Space systems — Probabilistic risk assessment (PRA)

This document supports and complements the implementation of the risk management process defined in ISO 17666 in situations when the application of a quantitative risk assessment is deemed necessary. This document defines the principles, process, implementation and requirements for conducting a quantitative risk assessment and explains the details of probabilistic risk assessment (PRA) as applied to safety. While PRA can be applied to project risk management involving cost and schedule, this application is outside the scope of this document. This document provides the basic requirements and procedures for the use of PRA techniques to assess safety or mission risk and success in space programmes and projects. This document is applicable to all international space projects involving: — the design of space vehicles for the transportation of personnel in space; — the design of space and non-terrestrial planetary stations inhabited by human beings; — the design of space and launch vehicles powered by, or carrying, nuclear materials; — other projects as directed by the authorities or clients. These types of projects generally involve scenarios, chains of events or activities that could result in the death of, or serious injury to, members of the public, astronauts or pilots, or the workforce, or the loss of critical or high-value equipment and property. For other types of projects, it is intended that PRA be performed at the discretion of the project management.

Systèmes spatiaux — Évaluation du risque probabiliste (PRA)

General Information

Status
Published
Publication Date
28-Apr-2019
Current Stage
6060 - International Standard published
Start Date
29-Apr-2019
Completion Date
29-Apr-2019
Ref Project

RELATIONS

Buy Standard

Standard
ISO 11231:2019 - Space systems -- Probabilistic risk assessment (PRA)
English language
22 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (sample)

INTERNATIONAL ISO
STANDARD 11231
Second edition
2019-05
Space systems — Probabilistic risk
assessment (PRA)
Systèmes spatiaux — Évaluation du risque probabiliste (PRA)
Reference number
ISO 11231:2019(E)
ISO 2019
---------------------- Page: 1 ----------------------
ISO 11231:2019(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO 2019

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting

on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address

below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2019 – All rights reserved
---------------------- Page: 2 ----------------------
ISO 11231:2019(E)
Contents Page

Foreword ........................................................................................................................................................................................................................................iv

Introduction ..................................................................................................................................................................................................................................v

1 Scope ................................................................................................................................................................................................................................. 1

2 Normative references ...................................................................................................................................................................................... 1

3 Terms, definitions and abbreviated terms ................................................................................................................................ 1

3.1 Terms and definitions ....................................................................................................................................................................... 1

3.2 Abbreviated terms ............................................................................................................................................................................... 4

4 Principles of probabilistic risk assessment ............................................................................................................................. 4

4.1 General ........................................................................................................................................................................................................... 4

4.2 Mission success and system safety risk assessment concept ......................................................................... 4

4.3 PRA general process ........................................................................................................................................................................... 7

5 Objectives, uses and benefits of probabilistic risk assessment ........................................................................... 8

5.1 Objectives of a probabilistic risk assessment ............................................................................................................... 8

5.2 Probabilistic risk assessment results usage .................................................................................................................. 8

5.3 Benefits of a probabilistic risk assessment .................................................................................................................... 9

6 PRA requirements and detailed process ..................................................................................................................................... 9

6.1 Probabilistic risk assessment requirements ................................................................................................................. 9

6.2 Overview of the probabilistic risk assessment process ....................................................................................... 9

6.3 Probabilistic risk assessment basic tasks .....................................................................................................................10

6.3.1 General...................................................................................................................................................................................10

6.3.2 Task 1: Objectives and approach definition ...........................................................................................10

6.3.3 Task 2: System familiarization ..........................................................................................................................11

6.3.4 Task 3: Initiating event identification .........................................................................................................11

6.3.5 Task 4: Scenario modelling ..................................................................................................................................12

6.3.6 Task 5: Failure modelling ......................................................................................................................................12

6.3.7 Task 6: Quantification ...............................................................................................................................................13

6.3.8 Task 7: Uncertainty analysis ...............................................................................................................................13

6.3.9 Task 8: Sensitivity analysis ...................................................................................................................................14

6.3.10 Task 9: Ranking ..............................................................................................................................................................14

6.3.11 Data analysis .....................................................................................................................................................................15

7 Peer review ..............................................................................................................................................................................................................15

7.1 General ........................................................................................................................................................................................................15

7.2 Internal peer reviews .....................................................................................................................................................................15

