Professional Documents
Culture Documents
Apostolakis 2004
Apostolakis 2004
3, 2004
Perspective
George E. Apostolakis∗
This article discusses the use of quantitative risk assessment (QRA) in decision making regard-
ing the safety of complex technological systems. The insights gained by QRA are compared
with those from traditional safety methods and it is argued that the two approaches com-
plement each other. It is argued that peer review is an essential part of the QRA process.
The importance of risk-informed rather than risk-based decision making is emphasized. En-
gineering insights derived from QRAs are always used in combination with traditional safety
requirements and it is in this context that they should be reviewed and critiqued. Examples
from applications in nuclear power, space systems, and an incinerator of chemical agents are
given to demonstrate the practical benefits of QRA. Finally, several common criticisms raised
against QRA are addressed.
515 0272-4332/04/0100-0515$22.00/1
C 2004 Society for Risk Analysis
516 Apostolakis
experimenting with more substantive use of QRA wrong? (2) How likely is it? and (3) What are the con-
insights. sequences? It is a top-down approach that proceeds
Citizen groups that oppose a particular decision as follows:
or industry frequently raise questions about the valid-
ity of QRA, especially the “Q” part.(3) Although there 1. A set of undesirable end states (adverse con-
is occasionally a reply by responsible groups,(4) these sequences) is defined, e.g., in terms of risk to
criticisms, especially articles in the popular press, a the public, loss of crew, and loss of the system.
recent example being Reference 5, remain largely These answer the third question of Reference
unanswered. 6.
My purpose in this article is to address some of 2. For each end state, a set of disturbances to
these criticisms and to place the use of QRA in per- normal operation is developed that, if un-
spective. It is my thesis that QRAs should be viewed contained or unmitigated, can lead to the
as an additional tool in safety analysis that improves end state. These are called initiating events
safety-related decision making. QRA is not a whole- (IEs).
sale replacement of traditional safety methods or 3. Event and fault trees or other logic diagrams
philosophies. QRA analysts will be the first to admit are employed to identify sequences of events
that this tool is not perfect, yet it represents tremen- that start with an IE and end at an end state.
dous progress toward rational decision making. Thus, accident scenarios are generated. These
scenarios include hardware failures, human er-
2. TRADITIONAL SAFETY ANALYSIS rors, fires, and natural phenomena. The de-
pendencies among failures of systems and
It is important to recognize that even traditional
redundant components (common-cause fail-
safety analyses must deal with probabilities, but, un-
ures) receive particular attention. These sce-
like in QRA, these probabilities are not quantified.1
narios answer the first question.
The evaluation of safety is typically bottom-up, i.e., it
4. The probabilities of these scenarios are eval-
starts with postulated failures and proceeds to identify
uated using all available evidence, primarily
their consequences. If an event, such as the failure of
past experience and expert judgment. These
a component, is judged to lead to unacceptable con-
probabilities are the answer to the second
sequences, measures are taken either to make it less
question.
likely (without knowing quantitatively by how much)
5. The accident scenarios are ranked according
or to mitigate its potential consequences. Typically,
to their expected frequency of occurrence.
these actions include the introduction of redundant
elements and additional safety margins, i.e., the differ-
A peer review by independent experts is an es-
ence between the failure point and the anticipated op-
sential part of the process. Depending on the sig-
erating point is made larger. These actions are based
nificance of the issue, this review may involve
on engineering judgment informed by analyses, tests,
national and international experts occasionally sup-
and operating experience. The result is frequently a
ported by staff. The first PRAs for nuclear power re-
complex set of requirements for the design and oper-
actors and severe accidents were subjected to such
ation of the system.
detailed reviews.(7, 8) NASA’s QRA for the Inter-
A facility that meets these requirements is judged
national Space Station was also subjected to peer
“acceptable” in the sense that there is no “undue risk”
review.(9) The QRA for the Tooele incinerator of
to the public or the crew. What “undue risk” is remains
chemical munitions, sponsored by the U.S. Army, was
unquantified. The presumption is that meeting the re-
reviewed by independent experts(10) and the whole
quirements guarantees adequate protection of public
operation was under the oversight of an indepen-
and crew health and safety, i.e., the (unquantified) risk
dent committee of the National Research Council.(11)
is acceptably low.
