Doctors bury their mistakes, and lawyers get to lock theirs away; but engineers build their mistakes out in the open for everyone to come and see. - Anonymous Engineering Professor

"It's all fun and games until someone puts out an eye." - Any parent, any time, anywhere.

The Beginnings of Risk Assessment

One of the notable characteristics of an industrialized society is the greater enjoyment of life¹   through the use of clever applications of technology, such as machines and so forth. Such machines have, ostensibly, been designed to perform functions that those living in the industrialized world do not wish to perform themselves, for reasons of either convenience or, in more frequent cases, the danger involved. We have machines to do everything from wash our clothes and dishes for us, to entertaining us during the times we used to spend washing dishes and cloths, and even to do some amazingly difficult and dangerous work involving something like methylethyldeath that is needed in the making of children's disposable diapers.²   Having machines to perform our most dangerous and/or undesireable tasks for us is a fine luxury indeed - unless they make things worse, of course. One might ask, "What if the machines make things worse? What do we mean by 'worse' anyway?" The answers to all of these questions are not to be had easily, and they are at the heart of any philosophical debate over the usefulness of any machine. One of the most important tools for evaluating a machine's usefulness is the concept of risk.³  

What Is Risk?

To understand what is meant by "risk," it must first be clearly differentiated from another important concept: specifically what a "hazard" is. In engineering risk assessment, "hazard" is a term used to refer to a physical property or condition of a material or a set of properties and conditions in a certain situation where there exists the possibility for harm. The term "hazard" may on the surface look a lot like the definition for "risk" that is to be described in just a moment, but the primary difference is that a hazard is property that is independent of frequency or consequence. In simple terms, a hazard is a source of danger while risk is a quantitative or qualitative expression of a possible loss that considers both probability and consequences. When identifying a hazard, there is no consideration of likelihood or credibility of accidents or of any sort of prevention or mitigation. There is a very important distinction to be made here. Risk can be controlled, lessened, or minimized; hazards either exist or they do not, they are not controlled or minimized.

Some Definitions

Many dictionaries define the term "risk" as, "the possibility of suffering harm or loss." Further entries list such synonyms for "risk" as, "danger," "peril," "jeopardy," and "hazard." While all of these terms are fine for the average use in language, the term risk came to be used more and more often by those who design and make machines, thus taking on a more detailed and specific meaning. Those people are commonly referred to as "engineers," and anyone who has met an engineer knows that engineers are most comfortable with things than can be measured and quantified. To risk management pioneers, a concept as nebulous and prone to human interpretation as "danger" or "peril" must have seemed quite unacceptable when applied to machines. Therefore, the term risk developed into a quantifiable concept that could then be applied in the all-important decision-making process carried out before the making of the machine. It should be noted that this is still a relative term; as discussed below, there are limits on the accuracy of how well we can predict probabilities and consequences, and therefore a lot of "engineering judgement" and other phrases that boil down to expert opinion become necessary.

What if ...

The need for risk-based decision making arose in the early days of industrialized society, when it quickly became apparent that there was a need to ask Very Important Questions, such as, "will this machine help," "will this machine work," and of course, "will this machine, in fact, kill us?" When people began to ask their engineers these questions, the answers were initially handled by phrases like, "well, hrmm, that depends - let's turn it on and see." It became apparent rather quickly that much more specific answers (such as "yes" or "no") were required before turning them on, which meant that engineers had some work to do in order to come up with something the people could hang their hats on.⁴   Engineers (and scientists, policy-makers, investors, governments, et al) then developed a means to quantify risk. They quickly realized that risk was best quantified as a combination of two factors: (1) how badly can something go wrong, and (2) how often it can happen. This made it easier to come up with some sort of "number" that could represent amounts of "risk" representing a combination of consequence and frequency (which can be thought of as the probability of something happening in a given time span). As an added benefit to splitting consequence from frequency, each part of the equation could be weighted individually according to certain criteria determined by the sensitivity of either factor in the final decision making process; that is, one could determine before hand that, no matter what the likelihood, certain consequences are too grave to accept. Through this application and the definitions used above, the modern engineering concept of risk came into being.

Understanding and Controlling Risk

Risk is determined using risk assessment methods that vary somewhat from application to application, but generally remain consistent on a few key points: a risk assessment begins with a hazard identification, then considers the effects of structures, systems, and components that prevent, detect, or mitigate accidents. Risk assessments may employ all sorts of methods to determine the frequencies of a particular hazard resulting in an accident or other undesired event (sometimes called, somewhat endearingly, "off-normal"), as well as the worst-case consequences that could result. It is at this stage where large amounts of science, such as mathematics (probability in particular) and physics come into play.

This article will not address the myriad of methods used in rigorous risk assessment for engineering applications since to do so would entail writing a textbook.⁵   Suffice it to say that the studies of probability and physics are required for anyone involved in engineering risk assessment applications professionally. The study of probability as it relates to engineered machines and other industrial factors is essential to determining half of the risk equation. The study of physics, in particular the sciences that deal with phenomena such as fire and explosions, as well as the study of medicine and human anatomy are crucial for understanding and predicting consequences of an event that makes up the other side of the risk equation. There are many more disciplines involved than any one person can normally become an expert in, and as such there are usually large amounts of scientists, engineers, medical doctors, and evironmental experts involved in engineering risk assessment. Usually, this large amount of information and people presents quite a logistical problem for conducting large scale industrial or engineering risk assessments. However, one problem that is ubuquitous to all risk assessment and must be recognized by those that rely on risk assessment to make critical decisions revolves around the fundamental concept of attempting to quantify risk itself.

