2. Probabilistic interpretation of risk prediction for the effective use of "smart" systems

Because "smart" capabilities make it possible to forecast the future, we should examine the probabilistic view of event prediction, its scientific interpretation and, unfortunately, some existing illusory views. From the scientific point of view, when anticipating a dangerous development of events it is difficult to construct an adequate probability distribution function (PDF) [1–4] of the time between losses of system integrity. Damage can to some extent be estimated in practice (we will assume that deviations in such estimates can reach 100%). Therefore, leaving the estimation of possible damage outside this work, we concentrate on the probabilistic component of risk. What deviations in risk predictions are possible here? To answer this question, it is necessary to understand the typical metrics and engineering methods of risk prediction, to define the concept of "admissible risk" and the way it is used, and then to compare the various variants.

In practice, probabilistic estimates of system integrity losses are quite often replaced by the frequency of emergencies or of other adverse events. For example, with reference to safety, these can be the frequencies of the influences of different dangerous threats that lead to damage. That is, a frequency replaces an estimate of probability (the risk of losing system integrity during the prognostic period). Is this correct? From probability theory it is known that one characteristic of a given PDF is its mathematical expectation Texp. For the PDF of the time between losses of system integrity, the mathematical expectation is the mean time between neighboring losses of integrity Texp, and the frequency λ of system integrity losses equals 1/Texp. If in practice one is guided only by the frequency λ (ignoring the PDF), a large deviation may arise. Indeed, the probability that no loss of integrity has occurred by the moment Texp is 1.00 under a deterministic (discrete) approximation of the PDF but only e^-1 ≈ 0.37 under an exponential approximation; equivalently, the probability that the loss has already occurred by Texp is 0.00 versus about 0.63 (see Figure 2). That is, an erroneous choice of PDF among those characterized by the same λ may produce an enormous difference! On the one hand, this means that a probabilistic estimate of events guided only by the frequency λ is ambiguous; on the other hand, there is a strong need to search for (or create) a more adequate PDF of the time between losses of system integrity.

Today engineers often prefer the exponential PDF: R(t, λ) = 1 − exp(−λ·t). If, for example, for a prognostic period of 1 year λ is about 10^-3 per year or less, then by Taylor expansion R(t, λ) ≈ λ·t with an error of order (λ·t)^2 (the relative error of this approximation is about λ·t/2, so it grows linearly with λ·t). And if t = 1 year, the numerical value of the frequency practically coincides with the value of the probability. But as λ·t grows it can exceed 1 and, by definition, can no longer be interpreted as a probability at all. To summarize: focusing on probability is correct from the point of view of a universal risk metric, while focusing on frequency may be incorrect when λ·t is approximately more than 10^-3.

Figure 2. For the same λ, the probability that the event has not occurred by the moment Texp is 1.00 for the deterministic PDF approximation and about 0.37 for the exponential PDF approximation (so the probability that it has occurred is 0.00 versus about 0.63).

Probabilistic Methods and Technologies of Risk Prediction and Rationale of Preventive Measures by Using…

http://dx.doi.org/10.5772/intechopen.75109
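As an added illustration of the two points above (this code is not from the chapter), the following Python compares the frequency λ·t with the exponential probability R(t, λ) = 1 − exp(−λ·t), and then evaluates the probability of a loss by time t under three PDFs that all share the same λ = 1/Texp: the deterministic (degenerate) PDF, the exponential PDF and, as my own stand-in for a "more adequate" distribution, an Erlang-2 PDF with the same mean. The Erlang-2 choice and all numerical inputs are assumptions for illustration only.

```python
"""Added example (not from the chapter): how far the frequency λ·t is from the
probability of losing integrity, and how much the answer depends on the PDF.

Assumptions (mine, not the chapter's): the exponential model R(t, λ) = 1 - exp(-λ t)
from the text, a deterministic ("degenerate") PDF with all mass at Texp = 1/λ, and
an Erlang-2 PDF with the same mean as a stand-in for a "more adequate" PDF.
"""
import math


def risk_exponential(t, lam):
    """Exponential approximation used by engineers: R(t, λ) = 1 - exp(-λ t)."""
    return 1.0 - math.exp(-lam * t)


def risk_linear(t, lam):
    """First-order Taylor approximation R ≈ λ t; can exceed 1 for large λ t."""
    return lam * t


def relative_error_of_linear(t, lam):
    """Relative error of using λ t in place of 1 - exp(-λ t); grows like λ t / 2."""
    exact = risk_exponential(t, lam)
    return (risk_linear(t, lam) - exact) / exact


def risk_deterministic(t, lam):
    """Degenerate PDF: the loss happens exactly at Texp = 1/λ, never before."""
    return 1.0 if t >= 1.0 / lam else 0.0


def risk_erlang2(t, lam):
    """Erlang-2 PDF with mean 1/λ (rate 2λ, shape 2): CDF 1 - e^{-2λt}(1 + 2λt).
    Same λ as the exponential PDF, but almost no early losses (assumed here)."""
    x = 2.0 * lam * t
    return 1.0 - math.exp(-x) * (1.0 + x)


def compare_pdfs(t, lam):
    """Probability that integrity was lost by time t under each PDF with the same λ."""
    return {
        "deterministic": risk_deterministic(t, lam),
        "exponential": risk_exponential(t, lam),
        "erlang2": risk_erlang2(t, lam),
    }


if __name__ == "__main__":
    # Small λ t: frequency and probability practically coincide.
    print(relative_error_of_linear(1.0, 1e-3))          # about 5e-4
    # Larger λ t: the "frequency as probability" shortcut breaks down.
    print(risk_linear(1.0, 2.0), risk_exponential(1.0, 2.0))   # 2.0 vs about 0.865
    # Same λ, different PDF: at t = Texp and at t = 0.1 Texp the answers differ a lot.
    print(compare_pdfs(1.0, 1.0))                        # 0.0 / about 0.632 / about 0.594
    print(compare_pdfs(0.1, 1.0))                        # 0.0 / about 0.095 / about 0.018
```

The last two calls are the quantitative form of the ambiguity described above: three distributions with the identical λ give a loss probability of 0.00, 0.632 and 0.594 at t = Texp, and at t = 0.1·Texp the exponential estimate is more than five times the Erlang-2 one.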

The concept of "admissible risk" has special importance. The matter is that it should be the result of consent among all parties involved in an unsafe business, on condition that it does not ruin the business; it should be estimated and interpreted unequivocally by all of them (without excluding emergencies), and it should be scientifically substantiated. In practice the "admissible risk" is frequently interpreted as a "border strip," i.e., it is supposed that if the risk does not cross this "border strip," system integrity cannot be lost. In reality this is not so! A residual risk always remains. In operations research such restrictions are taken as the starting point for solving synthesis problems connected with the search for effective preventive measures that keep system integrity over the life cycle. The combined use of these measures helps to retain the risk at the admissible level. This is the typical approach, which should work correctly. And how does it work in practice?

Here it is quite pertinent to address the developed forms of the quantitative requirements connected with the level of admissible risk. The elementary forms of requirements are:

• "The frequency λ of system integrity losses should not exceed the admissible level λadm."

• "The probability of losing system integrity during the time Treq should not exceed the admissible level Radm(Treq)."

• Their combination.

What engineering explanations occur in practice? They are as follows:

• If the limitation is set on the admissible level of probability Radm(Treq), it means that crossing the "border strip" should not occur on the time interval from 0 to Treq. For the exponential approximation there is an unequivocal functional dependence: λadm = −ln(1 − Radm(Treq))/Treq. That is, a given value of the admissible probability Radm(Treq) corresponds unequivocally to a value of the maximum admissible frequency of system integrity losses.

• If the limitation is set on the admissible level of the maximum frequency of system integrity losses λadm, it means that for the exponential approximation the probability is considered as a function of time t: R(t, λadm) = 1 − exp(−λadm·t). That is, this is the same "border strip," but in the form of a function of t and without an explicit binding to the value Treq. It is logical to interpret this level of limitation by the function R(t, λadm) as "admissible" for the whole period of time from 0 to t. Conversely, an admissible risk given at a single point, Radm(Treq) for the time Treq, may be prolonged to the level of a whole PDF by the exponential distribution with the admissible frequency of system integrity losses λadm = −ln(1 − Radm(Treq))/Treq. It is convenient, but is it adequate? In reality, the vision of an exponential PDF for the behavior of a "smart" system may be roughly erroneous (see Figure 3).

Despite the obvious incompleteness of these elementary forms of requirements to "admissible risks" (in reality they are limitations only at one or several points) and the absence of any interrelation with the form of the real PDF of the time between losses of system integrity (which depends on many parameters: the structure of the system, the heterogeneity of threats, the different measures of counteraction to threats, etc.), these forms have been accepted by the engineering community. In the further statement of this work we will be guided by these elementary forms of requirements to "admissible risks." They also allow latent knowledge to be extracted from the results of adequate probabilistic modeling.

Probabilistic Modeling in System Engineering
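The two engineering explanations above amount to a conversion rule between λadm and Radm(Treq) plus a check of a candidate PDF against the "border strip." As an added example (not the chapter's own code), the following Python implements both conversions under the exponential assumption and checks two candidate PDFs with the same λ against the point form and the function-of-t form of the requirement. The Erlang-2 candidate, the values Radm(Treq) = 0.01, Treq = 1 year and λ = 0.02 per year, and the grid-based check are my assumptions for illustration.

```python
"""Added example (not from the chapter): converting between the two elementary
forms of the admissible-risk requirement under the exponential assumption, and
checking whether a candidate PDF (given by its CDF R(t)) stays under the
"border strip". The Erlang-2 candidate and all numbers are my assumptions.
"""
import math


def lambda_adm_from_prob(r_adm, t_req):
    """Point limitation R_adm(T_req) -> admissible frequency under the exponential
    PDF: solve 1 - exp(-λ T_req) = R_adm for λ."""
    if not 0.0 <= r_adm < 1.0:
        raise ValueError("R_adm must be in [0, 1)")
    return -math.log(1.0 - r_adm) / t_req


def prob_adm_from_lambda(lambda_adm, t):
    """Frequency limitation λ_adm -> admissible probability as a function of t."""
    return 1.0 - math.exp(-lambda_adm * t)


def exponential_cdf(lam):
    """R(t) for the exponential PDF with frequency λ."""
    return lambda t: 1.0 - math.exp(-lam * t)


def erlang2_cdf(lam):
    """Same mean 1/λ as the exponential PDF, but almost no early losses
    (assumed here as a stand-in for a more adequate PDF)."""
    return lambda t: 1.0 - math.exp(-2.0 * lam * t) * (1.0 + 2.0 * lam * t)


def meets_point_limit(cdf, t_req, r_adm):
    """Requirement 2: probability of a loss within T_req must not exceed R_adm(T_req)."""
    return cdf(t_req) <= r_adm


def meets_strip_limit(cdf, lambda_adm, t_max, steps=1000):
    """Requirement 1 read as a function of t (the 'border strip'): R(t) must stay
    at or below 1 - exp(-λ_adm t) for every t in (0, t_max]. Checked on a grid."""
    for i in range(1, steps + 1):
        t = t_max * i / steps
        if cdf(t) > prob_adm_from_lambda(lambda_adm, t) + 1e-12:
            return False
    return True


def residual_risk(cdf, t_req):
    """The 'border strip' never makes the risk zero: this is what remains at T_req."""
    return cdf(t_req)


if __name__ == "__main__":
    # Requirement stated as a point: R_adm(T_req = 1 year) = 0.01.
    lam_adm = lambda_adm_from_prob(0.01, 1.0)                    # about 0.01005 per year
    # A system with λ = 0.02/year violates the point limit under the exponential PDF...
    print(meets_point_limit(exponential_cdf(0.02), 1.0, 0.01))   # False
    # ...but an Erlang-2 PDF with the very same λ = 0.02 satisfies it (about 0.00078 < 0.01).
    print(meets_point_limit(erlang2_cdf(0.02), 1.0, 0.01))       # True
    # The strip check over 0..T_req, which is what the λ_adm form really demands:
    print(meets_strip_limit(erlang2_cdf(0.02), lam_adm, 1.0))    # True
    print(meets_strip_limit(exponential_cdf(0.02), lam_adm, 1.0))  # False
    print(residual_risk(erlang2_cdf(0.02), 1.0))                 # about 0.00078, not 0
```

The strip check deliberately samples the whole interval rather than only the endpoint: a PDF can pass the point form at Treq and still cross the border strip earlier, which is exactly the gap between the two elementary forms noted above. The last value is the residual risk that remains even when every requirement is met.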

Today, safety specifications in different fields characterize the frequency λ of system integrity losses at the level of 10^-3–10^-7 times a year. As a matter of fact, 10^-3 times a year is one dangerous event per 1000 years, i.e., it cannot be tested within the system's life! In practice it can only be estimated by means of mathematical and/or physical modeling. And from statistics we know only that in Russian oil and gas industry systems there are thousands of emergencies annually, while the number of incidents with an acceptable outcome (i.e., with the emergency prevented) is usually a hundred times greater!

Accordingly, an important question arises: which frequencies of system integrity losses should be used for risk predictions, and where do they come from? If these are only the frequencies of emergencies, the predicted risks will be essentially underestimated! These final frequencies are an output of modeling rather than input data for it. Please estimate: if one is guided by these frequencies and takes into account that 50–70% of failures are the result of the "human factor," it would mean that the frequency of critical errors due to the "human factor" in such systems is about once in a thousand years! However, that is not so in real life: errors are committed much more often. But they are under control, and the majority of them are corrected in due time. As a consequence of these counteraction measures, the required system integrity (including safety) is achieved. The answer is obvious: the frequency λ of system integrity losses used in risk predictions should itself be computed from the results of probabilistic modeling. Indeed, for adequate risk prediction what matters is the frequency of all primary incidents (including incidents neutralized thanks to control measures, maintenance and timely reaction to the initial signs of threat development).

Figure 3. About the erroneous vision of the exponential PDF approximation instead of a more adequate approximation.

Consideration of the "smart" system's capabilities for proactive diagnostics of system integrity, monitoring of conditions and recovery of lost integrity allows a more adequate PDF to be created for risk predictions. In Figure 4 the limitations on admissible risks, a fragment of the exponential PDF and an adequate PDF of the time between losses of system integrity with the identical frequency of system integrity losses are demonstrated. The errors in comparison with the vision in Figure 3 are noted.

Figure 4. The possible variants of correlation between the limitations on admissible risks, the exponential PDF and an adequate PDF of the time between losses of system integrity with the identical frequency of system integrity losses λ.

An example in which all requirements to admissible risk are met is presented in Figure 5. It is the right understanding of the probabilistic vision of event prediction with scientific interpretation, considering the situations in Figure 4.

Figure 5. All requirements to admissible risk are met for an adequate PDF of the time between losses of system integrity.

3. Some basic probabilistic models for risk prediction

Considering the capabilities of "smart" systems, two general technologies for providing protection in different spheres are described: proactive periodic diagnostics of system integrity (technology 1) and, additionally, monitoring between diagnostics (technology 2), including recovery of integrity [2–3, 6–10]. These models allow a more adequate PDF of the time before the next event of lost integrity to be created.

3.1. The models for systems that are presented as one element ("black box")

Technology 1 is based on proactive diagnostics of system integrity that are carried out periodically to detect the occurrence of a danger in the system or the consequences of negative influences. Lost system integrity can be detected only as a result of diagnostics, after which the recovery of integrity is started. A dangerous influence on the system acts step by step: first a danger occurs in the system, and then, after its activation, it begins to exert influence. System integrity cannot be lost before an occurred danger is activated. A danger is considered to be realized only after it has been activated and has influenced the system. Otherwise, the danger will be detected and neutralized during the next diagnostic.

Note: it is supposed that the diagnostic tools used allow system integrity to be recovered after the detection of dangers that have occurred in the system or of the consequences of influences.

Technology 2, unlike the previous one, implies that operators, alternating with each other, track system integrity between diagnostics. On detecting a danger, an operator recovers system integrity (the ways of removing dangers and recovering the system are the same as for technology 1). Faultless operator actions provide the neutralization of a danger. When a complex diagnostic is periodically performed, the operators are alternated at that time. The occurrence of a danger is possible only if an operator makes an error, and a dangerous influence occurs if the danger is activated before the next diagnostic.

The probability of system operation with the required safety and quality within the given prognostic period (i.e., the probability of success) may be estimated as a result of using the following models for technologies 1 and 2. Assumption: for all time input characteristics, the probability distribution functions exist. Risk R(Treq) to lose integrity (safety, quality, or separate property,

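The argument above that the frequency λ of integrity losses must come out of probabilistic modeling of all primary incidents and their counteraction, together with the descriptions of technologies 1 and 2, can be made concrete with a small model. The following Python is an added example, not the chapter's own models or formulas. It assumes Poisson occurrence of dangers at rate σ (all primary incidents, not only those that became emergencies), an exponential activation delay with mean β, diagnostics every Td that remove every danger not yet activated, and, for technology 2, that only an operator error (probability p) lets a danger into the system. Under those assumptions the survival function has a closed form, the hazard starts at zero after each diagnostic (so the resulting PDF of the time to a loss is not exponential), and the output λ is σ scaled by the fraction of dangers that activate before the next diagnostic. All numerical inputs are constructed.

```python
"""Added example (not from the chapter): a closed-form model of technology 1
(periodic diagnostics) and technology 2 (operator monitoring between diagnostics)
showing that the frequency of integrity losses is an *output* computed from the
frequency of all primary incidents, not an input.

Modeling assumptions (mine; the chapter's own formulas are not reproduced here):
  * dangers occur in the system as a Poisson process with rate sigma;
  * each occurred danger activates after an exponential delay with mean beta,
    and integrity is lost at the moment of activation;
  * diagnostics run every t_diag and remove every danger that has not yet
    activated (technology 1);
  * in technology 2 an operator between diagnostics lets a danger through only
    on error, so the effective occurrence rate is sigma * p_operator_error.
"""
import math


class PeriodicDiagnosticsModel:
    def __init__(self, sigma, beta, t_diag, p_operator_error=1.0):
        self.sigma_eff = sigma * p_operator_error   # technology 1: p = 1.0
        self.beta = beta
        self.t_diag = t_diag

    def _lethal_mean(self, tau):
        """Expected number of dangers that occur AND activate within tau time units
        after a diagnostic: sigma_eff * integral_0^tau (1 - exp(-(tau - u)/beta)) du."""
        return self.sigma_eff * (tau - self.beta * (1.0 - math.exp(-tau / self.beta)))

    def hazard(self, tau):
        """Instantaneous loss rate tau after a diagnostic. It starts at 0 and climbs
        towards sigma_eff, unlike the constant hazard of the exponential PDF."""
        return self.sigma_eff * (1.0 - math.exp(-tau / self.beta))

    def survival(self, t):
        """Probability that integrity is not lost during [0, t]. Every diagnostic
        interval starts fresh because the surviving dangers are removed."""
        k, rem = divmod(t, self.t_diag)
        per_interval = math.exp(-self._lethal_mean(self.t_diag))
        return per_interval ** int(k) * math.exp(-self._lethal_mean(rem))

    def risk(self, t_req):
        """R(T_req): probability of at least one loss of integrity within T_req."""
        return 1.0 - self.survival(t_req)

    def loss_frequency(self):
        """Output frequency λ of integrity losses (per unit time): sigma_eff times
        the fraction of dangers that activate before the next diagnostic."""
        return self._lethal_mean(self.t_diag) / self.t_diag


def naive_risk_from_primary_frequency(sigma, t_req):
    """What one gets by plugging the primary incident frequency straight into the
    exponential formula as if it were λ: all counteraction is ignored."""
    return 1.0 - math.exp(-sigma * t_req)


if __name__ == "__main__":
    # Constructed inputs: 10 primary incidents/year, mean activation delay 0.05 year,
    # weekly diagnostics (0.02 year); operators let through 10% of dangers.
    tech1 = PeriodicDiagnosticsModel(sigma=10.0, beta=0.05, t_diag=0.02)
    tech2 = PeriodicDiagnosticsModel(sigma=10.0, beta=0.05, t_diag=0.02,
                                     p_operator_error=0.1)
    print("lambda, technology 1:", tech1.loss_frequency())   # about 1.76 per year, not 10
    print("lambda, technology 2:", tech2.loss_frequency())   # about 0.18 per year
    print("R(1 year):", tech1.risk(1.0), tech2.risk(1.0))
    print("hazard right after a diagnostic:", tech1.hazard(0.0))   # 0.0
    print("naive exponential with sigma as lambda:",
          naive_risk_from_primary_frequency(10.0, 1.0))        # about 0.99995
```

With the constructed inputs, λ for technology 1 is about 1.76 losses per year against 10 primary incidents per year, and about 0.18 per year for technology 2; feeding σ directly into the exponential formula would instead predict an almost certain loss within the year. Shortening Td drives λ towards zero, while letting β shrink towards zero (instant activation, so diagnostics can never catch a danger in time) drives λ back up to σ, which is the sanity check one would run before trusting the model.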