These reviews had significant impact on the respec-
tive QRAs. The PRA Standard issued by the Ameri-
3. QUANTITATIVE RISK ASSESSMENT
can Society of Mechanical Engineers contains a peer
In its bare essence, QRA answers the three ques- review as an integral part.(12) Guidance on peer re-
tions posed in Reference 6, namely: (1) What can go views can be found in Reference 13. Insights from
QRAs should not be used in decision making un-
1 Traditional safety analyses are often called “deterministic.” This less they have been subjected to a peer review by
is a misnomer. Uncertainties are always present. independent experts.
Perspective 517
of nuclear safety experts. Several major new insights changed to limit the time any item is held in the feed
were as follows:(19) airlock.
r Prior thinking was that the (unquantified) fre-
quency of severe core damage was extremely
7. RISK-INFORMED DECISION MAKING
low and that the consequences of such damage
would be catastrophic. The RSS calculated a I wish to make one thing very clear: QRA results
core damage frequency on the order of one are never the sole basis for decision making by respon-
event every 10,000 to 100,000 reactor-years, sible groups. In other words, safety-related decision
a much higher number than anticipated, and making is risk-informed, not risk-based. The require-
showed that the consequences would not al- ments of the traditional safety analysis that I described
ways be catastrophic. above are largely intact.
r A significant failure path for radioactivity re- In all three examples that I have been us-
lease that bypasses the containment build- ing (Nuclear Regulatory Commission, NASA, and
ing was identified. Traditional safety analysis the Tooele incinerator), the safety requirements are
methods had failed to do so. overwhelmingly traditional. Only the Nuclear Reg-
r The significance of common-cause failures of ulatory Commission, which, as I have stated in
redundant components and the significance Section 1, has entered Phase 3, has a formal process for
of human errors were demonstrated quantita- modifying some traditional requirements using risk
tively. insights.(2)
Even in the Nuclear Regulatory Commission’s
An early QRA for the auxiliary power units (APUs)
case, however, it is interesting to see how cautious
on the shuttle’s orbiter produced some interesting re-
the Commission was when it issued its policy state-
sults.(20) A traditional qualitative method for develop-
ment in 1995:(22) “The use of PRA technology should
ing failure modes (Failure Modes and Effects Analy-
be increased in all regulatory matters to the extent
sis) had been employed to identify hazards. Of the 313
supported by the state of the art in PRA methods and
scenarios identified, 106 were placed on the so-called
data and in a manner that complements the NRC’s
critical items list using conservative screening criteria.
deterministic approach and supports the NRC’s tra-
r The QRA showed that 99% of the probability ditional defense-in-depth philosophy.” The Commis-
of loss of crew/vehicle was contributed by 20 sioners made it very clear that PRA insights were to
scenarios, two of which had not been on the be scrutinized and were subordinate to the traditional
critical items list. safety philosophy of defense-in-depth.
r Clearly, risk management is much more effec- At this time, formal methods for combining risk
tive when one has to deal with 20 scenarios information with traditional safety methods do not
as opposed to the 106 of the critical items list, exist. The process relies on the judgment of the de-
which, in addition, missed two important sce- cision makers and is akin to the analytic-deliberative
narios. process that the National Research Council has rec-
r The QRA demonstrated, once again, the sig- ommended for environmental decision making.(23)
nificance of common-cause and cascading fail- The continuous risk management process that
ures. These failure modes are handled very NASA employs is similar in the sense that risk infor-
poorly in traditional safety methods. mation is only one of the many inputs that the process
considers.
Unlike the QRAs for nuclear power reactors and
the space shuttle, the QRA for the Tooele incinerator
of chemical munitions was performed while the facil-
8. COMMENTARY ON FREQUENTLY
ity was still under construction. This allowed the use of
RAISED CRITICISMS
QRA insights in design and operation changes.(11,21)
For example, the QRA identified a scenario that dom- All QRA analysts care about is the bottom-line
inated worker risk, which involved the potential for numbers.
