AACE 132R-23 Level 4 risk-driven scheduling explained
What AACE Recommended Practice 132R-23 is, the four maturity levels of quantitative schedule risk analysis, and exactly what a fully risk-driven Level 4 schedule must contain.
Last updated: July 2026
AACE Recommended Practice 132R-23, "Quantitative Schedule Risk Analysis (QSRA) — As Applied in Engineering, Procurement, and Construction (EPC) and Other Capital Projects," is the AACE International framework that defines how to run a credible Monte Carlo schedule risk analysis. Its most-cited contribution is a four-level maturity model: a way to describe how much real risk modeling actually went into a schedule's confidence dates, from a back-of-envelope range to a fully risk-driven simulation.
Level 4 is the top of that ladder. A Level 4 schedule is not just a Gantt with a contingency line bolted on — it is a schedule whose dates are produced by simulating an explicit risk model against three-point activity durations, with the risk register, the simulation, the resulting contingency, and the audit trail all integrated into one defensible package. This guide explains each level, what Level 4 specifically requires, and why regulated R&D programs in pharma and federal research increasingly demand it.
What AACE RP 132R-23 actually is
AACE International (the Association for the Advancement of Cost Engineering) publishes Recommended Practices that codify how cost and schedule professionals should do their work. RP 132R-23 is the recommended practice for Quantitative Schedule Risk Analysis — the discipline of attaching probabilities to a project's finish date instead of presenting a single deterministic date as if it were certain.
The core idea is that a deterministic critical path schedule answers "when does the plan finish if nothing varies?" — a question no real program ever lives in. QSRA answers the question sponsors actually ask: "what is the probability we finish by this date, and how much schedule contingency do we need to be 80% confident?" RP 132R-23 sets out the inputs, methods, and reporting that make that probabilistic answer trustworthy.
The four QSRA maturity levels
The 132R-23 maturity model classifies a risk analysis by how rigorously the schedule's confidence dates were derived. Each level adds modeling fidelity over the one below it.
- Level 1 — Duration uncertainty only, applied broadly: a simple range (e.g. ±20%) is placed on activity durations and simulated. No discrete risk events, often no link to a risk register. The lightest, most subjective level.
- Level 2 — Calibrated three-point estimates: each activity carries optimistic, most-likely, and pessimistic durations derived deliberately rather than by a blanket percentage, then simulated to produce a finish-date distribution.
- Level 3 — Risk events mapped to the schedule: discrete, register-sourced risk events (probability × impact) are mapped onto the activities they would affect and injected into the simulation, on top of duration uncertainty.
- Level 4 — Fully risk-driven and integrated: duration uncertainty plus mapped risk events plus, where relevant, correlation and integrated cost/schedule risk — producing contingency that is driven by the risk model, with a complete audit trail from register to result.
What Level 4 requires
A Level 4 analysis is the fully risk-driven tier, and it has concrete, checkable requirements. It is not a label you can claim by running a single uncalibrated simulation.
First, every relevant activity needs a defensible three-point estimate (optimistic / most-likely / pessimistic), not a uniform blanket range. Second, a maintained risk register supplies discrete risk events with probability and impact, and each event is explicitly mapped to the activities it would hit, so the simulation injects real, traceable risks rather than generic noise. Third, a Monte Carlo engine runs thousands of iterations across the network — respecting the dependency logic, and where appropriate modeling correlation between activities so common-cause risks are not understated.
The simulation then yields confidence dates (P50, P80, P90), and schedule contingency is set from that distribution — for example, the gap between the deterministic date and the P80 — rather than from a flat percentage. Sensitivity outputs (a tornado of which activities most drive the finish date, and a criticality index showing how often each activity lands on the critical path) explain where the risk lives. Finally, the whole chain — register, mappings, distributions, inputs, assumptions, and the resulting contingency decision — must be auditable, so a reviewer can reconstruct exactly how the confidence dates were produced.
- Defensible three-point (optimistic / most-likely / pessimistic) durations on relevant activities.
- A maintained risk register with discrete risk events explicitly mapped to affected activities.
- Monte Carlo simulation over the network, with correlation modeled where it matters.
- Confidence dates (P50/P80/P90) and contingency derived from the distribution, not a flat add-on.
- Sensitivity analysis — tornado and criticality index — identifying the true schedule drivers.
