Redefining Risk for Critical Infrastructure
Q&A with EU STREST Coordinator, Professor Domenico Giardini
Fukushima: A Wake-up Call
Fukushima was a wake-up call to Europe. Could a natural catastrophe cripple critical infrastructure (CI) in Europe, like power, water, transport or communication?
To answer this question, the EU commissioned STREST, a project spanning 8 countries, led by Prof. Domenico Giardini, Chair of Seismology and Geodynamics at the Swiss Federal Institute of Technology in Zurich. Prof. Giardini is President of the International Association of Seismology and Physics of the Earth's Interior. He is also Head of the Swiss Competence Center for Energy Research in the Supply of Electricity. He directed the UN’s Global Seismic Hazard Assessment Program, and is the former director of the Swiss Seismological Service.
Prof. Giardini, what exactly is STREST?
“STREST is a response to Fukushima, which was a low-probability, high-impact (LP-HI) natural disaster. The EU realized that if it could happen in Japan, it could happen here. They immediately commissioned stress tests for Europe’s nuclear facilities, which showed that the majority of our nuclear plants would need some retrofitting to be safe in an LP-HI event.
“If the carefully regulated nuclear industry required additional safety procedures, the EU realized that they should also investigate non-nuclear CI, which is not as tightly regulated.”
Does this mean that you are stress-testing individual CI sites across Europe?
“It is more than that. The existing stress tests for individual facilities are fairly simple. Each plant carries out a plant safety analysis, which accounts for standard risk scenarios. But even the plant safety analysis of the nuclear plant in Fukushima could not prevent the catastrophic consequences there. The source of the nuclear accident was ultimately traced back to earthquake damage to an offsite power line, coupled with the failure of the plant's backup power generators, which failed when they were flooded by the tsunami waves. Since the backup generators were located in a part of the plant deemed non-critical, the plant safety analysis did not identify every potential vulnerability.
“The lesson from Fukushima was that an LP-HI natural disaster can set off a chain reaction. Low-risk CI might become high risk when damage or failure at a low-risk facility cascades onto a more dangerous facility. Or a chain reaction can be set off through unexpected connections between infrastructure elements which are not accounted for in the safety analysis. It’s those hidden risks and connections that have to be examined.
“The EU has commissioned STREST to develop a new stress-test methodology for cascading disasters.”
How will you study the hidden risks and connections across different categories of CI?
“We will study the systematics of cascading events and consequences, using six case studies to assess the threat of earthquakes, tsunamis, surface faulting, and floods on three CI classes.
“The first class is a single, high-risk site. One of our case studies revolves around an oil refinery and petrochemical plant on the Sicilian coast. It is vast and complex, and exposed to earthquakes and tsunamis. What is the probability that an offshore earthquake could generate a tsunami? How would the plant resist the double threat of shaking and inundation? What if the power is disabled? What happens if a single safety barrier, like firefighting water, is not available? What if local emergency rescue services lack sufficient capacity to respond in an LP-HI event? How quickly can one piece of damaged equipment affect the rest? What happens if the power goes out for 6, 12, or 18 hours? How will the length of the power outage multiply the consequences?”
Didn’t the deadly 1999 earthquake in Turkey also start an oil-refinery fire that burned for days?
“Yes, and that’s what we want to prevent. We know what caused that accident, yet we still do not have an exhaustive series of stress-test questions to address that risk from a multi-disciplinary perspective. This is our goal.
“The second CI class we will study is distributed infrastructure, like a gas or oil pipeline distributed over a thousand kilometers. In a long pipeline, designers know that certain segments lie across fault lines. They will make those segments flexible, able to move from side to side without breaking in an earthquake. But there are areas of the world which have yet to be mapped for fault lines. Inevitably, several pipeline segments will lie, rigid and unprotected, across unmapped areas. What if an earthquake strikes one of those segments, and it starts leaking? Could it start a fire that stretches a hundred kilometers? Would lives be threatened? How long would it take to identify the leaky segment? What could the leak do to the environment? What is the ultimate economic impact? Is it worth the time and money to make those segments flexible?
