Engineering Risk Assessment and Failure Analysis
Engineering risk assessment and failure analysis constitute two intersecting disciplines that determine whether a design, structure, or system can perform its intended function under defined conditions without causing harm or economic loss. These methodologies underpin regulatory compliance across aerospace, civil, chemical, and structural sectors, and they are formally required by agencies including the U.S. Nuclear Regulatory Commission (NRC), the Occupational Safety and Health Administration (OSHA), and the Federal Aviation Administration (FAA). The scope ranges from a single mechanical component to complex sociotechnical systems serving millions of users.
Definition and scope
Risk assessment in engineering is the systematic process of identifying hazards, estimating the probability and severity of adverse outcomes, and determining whether those outcomes fall within acceptable thresholds. Failure analysis is a complementary discipline focused on determining root cause: retrospectively, for an actual failure after it has occurred, or prospectively, for a postulated failure before it does.
The two disciplines are formally distinguished in standards practice. The International Organization for Standardization (ISO) defines risk as the combination of the probability of harm and its severity in ISO 14971 (medical devices) and ISO 31000 (general risk management). The American Society of Mechanical Engineers (ASME) governs failure analysis methodology for pressure vessels and piping through its Boiler and Pressure Vessel Code (BPVC), while the American Society for Testing and Materials (ASTM) publishes metallurgical failure analysis protocols under standards such as ASTM E2332.
Scope boundaries matter significantly. A risk assessment for a nuclear facility must satisfy NRC requirements under 10 CFR Part 50, while a risk assessment for a workplace chemical process falls under OSHA's Process Safety Management (PSM) standard at 29 CFR 1910.119. The applicable regulatory frame determines which methods, documentation standards, and acceptance criteria apply.
The engineering risk and failure analysis domain intersects directly with engineering standards and codes and forms a foundational component of the broader engineering analysis and modeling methods landscape.
How it works
Structured risk assessment follows a defined sequence of phases:
- Hazard identification — Cataloging all potential failure modes, energy sources, or adverse conditions associated with the system. Tools include HAZOP (Hazard and Operability Study), What-If Analysis, and checklists derived from industry standards.
- Consequence analysis — Evaluating the severity of outcomes for each identified hazard, typically classified across a 4- or 5-level severity matrix (catastrophic, critical, marginal, negligible).
- Probability estimation — Assigning likelihood values using historical data, fault tree analysis (FTA), or event tree analysis (ETA). Quantitative methods produce numerical probabilities; qualitative methods produce ordinal rankings.
- Risk characterization — Combining severity and probability into a risk matrix or risk priority number (RPN), as formalized in Failure Mode and Effects Analysis (FMEA) per MIL-STD-1629A (U.S. Department of Defense).
- Risk control and mitigation — Selecting design changes, safeguards, or procedural controls that reduce risk to an acceptable level, often defined by an As Low As Reasonably Practicable (ALARP) criterion.
- Documentation and review — Producing a risk register and maintaining it through design iterations, as required by ISO 31000 and project-specific regulatory submissions.
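The phases above, worked as a small FMEA-style risk register: this is an added example, not code from the page's sources, and the ordinal scales, the 4×5 risk matrix, the ALARP thresholds and the sample failure modes are constructed for illustration.

```python
from dataclasses import dataclass

SEVERITY = {"catastrophic": 4, "critical": 3, "marginal": 2, "negligible": 1}  # constructed ordinal scales
LIKELIHOOD = {"frequent": 5, "probable": 4, "occasional": 3, "remote": 2, "improbable": 1}

# Constructed 4x5 risk matrix (severity row x likelihood column).
# "H" = intolerable, must be reduced; "M" = ALARP region, reduce where practicable; "L" = acceptable.
RISK_MATRIX = {
    "catastrophic": {"frequent": "H", "probable": "H", "occasional": "H", "remote": "M", "improbable": "M"},
    "critical":     {"frequent": "H", "probable": "H", "occasional": "M", "remote": "M", "improbable": "L"},
    "marginal":     {"frequent": "M", "probable": "M", "occasional": "M", "remote": "L", "improbable": "L"},
    "negligible":   {"frequent": "M", "probable": "L", "occasional": "L", "remote": "L", "improbable": "L"},
}

@dataclass
class FailureMode:
    item: str
    mode: str
    severity: str     # key of SEVERITY (consequence analysis)
    likelihood: str   # key of LIKELIHOOD (probability estimation)
    detection: int    # 1 = almost certainly detected before harm ... 5 = undetectable

def rpn(fm: FailureMode) -> int:
    """Risk priority number: severity x occurrence x detection; higher means reviewed first."""
    return SEVERITY[fm.severity] * LIKELIHOOD[fm.likelihood] * fm.detection

def risk_class(fm: FailureMode) -> str:
    """Risk-matrix lookup from the severity/likelihood pair alone (detection is not part of the matrix)."""
    return RISK_MATRIX[fm.severity][fm.likelihood]

def build_register(modes: list) -> list:
    """Risk register rows, sorted so the highest RPN is at the top."""
    rows = [{"item": fm.item, "mode": fm.mode, "rpn": rpn(fm), "class": risk_class(fm)} for fm in modes]
    return sorted(rows, key=lambda r: (-r["rpn"], r["item"]))

def requires_control(row: dict) -> bool:
    """Anything outside the acceptable region needs a documented control or an ALARP justification."""
    return row["class"] in ("H", "M")

SAMPLE_MODES = [  # constructed sample failure modes for a small process unit
    FailureMode("PRV-101", "relief valve fails closed", "catastrophic", "remote", 3),
    FailureMode("P-201", "seal leak releases product", "marginal", "probable", 2),
    FailureMode("TI-301", "temperature transmitter reads high", "negligible", "occasional", 1),
    FailureMode("HX-401", "tube rupture mixes streams", "critical", "occasional", 4),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_MODES):
        print(f'{row["item"]:8} RPN={row["rpn"]:3} class={row["class"]} control={requires_control(row)}: {row["mode"]}')
```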
Failure analysis diverges at step one: rather than hypothesizing hazards prospectively, it begins with a known failure event and works backward through evidence — fracture surfaces, stress analysis, material testing, and operating history — to establish root cause. The National Transportation Safety Board (NTSB) employs formalized failure analysis procedures in every aviation and infrastructure accident investigation it conducts.
Common scenarios
Engineering risk and failure analysis appears across 4 primary professional contexts:
- Structural engineering — Assessment of fatigue crack propagation in bridge members under cyclic loading, governed by AASHTO LRFD Bridge Design Specifications and FHWA bridge inspection standards.
- Aerospace engineering — FAA-mandated safety assessments under AC 25.1309-1B require that catastrophic failure conditions have a probability no greater than 1×10⁻⁹ per flight hour.
- Chemical and process engineering — OSHA PSM requires quantitative risk analysis for facilities handling more than threshold quantities of 137 verified highly hazardous chemicals (29 CFR 1910.119, Appendix A).
- Product and mechanical engineering — Consumer product failure analysis follows CPSC reporting obligations under the Consumer Product Safety Act (15 U.S.C. § 2064) and ASTM failure analysis protocols.
Decision boundaries
Risk assessment and failure analysis require practitioners to resolve several classification questions that determine which tools and standards apply.
Quantitative vs. qualitative analysis: Quantitative risk assessment (QRA) produces probability values — such as the FAA's 1×10⁻⁹ threshold — and demands statistically robust failure rate data. Qualitative assessment uses ranked categories and is appropriate where data are insufficient or where regulatory frameworks accept ordinal judgment. ISO 31000 permits both approaches but requires justification for the method selected.
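A quantitative fault tree evaluated against the 1×10⁻⁹ per-flight-hour figure, as an added example that is not part of the original page: the per-event probabilities, the channel and power-bus architecture and the gate structure are constructed assumptions, and the basic events are assumed to be independent.

```python
from __future__ import annotations
from dataclasses import dataclass
from math import prod

@dataclass
class BasicEvent:
    name: str
    p: float  # probability of occurrence per flight hour (constructed, illustrative values)

@dataclass
class Gate:
    kind: str                        # "AND" or "OR"
    inputs: list[BasicEvent | Gate]

def probability(node: BasicEvent | Gate) -> float:
    """Exact top-event probability assuming independent basic events.
    AND: every input occurs -> product of p_i.  OR: at least one occurs -> 1 - product of (1 - p_i)."""
    if isinstance(node, BasicEvent):
        return node.p
    ps = [probability(n) for n in node.inputs]
    if node.kind == "AND":
        return prod(ps)
    if node.kind == "OR":
        return 1.0 - prod(1.0 - p for p in ps)
    raise ValueError(f"unknown gate kind {node.kind!r}")

def meets_threshold(node: BasicEvent | Gate, limit_per_hour: float = 1e-9) -> bool:
    """Catastrophic conditions must not exceed the 1x10^-9 per-flight-hour figure cited in the text."""
    return probability(node) <= limit_per_hour

def channel(label: str) -> Gate:
    """One control channel is lost if its sensor OR its processor fails (constructed rates)."""
    return Gate("OR", [BasicEvent(f"sensor_{label}", 1e-4), BasicEvent(f"processor_{label}", 2e-5)])

def loss_of_function(n_channels: int, n_power_buses: int) -> Gate:
    """Top event: ALL redundant channels fail, OR ALL power buses fail (a common-cause path)."""
    channels = Gate("AND", [channel(chr(ord("A") + i)) for i in range(n_channels)])
    power = Gate("AND", [BasicEvent(f"power_bus_{i}", 5e-7) for i in range(n_power_buses)])
    return Gate("OR", [channels, power])

if __name__ == "__main__":
    # Compare candidate architectures: the common-cause power path dominates until it is made redundant,
    # and only the triple-channel, dual-bus design gets under the threshold.
    for arch in [(2, 1), (2, 2), (3, 2)]:
        top = loss_of_function(*arch)
        verdict = "meets 1e-9/FH" if meets_threshold(top) else "exceeds 1e-9/FH"
        print(f"{arch[0]} channels, {arch[1]} buses: P = {probability(top):.3e} -> {verdict}")
```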
Prospective vs. retrospective analysis: FMEA and HAZOP are prospective — applied during design to anticipate failures. Root cause analysis (RCA) and metallurgical failure analysis are retrospective — applied after a failure event. The two modes are not interchangeable; a prospective FMEA cannot substitute for post-incident forensic investigation when regulatory reporting obligations are triggered.
Component-level vs. system-level scope: A component FMEA examines individual parts in isolation; a system FMEA traces failure propagation across subsystem interfaces. The distinction affects the depth of analysis required and the engineering discipline credentials needed. Licensed Professional Engineers (PE) are typically required to certify risk assessments submitted to state or federal agencies; the National Council of Examiners for Engineering and Surveying (NCEES) defines the scope-of-practice boundaries for the PE credential.
The broader context of professional responsibility governing these determinations is covered within engineering ethics and professional responsibility as part of the full engineering services landscape.