1.1 Introduction

An unwanted event, whether the consequence of a natural disaster, an industrial accident, or a machine or equipment failure, can range in severity from discomfort to the most serious outcomes. Human life and the natural environment can be endangered, sometimes together with property damage. In risk assessment it is important to distinguish between hazard and risk. In the case of a natural hazard the consequences can be flooding, earthquake or environmental pollution, and we usually examine the possibility of the event occurring. Risk analysis should take into account all factors (possible events) that lead to an undesirable event, together with the likelihood of their occurrence. In our study the emphasis is on risk management and on the methods we can use to implement it effectively. The methodology of risk assessment has always been present in our lives, whether we used it consciously or simply experienced it. Risk-based thinking is a fundamental principle of management systems, so its techniques and methods are being given more importance.

Terms and Definitions of Risk Management

The purpose of this chapter is to present the terminology and the process of risk management. For that we use the explanations and approaches of the relevant standards (ISO/IEC Guide 73; ISO 31000:2018; IEC 31010:2019). These standards contain the basic terms as well as the risk management process and techniques. According to the standard (ISO 31000:2018), risk is the effect of uncertainty on objectives. The effect can be positive or negative, which is especially important in management systems. Goals can have different aspects, such as health and safety or environmental aims, and they can apply at different levels. These levels can be product, project, process or strategic. The standard contains some useful notes about the definition of risk, which are as follows.

  • Risk is often characterized by reference to potential events and consequences or a combination of these.

  • Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.

  • Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of an event, its consequence, or likelihood.

Risk Management Process

Risk management means the coordinated activities to direct and control an organization with regard to risk (ISO 31000:2018). The risk management process contains six stages and an indispensable part (Communication and consultation) which is a necessary activity with external and internal stakeholders during the process.

By establishing the context, an organization defines the external and internal parameters to be taken into account when managing risks. The external parameters are, for example, the economic and natural environment, or key drivers and trends having an impact on the aims of the organization or on people. The internal context means the internal environment in which the organization seeks to achieve its aims (Klüppelberg et al. 2014).

Risk assessment (the red box) involves risk identification, risk analysis and risk evaluation (Fig. 1.1). First, all the risks need to be identified. The organization should therefore identify the sources of risk, the impacts of the risks and their causes, and their potential consequences. The output of this step is a list of risks based on those events that might create, prevent, enhance, accelerate, degrade, or delay the achievement of targets (Fig. 1.2).

Fig. 1.1 Risk management process (ISO 31000:2018) (Color figure online)

Fig. 1.2 FMEA table (Tague 2015)

Risk analysis involves developing an understanding of the risk. The result of the risk analysis is the input to risk evaluation and to decisions on whether risks need to be treated. This step involves identifying the source of the risks, determining the positive or negative consequences and estimating the likelihood of occurrence. Furthermore, it provides information about the severity of the consequences. Based on this information the risk levels can be defined.

The last step of the risk assessment is risk evaluation, the purpose of which is to assist in making decisions. These decisions, based on the outcomes of the risk analysis, concern which risks need treatment and the priority for implementation. Decisions should take account of the wider context of the risk and of the tolerance of the risks borne by other parties as well. A very important requirement of the standard is that decisions should be made in accordance with legal, regulatory and other requirements.

Risk treatment is based on the output of risk analysis and includes many options for treating risks.

The ISO 31000 standard includes the following options for treating risk:

  • avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;

  • taking or increasing the risk in order to pursue an opportunity;

  • removing the risk source;

  • changing the likelihood;

  • changing the consequences;

  • sharing the risk with another party or parties (including contracts and risk financing); and

  • retaining the risk by informed decision.

Both monitoring and review should be a planned part of the risk management process and include periodic or ad hoc checking.

1.2 Methods and Materials

1.2.1 Risk Management Tools and Techniques

Many techniques have been published that can be used in the field of risk assessment. Some of them are well suited to identifying risks but not to evaluating them. This chapter presents some methodologies that can be used for the overall risk management process and some additional ones that are very popular and useful in just one step. First, three methodologies are presented that are applicable to the overall risk management process (FMEA, HAZOP, Environmental risk assessment). After that, some well-known techniques are shown that can be used in just one or two steps of the process.

Failure Mode and Effect Analysis (FMEA)

The FMEA method was developed by the US military and a few years later applied at NASA. Then, in 1977, Ford Motors applied this methodology in the automotive industry. Nowadays it is a widely used methodology. In the automotive industry there were several descriptions of the FMEA method, which contained different FMEA steps and evaluation requirements (QS 9000, VDA) (Baynal et al. 2018). Currently there is just one handbook, published by AIAG and VDA in 2017, which harmonizes the descriptions of the methodology and the requirements. FMEA is a systematic risk assessment method which uses tree structures to identify the potential failures of a system, sub-system or component, together with the causes and effects of the failures. After the analysis it helps to evaluate them and to suggest recommended actions. It can be used in teamwork (Ben-Daya et al. 2009). FMEA can help to find:

  • all potential failure modes of the various parts of a system;

  • the effects of these failures;

  • the mechanisms of failure;

  • how to avoid the failures, and/or relieve the effects of the failures.

There are three methods of FMEA:

  • Design FMEA;

  • Process FMEA;

  • FMEA-MSR (Monitoring and System Response).

FMEA is applicable to a:

  • system;

  • sub-system;

  • component.

All three methods follow a six-step process (FMEA Handbook 2017):

  1. Scope definition and project planning

  2. Structure analysis

  3. Function analysis

  4. Failure analysis

  5. Risk analysis

  6. Optimization.

The risk evaluation is based on three viewpoints. S is the severity of the failure, which depends on the effect of the failure. O is the occurrence of the causes of the failure, which depends on the probability of occurrence. Detection (D) expresses how easy it is to find the cause of the failure. The handbook contains tables for evaluating these values. They help to define the Action Priority (High, Moderate or Low) and to suggest recommended actions with deadlines and responsibilities. Another evaluation table can be defined if it fits the examined system better (FMEA Handbook 2017).

Hazard Operability—HAZOP

HAZOP is a structured and systematic examination of a product, process, procedure or system. It is a preventive tool which helps to identify risks to people, equipment and environmental objectives. It is a qualitative methodology based on the use of guide words. HAZOP was developed to analyse chemical process systems but has been extended to other types of systems and complex situations. It can be applied in teamwork and it is a time-consuming technique (IEC 31010:2019; Dunjó et al. 2010; Kletz 2018). Before the examination, the guide words need to be identified and collected (for example: No or not, Higher, Less, As well as, Part of, Reverse/Opposite, Other than, etc.) and their meaning defined. These words help to reveal the potential risks. The reference document for this method is the IEC 61882:2016 standard.

Environmental Risk Assessment

The process of the environmental risk assessment is as follows:

  • Problem definition: this step establishes the extent of the assessment by defining the scope of target populations and relevant hazards;

  • Hazard identification: this includes identifying all possible sources of injury to the target population from hazards. Hazard identification usually relies on practical knowledge and the relevant literature;

  • Hazard analysis: this involves understanding the nature of the hazard and its interaction with the target.

The following example of an environmental risk assessment, with its diagram, is from IEC 31010:2019: “For example, in considering human exposure to chemical effects, the hazard might include acute and chronic toxicity, the potential to damage DNA, or the potential to cause cancer or birth defects. For each hazardous effect, the magnitude of the effect (the response) is compared to the amount of hazard to which the target is exposed (the dose) and, wherever possible, the mechanism by which the effect is produced is determined. The levels at which there is No Observable Effect (NOEL) and no Observable Adverse Effect (NOAEL) are noted. These are sometimes used as criteria for acceptability of the risk” (IEC 31010:2019) (Fig. 1.3).

Fig. 1.3 Dose-response curve (IEC 31010:2019)

Cause-and-Effect Analysis

Cause-and-effect analysis is also known as the Ishikawa or fishbone diagram. The diagram was developed by Dr. Kaoru Ishikawa at the University of Tokyo in 1943 (Tague 2015). With this tool a complex problem or a risk can be analysed. The technique is one of the seven quality tools. The shape of the diagram resembles a fish skeleton (Fig. 1.4). It contains a central line (“spine”) with the problem at its end, and several branches (categories). The type of categories depends on the problem (Man, Machine, Environment, Material etc.). Many potential causes can be represented in one category (Figs. 1.5 and 1.6).

Fig. 1.4 Fishbone diagram (Tague 2015)

Fig. 1.5 Fault tree and the gate symbols (ISO 31010:2019)

Fig. 1.6 ETA diagram (ISO 31010:2019)

The basic steps of the analysis:

  • Identify the occurrence of malfunctions or problems.

  • Find the reasons: e.g. with brainstorming and consider the theoretical and practical facts.

  • Define categories (4M–9M) related to the problem.

  • Group the individual causes by category and write down the most important causes (primary causes).

  • Find the root causes, e.g. with the 5 Why method (secondary causes).

This method can be used to identify risks or to analyse the consequences. The fishbone diagram gives a systematic picture of the cause (problem) and the underlying causes, thereby facilitating the resolution of the problem. Using it to get to the root causes of a problem should help to promote effective actions (IEC 31010:2019).

Fault Tree Analysis

This method is widely used and applies a hierarchical structure. It uses logical gates to show the relationships between the factors/items. The factors identified in the tree can be events related to component hardware failures, human errors or any other relevant events which lead to the undesired event.

The basic steps of the fault tree analysis:

  • Identify the failures or problems (top event).

  • Collect the causes of the problems, they will be the events.

  • Find the adequate gate symbols to show the relationship between the events.

  • Determine the probability of the events with Boolean algebra.

  • Analyze the relations and the results of the probabilities and propose actions to prevent and avoid the potential failures.

Nowadays this method is widely used in different fields, e.g. in the analysis of accidents and complex systems. With FTA the probability of the failures can be calculated and analysed, so it is easier to determine preventive actions to eliminate the risks and the failures and their effects (IEC 31010:2019; Modarres 2016).

Event Tree Analysis (ETA)

ETA is a graphical method for analysing a series of events. It considers the functioning/not functioning of the various systems. The main goal is to mitigate the consequences of the failures. It can be applied both qualitatively and quantitatively.

The basic steps of the event tree analysis:

  • Firstly, the initial event should be selected (Critical event).

  • The goal is to mitigate the outcomes through the functions of the system.

  • For each function or system, a line is drawn to represent their success or failure.

  • Probability values can be calculated.

This method can help to model different pathways from the initiating event and analyse the system (IEC 31010:2019; Modarres 2016).

Decision Tree

A decision tree represents decision alternatives and outcomes in a hierarchical structure. It is similar to an event tree. It starts with an initial decision, and different pathways and outcomes can be displayed. Events, the state of the system and the results depend on the decisions. This analysis provides the opportunity to select the optimal decision path. The decision tree is used in managing project risks.

Fig. 1.7 shows a decision tree with three levels. The nodes represent the states of the system, and the arrows are the decisions. The results can be found below the leaf nodes.

Fig. 1.7 Decision tree (ISO 31010:2019)

The basic steps of the decision tree analysis:

  • Firstly, the initial decision should be selected.

  • As the two hypothetical paths proceed, different events will occur, and different predictable decisions will need to be made.

  • The probability of the events can be estimated together with their cost.

  • The probability of pathway and total cost per branch can be calculated.

  • The pathways can be compared, and the optimum can be chosen.

This method uses a hierarchical structure to create a decision map and helps to find the best series of decisions. It is suitable for qualitative and quantitative analysis (IEC 31010:2019).

Bow-Tie Analysis

Bow-tie analysis combines a fault tree analysis (FTA) and an event tree analysis (ETA). The centre of the bow-tie is a critical event, with the FTA on the left side and the ETA on the right side. The FTA helps to analyse the history of the event (causes) and to define preventive controls. The ETA gives an overview of the consequences and helps to place control actions that mitigate the effects.

The basic steps of the bow-tie analysis:

  • A critical event is determined (Central event).

  • The causes of event occurrence should be analysed.

  • Define preventive controls which relate to each cause, draw to the left side of the bow-tie.

  • The consequences can be determined, and controls can be defined to mitigate the effects of the consequences.

This method is simple but visually clear for analysing a critical event, and it helps to prepare for prevention and treatment (IEC 31010:2019) (Fig. 1.8).

Fig. 1.8 Bow-tie analysis (ISO 31010:2019)
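The bow-tie calculation described above, as an added example (not taken from the chapter or the cited standards): the fault-tree side gives the probability of the critical event from AND/OR gates, and the event-tree side splits that probability over the outcome paths. It assumes independent basic events; the event names and all probabilities are constructed for illustration.

```python
from itertools import product
from math import prod


def _check(p):
    """Reject values that cannot be probabilities."""
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"not a probability: {p}")
    return float(p)


def fault_tree_probability(node):
    """Evaluate a fault tree given as nested ("AND"|"OR", [children]) tuples.

    A leaf is the probability of a basic event. Basic events are assumed
    independent, so AND multiplies and OR is 1 - product of the complements.
    """
    if isinstance(node, (int, float)):
        return _check(node)
    gate, children = node
    probs = [fault_tree_probability(child) for child in children]
    if gate == "AND":
        return prod(probs)
    if gate == "OR":
        return 1.0 - prod(1.0 - p for p in probs)
    raise ValueError(f"unknown gate: {gate}")


def event_tree_paths(p_critical, barriers):
    """Split the critical-event probability over every works/fails path.

    barriers is an ordered list of (name, probability_that_it_works).
    Returns {(state, state, ...): probability}; values sum to p_critical.
    """
    paths = {}
    for states in product(("works", "fails"), repeat=len(barriers)):
        p = _check(p_critical)
        for (_, p_works), state in zip(barriers, states):
            p *= _check(p_works) if state == "works" else 1.0 - _check(p_works)
        paths[states] = p
    return paths


# Constructed bow-tie, left side: causes feeding the critical event.
LOSS_OF_COOLING = ("OR", [
    ("AND", [0.02, 0.03]),   # pump A fails AND standby pump B fails
    0.001,                   # power supply fails
])
# Right side: mitigating functions in the order they are demanded.
BARRIERS = [("alarm", 0.95), ("emergency shutdown", 0.90)]


def bow_tie():
    """Return (critical-event probability, outcome-path probabilities)."""
    p_top = fault_tree_probability(LOSS_OF_COOLING)
    return p_top, event_tree_paths(p_top, BARRIERS)


if __name__ == "__main__":
    p_top, paths = bow_tie()
    print(f"critical event: {p_top:.7f}")
    for states, p in sorted(paths.items(), key=lambda kv: -kv[1]):
        labelled = ", ".join(f"{n} {s}" for (n, _), s in zip(BARRIERS, states))
        print(f"  {labelled}: {p:.3e}")
```

The path where every barrier fails is the one to compare against the preventive controls on the left side: lowering a basic-event probability there reduces every outcome on the right.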

Consequence/Probability Matrix

The consequence/probability matrix is an easy-to-use tool for analysing and evaluating risk and for defining risk levels. Fig. 1.9 shows a matrix with two dimensions [Consequence rating (1–5), Likelihood rating (1–5)] and three risk levels [I. Critical level (red), II. Moderate level (yellow), III. Low level (green)]. The definition of the levels depends on the creator or on other requirements, so it is flexible.

Fig. 1.9 Consequence/probability matrix (ISO 31010:2019)

The basic steps of the consequence/probability matrix analysis:

  • Possible risks should be collected.

  • Occurrence and the severity of the consequences can be identified.

  • Levels of risks can be defined.

  • Serious risks can be chosen and treated.

A consequence/probability matrix can be used to rank risks, sources of risk or risk treatments based on the level of risk. It is generally used as a selection tool when many risks have been identified, and we would like to focus on serious risks (IEC 31010:2019).

1.2.2 Useful Quality Tools and Techniques

In this chapter we summarize the quality tools and methods that can help organizations and experts analyze problems or determine the most appropriate way to solve a problem. Many methods have been developed to address quality issues, and they can be applied well regardless of the area of application and the operation of the organization. In many cases the most difficult task is to select the method that is most effective for the task (analysis) at hand. A thematic knowledge of the methods, matched to the nature of the problem, helps with this. Standards and professional books mostly outline the areas of application of a given quality tool, making its use more efficient and facilitating the decision-making process. We describe the aims, fields of application, process and main steps of the methods. The main steps of the creative process belong to the field of conscious methods of problem solving. Knowledge of these methods is essential for quality professionals, as they need to apply them in their daily work in order to perform their tasks more effectively.

The seven basic tools are well-chosen methods based on the graphical tools of industrial statistics and creativity technology (Table 1.1). These provide effective support for quality improvement and quality control. Quality improvement means a company-wide quality improvement. It is a continuous activity that affects all departments of the organization and in which each employee is involved.

Table 1.1 Relation between the steps of problem solving and the recommended tools

The process of solving a problem with the PDCA cycle shows that each step of the process can be matched to a stage of the Deming circle (Juran and De Feo 2010). The design step (P) involves identifying the problem or problems and selecting the most important ones. To do this the current processes must be assessed; data collection, data analysis and causal analysis must be carried out. Implementation (D) involves designing and implementing the solutions. Control (C) involves all activities that evaluate the effectiveness of the implemented solutions. During the intervention (A), the accepted proposals and measures are incorporated to reduce and prevent the recurrence of the problem. Its effectiveness is based on continuity. In line with the PDCA principle, the problem-solving process does not end and the “perfection” continues at a higher level.

In problem solving, the tools, procedures and methods are applied as appropriate to the task, taking into account the material and personal conditions. Problem solving is always more efficient and effective if we work with colleagues in a team.

Data Collection

The aim of data collection is to have objective data for the right decision, judgment and action. Unclear opinions are often untrustworthy and may lead to mistakes. The “quality” of the data (source, credibility, correctness) is more important than the quantity. The data should be grouped according to the purpose of the desired judgment and the expected action. The goals of data collection can be:

  • overview of the current situation,

  • managing problems,

  • workflow control,

  • changing activities,

  • decision on acceptance or rejection.

The way the data is processed depends on the nature and appearance of the data.

  • Data Collection with 5W + 2H Method

We can use this method when we need to collect data quickly to identify the problem exactly. According to the method, we systematically ask questions about a process or a problem, the purpose of which is to collect data. The question words are (Tague 2015):

  1. Who? (e.g. Who does this?)

  2. What? (e.g. What are the essentials?)

  3. When? (e.g. When can it happen?)

  4. Where? (e.g. Where can it happen?)

  5. Why? (e.g. Why do we do it?)

  6. How? (e.g. How is it done?)

  7. How much? (e.g. How much does it cost?)

This is a simple method and it can be widely used (e.g. project planning, reviewing the completed project, creating a report or presentation).

Histogram

The histogram is a bar chart (Fig. 1.10) in which we can represent the frequency distribution of the data. This diagram can be used to show a large amount of data, and it makes it easy to visualize different statistical parameters (range of values, average, standard deviation).

Fig. 1.10 Histogram

The basic steps of the procedure:

  • Data collection: the number of data points should be at least 50 or 100 or more.

  • Determination of the bars: the recommended number of classes (B) can be chosen according to the number of data points (N) (N = 50–100 → B = 5–9; N = 100–250 → B = 7–11).

  • Calculation of the width of the bars: first calculate the total range of the data, R = largest value − smallest value, and then the width of each bar, W = R/B.

  • Creation of the frequency table, which must contain: the number of bars, the limits of the bars (or classes), and the frequency of each bar (absolute value or relative value).

  • Completion of the histogram chart.

In the following we illustrate this procedure with an example. Examining the evolution of precipitation over the last five years, the task is to illustrate the frequency distribution of precipitation using a histogram. We follow the steps of the procedure:

  • Collection of the relevant data (Table 1.2).

    Table 1.2 Annual rainfall in Hungary, years: 2013–2017

  • Determination of the bars: in this case the number of data points is N = 75 and the chosen number of bars is B = 5.

  • Calculation of the width of the bars: based on the data, R = 989 − 432 = 557. The width of each bar is W = R/B, so W = 557/5 = 111.42; therefore we use W = 111.

  • Creation of the frequency table, which contains: the number of classes, the limits of the bars (or classes), and the frequency of each bar (absolute value or relative value) (Table 1.3).

    Table 1.3 Frequency table

  • Completion of the histogram chart (Fig. 1.11).

    Fig. 1.11 Histogram (distribution of the annual rainfall in Hungary)
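The procedure above carried through in code, as an added example that is not part of the original chapter. Table 1.2 is not reproduced on this page, so the 75 values are constructed to share only the N, smallest and largest value of the worked example; dropping the fraction of W follows that example, and counting values beyond the last limit in the last class is a choice made here.

```python
import math


def recommended_classes(n):
    """Range of class counts B for N data points, per the rule in the text."""
    if 50 <= n <= 100:
        return (5, 9)
    if 100 < n <= 250:
        return (7, 11)
    raise ValueError(f"the text gives no recommendation for N = {n}")


def frequency_table(data, classes):
    """Return (R, W, rows); each row is (lower, upper, absolute, relative)."""
    low, high = recommended_classes(len(data))
    if not low <= classes <= high:
        raise ValueError(f"B = {classes} is outside the recommended {low}-{high}")
    smallest, largest = min(data), max(data)
    total_range = largest - smallest             # R
    width = math.floor(total_range / classes)    # W = R/B, fraction dropped
    if width == 0:
        raise ValueError("range too small for this many classes")
    counts = [0] * classes
    for value in data:
        # Dropping the fraction of W can leave the largest values past the
        # last limit (here 432 + 5 * 111 = 987 < 989), so anything beyond
        # it is counted in the last class instead of being lost.
        index = min(int((value - smallest) // width), classes - 1)
        counts[index] += 1
    rows = []
    for i, count in enumerate(counts):
        lower = smallest + i * width
        upper = largest if i == classes - 1 else lower + width
        rows.append((lower, upper, count, count / len(data)))
    return total_range, width, rows


# Constructed sample (not the Table 1.2 data): 75 values spread evenly
# between 432 and 989, matching only N, min and max of the worked example.
SAMPLE = [432 + (i * 557) // 74 for i in range(75)]

if __name__ == "__main__":
    r, w, rows = frequency_table(SAMPLE, classes=5)
    print(f"N = {len(SAMPLE)}, R = {r}, W = {w}")
    for number, (lower, upper, absolute, relative) in enumerate(rows, start=1):
        print(f"{number}: {lower}-{upper}  {absolute:3d}  {relative:.1%}")
```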

The histogram is a great tool for showing statistical characteristics graphically and, in our experience, it supports error-correcting and error-preventing intervention in the early stages of data processing. Histogram analysis may include:

  • the form of the diagram,

  • the correct choice of class intervals,

  • examining the shape of the histogram,

  • comparison with specification limits.

Pareto Diagram

Pareto analysis helps you find the most important of many problems. The Pareto principle (80:20 rule) means that 20–30% of the causes are responsible for 70–80% of the effects. In practice:

  • 80% of the errors are caused by 20% of the defects,

  • 20% of workers produce 80% of the scrap,

  • in a shop 20% of the goods bring 80% of the revenue.

In general it means that a small proportion of the causes of a problem is responsible for most of the effects. We often use it when we want to detect errors. In quality management we apply it when the task is to separate the “vital few” from the “trivial many” problems (Juran and De Feo 2010). The Pareto diagram is a graphical representation of Pareto analysis (Fig. 1.12). It can be used to separate the factors according to the frequency of each factor. The diagram is a tool for implementing Pareto analysis: a bar graph representing the data arranged by size (number of defective pieces, time, cost, etc.).

Fig. 1.12 Pareto diagram

The basic steps of the procedure:

  • Data collection and selecting the most important components.

  • Discover how the importance of a problem is proportional to the amount of problems.

  • Find out to what extent the situation has improved after we have made improvements in each area.

  • Completion of the Pareto chart.

Scatter Diagram

A scatter chart (correlation diagram) can be used to determine whether there is a relationship between two values, data sets or features, that is, whether one depends on the other. There are many types of scatter chart, which are presented in Fig. 1.13.

Fig. 1.13 Types of the scatter diagram

The basic steps to create and analyze a correlation diagram:

  • Data collection and systematization: data must be in pair where the relationship is presumable.

  • Completion of the scatter diagram: recording independent data on the vertical axis (y), recording dependent data on the horizontal axis (x).

  • Representation of data points (dotted line).

  • Analysis of the correlation.

A simple method of correlation analysis was presented by Tague (2015) to determine the relationship between the variables. The diagram area is divided into four quadrants so that the number of points above and below the dividing line, and to its left and right, is equal (Fig. 1.14). Count the points in each quadrant and make the calculation:

Fig. 1.14 Correlation diagram

  • A + D = 4 + 4 = 8; B + C = 12 + 11 = 23; Q = min{A + D; B + C} = 8

  • N = A + B + C + D = 31

  • Determine the limit value from the trend test table (Table 1.4). In this case the limit is 9.

    Table 1.4 Trend test table

  • Conclusions of the analysis may be:

    • If Q < Limit, there is a correlation between the two features.

    • If Q ≥ Limit, there is no correlation between the two features.

    • In this example Q = 8 and the Limit = 9, therefore the two variables are related.
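The quadrant test above as an added example (not from the original chapter or from Tague). Fig. 1.14 and Table 1.4 are not reproduced on this page, so three things are assumptions of this sketch: the labelling A upper-left, B upper-right, C lower-left, D lower-right; that points lying on a median line are left out of the count; and that the limit is looked up by the reader and passed in. The data pairs are constructed.

```python
from statistics import median


def quadrant_counts(pairs):
    """Count points in the four quadrants cut by the two median lines.

    Assumed labelling (the figure is not available): A upper-left,
    B upper-right, C lower-left, D lower-right. Points that fall exactly
    on a median line are not counted (assumption of this example).
    """
    x_mid = median(x for x, _ in pairs)
    y_mid = median(y for _, y in pairs)
    counts = {"A": 0, "B": 0, "C": 0, "D": 0}
    for x, y in pairs:
        if x == x_mid or y == y_mid:
            continue
        if y > y_mid:
            counts["A" if x < x_mid else "B"] += 1
        else:
            counts["C" if x < x_mid else "D"] += 1
    return counts


def trend_test(counts, limit):
    """Apply the comparison from the text: the features are related if Q < limit.

    limit must be read from the trend test table for N = A + B + C + D.
    """
    q = min(counts["A"] + counts["D"], counts["B"] + counts["C"])
    n = sum(counts.values())
    return {"Q": q, "N": n, "related": q < limit}


# Quadrant counts and limit exactly as given in the worked example above.
PAGE_COUNTS = {"A": 4, "B": 12, "C": 11, "D": 4}
PAGE_LIMIT = 9

# Constructed paired data (x, y) to show the counting step itself.
SAMPLE_PAIRS = [
    (1, 2), (2, 1), (3, 4), (4, 3), (5, 6), (6, 5),
    (7, 8), (8, 7), (9, 10), (10, 9), (2, 9), (9, 2),
]

if __name__ == "__main__":
    print("worked example:", trend_test(PAGE_COUNTS, PAGE_LIMIT))
    counts = quadrant_counts(SAMPLE_PAIRS)
    q = min(counts["A"] + counts["D"], counts["B"] + counts["C"])
    print("constructed data:", counts, "Q =", q, "N =", sum(counts.values()))
```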

1.3 Results and Discussion

The aim of this chapter is to present the risk assessment process, its methods and other quality tools. The presentation of the techniques is not exhaustive, because the emphasis is on the procedures that may be relevant to risk analysis. Table 1.5 shows the ways of using the described methods, in harmony with the IEC 31010:2019 standard.

Table 1.5 Recommended use of described methods during the risk management process

These methods are not new; they have been used effectively in many areas for decades, and their use is increasingly emphasized as the principle of risk-based thinking spreads. The presented techniques are tools for identifying, analyzing, preventing or reducing problems (risks). The effectiveness of the analyses is enhanced by a well-organized (so-called cross-functional) team which includes representatives of the affected areas. When the goal is to create preventive actions or to analyze a disaster that has occurred, these methodologies can help professionals and experts, provided they use the right method, to prepare more effectively for a future unexpected event.