a hierarchical-multiobjective framework for risk management


Automatica, Vol. 27, No. 3, pp. 579-584, 1991 Printed in Great Britain.

0005-1098/91 $3.00 + 0.00 Pergamon Press plc

1991 International Federation of Automatic Control

Brief Paper

A Hierarchical-multiobjective Framework for Risk Management*

YACOV Y. HAIMES†‡ and DUAN LI†

Key Words--Large-scale systems; risk; multiobjective optimization; hierarchical decision-making; reliability.

Abstract--The management of risk is addressed in this paper within the broad hierarchical-multiobjective framework. Such a framework incorporates the hierarchical nature of the decision-making process; the multiple decision-makers at the various levels of the system's hierarchy; the multiobjective nature of large-scale systems; and the quantitative/empirical and the qualitative/normative/judgmental aspects. Three major topics dominate the methodological components of the paper: hierarchical-multiobjective coordination, risk of extreme events and impact analysis. Various application problems are used as a vehicle to communicate the methodological framework with the readers.

1. Introduction

RISK--A MEASURE of the probability and severity of adverse effects--has become during the last decade a subject of intense study by scholars from diverse disciplines. In particular, the process of risk assessment and management, which encompasses several steps that include the identification, measurement, quantification, evaluation and management/control of risk, has gained cross-disciplinary attention that spans engineering; the natural, behavioral and social sciences; law; medicine; and business administration. Previous research in stochastic modeling and optimization, nevertheless, by and large addressed the quantitative, empirical aspects of risk management separately from the qualitative, normative and judgmental considerations, which are the driving forces that ultimately influence the decision-making process. The focus on the former and the de-emphasis of the latter have been counter to the holistic foundations upon which systems engineering is grounded. This paper attempts to capture some specific characteristics of risk assessment and management within the overall decision-making process. If one accepts the premise that the decision-making process itself is driven by multiple conflicting and noncommensurate objectives and that large-scale organizational and technological systems are characterized by inherent hierarchical structures and a hierarchy of decision-makers, then the process of risk assessment and management can be best understood, and thus modeled, via a hierarchical-multiobjective framework. Furthermore, the thesis of this paper is also grounded on the premise that risk management should be an integral part of technology management, not a vacuous afterthought. Three major topics dominate the methodological components of the paper: hierarchical-multiobjective coordination, risk of extreme events and impact analysis. Applications from the areas of the maintenance of infrastructure and flood warning and evacuation systems are used as a vehicle to communicate the methodological framework to the readers.

* Received 24 December 1989; revised 29 July 1990; received in final form 5 September 1990. The original version of this paper was presented in a plenary session at the IFAC/IFORS/IMACS Symposium on Large Scale Systems: Theory and Applications, 29-31 August 1989, Berlin, Germany. The Published Proceedings of this IFAC Meeting may be ordered from: Pergamon Press plc, Headington Hill Hall, Oxford OX3 0BW, U.K. This paper was recommended for publication in revised form by Editor A. P. Sage.

† Center for Risk Management of Engineering Systems and the Department of Systems Engineering, University of Virginia, Charlottesville, Virginia 22901, U.S.A.

‡ Author to whom all correspondence should be addressed.

2. Multiple objective aspects

Lowrance (1976) makes a clear distinction between risk and safety. Measuring risk is an empirical, scientific activity (e.g. measuring the probability and severity of harm); on the other hand, judging safety, which is a normative, political activity, is judging the acceptability of risks. The distinction between risk and safety is at the heart of multiobjective trade-off analysis. Clearly, the determination of how safe is safe enough requires a balance among all costs, benefits and risk--attributes that are measured and perceived in different, noncommensurate units. For example, a classical multiobjective analysis might involve trading off the spending of an additional $1000 per day for the reduction of one part per billion (ppb) of trichloroethylene (TCE) in a municipality's contaminated groundwater (given that the contamination level is already at 10 ppb and $2 million has already been spent in cleaning up the aquifer that supplies drinking water to a community of 20,000 people). Such an analysis is also a risk management problem where the empirical act of measuring the risk of contamination must be followed by the normative step of determining the level of risk that is deemed acceptable by the decision-maker(s).

During the last two decades, the field of multiple criteria decision-making (MCDM) has grown by leaps and bounds, developing from a primarily utility-theory-oriented school to a diverse and balanced philosophical interpretation of utilities, attributes and objectives. More specifically, the nonutilitarian school of thought advances the premises not only that it is extremely difficult if not actually impossible in practice to model the preferences of a decision-maker (or of a group of decision-makers) through a utility function, but it is also not needful or desirable to do so. This premise is supported by the observation that the utility of a decision-maker is likely to be highly nonlinear and dynamic--constantly influenced by transient and exogenous elements that cannot be accounted for quantitatively.

The nonutilitarian multiobjective trade-off approach [e.g. the use of the surrogate worth trade-off (SWT) method (Haimes and Hall, 1974)] is particularly appropriate for risk management because the acceptability of risk is invariably driven by a host of perceptions, heuristics, and biases--a reality that tends to influence and shift the judgement of an acceptable risk level from an absolute venue toward a relative one that is subject to continuous changes and modifications (Kahneman et al., 1982). This fact coupled with the hierarchical structure of most large-scale systems and the hierarchical nature of the decision-making process (as will be discussed subsequently) renders the hierarchical-multiobjective framework for risk management a natural imperative.

FIG. 1. Water distribution system.

3. Hierarchical aspects

Most organizational as well as technological systems are hierarchical in nature, and thus the management of risk of such systems is necessarily driven by this hierarchical reality and must be responsive to it. The risks associated with each subsystem within the hierarchical structure contribute to and ultimately determine the risks of the overall system. The distribution of risks within the subsystems often plays a dominant role in the allocation of resources within the organizational or technological system. This is manifested in the quest to achieve a level of risk that is deemed acceptable in the normative-judgmental decision-making process, when the trade-offs among all the costs, benefits and risks are considered.

Perhaps one of the most valuable and critical contributions of the hierarchical-multiobjective framework to risk assessment and management is its ability to facilitate the evaluation of the risks associated with each subsystem and their corresponding contribution to the overall risks of the total system. In the planning, design or operational mode, the ability to model and quantify the risks contributed by each subsystem to the overall system markedly facilitates the identification, quantification and evaluation of risk. In particular, the ability to model the intricate relationships among the various subsystems and to account for all relevant and important elements of risk and uncertainty renders the modeling process more tractable and the risk assessment process more representative and encompassing. Consider, for example, the problem of maximizing the availability measure of a maintainable infrastructure system. It is known that a given level of availability measure can be achieved by many different combinations of reliability and maintainability. Reliability is defined here as the probability that the system is operational in a given time period. The system's reliability can be improved by applying a certain class of preventive maintenance policies, such as an "age" policy or a "block" policy. Maintainability is defined here as the probability of the duration of the system's downtime resulting from either scheduled or emergency shutdowns. The system's reliability or the maintainability of each of its subsystems can be independently improved if there is no budget constraint. In most real-world situations, however, a resource limitation usually acts as the driving force, and trade-offs thus exist between the reliability and the maintainability of the overall system.

Hierarchical control, when applied to risk management systems, induces a harmonizing effect over the subsystems and contributes to the holistic approach within which the overall system is viewed. Fault tree analysis (U.S. Nuclear Regulatory Commission, 1981), for example, is a widely used analytical tool that decomposes the overall reliability problem into several levels of reliability problems and systematically calculates the failure rate of the overall (top) event from the lower level to the upper level. Studies aiming at developing risk management strategies using decomposition and higher-level coordination are currently under way. Dealing with a low-dimensional multiobjective optimization problem and identifying the impact of the subsystems' reliability on the overall system's performance, a preferred Pareto optimal solution of a large-scale overall system can be reached by introducing coordination among the subsystems.

4. Hierarchical-multiobjective framework for large-scale infrastructure problems

In the preface to a major study by the U.S. National Academy of Engineering (1988) on infrastructure, Robert R. White states that "infrastructure is the term applied to large-scale engineering systems and includes an array of public works, such as roads, bridges, and sewer systems, as well as privately managed utilities such as electric power and telephone service." Thus, the fundamental characteristics of infrastructure problems lie in their large number of components and subsystems. Most water distribution systems, for example, must be addressed within a framework of large-scale systems. In addition, a hierarchy of institutional and organizational decision-making structures (e.g. federal, state, county and city) is often involved in determining the best replacement/repair strategy. A certain degree of coupling exists among the subsystems (e.g. the overall budget constraint imposed on the overall system), and this further complicates the management of such systems. Different replacement/repair strategies for different subsystems often have different impacts on the overall water distribution system; the needs for the resources and their appropriate allocation have a diverse impact on the reliability of the overall system.

The modeling of deteriorating water distribution systems is a focal issue in large-scale infrastructure problems (Andreou et al., 1987; Mays and Cullinane, 1986). A water distribution system may consist of many subsystems. The type of complex water distribution system considered in this paper is a series-parallel network. One example is given in Fig. 1.

The unreliability of an overall water distribution system can be expressed as a function of the unreliabilities of the water distribution subsystems:

$$F_s = F_s(f_1, f_2, \ldots, f_N) \qquad (4.1)$$

where $F_s$ is the unreliability of the overall water distribution system and $f_i$, $i = 1, 2, \ldots, N$, is the unreliability of the $i$th water distribution subsystem. For the example given in Fig. 1, one possible decomposition may be as follows: Components 1, 2, 3 and 4 constitute subsystem 1; components 5 and 6, subsystem 2; components 7, 8, 9 and 10, subsystem 3; components 11, 12 and 13, subsystem 4; and components 14, 15 and 16, subsystem 5. The associated fault tree is given in Fig. 2. The overall system's unreliability is given by

$$F_s = 1 - [1 - f_1 f_2]\,\{1 - [1 - (1 - f_3)(1 - f_4)]\, f_5\}.$$
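The closed-form unreliability above can be checked by evaluating the fault tree bottom-up, which also gives each subsystem's contribution to the overall risk. This is an added example, not code from the paper: the gate structure is read off the closed-form expression, the subsystem unreliabilities are constructed sample values, independence of subsystem failures is assumed, and the sensitivity measure $\partial F_s / \partial f_i$ (often called Birnbaum importance) is an addition the paper does not name.

```python
from math import prod

# Fault tree read off the closed-form expression (Fig. 2 itself is not
# reproduced on this page): the top event occurs if subsystems 1 AND 2 both
# fail, OR if subsystem 5 fails together with subsystem 3 OR 4.
FAULT_TREE = ("OR", ("AND", 1, 2), ("AND", ("OR", 3, 4), 5))

# Constructed subsystem unreliabilities f_1..f_5 (illustrative values only).
SAMPLE_F = {1: 0.05, 2: 0.10, 3: 0.02, 4: 0.03, 5: 0.08}


def failure_probability(node, f):
    """Evaluate a gate tree from the basic events up to the top event.

    node is a subsystem index (basic event) or (gate, child, child, ...).
    Basic events are assumed statistically independent.
    """
    if isinstance(node, int):
        p = f[node]
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"unreliability of subsystem {node} not in [0, 1]")
        return p
    gate, *children = node
    probs = [failure_probability(child, f) for child in children]
    if gate == "AND":   # output fails only if every input fails
        return prod(probs)
    if gate == "OR":    # output fails if at least one input fails
        return 1.0 - prod(1.0 - p for p in probs)
    raise ValueError(f"unknown gate {gate!r}")


def closed_form(f):
    """F_s exactly as written in the text for the five-subsystem case."""
    return 1 - (1 - f[1] * f[2]) * (1 - (1 - (1 - f[3]) * (1 - f[4])) * f[5])


def subsystem_sensitivities(tree, f):
    """dF_s/df_i for every subsystem i.

    Each subsystem appears once in the tree, so F_s is linear in each f_i and
    the derivative equals F_s(f_i = 1) - F_s(f_i = 0) exactly.
    """
    return {
        i: failure_probability(tree, {**f, i: 1.0})
        - failure_probability(tree, {**f, i: 0.0})
        for i in f
    }


def rank_subsystems(tree, f):
    """Subsystems ordered from largest to smallest effect on F_s."""
    sens = subsystem_sensitivities(tree, f)
    return sorted(sens, key=sens.get, reverse=True)


if __name__ == "__main__":
    print("F_s (fault tree)  :", failure_probability(FAULT_TREE, SAMPLE_F))
    print("F_s (closed form) :", closed_form(SAMPLE_F))
    for i, s in subsystem_sensitivities(FAULT_TREE, SAMPLE_F).items():
        print(f"dF_s/df_{i} = {s:.6f}")
    print("ranking:", rank_subsystems(FAULT_TREE, SAMPLE_F))
```

With these sample values subsystem 1 dominates even though it is not the least reliable unit, because it sits in a two-input AND gate whose other input (subsystem 2) is comparatively likely to fail.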

FIG. 2. Fault tree of the water distribution system.

In most cases, the optimization of a water distribution system is difficult to handle as a whole. Hierarchical (multilevel)-multiobjective approaches (Tarvainen and Haimes, 1982; Li and Haimes, 1987a, 1988; Haimes and Li, 1988; Haimes et al., 1990b) solve large-scale multiobjective optimization problems by decomposition and upper-level coordination. In general, the structural nature of multilevel decomposition shows the following advantages: (1) decomposition methods can reflect the internal hierarchical nature of large-scale multiobjective systems; (2) trade-off analyses can be performed among subsystems and the overall system; and (3) through decomposition, the complexity of a large-scale multiobjective system can be relaxed by solving several smaller subproblems.

Assume that the following water distribution system consists of N subsystems. The overall system's multiobjective optimization problem is posed as follows:

$$\min\ [F_1(C_1, \ldots, C_N),\ F_2(f_1, \ldots, f_N)]' \qquad (4.2a)$$

subject to

$$y_i = H_i(x_i, m_i), \quad i = 1, 2, \ldots, N \qquad (4.2b)$$

$$g_i(x_i, m_i, y_i) \le 0, \quad i = 1, 2, \ldots, N \qquad (4.2c)$$

$$x_i = \sum_{j=1}^{N} B_{ij}\, y_j, \quad i = 1, 2, \ldots, N \qquad (4.2d)$$

where $C_i = C_i(x_i, m_i, y_i)$ and $f_i = f_i(x_i, m_i, y_i)$ are the cost function and the unreliability of subsystem $i$, respectively; $F_1 = \sum_{i=1}^{N} C_i$ is the overall cost and $F_2 = F_2(f_1, \ldots, f_N)$ is the overall system's unreliability; $y_i$ is the output of subsystem $i$; $m_i$ is the control of subsystem $i$; $x_i$ is the interaction input of subsystem $i$; $H_i$ represents the system's equation of subsystem $i$; $g_i$ represents the constraints of subsystem $i$; and $B_{ij}$ is a matrix representing the interaction between subsystem $i$ and the other subsystems.

The optimization problem for a water distribution system will be used as a vehicle to present the hierarchical-multiobjective framework for risk management. At the lower level, the overall optimization problem can be decomposed into several smaller water distribution subsystems, which are interconnected by fixed values of coordination variables set by the upper level. The coordination variables often have an economic meaning, e.g. shadow prices. At the upper level, the coordinator adjusts the coordination variables according to the trade-off values among the subsystems and the overall system.

Assume that the upper-level decision-maker's preferences expressed in terms of trade-offs are available. The internal indifference trade-off vector $\lambda^i$ in subsystem $i$ is then obtained by mapping the indifference trade-off vector, $[1, \lambda_{12}(F_1, F_2)]$, of the overall system into each subsystem:

$$\lambda^i = [1,\ \lambda_{12}(F_1, F_2)\ \sim\,]' \qquad (4.3)$$

Specific values $y_i^k$ are selected for output vectors $y_i$ at the upper level at iteration $k$ in the feasible decomposition method. Then the overall system can be decomposed into $N$ subsystems,

$$\min_{m_i}\ [C_i(x_i, m_i, y_i^k),\ f_i(x_i, m_i, y_i^k)]' \qquad (4.4a)$$

subject to

$$y_i^k = H_i(x_i, m_i) \qquad (4.4b)$$

$$x_i = \sum_{j=1}^{N} B_{ij}\, y_j^k \qquad (4.4c)$$

$$g_i(x_i, m_i, y_i^k) \le 0 \qquad (4.4d)$$

where the trade-off vector $\lambda^i$ generated by equation (4.3) is imposed on the subsystems by the higher-level coordinator to generate the preferred solution of the multiobjective optimization problem given in (4.4).

In the nonfeasible method, the Lagrangian multipliers $v_j$ associated with (4.2d) are used as the coordination parameter. Assume that superscript $k$ is used to indicate values assigned by the upper level at iteration $k$. The optimization problem for each subsystem $i$ then becomes

$$\min_{x_i,\, m_i} \begin{bmatrix} C_i(x_i, m_i, y_i) + \sum_{j=1}^{N} (v_j^k)' B_{ji}\, y_i - (v_i^k)' x_i \\ f_i(x_i, m_i, y_i) \end{bmatrix} \qquad (4.5a)$$

subject to

$$y_i = H_i(x_i, m_i) \qquad (4.5b)$$

$$g_i(x_i, m_i, y_i) \le 0 \qquad (4.5c)$$

where the trade-off vector $\lambda^i$ generated by (4.3) is imposed on the subsystems by the higher-level coordinator to generate the preferred solution of the multiobjective optimization problem given in (4.5).

Based on the solutions generated at the lower level, the upper level modifies the values of the coordination variables and sends them back to the lower level. This iteration process is repeated until all optimal conditions are met.

5. Risk of extreme events

5.1. Overview. By its nature, an uncertain event defies our ability to characterize its state in terms of one single definite number. Indeed, the modeling of a random variable through a probability density function (pdf) constitutes the best quantitative characterization of an uncertain event. In effect, the pdf assigns a probability for the occurrence of the uncertain event at a given level within a prespecified domain. In our quest to simplify the decision-making process under uncertainty, it has been a common practice to use the expected value of the random variable as the sole criterion that represents the probability and severity of the random variable. Often, the expected value is used as the risk measure associated with the random variable.

Reconsider, for example, the contamination of a groundwater system with the known carcinogen trichloroethylene (TCE). Since the concentration of TCE in the groundwater cannot be known for certainty, a pdf can be generated on the basis of a sampling and modeling effort. Let $X$ be the random variable representing the concentration of TCE in parts per billion (ppb); let $p_X(x)$ be the probability density function (pdf) of the TCE concentration; and let $P_X(x)$ be the cumulative distribution function (cdf) of the TCE concentration. Then, the expected value $E(X)$ of the concentration of TCE in the groundwater system is given by:

$$E(X) = \int_0^{\infty} x\, p_X(x)\, dx. \qquad (5.1)$$

Note that the expected value is a mathematical artifice that commensurates concentrations (events) having high values and low probabilities with concentrations having low values and high probabilities. Such an averaging process, while helpful in some respects, can distort the true danger (risk) of extreme values (of TCE concentration), leading to complacency and ultimately to disasters. Experience has shown, time and again, that when the expected value is used as the sole index for risk, it often leads to the do-nothing option. On the other hand, when a different index, the conditional expected value (an index that measures the probability and severity given that the event occurs in a specified range of probability or a range of severity, e.g. TCE concentration) is used, the do-nothing option often becomes an inferior one. The expected value of adverse effects, which has been the most commonly used measure of risk, is in many cases inadequate, since this scalar representation of risk commensurates events that correspond to all levels of losses and their associated probabilities. The common expected-value approach is particularly deficient for addressing extreme events, since these events are concealed during the amalgamation of events of low probability and high consequence and events of high probability and low consequence. The partitioned multiobjective risk method (PMRM) and its extensions (using results from the statistics of extremes) provide a valuable tool in the quantification and evaluation of risk focusing on extreme and catastrophic events (Asbeck and Haimes, 1984; Karlsson and Haimes, 1988a, 1988b; Mitsiopoulos and Haimes, 1989).

The PMRM is a risk analysis method developed for solving multiobjective problems with a probabilistic nature. Instead of using the traditional expected value, the PMRM generates a number of conditional expected risk functions, given that the damage falls within specific probability ranges (or damage ranges). Assume the damage (TCE concentration in the groundwater case) can be represented by a continuous random variable $X$ with a known probability density function $p_X(x; s_j)$, where $s_j$, $j = 1, \ldots, q$, is a control policy. The PMRM partitions the probability axis into three ranges. Denote the partitioned points on the probability axis by $\alpha_i$, $i = 1, 2$. For each $\alpha_i$ and each policy $s_j$, it is assumed that there exists a unique damage $\beta_{ij}$ such that

$$P_X(\beta_{ij}; s_j) = \alpha_i, \qquad (5.2)$$

where $P_X$ is the cumulative distribution function of $X$. These $\beta_{ij}$ (with $\beta_{0j}$ and $\beta_{3j}$ representing, respectively, the lower bound and upper bound of the damage) define the conditional expectation as follows:

$$f_i(s_j) = \frac{\int_{\beta_{i-2,j}}^{\beta_{i-1,j}} x\, p_X(x; s_j)\, dx}{\int_{\beta_{i-2,j}}^{\beta_{i-1,j}} p_X(x; s_j)\, dx}, \quad i = 2, 3, 4;\ j = 1, \ldots, q \qquad (5.3)$$

where f2, f3 and f4 represent the risk with high probability of exceedance and low damage, the risk with medium probability of exceedance and medium damage, and the risk with low probability of exceedance and high damage, respectively.

The unconditional expected value of $X$ is denoted by $f_5(s_j)$. The relationship between the conditional expected values ($f_2$, $f_3$, $f_4$) and the unconditional expected value ($f_5$) is given by

$$f_5(s_j) = \theta_2 f_2(s_j) + \theta_3 f_3(s_j) + \theta_4 f_4(s_j) \qquad (5.4)$$

where $\theta_i$, $i = 2, 3, 4$, is the denominator of (5.3).

Combining one of the generated conditional expected risk functions or the unconditional expected risk function with the cost function, $f_1$, creates a set of multiobjective optimization problems:

$$\min\ [f_1, f_i]', \quad i = 2, 3, 4, 5 \qquad (5.5)$$

subject to the system's constraints.

Solving the family of the above multiobjective optimization problems offers more information about the probabilistic behavior of the problem than the single multiobjective formulation of minimizing the cost and the unconditional expected risk function, $\min\ [f_1, f_5]'$. The trade-offs between the cost function $f_1$ and any risk function $f_i$, $i \in \{2, 3, 4, 5\}$, enable decision-makers to evaluate the marginal cost of a small reduction in the risk objective given a particular level of risk assurance. The relationship of the trade-offs between the cost function and the various risk functions is given by

$$1/\lambda_{15} = \theta_2/\lambda_{12} + \theta_3/\lambda_{13} + \theta_4/\lambda_{14} \qquad (5.6)$$

where

$$\lambda_{1i} = -\partial f_1/\partial f_i; \quad \lambda_{1i} > 0, \quad i = 2, 3, 4, 5 \qquad (5.7)$$

is the trade-off value between $f_1$ and $f_i$ in (5.5). Knowledge of this relationship among the marginal costs is useful for the decision-makers to determine an acceptable level of risk. Any multiobjective optimization method, e.g. the surrogate worth trade-off (SWT) method (Haimes and Hall, 1974; Chankong and Haimes, 1983), can be applied at this stage.
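The partitioning in (5.2)-(5.4) can be carried through numerically to show how two policies with the same expected damage differ in their extreme-event risk $f_4$. This is an added example, not code from the paper. It assumes a lognormal damage distribution (chosen because its partial expectations have a closed form), partition points $\alpha_1 = 0.5$ and $\alpha_2 = 0.99$, and two constructed policies with a mean of 10 ppb.

```python
from math import exp, log
from statistics import NormalDist

STD_NORMAL = NormalDist()

# Assumed partition points on the probability axis (alpha_1, alpha_2).
ALPHA_1, ALPHA_2 = 0.5, 0.99

# Constructed policies: both give an expected TCE concentration of 10 ppb,
# but policy B leaves a much heavier upper tail (larger sigma of ln X).
POLICY_A = {"mean": 10.0, "sigma": 0.3}
POLICY_B = {"mean": 10.0, "sigma": 1.0}


def lognormal_mu(mean, sigma):
    """mu of ln X such that E[X] = mean for a lognormal X."""
    return log(mean) - sigma ** 2 / 2.0


def quantile(alpha, mu, sigma):
    """Damage beta with P_X(beta) = alpha, as in (5.2)."""
    return exp(mu + sigma * STD_NORMAL.inv_cdf(alpha))


def partial_mean(alpha, mu, sigma):
    """Integral of x p_X(x) dx from 0 up to the alpha-quantile.

    Lognormal closed form: E[X] * Phi(z_alpha - sigma). The end points
    alpha = 0 and alpha = 1 are handled explicitly because the normal
    quantile is infinite there.
    """
    mean = exp(mu + sigma ** 2 / 2.0)
    if alpha <= 0.0:
        return 0.0
    if alpha >= 1.0:
        return mean
    return mean * STD_NORMAL.cdf(STD_NORMAL.inv_cdf(alpha) - sigma)


def pmrm(policy, alpha1=ALPHA_1, alpha2=ALPHA_2):
    """Conditional expectations f2, f3, f4 of (5.3) and unconditional f5."""
    if not 0.0 < alpha1 < alpha2 < 1.0:
        raise ValueError("need 0 < alpha1 < alpha2 < 1")
    sigma = policy["sigma"]
    mu = lognormal_mu(policy["mean"], sigma)
    cuts = [0.0, alpha1, alpha2, 1.0]
    f, theta = {}, {}
    for i in (2, 3, 4):
        lo, hi = cuts[i - 2], cuts[i - 1]
        theta[i] = hi - lo                      # denominator of (5.3)
        numerator = partial_mean(hi, mu, sigma) - partial_mean(lo, mu, sigma)
        f[i] = numerator / theta[i]
    f[5] = exp(mu + sigma ** 2 / 2.0)           # unconditional expected value
    beta = {1: quantile(alpha1, mu, sigma), 2: quantile(alpha2, mu, sigma)}
    return {"f": f, "theta": theta, "beta": beta}


def check_relation_5_4(result):
    """Residual of f5 = theta2*f2 + theta3*f3 + theta4*f4."""
    f, theta = result["f"], result["theta"]
    return f[5] - sum(theta[i] * f[i] for i in (2, 3, 4))


if __name__ == "__main__":
    for name, policy in (("A", POLICY_A), ("B", POLICY_B)):
        r = pmrm(policy)
        print(f"policy {name}: f2={r['f'][2]:.2f} f3={r['f'][3]:.2f} "
              f"f4={r['f'][4]:.2f} f5={r['f'][5]:.2f} "
              f"residual(5.4)={check_relation_5_4(r):.1e}")
```

Ranking the two policies on $f_5$ alone shows no difference, while $f_4$ separates them by roughly a factor of four.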

While the multiobjective nature of risk-based decision-making is obvious from the preceding discussion, its hierarchical nature deserves more elaboration (Li and Haimes, 1987c). Indeed, rarely are policy options on important and encompassing issues formulated, traded off, evaluated, and finally decided upon at one single level in the hierarchical decision-making process. Rather, a hierarchy that represents various constituencies, stakeholders, power brokers, advisors and administrators and a host of shakers and movers constitutes the true players in the complex decision-making process. Relating to the groundwater contamination problem in the U.S. context, one may view the U.S. Environmental Protection Agency (EPA) as representing the higher level in the hierarchical-multiobjective decision-making framework (notwithstanding the fact that the USEPA itself has its own hierarchical decision-making structure). The lower levels include the Department of Natural Resources of each of the 50 states (or the state's EPA) down to the regional, state and local levels. Furthermore, concerns about the expected value of contamination and the conditional expected value of extreme contamination with TCE vary within each level of the hierarchy; consequently, the risk measures vary correspondingly. At the upper level, the USEPA may consider long-term effects and a much broader geographical area, whereas at a lower level, a local government may consider a shorter time horizon and a much more localized geographical region.

5.2. Classification of risk-control systems. The classification of systems on the basis of their response to extreme events can be valuable to the decision-makers in their qualitative/normative evaluation of the acceptability of risk (Li and Haimes, 1990). Such a classification might also provide an insight into the impacts that current decisions might have on future risk management options.

If a control has the same impact on the risk expectation and on the conditional risk expectation of the extreme events, we call this class of system "systems with neutral risk control". In other words, the control is "neutral" in terms of minimizing the expected value and in minimizing the expected extremes.

If a control has different impacts on the risk expectation and on the conditional risk expectation of extreme events, we call this class of system "systems with risk-manipulatable control". In most cases, risk management strategies make a greater reduction in the measure of the conditional expected extreme than in the measure of the expected value. Furthermore, for systems with risk-manipulatable control, if the minimization of the expected value is consistent with the minimization of the associated variance, we call this type of system "systems with mean-variance consistency risk control".

Finally, when there exists an inconsistency between the mean and the variance, minimizing the expected value and the expected extreme may conflict with each other. We call this class of system "systems with mean-variance inconsistency risk control".

The classification of risk-control systems can also prove to be useful for researchers in the field; it provides a taxonomy that is based not only on the nature of risk but also on its impact.

6. Impact analysis

6.1. Overview. Good technology management necessarily incorporates good risk management practices. Determining the impacts of current decisions on future options, however, constitutes what might be termed as the imperative in good decision-making. Managers, public officials and other decision-makers are commonly rewarded, promoted and otherwise honored not because of the large number of optimal decisions that they make during their tenure in office; rather, they are acknowledged primarily and dominantly for the few disastrous decisions that they make. This trend explains, to a large extent, the conservative and often rigid attitude of bureaucrats who avoid untested paths and experimental options. The ability to model and assess the impacts of current risk-based decisions on the state of the system in the future can thus prove to be a potent tool in decision-making. This ability is particularly valuable for risk-based decision-making associated with dynamic systems, where decision-makers often need to balance short-term with long-term objectives.

In this sense, impact analysis is paramount to "looking before you leap". In particular, stage trade-offs in dynamic systems are needed to measure the impact of the variations of the objective functions at the present stage upon the levels of the objective functions at the remaining stages. Impact analysis thus provides useful information that might avoid adverse and irreversible consequences resulting from what might be perceived as an optimum present decision.

Consider, for example, the risk management problem associated with flood warning and evacuation systems (Haimes et al., 1990a). In general, such systems can be decomposed into a two-level structure. Two subsystems constitute the lower level--the forecast subsystem and the community response subsystem. Based on hydrological and meteorological information and observations, the forecast subsystem calculates the forecasted flood crest. By its nature, there can be no perfect forecast system, and two types of errors of forecasts occur. Type I errors are the missed forecasts and Type II are the false alarms. The performance of a forecast system can be best judged by some statistical measures. The fraction of people in the community who respond to the flood warning constitutes the state variable of the community response system and is dependent on the past performance of the forecast system. Type II errors (false alarms) have a "cry wolf" effect and markedly reduce the system's credibility (thus decreasing the future response of the population to warnings or to evacuations). The general interaction between the forecast subsystem and the response subsystem is given in Fig. 3. The task of the second-level coordination is to set a warning threshold, which can be preassigned such that a flood warning will be issued when the forecasted flood crest is higher than the warning threshold. If the warning threshold is set higher, there will be fewer false alarms and more missed forecasts, and vice versa. Type I and II errors have different impacts on flood-loss reduction. A missed forecast results in an immediate flood loss, while a false alarm reduces the population response fraction in the future. A lower response fraction will cause a higher flood loss; thus, there exist trade-offs between short-term and long-term risk management objectives.

6.2. Hierarchical impact analysis for flood warning systems. The flood warning and evacuation system will be used as a vehicle to demonstrate the hierarchical-methodological framework for impact analysis. Define $H$ to be a random variable which represents the actual flood crest and $S$ to be a random variable which represents the forecasted flood crest. If the prior probability density function of the flood crest is denoted by $g(h)$ and the conditional probability density function of $s$, given $h$, is denoted by $f(s \mid h)$, then the posterior probability density function of $h$, given forecast $s$, is

$$f(h \mid s) = \frac{f(s \mid h)\, g(h)}{k(s)} \tag{6.1}$$

where $k(s)$ is the marginal probability density function of forecast $s$,

$$k(s) = \int_0^{\infty} f(s \mid h)\, g(h)\, dh. \tag{6.2}$$

FIG. 3. Interaction between forecast and response subsystems. (Block labels in the diagram: Decision Logic, Flood Warning, Response, Warning Threshold, Response Fraction, Probabilistic Performance Measures.)

Based on hydrological and climatic information, both observed and historical, the forecast subsystem provides the forecasted value $s$ of the flood crest. From the Bayesian formula given in (6.1), the prior representation of the uncertainty associated with the flood crest is then updated to a posterior form $f(h \mid s)$.

The flood warning threshold $s^*$ is introduced in the following context: (a) No flood warning will be issued if $s < s^*$; and (b) A flood warning will be issued if $s \ge s^*$. In other words, a flood warning will be issued only when the forecasted flood crest $s$ exceeds a preassigned threshold level $s^*$. The selection of the flood warning threshold directly affects the evacuation action which is implemented by the community response subsystem.

Assume that the elevation of the floodplain zone under consideration is $y$; the probability then that this zone will be flooded, conditioned on the forecast $s$, is $P(h \ge y \mid s)$. There exist four possible outcomes that follow a flood warning decision: a correct warning that is a warning followed by a flood, a false warning that is a warning not followed by a flood, a missed warning that is a flood event not preceded by a warning, and a correct quiet that is an event of no warning and no flood. The probability of a correct warning is

$$P_{11}(s^*, y) = \int_{s \ge s^*} P(h \ge y \mid s)\, k(s)\, ds. \tag{6.3}$$

The probability of a false warning is

$$P_{10}(s^*, y) = \int_{s \ge s^*} P(h < y \mid s)\, k(s)\, ds. \tag{6.4}$$

The probability of a missed flood warning is

$$P_{01}(s^*, y) = \int_{s < s^*} P(h \ge y \mid s)\, k(s)\, ds. \tag{6.5}$$

The probability of acting correctly in not issuing a flood warning is

$$P_{00}(s^*, y) = \int_{s < s^*} P(h < y \mid s)\, k(s)\, ds. \tag{6.6}$$

It is clear from (6.3)-(6.6) that the value of the selected threshold $s^*$ plays a key role in determining the probabilities of Type I and Type II errors. If the threshold $s^*$ is set lower, the forecast will have a lower probability value, $P_{01}$, of a Type I error and a higher probability value, $P_{10}$, of a Type II error. If the threshold $s^*$ is set higher, the forecast will have a higher probability value, $P_{01}$, of a Type I error and a lower probability value, $P_{10}$, of a Type II error.

Denote the fraction of people in the community who respond to a call of evacuation by $\alpha_T$ for the $T$th flood event. If a past flood event has been predicted, then the confidence in the forecast system will increase, and thus, future rates of response will also increase. On the other hand, a Type II error will decrease confidence in the forecast system, thereby decreasing future rates of response. The experience of a missed warning will decrease people's confidence in a flood warning system and increase people's alertness to the possibilities of future floods. For simplicity, it is reasonable to assume here that the response fraction will remain unchanged after a missed warning has been experienced. It is also reasonable to assume that a correct quiet does not change the response fraction in the future. In view of the above discussion, the fraction $\alpha_T$ can thus be assumed to evolve dynamically as a controlled stochastic process:

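$$\alpha_{T+1} = \begin{cases} \alpha_T + c_1 (1 - \alpha_T) & \text{with prob. } P_{11}(s_T^*, y) \\ \alpha_T & \text{with prob. } P_{00}(s_T^*, y) + P_{01}(s_T^*, y) \\ c_2\, \alpha_T & \text{with prob. } P_{10}(s_T^*, y) \end{cases} \tag{6.7}$$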

where the values of $c_1$ and $c_2$ are between zero and one and can be determined using identification methods based on historical data.

The flood warning threshold cannot be selected in isolation at each stage since the decision-maker must balance the desire for high present flood-loss reduction with the possibility of high future flood loss. A multiobjective multistage optimization model can be adopted to find the optimal values for the flood warning threshold at various stages. Evaluating the trade-off between short- and long-term effects leads to an acceptable balance between the expected loss reduction at the current stage and the future response fraction that is the key element in flood-loss reduction.
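The outcome probabilities (6.3)-(6.6) and the response dynamics (6.7) can be evaluated numerically; the following is an added illustration, not part of the original paper. The exponential prior, the normal forecast error, the values of c1, c2 and y, the sample thresholds, and the use of one fixed threshold at every stage are all assumptions made for the example.

```python
import math

def outcome_probs(s_star, y, mean_h=3.0, sigma=1.0, step=0.1, h_max=30.0):
    """Return (P11, P10, P01, P00) of (6.3)-(6.6) by midpoint-rule integration.

    Assumptions for illustration only: prior g(h) exponential with mean
    mean_h; forecast error s - h normal with standard deviation sigma.
    """
    p = {"11": 0.0, "10": 0.0, "01": 0.0, "00": 0.0}
    s_min = -5.0 * sigma
    n_h = int(h_max / step)
    n_s = int((h_max + 10.0 * sigma) / step)
    norm = sigma * math.sqrt(2.0 * math.pi)
    for i in range(n_h):
        h = (i + 0.5) * step
        g = math.exp(-h / mean_h) / mean_h
        flood = "1" if h >= y else "0"
        for j in range(n_s):
            s = s_min + (j + 0.5) * step
            f = math.exp(-0.5 * ((s - h) / sigma) ** 2) / norm
            warn = "1" if s >= s_star else "0"
            # f(s|h) g(h) = f(h|s) k(s) by (6.1), so summing the joint density
            # over a quadrant equals the integral of P(. | s) k(s) ds.
            p[warn + flood] += f * g * step * step
    total = sum(p.values())  # renormalise the truncated grid
    return tuple(p[k] / total for k in ("11", "10", "01", "00"))

def expected_response(alpha0, s_star, y, n_events, c1=0.3, c2=0.7):
    """E[alpha_{N+1}] under (6.7) when the same threshold is used at every stage."""
    p11, p10, p01, p00 = outcome_probs(s_star, y)
    alpha = alpha0
    for _ in range(n_events):
        # (6.7) is linear in alpha_T, so the expectation propagates exactly.
        alpha = (p11 * (alpha + c1 * (1.0 - alpha))
                 + (p00 + p01) * alpha
                 + p10 * c2 * alpha)
    return alpha

if __name__ == "__main__":
    y = 4.0  # assumed floodplain elevation
    for s_star in (2.0, 4.0, 6.0):
        p11, p10, p01, p00 = outcome_probs(s_star, y)
        e_alpha = expected_response(0.6, s_star, y, n_events=10)
        print(f"s*={s_star}: P11={p11:.3f} P10={p10:.3f} "
              f"P01={p01:.3f} P00={p00:.3f} E[alpha_11]={e_alpha:.3f}")
```

Raising the threshold trades false alarms for missed warnings at the current stage while changing the expected response fraction carried into later stages, which is the short-term versus long-term trade-off the multistage model balances.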

Assume that there are $N$ successive flood events in the time horizon under consideration. Denote the expected property-loss reduction at the $T$th flood event by fr(c~ r, s~, y), and the expected life-loss reduction at the $T$th flood event by ff(cr r, s~-, y). The maximization of three noncommensurate/conflicting objective functions is considered. The first objective is to maximize the sum of the expected property-loss reductions of all flood events over the time horizon under consideration; the second objective is to maximize the sum of the expected life-loss reductions of all flood events over the time horizon under consideration; and the third objective is to maximize the forecast system's credibility, which is implicitly expressed by $E(\alpha_{N+1})$, the expected fraction of people who respond to the warning beyond the time horizon under consideration. Mathematically, this overall multiobjective optimization problem can be posed as follows:

T = I

max f2= (6.8) s "

L f3 =f3 = E{°tN+,)

subject to (6.7). The multistage multiobjective optimization problem in (6.8) can be effectively solved by multiobjective dynamic programming approaches, such as the envelope approach by Li and Haimes (1987b, 1988). The set of noninferior solutions provides the decision-maker the best solutions to balance the short- and long-term objectives and to avoid adverse consequences resulting from what might be perceived as an optimum present decision.

7. Conclusions

Risk and uncertainty are fundamental elements of modern life; they are ever-present in the actions of human beings, and are frequently magnified in large-scale technological systems. Engineering systems, for example, are almost always designed and operated under conditions of risk and uncertainty and are often expected to achieve multiple and conflicting objectives. Success is gauged by engineering, economic, legal and social criteria. To make a rational choice, the decision-maker must evaluate the alternatives in light of all these criteria, analyze trade-offs between them and make a final decision that combines engineering analysis with societal preferences. These complex and interrelated forces necessitate that risk and uncertainty be managed effectively within a holistic framework. The proposed hierarchical-multiobjective framework constitutes the building blocks for risk management in such a holistic framework. Those private and public organizations that can successfully address the risk inherent in their business--whether future product design, resource availability, natural forces, market changes or the reliability of man/machine systems--will dominate the technological market.

Acknowledgements--Financial support for the research was provided, in part, by the National Science Foundation, Grant No. CES-8617984, under the project title "Hierarchical-multiobjective management of large scale infrastructure"; the National Aeronautics and Space Administration, Contract No. NASA-4311, under the project title "Integration of the partitioned multiobjective risk method (PMRM) and fault-tree analysis"; and the Institute for Water Resources, U.S. Army Corps of Engineers. The editorial work of Virginia Benade and Gail Hyder Wiley is very much appreciated.

References

Andreou, S. A., D. H. Marks and R. M. Clark (1987). A new methodology for modelling failure patterns in deteriorating water distribution systems: Theory. Adv. Water Resources, 10, 2-10.

Asbeck, E. and Y. Y. Haimes (1984). The partitioned multiobjective risk method. Large Scale Syst., 6, 13-38.

Chankong, V. and Y. Y. Haimes (1983). Multiobjective Decision Making: Theory and Methodology. Elsevier-North Holland, New York.

Haimes, Y. Y. and W. A. Hall (1974). Multiobjectives in water resources systems analysis: The surrogate worth trade-off method. Water Resources Res., 10, 615-624.

Haimes, Y. Y. and D. Li (1988). Hierarchical multiobjective analysis for large-scale systems: Review and current status. Automatica, 24, 53-69.

Haimes, Y. Y., D. Li and E. Z. Stakhiv (1990a). Selection of optimal flood warning threshold. In Haimes, Y. Y. and E. Z. Stakhiv (Eds), Risk-Based Decision Making in Water Resources. American Society of Civil Engineering, New York.

Haimes, Y. Y., K. Tarvainen, T. Shima and J. Thadathil (1990b). Hierarchical-Multiobjective Analysis of Large-Scale Systems. Hemisphere, New York.

Kahneman, D., P. Slovic and A. Tversky (Eds) (1982). Judgment Under Uncertainty: Heuristics and Biases. Cambridge University Press, Cambridge, U.K.

Karlsson, P. and Y. Y. Haimes (1988a). Risk-based analysis of extreme events. Water Resources Res., 24, 9-20.

Karlsson, P. and Y. Y. Haimes (1988b). Probability distributions and their partitioning. Water Resources Res., 24, 21-29.

Karlsson, P. and Y. Y. Haimes (1989). Risk assessment of extreme events: Application. J. Water Resources Planning and Management, 15, 299-320.

Li, D. and Y. Y. Haimes (1987a). A hierarchical generating method for large scale multiobjective systems. J. Optimiz. Theory Applic., 54, 303-333.

Li, D. and Y. Y. Haimes (1987b). The envelope approach for multiobjective optimization problems. IEEE Trans. Syst. Man Cybern., SMC-17, 1026-1038.

Li, D. and Y. Y. Haimes (1987c). Risk management in a hierarchical multiobjective framework. In Sawaragi, Y., K. Inoue and H. Nakayama (Eds), Toward Interactive and Intelligent Decision Support Systems, Vol. 2. Springer, Berlin.

Li, D. and Y. Y. Haimes (1988). Decomposition technique in multiobjective discrete-time dynamic problems. In Leondes, C. T. (Ed.), Control and Dynamic Systems, Vol. 28. Academic Press, San Diego, CA.

Li, D. and Y. Y. Haimes (1990). Multiobjective control of risk of extreme events in dynamic systems. Presented at the IXth International MCDM Conference, Washington, D.C.

Lowrance, W. W. (1976). Of Acceptable Risk. William Kaufmann, Los Altos, CA.

Mays, L. W. and M. J. Cullinane (1986). A review and evaluation of reliability concepts for design of water distribution system. Report to Department of the Army, U.S. Army Corps of Engineers, EL-86-1.

Mitsiopoulos, J. and Y. Y. Haimes (1989). Generalized quantification of risk associated with extreme events. Risk Analysis, 9, 243-254.

Tarvainen, K. and Y. Y. Haimes (1982). Coordination of hierarchical multiobjective systems: Theory and methodology. IEEE-SMC, 12, 751-764.

U.S. National Academy of Engineering (1988). Cities and Their Vital Systems: Infrastructure, Past, Present, and Future. National Academy Press, Washington, D.C.

U.S. Nuclear Regulatory Commission (1981). Fault Tree Handbook. NUREG-0492.