BSI Standards Publication

Risk management
Risk assessment techniques

BS EN 31010:2010

National foreword

This British Standard is the UK implementation of EN 31010:2010. It is identical to IEC/ISO 31010:2009.

The UK participation in its preparation was entrusted to Technical Committee DS/1, Dependability and terotechnology.

A list of organizations represented on this committee can be obtained on request to its secretary.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

© BSI 2010
ISBN 978 0 580 63461 1
ICS 03.100.01

Compliance with a British Standard cannot confer immunity from legal obligations.

This British Standard was published under the authority of the Standards Policy and Strategy Committee on 30 June 2010.

Amendments issued since publication
Amd. No.    Date    Text affected

EUROPEAN STANDARD
NORME EUROPÉENNE
EUROPÄISCHE NORM

EN 31010
May 2010

ICS 03.100.01

English version

Risk management - Risk assessment techniques (IEC/ISO 31010:2009)

Gestion des risques - Techniques d'évaluation des risques (CEI/ISO 31010:2009)
Risikomanagement - Verfahren zur Risikobeurteilung (IEC/ISO 31010:2009)

This European Standard was approved by CENELEC on 2010-05-01. CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration.

Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the Central Secretariat or to any CENELEC member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CENELEC member into its own language and notified to the Central Secretariat has the same status as the official versions.

CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland and the United Kingdom.

CENELEC
European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
Management Centre: Avenue Marnix 17, B - 1000 Brussels

© 2010 CENELEC - All rights of exploitation in any form and by any means reserved worldwide for CENELEC members.
Ref. No. EN 31010:2010 E

Foreword

The text of document 56/1329/FDIS, future edition 1 of IEC/ISO 31010, prepared by IEC TC 56, Dependability, together with the ISO TMB “Risk management” working group, was submitted to the IEC-CENELEC parallel vote and was approved by CENELEC as EN 31010 on 2010-05-01.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN and CENELEC shall not be held responsible for identifying any or all such patent rights.

The following dates were fixed:

- latest date by which the EN has to be implemented at national level by publication of an identical national standard or by endorsement (dop): 2011-02-01
- latest date by which the national standards conflicting with the EN have to be withdrawn (dow): 2013-05-01

Annex ZA has been added by CENELEC.

Endorsement notice

The text of the International Standard IEC/ISO 31010:2009 was approved by CENELEC as a European Standard without any modification.

In the official version, for Bibliography, the following notes have to be added for the standards indicated:

IEC 60300-3-11      NOTE Harmonized as EN 60300-3-11.
IEC 61078           NOTE Harmonized as EN 61078.
IEC 61165           NOTE Harmonized as EN 61165.
IEC 61508 series    NOTE Harmonized in EN 61508 series (not modified)
IEC 61511 series    NOTE Harmonized in EN 61511 series (not modified)
IEC 61649           NOTE Harmonized as EN 61649.
ISO 22000           NOTE Harmonized as EN ISO 22000.

Annex ZA (normative)
Normative references to international publications with their corresponding European publications

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

NOTE When an international publication has been modified by common modifications, indicated by (mod), the relevant EN/HD applies.

Publication         Year   Title                                                             EN/HD   Year
ISO/IEC Guide 73    -      Risk management - Vocabulary - Guidelines for use in standards    -       -
ISO 31000           -      Risk management - Principles and guidelines                       -       -

CONTENTS

INTRODUCTION
1 Scope
2 Normative references
3 Terms and definitions
4 Risk assessment concepts
  4.1 Purpose and benefits
  4.2 Risk assessment and the risk management framework
  4.3 Risk assessment and the risk management process
    4.3.1 General
    4.3.2 Communication and consultation
    4.3.3 Establishing the context
    4.3.4 Risk assessment
    4.3.5 Risk treatment
    4.3.6 Monitoring and review
5 Risk assessment process
  5.1 Overview
  5.2 Risk identification
  5.3 Risk analysis
    5.3.1 General
    5.3.2 Controls Assessment
    5.3.3 Consequence analysis
    5.3.4 Likelihood analysis and probability estimation
    5.3.5 Preliminary Analysis
    5.3.6 Uncertainties and sensitivities
  5.4 Risk evaluation
  5.5 Documentation
  5.6 Monitoring and Reviewing Risk Assessment
  5.7 Application of risk assessment during life cycle phases
6 Selection of risk assessment techniques
  6.1 General
  6.2 Selection of techniques
    6.2.1 Availability of Resources
    6.2.2 The Nature and Degree of Uncertainty
    6.2.3 Complexity
  6.3 Application of risk assessment during life cycle phases
  6.4 Types of risk assessment techniques
Annex A (informative) Comparison of risk assessment techniques
Annex B (informative) Risk assessment techniques
Bibliography

Figure 1 Contribution of risk assessment to the risk management process
Figure B.1 Dose-response curve
Figure B.2 Example of an FTA from IEC 60-300-3-9
Figure B.3 Example of an Event tree
Figure B.4 Example of Cause-consequence analysis
Figure B.5 Example of Ishikawa or Fishbone diagram
Figure B.6 Example of tree formulation of cause-and-effect analysis
Figure B.7 Example of Human reliability assessment
Figure B.8 Example Bow tie diagram for unwanted consequences
Figure B.9 Example of System Markov diagram
Figure B.10 Example of State transition diagram
Figure B.11 Sample Bayes net
Figure B.12 The ALARP concept
Figure B.13 Part example of a consequence criteria table
Figure B.14 Part example of a risk ranking matrix
Figure B.15 Part example of a probability criteria matrix

Table A.1 Applicability of tools used for risk assessment
Table A.2 Attributes of a selection of risk assessment tools
Table B.1 Example of possible HAZOP guidewords
Table B.2 Markov matrix
Table B.3 Final Markov matrix
Table B.4 Example of Monte Carlo Simulation
Table B.5 Bayes table data
Table B.6 Prior probabilities for nodes A and B
Table B.7 Conditional probabilities for node C with node A and node B defined
Table B.8 Conditional probabilities for node D with node A and node C defined
Table B.9 Posterior probability for nodes A and B with node D and Node C defined
Table B.10 Posterior probability for node A with node D and node C defined

INTRODUCTION

Organizations of all types and sizes face a range of risks that may affect the achievement of their objectives.

