
Basic Building Blocks of the Framework

In document Springer Series in Reliability Engineering (Pages 90-93)

The framework is based on a set of building blocks as summarised below. These building blocks are extracted from the review and discussion of the fundamental issues in Chapter 2.

(a) Risk is in general characterised by the combination of possible consequences associated with an activity and the assessor’s uncertainty about these consequences. The consequences are normally expressed by quantities that can be measured (such as money, loss of lives, etc.). A set of quantities is typically needed to give a proper description of the consequences. We refer to these quantities as observable quantities or just observables.

If C represents the consequence and c describes one possible value of C (or an interval defined by c, for example [0,c]), risk is expressed by the combination of possible c values and our uncertainty as to whether the consequence C will take the value c.

(b) Risk (uncertainty) is quantitatively expressed by probabilities and expected values. We assess the uncertainties and assign probabilities (and hence we assign values for risk). It is meaningless to speak about uncertainties in assigned probabilities and risk numbers, as these values express uncertainties, conditional on some information and knowledge.

(c) Risk analyses provide decision support, by analysing and describing risk (uncertainty). The risk analysts analyse the risks, and evaluate them, i.e., they discuss the significance of the risks, in relation to comparable activities and possible criteria. The combination of risk analysis and risk evaluation is referred to as a risk assessment. The analyses need to be evaluated in light of their premises, assumptions and limitations. The analyses are based on background information that must be reviewed, together with the results of the analyses. The decision-maker performs what we refer to as a managerial review and judgement.

(d) A sharp distinction is made between facts, risk assignments, risk evaluation, and risk treatment, where risk treatment means the process of selection and implementation of measures to modify risk.

(e) It is essential to make a sharp distinction between what are expected values determined at the point of decision-making and what the real observations (outcomes) are. The expected values give, to varying degree, good predictions of the future observations. Uncertainty and safety management are justified by reference to these observations and not the expected values alone.

(f) Proper uncertainty management and safety management seek to produce more desirable outcomes, by providing insights about the uncertainties relating to the future possible consequences of a decision, and controlling and reducing these uncertainties.

(g) A decision rule based on the expected NPV with a risk-adjusted discount rate or risk-adjusted cash-flows, should be supplemented with uncertainty assessments to see the potential for uncertainty and safety management in later phases.

(h) What is acceptable risk and the need for risk reduction cannot be determined just by reference to the results of risk analyses. To be precise, we do not accept a risk but a solution, with all its attributes.

(i) Cost-benefit analysis means calculating expected net present values with a risk-adjusted discount rate or risk-adjusted cash-flows. In a societal context, society’s willingness to pay is the appropriate reference, whereas for businesses, it is the decision-maker’s willingness to pay that is to be used.

(j) Cost-effectiveness analysis means calculating measures such as the expected cost per number of expected saved lives.

(k) A multi-attribute analysis is an analysis of the various attributes (costs, safety, …) of the decision problem, separately for each attribute.

(l) Risk and decision analyses need extensive use of sensitivity and robust analyses.

Thus we adopt a broad perspective on risk, acknowledging that risk cannot be distinguished from the context it is a part of, the aspects that are addressed, those who assess the risk, the methods and tools used, etc.

We define the term vulnerability as the combination of possible consequences and associated uncertainties given a source, i.e. given a threat, hazard or opportunity. These three source categories are typically used in security, safety and economic contexts, respectively. Security relates to intentional situations and events. An example of an ‘opportunity’ is a planned shutdown, which allows for preventive maintenance.

Based on this definition, we refer to ‘a vulnerability’ as an aspect or feature of the system, when the combination of possible consequences and associated uncertainties is judged to give a high vulnerability, i.e., is considered critical in some sense. For example, in a system without redundancy the failure of one unit may result in system failure, and consequently we may judge the lack of redundancy as a vulnerability depending on the uncertainties.

The issues (e) to (g) are related to the manageability of the risk. Some risks are more manageable than others, meaning that the potential for reducing the risk is larger for some risks than for others. The concept is illustrated in Figure 3.1.

Alternative 1 gives a medium risk level and low manageability, whereas alternative 2 gives a higher risk but also a higher manageability. Thus by selecting alternative 2 a higher risk is initially assigned, but it provides a large opportunity for reducing the risk and obtaining good safety performance (by adopting a good safety management).

[Figure: axes Risk and Manageability, each on a scale L, M, H, with points labelled Alternative 1, Alternative 2, Alternative 1 future and Alternative 2 future.]

Figure 3.1. Illustration of the concept manageability

Figure 3.2 illustrates how the degree of uncertainties and manageability depends on the phase of development. If our focus is observables X = (X1, X2, …), we predict X, normally using the expected value E[X|K], where K is the background information (knowledge). The degree of uncertainties and manageability is large at an early stage of development, and decreases as a function of time. Of course, this is a schematic illustration, showing typical trends; in practice we may have situations where, for example, the uncertainties increase. Because of large uncertainties the outcomes of X may deviate strongly from the predictions. However, by proper uncertainty management and safety management, the goal is to obtain desirable outcomes.

Following our definition of risk, a low degree of uncertainty does not necessarily mean a low risk, and a high degree of uncertainty does not necessarily mean a high level of risk. This is important. As risk is defined as the combination of possible consequences and the associated uncertainties (quantified by probabilities), any judgement about the level of risk needs to consider both dimensions. For example, consider a case where only two outcomes are possible, 0 and 1, corresponding to 0 and 1 fatality, and the decision alternatives are A and B, having uncertainty (probability) distributions (0.5, 0.5) and (0.0, 1.0), respectively. Hence for alternative A there is a higher degree of uncertainty than for alternative B.

However, considering both dimensions, we would of course judge alternative B to have the highest risk as the negative outcome 1 is certain to occur.
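The comparison of alternatives A and B above, worked through in Python as an added example that is not part of the book. Shannon entropy is used as the measure of the degree of uncertainty, which is an assumption since the text does not name a measure; the function and variable names are illustrative.

```python
import math

def describe(outcomes, probs):
    """Return (expected consequence, entropy in bits) for a discrete distribution."""
    if len(outcomes) != len(probs):
        raise ValueError("one probability per outcome is required")
    if any(p < 0 for p in probs) or not math.isclose(sum(probs), 1.0):
        raise ValueError("probabilities must be non-negative and sum to 1")
    expected = sum(c * p for c, p in zip(outcomes, probs))
    # Outcomes with probability 0 (as in alternative B) contribute nothing:
    # p * log2(p) tends to 0 as p tends to 0, and log2(0) itself is undefined.
    entropy = sum(-p * math.log2(p) for p in probs if p > 0)
    return expected, entropy

def compare(alternatives, outcomes):
    """Rank the alternatives separately on each of the two dimensions."""
    described = {name: describe(outcomes, p) for name, p in alternatives.items()}
    most_uncertain = max(described, key=lambda n: described[n][1])
    worst_consequence = max(described, key=lambda n: described[n][0])
    return described, most_uncertain, worst_consequence

# Values taken from the text: outcomes are 0 or 1 fatality.
OUTCOMES = (0, 1)
ALTERNATIVES = {"A": (0.5, 0.5), "B": (0.0, 1.0)}

if __name__ == "__main__":
    described, most_uncertain, worst_consequence = compare(ALTERNATIVES, OUTCOMES)
    for name, (expected, entropy) in described.items():
        print(f"{name}: expected fatalities={expected:.2f}, entropy={entropy:.2f} bits")
    print("highest degree of uncertainty:", most_uncertain)
    print("highest expected consequence:", worst_consequence)
```

The two rankings disagree, which is the point of the passage: a judgement based on the degree of uncertainty alone would pick the wrong alternative as the riskier one.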

The above building blocks constitute a basis for the framework presented. They are premises for the work and their justification and suitability will not be discussed in this chapter.

[Figure: degree of uncertainty and degree of manageability, with predictions E[X|K1], E[X|K2], E[X|K3].]

Figure 3.2. Illustration of the level of uncertainties and manageability as a function of time
