E-scooter risk management engineering as the 32nd engineering axis: risk-anticipation meta-axis — ISO 31000:2018 + ISO/IEC 31010:2019 + ISO Guide 73:2009 + Bowtie + ALARP + SFAIRP + LOPA + HAZOP IEC 61882 + FTA IEC 61025 + ETA IEC 62502 + FMEA IEC 60812 + ISO 14971:2019 + ERM COSO 2017 + Kaplan & Garrick 1981 triplet

Across the engineering-guide series, we have described the lithium-ion battery with BMS and thermal runaway intro, the brake system, the motor and controller, the suspension, the tire, lighting and visibility, the frame and fork, the display and HMI, the SMPS CC/CV charger, the connector and wiring harness, IP protection, bearings with ISO 281 L10, the stem and folding mechanism, the deck, the handgrip + lever + throttle, the wheel as an assembly, bolted-joint engineering as a joining axis, thermal management as a heat-dissipation axis, EMC/EMI as an interference-mitigation axis, cybersecurity as an interconnect-trust axis, NVH as an acoustic-vibration-emission axis, functional safety as a safety-integrity axis, battery lifecycle engineering as a sustainability axis, repairability as a repairability axis, environmental robustness as an environmental-conditioning axis, privacy and personal-data protection as a privacy-preservation axis, reliability engineering as a reliability-prediction meta-axis, software & firmware engineering as a SW-process axis, human factors and ergonomics as a human-machine fit axis, and manufacturing quality engineering as a manufacturing-process axis. These 31 engineering axes have described subsystems, joining methods, thermal and electromagnetic phenomena, safety, sustainability, repairability, environmental conditioning, privacy, reliability engineering, SW process, human-machine fit, and manufacturing quality. Each one fixed a specification (target dimension + tolerance + material property + test limit) or a process (how to measure / produce). 
Each one also recorded certain kinds of risk — the battery article described thermal-runaway risk + ageing risk; the brake article — wet-stop risk + fade risk; the cybersecurity article — TARA + STRIDE + DREAD; the functional-safety article — HARA + ASIL determination; the reliability article — FMEA + FMECA + FTA — but none of them described risk management itself as a separate formal methodology that systematically intersects all prior axes and standardizes identification + analysis + evaluation + treatment + monitoring through a single vocabulary and a single framework.

Risk management engineering is the risk-anticipation meta-axis of the whole e-scooter. It provides a principle-and-framework standard (ISO 31000:2018 Risk management — Guidelines with 8 principles + a framework of 6 components + a 7-stage risk-management process), a vocabulary (ISO Guide 73:2009 with 61 terms, from risk as «effect of uncertainty on objectives» to risk treatment as «process to modify risk»), a techniques catalogue (ISO/IEC 31010:2019 with 41 methods, from brainstorming to Monte Carlo simulation), a toleration framework (UK HSE ALARP + SFAIRP principles + Edwards v National Coal Board 1949 reverse burden of proof), a process-hazard methodology (HAZOP IEC 61882:2016 with guide-word/deviation analysis), a component-failure methodology (FMEA IEC 60812:2018 inductive bottom-up), a top-down logic methodology (FTA IEC 61025:2006 with boolean AND/OR/voting gates + minimal cut sets), a consequence-tree methodology (ETA IEC 62502:2010 inductive forward-branching), a combined visualization (Bowtie analysis with threats + barriers + consequences around a top event), a layered defense methodology (LOPA CCPS 2001 semi-quantitative with IPL credit + PFD), a cross-industry inspiration (ISO 14971:2019 medical-device risk management with benefit-risk analysis), an enterprise umbrella (ERM COSO 2017 + 3 Lines of Defense model IIA), and a cross-link to other axes (risk-based thinking ISO 9001:2015 clause 6.1; HARA ISO 26262; TARA ISO 21434).

This is the thirty-second engineering-axis deep-dive in the guide series — and the fifteenth cross-cutting infrastructure axis (parallel to joining DT + heat-dissipation DV + interference-mitigation DX + interconnect-trust DZ + acoustic-vibration-emission EB + safety-integrity ED + sustainability EF + repairability EH + environmental-conditioning EJ + privacy-preservation EL + reliability-prediction EN + SW-process EP + human-machine-fit ER + manufacturing-process ET, now risk-anticipation EV). Like reliability + SW + ergonomics + manufacturing quality, the risk-management axis has no «hardware» implementation — it is a methodology that defines how to systematically see the invisible: not the actual current failures (that is reliability + manufacturing-quality), but potential future failures (their scenarios + likelihood + consequence) across all 31 prior axes simultaneously and in their interactions, which no single-axis FMEA captures (e.g., the interaction of the battery-thermal axis with the EMC axis: a BMS-fault current generates EMI that affects the controller axis, which causes regen-brake malfunction, which forces reliance on the mechanical brake, which exceeds the brake-thermal axis limit — a 5-axis chain invisible to per-axis FMEA).

1. Risk management ≠ HARA ≠ FMEA: a separate axis

Reliability engineering (axis EN), functional safety (axis ED), cybersecurity (axis DZ), and manufacturing quality (axis ET) all use separate risk-related tools (FMEA, HARA, TARA, PFMEA). Risk-management engineering provides the meta-framework that unifies all of them under a single vocabulary and a single process:

Dimension | Reliability FMEA (EN) | Functional safety HARA (ED) | Cybersecurity TARA (DZ) | Manufacturing PFMEA (ET) | Risk management (EV)
--- | --- | --- | --- | --- | ---
Scope | Component failures | Vehicle-level hazards (E + S + C) | Cybersecurity threats (STRIDE) | Process steps | All of the above + interaction across axes
Trigger | Reliability allocation | ISO 26262 compliance | ISO 21434 compliance | PPAP / control plan | Strategic decision / project initiation
Output | RPN / AP per component | ASIL per hazard | CAL per threat | AP per process step | Risk register + risk matrix + treatment plan
Standard | IEC 60812:2018 | ISO 26262:2018 | ISO/SAE 21434:2021 | AIAG-VDA FMEA 2019 | ISO 31000:2018 + ISO/IEC 31010:2019
Granularity | Component | Vehicle function | System interface | Manufacturing step | Enterprise + project + operational
Vocabulary | Failure mode + cause + effect | Hazard + severity + exposure + controllability | Threat + attack + impact + feasibility | Failure mode + cause + effect | Risk + hazard + consequence + likelihood + treatment

ISO 31000:2018 explicitly states: «It can be applied throughout the life of the organization and to a wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets.» Risk-management engineering is the organization-level scaffolding on which specific-axis tools (FMEA, HARA, TARA, PFMEA) sit as specific techniques from ISO/IEC 31010:2019’s 41-method catalogue. FMEA does not replace risk management; risk management tells you when and why to run an FMEA, how to connect its output to top-management decisions, and how to combine its output with parallel FTA + Bowtie + LOPA output to obtain a complete risk picture.

2. ISO 31000:2018 — principles + framework + process foundation

ISO 31000:2018 Risk management — Guidelines was published in February 2018 and replaced ISO 31000:2009 with a major simplification (from 11 principles → 8 principles; from 5 + 11 framework components → 6 components; from a 7-step process → a 7-step process with clearer wording). It is a guidance standard (not a certification standard like ISO 9001) and sets out the general architecture of risk management for any type of organization, any kind of risk, in any context.

8 principles (clause 4 of ISO 31000:2018):

  1. Integrated — risk management is an integral part of all organizational activities, not an add-on.
  2. Structured and comprehensive — a structured + comprehensive approach gives consistent + comparable results.
  3. Customized — the risk-management framework + process is tailored to the organization’s context.
  4. Inclusive — appropriate + timely involvement of stakeholders enables knowledge + perception integration.
  5. Dynamic — risks emerge, change, disappear — RM must anticipate, detect, acknowledge.
  6. Best available information — based on historical + current data + stakeholder feedback + future expectations; transparent regarding limitations.
  7. Human and cultural factors — significantly influence risk management at all levels and stages.
  8. Continual improvement — through learning + experience.

Framework of 6 components (clause 5, a plan-do-check-act cycle):

  • Leadership and commitment (5.2) — top-management ownership, integration into organizational governance.
  • Integration (5.3) — RM iterative, embedded in decision-making.
  • Design (5.4) — context + stakeholders + framework design + resources + communication.
  • Implementation (5.5) — execute the framework with clear roles + competence.
  • Evaluation (5.6) — measure framework effectiveness against intended purpose.
  • Improvement (5.7) — adapting + continually improving.

Risk-management process of 7 stages (clause 6, iterative + dynamic):

  1. Scope, context, criteria (6.3) — establish boundaries + risk criteria.
  2. Risk identification (6.4.2) — find + recognize + describe risks.
  3. Risk analysis (6.4.3) — comprehend the nature of risk + likelihood + consequence.
  4. Risk evaluation (6.4.4) — compare against criteria; decide on treatment.
  5. Risk treatment (6.5) — modify the risk (avoid / reduce / share / retain).
  6. Communication and consultation (6.2) — engage stakeholders throughout (cross-cuts all stages).
  7. Monitoring and review (6.6) — track changes + verify treatments + update.

Key concept: the process is iterative + cross-cutting — communication + monitoring are not «steps in a line» but continuous activities during all the other steps.

3. ISO Guide 73:2009 + ISO/IEC 31010:2019 — vocabulary + 41 techniques

ISO Guide 73:2009 Risk management — Vocabulary gives 61 terms as the unified vocabulary for all ISO management-system standards. Key terms:

  • Risk — «effect of uncertainty on objectives». Note 1: the effect can be positive, negative, or both. Note 2: objectives can have various aspects (financial, health, safety, environmental). Note 3: risk is often characterized by reference to potential events + consequences + likelihood.
  • Hazard — «source of potential harm» (NOT the same as risk).
  • Consequence — «outcome of an event affecting objectives».
  • Likelihood — «chance of something happening» (NOT probability strictly — likelihood includes subjective + objective + numerical + non-numerical).
  • Risk owner — «person or entity with accountability and authority to manage a risk».
  • Risk appetite — «amount and type of risk an organization is willing to pursue or retain».
  • Risk tolerance — «organization’s readiness to bear risk after risk treatment» (deviation allowed from appetite).
  • Residual risk — «risk remaining after risk treatment».

ISO/IEC 31010:2019 Risk assessment techniques replaced ISO 31010:2009 with an expanded catalogue of 41 assessment techniques (vs 31 in 2009). Each technique is evaluated against 6 criteria: complexity, nature of resources required, nature of uncertainty addressed, ability to provide quantitative output, type of risks addressed, applicability across process steps. The 41 techniques are categorized as:

Generic identification + analysis techniques (≈12):

  • Brainstorming
  • Delphi technique
  • Nominal group technique
  • Structured interview
  • Checklist
  • Structured what-if (SWIFT)
  • Preliminary hazard analysis (PHA)
  • Survey
  • Scenario analysis
  • Toxicological risk assessment
  • Cindynics method
  • Root cause analysis (RCA)

Cause/source analysis (≈4):

  • Ishikawa (fishbone) analysis
  • Pareto analysis
  • 5-Why analysis
  • Bayesian network

Function/process analysis (≈8):

  • FMEA + FMECA (IEC 60812)
  • FTA (IEC 61025)
  • ETA (IEC 62502)
  • Cause-consequence analysis (combined FTA+ETA, predecessor of Bowtie)
  • HAZOP (IEC 61882)
  • HAZID (Hazard Identification)
  • LOPA (CCPS)
  • Bowtie

Control assessment (≈4):

  • LOPA
  • Bowtie
  • Markov analysis
  • Reliability-centered maintenance (RCM)

Decision support (≈8):

  • Decision tree
  • Monte Carlo simulation
  • Sensitivity analysis
  • Multi-criteria decision analysis (MCDA)
  • Cost-benefit analysis
  • Cost-effectiveness analysis
  • Value engineering / target costing
  • Game theory

Human + organizational factors (≈5):

  • Human reliability analysis (HRA)
  • THERP (Technique for Human Error Rate Prediction)
  • SHERPA
  • Bow-tie with human factors
  • Safety culture assessment

4. Kaplan & Garrick 1981 triplet — formal definition of risk

Kaplan & Garrick in the seminal paper «On The Quantitative Definition of Risk» (Risk Analysis, Vol. 1, No. 1, 1981) proposed the triplet definition of risk, which became the foundational concept of quantitative risk analysis:

Risk = { ⟨s_i, p_i, x_i⟩ }, where for each scenario i:

  • s_i — what can happen? (scenario description)
  • p_i — how likely is it that it will happen? (likelihood / probability)
  • x_i — what are the consequences if it does happen? (magnitude of consequence)

That is, risk is not a single number — it is a set of triplets across all possible scenarios. The common simplification «risk = likelihood × consequence» is a reduction of the triplet to a single expected-value metric, which loses variance + tail-risk + non-numeric considerations. For critical infrastructure (nuclear plant, aerospace, medical device), a single expected value is insufficient: a scenario with low likelihood + extreme consequence (a plutonium accident) has the same expected value as a scenario with high likelihood + moderate consequence (frequent minor damage) — but the second is tolerable while the first is intolerable.

For an e-scooter:

  • Scenario A: battery thermal runaway. p_A ≈ 10⁻⁶ per cycle. x_A = total loss + fire risk + potential bodily harm.
  • Scenario B: wet-brake stopping-distance increase. p_B ≈ 10⁻¹ per rainy ride. x_B = elevated near-miss frequency + occasional minor abrasion.

Expected value may signal B as «greater risk» (a larger expected harm), but A is catastrophic + irreversible, so ALARP requires aggressive A-treatment even if the expected value of A is smaller.

5. Risk register + risk matrix + heat map — core artifacts

The risk register is the centralised list of all identified risks at the organization / project level, with the row structure:

Field | Description
--- | ---
Risk ID | Unique identifier (R-001)
Description | What can happen (scenario)
Risk category | Strategic / operational / financial / compliance / reputational / technical
Risk owner | Who is accountable
Inherent likelihood | Before treatment (1-5)
Inherent consequence | Before treatment (1-5)
Inherent risk score | L × C
Current controls | Which barriers are already in place
Current risk score | After existing controls
Treatment plan | Avoid / reduce / share / retain — details
Target risk score | After planned treatment
Residual risk score | The current actual residual
Review date | When the next reassessment is due

The risk matrix is a 5×5 (or 4×4, 6×6) grid of likelihood × consequence with colour-coded cells (green = broadly acceptable, yellow = ALARP region, red = intolerable):

Likelihood \ Consequence | C1 minor | C2 moderate | C3 major | C4 severe | C5 catastrophic
--- | --- | --- | --- | --- | ---
L5 almost certain | M | H | H | E | E
L4 likely | M | M | H | H | E
L3 possible | L | M | M | H | H
L2 unlikely | L | L | M | M | H
L1 rare | L | L | L | M | M

L=Low, M=Medium, H=High, E=Extreme. Calibration matters — the likelihood scale must have frequency anchors (L5 = ≥ once per year; L1 = < once per 1000 years), the consequence scale must have harm anchors (C5 = single fatality + national news; C1 = first-aid only). Without anchors, the matrix degenerates into subjective scoring, which does not give comparable cross-project results.

The heat map is a visualization of the risk register on the matrix, positioning each risk as a bubble (size = risk score, colour = category, arrow = trajectory from current to target).

Risk matrices have well-known pitfalls, as Tony Cox warned in the seminal paper «What’s Wrong with Risk Matrices?» (Risk Analysis, 2008):

  • Reverse ranking — two risks with the same colour can differ by a factor of 1000 in actual expected value because of the discrete binning.
  • Range compression — a log-scale likelihood (10⁻⁶ to 10⁰) compressed into a 5-bin range loses 6 orders of magnitude.
  • Categorization is not unique — the same risk lands in different cells under different choices of anchors.

ISO/IEC 31010:2019 recommends the risk matrix only for qualitative screening + semi-quantitative comparison; for critical decisions — supplement with FTA + LOPA + Bayesian methods.
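The following added example (not code from the original article) puts the Kaplan & Garrick triplet of section 4 and the anchored 5×5 matrix of this section side by side: it rates the article's scenarios A and B on the matrix, computes their «likelihood × consequence» reduction, and measures Cox's range-compression effect as the spread of expected harm hidden inside one rating colour. The frequency and harm bin edges, the annual exposures (500 charge cycles, 60 rainy rides) and the harm scale are constructed assumptions.

```python
"""Anchored 5x5 risk matrix vs Kaplan & Garrick expected harm.

Added example, not code from the original article. The bin edges below are
constructed decade anchors (events per year; harm on an abstract scale with
1 = first-aid only and 1e4 = catastrophic); they are assumptions for
illustration, not figures from ISO/IEC 31010 or any regulator.
"""
from dataclasses import dataclass
from itertools import product

# Rating grid from the article: rows L5..L1, columns C1..C5.
MATRIX = {5: "MHHEE", 4: "MMHHE", 3: "LMMHH", 2: "LLMMH", 1: "LLLMM"}

# Bin edges [lower, upper) per level. The open-ended bins (L1 lower, L5 upper,
# C5 upper) are capped here so that a cell's expected-harm span is finite;
# the caps are assumptions.
LIKELIHOOD_EDGES = {1: (1e-4, 1e-3), 2: (1e-3, 1e-2), 3: (1e-2, 1e-1),
                    4: (1e-1, 1.0), 5: (1.0, 10.0)}
CONSEQUENCE_EDGES = {1: (1.0, 10.0), 2: (10.0, 100.0), 3: (100.0, 1e3),
                     4: (1e3, 1e4), 5: (1e4, 1e5)}


def bin_for(value: float, edges: dict) -> int:
    """Map a numeric value onto its 1..5 bin; values beyond the caps
    saturate at the extreme bins."""
    for level in (5, 4, 3, 2):
        if value >= edges[level][0]:
            return level
    return 1


@dataclass(frozen=True)
class Scenario:
    """One Kaplan & Garrick triplet <s_i, p_i, x_i>, with p_i converted to an
    annual frequency through an assumed exposure count."""
    name: str
    p_per_exposure: float      # e.g. 1e-6 per charge cycle
    exposures_per_year: float
    harm: float                # x_i on the abstract harm scale

    @property
    def frequency_per_year(self) -> float:
        return self.p_per_exposure * self.exposures_per_year

    @property
    def expected_harm(self) -> float:
        """The 'likelihood x consequence' reduction of the triplet."""
        return self.frequency_per_year * self.harm


def rate(s: Scenario) -> tuple:
    """Return (L, C, rating letter) for a scenario on the anchored matrix."""
    l_bin = bin_for(s.frequency_per_year, LIKELIHOOD_EDGES)
    c_bin = bin_for(s.harm, CONSEQUENCE_EDGES)
    return l_bin, c_bin, MATRIX[l_bin][c_bin - 1]


def rank_by_expected_harm(scenarios: list) -> list:
    """Names ordered by the single-number reduction, largest first."""
    return [s.name for s in sorted(scenarios, key=lambda s: s.expected_harm,
                                   reverse=True)]


def rating_span(rating: str) -> tuple:
    """Cox's range-compression check: the smallest and largest expected harm
    that can land in any cell carrying this rating letter."""
    lows, highs = [], []
    for l_bin, c_bin in product(range(1, 6), range(1, 6)):
        if MATRIX[l_bin][c_bin - 1] == rating:
            lows.append(LIKELIHOOD_EDGES[l_bin][0] * CONSEQUENCE_EDGES[c_bin][0])
            highs.append(LIKELIHOOD_EDGES[l_bin][1] * CONSEQUENCE_EDGES[c_bin][1])
    return min(lows), max(highs)


# Constructed instances of the article's scenarios A and B.
THERMAL_RUNAWAY = Scenario("A: battery thermal runaway", 1e-6, 500, 1e4)
WET_BRAKE = Scenario("B: wet-brake stopping distance", 1e-1, 60, 1.0)


if __name__ == "__main__":
    for s in (THERMAL_RUNAWAY, WET_BRAKE):
        print(s.name, rate(s), f"E[harm]={s.expected_harm:g}/yr")
    print("ranked by expected harm:",
          rank_by_expected_harm([THERMAL_RUNAWAY, WET_BRAKE]))
    lo, hi = rating_span("M")
    print(f"rating M hides expected harm from {lo:g} to {hi:g} (x{hi / lo:g})")
```

Both scenarios land in a Medium cell and the single-number reduction ranks B above A, while the triplet still records that x_A sits in the catastrophic bin; with decade anchors every rating band spans three orders of magnitude of expected harm, which is the compression Cox describes.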

6. ALARP + SFAIRP — toleration framework

ALARP — «As Low As Reasonably Practicable» — the UK Health and Safety Executive (HSE) framework, originating from the landmark UK Court of Appeal case Edwards v National Coal Board, 1949: the judges articulated the employer’s duty to reduce risk «so far as is reasonably practicable», where «reasonably practicable» means demanding action until the cost (money + time + trouble) becomes grossly disproportionate to the risk reduction.

SFAIRP — «So Far As Is Reasonably Practicable» — the wording of the UK Health and Safety at Work Act 1974, which is synonymous with ALARP in practice. The EU machinery directive and Australian work-health-safety law also use the SFAIRP wording.

ALARP region in the risk matrix:

Risk level
  │ ████████████ INTOLERABLE — must eliminate or accept extraordinary justification
  │ ────────── upper tolerability limit (e.g., 10⁻³/year individual fatality)
  │ ▓▓▓▓▓▓▓▓▓▓▓▓ ALARP REGION — risk tolerable only if reduced ALARP
  │ ▓▓▓▓▓▓▓▓▓▓▓▓ (reverse burden of proof — duty-holder must show further reduction grossly disproportionate)
  │ ────────── lower tolerability limit (e.g., 10⁻⁶/year — broadly acceptable threshold)
  │ ░░░░░░░░░░░░ BROADLY ACCEPTABLE — no further treatment required
  └──────────────────────► Time / scope

Reverse burden of proof — in the ALARP region the duty-holder (manufacturer / operator) must proactively prove that further risk reduction would require a gross disproportion of cost vs benefit. This is an active stance, not passive: the absence of proof = the absence of ALARP compliance.

Gross disproportion factor (GDF) — the UK HSE Reducing Risks, Protecting People (2001) proposes the GDF as a multiplier for the expected-value cost-benefit: for high-consequence risks, GDF can sit in the range 3× to 10× (the cost of a safety measure can exceed the risk-reduction benefit by 3-10× and still be ALARP-compliant). For an individual-fatality risk near the upper bound, GDF can be 10× or higher.

Risk appetite vs tolerance (ISO Guide 73:2009):

  • Risk appetite — a strategic statement: «we are willing to take risks of type X up to magnitude Y in pursuit of objective Z» (proactive boundary).
  • Risk tolerance — operational deviation allowed from appetite: «we can absorb a residual risk up to W in temporary situations» (operational flexibility).

For an e-scooter manufacturer:

  • Appetite: «accept the material risks intrinsic to a motorized 2-wheel vehicle (likelihood of fall = pedestrian baseline × 5)»
  • Tolerance: «individual fatality risk ≤ 10⁻⁶ per million km regardless of vehicle category»

7. HAZOP — IEC 61882:2016 deviation/guide-word methodology

HAZOP — Hazard and Operability Study — a formal structured technique for process-system hazard identification, founded at Imperial Chemical Industries (ICI) in the 1960s, formalized by Trevor Kletz of ICI in the 1970s, and standardized as IEC 61882:2016 Hazard and operability studies (HAZOP studies) — Application guide. Originally a process-chemistry tool; broadly applicable to any system with identifiable flows + parameters.

Methodology:

  1. Node decomposition — the system is broken into «nodes» (pipe section, vessel, control loop, software module).
  2. Parameter list per node — for each node, enumerate parameters (flow, pressure, temperature, level, composition, time, sequence, signal).
  3. Guide-word application — for each parameter, apply guide words systematically:
    • NO / NONE / NOT — total absence of the intended condition.
    • MORE / HIGH — quantitative increase.
    • LESS / LOW — quantitative decrease.
    • AS WELL AS — an additional unintended condition is present.
    • PART OF — only part of the intended condition is present.
    • REVERSE / OPPOSITE — the opposite direction / order.
    • OTHER THAN — completely different from intent.
  4. Deviation = parameter × guide-word — for each pair (e.g., «flow + NO» = «no flow»), the team brainstorms causes + consequences + existing safeguards + recommendations.
  5. Tabular record — all deviations + analyses are recorded in the HAZOP worksheet.

For an e-scooter BMS (example node = «battery-cell voltage measurement loop»):

Parameter | Guide-word | Deviation | Cause | Consequence | Safeguard | Recommendation
--- | --- | --- | --- | --- | --- | ---
Voltage | NO | No measurement | Wire break, ADC fail | BMS cannot detect overvoltage → thermal-runaway risk | Diagnostic timeout | Add redundant measurement
Voltage | MORE | Measurement higher than actual | Sensor calibration drift | Charge cutoff triggers prematurely → reduced range; or BMS allows undervoltage | Periodic self-cal | Implement Type-1 Gage Study at PV
Voltage | LESS | Measurement lower than actual | Sensor calibration drift, ground loop | BMS allows overcharging → thermal runaway | Plausibility check vs pack voltage sum | Add cell-voltage sum-check

HAZOP is strong at identifying systematic + scenario-based hazards that FMEA may miss (because FMEA is component-by-component while HAZOP is flow/parameter-by-parameter).

8. FMEA + FMECA — IEC 60812:2018 inductive bottom-up

FMEA — Failure Mode and Effects Analysis — an inductive bottom-up technique that, for each component, enumerates modes of failure (how the component can fail) + effects (what the failure causes) + severity + likelihood + detectability. FMECA — FMEA + Criticality analysis — adds a criticality matrix positioning failure modes by severity × likelihood.

IEC 60812:2018 Failure modes and effects analysis (FMEA and FMECA) was published in August 2018, replacing IEC 60812:2006. It standardizes:

  • Methodology — 8 steps (planning + structure analysis + function analysis + failure analysis + risk analysis + optimization + documentation + audit).
  • Severity scale — 1 (negligible) to 10 (catastrophic without warning).
  • Occurrence scale — 1 (extremely remote, ≤ 1/1.5M) to 10 (very high, ≥ 1/2).
  • Detection scale — 1 (almost certain detection) to 10 (no detection).
  • RPN = S × O × D (traditional) — but criticized for hidden discontinuities (RPN=120 may carry lower risk than RPN=90 depending on the individual S/O/D combinations).
  • AIAG-VDA FMEA 2019 replaces RPN with an Action Priority (AP) lookup table (High/Medium/Low for each S+O+D combination).

Cross-links to other axes:

  • DFMEA (design FMEA) — used in the reliability axis (EN) + functional-safety axis (ED).
  • PFMEA (process FMEA) — used in the manufacturing-quality axis (ET).
  • FMECA-Cybersecurity — adapted in the cybersecurity axis (DZ) as a component-level supplement to TARA.
  • Software FMEA (SFMEA) — used in the SW-process axis (EP) per IEC 61508-3.

9. FTA — IEC 61025:2006 deductive top-down boolean logic

FTA — Fault Tree Analysis — a deductive top-down boolean-logic technique, founded by H. A. Watson at Bell Labs in 1962 for the Minuteman missile launch-control system safety analysis. Broadly adopted after the WASH-1400 Reactor Safety Study (Rasmussen, 1975) for nuclear safety. Standardized as IEC 61025:2006 Fault tree analysis (FTA).

Structure:

  • Top event — the undesired event at the system level (e.g., «brake system fails to stop the scooter»).
  • Intermediate events — sub-failures decomposing the top event.
  • Basic events — component-level primary failures (no further decomposition).
  • Undeveloped events — known events not decomposed due to lack of data or scope.
  • Gates:
    • AND gate (∩) — the output failure occurs only if all input failures occur.
    • OR gate (∪) — the output failure occurs if any input fails.
    • Voting (k-out-of-n) gate — the output failure occurs if at least k of n inputs fail.
    • INHIBIT gate — the output occurs only if the input event AND a conditional event are true.
    • Priority AND — the output requires specific input ordering.
    • Exclusive OR (XOR) — exactly one input.

Minimal cut set (MCS) — the smallest combination of basic events that causes the top event. Top-event probability = sum over all MCSs of the product of basic-event probabilities (under an independence assumption).

For an e-scooter the top event = «motor controller drives wheel uncontrollably»:

                    (motor drives uncontrollably)
                              [OR]
                    ┌───────────┴───────────┐
         (throttle stuck-high)        (controller faulty)
                  [OR]                        [OR]
           ┌───────┴───────┐           ┌───────┴───────┐
    (throttle pot      (wire       (MCU stuck)    (firmware fault)
        fault)         short)                         [AND]
                                               ┌───────┴───────┐
                                          (logic bug)   (plausibility
                                                         check disabled)

Minimal cut sets:

  • MCS₁ = {throttle pot fault}
  • MCS₂ = {wire short}
  • MCS₃ = {MCU stuck}
  • MCS₄ = {logic bug, plausibility check disabled}

Top-event probability ≈ P(MCS₁) + P(MCS₂) + P(MCS₃) + P(MCS₄). If MCS₄ = 10⁻⁴ × 10⁻¹ = 10⁻⁵ vs MCS₁ = 10⁻³ — the throttle pot dominates and treatment must focus on reducing P(throttle pot fault) before chasing redundant plausibility logic.
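The added example below (not code from the original article or IEC 61025) builds the fault tree above from AND/OR gates, derives its minimal cut sets by boolean expansion and superset removal, and compares the article's rare-event sum with an exact enumeration so the approximation can be checked. The probabilities for the throttle pot, the logic bug and the disabled plausibility check follow the article; the values for «wire short» and «MCU stuck» are constructed.

```python
"""Fault-tree minimal cut sets and top-event probability.

Added example, not from the original article or from IEC 61025. The tree is
the article's 'motor drives uncontrollably' example; basic-event
probabilities for 'wire short' and 'MCU stuck' are constructed, the others
follow the article's figures. All basic events are assumed independent.
"""
from dataclasses import dataclass
from itertools import product
from math import prod


@dataclass(frozen=True)
class Basic:
    name: str
    p: float              # probability of the basic event (per demand)


@dataclass(frozen=True)
class Gate:
    kind: str             # "AND" or "OR"
    inputs: tuple         # Basic or Gate instances


def minimize(sets: set) -> set:
    """Drop any cut set that is a strict superset of another cut set."""
    return {s for s in sets if not any(o < s for o in sets)}


def cut_sets(node) -> set:
    """Expand the tree into cut sets (sets of basic events that cause the
    parent), then keep only the minimal ones."""
    if isinstance(node, Basic):
        return {frozenset([node.name])}
    child_sets = [cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        combined = set().union(*child_sets)
    elif node.kind == "AND":
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unsupported gate {node.kind!r}")
    return minimize(combined)


def basics(node) -> dict:
    """Name -> probability for every basic event under this node."""
    if isinstance(node, Basic):
        return {node.name: node.p}
    out = {}
    for child in node.inputs:
        out.update(basics(child))
    return out


def rare_event_probability(node) -> float:
    """Sum over MCSs of the product of basic-event probabilities (the
    article's formula; an upper-bound approximation)."""
    probs = basics(node)
    return sum(prod(probs[e] for e in mcs) for mcs in cut_sets(node))


def exact_probability(node) -> float:
    """Exact top-event probability by enumerating all basic-event states
    (fine for small trees); used to check the rare-event approximation."""
    probs = basics(node)
    names = list(probs)
    mcss = cut_sets(node)
    total = 0.0
    for state in product((False, True), repeat=len(names)):
        failed = {n for n, f in zip(names, state) if f}
        if any(mcs <= failed for mcs in mcss):
            total += prod(probs[n] if f else 1 - probs[n]
                          for n, f in zip(names, state))
    return total


def dominant_cut_set(node) -> tuple:
    """The MCS with the largest share of the rare-event sum, and that share."""
    probs = basics(node)
    best = max(cut_sets(node), key=lambda m: prod(probs[e] for e in m))
    return best, prod(probs[e] for e in best) / rare_event_probability(node)


# The article's tree. 1e-3 (throttle pot), 1e-4 (logic bug) and 1e-1
# (plausibility check disabled) follow the article; 2e-4 (wire short) and
# 5e-5 (MCU stuck) are constructed values.
MOTOR_UNCONTROLLED = Gate("OR", (
    Gate("OR", (Basic("throttle pot fault", 1e-3), Basic("wire short", 2e-4))),
    Gate("OR", (Basic("MCU stuck", 5e-5),
                Gate("AND", (Basic("logic bug", 1e-4),
                             Basic("plausibility check disabled", 1e-1))))),
))

if __name__ == "__main__":
    for mcs in sorted(cut_sets(MOTOR_UNCONTROLLED), key=sorted):
        print("MCS:", sorted(mcs))
    print("rare-event sum:", rare_event_probability(MOTOR_UNCONTROLLED))
    print("exact:", exact_probability(MOTOR_UNCONTROLLED))
    print("dominant:", dominant_cut_set(MOTOR_UNCONTROLLED))
```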

10. ETA — IEC 62502:2010 inductive consequence-tree branching

ETA — Event Tree Analysis — an inductive forward-branching technique. It starts from an initiating event (the initial failure or trigger), then branches by the success/failure of each safety function / mitigation, producing a set of possible outcomes with probabilities. Standardized as IEC 62502:2010 Event tree analysis (ETA).

Structure:

  • Initiating event (column 1) — e.g., «throttle stuck-high signal».
  • Safety functions / mitigations (columns 2..N) — a sequence of barriers that can succeed (S, top branch) or fail (F, bottom branch).
  • Outcomes (terminal column) — the final consequence depending on the path through the tree.

For an e-scooter the initiating event = «throttle pot stuck high»:

Initiating        Plausibility    Brake        Operator         Outcome          P(path)
event             check works     applied      bails out
                  ┌─ S ────────── S ───────────────────────►  safe stop        0.95×…
                  │               └─ F ─────── S ──────────►  hard fall        …
throttle pot ─────┤                            └─ F ───────►  crash            …
stuck high        └─ F ────────── S ───────────────────────►  safe stop        …
                                  └─ F ─────── S ──────────►  crash            …
                                               └─ F ───────►  crash + injury   …

Outcome probabilities = the product of branch probabilities. The sum of all outcome probabilities = P(initiating event). The risk-profile decomposition shows which mitigations matter most — sensitivity to P(plausibility check fail) vs P(brake fail to apply) tells the designer where redundancy buys most.
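As an added example (not code from the original article or IEC 62502), the block below enumerates an event tree for the «throttle pot stuck high» initiating event, checks that the outcome frequencies sum to the initiating frequency, and computes the sensitivity of harm-weighted risk to each barrier's PFD, which is the «where does redundancy buy most» question above. It simplifies the diagram to a chain in which each barrier is demanded only after the previous one failed; the initiating frequency, the PFDs and the harm weights are constructed values.

```python
"""Event-tree enumeration with outcome frequencies and barrier sensitivity.

Added example, not from the original article or IEC 62502. The article's
'throttle pot stuck high' tree is modelled as a chain of barriers where each
barrier is demanded only when the previous one failed; the initiating
frequency, PFDs and harm weights are constructed values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Barrier:
    name: str
    pfd: float                 # probability the barrier fails on demand
    outcome_if_success: str


@dataclass(frozen=True)
class EventTree:
    initiating_event: str
    frequency_per_year: float
    barriers: tuple            # demanded in order; the first success ends the path
    outcome_if_all_fail: str

    def paths(self) -> list:
        """Enumerate (branch string of S/F, outcome, annual frequency) for
        every path through the tree."""
        result = []
        cumulative = self.frequency_per_year
        branch = ""
        for barrier in self.barriers:
            result.append((branch + "S", barrier.outcome_if_success,
                           cumulative * (1 - barrier.pfd)))
            cumulative *= barrier.pfd      # only failures continue the path
            branch += "F"
        result.append((branch, self.outcome_if_all_fail, cumulative))
        return result

    def outcome_frequencies(self) -> dict:
        """Annual frequency per outcome; they sum to the initiating frequency."""
        freqs = {}
        for _, outcome, f in self.paths():
            freqs[outcome] = freqs.get(outcome, 0.0) + f
        return freqs


def expected_harm(tree: EventTree, harm: dict) -> float:
    """Harm-weighted sum over outcomes (the harm scale is an assumption)."""
    return sum(f * harm[o] for o, f in tree.outcome_frequencies().items())


def barrier_sensitivity(tree: EventTree, harm: dict, delta: float = 1e-6) -> dict:
    """Central finite difference of expected harm w.r.t. each barrier's PFD:
    the largest value marks the barrier where a unit PFD improvement buys the
    most risk reduction (a Birnbaum-style importance measure)."""
    out = {}
    for i, b in enumerate(tree.barriers):
        def perturbed(pfd: float) -> float:
            barriers = list(tree.barriers)
            barriers[i] = Barrier(b.name, pfd, b.outcome_if_success)
            t = EventTree(tree.initiating_event, tree.frequency_per_year,
                          tuple(barriers), tree.outcome_if_all_fail)
            return expected_harm(t, harm)
        out[b.name] = (perturbed(b.pfd + delta) - perturbed(b.pfd - delta)) / (2 * delta)
    return out


# Constructed instance of the article's event tree.
THROTTLE_STUCK = EventTree(
    initiating_event="throttle pot stuck high",
    frequency_per_year=0.05,                     # constructed, per scooter-year
    barriers=(
        Barrier("plausibility check works", 0.1, "safe stop (throttle cut)"),
        Barrier("brake applied", 0.05, "safe stop (braked)"),
        Barrier("operator bails out", 0.5, "hard fall"),
    ),
    outcome_if_all_fail="crash + injury",
)
# Constructed harm weights on an abstract scale.
HARM = {"safe stop (throttle cut)": 0, "safe stop (braked)": 0,
        "hard fall": 10, "crash + injury": 1000}

if __name__ == "__main__":
    for branch, outcome, f in THROTTLE_STUCK.paths():
        print(f"{branch:<4} {outcome:<26} {f:.6g}/yr")
    print("expected harm/yr:", expected_harm(THROTTLE_STUCK, HARM))
    print("sensitivity:", barrier_sensitivity(THROTTLE_STUCK, HARM))
```

With these numbers the brake barrier has the largest sensitivity even though its PFD is already the lowest, because it gates both of the harmful outcomes; the operator-bail-out barrier ranks last since it only converts a crash into a fall.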

11. Bowtie — combined threats + barriers + consequences

Bowtie analysis — a visualization combining FTA (left side: threats → top event) + ETA (right side: top event → consequences) into a bowtie-shaped diagram with the top event in the centre, threats on the left, consequences on the right, and barriers as vertical lines between them. Formalized in the 1990s by Shell INSL HSE + ICI; commercial tooling BowTieXP by CGE Risk Management Solutions (Netherlands).

Bowtie structure:

   Threats              [top event]              Consequences
   ───────                                       ────────────
   T1 ──┐  ┃ B1 ┃  ┃ B2 ┃  ┃ B3 ┃    ╲  ┃ B4 ┃  ┃ B5 ┃ ─── C1
   T2 ──┤                  TE        ─╲           
   T3 ──┘  ┃ B1 ┃  ┃ B2 ┃            ─╱  ┃ B4 ┃         ─── C2

   B1..B3 = preventive barriers      B4..B5 = recovery/mitigation barriers

Barriers:

  • Preventive barriers (left side) — prevent the threat from realizing the top event.
  • Recovery barriers (right side) — mitigate the top-event consequences.
  • Escalation factors — conditions that weaken a barrier (e.g., «sensor calibration drift weakens the BMS overvoltage barrier»).

Barrier-effectiveness rating — barriers are classified per the CCPS standard 8-grade scale:

  • Active vs passive
  • Hardware vs procedural vs administrative
  • Independent vs dependent (sharing a common-mode failure)
  • PFD-rated for SIL compliance (LOPA cross-link)

For an e-scooter the top event = «battery thermal runaway»:

Threats (preventive barriers →) | Top event | Consequences (← recovery barriers)
--- | --- | ---
T1: overcharge → [BMS overvoltage cutoff] + [charger CC/CV control] + [fuse] | TR | [thermal-runaway propagation barrier between cells] + [fire-rated battery case] → C1: pack fire contained
T2: external short → [fuse] + [BMS overcurrent] | TR | [user warning beep + thermal cutoff] + [water-mist suppression] → C2: scooter ignition, user evacuates
T3: mechanical damage (puncture) → [case impact resistance] + [BMS isolation check] | TR | (insufficient recovery) → C3: pack fire spreads
T4: cell-internal short (manufacturing defect) → [cell-grading PPAP] + [ageing-detection BMS] | TR | [thermal-runaway propagation barrier between cells] → C4: single-cell event isolated

Bowtie’s strength is the single visualization with clear barrier dependencies + escalation factors + cross-link to a specific axis (BMS, charger, case, cell-grading, ageing-detection all converge around one top event).

12. LOPA — Layer of Protection Analysis CCPS 2001

LOPA — Layer of Protection Analysis — a semi-quantitative methodology, formalized by the Center for Chemical Process Safety (CCPS) of AIChE in the 2001 book «Layer of Protection Analysis: Simplified Process Risk Assessment». This method bridges qualitative HAZOP/Bowtie and quantitative QRA with modest data requirements + explicit IPL credit accounting.

LOPA structure:

  1. Initiating cause with frequency (events per year, e.g., 0.1/yr = once per 10 years).
  2. Independent Protection Layers (IPLs) — each layer reduces risk by a factor of 10 (PFD = 0.1, RRF = 10) up to 100 (PFD = 0.01, RRF = 100).
  3. IPL qualification criteria — must be specific (designed for this scenario), independent (no common-mode failure with other IPLs), dependable (PFD validated by test/audit), auditable (records maintained).
  4. Frequency calculation — final scenario frequency = initiating frequency × product of IPL PFDs.
  5. Risk acceptance — compare to tolerance criteria; if it exceeds them → add an IPL.

For an e-scooter the initiating cause «BMS detection failure during overcharge»:

Layer | Type | PFD | RRF | Cumulative
--- | --- | --- | --- | ---
Initiating frequency (charger CV mode fails high) | — | — | — | 0.01/yr
IPL 1: BMS cell-voltage cutoff (qualified for this scenario) | active SIS | 0.01 | 100 | 10⁻⁴/yr
IPL 2: pack-voltage sum-check (independent of cell-voltage) | active SIS | 0.1 | 10 | 10⁻⁵/yr
IPL 3: fuse current cutoff | passive | 0.01 | 100 | 10⁻⁷/yr
IPL 4: thermal cutoff (PTC + thermistor) | active mechanical | 0.1 | 10 | 10⁻⁸/yr
Scenario consequence | catastrophic (fire + bodily harm) | — | — | risk = 10⁻⁸/yr × catastrophic

LOPA tells the designer: 3-4 IPLs are needed for catastrophic outcomes; 2-3 IPLs for serious outcomes; 1 IPL for marginal. If a single BMS cutoff is insufficient — LOPA explicitly quantifies the gap and defends the additional-layer cost-benefit.

LOPA ↔ SIL determination — a cross-link with IEC 61508 functional-safety axis (ED): each IPL with a safety-related function has a minimum SIL requirement derived from the required RRF.
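The added example below (not code from the original article or the CCPS book) runs the overcharge scenario of this section as LOPA arithmetic: only layers that pass the four IPL qualification criteria earn credit, the cumulative frequency is tracked layer by layer, the remaining gap to tolerance is expressed as a required risk-reduction factor, and that factor is mapped to the SIL of the layer that would close it. The tolerable frequency of 10⁻⁶/yr for a catastrophic outcome is a constructed criterion; the SIL bands are the IEC 61508 low-demand PFDavg ranges.

```python
"""LOPA: IPL credit accounting, gap to tolerance and SIL of the missing layer.

Added example, not from the original article or the CCPS book. The layers
and PFDs are the article's overcharge scenario; the tolerable-frequency
criterion (1e-6/yr for a catastrophic outcome) is a constructed assumption,
and the SIL bands are the IEC 61508 low-demand PFDavg ranges.
"""
from dataclasses import dataclass
from math import ceil, log10, prod
from typing import Optional


@dataclass(frozen=True)
class IPL:
    name: str
    pfd: float
    specific: bool = True      # designed for this scenario
    independent: bool = True   # no common-mode failure with other IPLs
    dependable: bool = True    # PFD validated by test/audit
    auditable: bool = True     # records maintained

    @property
    def qualified(self) -> bool:
        """Only layers meeting all four CCPS criteria earn credit."""
        return self.specific and self.independent and self.dependable and self.auditable

    @property
    def rrf(self) -> float:
        return 1.0 / self.pfd


@dataclass(frozen=True)
class LopaScenario:
    description: str
    initiating_frequency: float   # events per year
    layers: tuple
    tolerable_frequency: float    # criterion for this consequence class


def credited_layers(s: LopaScenario) -> list:
    return [l for l in s.layers if l.qualified]


def mitigated_frequency(s: LopaScenario) -> float:
    """Initiating frequency x product of the credited layers' PFDs."""
    return s.initiating_frequency * prod(l.pfd for l in credited_layers(s))


def cumulative_table(s: LopaScenario) -> list:
    """Running frequency after each credited layer, like the article's table."""
    rows, f = [], s.initiating_frequency
    for l in credited_layers(s):
        f *= l.pfd
        rows.append((l.name, f))
    return rows


def required_additional_rrf(s: LopaScenario) -> float:
    """Risk-reduction factor still missing to reach tolerance (1.0 = none)."""
    return max(1.0, mitigated_frequency(s) / s.tolerable_frequency)


def sil_for_rrf(rrf: float) -> Optional[int]:
    """IEC 61508 low-demand bands: SIL1 RRF 10..100, SIL2 100..1000,
    SIL3 1000..10000, SIL4 10000..100000. None when no extra SIF is needed.
    The RRF is rounded to 6 significant digits so a gap of exactly 100 does
    not flip bands through floating-point noise."""
    rrf = float(f"{rrf:.6g}")
    if rrf <= 1.0:
        return None
    sil = ceil(log10(rrf)) - 1
    if sil < 1:
        return 1
    if sil > 4:
        raise ValueError("required RRF beyond SIL4; redesign the process")
    return sil


# The article's four layers.
BMS_CUTOFF = IPL("IPL 1: BMS cell-voltage cutoff", 0.01)
SUM_CHECK = IPL("IPL 2: pack-voltage sum-check", 0.1)
FUSE = IPL("IPL 3: fuse current cutoff", 0.01)
THERMAL_CUTOFF = IPL("IPL 4: thermal cutoff (PTC + thermistor)", 0.1)
INITIATING = 0.01   # charger CV mode fails high, per year (article's figure)
TOLERABLE = 1e-6    # constructed criterion for a catastrophic outcome

FULL_DESIGN = LopaScenario("overcharge, all four IPLs", INITIATING,
                           (BMS_CUTOFF, SUM_CHECK, FUSE, THERMAL_CUTOFF), TOLERABLE)
BMS_ONLY = LopaScenario("overcharge, BMS cutoff only", INITIATING,
                        (BMS_CUTOFF,), TOLERABLE)
# Constructed variant: the sum-check shares the cell-measurement ADC ground,
# so it fails the independence criterion and earns no credit.
SHARED_GROUND = LopaScenario(
    "overcharge, sum-check not independent", INITIATING,
    (BMS_CUTOFF, IPL(SUM_CHECK.name, SUM_CHECK.pfd, independent=False),
     FUSE, THERMAL_CUTOFF), TOLERABLE)

if __name__ == "__main__":
    for s in (FULL_DESIGN, BMS_ONLY, SHARED_GROUND):
        gap = required_additional_rrf(s)
        print(f"{s.description}: {mitigated_frequency(s):.2e}/yr, "
              f"gap RRF {gap:g}, SIL of missing layer: {sil_for_rrf(gap)}")
```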

13. ISO 14971:2019 — medical-device risk management cross-industry inspiration

ISO 14971:2019 Medical devices — Application of risk management to medical devices — although its target sector is medical, the methodology is widely respected cross-industry as an operational implementation of ISO 31000 with explicit benefit-risk + iterative + lifecycle integration. EN ISO 14971:2019 is a harmonized standard for the EU Medical Device Regulation (MDR) 2017/745 + the In Vitro Diagnostic Regulation (IVDR) 2017/746. The US FDA recognizes ISO 14971:2019 as a consensus standard for medical-device risk management.

Key concepts from ISO 14971 (applicable to e-scooter risk management):

  • Harm — «injury or damage to the health of people, or damage to property or the environment».
  • Hazard — «potential source of harm».
  • Hazardous situation — «circumstance in which people, property, or the environment are exposed to one or more hazards».
  • Sequence of events — an explicit chain from hazard → hazardous situation → harm with probabilities P1 (hazardous situation given hazard) × P2 (harm given hazardous situation).
  • Benefit-risk analysis — an explicit weighing of clinical benefit vs residual risk; if benefit does not outweigh the risk, treatment must continue or the product cannot be released.
  • Risk-management file (RMF) — a single source of truth for all RM activities throughout the product lifecycle.
  • Post-production information — a formal feedback loop from field use back into the RM file (the analogue for an e-scooter is warranty + recall + accident data).

ISO 14971 ↔ ISO 31000 — ISO 14971 is the industry-specific implementation; ISO 31000 is the generic framework. ISO 14971 is prescriptive (mandatory steps + records); ISO 31000 is guidance (principles + structure).

14. ERM COSO 2017 + 3 Lines of Defense + risk-based thinking

ERM — Enterprise Risk Management — the broader organization-level RM that integrates strategy + objectives + performance + governance. COSO (Committee of Sponsoring Organizations of the Treadway Commission) — a joint initiative of AICPA + AAA + FEI + IIA + IMA — published the seminal 2004 COSO ERM Framework; updated as 2017 ERM — Integrating with Strategy and Performance with 5 components + 20 principles.

5 components of COSO ERM 2017:

  1. Governance and Culture — board oversight, operating structures, ethics, talent, accountability.
  2. Strategy and Objective-Setting — business context, risk appetite, evaluation of alternative strategies, business-objective formulation.
  3. Performance — risk identification, severity assessment, prioritization, response, portfolio view.
  4. Review and Revision — substantial change assessment, performance review, RM improvement.
  5. Information, Communication, and Reporting — leveraging information, communication, reporting on risk + culture + performance.

3 Lines of Defense (originally an IIA Position Paper 2013, updated as the IIA Three Lines Model in 2020) — the governance roles in risk management:

  • First Line — operational management owns + manages risks at the point of action (engineers, production operators, sales).
  • Second Line — risk + compliance + quality functions provide framework + advice + monitoring (Chief Risk Officer, ISO 9001 QMS team).
  • Third Line — internal audit provides independent assurance of the effectiveness of the first + second lines.

Risk-based thinking as a cross-link to ISO 9001:2015 clause 6.1 — perhaps the most consequential change in the 2015 revision: risks + opportunities must be identified in the context of the organization’s QMS scope; treatment must integrate with planning. ISO 9001 does not require a formal risk-assessment methodology (like ISO 31000) — leaves the choice to the organization — but does require evidence that risks have been considered + addressed.

Cross-links to safety-critical axes:

  • HARA ISO 26262:2018 Part 3 — Hazard Analysis and Risk Assessment for automotive functional safety; severity (S0-S3) × exposure (E0-E4) × controllability (C0-C3) → ASIL (A-D).
  • TARA ISO/SAE 21434:2021 — Threat Analysis and Risk Assessment for automotive cybersecurity; CAL (Cybersecurity Assurance Level 1-4) determination.

Risk-management engineering (EV) provides the framework that says when to run HARA/TARA, how to feed their output into the organization-level risk register, and how to monitor residual risk through field-experience cycles.

15. Cross-axis matrix — risk-management relevance to the 31 prior axes

Engineering axis (prior) | Risk-management concept (this axis additionally constrains)
DT Joining (fastener torque) | Bowtie with top event «fastener loosens»; threats = vibration + thermal cycling + corrosion; barriers = thread-locker + torque mark + audit.
DV Heat-dissipation | FTA top event «component over-temp»; basic events = fan fail + paste degradation + ambient extreme; MCS analysis.
DX EMC/EMI | HAZOP node = «shield current return path»; guide-word «NO» = shield broken; deviation = noise injection → controller malfunction.
DZ Cybersecurity | TARA (a specific instance of risk-management methodology) — STRIDE + DREAD per asset.
EB NVH | ALARP region for resonance exposure → owner discomfort vs cost of damper redesign.
ED Functional safety | HARA (a specific instance of risk-management methodology) — S × E × C → ASIL.
EF Sustainability | Risk register entries for take-back programmes — likelihood × consequence of regulatory non-compliance.
EH Repairability | Bowtie with top event «captive component prevents repair»; consequences = e-waste + warranty fraud + customer churn.
EJ Environmental conditioning | ETA with initiating event «IPX seal compromised»; branching by barriers (drying + warning + safe-mode); outcomes = corrosion + short + thermal runaway.
EL Privacy | DPIA (Data Protection Impact Assessment) — a specific instance of risk-management methodology per GDPR Art. 35.
EN Reliability | FMEA + FMECA (specific instances of risk-management methodology) — failure modes mapped to severity + occurrence + detection.
EP SW-process | Software FMEA (SFMEA) + STPA (System-Theoretic Process Analysis); risk-based testing prioritization per ISO 29119-2:2013.
ER Human factors | Human reliability analysis (HRA) — a specific instance of risk-management methodology; THERP technique.
ET Manufacturing-quality | PFMEA + risk-based control plan; PPAP → risk acceptance gate.
Battery / BMS | LOPA with IPLs (BMS cell-voltage cutoff + pack-voltage sum + fuse + thermal cutoff); Bowtie with threats = overcharge / short / damage / cell-internal short.
Brake system | FTA top event = «brake fails to stop»; ALARP region for wet-stop distance vs cost of a larger rotor.
Motor + controller | ETA with initiating event «throttle stuck-high»; branching by plausibility check + brake + operator-bailout.
Suspension | Bowtie with top event «spring breakage»; threats = corrosion / overload / fatigue; barriers = preload + coating + cycle-test PPAP.
Tire | Bowtie with top event «blowout»; threats = puncture / pressure-loss / sidewall fatigue / ageing; barriers = TPMS + visual + inflation reminder.
Lighting | FTA with top event «headlight out at night»; basic events = LED degradation + connector corrosion + harness break.
Frame + fork | Bowtie with top event «frame fracture»; threats = manufacturing defect / fatigue / overload; barriers = weld inspection + cycle-test ISO 4210.
HMI / display | Human reliability analysis (HRA) on throttle-vs-brake misread; checklist analysis per ISO 9241-110.
Charger | LOPA with IPLs (input fuse + thermal fuse + Y-cap + over-voltage + thermal monitoring).
Connector + harness | Pin-level FMEA + Bowtie on «multi-pin short» with threats = vibration + ageing + water ingress.
IP protection | Risk-register entry «ingress causes electrochemical migration»; LOPA with IPLs (gasket + conformal coating + drying procedure + service indicator).
Bearing | FTA with top event «bearing seizure»; basic events = grease degradation + contamination + overload; ETA branching by operator notice + safe-stop.
Stem + folding | Bowtie with top event «latch unintended release while riding»; threats = wear + corrosion + impact; barriers = secondary lock + click-feedback + visual inspection.
Deck | HAZOP on «foot-slip» — guide-word «LESS» = less grip → wet conditions; barriers = grit + drainage + warning label.
Handgrip + lever + throttle | FMEA on throttle pot + brake lever + grip-pull-off; AP analysis per AIAG-VDA.
Wheel + rim | Bowtie with top event «spoke broken / rim crack»; threats = manufacturing defect + impact + fatigue; barriers = trueness inspection + spoke-tension Cpk.
Fastener (joint) | (Same as DT — duplicate row to confirm axis-by-axis closure)

Each prior axis receives a risk-management overlay as a systematic methodology layer: the specific axis-tool (FMEA / HARA / TARA / PFMEA / DPIA / HRA) is recognized as a specific instance of ISO/IEC 31010:2019’s 41-method catalogue, with output feeding a single organization-level risk register under the ISO 31000:2018 framework.

16. Owner-level risk-management “tells” — DIY checklist

8-step DIY risk-management assessment when acquiring a new e-scooter (or a used one) — how to see whether the manufacturer maintains a formal risk-management process:

  1. Recall registry tracking — check NHTSA (US, nhtsa.gov/recalls), the EU RAPEX/Safety Gate (ec.europa.eu/safety-gate-alerts), UK PSD (gov.uk/product-safety-alerts-reports-recalls) by model + brand. Public recall history with a clear scope + remedy = active risk management; silent or denied recalls despite known field issues = absence of the post-production information loop (the ISO 14971 violation analogue).
  2. Safety-related characteristic markings — IATF 16949 clause 8.3.3.3 requires special-characteristic markings on critical components. Look for symbols (◆ or S/SC) on the battery pack + brake assembly + motor housing = formal safety-critical classification.
  3. Manufacturer field-issue advisory subscription — does the manufacturer publish service bulletins / TSBs (Technical Service Bulletins)? Active publication = active 8D + a post-production information loop = mature risk management.
  4. Warranty terms — RCA depth — read the warranty document: is a formal RCA process described? Warranty terms saying «refund or replace» without mention of a root-cause investigation = no 8D culture. Look for warranty mentioning «root cause analysis» + «corrective action» + «8D report» = formal post-production information.
  5. Accident statistics transparency — large manufacturers (Boeing, Tesla, Bird) publish annual safety reports with incident statistics. Absence = a lack of transparency on residual risk. Presence + trending = mature risk monitoring.
  6. Disconnect / lock-out procedures — the service manual must include a lockout/tagout (LOTO) procedure for battery + electrical service. Absence = no formal occupational-safety risk management for service technicians.
  7. Owner-manual hazard warnings — read the warnings carefully: a vague «do not modify» = a legal disclaimer; a specific «do not charge below 0°C — risk of lithium plating reduces cell capacity by 15% per cycle» = an informed user + benefit-risk communication per ISO 14971.
  8. Independent safety certification badges — UN 38.3 (battery transport) + IEC 62133 (battery safety) + IEC 60068 (environmental) + EN 17128 (PLEV) + UL 2272 / 2849 (e-scooter electrical safety). Multiple certifications from accredited bodies = layered risk-treatment evidence.

Owner-level “yellow flag” indicators:

  • No public recall registry for the brand → product not registered with the regulator → bypass of post-market surveillance.
  • Warranty terms exclude «misuse» broadly defined → the manufacturer offloads residual risk onto the user without benefit-risk communication.
  • No serial-number registration mechanism → an individual unit cannot be traced back to a manufacturing batch → no traceability for recall.
  • No after-sales reporting channel (no email / phone / portal for incident reporting) → no field-feedback loop.

Green flags:

  • Public ISO 14971:2019-style risk-management file disclosure (rare in consumer e-scooters; common in medical/aerospace).
  • A published incident dashboard with anonymized statistics.
  • An owner manual with clear hazard pictograms (ISO 7010 + ANSI Z535) + benefit-risk statements.
  • Active warranty + recall + accident-data publication.

17. Future axes — where the axis series will expand

Following reliability (EN), SW-process (EP), ergonomics (ER), manufacturing-quality (ET), and risk-management (EV), the next process meta-axes are:

  • V&V engineering as a standalone axis (IEEE 1012:2016 System, Software, and Hardware Verification and Validation) — currently split between functional safety (ED), SW-process (EP), manufacturing-quality (ET), and risk-management (EV); IEEE 1012 is a separate standard with clear V&V tasks + minimum effort levels (V&V Class).
  • Production logistics & supply chain (ISO 28000:2022 Security and resilience — Security management systems + C-TPAT + AEO + UFLPA compliance) — the flow axis.
  • Configuration management (ISO 10007:2017 Quality management — Guidelines for configuration management) — the baseline + change-control axis with cross-link to functional safety + cybersecurity.
  • Project management (ISO 21500:2021 + PMBOK 7th ed. 2021 + PRINCE2) — the schedule/budget/scope axis.
  • Sustainability impact assessment (ISO 14040:2006 + ISO 14044:2006 LCA — Life Cycle Assessment) — beyond the sustainability axis (EF), the full LCA methodology with cradle-to-grave + cradle-to-cradle scope.

None of them is a prerequisite for the risk-management axis — the publication order remains a judgement call of the author, with the main criterion being «what is now most valuable for an e-scooter power user».

Recap — risk-management concept as a pattern

Cross-cutting infrastructure axis pattern v15 — a fifteen-instance set (joining DT + heat-dissipation DV + interference-mitigation DX + interconnect-trust DZ + acoustic-vibration-emission EB + safety-integrity ED + sustainability EF + repairability EH + environmental-conditioning EJ + privacy-preservation EL + reliability-prediction EN + SW-process EP + human-machine-fit ER + manufacturing-process ET + risk-anticipation EV).

Risk management, like reliability + SW + ergonomics + manufacturing-quality, is a methodology layered over all others rather than a separate subsystem:

  • Reliability (EN) described the formal apparatus to predict and validate the reliability of every prior axis.
  • SW-process (EP) described the formal apparatus to build and deliver firmware that realizes the decisions of each of the 28 axes.
  • Ergonomics (ER) described the formal apparatus to fit the human to each of the 29 prior axes in statics and motion.
  • Manufacturing-quality (ET) described the formal apparatus to mass-produce specific exemplars of each of the 30 prior axes in such quantity and quality that the statistical defect rate (DPPM) remains within an acceptable bound.
  • Risk-management (EV) describes the formal apparatus to systematically see the invisible: potential future failures (their scenarios + likelihood + consequence) across all 31 prior axes simultaneously and in their interactions, on top of a single vocabulary (ISO Guide 73:2009) + framework (ISO 31000:2018) + technique catalogue (ISO/IEC 31010:2019) + toleration framework (ALARP + SFAIRP).

Recap 10 points:

  1. Risk management ≠ reliability ≠ functional safety ≠ cybersecurity ≠ manufacturing quality — it is the meta-framework above them all.
  2. ISO 31000:2018 = 8 principles + a framework with 6 components + a risk-management process with 7 steps. Guidance, not certification.
  3. ISO Guide 73:2009 = a 61-term vocabulary. Risk = «effect of uncertainty on objectives» (not just bad outcomes).
  4. ISO/IEC 31010:2019 = a catalogue of 41 risk-assessment techniques. Bowtie + FMEA + FTA + ETA + HAZOP + LOPA — only 6 of the 41.
  5. Kaplan & Garrick 1981 triplet: risk = { ⟨scenario, likelihood, consequence⟩ }. Not a single number.
  6. ALARP + SFAIRP — the UK HSE framework with reverse burden of proof + a gross disproportion factor of 3-10×.
  7. The risk matrix is a screening tool for qualitative ranking; supplement with FTA/LOPA/Monte Carlo for critical decisions.
  8. Bowtie = FTA (preventive barriers) + ETA (recovery barriers) in a combined visualization with the top event in the centre.
  9. LOPA = semi-quantitative; PFD × initiating frequency; an IPL must be Specific + Independent + Dependable + Auditable.
  10. 3 Lines of Defense + risk-based thinking ISO 9001:2015 — risk management integrates across the enterprise, not as an isolated function.

ENG-first sources (0 Russian, 30+ official):