Risk Management: Changing subsystem risk and surety: How are risk and surety changes of a subsystem handled?
Option 1: The change can safely be made by following the transition plan.
IF the subsystem meets all surety requirements of all of the intermediate and final risk levels in the transition plan
AND risks never exceeds surety anywhere in the overall system in the transition plan
AND aggregated risks never exceed accepted risk aggregation thresholds anywhere in the overall system in the transition plan
THEN the change can be made by following the transition plan.
When changes are made that change risk or surety, a transition plan is necessary to assure that surety doesn't drop too low for risk during the transition. That is, the plant must remain within the risk management profile (i.e., surety must match or exceed risk) at all times. To do this, a transition plan is used to describe each event in sequence along with any optional events that may occur along the way (intentionally or otherwise). Note that when no change to risk or surety is being undertaken, this is trivial, so long as neither risk nor surety changes in any place at any time in the process. However, a plan may have to be undertaken to make certain that this is the case.
The transition plan: Generally, transitions either increase or decrease risks and/or increase or decrease surety. If surety is increased without altering risk, and assuming surety was appropriate for risk before the transition, the transition is safe because surety always meets or exceeds risk. Similarly, if risk is reduced with surety left unaltered and surety matched risk before, the transition is safe because surety always meets or exceeds risk. This is normally the plan:
There are sometimes situations in which such a plan is infeasible or problematic for some other reason. In these cases, the only acceptable path is to gain approval by those authorized to accept the risk of surety levels too low for risk levels at the given levels at issue. For example, in a low risk environment, low surety controls may be disabled for a time based on manger approvals. This is normally done by a risk acceptance process involving paperwork and signature approvals and is only allowed for a limited time, with reapproval sought periodically with periodicity related to risk level, so that management remains aware of their increased accepted risk.
Indirect risk (including aggregation) during transition: Since not all risks are obvious and direct, all such transition plans should also consider risk aggregation issues. For example, a change that involves a temporary connection of a DCS to a backup PLC which also handles other DCS components may result in an aggregated risk associated with the PLC in which inadequate redundancy remains to meet the surety needs of the totality of systems under control by the remaining PLC.
This analysis is particularly important in processes that appear to reduce risk and use this as a basis for reducing surety. At all times, both direct and indirect risks for all systems must meet the requirement that risk does not exceed surety without management approval at the appropriate level.