Most countries have product safety laws and nonfulfillment can expose a manufacturer to liability apart from being detrimental to reputation. Those found responsible for an incident can even be prosecuted and held personally liable. While consumer products have adequate product safety laws, the situation is different for both manufacturers and users of medium and high voltage equipment. While most such products are covered by technical standards, few aim to maximize safety. Instead, the focus is on product reliability and availability to minimize business interruption. Yet simultaneously maximizing safety and availability/reliability are not necessarily opposing goals. Responsibility for safety lies with those in top management who have the authority to put the right processes in place and check their effectiveness and execution. This edited contribution to INMR by Thomas Schütte of ABB Switzerland Ltd., Micafil Bushings in Zurich and Rolf M. Zoellner at TÜV SÜD Industrie Service GmbH, Risk Management in Munich reviews recent efforts at one high voltage equipment manufacturer (the OEM) to refine internal product safety processes by integrating advanced methods. An independent external auditing and certification authority (the Observer) then assisted fulfillment of applicable product safety laws. This article demonstrates how a structured product safety process can be applied, including preparation of proper documentation, adequate risk identification and mitigation measures as well as execution of risk reviews.
Structured Product Safety Process
Most consumer products have adequate standards or guidelines in place that establish a ‘state-of-the art’ benchmark for safety-related design and function. Strict adherence ensures that the companies and people involved in any ‘incident’ can avoid liability. Examples of such rules are: the pressure equipment directive, the low voltage directive, the machinery directive, etc. On the other hand, dedicated product safety laws for high voltage equipment, in particular bushings, are still not commonly available. With lack of relevant guidelines, a bushing manufacturer must establish their own processes to ensure adequate product safety. An appropriate process must be established and monitored such that, in the event of an incident impacting people, evidence can be presented that reasonable efforts were applied to ensure state-of-the-art product safety. The OEM bushing manufacturer in this instance found that application of relevant chapters of the European machinery directive 2006/42/EC, in combination with the related harmonized European and international standard ISO 12100, offer an adequate and state-of-the-art approach to address product safety aspects. This directive and ISO standard are well established in the industry and have consistently been updated. It is obvious that a bushing is not a machine and that the machinery directive is European law only. Nonetheless, the structured and comprehensive approach described below is a perfect fit and safety relevant chapters can be applied directly to bushing design and manufacturing such that one can safely demonstrate ‘reasonable effort’ when it comes to proving that safety was suitably addressed.
Safety risks (injury or death) typically associated with high voltage bushings include:
• explosions and being hit by ejected parts;
• burns & cuts;
• electric shock;
• falling from high elevations during installation/maintenance work.
The manufacturer needs to ensure that all relevant safety risks are appropriately assessed and addressed even during the development phase. According to the ‘V’-curve (Fig. 2), the manufacturer also has to ensure that all 6 stages of the typical product life cycle are being considered:
1. design & manufacturing;
6. maintenance & de-commissioning/disposal.
During risk assessment (step 3 of the V-curve), all relevant risks are identified. A required risk reduction/mitigation measure can either be considered by adapting the design itself or by providing or implementing certain risk mitigation measures. These can include:
• S: Changing the design such that the unsafe condition is entirely avoided => implement an intrinsically safe design => most effective;
• T: Implementing technical risk reduction measures => less effective but often still sufficient;
• O: Implementing organizational measures, e.g. providing recommendations/instructions in manuals => the least effective measure since it depends on training and discipline of people to adhere to instructions provided. It is also known that even well-trained people often fail when in a stress situation;
• P: Procedures that raise awareness of safety risks and help mitigate these.
The S.T.O.P. principle meets the requirements for risk mitigation approaches as defined in the European Machinery Directive 2006/42/EC. In other words, the principle is considered mandatory and legally binding for the European market through Annex I of this directive. The related risk assessment process to identify the need for risk mitigation measures according to the S.T.O.P. principle applies different approaches. These allow:
• Identifying the relevant hazards and risk exposures;
• Determining the superordinate risk elements that constitute the risk: frequency of occurrence and consequences;
• Deciding whether the risk, defined as the product of frequency of occurrence and consequences, meets risk acceptance limits or whether additional risk mitigation is required;
• Deciding about effectiveness of any additional risk mitigation measures so as to meet risk acceptance limits.
A risk assessment process should ideally be performed by a team that includes representatives of all disciplines involved in product development, operation, maintenance and dismantling, e.g. mechanical engineers, electrical engineers, instrument engineers, project manager, production manager, quality manager. Moreover, lessons learned from daily practice improve effectiveness and efficiency of risk assessment. It is also good practice to involve an independent third party that accompanies and moderates the risk assessment process.
A risk assessment process starts with a hazard identification study (HAZID) and is a qualitative methodological approach for systematic identification of potential hazards and risks. The scope of the HAZID depends on the technical system and its sub-systems and must include all relevant phases in the life cycle. The HAZID itself is a combination of identification, analysis and brainstorming performed by a team. Key words are used in order to identify potential and hazardous effects as well as threats. A typical guideline for the hazard identification is provided in the EN ISO 12100, Annex B. Typically the catalogue of possible hazards includes categories as listed below:
The next step is to determine the frequency of occurrence, or the probability, of the identified hazards and categorize them on the Y-axis (according to Fig. 4).
The categories for consequences or extent of any damage are displayed on the X-axis according to Fig. 5.
Based on these categorical scales, a risk matrix is developed and related risk acceptance limits for its individual cells are included. The resulting risk matrix and risk acceptance areas are shown in Fig. 6.
The potential hazards identified in the HAZID study are then typically evaluated without any risk mitigation measures. This approach allows properly documenting a benchmark for the effectiveness of each risk mitigation measure. Fig. 7 illustrates an example for 3 hazards labeled as ‘event 1’, ‘event 2’ and ‘event 3’. In a next step appropriate risk mitigation measures according to the S.T.O.P. principle will be applied. Either frequency of occurrence or extent of damage are reduced or even both – which is the most effective risk reduction approach. Residual risk is then determined and it must be decided whether additional measures are required or whether the residual risk is sufficiently controlled (see Fig. 8).
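As an added illustration (not code or data from the article or the OEM), the risk-matrix evaluation of Figs. 7 and 8 carried through for three constructed events: each is first scored without mitigation, then shifted on the frequency and/or consequence axis by a S.T.O.P. measure, and the residual risk is checked against acceptance limits. The category scales, acceptance limits and the step sizes attributed to each measure are all assumptions.

```python
# Added example: ordinal risk matrix (frequency x consequence) with
# acceptance areas and S.T.O.P. mitigation shifts. All scales, limits
# and events below are constructed; the article's own Figs. 4-6 are not shown.
from dataclasses import dataclass, replace

# Frequency categories (Y-axis), rare to frequent (constructed).
FREQUENCY = ["improbable", "remote", "occasional", "probable", "frequent"]
# Consequence categories (X-axis), minor to worst (constructed).
CONSEQUENCE = ["minor injury", "serious injury", "single fatality", "multiple fatalities"]

# Constructed acceptance limits on the rank product:
# < 4 acceptable, 4..7 tolerable only with justification, >= 8 unacceptable.
ACCEPTABLE, TOLERABLE, UNACCEPTABLE = "acceptable", "tolerable", "unacceptable"


@dataclass(frozen=True)
class Hazard:
    name: str
    frequency: str
    consequence: str


def risk_score(h: Hazard) -> int:
    """Risk as the product of the 1-based frequency and consequence ranks."""
    return (FREQUENCY.index(h.frequency) + 1) * (CONSEQUENCE.index(h.consequence) + 1)


def classify(h: Hazard) -> str:
    score = risk_score(h)
    if score >= 8:
        return UNACCEPTABLE
    if score >= 4:
        return TOLERABLE
    return ACCEPTABLE


def mitigate(h: Hazard, freq_steps: int = 0, cons_steps: int = 0) -> Hazard:
    """Apply a measure by moving the hazard down the frequency and/or
    consequence scale. A design change (S) can move both axes; technical (T)
    and organizational (O) measures here only reduce frequency (assumption)."""
    f = max(0, FREQUENCY.index(h.frequency) - freq_steps)
    c = max(0, CONSEQUENCE.index(h.consequence) - cons_steps)
    return replace(h, frequency=FREQUENCY[f], consequence=CONSEQUENCE[c])


def residual_risks(plan):
    """plan: list of (hazard, measure label, freq_steps, cons_steps).
    Returns {name: (unmitigated class, residual class, residual score, label)}."""
    out = {}
    for h, label, fs, cs in plan:
        r = mitigate(h, fs, cs)
        out[h.name] = (classify(h), classify(r), risk_score(r), label)
    return out


# Constructed events mirroring the three hazards of Fig. 7.
EVENTS = [
    (Hazard("event 1: explosion, ejected parts", "probable", "multiple fatalities"), "S", 3, 2),
    (Hazard("event 2: burns and cuts", "occasional", "serious injury"), "O", 1, 0),
    (Hazard("event 3: electric shock", "occasional", "single fatality"), "T", 2, 0),
]

if __name__ == "__main__":
    for name, (before, after, score, label) in residual_risks(EVENTS).items():
        print(f"{name}: {before} -> {after} (score {score}) after {label} measure")
```

Event 2 stays in the tolerable area after the organizational measure alone, which is the situation in which the process asks whether additional measures are required.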
The risk assessment process has to be repeated whenever new risks are identified, e.g. at a later stage during operations. The following 3 selected examples from this particular OEM each fall into one category of the S.T.O.P. principle.
Example O (Organizational Measures): Operation & Maintenance Manuals
The importance of carefully prepared operation and maintenance manuals is often disregarded. Yet they are the most important documents ensuring product safety for personnel dealing with a bushing throughout its service life. A risk that could have been foreseen during the design phase by the manufacturer applying reasonable effort but not appropriately addressed in the manual can result in unnecessary risk and even in serious injury or death. This OEM decided to adapt a structured product safety process and perform detailed risk analysis (Fig. 9) followed by designated risk reviews.
The detailed risk analysis lists all dedicated risk mitigation measures that are then often addressed with specific remarks in the bushing manual (see example in Fig. 10).
It must be noted that, even with the best training and instruction, people tend to make mistakes and, under stress in particular, can sometimes make bad choices.
Example T (Technical Measures): New Measurement to Identify Potentially Defective Connections on Bushing to Reduce Risk of Catastrophic Failures Impacting People
Condenser-type bushings are the state-of-the-art technology for high voltage bushings predominantly used on transformers. They have been manufactured for decades and are extremely reliable. Although they require little maintenance, it is still common practice within the industry to regularly test the quality of the electric connections between the electrically conductive layers of the bushing and external connection points, e.g. voltage measuring taps or grounding connections. These connections are intended to provide a solid bonding to the dedicated conductive layers of the condenser bushing (see mark-ups in Fig. 11).
The connections are often soldered and could, over the years and in rare cases, become disconnected. In such events, a loosened connection could cause premature and sudden failure of the bushing that can also damage associated equipment such as the transformer on which it is installed. Depending on failure mechanism, people could be harmed during such catastrophic failure. Bushings should therefore be checked on a regular basis in order to maintain maximum reliability and availability. Here, the OEM encountered an increased failure risk probability on a specific type of bushing (IEEE style only). A probabilistic safety risk assessment method was conducted by applying state-of-the-art risk assessment tools (Failure Mode and Effects Analysis or FMEA). The following parameters were chosen for the FMEA:
• Risk factor 1 (RF1) – cause and effect: number of catastrophic bushing failures in relation to the overall population of bushings of this type in operation (i.e. number of explosions per year);
• RF2 – risk reduction measures: technical/organizational that can be implemented to reduce the risk;
• RF3 – number of affected bushings with potential failure risk on the transformer (typically 3 on a step-down transformer);
• RF4 – average individual time people spend in vicinity of transformer (in h/year);
• RF5 – possibility of a person to avoid injury by evacuating the endangered zone (typical value 1.0 since an explosion happens quickly and leaves no time to evacuate the vicinity);
• RF6 – risk of serious injury or death (likelihood of a person to be seriously hurt in case of a failure while standing next to the transformer).
The individual ‘risk of serious injury or death’ can now be calculated as the number of years between deadly occurrences:
Individual Risk = RF1 * RF2 * RF3 * RF4 * RF5 * RF6
This approach is typical for event tree analysis (ETA). For each RF the frequency of occurrence or probability is determined. Ideally, this data can be derived and evidenced from operational experience. For that purpose relevant data can be processed from databases that ensure comprehensiveness and representativeness. In case only a few incidents are observed in the field, zero error statistics can be used as an acknowledged, heuristic and conservative statistical approach. In case no definitive or proven data from field experience is available, plausible and explainable assumptions have to be established by the risk assessment team, utilizing uncertainty-reducing methods such as the Delphi technique. Also in this case, involvement of an independent third party expert organization is of advantage. Such organizations can assist, based on experience from other industrial sectors and technical systems, in determining an appropriate value for the frequency of occurrence or probability.
Determining the effectiveness of risk mitigation measures that can be applied for each of the RF is similar. Ideally, definitive values of the risk mitigation effectiveness can be directly derived from the risk mitigation measure’s design. For example, the Safety Integrity Level (SIL) or Performance Level (PL) of a safety function according to functional safety standards such as IEC 61508 and EN ISO 13849 directly indicates the risk reduction factor (RRF) achieved by using that safety function for risk mitigation. Moreover, approaches such as the Layer of Protection Analysis (LOPA) according to IEC 61511-3 provide examples of the generic effectiveness of measures that match with the S.T.O.P. principle. In all other cases, effectiveness has to be determined by the risk assessment team following principles of objectivity, plausibility and provability.
In this specific case, multiplication of the above RF parameters resulted in an unusually high residual risk value ‘years per serious injury or death’. The calculated value could then be compared with values commonly accepted within industry/society and was also compared with company-internal acceptance levels. The residual risk value was found to be above acceptable risk levels and the OEM then decided to immediately inform customers of the situation to ensure that nothing would happen to people or installations concerned. The OEM also provided a safety information letter explaining immediate organizational measures that would ensure that a safe condition could be established at all times. The immediate organizational risk mitigation measures impacted the operations of customers and the OEM quickly developed technical measures to be applied in lieu of organizational measures. Again, the OEM applied their structured product safety process and performed detailed risk analysis. This was followed by designated risk reviews to confirm that newly developed testing and the additional protection devices are as effective as the organizational measures that the OEM initially recommended be put in place. Again, a well-structured FMEA process was applied and in particular the guidelines of the functional safety aspects were considered to judge effectiveness of the risk mitigation measures.
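As an added illustration (not the OEM's FMEA and not code from the article), the event-tree product Individual Risk = RF1 * RF2 * RF3 * RF4 * RF5 * RF6 evaluated for a constructed fleet scenario before and after a technical measure, including a conservative RF1 estimate for the case where few or no failures have been observed. The unit conventions (RF4 converted to a fraction of the year, RF2 as a reduction factor between 0 and 1), the zero-failure estimator, the acceptance limit and all numbers are assumptions.

```python
# Added example: ETA-style individual risk from the six RF parameters.
# Unit conventions and all numeric inputs are assumptions, not article data.
import math
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class RiskFactors:
    rf1_failures_per_bushing_year: float  # catastrophic failures per bushing in service, per year
    rf2_reduction_factor: float           # 1.0 = no measure; a measure with RRF 100 gives 0.01
    rf3_bushings_per_transformer: int     # typically 3 on a step-down transformer
    rf4_hours_near_transformer: float     # average individual exposure, h/year
    rf5_cannot_evacuate: float            # 1.0: an explosion leaves no time to leave
    rf6_p_serious_injury: float           # probability of serious injury or death if present


def conservative_failure_rate(failures: int, bushing_years: float, confidence: float = 0.95) -> float:
    """Estimate RF1 from fleet data. With zero observed failures the point
    estimate would be 0, so the one-sided Poisson upper bound
    -ln(1 - confidence) / T (about 3/T at 95 %) is used instead; this is one
    common form of a conservative zero-failure estimate (assumption)."""
    if bushing_years <= 0:
        raise ValueError("need positive bushing-years of service")
    if failures == 0:
        return -math.log(1.0 - confidence) / bushing_years
    return failures / bushing_years


def individual_risk_per_year(rf: RiskFactors) -> float:
    """Expected serious-injury events per exposed person per year."""
    exposure_fraction = rf.rf4_hours_near_transformer / HOURS_PER_YEAR
    return (rf.rf1_failures_per_bushing_year * rf.rf2_reduction_factor
            * rf.rf3_bushings_per_transformer * exposure_fraction
            * rf.rf5_cannot_evacuate * rf.rf6_p_serious_injury)


def years_between_events(rf: RiskFactors) -> float:
    """The article's reporting form: years per serious injury or death."""
    return 1.0 / individual_risk_per_year(rf)


def acceptable(rf: RiskFactors, limit_per_year: float) -> bool:
    return individual_risk_per_year(rf) <= limit_per_year


# Constructed scenario: 8 catastrophic failures in 40 000 bushing-years of the
# affected type, no measure yet, 500 h/year spent near the transformer.
BASELINE = RiskFactors(conservative_failure_rate(8, 40_000), 1.0, 3, 500.0, 1.0, 0.5)
# Technical measure (T) with an assumed risk reduction factor of 100.
WITH_TECHNICAL_MEASURE = RiskFactors(BASELINE.rf1_failures_per_bushing_year, 0.01, 3, 500.0, 1.0, 0.5)
# Constructed acceptance limit: one serious injury per 100 000 person-years.
ACCEPTANCE_LIMIT = 1e-5

if __name__ == "__main__":
    for label, rf in [("baseline", BASELINE), ("with T measure", WITH_TECHNICAL_MEASURE)]:
        verdict = "acceptable" if acceptable(rf, ACCEPTANCE_LIMIT) else "above limit"
        print(f"{label}: {years_between_events(rf):,.0f} years per event, {verdict}")
```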
The OEM engaged an external auditing and certification authority (Observer) to review product safety processes. The Observer also reviewed the process of development activities for the new test and additional protection devices specifically developed for this safety risk. This structured and externally assessed approach was key to ensuring that the newly introduced technical risk mitigation measures would be adequate to reduce safety risks to desired acceptance levels. A technical risk mitigation measure is always more effective and therefore preferred over an organizational risk reduction measure. The OEM made sure that customers were enabled to substitute the instructions in the previously submitted safety advisory with the newly developed technical risk mitigation measures to enhance safety of people.
Example S (Intrinsically Safe Designs): Increased Product Safety by Applying FEM Modeling for Seismic & Lifecycle Fatigue Calculations
Organizational or technical risk mitigation measures are necessary only if the original design bears an unacceptable risk for people. It is however a better approach to design the system such that the unsafe condition is entirely avoided. Such safe systems by design are then described as ‘intrinsically safe designs’. The following example explains how such a design can be developed using advanced design tools and validation processes. Premature failure of a bushing can always result in increased safety risks and expose people to risks as listed in 1 – but also as a consequence of the resulting power interruption. The OEM is by law required to assess safety risks of premature failure. In the case of a bushing, these can result from electric, thermal and/or mechanical stress. Mechanical stress can occur due to seismic stress or life cycle fatigue contributors. For example, continuous heavy wind loading can induce vortex forces behind the bushing and away from the wind, causing the bushing to oscillate with its Eigenfrequency and resulting in premature ageing.
FEM Modeling: Increasing Product Safety & Reliability – Seismic Stress
Fig. 12 shows an example of an RIP bushing that has been modeled in an advanced FEM environment (finite element modeling). The bushing can be exposed to virtually any specified seismic spectrum once the correct material properties are configured in the system. To determine whether a bushing can withstand the seismic stress, it is essential to have comprehensive know-how of material properties, e.g. flanges are typically made of metal, which is an isotropic material. Far more complex is correct modeling of anisotropic materials such as composite materials (RIP = resin impregnated paper or RIS = resin impregnated synthetics). This in-depth knowledge, however, is crucial for proper modeling of a bushing’s seismic behavior and determination of design boundaries.
Modeling requires confirmation through a comprehensive validation process. In this particular case, real-life tests of bushings on a shake table test were performed to calibrate the FEM tools. The calibrated tools were then used to check for critical stress zones in particular in the composite material of the insulator as well as the cast flanges (Figs. 13 & 14). Another important aspect is thorough knowledge of stress zones in the bushing flange, in particular if the flange is made by means of casting. Figs. 15 & 16 show how maximum stress is modeled and can then be optimized by altering design so that maximum stress levels are never exceeded.
In the past, this OEM had encountered quality issues whereby some flange suppliers did not adequately control the casting process. Together with Swiss universities, the OEM recently modeled the best casting methods and is now in a position to specify and ensure optimum quality, so that flanges used are capable of handling maximum stress under all (seismic) loading conditions.
All validated FEM models of bushings can then be integrated into the overall transformer FEM model to verify that the transformer, including the modeled bushings, is able to withstand all seismic forces. Installing the bushings on a transformer can easily change the characteristic response of the bushing to seismic loading (see Fig. 19). As such, it is important to consider this effect in the overall analysis to ensure that the bushing remains intact and does not endanger people standing nearby or cause outages by failing prematurely.
FEM Modeling: Increasing Product Safety & Reliability – Lifecycle Fatigue
Another topic for the OEM in their effort to develop an intrinsically safe bushing design was to consider relevant life cycle fatigue elements. One component particularly prone to life cycle fatigue on an RIP bushing is the flange, manufactured of cast aluminum. In particular, high winds can cause vortex oscillation on large bushings (see Figs. 20 & 21) and, over time, have a detrimental impact on lifetime. A manufacturer has to consider these effects to ensure that their products always meet the exceptionally long service life customers have come to expect from bushings.
Correct application of relevant product safety tools and standards ensures compliance with the law and is crucial for safety of people while also maximizing plant reliability. It is therefore essential to implement and follow strict product safety processes and that this starts early in the design phase and includes all relevant safety aspects throughout the entire lifecycle – including de-commissioning and disposal. Applying standardized and adequate processes can help allocate resources more selectively and often reduces overall cost during the entire product lifetime. The OEM in this analysis found that a straightforward approach to communicate potential safety risks to customers before something occurs and people get hurt was highly appreciated. Protection of human life is of utmost importance and application of state-of-the-art methods is essential.