buildup and ignition of agent vapors in a furnace I know of no QRA analysts who act this way
feed airlock. As a result of this finding, a hardware (and I know a lot of them). The uncertainties about
change was implemented to vent the airlock and pre- the results and the dominant scenarios are the re-
clude agent buildup. In addition, the operations were sults that experienced analysts look for. The lower
Perspective 519
the probabilities that are reported, the more suspi- do with these numbers? The answer is very little, if
cious these analysts become. anything. There are no guidelines as to which num-
QRAs are performed to understand how the sys- bers are acceptable and, as I have said several times,
tem can fail and to prioritize the failure modes, not to the traditional safety requirements are intact. It is the
produce a set of numbers. The only QRA results that impact on decision making that matters, not that some
have any chance of influencing risk management are study produced indefensible numbers.
those that provide engineering insights. Having seen first-hand how PRAs have improved
NASA doesn’t seem to be able to get the numbers safety in the nuclear power industry, I believe strongly
for the shuttle right. that it would be a disservice to the nation if NASA
This is an interesting comment that one encoun- were discouraged from using this technology.
ters frequently. Old studies are cited(24) that appar- QRA results are not useful when they are highly
ently produced very low failure probabilities for the uncertain. Why bother doing a QRA in those cases?
shuttle (as low as once every 100,000 flights). Then, it These uncertainties exist independently of
is pointed out that there have been two failures in 113 whether we do a QRA or not. The decisions that need
shuttle flights; therefore, QRAs are no good. to be made will be better if quantitative information
An early QRA for the shuttle(25) gives a prob- that has been peer reviewed is available. Recall the
ability for the loss of vehicle that ranges from once misperceptions of the frequency and consequences of
every 230 flights to once every 76 flights. The ana- core damage that nuclear safety professionals had be-
lysts state that they are 90% confident that the failure fore the Reactor Safety Study was issued (Section 6).
probability is in this interval. The reported interval By attempting to quantify the uncertainties and
is on the right order of magnitude, especially for a to identify the dominant contributors, QRA analysts
first effort that has not been peer reviewed formally contribute to the common understanding of the is-
and in an industry that is still in Phase 1 of QRA de- sues and, in addition, may provide useful input to the
velopment.2 I doubt very much that the old studies allocation of research resources.
mentioned above had been subjected to the rigorous Probabilities cannot be realistically calculated.
peer-review process that modern QRAs receive. This criticism presumably means that one can-
But this criticism raises another important point. not use straightforward statistical methods and divide
There is a presumption that QRA should “get the the number of failures by the number of trials to cal-
number right” right away. This does not allow time for culate “realistic” probabilities. This criticism appears
the technology to mature in the NASA environment. to miss the point that QRAs are performed for sys-
As I mentioned in Section 1, the nuclear power indus- tems that are highly reliable and well defended, so a
try has had plenty of time to improve its PRAs and plethora of failures does not exist (and is highly un-
one would indeed expect its numerical results to be desirable to begin with). QRA methods analyze rare
consistent with operating experience. NASA, on the events in a systematic way and use all the available in-
other hand, is still exploring what QRAs can do and formation in evaluating probabilities. QRA analysts
how to apply them realistically to its systems, some are fully aware of the extensive use of expert judg-
of which are very different from nuclear power appli- ment and always look at the uncertainties associated
cations. For example, methodological improvements with the results. As I have stated, peer reviews are
are needed to handle the dynamic nature of space essential. Ultimately, the decision making process is
flights. I believe that the agency should be given time risk-informed and not risk-based.
to make this technology part of its standard analytical QRAs do not include “one technician’s unbeliev-
tools. able stupidity.”(5)
The fundamental question should not be whether I do not know how one defines “unbelievable
old studies failed to accurately predict the number (al- stupidity,” so I have difficulty dealing with this crit-
though the results I cited above show that this is not icism. Of course, these facilities are usually operated
quite true). The question should be: What did NASA by crews of several people, so I am not sure how
many trained persons would have to behave in an
2 NASA is currently in the process of producing a comprehen- unbelievably stupid manner for something extraor-
sive QRA for the shuttle that involves several NASA centers dinary to happen. As I mentioned above (Section 5),
and contractors. This QRA is undergoing rigorous peer review
and is considered as one that is truly embraced by NASA. The
QRAs do not model acts of unbelievable intelligence
agency intends to risk-inform its decision making processes using either, which, as the operating experience shows, oc-
this QRA. cur frequently.
520 Apostolakis