EISG in Risk Analysis

Risk Analysis is the official journal of the Society for Risk Analysis and publishes peer-reviewed, original research on both the theory and practice of risk. The application areas are vast. Below are articles with particular relevance to the Engineering and Infrastructure Specialty Group.

May 2018

An Emerging New Risk Analysis Science: Foundations and Implications
To solve real‐life problems—such as those related to technology, health, security, or climate change—and make suitable decisions, risk is nearly always a main issue. Different types of sciences are often supporting the work, for example, statistics, natural sciences, and social sciences. Risk analysis approaches and methods are also commonly used, but risk analysis is not broadly accepted as a science in itself. A key problem is the lack of explanatory power and large uncertainties when assessing risk. This article presents an emerging new risk analysis science based on novel ideas and theories on risk analysis developed in recent years by the risk analysis community. It builds on a fundamental change in thinking, from the search for accurate predictions and risk estimates, to knowledge generation related to concepts, theories, frameworks, approaches, principles, methods, and models to understand, assess, characterize, communicate, and (in a broad sense) manage risk. Examples are used to illustrate the importance of this distinct/separate risk analysis science for solving risk problems, supporting science in general and other disciplines in particular.

People's Risk Recognition Preceding Evacuation and Its Role in Demand Modeling and Planning
Evacuation planning and management involves estimating the travel demand in the event that such action is required. This is usually done as a function of people's decision to evacuate, which we show is strongly linked to their risk awareness. We use an empirical data set, which shows tsunami evacuation behavior, to demonstrate that risk recognition is not synonymous with objective risk, but is instead determined by a combination of factors including risk education, information, and sociodemographics, and that it changes dynamically over time. Based on these findings, we formulate an ordered logit model to describe risk recognition combined with a latent class model to describe evacuation choices. Our proposed evacuation choice model along with a risk recognition class can evaluate quantitatively the influence of disaster mitigation measures, risk education, and risk information. The results obtained from the risk recognition model show that risk information has a greater impact in the sense that people recognize their high risk. The results of the evacuation choice model show that people who are unaware of their risk take a longer time to evacuate.

Public Response to a Near‐Miss Nuclear Accident Scenario Varying in Causal Attributions and Outcome Uncertainty
Many studies have investigated public reactions to nuclear accidents. However, few studies focused on more common events when a serious accident could have happened but did not. This study evaluated public response (emotional, cognitive, and behavioral) over three phases of a near‐miss nuclear accident. Simulating a loss‐of‐coolant accident (LOCA) scenario, we manipulated (1) attribution for the initial cause of the incident (software failure vs. cyber terrorist attack vs. earthquake), (2) attribution for halting the incident (fail‐safe system design vs. an intervention by an individual expert vs. a chance coincidence), and (3) level of uncertainty (certain vs. uncertain) about risk of a future radiation leak after the LOCA is halted. A total of 773 respondents were sampled using a 3 × 3 × 2 between‐subjects design. Results from both MANCOVA and structural equation modeling (SEM) indicate that respondents experienced more negative affect, perceived more risk, and expressed more avoidance behavioral intention when the near‐miss event was initiated by an external attributed source (e.g., earthquake) compared to an internally attributed source (e.g., software failure). Similarly, respondents also indicated greater negative affect, perceived risk, and avoidance behavioral intentions when the future impact of the near‐miss incident on people and the environment remained uncertain. Results from SEM analyses also suggested that negative affect predicted risk perception, and both predicted avoidance behavior. Affect, risk perception, and avoidance behavior demonstrated high stability (i.e., reliability) from one phase to the next.

