Reflections on risk analysis in the lift sector
It is well known that since the Lift Directive has been in force, more than twenty years now, it is no longer necessary for lift installers to follow prescriptive standards. They still exist and many operators comply with them, otherwise they would no longer be written down. However, other operators, particularly in specific situations, install lifts whose compliance with the essential health and safety requirements (EHSRs) of the Directive is obtained differently.
As much as we believe that these are already widely known topics, we summarise in a few words the usual procedure that is followed in these cases. The installer, having designed the lift, and possibly having made a prototype, carries out a risk analysis of his solution in the light of the EHSRs and submits it to a body notified under the Directive. The notified body examines the risk analysis and then possibly approves it. The installer then is authorised to install the lift and, once it has undergone a final examination with positive results, puts it into operation, after drawing up an EU declaration of conformity and CE marking.
The risk analysis can be conducted following different procedures; there are no obligations in principle. However, the lift world has decided to propose a common methodology, which has been implemented with the publication of the (voluntary) standard, EN ISO 14798.
It is not the purpose of this article to illustrate it in its entirety but to make some reflections on this not marginal issue.
Not respecting prescriptive standards is a very serious and demanding matter. These standards summarise, and periodically update, the experience of the whole sector in terms of safety. They are issued drawing on the knowledge of tens, hundreds, thousands of experts, on millions of installations and billions of trips. In the case of ISO standards, these are experts from all over the world.
A risk analysis made by a company involves, or it should involve, a group of people, which is however limited. In the same way, the experience of a notified body is important but does not include that of the whole sector.
To list the hazards to be taken into account, in the light of the EHSRs, is already a serious commitment. Appendix B of ISO 14798 is of great help in this, but individual solutions may not include some of these situations in their own scenario, or perhaps present others.
After that, for each dangerous situation, the risks are estimated and then assessed according to the standard, defining for each of them the severity of the damage, and the probability of it occurring. We believe that this method should be universal, except for the details. What is specific to ISO 14798 is to suggest a classification of the severity levels into four, and of the probability levels into six.
In drafting the update of a text published by the Italian sector association ANACAM on the safety and health of workers in lift SMEs, which refers to the installation and maintenance of the lift rather than its use, an assessment with a four-level classification of probability was proposed.
Nevertheless, it would be possible to further multiply the levels, going into more detail, and this is what is being discussed in the sector. The topic is not trivial, because there is a feeling that sometimes we work with insufficient professionalism on these issues, potentially with serious consequences.
The proliferation or not of levels is more about probability than about severity. It is in fact quite unquestionable that if a person falls into a lift shaft for a certain number of metres, he or she risks dying, just as he or she risks being badly maimed if not killed when leaning over an open door of a shaft while the car is moving. Many accidents lead to minor injuries, but in principle, their severity could be much worse.
However, the probability has its correspondent in frequency. An event that has historically occurred on average once a year, all things being equal, i.e. without measures being taken to lower or raise this frequency, has the probability of occurring once a year from now on too.
There are two considerations here.
The first is, starting from the knowledge we have of the past, the determination of how many and what levels of probability we want to consider. In ISO 14798 (clause 4.5), six levels are proposed, named with the letters of the alphabet, and corresponding to these definitions: highly improbable, unlikely, remote, occasional, probable. In appendix C the standard explains what is meant by these terms “precisely”, i.e.: in substance zero; unlikely to occur in a life cycle of the installation; may occur in the life cycle; likely to occur at least once; likely to occur many times; occurs frequently. I have quoted the adverb “precisely”, because in reality, these are not precise definitions, as you can see. It also goes without saying that if we do not define how long the life cycle of the lift is, we are far from giving figures.
The second reflection, which is fundamental, emerges from the reading of clause 126.96.36.199 of the standard which, rightly, suggests evaluating, among other elements, statistical data and the history of accidents to establish one level or another of probability.
In this respect there are two elements to consider:
Coming to a concrete topical issue, let us mention the devices that until recently were called PESSRAL, and now SIL level devices. These safety components that have been present on lifts for some time have little history, in some applications none yet on the market. Others are not available as they are derived from privately owned experimental lifts. How is it possible to seriously apply the method suggested by ISO 14798 in these cases?
In the experts’ opinion, we are upstream of the problem of deciding how many probability levels we want to estimate, because even before that, we should have numbers to work on. In short, the discussion whether a device has a certain level of intrinsic safety (SIL) or another has no solid basis if there are no precise data to discuss.
In the face of some inevitable uncertainties in defining the SIL of a device, and therefore in using it really safely, the proposal of some in the sector is to estimate the duration of the devices’ useful life and replace them before the probability of critical malfunction is too high. We would point out that a PESSRAL that even once does not adequately check whether a landing door is open or closed can lead to a fatal accident. If in its place there was a traditional electromechanical device, experience can show how many (in truth, very few) accidents there have been due to a critical malfunction. The well-known principle is that if a door appears to be open, perhaps without being open, the lift stops because the interlock electrical circuit is interrupted.
In short, there is the tangible risk that the replacement of a device that for the moment seems to work very well is certainly a good solution for the maintenance business, but it can be misleading from the safety point of view, with even serious consequences.
One does not need to be a statistical expert to understand that, if we estimate that a device will have a critical malfunction once a year, this does not at all mean that we can make it work for 364 days quietly, and replace it on the 365th. That failure could, in principle, occur on any day of that year. Of course, if there is wear-and-tear involved, the probability of a failure increases with time, but this is not a general situation. An electromagnetic device, for example, where there is no mechanical movement, is not subject to that kind of wear. It is also necessary to understand what is meant by malfunction. If a fault is such when it causes the lift to stop, from a safety point of view, it is welcome. If the fault consists in the failure of the car safety gear in the event of excess speed, it is a much worse matter.
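The distinction drawn above between a constant failure rate and a wear-driven one can be checked numerically; the following is an added example, not part of the original article. It assumes that "once a year" means a mean time to failure of one year, and it uses a Weibull lifetime with an assumed shape of 3 to stand in for a component that wears (shape 1 is the no-wear case).

```python
import math

def survival(t, shape, mean=1.0):
    """P(device has not failed by age t, in years) for a Weibull lifetime.
    shape == 1 is a constant failure rate (no wear); shape > 1 models wear-out."""
    scale = mean / math.gamma(1.0 + 1.0 / shape)
    return math.exp(-((t / scale) ** shape))

def p_fail_before(t, shape, mean=1.0):
    """P(failure occurs before age t)."""
    return 1.0 - survival(t, shape, mean)

def failures_per_year(shape, replace_at, mean=1.0, steps=20000):
    """Long-run in-service failures per year when the device is renewed on
    failure and also replaced preventively at age `replace_at` (years).
    Renewal-reward result: P(fail before T) / E[min(lifetime, T)]."""
    h = replace_at / steps
    # E[min(lifetime, T)] is the integral of the survival function over [0, T],
    # evaluated here with the trapezoidal rule.
    inner = sum(survival(i * h, shape, mean) for i in range(1, steps))
    expected_age = h * (0.5 * survival(0.0, shape, mean) + inner
                        + 0.5 * survival(replace_at, shape, mean))
    return p_fail_before(replace_at, shape, mean) / expected_age

if __name__ == "__main__":
    # Chance that the "once a year" failure has already happened by day 364.
    print(f"P(failure before day 365), constant rate: "
          f"{p_fail_before(364 / 365, 1.0):.3f}")
    cases = ((1.0, "no wear (constant rate)"),
             (3.0, "wear-out (assumed shape 3)"))
    for shape, label in cases:
        for interval in (0.25, 0.5, 1.0):
            rate = failures_per_year(shape, interval)
            print(f"{label:28s} replace every {interval:4.2f} y -> "
                  f"{rate:.3f} failures/year")
```

With a constant rate the result stays at one failure per year whatever the replacement interval, and the failure has already occurred before day 365 in about 63% of cases; only in the wear-out case does earlier replacement lower the figure.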
Therefore, to have not a certainty (which never exists), but an excellent probability of not having accidents, it is necessary not so much to establish a more or less short life cycle before replacing the component, but to implement the best possible protective measures, in compliance with the precautionary principle or, if one wants to use the language of the Machinery Directive, the principle of safety integration. Until proven otherwise, to be reasonably sure that a lift door, if opened, causes the lift to stop, an electromechanical solution might be inherently better than one without mechanical elements.
Similarly, in order to mitigate the risk of a maintenance technician hitting the lift shaft slab while standing on the car roof, either the lift can be maintained without ever having to climb on the roof (but the risk will never be zero if there is a material possibility to do so), or a sufficiently high headroom is made, where even a maintenance technician standing two metres tall, with the maximum of bad intentions, cannot physically hit the slab with his head, because in the meantime the counterweight has been stopped downward and the car must stop as well. On this point, there are some questionable risk analyses, which have given rise to more or less questionable solutions that are common on the market today.
Sometimes, unfortunately, it is clear from the outset where for some (usually economic) reason one wants to go, and the so-called expert is in charge of finding a way that looks convincing. Only experience will then tell whether the chosen solution is effective. On the other hand, it is also true that an excess of prudence would stop the evolution of the state of the art, and some risks must be taken, especially if others take them.