Classification Society Rulefinder 2020 - Version 9.33 - Fix
Classification Society Guidance Information - Guidance Notes for Technology Qualification, April 2017 - Chapter 1 Technology Qualification - Section 10 Risk assessment tools and techniques

Section 10 Risk assessment tools and techniques

10.1 Risk assessments in support of TQ

10.1.1 The following provides some guidance on the risk assessment tools and techniques that may be relevant to support the technology appraisal (stage 1 of TQ) or during implementation of the TQP (stage 2 of TQ).

10.1.2 This Section is not intended to provide full instructions for conducting the assessment techniques; for further details, reference should be made to the standards referenced below.

10.2 Hazard identification study (HAZID)

10.2.1 A prerequisite of risk assessment is hazard identification. A complete list of hazards related to a technology, subcomponent, equipment and system should be identified by means of a structured and systematic approach. A HAZID is one established technique for identification of all significant hazards.

10.2.2 Each identified hazard is reviewed to determine whether it is significant and requires further evaluation by applying hazard evaluation techniques.

10.2.3 It is important to record all identified hazards and the reasons for classifying some as not significant. This ensures traceability as the qualification progresses into later stages.

10.2.4 Hazards to personnel, the environment, and assets should be identified and potential associated risks should be evaluated. A formal hazard register should be prepared, detailing each hazard together with appropriate data such as potential cause, potential consequence, and actions for risk control measures.

10.2.5 More information on HAZIDs can be found in ISO 17776 Annex C.

10.3 Hazard and operability study (HAZOP)

10.3.1 A HAZOP study is a systematic examination of deviations from expected operational boundary conditions. It is performed by using a series of guidewords and parameters to identify if any of the combinations can occur, and if so the possible causes and consequences. In addition, existing measures to minimise causes and consequences are listed together with any recommendations to eliminate the deviation or improve upon the existing measures.

10.3.2 IEC 61882 may be referred to as a guide for HAZOP studies of systems, providing guidance on application of the technique and on the HAZOP study procedure, including definition, preparation, examination sessions, resulting documentation and follow-up.

10.4 Structured ‘what-if’ technique (SWIFT)

10.4.1 The SWIFT is similar to a HAZOP in that it is a structured brainstorming session; it uses a set of questions to stimulate discussion on consequences, safeguards and recommendations. Instead of using the guidewords and parameters in the HAZOP, standard ‘what-if’ type phrases and a set of ‘prompt’ words associated with the system are used to facilitate the discussion.

10.4.2 The SWIFT technique is described in ISO 31010.

10.5 Functional hazard assessment (FHA)

10.5.1 FHA is a ‘top-down’ safety assessment technique defined in SAE ARP4761. FHA is a predictive technique that attempts to explore the effects of functional failures of parts of a system.

10.5.2 FHA is first carried out for the whole system – working from a description of system functions. Then, following allocation of functions to the systems, FHA is performed again for each subsystem.

10.6 Failure modes, effects and criticality analysis (FMECA)

10.6.1 In the FMECA the function of each element of the system is analysed, and for each element consideration is given to the failures or incorrect performance that may occur. The associated cause of each failure and the corresponding effects of the failures are listed alongside each failure mode.

10.6.2 Each failure mode identified is ranked according to its importance or criticality. There are several ways this may be conducted. Common methods include: a measure of the probability that the mode being considered will result in failure of the system as a whole; the level of risk, obtained by combining the consequences of a failure mode occurring with the probability of failure; or a semi-quantitative measure of criticality, obtained by multiplying numbers from rating scales (usually between 1 and 10) for consequence of failure, likelihood of failure and ability to detect the problem.

10.6.3 IEC 60812 provides a procedure for an FMECA.

10.7 Fault tree analysis (FTA)

10.7.1 The FTA is used to qualitatively identify the potential causes and pathways to a failure. It can also be used quantitatively to calculate the probability of the failure given the probabilities of the causes.

10.7.2 IEC 61025 describes the process of an FTA and IEC 60300-3-9 gives guidelines on dependability management which is used to develop the fault tree of the system.

10.8 Event tree analysis (ETA)

10.8.1 The ETA is used to illustrate and quantify all possible outcomes from an initiating event by considering what can happen next. The tree is used to map the different ways the initiating event can escalate and the effectiveness of the control measures at each juncture.

10.8.2 IEC 62502 gives guidance on carrying out an ETA.
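
The quantification described in 10.8.1 can be shown with a short worked example. This is an added illustration, not part of the Guidance Notes or of IEC 62502; the initiating event, the control measures, their success probabilities and the outcome labels are constructed, and the control measures are assumed to act independently.

```python
from itertools import product

# Constructed scenario (assumption): a leak occurring 0.1 times per year,
# followed by three control measures with the given probability of working.
INIT_FREQ = 0.1
BARRIERS = [("detection", 0.9), ("shutdown", 0.95), ("suppression", 0.8)]

def consequence(worked):
    """Map one path through the tree (barrier name -> worked?) to an outcome.
    The outcome rules are constructed for this example."""
    if worked["detection"] and worked["shutdown"]:
        return "safe shutdown"
    if worked["suppression"]:
        return "limited damage"
    return "major loss"

def event_tree(init_freq, barriers, classify):
    """Enumerate every success/failure path and sum the frequency per outcome."""
    outcomes = {}
    for path in product([True, False], repeat=len(barriers)):
        freq = init_freq
        worked = {}
        for (name, p_success), ok in zip(barriers, path):
            freq *= p_success if ok else 1 - p_success
            worked[name] = ok
        label = classify(worked)
        outcomes[label] = outcomes.get(label, 0.0) + freq
    return outcomes

if __name__ == "__main__":
    result = event_tree(INIT_FREQ, BARRIERS, consequence)
    for label, freq in sorted(result.items(), key=lambda kv: -kv[1]):
        print(f"{label:15s} {freq:.4f} per year")
    # The outcome frequencies always add up to the initiating frequency.
    print(f"total           {sum(result.values()):.4f} per year")
```
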

10.9 Control hazard and operability study (CHAZOP)

10.9.1 A CHAZOP is a procedure for carrying out a safety and reliability analysis of existing or planned control or computer systems.

10.9.2 It is recommended that a CHAZOP is considered for the technology risk assessment for control system or software aspects of technologies.

10.9.3 It should follow the approach and intent of HAZOPs with the boundary as the control system instead of the operating plan.

