University of Stavanger
uis.no
Guest lectures, Politecnico di Milano, 26-27 February 2018
Risk analysis: The field and science, the foundations, and the practice with emphasis on quantitative risk assessment in selected applications
Roger Flage, Assistant/associate Professor, Department of Safety, Economy and Planning / Faculty of Science and Technology
2/22/2018
Contents
▪ Lecture 1: Overview of risk analysis as a field and science
▪ Lecture 6: Quantitative risk assessment applications
  ▪ Offshore oil and gas risk assessment
  ▪ Infrastructure risk assessment
  ▪ Identifying safety and security critical systems
Lecturing style
▪ Traditional lectures with student-active elements
▪ The lecture presentation contains several “hidden” slides with
problems to be discussed directly in plenary as well as
problems to be first considered individually, then discussed in
groups of 2-3 students, and finally discussed in plenary
Lecture 1: Overview of risk analysis as a field and science
Risk analysis
[Figure: Risk analysis in the Society for Risk Analysis tradition: risk characterization, risk assessment, risk management, risk communication, risk perception, policy relating to risk, risk governance]
That being said …
[Figure: The risk management process, ISO 31000]
Risk analysis core subjects: Fundamentals
… fundamental issues related to risk analysis as a field and science, basic concepts and principles, including ways of representing and expressing uncertainties.
Society for Risk Analysis «Core subjects» document
Risk analysis core subjects: Risk assessment
… principles, approaches, and methods for identifying risk sources, threats, hazards and opportunities; understanding how these can occur and what can be their consequences including adaptive behavior and recovery; representing and expressing uncertainties and risk; and determining the significance of the risk using relevant criteria
Society for Risk Analysis «Core subjects» document
Risk analysis core subjects: Risk management, Risk governance
… measures and activities carried out to manage and govern risk, balancing developments and exploring opportunities, on the one hand, and avoiding losses, accidents and disasters on the other. A main emphasis here is on providing insights and guidance on multi-dimensional, multi-actor, multi-institutional decision and policy making and on resolving emerging trade-offs
Society for Risk Analysis «Core subjects» document
Risk analysis core subjects: Risk communication, Risk perception
… issues related to perception and communication of risk, how affect and trust influence risk perception and behavior, and how exchange or sharing of risk-related data, information and knowledge between and among different parties (such as regulators, experts, consumers, media, general public) can be provided.
Society for Risk Analysis «Core subjects» document
Risk analysis core subjects
… how to solve risk problems, challenges and issues in real practice, by integrating theories and methods from the other four categories of topics, and using concrete, practical cases. Risk analysis as a multidisciplinary and interdisciplinary field is demonstrated, and special attention is devoted to the added value of risk analysis relative to the contributions from other fields and sciences.
Society for Risk Analysis «Core subjects» document
communication and management of the risk of this specific
activity
B Generic risk practices and research: How to conceptualise, understand, assess, communicate and manage risk
[Figure: Experts in other fields and risk analysis experts (competence). What do they give? Insights into risk, decision support, good decisions]
This slide (modified) courtesy of Prof. Terje Aven
B Generic risk practices and research: How to conceptualise, assess and manage risk
What is risk?
This slide (modified) courtesy of Prof. Terje Aven
1) Risk = expected loss/consequences: C × P (Abraham de Moivre, 1711)
C: Consequences (loss) P: Probability
This slide (modified) courtesy of Prof. Terje Aven
2) Risk description = The combination of magnitude/severity of consequences C and probability P: C & P
Alternative formulation: Events/scenarios A, consequences C, probabilities P
Kaplan, S. and Garrick, B.J. (1981) On the quantitative definition of risk. Risk Analysis 1, 11-27.
This slide (modified) courtesy of Prof. Terje Aven
The risk concept
How to measure or describe risk
Meeting the need of the decision situation
Society for Risk Analysis Glossary 2015
• Risk is the possibility of an unfortunate occurrence
• Risk is the potential for realization of unwanted, negative consequences of an event
• Risk is exposure to a proposition (e.g. the occurrence of a loss) of which one is uncertain
• Risk is the consequences of the activity and associated uncertainties
• Risk is uncertainty about and severity of the consequences of an activity with respect to something that humans value
a) Expected consequences (damage, loss)
b) The combination of probability P and magnitude/severity of consequences C
c) The triplet (C’,Q,K), where C’ is some specified consequences, Q a measure of uncertainty associated with C’ and K the background knowledge that supports C’ and Q
This slide (modified) courtesy of Prof. Terje Aven
A Studies and management of the risk of specific activities
B Generic risk practices and research: How to conceptualise, assess and manage risk
This slide (modified) courtesy of Prof. Terje Aven
- Is there an objective best policy on how to deal with risk?
  o For you?
  o For the company?
  o For the society?
- How can we use methods and principles like
  ▪ Cost-benefit analyses
  ▪ Precautionary principle: what does this principle say, how can it be used?
- How should activities be best regulated to balance development and risk?
- …
B Generic risk practices and research: How to conceptualise, assess and manage risk
This slide (modified) courtesy of Prof. Terje Aven
A Studies and management of the risk of specific activities
B Generic risk practices and research: How to conceptualise, understand, assess, communicate and manage risk
Applied risk analysis
Generic risk analysis
This slide (modified) courtesy of Prof. Terje Aven
Type A) analysis
a) Descriptive analysis: What has happened previously in terms of losses, failures, etc.? What do the data indicate is (not) worth worrying about? What has changed that seems worth worrying about?
b) Predictive analysis - knowledge and uncertainties: What will happen if a specific activity is realized, a specific system is operated? What might go wrong? Why and how might it go wrong? What are the consequences? What will happen if we (do not) intervene? How soon, with what consequences? What do we know; what do we not know? What are the uncertainties and likelihoods? Causal analysis - knowledge and uncertainties: What will happen if we intervene in different ways? What do we know; what do we not know? What are the uncertainties? Likelihoods?
c) Prescriptive analysis and decision optimization - management: What should we do next, given the resources, risk, uncertainties, constraints and other concerns? Who should do what? Who should use what decision rules? What are intolerable or unacceptable risks? How can the public participate? How to be prepared in case of an event? How to build robust and resilient systems?
Type A) analysis
d) Communication: Who should say what to whom? How to address uncertainties? How to interpret probabilities?
e) How are perceptional aspects, like fear or prejudice, influencing risk judgments and decisions?
f) Evaluation analysis: How well is the risk analysis working? What have the consequences of our actions and policies actually been?
g) Learning analysis: How might we do better? What should we try next, and for how long? When should we stop exploring and commit to a policy?
h) Collaborative analysis: How might we do better together?
Type B) analysis
▪ Conceptual research relates to some abstract ideas, concepts, theories, etc. and includes one or more of the following elements:
  ▪ Identification (for example, a new concept or principle)
  ▪ Revision (seeing what has been identified in a different way, for example using alternative frames of reference)
  ▪ Delineation (for example, a framework for when to use an assessment approach)
  ▪ Summarisation (to see the forest for the trees, for example reducing what is known about a matter to a manageable set of contributors)
Example: Risk = C x P
Type B) analysis
  ▪ Differentiation (for example, that there are several ways of interpreting a probability)
  ▪ Integration (to synthesise, amalgamate, or harmonise, for example as the unified understanding of risk reflected in the SRA (2015) Glossary)
  ▪ Advocating (for example, argumentation to justify or support a given conclusion concerning the use of a specific definition or principle)
  ▪ Refuting (for example, argumentation aimed at rebutting a given perspective) (MacInnis 2011).
The research is based on creativity, divergent thinking, comparative reasoning, integrative thinking, logic, etc. and makes use of different types of tools as described in MacInnis (2011): for example, metaphors, questioning of strongly held assumptions, and maps which show relationships between different concepts
Example: Risk = C x P
The risk analysis field
Totality of relevant risk educational programmes, journals, papers, researchers, research groups and societies, etc. (Risk discipline)
Knowledge generation related to A) and B)
Lectures 2 & 3: Foundations of risk analysis
Common thinking about risk (I)
Risk is the combination of probability and consequences
Risk = C & P
Risk = P x C = E
C = consequences
P = probability
E = expected value
Example: Risk = C & P vs. risk = C x P
6: Win € 36,000
1,2,3,4,5: Pay € 6,000
Risk = C & P
C1: 36,000 P1: 1/6
C2: -6,000 P2: 5/6
Risk = C x P
36,000 × 1/6 - 6,000 × 5/6 = 1,000
Common thinking about risk (II)
Risk is uncertainty
Risk = U
U = uncertainty
Common thinking about risk (III)
Risk is an event
Risk = A
A = event
‘Risk’ - ISO Guide 73 / ISO 31000
An effect is a deviation from the expected (positive and/or negative).
Risk is the effect of uncertainty on objectives
‘Risk’ - ISO Guide 73 / ISO 31000 - Example
Activity
0 fatalities p0 = 0.9
1 fatality p1 = 0.1
Objective: 0 fatalities
Uncertainty: We do not know if the outcome will be 0 or 1 fatality
Expected loss = 0.1
Effect = Deviation from the expected: 0 or 1 fatalities (certain)
Risk = effect of uncertainty on objectives = ?
‘Likelihood’ - ISO Guide 73 / ISO 31000
the chance of something happening, whether defined, measured
or determined objectively or subjectively, quantitatively or
qualitatively, and described using general terms or mathematically
(such as a probability or a frequency over a given time period).
Likelihood = chance
Described using e.g. probability or frequency
‘Probability’ - ISO Guide 73 / ISO 31000
Chance = ???
a measure of the chance of occurrence expressed as a number
between 0 and 1
Likelihood = chance
Probability = measure of chance
A) Studies and management of the risk of specific activities
▪ PRA = QRA (quantitative risk assessment) where uncertainty is quantified using probability
▪ A probabilistic risk assessment (PRA) systematizes the knowledge and uncertainties about the phenomena studied
  ▪ What are the possible hazards and threats, their causes and consequences? The knowledge and uncertainties are characterized and described using various probability-based metrics
▪ PRA stages:
  1. Identification of threats/hazards
  2. Cause analysis
  3. Consequence analysis
  4. Probabilistic analysis
  5. Risk description
  6. Risk evaluation
Source: Aven (2008) Risk Analysis. Wiley
Probabilistic risk assessment (PRA) (II)
▪ Traditional frequentist approach
  ▪ Typically applied in situations in which there exists a large amount of relevant data
  ▪ Founded on well-known principles of statistical inference, the use of probability models, the interpretation of probabilities as relative frequencies, point estimates, confidence interval estimation, and hypothesis testing
▪ The Bayesian approach
  ▪ Based on the concept of subjective (judgmental, knowledge-based) probabilities
  ▪ Applied in situations in which there exists only a limited amount of data
  ▪ Based on use of probability models to reflect variation and subjective probability to describe parameter uncertainty
Risk description in a safety context (risk indices/metrics)
▪ IR (Individual Risk): Probability of death for specified person i, $p_i$ ($p_1, p_2, \ldots, p_n$). In practice usually AIR (Average Individual Risk): AIR = PLL/n
▪ f-N curve (≈ probability distribution no. fatalities): $P(N \ge n')$
▪ FAR (Fatal Accident Rate): Expected number of fatalities during $10^8$ hours, FAR = (PLL/T) × $10^8$, T = exposure time
▪ PLL (Potential Loss of Life): Expected number of fatalities, PLL = $E[N]$, N = Number of fatalities
The f-N curve
Risk analysis information input formats
Data
Aspects of interest:
• Quantity/Amount
• Relevance
Expert statements
Models
Models of physical phenomena
Probability models
Data amount/quantity vs relevance
μ
(x1,x2,…,xn)
Xn+1
Extended population
(y1, y2,…,ym)
Low amount of relevant data
Quantity of interest
Less relevant data
Risk analysis information input formats
Data
Aspects of interest:
• Quantity/Amount
• Relevance
Expert statements
Models
Models of physical phenomena
Probability models
Logical models
Based on physical laws the effective duration of a flash fire may be derived as
Yields prediction in risk analysis
Physical model
3
1tan
2
1tan
kT2
3t 11
3eff
Probability model
• $p_i$ = fraction of times the die shows i in the long run, i = 1, 2, …, 6.
• X: Number of failures in a time period
• Poisson model: $P_f(X = k) = \lambda^k e^{-\lambda}/k! = f(k \mid \lambda)$, $E_f[X] = \lambda$
Logical model - Event tree - Hydrocarbon release
[Figure: event tree starting from a release, with branches for immediate ignition / not immediate ignition, short release fraction, vertical / horizontal, delayed ignition / no ignition and dispersion; outcomes shown include jet fire, pool fire, BLEVE, flash fire, explosion, residual pool fire and no effect]
This slide (modified) courtesy of Prof. Terje Aven
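Event tree - Simple
[Figure: initiating event I, branch events A / Not A and B / Not B, outcomes N=100, N=1, N=0]
This slide (modified) courtesy of Prof. Terje Aven
Probabilistic model based on event tree
[Figure: the same tree with $q_0 = E[X]$, the expected number of initiating events I, branch probabilities $q_1$ / $1-q_1$ and $q_2$ / $1-q_2$, outcomes N=100, N=1, N=0]
$p = P_f(N \ge 100) = q_0 q_1 q_2$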
This slide (modified) courtesy of Prof. Terje Aven
▪ Simplified risk analysis
  ▪ Qualitative
  ▪ Informal methods: Checklists etc.
▪ Standard risk analysis
  ▪ Qualitative or quantitative
Subjective probability
‘Given (i.e., conditional on) my background knowledge (K), I judge that a terrorist attack against Stavanger next year is equally likely as drawing a red ball from an urn containing the one red ball and 9,999 blue balls.’
Probability - Overview
▪ Classical
  ▪ $P_c(A)$ = Number of outcomes resulting in A / Total number of possible outcomes
▪ Frequentist
  ▪ $P_f(A) = \lim_{n \to \infty} n_A/n$, where $n_A$ is the number of occurrences of the event A in n trials
▪ Subjective
  ▪ P(A) expresses a degree of belief
  ▪ Reference to a standard for uncertainty: P(A) = p implies that the event A is considered equally likely as a standard event S with measure m(S) = p, e.g. drawing a red ball from an urn containing p x 100 % red balls
  ▪ Betting interpretation: P(A) is the price at which the person assigning the probability is neutral between buying and selling a ticket that is worth one unit of payment if the event occurs and worthless if not
Treatment of uncertainty in risk assessment
‘There is only one kind of uncertainty stemming from our lack of knowledge concerning the truth of a proposition, ... ’
Apostolakis GE (1990) The concept of probability in safety assessments of technological systems. Science, 250: 1359-1364.
This slide (modified) courtesy of Prof. Terje Aven
Treatment of uncertainties in risk
assessment
▪ Uncertainty analysis framework
  ▪ A model g with parameters (input quantities) X is used to predict the quantity of interest Z
  ▪ In a PRA/QRA, the quantities Z and X would typically be indicator quantities for events (e.g. X = I(A), where I is the indicator function and A an event of interest), or observable quantities (e.g. X = number of fatalities) or non-observable parameters on the real line (e.g. X = λ = failure rate of some equipment)
Model uncertainty
▪ Model error
  ▪ The difference Δg(X) = Z - g(X)
▪ Model output uncertainty
  ▪ Uncertainty about the model error Δg(X)
▪ Structural model uncertainty
  ▪ Uncertainty about the difference Δg(Xtrue), when the true value Xtrue of the parameter (input quantity) X is known
▪ Parameter (input quantity) uncertainty
  ▪ Uncertainty (due to lack of knowledge) about the true value of the input quantities X
Aven T & Zio E (2013) Model output uncertainty in risk assessment. International Journal of Performability Engineering, 9(5): 101-116
Methods for representing and characterizing
uncertainties in risk assessment
▪ Two main concerns to be balanced (Aven & Zio, 2011):
  ▪ Knowledge should, as far as possible, be “inter-subjective” in the sense that the representation corresponds to “documented and approved” information and knowledge (“evidence”); the methods and models used to treat this knowledge should not add information that is not there, nor ignore information that is there
  ▪ Analysts’ judgments (“degrees of belief”) should be clearly reflected (“judgments”)
Methods of uncertainty propagation (I)
▪ Level 1 uncertainty propagation setting
  ▪ Example: Throw of two fair dice, where the sum of the number of eyes on the two dice is subject to aleatory uncertainty, and the aleatory uncertainty of the outcome of a single die is reflected by a multinomial probability model with parameters θ = (θ1,θ2,θ3,θ4,θ5,θ6)
  ▪ Let W = X1 + X2, where Xi is the number of eyes on die i, then
    ▪ W ~ distr(θ), where θ is known
  ▪ Model: W = g(X1,X2,θ)
▪ Level 2 uncertainty propagation setting
  ▪ Example: Throw of a single die, where the occurrence of a ‘6’ is subject to aleatory uncertainty and this uncertainty is characterized by a binomial probability model with parameter θ, which is again subject to epistemic uncertainty and characterized by, for example, a (subjective) beta probability distribution
  ▪ Let Y equal 1 if a ‘6’ occurs and 0 otherwise, then
    ▪ Y ~ Binomial(θ), and
    ▪ θ ~ Beta(α,β), where α,β are so-called hyperparameters
  ▪ Model: g(Y,θ)
Methods of uncertainty propagation (II)
[Figure: Level 2 uncertainty propagation setting, X ~ Binomial(θ); legend: fixed (known) quantity, uncertain quantity, epistemic uncertainty, aleatory uncertainty]
Methods of uncertainty propagation (III)
▪ Level 1 uncertainty propagation setting
  ▪ The input quantities (X1,…,XN) are divided into a group (X1,…,Xn), 1≤n≤N, subject to aleatory uncertainty, and a group (Xn+1,…,XN), subject to epistemic uncertainty
  ▪ The frequentist probability distribution of (X1,…,Xn) is perfectly known (including parameter values), i.e. not subject to epistemic uncertainty
▪ Level 2 uncertainty propagation setting
  ▪ The input quantities (X1,…,XN) are subject to aleatory uncertainty described by frequentist probabilities with parameters θ subject to epistemic uncertainty, i.e.:
    ▪ Level I: Aleatory uncertainty characterized by frequentist probabilities with uncertain parameters θ
    ▪ Level II: Epistemic uncertainty about θ characterised by some uncertainty representation (subjective probability, possibility theory, evidence theory, …)
Uncertainty representation and propagation in the risk assessment of a process plant (I)
▪ Case description
▪ System: Process plant
▪ Activity: Operation of the control room, which is placed in the compressor module
▪ Purpose: Assess risk to the operators (two persons) as a result of possible fires and explosions in the module
▪ Decision problem: Whether to move the control room out of the module or to implement some risk reducing measures
Uncertainty representation and propagation in the risk assessment of a process plant (II)
▪ System: Status quo; Uncertainty representation: Standard Bayesian
▪ System: Status quo; Uncertainty representation: Alternative/predictive Bayesian
Reflection exercise: Pros and cons of standard Bayesian vs alternative/predictive Bayesian
Modelling
▪ Event tree
▪ A gas leak
▪ X number of gas leaks
▪ B1 ignition of gas
▪ B2 explosion
▪ N number of fatalities for scenario
▪ Y total number of fatalities
The standard Bayesian approach (I)
▪ Application in a nutshell
  ▪ Input uncertain quantities:
    ▪ number of initiating events, X
    ▪ outcome of branching events, B1 and B2
    ▪ Poisson distribution rate parameter λ
    ▪ event tree branching event chances, θ1 and θ2
  ▪ Output quantity:
    ▪ number of fatalities, Y
  ▪ Model:
    ▪ See next slide
The assessment concerns computation of the probability distribution of the number of fatalities, Y.
  ▪ Type of uncertainty on the input quantities:
    ▪ aleatory on X, B1 and B2
    ▪ epistemic on λ, θ1 and θ2
  ▪ Uncertainty propagation setting:
    ▪ level 2
The standard Bayesian approach (II)
▪ Bayesian updating machinery
  ▪ First establish a probability model, then assign a prior distribution on the parameter of interest. Next use Bayes’s Theorem to establish the posterior distribution, and finally compute the predictive distribution using the law of total probability.
where $p(0 \mid x,\theta_1,\theta_2) = (1-\theta_1)^x$, $p(1 \mid x,\theta_1,\theta_2) = x(1-\theta_1)^{x-1}\theta_1(1-\theta_2)$, …
▪ Probability models
  ▪ Poisson $p(x \mid \lambda) = \lambda^x e^{-\lambda}/x!$
  ▪ Binomial $p(B_i \mid \theta_i) = \theta_i$, i = 1,2
▪ Priors
  ▪ Gamma $f(\lambda \mid K) = b^a \lambda^{a-1} e^{-b\lambda}/\Gamma(a)$
  ▪ Beta $f(\theta_i \mid K) = \theta_i^{\alpha_i-1}(1-\theta_i)^{\beta_i-1}/B(\alpha_i,\beta_i)$, i = 1,2
▪ K = background knowledge (e.g. general information from similar situations, more or less relevant historical data from similar situations, expert judgments)
The standard Bayesian approach (III)
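▪ Likelihood (Poisson): $P(X = x \mid \lambda) = \dfrac{\lambda^x e^{-\lambda}}{x!}$
▪ Prior (Gamma): $f(\lambda) = \dfrac{b^a}{\Gamma(a)} \lambda^{a-1} e^{-b\lambda}$
▪ Prior predictive: $P(X = x) = \int_0^\infty P(X = x \mid \lambda)\, f(\lambda)\, d\lambda$
▪ Posterior (Gamma): $f(\lambda \mid y) = \dfrac{(b+n)^{a+\sum_{i=1}^n y_i}}{\Gamma\left(a+\sum_{i=1}^n y_i\right)} \lambda^{a+\sum_{i=1}^n y_i-1} e^{-(b+n)\lambda}$, where $y = (y_1, y_2, \ldots, y_n)$
▪ Posterior predictive: $P(X = x \mid y) = \int_0^\infty P(X = x \mid \lambda)\, f(\lambda \mid y)\, d\lambda$
[Figure: density of the Gamma(5,5) prior]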
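The Gamma-Poisson updating and the level 2 propagation described in the standard Bayesian approach can be carried through numerically; the following is an added example, not part of the original lecture. The leak counts `y`, the Beta(1,9) and Beta(1,4) priors and the value of 2 fatalities per explosion are constructed assumptions; the Gamma(5,5) prior is the one plotted on the slide.

```python
import math
import random


def gamma_posterior(a, b, y):
    """Gamma(a, b) prior on lambda updated with yearly leak counts y."""
    return a + sum(y), b + len(y)


def predictive_pmf(x, a, b):
    """P(X = x) after integrating lambda out of Poisson(x | lambda) Gamma(lambda | a, b)."""
    log_p = (math.lgamma(a + x) - math.lgamma(a) - math.lgamma(x + 1)
             + a * math.log(b / (b + 1.0)) - x * math.log(b + 1.0))
    return math.exp(log_p)


def fatalities_pmf(x, theta1, theta2, n_explosion=2):
    """p(y | x, theta1, theta2): distribution of total fatalities Y given x leaks.

    Per leak: no ignition -> 0, ignition without explosion -> 1,
    explosion -> n_explosion (assumed value, not stated on the slides).
    """
    per_leak = {}
    for n, q in ((0, 1.0 - theta1), (1, theta1 * (1.0 - theta2)),
                 (n_explosion, theta1 * theta2)):
        per_leak[n] = per_leak.get(n, 0.0) + q
    dist = {0: 1.0}
    for _ in range(x):                       # convolve one leak at a time
        nxt = {}
        for total, p in dist.items():
            for n, q in per_leak.items():
                nxt[total + n] = nxt.get(total + n, 0.0) + p * q
        dist = nxt
    return dist


def explosion_chance_level2(a, b, beta1, beta2, n_samples=20000, seed=1):
    """Level 2 propagation for the chance of at least one explosion per year.

    Outer loop: epistemic samples of (lambda, theta1, theta2).
    Inner step: the aleatory part is solved exactly, since explosions form a
    thinned Poisson process with rate lambda * theta1 * theta2.
    """
    rng = random.Random(seed)
    chances = []
    for _ in range(n_samples):
        lam = rng.gammavariate(a, 1.0 / b)   # stdlib takes shape and scale = 1/rate
        theta1 = rng.betavariate(*beta1)
        theta2 = rng.betavariate(*beta2)
        chances.append(1.0 - math.exp(-lam * theta1 * theta2))
    chances.sort()
    return {
        "mean": sum(chances) / n_samples,    # predictive probability
        "p05": chances[int(0.05 * n_samples)],
        "p95": chances[int(0.95 * n_samples)],
    }


if __name__ == "__main__":
    prior = (5, 5)                           # Gamma(5,5), as plotted on the slide
    y = [1, 0, 2, 0, 1]                      # constructed leak counts, 5 years
    a_post, b_post = gamma_posterior(*prior, y)
    print("posterior: Gamma(%d, %d)" % (a_post, b_post))
    for x in range(4):                       # prior vs posterior predictive
        print(x, round(predictive_pmf(x, *prior), 4),
              round(predictive_pmf(x, a_post, b_post), 4))
    print(fatalities_pmf(2, 0.1, 0.2))
    # Beta(1, 9) and Beta(1, 4) priors on theta1, theta2 are constructed values
    print(explosion_chance_level2(a_post, b_post, (1, 9), (1, 4)))
```

The interval between `p05` and `p95` expresses the epistemic uncertainty about the frequentist chance, while `mean` is the single predictive probability obtained when that uncertainty is integrated out.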
An alternative (predictive Bayesian) approach based
on subjective probabilities (I)
▪ Application in a nutshell
  ▪ Input uncertain quantities:
    ▪ number of initiating events, X
    ▪ outcome of branching events, B1 and B2
  ▪ Output quantity:
    ▪ number of fatalities, Y
  ▪ Model:
    ▪ See next slide
The assessment concerns computation of the probability distribution of the number of fatalities, Y:
  ▪ Type of uncertainty on the input quantities:
    ▪ epistemic on X, B1 and B2
  ▪ Uncertainty propagation setting:
    ▪ level 1
An alternative (predictive Bayesian) approach based
Aven T (2012) On when to base Event Trees and Fault Trees on Probability Models and Frequentist Probabilities in
Quantitative Risk Assessments. International Journal of Performability Engineering, 8(3): 311-320.
«Hidden slide» - to be used in presentation but not to be included in distributed version
Pros and cons of standard Bayesian approach
129
Pros Cons
Aven T (2012) On when to base Event Trees and Fault Trees on Probability Models and Frequentist Probabilities in
Quantitative Risk Assessments. International Journal of Performability Engineering, 8(3): 311-320.
«Hidden slide» - to be used in presentation but not to be included in distributed version
Risk-based versus risk-informed decision-making
▪ ‘I wish to make one thing very clear: QRA results are never the sole basis for decision making by responsible groups. In other words, safety-related decision making is risk-informed, not risk-based.’
Apostolakis (2004)
Risk-informed decision-making
Lecture 6: Quantitative risk assessment applications
Offshore QRAs in Norway
▪ NORSOK Standard Z-013 (ed. 3, 2010) Risk and emergency preparedness assessment:
▪ ‘Structured around the following main elements:
  ▪ use of risk and emergency preparedness assessment as a basis for decision-making. General requirements for planning and execution of risk and emergency preparedness assessments regardless of activity and life cycle phase;
  ▪ specific requirements for planning and execution of risk and emergency preparedness assessments for different activities and life cycle phases;
  ▪ the relation between the risk and emergency preparedness assessments, especially the integration of the two types of assessments into one overall assessment process.’
Offshore QRA
General requirements
Life cycle-specific requirements
[Figure: barrier diagram with event boxes: Loss of containment, Ignition, Ignited leak, Escalation of fire, Strong explosion, Escape, evacuation and rescue]
Containment barrier:
• Inspection
• Maintenance
• Operation
• Design
Barrier to prevent escalation:
• Fire detection
• Fire water
• Passive fire protection
• Fire walls
• ESD/Blowdown
Barrier to prevent fatalities:
• Emergency power and lighting
• Alarm and communication
• Evacuation means
• Etc.
Barrier to reduce cloud/pool size:
• Ventilation
• Drain system
• ESD/Blowdown
Barrier to prevent strong explosions:
• Layout
• Deluge
• Blast walls and panels
• Etc.
Barrier to control ignition sources:
• Gas detection
• Ignition source isolation
• Area classification
• Control of hot work
• Barrier function (e.g. detect gas leak)
• Barrier system (e.g. gas detection system)
• Barrier element (e.g. gas detector)
Barrier focus
The risk and emergency preparedness process
NORSOK Z-013 (ed. 3, 2010)
The risk assessment process
▪ Forward approach
  ▪ Initiating events
  ▪ E.g. gas leakages
▪ Backwards approach
  ▪ Main safety functions
  ▪ E.g. impairment of safe area
Offshore QRA build-up
[Figure: layered diagram of the offshore QRA build-up]
▪ Events and consequences: Medium process leak, Ignition, Explosion, Explosion overpressure, Impairment of main structural integrity, Death by specific person, Number of fatalities
▪ Background knowledge: Discrete leak rates, Generic leak frequency, Event tree model, Explosion model, Personnel distribution assumption, …
▪ Probabilities and expected values: Leak frequency, Probability of ignition, Probability of explosion, Probability of main safety function impairment, Probability distribution/prediction interval overpressure, Probability distribution no. fatalities
▪ Sensitivity and risk reducing measures: Effect on impairment frequencies and fatality probabilities of altered input parameters and risk reduction measures
QRA assumptions
▪ A full blowout will be represented by a blowout rate of 50% of the maximum rate
▪ Probability of pre-warning of personnel in case of a blowout (production) = 20 %
▪ Blowout potential: 80 kg/s
▪ Adjustment factor for blowout frequencies (relative to SINTEF blowout data basis): 2 (due to high pressure and temperature in the reservoir)
▪ Well-activity; number of wells drilled: 6, number of wireline operations: 2, coiled tubing operations: 3 …
▪ No hotwork activity and no rotating equipment will be in use in the operational phase
▪ Ignition probability for well releases: 2%
▪ Number of immediate fatalities per blowout (immediate ignition): 1
▪ Manning distribution
▪ Number of lifts/year
▪ Restrictions for lifting operations …
▪ The jacket structure will withstand a ship energy of 9 MJ
▪ Time to failure of structure when subject to a sustained sea pool fire …: 15 min.
▪ Failure probability on demand for ESD valve: 1 %
▪ If the leak is not successfully detected (within the first 30 s.) a 60 seconds delay is assumed
▪ …
Uncertainty in offshore QRAs
▪ ‘5) a discussion of uncertainty, including the following aspects:
▪ i. the perspective on risk used in the assessment, e.g. classical, statistical, probability of frequency, combined classical and Bayesian, Bayesian, Predictive approach;
▪ ii. the effect and level of uncertainty given the adopted perspective and the context for the assessment (including the ‘system boundaries’ and ‘system basis’) compared to the ‘actual’ or ‘real’ systems and/or activities of interest;
▪ iii. possible implications for the main results;
▪ iv. occurrence of unexpected outcomes, as a result of invalid assumptions and premises, or insufficient knowledge.
▪ 6) if used, define and/or discuss the meaning of terms and quantities like: probability, frequency, mean value, expected values, conservative side, conservative approach, etc.,
▪ 7) factors such as divergence of opinion amongst experts or limitations of the modelling should be stated and may need to be highlighted.’
NORSOK Z-013 (ed. 3, 2010)
Infrastructure Risk Analysis: An Overview
Seth Guikema
This slide courtesy of Dr. Seth D. Guikema
Infrastructure Risk Analysis: Traditional Components
1. Hazard model
• What is the hazard?
• How intense is the hazard?
• How likely are the different levels of intensity of the hazard?
• What is the spatial distribution of the hazard loading?
2. Infrastructure performance model
• How does the infrastructure respond to the hazard loading at each location?
• How does the collective system behave in response to individual asset behavior?
• How do (inter)dependencies between systems affect the propagation of failures?
3. Consequence Model
• How bad are the consequences for society for a given level of infrastructure performance?
• What are the economic costs? How many deaths are there? What are
This slide courtesy of Dr. Seth D. Guikema
The Classic Example: HAZUS
• US FEMA (Federal Emergency Management Agency) software for natural hazards risk analysis
• Focused on infrastructure and buildings
• Flood, earthquake, hurricane, and tsunami modules
• Includes:
  • Hazard model
  • Building models (fragility-based)
  • Infrastructure models (fragility-based)
  • Loss models (focused on economics)
This slide courtesy of Dr. Seth D. Guikema
Hazard Model Example
This slide courtesy of Dr. Seth D. Guikema
Fragility Curve Example
This slide courtesy of Dr. Seth D. Guikema
How It Works
This slide courtesy of Dr. Seth D. Guikema
Example of Output from HAZUS
This slide courtesy of Dr. Seth D. Guikema
(Some of the) Problems with HAZUS
• Fragility curves are at the core of HAZUS, yet:
• Fragility curves used for many types of infrastructure are out of date
• Fragility curves are generally unidimensional – do not account for multiple hazard stressors and their impact on their collective impact system
• Some flood researchers are concerned about the accuracy of the flood model
• Does not explicitly account for changes in building stock, sea level rise, or behavioral adaptation over time – models what happens based on current infrastructure, buildings, and sea levels
• Does not do a strong job of accounting for uncertainty
This slide courtesy of Dr. Seth D. Guikema
Alternatives
Alternatives to HAZUS exist:
• MAEviz – same idea, but updated information
• Approaches based on economic input-output models
• More detailed physical simulation models
• Statistical approaches
This slide courtesy of Dr. Seth D. Guikema
(Ref. Aven 2009)
Identifying safety and security critical systems
Identification of critical systems (activities)
▪ Why identify critical systems?
[Figure: systems S1, S2, …, S10]
Task
▪ Identify 10 critical systems/infrastructures in the city of Milano and rank these according to their level of criticality
Critical system
▪ A system is considered critical if its failure or malfunction may result in severe consequences, for example related to loss of lives, environmental damage or economic loss
(Falla 1997)
▪ A critical system is a system that, when failing, would seriously disrupt society
(Gheorge 2006)
Critical infrastructure
▪ organizations and facilities of key importance to public interest whose failure or impairment could result in detrimental supply shortages, substantial disturbance to public order or similar dramatic impact
(Gheorghe 2006)
▪ those systems and assets — both physical or cyber, so vital to the Nation that their incapacity or destruction would have a debilitating impact on national economic security, and/or public health or safety
US National Infrastructure Protection Plan
155
Criticality measures
▪ Disutility of minimal cut sets
(Apostolakis & Lemon 2005)
▪ [criticality refers to] the product of probability and importance (conditional criticality), where importance reflects the increase in travel cost when a link in the network is closed
(Jenelius 2006)
▪ Traditional risk and reliability importance measures
  ▪ Birnbaum's measure: The sensitivity (partial derivative) of the reliability (risk) measure with respect to the parameter, for example the reliability of a safety barrier.
  ▪ Improvement potential (also referred to as the risk reduction worth): the risk measure contribution from a specific system, determined by calculating the difference in the risk indices by assuming that the system has no failures or malfunctions.
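Birnbaum's measure and the improvement potential computed for a small barrier system, as an added example that is not from the slides. The three barriers, their failure probabilities and the failure logic are constructed, and barrier failures are assumed independent.

```python
from itertools import product

# Constructed failure probabilities for three safety barriers (not from the slides).
Q = {"A": 0.01, "B": 0.10, "C": 0.20}

def system_fails(state):
    """Assumed logic: failure if barrier A fails, or if both B and C fail."""
    return state["A"] or (state["B"] and state["C"])

def risk(q):
    """Risk measure R(q) = P(system failure), by enumerating all barrier states."""
    names = list(q)
    total = 0.0
    for combo in product([False, True], repeat=len(names)):
        state = dict(zip(names, combo))
        prob = 1.0
        for n in names:
            prob *= q[n] if state[n] else 1.0 - q[n]
        if system_fails(state):
            total += prob
    return total

def birnbaum(q, name):
    """dR/dq_i. R is linear in each q_i, so this equals R(q_i=1) - R(q_i=0)."""
    return risk({**q, name: 1.0}) - risk({**q, name: 0.0})

def improvement_potential(q, name):
    """Risk reduction if the barrier never failed: R(q) - R(q_i=0)."""
    return risk(q) - risk({**q, name: 0.0})

def rank(measure, q):
    """Barrier names ordered from most to least important under `measure`."""
    return sorted(q, key=lambda n: measure(q, n), reverse=True)

if __name__ == "__main__":
    print(f"R(q) = {risk(Q):.4f}")
    for n in Q:
        print(n, f"Birnbaum={birnbaum(Q, n):.4f}",
              f"improvement potential={improvement_potential(Q, n):.4f}")
    print("Birnbaum ranking:", rank(birnbaum, Q))
    print("Improvement potential ranking:", rank(improvement_potential, Q))
```

The two measures disagree here: barrier A tops the Birnbaum ranking because the system is most sensitive to it, but it is last on improvement potential because it already fails so rarely that perfecting it removes little risk.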
156
157
A system or activity is critical if
1. the vulnerability is high
2. the risk is high
?
Example: Identifying safety critical systems in a process plant
158
Safety critical system => More frequent inspection and testing
▪ Candidates for a risk index expressing criticality
  ▪ Expected loss E[C], given by the product P(A) E[C|A]
    ▪ No distinction between low probability/high consequence situations and high probability/low consequence situations
    ▪ A rigorous way of establishing the probabilities may be lacking (e.g. in relation to intentional events)
    ▪ Not necessarily in line with the preferences of the decision-maker, who may be risk averse
  ▪ Expected disutility E[u(C)], where u is a utility function reflecting the preferences of the decision-maker
    ▪ A rigorous way of establishing the probabilities may be lacking (e.g. in relation to intentional events)
    ▪ Specifying the utility function may be problematic
161
An alternative approach
▪ A safety and security critical system (activity) is a system contributing significantly to risk, where risk is adequately defined.
162
An alternative approach: Criticality measures
▪ The need for a ranking tool that works in practice motivates the use of expected values.
▪ However, we need to address the strength of knowledge and uncertainties, as surprising consequences (outcomes) may occur when seen in relation to the expected values.
▪ As vulnerability is an important aspect of risk, the vulnerabilities need to be highlighted.
163
Steps
1. Identify a list of systems for evaluation
2. Identify possible initiating events A
3. Define categories of consequences C (severity classification)
4. Rank the systems according to vulnerability using E[C|A], i.e. the expected consequences given the occurrence of A
5. Assign probabilities for the events A, calculate the unconditional expected consequences, EC, by EC = P(A) x E[C|A], and rank the systems according to EC
6. Assess strength of knowledge related to, and uncertainties in, underlying phenomena and processes that could result in surprises relative to EC, and adjust the ranking based on this assessment
164
Risk description
165
Categorising risk in a practical setting
166
Expected value risk calculations | Overall risk assessment
Low | Low
Medium | Medium
High | High
Reclassification (if the uncertainties in underlying phenomena and processes are very large)
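Steps 4 to 6 and the Low/Medium/High categorisation above, worked through as an added example that is not from the slides. The four systems, their probabilities, the numeric severity classes 1 to 4, the category thresholds and the rule that weak knowledge moves a system one category up are all assumptions made for illustration.

```python
# Constructed inputs (not from the slides): per system, P(A) for its initiating
# event, P(C = c | A) over severity classes 1..4, and an analyst's judgement of
# the strength of knowledge (SoK) behind those numbers.
SYSTEMS = {
    "S1": {"p_a": 0.10,  "c_given_a": {1: 0.6, 2: 0.3, 3: 0.1}, "sok": "strong"},
    "S2": {"p_a": 0.01,  "c_given_a": {3: 0.5, 4: 0.5},         "sok": "weak"},
    "S3": {"p_a": 0.03,  "c_given_a": {2: 0.5, 3: 0.5},         "sok": "strong"},
    "S4": {"p_a": 0.001, "c_given_a": {4: 1.0},                 "sok": "weak"},
}
LEVELS = ["Low", "Medium", "High"]

def vulnerability(s):
    """Step 4: E[C|A], the expected consequence given that A occurs."""
    dist = s["c_given_a"]
    assert abs(sum(dist.values()) - 1.0) < 1e-9, "P(C|A) must sum to 1"
    return sum(c * p for c, p in dist.items())

def expected_consequence(s):
    """Step 5: EC = P(A) x E[C|A]."""
    return s["p_a"] * vulnerability(s)

def category(ec, medium=0.01, high=0.1):
    """Map EC to Low/Medium/High; the thresholds are assumed values."""
    return "High" if ec >= high else "Medium" if ec >= medium else "Low"

def overall(s):
    """Step 6 (assumed rule): weak SoK moves the system one category up."""
    i = LEVELS.index(category(expected_consequence(s)))
    return LEVELS[min(i + 1, 2)] if s["sok"] == "weak" else LEVELS[i]

def rankings(systems):
    """Return the rankings by E[C|A], by EC, and after reclassification."""
    by_vuln = sorted(systems, key=lambda n: -vulnerability(systems[n]))
    by_ec = sorted(systems, key=lambda n: -expected_consequence(systems[n]))
    final = sorted(systems, key=lambda n: (-LEVELS.index(overall(systems[n])),
                                           -expected_consequence(systems[n])))
    return by_vuln, by_ec, final

if __name__ == "__main__":
    for label, order in zip(("E[C|A]", "EC", "adjusted"), rankings(SYSTEMS)):
        print(f"{label:9s}", " > ".join(order))
```

The vulnerability ranking and the EC ranking are nearly reversed because the most vulnerable systems have the least likely initiating events, and the reclassification lifts S2 above S3 even though its EC is lower.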
Summary
167
Common idea: Safety and security critical systems can be identified by considering vulnerabilities and the expected consequences given system failures and malfunctions
Alternative approach: Risk-informed approach looking beyond expected values and probabilities