Review of Regulatory Emphasis on Transportation Safety in the United States, 2002–2009: Public versus Private Modes
The U.S. Department of Transportation is responsible for implementing new safety improvements and regulations with the goal of ensuring limited funds are distributed to where they can have the greatest impact on safety. In this work, we conduct a study of new regulations and other reactions (such as recalls) to fatal accidents in several different modes of transportation implemented from 2002 to 2009. We find that in the safest modes of commercial aviation and bus transport, the amount of spending on new regulations is high in relation to the number of fatalities compared to the regulatory attention received by less safe modes of general aviation and private automobiles. Additionally, we study two major fatal accident investigations from commercial aviation and two major automotive recalls associated with fatal accidents. We find differences in the cost per expected fatality prevented for these reactions, with the airline accident investigations being more cost effective. Overall, we observe trends in both the automotive and aviation sectors that suggest that public transportation receives more regulatory attention than private transport. We also observe that the types of safety remedies utilized, regulation versus investigation, have varying levels of effectiveness in different transport modes. We suggest that these differences are indicative of increased public demand for safety in modes where a third party may be held responsible, even for those not participating in the transportation. These findings have important implications for the transportation industry, policymakers, and for estimating the public demand for safety in new transport modes.

April 2018

Insurance, Public Assistance, and Household Flood Risk Reduction: A Comparative Study of Austria, England, and Romania
In light of increasing losses from floods, many researchers and policymakers are looking for ways to encourage flood risk reduction among communities, business, and households. In this study, we investigate risk‐reduction behavior at the household level in three European Union Member States with fundamentally different insurance and compensation schemes. We try to understand if and how insurance and public assistance influence private risk‐reduction behavior. Data were collected using a telephone survey (n = 1,849) of household decisionmakers in flood‐prone areas. We show that insurance overall is positively associated with private risk‐reduction behavior. Warranties, premium discounts, and information provision with respect to risk reduction may be an explanation for this positive relationship in the case of structural measures. Public incentives for risk‐reduction measures by means of financial and in‐kind support, and particularly through the provision of information, are also associated with enhancing risk reduction. In this study, public compensation is not negatively associated with private risk‐reduction behavior. This does not disprove such a relationship, but the negative effect may be mitigated by factors related to respondents' capacity to implement measures or social norms that were not included in the analysis. The data suggest that large‐scale flood protection infrastructure creates a sense of security that is associated with a lower level of preparedness. Across the board there is ample room to improve both public and private policies to provide effective incentives for household‐level risk reduction.

Scenario Analysis for the Safety Assessment of Nuclear Waste Repositories: A Critical Review
A major challenge in scenario analysis for the safety assessment of nuclear waste repositories pertains to the comprehensiveness of the set of scenarios selected for assessing the safety of the repository. Motivated by this challenge, we discuss the aspects of scenario analysis relevant to comprehensiveness. Specifically, we note that (1) it is necessary to make it clear why scenarios usually focus on a restricted set of features, events, and processes; (2) there is not yet consensus on the interpretation of comprehensiveness for guiding the generation of scenarios; and (3) there is a need for sound approaches to the treatment of epistemic uncertainties.

Optimal Mission Abort Policy for Systems Operating in a Random Environment
Many real‐world critical systems, e.g., aircrafts, manned space flight systems, and submarines, utilize mission aborts to enhance their survivability. Specifically, a mission can be aborted when a certain malfunction condition is met and a rescue or recovery procedure is then initiated. For systems exposed to external impacts, the malfunctions are often caused by the consequences of these impacts. Traditional system reliability models typically cannot address a possibility of mission aborts. Therefore, in this article, we first develop the corresponding methodology for modeling and evaluation of the mission success probability and survivability of systems experiencing both internal failures and external shocks. We consider a policy when a mission is aborted and a rescue procedure is activated upon occurrence of the mth shock. We demonstrate the tradeoff between the system survivability and the mission success probability that should be balanced by the proper choice of the decision variable m. A detailed illustrative example of a mission performed by an unmanned aerial vehicle is presented.

