Living with High-Risk Systems Michael S. Tashbook Department of Computer Science University of...

Living with High-Risk Living with High-Risk SystemsSystems

Michael S. TashbookMichael S. Tashbook

Department of Computer ScienceDepartment of Computer Science

University of VirginiaUniversity of Virginia

September 23, 2002September 23, 2002

9/23/02 Living with High-Risk Systems 2

Categories of RiskCategories of Risk

• Not all high-risk systems are created equal

• We can partition the set of high-risk systems into three classes: Hopeless Cases Salvageable Systems Self-Correcting Systems

9/23/02 Living with High-Risk Systems3

Hopeless Cases

• This category is composed of systems where the (inevitable) risks far outweigh any reasonable benefits

• These systems should just be abandoned — at least in Perrow’s view

• Examples: Nuclear weapons Nuclear power


Salvageable Systems

• Salvageable systems are systems that we can’t do without, but

that can be made less risky with considerable effort, or

systems where the expected benefits are so great that some risks should be run

• Examples: Some marine transport DNA research


Self-Correcting Systems

• This category contains systems that are not completely self-correcting, but are self-correcting to some degree

• Only modest efforts are needed to improve these systems further

• Examples: Chemical plants Airplanes/Air Traffic Control


Is Abandonment the Answer?

• Should systems in the “Hopeless Cases” category be abandoned summarily?

• Should drastic modifications be made for other high-risk systems (namely, those in the “Salvageable” category)?

• Not necessarily; Perrow’s argument makes several assumptions that may not be true

7Living with High-Risk Systems9/23/02

Perrow’s Assumptions

Current risk assessment theory is flawed

The public is adequately equipped to make rational decisions, and its opinions should be respected by policy experts

Organizational changes will have little effect in increasing system safety


1. Risk Assessment1. Risk Assessment

• Analysis of the risks and benefits offered by new systems — examination of the tradeoffs (if any)

• Modern risk assessors work to: inform and advise on the risks and benefits of

new systems legitimate risks and reassure the public second-guess regulatory agencies’ actions


How Safe is Safe Enough?

• More accurately, how do we model risk?

• Mathematical models are generally used to model risk

• The problem with this kind of analysis is that it only measures things that can be quantified How much is your life worth?


Biased Interpretations

• Problem of systematic biases and public opinion Does every death have the same

impact? Is a death from diabetes or cancer as bad as

a murder? The public doesn’t seem to think so.

Are fifty thousand annual highway deaths really equivalent to a single nuclear catastrophe?


Systematic Biases

• Risk assessment differentiates between voluntary risks and involuntary risks

• However, the system doesn’t discriminate between the imposition of risks and the acceptance of risks

• This dispassionate cost-benefit approach often leads to “the tyranny of the bean-counters”


Cost-Benefit Analysis (CBA)

• CBA ignores the distribution of wealth in society Risk assessments ignore the social class

distribution of risks

• CBA relies heavily on current market prices Thus, low-paid employees are worth less

when risks are considered


More CBA Assumptions

• New risks should not be higher than others we have already accepted if other systems become riskier, we can

lower safety levels on new systems

• Competitive markets require risky endeavors


More RA/CBA Criticisms

• RA/CBA does not distinguish between: Addiction and free choice Active risks and passive risks

This isn’t just a matter of in/voluntary risk — it’s a question of control

• Risk assessors would prefer to exclude the public from decisions that affect their interests


2. Decision-Making2. Decision-Making

• Risk assessors assert that the public is ill-equipped to make decisions on their own behalf, and cognitive psychologists agree

• Humans don’t reason well: We maximize some dangers while minimizing

others We don’t calculate odds “properly”


Three Types of Rationality

• Absolute rationality Risks and benefits are calculated exactly,

offering a clear view of what to do

• Bounded rationality Employs heuristics to make decisions

• Social and cultural rationality Limited rationality has social benefits


Bounded Rationality

• People don’t make absolutely rational decisions, possibly due to: neurological limitations memory/attention limits lack of education lack of training in statistics and probability

• Instead, we tend to use hunches, rules of thumb, estimates, and guesses


More on Bounded Rationality

“There are two reasons for perfect or deductive rationality to break down under complication. The obvious one is that beyond a certain complicatedness, our logical apparatus ceases to cope—our rationality is bounded. The other is that in interactive situations of complication, agents can not rely upon the other agents they are dealing with to behave under perfect rationality, and so they are forced to guess their behavior. This lands them in a world of subjective beliefs, and subjective beliefs about subjective beliefs. Objective, well-defined, shared assumptions then cease to apply. In turn, rational, deductive reasoning—deriving a conclusion by perfect logical processes from well-defined premises—itself cannot apply. The problem becomes ill-defined.”