7.3 External peer reviews ....................................................................................................................................................................15

8 Probabilistic risk assessment report — Data content requirements .........................................................16

Annex A (informative) Example of space systems unit-value/mission-criticality category

definitions ................................................................................................................................................................................................................17

Annex B (informative) Capability-based PRA process tailoring guidance .................................................................18

Bibliography .............................................................................................................................................................................................................................22

© ISO 2019 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO 11231:2019(E)
Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards

bodies (ISO member bodies). The work of preparing International Standards is normally carried out

through ISO technical committees. Each member body interested in a subject for which a technical

committee has been established has the right to be represented on that committee. International

organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.

ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of

electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are

described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the

different types of ISO documents should be noted. This document was drafted in accordance with the

editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of

patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of

any patent rights identified during the development of the document will be in the Introduction and/or

on the ISO list of patent declarations received (see www .iso .org/patents).

Any trade name used in this document is information given for the convenience of users and does not

constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and

expressions related to conformity assessment, as well as information about ISO's adherence to the

World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www .iso

.org/iso/foreword .html.

This document was prepared by Technical Committee ISO/TC 20, Aircraft and space vehicles,

Subcommittee SC 14, Space systems and operations.

This second edition cancels and replaces the first edition (ISO 11231:2010), which has been technically

revised.
The main changes compared to the previous edition are as follows:
— updated definitions of terms;
— simplification of Clause 4;
— updated figures and tables;
— addition of capability-based safety, reliability and quality assurance.

Any feedback or questions on this document should be directed to the user’s national standards body. A

complete listing of these bodies can be found at www .iso .org/members .html.
iv © ISO 2019 – All rights reserved
---------------------- Page: 4 ----------------------
ISO 11231:2019(E)
Introduction

Structured risk management processes use qualitative and quantitative risk assessment techniques

to support optimal decisions regarding safety and the probability of mission success, as provided in

ISO 17666. The most systematic and comprehensive methodology for conducting these evaluations is

probabilistic risk assessment (PRA).

PRA has, over the past three decades, become the principal analytic method for identifying and

analysing risk from projects and complex systems. Its utility for risk management (RM) has been

proven in many industries, including aerospace, electricity generation, petrochemical and defence. PRA

is a methodology used to identify and evaluate risk, in order to facilitate RM activities by identifying

dominant contributors to risk, so that resources can be effectively allocated to address significant

risk drivers and are not wasted on items that contribute insignificantly to the risk. In addition to

analysing risk, PRA provides a framework to quantify uncertainties in events and event sequences that

are important to system safety. By enabling the quantification of uncertainty, PRA informs decision

makers on the sources of uncertainty and provides information on the worth of investment resources

in reducing uncertainty. In this way, PRA supplements traditional safety analyses that support

safety-related decisions. Through the use of PRA, safety analyses are capable of focusing on both the

probability and severity of events and consequences that adversely impact safety.

PRA differs from reliability analysis in two important respects:

a) PRA allows a more precise quantification of uncertainty both for individual events and for the

overall system;

b) PRA applies more informative evaluations that quantify metrics related to the occurrence of highly

adverse consequences (e.g. fatalities, loss of mission), as opposed to narrowly defined system

performance metrics (e.g. mean-time-to-failure).

PRA also differs from hazard analyses, which identifies and evaluates metrics related to the effects of

high-consequence and low-probability events, treating them as if they had happened, i.e. without regard

to their probability of occurrence. In addition, the completeness of the set of accident scenarios cannot

be assured in the conduct of a hazard analysis. PRA results are more diverse and directly applicable

to resource allocation and other RM decision-making based on a broader spectrum of consequence

metrics.

Through the PRA process, weaknesses and vulnerabilities of the system that can adversely impact

safety, performance and mission success are identified. These results in turn provide insights into viable

RM strategies to reduce risk and direct the decision maker to areas where expenditure of resources to

improve design and operation might be more effective.

The most useful applications of PRA have been in the risk evaluation of complex systems that can result

in low-probability and high-consequence scenarios, or the evaluation of complex scenarios consisting of

chains of events that collectively may adversely impact system safety more than individually.

