Risk can be described as a mix of two factors: how likely something is to happen (probability) and how big the effect will be if it does (impact), and can be expressed in different ways: as a number, a class (low, medium, high), a color (green, yellow, red). KF calculates both, a numerical value and a discrete class.
While risk is a subjective and context-dependent concept, there is agreement (in norms such as ISO 31000, ISO 14971, IEC 61508 and others) that the risk of an event is a function of its impact or severity (S) and its probability (P). If both quantities are on a linear scale, risk can be expressed as:
\[ R = S \cdot P \] When working with logarithmic values, the formula becomes:
\[ R_{log} = S_{log} + P_{log} \] This is the formula used by KF to obtain a numerical value for risk. It may not always capture how people perceive and respond to risk, as risk tolerance is often nonlinear. For those cases, KF supports the use of a risk matrix. This method produces only a few (typically 3 or 4) risk values, which is adequate for highlighting events that need action but not for prioritizing them accurately.
ISO 31000 and ISO 9001:2015 both promote a balanced view of risk that includes threats and opportunities. ISO 31000 defines risk as the effect of uncertainty on objectives—positive or negative—while ISO 9001:2015 embeds risk-based thinking to improve planning and decision-making. This dual perspective shifts the focus from mere risk avoidance to a more dynamic approach that balances preventing undesirable outcomes with seizing favorable possibilities, ultimately supporting continuous improvement and strategic alignment with organizational goals.
To give a risk rating to an event, each event has 3 specific fields:

In KF, the input data to the numerical risk calculation are the 'Severity' and the 'Probability' fields that each event has. Based on the values of those fields, a numerical risk value is calculated as the product of both, or, when using logarithmic scales as in KF, the sum of both. We use severity instead of impact because the most common scales for impact actually use positive numbers that increase when the consequences are worse. But an event can also be an opportunity, that is, have a positive net result. In that case a negative number needs to be used.
The discrete class is derived from a risk matrix that produces only a few risk levels (typically 3), which is useful for highlighting events that need action but not for prioritizing them accurately. The exact risk matrix is configurable; KF provides AIAG/VDA's Action Priority and ISO 26262, both used in the automotive industry. Some risk matrices use a third variable called detection, a field that is available in KF events as well. Below you'll see the 3 fields related to risk that appear when adding or editing events or actions. Why actions also have these fields is explained later.
Risk can be defined as the chance that an event will lead to an outcome that is different from what was expected. This outcome might be positive (an opportunity) or negative (a threat). This definition aligns with current standards like ISO 31000 and ISO 9001:2015, and it differs from older definitions that always considered risk to be negative.
Each of these fields offers suggested values, which will be explained below.
In KF, the severity scale is a list of labels (for example, "esthetic impact" or "life-threatening impact") and associated numeric values located in the file kf.ini that can be configured as needed. The numeric scale for severity is logarithmic, from 0 to 1. Each label points to a value in that range. If you want to assign a severity to an event, you just choose from one of the labels.
If an automotive risk scale is chosen, 'S1' to 'S3' are reserved for severity ratings defined in ISO 26262.
Labels that point to a negative value indicate opportunities. That means that the dual perspective of risk as defined in ISO 31000 is covered: both threats and opportunities can be associated with an event.
Probability (also known as occurrence) can be entered either as a number or as a label from a selection list. Labels are, as for severity, located in the kf.ini file and are configurable. Probability is a value between 0 and 1, on a linear scale. Labels in kf.ini point to a value in that range. When entering numeric values, a modifier needs to be added: % or ppm or fit, equivalent to \(10^{-2}\), \(10^{-6}\) and \(10^{-9}\) respectively. Thus, for example, 10% equals 0.1, 10ppm equals \(10^{-5}\) and 100fit equals \(10^{-7}\).
If an automotive risk scale is chosen, 'E1' to 'E4' are reserved for probability ratings defined in ISO 26262.
Detection can be understood as an external action or system that observes, monitors, or identifies the occurrence of an event. It is independent of the event, which exists regardless of whether or not it is detected. Detection mechanisms aim to intercept the failure at an early stage to minimize or prevent its impact. Thus, detection is the probability that a failure will be identified. Detection can be used as feedback, to prevent or mitigate the effects of the event,
Detection accepts the same type of input as the probability field.
For automotive risk scales, three extra values 'C1', 'C2', and 'C3' are reserved for controllability ratings defined in ISO 26262. Controllability is merged into the detection field, since both are related but not used simultaneously.
Risk is calculated by adding S and P, assuming both are on a logarithmic scale. S is already logarithmic, but P needs to be converted first: \[ P_{log} = \frac{\log_{10}(P)-\log_{10}(P_{min})}{\log_{10}(P_{max})-\log_{10}(P_{min})} \] where \(P_{max} = 1\) and \(P_{min}\) is a parameter read from the configuration file kf.ini ([risk] probability_min) with a very low value. \(P_{min} = 0\) cannot be used since \(\log(0)\) is undefined.
Since both S and P are in the 0 to 1 range, to maintain R in the same range we do:
\[ R_{log} = \frac{S_{log} + P_{log}}{2} \] More precisely, we set R equal to 0 if P or S are 0, thus:
\[ R_{log} = \begin{cases} 0 & \text{if } P_{log}=0 \text{ or } S_{log}=0, \\ \frac{S_{log} + P_{log}}{2} & \text{otherwise.} \end{cases}\]
S and P have the same weight, that is, the formula is impact-neutral. Risk aversion is not implemented currently.
The detection value D is not used in the risk calculation, but may be taken into account in the risk matrix.
A risk matrix is a table that maps S, P and D labels to a discrete risk level such as Low, Medium or High. Risk matrices are configurable and located in kf.ini. A default risk matrix is provided based on the calculated numerical value of risk and a set of configurable thresholds, but there are others, including 'Action Priority' from AIAG / VDA or ASIL from ISO 26262.
Each event has the S, P and D input fields as described. Additionally, actions also have those fields, to be used when those actions are mitigation or detection (diagnostic) actions associated with an event. An event can have associated mitigation and detection (or diagnostic) actions. A detection action is identified when the Detection parameter is set.
The numerical risk calculation is done for the event itself and for the combination of the event with each of its associated actions. The action's risk parameters take precedence over (that is, substitute for) the event's equivalent parameters.
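The following is an added example, not KF's own code, that carries the calculation described on this page through end to end: the probability modifiers (%, ppm, fit), the logarithmic normalisation of P against probability_min, the zero-case rule for R_log, a default threshold-based risk class, and the precedence of an action's parameters over the event's. The numeric values of P_MIN and CLASS_THRESHOLDS and the "Opportunity" label are constructed placeholders, not KF's defaults.

```python
import math

# Assumed configuration (kf.ini [risk] probability_min is the page's parameter;
# the numeric values here are constructed placeholders, not KF's defaults).
P_MIN = 1e-9
P_MAX = 1.0
CLASS_THRESHOLDS = {"Low": 0.0, "Medium": 0.4, "High": 0.7}  # constructed, ascending

# Modifiers accepted on numeric probability input, as described in the text.
UNIT_SCALE = {"%": 1e-2, "ppm": 1e-6, "fit": 1e-9}

def parse_probability(text: str) -> float:
    """Parse '10%', '10ppm' or '100fit' into a linear probability in [0, 1]."""
    text = text.strip().lower()
    for unit, scale in UNIT_SCALE.items():
        if text.endswith(unit):
            value = float(text[: -len(unit)]) * scale
            break
    else:
        value = float(text)  # bare number, already on the 0..1 linear scale
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"probability out of range: {text!r}")
    return value

def p_log(p: float, p_min: float = P_MIN, p_max: float = P_MAX) -> float:
    """Map a linear probability onto the logarithmic 0..1 scale (P_min -> 0, P_max -> 1)."""
    if p <= 0.0:
        return 0.0  # log(0) is undefined; a zero probability gives zero risk below
    p = min(max(p, p_min), p_max)  # clip to the configured range before taking logs
    return (math.log10(p) - math.log10(p_min)) / (math.log10(p_max) - math.log10(p_min))

def r_log(s_log: float, p_lin: float) -> float:
    """Numerical risk: 0 if either factor is 0, otherwise the mean of S_log and P_log."""
    pl = p_log(p_lin)
    if pl == 0.0 or s_log == 0.0:
        return 0.0
    return (s_log + pl) / 2.0

def risk_class(r: float) -> str:
    """Default threshold-based risk matrix: the highest class whose threshold r reaches."""
    reached = [c for c, t in CLASS_THRESHOLDS.items() if r >= t]
    return reached[-1] if reached else "Opportunity"  # negative r (negative S): constructed label

def risk_with_action(event: dict, action: dict) -> float:
    """An action's S/P values, when set, replace the event's before risk is computed."""
    merged = {**event, **{k: v for k, v in action.items() if v is not None}}
    return r_log(merged["S"], parse_probability(merged["P"]))
```

Calling `risk_with_action({"S": 0.8, "P": "10%"}, {"S": None, "P": "10ppm"})` shows a mitigation action lowering the event's numerical risk because its probability replaces the event's.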