Risk, Safety and Liability

PHIL/ENGR 482
Ethics and Engineering
Risk, Safety and Liability
Required reading:
• Harris, Pritchard and Rabins,
Engineering Ethics: Concepts and
Cases, 2nd ed. Chapter 7, “Risk,
Safety and Liability in Engineering”
An engineering responsibility
• Codes of ethics require the engineer
to prevent exposure of the public to
unacceptable risks.
NSPE Code
• “Hold paramount the safety, health and welfare of
the public” design to “accepted engineering
standards”
• Do not “complete, sign, or seal plans and/or
specifications that are not of a design safe to the
public health and welfare in conformity with
accepted engineering standards”
• In “circumstances where the safety, health,
property or welfare of the public are endangered”
engineers must “notify their employer or client and
such other authority as may be appropriate”
Understanding and
managing risks
• What is risk?
• How do we operate engineering
systems to reduce risks?
• How do we design engineering systems
to reduce risks?
• What are acceptable risks?
What is risk?
• One definition of “risk” is:
• “Exposure to the chance of injury or loss; a hazardous or dangerous chance” *
• This definition involves both
• the probability of an event occurring
• the consequences of the event
* Webster’s Dictionary
An engineering definition of risk:
Risk  (probability of event)  (consequences)
Risk is inherent in engineering
• All engineering involves risk.
• Innovation in design generally increases risk.
More generally, any change (from proven
practice) will often increase risk.
• Examples:
• Tacoma Narrows Bridge--1940 collapse
• Three Mile Island Power Plant--1979 radiation
release
• Concorde airliner--2000 crash in Paris
Probability of failure
• A nuclear reactor will “meltdown” if the control
rods fail and the cooling pump fails. What is the
probability of this occurring?
Event tree analysis of failure probability
Engineering risk assessment
Risk  (probability of failure)  (consequences)
• Bridge foundation depths are often governed
by the depth of scour, which is related to the
size of the flood. A 100-year flood (a flood
which has a 1% chance of occurring in any
given year) is a common design flood level.
• Consider a bridge footing designed to have a
2×10^-3 annual probability of being undercut
by scour in any given year.
Engineering risk assessment...
• Consider a bridge that has a 2×10^-3 annual
probability of collapse due to scour.
• If collapse occurs during a rush hour (1/24
probability), 10 lives will likely be lost. If collapse
occurs during non-rush hours (23/24 probability) 1 life
will likely be lost. One way to measure this risk is…
• (2×10^-3)(1/24)(10) = 833×10^-6 (risk of death)
• (2×10^-3)(23/24)(1) = 1917×10^-6 (risk of death)
• Total risk is 833×10^-6 + 1917×10^-6 = 2750×10^-6 (risk of death)
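The two preceding slides (the reactor event tree and the bridge-scour risk sum) are the same computation: enumerate the branches of an event tree, multiply the branch probabilities along each path, and weight each outcome by its consequence. The script below is an added example, not from the lecture or from Harris et al.; the Branch/Node/enumerate_paths names are its own, the bridge numbers are the lecture's, and the reactor failure probabilities are constructed placeholders since the slide gives none.

```python
from dataclasses import dataclass
from itertools import product

# Added example; Branch, Node and the functions below are this example's own
# names, not from the lecture or its textbook.


@dataclass(frozen=True)
class Branch:
    name: str
    probability: float  # conditional probability of taking this branch at its node


@dataclass(frozen=True)
class Node:
    name: str
    branches: tuple  # Branch objects; probabilities at one node should sum to 1


def enumerate_paths(nodes):
    """Walk every root-to-leaf path of the tree.

    Nodes are treated as independent, so a path probability is the product of
    its branch probabilities.  A common-cause failure (one event disabling
    several 'independent' safeguards) breaks exactly this assumption, which is
    one reason the assigned probabilities are often conjectural.
    """
    for combo in product(*(node.branches for node in nodes)):
        prob = 1.0
        for branch in combo:
            prob *= branch.probability
        yield tuple(branch.name for branch in combo), prob


def expected_risk(nodes, consequence):
    """Risk = sum over outcomes of (probability of outcome) x (consequence).

    `consequence` maps a path (tuple of branch names) to a loss, e.g. lives.
    Returns the total risk and the per-path rows for inspection.
    """
    rows = []
    for path, prob in enumerate_paths(nodes):
        loss = consequence(path)
        rows.append((path, prob, loss, prob * loss))
    return sum(row[3] for row in rows), rows


def bridge_scour_risk():
    """The lecture's bridge: 2x10^-3 annual collapse probability, 10 deaths if
    collapse falls in the 1/24 rush-hour window, 1 death otherwise."""
    tree = [
        Node("scour", (Branch("collapse", 2e-3), Branch("no collapse", 1 - 2e-3))),
        Node("time of day", (Branch("rush hour", 1 / 24), Branch("non-rush", 23 / 24))),
    ]

    def lives_lost(path):
        if path[0] != "collapse":
            return 0
        return 10 if path[1] == "rush hour" else 1

    total, _rows = expected_risk(tree, lives_lost)
    return total  # 2750 x 10^-6 deaths per year


def reactor_meltdown_probability(p_rods_fail, p_pump_fail):
    """Meltdown requires both the control rods and the cooling pump to fail.
    The inputs are constructed placeholders; the lecture states no values."""
    tree = [
        Node("control rods", (Branch("rods fail", p_rods_fail), Branch("rods ok", 1 - p_rods_fail))),
        Node("cooling pump", (Branch("pump fails", p_pump_fail), Branch("pump ok", 1 - p_pump_fail))),
    ]
    for path, prob in enumerate_paths(tree):
        if path == ("rods fail", "pump fails"):
            return prob
    return 0.0


if __name__ == "__main__":
    print(f"bridge scour risk: {bridge_scour_risk() * 1e6:.0f} x 10^-6 deaths/yr")
    print(f"reactor meltdown (constructed 1e-3, 1e-2): {reactor_meltdown_probability(1e-3, 1e-2):.1e}/yr")
```

The per-path rows returned by expected_risk are what a reviewer would ask for: they show which branch carries most of the risk, and they make the independence assumption visible so it can be challenged, which the next slide's list of overlooked failure modes is really about.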
Problems with event-tree analysis:
• assigned probabilities are
sometimes conjectural
• cannot anticipate all failure modes:
• pipe rupture,
• pipe corrosion,
• terrorist attack,
• human error,
• etc...
Safety: Operation of engineering
systems to reduce risk
• Many “engineering” failures involve, at least in part, an
operations failure…consider the reactor failure at Three
Mile Island:
• The main feedwater pumps failed; a pressure relief valve
automatically opened, but stuck open. Signals failed to
show that the valve was stuck open.
• Because of either administrative or human error, a critical
valve in the emergency feedwater system was left closed,
delaying the operation of that system for 8 minutes.
• Systems are said to be tightly coupled when a failure in
one system can adversely and rapidly affect operations
in another system. Tightly coupled systems make
failures more difficult to predict and control.
Safety: Operation of engineering
systems to reduce risk
• The loss of the Space Shuttle Challenger is
another example of an engineering system
failure due to operations failure.
• The practice of “normalizing deviance”, that is
the acceptance of anomalies (unexplained
leakages of the O-ring seals) in previous flights
led to continued operation of a system that was
dangerously close to its safe limit of operation.
• Also, operational limits (launch temperature)
were increased without appropriate study.
Safety: Design of engineering systems to
reduce risk to acceptable levels
• Develop inherently low-risk designs
• Incorporate redundancy in design
• Design for failure modes that give warning
before catastrophic failure (ductile
structures)
• Design for appropriate Factor of Safety
• Structural design philosophies...
• Allowable Stress Design (ASD or WSD)
• Load Factor Design (LFD)
• Probabilistic design methods (ex. LRFD)
Factors of Safety
FS = (Failure load) / (Design load)
• To accommodate uncertainties in...
• applied loads,
• material properties,
• simplified methods of analysis,
• construction quality,
• maintenance, ...
• and, to reflect different consequences for
different failure modes.
Allowable (or Working) Stress Design
philosophy
• ASD design philosophy limits the stress to
a certain “allowable” value, which is
usually some fraction of the yield or
ultimate stress.
Design difficulties...
• Different loadings may have different uncertainties
• Different failure modes have different risk
(uncertainty × consequence),
• Also the resistance (strength) of some modes may
be affected more by construction quality,
maintenance inspection interval, etc…
• ...so different Factors of Safety may be appropriate
for different loadings and failure modes.
Load Factor Design philosophy
• Expected loads are multiplied by Load
Factors, which may have different values
for different types of loads
• Strength is reduced by a Strength
Reduction Factor reflecting the variability
in the strength
• Factored loads must not exceed factored
strength
Load Factor Design example
• Consider a bridge girder which carries its
own weight plus the weight of the deck
(DL) and traffic loads (LL).
• Denote the moments caused by these
loads as M_DL and M_LL, respectively.
• Denote the calculated ultimate moment
(which would cause fully plastic failure of
the section) as M_ult.
Load Factor Design example
• The LFD philosophy requires...
F_LL × M_LL + F_DL × M_DL ≤ φ × M_ult
• where…
• F_LL and F_DL are load factors for live and dead loads,
typically specified to be 2.2 and 1.3 respectively,
and
• φ is a strength reduction factor, typically specified
to be 0.90
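The girder check above, and the earlier point that a single Factor of Safety cannot reflect different uncertainties for different loads, can be seen together in a few lines. This is an added example, not the lecture's or the textbook's code: the inequality and the factors 2.2, 1.3 and 0.90 are the lecture's; the function names and the sample moments (kN·m) are constructed.

```python
# Added example.  F_LL, F_DL and phi are the lecture's typical values; the
# function names and the sample moments are this example's own.

F_LL = 2.2   # live-load factor (lecture value)
F_DL = 1.3   # dead-load factor (lecture value)
PHI = 0.90   # strength reduction factor (lecture value)


def lfd_check(m_dl, m_ll, m_ult, f_dl=F_DL, f_ll=F_LL, phi=PHI):
    """Load Factor Design: F_LL*M_LL + F_DL*M_DL <= phi*M_ult.

    Returns (passes, factored_load, factored_strength).  Moments may be in any
    consistent unit; the sample below uses kN*m.
    """
    factored_load = f_ll * m_ll + f_dl * m_dl
    factored_strength = phi * m_ult
    return factored_load <= factored_strength, factored_load, factored_strength


def max_live_load_moment(m_dl, m_ult, f_dl=F_DL, f_ll=F_LL, phi=PHI):
    """Largest live-load moment the section can carry under LFD for a given dead load."""
    return (phi * m_ult - f_dl * m_dl) / f_ll


def implied_factor_of_safety(m_dl, m_ult, f_dl=F_DL, f_ll=F_LL, phi=PHI):
    """FS = failure load / design load for a section loaded exactly to its LFD limit.

    Because the live-load factor exceeds the dead-load factor, the single FS
    implied by LFD is not constant: it ranges from F_LL/phi when live load
    dominates down to F_DL/phi when dead load dominates.  That is the 'design
    difficulties' slide in numbers: one FS for every load cannot encode the
    different uncertainties of different loads.
    """
    m_ll = max_live_load_moment(m_dl, m_ult, f_dl, f_ll, phi)
    return m_ult / (m_dl + m_ll)


if __name__ == "__main__":
    m_ult = 800.0  # constructed ultimate moment, kN*m
    for m_dl, m_ll in ((100.0, 200.0), (100.0, 300.0)):
        ok, load, strength = lfd_check(m_dl, m_ll, m_ult)
        verdict = "OK" if ok else "FAILS"
        print(f"M_DL={m_dl:.0f} M_LL={m_ll:.0f}: {load:.0f} vs {strength:.0f} -> {verdict}")
    for m_dl in (0.0, 100.0, 500.0):
        print(f"M_DL={m_dl:.0f}: implied FS at LFD limit = {implied_factor_of_safety(m_dl, m_ult):.2f}")
```

With the constructed section, a girder carrying 100 kN·m dead and 200 kN·m live passes (570 against 720) while 300 kN·m live fails (790 against 720), and the implied overall factor of safety drops from about 2.44 for a purely live-loaded section to about 1.44 for a purely dead-loaded one.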
Probabilistic design philosophy (LRFD)
• Load factors and resistance (strength)
factors are not fixed, by a design
code, but are chosen in each design
based on the specifics of the case.
• Factors are determined in such a way
that the “probability of failure” of each
limit state (failure mode) is
maintained at some uniform value.
AASHTO LRFD Bridge design example:
design for vessel collision
• Bridges in navigable waterways shall be
designed for vessel impact, considering...
• waterway geometry,
• size, type, loading condition, and frequency
of vessels using the waterway
• water depth,
• vessel speed and direction, and
• structural response of the bridge to collision.
Bridge design for vessel collision (cont’d)
• Bridges are classified as “regular” or
“critical”.
• “Critical” bridges shall continue to
function after more severe collisions
than the collision limiting “regular”
bridges
Bridge design for vessel collision (cont’d)
• An analysis of the annual frequency of
collapse is performed for each pier or
span component exposed to collision.
• The design vessel is selected using a
probability-based analysis procedure in
which the predicted annual frequency of
bridge collapse (AF) is compared to an
acceptance criterion.
Bridge design for vessel collision (cont’d)
• The Annual Frequency of collapse (AF) is
computed by…
AF = N × PA × PG × PC
• where...
• N = annual number of vessels, by type, size...
• PA = probability of vessel aberrancy
• PG = geometric probability of a collision by an aberrant vessel
• PC = probability of bridge collapse due to collision
Bridge design for vessel collision (cont’d)
• The Annual Frequency of collapse (AF) is
limited to a specified acceptable risk...
AF = N × PA × PG × PC
AF ≤ 10^-3 for “regular” bridges
AF ≤ 10^-4 for “critical” bridges
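Since N is tallied by vessel type and size, AF for a pier is a sum of N × PA × PG × PC over vessel classes, and the acceptance criterion depends on whether the bridge is “regular” or “critical”. The script below is an added example, not code from the lecture or from AASHTO: the formula and the two limits are as quoted on the slides, while the VesselClass structure, the function names and the traffic numbers for the sample pier are constructed (they are not AASHTO base rates).

```python
from dataclasses import dataclass

# Added example.  AF = N x PA x PG x PC and the limits 10^-3 / 10^-4 are from
# the lecture; VesselClass and the sample traffic figures are constructed.

ACCEPTANCE_LIMIT = {"regular": 1e-3, "critical": 1e-4}


@dataclass(frozen=True)
class VesselClass:
    label: str
    n_per_year: float   # N: annual transits of this vessel type/size
    p_aberrancy: float  # PA: probability a transit goes off course
    p_geometric: float  # PG: probability an aberrant vessel strikes this component
    p_collapse: float   # PC: probability the component collapses given a strike

    def af_contribution(self):
        return self.n_per_year * self.p_aberrancy * self.p_geometric * self.p_collapse


def annual_frequency_of_collapse(classes):
    """AF for one pier or span component, summed over the vessel classes that can reach it."""
    return sum(v.af_contribution() for v in classes)


def largest_contributor(classes):
    """Vessel class driving AF, i.e. where fenders or a bigger pier pay off first."""
    return max(classes, key=VesselClass.af_contribution)


def meets_criterion(af, importance):
    """Compare AF against the limit for the bridge's importance class."""
    return af <= ACCEPTANCE_LIMIT[importance]


def check_bridge(components, importance):
    """Every exposed component must satisfy the criterion.
    `components` maps component name -> iterable of VesselClass; returns name -> (af, ok)."""
    result = {}
    for name, classes in components.items():
        af = annual_frequency_of_collapse(classes)
        result[name] = (af, meets_criterion(af, importance))
    return result


# Constructed traffic for one pier (illustrative values, not AASHTO base rates).
PIER_2_TRAFFIC = (
    VesselClass("ships 10-20k DWT", n_per_year=300, p_aberrancy=1e-4, p_geometric=0.02, p_collapse=0.3),
    VesselClass("barge tows", n_per_year=1500, p_aberrancy=1e-4, p_geometric=0.05, p_collapse=0.02),
)

if __name__ == "__main__":
    af = annual_frequency_of_collapse(PIER_2_TRAFFIC)
    for importance in ("regular", "critical"):
        verdict = "acceptable" if meets_criterion(af, importance) else "NOT acceptable"
        print(f"pier 2: AF = {af:.2e} -> {importance} bridge: {verdict}")
    print("largest contributor:", largest_contributor(PIER_2_TRAFFIC).label)
```

For the constructed pier the two classes sum to AF = 3.3 × 10^-4, which a “regular” bridge may accept but a “critical” one may not; the same pier therefore needs a different design depending only on the importance classification, which is the point of the preceding slides.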
Acceptable risk...
• What is an acceptable risk?
Some acceptable risks...
• Note that the average American could, if he/she
chose, reduce his/her annual risk of death by
173×10^-6 by avoiding travel in automobiles or on
highways. Since the average American chooses
to accept this risk (because of the advantages of
automobile transportation), the risk of death
associated with automobile travel could be
considered an “acceptable risk”, that is one
assumed by a reasonable person.
• Similarly, the 810-6 risk of death in commercial
aviation is accepted by most persons.
Cost-benefit risk assessment example
• The government is proposing legislation to limit
formaldehyde emissions to 3 ppm. Industry
estimates that to install and operate the
necessary scrubbers will cost $300 million
annually. Toxicologists estimate that this new
standard will save 30 lives annually. Using
cost/benefit analysis, should the new standard be
implemented?
• Cost = $300 million/yr
• Benefit = (30 lives/yr)($ ??? / life)
• What is the dollar value of human life?
What is the value of human life ?
• Some methods to place a value on
human life
• purchasing decisions involving safety
(e.g. car purchase)
• future earnings
• extra pay needed for risky jobs
(e.g. house painter vs. smokestack
painter)
Problems with using studies of purchasing decisions to
determine the value of life...
• wealthy people are willing to pay more
• people will pay 7 times more to reduce risk of cancer than
to reduce risk of death in an automobile
• decisions are based on perceptions (values)
• women value their lives more than men, i.e., men are more
willing to engage in risky behavior
• A 1984 study by Shulamit Kahn indicates that people
typically valued their lives at $8 million (Note: this figure is
higher than is typically used in public policy analysis. Also
note that Ford used $0.2 million in the 1970’s Pinto case
study.)
Public Policy Expert’s Approach to
Risk
• His/her first priority is to protect the public.
• Consider the consequences of an error in a
study to determine whether a chemical is
carcinogenic…
• False Positive: The chemical is banned as being
carcinogenic, when in reality it is not. The producer
loses potential profits from the sale of this chemical.
• False Negative: A dangerous chemical is approved as
safe and sold to the general public. The death rate
from cancer increases.
• A public policy expert will choose to err on the
side of public safety, when the facts are not
clear
Public policy expert approach (cont’d).
• In a democracy, the government policy makers
respond to the public’s wishes. The public tends to
react to different risks in different, and sometimes
irrational ways. As a result, we tend to allocate
differing amounts of money to save lives by
different measures...
Allocation of Money
Layman’s approach to risk
• Respect for Persons Approach
• Key Issues:
• is the risk distributed equitably?
• are those assuming the risk compensated?
• is the risk voluntary?
• does the person assuming the risk understand it?
• does the person assuming the risk have control?
Layman’s approach to risk...
• Laymen often overestimate low probability risks
• Willing to accept higher voluntary risks than
involuntary risks (by a factor of 10^3)
• Laymen don’t compare a risk to already accepted
risks
• Laymen overestimate risks of human origin
compared to risks of natural origin
• Laymen’s approach more closely follows the Respect-for-Persons
approach than the Utilitarian approaches used by many experts
An Acceptable Risk is one that is...
• freely assumed with informed
consent
• equitably distributed
• properly compensated
Informed Consent
• RP says we should treat people as “moral
agents” (autonomous, self-governing
individuals)…thus we should seek
“informed consent” before assigning risk
• Criteria for informed consent
• consent must not be coerced*
• person must be accurately informed*
• person must be competent* to assess information
*there are possible conceptual and applications
issues to be resolved
Problems with informed consent
• difficulty getting informed consent
• consent must be obtained before the risk is
assumed
• consent requires negotiation
• holdouts or unreasonable preferences
• parties must be well informed and reasonable
• people are often hysterical regarding dramatic or
catastrophic risk
• people underestimate the consequences of risks
that have never happened before
When it isn’t possible to get informed
consent...
• Only expose people to risks they
would consent to, if they were
informed of all known risks.
Or, ...
• As an alternative to gaining consent
from everyone affected by the risk,
the group leaders can decide to
accept the risk for the group.
Problems with Informed Consent (cont’d.)
• Some people may give informed
consent to things that are not in
their interests, because of...
• misunderstanding information
• immaturity
• irrationality
• Such consent isn’t autonomous.
Problems with Informed Consent (cont’d.)
• If consent is not autonomous, then
you should find a way to make
consent autonomous.
Risk concepts--Example
• The electric power company proposes to build a
nuclear power plant near your neighborhood.
Given the newly deregulated electricity market,
the power probably will be sold out of state
because prices are higher there.
Risk concepts--Example (cont’d.)
• Is the risk voluntary?
• Does the person taking the risk
understand it?
• Does the person taking the risk have
control?
• Is the risk distributed equitably?
• Do those taking the risk get the rewards?
Informed Consent by Group Leaders-Example
• The XYZ Chemical Company wants to build
a new plant in Smallville. The chemical
plant has a pollution effluent that may give
one citizen cancer every five years.
However, the plant will create 100 new jobs
and a substantial tax base for Smallville,
which will improve the local schools and
hospital. The XYZ Chemical Company asks
the town council for approval to build the
plant in the industrial park.
Informed Consent by Group Leaders
(cont’d.)
• Advantages:
• simplifies decision-making process
• Problems:
• How do we compensate those individuals who
suffer the consequences of the risk?
• Approval of group leaders does not reflect the
wishes of all individuals
• Works okay for small risks, but large risks
may need individual consent
Paternalism
• Paternalism: the exercise of power by
one person or institution over another
in order to help or prevent harm to
the latter, when...
• Weak paternalism--the latter is not exercising
moral agency effectively.
• Strong paternalism--there is no reason to
believe the latter is not effectively exercising
moral agency.
Paternalism (cont’d)
• Commonly-accepted criterion for
acceptable paternalism:
• A fully rational person informed of the
relevant facts would consent to
intervention in this case
• Paternalism often causes resentment.
• Paternalism (weak) is permissible if
protected person is not autonomous
• but people will disagree over who is
autonomous.
Summary
• Be aware that experts tend to use a
utilitarian approach and the lay public tends
to use a respect-for-persons (RP) approach
• Utilitarian and RP approaches each have
their limitations
• It is difficult to quantify risk
• Peoples’ values differ regarding risk
• Promote informed consent within your
limits as an engineer
For guidance...
• “People should be protected from the
harmful effects of technology, especially
when the harms are not consented to or
when they are unjustly distributed, except
that this protection must sometimes be
balanced against (1) our need to preserve
great and irreplaceable benefits and (2)
the limitations on our ability to obtain
informed consent.” Harris, et al.
Summary (cont’d.)
• Some technologies provide valuable and
irreplaceable benefits, yet are inherently
risky (e.g. automobiles)
• Engineers should be paternalistic and
protect the public from harmful impacts of
technology if:
• Consequences are severe
• Consequences are unjustly distributed
• Informed consent is not possible
Liability
An engineer’s ethical dilemma...
• All engineering involves some risk.
• Protecting the public from all risks is not
in the public’s best interest.
• We must protect the public from
unacceptable risks.
• We may be liable for injuries caused when
we misjudge the risks, as well as when we
make errors.
Different standards for tort law and
science...
• Tort (injury) law uses different standards
for risk and liability than we have been
discussing so far.
• An engineer might not feel confident that
action A had caused result B without
strong statistical evidence (i.e., 95%
confidence)
• Tort law requires proof by a
“preponderance” of evidence (i.e., 51%)
Recommendations...
• Work conscientiously, diligently, and
ethically; make sure your designs are
consistent with best engineering practice.
• Document your actions and decisions in a
Daily Log.
• Liability insurance is commonly purchased
by design engineers. Costs can be high,
depending on the work you do.
Representative costs for liability
insurance policies
• Chemical Engineers (with PE designations,
signatory authority, plant-scale
involvement)
• $1million coverage, $5000 deductible,
premium=$900/yr
• Architects/Engineers
• $75million coverage, $15,000 deductible,
premium=$10,000/yr