
1.1 Uncertainty: A New Perspective on Safety

The term “technological risk” was initially associated with the occurrence of unwanted circumstances (e.g. leading to accidents) which are both possible and probable. “Possible” expresses the fact that these circumstances are known and enumerable; “probable” means that these circumstances may arise in the future. These circumstances are described, for instance, by combinations of events or by sequences of events (scenarios), or both. In the context of safety, the considered circumstances inevitably lead to harmful events (accidents) when these circumstances arise (the deterministic approach to risk assessment). If all the circumstances are known, treatments can be defined a priori. Barriers prevent the occurrence of accidents by avoiding the occurrence of undesirable combinations or by neutralizing dreaded sequences of events. In this paradigm, safety is defined by the absence of such circumstances and by the absence of accidents, and is guaranteed by the presence of risk controls (barriers).

An adaptation of this viewpoint, called the “probabilistic approach to risk assessment”, involved a change to the assumption that the circumstances considered by risk analysts always lead to accidents, by attaching a probability to the appearance of harm. Furthermore, the harm caused is no longer assumed to be constant for the same circumstances. For example, the failure of a system component does not always lead to the system’s failure; the consequences of the failure may be more or less serious. Risk, or rather its estimation, is then defined using criteria such as a combination of the probability of the occurrence of a harmful event and the severity of the harms. Safety is defined by the absence of unacceptable risk, usually expressed as a threshold (e.g. probability of a catastrophic failure \({<}10^{-9}\) per flight hour). This viewpoint is the most commonly used today. Safety is still achieved by the introduction of barriers, whose availability (measured by the probability of failure) enters into the evaluation of residual risk. This value is compared with the maximum level of risk allowed (the acceptability threshold). While not all accidents are avoided, their risks are controlled.

However, these two viewpoints on risk and safety are only variations on the same underlying paradigm: the circumstances that may lead to accidents are known, as are their possible effects: causes and consequences are enumerable, even if they are probable and not certain. The risk controls (and therefore the level of safety) can be defined a priori. If unforeseen circumstances arise, they are handled by “experience feedback” and added to the list of circumstances, which is considered as a finite set.

We are currently facing a challenge to this founding paradigm of risk and safety, having to admit that the circumstances (such as initiating events and scenarios) which may lead to accidents are uncertain and potentially infinite. Our ignorance of causes (circumstances), effects (harms) and their relationships is primarily quantitative in nature. This ignorance concerns, for instance, the difficulty in determining the probability of occurrence of events (causes and effects), the effectiveness of the barriers and the severity of consequences. Our ignorance is also, even more importantly, qualitative. This concerns, for example, our inability to establish an exhaustive list of circumstances which may lead to accidents, as this list is not finite in complex systems. Similarly, the nature of the effects of certain circumstances (in particular medium- and long-term effects) cannot be predicted given the state of knowledge (e.g. emerging risks related to innovation). This paradigm shift has impacts on the concept of safety which has to be revisited, but also other related concepts such as risk acceptability and their operational implementations (models, techniques, processes, practices, cultures, etc.).

Until now, most approaches have aimed at reducing and finally liquidating uncertainty, being based on the illusory hope of the contribution of knowledge development. Other approaches consist in forbidding any circumstances that lead to increased uncertainty (e.g. certain applications of the precautionary principle). They have all proven unsuccessful, leading to dramatic accidents. The inability to nullify this uncertainty and the need to live with it must be accepted: such is the new premise.

However, the results of uncertainties on safety must not be considered as inevitable effects of fate that we have to suffer. Uncertainty gives a new perspective on safety.

1.2 Uncertainty: New Questions for Safety Management

Risk management has long been considered the magic wand to address safety. The growth of knowledge would lead to the disappearance of uncertainties and the development of fully controlled risks. This would promise the achievement of our objective: a safe world. Yet, it seems that in a number of accidents, risk management was not up to the challenge. What challenge? Dealing with the unexpected? Yet, the unexpected is now acknowledged as being inescapable...

