Using a FRAM model for prospective analysis (risk assessment)

How to use the FRAM to look for potential risks (prospective)

Prospective analysis as commonly practiced

The most common form for prospective analysis is risk assessment. The purpose of risk assessment is to identify the hazards that may render the system incapable of fulfilling its purpose and – preferably – to calculate the probability that this may happen. The risk is usually defined as the combination of the probability of something happening and the severity or seriousness of the outcome. This view is expressed by the traditional risk matrix.

Another form of prospective risk analysis is design evaluation, which is done to find conditions or factors that may counteract or prevent a newly designed artefact or system from functioning as intended. Here the FRAM can be used to see if combinations of multiple preconditions and/or resources can weaken a design, or whether a lack of control or time constraints can impede intended functioning. The use of the FRAM for design evaluation is, however, not described further here.

Looking for potential risks due to functional resonance

The purpose of a FRAM analysis is to describe how a system should function to meet its objectives (i.e., “everyday” performance), and to understand the variability of functions which alone or in combination may prevent that from happening. In order to do so it is necessary first to build a FRAM model of the system and then to analyse a number of scenarios or instantiations of that model.

A FRAM analysis differs from a risk assessment by being based on a functional model of the potential functionality rather than a specific representation such as a fault tree or an event tree. Thus, rather than analyse an assumed event path and look for the probability that single steps may fail or malfunction, a functional analysis tries to find the ways in which a situation can develop, and what the possible outcomes may be, specifically which of the potential couplings that may become actual couplings. The considerations that go into selection representative scenarios are nevertheless basically the same, namely a good understanding of the domain.

A FRAM model describes a system’s functions and the potential couplings among functions. The model does not describe or depict an actual sequence of events, i.e., a future accident scenario. The basic steps in building a FRAM model of the activity (or performance) that is to be analysed have been described here. The development of the model ended by describing the potential variability.

A scenario can be described by an instantiation of the model. The instantiation is a “map” of how functions are coupled under given – favourable or unfavourable - conditions.

A risk analysis using the FRAM comprises the following steps:

Characterise the (possible) actual variability for a set of instantiations of the model. Consider whether the actual variability will be what one should expect ('normal') or whether it will be unusually large ('abnormal').

Identify the dynamic couplings (functional resonance) that likely will play a role during an event. These comprise an instantiation of the model which can be used to predict how an event will develop and whether control can be lost. In relation to the traditional risk assessment, this instantiation provides an explanation of what may happen, although it does not necessarily identify unique or specific outcomes. The explanation will be based on the couplings of the variability of everyday performance, rather than failures and malfunctions.

Propose ways to monitor and dampen performance variability (indicators, barriers, design / modification, etc.) In the case of unexpected positive outcome, one should look for ways to amplify, in a controlled manner, the variability rather than for ways to dampen it.