The Role of Risk Assessment in Innovative Product Development
How this critical methodology ensures safety and facilitates innovative product development worldwide
by Louis Bialy
This article was first presented at the 2018 International
Elevator & Escalator Symposium in Istanbul. For more information on December 7-8, 2020’s event in Amsterdam and to participate, visit www.elevatorsymposium.org.
Risk assessment has been utilized extensively for many applications in the elevator industry for more than 20 years. Due to its importance to the industry, ISO 14798 Lifts (Elevators), Escalators and Moving Walks – Risk Assessment and Risk Reduction Methodology was developed by international experts under the International Organization for Standardization (ISO) umbrella. A principal use of this methodology has been for the development of innovative products. One of the objectives of this article is to demonstrate how ISO 14798 and other risk assessment methodologies have been incorporated in or normatively referenced in important national and international safety standards, and how this form of utilization may increase in the future. Another objective is to illustrate how risk assessment can be used as a valuable aid to innovative elevator product development. Pertinent examples relating to the determination of the subject to be studied, the establishment of viable teams, the formulation of scenarios and the effective mitigation of risk are described. Moreover, the role and responsibilities of the team moderator are discussed, and approaches to the building of consensus among the team members is addressed in some detail.
Innovation is the lifeblood of economic development, and risk assessment is a vital means of assuring the safety of innovative products not specifically addressed by prescriptive codes such as CEN EN 81-20/50 and ASME A7.1/ CSA B44. This paper elaborates on how risk assessment may be used to verify that safe, innovative products conform to the following when applicable: Essential Health and Safety Requirements of the Lifts Directive 2014/33/EU; the Machinery Directive 2006/42/EC; ISO 8100-20: Global Essential Safety Requirements (GESRs) and the ASME A17.7-2007/CSA B44-07 Performance-Based Safety Code for Elevators and Escalators.
Risk assessment has been used for many years in multiple industries as a structured method for identifying, evaluating and mitigating risk. There is a longstanding history of the use of various forms of risk assessment in the elevator industry for product design and installation, as well as passenger and worker safety purposes. Ultimately, the need for a unique elevator- focused risk assessment standard with global relevance became apparent. This need was emphasized by the emergence of innovative products that occurred with the publication of the Lifts Directive (LD) and its transposition into national regulations in the member states of the European Union (EU) in 1997.
By way of clarification, the LD and Machinery Directive (MD) that preceded it were intended to prevent technical barriers to trade between EU member states. They contained Essential Health and Safety Requirements (EHSRs), which were essentially written in performance language. The MD and LD also contained conformity- assessment processes intended to ensure adherence to the requirements of the directives. The MD and LD could be met by complying with the requirements of harmonized standards, such as CEN EN 115 and CEN EN 81-1/2. As an alternative, the MD and LD EHSRs could be complied with directly, provided that all relevant hazards had been identified and addressed. Moreover, the conformity-assessment process had to be followed. The certification process could best be achieved using a Notified Body.
The fact that the EHSRs were written in performance, rather than prescriptive, language provided latitude for the development of innovative products. While the MD and LD were valid only in the EU, it became clear that the innovative products that emerged would have global appeal. It, thus, became evident that a globally relevant risk assessment methodology was an essential part of a portfolio of standards needed to facilitate the deployment of safe, innovative products worldwide.
Development of ISO 14798
The need for a risk assessment methodology that could be accepted worldwide was recognized by ISO TC 178, and a resolution was taken to develop a suitable document. A team of international experts from Europe, Asia-Pacific and North America embraced the task under ISO/TC 178 Working Group (WG) 4. Many different methodologies were studied, and the document ultimately developed represented a broad consensus. The document is entitled ISO 14798: Lifts (Elevators), Escalators and Moving Walks – Risk Assessment and Reduction Methodology.
