Preliminary Hazard Analysis (PHA): New hybrid approach to railway risk analysis
WCRR 2016 paper 392
1. 1
Risk analysis and consequence modelling methodology
for improving the resilience of railway stations
to terrorist attacks
Antonio Lancia
1
*, Gilad Rafaeli 2
, Paul Abbott 2
, Jonathan Paragreen 3
, David Fletcher 3
, Emma Carter 3
,
Emiliano Costa 4
, Stefano Porziani 4
and Giulio Valfré 4
.
1
Heuristics GmbH. Capriasca. Switzerland
2
MTRS3 Solutions and Services Ltd. Tel Aviv. Israel.
3
University of Sheffield. Sheffield. United Kingdom.
4
D’Appolonia SpA. Genova. Italy.
*Contact: tony.lancia@heuristics.ch
Abstract
The SECURESTATION project has been executed within the European Union FP7 framework
programme, aiming to develop specific tools, models and design guidelines to improve the resilience
to terror attacks on railway stations. This paper addresses the research work related to tools and
methods for estimating the risks associated with diverse attack scenarios, with different alternate
countermeasures and architectural solutions.
The developed SECURESTATION Risk Analysis Methodology (“SEST-RAM”) includes methods and
procedures for defining the reference attack scenarios and, for each of them, assessing the probability
of occurrence, the vulnerability (probability that the attack is successful) and consequences (harm to
persons and economic loss). SEST-RAM can be applied in the early stages of railway station design for a
risk-based selection of general design and then for a more refined quantitative assessment, limited to
the selected design. Guidelines are also given for the challenging task of estimating the probability that
a certain attack tactic is selected by the terrorist adversaries.
SEST-RAM and the models below have been used in the project for a demonstrative example of risk
analysis applied to an ideal “model station” involving most of the safety and security challenges posed
by modern large intermodal railway stations.
A methodology was defined for evaluating the source terms and for applying Computational Fluid
Dynamics (CFD) modelling to predict the dispersion of toxic chemicals in a railway station
environment. Different toxic materials and spreading methods were simulated. For each scenario the
impact in terms of human harm was assessed, based on toxicity data. The simulations also allowed the
formulation of recommendations for building and ventilation system design.
A methodology was also defined for modelling the blast effects for diverse types of explosive devices,
e.g. IED (Improvised Explosive Device), VBIED (Vehicle Borne IED), etc., at railway stations, principally
by Finite Element Method (FEM) computing. Several blast simulations were conducted to demonstrate
how the methodology may be used to evaluate the effectiveness of certain architectural solutions in
reducing the consequences of blast scenarios. Modelling of fire, smoke spread and passenger
evacuation was also included in the project work, using state of the art tools that are already in use for
the fire safety evaluation of railway station design but this not discussed in this paper.
2. 2
A further computational tool, SARA, has been designed and demonstrated for simulation of the
cascade degradation of safety functions in a railway station following certain initial events
corresponding to the terror attack. Its use within risk analysis is particularly important for intermodal
and underground railway stations where the safe evacuation of the passengers depends on diverse
technological systems (fire extinguishing, power supply, ventilation, lighting, etc.) that may be
damaged by an attack and that are partly interdependent.
1. Introduction
The resilience of a railway station in the case of terrorist attack provides for the protection of
passengers and workers lives and the prompt restoration of public transportation services. Designing
and building a new railway station, or refurbishment of an existing railway station, to make them
resilient while keeping them economically sustainable is not a trivial task. This paper addresses the risk
analyses and modelling solutions developed by a multidisciplinary team of European experts from
2011 to 2014 within the SECURESTATION project, funded under the European Union 7th Framework
Programme, project reference 266202.
2. Description
Risk Analysis Methodology
The SEST-RAM methodology was developed as an upgrade of protocols that were previously used by
the same authors in modelling risk for terrorist attacks to various kinds of ground transportation
systems. A set of attack scenarios are initially defined as ways in which the considered threats (IEDs,
arson, dispersion of toxic substances, etc.) may be applied in diverse parts of the whole station (e.g.
mezzanine, shopping area, bus platforms, train platforms, etc.). For each scenario, a “relative risk”
value is evaluated as the product of “relative probability of occurrence”, vulnerability (probability that
the attack is successful) and consequences (harm to persons and economic loss). “Relative risk” values
for individual scenarios are “conditional risk” estimations proportional to actual risk values by a scalar
“renormalisation factor” that includes the probability that some form of terrorist attack occurs at a
particular railway station over a certain time period. The renormalisation factor is computed only
when needed because it generally has a high uncertainty and it widely varies over time due to drifts or
sudden changes in socio-political circumstances (demographic variation, insurgences, a new law, peace
talks, a change in foreign policy, the arrest of terrorists, etc.). Guidelines are however given within the
methodology to compute a reference value for the renormalisation factor and thus to express results
as risk values or risk “ranks” (instead of relative risk). The SEST-RAM formal approach also includes
rules to obtain representative overall risk values (relative or “absolute”) for a whole railway station
from the pool of scenarios, including sets of similar cases whose risk should not be simply summed.
