Risk Assessment. Marvin Rausand
subsystems and components. An alternative approach is to consider the system functions and to break each function down into subfunctions and actions. A functional breakdown structure may often be more useful than a hardware breakdown structure as a starting point for risk and reliability studies.
The causal structure for a system failure or a system accident may also be represented as a hierarchical structure starting from the system failure/accident. Indenture level 2 represents the direct causes of the failure/accident, whereas indenture level 3 represents the direct causes leading to each of the causes at indenture level 2, and so on. The obtained structure represents a hierarchical structure of the causes of the system failure/accident.
4.2.5 System Boundary
A risk assessment is always based on a number of assumptions and boundary conditions. The most notable is the system boundary, which specifies which parts of the system are included in the study object and which parts are not. All systems are used in some sort of environment that may influence and be influenced by the system. To delimit the study object, a system boundary is established to define what is inside and what is outside of the system. The inputs to and outputs from the study object are drawn up, as shown in Figure 4.2. The system boundary may be defined as follows:
Definition 4.4 (System boundary)
The system boundary separates the internal components and processes of a system from external entities. Internal to its boundary, the system has some degree of integrity, meaning the parts are working together and this integrity gives the system a degree of autonomy.
4.2.6 Assumptions
All assumptions and boundary conditions should be clearly specified in the documentation of the risk analysis. Examples include answers to questions, such as
– What are the objectives of the study?
– What level of detail is required?
– What are the environmental conditions for the system?
– How is the system operated?
– Which operational phases are to be included in the study (e.g. start‐up, steady state, maintenance, and disposal)?
– Which external stresses should be considered (e.g. earthquakes, lightning strikes, sabotage, and cyberattacks)?
Some of these assumptions are also mentioned in Chapter 3.
4.2.7 Closed and Open Systems
The study object may be a closed or an open system. A closed system may be defined as follows:
Definition 4.5 (Closed system)
A system where the interface to the environment is static and always according to the assumptions specified.
In a closed system, the required inputs are always available and random disturbances in the environment that may influence the system are nonexistent. Most of the systems that are considered in this book have a closed boundary. An open system is defined as follows:
Definition 4.6 (Open system)
A system where disturbances in the environment may influence the study object and required system inputs and outputs may fluctuate or even be blocked.
Open systems are generally more difficult to analyze than closed systems.
4.3 Operating Context
Items are generally designed and built for an intended operating context that should be clearly stated in the item specification and in the user documentation.
Definition 4.7 (Operating context)
The environmental and operating conditions under which the item is (or is expected to be) operating.
The operating context specifies how the item is to be operated and maintained, the limits to various operating conditions (e.g. inputs, usage, and loads), and which environmental conditions the item is supposed to work in, as illustrated in Example 4.1.
Example 4.1 (Operating context for a washing machine)
Consider a domestic washing machine. The user manual of the washing machine may, for example, specify intervals for the voltage and frequency of the power supply, the pressure and temperature of the water supply, the type and weight of laundry (e.g. clothes, carpets) put into the machine, the temperature in the room where the machine is located, and the surface on which the machine is placed.
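The operating context of Example 4.1 can be written down as a set of named limits and checked against observed conditions, so that operation outside the stated assumptions (the boundary conditions of Section 4.2.6) is made explicit. The following is an added illustration, not code from the book; the limit values, the allowed laundry types and floor surfaces are constructed for the example and are not taken from any real user manual.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Limit:
    """Closed interval [low, high] for one operating condition; unit is informational."""
    low: float
    high: float
    unit: str = ""

    def contains(self, value: float) -> bool:
        return self.low <= value <= self.high


@dataclass
class OperatingContext:
    """Operating context as named numeric limits plus allowed categorical conditions."""
    limits: dict[str, Limit] = field(default_factory=dict)
    allowed: dict[str, set[str]] = field(default_factory=dict)

    def check(self, observed: dict) -> list[str]:
        """Return the conditions that fall outside the operating context.

        A limit that is specified but never observed is reported too: an unverified
        assumption is still an assumption the analysis rests on (Section 4.2.6)."""
        violations: list[str] = []
        for name, limit in self.limits.items():
            if name not in observed:
                violations.append(f"{name}: not observed (limit {limit.low}-{limit.high} {limit.unit})")
            elif not limit.contains(observed[name]):
                violations.append(f"{name}: {observed[name]} {limit.unit} outside [{limit.low}, {limit.high}]")
        for name, values in self.allowed.items():
            if name in observed and observed[name] not in values:
                violations.append(f"{name}: '{observed[name]}' not in {sorted(values)}")
        return violations


# Constructed operating context for the washing machine of Example 4.1 (illustrative values only).
WASHING_MACHINE = OperatingContext(
    limits={
        "supply_voltage": Limit(207, 253, "V"),
        "supply_frequency": Limit(49, 51, "Hz"),
        "water_pressure": Limit(0.1, 1.0, "MPa"),
        "water_temperature": Limit(5, 25, "C"),
        "laundry_weight": Limit(0, 8, "kg"),
        "room_temperature": Limit(5, 35, "C"),
    },
    allowed={"laundry_type": {"clothes", "bedding"}, "floor": {"concrete", "tile", "wood"}},
)


def washing_machine_violations(observed: dict) -> list[str]:
    """Conditions of one observed situation that lie outside the constructed context."""
    return WASHING_MACHINE.check(observed)
```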
Example 4.2 (Operating context for a passenger ship)
For a passenger ship, the operating context is continuously changing with the operation and the location of the ship. The environmental conditions, such as wind, visibility, waves, and current, will change frequently. Depending on where the ship is traveling, more or less extreme environmental conditions may occur. It may also be exposed to subzero temperatures, causing icing, and may meet icebergs or ice floes. Further, when navigating close to shore, the ship has to avoid shallow waters where it can ground. A completely different operating context is when the ship is in port, loading and unloading passengers and cargo. When designing the ship, all the extremes of the operating context have to be considered, but in operation, the context will vary from hour to hour (or even more quickly) and operation has to continuously adapt to these variations.
In military applications, the concept of operations (CONOPS) document describes the operating context of the item.
4.4 System Modeling and Analysis
A system analysis is always based on a model, which is a simplification of the system or of one or more properties of the system. Many types of models are available. Among these are system structure models (also called architecture models), functional models, state transition models, and so on. System modeling helps the analyst to understand the structure and functionality of the system. Models may further be used to communicate with other stakeholders in the risk assessment. The IEV defines a model as follows:
Definition 4.8 (Model)
Mathematical or physical representation of a system or a process, based with sufficient precision upon known laws, identification, or specified suppositions (IEV 351‐42‐26).
An example of a model is a map of a terrain. The model (the map) provides a lot of information about the system, but it will always be a simplification compared to the real world. The information that is included is still useful for navigating.
4.4.1 Component Modeling
Models can be established for elements at all levels of systems. Models for the lowest level, the components, are usually black box models. In a black box model, the component is