Do you struggle with risk assessment? Safety in machinery is a very important, but often under taught area full of complicated terms from the ISO 12100 standard. This article will take you through a risk assessment example by using procedures and methods from ISO 12100 and the old ISO 14121-2.

Risk assessment is a way of finding risks and hazards in your machine design. All machine designers have to make sure their machines are safe for humans to operate. Eventually, it is our responsibility to find all the risks and then eliminate those risks.

Here’s an overview:

Standard Procedure for Risk Assessment

All this talk about risk assessment and risk reduction can sound a bit theoretical and far away from the actual machines. This is especially due to the standards describing the principles of risk assessment and risk reduction. They are written in a language most people never use. But on the other hand; the standards can help you a lot.

But what is a standard really?

A standard is a way of following the law. A practical way of following the law. Because laws are not very specific.

Take for example the Machine Directive. The Machine Directive is a common template that each country in Europe has to implement as a law. But the MD does not tell you anything about how you should assess and reduce risks. It only tells you that you should do it, in order to legally sell your machine in Europe.

Follow the Standard – Follow the Law

That is why we have standards. Standards are written to describe a practical way of following the law.

One of these standards describe how you can assess and reduce risks in machines. By following the standard you will have a solid procedure for risk assessment and risk reduction in your machine design.

The most well known standard is the ISO 14121. That standard has been withdrawn and merged with the ISO 12100. But the principles of risk assessment from the old standard still lives in the new one:

ISO 12100 Safety of Machinery – General Principles for Design

In this standard the use of special terminology is intense. It can be hard to connect the methods and procedures to the real world, when you are reading in this standard. In the end, your machine should be as safe as possible whether it includes safeguarding, safety relays etc.

That’s why I will do this as an example. A risk assessment example with different methods and hazard examples.

Risk Assessment Definition

Let me first outline the principles for risk assessment as they are described in the standards.

The principles are a series of logical steps. A flow diagram you can follow, until you’ve assessed all the risks involved in your machine. This series of logical steps is the procedure for risk assessment.

Here’s how the risk assessment procedure looks like:

As you can see the process is divided into 5 steps.

In these steps you will assess and evaluate the risks and dangerous situations that can arise when operating the machine – or actually in the whole life cycle of the machine. Each step will help you not only finding those risks, but also estimate and evaluate them, to see how dangerous they are. Or said in another way; how much harm they can do.

What is a Risk?

Let me first point out what a risk is and how it is defined in the ISO 12100 standard. This is how the standard defines risks:

“combination of the probability of occurrence of harm and the severity of that harm”

And by harm they mean physical injury or damage to health. When we talk about risks, we talk about not only the chances of people getting injured or damaged to their health, but also how severe these injures and health issues can be.

Risk Assessment Process

Let’s me walk you through the 5 steps of risk assessment, by applying them to this machine example:

1. Determination of the Limits of Machinery

The first step is for you to determine the limits of your machine. You have to establish the limits of the risks involved in the operation of your machine. These limits can be divided into 3 different types of limits:

Limits of Use

Limits of Space

Limits of Time

Limits of Use

So what does it mean that you should find the limits of use? It means that you should describe both the normal use of the machine and the potential misuse of the machine. This is called limits because it is here you find out where you should focus on safety and where not to. You are looking for the limits of your machine in terms of use, space and time.

Describe the people using your machine

An important thing you also want to include in the limits of use is the people involved in the machine. This includes operators, employees and other people where chances are they will use the machine.

What you include here is a relevant description of these people. For how long will they use the machine? And with what materials (eg. paper in a printing press)? How competent are they? Experience? Age? Gender?

Here, you should focus on relevant information that relates to the use and misuse of your machine. For example, by describing the experience of the operator, you will have a better chance of understanding how he will understand the machine. If you have a machine dealing with advanced technology, the operator might not always understand how the machine does what is does. When you know about these things you can build a much safer machine, because you are making it safe for the operator.

Limits of Space

Next step is to determine the limits of space. This is the physical limits of your machine. Meaning how much space it will take up, and how much space is needed for operation and maintenance.