March 2018

Flood Risk Management: Exploring the Impacts of the Community Rating System Program on Poverty and Income Inequality
Flooding remains a major problem for the United States, causing numerous deaths and damaging countless properties. To reduce the impact of flooding on communities, the U.S. government established the Community Rating System (CRS) in 1990 to reduce flood damages by incentivizing communities to engage in flood risk management initiatives that surpass those required by the National Flood Insurance Program. In return, communities enjoy discounted flood insurance premiums. Despite the fact that the CRS raises concerns about the potential for unevenly distributed impacts across different income groups, no study has examined the equity implications of the CRS. This study thus investigates the possibility of unintended consequences of the CRS by answering the question: What is the effect of the CRS on poverty and income inequality? Understanding the impacts of the CRS on poverty and income inequality is useful in fully assessing the unintended consequences of the CRS. The study estimates four fixed‐effects regression models using a panel data set of neighborhood‐level observations from 1970 to 2010. The results indicate that median incomes are lower in CRS communities, but rise in floodplains. Also, the CRS attracts poor residents, but relocates them away from floodplains. Additionally, the CRS attracts top earners, including in floodplains. Finally, the CRS encourages income inequality, but discourages income inequality in floodplains. A better understanding of these unintended consequences of the CRS on poverty and income inequality can help to improve the design and performance of the CRS and, ultimately, increase community resilience to flood disasters.

Hazard Analysis and Safety Requirements for Small Drone Operations: To What Extent Do Popular Drones Embed Safety?
Currently, published risk analyses for drones refer mainly to commercial systems, use data from civil aviation, and are based on probabilistic approaches without suggesting an inclusive list of hazards and respective requirements. Within this context, this article presents: (1) a set of safety requirements generated from the application of the systems theoretic process analysis (STPA) technique on a generic small drone system; (2) a gap analysis between the set of safety requirements and the ones met by 19 popular drone models; (3) the extent of the differences between those models, their manufacturers, and the countries of origin; and (4) the association of drone prices with the extent they meet the requirements derived by STPA. The application of STPA resulted in 70 safety requirements distributed across the authority, manufacturer, end user, or drone automation levels. A gap analysis showed high dissimilarities regarding the extent to which the 19 drones meet the same safety requirements. Statistical results suggested a positive correlation between drone prices and the extent that the 19 drones studied herein met the safety requirements generated by STPA, and significant differences were identified among the manufacturers. This work complements the existing risk assessment frameworks for small drones, and contributes to the establishment of a commonly endorsed international risk analysis framework. Such a framework will support the development of a holistic and methodologically justified standardization scheme for small drone flights.

Community‐Driven Hypothesis Testing: A Solution for the Tragedy of the Anticommons
Shared ownership of property and resources is a longstanding challenge throughout history that has been amplifying with the increasing development of industrial and postindustrial societies. Where governments, project planners, and commercial developers seek to develop new infrastructure, industrial projects, and various other land‐ and resource‐intensive tasks, veto power shared by various local stakeholders can complicate or halt progress. Risk communication has been used as an attempt to address stakeholder concerns in these contexts, but has demonstrated shortcomings. These coordination failures between project planners and stakeholders can be described as a specific kind of social dilemma that we describe as the “tragedy of the anticommons.” To overcome such dilemmas, we demonstrate how a two‐step process can directly address public mistrust of project planners and public perceptions of limited decision‐making authority. This approach is examined via two separate empirical field experiments in Portugal and Tunisia, where public resistance and anticommons problems threatened to derail emerging industrial projects. In both applications, an intervention is undertaken to address initial public resistance to such projects, where specific public stakeholders and project sponsors collectively engaged in a hypothesis‐testing process to identify and assess human and environmental health risks associated with proposed industrial facilities. These field experiments indicate that a rigorous attempt to address public mistrust and perceptions of power imbalances and change the pay‐off structure of the given dilemma may help overcome such anticommons problems in specific cases, and may potentially generate enthusiasm and support for such projects by local publics moving forward.

