Hazard Based Safety Engineering (HBSE) principles have been used to better understand product safety and to help guide the design and evaluation of appropriate safeguards through analysis of sources, causes and mechanisms of harm. UL Applied Safety Science and Engineering Techniques (ASSET™) takes HBSE to the next level.
ASSET leverages the strength of HBSE principles by expanding and integrating them with other established safety science and engineering techniques, including elements of risk management, systems and reliability engineering, functional safety and human factors. This paper outlines the expansion and integration of these principles and techniques, and demonstrates the potential of taking HBSE to the next level.
ASSET addresses diverse forms of harm, hazardous sources and objects of harm (persons, property, environment, critical operations), across a broad range of products, systems, services and applications, based on safety science. An asset in any organization is an item of value, a resource that provides advantage, such as a product realization design process that achieves safety by design. The design and evaluation of safety requires a systematic, methodical process. The effective use of a complete set of suitable, consistent design and evaluation techniques can help demonstrate that reasonable care and due diligence was exercised in the safety of a design.
The HBSE concepts initially conceived by engineers at HP/Agilent targeted typical types of hazards and forms of injury involving electronics products, such as information technology and office equipment. The HBSE concepts and tools have been further developed and applied with the support of research engineers at Underwriters Laboratories. UL University has been serving as the principal instructional organization for HBSE workshops. UL uses HBSE and applied safety science and engineering techniques in many facets of its work, such as research, development and interpretation of standards, and risk assessment with hazard and failure analysis of new and emerging products, applications and technologies. Applied safety science and engineering techniques will be briefly introduced in the context of safety and risk, and outlined in the context of other technical and managerial processes.
Safety and protection address the risk of harm. Safety has many meanings, applications, levels and contexts. Generally speaking, we can consider safety as freedom from unacceptable risk of harm (IEC/ISO Guide 51). But let’s consider the qualifiers in this statement.
Harm can include unwanted effects or consequences, including injury or damage to health of persons (or animals including livestock and pets), damage to property or the environment, or interruption in essential commercial operations. This harm may be the result of a variety of factors, independently or in combination or sequence, involving hazardous situations and circumstances. Risk of harm is based on probability and severity, that is, the likelihood of harm occurring and the severity of its consequences if it occurs.
Unacceptable risk of harm is a level that is not tolerated. The degree of tolerance varies in accordance with many factors, including specific applications, situations and circumstances of product use, misuse and exposure. Risk attitudes and appetites vary among individuals, companies, industries, cultures, etc. Levels of unacceptable risk may be defined, for example, by regulatory bodies, authorities having jurisdiction, standards development bodies, etc., with input from others involved or affected.
Freedom from unacceptable risk of harm is a beneficial condition. But like many other freedoms that we enjoy, this freedom also comes at a cost. To achieve safety is no small task. It requires comprehensive, systematic review of all potential harm from hazards, and the prioritization of mitigating safeguards throughout the entire product lifecycle, considering all manners of exposure. Safety is relative, posing a challenge in product realization to balance with other design requirements, factors and constraints. This balance may be addressed, for example, by risk-benefit analysis, cost-benefit analysis or other techniques.
Safety does not mean the absence of all risk; it means risk reduced to an acceptable level – by design, analysis and validation, including evaluation and testing for certification. It is said that safety is no accident. It is the practical manifestation of suitable design concepts, applied consciously and conscientiously.
There are a variety of means to assess, reduce and manage risk of harm. Risk analysis involves hazard identification and risk estimation in terms of the likelihood of the occurrence of harm and the severity of its consequences should it occur. Risk evaluation involves judgment of the acceptability of risk. This leads to analysis of options to accept or reduce this risk, and then maintain or control it at an acceptable level. In some cases, this risk level may be considered to be As Low As Reasonably Practicable (ALARP), typically used in risk-benefit analysis for medical devices whose health benefits balance the risk of harm.
But risk is not necessarily a simple or straightforward combination of probability and severity rankings. Weighting factors may be applied to rankings, and scales may be nonlinear or contain discontinuities. Other factors may also need consideration, such as frequency, exposure, vulnerability, etc. In estimating and evaluating risk, it is important to consider that when the severity of consequences is very high (serious harm, death), then the likelihood must be demonstrated or known to be reliably low. This approach would be more conservative (safe) than an initial assumption of very low probabilities, resulting in trivializing (even unintentionally) the importance of potentially severe consequences.
Risk Management Publications
Many publications address various aspects and applications of risk management, including international guides, standards and series published by organizations such as the IEC (International Electrotechnical Commission) and ISO (International Standardization Organization), ranging from general-use to industry-, product-, hazard-, harm- and safeguard-specific categories. Basic references, some with very recent publications, include ISO IEC Guide 51 (Safety aspects), ISO 31000 (Risk management — Principles and guidelines), IEC/ISO 31010 (Risk management – Risk assessment techniques), IEC Guide 116, Guidelines for safety related risk assessment and risk reduction for low voltage equipment, IEC 60300-3-9 (Dependability management), and Risk Assessment Guidelines for Consumer Products (in Official Journal of the European Union, referencing GPSD, General Product Safety Directive and RAPEX, Community Rapid Information System).
Additional IEC and/or ISO Guides cover more specialized aspects such as terminology (73), vulnerability (50, 71), applications (37, 63, 78, 110, 112), environment (64, 106, 114), and procedural matters (2, 75, 104, 108).
Certain industries, such as medical devices and machinery have developed a tiered structure of risk publications. Publications covering medical devices range from guides on safety aspects (ISO Guide 51) and drafting of safety standards (ISO/IEC Guide 63) to risk management for medical devices (EN ISO 14971), quality management systems for regulatory purposes (ISO 13485), to more specific standards on basic safety and essential performance (IEC 60601-1), followed by a series of collateral standards (IEC 60601-1-1 to IEC 60601-112), particular standards (IEC 60601-2-1 to IEC 60601-2-54) and essential performance requirements (IEC 60601-3 (-1)). Likewise, publications covering machinery range from guides on safety aspects (ISO Guide 51) and drafting of safety standards (ISO Guide 78) to general standards on risk assessment principles (EN/ISO 14121-1), practical guidance and examples (-2), to more specific standards on design concepts with terminology, methodology (EN/ISO 12100-1) and technical principles (-2), and electrical equipment of machines (EN 60204-1).
ASSET and Risk Management
ASSET integrates the current IEC/ISO body of knowledge on risk management, and addresses specific aspects including appropriate risk and hazard identification, risk reduction and risk control. For example, guidelines are provided for a suitable assessment of the scope of the analysis, including general characteristics, intended use and users, environment, installation, operation, maintenance, repair, shipping, storage, and reasonably foreseeable unintended use and misuse conditions. Then for hazard identification, additional steps help identify sources and possible conditions for harm. Risk estimation is supplemented with guidance to estimate and express risk. Risk evaluation is aided by steps to define and apply tolerable risk criteria for decisions. Risk reduction is guided by steps to analyze protective measures that reduce and/or control risk via safeguard attributes. Reassessment of residual risk is supplemented by steps to monitor and apply field data.
Strategies are presented to identify, prioritize and validate appropriate safeguards that are suited to any product, including usage scenarios and exposure conditions. Such strategies help identify essential safeguard characteristics: those safety-critical functions relied upon under all conditions, including duress, throughout the product life. Relevant analysis techniques include Fault Tree Analysis (FTA) and Failure Modes and Effects Analysis (FMEA), which address failures and other conditions that may lead to system faults, as well as the need for, and the effects of, suitable protective mechanisms.
Safety Engineering Management Processes
Technical processes include the expansion and adaptation of HBSE, hazard analysis and risk assessment concepts, as well as application of techniques such as FTA and FMEA. Managerial processes include risk management, but the more overarching common element is “management” itself. Safety engineering management not only involves risk management, but also asset-, enterprise-, quality systems- (incl. quality assurance and continuous improvement), process- (design, mfg), document-, decision-, systems engineering- and system safety-, product safety-, project- and project risk-, design-, concurrent engineering-, design review-, configuration-, change control-, supply chain-, dependability-, life cycle model-, data(records), information security-, knowledge-, learning-, incident/recall- and disaster/emergency- management. As for risk management, these additional safety engineering management aspects are also addressed in many IEC, ISO and other publications. Document references are available upon request.
The strategy to meet safety objectives begins with applied safety science and engineering techniques. This helps to identify and prioritize research, and apply these findings to develop safety requirements and test methodologies that are appropriate, proactive, focused and consistent. This can then lead to safety attributes that are properly identified, validated and controlled for all scenarios, conditions, and lifecycle stages, both up and down the supply chain. The result is a demonstrated degree of safety and improvement.
Hazard Based Requirements
Hazard-based safety standards can offer clear safety objectives and various means to meet them. A hazard-based approach serves to reduce risk of harm by addressing each hazard. This approach would determine which undesirable effects are to be avoided, the susceptibility to them, their conditions and causes, and appropriate protection against them. A hazard-based standard would identify the objectives of protecting against each specific undesirable effect, and directly relate them to appropriate protection requirements and limits. HBSE principles have also formed the foundation of hazard-based requirements in product standards such as IEC 62368-1, Audio/video, information and communication technology equipment – Part 1: Safety requirements.
ASSET EXPANSION OF HBSE CONCEPTS AND TOOLS
ASSET expands the basic HBSE concepts and analysis tools in ways that include the following, as shown in Figure 1.
Figure 1: HBSE Premise, 3-block energy transfer model for injury, expanded
The HBSE Premise for Injury is a 3-block model based on energy transfer, which outlines the 1) hazardous source and 2) transfer mechanism to 3) a body/part that is subject to injury. Injury can occur when the magnitude and duration of energy transfer exceeds the body/part susceptibility, or its inability to withstand it.
Examples include mechanical forms of energy that may cause various types of physical injury; thermal energy (heat) that may cause skin burn injury; electrical energy that may cause “electric shock” or unwanted physiological (including lethal) effects; and electrically caused fire that may cause injury and property damage. This model can forewarn of injury if its elements can be quantified, in terms of the characteristics of the energy source and rate and degree of transfer (delivered and received), and the inability of a body/part to withstand it (susceptibility).
However, this simple model can be expanded in a variety of ways, adapted to address other types of hazards, transfers and harm. For example, the hazardous source (1) can involve other forms of energy, including acoustic noise, pressure (sonic/ultrasonic/fluid/gas), explosion/implosion, arc flash/blast, radiation (visible, UV, IR, ionizing (gamma)/non-ionizing (laser)), vibration, fields (electric/magnetic/electromagnetic), unintended motion or activation, as well as potential energy (suspended masses, support failures) or stored energy (springs, capacitors) that may be converted to other forms.
In addition, the hazardous source (1) can also be in the form of matter. This could include an object (person contributes to transfer), involving a sharp edge (laceration) or small part (choking) or long part (strangulation), where other factors of the harm mechanism need also be considered. This could also include a harmful substance, such as chemical (toxic/carcinogenic) or biological (bacteria) material. Recall the RoHS (Restriction of Hazardous Substances) directive that curtails the use of materials such as lead, mercury, cadmium, hexavalent chromium, PBB and PBDE to infinitesimal levels (parts per million). The transfer mechanism (2) can cause harm in a direction to the body (e.g., applied force), as well as away from it (e.g., extracted heat), or even involve a reduction or restriction of transfer (energy or substance) that is needed to maintain health (e.g., air restriction due to small-part choking hazard).
And in addition to injury to persons (3), other forms and objects of harm can be addressed. Such harm may also involve damage to health or welfare of persons, injury to animals (livestock, pets), and damage to property, the environment or essential commercial operations.
Other factors must also be considered. For example regarding environmental harm, lifecycle issues of electrical and electronic products raise additional safety concerns. With concern for PBTs (Persistent Bioaccumulative Toxins), is the hazard persistent, taking a relatively long time to break down in the environment? Is it bioaccumulative, whereby substances collect in living organisms and ultimately end up in the food chain and persons? Is it toxic, with known potential for harm, whether acute (immediate) or chronic (longer-term)? By what means is it transferred, and in what amounts and durations, and to what degree?
Other functional aspects such as incorrect outputs can also lead to harm, involving energy or substance, due to hardware, software or human interface factors, resulting from incorrect control, timing, duration, sequence, etc. These aspects are more closely associated with functional safety, addressed separately.
The HBSE Process is a flow diagram that considers all sources (hazardous energy) associated with a product, how they may cause harm by transfer, and how this transfer can be reduced to protect against injury. It helps us to analyze specific protective mechanisms (safeguards) having features and properties that are needed to protect against specific harm mechanisms.
Figure 2: HBSE Process with expansion notes
This simple model can also be expanded in a variety of ways. For the first HBSE Process step (1), “Identify Energy Source”, consideration is needed for all sources (energy/substance) that are supplied to, contained within, converted by, used by or associated with the product.
For the next step (2), “Is Source Hazardous”, consideration is needed for whether the source is capable of causing harm. These steps need to be conducted for each type of source, transfer means/mechanism, potential for harm and entity subject to harm. Is the source hazardous with respect to the product function, application, environment, uses, users and others involved, exposed, having access, or otherwise affected?
Is this an unacceptable risk of harm? How is an acceptable level of risk determined? What factors may this depend on (use, users, environment, values, etc.)? What conditions make the source hazardous or its transfer harmful? Can this occur in normal operation and intended, normal use? Or does it require an abnormal or unintended condition? Must other unwanted or fault conditions have occurred in the past or exist in the present?
Are these conditions of omission (inaction) or commission (action/reaction)? Do they involve hardware, software and external influences (environment, human interaction and error, etc.)? Are these conditions reasonably foreseeable? It’s been said that all conditions are foreseeable (which may not necessarily require action), but following an incident a jury may decide what is reasonable (what actions should have been taken).
The product may have been evaluated to perform all design functions as intended (do what intended). But have all reasonably foreseeable conditions been anticipated? Has the product been evaluated to suitably and safely respond to all these conditions, combinations and sequences and at least fail-safe (NOT do what NOT intended)? Has this performance been validated by test? Have the safeguards, and their specific properties, relied on for this performance been evaluated and controlled?
For the next step (3), “Identify Means by which Energy can be Transferred to a Body Part”, consideration is also needed for direction and/or restriction of transfer, whether to, from, or blocked (if needed) from the person (body part) or other object of harm (property, environment, etc.).
For the next step (4), “Design Safeguard Which Will Prevent Energy Transfer to a Body Part”, consideration is also needed for preventive safeguards that reduce, control or eliminate the source (total amount), as well as mitigating safeguards that reduce, control or eliminate the transfer (transferred rate, duration and amount). The hierarchy of protection should be to first eliminate the hazard (design it out), then guard against the hazard (reduce the source and then the transfer), then warn about the hazard (relying on personal responsibility and other factors for avoidance). In some cases it may also be possible to reduce susceptibility to a hazard by increasing the resistance to the source, such as through material properties including resistance to ignition.
For the next steps (5), “Measure Safeguard Effectiveness” and (6) “Is Safeguard Effective”, much additional consideration is needed to properly understand and apply this “effectiveness” measure, which involves safeguard attributes. Which specific properties of safeguards are relied upon for each protective function? Under what conditions must they function effectively? What conditions may tend to degrade this performance or render it ineffective? How well do these attributes hold up under each of these conditions, including combinations and sequences? Just as in evaluating risk, when the severity of consequences is high (i.e., safeguard failure), the likelihood must be demonstrated or known to be reliably low.
Safeguard attributes are properties of protective features and mechanisms, which need to be specifically identified, evaluated and validation tested under all reasonably anticipated conditions, and controlled in design and manufacturing. These attributes can be summarized in the descriptive term DURESS (Durability, Usability, Reliability, Efficacy, Suitability, Scalability), which helps describe the needed characteristics:
Durability – protective characteristics should be able to withstand, and not be adversely affected by conditions, circumstances and scenarios of use (reasonably foreseeable use, unintended use, misuse or abuse)
Usability – protection should function as needed, without interfering with normal, intended product functions (so as not to invite defeating of safeguards)
Reliability – protection should maintain its essential performance throughout its entire design life, in all conditions and stages of the product lifecycle (cradle-to-grave)
Efficacy – protection should be able to effectively perform the needed safety function, without introducing or increasing other hazards (fix one problem but create another)
Suitability – protection should be provided to a degree appropriate for the application, based on the level of risk with a suitable safety factor that demonstrates the degree to which tested performance limits exceed minimum thresholds of harm
Scalability – protection should perform as needed in the intended scale of use, properly interacting with other materials, components, systems and environments (small-scale properties appropriate for large-scale applications and conditions)
HBSE Fault Tree for Injury
Fault Tree Analysis (FTA) is a deductive, graphical, top-down analytical method in which the top event is a fault, such as harm or another undesirable event. It outlines the necessary and sufficient conditions and logical relationships for this harm to occur, in order to determine the most likely contributors (root causes on critical paths) and the most effective safeguard strategies.
The HBSE fault tree for injury outlines conditions leading to the injury top event, with initial necessary and sufficient conditions of hazardous energy and exposure of (for transfer to) a susceptible body part. This fault tree model can be expanded to include other types of hazards and harm. It can also depict the order of priority for safeguards, to eliminate, guard or warn about the hazard. Such FTA models have been successfully used in analysis of fire scenarios, including those caused by lithium ion batteries.
Figure 3: HBSE Fault Tree for Injury, expanded
FTA AND FMEA/FMECA
To complement the deductive, top-down FTA, one can use an inductive, bottom-up analysis method such as Failure Modes and Effects Analysis (FMEA) or Failure Modes and Effects Criticality Analysis (FMECA), which more directly considers the effect of severity and risk rankings. This method begins at the “bottom”, with individual items (components, materials) and their functions (in each operating mode). Failure modes, effects, severities, likelihoods and other factors are determined, and then potential causes, recommended actions, and resulting effects are analyzed methodically. Integrated FTA/FMECA techniques have also been successfully applied to fire risk involving lithium ion batteries, as we presented at the latest NASA Aerospace Battery Workshop (2009).
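The fault-tree and FMEA discussion above can be made concrete with a small evaluator for the HBSE injury premise. This is an added example, not code from the paper or from UL; the tree shape follows the 3-block model (hazardous source AND transfer AND susceptibility exceeded), the "guard" safeguard follows the eliminate/guard/warn hierarchy described earlier, and every probability is a constructed placeholder rather than measured data. It derives the minimal cut sets (the necessary and sufficient condition combinations) and the top-event probability, with and without the guard.

```python
"""Fault-tree evaluation of the HBSE injury premise (added example).

Not from the paper. Builds the injury top event from the 3-block model
(hazardous source AND energy transfer AND susceptibility exceeded), derives
minimal cut sets, and shows how a 'guard' safeguard changes both the cut sets
and the top-event probability. All probabilities are constructed placeholders.
"""
from dataclasses import dataclass
from itertools import product
from typing import FrozenSet, Set, Tuple, Union


@dataclass(frozen=True)
class Event:
    """Basic event: one necessary condition, with an assumed probability."""
    name: str
    prob: float


@dataclass(frozen=True)
class Gate:
    """Logic gate: 'AND' (all inputs needed) or 'OR' (any input suffices)."""
    kind: str
    name: str
    inputs: Tuple["Node", ...]


Node = Union[Event, Gate]


def minimal_cut_sets(node: Node) -> Set[FrozenSet[str]]:
    """Necessary-and-sufficient combinations of basic events for the top event."""
    if isinstance(node, Event):
        return {frozenset([node.name])}
    child_sets = [minimal_cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        sets = set().union(*child_sets)
    elif node.kind == "AND":
        # one cut set taken from each input, merged into a single set
        sets = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate kind {node.kind!r}")
    # a cut set that contains a smaller cut set is not minimal; drop it
    return {s for s in sets if not any(other < s for other in sets)}


def top_event_probability(node: Node) -> float:
    """Gate-wise probability, assuming independent, non-repeated basic events."""
    if isinstance(node, Event):
        return node.prob
    probs = [top_event_probability(child) for child in node.inputs]
    if node.kind == "AND":
        result = 1.0
        for p in probs:
            result *= p
        return result
    if node.kind == "OR":
        none_occur = 1.0
        for p in probs:
            none_occur *= 1.0 - p
        return 1.0 - none_occur
    raise ValueError(f"unknown gate kind {node.kind!r}")


def injury_tree(guarded: bool) -> Gate:
    """HBSE 3-block injury model as a fault tree (constructed probabilities)."""
    source = Gate("OR", "hazardous energy present", (
        Event("source present in normal use", 1.0),   # e.g. a mains-powered unit
        Event("source present only under fault", 1e-3),
    ))
    exposed = Event("body part reaches source location", 0.05)
    if guarded:
        # 'guard' level of the hierarchy: transfer also requires the guard to fail
        guard_fails = Gate("OR", "guard ineffective", (
            Event("enclosure damaged", 1e-3),
            Event("interlock fails on demand", 1e-2),
        ))
        transfer = Gate("AND", "energy transferred to body part", (exposed, guard_fails))
    else:
        transfer = Gate("AND", "energy transferred to body part", (exposed,))
    susceptible = Event("transfer exceeds body-part susceptibility", 0.5)
    return Gate("AND", "injury", (source, transfer, susceptible))


if __name__ == "__main__":
    for label, guarded in (("no safeguard", False), ("guarded", True)):
        tree = injury_tree(guarded)
        cuts = minimal_cut_sets(tree)
        print(f"{label}: P(injury) = {top_event_probability(tree):.2e}, "
              f"{len(cuts)} minimal cut sets, smallest needs {min(map(len, cuts))} conditions")
        for cut in sorted(cuts, key=sorted):
            print("   ", " AND ".join(sorted(cut)))
```

Adding the guard turns every cut set from three conditions into four and lowers the top-event probability by roughly two orders of magnitude under these placeholder values; the same structure accepts a "warn" safeguard by adding an event for the warning not being heeded.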
Elements of the systems engineering approach address scope and context, from concept through all product lifecycle stages (cradle-to-grave), from design through prototyping, manufacturing, assembly, packaging, transport, storage, installation, commissioning, operation, maintenance, repair, decommissioning, reuse to disposal.
Specific properties of materials and components, including hardware, software and human elements, need to be compatible with the needs, influences and interfaces of subsystems and the overall system, including external systems and the environment (micro and macro). Functions, characteristics and properties need to be considered for materials, components, devices, circuits, subsystems, systems and processes, as contributing to harm or to protection.
Reliability engineering elements address the criticality of safety-critical functions and features, and the conditions under which they must continue to perform effectively. Reliability approaches such as probability of failure, circuit redundancy and fail-safe modes are also used in techniques such as FTA and FMEA, and addressed by a number of related disciplines, including system safety and dependability management.
Functional safety is a special field that specifically addresses electrical, electronic and programmable systems. Similar to other types of safeguards, reliance is placed on specific functions or characteristics of a product, requiring certain attributes. But a safeguard in functional safety is considered to be the essential performance of hardware and software controls that manage safety-critical functions. Some functional safety aspects may be directly protective by design (life safety). Functional safety aspects in other applications address functions for which failure may lead to increased risk of harm (immediate or imminent), loss of a required level of protection, or other reduced ability to protect against harm. In “single-fault” analysis, the conditions that rely upon protective mechanisms to operate should be considered as given conditions, and any failure or inadequacy of this protection would be considered as the fault condition.
Elements of human factors address many aspects, including anthropometry, physiological responses and susceptibility to energy and substance transfer, behavior (product use, misuse, abuse or hazard avoidance), human error, interaction, and other human characteristics including performance, limitations, etc. related to aspects of a product or system, such as design, manufacturing, operation, maintenance, etc.
ASSET integrates these elements to leverage the strengths of HBSE, risk management, and other techniques, to optimize the value of our resources and assets: our individual and collective safety knowledge, experience and expertise. The application of safety science and engineering techniques to any hazard is based on examining the types and mechanisms of harm in order to consider appropriate mechanisms for protection. This analysis includes the conditions and circumstances that must be present, first for harm to occur, and then for protection against it. It’s a basic but robust approach, in which simple tools can be applied, with appropriate subject matter expertise, to simple or complex scenarios in a consistent, repeatable manner, an asset to any organization.
“The great liability of the engineer compared to men of other professions is that his works are out in the open where all can see them. His acts, step by step, are in hard substance. He cannot bury his mistakes in the grave like the doctors. He cannot argue them into thin air or blame the judge like the lawyers. He cannot, like the architects, cover his failures with trees and vines. He cannot, like the politicians, screen his shortcomings by blaming his opponents and hope the people will forget. The engineer simply cannot deny he did it. If his works do not work, he is damned.” – Herbert Hoover (1874 – 1964).
The author wishes to acknowledge the HP/Agilent authors of the initial HBSE concepts, including R. Nute, R. Corson, J. Barrick and D. Adams, as well as UL Research, Engineering and UL University staff including R. Davidson and D. Bejnarowicz for their valuable technical contributions toward this material.
- Hazard Based Safety Engineering, Student Guide, 2nd Ed (B.03), Hewlett-Packard Company, Agilent Technologies, Inc., Underwriters Laboratories Inc., 2001.
- Hazard Based Safety Engineering (HBSE) UL Supplement, Underwriters Laboratories Inc., 2003.
- Safety aspects, Guidelines for their inclusion in standards, ISO IEC Guide 51, Second edition, 1999.
- Risk management — Principles and guidelines, ISO 31000, First edition, 2009-11-15.
- Risk management – Risk assessment techniques, IEC ISO 31010, Edition 1.0, 2009-11.
- Guidelines for safety related risk assessment and risk reduction for low voltage equipment, IEC Guide 116 (C/1614/DV, 2010-01-22).
- Risk Assessment Guidelines for Consumer Products, Official Journal of the European Union: OJ L22 Vol 53, 26 January 2010, Part IV, Appendix 5.
- Dependability Management, Part 3 Application Guide – Section 9 Risk Analysis of Technological Systems, IEC 60300-3-9, First Edition.
- Fault Tree Handbook, NUREG-0492, Nuclear Regulatory Commission, Washington D.C., 1981.
- Fault Tree Handbook with Aerospace Applications, NASA, Washington D.C., 2002.
- Potential Failure Mode and Effects Analysis in Design (Design FMEA), SAE J1739, 2009.
“ASSET: The Evolution of Hazard Based Safety Engineering into the Framework of a Safety Management Process” coming in the December 2012 issue.
© 2010 IEEE. Reprinted, with permission, from the proceedings of the 2010 IEEE International Symposium on Product Compliance Engineering.
© 2012 UL LLC. All rights reserved. This document may not be reproduced or distributed without authorization.
ASSET is trademark of UL LLC
ASSET and HBSE workshops are available through UL.
is a Sr. Research Engineer and Distinguished Member of Technical Staff at UL LLC (Underwriters Laboratories, Melville, NY) with nearly 30 years of applied practice in safety engineering. He is a registered Professional Engineer (P.E.) and principal instructor and practitioner of Hazard Based Safety Engineering (HBSE). He has led development of Applied Safety Science and Engineering Techniques (ASSET™), including the ASSET Safety Management Process for informed decisions to achieve, maintain and continuously improve safety as a design objective. This work has recently been recognized with a 2011 IEEE Region 1 Award for Technological Innovation.
This and related hazard analysis and risk assessment work has been extensively published and presented, including keynote presentation on the safety of consumer electronics into the future at the 2012 International Conference on Consumer Electronics (ICCE) by the IEEE CES, 2012 Advanced Product Safety Management course at St. Louis University, 2010 and 2011 International Symposium on Product Compliance Engineering by the IEEE Product Safety Engineering Society, 2011 IEEE Chicago Argonne National Laboratories Technical Conference, International Consumer Product Health and Safety Organization (ICPHSO 2011), Association of Southeast Asian Nations (ASEAN), Asia Pacific Economic Cooperation – Joint Regulatory Advisory Council (APEC JRAC Risk Assessment Workshop), American Society of Safety Engineers (ASSE) and NASA (2009 NASA Aerospace Battery Workshop).
An IEEE Senior Member, Tom is Founding Chair of the Long Island, NY Chapter of the IEEE Product Safety Engineering Society (PSES) and Vice Chair of the IEEE Risk Assessment Technical Committee (RATC). He serves as technical expert in committees for electric shock protection and risk management, including US National Committee Technical Advisory Groups (USNC TAGs), the International Electrotechnical Commission (IEC TC64 MT4) and the International Organization for Standardization (ISO 31000 / ANSI Z690). He can be contacted at +1.631.546.2464 or firstname.lastname@example.org.