One very important aspect of the space limits are the range of movements. If your machine has movable parts you have to determine the space they take up, also called range of movements. A good example of this could be a robot arm. How much space does it take up to move around?

Limits of Time

The last type of limits you have to determine is the limits over time. What is the expected life time of this machine? Over time your machine will wear out. This is important to describe to have estimates over how long different parts of the machine are expected to last.

Maintenance intervals and cleaning has to be considered here too. You want to describe the life cycle of your machine. From design to installation, use, maintenance to disposal at the end.

2. Hazard Identification

When you have determined the limits of your machine, the next step is to identify the hazards. A hazard is a potential source of harm.

This step is not just crucial. It the probably the most important step in the process of risk assessment. The obvious reason for this is that in this step, you have to identify all the dangerous situations that can arise. It is absolutely necessary that all hazardous situations and events are described here. If you miss something here, you will also miss it in the following steps, where you have to eliminate or reduce the dangers.

Hazards can be a lot of different things. To help you along the standard provides you with a list of hazard examples divided into groups according to their type:

While some of these hazards are obvious to machine designers and machine builders, some of them requires special knowledge. As an example, noise hazards require knowledge about the human body and how noise can be a hazard when it reaches a certain level. The same is true for material an substance hazards. You need to know what substances that can be a possible hazard.

Hazard and Harm

Remember that hazards are a potential source of harm – physical injury or damage to health. Harm can be a lot of things. Even a combination of these things. Heat and flammable substances together can be a very likely source of harm.

When you describe a hazard you want to include both the origin (what causes the hazard) and the potential consequences (the harm it can make). A rotating knife is the origin of a potential hazard and cutting is the potential consequence.

Using Limits to Look for Hazards

At last, you should also keep in mind that you are not just looking for hazards for the machine operator. You are looking for hazards to anyone that could possibly be using the machine. All these people where described in the first step where you determined the limits of machinery.

The scope for your hazard identification is exactly those limits you defined in the first step of risk assessment. When you identify hazards you should use the limits to define where you are searching for hazards. If cleaning personnel is in your machine’s limits of use, then you should also look for hazards from those peoples perspective.

Hazard Examples

Let me give some examples of the different types of hazards described in the ISO standard. Please note that these are just examples and there are many other hazards. You can find the full list in either the old ISO 14121-1 or the new ISO 12100 standard.

Mechanical Hazards

Cutting, crushing, shearing and much more. Mechanical hazards cover all hazards caused by mechanical parts of the machine. This includes everything from sharp edges to rotating and moving parts. A typical example of a mechanical hazard would be the pitch point of two gears. Free access to a running gear would be a hazard to consider.

Electrical Hazards

All hazards that involve electrical parts of the machine is an electrical hazard. Electrocution, arcs and thermal radiation are the obvious hazards here. But electrical hazards isn’t only the electricity being the direct hazard. Electrical hazards also includes parts that become live under fault conditions, overload, short-circuits and other hazards where the electricity is the indirect source of the hazard. If a part becomes live under fault conditions it won’t be the electricity that will cause harm, but rather the live part (typically moving or rotating when the part is not supposed to).

By following standards like IEC 60204-1 or the American NFPA 79 standards for electrical machine safety when you are building machines, you will automatically take care of many of these hazards. The standards describes safety requirements for electrical machines. As an example, the IEC 60204-1 describes different stop categories which are different ways of stopping a machine. Sometimes you need to stop the machine by cutting the power to the live parts. But sometimes you need to decelerate, break or even keep some parts live during a stop to avoid hazards.

Thermal Hazards

This is where it gets either very hot or very cold. Explosions, flames, parts with high or low temperature and radiation from heat sources are the thermal hazards. The harm caused by these hazards can be everything from discomfort to serious burns, dehydration and radiation injuries.

Noise Hazards

Noise can also be a potential hazard. Sources of noise can be a lot of different things. Some typical examples of noise hazards can be pneumatic whistling, unbalanced rotating parts and scraping surfaces. Even the manufacturing process the machine itself does can be a noise hazard.

