Analysis of disruptions cascade effect within and between urban sociotechnical systems in a context of risks

The vulnerability of critical infrastructures facing hazards is a burning issue for urban risks management. In this context, developing methodologies for analysing the causes and consequences of critical infrastructures vulnerability appears necessary for improving the proper functioning of cities that strongly depend on such infrastructures. The critical infrastructures are complex socio-technical systems in which the components are particularly interdependent. Interdependencies also exist between critical infrastructures. All these interactions may imply many failures caused by cascade effect in a context of risks. After a review of existing methodologies for assessing the interdependencies within and between critical infrastructures, the paper develops a global methodology based on dependability methods in order to automatically produce the scenarios of failures caused by cascade effect within a rail transport system, as an example of critical infrastructures, facing a flood hazard, as an example of urban risks. The paper discusses the generalizability of the methodology to other critical infrastructures.


Introduction
Reducing disaster damage to critical infrastructure and disruption of basic services, by 2030; strengthening disaster-resilient investments particularly through structural, non-structural and functional disaster risk prevention and reduction measures in critical facilities, in particular physical infrastructures; promoting the resilience of new and existing critical infrastructure, including transportation infrastructure to ensure that they remain safe, effective and operational during and after disasters in order to provide live-saving and essential services.These objectives were expressed on March 18, 2015, at the Third UN World Conference on Disaster Risk Reduction in Sendai, Japan, within the Sendai Framework for Disaster Risk Reduction 2015-2030 [1].Although this major agreement aims at achieving major objectives for the substantial reduction of disaster risk and losses in lives, livelihoods and health and in the economic, physical, social, cultural and environmental assets of persons, businesses, communities and countries over the next 15 years, it doesn't provide means of achieving these ambitious objectives.
The above-mentioned critical infrastructures, which constitute the backbone of modern societies [2], are clearly and collectively identified by a large number of international institutions [3][4][5].Moreover, the individual vulnerabilities of critical infrastructures become a major issue in urban risk management because, in a context of risks, they can generate collective vulnerability on account of the relationships between the different infrastructures.
These necessary interdependences, in a context of normal operations, may be sources of failures due to domino effects, in a context of risks.Indeed, the failure of one infrastructure may directly or indirectly affect other infrastructures and thereby have an impact on large geographical areas [6].Then, it would appear that scientific research on urban risk management is turning towards studying and modelling "systems of interdependent systems" [7,8] superseding the limited view of just "complex systems" [9,10].This evolution is revealed by the conceptual changeover in catastrophe risk management, going from the idea of protecting critical infrastructures towards a more systemic and global view of risk management [11].Consequently, specific methodologies have even emerged to assess the vulnerability of such systems of systems based on the existing dependencies and interdependencies between them [12].Therefore, the urban risk management requires a more holistic approach for giving rise to systemic and innovative methodologies in order to analyse the complex failure mechanisms to which urban critical infrastructures are subjected facing the occurrence of a risk.
The paper introduces a systemic methodology developed for analysing the failure mechanisms endured by a rail transport system, as an example of critical infrastructures, in the case of the occurrence of a flood hazard, as an example of the risks faced by these type of urban infrastructures.on the systems.The paper also discusses the ways of transposing the methodology to other critical infrastructures.In a first part, the paper provides a comprehensive review of the existing methodologies for investigating the interdependences within and between critical infrastructures that led to domino effect disruptions or even failures.The review outlines the specificities of the existing methodologies, the urban dimensions included, and the scale -within a critical infrastructure or between one or several critical infrastructures -of application of the methodologies.A second part deals with the methodology for assessing the failures due to domino effect within a rail transport system facing a flood hazard, its specificities and its interest for an evaluation of the vulnerability of an urban critical infrastructure.A last part discusses the potential transposition of the methodology to other infrastructures, the interests and the limits, in order to assess the vulnerability of such sociotechnical infrastructures at city level.