— W. Brian Arthur, “Inductive Reasoning and Bounded Rationality” (1994)


The Efficiency of Heuristics

• Heuristics are useful; they save time, even if they are wrong on occasion

• Heuristics: prevent decision-making “paralysis” drastically reduce search costs improve (are refined) over time facilitate social life work best in loosely-coupled (slack,

buffered) environments


Pitfalls of Heuristics

• Heuristics rely on the problem context; if this is wrong, then the resulting action will be inappropriate

• Context definition is subtle and difficult

• Heuristics are related to intuitions Intuitions are a form of heuristic Intuitions may be held even in the face

of contrary evidence


Rationality and TMI

• The TMI accident occurred shortly after it was put into service

• Absolute rationality acknowledges that a problem was was bound to happen eventually; it just happened sooner rather than later

• Is this comparable to the “1x10-9 standard”?


Rationality and TMI (cont’d)

• This may be true, but is it the point?• TMI was a new type of system, and

no heuristics existed for it at the time• Even though problems may be rare,

they can be very serious• Experts predicted that TMI was

unlikely to occur, yet it did; could they have been wrong?


Bounded Rationality vs. TMI

• The logic of the public response to TMI was technically faulty; even so, it was efficient and understandable

• Experts have been wrong before; it’s efficient to question them

• Bounded rationality is efficient because it avoids extensive effort Can John Q. Public make a truly

informed decision about nuclear power?


Social and Cultural Rationality

• Our cognitive limits are a blessing rather than a curse

• There are two reasons for this: Individuals vary in their relative cognitive

abilities (multiple intelligences theory) These differences encourage social bonding

Individual limitations or abilities lead to different perspectives on (and solutions to) a given problem


Risk Assessment Studies

• Clark University study of experts and the lay public The two groups disagreed on how to judge the

risk of some activities Disaster potential seemed to explain the

discrepancy between perceived and actual risk For the public, dread/lethality ratings were

accurate predictors of risk assessments

• Subsequent study identified three “factors” (clusters of interrelated judgments)


Dread Risk

• Associated with: lack of control over activity fatal consequences high catastrophic potential reactions of dread inequitable risk-benefit distribution belief that risks are not reducible

• Correlation with interactively complex, tightly-coupled systems


Unknown Risk

• This factor includes risks that are: unknown unobservable new delayed in their manifestation

• This factor is not conceptually related to interaction and coupling as well as dread risk


Societal/Personal Exposure

• This factor measures risks based on: the number of people exposed the rater’s personal exposure to the risk

in question

• Of all three factors, dread risk was the best predictor of perceived risk


Thick vs. Thin Descriptions

• A “thin description” is quantitative, precise, logically consistent, economical, and value-free

• A “thick description” recognizes subjective dimensions and cultural values, and expresses a skepticism about human-made systems


3. Organizational Solutions3. Organizational Solutions

• In general, risky enterprises are organizational enterprises

• Tightly controlled, highly centralized, authoritarian organizations should be put into place to run risky systems and eliminate “operator error”

• But does this really help things?


Suggested Organization Types

Linear Interaction Complex Interaction

Tight Coupling

Centralization for tight coupling and linear interactions

Centralization for tight coupling.Decentralization for complex interactionsThese demands are incompatible!!!

Loose Coupling

Centralization and decentralization are both feasible

Decentralization for loose coupling and complex interactions


Where Does the Problem Lie?

• Technology? “[W]e are in the grip of a technological

imperative that threatens to wipe out cultural values….”

• Capitalism? Private profits lead to short-run

concerns Social costs are borne by everyone

• Greed? Private gain versus the public good


The Problem of Externalities

• Externalities are the social costs of an activity (pollution, injuries, anxieties) that are not reflected in its price

• Social costs are often borne by those who receive no benefit from the activity, or who are even unaware of it

• Systems with identifiable/predictable victims are more likely to consider externalities


A New Cost-Benefit Analysis

• How risky are the systems we have been considering, only in terms of catastrophic potential?

• How costly are the alternative ways (if any) of producing the same outputs?

35Living with High-Risk Systems9/23/02

The Final Analysis

Systems are human constructs, whether carefully designed or unplanned emergences

These systems are resistant to change System catastrophes are warning

signals, but not the ones we think These signals come not from individual

errors, but from the systems themselves

Living with High-Risk Living with High-Risk SystemsSystems

Michael S. TashbookMichael S. Tashbook

Department of Computer ScienceDepartment of Computer Science

University of VirginiaUniversity of Virginia

September 23, 2002September 23, 2002

Date post:	14-Dec-2015
Category:	Documents
Upload:	lindsay-gleaves
View:	212 times
Download:	0 times

Living with High-Risk Systems Michael S. Tashbook Department of Computer Science University of...

Documents