ing scrap metal underneath bruised rolls in the bottom to106 (operator) be placed underneath the cutters 99 conveyor / clearing a jam A metal sheet might hit fingers when 1 2.5 1 0.5 1.3 A safeguard with limit (operator) operational switch needs to be opened to clear a jam 73 cutter output (operator) Fingers hit by a metal sheet 1 5 1 2 10 Electrifying the existing safety limit switch 73 scrap metal conveyor / Fingers hit by a metal sheet 1 5 1 2 10 clearing a jam (operator) 73 scrap metal conveyor / Hitting the switch by accident: the con- 0.5 5 1 2 5 clearing a jam (operator) veyor slowly descends on the employee Table B.24: 73mm/99mm can manufacturing line (CN02), 2 of 5
  • Description of task or Description of hazard D F N L R Risk controls machine (person in risk) P E P O R H Welding machine hole Cut wound 0.5 1.5 1 2 1.5 Cut proof gloves suction / removing metal sheets (operator) Welding machine sheet feed Hands fractured by falling part to be 1 2.5 1 0.5 1.3 A mechanical safety lever / removing metal sheets lifted prevents accidental de- (operator) clining Welding machine / clearing Amputation of fingers when machine 8 2.5 1 2 40 Welding machine guard- a jam (operator) starts unexpectedly ing similar to CN01107 Welding machine / adjust- Amputation of fingers when machine 8 2.5 1 5 100 Welding machine guard- ment (setter / mechanic) starts unexpectedly ing similar to CN01 Welding machine / inserting Amputation of fingers when hitting 8 1 1 2 16 welding wire (setter / me- drain chanic) Oven / sampling (operator) Burn 1 5 1 1 5 Oven / sampling (operator) Entanglement to moving parts 0.5 5 1 1 2.5 Upper conveyors / clearing Death by falling 15 2.5 1 1 38 Service platforms ok, ver- a jam, changing size (oper- tical ladder ator) Table B.25: 73mm/99mm can manufacturing line (CN02), 3 of 5
  • Description of task or Description of hazard D F N L R Risk controls machine (person in risk) P E P O R H Upper conveyors / clearing Amputation of fingers, falling when 8 2.5 1 5 100 1) Written instructions a jam, changing size (oper- conveyors start unexpectedly: welding to lock the conveyor main ator) machine and the conveyors are main- power switch when oper- tained simultaneously. Welding ma- ating in the upper level. chine feed won’t start if the conveyors 2) Safeguarding all gear- are not operational. wheels and chains Normal operation (opera- Cut or bruise from cans falling down 0.5 4 1 2 4 tor) from conveyors108 Cut-off machine 73 / jams, Amputation of fingers when machine 8 5 1 2 80 6 different machine safe- maintenance, adjustments starts unexpectedly guards, only two of them (operator / setter / me- have safety limit (to be chanic) fixed). The machine is used approx. once a year Cut-off machine 99 / jams, Amputation of fingers when machine 8 5 1 2 80 6 different machine safe- maintenance, adjustments starts unexpectedly guards, only two of them (operator / setter / me- have safety limit (to be chanic) fixed). The machine is used approx. once a year Table B.26: 73mm/99mm can manufacturing line (CN02), 4 of 5
  • Description of task or Description of hazard D F N L R Risk controls machine (person in risk) P E P O R H 73 flanging machine / Amputation of fingers when machine 8 1 1 0.5 4 Electrified guarding jams, maintenance, adjust- starts unexpectedly ment (operator / setter / mechanic) Beading machine / jams, Amputation of fingers when machine 8 1 1 0.5 4 Electrified guarding maintenance, adjustment starts unexpectedly (operator / setter / me- chanic) 99 end machine / jams, Amputation of fingers when machine 8 2.5 1 0.5 10 Safeguards, securing the109 maintenance, adjustment starts unexpectedly hole in the safety fence (operator / setter / me- chanic) 99 end feed (operator) Hands bruised at the conveyor 0.5 4 1 0.5 1 73 end machine / jams, Amputation of fingers when machine 8 2.5 1 0.5 10 Fixed guards maintenance, adjustment starts unexpectedly (operator / setter / me- chanic) 73 end feed (operator) Hands bruised at the conveyor 0.5 4 1 0.5 1 73 handling the ends at Hands bruised 0.5 4 1 1 2 Low fence but adequate feeding (operator) Table B.27: 73mm/99mm can manufacturing line (CN02), 5 of 5
