The Holistic Integrity Test (HIT) - quantified resilience analysis

Rising sea levels and wider climate change mean we face an increasing risk from flooding and other natural hazards. Tough economic times make it difficult to economically justify or afford the desired level of engineered risk reduction. Add to this significant uncertainty from a range of future predictions, constantly updated with new science. We therefore need to understand not just how to reduce the risk, but what could happen should above-design-standard events occur. In flood terms this includes not only the direct impacts (damage and loss of life), but the wider cascade impacts to infrastructure systems and the longer term impacts on the economy and society. However, understanding the “what if” is only the first part of the equation; a range of improvement measures to mitigate such effects need to be identified and implemented. These measures should consider reducing the risk, lessening the consequences, aiding the response, and speeding up the recovery. However, they need to be objectively assessed through quantitative analysis, which underpins them technically and economically. Without such analysis, it cannot be predicted how measures will perform if the extreme events occur. It is also vital to consider all possible hazards, as measures for one hazard may hinder the response to another. The Holistic Integrity Test (HIT) uses quantitative system analysis and “HITs” the site, its infrastructure, contained dangers and wider regional system to determine how it copes with a range of severe shock events, Before, During and After the event, whilst also accounting for uncertainty (as illustrated in figure 1). First explained at the TINCE 2014 Nuclear Conference in Paris, it was explained in terms of a Nuclear Facility needing to analyse the site in response to post Fukushima needs; the HIT is, however, universally applicable.
The HIT has three key risk reduction goals: the ability to tolerate and withstand shocks, while continuing to sustain key safety functions; the ability to wisely direct and manage the crisis situation, accounting for the diverse scenarios that could occur; and the ability to quickly recover and stabilise to a safe and secure state that is stable and sustainable in the long term.


Introduction
In this paper, we discuss the need for a new way to assess risk, particularly at the more extreme end of the spectrum of hazards, where the focus is on coping with and recovering from hazards. We discuss the need for analysis and quantification in what is now commonly referred to as resilience. The first part of the paper sets the scene and provides evidence why the existing risk assessment approaches are no longer enough, illustrating the shortcomings with some examples. The second part of the paper introduces the Holistic Integrity Test (HIT), which is a new method for risk assessment to deal with the issues not being addressed by existing methods.

The Evolution of quantified risk analysis of systems and needs of the future
Today, we all face a fundamental technical challenge: how to carry out credible and realistic quantified risk analysis now and into the future, when there exists profound uncertainty with the effects of climate change, compounded by an increasing population that tends to congregate in urban regions that happen to be extremely complex. The holistic characteristics of such complexity could be broken down into simpler parts related to the physical fabric, natural environmental resources, human populace, economic conditions, political stability, social well-being and feeling of general security as we live and work day to day. How we think about doing and using quantified risk analysis into the future shall have to account for these diverse factors, encompassing many parts of our civilised life that could be classed into structural, non-structural, tangible and intangible systems. Never before have we needed to rethink the logic and method for carrying out objectively based risk analysis, recognising that we must now consider much more critical relationships and interactions as we start to experience factors like global sea level rise and superstorms, while potentially jeopardising tightly coupled service and supply networks that have become public expectations.
The future new logic and methodology that we must develop in order to carry out quantified risk analysis that can produce useable objective evidence for critical decision making shall need to be founded on a number of key principles:
• Taking a more "Holistic" approach to capture the essence of our fabric and daily life;
• Applying a "Systems" approach for describing bounds, perspective and context of what is at "risk";
• To clearly define the "Exposure" potential of an urban region and its populace at a given time into the future;
• To understand the loss of "Integrity" due to system weaknesses against hazards, shocks and threats;
• To think beyond design standards and consider exceedance.
Many approaches to risk management in Europe and internationally involve an assessment of a) probability of occurrence and b) potential consequence (or loss), with Risk being the product of the two. The origins of this approach can largely be traced back to the 1970s and the nuclear power industry. The consequences of a nuclear incident (such as a reactor meltdown leading to a radiological release) were thought to be too serious to contemplate within society, and very few mitigation options exist. In other words, if an incident happens which leads to a serious radiological release, something bad will happen to those exposed and mitigation will only reduce the long term impacts. This meant that the focus turned almost entirely to prevention and specifically reducing the probability of the incident occurring. Managing the residual risk was vital in continuing to operate and commissioning new nuclear plants. However, nuclear reactor powerplants are complex systems and assessing the probability of something happening that leads to a release of radiation is not easy, which called for sophisticated probabilistic analysis. The foundations of probabilistic analysis were introduced approximately 40 years ago, in the Reactor Safety Study (WASH-1400), prepared by Norman C. Rasmussen and sponsored by the U.S. Atomic Energy Commission [1]. The fundamentals of the event tree and fault tree probabilistic techniques developed in WASH-1400 are now used in Probabilistic Risk/Safety Analysis (PRA/PSA), which are fundamental to the identification and reduction of risks in Nuclear facilities around the world today. The purpose of the probabilistic analysis in a PRA/PSA is to identify risk reduction measures that need to be addressed in order to demonstrate that the residual risk has been adequately lessened to below a specified threshold and can be justified to be lowered As Low As is Reasonably Practical (ALARP) / As Low As is Reasonably Achievable (ALARA). In annual chance of occurrence terms, a 1 in 10,000 chance in a given year of a nuclear incident is typically the maximum frequency allowable.
Hence, the approach to quantified risk analysis used in the high consequence safety-critical industries matches a commonly used probability multiplied by consequence model. That type of risk simulation will continue to be used. But in this risk-based logic lies a fundamental problem: since the possible danger is so final and potentially severe, the quantified risk analysis is used purely to establish cost benefit on how much to spend on preventative safeguards; essentially solving the "exam question". A different exam question arises with the advent of gross future uncertainty, as with climate change causing mass flooding: "can we cope"? This raises a completely new and different set of problems that 'normal' quantified risk analysis, focused on prevention, is unable to answer. This paper does not discuss the threshold at which the probability cut-off is made, but rather emphasises that the focus is well and truly on probability reduction, with little analysis of how to cope with the hazard's consequences. Let us now expand on this type of thinking.
Over the past five years there has evolved a growing need to re-benchmark how we do and perceive the use of quantified risk analysis. On the 11th March 2011 the great north eastern earthquake and tsunami caused tens of thousands of people to die and three of the four nuclear power reactors at Fukushima Daiichi to melt down. In addition, governments across the globe have come to realise that climate change is both real and is causing extreme variations never before experienced by our civilisation, which is also ever growing and settling in denser population centres. We can use the quantified risk analysis methods used in WASH-1400, but we must now include the imperative to test whether we can cope with extreme hazards. The eastern seaboard of the USA is especially vulnerable to global and local sea rise. Hurricanes Katrina and Sandy were warnings that we must test our ability to cope with extreme transient conditions, checking for how much damage of our complex networks, services and supplies can happen. We need to make sure that our protection measures (like sea walls and flood protection systems) will actually do what we think they should do. We also have to be aware of the known limitations of designs, testing coping when design standards are exceeded. Hence, we have to holistically test our protection systems and ensure that our coping strategies actually work. Not only that, but we must also ensure that the previously designed and installed protection systems do not act as inhibitors, or at worst amplifiers of the loss consequences, while hampering the response and recovery countermeasures. Therefore, in addition to the earlier mentioned key analysis principles that encompass the consideration of the holistic context, the system being affected, the exposure potential, and the system's probable loss of its functional integrity, we also need to properly account for the limit states and behaviour of the impacted system, and:
• To better work out what the needed "Coping" strategies should be; for example, by introducing enhanced system robustness, preparedness and resilience.

The common approach to risk management
The existing method of risk assessment commonly used (outlined in section 1), probability multiplied by consequence, has been widely applied across many industries including Flood Risk Management (FRM). In FRM, risk is generally calculated as probability of flood event multiplied by consequences of flooding. The probability generally takes the form of the return exceedance of a particular magnitude of flooding, generally quoted as an annual chance (1 in 100), probability of occurrence (1%) or as a return period (1 in 100 years). The consequences are typically the potential losses incurred from a flood event through flooding of property and assets, usually monetised for use in cost benefit analysis.

Design return exceedance probability
The common method of risk assessment outlined in section 2.1 generally focuses on reducing the probability of occurrence of consequences. In FRM, this typically takes the form of a physical measure to prevent a certain magnitude of flood from reaching the area at risk from flooding. This may take the form of upstream flood storage, hard defences such as a wall or embankment or some form of improved conveyance. The design standard of protection provided is generally quoted as the return exceedance probability of the design flood event, quoted as an annual chance (1 in 100), probability of occurrence (1%) or as a return period (1 in 100 years). In England and Wales, implemented measures to reduce probability typically protect against floods with annual chance in the range 1 in 75 to 1 in 200, with some large tidal barriers up to 1 in 1000. There is variance across the rest of Europe, but the design standard is broadly speaking within this range.
However, any return exceedance probability event can be exceeded. When a design based on a particular return exceedance probability event (a probability cut-off) is exceeded, then the consequences can be extreme. In the nuclear industry, with consequences so potentially severe, the design probability of exceedance is reduced to a very low value, typically 1 in 10,000. If this probability cut-off is exceeded, extremely severe consequences are expected but the intention is that over the design life of the nuclear plant, it will not be exceeded. Therefore, a high confidence level in this value is required; this confidence level is achieved using sophisticated probabilistic techniques developed in WASH-1400. It is also possible because the nuclear plants being analysed are largely man made systems, allowing logical analysis.
Yet in flood risk, the same risk calculation is applied, but the design return exceedance is an order of magnitude higher (more frequent), in the range 1 in 75 to 1 in 200, compared to 1 in 10,000. This becomes important when you consider the design life of the risk management measures in question. A nuclear plant may be designed for 40 years' operation and extended to 60 years. Assuming a design standard of 1 in 10,000 annual chance is sustained over the design life, this equates to a 1 in 167 chance of occurrence over 60 years; the chance of exceedance of this and the unwanted consequences occurring is just less than this (say 1 in 170). If a flood risk management measure with a sustained design standard of 1 in 100 annual chance is to be operated for a similar life, the equivalent chance of the design standard event occurring is approximately 1 in 1.7; with the chance of exceedance and consequences slightly less (say 1 in 2).
Whilst the figures quoted above are approximations, they illustrate the distinct possibility of exceedance over the design life of a flood risk management measure. However, the existing risk management method only sets the standard of prevention and does not assess how the location would cope with exceedance. This design life failure chance is not generally understood by the public.

Climate change and uncertainty
As explained in 2.2, the existing flood risk management approach includes an inherent, but not always understood, acceptance of exceedance over the design life, but does not necessarily include any analysis of the exceedance events. However, climate change and sea level rise can have a dramatic effect on the return exceedance probability; some high end sea level rise scenarios can turn a present day 1 in 1000 event into a 1 in 150 by 2050, and can become an event occurring more than once a year by 2100.
There are currently several predictions of climate change based on various emissions scenarios run through climatic models, and as science develops, there will be more. This all adds to the uncertainty of future analysis and risk management, with risk managers pondering which predictions to base their decisions on. Yet thinly spread public budgets do not allow us to build defences against the highest predictions. The point here is that there is an increasing chance that flood risk management measures will be exceeded over their lifetime, but a range of predictions brings with it uncertainty as to how that chance will change. Current risk management tends to focus on setting the optimum economic standard of protection based on risk reduction (prevention of flooding). As part of this process, climate change is generally analysed over the proposed design life, but this only informs the choice of design standard and plans for future raising. For future raising, it is common to use so called managed adaptive approaches, which raise the level of defences with time, deferring large expenditure well into the future. However, with such uncertainty over the magnitude and rate of sea level rise, predicting the best time to raise is all but impossible, so it can become an uncomfortable gamble between defence raising as defence standard diminishes. No matter what the initial standard of protection, and whatever plans are put in place to raise, flood management measures are likely to be exceeded over their proposed design life. Yet current methods do not properly analyse what happens during exceedance.
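The design-life figures quoted for the nuclear and flood standards, and the climate-driven drift described in this section, worked through as an added example that is not from the original paper. It assumes independent years; the 35-year span to 2050 and the log-linear drift between the quoted 1 in 1000 and 1 in 150 probabilities are assumptions made for illustration.

```python
import math


def linear_chance(annual_p, years):
    """n * p approximation; reproduces the 1 in 167 and 1 in 1.7 figures in the text."""
    return annual_p * years


def exact_chance(annual_probs):
    """Chance of at least one exceedance over the life, assuming independent years.

    annual_probs holds one annual exceedance probability per year, so the
    standard of protection is allowed to change from year to year.
    """
    survive = 1.0
    for p in annual_probs:
        if not 0.0 <= p <= 1.0:
            raise ValueError("annual probability must lie in [0, 1]")
        survive *= 1.0 - p
    return 1.0 - survive


def drifting_probs(p_start, p_end, years):
    """Assumed log-linear drift of the annual probability from p_start to p_end."""
    if years < 2:
        raise ValueError("need at least two years to drift between two values")
    step = math.log(p_end / p_start) / (years - 1)
    return [p_start * math.exp(step * i) for i in range(years)]


def one_in(chance):
    """Express a probability as the N in '1 in N'."""
    return 1.0 / chance


def design_life_table(life_years=60):
    """(label, '1 in N' by n * p, '1 in N' exact) for the two standards in the text."""
    rows = []
    for label, p in (("nuclear, 1 in 10,000", 1 / 10000), ("flood, 1 in 100", 1 / 100)):
        rows.append((label,
                     one_in(linear_chance(p, life_years)),
                     one_in(exact_chance([p] * life_years))))
    return rows


def climate_comparison(years=35):
    """Lifetime chance with a fixed 1 in 1000 standard versus one that drifts
    to 1 in 150 by the end of the period (35 years is an assumed span to 2050)."""
    fixed = exact_chance([1 / 1000] * years)
    drifting = exact_chance(drifting_probs(1 / 1000, 1 / 150, years))
    return fixed, drifting


if __name__ == "__main__":
    for label, approx, exact in design_life_table():
        print(f"{label}: 1 in {approx:.1f} (n*p), 1 in {exact:.1f} (exact)")
    fixed, drifting = climate_comparison()
    print(f"fixed 1 in 1000: 1 in {one_in(fixed):.0f}; drifting: 1 in {one_in(drifting):.0f}")
```

For rare events the two methods agree closely, but at a 1 in 100 standard the linear figure overstates the exact one, and a drifting standard roughly triples the lifetime chance compared with a fixed 1 in 1000.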

Risk reduction through probability reduction progressively builds cliff edges
Existing risk management tends to drive towards reducing the probability of a consequence occurring to as low a level as possible within the constraints applied. The constraints on this reduction are generally economic, technical and environmental. A number of factors, such as increased awareness amongst the public, the trend for instant news on natural disasters creating political pressure, and climate change increasing the magnitude and frequency of various natural events, are all leading to a desire for higher standards of protection. Should the economic, technical and environmental constraints allow these increased standards, this will in many cases lead to higher flood defences such as walls or embankments. However, with reducing probability tends to come increasing consequences. An obvious statement perhaps, yet the real issue is that as you increase standards of protection to reduce the frequency of flood events, the consequences of flooding are rarely addressed. The higher the standard of protection, the lower the probability of exceedance, but the higher the consequence of exceedance. In other words, by striving for higher and higher defences, we are creating some potentially large, if not catastrophic, consequences for future generations. This is compounded by the tendency for complacency to develop in communities where there are visible flood defences. The probability of individuals responding to flood warnings or calls to evacuate reduces when defences are introduced. There will inevitably be a point where the consequences are so severe and the recovery so long that the location never recovers. This point is rarely captured in existing assessments.

Consequence reduction is not the focus
With the focus on reducing risk by reducing probability of occurrence, there is typically a lack of attention given to reducing the consequences. There is some attention given to measures such as flood proofing, flood warning, planning rules to control development and new floor levels, places of safety and more thinking on emergency stand-by pumps, but this tends to be secondary to probability reduction and some of it reactive following large events. However, taking note of what has been said in 2.4, consequence reduction should perhaps get more consideration, and perhaps equal consideration to probability reduction.

The wider system of exceedance
As discussed in previous sections, if a flood risk management measure is exceeded, it is likely to be a relatively extreme event and the consequences are likely to be large. The required response to the event is likely to require resources from outside the area at risk of flooding, whilst the area at risk would have been the focus of analysis up to that point. Essentially, the system will have changed and expanded, and unless analysed, some important effects of the consequences on the system may be missed. Examples may be loss of transport networks hampering emergency response; power supply lost causing a secondary consequence like pump failure or hospital closure; or a national shortage of vital goods through supply chain impacts. Existing flood risk management typically looks at the direct losses from flooding in exceedance events; it does not analyse how the location copes with the consequences and doesn't widen the system boundary.

Cost benefit analysis and economic theory prevents management of the extremes
It is not true to say that existing risk management does not consider the extreme exceedance events. These events are considered at a direct loss level and included as residual risk in cost benefit analysis (CBA). However, cost benefit analysis in flood risk management typically adopts an annualised approach to risk assessment, considering a range of extreme events and factoring them by the annual return exceedance probability to get an annualised estimate. Therefore, a loss from a 1 in 1000 flood event will be divided by 1000 in the CBA model. This makes it hard for extreme events to influence expenditure on flood risk. This is further compounded by discounting, with future losses discounted to present day. The theory is well accepted, with governments preferring to defer expenditure into the future where there is uncertainty. However, this means that the effects of climate change over the next 100 years have less impact on the outcomes of CBA and it is difficult to justify large expenditure now to deal with potential future climate change.
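The annualising and discounting argument above, as an added example that is not from the original paper. The 500 million loss, the 3.5% discount rate, the 100-year appraisal period and the step change to a 1 in 150 annual chance from year 50 are constructed values chosen for illustration.

```python
def annualised_loss(event_loss, return_period_years):
    """Loss factored by its annual exceedance probability, as the text
    describes: a 1 in 1000 loss is divided by 1000."""
    return event_loss / return_period_years


def present_value(event_loss, annual_probs, discount_rate):
    """Probability-weighted loss per year, with year t discounted by (1 + r) ** t.

    Year 0 is left undiscounted (a convention assumed for this example).
    A discount_rate of 0.0 gives the undiscounted expected loss.
    """
    return sum(event_loss * p / (1.0 + discount_rate) ** t
               for t, p in enumerate(annual_probs))


def late_share(event_loss, annual_probs, discount_rate, split_year):
    """Fraction of the present value that arises from split_year onwards."""
    total = present_value(event_loss, annual_probs, discount_rate)
    early = present_value(event_loss, annual_probs[:split_year], discount_rate)
    return (total - early) / total


# Constructed appraisal inputs (not taken from the paper).
LOSS = 500e6                                   # loss if the extreme event occurs
RATE = 0.035                                   # assumed annual discount rate
YEARS = 100                                    # assumed appraisal period
STATIONARY = [1 / 1000] * YEARS                # 1 in 1000 throughout
WORSENING = [1 / 1000] * 50 + [1 / 150] * 50   # 1 in 150 from year 50 onwards


def climate_uplift(discount_rate):
    """How many times larger the worsening scenario looks than the stationary one."""
    return (present_value(LOSS, WORSENING, discount_rate)
            / present_value(LOSS, STATIONARY, discount_rate))


if __name__ == "__main__":
    print(f"annualised loss: {annualised_loss(LOSS, 1000):,.0f} per year")
    pv = present_value(LOSS, STATIONARY, RATE)
    print(f"present value over {YEARS} years: {pv:,.0f} ({pv / LOSS:.1%} of the event loss)")
    print(f"share of present value from years 50-99: {late_share(LOSS, STATIONARY, RATE, 50):.1%}")
    print(f"climate uplift undiscounted: {climate_uplift(0.0):.2f}x")
    print(f"climate uplift discounted:   {climate_uplift(RATE):.2f}x")
```

With these inputs, removing the extreme loss entirely is worth under 3% of that loss in present-value terms, and discounting roughly halves the apparent effect of the later increase in probability.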

Examples where existing risk assessment was lacking

Fukushima Daiichi (Japan) - design exceedance and failure of coping
On March 11th 2011, an Earthquake and Tsunami at the Fukushima Daiichi Nuclear Power Plant resulted in meltdown in three of the six reactor units. There are many contributing factors but fundamentally TEPCO, the plant operators, were not prepared for a beyond design standard event. Contributing factors include:
• Event beyond design standard - the plant and defences at Fukushima Daiichi were not designed to withstand a Tsunami of the magnitude of that which occurred on the 11th March 2011.
• Distributed Hazard - the Earthquake and Tsunami resulted in devastation across the Fukushima region, making the prioritizing of activities during the response very difficult.
• Unpracticed emergency procedures - the Japanese believed that Nuclear power was inherently safe; a culture existed where operators trusted that they would never need to work outside of their normal operating conditions. Emergency procedures were never practiced, such that during the accident conditions, operators spent 20 hours trying to locate a pressure relief valve.
• Evacuation - during the evacuation some people were mistakenly directed to areas where the hazard was more severe. The evacuation procedure was unclear, and communication to the general public was poor.
In this example, we are not suggesting that the risk assessment should have recommended a higher standard; such extreme hazards will always have the potential to exceed the design standard. However, it was well within The key lesson from the Fukushima accident is to expect the unexpected and address what would happen if a beyond design basis event were to occur.

Hurricane Katrina (New Orleans, USA) - design exceedance, duration of recovery
Over fifty breaches in New Orleans's hurricane surge protection were the cause of the majority of the death and destruction during Katrina on August 29, 2005. Eventually 80% of the city was flooded and the floodwaters lingered for weeks. Some areas of the city have never recovered. Some deaths resulted from thirst and starvation of stranded residents. Some of the flooding has been attributed to design failings in the defences; however, this is not our focus here. Even with stronger defences, perhaps even with higher crest levels, they would still have failed at some point in the future. This disaster merely brought forward the inevitable and exposed the true potential for severe short and long term impacts from hurricane surges in this location.
Whilst the flooding on this occasion may or may not have been possible to prevent, it should have been possible to predict the extent of the damage and duration of the recovery. Instead, this caught authorities by surprise, and in many ways left the response lacking.

York (UK) Flooding - design exceedance, lack of contingency and unforeseen failure [2]
On 26th December 2015, significant flooding occurred in the UK City of York. A significant area of the flooding occurred where the River Ouse (the main river through York) and the River Foss (a tributary of the Ouse) meet. The Foss has a largely urbanised catchment and responds quickly to high rainfall; the Ouse has a largely rural catchment, responding to heavy rainfall in the surrounding hills with a typically slower rate of rise. The Foss barrier is a 16.5 tonne gate normally held raised above the Foss to allow boats to pass. During high levels in the Ouse, the barrier is lowered to make a seal with the river bed and prevent the Ouse from backflowing up the Foss channel. During this time, the Foss cannot discharge into the Ouse and it must be pumped round the barrier into the Ouse. If levels in the Foss reach the level of the Foss barrier, a significant number of properties flood; to reduce the risk of this happening, 8 pumps discharge the flow from the Foss into the Ouse when the barrier is down.
Over the Christmas period 2015, significant rainfall fell over a wide enough area to create high levels in both the Ouse and the Foss, with the Foss barrier lowered to protect from the Ouse levels. Further rainfall resulted in the Foss barrier pumps being overwhelmed (flows above design standard) and Foss levels rising more quickly than Ouse levels downstream of the barrier. The water from the Foss then found a way into the electrical switch rooms for the pumps and barrier. If the electrical supply to the barrier was lost with the barrier in the down position, water levels in the Foss would have continued to rise to the barrier crest level. If electrical supply was also lost to the pumps, the rise would occur even more quickly.
The authorities decided to raise the Foss barrier on the evening of the 26th December, to reduce the rate of rise to that of the Ouse. With the barrier in the raised position and pumps switched off, the electrical supply was isolated. A report has demonstrated that this was the right course of action in the circumstances, with these actions reducing the rate of rise and buying time for the emergency services. The barrier was lowered again late on 28th December with help from a helicopter, four pumps were restarted in the early hours of the 29th December, electrical power was restored via a temporary bridge installed by the army the morning of the 30th, and this allowed the remaining four pumps to start and the barrier to regain operational capability.
In the circumstances, the authorities dealt well with this situation. However, although the design exceedance and unexpected coincidence of two river events could have been modelled, no contingency pumping was in place. Unlike a long reach of defence walls, a pumped defence is one instance where such contingency may be viable. The potential vulnerability of the electrical supply to high Foss water levels could have been foreseen with some simple what-if questioning (what if the pumps and barrier failed down; how could this happen). This is not to say an easy solution would have been available, but the knowledge would have been useful in understanding above design flood events. The defences took several days to recover and in this time the area was at greater risk from the Ouse. The recovery period is important to understand for resilience.

North of England Flooding - design exceedance and under prepared response
The towns of Carlisle, Keswick and Cockermouth in Cumbria, UK, all share a common fact. All three towns flooded in December 2015 having had flood defences installed relatively recently. The defences did not fail structurally; rather they were overtopped and their design standard exceeded.
After these events, questions were asked by local residents and the media: "how could this happen again?" However, the fact is, as mentioned in section 2.2, that the design standards of most flood defences, which may appear high, are actually relatively likely to be exceeded during their design lives. When defences are analysed and appraised by the authorities, they are built for the long term, with design lives up to 100 years. However, with design standards typically in the range of 1 in 75 annual chance to 1 in 200 annual chance, the probability of exceedance over the design life is actually quite high. In other words, these defences are being designed to be exceeded during their life.
There is no problem as such with defences being designed to be overtopped. However, the focus is generally on the defences remaining structurally sound when overtopped. There is little focus on the analysis of exceedance in terms of consequences. As such, whenever this occurs it always appears to come as a surprise to those affected and the authorities. There are reports from some of the affected areas that the businesses that had installed property level protection were able to re-open only a couple of days after the flooding, suggesting they had mitigated the consequences of that exceedance event; this suggests scope to increase this side of the analysis.

The needs of the future

Resilience
As the hazard from flooding increases with climate change, we will have to consider that our defences will be exceeded more often. This moves the focus from risk reduction to resilience. In very broad terms resilience involves three fundamental and generic principles:
• The ability to tolerate and withstand shocks, while continuing the economic output and normal everyday life;
• The ability to successfully direct and manage severe or extreme hazard crisis situations, accounting for the diverse scenarios that could occur;
• To be able to quickly recover and stabilise to a safe and secure state that is stable and remains sustainable in future, accounting for climate change effects.
The objectives for resilience can then be summarised as encompassing: anticipation; situational awareness; stabilisation; mitigation; intervention and recovery. In this context it is anticipated that resilience improvement could be focused around and include:
• Enhancements to (on and off site) engineering to reduce vulnerability and weakness to both the event and capability to respond to it;
• Improving preparedness to respond to beyond design standard events through anticipated and planned mitigation and intervention measures and processes;
• Enhanced situational awareness capability (on and off site);
• Enhanced emergency arrangements and capability (to survive the event);
• Enhanced response capabilities (stabilisation, mitigation, intervention & recovery);
• Enhanced response capabilities storage and access (on and off site).
To deliver against these objectives, we cannot simply expand the existing traditional design basis to more unlikely events or greater magnitudes (higher standards of protection) by applying the same tools and techniques that inform today's flood risk management investment. Instead this needs a structured approach to understand and establish the sensitivity (weakness/vulnerability) of the location/city (the system), as a starting point, with the additional consideration of its ability to provide post event response capabilities. This wider approach of considering unexpected shocks and events on the system, and the provision of a response capability to allow the system to adapt and respond to them, is much more fitting to the needs of the future, where the system needs the ability to adapt and evolve such that it survives.

Quantification
To deliver the resilience objectives is going to require investment. This investment will need to cover enhancements to the robustness of existing assets, and improving the ability to respond and recover; this is going to be a large investment. As we know from flood risk management in the last few decades, any large investment like this needs justification and is scrutinised with more rigour year on year as budgets get squeezed from all sides. In summary, the decision makers who have the power to sanction investments are going to want to see objective quantified analysis to underpin proposed investments in resilience. They will also want to see a degree of cover of their liability should things not go to plan. This cannot rely on solutions drawn up at practitioner workshops.

Concept
The Holistic Integrity Test (HIT) [6] aims to bring quantified analysis to resilience. It analyses a system's vulnerability to all possible conditions, including severe shock events, that could impair the quality and soundness of the whole socio-technical system. It is a 360-degree look around, to understand interfaces with system, hazards, shock and threats. Consideration is given to the overall system characteristics in order to ascertain probable and possible problems, indicating weaknesses inherent in the system's structural and non-structural parts, which may then be further investigated for resilience improvement and loss-risk reduction measures.
The HIT includes 10 key risk-related considerations that question if the threat posed by severe natural hazards is being adequately accounted for and managed, thereby enhancing the capability to reduce the risk and consequences as far as is reasonably practicable:

Systems thinking and what if testing
Fundamental to the HIT is the need to first increase our awareness by understanding the system in question; to put this another way, we need to genuinely understand the problem and the exposure potential before we move to modelling the hazards (in this case flooding) and designing solutions. We need to understand how the system functions, the various dependencies and interactions, understand where it is weak and vulnerable and understand what could go wrong, i.e. the exposure potential. In the case of flood risk, the system may be a town or city, or perhaps an industrial area or whole estuary.
To do this, we employ top-level "Systems Thinking". Systems thinking is a management discipline that concerns an understanding of a system by examining the linkages and interactions between the components that comprise the entirety of that defined system [3,4,5].
This starts in the HIT with a System What-if Test (SWIFT), where the system and design basis of any existing and proposed measures are stress tested against various forms of severe shock to understand how they behave once designs are exceeded. This defines the exposure potential, which considers both structural and non-structural parts of the system and/or organisation being investigated, together with the specific emergent dangers that are likely to be released if the hazards and/or shock events were to occur. The SWIFT is an open-minded appraisal of what anticipated and unanticipated events may occur for the particular system. A consolidated schedule of all the "What If These" events that could happen is equivalent to the Structured What If (SWIFT) approach that is applied in ISO/IEC 31000 Guidance on Risk Management.
Forms of severe shock are caused by loads and conditions that exceed the original design basis or operating capacity of a structural and/or non-structural component. Reasons that cause severe shock events may be summarised into the following types of scenarios:
- Greater magnitudes
- Longer periods
- Bigger spatial impact
- Combined conditions
- Coincidental failures
- Cascade and domino
In the SWIFT, we ask what if these actually happened? What would be the effect? Could the System survive? Could we cope? Could we recover to normality? This is done in a structured SWIFT workshop, which brings together key individuals from key stakeholders who can answer the what-if questions at a high level. The SWIFT is multi-discipline, cross cutting and is a forum to bring the entire system together. It is definitely not undertaken in traditional discipline silos. We often find this is the first time that organisations, departments and different disciplines actually come together in the same workshop to discuss such issues. This allows a system interaction that is not possible in other approaches which use a central body to interview individuals from these different organisations/departments/disciplines and collate responses.
However, what is fundamental to the HIT is that the SWIFT is structured and captured in a way to allow it to be carried forward into the quantitative analysis and modelling. It does not simply form the basis of a report and recommendations; it is simply the start of the analysis.

System modelling, shock event scenarios and coping cycle
The information, understanding and data gained from the SWIFT is then moved into system modelling tools and software. This pieces together the system into a practical model, with a focus on the objectives of the resilience analysis. The modelling includes basic techniques such as fault and event tree logic models, but with temporal and spatial components and success tree modelling.
The HIT applies the shock event to the system, modelling the before, during and after effects on the system, which includes the recovery to the state previous to the shock, or a degraded state or even an improved state (figure 1). The shock event is likely to take the form of hydraulic modelling outputs in the case of flood risk management. The shock simulation and system understanding are used to ascertain system vulnerability and weaknesses during the events, modelling the complete coping cycle to derive losses from the shock. The system recovery, or lack of it, is important and can be used to understand cliff edges.

Options and coping strategy development
An understanding of the system vulnerabilities and weaknesses, scale of damage and likely recovery can then be used to formulate various strategies and interventions to mitigate the shock event. The important aspect here is that this can only be done once this understanding is available.

Expect the Unexpected
Accidents and disasters like Japan (March 2011), and Hurricanes Sandy and Katrina in the USA, show us that we can no longer rely on prediction and risk reduction through prevention. A range of shocks can occur, including climate change extremes, which, when they are overlaid on old and poorly designed infrastructure that is vulnerable, can lead to extreme damage and disaster situations. We must now consider and assess how to cope with the premise of "Expect the Unexpected". This will require contingency measures and unexpected contingency, in addition to robustness improvements to existing systems.
We would use the results from the system modelling under shock to inform the range of contingency measures.

System Integrity - the damaged system
This is an understanding of the soundness of the system under a shock event. Does it work well and stay together after being exposed to various shocks? Will the system be damaged, and if so, how and what effect will it have on coping with the shock? This is extremely important when analysing if a coping strategy or contingency is going to be effective. Many coping strategies rely on a response to an event. They are often supplementary to hard engineered risk reduction measures, available to assist the response if needed. However, their success will generally require access to the flood damaged area, emergency personnel to implement them, communications to coordinate and services such as electricity or fuel. Yet all of these requirements are likely to be impacted by the event they are aiming to assist with. For example, in the case of Fukushima, the debris fields hampered the response to the tsunami damage. An understanding of the viability of such coping strategies and the status of the wider systems they rely on is a fundamental part of the HIT.

Analysis to inform the emergency planning and preparedness
An integral part of any coping strategy to a severe or extreme shock event is going to be the response of the emergency services. Their job is to some extent to "expect the unexpected", and they do this very well. However, we feel that resilience analysis could make their job a little bit easier. For instance, by making a direct link between the resilience analysis and emergency services, we can help test the success of proposed emergency responses using the HIT modelling to identify success paths. Such paths will have a high chance of success, avoiding debris obstruction, or alternatively being pre-warned and ready for debris clearance. Modelling of the many planned responses can identify conflicting responses, such as a call to evacuate preventing emergency access.
In summary, we are suggesting that we can model and analyse the response to refine and optimise the plans and resources. We want to move from after-event accident investigation to pre-event accident modelling.

Quantitative measurement and analysis of robustness and resilience
Ultimately, the HIT brings quantitative measurement and analysis of robustness and resilience, which is important as it objectively indicates what the real situation is, as opposed to subjective perception and/or political interpretation. Such quantitative measurement is important to ensure that proposed coping strategies, including robustness improvements, contingency measures and unexpected contingency, will work as planned under shock conditions. It will also be required to underpin proposed improvements to tackle liability issues and justify investments.
The HIT's more in-depth test methodology uses an objective quantitative risk analysis model. The newly developed temporal-risk analysis equation, designated the Severe Shock Event Risk (SSER) equation, has been formulated in order to objectively study the socio-technical system's potential exposure level to hazards and shocks and the structural fabric's intrinsic vulnerabilities and weaknesses, to estimate how much damage and consequential loss can occur, and finally to inform on the likelihood of being able to recover the economy and local society to a sustainable state into the future.
The new SSER is able to better model the risk from severe and extreme natural hazards. Although it appears detailed and somewhat "mathematical", it is quite practical and soundly based. Such a new risk equation by its very definition had to be holistically derived when trying to model severe/extreme natural hazards and climate change effects, hopefully improving upon the "blunt instrument" offered by the basic legacy risk assessment measure of probability and unmitigated consequence alone.
Of specific note is that the SSER equation has been holistically derived by considering the actual temporal sequence of a severe or extreme shock event and its spatial effect, causing damage and loss on a potentially large scale across the regional system of concern. Hence, the SSER is broken down into three risk modelling parts that account for: (i) the hazard exposure and loss potential before any impact occurs; (ii) screening of the region's vulnerability and its weakness to be damaged and what the integrated losses would be; (iii) the amount of effort and time that is needed to recover from the consequential damage and integrated losses that the region has experienced.

SSER = f {Exposure Before + Damage During + Ability to Recover After}    (1)

The SSER is made up of uniquely defined parameters that are quantitative and can be represented as a mathematical matrix set, formulated to encompass the temporal exposure, damage-loss and recovery sequence.

Influencing future investment decisions
In flood risk management, proposed investment is currently bound by the rules of economic appraisal as defined by various government agencies. As discussed in 3.7, annualised losses and discounting limit the ability to invest in hazard protection at the extreme end of the spectrum (so called resilience). However, we hope by quantifying the true losses, both in money and time of recovery, we may be able to influence investment decisions.
We can use the analysis and SSER equation to generate resilience ratios (figure 3), which will allow comparison of improvement options on holistic terms, which reflect not just risk reduction, but recovery improvements. We can show the true losses of the shock events and true benefits of improving resilience by including long term recovery losses with the short term damage impacts (figure 4). However, we have to recognise that even such metrics may not stimulate investment under current economic methods and funding prioritisation.
Where we hope to really make a difference is in identifying the point at which risk reduction (defence raising for example) ceases to be viable as the consequences of exceedance are permanent loss, i.e. the system (city) never recovers. In such circumstances, the investment needs to re-focus to resilience and coping and this will no doubt need a new prioritisation method for investment.
To illustrate the application of the HIT, we explain an example based on a city in a coastal location. The city does not exist in reality, but aspects of several examples around the world have been used to form the example.
The city is a reasonable size, coastal location facing out to open sea, has a history of severe cyclonic storms, is low lying and generally flat, with several hundred thousand properties at potential risk from flooding. Historically the city has been a major military naval base and is still a significant base today. Military personnel need to access the base during extreme flooding. The city has several areas which are economically deprived and there is a push to develop the city economically, with some areas prone to flooding identified for development should the risk be reduced.
The city is at risk from tidal inundation, which presents the largest risk. It currently has tidal frontage hard defences (sea walls) which are both ageing and in need of raising. The city, like many coastal locations, also has a significant river running through the centre, which has a flood barrier to protect against tidal surges. The river has raised defences (walls and embankments) to protect against a mix of high river flows and tide-locking. The city also suffers widespread flooding from surface water when drainage is insufficient for extreme rainfall events, although a major pumping station has recently been installed to reduce a focused area of this risk.
The city is accessed by one major road and one major rail route; to the other side is flood plain and the coast.
Flooding is both a major risk to the people of the city and seen as holding back the development of the city and surrounding region.

Conventional flood risk management
Flood risk management is split into three separate assessments to reflect the different nature of the flooding and different responsible authorities. The three assessments cover tidal flood risk, river flood risk and surface water flood risk; however, due to the low lying flat nature of the city, many properties flood from all three sources. All three sources of flooding have been modelled extensively with sophisticated 2D hydraulic models, which have been used to inform flood risk management assessments.
The tidal flood risk has been assessed and it is recommended that the sea walls are repaired, replaced, and raised to provide a present day standard of protection against floods with a return period of 1 in 200 annual chance. The current economic guidance prevents any higher raising as the cost-benefit ratio is not enough. Sea level rise will present a major challenge with some predictions reducing the present 1 in 200 return period to an event in the order of annual frequency by the end of the century. There are future plans to raise defences to cope with this increase, but this will be done many years into the future to defer some of the costs and find the most economic solution. If the existing tidal defences were to overtop or breach, there would be significant flooding and likely risk to life. If such an event were likely, the hope is that adequate forecasting would enable flood warning, possible evacuation and defence strengthening. However, the major road and rail routes could be compromised by the flooding, as well as some significant infrastructure, including some hospitals. Under some more extreme tidal flood events, there would be long term consequences and it is questionable if the city would ever recover.
The flood risk from the river has also been assessed and a similar approach and standard to the tidal defences has been recommended. Due to the nature of the flood risk, flooding is more likely from the raised defences breaching, which could lead to extensive flooding as the low lying area fills with water. In the event of a breach, similar plans would be implemented to the tidal flooding, but warning time could be much less.
The surface water flood risk is more complex to solve, requiring multiple local schemes, involving a mix of pumping and storage. This is being assessed but is struggling for funding as the benefits relative to costs are less than for the tidal or river flooding.
All flood risk management proposals are costly and are struggling for funding. There is a hope that private investment can be unlocked and contribute on the basis that land will benefit from reduced flood risk.

Using the HIT for analysis of the problem
Applying the HIT, the first activity would be to gather all three authorities representing the three flood sources at a SWIFT workshop. Also invited would be key representatives from the infrastructure of the city (water supply, water treatment, electricity, gas, communications, hospitals, emergency services) plus representatives from the naval base. In the workshop what-ifs would be posed related to severe and extreme shock events, including flood and storm events, and a system understanding would be developed.
The SWIFT would look at all scenarios and reveal some significant issues. For instance, in the event of major tidal flooding with a storm coming in from the sea:
- The power supply to the tidal surge barrier would be lost and the barrier would not be able to be raised for several days. This would lead to significant flooding from the river unless pumping could be provided.
- Power would also be lost to several key water infrastructure assets including a major water treatment works, the major storm water pumping station and sewage treatment works. It would not be possible to re-instate mains water supply for many days and sewage would have to be discharged without treatment for a period into the sea.
- Although the key hospitals would not flood, they would be cut off and would lose electricity supply and communications. Their backup power would last for a few days.
- The planned evacuation would take much longer than flood risk managers assumed and may not be possible in the warning time provided by forecasts.
- The road and rail exits would be amongst the first infrastructure to flood.
- The naval base would need to remain operational in almost all conditions, including full staffing levels, but would need the roads and rail access for naval staff to access the base.
- If defences are raised to a certain height, the effects of flooding from a failure would be catastrophic, destroying some property and key naval infrastructure rendering the base inoperable.
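The dependencies in the workshop findings above can be carried into a time-stepped cascade model; the following is an added example, not the HIT's own modelling or the SSER equation. Asset names follow the findings, while the outage windows, the 72-hour hospital backup and the rule that an asset recovers as soon as its dependencies do are assumptions made for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Asset:
    name: str
    depends_on: tuple = ()   # every listed asset must be up for this one to work
    backup_hours: int = 0    # ride-through time once a dependency is lost

def dependency_order(assets):
    """Order names so each asset comes after everything it depends on."""
    by_name, order, state = {a.name: a for a in assets}, [], {}
    def visit(name):
        if state.get(name) == "visiting":
            raise ValueError(f"dependency cycle at {name}")
        if name not in state:
            state[name] = "visiting"
            for dep in by_name[name].depends_on:
                visit(dep)
            state[name] = "done"
            order.append(name)
    for a in assets:
        visit(a.name)
    return order

def simulate(assets, direct_outages, horizon_hours):
    """Step hour by hour; return {asset: [hours in which it is down]}."""
    by_name = {a.name: a for a in assets}
    order = dependency_order(assets)
    streak = dict.fromkeys(order, 0)   # consecutive hours with a dependency down
    down_hours = {n: [] for n in order}
    for t in range(horizon_hours):
        down_now = set()
        for name in order:
            start, end = direct_outages.get(name, (0, 0))
            lost_dep = any(d in down_now for d in by_name[name].depends_on)
            streak[name] = streak[name] + 1 if lost_dep else 0
            if start <= t < end or streak[name] > by_name[name].backup_hours:
                down_now.add(name)
                down_hours[name].append(t)
    return down_hours

def summarise(down_hours):
    """Map each asset to (first hour down, total hours down)."""
    return {n: (h[0], len(h)) if h else (None, 0) for n, h in down_hours.items()}

def with_backup(assets, name, hours):
    """Return a copy of the model with one asset's backup duration changed."""
    return [replace(a, backup_hours=hours) if a.name == name else a for a in assets]

# Asset names follow the workshop findings; every duration is constructed.
CITY = [
    Asset("grid_power"),
    Asset("road_rail_access"),
    Asset("tidal_barrier", ("grid_power",)),
    Asset("water_treatment", ("grid_power",)),
    Asset("storm_pumping_station", ("grid_power",)),
    Asset("sewage_treatment", ("grid_power",)),
    Asset("hospitals", ("grid_power",), backup_hours=72),
    Asset("naval_base", ("road_rail_access",)),
]
SHOCK = {"grid_power": (0, 96), "road_rail_access": (6, 120)}  # (start, end) hours

if __name__ == "__main__":
    for name, (first, total) in summarise(simulate(CITY, SHOCK, 168)).items():
        print(f"{name:22} first down at h{first}, down for {total} h")
```

Comparing the baseline with `with_backup(CITY, "hospitals", 96)` shows the hospitals' outage disappearing once backup duration matches the constructed grid outage, the kind of cliff edge the coping-cycle modelling is meant to expose.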

Figure 1. Conceptual effect on system with a severe hazard/shock/threat

Figure 3. Resilience ratios for systemic robustness, feasibility of recovery and long term residual

Figure 4. Integrated losses; temporal effect with total consequential impact loss

the authorities to predict and model what could happen in the event of defences being exceeded by a tsunami and the site being exposed to tidal inundation. This piece of analysis would have revealed potential weaknesses and provided data to inform the emergency planning and response.