Electric-scooter risk-management engineering as the 32nd engineering axis: risk-anticipation meta-axis — ISO 31000:2018 + ISO/IEC 31010:2019 + ISO Guide 73:2009 + Bowtie + ALARP + SFAIRP + LOPA + HAZOP IEC 61882 + FTA IEC 61025 + ETA IEC 62502 + FMEA IEC 60812 + ISO 14971:2019 + ERM COSO 2017 + Kaplan & Garrick 1981 triplet
In the engineering guide series we have described the battery pack with its BMS and a thermal-runaway intro, the braking system, motor and controller, suspension, tyres, lighting and visibility, frame and fork, display + HMI, the SMPS CC/CV charger, connector + wiring harness, IP protection, bearings with ISO 281 L10, the stem and folding mechanism, the deck, handgrip + lever + throttle, the wheel as an assembly, threaded-fastener engineering as the joining axis, thermal management as the heat-dissipation axis, EMC/EMI as the interference-mitigation axis, cybersecurity as the interconnect-trust axis, NVH as the acoustic-vibration-emission axis, functional safety as the safety-integrity axis, battery life-cycle engineering as the sustainability axis, repairability as the repairability axis, environmental robustness as the environmental-conditioning axis, privacy and personal-data protection as the privacy-preservation axis, reliability engineering as the reliability-prediction meta-axis, software & firmware engineering as the SW-process axis, human factors and ergonomics as the human-machine-fit axis, and manufacturing quality engineering as the manufacturing-process axis. These 31 engineering axes described subsystems, joining methods, thermal and electromagnetic phenomena, safety, sustainability, repairability, environmental conditioning, privacy, reliability engineering, SW process, human-machine fit and manufacturing quality. Each of them fixed a specification (target dimension + tolerance + material property + test limit) or a process (how to measure/produce).
Each also captured certain kinds of risk — the battery article described thermal-runaway risk + ageing risk; the brake article wet-stop risk + fade risk; the cybersecurity article TARA + STRIDE + DREAD; the functional-safety article HARA + ASIL determination; the reliability article FMEA + FMECA + FTA — but none of them described the risk-management toolkit itself as a separate formal methodology that systematically intersects all the previous axes and standardizes identification + analysis + evaluation + treatment + monitoring through a single vocabulary and a single framework.
Risk management engineering is the risk-anticipation meta-axis of the whole e-scooter. It provides the principle-and-framework standard (ISO 31000:2018 Risk management — Guidelines with 8 principles + a framework of 6 components + a risk-management process of 7 stages), the vocabulary (ISO Guide 73:2009 with 61 terms, from risk as «effect of uncertainty on objectives» to risk treatment as «process to modify risk»), the techniques catalogue (ISO/IEC 31010:2019 with 41 methods, from brainstorming to Monte Carlo simulation), the toleration framework (UK HSE ALARP + SFAIRP principles + the Edwards v National Coal Board 1949 reverse burden of proof), the process-hazard methodology (HAZOP IEC 61882:2016 with guide-word/deviation analysis), the component-failure methodology (FMEA IEC 60812:2018, inductive bottom-up), the top-down logic methodology (FTA IEC 61025:2006 with boolean AND/OR/voting gates + minimal cut sets), the consequence-tree methodology (ETA IEC 62502:2010, inductive forward-branching), the combined visualization (Bowtie analysis with threats + barriers + consequences around a top event), the layered-defense methodology (LOPA CCPS 2001, semi-quantitative with IPL credit + PFD), cross-industry inspiration (ISO 14971:2019 medical-device risk management with benefit-risk analysis), the enterprise umbrella (ERM COSO 2017 + the IIA 3 Lines of Defense model), and cross-links to other axes (risk-based thinking ISO 9001:2015 clause 6.1; HARA ISO 26262; TARA ISO 21434).
This is the thirty-second engineering-axis deep-dive in the guide series — and the fifteenth cross-cutting infrastructure axis (parallel to joining DT + heat-dissipation DV + interference-mitigation DX + interconnect-trust DZ + acoustic-vibration-emission EB + safety-integrity ED + sustainability EF + repairability EH + environmental-conditioning EJ + privacy-preservation EL + reliability-prediction EN + SW-process EP + human-machine-fit ER + manufacturing-process ET, now risk-anticipation EV). Like reliability + SW + ergonomics + manufacturing quality, the risk-management axis has no «hardware» implementation — it is a methodology that defines how to systematically see the invisible: not actual current failures (that is reliability + manufacturing quality) but potential future failures (their scenarios + likelihood + consequence) across all 31 previous axes at once and in their interactions, which no single-axis FMEA covers (e.g., the interaction of the battery-thermal axis with the EMC axis: a BMS-fault current generates EMI that affects the controller axis, which causes a regen-brake malfunction, which causes reliance on the mechanical brake, which exceeds the brake-thermal axis limit — a chain across 5 axes that is invisible to a per-axis FMEA).
1. Risk management ≠ HARA ≠ FMEA: a separate axis
Reliability engineering (axis EN), functional safety (axis ED), cybersecurity (axis DZ) and manufacturing quality (axis ET) all use their own risk-related tools (FMEA, HARA, TARA, PFMEA). Risk-management engineering provides the meta-framework that unifies all these tools under a single vocabulary and a single process:
| Dimension | Reliability FMEA (EN) | Functional safety HARA (ED) | Cybersecurity TARA (DZ) | Manufacturing PFMEA (ET) | Risk management (EV) |
|---|---|---|---|---|---|
| Scope | Component failures | Vehicle-level hazards (E + S + C) | Cybersecurity threats (STRIDE) | Process steps | All of the above + interactions across axes |
| Trigger | Reliability allocation | ISO 26262 compliance | ISO 21434 compliance | PPAP / control plan | Strategic decision / project initiation |
| Output | RPN / AP per component | ASIL per hazard | CAL per threat | AP per process step | Risk register + risk matrix + treatment plan |
| Standard | IEC 60812:2018 | ISO 26262:2018 | ISO/SAE 21434:2021 | AIAG-VDA FMEA 2019 | ISO 31000:2018 + ISO/IEC 31010:2019 |
| Granularity | Component | Vehicle function | System interface | Manufacturing step | Enterprise + project + operational |
| Vocabulary | Failure mode + cause + effect | Hazard + severity + exposure + controllability | Threat + attack + impact + feasibility | Failure mode + cause + effect | Risk + hazard + consequence + likelihood + treatment |
ISO 31000:2018 explicitly states: «It can be applied throughout the life of the organization and to a wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets.» Risk-management engineering is the organization-level scaffolding on which the axis-specific tools (FMEA, HARA, TARA, PFMEA) sit as specific techniques from the 41-method catalogue of ISO/IEC 31010:2019. FMEA does not replace risk management; risk management says when and why to run an FMEA, how to connect its output to top-management decisions, and how to combine its output with parallel FTA + Bowtie + LOPA output into a complete risk picture.
2. ISO 31000:2018 — principles + framework + process foundation
ISO 31000:2018 Risk management — Guidelines was published in February 2018 and replaced ISO 31000:2009 with a major simplification (from 11 principles to 8 principles; from 5 + 11 framework components to 6 components; from a 7-step process to a 7-step process with clearer wording). It is a guidance standard (not a certification standard like ISO 9001) that sets the general architecture of risk management for any type of organization, type of risk and context.
The 8 principles (clause 4 of ISO 31000:2018):
- Integrated — risk management is an integral part of all organizational activities, not an add-on.
- Structured and comprehensive — a structured + comprehensive approach gives consistent + comparable results.
- Customized — the risk-management framework + process are tailored to the organization's context.
- Inclusive — appropriate + timely involvement of stakeholders enables the integration of knowledge + perceptions.
- Dynamic — risks emerge, change and disappear; RM must anticipate, detect and acknowledge this.
- Best available information — based on historical + current data + stakeholder feedback + future expectations; transparent about limitations.
- Human and cultural factors — significantly influence risk management at all levels and stages.
- Continual improvement — through learning + experience.
The framework of 6 components (clause 5, plan-do-check-act cycle):
- Leadership and commitment (5.2) — top-management ownership, integration into organization governance.
- Integration (5.3) — RM is iterative and embedded in decision-making.
- Design (5.4) — context + stakeholders + framework design + resources + communication.
- Implementation (5.5) — execute the framework with clear roles + competence.
- Evaluation (5.6) — measure framework effectiveness against intended purpose.
- Improvement (5.7) — adapting + continually improving.
The risk-management process of 7 stages (clause 6, iterative + dynamic):
- Scope, context, criteria (6.3) — establish boundaries + risk criteria.
- Risk identification (6.4.2) — find + recognize + describe risks.
- Risk analysis (6.4.3) — comprehend nature of risk + likelihood + consequence.
- Risk evaluation (6.4.4) — compare against criteria; decide treatment.
- Risk treatment (6.5) — modify the risk (avoid / reduce / share / retain).
- Communication and consultation (6.2) — engage stakeholders throughout (cross-cuts all stages).
- Monitoring and review (6.6) — track changes + verify treatments + update.
Key concept: the process is iterative + cross-cutting — communication and monitoring are not «steps in line» but continuous activities running during all the other steps.
3. ISO Guide 73:2009 + ISO/IEC 31010:2019 — vocabulary + 41 techniques
ISO Guide 73:2009 Risk management — Vocabulary gives 61 terms as a single vocabulary for all ISO management-system standards. Key terms:
- Risk — «effect of uncertainty on objectives». Note 1: the effect may be positive, negative, or both. Note 2: objectives can have different aspects (financial, health, safety, environmental). Note 3: risk is often characterized by reference to potential events + consequences + likelihood.
- Hazard — «source of potential harm» (NOT same as risk).
- Consequence — «outcome of an event affecting objectives».
- Likelihood — «chance of something happening» (NOT strictly probability — likelihood includes subjective + objective + numerical + non-numerical).
- Risk owner — «person or entity with accountability and authority to manage a risk».
- Risk appetite — «amount and type of risk an organization is willing to pursue or retain».
- Risk tolerance — «organization's readiness to bear risk after risk treatment» (a permissible deviation from appetite).
- Residual risk — «risk remaining after risk treatment».
ISO/IEC 31010:2019 Risk assessment techniques replaced ISO 31010:2009 with the catalogue expanded to 41 assessment techniques (vs 31 in 2009). Each technique is rated on 6 criteria: complexity, nature of resources required, nature of uncertainty addressed, ability to provide quantitative output, type of risks addressed, applicability to process steps. The 41 techniques, categorized:
Generic identification + analysis techniques (≈12):
- Brainstorming
- Delphi technique
- Nominal group technique
- Structured interview
- Checklist
- Structured what-if (SWIFT)
- Preliminary hazard analysis (PHA)
- Survey
- Scenario analysis
- Toxicological risk assessment
- Cindynics method
- Root cause analysis (RCA)
Cause/source analysis (≈4):
- Ishikawa (fishbone) analysis
- Pareto analysis
- 5-Why analysis
- Bayesian network
Function/process analysis (≈8):
- FMEA + FMECA (IEC 60812)
- FTA (IEC 61025)
- ETA (IEC 62502)
- Cause-consequence analysis (combined FTA+ETA, predecessor of Bowtie)
- HAZOP (IEC 61882)
- HAZID (Hazard Identification)
- LOPA (CCPS)
- Bowtie
Control assessment (≈4):
- LOPA
- Bowtie
- Markov analysis
- Reliability-centered maintenance (RCM)
Decision support (≈8):
- Decision tree
- Monte Carlo simulation
- Sensitivity analysis
- Multi-criteria decision analysis (MCDA)
- Cost-benefit analysis
- Cost-effectiveness analysis
- Value engineering / target costing
- Game theory
Human + organizational factors (≈5):
- Human reliability analysis (HRA)
- THERP (Technique for Human Error Rate Prediction)
- SHERPA
- Bow-tie with human factors
- Safety culture assessment
4. Kaplan & Garrick 1981 triplet — formal definition of risk
Kaplan & Garrick, in the seminal paper «On The Quantitative Definition of Risk» (Risk Analysis, Vol. 1, No. 1, 1981), proposed the triplet definition of risk, which became the foundational concept of quantitative risk analysis:
Risk = { ⟨s_i, p_i, x_i⟩ }, where for each scenario i:
- s_i — what can happen? (scenario description)
- p_i — how likely is it that it will happen? (likelihood / probability)
- x_i — what are the consequences if it does happen? (magnitude of consequence)
So risk is not a single number — it is a set of triplets over all possible scenarios. The common simplification «risk = likelihood × consequence» reduces the triplet to a single expected-value metric, which loses variance + tail risk + non-numeric considerations. For critical infrastructure (nuclear plant, aerospace, medical device) a single expected value is insufficient: a scenario with low likelihood + extreme consequence (a plutonium accident) has the same expected value as a scenario with high likelihood + moderate consequence (frequent minor damage) — but the second is tolerable and the first intolerable.
For an e-scooter:
- Scenario A: battery thermal runaway. p_A ≈ 10⁻⁶ per cycle. x_A = total loss + fire risk + potential bodily harm.
- Scenario B: wet-brake stopping distance increase. p_B ≈ 10⁻¹ per rainy ride. x_B = elevated near-miss frequency + occasional minor abrasion.
The expected value may signal B as the «greater risk» (larger expected harm), but A is catastrophic + irreversible, so ALARP requires aggressive treatment of A even if the expected value of A is smaller.
5. Risk register + risk matrix + heat map — core artifacts
A risk register is a centralised list of all identified risks of an organization / project, with the following row structure:
| Field | Description |
|---|---|
| Risk ID | Unique identifier (R-001) |
| Description | What can happen (scenario) |
| Risk category | Strategic / operational / financial / compliance / reputational / technical |
| Risk owner | Who is accountable |
| Inherent likelihood | Before treatment (1-5) |
| Inherent consequence | Before treatment (1-5) |
| Inherent risk score | L × C |
| Current controls | Which barriers are already in place |
| Current risk score | After existing controls |
| Treatment plan | Avoid / reduce / share / retain — details |
| Target risk score | After planned treatment |
| Residual risk score | Current actual remaining risk |
| Review date | When the next reassessment is due |
A risk matrix is a 5×5 (or 4×4, 6×6) grid of likelihood × consequence with color-coded cells (green = broadly acceptable, yellow = ALARP region, red = intolerable):
| | C1 minor | C2 moderate | C3 major | C4 severe | C5 catastrophic |
|---|---|---|---|---|---|
| L5 almost certain | M | H | H | E | E |
| L4 likely | M | M | H | H | E |
| L3 possible | L | M | M | H | H |
| L2 unlikely | L | L | M | M | H |
| L1 rare | L | L | L | M | M |
L=Low, M=Medium, H=High, E=Extreme. Calibration matters — the likelihood scale must have frequency anchors (L5 = ≥ once per year; L1 = < once per 1000 years) and the consequence scale must have harm anchors (C5 = single fatality + national news; C1 = first aid only). Without anchors the matrix degenerates into subjective scoring that does not give comparable cross-project results.
A heat map is the visualization of the risk register on the matrix, positioning each risk as a bubble (size = risk score, color = category, arrow = trajectory from current to target).
Risk matrices are a common pitfall — as Tony Cox warns in the seminal paper «What's Wrong with Risk Matrices?» (Risk Analysis 2008):
- Reverse ranking — two risks with the same color can differ by a factor of 1000 in actual expected value because of discrete binning.
- Range compression — a log-scale likelihood (10⁻⁶ to 10⁰) compressed into a 5-bin range loses 6 orders of magnitude.
- Categorization not unique — the same risk lands in different cells under a different choice of anchors.
ISO/IEC 31010:2019 recommends the risk matrix only for qualitative screening + semi-quantitative comparison; for critical decisions, supplement it with FTA + LOPA + Bayesian methods.
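The following is an added worked example (not code from the article) that ties sections 4 and 5 together: it anchors the 5×5 matrix above to continuous frequency and harm estimates, builds a register row in the article's field layout, and reproduces Cox's pitfall by showing two risks that share one matrix cell while their expected values differ by thousands. The L1/L5 and C1/C5 anchors are the article's; the intermediate band boundaries, the harm-unit scale and both sample risks are constructed assumptions.

```python
from dataclasses import dataclass

# Added example, not from the article: a calibrated 5x5 risk matrix with frequency
# and harm anchors, a register row built from it, and a check for Cox's
# "same cell, very different expected value" pitfall. Everything numeric below
# except the article's L1/L5 and C1/C5 anchors is constructed for illustration.

# Likelihood bands as (lower bound in events per year, band). The article anchors
# L5 = at least once per year and L1 = less than once per 1000 years; the bands
# in between are an assumed one-decade-per-band calibration.
LIKELIHOOD_BANDS = [(1.0, 5), (1e-1, 4), (1e-2, 3), (1e-3, 2), (0.0, 1)]

# Consequence bands as (lower bound in harm units, band). C1 = first aid only,
# C5 = single fatality; the harm units are an assumed monetised scale.
CONSEQUENCE_BANDS = [(1000.0, 5), (100.0, 4), (10.0, 3), (1.0, 2), (0.0, 1)]

# The article's matrix: key = likelihood band, string index = consequence band - 1.
MATRIX = {5: "MHHEE", 4: "MMHHE", 3: "LMMHH", 2: "LLMMH", 1: "LLLMM"}


def band(value, bands):
    """Map a continuous value onto the first band whose lower bound it reaches."""
    for lower, b in bands:
        if value >= lower:
            return b
    return 1


def rate_risk(freq_per_year, harm_units):
    """Return (likelihood band, consequence band, matrix rating)."""
    lik = band(freq_per_year, LIKELIHOOD_BANDS)
    con = band(harm_units, CONSEQUENCE_BANDS)
    return lik, con, MATRIX[lik][con - 1]


@dataclass
class RiskEntry:
    risk_id: str
    description: str
    owner: str
    freq_per_year: float   # best estimate of scenario frequency
    harm_units: float      # best estimate of harm per occurrence

    def register_row(self):
        """One row of the risk register in the article's field layout."""
        lik, con, rating = rate_risk(self.freq_per_year, self.harm_units)
        return {
            "Risk ID": self.risk_id,
            "Description": self.description,
            "Risk owner": self.owner,
            "Inherent likelihood": lik,
            "Inherent consequence": con,
            "Inherent risk score": lik * con,
            "Rating": rating,
            "Expected harm per year": self.freq_per_year * self.harm_units,
        }


def same_cell_ev_ratio(a, b):
    """Cox's pitfall: two risks in the same matrix cell can differ by orders of
    magnitude in expected value. Returns the ratio, or None if the cells differ."""
    ra, rb = a.register_row(), b.register_row()
    if (ra["Inherent likelihood"], ra["Inherent consequence"]) != (
        rb["Inherent likelihood"], rb["Inherent consequence"]
    ):
        return None
    ev_a, ev_b = ra["Expected harm per year"], rb["Expected harm per year"]
    return max(ev_a, ev_b) / min(ev_a, ev_b)


# Constructed entries: both land in L1 x C4 ("M") although A is ~5000x worse,
# because the open-ended L1 bin swallows every frequency below 1e-3 per year.
RISK_A = RiskEntry("R-001", "pack overcharge event while charging", "battery lead", 5e-4, 999.0)
RISK_B = RiskEntry("R-002", "stem latch fatigue fracture", "mechanical lead", 1e-6, 100.0)

if __name__ == "__main__":
    for entry in (RISK_A, RISK_B):
        print(entry.register_row())
    print("expected-value ratio inside one cell:", same_cell_ev_ratio(RISK_A, RISK_B))
```

The open-ended bottom band is where range compression bites hardest: anything below the L1 anchor, whether 10⁻⁴ or 10⁻⁶ per year, gets the same rating, which is exactly why the article sends critical decisions to FTA, LOPA or Bayesian methods instead of the matrix.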
6. ALARP + SFAIRP — toleration framework
ALARP — «As Low As Reasonably Practicable» — is the UK Health and Safety Executive (HSE) framework that originates in the landmark UK Court of Appeal case Edwards v National Coal Board, 1949: the judges formulated the employer's duty to reduce risk «so far as is reasonably practicable», where «reasonably practicable» means requiring action until the cost (money + time + trouble) becomes grossly disproportionate to the risk reduction.
SFAIRP — «So Far As Is Reasonably Practicable» — is the phrasing of the UK Health and Safety at Work Act 1974, which is synonymous with ALARP in practice. The EU machinery directive and Australian work-health-safety law also use SFAIRP wording.
The ALARP region in the risk matrix:
```
Risk level
▲
│ ████████████ INTOLERABLE — must eliminate or accept extraordinary justification
│
│ ────────── upper tolerability limit (e.g., 10⁻³/year individual fatality)
│
│ ▓▓▓▓▓▓▓▓▓▓▓▓ ALARP REGION — risk tolerable only if reduced ALARP
│ ▓▓▓▓▓▓▓▓▓▓▓▓ (reverse burden of proof — duty-holder must show further reduction grossly disproportionate)
│
│ ────────── lower tolerability limit (e.g., 10⁻⁶/year — broadly acceptable threshold)
│
│ ░░░░░░░░░░░░ BROADLY ACCEPTABLE — no further treatment required
│
└──────────────────────► Time / scope
```
Reverse burden of proof — in the ALARP region the duty-holder (manufacturer / operator) must proactively prove that further risk reduction would require gross disproportion of cost vs benefit. This is an active position, not a passive one: absence of evidence = absence of ALARP compliance.
Gross disproportion factor (GDF) — UK HSE Reducing Risks, Protecting People (2001) proposes the GDF as a multiplier on the expected-value cost-benefit: for high-consequence risks the GDF may sit in the range 3× to 10× (the cost of a safety measure may exceed the risk-reduction benefit by 3-10× and still be ALARP-compliant). For individual fatality risk near the upper bound the GDF can be 10× or higher.
Risk appetite vs tolerance (ISO Guide 73:2009):
- Risk appetite — strategic statement «we are prepared to take risks of type X up to magnitude Y in pursuit of objective Z» (proactive boundary).
- Risk tolerance — permissible operational deviation from appetite: «we can absorb residual risk up to W in temporary situations» (operational flexibility).
For an e-scooter manufacturer:
- Appetite: «accept material risks intrinsic to motorized 2-wheel vehicle (likelihood of fall = baseline pedestrian × 5)»
- Tolerance: «individual fatality risk ≤ 10⁻⁶ per million km regardless of vehicle category»
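As an added example (not from the article), the ALARP classification and the gross-disproportion test can be written down as a duty-holder's decision function. The 10⁻³ and 10⁻⁶ per-year bounds and the 3×-10× GDF range are the article's; the log-interpolated GDF schedule between them, the linear model of averted harm, and every monetary figure are assumptions made for this illustration, not HSE values.

```python
import math

# Added example, not from the article: classify an individual fatality risk into
# the ALARP bands and apply a gross-disproportion test. The 1e-3 and 1e-6 per
# year bounds and the 3x-10x GDF range are the article's; the log-interpolated GDF
# schedule and every monetary figure are assumptions made for this illustration.

UPPER_TOLERABILITY = 1e-3   # individual fatality risk per year; intolerable at or above
BROADLY_ACCEPTABLE = 1e-6   # per year; no further treatment required below this


def alarp_region(fatality_rate_per_year):
    if fatality_rate_per_year >= UPPER_TOLERABILITY:
        return "INTOLERABLE"
    if fatality_rate_per_year >= BROADLY_ACCEPTABLE:
        return "ALARP"
    return "BROADLY_ACCEPTABLE"


def gross_disproportion_factor(fatality_rate_per_year):
    """Assumed schedule: 3x at the broadly-acceptable limit rising to 10x at the
    upper tolerability limit, interpolated on the log10 of the risk level."""
    lo, hi = math.log10(BROADLY_ACCEPTABLE), math.log10(UPPER_TOLERABILITY)
    x = math.log10(max(fatality_rate_per_year, BROADLY_ACCEPTABLE))
    fraction = min(1.0, (x - lo) / (hi - lo))
    return 3.0 + 7.0 * fraction


def averted_harm_value(rate_before, rate_after, exposed_people, years, value_per_fatality):
    """Monetised benefit of a measure over its service life (assumed linear model)."""
    return (rate_before - rate_after) * exposed_people * years * value_per_fatality


def measure_required(measure_cost, rate_before, rate_after, exposed_people, years,
                     value_per_fatality):
    """Duty-holder's test: in the ALARP region the measure is required unless its
    cost exceeds the averted harm by more than the GDF at the current risk level."""
    region = alarp_region(rate_before)
    if region == "INTOLERABLE":
        return True                      # must reduce regardless of cost
    if region == "BROADLY_ACCEPTABLE":
        return False                     # no further treatment required
    benefit = averted_harm_value(rate_before, rate_after, exposed_people, years,
                                 value_per_fatality)
    return measure_cost <= gross_disproportion_factor(rate_before) * benefit


if __name__ == "__main__":
    # Constructed scenario: 100 000 riders, a measure cutting individual fatality
    # risk from 1e-4 to 1e-5 per year over a 10-year service life.
    print(alarp_region(1e-4), round(gross_disproportion_factor(1e-4), 3))
    print(measure_required(1.0e9, 1e-4, 1e-5, 100_000, 10, 2.0e6))
    print(measure_required(2.0e9, 1e-4, 1e-5, 100_000, 10, 2.0e6))
```

The point the function makes explicit is the direction of the burden: the measure is taken by default, and the duty-holder must show the cost clears the GDF-scaled benefit before declining it.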
7. HAZOP — IEC 61882:2016 deviation/guide-word methodology
HAZOP — Hazard and Operability Study — is a formal, structured technique for process-system hazard identification. It originated at Imperial Chemical Industries (ICI) in the 1960s, was formalized by Trevor Kletz of ICI in the 1970s, and is standardized as IEC 61882:2016 Hazard and operability studies (HAZOP studies) — Application guide. Originally a process-chemistry tool, it is broadly applicable to any system with identifiable flows + parameters.
Methodology:
- Node decomposition — the system is divided into «nodes» (pipe section, vessel, control loop, software module).
- Parameter list per node — for each node, enumerate its parameters (flow, pressure, temperature, level, composition, time, sequence, signal).
- Guide-word application — to each parameter, apply the guide words systematically:
  - NO / NONE / NOT — complete absence of the intended condition.
  - MORE / HIGH — quantitative increase.
  - LESS / LOW — quantitative decrease.
  - AS WELL AS — an additional unintended condition is present.
  - PART OF — only part of the intended condition is present.
  - REVERSE / OPPOSITE — opposite direction / order.
  - OTHER THAN — completely different from intent.
- Deviation = parameter × guide-word — for each pair (e.g., «flow + NO» = «no flow») the team brainstorms causes + consequences + existing safeguards + recommendations.
- Tabular record — all deviations + analyses are recorded in the HAZOP worksheet.
For an e-scooter BMS (example node = «battery cell voltage measurement loop»):
| Parameter | Guide-word | Deviation | Cause | Consequence | Safeguard | Recommendation |
|---|---|---|---|---|---|---|
| Voltage | NO | No measurement | Wire break, ADC fail | BMS cannot detect overvoltage → thermal runaway risk | Diagnostic timeout | Add redundant measurement |
| Voltage | MORE | Measurement higher than actual | Sensor calibration drift | Charge cutoff triggers prematurely → reduced range; or BMS allows undervoltage | Periodic self-cal | Implement Type-1 Gage Study at PV |
| Voltage | LESS | Measurement lower than actual | Sensor calibration drift, ground loop | BMS allows overcharging → thermal runaway | Plausibility check vs pack voltage sum | Add cell-voltage sum-check |
HAZOP is strong at finding systematic + scenario-based hazards that FMEA may miss (because FMEA is component-by-component, while HAZOP is flow/parameter-by-parameter).
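The discipline of HAZOP is that every parameter × guide-word pair must be either analysed or explicitly dismissed with a reason. The following added example (not code from the article or from IEC 61882) generates that deviation grid for a node and audits a worksheet against it, using the article's three BMS cell-voltage rows; the extra «Time» parameter, its worksheet row and the N/A disposition are constructed for the illustration.

```python
from itertools import product

# Added example, not from the article: generate the parameter x guide-word
# deviation grid for a HAZOP node, then audit a worksheet for deviations that
# were neither analysed nor explicitly dismissed. The three "Voltage" rows are
# the article's BMS node; the "Time" parameter, its row and the N/A disposition
# are constructed for this illustration.

GUIDE_WORDS = ("NO", "MORE", "LESS", "AS WELL AS", "PART OF", "REVERSE", "OTHER THAN")


def deviation_grid(parameters, guide_words=GUIDE_WORDS):
    """Every (parameter, guide-word) pair the team must either analyse or dismiss."""
    return [(p, g) for p, g in product(parameters, guide_words)]


NODE = "battery cell voltage measurement loop"
PARAMETERS = ("Voltage", "Time")

# Analysed rows: the article's three rows plus one constructed "Time" row.
WORKSHEET = [
    {"parameter": "Voltage", "guide_word": "NO", "deviation": "No measurement",
     "cause": "Wire break, ADC fail",
     "consequence": "BMS cannot detect overvoltage -> thermal runaway risk",
     "safeguard": "Diagnostic timeout", "recommendation": "Add redundant measurement"},
    {"parameter": "Voltage", "guide_word": "MORE", "deviation": "Measurement higher than actual",
     "cause": "Sensor calibration drift",
     "consequence": "Charge cutoff triggers prematurely; or BMS allows undervoltage",
     "safeguard": "Periodic self-cal", "recommendation": "Implement Type-1 Gage Study at PV"},
    {"parameter": "Voltage", "guide_word": "LESS", "deviation": "Measurement lower than actual",
     "cause": "Sensor calibration drift, ground loop",
     "consequence": "BMS allows overcharging -> thermal runaway",
     "safeguard": "Plausibility check vs pack voltage sum", "recommendation": "Add cell-voltage sum-check"},
    {"parameter": "Time", "guide_word": "MORE", "deviation": "Sample period too long",
     "cause": "Scheduler overrun", "consequence": "Late overvoltage detection",
     "safeguard": "", "recommendation": "Watchdog on measurement task"},
]

# Deviations dismissed as not applicable, each with a recorded justification.
NOT_APPLICABLE = {
    ("Voltage", "REVERSE"): "polarity fixed by connector keying (node has no reverse mode)",
}


def coverage_gaps(parameters, worksheet, not_applicable):
    """Deviations with neither an analysis row nor a justified N/A disposition."""
    seen = {(r["parameter"], r["guide_word"]) for r in worksheet} | set(not_applicable)
    return [d for d in deviation_grid(parameters) if d not in seen]


def unmitigated(worksheet):
    """Analysed deviations that record no existing safeguard: candidates for the
    risk register, not just for a recommendation."""
    return [(r["parameter"], r["guide_word"]) for r in worksheet if not r["safeguard"].strip()]


if __name__ == "__main__":
    print(f"node: {NODE}, grid size: {len(deviation_grid(PARAMETERS))}")
    print("gaps:", coverage_gaps(PARAMETERS, WORKSHEET, NOT_APPLICABLE))
    print("unmitigated:", unmitigated(WORKSHEET))
```

Running the audit before the study is closed is what turns HAZOP from a brainstorming session into an auditable record: the gap list is the list of deviations the team still has to defend not having looked at.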
8. FMEA + FMECA — IEC 60812:2018 inductive bottom-up
FMEA — Failure Mode and Effects Analysis — is an inductive bottom-up technique that, for each component, enumerates its modes of failure (how the component can fail) + effects (what that failure causes) + severity + likelihood + detectability. FMECA — FMEA + Criticality analysis — adds a criticality matrix positioning failure modes by severity × likelihood.
IEC 60812:2018 Failure modes and effects analysis (FMEA and FMECA) was published in August 2018 and replaced IEC 60812:2006. It standardizes:
- Methodology — 8 steps (planning + structure analysis + function analysis + failure analysis + risk analysis + optimization + documentation + audit).
- Severity scale — 1 (negligible) to 10 (catastrophic without warning).
- Occurrence scale — 1 (extremely remote, ≤ 1/1.5M) to 10 (very high, ≥ 1/2).
- Detection scale — 1 (almost certain detection) to 10 (no detection).
- RPN = S × O × D (traditional) — but criticized for hidden discontinuities (RPN=120 may carry lower risk than RPN=90 depending on individual S/O/D combinations).
- AIAG-VDA FMEA 2019 replaces RPN with an Action Priority (AP) lookup table (High/Medium/Low by S+O+D combination).
Cross-links to other axes:
- DFMEA (design FMEA) — used in the reliability axis (EN) + functional-safety axis (ED).
- PFMEA (process FMEA) — used in the manufacturing-quality axis (ET).
- FMECA-Cybersecurity — adapted in the cybersecurity axis (DZ) as a component-level supplement to TARA.
- Software FMEA (SFMEA) — used in the SW-process axis (EP) per IEC 61508-3.
9. FTA — IEC 61025:2006 deductive top-down boolean logic
FTA — Fault Tree Analysis — is a deductive top-down boolean-logic technique, originated by H. A. Watson at Bell Labs in 1962 for the Minuteman missile launch control system safety analysis. It was broadly adopted after the WASH-1400 Reactor Safety Study (Rasmussen, 1975) for nuclear safety. Standardized as IEC 61025:2006 Fault tree analysis (FTA).
Structure:
- Top event — undesired event at system level (e.g., «brake system fails to stop scooter»).
- Intermediate events — sub-failures decomposing top event.
- Basic events — component-level primary failures (no further decomposition).
- Undeveloped events — known events not decomposed because of lack of data or scope.
- Gates:
  - AND gate (∩) — the output failure occurs only if all input failures occur.
  - OR gate (∪) — the output failure occurs if any input fails.
  - Voting (k-out-of-n) gate — output failure if at least k of n inputs fail.
  - INHIBIT gate — the output occurs only if the input event AND the conditional event are true.
  - Priority AND — the output requires a specific input ordering.
  - Exclusive OR (XOR) — exactly one input.
Minimal cut set (MCS) — the smallest combination of basic events that causes the top event. Top event probability = sum over all MCS of the product of basic-event probabilities (rare-event approximation, under the independence assumption).
For an e-scooter, top event = «motor controller drives wheel uncontrollably»:
```
                 (motor drives uncontrollably)
                              │
                          [OR gate]
                 ┌────────────┴────────────┐
        (throttle stuck-high)       (controller faulty)
                 │                         │
             [OR gate]                 [OR gate]
         ┌───────┴───────┐         ┌───────┴───────┐
  (throttle pot     (wire short)  (MCU stuck)   (firmware fault)
      fault)                                          │
                                                  [AND gate]
                                           ┌──────────┴──────────┐
                                      (logic bug)   (plausibility check
                                                          disabled)
```
Minimal cut sets:
- MCS₁ = {throttle pot fault}
- MCS₂ = {wire short}
- MCS₃ = {MCU stuck}
- MCS₄ = {logic bug, plausibility check disabled}
Top event probability ≈ P(MCS₁) + P(MCS₂) + P(MCS₃) + P(MCS₄). If MCS₄ = 10⁻⁴ × 10⁻¹ = 10⁻⁵ vs MCS₁ = 10⁻³, the throttle pot dominates and treatment must focus on reducing P(throttle pot fault) before chasing redundant plausibility logic.
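As an added example (not code from the article or from IEC 61025), the cut-set derivation above can be automated: the tree is built from AND/OR/voting gates, minimal cut sets are found by the usual top-down expansion with superset elimination, and the rare-event sum gives the top-event probability and the dominant cut set. The tree and the 10⁻³, 10⁻⁴ and 10⁻¹ figures are the article's; the probabilities for «wire short» and «MCU stuck» are constructed.

```python
from itertools import combinations, product
from math import prod

# Added example, not from the article: minimal cut sets and a rare-event
# top-event probability for the article's motor-controller fault tree. Gate
# semantics follow IEC 61025 AND/OR/voting; the probabilities marked
# "constructed" below are assumptions, the others are the article's figures.


class Gate:
    def __init__(self, kind, *children, k=None):
        assert kind in ("AND", "OR", "VOTE")
        self.kind, self.children, self.k = kind, children, k


def cut_sets(node):
    """Return the minimal cut sets (frozensets of basic-event names) under node."""
    if isinstance(node, str):                       # basic event
        return [frozenset([node])]
    child_sets = [cut_sets(c) for c in node.children]
    if node.kind == "OR":                           # any child's cut set suffices
        raw = [s for cs in child_sets for s in cs]
    elif node.kind == "AND":                        # one cut set from every child
        raw = [frozenset().union(*combo) for combo in product(*child_sets)]
    else:                                           # k-out-of-n = OR over ANDs of k children
        raw = []
        for subset in combinations(child_sets, node.k):
            raw += [frozenset().union(*combo) for combo in product(*subset)]
    return minimise(raw)


def minimise(sets):
    """Drop any cut set that is a strict superset of another (keep only minimal ones)."""
    uniq = set(sets)
    return sorted((s for s in uniq if not any(o < s for o in uniq)),
                  key=lambda s: (len(s), sorted(s)))


def top_event_probability(mcs, p):
    """Rare-event approximation: sum over cut sets of the product of event probabilities."""
    return sum(prod(p[e] for e in s) for s in mcs)


def dominant_cut_set(mcs, p):
    """The cut set contributing most to the top event: where treatment pays first."""
    return max(mcs, key=lambda s: prod(p[e] for e in s))


# The article's tree: top = OR(throttle stuck-high, controller faulty).
TREE = Gate("OR",
            Gate("OR", "throttle pot fault", "wire short"),
            Gate("OR", "MCU stuck", Gate("AND", "logic bug", "plausibility check disabled")))

P = {
    "throttle pot fault": 1e-3,            # article
    "wire short": 2e-4,                    # constructed
    "MCU stuck": 5e-5,                     # constructed
    "logic bug": 1e-4,                     # article
    "plausibility check disabled": 1e-1,   # article
}

if __name__ == "__main__":
    mcs = cut_sets(TREE)
    for s in mcs:
        print(sorted(s), prod(P[e] for e in s))
    print("top event ~", top_event_probability(mcs, P))
    print("dominant:", sorted(dominant_cut_set(mcs, P)))
```

The superset elimination in `minimise` is what makes repeated basic events safe: a tree such as AND(a, OR(a, b)) collapses to the single cut set {a}, which the naive product expansion alone would not show.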
10. ETA — IEC 62502:2010 inductive consequence-tree branching
ETA — Event Tree Analysis — is an inductive forward-branching technique. It starts from an initiating event (an initial failure or trigger), then branches on the success/failure of each safety function / mitigation, producing a set of possible outcomes with probabilities. Standardized as IEC 62502:2010 Event tree analysis (ETA).
Structure:
- Initiating event (column 1) — e.g., «throttle stuck-high signal».
- Safety functions / mitigations (columns 2..N) — a sequence of barriers that can succeed (S, top branch) or fail (F, bottom branch).
- Outcomes (terminal column) — the final consequence depending on the path through the tree.
For an e-scooter, initiating event = «throttle pot stuck high»:
```
Initiating      Plausibility    Brake         Operator      Outcome          P(path)
event           check works     applied       bails out
                S ───────────── S ──────────────────────────► safe stop       0.95×...
throttle ──┐    │               │
stuck high ┤    │               F ──────────────────────────► hard fall       ...
           │    │
           │    F ───────────── S ──────────────────────────► safe stop       ...
           │                    │
           │                    F ──────────── S ───────────► crash           ...
           │                                   │
           │                                   F ───────────► crash + injury  ...
```
Outcome probabilities are the product of the branch probabilities. The sum of all outcome probabilities = P(initiating event). Decomposing the risk profile shows which mitigations matter most — sensitivity to P(plausibility check fails) vs P(brake fails to apply) tells the designer where redundancy buys most.
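The sensitivity question at the end of the section is easiest to answer by evaluating the tree rather than reading it. The following added example (not code from the article or from IEC 62502) models the event tree above as nested barriers with a probability of failure on demand, enumerates every path, checks that the outcome frequencies sum to the initiating frequency, and reports how each outcome moves when one barrier's PFD doubles. The tree shape is the article's; the initiating frequency and the three PFDs are constructed.

```python
from dataclasses import dataclass, replace
from typing import Union

# Added example, not from the article: evaluate the article's throttle-stuck-high
# event tree. A tree node is a barrier with a probability of failure on demand
# (PFD) and two sub-trees; a leaf is an outcome name. The PFDs and the initiating
# frequency are constructed for this illustration.


@dataclass(frozen=True)
class Barrier:
    name: str
    pfd: float
    on_success: Union["Barrier", str]
    on_failure: Union["Barrier", str]


def paths(node, prob=1.0, trail=()):
    """Enumerate (trail of (barrier, S/F), outcome, conditional probability)."""
    if isinstance(node, str):
        return [(trail, node, prob)]
    return (paths(node.on_success, prob * (1 - node.pfd), trail + ((node.name, "S"),))
            + paths(node.on_failure, prob * node.pfd, trail + ((node.name, "F"),)))


def outcome_frequencies(initiating_freq, tree):
    """Frequency of each outcome per year; they sum to the initiating frequency."""
    freqs = {}
    for _, outcome, p in paths(tree):
        freqs[outcome] = freqs.get(outcome, 0.0) + initiating_freq * p
    return freqs


def barriers(node, acc=None):
    """Name -> PFD for every barrier in the tree."""
    acc = {} if acc is None else acc
    if isinstance(node, Barrier):
        acc[node.name] = node.pfd
        barriers(node.on_success, acc)
        barriers(node.on_failure, acc)
    return acc


def with_pfd(node, barrier, pfd):
    """Copy of the tree with one barrier's PFD changed wherever it appears."""
    if isinstance(node, str):
        return node
    node = replace(node, on_success=with_pfd(node.on_success, barrier, pfd),
                   on_failure=with_pfd(node.on_failure, barrier, pfd))
    return replace(node, pfd=pfd) if node.name == barrier else node


def sensitivity(initiating_freq, tree, outcome, factor=2.0):
    """Ratio by which an outcome's frequency changes when each barrier's PFD is
    multiplied by `factor`; the largest ratio marks where redundancy pays most."""
    base = outcome_frequencies(initiating_freq, tree).get(outcome, 0.0)
    result = {}
    for name, pfd in barriers(tree).items():
        changed = outcome_frequencies(initiating_freq, with_pfd(tree, name, min(1.0, pfd * factor)))
        result[name] = changed.get(outcome, 0.0) / base if base else float("nan")
    return result


# The article's tree; a bail-out branch exists only where the brake has failed
# after the plausibility check already failed, exactly as drawn.
TREE = Barrier("plausibility check", 0.1,
               on_success=Barrier("brake applied", 0.05, "safe stop", "hard fall"),
               on_failure=Barrier("brake applied", 0.05, "safe stop",
                                  Barrier("operator bails out", 0.5, "crash", "crash + injury")))
INITIATING = 1e-2   # constructed: throttle pot stuck high, events per year

if __name__ == "__main__":
    for trail, outcome, p in paths(TREE):
        print(" ".join(f"{b}:{sf}" for b, sf in trail), "->", outcome, p)
    print(outcome_frequencies(INITIATING, TREE))
    print("hard fall sensitivity:", sensitivity(INITIATING, TREE, "hard fall"))
```

With these constructed numbers, doubling the brake PFD doubles the «hard fall» frequency while doubling the plausibility-check PFD slightly reduces it (more paths now route through the brake-failure-after-check-failure branch), which is the kind of non-obvious trade-off the article says the decomposition is for.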
11. Bowtie — combined threats + barriers + consequences
Bowtie analysis is a visualization combining FTA (left side: threats → top event) + ETA (right side: top event → consequences) in the shape of a bow tie, with the top event in the centre, threats on the left, consequences on the right, and barriers as vertical lines between them. Formalized in the 1990s by Shell INSL HSE + ICI; commercial tooling BowTieXP by CGE Risk Management Solutions (Netherlands).
Bowtie structure:
```
Threats                          [top event]                       Consequences
───────                                                            ────────────
T1 ──┃B1┃──┃B2┃──┃B3┃──┐                         ┌──┃B4┃──┃B5┃── C1
T2 ──┃B1┃──┃B2┃──┃B3┃──┼──────────( TE )──────────┤
T3 ──┃B1┃──┃B2┃────────┘                         └──┃B4┃───────── C2

B1..B3 = preventive barriers              B4..B5 = recovery/mitigation barriers
```
Barriers:
- Preventive barriers (left side) — prevent a threat from realizing the top event.
- Recovery barriers (right side) — mitigate the top-event consequences.
- Escalation factors — conditions that weaken a barrier (e.g., «sensor calibration drift weakens the BMS overvoltage barrier»).
Barrier-effectiveness rating — barriers are classified per the CCPS standard 8-grade scale:
- Active vs passive
- Hardware vs procedural vs administrative
- Independent vs dependent (sharing common-mode failure)
- PFD-rated for SIL compliance (LOPA cross-link)
For an e-scooter, top event = «battery thermal runaway»:
| Threats (preventive barriers →) | Top event | Consequences (← recovery barriers) |
|---|---|---|
| T1: overcharge → [BMS overvoltage cutoff] + [charger CC/CV control] + [fuse] | TR | [thermal-runaway propagation barrier between cells] + [fire-rated battery case] → C1: pack fire contained |
| T2: external short → [fuse] + [BMS overcurrent] | TR | [user warning beep + thermal cutoff] + [water-mist suppression] → C2: scooter ignition, user evacuates |
| T3: mechanical damage (puncture) → [case impact resistance] + [BMS isolation check] | TR | (insufficient recovery) → C3: pack fire spreads |
| T4: cell-internal short (manufacturing defect) → [cell-grading PPAP] + [ageing-detection BMS] | TR | [thermal-runaway propagation barrier between cells] → C4: single-cell event isolated |
Bowtie's strength — a single visualization with clear barrier dependencies + escalation factors + cross-links to specific axes (BMS, charger, case, cell grading, ageing detection all converge around one top event).
12. LOPA — Layer of Protection Analysis CCPS 2001
LOPA — Layer of Protection Analysis — is a semi-quantitative methodology formalized by the Center for Chemical Process Safety (CCPS) of AIChE in the 2001 book «Layer of Protection Analysis: Simplified Process Risk Assessment». The method bridges qualitative HAZOP/Bowtie and quantitative QRA with modest data requirements + explicit IPL credit accounting.
LOPA structure:
- Initiating cause with frequency (events per year, e.g., 0.1/yr = once per 10 years).
- Independent Protection Layers (IPLs) — each layer reduces risk by a factor of 10 (PFD = 0.1, RRF = 10) to 100 (PFD = 0.01, RRF = 100).
- IPL qualification criteria — must be specific (designed for this scenario), independent (no common-mode failure with other IPLs), dependable (PFD validated by test/audit), auditable (records maintained).
- Frequency calculation — final scenario frequency = initiating frequency × product of IPL PFDs.
- Risk acceptance — compare to tolerance criteria; if exceeded → add an IPL.
For an e-scooter, initiating cause «BMS detection failure during overcharge»:
| Layer | Type | PFD | RRF | Cumulative |
|---|---|---|---|---|
| Initiating frequency (charger CV mode fails high) | — | — | — | 0.01/yr |
| IPL 1: BMS cell-voltage cutoff (qualified for this scenario) | active SIS | 0.01 | 100 | 10⁻⁴/yr |
| IPL 2: pack-voltage sum-check (independent of cell-voltage) | active SIS | 0.1 | 10 | 10⁻⁵/yr |
| IPL 3: fuse current-cutoff | passive | 0.01 | 100 | 10⁻⁷/yr |
| IPL 4: thermal cutoff (PTC + thermistor) | active mechanical | 0.1 | 10 | 10⁻⁸/yr |
| Scenario consequence | catastrophic (fire + bodily harm) | — | — | risk = 10⁻⁸/yr × catastrophic |
LOPA tells the designer: 3-4 IPLs are needed for catastrophic outcomes; 2-3 IPLs for serious outcomes; 1 IPL for marginal ones. If a single BMS cutoff is insufficient, LOPA explicitly quantifies the gap and defends the cost-benefit of the additional layer.
LOPA ↔ SIL determination — cross-link with the IEC 61508 functional-safety axis (ED): each IPL with a safety-related function has a minimum SIL requirement derived from the required RRF.
13. ISO 14971:2019 — medical-device risk management cross-industry inspiration
ISO 14971:2019 Medical devices — Application of risk management to medical devices — although its target sector is medical, the methodology is widely respected cross-industry as an operational implementation of ISO 31000 with explicit benefit-risk + iterative + lifecycle integration. EN ISO 14971:2019 is a harmonized standard for the EU Medical Device Regulation (MDR) 2017/745 + In Vitro Diagnostic Regulation (IVDR) 2017/746. The US FDA recognizes ISO 14971:2019 as a consensus standard for medical-device risk management.
Key concepts from ISO 14971 (applicable to e-scooter risk management):
- Harm — «injury or damage to the health of people, or damage to property or the environment».
- Hazard — «potential source of harm».
- Hazardous situation — «circumstance in which people, property, or the environment are exposed to one or more hazards».
- Sequence of events — explicit chain from hazard → hazardous situation → harm, with probabilities P1 (hazardous situation given hazard) × P2 (harm given hazardous situation).
- Benefit-risk analysis — explicit weighing of clinical benefit vs residual risk; if the benefit does not outweigh the risk, treatment must continue or the product cannot be released.
- Risk-management file (RMF) — single source of truth for all RM activities throughout the product lifecycle.
- Post-production information — formal feedback loop from field use back to the RM file (analogous to e-scooter warranty + recall + accident data).
ISO 14971 ↔ ISO 31000 — ISO 14971 is industry-specific implementation; ISO 31000 is generic framework. ISO 14971 is prescriptive (mandatory steps + records); ISO 31000 is guidance (principles + structure).
14. ERM COSO 2017 + 3 Lines of Defense + risk-based thinking
ERM — Enterprise Risk Management — broader organization-level RM that integrates strategy + objectives + performance + governance. COSO (Committee of Sponsoring Organizations of the Treadway Commission) — a joint initiative of AICPA + AAA + FEI + IIA + IMA — published the seminal 2004 COSO ERM Framework; the 2017 update, ERM — Integrating with Strategy and Performance, has 5 components + 20 principles.
5 components of COSO ERM 2017:
- Governance and Culture — board oversight, operating structures, ethics, talent, accountability.
- Strategy and Objective-Setting — business context, risk appetite, evaluation of alternative strategies, business objectives formulation.
- Performance — risk identification, severity assessment, prioritization, response, portfolio view.
- Review and Revision — substantial change assessment, performance review, RM improvement.
- Information, Communication, and Reporting — leveraging information, communication, reporting on risk + culture + performance.
3 Lines of Defense (originally IIA Position Paper 2013, updated as IIA Three Lines Model 2020) — governance roles in risk management:
- First Line — operational management owns + manages risks at point of action (engineers, production operators, sales).
- Second Line — risk + compliance + quality functions provide framework + advise + monitor (Chief Risk Officer, ISO 9001 QMS team).
- Third Line — internal audit provides independent assurance on effectiveness of first + second lines.
Risk-based thinking as a cross-link to ISO 9001:2015 clause 6.1 — perhaps the most consequential change in the 2015 revision: risks + opportunities must be identified in the context of the organization's QMS scope, and their treatment must be integrated into planning. ISO 9001 does not require a formal risk-assessment methodology (such as ISO 31000) — it leaves the choice to the organization — but it does require evidence that risks have been considered + addressed.
Cross-link to safety-critical axes:
- HARA ISO 26262:2018 part 3 — Hazard Analysis and Risk Assessment for automotive functional safety; severity (S0-S3) × exposure (E0-E4) × controllability (C0-C3) → ASIL (A-D).
- TARA ISO/SAE 21434:2021 — Threat Analysis and Risk Assessment for automotive cybersecurity; CAL (Cybersecurity Assurance Level 1-4) determination.
Risk-management engineering (EV) provides the framework that says when to do HARA/TARA, how to feed their output into the organization-level risk register, and how to monitor residual risk through field-experience cycles.
15. Cross-axis matrix — risk-management relevance to the 31 previous axes
| Engineering axis (previous) | Risk-management concept (what this axis additionally constrains) |
|---|---|
| DT Joining (fastener torque) | Bowtie with top event «fastener loosens»; threats = vibration + thermal cycling + corrosion; barriers = thread-locker + torque mark + audit. |
| DV Heat-dissipation | FTA top event «component over-temp»; basic events = fan fail + paste degradation + ambient extreme; MCS analysis. |
| DX EMC/EMI | HAZOP node = «shield current return path»; guide-word «NO» = shield broken; deviation = noise injection → controller malfunction. |
| DZ Cybersecurity | TARA (specific instance of risk-management methodology) — STRIDE + DREAD per asset. |
| EB NVH | ALARP region for resonance exposure → owner discomfort vs cost of damper redesign. |
| ED Functional safety | HARA (specific instance of risk-management methodology) — S × E × C → ASIL. |
| EF Sustainability | Risk register entries for take-back program — likelihood × consequence of regulatory non-compliance. |
| EH Repairability | Bowtie with top event «captive component prevents repair»; consequences = e-waste + warranty fraud + customer churn. |
| EJ Environmental conditioning | ETA with initiating event «IPX seal compromised»; branching on barriers (drying + warning + safe-mode); outcomes = corrosion + short + thermal runaway. |
| EL Privacy | DPIA (Data Protection Impact Assessment) — specific instance of risk-management methodology per GDPR Art. 35. |
| EN Reliability | FMEA + FMECA (specific instances of risk-management methodology) — failure modes mapped to severity + occurrence + detection. |
| EP SW-process | Software FMEA (SFMEA) + STPA (System-Theoretic Process Analysis); risk-based testing prioritization per ISO 29119-2:2013. |
| ER Human factors | Human reliability analysis (HRA) — specific instance of risk-management methodology; THERP technique. |
| ET Manufacturing-quality | PFMEA + risk-based control plan; PPAP → risk acceptance gate. |
| Battery / BMS | LOPA with IPLs (BMS cell-voltage cutoff + pack-voltage sum + fuse + thermal cutoff); Bowtie with threats = overcharge / short / damage / cell-internal short. |
| Brake system | FTA top event = «brake fails to stop»; ALARP region for wet-stop distance vs cost of larger rotor. |
| Motor + controller | ETA with initiating event «throttle stuck-high»; branching on plausibility check + brake + operator bail-out. |
| Suspension | Bowtie with top event «spring breakage»; threats = corrosion / overload / fatigue; barriers = preload + coating + cycle-test PPAP. |
| Tire | Bowtie with top event «blowout»; threats = puncture / pressure loss / sidewall fatigue / ageing; barriers = TPMS + visual + inflation reminder. |
| Lighting | FTA with top event «headlight out at night»; basic events = LED degradation + connector corrosion + harness break. |
| Frame + fork | Bowtie with top event «frame fracture»; threats = manufacturing defect / fatigue / overload; barriers = weld inspection + cycle-test ISO 4210. |
| HMI / display | Human reliability analysis (HRA) on throttle-vs-brake misread; checklist analysis per ISO 9241-110. |
| Charger | LOPA with IPLs (input fuse + thermal fuse + Y-cap + over-voltage + thermal monitoring). |
| Connector + harness | FMEA at pin level + Bowtie on «multi-pin short» with threats = vibration + ageing + water ingress. |
| IP protection | Risk register entry «ingress causes electrochemical migration»; LOPA with IPLs (gasket + conformal coating + drying procedure + service indicator). |
| Bearing | FTA with top event «bearing seizure»; basic events = grease degradation + contamination + overload; ETA branching on operator notice + safe-stop. |
| Stem + folding | Bowtie with top event «latch unintended release while riding»; threats = wear + corrosion + impact; barriers = secondary lock + click-feedback + visual inspection. |
| Deck | HAZOP on «foot-slip» — guide-word «LESS» = less grip → wet conditions; barriers = grit + drainage + warning label. |
| Handgrip + lever + throttle | FMEA on throttle pot + brake lever + grip pull-off; AP analysis per AIAG-VDA. |
| Wheel + rim | Bowtie with top event «spoke broken / rim crack»; threats = manufacturing defect + impact + fatigue; barriers = trueness inspection + spoke-tension Cpk. |
| Fastener (joint) | (Same as DT — duplicate row to confirm axis-by-axis closure) |
Each previous axis receives a risk-management overlay as a systematic methodology layer: the axis-specific tool (FMEA / HARA / TARA / PFMEA / DPIA / HRA) is recognized as a specific instance of the ISO/IEC 31010:2019 41-method catalogue, with its output feeding the single organization-level risk register under the ISO 31000:2018 framework.
16. Owner-level risk-management “tells” — DIY checklist
8-step DIY risk-management assessment on receiving a new (or used) e-scooter — how to tell whether the manufacturer maintains a formal risk-management process:
- Recall registry tracking — check NHTSA (US, nhtsa.gov/recalls), EU RAPEX/Safety Gate (ec.europa.eu/safety-gate-alerts) and UK PSD (gov.uk/product-safety-alerts-reports-recalls) for the model + brand. A public recall history with clear scope + remedy = active risk management; silent or denied recalls despite known field issues = absence of the post-production information loop (ISO 14971 violation analog).
- Safety-related characteristic markings — IATF 16949 clause 8.3.3.3 requires special-characteristic marking on critical components. Look for symbols (◆ or S/SC) on the battery pack + brake assembly + motor housing = formal safety-critical classification.
- Manufacturer field-issue advisory subscription — does the manufacturer publish service bulletins / TSBs (Technical Service Bulletins)? Active publication = active 8D + post-production information loop = mature risk management.
- Warranty terms — RCA depth — read the warranty document: is a formal RCA process described? Warranty terms «refund or replace» without mention of root-cause investigation = no 8D culture. Look for a warranty mentioning «root cause analysis» + «corrective action» + «8D report» = formal post-production information.
- Accident statistics transparency — large manufacturers (Boeing, Tesla, Bird) publish annual safety reports with incident statistics. Absence = lack of transparency on residual risk. Presence + trending = mature risk monitoring.
- Disconnect / lock-out procedures — service manual must include lockout/tagout (LOTO) procedure for battery + electrical service. Absence = no formal occupational-safety risk-management for service technicians.
- Owner-manual hazard warnings — read warnings carefully: vague «do not modify» = legal disclaimer; specific «do not charge below 0°C — risk of lithium plating reduces cell capacity 15% per cycle» = informed user + benefit-risk communication per ISO 14971.
- Independent safety certification badges — UN 38.3 (battery transport) + IEC 62133 (battery safety) + IEC 60068 (environmental) + EN 17128 (PLEV) + UL 2272 / 2849 (e-scooter electrical safety). Multiple certifications from accredited bodies = layered risk-treatment evidence.
Owner-level “yellow flag” indicators:
- No public recall registry for the brand → product not registered with the regulator → bypass of post-market surveillance.
- Warranty terms exclude «misuse» broadly defined → manufacturer offloading residual risk to user without benefit-risk communication.
- No serial-number registration mechanism → cannot trace individual unit to manufacturing batch → no traceability for recall.
- No after-sales reporting channel (no email / phone / portal for incident reporting) → no field-feedback loop.
Green flags:
- Public ISO 14971:2019-style risk-management file disclosure (rare in consumer e-scooters; common in medical/aerospace).
- Published incident dashboard with anonymized statistics.
- Owner manual with clear hazard pictograms (ISO 7010 + ANSI Z535) + benefit-risk statements.
- Active warranty + recall + accident-data publication.
17. Future axes — where the axis series will expand
Like reliability (EN), SW-process (EP), ergonomics (ER), manufacturing-quality (ET) and risk-management (EV), the next process meta-axes are:
- V&V engineering as a standalone axis (IEEE 1012:2016 System, Software, and Hardware Verification and Validation) — currently split between functional-safety (ED), SW-process (EP), manufacturing-quality (ET) and risk-management (EV); IEEE 1012 is a separate standard with clear V&V tasks + minimum effort levels (V&V Class).
- Production logistics & supply chain (ISO 28000:2022 Security and resilience — Security management systems + C-TPAT + AEO + UFLPA compliance) — flow axis.
- Configuration management (ISO 10007:2017 Quality management — Guidelines for configuration management) — baseline + change-control axis with cross-links to functional safety + cybersecurity.
- Project management (ISO 21500:2021 + PMBOK 7th ed. 2021 + PRINCE2) — schedule/budget/scope axis.
- Sustainability impact assessment (ISO 14040:2006 + ISO 14044:2006 LCA — Life Cycle Assessment) — beyond the sustainability axis (EF), the full LCA methodology with cradle-to-grave + cradle-to-cradle scope.
None of these is a prerequisite for the risk-management axis — the publication order remains at the author's judgement, with the main criterion being «what is most valuable right now for the e-scooter power user».
Summary — risk management as concept-as-pattern
Cross-cutting infrastructure axis pattern v15 — fifteen-instance set (joining DT + heat-dissipation DV + interference-mitigation DX + interconnect-trust DZ + acoustic-vibration-emission EB + safety-integrity ED + sustainability EF + repairability EH + environmental-conditioning EJ + privacy-preservation EL + reliability-prediction EN + SW-process EP + human-machine-fit ER + manufacturing-process ET + risk-anticipation EV).
Risk management, like reliability + SW + ergonomics + manufacturing-quality, is a methodology layered over all the others rather than a separate subsystem:
- Reliability (EN) described the formal apparatus for predicting and validating the reliability of every previous axis.
- SW-process (EP) described the formal apparatus for building and delivering firmware that implements the decisions of each of the 28 axes.
- Ergonomics (ER) described the formal apparatus for fitting the human to each of the 29 previous axes, static and in motion.
- Manufacturing-quality (ET) described the formal apparatus for series-producing concrete exemplars of each of the 30 previous axes in such quantity and quality that the statistical defect rate (DPPM) stays within an acceptable bound.
- Risk-management (EV) describes the formal apparatus for systematically seeing the invisible: potential future failures (their scenarios + likelihood + consequence) across all 31 previous axes at once, and in their interactions, on top of a single vocabulary (ISO Guide 73:2009) + framework (ISO 31000:2018) + technique catalogue (ISO/IEC 31010:2019) + tolerability framework (ALARP + SFAIRP).
Recap, 10 points:
- Risk-management ≠ reliability ≠ functional-safety ≠ cybersecurity ≠ manufacturing-quality — meta-framework above them all.
- ISO 31000:2018 = 8 principles + framework with 6 components + risk-management process with 7 steps. Guidance, not certification.
- ISO Guide 73:2009 = 61-term vocabulary. Risk = «effect of uncertainty on objectives» (not just bad outcomes).
- ISO/IEC 31010:2019 = catalogue of 41 risk-assessment techniques. Bowtie + FMEA + FTA + ETA + HAZOP + LOPA are only 6 of the 41.
- Kaplan & Garrick 1981 triplet: risk = { ⟨scenario, likelihood, consequence⟩ }. Not a single number.
- ALARP + SFAIRP — UK HSE framework with reverse burden of proof + gross-disproportion factor 3-10×.
- Risk matrix is a screening tool for qualitative ranking; supplement it with FTA/LOPA/Monte Carlo for critical decisions.
- Bowtie = FTA (preventive barriers) + ETA (recovery barriers) in a combined visualization with the top event at the centre.
- LOPA = semi-quantitative; PFD × initiating frequency; an IPL must be Specific + Independent + Dependable + Auditable.
- 3 Lines of Defense + risk-based thinking ISO 9001:2015 — risk management integrates across the enterprise, not an isolated function.
ENG-first sources (0 Russian, 30+ official):
- ISO 31000:2018 Risk management — Guidelines — iso.org/standard/65694.html
- ISO Guide 73:2009 Risk management — Vocabulary — iso.org/standard/44651.html
- ISO/IEC 31010:2019 Risk management — Risk assessment techniques — iso.org/standard/72140.html
- IEC 60812:2018 Failure modes and effects analysis (FMEA and FMECA) — webstore.iec.ch/publication/26359
- IEC 61025:2006 Fault tree analysis (FTA) — webstore.iec.ch/publication/4311
- IEC 61882:2016 Hazard and operability studies (HAZOP studies) — Application guide — webstore.iec.ch/publication/24321
- IEC 62502:2010 Analysis techniques for dependability — Event tree analysis (ETA) — webstore.iec.ch/publication/7131
- ISO 14971:2019 Medical devices — Application of risk management to medical devices — iso.org/standard/72704.html
- ISO 26262-3:2018 Road vehicles — Functional safety — Part 3: Concept phase (HARA) — iso.org/standard/68385.html
- ISO/SAE 21434:2021 Road vehicles — Cybersecurity engineering (TARA) — iso.org/standard/70918.html
- ISO 9001:2015 Quality management systems — Requirements (clause 6.1 risk-based thinking) — iso.org/standard/62085.html
- S. Kaplan, B. J. Garrick «On The Quantitative Definition of Risk» — Risk Analysis Vol. 1, No. 1, 1981 — doi.org/10.1111/j.1539-6924.1981.tb01350.x
- UK HSE Reducing Risks, Protecting People — HSE’s decision-making process (R2P2), 2001 — web.archive.org snapshot of hse.gov.uk/risk/theory/r2p2.htm
- UK HSE/HID Approach to ALARP decisions (SPC/Permissioning/39) — hse.gov.uk/foi/internalops/hid_circs/permissioning/spc_perm_39.htm
- Edwards v National Coal Board [1949] 1 KB 704 (UK Court of Appeal, leading ALARP case).
- AIChE Center for Chemical Process Safety (CCPS) — Layer of Protection Analysis: Simplified Process Risk Assessment, Wiley, 2001 — aiche.org/ccps
- CCPS Guidelines for Initiating Events and Independent Protection Layers in Layer of Protection Analysis, Wiley, 2015 — aiche.org/ccps
- T. Kletz Hazop and Hazan: Identifying and Assessing Process Industry Hazards, 4th ed., IChemE, 1999.
- N. J. Bahr System Safety Engineering and Risk Assessment: A Practical Approach, 2nd ed., CRC Press, 2014.
- L. T. Cox Jr. «What’s Wrong with Risk Matrices?» — Risk Analysis Vol. 28, No. 2, 2008 — doi.org/10.1111/j.1539-6924.2008.01030.x
- N. J. McCormick Reliability and Risk Analysis: Methods and Nuclear Power Applications, Academic Press, 1981.
- E. J. Henley, H. Kumamoto Probabilistic Risk Assessment and Management for Engineers and Scientists, 2nd ed., IEEE Press, 1996.
- N. Rasmussen WASH-1400 — Reactor Safety Study, US NRC, 1975 — nrc.gov
- COSO Enterprise Risk Management — Integrating with Strategy and Performance, 2017 — coso.org/guidance-erm
- IIA The IIA’s Three Lines Model — An update of the Three Lines of Defense (position paper), 2020 — theiia.org
- BowTieXP / CGE Risk Management Solutions Bowtie Methodology Manual — cgerisk.com
- J. Reason Managing the Risks of Organizational Accidents, Ashgate, 1997 (Swiss cheese model).
- NHTSA Recalls portal — nhtsa.gov/recalls
- EU Safety Gate (RAPEX) Rapid alert system for dangerous non-food products — ec.europa.eu/safety-gate-alerts
- UK PSD Product Safety Database — gov.uk/product-safety-alerts-reports-recalls
- PMI A Guide to the Project Management Body of Knowledge (PMBOK), 7th ed., 2021 — pmi.org/pmbok
- IEEE 1012-2016 IEEE Standard for System, Software, and Hardware Verification and Validation — standards.ieee.org/standard/1012-2016.html