ISO 11231:2010

INTERNATIONAL ISO
STANDARD 11231
First edition
2010-08-01
Space systems — Probabilistic risk
assessment (PRA)
Systèmes spatiaux — Évaluation du risque probabiliste (PRA)
Reference number
ISO 11231:2010(E)
ISO 2010
---------------------- Page: 1 ----------------------
ISO 11231:2010(E)
PDF disclaimer

This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but

shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In

downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat

Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation

parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In

the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,

electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or

Foreword ............................................................................................................................................................iv

Introduction.........................................................................................................................................................v

1 Scope......................................................................................................................................................1

2 Normative references............................................................................................................................1

3 Terms, definitions and abbreviated terms..........................................................................................1

3.1 Terms and definitions ...........................................................................................................................1

3.2 Abbreviated terms .................................................................................................................................3

4 Principles of probabilistic risk assessment .......................................................................................4

4.1 General ...................................................................................................................................................4

4.2 Safety risk assessment concept..........................................................................................................5

4.3 Concept of risk and probabilistic risk assessment ...........................................................................7

5 Objectives, uses, and benefits of probabilistic risk assessment.....................................................8

6 PRA requirements and process.........................................................................................................10

6.1 Probabilistic risk assessment requirements....................................................................................10

6.2 Overview of the probabilistic risk assessment process .................................................................10

6.3 Probabilistic risk assessment tasks..................................................................................................10

7 Peer review...........................................................................................................................................15

7.1 General .................................................................................................................................................15

7.2 Internal peer reviews...........................................................................................................................15

7.3 External peer reviews..........................................................................................................................15

8 Probabilistic risk assessment report — data content requirements .............................................16

Bibliography......................................................................................................................................................17

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies

(ISO member bodies). The work of preparing International Standards is normally carried out through ISO

technical committees. Each member body interested in a subject for which a technical committee has been

established has the right to be represented on that committee. International organizations, governmental and

non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the

International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of technical committees is to prepare International Standards. Draft International Standards

adopted by the technical committees are circulated to the member bodies for voting. Publication as an

International Standard requires approval by at least 75 % of the member bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent

rights. ISO shall not be held responsible for identifying any or all such patent rights.

ISO 11231 was prepared by Technical Committee ISO/TC 20, Aircraft and space vehicles, Subcommittee

Structured risk management processes use qualitative and quantitative risk assessment techniques to support

optimal decisions regarding safety and the likelihood of mission success, as provided for in ISO 17666. The

most systematic and comprehensive methodology for conducting these evaluations is probabilistic risk

Probabilistic risk assessment has, over the past three decades, become the principal analytic method for

identifying and analysing risk from project and complex systems. Its utility for risk management (RM) has been

proven in many industries, including aerospace, electricity generation, petrochemical and defence. PRA is a

methodology used to identify and evaluate risk, in order to facilitate RM activities by identifying dominant

contributors to risk, so that resources can be effectively allocated to address significant risk drivers and not

wasted on items that contribute insignificantly to the risk. In addition to analysing risk, PRA provides a

framework to quantify uncertainties in events and event sequences that are important to system safety. By

enabling the quantification of uncertainty, PRA informs decision makers on the sources of uncertainty and

provides information on the worth of investment resources in reducing uncertainty. In this way, PRA

supplements traditional safety analyses that support safety-related decisions. Through the use of PRA, safety

analyses are capable of focussing on both the likelihood and severity of events and consequences that

a) PRA allows a more precise quantification of uncertainty both for individual events and for the overall

b) PRA applies more informative evaluations that quantify metrics related to the occurrence of highly

adverse consequences (e.g. fatalities, loss of mission), as opposed to narrowly defined system

PRA also differs from hazard analysis, which identifies and evaluates metrics related to the effects of high-

consequence and low-probability events, treating them as if they had happened, i.e. without regard to their

likelihood of occurrence. In addition, the completeness of the set of accident scenarios cannot be assured in

the conduct of a hazard analysis. PRA results are more diverse and directly applicable to resource allocation

Through the PRA process, weaknesses and vulnerabilities of the system that can adversely impact safety,

performance and mission success are identified. These results in turn provide insights into viable RM

strategies to reduce risk and direct the decision maker to areas where expenditure of resources to improve

The most useful applications of PRA have been in the risk evaluation of complex systems that can result in

low-probability and high-consequence scenarios, or the evaluation of complex scenarios consisting of chains

of events that collectively may adversely impact system safety more than individually.