© ISO 2019 – All rights reserved v
---------------------- Page: 5 ----------------------
INTERNATIONAL STANDARD ISO 11231:2019(E)
Space systems — Probabilistic risk assessment (PRA)
1 Scope

This document supports and complements the implementation of the risk management process defined

in ISO 17666 in situations when the application of a quantitative risk assessment is deemed necessary.

This document defines the principles, process, implementation and requirements for conducting a

quantitative risk assessment and explains the details of probabilistic risk assessment (PRA) as applied

to safety. While PRA can be applied to project risk management involving cost and schedule, this

application is outside the scope of this document.

This document provides the basic requirements and procedures for the use of PRA techniques to assess

safety or mission risk and success in space programmes and projects. This document is applicable to all

international space projects involving:
— the design of space vehicles for the transportation of personnel in space;

— the design of space and non-terrestrial planetary stations inhabited by human beings;

— the design of space and launch vehicles powered by, or carrying, nuclear materials;

— other projects as directed by the authorities or clients.

These types of projects generally involve scenarios, chains of events or activities that could result in the

death of, or serious injury to, members of the public, astronauts or pilots, or the workforce, or the loss

of critical or high-value equipment and property. For other types of projects, it is intended that PRA be

performed at the discretion of the project management.
2 Normative references

The following documents are referred to in the text in such a way that some or all of their content

constitutes requirements of this document. For dated references, only the edition cited applies. For

undated references, the latest edition of the referenced document (including any amendments) applies.

ISO 17666, Space systems — Risk management
3 Terms, definitions and abbreviated terms
3.1 Terms and definitions

For the purpose of this document, the terms and definitions given in ISO 17666 and the following apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https: //www .iso .org/obp
— IEC Electropedia: available at https: //www .electropedia .org/
© ISO 2019 – All rights reserved 1
---------------------- Page: 6 ----------------------
ISO 11231:2019(E)
3.1.1
acceptable risk

safety risk, the severity, and the probability (3.1.3) of which, may be reasonably accepted by humanity,

without durable or irreversible foreseeable consequences on health, Earth, and the environment, at the

present time and in the future
[SOURCE: ISO 14620-2:2011, 3.1, modified — The EXAMPLE has been removed]
3.1.2
expert judgment

systematic and structured elicitation of probability data through the estimation and assessment by

specialists

Note 1 to entry: “Structured” implies the use of a method; “systematic” means regularly.

Note 2 to entry: Mathematical aggregation of individual judgments is generally preferred over behavioural or

consensus aggregation.
3.1.3
probability

probability of occurrence or measure for the occurrence rate or frequency of an event, a hazard scenario

or consequence
3.1.4
probability reference frame
relative indicator against which the probability (3.1.3) is expressed

Note 1 to entry: The probability reference frame is linked to the structure of the analysis. A typical reference

frame in use in space projects is “per mission”.
3.1.5
risk

undesirable situation or circumstance that has both a likelihood of occurring and a potentially negative

consequence on a project

Note 1 to entry: Risks arise from uncertainty due to a lack of predictability or control of events. Risks are inherent

to any project and can arise at any time during the project life cycle; reducing these uncertainties reduces the risk.

[SOURCE: ISO 17666:2016, 3.1.12]
3.1.6
risk contribution

measure of the decrease of the probability (3.1.3) of a top consequence, when the events associated with

the corresponding risk contributor are assumed not to occur

Note 1 to entry: Risk contribution indicates (and is directly proportional to) the “risk reduction potential” of the

risk contributor. Important risk contributors are events, which have a high-risk contribution and risk reduction

potential.

Note 2 to entry: Risk contribution provides a systematic measure that makes it possible to rank design and

operation constituents of a system from a safety risk point of view. It allows the identification of high risk or

vulnerable areas in the system, which can then serve as drivers for safety improvements.

3.1.7
risk contributor
single event or particular set of events upon which the risk depends

Note 1 to entry: Risk contributors can be ranked relative to each other by their risk contribution (3.1.7).

2 © ISO 2019 – All rights reserved
---------------------- Page: 7 ----------------------
ISO 11231:2019(E)
3.1.8
risk management

systematic and iterative optimisation of the project resources, performed according to the established

project risk management policy
[SOURCE: ISO 17666:2016, 3.1.5]
3.1.9
risk scenario

sequence or combination of events leading from the initial cause to the unwanted consequence

Note 1 to entry: The cause can be a single event or something activating a dormant problem.