City, critical infrastructures and risks: an essential triptych to investigate
If the vulnerability of the critical infrastructures is considered to have a direct effect on the vulnerability of the city, reflecting from a systemic point of view appears to be necessary for developing global methodologies for risk management.Although modelling and predicting the behavior of a critical infrastructure is challenging [13], a systemic approach appears to be essential for: -Getting a full picture on failures, by capturing second and third order consequences as well [14]; -Integrating all the interdependencies, irrespective of whether they are due to processes within the system, to external changes in the system's environment [15] or to unexpected or unforeseeable events [11]; -Determining failures due to domino effects between different urban technical networks considered to be critical [16].
These systemic and innovative methodologies need to integrate at least three essential dimensions to be relevant: the critical infrastructures, the risks and the city (Figure 1).
The city is hard to define mostly because the term covers both objective dimensions -the facilities, the networks, the flows between them… -and subjective dimensions -perceived and experienced by inhabitants, thought by planners… There is even no more commonly agreed definition for the city [17].However, this lack of definition can be offset by regarding the city as a complex system.But the question is to identify what type of complex system is relevant to modeling a city.Indeed, although understanding cities as social-ecological systems appeared useful in the study of urban sustainability [18] allowing to even include humans as components of these ecosystems [15,19,20], it seems more relevant to approach city as a technical object in terms of risk management issues.In this context, the city is composed of different elements such as population, public infrastructures, housing and networks; organized by governance; subjected to influences from the environment and related to its by exchanges with other cities [17].In fact, paradoxically, using complexity make easier the understanding of cities because it allows to divide it into elementary, constitutive, and especially independent subsystems in a transitory manner.Thus, considering cities as a complex technical systems, which are embedded within a systems of cities [21], readily allows to study the impact of risks, as perturbations in the normal functioning.
The risks that can affect a city are characterized by their origin, internal or external, and by the way they occur, gradually or suddenly [22].Actually, the hazard event itself is viewed primarily as element at risk, and since risk is generally defined as the product of the hazard probability and its consequences, risk can be viewed as a function of the hazard event [23].What is more, hazards, particularly natural related, has got spatiality and temporality features that must be incorporate into risks management practices, otherwise it could result in failure [24].But, the risks management raises the question of the relevant ways for the governance of these risks.The adequacy of a risk governance, understood as a holistic way of understanding and dealing with risk [25], is necessary and cannot be performed without a full and clear understanding of the criticality of each infrastructure [26] existing in the city.
The critical infrastructures are considered as critical in view of populations' increasing dependence on them [27].They are, as the city itself, regarded as a particular type of systems: the socio-technical systems.The socio-technical systems link physical systems (e.g.flood risk infrastructure) with actors (e.g.flood risk management organisations) and rules (e.g.acceptable flood risk standards) in order to provide a particular function (e.g.flood risk management) [28].[29] also identified and compiled a set of key-characteristics for what they called complex socio-technical systems grouped into four categories: a large number of dynamically interacting elements, a wide diversity of elements, an unanticipated variability and a resilient behaviour.This last characteristic consists of the systems' ability to adjust their functioning prior to, during, or following disturbances, so that the system can sustain required operations under both expected and unexpected conditions [30].This type of resilience, identified as the resilience engineering, seems able to cope with the challenges of complexity specific to socio-technical systems.In this way of thinking, the diversity of widely and dynamically interacting elements gives complex socio-technical systems the resilience that allow it to cope with a changing environment [31].Thus, the amount and multiplicity of interactions between elements are not viewed anymore as an important source of potential failures.Considering that the complexity may lead to a resilience behaviour, an interesting paradox seems to be emerging: the more complex, entangled, interlinked is a system -or a system of systems -, the easier it is able to operate in a resilient way.
Actually, the vulnerability is studied around these three dimensions in order to build a model for the urban risk management.But first and foremost, the links between vulnerability and resilience needs to be clarify inasmuch as the relationship between these two concepts is highly contextual and is certainly a matter of perception [32].Vulnerability often refers to the "flip side" or the antonym of resilience [33,34].But, within a complex sociotechnical systems approach, resilience seems to be an internal property of the system, as it have been proven for social-ecological systems [15].Furthermore, the vulnerability of populations to natural hazards can also be decomposes into three parts: exposure, resistance, and resilience [35].Hence, these approaches seem to be advocating the fact that resilience would be included within the concept of vulnerability, as a formal part of it.
Opposing vulnerability and resilience have significant limitations because reducing the vulnerability of a system does not always result in advances for resilience [36] as if lowering the vulnerability would mechanically raise the resilience [37].For example, a rail transport network, composed of several rail transport systems or lines, can be highly resilient according to the previous definition of [30] because it has significant interdependences with other networks and intra-dependences within its constitutive lines which allow it to sustain the operation under unusual conditions.But, considering that the whole network or a major part of it is located in a flood zone, then the global vulnerability of the network is high.Moreover, implementing protection strategies could substantially reduce the vulnerability to flood hazards while keeping the same level of resilience.Overall, the vulnerability and resilience does not respect this kind of antagonistic movement, not least in the case of socio-technical systems.
Finally, whatever the precise relationship between all these concepts, a consensus can be reached in the transportation field: "the fashionable concepts of resilience and vulnerability are increasingly entering the realm of transportation science.The interpretation and conceptualisation of such notions, however, do not reflect an unambiguous methodological position, but rather a range of various meanings and descriptive categories, such as reliability, variability, vulnerability or fragility.All such concepts are employed to map out the features of a transitional movement of a transport system that is affected by a shock" [38].Adding the fact that this "transitional movement" is difficult to assess because of its complex mechanisms, its particular dynamics, the specific causes that generate it and the consequences on the system itself, methodologies for characterizing all these damage processes are sorely needed in the scope of urban risk management.Considering that interdependencies within and between critical infrastructures are pinpointed as the main source of these processes, a review of existing methodologies and approaches for assessing the interdependencies has been realised.

