# Upgrading Safety Requirements to Prevent Technological Catastrophes

The safety requirements in the majority of engineering fields are optimistically designed and do not control the magnitude of very large outcomes. Some specified thresholds (lower bounds) can be exceeded with a low probability. Thus, the probability of exceedance (POE) function—also known as the survival, survivor, or reliability function—controls risk. In nuclear safety, for instance, a level of radiation release in the environment is specified that may be exceeded, say, only once in 10,000 years. Nevertheless, the magnitude of exceedance is not controlled, even for extremely large outcomes.

Safety requirements do not distinguish the magnitude of outcomes exceeding a threshold corresponding to a major accident. The requirements treat a large and an extremely large radiation release (which may contaminate the whole globe and lead to a “nuclear winter”) equally. To our knowledge, the safety requirements were not violated in the Fukushima nuclear accident. We can verify calculations of safety models for the Fukushima nuclear power plant and conclude that the plant worked as designed (no violation, because the probability of radiation release is low, in spite of a very large magnitude of release). Similar concerns arise in defining financial ratings of companies, certifying materials (A/B basis), designing dams, etc.

We anticipate that a conservative upgrade of safety requirements, which takes into account both magnitude and chances of loss, will benefit virtually all engineering fields. We think that this inconsistency can be fixed via the newly developed buffered probability of exceedance (bPOE) risk measure.

Consider the following recent major technological catastrophes: the Fukushima nuclear accident in Japan, the 2008 financial crisis, the Space Shuttle Columbia disaster, and Hurricane Katrina flooding because of levee failure. These catastrophes resulted in many casualties and astronomical financial losses. Yet to our knowledge, safety requirements were not violated in any of these cases (at least from a legal point of view) and nobody was held accountable for the faulty designs of engineering systems.

Let us discuss the 2008 financial crisis. One can at least partially attribute it to defaults of financial companies overloaded with exposure to derivative instruments. Derivatives can lead to very high losses with low probability. This was true of AIG, a giant insurance company that overloaded its trading book with collateralized debt obligation (CDO) upper tranches. The chance of default was low, and AIG kept its AAA rating in spite of an extremely high exposure to CDO tranches. The U.S. government had to bail out AIG for $85 billion. A safety upgrade of financial regulations is of paramount importance (according to some estimates, the cost of the 2008 crisis tops $22 trillion).

Another important example is a non-conservative material certification process (A and B basis). The B basis is a 95 percent lower confidence bound on the 10th percentile, and the A basis is a 95 percent lower confidence bound on the first percentile. Let us consider a situation in which 1,000 coupons of a ceramic material are tested for material certification, and all coupons passed the test (i.e., the material was certified with A and B basis). Now suppose that we replace nine coupons with fake coupons of zero strength. This could happen because of a flaw in the manufacturing process, so that a small portion of coupons have zero strength. The chance of getting a defective coupon is 0.9 percent. The A- and B-basis requirements are still satisfied because they do not account for the magnitude of outcomes below the threshold. Engineers design good materials in spite of non-conservative strength certification requirements. Nevertheless, certification processes must be upgraded. The ceramic plates covering the Space Shuttle Columbia passed A- and B-basis strength requirements. But in this case, even the failure of a small number of plates leads to catastrophic consequences.

Our final example is the 2005 levee failures in New Orleans following the passage of Hurricane Katrina. Levee designers did not consider the magnitude of possible losses associated with levee failure. Safety margins should account for this.

We are sure that there is a need to develop conservative safety requirements that take into account not only the probability of exceeding some threshold, but also the magnitude of exposure given the exceedance. The majority of current safety requirements are formulated with lower bounds on the values of possible undesirable outcomes. There are two equivalent variants of the “optimistic lower-bound risk management approach”:

- Fix a threshold, which is the lower bound of outcomes in the distribution tail, and constrain the POE.
- Fix the probability of the tail and constrain the lower bound of the tail outcomes, called the quantile (or value at risk, VaR, in finance).

The majority of risk constraints for controlling low probability events in various engineering areas are set with constraints on the POE.

In the financial field, it is recognized that the second approach, based on VaR, needs to be upgraded. VaR has been supplemented with the conditional value at risk (CVaR), also known as expected shortfall, average VaR, tail VaR, and superquantile. By definition, CVaR is the average value of outcomes in the tail with some specified probability. For instance, if the probability of the tail is 10 percent, this is the average of the worst-case 10 percent of outcomes. By construction, CVaR takes into account both the probability and the magnitude of events in the tail. It is a so-called “coherent risk measure” with exceptional mathematical properties.

**Figure 1.** Relation of buffered probability of exceedance (bPOE) and conditional value at risk (CVaR).

A new measure of risk called the buffered probability of exceedance (bPOE) takes into account both chance and magnitude of losses. bPOE is an extension of the buffered probability of failure concept developed by R.T. Rockafellar, J.O. Royset, and S.I. Miranda. It is the probability of a tail of the distribution with a known mean value of the tail. \(\textrm{bPOE} = 1 - (\textrm{inverse function of CVaR})\); Figure 1 illustrates this relationship. Similarly, \(\textrm{POE} = 1 - (\textrm{inverse function of VaR})\). The safety constraints with CVaR and bPOE are equivalent. Therefore, one can upgrade POE-based requirements to bPOE-based requirements in the same manner by which VaR requirements are upgraded to CVaR requirements. Like CVaR, the bPOE risk function has exceptional mathematical properties. In particular, a minimization formula for bPOE is available, which allows for *the reduction of bPOE minimization to linear and convex programming*. This formula gives a big boost to bPOE applications in various areas (optimal design of physical systems, portfolio optimization, etc.). The Air Force Office of Scientific Research has recently funded a project on parallel algorithms for bPOE minimization. Project participants include S. Uryasev, R.T. Rockafellar, M. Zabarankin, and D.P. Kouri.

Credit risk for companies and financial instruments can be assessed with bPOE instead of POE, as suggested in a paper by G. Pertaia and S. Uryasev. In this case, one can upgrade a credit rating to a *buffered credit rating*. The approach is quite simple: replace the constraint \(\textrm{POE}(x) < p\) with the similar constraint \(\textrm{bPOE}(x) < e \cdot p\), with the same threshold \(x\), where \(e = 2.71\ldots\) is the base of the natural logarithm. Despite the simplicity of the upgrade, it will prohibit “risk arbitrage” (increasing exposure that has low probability without losing the rating).
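The POE/bPOE relationship above and the buffered credit rating rule, as an added example that is not the article's or the authors' code: it computes empirical POE, CVaR and bPOE on a finite loss sample (bPOE via the standard minimization formula \(\min_{a \ge 0} E[\max(a(X - x) + 1, 0)]\), which on a finite sample is exact when evaluated at its kinks) and applies both the POE rule and the \(e \cdot p\) rule to two constructed loss samples that share the same POE but differ in tail magnitude. The sample values, threshold, rating level \(p\) and all function names are assumptions made for the illustration.

```python
"""Empirical POE, CVaR and bPOE on a finite loss sample (added example, not the
article's own code; the two loss samples below are constructed)."""
import math

def poe(losses, x):
    """Probability of exceedance P(X > x) for an equally weighted sample."""
    return sum(1 for v in losses if v > x) / len(losses)

def cvar(losses, alpha):
    """CVaR_alpha (superquantile): mean of the worst (1 - alpha) fraction of the
    sample, splitting the boundary atom fractionally when needed."""
    tail = (1.0 - alpha) * len(losses)   # tail mass in units of sample points
    if tail <= 0.0:
        return max(losses)
    total, left = 0.0, tail
    for v in sorted(losses, reverse=True):
        w = min(1.0, left)               # full atoms first, then a fraction
        total += w * v
        left -= w
        if left <= 1e-12:
            break
    return total / tail

def bpoe(losses, x):
    """bPOE at threshold x by the minimisation formula
    min_{a >= 0} E[max(a * (X - x) + 1, 0)].  On a finite sample the objective
    is convex and piecewise linear in a, so a = 0 plus every kink
    a = 1 / (x - X_i), X_i < x, covers the exact minimum."""
    n = len(losses)
    candidates = {0.0} | {1.0 / (x - v) for v in losses if v < x}
    best = min(sum(max(a * (v - x) + 1.0, 0.0) for v in losses) / n
               for a in candidates)
    if not any(v > x for v in losses):   # a -> infinity limit: mass sitting at x
        best = min(best, sum(1 for v in losses if v == x) / n)
    return best

def rating_check(losses, x, p):
    """(POE rule, upgraded rule): POE(x) < p versus bPOE(x) < e * p."""
    return poe(losses, x) < p, bpoe(losses, x) < math.e * p

# Constructed samples: identical POE of 1% at x = 100, but sample B's tail
# losses are ~17x larger.  Only the bPOE-based rule tells them apart.
SAMPLE_A = [10.0] * 990 + [120.0] * 10
SAMPLE_B = [10.0] * 990 + [2000.0] * 10
THRESHOLD, P = 100.0, 0.02

if __name__ == "__main__":
    for name, s in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        print(name, poe(s, THRESHOLD), round(bpoe(s, THRESHOLD), 5),
              rating_check(s, THRESHOLD, P))
```

Sample A keeps its rating under both rules, while sample B passes the POE rule yet fails the bPOE rule, and \(\textrm{CVaR}_{1-\textrm{bPOE}}\) returns the threshold in both cases, which is the inverse relationship of Figure 1.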

Using a similar approach, it is possible to upgrade various safety requirements in multiple areas of engineering. This upgrade can yield requirements that will take into account the magnitude of adverse outcomes beyond safety thresholds.

*The authors presented this research during a minisymposium at the 2019 SIAM Conference on Computational Science and Engineering, which took place earlier this year in Spokane, Wash.*

Stan Uryasev is the George & Rolande Willis Endowed Professor and director of the Risk Management and Financial Engineering Laboratory at the University of Florida. His research is focused on efficient computer modeling and optimization techniques and their applications in finance and Department of Defense projects. Stan is also a co-inventor of the conditional value-at-risk and the conditional drawdown-at-risk optimization methodologies. He is currently developing optimization software in various areas of risk management.

Giorgi Pertaia is affiliated with the Department of Industrial and Systems Engineering at the University of Florida.