Probabilistic Assessment of the Failure Risk of the Europa Clipper Spacecraft due to Radiations.

The Europa mission approved in 2019 is still in the development phase. It is designed to conduct a detailed reconnaissance of that moon of Jupiter as it could possibly support life as we know it. This article is based on a top-down approach (mission → system → subsystems → components) to model the probability of mission failure. The focus here is on the case where the (uncertain) radiation load exceeds the (uncertain) capacity of critical subsystems of the spacecraft. The model is an illustrative quantification of the uncertainties about (1) the complex external radiation environment in repeated exposures, (2) the effectiveness of the shielding in different zones of the spacecraft, and (3) the components' capacities, by modeling all three as dynamic random variables. A simulation including a sensitivity analysis is used to obtain the failure probability of the whole mission in forty-five revolutions around Jupiter. This article illustrates how probabilistic risk analysis based on engineering models, test results and expert opinions can be used in the early stages of the design of space missions when uncertainties are large. It also describes the optimization of the spacecraft design, taking into account the decisionmakers' risk attitude and the mission resource constraints.

Cyber Risk Management for Critical Infrastructure: A Risk Analysis Model and Three Case Studies.

Managing cyber security in an organization involves allocating the protection budget across a spectrum of possible options. This requires assessing the benefits and the costs of these options. The risk analyses presented here are statistical when relevant data are available, and system-based for high-consequence events that have not happened yet. This article presents, first, a general probabilistic risk analysis framework for cyber security in an organization to be specified. It then describes three examples of forward-looking analyses motivated by recent cyber attacks. The first one is the statistical analysis of an actual database, extended at the upper end of the loss distribution by a Bayesian analysis of possible, high-consequence attack scenarios that may happen in the future. The second is a systems analysis of cyber risks for a smart, connected electric grid, showing that there is an optimal level of connectivity. The third is an analysis of sequential decisions to upgrade the software of an existing cyber security system or to adopt a new one to stay ahead of adversaries trying to find their way in. The results are distributions of losses to cyber attacks, with and without some considered countermeasures in support of risk management decisions based both on past data and anticipated incidents.

Asteroid Risk Assessment: A Probabilistic Approach.

Following the 2013 Chelyabinsk event, the risks posed by asteroids attracted renewed interest, from both the scientific and policy-making communities. It reminded the world that impacts from near-Earth objects (NEOs), while rare, have the potential to cause great damage to cities and populations. Point estimates of the risk (such as mean numbers of casualties) have been proposed, but because of the low-probability, high-consequence nature of asteroid impacts, these averages provide limited actionable information. While more work is needed to further refine its input distributions (e.g., NEO diameters), the probabilistic model presented in this article allows a more complete evaluation of the risk of NEO impacts because the results are distributions that cover the range of potential casualties. This model is based on a modularized simulation that uses probabilistic inputs to estimate probabilistic risk metrics, including those of rare asteroid impacts. Illustrative results of this analysis are presented for a period of 100 years. As part of this demonstration, we assess the effectiveness of civil defense measures in mitigating the risk of human casualties. We find that they are likely to be beneficial but not a panacea. We also compute the probability-but not the consequences-of an impact with global effects ("cataclysm"). We conclude that there is a continued need for NEO observation, and for analyses of the feasibility and risk-reduction effectiveness of space missions designed to deflect or destroy asteroids that threaten the Earth.

Bayesian assessment of overtriage and undertriage at a level I trauma centre.

We analysed the trauma triage system at a specific level I trauma centre to assess rates of over- and undertriage and to support recommendations for system improvements. The triage process is designed to estimate the severity of patient injury and allocate resources accordingly, with potential errors of overestimation (overtriage) consuming excess resources and underestimation (undertriage) potentially leading to medical errors.We first modelled the overall trauma system using risk analysis methods to understand interdependencies among the actions of the participants. We interviewed six experienced trauma surgeons to obtain their expert opinion of the over- and undertriage rates occurring in the trauma centre. We then assessed actual over- and undertriage rates in a random sample of 86 trauma cases collected over a six-week period at the same centre. We employed Bayesian analysis to quantitatively combine the data with the prior probabilities derived from expert opinion in order to obtain posterior distributions. The results were estimates of overtriage and undertriage in 16.1 and 4.9% of patients, respectively. This Bayesian approach, which provides a quantitative assessment of the error rates using both case data and expert opinion, provides a rational means of obtaining a best estimate of the system's performance. The overall approach that we describe in this paper can be employed more widely to analyse complex health care delivery systems, with the objective of reduced errors, patient risk and excess costs.