This International Standard supports and complements the implementation of the risk management process

defined in ISO 17666 in situations when application of quantitative risk assessment is deemed necessary.

This International Standard defines the principles, process, implementation and requirements for conducting a

quantitative risk assessment, and explains the details of probabilistic risk assessment (PRA) as applied to

safety. While PRA can be applied to project risk management involving cost and schedule, this application is

This International Standard provides the basic requirements and procedures for use of PRA techniques to

assess safety or mission risk and success in space programmes and projects. This International Standard is

⎯ the design of space and non-terrestrial planetary stations inhabited by human beings;

⎯ the design of space and launch vehicles powered by, or carrying, nuclear materials;

These types of projects generally involve scenarios, chains of events or activities that could result in the death

of, or serious injury to, members of the public, astronauts or pilots, or the workforce, or the loss of critical or

high-value equipment and property. For other types of projects, it is intended that PRA be performed at the

The following referenced documents are indispensable for the application of this document. For dated

references, only the edition cited applies. For undated references, the latest edition of the referenced

For the purposes of this document, the terms and definitions given in ISO 17666 and the following apply.

safety risk, the severity and the probability of which may be reasonably accepted by humanity, without durable

or irreversible foreseeable consequences on health, Earth, and the environment, at the present time and in

systematic and structured elicitation of likelihood data through estimation and assessment by specialists

NOTE 2 Mathematical aggregation of individual judgments is generally preferred over behavioural or consensus

probability of occurrence or measure for the occurrence rate or frequency of an event, a hazard scenario or

NOTE The likelihood reference frame is linked to the structure of the analysis. A typical reference frame in use in

quantitative or qualitative measure for the severity of a potential damage and the probability of incurring that

NOTE Risks arise from uncertainty due to a lack of predictability or control of events. Risks are inherent to any

project and can arise at any time during the project life cycle; reducing these uncertainties reduces the risk.

NOTE Risk contributors can be ranked relative to each other by their risk contribution (3.1.7).

measure of the decrease of the likelihood of a top consequence, when the events associated with the

NOTE 1 Risk contribution indicates (and is directly proportional to) the “risk reduction potential” of the risk contributor.

Important risk contributors are events, which have a high-risk contribution and risk reduction potential.

NOTE 2 Risk contribution provides a systematic measure that makes it possible to rank design and operation

constituents of a system from a safety risk point of view. It allows the identification of high risk or vulnerable areas in the

measure of the potential consequences of a hazard (e.g. expected number of casualties) considering the

probability of the associated mishap, the harm caused to people, and the damage caused to public and

NOTE 1 Safety risk is always associated with a specific hazard scenario or a particular set of scenarios. The risk posed

by a single scenario is called “individual scenario risk”. The risk posed by the combination of individual risks and their

NOTE 2 The magnitude of safety risk is represented by the severity and the likelihood of the consequence.

sequence or combination of events leading from the initial cause to the unwanted consequence

individual or organization that stands to gain or to lose as a result of risk consequences

lack of certitude resulting from inaccuracies of input parameters, analysis process, or both

NOTE Uncertainty can be represented as an interval with an upper and lower value or as an uncertainty distribution.

single event or particular set of events upon which the uncertainty of the top consequence depends

NOTE Uncertainty contributors can be ranked relative to each other by their uncertainty contribution (3.1.13).

measure of the decrease of the uncertainty of a top consequence, when the likelihoods of the events

associated with the corresponding uncertainty contributor are assumed to be without uncertainty