A review of methodologies for assessing the interdependencies
A review has been performed in order to provide an overview of how existing methodologies deal with the interdependencies within and between critical infrastructures, as the main source of individual and collective vulnerabilities.In a context of risks, one of the most significant and pervasive risk is the occurrence of failures due to the so-called domino effects or cascading effects.In a situation of strong intra-dependence and strong interdependence, respectively within and between critical infrastructures, cascading effects can lead to different impact entry-points [14,39] which complicate the understanding of the damage processes.Moreover, society currently cannot afford the costs associated with absolute protection against all cascading effects [40] and this may not even be feasible [14].This is the reason why elaborating comprehensive methodologies is the key for the management of the risks that affect critical infrastructures and, consequently, the whole city.
Although there are literally hundreds of methods for conducting vulnerability assessments and risk management of critical infrastructures [41], the results of the review of literature for mapping out the features of approaches (Figure 2) reveals important and interesting facts.Firstly, it appears a preponderance of methodologies covering the interdependences between critical infrastructures compared to the methodologies approaching the intra-dependences within a given critical infrastructure.The service continuity of a specific infrastructure depends on the correct functioning of its own components and connections [42]: the intradependences, corresponding to internal dependences, are as important as the interdependences.Thus, the behaviour of critical infrastructure in the case of a risk occurrence seems to be less covered than the behaviour of a system of critical infrastructures in a similar context.Secondly, a discrepancy seems to exist between the urban dimensions taken into consideration in the methodologies.Indeed, some aspects are not treated in the same way: social, economic and governance issues concerning the interdependencies within and between critical infrastructures are well covered whereas environmental, climate change and urban planning aspects appears to be less included.The urban planning aspects mean, here, the configurations of installation for a critical infrastructure: at ground level, at underground level and at overground level.For a given hazard, especially for natural hazard type, the experience shows that the level positioning has an influence on the vulnerability of the system [43].These aspects may also include the presence of other facilities, the use of land, and the local topography… in the surroundings of the studied system.In summary, this overview showed a clear lack of wider knowledge on the damage processes due to internal dependences within a critical infrastructure and on methodologies including urban planning issues.
According to the conclusions of this overview, a systemic methodology has been developed for analysing the failure mechanisms endured by a rail transport system, as an example of critical infrastructures, in the case of the occurrence of a flood hazard, as an example of the risks faced by these type of urban infrastructures.The vulnerability of the rail transport systems is actually studied through these failures mechanisms because they are causing factors of damages on the systems.