[SOURCE: ISO 17666:2016, 3.1.13]
3.1.10
safety risk

measure of the potential consequences of a hazard considering the probability (3.1.3) of the associated

mishap, the harm caused to people, and the damage caused to public and private property and the

environment
EXAMPLE Expected number of casualties.

Note 1 to entry: Safety risk is always associated with a specific hazard scenario or a particular set of scenarios.

The risk posed by a single scenario is called “individual scenario risk”. The risk posed by the combination of

individual risks and their impact on each other is called “overall risk”.

Note 2 to entry: The magnitude of safety risk is represented by the severity and the probability (3.1.3) of the

consequence.

[SOURCE: ISO 14620-2:2011, 3.30, modified — NOTE 1 and 2 have been removed; new Note 1 and 2 to

entry have been added; EXAMPLE has been added]
3.1.11
interested party
stakeholder

person or organization that can affect, be affected by, or perceive itself to be affected by a decision or

activity

EXAMPLE Customers, owners, people in an organization, providers, bankers, regulators, unions, partners or

society that can include competitors or opposing pressure groups.
[SOURCE: ISO 9000:2015, 3.2.3, modified — Note 1 to entry has been removed]
3.1.12
uncertainty

lack of certitude resulting from inaccuracies of input parameters, analysis process or both

Note 1 to entry: Uncertainty can be represented as an interval with an upper and lower value or as an uncertainty

distribution.
3.1.13
uncertainty contributor

single event or particular set of events upon which the uncertainty of the top consequence depends

Note 1 to entry: Uncertainty contributors can be ranked relative to each other by their uncertainty contribution

(3.1.13).
© ISO 2019 – All rights reserved 3
---------------------- Page: 8 ----------------------
ISO 11231:2019(E)
3.1.14
uncertainty contribution

measure of the decrease of the uncertainty of a top consequence, when the probabilities of the events

associated with the corresponding uncertainty contributor are assumed to be without uncertainty

Note 1 to entry: Uncertainty contribution indicates (and is directly proportional to) the “uncertainty reduction

potential” of the uncertainty contributor. Important uncertainty contributors are events, which have a high

uncertainty contribution and uncertainty reduction potential.

Note 2 to entry: Uncertainty contribution provides a systematic measure that makes it possible to rank data and

information sources.
3.2 Abbreviated terms
FMECA Failure Mode, Effects, and Criticality Analysis
IE Initiating Event
MLD Master Logic Diagrams
PRA Probabilistic Risk Assessment
P(A) probability of event A
P(A/B) conditional probability of event A given event B has occurred
RM Risk Management
4 Principles of probabilistic risk assessment
4.1 General

PRA assists engineers and managers in including risk results in management and engineering

practices and in the decision-making process throughout a project life cycle, for such aspects as design,

construction, testing, operation, maintenance and disposal, together with their interfaces, management,

cost and schedule (see ISO 17666).

In this document, the PRA methodology is intended for technical risk assessments involving mission

success and system safety.
4.2 Mission success and system safety risk assessment concept

The application of PRA to mission success and system safety risks is discussed here. Mission success and

system safety risk assessments complement deterministic failure modes and effects analysis (FMEA) and

hazard analysis (HA) by adding a probabilistic dimension to the deterministic evaluation in the form of

failure mode, effects, and criticality analysis (FMECA) in the case of the former and hazard risk assessment

in the case of the latter. These probabilistic evaluations support risk informed decision-making.

The relationship between the deterministic and probabilistic failure modes/hazards evaluation

methods is shown in Figure 1.

Mission-success and system safety risk assessments can be used to either assess the risks posed by

individual risk scenarios separately, or assess sets of risk scenarios collectively, in the form of the

overall risk posed by those scenarios.

The assessment of individual risk scenarios can be performed using consequence severity and scenario

probability categorization schemes by applying risk grids or risk matrices and risk indexes, as described

in ISO 23460 and ISO 14620-1. However, these risk matrixes and index methods cannot be used to

4 © ISO 2019 – All rights reserved
---------------------- Page: 9 ----------------------
ISO 11231:2019(E)

combine individual components of risk within a scenario or to combine scenarios to evaluate overall

risk. These methods do not constitute combinatorial computational tools.

