Ebook: Computational Models of Risks to Infrastructure

The North Atlantic Treaty Organization (NATO) held an Advanced Research Workshop (ARW) about modeling of infrastructure risk in Primosten, Croatia on May 9–13, 2006. The US Society for Risk Analysis and Enconet International Zagreb cosponsored the ARW. Daniel M. Byrd and Dejan Skanata were the ARW director and co-director. Early on, Byrd and Skanata formed an organizing committee, consisting of the following seven (7) scientists:

Daniel M. Byrd, Ph.D., D.A.B.T., LSRO, Inc., Bethesda, MD, USA;

Adrian Gheorghe, Ph.D., ETHZ, Zurich, Switzerland;

Jacques Ganoulis, Ph.D., AUTh, Thessaloniki, Greece;

James Lambert, Ph.D., University of Virginia, Charlottesville, VA, USA;

Igor Linkov, Ph.D., Cambridge Environmental, Cambridge, MA, USA;

Davor Sinka, M.Sc., Enconet International, Zagreb, Croatia; and

Dejan Skanata, Ph.D., Enconet International, Zagreb, Croatia.

The program included papers and/or posters by most of the approximately forty (40) engineers and scientists. The objective, exploring different methodologies and related applications, recognized four (4) major topics:

Complex Models;

Simulation Models;

Distributional Models; and

Deterministic Models.

Extensive discussion concentrated on the following issues: the state of the art and practice, gaps between the arts and practices, ways to bridge the gaps, and future research directions. The co-organizers and the organizing committee take pride in the effectiveness of the ARW. The major factor in satisfaction with the ARW was its intellectual content. A good agenda and organization led directly to the intensity of discussions.

The Editors

The mathematical model is proposed for investigation of various fluctuations impact on transformation of fields of technogenic, social, economic and environmental risks with the help of catastrophes theory, theory of chaos and bifurcation. It permits to investigate the catastrophes nonlinear dynamics and to estimate the levels of technogenic and environmental vulnerability, efficacy of politics in the field of social and economic security.

To define a mathematical model to evaluate the impact of a vulnerability in an information infrastructure, we consider a zero sum game between an attacker and a defender, each allocating a fixed amount of resources to search for vulnerabilities. To prevent attacks, the resources allocated by the defender search for vulnerabilities to remove them. Instead, the attacker ones search for vulnerabilities to attack the infrastructure. Attacks results in a defender loss that, in the simplest case, is proportional to the time in-between the discovery of a vulnerability by an attacker resource and the discovery of the vulnerability by a defender one. We define conditions for Nash equilibrium where a player cannot improve its utility by changing its move only and show that the corresponding allocation requires a large defender investment with a low return. A condition is introduced to evaluate when open code components should be preferred.

Infrastructures provide the foundation for national economic vitality, security and every day comforts. The systems, processes, facilities and experts that form these infrastructures are sophisticated, complex and highly interdependent. Over time, these physical, human and cyber components have evolved toward economical and efficient systems that are robust against random failures and natural events. This evolution creates greater interconnectedness and complexity. Modeling is an essential process for anticipating and understanding how these complex, interdependent systems will respond to disruptions and changing conditions. Natural disasters, malevolent attacks, changes in regulations or market policy all have the potential to disrupt the flow of infrastructure goods and services. No single model or modeling approach is sufficient for answering the breadth of near-term and long-term questions being asked relative to critical infrastructure protection at a local to international level. This article presents the results of six years of model development at the National Infrastructure Simulation and Analysis Center (NISAC), USA; including the types of models developed, their utility in answering critical infrastructure protection questions and general insights regarding infrastructure behaviors and propagating effects of disruptions.

The National Infrastructure Simulation and Analysis Center (NISAC) is responsible for providing fundamentally new modeling and simulation capabilities for the analysis of critical infrastructures. We believe that by developing and exercising a variety of modeling approaches, over time we can build up a mosaic of collected insights and intuition and understanding about how complex, interdependent infrastructure systems will respond to disruptive events. This article describes some of our modeling efforts to date as related to energy and telecommunications and their interactions. We consider highly-abstracted models that allow experimentation about the interplay between network topology and tolerance for evaluating system robustness against cascading failures. And at the opposite end of the spectrum, we also consider high-fidelity models that include a sufficiently realistic representation of infrastructure elements to allow simulation of infrastructure responses to a variety of disruption scenarios. We conclude this article by showing how systems knowledge accumulated from this range of modeling efforts was used to forecast the infrastructure impacts from Hurricane Katrina.