A methodology for analysing disruptions cascade effect within a rail transport from flooded conditions
Natural hazards have complex impacts on transport system and the sources of this complexity can be distinguished into three types: a physical aspect, a functional aspect and an aspect linked to interrelationships between elements of the systems [44].The physical aspect is due to the hazard, characterizing by its intensity, which disrupts a great number of components putting them potentially out of service.Subsequently to the components disruptions, the operating of the transport system may be perturbed in varying degrees: trains slowing down, sections of a rail network unavailable…; this is the function aspect of the impact.The third characteristic and perhaps the most difficult to characterize, comes from the interrelationships between the components.Indeed, the interrelations are very numerous in a rail transport system because of the amount of elements, the interactions between the components because most of them needs other ones to properly operate.Thus, a single disruption within the system can create many indirect disruptions relatively unknown.
Choosing to implement methods resulting from operational safety concepts for studying the disruptions due to cascade effect can be justified on several counts.Firstly, operational safety is suitable for our problem inasmuch as it consists of knowing, assessing, anticipating, measuring and mastering failures in technological systems in order to limit the consequences of any such failures on human health and safety, on productivity and on the environment [45].To succeed in this, modelling using operational safety methods is based on functional modelling which consist of determining the interactions between the components of a system and its environment, in order to formally establish the links between functional failures, their causes and their effects [46].The second reason is that methods resulting from operational safety concepts can be considered as being a wide range of methods that are all at the service of risk management [47], and mainly for risks affecting urban systems.Lastly, and this is the third reason: recent applied research work uses these methods efficiently when modelling the way complex urban systems function when they are faced with flood risks [48][49][50].
Thus, the methodology for identifying and automatically producing failure scenarios due to cascade effect between the components of a rail transport system is based on dependability methods successively implementing on a rail transport system: the Functional Analysis, the Failure Modes and Effects Analysis (FMEA) and the Fault Tree Analysis (FTA) (Figure 3).Functional Analysis enables the way systems operate to be modelled on the basis of two mutually dependent analyses: structural analysis and functional analysis.Structural analysis qualifies the positions and relations between different components in the system in order to formulate the functions of each component in the functional analysis [51].Besides, another method often applied after the FA is the Failure Mode and Effects Analysis.The FMEA is a particularly efficient method of analysing failure modes and is used for structuring information on degradation in the form of tables: performance losses, their causes and their effects [52].By considering each system component and by analysing failure modes, the method provides a better understanding of how the system functions, for example, before, during and after flooding [47].Lastly a third operational safety method enables the results obtained by the FMEA to be modelled: events trees.These trees give a graphic representation of the sequence of events formed by an initiator event and a combination of successive failures.Benefiting from the completeness of the FMEA method, the objective is to automatically identify and produced the chains of failures, which mean the sequences of failure events.Indeed, the FMEA identified the interdependent connections between components which are at the origin of the chains of failures due to cascade effect in a context of risks.However, considering that the system is divided into many subsystems, and that each sub-system can also be divided into many components, the production of all the chains of failures is a tedious and complex work.Hence, a computer tool has been developed to exhaustively establish the chains of failures [44].The principle of operation is as follows: a database has been created using the FMEA as input data; then, the database allows to determine automatically the direct causal relationships between all the functions of all the components.A direct causal relationship is identified when the "failure effect" of a first component is exactly the "failure cause" of a second component, and so on.The first causal relationship is a first order dependency and the following causal relationships are higher order dependencies (second order dependency, third order dependency…) captured with the proposed methodology.This methodology for identifying intra-dependencies within a rail transport system, can take into account different configurations of installation.Indeed, the methodology has been applied to a rail transport system at ground level (e.g.tramways, high-speed lines), at underground level (e.g.metros, tramways) and at overground level (e.g.metros).Three FA and three FMEA have been realized and for each configuration of installation, hundreds of chains of failures have been produced by the computer tool.Two main conclusions emerge from the study.Firstly the underground configuration of installation generates considerably more domino-effect failure chains than the other two configurations.Therefore, underground rail transport system appear to intrinsically amplify the internal dependences that exist between components, and, in this way, provoke more potential failures due to cascade effect domino effect in flood hazard situations.Secondly the scenarios obtained for the underground configuration contain 2-3 times more components than the scenarios obtained for the two other configurations.Hence, an underground guided transport system seems to intensify the domino-effect failure process, which potentially spreads further, meaning that it involves a larger number of components in each chain of failures.
Finally, the methodology offers a modelling of disruptions cascade effect within a rail transport system, as an example of critical infrastructures, facing a flood hazard, as an example of risks.The methodology is also able to take into account the positioning of the system within the city and hence, characterizing the relevant configuration of installation according to the local weather and natural conditions.In terms of urban risk management, the questions arising from the above work are the following: how might the methodology apply to other critical infrastructures?How might a methodology for analysing internal dependencies (intra-dependencies) within a critical infrastructure might bring new and significant information about external dependencies (interdependencies) between critical infrastructures? 4 Generalizability of the methodology

