Space systems — Probabilistic risk assessment (PRA)

ISO 11231:2010 supports and complements the implementation of the risk management process defined in ISO 17666 in situations when application of quantitative risk assessment is deemed necessary. ISO 11231:2010 defines the principles, process, implementation and requirements for conducting a quantitative risk assessment, and explains the details of probabilistic risk assessment (PRA) as applied to safety. While PRA can be applied to project risk management involving cost and schedule, this application is outside the scope of ISO 11231:2010. ISO 11231:2010 provides the basic requirements and procedures for use of PRA techniques to assess safety or mission risk and success in space programmes and projects. ISO 11231:2010 is applicable to all international space projects involving: the design of space vehicles for the transportation of personnel in space; the design of space and non-terrestrial planetary stations inhabited by human beings; the design of space and launch vehicles powered by, or carrying, nuclear materials; other projects as directed by authorities or clients. These types of projects generally involve scenarios, chains of events or activities that could result in the death of, or serious injury to, members of the public, astronauts or pilots, or the workforce, or the loss of critical or high-value equipment and property. For other types of projects, it is intended that PRA be performed at the discretion of the project management.

Systèmes spatiaux — Évaluation du risque probabiliste (PRA)

General Information

Status: Withdrawn
Publication Date: 15-Jul-2010
Withdrawal Date: 15-Jul-2010
Current Stage: 9599 - Withdrawal of International Standard
Completion Date: 29-Apr-2019
Standard
ISO 11231:2010 - Space systems -- Probabilistic risk assessment (PRA)
English language
17 pages

Standards Content (Sample)

INTERNATIONAL STANDARD ISO 11231
First edition
2010-08-01
Space systems — Probabilistic risk assessment (PRA)
Systèmes spatiaux — Évaluation du risque probabiliste (PRA)
Reference number ISO 11231:2010(E)
© ISO 2010
COPYRIGHT PROTECTED DOCUMENT
© ISO 2010

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO 2010 – All rights reserved
Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms, definitions and abbreviated terms
3.1 Terms and definitions
3.2 Abbreviated terms
4 Principles of probabilistic risk assessment
4.1 General
4.2 Safety risk assessment concept
4.3 Concept of risk and probabilistic risk assessment
5 Objectives, uses, and benefits of probabilistic risk assessment
6 PRA requirements and process
6.1 Probabilistic risk assessment requirements
6.2 Overview of the probabilistic risk assessment process
6.3 Probabilistic risk assessment tasks
7 Peer review
7.1 General
7.2 Internal peer reviews
7.3 External peer reviews
8 Probabilistic risk assessment report — data content requirements
Bibliography
Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of technical committees is to prepare International Standards. Draft International Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as an International Standard requires approval by at least 75 % of the member bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights.

ISO 11231 was prepared by Technical Committee ISO/TC 20, Aircraft and space vehicles, Subcommittee SC 14, Space systems and operations.
Introduction

Structured risk management processes use qualitative and quantitative risk assessment techniques to support optimal decisions regarding safety and the likelihood of mission success, as provided for in ISO 17666. The most systematic and comprehensive methodology for conducting these evaluations is probabilistic risk assessment (PRA).

Probabilistic risk assessment has, over the past three decades, become the principal analytic method for identifying and analysing risk from project and complex systems. Its utility for risk management (RM) has been proven in many industries, including aerospace, electricity generation, petrochemical and defence. PRA is a methodology used to identify and evaluate risk, in order to facilitate RM activities by identifying dominant contributors to risk, so that resources can be effectively allocated to address significant risk drivers and not wasted on items that contribute insignificantly to the risk. In addition to analysing risk, PRA provides a framework to quantify uncertainties in events and event sequences that are important to system safety. By enabling the quantification of uncertainty, PRA informs decision makers on the sources of uncertainty and provides information on the worth of investment resources in reducing uncertainty. In this way, PRA supplements traditional safety analyses that support safety-related decisions. Through the use of PRA, safety analyses are capable of focussing on both the likelihood and severity of events and consequences that adversely impact safety.

PRA differs from reliability analysis in two important respects:

a) PRA allows a more precise quantification of uncertainty both for individual events and for the overall system;

b) PRA applies more informative evaluations that quantify metrics related to the occurrence of highly adverse consequences (e.g. fatalities, loss of mission), as opposed to narrowly defined system performance metrics (e.g. mean-time-to-failure).

PRA also differs from hazard analysis, which identifies and evaluates metrics related to the effects of high-consequence and low-probability events, treating them as if they had happened, i.e. without regard to their likelihood of occurrence. In addition, the completeness of the set of accident scenarios cannot be assured in the conduct of a hazard analysis. PRA results are more diverse and directly applicable to resource allocation and other RM decision-making based on a broader spectrum of consequence metrics.

Through the PRA process, weaknesses and vulnerabilities of the system that can adversely impact safety, performance and mission success are identified. These results in turn provide insights into viable RM strategies to reduce risk and direct the decision maker to areas where expenditure of resources to improve design and operation might be more effective.

The most useful applications of PRA have been in the risk evaluation of complex systems that can result in low-probability and high-consequence scenarios, or the evaluation of complex scenarios consisting of chains of events that collectively may adversely impact system safety more than individually.

Space systems — Probabilistic risk assessment (PRA)
1 Scope

This International Standard supports and complements the implementation of the risk management process defined in ISO 17666 in situations when application of quantitative risk assessment is deemed necessary. This International Standard defines the principles, process, implementation and requirements for conducting a quantitative risk assessment, and explains the details of probabilistic risk assessment (PRA) as applied to safety. While PRA can be applied to project risk management involving cost and schedule, this application is outside the scope of this International Standard.

This International Standard provides the basic requirements and procedures for use of PRA techniques to assess safety or mission risk and success in space programmes and projects. This International Standard is applicable to all international space projects involving:

⎯ the design of space vehicles for the transportation of personnel in space;
⎯ the design of space and non-terrestrial planetary stations inhabited by human beings;
⎯ the design of space and launch vehicles powered by, or carrying, nuclear materials;
⎯ other projects as directed by authorities or clients.

These types of projects generally involve scenarios, chains of events or activities that could result in the death of, or serious injury to, members of the public, astronauts or pilots, or the workforce, or the loss of critical or high-value equipment and property. For other types of projects, it is intended that PRA be performed at the discretion of the project management.
2 Normative references

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 17666, Space systems — Risk management
3 Terms, definitions and abbreviated terms
3.1 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO 17666 and the following apply.

3.1.1
acceptable risk
safety risk, the severity and the probability of which may be reasonably accepted by humanity, without durable or irreversible foreseeable consequences on health, Earth, and the environment, at the present time and in the future
[ISO 14620-2:2000, definition 3.1]
3.1.2
expert judgment
systematic and structured elicitation of likelihood data through estimation and assessment by specialists

NOTE 1 “Structured” implies the use of a method; “systematic” means regularly.

NOTE 2 Mathematical aggregation of individual judgments is generally preferred over behavioural or consensus aggregation.

3.1.3
likelihood
probability of occurrence or measure for the occurrence rate or frequency of an event, a hazard scenario or consequence

3.1.4
likelihood reference frame
relative indicator against which the likelihood is expressed

NOTE The likelihood reference frame is linked to the structure of the analysis. A typical reference frame in use in space projects is “per mission”.

3.1.5
risk
quantitative or qualitative measure for the severity of a potential damage and the probability of incurring that damage
[ISO 14620-2:2000, definition 3.27]

NOTE Risks arise from uncertainty due to a lack of predictability or control of events. Risks are inherent to any project and can arise at any time during the project life cycle; reducing these uncertainties reduces the risk.

3.1.6
risk contributor
single event or particular set of events upon which the risk depends

NOTE Risk contributors can be ranked relative to each other by their risk contribution (3.1.7).

3.1.7
risk contribution
measure of the decrease of the likelihood of a top consequence, when the events associated with the corresponding risk contributor are assumed not to occur

NOTE 1 Risk contribution indicates (and is directly proportional to) the “risk reduction potential” of the risk contributor. Important risk contributors are events which have a high risk contribution and risk reduction potential.

NOTE 2 Risk contribution provides a systematic measure that makes it possible to rank design and operation constituents of a system from a safety risk point of view. It allows the identification of high risk or vulnerable areas in the system, which can then serve as drivers for safety improvements.

3.1.8
safety risk
measure of the potential consequences of a hazard (e.g. expected number of casualties) considering the probability of the associated mishap, the harm caused to people, and the damage caused to public and private property and the environment
[ISO 14620-2:2000, definition 3.30]

NOTE 1 Safety risk is always associated with a specific hazard scenario or a particular set of scenarios. The risk posed by a single scenario is called “individual scenario risk”. The risk posed by the combination of individual risks and their impact on each other is called “overall risk”.

NOTE 2 The magnitude of safety risk is represented by the severity and the likelihood of the consequence.
3.1.9
(risk) scenario
sequence or combination of events leading from the initial cause to the unwanted consequence
[ISO 17666:2003, definition 2.1.13]

NOTE The cause can be a single event or something activating a dormant problem.

3.1.10
stakeholder
individual or organization that stands to gain or to lose as a result of risk consequences

3.1.11
uncertainty
lack of certitude resulting from inaccuracies of input parameters, analysis process, or both
[ECSS-P-001B:2004, definition 3.216]

NOTE Uncertainty can be represented as an interval with an upper and lower value or as an uncertainty distribution.

3.1.12
uncertainty contributor
single event or particular set of events upon which the uncertainty of the top consequence depends

NOTE Uncertainty contributors can be ranked relative to each other by their uncertainty contribution (3.1.13).

3.1.13
uncertainty contribution
measure of the decrease of the uncertainty of a top consequence, when the likelihoods of the events associated with the corresponding uncertainty contributor are assumed to be without uncertainty

NOTE 1 Uncertainty contribution indicates (and is directly proportional to) the “uncertainty reduction potential” of the uncertainty contributor. Important uncertainty contributors are events which have a high uncertainty contribution and uncertainty reduction potential.

NOTE 2 Uncertainty contribution provides a systematic measure that makes it possible to rank data and information sources.
3.2 Abbreviated terms
FMEA Failure Modes and Effects Analysis
IE Initiating Event
MLD Master Logic Diagrams
PRA Probabilistic Risk Assessment
P(A) probability of event A
P(A/B) conditional probability of event A given event B has occurred
RM Risk Management
4 Principles of probabilistic risk assessment
4.1 General

Probabilistic risk assessment assists engineers and managers in including risk results in management and engineering practices and in the decision-making process throughout a project life cycle, for such aspects as design, construction, testing, operation, maintenance and disposal, together with their interfaces, management, cost and schedule (see ISO 17666).

Probabilistic risk assessment supports and interfaces with the risk management process by providing the required relevant risk data. Risk assessment is an important task within the risk management process.

The steps in the risk management process, as described in ISO 17666, are as follows:

⎯ step 1: define risk management implementation requirements;
⎯ step 2: identify and assess the risks;
⎯ step 3: decide and act;
⎯ step 4: monitor, communicate and accept risks;
⎯ step 5: control of residual risks.

Step 2 constitutes a process and is also referred to as “risk assessment”. Once step 1 is completed, risk assessment provides the information used to conduct the remainder of the risk management process. Risk assessment provides the data upon which to base decisions concerning the design and implementation of controls used to prevent or mitigate risks.

Step 3 includes the opportunity to decide whether the assessed risk is acceptable to programme/project management and the stakeholders. If the risk is unacceptable, measures shall be taken to bring it down to an acceptable level. If it is acceptable, management measures shall be taken (steps 4 and 5) to monitor the evolution of risk and to ensure that it will not grow to unacceptable levels.

Risk assessment can be performed qualitatively or quantitatively or both. Qualitative risk assessment is performed by categorizing the likelihoods and consequences of risk as discussed below, where it applies to safety problems. In this context, it is called safety risk assessment.

In many cases, likelihoods and consequences need to be evaluated quantitatively. If sufficient statistical data do not exist for this purpose, modelling techniques are used.

For rare (very low probability) events, where sufficient statistical data do not exist, the significance of important risk drivers is assessed through probabilistic risk assessment. See Clause 6 for PRA requirements and process.

In the rest of this International Standard, PRA methodology primarily intended for safety applications is discussed. Another form of risk assessment, called “programmatic risk assessment”, is used to assess the risks of not performing within pre-defined programme schedule and cost estimates. In this process, schedule profiles based on uncertainties in the originally defined schedule are modelled using simulation or Monte Carlo methods. These uncertainties can occur due to a number of technical or management reasons. Subsequently, the effects of schedule changes and of other technical or management impacts on cost are evaluated. Programmatic risk is then evaluated in the form of distributions of probabilities of exceeding given schedule milestones and costs.
4.2 Safety risk assessment concept

The application of PRA to safety problems is discussed here. The safety risk assessment concept is derived from PRA. Safety risk assessment complements deterministic hazard analysis by adding a probabilistic dimension to the evaluation of hazards in support of risk-informed decision-making. The probabilistic dimension is expressed in terms of likelihoods.

The interface between safety risk assessment and hazard analysis is shown in Figure 1.

Safety risk assessment can be used to either assess the risks posed by individual hazard scenarios separately, or assess sets of scenarios collectively, in the form of the overall risk posed by those scenarios. The assessment of individual scenarios can be performed using consequence severity and scenario likelihood categorization schemes by applying risk grids or risk matrices and risk indexes, as described in ISO 17666. However, these risk matrix and index methods cannot be used to combine individual components of risk within a scenario, or to combine scenarios to evaluate overall risk. These methods do not constitute combinatorial computational tools.

Assessment of the overall risk posed by a particular set of scenarios requires the rigor of the PRA approach. This assessment provides the basis for identifying and ranking risk contributors. Important contributors can then be used for driving and optimizing the system design or operation from a safety performance point of view. The calculated overall risk can also be compared to probabilistic safety targets or acceptance criteria. Acceptable risks are defined by authorities or clients in step 1 of the risk management process. Risk can also be used as a metric for quantifying safety in decision models.
[Figure 1 (diagram not reproduced). Two panels. HAZARD ANALYSIS: identification of the scenarios S_1 … S_N, each drawn as the chain cause → event → consequence, and evaluation of the severity x_i of each scenario, giving S_1(x_1) … S_N(x_N). SAFETY RISK ASSESSMENT: evaluation of the likelihood of occurrence p_i of each scenario, giving the risk S_1(x_1; p_1) … S_N(x_N; p_N).]

NOTE S_i = Scenario i; S_1 = Scenario 1; S_N = Scenario N, with severity = x_i and likelihood = p_i. Therefore S_1(x_1) = the severity of Scenario 1 and S_1(x_1; p_1) = risk of Scenario 1; and S_N(x_N) = the severity of Scenario N and S_N(x_N; p_N) = risk of Scenario N.

Figure 1 — Interface between safety risk assessment and hazard analysis
A representation of the assessment of overall safety risk is shown in Figure 2. As indicated in the figure, safety risk assessment uses hazard scenarios to model individual sequences of events that are necessary and sufficient for an undesired system level consequence to occur. A scenario can be represented as a “logical intersection” of the initial cause or initiating event and the necessary conditional intermediate events leading to the associated consequence. The overall risk is then the logical union of the risk of the individual scenarios that lead to the same consequence.

Probabilistic risk assessments of complex systems identify scenarios typically using event trees, or event sequence diagrams and fault trees, to derive the logical models that lead to particular undesired safety consequences of interest. As described above, in order to quantify scenarios, the likelihood of the initiating events (i.e. causes) and the probability of each subsequent intermediate event, conditional on the occurrence of the previous events in the sequence, are combined to determine the probability that the end state (i.e. consequences) will occur. For each scenario, the severity (i.e. magnitude) of the consequences is usually determined based on the physical characteristics and nature of the scenario being evaluated. The overall consequences are determined by summing over all scenarios in a process that is analogous to that used to determine the overall probability.

An estimation of event likelihoods is usually based on different sources of data. Typical data sources include previous experience with the particular system [i.e. measured or directly observed relevant test or experience data and lessons learned (see ISO 16192)], data from other systems or projects (i.e. extrapolation from generic data, similarity data, or physical models) and expert judgment (i.e. direct estimation of likelihoods by domain specialists). Events are quantified in the context of the corresponding hazard scenario, i.e. the likelihood of an event is assessed conditionally on the previous events in the sequence.

Systematic identification and treatment of uncertainties is characteristic of the assessment of the overall risk and is conducted in two ways. The likelihood estimates of scenario events are produced with their associated uncertainties and presented in the form of probability distributions or intervals. These uncertainties are then propagated in the calculations of the likelihoods of the consequence(s).

Quantification of the overall risk is obtained by calculating the likelihoods and magnitudes of the consequences. This calculation can be achieved through the use of point values or probability (uncertainty) distributions. An uncertainty distribution is characterized by representative point values, e.g. the mean or a specific quintile value in the upper part of the distribution. A representative point value in the upper part of the uncertainty distribution associated with the overall risk, at a confidence level accepted by the decision maker, tends to be used to implement the precautionary principle for risk acceptance decisions and for risk comparisons. The precautionary principle implies that conservative assumptions with respect to the risk value are preferred to optimistic ones, in order to ensure that a system is not falsely considered to satisfy an agreed risk target or an acceptance criterion, or that one option is not falsely preferred to another one in the comparisons. Higher uncertainty regarding the overall risk value translates into a higher representative point value to be used for risk acceptance or comparisons.

The relative importance of an event or a scenario to the overall risk is measured by its risk contribution. The risk contribution provides information on the potential for safety improvement, i.e. potential for reducing the overall risk associated with the event or scenario. Similar to individual events, design and operation constituents can also be ranked from a risk reduction point of view by accumulating the risk contributions of the events associated with the particular constituents.

The relative importance of the uncertainty of an event or a scenario to the uncertainty of the overall risk is measured by its uncertainty contribution. Uncertainty contribution values indicate and rank those events which are the main sources of uncertainty for the consequence likelihood and have the highest potential for reducing this uncertainty. Reduction of consequence uncertainties translates directly into the use of lower representative point values of the consequence likelihoods.

Risk and uncertainty contributors are identified based on their ranking. Important risk and uncertainty contributors are those events, or their corresponding system constituents, that have high risk reduction and uncertainty reduction potential.
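The scenario quantification of Figure 2, the risk contribution of 3.1.7 and the uncertainty contribution of 3.1.13 carried through as an added example that is not part of ISO 11231: a small Python model with two scenarios ending in the same consequence, event uncertainties propagated by Monte Carlo sampling, and a 95th-percentile representative point value. The lognormal error-factor parameterization, the event names and every numeric value are assumptions constructed for illustration.

```python
"""Added example, not part of ISO 11231: a minimal PRA model in the shape of Figure 2 (all values constructed)."""
from __future__ import annotations

import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    name: str
    p: float         # point-value (median) likelihood, conditional on the preceding events of the scenario
    ef: float = 1.0  # assumed lognormal uncertainty: ef = 95th percentile / median; 1.0 means no uncertainty


@dataclass(frozen=True)
class Scenario:
    name: str
    events: tuple[str, ...]  # chain: initiating event, then the conditional intermediate events
    severity: float          # consequence magnitude if the scenario occurs (constructed units)


class RiskModel:
    def __init__(self, events: list[Event], scenarios: list[Scenario]):
        self.events = {e.name: e for e in events}
        self.scenarios = scenarios

    def point_values(self) -> dict[str, float]:
        return {n: e.p for n, e in self.events.items()}

    @staticmethod
    def scenario_likelihood(sc: Scenario, probs: dict[str, float]) -> float:
        # logical intersection of the chain: P(A) * P(B|A) * P(C|B,A) * ...
        return math.prod(probs[name] for name in sc.events)

    def overall_likelihood(self, probs: dict[str, float] | None = None) -> float:
        # distinct scenarios ending in the same consequence are mutually exclusive paths,
        # so their logical union is the plain sum (Figure 2's P(X))
        probs = self.point_values() if probs is None else probs
        return sum(self.scenario_likelihood(sc, probs) for sc in self.scenarios)

    def expected_consequence(self) -> float:
        # overall consequence: severity summed over all scenarios, weighted by likelihood
        probs = self.point_values()
        return sum(self.scenario_likelihood(sc, probs) * sc.severity for sc in self.scenarios)

    def risk_contribution(self, event_name: str) -> float:
        # 3.1.7: decrease of the top-consequence likelihood when the event is assumed not to occur
        without = {**self.point_values(), event_name: 0.0}
        return self.overall_likelihood() - self.overall_likelihood(without)

    def _sample(self, rng: random.Random, fixed: frozenset[str]) -> dict[str, float]:
        probs = {}
        for name, ev in self.events.items():
            z = rng.gauss(0.0, 1.0)  # drawn for every event, so the random stream is identical for any 'fixed'
            if name in fixed or ev.ef == 1.0:
                probs[name] = ev.p
            else:  # lognormal: the 95th percentile sits 1.645 log-sigma above the median
                probs[name] = min(1.0, ev.p * math.exp(math.log(ev.ef) / 1.645 * z))
        return probs

    def representative_point(self, quantile: float = 0.95, n: int = 5000, seed: int = 7,
                             fixed: frozenset[str] = frozenset()) -> float:
        # upper-quantile point value of the overall-likelihood uncertainty distribution,
        # i.e. the conservative value used under the precautionary principle
        rng = random.Random(seed)
        draws = sorted(self.overall_likelihood(self._sample(rng, fixed)) for _ in range(n))
        return draws[min(n - 1, int(quantile * n))]

    def uncertainty_contribution(self, event_name: str) -> float:
        # 3.1.13: decrease of the representative point value when the event's likelihood
        # is assumed to be known exactly (held at its point value)
        return self.representative_point() - self.representative_point(fixed=frozenset({event_name}))


# constructed model: two scenarios ending in the same consequence, "per mission" reference frame
EVENTS = [
    Event("A1", 1e-3, ef=3.0),           # initiating event, from observed data
    Event("B1|A1", 0.2, ef=3.0),
    Event("C1|B1,A1", 0.5),              # well characterised, no uncertainty
    Event("D1|C1,B1,A1", 0.1, ef=10.0),  # expert judgment, wide uncertainty
    Event("A2", 5e-4, ef=3.0),
    Event("B2|A2", 0.05),
]
SCENARIOS = [
    Scenario("SC1", ("A1", "B1|A1", "C1|B1,A1", "D1|C1,B1,A1"), severity=3.0),
    Scenario("SC2", ("A2", "B2|A2"), severity=1.0),
]
MODEL = RiskModel(EVENTS, SCENARIOS)


def ranking(contribution) -> list[tuple[str, float]]:
    # rank events by a contribution measure, most important first
    return sorted(((n, contribution(n)) for n in MODEL.events), key=lambda t: -t[1])
```

With these inputs `ranking(MODEL.risk_contribution)` puts the SC2 events first, while `ranking(MODEL.uncertainty_contribution)` puts the expert-judgment event D1 first: the event whose likelihood most needs better data is not the one that contributes most to the point-value risk, which is why the two rankings are reported separately.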
[Figure 2 (diagram not reproduced). Scenario SC_1 is drawn as the chain of events A_1, B_1, C_1, D_1 with likelihoods P(A_1), P(B_1|A_1), P(C_1|B_1, A_1), P(D_1|C_1, B_1, A_1); scenarios SC_2, SC_3, … SC_N are drawn likewise, and their likelihoods combine into the total probability P(X), shown as an uncertainty distribution with a marked “representative point value”.]

NOTE SC_1 = scenario 1, SC_2 = scenario 2, SC_3 = scenario 3, SC_N = scenario N; P(A_1) = probability of A_1, the initiating event; P(B_1|A_1) = conditional probability of B_1 given A_1; P(C_1|B_1, A_1) = conditional probability of C_1 given B_1 and A_1; P(D_1|C_1, B_1, A_1) = conditional probability of D_1 given C_1, B_1 and A_1; P(X) = total probability, the logical sum of the probability of all scenarios 1 to N.

Figure 2 — Example of the assessment of the overall risk
4.3 Concept of risk and probabilistic risk assessment

The concept of risk includes both undesirable consequences, e.g. the number of people harmed, and the probability of occurrence of the consequences. Sometimes risk is defined as the expected value of consequence occurrence. This representation of risk results in a summary measure and not a general definition. Understanding how the system fails and producing probability distributions for the consequences affords a much more complete description of risk.

A common definition of risk is represented by a set of triplets. Determining risk generally amounts to answering the questions below.

a) What can go wrong? (the scenario)
b) How likely is it? (likelihood)
c) What are the consequences? (severity of the consequences)
The answer to the first question is a set of accident scenarios. The answer to the second question requires eval
...