“The third CI class is a multiple-site infrastructure. In this case, damage to a single building or site would not have a big impact, but when every building in an area is demolished, the collective impact would be terrible. Our case study will focus on the 2012 earthquakes in Northern Italy, which caused a large number of industrial buildings to collapse. It devastated the local economy, and knocked a percentage point off the national GDP. Each individual building was not critical, but the loss of a large number of non-critical buildings reached a critical consequence.”
Does the age of Europe’s infrastructure play a role in your study?
“Yes, of course, age is relevant wherever it increases the vulnerability of infrastructure. Many ‘modern’ European structures were built over fifty years ago, and most often have not been retrofitted to meet modern design and safety standards. In addition, aging in itself is a major factor in increasing vulnerability.
“In fact, the 2012 Italian earthquakes leveled mostly old houses and industrial buildings which did not comply with today's regulations in the area.
“On the other hand, the impact of a natural catastrophe could also exceed modern safety margins, especially in the case of cascading disasters with less obvious triggers.”
Are scientists better able to predict LP-HI events like earthquakes now?
“No, when we define prediction as accurate and short-term. For example, we cannot predict earthquakes—although we keep trying! We cannot say that in 10 days, a 6.0 earthquake will strike a particular locale.
“The very definition of an LP-HI disaster means that we have hardly any data to understand it, much less predict it. The only thing we can do is determine statistical probability. We know where earthquakes have occurred in the past, how frequently they have occurred, and what the intensity has been, but we only have a few hundred years of solid historical data on earthquakes. Reliable meteorological data only dates back 150 years. In geological terms, that is nothing. What about the earthquake that strikes every two or three thousand years? One of the hardest things for scientists to do is to account for epistemic uncertainty, or the limits of our knowledge. For new stress tests to be viable, they have to encompass an element of the unknown.
“We also have to ask whether it is worth preparing for the extremely rare event. Of course, a meteor could eventually destroy an entire continent, but we have to draw the line somewhere! What’s important is that the research, methods, and technology we create today are laying the foundation for government decisions which will influence our safety for decades to come. Cost and risk have to be well-established before governments can make sound decisions.
“Most importantly right now, Europe needs to redefine ‘risk’ for CI, to include cascading disasters. We even need to redefine ‘critical’ to include long-term economic consequences, regionally, nationally, and even globally.”
Could you give an example of what you mean by redefining “critical” infrastructure?
“Everybody would agree that a nuclear plant is critical, but most would not consider the damage to a watch factory as critical. Well, an earthquake in Jura could decimate the Swiss watch industry. If several factories in the Jura cluster were severely damaged, it wouldn’t release deadly chemicals into the atmosphere. Yet, the industry employs nearly 60,000 people, and supplies over 3% of Swiss GDP. In reality, watch factories are part of the critical infrastructure in Switzerland. That should qualify them for high resilience standards.”
Your project started at the end of 2013. Could you share a progress report? Has anything surprised you so far?
“I guess the most urgent realization is how much legislation varies from country to country, across different types of infrastructures, and depending on the age of construction of the facility.
“All plants storing toxic substances in Europe - over 10,000 of them - operate according to the Seveso Directive, aimed at preventing and controlling accidental release. However, no common legislation covers the accidents initiating the accidental release.
“Other CI is run according to different standards across Europe. For example, hydropower dams don’t fall under the same scrutiny as nuclear plants, since dams don’t release dangerous chemicals when they collapse. But could a rush of dam water inundate a nuclear or chemical facility?
“It already seems clear to the STREST team that we need consistent legislation for critical infrastructure at the European level.
“STREST case studies will help us establish a consistent taxonomy of non-nuclear CIs, with a rigorous stress-test framework and probability-modeling approach. By the end of 2016, our objective is to be able to assess the vulnerability, resilience, and interdependencies of CIs across classes. Ultimately, STREST should enable the EU to implement policies for systematic stress tests of CIs in Europe. This will help protect our citizens and the European economy against tragedies like the one in Fukushima.”