Featured Product
This Week in Quality Digest Live
Management Features
Stephanie Ojeda
How addressing customer concerns benefits the entire quality process
Shiela Mie Legaspi
Set SMART goals
Mike Figliuolo
Creating a guiding maxim helps your people think ahead, too
Melissa Burant
A way to visualize and help prioritize risks, actions
Denise Robitaille
Without ISO 9000, ISO 9001 lacks context

More Features

Management News
For companies using TLS 1.3 while performing required audits on incoming internet traffic
Accelerates service and drives manufacturing profitability
New video in the NIST ‘Heroes’ series
A tool to help detect sinister email
Developing tools to measure and improve trustworthiness
Manufacturers embrace quality management to improve operations, minimize risk
How well are women supported after landing technical positions?

More News

William A. Levinson


Risk = np, Not p

The more exposures, the closer to near certainty

Published: Monday, February 29, 2016 - 14:26

ISO 9001:2015 has created a new focus on risk with regard to context of the organization and the needs and expectations of interested parties.

The Army Techniques Publication ATP 5-19 Risk Management, by the United States Government, U.S. Army (CreateSpace Independent Publishing Platform, 2014) is a helpful public domain resource for hazard identification and risk assessment that, while designed primarily for safety applications, works for quality as well. Among its chief takeaways is the fact that risk is not, as we might infer from traditional failure mode effects analysis (FMEA) the individual probability (p) that something might go wrong. It takes the individual probability (p) times the number of opportunities (n) for something to go wrong.

According to ATP 5-19: “Probability is assessed as frequent if a harmful occurrence is known to happen continuously, regularly, or inevitably because of exposure. Exposure is the frequency and length of time [that] personnel and equipment are subjected to a hazard or hazards.”

Consider an OSHA “safety pyramid” (as seen in figure 1) that shows one fatality for every 300,000 at-risk behaviors. A potentially fatal consequence has a severity rating of 10, but in the Automotive Industry Action Group’s reference manual Potential Failure Mode & Effects Analysis, AIAG recommends an occurrence rating of 2 for a 1/300,000 probability of occurrence. This means that, depending on the detection rating in an FMEA, the risk priority number (RPN) will be between 20 and 200. Although any failure mode with a 10 severity consequence requires attention regardless of the RPN, an RPN of 20 or even 40 is unlikely to become a top priority.

OSHA safety pyrmid

Figure 1: OSHA safety pyramid

Now suppose, however, that the at-risk behavior occurs a million times per year throughout the entire country. The chance of not having a fatal or serious accident, exp(-3.33), is less than 3.6 percent. Although an FMEA would tell us only the RPN based on the 1/300,000 individual probability of occurrence, the Army’s risk assessment matrix would set the risk level at “extremely high.”

The same concept applies, for example, to automobile components. A consumer watchdog article cited problems with the electrical and steering systems of the Chevy Cruze. GM responded that the battery cable problem affected “only” 6 vehicles per 1,000, while the steering problem affected “only” 2 vehicles per 1,000. The recommended occurrence rating for a 1 in 400 problem is 5, so the RPN is no less than 50 (given a best possible detection rating). If there are hundreds of thousands of vehicles on the road, however, the chance of trouble becomes almost certainty, and the Army’s risk assessment matrix again defines the risk as “extremely high.”

Figure 2: Risk assessment matrix

The takeaway so far is that any nonzero probability of occurrence will, if multiplied by a sufficiently large number of exposures, make a defect or accident a near-certainty. This applies not only to product safety but also to any manufacturing process that produces a large number of parts. Although this is basic statistics, it’s not reflected by the RPN of a traditional FMEA. This leads to the question: What do we do about it?

‘Can’t rather than don’t’

ATP 5-19 discusses three major types of controls. These are:
1. Educational controls
2. Physical controls (primarily applicable to safety, such as barriers)
3. Hazard elimination

The latter consist in turn of engineering controls, administrative controls (such as checklists and work instructions), and personal protective equipment. The latter again applies uniquely to safety rather than quality. Only engineering controls make the hazard or defect impossible.

According to ATP 5-19: “The preferred method is to control the hazard at its source, through engineering. Engineering is preferable because, unlike other controls, it generally focuses on the individual who is exposed. The concept behind engineering controls is that, to the extent feasible, engineers or Army units design the equipment or work environment and the task to eliminate hazards or to reduce exposure.”

This is the application of Henry Ford’s “Can’t rather than don’t” safety principle. In Ford Men and Methods (Doubleday, Doran, 1931), Edwin Norwood writes: “In so far as it is practicable it is not a case of ‘Don’t,’ but the installation of devices that stand for ‘Can’t.’” 

Safety contexts include lockout/tagout as well as machine guards that make it impossible to put a body part into moving machinery. It’s impossible to attach an oxygen tank to a hydrogen line, or a hydrogen tank to an oxygen line, because the valves and connectors are designed intentionally to not fit. In a similar way, Nestlé’s Spikeright enteric feeding bag cannot be connected to an intravenous line, a problem that has actually killed numerous patients. Quality contexts include poka-yoke or error-proofing (e.g., keys and slots that make it impossible to assemble parts backward).

The conclusion is therefore that any accident or defect that can conceivably occur, as indicated by a nonzero probability, will eventually occur if we expose ourselves to the risk a sufficient number of times. If the consequences are unacceptable, then application of engineering controls, poka-yoke, or “can’t rather than don’t” is mandatory.


About The Author

William A. Levinson’s picture

William A. Levinson

William A. Levinson, P.E., FASQ, CQE, CMQOE, is the principal of Levinson Productivity Systems P.C. and the author of the book The Expanded and Annotated My Life and Work: Henry Ford’s Universal Code for World-Class Success (Productivity Press, 2013).


Risk =np, Not p

This is precisely where the statistic "The average American driver has a 40% chance of being hospitalized or killed as a result of an automobile accident sometime during their lifetime" comes from.