
How to do Risk Assessment (Part 3)

01 July 2009

Keith Armstrong continues his current series on Risk Assessment, turning to the thorny subject of litigation. He outlines the extreme importance of proper client/contractor consultation and the instigation of thorough documentation procedures in order to avoid the worst outcomes.

Many manufacturers reading this little series will have been complaining loudly, to anyone who would listen, that their customers won't tell them how their product is going to be used - so they cannot possibly do a risk assessment in the way I have been describing.

This is a common problem in our business, especially when our customer is not the end-user but another contractor higher up the supply chain. Not understanding the relevant Directives (but thinking that they do), they often insist on us providing a Declaration (or certificate) of Conformity with our product that says it will be totally safe when integrated into their equipment, system or installation, even though they will not, or cannot, tell us what we need to know to do the risk assessment that would justify such a declaration. They usually assume that all we have to do is apply the most relevant safety standards!

It helps to remember there are two basic types of safety issue:

1) Hazards that can be directly caused by the product (whether a panel or a system) itself and are directly under our own control. These might be called 'inherent safety', and safety standards that cover hazards from electric shock, fire, explosion, heat, mechanical stability, etc., usually deal with most of them.

2) Hazards that can be caused by incorrect operation of the product, for which we need information from the customer. These are almost always 'functional safety' issues, covered by IEC 61508 and related standards (ISO 14971 for medical equipment).

So where - despite our every reasonable effort - we have been unable to discover (from public knowledge and/or our customer) all the information that we need to cover every aspect of 2), we have to hope that we can use the evidence that at least we tried, if we ever need to make a legal defence for our design.

Some projects may even be too financially risky to undertake, so we need to find out everything we need to know and assess its consequences for the design and its costs and timescales before agreeing the contract with the customer.

A big problem with this is that our salespersons are only interested in their bonuses, which are based on the value of the contract. So they will press us very hard to ignore all the tedious safety details (are they safety and financial experts now?) until we have the contract 'in the bag'. Of course, this broad-brush maligns some salespersons, and I apologise to all three of them. (Luckily for me, sales people don't read PSB!)

Where our customer tells us he will install an independent safety system responsible for all of the hazards that the operation of the machine, process or whatever associated with our product can possibly cause, and therefore we don't need to worry about functional safety, we might be able to ignore item 2) completely.

But we must be aware that, in the courts, clever lawyers have proved that black is white; pink smells like aniseed, and that engineers who had used their knowledge and expertise to provide their customer with a good price and speedy delivery had dug themselves a hole so deep that there was no possible way they could climb out of it with a penny to their name.

Never make the mistake of assuming that the law is always fair or just! I can prove this, by telling you of several cases in the UK.

So to deal with 2), we must ask the customer for all the information we need, whilst pointing out that we will not be held liable in any way for any consequences of any information that we were not provided with.

We must frame our information requests in an open-ended manner, so that the customer will appear negligent if he did not tell us everything that we might possibly have needed to know. (Asking questions that are too specific can allow them to escape by showing that they answered all our detail questions, making it our fault that we didn't ask about the things we couldn't have known to ask about. I know, it is not fair).

This must all be in writing, in documents exchanged between people with the necessary seniority and appropriate positions so that their companies cannot disavow their statements, or claim that our copies of their documents are forgeries. I think emails count as legal documents these days, but check with your tame lawyer.

Also, all our documents must state that the customer bears the liability for not finding out and telling us anything that might later turn out to have been something we needed to know - even if we never specifically asked for it. I often write words to the effect: "My Rottweiler of a lawyer insists I include the following statement" - a sort of "bad cop, good cop" routine that does not appear to have harmed my relationships with my customers.

The trouble is, as soon as someone is killed or maimed by our customer's machine or process, and someone else is going to be sued for millions, our friendly customer contact, who we were happy to do favours for and assumed would stick by us in return, is replaced by a lawyer whose sole purpose in life is to destroy our business and even take our family home, regardless of justice, fair play, or "what was understood at the time".

If this all sounds like "cover your backside" - it is! But when you find your backside hanging out in a court of law through no fault of your own, you'll wish you had paid more attention to this column!

Returning to the subject of Risk Assessment: Part 2 made it clear that just doing an FMEA, assuming that faults occur at random or that only one can occur at a time, or assuming that people will not behave in amazingly stupid ways (or that, if they do, we will not be blamed if our equipment causes harm), are all incorrect approaches.

And where electromagnetic interference (EMI or RFI) could possibly cause errors or malfunctions that could in turn increase safety risks, merely passing the normal EMC tests required by the EMC or R&TTE Directives, or by medical, military or aerospace standards such as IEC/EN 60601-1-2, DEF STAN 59-41 or 411, MIL-STD-461F, DO-160F, etc., will not be sufficient for demonstrating that tolerable safety risks have been achieved. See [1] for how to deal with this increasingly common situation.

Parts 1 and 2 showed how, for each hazard, we can determine the risks and compare them with what is considered tolerable, thereby completing the first three columns in the risk assessment spreadsheet introduced in Part 1. Now we can move on to comparing the actual risk with the tolerable risk for each hazard and, if the former is larger than the latter, calculate the "risk reduction" required to achieve the tolerable risk, and complete the fourth column in the spreadsheet.

The fifth column consists of references to other documents we create during our project that show how we reduced the risk of each hazard by at least the amount required in the fourth column. These will include references to the appropriate clauses in safety standards, and will show how we applied them and then how we verified that we had done a proper job.

Where a relevant safety standard exists and achieves the risk reduction required for a hazard, it is generally easiest (and best) to follow it. But sometimes there are easier, quicker or less costly alternatives, and sometimes no standard can help us and we have to use our own expertise (or that of other experts). In such cases, the documentation of the design and the calculations or simulations that went into it, and how its risk reduction was verified, must be detailed and comprehensive.
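As an added illustration (not from the article or its author) of how the fourth and fifth columns can be filled in mechanically, the following script models the spreadsheet. It assumes a column layout inferred from the text (hazard, actual risk, tolerable risk, risk reduction required, evidence references), expresses risks as event frequencies per year, computes the required risk reduction as the ratio of actual to tolerable risk, and flags any hazard that needs a reduction but has no evidence document cited against it. The hazard names, figures and document labels are constructed sample data.

```python
"""Worked risk-assessment spreadsheet (added example, not the article's own).

Assumed column layout, inferred from the text:
  (1) hazard  (2) actual risk  (3) tolerable risk
  (4) risk reduction required  (5) evidence references
Risks are assumed to be event frequencies per year; the risk reduction
required is the factor actual/tolerable, or 1.0 where the tolerable
risk is already met.
"""
from dataclasses import dataclass, field


@dataclass
class HazardRow:
    """One row of the assumed spreadsheet layout."""
    hazard: str                 # column 1
    actual_risk: float          # column 2: estimated events per year
    tolerable_risk: float       # column 3: tolerable events per year
    evidence: list[str] = field(default_factory=list)  # column 5

    def risk_reduction_required(self) -> float:
        """Column 4: factor by which the actual risk must be reduced.
        1.0 means no reduction is required."""
        if self.tolerable_risk <= 0:
            raise ValueError(f"{self.hazard}: tolerable risk must be > 0")
        return max(1.0, self.actual_risk / self.tolerable_risk)

    def is_complete(self) -> bool:
        """A row that needs reduction must cite at least one evidence document."""
        return self.risk_reduction_required() == 1.0 or bool(self.evidence)


def completed_spreadsheet(rows):
    """Return column 4 for every hazard and the hazards still lacking column 5."""
    column4 = {r.hazard: r.risk_reduction_required() for r in rows}
    missing_evidence = [r.hazard for r in rows if not r.is_complete()]
    return column4, missing_evidence


# Constructed sample rows; the numbers and document labels are illustrative.
SAMPLE_ROWS = [
    HazardRow("Electric shock from exposed busbar", 1e-2, 1e-4,
              ["Doc-03: safety standard clauses applied",
               "Doc-07: verification test report"]),
    HazardRow("Unexpected motor start caused by EMI", 1e-3, 1e-5),
    HazardRow("Enclosure tipping during maintenance", 1e-6, 1e-5),
]

if __name__ == "__main__":
    column4, missing = completed_spreadsheet(SAMPLE_ROWS)
    for hazard, factor in column4.items():
        print(f"{hazard}: risk reduction required x{factor:g}")
    print("rows still lacking evidence references:", missing)
```

The point of `is_complete()` is the one the article makes: a required risk reduction with nothing in the fifth column is an unfinished assessment, and the larger the factor in column 4, the more the cited documents must show about the analysis, the expertise applied and how the reduction was verified.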

A letter, fax or email from a Notified Body, recommending a design or course of action, makes a great legal defence - but make sure the NB is 'Notified' for the safety directive concerned, and listed as being competent in the application area our product is intended for, and is given all the information required.

In all cases, the greater the degree of risk reduction required, the greater must be the depth of our analyses and expertise, and the greater must be our confidence in the verification and the diligence with which we document all this.

I hope to complete this little series in the next instalment.

Reference:

[1] Guide on EMC for Functional Safety (180 pages), The IET, August 2008, free download from www.theiet.org/factfiles/emc/index.cfm, or £27 plus p&p for a colour printed book from www.emcacademy.org/books.asp.

Note: The figures can be viewed via the PSB July 2009 digital issue, which is accessible from the PSB home page. On opening the current digital issue, click on 'view archive' (top left corner of screen) and locate July 2009 pages 6 and 7.