Rating the relative probability of attack for a certain scenario is the most difficult and questionable
procedure within the evaluation of relative risk because it reflects the preference of a terrorist
decision maker for a certain attack plan vs. other alternative ones. Some general guidelines are given
on assessing this value, and a method is provided to compute the value in the specific (but common)
case of radical fundamentalist groups, using a computation procedure that was calibrated by the risk
ratings assigned by a panel of experts to a set of different scenarios.
3. 3
A set of alternative methods are specified for the estimation of vulnerability, including the use of event
trees to model the probability that attackers may be successful in the presence of a set of technical
and organisational countermeasures. Consequences assessment may be performed for a set of
damage classes of interest (e.g. human and economic, direct and indirect, losses) with a level of
accuracy varying from coarse parametric or “educated guesses” up to sophisticated computational
models such as the ones that were refined and applied in the project, as described below in this paper.
The SEST-RAM methodology was defined for integrating an analytical approach to security with the
architectural and engineering design activities along the development of the project for new railway
stations or for their revamping. The SEST-RAM risk model may be setup and risk computed in a few
weeks for one or for a few alternative basic designs, using simple preliminary estimates for
vulnerability and losses. In this way risk may be taken into account early in the decision making before
the project is adopted and further developed up to construction plans for building and technological
systems. The model may then be refined, running more accurate time consuming computations for
consequences assessment and by evaluating critical dependencies in the functional availability of
technological systems that contribute to the resilience of the railway station, aiming for safe
evacuation and the prompt restoration of station operation.
Modelling the dispersion of toxic chemicals and the consequences
A methodology for simulating chemical dispersions within a railway station environment was
developed for the SECURESTATION project with the aim of evaluating the impacts of such attack
modes and to produce recommendations for the design of railway stations and their ventilation
systems. A general-purpose computational fluid dynamics solver, ANSYS Fluent, was used. To enable a
large number of scenarios to be simulated it was necessary to balance solution time with accuracy and
therefore the realisable k-epsilon model for turbulence was used in conjunction with unsteady
Reynolds-average Navier-Stokes equations as it has been demonstrated to provide a good correlation
with experimental simulations, but without requiring excessive processing.
Different toxic materials and dispersion methods were simulated. The toxic agents simulated included
materials used in the past as chemical weapons such as choking agents, blood gases, blister and nerve
agents. From these, materials were selected with different physical properties and densities to enable
different dispersion methods and diffusion characteristics to be displayed. The materials selected also
ranged from extremely toxic nerve agents where very low concentrations result in serious injury or
fatalities, but are controlled materials and therefore more difficult to obtain, to choking agents and
blood gases which require higher concentrations to be effective, but are also common industrial
chemicals.
The dispersion methods simulated depended upon the physical properties of the materials, so the
compressed gases were simulated as being dispersed from a pressurized gas cylinder, whilst the
volatile liquids were simulated being dispersed as an aerosol and also as evaporating from a pool of
liquid by natural vapourisation in the air, as with the 1995 attack on the Tokyo subway. The rate of
vapourisation from the pool of liquid was calculated using a similar methodology to Edvard Karlsson et
al. and allowed the vapourising liquid to be simulated as a gaseous flow. Similarly for the aerosol
dispersion of the volatile liquid it was assumed that the aerosol droplets would rapidly vapourise and
could therefore be approximated to a gaseous flow of the toxic material with the carrier gas.
4. 4
The impact of the toxic material dispersions on humans could be evaluated using exposure limit data
which are published for chemical safety purposes and present the impact on human health at different
concentration levels. These limits can therefore define contours within the concentration plots from
the simulations and define the size of the zones where persons within that area would suffer serious
injury or receive a fatal dose of toxic material.
a) b)
Figure 1: a) 3D concentration plot showing the dispersion of HCN gas with strong extraction flows and b) the
contours demonstrating the areas of different levels of human harm
In general the simulations demonstrated that for the materials with the greatest toxicity, such as the
volatile liquid nerve agents, the strongest air ventilation flows diluted them spreading them over a
greater area causing increased levels of harm. Whereas, for the materials with reduced toxicity such as
the blood gases and choking agents, the dilution effect from the ventilation system rapidly diluted the
gases reducing the levels of harm. This demonstrates the need to be able to control the ventilation
flow rate and direction to respond depending upon the attack scenario in order to minimise harm.