Vibration Hazards

Most people don’t think about it but vibrations can be a serious hazard. Especially if someone is exposed to vibration over a longer period of time. For the machine itself vibrations can be a hazard because bolts and other parts can go loose. But vibrations can also be a hazard for the operator since vibrations can harm humans.

Radiation Hazards

Including in radiation hazards are all types of radiation that involves a danger for humans. Ionizing radiation has the power to damage human tissue since it removes electrons from atoms. This can for example be radioactive radiation in form of X-rays, alpha, beta and gamma rays. WHO describes very well how ionizing radiation can be a hazard.

Material/substance Hazards

A lot of substances can be a possible risk. They can be both a short-term risk and a long-term risk. Regarding the machine everyone who are exposed to those substances are at risk and therefore the substances are considered a hazard.

These substances and materials can take many forms. Liquids, gasses, solids, fumes etc. We’re of course not talking about all types of substances, but only those who can cause harm to the human body when exposed. This can happen by skin contact, ingestion or inhalation.

Examples of material/substance hazards can be fumes from welding processes, oils and greases, acid and solvents.

Ergonomic Hazards

Ergonomic hazards is all about the well being of people. Can the working positions and procedures cause a risk?

Like all the other hazards the ergonomic hazards can be both short-term and long-term and be more or less severe.

To identify these hazards can be tricky. Because a working position that might seem okay could potentially be a risk on the long-term. Heavy lifting, repetitive movement or even looking for too long at a screen can all the ergonomic hazards and should be considered in the risk estimation.

Hazards associated with environment in which the machine is used

You will always put your machine in some sort of environment. Whether if it’s in a factory hall, outdoors or somewhere else you have to consider the hazards that the environment produces. If you have a machine working outdoors it could be the terrain.

Combination of Hazards

The last type of hazards described can be a little tricky and often overseen. Because this is not one thing only that makes the hazard, but rather multiple factors or a combination of hazards. One example of this is if you have a machine that produces some sort of flammable gas, but at the same time uses heating or even fire.

Methods for Identifying Hazards

When you are trying to identify the hazards it can be pretty overwhelming. The amount of possible hazards can reach a level, where you would need some sort of system to order them.

Some of the hazards can also be “hidden”. This means that they are not hazards until the machine or a part of the machine fails. What if you had a broken wire that could possible lead to a stop button not working? I’ve described that situation in another article about why you should use normally closed contacts for stop buttons. And that is just one example out of many “hidden” hazards that could arise with the use of your machine.

Another aspect of using a standard method or system for identifying hazards is the teamwork. You won’t be designing a machine alone (unless it’s a very small one). In fact, it is most likely that you will design machines in teams with other people.

When several people are working on a machine, and especially during the risk assessment, it is very important that you all work using the same method. By using a method for identifying hazards and failures with a fixed terminology, everyone on the team will understand and treat hazards in the same way. With a method, you can avoid misunderstandings and improve the communication among the team.

Hazard and Operability Study

A commonly used method for identifying hazards is the hazard and operability study or HAZOP.

Failure Mode and Effects Analysis

Another example of a method for identifying hazards and failures are the failure mode and effects analysis or just FMEA. This is one of the methods used to find those “hidden” hazards which arise from machine failures.

The FMEA is a technique for failure analysis. With the FMEA you can identify mechanical, electrical and software weaknesses and other items that are likely to fail. You then use the FMEA to describe the necessary actions to eliminate the weaknesses.

Usually the FMEA is a spreadsheet with fields to describe and analyze the different failure modes. This is how an FMEA typically looks like:

FMEA Terminology

With the FMEA comes a terminology too. Terms are defined clearly with a small description of their meaning. By doing so, there will be consistency among everyone working with the FMEA. Here are some examples of basic terms used in FMEA’s:

Failure

The loss of a function under stated conditions. Failure mode

The specific manner or way by which a failure occurs in terms of failure of the item (being a part or (sub) system) function under investigation; it may generally describe the way the failure occurs. Failure mode shall at least clearly describe a (end) failure state of the item (or function in case of a Functional FMEA) under consideration. It is the result of the failure mechanism (cause of the failure mode). For example; a fully fractured axle, a deformed axle or a fully open or fully closed electrical contact are each a separate failure mode. Source: Wikipedia

Defining words such as failure and failure mode won’t do the job alone. The whole team has to be encouraged to use the terminology. When someone is using their own terminology a lot of misunderstanding can suddenly arise. And since we are dealing with safety on machines, misunderstandings can be fatal.

