ISO 31010 Risk Assessment Techniques and Open Systems: Jean Cross
- 15 -
Sixth Workshop on Open Systems Dependability Tokyo, 2017-10-21
4. To understand risk more broadly as a background to planning. This will result in actions to reduce risk even though particular risks may not be identified.

Different measures of risk are discussed that allow for events to be unpredictable and consequences to be represented by a distribution. It is also recognised that understanding risk involves data analysis and modelling as well as applying specific techniques. The techniques described in the annex are categorized in the following way:
• Eliciting views from stakeholders;
• Identifying risk;
• Determining sources and drivers of risk;
• Investigating the effectiveness of controls;
• Understanding consequences, likelihood and risk;
• Analysing interactions and dependencies;
• Selecting between options;
• Evaluating the significance and tolerability of risks;
• Recording and reporting.

The techniques included are those used by members of the committee, who are experts nominated from different countries. Some of the techniques were used in dependability applications as long ago as the middle of the last century. Techniques were developed to fulfil the need at the time. Although there are few techniques explicitly intended for open systems, techniques have evolved over time and continue to evolve, and many can be used in a broad range of situations outside their original application. Techniques can be adapted, combined and applied in new ways or extended to satisfy current and future needs.

IV. OPEN SYSTEMS

A. Conventional life cycle stages

In open systems boundaries and responsibilities are unclear, and no one has a complete understanding of the system, which is complex and changing. An open system includes hardware, but people and software have an important role, and people are involved in more complex ways as decision makers, rather than only as operators as considered in the past. Dependability management for open systems is often described through the DEOS life cycle model illustrated in Figure 1.

Every manager, whether in an open or closed system, has objectives and defined authorities and responsibilities. Every manager needs to think about what might happen to affect those objectives and what they are able to do so that their objectives are achieved in the best way, i.e. the 31000 process is still applicable. Figure 2 shows where the various techniques listed in 31010 can be used in this process. Conventional techniques such as failure modes and effects analysis, fault tree analysis and Hazop are still useful as part of achieving the required availability and reliability of subsystems. In an open system risks at the interfaces between subsystems and with enabling systems are critical, and as the system becomes more complex these risks become more difficult to identify. Consensus techniques such as the Ishikawa method can be useful here.

31010 extends the concept of risk assessment to include the assessment of risk in decisions when there is a need to select between options, i.e. where options may have both
positive and negative consequences and trade-offs between objectives may be required. This may involve cost benefit analysis where, as well as expected costs and benefits, uncertain costs and benefits and potential events are taken into account. Multi-criteria analysis can be used here.

The DEOS life cycle model introduces two additional cycles, change accommodation and failure response.
Figure 2 IEC/ISO 31010 Techniques in the risk management process from ISO 31000 FDIS
B. Change accommodation

When there is change in the environment or in the purpose of a system, risks are inevitably introduced. The initial risk assessment will have made various assumptions which may become invalid as time goes on. This means that during any risk assessment, parameters which are critical to the assessment need to be identified so they can be monitored. This is important for any system but becomes even more critical for open systems and may need some effort so that the right flags are identified for the changes that matter. A technique relevant to change detection is HACCP (Hazard analysis and critical control point). HACCP is a method developed for food safety that involves identifying the points in a procedure (or a system) where it is possible to check that things are working as they
should and intervene if they are not. HACCP provides a formal method to do this.

In an open system changes made in one part of the system can affect another part of the system. In pursuing their own objectives and managing their risks, a manager may make decisions which are very sensible from their viewpoint but that cause problems because of things they don't know and cannot be expected to know about other parts of the system. The Cindynic approach is a technique where interviews are carried out to find out the goals, values, rules, data and models of the different stakeholders. It then identifies dissonances and deficits. In this way the inconsistencies, ambiguities, omissions and ignorance that form systemic sources and drivers of risk can be identified.

Communication and feedback on outcomes of decisions that cross subsystem boundaries are essential so that interactions are better considered in the future. Influence diagrams can help identify where feedback should be sought.

A characteristic of open systems is that they may continue to operate far into the future, adapting to change as it occurs. One way of looking at the long term future and trying to imagine future scenarios is scenario analysis. This technique identifies possible futures through imagination, extrapolation from the present or modelling. What might happen is then considered for each of these scenarios. Scenario analysis has been used for long term planning in the social and political arena with fairly limited success. What people imagine for the long term future is often not what happens. When many operating industrial process plants were built no one could have predicted what modern control systems would look like or the extent to which they would depend on external systems. However, the drive to higher production, which means that plants operate outside their design requirements, could perhaps be predicted and planned for. The value of scenario analysis is that it encourages one to identify those changes that can be predicted from current trends and also to build in systems to detect change.

C. Failure response

Since the system is complex, risks will remain unidentified and failures will occur. The critical needs here are to identify early warning signs of failure before they escalate, and to undertake a root cause analysis (RCA) of failure in order to learn from it. IEC 31010 covers basic RCA techniques, but these are discussed in much more detail in IEC 62740 Root cause analysis.

D. The dependability case

The dependability of an open system is assured through a dependability case. In a dependability case a reasoned argument is made to support the contention that the system is dependable. One approach is to show through analysis, measurement and prediction that the required levels of the dependability attributes are achieved. The other approach is to identify risks to dependability and to demonstrate that those risks have been addressed. In order to make this argument the risks need to be analysed to show that the sources and drivers of these risks have been addressed. The use of some of the formal techniques in IEC/ISO 31010 can help provide justification for these arguments.
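As an added example for the change accommodation cycle described in B (and for the remark under scenario analysis that changes predictable from current trends should feed change detection), the following Python treats the assumptions behind a risk assessment as HACCP-style critical control points. It is not code from the paper or the DEOS project; the parameter names, limits, risk identifiers and readings are all constructed for illustration.

```python
# Added example (not from the paper or the DEOS project): the parameters an
# initial risk assessment relied on are recorded as HACCP-style critical
# control points, checked against current readings, and their recent trend is
# extrapolated so that a predictable breach is flagged early. All values constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class ControlPoint:
    parameter: str   # monitored quantity the assessment made an assumption about
    limit: float     # upper value the assessment assumed would not be exceeded
    risks: tuple     # risk register entries whose analysis depends on it

CONTROL_POINTS = (
    ControlPoint("peak_requests_per_s", 800.0, ("R1 overload", "R4 denial of service")),
    ControlPoint("external_idp_latency_ms", 250.0, ("R2 login failure",)),
    ControlPoint("privileged_accounts", 5.0, ("R3 privilege misuse",)),
)

def periods_until_breach(series, limit):
    """Least-squares line through the readings (oldest first); how many further
    periods until it crosses the limit, or None if the trend is not rising."""
    n = len(series)
    if n < 2:
        return None
    mean_x, mean_y = (n - 1) / 2, sum(series) / n
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(series))
    sxx = sum((x - mean_x) ** 2 for x in range(n))
    slope = sxy / sxx
    if slope <= 0:
        return None
    fitted_last = mean_y + slope * ((n - 1) - mean_x)
    return max(0.0, (limit - fitted_last) / slope)

def review(control_points, readings, horizon=4):
    """readings: parameter -> readings oldest first. Returns sorted
    (parameter, reason, risks_to_reassess) for every assumption that has
    failed, will fail within `horizon` periods on trend, or is unmonitored."""
    flags = []
    for cp in control_points:
        series = readings.get(cp.parameter, [])
        if not series:
            flags.append((cp.parameter, "no monitoring data", cp.risks))
        elif series[-1] > cp.limit:
            flags.append((cp.parameter, f"{series[-1]} exceeds {cp.limit}", cp.risks))
        else:
            eta = periods_until_breach(series, cp.limit)
            if eta is not None and eta <= horizon:
                flags.append((cp.parameter, f"trend reaches {cp.limit} in about {eta:.1f} periods", cp.risks))
    return sorted(flags)
```

An unmonitored control point is reported as a flag too, since an assumption nobody is checking is as much a reassessment trigger as one that has been breached.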
ANNEX: TECHNIQUES REFERRED TO IN TEXT

FMEA (Failure Modes and Effects Analysis): Considers the ways in which each component of a system might fail and the failure causes and effects.

FTA (Fault Tree Analysis): Analyses causes of a focus event using Boolean logic to describe combinations of failures.

Hazop: Examination of a planned or existing process or operation in order to identify and evaluate problems that might represent risk to personnel or equipment, or prevent efficient operation.

Ishikawa analysis: A team identifies contributory factors to a defined outcome (wanted or unwanted). These are usually divided into predefined categories and displayed in a tree or a fishbone diagram.

Multi-criteria analysis: Compares options in a way that makes trade-offs explicit. Provides an alternative to cost benefit analysis that does not need a monetary value to be allocated to all inputs.

Bayes networks / Influence diagrams: A graphical model of variables and their cause-effect relationships expressed using probabilities. An influence diagram includes variables representing uncertainties, consequences and actions.

Scenario analysis: Identifies possible future scenarios through imagination, extrapolation from the present or modelling. Risk is then considered for each of these scenarios.
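As an added illustration of fault tree analysis as defined in the annex, and of its use both under A (a conventional technique for subsystem reliability, including the interfaces to enabling systems) and under D (analysis and prediction in support of a dependability case), the following Python evaluates a small tree for its minimal cut sets and top-event probability. It is not code from the paper or the DEOS project; the gate structure, event names and probabilities are constructed for illustration.

```python
# Added example (not from the paper or the DEOS project): evaluating a small
# fault tree. Gate structure, event names and probabilities are constructed.
from itertools import product
from math import prod

# A node is a basic-event name (str) or a gate ("AND" | "OR", [children]).
# Top event: the service is unavailable. An external identity provider (an
# enabling system) sits alongside an internal redundant database pair.
TREE = ("OR", [
    ("AND", ["db_primary_fails", "db_replica_fails"]),  # both must fail
    ("OR", ["idp_link_down", "idp_cert_expired"]),      # either is enough
])

# Assumed independent per-year probabilities of each basic event (constructed).
PROB = {"db_primary_fails": 0.05, "db_replica_fails": 0.05,
        "idp_link_down": 0.02, "idp_cert_expired": 0.01}

def basic_events(node):
    """All basic-event names under a node."""
    if isinstance(node, str):
        return {node}
    return set().union(*(basic_events(child) for child in node[1]))

def occurs(node, failed):
    """Boolean evaluation of the tree for a given set of failed basic events."""
    if isinstance(node, str):
        return node in failed
    gate, children = node
    results = [occurs(child, failed) for child in children]
    return all(results) if gate == "AND" else any(results)

def all_states(tree):
    """Every combination of failed basic events (fine for small trees)."""
    events = sorted(basic_events(tree))
    for bits in product((False, True), repeat=len(events)):
        yield frozenset(e for e, b in zip(events, bits) if b)

def minimal_cut_sets(tree):
    """Smallest combinations of failures that cause the top event."""
    cuts = [s for s in all_states(tree) if occurs(tree, s)]
    minimal = [c for c in cuts if not any(o < c for o in cuts)]
    return sorted((sorted(c) for c in minimal), key=lambda c: (len(c), c))

def top_event_probability(tree, prob):
    """Exact top-event probability under independence, summed over all states."""
    events = basic_events(tree)
    return sum(prod(prob[e] if e in failed else 1.0 - prob[e] for e in events)
               for failed in all_states(tree) if occurs(tree, failed))
```

The single-event cut sets on the external interface dominate the result, which is the point made under A: in an open system the risks at interfaces with enabling systems deserve at least as much attention as internal redundancy.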