We provide commentary on selected methodologies of risk assessment and management for safety and security programs in critical infrastructure. The methodologies include risk identification, risk filtering and ranking, synthesizing quantitative and qualitative evidence of risk, risk-based project selection, and risk-based combinatorial optimization. The cited applications include: roadway lighting and guardrail, bridge security, airport improvements, port improvements, transit improvements, hurricane impacts to transportation systems, water distribution systems, telecommunications systems, flood levees, river navigation, and military peacekeeping.

The complexity and distinct management of our interconnected infrastructures makes their understanding and protection schemes very difficult. It is necessary to develop tools that represent the actual infrastructure and its dependencies on other infrastructures in order to assist infrastructure deployment, management, and assessment. However, even though it is necessary to share internal infrastructure information to model dependencies, operators, who often compete on the same market, are not willing to do so. In this paper, we propose a framework for an infrastructure simulator that gathers dependency information on a virtual market and assess the relevance of the information using dynamic trust models. We argue that a virtual market has the ability to motivate stakeholders to share information that can then be used in an internal simulator modelling dependencies.

Straightforward definition of terrorism is “the use of force or the threat of force against civilian populations to achieve political objectives.” The terrorists want to create fear, response and disruption. The international terrorism is also linked to drugs trafficking, gun smuggling and money laundering, so when the need comes or they are confronted, they kill without remorse or mercy. In order to counter these threats it is important to understand the motivation of terrorists – may be just creating havoc or they want to damage necessary resources available to the developed world. Risk assessment is used to estimate the flow and direction of the terrorist attacks: some believe their mission is based on their faith, while others carry out their missions in order to defend their ideological beliefs. In either case, terrorism is to be viewed as a crime committed against humanity and rooted deeply in poor education and lack of resources.

Over the last five years, we have developed a range of stochastic techniques for simulating the evacuation of public building including hospitals, entertainment complexes, a sports stadium, office buildings and concourse areas in an underground train system. This paper describes how simulations are developed from an initial risk assessment, through the integration of 3D architectural models and simulations of crowd behavior to the validation of results against ‘live’ evacuation drills and information about previous evacuations. The motivation behind this work is to support a form of 'mitigation engineering'. Evacuation simulations help us to reduce the consequences associated with a broad range of adverse events including fires, structural collapses and terrorist actions.

This paper presents basic ideas of an approach enabling to simulate multitask performance based on the single-channel theory of selective attention. The paper demonstrates the applicability and benefits of the use of computer discrete event simulation tools to imitate hazardous scenarios possibly taking place at a potentially hazardous installation with a focus on operators' performance. One of the outcomes of the modelling is the probability of action failure. A case study on the simulation of operators' performance under a medium Loss of Coolant Accident scenario at a nuclear power plant is briefly described in the paper.

Development of real-time predictive modeling to identify the dispersion and/or source(s) of airborne weapons of mass destruction including chemical, biological, radiological, and nuclear material in urban environments is needed to improve response to potential releases of these materials via either terrorist or accidental means. These models will also prove useful in defining airborne pollution dispersion in urban environments for pollution management/abatement programs. Predicting gas flow in an urban setting on a scale of less than a few kilometers is a complicated and challenging task due to the irregular flow paths that occur along streets and alleys and around buildings of different sizes and shapes, i.e., “urban canyons”. In addition, air exchange between the outside and buildings and subway areas further complicate the situation. Transport models that are used to predict dispersion of WMD/CBRN materials or to back track the source of the release require high-density data and need defensible parameterizations of urban processes. Errors in the data or any of the parameter inputs or assumptions will lead to misidentification of the airborne spread or source release location(s). The need for these models to provide output in a real-time fashion if they are to be useful for emergency response provides another challenge. To improve the ability of New York City's (NYC's) emergency management teams and first response personnel to protect the public during releases of hazardous materials, the New York City Urban Dispersion Program (UDP) has been initiated. This is a four year research program being conducted from 2004 through 2007. This paper will discuss ground level and subway Perfluorocarbon tracer (PFT) release studies conducted in New York City. The studies released multiple tracers to study ground level and vertical transport of contaminants. This paper will discuss the results from these tests and how these results can be used for improving transport models needed for risk assessment.

In the present methodological work, a simulation modeling approach to the evaluation of the reliability characteristics of network systems, based on a combination of Cellular Automata (CA) and Monte Carlo simulation (MC), is illustrated. By integrating the CA modeling paradigm with the MC technique for stochastic sampling and simulation it is possible to effectively verify the existence of the connection between source and terminal targets in a network of nodes and evaluate its reliability and availability characteristics.