February 2018

Cyber Risk Management for Critical Infrastructure: A Risk Analysis Model and Three Case Studies
Managing cyber security in an organization involves allocating the protection budget across a spectrum of possible options. This requires assessing the benefits and the costs of these options. The risk analyses presented here are statistical when relevant data are available, and system‐based for high‐consequence events that have not happened yet. This article presents, first, a general probabilistic risk analysis framework for cyber security in an organization to be specified. It then describes three examples of forward‐looking analyses motivated by recent cyber attacks. The first one is the statistical analysis of an actual database, extended at the upper end of the loss distribution by a Bayesian analysis of possible, high‐consequence attack scenarios that may happen in the future. The second is a systems analysis of cyber risks for a smart, connected electric grid, showing that there is an optimal level of connectivity. The third is an analysis of sequential decisions to upgrade the software of an existing cyber security system or to adopt a new one to stay ahead of adversaries trying to find their way in. The results are distributions of losses to cyber attacks, with and without some considered countermeasures in support of risk management decisions based both on past data and anticipated incidents.

Dynamic Blowout Risk Analysis Using Loss Functions
Most risk analysis approaches are static, failing to capture evolving conditions. Blowout, the most feared accident during a drilling operation, is a complex and dynamic event. The traditional risk analysis methods are useful in the early design stage of drilling operation while falling short during evolving operational decision making. A new dynamic risk analysis approach is presented to capture evolving situations through dynamic probability and consequence models. The dynamic consequence models, the focus of this study, are developed in terms of loss functions. These models are subsequently integrated with the probability to estimate operational risk, providing a real‐time risk analysis. The real‐time evolving situation is considered dependent on the changing bottom‐hole pressure as drilling progresses. The application of the methodology and models is demonstrated with a case study of an offshore drilling operation evolving to a blowout.

Providing Limited Local Electric Service During a Major Grid Outage: A First Assessment Based on Customer Willingness to Pay
While they are rare, widespread blackouts of the bulk power system can result in large costs to individuals and society. If local distribution circuits remain intact, it is possible to use new technologies including smart meters, intelligent switches that can change the topology of distribution circuits, and distributed generation owned by customers and the power company, to provide limited local electric power service. Many utilities are already making investments that would make this possible. We use customers' measured willingness to pay to explore when the incremental investments needed to implement these capabilities would be justified. Under many circumstances, upgrades in advanced distribution systems could be justified for a customer charge of less than a dollar a month (plus the cost of electricity used during outages), and would be less expensive and safer than the proliferation of small portable backup generators. We also discuss issues of social equity, extreme events, and various sources of underlying uncertainty.

Assessing the Cost of Large‐Scale Power Outages to Residential Customers
Residents in developed economies depend heavily on electric services. While distributed resources and a variety of new smart technologies can increase the reliability of that service, adopting them involves costs, necessitating tradeoffs between cost and reliability. An important input to making such tradeoffs is an estimate of the value customers place on reliable electric services. We develop an elicitation framework that helps individuals think systematically about the value they attach to reliable electric service. Our approach employs a detailed and realistic blackout scenario, full or partial (20 A) backup service, questions about willingness to pay (WTP) using a multiple bounded discrete choice method, information regarding inconveniences and economic losses, and checks for bias and consistency. We applied this method to a convenience sample of residents in Allegheny County, Pennsylvania, finding that respondents valued a kWh for backup services they assessed to be high priority more than services that were seen as low priority ($0.75/kWh vs. $0.51/kWh). As more information about the consequences of a blackout was provided, this difference increased ($1.2/kWh vs. $0.35/kWh), and respondents' uncertainty about the backup services decreased (Full: $11 to $9.0, Partial: $13 to $11). There was no evidence that the respondents were anchored by their previous WTP statements, but they demonstrated only weak scope sensitivity. In sum, the consumer surplus associated with providing a partial electric backup service during a blackout may justify the costs of such service, but measurement of that surplus depends on the public having accurate information about blackouts and their consequences.

A Reliability‐Based Capability Approach
This article proposes a rigorous mathematical approach, named a reliability‐based capability approach (RCA), to quantify the societal impact of a hazard. The starting point of the RCA is a capability approach in which capabilities refer to the genuine opportunities open to individuals to achieve valuable doings and beings (such as being mobile and being sheltered) called functionings. Capabilities depend on what individuals have and what they can do with what they have. The article develops probabilistic predictive models that relate the value of each functioning to a set of easily predictable or measurable quantities (regressors) in the aftermath of a hazard. The predicted values of selected functionings for an individual collectively determine the impact of a hazard on his/her state of well‐being. The proposed RCA integrates the predictive models of functionings into a system reliability problem to determine the probability that the state of well‐being is acceptable, tolerable, or intolerable. Importance measures are defined to quantify the contribution of each functioning to the state of well‐being. The information from the importance measures can inform decisions on optimal allocation of limited resources for risk mitigation and management.