Failures and Failure Modes

Not only is the terminology defined. The method for analyzing each potential failure mode is also predefined. All failure modes are analyzed equally. Each time a new potential failure mode is discovered, the same fields has to be filled out and the failure mode has to be analyzed by the same parameters.

What the FMEA also offers is partly the next two steps in risk assessment. As the next two steps in risk assessment are risk estimation and evaluation, these are both done in the FMEA too. But let me point out that both risk estimation and risk evaluation should be done with care. First of all because these two step extremely important, but also because hazard identification is often done with more than just the FMEA. A fault tree analysis is often used as another method for analyzing failures and failure modes.

The two next steps are analysis of the identified hazards. In these steps you will be working with probability and possible harm (severity), just like in the FMEA. But as you most likely will identify hazards with more than just the FMEA, you will also have to estimate risks found by other means than the FMEA to get all risks estimated.

3. Risk Estimation

The next step after you have found the risks is to estimate those risks. Remember, that risk assessment is often an iterative process. New risks can still be found in this step, and will often become visible when you are estimating other risks.

You might wonder what risk estimation really is, and at first it can seem a little confusing. There are many ways to do it and a lot of terminology attached to it. But the overall objective in this step is to analyze the risks and find out how “serious” they are. You have to estimate how severe the hazards are, and how often they are likely to appear as risks.

Probability and Severity

If you look under risk estimation in the standard you will find these two elements described as:

Severity of harm Probability of occurrence of harm

Another element is also mentioned, probability of occurrence of cumulative harm. This forces you look at a hazardous situation over time. Some can lead to harm due to cumulative exposure. In fact, the last one is made up by several elements like the frequency of exposure, the probability of occurrence of a hazardous event and the possibility of eliminating or limiting the harm.

Methods of Risk Estimation

Risk estimation can be done using different methods. The standard presents three different types of methods. It’s important to have a common method when you and/or your team is estimating risks. This is to make sure that the risks are estimated equally. A study has shown that parameters, architecture etc. can have a significant influence on the estimated risk.

With that said, the chosen method itself is not important. It is the process of risk estimation that is important.

Risk Matrix

Risk Graph

Numerical Scoring

Most risk estimation tools consists of one or more of the above types. You can also use a different type. But always keep in mind that you at least have to take the two elements (severity and probability of harm) into consideration.

Risk Matrix

A risk matrix is a multidimensional table with up to four dimensions. It is fairly intuitive and therefore also a widely used technique. Each of the parameters or dimensions are divided into levels. As an example from the standard, severity of harm can be minor, moderate, serious or catastrophic. You can also divide into your own levels as long as all the levels are clearly defined.

Catastrophic is defined as following:

“death or permanent disabling injury or illness (unable to return to work)” Source: ISO 14121-2

The risk matrix itself is a visual table, often colored to illustrate the risk level. Just like the levels of the parameters, the risks are also divided into levels. They are typically high, medium, low and negligible but you can also define your own.

Here’s what a typical risk matrix looks like:

Risk Graph

Another visual tool for estimating risks is the risk graph. Here the visual tool is a graph also known as a decision tree. It is made up by nodes connected as branches to other nodes. Each branch represents a decision. In a risk graph the decisions are levels of the parameters (e.g. catastrophic, moderate, minor). The nodes represent the parameters. If you have experience in determining the required performance level or SIL you probably have seen a risk graph before.

Let’s take a look at an example of a risk graph tool. In my experience, the best way to learn about something is to look at examples.

All the derived risk levels from 1-6 now corresponds with the risk levels high, medium and low.

