University of Stavanger
uis.no
Guest lectures, Politecnico di Milano, 26-27 February 2018
Risk analysis: The field and science, the foundations, and the practice
with emphasis on quantitative risk assessment in selected applications
Roger Flage
Assistant/associate Professor, Department of Safety, Economy and Planning / Faculty of Science and Technology
2/22/2018
Contents
▪ Lecture 1: Overview of risk analysis as a field and science
▪ Lectures 2 & 3: Foundations of risk analysis
▪ Lectures 4 & 5: Quantitative risk assessment
▪ Lecture 6: Quantitative risk assessment applications
Contents
▪ Lecture 1: Overview of risk analysis as a field and science
  ▪ The (core) subjects of risk analysis
  ▪ Risk analysis as a science
  ▪ The field of risk analysis
▪ Lectures 2 & 3: Foundations of risk analysis
  ▪ The risk concept
  ▪ Describing risk (generic risk assessment)
  ▪ Black swans and perfect storms
▪ Lectures 4 & 5: Quantitative risk assessment
  ▪ Quantitative/Probabilistic risk assessment
  ▪ Risk metrics
  ▪ Event tree modelling
  ▪ Uncertainty in risk assessment
  ▪ Probabilities in risk assessment
  ▪ Epistemic versus aleatory uncertainty
  ▪ Model uncertainty
  ▪ Level 1 and level 2 uncertainty propagation
  ▪ Example
  ▪ Standard Bayesian approach
  ▪ Predictive Bayesian approach
  ▪ Risk-informed decision-making
▪ Lecture 6: Quantitative risk assessment applications
  ▪ Offshore oil and gas risk assessment
  ▪ Infrastructure risk assessment
  ▪ Identifying safety and security critical systems
Lecturing style
▪ Traditional lectures with student-active elements
▪ The lecture presentation contains several “hidden” slides with
problems to be discussed directly in plenary as well as
problems to be first considered individually, then discussed in
groups of 2-3 students, and finally discussed in plenary
Lecture 1: Overview of risk analysis as a
field and science
Risk analysis
[Diagram: Risk analysis in the Society for Risk Analysis tradition, comprising risk characterization, risk assessment, risk management, risk communication, risk perception, policy relating to risk, and risk governance]
That being said …
[Diagram: The risk management process, ISO 31000]
Risk analysis core subjects (Society for Risk Analysis «Core subjects» document)
▪ Fundamentals: … fundamental issues related to risk analysis as a field and science, basic concepts and principles, including ways of representing and expressing uncertainties.
▪ Risk assessment: … principles, approaches, and methods for identifying risk sources, threats, hazards and opportunities; understanding how these can occur and what can be their consequences including adaptive behavior and recovery; representing and expressing uncertainties and risk; and determining the significance of the risk using relevant criteria
▪ Risk management, Risk governance: … measures and activities carried out to manage and govern risk, balancing developments and exploring opportunities, on the one hand, and avoiding losses, accidents and disasters on the other. A main emphasis here is on providing insights and guidance on multi-dimensional, multi-actor, multi-institutional decision and policy making and on resolving emerging trade-offs
▪ Risk communication, Risk perception: … issues related to perception and communication of risk, how affect and trust influence risk perception and behavior, and how exchange or sharing of risk-related data, information and knowledge between and among different parties (such as regulators, experts, consumers, media, general public) can be provided.
▪ Solving risk problems and issues: … how to solve risk problems, challenges and issues in real practice, by integrating theories and methods from the other four categories of topics, and using concrete, practical cases. Risk analysis as a multidisciplinary and interdisciplinary field is demonstrated, and special attention is devoted to the added value of risk analysis relative to the contributions from other fields and sciences.
Risk analysis studies – a few examples
▪ Pest risk analysis (PRA) for the territories of the European Union (as PRA area) on Bursaphelenchus xylophilus and its vectors in the genus Monochamus. HF Evans, DG McNamara, H Braasch… - EPPO …, 1996 - Wiley Online Library
▪ Probabilistic risk analysis for a high‐level radioactive waste repository. BL Cohen - Risk analysis, 2003 - Wiley Online Library
▪ Some limitations of “Risk= Threat× Vulnerability× Consequence” for risk analysis of terrorist attacks. LAT Cox Jr - Risk Analysis, 2008 - Wiley Online Library
▪ On some recent definitions and analysis frameworks for risk, vulnerability, and resilience. T Aven - Risk Analysis, 2011 - Wiley Online Library
Risk analysis as a science
▪ Two knowledge-generating pillars (Aven & Zio, 2014):
A. Risk knowledge related to an activity in the real world (interpreted in a wide
sense to include, for example, also natural phenomena), for example the use of a
medical drug, the design of a bridge or the analysis of climate change
B. Knowledge on concepts, theories, frameworks, approaches, principles, methods
and models to understand, assess, characterize, communicate, manage and
govern risk
A) Studies and management of the risk of specific activities
B) Generic risk practices and research: How to conceptualise, understand, assess, communicate and manage risk
This slide (modified) courtesy of Prof. Terje Aven
We may ask, is the risk too high? Should we reduce it? And by how much, and how can we best achieve such a reduction?
A) Studies and management of the risk of the specific activity
Experts in offshore operations, process engineers …
Risk analysis experts
B) Generic risk practices and research: How to conceptualise, assess, communicate and manage risk
This slide (modified) courtesy of Prof. Terje Aven
Activity, system
Real world
A) Studies, communication and management of the risk of this specific activity
B) Generic risk practices and research: How to conceptualise, understand, assess, communicate and manage risk
Experts in other fields
Competence
Risk analysis experts
Insights into risk, decision support, good decisions
What do they give?
This slide (modified) courtesy of Prof. Terje Aven
B) Generic risk practices and research: How to conceptualise, assess and manage risk
What is risk?
This slide (modified) courtesy of Prof. Terje Aven
1) Risk = expected loss/consequences
C × P (Abraham de Moivre, 1711)
C: Consequences (loss), P: Probability
This slide (modified) courtesy of Prof. Terje Aven
2) Risk description = The combination of magnitude/severity of consequences C and probability P
C & P
Alternative formulation: Events/scenarios A, consequences C, probabilities P
Kaplan, S. and Garrick, B.J. (1981) On the quantitative definition of risk. Risk Analysis 1, 11-27.
This slide (modified) courtesy of Prof. Terje Aven
The risk concept
How to measure or describe risk
Meeting the need of the decision situation
Society for Risk Analysis Glossary 2015
• Risk is the possibility of an unfortunate occurrence
• Risk is the potential for realization of unwanted, negative consequences of an event
• Risk is exposure to a proposition (e.g. the occurrence of a loss) of which one is uncertain
• Risk is the consequences of the activity and associated uncertainties
• Risk is uncertainty about and severity of the consequences of an activity with respect to something that humans value
a) Expected consequences (damage, loss)
b) The combination of probability P and magnitude/severity of consequences C
c) The triplet (C’,Q,K), where C’ is some specified consequences, Q a measure of uncertainty associated with C’ and K the background knowledge that supports C’ and Q
This slide (modified) courtesy of Prof. Terje Aven
A) Studies and management of the risk of specific activities
B) Generic risk practices and research: How to conceptualise, assess and manage risk
This slide (modified) courtesy of Prof. Terje Aven
- Is there an objective best policy on how to deal with risk?
  o For you?
  o For the company?
  o For the society?
- How can we use methods and principles like
  ▪ Cost-benefit analyses
  ▪ Precautionary principle: what does this principle say, how can it be used?
- How should activities be best regulated to balance development and risk?
- …
B) Generic risk practices and research: How to conceptualise, assess and manage risk
This slide (modified) courtesy of Prof. Terje Aven
A) Studies and management of the risk of specific activities
B) Generic risk practices and research: How to conceptualise, understand, assess, communicate and manage risk
Applied risk analysis
Generic risk analysis
This slide (modified) courtesy of Prof. Terje Aven
Type A) analysis
a) Descriptive analysis: What has happened previously in terms of losses, failures, etc.? What do the data indicate is (not) worth worrying about? What has changed that seems worth worrying about?
b) Predictive analysis - knowledge and uncertainties: What will happen if a specific activity is realized, a specific system is operated? What might go wrong? Why and how might it go wrong? What are the consequences? What will happen if we (do not) intervene? How soon, with what consequences? What do we know; what do we not know? What are the uncertainties and likelihoods? Causal analysis - knowledge and uncertainties: What will happen if we intervene in different ways? What do we know; what do we not know? What are the uncertainties? Likelihoods?
c) Prescriptive analysis and decision optimization - management: What should we do next, given the resources, risk, uncertainties, constraints and other concerns? Who should do what? Who should use what decision rules? What are intolerable or unacceptable risks? How can the public participate? How to be prepared in case of an event? How to build robust and resilient systems?
Type A) analysis
d) Communication: Who should say what to whom? How to address uncertainties? How to interpret probabilities?
e) How are perceptional aspects, like fear or prejudice, influencing risk judgments and decisions?
f) Evaluation analysis: How well is the risk analysis working? What have the consequences of our actions and policies actually been?
g) Learning analysis: How might we do better? What should we try next, and for how long? When should we stop exploring and commit to a policy?
h) Collaborative analysis: How might we do better together?
Type B) analysis
▪ Conceptual research relates to some abstract ideas, concepts,
theories, etc. and includes one or more of the following
elements:
▪ Identification (for example, a new concept or principle)
▪ Revision (seeing what has been identified in a different way, for example using alternative frames of
reference)
▪ Delineation (for example, a framework for when to use an assessment approach)
▪ Summarisation (to see the forest for the trees, for example reducing what is known about a matter
to a manageable set of contributors)
Example: Risk = C x P
Type B) analysis
▪ Differentiation (for example, that there are several ways of interpreting a probability)
▪ Integration (to synthesise, amalgamate, or harmonise, for example as the unified understanding of
risk reflected in the SRA (2015) Glossary)
▪ Advocating (for example, argumentation to justify or support a given conclusion concerning the use
of a specific definition or principle)
▪ Refuting (for example, argumentation aimed at rebutting a given perspective) (MacInnis 2011).
The research is based on creativity, divergent thinking, comparative reasoning, integrative thinking,
logic, etc. and makes use of different types of tools as described in MacInnis (2011): for example,
metaphors, questioning of strongly held assumptions, and maps which show relationships between
different concepts
Example: Risk = C x P
The risk analysis field
Totality of relevant
risk educational
programmes,
journals, papers,
researchers, research
groups and societies,
etc.
(Risk discipline)
Knowledge
generation related to
A) and B)
Lectures 2 & 3: Foundations of risk
analysis
Common thinking about risk (I)
Risk is the combination of probability and consequences
Risk = C & P
Risk = P x C = E
C = consequences
P = probability
E = expected value
Example: Risk = C & P vs. risk = C x P
6: Win € 36,000
1,2,3,4,5: Pay € 6,000
Risk = C & P
C1: 36,000, P1: 1/6
C2: -6,000, P2: 5/6
Risk = C x P
36,000 × 1/6 – 6,000 × 5/6 = 1,000
Common thinking about risk (II)
Risk is uncertainty
Risk = U
U = uncertainty
Common thinking about risk (III)
Risk is an event
Risk = A
A = event
‘Risk’ - ISO Guide 73 / ISO 31000
An effect is a deviation from the expected (positive and/or negative).
Risk is the effect of uncertainty on objectives
‘Risk’ - ISO Guide 73 / ISO 31000 - Example
Activity
0 fatalities p0 = 0.9
1 fatality p1 = 0.1
Objective: 0 fatalities
Uncertainty: We do not know if the outcome will be 0 or 1 fatality
Expected loss = 0.1
Effect = Deviation from the expected: 0 or 1 fatalities (certain)
Risk = effect of uncertainty on objectives = ?
‘Likelihood’ - ISO Guide 73 / ISO 31000
the chance of something happening, whether defined, measured
or determined objectively or subjectively, quantitatively or
qualitatively, and described using general terms or mathematically
(such as a probability or a frequency over a given time period).
Likelihood = chance
Described using e.g. probability or frequency
‘Probability’ - ISO Guide 73 / ISO 31000
Chance = ???
a measure of the chance of occurrence expressed as a number
between 0 and 1
Likelihood = chance
Probability = measure of chance
A) Studies and management of the risk of specific activities
B) Generic risk practices and research: How to conceptualise, understand, assess, communicate and manage risk
Link back to Lecture 1 …
The risk concept — historical and recent development trends
Distinguishing risk as a concept and the description of risk
The concept of risk: What risk is
The description of risk: How risk is described and measured
The risk concept versus the risk description
Risk = (C,U)
Risk description = (C’,Q,K)
▪ Consequences (risk sources, events/scenarios, effects/end states) … in the past (c, t1), … in the risk assessment (C’, t2), … in the future (C, t3)
▪ K: Background knowledge (including but not limited to c)
▪ Q: Uncertainty measure
▪ U: State of uncertainty (about C)
Risk concept versus risk description – Infrastructure
Risk = (C,U)
Risk description = (C’,Q,K)
[Figure: timeline t1, t2, t3 with c, C’, C and K, Q, U, filled in for infrastructure. Labels in the figure:]
▪ Ice storm, Hurricane, Pandemic, Fuel shortage, Food scare, Bank systems failure, …
▪ P(Hurricane impact | K), E[downtime | hurricane, K], P(downtime > 2 days | hurricane, K), …
▪ Ice storm, Solar storm, c, …; Number of system failures, Downtime durations, …; Simulation models, …; Assumptions, …
▪ Ice storm, Hurricane, Heat wave, Flooding, …
Knowledge K
Data, Information, Argumentation, Testing, Modelling, …
Consequences C of the activity
Uncertainty U about C
Risk assessment and characterisation
Specified consequences C’
Description or measure Q of the uncertainties
Risk description and characterisation (C’,Q,K), with related metrics, meeting the need of the decision situation
Real world
This slide (modified) courtesy of Prof. Terje Aven
In what types of situations
could we have the actual consequences C
not covered by the specified consequences C’?
I. The consequence is outside the scope of the risk assessment
▪ C’ = {human death, human injury}
▪ A’ = {ice throw, ice fall}
▪ C = {animal death}
▪ A = {broken turbine blade thrown to the ground}
II. The consequence is within the scope of the risk assessment, but was not identified in the risk assessment
▪ A’ = {ice throw from turbine blade in operation, ice fall from turbine blade on stopped turbine, ice fall from tower}
▪ RS’ = {weather, wind, other natural conditions}
▪ RS = {maintenance}
Risk source: Element (action, sub-activity, component, system, event, …) which alone or in combination with other elements has the potential to give rise to some specified consequences (typically undesirable consequences) (SRA glossary, 2015).
III. The consequence is within the scope of the risk assessment, and was identified in the risk assessment process, but was not included in the risk assessment due to judged negligible probability
▪ C’ = {person injured by ice block with impact energy > 40 J}
▪ Assumption: Ice blocks with impact energy > 40 J are always fatal
▪ P(fatal|hit energy > 40 J) = 99.9 % => P(not fatal|hit energy > 40 J) = 0.1 %
▪ => P(C’) = negl.
▪ C = {person injured by ice block with impact energy > 40 J}
Uncertainty measure (Q)
Q = (P,SoK)
P(A|K)
Strength of knowledge evaluation (SoK):
• Level of phenomenological understanding / goodness of models
• Amount and relevance of data
• Level of agreement among experts
• Realism of assumptions made
Example: Risk description = (C,P,SoK,K)
6: Win € 36,000
1,2,3,4,5: Pay € 6,000
Risk description = (C,P,SoK,K)
C1: 36,000, P1: 1/6, SoK1 = weak
C2: -6,000, P2: 5/6, SoK2 = weak
K = No data, observed symmetrical die, assumption of fair die
Risk description = (C,P,SoK,K)
C1: 36,000, P1: 1/6, SoK1 = strong
C2: -6,000, P2: 5/6, SoK2 = strong
K = Large amount of data
NUSAP notational system
▪ Numeral
▪ Unit
▪ Spread
▪ Assessment
▪ Pedigree
Qualitative evaluation of uncertainty/value-ladenness
NUSAP – Example: Blowout rate
▪ Numeral: 8.000
▪ Unit: Sm3/day
▪ Spread: [6.500,9.500]
▪ Assessment: 90 %
▪ Pedigree: Pedigree-matrix
«Pedigree» matrix
Score | Theoretical structures | Data-input | Peer-acceptance | Colleague consensus
4 | Established theory | Experimental data | Total | All but cranks
3 | Theoretically based model | Historic / field data | High | All but rebels
2 | Computational model | Calculated data | Medium | Competing schools
1 | Statistical processing | Educated guesses | Low | Embryonic field
0 | Definitions | Uneducated guesses | None | No opinion
Funtowicz & Ravetz (1990)
Pedigree = (3,3,3,4)
NUSAP – Example: Blowout rate
▪ Numeral: 8.000
▪ Unit: Sm3/day
▪ Spread: [6.500,9.500]
▪ Assessment: 90 %
▪ Pedigree: (3,3,3,4)
Q = (P,Pedigree)
Earlier:
1. What can happen (go wrong)?
2. How likely is it that that will happen?
3. If it does happen, what are the consequences?
Now:
1. What can happen (go wrong)?
2. If it does happen, what are the consequences?
3. How likely is it that that will happen and give these consequences?
4. What is the knowledge supporting the likelihood judgments?
5. How strong is this knowledge?
This slide (modified) courtesy of Prof. Terje Aven
Expressing risk
Bow-tie diagram
[Diagram, left to right: Causes; Barriers (preventive); Initiating event (hazard/threat); Barriers (consequence reducing); Consequences. Also labelled: Risk influencing factors (RIFs)]
Black swans
“Rara Avis in terris nigroque
simillima cygno”
(A rare bird in the lands and
very much like a black swan)
Juvenal (ca. 55 - ca. 135)
London, 1600s
Black swans
Swan River, 1696
Black swans
▪ A surprising, extreme event relative to present
knowledge/beliefs (Aven, 2013)
Black swans
A surprise to some
Not a
surprise to
others
This slide (modified) courtesy of Prof. Terje Aven
Was this a black swan?
This slide (modified) courtesy of Prof. Terje Aven
Was this a black swan?
This slide (modified) courtesy of Prof. Terje Aven
Unforeseen (unanticipated) events
Surprising events
Unthinkable (unimaginable) events
Extreme consequences
Types of Black swans
a) Unknown unknowns
b) Unknown knowns
c) Known but not believed to occur because of low judged probability
Black swan: A surprising, extreme event relative to present knowledge/beliefs
This slide (modified) courtesy of Prof. Terje Aven
I. Outlier as it lies outside the realm of regular expectations, because
nothing in the past can convincingly point to its possibility
II. Extreme impact
III. In spite of its outlier status, human nature makes us concoct
explanations for its occurrence after the fact, making it explainable
and predictable
The Black Swan (Taleb, 2007)
This slide (modified) courtesy of Prof. Terje Aven
The perfect storm (2000)
© 2000 - Warner Bros. Entertainment, Inc.
A perfect storm
▪ A rare event that might happen,
where we understand the phenomena involved
Black swans and perfect storms
«Epistemic
uncertainty»
(Lack of
knowledge)
«Aleatory
uncertainty»
(Variation)
Lectures 4 & 5: Quantitative risk
assessment
Probabilistic risk assessment (PRA) (I)
▪ PRA = QRA (quantitative risk assessment) where uncertainty is quantified using probability
▪ A probabilistic risk assessment (PRA) systematizes the knowledge and uncertainties about the phenomena studied
  ▪ What are the possible hazards and threats, their causes and consequences? The knowledge and uncertainties are characterized and described using various probability-based metrics
▪ PRA stages:
  1. Identification of threats/hazards
  2. Cause analysis
  3. Consequence analysis
  4. Probabilistic analysis
  5. Risk description
  6. Risk evaluation
Source: Aven (2008) Risk Analysis. Wiley
Probabilistic risk assessment (PRA) (II)
▪ Traditional frequentist approach
  ▪ Typically applied in situations in which there exists a large amount of relevant data
  ▪ Founded on well-known principles of statistical inference, the use of probability models, the interpretation of probabilities as relative frequencies, point estimates, confidence interval estimation, and hypothesis testing
▪ The Bayesian approach
  ▪ Based on the concept of subjective (judgmental, knowledge-based) probabilities
  ▪ Applied in situations in which there exists only a limited amount of data
  ▪ Based on use of probability models to reflect variation and subjective probability to describe parameter uncertainty
Risk description in a safety context (risk indices/metrics)
▪ IR (Individual Risk): Probability of death for specified person $i$, $p_i$ (figure labels: $p_1, p_2, \dots, p_n$). In practice usually AIR (Average Individual Risk): $\mathrm{AIR} = \mathrm{PLL}/n$
▪ f-N curve (≈ probability distribution no. fatalities): $P(N \ge n')$
▪ FAR (Fatal Accident Rate): Expected number of fatalities during $10^8$ hours. $\mathrm{FAR} = (\mathrm{PLL}/T) \cdot 10^8$, $T$ = exposure time
▪ PLL (Potential Loss of Life): Expected number of fatalities. $\mathrm{PLL} = E N$, $N$ = Number of fatalities
The f-N curve
Risk analysis information input formats
Data
Aspects of interest:
• Quantity/Amount
• Relevance
Expert statements
Models
Models of physical phenomena
Probability models
Data amount/quantity vs relevance
μ
(x1,x2,…,xn)
Xn+1
Extended population
(y1, y2,…,ym)
Low amount of relevant data
Quantity of interest
Less relevant data
Risk analysis information input formats
Data
Aspects of interest:
• Quantity/Amount
• Relevance
Expert statements
Models
Models of physical phenomena
Probability models
Logical models
Physical model
Based on physical laws the effective duration of a flash fire may be derived as
[Equation for $t_{\mathrm{eff}}$ in terms of $k$ and $T$, not legible in this copy]
Yields prediction in risk analysis
Probability model
• $p_i$ = fraction of times the die shows $i$ in the long run, $i = 1, 2, \dots, 6$.
• $X$: Number of failures in a time period
• Poisson model: $P_f(X = k) = \lambda^k e^{-\lambda}/k! = f(k \mid \lambda)$, $E_f X = \lambda$
Immediate
ignition
Not
immediate
ignition
Short release
fraction
Vertical
Horizontal Jet fire, pool
fire, no effect
Jet fire, pool fire,
no effect
Bleve, pool fire,
flash fire, explosion,
no effect
Flash fire, pool
fire, explosion,
no effect
Delayed
ignition
No ignition
Dispersio
n
Residual pool fire
No effect
Logical model - Event tree – Hydrocarbon
release
This slide (modified) courtesy of Prof. Terje Aven
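Event tree - Simple
[Event tree figure: initiating event I; branches A / Not A and B / Not B; end states N=100, N=1, N=0]
This slide (modified) courtesy of Prof. Terje Aven
Probabilistic model based on event tree
[Event tree figure: initiating event I with $q_0 = EX$: Expected number of initiating events; branch probabilities $q_1$ / $1-q_1$ and $q_2$ / $1-q_2$; end states N=100, N=1, N=0]
$p = P_f(N \ge 100) = q_0 q_1 q_2$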
This slide (modified) courtesy of Prof. Terje Aven
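The event-tree model and the safety risk metrics defined earlier (PLL, AIR, FAR, f-N curve), worked through in Python as an added example that is not part of the original slides. The tree shape (A and B giving N=100, A and not B giving N=1, not A giving N=0), the values of q0, q1 and q2, and the 200 persons each exposed 8,760 hours per year are assumptions made for illustration.

```python
"""Added example: evaluate a binary event tree and derive PLL, AIR, FAR and the f-N curve."""
import math


def end_states(q0, tree):
    """Return [(frequency, fatalities)] for every end state of the tree.

    q0   : expected number of initiating events per year (q0 = EX on the slide).
    tree : either an int (number of fatalities N at an end state) or a tuple
           (q, yes_subtree, no_subtree), where q is the branch probability.
    """
    out = []

    def walk(node, freq):
        if isinstance(node, int):
            out.append((freq, node))
            return
        q, yes_branch, no_branch = node
        if not 0.0 <= q <= 1.0:
            raise ValueError("branch probability outside [0, 1]: %r" % q)
        walk(yes_branch, freq * q)
        walk(no_branch, freq * (1.0 - q))

    walk(tree, q0)
    return out


def pll(states):
    """PLL = E[N]: expected number of fatalities per year."""
    return sum(freq * n for freq, n in states)


def fn_curve(states):
    """f-N curve: frequency of end states with at least n fatalities, for each n > 0."""
    levels = sorted({n for _, n in states if n > 0})
    return {n: sum(freq for freq, m in states if m >= n) for n in levels}


def air(states, persons):
    """AIR = PLL / n for n exposed persons."""
    return pll(states) / persons


def far(states, exposure_hours):
    """FAR = (PLL / T) * 10^8, with T the total exposure time in hours per year."""
    return pll(states) / exposure_hours * 1e8


def simple_tree(q1, q2):
    """Assumed shape of the simple tree: I -> A (q1) -> B (q2)."""
    return (q1, (q2, 100, 1), 0)


# Constructed illustration values, not taken from the slides.
Q0, Q1, Q2 = 0.1, 0.05, 0.2
PERSONS = 200
HOURS_PER_PERSON = 8760
STATES = end_states(Q0, simple_tree(Q1, Q2))

if __name__ == "__main__":
    for freq, n in STATES:
        print("N = %3d  frequency = %.4f per year" % (n, freq))
    # For small q0 the frequency q0*q1*q2 approximates the probability P(N >= 100).
    print("f-N curve:", fn_curve(STATES))
    print("PLL = %.4f" % pll(STATES))
    print("AIR = %.2e" % air(STATES, PERSONS))
    print("FAR = %.2f" % far(STATES, PERSONS * HOURS_PER_PERSON))
```

The f-N value at n = 100 reproduces the slide's p = q0 q1 q2; the other metrics are weighted sums over the same end states.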
▪ Simplified risk analysis
  ▪ Qualitative
  ▪ Informal methods: Checklists etc.
▪ Standard risk analysis
  ▪ Qualitative or quantitative
  ▪ Workshops
  ▪ Formalised methods: SJA, HAZOP etc.
▪ Model-based risk analysis
  ▪ Primarily quantitative
  ▪ Fault tree analysis, event tree analysis, etc.
Check list
…
Risk matrix (rows: frequency; columns: consequence)
Frequency | Catastrophe | Very serious | Serious | Less serious | Not serious
> 10 times per year | VH | VH | H | H | M
1-10 times per year | VH | H | H | M | M
once every 1-10 years | H | H | M | L | 3.1,
once every 10-100 years | H | M | M | L | L
< once per 100 years | M | M | L | VL | VL
[Fault tree figure, labels:]
7. Train runs into landslide / train is hit by landslide (rock, soil, snow, etc.)
Or 1
Train runs into landslide
And 1
Landslide on the track
Basic 2
No warning given
Basic 3
The train is unable to stop
80
Train is hit by landslide
Basic 1
[Fault tree figure, labels:]
DIPS fails
Component failure
…………
User error
Voltage drop
Power outage
Weak component
Risk analysis methods
Expectations of a mathematical representation of uncertainty (Bedford and Cooke, 2001)
▪ Axioms
  ▪ Specifying the formal properties of uncertainty.
▪ Interpretations
  ▪ Connecting the primitive terms in the axioms with observable phenomena.
▪ Measurement procedures
  ▪ Providing, together with supplementary assumptions, practical methods for interpreting the axiom system.
1 2 3 4 5 6
1/6 1/6 1/6 1/6 1/6 1/6
Classical probability
This slide (modified) courtesy of Prof. Terje Aven
Pf(A) is the fraction of times the event A occurs if the situation is repeated
(hypothetically) an infinite number of times
Frequentist probability
Subjective probability
• P(A|K) = 0.1
• The assessor compares his/her uncertainty (degree of belief) about the
occurrence of the event A with drawing a specific ball from an urn that
contains 10 balls (Kaplan and Garrick 1981, Lindley, 2000).
K: background knowledge
This slide (modified) courtesy of Prof. Terje Aven
Subjective probability in the media
http://www.aftenbladet.no/lokalt/551553/-_Terror_i_Stavanger_hvert_10000_aar.html
- Terror in Stavanger every 10,000 years
P(terrorist attack against Stavanger|K) = 0,01 %
Analyst:
‘Given (i.e., conditional on) my background knowledge (K),
I judge that a terrorist attack against Stavanger next year is
equally likely as drawing a red ball from an urn containing
the one red ball and 9,999 blue balls.’
Subjective probability
Probability - Overview
▪ Classical
  ▪ $P_c(A)$ = Number of outcomes resulting in A / Total number of possible outcomes
▪ Frequentist
  ▪ $P_f(A) = \lim_{n \to \infty} n_A/n$, where $n_A$ is the number of occurrences of the event A in n trials
▪ Subjective
  ▪ P(A) expresses a degree of belief
  ▪ Reference to a standard for uncertainty: P(A) = p implies that the event A is considered equally likely as a standard event S with measure m(S) = p, e.g. drawing a red ball from an urn containing p x 100 % red balls
  ▪ Betting interpretation: P(A) is the price at which the person assigning the probability is neutral between buying and selling a ticket that is worth one unit of payment if the event occurs and worthless if not
Treatment of uncertainty in risk assessment
‘There is only one kind of uncertainty stemming from our lack of knowledge concerning the truth of a proposition, ... ’
Apostolakis GE (1990) The concept of probability in safety assessments of technological systems. Science, 250: 1359-1364.
This slide (modified) courtesy of Prof. Terje Aven
Treatment of uncertainties in risk assessment
▪ Uncertainty analysis framework
  ▪ A model g with parameters (input quantities) X is used to predict the quantity of interest Z
  ▪ In a PRA/QRA, the quantities Z and X would typically be indicator quantities for events (e.g. X = I(A), where I is the indicator function and A an event of interest), or observable quantities (e.g. X = number of fatalities) or non-observable parameters on the real line (e.g. X = λ = failure rate of some equipment)
Model uncertainty
▪ Model error
  ▪ The difference ∆g(X) = Z – g(X)
▪ Model output uncertainty
  ▪ Uncertainty about the model error ∆g(X)
▪ Structural model uncertainty
  ▪ Uncertainty about the difference ΔG(X_true), when the true value X_true of the parameter (input quantity) X is known
▪ Parameter (input quantity) uncertainty
  ▪ Uncertainty (due to lack of knowledge) about the true value of the input quantities X
Aven T & Zio E (2013) Model output uncertainty in risk assessment. International Journal of Performability Engineering, 9(5): 101-116
Methods for representing and characterizing
uncertainties in risk assessment
▪ Two main concerns to be balanced (Aven & Zio, 2011):
▪ Knowledge should, as far as possible, be “inter-subjective” in the sense that the
representation corresponds to “documented and approved” information and
knowledge (“evidence”); the methods and models used to treat this knowledge should
not add information that is not there, nor ignore information that is there
▪ Analysts’ judgments (“degrees of belief”) should be clearly reflected (“judgments”)
Methods of uncertainty propagation (I)
▪ Level 1 uncertainty propagation setting
  ▪ Example: Throw of two fair dice, where the sum of the number of eyes on the two dice is subject to aleatory uncertainty, and the aleatory uncertainty of the outcome of a single die is reflected by a multinomial probability model with parameters θ = (θ1,θ2,θ3,θ4,θ5,θ6)
  ▪ Let W = X1 + X2, where Xi is the number of eyes on die i, then
  ▪ W ~ distr(θ), where θ is known
  ▪ Model: W = g(X1,X2,θ)
▪ Level 2 uncertainty propagation setting
  ▪ Example: Throw of a single die, where the occurrence of a ‘6’ is subject to aleatory uncertainty and this uncertainty is characterized by a binomial probability model with parameter θ, which is again subject to epistemic uncertainty and characterized by, for example, a (subjective) beta probability distribution
  ▪ Let Y equal 1 if a ‘6’ occurs and 0 otherwise, then
  ▪ Y ~ Binomial(θ), and
  ▪ θ ~ Beta(α,β), where α,β are so-called hyperparameters
  ▪ Model: g(Y,θ)
Fixed (known) quantity
Uncertain quantity
Epistemic
uncertainty
Aleatory
uncertainty
Methods of uncertainty propagation (II)
X ~ Binomial(θ)
Level 2 uncertainty propagation setting
Methods of uncertainty propagation (III)
▪ Level 1 uncertainty propagation setting
  ▪ The input quantities (X1,…,XN) are divided into a group (X1,…,Xn), 1≤n≤N, subject to aleatory uncertainty, and a group (Xn+1,…,XN), subject to epistemic uncertainty
  ▪ The frequentist probability distribution of (X1,…,Xn) is perfectly known (including parameter values), i.e. not subject to epistemic uncertainty
▪ Level 2 uncertainty propagation setting
  ▪ The input quantities (X1,…,XN) are subject to aleatory uncertainty described by frequentist probabilities with parameters θ subject to epistemic uncertainty, i.e.:
  ▪ Level I: Aleatory uncertainty characterized by frequentist probabilities with uncertain parameters θ
  ▪ Level II: Epistemic uncertainty about θ characterised by some uncertainty representation (subjective probability, possibility theory, evidence theory, …)
Uncertainty representation and propagation
in the risk assessment of a process plant (I)
▪ Case description
▪ System: Process plant
▪ Activity: Operation of the control room, which is placed in the compressor module
▪ Purpose: Assess risk to the operators (two persons) as a result of possible fires and explosions in the module
▪ Decision problem: Whether to move the control room out of the module or to implement some risk reducing measures
115
Uncertainty representation and propagation
in the risk assessment of a process plant (II)
116
System: Status quo
Uncertainty representation:
Standard Bayesian
System: Status quo
Uncertainty representation:
Alternative/predictive Bayesian
Reflection exercise
Pros and cons of standard Bayesian
vs alternative/predictive Bayesian
Modelling
▪ Event tree
▪ A gas leak
▪ X number of gas leaks
▪ B1 ignition of gas
▪ B2 explosion
▪ N number of fatalities for scenario
▪ Y total number of fatalities
117
The standard Bayesian approach (I)
▪ Application in a nutshell
▪ Input uncertain quantities:
▪ number of initiating events, X
▪ outcome of branching events, B1 and B2
▪ Poisson distribution rate parameter λ
▪ event tree branching event chances, θ1 and θ2
▪ Output quantity:
▪ number of fatalities, Y
▪ Model:
▪ See next slide
The assessment concerns computation of the probability distribution of the number of fatalities, Y.
▪ Type of uncertainty on the input quantities:
▪ aleatory on X, B1 and B2
▪ epistemic on λ, θ1 and θ2
▪ Uncertainty propagation setting:
▪ level 2
The standard Bayesian approach (II)
▪ Bayesian updating machinery
▪ First establish a probability model, then assign a prior distribution on the parameter of interest. Next use Bayes’s Theorem to establish the posterior distribution, and finally compute the predictive distribution using the law of total probability.
▪ Predictive distribution
▪ $p(y|K) = P(Y=y|K) = \sum_x \int_{\theta_1}\int_{\theta_2}\int_{\lambda} p(y|x,\theta_1,\theta_2)\, p(x|\lambda)\, f(\lambda,\theta_1,\theta_2|K)\, d\lambda\, d\theta_1\, d\theta_2$
where $p(0|x,\theta_1,\theta_2) = (1-\theta_1)^x$, $p(1|x,\theta_1,\theta_2) = x(1-\theta_1)^{x-1}\theta_1(1-\theta_2)$, …
▪ Probability models
▪ Poisson: $p(x|\lambda) = \lambda^x e^{-\lambda}/x!$
▪ Binomial: $p(B_i|\theta_i) = \theta_i$, $i = 1,2$
▪ Priors
▪ Gamma: $f(\lambda|K) = b^a \lambda^{a-1} e^{-b\lambda}/\Gamma(a)$
▪ Beta: $f(\theta_i|K) = \theta_i^{\alpha_i-1}(1-\theta_i)^{\beta_i-1}/B(\alpha_i,\beta_i)$, $i = 1,2$
▪ K = background knowledge (e.g. general information from similar situations, more or less relevant historical data from similar situations, expert judgments)
The standard Bayesian approach (III)
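▪ Likelihood (Poisson): $P(X=x|\lambda) = \frac{\lambda^x}{x!} e^{-\lambda}$
▪ Prior (Gamma): $f(\lambda) = \frac{b^a}{\Gamma(a)} \lambda^{a-1} e^{-b\lambda}$
▪ Prior predictive: $P(X=x) = \int_0^\infty P(X=x|\lambda)\, f(\lambda)\, d\lambda$
▪ Posterior (Gamma): $f(\lambda|y) = \frac{(b+n)^{a+\sum_{i=1}^n y_i}}{\Gamma(a+\sum_{i=1}^n y_i)} \lambda^{a+\sum_{i=1}^n y_i-1} e^{-(b+n)\lambda}$, where $y = (y_1, y_2, \ldots, y_n)$
▪ Posterior predictive: $P(X=x|y) = \int_0^\infty P(X=x|\lambda)\, f(\lambda|y)\, d\lambda$
[Figure: plot of the Gamma(5,5) density]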
An alternative (predictive Bayesian) approach based
on subjective probabilities (I)
▪ Application in a nutshell
▪ Input uncertain quantities:
▪ number of initiating events, X
▪ outcome of branching events, B1 and B2
▪ Output quantity:
▪ number of fatalities, Y
▪ Model:
▪ See next slide
The assessment concerns computation of the probability distribution of the number of
fatalities, Y:
▪ Type of uncertainty on the input quantities:
▪ epistemic on X, B1 and B2
▪ Uncertainty propagation setting:
▪ level 1
121
An alternative (predictive Bayesian) approach based
on subjective probabilities (II)
▪ Predictive distribution
▪ p(y|K) = P(Y=y|K) = ∑x p(y|x,θ1,θ2) p(x|K)
▪ X ~ Poisson(λ)
▪ Data/observations of X previous years: (1,1,2,0,1)
▪ Observed mean equal to 1
▪ Rather strong background information
▪ Use the Poisson distribution with mean 1
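The two approaches can be compared numerically on the leak data (1,1,2,0,1). The following is an added example, not part of the lecture: it evaluates P(Y=0|K) and P(Y=1|K) from the formulas on the standard Bayesian slides and from the predictive Bayesian formula above. The Gamma and Beta hyperparameters, the independence of λ, θ1 and θ2, and the use of prior means as the subjective branch probabilities are assumptions made for illustration.

```python
"""Added example: P(Y=0|K) and P(Y=1|K) under the two approaches.

Standard Bayesian (level 2): lambda ~ Gamma, theta_i ~ Beta, integrated out.
Predictive Bayesian (level 1): X ~ Poisson(1), branch probabilities assigned directly.
Hyperparameters are assumed; lambda, theta1, theta2 are taken as independent.
"""
from math import exp, lgamma, log

DATA = (1, 1, 2, 0, 1)     # observed number of gas leaks per year (from the slides)
A0, B0 = 1.0, 1.0          # assumed Gamma prior on lambda (shape a, rate b)
AL1, BE1 = 1.0, 9.0        # assumed Beta prior on theta1 (ignition), mean 0.1
AL2, BE2 = 1.0, 4.0        # assumed Beta prior on theta2 (explosion), mean 0.2
X_MAX = 200                # truncation point for the sum over x


def log_beta(a, b):
    return lgamma(a) + lgamma(b) - lgamma(a + b)


def posterior_gamma(data, a=A0, b=B0):
    """Conjugate update: Gamma(a, b) -> Gamma(a + sum(y), b + n)."""
    return a + sum(data), b + len(data)


def nb_predictive(x, a, b):
    """P(X = x | y): Poisson likelihood integrated over Gamma(a, b)."""
    return exp(lgamma(a + x) - lgamma(a) - lgamma(x + 1)
               + a * log(b / (b + 1.0)) - x * log(b + 1.0))


def poisson(x, lam):
    return exp(x * log(lam) - lam - lgamma(x + 1))


def beta_moment(j, k, al, be):
    """E[theta^j (1 - theta)^k] for theta ~ Beta(al, be)."""
    return exp(log_beta(al + j, be + k) - log_beta(al, be))


def standard_bayesian():
    """P(Y=0|K), P(Y=1|K) with lambda, theta1 and theta2 integrated out."""
    a, b = posterior_gamma(DATA)
    p0 = sum(beta_moment(0, x, AL1, BE1) * nb_predictive(x, a, b)
             for x in range(X_MAX))
    no_explosion = beta_moment(0, 1, AL2, BE2)      # E[1 - theta2]
    p1 = sum(x * beta_moment(1, x - 1, AL1, BE1) * no_explosion
             * nb_predictive(x, a, b) for x in range(1, X_MAX))
    return p0, p1


def predictive_bayesian(lam=1.0):
    """Same probabilities with X ~ Poisson(lam) and point branch probabilities."""
    t1 = AL1 / (AL1 + BE1)   # P(B1|K), set to the prior mean for comparability
    t2 = AL2 / (AL2 + BE2)   # P(B2|B1,K)
    p0 = sum((1 - t1) ** x * poisson(x, lam) for x in range(X_MAX))
    p1 = sum(x * (1 - t1) ** (x - 1) * t1 * (1 - t2) * poisson(x, lam)
             for x in range(1, X_MAX))
    return p0, p1


if __name__ == "__main__":
    print("standard Bayesian   P(Y=0), P(Y=1):", standard_bayesian())
    print("predictive Bayesian P(Y=0), P(Y=1):", predictive_bayesian())
```

Both approaches use a mean of one leak per year, yet the standard Bayesian P(Y=0|K) is larger because averaging over the epistemic distributions of λ and θ1 spreads the predictive distribution.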
122
Poisson approximation
[Figure: timeline running from “Now” over one year, starting with day 1]
Observed 5 events in 5 years, i.e. on average 1 event during a year
P(event) = 5/(365 x 5)
P(event) = (5+d1)/(365x5+1), where d1 = 1 if an event occurs during day 1 and 0 otherwise
X = X1 + X2 + …, where Xi is the number of events in day i
X ≈ Poisson(1)
Verification of Poisson approx. result (I)
T = 1 (length of time interval)
(x1,x2,x3,x4,x5) = (1,1,2,0,1)
n = 5 (number of observations)
q = 1 (average in observations)
k = 10^4 (number of time periods in time interval T)
d1 = (0,0,…,0), where |d1| = M = 10^5 (number of simulations)
pi = (di + q*n) ./ ((i-1) + n*k)
i = 1: p1 = (1/10000,1/10000,…,1/10000,1/10000), since (0+1*5)/(0+5*10000) = 5/50000 = 1/10000
ri = (ri1,ri2,…,riM), where rij = rand(0,1)
i = 1: r1 = (0.34, 6.7*10^-5, 0.56, 0.89, …, 1.2*10^-6, 0.25)
for all j such that pij > rj, dij = dij + 1
i = 1 d1 = (0,1,0,0,0,0,0,1,0,0,1,1,…,0,1,0)
Repeat for i = 1,2,…,k
i = 2 p2 = (5/50001,6/50001,…,6/50001,5/50001)
…
i = k dk = (3,2,5,0,0,1,1,4,…,6,1,3)
P(X=x) = (#x in dk) / M
Verification of Poisson approx. result (II)
125
R code:
## Verification of Poisson approximation of the number of times an event occurs during a time period
## where events occur independently of each other and cannot occur at the same time
# Input
L = 1 # length of time interval
k = 10^4 # number of time periods in the time interval
M = 10^5 # number of simulations
n = 5 # number of observations
q = 1 # average number of events per time interval observed in data
# Simulation
d = array(0,c(M,1)) # make a vector of M zeros
for (i in 1:k){
p = (d + q*n) / ((i-1) + n*k) # vector of probabilities of events in time interval i
r = runif(M) # vector of M random numbers uniform between 0 and 1
plusone = p > r # identify which elements of p are greater than the generated random numbers
d[plusone] = d[plusone] + 1 # add 1 to the plusone elements, indicating that an event has occurred there
}
z = table(d)/M # Relative frequencies of the number of events
x = 0:10 # Range of the Poisson distribution simulated here - used for plotting and comparing
y = dpois(x,q) # Values of the Poisson distribution given the estimated intensity of q
# Make bar chart
plot(range(x),c(0,1),type='n',xlab='Number of events',ylab='Relative frequency')
lines(table(d)/M,lwd=10,col='gray')
lines(x,y,type='h',col='red',lwd=3)
legend('topright',c('Poisson distribution','Simulated freq.'),col=c('red','gray'),lwd=c(3,3))
Verification of Poisson approx. result (III)
126
Pros and cons of predictive Bayesian
approach
127
Pros Cons
Aven T (2012) On when to base Event Trees and Fault Trees on Probability Models and Frequentist Probabilities in
Quantitative Risk Assessments. International Journal of Performability Engineering, 8(3): 311-320.
«Hidden slide» - to be used in presentation but not to be included in distributed version
Pros and cons of standard Bayesian approach
129
Pros Cons
Aven T (2012) On when to base Event Trees and Fault Trees on Probability Models and Frequentist Probabilities in
Quantitative Risk Assessments. International Journal of Performability Engineering, 8(3): 311-320.
«Hidden slide» - to be used in presentation but not to be included in distributed version
Risk-based versus risk-informed decision-
making
▪ ‘I wish to make one thing very clear: QRA results are never the
sole basis for decision making by responsible groups. In other
words, safety-related decision making is risk-informed, not
risk-based.’
Apostolakis (2004)
131
Risk-informed decision-making
132
Lecture 6: Quantitative risk assessment
applications
133
Offshore QRAs in Norway
▪ NORSOK Standard Z-013 (ed. 3, 2010) Risk and emergency
preparedness assessment:
▪ ‘Structured around the following main elements:
▪ use of risk and emergency preparedness assessment as a basis for decision-making. General requirements for planning and execution of risk and emergency preparedness assessments regardless of activity and life cycle phase;
▪ specific requirements for planning and execution of risk and emergency preparedness assessments for different activities and life cycle phases;
▪ the relation between the risk and emergency preparedness assessments, especially the integration of the two types of assessments into one overall assessment process.’
Offshore QRA
135
General requirements
Life cycle-specific requirements
Escape,
evacuation and
rescue
Strong
explosion
Escalation of
fire
Ignited leak
Ignition
Loss of containment
Containment barrier:
•Inspection
•Maintenance
•Operation
•Design
Barrier to prevent escalation:
•Fire detection
•Fire water
•Passive fire protection
•Fire walls
•ESD/Blowdown
Barrier to prevent fatalities:
•Emergency power and lighting
•Alarm and communication
•Evacuation means
•Etc.
Barrier to reduce cloud/pool size:
•Ventilation
•Drain system
•ESD/Blowdown
Barrier to prevent strong explosions:
•Layout
•Deluge
•Blast walls and panels
•Etc.
Barrier to control ignition sources:
•Gas detection
•Ignition source isolation
•Area classification
•Control of hot work
• Barrier function (e.g. detect gas leak)
• Barrier system (e.g. gas detection system)
• Barrier element (e.g. gas detector)
Barrier focus
The risk and emergency preparedness
process
137
NORSOK Z-013 (ed. 3, 2010)
The risk assessment process
▪ Forward approach
▪ Initiating events
▪ E.g. gas leakages
▪ Backwards approach
▪ Main safety functions
▪ E.g. impairment of safe area
Offshore QRA build-up
[Figure: layers of an offshore QRA]
▪ Events and consequences
▪ Event: medium process leak, ignition, explosion
▪ Consequences: explosion overpressure, impairment of main structural integrity, death by specific person, number of fatalities
▪ Background knowledge: discrete leak rates, generic leak frequency, event tree model, explosion model, personnel distribution assumption, …
▪ Probabilities and expected values: leak frequency, probability of ignition, probability of explosion, probability of main safety function impairment, probability distribution/prediction interval overpressure, probability distribution no. fatalities
▪ Sensitivity and risk reducing measures: effect on impairment frequencies and fatality probabilities of altered input parameters and risk reduction measures
QRA assumptions
▪ A full blowout will be represented by a blowout rate of 50% of the maximum rate
▪ Probability of pre-warning of personnel in case of a blowout (production) = 20 %
▪ Blowout potential: 80 kg/s
▪ Adjustment factor for blowout frequencies (relative to SINTEF blowout data basis): 2 (due to high pressure and temperature in the reservoir)
▪ Well-activity; number of wells drilled: 6, number of wireline operations: 2, coiled tubing operations: 3 …
▪ No hotwork activity and no rotating equipment will be in use in the operational phase
▪ Ignition probability for well releases: 2%
▪ Number of immediate fatalities per blowout (immediate ignition): 1
▪ Manning distribution
▪ Number of lifts/year
▪ Restrictions for lifting operations …
▪ The jacket structure will withstand a ship energy of 9 MJ
▪ Time to failure of structure when subject to a sustained sea pool fire …: 15 min.
▪ Failure probability on demand for ESD valve: 1 %
▪ If the leak is not successfully detected (within the first 30 s.) a 60 seconds delay is assumed
▪ …
Uncertainty in offshore QRAs
▪ ‘5) a discussion of uncertainty, including the following aspects:
▪ i. the perspective on risk used in the assessment, e.g. classical, statistical, probability of frequency, combined classical and Bayesian, Bayesian, Predictive approach;
▪ ii. the effect and level of uncertainty given the adopted perspective and the context for the assessment (including the ‘system boundaries’ and ‘system basis’) compared to the ‘actual’ or ‘real’ systems and/or activities of interest;
▪ iii. possible implications for the main results;
▪ iv. occurrence of unexpected outcomes, as a result of invalid assumptions and premises, or insufficient knowledge.
▪ 6) if used, define and/or discuss the meaning of terms and quantities like: probability, frequency, mean value, expected values, conservative side, conservative approach, etc.,
▪ 7) factors such as divergence of opinion amongst experts or limitations of the modelling should be stated and may need to be highlighted.’
NORSOK Z-013 (ed. 3, 2010)
Infrastructure Risk Analysis: An Overview
Seth Guikema
This slide courtesy of Dr. Seth D. Guikema
Infrastructure Risk Analysis: Traditional Components
1. Hazard model
• What is the hazard?
• How intense is the hazard?
• How likely are the different levels of intensity of the hazard?
• What is the spatial distribution of the hazard loading?
2. Infrastructure performance model
• How does the infrastructure respond to the hazard loading at each location?
• How does the collective system behave in response to individual asset behavior?
• How do (inter)dependencies between systems affect the propagation of failures?
3. Consequence Model
• How bad are the consequences for society for a given level of infrastructure performance?
• What are the economic costs? How many deaths are there? What are
This slide courtesy of Dr. Seth D. Guikema
The Classic Example: HAZUS
• US FEMA (Federal Emergency Management Agency) software for natural hazards risk analysis
• Focused on infrastructure and buildings
• Flood, earthquake, hurricane, and tsunami modules
• Includes:
• Hazard model
• Building models (fragility-based)
• Infrastructure models (fragility-based)
• Loss models (focused on economics)
This slide courtesy of Dr. Seth D. Guikema
Hazard Model Example
This slide courtesy of Dr. Seth D. Guikema
Fragility Curve Example
This slide courtesy of Dr. Seth D. Guikema
How It Works
This slide courtesy of Dr. Seth D. Guikema
Example of Output from HAZUS
This slide courtesy of Dr. Seth D. Guikema
(Some of the) Problems with HAZUS
• Fragility curves are at the core of HAZUS, yet:
• Fragility curves used for many types of infrastructure are out of date
• Fragility curves are generally unidimensional – do not account for multiple hazard stressors and their impact on their collective impact system
• Some flood researchers are concerned about the accuracy of the flood model
• Does not explicitly account for changes in building stock, sea level rise, or behavioral adaptation over time – models what happens based on current infrastructure, buildings, and sea levels
• Does not do a strong job of accounting for uncertainty
This slide courtesy of Dr. Seth D. Guikema
Alternatives
Alternatives to HAZUS exist:
• MAEviz – same idea, but updated information
• Approaches based on economic input-output models
• More detailed physical simulation models
• Statistical approaches
This slide courtesy of Dr. Seth D. Guikema
(Ref. Aven 2009)
Identifying safety and security critical
systems
151
Identification of critical systems (activities)
▪ Why identify critical systems?
152
S1
S2
S3
S4
S5
S6
S7
S8
S9
S10
Task
▪ Identify 10 critical
systems/infrastructures in the
city of Milano and rank these
according to their level of
criticality
153
Critical system
▪ A system is considered critical if its failure or malfunction may result in severe consequences, for example related to loss of lives, environmental damage or economic loss
(Falla 1997)
▪ A critical system is a system that, when failing, would seriously disrupt society
(Gheorge 2006)
154
Critical infrastructure
▪ organizations and facilities of key importance to public interest whose failure or impairment could result in detrimental supply shortages, substantial disturbance to public order or similar dramatic impact
(Gheorge 2006)
▪ those systems and assets — both physical or cyber, so vital to the Nation that their incapacity or destruction would have a debilitating impact on national economic security, and/or public health or safety
US National Infrastructure Protection Plan
155
Criticality measures
▪ Disutility of minimal cut sets
(Apostolakis & Lemon 2005)
▪ [criticality refers to] the product of probability and importance (conditional criticality), where importance reflects the increase in travel cost when a link in the network is closed
(Jenelius 2006)
▪ Traditional risk and reliability importance measures
▪ Birnbaum’s measure: The sensitivity (partial derivative) of the reliability (risk) measure with respect to the parameter, for example the reliability of a safety barrier.
▪ Improvement potential (also referred to as the risk reduction worth): the risk measure contribution from a specific system, determined by calculating the difference in the risk indices by assuming that the system has no failures or malfunctions.
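The two traditional importance measures can be computed directly from a system's structure function. The following is an added example, not part of the lecture: the barrier system (a gas detector in series with two redundant ESD valves) and its reliabilities are constructed for illustration.

```python
"""Added example: Birnbaum's measure and improvement potential."""
from itertools import product

# Constructed barrier system (not from the slides): the barrier works if the
# gas detector works and at least one of two redundant ESD valves closes.
RELIABILITY = {"detector": 0.95, "esd_valve_1": 0.99, "esd_valve_2": 0.99}


def structure(state):
    """Structure function: 1 (truthy) if the barrier functions in this state."""
    return state["detector"] and (state["esd_valve_1"] or state["esd_valve_2"])


def system_reliability(p, phi=structure):
    """h(p): sum the probabilities of all component states in which phi holds.

    Components are assumed to fail independently of each other.
    """
    names = list(p)
    total = 0.0
    for bits in product((0, 1), repeat=len(names)):
        state = dict(zip(names, bits))
        if phi(state):
            prob = 1.0
            for name, bit in state.items():
                prob *= p[name] if bit else 1.0 - p[name]
            total += prob
    return total


def birnbaum(p, comp):
    """Partial derivative of h with respect to p[comp]: h(1_i, p) - h(0_i, p)."""
    return (system_reliability({**p, comp: 1.0})
            - system_reliability({**p, comp: 0.0}))


def improvement_potential(p, comp):
    """Gain in h if the component never failed: h(1_i, p) - h(p)."""
    return system_reliability({**p, comp: 1.0}) - system_reliability(p)


def ranking(p, measure):
    """Components ordered from most to least important under a measure."""
    return sorted(p, key=lambda comp: measure(p, comp), reverse=True)


if __name__ == "__main__":
    for comp in RELIABILITY:
        print(comp, birnbaum(RELIABILITY, comp),
              improvement_potential(RELIABILITY, comp))
```

The detector dominates under both measures because the valve redundancy masks a single valve failure, while nothing backs up the detector.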
156
157
A system or activity is critical if
1. the vulnerability is high 2. the risk is high
?
Example: Identifying safety critical systems
in a process plant
158
Safety critical system => More frequent inspection and testing
Example: Identifying safety critical systems
in a process plant
159
System 1
Failure mode   Expected consequences (given failure)
F1             1 day shutdown
F2             2 days shutdown
F3             100 days shutdown
System 2
Failure mode   Expected consequences (given failure)
F4             0.1 day shutdown
F5             10 days shutdown
F6             10 days shutdown
A risk-informed approach
▪ Candidates for a risk index expressing criticality
▪ Expected loss E[C], given by the product P(A) E[C|A]
▪ No distinction between low probability/high consequence situations and high probability/low consequence situations
▪ A rigorous way of establishing the probabilities may be lacking (e.g. in relation to intentional events)
▪ Not necessarily in line with the preferences of the decision-maker, who may be risk averse
▪ Expected disutility E[u(C)], where u is a utility function reflecting the preferences of the decision-maker
▪ A rigorous way of establishing the probabilities may be lacking (e.g. in relation to intentional events)
▪ Specifying the utility function may be problematic
161
An alternative approach
▪ A safety and security critical system (activity) is
a system contributing significantly to risk,
where risk is adequately defined.
162
An alternative approach: Criticality
measures
▪ The need for obtaining a ranking tool that would work in
practice, motivates the use of expected values.
▪ However, we need to address the strength of knowledge and uncertainties, as
surprising consequences (outcomes) may occur when seen in relation to the expected
values.
▪ As vulnerability is an important aspect of risk, the vulnerabilities need to be
highlighted.
163
Steps
1. Identify a list of systems for evaluation
2. Identify possible initiating events A
3. Define categories of consequences C (severity classification)
4. Rank the systems according to vulnerability using E[C|A], i.e. the expected consequences given the occurrence of A
5. Assign probabilities for the events A, calculate the unconditional expected consequences, EC, by EC = P(A) x E[C|A], and rank the systems according to EC
6. Assess strength of knowledge related to, and uncertainties in, underlying phenomena and processes that could result in surprises relative to EC, and adjust the ranking based on this assessment
164
Risk description
165
Categorising risk in a practical setting
166
Expected value risk calculations   Overall risk assessment
Low                                Low
Medium                             Medium
High                               High
Reclassification (if the uncertainties in underlying phenomena and processes are very large)
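The ranking steps and the reclassification rule above can be traced on the two-system process plant example. The following is an added example, not part of the lecture: the failure modes and their expected consequences are taken from the example slide, while the yearly probabilities, the category thresholds, the weak-knowledge flag and the treatment of failure modes as mutually exclusive are constructed assumptions.

```python
"""Added example: steps 4-6 of the criticality ranking on the two-system case."""
from dataclasses import dataclass

CATEGORIES = ("Low", "Medium", "High")
THRESHOLDS = (0.5, 1.5)   # assumed EC cut-offs, expected shutdown days per year


@dataclass
class System:
    name: str
    modes: dict                   # mode -> (assumed P(A) per year, E[C|A] in days)
    weak_knowledge: bool = False  # step 6 judgement: large uncertainties?

    def p_failure(self):
        # Failure modes are treated as mutually exclusive (assumption).
        return sum(p for p, _ in self.modes.values())

    def expected_consequence(self):
        """Step 5: EC = sum over modes of P(A) x E[C|A]."""
        return sum(p * c for p, c in self.modes.values())

    def vulnerability(self):
        """Step 4: expected consequences given that some failure mode occurs."""
        return self.expected_consequence() / self.p_failure()


def category(system, adjust=True):
    """Category from EC, moved up one class if the knowledge is weak."""
    ec = system.expected_consequence()
    idx = sum(ec >= t for t in THRESHOLDS)
    if adjust and system.weak_knowledge:
        idx = min(idx + 1, len(CATEGORIES) - 1)
    return CATEGORIES[idx]


def rank(systems, key):
    return [s.name for s in sorted(systems, key=key, reverse=True)]


# Consequences from the slide; probabilities and the flag are constructed.
SYSTEMS = [
    System("System 1", {"F1": (0.01, 1), "F2": (0.01, 2), "F3": (0.01, 100)},
           weak_knowledge=True),
    System("System 2", {"F4": (0.1, 0.1), "F5": (0.1, 10), "F6": (0.1, 10)}),
]

if __name__ == "__main__":
    print("by vulnerability:", rank(SYSTEMS, System.vulnerability))
    print("by EC:           ", rank(SYSTEMS, System.expected_consequence))
    for s in SYSTEMS:
        print(s.name, category(s, adjust=False), "->", category(s))
```

With these inputs System 1 ranks first on vulnerability, System 2 ranks first on EC, and the weak knowledge about System 1 moves it from Medium to High.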
Summary
167
Common idea: Safety and security critical systems can be identified by considering vulnerabilities and the expected consequences given system failures and malfunctions
Alternative approach: Risk-informed approach looking beyond expected values and probabilities