Principles of generalization to other critical infrastructures
This section deals with the possibilities of applying the previous methodology to other critical infrastructures with the same objective: analysing disruptions cascade effect within a critical infrastructure in a context of risks in order to highlight and identify the intra-dependencies.Actually, the methodology could be generalized if some hypotheses and steps are respected.
Firstly, two main hypotheses should be verified before applying the methodology.The fist hypothesis is that the given system has to be a socio-technical system.Indeed, dependability methods and the concept of system are inseparable since the attributes of dependability express the properties which are expected from a system, such as reliability, availability and safety [53].Hence, to use the methodology based on three dependability methods successively applied, the object must be a system.This is totally the case for the critical infrastructures which can be described as socio-technical systems [54,55].Thus, a technical infrastructure, such as water distribution network, natural gas network or electric power network, can be seen as a large integrated socio-technical system that is built from objects linked together in a coherent system structure [56].Besides, the second hypothesis is that the system has to reach a high level of complexity.The methodology follows the fundamental idea of system thinking: studying systems as wholes rather than their elements in separation, as a way to address complexity [57].The complexity can be divided into two categories: the structural complexity and the functional complexity.The structural complexity comes from the elements composing the system which followed a Russian dolls pattern: the system contains sub-systems which themselves contain components which can be divided into sub-components, etc.The functional complexity comes from the interactions of both physical and actor networks since they collectively form an interconnected complex network where the actors determine the development of the physical network, and the physical network structure affects the behavior of the actors [56].This functional complexity is a major common feature of all critical infrastructures, characterized by dynamic behavior, nonlinearity, emergence [58], diversity [59] dispersed interaction and cross-cutting hierarchical organization [60].The cascading mechanisms in the case of global failures actually are behind the functional complexity.This distinction for approaching the systems complexity is relevant for the critical infrastructures.Indeed, each critical infrastructure has structural properties and functional responses, and what really changes from different systems is the functional model, that's to say how the system reacts to perturbations and the estimation of the consequences [54].The structural modelling corresponds to the first part of the functional analysis whereas the functional modelling corresponds to the following methods: FMEA and events trees.Secondly, the methodology can be used for any type of critical infrastructure if several steps are respected.The first step is to make a structural and functional modelling of the studied complex system using the FA.For example, for the electric power system, the structural analysis is necessary for identifying the elements of the system (electrical substation, power lines…) and the functional analysis for highlighting the dependencies between these elements.It must be emphasized that several critical systems have been quite extensively studied using network theory, such as electric power systems, road transportation networks and telecommunication systems [54] but the major limit is that important characteristics of the systems are lost when using a traditional network analytical approach because it over-simplifies the models contrary to standard engineering methods.One of the main characteristic which is not included in the network analytical approach is the urban planning aspect: is the system positioned at the ground level?At the underground level?The second step is to realize a FMEA following the structural and functional analyses.Once the FMEA has been carried out, the results are the inputs of the computer tool for automatically producing the chains of components failures due to cascading effect.In fact, the content of the FMEA is totally transparent to the computer tool which mean that the domino-effect failures can be generated for any type of critical infrastructure.Besides, in the methodology, the urban planning aspects are completely integrated through the FMEA and the identified failure modes, failure causes and failure effects for each component.For example, again the electric power system, the issue of the components positioning level and the impact on the vulnerability against hazards appears.Underground and overhead power lines, electrical substations partially or totally underground… are also major stakes for the management of the risks affecting an urban electricity network: strong wind, heavy rains, thunderstorms…

