University of Stavanger, uis.no

Guest lectures, Politecnico di Milano, 26-27 February 2018

Risk analysis: The field and science, the foundations, and the practice, with emphasis on quantitative risk assessment in selected applications

Roger Flage, Assistant/associate Professor, Department of Safety, Economy and Planning / Faculty of Science and Technology

2/22/2018

Roger Flage - lasar.polimi.it · This slide (modified) courtesy of Prof. Terje Aven. A Studies and management of the risk of specific activities. B Generic risk practices and research

Jul 27, 2018

Page 2

Contents

▪ Lecture 1: Overview of risk analysis as a field and science

▪ Lectures 2 & 3: Foundations of risk analysis

▪ Lectures 4 & 5: Quantitative risk assessment

▪ Lecture 6: Quantitative risk assessment applications

Page 3

Contents

▪ Lecture 1: Overview of risk analysis as a field and science

  ▪ The (core) subjects of risk analysis

  ▪ Risk analysis as a science

  ▪ The field of risk analysis

▪ Lectures 2 & 3: Foundations of risk analysis

  ▪ The risk concept

  ▪ Describing risk (generic risk assessment)

  ▪ Black swans and perfect storms

Page 4

Contents

▪ Lectures 4 & 5: Quantitative risk assessment

  ▪ Quantitative/Probabilistic risk assessment

  ▪ Risk metrics

  ▪ Event tree modelling

  ▪ Uncertainty in risk assessment

  ▪ Probabilities in risk assessment

  ▪ Epistemic versus aleatory uncertainty

  ▪ Model uncertainty

  ▪ Level 1 and level 2 uncertainty propagation

  ▪ Example

  ▪ Standard Bayesian approach

  ▪ Predictive Bayesian approach

  ▪ Risk-informed decision-making

▪ Lecture 6: Quantitative risk assessment applications

  ▪ Offshore oil and gas risk assessment

  ▪ Infrastructure risk assessment

  ▪ Identifying safety and security critical systems

Page 5

Lecturing style

▪ Traditional lectures with student-active elements

▪ The lecture presentation contains several “hidden” slides with problems to be discussed directly in plenary as well as problems to be first considered individually, then discussed in groups of 2-3 students, and finally discussed in plenary

Page 6

Lecture 1: Overview of risk analysis as a field and science

Page 7

Risk analysis

[Diagram: risk analysis in the Society for Risk Analysis tradition, with the elements risk characterization, risk assessment, risk management, risk communication, risk perception, policy relating to risk, and risk governance]

Page 8

The risk management process

That being said …

ISO 31000

Page 9

Risk analysis core subjects

Fundamentals

… fundamental issues related to risk analysis as a field and science, basic concepts and principles, including ways of representing and expressing uncertainties.

Society for Risk Analysis «Core subjects» document

Page 10

Risk analysis core subjects

Risk assessment

… principles, approaches, and methods for identifying risk sources, threats, hazards and opportunities; understanding how these can occur and what can be their consequences including adaptive behavior and recovery; representing and expressing uncertainties and risk; and determining the significance of the risk using relevant criteria

Society for Risk Analysis «Core subjects» document

Page 11

Risk analysis core subjects

Risk management

Risk governance

… measures and activities carried out to manage and govern risk, balancing developments and exploring opportunities, on the one hand, and avoiding losses, accidents and disasters on the other. A main emphasis here is on providing insights and guidance on multi-dimensional, multi-actor, multi-institutional decision and policy making and on resolving emerging trade-offs

Society for Risk Analysis «Core subjects» document

Page 12

Risk analysis core subjects

Risk communication

Risk perception

… issues related to perception and communication of risk, how affect and trust influence risk perception and behavior, and how exchange or sharing of risk-related data, information and knowledge between and among different parties (such as regulators, experts, consumers, media, general public) can be provided.

Society for Risk Analysis «Core subjects» document

Page 13

Risk analysis core subjects

Solving risk problems and issues

… how to solve risk problems, challenges and issues in real practice, by integrating theories and methods from the other four categories of topics, and using concrete, practical cases. Risk analysis as a multidisciplinary and interdisciplinary field is demonstrated, and special attention is devoted to the added value of risk analysis relative to the contributions from other fields and sciences.

Society for Risk Analysis «Core subjects» document

Page 14

Risk analysis studies – a few examples

▪ Pest risk analysis (PRA) for the territories of the European Union (as PRA area) on Bursaphelenchus xylophilus and its vectors in the genus Monochamus. HF Evans, DG McNamara, H Braasch… - EPPO …, 1996 - Wiley Online Library

▪ Probabilistic risk analysis for a high‐level radioactive waste repository. BL Cohen - Risk analysis, 2003 - Wiley Online Library

▪ Some limitations of “Risk = Threat × Vulnerability × Consequence” for risk analysis of terrorist attacks. LAT Cox Jr - Risk Analysis, 2008 - Wiley Online Library

▪ On some recent definitions and analysis frameworks for risk, vulnerability, and resilience. T Aven - Risk Analysis, 2011 - Wiley Online Library

Page 15

Risk analysis as a science

▪ Two knowledge-generating pillars (Aven & Zio, 2014):

A. Risk knowledge related to an activity in the real world (interpreted in a wide sense to include, for example, also natural phenomena), for example the use of a medical drug, the design of a bridge or the analysis of climate change

B. Knowledge on concepts, theories, frameworks, approaches, principles, methods and models to understand, assess, characterize, communicate, manage and govern risk

Page 16

A) Studies and management of the risk of specific activities

B) Generic risk practices and research: How to conceptualise, understand, assess, communicate and manage risk

This slide (modified) courtesy of Prof. Terje Aven

Page 17

We may ask, is the risk too high? Should we reduce it? And by how much, and how can we best achieve such a reduction?

A. Studies and management of the risk of the specific activity

B. Generic risk practices and research: How to conceptualise, assess, communicate and manage risk

Experts in offshore operations, process engineers …

Risk analysis experts

This slide (modified) courtesy of Prof. Terje Aven

Page 18

Activity, system

Real world

A. Studies, communication and management of the risk of this specific activity

B. Generic risk practices and research: How to conceptualise, understand, assess, communicate and manage risk

Experts in other fields

Competence

Risk analysis experts

Insights into risk, decision support, good decisions

What do they give?

This slide (modified) courtesy of Prof. Terje Aven

Page 19

B. Generic risk practices and research: How to conceptualise, assess and manage risk

What is risk?

This slide (modified) courtesy of Prof. Terje Aven

Page 20

1) Risk = expected loss/consequences

C x P (Abraham de Moivre, 1711)

C: Consequences (loss), P: Probability

This slide (modified) courtesy of Prof. Terje Aven

Page 21

2) Risk description = The combination of magnitude/severity of consequences C and probability P

C & P

Alternative formulation: Events/scenarios A, consequences C, probabilities P

Kaplan, S. and Garrick, B.J. (1981) On the quantitative definition of risk. Risk Analysis 1, 11-27.

This slide (modified) courtesy of Prof. Terje Aven

Page 22

The risk concept

Society for Risk Analysis Glossary 2015

• Risk is the possibility of an unfortunate occurrence

• Risk is the potential for realization of unwanted, negative consequences of an event

• Risk is exposure to a proposition (e.g. the occurrence of a loss) of which one is uncertain

• Risk is the consequences of the activity and associated uncertainties

• Risk is uncertainty about and severity of the consequences of an activity with respect to something that humans value

How to measure or describe risk

a) Expected consequences (damage, loss)

b) The combination of probability P and magnitude/severity of consequences C

c) The triplet (C’,Q,K), where C’ is some specified consequences, Q a measure of uncertainty associated with C’ and K the background knowledge that supports C’ and Q

Meeting the need of the decision situation

This slide (modified) courtesy of Prof. Terje Aven

Page 23

A. Studies and management of the risk of specific activities

B. Generic risk practices and research: How to conceptualise, assess and manage risk

This slide (modified) courtesy of Prof. Terje Aven

Page 24

- Is there an objective best policy on how to deal with risk?

  o For you?

  o For the company?

  o For the society?

- How can we use methods and principles like

  ▪ Cost-benefit analyses

  ▪ Precautionary principle: what does this principle say, how can it be used?

- How should activities be best regulated to balance development and risk?

- …

B. Generic risk practices and research: How to conceptualise, assess and manage risk

This slide (modified) courtesy of Prof. Terje Aven

Page 25

A. Studies and management of the risk of specific activities

B. Generic risk practices and research: How to conceptualise, understand, assess, communicate and manage risk

Applied risk analysis

Generic risk analysis

This slide (modified) courtesy of Prof. Terje Aven

Page 26

Type A) analysis

a) Descriptive analysis: What has happened previously in terms of losses, failures, etc.? What do the data indicate is (not) worth worrying about? What has changed that seems worth worrying about?

b) Predictive analysis - knowledge and uncertainties: What will happen if a specific activity is realized, a specific system is operated? What might go wrong? Why and how might it go wrong? What are the consequences? What will happen if we (do not) intervene? How soon, with what consequences? What do we know; what do we not know? What are the uncertainties and likelihoods? Causal analysis - knowledge and uncertainties: What will happen if we intervene in different ways? What do we know; what do we not know? What are the uncertainties? Likelihoods?

c) Prescriptive analysis and decision optimization - management: What should we do next, given the resources, risk, uncertainties, constraints and other concerns? Who should do what? Who should use what decision rules? What are intolerable or unacceptable risks? How can the public participate? How to be prepared in case of an event? How to build robust and resilient systems?

Page 27

Type A) analysis

d) Communication: Who should say what to whom? How to address uncertainties? How to interpret probabilities?

e) How are perceptional aspects, like fear or prejudice, influencing risk judgments and decisions?

f) Evaluation analysis: How well is the risk analysis working? What have the consequences of our actions and policies actually been?

g) Learning analysis: How might we do better? What should we try next, and for how long? When should we stop exploring and commit to a policy?

h) Collaborative analysis: How might we do better together?

Page 28

Type B) analysis

▪ Conceptual research relates to some abstract ideas, concepts, theories, etc. and includes one or more of the following elements:

  ▪ Identification (for example, a new concept or principle)

  ▪ Revision (seeing what has been identified in a different way, for example using alternative frames of reference)

  ▪ Delineation (for example, a framework for when to use an assessment approach)

  ▪ Summarisation (to see the forest for the trees, for example reducing what is known about a matter to a manageable set of contributors)

Example: Risk = C x P

Page 29

Type B) analysis

  ▪ Differentiation (for example, that there are several ways of interpreting a probability)

  ▪ Integration (to synthesise, amalgamate, or harmonise, for example as the unified understanding of risk reflected in the SRA (2015) Glossary)

  ▪ Advocating (for example, argumentation to justify or support a given conclusion concerning the use of a specific definition or principle)

  ▪ Refuting (for example, argumentation aimed at rebutting a given perspective) (MacInnis 2011).

The research is based on creativity, divergent thinking, comparative reasoning, integrative thinking, logic, etc. and makes use of different types of tools as described in MacInnis (2011): for example, metaphors, questioning of strongly held assumptions, and maps which show relationships between different concepts

Example: Risk = C x P

Page 30

The risk analysis field

Totality of relevant risk educational programmes, journals, papers, researchers, research groups and societies, etc. (Risk discipline)

Knowledge generation related to A) and B)

Page 31

Lectures 2 & 3: Foundations of risk analysis

Page 32

Common thinking about risk (I)

Risk is the combination of probability and consequences

Risk = C & P

Risk = P x C = E

C = consequences

P = probability

E = expected value

Page 33

Example: Risk = C & P vs. risk = C x P

6: Win € 36,000

1, 2, 3, 4, 5: Pay € 6,000

Risk = C & P

C1: 36,000 P1: 1/6

C2: -6,000 P2: 5/6

Risk = C x P

36,000 × 1/6 – 6,000 × 5/6 = 1,000

Page 34

Common thinking about risk (II)

Risk = U

Risk is uncertainty

U = uncertainty

Page 35

Common thinking about risk (III)

Risk is an event

Risk = A

A = event

Page 36

‘Risk’ - ISO Guide 73 / ISO 31000

An effect is a deviation from the expected (positive and/or negative).

Risk is the effect of uncertainty on objectives

Page 37

‘Risk’ - ISO Guide 73 / ISO 31000 - Example

Activity

0 fatalities p0 = 0.9

1 fatality p1 = 0.1

Objective: 0 fatalities

Uncertainty: We do not know if the outcome will be 0 or 1 fatality

Expected loss = 0.1

Effect = Deviation from the expected: 0 or 1 fatalities (certain)

Risk = effect of uncertainty on objectives = ?

Page 38

‘Likelihood’ - ISO Guide 73 / ISO 31000

the chance of something happening, whether defined, measured or determined objectively or subjectively, quantitatively or qualitatively, and described using general terms or mathematically (such as a probability or a frequency over a given time period).

Likelihood = chance

Described using e.g. probability or frequency

Page 39

‘Probability’ - ISO Guide 73 / ISO 31000

Chance = ???

a measure of the chance of occurrence expressed as a number between 0 and 1

Likelihood = chance

Probability = measure of chance

Page 40

A) Studies and management of the risk of specific activities

B) Generic risk practices and research: How to conceptualise, understand, assess, communicate and manage risk

Link back to Lecture 1 …

Page 41

The risk concept — historical and recent development trends

Page 42

Distinguishing risk as a concept and the description of risk

The concept of risk: What risk is

The description of risk: How risk is described and measured

Page 43

The risk concept versus the risk description

Risk = (C,U)

Risk description = (C’,Q,K)

[Diagram: timeline t1, t2, t3 with c at t1, C’ at t2 and C at t3]

▪ Consequences (risk sources, events/scenarios, effects/end states): c … in the past, C’ … in the risk assessment, C … in the future

▪ K: Background knowledge (including but not limited to c)

▪ Q: Uncertainty measure

▪ U: State of uncertainty (about C)

Page 44

Risk concept versus risk description – Infrastructure

Risk = (C,U)

Risk description = (C’,Q,K)

[Diagram: timeline t1, t2, t3 with c, C’, C, K, Q and U; labels as extracted:]

Ice storm, Hurricane, Pandemic, Fuel shortage, Food scare, Bank systems failure

P(Hurricane impact | K)

E[downtime | hurricane, K]

P(downtime > 2 days | hurricane, K)

Ice storm, Solar storm

c

Number of system failures, Downtime durations

Simulations models, Assumptions

Ice storm, Hurricane, Heat wave, Flooding

Page 45

Knowledge K: Data, Information, Argumentation, Testing, Modelling,

Consequences C of the activity

Uncertainty U about C

Risk assessment and characterisation

Specified consequences C’

Description or measure Q of the uncertainties

Risk description and characterisation (C’,Q,K), with related metrics, meeting the need of the decision situation

Real world

This slide (modified) courtesy of Prof. Terje Aven

Page 46

In what types of situations could we have the actual consequences C not covered by the specified consequences C’?

Page 48

I. The consequence is outside the scope of the risk assessment

▪ C’ = {human death, human injury}

▪ A’ = {ice throw, ice fall}

▪ C = {animal death}

▪ A = {broken turbine blade thrown to the ground}

Page 49

II. The consequence is within the scope of the risk assessment, but was not identified in the risk assessment

▪ A’ = {ice throw from turbine blade in operation, ice fall from turbine blade on stopped turbine, ice fall from tower}

▪ RS’ = {weather, wind, other natural conditions}

▪ RS = {maintenance}

Risk source: Element (action, sub-activity, component, system, event, …) which alone or in combination with other elements has the potential to give rise to some specified consequences (typically undesirable consequences) (SRA glossary, 2015).

Page 50

II. The consequence is within the scope of the risk assessment, and was identified in the risk assessment process, but was not included in the risk assessment due to judged negligible probability

▪ C’ = {person injured by ice block with impact energy > 40 J}

▪ Assumption: Ice blocks with impact energy > 40 J are always fatal

▪ P(fatal|hit energy > 40 J) = 99.9 % => P(not fatal|hit energy > 40 J) = 0.1 %

▪ => P(C’) = negl.

▪ C = {person injured by ice block with impact energy > 40 J}

Page 51

Knowledge K: Data, Information, Argumentation, Testing, Modelling,

Consequences C of the activity

Uncertainty U about C

Risk assessment and characterisation

Specified consequences C’

Description or measure Q of the uncertainties

Risk description and characterisation (C’,Q,K), with related metrics, meeting the need of the decision situation

Real world

This slide (modified) courtesy of Prof. Terje Aven

Page 52

Uncertainty measure (Q)

Q = (P,SoK)

P(A|K)

Strength of knowledge evaluation (SoK):

• Level of phenomenological understanding / goodness of models

• Amount and relevance of data

• Level of agreement among experts

• Realism of assumptions made

Page 53

Example: Risk description = (C,P,SoK,K)

6: Win € 36,000

1, 2, 3, 4, 5: Pay € 6,000

Risk description = (C,P,SoK,K)

C1: 36,000 P1: 1/6 SoK1 = weak

C2: -6,000 P2: 5/6 SoK2 = weak

K = No data, observed symmetrical die, assumption of fair die

Risk description = (C,P,SoK,K)

C1: 36,000 P1: 1/6 SoK1 = strong

C2: -6,000 P2: 5/6 SoK2 = strong

K = Large amount of data

Page 54

NUSAP notational system

▪ Numeral

▪ Unit

▪ Spread

▪ Assessment

▪ Pedigree

Qualitative evaluation of uncertainty/value-ladenness

Page 55

NUSAP – Example: Blowout rate

▪ Numeral: 8.000

▪ Unit: Sm3/day

▪ Spread: [6.500,9.500]

▪ Assessment: 90 %

▪ Pedigree: Pedigree-matrix

Page 56

«Pedigree» matrix

Score | Theoretical structures | Data-input | Peer-acceptance | Colleague consensus
4 | Established theory | Experimental data | Total | All but cranks
3 | Theoretically based model | Historic / field data | High | All but rebels
2 | Computational model | Calculated data | Medium | Competing schools
1 | Statistical processing | Educated guesses | Low | Embryonic field
0 | Definitions | Uneducated guesses | None | No opinion

Funtowicz & Ravetz (1990)

Page 57

«Pedigree» matrix

Pedigree = (3,3,3,4)

Page 58

NUSAP – Example: Blowout rate

▪ Numeral: 8.000

▪ Unit: Sm3/day

▪ Spread: [6.500,9.500]

▪ Assessment: 90 %

▪ Pedigree: (3,3,3,4)

Q = (P,Pedigree)

Page 59

1. What can happen (go wrong)? 2. How likely is it that that will

happen? 3. If it does happen, what are the

consequences?

1. What can happen (go wrong)? 2. If it does happen, what are the

consequences? 3. How likely is it that that will happen

and give these consequences?4. What is the knowledge supporting

the likelihood judgments? 5. How strong is this knowledge?

Earlier Now

This slide (modified) courtesy of Prof. Terje Aven

Expressing risk

Bow-tie diagram

[Figure: bow-tie diagram with the elements causes, barriers (preventive), initiating event (hazard/threat), barriers (consequence reducing), consequences, and risk influencing factors (RIFs)]

Black swans

“Rara avis in terris nigroque simillima cygno”
(A rare bird in the lands and very much like a black swan)
Juvenal (ca. 55 - ca. 135)

London, 1600s


Black swans

Swan River, 1696

Black swans

▪ A surprising, extreme event relative to present knowledge/beliefs (Aven, 2013)

Black swans

▪ A surprise to some
▪ Not a surprise to others

This slide (modified) courtesy of Prof. Terje Aven


Was this a black swan?

This slide (modified) courtesy of Prof. Terje Aven


Was this a black swan?

This slide (modified) courtesy of Prof. Terje Aven

Types of Black swans

Black swan: A surprising, extreme event relative to present knowledge/beliefs

a) Unknown unknowns
b) Unknown knowns
c) Known but not believed to occur because of low judged probability

[Figure labels: Unforeseen (unanticipated) events; Surprising events; Unthinkable (unimaginable) events; Extreme consequences]

This slide (modified) courtesy of Prof. Terje Aven

The Black Swan (Taleb, 2007)

I. Outlier as it lies outside the realm of regular expectations, because nothing in the past can convincingly point to its possibility
II. Extreme impact
III. In spite of its outlier status, human nature makes us concoct explanations for its occurrence after the fact, making it explainable and predictable

This slide (modified) courtesy of Prof. Terje Aven


The perfect storm (2000)

© 2000 - Warner Bros. Entertainment, Inc.

A perfect storm

▪ A rare event that might happen, where we understand the phenomena involved


Black swans and perfect storms

▪ «Epistemic uncertainty» (Lack of knowledge)
▪ «Aleatory uncertainty» (Variation)

Lectures 4 & 5: Quantitative risk assessment

Probabilistic risk assessment (PRA) (I)

▪ PRA = QRA (quantitative risk assessment) where uncertainty is quantified using probability
▪ A probabilistic risk assessment (PRA) systematizes the knowledge and uncertainties about the phenomena studied
  ▪ What are the possible hazards and threats, their causes and consequences? The knowledge and uncertainties are characterized and described using various probability-based metrics
▪ PRA stages:
  1. Identification of threats/hazards
  2. Cause analysis
  3. Consequence analysis
  4. Probabilistic analysis
  5. Risk description
  6. Risk evaluation

Source: Aven (2008) Risk Analysis. Wiley

Probabilistic risk assessment (PRA) (II)

▪ Traditional frequentist approach
  ▪ Typically applied in situations in which there exists a large amount of relevant data
  ▪ Founded on well-known principles of statistical inference, the use of probability models, the interpretation of probabilities as relative frequencies, point estimates, confidence interval estimation, and hypothesis testing
▪ The Bayesian approach
  ▪ Based on the concept of subjective (judgmental, knowledge-based) probabilities
  ▪ Applied in situations in which there exists only a limited amount of data
  ▪ Based on use of probability models to reflect variation and subjective probability to describe parameter uncertainty

Risk description in a safety context (risk indices/metrics)

▪ IR (Individual Risk): Probability of death for specified person i, $p_i$
  ▪ In practice usually AIR (Average Individual Risk): AIR = PLL/n
▪ PLL (Potential Loss of Life): Expected number of fatalities, PLL = EN, where N = number of fatalities
▪ FAR (Fatal Accident Rate): Expected number of fatalities during $10^8$ hours, FAR = (PLL/T) · $10^8$, where T = exposure time
▪ f-N curve (≈ probability distribution of the number of fatalities): P(N ≥ n’)

[Figure labels: $p_1$, $p_2$, …, $p_n$]

The f-N curve


Risk analysis information input formats

Data

Aspects of interest:

• Quantity/Amount

• Relevance

Expert statements

Models

Models of physical phenomena

Probability models

Data amount/quantity vs relevance

[Figure: the quantity of interest $X_{n+1}$ and the parameter μ, with a low amount of relevant data $(x_1, x_2, \ldots, x_n)$ and less relevant data $(y_1, y_2, \ldots, y_m)$ from an extended population]


Risk analysis information input formats

Data

Aspects of interest:

• Quantity/Amount

• Relevance

Expert statements

Models

Models of physical phenomena

Probability models

Logical models

Physical model

Based on physical laws the effective duration of a flash fire may be derived as

[Equation for the effective duration $t_{eff}$: not legible in the source]

Yields prediction in risk analysis

Probability model

• $p_i$ = fraction of times the die shows i in the long run, i = 1, 2, …, 6.
• X: Number of failures in a time period
  • Poisson model: $P_f(X = k) = \lambda^k e^{-\lambda}/k! = f(k|\lambda)$, $E_f X = \lambda$

Logical model - Event tree – Hydrocarbon release

[Figure: event tree for a hydrocarbon release. Branch labels: immediate ignition / not immediate ignition; short release fraction; vertical / horizontal; delayed ignition / no ignition; dispersion. End states: "Jet fire, pool fire, no effect"; "Bleve, pool fire, flash fire, explosion, no effect"; "Flash fire, pool fire, explosion, no effect"; "Residual pool fire"; "No effect"]

This slide (modified) courtesy of Prof. Terje Aven

Event tree - Simple

[Figure: event tree with initiating event I, branches A / Not A and B / Not B, and end states N=100, N=1 and N=0]

This slide (modified) courtesy of Prof. Terje Aven

Probabilistic model based on event tree

[Figure: event tree with initiating event I, branch probabilities $q_1$ / $1-q_1$ and $q_2$ / $1-q_2$, and end states N=100, N=1 and N=0]

▪ $q_0$ = EX: Expected number of initiating events I
▪ $p = P_f(N \geq 100) = q_0 q_1 q_2$

This slide (modified) courtesy of Prof. Terje Aven
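The event tree model above can be evaluated directly to obtain the risk metrics PLL, AIR, FAR and the f-N curve defined earlier in these lectures. The Python code below is an added example, not part of the lecture material; it reads q1 and q2 as the branch probabilities of A and B, and the values of q0, q1, q2, the number of exposed persons and the exposure hours are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    frequency: float   # expected number of occurrences per year
    fatalities: int    # N for this end state


def event_tree(q0, q1, q2):
    """Enumerate the end states of the simple event tree I -> A -> B.

    q0: expected number of initiating events I per year
    q1: probability of A given I
    q2: probability of B given A
    """
    return [
        Scenario("I, A, B", q0 * q1 * q2, 100),
        Scenario("I, A, not B", q0 * q1 * (1 - q2), 1),
        Scenario("I, not A", q0 * (1 - q1), 0),
    ]


def pll(scenarios):
    """Potential Loss of Life: expected number of fatalities per year, PLL = EN."""
    return sum(s.frequency * s.fatalities for s in scenarios)


def air(scenarios, n_persons):
    """Average Individual Risk: AIR = PLL / n."""
    return pll(scenarios) / n_persons


def far(scenarios, exposure_hours):
    """Fatal Accident Rate: FAR = (PLL / T) * 10^8, T = total exposure hours per year."""
    return pll(scenarios) / exposure_hours * 1e8


def fn_curve(scenarios):
    """Return [(n', frequency of N >= n')] for each distinct fatality level n' > 0."""
    levels = sorted({s.fatalities for s in scenarios if s.fatalities > 0})
    return [(n, sum(s.frequency for s in scenarios if s.fatalities >= n))
            for n in levels]


if __name__ == "__main__":
    # Constructed input values, for illustration only.
    tree = event_tree(q0=0.1, q1=0.05, q2=0.2)
    persons = 200
    hours = persons * 8760          # everyone exposed all year
    for s in tree:
        print(f"{s.name:12s} f = {s.frequency:.4f} per year, N = {s.fatalities}")
    print("PLL =", pll(tree))
    print("AIR =", air(tree, persons))
    print("FAR =", far(tree, hours))
    for n, f in fn_curve(tree):
        print(f"f(N >= {n}) = {f:.4f} per year")
```

The top point of the f-N curve, f(N ≥ 100), equals q0 q1 q2, the quantity p on the slide.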

Risk analysis methods

▪ Simplified risk analysis
  ▪ Qualitative
  ▪ Informal methods: Checklists etc.
▪ Standard risk analysis
  ▪ Qualitative or quantitative
  ▪ Workshops
  ▪ Formalised methods: SJA, HAZOP etc.
▪ Model-based risk analysis
  ▪ Primarily quantitative
  ▪ Fault tree analysis, event tree analysis, etc.

[Figure: check list]

[Figure: risk matrix, frequency versus consequence]

| Frequency \ Consequence | Catastrophe | Very serious | Serious | Less serious | Not serious |
|---|---|---|---|---|---|
| > 10 times per year | VH | VH | H | H | M |
| 1-10 times per year | VH | H | H | M | M |
| once every 1-10 years | H | H | M | L | 3.1, |
| once every 10-100 years | H | M | M | L | L |
| < once per 100 years | M | M | L | VL | VL |

[Figure: fault tree for "7. Collision with landslide / train is hit by landslide (rock, earth, snow, etc.)" with gates "Or 1" and "And 1", basic events labelled "Basic 1", "Basic 2" and "Basic 3", and the events "Train runs into landslide", "Landslide on the track", "Not warned", "Train is unable to stop" and "Train is hit by landslide"]

[Figure: cause diagram for "DIPS fails" with the causes component failure, user error, voltage drop, power outage and weak component]

Expectations of a mathematical representation of uncertainty (Bedford and Cooke, 2001)

▪ Axioms
  ▪ Specifying the formal properties of uncertainty.
▪ Interpretations
  ▪ Connecting the primitive terms in the axioms with observable phenomena.
▪ Measurement procedures
  ▪ Providing, together with supplementary assumptions, practical methods for interpreting the axiom system.

Classical probability

| Outcome | 1 | 2 | 3 | 4 | 5 | 6 |
|---|---|---|---|---|---|---|
| Probability | 1/6 | 1/6 | 1/6 | 1/6 | 1/6 | 1/6 |

This slide (modified) courtesy of Prof. Terje Aven

Frequentist probability

$P_f(A)$ is the fraction of times the event A occurs if the situation is repeated (hypothetically) an infinite number of times

Subjective probability

• P(A|K) = 0.1
• The assessor compares his/her uncertainty (degree of belief) about the occurrence of the event A with drawing a specific ball from an urn that contains 10 balls (Kaplan and Garrick 1981, Lindley, 2000).

K: background knowledge

This slide (modified) courtesy of Prof. Terje Aven

Subjective probability in the media

http://www.aftenbladet.no/lokalt/551553/-_Terror_i_Stavanger_hvert_10000_aar.html

- Terror in Stavanger every 10,000 years

Subjective probability

P(terrorist attack against Stavanger|K) = 0,01 %

Analyst:
‘Given (i.e., conditional on) my background knowledge (K), I judge that a terrorist attack against Stavanger next year is equally likely as drawing a red ball from an urn containing one red ball and 9,999 blue balls.’

Probability - Overview

▪ Classical
  ▪ $P_c(A)$ = Number of outcomes resulting in A / Total number of possible outcomes
▪ Frequentist
  ▪ $P_f(A) = \lim_{n \to \infty} n_A/n$, where $n_A$ is the number of occurrences of the event A in n trials
▪ Subjective
  ▪ P(A) expresses a degree of belief
  ▪ Reference to a standard for uncertainty: P(A) = p implies that the event A is considered equally likely as a standard event S with measure m(S) = p, e.g. drawing a red ball from an urn containing p x 100 % red balls
  ▪ Betting interpretation: P(A) is the price at which the person assigning the probability is neutral between buying and selling a ticket that is worth one unit of payment if the event occurs and worthless if not

Treatment of uncertainty in risk assessment

‘There is only one kind of uncertainty stemming from our lack of knowledge concerning the truth of a proposition, ... ’
Apostolakis GE (1990) The concept of probability in safety assessments of technological systems. Science, 250: 1359-1364.

This slide (modified) courtesy of Prof. Terje Aven

Treatment of uncertainties in risk assessment

▪ Uncertainty analysis framework
  ▪ A model g with parameters (input quantities) X is used to predict the quantity of interest Z
  ▪ In a PRA/QRA, the quantities Z and X would typically be indicator quantities for events (e.g. X = I(A), where I is the indicator function and A an event of interest), or observable quantities (e.g. X = number of fatalities) or non-observable parameters on the real line (e.g. X = λ = failure rate of some equipment)

Model uncertainty

▪ Model error
  ▪ The difference ∆g(X) = Z – g(X)
▪ Model output uncertainty
  ▪ Uncertainty about the model error ∆g(X)
▪ Structural model uncertainty
  ▪ Uncertainty about the difference $\Delta G(X_{true})$, when the true value $X_{true}$ of the parameter (input quantity) X is known
▪ Parameter (input quantity) uncertainty
  ▪ Uncertainty (due to lack of knowledge) about the true value of the input quantities X

Aven T & Zio E (2013) Model output uncertainty in risk assessment. International Journal of Performability Engineering, 9(5): 101-116

Methods for representing and characterizing uncertainties in risk assessment

▪ Two main concerns to be balanced (Aven & Zio, 2011):
  ▪ Knowledge should, as far as possible, be “inter-subjective” in the sense that the representation corresponds to “documented and approved” information and knowledge (“evidence”); the methods and models used to treat this knowledge should not add information that is not there, nor ignore information that is there
  ▪ Analysts’ judgments (“degrees of belief”) should be clearly reflected (“judgments”)

Methods of uncertainty propagation (I)

▪ Level 1 uncertainty propagation setting
  ▪ Example: Throw of two fair dice, where the sum of the number of eyes on the two dice is subject to aleatory uncertainty, and the aleatory uncertainty of the outcome of a single die is reflected by a multinomial probability model with parameters θ = (θ1,θ2,θ3,θ4,θ5,θ6)
  ▪ Let W = X1 + X2, where Xi is the number of eyes on die i, then
    ▪ W ~ distr(θ), where θ is known
    ▪ Model: W = g(X1,X2,θ)
▪ Level 2 uncertainty propagation setting
  ▪ Example: Throw of a single die, where the occurrence of a ‘6’ is subject to aleatory uncertainty and this uncertainty is characterized by a binomial probability model with parameter θ, which is again subject to epistemic uncertainty and characterized by, for example, a (subjective) beta probability distribution
  ▪ Let Y equal 1 if a ‘6’ occurs and 0 otherwise, then
    ▪ Y ~ Binomial(θ), and
    ▪ θ ~ Beta(α,β), where α,β are so-called hyperparameters
    ▪ Model: g(Y,θ)

[Legend: fixed (known) quantity; uncertain quantity]

Methods of uncertainty propagation (II)

Level 2 uncertainty propagation setting

[Figure: X ~ Binomial(θ), with aleatory uncertainty and epistemic uncertainty marked]

Methods of uncertainty propagation (III)

▪ Level 1 uncertainty propagation setting
  ▪ The input quantities (X1,…,XN) are divided into a group (X1,…,Xn), 1≤n≤N, subject to aleatory uncertainty, and a group (Xn+1,…,XN), subject to epistemic uncertainty
  ▪ The frequentist probability distribution of (X1,…,Xn) is perfectly known (including parameter values), i.e. not subject to epistemic uncertainty
▪ Level 2 uncertainty propagation setting
  ▪ The input quantities (X1,…,XN) are subject to aleatory uncertainty described by frequentist probabilities with parameters θ subject to epistemic uncertainty, i.e.:
    ▪ Level I: Aleatory uncertainty characterized by frequentist probabilities with uncertain parameters θ
    ▪ Level II: Epistemic uncertainty about θ characterised by some uncertainty representation (subjective probability, possibility theory, evidence theory, …)
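A level 2 setting can be propagated with a two-loop Monte Carlo simulation: the outer loop draws the uncertain parameter θ (epistemic), the inner loop simulates the aleatory outcome for that θ. The Python code below is an added example, not part of the lecture material, built on the single-die example with θ ~ Beta(α,β); the hyperparameter values α = 2, β = 10, the event "at least one six in four throws" and all function names are assumptions chosen for illustration.

```python
import random
import statistics


def aleatory_frequency(theta, throws, inner_runs, rng):
    """Inner (aleatory) loop: relative frequency of 'at least one six in
    `throws` throws' when the chance of a six is fixed at theta."""
    hits = 0
    for _ in range(inner_runs):
        if any(rng.random() < theta for _ in range(throws)):
            hits += 1
    return hits / inner_runs


def level1(theta, throws, inner_runs, seed=1):
    """Level 1 setting: theta is known, only aleatory uncertainty is propagated."""
    rng = random.Random(seed)
    return aleatory_frequency(theta, throws, inner_runs, rng)


def level2(alpha, beta, throws, outer_runs, inner_runs, seed=1):
    """Level 2 setting: theta ~ Beta(alpha, beta) is drawn in the outer
    (epistemic) loop and propagated through the inner (aleatory) loop."""
    rng = random.Random(seed)
    freqs = []
    for _ in range(outer_runs):
        theta = rng.betavariate(alpha, beta)          # epistemic draw
        freqs.append(aleatory_frequency(theta, throws, inner_runs, rng))
    freqs.sort()
    return {
        "predictive": statistics.fmean(freqs),        # averaged over theta
        "p05": freqs[int(0.05 * outer_runs)],         # epistemic 5 % quantile
        "p95": freqs[int(0.95 * outer_runs)],         # epistemic 95 % quantile
    }


def analytic_predictive(alpha, beta, throws):
    """Exact value of E[1 - (1 - theta)^throws] for theta ~ Beta(alpha, beta),
    used to check the simulation."""
    prod = 1.0
    for j in range(throws):
        prod *= (beta + j) / (alpha + beta + j)
    return 1.0 - prod


if __name__ == "__main__":
    print("Level 1, theta = 1/6 known:", level1(1 / 6, 4, 20000))
    result = level2(2, 10, throws=4, outer_runs=2000, inner_runs=200)
    print("Level 2, theta ~ Beta(2,10):", result)
    print("Exact predictive probability:", analytic_predictive(2, 10, 4))
```

In the level 1 run the output is a single frequentist probability; in the level 2 run it is a distribution over that probability, summarised here by its mean and the 5 % and 95 % quantiles.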

Uncertainty representation and propagation in the risk assessment of a process plant (I)

▪ Case description
  ▪ System: Process plant
  ▪ Activity: Operation of the control room, which is placed in the compressor module
  ▪ Purpose: Assess risk to the operators (two persons) as a result of possible fires and explosions in the module
  ▪ Decision problem: Whether to move the control room out of the module or to implement some risk reducing measures

Uncertainty representation and propagation in the risk assessment of a process plant (II)

▪ System: Status quo. Uncertainty representation: Standard Bayesian
▪ System: Status quo. Uncertainty representation: Alternative/predictive Bayesian

Reflection exercise: Pros and cons of standard Bayesian vs alternative/predictive Bayesian

Modelling

▪ Event tree
  ▪ A: gas leak
  ▪ X: number of gas leaks
  ▪ B1: ignition of gas
  ▪ B2: explosion
  ▪ N: number of fatalities for scenario
  ▪ Y: total number of fatalities

The standard Bayesian approach (I)

▪ Application in a nutshell
  ▪ Input uncertain quantities:
    ▪ number of initiating events, X
    ▪ outcome of branching events, B1 and B2
    ▪ Poisson distribution rate parameter λ
    ▪ event tree branching event chances, θ1 and θ2
  ▪ Output quantity:
    ▪ number of fatalities, Y
  ▪ Model:
    ▪ See next slide

  The assessment concerns computation of the probability distribution of the number of fatalities, Y.

  ▪ Type of uncertainty on the input quantities:
    ▪ aleatory on X, B1 and B2
    ▪ epistemic on λ, θ1 and θ2
  ▪ Uncertainty propagation setting:
    ▪ level 2

The standard Bayesian approach (II)

▪ Bayesian updating machinery
  ▪ First establish a probability model, then assign a prior distribution on the parameter of interest. Next use Bayes’s Theorem to establish the posterior distribution, and finally compute the predictive distribution using the law of total probability.
▪ Predictive distribution
  ▪ $p(y|K) = P(Y=y|K) = \sum_x \int_{\theta_1}\int_{\theta_2}\int_{\lambda} p(y|x,\theta_1,\theta_2)\, p(x|\lambda)\, f(\lambda,\theta_1,\theta_2|K)\, d\lambda\, d\theta_1\, d\theta_2$
    where $p(0|x,\theta_1,\theta_2) = (1-\theta_1)^x$, $p(1|x,\theta_1,\theta_2) = x(1-\theta_1)^{x-1}\theta_1(1-\theta_2)$, …
▪ Probability models
  ▪ Poisson: $p(x|\lambda) = \lambda^x e^{-\lambda}/x!$
  ▪ Binomial: $p(B_i|\theta_i) = \theta_i$, i = 1,2
▪ Priors
  ▪ Gamma: $f(\lambda|K) = b^a \lambda^{a-1} e^{-b\lambda}/\Gamma(a)$
  ▪ Beta: $f(\theta_i|K) = \theta_i^{\alpha_i-1}(1-\theta_i)^{\beta_i-1}/B(\alpha_i,\beta_i)$, i = 1,2
▪ K = background knowledge (e.g. general information from similar situations, more or less relevant historical data from similar situations, expert judgments)

The standard Bayesian approach (III)

▪ Likelihood (Poisson): $P(X = x \mid \lambda) = \frac{\lambda^x}{x!} e^{-\lambda}$
▪ Prior (Gamma): $f(\lambda) = \frac{b^a}{\Gamma(a)} \lambda^{a-1} e^{-b\lambda}$
▪ Prior predictive: $P(X = x) = \int_0^\infty P(X = x \mid \lambda)\, f(\lambda)\, d\lambda$
▪ Posterior (Gamma): $f(\lambda \mid y) = \frac{(b+n)^{a+\sum_{i=1}^{n} y_i}}{\Gamma\left(a+\sum_{i=1}^{n} y_i\right)} \lambda^{a+\sum_{i=1}^{n} y_i-1} e^{-(b+n)\lambda}$, where $y = (y_1, y_2, \ldots, y_n)$
▪ Posterior predictive: $P(X = x \mid y) = \int_0^\infty P(X = x \mid \lambda)\, f(\lambda \mid y)\, d\lambda$

[Figure: plot of the Gamma(5,5) probability density]

An alternative (predictive Bayesian) approach based on subjective probabilities (I)

▪ Application in a nutshell
  ▪ Input uncertain quantities:
    ▪ number of initiating events, X
    ▪ outcome of branching events, B1 and B2
  ▪ Output quantity:
    ▪ number of fatalities, Y
  ▪ Model:
    ▪ See next slide

  The assessment concerns computation of the probability distribution of the number of fatalities, Y:

  ▪ Type of uncertainty on the input quantities:
    ▪ epistemic on X, B1 and B2
  ▪ Uncertainty propagation setting:
    ▪ level 1

An alternative (predictive Bayesian) approach based on subjective probabilities (II)

▪ Predictive distribution
  ▪ p(y|K) = P(Y=y|K) = ∑x p(y|x,θ1,θ2) p(x|K)
▪ X ~ Poisson(λ)
▪ Data/observations of X previous years: (1,1,2,0,1)
  ▪ Observed mean equal to 1
▪ Rather strong background information
▪ Use the Poisson distribution with mean 1
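The two approaches can be compared numerically for the number of gas leaks X. The Python code below is an added example, not part of the lecture material: it applies the Gamma-Poisson updating formulas of the standard Bayesian approach to the observations (1,1,2,0,1) and sets the resulting predictive distributions beside the Poisson distribution with mean 1 used in the predictive Bayesian approach. Taking Gamma(5,5), the density plotted on the standard Bayesian slide, as the prior is an assumption, as are all function names.

```python
import math

DATA = (1, 1, 2, 0, 1)   # observations of X in previous years (from the slide)
PRIOR = (5.0, 5.0)       # Gamma(a, b) prior with rate b; assumed for illustration


def poisson_pmf(x, lam):
    """Probability model: P(X = x | lambda) = lambda^x e^(-lambda) / x!"""
    return math.exp(-lam) * lam ** x / math.factorial(x)


def gamma_pdf(lam, a, b):
    """Gamma density f(lambda) = b^a lambda^(a-1) e^(-b lambda) / Gamma(a)."""
    return math.exp(a * math.log(b) + (a - 1) * math.log(lam)
                    - b * lam - math.lgamma(a))


def gamma_posterior(a, b, data):
    """Conjugate update: Gamma(a, b) prior -> Gamma(a + sum(y), b + n) posterior."""
    return a + sum(data), b + len(data)


def predictive_closed_form(x, a, b):
    """Integral of Poisson(x | lambda) * Gamma(lambda | a, b) over lambda.
    The closed form is a negative binomial with size a and probability b/(b+1)."""
    log_p = (math.lgamma(a + x) - math.lgamma(a) - math.lgamma(x + 1)
             + a * math.log(b / (b + 1.0)) - x * math.log(b + 1.0))
    return math.exp(log_p)


def predictive_by_integration(x, a, b, upper=30.0, steps=30000):
    """The same integral evaluated numerically with the midpoint rule."""
    h = upper / steps
    total = 0.0
    for i in range(steps):
        lam = (i + 0.5) * h
        total += poisson_pmf(x, lam) * gamma_pdf(lam, a, b)
    return total * h


def tail(pmf, x_min):
    """P(X >= x_min), computed as 1 minus the sum of pmf(x) for x < x_min."""
    return 1.0 - sum(pmf(x) for x in range(x_min))


def compare(x_values=range(0, 6)):
    """Rows (x, prior predictive, posterior predictive, Poisson with observed mean)."""
    a_post, b_post = gamma_posterior(*PRIOR, DATA)
    mean_obs = sum(DATA) / len(DATA)
    return [(x,
             predictive_closed_form(x, *PRIOR),
             predictive_closed_form(x, a_post, b_post),
             poisson_pmf(x, mean_obs))
            for x in x_values]


if __name__ == "__main__":
    print("posterior parameters (a, b):", gamma_posterior(*PRIOR, DATA))
    print(" x  prior pred.  post. pred.  Poisson(1)")
    for x, prior_p, post_p, pois_p in compare():
        print(f"{x:2d}  {prior_p:11.4f}  {post_p:11.4f}  {pois_p:10.4f}")
    a_post, b_post = gamma_posterior(*PRIOR, DATA)
    print("P(X >= 4), standard Bayesian:",
          tail(lambda x: predictive_closed_form(x, a_post, b_post), 4))
    print("P(X >= 4), Poisson(1):       ",
          tail(lambda x: poisson_pmf(x, 1.0), 4))
```

All three distributions have mean 1 under these assumptions; the standard Bayesian predictive distributions are more spread out because they also carry the epistemic uncertainty about λ.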

Poisson approximation

Observed 5 events in 5 years, i.e. on average 1 event during a year

[Figure: timeline from "Now" to "One year", with "Day 1" marked]

▪ P(event) = 5/(365 x 5)
▪ P(event) = (5+d1)/(365x5+1), where d1 = 1 if an event occurs during day 1 and 0 otherwise

X = X1 + X2 + …, where Xi is the number of events in day i

X ≈ Poisson(1)

Verification of Poisson approx. result (I)

T = 1 (length of time interval)
(x1,x2,x3,x4,x5) = (1,1,2,0,1)
n = 5 (number of observations)
q = 1 (average in observations)
k = 10^4 (number of time periods in time interval T)
d1 = (0,0,…,0), where |d1| = M = 10^5 (number of simulations)

pi = (di + q*n) ./ ((i-1) + n*k)
  i = 1: p1 = (1/10000,1/10000,…,1/10000,1/10000), since (0+1*5)/(0+5*10000) = 5/50000 = 1/10000

ri = (ri1,ri2,…,riM), where rij = rand(0,1)
  i = 1: r1 = (0.34,6.7*10^-5,0.56,0.89,…,1.2*10^-6,0.25)

for all j such that pij > rij, dij = dij + 1
  i = 1: d1 = (0,1,0,0,0,0,0,1,0,0,1,1,…,0,1,0)

Repeat for i = 1,2,…,k
  i = 2: p2 = (5/50001,6/50001,…,6/50001,5/50001)
  i = k: dk = (3,2,5,0,0,1,1,4,…,6,1,3)

P(X=x) = (#x in dk) / M

Verification of Poisson approx. result (II)

R code:

## Verification of Poisson approximation of the number of times an event occurs during a time period
## where events occur independently of each other and cannot occur at the same time

# Input
L = 1     # length of time interval
k = 10^4  # number of time periods in the time interval
M = 10^5  # number of simulations
n = 5     # number of observations
q = 1     # average number of events per time interval observed in data

# Simulation
d = array(0,c(M,1)) # make a vector of M zeros
for (i in 1:k){
  p = (d + q*n) / ((i-1) + n*k) # vector of probabilities of events in time period i
  r = runif(M) # vector of M random numbers uniform between 0 and 1
  plusone = p > r # identify the elements of p that are greater than the generated random numbers
  d[plusone] = d[plusone] + 1 # add 1 to those elements, indicating that an event has occurred there
}
z = table(d)/M # relative frequencies of the number of events
x = 0:10 # range of the Poisson distribution simulated here - used for plotting and comparing
y = dpois(x,q) # values of the Poisson distribution given the estimated intensity q

# Make bar chart
plot(range(x),c(0,1),type='n',xlab='Number of events',ylab='Relative frequency')
lines(z,lwd=10,col='gray')
lines(x,y,type='h',col='red',lwd=3)
legend('topright',c('Poisson distribution','Simulated freq.'),col=c('red','gray'),lwd=c(3,3))

Verification of Poisson approx. result (III)

Pros and cons of predictive Bayesian approach

Pros | Cons

Aven T (2012) On when to base Event Trees and Fault Trees on Probability Models and Frequentist Probabilities in Quantitative Risk Assessments. International Journal of Performability Engineering, 8(3): 311-320.

«Hidden slide» - to be used in presentation but not to be included in distributed version

Pros and cons of standard Bayesian approach

Pros | Cons

Aven T (2012) On when to base Event Trees and Fault Trees on Probability Models and Frequentist Probabilities in Quantitative Risk Assessments. International Journal of Performability Engineering, 8(3): 311-320.

«Hidden slide» - to be used in presentation but not to be included in distributed version

Risk-based versus risk-informed decision-making

▪ ‘I wish to make one thing very clear: QRA results are never the sole basis for decision making by responsible groups. In other words, safety-related decision making is risk-informed, not risk-based.’
Apostolakis (2004)

Risk-informed decision-making

Lecture 6: Quantitative risk assessment applications

Page 118: Roger Flage - lasar.polimi.it · This slide (modified) courtesy of Prof. Terje Aven. A Studies and management of the risk of specific activities. B Generic risk practices and research

Offshore QRAs in Norway

▪ NORSOK Standard Z-013 (ed. 3, 2010) Risk and emergency preparedness assessment:

▪ ‘Structured around the following main elements:
  ▪ use of risk and emergency preparedness assessment as a basis for decision-making.
  ▪ General requirements for planning and execution of risk and emergency preparedness assessments regardless of activity and life cycle phase;
  ▪ specific requirements for planning and execution of risk and emergency preparedness assessments for different activities and life cycle phases;
  ▪ the relation between the risk and emergency preparedness assessments, especially the integration of the two types of assessments into one overall assessment process.’


Offshore QRA

General requirements

Life cycle-specific requirements

Barrier focus

Events in the diagram: Loss of containment; Ignition; Ignited leak; Strong explosion; Escalation of fire; Escape, evacuation and rescue

Containment barrier:
• Inspection
• Maintenance
• Operation
• Design

Barrier to prevent escalation:
• Fire detection
• Fire water
• Passive fire protection
• Fire walls
• ESD/Blowdown

Barrier to prevent fatalities:
• Emergency power and lighting
• Alarm and communication
• Evacuation means
• Etc.

Barrier to reduce cloud/pool size:
• Ventilation
• Drain system
• ESD/Blowdown

Barrier to prevent strong explosions:
• Layout
• Deluge
• Blast walls and panels
• Etc.

Barrier to control ignition sources:
• Gas detection
• Ignition source isolation
• Area classification
• Control of hot work

• Barrier function (e.g. detect gas leak)
• Barrier system (e.g. gas detection system)
• Barrier element (e.g. gas detector)


The risk and emergency preparedness process

NORSOK Z-013 (ed. 3, 2010)


The risk assessment process

▪ Forward approach
  ▪ Initiating events
  ▪ E.g. gas leakages

▪ Backwards approach
  ▪ Main safety functions
  ▪ E.g. impairment of safe area

[Figure labels: Event, Consequences]


Offshore QRA build-up

[Figure: layered build-up of an offshore QRA]

Background knowledge: Discrete leak rates; Explosion model; Generic leak frequency; Personnel distribution assumption; Event tree model; …

Events and consequences: Medium process leak; Ignition; Explosion; Explosion overpressure; Impairment of main structural integrity; Death by specific person; Number of fatalities

Probabilities and expected values: Leak frequency; Probability of ignition; Probability of explosion; Probability of main safety function impairment; Probability distribution/prediction interval overpressure; Probability distribution no. fatalities

Sensitivity and risk reducing measures: Effect on impairment frequencies and fatality probabilities of altered input parameters and risk reduction measures


QRA assumptions

▪ A full blowout will be represented by a blowout rate of 50% of the maximum rate
▪ Probability of pre-warning of personnel in case of a blowout (production) = 20 %
▪ Blowout potential: 80 kg/s
▪ Adjustment factor for blowout frequencies (relative to SINTEF blowout data basis): 2 (due to high pressure and temperature in the reservoir)
▪ Well-activity; number of wells drilled: 6, number of wireline operations: 2, coiled tubing operations: 3 …
▪ No hotwork activity and no rotating equipment will be in use in the operational phase
▪ Ignition probability for well releases: 2%
▪ Number of immediate fatalities per blowout (immediate ignition): 1
▪ Manning distribution
▪ Number of lifts/year
▪ Restrictions for lifting operations …
▪ The jacket structure will withstand a ship energy of 9 MJ
▪ Time to failure of structure when subject to a sustained sea pool fire …: 15 min.
▪ Failure probability on demand for ESD valve: 1 %
▪ If the leak is not successfully detected (within the first 30 s.) a 60 seconds delay is assumed
▪ …


Uncertainty in offshore QRAs

▪ ‘5) a discussion of uncertainty, including the following aspects:

▪ i. the perspective on risk used in the assessment, e.g. classical, statistical, probability of frequency, combined classical and Bayesian, Bayesian, Predictive approach;

▪ ii. the effect and level of uncertainty given the adopted perspective and the context for the assessment (including the ‘system boundaries’ and ‘system basis’) compared to the ‘actual’ or ‘real’ systems and/or activities of interest;

▪ iii. possible implications for the main results;

▪ iv. occurrence of unexpected outcomes, as a result of invalid assumptions and premises, or insufficient knowledge.

▪ 6) if used, define and/or discuss the meaning of terms and quantities like: probability, frequency, mean value, expected values, conservative side, conservative approach, etc.,

▪ 7) factors such as divergence of opinion amongst experts or limitations of the modelling should be stated and may need to be highlighted.’

NORSOK Z-013 (ed. 3, 2010)

Infrastructure Risk Analysis: An Overview

Seth Guikema

This slide courtesy of Dr. Seth D. Guikema


Infrastructure Risk Analysis: Traditional Components

1. Hazard model
  • What is the hazard?
  • How intense is the hazard?
  • How likely are the different levels of intensity of the hazard?
  • What is the spatial distribution of the hazard loading?

2. Infrastructure performance model
  • How does the infrastructure respond to the hazard loading at each location?
  • How does the collective system behave in response to individual asset behavior?
  • How do (inter)dependencies between systems affect the propagation of failures?

3. Consequence model
  • How bad are the consequences for society for a given level of infrastructure performance?
  • What are the economic costs? How many deaths are there? What are

This slide courtesy of Dr. Seth D. Guikema


The Classic Example: HAZUS

• US FEMA (Federal Emergency Management Agency) software for natural hazards risk analysis

• Focused on infrastructure and buildings

• Flood, earthquake, hurricane, and tsunami modules

• Includes:
  • Hazard model
  • Building models (fragility-based)
  • Infrastructure models (fragility-based)
  • Loss models (focused on economics)

This slide courtesy of Dr. Seth D. Guikema


Hazard Model Example

This slide courtesy of Dr. Seth D. Guikema


Fragility Curve Example

This slide courtesy of Dr. Seth D. Guikema


How It Works

This slide courtesy of Dr. Seth D. Guikema


Example of Output from HAZUS

This slide courtesy of Dr. Seth D. Guikema


(Some of the) Problems with HAZUS

• Fragility curves are at the core of HAZUS, yet:
  • Fragility curves used for many types of infrastructure are out of date
  • Fragility curves are generally unidimensional – do not account for multiple hazard stressors and their collective impact on the system

• Some flood researchers are concerned about the accuracy of the flood model

• Does not explicitly account for changes in building stock, sea level rise, or behavioral adaptation over time – models what happens based on current infrastructure, buildings, and sea levels

• Does not do a strong job of accounting for uncertainty

This slide courtesy of Dr. Seth D. Guikema


Alternatives

Alternatives to HAZUS exist:

• MAEviz – same idea, but updated information

• Approaches based on economic input-output models

• More detailed physical simulation models

• Statistical approaches

This slide courtesy of Dr. Seth D. Guikema


Identifying safety and security critical systems

(Ref. Aven 2009)

Identification of critical systems (activities)

▪ Why identify critical systems?

[Figure: systems S1 to S10]

Task

▪ Identify 10 critical systems/infrastructures in the city of Milano and rank these according to their level of criticality

Critical system

▪ A system is considered critical if its failure or malfunction may result in severe consequences, for example related to loss of lives, environmental damage or economic loss

(Falla 1997)

▪ A critical system is a system that, when failing, would seriously disrupt society

(Gheorghe 2006)

Critical infrastructure

▪ organizations and facilities of key importance to public interest whose failure or impairment could result in detrimental supply shortages, substantial disturbance to public order or similar dramatic impact

(Gheorghe 2006)

▪ those systems and assets — both physical or cyber, so vital to the Nation that their incapacity or destruction would have a debilitating impact on national economic security, and/or public health or safety

US National Infrastructure Protection Plan


Criticality measures

▪ Disutility of minimal cut sets

(Apostolakis & Lemon 2005)

▪ [criticality refers to] the product of probability and importance (conditional criticality), where importance reflects the increase in travel cost when a link in the network is closed

(Jenelius 2006)

▪ Traditional risk and reliability importance measures
  ▪ Birnbaum's measure: The sensitivity (partial derivative) of the reliability (risk) measure with respect to the parameter, for example the reliability of a safety barrier.
  ▪ Improvement potential (also referred to as the risk reduction worth): the risk measure contribution from a specific system, determined by calculating the difference in the risk indices by assuming that the system has no failures or malfunctions.
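The two importance measures above, computed for a small barrier system, as an added example that is not part of the original slides. The system structure and the detector reliabilities are assumptions; the 1 % ESD valve failure probability on demand is the value listed under the QRA assumptions.

```python
from itertools import product


def barrier_works(x):
    """Constructed structure: gas is detected if detector A or B works,
    and the leak is isolated only if the ESD valve also closes."""
    return bool((x["detector_a"] or x["detector_b"]) and x["esd_valve"])


# Component reliabilities. ESD valve: 1 % failure on demand (from the slides);
# the detector values are assumed for illustration.
P = {"detector_a": 0.90, "detector_b": 0.90, "esd_valve": 0.99}


def system_reliability(structure, p):
    """Exact P(system works) for independent components, by enumerating
    every combination of component states (1 = works, 0 = failed)."""
    names = sorted(p)
    total = 0.0
    for states in product((0, 1), repeat=len(names)):
        x = dict(zip(names, states))
        if structure(x):
            prob = 1.0
            for n in names:
                prob *= p[n] if x[n] else 1.0 - p[n]
            total += prob
    return total


def birnbaum(structure, p, i):
    """Birnbaum's measure for component i. System reliability is linear in
    each p_i, so the partial derivative equals h(1_i, p) - h(0_i, p)."""
    works = system_reliability(structure, {**p, i: 1.0})
    fails = system_reliability(structure, {**p, i: 0.0})
    return works - fails


def improvement_potential(structure, p, i):
    """Gain in system reliability if component i never failed."""
    return system_reliability(structure, {**p, i: 1.0}) - system_reliability(structure, p)


if __name__ == "__main__":
    print(f"system reliability: {system_reliability(barrier_works, P):.4f}")
    for name in P:
        print(f"{name:11s} Birnbaum={birnbaum(barrier_works, P, name):.4f} "
              f"improvement potential={improvement_potential(barrier_works, P, name):.4f}")
```

With these inputs the valve and each detector have the same improvement potential, while Birnbaum's measure is ten times larger for the valve because it sits in series with the redundant detectors.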


A system or activity is critical if

1. the vulnerability is high

2. the risk is high

?

Example: Identifying safety critical systems in a process plant

Safety critical system => More frequent inspection and testing


Example: Identifying safety critical systems in a process plant

System 1

Failure mode    Expected consequences (given failure)
F1              1 day shutdown
F2              2 days shutdown
F3              100 days shutdown

System 2

Failure mode    Expected consequences (given failure)
F4              0.1 day shutdown
F5              10 days shutdown
F6              10 days shutdown

A risk-informed approach

▪ Candidates for a risk index expressing criticality

  ▪ Expected loss E[C], given by the product P(A) E[C|A]
    ▪ No distinction between low probability/high consequence situations and high probability/low consequence situations
    ▪ A rigorous way of establishing the probabilities may be lacking (e.g. in relation to intentional events)
    ▪ Not necessarily in line with the preferences of the decision-maker, who may be risk averse

  ▪ Expected disutility E[u(C)], where u is a utility function reflecting the preferences of the decision-maker
    ▪ A rigorous way of establishing the probabilities may be lacking (e.g. in relation to intentional events)
    ▪ Specifying the utility function may be problematic

An alternative approach

▪ A safety and security critical system (activity) is a system contributing significantly to risk, where risk is adequately defined.

An alternative approach: Criticality measures

▪ The need for a ranking tool that would work in practice motivates the use of expected values.

▪ However, we need to address the strength of knowledge and uncertainties, as surprising consequences (outcomes) may occur when seen in relation to the expected values.

▪ As vulnerability is an important aspect of risk, the vulnerabilities need to be highlighted.

Steps

1. Identify a list of systems for evaluation

2. Identify possible initiating events A

3. Define categories of consequences C (severity classification)

4. Rank the systems according to vulnerability using E[C|A], i.e. the expected consequences given the occurrence of A

5. Assign probabilities for the events A, calculate the unconditional expected consequences, EC, by EC = P(A) x E[C|A], and rank the systems according to EC

6. Assess strength of knowledge related to, and uncertainties in, underlying phenomena and processes that could result in surprises relative to EC, and adjust the ranking based on this assessment
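Steps 4 to 6 carried through on the two process-plant systems from the earlier example, as an added illustration that is not part of the original slides. The E[C|A] values are the slides' F1 to F6; the probabilities, strength-of-knowledge labels, category thresholds, the use of the largest E[C|A] as a system's vulnerability, and the "one category up" adjustment rule are all assumptions made for this example.

```python
# Added illustration of steps 4-6. The E[C|A] values (days of shutdown) are the
# slides' F1..F6; every probability, knowledge label and threshold is constructed.
SYSTEMS = {
    # (initiating event A, P(A) per year, E[C|A] in days, strength of knowledge)
    "System 1": [("F1", 0.5, 1.0, "strong"),
                 ("F2", 0.1, 2.0, "strong"),
                 ("F3", 0.001, 100.0, "weak")],
    "System 2": [("F4", 0.5, 0.1, "strong"),
                 ("F5", 0.05, 10.0, "strong"),
                 ("F6", 0.05, 10.0, "strong")],
}
CATEGORIES = ["Low", "Medium", "High"]
THRESHOLDS = [1.0, 5.0]  # assumed EC boundaries in days/year


def vulnerability(events):
    """Step 4: largest expected consequence given that an event occurs."""
    return max(c for _, _, c, _ in events)


def expected_consequence(events):
    """Step 5: EC = P(A) x E[C|A], summed over the system's events."""
    return sum(p * c for _, p, c, _ in events)


def category(ec):
    """Map EC to Low/Medium/High using the assumed thresholds."""
    return CATEGORIES[sum(ec >= t for t in THRESHOLDS)]


def adjusted_category(events):
    """Step 6: reclassify one category up if any event rests on weak knowledge."""
    idx = CATEGORIES.index(category(expected_consequence(events)))
    if any(k == "weak" for *_, k in events):
        idx = min(idx + 1, len(CATEGORIES) - 1)
    return CATEGORIES[idx]


def rank(score):
    """System names ordered from most to least critical under `score`."""
    return sorted(SYSTEMS, key=lambda s: score(SYSTEMS[s]), reverse=True)


def final_score(events):
    # Adjusted category first, vulnerability as tie-breaker (an assumed rule).
    return (CATEGORIES.index(adjusted_category(events)), vulnerability(events))


if __name__ == "__main__":
    print("by vulnerability:", rank(vulnerability))
    print("by EC:           ", rank(expected_consequence))
    print("after step 6:    ", rank(final_score))
```

With these constructed inputs System 2 leads on EC alone, while System 1 leads on vulnerability and again after the knowledge-based adjustment, which is the kind of reordering step 6 exists to surface.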


Risk description


Categorising risk in a practical setting

[Figure: risk categories from the expected value risk calculations mapped to the overall risk assessment]

Expected value risk calculations    Overall risk assessment
Low                                 Low
Medium                              Medium
High                                High

Reclassification (if the uncertainties in underlying phenomena and processes are very large)

Summary


Common idea: Safety and security critical systems can be identified by considering vulnerabilities and the expected consequences given system failures and malfunctions

Alternative approach: Risk-informed approach looking beyond expected values and probabilities