The methodology provides a structured approach to risk assessment, including determination of the reasons for the risk assessment; formation of the team; determination of the subject of the assessment and identification of scenarios; and as risk estimation, evaluation and reduction. Teams were established in Europe, Asia-Pacific and North America to test the validity of the methodology. Each team independently addressed the same risk assessment studies. When compared by WG 4, the results were very close, thus illustrating the cogency of the methodology.
Use of ISO 14798
The risk assessment process constitutes a versatile tool that can be applied in multiple situations. The methodology is particularly valuable for use in product development if the design is innovative or not covered by published standards. In such cases, a preliminary design is subjected to a structured process in which hazardous situations and causes of possible harm are evaluated by the risk assessment team. Protective measures are developed, if necessary, to sufficiently mitigate identified risks.
Formation of the Risk Assessment Team
The composition of the risk assessment team is vital to the validity of the risk assessment outcome. It is vital that the members of the team are knowledgeable and qualified in the subject of the risk assessment and the details of the issues under consideration. It is important that a diverse range of expertise is represented in the team. In general, the different engineering disciplines upon which the function and safety of the equipment depends, as well as manufacturing, installation, servicing, inspecting and safety personnel, should be considered for the team. It is imperative that the team be impartial and empowered to carry out the task without consequence to or intimidation of any of the members.
There is no fixed number of team members for any given risk assessment, and the appropriate expertise is more important than the exact number of participants. Experience has shown that if there are too few members in the team, one member may dominate, and the team may be misled. On the other hand, if there are too many members, the result is no better, and it can be more difficult to reach a consensus. As a guideline, approximately eight members plus the moderator is a suitable team size for most purposes.
Role of Moderator
The role of the moderator is crucial to the success and validity of the risk assessment. For the best outcome, the moderator should be knowledgeable in the subject matter and experienced in leading and facilitating teams. The moderator should be capable of leveraging the talent of the team, and ensuring all points of view are fully expressed and that due process is followed.
One of the most important tasks of the moderator is to assist the group in reaching consensus. Voting can be used when consensus is difficult to reach but should be considered only as a last resort. A modified “Delphi method” can be used. This process assigns numerical values to the choices only for the purpose of reaching a decision. The votes are secret, and the average is calculated. The team is informed of the average, then votes again in secret until no further convergence occurs. The choice corresponding most closely to the final average is declared the decision of the group. Further descriptions of the role of the moderator are provided in ISO 14798 Clause 4.2.3 and Annex E1 and E4.
Subject of Risk Assessment
It is very important that the subject of the risk assessment be clearly defined and articulated to the team. This process is described in detail in ISO 14798 Clause 4.3. The moderator has the overall responsibility for keeping the team focused on the subject; however, all team members have a role in ensuring this. The risk assessment is typically documented as shown in Figure 1.
Formulation of Scenarios
In formulating a scenario, it is important to clearly distinguish between the hazardous situation, the causes and the effects. Identification of the hazards is the first step in the process, and ISO 14798 Table B1 is a helpful aid to this end. A hazard is a potential source of harm, and a hazardous situation occurs when a person, property or the environment is exposed to the hazard. As a simple example, a lift suspended or moving in a hoistway is a potential source of harm, as it may fall or stop suddenly. If a passenger is present in such a lift, the passenger is exposed to the source of harm. Thus, a passenger in a lift in a hoistway is a hazardous situation. A hazardous situation is not harmful in itself, but harm can occur as a result of a cause. If, for example, the suspension means fails, the lift would fall, thus endangering the passengers. The result of such a fall could be harm to the passengers and damage to the equipment.
The risk of harm is dependent on the possible severity of the harm and the probability of occurrence. The assessment of these elements is subjective in nature and challenging for the team. With regard to severity, ISO 14798 Clause 18.104.22.168 defines four levels: high, medium, low and negligible. It is important the team does not attempt to make medical judgments in assessing severity levels but, rather, use its expertise to determine the potential seriousness of a particular event. While reaching consensus can be challenging for the team, it is more readily achieved in terms of severity than probability.