From internal dependencies characterization to external dependencies characterization
Concerning the generalization of the methodology developed in this paper, another way is possible.Indeed, in the first step of the methodology during the structural and functional analyses, the level of detail in which the system is studied is set.The chosen level of detail for the application of the methodology to a rail transport system has been the component level (the components are included in a sub-system).This level of detail offers the possibility to identify the interdependencies between the components of the system.But, considering that the studied system is a system of critical infrastructures, the level of detail could be a critical infrastructure.[61] built and applied a very similar methodology using dependability methods for studying impact of hazards on network infrastructures and to study interdependencies between different networks.In their research, the studied network infrastructures are the traditional networks necessary for the proper functioning of the city: the electric network, the drinking water network, the sewage treatment network, the transportation networks… For each network, a functional analysis and a FMEA was carried out.After processing the data contained in the FMEA, a failure mechanism model had been defined, and failure scenarios had been designed thanks to event trees.Hence, similarly to the methodology applied to a rail transport system at the underground, ground and overground level, the model developed in [61] highlights domino effects induced by networks failure.Finally, according to the chosen level of detail which could be the system of systems, the system, the sub-system or the component, the specific methodology described in Figure 3 allows to identify the interdependencies.Applied at the level of the system of systems, such as between critical infrastructures, it provides the interdependencies whereas at the level of the system, it provides intra-dependencies.

Conclusion
The functional interdependencies between the elements of a socio-technical system are necessary to ensure its proper functioning during normal operation.But, in a context of risks, these interdependencies are the source of failures within the system due to cascade effects.This is particularly the case for the urban critical infrastructures, necessary for the societies.The need for understanding the cascade effects failures, that is to say the mechanisms of failures propagation, is actually growing in the field of urban risk management.In order to analyse the mechanisms of disruptions and failures due to cascade effect, a methodology has been established and applied to a rail transport system positioned at the underground, ground and overground level.Based on the use of dependability methods, a computer tool has been developed in order to exhaustively produce the chains of disrupted components due to cascade effect.Thus, the computer tool highlights all the causal relationships between all the components, providing a global cascade effect modelling and identifying the scenarios of failures.The methodology appears to be generalizable to other critical infrastructures and to a system of several critical infrastructures.In this case, the methodology identifies the interdependencies between the critical infrastructures and the consequences of a critical infrastructure failure on another one.Further research around this methodology may be investigated.Firstly, the methodology can be applied to a rail transport system facing other natural hazards, providing the same type of cascade effect modelling, likewise with any other critical infrastructure.Secondly, the methodology can be considered as a procedure to qualitatively identify the interdependencies between critical infrastructures and the intra-dependencies within a critical infrastructure through the domino-effect failures, in a context of risks.The whole methodology could be improve by including quantitative considerations: what is the probability of a given critical infrastructure failure?How much time does an operator have for repairing a failure on a critical infrastructure A before it spreads to a critical infrastructure B through cascading effect?Lastly, it would also appear to be of interest to re-use the computer tool with components that have been protected against a given risk.This would enable evolutions in domino-effect failures to be determined, when compared with the same configuration of installation where components are not protected against the studied risk.Therefore, on operational levels, the methodology would enable to assess the interest for a system in protecting some critical elements in order to limit the failure within the system and out of the system to other interconnected systems.

Figure 1 .
Figure 1.A triptych to assess the urban vulnerability and its characteristics.

Figure 2 .
Figure 2. Synthesis of the literature reviewed on the existing methodologies and approaches dealing with the interdependencies within and between critical infrastructures.

Figure 3 .
Figure3.The methodology used to establish failure scenarios due to cascade effect between the components of a rail transport system facing a flood hazard.[44] The vulnerability of the rail transport systems is actually studied through these failures mechanisms because they are causing factors of damages FLOODrisk 2016 -3 rd European Conference on Flood Risk Management