These objectives may relate to a range of the organization's activities, from strategic initiatives to its operations, processes and projects, and be reflected in terms of societal, environmental, technological, safety and security outcomes, commercial, financial and economic measures, as well as social, cultural, political and reputation impacts.

All activities of an organization involve risks that should be
managed. The risk management process aids decision making by taking account of uncertainty and the possibility of future events or circumstances (intended or unintended) and their effects on agreed objectives.

Risk management includes the application of logical and systematic methods for

- communicating and consulting throughout this process;
- establishing the context for identifying, analysing, evaluating, treating risk associated with any activity, process, function or product;
- monitoring and reviewing risks;
- reporting and recording the results appropriately.

Risk assessment is that part of risk management which provides a structured process that identifies how objectives may be affected, and analyses the risk in terms of consequences and their probabilities before deciding on whether further treatment is required.

Risk assessment attempts to answer the following fundamental questions:

- what can happen and why (by risk identification)?
- what are the consequences?
- what is the probability of their future occurrence?
- are there any factors that mitigate the consequence of the risk or that reduce the probability of the risk?

Is the level of risk tolerable or acceptable and does it require further treatment?

This standard is intended to reflect current good practices in selection and utilization of risk assessment techniques, and does not refer to new or evolving concepts which have not reached a satisfactory level of professional consensus.

This standard is general in nature, so that it may give guidance across many industries and types of system. There may be more specific standards in existence within these industries that establish preferred methodologies and levels of assessment for particular applications. If these standards are in harmony with this standard, the specific
standards will generally be sufficient.

RISK MANAGEMENT - RISK ASSESSMENT TECHNIQUES

1 Scope

This International Standard is a supporting standard for ISO 31000 and provides guidance on selection and application of systematic techniques for risk assessment.

Risk assessment carried out in accordance with this standard contributes to other risk management activities.

The application of a range of techniques is introduced, with specific references to other international standards where the concept and application of techniques are described in greater detail.

This standard is not intended for certification, regulatory or contractual use.

This standard does not provide specific criteria for identifying the need for risk analysis, nor does it specify the type of risk analysis method that is required for a particular application.

This standard does not refer to all techniques, and omission of a technique from this standard does not mean it is not valid. The fact that a method is applicable to a particular circumstance does not mean that the method should necessarily be applied.

NOTE This standard does not deal specifically with safety. It is a generic risk management standard and any references to safety are purely of an informative nature. Guidance on the introduction of safety aspects into IEC standards is laid down in ISO/IEC Guide 51.

2 Normative references

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC Guide 73, Risk management - Vocabulary - Guidelines for use in standards
ISO 31000, Risk management - Principles and guidelines

3 Terms and definitions

For the purposes of this document, the terms and definitions of ISO/IEC Guide 73 apply.

4 Risk assessment concepts

4.1 Purpose and benefits

The purpose of risk assessment is to provide evidence-based information and analysis to make informed decisions on how to treat particular risks and how to select between options.

Some of the principal benefits of performing risk assessment include:

- understanding the risk and its potential impact upon objectives;
- providing information for decision makers;
- contributing to the understanding of risks, in order to assist in selection of treatment options;
- identifying the important contributors to risks and weak links in systems and organizations;
- comparing of risks in alternative systems, technologies or approaches;
- communicating risks and uncertainties;
- assisting with establishing priorities;
- contributing towards incident prevention based upon post-incident investigation;
- selecting different forms of risk treatment;
- meeting regulatory requirements;
- providing information that will help evaluate whether the risk should be accepted when compared with pre-defined criteria;
- assessing risks for end-of-life disposal.

4.2 Risk assessment and the risk management framework

This standard assumes that the risk assessment is performed within the framework and process of risk management described in ISO 31000.

A risk management framework provides the policies, procedures and organizational arrangements that will embed risk management throughout the organization at all levels.

As part of this framework, the organization should have a policy or strategy for deciding when and how risks should be assessed.

In particular, those carrying out risk assessments should be clear about

- the context and objectives of the organization,
- the extent and type of risks that are tolerable, and how unacceptable risks are to be treated,
- how risk assessment integrates into organizational processes,
- methods and techniques to be used for risk assessment, and their contribution to the risk management process,
- accountability, responsibility and authority for performing risk assessment,
- resources available to carry out risk assessment,
- how the risk assessment will be reported and reviewed.

4.3 Risk assessment and the risk management process

4.3.1 General

Risk assessment comprises the core elements of the risk management process which are defined in ISO 31000 and contain the following elements:

- communication and consultation;
- establishing the context;
- risk assessment (comprising risk identification, risk analysis and risk evaluation);
- risk treatment;
- monitoring and review.

Risk assessment is not a stand-alone activity and should be fully integrated into the other components in the risk manageme