The Advantages and Disadvantages of Quantified Risk

It is important to note that when employed rigorously using the sciences of mathematical probability and physics, risk assessment only gives a number that represents some relative concept of more or less risk. What that actually means in plain English is the most difficult part of risk assessment. Presently, there are no units of risk defined officially, with only a few having ever been attempted. There being no real means to develop a unit for consequences that vary greatly between accident scenarios, at least outside of military applications⁶   risk exists as a sometimes arbitrary-seeming grouping or range that have some sort of loosely-defined consequences assigned to them. However, regardless of how one may wish to express risk, those that use risk assessment to make decisions⁷   must recognize and remain cognizant of the fact that such an expression of risk is useful for a single, all-important purpose: how to control it.

Assessing Risk

While engineering risk assessments can be very complicated, quite frequently risk assessment is performed in a less-rigorous manner using the concept of estimation.⁸   In fact, people most likely employ some amount of risk assessment in their everyday lives using a bit of their own estimation. A fairly common example would be the decisions and actions involved when driving a car. The act of deciding to buckle one's safety belt when riding in a motor vehicle is a conscientious application of a risk assessment process. One has decided that, given the probability of being involved in an accident while driving or riding in the automobile, and in particular given the potentially fatal consequences of being in said accident, one wishes to control that risk before venturing out in the car. Since scientific experiments have been performed that compile a lot of evidence that seat belts are effective in reducing the damage to one's person if involved in an accident, the wearing of a safety belt of some sort can be said to reduce the consequences of being in an accident.

Controlling Risk

In engineering terms, our seatbelt-wearing person here has provided a control that mitigates the consequences of an accidental condition (particularly a collision with another moving vehicle or stationary object). The seatbelt does nothing for preventing the accident, it must be noted. To prevent accidents, one may study up on how to operate their particular automobile, taking courses in the safe operation and rules and regulations along the route(s) one is likely to use while driving the automobile. In analogous engingeering terms, these sorts of preventative human-interactive practices are termed, "administrative" controls. One might purchase a vehicle that is capable of stopping quickly or one that also handles well under a variety of conditions enabling it make collisions less likely. Such measures are termed preventative "engineered" controls when applied to an industrial process.

In industry, engineered controls are generally preferred over administrative controls actually because of their lack of a brain or cognitave reasoning, which represents a distinct advantage in the task of maintaining 100% vigilance over a risky situation. Machines are far better at waiting around for ages until something unexpected happens and then reacting in a very rapid and predictable manner, because they do not have brains that can get bored. Human beings tend to wander off in search of a doughnut or possibly a quick trip to the restroom when things are slow.⁹   An important and obvious caveat to the preference of engineered controls over administrative ones is the possibility that something can go wrong in a totally unplanned and unusual way, in which case engineered controls may be inadequate or, even worse, contribute to the overall negative consequence of an accident if allowed to perform as they were designed. In industry, particularly high-consequence industries like some toxic chemical processing facilities and large commercial nuclear reactors, risk is controlled through a wide range of engineered controls of varied complexity, which are all backed up by human beings at some point. People who monitor and control safety systems at commercial nuclear power plants are frequently called "Operators," and such a title has been applied elsewhere for similar positions at large scale industrial plants.

Maintaining Risk Control

Once the risk was assessed, the next step was naturally to try to control or manage the risk involved. From determining how to best control risk, maintaining the risk control becomes the highest priority. In fact, maintaining risk is usually where the most significant amount of resources and time is spent in the operation of highly hazardous industrial or engineering operations. It is essential, then, to determine how important a risk controlling thing or practice may be. Unfortunately, and sometimes tragically, the part about maintaining the risk control itself can be the most often skipped over, particularly with very complex processes and applications.

It seems logical that something that is relied upon to provide some amount of protection from a risky event would be maintained and treated as a Very Important Thing for Safety. Logically this is obvious, but as the complexity of machines and the systems they become parts of increases, the more difficult it becomes to maintain controls on small components that may seem to be insignificant parts of the overall process. Problematically, human beings are not particularly noted for their absolute adherence to logic. It is for this reason, then, that the requirement for properly documenting the risk assessment process has been implemented. People tend to be far less likely to to be allowed to make decisions outside of the risk-based logic if they are forced to write down their thought process on paper for their peers to read. In fact, although it is common and quite useful to have one's peers review the documented assessment of risk, people are known to be quite easily swayed by a natural tendency to think as a group following a leader.¹⁰   It is therefore important to have members outside of the immediate peer group to review and comment on the risk assessment process documented by the originating group of risk assessors. Taking this philosophy further, the level of public involvement in documenting and reviewing risk assessment has greatly increased over the past 20 years or so, most notably as a result of some very tragic events. As can be seen in the case histories part of this article, large-scale tragic accidents have led to the adoption of laws (frequently termed "rules" in the USA) as a result of tragic, large-scale accidents.