January 2018

Sociotechnical Resilience: A Preliminary Concept
This article presents the concept of sociotechnical resilience by employing an interdisciplinary perspective derived from the fields of science and technology studies, human factors, safety science, organizational studies, and systems engineering. Highlighting the hybrid nature of sociotechnical systems, we identify three main constituents that characterize sociotechnical resilience: informational relations, sociomaterial structures, and anticipatory practices. Further, we frame sociotechnical resilience as undergirded by the notion of transformability with an emphasis on intentional activities, focusing on the ability of sociotechnical systems to shift from one form to another in the aftermath of shock and disturbance. We propose that the triad of relations, structures, and practices are fundamental aspects required to comprehend the resilience of sociotechnical systems during times of crisis.

Development of an Asset Value Map for Disaster Risk Assessment in China by Spatial Disaggregation Using Ancillary Remote Sensing Data
The extent of economic losses due to a natural hazard and disaster depends largely on the spatial distribution of asset values in relation to the hazard intensity distribution within the affected area. Given that statistical data on asset value are collected by administrative units in China, generating spatially explicit asset exposure maps remains a key challenge for rapid postdisaster economic loss assessment. The goal of this study is to introduce a top-down (or downscaling) approach to disaggregate administrative-unit level asset value to grid-cell level. To do so, finding the highly correlated “surrogate” indicators is the key. A combination of three data sets—nighttime light grid, LandScan population grid, and road density grid, is used as ancillary asset density distribution information for spatializing the asset value. As a result, a high spatial resolution asset value map of China for 2015 is generated. The spatial data set contains aggregated economic value at risk at 30 arc-second spatial resolution. Accuracy of the spatial disaggregation reflects redistribution errors introduced by the disaggregation process as well as errors from the original ancillary data sets. The overall accuracy of the results proves to be promising. The example of using the developed disaggregated asset value map in exposure assessment of watersheds demonstrates that the data set offers immense analytical flexibility for overlay analysis according to the hazard extent. This product will help current efforts to analyze spatial characteristics of exposure and to uncover the contributions of both physical and social drivers of natural hazard and disaster across space and time.

Resilience Analysis of Countries under Disasters Based on Multisource Data
Disasters occur almost daily in the world. Because emergencies frequently have no precedent, are highly uncertain, and can be very destructive, improving a country's resilience is an efficient way to reduce risk. In this article, we collected more than 20,000 historical data points from disasters from 207 countries to enable us to calculate the severity of disasters and the danger they pose to countries. In addition, 6 primary indices (disaster, personal attribute, infrastructure, economics, education, and occupation) including 38 secondary influencing factors are considered in analyzing the resilience of countries. Using these data, we obtained the danger, expected number of deaths, and resilience of all 207 countries. We found that a country covering a large area is more likely to have a low resilience score. Through sensitivity analysis of all secondary indices, we found that population density, frequency of disasters, and GDP are the three most critical factors affecting resilience. Based on broad-spectrum resilience analysis of the different continents, Oceania and South America have the highest resilience, while Asia has the lowest. Over the past 50 years, the resilience of many countries has been improved sharply, especially in developing countries. Based on our results, we analyze the comprehensive resilience and provide some optimal suggestions to efficiently improve resilience.

