2. The Plot
• Understanding the League of Justice
(aka OSHA, ANSI, NFPA)
• Introduction to our hero Risk Assessment
• ANSI vs. ISO
• Project Definition unmasked
• Risk Assessment – his powers revealed
(a.k.a the impenetrable risk assessment form)
• Your Powers and how to apply them
3. Question: In the title slide
what is the Risk Assessment
to save us from?
SUPER TRIVIA
Answer: The Evil Hazard
4. OSHA
• OSHA: Occupational Safety and Health Administration
– OSHA was created in 1971 under the Occupational Safety and Health
Act, which President Nixon signed into effect in December 1970.
– It falls under the Department of Labor of the National Government
– Its mission is to help employers and employees reduce on the job
injuries, illnesses and deaths.
• Who is required to comply?
– The OSH Act covers private sector employers/employees in the 50 states. That means us.
– The OSH Act covers employers and employees either directly through Federal OSHA or
through an OSHA-approved state program.
• Ohio does not have a state approved program hence Ohio falls under the Federal OSH
Act
• What am I complying with?
– Part 1910 otherwise known as the Occupational Safety and Health Standard
• There are actually 52 total standards covering everything from Implementing the
Privacy Act to Health and Safety Regulations for Longshoring.
5. Six Safety Powers of
OSHA
• Administrative Safety (strength)
– program development, emergency planning, safety audits…
• Facility Safety (x-ray eyes)
– confined spaces, Electrical Safety, ergonomics, fire safety…
• Exposure Control (bullet proof)
– asbestos safety, bloodborne pathogens, hazardous
materials…..
• Personal Protection (laser beam eyes)
– back safety, first aid, PPE, eye safety……
• Tools and Equipment (can fly)
– compressed gas, Machine Guarding, rigging, welding…
• Behavior and Attitude (Protects the Innocent)
– conflict resolution, drug and alcohol, fitness and wellness…
6. OSHA superpower
• General Duty Clause (Section 5(a)(1))
– requires that each employer “furnish … a place of employment which [is] free from recognized hazards that are causing or are likely to cause death or serious physical harm to their employees.”
(Reverse time)
7. NFPA a.k.a The Torch
• NFPA: National Fire Protection Association
– NFPA has been a worldwide leader in providing fire, electrical,
building, and life safety to the public since 1896
– Responsible for over 300 codes and standards that are designed
to minimize the risk and effects of fire.
– Most notable standards for Swagelok are
• NFPA 70 (N.E.C)
• NFPA 70E (Arc Flash)
• NFPA 79 (Electrical Standard for Industrial Machines)
8. Question: The Torch was a
member of what superhero
group?
SUPER TRIVIA
Answer: The Fantastic Four
9. ANSI a.k.a Professor X
• ANSI: The American National Standards Institute
– ANSI, itself, does not develop standards;
• it facilitates the development of standards by establishing
consensus among qualified groups written entirely by
volunteers.
• OSHA has adopted many ANSI and NFPA standards by
reference over the years
– ANSI and NFPA both deal with employee safety but in different
areas.
• NFPA is mainly electrical in nature
• ANSI is mainly safeguarding in nature
• What about standards that are not referenced?.....i.e., do we
have to respect the Green Lantern even though he doesn’t
live in the Westchester Mansion?
10. OSHA accepts the Green Lantern
• The NFPA 70E is NOT referenced within OSHA, so is it
enforceable?
• Swagelok enforces it as it is referenced in SI-12-056 – PPE
for HRC-0, 1
• SP-12-026 (Swagelok Electrical Policy) references SI-12-056
and states “For Swagelok associates, failure to adhere to
this electrical policy can result in disciplinary action, including
termination.”
• Section 29 CFR 1910.2(g) states that “National consensus standard” means “any standard or modification thereof which has been adopted and promulgated by a nationally recognized standards-producing organization [NFPA / ANSI / ISO] under procedures whereby it can be determined that persons interested and affected by the scope or provisions of the standard have reached substantial agreement on its adoption”.
11. So who wins DC or Marvel
I mean ANSI or NFPA
• There are important differences between OSHA and
ANSI / NFPA. It mainly has to do with technical scope.
– OSHA laws typically set out only a general framework,
procedure and/or set of standards to guard against a hazard.
– An ANSI / NFPA standard is consistent with the law but goes into much greater depth. It provides the technical, nuts-and-bolts details that the statutes leave out.
– ANSI / NFPA Standards also typically go much further than
the laws in protecting workers.
– You can think of OSHA as the statute or law and ANSI / NFPA
as the regulations or rules to follow that law.
• LOTO example
12. Question: What other NFPA
standard (already mentioned)
is not referenced by OSHA
Hint: It’s a prime number
SUPER TRIVIA
Answer: NFPA 79
13. Are all Villains (hazards)
created equal?
• Hazard Safety
– There are levels of Hazards
• Would you want the same safeguards to protect you from
Grumpy Bear as you would Galactus the ultimate Villain?
• Different machines inherently have different levels of
hazards to an employee and need to be guarded properly
to that level of hazard
• The levels are determined by the Risk Assessment
14. What is this Risk Assessment?
• The process by which the intended use of the machine, the tasks, the hazards and the level of risk are determined.
– ALL safety standards whether European or American require a risk assessment
• Without determining what a hazard is, how do you know how to protect against it and to what level of protection do you need?
15. OSHA likes destroying hazards
• 29 CFR 1910.132(d)(1)
– The employer shall assess the workplace to determine if hazards are
present, or are likely to be present, which necessitate the use of
personal protective equipment (PPE).
• 29 CFR 1910.132(d)(2)
– The employer shall verify that the required workplace hazard
assessment has been performed through a written certification
that identifies the workplace evaluated; the person certifying that the
evaluation has been performed; the date(s) of the hazard assessment;
and, which identifies the document as a certification of hazard
assessment.
• So what does this all mean?
16. Question: What would happen
to Bruce Banner when he
became angry?
SUPER TRIVIA
Answer: He would become the HULK
17. Does our hero Risk Assessment
have a twin?
• There are many different risk rating systems and NO
universally accepted solution.
– ANSI B11.TR3 / R15.06:1999 - US
– ISO 12100 / IEC 61508 parts 1-7 - European
• Some of the European and American standards
are being harmonized
• R15.06:2012 Robot Safety Standard (US) and
ISO10218:2010 (International Standard for Robot
Safety)
• ISO is the most widely recognized risk assessment procedure
20. Put on your underroos
• Machine suppliers and End Users have the
responsibility for defining and achieving acceptable
risk over the lifecycle of the machine
– Machine supplier is responsible for the design, construction
operation and initial maintenance procedures of the machine
– End User is responsible for the operation and ongoing
maintenance of the machine through decommissioning
• Lifecycle progression from concept through
decommissioning
Machine and Equipment Lifecycle Stages
– 1: Design Concept
– 2: Preliminary Design
– 3: Detailed Design
– 4: Build or Purchase
– 5: Commission (Install / Debug)
– 6: Production Maintenance
– 7: Decommission
21. Step 1 – Even Superheroes have limits
• Determine the limits of the machine
– Use limits determined by the INTENDED use of the machine,
production rates, cycle times, speeds, people involved….
• Space limits
– Range of movement, space requirements for installation,
maintenance and operator interface
• Time limits
– Maintenance and wear of tools, mechanical and electrical
components
• Environmental limits
– Temperature, humidity, noise, location
• Interface limits
– Other machines or auxiliary equipment
22. Step 2 – The task at hand
• All tasks of the machine should be identified
• Remember to consider the entire lifecycle of the machine
– System install
– Start up / commissioning
– Setup
– Operation
– Tool Change
– Planned maintenance
– Unplanned maintenance
– Recovery from control failures, jams
– Decommissioning
23. Question: What was Batman’s
secret identity?
SUPER TRIVIA
Answer: Bruce Wayne
24. Step 3 – Identify the Risk
• Risk (related to the considered hazard) is a function of
– Severity (that results from the hazard)
with
– Frequency of occurrence
and
– Probability of avoidance
25. Step 4 – Reduce that Risk
• If the level of risk is not acceptable, risk reduction
measures shall be implemented to reduce that
risk
• Risks shall be reduced using the hazard control
hierarchy
– We’ll get to this in a bit
• Risks can be reduced by
– Reducing the potential severity of harm presented by the
hazard
– Improving the possibility of avoiding the harm
– Reducing the need for access to the hazard zone
26. Hazardous Control Hierarchy
(Protective measures listed from Most Preferred to Least Preferred)
• Elimination or Substitution (Design Out)
– Example: Robots and conveyors; Redesign the process
– Influence on Risk Classification: Impact on overall risk (elimination); May affect severity of harm
• Guards and Safeguards (Engineering Controls)
– Example: Barriers; Interlocks; Presence sensing devices; Two hand controls
– Influence on Risk Classification: Greatest impact on the probability of harm (occurrence of hazardous events under certain circumstances); Minimal if any impact on severity of harm
• Awareness Devices (Administrative Controls)
– Example: Lights and beacons; Computer warnings; Signs and labels
– Influence on Risk Classification: Potential impact on probability of harm (avoidance); No impact on severity of harm
• Training and procedures (Administrative Controls)
– Example: Safe work procedures; Lockout / Tagout (LOTO)
– Influence on Risk Classification: Potential impact on probability of harm (avoidance and/or exposure); No impact on severity of harm
• Personal Protection Equipment (PPE) (Administrative Controls)
– Example: Safety glasses; Ear plugs; Gloves; Protective footwear
– Influence on Risk Classification: Potential impact on probability of harm (avoidance); No impact on severity of harm
27. Question: How did Spiderman
get his powers
SUPER TRIVIA
Answer: He was bit by a
radioactive spider
28. Step 5 – Assess Residual Risk
• When risk reduction measures have been
selected, the residual risk shall be assessed.
• This process follows the same procedures as the
initial risk
• The incentive to defeat or circumvent risk
reduction measures shall be considered when
validating risk reduction measures
– Prevents the task from being performed
– It slows down production
– The hazard is not recognized by associates as a
hazard
– The risk reduction measure is not accepted as
suitable, necessary or appropriate for its function.
29. Step 6 – Achieve Acceptable Risk
• Once the residual risk has been established for
each hazard, a decision shall be made to accept
the residual risk or further reduce it.
• High Residual Risk – only acceptable when all
reasonable alternatives/options have been
reviewed and formally deemed impracticable or
infeasible
• Medium Residual Risk – Undesirable but
permissible only when all reasonable alternatives
have been formally deemed infeasible
• Low Residual Risk – Usually acceptable
• Negligible Residual Risk - Acceptable
30. Step 7 – Validate solution
• After the risk reduction measures have been
implemented, their effectiveness shall be validated
– Testing and verifying operation of safety devices
– Review of training
– Presence of warning labels preferably scratch n’ sniff
– Presence of lockout procedures and safe job procedures
– Functioning of complementary equipment
• I shouldn’t even have to say this but, the testing of
the safeguarding measures shall not expose an
individual to potential harm should the safeguard
not provide the protection expected.
– There I said it
31. Step 8 – Time to document
• The outcome of a risk assessment
shall be documented
• The documentation shall demonstrate
– The procedures that were followed
– The hazard identified
– The risk reduction methods employed to
reduce the risk to an acceptable level
32. Question: How many
superheroes’ secret identities have
a first name of Bruce
SUPER TRIVIA
Answer: 2
Bruce Wayne and Bruce Banner
40. Flowcharts are like kryptonite to Superman
• Set Limits of the assessment (1)
• Identify Tasks and Hazards (2)
• Assess Initial Risk (3), using the Risk Scoring System
• Reduce Risk (4), using the Hazard Control Hierarchy
• Assess Residual Risk (5), using the Risk Scoring System
• Residual Risk Accepted? (6)
– YES: Validate Solution (7), then Results Documented (8)
– NO: further reduce the risk (4)
41. Question: What is Green
Lantern’s weakness?
SUPER TRIVIA
Answer: The color Yellow
42. B11.0.TR3 Risk Assessment Matrix
(Rows: Probability of Occurrence; columns: Severity of Harm)
Probability of Occurrence | Catastrophic | Serious | Moderate | Minor
Very Likely | High | High | High | Medium
Likely | High | High | Medium | Low
Unlikely | Medium | Medium | Low | Negligible
Remote | Low | Low | Negligible | Negligible
• In this model the risk terms are correlated to
the level of risk reduction required.
– Risk - The combination of the probability of occurrence of harm and
the severity of that harm
43. Probability of Occurrence
• It is estimated by taking into account the
frequency, duration, extent of exposure,
training and awareness.
• Very Likely – near certain to occur
• Likely – may occur
• Unlikely – not likely to occur
• Remote – so unlikely as to be near zero
• Remember when estimating the probability
the highest credible level of probability is to
be selected
44. Severity of Harm
• Catastrophic – death or permanently
disabling injury
– unable to return to work
• Serious – severe debilitating injury or
illness
– able to return to work at some point
• Moderate – significant injury or illness
– requires more than first aid
• Minor – no injury or slight injury requiring
no more than first aid.
45. Risk Reduction Architecture
• High
– Dual channel with continuous monitoring
• Medium
– Redundancy with self checking upon startup
• Low
– Redundancy that may be manually checked
• Negligible
– Physical barriers, electrical devices using a single
channel non-safety rated components
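Added example (not part of the original slides): the slide 42 matrix, the highest-credible-probability rule from slide 43, the slide 26 influence rules and the Step 6 acceptance levels combined into one check of a risk assessment entry. The function names, the measure keys and the pinch-point hazard are constructed for illustration; treating “minimal if any” impact on severity as none, treating Low as acceptable, and selecting the architecture from the initial risk term are assumptions.

```python
# Added example: constructed hazard data, hypothetical function and key names.
SEVERITY = ("Catastrophic", "Serious", "Moderate", "Minor")    # matrix column order
PROBABILITY = ("Remote", "Unlikely", "Likely", "Very Likely")  # ascending

# Slide 42 matrix, one row per probability, columns in SEVERITY order.
MATRIX = {
    "Very Likely": ("High", "High", "High", "Medium"),
    "Likely": ("High", "High", "Medium", "Low"),
    "Unlikely": ("Medium", "Medium", "Low", "Negligible"),
    "Remote": ("Low", "Low", "Negligible", "Negligible"),
}

# Slide 45: architecture listed for each risk term.
ARCHITECTURE = {
    "High": "Dual channel with continuous monitoring",
    "Medium": "Redundancy with self checking upon startup",
    "Low": "Redundancy that may be manually checked",
    "Negligible": "Physical barriers, electrical devices using a single "
                  "channel non-safety rated components",
}

# Slide 26: which risk factor each protective measure may change.
# Assumption: "minimal if any" impact on severity is treated as none.
MAY_CHANGE = {
    "elimination_or_substitution": {"severity", "probability"},
    "guards_and_safeguards": {"probability"},
    "awareness_devices": {"probability"},
    "training_and_procedures": {"probability"},
    "ppe": {"probability"},
}


def risk_level(severity, probability_estimates):
    """Score one hazard, using the highest credible probability (slide 43)."""
    worst = max(probability_estimates, key=PROBABILITY.index)
    return MATRIX[worst][SEVERITY.index(severity)]


def residual_risk(initial_severity, measure, claimed_severity, claimed_probability):
    """Re-score after a measure (step 5); reject a severity claim slide 26 rules out."""
    if claimed_severity != initial_severity and "severity" not in MAY_CHANGE[measure]:
        raise ValueError(f"{measure}: no impact on severity of harm")
    return risk_level(claimed_severity, [claimed_probability])


def acceptable(level, alternatives_formally_infeasible=False):
    """Step 6: High and Medium need a formal finding that alternatives are infeasible."""
    if level in ("High", "Medium"):
        return alternatives_formally_infeasible
    return True  # assumption: "usually acceptable" (Low) is treated as acceptable


def assess(severity, probability_estimates, measure, claimed_severity, claimed_probability):
    """Steps 3 to 6 for one hazard, returned as a record for the documentation step."""
    initial = risk_level(severity, probability_estimates)
    residual = residual_risk(severity, measure, claimed_severity, claimed_probability)
    return {"initial": initial, "architecture": ARCHITECTURE[initial],
            "residual": residual, "accepted": acceptable(residual)}


if __name__ == "__main__":
    # Constructed hazard: pinch point, two assessors disagree on probability.
    print(assess("Serious", ["Unlikely", "Likely"], "guards_and_safeguards", "Serious", "Remote"))
```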
47. R15.06 (1999) Risk Assessment Matrix
• The new standard (not yet released) has been harmonized with ISO10218, which has standardized on the ISO 12100 Risk Assessment methodology and utilizes PL values based on the ISO 13849-1 standard
Severity of Injury | Exposure | Avoidance | Risk Reduction
S2 Serious Injury | E2 Frequent | A2 Not Likely | R1
S2 Serious Injury | E2 Frequent | A1 Likely | R2A
S2 Serious Injury | E1 Infrequent | A2 Not Likely | R2B
S2 Serious Injury | E1 Infrequent | A1 Likely | R2B
S1 Slight Injury | E2 Frequent | A2 Not Likely | R2C
S1 Slight Injury | E2 Frequent | A1 Likely | R3A
S1 Slight Injury | E1 Infrequent | A2 Not Likely | R3B
S1 Slight Injury | E1 Infrequent | A1 Likely | R4
48. Severity / Frequency / Avoidance
• Severity
– S1 – Slight injury – Normally reversible or
requires only first aid as defined in OSHA
1904.12
– S2 – Serious Injury – Normally irreversible or
fatal or requires more than first aid as
defined in OSHA 1904.12
49. Severity / Frequency / Avoidance
• Exposure
– E1 – Infrequent – Less than once per
hour
– E2 – Frequent – More than once per
hour
• Avoidance
– A1 – Likely – Can move out of the way,
or sufficient warning / reaction time or
robot speed is less than 250mm/sec
– A2 – Not Likely – Cannot move out of
the way, or inadequate reaction time or
robot speed greater than 25mm/sec
50. R15.06 Safety Category
Category | Safeguard Performance | Circuit Performance
R1 | Hazard elimination or hazard substitution | Control reliable
R2A | Engineering controls preventing access to the hazard or stopping the hazard, e.g. interlocked barrier guards, light curtains | Control reliable
R2B | | Single Channel with monitoring
R2C | | Single Channel
R3A | Non-interlocked barriers, clearance procedures and equipment | Single channel
R3B | | Simple
R4 | Awareness means | Simple
51. Control Reliable R1/R2
• Control Reliable: Safety circuitry shall be
designed, constructed and applied such
that a single fault shall not lead to the loss
of the safety function.
– R1 is dual channel circuitry with continuous
monitoring of the safety function and will detect
a fault and stop machine function in a safe
manner
– R2A is dual channel circuitry that will check the
safety function at machine start-up and
periodically during operation. If a fault is
detected a stop signal will be generated
53. ISO 13849 Risk Assessment Matrix
[Figure: risk graph selecting Categories B, 1, 2, 3, 4 from Severity (S1, S2), Frequency (F1, F2) and Avoidance (P1, P2). Legend: Possible Category; Preferred Category; Over-dimensioned for risk]
54. Severity / Frequency / Avoidance
• Severity
– S1 – Slight injury – Normally reversible
– S2 – Serious Injury – Normally irreversible
or fatal
• Frequency
– F1 – Infrequent – Less than once per hour
– F2 – Frequent – More than once per hour
• Avoidance
– P1 – Likely – Can move out of the way, or
sufficient warning
– P2 – Not Likely – Cannot move out of the
way, or inadequate reaction time
55. CATEGORY B
• Fault can lead to the loss of the safety
function
• Basic components can be used
• Proper engineering practices
– i.e. wiring, placement of parts…..
56. CATEGORY 1
• The same requirements as those of
Category B apply plus the following
• Well tried components
• Design with past success (industry
standard)
• Made and verified using principles
which demonstrate its suitability and
reliability for the safety-related
application
57. Question: What was the name
of Green Hornet’s car
SUPER TRIVIA
Answer: Black Beauty
58. CATEGORY 2
• The same requirements as those of
Category B apply plus the following
• Well tried components
• Safety functions are checked at
startup and suitable intervals
59. CATEGORY 3
• The same requirements as those of
Category B apply plus the following
• Well tried components
• Safety functions are checked at
startup and suitable intervals
• Single fault does not lead to the loss
of the safety function
• Dual channel
60. CATEGORY 4
• The same requirements as those of
Category B apply plus the following
• Well tried components
• Automatic safety function detection
• Single fault does not lead to the loss
of the safety function
• Dual channel
• Diagnostic Coverage is High
61. The Mega Graph
Risk Reduction System Architecture
ANSI B11.TR6 (ISO 13849-1:1999) | ANSI B11.0 | RIA R15.06 / CSA Z434 | ISO 13849-1 (1999) | IEC 61508 SIL | ISO 13849-1 (2006) PL
Requirement B shall apply. Single fault immediately detected and accumulation of undetected faults shall not lead to loss of safety function | High: Redundant with continuous monitoring | R1/R2A (control reliable) | 4 | 3 | e
Requirement B shall apply. Single safety fault shall be detected on subsequent demand of system | Intermediate: Redundant with self checking at start-up | R2A/R2B (control reliable) SC w/monitoring | 3 | 3 to 2 | b, c or d
Requirement B shall apply. Single fault of safety parts shall not lead to a loss of safety function | Low: Redundant with manual monitoring | R2B / R2C SC w/manual monitoring | 2 | 2 to 1 | a, b, c or d
Requirement B shall apply. Well tried and true components and safety principles shall be used | Lowest: Single Channel | R3A Single channel | 1 | 0 | b or c
SRP/CS and or their protective equipment as well as their components designed to withstand expected influence | | R3B / R4 simple | B | | a or b