  • Description of task or Description of hazard D F N L R Risk controls machine (person in risk) P E P O R H Normal operation (opera- Ejection hazard: loosening of the work- 2 5 1 2 20 PPE, adjustable guards tor) piece Normal operation (opera- Ejection hazard: Flying chips and 8 5 1 0.5 20 PPE, adjustable guards tor) swarf Normal operation (opera- Ejection hazard: drill bit is cut off or it 2 5 1 2 20 PPE, adjustable guards110 tor) gets loose Normal operation (opera- Entanglement of hair, clothes, jewelley 2 5 1 2 20 Adjustable guards tor) etc. Normal operation (opera- Ejection hazard: drill chuck is not re- 2 4 1 2 16 Emergency stop, opera- tor) moved prior to using the machine tor training Normal operation (opera- Hands damaged by moving tool 1 5 1 2 10 tor) Table B.28: Pillar drill
  • Description of task or Description of hazard D F N L R Risk controls machine (person in risk) P E P O R H Normal operation (opera- Human error: concentration breaking 2 5 1 2 20 tor) resulting in an accident Normal operation (opera- Ejection hazard: loosening of the work- 8 5 1 0.5 20 PPE, adjustable guards tor) piece111 Normal operation (opera- Ejection hazard: Flying chips and 8 5 1 0.5 20 PPE, adjustable guards tor) swarf Normal operation (opera- Entanglement of hair, clothes, jewelley 2 5 1 2 20 Adjustable guards tor) etc. Normal operation (opera- Ejection hazard: drill chuck is not re- 2 4 1 2 16 Emergency stop, opera- tor) moved prior to using the machine tor training Table B.29: Milling machine
  • Description of task or Description of hazard D F N L R Risk controls machine (person in risk) P E P O R H Normal operation (opera- Ejection hazard: Flying chips and 8 5 1 0.5 20 PPE, adjustable guards tor) swarf Normal operation (opera- Ejection hazard: loosening of the work- 8 5 1 0.5 20 PPE, adjustable guards tor) piece112 Normal operation (opera- Entanglement of hair, clothes, jewelley 2 5 1 2 20 Operator training tor) etc. Normal operation (opera- Hands severed by moving blade 8 5 1 0.5 20 Fixed guards tor) Normal operation (opera- Cutting: hands severed by sharp work 0.5 5 1 2 5 PPE tor) piece edges Table B.30: Bandsaw
  • Description of task or Description of hazard D F N L R Risk controls machine (person in risk) P E P O R H Normal operation (opera- Human error: concentration breaks re- 2 5 1 2 20 tor) sulting in mishap Normal operation (opera- Ejection hazard: Flying chips and 8 5 1 0.5 20 PPE, adjustable guards tor) swarf Normal operation (opera- Ejection hazard: loosening of the work- 8 5 1 0.5 20 PPE, adjustable guards tor) piece Normal operation (opera- Entanglement of hair, clothes, jewelley 2 5 1 2 20 Adjustable guards tor) etc. Normal operation (opera- Ejection hazard: drill chuck is not re- 2 4 1 2 16 Emergency stop, opera- tor) moved prior to using the machine tor training Starting new work (opera- Inadequate training: If the operator 2 4 1 2 16 Operator training113 tor) has no previous experience on the type of the workpiece, supervisor should be consulted. Normal operation (opera- Cutting: using sharp tools 0.5 5 1 5 13 tor) Normal operation (opera- Hands damaged by moving workpiece 1 5 1 2 10 tor) Table B.31: Lathe
  • Description of task or Description of hazard D F N L R Risk controls machine (person in risk) P E P O R H Normal operation (opera- Ejection hazard: grinding wheel is dis- 8 5 1 0.5 20 Adjustable guards, PPE tor) integrated Normal operation (opera- Ejection hazard: magnetic chuck not 8 5 1 0.5 20 Adjustable guards, PPE tor) holding securely Normal operation (opera- Ejection hazard: flying chips and swarf 8 5 1 0.5 20 Adjustable guards, PPE tor)114 Normal operation (opera- Ejection hazard: taking too heavy a cut 8 5 1 0.5 20 Adjustable guards, PPE tor) results in magnetic chuck ejection Replacing grinding tool Ejection hazard: failure to balance the 8 1 1 2 16 Adjustable guards, PPE (setter / mechanic) wheel Normal operation (opera- Human error: running a wet wheel may 8 4 1 0.5 16 Safe system of work tor) cause the wheel to disintegrate Normal operation (opera- Hands damaged by moving wheel 1 5 1 2 10 tor) Table B.32: Grinding machine