Legal information

Copyright DB Netz AG, licensed under CC-BY SA 3.0 DE (see full text in CC-BY-SA-3.0-DE)

ARCH.015 Define business risk control measures


Goal: Identify operational requirements needed for business risk mitigation
Requirements met by this process step: None defined
Inputs

AMOD-130 Business loss and risk state model

AMOD-031 Unified risk model

AMOD-028 Operational activities and interaction definitions (single operational capability)

Outputs

AMOD-031 Unified risk model (updated)

AMOD-028 Operational activities and interaction definitions (single operational capability) (updated)

Methodology

This step must be done jointly between system and RAMS architect.

For every possible service-affecting deviation:
    If the risk level of the deviation is not negligible:
        Decide how the risk level will be reduced to a tolerable level.
        Document the rationale for the decision.
    end if
end for

Where in the risk model to insert a risk reduction measure

There are multiple points in the risk model where it is possible to reduce risk, and there is an order of preference for these. They are listed below in order of highest to lowest preference:

  • Reduce the probability of a business risk occurring, i.e., reduce the probability of the transition from the allowed state to a not-allowed state (equivalently, increase the probability that the allowed state persists);
  • Reduce the probability of a not-allowed state persisting (this is the same as increasing the probability of recovery from the not-allowed state to the allowed state);
  • Reduce the severity of the loss state(s) that could be caused by the not-allowed states reached from the deviation (by increasing the probability of a transition to a less severe sub-state within the loss state).

It is permissible to define more than one risk reduction measure for any one possible deviation. When doing so, the "Swiss cheese" model should be considered: each measure has its own weaknesses, so any set of measures should, taken together, have no common weakness that would let a single cause defeat all of them at once.
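As an added illustration (not part of the original page and not DB Netz AG's own model), the following Python quantifies the three insertion points listed above. It assumes the allowed and not-allowed states form a two-state discrete-time Markov chain with per-step probabilities `p_fail` and `p_recover`, and that loss is the severity per step spent in the not-allowed state; `max_allowable_p_fail` derives the failure-rate budget that a measure at the first insertion point would have to meet for a given tolerable loss.

```python
# Added example (not DB Netz AG's model): quantifies the three insertion
# points. Assumption not in the page: allowed / not-allowed form a two-state
# discrete-time Markov chain with per-step probabilities p_fail and
# p_recover, and loss is the severity per step spent in the not-allowed state.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Deviation:
    p_fail: float     # P(allowed -> not-allowed) per step
    p_recover: float  # P(not-allowed -> allowed) per step
    severity: float   # loss per step spent in the not-allowed state

def not_allowed_fraction(d: Deviation) -> float:
    """Long-run fraction of time spent in the not-allowed state."""
    return d.p_fail / (d.p_fail + d.p_recover)

def expected_loss(d: Deviation) -> float:
    return not_allowed_fraction(d) * d.severity

# The three insertion points, in the page's order of preference.
def reduce_occurrence(d: Deviation, factor: float) -> Deviation:
    return replace(d, p_fail=d.p_fail * factor)

def improve_recovery(d: Deviation, factor: float) -> Deviation:
    return replace(d, p_recover=min(1.0, d.p_recover * factor))

def reduce_severity(d: Deviation, factor: float) -> Deviation:
    return replace(d, severity=d.severity * factor)

def max_allowable_p_fail(d: Deviation, tolerable_loss: float) -> float:
    """Largest p_fail keeping expected_loss within tolerable_loss: the
    failure-rate budget of a measure at the first insertion point. Solves
    p_fail / (p_fail + p_recover) * severity = tolerable_loss for p_fail."""
    if tolerable_loss <= 0:
        return 0.0
    if tolerable_loss >= d.severity:
        return 1.0  # loss can never exceed severity, so no constraint
    return tolerable_loss * d.p_recover / (d.severity - tolerable_loss)

# Constructed sample deviation; values are illustrative, not from the page.
BASE = Deviation(p_fail=0.01, p_recover=0.5, severity=100.0)

if __name__ == "__main__":
    for name, d in [("base", BASE),
                    ("halve occurrence", reduce_occurrence(BASE, 0.5)),
                    ("double recovery", improve_recovery(BASE, 2.0)),
                    ("halve severity", reduce_severity(BASE, 0.5))]:
        print(f"{name:17s} expected loss per step = {expected_loss(d):.4f}")
    print("p_fail budget for loss <= 1.0:", max_allowable_p_fail(BASE, 1.0))
```

With these illustrative numbers each single measure cuts the expected loss by about half, while stacking all three (the multi-measure case discussed above) brings it down by roughly a factor of eight; the order of preference on the page is about where to intervene, not about the magnitude of the individual effect.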

Defining risk reduction measures in the operational activities model

Risk reduction measures in the operational layer of the model are always operational activities. Because the risk reduction measures have been determined in terms of probabilities, there is always a maximum allowable failure rate associated with any operational activity that is a risk reduction measure.

Where a suitable operational activity exists in the model, it is sufficient simply to add the maximum allowable failure rate to the corresponding outgoing interaction of that activity, following the modelling rules for that type of non-functional need.

Where no suitable operational activity exists in the model, one should be created, and the maximum allowable service-affecting failure rate should be added to the corresponding outgoing interaction.

Refer to ARCH.033 Update operational activities and interactions for instructions on updating or defining new operational activities.

If there exists more than one type of service-affecting failure for any activity, each rate can be added to one outgoing interaction of the operational activity.

Instructions for updating the model to reflect the risk reduction measures can be found under the process steps of group ARCH.904. It is recommended to run these process steps in parallel with the risk assessment and mitigation process steps.

Tools and non-human resources: Team for Capella
Cardinality: Once per operational activity
Completion criteria

There exists a set of risk reduction measures in the model for each possible service-affecting deviation to the current operational capability.

Rationales have been recorded for each risk reduction measure.

Design review

ARCH.R.1 Operational feature review

ARCH.R.2 Operational review - consolidated

Step done by (Responsible)

System architect

RAMS architect

Provides input to/assists (Contributes): None identified
Uses outputs (Informed): None identified