1 Risk evaluation Risk treatment

2 Risk Management Process Risk Management Process

3 The main elements of the risk management process are: Context identification –Identify areas of relevance and the background and structure of the evaluation. Develop risk evaluation criteria, against which risk is to be evaluated. Risk identification –Identify what, why and how things can go wrong as the basis for further analysis. Risk analysis –For each hazard analyse, evaluate and document their consequences. –Estimate their likelihood /frequency.

4 Risk Management Process Risk Management Process Risk evaluation –Combine consequence and likelihood to produce an estimated level of risk for each hazard. –Compare estimated levels of risk agianst pre-established criteria. –This enables risks to be ranked so as to identify management priorities. –If the levels of risk established are low, then risks may fall into an acceptable category and treatment may not be required. Risk treatment –Accept and monitor low-priority risks. –Identify options for risk treatment for hazards with non acceptable risks. –Assess alternative treatment options, which includes consideration of funding.

5 Risk classification -When quantitative methods are used to describe the severity end frequency of a hazard, it is possible to produce a numerical value for the associated risk by combining these two values. -This is however not possible when qualitative measures are used. -In such cases risk can be described by using a risk class (risk level, risk factor). -The use of risk categories is common even where numerical values are used for severity and frequency of hazards, as this simplifies the adoption of standards and guidelines. -Most standards define a set of risk classes and then set out development and design techniquesappropriate for each category of risk.

6 Risk classification Severity of a hazardous event Frequency / probability of a hazardous event Risk classification

Risk classification - IEC 61508

The acceptability of risk -ALARP ALARP = As Low As is Reasonably Practicable

9 The acceptability of risk -ALARP -IEC divides level of risk into three levels: -Unacceptable -As Low As is Reasonably Possible (ALARP) -Acceptable -The uppermost level represents hazards where the risk is so great that it is deemed to be intolerable. -The lowermost level represents hazards where the risk is so small that it generally can be neglected. -In between these two levels lies a third level where a risk, though not insignificant, may be acceptable under certain circumstances. -The criterion for acceptance of a particular risk is based on a decision as to whether it is as low as is reasonable practicable (ALARP). This is based on the benefits of the system and the cost of any further reduction. -A risk within the ALARP level is never acceptable if it easily can be reduced.

10 The acceptability of risk Acceptable risk Unacceptable risk

11 Levels of integrity Safety requirements differs widely between applications and is related to the risks involved. One can view the differing safety requirements in terms of the level of risk reduction required. High-risk systems require far more risk reduction compared to low-risk systems. –A nuclear reactor protection system requires more risk reduction than an electric toaster!

12 Levels of integrity -Differing requirements for safety systems lead to the concept of levels of integrity for safety-critical -Safety integrity: The likelihood of a safety-related system satisfactorily performing the required safety functions under all the stated conditions within a stated period of time. -Although safety integrity can be expressed quantitatively, it is more common to allocate a system a safety integrity level. -Safety integrity levels can be expressed both quantitatively, in terms of measures of performance, or qualitatively, in terms of system characteristics.

13 Levels of integrity -Various standards classifies safety-critical systems into a different number of integrity levels. -IEC defines 4 different integrity levels, where level 1 represents the least critical level and level 4 the most critical level. For each level: -the standard sets out target failure rates for systems operating in continuous mode (failures per year) and on demand mode (failures on demand). -the standard also gives guidance on design - and development techniques that must be used for each level.

Allocation of integrity levels Severity of hazardous event Frequency of hazardous event Risk classification Integrity classification HW integrity classification Systematic integrity classification SW integrity classification Risk: measure of the likelihood, and consequences of a hazardous event. Safety integrity: measure of the likelihood of the safety system correctly performing its tasks.

15 Achievable levels of integrity? When developing critical systems, one must both: –Achieve a high level of integrity –Demonstrate that this has been done Unfortunately, the latter often proves to be difficult, and perhaps even impossible, for critical systems. Possible requirements can be : less than 1 failure pr 1000 years, years or years of operation. At present we know of no method of testing a system to demonstrate this level of performance. Is it possible to demonstrate this: –At present we know of no method of testing a system to demonstrate this level of performance. –Instead, requirements to which activities that must be performed are listed.

16 Risk treatment Possible options for risk treatment: -Avoid the risk by deciding not to proceed with the activity likely to generate risk (where this is practicable). -Reduce the likelihood of the occurrence -Reduce the consequences -Transfer the risk -Retain the risk

17 Exercises -Chapter 4: 7, 9, 14, 17, 20, 21, 23