Featured Product
This Week in Quality Digest Live
Management Features
Constance Noonan Hadley
The time has come to check whether the benefits of teamwork still outweigh the costs
Naresh Pandit
Enter the custom recovery plan
Anton Ovchinnikov
In competitive environments, operational innovation could well be the answer to inventory risk
Julie Winkle Giulioni
The old playbook probably won't work
Sarah Schiffling
But supply chains will get worse before they get better

More Features

Management News
Program inspires leaders to consider systems perspective for continuous improvement and innovation
Recent research finds organizations unprepared to manage more complex workforce
Attendees will learn how three top manufacturing companies use quality data to predict and prevent problems, improve efficiency, and reduce costs
More than 40% of directors surveyed cite the ability of companies to execute as one of the biggest threats to improving ESG performance
MIT Sloan study shows that target-independent compensation systems can be superior
Steps that will help you improve and enhance your employee recruitment, retention, and engagement
300 Talent acquisition leaders and HR executives from companies gather in Kansas City
FedEx demonstrates commitment to customer-focused continuous improvement

More News

William A. Levinson

Management

Risk = np, Not p

The more exposures, the closer to near certainty

Published: Monday, February 29, 2016 - 15:26

ISO 9001:2015 has created a new focus on risk with regard to context of the organization and the needs and expectations of interested parties.

The Army Techniques Publication ATP 5-19 Risk Management, by the United States Government, U.S. Army (CreateSpace Independent Publishing Platform, 2014) is a helpful public domain resource for hazard identification and risk assessment that, while designed primarily for safety applications, works for quality as well. Among its chief takeaways is the fact that risk is not, as we might infer from traditional failure mode effects analysis (FMEA) the individual probability (p) that something might go wrong. It takes the individual probability (p) times the number of opportunities (n) for something to go wrong.

According to ATP 5-19: “Probability is assessed as frequent if a harmful occurrence is known to happen continuously, regularly, or inevitably because of exposure. Exposure is the frequency and length of time [that] personnel and equipment are subjected to a hazard or hazards.”

Consider an OSHA “safety pyramid” (as seen in figure 1) that shows one fatality for every 300,000 at-risk behaviors. A potentially fatal consequence has a severity rating of 10, but in the Automotive Industry Action Group’s reference manual Potential Failure Mode & Effects Analysis, AIAG recommends an occurrence rating of 2 for a 1/300,000 probability of occurrence. This means that, depending on the detection rating in an FMEA, the risk priority number (RPN) will be between 20 and 200. Although any failure mode with a 10 severity consequence requires attention regardless of the RPN, an RPN of 20 or even 40 is unlikely to become a top priority.

OSHA safety pyrmid

Figure 1: OSHA safety pyramid

Now suppose, however, that the at-risk behavior occurs a million times per year throughout the entire country. The chance of not having a fatal or serious accident, exp(-3.33), is less than 3.6 percent. Although an FMEA would tell us only the RPN based on the 1/300,000 individual probability of occurrence, the Army’s risk assessment matrix would set the risk level at “extremely high.”

The same concept applies, for example, to automobile components. A consumer watchdog article cited problems with the electrical and steering systems of the Chevy Cruze. GM responded that the battery cable problem affected “only” 6 vehicles per 1,000, while the steering problem affected “only” 2 vehicles per 1,000. The recommended occurrence rating for a 1 in 400 problem is 5, so the RPN is no less than 50 (given a best possible detection rating). If there are hundreds of thousands of vehicles on the road, however, the chance of trouble becomes almost certainty, and the Army’s risk assessment matrix again defines the risk as “extremely high.”

Figure 2: Risk assessment matrix

The takeaway so far is that any nonzero probability of occurrence will, if multiplied by a sufficiently large number of exposures, make a defect or accident a near-certainty. This applies not only to product safety but also to any manufacturing process that produces a large number of parts. Although this is basic statistics, it’s not reflected by the RPN of a traditional FMEA. This leads to the question: What do we do about it?

‘Can’t rather than don’t’

ATP 5-19 discusses three major types of controls. These are:
1. Educational controls
2. Physical controls (primarily applicable to safety, such as barriers)
3. Hazard elimination

The latter consist in turn of engineering controls, administrative controls (such as checklists and work instructions), and personal protective equipment. The latter again applies uniquely to safety rather than quality. Only engineering controls make the hazard or defect impossible.

According to ATP 5-19: “The preferred method is to control the hazard at its source, through engineering. Engineering is preferable because, unlike other controls, it generally focuses on the individual who is exposed. The concept behind engineering controls is that, to the extent feasible, engineers or Army units design the equipment or work environment and the task to eliminate hazards or to reduce exposure.”

This is the application of Henry Ford’s “Can’t rather than don’t” safety principle. In Ford Men and Methods (Doubleday, Doran, 1931), Edwin Norwood writes: “In so far as it is practicable it is not a case of ‘Don’t,’ but the installation of devices that stand for ‘Can’t.’” 

Safety contexts include lockout/tagout as well as machine guards that make it impossible to put a body part into moving machinery. It’s impossible to attach an oxygen tank to a hydrogen line, or a hydrogen tank to an oxygen line, because the valves and connectors are designed intentionally to not fit. In a similar way, Nestlé’s Spikeright enteric feeding bag cannot be connected to an intravenous line, a problem that has actually killed numerous patients. Quality contexts include poka-yoke or error-proofing (e.g., keys and slots that make it impossible to assemble parts backward).

The conclusion is therefore that any accident or defect that can conceivably occur, as indicated by a nonzero probability, will eventually occur if we expose ourselves to the risk a sufficient number of times. If the consequences are unacceptable, then application of engineering controls, poka-yoke, or “can’t rather than don’t” is mandatory.

Discuss

About The Author

William A. Levinson’s picture

William A. Levinson

William A. Levinson, P.E., FASQ, CQE, CMQOE, is the principal of Levinson Productivity Systems P.C. and the author of the book The Expanded and Annotated My Life and Work: Henry Ford’s Universal Code for World-Class Success (Productivity Press, 2013).

Comments

Risk =np, Not p

This is precisely where the statistic "The average American driver has a 40% chance of being hospitalized or killed as a result of an automobile accident sometime during their lifetime" comes from.