Risk Assessment and Management
Getting the Measure of Risk
• Having understood the potential accident sequences associated with a hazard (e.g. using ETA) …
• Next step is to determine the severity of the credible accidents identified
• Remember risk is the product of severity and probability of an accident
• Two different approaches:
  • Estimate probability of accident, and hence get a measure of accident risk… then decide whether estimated risk is acceptable
    • Used in many domains, including rail, military aerospace
    • Will discuss this approach first, using rail standards as example
  • Establish acceptable risk, and set probability targets
    • Civil aerospace approach (ARPs etc.)
    • Will discuss this approach later
Accident Severity
• Accident Severity Categories are qualitative descriptions of consequences of failure conditions (hazards)
  • considering likely impact
(EN 50126)
Accident Probability
Next, estimate (predict) accident probability
• Use historical results, analysis, and engineering judgment to determine appropriate qualitative probability category
• Note we may have to consider both
  • how likely hazard is to arise
  • how likely hazard is to develop into accident
(EN 50126)
Classifying Risk
• Having assigned severity and probability associated with hazard consequences …
• Next step is to use a Hazard Risk Matrix to classify the risk
(EN 50126)
Accepting Risk
Reasoning about risk
• Using HRI (Hazard Risk Index) now possible to say, e.g. Risk(Hazard H1) > Risk(Hazard H2)
• In order to say what is acceptable / unacceptable, must provide an interpretation, e.g.
(EN 50126)
Managing Risk
Risk Resolution
• Can associate objectives or actions with risk class, e.g.
  • technologies used
  • development processes
  • assessment criteria
• Example, for “undesirable” risk, might decide
  • no single point of failure shall lead to system accident
  • probability of fatality must be < 1x10^-8 per hour
  • failure behaviour over time (lifetime of system) must be estimated using accepted engineering mathematics and models
Determining Risk - Civil Aerospace Style 1
Start with determination of severity
• very similar to rail categories
(ARP 4761)
Determining Risk - Civil Aerospace Style 2
• When severity has been determined, can set objectives (requirements) for risk control
  • primarily boundaries on acceptable probability of failure condition (hazard)
(Adapted from ARP 4761)
Determining Risk - Civil Aerospace Style 3
For civil aerospace, severity-related objectives are set in standards
• easy to work with
• unambiguous
  • provided you can agree on standardised and objective measures of severity!
BUT
• Need to understand that direct mapping from severity to probability objectives is based on important assumption: Acceptable Risk is fixed and predetermined
Determining Risk - Civil Aerospace Style 4
Where does acceptable risk come from?
• in principle, requirements reflect “what risk the public is willing to accept”
  • risk (A) = probability (A) * severity (A)
  • level of acceptable risk hard to determine, and subjective
• in practice, certification bodies (airworthiness authorities) act as surrogates for the public
  • “bottom line” is hull loss rate
  • civil aviation hull loss rate target is currently 10^-7 per flying hour
  • for comparison, military aviation (UK) hull loss rate target is 10^-6 per flying hour
Determining Risk - Civil Aerospace Style 5
• Has further implications:
  • implicit assumption about number of catastrophic failure conditions on an aircraft
  • also implicit assumption about how probable failure condition is to actually develop into an accident
• Example:
  • probability objective (target) for catastrophic failure condition is < 10^-9 per flight hour
  • target hull loss rate is < 10^-7 per flight hour
  • implies either a maximum of 100 catastrophic failure conditions on an aircraft, assuming all occurrences of catastrophic failure conditions will develop into hull loss accident
  • or if more than 100, must be assumption that not all occurrences will result in loss of aircraft
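Carrying the budget arithmetic of this slide through in code, as an added example that is not part of the slides or of ARP 4761: it also generalises to the case where only a fraction of occurrences develop into a hull loss, and sums a list of failure conditions against the aircraft-level target. The failure conditions in SAMPLE are constructed for illustration.

```python
import math
from dataclasses import dataclass

# Objectives quoted on the slide (both per flight hour).
FC_TARGET = 1e-9          # catastrophic failure condition probability objective
HULL_LOSS_TARGET = 1e-7   # civil aviation hull loss rate target


@dataclass
class FailureCondition:
    name: str
    rate_per_fh: float    # predicted occurrence rate per flight hour
    p_hull_loss: float    # probability an occurrence develops into a hull loss


def max_conditions(p_hull_loss=1.0, fc_target=FC_TARGET, hull_target=HULL_LOSS_TARGET):
    """Largest number of catastrophic failure conditions, each exactly at its
    objective, whose summed accident rate still fits the hull loss target.
    round() guards against 1e-7/1e-9 landing a hair below 100 in floating point."""
    return math.floor(round(hull_target / (fc_target * p_hull_loss), 6))


def required_p_hull_loss(n_conditions, fc_target=FC_TARGET, hull_target=HULL_LOSS_TARGET):
    """With n_conditions catastrophic failure conditions at the objective, the
    largest fraction of occurrences that may end in hull loss without breaching
    the target (the slide's 'not all occurrences' assumption, made explicit)."""
    return min(1.0, hull_target / (n_conditions * fc_target))


def hull_loss_rate(conditions):
    """Aggregate hull loss rate; rare, independent events, so rates add."""
    return sum(fc.rate_per_fh * fc.p_hull_loss for fc in conditions)


def budget_check(conditions, fc_target=FC_TARGET, hull_target=HULL_LOSS_TARGET):
    """Per-condition objective check plus the aircraft-level budget check.
    Returns (names over the per-condition objective, aggregate rate, within target?)."""
    over = [fc.name for fc in conditions if fc.rate_per_fh > fc_target]
    total = hull_loss_rate(conditions)
    return over, total, total <= hull_target


# Constructed illustration, not data for any real aircraft.
SAMPLE = [
    FailureCondition("loss of all flight controls", 5e-10, 1.0),
    FailureCondition("uncommanded pitch-down", 2e-9, 0.3),
    FailureCondition("dual engine flameout", 8e-10, 0.5),
]

if __name__ == "__main__":
    print(max_conditions(), max_conditions(0.5), required_p_hull_loss(250))
    print(budget_check(SAMPLE))
```

Note that a single condition over its own objective (the pitch-down case in SAMPLE) is reported even when the aircraft-level sum is comfortably inside the hull loss target; both checks have to pass.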
Determining Risk - Civil Aerospace Style 6
• Note that objective of probability per flying hour has its problems…
• Consider:
  • histogram shows accidents / time
  • 1.8% of accidents occur in load / taxi / unload
The ALARP Principle 1
ALARP = As Low As Reasonably Practicable
The ALARP Principle 2
• Provides an interpretation of identified risks
• Pragmatic – although you can always spend more money to improve safety, it is not always cost-effective
• However, “cost-effectiveness” introduces ambiguity
• Regions of tolerability defined by regulatory domain and customer
• Approach is often implicit in the management of safety-critical projects anyway
• Helps focus attention on most critical hazards
Risk Reduction Flowchart 1
• Identify and determine risk associated with identified hazards
Precedence in Risk Reduction 1
• Redesign to eliminate risk
  • Best where practical
  • Change in operational role, or removal of hazardous material
• Redesign to reduce hazard likelihood
  • Select architecture or components
    • Duplex or triplex or …
    • Higher integrity components, with lower failure rates
• Incorporate mitigation to reduce impact of failures
  • Automated protection, e.g. pressure relief valves
  • Where incorporated, need to check periodically
    • To avoid dormant failures
Precedence in Risk Reduction 2
• Provide warning devices
  • Detect the hazardous condition and warn operators
    • e.g. indicate that landing gear has not fully deployed
    • e.g. to evacuate building due to fire or fumes
• Provide procedures and training
  • Reduce likelihood of hazard, or mitigate
    • may involve use of personal protective equipment
  • Do not assume procedures are enough by themselves
    • consider evolution of power guillotine regulations
• Precedence order
  • Elimination is enough by itself
  • Others used in combination, typically emphasising automation
Residual Risk 1
• Residual Risks are those that cannot be ‘designed out’
  • risks inherent to design, where benefit is desirable
• Significant residual risks must be formally accepted by the appropriate authority (typically customer / operator)
• Can use Decision Authority Matrix, e.g. (MIL-STD-882C)
Residual Risk 2
Appropriate Decision Authority (From MIL-STD-882C)
• HIGH – Service Acquisition Executive
  • e.g. no ground collision avoidance on F22 – signed off by 4-star Air Force General
• MEDIUM – Program Executive Officer
• LOW – Program Manager
• Usually a requirement to document all actions taken to resolve risk within terms of contract
• Customer authority can then decide whether to attempt to apply additional resources to resolve risk or forward decision to higher authority
Summary
• Risk Assessment is the process of identifying the risk associated with system hazards
• Approach in many sectors (military, rail…) is to use Hazard Risk Matrix to determine the risk associated with a hazard from severity and probability estimates
  • then decide on acceptability of risk
• Alternative approach (Civil Aerospace) is based around severity
  • assumption of fixed level of acceptable risk...
  • … so can derive objectives, including probability, from severity
• Both approaches can be used to define how risks should then be tackled in system development