Industrial Safety and Utopia: Insights from the Fukushima Daiichi Accident
Feedback from industrial accidents is provided by various state, or even international, institutions, and lessons learned can be controversial. However, there has been little research into organizational learning at the international level. This article helps to fill the gap through an in-depth review of official reports of the Fukushima Daiichi accident published shortly after the event. We present a new method to analyze the arguments contained in these voluminous documents. Taking an intertextual perspective, the method focuses on the accident narratives, their rationale, and links between “facts,” “causes,” and “recommendations.” The aim is to evaluate how the findings of the various reports are consistent with (or contradict) “institutionalized knowledge,” and identify the social representations that underpin them. We find that although the scientific controversy surrounding the results of the various inquiries reflects different ethical perspectives, they are integrated into the same utopian ideal. The involvement of multiple actors in this controversy raises questions about the public construction of epistemic authority, and we highlight the special status given to the International Atomic Energy Agency in this regard.

Risk Modeling of Interdependent Complex Systems of Systems: Theory and Practice
The emergence of the complexity characterizing our systems of systems (SoS) requires a reevaluation of the way we model, assess, manage, communicate, and analyze the risk thereto. Current models for risk analysis of emergent complex SoS are insufficient because too often they rely on the same risk functions and models used for single systems. These models commonly fail to incorporate the complexity derived from the networks of interdependencies and interconnectedness (I–I) characterizing SoS. There is a need to reevaluate currently practiced risk analysis to respond to this reality by examining, and thus comprehending, what makes emergent SoS complex. The key to evaluating the risk to SoS lies in understanding the genesis of characterizing I–I of systems manifested through shared states and other essential entities within and among the systems that constitute SoS. The term “essential entities” includes shared decisions, resources, functions, policies, decisionmakers, stakeholders, organizational setups, and others. This undertaking can be accomplished by building on state-space theory, which is fundamental to systems engineering and process control. This article presents a theoretical and analytical framework for modeling the risk to SoS with two case studies performed with the MITRE Corporation and demonstrates the pivotal contributions made by shared states and other essential entities to modeling and analysis of the risk to complex SoS. A third case study highlights the multifarious representations of SoS, which require harmonizing the risk analysis process currently applied to single systems when applied to complex SoS.

Evaluating the Benefits of Adaptation of Critical Infrastructures to Hydrometeorological Risks
Infrastructure adaptation measures provide a practical way to reduce the risk from extreme hydrometeorological hazards, such as floods and windstorms. The benefit of adapting infrastructure assets is evaluated as the reduction in risk relative to the “do nothing” case. However, evaluating the full benefits of risk reduction is challenging because of the complexity of the systems, the scarcity of data, and the uncertainty of future climatic changes. We address this challenge by integrating methods from the study of climate adaptation, infrastructure systems, and complex networks. In doing so, we outline an infrastructure risk assessment that incorporates interdependence, user demands, and potential failure-related economic losses. Individual infrastructure assets are intersected with probabilistic hazard maps to calculate expected annual damages. Protection measure costs are integrated to calculate risk reduction and associated discounted benefits, which are used to explore the business case for investment in adaptation. A demonstration of the methodology is provided for flood protection of major electricity substations in England and Wales. We conclude that the ongoing adaptation program for major electricity assets is highly cost beneficial.

How to Design Rating Schemes of Risk Matrices: A Sequential Updating Approach
Risk matrices have been widely used as a risk evaluation tool in many fields due to their simplicity and intuitive nature. Designing a rating scheme, i.e., determining the number of ratings used in a risk matrix and assigning different ratings to different cells, is an essential part of risk matrix construction. However, most of the related literature has focused on applying a risk matrix to various fields, instead of researching how to design risk matrices. Based on the analysis of several current rules, we propose a new approach, namely, the sequential updating approach (SUA), to design the rating scheme of a risk matrix in a reliable way. In this article, we propose three principles and a rating algorithm based on these principles. The three principles, namely, adjusted weak consistency, consistent internality, and continuous screening, characterize a good rating scheme. The resulting rating scheme has been proven to be unique. A global rating algorithm is then proposed to create the design that satisfies the three principles. We then explore the performance of the SUA. An illustrative application is first given to explain the feasibility of our approach. The sensitivity analysis shows that our method captures a resolution-reliability tradeoff for decisionmakers in choosing an appropriate rating scheme for a risk matrix. Finally, we compare the designs based on the SUA and Cox's axioms, highlighting the advantages of the SUA.
