|
Risk management has been a major function at the Marshall Space Flight Center (MSFC) at the National Aeronautics and Space Administration (NASA) from the very start of the organization. An extensive analytical approach to ensure safety/reliability risk control for projects was introduced in the early 1970s, and was imposed for the shuttle program contracts in 1974. The provision was revised and replaced by NASA Handbook 5300.4 (ID2), "Safety, Reliability, Maintainability, and Quality Provisions for the Space Shuttle Program," in October 1979. Since the Challenger accident in 1986, this program has been enhanced considerably. An effort to simplify the process was undertaken in 1999. The Continuous Risk Management (CRM) system, as developed by the Software Engineering Institute (SEI) of Carnegie Mellon University [Ref. 1], presents a systematic and comprehensive procedure that can be applied as a general guideline for several types of projects.
MSFC is in the process of implementing CRM for current projects at the Center. The objectives of this study were to assess the status of CRM implementation and to identify any modifications of the basic plan required to facilitate the implementation process.
Continuous Risk Management (CRM) Process
CRM provides a means of proactive decision-making in assessing the status of risk items, selecting the critical risk items for action, and monitoring the effectiveness of the implemented strategies. The CRM process includes identifying the risk items in a project, analyzing to prioritize the items for action, planning and implementing control measures, monitoring the status to take corrective steps, and communicating through documentation.
The outcome of the identification phase includes both a statement and context statement of risk. The major tools used for identification of risks are brainstorming, questionnaires, checklists and personal experience gained from similar situations.
The outcome of risk analysis is recorded on a Risk Information Sheet. The activities consist of evaluating attributes of risk, as well as classifying and prioritizing risks. The prioritizing is based on probability and impact of mishap, and time frame. The planning phase consists of determining the approach to adopt, defining the scope, and assigning responsibility for action. Action plan options are usually of four types: carry out research, accept risk, track the status, and plan mitigation.
There must be a realistic and measurable goal for mitigating risks. The tracking activities consist of acquiring data on performance, compiling and evaluating these with respect to the plan, and reporting the status and risks. Tracking must be based on the needs of the organization and the corresponding goals. An effective threshold value that triggers an action has to be chosen so that an indicator does not trip unnecessarily. The subsequent control activities are based on evaluation of tracking results and risk items. This communication is central to the success of risk management. Documentation and communication ensure the visibility of risk information. Documentation also ensures an understanding of risks and mitigating plans, and enables all project personnel to participate in the effort. Typical documents of the CRM system are risk management plans, risk implementation plans, risk information sheets, risk analysis reports, risk mitigation reports, a risk database, tracking logs, and test reports.
Prerequisites for Implementation
For successful implementation, the CRM system requires top management support, budget, resources, milestones for transition effort, evaluation measures, completion criteria and establishment of a baseline method. CRM at MSFC/NASA has management support and resources, and effort is continuing to enforce implementation of this program at the center.
next page »
|