ISO 14798 Clause 22.214.171.124 defines six levels of probability, ranging from highly probable to highly improbable. In assessing probability, it is essential that the team considers the frequency and duration of the exposure, the probability of the harmful event occurring and the possibility of avoiding or limiting the harm (e.g., if the doors are open and the lift is not present, users have a chance of not stepping into an open hoistway).
It is important that the team determines the highest level of risk for a given scenario, rather than the risk with the greatest severity. For example, a risk level of 2C or 3B is higher than a risk level of 1E, even though the latter has the higher severity level. Sometimes, teams display a reluctance to assess the probability as level “F.” Level “F” is highly improbable, but it is intended to be used in the risk assessment when appropriate.
Reaching consensus can be a time-consuming process, and patience and understanding are key attributes the moderator and the team need to exercise.
Figures 2 and 3 are very useful in guiding the team in the evaluation of risk. They illustrate that similar action is taken in a given risk group in several cases, even though the probability component is different. Thus, for example, risk levels 1A, 1B, 1C and 1D are all in the same risk group. This gives a measure of robustness to the process, as the team often struggles to reach a consensus on probability levels, but the required action is often the same, even with differing probability assessments.
Protective measures are required to address risks that fall into risk group I, while no action is necessary for risks that fall into risk group III. Risks that fall into risk group II need further consideration by the team. Such further consideration should take into account current societal values.
Societal values are complex and by no means uniform. They evolve with time and should be reexamined from time to time. In general, members of society are concerned about safety, comfort, convenience and value. The expectations of society regarding safety constitute an evolving process. Early automobiles had no passenger restraints, and this was acceptable to society. Over the years, seatbelts, followed by airbags, became the norm. More recently antilock braking systems and similar features have become more familiar. Modern metro stations feature platform doors that prevent passengers from falling onto the railway track. In the same way, in the past, lift passengers tolerated lifts not leveling at the floor. This is no longer accepted. There is now an increasing expectation that the lift doors will stop before a passenger in their path is contacted.
Passengers also expect comfort while in the lift. This includes the temperature and quality of the air, sensation of motion and pressure changes on the ears, ride smoothness, etc. Passengers do not expect sudden stops of the lift or entrapment within the car.
Building owners and passengers expect the lift service to be convenient and reliable. Long waiting periods are not acceptable, nor are frequent breakdowns and situations where lifts are out of service.
Societal expectations are paramount considerations in assessing whether further protective measures are appropriate. The feasibility and practicality of further measures also needs to be considered. Furthermore, the effectiveness of further measures needs to be evaluated. For example, experience has shown that certain structural factors of safety and robustness criteria have led to low probabilities of failure. Increasing such criteria will not materially improve safety but will add to weight, energy consumption, etc. Reducing operating speeds of lifts and lift doors can reduce the effects of impacts but will add to passage times and inconvenience.
Society is not totally risk averse. Most people understand that the world is not totally safe and that there is a degree of risk in everything they do. As times and technologies change, people continuously recalibrate their tolerance for risk. One of the tasks of the team is to find the appropriate balance between the ideal, the feasible and the practical, taking societal values into account at the time the risk assessment is carried out.
Reduction of Risk
The team should endeavor to follow the following hierarchy of risk reduction throughout the process of risk reduction.
Eliminate the Hazard, if Feasible
This is the most effective way of reducing risk, but it is not always feasible. This is particularly true when the hazard is directly connected to the function of the elevator. For example, the function of an elevator is to carry passengers up and down a building. However, the height of the elevator in the hoistway is a hazard, as the elevator car can fall. Clearly, it is not feasible to eliminate the elevator car, the height or the passengers without eliminating the function the elevator provides.
If, on the other hand, the hazard is not directly connected to the function, it is feasible to eliminate the hazard. For example, a handrail with a sharp edge installed in the elevator car is a hazard. Eliminating the sharp edge does not in any way affect the function of the elevator.