Monte Carlo simulation offers a valuable tool for capturing the complex stochastic behavior of distributed, interconnected systems. To reduce the associated computational burden, it is possible to resort to biasing techniques which improve the efficiency of the simulation. In this paper, a biasing method is proposed for improving the efficiency of the unreliability estimate of complex multi-state network systems, in which the arcs and the nodes can stay in various states of different performance. The biasing is founded on a sample strategy tailored to encourage the multi-state system to enter failed configurations with respect to the required demand at the network target node. This is achieved by forcing the arcs to visit their lower performance states. The performance of the method is tested on a literature case study and a sensitivity analysis is carried out with respect to the parameter controlling the intensity of the bias.

In the SEVESO II Directive, there is no harmonised definition of the scenarios that have to be considered for risk assessment. Typically, the chosen scenarios (total loss of containment, fire in the largest tank, explosion of the largest mass of explosive, BLEVE,etc.) can be different according to the specific risk analysts and according to the deterministic or risk-based approach of the country applying the Directive. This situation is confirmed by the results of the EC project ASSURANCE, in which 6 European organisations perform a benchmark exercise for the risk analysis of a specific plant. The partners used various hazard analysis techniques and arrived at quite different conclusions with respect to the scenarios that are relevant for the safety assessment. The ARAMIS methodology builds further on the conclusions of the ASSURANCE project and propose a structured approach that reduce the discrepancies in risk assessment. The project consisted in the elaboration of a methodology giving consistent rules for the identification of scenarios that take into account mitigation devices and safety management, and being recognised by a large number of risk experts from Competent Authorities and from Industry. The risk level of an establishment is characterised with an integrated approach where 3 independent parameters are quantified: 1) the consequence severity estimation of scenarios, 2) the prevention management efficiency and 3) the environment vulnerability. The project has brought elements to fulfil the need to establish a method that is capable to assess the risk level of an installation by integrating the preventive measures implemented by the operators. Such a method is a prerequisite in order to reach the goals of the SEVESO II Directive, that are to improve the prevention linked in particular with the safety management. The application of this method results in a more consistent risk evaluation and safety management strategy in all European Countries. The paper presents the main results of the ASSURANCE project and describes how the ARAMIS method has improved the risk assessment phase, and in particular the determination of the scenarios to be considered. It is explained how this approach helps the operator of Seveso plants to demonstrate that risks are properly identified and under control.

We developed an approach for assessing the risk of injury and property damage for a proposed county animal control facility to be sited near the bulk fuel storage facility of a major regional airport. The property available for the county facility was attractive given the price, location, and accessibility. The agency charged with siting the animal control facility was concerned about the bulk fuel facility for two reasons: first, under normal operations there could be a catastrophic event resulting in an explosion or fire that could damage the county facility, or, second, a terrorist attack on the bulk fuel facility could result in an explosion or fire that could damage the county facility. We performed a risk analysis of internal failures and external threats that could cause a catastrophic event at the bulk fuel facility that, in turn, could cause damage to the proposed facility or injuries to the occupants. The risk analysis approach involved the evaluation of the following fuel facility systems and features: discharge prevention systems; inspections, tests, and records; bulk storage tank design; personnel and training; and emergency response plans. The risk analysis of external threats, e.g., terrorist attacks, was performed by evaluating the attractiveness of fuel facilities in general as terrorist targets, the attractiveness of this bulk fuel facility in particular, and the vulnerability of the bulk fuel facility.

Probabilistic methods of risk optimization are applied to identify the most effective arrangements of road tunnels. The total consequences of alternative tunnel arrangements are assessed using Bayesian networks supplemented by decision and utility nodes. It is shown that the probabilistic risk optimization may provide valuable information enabling a rational decision concerning effective safety measures of road tunnels. A general procedure is illustrated by the optimization of a number of escape routes considering both the societal and economic consequences. It appears that the discount rate and specified life time of a tunnel affect the total consequences and the optimum arrangements of the tunnel more significantly than the number of escape routes. Further investigation of relevant input data including societal and economic consequences of various hazard scenarios is needed.

