
Pay-off between risk, reliability and remaining life OMMI (Vol. 1, Issue 3) Dec. 2002

Managing the pay-off between risk, reliability and remaining life – weighting the consequences
J M Brear, P Jarvis and C J Middleton
Stress Engineering Services (Europe) Ltd., 28 Ember Lane, Esher, Surrey KT10 8EP, UK

Abstract
Practical implementation of a risk-based assessment procedure has led to an investigation into
the methods of treating hazard consequences at the qualitative and semi-quantitative levels.
These differences are seen to accord with both subjective (consequence aversion) and
objective (financial limit) criteria. Formal methods of applying consequence weighting to the
risk tolerability line on a probability-consequence graph are proposed. In particular,
Bernoulli’s concept of ‘utility’ is seen to provide useful insights.

Introduction
In everyday usage, terms such as ‘risk’, ‘probability’, ‘likelihood’, and ‘hazard’ have
considerable semantic overlap – and to some extent this confusion extends into the technical
literature. This paper follows the stricter usage now established in the risk-management
sciences. Here, ‘hazard’ refers to an event or situation, actual or hypothetical, which leads to
danger or loss – whether to life, to environment, to equipment or to business. The first stage
in any risk assessment is to identify all hazards. Each must then be considered in terms of its
contribution to the overall risk borne by the system, by determining the consequences that
arise should the hazardous event take place and the chance of it so doing. Current risk
philosophies often measure the consequences in absolute financial terms, with all impacts -
human, environmental, engineering and business - reduced to the common denominator of
money. It is useful, but not yet universal, to use the term ‘likelihood’ where the chance is
estimated qualitatively and ‘probability’ where it is calculated with some rigour.

Recently, considerable effort has been spent on practical methods of determining likelihood or
probability values for use in formal risk assessments (Jovanovic et al, 2001). These range
from detailed workbook approaches for qualitative and semi-quantitative assessment (API,
2000) through to rigorous probabilistic analyses for particular components or mechanisms
(Church et al, 2001; Williamson et al 2000; Wood et al, 2000). Whilst good progress has
been made, probability determination for rare events is inevitably difficult and this can
become an issue where the consequences are large – e.g. large accidents in nuclear power
plants or gross structural failures.

Within the engineering community, consequence determination has been treated less
consistently. Incidents involving release of toxic, inflammable or explosive fluids have been
addressed in detail – as much of the evaluation depends on strict engineering criteria, such as
hole-sizes, pressures, and release rates. The financial evaluation is in most cases handled in
broad terms or left to other experts.

As the total risk assessment process addresses the interaction between probability and
consequence, it is necessary to have a consistent approach to the evaluation of both
parameters. This paper addresses some aspects of this, particularly with regard to
consequences, and was prompted by an investigation into apparent inconsistencies that arose
when progressing from qualitative to quantitative analysis methods.

Qualitative and semi-quantitative approaches


Qualitative approaches – exemplified by API

Qualitative approaches to risk assessment are usually based on formalisations of accumulated
experience and simple, but robust principles. Whether computerised or paper-based,
experience has shown them to be straightforward in application and to meet reasonable
demands in terms of repeatability and reproducibility. An excellent example, though limited
in application to certain classes of hazard in a particular industry, is afforded by the American
Petroleum Institute’s Recommended Practices RP 580, 581 (API, 2000). A set of rules guides
the practitioner in identifying hazards and assigning likelihood and consequence classes to
each. A matrix, as shown in the left hand side of Fig. 1, then defines the risk level associated
with each combination of likelihood and consequence. Risk levels are graded subjectively
and colour-coded on the matrix. It is perhaps in the configuration of this matrix that the
highest dependence on experience and engineering judgement occurs in this procedure, not on
the part of the practitioner - for whom it is simply a look-up tool - but in its original
formulation.

A particular feature is the marked degree of asymmetry of the matrix, which is obvious on
inspection. This indicates that the likelihood and consequence axes are weighted differently
in the risk evaluation. It also has the result that at certain points on the matrix, an increment
of one unit in probability and consequence can result in a progression of two steps in risk
level. Clearly, the philosophic soundness of this deserves investigation.

Semi-quantitative approaches – exemplified by ASME

Progression to a semi-quantitative assessment level, for those items found to be at too high a
risk level in the qualitative phase of the assessment, may be done in two ways. A simplified
probability calculation may be applied but, as this usually takes as much time and effort as its
more rigorous counterpart, and as routes have not been established for all hazards, this is not
often done. Nevertheless if a semi-quantitative assessment is desired then the classes
determined in the qualitative assessment may be simply mapped onto probability and cost
bands. The ASME guidelines for risk-based inspection and in-service testing (ASME 1991,
1994, 2000) provide tables to assist in doing this, shown here as Tables 1, 2.

These probability and cost bands can also be superimposed onto the API risk matrix as shown
by the right hand side of Fig. 1, with the risk value, as derived from the ASME tables, being
calculated according to the usual product formula:

risk (of event i) = probability (of event i) * consequence (of event i)

The resulting numerical values have a symmetrical distribution when allowance is made for
the step in each of the axes.

Comparison of the matrices

It is clear from the superimposed matrices (right-hand side of Fig. 1) that each qualitative
class contains a wide range of semi-quantitative risk values. A significant practical result of
this is that on progressive refinement of a risk assessment, a number of hazards can have their
risk ranking reduced considerably. Whilst one might expect to benefit from such reductions
in calculated risk as more detailed information and less conservative methods are employed, it
is not desirable to find such changes resulting solely from differences in the underlying logic.

Consequence weighting
Observations

The asymmetry of the API matrix, remarked upon earlier, seems to lie at the root of this
apparent difference between the API and ASME risk estimates. The API matrix appears to
weight consequence more heavily than a simple product formula would suggest, particularly
at lower likelihood levels. This becomes very apparent when the matrix of Fig. 1 is plotted on
strict numeric axes, Fig. 2. There are several reasons why this consequence weighting might
arise, and why it might be reasonable.

The first reason is related to the subjective aspect of risk perception, where it is common to
perceive a low-probability, high-consequence event as more significant than one of high
probability and low consequence, with equivalent calculated risks. Thus rare, major aircraft or
rail accidents attract more public concern than do common motor vehicle accidents, for
example. A simple method of dealing with this ‘consequence aversion’ is to impose
‘tolerability limits’ on probability and consequence individually in addition to the limit on
risk. This formalises the concept that there are rare events of such consequence and frequent
events of such nuisance that they must be designed out or otherwise eliminated. The
flattening-off of the risk bands on the low likelihood side of the API matrix may in part reflect
this tendency.

A second reason arises from the limits of experience. Whilst low-likelihood, high-
consequence events are, unfortunately, well known, they do not occur in such number as
would allow their true frequencies to be determined. Likelihoods must therefore be estimated
a priori and such estimates may be subject to order-of-magnitude errors. It has been cynically
suggested that the limiting case of Bayes’ theorem is the credibility that hindsight gives to the
processes that led to an event that a priori could occur “only under incredible circumstances”.
Prudence would therefore require that risk tolerance should not be allowed to rise beyond the
levels that lie within direct experience. In this respect also, the horizontal trend of the API
class boundaries at likelihoods below ~10⁻⁵ seems reasonable.

The above arguments are largely based on subjective and experiential criteria. The third
reason relates more directly to the nature of the consequence itself. Resources are limited,
and there are hazards that, however rare, would lead to financial ruin of the responsible party
should they occur. Any thorough risk analysis must ensure that, within the bounds of present
knowledge, no financially crippling hazards are tolerated. Once this fact is recognised,
however, it becomes clear that the limits on tolerable consequence are dependent on the
economic situation of the risk-carrying company, as well as on the nature of the hazard. Thus
a main steam-line failure that would be expensive, but not financially ruinous, to a large
utility may force a single-station company out of business. A true risk analysis must address
this, and will accordingly require customisation of the consequence calculations.

The probability-consequence product defines risk in terms of the expected cost. Over a large
number of hazards where the individual cost-consequences are small compared with the
available financial resources, then this gives a reasonable guide to the balance between budget
and tolerable risk. However, the actual cost due to a hazard is either zero, if it is not realised,
or the full consequence if it does occur. Where the consequence of an individual hazard is
comparable to, or larger than, the available financial resource, then the tolerability limit is
better defined by consequence alone.

Approaches to the modelling of consequence-weighting

Weighting the consequence element in a risk calculation thus appears to have a reasonable
basis in both principle and practice. It is reflected in the configuration of the API qualitative
risk matrix, but not in the simple product definition of risk that is used in semi- and fully
quantitative calculations. What models are available upon which to base a consistent
procedure for consequence weighting?

The most straightforward is a simple set of consequence cut-off limits, based on the API
matrix and adapted where necessary to any particular economic circumstances. This directly
reflects the ‘tolerability limit’ idea discussed above.

A more sophisticated method is to re-introduce the concept of ‘utility’, a scaling of the
consequence to the resources of the affected entity. This idea was originally developed by
Bernoulli (1738, see also Kraitchik, 1943, and Bernstein, 1996). In the context of positive
outcomes, Bernoulli proposed that the utility of a benefit is not absolute, but is inversely
proportional to the current wealth of the recipient – a Euro gained provides a greater benefit to
a poor man than to a rich one. A simple extension of this concept to risk assessment leads to a
scaling of the consequence axis to the resources of the risk carrier:

risk (of event i) = probability (of event i) * consequence (of event i) / financial resources

In this way, identical events with identical probabilities and cost-consequences would
generate different risk values, depending on their significance to the production capacity or
capital resources of the company concerned. This should produce a more consistent
approach to risk management than the current tendency to address this issue by modifying the
tolerability limit on risk according to local circumstances.

However, whilst it highlights those hazards that could lead to ruin, this method distorts the
tolerable costs associated with routine maintenance and inspection. For a given item, the
maintenance cost is largely independent of the economic situation of the owner. Resolving
this requires a little more mathematics, and the introduction of two economic criteria.

Taking Bernoulli’s concept that a benefit (or disbenefit) is proportional to the current
resource, so that:

Benefit = d$ / $

It follows that an event that produces a change in bank balance from $a to $b will have an
overall benefit of:
∫ d$ / $ = ln (b / a)

For an entity with a total realisable resource B, that incurs an event with absolute cost C, then
the effective consequence-cost, Ceff becomes:

Ceff = B . ln ( B / (B – C))

Using the effective consequence-cost, rather than the absolute cost, generates a tolerability
line on a consequence-likelihood graph that becomes asymptotic to a value of B at low
likelihood levels. Keeping the basic product definition, the whole tolerability limit becomes:

RT = L . B . ln ( B / (B – C))

This defines a likelihood–consequence, L-C, locus in terms of two financial criteria, the total
realisable resource, B, and a per-item maintenance budget, RT. This latter corresponds to a
traditional tolerable risk and represents the money which the risk carrier budgets to spend; the
former is the maximum available to spend should the very worst happen. The overall curve
shows a smooth transition between the simple product form and the consequence cut-off.

Figure 3 takes this model and applies it to the comparative data of Fig. 2. Loci of this form
are seen to separate the risk classes reasonably well. The values of B and RT required are
given in Table 3; their reasonableness is left as a matter for judgement. It might be expected
that the values of RT should be broadly independent of the risk carrier, but those of B should
vary with his economic size.

Plotting an individual hazard within these bands indicates whether its tolerability is governed
by planned budgets or by emergency reserves, and what financial resources would actually be
required.

The above model seems to provide a sound approach to providing quantitative risk tolerability
limits that are consistent with the qualitative approach of API 580, 581. Practical use would
involve plotting individual hazards according to the simple product of their absolute cost-
consequence and their probability, as is current practice, but evaluating them against
tolerability limits calculated according to the Bernoulli model, rather than a simple product
formula.
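
The tolerability check described above, as an added Python example (not code from the paper): it judges hazards against the Bernoulli loci using the fitted B and RT values of Table 3. The function names and the two sample hazards are constructed for illustration; the hazards take their likelihood and loss values from the ASME bands of Tables 1 and 2.

```python
import math

# Table 3 of the paper: fitted budget RT and reserve B for each class
# boundary, highest boundary first. The class named is the one above the line.
BOUNDARIES = [
    ("Very high", 1_000_000, 1_000_000_000),
    ("High", 1_000, 100_000_000),
    ("Medium", 10, 1_000_000),
    ("Low", 0.1, 30_000),
]


def effective_cost(C, B):
    """Ceff = B * ln(B / (B - C)); unbounded once the cost reaches the reserve."""
    if C >= B:
        return math.inf
    return -B * math.log1p(-C / B)  # log1p keeps precision when C << B


def tolerable_consequence(L, RT, B):
    """Invert RT = L * Ceff: the largest absolute cost C tolerable at likelihood L."""
    return -B * math.expm1(-RT / (L * B))


def risk_class(L, C):
    """Class of a hazard plotted at (L, C), judged against the Bernoulli loci."""
    if L <= 0:
        raise ValueError("likelihood must be positive")
    for name, RT, B in BOUNDARIES:
        if L * effective_cost(C, B) > RT:
            return name
    return "Very low"


# Constructed hazards on the ASME bands of Tables 1 and 2; both have the same
# simple product risk, L * C = 100.
HAZARDS = {
    "frequent, minor": (1e-2, 1e4),
    "rare, major": (1e-6, 1e8),
}

if __name__ == "__main__":
    for label, (L, C) in HAZARDS.items():
        print(f"{label}: L*C = {L * C:g}, class = {risk_class(L, C)}")
    # The High/Medium locus follows C = RT / L at high likelihood and
    # flattens towards C = B at low likelihood.
    _, RT, B = BOUNDARIES[1]
    for L in (1.0, 1e-4, 1e-10):
        print(f"High/Medium locus at L={L:g}: C = {tolerable_consequence(L, RT, B):.4g}")
```

The two hazards carry the same expected cost but fall in different classes, because the rarer one has a cost equal to the reserve B of the High / Medium boundary.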

This works well for the low likelihood, high consequence events of greatest concern. To
address less extreme or less controllable events, it has been proposed (Sutton, 1992) that the
risk be calculated as the product of the probability and the consequence raised to a weighting
power, P, in the range 1.2-1.5:

risk (of event i) = probability (of event i) * consequence (of event i)^P

Though no theoretical basis has been proposed for this modified definition, it does provide a
simple way of weighting consequences in the intermediate range, where financial ruin is
unlikely, but a series of higher consequence events may still have a disproportionate effect.

In the context of production plant, this formulation suggests that small, more frequent losses
are easier to tolerate than rarer, larger ones. This is reasonable, since the former could be
managed by adequate reserve storage or a small level of over-capacity, while the latter could
lead to large secondary effects such as the loss of a key customer. Weighting of the
consequence factor in this way can therefore also be justified on strictly objective grounds.
Sutton’s suggestion requires further study. It could readily be integrated with the Bernoulli
model.

Consequence jump
Another phenomenon that arises from time to time is the jump in consequence level that takes
place as the likelihood of an event is revised upwards – through practical experience or
improved estimation. Two related situations can cause this.

It may often be cost-effective to deal with isolated, lower-consequence failures by addressing
the symptoms. However, if the frequency increases with time it becomes advantageous to
identify and eliminate the underlying cause. Thus occasional boiler tube leaks are simply
repaired, but frequent failures lead to an investigation into water chemistry and firing
conditions. There comes a point at which the higher immediate cost of identifying the root
cause and then rectifying it is rewarded by a significant reduction in future risk.

Similarly, the realisation that separate failures – often at different sites or even in different
operating companies – are manifestations of a type fault or other common-cause phenomenon
may well indicate that the total consequence is greater than if they were unrelated
incidents.

Such a phenomenon is not always bad news, as a radical solution to a problem may well have
considerable benefit in reduced future risk, by eliminating a hazard – or significantly reducing
its probability of occurrence. This is exemplified by the following life assessment and
maintenance management study for a reheater tube bank on a natural gas fired station with
approximately 40 000h service. Full details of the background and method are given by Brear
et al (1988, 1997). The prime objective was to estimate the remaining life of the tube bank
using historical operational data and off-line measurements of fireside and steamside
corrosion rates, supplemented by tube specific creep data obtained by mechanical testing of
removed samples. As a secondary objective, the sensitivity of remaining life to the frequency
of chemical cleaning of the internal oxide was determined. Figure 4 shows cumulative
failure probability curves predicted for various chemical cleaning intervals. The results
indicate that the greatest benefit was obtained with a 30 000 hour interval, which substantiated
the existing, experience based, practice. However when consideration was given to the total
cost of the three cleans necessary to ensure the desired service life, it became apparent that
total replacement of the tubes with an upgraded, more corrosion resistant, material was not
only cheaper, but less disruptive to operation and less demanding on future maintenance and
inspection. The obvious decision was made.

Conclusions
Apparent discrepancies between the qualitative and semi-quantitative risk evaluation
procedures have highlighted the need for consequence weighting to be considered seriously.
For low-likelihood, high-consequence hazards, the Bernoulli utility concept allows a
reasonable modification to the simple probability-consequence product formula. For
intermediate events, Sutton’s suggestion, which indicates that the consequence should be
raised to a power of between 1.2-1.5 in the risk assessment formula, warrants further
investigation. The existence of a similar rational basis for absolute limits on probability
should also be explored.

Any rigorous risk assessment should:

• Apply consistent methods at all levels, particularly with regard to consequence
estimation
• Apply consequence weighting to the tolerability limits. The individual hazards should
still be plotted in terms of actual probability and cost-consequence.
• Address the total financial constraints on the risk-carrier, not merely his working
budget
• Explore all consequence options, the expensive ones may prove cheaper in the long
run

Acknowledgements
This paper is published with the permission of the Directors of Stress Engineering Services
(Europe) Ltd. Thanks are due to numerous colleagues, in various organisations, for
stimulating discussions – in particular to P Auerkari and A S Jovanovic. One of the authors
(JMB) would like to thank his parents for introducing him, many years ago, to Kraitchik’s
book.

References
API Recommended Practice RP 580, ‘Risk-Based Inspection’, Draft #2, May 2000, American
Petroleum Institute
API Recommended Practice RP 581, ‘Base Resource Documentation - Risk-Based
Inspection’, May 2000, American Petroleum Institute
ASME Centre for Research and Technology Development, ‘Risk based inspection -
development of guidelines’
Vol. 1 General document CRTD-Vol 20-1, 1991
Vol. 3 Fossil fuel fired electric power generating station applications CRTD-Vol 20-3, 1994
American Society of Mechanical Engineers, New York.
ASME Centre for Research and Technology Development, ‘Risk based in-service testing -
development of guidelines’
Vol. 1 General document CRTD-Vol 40-1, 2000 ISBN: 0-7918-1224-3
American Society of Mechanical Engineers, New York.
Bernoulli, D. “Specimen theoriae novae de mensura sortis”. Commentarii Academiae
Scientiarum Imperialis Petropolitanae, Vol. 5, 1738
(“Exposition on a new theory of the measurement of chance”. Papers of the Imperial
Academy of Sciences, St. Petersburg, Vol 5, 1738)
Bernstein, P.L. ‘Against the Gods – the remarkable story of risk’. John Wiley, New York,
1996. ISBN: 0-471-29563-9
Brear, J.M., Williamson, J., Cane, B.J., Jones, G.T. and Leavy, K. "Predictive evaluation of
superheaters and reheaters - a probabilistic treatment”, VGB, KEMA, CRIEPI, EPRI
International Conference 'Life Assessment and Extension’, The Hague, The Netherlands, June
1988
Brear, J.M., Jones, G.T., Jarvis, P. and Sanders, J. “On-line monitoring of power plant
components”, ERA Conf ‘Engineering Asset Management for Utilities, Industry and
Commerce’, London, 7-8 October 1997. Paper 3.7
Church, J.M., Lim, L-B., Brear, J.M., Jarvis, P. and Lant, R.P.D. “Crack growth modelling
and probabilistic life assessment of coke drums operating under fatigue conditions”, Second
HIDA Conf ‘Advances in Defect Assessment in High Temperature Plant’, MPA, Stuttgart,
Germany, October 2000, Paper S8-2. Int J Pressure Vessels and Piping, Vol 78, Issues 11-12,
Nov/Dec 2001, pp.1011-1020
Jovanovic, A., Auerkari, P., Brear, J.M. “Introducing risk-related issues into power plant
component life assessment based on code calculations and inspection and monitoring results”,
Baltica 5, Helsinki, June 2001
Kraitchik, M. ‘Mathematical Recreations’. George, Allen and Unwin, Ltd., London, 1943.
Sutton, I.S. ‘Process Reliability and Risk Management’. Van Nostrand Reinhold, New York,
1992. ISBN: 0-442-00174-6
Williamson, J. and Brear, J.M. “Risk based life management of catalyst tubes and pigtails”,
Fourth Annual Ammonia & Urea Conf ‘Asia 2000’, Singapore, June 2000
Wood, M.I., Lant, R.P.D. and Brear, J.M. “Quantitative Risk Assessment and its Role in
Plant Maintenance Decisions”, IMechE Conf ‘Power Station Maintenance 2000’, St.
Catherine’s College, Oxford, September 2000

Table 1 - ASME estimates of failure probability

| Definition: an off-normal initiating event that may be expected to occur | Failure probability, per year |
|---|---|
| more than once during the lifetime of the component | 10⁻¹ |
| once during the lifetime of the component | 10⁻² |
| not during the lifetime of the component, but is considered possible when integrated over all components | 10⁻⁴ |
| rarely | 10⁻⁶ |
| only under incredible circumstances | 10⁻⁸ |

Table 2 - ASME estimates of failure consequences

| Definition | Estimated loss, $US |
|---|---|
| Potential of significant off-site and system or facility costs. Potential for significant litigation | 1,000,000,000 |
| Major forced shutdown, significant system or facility costs. Potential for litigation | 100,000,000 |
| Unscheduled loss of system or facility. Significant component related costs | 10,000,000 |
| Repair can be deferred until next shutdown. Some component related costs | 100,000 |
| Insignificant effect on operation | 10,000 |

Table 3 – Fitted financial criteria for the Bernoulli model


| Boundary | Very-high / High | High / Medium | Medium / Low | Low / Very-low |
|---|---|---|---|---|
| Budget, RT | 1,000,000 | 1,000 | 10 | 0.1 |
| Reserve, B | 1,000,000,000 | 100,000,000 | 1,000,000 | 30,000 |

[Figure 1: two matrices of Consequence (Very low to Very high) against Likelihood (Very low to Very high). Left panel: Risk level. Right panel: log (Risk level), with log (Consequence) = 4, 5, 7, 8, 9 and log (Likelihood) = -8, -6, -4, -2, -1.]

Fig. 1. API (qualitative) and ASME (semi-quantitative) risk matrices compared

[Figure 2: risk classes (Very low, Low, Medium, High, Very high) plotted on logarithmic axes, Consequence (1.E+03 to 1.E+09) against Likelihood (1.E-10 to 1.E+00).]

Fig. 2. The API – ASME comparison mapped against lines of constant risk

[Figure 3: risk classes (Very low, Low, Medium, High, Very high) plotted on logarithmic axes, Consequence (1.E+03 to 1.E+09) against Likelihood (1.E-10 to 1.E+00).]

Fig. 3. Risk-class boundaries mapped using the Bernoulli model

[Figure 4: Cumulative failure probability (0.0001 to 1) against Remanent life, h (10000 to 10000000), both on logarithmic axes. Curves: No cleaning, 40 000h, 30 000h, 20 000h, 10 000h, Continual cleaning.]

Fig. 4. Predicted failure probability for reheater tubes under different chemical
cleaning regimes
