Comparative Analysis of Technological and Intelligent Terrorism Impacts on Complex Technical Systems [1 ed.] 9781614991311, 9781614991304

Insider knowledge about a complex technical system, coupled with access to its elements, has the potential to be used fo


English Pages 204 Year 2012


Copyright © 2012. IOS Press, Incorporated. All rights reserved.

COMPARATIVE ANALYSIS OF TECHNOLOGICAL AND INTELLIGENT TERRORISM IMPACTS ON COMPLEX TECHNICAL SYSTEMS

Comparative Analysis of Technological and Intelligent Terrorism Impacts on Complex Technical Systems, edited by G. B. Baecher,

NATO Science for Peace and Security Series

This Series presents the results of scientific meetings supported under the NATO Programme: Science for Peace and Security (SPS). The NATO SPS Programme supports meetings in the following Key Priority areas: (1) Defence Against Terrorism; (2) Countering other Threats to Security and (3) NATO, Partner and Mediterranean Dialogue Country Priorities. The types of meeting supported are generally “Advanced Study Institutes” and “Advanced Research Workshops”. The NATO SPS Series collects together the results of these meetings. The meetings are co-organized by scientists from NATO countries and scientists from NATO’s “Partner” or “Mediterranean Dialogue” countries. The observations and recommendations made at the meetings, as well as the contents of the volumes in the Series, reflect those of participants and contributors only; they should not necessarily be regarded as reflecting NATO views or policy.

Advanced Study Institutes (ASI) are high-level tutorial courses to convey the latest developments in a subject to an advanced-level audience.

Advanced Research Workshops (ARW) are expert meetings where an intense but informal exchange of views at the frontiers of a subject aims at identifying directions for future action.

Following a transformation of the programme in 2006 the Series has been re-named and reorganised. Recent volumes on topics not related to security, which result from meetings supported under the programme earlier, may be found in the NATO Science Series.

The Series is published by IOS Press, Amsterdam, and Springer Science and Business Media, Dordrecht, in conjunction with the NATO Emerging Security Challenges Division.


Sub-Series
A. Chemistry and Biology – Springer Science and Business Media
B. Physics and Biophysics – Springer Science and Business Media
C. Environmental Security – Springer Science and Business Media
D. Information and Communication Security – IOS Press
E. Human and Societal Dynamics – IOS Press

http://www.nato.int/science
http://www.springer.com
http://www.iospress.nl

Sub-Series E: Human and Societal Dynamics – Vol. 102
ISSN 1874-6276 (print)
ISSN 1879-8268 (online)

Comparative Analysis of Technological and Intelligent Terrorism Impacts on Complex Technical Systems

Edited by

Nikolay A. Makhutov
Russian Academy of Sciences
Moscow, Russia

and

Gregory B. Baecher
University of Maryland
College Park, MD, USA

Published in cooperation with NATO Emerging Security Challenges Division


Proceedings of the NATO Advanced Research Workshop on Comparative Analysis of Technological and Sociological Consequences of Terrorism
Moscow, Russia
5-7 April 2011

© 2012 The authors and IOS Press. All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, without prior written permission from the publisher.

ISBN 978-1-61499-130-4 (print)
ISBN 978-1-61499-131-1 (online)
Library of Congress Control Number: 2012947887

Publisher
IOS Press BV
Nieuwe Hemweg 6B
1013 BG Amsterdam
Netherlands
fax: +31 20 687 0019
e-mail: [email protected]

Distributor in the USA and Canada
IOS Press, Inc.
4502 Rachael Manor Drive
Fairfax, VA 22032
USA
fax: +1 703 323 3668
e-mail: [email protected]

LEGAL NOTICE
The publisher is not responsible for the use which might be made of the following information.

PRINTED IN THE NETHERLANDS


Comparative Analysis of Technological and Intelligent Terrorism Impacts on Complex Technical Systems – N.A. Makhutov and G.B. Baecher (Eds.) IOS Press, 2012 © 2012 The authors and IOS Press. All rights reserved.


Preface

The focus of this volume is the comparative analysis of technological and intelligent terrorism. Technological terrorism is an unauthorized impact on complex technical systems intended to break down protection systems, initiate secondary catastrophic processes (possibly caused by hazardous substances, power, or information stored or processed at a facility), and inflict secondary damages and losses outside the facility boundaries. Intelligent terrorism (or highly sophisticated insider terrorism), in contrast, is unauthorized purposeful interference in the processes of design, construction, or maintenance of complex technical systems aimed at increasing existing vulnerabilities or creating new ones. These vulnerabilities, the insider’s knowledge of the system, and access to its elements are used to trigger the most disastrous scenarios of a terrorist attack.

Approaches to grappling with technological terrorism and with intelligent terrorism differ. The approach to technological terrorism involves a study of the vulnerabilities of complex technical systems, potential sources of secondary catastrophic processes, and weaknesses of safety barriers. The most effective scenarios of attack need to be identified because, at its root, technological terrorism makes use of vulnerabilities that are inherent to the complex technical system. This means identifying powerful initiating impacts that have the possibility of breaching safety systems, and assessing scenario trees to determine the most disastrous scenario with severe secondary losses. In contrast, the approach to intelligent terrorism involves a vulnerability assessment of a system under design, construction, or operation with respect to scenarios of terrorist impacts, leading to identification of the most critical failure scenario. This consideration must include the insertion of latent changes into the system at the stage of its design, construction or operation to create new vulnerabilities to be exploited by technological terrorism; the disconnection or disruption of a complex technical system’s monitoring system and safety barriers; and “weak” impacts that use the vulnerabilities of complex technical systems to initiate the most disastrous failure scenario, which can be achieved by bringing the system into critical or supercritical states, at which point even “weak” initial impacts can trigger cascading failures.

The specific features of the risks related to attacks of technological and intelligent terrorism on complex technical systems are determined by the ability of terrorists to make a rational selection of attack scenarios. This selection is based on the capability of terrorists to assess the vulnerabilities and weaknesses of complex technical systems and to estimate the potential losses inflicted by attacks of different scenarios. This constitutes a strong feedback between vulnerabilities to attack scenarios and expected consequences or outcomes, on the one side, and terrorist hazard on the other. The main challenge is to describe the intentions of terrorists, their preferences and their system of values (i.e., utility functions). It is also important that terrorists can choose the time and place of an attack, adapt to changes of safety barriers and defense strategies, and learn lessons from previous attacks. For these reasons, terrorist risk is a problem with an intrinsic human and behavioral dimension. Therefore it requires a new set of mathematical modeling tools, and a more substantial input from the human and social sciences than is the case with natural and anthropogenic hazards. Assessment of the risk of technological terrorism and intelligent terrorism attacks must be conducted in a game-oriented manner that treats the values, intentions and resources of terrorists related to selecting attack scenarios, as well as the values, resources, and motivations of the antiterrorist forces.

Estimating terrorist risk for complex technical systems has primarily been carried out using non-behavioral, physical engineering methods. It is now acknowledged that this approach needs input from other disciplines. There is a dangerous disconnect among professionals from the multiple disciplines involved in designing, constructing, operating, maintaining, and managing complex technical systems. To address the issue of technological and intelligent terrorism, a comprehensive approach is required. There is a need to bring together specialists representing the engineering and social sciences. The human dimension is critical for addressing terrorist problems in general and intelligent terrorism in particular. It is necessary to assess the intentions of terrorists, their system of values, and their physical and intellectual resources.

The objective of the Workshop on ‘Comparative Analysis of Technological and Intelligent Terrorism Impacts on Complex Technical Systems’ was to lay the foundation for a risk-informed approach to modeling, analyzing, managing, and controlling complex technical systems in the face of terrorist attacks. It is necessary to combine the insights of a spectrum of disciplines across engineering, the human and social sciences, and economics. The workshop focused on the urgent need to develop an understanding of the behaviors and vulnerabilities of complex technical systems; create a risk-informed analysis capability for modeling and predicting the behavior of complex technical systems; and apply emerging technology to the problems of designing, constructing, monitoring, and operating complex technical systems, taking into account the possibility of sophisticated terrorist attack.

The goal of the workshop has been to develop an understanding of the vulnerabilities of complex technical systems to various scenarios of terrorist attack. Such understanding can reduce vulnerabilities and contain or limit the propagation of failure within a complex technical system in case of terrorist attack, thus limiting the impact of terrorism. This will also lead to the development of a set of design criteria and design codes that take into account possible scenarios of terrorist attacks on complex technical systems. Areas of further research have been identified, along with opportunities for future exchange and collaboration, from which a project team can be created.

Nikolay A. Makhutov
Gregory B. Baecher


Contents

Preface . . . v

Comparative Methods for the Assessment of Threats of Terrorist and Unauthorized Actions
    Nikolay A. Makhutov and Mikhail M. Gadenin . . . 1

Risk Evaluation of Threats to Critical Infrastructure
    Gregory B. Baecher . . . 12

Information Support to the Three Component Dynamic Model Development for Terrorist Risk Analysis
    Olga N. Yudina, Tamara N. Dvoretskaya and Tamara V. Silova . . . 21

Controlling Security Risks with the MMO Method
    Coen Van Gulijk, Hinke Andriessen, Marieke Kluin and Ben Ale . . . 30

Technological and Intelligent Terrorism: Specific Features and Assessment Approaches
    Dmitry O. Reznikov . . . 45

Regional Resilience and Security for Critical Infrastructure
    Frederick Krimgold . . . 61

Technical Approaches to Supply Sea and Off-Shore Oil and Gas Objects Protection from Illegal Actions
    A.V. Bochkov and V.V. Lesnikh . . . 69

Management for Security Processes (Abstract only)
    Sebastian Höhn . . . 81

Individual Life Safety Risk Criteria
    P.A. Zielinski . . . 82

Principles for Creating of Monitoring, Diagnostics and Protection Systems in the View of Potential Terrorist Attacks
    E.F. Dubinin, V.I. Kuksova and V.P. Petrov . . . 93

Methodology for Investigation and Provision of Reliability and Safety of Complex Technical Systems
    A.F. Berman . . . 105

Vulnerability Assessment of Complex Civil Works Systems Using Expert-Opinion Elicitation
    Robert C. Patev . . . 120

Prevention and Liquidation of Emergency Situations of Man-made Character
    Valery A. Akimov and Sergey A. Kachanov . . . 130

Maritime Terrorism (Abstract only)
    Valerio de Diviis . . . 137

Incorporation of Manmade Risk Components into General Risk Management Systems for Dams
    Ignacio Escuder-Bueno and Luis Altarejos-García . . . 138

Innovative Aspects of Organizational Behaviour in Interests of Counterterrorism on Complex Technical Systems
    J.D. Vishnyakov and S.P. Kiseleva . . . 148

Safety & Security Assessment to Prevent Terrorism Attack in Radioactive Waste Facilities in Albania
    Luan Qafmolla . . . 152

Stability of Social System under Terrorist Impacts
    R. Akhmetkhanov . . . 157

Uncertain System Management: The Redundancy as a Risk Mitigation Tool in Societal Technological Systems (Abstract only)
    Varzea Tavares . . . 167

Societal Life Safety Risk Criteria
    P.A. Zielinski and Gregory B. Baecher . . . 168

Antiterrorism Protection and Protective Engineering Design
    M. Zineddin . . . 184

Subject Index . . . 191

Author Index . . . 193


Comparative Analysis of Technological and Intelligent Terrorism Impacts on Complex Technical Systems – N.A. Makhutov and G.B. Baecher (Eds.) IOS Press, 2012 © 2012 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-61499-131-1-1


Comparative Methods for the Assessment of Threats of Terrorist and Unauthorized Actions

Nikolay A. MAKHUTOV, Mikhail M. GADENIN
Institute of Machine Sciences, RAS

Abstract. The methodological foundation and methods for risk reduction have been developed in all countries of the world within the framework of the analysis of natural and technogenic risks. The problem was also intensively addressed in Russia during the State Scientific Program “Safety of People and National Economy Assets in view of Risks of Accidents and Catastrophes” (1990–2000) and the Federal Research Program “Reduction of Risks and Mitigation of Consequences of Natural and Technogenic Emergencies in the RF until 2010.” In the 1990s it was suggested that the human factor be incorporated into the system of risk assessment in connection with unauthorized and erroneous actions. At the beginning of the 21st century that approach proved insufficient in view of the acts of local, national and international terrorism. The generalization of terrorism evaluations led us to the concept of three kinds of terrorism: traditional, technological and intelligent. They differ in their damage factors and in their initial, secondary and cascade effects. In view of the above it becomes possible to improve the evaluation of terrorist actions and to incorporate the results of the study into the complex system of safety research.


Keywords. Technogenic risk, risk assessment, complex systems, safety research.

1. Introduction

The key problems of terrorism and other unauthorized impacts on engineering systems were already considered at the NATO-Russia workshop Protection of Civilian Infrastructure from Acts of Terrorism (Moscow, 2004 [1]). It was shown there (Figure 1) that modern terrorism can be divided into three main categories: traditional, technological, and intelligent terrorism. Traditional terrorism involves setting fires, organizing explosions, contaminating territories, etc. While traditional terrorism was previously focused on the physical elimination of particular people (politicians, statesmen or high-ranking officials), in recent years the center of gravity of terrorist actions has shifted to the mass killing of civilians (explosions, shootings, fires, poisoning by biologically and chemically active substances). Technological terrorism on the national and international levels is becoming an important component of modern terrorism, aimed at people, society and the state in order to achieve particular political, social, and economic goals [1-4]. Technological terrorism


N.A. Makhutov and M.M. Gadenin / Comparative Methods for the Assessment of Threats

should be considered a new phase in the development of terrorism. Its fundamental features are:
• carrying out terrorist actions against objects of the technological sphere with high social, economic, and technological risks;
• carrying out terrorist actions with the application of potentially hazardous technologies, hardware and materials.

Figure 1. The types of and damaging factors in terrorist and unauthorized actions


2. Intelligent terrorism

In the case of technological terrorism the main losses are inflicted not by the initial terrorist impacts but by the secondary effects triggered by the failure of the technical objects subjected to the attack. Intelligent terrorism can be considered the most sophisticated type of terrorism. In this case terrorist and unauthorized impacts are directed at the control systems of hazardous industrial facilities. This may damage or disable them, causing significant secondary and cascading effects.

Modern terrorism is characterized by the existence of specific initiating impacts for each of the three types of terrorism. In the first case these are special programs, commands and actions of terrorists aimed against individuals by activating explosive devices, arson, shooting, poisoning, and kidnapping; in the second case the same terrorist impacts, except the two latter ones, aimed against high-risk technical facilities; and in the third case the initiating impacts are aimed at the formation of the above-mentioned commands at the stage of design, construction, or operation of hazardous technological facilities.

The analysis of the major manmade disasters in Russia and abroad over the last 50 years (the Seveso and Bhopal chemical plants; the Three Mile Island and Chernobyl nuclear power plants; explosions at the intersections of pipelines and main transportation arteries near Ufa and Arzamas; the catastrophes of the Thresher, Komsomolets, and Kursk nuclear submarines; radiation accidents at the Mayak and Tomsk-7 nuclear facilities; the space shuttle disasters; explosions with large numbers of casualties at ammunition depots, on large airliners, and on offshore oil-producing platforms) has made it possible to develop the theory of manmade disasters and risks and to create the foundations of protection methods and systems [2].

The number of disasters initiated by terrorist actions has not been great so far. Airliner explosions and bombings of aircraft carriers, apartment houses, railway stations, hotels, and embassies in Russia and the US, and explosions on railways and trunk pipelines should be mentioned here. The acts of technological terror against the World Trade Center and the Pentagon on 9.11.2001 had the greatest national and worldwide response. However, for a number of fundamental (civilizational, ethnic, religious, social, political, and economic) reasons, growth in the number of technological terrorism attacks and an increase in the severity of their consequences can be predicted. Taking into account that investments in technological accident prevention are 10–15 times more effective than investments in eliminating the consequences, the main attention should be focused on diagnostics, monitoring, prediction, early warning, and prevention of terrorist attacks. This trend in Russian national policy is reflected in the Conception of RF National Safety and in a number of federal laws ensuring safety in different spheres.

When considering the risks of accidents at technological facilities we have to assess the damage and losses on the one hand, and the return periods (probabilities, frequencies) of their occurrence on the other. In this context it is important to categorize accidents and disasters according to their scale, type of facility, and level of threat. At the lowest level, accidents and emergencies confined to a given facility or its site are considered (Figure 2). If the disaster expands to adjacent territories it is classified as regional, and if its consequences expand further, as national, global, or planetary. Considering national and global disasters such as Chernobyl and Fukushima, it should be noted that their real losses are measured in billions of US$. The initial calculations for their nuclear reactors assumed that the probability of such disasters would not exceed 10⁻⁶–10⁻⁷. The Three Mile Island and Chernobyl disasters demonstrated that the probabilities equal 2·10⁻³, so the calculated expectations proved 10,000 times too optimistic. Taking the Fukushima disaster into account, the risk for the Fukushima NPP is about 2·10⁻⁴, i.e. the 25 years of experience since Chernobyl were needed to reduce the risk by only a factor of ten. In other words, the return period of such major catastrophes proved to be not the required thousands (or hundreds of thousands) of years, but only tens and hundreds of years. Thus it can be assumed that about 50 years of work in this direction will be needed to reduce the risk by a factor of a hundred. It follows that it is problematic to offer mankind such a way of ensuring an acceptable level of nuclear power plant safety.

Loss estimation plays an essential role in the assessment of the risk of such serious accidents. In the case of Chernobyl it was initially supposed that the losses would be only those related to the destruction of the facility (about one billion USD). But the subsequent economic costs of resettling people and creating new residential infrastructure increased the losses to the national economy tenfold, and the further rehabilitation of territories led to their growth by one or even two hundred times. The example shows that, due to secondary and cascading effects, the risks of major disasters can be essentially higher than expected. Similar conclusions can be made for the assessment of losses inflicted by terrorist attacks.
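The arithmetic this passage and Table 1 of Section 3 rely on, written out as an added Python example (not the authors' code): return periods from annual probabilities, the log-linear extrapolation behind the "factor of a hundred in about 50 years" estimate, the cascade multipliers on the Chernobyl loss figure, and the individual fatality risk reported in Table 1. The chapter gives no populations, so the code assumes individual risk is deaths divided by exposed population and backs the population out of the table's own numbers; that relation and the loss-stage multipliers are assumptions, not statements from the chapter.

```python
"""Risk bookkeeping with the Makhutov/Gadenin figures (added example, not the
authors' code).  Inputs are copied from the chapter; everything marked
'assumption' is ours."""
import math

# Table 1 of the chapter: (deaths, individual fatality risk in units of 1e-6).
# The USA has two rows: attack victims only, and victims plus those killed in
# the Iraq (4439) and Afghanistan (1057) counterterrorism campaigns.
TABLE1 = {
    "USA": (3238, 11.05),
    "USA incl. Iraq and Afghanistan": (3238 + 4439 + 1057, 29.81),
    "Russia": (2111, 14.54),
    "India": (1928, 1.81),
    "Israel": (1274, 219.3),
    "Colombia": (1135, 26.82),
    "Iraq": (1122, 44.22),
    "Algeria": (869, 27.05),
    "Pakistan": (783, 4.92),
    "Uganda": (471, 17.84),
    "Sri Lanka": (409, 20.55),
}


def individual_fatality_risk(deaths, population):
    """Deaths divided by exposed population.  Assumption: this is the relation
    behind the 'individual fatality risk' column of Table 1."""
    return deaths / population


def implied_population(deaths, risk_per_million):
    """Population that a Table 1 row implies under the deaths/population
    relation (the chapter does not state populations)."""
    return deaths / (risk_per_million * 1e-6)


def usa_population_consistency():
    """Relative gap between the populations implied by the two USA rows.
    A small value means both risk figures share one population base."""
    pop_victims = implied_population(*TABLE1["USA"])
    pop_with_wars = implied_population(*TABLE1["USA incl. Iraq and Afghanistan"])
    return abs(pop_victims - pop_with_wars) / pop_victims


def return_period_years(annual_probability):
    """Mean return period of an event with the given annual probability."""
    return 1.0 / annual_probability


def years_to_target(p_start, p_after, years_elapsed, p_target):
    """Years needed to bring the probability from p_after down to p_target if
    the observed reduction (p_start -> p_after over years_elapsed) continues
    at the same log-linear rate.  With the chapter's 2e-3 -> 2e-4 over 25
    years, a further factor of a hundred takes 50 years."""
    decades_per_year = math.log10(p_start / p_after) / years_elapsed
    return math.log10(p_after / p_target) / decades_per_year


def cascaded_loss(direct_loss, stage_multipliers):
    """Total loss after each secondary stage multiplies the running total.
    Assumption: Chernobyl's 'tenfold' then 'one or two hundred times' growth
    is modelled as successive stages of x10 and x10..x20."""
    total = direct_loss
    for factor in stage_multipliers:
        total *= factor
    return total


def expected_annual_loss(annual_probability, loss):
    """Risk as probability times consequences."""
    return annual_probability * loss


if __name__ == "__main__":
    print("Implied exposed populations (millions) from Table 1:")
    for country, (deaths, risk) in TABLE1.items():
        print(f"  {country:32s} {implied_population(deaths, risk) / 1e6:8.1f}")
    print(f"USA rows agree to {usa_population_consistency():.2%}")
    # Design target vs observed frequency of major reactor accidents.
    print("Return period at 1e-6/yr:", return_period_years(1e-6), "years")
    print("Return period at 2e-3/yr:", return_period_years(2e-3), "years")
    print("Years to a further factor 100:", years_to_target(2e-3, 2e-4, 25, 2e-6))
    print("Years to reach 1e-6:", round(years_to_target(2e-3, 2e-4, 25, 1e-6), 1))
    # Chernobyl: ~1e9 USD direct loss, then resettlement and rehabilitation.
    low, high = cascaded_loss(1e9, [10, 10]), cascaded_loss(1e9, [10, 20])
    print(f"Cascaded loss: {low:.0e} to {high:.0e} USD")
    planned = expected_annual_loss(1e-6, 1e9)
    observed = expected_annual_loss(2e-3, high)
    print(f"Expected annual loss, planned vs observed: {planned:.0e} vs {observed:.0e}")
```

The two USA rows back out the same population to within 0.1 %, which is what makes the table's two risk figures comparable; the planned-versus-observed expected loss differs by more than five orders of magnitude, which is the chapter's point about cascading effects in numbers.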


Figure 2. Losses and probabilities of occurrences of natural and manmade disasters, and terrorist attacks

Figure 3. Changes in the number of emergencies of different nature.


3. Technological terrorism

The trend in the number of emergencies of technogenic/manmade (dotted line), natural (solid line), and terrorist (dash-dot line) nature over the last several decades is shown in Figure 3. If one analyzes manmade accidents at industrial facilities, it will be observed that their number N_Techn tends to grow. The trend of natural disasters N_Natur is less stable. The analysis of the number of terrorist attacks N_Terror shows their rapid growth, especially in the present period, which requires special attention to the problem considered.

The number of victims of terrorist attacks in different countries as of the end of the 20th century is given in Table 1. The columns contain data on the approximate number of casualties and on the so-called individual fatality risk.

Table 1. Number of people killed in terrorist attacks and data on individual terrorist risk for different countries

                          Number of people killed in terrorist attacks
No.  Country      Victims of terrorist attacks   Counterterrorism               Individual fatality risk, ×10⁻⁶
1.   USA          3238                           –                              11.05
     USA          3238                           Iraq 4439, Afghanistan 1057    29.81
2.   Russia       2111                                                          14.54
3.   India        1928                                                           1.81
4.   Israel       1274                                                          219.3
5.   Colombia     1135                                                          26.82
6.   Iraq         1122                                                          44.22
7.   Algeria       869                                                          27.05
8.   Pakistan      783                                                           4.92
9.   Uganda        471                                                          17.84
10.  Sri Lanka     409                                                          20.55

It can be seen in Figure 4 that the individual fatality risk for people in different countries differs essentially. It should be noted that when the WTC was attacked and a great number of people were killed, the risk equaled the value given in the upper line for the USA in the Table. However, with the US response to the terrorist act by way of war in Afghanistan and Iraq, the number of victims grew, and so did the value of the risk. Therefore it should be understood that, while it is of course necessary to counter terrorism, we should bear in mind that the risk will be increased. The conclusion is that the analysis of the conditions for the occurrence of terrorist actions should assess not only the probability of their occurrence, but also the possible consequences, which together with the probability define the risk.

Technological terrorism is especially dangerous for large cities, for political and economic centers, for transport and communication systems, and for the defense industry. The main threats of technological terrorism are:
• attacks on high-risk facilities and critical infrastructures (power, chemical, hydraulic, civil and industrial facilities), their lay-up and destruction;
• destruction of and damage to elements of transport systems (subway, railway, air, and waterborne transport, railway stations and airports);
• attacks on and destruction of defense sector facilities (means of mass destruction, launchers, ammunition depots, aircraft, surface vessels, and submarines);
• destruction of information and control systems (systems of regional and federal communication, control points of defense complexes, control stations);
• application of chemical poisoning and radioactive substances in crowded places and water supply systems.

The basic prerequisites that aggravate the threats of technological terrorism are:
• the formation of national and international terrorist organizations that develop new methods, systems and means of performing terrorist acts, and the establishment of centers for training specialists in technological terrorism;
• the appearance of new kinds of technological terrorism, such as information, cyber, radiation, psychological, and biotechnological terrorism;
• the unexpectedness and unpredictability of terrorist acts in time and space, the high level of their preparation, the enhanced action of secondary and cascade effects, and the growing role of intelligent terrorism.

Realization of the above threats will result in long-term disruption of national and regional economic and technological processes, an atmosphere of fear and panic, a large human toll, and technological and environmental losses. The degree of potential danger of the technological facility determines whether the emergency caused by acts of technological terrorism will be of trans-frontier, federal, regional, territorial, or local character.

The initial, secondary and cascade damaging factors of technological terrorism include:
• exposure to radiation;
• poisoning and contamination by dangerous chemical substances;
• bacteriological contamination;
• blast waves and shock actions;
• heat radiation and heat loads;
• mechanical effects and mechanical loads;
• impulsive acceleration and loads;
• electromagnetic loads;
• kinetic effects of flying debris and parts of objects.

Figure 4. Loss levels in disasters at different types of facilities


Each of the indicated damaging effects of technological terrorism, or their combinations should be characterized and determined by quantitative indexes at different stages of accident and disaster development. Of essential importance is the type of the technological facility the terrorist action is aimed at. The targets can be either unique industrial facilities whose number is small, but the potential loss from the lay-up proves significant (Figure 4); or numerous large-scale production facilities.

4. Protection and safety

A comprehensive obligatory program that defines the composition, sequence, organization, basic foundation, content and stages of fulfillment of measures to ensure the target level of protection and safety is one of the important elements of ensuring the safe functioning of a technological system. The program can be developed either for a component of the system or for a group of complex facilities integrated by their functional importance or technological process. Such a program should describe:
• the required levels of protection for technological systems, including in emergencies;
• ways to achieve the required level of protection for technological systems (reasonable design and structural solutions; the use of reliable, high-quality equipment and its redundancy);
• protection systems ensuring the required level of error-free operation of personnel, etc.;
• ways to maintain the required level of system operability in emergencies, including the use of protection systems (disaster management);
• ways to mitigate the consequences of an accident at the facility or protection system;
• methods to achieve the required level of personnel training (safety culture);
• the system for recording, enumerating, and analyzing the reasons for failures and for unauthorized and terrorist actions during operation of the technological system;
• the responsibility of the operating organization;
• independent control and supervision structures;
• the experience of operation, testing and study of protection systems.

In developing programs and program measures on methods of analyzing and preventing terrorist and unauthorized actions it is necessary to account for the different levels of fundamental and applied developments in this sphere. The following studies can be labeled as fundamental:

- Development of the theory of, and new methods for, modeling manmade disasters with allowance for terrorist and unauthorized actions that cause strong perturbations in social, economic, and complex technological systems;
- Development of the general and criteria base of strategic risks and analysis of the interface between technological terrorism risks and other kinds of strategic risks;
- Development of scientific principles and of legal and economic mechanisms to counter terrorist actions.

Studies in the prevention of terrorist and unauthorized actions should be aimed at:

- Developing interdisciplinary methods for the assessment and management of technological terrorism risks;
- Developing systems of technological terrorism monitoring (early on-line and mobile diagnostics, databases, mathematical modeling of scenarios, risk maps);
- Prevention of terrorist impacts on the technological sphere and protection of operators, personnel, population, and facilities (systems of nonlethal action, mobile robots, chemical marking of explosives, programmable fuses, special sprays, etc.).

Considering the complex of civil infrastructure facilities as an example, one can see (Figure 5) that the human factor is of great importance among the factors affecting the possibility of lay-up (shutdown) of those facilities. Here the human factor includes a large set of notions. Among them can be a researcher who defines the functional loading of the facility, an officer who inspects that work, an operator, or a political figure. It is clear that each of them should have a specific level of qualification within his or her personal duties. If they do not have enough knowledge, skills, or ability to make adequate decisions in critical situations, this can contribute to the creation of conditions for accident occurrence at the facility. In the context of technological and intelligent terrorism the first groups of human factors presented in Figure 5 are the most vulnerable.


The development of methods and systems for the analysis of the human factor during terrorist and counterterrorist actions can be among the basic developments in risk analysis and safety assurance. Terrorist and counterterrorist impacts on people, of a wide range of types (mechanical, chemical, bacteriological, or psychological) and intensities, result in changes in the human response to those impacts. Under conditions of limited or no time for the scrupulous study of that response, attention should be paid to the development of: methods and systems for real-time complex analysis of changes in the spectral characteristics of cardiograms and encephalograms, with the application of special operational diagnostic parameters; and methods and systems for diagnostic radar measurement of the diagnostic parameters of the human subject in normal and abnormal situations, with subsequent or real-time analysis of the spectra of those parameters.

Figure 5. The structure of human factors affecting the conditions for the occurrence of emergencies.

The study of the scientific foundations of such methods with mechanical, operative, vacuum, chemical, and psychological actions on man allowed us to create models and prototypes of the corresponding diagnostic complexes [2]. The scheme and results of diagnosing an operator placed in a pressure chamber simulating an altitude of 7100 m, with registration of the cardiogram and calculation from it, according to the corresponding algorithm, of the work capacity parameter R, are shown in Figure 6. The state of the operator is also influenced by both environmental factors and potential terrorists. The results of such diagnostics, whose information value increases qualitatively, allow one to substantially protect the object controlled by the operator from unauthorized action. Of importance is the question of selecting the parameters meant for such complex diagnostics. We believe that the spectral analysis of such complex dynamic systems as man-machine interfaces will give very important information. Such analysis, carried out on some technological facilities and on humans, showed that on the whole, if the human organism or a technological object passes into an abnormal or catastrophic state, the spectrum obtained from the diagnostics shifts from the range of high frequencies to the range of low frequencies, which is the main symptom of their approach to a critical state [2].


Figure 6. The system of diagnostics and protection from unauthorized actions of the operator in emergencies.

Unauthorized and terrorist impacts, and technological terrorism as a whole, will increasingly be directed at complex man-machine systems (airliners, nuclear power plants, space-rocket hardware, underwater and above-water transport complexes, chemical facilities, ammunition dumps, etc.). Operators, personnel and high-risk technological systems can all be subjected to those impacts. Under such conditions the basic targets of research become: early on-line diagnostics of man-machine systems at the initial stages of an action, using new detection methods and systems working in real time with high resolution; and automatic engagement of systems for the functional protection of technological facilities as dangerous damaging factors develop in the person or the object.

In Russia there is a system of national documents and measures aimed at preventing severe accidents and disasters that are being developed by the RF Security Council, federal ministries, and the Russian Academy of Sciences (Figure 7). The RF National Safety Strategy is being realized on the basis of these decisions. The strategy defines a number of problems related to countering terrorism that are addressed by means of the following general principles:

- Principle of obligation (countering technological terrorism should be an obligatory function of all national authorities, social structures, and citizens);
- Principle of legal conditionality (countering technological terrorism should be based on the norms of the constitution and law);
- Principle of universality (measures for countering technological terrorism should be organized taking into consideration all basic kinds of terrorist threats);
- Principle of prevention (counterterrorist measures are mostly aimed at timely prevention of the threats and challenges of technological terrorism);
- Principle of reasonable sufficiency (the measures are organized and realized with reasonable sufficiency of rate, terms, and risk reasonableness);
- Principle of function separation (prevention of technological terrorism is based on separation of authority between federal and municipal government).

Priorities in terrorist threat prevention should be:

- Achieving an acceptable risk level for technological (and other types of) terrorism and for manmade emergencies initiated by terrorist attacks;
- Raising the level and quality of life for people of all ranks;
- Raising the degree of social, political, religious, ethnic, and educational equality;
- Reducing the general level of crime and corruption.


Figure 7. The structure of solving the problems of ensuring RF safety.

5. Conclusion

It should be noted in conclusion that countering terrorism is critical for ensuring safety and security. However, terrorism is only a part of the existing threats to life safety. A comprehensive analysis of the occurrence and propagation of natural, technological and social emergencies allows a complex accounting for all factors affecting these processes, and thus allows one to elaborate general measures and recommendations for their prevention, for reducing the probability of their occurrence, and for mitigating their consequences.

References

[1] Protection of Civilian Infrastructures from Acts of Terrorism. Proceedings of NATO Advanced Research Workshop. Springer, 2005, 254 p.
[2] Safety of Russia. The legal, social, economic, and scientific aspects. Moscow: Znaniye, volumes 1-31, 1998-2009 (in Russian).
[3] High-Impact Terrorism: Proceedings of a Russian-American Workshop. Washington: The National Academies Press, 2002, 296 p.
[4] Terrorism. Reducing Vulnerabilities and Improving Responses. US-Russian Workshop Proceedings. Washington: The National Academies Press, 2004, 239 p.


Comparative Analysis of Technological and Intelligent Terrorism Impacts on Complex Technical Systems
N.A. Makhutov and G.B. Baecher (Eds.)
IOS Press, 2012
© 2012 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-61499-131-1-12

Risk evaluation of threats to critical infrastructure

Gregory B. BAECHER
University of Maryland, College Park, USA

Abstract. By 2050, 80% of the world’s population will live in urban areas and be totally dependent on infrastructure service systems. Immediate steps need to be taken to ensure that future infrastructures meet the constraints of reliability, security, and global sustainability. Infrastructures mediate between societal behaviors and environmental conditions. The sustainability of modern civilization, in balance with a sustained global environment, will necessarily rely on implementing sustainable global infrastructures; and yet we know so little of how interconnected infrastructure systems perform, or how to manage them at large scales, or how they interact with social and environmental processes. To this end, efforts are in progress in North America and Europe to develop an analytical understanding of the behaviors and vulnerabilities of interacting infrastructure systems; to create a risk-informed analysis capability for modeling the behavior of complex infrastructure; to apply emerging information technology to the problems of designing, constructing, monitoring, and operating sustainable infrastructures; and to build an understanding of the social, economic, and environmental factors that affect, and are affected by, infrastructure systems and networks. The major education objective is to develop a new generation of globally engaged scientists and engineers who will facilitate the development of sustainable global infrastructures.


Keywords. Risk analysis, critical infrastructure, terrorism risk, threat, vulnerability.

1. Risk to critical infrastructures

Modern society depends on constructed infrastructure of a broad variety of types for its very functioning. This infrastructure includes energy producing and distributing systems such as hydropower dams and the electrical grid, ports and harbors, land transportation networks, chemical and industrial production facilities, and many other categories of facility. All of these are potential targets of malicious attack, but no category is perhaps as subject to attack as tall buildings, of which a great number of record-high structures have been constructed in recent years. Skyscrapers are iconic targets for terrorist attack, as they are highly visible symbols of dominant national identities. In order to allocate protective resources in an efficient way, society attempts to understand the risk posed to different infrastructures and infrastructure types by terrorist threats, and the possibility for risk reduction by investments in protection, hardening, or consequence reduction. In principle, a rank ordering of risk, or even better, an absolute scaling, can be appraised such that relative investments of materiel, manpower, financial resources, and other protective goods can be optimized to achieve maximum risk reduction.


G.B. Baecher / Risk Evaluation of Threats to Critical Infrastructure


Various approaches to assessing the risks posed by terrorist threats against critical infrastructure have evolved in recent years. Some of these have built on earlier risk analysis approaches developed to deal with natural hazards, such as hurricanes, earthquakes, or floods. Others have built on risk methodologies from the national intelligence sector developed to deal with security threats from other nation states. Yet others are evolving anew specifically to address the peculiarities of terrorist threat, namely the presence of an intelligent adversary in contrast to a process of nature.

Table 1. Tall buildings present iconic targets for terrorist attack as they embody national pride and present a large financial opportunity for harm. Many large buildings, including the World Trade Centre in New York, have already been the subject of attack.

No.  Building name                     City                 Height (m)  Date
1    Burj Khalifa                      Dubai (AE)           828         2010
2    Taipei 101                        Taipei (TW)          508         2004
3    Shanghai World Financial Center   Shanghai (CN)        492         2008
4    International Commerce Centre     Hong Kong (CN)       484         2010
5    Petronas Tower 1                  Kuala Lumpur (MY)    452         1998
5    Petronas Tower 2                  Kuala Lumpur (MY)    452         1998
7    Zifeng Tower                      Nanjing (CN)         450         2010
8    Willis Tower                      Chicago (US)         442         1974
9    Kingkey 100                       Shenzhen (CN)        442         2011
10   Guangzhou Finance Center          Guangzhou (CN)       439         2010

None of these various approaches is yet ideal for the task before us. Those methodologies that have evolved from other applications tend to have serious limitations when applied to terrorist threats. Those that are newly evolved are still in formative stages, although they may display promise for the future. This paper discusses current approaches to evaluating risks of terrorism against critical infrastructure, as well as questions arising out of the challenges of forecasting loss of life in terrorist attacks against critical infrastructures, and of deciding how much risk is tolerable, given the spectrum of other risks to which society is subject.

2. Risk analysis methodologies for critical infrastructures

The analysis of risk due to natural hazards has been practiced for many decades and is reasonably well understood. For natural hazards there is usually some amount of historical data. Granted, geologists, hydrologists, meteorologists, and other scientists who analyze natural hazards always consider the historical record limiting, but compared to terrorism risks this record is long; and granted, too, that climate change, urbanization, land use evolution, and other factors are creating non-stationarities in natural processes. There are standard statistical techniques for natural hazard processes and a long history of verification and validation. Model limitations, uncertainties, and the applicability of risk methodology to policy questions are well appreciated. To a large extent, risk analysis methodologies for natural hazards are based on the principles of good practice embodied in National Research Council (NRC) reports on risk analysis and management in US Government agencies (e.g., NRC, 1996).


Figure 1. Spectrum of traditional risk analysis methods. A wide variety of risk assessment methodologies have been developed since 9/11 to quantify the risks posed by terrorist threats against critical infrastructure. Those in the left-hand column use primarily qualitative and often subjective methods by which to scale risks, leading often to rank-orderings or ordinal scales. Those in the middle column employ more quantitative methods with the intent of generating probabilistic (ratio-scaled) risks. Those in the right-hand column are principally based on historical statistics on the frequency and characteristics of terrorist attacks, but are stymied by the common lack of such actuarial information. Source: NRC 2010.

Risk analysis of malicious threats involves events even more rare than most natural hazards. Some of the events postulated have never occurred. Thus, the historical record of statistical data, or even of precursors, is of little use in assigning probabilities. What is more, actions taken to protect infrastructures or to mitigate risk may well change the probabilities, because terrorists or other malicious actors react to those actions and may change plans. Also, the probabilities of the “hazards” are not independent of target vulnerability or of consequence, since malicious actors presumably decide on actions based on vulnerability and consequence. For example, in recent terrorist attacks, targets with associated consequences including major loss of life seem more highly sought than those involving only economic consequences. Thus, in the TVC model the respective probabilities or probability distributions are correlated. In contrast to the hazard probabilities, the vulnerability analyses for natural hazards and for terrorism risk differ little from one another. In the natural hazards case, vulnerability studies have to do with the impact of wind, water, fire, ground acceleration, or other natural forces on structures. For terrorism risk, vulnerability studies have to do with the effects of blast, vehicle impacts, poisoning, etc. The methodologies of vulnerability evaluation are similar and well understood. As noted by NRC (2010), however, a significant contrast between natural hazards and terrorist threat is that public perception of the consequences is different: “[…] during the same year as the Oklahoma City Federal Building bombing (1995) in which 168 people perished, approximately 600 people died in a five-day period in Chicago due to unseasonable heat. Many Americans can remember where they were at the time of the Murrah Building bombing, but few even recall the deaths in Chicago.”


3. Risk matrices


Risk matrix methods, typified by the diagram of Figure 2, have become popular in recent years, especially in government agencies and industrial concerns. They are quick and easy to evaluate, simple to understand, and appear—deceptively—to provide practical guidance for risk-informed decisions. Their use is exceptionally and unfortunately widespread, and has led to an increasingly common impression that risk is a color rather than a number.

Figure 2. Typical risk matrix showing increased probability of an adverse outcome toward the right-hand side and increased consequence of an attack toward the top. Color-scaled “risks” indicate an ordinal ranking from the lower left to upper right. The color coding implies thresholds of risk coordinated against policy options.

Risk matrices are closely associated in practice with risk inventories. A risk inventory is a list of things (issues) that might go wrong. They have proven useful in identifying and managing risks associated with infrastructure, by listing the various issues of concern, assigning a relative probability to each (high-medium-low), a relative consequence to each (high-medium-low), and then plotting the results on a two-way grid. Typically, the risk inventory also assigns organizational responsibility to each risk (who “owns” each), and usually a short description of actions to be taken should the issues creating the risk materialize.

There are several problems with color-coded ranking schemes of this sort. The first is that the rankings are ordinal. There is no meaning to the differences between color steps or the ratios of one step to another (e.g., “red” is not twice as risky as “orange”), and thus, despite the widespread use of weighted rankings and numerical comparisons, such numbers applied to the scales lack mathematical meaning. The simplest way to see this is to ask, what does “yellow-and-a-half” mean in such a scale? Obviously, it is wholly without meaning. This also means that two adjacent red cells in the matrix, each lying diagonally to the other along the border with the yellow cells, should indicate the same approximate level of risk. This means that the change in probability in going from one to the other must be balanced in preference by the change in consequence. Since these are ordinal scales, such a balance is undefined.

Stevens (1946) argued for the importance of levels of scaling in creating metrics for worldly phenomena. Now, five decades later, we have yet to learn his lesson. He proposed four levels of scaling: nominal, ordinal, interval, and ratio. Nominal scales are like colors: they are classifications. Ordinal scales are like Mohs hardness: they are orderings. Interval scales are like Celsius temperature: they have defined units but no defined zero. Ratio scales are like Kelvin temperature: they have both defined units and a defined zero. Different levels of mathematical transformation and statistical description are admissible at each level of scaling (Table 2). In practice, these admissible operations are usually violated in the use of risk matrices. If inadmissible transformations are applied to a scale, the resulting transformed scale lacks meaning, however carefully it has been calculated.

Table 2. Levels of scaling and admissible statistical characterizations (Source: Stevens)

Scale      Mathematical       Location measure    Dispersion measure     Correlation                  Significance tests
           transformation
Nominal    Classification     Mode                Entropy                Information transmitted      Chi square
Ordinal    Order-preserving   Median              Percentiles            Rank correlation             Sign test, Run test
Interval   Addition           Arithmetic mean     Standard deviation,    Product-moment correlation   t-test, F-test
                                                  Average deviation
Ratio      Multiplication     Geometric mean,     Percent variation
                              Harmonic mean

This is related, in principle, to the US Department of Homeland Security’s ill-fated security warning advisory system, which used a ramp of colors from green to red to represent levels of risk. The advisory levels seldom drifted from a value of “orange,” and indeed from 2006 until termination of the use of the scale the warning level was continuously “orange,” and therefore of little use in informing the public. Other limitations also apply to risk matrix representations of risk. The assignments of probability and consequence are usually purely subjective: professional judgment is used to arrive at numbers, which are as a result often too simple, and often reflect too little of the advertised judgment. Differences among the boxes in the matrix usually provide poor resolution. Allocations of defensive resources made on the basis of risk matrices are usually suboptimal because they do not take account of quantified probabilities and consequences (Cox 2008).
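To make the ordinal-scale argument of this section concrete, the following added Python example (not from the paper) builds a three-by-three matrix over constructed probability and consequence bands and shows that each color spans two decades of ratio-scaled risk, that adjacent colors overlap, and that a “yellow” issue can carry more expected loss than a “red” one. The band edges, the additive scoring rule and the two sample issues are assumptions made for the illustration.

```python
"""Why a risk-matrix color is not a number (added example, not from the paper).

Band edges, the scoring rule and the two sample issues are constructed
assumptions chosen to illustrate the ordinal-scale argument; they are not
taken from any agency's matrix."""

# Constructed bands: name -> [lower, upper) annual probability / fatalities per event
PROB_BANDS = {"low": (1e-4, 1e-3), "medium": (1e-3, 1e-2), "high": (1e-2, 1e-1)}
CONS_BANDS = {"low": (1.0, 10.0), "medium": (10.0, 100.0), "high": (100.0, 1000.0)}
RANK = {"low": 0, "medium": 1, "high": 2}
COLOR_ORDER = {"green": 0, "yellow": 1, "red": 2}


def band_of(value, bands):
    """Map a ratio-scaled value onto its ordinal band name."""
    for name, (lo, hi) in bands.items():
        if lo <= value < hi:
            return name
    raise ValueError(f"{value} lies outside the constructed bands")


def cell_color(p_band, c_band):
    """Additive ordinal scoring of the kind the paper criticises: red is score >= 3."""
    score = RANK[p_band] + RANK[c_band]
    return "green" if score <= 1 else "yellow" if score == 2 else "red"


def classify(p, c):
    """Color assigned to an issue with annual probability p and consequence c."""
    return cell_color(band_of(p, PROB_BANDS), band_of(c, CONS_BANDS))


def numeric_risk(p, c):
    """Ratio-scaled risk: expected fatalities per year."""
    return p * c


def cell_risk_range(p_band, c_band):
    """Smallest and largest numeric risk one cell can hold (two decades wide)."""
    p_lo, p_hi = PROB_BANDS[p_band]
    c_lo, c_hi = CONS_BANDS[c_band]
    return p_lo * c_lo, p_hi * c_hi


def color_risk_ranges():
    """Numeric risk interval covered by each color across all of its cells.
    Adjacent colors overlap by a full decade, so 'yellow-and-a-half' has no meaning."""
    ranges = {}
    for p_band in PROB_BANDS:
        for c_band in CONS_BANDS:
            lo, hi = cell_risk_range(p_band, c_band)
            color = cell_color(p_band, c_band)
            old_lo, old_hi = ranges.get(color, (lo, hi))
            ranges[color] = (min(old_lo, lo), max(old_hi, hi))
    return ranges


def misranked(issue_a, issue_b):
    """True when the issue with the lower color carries the higher numeric risk."""
    (p_a, c_a), (p_b, c_b) = issue_a, issue_b
    color_gap = COLOR_ORDER[classify(p_a, c_a)] - COLOR_ORDER[classify(p_b, c_b)]
    risk_gap = numeric_risk(p_a, c_a) - numeric_risk(p_b, c_b)
    return color_gap * risk_gap < 0


# Constructed issues: A is low-probability / high-consequence, B medium / high.
ISSUE_A = (9e-4, 900.0)    # yellow cell, 0.81 expected fatalities per year
ISSUE_B = (1.5e-3, 120.0)  # red cell,    0.18 expected fatalities per year

if __name__ == "__main__":
    for color, (lo, hi) in sorted(color_risk_ranges().items(), key=lambda kv: COLOR_ORDER[kv[0]]):
        print(f"{color:6s} covers numeric risk {lo:g} .. {hi:g} fatalities/year")
    print("A:", classify(*ISSUE_A), numeric_risk(*ISSUE_A))
    print("B:", classify(*ISSUE_B), numeric_risk(*ISSUE_B))
    print("color order contradicts numeric order:", misranked(ISSUE_A, ISSUE_B))
```

The yellow interval reaches 1.0 fatality per year while the red interval starts at 0.1, so an allocation that funds “red” before “yellow” can spend on the smaller expected loss first, which is the suboptimality Cox (2008) describes.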

4. Threat-vulnerability-consequence models

The US Department of Homeland Security has invested heavily in risk assessment models based on a breakdown of threat, vulnerability, and consequence (TVC). This is an approach that has proven successful in analyzing natural hazards such as hurricanes and earthquakes, and there is a wide variety of successful applications of this approach in the natural hazards literature. Risk to a facility, using the TVC approach, is summarized in a formula of the form R = TVC, in which R = risk, T = threat, V = vulnerability, and C = consequence (Figure 3). Threat is the probability of attack on a given infrastructure. Vulnerability is the conditional probability of success or damage, given an attack. Consequence is the level of damage, possibly probabilistic, given a successful attack. Thus, the risk calculated by Eq. (1) is an expected damage:

Risk = P(attack) P(success|attack) P(damage|success,attack)    (1)

Often, the damages are accrued in three accounts: (a) impact on the mission of the infrastructure, (b) loss of life, and (c) economic impact.

[Figure 3: block diagram with the labels Threats, Vulnerabilities, Facility and Consequences]

Figure 3. Threat-vulnerability-consequence (TVC) logic of risk analysis favored by the US Department of Homeland Security.

The general approach to TVC models is to characterize the infrastructure and its attractiveness to attack, identify threats against the infrastructure, identify potential vulnerabilities, appraise the likelihood of success, forecast the consequences of a successful attack, and calculate TVC to rank-order the risks across different infrastructures (Dillon et al., 2009). The US Department of Homeland Security (USDHS) has commissioned a number of TVC models of terrorist risk (Table 3). In general, the limitation of TVC models is that terrorist threat reflects intelligent agents, in contrast to the indifferent forces of nature. As a result, the probability of a threat is not easily assigned, and it is not probabilistically independent of the vulnerability of an infrastructure, of the consequences of a successful attack, or of actions taken by the defender to protect an infrastructure. In early applications of TVC models there was an implicit assumption that statistical histories of terrorist attacks and their characteristics could be used as a basis for assigning threat probabilities. These are the models represented by the right-hand side of Figure 1. This did not turn out to be the case. Such statistical data are difficult to come by; the incidence of terrorist attack, although significant, is not high enough to form statistical databases; and in any case few people have documented the history of terrorist attacks in detail. The biggest limitation of TVC models, however, is the presumed separability of threat from vulnerability and consequence. This turns out to be a poor assumption. To begin, the probability of an attack depends on the attractiveness of the infrastructure to terrorists. The more vulnerable the infrastructure, and the greater the consequences of a successful attack, the higher the likelihood that it will become a target. In principle, a clever risk analyst might be capable of factoring this probabilistic dependence into a model, but in practice that is seldom if ever the case. Furthermore, there is a built-in dynamic to the situation in which an intelligent adversary appraises defensive measures

Table 3. TVC risk assessment models developed by US Government agencies (NRC 2010)

Model name                                                                                   Developer
US DOE RAMCAP Model                                                                          US Department of Energy
US Critical Infrastructure Protection Plan critical infrastructure and key resources (CIKR)  Argonne National Laboratory
US Navy – ARDA methodology                                                                   Navy
Maritime Security Risk Analysis Model (NMSRA)                                                Coast Guard
New York City Transportation model (TRAM)                                                    Port of New York and New Jersey
Bio-Terrorism Risk Analysis Model                                                            Department of Homeland Security
Transportation Safety Administration's Risk Management Tool (RMAT)                           Department of Transportation
Biological Threat Risk Assessment (BTRA)                                                     Department of Homeland Security
Chemical Terrorism Risk Assessment (CTRA)                                                    Department of Homeland Security
Integrated Chemical, Biological, Radiological, Nuclear (iCBRN) assessment                    Department of Homeland Security
Chemical Terrorism Risk Assessment (CTRA)                                                    Department of Homeland Security
HAZUS Natural Hazard Damage Prediction Model                                                 Federal Emergency Management Agency
API Security Vulnerability Assessment                                                        American Petroleum Institute

5. Game theory and modeling intelligent threats

While some terrorist hazards might be modeled as random variables, usually they do not occur randomly, but are an outcome of willful human behavior. Cox (2009) discusses the limitations of treating terrorist threat, vulnerability, and consequences as independent random events and stresses the need for viewing terrorist hazards in the light of interactive games. This was also stressed, for example, in the NRC review of DHS’s Biological Threat Risk Assessment (NRC, 2008). Some experts believe that there is a place for traditional risk analysis where the attack scenario is constrained (for example, von Winterfeldt and O’Sullivan, 2006), yet many other researchers believe that such methods are generally inapplicable to intentional threats and need to be replaced by game-theoretic models (e.g., Bier, 2005). This is a controversial conclusion, since robust game-theoretic methods are not yet available for problems with realistic levels of complexity (Woo 2003). Also, the assumptions about defender-attacker behavior are poorly known and open to question. However, traditional TVC methods fail to capture intentional attacks. “In particular, risk analyses that do not reflect the ability of terrorists to respond to observed defensive actions tend to overstate the effectiveness of those actions if they ignore the ability of terrorists to switch to different targets and attack strategies or understate their effectiveness if they ignore the possibility of deterrence” (NRC 2010).
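The following added Python example (not from the paper, nor from any of the models in Table 3) works Eq. (1) through for three constructed facilities, first with the threat T assessed independently and then with T redistributed in proportion to V·C as a constructed stand-in for the attractiveness dependence described in Section 4; hardening one facility then exhibits the target-switching effect in the NRC (2010) quotation above, which an independent TVC model cannot show. Facility names, probabilities and consequences are assumptions.

```python
"""TVC risk, R = T * V * C, with the threat either assessed independently or
driven by target attractiveness. Added example, not from the paper; the three
facilities and all numbers below are constructed."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Facility:
    name: str
    threat: float         # T: annual probability of attack, assessed independently
    vulnerability: float  # V: probability of success given an attack
    mission: float        # C, account (a): fraction of mission capability lost on success
    lives: float          # C, account (b): expected fatalities on success
    economic: float       # C, account (c): economic loss in USD on success


ACCOUNTS = ("mission", "lives", "economic")


def tvc_risk(f, account="lives"):
    """Eq. (1): expected damage per year in one consequence account."""
    if account not in ACCOUNTS:
        raise ValueError(f"unknown account {account!r}")
    return f.threat * f.vulnerability * getattr(f, account)


def risk_table(facilities, account="lives"):
    """Name -> expected annual damage, the quantity TVC models rank-order on."""
    return {f.name: tvc_risk(f, account) for f in facilities}


def rank_order(facilities, account="lives"):
    """Facility names from highest to lowest risk."""
    table = risk_table(facilities, account)
    return sorted(table, key=table.get, reverse=True)


def attractiveness_threats(facilities, account="lives"):
    """Constructed stand-in for the dependence of threat on vulnerability and
    consequence that independent TVC models omit: the total attack probability
    is held fixed, but each facility's share of it is proportional to V * C,
    i.e. to how attractive a successful attack on it would be."""
    total_threat = sum(f.threat for f in facilities)
    weights = [f.vulnerability * getattr(f, account) for f in facilities]
    total_weight = sum(weights)
    return [replace(f, threat=total_threat * w / total_weight)
            for f, w in zip(facilities, weights)]


def harden(facilities, name, new_vulnerability):
    """Defensive action: lower one facility's P(success | attack)."""
    return [replace(f, vulnerability=new_vulnerability) if f.name == name else f
            for f in facilities]


# Constructed facilities (assumed values, chosen so the two rankings differ).
FACILITIES = [
    Facility("Dam",   threat=0.02, vulnerability=0.10, mission=0.9, lives=500.0,  economic=2.0e9),
    Facility("Port",  threat=0.08, vulnerability=0.50, mission=0.5, lives=40.0,   economic=5.0e8),
    Facility("Tower", threat=0.03, vulnerability=0.30, mission=1.0, lives=1000.0, economic=3.0e9),
]

if __name__ == "__main__":
    print("independent T:   ", rank_order(FACILITIES), risk_table(FACILITIES))
    adaptive = attractiveness_threats(FACILITIES)
    print("attractiveness T:", rank_order(adaptive), risk_table(adaptive))
    # Harden the Tower. The independent model credits the full reduction there and
    # leaves the Dam and Port untouched; the attractiveness model shifts attack
    # probability onto them, the switching effect NRC (2010) warns about.
    hardened = harden(FACILITIES, "Tower", 0.05)
    print("after hardening, independent:", risk_table(hardened))
    print("after hardening, adaptive:   ", risk_table(attractiveness_threats(hardened)))
```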


6. Tolerable risk Quantitative estimates of the probabilities and consequences of possible adverse events can be used as indicators of safety levels and may be compared with safety goals also expressed probabilistically. A probabilistic safety goal is typically expressed as the annual probability of some adverse event. For example, a flood risk is characterized by a peak daily inflow with a certain annual probability of exceedance. Such defined safety goals can be used as a design or operational objective and interpreted as a target for establishing safe performance. The process of selecting safety goals can be either based on arbitrary criteria or can be established within the broader context of societal and individual acceptance of risk. This broader context can be established following the concepts developed in HSE (2001), and should provide an overall framework for decision making which would ensure consistency across the range of risks, including terrorism. In everyday life, we make decisions about individual risk based upon a variety of considerations. Some of these are subconscious and few are numerical. When decisions affect more than the individual, however, there is a need to establish criteria by which decisions can be made and justified. One effective way of addressing individual and societal concerns about the hazards posed by dams is through tolerability criteria. Individual risk relates to how individuals perceive the risk from a particular hazard affecting themselves and their property. It is the risk to a hypothetical member of the public living in the zone that could be affected by a hazard. Jonkman et al. (2003) and Bedford and Cooke (2001) discuss various measures of individual risk, Societal risk is more elusive than individual risk. 
One of the most exhaustive reports on societal risk in hazardous industries (Ball and Floyd, 1998) states that "One of the problems with societal risk has been the term itself, which, as with the word risk, means different things to different people at different times, leading to some misunderstanding and confusion. For instance, from an engineering perspective, societal risk is often regarded as no more than a relationship between the frequency and number of people suffering a specified level of harm from a particular hazard. Alternatively, others see societal risk as a much broader concept incorporating many other dimensions of harm, in some cases even the socio-political response in the aftermath of major accidents, or even lesser accidents where these might give rise to a significant expression of public concern." In general, societal risk refers to hazards that, if realized, could affect society beyond the individual and thus provoke a socio-political response. Some see societal risk simply as a relationship between the frequency of a particular hazard and the number of casualties if the hazard is realized; others understand it in the broader sense quoted above. ICE (1985) defines societal risk as "the relationship between frequency and the number of people suffering from a specified level of harm in a given population from the realization of specified hazards". In applications dealing with hazards from engineered installations where the predominant issue is life safety, societal risk is often characterized by frequency-number (F/N) curves. These display the potential for multiple fatalities graphically by plotting the cumulative frequency or probability (F) of events causing N or more casualties against the number of casualties (N) on log-log axes. Other measures are also used, depending on the nature of the application.
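The construction of an F/N curve and its comparison with a tolerability line can be made concrete in a few lines of code. The following is an added example, not part of the original chapter: the scenario list (dam-related flood events, each with an annual frequency and a fatality count), the limit line F_max(N) = C / N^alpha and the constants C and alpha are constructed for illustration and are not criteria taken from HSE (2001) or any other source cited here.

```python
"""F/N (frequency-number) curve and tolerability check.

Added example, not from the original chapter. The scenario list and the
criterion constants are constructed for illustration only.
"""
from collections import defaultdict

# Constructed scenario set: (name, annual frequency of the event, fatalities N).
# Several events may share the same N; they are aggregated in fn_curve().
SCENARIOS = [
    ("minor overtopping", 1e-2, 0),
    ("partial embankment failure", 2e-4, 12),
    ("gate malfunction flood", 5e-5, 12),
    ("full dam breach, daytime", 1e-6, 450),
    ("full dam breach, night", 2e-6, 1200),
]


def fn_curve(scenarios):
    """Return the F/N curve as a list of (N, F) pairs sorted by N.

    F(N) is the cumulative annual frequency of events with at least N
    fatalities, which is the quantity plotted on a log-log F/N diagram.
    Events with N = 0 cause no fatalities and are dropped.
    """
    per_n = defaultdict(float)
    for _name, freq, n in scenarios:
        if n > 0:
            per_n[n] += freq
    curve = []
    for n in sorted(per_n):
        cumulative = sum(f for m, f in per_n.items() if m >= n)
        curve.append((n, cumulative))
    return curve


def criterion_frequency(n, c, alpha):
    """Limit line F_max(N) = C / N**alpha on the log-log plot.

    alpha = 1 is a risk-neutral line; alpha > 1 expresses aversion to
    multiple-fatality events. C and alpha are policy choices (assumed here).
    """
    return c / (n ** alpha)


def exceedances(curve, c, alpha):
    """Return (N, F, F_max) triples for every point where the curve breaches the limit."""
    out = []
    for n, f in curve:
        fmax = criterion_frequency(n, c, alpha)
        if f > fmax:
            out.append((n, f, fmax))
    return out


if __name__ == "__main__":
    curve = fn_curve(SCENARIOS)
    for n, f in curve:
        print(f"N >= {n:5d}: F = {f:.2e} per year")
    print("breaches of F_max = 3e-3 / N:", exceedances(curve, c=3e-3, alpha=1.0))
```

The cumulative step is the part practitioners most often get wrong: F at a given N must include every event with N or more fatalities, not only the events with exactly N, which is why the two 12-fatality scenarios are aggregated and the breach frequencies are folded into the value at N = 12. With the assumed line C = 3e-3, alpha = 1 only the N = 12 point breaches; raising C to 1e-2 clears all points.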


References

American Society of Mechanical Engineers, Risk Analysis and Management for Critical Asset Protection for Terrorist Threats and Homeland Security, ASME-ITI, Washington DC, 2005.
Ball, D.J. and Floyd, P.J., "Societal Risk," Report prepared for HSE, London, 1998.
Bedford, T. and Cooke, R.M., Probabilistic Risk Analysis: Foundations and Methods, Cambridge University Press, London and New York, 2001.
Bier, V.M., "Game-theoretic and reliability methods in counter-terrorism and security," in Modern Statistical and Mathematical Methods in Reliability, Series on Quality, Reliability and Engineering Statistics, World Scientific Publishing Co., Hackensack, N.J., 2005.
Cox, L.A., "Game theory and risk analysis," Risk Analysis 29(7):1062-1068, 2009.
Cox, L.A., "What's wrong with risk matrices?" Risk Analysis 28(2):497-512, 2008.
Deisler, P.F., Jr., "A Perspective: Risk Analysis as a Tool for Reducing the Risks of Terrorism," Risk Analysis 22:405-413, 2002.
Dillon, R.L., Liebe, R.M. and Bestafka, T., "Risk-based decision making for terrorism applications," Risk Analysis 29(3):321-335, 2009.
HSE, Reducing Risks, Protecting People – HSE's Decision Making Process, Health and Safety Executive, London, 2001.
ICE, Nomenclature for Hazard and Risk Assessment in the Process Industries, Institution of Chemical Engineers, London, 1985.
Jonkman, S.N., van Gelder, P. and Vrijling, J.K., "An Overview of Quantitative Risk Measures for Loss of Life and Economic Damage," Journal of Hazardous Materials 99:1-30, 2003.
Leson, J., Assessing and Managing the Terrorism Threat, NCJ 210680, Bureau of Justice Assistance, Washington DC, September 2005.
NRC, Department of Homeland Security Bioterrorism Risk Assessment: A Call for Change, The National Academies Press, Washington, D.C., 2008.
NRC, Review of the Department of Homeland Security's Approach to Risk Analysis, National Research Council, Washington, DC, 2010.
NRC, Understanding Risk: Informing Decisions in a Democratic Society, The National Academies Press, Washington, D.C., 1996.
Stevens, S.S., "On the Theory of Scales of Measurement," Science 103(2684):677-680, 1946.
Willis, H.H., Morral, A.R., Kelly, T.K. and Medby, J.J., Estimating Terrorism Risk, RAND Corporation, Santa Monica, 2005.
Woo, G., "The Evolution of Terrorism Risk Modeling," Journal of Reinsurance, 2003.
von Winterfeldt, D. and O'Sullivan, T.M., "Should we protect commercial airplanes against surface-to-air missile attacks by terrorists?" Decision Analysis 3(2):63-75, 2006.


Comparative Analysis of Technological and Intelligent Terrorism Impacts on Complex Technical Systems – N.A. Makhutov and G.B. Baecher (Eds.) IOS Press, 2012 © 2012 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-61499-131-1-21


Information Support to the Three Component Dynamic Model Development for Terrorist Risk Analysis

Olga N. YUDINA, Tamara N. DVORETSKAYA, Tamara V. SILOVA
Institute of Machine Science, RAS

Abstract. Safety in the social, natural and technogenic spheres is of particular importance in Russia at present. More than one hundred million people live in areas where man-made emergencies of various origins pose a direct threat to human life and health. In the industrially developed regions, where the largest clusters of potentially hazardous industries are concentrated together with a complex social and economic situation, terrorist risks are growing seriously.


Keywords. Technogenic risks, information technology, terrorist risk

In the general case, risk assessment can be defined as the identification and analysis of the probability of an emergency occurring, with the aim of increasing the efficiency of safety management. Risk is a quantitative characteristic that combines the probability of damage being caused and its magnitude. Safety management implies the development and application, at the international, federal, regional, branch and on-site levels, of legislation, regulatory and supervisory acts, economic mechanisms, and scientifically substantiated technical and technological measures that support and raise the safety of people, society, the environment, engineering facilities and their vital and operational functions under the destructive impacts of natural, technological and human factors. The factors of unauthorized and terrorist intrusion belong to the latter group. The development of a comprehensive system of security for people and of safety for hazardous engineering facilities, using modern information technologies, includes the following main stages:

- analysis of the state of the operators and of the complex technical facility;
- analysis of internal and external threats and of dangerous processes;
- risk analysis, i.e. identification and analysis of the probability of emergencies occurring, of the scenarios of their development, and prediction of the possible damage;
- development of rapid response scenarios in case an emergency occurs.


O.N. Yudina et al. / Information Support to the Three Component Dynamic Model

Rapid response scenarios can contain both direct proposals for risk reduction and methods for eliminating or mitigating the aftermath of an emergency. The goal of quantitative risk estimation is not only to reveal the probable risks, but also to determine quantitatively both the probability of their occurrence and the magnitude of the probable damage. Technological risk is a generalized characteristic of the probability that accidents develop at critical infrastructure facilities; it is determined through the probability of a technogenic accident or emergency due to technological, natural or social (including terrorist) threats and the mathematical expectation of its negative aftermath. The generalized formula used for this purpose is written in the form [1]

$$R = F_R\{P, U\} = \sum_i \int_P C_i(P \cdot U)\, P \, dP \int_U C_i(P \cdot U)\, U \, dU,$$

where

P – probability of the occurrence of accidents or catastrophes;
U – mathematical expectation of the damage from the emergency;
C – weight functions;
i – type of accident or catastrophe.

Information support to monitoring, control, regulation and the raising of safety according to the risk criterion R consists of qualitative and quantitative statistical and deterministic analysis, over a given period of time, of all the parameters of this formula, and of carrying out comprehensive measures for risk reduction (from unacceptable levels down to acceptable ones) on the basis of relevant background information. When conducting risk analysis for technological catastrophes, the following formula can be written for the probability that the system threats are carried out [1, 2]:

$$P = F_P\{P_N, P_T, P_O\},$$

where

P_N – probability of an emergency due to the human factor;
P_T – probability due to the state of the engineering facilities of the technosphere;
P_O – probability due to environmental impact.

When forming the background design data and analytical information, one should proceed from the fact that the role of the human factor, P_N, is determined not only by the operators, the personnel of the technical facility and the decision-makers at all levels of federal national security management, but also by the probability of terrorist and unauthorized impacts. The probabilities P_T depend substantially on the safety level of the engineering facility in emergencies of natural, technological, human and terrorist character. This engineering protection is defined by the risk analysis performed at the design stage, by the level of degradation of the technical facilities at the given stage of their designed operational life, by the level of diagnostics and monitoring, and by the state of the technical safety systems. Therefore, when analysing terrorist impacts, the parameters P_T and P_N clearly interact directly. The probabilities P_O depend mainly on natural calamities; however, in a number of cases terrorist acts can lead to allegedly "natural" emergencies (fires, floods, pollution with chemically or biologically dangerous substances). The damage U caused by emergencies can be expressed by the formula F_U [1, 2, 3]

$$U = F_U\{U_N, U_T, U_O\},$$

where

U_N – damage caused to the population by the interaction of primary and secondary factors of destruction when the strategic system threats are carried out;
U_T – damage caused to the engineering facilities of the technosphere;
U_O – damage caused to the environment.

The values of U_N, U_T and U_O can be calculated both in natural units of damage (for instance, the number of fatalities, the number of destroyed buildings and the area of affected territory) and in equivalents (e.g. economic or monetary indices). Acts of terror can substantially change both the values of the damage U_N, U_T, U_O and the ratio between primary, secondary and cascade damage, because they are focused on the maximum negative aftermath of an emergency. For risk reduction, comprehensive methods are applied, such as the build-up of protective barriers and safety systems; diagnostics and monitoring of the state of engineering facilities; and the use of forces and means for predicting and localizing emergencies. The effect is better when the initial information on the critical infrastructure facility is complete and authentic. The cost of a complex of safety measures aimed at risk reduction, with proper scientific substantiation using modern information technologies, can be significantly lower than the losses from disasters and emergencies. Risk analysis and risk management should become the basic system of security control and of technical safety support, in place of the earlier approaches that aimed at complete (absolute) safety and security in the event of dangerous initiating factors of natural or technogenic (man-made) character. In fact, absolute security and zero risk cannot be achieved in the case of terrorist attacks. Applying risk theory and the necessary information databases means adopting two principles:

- the impossibility of obtaining complete, authentic background information, in particular for serious accidents and grave catastrophes under terrorist technological and intellectual impacts;
- the necessity of making decisions under conditions of incomplete information, and of actively using the analysis of ill-posed inverse problems.

The distinctive features of terrorist risks (as compared with the risks of natural and technogenic catastrophes) are determined by the ability of terrorists to make a conscious choice of attack scenario. The compilation and generalization of scientific information on these issues has been carried out within the framework of Russia-NATO joint research projects and the collaboration programmes between the national academies of Russia and the USA [3-10]. The choice is based on the vulnerability estimate, V, of the technical facility under consideration with respect to the various attack scenarios and on the damage, U, expected under each scenario. Vulnerability can be understood as the ability or inability of a technical facility to resist and withstand acts of terror.


The terrorists' choice of attack scenario is based on the aspiration to achieve maximum efficiency of attack, i.e. to cause maximum damage to society with minimum expenditure of means and resources and with minimum risk that the preparation and execution of the terrorist act are detected and stopped. The prospective evaluation of terrorist risks is made more complex by the fact that terrorists are capable of correcting their actions in response to the actions of anti-terror forces, and also because their system of motivations is often illogical and not entirely clear even to specialists. The aims of estimating the risk of terrorist acts, and of the related accumulation of information and research, are:

- obtaining, for the authorities or the owner of a technical facility, a complete and objectively accurate picture of the vulnerability level of the facility with respect to all specified types of hazardous impact;
- identifying priorities in the development (reconstruction, upgrading, improvement) of protection systems and security barriers;
- providing a guaranteed level of protection of the health and property interests of the public from the risks of accidents and disasters;
- modelling and calculating the harm that terrorist threats can cause to the life or health of citizens, to the property of individuals and legal entities, to federal or municipal property and to the environment.

Terrorist impact risk assessment using accumulated knowledge and generalized experience is subdivided into the following stages [12, 13]:

- analysis of the state and vulnerability of the technical facility and of the level of its protection;
- estimation of the efficiency of the existing protection systems;
- assessment of the terrorists' goals and value system, of their resources, and of their intellectual, organizational and technical capacity;
- probabilistic analysis of various scenarios of terrorist attack using the experience of anti-terrorist actions at other technical facilities;
- identification and classification of the scenarios of the probable terrorist attack;
- determination of the factors of destruction and modelling of their fields;
- selection of criteria and estimation of the impacts of the factors of destruction;
- calculation of risk indicators;
- development of recommendations on risk mitigation.

The opportunity for interaction between the different (terrorist and anti-terrorist) forces, and for information exchange between them, should be taken into account. In this case a connection emerges between the vulnerability to a terrorist attack of a definite type and the probability that a terrorist attack of that type occurs. The tasks connected with the estimation and control of terrorist risks are typically characterized by:

- a high level of uncertainty caused by the lack of knowledge of the terrorists' intentions, of their intellectual, organizational and technical capacity, of the aims they pursue, and of their value system;
- the fragmentary and often secret nature of the data obtained from sources of different kinds: statistical information, expert opinions, and information obtained from the security services;
- the dynamic character of terrorist risks.
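The connection stated above between the vulnerability to an attack of a given type and the probability of that type of attack can be illustrated with a small attacker-choice model. This is an added example, not the chapter's own model: the three scenarios, the candidate barriers with their costs and effects, and the logit (bounded-rationality) choice rule are all constructed assumptions. What it shows is that hardening one scenario changes the attacker's scenario probabilities, so a barrier has to be ranked on the residual risk after the attacker re-targets, not on the vulnerability it removes in isolation.

```python
"""Attacker scenario choice and defender barrier ranking.

Added example, not part of the original chapter. Scenario data, barrier
effects and the choice model are constructed assumptions for illustration.
"""
import math

# Constructed scenarios: name -> damage U, attacker cost c,
#   vulnerability V = P(success | attempt, not detected),
#   detection probability d under the current protection system.
SCENARIOS = {
    "explosive at storage":     dict(U=100.0, c=10.0, V=0.60, d=0.30),
    "chemical release":         dict(U=300.0, c=25.0, V=0.40, d=0.50),
    "control-system intrusion": dict(U=150.0, c=8.0,  V=0.50, d=0.20),
}

# Constructed barriers: name -> cost, the scenario it affects, and the
# vulnerability / detection probability of that scenario after installation.
BARRIERS = {
    "perimeter hardening":  dict(cost=20.0, scenario="explosive at storage",     V=0.20, d=0.60),
    "network segmentation": dict(cost=12.0, scenario="control-system intrusion", V=0.15, d=0.70),
    "gas-storage shielding": dict(cost=40.0, scenario="chemical release",        V=0.15, d=0.55),
}


def attacker_value(s):
    """Attacker's expected gain: damage is realised only if not detected and
    the attack succeeds; the attacker always pays the preparation cost."""
    return (1.0 - s["d"]) * s["V"] * s["U"] - s["c"]


def attack_probabilities(scenarios, rationality=0.05):
    """Logit choice model: P(s) is proportional to exp(rationality * EV_s).

    rationality -> infinity gives the pure best response, rationality = 0 a
    uniform choice. The value 0.05 is an assumption of this example.
    """
    values = {name: attacker_value(s) for name, s in scenarios.items()}
    vmax = max(values.values())  # shift exponents for numerical stability
    weights = {n: math.exp(rationality * (v - vmax)) for n, v in values.items()}
    total = sum(weights.values())
    return {n: w / total for n, w in weights.items()}


def expected_damage(scenarios, rationality=0.05):
    """Defender's risk indicator R = sum_s P(s) * (1 - d_s) * V_s * U_s."""
    probs = attack_probabilities(scenarios, rationality)
    return sum(probs[n] * (1.0 - s["d"]) * s["V"] * s["U"]
               for n, s in scenarios.items())


def apply_barrier(scenarios, barrier):
    """Return a copy of the scenario set with one barrier installed."""
    out = {n: dict(s) for n, s in scenarios.items()}
    target = out[barrier["scenario"]]
    target["V"], target["d"] = barrier["V"], barrier["d"]
    return out


def rank_barriers(scenarios, barriers, rationality=0.05):
    """Rank barriers by risk reduction per unit cost, recomputing the
    attacker's scenario probabilities after each barrier is installed.
    Returns (name, risk reduction, reduction per unit cost), best first."""
    base = expected_damage(scenarios, rationality)
    rows = []
    for name, b in barriers.items():
        r_new = expected_damage(apply_barrier(scenarios, b), rationality)
        rows.append((name, base - r_new, (base - r_new) / b["cost"]))
    rows.sort(key=lambda row: row[2], reverse=True)
    return rows


if __name__ == "__main__":
    print("attack probabilities:", attack_probabilities(SCENARIOS))
    print("baseline risk:", round(expected_damage(SCENARIOS), 2))
    for name, reduction, per_cost in rank_barriers(SCENARIOS, BARRIERS):
        print(f"{name:22s} reduction {reduction:7.2f}  per unit cost {per_cost:6.3f}")
```

With these assumed numbers "perimeter hardening" has a negative risk reduction: it removes most of the explosive scenario but pushes the attacker towards the control-system intrusion, which causes more damage, so the total expected damage rises. "network segmentation" ranks first. The rationality parameter controls how sharply the attacker concentrates on the best scenario; the qualitative ranking should be checked across a range of values before it is relied on.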

Risk analysis of the majority of natural calamities and technogenic (man-made) catastrophes at critical infrastructure facilities shows [1] that catastrophes are determined by three main parameters and dangerous processes:

- uncontrolled release of dangerous substances, W;
- uncontrolled release of hazardous (mechanical, thermal, electromagnetic, light) energy, E;
- uncontrolled release or destruction of information flows, I.

The information component of safety and security is typical of any complex technical facility. Every engineering facility has systems of control and operational support and, therefore, corresponding information systems. The parameters W, E and I make it possible to model the critical areas of dangerous states of technical facilities. A comprehensive analysis of anti-terror security from the point of view of the risk factors for the generation and development of emergencies has several aspects:

- the spatial aspect (at the on-site, local, regional, national and global levels);
- the temporal aspect (short, medium and long term);
- the social and political aspect (the individual, society, the state, the world community);
- the component aspect (social, economic, ecological, military, natural-technogenic, demographic and information components).

The estimation of terrorist intentions, priorities and value system is a complex interdisciplinary information problem in the field of creating an original database. Compiling the database makes it possible to determine the probability of various attack scenarios on the basis of criteria from mathematical statistics and game theory. The probability of a definite attack scenario depends on the terrorists' assessment of the likely success of their future attack and on their preferences regarding its expected aftermath. Probabilistic analysis of terrorist attacks is a problem under the pronounced influence of the human factor. Solving it requires, in addition to the methods used in the probabilistic analysis of natural and technogenic threats, the methods, techniques and approaches of the sciences that study human beings and the social sphere. The terrorist risk estimation model for critical infrastructure systems is described on the basis of models of operating complex technical facilities, hazardous workflows, grave impacts of natural calamities and human-factor blunders. This model should use information flows for the analysis of the three parties participating in terrorist impacts: 1) from the point of view of the terrorists; 2) from the point of view of the organization (owner) that operates the complex technical facility under potential attack; 3) from the point of view of the municipal authorities on whose territory the technical facility under probable attack is located. The


probabilistic model should make it possible to describe the dynamic interaction between these three parties, each of which is guided by its own strategy and is capable of rapid response to hostile actions. The above requirements make it expedient to apply the apparatus of Bayesian networks and game theory [11], which allows: the independence of actions and the rational strategies of conduct of the terrorist and anti-terrorist sides to be taken into account; the situation to be estimated under conditions of a high level of uncertainty; and the monitoring of information obtained from different sources, including periodically incoming information about the state of separate variables of the model, to be supported, thus giving the opportunity to obtain more precise a posteriori estimates of the probabilities of the states of the other variables of the model. The already significant role of information support to terrorist risk assessment is increased further in this case. The goals of information support to security are as follows:

- the development of efficient monitoring systems for critical infrastructure facilities for predicting emergencies;
- the raising of the reliability of the data processing and transmission systems that safeguard risk management at all levels;
- the prediction of the conduct of the population under the influence of false or unreliable information about probable emergencies, and the working out of rapid response measures for rendering assistance to large numbers of people in case of emergency;
- the development of special engineering techniques and measures for safeguarding the information systems that control hazardous objects.
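The a posteriori updating described above can be shown with a small discrete Bayesian network evaluated by exact enumeration. This is an added example and not the network of [10] or [11]: the four variables (insider access, attack scenario, state of the monitoring system, alarm state), their dependencies and every conditional probability are constructed assumptions, as is the damage table used for the risk indicator. It demonstrates the point made in the text: incoming information about one variable of the model (here, an audit finding that the monitoring system has been tampered with) sharpens the probabilities of the other variables (the attack scenario) and, through them, the risk indicator.

```python
"""Discrete Bayesian network for updating attack-scenario beliefs.

Added example, not the chapter's model. The network structure, every
conditional probability and the damage table are constructed assumptions.
"""
from itertools import product

# Variables and their states (constructed).
DOMAINS = {
    "I": ("insider", "no_insider"),                   # insider access to the facility
    "A": ("none", "technological", "intellectual"),   # attack scenario
    "M": ("intact", "tampered"),                      # state of the monitoring/protection system
    "S": ("alarm", "quiet"),                          # alarm state reported by monitoring
}
PARENTS = {"I": (), "A": ("I",), "M": ("A",), "S": ("M", "A")}

# Conditional probability tables: CPT[var][parent values] -> {state: probability}.
CPT = {
    "I": {(): {"insider": 0.10, "no_insider": 0.90}},
    "A": {
        ("insider",):    {"none": 0.80, "technological": 0.050, "intellectual": 0.150},
        ("no_insider",): {"none": 0.97, "technological": 0.025, "intellectual": 0.005},
    },
    "M": {  # intellectual terrorism is the scenario most likely to disable monitoring
        ("none",):          {"intact": 0.99, "tampered": 0.01},
        ("technological",): {"intact": 0.90, "tampered": 0.10},
        ("intellectual",):  {"intact": 0.30, "tampered": 0.70},
    },
    "S": {  # a tampered monitoring system suppresses the alarm whatever the attack
        ("tampered", "none"):          {"alarm": 0.02, "quiet": 0.98},
        ("tampered", "technological"): {"alarm": 0.05, "quiet": 0.95},
        ("tampered", "intellectual"):  {"alarm": 0.05, "quiet": 0.95},
        ("intact", "none"):            {"alarm": 0.05, "quiet": 0.95},
        ("intact", "technological"):   {"alarm": 0.90, "quiet": 0.10},
        ("intact", "intellectual"):    {"alarm": 0.60, "quiet": 0.40},
    },
}

# Constructed damage per scenario, in relative units, for the risk indicator.
DAMAGE = {"none": 0.0, "technological": 100.0, "intellectual": 400.0}


def joint(assignment):
    """Joint probability of a full assignment: product of the CPT entries."""
    p = 1.0
    for var, parents in PARENTS.items():
        key = tuple(assignment[q] for q in parents)
        p *= CPT[var][key][assignment[var]]
    return p


def posterior(query, evidence):
    """P(query | evidence) by exact enumeration over the full joint.

    evidence is a dict {variable: observed state}; an empty dict gives the prior.
    """
    names = list(DOMAINS)
    unnormalized = {state: 0.0 for state in DOMAINS[query]}
    for values in product(*(DOMAINS[n] for n in names)):
        a = dict(zip(names, values))
        if any(a[k] != v for k, v in evidence.items()):
            continue
        unnormalized[a[query]] += joint(a)
    z = sum(unnormalized.values())
    return {s: p / z for s, p in unnormalized.items()}


def scenario_risk(evidence):
    """Risk indicator R = sum_a P(A = a | evidence) * U_a."""
    p = posterior("A", evidence)
    return sum(p[a] * DAMAGE[a] for a in p)


if __name__ == "__main__":
    for ev in ({}, {"S": "quiet"}, {"S": "quiet", "M": "tampered"}):
        print(ev, {k: round(v, 4) for k, v in posterior("A", ev).items()},
              "R =", round(scenario_risk(ev), 2))
```

A quiet alarm on its own is reassuring and leaves the "none" scenario dominant. Combined with the audit finding that monitoring has been tampered with, the same quiet alarm becomes evidence for the intellectual-terrorism scenario, because in the assumed tables that scenario is the one most likely to disable monitoring, and the risk indicator rises accordingly. Exact enumeration is adequate for a handful of variables; a model of a real facility would need a proper inference engine.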


Background information for terrorist threat assessment within a given territory should be systematized along the following directions:

- determining the facilities that can be subjected to terrorist attack;
- vulnerability analysis of the facilities;
- social tension in society;
- foreign policy aspects;
- the presence of terrorist organizations, the level of their combat fitness, and their destructive means and equipment for subversive activity;
- the efficiency of the counter-terrorism forces' rapid response;
- analysis of the scale of the probable aftermath of a terrorist attack.

At the on-site level it is necessary to conduct probabilistic analysis for all the basic types of attack (chemical, biological, radiation, nuclear and explosive impacts), and also case studies of the violation of the information systems for monitoring, warning and rapid response. Terrorist impacts can thus be subdivided into three basic types: traditional, technological and intellectual terrorism [14]. Examples of traditional terrorism are generalized and studied in depth in [3-10]. Technological terrorism is understood as powerful unauthorized intrusions into engineering facilities that break through the security system of the complex technical facility, initiating secondary catastrophic processes due to the


stored (recycled) stocks of dangerous substances, W, energy, E, and information, I, and causing transboundary escalation of the catastrophe with a substantial increase in grave secondary and cascade damage. Technological terrorism exploits the vulnerabilities already existing within the technological facility subjected to attack. It involves:

- preliminary analysis of the vulnerability of the facility, of the potential sources of secondary damage (stores of W, E, I) and of the weaknesses in the protection, and identification of the most effective attack scenarios;
- application of powerful initiating impacts to the facility aimed at breaking through the security systems.

Intellectual terrorism is an unauthorized intrusion into the design, construction and/or operation of the engineering facility, targeted at expanding the existing vulnerabilities of the whole technical object and at creating new ones, using insider information about the facility's security system and attempting to gain access to particular units of the facility in order to carry out the most catastrophic scenarios of terrorist attack. It involves:

- detailed estimation of the vulnerability of the facility at the R&D, construction or operation stage with respect to the different scenarios of terrorist impact, and identification of the most efficient method of performing an initiating impact on the facility;
- introduction of hidden changes into the security system of the technical facility at the stage of its design, construction or operation in order to create new security vulnerabilities at the facility;
- shutdown or malfunction of the systems for monitoring and protecting the critical infrastructure facility;
- application of weak, targeted impacts that exploit the pre-laid system vulnerabilities and the existing stocks of W, E, I to initiate powerful secondary catastrophic damage.

Information support and mathematical modelling for the three-component system "man-machine-environment" (from the point of view of the prediction, warning and elimination of emergencies and terrorist impacts and the minimization of their aftermath) is focused not on the formulation of the classical problems (such as strength, durability, reliability, survivability and safety), but on the solution of the inverse problems, where the original and defining problem is that of providing security for the whole technical facility [1]. At the first stage, the initial requirements for the risk analysis of the most severe accidents and catastrophes should be formulated. On the basis of this risk analysis, generalized mathematical modelling of non-linear fracture and destruction at complex technical facilities in the final stages of accidents and catastrophes, taking their scale into account, should be performed. Simplification of these mathematical models will make risk analysis easier and, ultimately, reduce it to simpler standard cases. Information support to the risk estimation of terrorist threats includes the stages of collection, analysis, use and dissemination of information and of accumulated


knowledge and experience on the problems of risk prediction, risk prevention and risk mitigation and on the elimination of the consequences of terrorist actions. The aim of accumulating the relevant primary information on safety and security issues is to organize and systematize data on domestic and foreign publications on engineering safety and the security of high-risk facilities; on international, federal, regional and branch regulations in the field of safety and counter-terrorism protection; and on the proceedings of national and international expert committees and the data of the security services. Recently the "Safety" information centre has been set up at the A.A. Blagonravov Institute for Machine Science (IMASH RAN) of the Russian Academy of Sciences, on the basis of research and development under federal, regional and municipal purpose-oriented programmes and international projects in the field of the safety of critical infrastructure facilities. The centre collects, for study by researchers: scientific programmes of different years and editions and international projects; annotations and complete reports on federal programmes, directions and projects; guidance documents and analytical and reference materials; review articles selected on different themes; popular literature, leaflets, handouts and maps on safety issues; foreign journals and periodicals on security and counter-terrorism problems; specialized scientific and technological editions and reference books; workshop and conference proceedings; information on scientific collaboration in the field of safety and security; and photo, audio and video archives for interaction with other information centres and the databases of research institutes, laboratories and federal organizations.

A special section of the centre is dedicated to international cooperation within the framework of the U.S.-Russian project "ASME-RAS Partnership", which includes information on the collaboration between scientists of the American Society of Mechanical Engineers and experts of the Russian Academy of Sciences on fundamental and applied problems of mechanics and engineering safety; the proceedings of symposia on environmental protection and sustainable development; the proceedings of Russia-NATO collaborative workshops on the problems of terrorism and the safety and security of critical infrastructure facilities; etc.

References

1. Safety of Russia. Risk analysis and problems of safety. Part 1. Fundamentals for risk analysis of safety management. Moscow, ZNANIYE Scientific Foundation, 2006, 640 p.; Part 2. Security of civil and defence complexes and risk management. Moscow, ZNANIYE Scientific Foundation, 2006, 751 p.; Part 3. Applied issues of risk analysis of critical infrastructure facilities. Moscow, ZNANIYE Scientific Foundation, 2007, 816 p.; Part 4. Scientific and methodological base for risk analysis and safety management. Moscow, ZNANIYE Scientific Foundation, 2007, 864 p. (in Russian).
2. Makhutov N.A. Strength and Safety: Fundamental and Applied Research. Novosibirsk, Science Publishers, 2008, 528 p. (in Russian).
3. High-Tech Terrorism, U.S.-Russian workshop proceedings, Viatka Publishers, 2002, 318 p. (in Russian).
4. Technological Terrorism and Prevention of Terrorist Threats, Proc. of the scientific conference, Moscow, Kombitel Publishers, 2004, 315 p. (in Russian).
5. Urban Terrorism: Counter-Measures in Russia and in the USA, U.S.-Russian workshop proceedings, Viatka Publishers, 2007, 320 p. (in Russian).
6. Terrorism. Reducing Vulnerabilities and Improving Responses. U.S.-Russian workshop proceedings, The National Academies Press, Washington, D.C., 2004.
7. Frolov K., Baecher G. Protection of Civilian Infrastructure from Acts of Terrorism. Springer, Dordrecht, The Netherlands, 2006, 252 p.
8. Workshop on Open-source Risk Software, California Institute of Technology, Pasadena, USA, 2007.
9. Terrorism and Safety at Transportation Complex, Proc. of the VII International Conference, Moscow, February 6, 2008.


10. Makhutov N.A., Reznikov D.O. Application of the Bayesian Networks for terrorist risk estimation and choice of optimal counter-terrorism strategy. J. of Problems of Security and Emergencies, No. 5, 2007, p. 43-63. (in Russian).
11. Petrov V.P., Reznikov D.O., Kouksova V.I., Dubinin E.F. Quantitative terrorist risk assessment, decision-making on expediency of build-up of counter-terrorism protection system. J. of Problems of Security and Emergencies, No. 1, 2007, p. 89-105. (in Russian).
12. Concept of development of independent risk estimation and monitoring in the field of fire safety, civil defence and population protection against emergencies of natural and technogenic type in the Russian Federation. Moscow, EMERCOM of Russia, 2006. (in Russian).
13. Makhutov N.A., Petrov V.P., Reznikov D.O. Threats of technological and intellectual terrorism for complex technical systems. J. of Public Safety Technology, No. 1, 2009. (in Russian).

Comparative Analysis of Technological and Intelligent Terrorism Impacts on Complex Technical Systems, edited by G. B. Baecher,

30

Comparative Analysis of Technological and Intelligent Terrorism Impacts on Complex Technical Systems – N.A. Makhutov and G.B. Baecher (Eds.) IOS Press, 2012 © 2012 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-61499-131-1-30

Controlling security risks with the MMO method

Coen VAN GULIJK, Hinke ANDRIESSEN, Marieke KLUIN, Ben ALE
Safety Science Group, Delft University of Technology

Abstract. A fundamental analysis of crime and of the juridical systems that punish crime has yielded a starting point for quantitative risk analysis of security risks. The method is called the MMO concept: a generic concept for the design of security barriers and for their evaluation by quantitative risk analysis methods. It is based on a simplification of the basic elements needed to prove, under US law, that a defendant committed a crime: motive, means and opportunity. These three elements are the preconditions that allow an ill-meaning person to develop into a hazard or threat. The MMO concept is also the key to developing successful barriers against completion of the actual act: taking any one of the three away renders the hazard ineffective. This makes it possible to model security threats along the same lines as safety threats and opens the possibility of similar qualitative and quantitative analysis. The MMO concept may seem straightforward, but the derivation of its theoretical foundation is not.

Keywords. security risk analysis, complex technological systems, anti-terrorism, safety risks

1. Introduction

The cold war, electronic crime, industrial espionage, and the war on terror have changed the way we perceive threats to our lives. If anything, the world in the 21st century is perceived as volatile and dangerous. Our lives, our computers, our homes, and our well-being seem to be challenged every day. It seems only natural that we respond by developing security measures to protect ourselves from harm: governments, as representatives of society, pass laws to increase security against terrorism; businesses protect themselves against crime and industrial espionage; and we protect our computers against electronic crime. That protection we call security. Terrorist threats in particular are discussed widely in the risk literature, and various analyses have been published [1,2,3]. However, these papers do not translate their findings in a way that is transparent to the security personnel who, in the end, have to provide the protection. In this work we contribute a method to analyze security threats based on the risk methods used in that literature, and to design security barrier systems with the same method. The method is based on juridical principles that have been around for over two centuries. Our contribution is the systematization of those principles and their translation into a logic operator for risk analysis. That paves the way to combining knowledge from the juridical, risk, and security-operations fields to enhance security in practice. The method is called the MMO method, after its three main components: motive, means and opportunity.

This chapter is divided into five parts. First, the MMO concept is introduced. Second, the theoretical background is given. This is followed by a section that discusses how the individual constituents (motive, means and opportunity) are used in this method. Fourth, the application to the design of security systems is described, and fifth, an example of a fault tree for MMO is given.

2. The MMO Concept

The concept of the MMO method is best illustrated by a historic crime investigation from popular literature, in which the charismatic detective and his sidekick talk to the people who might be involved in a murder and to the forensic experts who try to find evidence for the perpetrator or perpetrators. In the following citation, Sir Arthur Conan Doyle's Sherlock Holmes explains to his friend Dr Watson how he cracked the crime in 'A Study in Scarlet', which first appeared in Beeton's Christmas Annual in 1887 [4].

'... On entering the house this last inference was confirmed. My well-booted man lay before me. The tall one, then, had done the murder, if murder there was. There was no wound upon the dead man's person, but the agitated expression upon his face assured me that he had foreseen his fate before it came upon him. Men who die from heart disease, or any sudden natural cause, never by any chance exhibit agitation upon their features. Having sniffed the dead man's lips, I detected a slightly sour smell, and I came to the conclusion that it had been forced upon him from the hatred and fear expressed upon his face. By the method of exclusion, I had arrived at the result, for no other hypothesis would meet the facts. Do not imagine that it was a very unheard-of idea. The forcible administration of poison is by no means a new thing in criminal annals. The cases of Dolsky in Odessa, and of Leturier in Montpellier, will occur at once to any toxicologist.

And now came the great question as to the reason why. Robbery had not been the object of the murder, for nothing was taken. Was it politics, then, or was it a woman? That was the question which confronted me. I was inclined from the first to the latter supposition. Political assassins are only too glad to do their work and to fly. This murder had, on the contrary, been done most deliberately, and the perpetrator had left his tracks all over the room, showing that he had been there all the time. It must have been a private wrong, and not a political one, which called for such a methodical revenge. When the inscription was discovered upon the wall, I was more inclined than ever to my opinion. The thing was too evidently a blind. When the ring was found, however, it settled the question. Clearly the murderer had used it to remind his victim of some dead or absent woman. It was at this point that I asked Gregson whether he had inquired in his telegram to Cleveland as to any particular point in Mr Drebber's former career. He answered, you remember, in the negative. {...}

I had already determined in my own mind that the man who had walked into the house with Drebber was none other than the man who had driven the cab. The marks in the road showed me that the horse had wandered on in a way which would have been impossible had there been anyone in charge of it. Where, then, could the driver be, unless he were inside the house? Again, it is absurd to suppose that any sane man would carry out a deliberate crime under the very eyes, as it were, of a third person, who was sure to betray him. Lastly, supposing one man wished to dog another man through London, what better means could he adopt than to turn cabdriver? All these considerations led me to the irresistible conclusion that Jefferson Hope was to be found among the jarveys of the Metropolis. {...} You see, the whole thing is a chain of logical sequences without a break or flaw.'

The reference to the world's most famous detective is deliberate, because the origin of the MMO method lies in crime and the law. Any fan of crime series will recognize the three basic elements that are sought to identify the murderer: motive, means and opportunity. These elements are also recognizable in the explanation Sherlock Holmes gives Dr Watson in the citation. The first paragraph says something about the means of the murder: poison. The second paragraph ponders the motive the murderer could have had and concludes that it was a crime of passion. The third paragraph describes the opportunity: having ruled out a third person riding in the cab, the only other person who had the opportunity was the cab driver, Jefferson Hope, who was the killer.

In security we are not trying to solve crimes. We are trying to prevent them from happening and, where possible, to mitigate their effects. So when we use the principles of crime as a basis for prevention, we use our understanding of how crimes are performed in the first place and inhibit their occurrence with that knowledge. The concept is given in figure 1. The figure shows a three-legged stool. The legs of the stool are motive, means, and opportunity; a crime succeeds when a perpetrator combines them into an unlawful act. If we take away one of the legs, the stool falls down: a three-legged stool cannot stand if one leg is missing. Likewise, an intentional crime cannot take place if motive, means, or opportunity is missing. Thus you block the machinery of crime.

[Figure 1: a three-legged stool; the legs are labelled motive, means and opportunity and the seat is labelled crime.]

Figure 1. A crime fails when means, motive, or opportunity is taken away.

The conclusion of this section is that concepts that have been known to us for years can be used to design security systems in a systematic way. The central idea is that the elements of crime that are normally used only in hindsight can be used to prevent crime with foresight. The following section elaborates the theoretical background for doing that.

3. Theoretical background for MMO

The MMO concept is based on two basic elements of security that are formulated in Talbot's definition of security [5]: protection from danger or loss, and prevention against intentional and unwarranted actions of others. Protection is the installation of barriers; intentional and unwarranted actions means protection against crimes.

The first part of the definition is the barrier, which is a basic concept from the safety sciences. The concept appears in its simplest form in the Hazard-Barrier-Target or HBT model [6]. For an accident to occur, three basic elements are required: a hazard, a target and a failed barrier [6, 7]. Strictly speaking, a barrier or a deterrent condition is not required for an accident to happen, but since an accident is an unwanted event it is assumed that some form of barrier is always present, even if it is only the will of the person who suffers the negative consequences. The MMO concept also makes use of the central idea that a hazard, in this case a crime, can be prevented by a barrier, in this case a security barrier.

The second part of Talbot's definition is protection against unlawful acts of individuals. Breaking the law is by definition related to criminal law systems. For that reason a juridical base principle is used in the development of this security concept. In US law, criminal liability is proven by the 'elements' of a crime. These elements are derived from four juridical principles: 'corpus delicti', which shows that a crime has occurred, e.g. a homicide requires a killing; 'mens rea', the criminal mind that intended to commit the crime; 'actus reus', the criminal act or the unlawful omission of an act; and concurrence, where mens rea and actus reus combine in a causal relationship [8]. For a conviction, the elements require proof beyond reasonable doubt that a defendant committed the crime he or she stands trial for.
For arson in the first degree, the following quote gives the elements [9]:

In order for you to find the defendant guilty of this crime, the People are required to prove, from all of the evidence in the case, beyond a reasonable doubt, each of the following three elements:
1. That on or about (date), in the county of (county), the defendant, (defendant's name), intentionally damaged a building [or motor vehicle] by causing an explosion or a fire by an incendiary device propelled, thrown or placed inside or near the building [or motor vehicle];
2. That at the time, a person who was not a participant in the crime was present in the building [or motor vehicle]; and
3. That the defendant knew that such a person was present in the building [or motor vehicle], or the circumstances were such as to render the presence of such a person in the building [or motor vehicle] a reasonable possibility.

For arson in the first degree, mens rea is the intention to damage a building or vehicle while knowing that a person who was not part of the crime was in it. The actus reus is damaging the building or motor vehicle by causing an explosion or a fire with an incendiary device propelled, thrown or placed inside or near the building where another person was present (the illegal act). The concurrence is that the defendant wanted to commit the crime and undertook actions that led to the specific act of arson (on a certain date in a certain county) that he or she stands trial for. Corpus delicti is not mentioned in the elements; it resides in the fact that a building or vehicle was found damaged while a person was in it, and that the defendant is accused of causing the event by his or her acts.

The principles (corpus delicti etc.) that govern the elements in the quote are summarized in popular culture as motive, means and opportunity. Motive, or mens rea, relates to the intent behind the crime. Means, or actus reus, relates to the devices used for the crime. Opportunity relates to the fact that the defendant could have caused the crime, even if he or she denies doing it.

The last step in the development of the MMO concept is a translation into a mathematical form. Motive, means, and opportunity are preconditions in the sense of the Tripod methodology [10]: they have to be satisfied simultaneously to enable a crime. That means we can think of them as events combining in a logical AND gate; all three preconditions must hold for the event to occur. This MMO AND gate is the MMO concept. Figure 2 illustrates it as an extension of the hazard-barrier-target model.

[Figure 2: motive, means and opportunity feed an AND gate whose output is the hazard; barriers labelled M, M and O stand between the hazard and the target.]

Figure 2. Motive, means and opportunity are the preconditions for the hazard (the criminal) to develop, and barriers on each of them prevent a threat from turning into a crime.

This section provides a theoretical foundation for the MMO concept. It is shown that the MMO concept can be captured in a logical AND gate, which is a convenient mathematical expression for risk analysts and for safety and security workers who use fault trees for analysis. It is also shown that MMO represents fundamental elements of the juridical system and is comparable to basic concepts of criminology and the safety sciences.
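The AND gate described in this section, worked through as an added example that is not part of the chapter: a small fault-tree evaluator in Python in which motive, means and opportunity feed an AND gate, each leg being an OR over the ways it can be satisfied (the same treatment the HBT model gives barrier failures). The event names, the probabilities and the bank-scene tree are assumptions constructed for illustration. The code computes the top-event probability under independence, enumerates the minimal cut sets, and shows that blocking a whole leg of the stool drives the probability to zero while blocking only one way of gaining opportunity merely reduces it.

```python
"""MMO as a fault tree: an added example, not code from the chapter.

Motive, means and opportunity are the inputs of a logical AND gate, as
section 3 describes. Each leg may itself be an OR gate over the ways the
precondition can be met. All probabilities below are constructed for
illustration and basic events are assumed independent.
"""
from __future__ import annotations

from dataclasses import dataclass
from itertools import product
from typing import Union


@dataclass(frozen=True)
class Basic:
    """A basic event: the precondition is available with probability p."""
    name: str
    p: float


@dataclass(frozen=True)
class Gate:
    kind: str            # "AND" or "OR"
    inputs: tuple        # child nodes (Basic or Gate)


Node = Union[Basic, Gate]


def probability(node: Node, blocked: frozenset[str] = frozenset()) -> float:
    """Top-event probability; events named in `blocked` are treated as
    impossible (p = 0), i.e. that way of meeting a precondition is removed."""
    if isinstance(node, Basic):
        return 0.0 if node.name in blocked else node.p
    ps = [probability(child, blocked) for child in node.inputs]
    if node.kind == "AND":          # all preconditions must hold
        result = 1.0
        for q in ps:
            result *= q
        return result
    if node.kind == "OR":           # any one way suffices
        none_hold = 1.0
        for q in ps:
            none_hold *= 1.0 - q
        return 1.0 - none_hold
    raise ValueError(f"unknown gate {node.kind}")


def cut_sets(node: Node) -> set[frozenset[str]]:
    """Minimal cut sets: the smallest combinations of basic events that make
    the top event happen. For MMO every cut set contains one way of meeting
    each of the three preconditions."""
    if isinstance(node, Basic):
        return {frozenset([node.name])}
    children = [cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        sets = set().union(*children)
    else:  # AND: one cut set from every input, merged
        sets = {frozenset().union(*combo) for combo in product(*children)}
    return {s for s in sets if not any(t < s for t in sets)}


def bank_scene() -> Gate:
    """Constructed MMO tree for the street scene of section 4.3 (assumed numbers)."""
    motive = Basic("motive", 0.05)
    means = Gate("OR", (Basic("carries_weapon", 0.02),
                        Basic("weapon_from_accomplice", 0.01)))
    opportunity = Gate("OR", (Basic("unguarded_transfer", 0.10),
                              Basic("lock_picked", 0.005)))
    return Gate("AND", (motive, means, opportunity))


if __name__ == "__main__":
    tree = bank_scene()
    print("P(crime) =", probability(tree))
    # blocking the motive leg removes the crime entirely; blocking only one
    # of the two ways to gain opportunity leaves the other way open
    print("blocked motive:", probability(tree, frozenset(["motive"])))
    print("blocked unguarded transfer:",
          probability(tree, frozenset(["unguarded_transfer"])))
    print("blocked whole opportunity leg:",
          probability(tree, frozenset(["unguarded_transfer", "lock_picked"])))
    for cs in sorted(cut_sets(tree), key=sorted):
        print("cut set:", sorted(cs))
```

The cut sets make the design point of the three-legged stool explicit: every one of them contains the motive event, so a barrier that removes motive cuts all of them at once, whereas a barrier on a single opportunity event cuts only half of them.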


4. Operationalizing motive, means and opportunity

In this section we investigate the three constituents of the MMO method. We ask what motive, means and opportunity are, which definitions are useful, and how they can be used in this work. This discussion is important because we need working definitions of motive, means and opportunity for practical situations, so that we can embed them in the logical AND operator. Though it is not difficult to design a working definition, we shall demonstrate that there are complications that need to be considered. The complications are illustrated with the example of John the Jaywalker.

4.1. Motive

The first parameter in the MMO method is the motive. Motive is the driver for intent or 'mens rea'. Having a motive for a crime means that you have a reason to commit it or a goal that you intend to achieve by it. Reasons for crimes are based on a personal or shared belief with which a perpetrator can justify committing crimes to himself, his group, culture, nation, deity or any combination of those. Whether that belief is correct or even realistic may not be relevant, since a perpetrator may delude himself into justifying his actions, and they might be the result of an upwelling of emotions, mental disturbance or another psychological condition. Mostly, however, perpetrators have a pretty good idea of what kind of consequences they can expect when they are caught by the juridical system, whether intuitively, through rationalizing, or from experience.

The definition of motive that we use in this work is as follows. Motive is the reason that a person gives, when asked, to explain why he committed a crime, assuming that the person honestly tells the truth. This is the definition used by Winter [11] in his work 'The Power Motive'. This working definition might seem strange to a security worker who may never hear the truth from a suspect, but it is an efficient definition. The point is illustrated by the story of John the Jaywalker, after Winter's book [11].

John the Jaywalker crosses the street 25 meters from the zebra crossing, ignoring the traffic lights. When he is asked what his motive is for crossing the road like that, he answers: "To buy a newspaper." The explanation implies a number of things. (1) Crossing the road was apparently a voluntary and uncompelled change of behavior. John was walking along the road and then crossed, apparently ignoring the zebra. If there were no obvious reasons that caused him to cross the road, such as obstructions on the sidewalk or at the zebra, the only explanation for his action is 'motive'. (2) The motive may point to a more generic reason: he likes to read newspapers and buys them very often. (3) Apparently, jaywalking was an efficient means to achieve his goal. He knows that newspapers are sold on the other side of the street and that nobody is vexed by jaywalking these days. If he understands his culture well, he is likely to be correct. (4) The motive tells us something about his imminent future. After our brief conversation he will probably proceed to purchase a newspaper of his liking and move to a place where it is convenient for him to read it. We may also predict that he will do the same thing again tomorrow or next week. If tomorrow he is already on the opposite side of the road, he will not cross it. His actions are governed by the goal, not by any particular fondness for jaywalking. (5) The motive also gives us room to speculate about his future if his expectations are not met, for instance if the newspaper is sold out. He will then look for another selling point or borrow a newspaper. (6) John might have an underlying motive for getting the newspaper. Perhaps he is interested in the news and, now that the papers are sold out, he could get that more easily by turning on the radio or TV. Alternatively, he would like to know the value of his shares on the stock exchange and resumes his quest for a newspaper. (7) The motive does not explain why he jaywalked; he could just as easily have made a law-abiding crossing at the zebra. The way in which he travels is based on habits or on solutions that seem right at that point in time. (8) Extending point 7, the motive alone does not explain the full spectrum of his actions; habits, expectations, and context also contribute.

All these speculations illustrate that motive is neither a simple concept nor one with simple consequences. That does not stop John from giving "to buy a newspaper" as a satisfactory explanation of his motive. Obviously, a simple question about the motive may give insight into complex reasoning, but the important point is that the insight is based on the views of the perpetrator. The motive that a perpetrator gives explains every self-imposed act and explains his future behavior. Analysts may generalize, interpret, or otherwise alter John's motive in a way that suits their purposes, but they can never reproduce the accuracy that John himself would give. This is why motive is efficiently described by the truth as given by the individual who is asked.

4.2. Means

The means for a crime are the capabilities and instruments that are needed to perform it. The instruments are required to perform the illicit act or 'actus reus' that ultimately leads to the crime and leaves a 'corpus delicti', a crime scene. The equipment can be physical: tools, weapons, computer programs or other physical aids for the crime. This work also includes mental equipment: the intellectual skills or knowledge needed to perform the crime. The means do not have to be concentrated in one person if a team is operating. The means do not have to be complete, since the transgressors might have misjudged the challenge. The means do not have to be present at the site of the transgression; they may be stored or transported for later use.

Remember John the Jaywalker, who crossed the street 25 meters from the zebra crossing to buy a newspaper. For argument's sake, let us assume that the person asking John why he crossed the street was a security officer who was not satisfied with John's answer because of a bulging hump in his raincoat. John is searched and this is in his possession: keys, a dozen $100 bills, sunglasses, a cash card, a cell phone and a gun. The findings imply a number of things. (1) Carrying keys, cash and a cell phone does not mean anything by itself. Anyone can be carrying their car keys or the keys to their home at any time, and living without money is virtually impossible in the world we live in. So is living without a cell phone. (2) Carrying $1200 in cash in $100 bills is not illegal, but it is an amount that may be unusual. There may be a perfectly good explanation for carrying that amount of cash in $100 bills: maybe John is a second-hand car dealer who just sold a car and wishes to deposit the money in the bank (grabbing a newspaper on the way). It is an unusual amount for buying a newspaper, though. It would be much easier to carry small change to buy that newspaper; the newspaper seller may not even be able to give change for a $100 bill. So carrying that kind of cash seems out of place. (3) Carrying a gun is not illegal in all states, but in many parts of the world a civilian is not allowed to carry a gun. A gun is recognized as a dangerous weapon that is seldom carried just for fun. In most countries it is simply illegal to possess a gun unless you are part of a work force that is allowed to carry a gun while on duty (like a soldier or a police officer), or have a permit to possess a gun (like a member of a shooting club). (4) The state of the gun also says something about John. Maybe it still smells of fresh smoke, or the registration number has been erased: reasons to question John's benevolent nature even more. (5) It is easily imagined that John does not just carry the gun but knows how to use it and where to get more guns and ammunition. In a country where owning a gun is illegal, that would be a skill that is not widely spread. (6) The discovery of the gun on John makes it sensible to investigate whether there are more individuals with guns in the vicinity. If John's intentions are malevolent and he has an accomplice, the officer asking questions might not be safe. (7) Possessing a cell phone may not be a valuable clue, but when it is found in combination with an illegal firearm it may contain information about other criminals, or even about John's real motives. (8) There may also be clues in what John is NOT carrying. People tend to walk around with all kinds of stuff in their pockets; John does not. In fact it seems that his possessions are well prepared, maybe even designed for a specific purpose. Notably, he does not carry any identification documents, so he may not be called John after all. (9) A further point that needs to be addressed here is the intellectual means. John must have the intellectual skills to handle the gun in order to operate it. Not everyone has those skills, so the gun itself does not have to be the problem in the first place. Though the gun may be a poor example for requiring intellectual skills, it is a different story for hackers who try to infiltrate government data systems or terrorists who try to develop biological warfare agents. This point is not further developed in this work and remains a point for future attention.

This section describes the means: the instruments that are required to perform crimes. Weapons and lock picks may be obvious means for committing crimes, but anything that is used to achieve the perpetrator's goals counts as means; that includes his or her intellectual skills to perform the crime.


4.3. Opportunity

The opportunity for a crime is the part where the criminal maneuvers into a position where the conditions enable the criminal act or 'actus reus'. The actions of the perpetrator have to be causally linked with the initiation, the propagation, or the cover-up of the crime. The opportunity may be created by weak spots in the defense system, but it can also be opened up by creating weak spots in the defense system with the proper means. An opportunity is a window in time and space that presents a weakness in the defenses, which the perpetrator exploits to his advantage at the cost of others. Blocking opportunity means supplying stopping power and limiting accessibility. In this context, opportunity is exploiting accessibility, e.g. by making use of a weakness. The weakness may be in surveillance systems, poor door locks, uninstalled firewalls, or non-overlapping changes of the watch. The weakness may be coincidental or created by the transgressor. If the weakness is coincidental, a transgressor takes advantage of an unguarded or unexpected fault in standard defenses or in standard operations.

Let us return to John the Jaywalker. This time we focus on his surroundings. John was jaywalking 25 meters from a zebra crossing. Let us say that the event was staged near an intersection between a major road and a smaller, quieter road, and that John jaywalks the smaller road. The corner block across the street houses a newspaper shop, a lunchroom, a small bank building, two office buildings and a residential block built in the 1920s. The block on this side of the street houses a garage and residential buildings, also from the 1920s. The zebra crossing that John ignored directly faces the newspaper shop. Many cars are parked on either side of this relatively quiet road, but currently there is no traffic. Two pedestrians are walking along the street from the newspaper shop toward the bank. The larger road, which this smaller road intersects, is busy and no cars are parked there. There is no traffic light at the junction, nor are there any on the far side of the quiet road. The bank is two buildings from the corner of the street. An armored truck from the bank is parked tightly against the building façade and there are movements inside the truck. Obviously, the description of the environment can be made as detailed as we wish, but the description above suffices for our purposes.

(1) Apart from the fact that this seems to be a perfectly ordinary side street in any sizable city, the bank with a value transport parked in front stands out. The bank could be a branch of a larger bank chain, or it could be a back entrance to a larger bank building located on the busy road. Either way, smaller bank entrances like this might be secured with less formidable protection than a larger bank. Remarkably, there are no bollards. (2) The value transport in front of the bank façade may present well-prepared criminals with an opportunity. The protection system of the bank itself may be strong, and so is the protective system on the value transport, but during loading and unloading the combined system could be weaker than either of the two individual systems. That weakness could be exploited by a well-prepared criminal. (3) John did not just have sunglasses in his possession, he was wearing them. He might have worn them to avoid being recognized on the CCTV cameras that the bank building will have. (4) Two people are walking towards the scene that John was walking to as well. Beforehand it may be impossible to know whether these two are related to John, but theoretically they could be his accomplices in robbing a value transport during loading. Their behavior and the equipment they are carrying could give more information. (5) Let us move away from the bank and observe the parked cars. John was carrying keys. Maybe he was just walking to his car after picking up a newspaper. Or maybe he had the keys to the getaway car for the hit on the value transport. (6) Or maybe John has a knack for opening the aged locks in the front doors of 1920s buildings with his keys. (7) He could also simply perform an armed robbery of the newspaper shop and disappear in one of the parked cars. (8) Another possibility is that John does not use his possessions in a crime at all, but simply smashes a car window and gets away with whatever is inside. (9) Then again, he might not have criminal intentions at all. John's surroundings do not make him a criminal per se. Unless, of course, he is inside a bank's safe and does not belong there.

This discussion shows that opportunity is a parameter that is difficult to pin down. It is the way in which the perpetrator uses weaknesses in defensive systems, or breaks part of a defensive system, to create a path for his crime.

This section has demonstrated how motive, means and opportunity are operationalized for practical use in the MMO method. This is necessary to work with the method and represents how the MMO method will be most effective for security.


5. Application in the design of security systems
In this section we investigate how crimes can be blocked by using MMO. Before we can do that we have to define the instruments that provide protective functions to the systems being protected: security barriers. These barriers are the building blocks of barrier systems, in which barriers are combined to form more effective security. This section starts by defining the key characteristics of security barriers before describing how they are used in MMO.
The reason for having a security barrier is that it blocks hazards from propagating to and damaging the target, as demonstrated in figure 2. The first characteristic of a security barrier is that it divides the world into two parts: the part that is secure and the part where hazards can develop. Barriers are separators between wanted and unwanted conditions in the security environment. In geographical terms they separate secure areas from insecure or uncontrolled areas. The separation is projected onto divisions in motive, means and/or opportunity. Motive barriers separate individuals with malevolent intent from those with benevolent intent. Means barriers separate areas where certain tools are permitted from areas where they are not. An opportunity barrier separates on accessibility: a division between areas that are freely accessible and areas that are not.
The second characteristic is that a security barrier has defensive capabilities itself or activates other barriers that provide defensive capabilities. In this context defensive capabilities are measures that manipulate perpetrators so that they are less likely to commit their crimes or take more time to do so. Defensive capability can be provided in two ways: actively or passively. Passive defensive capability is provided by physical barriers like doors, fences or walls that do not react to changing crime conditions. Active defense reacts to changing conditions; in physical security that usually means that someone has to intervene.
The third characteristic follows from the previous two. A security barrier is the smallest indivisible element in a security system: if it is divided any further, it no longer divides the world into two parts and cannot manipulate perpetrators to prevent them from committing crimes. Consider a fence. It is not the wire in the fence that makes it a security barrier; it is the fence construction that provides the functionality. Note that the length of the fence is arbitrary: whether it is one meter or 100 meters, it remains a fence. A 100 meter fence may require another barrier to make it more secure (e.g. CCTV), but it remains a fence, a single barrier. A wall is a different barrier because its defensive capabilities are different. This characteristic defines the granularity of security systems: security barriers are the smallest parts of a security system that still function as a barrier and cannot be broken down any further without losing that function.
Note that the effectiveness of a security barrier does not define it in the way the characteristics above do. Effectiveness is a property of barriers, much as cost is a property. Some security barriers are more effective than others and some are counter-productive. Locks can be picked, fences cut, and data systems hacked. At this point it is useful to discuss a threshold for a barrier to be called a security barrier. A decorative garden fence of 30 cm height provides little, if any, defensive capability.
Unless it has a very specific security function, we should not consider that barrier to be a part of the security system.


5.1. Single element security barriers
Single element security barriers are barriers where only one prerequisite, or element of MMO, is blocked by the barrier. The first basic element in MMO is motive. The question that has to be answered to find a single element motive barrier is: 'What security instrument addresses motive but not means or opportunity?' One answer is a burglar alarm. A burglar alarm is a technical device that detects people in places where they should not be, e.g. at 3:00 pm inside a closed museum. The alarm itself does not check whether the person detected is carrying tools or weapons. It also does not prevent access (access prevention has probably already been broken). It simply detects that someone is there who is unlikely to have a benign motivation to be there at that moment. The burglar alarm raises the alarm to activate defensive capabilities: it alerts security workers to come and check the situation. A less obvious motive barrier is identification papers. Motives are always carried by individuals, therefore determining the identity of individuals is an important motive barrier. That makes a passport part of a motive security barrier system. More complex systems exist to confirm the identity of a person, e.g. retina scans or fingerprint scans. Other single element barriers for motive include, but are not limited to:
• identification papers, including a passport
• passport check points
• UV lights to detect counterfeit papers or money
• burglar alarms of any type (sound, infra-red, or any other)
• ICT systems that detect discrepancies in a bill of lading

The exercise is repeated for means. Means barriers check for weapons or other tools in places where they should not be. An X-ray machine at an airport is such an instrument. It scans suitcases and, if it is coupled to pattern recognition software, interprets the scans to check for weapons. It does not check whose suitcase it is, nor what the motive is for a weapon being inside the suitcase. It only detects them. When a suspect object is found, the suitcase is passed on to a security guard. At that point a second security barrier comes into play: a security worker who will also want to know whose luggage it is (related to the person: motive). Other single element security barriers for means include, but are not limited to:
• walk-through metal detectors
• X-ray machines of any size
• EDS bomb detectors
• chemical detectors
• whole body scanners


For opportunity, the exercise is relatively straightforward; an opportunity barrier provides defensive capability or stopping power. The prime example is a fence. The fence limits access to a certain area and thereby provides defense. It directly limits criminal opportunities. Any person, with benevolent or malevolent intent, is blocked by the fence: the fence is indiscriminate towards motive. Also, the fence does not check whether somebody who passes is carrying weapons or has the intellectual means to perform a burglary. Other single element security barriers for opportunity include:
• walls
• fences
• bullet-proof glass
• reinforced glazing

Double element security barriers
In fences or walls you invariably need a door, an entry point that can be locked. A lock is a double element security barrier. When it is locked, it removes opportunity by preventing access, but it is also a sluice for motive: authorized people have a key to open it, all others do not. That makes the lock a security instrument for motive, because it discriminates between people who should be allowed to enter and people who are not. The lock does not check identity, but the key is associated with identity; thereby it is intended to separate people by motive. That makes the lock a double element security barrier on motive and opportunity. Another example is the CCTV camera. It is used to detect people with malevolent intent and weapons. In the MMO method that makes it a security barrier with two functions, motive and means. Note that the mere presence of a CCTV camera can deter crime, which could be considered defensive capability, but within the framework this is considered a side effect, since the camera itself does not provide defensive capability in the sense that it does not physically stop anyone; its function as a security barrier is to prompt intervention. Another double element security barrier is the sniffer dog, which can be trained to combine means and opportunity. Double element security barriers include:
• locks of any kind (motive and opportunity)
• sniffer dogs (means and opportunity)
• password protection (motive and opportunity)
• CCTV cameras (motive and means)

5.2. Triple element security
There is only one triple element security barrier: the security worker. When a security worker is properly trained, that individual will have learned techniques for detecting motives (e.g. an interview with a suspect, or plain intuition), techniques for detecting means (e.g. a body search), and techniques for apprehending miscreants. The individual skills could be classified according to the MMO elements, but they are always combined in the individual. That makes the security worker the binding element in a security system; he provides interpretation and adaptation. The security worker has to be supported not only by the other security barriers and barrier systems but also by effective management, especially when many security workers are working in the same security system (as in an airport).


5.3. Security triangle
The different types of security barriers are shown in figure 3, the MMO triangle. The three elements of this design system are on the points of the triangle: motive, means and opportunity. Security barriers that combine two elements are placed along the sides of the triangle between the corresponding corners. At the heart of the triangle is the triple element security barrier, of which there is only one: the security worker. He is the centre pin that binds the barriers in the system.
The MMO triangle can be used to analyze existing security systems. The individual security barriers present in the system can be grouped according to the method described in this work, and the figure gives an overview of them. The aims of the security system can then be combined with the analysis to see whether the security system performs its protection function adequately. The analysis can be made quantitative by assigning probabilities of breaking or bypassing security barriers. The MMO triangle can also be used to design new security systems. Once the values and threats are identified, the balance between motive, means and opportunity can be assessed and fitting security barriers can be gathered to build an effective system. Note that the design is at a relatively high level of abstraction. It does not tell how well trained the security worker is, nor does it consider crime scenarios or timelines of a crime.
This section showed how the MMO methodology can be used to design barrier systems for security. The section started by defining security barriers. Secondly, it was explained how these barriers can be classified according to the MMO methodology, and finally they were combined in a figure that demonstrates how the barriers relate to each other: the MMO triangle. The triangle is a powerful tool for designing security systems and easy to explain to security staff in the field.

[Figure 3, the MMO triangle, as drawn: corners, sides and centre with the barriers placed on them]
motive: passport, burglar alarm, ...
motive + means: CCTV, ...
motive + opportunity: locks, password protection, ...
means: metal detector, x-ray, ...
means + opportunity: sniffer dogs, ...
opportunity: fences, reinforced glazing, ...
motive + means + opportunity (centre): security worker
Figure 3.: The MMO triangle.

6. Application in security threat analysis
The application of the MMO method in threat analysis is based on the logical AND operator that was described in section two. That AND gate is a mathematical operator found in so-called fault trees. It is beyond the scope of this paper to describe fault trees; detailed information about them can be found elsewhere [12,13]. Essentially, fault trees are mathematical constructs that show the linkages between faults or errors in technical or socio-technical systems and how they propagate to a hazardous situation. In the case of MMO, the hazardous situation is when an individual can successfully combine motive, means and opportunity for a crime. Fault trees are often used for assessing the risks of nuclear plants, dams and the chemical industry [14], but they are also used for assessing terrorist risks [1,2,3]. By using fault tree methodology, security threats can easily be incorporated into existing fault tree models that address safety problems alone.
An example of what such a fault tree could look like is given in figure 4. The figure shows a hypothetical fault tree for breaking in through the window of a building to commit a burglary. The hazard is the break-in through the window. Means consists of the choices a burglar has to break the window. He can put a load on the entire system (e.g. by forcing it with a crowbar). He can force a subsystem (e.g. by forcing the lock). He can put a load on a critical part such as a hinge pin. Alternatively, he can mimic the tools of the entry system by using lock-picks or a false key. In the operation of the break-in these possibilities represent a logical OR gate: entry is eventually achieved by one of these methods with the accompanying means, even if the burglar carried multiple means. Opportunity is granted by a logical AND gate: all conditions for not being detected or disturbed have to be satisfied for a successful break-in. Motive is the more difficult part of the fault tree, since a burglar may have more than one motive for the break-in. In figure 4 a conditional AND gate is used to approximate that phenomenon; in this example it means that two out of four possible motive contributors need to be present for the crime to proceed.
At this point figure 4 is based on speculation, to illustrate the principle. It is to be validated by data. Such data comes from the crime databases of the police or the juridical system, which can verify whether the individual nodes or constituents of the fault tree are the correct ones and also help to find frequencies.
The fault tree for MMO creates a new method to design and perform structured threat analyses. Motive, means and opportunity can be studied individually and combined to give insight into security threats. In this way the analyst studies the mechanism of crime or criminal acts and can easily combine data from different sources. A completed fault tree is a systematic analysis that yields probabilities for the crimes, but it also shows the main constituents of such crimes. It is also possible to calculate the probabilities of individual nodes, so that the most pressing problems appear in a structured way. When the fault tree methodology is combined with the MMO triangle it can also be used to set minimum barrier efficiencies to lower the threat level to an acceptable one.
This section demonstrated how the logical AND gate for MMO can be used for risk analysis. The fault tree methodology is well established in high-risk industries but not in security. The broad application of this method in security may have far-reaching consequences for the future of security risk management.

[Figure 4, reconstructed from the node labels as a text tree]
Break in = AND(means, opportunity, motive)
  means = OR(Load on system, Load on subsystem, Load on part, Mimic entry system)
  opportunity = AND(No alarms, Time, No sound, No passers-by)
  motive = CONDITIONAL AND (2/4)(Expected gain, Training, Experience, Organization)
Figure 4: fault tree for burglary through a window (conceptual).
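To make the logic of figure 4 concrete, the following Python is an added example (not code from the paper) that evaluates the conceptual tree with AND, OR and k-out-of-n ("conditional AND") gates under the usual assumption of independent basic events, records every gate's probability as section 6 suggests, and then searches for the minimum efficiency a single barrier must reach for the top event to fall below an acceptable level, which is the combination of fault tree and MMO triangle described above. The leaf probabilities, gate names and function names are this example's own assumptions, constructed for illustration only.

```python
"""Added example (not from the paper): evaluating the conceptual MMO fault
tree of figure 4 with AND, OR and k-out-of-n ("conditional AND") gates.
Basic events are assumed independent; all probabilities below are constructed
for illustration and carry no empirical meaning."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Union


@dataclass
class Gate:
    name: str
    kind: str                        # "AND", "OR" or "KOFN"
    children: List[Union[str, "Gate"]]
    k: int = 0                       # threshold, used by KOFN only


def k_of_n(qs: List[float], k: int) -> float:
    """P(at least k of the independent events with probabilities qs occur).
    AND is the special case k == len(qs); OR is the special case k == 1."""
    dist = [1.0]                     # dist[j] = P(exactly j of the events seen so far occur)
    for q in qs:
        nxt = [0.0] * (len(dist) + 1)
        for j, d in enumerate(dist):
            nxt[j] += d * (1.0 - q)
            nxt[j + 1] += d * q
        dist = nxt
    return sum(dist[k:])


def evaluate(node: Union[str, Gate], p: Dict[str, float],
             out: Optional[Dict[str, float]] = None) -> float:
    """Probability of `node` given leaf probabilities `p`. If `out` is given,
    every gate's probability is recorded in it (the per-node view section 6 asks for)."""
    if isinstance(node, str):
        return p[node]
    qs = [evaluate(c, p, out) for c in node.children]
    if node.kind == "AND":
        prob = k_of_n(qs, len(qs))
    elif node.kind == "OR":
        prob = k_of_n(qs, 1)
    elif node.kind == "KOFN":
        prob = k_of_n(qs, node.k)
    else:
        raise ValueError(f"unknown gate kind {node.kind!r}")
    if out is not None:
        out[node.name] = prob
    return prob


def required_leaf_probability(tree: Gate, p: Dict[str, float], leaf: str,
                              target: float, tol: float = 1e-9) -> float:
    """Largest value of p[leaf] for which P(top) <= target, found by bisection
    (P(top) is monotone non-decreasing in every leaf probability). The barrier
    acting on that leaf therefore needs an efficiency of at least 1 - result.
    Returns 0.0 when this leaf alone cannot bring the top event under target."""
    lo, hi = 0.0, 1.0
    trial = dict(p)
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        trial[leaf] = mid
        if evaluate(tree, trial) <= target:
            lo = mid
        else:
            hi = mid
    return lo


# The figure 4 tree: break-in = means AND opportunity AND motive.
MEANS = Gate("means", "OR",
             ["load_on_system", "load_on_subsystem", "load_on_part", "mimic_entry_system"])
OPPORTUNITY = Gate("opportunity", "AND",
                   ["no_alarms", "time", "no_sound", "no_passers_by"])
MOTIVE = Gate("motive", "KOFN",
              ["expected_gain", "training", "experience", "organization"], k=2)
BREAK_IN = Gate("break_in", "AND", [MEANS, OPPORTUNITY, MOTIVE])

# Constructed leaf probabilities (hypothetical; real values would come from crime data).
LEAF_P = {
    "load_on_system": 0.3, "load_on_subsystem": 0.4,
    "load_on_part": 0.2, "mimic_entry_system": 0.1,
    "no_alarms": 0.5, "time": 0.6, "no_sound": 0.7, "no_passers_by": 0.8,
    "expected_gain": 0.6, "training": 0.3, "experience": 0.4, "organization": 0.2,
}


def analyse(target: float = 0.02) -> Dict[str, float]:
    """Gate probabilities plus the largest P(no alarms) compatible with `target`,
    i.e. how little evasion the burglar-alarm barrier may allow."""
    gates: Dict[str, float] = {}
    evaluate(BREAK_IN, LEAF_P, gates)
    gates["max_p_no_alarms_for_target"] = required_leaf_probability(
        BREAK_IN, LEAF_P, "no_alarms", target)
    return gates


if __name__ == "__main__":
    for name, value in analyse().items():
        print(f"{name:32s} {value:.4f}")
```

With these constructed values the means OR gate comes out at 0.6976, the opportunity AND gate at 0.168, the 2-of-4 motive gate at 0.4832 and the top event at about 0.057. Asking for a top-event probability of at most 0.02 while leaving all other leaves unchanged gives a maximum P(no alarms) of about 0.177, i.e. the alarm barrier alone would need an efficiency of roughly 82%; running the same search over other leaves shows which barrier buys the most reduction per unit of efficiency.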




7. Conclusion
This work introduces the MMO method as a security risk control tool. The method is based on juridical principles: the requirements for proving that a defendant committed a crime are used to prevent the crime from happening in the first place. Thereby MMO uses concepts that have been known for years to design the security systems of the future. The method is rooted in the theory of the juridical system and is comparable to basic concepts of criminology and the safety sciences. The paper shows how motive, means and opportunity are operationalized for practical use in the MMO method, along with definitions of security barriers for MMO. It is demonstrated that the MMO concept can be captured in a logical AND gate, which is a convenient mathematical expression for risk analysts and safety and security workers who use fault trees for analysis. The paper also gives an example of a fault tree for a security risk. Note that the fault tree methodology is well established in high-risk industries and is therefore a useful contribution to this field. Finally, the paper demonstrates how the MMO methodology can be used to design barrier systems for security with the MMO triangle. After a fault tree analysis has been performed, the MMO triangle is a very powerful tool for designing security barrier systems. In addition, the fault tree analysis can be applied directly to the MMO triangle because it contains exactly the same parameters. Despite that, the triangle is easy to explain to security staff in the field. At this point the MMO method is a conceptual model that describes a new structured way of analysing security threats and embedding that information into a structured design method for security systems. By its design, the MMO method paves the way to combining knowledge from juridical, risk and security operations to enhance security in the field. That combination makes it a useful tool for risk analysts, while the results can easily be explained to security staff, and security systems can be built upon that knowledge using the MMO triangle.

References
[1] B.C. Ezell, S.P. Bennett, D. von Winterfeldt, J. Sokolowski & A.J. Collins (2010) Probabilistic risk analysis and terrorism risk, Risk Analysis 30(4), 575-589.
[2] J. Merrick & G.S. Parnell (2011) A comparative analysis of PRA and intelligent adversary methods for counterterrorism risk management, Risk Analysis, DOI: 10.1111/j.1539-6924.2008.01142.x
[3] E. Paté-Cornell & S. Guikema (2002) Probabilistic modeling of terrorist threats: a systems analysis approach to setting priorities among countermeasures, Military Operations Research 7(4), 5-23.
[4] A.C. Doyle (1984) Collected novels of Sherlock Holmes, Penguin, London.
[5] J. Talbot & M. Jakeman (2008) Security risk management body of knowledge, Risk Management Institution of Australasia, Carlton South.
[6] B. Ale (2009) Risk, an introduction, Routledge, London.
[7] M.M. Lanier & S. Henry (2004) Essential criminology, 2nd ed., Westview Press, Boulder.
[8] G.P. Fletcher (1998) Basic concepts of criminal law, Oxford University Press, Oxford.
[9] Anonymous (2004) Arson first degree, State of New York, Penal Law 150.20.
[10] J.A. Doran & G.C. van der Graaf (1996) Tripod-BETA: Incident investigation and analysis, Shell B.V., SPE Health, Safety and Environment in Oil and Gas Exploration and Production Conference, 9-12 June 1996, Society of Petroleum Engineers, New Orleans.
[11] D.G. Winter (1973) The power motive, The Free Press, New York.
[12] M. Stamatelatos, W. Vesely, J. Dugan, J. Minarick & J. Railsback (2002) Fault tree handbook with aerospace applications, version 1.1, NASA Headquarters, Washington.
[13] H.E. Roland & B. Moriarty (1990) System safety engineering and management, Wiley, New York.
[14] I.T. Cameron & R. Raman (2005) Process systems risk management, Elsevier Academic, Amsterdam.


Comparative Analysis of Technological and Intelligent Terrorism Impacts on Complex Technical Systems – N.A. Makhutov and G.B. Baecher (Eds.) IOS Press, 2012 © 2012 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-61499-131-1-45


Technological and Intelligent Terrorism: Specific Features and Assessment Approaches


Dr. Dmitry O. REZNIKOV Institute for Machine Sciences, RAS.

Abstract. The paper addresses specific features of assessing terrorist risks for complex technical systems (CTS). These include feedback between CTS vulnerability towards a specific type of terrorist attack and the threat of such an attack; the ability of terrorists to learn lessons from previous attacks and to react to actions taken by counterterrorist forces; and a high level of uncertainty regarding terrorists' intentions, resources and system of values. Conventional safety analysis for CTS focuses on the question: In what way can an accident scenario be realized in the given system? When addressing security problems for CTS one should also consider the situation from the terrorist's standpoint. Hence the modified question for security analysis is: What has to be done for the given scenario to be realized in the CTS? Two types of attacks on complex technical systems are assessed. (1) An attack of technological terrorism implies powerful unauthorized impacts on the CTS capable of (a) breaking through the CTS protection system, (b) initiating secondary catastrophic processes due to hazardous substances, energy and information stored or processed at the CTS, and (c) escalation of the accident outside the CTS boundaries with substantially increased secondary and cascade losses. (2) An attack of intelligent terrorism (smart terrorism, insider terrorism) is a purposeful unauthorized interference in the process of designing, building and/or operating the CTS, aimed at increasing its existing vulnerabilities and creating new ones, so that these introduced vulnerabilities, insider knowledge of the system and access to its elements can be used for the future realization of the most disastrous terrorist attack scenarios. A comparative assessment of these two types of terrorism is presented, together with dynamic three-sided models that allow one to assess the situation from the standpoints of terrorists, law enforcement agencies and CTS administrations and to analyze the actions and counteractions of the various sides involved.
Keywords. Technological terrorism, safety analysis, complex systems.

1. Introduction
According to the traditional risk assessment model, risk is considered to be a function of threat T, vulnerability V and consequences C: R = f(T, V, C). The model was developed to assess the risks of technological catastrophes and natural disasters and is now widely used in terrorist risk assessment. Here threat is defined as the probability of a terrorist attack on a certain complex technical system (CTS), T = P(A); vulnerability is estimated as the conditional probability of system failure given that the attack occurs, V = P(F | A); and consequences are defined as the losses that occur as a result of the attack and the system failure, C = E(U | A, F). The terrorist risk index is then determined by Equation (1):



D.O. Reznikov / Technological and Intelligent Terrorism

$$
R = P(A)\cdot P(F \mid A)\cdot E(U \mid A, F) \qquad (1)
$$

For complex technical systems (CTS) that are subject to multiple threats and multiple failure scenarios, risk assessment implies the assessment of a scenario tree (Figure 1), using graph models called scenario trees [1,2,6]. The system is designed to fulfil the so-called success scenario S0 (i.e. a transition from its initial state IS to the designed end state ES0). Since any failure scenario S* is a deviation from the success scenario S0 that corresponds to the successful functioning of the CTS, the scenario S* must have a disturbance point at which an extreme event, or, in the case of terrorism, a terrorist attack Ak, occurs (Figure 2). Each attack gives rise to a branch of the scenario tree with a corresponding set of scenarios Si, each ending in an end state ESi. In this case one obtains a similar risk index using the matrix expression:

$$
R \;=\;
\underbrace{\bigl(P(A_1)\;\; P(A_2)\;\; \cdots\;\; P(A_n)\bigr)}_{\text{Threat, } T}
\times
\underbrace{\begin{pmatrix}
P[ES_1 \mid A_1] & P[ES_2 \mid A_1] & \cdots & P[ES_m \mid A_1] \\
P[ES_1 \mid A_2] & P[ES_2 \mid A_2] & \cdots & P[ES_m \mid A_2] \\
\vdots & \vdots & \ddots & \vdots \\
P[ES_1 \mid A_n] & P[ES_2 \mid A_n] & \cdots & P[ES_m \mid A_n]
\end{pmatrix}}_{\text{Vulnerability, } V}
\times
\underbrace{\begin{pmatrix} U_{ES_1} \\ U_{ES_2} \\ \vdots \\ U_{ES_m} \end{pmatrix}}_{\text{Consequences, } C}
\qquad (2)
$$

Equations (1) and (2) give first-order indicators of terrorist risk. They also determine the three main ways of risk reduction: reduction of the terrorist threat is the responsibility of the law enforcement and intelligence communities, while reduction of vulnerability and of consequences are the domains of the engineering community and the emergency management agencies respectively. In the terrorist risk assessment framework the main challenge is to estimate the probability of a terrorist attack. Some specialists believe that a probabilistic measure is not adequate for terrorist risk assessment, since a terrorist attack is not a stochastic event but a deliberate action based on the terrorists' assessment of their own skills and capabilities and of the system's vulnerabilities. Assigning probabilities to a terrorist attack is a task with a substantial human and behavioral dimension. The main problem is to describe the intentions of terrorists, their preferences, their system of values (i.e., utility function) and their decision rule. This allows one to assess the probability of different attack scenarios. The probability of each attack scenario is a function of the terrorists' perception of the probability that the scenario is successfully realized and of their preferences regarding the expected consequences of that scenario.




Figure 1. General risk assessment framework

Unfortunately, equations (1) and (2) can only be considered first-order indicators of the terrorist risk. The problem is that these equations do not allow one to account for a number of specific features of terrorism.


2. Specific features of security related threats
When assessing security related problems for complex technical systems one should take into account the following characteristics of the terrorist threat [5, 10]:
High level of dynamism: Terrorist attack scenarios and impact factors are more dynamic by nature than the scenarios and impact factors for the natural and manmade disasters to which the system is subject. A change in the spectrum and intensity of terrorism related extreme effects on the system is significantly more rapid than in the case of a natural or manmade threat. This is due to the terrorists' capacity for constantly expanding their arsenal of mechanisms for initiating emergency situations using modern means of attack, reacting to changes in protection barriers, and learning lessons from mistakes made during previous attacks on the system or on similar systems.
High level of uncertainty: In modeling terrorist scenarios we encounter a higher level of uncertainty. In addition to the uncertain factors inherent in threats of a natural or manmade nature, terrorist threats entail new factors of uncertainty resulting from the complexity of evaluating the terrorists' system of values and behavioral logic, as well as their organizational-technical potential and the resources at their disposal.
The capability of terrorists to choose attack scenarios deliberately: This refers to the terrorists' deliberate selection of attack scenarios (places, times and types of action), taking into account the system vulnerability parameters and the losses expected if an attack is successfully carried out. That is, terrorists are capable of analyzing the vulnerability matrix and the structure of losses for various types of action against the CTS and selecting the attack scenario that maximizes the harm to society (taking into account secondary and cascading losses). Here, in addition to probability analysis, it is also necessary to apply the tools of game theory, which makes it possible to take into account the intentional actions of terrorists.
Complex nature of the terrorist threat: The presence of a terrorist organization in a region may give rise to the possibility of a broad spectrum of attack scenarios. Thus, to counter terrorist threats and terrorist mechanisms for initiating emergency situations, to an even greater degree than for natural and manmade risks, a systemic approach is needed for ensuring security and developing an optimal strategy for counterterrorism force and resource deployment. Concentrating resources on protecting one system element (or protecting a target from one scenario of terrorist action) could prove useless, because after evaluating the situation the terrorists could redirect the attack against another element of the system or switch to a different attack scenario. In that case counterterrorism efforts fail to reduce the risk or to increase the system's level of protection.
Presence of two-way linkages between the terrorist threat and system vulnerability: The structure of linkages among the risk factors for a given CTS in the case of natural or manmade catastrophes is as presented in Figure 2a. One differentiating feature of a terrorist risk assessment is the presence of two-way linkages (feedbacks) between the terrorist threat and (a) the vulnerability of the system to the threat and (b) the magnitude of the expected losses if the threat is successfully realized (see Figure 2b). This characteristic of terrorism must be examined in detail. In particular, reducing the vulnerability of a given system makes it possible to reduce substantially the level of the terrorist threat it faces.

Figure 2a. System of linkages among risk factors for natural or manmade hazards




Figure 2b. System of linkages among risk factors for terrorist threat (security context)


In the terrorist risk assessment framework the main challenge is to estimate the probability of a terrorist attack. Some specialists believe that a probabilistic measure is not adequate for terrorist risk assessment, since a terrorist attack is not a stochastic event but a deliberate action based on the terrorists' assessment of their skills and capabilities and of the system's vulnerabilities (Figure 2c).

Figure 2c. Terrorist threat assessment




Assigning probabilities to a terrorist attack is a task with a substantial human and behavioral dimension. The main problem is to describe the intentions of terrorists, their preferences, system of values (i.e., utility function) and decision rule. This allows the probability of different attack scenarios to be assessed.
Terrorists' capacity for self-learning: Because terrorists are capable of analyzing the results of previous attacks and drawing conclusions from them, their experience of "successful" and "unsuccessful" attacks can have a noticeable effect on the selection of a scenario for the next attack. Attack scenarios that proved effective in the past are most likely to be repeated by terrorists in the future, while scenarios that ended unsuccessfully will most likely be less attractive to terrorists and consequently are less likely to be repeated. Therefore, in assessing the chances that various attack scenarios will be realized, statistical self-learning models are more effective than traditional frequency methods.
In solving the above problem of security analysis it is necessary to assess the resources the terrorists possess. In security analysis, by resources we mean a broad set of factors that determine the potential of a terrorist organization. These include:
• Material resources: technical means, equipment, "human material" that can be used for a terrorist attack.
• Nonmaterial resources: experience, skills, knowledge, access to the CTS internal modes.

To answer the question of security analysis, experts should consider the quality of equipment the terrorists have, their skills and knowledge of the CTS, and their ability to take advantage of the existing vulnerabilities (and even create new ones) in order to organize the attack. The ability of terrorists to select the most vulnerable and critical elements of the CTS, choose the time and place of an attack, adapt to changes of safety barriers and defense strategies and learn lessons from previous attacks requires that game-theoretic approaches be included in probabilistic risk assessment models. That means that (a) traditional scenario trees used in safety risk assessment, which include only chance nodes, have to be supplemented by decision nodes that describe the rational deliberate actions and counteractions of terrorists and counterterrorists; (b) models for terrorist risk assessment should be multi-sided and describe the situation from the perspective of both terrorists and counterterrorist forces [8]; (c) these models should be dynamic and allow one to update the actions and counteractions of the various sides involved at different time steps.

3. Development of dynamic multi-sided models

In view of the above, an integrated (three-sided) terrorist risk model based on the approaches developed in Bayesian networks and game theory has been developed. The schematic representation of the model is given in Figure 3. Each of the three graphs represents an influence diagram from the perspective of one of the following players: the terrorist group, the administration of the industrial facility subjected to terrorist threat, and the municipal authorities. The three diagrams are kept separate so that the decisions made by the different parties remain separate. Oval nodes represent random variables or events with their possible realizations and probabilities assigned. Rectangular nodes represent decisions and are characterized by possible options. The arrows represent probabilistic dependences between the events, states of variables or decision variables. The model is based on the assumption that all the players act in such a way as to minimize their maximum losses. This strategy is governed by the so-called minimax criterion: counterterrorist players do not know which attack scenario the terrorist group will select, which is why they should choose the defense strategy that results in the lowest possible worst-case expected losses. Graph 1 (Figure 4) represents an influence diagram from the perspective of the terrorists. It allows one to assess (a) the probabilities that the specified attack scenario will result in damage, and (b) the expected utility to the terrorists of different attack scenarios:

$$EU(s_i) = \sum_{j=0}^{m} \left[ U_t(s_i; v_j) \times P(V = v_j \mid S = s_i) \right], \qquad (i = 1, 2, \ldots, n), \qquad (3)$$

where $U_t(s_i; v_j)$ is an element of the utility matrix

$$\begin{bmatrix}
W(s_1; v_0) - Z(s_1) & W(s_1; v_1) - Z(s_1) & \cdots & W(s_1; v_m) - Z(s_1) \\
W(s_2; v_0) - Z(s_2) & W(s_2; v_1) - Z(s_2) & \cdots & W(s_2; v_m) - Z(s_2) \\
\vdots & \vdots & \ddots & \vdots \\
W(s_n; v_0) - Z(s_n) & W(s_n; v_1) - Z(s_n) & \cdots & W(s_n; v_m) - Z(s_n)
\end{bmatrix} \qquad (4)$$

$s_i$ is the attack scenario; $v_j$ is the damage factor of the facility inflicted by the attack ($j = 0, 1, \ldots, m$: $j = 0$ corresponds to the undamaged system while $j = m$ corresponds to the completely destroyed system); $P(V = v_j \mid S = s_i)$ is the conditional probability of inflicting damage factor $j$ on the facility provided that attack scenario $i$ was carried out; $W(s_i; v_j)$ is the outcome in case of attack scenario $i$ and damage state $j$; $Z(s_i)$ are the costs of implementing attack scenario $i$.

Calculation of the expected utility values for different attack scenarios allows one to estimate the probabilities of these scenarios (Equation 5) [8]:

$$P_t(S = s_i) = \frac{EU_t(s_i)}{\sum_{k=1}^{n} EU_t(s_k)}, \qquad (i = 1, 2, \ldots, n). \qquad (5)$$

Equation 5 assumes that (a) different attack scenarios are mutually exclusive and (b) the decisions taken by terrorists are rational (i.e., they choose the attack scenarios that maximize the expected utility). The results obtained in Graph 1 are then used as inputs to Graphs 2 and 3. The results of Graph 2 are then used in Graph 3.


Graph 2 (Figure 5) represents an influence diagram from the perspective of the administration of the industrial facility subjected to terrorist threat. It allows one to assess the expected disutilities related to various countermeasures taken by the administration of the facility involved. The probabilities $P_t(S = s_i)$ (Equation 5) are used in Graph 2 as the state probabilities of chance node 1. The graph permits estimation of the expected disutilities to the facility administration for the various countermeasures it may adopt, and thus allows the countermeasures to be ranked. Graph 3 (Figure 6) represents an influence diagram from the perspective of the local community authorities. Graphs 2 and 3 permit assessment of the risk reduction benefits of different countermeasures and their costs. The structure of the influence diagrams and the probabilistic dependences between the variables should be developed by the joint efforts of specialists representing a broad spectrum of disciplines (specialists in terrorist threat assessment, reliability theory, social sciences and loss estimation), each providing insights in the relevant area of expertise. The model permits identification of the effects of different factors and parameter values on the likelihood of success of different attack scenarios and on the expected utilities to the different sides involved. The model described above can be used in a dynamic fashion via discrete time steps. At each step, each player updates his beliefs, objectives and decisions based on the previous step. Each of the players is uncertain about the others' actions and state of knowledge. To address the dynamics of the security problem one needs to model the moves and counter-moves of all three sides involved, changes in the structure of terrorist organizations and systems of protection, and the lessons learned by all parties from previous attacks. At each consecutive time period all three parties make decisions regarding their actions in the upcoming time period based on the information accumulated so far (blocks $I_{t_k}$ and $I_{t_{k+1}}$, Figure 7). Estimates of the probabilities of various attack scenarios and of the countermeasures adopted by the facility administration and community authorities obtained at time step $t_k$ can be treated as prior estimates for the time period $t_{k+1}$.
Terrorists may take into account the countermeasures of counterterrorist forces by including the respective chance nodes into Graph 1 at time step $t_{k+1}$ and estimating the probabilities of the countermeasures $d_j$ adopted by the facility administration and $m_l$ adopted by the municipal authorities using Equation 6, which is similar to Equation 5:

$$P_a(D = d_j) = \frac{EU_a(d_j)}{\sum_{g=1}^{3} EU_a(d_g)}, \quad j = 1, 2, 3; \qquad P_m(M = m_l) = \frac{EU_m(m_l)}{\sum_{f=1}^{3} EU_m(m_f)}, \quad l = 1, 2, 3. \qquad (6)$$
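The following Python script is an added worked example, not code from the paper: it evaluates Equations 3 to 5 for three constructed attack scenarios, normalises constructed countermeasure expected utilities as in Equation 6, and shows one reading of how the facility administration's countermeasures enter Graph 1 as a chance node at step $t_{k+1}$, namely by marginalising the damage distribution of a scenario over $P_a(D = d_j)$. Every number is invented for illustration; the marginalisation step and the rejection of negative expected utilities (which Equation 5 cannot turn into a probability) are this example's choices, not the paper's.

```python
"""Worked example of the expected-utility model of Equations 3-6.

Added illustration, not code from the paper. All numeric data below are
constructed, and the "mixing" of damage probabilities over the defender's
countermeasures is this example's reading of a countermeasure chance node
added to Graph 1 at time step t_{k+1}.
"""
from typing import List, Sequence, Tuple


def expected_utility(outcomes: Sequence[float], cost: float,
                     p_damage: Sequence[float]) -> float:
    """Equation 3 for one scenario s_i.

    outcomes[j] is W(s_i; v_j), cost is Z(s_i) and p_damage[j] is
    P(V = v_j | S = s_i) for j = 0..m, so each utility-matrix element of
    Equation 4 is W(s_i; v_j) - Z(s_i).
    """
    if len(outcomes) != len(p_damage):
        raise ValueError("one outcome per damage state expected")
    if abs(sum(p_damage) - 1.0) > 1e-9:
        raise ValueError("damage-state probabilities must sum to one")
    return sum((w - cost) * p for w, p in zip(outcomes, p_damage))


def normalise(expected_utilities: Sequence[float]) -> List[float]:
    """Equations 5 and 6: P(option i) = EU(i) / sum_k EU(k).

    The ratio is only meaningful when every expected utility is non-negative;
    a negative entry would yield a negative "probability", so that case is
    rejected here instead of being silently normalised (example's choice).
    """
    if any(eu < 0 for eu in expected_utilities):
        raise ValueError("Equations 5/6 need non-negative expected utilities")
    total = sum(expected_utilities)
    if total == 0:
        raise ValueError("all expected utilities are zero")
    return [eu / total for eu in expected_utilities]


def scenario_probabilities(W, Z, P) -> Tuple[List[float], List[float]]:
    """Graph 1 output: EU_t(s_i) for every scenario and P_t(S = s_i) (Eq. 5)."""
    eu = [expected_utility(W[i], Z[i], P[i]) for i in range(len(W))]
    return eu, normalise(eu)


def mix_over_countermeasures(p_damage_given_d, p_d) -> List[float]:
    """Marginalise one scenario's damage distribution over the defender's
    countermeasures:
        P(V = v_j | S = s_i) = sum_g P_a(D = d_g) * P(V = v_j | S = s_i, D = d_g).
    This is how the example treats the countermeasure chance node of Graph 1
    at step t_{k+1}; the paper does not spell the operation out.
    """
    n_states = len(p_damage_given_d[0])
    return [sum(p_d[g] * p_damage_given_d[g][j] for g in range(len(p_d)))
            for j in range(n_states)]


# ---- constructed sample data (not from the paper) ----
# Damage states v_0..v_3: intact, minor, major, destroyed (m = 3).
W = [[0, 10, 40, 100]] * 3          # W(s_i; v_j): same outcome scale per state
Z = [5, 12, 30]                     # Z(s_i): cost of each of n = 3 scenarios
P = [[0.7, 0.2, 0.08, 0.02],        # P(V = v_j | S = s_i)
     [0.4, 0.3, 0.2, 0.1],
     [0.1, 0.2, 0.3, 0.4]]

# Expected utilities EU_a(d_1..d_3) of three facility-administration
# countermeasures (constructed), feeding the first ratio of Equation 6.
EU_A = [15.0, 9.0, 6.0]
# Damage distribution of scenario s_3 under each countermeasure (constructed).
P_S3_GIVEN_D = [[0.5, 0.3, 0.15, 0.05],
                [0.3, 0.3, 0.2, 0.2],
                [0.1, 0.2, 0.3, 0.4]]


def run_step():
    """One time step: terrorist-side probabilities (Eq. 5), defender-side
    probabilities (Eq. 6) and the damage distribution of s_3 once the
    defender's choice is treated as a chance node in Graph 1."""
    eu_t, p_t = scenario_probabilities(W, Z, P)
    p_a = normalise(EU_A)
    p_s3 = mix_over_countermeasures(P_S3_GIVEN_D, p_a)
    return eu_t, p_t, p_a, p_s3


if __name__ == "__main__":
    eu_t, p_t, p_a, p_s3 = run_step()
    for i, (eu, p) in enumerate(zip(eu_t, p_t), start=1):
        print(f"s_{i}: EU_t = {eu:6.2f}   P_t = {p:.3f}")
    print("P_a(d_j)              =", [round(x, 3) for x in p_a])
    print("P(V | s_3) after mixing =", [round(x, 3) for x in p_s3])
```

With these constructed inputs the scenario with the largest expected utility ($s_3$) receives about 68% of the probability mass under Equation 5, and after mixing over the defender's countermeasures the "destroyed" state of $s_3$ drops from 0.4 to 0.165, which is exactly the kind of prior for $t_{k+1}$ the text describes.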

Figure 3. Multi-sided terrorist risk assessment model

Figure 4. Influence diagram from the perspective of the terrorist group

Figure 5. Influence diagram from the perspective of the facility administration

Figure 6. Influence diagram from the perspective of the community authorities

This permits modeling the dynamics of the situation as a game between the three parties involved, with each party learning by updating both the model and the parameter values after each time period. The model provides the opportunity to consider the dynamic interaction (actions and counteractions) of all three sides involved. The numerical data needed for the implementation of the model are obtained from the following sources: the output of lower-level models (results of analytical calculations, e.g. of hazards and vulnerability curves), statistics from past observations, expert assessments, and intelligence data. The model forms the basis for rational decisions regarding various countermeasures.

Figure 7. Dynamic multi-sided terrorist assessment model

4. Types of modern terrorism

Modern terrorism can be divided into three types: ordinary, technological and intelligent terrorism, which differ in the resources used by terrorists to carry out the attacks, the attack scenarios and the structure of losses inflicted by the attacks of each type (Figure 8) [3-5]. Ordinary terrorism implies the organization of explosions, fires and assassinations of officials, public figures and people at large in order to intimidate people and destabilize the political situation in the country or region. Risks pertaining to ordinary terrorism are not considered in this paper, since terrorism of this level does not involve attacks on complex technical systems to trigger secondary catastrophic processes. We are going to deal with the two other types of terrorism that are directly related to attacks on CTS.

Figure 8. Types of modern terrorism

4.1. Technological terrorism

Technological terrorism (TT) implies powerful unauthorized impacts on a complex technical system capable of:

• breaking through the CTS protection system;
• initiating secondary catastrophic processes due to hazardous substances (W), energy (E), and information (I) stored or processed at the CTS;
• escalation of the accident outside the CTS boundaries with substantially increased secondary and cascade losses.

Technological terrorism is based on taking advantage of the existing vulnerability of the system. To perform an attack of technological terrorism it is necessary to preliminarily:

• analyze the CTS structure and vulnerability, i.e., to reveal potential sources of secondary catastrophic processes (stocks of W, E, I) and the weak points in the CTS protection systems, and to devise the most efficient attack scenarios;
• identify the CTS key elements and links whose failure would disrupt the system;
• calculate the strength of the initial impacts that might break through the CTS protection systems (PS);
• assess the CTS scenario tree and determine the end states ES* capable of initiating major secondary catastrophic processes outside the CTS.


In the case of TT, the attacking party does not have any insider information and cannot inflict point impacts imperceptible to the CTS monitoring systems; therefore it has to prepare a powerful action capable of breaking through the CTS protection barriers. It is necessary for the terrorist to select the method for the attack resulting in the CTS end state that would initiate accident propagation outside the CTS boundaries. The selection of the attack scenario is made through a hybrid scenario tree [2] that in the case of TT could be quite simple. It incorporates several attack trees describing the abilities and resources of the terrorists and the event tree describing the CTS vulnerability (Figure 9).

Figure 9. The hybrid scenario tree for technological terrorism

4.2. Intelligent (or highly sophisticated, insiders') terrorism

Intelligent terrorism (IT) is a deliberate unauthorized interference in the process of designing, building and/or operating the CTS aimed at increasing its existing vulnerabilities and creating new ones in the system, so as to use these input vulnerabilities, insider's knowledge of the system and access to its elements for the future realization of the most disastrous scenarios of a terrorist attack. IT implies:

• A comprehensive vulnerability assessment of a system under design, construction or operation with respect to various scenarios of terrorist impacts, and identification of the most effective way of realization of the initiating impact upon the system;
• Insertion of latent changes into the system at the stage of its being designed, built or operated, in order to give rise to new vulnerabilities in the CTS;
• Disconnection or disruption of the CTS monitoring and protection systems;
• Triggering cascading failures in the system and the environment.


As a rule IT requires that a member of a terrorist group penetrate the staff of the organization that is designing, building or operating the CTS. The terrorist must possess insider's information on the CTS and be able to perform well-camouflaged actions in order to weaken protection systems and create latent defects undetectable by the existing monitoring systems.

Figure 10. The hybrid scenario tree for intelligent terrorism

Consequently, intelligent terrorism implies detailed knowledge of the CTS structure and working principles. It also implies awareness of its existing and potential vulnerabilities, its possible end states, the possible scenarios of accident propagation and the initial impacts that can trigger them. Additionally, IT can anticipate distortion of the success scenario, formulate false targets, and generate new disastrous scenarios. Attacks of intelligent terrorism can be carried out at any stage of the CTS's lifecycle:

• At the stage of design some latent defects can be intentionally introduced into the system.
• At the stage of construction additional vulnerabilities can be input into the CTS through intentional violations of the technological processes.
• At the stage of operation some maintenance procedures that are critical for the CTS's safety can be intentionally violated.

Intelligent terrorism implies the maximal level of terrorist competence (comprehensive knowledge of the CTS, its control, operation, and protection barriers), which enables it to select the most disastrous accident scenarios and find the most effective way of initiating them, including disconnection or disruption of the CTS monitoring systems in order to prevent a prompt response to failures. The assessment of the attack scenarios is made through a hybrid scenario tree that in the case of IT could be more complicated (Figure 10). It incorporates several attack trees describing the abilities and resources of the terrorists and the decision tree describing the system's vulnerability. Scenario trees of technological and intelligent terrorism should be incorporated into multi-sided models (Figure 3) and used for a comprehensive terrorist risk assessment.

References

[1] Garrick B., Hall J., et al. Confronting the Risk of Terrorism: Making the Right Decisions. Reliability Engineering and System Safety, 86 (2004) 129-176.
[2] Kaplan S. "Applying the General Theory of Quantitative Risk Assessment (QRA) to Terrorism Risk." In Risk-Based Decision-Making in Water Resources X: Proceedings of the Conference, Y.Y. Haimes, D.A. Moser, and E.Z. Stakhiv, eds. Reston, VA: ASCE Publications, 2002.
[3] Makhutov N. "Analysis of Technogenic Risks Under Terrorist Impacts." In Protection of Civilian Infrastructure from Acts of Terrorism, K. Frolov and G. Baecher, eds. Springer, Dordrecht, The Netherlands, 2006, 54-67.
[4] Makhutov N. Methodology for Assessing the Risk of Terrorism. In Countering Urban Terrorism in Russia and the United States, G. Schweitzer and C. Sharber, eds. The National Academies Press, Washington DC, 2006.
[5] Makhutov N., Petrov V., Reznikov D. Characteristics of Technological Terrorism Scenarios and Impact Factors. G. Schweitzer, ed. The National Academies Press, Washington DC, 2009.
[6] Makhutov N., Reznikov D. Application of Bayesian Networks for Assessment of Terrorist Risk and Identification of Optimal Counterterrorist Strategy. Problems of Safety in Emergency Situations, Vol. 1, 2007, pp. 89-104 (in Russian).
[7] Makhutov N., Reznikov D. Methods for Quantitative Terrorist Risk Assessment. Problems of Safety in Emergency Situations, Vol. 1, 2007, pp. 89-104 (in Russian).
[8] Pate-Cornell E. Probabilistic Modeling of Terrorist Threats: A Systems Analysis Approach to Setting Priorities Among Counter-measures. Military Operations Research, 2002, v. 7, N 4, pp. 5-23.
[9] Reznikov D. Models for Assessing Terrorist Risks. Workshop on Open-source Risk Software, California Institute of Technology, Pasadena, USA, 2007.
[10] Woo G. "Quantitative Terrorism Risk Assessment." The Journal of Risk Finance, Vol. 4, No. 1, pp. 15-24.


Comparative Analysis of Technological and Intelligent Terrorism Impacts on Complex Technical Systems – N.A. Makhutov and G.B. Baecher (Eds.) IOS Press, 2012 © 2012 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-61499-131-1-61

61

Regional Resilience and Security for Critical Infrastructure

Frederick KRIMGOLD
Advanced Research Institute, Virginia Tech, Arlington, Virginia, USA

Abstract. Critical infrastructure systems provide the basis for modern urban life. While they deliver the material and services we have come to depend upon for daily survival, as extended network systems they are vulnerable both to large-scale threats such as earthquakes and hurricanes and to specific attacks at key nodes. Risk and resilience management of regional infrastructure systems requires a detailed understanding of the vulnerabilities and dependencies of the constituent assets that make up individual systems, of the dependencies and interdependencies between systems, and of the consequences of cascading failures across systems. Regional resilience management requires tools for the identification and prioritization of coordinated investments at a range of points across regional infrastructure systems. This requires an understanding of both the physical and the administrative dimensions of regional infrastructures. This research is directed to the development of such analytical tools.

Keywords. Resilience, critical infrastructure protection, fragility.


1. Introduction

At the core of any region's security and resilience are its critical lifeline infrastructures. The foundation infrastructure sectors are Energy, Transportation, Water/Wastewater and Communications. Complex dependencies and interdependencies among such systems frequently contribute to "cascading" failures, as the disruption of one service causes others to fail; e.g., a power failure could interrupt water distribution, which could reduce the fire suppression capacity available to protect burning buildings. Such dependencies require a multi-sector regional analysis, where local knowledge and insight can be brought to bear. The research team worked with key departments in the metropolitan government of a major city and county. These included the metropolitan water service, the metropolitan electric service, the metropolitan department of public works, the emergency communications center, the metropolitan fire and emergency medical services and the office of emergency management. These infrastructure sectors and related public safety functions were subjected to an asset-level risk assessment based on the RAMCAP (Risk Assessment and Management for Critical Asset Protection) methodology.


F. Krimgold / Regional Resilience and Security for Critical Infrastructure

2. Define objective of Regional Resilience


The basic objective of this research is to provide decision support to regional governments on the most effective ways to invest in regional security and resilience. To meet this objective a regional critical infrastructure risk assessment methodology is developed to complement the structure of the metropolitan budget process from the unit level to the department level, to the resolution of the office of management and budget and the final legislative budget approval process. A major challenge in this process is the reconciliation of long-term risk reduction investments with an annual budget process. Analysis of critical infrastructure resilience at the regional scale is necessary and appropriate in order to capture the impacts of system dependencies and to provide analyses relevant to the scale of management and investment decision-making. Typically local jurisdiction boundaries do not coincide with the boundaries of key infrastructure systems; therefore the regional scale of analysis becomes relevant. This regional scale of analysis is particularly facilitated by metropolitan governments that include cities and their surrounding counties. Two principal issues make investment decisions in risk reduction difficult. First is the basic issue of balancing current priorities against the prospect of reducing undefined losses that may occur at an undefined time in the future. Second is understanding the complexity of interactions between the elements of critical infrastructure systems and determining where and in what combination risk reduction investments can be made. The primary objective of this work is to better define specific threats and their consequences for the region in a common framework that allows for useful prioritization of risk reduction investments. The risk assessment methodology is based on analysis of the key assets and facilities in each critical infrastructure system. This analysis at the asset/facility level includes the impact of failure of "up-stream" assets on which the asset in question is dependent and the consequences of that asset's failure for "down-stream" dependent assets.

3. Analytical Method

This methodology assesses the risk associated with each specific asset and facility of a particular infrastructure system for a comprehensive range of natural and man-caused threats. Specific asset/threat pairs are assessed in terms of the expected initial damage expressed in dollars of replacement cost, the associated injury and loss of life, and the impact on dependent community functions. The process is designed to support the program planning and investment decision-making of the budget processes of the systems under consideration and the comprehensive budget process for the metropolitan region. The process consists of an analysis cycle, followed by a planning cycle, together taking about six months. The analysis cycle for each infrastructure system consists of:

• The decision-makers define and rank community goals and criteria for resilience, continuity and security;
• Each facility undergoes an in-depth risk/resilience analysis according to the RAMCAP process to define where improvements should be considered;
• The dependencies among the facilities are analyzed to determine where an individual asset or facility failure could initiate a "cascade" of consequences in other facilities and systems;
• Probabilities of threat occurrence, resulting asset failures and potential initiation of cascading failures are combined to identify and prioritize investment options at the individual system or department level;
• Cross-system dependencies and interdependencies are identified on the basis of historical experience and expert judgment, and cross-system/department comprehensive risk reduction options are identified for consideration in the regional metropolitan budget process.

The planning cycle defines a set of possible new programs and/or investments to enhance resilience, continuity and security and then revisits each phase of the analysis cycle to define precisely how and how much the programs and investments would improve resilience and security for the region; what they are likely to cost; and which would be the most valuable to the owners of the respective facilities and to the region’s citizens.
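As an added illustration of the analysis cycle above (not code from the paper or from the research project it describes), the Python below scores constructed threat-asset pairs, follows a dependency graph to collect the cascade of dependent assets across systems, and ranks the pairs for the budget process. The assets, threats, dependency edges and all numbers are constructed; the likelihood × vulnerability × consequence product, the rule that an asset fails whenever any of its upstream dependencies fails, and the dollar-equivalent weights for lives and downtime are the example's own simplifying assumptions and would be set by the decision-makers in practice.

```python
"""Asset-level risk with cross-system cascades: an added worked example of the
analysis cycle, not the paper's own method or data. Everything below is
constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Sequence, Tuple


@dataclass
class Asset:
    name: str
    system: str
    replacement_cost: float          # dollars to replace the asset
    lives_at_risk: float             # expected fatalities if the asset fails
    downtime_days: float             # days of lost service if it fails
    depends_on: List[str] = field(default_factory=list)   # upstream assets


@dataclass
class ThreatAssetPair:
    threat: str
    asset: str
    annual_likelihood: float         # threat occurrences per year
    vulnerability: float             # P(asset fails | threat occurs)


def downstream_cascade(assets: Dict[str, Asset], failed: str) -> List[str]:
    """Assets that lose function when `failed` fails, transitively, under the
    simplifying assumption (example's own) that an asset fails whenever any
    one of its upstream dependencies fails."""
    dependents = defaultdict(list)
    for a in assets.values():
        for upstream in a.depends_on:
            dependents[upstream].append(a.name)
    seen, stack = set(), [failed]
    while stack:
        node = stack.pop()
        for d in dependents[node]:
            if d not in seen:
                seen.add(d)
                stack.append(d)
    return sorted(seen)


def pair_risk(assets: Dict[str, Asset], pair: ThreatAssetPair) -> dict:
    """Annualised consequences (dollars, lives, downtime) of one threat-asset
    pair, including the cascade into dependent assets in other systems.
    Uses the likelihood x vulnerability x consequence form (assumption)."""
    affected = [pair.asset] + downstream_cascade(assets, pair.asset)
    p_fail = pair.annual_likelihood * pair.vulnerability
    return {
        "pair": (pair.threat, pair.asset),
        "affected": affected,
        "dollars": p_fail * sum(assets[a].replacement_cost for a in affected),
        "lives": p_fail * sum(assets[a].lives_at_risk for a in affected),
        "downtime": p_fail * sum(assets[a].downtime_days for a in affected),
    }


def prioritise(assets: Dict[str, Asset], pairs: Sequence[ThreatAssetPair],
               weights: Tuple[float, float, float] = (1.0, 5_000_000.0, 50_000.0)
               ) -> List[dict]:
    """Rank pairs by one weighted score so the budget process can compare
    options across systems. The weights turn lives and downtime days into
    dollar equivalents; they are policy choices, not analytical results."""
    w_cost, w_life, w_down = weights
    scored = []
    for p in pairs:
        r = pair_risk(assets, p)
        r["score"] = w_cost * r["dollars"] + w_life * r["lives"] + w_down * r["downtime"]
        scored.append(r)
    scored.sort(key=lambda r: r["score"], reverse=True)
    return scored


def build_sample():
    """Constructed four-system slice of a region (values invented)."""
    assets = {a.name: a for a in [
        Asset("gateway_substation", "electric", 20e6, 0.0, 10.0),
        Asset("filtration_plant", "water", 30e6, 0.0, 30.0),
        Asset("water_pumps", "water", 5e6, 0.0, 5.0, ["gateway_substation"]),
        Asset("hydrant_supply", "fire", 1e6, 2.0, 5.0, ["water_pumps"]),
        Asset("ecc_call_taking", "comms", 2e6, 3.0, 2.0, ["gateway_substation"]),
    ]}
    pairs = [
        ThreatAssetPair("ice storm", "gateway_substation", 0.10, 0.3),
        ThreatAssetPair("flood", "filtration_plant", 0.05, 0.5),
        ThreatAssetPair("sabotage", "water_pumps", 0.01, 0.8),
    ]
    return assets, pairs


if __name__ == "__main__":
    for r in prioritise(*build_sample()):
        print(f"{r['pair'][0]:>10} -> {r['pair'][1]:<20} score={r['score']:>12,.0f} "
              f"cascade={r['affected'][1:]}")
```

The substation pair ranks first even though its own replacement cost is lower than the filtration plant's, because the cascade pulls the water pumps, hydrant supply and 911 call taking into its consequence, which is the cross-system effect the text says single-department views tend to miss.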

4. Planning cycle

The result of the methodology is a set of rational priorities for making the infrastructures of a region more resilient, secure and reliable, to the benefit of all its residents and businesses.

4.1. Asset Level Analysis

RAMCAP analysis has been applied to representative systems of the four foundation critical infrastructure sectors:

• Energy: Electric Power Service
• Transportation: Public Works Department
• Water/Wastewater: Metropolitan Water Service
• Communications: Emergency Communication Center

For each system, mission-critical assets were identified and analyzed for specific threat vulnerability, dependency on external inputs and consequences of failure.

Regional Electric Power System. The system is composed of a limited number of key assets including:

• Transmission lines
• Major gateway substations
• Headquarters Operations Center
• Supervisory Control and Data Acquisition
• Maintenance yards

The critical external dependency is on transmission of electric power from the grid. The principal threats to the system are to the distribution system from wind storms and ice storms. Tornados have caused serious damage to transmission lines and substations in the past and elsewhere in the state. Flooding has caused damage to substations, but to date the system has exhibited adequate redundancy and flexibility to avoid major outages. Malicious attack is acknowledged as possible, but there has been no experience to date.

Regional Water and Wastewater System. The metropolitan water system includes two filtration and treatment plants that draw water from the major river in the region. Treated water is stored at five locations and the distribution system serves a population of roughly 650,000. Critical assets of the system are:

• Filtration plants
• Storage tanks
• Pumps
• Distribution system piping and valves
• Maintenance yard
• Vehicles
• Materials
• SCADA
• Headquarters Operations Center


The metropolitan water system suffered the loss of one filtration plant in a recent flood, but was able to meet regional demand from residual resources. The water system is dependent on the water source intake, electric power and treatment chemicals.

Regional Wastewater and Sanitary Sewer System. The wastewater system is made up of the following assets:

• Treatment plants (2)
• Trunk sewers
• Lift stations
• Collector sewers

The wastewater system has suffered overflows in recent floods and is dependent on electric power for pumps and plants as well as on sewage treatment materials.

Regional Road Transportation System. The primary focus of attention is on the road transport system. Critical assets include:

• Roads
• Bridges
• Tunnels
• Road maintenance yard
• Traffic signals
• Traffic management system
• Street lighting


Road system disruptions have been experienced as a result of flooding. The road system is dependent to some degree on electric power for signals, lighting and operable equipment.

Regional Emergency Communications System. A critical component of the communications sector under the authority of the metropolitan government is the Emergency Communications Center, which coordinates the call taking (911) of requests for assistance from the public and the relay of dispatches to the various public safety agencies. The critical assets for the Emergency Communications Center are:

• Call Centers
• Incoming lines and wireless
• Radio system for dispatch

The dispatch side of the ECC is well planned, with fully redundant facilities and redundant backup generation. However, the call taking function is totally dependent on the robustness of the commercial landline and wireless systems. Both these commercial systems are largely dependent on electric power to cell towers and to digital telephone instruments.

Regional Public Safety Systems. The metropolitan Fire Department includes both Fire Suppression and Emergency Medical Services. Key assets for these services include:

• Fire headquarters operations center
• Fire houses
• Fire apparatus
• Bottled air
• Water at incident site
• Resupply of expendable materials

Key dependencies for Fire Department response are:

• Emergency Communications (electric power)
• Road access to incident sites
• Water to hydrants (electric power)

Emergency Medical Services critical assets include:

• Ambulances
• Medical supplies

Key dependencies for the EMS include:

• Emergency communications (electric power)
• Road access to incidents
• Functioning hospital emergency rooms

5. Four Levels of Risk Assessment

5.1. Asset Level

The asset level of risk assessment is undertaken with the relevant planning and operational staff of the system under study. This may include managers for operations, special operations and budget development. With the guidance of these subject matter experts, the agency/system mission is defined and key assets are defined in terms of their criticality for the central mission. These assets are then each evaluated in terms of their vulnerability to the range of relevant threats. The threats considered in this research include:

- Natural hazards
  - Flood
  - Earthquake
  - Hurricane
  - Tornado
  - Ice storm
- Technological hazards
  - Industrial accident
  - Hazardous materials release
  - Deterioration/aging
- Malicious actions
  - Crime/vandalism
  - Sabotage/terrorism

Specific threat-asset pairs are evaluated in terms of intensity, frequency and consequences, expressed in dollars, deaths and downtime.

5.2. System Level

System consequences are assembled for event scenarios of estimated probability in terms of the decrement of normal service delivery. System performance is estimated on the basis of the calculated consequences and assembled from the previously calculated asset consequences.

5.3. System of Systems Level

Inter-system dependencies are identified through analysis of after-action reports for relevant disaster events and with the expert advice of experienced local subject matter specialists. Consequences of cross-system cascading failures are calculated from the assembled asset and system consequence data.

Prioritization of Interventions. Priorities are established at the asset level based on the potential consequences of failure, taking into account the potential impacts of cascading failures within the system and across systems. Recognition of the importance of inter-system dependencies in the calculation of comprehensive regional consequences requires that probable cascading failure paths be addressed at each point of dependent failure. It is evident that interrupting cross-system cascading failures requires coordinated intervention at various points along the cascade path, and hence the coordinated action of multiple systems and management organizations. While system managers and their related departments are typically aware of cascading failure paths within their principal system, it is more complicated, and rare, for these managers and departments to be motivated to track the consequences of failures in dependent systems administered by other agencies. The essential functional specialization of public infrastructure departments effectively limits the tracking and mitigation of cross-system consequences of failure.

5.4. The Budget Process

The budget construction process begins at the subunit level and continues up the hierarchy of each department. Priorities for future expenditure are primarily based on past expenditure patterns. Deviations from previous-year budgets are typically incremental and reflect adherence to the central mission and traditional practice of the department. Departmental budget proposals are passed on from department budget analysts to the Office of Management and Budget, where budgets for groups of agencies are assembled, compared and reviewed by the director of finance, a representative of the Mayor. Department heads are asked to defend their budget submissions before the Mayor and the Metropolitan Council. Typically, there is no formal or informal reference to risk management related to disaster risk reduction. Risk management, when referred to, is usually concerned with questions of insurance purchase rather than risk reduction or mitigation investment.
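The cross-system cascade of 5.3, worked through in code as an added example (not part of the chapter): the dependency graph follows the dependencies listed above for the ECC, fire and EMS services, and the consequence figures are constructed; the any-of rule for 911 call taking (either commercial network suffices) and the "harden one intermediate node" search are modelling assumptions of this example.

```python
"""Cascade propagation across dependent regional systems (added example).

Constructed dependency graph based on the dependencies the chapter lists:
electric power feeds traffic signals, cell towers, landline telephony and
hydrant water pressure; 911 call taking depends on the commercial phone
networks; fire and EMS response depend on communications, road access,
hydrant water and (for EMS) functioning hospital emergency rooms.  The
dispatch side of the ECC has its own backup generation, so it has no
inbound dependency.  All consequence figures are constructed.
"""

# dependent node -> list of nodes it depends on
DEPENDS_ON = {
    "electric_power": [],
    "hospital_er": [],
    "ecc_dispatch": [],                       # redundant backup generation
    "traffic_signals": ["electric_power"],
    "cell_towers": ["electric_power"],
    "landline": ["electric_power"],
    "hydrant_water": ["electric_power"],
    "ecc_call_taking": ["cell_towers", "landline"],
    "road_access": ["traffic_signals"],
    "fire_response": ["ecc_call_taking", "ecc_dispatch",
                      "road_access", "hydrant_water"],
    "ems_response": ["ecc_call_taking", "ecc_dispatch",
                     "road_access", "hospital_er"],
}
# Nodes that fail only when ALL their dependencies fail (either phone
# network can carry a 911 call); every other node fails if ANY does.
ANY_OF = {"ecc_call_taking"}

# Constructed asset-level consequences of losing each node for one day:
# (dollars, deaths, downtime hours) - the chapter's three consequence units.
CONSEQUENCE = {
    "electric_power": (2_000_000, 0, 24), "traffic_signals": (150_000, 0, 24),
    "cell_towers": (300_000, 0, 24),      "landline": (200_000, 0, 24),
    "hydrant_water": (100_000, 0, 24),    "ecc_call_taking": (500_000, 2, 24),
    "ecc_dispatch": (500_000, 2, 24),     "road_access": (400_000, 1, 24),
    "fire_response": (1_500_000, 3, 24),  "ems_response": (1_200_000, 4, 24),
    "hospital_er": (800_000, 3, 24),
}


def propagate(initial_failures, depends_on=DEPENDS_ON, any_of=ANY_OF):
    """Return the set of all failed nodes once the cascade settles."""
    failed = set(initial_failures)
    changed = True
    while changed:                      # fixed-point iteration (graph is small)
        changed = False
        for node, deps in depends_on.items():
            if node in failed or not deps:
                continue
            dead = sum(1 for d in deps if d in failed)
            all_dead = dead == len(deps)
            if all_dead or (dead > 0 and node not in any_of):
                failed.add(node)
                changed = True
    return failed


def total_consequence(failed, consequence=CONSEQUENCE):
    """Dollars and deaths are summed over failed nodes; downtime is the max."""
    dollars = sum(consequence[n][0] for n in failed)
    deaths = sum(consequence[n][1] for n in failed)
    downtime = max((consequence[n][2] for n in failed), default=0)
    return dollars, deaths, downtime


def best_single_intervention(initial_failures, depends_on=DEPENDS_ON,
                             any_of=ANY_OF):
    """Find the intermediate node whose hardening cuts the most dollar loss.

    Hardening a node (e.g. backup generation at cell towers) is modelled by
    removing its inbound dependencies, which is the chapter's point that a
    cross-system cascade must be interrupted at dependent nodes along the
    path, not only at the root asset.
    """
    baseline = total_consequence(propagate(initial_failures, depends_on, any_of))[0]
    dependents = {d for deps in depends_on.values() for d in deps}
    best = (None, 0)
    for node, deps in depends_on.items():
        if node in initial_failures or not deps or node not in dependents:
            continue
        hardened = dict(depends_on)
        hardened[node] = []
        loss = total_consequence(propagate(initial_failures, hardened, any_of))[0]
        if baseline - loss > best[1]:
            best = (node, baseline - loss)
    return best


if __name__ == "__main__":
    outage = propagate({"electric_power"})
    print(sorted(outage))
    print(total_consequence(outage))
    print(best_single_intervention({"electric_power"}))
```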

6. Conclusion

The value of comprehensive risk assessment can be demonstrated at four levels:

1. Asset level assessment provides useful guidance to operational units on the development of priorities for both short-term and long-term risk management.
2. System level assessment provides useful guidance to system managers and department heads on the proper allocation of resources to balance current operational needs against investments in mitigation and preparedness for a range of potential future disaster events.
3. Cross-system or system-of-systems level analysis provides understanding of the complex cross-system dependencies and interdependencies that account for a significant proportion of unanticipated losses due to disasters of all causes.
4. The management and budget function is seriously in need of analytical tools that will make possible the clarification of relevant “packages” of investment across departments and agencies to provide maximum return on investments in regional risk reduction, security and resiliency.


Comparative Analysis of Technological and Intelligent Terrorism Impacts on Complex Technical Systems – N.A. Makhutov and G.B. Baecher (Eds.) IOS Press, 2012 © 2012 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-61499-131-1-69


Technical Approaches To Supply Sea And Off-Shore Oil And Gas Objects Protection From Illegal Actions A.V. BOCHKOV, PhD, V.V. LESNIKH, Doctor of Sci, Prof. LLC «NIIgaseconomika»

Abstract. The technical approaches applied to the protection of sea and off-shore oil and gas objects from illegal actions are considered in this article, and the concept of a base threat for such objects is introduced. The questions of rating (categorizing) sea and off-shore objects according to the risk of illegal actions are considered, and requirements for their levels of security depending on category are introduced. The importance of state participation in creating the protection system of the considered objects and in ensuring the safety of their functioning is noted. Keywords: oil and gas objects, off-shore, threat, risk, protection, illegal actions, rating features.


1. General provisions

The experience of recent years shows that the share of losses of producer companies worldwide is increasing as a result of the actions of international organized criminal groups. To a greater or lesser degree this threat touches politically unstable regions (the Near East, the Persian Gulf zone, Africa, India, the countries of South and Latin America); however, the prospective development of the fuel and energy complex (FEC) of the Russian Federation, the move of Russian producer companies off-shore, and also the strategic objective of stabilizing Russia's position in the world division of labor as an energy superpower, raise new demands on the safety and reliability of functioning of FEC objects and, first of all, objects of the oil and gas industry. An example is one of the largest fields of the Russian off-shore, the Shtokmanovskiy gas condensate field (ShGCF), discovered in 1988. The field is located in the central part of the Russian sector of the Barents Sea shelf, 600 km to the northeast of Murmansk. The sea depths in this area range from 320 to 340 m. The known reserves are estimated at 3.7 bn cubic m of gas and 31 mn tn of condensate. One of the purposes considered for the ShGCF development project is the manufacture of condensed natural gas (CNG) and its sale in the markets of the USA and Europe. The achievement of this purpose is closely connected with the safety of functioning of the ShGCF surface facilities and defines the relevance of developing new technical approaches to the protection of these objects [1]. The primary objective of any protection system is the detection and prevention of attempts to commit illegal actions concerning the property of physical persons and information at objects.


A.V. Bochkov and V.V. Lesnikh / Technical Approaches to Supply Sea and Off-Shore Oil

The technical approach offered in this article is based on the so-called principle of acceptable equal risk: the security of oil and gas objects located on the high sea and off-shore is provided at a level defined from the condition that the proprietor's risk of their destruction (termination of functioning) is equal to that of other objects. Further, by risk we mean the probable damage (negative consequences) to the state and to the proprietor of the objects arising from illegal actions concerning the considered object. This risk is characterized by the product of the probability that the illegal actions achieve their purpose (the index of object vulnerability) and the average damage caused by these actions. The risk factor of illegal actions on sea and off-shore oil and gas objects is the basic measure of the efficiency of the actions directed at their protection.


2. Definition of base threat

The concept of "threat" is one of the main ones in work on the creation and modernization of the protection system of any technological object. By the threat of illegal actions concerning sea and off-shore oil and gas objects (fig. 1) we understand the stated (shown) intention, in any form, to do physical, material or other harm to public or personal interests [2, 3]. It is supposed that the source of threats is a person (people) acting according to a purpose of inflicting harm developed in advance. When considering diversions against modern technological objects, statistical methods are of little use: the purposeful character of the actions, the huge number of possible purposes, the specificity of each situation and the awareness of infringers do not allow the place, time, character and scale of the next action to be predicted. Moreover, infringers "study", accumulate experience of successful and unsuccessful operations, and thereby do not repeat their errors and inefficient actions (so-called intellectual terrorism). Taking this into account, deliberate actions that have already happened should be considered only for defining their existing character and, where possible, their development trends. For example, from the fact that infringers have carried out a rather limited number of actions against platforms, it does not follow that a series of actions against such objects cannot begin in the long term within a rather limited time. In view of this, for forecasting the character and possible scale of losses from diversions, the «full pessimism» principle declared by the IAEA can be used, under which it is assumed that all technical means and forces available to terrorists for carrying out operations at sea, off-shore and in ports can be used against the considered objects. A comparative analysis of infringer models, with reference to exploration objects, allows the following four types of model to be distinguished (fig. 2):

- Model of actions against a sea stationary surface object, covering actions against production platforms, floating storages and ships for the transshipment of liquid hydrocarbons;
- Model of actions against a sea mobile surface object, including actions concerning tankers for the transportation of liquid hydrocarbons;
- Model of actions against a sea stationary subsea object, including actions concerning subsea production complexes, underwater sea transfer and off-shore pipelines;
- Model of actions against a shore stationary object located at the shoreline, i.e. shore-based terminals.

Figure 1. Structure of sea and off-shore oil and gas objects (elements shown: sea production, subsea production, subsea feeder, subsea transfer pipeline, loading terminal, tanker, CNG)

At the same time, it is clear that organizing an effective diversion in the surface part of a sea object or of an object located in the off-shore zone (footnote 1) is extremely difficult. The operation can easily be disclosed at the preparation stage, and the success of such an action is also improbable. Besides, the damage from an underwater diversion is an order of magnitude greater than the damage from the actions of a diversionary group in the surface part of sea objects. The combination of the secrecy of an underwater diversion with the consequences (i.e. productivity) of carrying it out is not comparable with any other possible kind of attack on sea objects. It can be confirmed that the productivity of an underwater diversion is comparable, in its consequences, to the destruction following an armed attack on an object with rockets and aircraft, while the cost of preparation and the cost of carrying it out are rather low. Therefore, in peacetime, the threat of action from under water must be considered the basic (base) threat of acts of sabotage against sea and off-shore oil and gas objects.

Footnote 1. Further, speaking about sea oil and gas objects, we also mean oil and gas objects located off-shore.

3. Complex of organizational arrangements providing a set level of safety

The first thing to which attention must be drawn is that the problem of the safe functioning and protection of sea and off-shore oil and gas objects against illegal actions, because of the uniqueness of these objects, the high cost of both the objects and the possible ecological, political and social consequences, is a problem of federal scale which should be solved with the involvement of all forces and means (technical, organizational, ecological, political and legal) that the state has.

Figure 2. Model of actions against sea and off-shore oil and gas objects (the figure shows the visibility zone of the surveillance system for small targets and the infringer models: an air infringer, i.e. a plane or copter of small aircraft, V = 50-200 km/h; a surface infringer, i.e. a pleasure or fishing craft or inflatable boat, V = 8-30 knots; and subsea infringers, V = 0.5-0.9 knots and V = 3-15 knots; each with its detection distance D)


The complex of organizational arrangements providing a set level of sea object safety should be developed at the stage of design assignment preparation and at preliminary design, and should provide timely detection and absolute suppression of any unauthorized activity, which in turn is provided by the efficiency and resoluteness of the management of the sea object safety system. Efficiency of management is provided by:

- Presence of systems providing positioning, communication, technical identification, hydroacoustic, radio engineering and specific surveillance of the situation in the distant and middle surveillance zones;
- Presence of remote mobile systems for illuminating the situation in the upper hemisphere and for sea-bottom survey (helicopters and mine-reconnaissance submersibles);
- Integration of the situation illumination systems around the objects into the corresponding situation illumination systems of the navy;
- Presence of automated control systems;
- Interaction with the high-mobility duty forces of the navy.

Resoluteness of management means the right of the object security service to stop (either independently or with the involvement of the high-mobility duty forces of the navy) any unauthorized activity specified in international agreements: infringement of the special rules of navigation around the objects; attack on the objects; attack on working elements of the situation illumination system, etc. In the complex of organizational arrangements providing a set level of sea object safety it is necessary to provide for the obligatory development of a «Complex of arrangements for restriction of free navigation schedule», in the form of special rules, for example: obligatory prior notification of object security about the movement of all ships of all countries of the world (including combat surface ships and submarines in surfaced position), and also of helicopters and hydroplanes, planning to cross a route; obligatory technical identification of ships by the protection service at the crossing of the borders of the object's protected zone (a pipeline route); other obligatory prohibitions. All the mentioned restrictions and prohibitions, with the corresponding navigational descriptions, need to be coordinated and settled with the world community in the form of particular changes to the provisions of international maritime law. Thus an obligatory study of questions of the legal status of sea oil and gas objects, of the objects' protected zone and of their safety maintenance systems should precede designing, and the design process itself should be accompanied by planned and timely correction of the legal framework. The information interface of the subsystems within the safety system should have a multilevel hierarchical structure providing centralized (within the limits of the general problems) and local (within the limits of object problems) management. Integration of the information control systems should be carried out on the basis of a common technical policy considering the features of the cooperating federal executive authorities, the proprietor of the objects and other interested organizations. All in all, the realization of any protection measures demands well-founded and rational expenses, which can be provided within the framework of a procedure for managing the security of objects, an example of which is illustrated in fig. 3 [4, 5, 6]. In general terms, the realization of the specified procedures can be reduced to three basic groups: setting of requirements for the technical security of objects; security estimation; maintenance of security [4].

4. Sea and off-shore oil and gas objects rating features issues (footnote 2)

The category of a protected object is a complex estimation of its condition considering the economic or other (for example, cultural) importance of the given object, depending on the character and concentration of the values concentrated there, the consequences of possible criminal encroachments on them, and the difficulty of maintaining the demanded reliability of its protection [6]. The problem of rating features is, as a rule, solved with the help of expert methods [5, 7, 8]. Though rating the features of objects does not by itself solve the safety problem, it allows the degree of potential danger and the general requirements for the protection system of each concrete object to be established. The major problem after rating the features of objects is their separation into groups (turns) of equipment with safety means, whereby the decision-maker, as a rule, possesses very indistinct (fuzzy) information on whether a given object belongs to a given group. Thus, when deciding on increasing the security of a set of protected objects for which the rating procedure by degree of potential danger and criminal-terrorist vulnerability has been carried out, there arises a problem known in mathematics as the fuzzy unsupervised clustering problem (cluster analysis) [9].

Footnote 2. See, for example, GOST R 50776-95 (MEK 839-1-4-89).


Figure 3. Security management algorithm for a group of facilities

It is obvious that there are not enough means to simultaneously equip all objects which have received the highest categories according to degree of potential danger and criminal-terrorist vulnerability; therefore corporations and owners of large territorially distributed transport and power systems inevitably face the question of the priority of object protection [11, 12]. Generally, classification of the objects of an arrangement by degree of risk of illegal actions is carried out taking account of [10, 11, 12]:

- Results of classification by size of potential danger (cumulative damage from the damage (destruction) of objects) and their vulnerability to illegal actions;
- Structure of the classified object;
- Probability of success of infringers when carrying out diversions concerning the object;
- Threat level in the region where the object is placed;
- Preference of the given object for the fulfillment of diversions against it.

Classification of objects by degree of risk of illegal actions allows the following to be established:

- Priority of object protection;
- Objects of protection which are subject to primary protection.

Objects of protection of the 1st class by degree of external illegal action (EIA) risk need primary protection. The object class by probable consequences (risk) of terrorist actions is established by means of criteria for the scale of the probable consequences (risk) of terrorist actions concerning objects of protection (tab. 1). As the criterion parameter, the standardized value of the probable consequences (risk) of terrorist actions $r$ is used, for whose estimation the following are necessary: the data of the hierarchical classification of the objects of protection; the object classes by potential danger and terrorist vulnerability; and the model of the infringer.

Table 1

Class | Risk area  | Classification criterion | Priority of measures on protection increasing
1     | Negligible | $r < r_1$                | Adoption of supplementary safety measures is not needed
2     | Acceptable | $r_1 \le r < r_2$        | Adoption of measures on protection increasing is needed
3     | Excessive  | $r \ge r_2$              | Adoption of measures on protection increasing is needed in high priority

The probable consequences (risk) resulting from the possible destruction and/or termination of the object's functioning, for the interested subject, in the standardized variable of the qualitative-quantitative scales of potential danger and terrorist vulnerability, are estimated by the formula

$$ r = q \cdot w $$

where $q$ and $w$ are the standardized values of the degree of absolute vulnerability of the object and of the average consequences of a terrorist act for the interested subject over the set of possible scenarios of illegal actions against the object. All considered variables are reduced to standardized ones by means of a corresponding recalculation procedure. For example, the standardized degree of average consequences of a terrorist act on the object is calculated by the formula

$$ w = w_{\max} - \lg k $$

where $w_{\max}$ is the object class by potential danger (the standardized degree of maximum consequences of destruction and/or termination of the object's functioning) and $k$ is the ratio coefficient converting the maximum consequences of a terrorist act into the average over the set of possible scenarios of terrorist actions. The level of awareness of the infringer is taken from the corresponding model (footnote 3). Critical elements of an object are characterized by different consequences in case of their destruction. For example, in fig. 4 the critical elements, i.e. the purposes of a diversion, are numbered according to the damage caused if the infringer achieves them. Achievement of purpose No. 1 leads to the maximum damage $w_1 = w_{\max}$. As a result, the purposes differ in their importance for the infringer, depending on the effect of the illegal action that he assumes can be reached (the case of 4 different-type purposes).

Footnote 3. If the infringer model contains no information about his level of awareness of the object, it is recommended to consider it as average.


The infringer choosing the purpose of illegal actions aspires to cause the maximum damage to the interested subject: $w \to w_{\max}$. But this aspiration is limited by the absence of trustworthy information about the sensitivity of the possible purposes of the illegal action. As a result the infringer forms subjective factors $c_j$ of the relative importance of the purposes according to the information available to him.

Figure 4. Damages in case of achievement of the purpose of illegal actions (damage $w_j$ plotted against purpose number $j$ for four purposes: $w_1 = w_{\max}$, $w_2 = \tfrac{2}{3} w_{\max}$, $w_3 = \tfrac{1}{3} w_{\max}$, $w_4 = 0$)


The criterion parameters $r_1$ and $r_2$ (see Table 1) are established from consideration of the list of objects of protection (or another group of objects) ranked according to the size of the probable consequences (risk) $r$ of illegal actions. The value of the negligible level of terrorist risk $r_1$ is defined from the condition of sufficiency of the arrangements carried out for the protection of objects, depending in turn on the object classes by potential danger. For example, as a first approximation, with a 6-point scale on vulnerability and a 5-point scale on damage, it is recommended to accept the value $r_1 = 4$.

The value of the acceptable level of terrorist risk $r_2$ is established depending on the planned volume of financing of targeted actions for object protection. For this purpose the total expenses for maintaining the security of all objects whose standardized value of probable damage exceeds $r_2$ are calculated. It can be said that the value of the criterion parameter $r_2$ is established from the condition

$$ C(r_2) \le C^{*} $$

by replacing the inequality with the equality $C(r_2) = C^{*}$, where $C(r_2)$ denotes the expenses within some program of object protection for the objects whose standardized probable consequences exceed $r_2$, and $C^{*}$ denotes the resources made available for realizing the program. According to the results of the classification of objects of protection by probable consequences (risk) of illegal actions, the priority of object protection is established


against terrorist actions (depending on the obtained value of the index r), and the objects that require priority protection against terrorist actions are identified.⁴ Since objects of the 3rd class by probable consequences (risk) of illegal actions carry excessive risk for the interested subject, such objects need security-enhancing measures as a first priority.

When setting norms for the equipment of objects located in a given territory, under the jurisdiction of a federal executive body or belonging to an owner, a further problem arises: objects of different industrial, technological and other purposes have different importance for the interested subject (the state, the public authorities of a constituent entity of the Federation, the owners of a corporation, etc.), in particular a different potential danger, which affects their attractiveness to infringers and hence demands a different volume of technical protection measures. When rating objects by their degree of vulnerability to illegal actions, a further problem is ensuring that the vulnerability estimates are comparable. These estimates should be obtained under identical initial assumptions that correctly describe, in mathematical terms, the real operating conditions of the objects with respect to possible deliberate actions against them.

Both problems are solved by setting qualitative or quantitative requirements for object security or for the efficiency of the protection systems. Qualitative requirements consist of requirements for object zoning, for equipping the protection boundaries with technical security equipment (TSE), and for organizational arrangements. The outcome of a deliberate action (its purpose is achieved or it is not) is a random event, because a great number of random factors influence it. Therefore, for the technical security of objects, by analogy with the accepted practice of setting requirements for reliability, resistance, survivability, etc., it is expedient to set quantitative requirements in the form of a restriction on a security indicator of the object in probability form:


P_n ≥ P_n,req

where the security indicator P_n of the protected object is the probability that the deliberate action is interrupted, and P_n,req is the required value of the security indicator. Quantitative requirements for object security are also expediently differentiated according to the object's category by degree of potential danger, by setting the required value of the security indicator. The security indicator P_n of a protected object should be calculated with respect to an infringer specified by a formalized model, taking into account the region in which the object is located (the level of criminal-terrorist threat) and the object's category by degree of potential danger. Naturally, for groups of homogeneous objects operated in regions with equal criminal-terrorist danger, these models may coincide. An example of recommended levels of object security, depending on the object's category by degree of potential danger for scales with different numbers of categories, is given in Table 2.

⁴ As the level of terrorist threat, the antiterrorist security of the protected objects and the economic possibilities of the interested subject change, the values of the criterion parameters r1 and r2 should also be periodically reconsidered.

Table 2. Recommended levels of the security indicator P_n by object category (degree of potential danger) for scales with 6, 5, 4 and 3 categories

Object      6-category   5-category   4-category   3-category
category    scale        scale        scale        scale
   1          0.95         0.95         0.95         0.95
   2          0.90         0.90         0.90         0.90
   3          0.8          0.8          0.8          0.5
   4          0.7          0.7          0.5          -
   5          0.6          0.5          -            -
   6          0.5          -            -            -

The set of protection means at the object should ensure that the engineering-technical security requirement given above is met; this should be taken into account when establishing the norms for equipping the object and when designing its protection system.

5. Conclusions

The analysis of the experience of different countries in creating and operating protection systems for offshore objects of the gas and oil production complex (production complexes, platforms, subsea pipelines, tankers, sea terminals) shows that various organizational and technical measures are directed at the safety of these objects; in particular, they:

- create power structures responsible for safety in the coastal zone;
- organize patrolling of the areas where oil and gas platforms are located by power-structure units, and escort of tankers passing through narrows and calling at ports;
- create in ports mobile groups equipped with watercraft and underwater weapons for the search, detection and counteraction of underwater swimmers;
- periodically carry out preventive surveys of the bottom of port water areas and of the bottoms of ships and structures to search for mines, explosive charges and other dangerous objects;
- monitor the surface situation from coastal radar surveillance facilities;
- organize protection against fast-moving vessels in ports and at moorings;
- inspect ships entering ports and check their protection plans for conformity with the international requirements of the International Ship and Port Facility Security Code (ISPS).

Thus, oil and gas companies need to pay careful attention to developing safety plans for their objects and plans for operational recovery in case of attack. It is also reasonable, when developing the structure of the measures and procedures provided for by the safety plans, to apply the so-called concept of minimum acceptable risk (ALARP): the measures and procedures provided by organizational and technical means do not claim at all to guarantee object safety under any conditions.


Also, in the safety plans of oil and gas companies for their coastal and offshore objects it is expedient to pay special attention to interaction with the authorized governmental bodies of various levels responsible for safety at sea and in the areas adjacent to the objects.

Regarding the requirements for a system of object rating, it should be noted that rating by degree of potential danger should be based on a prior estimate of the full damage to the interested subject in case of destruction (or termination of functioning) of the objects under consideration as a result of an illegal action carried out under the most adverse threat scenario accepted for the object. Owing to the above, the essential factors of the rating problem are the following:

- in estimating the full damage from an illegal action it must be taken into account that its consequences have a vector character (material losses, human losses, ecological harm, etc.); these components are quite different and their estimation can be essentially complicated (including the separate problem of obtaining an integrated indicator that fully reflects the potential danger of the object);
- for rating purposes, not a posterior but an a priori estimate (forecast) of the consequences should be given, for some design case established by the results of a special analysis;
- the consequences of an illegal action are considered not in general but for the concrete interested subject, in whose interests the rating is made and who will provide, at his own expense, the further security from illegal actions of the objects belonging to him (or under his jurisdiction);
- in estimating the potential danger, the maximum possible consequences (this is what the term "potential danger" means) that would occur if the illegal action were carried out under the most adverse scenario should be considered;
- the possible scenarios of illegal action should be considered within the limits of a fixed ("design", "base") threat, specified in particular by a model of the infringer (his purposes, capabilities, etc.).

The analysis carried out shows that it is inexpedient to aspire to a unified federal scale for classifying objects by degree of potential danger, because such a scale would not take into account the features of the objects of a particular interested subject, and all of them could fall into one category. The scale is chosen by the interested subject (the state or the company); in classifying its objects, a company should use its own scale, which takes into account the features of the operation of its objects and the sizes of the damage in case of their destruction (termination of functioning). In expert estimation it is expedient to define the integrated consequences by components, which makes it possible to sum consequences having different dimensions. Expert estimation of the consequence components should be done not on absolute but on relative scales (relative to the other objects of the group under consideration). In addition, the importance of the consequence components should be taken into account. This can be achieved through a point-based estimation in which the maximum number of points for each component is assigned differentially according to the importance of the corresponding consequence of an illegal action for objects of the oil and gas industry.
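The following is an added example, not code from the Bochkov and Lesnikh chapter, showing how the point-based expert estimation just described and the security requirement P_n ≥ P_n,req from Table 2 fit together: each consequence component is scored relative to the largest value in the group, weighted by its maximum number of points, summed into an integrated indicator, mapped to a category on the chosen scale, and the object's calculated interruption probability is then checked against the required level. The component weights, the rule mapping the integrated score to a category, and the three sample objects are assumptions made for illustration; only the P_n levels per category are taken from Table 2.

```python
# Added example (not code from the Bochkov/Lesnikh chapter): expert point
# scoring of consequence components, categorization on a chosen scale, and a
# check of the security-indicator requirement P_n >= P_n,req from Table 2.
# Weights, the score-to-category rule and the sample objects are constructed.
from dataclasses import dataclass

# Maximum points per consequence component; a larger maximum means a more
# important component (ASSUMED weights, summing to 100 points).
MAX_POINTS = {"material": 30, "human": 50, "ecological": 20}

# Recommended P_n per object category from Table 2 of the chapter, one entry
# per scale (6-, 5-, 4- and 3-category scales; category 1 = highest danger).
REQUIRED_PN = {
    6: {1: 0.95, 2: 0.90, 3: 0.8, 4: 0.7, 5: 0.6, 6: 0.5},
    5: {1: 0.95, 2: 0.90, 3: 0.8, 4: 0.7, 5: 0.5},
    4: {1: 0.95, 2: 0.90, 3: 0.8, 4: 0.5},
    3: {1: 0.95, 2: 0.90, 3: 0.5},
}


@dataclass
class ProtectedObject:
    name: str
    consequences: dict  # expert estimate of each component, each in its own units
    pn: float           # calculated probability of interrupting the deliberate action


def relative_scores(objects):
    """Express each component relative to the largest value in the group (0..1),
    i.e. on the relative rather than absolute scale the chapter recommends."""
    maxima = {c: max(o.consequences[c] for o in objects) for c in MAX_POINTS}
    return {
        o.name: {c: (o.consequences[c] / maxima[c] if maxima[c] else 0.0)
                 for c in MAX_POINTS}
        for o in objects
    }


def integrated_score(rel):
    """Sum the weighted relative components into a single 0..100 indicator."""
    return sum(rel[c] * MAX_POINTS[c] for c in MAX_POINTS)


def category(score, n_categories):
    """ASSUMED rule: split the 0..100 range into n equal bands; band 1 = highest danger."""
    cat = n_categories - int(score * n_categories // 100)
    return min(max(cat, 1), n_categories)


def assess(objects, n_categories=4):
    """Categorize each object on the chosen scale and check P_n against Table 2."""
    rel = relative_scores(objects)
    result = {}
    for o in objects:
        score = integrated_score(rel[o.name])
        cat = category(score, n_categories)
        required = REQUIRED_PN[n_categories][cat]
        result[o.name] = {
            "score": round(score, 1),
            "category": cat,
            "required_pn": required,
            "compliant": o.pn >= required,
        }
    return result


# Constructed sample group: one company's offshore objects.
SAMPLE = [
    ProtectedObject("platform", {"material": 800, "human": 200, "ecological": 50}, 0.97),
    ProtectedObject("terminal", {"material": 400, "human": 100, "ecological": 30}, 0.85),
    ProtectedObject("pipeline", {"material": 200, "human": 10, "ecological": 50}, 0.82),
]

if __name__ == "__main__":
    for name, r in assess(SAMPLE).items():
        print(name, r)
```

On the 4-category scale the terminal lands in category 2 (required P_n 0.90) with a calculated P_n of 0.85 and is therefore the object needing security-enhancing measures first; the pipeline, whose ecological component is the largest in the group, still ends up in category 3. Running `assess(SAMPLE, 3)` shows how the same objects are redistributed when the company picks a coarser scale, which is the reason the chapter leaves the choice of scale to the interested subject.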


References

1. Lavrukhin, Yu.N., Bochkov, A.V., Lesnykh, V.V. Methodological Issues of Safety and Survivability for Onshore and Offshore Oil and Gas Facilities. Issues of Risk Analysis, Vol. 7, 2010, No. 3.
2. The Soviet Encyclopaedic Dictionary / Ch. Ed. A.M. Prokhorov. Moscow: Soviet Encyclopedia, 1989. 1389.
3. GOST 22.0.05-94. Safety in Emergencies. Technological Emergencies. Terms and Definitions (in Russian).
4. Lesnykh, V.V., et al. (2008). The Methodological Aspects of Setting Requirements to, Evaluating, and Providing Protection of Gas Industry Facilities against Criminal Acts. Monograph, Moscow: VNIIGAZ, 164 pages (in Russian).
5. Konovalov, V.A., et al. (2006). Categorization of Facilities. A Key Factor in Ensuring the Effectiveness of Complex Security Systems. Security Systems, No. 6 (in Russian).
6. Kravets, V.A. (1984). System Analysis of Safety in Oil and Gas Industry. Moscow: Nedra, 117 p. (in Russian).
7. Bochkov, A.V. (2008). The Use of the Hierarchy Analysis Method for Categorization of Critical Facilities based on total damage and the risk of unlawful acts. Problemy Analiza Riska, Vol. 5, No. 4, pp. 6-13 (in Russian).
8. Bochkov, A.V. (2009). Categorization of Critical Facilities by Vulnerability to Unlawful Acts Using Expert Techniques. BDI (Bezopasnost, dostovernost, informatsia), No. 1 (82), pp. 22-24 (in Russian).
9. Leonenkov, A. (2005). Fuzzy Simulation in the MATLAB and Fuzzy TECH. St. Petersburg: BHV-Petersburg, 768 p. (in Russian).
10. Ushakov, I.A., et al. (2007). Analysis of the Risk of Terrorist Attacks: the Use of Minimax Criterion. Strahovoye delo, No. 3-4 (in Russian).
11. Radaev, N.N., Bochkov, A.V. (2008). Assessment of Terrorist Risk in Operation of Facilities. Proceedings of International Scientific School MABR, Modeling and Analysis of Safety and Risk in Complex Systems, St. Petersburg, 24-28 June 2008 (in Russian).
12. Ushakov, I. Counter-terrorism: Protection Resources Allocation. e-Journal Reliability: Theory & Applications, Vol. 1, No. 2, 3, 4, 2006.


Comparative Analysis of Technological and Intelligent Terrorism Impacts on Complex Technical Systems – N.A. Makhutov and G.B. Baecher (Eds.) IOS Press, 2012 © 2012 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-61499-131-1-81

Management for Security Processes

Sebastian HÖHN
Albert-Ludwig University Freiburg, Centre for Security and Society, Germany

Abstract. Nowadays most security-relevant processes and workflows are statically defined and performed, and hence all the necessary security measures must be determined in advance. Current research shows that the security level can be enhanced if these processes take into account real-time risk information collected during their execution. We will present two application scenarios we developed for research projects: airport checkpoints with dynamically adapted security processes considering risk information from check-in luggage and passenger screening; and neutralization of improvised explosive devices considering information from real-time risk mitigation. Both scenarios show that real-time risk mitigation and dynamically adapted workflows have the potential to enhance security and reduce risk. We will present basic conditions for the underlying information system infrastructure and the dynamic adaptation of the processes and workflows.

Keywords. Real-time information, risk mitigation, workflows.


Comparative Analysis of Technological and Intelligent Terrorism Impacts on Complex Technical Systems – N.A. Makhutov and G.B. Baecher (Eds.) IOS Press, 2012 © 2012 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-61499-131-1-82

Individual life safety risk criteria

P.A. ZIELINSKI
Ontario Power Generation

Abstract. The goal of safety management is to ensure that every infrastructure presents a tolerable level of risk and that such risk be as low as reasonably practicable. This document comments on dam safety decision making, focusing on risk evaluation criteria. A more detailed discussion of the philosophy of dam safety decision making is found in Hartford et al. (2004). The objective of dam safety management is based on the principle that the standard of care should be commensurate with risk and should reflect society's values in allocating resources to protect life and property. ‘Risk’ incorporates both the consequences of an adverse event and the probability of the event occurring, taken here as the product, Risk = [Probability] x [Consequence]. In practice, however, the traditional approach to dam safety management has been to apply classification schemes in which consequences alone are used as a proxy for risk and probability is not considered. Because data are often limited, the assessor tends to be conservative in estimating consequences, and the result is a “Maximum Loss” approach unrelated to risk. A quantified risk analysis is preferable to such classification schemes as long as scientific tools are available.

Keywords. Tolerable risk, dam safety, loss of life.


1. Individual Risk – Definition

Although all adverse consequences resulting from exposure to a health and life safety hazard are important, fatality is the consequence which is usually the major, if not the only, concern addressed in legislative and regulatory considerations for life and health safety risk criteria in hazardous industries. Consequently, the term ‘health’ will be absent in this commentary and the focus will be exclusively on ‘life safety’. The discussion here is principally in the context of dam safety, but applies equally to other critical infrastructures and to risks due to both natural hazards and security threats.

A generic definition of individual risk is of a general nature and may be restricted to a simple statement that it is the risk to a single individual exposed to a hazard. Assuming the traditional definition of risk in engineering and technology as a function of the probability of being exposed to a hazard and the adverse consequences of this exposure, the risk for life safety purposes can be completely characterized by the probability of being exposed to the hazard, since the only consequence taken into account is the fatality. ANCOLD (2003) and ICOLD (2005) define individual risk in the context of dam safety as:

The increment of risk imposed on a particular individual by the existence of a hazardous facility. This increment of risk is in addition to the background risk to life, which the person would live with on a daily basis if the facility did not exist.

Since the presence and operation of dams, in the absence of their failure, modify the background risk to life in a positive way by reducing the risk to life due to natural flooding, the following modification of the ANCOLD and ICOLD definition could be considered:

Individual risk is the incremental probability of death that the failure of the dam imposes on some particular person. This increment of risk is in reference to the background risk to life, which the person would live with on a daily basis if the dam did not fail.


Various aspects of the characterization of risk to individuals exposed to a hazard were addressed in depth by the UK Health and Safety Executive (HSE, 2001). The report pointed out that although a risk assessment can be done to assess the risk to an actual person, such an approach would, for a variety of reasons, not only be impractical but also be of limited use. Therefore the HSE proposed to focus the attention of both risk assessment and risk criteria on a hypothetical person instead. A hypothetical person can be understood as an individual who is in some fixed relation to the hazard. In the case of risks caused by dam failures, a hypothetical person can be an individual living in a location within the dam-break inundation zone and having an assumed pattern of life. The reasons provided by HSE (2001) for accepting the concept of the hypothetical person in defining individual risk are sound and well argued. Therefore it is proposed to adopt the following definition of individual risk:

Individual risk is the incremental probability of death that the failure of a dam imposes on a hypothetical person. This increment of risk is in reference to the background risk to life, which the person would live with on a daily basis if the dam did not fail.

2. Individual Risk – Measures

Measures of individual risk can be expressed in several different ways – as single numbers, as combinations of numbers, or as various graphical characterizations. It should be pointed out that although the precise definition of a particular measure used for assessing risk is of extreme importance in establishing risk criteria, it is quite often overlooked. For example, the ICOLD (2005) Bulletin does not discuss the individual risk measure at all, and in the ANCOLD (2003) Guidelines a partial explanation of how the definition should be interpreted is provided within the text of the Guidelines. A summary of the various individual risk measures discussed in depth by CCPS (2009), Adler (2005), Jonkman et al. (2003), and Kauer et al. (2002) is provided below. For all of these measures the risk is understood as the probability of fatality per year. It can be noted that other, conceptually different risk measures are also being used in applications (Bedford and Cooke, 2001; Proske, 2008), but are of limited use in dam safety applications.


2.1. Location-specific individual risk

Location-specific individual risk is the risk to a hypothetical individual who is unprotected and present at a particular location at all times. Location-specific individual risk is a property of a particular location and for that reason is often called location or geographical risk. It is typically represented by iso-risk contour plots for the areas that can be inundated as a result of dam failure and is not dependent on whether people or residences are present. Thus location-specific risk describes the geographic distribution of risk for the site.

2.2. Maximum individual risk

Maximum individual risk is the individual risk to the person facing the highest risk within the population at risk (exposed population). It can be derived from the information provided by location-specific individual risk by calculating the risk at those locations where people can be present and then selecting the highest value.

2.3. Individual risk averaged over the exposed population

Individual risk averaged over the exposed population is the individual risk averaged over the population at risk. This measure is recommended only if the risk is more or less uniformly distributed over the entire exposed population, and for that reason may not be an appropriate measure for risk estimation for dam safety purposes.

2.4. Individual risk averaged over the duration of exposure


Individual risk averaged over the duration of exposure is the individual risk calculated for the duration of exposure, averaged over the year.

2.5. Comment on risk definitions

It is worth pointing out that, on closer examination, available guidelines and regulations for life safety are often either silent or imprecise on the exact measure of individual risk. Examples are:

- USACE (2011a, b) state that “The individual risk is represented by the probability of life loss for the identifiable person or group by location that is most at risk.” This definition of the risk measure is not precise enough. It can be understood as the maximum individual risk as defined above. On the other hand, it is not clear whether the duration of exposure can be or should be taken into account.
- ANCOLD (2003) states that it is the “[…] conditional probability of fatality for the person or group most at risk.” Similarly to the USACE definition, this definition of the risk measure does not provide any guidance on how the duration of exposure is to be accounted for.
- New South Wales Department of Planning (NSW, 2011a) and (NSW, 2011b) states that “ ‘Individual fatality risk’ is the risk of death to a person at a particular point.” However, there is no further interpretation of how this risk should be measured. Further, NSW (2011b) provides the following clarification: “In setting criteria, it is also necessary to account for variations in the duration of exposure to that risk at any particular point by any one individual.” It should be noted here that although the intention of this statement is clear, it is entirely misplaced. The accounting for the duration of exposure should be included in the calculated values of individual risk and not in the risk acceptance/tolerability criteria.

Other, more precise guidance on the estimation of individual risk and on how the measures for it can be constructed is quoted below.

- HK (2012) guidelines are specific on the calculation of the risk metric and state that: Individual risk is the predicted increase in the chance of death per year to an individual who lives or works near to a P[otential] H[azardous] I[nstallation]. As individual risk varies with location, it is often shown on a map of the area surrounding a PHI as contours of equal risk which decrease according to distance from the PHI […] Furthermore, when utilizing risk contours, the estimated duration of exposure of a person to the Potentially Hazardous Installation (PHI) should also be taken into consideration to determine the individual risk for comparison with the R[isk] G[uidelines].
- HSE (2001) addressed this aspect of the risk metric when discussing the advantages of considering hypothetical instead of actual persons and provided the following guidance: The concept of the hypothetical person “deals elegantly with the phenomenon that exposure to many hazards is not uniform but comes in peaks and troughs. This, if present, must be factored in when determining the exposure of any exposed population by creating as necessary one or more hypothetical person to take this into account. For example, the period of exposure of the hypothetical person could be time-weighted and/or more than one hypothetical person could be constructed to deal with the various attributes of the exposure to the hazard.”

In order to avoid inconsistency in assessing individual risk, and the lack of consistency between the assessed individual risk and the acceptable/tolerable life safety risk criteria, the proposal is made that the following interpretation of the individual risk measure be included: The individual risk should be assessed as the risk to the person facing the highest risk within the population at risk (exposed population), accounting for variations in the duration of exposure where appropriate.

3. Individual Risk – Safety Criteria

3.1. Basic Safety Limit and Basic Safety Objective

The criteria for life safety risks described in this section follow the philosophy and general concepts in characterizing and evaluating risk as developed by the UK Health and Safety Executive (HSE, 2001), which are increasingly considered a preferable model for the risk management of dams. The concept known as the Tolerability of Risk framework has at its foundation the assumption that the health and safety risks to people can be categorized as on the diagram below:

Figure 1. UK Health and Safety Executive (HSE, 2001) Tolerability of Risk framework

The two horizontal lines dividing the entire spectrum of risk are often called the:

- Basic Safety Limit (BSL), separating the risks which cannot be tolerated from the risks that can be tolerated under certain conditions;
- Basic Safety Objective (BSO), separating the risks that can be tolerated under certain conditions from the risks which are broadly acceptable or can be considered negligible.
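As an added illustration (not code from the paper), the block below computes the individual risk measures of Section 2 for a constructed dam-break inundation zone and places each result in a Tolerability of Risk band bounded by the BSL and BSO just defined, using the values the paper proposes in Section 4 (10^-4 and 10^-6). The cells, their location-specific risk values, populations and exposure fractions are all constructed for the example; nothing here is data from the paper.

```python
# Added example (not code from the Zielinski paper): individual risk measures of
# Section 2 computed for a constructed dam-break inundation zone, classified
# against the Basic Safety Limit / Basic Safety Objective of Section 3.1 using
# the values proposed in Section 4. Cells, populations and exposure fractions
# are constructed for illustration.
from dataclasses import dataclass

BSL = 1e-4  # Basic Safety Limit: annual fatality probability above this is intolerable
BSO = 1e-6  # Basic Safety Objective: at or below this the risk is broadly acceptable


@dataclass
class Cell:
    name: str
    lsir: float       # location-specific individual risk: annual fatality probability
                      # for an unprotected hypothetical person present all the time
    population: int   # people living/working in the cell (0 = nobody can be present)
    exposure: float   # fraction of the year a hypothetical person is actually there


# Constructed inundation zone; risk falls off with distance from the river.
CELLS = [
    Cell("valley floor (uninhabited)", 5e-4, 0, 0.0),
    Cell("riverside houses", 2e-4, 40, 0.8),
    Cell("school", 1.5e-4, 300, 0.2),
    Cell("hillside suburb", 3e-5, 1000, 0.7),
    Cell("industrial park", 2e-6, 50, 0.3),
]


def location_specific_risk(cells):
    """2.1: the risk contour values themselves, independent of whether anyone is present."""
    return {c.name: c.lsir for c in cells}


def exposure_averaged_risk(cell):
    """2.4: risk to the hypothetical person, time-weighted by the fraction of the year present."""
    return cell.lsir * cell.exposure


def maximum_individual_risk(cells, time_weighted=False):
    """2.2: highest risk among locations where people can be present (uninhabited
    cells are ignored), optionally with the duration of exposure accounted for."""
    inhabited = [c for c in cells if c.population > 0]
    return max(exposure_averaged_risk(c) if time_weighted else c.lsir for c in inhabited)


def population_averaged_risk(cells, time_weighted=False):
    """2.3: population-weighted mean, which the paper warns can hide a high-risk minority."""
    inhabited = [c for c in cells if c.population > 0]
    total = sum(c.population for c in inhabited)
    weighted = sum(c.population * (exposure_averaged_risk(c) if time_weighted else c.lsir)
                   for c in inhabited)
    return weighted / total


def tolerability(risk):
    """3.1: Tolerability of Risk bands separated by the BSL and the BSO."""
    if risk > BSL:
        return "intolerable"
    if risk > BSO:
        return "tolerable if ALARP"
    return "broadly acceptable"


def assess_site(cells):
    """Per-cell summary plus the site-level measure the paper proposes: the maximum
    individual risk with the duration of exposure accounted for."""
    per_cell = {
        c.name: {
            "lsir": c.lsir,
            "time_weighted": exposure_averaged_risk(c),
            "band": tolerability(exposure_averaged_risk(c)),
        }
        for c in cells if c.population > 0
    }
    site_risk = maximum_individual_risk(cells, time_weighted=True)
    return {"cells": per_cell, "site_risk": site_risk, "site_band": tolerability(site_risk)}


if __name__ == "__main__":
    summary = assess_site(CELLS)
    for name, r in summary["cells"].items():
        print(f"{name:28s} LSIR={r['lsir']:.1e}  time-weighted={r['time_weighted']:.1e}  {r['band']}")
    print("site:", f"{summary['site_risk']:.1e}", summary["site_band"])
```

Two things the numbers make visible: the school sits above the BSL on its location-specific value (1.5×10^-4) but in the tolerable band once its 20% occupancy is applied (3×10^-5), which is the paper's point that the duration of exposure belongs in the calculated risk rather than in the criterion; and the population-averaged measure (about 6×10^-5, tolerable) would conceal that the riverside houses face 2×10^-4, which is why the paper recommends the maximum individual risk for dam safety.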

Since the Tolerability of Risk model was first proposed by HSE (2001), the risks associated with the BSL and BSO have been defined in various regulatory and guidance documents. The values were derived predominantly from numerous fatality rate studies and then adjusted to account for the involuntary aspects of imposed risk considered reasonable in modern society. At present, these values can be considered safety requirements that achieve a broad consensus among regulatory bodies and owners of installations creating life safety hazards who are engaged in safety management.

3.2. Basic Data on Life Safety Risks

In order to relate the potential life safety risk criteria for dams to the risks facing the population in other facets of life, some basic information is provided below. HSE (2001) contains some basic information on fatality risks derived from the mortality data for the United Kingdom (Table 1). WHO (2012) and Proske (2008) provide the following information on maternal and infant fatality rates (Table 2). NSW (2011b) provides the following information on various risks individuals may be exposed to in everyday life in the state of New South Wales and in Australia (Table 3).


Table 1 – Fatality Data – United Kingdom

Population Group        Annual Probability of Death
Entire population       103×10^-4
Men aged 35-44          15.7×10^-4
Women aged 35-44        10.1×10^-4
Boys aged 5-14          1.45×10^-4
Girls aged 5-14         1.15×10^-4

Table 2 – Maternal and Infant Mortality

Country                 Annual Probability of Death
                        Maternal mortality    Infant mortality
Germany                 0.7×10^-4             30×10^-4
Australia               0.8×10^-4             40×10^-4
Canada                  1.2×10^-4             50×10^-4
United Kingdom          1.2×10^-4             50×10^-4
United States           2.4×10^-4             50×10^-4
Developed countries     1.0×10^-4             80×10^-4
Developing countries    500×10^-4             640×10^-4

Table 3 – Fatality data – Australia

Risk Source                     Annual Probability of Death
Cancers from all causes         18×10^-4
Travelling by motor vehicle     1.5×10^-4
Accidents at home               1.1×10^-4
Accidental falls                6.0×10^-5
Homicide                        2.0×10^-5
Accidental poisoning            1.8×10^-5
Falling objects                 3.0×10^-6
Therapeutic use of drugs        2.0×10^-6
Lightning strike                1.0×10^-7


CCPS (2009) provides the following information on various risks individuals may be exposed to in everyday life in the United States (Table 4).

Table 4 – Fatality data – Various Causes

Risk Source                                        Annual Probability of Death
Travelling by motor vehicle                        5.4×10^-5
Accidental falls                                   5.9×10^-5
Fire in building or structure                      9.5×10^-6
Accidental suffocation or strangulation in bed     1.7×10^-6
Drowning (bathtub)                                 1.1×10^-6
Lightning strike                                   1.6×10^-7

3.3. Review of International Criteria

The efforts to establish life safety risk criteria were initiated at approximately the same time in two countries: the Netherlands (1953) and the United Kingdom (1976). Other countries followed, beginning in the late 1980s and early 1990s. A complete survey of worldwide life safety risk criteria can be found in CCPS (2009). The information related to individual risk criteria extracted from CCPS (2009) and augmented with additional sources is presented in Table 6. Some of the regulations and guidelines quoted as sources of information have two sets of criteria, namely for existing facilities (less stringent) and for new facilities (more stringent). All risk criteria values in the table refer to existing facilities.


3.4. Individual Risk Criteria for Dam Safety in Ontario

A review of the Basic Safety Limits (risk higher than the BSL is generally considered intolerable) in Table 6 indicates that internationally the values vary between 10^-4 and 10^-5. In selecting a value appropriate for the regulation of dam safety in Ontario, the commonly used principle of equivalency (DNV, 2007) for establishing safety risk criteria can be applied. The principle compares the proposed criteria with known levels of risk that are widely considered either intolerable or acceptable. Key national statistics on mortality rates have been used in the past by some regulators to establish the BSL value. One such statistic is the infant mortality rate, which for Canada is 50×10^-4 (WHO, 2012). Another indicator that can be helpful in defining what can be considered an intolerable risk is the maternal mortality rate, which in Canada is 1.2×10^-4 (WHO, 2012). The third is the annual mortality rate for the period of life when the fatality rate is at its lowest level (5-14 years of age); this rate for Canada is also 1.2×10^-4 (SC, 2008). Reviewing these rates indicates that a 10^-4 annual probability of fatality is 50 times lower than the current national infant mortality rate and is approximately 80% of the maternal mortality rate and of the mortality rate for the group with the lowest risk to life. Considering how these important statistics are perceived by the public and their representatives (federal and provincial politicians), it seems to be generally accepted by Canadian society that these risks to life are not intolerable. Thus the selection of 10^-4 as the Basic Safety Limit should not by any means be controversial or be considered too weak.

As the Basic Safety Objective, a value of 10^-6 is proposed. This level of risk compares favorably with the fatality rates for everyday life risks such as those in Table 5.

Table 5. Fatality rates for everyday life risks

Data compiled for the United States
Fire in building or structure                      9.5×10^-6
Accidental suffocation or strangulation in bed     1.7×10^-6
Drowning in a bathtub                              1.1×10^-6

Data compiled for Australia
Accidental poisoning                               1.8×10^-5
Falling objects                                    3.0×10^-6
Therapeutic use of drugs                           2.0×10^-6

4. Conclusion

In conclusion, an annual probability of fatality equal to 10^-4 is proposed as the risk criterion separating risks that are intolerable from risks that can be tolerated under certain conditions, and an annual probability of fatality equal to 10^-6 is proposed to separate risks that can be tolerated under certain conditions from risks that are considered negligible.


References

Adler, M.D. (2005). Against “Individual Risk”: A Sympathetic Critique of Risk Assessment. University of Pennsylvania Law Review, Vol. 153(4), pp. 1121-1250.
ANCOLD. (2003). Guidelines on Risk Assessment. Australian National Committee on Large Dams Inc., October 2003.
Bedford, T., and Cooke, R. (2001). Probabilistic Risk Analysis: Foundations and Methods. Cambridge University Press, Cambridge, UK.
CCPS. (2009). Guidelines for Developing Quantitative Safety Risk Criteria. Center for Chemical Process Safety. J. Wiley & Sons, Hoboken, NJ.
DNV. (2007). Risk Evaluation Criteria. Det Norske Veritas AS. SAFEDOR-D-4.5.2-2007-10-24-DNV-RiskEvaluationCriteria-rev-3.0.
HK. (2012). Hong Kong Planning Standards and Guidelines: Section 12: Miscellaneous Planning Standards & Guidelines. Accessed on July 18, 2012 at http://www.pland.gov.hk/pland_en/tech_doc/hkpsg/index.html
HSE. (2001). Reducing Risk Protecting People: HSE’s Decision Making Process. UK Health and Safety Executive.
IMO. (2002). Guidelines for Formal Safety Assessment (FSA) for Use in the IMO Rule-Making Process. MSC/Circ. 1023, International Maritime Organization, London.
ICOLD. (2005). Risk Assessment in Dam Safety Management: A Reconnaissance of Benefits, Methods and Current Applications. Bulletin 130. International Commission on Large Dams.
Jonkman, S.N., van Gelder, P.H.A.J.M., and Vrijling, J.K. (2003). An Overview of Quantitative Risk Measures for Loss of Life and Economic Damage. Journal of Hazardous Materials, A99, pp. 1-30.
Kauer, R., Fabbri, L., Giribone, R., and Heerings, J. (2002). Risk Acceptance Criteria and Regulatory Aspects. Operation Maintenance and Material Issues Journal, Vol. 1(3).
NSW. (2011a). HIPAP 3: Risk Assessment. State of New South Wales Department of Planning.
NSW. (2011b). HIPAP 4: Risk Criteria for Land Use Safety Planning. State of New South Wales Department of Planning.
NSW DSC. (2010). Background to DSC Risk Policy Context. New South Wales Dam Safety Committee. Guidance Sheet DSC1B.
Proske, D. (2008). Catalogue of Risks: Natural, Technical, Social and Health Risks. Springer-Verlag, Berlin.
SC. (2008). Deaths and mortality rate, by selected grouped causes, sex and geography. Statistics Canada. Accessed on July 8, 2012 at http://www.statcan.gc.ca/pub/84f0209x/2008000/tablesectlistlistetableauxsect-eng.htm
USACE. (2010a). Proceedings of the Workshop on Exploration of Tolerable Risk Guidelines for the USACE Levee Safety Program. Institute for Water Resources, Report 10-R-8.
USACE. (2010b). Safety of Dams – Policy and Procedures. Engineering Regulation ER-1110-2-1156.
VROM. (2004). External Safety Establishments Decree. Staatscourant, Sep 23, 2004, nt. 183.
WHO. (2012). World Health Statistics 2011. World Health Organization. Accessed on July 11, 2012 at http://www.who.int/gho/publications/world_health_statistics/en/index.html
WSV. (2011). Guidance Note: Requirements for Demonstration – Advice to Operators of Major Hazard Facilities on Demonstrating an Ability to Operate the Facility Safely. WorkSafe Victoria.

Table 6 – Individual Risk Criteria – International
(The table was extracted as scattered cells; only its structure is recoverable here. Columns: Country; Area of application/Regulatory Agency; Individual Risk Measure; Annual probability of fatality (Basic Safety Limit, Basic Safety Objective); Source. Countries covered: United Kingdom, Netherlands, Hong Kong, Australia, Brazil, USA, International. Sources cited in the table: HSE, 2001; VROM, 2004; HK, 2012; NSW DSC, 2010; NSW, 2011b; WSV, 2011; CCPS, 2009; IMO, 2002; DNV, 2007.)
Note 1) to the table: The legal system in the Netherlands, which is based on Napoleonic law, does not allow accommodating the concept of tolerable risk and ALARP. The law defines precisely what is unjust, unlawful or forbidden.

Comparative Analysis of Technological and Intelligent Terrorism Impacts on Complex Technical Systems – N.A. Makhutov and G.B. Baecher (Eds.) IOS Press, 2012 © 2012 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-61499-131-1-93


Principles for creating of monitoring, diagnostics and protection systems in the view of potential terrorist attacks

E.F. DUBININ, V.I. KUKSOVA, V.P. PETROV
Institute of Machine Sciences, RAS

Abstract: General principles for ensuring the safety of complex technical facilities (CTF), including critical infrastructure facilities (CIF), should be taken into account at all stages of their operational life cycle. For safe operation of a CTF it is necessary to reduce the probability of uncontrolled release of potentially hazardous substances, W, of energy, E, and of information clusters, I, and the risks of failures and catastrophes. This aim can be attained by modeling systems for monitoring, diagnostics and protection.

Keywords: Monitoring, diagnostics, protective systems

1. Introduction

The main tasks of systems for monitoring, diagnostics and protection are: a decrease of the probability P(t) of generating dangerous states, both in facilities at the design stage and in facilities already in operation; and a reduction of losses U(t) in cases where failures and catastrophes have been inevitable [2]. The basic principles for modeling systems of monitoring, diagnostics and protection are: decreasing the risk that harmful impacts are initiated; lowering the risk that emergencies develop further; rapid-response measures for protecting engineering systems and returning operating systems to a lower level of danger. The following types of protection of critical infrastructure facilities (CIF) against initiating harmful impacts and against developing emergencies exist: rigid protection; natural protection; functional (continuously operating) protection; combined protection; safeguarding protection (Figure 1). Functional protection systems make it possible, in case of an accident, to act on the processes running in complex technical facilities (CTF), in particular to exclude the emergency sections from the technological chain. Security protection is a complex of measures for repelling terrorist threats. As a rule, risk mitigation, R(t), for critical infrastructure facilities (CIF) is achieved by applying all of the enumerated protective systems. The diagnostics system is part of the functional protection of a CIF. When the risk R(t) rises to its limit values (according to signals obtained from the systems of technical diagnostics and monitoring), the following operative decisions are required: technical control and rapid response of the protection systems; termination of facility operation; alarm and evacuation notification (Figure 2). In case of a terrorist threat the basic problems are: timely activation of the protection system; facility operation outage, personnel evacuation and minimization of losses [2].


2. Categories of sites

It is expedient to subdivide technical sites into categories so that the protection of a CIF is adequate to the perceived threats. The main principles for building up protection systems are: layered protection barriers; a systematic and comprehensive approach; continuity; equal strength along the whole protective contour. The barrier concept is widely used; it is based on the principle of multiplying barriers (frontiers) and layered protection (Figure 3) [3].


Figure 1. Types of Protection for Complex Engineering Facilities

Figure 2. Control over Protection of Hazardous Engineering Facilities Regarding a Probability of a Terrorist Attack


Figure 3. Principles for Build-up of CTF Protection

3. Barriers

The probability of failure-free operation, P, of a set of n barriers can be calculated in the following way:

$P = 1 - \prod_{i=1}^{n} q_i$   (1)

As follows from (1), with growth of the number of barriers, n, and/or with a decrease of the probability of destruction of a barrier, q_i (i = 1, 2, ..., n), the probability of failure-free operation of the set of barriers increases, i.e., the likelihood of defeat is reduced [4].

Problems of diagnostic control over the state of a technical facility can be solved using diagnostics (with episodic determination of the most important parameters) and also monitoring (with constant tracking of the most informative parameters). The main types of monitoring at hazardous industrial sites (HIS) and at CIF, taking into account probable terrorist attacks, are: security monitoring; monitoring of equipment and of technological processes; monitoring of facilities and structures; monitoring of natural impacts. Technical diagnostic means, D, can be conditionally divided by the character of their use into two main types: operative diagnostic means for emergencies, D_e, and diagnostic means for regular situations, D_r, which are used for tests, production, etc. Diagnostic systems for both hazardous industrial facilities (HIF) and critical infrastructure facilities (CIF) consist of embedded systems, which operate at all stages of regular service life and provide for efficient functioning of the protection systems, and of mobile means transported to the emergency zones. Operative means of regular and emergency diagnostics are included in the system of comprehensive diagnostics:

$D = F_D\{D_e, D_r\}$   (2)
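A worked example of equation (1), added here and not part of the paper: it computes P for a layered barrier set, the smallest number of identical barriers needed to reach a target P, and compares the two ways of raising P named in the text (adding a barrier versus lowering a q_i). The q_i values are constructed sample data, and the formula assumes barriers are breached independently.

```python
"""Equation (1) of the paper: P = 1 - prod(q_i), i = 1..n.

The facility is defeated only if every barrier in the layered set is
breached, so the defeat likelihood is the product of the per-barrier
breach probabilities q_i. Independence of the barriers is assumed."""
from math import prod
from typing import Dict, Sequence


def failure_free_probability(q: Sequence[float]) -> float:
    """Equation (1): probability of failure-free operation of the barrier set."""
    for qi in q:
        if not 0.0 <= qi <= 1.0:
            raise ValueError(f"q_i must be a probability, got {qi}")
    if not q:
        return 0.0  # no barrier at all: the facility is unprotected
    return 1.0 - prod(q)


def defeat_probability(q: Sequence[float]) -> float:
    """Likelihood of defeat of the whole barrier set, 1 - P = prod(q_i)."""
    return 1.0 - failure_free_probability(q)


def barriers_required(q: float, p_target: float) -> int:
    """Smallest number n of identical barriers (each breached with
    probability q) for which 1 - q**n >= p_target. Illustrates the
    paper's statement that P grows with the number of barriers n."""
    if not 0.0 < q < 1.0:
        raise ValueError("q must be strictly between 0 and 1")
    if not 0.0 <= p_target < 1.0:
        raise ValueError("p_target must be in [0, 1)")
    n, defeat = 0, 1.0
    while 1.0 - defeat < p_target:
        n += 1
        defeat *= q
    return n


def strengthening_options(q: Sequence[float], new_barrier_q: float) -> Dict[str, float]:
    """Compare the two ways of raising P named in the text: adding one more
    barrier versus halving the breach probability of the weakest barrier.
    q must be non-empty. Returns the resulting P for each option."""
    q = list(q)
    added = q + [new_barrier_q]
    hardened = q.copy()
    weakest = max(range(len(q)), key=lambda i: q[i])
    hardened[weakest] = q[weakest] / 2.0
    return {
        "baseline": failure_free_probability(q),
        "add_barrier": failure_free_probability(added),
        "harden_weakest": failure_free_probability(hardened),
    }


if __name__ == "__main__":
    # constructed sample: three barriers with breach probabilities 0.1, 0.2, 0.3
    sample_q = [0.1, 0.2, 0.3]
    print(f"P = {failure_free_probability(sample_q):.4f}")
    print(strengthening_options(sample_q, new_barrier_q=0.5))
    print("barriers of q=0.5 needed for P >= 0.99:", barriers_required(0.5, 0.99))
```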


Figure 4. Methods of Technical Diagnostics

Diagnostic equipment solves the following tasks: rapid collection of information from the facility under protection with the aim of preventing an accident, maintaining a stable state of the object, assisting in reducing the consequences of the accident, helping the personnel in case of emergency, and rapid notification about the emergency [5]. The classification of methods of technical diagnostics is shown in Figure 4. A diagnostic system for emergencies and for regular operation should provide the following:

1. Serial and systematic measurements, with monitoring of definite parameters which determine the danger of emergency generation and propagation.
2. Filing (recording) of the parameters that have surpassed their regular values, and of the transition of the whole engineering system to the emergency state.
3. Revealing changes in these parameters during the emergency and their comparison with the initial parameters.
4. Prediction of accidents and of their consequences.
5. Methods and techniques for providing survivability to the means of emergency diagnostics.
6. Development of both engineering recommendations for elimination of emergencies at the critical infrastructure facility and recommendations on regaining regular values of the technical parameters.

Figure 5. Initiating Impacts of Emergencies
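An added example (not code from the paper) of a minimal diagnostic monitor implementing tasks 1 to 4 of the list above for a few of the parameters the paper names later (stress, deformation e, temperature t, crack length l). The regular ranges, the readings and the linear-extrapolation predictor are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Reading = Dict[str, float]

# Constructed regular (admissible) ranges, name -> (low, high); units are notional.
REGULAR_RANGES: Dict[str, Tuple[float, float]] = {
    "stress": (0.0, 200.0),   # MPa
    "e": (0.0, 0.002),        # deformation
    "t": (-20.0, 80.0),       # temperature, degrees C
    "l": (0.0, 5.0),          # crack length, mm
}

# Constructed serial readings: crack length l grows 0.5 mm per step, then at
# step 3 several parameters jump outside their regular ranges at once.
SAMPLE_READINGS: List[Reading] = [
    {"stress": 120.0, "e": 0.0010, "t": 40.0, "l": 2.0},
    {"stress": 125.0, "e": 0.0011, "t": 41.0, "l": 2.5},
    {"stress": 130.0, "e": 0.0012, "t": 42.0, "l": 3.0},
    {"stress": 260.0, "e": 0.0030, "t": 95.0, "l": 6.0},
]


@dataclass
class DiagnosticMonitor:
    regular_ranges: Dict[str, Tuple[float, float]]
    state: str = "REGULAR"                                 # whole-system state (task 2)
    initial: Optional[Reading] = None                      # baseline for comparison (task 3)
    history: List[Reading] = field(default_factory=list)   # serial measurements (task 1)
    log: List[str] = field(default_factory=list)           # filed exceedances and transitions (task 2)

    def exceedances(self, reading: Reading) -> List[str]:
        """Names of parameters whose value lies outside the regular range."""
        return [name for name, (lo, hi) in self.regular_ranges.items()
                if name in reading and not lo <= reading[name] <= hi]

    def ingest(self, step: int, reading: Reading) -> List[str]:
        """Tasks 1 and 2: store the measurement, file every exceedance and
        switch the whole system to EMERGENCY on the first one."""
        if self.initial is None:
            self.initial = dict(reading)
        self.history.append(dict(reading))
        exceeded = self.exceedances(reading)
        for name in exceeded:
            self.log.append(f"step {step}: {name}={reading[name]} outside regular range")
        if exceeded and self.state == "REGULAR":
            self.state = "EMERGENCY"
            self.log.append(f"step {step}: whole system transitioned to EMERGENCY")
        return exceeded

    def deviation_from_initial(self) -> Dict[str, float]:
        """Task 3: change of each parameter in the latest reading relative to the baseline."""
        if self.initial is None or not self.history:
            return {}
        latest = self.history[-1]
        return {k: latest[k] - v for k, v in self.initial.items() if k in latest}

    def steps_until_limit(self, name: str) -> Optional[float]:
        """Task 4, with a simple predictor assumed here (not from the paper):
        extrapolate the last two readings linearly to the upper regular limit.
        Returns 0.0 if already beyond it, None if not growing or too few readings."""
        if name not in self.regular_ranges or len(self.history) < 2:
            return None
        hi = self.regular_ranges[name][1]
        prev, last = self.history[-2][name], self.history[-1][name]
        if last >= hi:
            return 0.0
        rate = last - prev
        return (hi - last) / rate if rate > 0 else None


def run_sample(n_readings: int = len(SAMPLE_READINGS)) -> DiagnosticMonitor:
    """Feed the first n_readings constructed readings to a fresh monitor."""
    monitor = DiagnosticMonitor(REGULAR_RANGES)
    for step, reading in enumerate(SAMPLE_READINGS[:n_readings]):
        monitor.ingest(step, reading)
    return monitor


if __name__ == "__main__":
    m = run_sample(3)
    print("state after 3 readings:", m.state,
          "| predicted steps until l reaches its limit:", m.steps_until_limit("l"))
    m = run_sample()
    print("state:", m.state, "| deviation from initial:", m.deviation_from_initial())
    print("\n".join(m.log))
```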

At each stage of the life cycle of critical infrastructure facilities there are critical parameters which define the operation of these facilities. These parameters should be analyzed with regard to the probability of terrorist attacks [6]. The results of unauthorized intrusions into a CIF are unpredictable and, as a rule, lead to an emergency at the technical object (Figure 5). That is why, bearing in mind the danger of technological terrorism, an additional type of protection is introduced: security protection, which covers critical infrastructure facilities and their subsystems, personnel and existing protective barriers. The volume of measures and procedures for antiterrorist protection should correspond to the level of terrorist threats. A significant contribution to the implementation of security measures for technical facilities is made by the physical protection systems (PPS) of technical sites [7,8]. The physical protection system of any critical infrastructure facility includes:

- organizational logistics subsystem;
- physical protection barriers;
- a complete set of technical means for physical protection (Figure 6).

Figure 6. Structural Scheme of a Physical Protection System of a Facility

Modern physical protection systems (PPSs) apply a wide spectrum of technical means and software packages, and they consist of the following components (subsystems): personnel admission control system (PACS); emergency alarm system (EAS); TV monitoring and tracking system; rapid communications, warning and response system; technical supply systems (lighting, electric power supply, security lighting, etc.). A physical protection system for an engineering facility is arranged on the classical principle of serial layered barriers. A scheme of the emergency alarm system, one of the components of a PPS, is given in Figure 7 [9,10]; schemes of protection within the boundaries of the perimeter of the whole technical facility and of a single separate building are shown in Figures 8 and 9 [11].

Figure 7. Structural Scheme of the Alarm System of the Facility


Figure 8. Scheme of Protection within Boundaries of a Perimeter of the Whole Hazardous Industrial Facility (as an Example)

Figure 9. A Scheme of Protection within Boundaries of an External Perimeter of a Separate Building Using Infra-Red Motion Sensors (as an Example)

A scheme of a personnel access control system (PACS) is presented in Figure 10.


Figure 10. Scheme of the Personnel Access Control System (ACS)


Alarm signal sensors are important components of the detection subsystem; their technical characteristics determine the basic parameters of the whole protection system. Some types of physical protection sensors are shown in Figure 11 [12].

Figure 11. Some Types of Physical Protection Sensors (panels: Passive Infra-Red Motion Sensor; Multi-Beam Infra-Red Sensor made by IDL (England); Dual-Beam Infra-Red Sensor of the AX series made by Optex (Japan); Microwave Motion Sensor made by Perimeter Products (USA); Radio-Beam Motion Sensors made by CIAS (Italy); Passive Infra-Red Sensor of the ARK9130 series made by Arkonia (England))

The principal goal of providing safety and security to critical infrastructure systems is the protection of society and the environment from harmful impacts and grave losses that may be caused both by natural calamities and by serious human blunders; for this noble purpose engineers all over the world are developing efficient security systems for safeguarding potentially hazardous facilities. The main aspects of the application of monitoring, diagnostics and protection systems are presented in Figure 12.

4. Monitoring, diagnostics and protection systems


The main aims of monitoring, diagnostics and protection systems, used for failure analysis, operative warning and rapid response measures connected with accidents at various stages of their development (taking into account the probability of a terrorist attack), are presented in Table 1. Usually an accident is preceded by a long-term process of accumulation of technical defects, mechanical injuries, crack propagation, faults and so on, whereas in case of a terrorist attack the emergency is caused by unauthorized harmful and dangerous impacts. As seen from Table 1, by developing efficient monitoring and protection systems it is possible to predict, foresee and warn about an emergency at its earliest (latent) stage.

Figure 12. Application of Monitoring, Diagnostics and Protection Systems for Warning and Rapid Response Measures to Be Taken in Case of Expansion of Emergencies

Under regular operation of the critical structure facility (CSF), the following information on the technical state of the CSF is required: its stress-strain state (stresses, deformations e); temperature, t; dimensions, shapes and initial location of defects, crack propagation, l; etc. [13,14]. In emergency cases the following groups of parameters are also to be controlled by the diagnostic system of the CIF; these sets of parameters characterize the three components of destructive impacts [15]: 1) uncontrolled release of energy, E; 2) uncontrolled release of radioactive, chemically and biologically hazardous substances, W; 3) violated or false information flows, I.


Table 1. Goals for Monitoring, Diagnostics and Protection Systems Regarding Prediction, Warning and Rapid Response to Emergencies at Various Stages of Their Development and Taking into Account Probability of a Terroristic Attack
(Columns: Stage of an Accident/Emergency; Typical Features of the Stage; Rapid Response Goals; Used Systems and Means.)

1. Preceding (Latent) Stage
Typical features: Regular operation of the facility. Probability of terrorist threats.
Rapid response goals: Detection and elimination of terrorist threats. Prediction and warning.
Used systems and means: Security monitoring system. Physical protection system. Regular diagnostics system.

2. Actual Accident
Typical features: Terrorist impact on the facility. New unforeseen process, often causing damage. Uncontrolled release of hazardous substances and energy. Avalanche increase of undesirable effects. Destruction, the injured.
Rapid response goals: Revealing the damage level. Determining technical and human losses. Control and measurement of deviations, emergency diagnostics. Prevention of expansion of the accident, termination of the accident. Search and rescue operations, material loss mitigation.
Used systems and means: System of regular and emergency diagnostics and monitoring. Emergency protection system. Human rescue means. Methods of withstanding and overcoming the emergency consequences.

3. Post-Accident Response
Typical features: Local foci of the accident, destruction, the injured.
Rapid response goals: Reduction of the consequences of the accident, staff salvation. Material loss mitigation. Restoration work. Diagnostics, revealing the real causes of the accident, solving problems on exclusion of the accidents. Revealing the causes and conditions of the accident generation. Recovery of the facility's pre-accident regular operation, prevention of the possibility of recurrence of the accident.
Used systems and means: System of regular and emergency diagnostics and monitoring. Systems of struggle against emergency consequences. Means to conduct restoration work.

Thus the goal of diagnostics and control (Figure 13) consists of presenting information on the current state of the facility (in on-line mode) and on the level of impact of the damaging factors, P: on personnel and on the population, N; on the facility itself, T; and on the environment, S; for the purpose of emergency estimation and for the adoption of urgent measures for localization of the accident:

$D(t) = F_D\{W(t), E(t), I(t)\};\quad P(t) = F_P\{N(t), T(t), S(t)\}$   (3)

For instance, among the priority goals of the failure diagnostics system of nuclear power plants (NPPs) the following can be enumerated [14,16]: assessment of the state of the facility and of the level of impact of destructive factors on personnel, population and environment; support of a stable operating state of the NPP; determination of the character and volume of damage to the nuclear reactor core and of the integrity of the containment and of the various protective barriers, with the aim of forming a strategy for emergency risk mitigation and for liquidation of the accident consequences. Within the post-accident period the following means are required: remote visual monitoring means; ultrasonic sensing of the location of materials in the reactor core; radiological control means; radiation monitoring means; remote exploration of the thermal and metric state and of the parameters that characterize both the fuel mass state and the core materials state. The principal goals of the post-accident period are: minimization of consequences, exclusion of the probability of accident repetition, restoration work and repairs. Taking into account the probable scale of the accident, the emergency diagnostics and monitoring systems applied in this case should include, for analysis, separate on-site elements and regional and national elements based on the ground, in the air and in outer space [5].

Figure 13. Diagnostics of an Accident at a Critical Infrastructure Facility

5. Summary

The development of monitoring, diagnostic control and protection systems is a mandatory component of the design and operation of hazardous industrial sites and critical infrastructure facilities, thus ensuring their maximally safe operation.

References

[1] Makhutov, N.A., Gadenin, M.M. Research works and specialists training on ensuring safety to the facilities of critical importance. Machine-Building and Engineering Education, No. 1, 2004, 19-32. (in Russian).
[2] Safety of Russia. Analysis of risk and of safety problems. Part 2. Safety of civil and defense complex and risk management. Znaniye International Foundation, Moscow, 2006, 752 p. (in Russian).
[3] http://www.tezacorp.ru/biblioteka/korp-konceptsii-fiz-zaschity (in Russian).
[4] Alexandrovskaya, L.N., Aronov, I.Z., Krouglov, V.I., et al. Safety and reliability of technical systems. 2008, 376 p. (Learners' tutorial, University book, Logos Publishers, Moscow).
[5] Safety of Russia. Operation and development of comprehensive, national economic, technical, power generating, transportation, liaison and communication systems. Section 1, Znaniye International Foundation, Moscow, 1998, 448 p. (in Russian).
[6] Technological terrorism and methods to prevent terrorist threats. Proc. of scientific conference, EMERCOM of Russia, RAS, Combitel Publishers, Moscow, 2004, 320 p.
[7] http://www.z96.ru/concep.html (in Russian).
[8] Alaukhov, S.F., Kotseruba, V.Ya. Issues of development of physical protection systems for large industrial facilities. J. Security Systems, No. 41, 2001, 93-96. (in Russian).
[9] http://ognetech.ru/print:ochrannayasignalisacia.html (in Russian).
[10] http://www.global2.ru/mont/choice8_2_1.htm (in Russian).
[11] http://www.domdomov.ru/lib/umdom/a2159.htm (in Russian).
[12] http://bre.ru/security/20047.html (in Russian).
[13] Safety of Russia. Ecological Diagnostics. Edited by Associate Member of RAS V.V. Kliuyev, Znaniye International Foundation, Machine-Engineering Publishers, Moscow, 2000, 496 p. (in Russian).
[14] Safety of Russia. High-tech complex and safety of Russia. Part 2. Problems of ensuring safety to the military-industrial complex of Russia. Znaniye International Foundation, 2003, 624 p. (in Russian).
[15] Makhutov, N.A., Petrov, V.P., Akhmetkhanov, R.S., Dubinin, E.F., Kuksova, V.I. Issues of development of parameters of diagnostical systems for critical infrastructure facilities and for their protection regarding destruction factors. J. Problems of Security and Emergencies, No. 2, 2009, 85-105. (in Russian).
[16] Samoilov, O.B., Usynin, G.B., Bakhmetyev, A.M. Safety of nuclear power installations. Energoatomizdat Publishers, 1989, 280 p. (in Russian).

Comparative Analysis of Technological and Intelligent Terrorism Impacts on Complex Technical Systems – N.A. Makhutov and G.B. Baecher (Eds.) IOS Press, 2012 © 2012 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-61499-131-1-105


Methodology for Investigation and Provision of Reliability and Safety of Complex Technical Systems

Prof. BERMAN A.F.
Institute for System Dynamics and Control Theory, Russian Academy of Sciences, Siberian Branch.

Abstract. The cause of a significant part of technogenic catastrophes is the destruction of hazardous objects. This destruction occurs as a result of catastrophic failures, operator errors, natural influences and terrorist activities. A methodology for modeling and investigation of safety for Complex Technical Systems is proposed. Complex Technical Systems are considered as unique technogenic objects which are designed in one or two instances, implement extreme technologies and are subjected to the influence of mechanical, physical and chemical factors. The generalized cause-and-effect complex and the scenario of violation of reliability and safety for such systems are formulated. Dynamic models related to the formation of the system's states are grounded, from the initial defectiveness of the construction to damage, destruction, failure, pre-emergency, emergency and possible technogenic catastrophe. A concept of an intelligent program system, intended for computer-aided investigation of reliability and safety at all stages of existence, has been developed. The results obtained provide for efficient and qualitative investigation of the revealing of hazards and for grounding techniques and aids for the provision of reliability and safety.

Keywords. safety, terrorist activities, complex technical systems, unique mechanical systems, cause-and-effect complex, discrete-continuous system, computer-aided investigation, case-based reasoning, rule-based reasoning

1. Introduction

The cause of a significant part of technogenic catastrophes is the destruction of hazardous objects. This destruction occurs as a result of catastrophic failures, operator errors, natural influences and terrorist activities. The final event for all of these causes is the same, the destruction of the constructions (designs), so a common methodology (including principles, methods and models) can be used for investigating the causes. In turn, the destruction of objects is connected with changes of technical state. The changes of technical state are caused by slow or fast degradation processes with different mechanisms and kinetics. In particular, dynamic effects due, for instance, to shock waves can be taken as one of the mechanisms of destruction. The methods for providing safety of constructions (designs) and of construction elements should take into account the factors causing the mechanism and kinetics of destruction. The methods and ways of protection, monitoring and diagnosing of the parameters of functioning and of the technical state of an object should depend on the kind and type of destruction of the object. On the whole, the principles, methods and models of representation, accumulation and processing of the information, knowledge and experience directed at the provision of safety will be identical. The difference is in information content and in the criteria for decision making. A prototype of intelligent software has been developed. The software is based on the stated principles and provides forecasting of catastrophic failures, emergencies and technogenic catastrophes, and decision making for their prevention, liquidation and reduction of losses. The software allows making decisions approved by the experts of the various scientific areas and disciplines which take part in the provision of safety at all stages of the life cycle of objects. Complex Technical Systems (henceforth CTSs) designed in one or two instances and implementing extreme technologies are considered. Such systems and some elements included in them are characterized as unique. There are no statistical data for such systems prior to the beginning of their application, and an absolute probabilistic estimate of the hazard caused by the system as a whole is also insufficiently informative. At the same time, the opportunity of a relative probabilistic estimate of safety for separate elements of such systems, for the purpose of comparing them with each other and with similar elements, is not excluded. Components of chemical, petrochemical, energy (power) and similar technical complexes belong to such systems. The design of such components takes place under conditions of uncertainty. To reduce the uncertainty, information about similar technical complexes and the results of testing materials, elements and components can be used. Computational and experimental-computational methods, which are based on various kinds of modeling and on decision-making support, are also employed.
Contemporary investigations of safety for complex hierarchical systems imply the integration of expert knowledge, modeling and the application of computer-aided information technologies [Mahutov-08, Berman-94, Berman-99, Berman-07, Nikolaichuk-08, Katulev-00, Schup-06]. To ensure modeling accuracy, it is possible to use data and knowledge describing failures and emergencies of such systems, with a description of the total cause-and-effect complex of their occurrence [Berman-94, Berman-98]. Furthermore, for each of the causes (factors) one has to determine the techniques and aids which help to remove it, or to reduce the probability of its occurrence, or at least to reduce the intensity of the factor's influence. Adequate techniques and aids for counteracting the causes of formation of failures and emergencies are called properties of safety [Berman-99b]. Therefore, properties of safety characterize the ability of a CTS to resist the development of hazards. The efficiency of providing the desired safety properties is conditioned by correctness in determining both the causes of the hazards and their degrees. Properties of safety depend on the parameters characterizing the cause of occurrence of a hazard and the consequences of the hazardous state, as well as on the dynamics of variation of such parameters. Models intended for the dynamic analysis of safety shall represent and connect the factors which cause violations of safety and influence the frequency and consequences of such violations, as well as the state dynamics. These shall substantiate the techniques and aids for the provision of safety. Efficient and adequate application of such models is possible only when computer-aided information technologies and systems are employed. The objective of our work is the development of a methodology for modeling, investigation and estimation of the hazard of CTSs subject to extreme effects. CTSs of hierarchical structure, which have a great number of subsystems and a substantial variety of links and relations between them, are investigated.

2. Methodology


2.1. The Generalized Cause-and-Effect Complex of Hazard Occurrence

For the purpose of investigating the causes of occurrence of hazardous states we have proposed a cause-and-effect complex which determines the occurrence of such a state. This is a kind of model intended to investigate the dynamics of undesirable processes. The block diagram of the dynamics of this process is shown in Fig.1. Each sequential state is caused by the previous one and is characterized by a substantial hazard. Since our present knowledge of the sufficiency of the measures and undertakings needed for the provision of reliability and safety is limited, failures of the systems intended to maintain reliability of operation and safety can provoke a technogenic catastrophe. According to this model, hazardous states are caused by the properties of the designed system, by the character of external factors and by the properties of the systems intended to provide reliability and safety. The system's properties are characterized, for example, by i) the number of new components in the system, ii) the degree of their uncertainty, iii) the predictability of the development of the states, iv) the level of hazard of the substances processed or transported, and v) the degree of hazard of the technological process parameters. The properties of the influencing factors include: the properties of the mechanical, physical-chemical and biological effects which violate safety; the rate of their development and distribution; the degree of their effect on the safe state. The properties of the safety system include, for example, observability and controllability; the opportunity of state monitoring, which implies real-time information processing and the realization of adequate measures for the anticipated hazards; survivability, e.g. the operating time from the moment of occurrence of a hazardous state to the moment of transition to another level of the hazardous state.

2.2. A Generalized Scenario of Safety Violation

Let us select the events in the cause-and-effect complex which cause the occurrence of hazardous states. For example, the event "the damage reaches the limit state" conditions (is the cause of) the state "inadmissible damage"; the event "the crack reaches a critical size" conditions the state "destruction"; the event "efflux of hazardous fluid" conditions the state "failure"; the event "distribution of hazardous substance" conditions the state "pre-emergency"; the event "explosion or fire" conditions the state "emergency"; the event "distribution of consequences onto life-support systems" conditions the state "technogenic catastrophe". Since each subsequent state is conditioned by the previous one, the events identified form a cause-and-effect sequence of events in which each event, being a consequence, is simultaneously an initiating event. According to this approach, the process of violating the safety of a CTS is represented by a set of events reflecting a generalized scenario of hazard formation. A generalized scenario is shown in Fig.2. For each event of the scenario it is possible to compute the frequency and the consequences, and thus to estimate the risk of each event. Consequently, each state which is conditioned by some event may also be estimated by its degree of risk. The generalized scenario (as the sequence of states and of the causes which condition the states) reflects a certain level of formalization and extends the opportunities for applying the mathematical apparatus in modeling the process of investigating reliability and safety.

[Figure 1 (block diagram): properties of the complex mechanical system; properties of the reliability system (reliability, maintainability, durability, storability); properties of the safety system (prevention, protection, control); impacts (mechanical, physics-chemical and biological impacts; mistakes of the operator, technological and natural influences); and the space of states of safety: state of defectiveness, damage, destruction, failure, accident, emergency, technogenic catastrophe.]

Figure 1. The cause-and-effect complex of state dynamics for Complex Technical Systems.

2.3. Modeling the Dynamics of the System's Hazardous States

It is suggested to represent the CTS as a discrete-continuous system reflecting the process of state variation in the phase space. The states of mechanical systems vary continuously and discretely depending on the kind and the value of certain parameters. For example, a parameter such as "the macro-crack length" is initially characterized by a practically continuous variation of its numerical value. Then, owing to the accumulation of potential energy at the crack tip, a substantial change (up to the speed of sound) in the rate of its propagation occurs, together with a stepwise change in the technical state, which is characterized as "brittle destruction". Or, for example, "a gradual increase in the concentration of some substance leaking into a closed space", which is a continuous process, can cause an explosion, i.e. an abrupt change of state. So a discontinuity appears in the continuous state, and discreteness arises. Therefore, the discrete properties of the system are determined by the need to decompose the object's state space into subspaces in order to map the observations which characterize a cardinal change of the object's state in the process of transition from one subspace to another. The regularities of transition between the states are described with the aid of information-type logic-mathematical models in the form of a combination of computational modules, ontologies [Uschold], data and knowledge bases.

[Figure 2 (diagram): the chain of states from the state of defectiveness to the state of technogenic catastrophe, each preceded by the event which conditions it.]

Figure 2. A generalized scenario of safety change for Complex Technical Systems.

The subspaces of states have been determined on the basis of the generalized cause-and-effect complex of the process of variations of mechanical system's states proposed (Fig.1). Further, using the subspaces of states identified, we are going to describe the object under scrutiny with the aid of a model based on the aggregate model, whose components are characterized by determined nature:

$A = \langle T, C, X, D, U, Y, H, G, R \rangle$.

These components are determined below.

$T = [0, T_j]$ is a finite interval of modeling.

$C$ is the space of states $c = (c_1, \ldots, c_N)$ such that $c_i$ are phase coordinates, $\underline{c}_i \le c_i \le \overline{c}_i$, $i = 1, \ldots, N$, and $c(t)$ are phase trajectories of state variations. The phase coordinates describe the object's properties, among which it is possible to identify functional properties, structural properties, properties of reliability and properties of safety. The properties of safety include properties of fire safety, properties of explosion safety, properties of chemical safety, etc. The phase coordinates have an object-oriented structure, $c_i = (c_{i1}, c_{i2}, \ldots, c_{iz_i})$, i.e. if necessary each coordinate can be described by a set of its properties. The space $C$ of states has the structure $C = (C_1, \ldots, C_K)$ corresponding to the cause-and-effect complex of the process of state change for the CTSs. The state $c^j \in C_j$ is described as follows:

$c^j = \left( c^j_1, \ldots, c^j_n,\; c^j_{hs_1,1}, \ldots, c^j_{hs_1,n_{hs_1}},\; \ldots,\; c^j_{hs_j,1}, \ldots, c^j_{hs_j,n_{hs_j}} \right), \quad j = 1, \ldots, K,$

where $n$ is the number of phase coordinates describing the object's design properties; $n_{hs_1}, \ldots, n_{hs_j}$ are the numbers of phase coordinates describing the object's properties acquired at the stage of manufacture and exploitation and describing the hazardous states; $K$ is the number of state subspaces.

$X$ is the set of admissible inputs, $x = [x_1, \ldots, x_l]$, where $l$ is the number of "input channels", each receiving information of the corresponding type. The input information includes the values of the parameters describing the internal influencing factors, which are conditioned by the system's functioning (loads; operating and auxiliary agents), and the external influencing factors such as earthquakes, low temperatures, heavy showers, winds, hurricanes, etc.

$D$ is the set of output results $d$ of monitoring and/or object diagnostics, $d = [d_1, \ldots, d_q]$; at the stage of design $D = 0$.

$U$ is the set of controls, $u = [u_1, \ldots, u_r]$, for the systems providing for the reliability and safety of the technogenic object.

$Y$ is the set of admissible outputs characterizing the parameters of the technical state, which are given at the stage of design and controlled in the process of exploitation.

$H = \langle V_x, V_u, V_d, L, P \rangle$ is the operator of transitions, which determines the set of admissible "current" states known from the previous history of the object and including the certainty factor [Shortliffe] $p$: $c_m(t) = H[c(0), t, p]$, $m = 1, \ldots, S$, where $S$ is the number of such "current" states. $V_x$, $V_u$, $V_d$ are operators bound up with the formation of new initial states, and possibly with new behavior, in the course of receiving sequential input information, controlling influence, and information on the results of monitoring and diagnostics, respectively; $L = \langle DB, Ont, KB, M \rangle$ is the information-type logic-mathematical model describing the object's behavior on the time intervals between the events, where $DB$ are databases, $Ont$ is the ontology of reliability and safety, $KB$ are knowledge bases and $M$ are the corresponding mathematical models; $P$ is the certainty factor of the possible behavior of the object.

$G$ is the operator of outputs, $y(t) = G[c(0), t]$, which transforms the information about the object's state into the set of controlled parameters for a given technical state, for example into the set of parameters obtained with the aid of meters which monitor the size of cracks.

$R$ is the risk of a state, defined as a combination of an expert appraisal of the possibility of this state and the loss from its occurrence. Risk is defined on the basis of the certainty factors $P$ of the previous states.

The model developed allows one to investigate the behavior of a CTS which combines continuous changes and jumps occurring at the following significant events:
- transition of the object's state to the boundary of an admissible subset of the phase space;
- receipt of input signals;
- receipt of control signals;
- receipt of the results of monitoring and diagnostics.

The results of simulation carried out on the basis of the models developed are represented in the form of a graph, where an edge denotes a discrete transition from one state to another and a node denotes the period of continuous motion along the trajectory (the process of state change), i.e. in the form of a definite information-type logic-mathematical model.
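The discrete-continuous model above can be made concrete with a single phase coordinate. The following is an added example, not the chapter's software: the effective crack size a grows continuously inside a subspace, the transition operator H assigns the state to a subspace when a boundary is crossed, the output operator G reports the monitored parameter, and the risk R of the current state is compared with an acceptable level to decide on a control u from the safety system. The subspace boundaries (the 2 mm defect limit, the 3 mm crack depth limit, destruction when K1 reaches K1c) are the ones the chapter lists for the pipeline in Section 5; the stress, fracture toughness, geometry factor, growth rate, losses and the acceptable risk are constructed values for the illustration, and the stress intensity formula is the standard K1 = Y·σ·√(πa) of linear elastic fracture mechanics.

```python
"""Discrete-continuous state dynamics of a pipeline element (added example)."""
import math

# Ordered subspaces C_1..C_K of the generalized cause-and-effect complex (first three only).
SUBSPACES = ["imperfection", "damage", "destruction"]

DEFECT_LIMIT_MM = 2.0        # allowable welding defect length (chapter, Section 5)
CRACK_DEPTH_LIMIT_MM = 3.0   # allowable crack depth in the "damage" space (chapter, Section 5)
K1C = 30.0                   # constructed fracture toughness, MPa*sqrt(m)
SIGMA = 200.0                # constructed operating stress, MPa
Y_EDGE = 1.12                # geometry factor for an edge crack (LEFM)
GROWTH_MM_PER_STEP = 0.25    # constructed crack growth per time step under heightened vibration
LOSS = {"imperfection": 1.0, "damage": 10.0, "destruction": 1000.0}  # constructed, relative units
ACCEPTABLE_RISK = 900.0      # constructed acceptable risk level


def stress_intensity(a_mm: float) -> float:
    """K1 = Y * sigma * sqrt(pi * a); a is converted from mm to m."""
    return Y_EDGE * SIGMA * math.sqrt(math.pi * a_mm / 1000.0)


def transition(a_mm: float) -> str:
    """Operator H: the subspace whose boundaries contain the phase coordinate a."""
    if stress_intensity(a_mm) >= K1C:      # K1 >= K1c: brittle destruction
        return "destruction"
    if a_mm > DEFECT_LIMIT_MM:             # the defect has grown into a crack
        return "damage"
    return "imperfection"


def risk(state: str, a_mm: float) -> float:
    """R: expert appraisal of the possibility of the next state times its loss.
    The possibility is taken as the fraction of the admissible range already consumed."""
    if state == "damage":
        return min(1.0, a_mm / CRACK_DEPTH_LIMIT_MM) * LOSS["destruction"]
    if state == "imperfection":
        return min(1.0, a_mm / DEFECT_LIMIT_MM) * LOSS["damage"]
    return LOSS["destruction"]


def simulate(a0_mm: float = 1.0, with_control: bool = True, max_steps: int = 100):
    """Phase trajectory c(t): one record per step, as produced by the output operator G."""
    a, vibration, trajectory = a0_mm, 1.0, []
    for t in range(max_steps):
        state = transition(a)
        r = risk(state, a)
        control = None
        if with_control and state != "destruction" and r > ACCEPTABLE_RISK and vibration == 1.0:
            vibration = 0.5                 # control u: reduce the vibration level
            control = "reduce vibration"
        trajectory.append({"t": t, "a_mm": a, "K1": round(stress_intensity(a), 2),
                           "state": state, "risk": round(r, 1), "control": control})
        if state == "destruction":
            break
        a += GROWTH_MM_PER_STEP * vibration  # continuous motion inside the subspace
    return trajectory


def first_entry(trajectory, state: str):
    """Step at which the trajectory first enters the given subspace (None if never)."""
    for rec in trajectory:
        if rec["state"] == state:
            return rec["t"]
    return None


if __name__ == "__main__":
    for rec in simulate(with_control=True):
        print(rec)
```

With these constructed values the uncontrolled trajectory enters the "damage" space at step 5 and the "destruction" space at step 19; with the control applied once the risk exceeds the acceptable level, destruction is postponed to step 31. The point is the structure, not the numbers: the jump between subspaces is decided by H on a boundary condition, while the motion inside a subspace stays continuous.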

3. Methodology of the Computer-Aided Investigation of Safety

The results of the modeling obtained have formed the ground of the methodology for investigating the properties and factors forming technogenic safety. The methodology is determined by the model of the object of investigation, by the structure and functions of the investigation process, and by the set of methods employed in the investigation. The investigation process has a hierarchical structure, conditioned by the following factors:
- the structure of the object under scrutiny: part, unit of an assembly, mechanical system, technical system;
- the proposed structure of the technical state space: defect, damage, destruction, failure, pre-emergency, emergency, technogenic catastrophe;
- the set of mechanisms of occurrence and the variety of hazards which are the causes of safety violation;
- the set of scenarios of development of each hazard;
- the set of variants of decisions for the provision of safety properties which satisfy the conditions of acceptable risk.

[Figure 3 (architecture diagram): the system's functional blocks (defining the model for the objects to be designed; identification of mechanisms of hazard state dynamics; identification of the cause-and-effect complex of hazard state development; constructing generalized scenarios of development of a hazard state; determination of the risk of development of the hazard state; determination of properties of reliability and safety for the object; estimation of the decision made); its informational software (database of objects; DB of hazards (risk factors) and risk criteria; DB of damages; DB of destruction; DB of degradation processes; DB of consequences of hazards; DB of available undertakings for reducing the risk of hazards (safety properties); case bases of failure, accident, emergency and technogenic catastrophe); its intelligent systems (expert system for determination of the cause-and-effect complex of hazard states; expert system for constructing scenarios of development of hazard states; expert system for defining preventive, control and protective undertakings); and its mathematical models (modeling the events for scenarios of development of hazard states; modeling the consequences of events of hazard states; estimation of probability (frequency) for the scenario of a hazard state; estimation of the risk for the scenario of a hazard state; making a decision on the efficiency of undertakings). DB denotes a database, CB a case base.]

Figure 3. The architecture of the system for investigation and provision of reliability and safety of Complex Technical Systems.

The model of the cause-and-effect complex proposed is the decisive factor defining the scheme of investigation, which includes consecutive investigation stages covering all the phases of states, from the appearance of a defect to the formation of the technogenic catastrophe. At each stage the factors are revealed which condition and influence the frequency and consequences of hazardous states. This is necessary for determining the rational preventive, control and protective properties of the CTS, which are generalized in the concept of "property of safety". Methods and aids for providing these properties are based on the results of such investigations. The functions of the investigation process correspond to the stages of decision making needed to achieve the objectives bound up with providing acceptable risk for all kinds of hazardous states of a CTS (Fig.3). The information-logic-mathematical model of the object of investigation is developed using a combination of technologies: object-oriented databases, knowledge bases, mathematical modeling and dynamic analysis. Information about the properties of the object of investigation is contained in the database of mechanical systems; knowledge about processes and phenomena, in the knowledge bases; information on the principles of process dynamics and phenomena, which are described by mathematical models, is represented by computing modules (Fig.3). Model-based investigations are also supported by combining the methods: case-based reasoning, rule-based reasoning, numerical methods, ontologies [Berman-93, Nikolaychuk-08, Portinale-04, Uschold, Aamodt].

Figure 4. Review of investigation results.

The case-based approach [Aamodt] allows an expert to represent knowledge about the problem situation as a complete pattern, i.e. a precedent, and to make a decision while reasoning on the basis of known precedents (available experience), which is very close to the model of human common-sense reasoning. This approach allows one to avoid previous mistakes and speeds up the decision-making process.


The process of solving the problem under the given approach consists of the identification (recognition) of a possible state with the aid of a set of external effects specified (introduced) by the user and a set of properties of the reliability and safety systems. Hence it is possible to identify the following principal stages: retrieval of similar situations (cases) and reuse of the decisions made in similar situations, including their adaptation to the new problem situation. Ontology [Uschold] is the most contemporary form of information (data and knowledge) representation. The principal intention of an ontology is the integration of information. An ontology facilitates structuring and modeling weakly formalized problem domains. Being grounded on a general set of terms, it determines and simplifies the semantics of formal information and facilitates its computer processing, while representing the information in a form convenient for perception. The application of ontology to the problems of providing safety of CTSs is conditioned by the insufficient formalization and the multidisciplinary character of the problem under scrutiny. Solving the problem requires the application of knowledge from materials science, solid-state physics, the physics and mechanics of destruction, physical and chemical mechanics and the strength of materials, monitoring, diagnostics and forecasting, and the theories of risk and safety. Furthermore, as in all multidisciplinary investigations, there is the problem of knowledge coordination, of developing a uniform conceptual apparatus which would provide for efficient interaction between researchers from different knowledge domains. In the proposed ontology of mechanical systems' safety the principal concepts are formalized from the viewpoint of the cause-and-effect complex of safety violation. The formalized concepts form a taxonomy in which concepts inherit the properties of more general concepts. Such abstract concepts as defect, damage, destruction, failure, pre-emergency, emergency and technogenic catastrophe have been decomposed into definite concepts. The ontology elaborated is intended to be used as a knowledge base for the system providing for safety.
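The retrieval and reuse stages of the case-based approach described above can be shown on a small case base. The following is an added example and not the chapter's case base or expert system: each precedent records the properties of a mechanical system, its external effects and its reliability and safety measures together with the hazardous state that was observed and the undertaking that proved effective; retrieval ranks precedents by a weighted similarity over nominal and numeric attributes, and reuse takes over the scenario and undertaking of the best match as a first solution for the engineer to adapt. All cases, attribute names, scales and weights are constructed for the illustration; the new problem situation follows the pipeline features listed in Section 5, with the pressure and temperature values constructed.

```python
"""Case-based retrieval over a constructed case base of failure precedents (added example)."""
from dataclasses import dataclass

# Constructed scale per numeric attribute and constructed weight per attribute.
NUMERIC = {"pressure_mpa": 30.0, "temperature_c": 500.0}
WEIGHTS = {"material": 1.0, "joint": 2.0, "agent": 1.5, "vibration": 2.0,
           "pressure_mpa": 1.0, "temperature_c": 0.5, "diagnostics": 1.0}


@dataclass(frozen=True)
class Case:
    situation: dict        # properties of the system, impacts, reliability/safety measures
    state_observed: str    # hazardous state reached in the precedent
    undertaking: str       # measure that was effective in the precedent


CASE_BASE = (
    Case({"material": "carbon steel", "joint": "erection weld", "agent": "explosive",
          "vibration": "high", "pressure_mpa": 25.0, "temperature_c": 200.0,
          "diagnostics": "periodic"},
         "destruction: brittle failure from a weld crack",
         "reduce vibration; inspect welds before start-up"),
    Case({"material": "stainless steel", "joint": "flange", "agent": "toxic",
          "vibration": "low", "pressure_mpa": 5.0, "temperature_c": 60.0,
          "diagnostics": "continuous"},
         "failure: leak at a flange gasket",
         "replace gasket material; shorten the inspection interval"),
    Case({"material": "carbon steel", "joint": "erection weld", "agent": "inert",
          "vibration": "low", "pressure_mpa": 2.0, "temperature_c": 20.0,
          "diagnostics": "none"},
         "damage: local corrosion",
         "apply coating; add wall-thickness monitoring"),
)

# Constructed new problem situation: the pipeline under the ammonia synthesis column.
NEW_SITUATION = {"material": "carbon steel", "joint": "erection weld", "agent": "explosive",
                 "vibration": "high", "pressure_mpa": 30.0, "temperature_c": 350.0,
                 "diagnostics": "periodic"}


def attribute_similarity(name: str, a, b) -> float:
    """1.0 for equal nominal values; 1 - |a-b|/scale for numeric ones, floored at 0."""
    if name in NUMERIC:
        return max(0.0, 1.0 - abs(float(a) - float(b)) / NUMERIC[name])
    return 1.0 if a == b else 0.0


def similarity(new: dict, old: dict) -> float:
    """Weighted mean of attribute similarities over the attributes both situations share."""
    shared = [k for k in new if k in old]
    total = sum(WEIGHTS[k] for k in shared)
    if total == 0:
        return 0.0
    return sum(WEIGHTS[k] * attribute_similarity(k, new[k], old[k]) for k in shared) / total


def retrieve(new: dict, case_base=CASE_BASE, k: int = 2):
    """Retrieval stage: the k most similar precedents as (similarity, case) pairs, best first."""
    ranked = sorted(((similarity(new, c.situation), c) for c in case_base),
                    key=lambda pair: pair[0], reverse=True)
    return ranked[:k]


def reuse(new: dict, case_base=CASE_BASE) -> dict:
    """Reuse stage: take over the scenario and undertaking of the best precedent."""
    sim, best = retrieve(new, case_base, k=1)[0]
    return {"similarity": round(sim, 3), "expected_state": best.state_observed,
            "undertaking": best.undertaking}


if __name__ == "__main__":
    print(reuse(NEW_SITUATION))
```

The adaptation step is left to the engineer here; in a fuller system it would adjust the reused undertaking to the attributes on which the new situation differs from the precedent (in this constructed case, the higher pressure and temperature).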

4. Discussion and Application

4.1. The Conception of an Intelligent Information-Analytical System for Computer-Aided Investigation of Safety

The problem of investigating, providing and enhancing (improving) safety is solved during the whole life cycle of a CTS (pre-design investigation, design stage, manufacturing, assembly and exploitation). The development of recommendations concerning the provision of safety necessitates an evident increase in the efficiency of research as well as the elaboration of computer-aided systems intended for revealing regularities in the development of hazards independently of the functions and structure of the CTS. The principal direction in the development of such computer-aided systems for the automation of both investigation and design (CAD systems) implies the application and improvement of i) contemporary information technologies, ii) the object-oriented approach, and iii) principles and methods of artificial intelligence. The conception of the intelligent information-analytical system for the computer-aided investigation of safety at the design stage reflects the proposed methodology. The system's architecture is shown in Fig.3.


At the first stage of the investigation, a model of the object of investigation is defined on the basis of the available prototypes. The process of selecting the object's prototype starts from determining whether the object belongs to a definite industry (chemical-technological systems, power systems, mining complexes, etc.) and is completed by defining the technique by which the functions are realized. Next, it is necessary to additionally define the system's structure (define the types of structural elements and choose prototypes of the structural elements) as well as the properties for the model of this prototype. The choice depends on the objective of the investigation and on the information which the researcher possesses or intends to use. At the second stage, it is necessary to identify the mechanisms of occurrence of undesirable states. On the one hand, these are the mechanisms of occurrence of degradation processes; on the other, these are the hazards inherent to the object of investigation. Among the hazards it is expedient to identify hazardous (poisonous, fire-dangerous, radioactive, etc.) substances and hazardous technologies (high pressure, high temperature, etc.). Each mechanism of occurrence of a hazardous state is characterized by i) a set of properties, ii) computing models which determine these properties, and iii) logic-mathematical models of dynamics. Each mechanism of occurrence (development) of undesirable states may give rise to a definite number of development scenarios (design, post-design and hypothetical scenarios). All the scenarios are considered with respect to the definition of a generalized scenario (a cause-and-effect complex) of development of the undesirable state. The scenarios form the basis for a further detailed investigation of the cause-and-effect complex with the aid of the information-logic-mathematical model of the object's state dynamics. In the course of the investigation, object-oriented databases, hybrid expert systems and mathematical models are used in an integrated form. Each event of the generalized scenario, as well as the state caused by this event, is characterized by a frequency and consequences. Hence each event of the scenario, and also the total set of events included in the scenario, can be estimated with respect to risk. At the last stages of the investigation, it is necessary to provide for acceptable risk, completing the model of the object of investigation with additional properties of reliability and safety for each of the events (states) and for the scenario as a whole. Each prototype of the model, each hazard, each scenario and each event is characterized by its properties, ranked with respect to efficiency from the viewpoint of the opportunity of providing reliability and safety (taking the time limit into account) and the cost of their realization. In the course of realizing its main functions, the software which we propose shall actively employ the case information contained in the system's case bases.

4.2. Efficiency of Investigations

An increase in the efficiency of investigations is ensured by contemporary approaches and methods, which include systems analysis, mathematical modeling, information technologies and systems. The practical engineering knowledge needed for solving the problem of providing the safety of systems forms a combination of heuristics, mathematical and empirical models, algorithms and man-machine procedures for solving definite problems on these models. For the efficient solving of problems, these are represented in the computer-aided system in the form of a hybrid expert system and an ontology. The efficiency of the modeling technology is achieved by automating the creation and application of the corresponding models in the investigation of the phenomena, processes, events and states which condition the risk, as needed for the substantiation of the safety properties which reduce the risk.

5. Application of the Methodology


The statement can be exemplified by the function "Identification of cause-and-effect complex of hazard states" of the computer system (Fig.3). The object of investigation is the mechanical system of the pipeline under the ammonia synthesis column. The following main features have been outlined in order to solve the problem posed:
- Properties of the system: it is manufactured from carbon steel; erection welds; impermeable elements; the pipeline is intended for transporting an explosive and fire-risky agent.
- Affecting factors (impacts): high internal pressure; high temperature; vibration, etc.
- Characteristics of the reliability system: margin of safety; durability; periodic diagnostics.
- Parameters of the phase space:
  - Space of imperfection: allowable equivalent area of a welding defect not exceeding 5 mm²; allowable length of a welding defect no more than 2 mm; allowable height of a beaded weld no more than 3 mm.
  - Space of damage: the pipeline is allowed to operate until the nearest repair, but no more than 3000 hours, with cross cracks never exceeding 5 mm and longitudinal cracks with a depth of no more than 3 mm; local corrosion is allowed to a depth of 2 mm only.
  - Space of destruction: the pipeline must not be divided into several parts; formation of strip breakage and swelling is not permitted.
  - Space of failure: depressurization of permanent links is not permitted; depressurization of in-cut connections is permitted at only 1 l/h.
  - Space of pre-emergency: filling premises with a fire-risky, explosive or poisonous agent up to the maximum permissible concentration (MPC) is not permitted.
  - Space of emergency: any explosion, fire or propagation of a toxic cloud is not permitted.
  - Space of technogenic catastrophe: significant economic and/or social and/or environmental losses are not permitted.

Consider the hypothetical scenario assuming that the object of investigation has an inadmissible defect when operation begins. Let us describe the mechanism of change of the pipeline state under the influence of internal causes. The type of causes is defined by operator $H_1$ based on model $L_1$. This model is a combination of components: the database of mechanical systems, including information on the pipeline characteristics, and a production knowledge base contained in the "Expert system for determination of the cause-and-effect complex of hazard states" (Fig.3). The knowledge base contains a set of production rules:
- IF Manufacturing technology is erection welds (with certainty factor (henceforth CF) = 1.0) THEN There are defects of welding (CF = 0.8);
- IF There are defects of welding (CF > 0.6) AND There is a heightened vibration (CF > 0.8) THEN There is damage: cracks (CF = 0.4), etc. (Fig. 4) [1, 12, 15].

Thus, in the "imperfection" space the following variants of change of state are possible (Fig. 4):


- development of damage (cracks) from an inadmissible welding defect, with CF = 0.4;
- presence of an inadmissible welding defect without development of damage, with CF = 0.6, etc.

Let us examine the first variant of a possible change of the pipeline state. The state is characterized by the presence of damage in the object of investigation, which is unacceptable for the "imperfection" space. At the time when the process of state change reaches the boundary of the admissible area of the "imperfection" space, i.e. when under the impact of vibration a transversal micro-crack begins to develop from a transversal defect, the state at the boundary point of the "imperfection" space changes in a jump-like manner and is described by the parameters of the next space, the "damage" space. Operator $H_2$ determines to which point the jump occurred, based on inference on model $L_2$. In the "damage" space the state is described by new parameters, where the length of a transversal crack should not exceed 5 mm. Using model $L_2$, an inference on the possible variants of change of the state of the object of investigation is made, for instance on the further growth of the crack, i.e. an increase of its effective size, in this case the depth, with CF = 0.4. At the moment when the crack size reaches the value determined by the inequality $K_1 \ge K_{1c}$ (or the crack comes through), the state of the object of investigation changes with a transition to the next space, the "destruction" space, where the element must not be divided into several parts. Operator $H_3$ determines to which point of the space the transition is accomplished according to model $L_3$. Model $L_3$ operates with the production (rule-based) knowledge base and the mathematical models involved. The production knowledge base contains the following rules:
- IF There is a heightened vibration (CF > 0.8) AND $K_1 \ge K_{1c}$ (CF = 1.0) THEN There is a brittle failure (CF = 1.0);
- IF There is a brittle failure (CF = 1.0) THEN The brittle failure is expressed in dividing the object into parts (CF = 1.0);
- IF The brittle failure is expressed in dividing the object into parts (CF = 1.0) AND There is displacement of parts in space (CF = 1.0) THEN A spark is produced by the parts colliding with other objects (CF = 1.0);
- IF A spark is produced by the parts colliding with other objects (CF = 1.0) AND (There is an agent emission (CF = 1.0) OR There is an agent availability) AND The agent is explosive and fire risky (CF = 1.0) THEN There is fire (CF = 1.0);
- IF There is a brittle failure (CF = 1.0) AND There is an agent emission (CF = 1.0) THEN A cloud is formed (CF = 1.0);
- IF The agent is toxic (CF = 1.0) AND A cloud is formed (CF = 1.0) AND There is a wind (CF = 1.0) AND The wind blows towards a settlement (CF = 1.0) THEN The cloud displaces towards the settlement AND Inhabitants are poisoned (CF = 1.0).

The mathematical models contained in the block "Modeling the events for scenarios of development of hazard states" (Fig. 3) solve the following problems:
- calculation of the stress intensity coefficient at the crack tip ($K_1$);
- calculation of the speed of displacement of pipeline parts;
- calculation of fire parameters;
- calculation of the size of a cloud;
- calculation of the displacement speed of a cloud, etc.

Based on the knowledge model $L_3$ an inference on the possible variants of state change is made:
- brittle failure, with CF = 0.9;
- further growth of the cross crack without brittle failure, with CF = 0.1.

Figure 5. Crack in a joint weld.

Considering the first variant of change of the technical state, i.e. a brittle failure of the pipeline, the model infers a practically immediate sudden change of the object state into the space of "emergency": depressurization of the permanent connection takes place through the entire section (space "failure"); the area is filled with a fire-risky and explosive agent (space "pre-emergency"); a fire occurs (space "emergency"). At each critical moment the subsystem yields an output signal characterizing the technical state. When switching to the space of "destruction", the output signal contains information on the agent emission.
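As an added example (not the author's code), the production rules above can be executed by a small forward-chaining engine with certainty factors. Fact names are paraphrased from the rules; the initial CF values of the constructed scenario and the CF arithmetic (minimum over AND-clauses, maximum over OR-alternatives, scaling by the rule's CF, and MYCIN-style combination when two rules support one conclusion) are assumptions of this example.

```python
"""Forward chaining over production rules with certainty factors (CF).

Added example, not the author's implementation: runs the six rules of the
production knowledge base for model L3 against an initial technical state.
Fact names are paraphrased from the rules; scenario CF values and the CF
arithmetic are this example's assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    # AND of clauses; each clause is a tuple of (fact, threshold) alternatives (OR).
    # A fact satisfies a clause when its CF is strictly greater than the threshold,
    # which is how the "(CF > 0.8)" condition on vibration is expressed.
    premises: tuple
    conclusions: tuple
    cf: float


def clause_cf(clause, facts):
    """CF contributed by one OR-clause: the best alternative above its threshold, else 0."""
    best = 0.0
    for fact, threshold in clause:
        cf = facts.get(fact, 0.0)
        if cf > threshold and cf > best:
            best = cf
    return best


def combine(old, new):
    """MYCIN-style combination of two positive CFs supporting the same conclusion."""
    return old + new - old * new


def forward_chain(rules, facts):
    """Fire rules until no new conclusion can be drawn; each rule fires at most once.
    Returns the extended fact base and the (rule, derived CF) trace in firing order."""
    facts = dict(facts)
    fired, trace = set(), []
    progress = True
    while progress:
        progress = False
        for rule in rules:
            if rule.name in fired:
                continue
            strength = min(clause_cf(c, facts) for c in rule.premises)
            if strength <= 0.0:
                continue  # at least one AND-clause is unsupported
            derived = strength * rule.cf
            for concl in rule.conclusions:
                facts[concl] = combine(facts[concl], derived) if concl in facts else derived
            fired.add(rule.name)
            trace.append((rule.name, derived))
            progress = True
    return facts, trace


def any_of(*facts, threshold=0.0):
    """Build an OR-clause from fact names that share one threshold."""
    return tuple((f, threshold) for f in facts)


# The six rules of the production knowledge base quoted in the text.
RULES = (
    Rule("R1", (any_of("heightened vibration", threshold=0.8), any_of("K1 >= K1c")),
         ("brittle failure",), 1.0),
    Rule("R2", (any_of("brittle failure"),), ("object divided into parts",), 1.0),
    Rule("R3", (any_of("object divided into parts"), any_of("displacement of parts")),
         ("spark",), 1.0),
    Rule("R4", (any_of("spark"), any_of("agent emission", "agent availability"),
                any_of("agent explosive and fire-risky")), ("fire",), 1.0),
    Rule("R5", (any_of("brittle failure"), any_of("agent emission")), ("cloud formed",), 1.0),
    Rule("R6", (any_of("agent toxic"), any_of("cloud formed"), any_of("wind"),
                any_of("wind towards settlement")),
         ("cloud displaces towards settlement", "inhabitants poisoned"), 1.0),
)

# Constructed initial state (assumption): heightened vibration with CF 0.9, a crack
# with K1 >= K1c, an agent that is both toxic and flammable, wind towards a settlement.
SCENARIO = {
    "heightened vibration": 0.9,
    "K1 >= K1c": 1.0,
    "displacement of parts": 1.0,
    "agent emission": 1.0,
    "agent explosive and fire-risky": 1.0,
    "agent toxic": 1.0,
    "wind": 1.0,
    "wind towards settlement": 1.0,
}


def run_scenario(initial):
    """Extended fact base after chaining RULES over an initial state."""
    return forward_chain(RULES, initial)[0]


if __name__ == "__main__":
    facts, trace = forward_chain(RULES, SCENARIO)
    for name, cf in trace:
        print(f"{name} fired, derived CF {cf:.2f}")
    for fact in ("brittle failure", "fire", "inhabitants poisoned"):
        print(f"{fact}: CF {facts.get(fact, 0.0):.2f}")
```

Because the rules are listed in dependency order, a single pass derives the whole chain; the vibration CF of 0.9 propagates to every downstream conclusion as min-over-premises, while a vibration CF of exactly 0.8 fails the strict threshold and nothing fires.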


After the output signal on the technical state is received, the data are evaluated by the risk R, calculated in the mathematical modeling block "Estimation of probability (frequency) for the scenario of hazard state" (Fig. 3). If the calculated value of risk is higher than the acceptable one, a control action is undertaken, which should change the behavior of the object of investigation. The control actions at the stages of design and operation are different. For instance, at the design stage, when information on the technical state in the space of "emergency" is received, control actions are undertaken to reduce the degree of vibration, to ensure the quality of diagnostics and to control the correspondence of the object to the design requirements. At this stage the "Expert system for defining preventive, control and protective undertakings" is operating (Fig. 3). The hypothetical scenario described above actually occurred in industry: the failure of such a pipeline, because of a crack in a welded seam and increased vibration (Fig. 5), caused a fire and the fall of the ammonia synthesis column (Fig. 6) and, therefore, significant economic losses.

Figure 6. Consequences of accident.

6. Conclusion

The generalized structure of the cause-and-effect complex described above is proposed for the first time and represents the dynamics of the technical state of complex mechanical systems. This structure allows the researcher to bring into systematic form both data and knowledge on the regularities related to safety violation. A generalized scenario of safety variation for a complex mechanical system has been grounded; it makes it possible to automate the development of scenarios of technical state dynamics for such a system. A discrete-continuous information-logic-mathematical model of the object of investigation has been described, whose computer implementation will allow the researcher to perform simulation modeling of state dynamics for complex mechanical systems and to conduct investigations aimed at defining the safety properties with respect to risk criteria. The proposed concept of an information-analytical system makes it possible to develop a software system intended for efficient qualitative investigation and provision of the safety of complex mechanical systems on the basis of contemporary information technologies and methods of artificial intelligence.

7. Acknowledgements

This work was supported in part by the Branch of Physical and Technical Problems of Energetics of the Russian Academy of Sciences, the research program "Dynamics and stability of multicomponent machine-building systems with the account of technogenic safety" and the Russian Science Support Foundation.




Comparative Analysis of Technological and Intelligent Terrorism Impacts on Complex Technical Systems – N.A. Makhutov and G.B. Baecher (Eds.) IOS Press, 2012 © 2012 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-61499-131-1-120

Vulnerability Assessment of Complex Civil Works Systems Using Expert-Opinion Elicitation

Robert C. PATEV
Senior Risk Advisor, Risk Management Center, US Army Corps of Engineers, Concord, MA, USA

Abstract. This paper describes a technique that can be used to estimate the probabilities and consequences required in the vulnerability assessment of civil works projects against terrorist threats. The Expert-Opinion Elicitation (EOE) methodology developed by the U.S. Army Corps of Engineers (USACE) is presented in detail. The USACE EOE methodology limits the use of words of estimative probability in order to reduce the anchoring bias that comes with qualitative descriptors. A demonstration vulnerability EOE example is also included to show how the process and the opinion data may be properly analyzed. Conclusions are drawn to show the major benefits of using the EOE methodology to estimate probabilities for vulnerability assessment.

Keywords. Vulnerability Assessment, Risk Assessment, Expert Opinion Elicitation, Delphi Method, Words of Estimative Probabilities


1. Introduction

This paper discusses the use of Expert-Opinion Elicitation (EOE) procedures in the vulnerability assessment of complex civil works systems. Civil works systems are vulnerable to terrorist attacks, and the estimation of the probabilities and consequences is critical in determining the risk mitigation that the owner will require. EOE, sometimes called the "Delphi Method", was developed by Dalkey and Helmer [1] and has been integrated into various risk assessment procedures for many types of engineering structures. The process consists of selecting experts in the field of interest and polling them on their beliefs and opinions on the issues or questions, in order to derive values (e.g., probabilities, consequences or simple binary numbers) for use in the vulnerability assessment. However, the use of the qualitative descriptors introduced by Vick [2] to assist experts in estimating probabilities during this process tends to lead to overconfidence and anchoring bias, which hamper the experts' ability to properly develop the reasonable range and statistical parameters that result from this type of subjective process.


R.C. Patev / Vulnerability Assessment of Complex Civil Works Systems


2. Expert-Opinion Elicitation


The Expert-Opinion process was originally called the "Delphi Method", as it is still called in other parts of the literature. The process was developed by United States Air Force Project RAND in the late 1950s and early 1960s for use during the Cold War as a method of estimating the number of atomic bombs that would reduce munitions output by a prescribed amount. The original EOE work published by Dalkey and Helmer [1], "An Experimental Application of the Delphi Method to the Use of Experts", defines a process of expert opinion using a series of repeated individual questionings (by interview and by mailed questionnaire) that avoided direct confrontation of the experts. The goal of the experiments was to obtain the "most reliable consensus of opinion of a group of experts". Dalkey and Helmer [1] examined the consensus of experts using the convergence of the results from each solicitation; the study used seven experts: four economists, a physical vulnerability expert, a systems analyst, and an electronics engineer. The experiment required mailing five questionnaires at approximately weekly intervals. The first and third weeks were followed up by interviews, and the questions were updated based on feedback from the experts' responses. Each update gave the experts controlled feedback on each new question. The results from the Delphi Method are shown in the plot of the experts' convergence in Figure 1. Note that the experts never actually reached consensus, since there is not one value but a range of opinions, represented by the diversity of the experts who answered the questionnaires and participated in the study. In addition, Dalkey [3] compared the (anonymous) Delphi process to a face-to-face group process and concluded that the comparison "did not yield a clear and simple outcome". He concluded that further experiments are needed to establish the effect of face-to-face interaction of experts.

3. Words of Estimative Probabilities

The term "words of estimative probability" (WEP) was coined by Sherman Kent [4] and used by intelligence analysts at the CIA to report the likelihood of a future event occurring. Kent [4] showed the drawbacks and problems of misleading expressions of odds in national intelligence. Tables of such words are called "Kent tables" and are sometimes used to anchor expert opinions on the probabilities of events. These tables have been adopted in many fields, including medicine and engineering, to assist in linking a qualitative descriptor with a probability. However, as Kent [4] states, "caution should be used in defining words for tables and need to avoid 'weasel' words such as might, could, possibly, maybe, etc."; Kent added that such words lead to ambiguity and cause confusion among different experts trying to estimate probabilities. Kent's original table, showing the words and probabilities that he first defined as WEPs, is shown in Figure 2.


Figure 1. Convergence of Expert’s Result from Delphi Method [1]

Figure 2. WEPs defined by Kent [4] (table columns: Descriptor, Probability, Range).

Researchers in psychology have likewise shown the difficulty of this process and have identified the anchoring bias that comes with using WEPs to define actual probabilities. The experimental results of Heuer [5], Lichtenstein and Newman [6] and Hillson and Hulett [7] are only a few of many classic case studies showing how WEPs capture a wide range of probabilities for each descriptor. The WEP tables of these researchers are shown in Figures 3, 4 and 5, respectively. Another example is the WEP table currently used by the USACE in its estimation of dam safety probabilities, which was defined after the WEP tables presented in Vick [2]; this table is shown in Figure 6. These tables are currently being used to gain a "consensus" single opinion from a group of experts using the descriptors and the corresponding probabilities of failure. There is no supporting evidence or calibration of the probability values assigned to the descriptors in this table; the values were set by arbitrary, or possibly biased, assignment.


Figure 3. Results of WEP by Heuer [5]

Verbal description                          Probability equivalent   Low    High
virtually impossible                        0.01                     0.00   0.05
very unlikely                               0.10                     0.02   0.15
unlikely                                    0.15                     0.04   0.45
fairly unlikely, rather unlikely            0.25                     0.02   0.75
fair chance, toss-up                        0.50                     0.25   0.85
usually, good chance, probable, likely      0.75                     0.25   0.95
quite likely                                0.80                     0.30   0.99
very likely, very probably                  0.90                     0.75   0.99
virtually certain                           0.99                     0.90   1.00

Figure 4. Results of WEP Study by Lichtenstein and Newman [6]


Figure 5. Results of WEP Study by Hillson and Hulett [7]

A recent USACE study was conducted on the WEP table shown in Figure 6 to see how close the probability values in the table were to the actual estimates of the descriptors by unbiased experts. The study was conducted on 103 engineers from six different USACE Divisions during Risk and Reliability Workshops held throughout the United States. Students were blindly shown the descriptors of the WEP table in Figure 6 and then asked to estimate their probabilities for each WEP descriptor. The students were told that the table referred to dam safety failure probabilities, to give them a basis for the selection of their estimates. The students were also asked whether they had any questions on the WEP table or its descriptions before they answered, so that any weasel words could be addressed before their estimates were made. The results from the USACE study, shown in Figure 7, were very similar in trend to the previous studies of Heuer [5], Lichtenstein and Newman [6], and Hillson and Hulett [7]. The study indicated a very wide range of minimum and maximum results from the engineers polled. This was probably due to the differences in their beliefs about the actual probabilities that are estimated for dam structures. The interesting result of this study is that the probabilities in the original WEP table are not really reflective of what the larger engineering population is thinking as a whole. The major difference is in the lower event probabilities, which are an order of magnitude different from what was presented in the original WEP table. This is not surprising given the "weasel" words that lurk in Figure 6.

4. USACE EOE Process

The USACE has developed an Expert-Opinion Elicitation methodology that is a variation of the Delphi Method discussed by Dalkey and Helmer [1]. The EOE process was incorporated into the USACE risk protocol in the late 1990s and was developed to assist in producing best-estimate probabilities for very complex engineering problems.


Probability   Description of the perceived likelihood associated with occurrence
0.999         There is evidence of the event/issue occurring on this project; VIRTUAL CERTAINTY
0.9           There is supporting evidence, either through performance, physical condition, or analytical techniques, which indicates the characteristics exist that make the event/issue VERY LIKELY TO OCCUR, BUT NOT A CERTAINTY
0.5           Supporting evidence exists, either through performance, physical condition, or analysis, that indicates the event/issue is possible; there is significant evidence from historical data that the event/issue has occurred on similar projects; however, it is deemed just as likely to occur as not to occur given the information available; RISK NEUTRAL
0.1           The event/issue being evaluated is plausible and there is evidence or characteristics to suggest that it could occur, but there is no supporting evidence to indicate that it will occur on this particular project; however, there is ample historical data available to suggest the event/issue has occurred on similar type projects; POSSIBLE
0.01          The event/issue being evaluated is plausible but there is no supporting evidence to indicate it will occur on this particular project and there is no historical data available to suggest that it has occurred on similar type projects; UNLIKELY TO OCCUR
0.001         Occurrence of the event/issue is considered VIRTUALLY IMPOSSIBLE

Figure 6. USACE WEP Table modified from Vick [2]


Descriptor             Mean   Median   Std Dev   Min        Max
Virtually Certain      0.93   0.99     0.18      1.00E-02   1.00
Very Likely            0.79   0.83     0.19      1.00E-03   0.99
Risk Neutral           0.49   0.50     0.16      1.00E-04   0.90
Possible               0.33   0.33     0.17      1.00E-05   0.75
Unlikely               0.14   0.10     0.11      1.00E-06   0.50
Virtually Impossible   0.02   0.01     0.04      0.00E+00   0.25

Figure 7. Results for USACE WEP Study

The current process uses an undisclosed (blind) vote with a two-response elicitation process. EOE is a formal (protocol-driven), heuristic (through discussion) process of obtaining information or answers to specific questions, called issues. Heuristics are the internal frames of reference used by individuals and groups to inform judgment when no firm data are available. The issues can be addressed by a set of pre-defined questions to obtain the failure rates or probabilities, and the failure consequences, of civil works components or structures. However, if not controlled properly, this process does bring motivational and cognitive biases into the results; these have to be examined both during and after the elicitation is performed. The first applications of EOE were for USACE navigation projects, but it is now being applied to estimate probabilities on Flood Risk Management projects (dam safety, levee safety and hurricane protection systems). Since the introduction of the EOE process into the USACE, the method has been successfully calibrated to predict both good and poor field performance of both navigation and flood risk management structures.


The USACE EOE process requires the following participants:

1. Experts – selected by a team not participating in voting in the EOE. Experts are the only ones who can vote. The experts should meet the following criteria:
   - Strong relevant expertise
   - Familiarity and knowledge of the issues
   - Willingness to act as impartial evaluators
   - Willingness to participate, prepare, and provide needed input
   - Strong communication skills, interpersonal skills, and ability to generalize
   - Experts come from inside USACE and from outside technical experts
2. Observers – usually technical staff or subject-matter experts who are involved in the elicitation and can assist the experts with their knowledge and opinion of the subjects. The observers do not get a vote.
3. Listeners – usually technical managers present to witness and hear the discussion during the elicitation. They cannot say anything to the experts and do not get a vote in the elicitation. They are at the EOE primarily for QA/QC after the EOE session is completed, and they also assist in identifying whether any bias was present during the response period.
4. Technical Integrator and Facilitator (TIF) – the person who formulates the questions to the experts, presents the results and facilitates the discussions to bring about convergence of the data in the second opinion. The TIF does not get to vote but can discuss with the experts his opinions based on what the formal discussion periods bring out.
5. Peer Reviewers – reviews of the EOE are completed after the elicitation, and the elicitation data are then processed on the basis of any comments of the reviewers, which may catch motivational biases.

The elicitation of opinions is a formal process that is performed systematically for each issue according to the following steps:

a) Issue familiarization of experts and review of the critical component list
b) Training of experts in the elicitation process using two examples
c) Discussion and agreement of experts' assumptions for each issue
d) First elicitation and collection of opinions
e) Aggregation and presentation of results to experts
f) Group interaction and discussion of the first response
g) Second elicitation and collection of opinions
h) Final presentation of opinions by experts
i) Solicitation of the experts' confidence in the final response
j) Return to step c and repeat for all components


Figure 8. Issue #1 – Estimation of the probability of damages given the threat. Example for levee surrounding a major metropolitan area.

Event Name: Terrorist attack on a levee system that protects City A, with the following scenario: home-grown terrorist; backhoe; middle of night; levees north of town; flood event; 2 foot cut depth; levees patrolled.

Full Description of Issue (Question #1a): Given the event and the scenario information provided on the attack, what is the probability of damages given the threat defined?

Expert-opinion elicitation:

Expert      First Response   Second Response
Expert #1   0.10             0.05
Expert #2   0.25             0.10
Expert #3   0.01             0.01
Expert #4   0.05             0.01
Expert #5   0.20             0.05
Expert #6   0.15             0.01
Minimum     0.01             0.01
Median      0.13             0.03
Maximum     0.25             0.10

Summary Table (second response):
Minimum = 0.01
25 Percentile = 0.01
Median = 0.03
75 Percentile = 0.05
90 Percentile = 0.08
High = 0.10

ASSUMPTIONS: Terrorists know how to operate the equipment; terrorists can get access to the levee at night; the water level is assumed to be lower than the top of the levee; a 2 foot depth of cut may not cause the entire levee to breach; police monitor the levees all night.

Figure 9. Issue #2 – Estimation of the probability of damages given the threat. Example for levee surrounding a major metropolitan area.


5. Application of EOE process to Vulnerability of Terrorist Attacks

The following example shows how the EOE process can be used to estimate the probability of damage for a levee system. The levee system selected for this example protects a major metropolitan area of 500,000 people with 120,000 homes and about 5,000 businesses. The experts were asked to estimate the probability of damage given two similar threat scenarios, as defined below.

5.1. Issue #1: The experts were asked to estimate the probability of damage to the levee given the following threat scenario:

1. Home-spun local terrorist group
2. Backhoe cuts 2 foot notch in top of levee
3. Levee crest upstream of population
4. Land attack
5. Middle of night, flood condition

5.2. Issue #2: Same as above, but police will patrol the levee during the night.


The tables shown in Figures 8 and 9 give the experts' first and second opinions as well as the minimum, maximum and median values from each response. Figures 8 and 9 also show a table of the assumptions made by the experts before addressing the issue. It is very important to document these assumptions, since they reflect the state of mind of the experts before voting. The results shown in Figures 8 and 9 show how the experts' opinions do converge after the discussions between voting rounds. This is a critical point, since the TIF wants to ensure that the final response has tighter median and range estimates than the original response.
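As an added example (not part of the paper and not USACE's own tooling), the two-round aggregation of steps d) to i) of the elicitation procedure can be reproduced for the issue in Figure 9. The six first and second responses are the values printed in that figure; the linear-interpolation percentile convention and the convergence measures (range ratio, interquartile-range ratio, median shift) are this example's own choices.

```python
"""Two-round expert-opinion aggregation with a convergence check.

Added example, not part of the paper: aggregates the blind votes of an EOE
panel for one issue, reports the summary the TIF presents back to the experts
between rounds, and measures how much the second response converged.
Expert values are those shown in Figure 9; the percentile convention and the
convergence measures are this example's assumptions.
"""
from statistics import median

# Responses for one issue, keyed by expert (values from Figure 9).
FIRST_RESPONSE = {
    "Expert #1": 0.10, "Expert #2": 0.25, "Expert #3": 0.01,
    "Expert #4": 0.05, "Expert #5": 0.20, "Expert #6": 0.15,
}
SECOND_RESPONSE = {
    "Expert #1": 0.05, "Expert #2": 0.10, "Expert #3": 0.01,
    "Expert #4": 0.01, "Expert #5": 0.05, "Expert #6": 0.01,
}


def percentile(values, p):
    """p-th percentile with linear interpolation between order statistics
    (the convention assumed here; it reproduces the Figure 9 summary table)."""
    xs = sorted(values)
    if not xs:
        raise ValueError("no responses to summarize")
    pos = (len(xs) - 1) * p / 100.0
    lo = int(pos)
    hi = min(lo + 1, len(xs) - 1)
    return xs[lo] + (xs[hi] - xs[lo]) * (pos - lo)


def summarize(responses):
    """Summary table the facilitator shows the panel after a voting round."""
    vals = list(responses.values())
    return {
        "n": len(vals),
        "min": min(vals),
        "p25": percentile(vals, 25),
        "median": median(vals),
        "p75": percentile(vals, 75),
        "p90": percentile(vals, 90),
        "max": max(vals),
    }


def convergence(first, second):
    """Spread of round 2 relative to round 1 (full range and interquartile range).
    Values below 1.0 mean the discussion between rounds tightened the estimates;
    1.0 or above is the signal for the TIF to revisit the experts' assumptions."""
    s1, s2 = summarize(first), summarize(second)
    r1, r2 = s1["max"] - s1["min"], s2["max"] - s2["min"]
    iqr1, iqr2 = s1["p75"] - s1["p25"], s2["p75"] - s2["p25"]
    return {
        "range_ratio": r2 / r1 if r1 else float("nan"),
        "iqr_ratio": iqr2 / iqr1 if iqr1 else float("nan"),
        "median_shift": s2["median"] - s1["median"],
    }


def elicitation_report(first, second):
    """Full record for one issue: both rounds, their summaries and convergence."""
    if first.keys() != second.keys():
        raise ValueError("both rounds must come from the same panel of experts")
    return {
        "first": summarize(first),
        "second": summarize(second),
        "convergence": convergence(first, second),
    }


if __name__ == "__main__":
    report = elicitation_report(FIRST_RESPONSE, SECOND_RESPONSE)
    for rnd in ("first", "second"):
        s = report[rnd]
        print(f"{rnd:>6}: min {s['min']:.2f}  p25 {s['p25']:.2f}  "
              f"median {s['median']:.2f}  p75 {s['p75']:.2f}  "
              f"p90 {s['p90']:.2f}  max {s['max']:.2f}")
    print("convergence:", {k: round(v, 3) for k, v in report["convergence"].items()})
```

Run against the Figure 9 values, the second-round summary matches the figure (25th percentile 0.01, median 0.03, 75th percentile 0.05, 90th percentile 0.075 printed there as 0.08, high 0.10), and the range shrinks from 0.24 to 0.09, so the range ratio of 0.375 documents the convergence the TIF is looking for rather than leaving it to inspection.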

6. Conclusions

The methodologies developed to estimate risk for terrorist risk assessments are moving in a positive direction. These methods face difficulty in estimating probabilities for these risk assessments without sufficient statistical data, which is often very difficult to obtain or, most of the time, simply non-existent. The use of Expert-Opinion Elicitation is a quick and cost-effective method of providing best-estimate probabilities for vulnerability analysis. The results can also include a range of values that can be used to estimate the range of uncertainty in the vulnerability as well. In addition, a strength of the EOE process is that it can account for interdependencies of probabilities through the use of experts and their dynamic knowledge of vulnerability analyses.

References

[1] Dalkey, N. and Helmer, O. An Experimental Application of the Delphi Method to the Use of Experts. United States Air Force Project RAND, Santa Monica, CA, 1962.
[2] Vick, S. Degrees of Belief: Subjective Probability and Engineering Judgment. ASCE Press, 2002.
[3] Dalkey, N. The Delphi Method: An Experimental Study of Group Opinion. United States Air Force Project RAND, Santa Monica, CA, 1969.
[4] Kent, S. Words of Estimative Probabilities. Central Intelligence Agency, Center for the Study of Intelligence, Washington, DC, 1964.
[5] Heuer, R. Psychology of Intelligence. Central Intelligence Agency, Center for the Study of Intelligence, Washington, DC, 1999.
[6] Lichtenstein, S. and Newman, J. R. Empirical scaling of common verbal phrases associated with numerical probabilities. Psychonomic Science, 9(10), 563-564, 1967.
[7] Hillson and Hulett. Assessing Risk Probability: Alternative Approaches. PMI Global Congress Proceedings, Prague, Czech Republic, 2004.


Comparative Analysis of Technological and Intelligent Terrorism Impacts on Complex Technical Systems – N.A. Makhutov and G.B. Baecher (Eds.) IOS Press, 2012 © 2012 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-61499-131-1-130

Prevention and Liquidation of Emergency Situations of Man-made Character

Valery A. AKIMOV, Sergey A. KACHANOV
FGU All-Russian Scientific Research Institute GOCHS

Abstract. The technology developed makes it possible to prevent man-made emergency situations, including those caused by acts of terrorism, or to considerably reduce their consequences: fires, explosions, an increase of the level of chemically dangerous substances, an increase of the level of radiation or of biologically dangerous substances, and the sudden collapse of framework constructions. In Russia, prevention of emergency situations (ES) caused by accidents at potentially dangerous objects (PDO) is one of the elements of the mechanism of legal regulation of man-made ES and a rather topical problem of legislation. The problem of creating such a prevention mechanism in the legislation is partly solved.

Keywords. Emergency situations, legal approaches, deterioration.


1. Introduction

The problem of the safe functioning of industrial objects acquires special significance under conditions of aggravation of man-made and natural threats and an increase of terrorist activity. According to the data of the State report «Protection of population and territories of the Russian Federation from emergency situations of natural and man-made character in 2010», about 45 thousand industrial objects function on the territory of the Russian Federation. The largest industrial enterprises were established more than 70 years ago, and the deterioration of their production assets amounts to 80-90 %. Deterioration of the process equipment in the chemical complex amounts to more than 80 %, about half of the main pipelines have been in service for more than 20 years, and the repair and replacement of worn-out equipment lag far behind demand. About 200 water basins have been in operation for more than 50 years without the required reconstruction and repair.

2. Executive authority

Federal executive authorities, executive authorities of the subjects of the Russian Federation and local governments take a series of measures directed at the forecasting and prevention of emergency situations (ES), the liquidation of their consequences, and the reduction of material damage and population losses. At the same time, no qualitative improvement in this field occurs. Breakdown susceptibility indicators in the industry of the Russian Federation exceed the similar indicators in the countries of the European Union approximately a hundred times.

V.A. Akimov and S.A. Kachanov / Prevention and Liquidation of Emergency

Such high breakdown susceptibility at industrial objects of the Russian Federation is caused by a complex of the following interconnected reasons:

- high deterioration of the equipment;
- absence of modern systems of ES prevention and of population notification about possible threats;
- indistinct differentiation of spheres of responsibility, and a low level of interaction and coordination between executive authorities at all levels, and also between the proprietors of potentially dangerous objects (PDO) and the maintaining organizations;
- distribution of budget funds among multiple, insufficiently coordinated federal and regional target programs;
- strengthening of the negative influence of anthropogenic factors, and systematic infringements of the established norms and service regulations;
- design and installation of prevention, notification and consequence-liquidation systems by organizations without the appropriate qualification;
- poor training and low labor discipline of the personnel;
- discrepancy between the standard legal base of safety and modern conditions.

The accident at the Sajano-Shushenskaya hydroelectric power station on 17.08.2009 (fig. 1) can be given as an example of the interrelation of all the reasons specified above. In Russia, prevention of ES caused by accidents at PDO is one of the elements of the mechanism of legal regulation of man-made ES and a rather topical problem of legislation. The problem of creating a mechanism for preventing such situations is partly solved in legislation. Measures for preventing man-made ES are provided by the federal laws «About protection of the population and territories from ES of natural and man-made character» of 24.11.94, «About atomic energy use» of 21.11.95, «About radiation safety of the population» of 9.01.96, «About industrial safety of dangerous industrial objects» of 21.06.97, «About safety of hydrotechnical constructions» of 21.07.97, etc. According to the Assignment of the Government of the Russian Federation of July 16, 1998 No. БН-П4-20705, Integrated dispatching services were founded in cities of the Russian Federation for operative ES response. At present, according to the concept approved by the Order of the Government of the Russian Federation of August 25, 2008 No. 1240-r, work is being carried out on creating a system providing emergency call services through the single number «112» on the basis of the Integrated dispatching services of municipalities. The Integrated dispatching services and the «112» system will allow operative ES response in case of an accident at a PDO only if objective information about the ES, not depending on a person, is received automatically. A new direction of work on complex automation of technological process control and management functions and of safety and life-support systems of industrial objects is developing today in Russia as well as abroad.
However, this work is not systematized and does not completely solve the problems of prevention and liquidation of ES at PDO. Moreover, if the above systems are designed wrongly, they can lead to the death of people on and around the object.


Fig. 1 Sajano-Shushenskaya hydroelectric power station machine hall before and after the accident


The urgency of the work specified above is confirmed by the requirements of the Government of the Russian Federation on developing the basic system of monitoring of critically important objects (Protocol of the joint session of the Security Council of the Russian Federation and the Presidium of the State Council of the Russian Federation of 13.11.2003 No. 4, approved by the President of the Russian Federation on 4.12.2003, ПР2192). EMERCOM of Russia has developed and is now improving an original technology for creating automated interconnected systems for monitoring and managing technological processes, safety and life-support of objects. This technology is based on structured systems of monitoring and management of engineering systems of buildings and constructions (hereinafter SMIS) (fig. 2).

3. Technology
The developed technology allows preventing or considerably reducing the consequences of man-made ES, including those caused by acts of terrorism: fires, explosions, increased levels of chemically dangerous substances, increased levels of radiation or biologically dangerous substances, sudden collapse of framework constructions, etc. Compared with foreign and domestic analogues, the offered system has the following advantages:

• operation of all technological, safety and life-support systems in case of a possible ES is carried out in accordance with algorithms previously defined by EMERCOM of Russia and the organization maintaining the object, allowing the accident to be prevented or human losses and material damage to be minimized. Forecasting and prevention of emergencies is done through control over the process parameters of the object's functioning and identification of deviations of their current values from the standard;
• automated complex processing of information on the condition of the technological systems, life-support systems, safety and technical structure of the object is provided, and the necessary information on their condition and on ES parameters is automatically transferred, in the established form, to the object's duty service and to the bodies of daily management of the Integrated state system of prevention and liquidation of emergency situations (RSChS). This information is stored in a database and can also be used for analysis by experts;
• automatic or forced start of the population notification system about the ES and the necessary evacuation actions, and automatic or forced notification of the corresponding experts responsible for the safety of the industrial object, are provided;
• remote control of life-support and safety systems of industrial objects in case of ES from a specialized management point is provided.

[Fig. 2 is a diagram; the only label legible in the extracted text is «Пункт управления» (control point).]

Fig. 2 Structured system of monitoring and management of engineering systems of buildings and constructions

For legal and technical regulation of actions on organization of complex safety and ES prevention at industrial objects, on the basis of the technology specified above, the following have been developed:

• the national standard GOST R 22.1.12-2005 «Safety in ES. Structured system of monitoring and management of engineering systems of buildings and constructions. General requirements»;
• Methodology for assessment of safety and life-support systems at potentially dangerous objects, buildings and constructions, certified by the Government commission on prevention and liquidation of ES and fire safety, protocol of 19.12.03 No. 9;
• Methodology for assessment and certification of engineering safety of buildings and constructions, certified by the Government commission on prevention and liquidation of ES and fire safety, protocol of 25.02.2003 No. 1;
• Methodology for monitoring the condition of bearing frames of buildings and constructions. General provisions and requirements, certified by the Government commission on prevention and liquidation of ES and fire safety, protocol of 18.03.2009 No. 3.

It should be noted that the necessity of monitoring the condition of foundations, building constructions and systems of technical maintenance during construction and (or) operation of a building or construction was reflected in the Federal law of 30.12.2009 No. 384-ФЗ, Technical regulations «About safety of buildings and constructions».


Work is now under way on developing the legal and regulatory base for complex safety of industrial objects. EMERCOM of Russia has developed and presented to the Government of the Russian Federation a draft federal law (technical regulations) «General requirements for production, providing protection of the population and territories from emergency situations of natural and man-made character». The technical regulations will, in particular, establish obligatory requirements for facilities providing protection from ES and for means of ES monitoring and forecasting. A new edition of the handbook of instructions «Order of development and section structure of 'List of civil defense measures and actions for emergency situation prevention' in building design», developed on the instructions of EMERCOM of Russia, is now at the adoption stage. Requirements for SMIS design will be reflected in the new version. According to the approved plans of EMERCOM of Russia, the following standard documents will be prepared for the developed technical regulations: the handbook of instructions «Technical requirements for monitoring systems of potentially dangerous objects», which will establish concrete requirements for SMIS, and the national standard «Safety in emergency situations. Structured system of monitoring and management of engineering systems of buildings and constructions. Test methods», which will define requirements for conformity of SMIS to the norms stated in the technical regulations. The normative base for the creation, functioning and operation of PDO monitoring systems, taking into account the documents planned to be developed and provided that it includes the requirements on SMIS, will allow an acceptable level of safety of the objects under control. More than 100 SMIS projects have already been developed and will be implemented in the near future as operating systems working within the EMERCOM integrated anti-crisis management system.
According to preliminary estimates, as a result of SMIS creation the number of ES and the damage from them will be reduced by more than 50 %.

4. Conclusion
To increase the security of industrial objects the following is appropriate:

1. To equip industrial objects with SMIS and to provide automatic transfer of the necessary information about the condition of the objects under control and ES parameters, in the established form, to the object's duty service and to the RSChS management bodies.
2. To develop federal-level legislative documents allowing financial stimulation of enterprises introducing modern automated monitoring systems for ES prevention, such as: essential reduction of insurance payments for objects, preferential taxation if the enterprise's expenses are aimed at creation and operation of monitoring systems, etc.
3. To organize training of experts of the Integrated state system of ES prevention and liquidation, including those of industrial objects, in modern automated technologies of ES monitoring and prevention.
4. Heads of the ministries and departments responsible for industrial objects are to develop and coordinate with EMERCOM of Russia a corporate standard on creation and introduction of SMIS at objects of the company. It is reasonable that the standard defines the list of objects which should be designed with account of SMIS and the general principles of SMIS creation at objects of the company. Objects can be grouped by their specificity; in this case it will be possible to develop typical special specifications for SMIS of the company's industrial objects considering the specifics of their functioning. This will reduce time and material costs for SMIS creation while increasing the quality of the designed monitoring systems.


Comparative Analysis of Technological and Intelligent Terrorism Impacts on Complex Technical Systems – N.A. Makhutov and G.B. Baecher (Eds.) IOS Press, 2012 © 2012 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-61499-131-1-137

Maritime Terrorism


Valerio de DIVIIS
International Organization for Migration

Abstract. Maritime terrorism is the maritime dimension of contemporary asymmetric warfare conducted by international terrorist organizations. It is the undertaking of terrorist acts and activities within the maritime environment against vessels or fixed platforms at sea or in port, or against any of their passengers or personnel, against coastal facilities or settlements, including tourist resorts, port areas and port towns or cities, as well as any maritime activity intended to support the existence or the purposes of one or more terrorist organizations through licit or illicit means, including sea-borne migration flows when exploited for the movement of terrorists and of terrorism backers/supporters, and for financial profit when it involves people trafficking and migrant smuggling perpetrated by transnational organized crime depending on a terrorist organization. Criminal trafficking is directly relevant to terrorist organizations for pursuing their purposes. The maritime dimension offers an ideal environment to be exploited by criminal and terrorist organizations. The maritime environment and industry have intrinsic obstacles to properly countering illicit phenomena while facilitating the legal commercial and migration flows that are vital for the contemporary and future interdependent economy. Piracy and armed robbery against vessels are a plague on maritime security and global shipping. Such phenomena have implications for maritime shipping and cause meaningful damage to international trade and maritime traffic. Piracy has a functional role for terrorist organizations when it pursues aims of terrorism funding. According to many analysts, some terrorist groups are directly linked with piratical aggressions.
Terrorist groups have demonstrated that they are trained to exploit the maritime environment for attacking offshore and onshore civilian and commercial targets as well as military vessels, and to acquire sensitive information. Key factors enabling maritime terrorism are open registers and flags of convenience. National maritime shipping industries would require stricter rules and the implementation of policies that do not offer the possibility of easily concealing the real identity of ship owners and the businessmen behind maritime companies. Corruption and lack of accountability characterize flags of convenience, offering good opportunities for criminals and money launderers, or the insane practice of sinking a ship to profit from insurance claims. Flags of convenience are the maritime sphere of offshore financial centers and bank secrecy. Phantom ships are assets of terrorist organizations and compose a certain fleet operating across the world. Maritime terrorism poses serious concerns for international supply chain security as it affects worldwide international commercial shipping. When estimating harbors' risks and exposure to terrorist attacks, if they serve as hubs for terrorist purposes such a function could be a deterrent for this type of incident. Activities aimed at countering maritime terrorism are a significant contribution to reducing international instability, since the high exploitation of the sea for terrorist and criminal purposes is a concerning aspect of the contemporary global (dis)order.
Keywords. Real-time information, risk mitigation, workflows.


Comparative Analysis of Technological and Intelligent Terrorism Impacts on Complex Technical Systems – N.A. Makhutov and G.B. Baecher (Eds.) IOS Press, 2012 © 2012 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-61499-131-1-138

Incorporation of Manmade Risk Components into General Risk Management Systems for Dams Ignacio ESCUDER-BUENO, Luis ALTAREJOS-GARCÍA Universidad Politécnica de Valencia, Spain

Abstract. Being aware that the understanding of all risk factors involved in dam and reservoir management activities constitutes the conceptual basis for implementing logic systems or models aimed at informing decision making, the main objective of the very recently started project "IPRESARA: Incorporation of manmade risk components into general risk management systems for dams, BIA2010-17852, Spanish Ministry of Science and Innovation, Dec 2010-Dec 2013" consists of incorporating all factors and components of security risk into the overall safety management of dams and reservoirs, so that needed actions and investments in such critical infrastructures may be justified and prioritized using a comprehensive risk-informed approach.
Keywords. Risk analysis, manmade risk, systems, dams.


1. Introduction
Dams are a vital and critical part of the world's infrastructure, providing extraordinary benefits to society. On the other hand, dams also affect what is widely known as "public safety", as dam failures can result in severe loss of life, economic disaster and extensive environmental damage. In particular since the beginning of the XXI century, there has been growing awareness of security threats to critical infrastructures, and this issue has affected dam management in quite different ways. Recent relevant projects on the issue developed by Universidad Politécnica de Valencia have been DAMSE (A European Methodology for the Security Assessment of Dams), funded by the European Union, which resulted in a "qualitative" approach to the analysis and evaluation of security risk, and "Risk analysis applied to dam and reservoir safety conservation, maintenance, and management programs (BIA2006-08948)", funded by the Spanish Ministry of Science and Innovation. The cooperation established during the DAMSE project between Universidad Politécnica de Valencia, the Italian ERSE and the American Department of Homeland Security resulted in the participation of Dr. Ignacio Escuder-Bueno and the Technical Director of the Duero River Authority, Eng. Liana Ardiles-Lopez, as observers in the security risk screening performed at some Columbia River Basin dams. Being aware that the understanding of all risk factors involved in dam and reservoir management activities constitutes the conceptual basis for implementing logic systems or models aimed at informing decision making, the main objective of the very recently started project "IPRESARA: Incorporation of manmade risk components into general risk management systems for dams, BIA2010-17852, Spanish Ministry of Science and Innovation, Dec 2010-Dec 2013" consists of incorporating all factors and components of security risk into the overall safety management of dams and reservoirs, so that needed actions and investments in such critical infrastructures may be justified and prioritized using a comprehensive risk-informed approach. This article, presented at the "Comparative Analysis Of Technological And Intelligent Terrorism Impacts On Complex Technical Systems NATO-Russia Advanced Research Workshop (NRARW)", includes a detailed update on the objectives, methodological framework and expected results of IPRESARA (2010-2013).


2. Context and previous experience
Understanding and recognizing all the different risk components inherent in dam and reservoir safety management constitutes the conceptual basis for implementing logic systems or models aimed at informing decision making. Starting with day-to-day basic activities, many surveillance tasks such as visual inspections, monitoring of behaviour by means of instrumentation records, or function tests of the electromechanical equipment are typically covered. In fact, if a failure mode has already started and is in progress, the capacity for detection and successful intervention relies on the efficacy of these activities. Once any abnormal behaviour affecting the safety of the facility has been detected, intervention is focused both on overcoming the deficiency and on protecting the downstream population. The first of these actions results in diminishing the probability of failure and the second in mitigating the potential adverse consequences, typically by carrying out the activities included in an emergency action plan. Another core activity of any dam safety program is the periodic safety review, where load scenarios and system response in terms of safety factors are typically analysed, together with other factors such as gate functionality, communication reliability, accessibility, etc. In summary, all the mentioned activities, studies and procedures linked to dam safety management which, in the Spanish case, must be documented in the Operation Rules, Emergency Action Plans and Safety Review Reports, are linked to the different components of risk: loads, system response, and consequences. Consequently, if all processes involved in dam safety management are integrated in a logic system or risk models capable of aggregating all risk components inherent to these infrastructures, the resulting information will be of great value in helping decision making.
In order to achieve this value, the inputs to the risk model have to be converted into information that allows the identification, characterization and quantification of risk. The process that starts with gathering data and leads to risk quantification implies the consolidation of the existing knowledge on the facility and has to be guaranteed by procedures to properly store and update such data, which will be integrated in a necessarily dynamic management tool. The consistency, robustness, efficacy and efficiency of risk models in providing valuable information for decision making are reinforced by different means. One of the most important is exchanging information, debating different procedures, etc., preferably at events such as workshops or conferences that are typically oriented to owners and dam safety professionals. However, it also becomes critical that all personnel involved in dam safety activities are trained and educated adequately to guarantee reliable results, thus providing by itself a better safety condition of the dams. Focusing on the Spanish case, as a consequence of the experience achieved since the new Technical Regulations on Dam and Reservoir Safety were approved in 1996, a number of debates on the safety levels that can reasonably be imposed on such structures have been held, and some Technical Guides have been published as supporting technical material. Many of the discussions have taken place at Congresses, Technical Meetings, etc. (Valencia, 1996; Barcelona, 1998; Málaga, 1999; Zaragoza, 2002; Madrid, 2002; Valencia 2005; Cordoba 2008…), from which a new integral Law on Dam Safety was demanded. In January 2008, a new piece of legislation was approved, also at national level (Real Decreto 9/2008), whose main objective is providing protection to human beings, property and the environment by modifying the flood and dam safety regulations. The law literally includes the following sentence: "Risk Management, a basic aspect that a modern country has to undertake, is the common base that inspires this new regulation…" As can be derived from these legal advances, engineering cannot stand apart from the evolution of social values and demands, which can be summarized as follows:

• Very low risk levels, in any case evaluated against the benefits provided.
• A rigorous diagnosis prior to significant investments, together with public involvement in decision making.

The first of these demands is directly linked with safety assessment, while the second is basically linked to safety management. Focusing on "safety management" and, more in detail, on risk-informed decision making for dam safety management, the main contributions started in the mid-nineties. Starting from a series of papers by Dr. David Bowles and others (Utah State University), several dam safety agencies in the world started to develop risk analysis methodologies to estimate risks and make dam safety investment decisions informed by the tolerability of such risks. Some of the most important working groups since then are located in the USA (Utah State University, University of Maryland, U.S. Bureau of Reclamation, etc.), Australia (University of New South Wales, ANCOLD, etc.) and Canada (BC Hydro, etc.). Since 2005, the U.S. Army Corps of Engineers (USACE) and the hydropower regulator in the United States (FERC) have started their own risk-informed dam safety management processes, while other countries such as France, in 2008, have approved specific legislation to implement risk management on a national basis. Coming back to the Spanish context, the fact that dam owners have very recently completed a first set of Dam Safety Reviews (as well as documented the Operation Rules and the Emergency Action Plans), and are thus in the position of planning investments in dam safety actions, makes it a particular challenge to provide owners with new tools that can facilitate the work of dam safety professionals and allow them to make better decisions (while the efficiency of such decisions in terms of risk control can be monitored). As a Spanish practical example on this issue, the Duero River Authority (Confederación Hidrográfica del Duero) is developing a series of tasks to implement risk analysis in its dam safety program, following a global trend and in cooperation with the UPV research team that leads the IPRESARA project.


Once a first screening step was performed, a complete risk analysis was carried out on two pilot systems of dams, Carrion and Pisuerga, including quantitative estimations of the probability of loads, failure and consequences. Such analysis, in combination with tracking the uncertainty and evaluating different corrective alternatives, provided the owner with a tool to inform decisions on investment planning and prioritization. In fact, since 2009 the Duero River Authority has been expanding the experience to all the systems (seven) of dams (twenty-six) under operation. Other examples of dam owners in Spain that have been undertaking similar projects since 2009, either in the development or the pilot application phase, are Iberdrola (a transnational hydropower firm) and the Catalonia Water Agency (Agencia Catalana del Agua), also in cooperation with the UPV research team leading the IPRESARA project. Finally, it is worth remarking that, among other contributions presented at the II International Week on Risk Analysis as Applied to Dam Safety and Dam Security, organized by the UPV research team in 2008 in Valencia, the results of the DAMSE project "A European Methodology for the Security Assessment of Dams" (European Commission, Directorate General Justice, Freedom and Security, JLS/2006/EPCIP/001) showed a qualitative approach to how these techniques can be applied to assess threats and vulnerability against sabotage, vandalism or terrorism. The international trend on this matter is to incorporate "human induced risk" as one more risk involved in dam safety risk management procedures. In fact, quite recently, different tools for dam security risk management can be found, mainly in the United States, which provided a robust background for the DAMSE project. Some of them are:

• RAM-DSM and RAM-TSM methodologies developed by Sandia National Laboratories for dams and transmission systems [1].
• DAMSVR developed for FERC by William Foos & Associates for dams.
• MATRIX Security Risk Analysis Program developed by USBR for dams.
• CARVER, a checklist approach.
• RAMCAP, Risk Analysis and Management for Critical Asset Protection [2].

On the other hand, from the perspective of how to integrate manmade risk components into general risk management systems for dams, it is important to mention the recent works developed by the Department of Homeland Security of the United States, as can be found in the latest edition (2009) of the "Handbook of Science and Technology for Homeland Security" under the title "Application of a conditional risk assessment methodology for prioritization of critical infrastructure", by Hecker, Matheu, Seda-Sanabria, Morgeson and Fainberg. Finally, the cooperation established during the DAMSE project between the Polytechnical University of Valencia, the Italian ERSE and the American Department of Homeland Security resulted in the participation of the main researcher of this project, Dr. Ignacio Escuder Bueno, and Eng. Liana Ardiles Lopez (Spanish Ministry of Environment) as observers in the security risk screening performed at some Columbia River Basin dams, and in a joint paper entitled "A European methodology for risk based security assessment of dams (DAMSE): checking screening outcomes with DHS procedures" (Ignacio Escuder, Massimo Meghella, Manuel G. Membrillera and Enrique Matheu), presented at the USSD Annual Meeting held in Nashville, April 2009.


3. Initial hypothesis
The main initial hypothesis is that security risk management (sabotage, vandalism, terrorism, etc.) has to be incorporated into modern general risk management systems for dams. In addition, any security risk control measure should be quantifiable in terms of efficiency in risk reduction, taking advantage of risk analysis techniques such as those that have permitted the first experiences in Spain with integral risk management systems for dams and reservoirs, many of them a result of previous research activities of the authors. In the recent past, the confidentiality policy and the sensitivity of data in this field have made research and significant advances in this field very difficult. Consequently, the current situation is a unique opportunity to make significant advances in research on dealing with manmade risk in dams, aiming at an objective characterization of security risks in order to build better dam safety management tools for such "critical" infrastructures as dams are (in many cases). The initial hypothesis is supported by these three basic pillars:

1. DAMSE project conclusions, finished and technically accepted by the European Commission. Among them:
   • "The security risk value obtained with the DAMSE methodology is a qualitative estimate that must be checked considering all three risk components: threat, vulnerability and consequences"
   • "The current security measures seem not fully justified and/or not based on rationale and comprehensive assessment".
2. The works already finished under the project "Risk analysis applied to dam and reservoir safety conservation, maintenance, and management programs. BIA2006-08948", which already provided an integrated risk analysis tool for dams and reservoirs in Spain ([3], [4] and [5]).
3. The path in the same direction started by several very significant dam owners and regulators in the world:
   • From the perspective of security risk quantification, some outstanding works such as those undertaken by the Department of Homeland Security ("U.S. Department of Homeland Security (2006), National Infrastructure Protection Plan" and "SRA International, Inc. (2008), Risk Methodology Evaluation Project, Draft Report submitted to Dams Sector Branch, Sector-Specific Executive Management Office, Office of Infrastructure Protection. D.H.S").
   • From the perspective of integrating such risk into general management systems, some of the recent and outstanding works have also been undertaken by the Department of Homeland Security and the US Army Corps of Engineers (2009. Handbook of Science and Technology for Homeland Security: "Application of a conditional risk assessment methodology for prioritization of critical infrastructure").

Coming back to the DAMSE outcomes, the main constraint on developing a quantitative approach was the interaction among the three components of the risk equation: loads, system response and consequences. Figure 1 shows this complexity:


R = R[PA, (1 – PE), C]

Figure 1. Interaction of manmade-risk equation components (the figure links the three components of R = R[PA, (1 – PE), C] with the dam owners and stakeholders, the intelligence communities and the emergency agencies that hold the information on each of them)

4. Main objectives

The main objectives of the IPRESARA project are:

• Build up a justified catalogue of plausible "potential threats", so that the methodology can be linked to "manmade load" scenarios. The improvement lies in the way threats are going to be processed, as extra loading conditions on the system, thus making a logical and quantitative management of them possible. It is scheduled for the first year.
• Develop a quantitative estimation of "system effectiveness" against "manmade loads". The improvement will be that the estimation will be "quantitative" instead of "qualitative". It is scheduled for the first two years.
• Develop a quantitative estimation of the "consequences" in case of failure or loss of mission. Again, the improvement will be that the estimation will be "quantitative" instead of "qualitative". It is scheduled for the first two years.
• Study the interaction among "threats", "system effectiveness" and "consequences" to define a global quantitative score. The interaction between risk components will be characterized and used to weight the global risk estimate. It is scheduled for the second year.
• Incorporate the results into modern risk-informed dam safety management programs. A specific module for the iPresas software will be developed and added to the existing normal, hydrologic and seismic scenarios. It is scheduled for the second and third years.
• Practical application to a portfolio of Spanish dams, so that investments with regard to security risk can be justified and prioritized as part of the dam safety management procedure. It will be applied to a portfolio of dams during the third year.

In summary, the main objective of the proposed project is to incorporate all factors and components of security risk into the overall safety management of dams and reservoirs, so that needed actions and investments in such critical infrastructures may be justified and prioritized using a comprehensive risk-informed approach. Figure 2 shows an idealized scheme of such a comprehensive tool:

Figure 2. Comprehensive framework for an integrated risk analysis tool


5. Methodology and organization of the works

The methodology will be developed according to the following working plan:

1. Build up a justified catalogue of plausible "potential threats", so that the methodology can be linked to "manmade load" scenarios.
   1.1 Consolidation and study of the main security risk factors.
   1.2 Interviews with specialists and review of recorded incidents.
   1.3 Document 1: Catalogue.
   Threats will be characterized in terms of a series of factors such as: location, public information on the facility, type of dam, specific features of the site, potential consequences, general perception, annual ratios of incidents, world frequency of incidents.

2. Develop a quantitative estimation of "system effectiveness" against "manmade loads".
   2.1 In-depth review of the DAMSE methodology.
   2.2 Proposal and experimentation by numerical simulation.
   2.3 Document 2: Quantitative estimation methodology.
   The metrics will be supported, among other factors, by: critical assets and their fault trees, critical path to the assets, vehicle accessibility, boundary protection, communication systems, location of response forces, elements needed to disable critical assets, protection systems and their redundancy, etc.

3. Develop a quantitative estimation of the "consequences" in case of failure or loss of mission.
   3.1 In-depth review of the DAMSE methodology.
   3.2 Proposal and experimentation by numerical simulation.
   3.3 Document 2: Quantitative estimation methodology.
   The metrics will be supported, among other factors, by: communication systems and protocols, understanding of emergency messages by public protection agencies and the population at risk, flood inundation maps, potential life losses, economic and environmental damages of losing a dam's mission, including effects on the energy system and on the overall water resources systems (potentially on a regional or national scale).

4. Study the interaction among "threats", "system effectiveness" and "consequences" to define a global quantitative score.
   4.1 Study and analysis of all interactions.
   4.2 Document 4: Definition of a global quantitative score.
   The weighting will be defined in terms of the interaction and correlation among risk components, supported by numerical simulations along fault trees and event trees, Monte Carlo analysis and comparison with expert judgment and with non-human risk sources.

5. Incorporate the results into modern risk-informed dam safety management programs.
   5.1 Practical application to a pilot portfolio of dams, showing its utility as a tool to support decision making.
   5.2 Document 5: A specific module for the iPresas software.
   With that purpose the methodology will be applied to a portfolio of dams where non-human risks have previously been studied and incorporated into a general risk management system, so that results can be compared and potentially calibrated. The tool will be used to justify how "critical" a "critical infrastructure" may be, along with the efficiency of planned investments and their prioritization, within the same framework in which other investments are currently being "risk-informed" for decision making.
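A worked example of the quantitative score sketched in plan items 2 to 5 above, added here and not code from the IPRESARA project or the iPresas software: the page's equation R = R[PA, (1 – PE), C] is assumed to take the multiplicative form PA·(1 – PE)·C, with PA the annual probability of a manmade load scenario, PE the system effectiveness and C the consequences of loss of mission. System effectiveness is built from independent protection layers along the critical path, the uncertainty of each component is propagated by Monte Carlo, and candidate measures are ranked by risk reduction per unit cost; all dam names, probabilities, consequences and costs are constructed illustrative values.

```python
"""Added example (not IPRESARA / iPresas code): security-risk screening of a
dam portfolio with R = PA * (1 - PE) * C, an assumed multiplicative form of
the page's risk equation. All input values below are constructed."""
import random
from dataclasses import dataclass, field


@dataclass
class DamScenario:
    name: str
    p_attack: float                      # PA: annual probability of the manmade load scenario
    layers: list = field(default_factory=list)  # per-layer probability that the layer stops the intrusion
    consequences: float = 0.0            # C: consequences in a common unit (e.g. equivalent EUR)


def system_effectiveness(layers):
    """PE for independent protection layers crossed in sequence along the
    critical path: the intrusion succeeds only if every layer fails,
    so PE = 1 - prod(1 - p_i). No layers means PE = 0."""
    p_all_fail = 1.0
    for p in layers:
        p_all_fail *= 1.0 - p
    return 1.0 - p_all_fail


def security_risk(p_attack, p_effect, consequences):
    """Point estimate of the security risk R = PA * (1 - PE) * C."""
    return p_attack * (1.0 - p_effect) * consequences


def portfolio_risk(dams):
    """Point-estimate risk of every dam scenario, keyed by dam name."""
    return {d.name: security_risk(d.p_attack, system_effectiveness(d.layers), d.consequences)
            for d in dams}


def monte_carlo_risk(dam, n=20000, seed=1):
    """Propagate uncertainty in PA, the layer probabilities and C through the
    risk equation using triangular distributions around each point estimate
    (assumed spreads: PA in [0.5*PA, 2*PA], layers +/- 0.1, C in [0.5*C, 1.5*C]).
    Returns (mean, 90th percentile) of R."""
    rng = random.Random(seed)
    samples = []
    for _ in range(n):
        pa = min(1.0, rng.triangular(0.5 * dam.p_attack, 2.0 * dam.p_attack, dam.p_attack))
        layers = [min(1.0, max(0.0, rng.triangular(p - 0.1, p + 0.1, p))) for p in dam.layers]
        c = rng.triangular(0.5 * dam.consequences, 1.5 * dam.consequences, dam.consequences)
        samples.append(security_risk(pa, system_effectiveness(layers), c))
    samples.sort()
    return sum(samples) / n, samples[int(0.9 * n)]


def prioritise_measures(dams, measures):
    """Rank candidate protective measures by risk reduction per unit cost.
    A measure is (dam name, stop probability of the added layer, cost);
    the result is a list of (dam name, risk reduction, reduction per cost),
    best value first."""
    by_name = {d.name: d for d in dams}
    ranked = []
    for name, p_new, cost in measures:
        d = by_name[name]
        before = security_risk(d.p_attack, system_effectiveness(d.layers), d.consequences)
        after = security_risk(d.p_attack, system_effectiveness(d.layers + [p_new]), d.consequences)
        ranked.append((name, before - after, (before - after) / cost))
    ranked.sort(key=lambda r: r[2], reverse=True)
    return ranked


# Constructed portfolio (illustrative values only, not data of any real dam).
PORTFOLIO = [
    DamScenario("Dam A", p_attack=0.01, layers=[0.6, 0.5], consequences=5000.0),
    DamScenario("Dam B", p_attack=0.002, layers=[0.3], consequences=40000.0),
    DamScenario("Dam C", p_attack=0.05, layers=[0.9, 0.8, 0.5], consequences=2000.0),
]
# Candidate measures: (dam, stop probability of the new layer, cost).
MEASURES = [("Dam A", 0.9, 150.0), ("Dam B", 0.7, 200.0), ("Dam C", 0.9, 50.0)]

if __name__ == "__main__":
    for name, r in portfolio_risk(PORTFOLIO).items():
        print(f"{name}: R = {r:.2f}")
    for d in PORTFOLIO:
        mean, p90 = monte_carlo_risk(d)
        print(f"{d.name}: Monte Carlo mean = {mean:.2f}, P90 = {p90:.2f}")
    for name, reduction, ratio in prioritise_measures(PORTFOLIO, MEASURES):
        print(f"{name}: risk reduction {reduction:.2f}, per unit cost {ratio:.4f}")
```

Note that the dam with the highest point-estimate risk (Dam B) is also the one where an added layer buys the most reduction per unit cost here, while Dam C, already behind three layers, gains little: that is the kind of comparison the global score is meant to support.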

6. Benefits expected and the most important first-year activity: 3IWRDD

The most significant expected scientific benefits are:

• The implementation of a quantitative tool for the security assessment of dams.
• The development of metrics that allow comparison and efficiency checking among different alternatives.
• The integration of the tool into a more general one, thus able to incorporate manmade risks into a general and modern dam safety management tool.

Within the first year of the project, the most important action is related to the third edition of the "International Forum on Risk Analysis, Dam Safety, Dam Security and Critical Infrastructures Management", at the Universidad Politécnica de Valencia, in order to present methodological aspects that can be of general interest to dam engineers. In support of the 3IWRDD, UPV is collaborating with four co-organizing entities, including the United States Department of Homeland Security (DHS), the Jucar River Authority (CHJ, MMARM), the International Commission on Large Dams (ICOLD), as well as the Spanish Committee on Large Dams (SPANCOLD). In addition, the Professional Association of Civil Engineers (CICCP, Valencia) is also collaborating in the organization of this event. The 3IWRDD is also aligned with several research and development efforts focused on the integration of infrastructure safety and security that are currently being conducted by UPV and funded by the Spanish Ministry of Science and Innovation (MICINN). The 3IWRDD represents a unique international meeting that will consist of two different events: the 3rd International Forum on Risk Analysis, Dam Safety, Dam Security, and Critical Infrastructure Management (Forum) from October 17-18, and the 11th ICOLD Benchmark Workshop on Numerical Analysis of Dams (Benchmark Workshop) from October 20-21.

7. Overall conclusion

As society continues to increase its demands for higher levels of safety, security and reliability for all critical infrastructures, the design, construction, and operation of dams should be integrated as part of a comprehensive risk management framework that can effectively address natural and manmade hazards. Integrated management strategies have become increasingly important in recent years and, as such, their implementation efforts should include aspects such as sustainability, resilience, and public participation.


Acknowledgements

The project referred to in this article has been funded by the Spanish Ministry of Science and Innovation (MICINN), Subdirección General de Proyectos de Investigación, Departamento Técnico de Medio Ambiente y Recursos Naturales: Proyecto IPRESARA, BIA2010-17852, Plan Nacional de I+D+I (2007-2013).

References

[1] Matalucci, R.V. "Risk Assessment Methodology for Dams". In: Proceedings of the 6th International Conference on Probabilistic Safety Assessment and Management (PSAM6), Vol. I, pp. 169-176; USA, 2002.
[2] ASME Innovative Technologies Institute, LLC. "RAMCAP: Risk Analysis and Management for Critical Asset Protection – The Framework", Version 2.0; Washington DC, 2006, pp. 114–119.
[3] Serrano, A.; Escuder, I.; Membrillera, M.; Altarejos, L. "Methodology for the calculation of annualized incremental risks in systems of dams". Risk Analysis: An International Journal. DOI: 10.1111/j.1539-6924.2010.01547.x. ISSN: 0272-4332. United Kingdom, 2010.
[4] Serrano, A.; Escuder, I.; Membrillera, M.; Altarejos, L. "iPresas: Software for risk analysis". Transactions of the 23rd International Congress on Large Dams, Q.91, Vol. 4, Paper R.47. ISSN: 0254-0703. La Chapelle Montligeon, France, 2009.
[5] Escuder, I.; Membrillera, M. G.; Meghella, M.; Serrano, A. "A European methodology for risk based security assessment of dams". Transactions of the 23rd International Congress on Large Dams, Q.91, Vol. 4, Paper R.48. ISSN: 0254-0703. La Chapelle Montligeon, France, 2009.


Comparative Analysis of Technological and Intelligent Terrorism Impacts on Complex Technical Systems – N.A. Makhutov and G.B. Baecher (Eds.) IOS Press, 2012 © 2012 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-61499-131-1-148

Innovative Aspects of Organizational Behaviour in the Interests of Counterterrorism on Complex Technical Systems
VISHNYAKOV J.D., KISELEVA S.P.
The State University of Management, Moscow, Russia


Abstract. It is known that underestimation of, and insufficient attention to, the human factor is the principal risk in the management of complex technical systems (CTS) under conditions of terrorist threat. The innovative aspects of organizational behavior presented by the authors concern a modern and specific approach to the dynamics of the activity of terrorist and counterterrorism structures, not only inside the CTS areas but also in the adjacent areas, including the information, communication and control systems. Special attention has to be paid to the growing international character of terrorist and counterterrorist activity. In accordance with the estimation of the modern situation in the field examined, it is expedient to establish a new research project, «Forecast and Prevention of Technogenic Emergencies Caused by the Troubles in the CTS Normal Operation as a Result of Terrorist Attacks», within the framework of the NATO «SCIENCE FOR PEACE» program. The main targets of the project are increasing the readiness of emergency forces on different levels to respond to the warning about the troubles, and prevention of accidents on critical facilities. Keywords. Organizational theory, counter-terrorism, complex systems

Underestimation of, and insufficient attention to, the human factor is the major strategic risk in the field of management, including the management of CTS safety under conditions of threat of terrorist influence. Comparison and joint analysis of the dynamics of preparation and of the character of threats of terrorist attacks on CTS give the grounds for working out a modern and rather specific conceptual approach to understanding the dynamics and situational conditionality of the activity of terrorist and antiterrorist structures. Disturbance of the regular mode of the information-communication and operating systems (ICOS) is capable of serving as the cause of failures, accidents and emergencies at especially dangerous and critically important objects of the economy. The basic types of disturbance of the regular mode of the specified systems are:

1) An unpredicted failure of the system operating in one of the modes of specialized information technologies (IT). In this case the management and regulation of responsible (including fire- and explosion-hazardous) technological processes, of power units possessing a high concentration of energy, etc., stops suddenly and completely. This is a direct path to an emergency on a scale close to the Chernobyl situation.

2) A sudden transition of the information-communication system into a mode of distortion of the information stream. This is especially dangerous in systems with dispatcher control, in which the reaction to the information distortion will be late owing to the influence of the human factor (HF).

There are also other disturbances of the regular mode of ICOS fraught with the occurrence of an emergency. The innovative aspects of organizational behavior presented by the authors basically consist in a modern and rather specific conceptual approach to understanding the dynamics and situational conditionality of the activity of terrorist and antiterrorist structures, not only in the CTS zones themselves but also in the interfaced systems and zones, including the information-communication and operating systems (fig. 1). The understanding of the role of the human factor in the regulation and safety of CTS, taking into account the possibility of terrorist attacks, is naturally linked to the results of the analysis of organizational behavior regarding the creation and use of «out-of-design» vulnerabilities of CTS. This means the full complex of features of the organizational behavior of separate physical persons, of organizations and organizational systems and structures, both of the state and private-state class, and of terrorist groups and structures. The rather simplified scheme of the stages of development of the procedures of technological and information terrorism presented in fig. 1 gives the grounds for the analysis of organizational behavior in the area considered.


[Figure 1 (diagram): Stage I, analysis of vulnerabilities of technical systems which are proposed terrorist attack targets, including «in advance introduced» technical system vulnerabilities, named out-of-design vulnerabilities; Stage II, using (or threatening to use) vulnerabilities existing in the technical system; Stage III, creation of «in advance introduced» vulnerabilities of technical systems. Human factor: personnel who create «out-of-design» vulnerabilities; terrorists. Contributing conditions shown: shortage of responsibility; organizational outlay of inter-country hostility; the logistic chain of terrorist activity; absence of spirituality as a principal feature of the modern consumer civilization.]

Figure 1. Stages of development of procedures of technological and information terrorism

Terrorism is defined as «Violence or the threat of its application against physical persons or organizations, and also the destruction or threat of destruction of material objects, creating danger to people, causing considerable property damage or the onset of other socially dangerous consequences, carried out with a view to intimidating the population or influencing the adoption by authorities of decisions favorable to terrorists, or satisfying their wrongful property and other interests ….» [1]. Clearly, terrorists cannot realize stage III (fig. 1), since, as a rule, they solve short-term problems. The expansion of the arsenal of their methods of influence on the government and on separate companies by means of «out-of-design» vulnerabilities of ICOS can occur, as noted earlier, through the use of previously introduced «out-of-design» vulnerabilities. Stage III is realized by state structures and industrial companies. The creation of «out-of-design» vulnerabilities is carried out by industrial companies working under contracts or supplying equipment to the facilities of a potential opponent. State structures do it in the territory of the potential opponent, preparing the possibility of diversionary operations. Terrorists obtain access to previously introduced out-of-design vulnerabilities in various ways: theft or purchase of the documentation from the corresponding state structures that prepared these vulnerabilities in the territory of the potential opponent; direct receipt of this documentation from the same structures, including with skilled instructors placed at the disposal of the terrorists for the period of preparation of the terrorist operation; etc. The activity of the terrorist organizations themselves is concentrated in stages I and II. It must be understood that, in the form of ICOS with previously introduced vulnerabilities, terrorists receive a powerful tool of influence on the government and administrative bodies of the state or region where they plan to solve their own, most often short-term, problems: to achieve the release of accomplices, to receive a large sum of money, etc.

Important is the identification of the possibilities of forecasting and preventing emergencies caused by disturbances of the regular mode of operation of large information-communication and operating systems (ICOS) as a result of terrorist influences on these systems. Counteraction to terrorist influences on CTS is a complex problem, including the necessity of solving sociopolitical, ethical, economic, organizational and technological problems. First, there are the sociopolitical and ethical problems, which have an international character. Their real solution demands the emergence of a special responsibility of state structures both for the consequences of the preparation of acts of diversion on CTS and for especially careful protection of their own documentation, in order to prevent terrorists from gaining access to it.

Secondly, there are the problems of economic, organizational and technological character. It is expedient to solve them by joint efforts (of the NATO countries and Russia), as they have a general character and are open to solution independently of the solution of the problems of the first group. Underestimation of, and insufficient attention to, the human factor is the major strategic risk in the field of regulation of the operation of ICOS in a situation of unauthorized influences on these systems. According to an estimation of modern conditions in the area investigated, it is expedient to open the project «Forecasting and prevention of the technogenic emergencies caused by disturbances of the regular mode of operation of information-communication and operating systems (ICOS) as a result of unauthorized influences on these systems» within the framework of the NATO scientific program «SCIENCE FOR PEACE». The project's main objective is an essential increase in the readiness of rescue forces of various levels to react to a signal about disturbances of the regular mode of ICOS and, accordingly, the maintenance of forestalling actions for forecasting and preventing emergencies at especially dangerous and crucial objects of the economy. The working out of a package of instructive documents regulating the forestalling actions of personnel and rescue forces should be done with the understanding that the vulnerability of ICOS increases proportionally to the increase in the scale of these systems, and also to the use in these systems of imported elements and blocks of systems, and of imported information technologies. The instructive documents should be developed on the basis of the results of the analysis of the consequences of disturbances of the regular mode of the specified systems, which will allow a corporate risk control system in the area investigated to be formalized.

Special attention is demanded by the internationalization of activity on forecasting and preventing emergencies caused by disturbances of ICOS as a result of unauthorized influences.


References


1. J.D. Vishnjakov, G.A. Bondarenko, S.G. Vasin, E.V. Gratsiansky. Bases of counteraction to terrorism. Publishing center "Academy", 2006.
2. Safety of Russia. The human factor in safety problems. "Knowledge", 2008.


Comparative Analysis of Technological and Intelligent Terrorism Impacts on Complex Technical Systems – N.A. Makhutov and G.B. Baecher (Eds.) IOS Press, 2012 © 2012 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-61499-131-1-152

Safety & Security Assessment to Prevent Terrorism Attack in Radioactive Waste Facilities in Albania
Luan QAFMOLLA
Center of Applied Nuclear Physics (CANP), Tirana, Albania

Abstract. In the last decade, substantial progress has been made in improving safety & security for nuclear material worldwide, both by states' own domestic actions and through international cooperation. Al Qaeda has continuously expressed interest in unleashing radiological terrorism by building and using radiological dispersal devices (RDDs), known for instance as "dirty bombs". Common radioactive materials, such as commercial radioactive sources used in medicine, industry and scientific research, could fuel RDDs. Since 1998, a special centralized building for radioactive waste management and temporary storage has existed in Albania, situated inside the INP territory. Radioactive waste conditioned with or without shielding has successively been placed into this building for long-term storage. Keywords. Nuclear safety, radiological terrorism, nuclear waste.


1. Introduction

In the last decade, substantial progress has been made in improving safety & security for nuclear material worldwide, both by states' own domestic actions and through international cooperation. Al Qaeda has continuously expressed interest in unleashing radiological terrorism by building and using radiological dispersal devices (RDDs), known for instance as "dirty bombs". Common radioactive materials, such as commercial radioactive sources used in medicine, industry and scientific research, could fuel RDDs.

Since 1998, a special centralized building for radioactive waste management and temporary storage has existed in Albania, situated inside the CANP territory. In fact, the Radioactive Waste Management Laboratory and Interim Storage facility have been included for physical protection in the framework of the GOA-RTR-Al-01 – SOW-3 Project, supported by the USA Department of Energy in September 2004. Radioactive waste conditioned with or without shielding has successively been placed into this building for long-term storage. So far, there have been several incidents worldwide with terrorism potential that involved nuclear waste materials, radioactive materials and their repository facilities, which may be targeted by terrorist attacks.

DU was also feared to cause environmental contamination through its widespread use, especially in the territories and at the borders of our countries, involving risk and injury to the civilian population.


2. Radioactive waste management

Since 1998, a special centralized facility for radioactive waste management and temporary storage has existed in Albania, situated inside the CANP territory, and a radiopharmaceutical Lab was established at that time as well. Radioactive waste conditioned with or without shielding was successively placed in the drum until an activity of about 20 GBq was reached. Large amounts of big radioactive sources used in research, industry, medicine and the army are stored in the interim storage facility at CANP. The designs of these facilities were intended for temporary storage of a significantly smaller amount of radioactive material, as well as of Spent High Activity Radiation Sources (SHARS), which are usually used in tele-therapy devices, semi-industrial irradiators and radioisotope thermoelectric generators, such as 60Co, 137Cs and 90Sr, with activities reaching some thousands of TBq.

Factors determining the security risk of a type of radioactive source include prevalence of use, radioactivity content, portability, and dispersibility. Generally, the more prevalent, radioactive, portable and dispersible a source is, the higher the security risk it presents. For instance, cesium chloride containing relatively large amounts of radioactive cesium-137 and consisting of an easily dispersible powder would definitely be categorized as a high-security-concern compound. If this material were also housed inside a portable container, a thief or terrorist could readily seize and transport the radioactive source if adequate security measures are absent. The radioisotopes of highest security concern include the reactor-produced americium-241, californium-252, cesium-137, cobalt-60, iridium-192, plutonium-238, and strontium-90, as well as the naturally occurring radium-226.

At the moment some ten conditioned drums are stored in our centralized facility. We have conditioned some 137Cs pieces from the Oncological Hospital, with an initial activity of A ≈ 0.55 GBq each. A manual brachytherapy device with five 137Cs spent sources, with a total activity At = 18.5 GBq, was also conditioned. In December 2006 a spent 60Co tele-therapy source with At = 92.5 TBq was conditioned and stored in the repository facility. CANP has conditioned some metal scraps contaminated with strontium-90, iridium-192, americium-241, etc., generated by Albanian private and public companies. The regulatory agency (authority) has also placed emphasis on focusing safety and security enhancements on this class of radioactive sources used in Albania.

3. Establishment of a layered and integrated Safety / Security System

A perfect safety and security system does not exist, and the Albanian authority tends to overreact by plugging the exposed gap in the system while often neglecting other gaps. A layered system means that multiple barriers are in place to lessen the likelihood of a radiological terror act. Added layers would frustrate terrorists' attempts to break through the security system. An integrated security system means that adequate layers of safety and security protect every stage of a high-risk radioactive source's lifecycle, from cradle to grave. This lifecycle begins with radioisotope production in research reactors, accelerators or radiopharmaceutical Labs, etc., as the first stage, continuing with transport to end users in an application such as food irradiation, medical instrument sterilization, cancer treatment at a hospital, industrial radiography, scientific research at a university, etc.


Since 1998, a building has been in place as a centralized waste management facility, based on the IAEA reference design for such facilities. The IAEA Technical Cooperation Project ALB/4/008, entitled "Upgrading of Radioactive Waste Management in Albania", was developed during the years 2003-2004 (1, 2). During this period an IAEA mission defined the needs for equipment to improve the waste management processes in that facility. Also, the Radioactive Waste Management Laboratory and Interim Storage facility have been included for physical protection in the framework of the GOA-RTR-Al-01 – SOW-3 Project, supported by the USA Department of Energy in September 2004.

In our centralized radioactive waste management facility all entries to the operating, storage and disposal areas of the building are protected with security locks, PIN codes and magnetic panels, and these areas have alarm systems connected to the central alarm system at the main safeguard building. The above-mentioned facilities were also equipped with a surveillance system in order to be more effective for safety and security should any terrorist attack be undertaken. A controlled computer video monitoring system watches the sites of the buildings at all times. The images identified by the cameras are recorded and displayed on the monitors. A protective fence system gives an automatic signal if any unauthorized person moves within 3-4 meters of these facilities. The surveillance control system operates with electronic cards, based on an access control system which records all information concerning movement in and out of the sites. At the main gate of the fence of the RAW Laboratory and Storage Facility a camera is installed in order to monitor and detect illegal transport of radioactive materials / sources. State-of-the-art equipment ensures adequate physical protection control, as well as the safety and security of the radioactive wastes and spent radiation sources on the sites. There is a fire brigade with radiation protection training present at CANP, which is on duty during working hours. Outside working hours police are present on the site.

1. The RAW Management Lab & Interim Storage Facility is the main centralized site / center for the whole country for the processing and storage of radioactive materials and wastes, and needs to be implemented within a secure infrastructure and system;
2. The procedures to secure spent high-activity radiation sources, or indeed any other radioactive material stored in this facility, often require the use of highly expensive, specially trained staff, which in this context needs to be improved / upgraded for more security in our case;
3. The infrastructure at Albania's borders to monitor / check the penetration of smuggling / illicit trafficking of radioactive material / spent radiation sources from neighbouring countries such as Kosovo, Montenegro or Macedonia is limited, but a terrorist attack can happen at any time;
4. A strengthened regional infrastructure, including Albanian territory, to help solve the problems associated with disused / spent sealed radioactive sources during an emergency situation under / after a terrorist attack, in our and the regional countries, needs to be implemented.

A safety assessment for the facility and for the planned waste storage operations was undertaken. It was performed on the basis of an assessment of the potential impacts of the waste management at this facility on workers and on the public, and it addressed engineering aspects as well as the management regime required for safe operation of the facility [3]. The assessment covered the following topics:

• whether the facility is in general suitable for safe waste management;
• the potential hazards to workers and to the public;
• the safety of the present system (building, characteristics, materials used, etc.) and of the planned waste management operations against the requirements of the international specialized organizations, and the identification of possible deficiencies.

4. Waste Management Facility in CANP

The dimensions of this building are 16 x 17 x 3.20 metres, and it contains the following areas:

• a waste reception area for checking the type of waste and its documentation;
• two decay-storage areas for solid waste and spent radioactive sources;
• an operational area for storing the delivered waste prior to conditioning;
• an operating area for conditioning the waste;
• a storage area of 16 x 7 x 3.20 metres for standard conditioned 200-litre drums, which is expected to be full by about 2030.

The facility is a solid concrete construction with outside walls 20 to 40 cm thick. All main entrances to the facility are protected with double security locks. There is an alarm system, which is monitored by a policeman through the cameras at the main entrance of the Center. The position of the waste management facility is indicated. The three adjacent buildings are the neutron generator (10 m away) and the Van de Graaff accelerator and the 137Cs food irradiator source, both at a distance of 20 m. Both buildings have reinforced concrete structures. Beyond the fences of CANP a residential area begins; the closest buildings are 60-80 m away. The fence separating these buildings from the site is 2 m high, but it needs improvement for security purposes. The CANP site lies in a zone of seismic intensity VII on the MSK-64 scale, so potential severe impacts can be avoided by adequate design of the building structure. The waste management facility has been designed for intensity VIII on the MSK-64 scale; therefore no detrimental impacts from earthquakes are expected.

• There are no faults close to the site and the geotechnical conditions are appropriate.
• There are no major industries with a risk of explosion in the vicinity of the site.
• There is sufficient distance from railway lines and from the airport (over 10 and 20 km respectively).

Policemen guard the CANP site permanently, 24 hours a day, and visitors are checked and accompanied by staff of the Center. At night two policemen are on duty. Exposures from incidents and accidents will be addressed in the emergency response plan, ensuring that adequate responses are taken. Security technologies and systems must be evaluated in terms of their current and long-term impacts. Security technology has a very important role in creating more secure facilities, and scarce resources need to be invested in more secure facilities, greater physical protection and better protection of vital information systems. Though these challenges appear daunting, prioritizing security improvements for the high-risk radioactive sources will go a long way toward reducing the risk of a radiological dispersal device attack by terrorists.

5. Recommendations

Recommendations for the further development of the waste management concept are given below, addressing the safe operation of waste processing and storage. They derive from the assessment of the current situation and of the plans for the further development of strategies and procedures:

a] Although a substantial degree of physical protection is already provided, improvements should be considered. An important step would be to install a new audible and visual alarm system that notifies the guards of any attempt to enter the waste storage building. The physical security of the waste storage building should be integrated into the planned project to upgrade the physical protection of CANP.
b] The main facilities on the CANP territory should be included in the already existing emergency plans of the Albanian government.
c] The facilities on the CANP territory should be regularly inspected by the competent authority, which should issue, during its inspections of the sites, recommendations for adequate physical protection against any incident, accident or terrorist attack.

References
[1] INTERNATIONAL ATOMIC ENERGY AGENCY, TECDOC No. 806, IAEA, Vienna (1995).
[2] INTERNATIONAL ATOMIC ENERGY AGENCY, Predisposal Management of Radioactive Waste, Including Decommissioning, Safety Standards Series No. WS-R-2, IAEA, Vienna (2000).
[3] INTERNATIONAL ATOMIC ENERGY AGENCY, Predisposal Management of Low and Intermediate Radioactive Waste, Safety Standards Series No. WS-G-2.5, IAEA, Vienna (2003).
[4] ACADEMY OF SCIENCES, "Strengthening of Agricultural, Industrial and Medical Uses of Isotopes by Means of a Research Reactor", Institute of Nuclear Physics, Tirana (1989).


Comparative Analysis of Technological and Intelligent Terrorism Impacts on Complex Technical Systems – N.A. Makhutov and G.B. Baecher (Eds.) IOS Press, 2012 © 2012 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-61499-131-1-157

Stability of Social System under Terrorist Impacts
R. AKHMETKHANOV
Institute of Machine Sciences, RAS

Abstract. The social system stability under terrorist impacts is considered from the perspective of nonlinear dynamics of systems and deterministic chaos. The traits of social system dynamics and system stability are determined by the properties of potential functions, i.e. characteristic points on potential hyper surfaces, and by their distribution in configuration space, or by special points in the corresponding phase space. The possibility for the system subjected to minor disturbances to transit from the stable state into the chaos area where its further behavior is unpredictable is shown. The special states of social systems when the system can be withdrawn from the stable state by minor disturbance can now be determined by means of monitoring the system state, analysis of complex quantitative and qualitative indices of strategic risks, and Kondratiev cycles. Keywords. Social systems, systems dynamics, stability


1. Introduction

As a rule the crisis of a social system is preceded by a loss of stability. Crisis escalation in one area of the system can lead to crisis initiation or acceleration in its other areas. The speed of crisis development depends essentially on a number of random but interdependent factors, and after some time it can start growing like a snowball. Among the factors that lead to a crisis are terrorist impacts aimed at destabilizing the system by minor actions. The mathematical model of a social system (SS) can in general be described by a system of nonlinear differential equations

$$\frac{dX_i}{dt} = f_i(t, \mathbf{X}), \qquad i = 1, \dots, n, \qquad (1)$$

where $\mathbf{X}$ is the vector of the system's parameters, $t$ is time and $n$ is the dimensionality of the state vector. The paper [1] presents a model of a social system that allows one to assess the dynamics of a conflict between SS elements. In this linear model the accumulated "stress" $Y$ of each of the parties participating in the conflict is taken into account. If we confine ourselves to the case of a two-sided conflict, the equation set looks as follows:

$$\frac{dY_0}{dt} = F_1 + \lambda_{11} Y_0 + \lambda_{12} Y_1, \qquad (2)$$

$$\frac{dY_1}{dt} = F_2 + \lambda_{21} Y_0 + \lambda_{22} Y_1, \qquad (3)$$

where $F_{1,2}$ are the perturbing factors that served as the initiating impulses; $\lambda_{ii}$ is the rate of self-excitation of each side of the conflict, determined by its internal motivation ($i = 1, 2$); and $\lambda_{ik}$ is the rate of external excitation of side $i$ associated with the actions of the other side $k$. Depending on the system parameters $\lambda_{ii}$ and $\lambda_{ik}$, one or another kind of attractor, or one or another kind of stability loss, is realized. The development or selection of a dynamic model of a specific kind from the set of possible kinds is determined mainly by the concrete features of the social system. Assessing and constructing an SS model requires a certain idealization and simplification of real phenomena and processes; in fact one system can be described by different models depending on the aim of the study and the degree of idealization. The dynamics of some systems is characterized by linear differential, difference and integral equations or by linear functional relationships, while the dynamics of other systems can only be described by nonlinear equations and functional relationships. Depending on the properties of social systems, the real processes occurring in them can be divided into stochastic and deterministically chaotic ones. According to the character of the processes studied, we use models that determine the likelihood of forecasting the social system state (see Table 1).
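The following script is an added worked example (the editor's code, not the author's) for the two-sided conflict model of eqs. (2)-(3): it integrates the system, computes the stress levels at which both sides stop changing, and classifies the equilibrium by the trace and determinant of the matrix of $\lambda$ coefficients, which is exactly the dependence on $\lambda_{ii}$ and $\lambda_{ik}$ that the text refers to. All numerical values of $F$ and $\lambda$ below are illustrative assumptions.

```python
"""Two-party conflict model of eqs. (2)-(3) (editor's example, not from the
paper):

    dY0/dt = F1 + l11*Y0 + l12*Y1
    dY1/dt = F2 + l21*Y0 + l22*Y1

written as dY/dt = F + L*Y with L = [[l11, l12], [l21, l22]].  All parameter
values used in the demo at the bottom are illustrative assumptions."""


def equilibrium(F, L):
    """Stress levels at which neither side changes: solve 0 = F + L*Y,
    i.e. Y* = -L^{-1} F.  Returns None if L is singular (no isolated point)."""
    (a, b), (c, d) = L
    det = a * d - b * c
    if abs(det) < 1e-12:
        return None
    f1, f2 = F
    # L^{-1} = (1/det) * [[d, -b], [-c, a]]
    y0 = -(d * f1 - b * f2) / det
    y1 = -(-c * f1 + a * f2) / det
    return (y0, y1)


def classify(L):
    """Type of the equilibrium of the linear system dY/dt = L*Y, read off the
    trace and determinant of L: det < 0 is a saddle (stability loss along one
    direction); trace < 0 with det > 0 is asymptotically stable (Scenario 2
    of the text); trace > 0 is unstable (Scenario 3); trace == 0 with det > 0
    is neutrally, i.e. only Lyapunov, stable (Scenario 1)."""
    (a, b), (c, d) = L
    tr = a + d
    det = a * d - b * c
    disc = tr * tr - 4.0 * det
    if det < 0:
        return "saddle (unstable)"
    if det == 0:
        return "degenerate (zero eigenvalue)"
    if tr < 0:
        return "stable node" if disc >= 0 else "stable focus"
    if tr > 0:
        return "unstable node" if disc >= 0 else "unstable focus"
    return "center (neutrally stable)"


def simulate(F, L, y_init, dt=0.01, steps=2000):
    """Forward-Euler integration of eqs. (2)-(3); returns the final (Y0, Y1)."""
    (a, b), (c, d) = L
    f1, f2 = F
    y0, y1 = y_init
    for _ in range(steps):
        dy0 = f1 + a * y0 + b * y1
        dy1 = f2 + c * y0 + d * y1
        y0 += dt * dy0
        y1 += dt * dy1
    return (y0, y1)


if __name__ == "__main__":
    # Self-damping (l_ii < 0) stronger than mutual provocation (l_ik > 0):
    # an initiating impulse F = (1, 1) produces a bounded stress level (2, 2).
    damped = ((-1.0, 0.5), (0.5, -1.0))
    print(classify(damped), equilibrium((1.0, 1.0), damped),
          simulate((1.0, 1.0), damped, (0.0, 0.0)))
    # Mutual provocation plus self-excitation: the same impulse escalates.
    escalating = ((0.5, 0.3), (0.3, 0.5))
    print(classify(escalating),
          simulate((1.0, 1.0), escalating, (0.0, 0.0), steps=500))
```

With the damped matrix the equilibrium is a stable node, so after the initiating impulse the stress of both sides settles at a finite level; with positive self-excitation the same impulse grows without bound, which is the "stability loss" of the text. A saddle (negative determinant) is the intermediate case where stress is damped along one direction of the $(Y_0, Y_1)$ plane and amplified along the other.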

Table 1. Models and the likelihood of forecast

Real processes and systems | Theories and models of the studies | The likelihood of forecasting | Forecasting horizon
Dynamic | Dynamic system theory; continuous models | The future is uniquely defined by the past; the processes are deterministic and completely predictable | Unlimited
Stochastic | Probability theory and mathematical statistics; probabilistic and statistical models | The future is in no way dependent on the past; the processes are completely unpredictable | Zero
"Dynamic chaos" | Complexity theory and the theory of self-organized criticality; models of hierarchical systems and models of nonlinear dynamics | Behavior can only be predicted for a short period | Limited

Owing to the complexity of social systems they can mainly be simulated by nonlinear models [2]. The evolution of complex nonlinear systems is defined by the interplay of two factors:

1. the creation of inhomogeneity in the system;
2. the blurring of inhomogeneity in the nonlinear system (analogous to various kinds of dissipation or diffusion).

The interaction of these two factors (nonlinear feedback, and processes of scattering and dissipation) leads to different regimes of nonlinear system evolution, and these regimes can cause loss of stability. Let us apply the theory of stability to consider some alternative scenarios that can be realized in social systems. Internal and external actions on the system result in a continuous deviation of the system state from the initial state $\mathbf{X}_0$. The possible consequences of these deviations are the following [3]:

Scenario 1. The state of the system $\mathbf{X}(t)$ remains in a certain neighbourhood of the initial (reference) state $\mathbf{X}_0$ at all times exceeding a certain initial time $t_0$. More exactly, for any preassigned tolerance $\varepsilon > 0$ one can always find a $\delta > 0$, depending in the general case on $\varepsilon$ and $t_0$, such that if the initial perturbation does not exceed $\delta$, the deviation $\mathbf{x}(t)$ remains less than $\varepsilon$ at all times exceeding $t_0$. Such a state $\mathbf{X}_0$ is stable in the sense of Lyapunov. When analysing a system we are often interested not in the response of a single state to a perturbation but in the response of the whole sequence of states that defines a certain trajectory. In this case a suitable measure of the distance between the reference trajectory and the perturbed one is introduced, and the above definition of stability is then applied, which leads to the concept of orbital stability.

Scenario 2. The state $\mathbf{X}(t)$ tends to $\mathbf{X}_0$ as time tends to infinity; in other words, the initial perturbation $\mathbf{x}(t)$ tends to zero with time. Then the state $\mathbf{X}_0$ is asymptotically stable. This definition can be generalized to asymptotic orbital stability. Clearly, asymptotic stability necessarily implies irreversibility: a conservative (reversible) system can at best be stable in the sense of Lyapunov, whereas a dissipative system can eliminate the influence of a perturbation and so restore the reference state. This is what ensures the predictability and reproducibility of the regime called an attractor.

Scenario 3. The state $\mathbf{X}(t)$ does not remain in the neighbourhood of $\mathbf{X}_0$. More precisely, for every neighbourhood of $\mathbf{X}_0$ there exists an initial perturbation for which the deviation of $\mathbf{X}(t)$ cannot be kept below a certain arbitrarily prescribed value. Then the reference state $\mathbf{X}_0$ is unstable. This situation arises at the initial stage of rapid (typically exponential) growth of a disturbance. All these properties are easily summarized, and the orbital form of the definition is derived in the same way.

Scenario 4. The state $\mathbf{X}(t)$ remains in some neighbourhood of the reference state $\mathbf{X}_0$ if the initial disturbances do not exceed some threshold value; if the disturbances exceed the threshold, $\mathbf{X}(t)$ leaves the neighbourhood. Then the state $\mathbf{X}_0$ is locally stable but globally unstable. If, on the other hand, $\mathbf{X}_0$ is stable under initial disturbances of any amplitude, then global stability is observed and $\mathbf{X}_0$ is a global attractor.

The presented types of system stability mathematically generalize common properties of systems of any nature. All scenarios for the initiation and development of dangerous states, describing the transition in time $t$ from normal stable states of the system to critical situations, can be divided into the following groups:
- monotonic transition scenarios, in which the current parameters of external effects, system responses and states change monotonically (usually in a dangerous direction);


- abrupt transition scenarios (with intensification), in which the parameters of the disturbing actions or of the responses change very rapidly (almost instantly) over short periods of time;
- scenarios with soft and hard bifurcation transitions, in which systems passing through a number of unstable states are likely to change according to bifurcation diagrams, with complex trajectories of change of the system state.

Let us consider a dynamical system $S$ whose states can be described by a set of values $x_j$, indexed by $j$. The values $x_j$ may change over time, and together they make up the state vector $\mathbf{X}(t) = (x_1(t), x_2(t), \dots, x_n(t))$. The evolution of $\mathbf{X}(t)$ over time, i.e. the dynamics of the system, is determined by differential equations of the form

$$\frac{d\mathbf{X}}{dt} = \mathbf{N}(\mathbf{X}, a) + \mathbf{F}(t), \qquad \mathbf{X}(0) = \mathbf{x}_0, \qquad (4)$$

where $\mathbf{N}(\mathbf{X}, a)$ is the deterministic part and $\mathbf{F}(t)$ is the fluctuating force (noise). If in the absence of fluctuating forces the state vector $\mathbf{X}(t)$ at the initial time is known (and stable) and the so-called control parameters $a$ are fixed, then the future of $\mathbf{X}(t)$ is uniquely defined. The relation between the deterministic and random components in space and time is important for the subsequent state of the system. Over time, according to (4), the vector $\mathbf{X}(t)$ tends to enter an attractor, which defines the features of the dynamic behaviour of the system. For a simple picture of an attractor, imagine a surface with elevations and troughs (a potential surface). To describe the system dynamics a physical model is commonly used: the motion of a ball on this surface (the trajectory of the representative point in configuration space) (Fig. 1) [4].

[Figure 1. Contour lines of the potential surface relief (a) and the transition of the system from one attractor (attracting fixed point) to another (b) [4]]

Changes in the singularities of the potential function are associated with changes of the system parameters over time, while the dynamics of the point is connected with the internal and external forces acting on the system. The potential function also describes the safety properties of the system, which can be presented in the form of a potential barrier preventing modification of the system state.


Setting the system parameters $a$ amounts to choosing a particular relief on which the ball can roll under gravity. Setting the state vector $\mathbf{X}(t)$ at the initial time means placing the ball at some specific point at that time. It rolls from there until it reaches the bottom of a trough, which in this case is the attractor. Dynamical systems can also have attractors of other types, for example limit cycles, when the system performs continuous oscillations, or even more complex attractors known as chaotic ones. Given oscillations, the ball can jump from one local minimum of the surface to another, i.e. from one attractor to another. The probability of a transition from the region of one local minimum to another depends on the height of the potential barrier and on the force $\mathbf{F}(t)$ acting on the system. The transition of the system into the region of another minimum generates dynamics characterized by the new attractor. In the general case of dynamical systems of various natures, the values of the potential function $E_S(W, E, I)$ at the local minima are characterized by the stocks of energy $E$, substance $W$ and information $I$ in the system. Fig. 2 shows examples of changes in the character of the potential function under perturbations of the potential, i.e. changes of the system parameters $a$. The system can be withdrawn from its stable state by a perturbation of the potential function, i.e. a change in the system parameters $a$ (a fall in its protective properties). The other possibility is an external disturbance that makes the system jump from one attractor to another while the potential function remains unchanged.

[Fig. 2. Unperturbed (continuous curve) and perturbed (dashed curve) potentials; panels (a), (b), (c)]

When considering the dynamics of the system we are interested first of all in assessing its ability to maintain the invariance of the attractor under disturbances. Let us start with the analysis of a system $S$ described by the differential equations (4), and assume that in the absence of external disturbances the origin is an equilibrium point for certain values of the system parameters $a$ and $\mathbf{F}(t) = 0$. In the light of our understanding of system stability the following questions arise:

a) Under what conditions can the disturbance function $\mathbf{F}(t)$ make the system, characterized by $\mathbf{x}(t)$, leave the basin of attraction (for example, that of the origin)?
b) What changes in the system parameters $a$ would distort the potential function so much that the position of the system is shifted into the basin of an attractor other than the one at the origin?

On this basis, a crisis development scenario can be defined as a series of transition events from one attractor to another, each possible with a certain probability $P(t)$. These events can occur given changes of the system parameters $a$ and the action of certain disturbances $\mathbf{F}(t)$, and they depend on the characteristics of the dynamic behaviour of the dynamical system (Fig. 3). The features of its dynamics can be represented on the phase plane, which includes separatrices separating the modes of motion possible in the system. In this case they are barriers, or limit lines. Within the region bounded by them the system dynamics is quite definite (there is an attractor), and crossing the limit lines leads to a change of attractor. Such a potential function is characteristic of many dynamical systems.
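The following is an added worked example (the editor's code, not the author's) for the ball-on-a-potential picture and for question a) above. A one-dimensional double-well potential $V(x) = a(x^2 - 1)^2$ stands in for the potential surface of Fig. 1, with overdamped dynamics $dx/dt = -dV/dx + F(t)$ as a special case of eq. (4), so that $N(x, a) = -dV/dx$, the two minima at $x = \pm 1$ are the attractors and $x = 0$ is the separatrix. The barrier height $a$, the noise amplitude sigma and all other numerical values are illustrative assumptions. The script shows the threshold behaviour of Scenario 4 (a displacement that does not reach the separatrix relaxes back into the same well, one that crosses it lands in the other well) and counts separatrix crossings caused by a random force $F(t)$ of different strengths.

```python
"""Overdamped motion of the representative point on a double-well potential
under an external force F(t): dx/dt = -dV/dx + F(t), a scalar instance of
eq. (4) with N(x, a) = -dV/dx.  Editor's example, not from the paper; the
potential V(x) = a (x^2 - 1)^2 and every parameter value are assumptions."""
import random


def potential(x, a=1.0):
    """Double-well V(x) = a (x^2 - 1)^2: minima (attractors) at x = -1 and
    x = +1, a barrier of height a at the separatrix x = 0."""
    return a * (x * x - 1.0) ** 2


def barrier_height(a=1.0):
    """V(0) - V(+-1): the 'stock' that a disturbance has to overcome."""
    return potential(0.0, a) - potential(1.0, a)


def drift(x, a=1.0):
    """Deterministic part N(x, a) = -dV/dx = -4 a x (x^2 - 1)."""
    return -4.0 * a * x * (x * x - 1.0)


def relax(x0, a=1.0, dt=0.01, steps=5000):
    """Noise-free dynamics (F = 0) from the initial displacement x0.
    Returns the position the point settles at: -1.0 if x0 < 0, +1.0 if x0 > 0
    (Scenario 4: the threshold is the distance to the separatrix)."""
    x = x0
    for _ in range(steps):
        x += dt * drift(x, a)
    return x


def count_transitions(a=1.0, sigma=0.0, dt=0.01, steps=20000, seed=0, x0=-1.0):
    """Euler-Maruyama integration with F(t) = sigma * (Gaussian white noise).
    Returns how many times the point crosses the separatrix x = 0, i.e. how
    often the system jumps from one attractor to the other.  The seed makes
    the constructed noise sequence reproducible."""
    rng = random.Random(seed)
    x = x0
    crossings = 0
    on_left = x < 0.0
    for _ in range(steps):
        kick = sigma * rng.gauss(0.0, 1.0) * dt ** 0.5
        x += dt * drift(x, a) + kick
        if (x < 0.0) != on_left:
            crossings += 1
            on_left = x < 0.0
    return crossings


if __name__ == "__main__":
    print("barrier height:", barrier_height())
    # Below-threshold and above-threshold initial disturbances from x = -1.
    print("x0 = -0.1 relaxes to", round(relax(-0.1), 6))
    print("x0 = +0.1 relaxes to", round(relax(0.1), 6))
    # Random force F(t): weak noise never crosses the barrier in the run,
    # strong noise crosses it many times.
    for sigma in (0.0, 0.2, 2.0):
        print("sigma =", sigma, "crossings =", count_transitions(sigma=sigma, seed=1))
```

The zero-noise runs make the Scenario 4 threshold explicit: the question is not the size of the disturbance as such but whether it carries the state across the separatrix. With a random $F(t)$ the crossing count grows steeply with the noise amplitude relative to the barrier height, which is the dependence the text describes; raising $a$ in the potential corresponds to the "protective properties" of the system, lowering it to their decay.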

[Fig. 3. An example of a potential function (a) and the corresponding phase plane (b)]

To assess the likelihood of transitions from one system state to another, let us consider the dynamics of systems near separatrices. Separatrices separate invariant curves (attractors) of different topology. Stochastic motion typically occurs near separatrices, and it is the characteristics of this dynamics that determine the possibility of chaotic transitions from one attractor to another. In this region stochastic zones are formed (Fig. 4), i.e. chaos [5]. The stochastic layer in the neighbourhood of the separatrix causes random transitions of particles from one potential well (attractor, i.e. system state) to another.

[Fig. 4. The stochastic zones]

The phenomenon of chaos is typical only of nonlinear systems. It may occur when the number of degrees of freedom is $N = 3$ or more. It is linked to the instability and destruction of invariant tori (the destruction of the stability zones in the neighbourhood of the points of minimum energy, i.e. elliptic points). Almost all dynamical systems have a zone of chaos; conversely, systems with only regular dynamics are exceptional. An obvious source of chaos is the existence of a hyperbolic point (saddle). In the neighbourhood of a saddle cycle there is a complex picture of intersecting stable and unstable manifolds, characterized by an infinite number of homoclinic paths [6]. A homoclinic structure appears, containing a set of saddle motions of the same type and an aggregate of complex trajectories that are doubly asymptotic to them. The important common property of all homoclinic trajectories and structures is that, as the system parameters $a$ vary, an infinite number of bifurcations of birth and disappearance of regular and strange attractors occurs in their neighbourhood. Accordingly, in general any dynamical system has an irremovable stochastic region in phase space. Although the existence of a stochastic region thus becomes a certain universal property of dynamical systems, this does not yet mean strong instability of the system $S$, because the chaotic zones are very narrow. The fate of the stochastic trajectories is therefore determined by how the chaotic zones join, in other words by the topology of weak chaos in phase space. The merging of all stochastic layers in phase space may form a single network, a stochastic web. In the web an arbitrarily distant wandering of a particle is possible, so the existence of the web is a qualitatively new manifestation of chaos, expressed in a universal mechanism of irremovable diffusion in phase space. In fact this is only one of the consequences. Another, no less important, is connected with the geometry of the web. The presence of islets of stability is a fundamental property of real physical systems. The structure of the islets is itself extremely complex and intricate: there are systems of islets of different orders and ever-diminishing sizes (Fig. 5) [5].


As stated above, the stochastic layer is formed in the neighbourhood of the separatrix. Under certain conditions stochastic layers merge and a single stochastic sea is formed.

[Fig. 5. Formation of the stochastic sea. Islets of various orders in the stochastic sea; the separate, randomly located points belong to the same trajectory]

As the parameters of the system $S$ change, the stochastic sea can fill an increasing part of the phase space while the islets of stability (attractors) decrease in size. The relative measure of the islets is simultaneously reduced, and the probability of falling into the stochastic zones grows. Thus, in general, a stochastic domain always exists, even for an arbitrarily small perturbation parameter. The stochastic domain is exactly localized: its carrier is the neighbourhood of the separatrix, and this statement is substantially generic. It is difficult to build a model of a social system that reflects all the features of the system's dynamics and stability. But in analysing social systems it should be taken into account that a social system may lose stability under small impacts according to the scenario of deterministic chaos. It is therefore necessary to analyse characteristics of the system's state that are able to define the properties of the system qualitatively and quantitatively. They are usually called parameters or properties. The state of a system can be determined if the value of each structural parameter is known. The selected set of structural parameters must meet the following requirements:

1) functional independence: each structural parameter $S_i$ can change independently of the parameters $S_j$, i.e. there should be no function that allows one to determine the parameter $S_j$ uniquely from the known value of $S_i$;
2) external constraints on the change of the selected structural parameters, which may be functional, technological, economic, political or other constraints.

In general, a model of the system state can be represented by the set of structural parameters in the form of a state vector specified in $n$-dimensional space.
When determining the state, the selection of the diagnostic parameters used to diagnose a system, especially a very complex one, is a most important and challenging problem. First, this is because the interrelations between structural and diagnostic parameters may differ depending on the complexity of the object. Second, different diagnostic parameters meet the above requirements for the parameters of the output processes used for diagnostic purposes to different degrees. On this basis the question arises of how one can determine that the state of the social system is close to the region of stochasticity. To answer it, let us consider the quantitative and qualitative indicators of the social system state: Kondratiev cycles (KC) and strategic risks (SR). As is known, social system states change over time in accordance with Kondratiev cycles [2], i.e. the parameters and dynamics of the system change. Social system parameters change in accordance with the phases of the dynamics of the socio-economic system (prosperity, recession, depression and recovery) (Table 2). The phases of recession and depression correspond to a social system state in the region close to the separatrix.

Table 2. Assessment of the social system's state

Indicator | Prosperity | Recession | Depression | Recovery
Training | falls | low | increases | high
The desire for risk | falls | low | grows | high
Perception of favourable opportunities | limited | very limited | expanding | wide
Perception of direct threat | weak | grows | falls from the maximum | falls
Motivation, morale, job satisfaction | falls | low | grows | high
Creative activity | varies | low | increases | maintains the high level up to the maximum
Alienation and dissolution of morals | grows | the greatest | falls | low
Alarm | low | reaches the maximum | decreases | low

In addition to KC, the parameters (attributes) characterizing strategic risks (SR) should be considered. SR are versatile indicators: on the one hand they are diagnostic parameters, on the other they also define functional characteristics of the system. Research carried out by organizations of the Russian Academy of Sciences and EMERCOM of Russia made it possible to select and rank nearly 40 factors in the main spheres of national activity to be taken into account when assessing strategic risks. The main spheres of national and social activity (political, economic, social, natural, technological, scientific and technical) were chosen as the indicators of strategic risks [7]. The main strategic risk factors in the major areas of national activity are:

1. Irrational choice of economic development priorities.
2. Incompetent and corrupt authorities.
3. Irrational choice of priorities in science and technology policy.
4. Criminalization of the economy and outflow of capital.
5. Decline in living standards and antagonism in the social structure.
6. Decline in productive potential and investment.
7. Decline in scientific, technological and innovative capabilities.
8. Decline in the nation's defence capability and the army's fighting efficiency.
9. Internal inter-ethnic and inter-confessional conflicts.
10. The likelihood of an energy crisis.
11. Exceeding the limits of openness of the national economy.
12. Natural disasters.
13. Anthropogenic accidents and disasters.

In view of the foregoing, the likelihood of loss of social stability can be defined by the functional

$$P(t) = f\big(E_S(t),\; C_K(t),\; R_{STR}(t),\; F_T(t)\big), \qquad (5)$$

where $E_S(t)$ is the potential of the social system, $C_K(t)$ are the Kondratiev cycles, $R_{STR}(t)$ are the strategic risks and $F_T(t)$ are the terrorist impacts. Solving this problem requires appropriate research by means of social system models.

References

[1] Bondarev A. Cycles and stability in the development of social systems. Vestnik RUDN, series Sociology, 2004, no. 6-7, pp. 135-143 (in Russian).
[2] Trubetskov D. Introduction to synergetics. Chaos and structures. Moscow: Editorial URSS, 2004. 240 p. (in Russian).
[3] Malkin I.G. Theory of motion stability. Moscow: Nauka, Chief Edition of Physical and Mathematical Literature, 1960. 515 p. (in Russian).
[4] Haken H. Information and self-organization. A macroscopic approach to complex systems. Moscow: KomKniga, 2005. 248 p. (in Russian).
[5] Zaslavsky G.M. Stochasticity of dynamical systems. Moscow: Nauka, Chief Edition of Physical and Mathematical Literature, 1984. 272 p. (in Russian).
[6] Anishchenko V.S. Complex oscillations in simple systems. Moscow: Nauka, Chief Edition of Physical and Mathematical Literature, 1990. 312 p. (in Russian).
[7] Strategic risks of Russia: assessment and forecast. EMERCOM of Russia, edited by Yu.L. Vorobyov. Moscow: Delovoy Express, 2005. 392 p. (in Russian).


Comparative Analysis of Technological and Intelligent Terrorism Impacts on Complex Technical Systems – N.A. Makhutov and G.B. Baecher (Eds.) IOS Press, 2012 © 2012 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-61499-131-1-167

Uncertain System Management: The Redundancy as a Risk Mitigation Tool in Societal Technological Systems

Varzea TAVARES, PhD, Engineering Consultant in Systems R&D and Risk Assessment

Abstract. After defining Societal Technological Systems (STS) as a class of systems intended to improve the economy, the security, the health and the environment (the well-being) of human societies, and Intentional Disturbance Actions (IDA) as planned activities intended to weaken or interrupt the appropriate management and/or performance of such systems, the author investigates the relationship between System Societal Value (SSV), System Exogenous Support (SES) and System Redundancy Level (SRL). A risk assessment is carried out concerning the risk of eventual degradation of System Societal Value, and the System Redundancy Level is selected as a management tool for the mitigation of that risk. The transfer between Exogenous Support and Redundancy Level is adopted as a procedure for optimizing resource allocation. Finally, the sensitivity characteristics of this relationship and the main properties of its optimal configuration are considered.

Keywords. Technological systems, risk mitigation, systems engineering.




Comparative Analysis of Technological and Intelligent Terrorism Impacts on Complex Technical Systems – N.A. Makhutov and G.B. Baecher (Eds.) IOS Press, 2012 © 2012 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-61499-131-1-168

Societal life safety risk criteria

P.A. ZIELINSKI, Ontario Power Generation
Gregory B. BAECHER, University of Maryland



Abstract. People choose to live in risky landscapes for a variety of reasons: they derive benefits from those places despite the risk. From a planning perspective, how much protection is it reasonable to provide these populations against the risk of death due to coastal flooding? The acceptability of risk due to natural hazard, and the levels of protection that infrastructure should provide, may be approached from several directions: from economic calculations on the value of a statistical life saved, from people’s willingness-to-pay to reduce risk, from stated preferences, and from other risks that people willingly accept. This paper focuses on societal risks deemed tolerable from the last consideration, as now widely used for dam safety guidelines. Recent recommendations have been made that coastal defenses should be designed to provide the exceptionally low levels of societal risk associated with modern, well-engineered dams. These seem unreasonable. For fatalities fewer than the low thousands, the tolerable level of risk for coastal protection—based on other risks society accepts—is arguably on the order of 10^-3 per year. This implies a corresponding acceptable level perhaps two orders of magnitude lower, to be consistent with current practice in other sectors of civil infrastructure. Between these bounds, as-low-as-reasonably-practicable (ALARP) practices seem a reasonable precaution.


Keywords: Risk, natural hazard, reliability, safety, ALARP, societal risk.

1. Introduction

The question of “acceptable” risk is, in principle, amenable to decision-analytical thinking. These are approaches in which (1) objectives are specified, (2) alternatives are identified, (3) outcomes and their consequences are inventoried, (4) probabilities of the consequences are assigned, and (5) a value or utility function over the consequences is defined. The alternative that maximizes the expectation of value or utility is deemed the most acceptable (Keeney and Raiffa 1993). All decision alternatives have risks: benefits and costs are uncertain. So, in principle, one accepts decision alternatives, not their corresponding risks; and thus there are no “acceptable risks,” just a most acceptable alternative. This most acceptable alternative is the one that balances uncertain benefits and costs; it is not necessarily the alternative with the smallest down-side risk, and it is always situation dependent (Fischhoff et al. 1994). The optimization depends on the objectives, alternatives, consequences, probabilities, and values. These change from situation to situation. Thus, “acceptable risk” is relative, not absolute.

The sketch of Figure 1, adapted from Fischhoff et al. (1994), suggests this balancing. Three decision alternatives, A, B, and C, are shown, each with a different cost and risk. Alternative A has the lowest cost consequence but the highest risk. Alternative B has the highest cost consequence but the lowest risk. Alternative C has intermediate values of cost and risk. The best choice would be the one with both the lowest cost and the lowest risk, but none satisfies this condition. The best choice therefore depends on the value function. The value function is the locus of pairs of cost and risk consequences that are equally preferred. This is a subjective or political construct. Using the value function Fn-1 suggests that alternative C should be preferred; but using Fn-2 suggests that B and C are equally preferred to A.


Figure 1. Schematic decision among three alternatives, A, B, and C, with differing costs and down-side risks. Adapted from Fischhoff et al. (1994). The LHS shows the performance of the alternatives on the single attributes of cost and risk, respectively. The RHS shows a balancing of cost and risk, which depends on the value function adopted. Adopting a value function is a subjective or political activity.

For coastal protection projects, the strictly decision-analytical approach is usually impractical, because the problem is seldom fully specified. At a minimum, the sets of objectives and outcomes are incomplete. For example, the economic and social benefits of life in thriving urban areas are never fully identified. Furthermore, there is little political agreement on what attributes should go into a value function and how they should be weighed and compared. So, the analytical construct is useful in thinking about risk, but its quantitative implementation is less so.

2. Acceptable risk

Another widely used approach to acceptable risk is to judge the risks individuals and society appear to accept now and to presume that these levels should be acceptable in other activities. The core presumption is that with time society has adjusted to a variety of risks and that in doing so it has achieved a reasonable balance between risks and benefits. The risks that people now accept are then a guide to what is acceptable for new or changed risks. A number of authors have critiqued these techniques (Fischhoff et al. 1994; Lowrance 1976; Wilson and Crouch 2001), but they are widely used, and form the basis of some fraction of public safety regulation in the US, UK, and Europe (HSE 2001).


3. Societal risk

Societal risk — the risk of multiple fatalities in a single event — is more elusive than individual risk. Here, the term is used to mean multiple fatalities, but in a broader sense societal risk refers to hazards that, if realized, could impact society beyond the individual and thus cause a socio-political response. Ball and Floyd (Ball and Floyd 1998), in one of the more exhaustive reports on societal risk in hazardous industries, say:

One of the problems with societal risk has been the term itself, which, as with the word risk, means different things to different people at different times, leading to some misunderstanding and confusion. For instance, from an engineering perspective, societal risk is often regarded as no more than a relationship between the frequency and number of people suffering a specified level of harm from a particular hazard. Alternatively, others see societal risk as a much broader concept incorporating many other dimensions of harm, in some cases even the socio-political response in the aftermath of major accidents, or even lesser accidents where these might give rise to a significant expression of public concern.


3.1. Frequency-number (F:N) curves

For natural hazards and hazards of the built environment, societal risk is usually portrayed by frequency-number (F:N) curves. These plot the number of fatalities (N) on the abscissa against annual exceedance frequency (F) on the ordinate, usually on a log-log grid (Figure 2). The annual exceedance frequency is a complementary cumulative distribution function (CCDF). The F:N curve typically shows fatalities from all events and all failure modes within some identified suite, e.g., from all hazards and all modes of failure of a particular dam. Conceptually, F:N curves were first used to illustrate the aleatory frequency of occurrence, but in recent practice this frequency is often replaced by epistemic probability, and the curves are then more correctly referred to as P:N curves, although this usage is not (yet) common. While the use of cumulative probability distributions to describe risk is long-standing, in the modern risk analysis literature the CCDF as a measure of societal risk was given credence by its use in the USNRC Reactor Safety Study (USNRC 1975). This report used F:N charts to compare risks associated with nuclear power production to other, more familiar natural hazard and industrial risks. While the reactor safety risks reported in the study were the result of fault-tree and event-tree analysis, the comparative risks from natural hazards and industrial activities were empirical (Kastenberg 2006). Later work has served to sharpen these estimates based on historical records. The more pertinent risk curves for the present discussion are those treating dam failures (Figure 3).

In certain applications, societal risk is portrayed by event probabilities rather than exceedance probabilities. For example, this is the practice of the US Bureau of Reclamation for dam safety risks (Figure 4).
In this plot, expected fatalities for individual modes of failure are plotted as points (or ellipses of uncertainty) against annual probability of occurrence. If the various failure mode probabilities are mutually independent—which may be a problematic assumption—the corresponding F:N curve can be approximated by summing the probabilities of the failure modes plotting to the right of a particular fatality value, N. In an f:N chart, lines of slope negative one on a log-log grid reflect constant expected loss.

Figure 2. Frequency of man-caused events (right) involving fatalities (USNRC 1975).

Figure 3. F:N chart for numbers of fatalities due to historical dam failures in the US and internationally, respectively (Baecher and Christian 2003), contrasted against the “US Dams” F:N curve from the USNRC Reactor Safety Study (USNRC 1975). For a given annual exceedance probability, the Reactor Safety Study estimated fatalities about an order of magnitude higher than the historical record for US dams.

Figure 4. USBR’s f-N chart for displaying probability of failure, life loss, and risk estimates (USBR 2003).

The probability-consequence data of Figure 5 originally appeared — somewhat as a side thought — in a consulting report prepared in the early 1980s by T.W. Lambe & Associates (T.W. Lambe & Associates 1982) and were subsequently published in Baecher (1987). They also appeared in Whitman’s (1984) and Christian’s (2004) Terzaghi Lectures, and in other places, often cited (Kulhawy and Phoon 1996), but sometimes not. The chart is reproduced here for historical purposes. The idea for it followed from the Reactor Safety Study, which had been completed a few years earlier (USNRC 1975). Too often this figure has been applied with little understanding of its conceptual context and with only a naïve understanding of risk concepts (Seed et al. 2006). The data analysis underlying the figure is somewhat superficial, and the chart interleaves both F:N and f:N information; but although now dated, it seems to have filled a need 25 years ago. The “estimated US dams” curve in Figure 5 was an attempt to reckon the risk posed by an individual large US dam. The assumption was made that there might be roughly 1000 such dams, and Figure 2 was adjusted accordingly. In practice, there are some 1,733 dams in the US inventory that are higher than 30 m, so this is perhaps a better number than the 1000 used in adjusting the historical record (Charlwood et al. 2006). The US suffers some five to ten dam failures a year, but few cause fatalities (McCann 2008). The bubble labelled “dams” was taken from Baecher, Paté, and deNeufville (1979), which, however, was written for a different purpose, and probably overstates the individual dam risk.

Figure 5. f-N chart of common civil infrastructure risks based on approximate actuarial failure frequencies, with subjective interpretations of “acceptability” (Baecher 1985).

3.2. ALARP

The UK Health and Safety Executive (HSE) has been a pathfinder in risk-informed regulation of industrial hazards. Beginning in the 1990s, the HSE developed an approach to risk and safety regulation based on societal risk that is now widely practiced in Europe, the Commonwealth countries, and Asia (HSE 2001).


The HSE approach is structured around the concept of tolerable societal risks, and is often implemented through F:N curve concepts. A tolerable risk is one that “society can live with so as to secure certain net benefits.” It is a risk that may not be broadly acceptable, and is not necessarily negligible; it is a risk that should be kept under review and reduced if and as possible, but it can be tolerated because of the concomitant benefits. In contrast, intolerable risks are those “so large that nobody should be exposed to [them] and thus risk reduction should be undertaken without regard to cost.” HSE also identifies “broadly acceptable risks.” These are risks that essentially everyone finds reasonable. Rimington et al. (2003) quantify these risk categories as:

- Broadly acceptable risk: an annual risk of casualty significantly lower than 10^-6 arising from any particular source, generally taken as negligible risk.
- Unacceptable risk: an annual risk of casualty in excess of 10^-4, deemed to be intolerable under normal circumstances. This does not preclude individuals from voluntary participation in recreational activities involving higher levels of risk, often in the range 10^-3 to 10^-2 fatalities per annum.
- Tolerable risk: an annual risk of casualty between the values 10^-6 and 10^-4.

Within HSE guidance, a risk that is low enough to be broadly acceptable requires no further action; but a risk that is merely tolerable should be reduced as far as is practicable. That is, a tolerable risk, of whatever level, should be continually reduced as long as the cost of doing so is not disproportionate to the reduction achieved — this might be thought of as akin to continuous quality improvement: tolerable risks should be reduced to levels as low as reasonably practicable (ALARP) (Figure 6).
This requirement originates from the duty to reduce risks to life to the point that further risk reduction is impracticable, in that it would require action grossly disproportionate in time, trouble, or effort when compared to the reduction of risk achieved. It is said that this concept arises out of common law, and as a result the common law countries are those in which this regulatory approach appears to thrive (Ale 2005). ALARP is akin to continuous quality improvement. The ALARP principle was established in British law in 1949 by Edwards vs. the National Coal Board (HSE 2001). The trial court in that case found that,

A computation must be made in which the quantum of risk is placed on one scale and the sacrifice, whether in money, time or trouble, involved in the measures necessary to avert the risk, is placed on the other; and that, if it be shown that there is a gross disproportion between them, the risk being insignificant in relation to the sacrifice, the person upon whom the duty is laid discharges the burden of proving that compliance was not reasonably practicable.

Some aids that can assist the judgment of disproportionality involve risk reduction versus cost, and the corresponding computation of the cost to save a statistical life (VSL). The latter is set as USD 5M in Graham (2000), as AUD 4M in ANCOLD (2003), and as USD 7M in current EPA regulation. It is clear that the ALARP principle is the key to determining whether an actual risk is tolerable. The ALARP test has to be taken seriously and usually requires significant analytical effort. ANCOLD (2003) recognizes that the concept of ALARP has a major role in Australian law. It states that “the law of negligence recognizes a proportionality between the lengths to which a person, or legal person, is expected to go in avoiding a risk and the seriousness of the potential harm that could result from the risk”. In practical terms, in order to satisfy the test, the dam owner needs to demonstrate gross disproportion between the sacrifice (costs and time required to implement risk reduction measures) and the reduction in risk that would be achieved by this sacrifice.

Figure 6. Tolerability of risk — the HSE model (HSE 1992).


3.3. Dam Safety

The idea that levels of risk may be acceptable or unacceptable to the public has long been present in dam safety considerations. These typically presume that risks associated with dams are part of the broader set of societal risks associated with power generation, and thus are involuntarily imposed on the individual citizen. The matter of tolerability of dam safety risk to individuals and society has received attention from regulators in the United Kingdom and the Netherlands with respect to various water retaining structures. It has also been of interest to dam safety regulators in Australia and to the US Bureau of Reclamation. The key component in dam safety has traditionally been risk to life. In this respect, the Dam Safety Committee (the regulating body) of the Government of New South Wales proposed two principles (Dam Safety Committee 2006):

1. With respect to individual risk, the increment of risk imposed on an individual by a dam should not exceed a small fraction of the average background risk that the population lives with on a daily basis; and

2. With respect to societal risk, the probability of an event that could result in multiple casualties should not exceed a value which is a function of the number of possible casualties (i.e., an expectation), and which declines as the number of casualties increases.

The NSW Dam Safety Committee’s requirements for societal risk for existing facilities are illustrated in Figure 7. Note, the societal risk associated with one fatality is not individual risk, but is the sum of the individual risks to all within the exposed population (i.e., the population at risk, or PAR). This is the probability that anyone within the PAR is killed. DSC guidelines require that societal risk be below the limit of tolerability to the extent dictated by the ALARP principle. For acceptable risk, the DSC adopted what it describes as a “negligible” level two orders lower than the limit of tolerability.

The US Bureau of Reclamation (USBR, 2003) uses societal risk criteria for rank ordering dam safety upgrades within its inventory of dams. The basic condition used in the USBR Guidelines is that the annualized incremental loss of life due to dam failure should be less than 0.001 lives per year for each loading (i.e., hazard) type (e.g., flood, earthquake, etc.), as shown in Figure 4. The guidance proposes that, if risk is identified in this way, then:

- For risk greater than 0.01 lives/year — “there is justification for taking expedited action to reduce risk.”
- For risk between 0.01 and 0.001 lives/year — “Reclamation considers that there is justification for taking action to reduce risk.”
- For risk less than 0.001 lives/year — “the justification to implement risk reduction actions or conduct additional studies diminishes as estimated risk becomes smaller than 0.001.”

This form of presentation of risk in f:N curves makes the interpretation of aggregate risk difficult, and thus few organizations other than USBR have adopted the approach: most use F:N representations. ANCOLD (2003) adopts a modified version of the DSC criteria. The “unacceptability” lines on these F-N charts are truncated at a certain level of annual exceedance probability, reflecting ANCOLD’s view that this is the “lowest risk that reasonably can be assured, or demonstrated, over all dams, given the technology that was used for construction (for existing dams) or would be available (for proposed dams), the diversity of site geotechnical conditions and the available techniques for estimating risks.” In other words, this guidance supposes that risk analysis technology is insufficient to credibly demonstrate annual exceedance probabilities lower than 10^-5 for existing dams or 10^-6 for new dams and major augmentations. The guidelines state that this truncation “[…] represents ANCOLD’s present judgment of the lowest risk that can be realistically assured in light of present knowledge and dams technology and methods available to estimate the risks. In the case of existing dams, many were built a long time ago using very poor technology. Whilst some aspects of safety can be improved, it is simply impracticable to bring such dams fully up to the safety levels of a well designed and constructed modern dam. The choice is to either accept the horizontal truncation or to abandon the dam. Since dams are of significant benefit to society, it is considered that the horizontal truncation is justified.” Arguments have also been made that the truncation line should be vertical rather than horizontal for these risks, if the argument is that lower probabilities cannot be demonstrated (Hartford 2008).
ANCOLD, however, concludes that a vertical truncation (e.g., as in the Hong Kong guidelines below) is not practicable or appropriate for existing dams with large populations already living downstream.

In a related approach, the Planning Department of the Government of Hong Kong provides preferred and alternative sets of societal risk criteria in interim guidelines for Potentially Hazardous Installations (PHI), as depicted in Figure 8 (Hong Kong 2003). These include sites that store, process, or use significant inventories of dangerous substances (e.g., chlorine, LPG, hydrocarbons, explosives, industrial gases and chemicals). Hong Kong extends the approach to landslide safety guidelines (GEO 1998). This approach is characterized by an upper bound on tolerable numbers of fatalities at 1000 to 5000 depending on the situation and hazard. Any situation involving more than 1000 potential fatalities is subject to “intense scrutiny.”

Figure 7. DSC Societal Risk Requirements for Existing Dams (Dam Safety Committee NSW, 2006). Note, the tolerable and acceptable limits on this diagram are one order-of-magnitude higher in risk than for new dams and major augmentations.

Hirst and Carter (2002) propose criteria for hazardous industrial facilities similar to those of the Hong Kong Government. The tolerable and acceptable limit lines have vertical cut-off lines at 100 and 1000 fatalities, respectively. The original graphs in Hirst and Carter use a different description of the vertical axis, with units of ‘chances per million per year’.


4. Safety of civil infrastructure other than dams

In the Netherlands the societal risk criterion is defined by an anchor point of 10^-5 for accidents with 10 or more fatalities and a slope of -2 on the F-N diagram. This slope differs from the (-1) slope in the other societal risk criteria discussed here, and as indicated by Ball and Floyd (1998) it was chosen to reflect aversion to multiple-fatality risk. It causes larger numbers of fatalities to be accepted only with lower exceedance probability. It is worth pointing out that the previous Dutch criteria (Ale 1992) had an additional ‘acceptable’ line located lower by two orders of magnitude. Thus, similarly to risk criteria in other countries, three zones (unacceptable, reduction desired, acceptable) were created. The argument is made by Ale and others, however, that the concept of ALARP guidance does not fit well within Napoleonic Code legal systems such as that of the Netherlands. A thorough discussion of the causes, effects and implications for the formulation of risk evaluation criteria can be found in Ale (2005).

In the context of the present risk criteria in the Netherlands, it is worthwhile to discuss some exceptions. RIVM (2004) says that over the years the societal perception of flooding hazards in the Netherlands has moved from floods being considered a natural phenomenon to being perceived as an external (or human-induced) risk. The Delta Commission created in 1960 performed a cost-benefit optimization of flood defences and came up with an “optimum” protection level for the annual probability of flooding of the entire dike-ring area of Central Holland: this risk should be below 8×10^-6. The commission also advised as a flood standard the event with 10^-4 annual exceedance probability. However, as van Stokkom and Smits (van Stokkom and Smits 2002) indicate, nearly all dikes in the areas of the Rhine branches have ‘safety norms’ of only 1/1250 per year. In the western part of the Netherlands, these norms are significantly higher, in the range of 1/2000 per year, and up to 1/10,000 only in the urbanized areas of the Central Netherlands, which include the cities of Amsterdam, Rotterdam and The Hague.

Vrijling and van Gelder (Vrijling and van Gelder 1997) have analyzed coastal flooding risks of the Brielse Polder in the Netherlands (Figure 9). Clearly, the risks associated with this polder, even given the much-vaunted 1:10,000-year design standards for high-risk locations in the Netherlands, lie outside Dutch safety criteria, which is hardly surprising. The authors comment,

For the Brielse dike ring near Rotterdam a FN-curve (Figure 9) has been drawn estimating the probability of failure of the existing dikes at 10^-4 per year. The FN-curve shows that there are five equally likely scenarios with death counts varying from 15 to approximately 5000 people. As these scenarios are assumed to be independent, the combinations, that claim even more casualties, are less likely by an order of magnitude.

Another interesting example of societal risk criteria at work comes from the assessment of the risk of Schiphol airport by the same working group at Delft (Vrijling et al. 2001). At Schiphol, the number of arrivals and departures is about 180,000 per year. Using average historical data, Vrijling et al. estimate that with probability 0.09 per year an airplane crash could cause up to 50 fatalities, excluding passengers and crew. The approximate F-N societal risk curve for the airport case is presented in Figure 10. It is clearly located in the unacceptable zone. The Dutch Government had to weigh the benefits of the airport against all external risks, and at the end of the political process it decided to accept both the individual and societal risk caused by the presence of the airport, subject to certain precautions. The authors note,


In 2003, the government adapted a new policy in order to control the further growth of the risk. The policy states that it is not allowed to build within the 10^-5 contours and that the current safety situation may not deteriorate. In 2010, no inhabitants will be allowed within the 5·10^-5 contours. Apparently, the economic importance of Schiphol allows a larger risk for Schiphol than for other industrial activities.

Figure 8. Hong Kong Government PHI Societal Risk Criteria (GEO, 1998).


Figure 9. FN curve for flooding of the Brielse Polder, Holland (Vrijling and van Gelder 1997).

Figure 10. F-N curve for Schiphol Airport (adapted from Vrijling et al. 2005).

Switzerland has formulated societal risk criteria covering not only fatalities, but also the number of people injured, damage to property, and damage to the environment (ter Bekke 2006). The interesting part of the Swiss approach is the development of separate risk indicators for different consequences and then the superimposition of these indicators on a single scale. Moreover, the slope of the lines separating the three zones is -2, and this reflects the same degree of aversion to large loss of life (or other large losses) on the part of Swiss society. Various other applications of F-N curve criteria to studies of the safety of civil infrastructure have been published. These include transportation safety (Evans 2003), chemical storage facilities (Hirst 1998), hydrogen delivery systems (Haugom et al. 2004), slope stability (Reeves et al. 1998), and others.
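The F-N constructions discussed above (the scenario-based curve for the Brielse Polder and the straight limit lines with slope -1 or -2 used in the Dutch and Swiss criteria), as an added worked example in Python that is not part of the original chapter. The scenario frequencies are a constructed approximation of the quoted case (five equally likely scenarios summing to 10⁻⁴ per year, 15 to 5000 deaths), and the limit-line constant C and slope α are assumed parameters for illustration, not the official Dutch or Swiss values:

```python
"""Added example (not from the chapter): build an F-N curve from a scenario
list and test it against a societal-risk limit line F_max(N) = C / N**alpha."""

# Constructed scenario set approximating the quoted Brielse Polder case:
# (fatalities N, annual frequency f).  Five equally likely scenarios whose
# frequencies sum to the quoted dike-ring failure probability of 1e-4/yr.
BRIELSE_SCENARIOS = [
    (15, 2e-5), (100, 2e-5), (500, 2e-5), (1000, 2e-5), (5000, 2e-5),
]


def fn_curve(scenarios):
    """Return the F-N curve as (N, F(N)) points, F(N) being the annual
    frequency of an event with N or more fatalities.  Scenarios are treated
    as mutually exclusive, so their frequencies simply add."""
    counts = sorted({n for n, _ in scenarios})
    return [(n, sum(f for m, f in scenarios if m >= n)) for n in counts]


def limit_line(n, c=1e-3, alpha=2.0):
    """Societal-risk limit F_max(N) = C / N**alpha.  alpha = 1 is
    risk-neutral; alpha = 2 is the risk-averse slope the text attributes to
    the Dutch and Swiss criteria.  C = 1e-3 is an assumed constant."""
    return c / n ** alpha


def violations(scenarios, c=1e-3, alpha=2.0):
    """Points (N, F(N), F_max(N)) of the curve lying above the limit line."""
    return [
        (n, f, limit_line(n, c, alpha))
        for n, f in fn_curve(scenarios)
        if f > limit_line(n, c, alpha)
    ]


def expected_fatalities(scenarios):
    """Risk-neutral summary E[N] = sum f_i * N_i, deaths per year."""
    return sum(n * f for n, f in scenarios)


def ratio_to_limit(scenarios, c=1e-3, alpha=2.0):
    """Largest factor by which the curve exceeds the limit line, i.e. how
    many orders of magnitude the risk would have to fall to be tolerable."""
    return max(f / limit_line(n, c, alpha) for n, f in fn_curve(scenarios))


if __name__ == "__main__":
    for n, f in fn_curve(BRIELSE_SCENARIOS):
        print(f"N >= {n:5d}: F = {f:.1e}/yr   limit = {limit_line(n):.1e}/yr")
    print("expected fatalities per year:", round(expected_fatalities(BRIELSE_SCENARIOS), 4))
    print("worst exceedance factor:", f"{ratio_to_limit(BRIELSE_SCENARIOS):.1e}")
```

With the risk-averse slope every point of the constructed curve lies above the line, and the worst exceedance (at N = 5000) is about five orders of magnitude, which is the quantitative content of "reside outside Dutch safety criteria"; switching to alpha = 1 changes the factor but not the verdict.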

5. Conclusion: Reasonable risks

What can be concluded from this state of practice with respect to risk of loss of life? Societal rather than individual risk appears to be the preferred criterion of tolerability for civil infrastructure. For risks involuntarily imposed on the citizenry, such as those due to dams and other power generating facilities, there seems to be an emerging consensus that the ALARP approach makes sense. There also seems to be an emerging consensus on tolerable levels of societal risk associated with these facilities, and that risks are tolerable only if they are subject to an ALARP process.

Figure 11. Comparative risk for NOLA and the Netherlands, against ANCOLD criteria for existing dams, and including a conceptual ALARP zone for voluntary risks (Zielinski and Baecher 2008). The post-Katrina New Orleans risks depend on pumping to remove flood waters, but are orders of magnitude higher than current recommendations for dam safety. The risks of the Netherlands coastal protection systems are similarly much higher than recommended standards for dams.

The F-N curve of Figure 11 suggests the approximate risks faced in New Orleans and the Netherlands, respectively, from coastal storm surge flooding. These are highly approximate. The point representing New Orleans applies a protection return period of something above 100 years to the number of fatalities that were suffered in Katrina. The bar representing Dutch coastal protection plots 10,000-year protection against a broad (arguably too broad on the high side) range of possible numbers of deaths. The sloping curves are ANCOLD's tolerable and acceptable criteria for existing dams. It seems unlikely that there is any economically feasible way to move these risks down into the tolerable or ALARP region usually specified for dams, that is, to reduce them by three to four orders of magnitude, other than by relocating people. But would it be reasonable to attempt such a lowering? A second consideration is that risks that are voluntarily accepted, and those due to natural hazards arguably fit within this category, can reasonably be tolerated at perhaps 1000 times higher levels than those involuntarily imposed. This suggests that for mortalities in the low thousands, the limit of intolerability is about 1:1,000 per year, if current dam safety guidelines are accepted as reasonably reflective of social preference. So it appears that a tolerable risk on the order of 1:1,000 per year is appropriate, subject to the ALARP principle. That is, planning should be targeted to providing 1000-year protection for major coastal cities, subject to the constraint that this risk should be continually monitored and reduced as long as the sacrifices of doing so are not disproportionate to the reductions gained. Recent recommendations that coastal defenses be designed to provide the extremely low levels of societal risk associated with modern, well-engineered dams seem unreasonable.


References

Ale, B. (2005). "Tolerable or acceptable: A comparison of risk regulation in the United Kingdom and in the Netherlands." Risk Analysis, 25(2), 231-241.
Ale, B. J. M. (1992). "The use of risk information in the Netherlands." 7th Annual European Summer School on Major Hazards, Cambridge.
ANCOLD. (2003). "Guidelines on risk assessment." Australian National Committee on Large Dams, Sydney.
Baecher, G. B. (1985). "Acceptable risk at TONEN site 400." T.W. Lambe and Associates, Cambridge.
Baecher, G. B. (1987). "Geotechnical risk analysis user's guide, report to the Federal Highway Administration." Haley and Aldrich, Inc., Cambridge.
Baecher, G. B., and Christian, J. T. (2003). Reliability and Statistics in Geotechnical Engineering. J. Wiley, Chichester, West Sussex, England; Hoboken, NJ.
Baecher, G. B., Paté, E. M., and de Neufville, R. (1979). "Risk of dam failure in benefit/cost analysis." Water Resources Research, 16(3), 449-456.
Ball, D. J., and Floyd, P. J. (1998). "Societal risks." Health & Safety Executive, Risk Assessment Policy Unit, London.
Charlwood, R., Bowles, D., Muller, B., Regan, P., and Halpin, E. (2006). "Recent trends in dam safety management in the USA." ICOLD 22nd Congress, International Commission on Large Dams, Barcelona.
Christian, J. T. (2004). "Geotechnical engineering reliability: How well do we know what we are doing?" Journal of Geotechnical and Geoenvironmental Engineering, 130(10), 985-1003.
Dam Safety Committee. (2006). "Review of regulatory policy framework for dam safety." New South Wales Government.
Evans, A. W. (2003). "Transportation accidents and FN-curves 1967-2001." University College London, London.
Fischhoff, B. (1994). "Acceptable risk: A conceptual proposal." Health Safety & Environment, 1(1), 1-28.
Fischhoff, B., Lichtenstein, S., Slovic, P., Derby, S. L., and Keeney, R. L. (1994). Acceptable Risk: A Conceptual Proposal.
GEO. (1998). "Landslide and boulder falls from natural terrain: Interim risk guidelines." C.E.D. Geotechnical Engineering Office, the Government of Hong Kong, ed., ERM Hong Kong, Ltd.
Graham, W. J. (2000). "Should dams be modified for the probable maximum flood?" Journal of the American Water Resources Association, 36(5).
Hartford, D. H. D. (2008). Personal communication.
Haugom, G. P., Rikheim, H., and Nilsen, S. (2004). "Hydrogen applications: Risk acceptance criteria and risk assessment methodology." European Commission, Norway.
Hirst, I. L. (1998). "Risk assessment: A note on F-N curves, expected numbers of fatalities, and weighted indicators of risk." Journal of Hazardous Materials, 57(1), 169-175.
Hirst, I. L., and Carter, D. A. (2002). "A 'worst case' methodology for obtaining a rough but rapid indication of the societal risk from a major accident hazard installation." Journal of Hazardous Materials, A92, 223-237.
Hong Kong. (2003). "Hong Kong Planning Standards and Guidelines: Chapter 12, Societal risk guidelines for acceptable risk levels." Planning Department, ed., Government of Hong Kong.
HSE. (1992). "The tolerability of risk from nuclear power stations." UK Health and Safety Executive, London: HMSO.
HSE. (2001). "Reducing risks, protecting people: HSE's decision making process." UK Health and Safety Executive, London: HMSO.
Kastenberg, W. E. (2006). "Daniel M. Tellep Distinguished Professor of Engineering." G. B. Baecher, ed., Berkeley.
Keeney, R. L., and Raiffa, H. (1993). Decisions with Multiple Objectives: Preferences and Value Tradeoffs. Cambridge University Press, Cambridge, England; New York, NY.
Kulhawy, F., and Phoon, K. K. (1996). Uncertainty in the Geologic Environment. ASCE, Madison.
Lowrance, W. W. (1976). Of Acceptable Risk: Science and the Determination of Safety. W. Kaufmann, Los Altos, Calif.
McCann, M. W. (2008). "National Performance of Dams Program." Stanford University, Menlo Park.
Reeves, A., Chan, H. C., and Lam, T. C. F. (1998). "Preliminary quantitative risk assessment of boulder falls in Hong Kong." Slope Engineering in Hong Kong, Hong Kong, 185-192.
Rimington, J., McQuaid, J., and Trbojevic, V. (2003). "Application of risk-based strategies to workers' health and safety protection: UK experience." 9059012755, Reed Business Information.
RIVM. (2004). "Dutch dikes and risk hikes: A thematic policy evaluation of risks of flooding in the Netherlands." National Institute for Public Health and the Environment, Bilthoven.
Seed, R. B., et al. (2006). "Investigation of the performance of the New Orleans flood protection systems in Hurricane Katrina on August 29, 2005, Vol. 1, Main text and executive summary." University of California, Berkeley.
T.W. Lambe & Associates. (1982). "Acceptable risk at Kawasaki site 400." Report prepared for Towa Nenryo Kogyo Co. Ltd. (now TONEN Corporation), Kawasaki, Japan, by G. B. Baecher and W. A. Marr, Cambridge.
ter Bekke, E. C. A. (2006). "Risk criteria: Background information for maritime decision makers." Delft University of Technology, Delft.
USBR. (2003). "Guidelines for achieving public protection in dam safety decision making." US Bureau of Reclamation, Denver.
USNRC. (1975). "Reactor safety study." WASH-1400, US Nuclear Regulatory Commission, Washington.
van Dantzig, D. (1956). "Economic decision problems of flood prevention." Econometrica, 24(3), 276-287.
van Stokkom, H. T. C., and Smits, A. J. M. (2002). "Flood defence in the Netherlands: A new era, a new approach." Flood Defence 2002, W. et al., eds., Science Press, New York.
Vrijling, J. K., van Gelder, H. J. A. M., Goossens, P. H. A. J. M., Voortman, H. G., and Pandey, M. D. (2001). "A framework for risk criteria for critical infrastructures: Fundamentals and case studies in the Netherlands." Critical Infrastructures, 5th Intl. Conference on Technology, Policy and Management.
Vrijling, J. K., van Gelder, H. J. A. M., and Ouwerkerk, S. J. (2005). "Criteria for acceptable risk in the Netherlands." Delft University of Technology, Delft.
Vrijling, J. K., and van Gelder, P. H. A. J. M. (1997). "Societal risk and the concept of risk aversion." Advances in Safety and Reliability, 1, 45-52.
Vrijling, J. K., and van Gelder, P. H. A. J. M. "An analysis of the valuation of a human life." ESREL 2000 and SRA-Europe Annual Conference, Edinburgh, 197-200.
Whitman, R. V. (1984). "Evaluating the calculated risk in geotechnical engineering." Journal of the Geotechnical Engineering Division, ASCE, 110(GT2), 145-188.
Wilson, R., and Crouch, E. A. C. (2001). Risk-Benefit Analysis. Harvard University Press, Cambridge.
Zielinski, P. A., and Baecher, G. B. (2008). "Loss of life criteria for dam safety risk management." Ontario Power Generation, Toronto.


Comparative Analysis of Technological and Intelligent Terrorism Impacts on Complex Technical Systems – N.A. Makhutov and G.B. Baecher (Eds.) IOS Press, 2012 © 2012 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-61499-131-1-184

Antiterrorism Protection and Protective Engineering Design

M. ZINEDDIN


Institute for International and Civil Security, and Department of Civil Infrastructure and Environmental Engineering, Khalifa University of Science, Technology and Applied Research, Abu Dhabi, UAE

Abstract. The fundamental goal of protective construction is to improve the probability of survival of people and other contents in a given facility for a given threat. It is important to realize that the protective building is the last layer of defense against a threat, and that all other protective measures (intelligence, law enforcement, surveillance, barriers, etc.) have failed if the threat can be projected onto a facility. This implies that a designer must "know" the threat before conceptualizing the design, and this may not be possible in many cases. Attackers can use various weapon systems in different combinations, and such events cannot be predicted. However, using reliable information and objective threat and risk assessment can produce effective estimates of such incidents. Usually, a facility design is based on a standard threat (for example, a specific bomb at a given stand-off distance). In other cases, a statistical approach, requiring that a specific percentage of facilities and contents will survive if a site is attacked, may be employed. Physical security can be achieved by a variety of means and devices with a wide range of capabilities. These capabilities can be used to enable detection, deterrence, delay, and prevention of hostile activities. Structural hardening is a passive defense capability; it is only one aspect of these considerations and should be addressed in the broader context of physical security. As with any other fortification technology, passive defense alone cannot be used to protect against mobile and constantly varying threats. A structure must be designed to prevent catastrophic failure and to protect its contents (personnel and equipment) from the effects of an explosion. Such effects may include nuclear and thermal radiation, electromagnetic pulse (EMP), air blast, ground shock, debris, fragments, and dust (protection from chemical and biological (CB) threats should be considered, as appropriate). In order for a military facility to survive, the continuation of its operational mission must be ensured. For civilian facilities, however, the main concern is protecting people and/or critical assets. Therefore, survivability requirements (criteria) vary from one type of facility to another.

Keywords. Blast effects, protective design, risk mitigation, physical security, antiterrorism protection, hardened structure.

1. Introduction

It is neither realistic nor cost effective to try to prevent or protect against every negative event that may occur within or against a target. There are four key components to full spectrum risk mitigation, as illustrated in Figure 1.


Figure 1. Full spectrum of risk mitigation

As these examples indicate, full spectrum risk mitigation works across a number of different areas and disciplines, providing a “layered” approach to security within the compound. To maximize the effectiveness of this approach, security measures should be considered and embedded where possible in the following areas:

• Urban Planning: Harmonization with the security recommendations in building codes, standards and guidelines, and international best practice for similar sites.
• Building Design: Protective design of structures, including adequate standoff, designing against progressive collapse, and providing adequate emergency egress routes.
• Policies and Procedures: Compliance with regulatory regimes and coordination with relevant government agencies, as well as the development of crisis management and business continuity planning.
• Technology Applications: CCTV analytics, smart access control systems, automatic number plate recognition systems, passive screening, emergency alerting and communications systems.
• People: Educational awareness campaigns to report abandoned bags and suspicious behavior, and adequate training and vetting of staff and security guards.

2. Explosion Effects

An explosion is an extremely rapid release of energy in the form of light, heat, sound, and a shock wave. Explosive pressures encountered in design are typically much greater than other loads that are considered, but they decay extremely rapidly with time and distance. As a rule of thumb, the pressures generated by the shock wave increase with the size of the weapon, usually measured in equivalent pounds of TNT, and fall off steeply with distance from the explosion; in design practice the two are combined in the cube-root scaled distance R/W^(1/3) (Hopkinson-Cranz scaling), so that doubling the charge weight raises the pressure far less than halving the standoff. The duration of the explosion is extremely short, measured in thousandths of a second, or milliseconds. As the shock wave expands, the incident (side-on) overpressure decreases. When it encounters a surface that is in line of sight of the explosion, the wave is reflected, resulting in a tremendous amplification of pressure on the surface of the object: shock waves can reflect with an amplification factor of up to about 12. The magnitude of the reflection factor is a function of the proximity of the explosion and the angle of incidence of the shock wave on the surface (incidence normal to the target produces the maximum pressure). Late in the explosive event the overpressure becomes negative, followed by a partial vacuum, which creates suction behind the shock wave that can cause windows to fall outwards. For a specific type and weight of explosive material, the intensity of blast loading will depend on the distance and orientation of the blast wave relative to the protected space. These characteristics are aspects of the site size and the placement of the building(s). Immediately following the vacuum, air rushes in, creating a powerful wind or drag pressure on all surfaces of the building. This wind picks up and carries flying debris in the vicinity of the detonation. In an external explosion, a portion of the energy is also imparted to the ground, creating a crater and generating a ground shock wave analogous to a high-intensity, short-duration earthquake. Since the indications are that explosive devices will continue to be a primary hazard, the emphasis in this chapter will be on blast, shock, and impact.

Structural design for safety and physical security requires a sound background in fortification science and technology. One must realize that the loading environments associated with many relevant threats (impact, explosion, penetration, etc.) are extremely energetic, and that their duration is measured in milliseconds (i.e., about one thousand times shorter than typical earthquakes). Structural response under short-duration dynamic effects can be significantly different from that under much slower loading, requiring the designer to provide suitable structural details. Therefore, one must explicitly address the effects of such severe loading environments, in addition to considering the general principles used for structural design to resist conventional loads. One must be familiar with the background material on structural considerations and design, and with the experience gained from recent terrorist bombing incidents. Figure 2 illustrates the parameters of a typical blast wave [1].
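The scaling rules stated above, as an added worked example in Python that is not part of the original chapter: it computes the cube-root scaled distance, the peak incident overpressure from the Kinney-Graham (1985) curve fit for a TNT free-air burst, the ideal-gas normal-reflection factor, and, anticipating the standoff discussion under Protective Design below, the smallest standoff at which the reflected pressure on a facing facade stays under a design limit. The charge weights, standoffs and the 50 kPa limit are constructed inputs, not cases from the chapter; the Kinney-Graham fit and the ideal-gas reflection relation are standard published approximations chosen here, not the chapter's own method.

```python
"""Added example (not from the chapter): blast scaling arithmetic behind the
rule of thumb in the text.  Units: kg TNT-equivalent, metres, kPa."""
import math

P_ATM_KPA = 101.325  # ambient pressure, kPa


def scaled_distance(charge_kg_tnt, standoff_m):
    """Hopkinson-Cranz scaled distance Z = R / W^(1/3) in m/kg^(1/3).
    Two bursts with the same Z give the same peak overpressure, so the
    pressure is a function of R / W^(1/3), not of W or R alone."""
    return standoff_m / charge_kg_tnt ** (1.0 / 3.0)


def incident_overpressure_kpa(charge_kg_tnt, standoff_m):
    """Peak side-on (incident) overpressure from the Kinney & Graham (1985)
    fit for a free-air TNT burst, stated as a ratio to ambient pressure and
    valid roughly for 0.05 <= Z <= 40 m/kg^(1/3).  Monotone decreasing in Z."""
    z = scaled_distance(charge_kg_tnt, standoff_m)
    ratio = 808.0 * (1.0 + (z / 4.5) ** 2) / (
        math.sqrt(1.0 + (z / 0.048) ** 2)
        * math.sqrt(1.0 + (z / 0.32) ** 2)
        * math.sqrt(1.0 + (z / 1.35) ** 2)
    )
    return ratio * P_ATM_KPA


def reflection_factor(p_s_kpa):
    """Ideal-gas (gamma = 1.4) ratio of normally reflected to incident
    overpressure, 2(7 p0 + 4 ps) / (7 p0 + ps): 2 in the acoustic limit,
    approaching 8 for strong shocks.  The factor of about 12 quoted in the
    text comes from real-gas effects at very high pressures, ignored here."""
    return 2.0 * (7.0 * P_ATM_KPA + 4.0 * p_s_kpa) / (7.0 * P_ATM_KPA + p_s_kpa)


def reflected_overpressure_kpa(charge_kg_tnt, standoff_m):
    """Peak reflected overpressure on a surface facing the charge."""
    p_s = incident_overpressure_kpa(charge_kg_tnt, standoff_m)
    return p_s * reflection_factor(p_s)


def required_standoff_m(charge_kg_tnt, max_reflected_kpa, lo=0.5, hi=2000.0):
    """Smallest standoff (bisection on R, using monotonicity of the fit) at
    which the reflected overpressure does not exceed a design limit: the
    quantitative form of 'maximize standoff distance'."""
    if reflected_overpressure_kpa(charge_kg_tnt, hi) > max_reflected_kpa:
        raise ValueError("limit not reachable within the search range")
    for _ in range(100):
        mid = 0.5 * (lo + hi)
        if reflected_overpressure_kpa(charge_kg_tnt, mid) > max_reflected_kpa:
            lo = mid
        else:
            hi = mid
    return hi


if __name__ == "__main__":
    # Constructed case: a 500 kg TNT-equivalent vehicle bomb.
    for r in (10, 20, 40, 80):
        print(f"R={r:3d} m  Z={scaled_distance(500, r):5.2f}  "
              f"Ps={incident_overpressure_kpa(500, r):8.1f} kPa  "
              f"Pr={reflected_overpressure_kpa(500, r):8.1f} kPa")
    print("standoff for Pr <= 50 kPa:", round(required_standoff_m(500, 50.0), 1), "m")
```

Running the main block shows the point of the scaled-distance form: the 500 kg charge at 20 m and a 4000 kg charge at 40 m load a facade identically, because both sit at the same Z. The reflection factor is computed from the incident pressure, so the same function also reproduces the text's observation that the amplification is largest close to the charge.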

3. Security Design Physical Security consists of measures taken to address criminal and vandal threats. Physical Security uses defensive measures that provide layers of detection and delay around an asset. The defensive layer must provide enough delay time to allow a response force to halt the attack. Physical Security is addressed primarily by policy that defines operational procedures, electronic security systems, and structural security measures to provide the required delay time. The assumption is that some minimal level of protection is required and risk is evaluated on an organization-wide basis with the assumption that there is always a criminal threat.
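The detection-delay-response logic described above, as an added worked example in Python that is not from the chapter. It uses the simplified path-analysis model from the physical-protection literature, assumed here rather than taken from the text: an intruder crosses layers in order, each layer has a probability of detection and a delay it imposes, a detection only counts if the delay still remaining exceeds the response-force time (the last layer where that holds is the critical detection point), and the probability of interruption is the chance of at least one timely detection. Layer names, values and response times are constructed assumptions.

```python
"""Added example (not from the chapter): layered detection and delay versus
response time, using a simplified path-analysis model with independent
sensors.  All layer values are constructed for illustration."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Layer:
    name: str
    p_detect: float   # probability this layer detects the intruder
    delay_s: float    # time this layer delays the intruder, seconds


# Constructed path from the site perimeter to a protected asset.
SITE_LAYERS = [
    Layer("perimeter fence with intrusion sensors", 0.5, 30.0),
    Layer("access-controlled building door", 0.8, 60.0),
    Layer("hardened asset room", 0.9, 300.0),
]


def remaining_delay(layers, index):
    """Delay still facing the intruder after detection at layer `index`.
    Detection is taken to occur as the layer is reached, so that layer's
    own delay still counts."""
    return sum(layer.delay_s for layer in layers[index:])


def critical_detection_point(layers, response_s):
    """Index of the last layer at which a detection still leaves at least
    the response time of delay; None if no layer does."""
    cdp = None
    for i in range(len(layers)):
        if remaining_delay(layers, i) >= response_s:
            cdp = i
    return cdp


def probability_of_interruption(layers, response_s):
    """P_I = probability of at least one detection at or before the CDP.
    Detections after the CDP are too late to matter and are ignored."""
    cdp = critical_detection_point(layers, response_s)
    if cdp is None:
        return 0.0
    p_miss_all = 1.0
    for layer in layers[: cdp + 1]:
        p_miss_all *= 1.0 - layer.p_detect
    return 1.0 - p_miss_all


def with_added_delay(layers, name, extra_s):
    """Return a copy of the path with `extra_s` seconds of delay added to the
    named layer: the structural-hardening lever in the text."""
    return [replace(l, delay_s=l.delay_s + extra_s) if l.name == name else l
            for l in layers]


if __name__ == "__main__":
    for rt in (200.0, 350.0, 400.0):
        print(f"response {rt:5.0f} s: P_I = {probability_of_interruption(SITE_LAYERS, rt):.3f}")
    hardened = with_added_delay(SITE_LAYERS, "hardened asset room", 100.0)
    print(f"after +100 s at asset room, response 350 s: "
          f"P_I = {probability_of_interruption(hardened, 350.0):.3f}")
```

Two things the numbers make visible: with a 350 s response the door sensor is the last useful detection point, and the 0.9 sensor on the asset room contributes nothing; adding 100 s of delay to the asset room, without touching any sensor, pulls that room inside the critical detection point and lifts P_I from 0.90 to 0.99. Delay only helps where it sits behind a detection opportunity, and a response force slower than the whole path's delay reduces the system to deterrence.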


Antiterrorism Protection addresses the design of both the building and the site to minimize the blast loads and weapon effects from terrorist threats to assets - usually people. This may mean the building is destroyed, but damage to assets is minimized. The actual threat to a specific asset is seldom known and it is unlikely that a specific asset will ever have a terrorist attack. The price people are willing to pay for protection from an unlikely threat of unknown magnitude has historically been very little in the world, but it is changing. As part of Antiterrorism Protection, blast hardening is sometimes done, but does not commonly meet the level of protection in the following definition of a hardened structure.

Figure 2. Blast wave parameters

A Hardened Structure is usually designed to perform its primary mission after a wartime attack making hardening one of its primary requirements and a significant part of its cost. The facility is protected against a wide range of threats including forced entry, Chemical/ Biological/Radiological (CBR), airblast, ground shock, penetration, fragmentation, and damage to the structure and equipment due to explosive loading. Designs must consider how camouflage, concealment and deception, active defense, and manned response can reduce or limit the effectiveness of the threat. The design assumptions are that during a war, the facility will be attacked and that it must survive and function after the attack. Almost all hardened structures inherently satisfy the requirements for both Physical Security and Antiterrorism Protection.

4. Protective Design

Generally, the following issues should be addressed to protect valuable assets. The first is maximizing standoff distance to reduce the blast and fragmentation loads on the structure under consideration. If sufficient space is available, this may be the most effective mitigation approach, but it requires one to ensure that the protected perimeter is secured so that the specified distance is actually maintained. The next most important issue is the prevention of building collapse, and this requires careful attention to the structural layout and design details. Once these items are addressed, one must minimize hazardous flying debris such as glass, dislodged structural parts, and nonstructural components such as furniture and equipment. An effective building layout can also contribute significantly to protecting valuable assets, by placing less valuable assets closer to hazards and more valuable assets farther from them. Providing protected spaces in which people can take quick refuge until further instructed by security and/or rescue personnel is known to be very effective. Limiting airborne contamination should be considered, as appropriate. Additionally, one should address requirements for fire hazard mitigation and effective evacuation, rescue, and recovery operations. Providing mass notification is essential to prevent panic and assist in post-incident activities. Finally, one should consider options to facilitate upgrades, as might be required by periodic risk assessments [2].

A protected facility consists of several components: a protected perimeter, a protective structure, essential subsystems, and nonessential support subsystems. After all non-structural considerations are addressed, another specific issue that must be considered to protect a facility is blast- and shock-resistant design of the structure to protect contents from the effects of blast, shock, radiation, fragments, debris, dust, etc. It should be clear that the survival of the structure alone may not be sufficient if damage to the contents or personnel exceeds the survivability criteria. In order to consider all these factors, a designer should know very accurately what is expected of a facility.

The terms hardness and survivability define the capability of a protective system (or facility) to resist the anticipated effects and meet the protection criteria. Survivability can be increased by enhancing a facility's hardness or other protective features. Other means for achieving the same goal can be employed as well (for example, redundancy, ensuring a larger standoff distance, or locating functions at other sites). Placing another protective layer between the facility or its contents and the weapon also can be very helpful, because that layer will absorb some of the undesirable effects. Burying a facility in rock or soil will provide major benefits by reducing weapon effects on the system and/or by making it harder to locate the target [3]. A designer should employ protection criteria to ensure that the facility and its contents will not be subjected to environments (motions, stresses, etc.) beyond a certain limit.

5. Design Strategies

The design process for protective facilities is described as follows:

1. Define facility operational performance requirements.
2. Establish quality assurance (QA) criteria for analysis, design, and construction work, and assign responsibilities for various activities throughout the entire project.
3. Perform threat, hazard, and risk assessment and determine future risk assessment reviews.
4. Determine explosive sources and their locations and magnitudes.
5. Estimate corresponding loading conditions.
6. Establish general siting, facility layout, and design criteria.
7. Proportion members for equivalent static loads.
8. Compute blast loads on the facility more accurately.
9. Compute loading from fragments.
10. Compute loading from crater ejecta.
11. Compute loading from ground shock.
12. Combine all dynamic loads and perform preliminary dynamic analyses.
13. Redesign the facility to meet protective criteria under these dynamic effects.
14. Consider nuclear radiation, EMP, thermal effects, CB, etc., if appropriate.
15. Verify the design by acceptable methods.
16. Prepare design documentation for shop and fieldwork.
17. Embark on contracting and construction activities; activate appropriate QA.
18. End-of-construction inspection and review.
19. Facility begins its service life.

The design of a facility usually requires interaction among specialists in several disciplines, such as security, architectural, structural, mechanical, electrical, electronics, and hardening. This effort utilizes a team approach to ensure that all possible aspects of the problem have been considered and that the proposed combined plan optimizes the available solutions in the various areas. A rational approach for selecting appropriate protective measures for an asset is based on comparing the cost of the mitigation with the cost of the consequence if no improvements are made in protecting the asset. Initially, small investments in protecting an asset can provide significant benefits. However, additional protection enhancements will become increasingly more expensive.


References

[1] Lane, R., Craig, B., and Babcock, W., "Materials for blast and penetration resistance." Material Ease, the AMPTIAC Quarterly, Volume 6, Number 4, pp. 39-45, Rome, NY, 2001.
[2] Krauthammer, T., et al., Structural Design for Physical Security: State of the Practice. Structural Engineering Institute, American Society of Civil Engineers, Reston, Virginia, pp. 3-7 to 3-13, 1999.
[3] Federal Emergency Management Agency, FEMA 426, Building Design Guidance (Chapter 3). Washington, D.C., 2003.


Subject Index

ALARP 168
anti-terrorism 30
antiterrorism protection 184
blast effects 184
case-based reasoning 105
cause-and-effect complex 105
complex systems 1, 45, 148
complex technical systems 105
complex technological systems 30
computer-aided investigation 105
counter-terrorism 148
critical infrastructure 12
critical infrastructure protection 61
dam safety 82
dams 138
delphi method 120
deterioration 130
diagnostics 93
discrete-continuous system 105
emergency situations 130
expert opinion elicitation 120
fragility 61
hardened structure 184
illegal actions 69
information technology 21
legal approaches 130
loss of life 82
manmade risk 138
monitoring 93
natural hazard 168
nuclear safety 152
nuclear waste 152
off-shore 69
oil and gas objects 69
organizational theory 148
physical security 184
protection 69
protective design 184
protective systems 93
radiological terrorism 152
rating features 69
real-time information 81, 137
reliability 168
resilience 61
risk 69, 168
risk analysis 12, 138
risk assessment 1, 120
risk mitigation 81, 137, 167, 184
rule-based reasoning 105
safety 105, 168
safety analysis 45
safety research 1
safety risks 30
security risk analysis 30
social systems 157
societal risk 168
stability 157
systems 138
systems dynamics 157
systems engineering 167
technogenic risk 1
technogenic risks 21
technological systems 167
technological terrorism 45
terrorism risk 12
terrorist activities 105
terrorist risk 21
threat 12, 69
tolerable risk 82
unique mechanical systems 105
vulnerability 12
vulnerability assessment 120
words of estimative probabilities 120
workflows 81, 137


Author Index

Akhmetkhanov, R. 157
Akimov, V.A. 130
Ale, B. 30
Altarejos-García, L. 138
Andriessen, H. 30
Baecher, G.B. v, 12, 168
Berman, A.F. 105
Bochkov, A.V. 69
de Diviis, V. 137
Dubinin, E.F. 93
Dvoretskaya, T.N. 21
Escuder-Bueno, I. 138
Gadenin, M.M. 1
Höhn, S. 81
Kachanov, S.A. 130
Kiseleva, S.P. 148
Kluin, M. 30
Krimgold, F. 61
Kuksova, V.I. 93
Lesnikh, V.V. 69
Makhutov, N.A. v, 1
Patev, R.C. 120
Petrov, V.P. 93
Qafmolla, L. 152
Rezniko, D.O. 137
Silova, T.V. 45
Tavares, V. 167
Van Gulijk, C. 30
Vishnyakov, J.D. 148
Yudina, O.N. 21
Zielinski, P.A. 82, 168
Zineddin, M. 184