Early technology assessment of new medical devices.

OBJECTIVES: In the United States, medical devices represent an eighty-billion dollar a year market. The U.S. Food and Drug Administration rejects a significant number of applications of devices that reach the investigational stage. The prospects of improving patient condition, as well as firms' profits, are thus substantial, but fraught with uncertainties at the time when investments and design decisions are made. This study presents a quantitative model focused on the risk aspects of early technology assessment, designed to support the decisions of medical device firms in the investment and development stages. METHODS: The model is based on the engineering risk analysis method involving systems analysis and probability. It assumes use of all evidence available (both direct and indirect) and integrates the information through a linear formula of aggregation of probability distributions. The model is illustrated by a schematic version of the case of the AtrialShaper, a device for the reduction of stroke risk that is currently in the preprototype stage. RESULTS: The results of the modeling provide a more complete description of the evidence base available to support early-stage decisions, thus allowing comparison of alternative designs and management alternatives. CONCLUSIONS: The model presented here provides early-stage decision-support to industry, but also benefits regulators and payers in their later assessment of new devices and associated procedures.

Engineering risk analysis of a hospital oxygen supply system.

Reports from the Food and Drug Administration (FDA) and the Joint Commission on Accreditation of Healthcare Organizations (JCAHO) have emphasized the potential for injury to patients caused by failures in oxygen supply systems. This article presents a model of patient risk related to the process of supplying oxygen at a single university hospital. One of the goals of the article is to illustrate how probabilistic risk analysis (PRA) can be used by hospitals to assess and mitigate risk and, therefore, to meet JCAHO requirements. PRA techniques are useful to 1) model the reliability of a complex system and 2) assess the cost-effectiveness of different risk mitigation measures. The authors focus on the risk estimation step, describing in detail their modeling of the oxygen supply system and analysis of the results. For the hospital that the authors study (20,000 admissions yearly), the total expected number of fatalities from oxygen system failure is 44 over a 30-year time horizon. The greatest contribution to the risk (94% of the expected number of fatalities) comes from problems that involve the supply network (e.g., damage to structure and poisoning) as opposed to incidents that occur inside patient rooms. Although the threat to patient safety is not dramatic, health care organizations should be concerned about potential failures of their oxygen system because improving this system could avoid low-probability, high-consequence failures at a low cost.

On the limitations of redundancies in the improvement of system reliability.

Some program managers share a common belief that adding a redundant component to a system reduces the probability of failure by half. This is true only if the failures of the redundant components are independent events, which is rarely the case. For example, the redundant components may be subjected to the same external loads. There is, however, in general a decrease in the failure probability of the system. Nonetheless, the redundant element comes at a cost, even if it is less than that of developing the first one when both are based on the same design. Identical parts save the most in terms of design costs, but are subjected to common failure modes from possible design errors that limit the effectiveness of the redundancy. In the development of critical systems, managers thus need to decide if the costs of a parallel system are justified by the increase in the system's reliability. NASA, for example, has used redundant spacecraft to increase the chances of mission success, which worked well in the cases of the Viking and Voyager missions. These two successes, however, do not guarantee future ones. We present here a risk analysis framework accounting for dependencies to support the decision to launch at the same time a twin mission of identical spacecraft, given incremental costs and risk-reduction benefits of the second one. We illustrate this analytical approach with the case of the Mars Exploration Rovers launched by NASA in 2003, for which we had performed this assessment in 2001.

Management Errors and System Reliability: A Probabilistic Approach and Application to Offshore Platforms.

Probabilistic risk analysis, based on the identification of failure modes, points to technical malfunctions and operator errors that can be direct causes of system failure. Yet component failures and operator errors are often rooted in management decisions and organizational factors. Extending the analysis to identify these factors allows more effective risk management strategies. It also permits a more realistic assessment of the overall failure probability. An implicit assumption that is often made in PRA is that, on the whole, the system has been designed according to specified norms and constructed as designed. Such an analysis tends to overemphasize scenarios in which the system fails because it is subjected to a much higher load than those for which it was designed. In this article, we find that, for the case of jacket-type offshore platforms, this class of scenarios contributes only about 5% of the failure probability. We link the PRA inputs to decisions and errors during the three phases of design, construction, and operation of platforms, and we assess the contribution of different types of error scenarios to the overall probability of platform failure. We compute the benefits of improving the design review, and we find that, given the costs involved, improving the review process is a more efficient way to increase system safety than reinforcing the structure.