of the risk assessment. When the assessment is completed and results are ready, this feeds back to the decisions again, together with other relevant information that is taken into account (e.g. feasibility and cost).
3.2.1.2 Step 1.2: Define Outputs from Risk Assessment
The required outputs from the assessment should be clearly defined. The decisions and decision criteria determine, to a large extent, which outputs are required, but several aspects need to be considered:
Should the outputs be qualitative or quantitative? The decision criteria significantly influence this decision.
In what format should the results be presented? Only in a technical report or also in other formats (summary report, presentation, brochure)?
What level of detail should be used when presenting the results? This ties in with the decision and also the users.
Are there several stakeholders with different backgrounds that require different types of information?
Most important always is to keep the decision in mind and ask ourselves whether what we are planning to present will help the decision‐maker to make the best decision with regard to risk.
3.2.1.3 Step 1.3: Define Objectives and Scope
The decision alternatives and the decision criteria determine the scope and objectives of the study. The objectives can often be derived directly from the decisions that the analysis is supporting and this in turn also determines the scope of the study. The objective may be to
verify that the risk is acceptable,
choose between two alternative designs,
identify potential improvements in an existing design,
a combination of these,
…and several more.
When the objectives are defined, the scope may be set up. The scope describes the work to be done and specific tasks that need to be performed. At this stage, it is possible to specify more clearly what resources and competences are required to perform the risk assessment.
3.2.1.4 Step 1.4: Establish the Study Team and Organize the Work
The risk assessment is usually carried out by a study team that is led by a team leader. The team members should together meet the following requirements:
Have competence relevant to the study object. Including team members from sectors with similar problems may also be useful.
Have necessary knowledge of the study object, how it is operated, and how safety is managed and maintained.
Have competence in risk assessment in general and risk analysis methods in particular.
Come from different levels of the organization. The purpose of this is to better reflect the priorities, attitudes, and knowledge of different organizational levels in the analysis.
The last item may seem unnecessary because as long as the analysis is done in an objective manner, based on the available information, should we not arrive at the same results regardless of who is involved? This is an important issue for any risk assessment and should always be kept in mind. A risk analysis predicts what may happen in the future. Because we are never able to know exactly what will happen, the analysis is always based both on facts and judgments. Different people may judge the situation differently and may thus arrive at different conclusions. A risk analysis should therefore never be seen as a completely objective study, but a reflection of the available data and the knowledge of the participants in the study, including their values, attitudes, and priorities.
The number of persons taking part in the study may vary depending on the scope of the risk assessment and how complicated the study object is. In some cases, it may be relevant to contract a consulting company to carry out the risk assessment. If the risk assessment is done by external consultants, it is important that in‐house personnel carefully follow the assessment process to ensure that the company accepts ownership of the results. The competence and experience of each member of the study team should be documented, along with their respective roles in the team. In cases where external stakeholders are exposed to risk, it should be considered if, and to what degree, these should be involved in the risk assessment.
3.2.1.5 Step 1.5: Establish Project Plan
For the results from the risk assessment to be used as the basis for a decision, it is of paramount importance that the assessment process be planned such that the results are available in a timely manner. The study team should, in cooperation with the decision‐makers decide on a time schedule and estimate the resources that are required to do the risk assessment. The extent of the assessment depends on how complicated the study object is, the risk level, the competence of the study team, how important the decision is, the time available for the study, access to data, and so on. The level of detail in the study should be agreed upon as part of the planning.
3.2.1.6 Step 1.6: Identify and Provide Background Information
Most study objects have to comply with a number of laws and regulations. Many of these give requirements related to health and safety, and some of them require that risk assessments be performed. It is important that the study team is familiar with these laws and regulations, such that the requirements are taken into account in the risk assessment.
Risk assessment standards and/or guidelines have been developed for many types of study objects and application areas (see Chapter 20). Internal requirements and guidelines given by the organization that performs the risk assessment may also need to be adhered to. The study team must be familiar with these standards and guidelines.
The number of documents required to support a risk assessment may be substantial. A document control system should therefore be established to manage the various documents and other information sources. This system must control the updating, revision, issue, or removal of reports in accordance with the quality assurance program to ensure that the information remains up to date.
3.2.2 Step 2: Define the Study
The structure of step 2 is shown in Figure 3.5 .
3.2.2.1 Step 2.1: Define and Delimit the Study Object
The study object must be defined precisely. When the risk assessment is initiated at an early stage of a system development project, we have to suffice with