Protect or Guard Against the Hazardous Situation
When it is not feasible to eliminate the hazard, guarding or protection should be applied. This action generally addresses the cause of harmful event. For example, if an elevator car carrying passengers is suspended in the hoistway, and the suspension means fail, this would result in the harmful event. Ensuring a robust suspension system and inspection protocol would help address the cause; however, the suspension may still fail, and a safety device that stops the elevator car would reduce the severity of the harmful event.
Warnings of Residual Risks and the Use of Protective Equipment
It is necessary to warn the user of the residual risk when the identified hazard cannot be eliminated or sufficiently mitigated. Such a warning serves to further mitigate the risk, as the user will normally take precautions consistent with the warning. As an example, if a passenger boards a downward moving escalator, the height of the escalator constitutes a falling hazard. This cannot be eliminated without eliminating the function of the escalator. If the passenger slips on the steps or loses balance, this would be a cause of a harmful event.
Making the step surface slip-resistant and providing a handrail that moves synchronously with the steps are risk-mitigating actions. However, if the passenger fails to grasp the handrail, or decides to walk on the moving escalator, he or she could still lose his/her balance and encounter a harmful event. In this case, a warning or cautionary sign at the entrance to the escalator is appropriate to alert the passenger of the residual risk and, thus, further mitigate the risk.
In the case of personnel authorized to work on elevator equipment, it is sometimes necessary to remove safety guards or bypass safety systems to determine the causes of malfunctions. Such personnel should be trained to perform these functions safely. Protective equipment, such as fall protection, hard hats, safety shoes, safety goggles and safety gloves should also be used to reduce the risk of injury.
Elevator equipment should be designed to minimize the probability of defeating or circumventing protective measures.
It is important that the hierarchy of risk reduction be followed. It is imperative that warnings or protective equipment are used in addition to (and not in place of) design improvements, guards and installed protection means.
Determination of Whether Risks Have Been Sufficiently Mitigated
Once the hazard has been eliminated or protective measures implemented, the risk should be reevaluated, and a determination made as to whether a residual risk remains. If such a residual risk requires further mitigation, additional protective measures are implemented until the risk has been sufficiently mitigated. Protective measures can introduce new risks, and these need to be identified and mitigated, as well. It should be noted that protective measures usually reduce the probability of occurrence but may reduce the severity, or both probability and severity.
Risk Assessment and Performance- Based Standards
A major trend over the last two decades has been the swift advancement in technology. This has had major consequences on all aspects of life, including the elevator industry. The development of prescriptive standards is, by its very nature, slow and deliberate, with the result that prescriptive standards have not been able to keep up with the pace of innovation in the elevator industry. The MD and LD provided a path to the development and deployment of innovative products on the European market, and it was, thus, recognized that a global approach was needed to extend the European model worldwide.
ISO TC/178 again took the initiative to develop a suitable standard. The work was again undertaken by the international experts of WG 4. Starting from basic principles, the team applied ISO 14798 to develop the GESRs of ISO 22559-1 (since renumbered as ISO 8100-20). This document was followed by three additional documents: ISO 22559-2/3/4 (since renumbered as ISO/TS 8100-21/22/23).[7-9]
ISO 8100-20 defines 48 GESRs that are written in performance language and address the safety objectives of elevators. They are accompanied by explanatory narratives intended to assist the user in fully addressing the GESRs. The standard also contains guidance on its application, which includes the use of risk assessment to satisfy the GESRs. A recent update includes an annex, which identifies specific EHSRs from the MD and LD that need to be addressed for an innovative elevator product to be acceptable. ISO 14798 is listed as a normative reference in ISO 8100-20.