Assessment of the overall risk posed by a particular set of scenarios requires the rigor of the PRA

approach. This assessment provides the basis for identifying and ranking risk contributors. Important

contributors can then be used for driving and optimizing the system design or operation from a safety

performance point of view. The calculated overall risk can also be compared to probabilistic safety

targets or acceptance criteria. Acceptable risks are defined by the authorities or clients in step 1 of the

risk management process. Risk can also be used as a metric for quantifying safety in decision models.

Key
S scenario i S (x ;p ) risk of scenario 1
i 1 1 1
S scenario 1 S (x ) severity of scenario N
1 N N
S scenario N: with severity = x and probability = p S (x ;p ) risk of scenario N
N i i N N N
S (x ) severity of scenario 1
1 1

Figure 1 — Relationship between the deterministic and probabilistic failure modes/hazard

evaluation methods

A representation of the assessment of the overall mission-success or system safety risk is shown in

Figure 2. As indicated in the figure, the risk assessment uses the failure mode or hazard scenarios

to model individual sequences of events that are necessary and sufficient for an undesired system

level consequence to occur. A scenario can be represented as a “logical intersection” of the initial

cause or initiating event and the necessary conditional intermediate events leading to the associated

consequence. The overall risk is then the logical union of the risk of the individual scenarios that lead to

the same consequence.
© ISO 2019 – All rights reserved 5
---------------------- Page: 10 ----------------------
ISO 11231:2019(E)

Probabilistic risk assessments of complex systems identify scenarios typically using event trees, or

event sequence diagrams and fault trees, to derive the logical models that lead to particular undesired

safety consequences of interest. As described above, in order to quantify scenarios, the probability of

the initiating events (i.e. causes) and the probability of each subsequent intermediate event, conditional

on the occurrence of the previous events in the sequence, are combined to determine the probability

that the end state (i.e. consequences) will occur. For each scenario, the severity (i.e. magnitude) of the

consequences is usually determined based on the physical characteristics and nature of the scenario

being evaluated. The overall consequences are determined by summing overall scenarios in a process

that is analogous to that used to determine the overall probability.

An estimation of event probabilities is usually based on different sources of data. Typical data sources

include previous experience with the particular system [i.e. measured or directly observed relevant

test or experience data and lessons learned (see ISO 16192)], data from other systems or projects

(i.e. extrapolation from generic data, similarity data or physical models) and expert judgment (i.e.

direct estimation of probabilities by domain specialists). Events are quantified in the context of the

corresponding hazard scenario, i.e. the probability of an event is assessed conditionally on the previous

events in the sequence.

Systematic identification and treatment of uncertainties is characteristic of the assessment of the

overall risk and conducted in two ways. The probability estimates of scenario events are produced with

their associated uncertainties and presented in the form of probability distributions or intervals. These

uncertainties are then propagated in the calculations of the probabilities of the consequence(s).

Quantification of the overall risk is obtained by calculating the probabilities and magnitudes of

the consequences. This calculation can be achieved through the use of point values or probability

(uncertainty) distributions. An uncertainty distribution is characterized by representative point values,

e.g. the mean or a specific quintile value in the upper part of the distribution. A representative point

value in the upper part of the uncertainty distribution associated with the overall risk, at a confidence

level accepted by the decision maker, tends to be used to implement the precautionary principle for risk

acceptance decisions and for risk comparisons. The precautionary principle implies that conservative

assumptions with respect to the risk value are preferred to optimistic ones, in order to ensure that a

system is not considered to satisfy an agreed risk target or an acceptance criterion falsely, or that one

option is not falsely preferred to another in the comparisons. A higher uncertainty regarding the overall

risk value transfers a higher representative point value to be used for risk acceptance or comparisons.

The relative importance of an event or a scenario to the overall risk is measured by its risk contribution.

The risk contribution provides information on the potential for safety improvement, i.e. potential for

reducing the overall risk associated with the event or scenario. Similar to individual events, design and

operation constituents can also be ranked from a risk reduction point of view by accumulating the risk

contributions of the events associated with the particular constituents.

The relative importance of the uncertainty of an event or a scenario to the uncertainty of the overall

risk is measured by its uncertainty contribution. Uncertainty contribution values indicate and r

...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.