NOTE 1 Uncertainty contribution indicates (and is directly proportional to) the “uncertainty reduction potential” of the

uncertainty contributor. Important uncertainty contributors are events, which have a high uncertainty contribution and

NOTE 2 Uncertainty contribution provides a systematic measure that makes it possible to rank data and information

Probabilistic risk assessment assists engineers and managers in including risk results in management and

engineering practices and in the decision-making process throughout a project life cycle, for such aspects as

design, construction, testing, operation, maintenance and disposal, together with their interfaces,

Probabilistic risk assessment supports and interfaces with the risk management process by providing the

required relevant risk data. Risk assessment is an important task within the risk management process.

The steps in the risk management process, as described in ISO 17666, are as follows:

Step 2 constitutes a process and is also referred to as “risk assessment”. Once step 1 is completed, risk

assessment provides the information used to conduct the remainder of the risk management process. Risk

assessment provides the data upon which to base decisions concerning the design and implementation of

Step 3 includes the opportunity to decide whether the assessed risk is acceptable to programme/project

management and the stakeholders. If the risk is unacceptable, measures shall be taken to bring it down to an

acceptable level. If it is acceptable, management measures shall be taken (steps 4 and 5) to monitor the

Risk assessment can be performed qualitatively or quantitatively or both. Qualitative risk assessment is

performed by categorizing the likelihoods and consequences of risk as discussed below, where it applies to

In many cases, likelihoods and consequences need to be evaluated quantitatively. If sufficient statistical data

For rare (very low probability) events, where sufficient statistical data do not exist, the significance of important

risk drivers is assessed through probabilistic risk assessment. See Clause 6 for PRA requirements and

In the rest of this International Standard, PRA methodology primarily intended for safety applications is

discussed. Another form of risk assessment, called “programmatic risk assessment”, is used to assess the

risks of not performing within pre-defined programme schedule and cost estimates. In this process, schedule

profiles based on uncertainties in the originally defined schedule are modelled using simulation or Monte Carlo

methods. These uncertainties can occur due to a number of technical or management reasons. Subsequently,

the effects of schedule changes and of other technical or management impacts on cost are evaluated.

Programmatic risk is then evaluated in the form of distributions of probabilities of exceeding given schedule

The application of PRA to safety problems is discussed here. The safety risk assessment concept is derived

from PRA. Safety risk assessment complements deterministic hazard analysis by adding a probabilistic

dimension to the evaluation of hazards in support risk informed decision-making. The probabilistic dimension

The interface between safety risk assessment and hazard analysis is shown in Figure 1.

Safety risk assessment can be used to either assess the risks posed by individual hazard scenarios

separately, or assess sets of scenarios collectively, in the form of the overall risk posed by those scenarios.

The assessment of individual scenarios can be performed using consequence severity and scenario likelihood

categorization schemes by applying risk grids or risk matrices and risk indexes, as described in ISO 17666.

However, these risk matrix and index methods cannot be used to combine individual components of risk within

a scenario, or to combine scenarios to evaluate overall risk. These methods do not constitute combinatorial

Assessment of the overall risk posed by a particular set of scenarios requires the rigor of the PRA approach.

This assessment provides the basis for identifying and ranking risk contributors. Important contributors can

then be used for driving and optimizing the system design or operation from a safety performance point of

view. The calculated overall risk can also be compared to probabilistic safety targets or acceptance criteria.