Before going any further, it is worth going back to the notion of the unexpected. Why is there the unexpected? Several philosophies exist. One is that no one put sufficient effort into anticipation. Another is that no one had the proper knowledge to anticipate some scenarios. “Who”, by the way, is a question that would be worth addressing. Is it the first line operator who faced the real-time situation? Or the organization that provides the operators with the means and conditions to do their job? Or the risk manager who is in charge of identifying all risks and reducing the unacceptable ones? Or everyone, each one at his/her level and within his/her scope?

Going back to the initial question of the origin of the unexpected, is it a crisis of means allocation or of profound beliefs...? Or illusions? The illusion that everything can be controlled, including all risks.

To describe or explain these new situations that escape traditional risk management approaches, a new “magic” concept was introduced: uncertainty.

Beyond the magic word, what does the concept mean? What can it describe... and not describe?

Has dealing with uncertainty ever been within the scope of traditional risk management methods? If yes, what type of uncertainty did it pretend to address?

Are there alternative approaches that would work beyond the scope of traditional risk management?

If yes, how do these approaches relate to risk analysis?

Should we oppose them? Can they coexist? Under what conditions? Can we envisage their complementarity? How to build it?

1.3 Uncertainty: New Proposals

This book addresses various facets of the previous questions, proposing several viewpoints considered by various disciplines.

In Chap. 2, Ove Nja discusses the concept of uncertainty, analyzing its ontological status and its connections to safety. The chapter introduces the whole rationality spectrum (from relativism to positivism) of the uncertainty concept, focusing on its impact on the safety concept. This introduction also discusses a number of philosophical issues. The purpose is illustrated on safety concerns of the health sector and civil aviation.

The three following chapters deal with the control of effects of uncertainty.

In Chap. 3, Terje Aven presents and discusses recent advances in the risk field faced with uncertainty, linked to the conceptualization of risk and especially addressing unforeseen events, surprises and so-called black swans. The chapter shows how the traditional probabilistic approaches can be extended for assessing and then for handling uncertainties in the safety domain.

In Chap. 4, Jean Pariès extends the previous chapter by discussing the way safety can be managed in an uncertain context. He highlights the illusion of reducing uncertainty and introduces and compares two management alternatives: Resilience Engineering and High Reliability Organizations.

Nowadays, society through regulation requires safety cases. In a well-defined context, evidence must be provided to obtain an authorization to operate hazardous activities. Uncertainty disrupts this principle. In Chap. 5, Arie Rip develops, in a sociological perspective, the idea that regulation and other a priori risk controls are all part of the “danger culture” of our industrial society which requires conformance to rules for avoiding accidents. The chapter shows that uncertainty simultaneously jeopardizes this approach and, by allowing “gray zones” in which the actors can manoeuvre, provides some necessary flexibility to the system.

Chapter 6 examines risk governance in an uncertain context from a legal perspective. Eric E. Johnson considers the catastrophic possibility that the superconducting synchrotron particle accelerator built at CERN could create a black hole which would swallow the Earth. Courts have the power to order the halt of such an activity, but their usual approach to decisions on risky activities, based on expert judgment and benefit-cost criteria, is difficult to apply in situations in which possible consequences are properly cataclysmic and experts are all biased. The chapter analyzes a number of court decisions to extract general opinions about the way justice considers uncertainty in the safety domain.

Chapter 7 gives a historian’s perspective. Jordan Sand compares the way in which the Japanese handled fires during the Edo period (from 1600 to 1868) and their present approach to technological risks, with a particular focus on the Fukushima nuclear disaster. The comparison reveals that the emphasis during the Edo period on strength and continuity of the social order rather than on the preservation of material property produced a different view of risk and uncertainty.

A last chapter concludes the book, summarizing the lessons learned and highlighting some open questions.