Risk management
Following ISO/IEC 15288:2015 [1], risk management process is one of technical management processes.
Historically it was mainly defined in ISO 31000 [2] and ISO Guide 73 [3]. Detailed set of risk management activities and
tasks is provided in ISO/IEC/IEEE 16085 [4]. ISO 9001 standard [5] provides risk-based preventive action requirements
in subclause 8.5.3.
According to [1], “The Risk Management process is a continual process for systematically addressing risk throughout the
life cycle of a system product or service. It can be applied to risks related to the acquisition, development, maintenance or
operation of a system.”
In general, the framework of transition process includes activities and tasks according to Table 1:
Table 1. Risk management activities and tasks
Activities
a) Plan risk management
b)
Manage the risk
profile
Tasks
1)
Define the risk management strategy
2)
Define and record the context of the Risk Management process
1)
Define and record the risk thresholds and conditions under which a level of risk
may be accepted
2)
Establish and maintain a risk profile
3)
Periodically provide the relevant risk profile to stakeholders based upon their
needs
c)
Analyze risks
1)
Identify risks in the categories described in the risk management context
2)
Estimate the likelihood of occurrence and consequences of each identified risk
3)
Evaluate each risk against its risk thresholds
4)
For each risk that does not meet its risk threshold, define and record
recommended treatment strategies and measures
d)
Treat risks
1)
Identify recommended alternatives for risk treatment
2)
Implement risk treatment alternatives for which the stakeholders determine that
actions should be
taken to make a risk acceptable
3)
When the stakeholders accept a risk that does not meet its threshold, consider it
a high priority and monitor it continually to determine if any future risk treatment
actions are necessary
4)
e)
Monitor risks
Once a risk treatment is selected, coordinate management action
1)
Continually monitor all risks and the risk management context for changes and
evaluate the risks when their state has changed
2)
Implement and monitor measures to evaluate the effectiveness of risk
treatments
3)
Continually monitor for the emergence of new risks and sources throughout the
life cycle
Standards of I&C systems and software for nuclear industry (like IEC 61513 [6], etc.) takes special attention to the
hazards, hazardous events and hazardous situations relating to the control systems (in all modes of operation), for any
reasonably foreseeable circumstances, including fault conditions and reasonably foreseeable misuse:
7.4.2.3 The hazards, hazardous events and hazardous situations of the EUC and the EUC control system shall be
determined under all reasonably foreseeable circumstances (including fault conditions, reasonably foreseeable
misuse and malevolent or unauthorised action). This shall include all relevant human factor issues, and shall give
particular attention to abnormal or infrequent modes of operation of the EUC. If the hazard analysis identifies that
1
malevolent or unauthorised action, constituting a security threat, as being reasonably foreseeable, then a security
threats analysis should be carried out.
7.4.2.4
The event sequences leading to the hazardous events determined in 7.4.2.3 shall be determined.
All these aspects should be carefully analysed and the results of the analysis are usually reported in the set of consequent
documents like «safety case» being released during nuclear facility project.
References
1. ISO/IEC 15288:2015 «System engineering - System life cycle processes»
2. ISO 31000:2018 «Risk management — Principles and guidelines»
3. ISO Guide 73:2009 «Risk management — Vocabulary»
4. ISO/IEC 16085:2006 «Systems and software engineering — Life cycle processes — Risk management»
5. ISO 9001:2015 «Quality management systems - Requirements»
6. IEC 61513:2001 «Nuclear power plants - Instrumentation and control important to safety - General requirements for
systems»
2