Acceptable risks are defined by authorities or clients in step 1 of the risk management process. Risk can also

NOTE S = Scenario i; S = Scenario 1; S = Scenario N: with severity = x and likelihood = p: Therefore S (x ) = the

severity of Scenario 1 and S (x ;p ) = risk of Scenario 1; and S (x ) = the severity of Scenario N and S (x ;p ) = risk of

A representation of the assessment of overall safety risk is shown in Figure 2. As indicated in the figure, safety

risk assessment uses hazard scenarios to model individual sequences of events that are necessary and

sufficient for an undesired system level consequence to occur. A scenario can be represented as a “logical

intersection” of the initial cause or initiating event and the necessary conditional intermediate events leading to

the associated consequence. The overall risk is then the logical union of the risk of the individual scenarios

Probabilistic risk assessments of complex systems identify scenarios typically using event trees, or event

sequence diagrams and fault trees, to derive the logical models that lead to particular undesired safety

consequences of interest. As described above, in order to quantify scenarios, the likelihood of the initiating

events (i.e. causes) and the probability of each subsequent intermediate event, conditional on the occurrence

of the previous events in the sequence, are combined to determine the probability that the end state (i.e.

consequences) will occur. For each scenario, the severity (i.e. magnitude) of the consequences is usually

determined based on the physical characteristics and nature of the scenario being evaluated. The overall

consequences are determined by summing overall scenarios in a process that is analogous to that used to

An estimation of event likelihoods is usually based on different sources of data. Typical data sources include

previous experience with the particular system [i.e. measured or directly observed relevant test or experience

data and lessons learned (see ISO 16192)], data from other systems or projects (i.e. extrapolation from

generic data, similarity data, or physical models) and expert judgment (i.e. direct estimation of likelihoods by

domain specialists). Events are quantified in the context of the corresponding hazard scenario, i.e. the

likelihood of an event is assessed conditionally on the previous events in the sequence.

Systematic identification and treatment of uncertainties is characteristic of the assessment of the overall risk

and conducted in two ways. The likelihood estimates of scenario events are produced with their associated

uncertainties and presented in the form of probability distributions or intervals. These uncertainties are then

Quantification of the overall risk is obtained by calculating the likelihoods and magnitudes of the

consequences. This calculation can be achieved through the use of point values or probability (uncertainty)

distributions. An uncertainty distribution is characterized by representative point values, e.g. the mean or a

specific quintile value in the upper part of the distribution. A representative point value in the upper part of the

uncertainty distribution associated with the overall risk, at a confidence level accepted by the decision maker,

tends to be used to implement the precautionary principle for risk acceptance decisions and for risk

comparisons. The precautionary principle implies that conservative assumptions with respect to the risk value

are preferred to optimistic ones, in order to ensure that a system is not considered to satisfy an agreed risk

target or an acceptance criterion falsely, or that one option is not falsely preferred to another one in the

comparisons. Higher uncertainty regarding the overall risk value transfers a higher representative point value

The relative importance of an event or a scenario to the overall risk is measured by its risk contribution. The

risk contribution provides information on the potential for safety improvement, i.e. potential for reducing the

overall risk associated with the event or scenario. Similar to individual events, design and operation

constituents can also be ranked from a risk reduction point of view by accumulating the risk contributions of

The relative importance of the uncertainty of an event or a scenario to the uncertainty of the overall risk is

measured by its uncertainty contribution. Uncertainty contribution values indicate and rank those events,

which are the main sources of uncertainty for the consequence likelihood and have the highest potential for

reducing this uncertainty. Reduction of consequence uncertainties directly transfers to the use of lower

Risk and uncertainty contributors are identified based on their ranking. Important risk and uncertainty

contributors are those events, or their corresponding system constituents, that have high-risk reduction and

NOTE SC = scenario 1, SC = scenario 2, SC = scenario 3, SC = scenario N; P(A ) = probability of A , the

initiating event; P(B│A ) = conditional probability of B given A ; P(C│B , A ) = conditional probability of C given B and

A ; P(D│C , B , A ) = conditional probability of D given C , B and A ; P(x) = total probability, the logical sum of the

The concept of risk includes both undesirable consequences, e.g. the number of people harmed, and the

probability of occurrence of the consequences. Sometimes risk is defined as the expected value of

consequence occurrence. This representation of risk results in a summary measure and not a general

definition. Understanding how the system fails and producing probability distributions for the consequences

A common definition of risk is represented by a set of triplets. Determining risk generally amounts to

The answer to the first question is a set of accident scenarios. The answer to the second question requires