Protection of Civilian Infrastructure from Acts of Terrorism
NATO Security through Science Series

This Series presents the results of scientific meetings supported under the NATO Programme for Security through Science (STS). Meetings supported by the NATO STS Programme are in security-related priority areas of Defence Against Terrorism or Countering Other Threats to Security. The types of meeting supported are generally "Advanced Study Institutes" and "Advanced Research Workshops". The NATO STS Series collects together the results of these meetings. The meetings are co-organized by scientists from NATO countries and scientists from NATO's "Partner" or "Mediterranean Dialogue" countries. The observations and recommendations made at the meetings, as well as the contents of the volumes in the Series, reflect those of participants and contributors only; they should not necessarily be regarded as reflecting NATO views or policy.

Advanced Study Institutes (ASI) are high-level tutorial courses to convey the latest developments in a subject to an advanced-level audience.

Advanced Research Workshops (ARW) are expert meetings where an intense but informal exchange of views at the frontiers of a subject aims at identifying directions for future action.

Following a transformation of the programme in 2004 the Series has been re-named and re-organised. Recent volumes on topics not related to security, which result from meetings supported under the programme earlier, may be found in the NATO Science Series. The Series is published by IOS Press, Amsterdam, and Springer, Dordrecht, in conjunction with the NATO Public Diplomacy Division.

Sub-Series
A. Chemistry and Biology (Springer)
B. Physics and Biophysics (Springer)
C. Environmental Security (Springer)
D. Information and Communication Security (IOS Press)
E. Human and Societal Dynamics (IOS Press)

http://www.nato.int/science
http://www.springer.com
http://www.iospress.nl

Series C: Environmental Security – Vol. 12
Protection of Civilian Infrastructure from Acts of Terrorism edited by
Konstantin V. Frolov Institute of Machine Sciences, Russian Academy of Sciences, Moscow, Russia and
Gregory B. Baecher University of Maryland, MD, U.S.A.
Published in cooperation with NATO Public Diplomacy Division
Proceedings of the NATO Advanced Research Workshop on Protection of Civilian Infrastructure from Acts of Terrorism, Moscow, Russia, May 27–29, 2004

A C.I.P. Catalogue record for this book is available from the Library of Congress.

ISBN-10 1-4020-4923-4 (PB)
ISBN-13 978-1-4020-4923-1 (PB)
ISBN-10 1-4020-4922-6 (HB)
ISBN-13 978-1-4020-4922-4 (HB)
ISBN-10 1-4020-4924-2 (e-book)
ISBN-13 978-1-4020-4924-8 (e-book)
Published by Springer, P.O. Box 17, 3300 AA Dordrecht, The Netherlands. www.springer.com
Printed on acid-free paper
All Rights Reserved © 2006 Springer No part of this work may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, microfilming, recording or otherwise, without written permission from the Publisher, with the exception of any material supplied specifically for the purpose of being entered and executed on a computer system, for exclusive use by the purchaser of the work. Printed in the Netherlands.
TABLE OF CONTENTS

Preface
Acknowledgements
Contributors

Introduction
Opening Address, A.K. Frolov

Setting the Scene and Characterizing the Threat
Risk Management in Natural and Societal Systems, R. Akhmetkhanov
Vulnerability Estimation of High-Rise Structures in Case of Non-Regular Dynamic Actions by Methods of Statistical Simulation, V.T. Alymov and O.V. Trifonov
Setting the Stage: The Vulnerability of Critical Infrastructures, T. Thedéen
The Risk Imposed by Fire to Buildings and how to Address it, J.L. Torero
Analysis of Technogenic Risks Under Terrorist Impacts, N. Makhutov

Vulnerability, Risk Analysis, and Risk Assessment
Petroleum Supply Vulnerability Due to Terrorism at North Sea Oil and Gas Infrastructures, M. Tørhaug
Lessons from Safety Assessment, Natural Disasters and Other Hazards, J. McQuaid
Large Dams and the Terrorist Threat, R.A. Stewart
Decontamination in the Event of a Chemical or Radiological Terrorist Attack, K. Volchek, M. Fingas, M. Hornof, L. Boudreau, and N. Yanofsky

Mitigation and Response
Mitigating Water Supply System Vulnerabilities, G.B. Baecher
Nuclear Terrorism and Insurance Liability, O.M. Kovalevich and S.D. Gavrilov
Capital Wireless Integrated Network, H. Ali, S. Yang and T.H. Jacobs
Emergency Services in Homeland Security, F. Krimgold, K. Critchlow and N. Udu-gama
Communications Infrastructure Security, M.J. Casey
On the Possibility of Detecting Explosives by the Combined use of Nuclear Reactions -(N,N), (N,J), (N,P), G. Kotel'nikov, S. Kotel'nikov, V. Stepanchikov, and G. Yakovlev

Index
PREFACE
Konstantine V. Frolov (1) and Gregory B. Baecher (2)
(1) Director of the Institute for Machine Sciences, RAS; and (2) University of Maryland
The objective of the Workshop on Protection of Civilian Infrastructure From Acts of Terrorism was to lay the foundation for a risk-informed approach to modeling, analyzing, predicting, managing, and controlling multisector infrastructure networks in the face of human threats and errors. The goal was to combine the insights of a spectrum of disciplines across engineering, public policy, planning, and economics. The workshop addressed the need to develop an understanding of the systems behaviors and vulnerabilities of interacting networks; create a risk-informed analysis capability for modeling and predicting the behavior of complex networks; apply emerging technology to the problems of designing, constructing, monitoring, and operating critical infrastructure; and build an understanding of the social, economic, and environmental factors that affect, and are affected by, critical infrastructure.

The objective was to develop an understanding of the vulnerability of critical systems to various modes of terrorist attack. The benefit of developing such understanding is that approaches can be crafted for reducing vulnerability and for containing or limiting the propagation of failure within an infrastructure system, thus limiting the impact of terrorism. This also leads to improved understanding of infrastructure systems in general, not only in the face of threats but also of natural hazards. Areas of research need and capability were identified, along with opportunities for future exchange and collaboration.

The workshop was organized around eight major themes grouped in three areas: (I) setting the scene and characterizing the threat (the general problem of protecting civil infrastructure, lessons from conventional hazards and threats), (II) vulnerability (technogenic risks and safety, risk analysis, risk management), and (III) mitigation and response (mitigation, risk reduction, and capacity building). The more specific purviews of each respective theme are the following.

General problem of protecting civil infrastructure: The infrastructures of modern society are big, interconnected and critical for the daily life of the citizens. Examples are the power network, transportation networks, and data and telecommunication networks. These infrastructures can be modeled using graphs. Threats can be of different kinds: natural, technogenic, human error, hackers, and antagonistic threats, including terrorism and war. These threats may result in system collapses. The hazards due to nature, technical and human error, and random mishap can be analyzed by risk analytical methods. Antagonistic threats must be handled by other methods.

Lessons from conventional hazards and threats: The need to anticipate and prevent potential accidents with severe consequences has resulted in the development of structured procedures and methods of assessment for the different stages of the life cycle of a catastrophic event. Techniques of assessment are of varying degrees of complexity and, in their more developed forms, can help to promote understanding among interested parties of the intricacies of what are usually complex situations. The principal benefit that such techniques bring to decision making lies in imposing order and discipline on the process of assessment and in exposing differences in the exercise of judgment by assessors.

Technogenic risks and safety: Modern terrorism can be divided into three types: traditional terrorism, technogenic or high impact terrorism, and intelligent terrorism. Emergency situations initiated by terrorist attacks and traditional man-made catastrophes develop according to similar mechanisms and laws. The existing standards and codes in the field of designing, constructing, and maintaining critical infrastructures and facilities should therefore be modified and updated in view of terrorist impact threats. The rapid development of global infrastructure networks and the activity of international terrorist organizations require coordinated efforts to reduce the vulnerability of critical infrastructures towards potential terrorist impacts.

Risk analysis and management: The peculiarity of terrorist impacts lies in the infliction of maximum casualties among a population at minimal expenditure. Terrorist acts lead to complex impacts on a system. This distinction between catastrophes of natural and technogenic character (or social crisis) and terrorism means that, while risk theory may be applied to natural and social system safety management, estimating terrorist acts using probability theory is subject to difficulties, because the analyses change in shape as well as in the traditional risk analysis stages and solutions. Systems approaches to risk analysis of natural and social systems are based on considering sub-systems in their interconnection, which makes it possible to take damage into account cumulatively; in contrast, there is a synergetic manifestation of terrorist impacts. Risk of national and social systems can be structured in the shape of potential functions and a power spectrum of different risks.

Mitigation and response: Consequences of terrorist attacks in terms of damage values are comparable to those of major hazards and catastrophes. However, major hazards and catastrophes are occasional in character, whereas terrorist attacks are well-planned events. Terrorists as a rule choose targets that are likely to cause the most striking social response. Therefore, development of methodologies and techniques to forecast the most probable target for terrorist attacks is a most urgent task. The methods for complex assessment of safety level that have been developed in the framework of a federal safety program can be adapted to fulfill this task.

Risk reduction and human errors: Human and organizational factors play a critical role in safety management. It is estimated that in industrial settings, 70 to 80 percent of accident causation is attributed to human error. In almost all cases of technological disaster, warning signals are present in the system and either discounted or ignored. New models of safety management offer alternative methods of risk prediction and control. These can be examined from a cross-cultural perspective to identify diagnostic and intervention techniques which may be effectively applied in both the natural and technologic spheres, including terrorist attacks.
ACKNOWLEDGEMENTS
Many people contributed to the success of the NATO-Russia Workshop on Protection of Civil Infrastructure from Acts of Terrorism. There is not space to acknowledge all of those who contributed. However, foremost among those who made the workshop possible was Dr. Alain H. Jubier, NATO Program Director, Environmental Security, Public Diplomacy Division, whose guidance, insights, and sponsorship allowed the workshop to happen. The editors also express their appreciation to the Institute for Machine Sciences of the Russian Academy of Sciences for hosting the workshop, and to Dmitry Reznikov for serving as liaison in planning the workshop and helping to produce these proceedings. The expert technical translation services and spirited contributions of Irina Pushkina allowed for effective communications even of the most complex technical issues. Lastly, nothing would have been possible without the participation of the number of NATO and Russian scientists and engineers who contributed insight and generously shared their ideas.
CONTRIBUTORS
Rasim Akhmetkhanov: Institute for Machine Sciences, RAS, 4 Maly Kharitonievsky st., Moscow
Valentin T. Alymov: Institute for Machine Sciences, Russian Academy of Sciences, 4 Maly Kharitonievsky st., Moscow
Gregory B. Baecher: Department of Civil and Environmental Engineering, University of Maryland, College Park, MD 29742
Louise Boudreau: SAIC Canada, 60 Queen Street, Ottawa, Ontario K1P 5Y7
Michael J. Casey: Department of Civil Engineering, George Mason University, 4400 University Drive MS4A6, Fairfax, VA 22030
Keith Critchlow: Virginia Polytechnic Institute and State University, 4300 Wilson Blvd, Suite 750, Arlington, VA 22203
Merv Fingas: Environment Canada, 335 River Road, Ottawa, Ontario K1A 0H3
Konstantine V. Frolov: Institute for Machine Sciences, RAS, 4 Maly Kharitonievsky st., Moscow
Sergey D. Gavrilov: DECOM Technology Intellectual Ltd, PO 6 Moscow 123154
Ali Haghani: Department of Civil Engineering, University of Maryland, College Park, MD 29742
Monica Hornof: SAIC Canada, 60 Queen Street, Ottawa, Ontario K1P 5Y7
Thomas H. Jacobs: Center of Advanced Transportation Technology, University of Maryland, College Park, MD 29742
Gennadii Kotelnikov: Russian Research Center Kurchatov Institute, Kurchatov Sq., 1, Moscow, 123182
Vladimir Kotelnikov: Spetssvyaz, Offis 267, Tverskaya 12, Bilding 7, Moscow, 125009
Oleg M. Kovalevich: Nuclear & Radiation Safety Science and Technology Center, Moscow; Russia, 14/23, Avtozavodskaya ul., Moscow, 109280
Frederick Krimgold: Virginia Polytechnic Institute and State University, 4300 Wilson Blvd, Suite 750, Arlington, VA 22203
Nikolay Makhutov: Institute for Machine Sciences, RAS, 4 Maly Kharitonievsky st., Moscow
James McQuaid: Royal Academy of Engineering, Department of Mechanical Engineering, University of Sheffield
Vladimir Stepanchikov: Russian Research Center Kurchatov Institute, Kurchatov Sq., 1, Moscow, 123182
Ramond A. Stewart: BCHydro, 6911 Southpoint Drive (E-14), Burnaby, BC V3N 4X8
Magne Tørhaug: Det Norske Veritas, Veritasveien 1, 1322 Høvik
Oleg V. Trifonov: Moscow Power Engineering Institute (Technical University), 17 Krasnokazarmennaya st., Moscow
Torbjörn Thedéen: Royal Institute of Technology (KTH), SE-100 44 Stockholm KTH Sweden
José L. Torero: Edinburgh Center for Fire Research, The University of Edinburgh, Mayfield Road, Edinburgh EH9 3JL
Natasha Udu-gama: Virginia Polytechnic Institute and State University, 4300 Wilson Blvd, Suite 750, Arlington, VA 22203
Konstantin Volchek: Environment Canada, 335 River Road, Ottawa, Ontario K1A 0H3
Genrikh Yakovlev: Russian Research Center Kurchatov Institute, Kurchatov Sq., 1, Moscow, 123182
Saini Yang: Center of Advanced Transportation Technology, University of Maryland, College Park, MD 29742
Norman Yanofsky: Department of National Defence, 305 Rideau Street, Ottawa, Ontario K1A0K2
INTRODUCTION
OPENING ADDRESS Academician Konstantin Frolov Director of the Institute for Machine Sciences, RAS
We are glad to welcome the participants of the workshop ‘Protection of Civilian Infrastructure from Acts of Terrorism’ in Moscow in this historic building of the Institute for Machine Sciences that witnessed many glorious events in the public and scientific life of Russia. I would like to express our acknowledgement to the NATO Program ‘Science for Peace’ for its support of fundamental science and its efforts to establish close relationships between the scientists of the NATO countries and Russia, to form a climate of mutual trust, and for its attention to one of the global problems facing humanity, the problem of ensuring safety in the wide sense of this word.

It is significant that the workshop, which took more than a year to prepare, is in full conformity with the recently approved new priorities of the NATO scientific program, which is to be concentrated on countering terrorism and other threats to security. The cooperation between Russian experts in the field of safety and their counterparts in the EU, US and Canada has been developed mainly as two-side contacts. In particular there is a program of cooperation between the Russian Academy of Sciences and the US National Academies focused on countering technological terrorism. I believe it is very important that we have been able to get together in the frame of the workshop specialists from many countries, because countering international terrorism could only be achieved through intensive multinational efforts.

Russia, like many other countries, has substantial experience in assessing risks of natural and manmade catastrophes. The results of the research are summarized in a multivolume series ‘Safety of Russia’ that is being published by the Russian Academy of Sciences and the International Foundation ‘Znanie’. I believe that further work on reducing terrorist risks has to be based on the existing methods and approaches to natural and manmade risk analysis, which should be adapted to hazards initiated by terrorist acts through taking into account the peculiarities of terrorist risks. We should bear in mind, however, that those risks would involve additional uncertainties due to special preliminary planning by terrorists. Damages and losses inflicted by terrorist attacks may differ from those caused by natural and physical processes developed due to natural and technological hazards. We are ready to share our experience in this field and are interested in the experience of other countries in protection of critical infrastructures against acts of terror and in reducing vulnerability of high risk facilities under the threat of terrorism.

It is necessary to bear in mind that the problem of terrorism is complex and interdisciplinary. Its solution requires analysis of technical, social, political, historical and cultural aspects of the problem. In particular the problem of harmonization of national legislative frameworks is a priority one. A number of these aspects are beyond the frame of our workshop. Since we are representatives of the engineering community, we are primarily interested in reducing vulnerability of critical infrastructures towards terrorist attacks, developing protection systems, allocation of resources, and planning response and recovery operations after major terrorist attacks.

In conclusion I would like to wish fruitful work to all of us. I hope that our workshop makes a tangible contribution to promote international cooperation in countering terrorism.

K.V. Frolov and G.B. Baecher (eds.), Protection of Civilian Infrastructure from Acts of Terrorism, 3–4. © 2006 Springer. Printed in the Netherlands.
SETTING THE SCENE AND CHARACTERIZING THE THREAT
RISK MANAGEMENT IN NATURAL AND SOCIETAL SYSTEMS Taking into Account Terrorist Threats Rasim Akhmetkhanov Institute for Machine Sciences, RAS
Abstract:
The paper presents a systemic approach to ensuring the safety of natural-manmade-social systems that could be subjected to terrorist impacts. The theory of risks and the methods of risk analysis that are used in assessing natural, manmade and societal crises and catastrophes can be applied to assess risks of terrorist impacts as well. Such an approach makes it possible to study cascade-synergetic processes, to reveal weak elements of a system and to undertake measures for protection against terrorist attacks. The presented systemic description of risk makes it possible to conduct a profound and comprehensive study of the interaction between various elements of a natural-manmade-social system, to select basic elements and to determine the possibility of terrorist impacts on them at local and systemic (global) levels, taking into account the internal characteristics of the system.
Key words:
risk analysis, terrorism, cascade-synergetic processes, systems
According to UN data, terrorist activity has tended to grow steadily during the past 15 years. In the 20th century, for the first time in human history, terrorism became a global problem closely connected to the problem of human survival. Modern terrorism differs drastically from the terrorism of the past. Nowadays terrorists have the opportunity to make use of innovative technologies and weapons of mass destruction. This opportunity is not an abstract one. In 1994 a terrorist was detained in Ukraine who threatened to blow up a reactor in the Chernobyl nuclear power plant if his requirements were not satisfied. Poison gas was sprayed in the Tokyo underground.

Modern terrorism acquires a system character; the goal of terrorists is to break a system, to upset the balance, to change its structure and the relations between its elements. Modern terrorism has several aspects. Thus the new terrorism makes allowance for world interdependence and the system character of processes going on in the world, and offers a corresponding strategy of threats. The actions of terrorism are based on a domino effect. A butterfly effect inevitably arises in a complex and globalized society: a fairly insignificant incident at one place causes an event with avalanche-like consequences at another place. Terrorism is seeking new means of intimidation, more cruel and large-scale ones.

K.V. Frolov and G.B. Baecher (eds.), Protection of Civilian Infrastructure from Acts of Terrorism, 7–20. © 2006 Springer. Printed in the Netherlands.
Figure 1. Kinds of terrorism. a: traditional terrorism; b: technological terrorism; c: intellectual terrorism; Ua: initial damage; Ub: secondary damage; Uk: cascade damage.

Terrorism has proved to be directly connected with the problem of human survival and ensuring national safety. Terrorism is an extreme form of social, ethnic and religious extremism, and nothing can prevent it from achieving its goals. This criminal phenomenon tends to grow steadily everywhere in the world. Criminalists observe that year by year terrorist attacks are becoming more thoroughly organized actions that employ super-modern technologies, weapons and means of communication. This kind of activity is now preferred by extremists as a way to solve social, ethnic, religious and other conflicts.
Modern industrial infrastructure in developed countries, especially megalopolises, comprising thousands of radioactive, chemical and biological objects, offers terrorists a real opportunity to inflict damage without resorting to weapons of mass destruction, though their efforts to get hold of them are evident. The nature of a hazard (or an opportunity to inflict damage) is connected with energy, substance or information flows that are inadequate for the infrastructure as an open system. Besides, every infrastructure is a compilation of various components that have a common purpose, common conditions of functioning and common resources.

A systems approach to studying any threat implies, first of all, knowledge of the adversary that is as complete as possible (his objectives, tasks, financial and professional potential, materials, equipment, weapons and many other characteristics). Therefore potential targets for terrorists should be systematized according to their accessibility and the possible damage in the case of destruction. These are basic data for organizing counteraction.

Modern terrorism can be divided into three kinds: traditional, technological and intellectual (fig. 1) [1], which differ in the character of damage distribution over time (initial, secondary and cascade damages). Analysis of various kinds of terrorist impacts on a natural-manmade system shows that maximal damage corresponds to the secondary damage, with the cascade-synergetic effect being manifested. Examination of these facts leads us to the conclusion that technological and intellectual kinds of terrorism can be classified as systemic terrorism. The emergence and development of initial, secondary and cascade factors of destruction in terrorism are governed by practically the same laws that govern traditional accidents and catastrophes in complex technological systems causing manmade emergencies.

In view of the above, the development of methods, means and systems for protection from threats of systemic terrorism comes down to two basic tasks: (a) risk reduction or prevention of initiating hazards, threats, and challenges; (b) reduction of the risks of further development of natural, manmade and societal emergencies, provided that initiating terrorist impacts take place.

The theory of risks and the methods of risk analysis are used in order to assess natural, manmade and societal crises and catastrophes [2,3]. They can be applied to assess risks of terrorist impacts as well. It is necessary to take into account the systemic characteristics of natural-manmade-social systems. Such an approach makes it possible to study cascade-synergetic processes, to reveal weak elements of a system and to undertake measures for protection against terrorist attacks, which leads to more efficient decisions on primary protection of key assets of infrastructure.
Systemic risks are determined by peculiar interactions of the natural, manmade and social spheres. A catastrophe or crisis is a chain of sequential interconnected events. The number of links in the chain can be fairly big. When analyzing systemic risks in natural-manmade-social systems, the probability that a systemic threat is realized can be presented as a functional [1]:

$$P_{sis} = F_{ps}\{P_n, P_m, P_s\},$$

where
$P_n$ is the probability of unfavorable events in the natural environment;
$P_m$ is the probability of unfavorable events in the manmade (engineered) environment;
$P_s$ is the probability of unfavorable events in the social sphere.

Probability $P_m$ is considerably dependent on the level of protection of manmade facilities of military or civil designation from accidents and catastrophes. This protection depends on the extent of degradation of facilities at the given stage of maintenance, and on the level of diagnostics and monitoring, which means that $P_m$ and $P_s$ are directly related. Probability $P_s$ is known to depend on the occurrence of natural disasters ($P_n$) as well as on the state of manmade facilities (on $P_m$).

Damage $U_{sis}$ caused by a realized system threat can generally be presented as a functional:

$$U_{sis} = F_{us}\{U_n, U_m, U_s\},$$

where
$U_n$ is damage inflicted on the natural environment;
$U_m$ is damage inflicted on the manmade (engineered) environment;
$U_s$ is damage inflicted on the social sphere (primarily on population) when a systematic threat is realized and initial and secondary destructive factors interact.

The values $U_n$, $U_m$, $U_s$ can be measured both in terms of physical items (for example, a number of casualties, a number of buildings destroyed, the area of contaminated territory) and in equivalents (for example, pecuniary loss).
To analyze and manage risks $R_{sis}$ with respect to two groups of 3 components one can use limit state surfaces:

• Systemic risks to the social environment ($R_s$), to the manmade environment ($R_m$), and to the natural environment ($R_n$)
• Integrated damaging factors of crises and catastrophes: energy ($E$), substance ($S$), information ($I$).

Then the state of utmost danger for $R_n$, $R_m$, $R_s$ or $E$, $S$, $I$ will be at the intersection between the vector of the current state of a system in risk $R_{sis}$ or threats $D_{sis}$ and the surface of the utmost danger state. The state of a system is a function of the parameters $X = (X_{loc}, X_{sis})$. Vector $X$ consists of 2 sets of parameters that specify the elements of a system (local parameters) and the links between the elements (systemic parameters). These parameters can be variable or stationary. They determine the level of risk in a system: $(X_{loc}, X_{sis}) \to R$.

The described analysis of systematic concepts of risks and losses in natural-manmade-social systems shows that in order to estimate risk in such systems it is necessary to proceed not only from the probability of occurrence of a crisis situation, but also from the degree of vulnerability of its elements, allowing for synergetic cumulative effects. In this case the potential complex damage caused by an emergency to a natural-manmade-social system should be described by a matrix of losses in the subsystems and elements of the system. This matrix is to allow for direct losses, i.e. levels of destruction, infringement, radioactive and chemical pollution, and negative aftermaths of damaging effects on natural and economic objects (land, people, flora and fauna, buildings, equipment, goods, raw materials, plantations, livestock and the like), as well as indirect losses inflicted by the said destruction and infringement on the state and functioning of other objects of nature and economy that did not suffer directly from the damaging factors.

A system can be divided into different numbers of components, the degree of detailing depending on the level of emergency situation danger. A system is considered as a complex of 3 subsystems at any level of risk described: natural, manmade and social. A natural-manmade-social system of the highest level of danger is considered to include the lower levels of danger. Each subsystem is divided into subsystems of the next lower levels. Thus a hierarchic (multilevel) presentation of a system is built up.

When considering a system consisting of subsystems, the matrix of losses is presented as a matrix containing both diagonal blocks (units) and non-diagonal blocks. Diagonal elements of a loss matrix specify potential losses at the given element of the system in the case that an emergency occurs at this element. Non-diagonal elements of a loss matrix, characterizing the linkage of the system's elements with regard to the criterion for loss, describe the synergetic development of an emergency and its distribution onto the system.
This kind of matrix is build up through assessment of maximal potential losses to the elements (subsystems) of a system. All kinds of losses are taken into account. Probability of an emergency occurrence in conformity with such systemic approach is characterized by the matrix of probability of the emergency occurrence that contains probable estimations of emergency effects on the elements of the system, according to the scenario of the emergency development. Risk dependence on the level of protection of the system’s elements, on their location relating to the zone emergency occurrence is estimated by matrix of the system vulnerability in case of emergency. (This matrix contains characteristics of the system’s elements vulnerability in case of the given emergency). Then the risk for naturalmanmade-social system from a specific emergency can be presented as the matrix of the risk: Ri
R UT ( X loc ) U ( X
sis
)P
where $R_{UT}(X_{loc})$ is the matrix that contains the vulnerability factors of the system's elements, these factors depending on the parameters $X_{loc}$ of the system's elements; $U(X_{sis})$ is the loss matrix, consisting of the values of maximal losses, and this matrix depends on the system's parameters $X_{sis}$; $P$ is the matrix of the emergency's probability and effects on the system's elements. The coefficients of the matrix $R_{UT}(X_{loc})$ are variable and vary according to the character of local governing impacts. The matrix of losses depends on the structural properties of the system, on the interactions of the system's elements and on the systemic parameters $X_{sis}$. Variations of the values of the elements of this matrix require systematic changes. Thus risk management in natural-manmade-social systems implies local risk management through reducing the vulnerability coefficients of the system's elements and, if possible, the probability of occurrence of a specific emergency and its effects on the system's elements. Decisions on risk management can be made at both local and global (systemic) levels. In mature natural-manmade-social systems with strong linkage between the elements of the natural, manmade and social spheres, global decisions require high expense. The comprehensive risk, which comprises all kinds of risks of a system, can be presented as:
$$R_s = R_s^{*} + R_f = \sum_{j}^{n} R_j + R_f, \qquad j = 1, \dots, n$$
where $R_f$ is the background risk, which includes the risks from those emergencies that cause insignificant loss and tend to occur frequently. The presentation of a risk as a matrix makes it possible to take account of the synergic, cumulative and self-organizing properties of a system for the whole complex
of emergencies typical for the given natural-manmade-social system. The structure of the given matrix depends on the kind of risks considered. The presence of nonzero non-diagonal elements (blocks) in the matrix $R_s^{*}$ characterizes the linkage of the system's elements and corresponds with the principle of reciprocity. Presenting a risk as a matrix makes it possible to describe the scenario of an emergency by means of the matrix elements. For example, the presentation $R^{*}_{11} \to R_{12} \to R_{22} \to R_{21} \to R_{22}$. In this case an accident that occurred in the first element of the system affects its second element, where it causes an emergency that causes a secondary accident in the first element. Here is a graph of emergency development in a natural-social system (fig. 2). In making up a risk matrix for a natural-manmade-social system it is necessary to take into account not only the accidents possible in the given system but also accidents in surrounding natural-manmade-social systems, especially in those having a common boundary with the given system (transboundary transfers, i.e. external impacts on a system). A scalar characteristic of a system's risk can be presented as a potential function of risk, considered as a function of the system's parameters and elements (taking into account the matrix of the risk). This is a nonlinear dependence that can be presented as a surface in the configuration space of the system parameters $X_{sis}$ and the system elements $X_{loc}$, which determine the matrix of the system's losses and the matrix of its vulnerability as well as the probability of the emergency occurrence. A hypersurface in n-dimensional space can have local peculiarities (characteristic points of elliptic, hyperbolic and parabolic type). These points and their distribution in the parameter space determine the system's peculiarities. In the theory of catastrophes they are called critical points. The strategy of risk management in a system depends on how close the system is to the critical point.
Presentation of risk as a scalar value or as a matrix of risks can be classified as static assessment of the system's risk. The structure of the risk matrix in this case characterizes the organization (self-organization) of the system at the moment of its evaluation. The relation between controllable parameters and uncontrollable ones can be defined through the relation between the vulnerability matrix and the emergency probability matrix. In order to take into account the processes of the system's self-organization it is necessary to consider dynamic risks.
R. Akhmetkhanov
Figure 2. Scenario of emergency development in a natural-manmade-social system. Subscripts: N – natural, M – manmade, S – social
Risk is a function of the system's state and its variable parameters. Its total differential could be presented as:
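$$dR = \left(\frac{\partial R}{\partial X_1}\right) dX_1 + \dots + \left(\frac{\partial R}{\partial X_{i+1}}\right) dX_{i+1} + \dots + \left(\frac{\partial R}{\partial X_n}\right) dX_n + \frac{\partial R}{\partial t}\, dt, \qquad i = 1, 2, \dots, n$$
The component $\frac{\partial R}{\partial t}\, dt$ is to be included since risk R may depend on time as well. The differential components $\frac{\partial R}{\partial X_i}$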
determine the dependence of the risk on changes of the system's parameters (local and systemic ones). The values of the partial derivatives with respect to the system's parameters make it possible to determine the direction of the controllable movement of the system towards minimal risk.
Figure 3. a, b, ɛ – points of local maximums and minimums of R values
If we consider a system whose parameters vary in time, we obtain the dependence of the risk on time, R(t). Such a presentation of risk, depending on the system's parameters and on time, makes it possible to build dynamic models of risk; it is the basis of risk management in natural-manmade-social systems with reference to the time parameter. It also makes it possible to take account of the system's self-organization and non-linear effects. In this case the mathematical apparatus of the theory of catastrophes and nonlinear dynamics can be used. The potential risk surface for a system consisting of n elements will have a compound form where all types of critical points are present. For example, Fig. 3 shows potential surfaces of risk in a system consisting of two elements with nonlinear links (X1 and X2 are generalized parameters of the system). The theory of catastrophes, stability of motion, variational principles etc. are based on analyzing the properties of potential functions.
The character of the measures for ensuring safety in a system is determined by the way the critical points are spread relative to the point of the system state and by the change of the surface around this point. Analysis of the critical points and of the way they are spread in space is necessary to carry out global risk minimization. Let us consider the dynamic singularities of a natural-manmade-social system under certain conditions of the interaction between subsystems. The changes of risk in a system can be characterized by the following Rössler's equations:
$$\dot R_1 = -(R_2 + R_3), \qquad \dot R_2 = R_1 + a(t) R_2, \qquad \dot R_3 = a(t) + R_1 R_3 - c(t) R_3, \qquad R_i(0) = R_{0i}, \quad i = 1, 2, 3$$
where $R_1$, $R_2$, $R_3$ are the risks in the natural, manmade and social spheres, $a(t)$ is a coefficient that allows for the development of the manmade sphere and its vulnerability, and $c(t)$ is the similar coefficient for the social sphere. These coefficients also depend on the possibility of terrorist effect on the social and manmade spheres. The systemic risk is determined by the sum $R_{sis} = R_1 + R_2 + R_3$. The presented model characterizes the variation of the total risk in a natural-manmade-social system in relation to the trend value that increases in the system and can exceed the acceptable level. This model illustrates combined interactions between subsystems and the conditions under which self-organization is triggered in the system. The model contains only three degrees of freedom, but illustrates a wide variety of dynamic singularities of a system. The absence of $R_1$ with a corresponding coefficient on the right-hand side of equation 1 complies with the condition that there are no noticeable changes in the natural sphere during the given period. Let us consider the condition of the system when the values of the coefficients a(t) and c(t), which determine the level of the system's development, are constant. The analysis of the properties of the potential function shows that there are two characteristic points, R(a, 0, 0) and R(-a+2c, 0, 2). The location of these points in relation to each other and their form determine the character of the geodesic lines on the surface of the potential function and, consequently, the system's dynamics. In the given case these two points are of parabolic type (the Gaussian curvature of the surface at the characteristic points is zero) with two coordinates of indifferent stability. The third coordinate is not stable for the first point, but is stable for the second point. Location
of these points and their character determine the trajectories of the system's motion and the phase space of the system. The zero point (Ri(0)=0) was taken as the initial point to start the computation. With certain values of the coefficients a and c the system becomes self-organized into a system that has a steady cycle of risk change around some average value.
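Figure 4. c=0.4; a=0.2
Let us assess the system's behavior by means of the divergence of the phase space:
$$D = \frac{\partial \dot R_1}{\partial R_1} + \frac{\partial \dot R_2}{\partial R_2} + \frac{\partial \dot R_3}{\partial R_3} = a(t) + R_1 - c(t)$$
Having denoted the volume of phase space as $G(t)$, we write the equation as:
$$G(t) = G(0)\, e^{(a(t) + R_1 - c(t))\, t}$$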
The expression obtained shows the character of the natural sphere's effect on the risk value in the whole system. The change of the natural risk R1 in this model takes both positive and negative values, therefore the phase volume has an oscillatory mode. This is expressed as multifrequency interactions. In the case of a(t)+R1-c(t)>0 the systemic risk is
growing while in the case of a(t)+R1-c(t)<0 it is reduced. Taking the time average of the value R1 over the time T, we have:
$$\bar R_1 = \frac{1}{T} \int_0^T R_1(t)\, dt \to 0$$
Then the exponent in the expression for the phase volume change is determined by the relation of the coefficients, a(t)-c(t). The a(t) coefficient characterizes the volume of the social sphere and the manmade one; both spheres affect the change of the risk index. The change of the a(t) coefficient depends on how developed the manmade sphere is (its expansion and its vulnerability, i.e. protection against terrorist impacts). The c(t) coefficient determines the level to which the system can be managed in terms of ensuring its safety. Increasing this coefficient makes the dynamics of the risk index more complicated: the frequency spectrum included in the description of the dynamics of the system's safety index becomes more complicated. Reduction of the c(t) coefficient leads to the system's destabilization, which is expressed by an abrupt increase of the risk index. In case of weak management a certain frequency becomes dominant in the spectrum, which leads to the growth of the risk in the social sphere (fig. 4) while oscillations in the other spheres remain at the same level. The total systemic risk then grows.
Figure 5. c=0.5; a=0.1
Let us analyze the case when systemic changes take place, that is, when the a and c coefficients change in time. For example, the coefficient c=c(t) is varied. It means that the second characteristic point changes its place in relation to the first one (the distance increases), and the amplitudes of fluctuations in the risk values also increase (fig. 6). The model presentation of interactions in a system shows that in the system there are fluctuation processes characterized by different sets of frequencies and their power (spectral density). The relations between these frequencies can be rational or irrational. These indices determine the risk dynamics. In order to take into account terrorist impacts it is necessary to introduce coefficients that depend on the kind and power of the impact. These impacts change the dynamics of a system and can cause system changes.
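The model above can be explored numerically. The following is an added example, not code from the chapter: it integrates the three risk equations (right-hand sides taken in the standard Rössler form, consistent with the divergence a(t)+R1-c(t) given in the text) with a classical Runge-Kutta scheme from the zero initial point, cross-checks the divergence against a finite-difference Jacobian, and accumulates ln G(t)/G(0) as the time integral of the divergence, which reduces to the chapter's exponent when R1 is constant. The step size, the stopping bound and the linearly rising c(t) in the last run are assumptions of the example.

```python
def rhs(t, R, a, c):
    """Right-hand side of the three-sphere risk model; a and c are functions of t."""
    R1, R2, R3 = R
    return (-(R2 + R3),
            R1 + a(t) * R2,
            a(t) + R1 * R3 - c(t) * R3)


def divergence(t, R, a, c):
    """Analytic phase-space divergence D = a(t) + R1 - c(t)."""
    return a(t) + R[0] - c(t)


def numerical_divergence(t, R, a, c, h=1e-5):
    """Trace of the Jacobian of rhs by central differences (cross-check of D)."""
    trace = 0.0
    for i in range(3):
        up, down = list(R), list(R)
        up[i] += h
        down[i] -= h
        trace += (rhs(t, up, a, c)[i] - rhs(t, down, a, c)[i]) / (2 * h)
    return trace


def rk4_step(t, R, a, c, dt):
    """One classical fourth-order Runge-Kutta step."""
    def shifted(k, h):
        return tuple(r + h * ki for r, ki in zip(R, k))
    k1 = rhs(t, R, a, c)
    k2 = rhs(t + dt / 2, shifted(k1, dt / 2), a, c)
    k3 = rhs(t + dt / 2, shifted(k2, dt / 2), a, c)
    k4 = rhs(t + dt, shifted(k3, dt), a, c)
    return tuple(r + dt / 6 * (p + 2 * q + 2 * s + w)
                 for r, p, q, s, w in zip(R, k1, k2, k3, k4))


def simulate(a, c, t_end, dt=0.01, R0=(0.0, 0.0, 0.0), bound=1e3):
    """Integrate from R0; return rows (t, R, R_sis, ln G(t)/G(0)).

    Integration stops early if any |R_i| exceeds `bound` (assumed guard
    against unbounded growth of the risk values).
    """
    t, R, log_volume = 0.0, tuple(R0), 0.0
    rows = [(t, R, sum(R), log_volume)]
    for n in range(round(t_end / dt)):
        d_old = divergence(t, R, a, c)
        R = rk4_step(t, R, a, c, dt)
        t = (n + 1) * dt
        # d(ln G)/dt = D; trapezoidal rule along the trajectory.
        log_volume += 0.5 * (d_old + divergence(t, R, a, c)) * dt
        rows.append((t, R, sum(R), log_volume))
        if max(abs(r) for r in R) > bound:
            break
    return rows


def constant(value):
    """Wrap a constant coefficient as a function of time."""
    return lambda t: value


if __name__ == "__main__":
    cases = [
        ("a=0.2, c=0.4 (Figure 4 values)", constant(0.2), constant(0.4)),
        ("a=0.1, c=0.5 (Figure 5 values)", constant(0.1), constant(0.5)),
        # Constructed time-varying case: c(t) rises linearly (assumption).
        ("a=0.1, c(t)=0.5+0.005t", constant(0.1), lambda t: 0.5 + 0.005 * t),
    ]
    for label, a, c in cases:
        rows = simulate(a, c, t_end=100.0)
        t, R, r_sis, log_g = rows[-1]
        peak = max(abs(row[2]) for row in rows)
        print(f"{label}: stopped at t={t:.2f}, R_sis={r_sis:.4f}, "
              f"max|R_sis|={peak:.4f}, ln G(t)/G(0)={log_g:.4f}")
```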
Figure 6. Amplitudes of fluctuations in risk values
The presented systemic description of risk makes it possible to conduct a profound and comprehensive study of the interaction between various elements of a natural-manmade-social system, to select basic elements and to determine the possibility of terrorist impacts on them at local and systemic (global) levels, taking into account the internal characteristics of the system. This approach is a foundation for a comprehensive study of natural-manmade-social systems. To describe and analyze subsystems and their elements various methods can be applied, such as methods of nonlinear dynamics, the logical-and-probabilistic method, fuzzy sets, fractal analysis and neural networks.
REFERENCES
Frolov, K., Makhutov, N., Scientific Basis and Methods for Prevention Terrorist Threats. Scientific Conference 'Problems of Technological Terrorism and Methods for Countering Terrorist Threats'. November 2003, Moscow (in Russian).
Makhutov, N., Gadenin, M., Strategic Risks in Manmade Sphere // Safety in Emergencies. No. 4, 2003 (in Russian).
Safety of Russia. Operation and Development of Complex Technological, Power Engineering, Transport and Communication systems. Moscow, IGF "Znanie". 1998 (in Russian).
Safety of Russia. Regional Problems of Ensuring Safety Taking into Account Risks of Natural and Man-made Catastrophes. Moscow, IGF "Znanie". 1999 (in Russian).
VULNERABILITY ESTIMATION OF HIGH-RISE STRUCTURES IN CASE OF NON-REGULAR DYNAMIC ACTIONS BY METHODS OF STATISTICAL SIMULATION
Valentin T. Alymov (1) and Oleg V. Trifonov (2)
(1) Institute for Machine Sciences, Russian Academy of Sciences, 4 Maly Kharitonievsky st., Moscow, Russia; (2) Moscow Power Engineering Institute (Technical University), 17 Krasnokazarmennaya st., Moscow, Russia
Abstract:
Development of methods of safety assessment of structures relative to non-regular natural, technogenic and terrorist influences of high intensity is one of the urgent scientific-technical problems. The dynamic reaction of structures under the action of extreme loads is highly nonlinear. Numerical statistical simulation appears to be the only way of vulnerability estimation. To reduce the computer modeling time an efficient Monte-Carlo simulation technique is applied for the estimation of failure probabilities. The method is based on splitting the samples, at the stage of advance of sequential levels of viability, into a number of independently simulated samples. That makes it possible to increase the number of failures for samples of relatively small volume and to essentially reduce the time of statistical simulation. Models of high-rise structures are developed that take into account damage accumulation, development of inelastic deformations, large displacements, total or partial collapse, and mutual pounding of closely-spaced structures. Introducing the most important non-linear factors into the structural models made it possible to take into account various mechanisms of structural collapse. A method for estimating the risk functions, based on the use of the developed models of high-rise structures together with algorithms of statistical simulation, is suggested.
Key words:
Vulnerability, structural risk, safety, terrorist attack, extreme loads, statistical simulation, Monte-Carlo method, collapse of structure, damage, fracture
K.V. Frolov and G.B. Baecher (eds.), Protection of Civilian Infrastructure from Acts of Terrorism, 21–31. © 2006 Springer. Printed in the Netherlands.
1. VULNERABILITY ANALYSIS BY THE METHOD OF STATISTICAL SIMULATION
The problem of ensuring the reliability and safety of industrial and civil facilities subjected to extreme natural and technogenous influences becomes more and more urgent due to the increase in the power intensity of production, the height of buildings and the growth of infrastructural assets (Bolotin 1984). The most dangerous influences traditionally include earthquakes, hurricanes, tornadoes and floods (Bolotin 1992; Bolotin 1993). At the present stage of development society is faced with new threats, the major of which is terrorism. The terrorist attack of September 11, 2001 showed that the consequences of acts of terrorism, in terms of the number of casualties and economic damage, can be comparable with rare natural hazards and may have the scale of a national catastrophe. Development of methods of safety assessment of structures subjected to non-regular natural, technogenous and terrorist influences of high intensity is one of the urgent scientific-technical problems (Trifonov 2001; Alymov 2004). The complexity of the problem of risk mitigation and protection of civilian objects from terrorist attacks is connected with the complexity of forecasting their location, type and impact intensity. This is a substantial difference from, e.g., seismic actions, for which constantly growing statistical information is available (Bolotin 1984, 1992, 1993). It is evident that the degree of danger of terrorist attack for any structure must be assigned on the basis of its responsibility and socio-economic significance. The use of probabilistic models in the given case is justified in the context of predicting the integral risk, which can be introduced as the product of the measure of danger (the probability of the influence) and the measure of vulnerability (the conditional risk of reaching the limit state under the prescribed influence).
Dividing all the possible influences into classes $I_j$, $j = 1, \dots, n$, according to their intensity, the integral risk is computed as the total probability:
$$P(f) = \sum_{j=1}^{n} P(f \mid I_j)\, P(I_j). \qquad (1)$$
The modelling of the dynamic response of the structure is a part of the problem of vulnerability estimation relative to non-regular influences of high intensity. The dynamic reaction of structures under the action of extreme loads is highly nonlinear, which implies the use of nonlinear models describing the processes of damage accumulation, growth of inelastic deformations, and partial or total collapse [6, 7]. The principal demand on structures and facilities is viability in case of extreme loads. Consequently, analysis of possible
mechanisms of collapse and estimation of the probability of their appearance is an important stage of design of a new structure.
Figure 1. Scheme of the analysis of vulnerability with respect to extreme loads (blocks: Stochastic models of extreme loads; Load-carrying structure schematization; Damage and fracture modelling; Nonlinear structural models; Vulnerability assessment)
The scheme of vulnerability analysis presented in Fig. 1 includes the simulation of the influence, the description of the load-carrying structure and of the processes of damage accumulation, as well as the evaluation of the conditional structural risk, which is the measure of vulnerability of facilities. In case of non-linear behaviour of the structure and of damage and fracture evolution, the only way of risk assessment is statistical simulation by the Monte-Carlo method. The procedure of statistical simulation includes the repeated generation of samples of random actions, evaluation of the reaction of the structure, statistical processing and the estimation of the probabilities of the limit states (Bolotin 1993; Alymov 2004; Alymov et al. 2000; Alymov et al. 2001). Introduce the risk measure equal to the probability of the first excursion of the phase vector $v$ out of the admissible region $\Omega$ in the quality space through the boundary $\Gamma$ on a specified time interval:
$$H(t) = P\{v(t^*) \uparrow \Gamma,\; t^* \in [t_0, t]\}. \qquad (2)$$
Here $P\{\cdot\}$ is the probability of the event in braces, $t_0$ is the initial time instant, and the symbol $v(t^*) \uparrow \Gamma$ denotes the first excursion of the phase vector out of the region $\Omega$ through the boundary $\Gamma$ at the time instant $t^*$ (Fig. 2). As the measure of structural vulnerability, following works, introduce the conditional risk equal to the probability of critical failures under the condition that an influence of the class $I_j$ occurs:
Figure 2. Admissible region in quality space (axes v1, v2, v3; region Ω(t))
$$H(t \mid I_j) = 1 - P\{v(\tau \mid I_j, t) \in \Omega(t);\; \tau \in T(I_j, t)\}. \qquad (3)$$
Two different time parameters are used in Eq. (3): the 'slow' time $t$, measured in years, and the 'fast' time $\tau$ describing the ground motion and the response of the structure during an action of duration $T(I_j, t)$. The partial risk is equal to the probability of any specific structural failure. Let the boundary $\Gamma$ of the admissible region be represented as the sum $\Gamma_1 + \Gamma_2 + \dots + \Gamma_N$, and let $v \uparrow \Gamma_\alpha$ denote the first excursion of the phase vector out of the region $\Omega$ through the boundary $\Gamma_\alpha$. Then the partial risk $H_\alpha(t)$, as well as the conditional partial risk $H_\alpha(t \mid I_j)$, are introduced by the relations [3]:
$$H_\alpha(t) = P\{v(t_1) \uparrow \Gamma_\alpha;\; t_1 \in [t_0, t]\}, \qquad (4)$$
$$H_\alpha(t \mid I_j) = P\{v(\tau \mid I_j, t) \uparrow \Gamma_\alpha;\; \tau \in T(I_j, t)\}. \qquad (5)$$
The risk measures introduced are useful to shorten the process of numerical simulation and assessment of total (integral) risk during the time segment [t 0 , t ] . Limit states for every individual structure, quality space and admissible region in case of specified influences are selected according to the possible scenarios of structural failure.
2. ADVANCED MONTE-CARLO METHOD
The structural models that describe the basic non-linear effects in detail are systems with hundreds of degrees of freedom, the evolution of which is
determined by non-linear differential equations with variable structure. The numerical simulation of such models requires a lot of computer time. Meanwhile, statistical simulation by the Monte-Carlo method requires repeated computation of the model. It may be very time consuming or even unrealizable. To solve this problem an effective algorithm of statistical simulation is implemented [4]. The method is based on splitting the process realizations, at the stage of advance of the sequential levels of viability, into a number of independently simulated realizations, which makes it possible to increase the number of failures for a sample of relatively small volume and to essentially reduce the time of statistical simulation. In the admissible region of the system, intermediate disjoint boundaries $\Gamma_j$, $j = 1, \dots, m$, are introduced, the sequential crossing of which by the quality vector $v(t)$ is treated as the state of the structure approaching collapse through some intermediate levels of viability. These intermediate levels correspond to states of partial damage of the load-carrying elements (Fig. 3). The outer boundary of the admissible region corresponds to complete loss of the load-carrying capacity and final collapse.
Figure 3. Sample splitting on consecutive viability levels (axes v1, v2; boundaries Γ1, Γj, Γ)
If the sample at the time instant $t^*$ crosses the viability level $\Gamma_j$, then $N_j$ copies of the phase vector $v(t^*)$ are made, the evolution of which proceeds independently. The estimate of the probability of collapse is determined by the expression ~ H
]N
N f
N
(6)
f m j
1
N
j
where $N_f$ denotes the total number of samples leading to collapse and $m$ is the number of intermediate boundaries.
The application of the described algorithm proved to be highly efficient when estimating the vulnerability of structures relative to stochastic dynamic actions. The gain in simulation time in comparison with the traditional Monte-Carlo method reaches 30 times. The highest efficiency of the method in comparison with the traditional method of statistical simulation occurs when analysing rare events with probabilities $P < 10^{-3}$. This area is of most interest in connection with the analysis of reliability and safety of important machines and structures.
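The splitting procedure of this section and the total-probability formula of Eq. (1) are combined in the following added example, which is not code from the chapter. The structure is replaced by a constructed toy model (a ±1 random walk of a scalar viability state that collapses at level 12 and recovers at 0), chosen because its exact conditional risk is known in closed form. The levels, the influence classes and the estimator N_f / (N ∏ N_j), the standard fixed-splitting form, are assumptions of the example.

```python
import random


def exact_risk(p_up, collapse_level, start=1):
    """Closed form for the toy model: P(reach collapse_level before 0 | start)."""
    if p_up == 0.5:
        return start / collapse_level
    r = (1.0 - p_up) / p_up
    return (1.0 - r ** start) / (1.0 - r ** collapse_level)


def advance(state, target, p_up, rng):
    """Evolve one sample until it crosses `target` (True) or returns to 0 (False)."""
    while 0 < state < target:
        state += 1 if rng.random() < p_up else -1
    return state == target


def crude_estimate(p_up, collapse_level, n_samples, rng, start=1):
    """Traditional Monte-Carlo: fraction of independent samples that collapse."""
    hits = sum(advance(start, collapse_level, p_up, rng) for _ in range(n_samples))
    return hits / n_samples


def splitting_estimate(p_up, levels, n_initial, n_copies, rng, start=1):
    """Splitting estimate of the collapse probability.

    `levels` lists the intermediate boundaries followed by the collapse
    boundary, in increasing order. Returns (estimate, N_f).
    """
    *intermediate, collapse_level = levels
    states = [start] * n_initial
    for level in intermediate:
        crossed = sum(advance(s, level, p_up, rng) for s in states)
        # Every sample that crossed the level continues as n_copies
        # independent copies started from the crossing state.
        states = [level] * (crossed * n_copies)
    n_f = sum(advance(s, collapse_level, p_up, rng) for s in states)
    return n_f / (n_initial * n_copies ** len(intermediate)), n_f


def integral_risk(classes, conditional_risk):
    """Eq. (1): sum of P(f | I_j) P(I_j) over (P(I_j), p_up_j) pairs."""
    return sum(p_class * conditional_risk(p_up) for p_class, p_up in classes)


# Constructed inputs: ten intermediate levels 2..11, collapse at 12, and
# three influence classes given as (P(I_j), upward-step probability).
LEVELS = list(range(2, 13))
CLASSES = [(0.90, 0.25), (0.09, 0.30), (0.01, 0.35)]

if __name__ == "__main__":
    rng = random.Random(2006)
    exact = exact_risk(0.30, LEVELS[-1])
    split, n_f = splitting_estimate(0.30, LEVELS, 1000, 3, rng)
    crude = crude_estimate(0.30, LEVELS[-1], 1000, rng)
    print(f"exact conditional risk      : {exact:.3e}")
    print(f"splitting, 1000 initial     : {split:.3e} (N_f = {n_f})")
    print(f"traditional, 1000 samples   : {crude:.3e}")
    total = integral_risk(
        CLASSES, lambda p: splitting_estimate(p, LEVELS, 1000, 3, rng)[0])
    print(f"integral risk by splitting  : {total:.3e}")
    print(f"integral risk, exact        : "
          f"{integral_risk(CLASSES, lambda p: exact_risk(p, LEVELS[-1])):.3e}")
```

With the same 1000 initial samples the traditional estimate is usually exactly zero for this rare event, while the splitting run records thousands of collapses.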
3. STRUCTURAL DAMAGE AND COLLAPSE SCENARIOS
Simulation of the non-linear behaviour of a structure at the level of each structural element is a rather complicated problem with a large number of unknown parameters. In this connection it is suggested to take into account inelastic deformations and damage at the level of a floor, a block of floors or some critical level. The shear-type building model is shown in Fig. 4, a. The compliance of the structure is referred to the inter-story elements (columns, walls), while the floors are considered as rigid bodies. Inter-story drifts (or the average angles of inter-story shear) are considered as generalized coordinates. In order to include the essential non-linear effects in the model, it is necessary to take into account inter-story plastic deformations and damage, as well as finite displacements. The deformation resistance of load-carrying structures is specified by the forces of inter-story shear. Fig. 4, b shows the building model combining the flexure-shear deformation mechanism. The angles of inter-story shear and the rotation angles of the stories relative to the horizontal are taken as the generalized coordinates of an n-story building in case of in-plane vibrations. The deformation resistance of the load-carrying structure is specified by the forces of inter-story shear and by the moments corresponding to mutual rotation of the stories. By taking large deformations into consideration, the model makes it possible to describe pendulum-type collapse of the building. This failure mechanism arises in case of non-uniform distribution of damage within the critical story. In the historic centers of many cities the adjacent structures are often closely spaced. There is the problem of assessing the probability of damage to adjacent buildings when one of the structures collapses.
Beyond that, closely spaced structures are deformed jointly, so the structural model should take into account the total stiffness increase of structures, the energy dissipation in case of mutual pounding and damage accumulation in the
area of contact. The placement of a high-rise building next to a building with a smaller number of stories creates conditions for damage concentration on one or several floors of the higher building, located at the roof level of the adjacent structure. The pounding problem has been considered earlier by many researchers. However, linear elastic structural models were used, and the pounding was modeled according to classical theory. Damage processes, failures of elements and especially total collapse were not considered in published papers on the subject.
Figure 4. Structural models: (a) shear model, (b) shear-rotation model
Figure 5. Modeling of structural pounding
The model of two closely-spaced structures with different numbers of stories is shown in Fig. 5. Two damage zones of the higher building are introduced. The first zone is located at the lower stories, while the second zone is located at the roof level of the building with the smaller number of stories. For the lower building a single damage area at the lower stories is introduced. In this case we have three generalized coordinates, the angles of inter-story shear $\gamma_1$, $\gamma_2$, $\gamma_3$, and the associated displacements $u_1 = h_1 \sin\gamma_1$, $u_2 = u_1 + h_2 \sin\gamma_2$, $u_3 = h_3 \sin\gamma_3$, where $h_1$, $h_2$, $h_3$ are the vertical heights of the damage zones, e.g., inter-story distances. The interaction of the three blocks with masses $m_1$, $m_2$ and $m_3$ is given by the shear forces $Q_1$, $Q_2$ and $Q_3$ as well as the pounding forces.
4. SIMULATION OF NON-LINEAR BEHAVIOUR
Let $u = (u_1, u_2, \dots, u_n)$ denote the vector of generalized coordinates characterizing the deformations of the structural member or story, and let $Q = (Q_1, Q_2, \dots, Q_n)$ denote the generalized force vector. To take into account stiffness degradation and fracture, let us introduce the damage measures. Each damage measure is a functional of the history of deformations [1]:
$$D(t) = \underset{\tau = 0}{\overset{t}{\Omega}}\,[u(\tau)]. \qquad (7)$$
The special case of Eq. (7) for the k-th story is given by the relation [6, 7]:
$$D_k = \frac{1}{u_{km}} \max_{0 \le \tau \le t} |u_k(\tau)| + \frac{1}{u_{kc}} \sum_{0 \le \tau \le t} |\Delta u_k(\tau)|. \qquad (8)$$
The first term in Eq. (8) corresponds to damage accumulation under monotonic loading, while the second term corresponds to damage accumulation under cyclic loading. Depending on the duration, intensity and pattern of the influence, either term can be of decisive importance. In particular, in case of an explosion wave of high intensity the structural failure may occur under monotonically growing deformations, while in case of long-duration seismic actions gradual damage accumulation takes place in cycles with large amplitudes of deformation. In the given relations the coefficients $u_{km}$ correspond to the limit monotonic strains, the coefficients $u_{kc}$ correspond to the limit value of accumulated deformations in case of cyclic deformation, and $\Delta u_k$ is the range of strains within a cycle of deformations. The relations between $Q_k$ and $u_k$ are taken as bi-linear diagrams with the parameters $c_{Ek}$, $c_{Hk}$, $Q_{Yk}$, which characterize the elastic and inelastic stiffness and the limit elastic value of the generalized force. In the developed models the stiffness parameters and the limit value of the generalized force $Q_{Yk}$ are reduced because of damage accumulation according to the equations:
$$c_{Ek} = c^0_{Ek}(1 - K_{Ek} D_k), \qquad c_{Hk} = c^0_{Hk}(1 - K_{Hk} D_k), \qquad Q_{Yk} = Q^0_{Yk}(1 - K_{Qk} D_k). \qquad (9)$$
In Eq. (9) the constants $K_{Ek}$, $K_{Hk}$ and $K_{Qk}$ characterize the residual load-carrying capacity of the completely damaged structures of the k-th story.
5. RESPONSE MODELING IN CASE OF EXTERNAL EXPLOSIONS AND SEISMIC ACTIONS
To illustrate the simulation of dynamic behaviour with the suggested structural models, the action of an external explosion on a structure schematized by the shear model (Fig. 4, a) is considered. The model parameters correspond to an 8-story structure with stiffness and mass properties typical of residential buildings. The explosion action is given as the process $p(z, t) = p(z) f(t)$ of normal pressure variation in time $t$ and along the spatial coordinate $z$. An exponential law of time dependence and a parabolic change of pressure with height are adopted. The value of the top pressure taken for the numerical simulation corresponds to the explosion of a high-power charge in the neighbourhood of the facility. Fig. 6 shows the inter-story shear diagrams (a) and the time histories of the damage measures (b) for stories 1 - 4 (curves 1 - 4 respectively). The collapse mechanism corresponds to shear failure on the third story. The limit value of the damage measure is attained at the time instant $t = 0.73$ sec. The damage measures of stories 1 - 3 are close during the explosion action. The maximal damage, which is substantially greater than the damage measures of stories 1 - 3, takes place on the fourth story. In the area of inelastic deformations the diagrams have a negative slope, which becomes steeper when approaching the collapse. This is the consequence of continuous accumulation of damage, which influences the values of the parameters of the diagrams. A significant property of the developed approach is the possibility of estimating the need for evacuation of people from the building on the basis of the model results on damage accumulation. In this case intermediate levels of damage are introduced, corresponding to specified phases on the way to the limit state. Partial loss of viability corresponds to the advance of one of the introduced damage levels.
Let us mention that the damage accumulation may also accompany the normal operation of facility as a consequence of environmental action and service loads.
Figure 6. The response of structure to external explosion: (a) shear-force diagrams (Q, MN versus γ, rad), (b) time history of the damage measures (D versus t, sec)
Figure 7. Structure approaching the limit state through the intermediate damage levels (D versus t, sec; regions I, II, III; curves 1 - 3)
The evolution of the maximal damage measure is shown on Fig. 7. Curves 1 - 3 correspond to complete, cyclic and monotonous components of damage measure. The influence used to calculate numerical results was taken as non-stationary stochastic process, simulating the motion of the building foundation during strong seismic action. The region I on the figure corresponds to small structural damage, such that the repair or replacement of damaged non-carrying structural members is to be made. The region II presents the state of badly-damaged structure, for normal usage of which overhaul repair and strengthening of the load-carrying system is needed. The region III means the catastrophic level of damage, requiring the immediate evacuation of staff. Further operation of facility in this case is impossible.
6. CONCLUSION
Approaches to the solution of the problem of vulnerability analysis of structures in case of natural and technogenous extreme influences are suggested. Major attention is paid to the correct description of the mechanisms of structural collapse and to the development of efficient methods of statistical simulation, which make it possible to essentially reduce the modeling time necessary to estimate structural risk.
REFERENCES
Alymov, V.T., and Tarasova, N.P., Technogenous Risk: Analysis and Assessment. Textbook. (Academkniga, Moscow, 2004. In Russian).
Alymov, V.T., and Markochev, V.M., Application of probabilistic fracture mechanic methods for assessment of service life and operational risk of nuclear power plant structures, In: Scientific session MIFI – 2000, Proceedings, 8, (MIFI, Moscow, 2000).
Alymov, V.T., and Shashurin, G.V., Computer statistical modeling in assessment of technogenous risk for systems with high reliability, In: New informational educational technologies of XXI century. Proceedings. (VNIIGOCHS, Moscow, 2001).
Bolotin, V.V., and Trifonov, O.V., On structural pounding during strong earthquakes // Mekhanika Tverdogo Tela. (4), 152 – 162 (2002). (in Russian). English translation: Allerton Press, Mechanics of Solids. 2002. 37(4).
Bolotin, V.V., Estimation of structural reliability of nonlinear systems under seismic action, In: Nonlinear Stochastic Mechanics. IUTAM Symposium, Turin, edited by N. Bellomo and F. Casciati. (Springer-Verlag, Berlin, 1992), pp. 103 – 114.
Bolotin, V.V., Prediction of Service Life for Machines and Structures. (Mashinostroyenie, Moscow, 1984. In Russian. English translation: ASME, New York, 1990).
Bolotin, V.V., Seismic risk assessment for structures with the Monte Carlo simulation, Probabilistic Engineering Mechanics 8, 169 – 177 (1993).
Trifonov, O.V., Analysis of collapse mechanisms of high-rise structures, Antiseismic engineering. Structural safety (5), 23 – 27 (2002). (in Russian).
Trifonov, O.V., Estimation of probabilities of rare events for non-stationary systems with damage accumulation. Problem of machine building and reliability of machines. (4), 45 – 51. (2001). (in Russian).
SETTING THE STAGE: THE VULNERABILITY OF CRITICAL INFRASTRUCTURES
Torbjörn Thedéen KTH Sweden
Abstract:
The infrastructures of modern society are big, interconnected and crucial for the daily life of the citizens, i.e. they are critical, socio-technical infrastructures. Examples are power networks, transportation networks, and data and telecommunication networks. The infrastructures can be modelled using graphs. Threats can be of different kinds: nature, technical, human error, 'hackers' and antagonistic threats – terrorism and war. These threats might result in system collapses. The vulnerability of a system is the (conditional) probability of a system collapse. Acts of terrorism might destroy an infrastructure or cause chaos by threatening to do this. Terrorists usually form a mostly unknown network that wishes to destroy a critical infrastructure which is known to them, i.e. a fight between two networks.
Key words:
Infrastructures, critical, vulnerability, risk analysis, graph theory, game theory
K.V. Frolov and G.B. Baecher (eds.), Protection of Civilian Infrastructure from Acts of Terrorism, 33–40. © 2006 Springer. Printed in the Netherlands.
1. INTRODUCTION
Modern society is characterized by large technical systems, often in the form of infrastructures for communication and transportation. These structures add to welfare but are, on the other hand, vulnerable. Some examples of collapses:
- Collapse of the electric power net in Auckland in 1998. The cause was the extremely hot weather, during which the insulation of some underground cables melted down.
- An ice storm in Western Canada in 1998 caused a collapse of the power and tele-networks as well as the road traffic.
- In the Northwest part of the U.S. the electric power net collapsed in 2002.
Before these events occurred, the U.S. President in 1997 published a Roadmap on Critical Infrastructure Protection (CIP), which stressed the importance of intensified research. Critical infrastructures are those whose function is vital for society. Examples are networks for electric power, data and telecommunications, transportation and financial transactions. The networks are mutually dependent, see figure 1.
[Figure 1 labels: Data network, Finance net, Power net, Transport network]
Figure 1. Infrastructures
Typically we do not have much data on infrastructure collapses, which are examples of Low Probability Large Consequence (LPLC) situations. We then have to use combinations of logical models and data, as is the case in risk analysis of large technical systems. Here the systems can be modeled using graph theory. The vulnerability is the probability of a system collapse. We shall give some examples for transportation and power nets. The threats can be of different kinds: nature, technical, human and antagonistic threats – terrorism and war.
2. GRAPH MODELS
An infrastructure can be modeled as a connected graph consisting of nodes and links. For road transportation networks the links are the roads and the nodes are road intersections in towns, or the towns and villages in a national network. Power networks consist of power plants, transformer stations and the consumers on different levels as the nodes, with the lines being the links. A critical infrastructure including the flows in the links can be looked at as a technical system. Collapses of technical systems can be studied using methods of risk analysis such as fault and event tree analysis. In the case of infrastructures the system has a special form, which motivates a graph theoretical approach. We are here interested in the vulnerability of critical infrastructures with the ultimate purpose to control and limit it. A hazard, which is the cause or initial event of a partial or total collapse of an infrastructure, can be of different kinds:
- Nature – 'Acts of God'. Earthquakes, extreme floods, thunder storms…
- Failures of material, component faults.
- Human lapses
- Organization collapses
- Sabotage, hacker attack…
- Terrorism
- War.
In the first three cases it is meaningful to talk of the probability of the hazard but this is not the case in the last three cases. Here we have more of a game situation where the attacker reacts to our defence activities. What should we then mean by the concept of vulnerability?
- Sensitivity to faults which might lead to serious society problems
- Probability of a system collapse unconditional of an initial failure
- The conditional probability of a collapse given an initial realized hazard.
Here the last, conditional vulnerability refers to the hazards caused by antagonistic attacks, e.g. terrorism. In the infrastructure case we always have to calculate the effect of an initial attack on any link or node; the resulting consequence might be deterministic or random. The results, together in relevant cases with the probability of the specific link or node being destroyed at an initial attack, will then give a measure of the vulnerability. In the following section we will give examples of both types.
3. TERRORISM
We shall give some general remarks on how to treat terrorism in connexion with critical infrastructures. The purpose of terrorists is to cause fear, chaos and diseases/deaths among the enemy groups. The enemy can e.g. be the Western lifestyle represented by USA and Western Europe. This constitutes the base for recruiting terrorist groups with a common goal to use attacks on critical infrastructures to create chaos in the Western world. In order to fight terrorism we need knowledge or qualified guesses about probable terrorist groups, their goals and possible actions. This should be the basis for our defence and action against the terrorist groups. In principle we here have a fight between two networks. Our critical infrastructures such as power, transportation, data, finance, power dams, are assumed known to the enemy. Most of the relevant information is not classified and is available on the Internet. The contrary is the case for the enemy networks, and they are also changing in time. The research areas are then assessment of the terrorist groups and their motivation (religious, political, social, economic…). We have to estimate the consequences given specific attacks. We will then encounter a game situation where there are certain gains and costs for both sides. Using a game theoretical approach it is in principle possible to find optimal defence strategies. In some cases we have to apply a passive defence so that there is a certain minimal cost for a terrorist group to attack any critical node or link. If we have more information about the enemy we can also use this both to attack and disturb his network and to get some idea about his strategies.
Let us consider how to assess the topology of the terrorist network from the few available data. We know some terrorists and some of their connexions (links) to other group members. This means that we have access to a (non-random) sample of nodes and links from the whole connected graph. Using graph-statistical methods it is then possible to estimate some parameters of the whole graph, Krebs (2000). A difficult problem is how to handle the ongoing changes of the network in time in the ongoing war on terrorism. For a general overview of the use of mathematical methods for terrorist problems, see Harris (2004).
In the war against terrorism we have two options. One is to strengthen the defence of the nodes and links of our critical infrastructures. This can be done by building barriers of the structures making it more costly to attack them. Such barriers will probably be known by the enemy. We could also use control and defence forces, which eventually have to fight the terrorists. Their activities might only partly be known by the enemy. The other option is to attack and disturb the enemy infrastructures. As was pointed out above, these are only partly known but their structure can be estimated. In the following we shall illustrate the effect of some natural or intentional attacks ('what if' studies) on the transportation and power networks.
4. EXAMPLES
In order to study the vulnerability some simulation studies have been done at KTH, see Berdica (2002), Holmgren, Molin (2004b) and Holmgren (2004a). For road transportation the traffic in Stockholm before and after some disturbances has been simulated, Berdica (2002).
Figure 2. Terrorist network
There are some critical links connecting the northern and southern parts of Stockholm by bridges, see figure 3. Stockholm is divided into 1246 OD-zones and information about travel lengths and travel times is given in condensed OD-matrices. The effect on travel times of closing a critical link is studied. The individual journeys are reallocated so that the new individual travel times are minimized. A principal problem with this type of simulation is that it does not take into account the transition period, when a partial stop of the traffic might occur. If we cut off northbound traffic during the morning peak, the increase in system travel time for the different bridges is:
- Essinge Route +15%
- Central Bridge +6%
- Western Bridge +1%
For more results, see Berdica (2002).
The energy infrastructures are very critical for society. They can be divided into energy producing units (nuclear reactors, hydro plants), power networks and energy consumers. The electric power for the consumers depends on the generation by mainly hydropower and nuclear power plants, both of which can be subject to hazards from nature, material and human failures but also to terrorist attacks.
Let us consider the security of n hydro dams. An analysis can be done according to the following scheme: Using risk analytic methods the consequence of a successful attack on a dam (causing a total collapse) is estimated, random or deterministic. The terrorists try to estimate the probability of a successful attack on dam no. i, given the cost C, P_i(Success | C).
Figure 3. Critical links in the Mälaren - Saltsjön passage
The vulnerability can here be treated mainly by standard risk analytic methods. But just as important is the reliability of the power networks. In some studies done by researchers at the Center for Safety Research, KTH, the vulnerability of Swedish and Californian power grids is analyzed. As one very simplified model we consider a branching process. If the links in that process are subject to random attacks with the same probability for all links, a rough calculation indicates that the proportion of consumers with no access to power will asymptotically follow a power law in the right tail of the distribution. Similar results for real power networks have been found for Swedish power nets, see Holmgren, Molin (2004b), as well as earlier for the US transmission grid, see Carreras, Newman, Dobson and Poole (2000).
Figure 4. Log-log plot of the empirical distribution, log P(U > u), versus the power loss, log u, for the period 1998-2001. Data from a Stockholm power grid
[Figure 5 plot: S (vertical axis, 0 to 1) versus f (horizontal axis, 0 to 1); curves: Nordic grid, Western USA, ER random graph, Mod. BA scalefree]
Figure 5. Error tolerance of the different networks. For a random removal of vertices (fraction f) the relative size of the largest component S is used as a measure of the performance of the network. (ER stands for Erdős-Rényi and BA for a model proposed by Barabási and Albert; for definitions see Holmgren (2004a, pp. 4-5).)
The effect of random attacks on electric networks and some artificial ones is studied using simulation methods, see figure 5. As can be seen from the figure, the real US and Swedish networks show similar structures, different from those of the other two hypothetical networks. Many other results from simulations of different attack strategies are found in Holmgren (2004a).
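The error-tolerance measure of figure 5, as an added example that is not code from the chapter or from the KTH studies: vertices are removed at random from two artificial graphs and the relative size S of the largest remaining component is computed for each removed fraction f. The graph sizes, the seed, the normalisation of S by the original vertex count and the use of a plain Barabási-Albert graph (not the modified model in the figure) are assumptions of this sketch.

```python
import random


def er_graph(n, p, rng):
    """Erdos-Renyi G(n, p): each vertex pair is linked independently with probability p."""
    adj = {v: set() for v in range(n)}
    for u in range(n):
        for v in range(u + 1, n):
            if rng.random() < p:
                adj[u].add(v)
                adj[v].add(u)
    return adj


def ba_graph(n, m, rng):
    """Plain Barabasi-Albert graph (assumes n > m >= 1): each new vertex links to
    m distinct existing vertices chosen with probability proportional to degree."""
    adj = {v: set() for v in range(n)}
    stubs = []  # every vertex appears once per incident link
    for u in range(m + 1):  # seed: a clique on m + 1 vertices
        for v in range(u + 1, m + 1):
            adj[u].add(v)
            adj[v].add(u)
            stubs += [u, v]
    for new in range(m + 1, n):
        targets = set()
        while len(targets) < m:
            targets.add(rng.choice(stubs))
        for t in sorted(targets):
            adj[new].add(t)
            adj[t].add(new)
            stubs += [new, t]
    return adj


def largest_component(adj, alive):
    """Number of vertices in the largest connected component among the surviving vertices."""
    seen = set()
    best = 0
    for start in alive:
        if start in seen:
            continue
        seen.add(start)
        stack = [start]
        size = 0
        while stack:
            u = stack.pop()
            size += 1
            for w in adj[u]:
                if w in alive and w not in seen:
                    seen.add(w)
                    stack.append(w)
        best = max(best, size)
    return best


def error_tolerance(adj, fractions, rng):
    """S(f) for each f in fractions, removing vertices along one random order.

    S is normalised by the original vertex count (an assumption of this sketch).
    Using a single removal order makes the surviving sets nested, so S cannot
    increase as f grows.
    """
    n = len(adj)
    order = list(adj)
    rng.shuffle(order)
    curve = []
    for f in fractions:
        removed = round(f * n)
        alive = set(order[removed:])
        curve.append(largest_component(adj, alive) / n)
    return curve


def compare(n=300, mean_degree=4, seed=2004):
    """Error-tolerance curves for an ER and a BA graph with the same target mean degree."""
    rng = random.Random(seed)
    fractions = [i / 10 for i in range(11)]
    graphs = {
        "ER random graph": er_graph(n, mean_degree / (n - 1), rng),
        "BA scale-free": ba_graph(n, mean_degree // 2, rng),
    }
    curves = {name: error_tolerance(g, fractions, rng) for name, g in graphs.items()}
    return fractions, curves


if __name__ == "__main__":
    fractions, curves = compare()
    print("f    " + "  ".join(f"{name:>16}" for name in curves))
    for i, f in enumerate(fractions):
        print(f"{f:.1f}  " + "  ".join(f"{c[i]:16.3f}" for c in curves.values()))
```

Averaging `error_tolerance` over many removal orders smooths the curves; a single order is used here so that the result is reproducible from the seed.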
5. CONCLUSIONS
The vulnerability of critical infrastructures has to be studied using methods such as risk analysis, graph theory and, in the case of antagonistic attacks, also game theory. Using simulation examples for road traffic and electric power the conditional vulnerability has been studied. In the case of terrorism the limited access to data on the enemy network gives rise to problems of estimating the whole network from a sample.
REFERENCES
Berdica, K., 2002. Vulnerability: A model-based case study of the road network in Stockholm. Technical report, KTH, submitted to Transportation.
Carreras, B., Newman, D., Dobson, I., and Poole, A., 2000. Initial evidence for self-organized criticality in electric power system black-outs. Proceedings of the 34th Hawaii International Conference on System Sciences, January 2000, Maui, Hawaii. 2001 IEEE.
Harris, B., 2004. Mathematical Methods in Combatting Terrorism. Risk Analysis 24(4), pp. 985-989.
Holmgren, Å., Molin, S. and Thedéen, T., 2001. Vulnerability of complex infrastructures: Power and supporting digital communication systems. Proceedings of the 5th international conference on technology, policy and innovation. LEMMA Publishers, Utrecht, pp.
Holmgren, Å., 2004a. Graph modeling and vulnerability analysis of electric power grids. Paper, KTH, submitted to Risk Analysis.
Holmgren, Å. and Molin, S., 2004b. Using disturbance data to assess vulnerability of power delivery: A statistical analysis of Swedish power transmission and distribution data. Paper, KTH, submitted to Journal of Infrastructure Systems.
Krebs, Valdis E., 2002. Uncloaking Terrorist Networks. First Monday 7(4).
THE RISK IMPOSED BY FIRE TO BUILDINGS AND HOW TO ADDRESS IT
José L. Torero
Edinburgh Center for Fire Research, The University of Edinburgh, United Kingdom
Abstract:
The history of fire science originates in the desire to enhance destruction of infrastructure by means of fire. Many of the basic principles of fire growth and the behaviour of structures in fire were developed within the context of an organized and deliberate attempt to use fire as a tool for urban destruction. Buildings are inherently vulnerable to fire due to their use, thus they have to be designed with the objective of minimizing the probability of fire occurrence and of damage potential. Nevertheless, the design criteria rely mostly on scenarios that are considered to be consistent with the building use. Within the design process there is no consideration to premeditated fires or those corresponding to a strategy for destruction. Furthermore, generally design is done in a prescriptive manner and thus is framed by rules and regulations that do not provide an estimate of performance. Only a detailed understanding of the performance of a building or structure in the event of a fire can allow estimating and understanding its vulnerabilities and can result in a strategy to minimize the impact of fire as a tool for terrorism.
Key words:
fire risk, buildings, structures, terrorism, damage
K.V. Frolov and G.B. Baecher (eds.), Protection of Civilian Infrastructure from Acts of Terrorism, 41–57. © 2006 Springer. Printed in the Netherlands.
1. INTRODUCTION
The introduction of practices that result in an increased level of safety probably dates to ancient times. Observations of the devastating effects of fires led from very early on to the establishment of prescriptive requirements. These requirements can stand on very basic principles such as building separation and maximum escape distances or on more complex specifications like the need for sprinkler systems and compartmentation. These requirements became formalized at the beginning of the 20th Century in a series of codes and standards. A good example is the fire resistance standard test methods and the “Standard Fire” curve embedded in it. This standard prevails as a commonly used method to assess the performance of structural elements in a fire [1]. The first building codes in the USA were developed after the Baltimore Fire in 1904. Since then, institutions like the National Fire Protection Association (NFPA) and Underwriters Laboratories have guided the development of codes and standard test methods; NFPA started in 1896 and Underwriters Laboratories in 1900. A similar history can be constructed for many countries. Since its initial formalization “fire safety” has been prescriptive, and despite the technical origin and empirical observations supporting most standards, these are incapable of assessing the performance of a building in the event of a fire. Instead they assume adequate levels of safety based on the scientific and empirical information that forms the basis of the codes. Clearly, scenarios that escape the experiments that support the standards result in undefined safety levels. Systematic generation of scenarios that escape the prescriptive design specifications became a destruction tool during World War II and the origin of modern fire science. Hoyt Hottel describes in great detail the process that led to the establishment of active fire research programmes at Harvard and MIT, in the United States, as part of the war effort and with the specific objective of maximizing urban destruction via fire [2].
Hottel indicates that a meeting of the National Defence Research Committee convened by the presidents of Harvard and MIT in 1941 concentrated on the replacement of magnesium and rubber-thickened naphtha as incendiaries and on the radioactive ignition of wood. This meeting led to what might be considered one of the first 20th Century explicit scientific publications on fire research [3]. A number of well known discoveries followed this initiative; among the best known is the generation of Napalm by Louis Fieser (Harvard University). Already, by 1942, gasoline thickeners such as Napalm were being tested to demonstrate their fire setting potential on wooden structures. Architects Mendelsohn (of German background) and Raymond (with 18 years of practice in Tokyo) were then summoned to carefully design structures that resembled those present in German and Japanese cities. Careful attention was given to between floor and ceiling cinders developed in Germany to stop the lateral spread of fire. Tests of incendiary bombs were carried out on these structures in May 1943. Similar studies were simultaneously in progress in Britain under Professors Finch and Egerton at Imperial College. Wartime events show that society has recognized the potential of fire as a tool for deliberate destruction and as a mechanism to undermine morale. Furthermore, it brought top scientists to recognize this potential and devote their careers to the study of fire. The war effort focused on destruction was thus followed by a peace effort focused on understanding, controlling and preventing fires. In 1956 a Committee on Fire Research was formed, bringing Professor Howard Emmons from Harvard University, a participant of the war fire research programme, into the centre of post-war fire research. Howard Emmons is now regarded as the father of modern fire science. The efforts of Howard Emmons led to the Fire Research and Safety Act of 1967 and the formation of the Fire Centre at the National Bureau of Standards. A similar process followed the war in the United Kingdom through the Fire Research Station at the Building Research Establishment (BRE) and in Japan through the Building Research Institute (BRI). Notable are the scientific contributions of Thomas and Kawagoe. The post-war efforts led to dramatic progress in the understanding of fire and the recognition of the vulnerabilities inherent to prescriptive design of infrastructure. Scientifically based tools that quantify fire growth, its impact on buildings, fire detection, smoke management and suppression followed [4]. These tools strengthened the belief that building design can include elements of performance. Thus performance-based design alternatives for fire have been subsequently included in many legal frameworks around the world [5]. Performance-based design has the capability of enabling predictions of the behaviour of a building in the event of any particular scenario, and is therefore ideally suited to lead to solutions that respond well to premeditated fires resulting from arson, war or terrorism. This paper will discuss the current state of the art of performance-based design for fire in what relates to premeditated events.
2. PRINCIPLES OF PERFORMANCE BASED DESIGN
It was indicated above that, from the perspective of Fire Safety, the design of a building can be approached in two different ways. The first is for the building to comply with existing regulations, and the second one is to achieve certain safety goals. Regulations have not been developed to fully specify the design of unique and complex buildings such as high rise buildings and, even in the event that they existed, they are of questionable effectiveness. Furthermore, if a scenario such as the one of September 11th, 2001 needs to be considered as a possible event during the life of the building, design on the basis of safety goals is the only path that can be followed.
This section will illustrate a simple framework that describes the concept of performance-based design for fire. The schematic presented in Figure 1 could represent the behaviour of a building in the event of a fire. It could be argued that the safety objective should be that the time to evacuation (te) at each compartment (i.e. room of origin, floor, building) be much smaller than the time necessary to reach untenable conditions in the particular compartment (tf). Characteristic values of te and tf can be established for different levels of containment: room of origin, floor, building. Furthermore, it is necessary for the evacuation time to be much smaller than the time when structural integrity starts to be compromised (tS). In summary: te<
ologies and tools have been developed to study each of these aspects and to quantify the different values of te, tf and tS; nevertheless many gaps of knowledge are still evident.
[Figure 1 labels: vertical axis "Fire, % Evacuated, % of Total Structural Integrity, etc."; horizontal axis "time"; markers: Detection, First Sprinkler, Subsequent Sprinkler, Fire Service, The Fire, Untenable Conditions, tf, te, 100%]
Figure 1. Schematic of the sequence of events following the onset of a fire in a multiple story building. The thick line corresponds to the “fire size,” the dotted lines to the possible outcome of the different forms of intervention (sprinkler activation, fire service). The dashed lines are the percentage of people evacuated, with the ultimate goal of 100% represented by a horizontal dashed line. The dashed & dotted line corresponds to the percentage of the full structural integrity of the building
3. CURRENT ENGINEERING METHODOLOGY
Disasters, whether natural or manmade, are a test of design practices and in many cases prove the vulnerability of our infrastructure. Disasters force us to revisit our perception of the safety inherent to the environment in which we carry out our everyday activities. Therefore, associated with disasters there is always anxiety and pressure to revisit those practices that led to unsatisfactory performance. The behavior of structures in a fire has faced, in the events of September 11th 2001, one of those disasters that have directly challenged our current design practices. Anxiety has spread over those individuals linked to infrastructure that can be considered as potential targets for terrorist activity. As we understand more about what happened with the World Trade Center Buildings, questions are being raised about our current design practices, proposed amendments and the tools that we use to evaluate the performance of structures in the event of a fire. Furthermore, as mentioned before, the collapse of the World Trade Center buildings 1, 2 and 7 occurred within a period where design practices were being pushed out of an environment of prescriptive requirements to one where structures will be evaluated on the basis of their performance as predicted by engineering tools. To analyze the response of the designers to this disaster it is necessary to pose a series of questions. The first question relates to the actual nature of the disaster that is provoking the reaction. Why did these buildings collapse, taking the lives of so many people? The answer to this question will be the product of a forensic investigation [6] that we do not intend to discuss here. Nevertheless, different conclusions will result from this investigation, some pertaining to the nature of the event, some pertaining to the nature of the buildings themselves and some pertaining to the design and construction practices involved in the development of these buildings. The latter point is the one of greatest interest to the public since it is associated with the safety of current and future buildings designed under the same principles. Significant information on the advantages and limitations of current design practices has already emerged from this introspection. The general question then becomes: in which way is fire incorporated into the design of structures? This question is then followed by a series of interrogations that relate to the details of the design practice, which are of a more fundamental nature but still directly concern the safety of our built environments.
Looking deeper into the detailed processes, a fire affects a structure through the heat it supplies to all the constructive elements. Thus the first pillar of a design process is the understanding of the fire, the growth process it undergoes and the heat it supplies to the structural elements. In other words, the different values of tf need to be quantified. As much as it is clear to everyone that a fire affects a structure, it is not as common to understand how a structure can have an impact on the growth of a fire. Nevertheless, it is the case that as the structure heats up, energy will be provided by the structural elements to the fuels, enhancing the rates of fire growth. Furthermore, deformation and failure of different structural components will affect the air supply to the fire and consequently the heat released. As a result structural and fire behavior are coupled (tS and tf depend on each other). Once the relationship between the fire and the structural elements has been defined it is important to understand how the structure will react to that external heat input. Material properties will change and it is accepted that all parameters describing the material strength will deteriorate, but this is only one part of the process. The geometrical features of structures are also affected by fire since materials expand with temperature and the constraints inherent to the geometry of the structure result in significant generation and redistribution of stresses. Once these fundamental questions have been addressed it is important to establish sources of uncertainty. Uncertainty or “error” can range from the purely probabilistic nature of the fire event to deterministic estimation of the variability of the thermal properties of insulation materials used for fireproofing. The combination of analysis on the basis of fundamental physical principles, simplifying assumptions and error estimates represents the design tools. Structural Fire Safety Engineers have numerous tools that can provide quantitative estimates of the performance of a structure in the event of a fire (i.e. tS). The design tools used by engineers address the different aspects explained in the previous paragraph. It will be the designers’ hope that all these tools were based on sound and fundamental engineering principles and that the answers obtained were exact and thus included no potential for “error” or “variability.” The reality is that fire and structures are very complex problems whose complexity increases exponentially when coupled. No tool can solve the problem of the integrity of structures in fire, thus all tools rely on a number of assumptions. Many of these assumptions have been thoroughly studied, their error bars established and their results validated. Therefore, it has been the belief of the designer that the tools provide accurate and robust results that have been the basis of the design process.
The progression towards performance and the precedent set by the collapse of the World Trade Center buildings require the engineer to revisit the design procedures and the tools with the objective of improving, modifying and gaining confidence. The following paragraphs will schematize design practices commonly used and present those areas that are being revisited through fundamental research. Table 1 provides an attempt to schematize some of the design methods commonly used to analyze the performance of structures in the event of a fire. The design framework defines a sequence of events. The architects provide a design from which the structural engineers will develop a structural analysis that will take into account all requirements that will guarantee that the building will support its own weight and perform adequately for its intended use. The architectural design and structural analysis do not include at this stage the potential for a fire. Any considerations for fire introduced by architects at this point are mostly associated with prescriptive requirements but include no evaluation of the impact that these measures can have on the structure’s performance. Once the structure has been designed the fire needs to be incorporated. This can be done either through prescriptive requirements that are fundamentally based on the use of the building or through an engineered analysis of structural performance. The former provides no indication of the behavior of the structure in the event of a fire and thus is unsuitable for any event that will escape the range covered by the historical data that support prescriptive design. An important aspect of the latter methodology is to establish a design fire. The choice of design fires can be achieved in a number of different ways. It could include a series of most probable events, “worst case scenarios” or could lead to the definition of protection systems and maintenance protocols that will constrain the fires to an acceptable level. The main limitation of the “Design Fires” is that any event (i.e. terrorist attack, arson) that escapes the chosen range of fires could lead to an unacceptable performance. A further limitation of this approach is that definitions such as “worst case scenario” or “most probable event” are difficult to establish. The outcome variables such as structural behavior, life safety and property damage are all coupled, and in most cases a function that minimizes all negative outcomes is not possible. Probability based decisions are limited by the lack of a comprehensive set of statistics. Fires are, by definition, rare events. Given a building, its usage, its life and the potential threats, it is in many cases difficult to establish a probability database that gives adequate confidence. Given the “Design Fires” a series of sophisticated tools can be used to establish the growth of the fire and its impact on the structure. The main constraint of these tools is associated with the interface between the fire and the structure.
Most models are computationally intensive therefore solutions are obtained for the fire without accounting for the structure and the impact that its heating can have on the fire. Furthermore, close to the interface there is significant uncertainty associated to the performance of these tools. Finally most tools treat fire protection devices, such as sprinklers or smoke extraction systems, in a very crude manner. The coupling of the structure and the fire is then done in an artificial manner. The classical approach is to test each individual element against a standard fire curve and obtain a rating that indicates the time lag until the structural element reaches a pre-defined critical temperature. Time to failure is the fine when an individual component reaches the critical temperature. The test could be substituted by calculations that use as input the standard fire (ISO-834 [1]), “parametric curves” [7], or the output of the calculations performed from the design fires. It has long been recognized that fires are affected by multiple factors, thus a single “standard fire” does not suffice. On the basis of this, time equivalences between the standard tests, the “parametric curves” and “computed fires” can be established [8]. The
last stage of the design process is to introduce fire proofing to obtain the desired rating. Numerous methods exist to establish the required insulation [9] but they all imply a component of empirical data and uncertainty. As indicated in Table 1, this component of the design process has strong limitations and represents a very active area of research. These limitations and the proposed solutions will be discussed in a later section of this paper. The above description clearly establishes areas where improvements can be made and that represent the new face of structural design for fire. There is a strong evolution towards an integrated design process that incorporates fire behavior into the architectural and structural design processes. The benefits of this approach are significant because it allows optimization of the structural design to meet the architectural, structural and fire safety needs. To achieve integration it is necessary to address areas where the tools are not coupled; one important area is the interface between the structure and the fire. Numerical models used to predict structural behavior and methods to quantify fire growth are currently being coupled to encompass the dynamic interactions between the fires and the structures [10]. Furthermore, optimization of fire growth models has become necessary given the constant evolution of the architectural features of buildings. The Broadgate Phase 8 fire in London, UK and the subsequent Cardington frame fire tests have allowed researchers to fully investigate and understand the behavior of whole frame composite steel-concrete structures in response to fire [11, 12, 13]. In June 1990 a fire developed on the first floor of the 14-storey Broadgate building. The total duration of the fire was in excess of four-and-a-half hours, with a severe period for about two hours. Flame temperatures in excess of 1000°C were noted. The structure of the building consisted of composite steel deck/concrete floors. 
The steel structure was partially unprotected at this stage of the construction. Despite some large deflections, there was no collapse of any of the columns, beams, or floors.

Table 1. Commonly used design methods
Architectural Design

Design Step: Structural Design
Tools: Analytical design methodologies; Experimental Values; Finite Element Numerical Simulations
Assumptions: Structural design is conducted without the inclusion of a fire.
Limitations: The global evolution of the structure with the fire is not included as part of the evaluation of the design alternatives. The uncertainty in the properties necessary for the calculations increases because high temperature data is limited and not well-understood phenomena such as “spalling” need to be included.

Design Step: Design Fires
Tools: Historical evaluation of occurrence probabilities; Analytical tools to quantify fire growth; Numerical Simulations of Fire Growth (Zone Models, CFD Models); Empirical/Analytical/Numerical methods to analyze heat input to structures; Fire Protection Methods (i.e. sprinklers, fuel control, venting) to define fire scenarios
Assumptions: The structure is designed to fit a fire that has a high probability of occurrence. The definition of the fire is given on the basis of an assumed performance of a multiplicity of elements (i.e. smoke evacuation, sprinklers).
Limitations: Ignores events that escape the pre-defined scenarios. The performance of these fire control elements has been defined only for a reduced number of conditions.

The Broadgate fire prompted BRE to conduct a large-scale test program on an 8-storey composite steel frame at their test facility in Cardington, UK. The Cardington Frame fire tests provided a wealth of experimental evidence about how whole frame composite steel-concrete structures behave in fire. The main conclusions were that composite framed structures possess reserves of strength by adopting large displacement configurations with catenary action in beams and tensile membrane behaviour in the slab [12, 13]. Furthermore, for most of the fire duration thermal expansion and thermal bowing of the structural elements rather than material degradation or gravity loading govern the response to fire. Large deflections were not a sign of instability and local buckling of beams helped thermal strains to move directly into deflections rather than cause high stress states in the structure. Only near failure will gravity loads and strength again become critical factors. These findings and the additional motivation provided by the WTC collapses have resulted in a drastic shift of the design process, away from fire resistance principles and towards a global structural analysis. Broadgate and WTC show two different potential outcomes that can only be predicted via a detailed global analysis of the structural behaviour through the fire event. The need to use “Design Fires” still remains an unresolved problem. The volume of the calculations required to address the different aspects of a fire implies that only a reduced number of scenarios can be fully studied, thus educated engineering solutions are still necessary. Important strides are currently being made to optimize the necessary tools to allow for a more
systematic evaluation of a multiplicity of scenarios where the “Design Fires” can be substituted by concepts such as design to obtain a “Minimum Damage Potential.” The concept of a “Minimum Damage Potential” implies a systematic evaluation of the different physical variables that will control the growth of a fire, the structural behavior and the evacuation of people. By systematically varying these physical variables in the models describing the different fire processes, a design condition that minimizes a damage function can be obtained. This damage function represents the combined negative impact of the fire. The generation of a damage variable is quite complex because it requires the combination of different damage criteria such as the threat to life safety, structural damage or even business interruption. Nevertheless, many areas of damage can be bounded this way. For example, the sizing of the openings of a compartment can be defined to restrict ventilation, thus diminishing the heat release rate. This will lead to lower compartment temperatures that subsequently can guarantee no structural damage until burnout of a fire. A current limitation to this approach is the complexity of fire related models, which makes it quite difficult, with the available computer power, to run the number of scenarios required to minimize the “damage potential” variable. Nevertheless, this approach is based on “performance” and is therefore more adequate than a “design fire”, which is chosen on the basis of extrinsic considerations that are not linked to the building’s performance.

Table 1 (continued). Commonly used design methods
Architectural Design

Design Step: Fire Resistance
Tools: Standard testing of individual components to assess fire resistance (Fire Rating); Parametric Curves for more realistic scenarios
Assumptions: The fire can be defined by a standard Temperature vs. Time curve. The test furnace (ISO834 [2]) provides a realistic representation of a fire. If the standard fire is deemed not to represent the “Design Fire” an equivalent Rating can be extracted from a different Temperature vs. Time curve (parametric curves). The feedback from the structure to the fire can be ignored. Failure is defined by attainment of a critical temperature of an individual structural element.
Limitations: Does not address the fundamental heat transfer mechanisms controlling heat exchange between a fire and a structure. Ignores the impact that geometrical effects have on structural behavior (i.e. restrained thermal expansion). Time equivalencies are only valid for a very small set of conditions, many unrealistic to fires.

Design Step: Fire Protection
Tools: Fire Proofing to achieve required Fire Ratings
Assumptions: Properties of insulating material are well characterized. An adequate extrapolation from furnace test behavior to a real fire can be expected. Application, maintenance and life time have no bearing on the performance of fire proofing.
Limitations: There is not enough data to support the assumptions. Furnace can only be extrapolated to a fire for a very limited set of conditions.

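The classical fire-resistance step described above (a rating is the time an individual element takes to reach a critical temperature under a standard temperature-time curve) can be worked through numerically. The following is an added example, not code or data from the chapter: the curve formulas, the lumped-capacitance model for unprotected steel, its coefficients, the 550 °C critical temperature and the section factors are assumptions chosen for illustration.

```python
import math

# Assumed constants (not given in the chapter): a lumped-capacitance model for
# an unprotected steel member with commonly used simplified coefficients.
SIGMA = 5.67e-8      # Stefan-Boltzmann constant, W/(m^2 K^4)
RHO_STEEL = 7850.0   # steel density, kg/m^3
C_STEEL = 600.0      # specific heat, J/(kg K), taken as constant
ALPHA_C = 25.0       # convective heat transfer coefficient, W/(m^2 K)
EMISSIVITY = 0.7     # resultant emissivity of the steel surface
T_AMBIENT = 20.0     # deg C
T_CRITICAL = 550.0   # assumed "pre-defined critical temperature", deg C


def iso834(t_min):
    """Standard temperature-time curve (ISO 834); t in minutes, deg C."""
    return T_AMBIENT + 345.0 * math.log10(8.0 * t_min + 1.0)


def hydrocarbon(t_min):
    """Nominal hydrocarbon curve, used here as a second, faster-growing fire."""
    return T_AMBIENT + 1080.0 * (
        1.0 - 0.325 * math.exp(-0.167 * t_min) - 0.675 * math.exp(-2.5 * t_min)
    )


def time_to_critical(fire_curve, section_factor, t_crit=T_CRITICAL,
                     dt=1.0, limit_min=240.0):
    """Minutes until the member reaches t_crit, or None if it never does.

    section_factor is the heated perimeter over cross-section area (1/m).
    The member is a single node at uniform temperature: this is exactly the
    "individual element, critical temperature" view the chapter criticises,
    with no restraint, thermal expansion or load redistribution.
    """
    steel = T_AMBIENT
    steps = int(limit_min * 60.0 / dt)
    for i in range(steps):
        gas = fire_curve(i * dt / 60.0)
        # Net heat flux to the steel surface: convection plus radiation.
        flux = ALPHA_C * (gas - steel) + EMISSIVITY * SIGMA * (
            (gas + 273.15) ** 4 - (steel + 273.15) ** 4
        )
        # Explicit time step of the lumped heat balance.
        steel += section_factor / (RHO_STEEL * C_STEEL) * flux * dt
        if steel >= t_crit:
            return (i + 1) * dt / 60.0
    return None


def rating_table(section_factors=(60.0, 120.0, 200.0)):
    """Time to critical temperature for each member under each fire curve."""
    curves = {"ISO 834": iso834, "hydrocarbon": hydrocarbon}
    return {
        (name, sf): time_to_critical(curve, sf)
        for name, curve in curves.items()
        for sf in section_factors
    }


if __name__ == "__main__":
    for (name, sf), minutes in sorted(rating_table().items()):
        print(f"{name:12s} A/V={sf:5.0f} 1/m -> "
              f"{minutes:5.1f} min to {T_CRITICAL:.0f} C")
```

The same member receives a very different "rating" once the assumed fire changes, and neither number says anything about how the frame as a whole redistributes load, which is the limitation Table 1 records for this design step.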
4. CURRENT PRACTICES AND ENVIRONMENT

In the realm of fire safety, two distinct areas emerge: fire safety systems and structural fire safety. Fire safety systems include detection, suppression and smoke control systems as well as evacuation. Structural fire safety concerns the integrity of structural elements in the event of a fire. Building authorities will have to approve these designs, thus all departures from prescriptive rules will have to be justified and understood by those in charge of approval. Engineered solutions require deep understanding of all physical principles underpinning the design methodology as well as the modern tools used in the process of design (CFD Fire Codes, Finite Element Models, Evacuation Models). This level of understanding is currently only available to a very reduced number of professionals (for example approximately 30 new graduates enter the building-design and construction industry per year in the UK [14]). Currently, architects receive a very restricted amount of information on fire safety matters, most of which is directed towards the understanding of prescriptive methods. Structural engineers follow a similar path. Fire Safety Engineers are a small minority that will only be consulted once a problem is identified [15]. Thus most Fire Safety Engineering professionals remain either in the Building Control areas, Fire Brigades or in consultancies. The result is an uncoupled approach to the design of structures to be fire safe. Traditionally it has been assumed that once the steel is protected, or enough concrete cover is provided, no further response in fire can be expected, nor can any further improvements be made to enhance a structure's response to fire. But, as mentioned above, powerful analytical tools and the comprehensive understanding gained from Cardington (tests and modeling) [13] have enabled us to predict structural response to fire with a high level of detail, revealing some positive traits of our current design practices. The key findings from modeling Cardington were rather unexpected: Instead of showing how
the declining strength of individual structural elements progressively destroys the strength of a frame, the calculations revealed that steel frame composite structures of this kind have large reserves of strength through adopting large displacement configurations, and that thermal expansion, not material degradation was the dominant phenomenon. This means that structures are far more robust in fire than previously understood, and that total reliance on passive fireproofing is unnecessary. Detailing of connections, core construction and design, even the span of the structural frame all contribute to the robust response of the building in fire. Current code fire ratings are not based on this understanding and as such can over or under estimate building safety in fire. The realization that the geometrical characteristics of a structure can have a significant effect on the evolution of its strength in the event of a fire, opens the door to a much closer interaction between architects, structural and fire safety engineers. The basic architectural design of the built environment and its interpretation by a structural engineer now can be influenced by criteria that will make the structure safer. Two important conclusions emerge from this new understanding. The first is that traditional ratings based on fireproofing and standard testing methodologies [1, 16, 17] are clearly insufficient when assessing the performance of a structure in the event of a fire. Current testing practices deliver information on the thermal behaviour of a structural element but do not establish its structural performance. An a posteriori analysis of the collapse of WTC 1 & 2 gives a good example of the limitations introduced when there is complete reliance on current testing practices [18]. The second conclusion indicates that an optimal solution can only be achieved if building geometry, structural design and fire safety considerations are included simultaneously in the design process. 
This requires convergence of architectural, structural and fire safety concepts. Integration of separate disciplines allows the development of buildings that are explicitly designed, more robust, more valuable, and that better satisfy the needs and requirements of clients and society. It allows these integrated disciplines to develop innovative solutions and provides engineers and architects with a means of being more valuable. It is important to note that both performance based design and integration of disciplines come associated with a drastic increase in the average training provided to professionals exercising design and building control. Furthermore, tackling a fire event in complex engineered buildings requires a different level of skills from the fire brigade. Thus, in an ironic manner, authorities many times conclude that the elevated training requirements for those involved in the process are one of the main disadvantages of performance-based design [19] and thus forget that this problem can be resolved by consistent investment in higher education and research in this area. The accelerating trend to depart from prescriptive regulations towards engineering solutions and the reduced number of properly trained professionals has begun to worry those involved in the process. A recent Scottish survey [20] of fire brigade and building control personnel, fire safety and civil engineering consultants as well as architects gave alarming results. When those surveyed were asked if they believed that there was a sufficient number of trained professionals to cope with the change, 100% of the fire engineers consulted responded that there was an insufficient number of well trained professionals, and 80% of all building control officials indicated not only that there were not enough well trained people but also that many of those professionals competent in a prescriptive world will be significantly limited when addressing complex engineering solutions. A similar response was provided by 74% of those consulted within the fire brigades. Interestingly enough, 76% of the civil engineers and 82% of the architects consulted believed that the knowledge base was there and the transition will represent no problem. Given the different training of all different groups it is easy to conclude that it is difficult to understand a problem when you do not know that the problem exists. Clearly, building designs currently deemed to espouse performance principles are being designed as hybrids that are unfortunately limited by prescription and by performance, thus the conclusion by Buchanan [17].
5. THE POTENTIAL OF INTEGRATED DESIGN IN FIRE

Integrated design of structures relies on the definition of built environments in a manner that will optimize “use” and “safety.” Options can be analyzed from the onset of the design process leading to a sequence of optimal decisions. The advantages of this approach are many.
• Integrated design allows for simultaneous optimization of all variables.
• Architectural concepts can be tested to achieve optimal fire safety and structural solutions. Therefore alternate solutions can be weighted in a quantitative manner, and space definition, safety and structural design can be optimized in an integrated manner.
• It is not constrained by prescriptive design or by any “equivalency” concept. Equivalency concepts require engineered solutions to provide equivalent levels of safety to prescriptive solutions. Since prescriptive solutions include no estimates of performance, this approach is clearly inadequate [17].
• It eliminates the need for a “design fire” since it allows the impact that a fire can have on a specific environment to be defined in a parametric manner. Currently, engineering based solutions require the definition of “design fires” and the evaluation of the building performance to these fires. The choice of design fires could include a series of most probable events or “worst case scenarios.” Being able to use “building geometry” as a variable allows the choice of modifying the space to minimize the potential growth of a fire. Thus a new concept of “minimum damage potential” can be embraced.
• Elimination of the “design fire” and substitution for a “minimum damage potential” allows for a better treatment of extreme events. “Design Fires” require a “choice” of “extreme events” if their inclusion is explicitly required. The need for a “choice” clearly shows the limitation of the approach. Terrorist activities and such are designed to lie outside the realm of any forecasted design scenario. As mentioned before, a perfect example is the events of September 11th, 2001, where the “structures and fire” analysis unveiled design shortcomings of the WTC Towers [18].
6. SUMMARY

Fire is a rare event with a large potential for damage; its low frequency does not encourage governments and industry to invest in more adequate tools. Nevertheless, the potential for large damage has made fire a favorite tool to inflict destruction and weaken morale in the event of a war. These inherent properties make infrastructure vulnerable to voluntary fires. The last decades have seen the development of sophisticated tools and a desire to migrate from a prescriptive to a performance based approach. Fire Safety Engineers have in their hands a large number of reliable and sophisticated design tools. These tools can still be improved but currently are in many cases appropriate for design purposes. Modern structural design for fire is making more and more use of these tools. The advantage of this approach is that it introduces more physical analysis to the design process and allows a more adequate quantification of performance and uncertainty. The evolution of design, and of the tools used in the process, is geared towards an increase in integration and efficiency and a constant reduction in uncertainty and error. The current limitations are mostly associated with gaps of knowledge within the underpinning processes controlling the behaviour of people and infrastructure in the event of a fire. Furthermore, the extreme computational cost of integrated analysis results in a need to stipulate “Design Fires.” Design Fires inherently limit the potential of the engineered based methodology to address voluntarily induced fires. Finally, these tools require detailed understanding of the principles underpinning them, thus proper training is essential, not only for the designers but also for those professionals interacting with Fire Safety Engineers and those involved in the approval and inspection process.
REFERENCES

Bailey C.G. and Moore D.B. The behavior of full-scale steel framed buildings subject to compartment fires. The Structural Engineer, 77(8), pp. 15-21, 1999.
BS 476: Part 20: 1987. Fire tests on building materials and structures.
Buchanan, A.H., Structural Design for Fire Safety, John Wiley and Sons, 2001.
Burd, A., The Regulators View of Performance Based Design, Building Division, Office of the Deputy Prime Minister, Rasbash Lecture and ECD Conference, June 9th, 2004.
Custer, R.L.P. and Meacham, B.J., Introduction to Performance Based Fire Safety, Society of Fire Protection Engineers, 1997.
Drysdale, D.D., Generating the Graduate Flow, Fire 2004, Manchester, September 7th, 2004.
Drysdale, D.D., An Introduction to Fire Dynamics, 1st Edition, John Wiley and Sons, 1985.
Federal Emergency Management Agency (FEMA). World Trade Center Building Performance Study: Data Collection, Preliminary Observations and Recommendations. FEMA 403, May 2002.
Hottel, H.C. and Wilkes, G., Wood Flammability Under Various Conditions of Irradiation, OSRD Publication No. 432, March 3rd, 1942.
Hottel, H.C., Stimulation of Fire Research in the United States After 1940 (A Historical Account), Combustion Science and Technology, vol. 39, pp. 1-10, 1984.
ISO. Fire Resistance Test Elements of Building Construction. ISO 834, International Organization for Standardization, Geneva.
Jackman, P.E., Risk Based Design-Getting Fire Safety Engineering Recognized as a Profession, Fire 2004, Manchester, September 7th, 2004.
Kirby B.R. British Steel data on the Cardington fire tests. Technical report, British Steel, 2000.
Law M. A relationship between fire grading and building design and contents. Technical Report, 1971.
McGonigal, J., Evaluation of Building Control Methods in Scotland, Glasgow Caledonian University, M.Eng. Dissertation, 2004.
Milke, J.A., Analytical methods for determining fire resistance of steel members, SFPE Handbook of Fire Protection Engineering, 3rd Edition, 2003.
Petterson, O., Magnuson, S.E. and Thor, J., Fire Engineering Design of Structures, Swedish Institute of Steel Construction, Publication 50, 1976.
Torero, J.L. and Steinhaus, T. “Applications of Computer Modelling to Fire Safety Design,” 53rd Jahresfachtagung der Vereinigung zur Förderung des Deutschen Brandschutzes e. V., Essen, Germany, June, 2004.
Usmani A.S., Chung Y.C. and Torero J.L. How did the WTC towers collapse: a New Theory, Fire Safety Journal, Vol. 38, pp. 501-533, 2003.
Usmani A.S., Rotter J.M., Lamont S., Sanad A.M. and Gillie M. Fundamental principles of structural behavior under thermal effects. Fire Safety Journal, Vol. 36, No. 8, pp. 721-744, 2001.

ANALYSIS OF TECHNOGENIC RISKS UNDER TERRORIST IMPACTS
Nikolay Makhutov Institute for Machine Sciences of RAS
Abstract:
For the purposes of this work, modern terrorism can be divided into three types: traditional terrorism, technological (or high tech, high impact) terrorism and intelligent terrorism. Emergency situations initiated by terrorist attacks and traditional man-made catastrophes develop according to similar mechanisms and laws. The existing standards and codes in the field of designing, constructing and maintaining critical infrastructures and facilities (CIF) should therefore be modified and updated in view of the threat of terrorist impacts. The project will contribute to vulnerability reduction at CIF through development of complex protection systems. It is planned to develop the scientific principles of protecting critical infrastructures and facilities from terrorist impacts, and methods of designing and constructing protection systems.
Key words:
Technogenic risk, standards, codes, critical infrastructure, vulnerability reduction.
K.V. Frolov and G.B. Baecher (eds.), Protection of Civilian Infrastructure from Acts of Terrorism, 59–69. © 2006 Springer. Printed in the Netherlands.

1. INTRODUCTION

An extensive bank of knowledge has been created by scientists of different countries for analysis and classification of natural and man-induced emergencies, and in-depth study of the processes of their initiation and propagation in order to reduce vulnerability of high risk facilities in case of natural or technogenic catastrophes. This scientific base should be used as widely as possible for countering terrorism. The presented approach to terrorist risk analysis proceeds from the assumption that propagation of so-called conventional/traditional accidents and catastrophes, and of those initiated by terrorist attacks, is governed by the same laws. Therefore methods and models developed to solve classical problems of the theory of risks and to ensure natural and technological safety can be employed to study emergency situations triggered by terrorist attacks as well. The threat of terrorist attacks must be allowed for when determining a set of possible scenarios of emergency development. In particular, the event trees used for risk analysis at critical infrastructure facilities should be supplemented by ‘terrorist scenarios’ that dramatically change the structure of emergency initiating factors and lead to cascade effects in the development of catastrophes, which cause the most severe consequences for man, property, and environment. As it is imperative that terrorist risks and terrorist mechanisms of triggering emergencies be included into the framework of traditional risk assessment and safety research, the existing models and methods for analysis of catastrophes should be modified, and new ones have to be developed in order to take into account specific properties of emergency initiation by terrorist impacts, which can be targeted at the most vulnerable facilities of critical infrastructures. The first priority in conducting comprehensive risk analysis (when terrorist risks are incorporated in the system of natural and technogenic risks) is to study the stage of catastrophe initiation by terrorist impacts and identify changes in the structure of damaging factors of an accident triggered intentionally in comparison with those of a conventional natural or technological catastrophe. Now there is a need to move beyond the traditional reactive approach, based on post-attack recovery and mitigating consequences of emergencies initiated by terrorist impacts, to a new strategy of managing the risk of terrorism, and of prediction and prevention of terrorist acts. It is essential that the modern strategy of ensuring natural and technological safety (a strategy that is focused mainly on prediction and prevention of catastrophes, rather than on relief and response after they have occurred) be applicable to emergencies triggered by terrorist activity as well.
2. CLASSIFICATION OF ACCIDENTS AND CATASTROPHES

A huge bank of knowledge on technogenic, natural-technogenic and natural catastrophes was summarized in the framework of the State Research and Development Program ‘Safety of Population and Industrial Facilities Taking into Account Risks of Natural and Technogenic Catastrophes’ that was implemented by institutes of the Russian Academy of Sciences, Ministry of Science and Technologies, Ministry of Emergency Situations, Engineering Supervision Agency and Nuclear Supervision Agency. The results of the program were presented in a multivolume edition ‘Safety of Russia’. The information was analyzed and summarized according to the basic characteristics, conditions and scenarios concerning initiation of accidents and catastrophes in natural and technogenic spheres that were caused by complex hazardous phenomena and processes in different regions of the world. This work makes it possible to classify catastrophes in terms of losses and frequency of occurrence. The high-risk facilities that are listed on Fig. 1 (top left) can provoke catastrophes of the following types: global, national, international, regional, local and object-oriented. Losses per catastrophe of each type vary from $10^{10} \div 10^{11}$ to $10^{3} \div 10^{4}$ USD, while the periodicity of these catastrophes changes from $(3 \div 5) \cdot 10^{1}$ to $10^{-1}$ years.
3. TYPES OF TERRORISM AND THEIR AFFECTING FACTORS

Modern terrorism can be divided into three types: traditional, technological and intelligent (Fig. 2). Traditional terrorism has always been aimed at assassination (physical elimination or removal) of some political or social figures in order to achieve certain social, economic and political goals. While in previous decades traditional terrorists reached their goals mainly through assassinating or kidnapping influential individuals and damaging governmental structures, they now resort to methods of mass murder (explosions, arsons, poisoning, and contamination) to intimidate the civil population as a whole. The main losses in attacks of this kind are inflicted at the initial stage. Technological terrorism on both national and international levels is becoming one of the major components of terrorism that is focused on man, society and country to achieve certain political, social or economic purposes. Technological terrorism is a new stage in the development of terrorism. It is targeted at damaging high risk facilities of critical infrastructure, and employs dangerous technologies, instruments and agents. Initial damaging factors of technological terrorism cause accidents and catastrophes that lead to secondary effects. The level of these secondary effects exceeds that of initial factors by hundreds of times. These secondary impacts affect not only the facility under attack and its personnel, but also the local population and environment.

[Figure 1. Losses and periodicity of natural and manmade catastrophes]

The third type and stage of terrorism is called intelligent terrorism. In this case initial damaging factors are deliberately introduced into new technical systems at the stage of their design and construction, which enables terrorists to produce enormous secondary and cascade damages. The general structure of terrorism that includes damaging factors and levels of destruction is presented in Fig. 2. Each of these three types of terrorism has specific initiating impacts of its own. They are connected with:
– specific terrorist plans and activity of terrorists against man (explosives, fires, poisoning, murder, kidnapping) in case of traditional terrorism;
– specific terrorist plans and activity against high risk engineering facilities (explosives, fires, poisoning) in case of technological terrorism;
– deliberate introduction of initiating factors at the stages of design and construction, which could later trigger accidents or catastrophes in case of intelligent terrorism.
Development of initial, secondary and cascade damaging factors in technological accidents initiated by a terrorist act and in traditional technogenic emergencies is governed by practically the same laws. Therefore the scientific basis for ensuring natural-technological safety can be applied to counter terrorist threats and to reduce the risk of terrorist-triggered emergencies. Hence, elaboration of methods, means and systems of protection from technological terrorism adds up to two fundamental tasks:
– to reduce the risk of initiating events (accidents or attacks);
– to reduce the risk of emergencies caused by certain initiating events (accidents or attacks).

[Figure 2. Types of terrorism and damaging factors. Diagram labels: Terrorism; Traditional terrorism; Technological terrorism; Intelligent terrorism; Initiating impacts; Damaging factors; Initial ~100 %; Initial 1-10 %; Initial <0.1 %; Secondary 90-99 %; Secondary 90-99 %; Cascade >90 %.]

A striking thing about terrorist events over the last decade is that the probability of their occurrence, P, and the damage in terms of the number of their victims, U, are increasing from 5 to 10 times faster than the number of natural, techno-natural and technogenic emergencies.
4. ANALYSIS OF ACCIDENTS INITIATED BY ACTS OF TECHNOLOGICAL TERRORISM

Generalizing from the experience connected with man-induced accidents (including those triggered by acts of terror) accumulated in nuclear power and space engineering, it was suggested that these accidents be classified by the degree of protection against them. Thus four types of technogenic accidents identified by the probability of occurrence and level of consequences can be considered:
– regular accidents under normal conditions of operation (such accidents can occur at normal modes of operation of high risk facilities; their consequences are predictable; level of protection for that type of accidents is high);
– designed accidents (they can occur when the system operates beyond normal modes; their consequences are predictable and acceptable; level of protection is sufficient);
– not designed accidents (they could occur in case of irreparable damage to critical elements; these types of accidents cause severe losses and victims; level of protection from them is not sufficient; post-event recovery is necessary);
– hypothetical accidents (their development is connected with unpredicted scenarios, their consequences are most severe, and victims are exceedingly numerous; the level of protection against them is low; the damaged facility cannot be restored).
Major terrorist acts used to be treated as hypothetical accidents. But now many of them should be referred to not designed and designed accidents and analyzed respectively. That makes it imperative to analyze initial, secondary and cascade damaging factors as well as protection from them at all stages of designing, constructing and maintaining high risk facilities.
5. METHODS OF PROTECTION FROM TECHNOLOGICAL TERRORISM

While developing methods and systems for protection of critical infrastructures and facilities from technological terrorism, the above-mentioned basic tasks should be considered:

– reduction of risks of initiatory events, and
– reduction of risks of emergencies triggered by terrorist acts.

In order to protect CIF from initiatory events and prevent propagation of emergencies, the following types of protection systems are being developed:
Analysis of Technogenic Risks under Terrorist Impacts
– rigid protection systems, the ones that require large amounts of energy to breach;
– functional protection systems, the ones that are constantly in action and can execute some of the CIF’s functions during a specified period of time in case the regular mode of functioning is violated;
– natural protection systems, the ones that employ passive natural phenomena and processes to prevent the catastrophe propagation; and
– combined protection systems that combine features of rigid, functional and natural protection systems.

In the case of antiterrorist protection these systems can be supplemented by special guarding protection systems that cover the protected CIF, its personnel and existing protection barriers. They involve military and special forces supplied with monitoring and alarm systems and special military equipment.

Figure 3. Types of protection systems (rigid, functional, natural and combined). Legend: 1 – Bunkers, containments, containers, dry boxes; 2 – Self protected, passive systems; 3 – Management diagnostic systems; 4 – Guiding protection.
6. PROMISING NATO-RUSSIA RESEARCH PROJECTS THROUGH 2008

Discussions of catastrophe-related problems within the NATO-Russia scientific program were initiated in 1998-2000, before the major terrorist attacks on the US (New York, September 11) and Russia (Moscow, October 2002). After these two and many other terrorist attacks, specialists came to the conclusion that it is necessary to alter the approach to ensuring the safety of the engineered environment. Taking into account the new priorities of the NATO ‘Science for Peace’ Program and the results of joint NATO-Russia research projects implemented in the period from 2000 to 2004 in the research area Prediction and Prevention of Catastrophes, a number of long-term projects within the NATO Science through Peace Program could be proposed for development:

1) Development of methodological foundation of Russia and NATO countries’ standards in designing, constructing and operating critical infrastructures and facilities in view of terrorist attacks and man-made catastrophes.

Within this project it is planned to continue joint efforts on developing and coordinating standards and codes in the field of ensuring engineering safety. The project will focus on the analysis of emergencies launched by terrorist impacts, and on the study of differences in the structure of the damaging factors in case of terrorist attacks and traditional man-made catastrophes. It would be helpful to divide modern terrorism into three types: traditional terrorism; technological (or high tech, high impact) terrorism; and intelligent terrorism (Fig. 2). Emergency situations initiated by terrorist attacks and traditional man-made catastrophes develop according to similar laws and mechanisms. The existing standards and codes in the field of designing, constructing and maintaining critical infrastructures and facilities should therefore be modified and updated in view of terrorist threats.
The rapid growth of global infrastructure networks and the activity of international terrorist organizations require internationally coordinated efforts to reduce the vulnerability of critical infrastructures to potential terrorist impacts. Coordination of national approaches to safety provision and vulnerability reduction, envisaged in the project, is to be based on the analysis of integral risk management. National approaches to the strategy of preventing natural and man-made catastrophes and acts of terror will also be analyzed and coordinated.
2) International recommendations and standards on CIF protection systems from man-made accidents and terrorist attacks.

Vulnerability of critical infrastructure and facilities (CIF) to strong impacts (earthquakes, fires, air crashes, explosions etc.) caused by accidents or terrorist attacks is one of the determining factors of safety level. CIF vulnerability can be reduced by developing reliable systems of protection from natural/man-induced catastrophes and from terrorist attacks as well. In order to develop such protection systems it is necessary to solve two fundamental tasks:

– to reduce the risk of an initiating event (accident or attack);
– to reduce the risk of an emergency caused by an initiating event (accident or attack).

In order to protect critical infrastructures and facilities from initiating events and prevent the propagation of emergency situations, the following types of protection systems should be developed (Fig. 3):

– rigid protection systems that require large amounts of energy to breach;
– functional protection systems that are able to execute some of the CIF’s functions during a specified period of time;
– natural protection systems that employ passive natural phenomena and processes to prevent the catastrophe propagation;
– combined protection systems that combine features of rigid, functional and natural protection systems.

Since all methods have different degrees of protection from intentional and terrorist acts, an indispensable requirement is vulnerability reduction along with a decrease in the basic parameters P and U of risk R. The project will contribute to CIF vulnerability reduction through the development of complex protection systems. It is planned to elaborate scientific principles of CIF protection from terrorist impacts and special methods to design, calculate and construct protection systems.
In the case of antiterrorist protection these systems could be supplemented by guarding protection systems that cover the protected CIF, its personnel and existing protection barriers.

3) National and international criteria and standards concerning the role of human factor and its control in risk management systems in view of terrorist attacks.

The main purpose of the work in this field is to create functional models of risk management systems capable of working in conditions of growing terrorist threat and based on systemic allowance for the influence of managerial decisions on reducing the probability P of terrorist actions at technological facilities, and the losses U inflicted by them.
For the creation of such a model at a regional level of management it is proposed to use the following ideas currently being developed by Russian and foreign scientists:

– the list of typical professional tasks (TPT) of specialists and leaders working in the field of risk management and safety provision in territories and economy objects under threats of natural, industrial or terrorist origin;
– a mathematical man-facility model of a decision-maker working in a stress situation with a lack of time and information; the functioning of the model is supposed to be based on the indexes and criteria unified within the framework of the NATO/Russia system.

Scientific results of investigations within national scientific programs will provide the base for the Project development.

4) Creation and development of NATO-Russia work programs and standards for training and education of specialists and managers to face unexpected and unpredictable catastrophic and crisis phenomena caused by terrorism.

The main goals:

– to develop a certificated training system based on creative methods of teaching and modern communication systems;
– training top level managers to procure further development and reliable functioning of regional risk governance and safety systems under increasing threats of unexpected and unpredictable events of natural, industrial and terrorist origin;
– elaboration of unified national systems to certify top executive officers of Russia and NATO countries, with relevant standards to be developed.

Dissemination of results of regionally oriented projects is essentially facilitated by the educational and methodic association of 360 Russian universities that train specialists in economics and management, headed by the State University of Management.
5) The theory of terrorist threat risks

There is now a growing need to move beyond the traditional reactive approach based on post-attack recovery and consequence mitigation to the new strategy of managing risks of terrorism, of prediction and prevention of terrorist acts. Risk management and catastrophe prevention strategy form the scientific basis for policy making aimed at ensuring sustainable development of territories, countries, and the world community as a whole. Risk management is a complex cross-discipline problem that can be solved only by joint efforts of specialists from different sciences and through international cooperation.
Rapid development of global infrastructure networks (both physical networks like energy and transportation systems, and virtual ones like the Internet) demands coordination of international efforts. Risk management implies risk reduction to an acceptable value. This problem could be solved on local, national and international levels. The level of management depends on risk value, potential damage, and transfrontier transport of hazards. The possibility of global crises that affect the whole world is one of the prerequisites of cooperation in coordinating national approaches to risk management and terrorist acts prevention. The project realization is based on coordination of national approaches in ensuring safety through integral risk management and prevention of terrorist acts. The purposes of the project are:

– to analyze the existing approaches to reducing risk of terrorist attacks;
– to develop new ones by updating the existing methods and models that are currently used for managing risks of accidents; and
– to make them applicable to the problem of managing risks of terrorist attacks.

Experts from Russia and NATO countries have developed considerable expertise in risk management. Intensive exchange of knowledge and technical know-how as well as development of coordinated programs for terrorist attacks prevention is an indispensable condition for sustainable social and economic development.
VULNERABILITY, RISK ANALYSIS, AND RISK ASSESSMENT
PETROLEUM SUPPLY VULNERABILITY DUE TO TERRORISM AT NORTH SEA OIL AND GAS INFRASTRUCTURES
Magne Tørhaug
Det Norske Veritas
Abstract:
Steady supplies of oil and gas are vital to our societies. Terrorism is a threat to both the oil and gas field installations and to the transportation and distribution systems connecting petroleum fields to the markets. This paper will discuss the needs and means of managing risks due to terrorism. As an example we have chosen the North Sea oil and gas production and transportation systems and the European oil and gas markets. Terrorism risk management needs to deal with both the real threat of terrorist acts as well as the consequences of the threat of terrorism. In the oil and gas markets the threat has added to a perception of uncertainty of oil and gas supplies which may already have caused a higher market price for crude oil. This puts special requirements on risk management for both individual oil companies and national and international authorities.
Key words:
Risk Management; Oil Production; Gas Production; Vulnerability; Terrorism.
K.V. Frolov and G.B. Baecher (eds.), Protection of Civilian Infrastructure from Acts of Terrorism, 73–84. © 2006 Springer. Printed in the Netherlands.

1. IS THERE A REASON TO BE WORRIED?

The oil and gas markets have rarely experienced significant shortages of supply due to acts of war or sabotage. World supply has been adequate even during fairly substantial wars in large oil producing areas of the Middle East. Has the risk of terrorism caused an increased reason for worry?

The supply chains seem to be very robust against most threats. Terrorist attacks at the individual pipeline, oil well or at other oil and gas installations may certainly cause significant local damage. However the oil and gas supply chain is characterised by a large number of supply lines and the failure of one may be compensated by increasing supply from others. There is spare production capacity at the world oil and gas fields. There are possibilities of substitution, i.e. replacing one source of hydrocarbons (e.g. gas) by another (e.g. coal). Furthermore the mobility of oil and gas increases by development of additional transportation capacity - e.g. more pipelines and facilities for Liquefied Natural Gas (LNG) which can be transported by ship.

Still oil market analysts assume that the current oil price carries a “terrorist premium” in the range of $5 to 15 per barrel. If this is true the effects are certainly large, e.g. a $5 per barrel price increase means that the “old” EU countries (i.e. prior to the latest EU expansion) spend an extra 17 bn $ per year for crude oil alone. One may look at this as the price of perceived extra risk in the oil market caused by the terrorist threat. Thus, in managing the risk of terrorism one must consider both the risk at the individual facilities as well as the risks to the entire market and attention has to be paid to both the real and the perceived risks.
2. GENERAL PRINCIPLES FOR MANAGING RISK

The risk management principles discussed in this paper are geared towards handling undesired events like e.g. major accidents or terrorism. This paper therefore will focus on the management of accident risks as opposed to general business risk management practices which also include opportunities due to commercial risks. We will here only summarise the main principles.

The basic principles for managing risk (of undesired events) are simple:

• Know all risks
• Focus management on those that are important
• Disregard the rest – but review the entire picture at regular intervals to verify that your priorities are right
• Select the optimal means based on cost–benefit assessments

Risk is expressed by the probability of undesired events (e.g. oil release) and their consequences to people, the environment, assets and production. Risk can be managed by changing the probability of the event or its consequences, i.e.:

• Management of the barriers preventing a hazard from developing into an undesired event – e.g.:
  – Management of access to a facility
  – Reducing the attractiveness of oil and gas installations as a target of attack.
• Management of recovery measures determining the consequences of the undesired event. At oil and gas installations this includes e.g. safety systems for detection of releases, shut down of the facility and active fire fighting. It also includes passive measures like e.g. structural design to withstand fires and explosions etc. as well as emergency preparedness procedures for evacuation, medical treatment etc.

Both in assessing and managing risk all these factors will be taken into account – ref. fig. 1.
Figure 1. Management of hazards and undesired events

Prioritising risk requires the decision maker to define his risk profile. Typically this profile classifies the events in three groups according to risk – those which the decision-maker considers negligible (white), those which should be watched (grey) and the ones which are unacceptable (black) and have to be reduced in some way. This may be expressed by a risk matrix as illustrated by fig. 2. The risk of an event may be unacceptable if e.g. the consequences are very high, or e.g. for smaller consequences – if the probability is high.

The most difficult part of risk management is actually sticking to the priorities decided. There is considerable pressure to deal with “all fires” which occur regardless of their real importance. This normally may lead to overspending on the total handling of risks. More typically it leads to inefficient use of resources where time and effort is spent chasing unimportant risks while there is lack of attention to other risks which should have been prioritised. Terrorism is important and has to be dealt with in some ways. However it should be realised that the real risk of terrorism may be seen as too improbable to make it to the list of prioritised problems e.g. for individual companies even if this is a major challenge on a global basis.

Figure 2. Risk matrix for defining risks which should be prioritized (axes: probability and consequence, each graded Low / Medium / High; cells classed as Critical (high priority), Significant (medium priority) or Insignificant (low priority))

Managing perceived risk adds several elements to the risk management challenge. It is well known that people may perceive risk very differently from the real risk. It is also well known that perceived risk may play a very important part in determining the behaviour of the society at large, customers (for example on rumours around food safety) and investors. One of the most important objectives of terrorism is most likely to increase general uncertainty and affect how risk is perceived in society including, e.g. the risk to future supplies of oil and gas. As is seen by the market value of crude oil, dealing with this perceived risk of terrorism is as important as managing the real risk. Also, finding the right balance between managing the real and the perceived risks is of utmost importance.

Successful management of perceived risk depends on:

• Obviously - managing real risks well, as outlined above
• Keeping the stakeholders informed about both what the real risks are and what is being done to manage these risks – prior to any accidents that may occur.
• Taking into account risk aversion factors in the society. For example this can be observed by attitudes to the risk of events with high consequences. People will more readily accept ten accidents with one fatality (e.g. traffic accidents) than one accident with ten fatalities (e.g. a hotel fire). Also, accidents with negative effects to the public are less acceptable than events with consequences to employees or owners of the site of the accident etc.
• Staying in control of perceived risks during accidents and other crises. An important element of this is well thought through information strategies for explaining what has happened and what will be done to prevent such events from occurring again.
• Avoiding events which could indicate that control has been lost. This is the more difficult element. Experience shows that certain types of accidents attract more negative attention than others. E.g. if an accident / event of a certain type is rapidly followed by another one of the same type, credibility suffers seriously.

Thus the following factors may play a role in the probability of an attack at a potential target (in addition to political and other reasons seen from the terrorist point of view):

• The probability of an attack succeeding
• The real consequences of an attack
• The effects of the attack on general uncertainty / perceived risk within the societies targeted
3. THE RISK AT INDIVIDUAL OIL AND GAS INFRASTRUCTURES OF THE NORTH SEA

The oil and gas infrastructures of the North Sea consist of platforms, installations at the seafloor (e.g. wellheads), pipelines and pipeline landfall stations as well as onshore gas treatment facilities. Oil is loaded to tankers offshore and transported mostly to refineries in Europe. All gas is transported by pipeline - with the exception of heavier gas fractions (e.g. Propane and Butane) which are transported by ship, rail and road. The gas transmission pipelines are subsea except for short sections close to the landfall stations and gas treatment plants. Several of the pipelines collect gas from many fields. The subsea pipelines lead to landfall stations which are tied to the common European gas transmission and distribution network.

The offshore installations are designed for handling the rough climate of the North Sea. These facilities are also often designed to withstand defined accident scenarios, in most cases fires and explosions which could occur during oil or gas releases. The transmission offshore pipelines are concrete covered and of substantial dimensions (typically at least 32” diameter). These are buried if crossing dry land outside the gas treatment plants. The treatment plants are typical industrial facilities for large volume handling of gas and condensates. Thus the installations are very robust - both North Sea weather requirements and the large size of North Sea installations make them more robust than the average offshore oil and gas installation in more benign waters. Typical risk figures for these installations are illustrated in Table 1.

Table 1. Some typical risk figures for Norwegian oil and gas installations – excluding risk of terrorism

| Type of event | Frequency of occurrence |
|---|---|
| Any accident causing total loss of a platform with wells, processing facilities and living quarters (integrated platform) | For a new, permanently installed platform in Norway – typically estimated at 2E-04 per year. Historically there are two such losses in the North Sea history. |
| Any accident causing loss of life at an integrated platform, excluding common occupational accidents | For a new platform in Norway typical estimates are once every 25 to 50 years. No fatalities occurred in 2003 /1/. |
| Individual accidents, Norway 96 - 03: oil or gas releases | 0.3 – 0.7 per platform / year |
| Individual accidents, Norway 96 - 03: fire or explosions | About 2% of the releases |
Fires, explosions and blowouts (with subsequent explosion and fire) dominate the risk picture when considering the risk of major accidents outside terrorist risks. When including floating platforms the risk of loss of stability will have to be added to the list. The importance of these risks is illustrated by the fact that we have experienced several major accidents including two total losses in the North Sea during the past 35 years. Over this period there have also been other very serious accidents. If considering historical data only, the risk due to terrorism is negligible in comparison.

Statistical evidence based on the ITERATE database indicates that world wide (ref /2/):

• Only 2% of international terrorism during the period 1968 – 1999 was attacks against petroleum infrastructure. This amounted to 262 incidents. Of these only 152 occurred in petroleum producing countries (these data counted a very high number of pipeline attacks in Colombia as one event).
  – The most common types of attacks are blasting of onshore pipelines and kidnapping of oil company personnel followed by office bombings. This reflects that the most exposed assets are those which are most difficult to protect.
• Only 23% of the recorded petroleum attacks occurred in peaceful democracies and the number of attacks in these areas seems to be decreasing.
• There have been very few attacks to offshore installations. In part this could be due to general inaccessibility of such facilities combined with strong security measures /2/. Security measures are considerable in certain parts of the world – it is claimed that Saudi Arabia at any time has 30000 people involved in protecting the kingdom’s oil infrastructure /3/.
  – None of the recorded pipeline attacks have been to offshore pipelines.
  – Ref. /2/ found very few attacks to offshore platforms; the only ones mentioned specifically are two kidnapping and one hijacking incidents, all in Nigeria.
  – The database refers to no actual terrorist actions to Norwegian installations. However there have been bomb threats but these are not included in the figures above.

Assessing the probability of a terrorist attack is connected to special challenges, e.g.:

• The threat is varying over time and in a manner which is hard to predict, typically based on the development of political and social conditions in various areas of the world.
• The threat to a particular oil and gas installation varies depending on the background for the terror and the motives of the terrorists.
• The selection of object for attack – given that an attack has been decided on – will be dependent on the relative “attractiveness” of the alternative targets – as discussed in section 2 above.

The consequences of terrorist attacks at the facilities could range from kidnappings and hijacking situations to physical damage to the facilities. Considerable damage could in theory be caused by the latter type of attacks provided a progressive collapse of structures could be initiated.

Causing physical damage will however either take considerable knowledge and/or a large scale attack – after all these installations are built with safety systems designed to withstand and control releases of oil and gas, fires and explosions. Experiences from attacks with explosives to refineries show that the ensuing damage has been small. That said, it is technically possible to cause considerable damage by attacks to oil and gas platforms. There is no reason to believe that North Sea platforms are more exposed to terrorism than the average offshore facility. The exposure over time may be changing – as pointed out in /4/, the activity of European oil companies in areas of conflict may increase the possibility of actions also in Europe.
Actions may not primarily be targeted at individual installations nor at the oil and gas industry, but at the European economy as part of a larger scaled operation. One could speculate that the large and remotely located North Sea platforms would mainly be subject to large-scale, well planned terrorist operations.

Considering therefore the above evidence and the normal principles of prioritising the management of significant risks one may conclude:

• The North Sea oil and gas infrastructure is not particularly exposed to terrorism.
• At present oil companies should prioritise protection of their most exposed assets against terrorism – i.e. employees, office facilities onshore as well as other easily accessible facilities onshore.
• Offshore facilities seem to be unlikely targets. Compared to other risks present at such installations it seems that there is no reason for prioritising the risk of terrorism.
• This situation could change – operators need input from national and international authorities to monitor trends and new developments. A certain preparation for how to manage a situation of increased threat is warranted.
4. DEALING WITH THE RISK IN THE PETROLEUM MARKETS

The market risks are considerably different from the risks described in section 3. Terrorism is only one of several perceived threats to the supply of oil and gas. Other uncertainties range from the effects of political challenges in e.g. Venezuela or the Middle East to questions about the spare oil and gas production capacity as well as the level of future demand. Analysts claim the market has a “terrorist” premium on crude oil in the range from about $5 (end May) to about $15 (end August) per barrel. This effect is however not well defined. What seems to be certain is that the terrorist threat adds to the already existing uncertainties of the petroleum market and this has an effect on the price of oil.

Thus the management of market risks has to deal with both the real and the perceived risks. Several questions need to be answered: how vulnerable are the supplies really? Could an individual act of terrorism upset the supplies or supply lines in a serious way? And finally – how are the real and perceived risks to be dealt with?

In short – it seems unrealistic that a single terrorist attack to oil and gas infrastructure could have a real effect on the supplies of oil or gas to the world markets. In real terms there is spare capacity both in production and transportation of oil and gas. The effective spare capacity of OPEC at the beginning of 2004 was estimated at about 1.5 million barrels/day /5/ (the total production of Norway is 3 million, “old EU” imports in 2002 were close to 10 million). Other production areas are replacing the more mature tracts of, e.g. the North Sea and the US. Russia is considered the most important future supplier of crude oil, now producing oil at the same level as Saudi Arabia (about 8-9 million bpd). Many areas of the world are still unexplored and existing fields are made to yield more of their petroleum than earlier expected by the use of new technology.

A study by the International Energy Agency (IEA) /6/ concludes that the European (OECD area) gas market is well prepared for short term interruptions of gas supplies of a technical nature. Political unrest could stop all gas deliveries from a country. Even in this situation gas supply to core customers could continue for many months, in some cases indefinitely. There would however be side effects like, e.g. price increases for alternative fuels like, e.g. fuel oil. It is emphasised that this IEA study (/6/) is based on projections made in the early 1990s; newer data may not confirm this description.

The transportation chains are multiple and robust from an oil and gas supply point of view. Almost all oil is transported by ship – in practice a mode of transportation which is very flexible and difficult to interrupt by individual terrorist attacks. There is a large number of gas pipelines to Europe and more are being built in addition to new facilities for the export and import of LNG. In this discussion we have disregarded the potential effects of coups in large oil producing countries, or the potential effects of actions threatening entire areas by other means like e.g. chemical or biological weapons to stop oil and gas production.
On the other side, if terrorism contributes to greater uncertainty about petroleum supplies it already has a negative effect on all national economies which are net importers of petroleum, as well as individual companies and consumers world wide. Also the robustness of the world petroleum supplies against terrorism is subject to a high pace of change and some uncertainties:

• The limited spare petroleum production capacity is not reassuring in the long run considering the growth of new consumer markets like, e.g. China and India. China has played a major role in the oil market especially in the last two years. This has not only increased the demand for petroleum – some of the new large consumer countries are also powerful political players with potential influence on the supply priorities in some petroleum producing areas.
• There are of course several uncertainties regarding the world petroleum reserves. In 2004 these are 6% down from 2003 when measured by the reserves to production ratio – from 43 to 41 years /7/. This indicates that the discoveries of new reserves have not been adequate to replace the production from existing fields.
• The decline of the production capacity in Western Europe and the US increases the dependency on production in areas with a higher level of political instability. This has a direct influence on the security of supply.
• This also results in the need for longer transport routes and different types of transport - e.g. more gas will arrive in North America as LNG imported through a relatively small number of LNG storage and gasification facilities, transported by a relatively small LNG tanker fleet from a small number of gas liquefaction plants in the gas producing countries.
• Questions may be asked about the vulnerability of some links in today’s supply chain for oil. E.g. some key harbours are extremely important to the import of oil like, e.g. Rotterdam. Furthermore the spare refinery capacity in the world is relatively low /5/. Also, not all production capacity can be substituted by other fuels or other production capacity, e.g. in the production of important petrochemicals.
• The reaction of the industry and authorities in case of terrorist attacks will also play a role. If there was a terrorist attack to an offshore platform in Western Europe or the Gulf of Mexico – would the entire area be shut down until adequate means of security could be demonstrated? Shutting down, e.g. the US areas of the Gulf of Mexico would have significant effects to the petroleum supplies to the US (in the range of 30%).
5. CONCLUSIONS
Considering the current market effects of the terrorist threat, there is a need to deal with the – real and perceived – supply risk. This is certainly the responsibility of national and international bodies. The following are some issues which need to be evaluated:
Analysis: Realising that the supply / market situation is rapidly changing, it is desirable to keep a close watch on the vulnerability of the world supplies and supply chains. This should include not only petroleum production capacity vs market demand, but also transportation routes, manufacturing and refining capacities and dependency on special products. This needs to take into account all types of events which could upset the
Petroleum Supply Vulnerability
supply chains, not only terrorism. As a consequence of the analysis, priorities for dealing with the risks need to be defined.
Managing the supplies and reserves: Normally supply and demand have been balanced by the oil price and its effect on both consumption and exploration for new oil and gas fields. The question is whether this provides adequate robustness to meet the uncertainties of the market today and in particular for managing the future effects of threats from terrorism. How can robustness be increased? The best means are to increase the spare production capacity as well as to improve the knowledge about world petroleum reserves. In addition, there are of course means to decrease our dependency on petroleum – such means will not be discussed here. Policies on exploration for petroleum are characterised by a national focus from the petroleum producing countries, combined with optimisation of exploration and production by individual oil companies. Means like the strategic oil reserve are designed to take care of temporary shortages of supply only. In a situation where there is a real lack of spare production capacity over a long period of time this policy would most likely not be considered adequate. It is therefore a question whether this can be sustained in the long run. International co-operation may have to play a stronger role in the future to keep up both exploration and spare production capacity. For example, it may be necessary to question the closure of certain tracts in, e.g., Europe and North America to oil and gas exploration and production. It may also be desirable to increase general exploratory (seismic and drilling) activities in order to get a better overview of the actual reserves in various parts of the world.
Managing the perceived risks: In the current situation the market does not seem satisfied with the evidence of supplies being secured – despite the fact that the real risk of interruptions seems small. Therefore managing the perceived risk will in part need to focus on providing better information. It will also be required to develop policies for handling new situations where the perceived risk is being challenged anew by terrorism. This has to be developed on a risk based approach – i.e. after identification of the most likely terrorist acts with the most severe consequences. How, for example, will one deal with the market after a terrorist attack on an oil platform in the North Sea or the Gulf of Mexico is over? The question of what counts as adequate security means may be easier to discuss today than right after an incident.
The risk of terrorism to oil and gas infrastructure may seem small at first glance. However, the effects of this threat are already considerable. This is a signal that a more developed risk management approach is required, especially in the arena of national and international co-operation.
REFERENCES
BP Statistical Review of World Energy 2004.
International Energy Agency: “The IEA Natural Gas Security Study”, OECD/IEA 1995.
Kjøk, Åshild and Lia, Brynjar: “Terrorism and oil – an explosive mixture”, A survey of Terrorist and Rebel Attacks on Petroleum Infrastructure 1968 – 1999. Norwegian Defence Research Establishment 2001.
Klaus Rehaag, International Energy Agency: “A market on steroids”, MEPG 2004, Bahrain May 2004.
Lia, Brynjar: “Is civilian infrastructure likely targets for terrorist groups in peace time?”. (In Norwegian). Norwegian Defence Research Establishment 2001.
Petroleum Safety Authority Norway.
Upstream Vol 9, Week 35, 27 August 2004.
LESSONS FROM SAFETY ASSESSMENT, NATURAL DISASTERS AND OTHER HAZARDS
James McQuaid
Royal Academy of Engineering Visiting Professor, Department of Mechanical Engineering, University of Sheffield, UK
Abstract:
The anticipation and prevention of potential industrial accidents with severe consequences has benefited from the development of formal methods of assessment for the different stages of the life cycle of an accident. A similar approach has subsequently been applied in other situations where anticipation of hazards is necessary, including natural disasters and in areas such as food safety and public health. The application of the methods in high hazard sectors of industry has been accompanied by new regulatory procedures in the UK to ensure effective implementation. This paper reviews the relevant lessons from experience of regulating and managing industrial safety and responding to natural disasters and other hazards. It is concluded that learning from this experience would be beneficial to assessing and minimizing threats from terrorist acts and to improving preparedness and prioritizing protective measures.
Key words:
safety assessment; industrial accidents; natural disasters; safety cases.
K.V. Frolov and G.B. Baecher (eds.), Protection of Civilian Infrastructure from Acts of Terrorism, 85–102. © 2006 Springer. Printed in the Netherlands.
1. INTRODUCTION
Precautions against both the threat and execution of acts of terrorism need to be designed and implemented in a disciplined way if they are to be effective. Much experience relevant to the achievement of discipline has been gained from the development in industrialized countries of measures to counter the threat of large scale industrial accidents. Although the causes of such accidents usually have their roots in failures of engineered systems and human errors, there is nonetheless a common structure to the life cycle of an accident and that of any other catastrophic event, whether naturally occurring or deliberate. They all originate from the existence of some kind
of hazard, defined as anything with an innate propensity to cause harm. This propensity is given effect, or realized, by the action of some trigger or initiating event. The sequence to disaster then develops, influenced by physical and chemical behaviour of structures, equipment and substances. The harmful consequences depend on the prevailing circumstances. These might include the location, vulnerability of systems to the imposed challenge, potential for escalation, robustness of protection systems for arresting the sequence of events, the weather conditions at the time and, in human terms, the size and distribution of the population and the intensity of the harmful effects to which they might be exposed. The ultimate outcome depends on the extent to which the consequences can be mitigated by emergency actions. Any particular combination of these circumstances comprises a scenario. A safety assessment will usually require the investigation of multiple scenarios. The outcome of any scenario will be a matter of chance. The initiating event will have a probability of occurrence per unit time. The analysis of the various stages of the sequence is affected by uncertainties in data and knowledge and hence there will be a probability distribution of predicted consequences, given the occurrence of the initiating event. Protection systems will have a probability of failure per unit time. The overall outcome will usually be expressed in terms of the average risk or the average of the combination of consequences and probability of occurrence per unit time. The primary objective of safety is to reduce the risk. When hazards are high, a greater emphasis is given to achieving risk reduction by reducing the consequence element in preference to reducing the probability of occurrence by adding safety features to a poorly engineered system. 
The concept of risk is more useful for informing decisions on priorities amongst multiple options than for indicating, in conjunction with criteria of acceptability, what can or cannot be ignored in individual cases.
The aim of this paper is to provide a general review of lessons from practical experience of formal safety assessment and management procedures in order to assist those involved in managing preparedness and response to deliberate acts of terrorism. The assessment of the life cycle of the potential catastrophes begins with the identification and characterization of hazards and initiating events. It is followed by the physical, chemical, biological, etc. description of the postulated disaster sequence or sequences and the ensuing consequences, through to the effectiveness of engineering and management interventions to reduce the severity of consequences and the overall likelihood of their occurrence. The process of assessment can be of varying degrees of complexity proportionate to the scale of the hazard and possible consequences. The purpose is generally to assist in the making
of the decision on the consequences and chance that are regarded as tolerable in the light of the economic, social and political imperatives that apply to living with the hazard in return for benefits. The principal advantage that formal assessment brings to decision making is improved confidence derived from rigor and tractability of reasoning. The formality imposes order and discipline on the conduct of the assessment and is particularly effective in exposing and requiring justification of differences in the exercise of judgments that are an inevitable part of the process (Parkin, 2000; McQuaid, 2002). This advantage should be no less applicable where the initiation of the disaster sequence is postulated to be an act of terrorism.
2. SAFETY PROCEDURES RELEVANT TO PRECAUTION AGAINST TERRORIST ACTS
Safety procedures had a long gestation period throughout the industrial era. For much of this time, the procedures were based on the primacy of good practice developed in an authoritative way and encoded in state regulations, usually in response to the occurrence of actual accidents. The enforcement of the regulations, and thus of the good practice embodied in them, was in the hands of the state. More recently, the philosophy has changed in some countries to transfer more of the responsibility for safety from the state to those who create and work with the hazards. The reasons for this change and its possible implications for control of terrorist acts will be discussed in more detail below.
The application of good practice is an effective response where there is a well-defined and fully understood hazard and a foreseeable route to harmful consequences, for example from working with dangerous machinery or handling dangerous substances. The codification of good practice is then able to draw on the detailed and extensive experiences of the kinds of situation where such accidents recur. New situations, where prior good practice has not developed or is of limited applicability, have frequently arisen in the more recent era of rapid technological change, for example nuclear power, or changed social expectations, for example environmental degradation. This has brought a need to anticipate possible threats and to design measures to reduce them. Formal methods to assist with this task have been developed and there now exists an extensive body of knowledge on their application in diverse areas of safety. Examples of specific applications include Kletz (1999) in connection with hazard identification procedures in chemical plant safety, Vick and Stewart (1996) and Hartford (2001) in connection with assessment of dam safety and Connor et al. (2003) in connection with managing the response to a volcanic eruption.
The methods are generally based on structured ways of representing the development of an accident sequence, such as event and fault trees, coupled with predictive mathematical models describing the relevant features of phenomena involved in the various stages of the sequence, such as models for atmospheric dispersion of a toxic gas and the health effects on people of particular patterns of gas concentration and time of exposure. The methods are powerful tools for investigating different scenarios. They display the overall picture of safety, pinpointing vulnerability to weaknesses in protection and informing the planning of emergency response measures. They can also be used in real time, given the occurrence of an event, to assist operational decisions in managing the consequences of the event.
A distinct advantage of these formalized methods is that transparency of quality assurance requirements for predictive performance can be specified (McQuaid, 1999). In some areas of safety, there has been a proliferation of models either published in the literature or in proprietary use but with information often withheld or not readily available. For example, over 170 mathematical models for atmospheric dispersion are now thought to exist. It is thus of considerable practical importance that users have specific guidance on the reliability of models and this issue has been addressed by regulatory bodies either requiring the use of approved models or sponsoring research on a protocol for scientific evaluation of models (Daish et al. 1999).
The development of these formal methods has allowed a greater insight into the value of specific measures in reducing vulnerability to the eventual outcome. These measures include the implementation of failure-to-safety philosophy.
This requires that the system is designed so that, in the event of failure, the failure is to a safe state, for example a shutdown procedure should some failure of protection occur given the initiation of the accident sequence. Such a philosophy is clearly of relevance if the disaster sequence is initiated by a terrorist act. Furthermore, the concepts of redundancy (i.e. duplicated provision) and diversity (i.e. based on different principles) of measures of protection are commonly used in high reliability systems to reduce the impact of random failures of protection on the robustness of systems for arresting the accident sequence. An important feature of the methods is that they ensure clarity of the input information needed in planning or alternatively they enable the best possible use to be made of whatever information is available. The latter condition is most likely to prevail in responding to an unanticipated event such as a terrorist act. The application of good practice and of structured methods in dealing with specific situations needs to be overlain with a ranking of the relative
effectiveness of safety measures. Such a ranking is illustrated in the hierarchy in Table 1. At the top of the hierarchy, corresponding to maximum effectiveness, is the concept of inherent safety. This kind of measure provides safety assurance either by eliminating the hazard or by making a particular accident sequence impossible, for example by a design that relies on a characteristic physical response rather than an engineered feature to maintain the system in a safe state. An example of the latter is the use of natural rather than forced convection for cooling in inherently safe nuclear reactors. Next in the hierarchy is the replacement of the hazard by substituting something less hazardous (for example, a toxic material with one that is less toxic), the mitigation of the hazard by judicious design (for example, reducing the quantity of flammable or toxic substance capable of being released from a storage vessel) or the reduction of the connectedness of a system where a domino effect could occur (for example the provision of adequate separation distances in explosive handling facilities). The examples quoted are illustrative of approaches that achieve safety by addressing the reduction of the hazard irrespective of the chance of an initiating event. The underlying philosophy is clearly applicable to many aspects of infrastructure design with the overall aim of reducing the scale of damage should there be an initiating event. This aim applies equally whether the initiation is accidental or deliberate. Lower down the hierarchy are engineering measures of protection to reduce the likelihood of a failure leading to a catastrophic outcome, such as pressure relief systems or emergency cooling systems. In high hazard situations such as nuclear installations, the concept of defense in depth is practiced by the provision of discrete layers of engineered protection, as distinct from redundancy or diversity in each layer.
The layers of protection are intended to arrest the sequence of events leading to a catastrophe as identified by the formal safety analysis.
Table 1. Hierarchy of effectiveness of safety measures
Rank Order   Descriptor                         Intention
1            Inherent safety                    Elimination of hazard
2            Hazard substitution or reduction   Reduction of hazard
3            Engineering measures               Control of accident development
4            Management and training            Control of human and management failures
5            Exhortations                       Dutiful compliance
For example, a layer of protection could be the provision of blast walls or fire protection to limit the spread of damage from a flammable gas incident or to avoid the escalation of the incident as a result of structural failure. Also under the heading of engineering measures are systems for collective protection of exposed people, most obviously the provision of ventilation in enclosed spaces to protect against excessive exposure to toxic gases. The above rank ordering in the hierarchy is a reflection of the fact that good safety practice gives priority to addressing the hazard ahead of addressing the risk and to adopting technical measures to make the achievement of safety as far as possible immune to operator error. However, operator errors will occur and the next level in the hierarchy covers management measures such as safe systems of work and appropriate training of operational staff. These together reduce the possibility of initiation by operator error and are backed up by provision of personal protection (such as gas masks) in the event that all else fails. Finally, at the bottom of the hierarchy are exhortations and appeals to act safely. While these can readily be implemented, their effectiveness is variable depending on the safety culture of the organization as discussed below. The hierarchy is intended as a guide, with higher levels being preferentially adopted where this is reasonably practicable though the lower levels will still be necessary. The formalities that have so far been described can only be effective if they are implemented in an organizational culture that promotes safety as a prime objective. The culture must permeate all levels of management and operations. Everyone needs to know and accept their individual responsibility and their part in the overall scheme. Senior management is responsible for instituting the arrangements for ensuring effectiveness and the representation of all involved in implementing safety policies and practices. 
There are many examples where failure to perform some simple operation has been the immediate cause of a catastrophe, as in the Herald of Free Enterprise accident (Boyd, 1990) where the bow doors of a ferry were left open and the ferry was inundated. Such accidents are often attributed solely to operator errors and senior management too readily disclaims responsibility. Nonetheless, the likelihood of their occurrence will be influenced by the overriding management imperatives communicated to operators. Furthermore, the influence of decision dynamics in a changing situation has been shown to be highly important to safety of flight operations on aircraft carriers (Roberts et al. 1994) while the problem of dealing with conflicting priorities has been discussed in terms of moral responsibilities by Hummels (1997) in the context of aircraft maintenance. The lesson for precaution against terrorist acts is that a safety culture must be nurtured and its vitality maintained by management action, particularly with regard to participation
by all those with a part to play, rather than relying on delegation of responsibility without authority and on tightly specified instructions incapable of coping with the dynamics of an evolving situation.
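The event-tree reasoning of Sections 1 and 2 can be carried through numerically. The following is an added example, not part of the original paper: every frequency, failure probability and harm value is constructed, all names are hypothetical, harm is assumed to scale linearly with inventory, and the beta-factor treatment of common-cause failure is a standard reliability model that the paper does not itself name.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Layer:
    name: str
    p_fail: float  # probability that the layer fails when demanded


def event_tree(init_freq, layers, harms):
    """Enumerate the branches of a simple event tree.

    Layers are demanded in order and the first one that works arrests the
    sequence. harms[k] is the harm when exactly the first k layers failed;
    harms[-1] is the unarrested outcome. Returns (label, frequency, harm).
    """
    if len(harms) != len(layers) + 1:
        raise ValueError("need one harm value per branch end")
    branches, reach = [], init_freq
    for k, layer in enumerate(layers):
        branches.append((f"arrested by {layer.name}",
                         reach * (1 - layer.p_fail), harms[k]))
        reach *= layer.p_fail  # frequency of demands that get past this layer
    branches.append(("unarrested", reach, harms[-1]))
    return branches


def average_risk(branches):
    """Sum of frequency x consequence over all branches (harm per year)."""
    return sum(freq * harm for _, freq, harm in branches)


def worst_case(branches):
    """Largest harm on any branch that can actually occur."""
    return max(harm for _, freq, harm in branches if freq > 0)


def redundant(layer, beta):
    """Two identical channels. Beta-factor model (assumption): a fraction
    beta of channel failures is common-cause and defeats both channels."""
    p = layer.p_fail
    return Layer(f"2x {layer.name}", beta * p + ((1 - beta) * p) ** 2)


def diverse(a, b):
    """Two channels on different principles, assumed fully independent."""
    return Layer(f"{a.name} + {b.name}", a.p_fail * b.p_fail)


def assess(init_freq, layers, harms):
    """Return (average risk, worst-case harm, average risk when no engineered
    layer can be credited, e.g. because the event also disables the layers)."""
    tree = event_tree(init_freq, layers, harms)
    uncredited = [replace(layer, p_fail=1.0) for layer in layers]
    bare = event_tree(init_freq, uncredited, harms)
    return average_risk(tree), worst_case(tree), average_risk(bare)


# Constructed figures for illustration only.
INIT_FREQ = 0.1                       # initiating events per year
TRIP = Layer("shutdown trip", 0.05)
CONTAINMENT = Layer("containment", 0.10)
HARMS = [0.0, 10.0, 1000.0]           # harm units per branch end


def options():
    """Compare one hazard-reduction option with two engineering options."""
    relief = Layer("relief valve", 0.05)
    return {
        "baseline": assess(INIT_FREQ, [TRIP, CONTAINMENT], HARMS),
        "halve the inventory": assess(
            INIT_FREQ, [TRIP, CONTAINMENT], [h / 2 for h in HARMS]),
        "redundant trip, beta=0.1": assess(
            INIT_FREQ, [redundant(TRIP, 0.1), CONTAINMENT], HARMS),
        "diverse trip": assess(
            INIT_FREQ, [diverse(TRIP, relief), CONTAINMENT], HARMS),
    }


if __name__ == "__main__":
    for name, (risk, worst, bare) in options().items():
        print(f"{name:26s} risk={risk:8.4f}/yr  worst={worst:6.0f}"
              f"  uncredited={bare:6.1f}/yr")
```

With these constructed numbers the engineering options lower the average risk most, yet only the hazard-reduction option lowers the worst-case harm and the risk that remains when no layer can be credited, which is the reasoning behind ranking hazard reduction above engineering measures in Table 1.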
3. SOME INTERNATIONAL COMPARISONS
The aspect of safety practice that has proved to be the most intractable is the taking of a rational decision on what is acceptable or what should reasonably be done in the case of a particular postulated scenario. Much depends on national history and the prevailing social and political culture. There is no uniformity of practice in different countries, even within political unions such as the European Union. In the UK, authoritative good practice embodied in standards, or sometimes a clear political imperative for a particular solution, provides the basis for acceptable safety precautions. However, the role of technical and other standards, which might be regarded as objective, is influenced by the culture in different countries regarding the rigidity with which compliance with them is required. In the UK, compliance with standards represents the beginning of the consideration of precautionary measures, i.e. the minimum level of safety that must be achieved. With some exceptions, it is not obligatory to comply with them but, if not, it is necessary to be able to show that what is done is at least as good in terms of safety. Furthermore, there is an obligation to implement further improvements in precaution where this is reasonably practicable, especially where new technology is available and improvements can be made at a cost that is justifiable compared to the safety benefits achieved. In the rest of the European Union, compliance with standards represents the beginning and end of the consideration. The standards have to be complied with and there is no obligation to look beyond them.
A particular difficulty arises where there is no prior experience on which to base good practice standards and uncertainty about the scientific and technical knowledgebase or there is political uncertainty about where to strike the balance between achievement of safety, the cost of precautions and the benefits of allowing an innovation, especially where the public are affected. A particular example is that of nuclear power to which the concept of tolerability of risk was first applied in the UK (Health and Safety Executive, 1992b) and later extended to other areas of industrial risk (Health and Safety Executive, 2000). The decision making philosophy in the UK on industrial safety is thus largely risk based and has been emulated in other countries. Risk assessment and cost benefit analysis are the methodological pillars (Bacon, 1994). The tolerability of the assessed risk is decided by
comparison with commonly occurring risks and considerations of equity and the reasonable practicability of measures to reduce risk (Rimington et al. 2003). This approach seems to be of much greater relevance to decision making on defense against terrorist acts than the application of good practice through standards which would be vulnerable to deliberate subversion. It is also perhaps highly relevant that regulation of industrial safety in the UK uniquely takes explicit account of effects on the public. There is full integration of policies and practices for safety, emergency planning and controls on infrastructure developments around installations with accident potential affecting the public. Given that, it is pertinent to discuss further the experience of the UK system and the lessons that might be drawn for action by the state in seeking preparedness against terrorist acts.
4. DEVELOPMENT OF THE UK APPROACH TO SAFETY CONTROLS
For most of the industrial era, the state laid down the rules by legislative prescription of control measures based on reaction to events that had caused injuries or ill health. The practical effect was that the state was perceived as being responsible for safety. The result was general apathy in industry and a culture of only doing what the state required, under threat of being found in contravention of the law by the enforcing inspectorate. There was often a considerable time lag between the appearance of evidence of harm and the enactment of legislation and the legislation became rapidly out of date as technology advanced. In the second half of the last century, it became increasingly clear that the state legislative process was unable to cope with the complexity and scale of modern industrial operations. The safety record was regarded as unacceptably poor and the lesson that was drawn was that rigid state control of a rapidly changing situation was no longer appropriate.
The legal structure was fundamentally reformed in the early 1970s with the aim of placing responsibility for safety on those who create the risks and giving them greater freedom to devise solutions satisfying safety goals. A process began of replacing prescriptive legislation specifying detailed requirements covering the circumstances of individual industrial sectors with a minimal structure of regulations of wide scope setting out the ends to be achieved. They are intended to be easily understood and are supplemented by guidance on how compliance can be achieved. The guidance is prepared in close collaboration with industry and professional bodies. The involvement of workers in developing safe practices is ensured through safety committees and representatives in workplaces. Science and technology play a strong part in developing techniques and methods of evaluation through research in government, industry and universities.
The principal characteristics of this modern approach, when properly implemented, may be summarized as follows:
• It avoids reductionism or the tendency to separate a multi-faceted control task into discrete elements each of which is addressed in isolation from the rest.
• Instead, it is systematic and recognizes the existence of interdependencies between the many component parts of the system. There is clear definition of the responsibilities of all those who interact to achieve the end result. These include designers, manufacturers, suppliers, managers in enterprises and employees.
• It is self-adaptive to change by allowing solutions to match problems, subject to peer review and provided safety goals are met.
• It generates awareness and involvement at all levels and ensures communication of intent between participants in the system through carefully prepared guidance.
• It provides feedback through the support of wide networks linking different parts of the system both nationally and internationally.
The proof of the effectiveness of the approach is provided by the improvement in safety, in particular a reduction of deaths by a factor of 3 between 1970 and 2000. It may be seen that the approach resembles that of the engineer to the control of any complex system. It acknowledges the importance of the relationships between components and feedback between them. It seeks self-adaptation to ensure stability and, for a system involving human actors, it recognizes the importance of structured learning and communication. There is an obvious lesson here for the effectiveness of measures by the state to control terrorist acts, especially those directed at industrial installations or infrastructures or involving dangerous substances whose existence in sufficient quantity arises as a result of industrial operations.
It cannot be expected that the state would have a command of all the scientific and technical knowledge needed to frame preventative measures in those circumstances. This applies irrespective of whether the measures are based solely on avoiding a repetition of past acts or, of greater relevance, on anticipation and prevention of the many ways in which unintended events might occur. The situation is thus no different to that already in place for state action to ensure safety in high hazard industries. A particular form of state intervention has been developed for such industries which uses an industry’s own detailed knowledge of its
operations in a highly structured way. The approach requires a demonstration to the regulator that there is adequate control of the hazards and the associated risks. The burden of proof is on the owner of an installation rather than the state and the installation is not allowed to operate without the acquiescence of the regulator. This form of intervention is generally known in the UK as a safety case or permissioning regime. The industrial sectors in which a safety case of some kind is required include nuclear plants, offshore oil and gas exploration and production units, railways, gas transmission networks and chemical plants above a defined size. The approach will be discussed in some detail in view of its potential application to preparedness against terrorist acts.
5. SAFETY CASE REGIMES
The first requirement is to establish the criteria for the selection of the installations to which the regime should apply. The main criterion is that there should exist a potential for catastrophic events and hence a need for anticipation and planning. A full statement of current policy on the application of safety case regimes in the UK has recently been published (Health and Safety Commission, 2003). A useful work of reference, for the particular example of chemical plants, is the extensive description of the many aspects of safety prepared by a group convened by the International Council of Scientific Unions following the disastrous accident at a chemical plant in Bhopal, India in 1985 (Bourdeau and Green, 1989). This includes information on the development of European Union policy on the control of industrial major accident hazards following the chemical plant accidents at Flixborough, UK in 1974 and Seveso, Italy in 1976. It is relevant in the context of this paper that members of the public were affected outside all the plants in which these accidents happened.
5.1 Structure of a safety case
The safety case is required to be prepared by the operator of the installation or infrastructure. It must provide evidence of the use of robust procedures for the identification and technical assessment of hazards and for the implementation of prevention, control and mitigation measures. The contents of the safety case are defined by law specific to the industrial sector and generally include:
• a description of the facility and key features of the local environment;
• identification of relevant on-site and off-site hazards and potential causes of major accidents;
• description of measures for prevention, control and mitigation of the hazards;
• description of the management system in place to ensure effective implementation of the safety case, and
• demonstration that the residual risks to people and the environment are as low as reasonably practicable.
In the above listing, the prevention measures address the scale and modes of initiation of an accident using the methods mentioned earlier. They seek to achieve robustness or resistance to failure in the system design. Control measures address the means to interrupt or limit the development of the accident sequence, given a failure of prevention. They seek to reduce vulnerability to escalation by the use of trip systems or isolation and containment measures. Mitigation measures address the protection of people and the environment from harm, given the occurrence of the accident. They seek to increase resilience to the effects of the accident and achieve recovery in both the short and, where applicable, the long term.
5.2 Assessment of safety cases
The legal framework requires the submission of the safety case to the regulator for assessment against published principles, for example, Health and Safety Executive (1992a) for the principles applying to nuclear installations. The regulator examines the submission and provides feedback on issues that are not clear or are in dispute because of differences in judgments, for example on the significance of hazards or the validity of assessment methods used. The regulator and the operator are drawn into a dialogue in order to obtain convergence towards an agreed solution, with the safety case and its successive iterations being used as a tool for constructive dialogue rather than as a means of enforcing the law. In this way, the knowledge and experience of the operator are enabled to play their full part in the determination of the safety measures to be implemented. The final acceptance of the safety case rests with the regulator though the responsibility for safety remains with the operator. The main issues that arise in the assessment of a safety case are to ensure that:
• the exercise of engineering judgment has a robust basis, traceable to transparent reasoning or demonstrable correspondence with experience as distinct from being simply an opinion or a guess;
• full account is taken of human factors such as ergonomics and psychology as influences on response;
• management systems are connected at all levels and rigorous auditing is in place;
• proper account is taken of interactions between hazards to avoid a domino effect;
• where there is doubt about an effect, the action taken errs on the side of safety within the bounds of reasonable practicability i.e. there is a proper balance between expenditure of resources and the reduction of risk achieved.
The safety case regime is considerably more demanding of the resources of the regulator and the operator than the normal system for ensuring compliance with the law through advice and enforcement of statutory requirements. It is important that the effort expended is kept in proportion to the safety issues. There are advantages and disadvantages to both industry and the regulator and these have been discussed by Bacon (1994). The review of policy in the UK referred to earlier (Health and Safety Commission, 2003) concluded that the regime is advantageous to safety and also importantly to ensuring public and political confidence in the adequacy of control of high hazard industries.
The thoroughness and rigor of the safety case approach seem to have much to commend it as a structured means for joint working in developing precautions against acts of terrorism. It would be applicable wherever a high hazard is identified as a threat and is within the management control of a discrete organization such as certain industrial installations or elements of infrastructure so that responsibility for preparing the safety case can be unambiguously placed.
6. NATURAL HAZARDS
The assessment of hazards arising from natural occurrences has long been part of safety in some industrial sectors and some useful lessons may be drawn from that experience. Perhaps the sector with the greatest experience is underground coal mining and specifically in dealing with the hazard of firedamp, a flammable gas consisting mainly of methane. The routine emission of firedamp is an inevitable and natural consequence of mining coal. The rate of emission in normal operations is predictable with high accuracy, being proportional to the rate of extraction of coal and depending on the type of coal. Dilution to a safe concentration is achieved by application of good practice in ventilation, much as described in general terms in earlier sections. This approach is supplemented by rigorous control of sources of ignition. However, sudden large emissions can also occur and
these have been the cause of explosions killing many miners. Whereas these were once thought to be unpredictable natural disasters or ‘acts of God’, they have proved to be amenable to prevention, control and mitigation on the lines of the model described earlier. The first step in the historical development of assessment was the identification of the source of the emissions and a notable contribution was made by Michael Faraday in 1844 when he investigated a mining explosion (McQuaid, 1997). He established that the source in that case was a large gas-filled cavity left behind as the coal seam was mined, with the gas in pressure equilibrium with the air pressure in the mine. The gas would originally be adsorbed on surfaces in the microstructure of the unmined coal and desorbed as the coal was mined. A sudden emission would be precipitated by a rapid fall in barometric pressure and this became a well known indicator of an impending emission (McQuaid and Mercer, 1991). Prevention is addressed by draining the firedamp from the coal and piping it to the surface, thus bypassing the normal ventilation. Control is exercised by requiring the monitoring of the barometric pressure and any fall above a defined rate leads to the suspension of mining operations. Mitigation is achieved by evacuation of miners to the fresh air side of the ventilation or from the mine or the provision of oxygen self rescuers. Similar prevention-control-mitigation practices have been developed for other natural hazards in mining such as unstable strata, sudden outbursts of coal and sudden rock bursts in deep gold mines, all relying on rigorous assessment and experience. Thus the lesson from underground mining is that apparently unpredictable occurrences cannot be left to chance, as they once were. 
Diligence in countering natural hazards requires a deep understanding of causes and effective means for prevention, control and mitigation just as with failures of technology and human behaviour and, as postulated here, with deliberate acts of terrorism. A similar lesson may be drawn from other industrial situations prone to the effects of natural occurrences such as earthquakes and floods. The particular example of dam failure assessment and management is described elsewhere in this volume by Stewart. The assessment of natural hazards unrelated to causation of an industrial accident is a very wide field of investigation. The aspect that seems most relevant to this discussion is that of mitigation of effects, given the realization of the hazard. An example that brings out a number of lessons is the eruption of the Soufriere Hills volcano on Montserrat, a small island in the West Indies. Although the island is self-governing, it is a dependency of the UK and hence the resources of the UK have been available to the government of the island. The eruption started in July 1995 and has since continued with varying intensity (Robertson et al. 2000). It has rendered two-thirds of the island uninhabitable and has resulted in the emigration of a
substantial part of the population. The full details are given on the Montserrat Volcano Observatory website www.mvo.ms and only the relevant aspects will be described here. The monitoring regime that has been put in place is extraordinarily comprehensive and is designed to inform a continuous assessment of the future behaviour of the volcano in terms of risk of defined outcomes. This assessment is associated with scientific uncertainty of an extreme kind and has attracted worldwide involvement of experts both directly and through the medium of the Internet. The exercise has been organized by a dedicated organization, the Montserrat Volcano Observatory with its own Chief Scientist and with links to the British Geological Survey. The exercise is, of course, highly relevant to the organization of response to terrorist incidents with long term effects. The principal facets of the exercise relevant to this discussion are:
• the assessment of physical phenomena covers a wide range, including dome growth and collapse, pyroclastic flows, tsunamis and dust fallout;
• state-of-the-art monitoring equipment has been installed from an early stage and the history of the eruption has been documented in unprecedented detail;
• new ways of assessing hazard and risk in an eruption have been developed, involving techniques of eliciting and combining the judgments of experts based on interpretation of the monitored data combined with models of the different physical effects;
• innovative use of the Internet has been practiced to gather expert views worldwide in real time;
• new ways of providing scientific advice to decision makers have been developed;
• crisis management and recovery has involved evacuation and the designation of exclusion zones, both on the island and at sea, on the basis of risk and the evaluation of long term health effects of dust inhalation;
• the many environmental effects have been evaluated, for example on coral reefs, and
• the interface with the public has required the development of a communication strategy for public outreach and volcano awareness.
The overall exercise provides a valuable, and rare, opportunity for empirical evaluation of expert judgments of future events against actual experience. For this purpose, a meeting is being organized in July 2005 to reflect on key issues raised during the 10 years’ experience of handling the incident.
7. OTHER HAZARDS
The Montserrat volcano experience should have lessons of considerable relevance to the validation of post-incident management of long-term effects arising from other hazards triggered by terrorist incidents. These other hazards include the deliberate large-scale release of chemical, biological or radiological (CBR) agents where detection, dispersal and decontamination are major scientific issues and public perceptions and reactions require special measures for reassurance, cooperation and recovery. Much work is being done in this area, some of which is reviewed elsewhere in this volume while a relevant review of methods for detecting and decontaminating chemical and biological agents has recently been published in the UK (Royal Society, 2004). The Montserrat and CBR examples share the common feature of an initial discrete event causing immediate effects followed by an evolution whose path depends on countermeasures and, in the case of Montserrat, is maintained or enhanced by the dynamics of volcano behaviour. A situation of a quite different character is where there is perceived to be a threat that grows in time rather than being initiated by a readily identifiable incident but the way in which the threat may be brought about and where and when are all uncertain and likely to be unknowable in advance. The decision on the development and implementation of precautionary measures then becomes acutely difficult with questions of limitation of resources and avoidance of public alarm needing political resolution. This situation already occurs in the area of public health in relation to potential outbreaks of infectious diseases, particularly those that may develop into pandemics. However, the scenario could conceivably apply where infrastructures such as water and food supplies could provide the vector for proliferation.
The lessons to be drawn from past experience relate to the interaction between science and political decision makers in situations where there is little evidence and conflicting signals may abound. A highly instructive examination of the dual responsibilities of science and politics in crisis response and management in an actual occurrence is provided by Neustadt and Fineberg (1978). The occurrence was the US swine flu affair of 1976/77, referred to as an ‘affair’ since the feared pandemic of swine flu did not materialize. The possibility of a pandemic meant that the vaccination of the entire population of the US had to be contemplated. This had major implications for availability of vaccines, the choice between different vaccines, their continued effectiveness and the possibility of serious side effects of the vaccines. The examination of the evolution of the response was commissioned by the Secretary of Health, Education and Welfare (HEW) for whom it raised two difficult questions:
• How do politicians deal with highly technical issues when knowledge is speculative, ‘facts’ are uncertain and hotly debated?
• How should the public be involved and educated on complex issues and is a robust public debate possible?
As a lawyer, the Secretary of HEW conceded that he did not even know what questions to ask in order to reach an intelligent decision. The conclusions of Neustadt and Fineberg’s examination, insofar as they relate to science, provide salutary lessons on the inadequacies of the scientific input to the crisis. These may be summarized as follows:
• expert advisers overconfident in their judgments;
• strength of advice not supported by evidence;
• no proper peer review by independent experts;
• assumptions in predictions not linked to signals that might emerge that would question their validity;
• experts resisted quantifying their judgments in probabilistic terms – deemed to be ‘unprofessional’;
• all issues rolled into one decision with one deadline – no project management by defined stages and no break points, and
• a political decision pushed by scientists on the politicians.
The analysis leading to these conclusions is cogently argued though it might now be thought by some to be only of historical interest. However, history has a habit of repeating itself and it is unfortunate that some of these criticisms or variants of them reappeared in the handling of the BSE (Bovine Spongiform Encephalopathy or ‘mad cow disease’) crisis in the UK 20 years later (Phillips, 2000). As a result, new policies on the provision of scientific advice to government in the UK have been implemented (Office of Science and Technology, 2000, 2001) and these have been emulated in other countries.
The lesson for preparedness against terrorist acts is that expert advisers must be vigilant in resisting the temptation to convey certainty in their advice where certainty does not exist and must always provide an appraisal of uncertainties so that an intelligent political decision may be made.
8. CONCLUDING REMARKS
The view of this paper is that there is much advantage to be gained for precaution against terrorist acts by learning from scientific and engineering experience in handling industrial hazards, natural disasters and major public health issues. The evolution of this experience has produced many lessons on effectiveness which have been described in this paper. The main need is to apply robust analyses and considered judgments conforming to the
established norms of professional practice in hazard and risk assessment and management. Only in this way can the inevitable uncertainties be handled consistently and effectively so as to reduce vulnerabilities, increase resilience and properly inform decision making.
DISCLAIMER
The contents of this paper draw upon the author’s experience as Chief Scientist of the UK Health and Safety Executive from 1992 to 1999. However, the views expressed are those of the author alone and do not represent official policy.
REFERENCES
Bacon, J., 1994, Risk-based regulation: setting goals for health and safety, Int. Conf. on Probabilistic Safety Assessment and Management (PSAM-II), San Diego, USA, 20-25 March, session 021.
Bourdeau, P. and Green, G., 1989, Methods for Assessing and Reducing Injury from Chemical Accidents, John Wiley, Chichester, UK.
Boyd, C., 1990, The responsibility of individuals for a company disaster, in: People in Corporations, G. Enderle et al. eds, Kluwer, Dordrecht, pp. 139-148.
Connor, C. B., Sparks, R. S. J., Mason, R. M., Bonadonna, C. and Young, S. R., 2003, Exploring links between physical and probabilistic models of volcanic eruptions: The Soufriere Hills volcano, Montserrat, Geophys. Res. Letters, 30:1697-1701.
Daish, N. C., Britter, R. E., Linden, P. F., Jagger, S. F., Carissimo, B., 1999, SMEDIS: Scientific evaluation of dense gas dispersion models, in: International Conference on Modelling the Consequences of Accidental Releases of Hazardous Materials, CCPS, New York, USA, pp. 435-457.
Hartford, D. N. H., 2001, Risk analysis in geotechnical and earthquake engineering: state-of-the-art and practice for embankment dams, in: Proc. 4th International Conference on Recent Advances in Geotechnical Earthquake Engineering, University of Missouri-Rolla, USA, paper no. 5.
Health and Safety Commission, 2003, Policy Statement: Our Approach to Permissioning Regimes, HSE Books, Sudbury, UK.
Health and Safety Executive, 1992a, Safety Assessment Principles for Nuclear Plants, HSE Books, Sudbury, UK.
Health and Safety Executive, 1992b, The Tolerability of Risk from Nuclear Power Stations, HMSO, London, UK.
Health and Safety Executive, 2000, Reducing Risks, Protecting People, HSE Books, Sudbury, UK.
Hummels, H., 1997, Safety and aircraft maintenance: a moral evaluation, Int. J. Value-Based Management, 10:127-146.
Kletz, T., 1999, Hazop and Hazan, 4th ed., Inst. Chem. Engrs, Rugby, UK.
McQuaid, J., 1997, Safety’s debt to Davy and Faraday, Proc. Roy. Inst. GB, 68:177-208.
McQuaid, J., 1999, Quality considerations in predictive modeling, in: Fire and Explosions: Recent Advances in Modelling and Analysis, Inst. Mech. Engrs, London, UK, pp. 1-6.
McQuaid, J., 2002, The realities of decision making on risks, in: Quantitative Methods for Current Environmental Issues, C. W. Anderson, V. Barnett, P. C. Chatwin and A. H. El-Shaarawi, eds, Springer-Verlag, London, UK.
McQuaid, J. and Mercer, A., 1991, Air pressure and methane fluxes, Nature, 351:528.
Neustadt, R. E. and Fineberg, H. V., 1978, The Swine Flu Affair: Decision Making on a Slippery Disease, Department of Health, Education and Welfare, Washington D.C., USA.
Office of Science and Technology, 2000, The Use of Scientific Advice in Policy Making, DTI, London, UK.
Office of Science and Technology, 2001, Code of Practice for Scientific Advisory Committees, DTI, London, UK.
Parkin, J., 2000, Engineering Judgement and Risk, Thomas Telford, London, UK.
Phillips, Lord, 2000, The BSE Inquiry: Volume 1 Findings and Conclusions, The Stationery Office, London, UK.
Rimington, J., McQuaid, J. and Trbojevic, V., 2003, Application of Risk-Based Strategies to Workers’ Health and Safety Protection, Reed Business Information bv, Doetinchem, The Netherlands.
Roberts, K. H., Stout, S. K. and Halpern, J. J., 1994, Decision dynamics in two high reliability military organisations, Management Science, 40(5):614-624.
Robertson, R. E. A., Aspinall, W. P., Herd, R. A., Norton, G. E., Sparks, R. S. J. and Young, S. R., 2000, The 1995-98 eruption of the Soufriere Hills volcano, Montserrat, W.I., Phil. Trans. Roy. Soc. Lond., 358(1770):1619-1638.
Royal Society, 2004, Making the UK Safer: Detecting and Decontaminating Chemical and Biological Agents, The Royal Society, London, UK.
Vick, S. G. and Stewart, R. A., 1996, Risk analysis in dam safety practice, in: Uncertainty in the Geologic Environment, Geotechnical Special Publication No. 58, Amer. Soc. Civ. Engrs, New York, USA, pp. 604-635.
LARGE DAMS AND THE TERRORIST THREAT
“A Completely New Dimension” or “An Additional Hazard”
Ramond A. Stewart
BC Hydro
Abstract:
Dams in general are hazardous structures that, as every informed terrorist knows, harness vast quantities of potential energy, even by nuclear standards. Dams also fail, usually in unpredictable ways and frequently at the most inopportune times. Thus, dam owners have become attuned to having to deal effectively with unexpected failures, the failure of the Dale Dyke Dam in Sheffield, UK in 1864 and the Silver Lake dam failure at Marquette, USA in 2003 being just two examples spanning the last century. In simple terms, dam ownership necessarily demands the ability to respond to unexpected dam failure.
Key words:
Dam security, life safety, simulation
1. CONCEPT
The invitation to prepare this paper presented a dilemma, specifically to prepare meaningful written documentation concerning the security of some of the largest dams in the world in the face of the sophisticated international terrorist threat. The world has come to understand that the international terrorist networks of the 21st century are highly sophisticated, comprising many very intelligent and well-organized people. One would be naïve to assume that large dams are not a potential terrorist target – very recent (Balkans conflict) and recent (World War II) history tells us that both Governments and their adversarial combatants regard dams as highly effective weapons of destruction. Accordingly, I expect that anything I might say or write about the terrorist attacks on large dams would be considered by these groups to be “long past their best by date”.
K.V. Frolov and G.B. Baecher (eds.), Protection of Civilian Infrastructure from Acts of Terrorism, 103–124. © 2006 Springer. Printed in the Netherlands.
The first question that comes to mind is “Are large dams in Canada a potential terrorist target?”. The answer is yes, particularly since “both sides” appear to have adopted the mantra “if you are not with us, you are against us”. Consequently, I decided to focus my attentions on managing the consequences of a successful terrorist attack on a large dam.
2. SAFETY MANAGEMENT OF LARGE DAMS
Dams in general are hazardous structures that, as every informed terrorist knows, harness vast quantities of potential energy, even by nuclear standards. Dams also fail, usually in unpredictable ways and frequently at the most inopportune times. Thus, dam owners have become attuned to having to deal effectively with unexpected failures, the failure of the Dale Dyke Dam in Sheffield, UK in 1864 and the Silver Lake dam failure at Marquette, USA in 2003 being just two examples spanning the last century. In simple terms, dam ownership necessarily demands the ability to respond to unexpected dam failure. Accordingly, whether the dam failure is caused by an unknown defect in the dam, an earthquake or a successful attack, the competent dam owner, and the community emergency preparedness authorities will be in a position to invoke their dam breach emergency plans. Therefore, the primary focus of this contribution is on the analysis of dam breach emergencies in general. This generalized approach is appropriate because dam owners and emergency response authorities can utilize their existing structures and procedures to respond to an unanticipated terrorist induced dam failure in much the same way as they respond to all other unanticipated dam failure scenarios.
2.1 The terrorist threat in the context of dam safety hazards
In order for a terrorist group to cause a dam to fail, it must initiate a sequence of events that results in a failure mode of the dam, which can be broadly characterized in terms of “overtopping” and “structural collapse”. Examples of these two general failure modes are the Vaiont Dam failure in Italy in 1963 and the Malpasset Dam failure in France in 1959. The death toll in the Vaiont tragedy was in excess of 2,000 and more than 400 in the case of the Malpasset tragedy.
[Figure 1. Hazards and Failure Modes Matrix. Recoverable labels: columns for External Hazards (Meteorological, Seismic, Human Attack) and Internal Hazards (Design, Construction, Maintenance, Operation), with sub-labels Water barrier, Hydraulic struct., Mech/elec, Plans and Human Error; rows grouped by global failure mode and functional failure characteristics. DAM OVERTOPPING (all water barriers): hydraulic adequacy (discharge capacity); discharge reliability issues (failure to open); operational adequacy (rules followed); reservoir maintenance (debris clearing etc.); wave overtopping (freeboard, upstream dams, landslides); management systems (support hydraulic oper'ns). DAM COLLAPSE (internal structural and weakening; all water barriers): liquefaction (static); internal erosion (dam/abutments/foundation); deformations (displacement/depressions); structural weakening (crushing, strength loss); waterstops/interfaces (unanticipated ingress water); pumps and drains (uplift pressure control); management systems (support dam performance).]
From the perspective of a knowledgeable dam owner, the terrorist threat simply increases the probability of an unanticipated dam failure. Dam owners must accommodate a range of external hazards such as floods and earthquakes, and internal hazards such as design and construction flaws, mis-operation and the like. BC Hydro utilizes a Hazards and Failure Modes Matrix for the identification of how hazards and failure mechanisms might be combined to result in either the dam overtopping or dam collapse failure modes. The incorporation of the terrorist threat as an external hazard simply required the addition of a third column (Human Attack) to the matrix (Figure 1). The terrorist hazard is controlled to the maximum extent that is possible using available security measures. However, BC Hydro holds the view that absolute security for dams is unachievable and that, once best available security is in place, it is necessary to manage the terrorist threat in the same way as the other natural external and internal hazards that dams are exposed to. BC Hydro also considers that naturally occurring forces such as those due to earthquakes, or internal design and construction flaws, can cause dam failures to occur at least as rapidly and unexpectedly as any terrorist attack, if not more so. Thus in implementation, BC Hydro’s risk management process assumes that a terrorist attack that breaches security and provides the terrorists with the opportunity to initiate a failure mechanism is a relatively
low probability but high consequence event. It is because the terrorist hazard in its operation is comparable to several of the other hazards that dam owners must manage that the terrorist challenge can be addressed by adding another hazard to the hazard catalogue and responding to it. In this regard there is explicit recognition that a terrorist organization can initiate a dam failure mechanism, and that measures to mitigate the consequences of terrorist induced dam failure must be in place to protect the public from the resulting devastation. Here I hold the view that the terrorist threat, while real and powerful, is not as significant, nor as powerful, as nature. Perhaps here I risk the wrath of a terrorist group by taking the position that nature rather than they are most powerful. However, I have given careful consideration to my position and I am satisfied that no terrorist group can unleash a dam failure faster than natural forces which can do so instantaneously and without warning. It is for this reason that the remainder of my discussion focuses on how dam owners might respond to instantaneous and unexpected dam failure regardless of cause.
2.2 Safeguarding the public in the event of instantaneous dam breach
Recognizing that dams can fail catastrophically and unexpectedly due to natural causes at the most inopportune times (e.g. 3:00AM) and that many dams have large populations immediately downstream, BC Hydro is developing a “Life Safety Model” (LSM) to assist in the emergency response and management of such a calamity. The remainder of my discussion provides a rudimentary explanation of the model and the way we have used it to recreate the catastrophic failure of the Malpasset Dam in France in 1959.
2.3 The Malpasset catastrophe, 2 December 1959¹
In the winter of 1959, torrential rains come to fill for the first time the new dam at Malpasset, close to Fréjus, in the south of France. When this yielded on December 2, 1959, nearly 50 million cubic meters of water, the dam gave way devastating country and villages to the sea. It is the greatest catastrophe of this kind which ever touched France. Of all the made works of the hand of man, this was among the most fatal. These words are those of the designer of Malpasset, the engineer André Coyne then president of the International association of dam and specialist uncontested in the construction of the arch dams dead 6 months after the catastrophe. The stopping is thus filled to the brim when it yields, at 21.13 exactly. The noise of the cracking of its vault alerts in first the guard of the work, which takes refuge in top of its house, with 2 km and half downstream. Well takes some to him: a gigantic wave 40 m high breaks in the narrow valley at the speed of 70 km/h. Sweeping all on its passage, it leads to Fréjus 20 minutes later, before being thrown in the sea. Plan ORSEC - plan of organization of the helps - is immediately started. The soldiers of the local bases as of the helicopters of the American army based in the surroundings deal with carrying help to the survivors, but also releasing the bodies of the victims. General de Gaulle, chair Republic later, came on the spot a few days, discovers a zone completely disaster victim. The catastrophe made 423 victims. In addition, 2,5 km of railways were torn off, 50 firm puffed up, 1000 sheep and 80 000 Ha of wine lost.
The Malpasset Dam failure, like the Vaiont Dam wave overtopping tragedy in Italy in 1963 in which more than 2000 people perished, provides powerful illustrations of the nature of instantaneous dam failures and seriously focuses the minds of the owners of large dams above populated areas. Such catastrophes are matters that dam owners must do their utmost to prevent, through control of the hazard that causes the failure and mitigation of the consequences of dam failure. It is precisely because dam owners must have emergency plans to deal with instantaneous and unexpected dam failures that they are positioned to respond to the emergent terrorist threat.
¹ Franck Bruel. All rights reserved. Revision: 8 July 2001.
3. BC HYDRO’S MODEL
For the purpose of modeling, the world of people, buildings and infrastructure that could be impacted by a dam emergency is viewed from two perspectives:
• a static view that describes long-term characteristics and relationships of people, and their world, which includes for example person’s age, societal, the construction type of a building, and the number of lanes of a road segment; and
• a dynamic view that describes a snapshot of the world at a given time of day, week and year, which includes for example locations of people, weather related driving conditions, and state of alertness at day or night.
The LSM approach is built around developing a static view of the world, which serves as the foundation for the dynamic snapshot views. Each of these snapshot views, along with a corresponding flood simulation, is then processed into an individual-based simulation engine, the Life Safety Simulator (LSS), which simulates people’s reaction, evacuation, and the impact of flood water on them, buildings and infrastructure (Figure 2). The LSM is built on a modular design, which provides flexibility in development, calibration, quality control and adopting future enhancements. The LSM architecture encompasses the following components (Figure 3):
• The People’s World Model (PWM), which processes census and GIS data to develop static world views;
• The LSM Scenario Generator, which produces snapshot views of the world at given times of day, week and year;
• The Life Safety Simulator, which simulates the impact of inundation on the downstream communities, based on snapshot views and flood simulations produced by a 2D hydrodynamic model;
• A scenario management module;
• A suite of data input/output processing and analysis; and
• Companion software for visual simulation of LSM output.
[Figure 2 diagram: Static View of the World (people, buildings, vehicles, their links and characteristics); Snapshot of the World (locations of people at a given time) for Time(1) … Time(i) … Time(n); Hydrodynamic Run (Telemac, MIKE21); Simulation of Impact of Inundation on People and Objects]
Figure 2. The Life Safety Model Approach
Figure 3. The Life Safety Model Architecture
4. THE PEOPLE’S WORLD MODEL
Development of effective dam breach emergency plans requires a clear assessment of the size, distribution and characteristics of the downstream population. The task is complex, as it is necessary to consider the dynamics of human communities, which usually involve significant hourly, weekly and seasonal spatial redistribution of the population. An example of this urban behaviour is the daily mass movement of workers from dormitory communities on the outskirts of large cities into downtown areas. Therefore, emergency planning based solely on reported census statistics is generally flawed and could lead to significant misinformation being used as input to any emergency planning process.
The People’s World Model (PWM) is designed to address the complexities of the spatio-temporal characteristics of human communities. The PWM produces a virtual society made up of persons who are members of residential groups and linked to the transportation system and places of activities including residences, work places, schools and shopping and recreational places (Figure 4). Each person is also associated with a schedule, referred to as the whereabouts table, which describes his/her likelihood of being involved in a given activity (such as being at home, work, etc.) at a given time. Buildings and vehicles are also represented individually and assigned characteristics based on GIS and census data. The generated information is stored in a database to facilitate analysis, quality checking and updating with external information.
Figure 4. Representation of a Community in the People’s World Model
4.1 People’s world model algorithm
The process of generating a static view of the world in the PWM can be summarized as follows:
• Residential groups are created from census data. Residential groups contain information on the number, age and sex of their members.
• GIS data on buildings, which are widely and increasingly available in many communities around the world, are used to produce information on buildings’ use class, type of construction, material, age and number of floors. Each building is classified in the model based on its use as a place of residence, work, school, shopping and recreation. In addition, buildings are assigned characteristics used in the Life Safety Simulator to assess their capability in sustaining damage under exposure to flooding conditions.
• Each residential group is assigned a place of residence located within the same census subdivision. Allocation is assigned randomly, while observing restrictions that mirror known residency restrictions, such as age entry requirements in senior residences.
• Virtual models of individuals are instantiated based on the information contained in the parent residential group. These virtual models are assigned characteristics pertaining to their age, sex, social status, employment status, attendance of school, and parameters of the Life Safety Simulator.
• Based on their employment status and attendance of school, the virtual models are assigned to places of work and school.
• Each virtual model is assigned a whereabouts table.
• Virtual models of vehicles are assigned to residential groups based on statistical data on vehicle ownership.
4.2 The whereabouts table for the virtual individual
The LSM scenario generation approach requires information on the time distribution of activities for each virtual individual at times of day, week and year that add up to a full calendar year. The virtual individual’s whereabouts table is designed to contain this information represented in the form of likelihoods of conducting daily life activities at given times during an average year (Table 1).
Table 1. An Example of a Virtual Individual’s Whereabouts Table for a working individual. Likelihoods are expressed in terms of probabilities of being at a place during a given time of day, week and year
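Time of Year: September 1 to April 30

| Time of Week | Weekdays (Mon-Fri) | Weekdays (Mon-Fri) | Weekdays (Mon-Fri) | Weekends & Statutory Holidays | Weekends & Statutory Holidays |
|---|---|---|---|---|---|
| Time of Day | 8am-5pm | 5pm-10pm | 10pm-8am | 10am-8pm | 8pm-10am |
| Frequency of period per Year | 0.1694 | 0.0941 | 0.1883 | 0.0881 | 0.1233 |
| At Home | 5 | 55 | 80 | 37 | 80 |
| At Work | 84 | 5 | 1 | 3 | 1 |
| At School | 0 | 0 | 0 | 0 | 0 |
| Shopping | 3 | 20 | 5 | 25 | 1 |
| Recreational | 1 | 10 | 7 | 25 | 10 |
| On Road | 5 | 7 | 5 | 7 | 5 |
| Out of Area | 2 | 3 | 2 | 3 | 3 |

Time of Year: May 1 to August 31

| Time of Week | Weekdays (Mon-Fri) | Weekdays (Mon-Fri) | Weekdays (Mon-Fri) | Weekends & Statutory Holidays | Weekends & Statutory Holidays |
|---|---|---|---|---|---|
| Time of Day | 8am-5pm | 5pm-10pm | 10pm-8am | 10am-8pm | 8pm-10am |
| Frequency of period per Year | 0.0871 | 0.0484 | 0.0968 | 0.0435 | 0.0609 |
| At Home | 5 | 42 | 70 | 25 | 60 |
| At Work | 60 | 3 | 1 | 1 | 1 |
| At School | 0 | 0 | 0 | 0 | 0 |
| Shopping | 5 | 20 | 5 | 25 | 2 |
| Recreational | 12 | 12 | 15 | 30 | 25 |
| On Road | 8 | 8 | 5 | 10 | 7 |
| Out of Area | 10 | 15 | 4 | 9 | 5 |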
Although virtual individuals can be individually assigned unique whereabouts tables, these tables are usually assigned per class of person based on the person’s employment status, attendance of school, and/or age. A model of a working individual for example is expected to spend more time at work during typical working hours (e.g., 8am-5pm, weekdays); while a model of a home-maker is most likely at home or shopping during the same period.
4.3 Time domain
The time dimension of a PWM static view has to be composed of time periods that add up to a complete calendar year. This condition is essential to guarantee a full spectrum assessment of probabilities of occurrence of dam emergencies, which is a necessary component of a proper risk assessment process. A PWM representation can be assigned only one time domain, which is applied consistently throughout all generated scenarios. Time is therefore treated as the common thread that ties scenarios together, as illustrated in the time-based probability tree shown in Figure 5. This approach streamlines and facilitates the development of probability trees and scenario cross-analysis.
[Figure 5 diagram: probability tree branching on Time of Year (JAN1 - APR31, MAY1 - JUN30, JUL1 - AUG31, SEP1 - DEC31), Reservoir’s Level (m) (425, 430, 440, 435), Time of Week (Weekdays, Weekends) and Time of Day (8am - 5pm, 5pm - 10pm, 10pm - 8am, 10am - 8pm, 8pm - 10am), with PAR, LOL and Prob. columns for each branch; the values are shown as # placeholders]
Figure 5. A typical LSM Time-Based Probability Tree
5. GENERATION AND MANAGEMENT OF SCENARIOS
After the configuration of the PWM, the LSM is primed for generating single scenarios, or for producing a set of scenarios representing the full spectrum of the given time domain. The former alternative is suited for analyzing dam breach consequences and possible mitigation measures under known or pre-determined hydrodynamic and time conditions. The latter application is a prelude to a comprehensive risk assessment. Creating an LSM scenario involves first invoking the PWM to produce a snapshot view of the world at a selected time of the day, week and year. The snapshot view is then processed through the Life Safety Simulator as described in the next section.
[Figure 6 map: snapshot for Time: 8am - 5pm, Day: Monday - Friday, Month: April 1 - May 31, with individuals shown On Road, in an Office Building, At Home and at School]
Figure 6. An Example of a LSM Snapshot View
The snapshot view captures locations and characteristics of each individual LSM object at the given time. The process is focused on individual models, where the location of each model is determined through random selection based on the likelihoods in the corresponding whereabouts table. Virtual individuals can be assembled into groups to reflect collective behaviour. For example, based on the whereabouts table presented in Table 1, the scenario generator would most likely (84%) locate the individual at a place of work during the daytime hours of 8am-5pm on a weekday. For another snapshot view, the model of the individual may be determined to be on the road, albeit at a much lower probability of 5%. An example of a snapshot view is shown in Figure 6. In the example, the process of individually allocating model individuals to associated locations results in populating the area under consideration. Locations and characteristics of the virtual individuals, buildings, vehicles, and roads are then passed to the LSS. The LSM provides a central tool for managing the configuration, generation and analysis of scenarios through a database of input snapshot views and corresponding output results. The flood warning mechanism is configured in the LSS as a web of virtual centers that receive, relay and disseminate information. Virtual models
of individuals can receive the warning directly via these centers, from others, or by hearing or seeing encroaching flood waves. The LSS provides access to modify the status of any individual object at any given time. This feature enables users to enforce certain events, such as loss of a bridge or destruction of a building, thus facilitating the process of testing “what if...?” scenarios and the incorporation of additional information obtained externally via observation or from other models.
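The random placement of individuals described in this section can be sketched with the Table 1 whereabouts likelihoods as follows. This is an added example, not BC Hydro's LSM code: the function names, the constructed population and the home/work identifiers are assumptions, and only the home and work activities are resolved to buildings.

```python
import random
from collections import Counter

ACTIVITIES = ("At Home", "At Work", "At School", "Shopping",
              "Recreational", "On Road", "Out of Area")

# Whereabouts table for a working individual, transcribed from Table 1.
# key: (time of year, time of week, time of day)
# value: (frequency of the period per year, likelihood in % per activity)
WORKER_TABLE = {
    ("Sep1-Apr30", "weekday", "8am-5pm"):  (0.1694, (5, 84, 0, 3, 1, 5, 2)),
    ("Sep1-Apr30", "weekday", "5pm-10pm"): (0.0941, (55, 5, 0, 20, 10, 7, 3)),
    ("Sep1-Apr30", "weekday", "10pm-8am"): (0.1883, (80, 1, 0, 5, 7, 5, 2)),
    ("Sep1-Apr30", "weekend", "10am-8pm"): (0.0881, (37, 3, 0, 25, 25, 7, 3)),
    ("Sep1-Apr30", "weekend", "8pm-10am"): (0.1233, (80, 1, 0, 1, 10, 5, 3)),
    ("May1-Aug31", "weekday", "8am-5pm"):  (0.0871, (5, 60, 0, 5, 12, 8, 10)),
    ("May1-Aug31", "weekday", "5pm-10pm"): (0.0484, (42, 3, 0, 20, 12, 8, 15)),
    ("May1-Aug31", "weekday", "10pm-8am"): (0.0968, (70, 1, 0, 5, 15, 5, 4)),
    ("May1-Aug31", "weekend", "10am-8pm"): (0.0435, (25, 1, 0, 25, 30, 10, 9)),
    ("May1-Aug31", "weekend", "8pm-10am"): (0.0609, (60, 1, 0, 2, 25, 7, 5)),
}


def validate_table(table, tol=1e-3):
    """Check the two invariants of the time domain; return the frequency total."""
    for period, (_, likelihoods) in table.items():
        if len(likelihoods) != len(ACTIVITIES) or sum(likelihoods) != 100:
            raise ValueError(f"likelihoods for {period} do not sum to 100%")
    total = sum(freq for freq, _ in table.values())
    if abs(total - 1.0) > tol:
        raise ValueError(f"periods cover {total:.4f} of a year, expected 1.0")
    return total


def make_population(n, n_homes, n_workplaces, rng):
    """Constructed sample population: n workers with random home/work links."""
    return [{"id": i,
             "home": f"home-{rng.randrange(n_homes)}",
             "work": f"work-{rng.randrange(n_workplaces)}",
             "table": WORKER_TABLE} for i in range(n)]


def generate_snapshot(population, period, rng):
    """Draw one activity per person for the period and resolve it to a place."""
    snapshot = {}
    for person in population:
        _, likelihoods = person["table"][period]
        activity = rng.choices(ACTIVITIES, weights=likelihoods, k=1)[0]
        # Only home and work are linked to buildings in this sketch.
        place = {"At Home": person["home"],
                 "At Work": person["work"]}.get(activity)
        snapshot[person["id"]] = (activity, place)
    return snapshot


def activity_counts(snapshot):
    """Number of individuals per activity in one snapshot."""
    return Counter(activity for activity, _ in snapshot.values())


def occupancy(snapshot):
    """People per building: the per-location population a flood run would meet."""
    return Counter(place for _, place in snapshot.values() if place is not None)


def annual_fraction(table, activity):
    """Time-weighted share of the year spent in an activity."""
    col = ACTIVITIES.index(activity)
    return sum(freq * lk[col] / 100 for freq, lk in table.values())


if __name__ == "__main__":
    rng = random.Random(2006)
    validate_table(WORKER_TABLE)
    people = make_population(1000, n_homes=400, n_workplaces=20, rng=rng)
    for period in (("Sep1-Apr30", "weekday", "8am-5pm"),
                   ("Sep1-Apr30", "weekday", "10pm-8am")):
        snap = generate_snapshot(people, period, rng)
        print(period, dict(activity_counts(snap)),
              "busiest:", occupancy(snap).most_common(1))
    print("share of year at work:",
          round(annual_fraction(WORKER_TABLE, "At Work"), 4))
```

Running the two snapshots side by side shows the same static population concentrated in a few workplaces by day and spread over many homes at night, which is the redistribution the whereabouts table is meant to capture.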
6. THE LIFE SAFETY SIMULATOR (LSS)
The Life Safety Simulator (LSS) is designed to determine the impact of a dam breach event on the downstream population by modeling the behaviour and mobilization of virtual individuals in response to advancing flood waves. Modelling is conducted at the individual level, which accounts for the location and characteristics of each virtual individual, building, vehicle and road segment at each time step. The LSS features a traffic simulation module that captures the collective behaviour of drivers through a set of movement rules that mimic real traffic rules.
6.1 Basic structure
The basic element of this version of the BC Hydro Life Safety Model (BCHLSM) is the Population At Risk-Unit (PARU), which is defined as a virtual representation of a person who could be located within the area that would be inundated if the dam were to breach. The BCHLSM presents the world of the PARU as a digital representation of the earth’s surface, water bodies, buildings, structures, and road networks in the inundated area. Changes in river hydraulics as a result of dam breach are estimated based on a simulation using a 2-dimensional hydrodynamic model. PARUs are classified in terms of population sub-groups such as adults, children, and seniors. The virtual models are assigned a set of characteristics that define how they behave and respond to changes in their environment. A collection of PARUs who share the same location, such as being in the same building, traveling in the same vehicle or walking together, is labeled as a PAR Group (PARG). The concept of the PARG can be viewed as a representation of a bond among a group of people that makes them behave as a collective unit. This bond could be social, such as the relationship among members of the same family, or born out of the human nature to help and support others in peril, or simply to react in a uniform fashion.
PARUs reside in inhabited units (INUs). An INU could be a virtual model of a house, an apartment in a three-storey building, an office floor in a high-rise building, or a spot in a campsite, etc. Buildings have characteristics that define the nature of their use and structural resistance to flooding conditions. A collection of buildings (BLDGs) constitutes an Area (AREA). The hierarchy of the representation of virtual models of the population and infrastructure at risk in the BCHLSM is shown in Figure 7.
[Figure 7 diagram: World of the PAR, divided into AREA 1 … i … A; each AREA into BLDG i1 … ij … iB; each BLDG into INU ij1 … ijk … ijU; each INU into PARG ijk1 … ijkl … ijkG; each PARG into PARU ijkl1 … ijklm … ijklP]
Figure 7. Hierarchy of the Virtual Representation of the Population at Risk
6.2 Main algorithm
At the core of the LSS resides a model of the behaviour of a virtual individual, which determines the reactions and decisions made by the virtual models once they become aware of the threat. The general logic of this behavioral model is depicted in Figure 8, and can be summarized as follows (Assaf et al. 2001). The following outlines the main algorithm that ties together the different model modules, which together simulate the response and movement of the PAR and assess their survivability.
1) Using GIS-based information, the BCHLSM creates a digital representation of the area’s topography, water bodies, buildings and road networks. Each INU is assigned at least one PARG. The number and types of PARUs in a PARG are specified based on census data, commercial or industrial data sources. The number of PARUs in each INU is adjusted by factors representing daily, weekly and seasonal distribution of the PARUs.
2) Warning of a dam breach is first initiated at a Global Warning Center (GWC), which represents responsible authorities. The global warning center dispatches the warning to Local Warning Centers (LWC), located at center locations within neighborhoods and town centers. Each LWC disseminates warning at a specified rate to adjacent INUs.
3) A PARG may independently, and possibly earlier, become aware of the flood through sensory clues. This may occur during the daytime by seeing river levels rising, or during the night by learning about inundated INUs within a short distance.
4) Once it becomes aware of the flood, the PARG has to make a decision regarding moving to safety. The PARG could have several options, each representing a plan to get to a Perceived Safe Haven (PSH), defined as a location that the PARG perceives to be completely safe from flooding. The degree of perception of safety is represented as a percentage, ranging from 100%, which indicates that the PSH is perceived to be very safe, down to 0%, which indicates that the place is not sought after as a safe place. Presently, the escape plan for the PARG is defined in terms of a lowest cost function which is equal to the time needed to get to a PSH multiplied by its degree of perception of safety. PSH could include high grounds, high-rise buildings or the INU in which the PARG is residing.
5) The model assumes that the PARG spends some time before it starts evacuating the INU. This delay, PDEU, is defined as the average of the time it takes each PARU to start evacuating the INU. PDEU is attributed to the delay encountered while overcoming shock, helping others, making a decision regarding staying or evacuating the INU and/or gathering belongings. It takes the PARG an additional time to evacuate the INU, which is referred to as the INU Evacuation Time, IUET. So, it takes the PARG time PDEUAVG + IUET to evacuate the INU.
6) If the flood wave hits the BLDG in which the INU is contained while the PARG is still inside the INU, the structural state and survivability of the BLDG are assessed (not presented). If the BLDG is not destroyed, the PARG is considered safe. However, if the BLDG is destroyed, the INU is also considered destroyed, and survivability of each PARU is modeled independently.
[Figure 8 flowchart: iterative 2-dimensional dam breach modelling procedure to simulate time-varying forcefulness of flood waters; PARU in BLDG; DECISION (stay in BLDG, use VHCL, walk); PARU stays in BLDG, PARU flees on foot, or PARU in VHCL; YES/NO checks for BLDG destroyed, PARU overwhelmed, VHCL overwhelmed, PARU reaches safe area, VHCL reaches safe area and flood recedes; outcomes PARU SURVIVES or PARU does not SURVIVE; one part of the chart is labelled "Focus of this paper"]
Figure 8. Main Algorithm of the Simulation Procedure
7) Depending on the outcome of the selection of the escape plan, the PARG selects one of the three following courses of action: stay in the same INU (if it is perceived to be a very safe PSH), flee on foot on an escape route (trail) (TRL), or flee in a vehicle (VHCL) on the road network.
8) If fleeing on foot, the PARG is modeled as moving on the trail at a rate equal to the average of its PARUs’ walking speeds. If the PARG is caught by floodwater, survivability of each PARU is modeled individually. Surviving PARUs continue their journey to the PSH. Their characteristics are updated.
9) If the PARG escape is simulated as being in a vehicle (VHCL), the movement of the VHCL is dictated by the traffic flow, which is based on the collective behavior of VHCLs within the road network (not presented). The PARG could evacuate the VHCL based on its state. If the PARG evacuates the VHCL, survivability of each PARU is simulated, and live PARUs continue their escape on foot. If the VHCL is overturned by the floodwaters while the PARG is still inside, the model presently assumes that the PARUs are overwhelmed.
10) Finally, the procedure simulates the PARG arriving at the perceived safe haven PSH.
In more straightforward terms, the general modeling concept is as follows: After becoming aware of the threat of flooding, each model Person At Risk (referred to as PARU, where U stands for a “unit”) experiences some delay before making a decision regarding evacuation. If the PARU decides to evacuate, it does so either in a vehicle or on foot, depending on the availability of a vehicle. For a PARU modeled as evacuating on foot, the LSS checks if the PARU comes in contact with flood waters. If this occurs, the PARU characteristics, assigned through the PWM, are checked against threshold functions of water depth and velocity to determine whether the PARU has toppled, is overwhelmed or is still walking. For a PARU evacuating in a vehicle, the traffic simulator manages movement of vehicles and determines at cross-sections the route with the shortest time to safety. If the vehicle comes in contact with flood water, water depth and velocity are used to determine if the vehicle is still drivable, stalled or swept away, based on characteristics determined initially through the PWM. For the PARU staying in a building, the LSS checks the stability of the building based on encountered water depth and velocity. As mentioned above, the stability and the survivability of a given virtual individual, building, or vehicle are assessed via functions of water depth and velocity. The parameters of these functions are allocated for each individual by the PWM based on statistical parameters representing corresponding classes, e.g. models of men, women or certain types of buildings.
6.3 Assignment of parameters
The selection of appropriate parameters for the virtual individuals, buildings, vehicles and other infrastructure is based on physical modeling of the effects of forces of dam breach floods that utilizes structural reliability methods calibrated by actual observations and laboratory data. Details of the approach used for people are presented by Lind et al. (2004), the general concept being as follows:
[Figure 9 diagram labels: U, W, H, v, B, h, D, h/2, d]
Figure 9. Structural Reliability Modelling Concept
Flood waters apply horizontal and vertical forces to exposed objects. The horizontal force is a drag force, acting in the direction of the velocity vector of the water at the point of contact. In general, the drag force is of the form:
$$D = C A U v^2 / 2$$
where
D = drag
C = drag coefficient
A = projection of wetted area normal to the flow vector
U = density of water
v = velocity of water
Assuming that the resultant drag acts at one half the water depth, h/2, as in uniform flow, then, at incipient instability:
$$(W - B) \times d = D \times h/2$$
where W = weight and B = buoyancy.
[Figure 10 plot: Flood Hazard Graphs - Instability Boundary, Monoliths; depth (ft) against velocity (ft/sec); series: theoretical curve, test results, lower limit, upper limit]
Figure 10. Instability related to depth and velocity (from Lind et al. 1999)
Lind et al. proposed the following empirical relation between critical product number (KD), body height (H) and weight (W), and flow depth (h):
$$h v_{cr} = K_D \, [W (1 - h/H)]^{1/2}$$
where $K_D$ is of the form
$$K = [f(\text{geometry}) \times g / C]^{1/2}$$
K is a random variable that can be estimated from the observations, and g is the acceleration due to gravity. The general form of the relationship between flood water depth, velocity and stability is as illustrated in Figure 10.
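The square-root form of this relation can be recovered from the moment balance and the drag expression given earlier. The derivation below is an added worked example, not taken from Lind et al.; it assumes a rectangular wetted projection $A = b h$, where $b$ (a symbol introduced here) is the body width normal to the flow, and a body whose mean density is close to that of water, so that $B = W h / H$ for $h \le H$.

$$(W - B)\, d = D\, \frac{h}{2} \quad\Longrightarrow\quad W \left(1 - \frac{h}{H}\right) d = \frac{C\, b\, h\, U\, v^2}{2} \cdot \frac{h}{2}$$

$$(h v_{cr})^2 = \frac{4 d}{C\, b\, U}\; W \left(1 - \frac{h}{H}\right) \quad\Longrightarrow\quad h v_{cr} = \left[\frac{4 d}{C\, b\, U}\right]^{1/2} \left[W \left(1 - \frac{h}{H}\right)\right]^{1/2}$$

Under these assumptions the bracketed prefactor takes the place of $K_D$. If $W$ is expressed as a mass multiplied by $g$, the factor $g / C$ appears under the square root, which is the same form as the expression for $K$.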
[Figure 11 plot: water depth "d" (m) against water velocity "v" (m/s); data from Black (1975), a selection of data on timber-framed houses (1 story house drywall; 1 1/2 story house drywall; 1 1/2 story house drywall + brick veneer; 1 1/2 story house plaster wall; 2 story house plaster wall), and from Clausen and Clarke (1990), brick and masonry buildings; zones: inundation only, partial damage, total damage; curves dv = 3 m2/s and dv = 7 m2/s]
Figure 11. Effects of floodwaters on buildings (redrawn from Hartford and Baecher, 2004)
The data presented in Figure 10 have subsequently been augmented and corroborated by additional laboratory testing that was carried out in Finland as part of the RESCDAM project (Karvonen et al. 2000). Seven human subjects aged 17-60 years were tested, standing on a steel grating platform towed in a ship model basin. The subjects wore survival suits and safety helmets. The subjects ranged in height from 1.60 m to 1.95 m (5 ft 3 in to 6 ft 5 in) and in weight from 48 kg to 100 kg (106 lb to 220 lb). Two were female and five were male. Each subject was tested in several water depths, beginning at each depth with a low product number. The subject was asked to walk into the flow, walk across the flow, and walk facing downstream. If the subject maintained maneuverability, the velocity was gradually increased until stability was lost. Depths ranged from 0.3 m (1 ft) to 1.1 m (3.6 ft). Speeds ranged from 0.6 m/s (2 ft/s) to 2.75 m/s (9 ft/s). Similar investigations into the stability of buildings were also carried out in the RESCDAM project, the results of which supplemented the existing data on this topic (Figure 11).
7. VISUAL SIMULATION AND ANALYSIS OF LSM OUTPUT
Simulation results from the LSS are viewed in a companion product, EnSimLSM (CHC 2001), to produce high quality 2D and 3D images and animations. A computer screen image of an EnSimLSM animation of a LSM scenario for the Malpasset dam failure in 1959 is shown in Figure 12.
Figure 12. A Computer Screen Image of an EnSimLSM Visual Simulation of LSS Output
In this animation, people at risk are depicted in buildings or evacuating on foot or in vehicles, in response to the encroaching flood waves represented by water depth and velocity vectors. EnSimLSM enables users to tap into the rich spatio-temporal output of the LSS via several means including:
• displaying attributes of any selected LSM object at any given time;
• plotting time series of any dynamic variable, such as location or physical status of a person;
• plotting paths of escape;
• displaying contour maps of max or min values; and
• recording of animation in several formats for inclusion in popular presentation packages.
REFERENCES
Assaf, H., and Hartford, D.N.D. 2001. Physically-based Modeling of Life Safety Considerations in Water Resource Decision-Making. The World Water and Environmental Resources Congress, Orlando, May 20-24, 2001. Florida.
CHC 2001. BC Hydro Life Safety Model 2D Reference Manual. The Canadian Hydraulics Centre, November 2001.
Hartford, D.N.D. and Baecher, G.B. (2004). Risk and Uncertainty in Dam Safety. Thomas Telford.
Karvonen, T., Hepojoki, A., Huhta, H.-K., and Louhio, A., “The Use of Physical Models in Dam-Break Analysis,” RESCDAM Final Report, Helsinki University of Technology, Helsinki, Finland, 11 December 2000.
Lind, N.C., Hartford, D.N.D. and Assaf, H. Hydrodynamic models of human stability in flood. Journal of the American Water Resources Association. February 2004.
Lind, N.C. and Hartford, D.N.D. (1999). “Probability of Human Instability in a Flooding: A Hydrodynamic Model” in Applications of Statistics and Probability, R.E. Melchers and M.G. Stewart (eds.), Vol. 2, pp. 1151 – 1156, Balkema, 1999.
DECONTAMINATION IN THE EVENT OF A CHEMICAL OR RADIOLOGICAL TERRORIST ATTACK
Konstantin Volchek1, Merv Fingas1, Monica Hornof2, Louise Boudreau2, and Norman Yanofsky3
1 Environment Canada, 335 River Road, Ottawa, Ontario K1A 0H3, Canada; 2 SAIC Canada, 60 Queen Street, Ottawa, Ontario K1P 5Y7, Canada; 3 Department of National Defence, 305 Rideau Street, Ottawa, Ontario K1A 0K2, Canada
Abstract:
This paper analyzes technologies and methods that can be used to decontaminate buildings and structures affected by chemical or radiological terrorist attacks. Technologies are classified into three categories, including mechanical and physical methods, chemical methods, and biological methods (including natural degradation/attenuation). They are analyzed in terms of their effectiveness with regards to specific types of chemical or radiological agents, their status of application, equipment availability and associated costs. Technology limitations and gaps are identified. Needs for further technological research, development and evaluation are also discussed.
Key words:
chemical and radiological terrorism; decontamination technologies; mechanical and physical methods; chemical methods; biological methods; research and development.
K.V. Frolov and G.B. Baecher (eds.), Protection of Civilian Infrastructure from Acts of Terrorism, 125–145. © 2006 Springer. Printed in the Netherlands.
1. INTRODUCTION
The risk of chemical, biological, radiological or nuclear (CBRN) terrorism can hardly be overestimated in today’s reality. Even though a majority
of terrorist acts involve the use of explosives, there have been credible reports on the actual or attempted use of toxic chemicals, radioisotopes or deadly biological materials for the purposes of terrorism (BBC, 2004; Purver, 2000; Waller et al., 2003). The Canadian Federal Government responded to the threat of terrorism by allocating $7.7 billion Canadian to anti-terrorism efforts in the 2001 defence and security budget. Included in that budget was $170 million for a new, innovative program called the Chemical, Biological, Radiological and Nuclear Research & Technology Initiative (CRTI). CRTI is led by the Department of National Defence and was developed in collaboration with federal science-based departments and agencies. The purpose of CRTI is to fund federal research in support of counter-terrorism from a chemical, biological or radiological/nuclear threat (Yanofsky, 2003). CRTI addresses CBRN threats to Canada through collaboration among federal science-based departments, with departments and agencies in Canada’s defence and security establishments and the “first responders” community. The program supports the operation of three clusters of federal laboratories organized around the three threats (chemical, biological and radiological/nuclear) and through a program of peer-reviewed, competitively sponsored research. In 2003, CRTI funded a three-year project to identify, evaluate and adapt promising and effective technologies for the decontamination of facilities that may be targeted in CBRN terrorist attacks (Fingas et al., 2004). The parties involved in this undertaking include Canadian and US Government agencies: Environment Canada, Health Canada, Canadian Department of National Defence, and the United States Environmental Protection Agency. There are also several private sector partners: Science Applications International Corporation, VLN Technologies, Vanguard Response Systems, and Hytec Hydrocarbons Reclamation.
The project began with a review of existing technologies and will now move on to examining new technologies. This publication focuses on a review of available chemical and radiological decontamination technologies. Additional information on this project, including some aspects of biological decontamination, is provided in Fingas et al. (2004).
2. CHEMICAL DECONTAMINATION
For this part of the study, a literature search was performed to obtain information on the methods available for decontamination of both chemical warfare agents and industrial chemical agents. Information was collected on decontamination techniques that were at different stages of application (i.e.
bench scale, pilot scale, commercial, etc.). The data collected was separated into the following main decontamination categories based on the mechanism involved:
• Mechanical/physical;
• Chemical; and,
• Biological, including natural degradation.
2.1 Potential weapons of chemical terrorism
Chemical terrorism is considered to be a major threat faced by the modern world. Even though the toxicity of chemical agents is generally lower than that of biological agents, it is still quite high and a chemical bomb or another delivery device could potentially kill thousands of people (Purver, 2000). Unlike radiological agents, some chemical agents or their precursors are commonly available and can be purchased from a hardware store. All chemical agents that terrorists might use fall into two categories: “conventional” chemical warfare agents and commercial toxic chemicals. Although chemical warfare agents may have been the only type of chemicals to be used in the past, this is no longer the case. Because industrial chemicals may be easier to access than warfare agents, these products must also be considered when evaluating decontamination techniques as they could be used in acts of chemical terrorism.
2.1.1 Chemical warfare agents
Chemical warfare agents (CWA) can be placed into several broad classes: nerve agents, vesicants, pulmonary agents and blood agents (Brennan et al., 1999; Lawson and Jarboe, 2002). Table 1 presents a list of the agents identified and, where available, the military designator codes assigned to them.
Table 2. Military Designator Codes for Common Chemical Warfare Agents

| Classes | Generic Name | Chemical name | Military Designator Codes |
|---|---|---|---|
| Nerve agents | Tabun | ethyl N,N-dimethylphosphoroamidocyanidate | GA |
| | Sarin | isopropyl methylphosphonofluoridate | GB |
| | Soman | 3,3-dimethyl-2-butyl methylphosphonofluoridate or pinacolyl methylphosphonofluoridate | GD |
| | | o-ethyl S-[2-(diisopropylamino)ethyl] methylphosphonothioate | VX |
| Vesicants (Blister Agents) | Sulfur mustard | 2,2’-dichlorodiethyl sulfide | HD |
| | Mustard | | H |
| | Nitrogen mustards | tris(2-chloroethyl)amine | NH3 |
| | | N-methyl-2,2’-dichlorodiethylamine | NH2 |
| | | 2,2’-dichlorotriethylamine | NH1 |
| | Lewisite | dichloro(2-chlorovinyl)arsine | L |
| | Phosgene oxime | | CX |
| Pulmonary Agents (Choking Agents) | Phosgene | | CG |
| | Chlorine | | CL |
| | Diphosgene | | DP |
| Blood Agents | Hydrogen Cyanide | | AC |
| | Cyanogen Chloride | | CK |
| | Arsine | | SA |

Sources: Harris, 1993; Munro et al., 1999; Wei et al., 1996
2.1.2 Commercial toxic chemicals
According to Purver (2000), a large number of industrial chemical substances have been identified as being of potential interest to terrorists. Those substances specifically mentioned in literature on chemical terrorism include:
• Insecticides such as nicotine sulphate, parathion, malathion, DFP (diisopropylphosphorofluoridate), and TEPP (tetraethyl pyrophosphate);
• Herbicides such as 2,4D (2,4-dichlorophenoxyacetic acid) and 2,4,5T (2,4,5-trichlorophenoxyacetic acid) (against plants), TCDD (2,3,7,8-tetrachlorodibenzo-p-dioxin) (dioxin), and benzidine (112-14);
• Prussic acid (hydrocyanic acid);
• Arsenic;
• Thallium;
• Nickel carbonyl;
• Osmium tetroxide;
• Sodium fluoracetate;
• And many others.
2.2 Chemical decontamination using mechanical and physical methods
Mechanical and physical decontamination methods involve the use of equipment, not chemicals, to physically decontaminate a surface. This equipment can be as simple as a brush or as complicated as a blasting machine. A major advantage of mechanical and physical decontamination methods is that usually only a small amount of secondary waste is produced. A pilot scale study was performed by Barkley (1990) on shotblasting for the decontamination of surfaces contaminated with PCBs. This physical technology consisted of cutting, followed by physical removal of the contaminated surfaces. In this particular study, a "shotblaster" using steel shot was used to remove the contaminated surface layers of concrete.
Sorbents have a wide range of applications. "Neutral" sorbents simply act as porous sponges. There are also other types of sorbents, reactive ones, which not only remove the agents but also destroy them, making them a chemical method for decontamination (Fatah et al., 2001). Neutral sorbents can include activated charcoal particles, and common materials including dry powders such as soap powder, earth, dirt, and flour (Lawson and Jarboe, 2002). Wiping or blotting techniques could be used for the removal of contaminants.
There is relatively limited information available on the use of thermal processes for the decontamination of buildings and equipment. It is noted, however, that a thermal treatment process is typically followed by another process that destroys the volatilized agent (Fatah et al., 2001). The Karcher mobile field laundry CFL is an example of decontamination equipment that utilizes the two-step process presented above. Karcher decontamination equipment model AEDA1, which utilizes a combination of a low-temperature thermal technology and a mechanical technology, is another example.
The use of lasers as a building decontamination technology was reported in a study by Li et al. (1994).
This technology can be used for the removal of contamination present on the surface and at depths of 0.1-4 mm in building surfaces. The lasers used were CO2 and Yttrium Aluminium Garnet (YAG) lasers. Some of the different uses of these lasers are briefly discussed. Laser vaporization can be used to remove contaminants such as black carbon rich soot. This technology is effective on low thermal
conductivity materials such as brick, concrete or stone. The removal rates vary around 100-300 cm3/hr·kW. Another laser technology reported by Li et al. (1994) was laser combustion/decomposition. It was shown to be useful at removing organic materials such as paint, epoxy, plastic, fibre, paper, moss, lichen and rubber. Removal rates have been reported to be in the range of 2000-5000 cm3/hr·kW.
2.3 Chemical decontamination using chemical methods

The greatest amount of information was found for decontamination using chemical methods. One aspect that is important when considering chemical decontamination is the toxicity of the initial and final products. Decontamination time, accessibility, ease of use and the ability to decontaminate numerous chemicals are also major factors in the selection of a decontamination technique. The technologies presented in this section are at different stages of development. Some technologies are currently available for full-scale use, while others are still under development. The three main categories of chemical decontamination include: hydrolysis, oxidation, and dechlorination.

2.3.1 Hydrolysis

Probably the simplest decontamination technique is the use of water. The use of water is both a physical and chemical decontamination technique (Lawson and Jarboe, 2002). Water is a multipurpose agent, as it can dilute and flush an agent away, but it can also react with numerous agents, detoxifying them by a slow hydrolysis. Water can be used alone or it can be used in a solution with detergents, or soap. Water can also be used as a carrier agent for other decontamination agents, such as acids and bases (Munro et al., 1999). Examples of how different contaminants react to water are provided in the following paragraph.

Cyanogen chloride can be rapidly hydrolysed according to Munro et al. (1999). Hydrolysis can be accelerated by heating the solutions. Some G agents are also rapidly hydrolysed with water, and the rate of hydrolysis is higher in acidic or alkaline conditions. For example, GB is hydrolyzed in a fairly alkaline solution of hypochlorite with a half-life of less than one second. By comparison, the half-life of GB (2 x104 M) is approximately 11 minutes at 24.5°C and pH 6, when hypochlorite is present as either sodium hypochlorite or calcium hypochlorite (2.8 x103 M). The hydrolysis of GD is catalyzed by acids and bases.
The process is rapid and is complete in 5 minutes in a 5% sodium hydroxide solution. The
hydrolysis can be further accelerated by copper and imidazole. VX, another nerve agent, can also be hydrolyzed in water when alkali catalyzed but not if acid catalyzed. Note that Yang et al. (1992b) claim the contrary to Munro et al. (1999). Yang et al. (1992b) mention that hydrolysis of VX cannot take place if alkali catalyzed because a very toxic compound would be formed. Neutralization of VX with aqueous NaOH at 90°C should be done for a period of 6 hours, followed either by on- or off-site supercritical water oxidation (Munro et al., 1999). Stockpiled HD is being chemically neutralized by the Army Chemical Stockpile Disposal Program with hot water hydrolysis. The photochemical oxidation of hydrolysate is followed by biodegradation instead of incineration.

Alkaline soap solutions as a decontamination method have the advantages of being inexpensive and readily available. Alkali salts such as Na2CO3, NaOH, and KOH, in solutions with extra hydroxide ion, were determined to be effective at rapidly detoxifying G agents (Yang et al., 1992b).

2.3.2 Oxidation

Oxidation is another common technique used to detoxify chemical agents. Lawson and Jarboe (2002) consider this as the most important decontamination category when active chlorine such as hypochlorite is used. Calcium hypochlorite (HTH) and sodium hypochlorite are examples of bleach solutions that can be used to decontaminate equipment. Organophosphorus and mustard agents can be attacked by hypochlorite solutions. The alkalinity of these solutions also helps in the decontamination process. Temperature also plays a role in the speed of decontamination. A 5% solution of either sodium hypochlorite or calcium hypochlorite is the current doctrine applied by the public health and military sector in the United States for equipment decontamination. The recommended contact time is 15 minutes followed by a thorough rinse using lukewarm water (Lawson and Jarboe, 2002).
In emergency situations, 6% chlorine bleach can be used on materials with Kevlar. The method presented for Kevlar material is to soak it for one minute in a 6% solution. Following this, the equipment should be rinsed immediately with lukewarm water prior to drying. Only one application of the bleach should be done, however, because it could potentially damage the fabric. Bleaching powders and potassium permanganate are oxidation agents that have been used for many years (Yang et al., 1992b). The advantages of bleach are that the reactions are very vigorous and can convert both neat and thickened agents. During World War II, superchlorinated bleach was most common. Some disadvantages of bleach are: a decrease of the active component of chlorine with storage time (Lawson and Jarboe, 2002), large
amounts of bleach are required for oxidation (Yang et al., 1992b), it is corrosive on many surfaces, and its effectiveness may be reduced in cold weather. Yang et al. (1992b) also noted that bleach is ineffective at penetrating paint. Bleach may also react with fuels or solvents, resulting in ignition (Lawson and Jarboe, 2002). It can also burn the skin and destroy clothes. Calcium hypochlorite, in concentrated form, will burn when placed in contact with the nerve agent VX. In addition, toxic vapours will be released when bleach is contacted with G agents. When stored properly, degradation of bleach is approximately 1% per year (Lawson and Jarboe, 2002).

There has been a great effort in developing and commercializing the methods that use reactive foams or gels. Examples of those are Sandia Foam (Sandia National Laboratories, 2004), CASCAD decontamination formulations (Vanguard Response Systems, 2004), L-Gel (Heller, 2002), and some others. All of these decontamination reagents have either peroxides or hypochlorite as oxidants. They also contain surfactants and other ingredients that increase their viscosity and adherence to the surface. The latter is particularly important since aqueous solutions do not wet hydrophobic surfaces and tend to drip off of vertical or tilted surfaces. Consequently, the contact time between chemical agents and the decontamination solution is significantly reduced. The use of foams and gels would improve the adherence and prolong the contact time, making the decontamination reaction more complete.

Many metals have special properties that improve effectiveness when using hydrogen peroxide to oxidize other compounds. Although several transition metal ions have these properties, iron is the most common of those metals. It enhances the generation of highly reactive hydroxyl radicals (•OH).
Fenton first discovered the reactivity of this system in 1894, but its utility was recognized only in the 1930's when the process mechanisms were identified. Today, Fenton's reagent is used to treat a variety of industrial wastes containing a wide range of toxic organic compounds, such as pesticides, chlorinated solvents, phenols, wood preservatives, etc. (US Peroxide, 2003). The process may be applied to wastewaters, sludges, or contaminated soils. In general, Fenton's process is a two-step reaction (US Peroxide, 2003). The first step is the formation of the hydroxyl radical from the reaction of an oxidant with metal. The second step is when the hydroxyl radical oxidizes the contaminant.

No information was found in the publicly available literature on the use of Fenton's process for chemical restoration purposes. However, an analysis of the features of this process suggests that it may be applicable for this purpose due to the following attributes of the process: hydroxyl radicals generated in the process are the strongest oxidation species; unlike the hypochlorite oxidation, which is another effective chemical destruction process, Fenton's process does not generate hazardous
chlorinated organic by-products; the process uses inexpensive and readily available reagents, such as hydrogen peroxide and salts of divalent iron; and finally, the process does not require light (although it is reported to accelerate in the presence of UV radiation). The performance of the process is highly dependent on process parameters, such as pH and the concentration of reagents. It is important therefore that the process is carried out as close as possible to optimum conditions.

2.3.3 Dechlorination

Pilot-scale in-situ chemical treatment was studied for the decontamination of concrete contaminated with PCBs (Barkley, 1990). It consisted of applying an alkali metal/polyethylene glycolate mixture (IT/SEA Marconi reagent) using either a sprayer, brush or roller, to concrete surfaces. The dechlorinating reagent, a liquid at room temperature, was heated in a water bath prior to application.

2.3.4 Reactive sorbents

Reactive sorbents first sorb the contaminant and then detoxify it (Fatah et al., 2001). Because of the detoxification stage, they are different from the neutral sorbents discussed in the “mechanical / physical technologies” section for the decontamination of chemical agents. Some of the reactive sorbents are prepared by soaking inert sorbents in alkaline solutions, effectively saturating the sorbent matrix with caustic material (Fatah et al., 2001). Once the agent is sorbed into the matrix, it encounters the alkaline medium, reacts with it, and is destroyed. Another approach for reactive sorbents is to prepare a polymeric material with reactive groups attached to the polymeric matrix (Fatah et al., 2001). In this case, the agent is sorbed by the polymeric matrix, it encounters the reactive groups, and it is neutralized by them. Yet another approach is to use microcrystalline metal oxides such as aluminium or magnesium oxides.

Catalytic sorbents contain active groups that can react with chemical agents, thus destroying them.
Unlike reactive sorbents, where reactive groups become inert after they react with the agent, the groups in catalytic sorbents can be regenerated and the sorbents can be reused. Research is required to collect further information to suggest specific applications of many innovative technologies, such as the use of chelants, foams, gels, etc. Chemical agent properties can affect decontamination (Yang et al., 1992a) and in some cases may limit the decontamination process. For
example, thickened agents are more difficult to remove using mechanical decontamination methods (i.e., water jets) as they are more viscous and adhere to the surface. In fact, tests have shown that the use of soapy water or water jets is effective for the removal of neat agents, but not thickened agents. As well, a reactant in the decontaminant can serve a dual purpose by increasing the speed and removal of agents.
2.4 Chemical decontamination using biological methods

For chemical warfare agents, decontamination using biological means is still in the experimental stage. Biological decontamination can be complicated because chemical warfare agents are generally complex manmade chemicals. It is also an option that is usually not feasible in a situation such as a terrorist attack or after an accident because the decontamination process can be lengthy.

Natural degradation / attenuation may be another method used for the decontamination of chemical agents. The effect of this method may be highly dependent on the types of chemicals present and the environmental conditions. Factors such as the location and use of the contaminated site also play a major role in determining whether or not this decontamination technique is acceptable. One especially relevant publication on the use of biological methods for decontamination is discussed below.

The subject of the natural degradation of pesticides is briefly presented in the report by Park et al. (1990). More specifically, a few experimental studies of natural degradation of methyl parathion and parathion are discussed. Experiments showed that parathion will decompose by approximately 50% in 24 hours. Similarly, methyl parathion was shown to decompose significantly within 28 hours of application on alfalfa. Parathion was also found to disappear within two weeks when stored in water at room temperature. Finally, it took three months for methyl parathion to decay outdoors when spilled on cement blocks and four and a half months when spilled on cement blocks indoors. As can be seen from these experiments, natural degradation will effectively eliminate methyl parathion and parathion. However, decontamination time is too long for emergency decontamination purposes.
2.5 Management of chemical decontamination waste

The most accepted method of managing chemical decontamination wastes is high-temperature thermal incineration (Lemieux et al., 2003). Medical/pathological waste incinerators, municipal waste combustors, and hazardous waste combustors could be used for this purpose. However, there
may also be advantages to using on-site portable incinerators. Particularly for large amounts of waste, incineration on-site would avoid transportation costs and would minimize personnel and environmental exposure to these wastes. The following unique properties of wastes resulting from decontamination after chemical terrorist attacks make incineration of these wastes a challenge:
• The wastes can be complex and contain a variety of compounds that are difficult to identify and quantify. This can make it difficult to optimize incinerator operating parameters;
• The contamination is typically bound within the matrix of the absorbent or porous materials being sent for disposal. There is a small possibility that some contaminants may short-circuit the incineration system and be released in the stack emissions or in the solid residue. The likelihood of this occurring is dependent on the fluid dynamics, the mass transfer, and the mixing efficiency of the system.

Landfilling is another means to dispose of chemical decontamination waste, especially if the waste is not subject to leaching and is not highly hazardous. There are three types of landfills to which wastes from decontamination operations on contaminated buildings would likely be sent: construction and demolition landfills, municipal solid waste landfills, or hazardous waste landfills (Eastern Research Group, Inc., 2003). As in the U.S., there are very few hazardous waste landfills currently operating in Canada. As well, despite the fact that these sites are the best equipped for dealing with the contaminated waste, they may not be viable options because they are typically in remote areas far away from where a terrorist attack would likely occur and they typically have lower capacities than municipal landfills.
It has also been noted that landfill operators may be hesitant, if not completely unwilling, to accept wastes that might be contaminated with chemical agents because of uncertainty with respect to the science behind the fate and behaviour of these compounds in a landfill. The liability, risks and uncertainties appear to be too large for them to justify taking a one-time load of chemical waste. A concern for worker safety was also considered a reason that landfill operators are reluctant to take these wastes. Landfill operators are also looking for clearer guidance and a regulatory framework related to the landfilling of this type of waste.
3. RADIOLOGICAL DECONTAMINATION

3.1 Potential radiological agents

In radiological decontamination, it is important to know what potential radiological agents may be used in a terrorist attack or what contaminants may be released during an accident. This is important because the type of decontamination method often greatly depends on the contaminant. A number of major accidents and attempts at radiological terrorism are discussed below.

3.1.1 Agents released during an accident

A paper by Jensen (1999) details past radiological accidents as well as the contaminants that were deposited through nuclear weapons testing. Nuclear test sites such as Bikini Island, Rongelap Island, and the Marshall Islands show that the most common contaminants from weapons testing are generally Cs-137, Sr-90, and Pu-239 / Pu-240. The Maralinga test site in Australia is contaminated mainly with Pu-239 and Pu-241.

Some of the most devastating radiological accidents have been Chernobyl in Ukraine, the rupture of a teletherapy source in Goiânia, Brazil, and the release of radionuclides in Kyshtym (in the Urals). The accident in Goiânia, Brazil, is also discussed in detail in Rochedo (2000). In Goiânia, a Cs-137 source was removed from a teletherapy machine and subsequently ruptured. Many households and gardens in a highly populated area were contaminated. Evacuation and some demolition of homes were required. There were many casualties in this accident. The main radionuclides released during the Chernobyl accident were Cs-137 and Cs-134. During the accident in Kyshtym, very large amounts of Sr-90, Cs-137 and other radionuclides were released. As can be seen, during accidental releases of radionuclides, the main isotopes released were Cs-137 and Sr-90. For this reason, many papers in the literature search focussed on decontamination of these isotopes.

3.1.2 Agents potentially used during a terrorist attack

A draft paper by Waller et al.
(2003) studies which radionuclides could potentially be used in radiological terrorism, how these radionuclides could be dispersed, what the availability of the radionuclides is, and other factors. This literature review is mainly interested in which radionuclides could be used and their availability.
European countries such as Germany and Poland have had the largest number of seizures of illegal radioactive material, followed by other countries that were formerly members of the eastern communist bloc. The most commonly seized radionuclide was uranium, closely followed by cesium. Plutonium, radium, and americium were seized with much smaller frequency.

A great concern is that radiological dispersal devices could be used for radiological terrorism. These simple devices, also known as 'dirty bombs', are not very difficult to construct and only small amounts of a radionuclide (low activities) are necessary for the bomb. This is because these types of terrorist devices are meant to cause panic more than physical harm. As well, this type of device can have major economic consequences even if a very small source is used. Radionuclides that could potentially be used in such devices are cesium, strontium and californium. The greatest concern is that many sources (some of them quite large) have been lost in the former USSR and many of them consisted of these radionuclides. Other countries (including developed, economically stable countries such as the United States) have also reported lost radioactive sources.

Another way that radioactive sources could potentially be obtained for use during a terrorist attack is through theft. The US Nuclear Regulatory Commission (NRC) has reported radioactive sources stolen in the form of portable nuclear gauges. The radionuclides used in the gauges were mainly Am-241 and Cs-137. Sources can also be stolen from medical facilities. In North Carolina, 22 GBq of Cs-137 was stolen in the form of brachytherapy sources from a hospital. Similar thefts have occurred around the world.

The main sources for radioactive material for use in radiological terrorism include industrial radiography and irradiator sources, nuclear medical sources, and portable gauge sources. In general, terrorists try to acquire large, high activity sources.
Though it is easier to acquire these sources in some parts of the world than others (i.e. in the former USSR and in Eastern Europe), terrorists are generally able to acquire these sources through a variety of other connections, such as the mafia. Cesium is considered to be one of the most likely radionuclides to be used in a radiological terrorism attack. What is believed to be one of the first attempts at radiological terrorism was in fact carried out with a Cs-137 source. Terrorists were reported to have left the source under a park bench in Moscow, Russia. Another radionuclide considered to be a candidate for use in these types of attacks is Sr-90. Other materials, such as uranium and plutonium, have been seized often and could be used to make nuclear weapons. These weapons could cause much more widespread damage than the simpler radiological dispersal devices.
3.2 Basics of radiation decontamination techniques

The need for radiological decontamination can arise in many different situations including general maintenance, clean up after accidents, clean up after terrorist attacks, and radiological decommissioning. Hundreds, possibly even thousands, of different decontamination techniques have been developed for these purposes. Some techniques are as simple as washing and scrubbing whereas others are much more complicated and involved technologies. Many techniques studied during the literature search have been used for many years whereas some are very innovative and not yet thoroughly tested.

In many cases, the contamination removal efficiency of the technology is presented in terms of decontamination factor (DF). DF is defined as initial percentage of contamination (100 %) divided by the remaining percentage of contamination. As can be seen from this equation, the lowest DF possible is 1 and the higher the DF the better the removal efficiency.

Determining which decontamination technique should be used can be quite complicated. Often, a combination of techniques is used. The literature search focused primarily on proven decontamination technologies. A lot of research has been done to ease the process used to determine the best restoration option for a site. As described in Jackson et al. (1999) and Zeevaert et al. (2000), a generic method for assessing and ranking restoration strategies (RESTRAT) was developed through a project partly funded by the European Union (EU). RESTRAT includes recommendations from the International Commission on Radiological Protection (ICRP). A manual has also been produced that describes how RESTRAT should be applied.

As with chemical decontamination, radiological decontamination was categorized into mechanical, chemical, and biological decontamination methods. All decontamination methods and technologies have benefits and limitations (i.e.
cost, waste produced, ease of application etc.). In evaluating which system to use for a decontamination activity, these factors have to be taken into consideration, as well as what material is being decontaminated and the radionuclides involved.
3.3 Radiological decontamination using mechanical and physical methods

Many different types of mechanical decontamination methods exist. Some have been developed for use on building materials (i.e. concrete, brick), others for use on metallic surfaces. There are several methods that
have been used for many years and are 'tried and true', but a lot of research is occurring in this field and many innovative decontamination methods exist. Most mechanical decontamination technologies involve blasting, cutting, surface removal and scrubbing. However, the media and equipment that are used are very important in the technology's efficiency. The material that the method is most efficient on is also important. With many mechanical decontamination technologies, very little secondary waste is generated. Most technologies have systems within their design to capture wastes and/or to recycle media which is generated by surface decontamination.

There are many different mechanical decontamination techniques that can be used in nuclear decontamination. Some, such as simple and proven cleaning methods and blasting, are more appropriate for emergency situations (i.e. accidents, terrorist acts) because they are not as complicated. This is documented in several papers. In a paper by Jouve et al. (1994) the restoration of the area around the Chernobyl accident site is discussed. Proven methods such as sand-blasting and high pressure water jetting (Lawson and Jarboe, 2002) were used to decontaminate building materials. Soil scraping, turf harvesting, etc., were used to remove contaminated portions of topsoil. Rochedo (2000) discusses the cleanup after the release of Cs-137 in Goiânia, Brazil. Most decontamination was done by washing, scraping, and removal of contaminated items and soils. Several homes had to be completely demolished and the materials were then disposed of as radioactive waste.

Some simple mechanical decontamination methods such as fire hosing and water jetting produce a lot of liquid radioactive waste. However, these methods should be further evaluated as they offer a 'quick and dirty' decontamination option. Other decontamination methods such as the use of lasers, or experimental technologies such as the WallWalker®, are not yet proven.
These methods are not the best option to be used during an emergency situation when a quick effective solution is necessary. These methods are currently more suited to routine decontamination or decommissioning activities. However, technologies such as the soft abrasive media blasting by AEA Technology, cryogenic blasting, and wet abrasive blasting techniques show a lot of potential and could be cost effective. These should be more thoroughly researched.
3.4 Radiological decontamination using chemical methods

Chemical decontamination methods offer another option for radiological decontamination. Chemical decontamination methods generally have high
efficiency. They are often used to remove contamination that is trapped below the surface of the contaminated object because they can remove a layer of the contaminated material. A major advantage of many chemical decontamination methods is that they can often be applied and left for several hours (the time required for decontamination), so operator exposure tends to be lower than with mechanical decontamination methods. However, many chemical methods use water or other liquids so secondary liquid wastes are often created. Chemical decontamination is often used in conjunction with mechanical decontamination methods. A paper by Jensen (1999) details the remediation efforts undertaken after several major radiological accidents and events. An example of how chemical methods were used in conjunction with mechanical methods was seen after the radiological accident in Goiânia, Brazil. Chemical washing of some contaminated surfaces was done in conjunction with mechanical methods such as vacuum cleaning, fire hosing and others. However, in many cases, the immediate decontaminating actions after a nuclear event / accident have in the past been simple mechanical decontamination methods. This is partly due to the fact that though more complex chemical and mechanical methods may be more effective and generate less waste than simpler methods, they are often not yet fully tested / commercially available. As well, in an emergency situation, it is often faster and easier to apply a simpler method. There are several processes by which chemical decontamination works. They include oxidation, reduction, corrosion and others. The type of chemical used depends on the material being decontaminated. A major advantage of chemical decontamination is that it is usually very effective on metals. The various ways by which chemicals can be used are discussed below. Chemical decontamination is generally used on systems made of metal. 
Many are based on corrosion and work by removing the oxide layer of the metal within which much contamination is often trapped. Both gel and foam chemical decontamination systems show promise and attempt to improve on liquid chemical decontamination. Both systems have the advantage of better adherence to contaminated surfaces. They also create significantly less secondary liquid waste than liquid chemical decontamination. Oxidation and reduction still remain as some of the most popular chemical methods for radiological decontamination. However, as chelants are further studied, it is becoming apparent that they could also be useful in this field and/or be used in conjunction with other chemical systems. Clays containing an ion such as NH4+ could prove to be useful in decontaminating urban materials such as concrete and tile because of their adherence to the surfaces thus increasing time for ion exchange.
The decontamination technique will greatly depend on the radionuclide being decontaminated, the surface being decontaminated, and the level of decontamination necessary. For example, in a desorption study done by Real et al. (2002) it was found that cesium is highly charged and mobile. It strongly binds to tile because of the silicates in tile and it binds to concrete as well. The porosity of the material can also have an effect. Depending on the affinity a radionuclide has for a material, some liquid decontamination methods such as fire hosing can further drive the radionuclide into the matrix of the contaminated material. This is often due to porosity, ion exchange between the surface and radionuclide, and decontamination technique. Corrosive substances such as acids are most often used to decontaminate metals. It has to be ensured, however, that a particular corrosive will work on a particular metal. For example, results from the decontamination of aluminium show that the best results are achieved with the use of sulphuric acids. Common corrosives such as hydrochloric acid and sulphuric acid are not effective on aluminium.
3.5 Radiological decontamination using biological methods

Biological decontamination is a method that shows great potential for long-term decontamination of both concrete and soil. However, biological decontamination is a fairly slow process. It is not a feasible option when a rapid intervention is required to achieve a fast deactivation. This decontamination technique would be most useful after an accident/attack if buildings are demolished or if contaminated building material exists. This material could then be stored in a secure area and decontaminated using biological decontamination.
3.6 Management of radiological decontamination waste

In Canada, all radioactive waste is stored at Atomic Energy of Canada Limited (AECL) in Chalk River, Ontario. AECL does not accept liquid waste and it therefore has to be converted to solid form prior to disposal. As well, the cost of disposal at AECL is very high. For this reason, when decontamination activities are carried out, there are two main objectives with respect to waste generation:
• to limit the amount of secondary radioactive waste, and
• to limit the amount of liquid radioactive waste (ideally, no liquid radioactive waste would be created).

Decontamination is often done to limit the amount of radiological waste resulting from nuclear activities. For example, the primary objective of
operations such as the decontamination of concrete from decommissioned facilities is often to remove the contaminated layer so that the rest of the concrete can be released as non-radioactive material and reused. The same is true for the decontamination of metals. In radiological decontamination, it is also desired to limit the amount of mixed secondary waste (i.e. radioactive material mixed with other hazardous materials such as lead or arsenic). A literature search for new and innovative techniques for the handling of waste from decontamination was conducted. Interesting papers on the subject of waste handling and dealing with large amounts of radioactive wastes are presented below. As part of a decontamination study by Langley and Williams (2001), some information on wastes generated by decontamination was gathered. In particular, it was noted that solid wastes are much easier to manage than liquid wastes. For this reason, in many decontamination operations, the type of secondary waste generated often dictates why one method is used over another.
4. CONCLUSIONS
The analysis of literature on decontamination and restoration revealed that there are a number of technologies available, both established and innovative, that can be used to decontaminate structures and equipment after acts of terrorism. Several conclusions can be drawn from the analysis of the literature:
• There is not one decontamination technique that will work for all contaminants on all surfaces.
• The decontamination method selected will depend not only on the contaminant or surface being decontaminated, but on economic, social, and health factors as well.
• There is no single procedure that was used to evaluate the effectiveness of these technologies. Standard procedures must be developed to evaluate and compare decontamination technologies.
• The amount of waste generated by decontamination is a major feasibility factor. The waste volume should be minimized to avoid high costs of waste transportation and disposal. This is especially true for liquid wastes and mixed wastes. In the case of radiological decontamination, liquid wastes should be avoided altogether.
• Economic factors must be considered. It may be better to use a strong decontaminating agent and then destroy a facility rather than to try to save it.
• Extensive laboratory and field testing must be conducted to further develop promising technologies and methods. Many of the ideas in literature have not been tried except on ideal targets and on ideal surfaces.
ACKNOWLEDGEMENT
The funding for this study was provided by the Chemical, Biological, Radiological & Nuclear Research & Technology Initiative (Project chapter CRTI-02-0067RD). The authors appreciate comments and suggestions made by Dr. Garfield Purdon and Dr. Tom Cousins of the Canadian Department of National Defence, Laura Cochran of Vanguard Response Systems, and Monique Punt and David Cole of SAIC Canada.
REFERENCES
Ahn, B.G., Won, H.J., and Oh, W.Z., 1995, Decontamination of Building Surface Using Clay Suspension, J. Nuclear Sci. Technol., 32[8]: 787-793.
Babcock and Wilcox Company, 1995, Chemical Decontamination of Process Equipment Using Recyclable Chelating Solvent, Phase I, Contract No. DE-AC21-93MC30168, U.S. Department of Energy, Morgantown, WV, 68 p.
Barkley, N., 1990, Update on building and structure decontamination, J. AWWA, 40(8): 1174-1178.
BBC, 2004, BBC News (April 6, 2004), Chemical 'bomb plot' in UK foiled; http://news.bbc.co.uk/1/hi/uk/3603961.stm.
Brennan, R.J., Waeckerle, J.F., Sharp, T.W., and Lillibridge, S.R., 1999, Chemical Warfare Agents: Emergency Medical and Emergency Public Health Issues, Ann. Emergency Medicine, 34(2): 191-204.
Cheung, D., J.L. Pascal, S. Bargues, and F. Favier, Powerful Gels for Power Plant Decontamination, in Materials Research Society Symposium Proceedings Volume 608, Scientific Basis for Nuclear Waste Management XXIII, Boston, MA, pp. 631-637, 2000.
Ebadian, M.A., and L.E. Lagos, Evaluation of Coating Removal and Aggressive Surface Removal Surface Technologies Applied to Concrete Walls, Brick Walls, and Concrete Ceilings, Contract No. DE-FG21-95EW55004, US Department of Energy, Morgantown, WV, 64 p., 1997.
Fatah, A.A., Barrett, J.A., Arcilesi, R.D., Ewing, K.J., Lattin, C.H., Helinski, M.S., and Baig, I.A., 2001, Guide for the selection of chemical and biological decontamination equipment for emergency first responders, US Department of Justice, Washington, DC, NIJ Guide 103-00, Volume I (http://www.ncjrs.org/pdffiles1/nij/189724.pdf) and Volume 2 (http://www.ncjrs.org/pdffiles1/nij/189725.pdf).
Faury, M., B. Fournel, G. Boissonnet, and H. Provens, Foams for Nuclear Decontamination Purposes: Achievements and Prospects, in WM ’98 Proceedings, Commissariat à l’Énergie Atomique, Tucson, AZ, pp. 482-489, 1998.
Fingas, M., Volchek, K., Hornof, M., Boudreau, L., Punt, M., Payette, P., Best, M., Wagener, S., Bertrand, K., Cousins, T., and Haslip, D., 2004, A project to develop restoration methods for buildings and facilities after a terrorist attack, Proc. 27th AMOP Tech. Sem., Environment Canada, Edmonton, AB, pp. 453-476.
Flaherty, J., and M. Morgan, Decontamination Using Soft Media Blasting – Demonstration Projects, in Spectrum 2000, International Conference on Nuclear and Hazardous Waste Management, 8th, Chattanooga, TN, pp. 478-482, 2000.
Harris, B.L., 1993, Chemicals at war, Encyclopedia of Chemical Technology, John Wiley and Sons, 4th Edition, 5: 795-816.
Heller, A., 2002, L-gel decontaminates better than bleach, Lawrence Livermore National Laboratory, Livermore, CA; http://www.llnl.gov/str/March02/Raber.html.
Jackson, D., Wragg, S., Bousher, A., Zeevaert, T., Stiglund, Y., Brendler, V., Jensen, P.H., and Nordlinder, S., 1999, Establishing a method for assessing and ranking restoration strategies for radioactively contaminated sites and their immediate surroundings, Nuclear Energy, 38(4): 223-23.
Jensen, P.H., Analysis of case studies - contaminated facilities and sites, 2000, in Proc. Int. Symp. Restoration of Environments with Radioactive Residues, International Atomic Energy Agency, Arlington, VA, pp. 583-607.
Jouve, A., Roed, J., Vasquez, C., and Maubert, H., 1994, Techniques applicable after a nuclear accident for protecting of populations from the effects of long-life radionuclides, in Proc. 17th IRPA Reg. Congress, The Society for Radiological Protection, Portsmouth, UK, pp. 273-276.
Langley, K.F. and Williams, J., 2001, Decontamination and waste minimisation techniques in nuclear decommissioning, Nuclear Energy, 40(3): 189-195.
Lawson, J.R. and Jarboe, T.L., 2002, Aid for Decontamination of Fire and Rescue Service Protective Clothing and Equipment After Chemical, Biological, and Radiological Exposures, NIST Special Publication 981, National Institute of Standards and Technology, Washington, DC, 84 p.
Li, L., W.M. Steen, P.J. Modern, and J.T. Spencer, 1994, Laser Removal of Surface and Embedded Contaminations on/in Building Structures, in Proc. SPIE Volume 2246 Laser Materials Processing and Machining, SPIE, UK, pp. 84-95.
Munro, N.B., Talmage, S.S., Griffin, G.D., Waters, L.C., Watson, A.P., King, J.F., and Hauschild, V., 1999, The sources, fate, and toxicity of chemical warfare agent degradation products: Parts 1 - 4, Environmental Health Perspectives, 107(12).
Park, J.M.C., Branson, D.H., and Burks, S., 1990, Pesticide decontamination from fabric by laundering and simulated weathering, J. Envir. Sci. Health, Part B: Pesticides, Food Contaminants, and Agricultural Wastes, 25(3): 281-293.
Purver, R., 2000, Chemical and Biological Terrorism: The Threat According to the Open Literature, Canadian Security Intelligence Service, Ottawa, Ontario, http://www.csisscrs.gc.ca/eng/miscdocs/tabintr_e.html#toc.
Raber, E., R. McGuire, M. Hoffman, D. Shepley, T. Carlsen, and P. Krauter, 2002, Universal Oxidation for CBW Decontamination: L-Gel System Development and Deployment, Report Number 7-10-2000, Lawrence Livermore National Laboratory, US Department of Energy.
Real J., F. Persin, and C. Camarasa-Claret, 2002, Mechanisms of Desorption of 134Cs and 85Sr Aerosols Deposited on Urban Surfaces, J. Environ. Radioactivity, 62: 1-15.
Rochedo, E.R.R., 2000, The Radiological accident in Goiânia, in Proc. Int. Symp. Restoration of Environments with Radioactive Residues, International Atomic Energy Agency, Arlington, VA, pp. 365-385.
Sandia National Laboratories, 2004, Sandia decon formulations for mitigation and decontamination of CBW agents, Albuquerque, NM; http://www.sandia.gov/SandiaDecon/demos/demos.htm.
US Peroxide, Reference Library: Peroxide Applications, 2003, Laguna Niguel, CA, http://www.h2o2.com/applications/industrialwastewater/fentonsreagent.html.
Vanguard Response Systems, 2004, CASCAD Decontaminating Chemicals, Stoney Creek, ON, Canada; http://www.vanguardresponse.com/products_cascad_3.shtml.
Waller, E., Volchek, K., and Cole, D., 2003, Technical Aspects of Radiological Terrorism, Report PWGSC W7714-2-0619, Defence Research and Development Canada, Ottawa, ON, 103 p.
Wei, Y., Wang, J., Wei, G., Tang C., and Wang, W., 1996, A study of organic solvent component in the emulsion system for decontamination of polymer-thickened chemical warfare agents, J. Dispersion Sci. Technol., 17(3): 307-319.
Yang, Y.C., J.A. Baker, and J.R. Ward, 1992a, Decontamination of Chemical Warfare Agents, Report ERDEC-TR-004, Edgewood Research, Development & Engineering Center, Aberdeen Proving Ground, Maryland, 47 p.
Yang, Y.C., J.A. Baker, and J.R. Ward, 1992b, Decontamination of chemical warfare agents, Chem. Rev., 92(8): 1729-1743.
Yanofsky, N., 2003, An approach to CBRN counter-terrorism – Defence R&D Canada’s response to an emerging global threat, Proc. 26th AMOP Tech. Sem., Environment Canada, Victoria, B.C., pp. 399-428.
Zeevaert, T., Bousher, A., Brendler, V., Jensen, P.H., and Nordlinder S., 2001, Evaluation and ranking of restoration strategies for radioactively contaminated sites, J. Environ. Radioactivity, 56: 33-50.
MITIGATION AND RESPONSE
MITIGATING WATER SUPPLY SYSTEM VULNERABILITIES
Gregory B. Baecher
Department of Civil and Environmental Engineering, University of Maryland, College Park, MD, USA
Abstract: Common wisdom has held that the water system is reasonably invulnerable to terrorist threat because (1) the physical infrastructure of dams, tunnels, aqueducts, and distribution systems is so physically massive that conventional explosives or other attacks would be unlikely to cause catastrophic damage; and (2) the volumes of water in the system are so large that contaminants are diluted below concentrations likely to cause infections or poisoning, at least to large numbers of people. In reality, informed opinion suggests that our scientific and technical understanding of threats to the water system, especially of a biological and chemical nature, is inadequate to draw this conclusion. Essentially all our experience is with naturally occurring contamination, and little thought has been given to purposeful attacks. There is heightened concern regarding the vulnerabilities of critical infrastructures, including the public water systems, to a deliberate terrorist attack, the consequences of which could be substantial. In the United States, the U.S. Environmental Protection Agency (EPA) holds lead responsibility for protecting the nation’s water systems and is currently working with other federal, state, and local government agencies, water and wastewater utilities, and professional associations to improve water security. This paper reviews categories of vulnerability of the water supply system, and discusses strategies for grappling with them.
Key words: Water supply, risk, terrorism
K.V. Frolov and G.B. Baecher (eds.), Protection of Civilian Infrastructure from Acts of Terrorism, 149–157. © 2006 Springer. Printed in the Netherlands.
1. WATER SUPPLY AND SANITATION INFRASTRUCTURE
Water is essential to life and to the functioning of industry and agriculture. People need water for drinking, cooking, and sanitation; industry needs water for processing, cooling and other functional purposes, and waste removal; agriculture needs water for irrigation, food processing, and waste removal. It is often said that urban and regional water systems are among the great engineering achievements of the 20th century, and that the supply of clean water provided by those systems has done more to protect human health than all of modern medical science. Similarly, the great irrigation systems of the western U.S. have made a level of agricultural production possible that in earlier times could have hardly been imagined. The water system consists of four parts: (1) water supply, (2) treatment, (3) distribution, and (4) sanitary removal. The supply system comprises reservoirs, dams, groundwater aquifers and wells, and the aqueducts and transmission pipelines that deliver water to distant users. The treatment system comprises filtration and other plants that remove impurities and harmful agents, and sanitation facilities (typically chlorination) that kill bacteria and many other biological contaminants. The distribution system comprises head regulating reservoirs and towers, piping grids, pumps, and other components that deliver water from the treatment system to the final user. Finally, the sanitary and waste removal system comprises sewer and related collection systems that deliver waters contaminated with household and industrial wastes to sanitary treatment facilities, the treatment facilities that process these waste waters, and the outfall facilities that return recycled waters back to the natural environment. The water systems of North America are among the best in the world, providing clean and safe water to the majority of our population.
These systems have led to the near eradication of water-borne diseases in the US, such as cholera, typhoid, giardia, cryptosporidium, and shigella; diseases which still account for five million deaths a year worldwide.
2. CURRENT CONDITION OF THE WATER SYSTEM
The existing water infrastructure dates to the late 19th century. In eastern cities such as Boston, New York, Philadelphia, and Chicago, significant portions of the physical infrastructure are old and long past their design life. In newer cities of the west and south, the water infrastructure is similarly newer, but also suffers deferred maintenance. Many components of the system are
aging and in need of repair or replacement. This makes them vulnerable to routine service disruptions as well as to possible terrorist acts. The level of physical security for the water system is at best inadequate. At many locations the public has full and unrestricted access to drinking water reservoirs and water transmission systems. Multiuse provisions of national and state water resource development acts, in fact, mandate public access. Water distribution systems, by their very function, are located close to the bulk of the population and have become an unremarkable everyday presence; they are thus both easily accessible and little noticed by officials and citizens alike. The control of public access to components of the water system is critical for security and needs to be improved.
3. THREATS
Common wisdom has held that the water system is reasonably invulnerable to terrorist threat because (1) the physical infrastructure of dams, tunnels, aqueducts, and distribution systems is so physically massive that conventional explosives or other attacks would be unlikely to cause catastrophic damage; and (2) the volumes of water in the system are so large that contaminants are diluted below concentrations likely to cause infections or poisoning, at least to large numbers of people. In reality, informed opinion suggests that our scientific and technical understanding of threats to the water system, especially of a biological and chemical nature, is inadequate to draw this conclusion. Essentially all our experience is with naturally occurring contamination, and little thought has been given to purposeful attacks.
3.1 Physical disruption
Our water supply of 450 billion gallons per day (gpd) comes principally from surface water, much of which is impounded in reservoirs behind dams (about 80%), and from groundwater pumped from wells (about 20%). A small fraction comes from other sources, such as desalination and direct rainfall collection. These waters are collected and transferred over long distances in pipelines and aqueducts, typically by gravity feed with occasional pumping stations. Some of these aqueducts are open to the surface, but are typically fenced off to the public. There are over 76,000 dams in the US (TEC, 2001), ranging from small recreational structures to massive public works such as Hoover or Grand
Coulee.² These dams fail at a rate somewhat under one per 10,000 per dam-year, so the nation is well familiar with the consequences of dam failures, which can range from a small number of lives lost, as in the Teton Dam (ID) failure of 1976, to thousands lost, as in the Johnstown (PA) failure of 1889, or the Vaiont (Italy) failure of 1963. The key element in reducing life loss is downstream warning time (Bowles, 1997). The consequential financial costs of dam failure can similarly be massive. In the 1970’s, US military intelligence training used the potential failure of Glen Canyon Dam on the Colorado River, upstream of Hoover Dam, as an illustration of how large such damage could be. Failure of Glen Canyon would overtop Hoover, and Davis and Parker dams downstream, disrupting the power grid of the Southwest, destroying irrigation in southern California, and flooding the Imperial Valley. Similar cascading failure scenarios are easily envisioned on the Columbia and other river systems. Unlike flood control dams in the eastern half of the country, which are kept empty, western irrigation dams are kept full much of the year. Thus, upstream failures can be catastrophic. Concrete gravity and earth embankment dams are massive structures that hold back river flow by their sheer weight. Extremely large explosive energies are needed for their destruction. At the time of the building of the High Dam at Aswan (1964), the Egyptian government concluded that a terrorist explosive device of so large a size would more likely be used against a city than the dam, and elected to downgrade this threat. Concrete thin arch dams, on the other hand, are light structures that hold back river flow by acting as diaphragms across a narrow gorge. Thin arches can be as thin as many meters at the top. They are much more susceptible to explosive attack than are massive dams, but there are similarly fewer of these structures in the US, and few very large impoundments of water behind them.
Even so, military experience by the British in WWII and the US in Vietnam suggests that dams, even arch dams, are exceedingly difficult to destroy by bombing from the air. It is true, however, that a truck full of explosives detonated on the crest of a thin dam at full pool could succeed in creating a cavity in the dam that would allow water to overtop the structure, and the water forces would destroy the dam. Few dams can successfully sustain significant overtopping without failing. Thus, one relatively easy way to breach an earth embankment dam is to use conventional earthmoving equipment to excavate a notch in the dam crest, allowing water to flow over and erode the structure. This would require unrestricted access to the dam for many hours, but many dams in the US are unmanned and in remote areas. The response time to dam failure is measured in years.
² The National Dam Inventory defines a dam as being over 25 feet in height or storing more than 50 acre-feet of water.
Aquifers and well heads are an easier target than dams, because they are dispersed across the landscape and little protected, but their physical destruction causes principally economic damage and disruption rather than loss of life. The response time to physical disruption of wellhead systems and pumps could be as short as days or weeks, although specialized . Damage to wells themselves would take longer to repair or replace with new wells, probably measured in weeks or months. The principal threat to groundwater systems may lie in the potential for introducing contaminants at the well head. Aqueducts and pipelines transfer water over long distances. The San Francisco water supply aqueducts from Hetch Hetchy in the Sierra Nevada transport water some 300 miles in two parallel lines, one under San Francisco Bay and one to the south of the Bay through San Jose, to Crystal Springs Reservoir. Most aqueducts are covered or underground, as in Boston and New York, but not all; for example, the California Aqueduct carrying water from the Sacramento delta to southern California is an open channel. Aqueduct systems are designed to withstand natural hazards such as earthquakes and extreme storms. As part of the physical lifelines system that includes other physical infrastructure, aqueducts are planned to be robust to natural disruptions, and for rapid response to disruption. In-place systems for monitoring and response to natural disasters could serve as a basis for expanded monitoring and response systems aimed at intentional interventions. Potential threats to sanitary collection systems are less often considered vulnerabilities, but pose the potential for significant disruption to normal civil functioning, if not to loss of life. Modern urban systems cannot long function without the prompt and efficient removal of sanitary wastes. Loss of sewer services leads to the requirement to vacate homes and businesses, with possible response times of days or weeks to repair the damage.
Odors and possible health hazards could make a many-block area of the central city essentially uninhabitable for a period of time. Gasoline or other flammable or explosive liquids allowed to flow into the sewer system pose the potential for significant explosions over long stretches of city streets. Exactly such an event in 1992 in Guadalajara, Mexico killed at least 200 people and injured 1500 (Eisner, 1992). Indeed, sewer explosions due to the illegal or inadvertent release of flammable liquids are not uncommon in the United States. Sewer grates or storm water intakes exist on every city street. Little would stop a terrorist on a busy downtown street from draining a fully-loaded fuel tanker into such an opening, allowing gravity to carry the flammable fluids perhaps many blocks before an explosion inevitably occurred.
3.2 Chemical, biological, and radiological vulnerability
Possibly more threatening than physical disruption is the potential chemical, biological, or radiological contamination of the water supply. Deininger (2000) provides a catalog of several dozen potential toxins, bacteria, viruses, protozoa, and toxic industrial chemicals that have been identified as possible water contaminants that could be used by terrorists. Even if the actual mortality or morbidity caused by such contamination is minimal, the psychological effect–and thereby the economic and social disruption–of a credible threat to the water supply could be significant. No one willingly drinks water that is suspected to have even trace contamination of a poison, a toxin, or radiation. The potential points of contamination of the water supply are: upstream of the intake of a water supply system, at the water intake or wellhead, at the treatment plant, at a point in the distribution system, or at an individual house connection. The threat of upstream or collection point contamination is limited by the large volumes of water and thus dilution involved at that stage in the system, and by the beneficial effect of filtering and sanitation downstream at the treatment plant. It is believed that truck-load quantities of toxins would be needed to harm water at the supply or collection points, even though certain biological agents can be harmful at low levels (Luthy, 2001). A further concern is that the water supply in several US cities, specifically those with superior natural sources of water supply, such as New York City, San Francisco, Portland (OR), Seattle, and Greenville (SC), is not filtered or otherwise treated other than by chlorination. Thus, contaminants that are not neutralized by chlorination can pass through these systems into distribution.
Table 1. Effectiveness of surface water treatment (Source: Deininger, 2000)
Agent
Screens
Flocculation
Toxins
Ineffective
Bacteria
Ineffective
Viruses
Ineffective
Low effectiveness Low effectiveness Ineffective
Protozoa
Ineffective
Low effectiveness
Sand Filtration Low effectiveness Effective
Disinfection Effective
Ineffective
Effective
Effective
Effective
Effective
Reverse Osmosis High effectiveness High effectiveness High effectiveness High effectiveness
The most likely vulnerability to CBR contamination is at the distribution or individual end user level. Downstream of treatment and sanitation works, any contaminant that enters the distribution system has the potential of traveling unimpeded to end users. A scenario of concern to many water districts is the potential for “backflow” into the distribution system from any household connection or hydrant. Contaminated backflow introduced under pressure into the distribution system could carry chemical, biological, or radiological agents to end users in at least a limited number of blocks adjacent to the point of entry. This might affect a few thousand households (Dreazen, 2002). These agents could arrive in concentrations high enough to be harmful, and would be subject only to residual levels of chlorine or other disinfectants remaining in the water far from the treatment plant. Since the activity could take place inside a building, the likelihood of prior detection by law enforcement would seem minimal. Examples of accidents causing backflow contamination to public water supplies are not unknown. Firefighters in Charlotte, NC in 1997 forced chemical foam into the drinking water pipe system, causing city officials to order thousands of residents not to drink or bathe in public water for several days. A significant issue in contamination of water is the early detection of chemical or biological agents in the water system in time to take corrective action before water gets to a water treatment plant or into the distribution system. While water supplies are routinely monitored for a small number of contaminants, they are infrequently tested for a broader number, and conventional laboratory methods are both time consuming and in exceptionally limited availability. There is, however, much that can be done to improve the situation.
More sophisticated analytical techniques are available in the US chemical industry, and rapid advances in chemical and biological sensing are in development, including advances in immunoassays and nanotechnologies.
3.3 Other concerns
In addition to concerns about physical disruption and contamination by CBR agents, other concerns about the water system involve the use of hazardous chemicals in water treatment, cyber threats to the SCADA systems controlling water systems, the cross vulnerabilities of the water and other infrastructure systems, and the importance of water supply for fire protection. Water treatment involves hazardous chemicals in large quantities, specifically chlorine. At the time of the Pentagon crash on September 11,
directly across the Potomac River at the Blue Plains treatment works of the District of Columbia sat a string of railroad tanker cars loaded with liquid chlorine. Had an aircraft of even modest size crashed into these tankers, the death toll in surrounding communities could have been large. Chlorine, sulfur dioxide, and other dangerous chemicals are routinely used at every water treatment plant in the country, and pose a chemical spill risk unrelated to the water supply system itself. Cyber threats are not thought to be severe regarding the water supply and waste water systems. These systems are, indeed, controlled by telecommunications and computer systems, but the threats of interference with those SCADA systems are principally those of service disruption rather than serious threats to life or property. The water infrastructure depends on electricity to control pumps, valves, and other mechanical components, and to power sensor systems, computers, and telecommunications. Any disruption to the electrical system would have a cascading impact on water supply and treatment. An important design requirement of most urban water systems is providing water pressure for fire protection. A simultaneous attack to ignite urban fires and to disrupt the high pressure hydrant system could have a multiplicative effect on damage and loss of life. Indeed, many of the natural disasters of greatest import of the last hundred years involved the combination of conflagration with loss of water pressure, as in the 1906 San Francisco earthquake.
4. RESEARCH NEEDS
Principal research needs for protection of the water supply and sanitation system include physical asset security; detection, monitoring and treatment of contaminants; and, to a lesser extent, cyber security. Beyond these needs, four other areas of further research were identified by the January 2001 report of the President’s Commission on Critical Infrastructure Protection. These are: (1) threat or vulnerability risk assessment, (2) identification and characterization of biological and chemical agents, (3) establishment of a center of excellence to support communities in conducting vulnerability and risk assessments, and (4) application of information assurance techniques to computerized systems used by water utilities.
REFERENCES
Bowles, David, Loren Anderson, and Terry Glover (1997). “A role for risk assessment in dam safety management,” Proceedings of the 3d Annual Conference on Hydropower 97, Trondheim.
Critical Infrastructure Insurance Office, Reported To The President Of The U.S. On The Status Of Federal Critical Infrastructure Protection Activities.
Dean, Joshua (2002). “Systems Failure,” Government Executive Magazine, February 2.
Deininger, R.A. (2000). “The threat of chemical and biological agents to the public water supply systems,” Water Pipeline Database, SAIC, McLean.
Dreazen, Y.J. (2001). “‘Backflow’ water-line attack feared,” Wall Street Journal, December 27, NY.
Eisner, Peter (1992). “Mexico reels from explosion,” The Tech, Friday, April 24, v112(22): 2, MIT, Cambridge.
Luthy, Richard G. (2001). “Safety of our nation’s water,” testimony before the House Committee on Science, November 14, Water Science and Technology Board, National Research Council.
National Research Council (1964). Water for the Future of the Nation’s Capital Area: A Review of the U.S. Army Corps of Engineers Metropolitan Washington Area Water Supply Study, Water Science and Technology Board, National Academy Press, Washington, DC.
National Research Council (2000). Watershed Management for Potable Water Supply: Assessing the New York City Strategy, Water Science and Technology Board, National Academy Press, Washington, DC.
National Research Council (2002). “Water supply and wastewater systems,” in Making the nation safer: the role of science and technology in countering terrorism, National Academy Press, Washington, DC, pp. 245-252.
Topographic Engineering Center (2001). National Inventory of Dams, U.S. Army Corps of Engineers, Alexandria, VA.
NUCLEAR TERRORISM AND INSURANCE LIABILITY
Oleg M. Kovalevich1 and Sergey D. Gavrilov2
1 Nuclear & Radiation Safety Science and Technology Center, Moscow, Russia; 2 DECOM Technology Intellectual Ltd, PO 6 Moscow 123154, Russia
Abstract:
It is known that terrorist attacks may cause tremendous consequences for third parties, operators and/or insurers. An approach to liability compensation and relief payments to third parties, including transboundary ones, has been suggested for nuclear and radiation terrorist acts with catastrophic accidents.
Key words:
nuclear and radiation terrorism; catastrophic damage; third party; liability compensations; relief payments; international Body of insurance liability; Fund of liability compensation
K.V. Frolov and G.B. Baecher (eds.), Protection of Civilian Infrastructure from Acts of Terrorism, 159–167. © 2006 Springer. Printed in the Netherlands.
1. INTRODUCTION
The application of atomic energy has undergone numerous metamorphoses during the last fifty to sixty years. At times it has instilled terror in humanity, and at times hope for a bright future of nuclear energy use. The political aspect of the problem is the use of the nuclear weapon in the middle of the twentieth century and the threat it poses. There is no doubt that the change in international relations at the end of the last century decreased the probability of nuclear weapon use by nuclear countries, first of all by the member states of the “nuclear club”. Alongside the optimism raised by the development of unlimited energy sources, the rapid growth of the nuclear power industry in the middle of the last century is associated with anxiety among a considerable part of the population, including some representatives of the world scientific community. This anxiety is based on the long-term effects of the use of nuclear power plants (NPP): a probable severe accident like the one in Chernobyl, and the global problems of spent nuclear fuel (SNF) and radioactive waste management, which affect the prosperity of the present population and of subsequent generations.
Within the last decades the international community has undertaken some large-scale actions under the aegis of the IAEA. They include the following Conventions:
1. Convention on Physical Protection of Nuclear Materials, 1980.
2. Convention on Assistance in Case of Nuclear and Radiation Emergency Situation, 1986.
3. Convention on Operational Warning about Nuclear Accidents, 1986.
4. Convention on Environment Impact Assessment in a Transboundary Context, 1991.
5. Convention on Nuclear Safety, 1994.
6. Vienna Convention on Civil Liability for Nuclear Damage, 1997.
7. United Convention on Safe Radioactive Waste Management, 1997.
The above Conventions reflect the specific characteristics of international relations in the application of atomic energy, though they do not in fact consider problems concerning defense against nuclear terrorism.
2. NUCLEAR AND RADIATION TERRORISM
Alongside this practice, insurance activity has developed in the classic way, aimed at securing insurance liability for the prospective damage that may result from it. This activity is developed at both the national and international levels. The Federal Law “Nuclear Energy Application”, Article 18, declares the obligatory free-of-charge insurance of the personnel working at nuclear facilities, as well as third party liability in case of damage from radiation impact in the supervised area, at the expense of the owner or user of the nuclear power facility (hereinafter operator). The law covers all civil nuclear facilities, including decommissioned nuclear powered submarines (NPS) and ships with NPP, atomic support ships, and coastal atomic support bases transferred to the Federal Agency of Atomic Energy of Russia.
2.1 Nuclear and radiation terrorism as a new threat
The development of civilization in the twenty-first century has faced new problems, including global terrorism, with nuclear terrorism among the most hazardous.
There have been attempts to give a proper definition to this term, but a short definition can hardly cover all its aspects. Prevention of terrorism has become a serious worldwide problem that has united countries with different social, economic and political views, and anti-nuclear-terrorism activity is one of its main aspects. This paper deals with two types of probable terrorism classed as nuclear terrorism, that is, the infliction of damage through the use of nuclear devices and facilities or products of nuclear technology. The first type is based on the use by terrorists of materials and devices such as a nuclear weapon, radioactive substances, etc. to do harm to a country or region. The second type is an impact on nuclear facilities or products of nuclear technology that results in harm to the population and/or contamination of the environment. These types of nuclear terrorist effects are described, e.g., in [1,2]. We do not touch on the active prevention of terrorism because it is a separate multistage problem at both the national and international levels. We have to note that international counteraction against terrorist activity has not reached the planned results so far, though it helps to decrease the activity of terrorists. Physical security, created to prevent unauthorized access to nuclear facilities and the theft of fissile materials and fission products, is unable to protect the world community against terrorist activity in full. The probable destruction of nuclear facilities by terrorists can be treated in the same way as nuclear power plant (NPP) safety, where, together with proper safety measures, there is a system of insurance liability of the operator, owner or user of the nuclear facility for compensation of potential damage from an insured accident. This relates to both internal and external effects.
A destruction of nuclear facilities by terrorists with a considerable release of radioactive substances differs little from a severe beyond-design-basis NPP accident in character, in damage rate, and in the organization of the relevant insurance liability.
2.2 Specificity of nuclear terrorism
The main difference between the risk and damage of nuclear terrorism and the risk of beyond-design-basis nuclear accidents lies in the probability of the events and their sequence. A probability of (10⁻⁷ to 10⁻⁵) year⁻¹ is taken for severe beyond-design-basis NPP accidents. Someone is likely to state values for a major terrorist action, though the probability of a nuclear terrorist action is evidently higher. Therefore, it is still impossible to indicate an acceptably accurate range of risk values necessary for assessing the insurance liability of the operator.
Paper [3] presents a view on the insurance of nuclear damage in case of NPP accidents. It considers the insurance liability of the operator towards third persons, legal and natural, and personnel for beyond-design-basis NPP accidents as “the last barrier” after the creation of the protection and mitigation systems of NPP safety, and under the coordinated activity of regulatory authorities and insurance companies. It is proposed to use the same approach in insuring the liability of operators of other nuclear and radiation facilities against a catastrophic insured accident [4]. The authors of this paper think that a similar principle may be used for insuring the liability of operators of various nuclear and radiation facilities for an insured accident caused by a terrorist action. This is based on the fact that the facilities, the insured accidents and their possible damages have the same physical, social, economic and legal parameters and/or characteristics.
We would like to consider the main approaches to the establishment of an international insurance system, taking the necessity of the operator's insurance liability as the main premise. Will this system function together with the insurance system for severe accidents at NPP and other nuclear facilities? In principle it is possible to establish a united system. But in our reckoning, at the first stage the insurance liability system for nuclear terrorism must operate separately from the operators' liability for other types of accident at a nuclear facility. Systems of insurance liability in case of a nuclear accident are unstable in most countries because of insufficient funding, and there is no acknowledged international organization in this specific field. The Convention on assistance in case of nuclear and radiation accident has not properly proved its worth during 17 years.
3. "OUTER" DEFENSE AGAINST NUCLEAR TERRORISM
The following diagram of insurance liability in case of nuclear terrorism is proposed (Fig. 1).
Figure 1. Diagram of the insurance liability in case of nuclear terrorism
3.1 International Body of Insurance Liability
The International Body of Insurance Liability in Case of Nuclear Terrorism is the leading administrative body of the proposed insurance system. The main objectives of the International Body are:
• Organization of financial aid to a country that has been exposed to nuclear terrorism;
• Development of a system approach to the prevention of nuclear terrorism;
• Prevention of nuclear terrorist actions in countries that have no necessary resources and specialists;
• Assistance in the elimination of the effects of nuclear terrorist actions.
So it is necessary to attract financial contributions from the member countries of this initiative and to accumulate monetary funds in the International Fund of Insurance Liability. It is necessary to determine the form and the place of the International Body. It may be an independent organization within the UNO or the IAEA, or a specially established organization. The Russian Federation plays a far from minor part in world politics and economics, especially in power engineering. Russia founded the international prize for power engineering achievements (like the Nobel Prize). Russia also has great experience in the prevention and elimination of nuclear and radiation accidents. Therefore the Russian Federation could host the Headquarters of the newly established UN Organization. It will probably be necessary to develop a special Convention concerning this problem. It may be similar to the Convention on assistance in case of nuclear and radiation emergency situation, or even a part of that Convention itself.
National Bodies are the next level of the proposed diagram (Fig. 1). Each country, of course, has its own problems. Below we consider especially the aspects of insurance liability towards third persons in a given region, Russia. We once more underline our position that National Bodies of Insurance Liability of Operators in Case of Nuclear Terrorism are not existing insurance companies or pools, at least for Russia and other countries where insurance and insurance liability do not cover the probable catastrophic risks arising from nuclear terrorism, but specially established State Bodies. Objectives of the National Body:
• The determination of facilities that are potentially hazardous from the nuclear terrorism point of view;
• The development of a national approach to the prevention of nuclear terrorism, including nuclear terrorist actions;
• The elimination of the effects of nuclear terrorist actions, including compensation of damage to third persons;
• The assistance to the National Bodies of countries that have suffered.
3.2 National fund for insurance liability
The National Body achieves its objectives on the basis of:
• collection of financial contributions from facilities that are hazardous from the nuclear terrorism point of view, and their accumulation in the National Fund of Insurance Liability, with some of the resources transferred to the International Fund of Insurance Liability, and
• the necessary scientific and technological activity both in the country and abroad, including support of the International Body of the Insurance Liability of Operators in Case of Nuclear Terrorism.
Our National Body should consist of experts from the re-established ministries and agencies concerned in Russia, and may be an independent structure or a part of one of the State Organizations.
The two types of nuclear terrorist effects mentioned above are the most probable. Where terrorists use their own nuclear and/or radiation means, the country's facilities, including nuclear hazardous ones, cannot be the financial sources of a Fund of Insurance Liability, even if a terrorist or terrorist organization attacks hazardous facilities. In this case terrorists may use nuclear materials and fissile products against facilities that are not nuclear or radiation hazardous: industrial, social or state management facilities. The sources of replenishment of the National Funds of Insurance Liability and the International Fund of Insurance Liability in Case of Nuclear Terrorism must be the interested countries, including Russia. These countries are to allocate resources from the budget or from special non-budgetary funds. Budgeted resources of the insurance funds not used within the financial year may be directed both to increasing the funds themselves and to carrying out measures for the prevention of terrorist activity, as well as to damage mitigation or the rehabilitation of facilities and areas.
We also tried to estimate the financial flows for the International Insurance System and for the national and International Funds of Insurance Liability in Case of Nuclear Terrorism, together with their uncertainty. Assume that countries with a gross capacity of operating NPP of 500 GW(e) will support this System. Then, by deducting 1% of the electric energy cost into the national and International Insurance Liability Funds, the annual sum of contributions will be $350 million at an electric energy cost of 1 cent per kW(e)·hr and an average NPP unit operation of 7,000 hours per year. For Russia, with an installed capacity of 30 GW(e), the sum of contributions to both these Funds will be about $20 million. Other nuclear and radiation hazardous facilities, including enterprises of the Nuclear Fuel Cycle (NFC), radioisotope sources, etc., may increase the sum of $350 million up to $450-550 million.³ Considering the whole range of uncertainty allows a rough estimate of the financing flows of the International Fund of Insurance Liability in Case of Nuclear Terrorism as $100-1000 million. Is it much or little? The scale is not cheap for many countries, but for some the sum is not too much.
³ It is necessary to note that the cost of National Fund for Insurance Liability services may be included in the cost of the electric power and other commercial products of nuclear power plants.
The necessary financial flows will be determined, first, by the scale of nuclear terrorism, the counteraction to it by interested countries, and probable damages. The size of the damage and the probability of the insured event itself will depend on the efficiency of the counterterrorist measures. An approach to optimizing shielding systems against probable damage has been developed [5]. Paper [6] gives an estimation of probable damage from a severe accident at an NPP for some countries: maximum damage, media expected damage, etc. It is shown that the damage may vary from tens of millions to many billions of dollars. Nuclear terrorism, independently of its type, may probably be directed at the environment and the population on a considerable scale. The most problematic issue is risk estimation for nuclear terrorism, owing to the great uncertainty of terrorists' actions. Probabilistic risk assessment is based on logic but has no proper statistical base. Therefore, it is not accurate enough for insurance liability even for NPP, though this direction is being developed. The question now before humanity, and the scientific community first of all, is again whether it is possible to reach a proper risk level for all parameters of the considered system, such as probabilities, damages, shielding and security optimization, insurance fees, etc., or whether to take a relatively deterministic approach.
4. CONCLUSIONS
The growing risk of nuclear terrorist actions, or the threat of them, from individual terrorists or their organizations has led to new problems for the safe operation of NPP, NFC facilities, and other nuclear and radiation hazardous facilities. At present the last “barrier” of safety for the prevention of terrorist actions and the elimination of their effects, beyond technical systems and physical shielding, is the insurance liability of NPP and NFC enterprises: a social and economic barrier. An International Insurance Liability System could be established for the prevention of nuclear terrorism. The prevention of nuclear and radiation accidents, including nuclear terrorist actions, may be used for a re-evaluation of nuclear industry and engineering, and will give new impetus to its development.
REFERENCES
Koryakin, Yu.V., Environs of Nuclear Power Industry of Russia: New Challenges (Moscow, NIKIET Publ., 2002).
Kovalevich, O.M., On Some Issues of Expenditures Optimization for Emergency Cases Risk Management, Some Risk Problems, and Risk Management (Moscow, VINITI, 2000), p. 22.
Kovalevich, O.M., S.D. Gavrilov and V.F. Demin, Insurance Liability on Nuclear Damage and Nuclear Energy Use Safety, Problems of Safety in Case of Emergency Situations, No. 2, p. 63 (2003).
Kovalevich, O.M., Operation Period Extension of Power Units of Nuclear Power Plants of the First Generation and Civil and Legal Liability on Probable Losses and Damage in Case of the Accident, Atomic Energy, 88, 481 (2000).
Mikhailov, V.N., Non-Proliferation Regime and Nuclear Threat Reduction, in: Proc. Conf. "Prospects of Stability on Nuclear Subcontinent", Bangalor, India (2002), http//www.iss.niiit.ru/pub-eng/pub-07
Voronov, D.B., V.G. Prokhorov, S.D. Gavrilov, and A.A. Derevyankin, Insurance of Nuclear and Radiation Risks in Russia as an External Factor of Personnel and Third Parties Safety, in: Proc. 14th Annual Conf. of Nuclear Society of Russia, Udomlya, 2003 (Moscow, NSR Publ., 2003), p. 87.
CAPITAL WIRELESS INTEGRATED NETWORK
Communication and Emergency Response
Haghani Ali1, Saini Yang2 and Thomas H. Jacobs3
1, 2 Department of Civil Engineering, University of Maryland, USA; 3 Center of Advanced Transportation Technology, University of Maryland, USA
Abstract:
The public’s concern for safety in the Washington Metropolitan area has generated a need for improved coordination and information sharing between numerous public safety and transportation agencies and organizations in Maryland, Virginia, and the District of Columbia. To meet this demand, public safety and transportation agencies are looking to use technology to share more timely and accurate information between agencies serving the Capital Beltway and the surrounding Washington area road network. In this paper, we give an overview of the Capital Wireless Integrated Network Project (CapWIN) and of the ongoing research on the development and evaluation of a real time emergency response system. The system uses real time travel time information to assist emergency response vehicle dispatchers in assigning appropriate response vehicles and guiding those vehicles through less congested routes, so as to minimize the response time and improve overall system efficiency. A simulation model is developed to test and evaluate this system.
Key words:
CapWIN, Communication, Emergency Response, Real Time, Dispatching, Routing
K.V. Frolov and G.B. Baecher (eds.), Protection of Civilian Infrastructure from Acts of Terrorism, 169–192. © 2006 Springer. Printed in the Netherlands.
1. INTRODUCTION
The public's concern for safety has generated a need for improved coordination and information sharing between numerous public safety and transportation agencies. These agencies are also becoming interested in developing partnerships that will allow them to share limited resources towards the common goal of improving safety for their customers. Historically, public safety agencies have depended upon their own standalone communication systems. Not only are there different systems for different agencies within a jurisdiction; neighboring jurisdictions maintain their own systems, too. These systems are not interoperable, making it difficult for agencies to communicate. While there is no one solution to address this problem, jurisdictions are starting to consider altering historical patterns of spending in isolation. Public officials are realizing they can share the costs and benefits of regional communications infrastructure and services by leveraging their limited available resources.
The Capital Wireless Integrated Network (CapWIN) program is a partnership between the States of Maryland and Virginia and the District of Columbia to develop an integrated first responder information network. Project management and staff support are provided through the University of Maryland’s Center for Advanced Transportation Technology. This unique and challenging program will result in the first multi-state and multidiscipline interoperable public safety wireless communications and information access system in the United States. CapWIN can minimize communication failures among first responders caused by differing technologies, systems, and standards by creating a single, open, shared, and secure system for the public safety community for use by all levels of government. The CapWIN project also supports ongoing research activities in emergency response fleet management at the University of Maryland. In this paper, we provide a review of the CapWIN project and introduce the ongoing research on real time emergency vehicle dispatching and routing that is a part of the CapWIN project application.
2. REVIEW OF PROJECT
CapWIN is the nation’s first mobile system designed specifically to connect police, fire, transportation, and other first responders across multiple jurisdictions and across Federal, State and local levels (Figure 1). The CapWIN system connects first responders through a secure information hub using a variety of wireless technologies currently available. Developed using “open” standards, CapWIN has been designed to grow and adapt to changing and evolving technologies in order to leverage the power of new technologies as they are deployed throughout the region. CapWIN has been developed with constant input from a coalition of public safety agencies from across the Washington, D.C., region.
Figure 1. Structure of CapWIN System
Establishing a working coalition of police, fire/EMS and transportation agencies across the National Capital Region (NCR) to oversee CapWIN planning, design, implementation and operations required a tremendous effort. A formal Executive Leadership structure has been created for CapWIN with key stakeholders representing all public safety disciplines and jurisdictions, including Federal and local levels. CapWIN’s success to date can be attributed to the unique partnership that has been established. This partnership has resulted in key milestones in public safety coordination, such as a pending agreement to share regional law enforcement data across multiple jurisdictions through CapWIN.
In late 2003, CapWIN began a “Beta” release of the system to select transportation, fire, and police agencies across the NCR. As of today, 225 first responders from 19 different agencies can now access CapWIN. CapWIN is currently being used daily by police, fire, and transportation personnel across D.C., Maryland, and Virginia to communicate operations related information. Authorized users are currently able to query state and federal criminal justice databases. Access to CapWIN is now occurring through existing and newly deployed Mobile Data Computers (MDCs). A PDA client that provides law enforcement query and instant messaging capability has also been designed and is currently being tested. Additional functionality, including email, will be implemented in the near term. CapWIN also provides a foundation for CAD data exchange across participating agencies, which will be explored later in the CapWIN development cycle.
CapWIN’s initial user base will come from agencies that have already deployed MDCs. CapWIN has also provided a small number of MDCs to agencies without mobile computing in order to engage multiple disciplines across the three jurisdictions. Of course, CapWIN represents a major benefit to public safety agencies that have not yet invested in mobile data. By investing only in MDCs and wireless connectivity, public safety agencies can gain access to CapWIN and immediately utilize incident management, messaging, and law enforcement query capability. The vast majority of public safety agencies (especially small public safety agencies) in Maryland, Virginia, and D.C. do not have mobile data capability and could quickly connect to CapWIN with minimal investment.
Beyond MDCs and PDAs, the CapWIN system can also be accessed via direct WAN/LAN access. The potential benefit of using CapWIN via agency “desktops” is substantial: it facilitates public safety and transportation center-to-center⁴ information exchange and incident management and cross-discipline, cross-jurisdictional investigations, and it provides access to a greater number of public safety personnel across the NCR who are not mobile users. CapWIN has been used in support of recent major regional events, such as the World War II Memorial dedication on the National Mall, where fire, police and transportation officials used CapWIN to coordinate activities and document specific incidents.
In more than one instance, the use of text based messaging documented in public and private “rooms” in the CapWIN system provided greater information clarity than traditional radio communication. By design, CapWIN provides improved “situational awareness” by identifying users by both name and discipline. For example, identification of participants in CapWIN incidents is facilitated by visually highlighting which disciplines (police, fire or transportation) are engaged. Regular feedback from users is being collected in order to identify issues and to enhance functionality and system stability. As CapWIN continues to improve the initial production system release during summer 2004, additional agencies and users across the NCR have begun using CapWIN.
⁴ EOCs, PSAPs, Traffic Management Centers (TMCs), and other command centers.
2.1 Goals and objectives
The primary goal of the CapWIN project is to create a single, shared, and secure system that provides seamless communications and data interoperability for first responders across the National Capital Region (NCR). The successful development of the CapWIN system will have significant and positive impacts for emergency response and incident management as well as intelligence coordination, preparedness, and knowledge management. Specific objectives for achieving CapWIN goals cover a wide range of public safety interest areas:
Regional Incident Management & Coordination
• Based upon and fully exploiting evolving data communications technology, enhance response capabilities of transportation and law enforcement first responders involved in critical incidents.
• Improve the reliability, timeliness, and quality of shared data in support of regional incidents managed by multiple public safety disciplines across the NCR.
• Provide critical information to public safety and transportation officials regarding life-threatening situations (HAZMAT, NBC/WMD, traffic stops, wanted persons, etc.).
Public Safety Network Interoperability and Integration
• Seamlessly connect multiple mobile data communication platforms regardless of their jurisdiction or geographical location and include end users representing Federal, State and local police, fire, and EMS vehicles as well as state DOT service patrols.
• Deliver appropriate data in a meaningful, relevant, and understandable form, whenever and wherever it is needed.
• Develop an information hub which is expandable to serve more agencies in Virginia, Maryland, District of Columbia and other states.
Public Safety Network Enhancement & Expansion
• Develop the requirements for future mobile data applications for transportation and public safety.
• Examine the potential for integrating new mobile data platforms into CapWIN and other regional public safety systems.
Public Safety Network Standards & Education
• Identify architectures and standards appropriate to the integration of public safety data/technology into existing law enforcement, transportation, fire, and emergency medical services.
• Develop operational policies and requirements for CapWIN and applicable regional information sharing.
• Educate transportation, law enforcement, fire, emergency medical services, and legislative leaders on the benefits of developing partnerships and cooperating in technology research efforts to help solve the problems associated with lack of communications interoperability.
Long-Term Cross-Jurisdictional Coordination
• Develop a business agreement with memorandums of agreement with each participating agency for the maintenance and long term requirements of the CapWIN system.
• Create an administrative model and supporting documentation that can be replicated in other areas of the United States and, potentially, other countries.
2.2 Evaluation strategy
The CapWIN project was identified by the US Department of Transportation as a project of “National Significance.” As a result, the Federal Highway Administration (FHWA) has contracted with SAIC to conduct a performance evaluation of CapWIN. This evaluation is designed to assess the operational benefits to first responders (end users) of the system and to assist CapWIN with ongoing system development. A detailed evaluation has been developed and baseline data has already been collected. Current evaluation metrics include:
• Incident response time
• Changes to response effectiveness (correct personnel, equipment, etc.)
• Improved communications internally (own agency) and externally across disciplines/jurisdictions
• Clarity and efficiency of communications
• Reductions in redundant requests/“calls”
George Mason University is also working to conduct an evaluation of institutional issues related to the establishment of the CapWIN Executive Leadership Group and the various agreements that will be required to exchange and access data. In terms of institutional evaluation, the John F. Kennedy School of Government at Harvard University has developed a CapWIN case study focusing on the development of a multi-state governance partnership. In addition to these external assessments, CapWIN technical staff is collecting system performance data on a daily basis in order to monitor and improve the CapWIN system.
3. CAPWIN RESEARCH IN REAL TIME EMERGENCY RESPONSE VEHICLE FLEET MANAGEMENT
By providing an extraordinary opportunity to improve interoperability and information exchange across all public safety disciplines in the NCR, CapWIN benefits the public by allowing better management of the emergency response services in the region. This can be accomplished by coordination of activities and data communication between the regional traffic management centers and the agencies that are responsible for emergency response services. Operation of an emergency response system is summarized in Figure 2. The operational efficiency of such systems can be improved significantly if the dispatch centers can monitor the location and status of the emergency vehicles and make use of the real-time traffic information that can be provided by the traffic management centers.
Efficient management of the emergency response vehicle fleet plays an important role in improving the performance of an emergency response system. When emergency calls arrive at the emergency response system, the most important responsibility of the dispatcher is to decide the number and types of required vehicles, and to dispatch these vehicles to the emergency scenes. When real-time traffic information is available, the dispatch center can provide route guidance as well, to avoid congested areas in the transportation network. Intuitively, it is preferred to send the nearest available vehicles to the emergencies. Since the number of available vehicles is limited, when the number of emergencies that need attention grows, the system becomes heavily loaded and the response to some less severe emergency calls may have to be delayed to deal with the more severe ones. In this process, some emergency response vehicles that were dispatched earlier to respond to less severe emergencies may also be re-assigned to the new, more severe ones and re-routed.
CapWIN research is focused on developing a system for real-time emergency response vehicle fleet management. The main goal is to develop a mathematical optimization model for making real-time dispatching and routing decisions.
3.1 Background literature

Emergency response management has been an attractive subject for operations research specialists and management scientists. Most of the literature is on EMS (Emergency Medical Service) systems. The studies always focus on location, fleet size, and operations performance. Approaches involved in research can be categorized into 3 groups: queuing methods (Larson 1974, 1975), mathematical programming (Toregas et al., 1971), and simulation (Savas 1969, Lubicz et al., 1987, Goldberg et al., 1990, 1991).

Developing analytical methods (mathematical programming and queuing models) for emergency response systems is a rather unrewarding task. Even if we succeed in building an appropriately sophisticated analytical model, it may not be possible to solve the model using known analytical techniques. This limitation could be overcome if we embedded mathematical models into simulation to represent the system and its performance. The application of mathematical models and simulation models enables us not only to find an optimal solution to an emergency vehicle dispatching decision problem, but also to observe an emergency response system under different sets of assumptions. It also allows us to test new operational strategies such as different facility locations or dispatching rules.
[Figure 2: diagram with the labels Traffic Data, Depots, Dispatching Order, Vehicle Information, Center, Emergency Site, Hospital Information, Hospitals (if necessary), Emergency Information]

Figure 2. Emergency Response System Operation

A real-time emergency vehicle dispatching model must rely on solving a dynamic shortest path problem. Shortest path problems are by far one of the most fundamental and the most commonly encountered problems in the study of transportation and communication networks. Deo and Pang (1984) provided a thorough classification scheme as well as a more comprehensive and updated bibliography. The first paper dealing with time-dependent shortest path algorithms appears to be by Cooke and Halsey (1966). Their algorithm is based on the general Bellman’s principle of optimality. It discretizes the horizon of interest into small time intervals. Starting from the destination node, it calculates the path operating backwards. Ziliaskopoulos and Mahmassani (1993) introduced Cooke and Halsey’s algorithm to calculate the time-dependent shortest paths from all nodes in the network to a given destination node for every time over a given time horizon in a network with time-dependent arc costs.

Dynamic shortest path algorithms depend on link travel information, such as the travel time on a link when departing from its start node at some time later than the current time. Therefore, a proper travel time prediction method should be identified so that the dynamic shortest path has a base on which to work. The existing prediction methodologies include the system-wide method and the statistical method. The system-wide dynamic approach is based on a dynamic traffic assignment model, working in connection with a dynamic O/D prediction method. This method will be more accurate for prediction horizons in the range of 15 to 30 minutes. The statistical models use the data collected on the links with explicit feedback of prediction errors. It is expected that statistical models are more accurate for short time periods (1 to 10 or 15 minutes). Ben-Akiva et al. (1995) have shown that the statistical model outperforms the dynamic traffic assignment model for shorter prediction horizons.
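The backward, discretized calculation described above, as an added Python example that is not the authors' code. The four-node network, its travel times in one-minute intervals, and the rule that travel times stay frozen at their last value beyond the horizon are constructed assumptions.

```python
import heapq

INF = float("inf")


def frozen_labels(arcs, dest, t):
    """Static shortest times to dest using every arc's travel time at interval t
    (Dijkstra on the reversed graph)."""
    rev = {}
    for (u, v), times in arcs.items():
        rev.setdefault(v, []).append((u, times[t]))
    dist = {dest: 0}
    heap = [(0, dest)]
    while heap:
        d, v = heapq.heappop(heap)
        if d > dist[v]:
            continue
        for u, w in rev.get(v, []):
            if d + w < dist.get(u, INF):
                dist[u] = d + w
                heapq.heappush(heap, (d + w, u))
    return dist


def time_dependent_labels(nodes, arcs, dest, horizon):
    """Backward pass from the last interval to the first.
    label[t][n] is the least travel time from n to dest when leaving n at
    interval t; succ[t][n] is the next node on that path.
    Every travel time must be at least one interval, so each label only
    depends on labels of later intervals, which are already known."""
    out = {n: [] for n in nodes}
    for (u, v), times in arcs.items():
        out[u].append((v, times))
    boundary = frozen_labels(arcs, dest, horizon - 1)  # assumption: frozen after horizon
    label = [None] * (horizon + 1)
    succ = [None] * horizon
    label[horizon] = {n: boundary.get(n, INF) for n in nodes}
    for t in range(horizon - 1, -1, -1):
        label[t], succ[t] = {dest: 0}, {}
        for n in nodes:
            if n == dest:
                continue
            best, nxt = INF, None
            for v, times in out[n]:
                arrive = min(t + times[t], horizon)
                cand = times[t] + label[arrive][v]
                if cand < best:
                    best, nxt = cand, v
            label[t][n], succ[t][n] = best, nxt
    return label, succ


def route(succ, arcs, src, dest, depart, horizon):
    """Follow the successors while advancing the clock along the path."""
    path, t, n = [src], depart, src
    while n != dest:
        step = succ[min(t, horizon - 1)].get(n)
        if step is None:
            return None  # dest cannot be reached from n
        t += arcs[(n, step)][min(t, horizon - 1)]
        n = step
        path.append(n)
    return path


def experienced_time(path, arcs, depart, horizon):
    """Travel time actually incurred on a fixed path under time-dependent arcs."""
    t = depart
    for u, v in zip(path, path[1:]):
        t += arcs[(u, v)][min(t, horizon - 1)]
    return t - depart


def snapshot_route(arcs, src, dest, t):
    """Static route chosen from the travel times observed at interval t only."""
    dist = frozen_labels(arcs, dest, t)
    if src not in dist:
        return None
    path, n = [src], src
    while n != dest:
        n = min((v for (u, v) in arcs if u == n),
                key=lambda v: arcs[(n, v)][t] + dist.get(v, INF))
        path.append(n)
    return path


# Constructed network: A is the station, D the incident. Congestion builds on
# arc B->D from interval 2 onward. Each list holds travel times by departure interval.
NODES = ["A", "B", "C", "D"]
HORIZON = 6
ARCS = {
    ("A", "B"): [2, 2, 2, 2, 2, 2],
    ("B", "D"): [2, 2, 6, 6, 6, 6],
    ("A", "C"): [3, 3, 3, 3, 3, 3],
    ("C", "D"): [2, 2, 2, 2, 2, 2],
}

if __name__ == "__main__":
    label, succ = time_dependent_labels(NODES, ARCS, "D", HORIZON)
    static = snapshot_route(ARCS, "A", "D", 0)
    print("static route ", static, experienced_time(static, ARCS, 0, HORIZON))
    print("dynamic route", route(succ, ARCS, "A", "D", 0, HORIZON), label[0]["A"])
```

On this instance the snapshot route looks shorter at departure but meets the congestion on arrival at B, which is the case the time-dependent labels are meant to catch.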
3.2 System specifications

The proposed framework for the real-time emergency response system is shown in Figure 3. This system incorporates the dynamic shortest path algorithm and the mathematical programming for the dispatching decision. For this research, two random generation modules are used to generate traffic and emergency information. The traffic generation module creates the real-time traffic information. The emergency generation module generates the emergencies in the network. In a real-world implementation these modules can be replaced by available real-time information.

3.2.1 Response time

Normally, emergency response time is the time between receiving a call at the dispatch center and the arrival of the first emergency response vehicle on the scene. The duration of the dispatch time depends on the emergency service vehicle availability. It is a function of the generated workload for emergency medical services, i.e. the number, spatial and temporal distribution, and severity of the emergencies. If the emergency call rates are not high, the capacity of the system can deal with all service requirements. In this case, the duration of the dispatch time is relatively constant. If this is not the case, a queue forms in which the emergencies wait for an available response vehicle. This model focuses on the travel time component of response time since this is the component most affected by dispatching and routing decisions. Travel time depends on the travel speed of the emergency response vehicles and the size of their service area. It also depends substantially on emergency response vehicle management, which includes the dispatching strategy and route determination. Therefore, the emergency restoration time, and consequently the performance of the emergency response system, can be enhanced substantially by reducing travel time.

[Figure 3: block diagram with External Modules and Internal Modules; labels Travel Time Predictor, Simulator, Dispatching Optimizer, Shortest Path Calculator, Real Time Traffic Data, Real Time Emergency Data, Evaluator]

Figure 3. Real-Time Emergency Response System Framework

3.2.2 Dispatch strategies

The real-time dynamic vehicle allocation and routing problem is concerned with assigning newly arriving requests to specific response vehicles and modifying existing assignments as changes happen in the system. The following three assignment strategies are studied in this research:

• First Called, First Served (FCFS): The FCFS strategy assumes the service calls are assigned to available vehicles in the order in which requests are received. Service requests are added to a queue of requests on arrival; when a vehicle becomes available, it is assigned the first request in the queue. If one or more vehicles are idle when the request arrives, the request is assigned to the vehicle that has been idle longest. A driver must contact the dispatch center upon completion of service.

• Nearest Origin Assignment (NO): In nearest origin assignment, service requests enter the pool of unassigned requests. Upon assignment completion, the driver contacts the dispatch center for a new assignment, at which time an assignment is made to the nearest unassigned request. Service calls arriving when one or more vehicles are idle are assigned to the nearest idle vehicle. A driver must contact the dispatch center upon completion of service.

• Flexible Assignment Strategy (FA): In the flexible assignment strategy, service requests enter the pool of unassigned requests when all vehicles are busy, or when the idle vehicles cannot reach the emergency spot within the maximum required response time. At each time point, the dispatch center will optimize the current assignment so as to minimize total response time according to the associated weights of the different priorities of emergencies. Therefore, en route diversion and reassignment of vehicles to emergencies are allowed in this strategy. Namely, responding vehicles can change their current route or destination under the guidance of the dispatch center. Under this strategy, a mathematical optimization model is needed for the decision making of vehicle dispatching and routing.

Two definitions used in the remainder of the paper are stated here in advance.
If a vehicle’s destination is different before and after a certain time point, the vehicle has undergone a Route Change. If a vehicle is dispatched to a waiting emergency other than its destination at the last time point, the vehicle has undergone a Reassignment. Under the objective of minimizing the total response time, the route and the destination of the emergency response vehicles could change frequently. Changes in destination or route that are too many or too frequent can be confusing and counterproductive. It is therefore helpful to introduce a Reassignment Condition into the formulation.
H. Ali, S. Yang and T.H. Jacobs
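3.3 Mathematical formulation

The mathematical formulation for the real-time emergency response vehicle dispatching problem minimizes the overall response time subject to vehicle availability and service constraints and is as follows:

$$\min \; \sum_{l=1}^{5} a_l \sum_{i=1}^{N_v} \sum_{j \in W^l} x_{ij}\, t_{ij}(t) \;+\; b \sum_{i=1}^{N_v} \sum_{k=1}^{N_h} x_{ik}\, t_{ik}(t) \;+\; c \sum_{i=1}^{N_v} \sum_{s=1}^{N_s} x_{is}\, t_{is}(t)$$

S.T.

$$\sum_{j \in W^1 \cup \dots \cup W^5} x_{ij} + \sum_{k=1}^{N_h} x_{ik} + \sum_{s=1}^{N_s} x_{is} = 1 \qquad \forall i \tag{1}$$

$$\sum_{j \in W^1 \cup \dots \cup W^5} x_{ij} + \sum_{s=1}^{N_s} x_{is} = 1 \qquad \forall i \in V^1, V^6 \tag{2}$$

$$\sum_{j \in W^1 \cup \dots \cup W^5} x_{ij} = 1 \qquad \forall i \in V^2 \tag{3}$$

$$x^0_{ij} = x_{ij} \qquad \forall i \in V^3, V^5 \tag{4}$$

$$\sum_{k=1}^{N_h} x_{ik} = 1 \qquad \forall i \in V^4 \tag{5}$$

$$\sum_{i=1}^{N_v} x_{ij} = 1 \qquad \forall j \in W^0, W^1, \dots, W^5 \tag{6}$$

$$\sum_{i=1}^{N_v} x_{ij}\, t_{ij}(t) \le T_j(t) \qquad \forall j \in W^1, \dots, W^5 \tag{7}$$

$$-\left( \sum_{j \in W^1 \cup \dots \cup W^5} t_{ij}(t)\, x^0_{ij} - \sum_{j \in W^1 \cup \dots \cup W^5} t_{ij}(t)\, x_{ij} - \tau \right) \le M\, y_i, \qquad 1 - \sum_{j \in W^1 \cup \dots \cup W^5} x^0_{ij}\, x_{ij} \le M\,(1 - y_i) \qquad \forall i \in V^2 \tag{8}$$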
where:

$V$: The set of Emergency Medical Service (EMS) vehicles in the system
$N_v$: The total number of emergency response vehicles
$i$: The index of vehicles in set $V$, $i = 1, 2, \dots, N_v$
$V^1$: The subset of the vehicles in $V$ that are staying at home station with “idle” status
$V^2$: The subset of the vehicles in $V$ that are moving to an incident point
$V^3$: The subset of the vehicles in $V$ that are staying at specific points to deal with emergencies
$V^4$: The subset of the vehicles in $V$ that are leaving for hospitals after finishing the tasks at incident points
$V^5$: The subset of the vehicles in $V$ that are staying at hospitals
$V^6$: The subset of the vehicles in $V$ that are moving back to home stations
$W$: The set of emergencies that are waiting for service
$N_w$: The total number of emergencies that are waiting for service
$j$: The index of emergencies in set $W$, $j = 1, 2, \dots, N_w$
$W^0$: The subset of emergencies in $W$ that are currently being treated
$W^1$: The subset of emergencies in $W$ that are waiting for treatment with 1st priority
$W^2$: The subset of emergencies in $W$ that are waiting for treatment with 2nd priority
$W^3$: The subset of emergencies in $W$ that are waiting for treatment with 3rd priority
$W^4$: The subset of emergencies in $W$ that are waiting for treatment with 4th priority
$W^5$: The subset of emergencies in $W$ that are waiting for treatment with 5th priority
$a_i$: The weight of response time for emergencies with $i$th priority
$H$: The set of hospitals in the system
$N_h$: The total number of hospitals
$k$: The index of hospital in set $H$, $k = 1, 2, \dots, N_h$
$S$: The set of home stations
$N_s$: The total number of home stations
$s$: The index of home station in set $S$, $s = 1, 2, \dots, N_s$
$x^0_{ij}$: $= 1$ if vehicle $i$ was dispatched to an emergency $j$; $= 0$ otherwise
$x^0_{ik}$: $= 1$ if vehicle $i$ was dispatched to hospital $k$; $= 0$ otherwise
$x^0_{is}$: $= 1$ if vehicle $i$ was going back to its home station $s$; $= 0$ otherwise
$x_{ij}$: $= 1$ if vehicle $i$ is dispatched to an emergency $j$; $= 0$ otherwise
$x_{ik}$: $= 1$ if vehicle $i$ is dispatched to hospital $k$; $= 0$ otherwise
$x_{is}$: $= 1$ if vehicle $i$ is going back to its home station $s$; $= 0$ otherwise
$T_j(t)$: The required response time for emergency $j$ at time $t$ (see Section 3.2)
$t_{ij}(t)$: The predicted travel time for vehicle $i$ to arrive at emergency $j$ while departing at time $t$
$t_{ik}(t)$: The predicted travel time for vehicle $i$ to arrive at hospital $k$ while departing at time $t$
$t_{is}(t)$: The predicted travel time for vehicle $i$ to arrive at home station $s$ while departing at time $t$

The total weighted travel time is the objective function of this formulation. The total travel time includes: the travel time to the emergency waiting for service, the travel time to the hospitals, and the travel time to home station. The objective function gives higher weights to emergencies with higher priority so that the severe emergencies would be served quicker.

Constraints 1 state that every emergency response vehicle must have a destination after assignment at time $t$. The destination of any vehicle could be either an emergency, or the hospital or the home station.

Constraints 2 ensure that vehicles that are staying at their home stations ($V^1$) can be only dispatched to an emergency or remain at their current home station(s). The vehicles cannot be dispatched to a hospital without going to an emergency first.

Constraints 3 state that the vehicles that are dispatched to emergencies ($V^2$) will continue going to their previous destination or another emergency in the network. They cannot go back to their home station without finishing any job in their trips.
Constraints 4 ensure that vehicles that are dealing with emergencies cannot be dispatched to any other emergencies.

Constraints 5 state that the vehicles driving to hospitals can change their destination, but their new destination should be another hospital.

Constraints 6 state that one vehicle must be dispatched to an emergency waiting for service. If the number of emergencies is greater than the available number of vehicles at some time point $t$, a pre-processing will be done. Some calls with lower priorities and later arrival times will be put in a queue. This pre-processing ensures that the number of vehicles is greater than or equal to the number of emergencies waiting for service so that the formulation has a feasible solution.

Constraints 7 ensure that although we are trying to optimize the total weighted travel time, every emergency is treated justly. The bottom line is that each of them should be reached in some required response time so that the service standard could be met.

Constraints 8 are mathematical expressions of the reassignment conditions that were discussed in Section 3.4. $y_i$ is an indicator variable. If a vehicle $i$ is assigned to a new destination, $y_i$ is equal to 0, otherwise $y_i$ is equal to 1. The condition of reassignment is that the travel time to the new destination is less than the travel time to previous destination by a threshold $\tau$.
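A brute-force version of the Flexible Assignment decision on a constructed two-vehicle instance, added here for illustration and not the authors' C++/CPLEX model. It keeps only idle and en-route vehicles and the emergency term of the objective, enforces constraints (3), (6), (7) and the reassignment condition (8), and includes the Nearest Origin rule for comparison; the weights, travel times and required response times are assumed values.

```python
from itertools import permutations


def flexible_assignment(vehicles, emergencies, travel, weights, tau):
    """Enumerate every way of giving each waiting emergency exactly one vehicle
    and return the cheapest feasible one.

    vehicles:    {vehicle: emergency it is already heading to, or None if idle}
    emergencies: {emergency: (priority, required response time in minutes)}
    travel:      {(vehicle, emergency): predicted travel time in minutes}
    weights:     {priority: weight of response time for that priority}
    tau:         reassignment threshold in minutes

    Returns (weighted travel time, {vehicle: emergency}, reassigned vehicles),
    or None when no assignment satisfies the constraints.
    """
    en_route = {v for v, prev in vehicles.items() if prev is not None}
    calls = list(emergencies)
    best = None
    # Constraint (6): one vehicle per emergency, no vehicle used twice.
    for chosen in permutations(vehicles, len(calls)):
        # Constraint (3): a vehicle already on its way must keep serving a call.
        if not en_route <= set(chosen):
            continue
        cost, reassigned, feasible = 0.0, [], True
        for v, e in zip(chosen, calls):
            t_new = travel[(v, e)]
            priority, required = emergencies[e]
            # Constraint (7): the call must be reached within its required time.
            if t_new > required:
                feasible = False
                break
            prev = vehicles[v]
            if prev is not None and prev != e:
                # Constraint (8): divert only if the new trip is shorter than
                # the old one by at least the threshold tau.
                if t_new > travel[(v, prev)] - tau:
                    feasible = False
                    break
                reassigned.append(v)
            cost += weights[priority] * t_new
        if feasible and (best is None or cost < best[0]):
            best = (cost, dict(zip(chosen, calls)), reassigned)
    return best


def nearest_origin(vehicles, new_call, travel):
    """Nearest Origin rule: a new call goes to the nearest idle vehicle and
    vehicles that are already en route are never diverted."""
    idle = [v for v, prev in vehicles.items() if prev is None]
    if not idle:
        return None
    return min(idle, key=lambda v: travel[(v, new_call)])


# Constructed instance: v1 is on its way to the priority-3 call e1 when the
# priority-1 call e2 arrives; v2 is idle at its home station.
VEHICLES = {"v1": "e1", "v2": None}
EMERGENCIES = {"e1": (3, 15), "e2": (1, 10)}
TRAVEL = {("v1", "e1"): 6, ("v1", "e2"): 3, ("v2", "e1"): 5, ("v2", "e2"): 9}
WEIGHTS = {1: 5, 2: 4, 3: 3, 4: 2, 5: 1}  # assumed values, higher priority weighs more

if __name__ == "__main__":
    for tau in (2, 4):
        print("tau =", tau, flexible_assignment(VEHICLES, EMERGENCIES, TRAVEL, WEIGHTS, tau))
    print("nearest origin sends", nearest_origin(VEHICLES, "e2", TRAVEL))
```

With the smaller threshold the en-route vehicle is diverted to the priority-1 call and the idle vehicle takes over the earlier call; with the larger threshold the diversion is blocked and the result matches the Nearest Origin choice.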
3.4 The conceptual simulation

To evaluate several emergency response vehicle dispatching strategies, a simulation model is developed that incorporates all issues discussed so far. As shown in Figure 4, at each simulation point, the program will update the emergency and vehicle information. The information to update for a vehicle includes: the current location, the route to take, the destination, the time of the next status change, the current status, and the next proposed status. All the information must be updated at each step. Each vehicle in the study network is treated as a moving node. If the position of a vehicle changes, the program updates the shortest path between each pair of nodes simultaneously. The information to update for an emergency includes: the current status of the emergency and the required response time. More details of the simulation program will be presented in the following sections. Object-oriented C++ programs are developed to simulate the system under alternative dispatching strategies. For the Flexible Assignment strategy, at every simulation point, the program will prompt CPLEX to optimize the assignment.

3.4.1 Dispatch center

At each simulation time point (receiving a new service call, a vehicle status change from “busy” to “available”, or an incremental time point), the dispatch center runs the program and makes decisions about the movement of all vehicles according to an assignment strategy and the result of the simulation. It is therefore the brain center of the operation, receiving and processing all service calls and controlling all activities.
[Figure 4: flow chart with the boxes Generate Traffic Flow; Generate Emergency Incident; Predict Travel Time; Calculate Dynamic Shortest Path; Update Incident and Vehicle Information; Select the Next Simulation Point; Assign Vehicle (Using Formulation); Change Emergency Vehicles’ Destinations or Routes; Update System Time]

Figure 4. Conceptual Flow Chart of the Simulation Model
3.4.2 Emergency module

The emergency list contains the following information: (a) the temporal distribution of the emergency calls, (b) the spatial distribution of the emergency calls, (c) the priority distribution of the calls.

3.4.3 Vehicle module

Each response vehicle in the fleet represents a working crew and provides emergency service. Various classes of vehicles, with varying attributes that affect their functionality and ability to respond to particular types of request, could be represented. Vehicle activities are described by keeping track of the location, the status, the destination and the path to the destination for each vehicle. The nodes representing the vehicles are “temporary” and “movable”. That is, the nodes are attached to and move together with the vehicles. At any given instant, each vehicle has an associated status. A vehicle changes status at the occurrence of certain events that mark the occurrence of a service call or the completion of the corresponding activity. For instance, a vehicle status changes from “idle at station” to “on the way to an emergency spot” on receiving an assignment from the dispatch center.

3.4.4 Simulation time advances

The simulation time advance process in this research is by “event” and “fixed time increment”. That is, the process is event-driven as well as time-driven. During the interval between any two simulation points, the system smoothly follows the best solution in memory. When an emergency happens or a vehicle changes its status, such as from “busy” to “free”, we should update the related variables according to these events. Operation optimization may be performed at these time points. The simulation is based on real-time traffic data.

Events. The events include the “emergency” part and the “vehicle” part. The emergency part refers to the “arrival” of a new emergency. The “disappearance” of an emergency should also be included in the “vehicle” part, since the corresponding response vehicle will change its status once the on-scene service is accomplished. But the emergencies and vehicles in the system are not independent, because vehicles correspond to calls. When a vehicle changes its status from “on the way to an emergency X” to “service an emergency X”, the emergency call changes its status from “waiting for service” to “in service”.
Similarly, if a vehicle changes its status from “serve an emergency X” to “on the way to hospital Y”, the emergency is removed from the “call list” under consideration. The vehicle status change is tightly related to the emergency status change. Furthermore, some vehicle status changes may result in the reconsideration of the dispatching decision. For instance, if a vehicle has finished its task and is on its way back to the depot, the vehicle is “free” at this point. We may assign it to an emergency site. So the formulation and re-assignment are needed upon this event.

Time Increment. Since the traffic situation will affect the travel time and thus affect the route of emergency vehicles, it is necessary to check our vehicles’ routes occasionally. It is also possible to change their destination at some points. There are an “event series” and a “time increment” to drive the simulation process. We will rank these time points and select the earliest one as the next simulation time point. At each simulation point, the program will update the emergency and vehicle information. The information to update for vehicles includes: the current location, the route to take, the destination, the time point of the next status change, the current status, the next proposed status, etc. Each vehicle in the studied network is treated as a “moving” node. If the position of a vehicle has changed, the program will update the adjacency matrix and the shortest path between each pair of nodes simultaneously. The information for an emergency is relatively simple, because some emergency information is recorded by the corresponding vehicles. The information to update includes adding or removing an emergency and the remaining time to the required time limit.

3.4.5 Traffic generation

For real-world implementation, real-time traffic information will be available to the emergency response system with the help of CapWIN. However, in order to run the simulation and test the dispatching model, a traffic generation module is required to build a complete simulation framework. The average flow for each time period (for example, AM and PM peak hours) is also assumed available. Typically, there are AM and PM peak hours for weekdays and a midday peak hour for weekends. Traffic volume $q_{ij}(t)$ over link $ij$ at current time $t$ will be generated as a random variable with normal distribution $N(\mu_{ij}(t), \sigma_{ij}(t))$, where $\mu_{ij}(t)$ is the average flow rate at time $t$, and $\sigma_{ij}(t)$ is proportional to $\mu_{ij}(t)$. With the flow rate generated above, the travel speed on each link is determined using a unique speed-flow relationship for that link.

3.4.6 Dynamic shortest path algorithm

A discrete approach for determining the dynamic shortest paths is selected for this research. Most recent research in dynamic shortest path algorithms concentrates on discrete approaches. Discrete dynamic shortest path algorithms have been developed and tested successfully with the advantage of fast computation time, which is essential in our research. The algorithm for computing the dynamic shortest path between each O/D pair and each starting point is available in the literature (Ziliaskopoulos and Mahmassani 1993).
4. MODEL TESTING AND ANALYSIS RESULTS

4.1 Computation time

Computation time is a major issue if this model is to be applicable in real-time situations, so the computational efficiency should be examined. CPLEX is selected as the tool to solve the mathematical program. 4 sample networks are created with sizes from 30 nodes to 200 nodes. The number of emergency vehicles is about 1/6 of the number of nodes. Nodes are generated with 2-dimensional coordinates $(x, y)$. Each node is connected to nearby nodes by straight lines. Every node has about 4 links connected to it on average. Emergencies are generated randomly with some geographical distribution. The current location and destination of each vehicle are designated according to these emergencies. For each network 5 tests are done. Different emergencies and vehicle statuses are generated for each test. For a network with 30 nodes, the average computational time is about 0.01 second, whereas the time is 0.17 second for a 200-node network. This indicates that the computation time increases almost linearly with the increase in the number of nodes in the tested range. This computation time is efficient enough for implementation in this research.
4.2 Parametric sensitivity analysis

4.2.1 Reassignment threshold

Three sample networks are tested on reassignment condition threshold. Changing $\tau$ from 0.5 to 6 minutes, the number of reassignments is decreasing gradually (see Table 1) and the number of over-waited calls is increasing. When $\tau \ge 10$ minutes, no reassignment is observed in solutions.

Table 1. Reassignment Threshold

| Criteria \ $\tau$ (min.) | 0.5 | 1.0 | 2.0 | 4.0 | 5.0 | 6.0 |
|---|---|---|---|---|---|---|
| Average response time | 4.96 | 5.12 | 5.18 | 5.23 | 5.41 | 5.56 |
| Maximum response time | 17.30 | 17.30 | 17.10 | 18.1 | 20.7 | 21.2 |
| Number of over-waited calls | 1 | 0 | 2 | 3 | 4 | 6 |
| Total number of times the vehicles change routes | 20 | 15 | 13 | 10 | 8 | 4 |
4.2.2 Weights of response time

Weights of response time $a_i$ ($i = 1, 2, \dots, 5$) are a set of important parameters that could impact the solution of mathematical programming. The weight of response time for emergency calls with $i$th priority is $a_i$. The formulation gives higher value of $a_i$ to the calls with higher priority so that those calls could be served earlier if possible. The ratio of weights, or the relative weights of response time is defined as:

$$r_{ij} = \frac{a_i}{a_j} \tag{9}$$
The ratio of weights of response time is changed in 5 test scenarios. Test 1 gives equal weights to all types of emergencies. Test 5 gives weights with the greatest differences to the various types of emergency calls. These 5 scenarios are tested in 2 sample networks with about 60 nodes and 12 vehicles. The average response times for emergencies with different priorities are plotted (see Figure 5). If an emergency with higher priority is given a higher relative weight, the average response time for calls with higher priorities is less than the average response time for those with lower priorities. In test 1, all emergency calls are given equal weights, so the average response times for all priorities are approximately the same. In test 3, the average response time for emergencies with 1st priority is 6.3 minutes whereas the average response time for those with the 5th priority is 8.8 minutes. As the ratios increase, the difference in average response time increases. For example, in test 2, the difference in response time between emergencies with 1st priority and the ones with the 5th priority is 1.2 minutes. The difference is 2.1 minutes in test 3, 4.5 minutes in test 4, and 4.6 minutes in test 5.
4.3 Comparison of dispatch strategies and shortest path algorithms

When comparing alternative dispatching strategies under different emergency arrival rates, the average response time is the main criterion for judging a dispatching strategy since it plays a crucial role in minimizing the adverse impacts. Figures 6 and 7 indicate that, regardless of whether static or dynamic travel time information is considered, the Flexible Assignment dispatching strategy performs better than the Nearest Origin and the FCFS dispatching strategies in terms of the average response time, and the Nearest Origin dispatching strategy is better than the FCFS dispatching strategy. When the time interval between two consecutive emergencies is small, namely, when request calls are more frequent, the advantage is more dominant. For instance, under dynamic travel time information, when the interval has a mean of 8 minutes, the average response times for the FCFS, the Nearest Origin, and the Flexible Assignment dispatching strategies are 11.78, 5.27, and 4.33 minutes respectively, while when the mean of the emergency interval is equal to 2 minutes, they change to 23.44, 17.23, and 7.0 minutes.

[Figure 5: plot of Average Response Time (min) against Call Priority (1 to 5), with one curve each for Test 1 to Test 5]

Figure 5. Average Response Times with Different Weight Scenarios

When the time interval of emergencies is smaller, the average response time changes dramatically as the interval changes. For example, when the interval changes from 2 minutes to 2.5 minutes, the average response time changes from 23.44 minutes to 13.17 minutes for the FCFS dispatching strategy, 17.23 minutes to 9.33 minutes for the Nearest Origin dispatching strategy, and 7.00 minutes to 6.06 minutes for the Flexible Assignment dispatching strategy under dynamic travel time information. That means that for each dispatching strategy, the capacity of the system for requests for service is different. Beyond this capacity, the system will become very busy and the workload for each emergency vehicle is so high that emergencies face a long wait before service. Dispatching strategy plays an essential role in minimizing the total response time in comparison with travel time variation.

Figures 6 and 7 also show that dynamic travel time information is quite helpful for reducing emergency response time. For the FCFS and NO strategies, when using the dynamic shortest path algorithm, the average response times are around 5% less than those with the static shortest path algorithm, and for the Flexible Assignment Strategy, the saving in average response time is about 20%.
5. CONCLUSIONS AND FUTURE RESEARCH

This study concentrated on developing a dynamic dispatch strategy and a simulation model to test the strategy. An integer programming formulation was proposed for developing the flexible real-time dispatching strategy. The model ensures that the emergency response system is always working efficiently and shows advantages in that when severe emergencies happen, the system can handle them in a more timely fashion and reduce important response times. The formulation utilizes dynamic shortest paths in determining the routes for vehicles.
Figure 6. Comparison of Dispatch Strategies under Static Shortest Path Algorithm

A simulation model, which uses the mathematical formulation above as its decision module, was developed to demonstrate how the formulation works under real-time traffic conditions. Proper methods for travel time prediction and dynamic shortest path are selected upon full review of the state of the art. A moving node method is created to track the location of emergency vehicles. Although the simulation model presented in this paper is a prototype for real-time emergency vehicle dispatching, compared with traditional models this new model has shown an advantage in utilizing real-time information, and it could improve performance greatly, especially when there is significant traffic congestion in the road networks.

Future research can concentrate on developing better and more realistic model formulations that incorporate some of the real-world characteristics that may have been ignored in the proposed model. It can also concentrate on developing new and improved algorithms for solving these models and comparing the performance of the solution algorithms.
Figure 7. Comparison of Dispatch Strategies under Dynamic Shortest Path Algorithm
REFERENCES

Ben-Akiva, M., E. Cascetta, and H. Gunn, 1995, An On-line Dynamic Traffic Prediction Model for an Inter-urban Motorway Network, Urban Traffic Networks: Dynamic Flow Modeling and Control, pp. 83-122.
Cooke, K., and E. Halsey, 1966, The Shortest Route Through a Network with Time-Dependent Internodal Transit Times, Journal of Mathematical Analysis and Applications, 14: 493-498.
Deo, N., and C. Pang, 1984, Shortest-Path Algorithms: Taxonomy and Annotation, Networks, 14: 275-323.
Goldberg, J., R. Dietrich, J. Chen, and M. Mitwasi, 1990, Validating and Applying a Model for Locating Emergency Medical Vehicles in Tucson, AZ, European Journal of Operational Research, 49: 308-324.
Goldberg, J., and L. Paz, 1991, Locating Emergency Vehicle Bases when Service Time Depends on Call Location, Transportation Science, 25(4): 264-280.
Larson, R., 1974, A Hypercube Queuing Model for Facility Location and Redistricting in Urban Emergency Services, Comput. & Ops. Res., 1: 67-95.
Larson, R., 1975, Approximating the Performance of Urban Emergency Service Systems, Operations Research, 23(5): 845-868.
Lubicz, M., and B. Mielczarek, 1987, Simulation Modelling of Emergency Medical Services, European Journal of Operational Research, 29: 178-185.
Savas, E., 1969, Simulation and Cost-effectiveness Analysis of New York’s Emergency Ambulance Service, Management Science, 15(12): B608-B627.
Toregas, C., R. Swain, C. ReVelle, and L. Bergman, 1971, The Location of Emergency Service Facilities, Operations Research, 19: 1363-1373.
Ziliaskopoulos, A., and H. Mahmassani, 1993, Time Dependent, Shortest-Path Algorithm for Real-Time Intelligent Vehicle Highway System Applications, Transportation Research Record 1408: 94-100.
EMERGENCY SERVICES IN HOMELAND SECURITY
Vulnerability and Infrastructure Dependence Assessment

Frederick Krimgold, Keith Critchlow and Natasha Udu-gama
Virginia Polytechnic Institute and State University
Abstract:
The National Capital Region (NCR) is recognized as a leading target for terrorist attack. The emergency services sector (ESS) is our first line of defense: local police, fire and rescue, emergency medical services, public health departments, and public works departments. This sector is critical to the region’s ability to detect, prevent, respond to, and recover from disaster or terrorist attack. This capability, vital to the security of residents, is also required for maintaining the region’s quality of life and continuing economic development.
Key words:
Emergency services, first responders, National Capital Region, infrastructure
K.V. Frolov and G.B. Baecher (eds.), Protection of Civilian Infrastructure from Acts of Terrorism, 193–229. © 2006 Springer. Printed in the Netherlands.
During the events of 9/11, first responders amply demonstrated the importance of their role in saving lives and protecting people. Understandably, enhanced emergency response has been a first priority for homeland security investment, initially in the form of equipment procurement and specialized training. Parallel to upgrading emergency response capability has been the recognition of vulnerability for critical infrastructure service delivery systems, including emergency services. Presently, little attention is paid to the potential vulnerability of emergency services organizations to critical infrastructure system failures. With some exceptions, notably Montgomery County Fire and Rescue, this is a major problem. As a result of complex system interdependencies, disruptions of critical services can cause major loss of life and property. This report discusses the infrastructure system interdependencies of the emergency services sector. Interdependencies are both upstream, in which
ESS is dependent on services provided by other critical infrastructure systems such as energy, transportation and communications, and downstream, in which other critical infrastructure systems are dependent on the services of ESS. Emphasis here is placed on the upstream dependencies of ESS and on steps needed to identify and mitigate the effects of lost infrastructure services on ESS mission capability.
The inclusion of emergency services as a critical infrastructure recognizes the ESS as a service delivery system. This sector is made up of sub-sector systems including emergency management, law enforcement, fire and rescue (including hazardous materials and search and rescue) and emergency medical services. In light of the expanded range of threats and experience with large-scale disasters, the concept of emergency services in the National Capital Region includes public health, public works and social services departments at the local level. The sub-sector systems are integrated at the local jurisdiction level, although the extent of inter-jurisdictional coordination varies. Mutual aid agreements are well developed between the fire departments of adjacent jurisdictions; however, local and state-level agencies have not developed a well-integrated regional system of emergency services delivery. Hence, it is important that local, state and federal response agencies share the vision of a regional ESS infrastructure. The complex inter-governmental relationships of the National Capital Region pose a major challenge to the development of an efficient, coordinated and effective regional emergency response capability for large-scale threats facing the region.
This study examines the structure of ESS in the NCR, the current practices related to vulnerability assessment and risk management, and the potential impact of critical infrastructure interdependencies on the mission capability of ESS.
From review and analysis of relevant documents, and interviews with key ESS leadership in the NCR, a number of recommendations were developed to assess and enhance ESS effectiveness in the NCR. Principal among them are: (1) develop a coordinated operational management mechanism for the NCR that effectively includes local and state level and federal response agencies; and (2) develop a dynamic, real-time, GIS-based, common operating picture (COP) for the National Capital Region to optimize application and deployment of emergency response.
1. SECTOR BACKGROUND
The emergency services sector includes fire, hazardous material (HazMat), search and rescue (SAR), emergency medical services (EMS), law enforcement (LE), public health, public works, and social services departments. This sector is especially pivotal in the National Capital Region (NCR) because all of the other critical infrastructures are dependent upon it to provide assistance in the event of an emergency.
1.1 General
Emergency services organizations are often referred to as “first responders.” They are responsible for detection, assessment, alerting and dispatch of specialized life support and life safety assets. All first responders have specialized training from one or more of the five aforementioned disciplines. Specifically, police are concerned with law enforcement, traffic and criminal justice. They are geared for rapid response and have generalized capability to provide immediate life support for a wide range of emergency situations. Firefighters, in addition to fire suppression operations, work with HazMat, search and rescue operations, basic life support (BLS), and advanced life support (ALS) EMS services. There are also private sector and non-governmental emergency services functions, including large utilities such as Potomac Electric & Power Company (PEPCO), Dominion, and Washington Gas, who have their own security, medical and first aid facilities. Trained only in basic first aid, these personnel must rely on assistance from the emergency services sector for large-scale events.
Typically, the public most often engages with emergency services for “routine” day-to-day emergencies through calls to the primary Public Safety Answering Point (PSAP), where 9-1-1 calls are received and prioritized. The actual dispatch of response units may be carried out by that primary PSAP, or “calls for service” may be routed to a secondary PSAP, depending on the jurisdiction or particular type of service required.
Traditionally, emergency services agencies do not view themselves as an infrastructure. They are not part of a fixed physical structure; they are dispatched mobile response organizations with responsibilities for particular defined territories, structures, and populations. Normal emergency services deployments can be distinguished from responses to catastrophic events.
For instance, in events with lead time/warning (e.g., severe weather), it is possible to conduct pre-event deployment or to pre-position certain resources.
1.2 Definitions
Emergency: The time definition of incidents that threaten life, property, and health which require rapid response. Emergency response agencies are typically evaluated in terms of their average response-time to emergency incidents.
Emergency Operations Center (EOC): This is a secure location or facility used to determine situational status, coordinate actions, and make critical decisions during emergency and disaster situations. Implicit in the existence of an EOC is the statutory authority to conduct operations in the identified jurisdiction.
Emergency Services: A critical infrastructure characterized by medical, police, fire and rescue systems, and personnel that are called upon when an individual or community is responding to emergencies. These services are typically provided at the local level (county, city, or metropolitan area). In addition, state and federal response plans define emergency support functions to assist in response and recovery. These functions include, without limitation, fire fighting services, police services, medical and health services, rescue engineering, air raid warning services, communications, radiological, chemical and other special weapons defense, evacuation of persons from stricken areas, emergency welfare services, emergency transportation, existing or properly assigned functions of plant protection, temporary restoration of public utility services and other functions related to civilian protection. (In some locales, “emergency services” may refer to emergency medical services only.)
Failure: Inability to deliver emergency services (e.g., lack of equipment or communication procedures, insufficient or untrained staff, missing plans).
Fire and Rescue: The fire and rescue departments deal with fire suppression, building collapse, as well as traffic accident extrication and response to individual medical emergencies. Equipment and trained capabilities of these agencies correspond to their primary day-to-day missions.
Interoperability: The ability to talk across boundaries among emergency services organizations, agencies and jurisdictions via radio communications networks to exchange voice and/or data in real time, when needed. It also refers to the ability of various emergency services agencies to interact and collaborate in emergency situations as appropriate.
Mitigation: Measures taken to reduce the loss of life, livelihoods and property by reducing vulnerability.
Mutual Aid Agreement: An agreement between jurisdictions for the provision of police, fire, rescue and other public safety and health or medical services during a public service event, an emergency, or planned training event.
Mutual Response: As it relates to the Northern Virginia Emergency Services Mutual Response Agreement, it is the pre-arranged automatic dispatching of the most appropriate response resources available to an incident location without regard to jurisdictional boundary lines.
Risk: Expected loss due to a particular hazard. It is the dynamic interactions of hazard or threat, asset criticality, fragilities, and consequences.
Risk Assessment: A study of vulnerabilities, threats, likelihood, consequences, and theoretical effectiveness of security measures. The process of evaluating threats and vulnerabilities, known and postulated, is to determine expected loss and to establish the degree of acceptability to system operations.
1.3 Features
The emergency services sector is primarily organized at the local level and is predominantly a public activity. State level support is provided to local emergency services organizations, and federal level support is provided to state level emergency management agencies. In the case of the NCR, federal resources may be applied directly. Consequently, federal agencies, such as the FBI and Secret Service, may take an active role in law enforcement activities within the NCR. Several major jurisdictions have created positions of director of homeland security. In most cases, fire and rescue, and police chiefs report directly to county or city administrators or through a director of public safety. Yet health and social services departments, and departments of public works do not typically report through the public safety channel. Therefore, the challenge of regional security necessitates new patterns of coordination and cooperation within local government.
1.4 Service area
The NCR has twelve local jurisdictions and the District of Columbia. They are:
District of Columbia
Maryland: Montgomery County (includes 19 municipalities), Prince George’s County (includes 27 municipalities)
Virginia: Arlington County, Fairfax County (includes 3 towns), Loudoun County, Prince William County, City of Alexandria, City of Fairfax, City of Falls Church, City of Manassas, City of Manassas Park
1.5 Employees
Each of the twelve jurisdictions has its own police, fire and emergency services organizations, although in the case of fire and EMS, those services may not be provided by a component of the city or county government. In addition, there are more than 80 police stations in the NCR and over 200 fire/rescue stations. The entire population of the NCR, permanent and visitors alike (approximately 4 million people), are primary “customers” of the emergency services sector.
1.6 Capacity
Fire departments have 100% communications interoperability; all are on 800 MHz trunked systems (except for Prince George’s County, Maryland). Cross-system interoperability, particularly in the case of radio communications between fire and police, remains a critical challenge. Several evolving efforts, notably CapWIN, are underway to ensure compatible communications in the region. Emergency services interface with the health sector primarily in the emergency department of hospitals. The NCR currently has 9,468 licensed hospital beds. In a major event, hospitals in the area can increase surge capacity up to 30%; beyond that, triage and alternate, improvised facilities would be employed.
1.7 Review of authorities
Because the emergency services sector is primarily made up of governmental agencies, intergovernmental relationships and coordination are of primary importance. The National Capital Region is a particularly complex collection of intergovernmental relationships consisting of two states, the District of Columbia, twelve local jurisdictions and a significant concentration of federal agencies. The majority of ESS workforce and resources are organized at the local level, but these local efforts require support and coordination from the state and federal levels. Thus, it is crucial to understand the legal basis for emergency management authorities exercised at each level. The National Capital Region does not have a designated, unified, political jurisdiction or the authority for centralized emergency management. The current authorities, outlined below, are oriented toward a local/state/federal hierarchy.
1.8 Statutes
The NCR sub-sector systems are integrated at the local jurisdiction level, although the extent of inter-jurisdictional coordination varies between sub-sectors. Mutual aid agreements are well developed between the fire departments of adjacent jurisdictions; however, local and state-level agencies have not developed a well-integrated regional system of emergency services delivery. Hence, it is important that local, state and federal response agencies share the vision of a regional ESS infrastructure. The complex inter-governmental relationships of the National Capital Region pose a major challenge to the development of an efficient, coordinated and effective regional emergency response capability for large-scale threats facing the region.
HSPD-5: Management of Domestic Incidents
HSPD-5 delegates administration to the secretary of DHS for a National Incident Management System (NIMS). NIMS will include a core set of concepts, principles, terminology and technologies that cover the incident command system; multiagency coordination systems; unified command; training; identification and management of resources; qualifications and certification; and collecting, tracking and reporting incident information and incident resources. In addition to the administration of NIMS, the National Response Plan (NRP) integrates federal government domestic prevention, preparedness, and response and recovery plans, into one all-discipline, all-hazards plan. The combined structure of NIMS and NRP facilitates national level policy and operational planning. It provides federal support to state and local incident managers and a mechanism to exercise and direct federal authority.
HSPD-7: Critical Infrastructure Identification, Prioritization, and Protection
This directive establishes a national policy for federal departments and agencies to identify and prioritize United States critical infrastructure and key resources, and to protect them from terrorist attacks. Nevertheless, federal departments and agencies will appropriately protect information associated with carrying out this directive, including handling voluntarily provided information and information that would facilitate terrorist targeting of critical infrastructure and key resources consistent with the Homeland Security Act of 2002 and other applicable legal authorities.
HSPD-8: National Preparedness
HSPD-8 is the companion to HSPD-5 and calls for developing a national preparedness goal. Toward that, it will establish measurable readiness priorities and targets that appropriately balance the potential all-hazards threats with the resources required to prevent, respond to, and recover from them. Moreover, it will include readiness metrics including standards for preparedness assessments and strategies to respond to major events, especially those involving acts of terrorism.
1.9 Roles and responsibilities
The Metropolitan Washington Council of Governments and the Office of National Capital Regional Cooperation of the DHS consider regional issues and develop regional responses in the realm of public safety. In August 2002, the governors of Maryland and Virginia, as well as the mayor of the District of Columbia, signed a joint statement outlining eight “Commitments to Action.”
1. Develop a coordinated process for decision-making for significant incidents or emergency situations in the region.
2. Enhance coordination and information sharing through their respective anti-terrorism task forces and joint terrorism task forces.
3. Identify and set protection priorities and guidelines for infrastructure assets and services in the region with the private sector.
4. Define and develop a common set of emergency protective measures to protect the health and safety of the public in the event of a major emergency in the region.
5. Facilitate mutual aid response between local governments across state boundaries, examine the development of mutual aid agreements between federal agencies or institutions and communities, and explore methodologies for enhancing private sector mutual aid support.
6. Develop a virtual joint information system for the NCR during response to a major emergency or disaster event.
7. Utilize mechanisms for regional cooperation to endorse and implement citizen corps programs within the National Capital Region.
8. Coordinate plans for terrorism and security-related training exercises across the region that are inclusive of all levels of government, as well as schools and universities, health care institutions, and other private and non-profit partners as appropriate.
2. MAPPING RELATIONSHIPS
The following tables outline upstream and downstream dependencies for each of the emergency services (emergency management, emergency medical services, fire and rescue, police, public health, public works and social services) that make up the emergency services sector.
Replenishment Limited role in of critical sup- emergency phase plies during extended incidents
Downstream Firefighting, Response to Protection of Dependencies facilities in the traffic accidents, protection of (Dependencies event of fire or vehicle rescue facilities and distribution sys- on ESS) structural coltems, response lapse, protection to gas and petroof recovery perleum leaks, prosonnel, HazMat tection of utility protection and recovery staff, decontamination HazMat protection and decontamination
Personnel pro- Firefighting, Functioning Communicaphylaxis, protec- high-pressure tions between bridges and tion of first re- hydrant system, incident sites viaducts, accesdecontamina- and call dispatch sible roads, acsponders and tion, vehicle and centers, com- cess to sites, dependents, building cool- munication be- access between reception of ant, drinking emergency tween vehicles, sites and medimedical trans- and sanitary communication cal facilities port with ESS across NCR
Water
Telecommunicat Transportation Energy ions
Upstream Dependencies (Dependencies of ESS)
Sector
Postal & Ship- Banking & Fi- Health nance ping
Service of fire station, maintenance of fire station services (communications, HVAC, lighting, refrigeration, vehicle maintenance), on-site (mobile generators)
Protection of Emergency Protection of medical trans- key facilities facilities and key personnel, portation, pro- and personnel, tection of key HazMat protecbuilding coltion and deconlapse, HazMat facilities and tamination protection and personnel, decontamination HazMat protection and decontamination, population management for evacuation to isolation and quarantine
Fire and Rescue Services
Protection of key facilities and personnel, HazMat protection and decontamination, building collapse
Personnel pro- Decontamina- CommunicaFunctioning CommunicaUpstream Dephylaxis, protec- tion, vehicle and tions between bridges and via- tions (mobile pendencies (Detion of first re- building coolant, incident sites ducts, accessible communications pendencies of sponders and drinking and and call dispatch roads, access to recharge), func- ESS) sanitary centers, com- sites tioning of cendependents munication betral call & distween vehicles, patch center, communication lighting, security with ESS across access, vehicle NCR maintenance
Postal & Ship- Banking & Fiping nance
Health
Water
Telecommunica- Transportation Energy tions
Sector
Replenishment Limited role in of critical sup- emergency plies during phase extended incidents
Protection, secu- Downstream rity and surveil- Dependencies lance of key (Dependencies facilities and on ESS) personnel
Police
Protection, secu- Protection, secu- Protection, secu- Protection, secu- Protection, secu- Traffic control, rity and surveil- rity and surveil- rity and surveil- rity and surveil- rity and surveil- evacuation and lance of key lance of key lance of key lance of key lance of key management facilities and facilities and facilities and facilities and facilities and personnel personnel personnel, popu- personnel personnel lation management for evacuation, isolation and quarantine
Monitoring, Protection, Warning, protesting, protec- warning and phylaxis and tion, warning health surveil- protection for and health sur- lance of key critical personveillance of key facilities and nel/ facilities and personnel, de- travelers personnel contamination and treatment (particularly for CBR)
Replenishment of critical supplies during extended incidents
Replenishment of critical supplies during extended incidents
Laboratory services, monitoring & analysis, medical supply management, medical personnel management, hospital facilities
Decontamination, vehicle and building coolant, drinking and sanitary, patient care, hospital laundry
Health
Water
Postal & Ship- Banking & Fiping nance
Warning and Downstream prophylaxis for Dependencies CBR for critical (Dependencies on ESS) personnel
Communica- Access to af- Communica- Upstream Detions between fected popula- tions (mobile pendencies (Dependencies of incident sites tions, function- communicaand call dising bridges and tions recharge), ESS) patch centers, viaducts, acces- monitoring, epidemiological sible roads, reporting, demonitoring access to medi- contamination centers, com- cal facilities facilities, warnmunication ing between vehicommunication, cles, communilighting, cation with ESS security access, across NCR, vehicle maintebli i f Telecommunica- Transportation Energy Sector tions
Health workers protection, warning and health surveillance of key facilities and personnel, population management for evacuation, isolation and quarantine
Protection, warning and health surveillance of key facilities and personnel
Public Health
Protection, warning and health surveillance of key facilities and personnel
Debris clearance and structural evaluation, access to sites
Debris clearance and structural evaluation, access to sites
Debris clearance and structural evaluation, access to sites
Debris clearance and structural evaluation, access to sites
Debris clearance and structural evaluation, access to sites
Downstream Dependencies (Dependencies on ESS)
Upstream Dependencies (Dependencies of ESS)
Postal & Ship- Banking & Fiping nance
Sector
Health
Water
Telecommunica- Transportation Energy tions
Auxiliary Limited role in Surveillance, Vehicles, drink- Communica- Access to af- Electricity for equipment pro- the emergency warning, pro- ing and sani- tion: Field to fected popula- power tools, vision phase tection for CBR tary, deconcall center, ve- tions, function- fuel for vehitamination hicle to vehicle ing bridges and cles and ESS com- viaducts, accesponents in NCR sible roads
Debris clearance and structural evaluation, access to sites
Public Works
Debris clearance and structural evaluation, access to sites
Healthcare for Service to relovulnerable cation sites and populations and vulnerable displaced per- populations sons
Communica- Access to vul- Building cli- Upstream Dependencies (Detions from vul- nerable popula- mate control nerable popula- tions, function- and lighting for pendencies of tions and relo- ing bridges and relocated, vul- ESS) cation sites viaducts, acces- nerable populasible roads, tions, and those evacuation of sheltering-invulnerable place populations
Postal & Ship- Banking & Fiping nance
Health
Telecommunica- Transportation Energy tions
Water
Distribution of Emergency financial and financial supmaterial sup- port to disport to displaced persons placed and vul- and vulnerable nerable popula- populations tions
Social Services
Downstream Support for Support for Support for Support for Support for Support for Support for dependents of dependents of dependents of dependents of dependents of dependents of dependents of Dependencies key personnel key personnel key personnel key personnel key personnel key personnel key personnel (Dependencies on ESS)
Sector
3. STATE OF RISK MANAGEMENT
The primary mission of the emergency services sector is to save lives and protect property and assets. Translating that mission into a sustained, regionally effective effort requires a high level of tactical planning, communication and coordination among NCR responders. Aside from the primary effects of the emergency itself, the capacity of emergency services to fulfill its mission is most centrally affected by, and so vulnerable to, its ability to remain agile, flexible and consistently coordinated in the face of a wide range of threats and hazards.
3.1 Assessment of status and application of CIVA / RM in sector
The emergency services sector focuses on the needs of others. In an emergency, most sectors may rely upon the services provided by first responders. While there is a great deal of experience in carrying out vulnerability assessment and response training exercises directed toward other dependent elements of society, relatively little attention is paid to the potential vulnerability of emergency services organizations themselves to loss of services due to critical infrastructure system failure.
3.2 Awareness of value of CIP and CIVA / RM
Awareness of vulnerability to interdependent infrastructure function and failure is not well developed in the ESS sector. Autonomous response, conversely, has been a proud tenet central to its culture: the ability to do whatever may be required—calling upon mutual aid / response as necessary—but, for the most part, utilizing its standalone capacity and ingenuity to solve problems “out there.” Challenging this notion is the proposition that ESS facilities need to look inward and visualize themselves as part of a networked service-delivery system with points of fragility and constraint.
3.3 Availability of appropriate tools
Specific vulnerability assessment/risk management tools for emergency services organizations are not developed, although certain generic preparedness assessments have been employed. Currently available evaluation methodologies focus primarily on organizational and administrative issues, as is the case with Commission on Accreditation for Law Enforcement
Agencies and the Emergency Management Accreditation Program, the first two tools identified below. The National Incident Management System, although not an evaluation methodology per se, establishes a management standard to which state agencies and local governments must comply in order to be eligible for some elements of federal preparedness assistance. The fourth tool, the Target Capabilities List, is a functional grouping of critical tasks necessary for capable prevention, protection against, response to and recovery from an array of events from natural disasters to terrorism.
Commission on Accreditation for Law Enforcement Agencies (CALEA)
CALEA was established as an independent accrediting authority in 1979 by the four major law enforcement membership associations: International Association of Chiefs of Police (IACP); National Organization of Black Law Enforcement Executives (NOBLE); National Sheriffs’ Association (NSA); and Police Executive Research Forum (PERF). The executive directors of the four associations appoint members to the commission annually. CALEA develops a set of law enforcement standards and establishes and administers an accreditation process through which law enforcement agencies may voluntarily demonstrate that they meet professionally-recognized criteria for excellence in management and service delivery. The voluntary accreditation program is divided into two general parts: the standards and the process. The standards, discussed in the standards manual (Standards for Law Enforcement Agencies), are the building blocks from which everything else evolves. In addition, standards address nine major law enforcement subjects: roles, responsibilities, and relationships with other agencies; organization, management and administration; personnel structure; personnel process; operations; operational support; traffic operations; prisoner and court-related activities; and auxiliary and technical services.
These standards help law enforcement agencies: strengthen crime prevention and control capabilities; formalize essential management procedures; establish fair and nondiscriminatory personnel practices; improve service delivery; solidify interagency cooperation and coordination; and boost citizen and staff confidence in the agency. Five phases fulfill the accreditation process:
1. Application
2. Self Assessment
3. On-site Assessment
4. Commission Review, and
5. Maintaining Compliance and Re-accreditation.
Major benefits of accreditation through CALEA include greater accountability within the agency, controlled liability insurance costs, strong
defense against civil lawsuits, staunch support from government officials, and increased community advocacy. Emergency Management Accreditation Program (EMAP) The EMAP standard is designed as a tool for continuous improvement, as part of a voluntary accreditation process, and for local and state emergency management programs. Currently, EMAP is under federal contract to carry out evaluations across the jurisdictions of the National Capital Region over the coming year. It will establish a common set of criteria to assess, develop, implement and maintain programs to mitigate, prepare for, respond to, and recover from all-hazard disasters and emergencies. EMAP consists of 14 program areas, including: 1. Program Management 2. Laws and Authorities 3. Hazard Identification and Risk Assessment 4. Hazard Mitigation 5. Resource Management 6. Planning 7. Direction, Control and Coordination 8. Communications and Warning 9. Operations and Procedures 10. Logistics and Facilities 11. Training 12. Exercises, Evaluations and Corrective Action 13. Crisis Communications, Public Education and Information 14. Finance and Administration While considered extremely valuable, EMAP has been criticized for not adequately specifying security standards. Indeed, the sections relevant to critical infrastructure protection and risk assessment, 5.3.1 and 5.3.2, are too general to constitute a “risk management” approach: The entity shall identify hazards, the likelihood of their occurrence, and the vulnerability of people, property, the environment, and the entity itself to those hazards. The program uses a broad range of sources, including federal agencies, state/territorial agencies, local agencies, and private sector organizations to identify hazards and assess risk and vulnerability to those hazards. 
Hazards to be considered at a minimum shall include, but shall not be limited to, the following: (1) Natural hazards (geological, meteorological, and biological) and (2) Human-caused (accidental and intentional).

The EMAP standards and processes are almost identical to, and derived from, the Commission on Accreditation for Law Enforcement Agencies
(CALEA) standards. In addition, EMAP is based on National Fire Protection Association (NFPA) 1600 standards: Standard on Disaster/Emergency Management and Business Continuity Programs.
3.4 National incident management system (NIMS)
Approved by the Department of Homeland Security on March 1, 2004, and an integral component of the National Response Plan (NRP), NIMS establishes standard incident management processes, protocols and procedures so that all local, state, federal and private-sector emergency responders, across all jurisdictions and functional disciplines, can coordinate their responses, share a common focus, and place full emphasis on resolving an all-hazard event. In short, it integrates incident management best practices in a standard, scalable system applicable to the NCR.

With regard to compliance, this system does not require any particular level of incident command system (ICS) training, nor does it require additional training for “already trained” personnel. Yet, guidelines suggest four increasing levels of ICS training, appropriate for first responders, command staff, general staff and incident commanders respectively. These levels, however, are decided by each state and are implemented at the local level as each jurisdiction identifies who should receive what level of training. Moreover, it is up to each jurisdiction’s city manager or county administrator to determine whether he/she is comfortable certifying that the jurisdiction’s training complies with NIMS’s loose requirement to “institutionalize the use of ICS.”

In the absence of real-time incident information, NIPP data, in theory, can be modeled to provide anticipated consequences to critical infrastructures/assets, and initial emergency response resources can be activated and deployed accordingly. Hence, deployment adjustments based on operational field assessments can be made and updated as appropriate. A more promising analysis follows, which takes a task-based, functional approach to vulnerability assessment and risk management, consistent with National Response Plan strategic objectives.
Homeland Security Target Capabilities List, version 1.1 (TCL)
In April 2005 (from HSPD-8), the DHS Office of State and Local Government Coordination identified 36 target capabilities needed to perform critical homeland security tasks in response to the 15 National Planning Scenarios. The scenarios were analyzed to generate a comprehensive list of tasks required to prevent, prepare for, respond to, and recover from various events. The tasks were then organized into a menu called the Universal
Task List (UTL). The original menu contained approximately 1,800 “critical tasks,” which were further reduced to 300 tasks, and finally grouped into 36 Target Capabilities (TCL). From these defined capabilities, the UTL is rigorously reviewed and so far has been updated four times; the next update will be in October 2005. The Target Capabilities List seems to be an evolving, well-conceived planning tool for preparedness strategies, and for allocating resources while identifying priority areas for investment and redundant capacity.
3.5 Evaluation of tools’ effectiveness
The generality of the above qualitative tools makes it difficult to plan for, organize for, and deeply analyze ESS operational capabilities for large-scale events. How many SWAT teams are enough? How much redundancy in the form of cached, pre-positioned radios may be appropriate or overkill? How many command cars? How much training in what sorts of exercises? Budgeting, investment decisions and cost recovery are not informed by such preparedness checklists, nor is risk management methodology employed. What may be an appropriate level of preparedness for an event like the 1995 bombing of the Alfred P. Murrah Building in Oklahoma City may not be adequate for nine simultaneous train bombings, as happened in Madrid.

The permutations of ever-changing levels of preparedness for response to ever-changing scenarios must be subject to budget and time realities: a line must be drawn stipulating that emergency services are prepared for “this level of response,” and realistically not any more. The determination of whether that level is too little or too much may, unfortunately, be reduced to a simplistic dichotomy of which side of a protective fence one finds oneself on. Responding to calls for actionable measures, there may well be a rush into the mechanics of filling gaps with scant analysis: that fence will be sited; it will be erected. Whether such imperative action turns out to be strategically appropriate, or yet another vaguely coordinated “stovepipe” measure, is not a question well served by the above-mentioned sorts of tools. The specific level of readiness posited by such tools is too vaguely defined, resulting in an inability to do a meaningful gap analysis.

3. Developing CIP Risk Reduction Programs and Processes
Critical infrastructure protection and emergency response are two major themes of homeland security. To date, the relationship between these two topics has not been the target of focused study.
The emergency services sector is included in the list of critical infrastructures, the networks that
deliver essential services to the public. The goal of critical infrastructure protection (CIP) is to assess threats and vulnerability of infrastructure systems and to develop physical and organizational means to reduce the risk of service outages. In the case of ESS, risk reduction measures protect against the interruption of emergency services when they are most needed in the aftermath of an attack.

Emergency services are primarily organized at the local jurisdiction level. Because their normal (peacetime) responsibility lies within their local jurisdiction, they have not been viewed as regional systems of service provision. The development of a regional systems concept on the part of emergency services agencies is essential to meeting the challenge of large-scale, long-term threats. The sub-systems within the ESS (police, fire and rescue, emergency medicine, public health, social services and public works) must be viewed as service networks superimposed over the region. The recognition of the regional systems approach is reflected in the existence of interjurisdictional mutual aid agreements. Continued emphasis must be placed on development of capacity for coordinated response which effectively allocates regional resources to regional threats.

Network systems are vulnerable to damage at nodes and links. In the case of ESS, nodes are represented by service centers such as fire or police stations. Links are represented by the connections between first responders and victims, such as communications and transportation. The traditional emphasis of the first responder community has been on the assessment and response to client vulnerabilities and needs. Emergency services are unique in addressing acute short-term needs which arise with rapid onset.
Emergency services typically provide alternative support to bridge interruptions in normal urban service delivery systems (i.e., emergency power supply, emergency water supply, emergency communications, and emergency transport). However, in spite of this expertise in assessment of the vulnerability and potential needs of other organizations and populations, emergency services agencies have not focused their attention on their own dependence on other critical infrastructure systems. The capacity to execute emergency services missions is ultimately highly dependent on infrastructure services such as energy, communication, transportation and water. The detailed examination of these dependencies and the development of priorities for protection or alternative sourcing of key input resources remain underdeveloped for the sector. Critical infrastructure protection programs recognize 13 urban services systems. Each infrastructure sector is subject to specific threats and vulnerabilities that may be referred to as intra-sector characteristics. Within an infrastructure network, failure can be initiated at a point source (i.e., point of attack). By means of cascading failure, that initial damage can propagate
failure and service loss throughout the network system. This quality of loss amplification makes infrastructure systems an inviting target for terrorist attack.

Beyond intra-sector damage propagation is the issue of infrastructure system interdependency. In the complex interactive fabric of urban infrastructure systems are many points of intersection and dependency. For example, the water delivery system is dependent upon the electric power system to power pumps; the electric power system may in turn be dependent on the water delivery system for cooling of power plants. ESS is dependent on other critical infrastructure systems. Consequently, failures of those infrastructure systems can seriously reduce ESS mission capability. As a result, ESS established means of dealing with “normal” service interruptions with developed principles of short-term self-sufficiency. In considering the new threats of terrorism, weapons of mass destruction and their potential long-term effects on the region, the ESS should reassess its capacity for continued mission effectiveness in the absence of dependable, critical infrastructure service delivery.

The emergency services sector is dedicated to the delivery of life-saving and protective services to the public. Preservation of this mission capability requires the protection of ESS physical assets (equipment and supplies) and personnel. It also requires the capacity to continue delivering emergency services even in the face of direct attack and loss of the critical infrastructure support. The following recommendations are directed to the protection of ESS assets and the preservation of ESS mission capabilities.
3.6 Risk reduction / project investment opportunities
The relevant risk in the case of emergency services is the loss of capacity to deliver emergency services. Risk or potential loss is a function of threat, vulnerability, and consequence. Relevant threats include direct impact of natural, technological or terrorist hazard. In addition, the characterization of vulnerability reflects the nature of the ESS organization, and its ability to maintain critical functions in response to incidents of threat or hazard. And consequences refer to both the reduction of emergency service delivery capability and the social and economic impact on citizens of that service loss. Hence, risk reduction for the emergency services sector can be achieved through the reduction of any of these three factors. Threat reduction, in the case of terrorism, requires the interdiction and apprehension of terrorists. On the other hand, vulnerability reduction requires the protection of critical assets or the development of alternative or redundant delivery systems;
while consequence reduction requires the containment of initial damage, the interruption of system failure propagation patterns, and rapid recovery of service systems. In the case of the ESS, reduction of risk due to infrastructure dependencies requires the assessment of those dependencies (see tables on upstream and downstream dependencies in Section 1). The development of mitigation measures to reduce dependency, both to protect infrastructure service delivery systems and to prepare for continued mission capability in their absence, relies on such an assessment, which has not yet occurred.

A fundamental challenge for the NCR is represented by its complicated inter-governmental relationships. A critical factor for emergency services in the NCR is communication and coordination across agencies, across jurisdictions and across levels of government to provide a coherent response to large-scale or distributed events affecting the region. The following recommendations address the functional requirements for effective regional coordination between emergency services agencies, and between public and private organizations for effective delivery of emergency services.

Common Operating Picture for the NCR
The NCR needs a dynamic, real-time, GIS-based common operating picture (COP). Currently, there are numerous EOCs located in federal agencies, state agencies, local jurisdictions and private sector critical infrastructure. Because of the jurisdictional complexity of the National Capital Region, it is difficult to assemble a coherent overview of an incident that affects the region as a whole. Differences in structure and reporting systems between Maryland, Virginia and the District of Columbia make it difficult to integrate incident information from the three state-level emergency management systems. Development of the COP will require technical expertise and multi-jurisdictional cooperation.
The project should be undertaken with the management of a major systems integrator, the support of the University Consortium for Infrastructure Protection and the oversight of the NCR Critical Infrastructure Group.

Establish a standing capability for emergency operations coordination in the NCR.
While there are numerous federal and state-level 24-hour operations and communications centers, there is currently no such facility that combines such monitoring and coordination functions for the NCR as a whole. In the event of a large-scale incident that affects multiple jurisdictions or states in the region, there must be an agreed-upon coordinating facility that is capable of integrating relevant federal, state, local and private sector inputs for the region. The facility must be connected to Maryland, Virginia, and District of Columbia emergency management agencies and be capable
of combined monitoring and analysis of events anywhere in the NCR. Coordination protocols between the local, state and federal level response agencies must be developed to define the appropriate chain of authority.

Establish regional infrastructure sector coordinating agency to bring together public and private sector infrastructure owners and managers and the regional emergency management community to identify and manage critical infrastructure interdependency issues.
The NCR should establish permanent committees for each critical infrastructure sector to develop and review NCR incident response plans developed for various levels of the 15 national planning scenarios. The committees should be convened by NCR ESS agencies to inform critical infrastructure owners and operators on the organization of regional ESS capabilities and response plans. This regional partnership should identify critical infrastructure dependencies and develop mitigation strategies. Roles and responsibilities for critical infrastructure system managers should be defined and realistic expectations for post-event ESS support should be clarified. These committees could be organized and staffed by the Metropolitan Washington Council of Governments/the Greater Washington Board of Trade, or the Office of National Capital Region Coordination.

Assess expected collateral damage associated with attack on identified target assets.
The National Capital Region is home to many potential terrorist targets of operational and symbolic importance for the United States. In many cases, these target assets are surrounded by “civilian” neighborhoods whose safety is the responsibility of local ESS. Vulnerability assessments were carried out for the target assets themselves but not for the surrounding communities that may be subject to collateral damage.
Relevant DHS national planning scenario events should be applied to the target assets to estimate potential collateral damage and associated impacts (but such analysis should not be limited to the DHS national planning scenarios). This specific study of collateral damage will provide the basis for realistic planning and capability demand assessment. It will also provide the basis for mitigation planning and the consideration of structural or occupancy change in areas subject to collateral damage. This activity is related to buffer zone planning for target facilities. The general methodology for collateral damage estimation should be developed by a multidisciplinary planning research center in conjunction with local ESS and planning departments.
3.7 Tactical steps for immediate benefit
Tactical steps to strengthen ESS are those that can be undertaken without significant organizational change and will increase the effectiveness of current resources. Protection of homeland security requires development of response capabilities for incidents of much larger scale and much longer duration. WMD bring the potential for incidents of much larger scale (in terms of affected population) and much longer duration (in terms of contamination and restoration of services). Hence, the quantitative demand for emergency services may far exceed available resources. Further, the threats of WMD are unfamiliar to ESS and the general public. Chemical, biological, nuclear and radiological attacks have no precedent in the region, which means the qualitative demand for emergency services will be unprecedented. With these factors in mind, specific tactical measures should be consistently implemented throughout the region:

• Prepare for 72-hour self-sustained ESS operations
Emergency services organizations must equip themselves and train for operations in the absence of normal infrastructure services. Currently, no generally accepted standard for self-sustained activity is recognized in the region.

• Provide support for the families of ESS personnel
In order for ESS personnel to effectively perform their jobs, they must be assured that their own families are provided for in their absence.

• Expand training for ESS personnel on detection and protection related to CBR events

• Develop back-up sources and redundancy for critical infrastructure services (alternative power generation, communications and transportation options); these must be provided to maintain self-sufficient mission capability

• Train citizen emergency response teams (CERTs) to support ESS professional response
Large-scale disasters will require organized citizen support to expand emergency services manpower.

• Organize private ambulances and medical personnel to augment emergency medical services
In large-scale incidents, public agency sources are likely to be overtaxed. Surge capacity will require mobilization of additional resources.

• Organize construction industry resources and train volunteers to assist in large-scale urban search and rescue, debris clearance, and building stabilization.
In the event of a large-scale disaster, organized emergency services and public works employees will be overtaxed and require organized private sector support.
3.8 Strategic steps for long-term benefit
Strategic steps for strengthening ESS are those that require long-term planning and investment. They may involve development of new capabilities and significant modification of current organizational structures.

• Assess potential collateral damage associated with identified target facilities
The NCR has a large number of potential targets for terrorist attack. Local emergency services should develop plans for dealing with collateral damage to surrounding populations and property.

• Consider appropriate organizational structures to meet the functional needs of regional ESS coordination in the event of major disaster or attack in the region.
The NCR is a complex combination of numerous governmental authorities. Issues of information sharing, mutual aid, and coordinated control must be addressed to make the most effective use of regional resources in support of public safety.
4. RISK REDUCTION PROCESS IMPROVEMENTS
The risk reduction process for ESS involves the assessment of threats, vulnerabilities and consequences, as well as the development and evaluation of mitigation measures. Actual reduction of risk results from the funding and implementation of cost-effective mitigation measures.

• Encourage collaboration between ESS and critical infrastructure sectors to identify and mitigate interdependencies
Emergency service dependencies on other critical infrastructure systems (upstream dependencies for ESS) must be identified in conjunction with those service providers. Mitigation measures include development of redundant sources, on-site storage, or alternative practice.

• Clarify the relationship between critical infrastructure service failure and the cost associated with resulting loss of emergency service delivery
Mitigation investments should be balanced against loss reduction, which includes losses due to dependent system failures (in this case, ESS).
4.1 Recommendations for enhancement of general guidelines
Standards and guidelines for ESS deal with equipment, training and procedure. To date, the primary evaluation methodologies do not address the issue of ESS vulnerability to infrastructure interdependency issues. This is extremely problematic. A major challenge in evaluation of ESS stems from the lack of general experience with the scale and content of WMD incidents. The value of current evaluation methodologies should be enhanced by the addition of criteria related to assessment and mitigation of infrastructure interdependencies. The following recommendation aims to improve the ESS assessment process.

Develop regional ESS goals and evaluation criteria based on DHS Target Capabilities List.
The question of “how much is enough?” is central to the planning and funding of the emergency services sector in the NCR. Current staffing levels and expenditures are based on historical demand and do not reflect planning for response to large-scale or long-duration incidents. Limited experience with chemical, biological, nuclear, or radiological attack has made it difficult to anticipate workforce or equipment needs. The fundamental uncertainty about low-incidence, high-consequence terrorist attacks (frequency, intensity or pattern) limits the precision of risk assessment and the application of traditional cost-benefit analyses. Response to terrorism will require flexibility and improvisation to meet the unique requirements of any particular incident. The target capabilities list identifies the generic capabilities required for flexible response to the 15 DHS national planning scenarios. For the purposes of planning and exercising, these scenarios (and other appropriate scenarios) should be applied to the particular context of the NCR. Resource demands can be calculated by capability category.
Such an approach provides the basis for evaluation of current ESS capacity in the region and meaningful guidance for investment in personnel, equipment, training, and exercises. Traditional workforce and resource requirements must be adjusted for large-scale, long-duration incidents as illustrated in the national planning scenarios.
4.2 Opportunities for enhancements in risk management
Risk management includes the identification of risk, the reduction of risk and the distribution of risks. Risk identification for emergency services must include the evaluation of the impact of upstream infrastructure systems. For example, loss of electric power is a frequent and significant risk
for emergency services. Mitigation of electric power loss may include emergency generators, batteries, or non-electric equipment. Distribution of risk can be accomplished by developing redundant and diverse approaches to maintaining critical functions. Another prime dependency that must be evaluated is reliance on the Internet for preparedness and response: communications, databases, etc.
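
The cascading-failure and interdependency discussion in Section 3 (water depending on power for pumps, power on water for cooling, ESS on energy, communication, transportation and water) and the back-up mitigation named in Section 4.2 can be worked through as a small dependency model. This is an added example, not part of the original chapter; the buffer hours, the communications and transportation links to power, and all function names are assumptions constructed for illustration.

```python
import heapq

# Constructed dependency map (not data from the chapter):
# BASELINE[sector][input] = hours the sector keeps running after that input
# is lost (on-site storage, batteries, generators). 0 means no back-up.
BASELINE = {
    "power":          {"water": 12},  # cooling water (chapter's example); hours assumed
    "water":          {"power": 4},   # pumps (chapter's example); hours assumed
    "communications": {"power": 8},   # assumed dependency and hours
    "transportation": {"power": 24},  # assumed dependency and hours
    "ESS": {"power": 0, "water": 0, "communications": 0, "transportation": 0},
}


def cascade(depends, initial_failures):
    """Propagate an outage through the dependency map.

    Returns (fail_at, cause): the earliest hour each affected sector fails and
    the upstream input whose loss triggered it (None for the initial outage).
    A sector fails when the first of its inputs has been gone longer than the
    buffer held for that input, so the search is a shortest-path computation.
    """
    dependents = {}
    for sector, inputs in depends.items():
        for upstream in inputs:
            dependents.setdefault(upstream, []).append(sector)

    fail_at = {s: 0.0 for s in initial_failures}
    cause = {s: None for s in initial_failures}
    heap = [(0.0, s) for s in initial_failures]
    heapq.heapify(heap)
    while heap:
        hour, failed = heapq.heappop(heap)
        if hour > fail_at.get(failed, float("inf")):
            continue  # stale entry: an earlier failure time is already recorded
        for sector in dependents.get(failed, []):
            candidate = hour + depends[sector][failed]
            if candidate < fail_at.get(sector, float("inf")):
                fail_at[sector] = candidate
                cause[sector] = failed
                heapq.heappush(heap, (candidate, sector))
    return fail_at, cause


def with_buffers(depends, sector, **hours):
    """Copy of the map with new buffer hours for some of one sector's inputs."""
    updated = {s: dict(inputs) for s, inputs in depends.items()}
    updated[sector].update(hours)
    return updated


def survives(depends, initial_failures, sector, horizon_hours=72):
    """(rides out the horizon?, hour of failure, binding upstream input)."""
    fail_at, cause = cascade(depends, initial_failures)
    hour = fail_at.get(sector, float("inf"))
    return hour >= horizon_hours, hour, cause.get(sector)


if __name__ == "__main__":
    outage = {"power"}
    generator_only = with_buffers(BASELINE, "ESS", power=72)
    all_inputs = with_buffers(BASELINE, "ESS", power=72, water=72,
                              communications=72, transportation=72)
    for label, plan in [("baseline", BASELINE),
                        ("generator only", generator_only),
                        ("72 h on every input", all_inputs)]:
        ok, hour, why = survives(plan, outage, "ESS")
        print(f"{label:20s} survives 72 h: {ok!s:5s} fails at {hour:5.1f} h via {why}")
```

With these constructed numbers, a generator alone does not carry ESS through 72 hours of a power outage: the binding input becomes water, whose pumps lost power four hours in.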
5. SPECIFIC OPTIONS FOR GOVERNANCE AT SECTOR LEVEL
Establish an effective operational coordinating mechanism for the National Capital Region that is consistent with key stakeholder needs.
Because of the complex inter-governmental relationships in the NCR, it is necessary to create an effective coordinating mechanism that can integrate the inputs of the three state-level response agencies and those of the 12 local jurisdictions as well as the resources of the federal government. This mechanism must be compatible with the existing hierarchy of intergovernmental roles and responsibilities and it must provide unified information analysis and coordinated management of response for the region as a whole.
5.1 Incentives
The emergency services sector is primarily made up of local government agencies. As public agencies, they are not responsive to market incentives. However, recognition of meritorious service on the part of units and individuals is a valuable incentive for maintenance of service quality. Because ESS is totally dependent on its workforce, measures that support workforce availability are of key importance.

• Provide support for the families of ESS personnel
Many ESS workers live far from the urban and suburban areas of the NCR. Communications and transportation are critical for access to workforce. It is also of critical importance to provide mechanisms to assist ESS workers to meet their personal and family responsibilities in order for them to focus on their crisis response mission.

• ESS accreditation contingent on infrastructure interdependency mitigation
Accreditation, certification standards and professional recognition provide a useful incentive to improvement of practice. Agency funding and
reputation are often influenced by positive external professional recognition.
5.2 Organization and management
• Organize and train private sector technical personnel and citizen corps to augment ESS response to incidents of large impact or long duration
In the event of large-scale, long-duration incidents, career ESS personnel are likely to be overloaded. Many live outside the NCR and may not be able to reach their job. In addition, they may be isolated by failures of the communications or transportation infrastructure. ESS manpower may become a critical problem in the response to a major incident. Extreme demand for emergency services during a major incident will require reinforcement by non-career personnel, trained technical personnel from the private infrastructure sector, and self-reliance on the part of the population. A traditional source of manpower back-up in natural disasters is the National Guard. It will also be necessary to call on the support of trained and organized citizen groups to carry out non-specialist functions related to rescue, first aid and evacuation. Emergency response capability development should be encouraged and supported in all public and private critical infrastructure organizations with appropriate training provided by ESS. Citizen corps participation must be dramatically expanded so that all neighborhoods of the NCR are involved.
6. SPECIFIC RECOMMENDATIONS ADDRESSING DEPENDENCIES
The critical infrastructure dependencies of the ESS are the single most important topic of potential vulnerability revealed in this study. The ESS in the NCR has not addressed the risks specific to ESS posed by the widespread failure of supporting critical infrastructure systems.

• Encourage collaboration between ESS and infrastructure sectors to identify and mitigate interdependencies
ESS agencies must develop a collaborative and consultative relationship with upstream critical infrastructure providers to assess risks to provision of required services and to develop strategies for alternative service provision.

• Develop back-up sources for critical infrastructure services (i.e., energy, communications and transportation)
ESS agencies must develop, in advance of a major regional incident, strategies for alternative supply of critical input services. These may
include redundant sources, on-site storage, or alternative processes to meet functional requirements.
6.1 Intra-sectoral
Intra-sectoral issues of dependency are both horizontal and vertical. Horizontal dependencies are those between the sub-sectors of police, fire and rescue, emergency medical, public health, public works and social services. Vertical dependencies are those between local, state and federal emergency management and response agencies. At the local jurisdiction level, there is considerable experience of coordination and collaboration. There is also well-established coordination between local and state agencies. The difficulty in the NCR derives from the fact that there is presently no effective mechanism of regional coordination that adequately integrates the local resources of the three state-level entities of Virginia, Maryland and the District of Columbia.

• Complete regional inter-agency communications inter-operability initiative
Several programs including the Capital Wireless Integrated Network (CapWIN) have been initiated to achieve ESS communications interoperability in the region. There are still agencies and jurisdictions that are not integrated into the regional system. Inter-operability of regional ESS communications and information distribution is essential to coordinated regional response.

• Provide a mechanism for coordination among the state-level entities responsible for emergency management
The most important dependency within ESS in the NCR is the command and control relationship between local and state agencies and the coordination of the three state-level agencies that share responsibility for the region.

• Develop the technical, administrative and operational framework for an NCR common operating picture (COP)
As described above, the common operating picture for ESS in the NCR is a fundamental requirement for coordinated regional emergency response. Unified information on regional incidents and regional resources is needed for the rational allocation of response resources to large-scale incidents affecting the region.
6.2 Inter-sectoral
Dependencies between ESS and other critical infrastructure sectors are usefully divided between upstream and downstream dependencies.

• Encourage collaboration between ESS and other critical infrastructure sectors to identify and mitigate interdependencies
Consultative mechanisms must be established between each ESS agency and the relevant upstream infrastructure service provider to identify and mitigate the impact of dependencies on ESS mission capability.

• Develop back-up sources for critical infrastructure services (i.e., energy, communications and transportation)
Inter-sectoral consultation should provide the basis for development of alternative supply strategies for critical upstream inputs for ESS. Redundant supply strategies should be developed for all critical services.
6.3 Regional
• Establish regional emergency response coordinating mechanism in the NCR
Coordinated regional response must integrate 12 local governments, three state-level entities and the federal government. Collaboration with the private sector must also be coordinated with the regional intergovernmental.

• Hold regional table top and field exercises involving a range of key public and private stakeholders, including representatives of business community, nonprofits and community institutions

• Create common operating picture for the region
The common operating picture for the region requires the integration of information inputs from all the participating local, state and federal agencies to provide a comprehensive overview of regional impact, resources and response actions. This shared information facility will provide the basis for coordinated response.
7. MEASURING EFFECTIVENESS

The ultimate measure of effectiveness will be seen in the response to an actual terrorist incident. However, in anticipation of such an event, general response capabilities can be defined and tested against hypothetical challenges and scenario events. Because the nature of future terrorist attacks is unknown, it is necessary to base planning on limited experience and conjecture about potential patterns of attack.

• Apply DHS national planning scenarios to the specific context of the NCR to assess potential scenario demand for emergency services and potential impact on upstream infrastructure services
The national planning scenarios provide a starting point for the projection of potential demand for ESS in the region and an initial basis for projecting impacts on other critical infrastructure systems under various modes of attack.

• Adopt the Target Capabilities List methodology to set goals for ESS
As recommended in the national preparedness goal, the Target Capabilities List, which is derived from the national planning scenarios, is currently the most relevant guidance for planning, developing, and evaluating ESS.

• Develop exercises based on regional scenarios to evaluate regional ESS capabilities. These exercises should include the impact of critical infrastructure interdependencies and potential service failures
Exercises to test general response capabilities and flexibility in applying those capabilities under unanticipated adverse conditions will be valuable in developing capacity for coordinated, innovative response.
8. MANAGING CONTINUOUS IMPROVEMENT

The terrorist threat is particularly challenging because it is continuously changing in response to protective measures. The dynamic, intelligent nature of the threat requires constant evolution on the part of ESS.

• Periodic updating of training and procedures based on the target capabilities methodology
The evolution of the terrorist threat as evidenced in events around the globe and as revealed through intelligence sources requires periodic updating of response capabilities. The pace of training and the resources allotted to training will have to change to keep abreast of changing threats.

• Accreditation and certification processes must take into account ESS vulnerability assessment and mitigation of infrastructure dependencies. Accreditation standards must also change to reflect changes in threat and relevant ESS capability
A dynamic standards process will have to emphasize training and technical assistance as well as evaluation.
9. CONCLUSION

The emergency services sector is the first line of defense in protecting life and property. The National Capital Region is well served by a highly developed police, fire and rescue, public health, public works, and social services infrastructure. While these services are geared to normal demand at the local level, the challenge of WMD requires development of fundamentally new capabilities. Large-scale catastrophic events affecting multiple jurisdictions in the region will require more trained personnel, enhanced command and control and coordinated information support. Chemical, biological and radiological attacks are unknown to most of the residents of the region. These unprecedented threats will require a new scale of response from ESS augmented by trained civilian volunteers.

The capacity of the emergency services sector to fulfill its mission may be compromised by loss of critical infrastructure services. ESS self-sufficiency must therefore be reassessed if we are to meet the challenge of WMD. Potential collateral damage resulting from attacks on identified targets must be analyzed. To date, this has not occurred. Measures taken to improve ESS response to WMD attack will have significant value in enhancing response for a wide range of catastrophic events. They will enhance the safety and security of the residents of the National Capital Region.
COMMUNICATIONS INFRASTRUCTURE SECURITY
Dynamic Reconfiguration of Network Topologies in Response to Disruption

Michael J. Casey
George Mason University
Abstract:
Terrestrial backbone networks carry over 80% of Internet, voice, and video media communication globally. The increasing reliance on this network infrastructure raises concern for protection and survivability against terrorist attacks. Research in the organization of complex networks has revealed that communications infrastructure is vulnerable based on its topological and geospatial structure as well as its network traffic distribution and interdependence with other systems. This vulnerability is magnified in the network backbone and near its critical junctures, or core. Methodologies are needed to provide dynamic, wireless bridging in the event of disruption of the backbone at critical junctures. This chapter characterizes the threat imposed on backbone communication networks and their core and presents the feasibility of applying high-bandwidth, wireless, and reconfigurable communication links to bridge data networks in the event of disruption and promote sustained survivability.
Key words: infrastructure security, topology control, wireless communications, network survivability
K.V. Frolov and G.B. Baecher (eds.), Protection of Civilian Infrastructure from Acts of Terrorism, 231–246. © 2006 Springer. Printed in the Netherlands.

1. INTRODUCTION

The unprecedented scale of disruption caused by the terrorist attacks on September 11, 2001 in the United States exposed numerous vulnerabilities in the infrastructure that underlies modern civilization. Transportation and emergency response were shown to be particularly vulnerable, due in part to failures in the communication infrastructure. Other infrastructure systems, even if not directly affected, failed or were disrupted due to their interdependent and interconnected nature. The unanticipated consequences of cascading failures, causing disruption both in geographic extent and into interconnected systems, raise a particular need for research in the survivability of network infrastructure.

This chapter profiles the threats, vulnerabilities, and technologies for protecting critical civilian communications infrastructure from acts of terrorism. Global backbone communication links, most often composed of fiber optic cable, are presented as the principal infrastructure components susceptible to attack. The chapter will characterize the three principal vulnerabilities of the global fiber optic infrastructure, discuss the relevant theory that applies in modeling the topological and spatial organization of the Internet, and introduce the application of high-bandwidth wireless technology capable of dynamically reconfiguring the network after disruption occurs and bridging backbone networks.

The common theme throughout this research will be that of security trade-offs. Schneier (2003) maintains that there is no perfect security in an efficient, cost-effective system. Further, in systems that must inter-operate with and be inter-dependent with other systems, adequate security, reliability, and survivability are even harder to attain. Our security objectives must, under the proper context and constraints, be traded off against the competing performance and cost goals of the system.
2. COMMUNICATIONS INFRASTRUCTURE: CHARACTERIZING THE THREATS

As the utilization of the Internet and other broadband communication technologies penetrates developing countries, significant growth in the spatial extent and volume of traffic carried on the fiber backbone network is expected. There is currently approximately 150 million km of installed fiber optic cable in the United States alone. Only a fraction of this installed fiber is actually active or “lit”, which indicates the potential growth in data handling capacity possible in the future. The fiber backbone is composed of public networks for Internet communications as well as the private networks for the communications of governments, corporations, financial institutions, and media conglomerates. Voice over Internet Protocol (VoIP) communication is growing at a rapid rate, as are the landline connections between an ever-expanding (in extent, density, and handling capacity) wireless data and voice network. Besides the expected higher utilization of currently inactive fiber in the future, expanded use of optical transport technologies such as wavelength-division multiplexing (WDM) will further expand the carrying capacity and role of the fiber backbone as a “single pipe” for all packet-based digital communication.

This convergence does not come without some consequences. In ever-increasing efforts to increase efficiency and reliability and minimize cost, less attention has been paid to ensuring survivability. Survivability, unlike reliability, describes the capacity for the communications network to remain operational should links become congested, temporarily unavailable, or severed as a result of random events or intentional attack. In considering the threats or modes of attack possible to the terrestrial communications backbone, two categories are identified:

• Location-based attacks. Location-based attacks include the intentional severing of the backbone at a pre-determined site or set of sites.
• Cyber-attacks. Cyber-attacks use the network as a means of reaching, disrupting, or delaying the communications hardware (e.g., routers, servers) connected to the backbone.

The threats identified share in common the targeted manner in which they are applied. In both cases, terrorists are expected to study the structure and dynamic behavior of the network and identify vulnerabilities which may be exploited. Having identified the two primary threat categories, and seeking an understanding of survivability and methods for achieving it, it is appropriate to characterize the specific vulnerabilities that are of concern to the communications backbone. These include:

• Topological vulnerability. Vulnerability based on the logical organization of nodes and links in the backbone network.
• Geospatial vulnerability. Vulnerability based on the spatial organization of nodes and links in the backbone network.
• Traffic vulnerability. Vulnerability based on the frequency of paths utilized in the backbone network.

Vulnerability based on topological structure

A large volume of research on the behavior of large networks such as the Internet and World Wide Web (WWW) has been completed since 1999. Barabási and Albert (1999) and many others have described the topological properties of large networks and their implications for efficiency and vulnerability. So-called scale-free or small-world networks that feature a degree distribution approximating a power law tend to be highly robust to random failure, yet vulnerable to deliberate attack. This apparent “robust yet fragile” behavior stems from the presence of hubs in the network (i.e., a significant number of nodes with a higher than average number of links).
The efficiency that comes from being able to reach a large fraction of the network in relatively few hops comes also with the vulnerability of being able to destroy connectivity in the network by targeting the hubs. Application of large network models to the structure of the Internet backbone was first performed by Faloutsos and Faloutsos (1999). This and subsequent studies (Yook et al., 2002) suggested that the topological structure of the Internet backbone (i.e., the logical organization of nodes and links) followed a power law. In examining ~150,000 routers connected by ~200,000 edges, they verified a power-law structure with γ = 2.3 and an average separation distance (l) of 10 nodes. The implication of this result is that some routers on the Internet backbone have a higher than average number of links and are hubs. Through cyber-attacks such as denial of service (i.e., hyper-frequent, artificial packet requests), the hub routers could be intentionally attacked and disruption of backbone communication could occur.
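The “robust yet fragile” behavior described above can be measured on a model network as a survivability check. The following is an added example, not code from the chapter: it grows a synthetic hub-forming graph by preferential attachment and compares how much of the surviving network stays connected after random node failure versus loss of the highest-degree nodes. The graph size, the 10% loss fraction, the seed and all function names are assumptions chosen for illustration.

```python
import random
from collections import deque

def preferential_attachment_graph(n, m, rng):
    """Grow a graph in which each new node links to m existing nodes chosen
    with probability proportional to their current degree (forms hubs)."""
    adj = {i: set() for i in range(n)}
    endpoints = []  # each node appears once per incident edge
    # Seed: a small fully connected core of m + 1 nodes.
    for u in range(m + 1):
        for v in range(u + 1, m + 1):
            adj[u].add(v)
            adj[v].add(u)
            endpoints += [u, v]
    for new in range(m + 1, n):
        targets = set()
        while len(targets) < m:
            targets.add(rng.choice(endpoints))  # degree-weighted choice
        for t in targets:
            adj[new].add(t)
            adj[t].add(new)
            endpoints += [new, t]
    return adj

def largest_component_fraction(adj, removed):
    """Share of surviving nodes that belong to the largest connected component."""
    alive = set(adj) - removed
    seen, best = set(), 0
    for start in alive:
        if start in seen:
            continue
        seen.add(start)
        queue, size = deque([start]), 0
        while queue:
            node = queue.popleft()
            size += 1
            for nb in adj[node]:
                if nb in alive and nb not in seen:
                    seen.add(nb)
                    queue.append(nb)
        best = max(best, size)
    return best / len(alive) if alive else 0.0

def survivability(n=2000, m=2, loss=0.10, seed=7):
    """Compare connectivity after random failure and after loss of hubs."""
    rng = random.Random(seed)
    adj = preferential_attachment_graph(n, m, rng)
    k = int(n * loss)
    random_loss = set(rng.sample(sorted(adj), k))
    by_degree = sorted(adj, key=lambda v: len(adj[v]), reverse=True)
    hub_loss = set(by_degree[:k])
    return {
        "random_failure": largest_component_fraction(adj, random_loss),
        "hub_loss": largest_component_fraction(adj, hub_loss),
    }

if __name__ == "__main__":
    for scenario, fraction in survivability().items():
        print(f"{scenario}: {fraction:.2f} of surviving nodes still connected")
```

A planner can rerun the comparison after adding links between low-degree nodes to see how much additional meshing is needed before the two figures converge.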
2.1 Vulnerability based on geospatial organization

Although the Internet and WWW are frequently modeled as abstract logical graphs, the communication infrastructure that comprises the network is physically based, and the routers, switches, servers, and other hardware have a geographic (geospatial) organization. The geographic location of critical fiber connections or network operation centers could be exploited for both cyber-based attacks and point-based attacks. To illustrate the geospatial vulnerability, consider the logical vs. geographic or network distribution of the network. The fiber backbone at a particular location may resemble a mesh, ring or other low-degree graph structure that does not offer a specific topological vulnerability due to the presence of hubs. However, the physical connections between fibers and the co-location of fiber switch hardware can reveal unintended vulnerability based on the backbone’s spatial structure where topologically separate infrastructure is installed.

Recent research into the spatial organization of information infrastructure (Gorman, 2004) has shown that vulnerabilities exist in not only the logical self-organization of evolving networks such as the Internet, but also in the underlying geometric network. Gorman and others have suggested that long haul communications (i.e., long distance connections between disparate metropolitan areas), although made efficient by small-world structure, result in unique vulnerabilities.
The communication backbone infrastructure, on the surface, has the perception of redundancy. Internet traffic is distributed across multiple backbone links, often links owned by separate companies. The illusion is that the diversity of links is disparate and distinct and that the owners of those links will provide some inherent resistance to disruption. What is not often revealed, however, is the relative physical proximity of the communications infrastructure. Geospatial analysis and infrastructure mapping show that apparently distinct backbone networks are often co-located with one another and disparate routes often converge at a single data center or network operations center. Figure 1 shows an example of a fiber density map of North America. High densities of fiber optic cable (length of installed cable per km²) can be expected in large cities such as Chicago, Denver, New York and Los Angeles. High densities between cities, however, especially the relatively high densities in the Northeastern US, are surprising. Densities are also relatively high where the population is low, such as in the US states of Montana and New Mexico.
Figure 1. Fiber density map of North American long haul fiber optic network. (Source: George Mason University, Infrastructure Mapping Project)
The fiber density distribution can be explained in part by the evolutionary process through which network infrastructure is planned and installed. In the United States, the lack of available rights-of-way and easements for utilities has promoted the installation of fiber parallel to major transportation corridors. Because few disjoint easements exist between cities, and because of cost considerations, the tendency to co-locate long haul backbone communication links is common.
Similarly, in dense urban areas, communication backbones often occupy the same conduits on bridges, tunnels, or other utility “pipes.” The intended benefit, to centralize accessibility for maintenance operations, has the unintended consequence of directly coupling what should otherwise be distinct, separable networks. The implication of this geospatial organization is that given an appropriate infrastructure map of the backbone communication network, terrorist attacks could target critical vulnerabilities based on geospatial structure. This revelation has caused some controversy over the public availability of infrastructure location data and has brought to the forefront the issue of survivability considerations in network design.
2.2 Vulnerability based on traffic distribution
Even with geospatially distinct networks that are topologically isolated and apparently robust, there are inherent vulnerabilities when the frequency of traffic on the links is considered. Network infrastructure, especially Internet infrastructure, is not homogeneous. By its power-law organization, hierarchical levels exist within the network. The Autonomous System (AS) for Internet protocols is a universal routing framework. The backbone network exists at the highest tier of the AS hierarchy. If a backbone link participates in a high frequency of routes on the network, that link can be said to be vulnerable from a network layer standpoint. Although non-backbone routes are often available, they are much less favored due to their limited capacity resulting in latency and delay. Albert et al. (2004) studied the structural vulnerability in the North American power grid. They considered end-to-end flows in the electrical power generation, transmission, and distribution network. Nodes in the network were classified as either sources (generating nodes), relays (transmission nodes), or sinks (distribution nodes). By measuring betweenness (i.e., the number of shortest paths traversing a node calculated for all pairs of nodes in the network), the cumulative electrical load being carried across the network was simulated. 40% of the relay nodes were found to participate in only tens or hundreds of paths, while 1% participated in more than a million paths each. These relays were found to have less than average degree, indicating they are not hubs yet still present significant vulnerability should disruptions occur in these nodes. Albert et al. (2004) conclude that the availability of short alternative paths is sufficient; however, 15% of the edges in the backbone network lack any redundant paths between disparate locations in the network.
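The two measurements named above, betweenness and the absence of redundant paths, can be run as a resilience audit on any link inventory. The following Python sketch is an added example, not code from the chapter or from Albert et al.; the nine-node topology is constructed, betweenness is computed with Brandes' algorithm (the standard fractional form of the shortest-path count), and edges without a redundant path are found as graph bridges.

```python
from collections import deque

# Constructed topology (not from the chapter): two fully meshed metro
# clusters, A1-A4 and B1-B4, joined only through one long-haul relay "R".
EDGES = [
    ("A1", "A2"), ("A1", "A3"), ("A1", "A4"),
    ("A2", "A3"), ("A2", "A4"), ("A3", "A4"),
    ("B1", "B2"), ("B1", "B3"), ("B1", "B4"),
    ("B2", "B3"), ("B2", "B4"), ("B3", "B4"),
    ("A4", "R"), ("R", "B1"),
]


def build_adjacency(edges):
    adj = {}
    for u, v in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj


def betweenness(adj):
    """Brandes' algorithm for an unweighted, undirected graph."""
    score = {v: 0.0 for v in adj}
    for s in adj:
        dist = {s: 0}
        sigma = {v: 0 for v in adj}      # number of shortest paths from s
        sigma[s] = 1
        preds = {v: [] for v in adj}
        order = []
        queue = deque([s])
        while queue:
            v = queue.popleft()
            order.append(v)
            for w in adj[v]:
                if w not in dist:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    preds[w].append(v)
        delta = {v: 0.0 for v in adj}
        for w in reversed(order):
            for v in preds[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                score[w] += delta[w]
    # every unordered pair was counted from both of its endpoints
    return {v: b / 2 for v, b in score.items()}


def bridges(adj):
    """Edges with no redundant path: removing one disconnects the graph."""
    disc, low, found = {}, {}, []
    counter = [0]

    def dfs(u, parent):
        disc[u] = low[u] = counter[0]
        counter[0] += 1
        for w in adj[u]:
            if w == parent:
                continue
            if w in disc:
                low[u] = min(low[u], disc[w])
            else:
                dfs(w, u)
                low[u] = min(low[u], low[w])
                if low[w] > disc[u]:
                    found.append(tuple(sorted((u, w))))

    for v in adj:
        if v not in disc:
            dfs(v, None)
    return sorted(found)


def audit(edges):
    """Flag below-average-degree nodes that carry the most shortest paths."""
    adj = build_adjacency(edges)
    bc = betweenness(adj)
    mean_degree = sum(len(n) for n in adj.values()) / len(adj)
    top = max(bc.values())
    hidden = sorted(v for v in adj if bc[v] == top and len(adj[v]) < mean_degree)
    return {"betweenness": bc, "mean_degree": mean_degree,
            "hidden_relays": hidden, "bridges": bridges(adj)}


if __name__ == "__main__":
    before = audit(EDGES)
    after = audit(EDGES + [("A3", "B2")])   # one added diverse inter-cluster link
    print("before:", before["hidden_relays"], before["bridges"])
    print("after: ", after["hidden_relays"], after["bridges"],
          "R betweenness", after["betweenness"]["R"])
```

In the constructed network the relay has the lowest degree of any node yet carries every inter-cluster path; a single added diverse link removes both bridges and spreads the load.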
Table 1 presents a summary of the vulnerabilities presented in the terrestrial communications backbone. As will be illustrated in the following sections, these vulnerabilities are not independent, and integrated methodologies that address each of these vulnerabilities simultaneously are needed.
Table 1. Summary of backbone communication infrastructure vulnerabilities
| Vulnerability | Critical concern |
|---|---|
| Topological | Presence of hubs, which if attacked, cause disruption and connectivity loss. |
| Geospatial | Co-location of otherwise disparate fiber optic cables. |
| Traffic distribution | Participation of certain relay links and nodes in a high percentage of end-to-end traffic routes. |
3. WIRELESS HIGH-BANDWIDTH COMMUNICATIONS
The global use of wireless communication has grown substantially over the past 10-15 years. Voice, data such as short-message service (SMS), and now multimedia broadcasts are delivered wirelessly. Licensed radio spectrum communications (e.g., cellular telephony) and unlicensed spectrum communications have evolved along different paths. As a result, the physical and network characteristics of each system differ with regard to their critical infrastructure protection concerns. The licensed spectrum wireless networks that are based predominantly on GSM standards employ cellular base-station architecture. Base-stations are linked by backhaul landlines that interconnect cells. The network is exclusively private – owned and operated by cellular providers. Security concerns for the licensed commercial spectrum are usually centered on redundant cell capacity. In the event of disruption or capacity exceedance at a cell, automated load-balancing techniques allow hand-off of communications to neighboring cells. Since the backbone links between cells are typically private, i.e., access and operations are supervised, vulnerability is not considered high. The unlicensed spectrum, predominantly shown by the global adoption of IEEE 802.11 based standards, is the extension of Internet at the cluster head (lowest tier of the hierarchical backbone network). In this case, vulnerability is related directly to issues with the combined public backbone network and includes the issues of vulnerability due to topological
organization, geospatial organization, and traffic distribution as discussed in the previous section. The use of wireless communications as the backbone or as a bridge in the backbone is a relatively new concept made possible only recently through the availability of very high bandwidth wireless technologies. Broadcast wireless is generally considered to be inadequate for high-bandwidth networks due to energy, range, and interference constraints. On the other hand, directional wireless communications technologies such as microwave and other high frequency media are now capable of supporting data rates above the 1 Gigabit per second (Gbps) threshold, considered to be the prerequisite capacity level for backbone communications infrastructure. Beginning in the early 1990s, research into terrestrial wireless bridging technology was seen as an important advance for cost savings in not having to deploy expensive fiber between buildings in urban centers and campus environments. Further, such technology provided the possibility of extending the backbone wirelessly to the end users on the network, thereby allowing a wide range of multi-media applications. One technology in particular, Free Space Optical (FSO) networks, emerged as a viable solution offering extremely high bandwidth and flexible links.
3.1 Free space optical (FSO) communications
FSO communication is based on full duplex (simultaneous two-way communication) links comprised of narrow-beam (e.g., 700-800 nm) lasers. Optical transceivers are staged along a line of sight, separated by distances of up to several kilometers. FSO technology was first explored as a means to communicate with spacecraft during the 1960s by the US National Aeronautics and Space Administration (NASA). Atmospheric effects, which cause attenuation of the laser in fog and in clouds, proved too difficult to overcome for space applications. However, commercial and military applications for roof-top wireless links between buildings and ad-hoc battlefield networking remain. Roof-top FSO links, especially in climates not affected by frequent fog conditions, have seen some commercial adoption. These links are typically static and use high-bandwidth links between corporate networks. They are typically not part of a fixed public access network such as the Internet backbone. At ranges up to 1 km, FSO links are capable of data rates on the order of 2 Gbps. Because free space optical links are extremely difficult to intercept, FSO communication also offers inherent security. Finally, since FSO links
require only power and down-link communications interfaces, they are rapidly deployable once alignment between transceivers is established.
3.2 Examples and disadvantages of FSO systems
The range of commercial FSO systems available is limited to roof-top wireless bridging applications. Experimental systems, on the other hand, are being developed for a wide range of other applications including high bandwidth communications for emergency response.
Figure 2. Prototype FSO transceivers. (top-left) Omni-directional beacon, (top-right) Agile transceiver mounted on Gimbal arm, (bottom-left) 500 meter test range on University of Maryland campus, (bottom-right) retroreflector mirror for single transceiver alignment and calibration.
Figure 2 shows photographs of some prototype FSO transceiver designs created by the Maryland Optics Group at the University of Maryland. Two architectures are presented:
• Omni-directional FSO. Omni-directional FSO transceivers are low-bandwidth devices capable of “broadcast optical” links without the need for alignment between transceivers.
• Agile FSO with PAT. Agile FSO transceivers are high-bandwidth units capable of dynamic PAT (pointing, acquisition, and
tracking). Through an autonomous control system, transceivers are capable of dynamically locating, aligning with, and maintaining connectivity with other transceivers.
The advent of omni-directional and agile directional transceivers represents the greatest recent advancement in FSO hardware design. The ability for transceivers to be non-stationary (i.e., mobile) and reconfigurable is necessary for overcoming some of the disadvantages in the FSO platform. Alignment precision is an important concern for fixed links to maintain connectivity. For tall buildings subject to sway and wind deflection, alignments between transceivers can vary by several centimeters. Agile transceivers can mitigate this variability through PAT processes.
Figure 3. Typical FSO atmospheric attenuation curve
As previously mentioned, atmospheric attenuation due to fog, clouds, smoke, or other obscuration severely impacts FSO transmissions. For example, for a typical exponentially decaying attenuation curve as in Figure 3, fog conditions with an attenuation rate of 225 dB/km have the effect of decreasing the 1 Gbps sustainable range to less than 100 m. Fortunately, solutions to the problem of atmospheric obscuration and attenuation exist in the form of agile transceivers which can alter the topology
of the network and hybrid systems that employ mixed optical and RF media.
3.3 Hybrid systems
Because of the detrimental effects of atmospheric attenuation or other obscuration on FSO links, the ability to dynamically change media to lower-bandwidth directional RF is desirable. Through this “media diversity”, data may be transmitted simultaneously over optical and directed, high-frequency radio links nominally capable of 50 Mbps data rates.
4. TECHNIQUES FOR TOPOLOGY CONTROL AND DYNAMIC RE-CONFIGURATION
The availability of high bandwidth agile FSO transceivers and hybrid FSO/RF offers great promise in bridging critical backbone communication links. The ability to optimally control and dynamically reconfigure the resulting wireless topologies in response to disruption in near real-time, however, remains a research challenge. Topology Control is a class of methods for dynamically reconfiguring the network in response to disruption (Davis et al., 2003). It includes the PAT control systems and software for optimal topology formation and survivability. This section will present strategies for topology control in the physical layer to account for the effects of atmospheric attenuation and obscuration, strategies for the network layer to manage congestion and variable traffic demand, a combined formulation of the physical and network layers, and a discussion of trade-offs suitable in topology controlled FSO networks appropriate for mitigating the critical communications infrastructure vulnerabilities discussed in Section 2.
4.1 Physical and network layer topology control
The detrimental effects of atmospheric attenuation and obscuration are manifested in the FSO network by the receiving of diminished power levels at the destination transceiver. Power level can be used to derive the bit error rate (BER) for a given link and subsequently its maximum throughput. Topology control in the physical layer is concerned with determining the minimum cost topology (i.e., the topology with the lowest BER and therefore the highest possible throughput). Experimental nodes with two agile transceivers each have been developed that are capable of forming closed ring topologies. Aggregate network
cost (C) is continuously measured by computing the sum of each link cost (c_ij) in terms of BER. Based on this information, a minimum cost ring is computed and the topology of the network is adjusted to form that ring in near real-time. Mathematically, this problem is equivalent to the Traveling Salesman Problem (TSP) and has been shown to be NP-complete. Heuristics developed by Davis et al. (2003) and others have demonstrated fast (<800 ms) solutions to this problem for networks up to N = 20 nodes. Other heuristics have been developed for higher degree networks (e.g., nodes with 4 transceivers each capable of forming mesh topologies).
In the network layer, the objective of topology control is to minimize congestion on the most heavily loaded links. Flow on the network is measured in bits-per-second (or BPS) with the goal to minimize the aggregate BPS of the topology. Topology control in the network layer combines monitoring with routing to achieve new topologies that minimize congestion. Heuristics to compute optimal two degree (ring), three degree, and four degree (mesh) topologies in near real-time have been developed.
4.2 Multi-objective topology control
While the individual heuristics provide fast, near optimal topologies, the physical layer heuristic ignores the behavior of the network layer, and vice versa. This presents a challenge as both the physical and network layers contribute to the selection of a realistic, optimal topology.
Figure 4. Example of competing physical and network layer objectives
Consider the example in Figure 4. Two candidate topologies are considered for a 4-node system. Topology 1 yields a lower cost (i.e., bit error rate,
BER) and is therefore preferable to topology 2 in the physical layer. In the network layer, however, Topology 2 has a lower level of congestion and it is preferable. Given that we wish to minimize cost and congestion for the same 4-node system, which topology is best? When regarding the system as a whole, a third topology may be needed, in which the physical and network layer objectives are jointly optimized. A multi-objective optimization formulation can be used to derive the third topology. A multi-objective (minimized BER and congestion) topology can be created by evaluating the Pareto optimality conditions between the competing objectives. Figure 5 presents a conceptual Pareto curve comparing three topologies for their respective performance with regard to minimum cost (minimum BER) and minimum congestion (minimum BPS on the most congested links).
Figure 5. Conceptual Pareto Optimality relationship between Physical network cost and congestion
Topology (Tc) is optimized only on the basis of minimum network cost and therefore performs very poorly with respect to congestion. Similarly, topology (TR) is optimized only on the basis of minimum congestion and performs poorly with respect to cost. Although both of these topologies are part of the Pareto optimal set (i.e., the set of solutions for which an
improvement in one objective can come only at the cost of another), neither approaches the Pareto optimal solution. Only the combined topology (T) which includes consideration for both the physical and network layers succeeds at minimizing both objectives simultaneously.
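The trade-off described in Sections 4.1 and 4.2 can be worked through for a 4-node ring network. The following Python sketch is an added example, not code from the chapter or from the heuristics it cites: it enumerates every ring by brute force (practical only for small N, which is why heuristics are used in practice), and the link costs, the traffic demands, the shorter-way-round routing rule and the distance-to-ideal compromise are all assumptions of this example.

```python
from itertools import permutations

# Constructed 4-node example; none of these values come from the chapter.
NODES = ["A", "B", "C", "D"]
# Physical-layer link cost c_ij (a BER-derived penalty, lower is better).
LINK_COST = {("A", "B"): 1, ("C", "D"): 1, ("B", "C"): 2,
             ("A", "D"): 2, ("A", "C"): 3, ("B", "D"): 3}
# Network-layer demand between node pairs (Mbps).
DEMAND = {("A", "B"): 10, ("C", "D"): 2, ("A", "C"): 4,
          ("B", "D"): 4, ("A", "D"): 1, ("B", "C"): 1}


def key(u, v):
    return (u, v) if u < v else (v, u)


def rings(nodes):
    """All distinct rings: fix the first node and drop mirror images."""
    first, rest = nodes[0], nodes[1:]
    return [(first,) + p for p in permutations(rest) if p[0] < p[-1]]


def physical_cost(ring, link_cost):
    """Aggregate cost C = sum of c_ij over the links of the ring."""
    n = len(ring)
    return sum(link_cost[key(ring[i], ring[(i + 1) % n])] for i in range(n))


def congestion(ring, demand):
    """Load on the busiest link when every demand takes the shorter way
    round the ring (split evenly if both ways are equally long)."""
    n = len(ring)
    pos = {v: i for i, v in enumerate(ring)}
    load = [0.0] * n                     # load[i]: link ring[i] -- ring[i+1]
    for (u, v), d in demand.items():
        i, j = sorted((pos[u], pos[v]))
        one_way = list(range(i, j))
        other_way = list(range(j, n)) + list(range(0, i))
        if len(one_way) < len(other_way):
            paths = [(one_way, d)]
        elif len(other_way) < len(one_way):
            paths = [(other_way, d)]
        else:
            paths = [(one_way, d / 2), (other_way, d / 2)]
        for links, share in paths:
            for k in links:
                load[k] += share
    return max(load)


def evaluate(nodes, link_cost, demand):
    return [(r, physical_cost(r, link_cost), congestion(r, demand))
            for r in rings(nodes)]


def pareto_front(scored):
    """Topologies that no other topology beats on both objectives."""
    front = []
    for r, c, g in scored:
        dominated = any(c2 <= c and g2 <= g and (c2 < c or g2 < g)
                        for _, c2, g2 in scored)
        if not dominated:
            front.append((r, c, g))
    return front


def compromise(front):
    """Front member closest to the ideal point after min-max scaling."""
    costs = [c for _, c, _ in front]
    congs = [g for _, _, g in front]

    def scale(x, lo, hi):
        return 0.0 if hi == lo else (x - lo) / (hi - lo)

    return min(front, key=lambda t: scale(t[1], min(costs), max(costs)) ** 2
               + scale(t[2], min(congs), max(congs)) ** 2)


if __name__ == "__main__":
    scored = evaluate(NODES, LINK_COST, DEMAND)
    for ring, cost, cong in scored:
        print("-".join(ring), "cost", cost, "max link load", cong)
    print("compromise:", "-".join(compromise(pareto_front(scored))[0]))
```

With these constructed inputs the cheapest ring is the most congested, the least congested ring is the most expensive, and the third ring is the one selected when both objectives are weighed together.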
4.3 Trading-off efficiency and survivability
This illustration of topology control techniques provides a basis for the discussion of trade-offs applicable for mitigating the critical communications infrastructure vulnerabilities discussed in Section 2. The topological vulnerability in the fiber optic backbone can be mitigated in part by decreasing both the number and degree of hubs near the backbone core. A so-called “mesh at the core” approach would promote a highly survivable topological structure while still maintaining power-law like efficiency. Wireless bridging of the backbone using FSO links near the core would be directly applicable using topology controlled four degree mesh networks. Geospatial vulnerability can be mitigated by disjoining co-located fiber optic links and promoting reconfigurable backbones such that vulnerable topologies are not easily mapped and exploited. Wireless bridging of the backbone would allow for lower spatial densities of backbone nodes near the core of the network. Traffic distribution vulnerability can be mitigated by providing flexible, long haul wireless backbones capable of balancing the frequency with which backbone links participate in end-to-end network connections. Table 2 provides a summary of the identified vulnerabilities and trade-off attributes when the application of wireless backbone technology is considered.
Table 2. Summary of Topology Control trade-off behavior
| Identified Vulnerability | Trade-off attribute with Wireless backbone extension |
|---|---|
| Topological | Degree of transceivers; Number of landline backbones incident at wireless extension point |
| Geospatial | Geospatial extent; Density of transceivers |
| Traffic distribution | Degree of transceivers (aggregate number of FSO links); Routing scheme |
The previous sections have illustrated the comparative advantages and disadvantages of different topological, spatial, and network flow organizational patterns. Efficiencies in a particular configuration are coupled with vulnerabilities that must be explicitly addressed in critical communications infrastructure protection.
5. SUMMARY
The convergence of many communications technologies into “one pipe” or backbone network has created unexpected concern with regard to the survivability of the backbone in the event of a terrorist attack. The impact of disruption can have far reaching consequences depending on the spatial and topological organization of the network. This chapter has presented three specific vulnerabilities affecting the communications backbone (topological, geospatial, and distribution of traffic) and has proposed high-bandwidth wireless technology as a solution to provide wireless bridging of the most critical nodes near the network core. A discussion of the relevant trade-offs in balancing survivability with the increasing demands of cost effectiveness and network efficiency was presented. Topology control is an effective means to dynamically reconfigure the network in response to disruption while jointly optimizing on these competing objectives.
REFERENCES
Acampora, A. and S. Krishnamurty (1999). "A Broadband Wireless Access Network Based on Mesh-Connected Free-Space Optical Links." IEEE Personal Communications: 62-65.
Albert, R. and I. Albert (2004). "Structural Vulnerability of the North American Power Grid." Physical Review E.
Barabási, A.-L. and R. Albert (1999). "Emergence of scaling in random networks." Science 286: 509-512.
Davis, C. C., I. I. Smolyaninov, et al. (2003). "Flexible Optical Wireless Links and Networks." IEEE Communications Magazine.
Dorogovtsev, S. N. and J. F. F. Mendes (2003). Evolution of networks: from biological nets to the Internet and WWW. Oxford; New York, Oxford University Press.
Faloutsos, M., P. Faloutsos, et al. (1999). "On power-law relationships of the Internet topology." Computer Communications Review 29: 251.
Gastner, M.T., and Newman, M.E.J., "The Spatial Structure of Networks." Information Infrastructure." Journal of Contingencies and Crisis Management
Gorman, S.P. and Kulkarni, R. (2004). "Spatial small worlds: New geographic patterns for an information economy." Environmental Planning B., vol. 31, pp. 273-296.
National Research Council (2002). Making the Nation Safer: The Role of Science and Technology in Countering Terrorism. Washington, D.C., National Academy Press, 415 p.
Schneier, B. (2003). Beyond fear: thinking sensibly about security in an uncertain world. New York: Copernicus Books, 295 p.
Yook, S.-H., H. Jeong, et al. (2002). "Modeling the Internet's large-scale topology." Proceedings of the National Academy of Sciences: 13382-13386.
ON THE POSSIBILITY OF DETECTING EXPLOSIVES BY THE COMBINED USE OF NUCLEAR REACTIONS (N,N), (N,γ), (N,P)
Gennadii Kotel'nikov¹, Sergey Kotel'nikov², Vladimir Stepanchikov¹ and Genrikh Yakovlev¹
¹ Russian Research Center Kurchatov Institute, Kurchatov Sq., 1, Moscow, 123182, Russia
² Firm Spetssvyaz, Office 267, Tverskaya 12, Building 7, Moscow, 125009, Russia
Abstract: It is proposed to use the set of reactions ¹H(n,n)¹H, ¹⁴N(n,γ)¹⁵N, ¹⁶O(n,p)¹⁶N→(β⁻,γ)¹⁶O for detecting explosives. The employment of these nuclear reactions provides a higher probability of detecting explosives.
Key words: Explosives, nuclear reactions, control systems
1. INTRODUCTION
The technical progress in the miniaturization of explosives turns their detection and control of their transport and storage into high-priority tasks. Among the most well-known explosives are nitroglycerine C₃H₅(ONO₂)₃ (ρ = 1.6 g/cm³), trinitrotoluene C₆H₂(NO₂)₃CH₃ (ρ = 1.6 g/cm³) and hexogen (CH₂)₃N₃(NO₂)₃ (ρ = 1.8 g/cm³) [1–4]. These materials may be effectively used under water and in air-free and closed spaces. However, the presence of hydrogen, carbon, oxygen, and nitrogen in characteristic proportions is an important unmasking attribute and can be used to control and detect explosives.
K.V. Frolov and G.B. Baecher (eds.), Protection of Civilian Infrastructure from Acts of Terrorism, 247–252. © 2006 Springer. Printed in the Netherlands.
2. UNMASKING SIGNS OF EXPLOSIVES
These signs are defined by the main physical and chemical properties of explosives. These are: vapor density, density, coefficients of electrical and magnetic permittivity, chemical composition, cross sections of interaction with ionizing radiation, characteristic spectral lines of emission and absorption of electromagnetic radiation, characteristic frequencies of EPR and NMR [3]. Next we shall consider how these signs may find application for detecting explosives.
3. NUCLEAR-PHYSICAL METHODS FOR DETECTING EXPLOSIVES
There are many nuclear-physics methods for detecting explosives, for example: X-raying, X-ray back scattering, X-ray computed tomography, radiative capture of neutrons, fast-neutron activation, neutron scattering, detection of explosives vapor, detection of IR radiation, detection of characteristic frequencies of nuclear quadrupole resonance, spectrometry of elastically scattered neutrons, spectrometry of inelastically scattered neutrons, spectrometry of gamma-radiation [2-8].
4. DETECTION OF EXPLOSIVES THROUGH THE COMBINED USE OF NUCLEAR REACTIONS (N,N), (N,γ), (N,P)
The above-mentioned methods often require sophisticated apparatus for their implementation. The purpose of the present work is to make the apparatus less complicated through the combined use of nuclear reactions. Out of the four basic chemical elements (H, C, N, O) entering into explosives, we shall consider the detection of three elements: hydrogen (H), nitrogen (N) and oxygen (O).
4.1 Detection of hydrogen
For this purpose one can use the reaction of elastic back scattering of neutrons on hydrogen ¹H(n,n)¹H. This method was implemented, for example, in the device "Svertchok" (Tomsk, Russia). It is intended for detecting hydrogen-containing substances behind barriers of metal, brick, concrete and others. Its operation is based on the dependence of back scattered
neutron flux on the mass of scattering hydrogen-containing substance in place of control. The isotope ²⁵²Cf with an activity of $10^{6}$ n/sec is used as a neutron source. The sensitivity of the device is ~50-100 g. Its disadvantage is that it can detect only hydrogen [9].
4.2 Detection of nitrogen
The use of the nuclear reaction ¹⁴N(n,γ)¹⁵N for detecting nitrogen is a well-known positive example [8]. The ¹⁴N content in the natural isotopic mixture is 99.63%. The cross section of radiative capture of thermal neutrons is 0.0750(75) b. The γ-ray spectrum of the daughter nucleus ¹⁵N is hard, and the efficiency of emission of 10.824-MeV γ-rays per one captured neutron is high (14%). The radiation of ¹⁵N may be reliably detected within 2–3 s while inspecting the baggage of air passengers at a relatively low neutron intensity of $6 \times 10^{7}$ neutron/s. In this case, either radiation sources (²⁵²Cf, $T_{1/2} = 85$ years, $\nu = 3.1$, $m = 300$ μg [7]) or equivalent pulsed neutron generators are used. In estimating the intensity of neutron radiation, we proceed from a 100-g mass of a trinitrotoluene pellet C₇H₅N₃O₆ (M = 227) with nitrogen contents $N_N = 8 \times 10^{23}$. Let the number of photons emitted by ¹⁵N be $dN_\gamma/dt = N_N I_\gamma \Omega \varepsilon \sigma_{n,\gamma} \Phi S_f/S_\Sigma = 1$ count/s. Here $\sigma_{n,\gamma} = 7.5 \times 10^{-2}$ b and $I_\gamma = 0.14$ are, respectively, the cross section of the (n,γ)-process and the photon yield for ¹⁵N; $S_f/S_\Sigma = 0.1$ is the ratio of the photopeak (escape-peak) area to the entire spectrum area; $\varepsilon = 0.67$ is the detection efficiency of a 25 × 25-cm NaI(Tl) crystal. For a space angle $\Omega$ such that $\Omega\varepsilon = 5.3 \times 10^{-2}$, the estimated neutron flux in the detection of ¹⁵N is $\Phi \sim 2.2 \times 10^{4}$ neutron/(cm²·s), which does not contradict [8]. The equipment implementing this method has been installed and has passed testing satisfactorily at the J. F. Kennedy airport, as well as at the airports of Miami, Gatwick, Dallas, Jeddah, San Francisco, and Santa Clara. More than $10^{6}$ units of baggage have been inspected as of 1996 [8]. The disadvantage of this method is that it can detect only a single element, nitrogen, and that it may register unwanted γ-rays with energies of 10.038 (0.03%) and 9.298 (3.3%) MeV due to ⁵⁸Fe and ⁵⁵Fe isotopes from the environment [10].
This method is not designed for detecting the other explosive components.
4.3 Detection of oxygen
It may be done with the help of the reaction ¹⁶O(n,p)¹⁶N(β⁻,γ)→¹⁶O [3]. The ¹⁶O content in the natural mixture is 99.76%. The activation cross section for fission-spectrum neutrons, $1.9 \times 10^{-5}$ b, is high enough to detect the isotope with a half-life of 7.35 s and γ-ray energies of 7.12 (5%) and 6.13
(73%) MeV (the γ-ray intensity is given in brackets) [11]. Since the upper limit of photon energy for the majority of radioactive products is <3 MeV, radiation of ¹⁶O is detected in the energy range where no characteristic peaks exist. Note that the ¹⁶N isotope is the main source of the background activity for water coolants in nuclear reactors (its presence is a side effect of the reactor operation [11]) and is used to solve various engineering problems. Besides, the 6.13-MeV γ-line also appears in the inelastic scattering of neutrons on ¹⁶O and is used as additional information about the presence of explosives (the installation EDEN, France [12]). In estimating the intensity of neutron radiation we shall assume that the detection efficiency is the same as in the case of ¹⁵N (see above). In terms of oxygen, $N_O = 16 \times 10^{23}$, this estimate corresponds to a counting rate of $2.6 \times 10^{-3}$ counts/s for photons from ¹⁶N decay for the fission spectrum, with the cross section of the activation process $\sigma_{n,a} = 1.9 \times 10^{-5}$ b and $I_\gamma = 0.73$. Hence, for the statistical error in detecting oxygen to be acceptable, it is necessary to increase the neutron flux to a level $\Phi \sim 10^{6}$ neutron/(cm²·s) and the exposure time by a factor of 10. In this case, the estimated intensity of the neutron source is $I = 4\pi R^{2}\Phi \sim 10^{8}$ neutron/s for $R \sim 5$ cm (instead of $10^{6}$ and $6 \times 10^{7}$ n/sec in the case of [8,9]). This condition is met if we use, for example, a ТГИ-111 (Russia) neutron generator with an average neutron intensity of up to $10^{9}$ neutron/s.
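The nitrogen and oxygen estimates in Sections 4.2 and 4.3 can be recomputed from the quantities quoted in the text. The following Python sketch is an added example, not the authors' code; Avogadro's number is the only outside constant, the function and variable names are this example's own, and build-up and decay of the activation product during counting are ignored, as in the text's own estimate.

```python
import math

AVOGADRO = 6.022e23          # atoms per mole
BARN_TO_CM2 = 1e-24

# Values quoted in the text: 100 g of trinitrotoluene C7H5N3O6, M = 227.
SAMPLE_MASS_G, MOLAR_MASS = 100.0, 227.0
N_PER_MOLECULE, O_PER_MOLECULE = 3, 6
OMEGA_EPS = 5.3e-2           # solid-angle fraction times detector efficiency
PEAK_FRACTION = 0.1          # photopeak area / whole-spectrum area
SIGMA_CAPTURE_B, YIELD_NITROGEN = 7.5e-2, 0.14   # radiative capture on 14N
SIGMA_ACTIVATION_B, YIELD_OXYGEN = 1.9e-5, 0.73  # 16O(n,p)16N, 6.13 MeV line


def atoms(mass_g, molar_mass, per_molecule):
    """Number of atoms of one element in the sample."""
    return mass_g / molar_mass * AVOGADRO * per_molecule


def rate_per_unit_flux(n_atoms, sigma_b, photon_yield):
    """Registered counts/s for a flux of 1 neutron/(cm^2 s):
    N * I_gamma * (Omega*eps) * sigma * S_f/S_Sigma."""
    return (n_atoms * photon_yield * OMEGA_EPS
            * sigma_b * BARN_TO_CM2 * PEAK_FRACTION)


def flux_for_rate(target_cps, n_atoms, sigma_b, photon_yield):
    """Neutron flux needed to register target_cps counts per second."""
    return target_cps / rate_per_unit_flux(n_atoms, sigma_b, photon_yield)


def source_intensity(flux, radius_cm):
    """Isotropic point-source intensity giving `flux` at distance radius_cm."""
    return 4 * math.pi * radius_cm ** 2 * flux


def reproduce_estimates():
    n_nitrogen = atoms(SAMPLE_MASS_G, MOLAR_MASS, N_PER_MOLECULE)
    n_oxygen = atoms(SAMPLE_MASS_G, MOLAR_MASS, O_PER_MOLECULE)
    flux_n = flux_for_rate(1.0, n_nitrogen, SIGMA_CAPTURE_B, YIELD_NITROGEN)
    oxygen_unit = rate_per_unit_flux(n_oxygen, SIGMA_ACTIVATION_B, YIELD_OXYGEN)
    return {
        "nitrogen_atoms": n_nitrogen,
        "oxygen_atoms": n_oxygen,
        "flux_for_1cps_nitrogen": flux_n,
        "oxygen_cps_at_that_flux": oxygen_unit * flux_n,
        "oxygen_cps_at_1e6_flux": oxygen_unit * 1e6,
        "source_intensity_at_1e6_flux_5cm": source_intensity(1e6, 5.0),
    }


if __name__ == "__main__":
    for name, value in reproduce_estimates().items():
        print(f"{name}: {value:.3g}")
```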
5. BLOCK-DIAGRAM OF THE DEVICE OFFERED
The block-diagram of the device made up of the above-mentioned elements is given in Fig. 1. In Fig. 1, the windows 10.8 MeV and 6.13 MeV are for the registration of nitrogen and oxygen, respectively. The neutron detector is used to register the scattered neutrons from the reaction ¹H(n,n)¹H. The unit "Comparison" determines the ratio N/O/H. Apart from nitrogen, oxygen, and hydrogen monitoring, the device enables one to measure the N/O/H ratios with some statistical accuracy. This will permit one to increase the probability of detecting an explosive among other substances (organic, metals, liquids and so on). In particular, the probability of detecting an explosive $P = 1-(1-p_1)(1-p_2)(1-p_3)$ increases from $p = 0.7$ to $P = 1-(1-p)^3 = 1-(0.3)^3 \sim 0.97$ if $p = 0.7$ is the probability of detecting the components H, N, O of an explosive. It is important for practical applications. The operating conditions may be the following: a 20-s interval of irradiation and detection of neutron and ¹⁵N radiation and a 20-s pause with the detection of radiation from ¹⁶N decay. The 20-s interval is the time in which the activation of the ¹⁶N isotope reaches equilibrium.
Figure 1. A block-diagram of the device for detecting nitrogen, oxygen, hydrogen and determining the N/O/H ratio. (Blocks: gamma-radiation detector with 10.8 MeV window for nitrogen and 6.13 MeV window for oxygen; neutron detector registering scattered neutrons for hydrogen; comparison unit giving the N/O/H ratio.)
6. CONCLUSION
On the basis of the combined use of the nuclear reactions ¹H(n,n)¹H, ¹⁴N(n,γ)¹⁵N, ¹⁶O(n,p)¹⁶N→(β⁻,γ)¹⁶O, a method for detecting explosives is proposed. It may be used to search for hidden explosives if express-analysis is not required. For the further study of the method it is necessary to carry out its mathematical and physical modeling using models simulating the composition of explosives and various accompanying materials.
REFERENCES
Bar-Nir, I.M., P. Shee, T. Gozani. Abstracts of Papers, Second Explosives Detection Technology Symp. and Aviation Security Technology Conf., Atlantic City, New York, 1996, 370.
Bartlett, P.N. Nature, 1989, 342, 848.
Flight Int., 1989, July 8, 14.
Groshev, L.V., A.M. Demidov, G.A. Kotelnikov, V.N. Lutsenko. Nucl. Phys., 1964, 58, 465.
Kotel'nikov, G.A., G.V. Yakovlev. Instr. Exper. Techniques, 2002, 45, 128.
Learmont, D. Flight Int., 1989, 135, 13.
Mostovoi, V.I., A.N. Roumiantsev, G.V. Yakovlev et al. Abstracts of Papers, Second Explosives Detection Technology Symp. and Aviation Security Technology Conf., Atlantic City, New York, 1996, 148.
Neutron searching device "Svertchok", Tomsk Center of Scientific and Technique Information, Prospect List, 1990, N 173-90.
Polikarpov, V.I., V.S. Filonov, O.V. Chubakova, N.N. Yuzvuk. Kontrol' negermetichnosti teplovydelyayushchikh elementov (Control of Leaking of Fuel Elements), Moscow, Gosatomizdat, 1962, 39.
Rhodes, E., C.E. Dickerman, T. Brunner, A. Hess. Report ANL/ACTV-95/1, 1994, p. 88.
Stepanchikov, V.I., G.A. Kotel'nikov, S.V. Marin, S.A. Kotel'nikov. Problems of safety and extreme situations, 2004, N 1, 105.
Yakovlev, G.V., G.A. Kotel'nikov, V.P. Zakharova. At. Tekh. Rubezhom, 1997, N. 3, 11.