Gambling with public safety?10 November 1998
Des Hartford*, argues that every dam safety decision is some form of risk assessment, and that these methods can strengthen traditional dam safety assessments. However he warns that probabilistic techniques have their own risks which must be understood and managed before they are used.
The notion of the absolute safety of dams is appealing, and supporters argue that this absolute safety is demonstrated by the very small numbers of dam failures as a proportion of the number of dams. Some argue that the exemplary safety record that exists in many countries, achieved through conservative deterministic methods, is justification enough not to adopt risk-based methods. Absolute safety has of course never been conclusively demonstrated: it is not proved, and that existing practices are adequate is only suggested by statistics which have been calculated from limited histories. They do not, for example, properly consider the number of dam failures averted by intervention.
Nevertheless the notion of absolute safety has been prevalent for years, and it is hard to imagine that society and the body politic would settle for less. This presents a problem for proponents of risk-based analysis: opponents claim that the risk-based approach is inherently less safe. Strangely, it is not always the public that puts forward this view; it is often engineers with views firmly aligned with the notion of absolute safety. Its roots lie perhaps in the observation that probability theory began with gambling problems, and statistics began with mortality tables. One challenge for proponents of risk-based methods is in demonstrating that what they are advocating is not a matter of gambling with public safety.
Risk analysis: why and how?
The real reason for every dam safety initiative is to manage the risk posed by a dam. Every dam safety decision is a risk assessment of some kind, whether deterministic, probabilistic, or somewhere in between.
Deterministic risk assessment is based on traditional standards but often encompasses elements of risk analysis which lead, in effect, to better engineering judgement. In cases that fall somewhere in between, practitioners acknowledge the value of risk analysis used in a limited or qualitative sense. They argue that the real benefits that arise from risk-based methods arise from using the process, which is logical, systematic and rigorous.
Using risk assessment in its full, quantitative, form requires all the skills and forms of traditional analysis, as well as qualitative risk analysis techniques, probabilistic models of failure mechanisms, and probabilistic evaluation criteria. This inevitably makes it slower, more difficult and more expensive than less rigorous methods.
The view that all we need is computer models and random number generators to assign probabilities is fundamentally incorrect.
When it comes to modelling, we should first acknowledge that not all failure processes are well understood. Secondly, we must recognise that full disaggregation of the failure mechanisms is the key to good analysis results. As the dam risk analyst must know how to disaggregate the problem to its fundamental parts, it follows that the analyst must necessarily understand every step in the failure process. Modelling is more complex than it first appears: as well as the model itself, the people who built it clearly play an important part. Ideally they will understand the failure processes to be modelled, and the weaknesses in the model, and they will be able to compensate for the weaknesses through sound engineering judgement.
Assigning probability is a similarly complex process. We can only have absolute confidence in probabilities that have been mathematically derived. In all other cases we are dealing with some form of judged probabilities — a property that is not inherent to ‘an event’ but is a statement of the extent to which the evidence supports an expert’s judgement that it will occur. If probabilities are not mathematically derived, analysts should have mechanisms in place to deal with weaknesses in the method of derivation. The probability calculus is a powerful mathematical tool which transforms input parameters into probabilities, but even this powerful tool cannot generate the essential input probabilities: these are produced by people placing their own (hopefully objective) interpretation on the evidence.
Generating probabilities can be done in several ways, but not as easily as some of the recent literature suggests. Apart from the application of mathematical theorems where the numbers can be mind-boggling and opportunities to use them for dams virtually non-existent, probability assignment necessarily involves a subjective element. This has all the problems associated with logically integrating the evidence and transforming it into an expert’s statement of probability, not the least of which is the fact that probability is not intuitive. Even for an expert, answers to the simplest probability questions can be counter-intuitive. An example: the probability that in a group of 23 people at least two will celebrate their birthday on the same day is usually estimated by most audiences — even expert ones — to be highly unlikely. When pushed to provide a number, people usually say less than 10%. In fact, the answer is 0.507, which demonstrates just how wrong perceptions or judgements of probability can be.
Probability is frequently used synonymously with statistics, but using the two terms in this way can be misleading in risk analysis for individual dams. For example, let us say that the frequency of a particular event, one of a series of events leading to dam failure, can be expressed statistically. In analysis, this may be expressed as a probability of, for example, 0.5. But the real question when examining a specific dam is: given the preceding conditions, will this event occur or not — a question that can only be answered retrospectively, and for which the possible answers are p=1 (the event occurred) or p=0 (the event did not occur). The problem here is that the analyst is required to use tools developed to predict the average behaviour of large populations and apply them to individual situations.