Numerical Scoring

The last type of risk estimation method is done with numerical scoring of the parameters. Instead of qualitative terms as used in risk graphs and matrices, numerical values are used.

At first you might think that numerical values are a more objective way of estimating risk levels than qualitative terms like moderate, serious etc. But in fact, doing so is also a subjective process. At the end, the numerical values are often grouped and translated into qualitative terms.

All parameters are divided into scores or numerical values. The interval these numbers are within is up to you. In the standard you will find an example with an interval of numerical values from 0 to 100. If you take a closer look at the example you will see that, in the translation from qualitative terms to numerical values, each qualitative term doesn’t represent equally sized intervals.

Here’s how the severity parameter is divided into a severity score (SS):

Catastrophic = 100 Serious = 90-99 Moderate = 30-89 Minor = 0-29

The same is true for the probability of harm parameter, which here is divided into a probability score (PS):

Very likely = 100 Likely = 70-99 Unlikely = 30-69 Remote = 0-29

After the numerical values (scores) for the parameters of the risk are found you can calculate the risk score (RS). This is often done by summing up the scores:

RS = SS + PS

You and your team can then interpret the risk score by using e.g. a table or another way of translating the score into a qualitative term.

High 160+ Medium 120-159 Low 90-119 Negligible 0-89

As I said before, it is the process of risk reduction and not whether you’re using numerical values or qualitative terms that is important. How you and your team interprets the risk level or score and what actions you take is what matters. This naturally leads us to the next step in the risk assessment process – risk evaluation.

4. Risk Evaluation

This step is, as the name indicates, all about evaluating the risks you found and estimated previously. It is a critical step in the process, because it is here we decide which actions we need to take to reduce those risks. If we need to take any actions at all. From the previous step we learned that a risk can be negligible (risk score from 0-89). If a risk is negligible it is not always necessary to try to reduce the risk.

Risk reduction has two main objectives:

To decide if a hazardous situation require further risk reduction To determine if risk reduction has introduced new hazards or increased other risks

First objective is to decide which actions to take in order to reduce risks. But we also need to make sure these actions doesn’t increase risks in other places, or even introduce new risks. It is here the whole idea about the iterative process comes into the picture. Risk evaluation should be done over and over again until the two objectives are reached. For high risks it can be useful to make a more detailed risk estimation.

After risk reduction it is necessary to evaluate risks again. If further risks are introduced you will need to go back and estimate those risks. In fact, for each hazard, hazardous situation, under each condition of use you will have to go through the whole risk reduction process.

5. Is the Machine Safe?

At each iteration of this last step the question should be asked. More precisely this question should be asked:

Has the risk been adequately reduced?

Because for each iteration you’re looking at one risk. If the answer to this question is no, then the next step is the process of risk reduction. Asking this question is the last step in the risk assessment process. Risk reduction is a process itself and is not considered part of risk assessment.

You can read all about risk reduction in my article about risk reduction and safety circuits. Safeguarding and safety circuits with safety relays are some of the ways to reduce risks.

But since risk reduction is connected to risk assessment, I will point out some of the relevant information here.

Risk Reduction

The flowchart from the beginning of this article can be extended in order to reveal the process of risk reduction.

Risk reduction can be done with different measures, but some should be considered before others. That’s why you will find this flowchart or schematic representation of the process:

First you should consider if the risk can be removed by inherently safe design measures. Only if that is not possible, safeguarding and other protective devices should be considered.

Notice how the risk reduction process is connected to the risk assessment process several places. After each of the three steps of risk reduction you should always ask the question:

Is the intended risk reduction achieved?

What is interesting here is that, if the answer to the question is no you will be lead back to the risk assessment process through another question:

Are other hazards generated?

One example of this could be introducing emergency stops or safety-related parts of the control system. Imagine cutting the power to an actuator that lifts a heavy object. Or stopping a motor with a big load too fast. Both can induce other hazards. Therefore you should go back and iterate over the risk assessment process again.

This is probably the most important point of the risk assessment flow diagram over the process. You should think of it as an iterative process. Not only should you iterate for each hazard, but also for potentially induced hazards due to risk reduction.