Spatial planners need risk assessment input while establishing land-use plans. The purpose is to avoid proximity of industrial hazardous installations and vulnerable neighbourhood. Collaboration between spatial planners and risk assessors in this context still needs to be developed since common forms of risk assessment results do not match the form of input needed for land-use plans. While spatial planning aims at producing precise and justified identification of pieces of territory dedicated to a certain purpose risk assessment provides results in the form of probability of impact area based on analysed accident scenarios. Uncertainty of such scenarios and associated results may be within one or even two orders of magnitude, which makes them non applicable in the context of spatial planning. Therefore, collaboration between spatial planners and risk assessors is inevitable as to overcome these issues. The paper demonstrates weaknesses in accidental scenario development for risk assessment in selected industrial establishments in Slovenia and their implication to modelling results in the context of spatial planning. Due to significant differences, i.e., variations in terms of potential costs, damage to infrastructure, and casualties caused by uncertainty of accident scenarios, the paper shows that only trustworthy risk assessment makes point in decision-making associated with land development.

When there is little information on which probabilistic assessments are based, we cannot expect precise results. To avoid a false impression of accuracy and confidence, the degree of uncertainty must be explicitly seen in the resultant assessments on which decisions are based. In the approach described in the paper, probability assessments are interval-valued, and the width of the interval reflects the amount of information on which probabilities are based. As more data become available, the interval becomes narrower. Updating the interval-valued probabilities is performed with the imprecise beta-Bernoulli model which is described in the paper. An example on calculating the probability of failure of a component with the Bayesian approach and the beta-Bernoulli model is provided.

Bayesian belief nets (bbns) are becoming increasingly popular in modelling complex systems. They provide a high level graphical representation of the system in which the problem owner easily recognizes his/her problem. They incorporate the effects of proposed decisions in a natural and transparent way. Their application is however limited by the excessive assessment burden, which often leads to informal or unstructured quantification. In this paper we introduce various bbn models and contemplate their advantages and disadvantages in computing risks of complex systems. Moreover, we stress their usefulness as a decision support system, and in particular updating on the basis of possible observations. We illustrate different bbn models with recent applications in areas of occupational and aviation safety.

The aim of this study is to analyze risk model and software requirements for decision support system based on risk management (DSS-RM) as applied to power engineering installations. Power engineering safety substantially affects national security. So the decision support system is intended for the improvement of risk management by more effective risk and damage assessment, ranking strategies, proposing countermeasures on mitigating consequences. The main goal of DSS-RM is to reach lowest acceptable risk levels. However, the delicate problem is how to permit the responsible person to make voluntary decisions on the base of his own expert judgements or because of uncontrolled or unforeseen circumstances. DSS-RM have to take into account of this “human factor” uncertainty and software requirements must be developed very carefully in close cooperation with end user.

Bayesian networks (BNs) were pioneered to solve problems in Artificial Intelligence (AI) and have proven successful in “intelligent” applications such as medical expert systems, speech recognition, and fault diagnosis. In practical terms, one of the major benefits from using BNs is in that probabilistic and causal relationships among variables are represented and executed as graphs and can thus be easily visualized and extended, making model building and verification easier and faster. We illustrate how BNs can be used for risk analysis by introducing a novel approach modeling causal chains containing event triggers, consequences and interventions. However, if we want to incorporate continuous (as opposed to just discrete) variables in BN models the established BN tools and methods are inadequate. This paper reports on a new, unifying, approach to modeling continuous variables in BNs, called dynamic discretization, which approximates continuous variables without recourse to the traditional approach of Monte Carlo simulation methods. We illustrate the practical usefulness of the approach with an application involving the fusion of diverse sources of temporal data for fault diagnosis, classification and prediction of system behavior.

This article deals with use of Probabilistic Safety Assessment (PSA) model for infrastructure risk assessment. The first part of the paper provides background information leading to the selection of PSA as the preferred method for risk assessment. The article also discusses the initiating events, consequential events, and the consequences, dealing with scenarios and detailed list of various failure events, the associated failure modes and their cause/effect which could deal with various infrastructure interdependency risk. Example of event tree and fault-tree for selected infrastructure are discussed and presented. Emphases are given on the advantages and disadvantages of using PSA for infrastructure risk assessment. Main advantages are in the capability of PSA to deal with numerous scenarios to provide comparative risk assessment for various infrastructure types and some interdependencies. PSA is proven methodology for combining available data with expert opinion to model complex systems risk accounting for numerous number of initiating events, systems reliability, human responses and common causes. Final results are both important for qualitative and quantitative usage in infrastructure safety optimization. This is valuable inside particular infrastructure type or between infrastructures for specific region or country. Example of nuclear power plant PSA model and interdependency on power infrastructure is presented.