Deception of Credible scenario
Apr 8th, 2020
Personal human experience, bounded rationality and deception of credible scenario are important in the context of risk identification.
Risk identification is a fundamental phase of a risk assessment. It intervenes after system and objectives definition. Oftentimes we hear that practitioners consider only credible scenarios in a risk identification exercise.
Today we explore why considering only credible scenarios is a deception and could lead you to disaster. Incidentally, this might be one of the reasons that lead numerous unrealistic risk assessments to describe rosy scenarios.
Credible and incredible scenarios
We always object that considering only credible scenarios constitutes blatant censorship. Indeed, risk analysis should prioritize the scenarios, and no scenario should be censored at first. The prioritization resulting from the risk assessment will take care of eliminating “incredible” or meaningless scenarios. That is a result, not an arbitrary decision!
It is worth focusing on arrogance and censorship.
It takes 10,000 hours (or approximately 10 years or more) of practice to reach expert level in a subject matter. This is what Malcolm Gladwell discusses in his bestseller “Outliers”.
So, when an expert says that a failure can’t happen, that a failure mode is “incredible”, it means that it is “unheard of” during the expert’s 10,000 hours of observation/practice. Those 10,000 hours do not occur with real hands-on experience, nor in the system’s real environment. As a matter of fact, we all know that detailed environmental conditions considerably change, for example, the likelihood of failure.
As a side note, consider that if one takes ten experts and puts them together, the sum of experience will not considerably alter the final result: they may very well all agree, and erroneously, that a failure is “incredible” because their observation times were “simultaneous”!
Tailings dams failures
Note that, in the context of tailings dams, those 10,000 hours are negligible compared to the collection of every incident over the collection of dams. Indeed, 10,000 hours is slightly more than just one operational dam per year (8,760 hours). Furthermore, that is completely negligible for 3*10^7 collective operational experiences per year (3,500 dams). Indeed, we have to observe 3*10^7 “hours” of service of those 3,500 dams to learn that there were perhaps 3 to 4 major failures.
3 to 4 major tailings dam failures per year
Now, those 3-4 major failures per year, on average, over the last hundred years have been painstakingly collected and analyzed. Publications like ICOLD (2001), see figure below, attempted to define “failure modes” for dams of different makes. Notice the large number of “unknown” to appreciate the uncertainties embedded in the definition of the failure modes. Furthermore, consider for example the slope stability category. How do we know that those “slope stability” accidents didn’t mask, say, some erosion, seepage, foundation problems and perhaps a small earthquake the day before? How come there is no liquefaction?
Developing a correct taxonomy of the failure modes would have required detailed and complex forensic analyses that were, unfortunately, not performed. Thus, the 10,000 hours of “expert observation” rely on scant reports, hearsay and uncertain data. Even recent “statistical studies” and information collection efforts (Azam and Li and Church of New England) have shown the existence of information gaps that make censoring of failure modes a very doubtful practice.
In recent years, however, in the aftermath of some of those 3-4 failures per year, expert panels have developed detailed and scientific forensic analyses that generally, and we would say correctly, determine a “set of circumstances” that lead to failure. And at that moment the tragic truth of censoring emerges. It is not one single failure mode that caused the deterioration of the dam, but a combination of triggers: a combination of “minor” failure modes that contributed to the failure of the dam or, as many would say, “a perfect storm”.
Failure modes and causality
So, it becomes apparent that failure modes, and in particular “credible” failure modes, are toxic. They do not explain why failures occur. They explain, and not even completely, how a failure could occur under the influence of a very limited set of triggers. Forensic studies have shown that failures occur because of a set of causes. A dam may fail following an unstable slope failure mode, but the causes of that failure are way more complex. The question is: why do we keep trying to use a model we know is flawed?
Is it because we put together groups of experts that easily concur as they have too similar backgrounds and use the same knowledge-base?
ORE2_Tailings does not look at failure modes. It considers over thirty Key Performance Indicators (KPIs) of the considered structure and predicts the causalities of the potential failure.
The algorithm follows the rule that failure is due to the compounded effect of various deficiencies. Some of these deficiencies are congenital defects that exist from project inception, e.g. boreholes that are too short, not enough effort put into the design, etc.
By doing so, ORE2_Tailings mimics the results of forensic investigations.
Thus, we cannot rely on our experience-based intuition, which is way too short.
We cannot put too much trust in knowledge gained through incomplete and oftentimes misleading knowledge either.
Using censored and simplistic failure modes to determine whether a failure can happen within required probability limits is wrong. Doing that is displaying technical arrogance.
Any scenario must be considered credible. The risk assessment methodology must be capable of filtering scenarios and leaving the low-risk ones out. No arbitrary decisions should enter into this filtering, so as to enable a clear risk mitigation roadmap.