ISO/TS 8100-21 provides a list of Global Safety Parameters (GSPs) intended to assist the user in providing protective measures for the mitigation of risks. The GSPs are indexed to the GESRs of ISO 8100-20 but are not mandatory, as the risk may be mitigated by eliminating the hazard, or other suitable parameters may be applied. ISO/TS 8100-21 also lists anthropometric data to assist in the selection of GSPs related to body-part dimensions. Examples pertaining to the use of risk assessment in addressing particular GESRs using corresponding GSPs as protective measures are provided. ISO 14798 is listed as a normative reference in ISO 8100-21.
ISO/TS 8100-22/23 provide Global Conformity Assessment Procedures and general requirements for the certification of elevator systems, components and functions. These documents also provide accreditation requirements for Global Conformity Assessment Bodies. These documents are intended to provide a global conformity assessment procedure carried out by globally recognized competent authorities similar to the Notified Bodies of the EU.
As the demand for innovative products increased in North America, it became evident that a structured approach to acceptance would be helpful to both AHJs and manufacturers. To this end, A17.7/B44.7 was developed based upon the ISO 8100-20 GESRs and ISO 14798 risk assessment methodology. A17.7/B44.7 describes the process to be used to establish safety using the GESRs, and it provides a list of safety parameters consistent with A17.1/B44 prescriptive code. Accredited Elevator/Escalator Certification Organizations (AECOs) were created to provide independent verification and certification of equipment developed in compliance with A17.7/B44.7. These organizations are accredited by the American National Standards Institute or Standards Council of Canada.
Use of Performance-Based Standards and Risk Assessment in Innovative
For innovative products, the simplest approach in all regions is to basically follow the appropriate prescriptive code, except where the innovative product differs from the code. For elevators in the EU, EN 81-20/50 would be followed, and the relevant EHSRs of the MD and LD would be identified and satisfied where the innovative product differs from EN 81.
On completion of a comprehensive risk assessment, a technical dossier that contains complete technical information relating to the design, as well as the risk assessment document and a listing of the EHSRs in the MD and LD that have been addressed in the dossier, would be created. The dossier would also contain maintenance and inspection information pertaining to the equipment being certified. The technical dossier would be presented to any Notified Body (NB) accredited to certify elevator systems. The NB may request additional information or reevaluation of any portion of the dossier, including the risk assessment. The NB may also request demonstrations of the actual equipment, witness tests or take any further action believed to be necessary. The NB is under no obligation to approve the submittal. When it is satisfied that the MD and LD have been met, a certificate to that effect is provided. It is important to note that such certification is valid throughout the EU.
In the case of North America, the A17.1/B44 code would be used as a baseline. Deviations from this code would be addressed by complying with relevant GESRs of A17.7/B44.7 and conducting a risk assessment. A Code Compliance Document similar to the technical dossier described above would be generated and provided to an AECO. The certification process is similar to that described above. It should be noted that code approval in North America is on a jurisdictional basis. It is, thus, necessary to present the AECO certificates to and gain approval from each jurisdiction separately.
and conformity assessment is complex. Moreover, these important standards have not yet been adopted everywhere. It is, however, evident that using ISO 14798 to demonstrate compliance with ISO 8100-20 is a strong starting point to gaining approval for innovative products in specific areas. This is particularly true in areas whose prescriptive codes are aligned with EN 81 or A17.1/B44. However, local approval is necessary in all countries, and this can be a challenging task.
Looking to the Future
Considerable progress has been made in the development and adoption of risk assessment methodology and performance-based standards in many parts of the world. Efforts continue to revise and update these standards to ensure they represent the state of the art and continue to serve users’ needs. In this context, ISO 8100-20 has recently been revised, and the latest version has been published. A major revision of ISO 14798 is underway at present, with the objective of ensuring it represents the state of the art, addresses the latest technologies (such as SIL-rated design) and is user friendly.
It is envisaged that, with the passage of time, greater adoption and usage of ISO 14798 and 8100-20/21/22/23 will take place. Moreover, ultimately, an environment will be created where a single certification anywhere will be acceptable everywhere.