Mapping schemes intended to convert individual judgements of probability into numerical values, while appealing to anyone who wants a quick, partly codified, way of estimating probabilities, have very interesting fundamental problems. Most people are comfortable with phrases such as ‘highly unlikely’ or ‘quite likely’, but there is considerable variation in the way different people interpret these phrases, and their interpretation is very context-dependent. Simple mappings between words and numbers are unlikely to be adequate, and indeed comparisons between various mapping schemes show little consistency.
According to Morgan and Henrion the most unequivocal result of experimental studies of probability encoding has been that assessors are poorly calibrated. Although the quality of assessment was sometimes improved by asking subjects to give reasons and construct arguments in support of their judgements, whatever elicitation procedure is adopted, subjective judgements are prone to bias and must be treated with care. The continued use of mapping schemes which relate verbal descriptors of probability to numerical values and which are symmetrical about 0.5 suggest that the dam safety profession’s understanding of subjective probability is inadequate for reliable quantitative risk assessment.
Nevertheless, in this situation the judgement of the expert is vitally important, and the question of whether his/her judgement has been demonstrated to be frequently correct arises. An expert’s substantive expertise refers to the knowledge that he or she has about what is being estimated. It can be measured by how well predictions fit the actual outcome of an event — the expert should, on average, assign high probabilities to those events that occur and low probabilities to those that do not occur. The expert’s normative expertise can be considered as calibration: how close the estimate of the probability of an event is to the frequency of occurrence.
How to use risk analysis
There is no doubt that good safety decisions can be made much of the time using traditional methods. More difficult decisions usually need some form of risk-based approach, and although qualitative risk assessment is effective much of the time the most difficult decisions will need numbers. Quantitative risk analysis will be required, even though as yet there are no accepted methods for using it. In using quantified risk, some uncertainties can be managed, as described below. But the first and most important aspect is the people carrying out the analysis. Reliance on people and on their judgement is unavoidable — to understand the problem, to build the models, to estimate probabilities and to interpret the result.
•Modelling uncertainties can be managed by selecting a ‘modeller’ who understands both the problem and the model, and who understands modelling risks. While the model selected should be the one most suited to the task, its limitations — including model uncertainty — should be recognised.
•Probability uncertainties are best managed by recognising that probability is not intuitive and by exercising great care with subjective probabilities. Experts and analysts must adhere to modern principles of probability and scientific interference. Standards of scientific proof should be considered and safeguards should be in place to manage the probability that the proof is false.
•People uncertainties should be managed by selecting analysts with a broad and deep understanding both of the problem and of analytical techniques and their weaknesses. Subject matter experts should be engaged — if necessary for every node in the event tree.
In developing risk assessment techniques commercial pressures are not inconsiderable. The demand is for risk assessment to become a routine engineering service that is quicker, cheaper and better than traditional methods. Dam safety professionals should have this as a long term objective but should not give the impression that quantitative risk analysis in this context is mature. It requires: engineers that know all there is to know about dam failure modes; an ability reliably to assign probabilities; application of probabilistic calculus of several variables; and judgements about individual situations made using tools developed for large homogeneous populations. This combination does not exist at present.
The risk to society
How will risk-based analysis affect the dam industry in society? Regulators and the body politic, who are responsible for establishing risk policy, do not appear to be in a position to do so at present for dams. The choice of using risk-based decision criteria for societal risk is not a matter for dam owners or engineers.
At present, true risk assessment can only be carried out for commercial risks to a business; but even then conducting an analysis when there is no process in place to interpret and use the results can be a mistake. For societal risk there is nothing worse than providing owners, the public and regulators with probabilities of death and destruction if there is not an established subsequent course of action.
True quantitative risk assessment is a grey area, and it will only become routine engineering practice when it is cleared. This transformation will not occur without a very significant investment in pure research. At present, funding for research and development in risk analysis in dam safety is hopelessly inadequate worldwide. Without such research, the reliable practical tools being demanded will only materialise by chance.
Society and owners need robust and dependable methods to assess the risks posed by dams, and these better risk-based techniques can be developed. But only if owners and society are prepared to make the necessary investments.