- Integrated cost/schedule risk where the program calls for it.
- An auditable trail from risk register through simulation to the contingency decision.
Why pharma and federal R&D programs need it
Regulated and capital-intensive R&D programs cannot present unfounded dates. A biotech board deck that carries a P50 IND date no one actually computed, or a DARPA milestone with no probabilistic backing, is a credibility risk — and in late-stage pharma, where cost of delay can run on the order of hundreds of thousands of dollars per day, a soft estimate is also a financial one. Level 4 forces the discipline of deriving those dates from an explicit, reviewable risk model.
Federal sponsors and FFRDCs increasingly expect AACE-grade risk-driven scheduling, and pharma quality cultures expect the same defensibility they apply to everything else. The audit trail is the heart of it: when a regulator, a sponsor, or an internal reviewer asks "why is the contingency this size?", a Level 4 schedule can answer with the register, the mappings, and the simulation rather than with judgment. That traceability is also the foundation on which heavier compliance regimes (such as 21 CFR Part 11 electronic records and signatures) are later built.
How CritPath AI implements the Level 4 model
CritPath AI implements the full AACE 132R-23 Level 4 model as built-in product behavior rather than an analyst's spreadsheet exercise. PERT-Beta three-point estimates feed a Monte Carlo engine that injects discrete risk events from the risk register, optionally models duration correlation, and reports P50/P80/P90 confidence dates with a tornado sensitivity chart and a criticality index. Schedule contingency follows from that distribution, and an append-only audit log records the inputs and decisions so the result is reconstructable end to end.
Because the engine also runs CPM (four dependency types, lag, float, near-critical) and TOC / Drum-Buffer-Rope alongside the simulation, and because a Claude + Gemini copilot reasons over the actual dependency graph, the risk numbers are explainable in context — which activity is driving your P80, what a gate decision does downstream. CritPath is $10 per user per month for every standard feature, with AI usage billed separately by metered usage. The audit-trail foundation for regulated programs is in place today; full 21 CFR Part 11 electronic signatures and re-authentication are on the Enterprise roadmap and are not yet shipped, so they should not be relied on as available.
Frequently asked questions
What is AACE RP 132R-23?
It is the AACE International Recommended Practice for Quantitative Schedule Risk Analysis (QSRA). It defines how to run a credible Monte Carlo schedule risk analysis and introduces a four-level maturity model describing how rigorously a schedule's confidence dates were derived, from a simple duration range up to a fully risk-driven Level 4 simulation.
What does AACE 132R-23 Level 4 require?
Level 4 is the fully risk-driven tier. It requires defensible three-point activity estimates, a maintained risk register with discrete events mapped to the activities they affect, a Monte Carlo simulation over the network (with correlation where relevant), confidence dates such as P50/P80/P90, contingency derived from that distribution, sensitivity analysis, and a complete audit trail from register to result.
What is the difference between Level 1 and Level 4 QSRA?
Level 1 applies a simple, broad duration range and simulates it, with little or no link to a risk register. Level 4 combines calibrated three-point durations, register-sourced risk events mapped onto specific activities, correlation and integrated cost/schedule risk where needed, and an auditable trail — so the confidence dates and contingency are driven by an explicit, reviewable risk model rather than a blanket percentage.
Why do pharma and federal programs need Level 4 scheduling?
Regulated R&D programs must present dates that can be defended. Boards, FDA-facing teams, and federal sponsors (DARPA, ARPA-H, NIH, FFRDCs) increasingly expect probabilistically backed milestones and an audit trail explaining how contingency was set. Level 4 provides that traceability, which also becomes the foundation for heavier regimes such as 21 CFR Part 11.
Does CritPath AI implement AACE 132R-23 Level 4?
Yes. CritPath AI implements the full Level 4 model: three-point PERT-Beta estimates, risk-event injection from the register, optional correlation, P50/P80/P90 dates, tornado and criticality-index sensitivity, distribution-driven contingency, and an append-only audit log. Full 21 CFR Part 11 e-signatures are on the Enterprise roadmap and are not yet shipped.
Related
See the math on your own schedule
CritPath AI is $10/user/month — real Monte Carlo, CCPM, decision gates, and a schedule-aware AI copilot. Join the waitlist for beta access.
Join the waitlist