Featured Video
This Week in Quality Digest Live
Management Features
Harish Jose
The dangers of misapplying linearity
James daSilva
Like it or not, these are the good times
Chad Kymal
A single set of FMEA requirements will ease the burden on suppliers
Michelle LaBrosse
Projects go more smoothly if you have a consistent process for doing them
Rob Magee
The modern security mindset

More Features

Management News
Management's role in improving work climate and culture
Work with and learn from some of the nation’s best people and organizations
Cricket Media and IEEE team up to launch TryEngineering Together
125 strategies to achieve maximum confidence, clarity, certainty, and creativity
MIT awards more than $1 million to organizations creating greater economic opportunity for workers
Earn continuing education units
If you want to understand a system, try and change it
How to engage, retain, and develop talent for maximum performance

More News

William A. Levinson

Management

Risk = np, Not p

The more exposures, the closer to near certainty

Published: Monday, February 29, 2016 - 14:26

ISO 9001:2015 has created a new focus on risk with regard to context of the organization and the needs and expectations of interested parties.

The Army Techniques Publication ATP 5-19 Risk Management, by the United States Government, U.S. Army (CreateSpace Independent Publishing Platform, 2014) is a helpful public domain resource for hazard identification and risk assessment that, while designed primarily for safety applications, works for quality as well. Among its chief takeaways is the fact that risk is not, as we might infer from traditional failure mode effects analysis (FMEA) the individual probability (p) that something might go wrong. It takes the individual probability (p) times the number of opportunities (n) for something to go wrong.

According to ATP 5-19: “Probability is assessed as frequent if a harmful occurrence is known to happen continuously, regularly, or inevitably because of exposure. Exposure is the frequency and length of time [that] personnel and equipment are subjected to a hazard or hazards.”

Consider an OSHA “safety pyramid” (as seen in figure 1) that shows one fatality for every 300,000 at-risk behaviors. A potentially fatal consequence has a severity rating of 10, but in the Automotive Industry Action Group’s reference manual Potential Failure Mode & Effects Analysis, AIAG recommends an occurrence rating of 2 for a 1/300,000 probability of occurrence. This means that, depending on the detection rating in an FMEA, the risk priority number (RPN) will be between 20 and 200. Although any failure mode with a 10 severity consequence requires attention regardless of the RPN, an RPN of 20 or even 40 is unlikely to become a top priority.

OSHA safety pyrmid

Figure 1: OSHA safety pyramid

Now suppose, however, that the at-risk behavior occurs a million times per year throughout the entire country. The chance of not having a fatal or serious accident, exp(-3.33), is less than 3.6 percent. Although an FMEA would tell us only the RPN based on the 1/300,000 individual probability of occurrence, the Army’s risk assessment matrix would set the risk level at “extremely high.”

The same concept applies, for example, to automobile components. A consumer watchdog article cited problems with the electrical and steering systems of the Chevy Cruze. GM responded that the battery cable problem affected “only” 6 vehicles per 1,000, while the steering problem affected “only” 2 vehicles per 1,000. The recommended occurrence rating for a 1 in 400 problem is 5, so the RPN is no less than 50 (given a best possible detection rating). If there are hundreds of thousands of vehicles on the road, however, the chance of trouble becomes almost certainty, and the Army’s risk assessment matrix again defines the risk as “extremely high.”

Figure 2: Risk assessment matrix

The takeaway so far is that any nonzero probability of occurrence will, if multiplied by a sufficiently large number of exposures, make a defect or accident a near-certainty. This applies not only to product safety but also to any manufacturing process that produces a large number of parts. Although this is basic statistics, it’s not reflected by the RPN of a traditional FMEA. This leads to the question: What do we do about it?

‘Can’t rather than don’t’

ATP 5-19 discusses three major types of controls. These are:
1. Educational controls
2. Physical controls (primarily applicable to safety, such as barriers)
3. Hazard elimination

The latter consist in turn of engineering controls, administrative controls (such as checklists and work instructions), and personal protective equipment. The latter again applies uniquely to safety rather than quality. Only engineering controls make the hazard or defect impossible.

According to ATP 5-19: “The preferred method is to control the hazard at its source, through engineering. Engineering is preferable because, unlike other controls, it generally focuses on the individual who is exposed. The concept behind engineering controls is that, to the extent feasible, engineers or Army units design the equipment or work environment and the task to eliminate hazards or to reduce exposure.”

This is the application of Henry Ford’s “Can’t rather than don’t” safety principle. In Ford Men and Methods (Doubleday, Doran, 1931), Edwin Norwood writes: “In so far as it is practicable it is not a case of ‘Don’t,’ but the installation of devices that stand for ‘Can’t.’” 

Safety contexts include lockout/tagout as well as machine guards that make it impossible to put a body part into moving machinery. It’s impossible to attach an oxygen tank to a hydrogen line, or a hydrogen tank to an oxygen line, because the valves and connectors are designed intentionally to not fit. In a similar way, Nestlé’s Spikeright enteric feeding bag cannot be connected to an intravenous line, a problem that has actually killed numerous patients. Quality contexts include poka-yoke or error-proofing (e.g., keys and slots that make it impossible to assemble parts backward).

The conclusion is therefore that any accident or defect that can conceivably occur, as indicated by a nonzero probability, will eventually occur if we expose ourselves to the risk a sufficient number of times. If the consequences are unacceptable, then application of engineering controls, poka-yoke, or “can’t rather than don’t” is mandatory.

Discuss

About The Author

William A. Levinson’s picture

William A. Levinson

William A. Levinson, P.E., FASQ, CQE, CMQOE is the principal of Levinson Productivity Systems P.C. and the author of the book The Expanded and Annotated My Life and Work: Henry Ford's Universal Code for World-Class Success.

Comments

Risk =np, Not p

This is precisely where the statistic "The average American driver has a 40% chance of being hospitalized or killed as a result of an automobile accident sometime during their lifetime" comes from.