Modelling of Blasts and their Consequences
Among the available methods to perform a blast study, in the SECURESTATION Project both empirical
methods and numerical techniques have been employed to assess the railway station structural
resilience to an attack involving explosive devices. Specifically the empirical approach was based on an
extensive experimental database built up after performing a large number of explosion tests by
detonating various charges of a reference explosive (typically TNT). The numerical approach involved
the numerical resolution of the mathematical system describing the physical phenomena to be studied
(mass, momentum and energy conservation equations) and also taking account of the physical
behaviour of materials involved in the study which is described by means of proper constitutive
relationships.
Considering the historical background of terrorist attacks in the EU as well as the suggestions from
stakeholders and experts in the railway transport field, different typologies of blast attack, e.g. Person
Borne Improvised Explosive Device (PBIED), VBIED and IED, have been assumed to occur at several
locations inside and outside the reference station buildings considered for such studies. In the case of
open environment scenarios, the empirical models were used to obtain reliable results with limited
computational effort, whereas for occluded environment analyses the numerical approach was
adopted.
Serious injury
Fatality
5. 5
Figure 2: Occluded environment PBIED: pressure contours evolution at different instants after bomb detonation
The results obtained for the selected scenarios have been used to evaluate structural loading and
damage, people harm (survival percentage) and the number of casualties and the effectiveness of
mitigation measures. With regard to structures, well-established methods such as the Single Degree Of
Freedom (SDOF) for dynamic analyses was used. Harm to people was evaluated by means of both the
pressure-impulse diagrams available in literature and an in-house code calculating a projectiles’
lethality as a function of people density distribution around a detonation.
Figure 3: Example of monitored pressure profiles and SDOF model applied to a structural column
Determination of the efficiency of some of the mitigation countermeasures comes from the critical
analysis of simulation results. Some of those include the introduction of passive (fixed) and active
(operated) vehicle barriers to enlarge the so called standoff distance and of partitions and protected
spaces.
Modelling Functional Resilience following an Attack
The aim of the SARA (SECURESTATION Attack Resilience Assessment) Tool is the implementation of a
systematic framework to evaluate the vulnerability of equipment in railway stations to security
threats. Ideally, application of the methodology enables designers and security experts to analyze a
given railway station from a security point of view, focusing on the functional behaviour of each
individual piece of equipment (e.g., ventilation, communication, power supply, etc.) installed in the
railway station. The results of the analyses of vulnerability and availability, aimed at identifying the
critical components and ranking their importance, enable the definition, evaluation, ranking and
selection of possible mitigation measures to be applied to the equipment of the railway station in
order to improve its resilience from terrorist threats. The equipment considered is related to the
functioning of the station building (allowing passengers to access and leave the transport operation)
rather than the operation of the transport service itself, which is usually subject to other types of
safety and security analyses during design, construction, commissioning and operation.
50
70
90
110
130
150
170
190
210
230
250
0 20 40 60 80 100 120 140 160 180
P
re
ssu
re
[kP
a]
Time [ms]
Gauge# 1
Gauge# 2
Gauge# 3
Gauge# 4
Gauge# 5
Structural element
SDOF
K
M
Blast Wave
F(t)
x(t)
x(t)
6. 6
In the tool the station building is investigated from a physical and functional point of view representing
and linking together both of these aspects. The model adopted also allows remedial options and cross-
correlation aspects between the different equipment to be considered.
Figure 4: flow diagram of the SARA tool for modelling the functional resilience of a station
A structural analysis aimed to represent the topological structure of the station and the network of the
equipment that allows the functioning of the station to be assessed, and a functional analysis aimed to
define the main functions of the station to be considered to define an appropriate way of measuring
them, are performed.
The physical and functional models of the station building and its equipment, provide the basis for
defining the critical elements of the equipment and the necessary mitigation measures, and also to
select a sub-set of these under specific constraints. A set of attack scenarios are chosen defining a
particular type of threat. For each scenario a set of user cases is defined specifying the position of the
threat inside the building, its magnitude and defining the effects in terms of damage to the structure
of the station and to each element of equipment.
Furthermore, a set of mitigation measures are defined on the basis of the experience of railway station
operators and from the identification of the critical parts of equipment. All the defined
countermeasures are applied to the user cases during the phase of ranking and selection of the
specific measure that best enhances the functionality of the station within defined constraints (i.e.
limited budget) or targeting a degree of system resilience to be eventually achieved.
The SARA Tool has been demonstrated by applying it to the general ‘model station’ adopted within the
SECURESTATION project - an interchange node constituted by a railway station, a metro station and a
bus station.
3. Conclusion
The SECURESTATION project has delivered a comprehensive set of risk assessment and consequences
modelling methods for the design of an economically sustainable railway station which is resilient to
terrorist attacks. The methodology has been successfully tested for a ‘model station’ and already
applied to a few real sites.