Content uploaded by Frederic Petit
Author content
All content in this area was uploaded by Frederic Petit on Mar 31, 2016
Content may be subject to copyright.
Life support networks allow the delivery of essential
services such as energy, water, telecommunications, etc.
They are the guarantees, for a society, of properly func-
tioning socioeconomic activisties, in respect to health
and safety of the general population. These networks
are constituted of a multitude of interrelated infra-
structure, which, upon the failure of one component,
can provoke, by the domino effect, the failure of other
components up to the point of a network-wide failure.
Therefore, the network can no longer carry out the oper-
ations for which it was designed. This domino effect
can also be observed between several networks that
are interconnected. The goal of this report is to present
a methodology for the evaluation of these domino effects
among life support networks.
This work is in line with the current international
trend toward establishing efficient and effective man-
agement plans for life support networks based on the
antagonistic concepts of maximum production and min-
imum risk. This approach is complex because the con-
sequences are great for populations and socioeconomic
activities upon failure of these networks. Thus, the need
to have operational emergency measures based on an
exhaustive evaluation of risks makes itself felt follow-
ing the appearance of increasingly frequent catastro-
phes. Analysis of the needs of emergency response
managers of life support networks established that the
behavior of these networks should have been studied
for the entire set of possible failure conditions, not
only for the most extreme events. Finally, the evalua-
tion of the domino effects between life support networks
demands an extremely multidisciplinary work and the
integration of technical, economic, and social expert-
ise. Therefore, a very real problem of risk communica-
tion exists.
In order to respond to the limitations of emergency
measures and the evaluation of risks as a function of
the domino effect between several life support networks,
a new structural approach was developed at the Centre
risque et performance of the École Polytechnique de Mon-
tréal. It is based on the characterization of the essential
elements of the network, which allow it to carry out
the operations it is allocated. This approach focuses on
the identification of the consequences of poor efficiency
of the network, then on the evaluation of its vulnera-
bilities. Thus, the domino effects can be identified and
studied. This approach will be explained in general
terms after presenting the overall context of emergency
measures and risk.
This report is composed of five major parts. First,
the problems faced by life support networks will be
presented. Second, the general notion of risk will be
explained in order to define the diverse challenges that
the managers of these networks must face. Work is cur-
rently being done on risk and life support networks.
They will be fully explained and analyzed in order to
define the characteristics of the new structural approach,
which will be presented in the last chapter. This will be
completed by a demonstration of the potential uses of
the structure of this approach for risk studies, emergency
response measures, and risk communication. Finally, the
application of such an approach in developing countries
will be presented.
Context
Life support networks are made up of a multitude of
civil infrastructure, which ensure the correct function-
ing of industrial activities and provide essential services
Chapter 17
A New Structural Approach for the Study
of Domino Effects between Life
Support Networks
Benoît Robert, Jean-Pierre Sabourin, Mathias Glaus, Frédéric Petit,
Marie-Hélène Senay
245
for citizens (Selcuk and Semih 1999; O’Leary 1997). Life
support networks composed of civil infrastructure can
be grouped according to the following categories
(Isenberg 1991; Lau 1995):
•Electricity (generation, transportation, distribution
infrastructure, etc.)
•Natural gas and liquid fuels (storage, transporta-
tion, distribution infrastructure, etc.)
•Potable water and wastewater (collection, treatment,
storage, transportation, distribution infrastructure,
etc.)
•Telecommunications (broadcasting, cable transmis-
sion, distribution infrastructure, etc.)
•Transportation (road systems, public transportation
systems, etc.).
Thus, these networks fulfill fundamental roles for the
proper functioning of a society by ensuring essential
services concerning the health and safety of populations
and the proper functioning of the economy. When a
life support network fails, the human and socioeco-
nomic repercussions are very significant. Therefore, they
cannot be ignored (Hubbert and Ledoux 1999).
Life support networks are made up of a set of strongly
interrelated components. The components, which are
directly related to the role of the network, form a pri-
mary network, but parallel or secondary networks—
such as remote control and computer networks—exist.
The set forms an integrated system whose reliability
depends on the set of its components. As soon as one
component exhibits a failure, the impact on the system
not only depends on the importance of the component
but also on the importance of the components linked
to the faulty one. In addition, the components of sev-
eral networks can be linked, provoking repercussions
by way of the domino effect (Allen 1997; Plate 1996;
Moses 1998; Lemperiere 1999).
A good understanding of the dynamics of these net-
works is therefore essential in order to avoid benign
malfunctions transforming into major crises. The numer-
ous catastrophic events observed throughout the
world over the last few years demonstrate just how much
the safety of the human and the natural environment
depend on the proper functioning of infrastructure. In
addition, the events of September 11th, 2001 in the
United States show that infrastructure is vulnerable to
varied acts of malevolence.
Various life support networks are currently being
studied by way of risk studies, the risk being the prod-
uct of the probability of recurrence of an event by the
consequences that the event begets (Kaplan 1997). These
studies generally only consider precise events (scenar-
ios) that can provoke a failure (CAN\CSA 1991). They
are normally focused on obtaining a unique result
(economic, technical, or industrial risk) and base them-
selves on the study of a finite number of natural or tech-
nical events (Stedinger and others 1996).
Nevertheless, analysis of past catastrophes indicates
that the actual methods of risk evaluation only par-
tially reflect the real risk of failure of these networks.
The origin of the events is rather of an anthropic nature;
in other words, they combine natural events with tech-
nical malfunctions and human intervention. In effect,
not only are the life support networks subject to unfore-
seen natural turns of events, but equally the infrastructure
that they are made up of differ in age, state, nature,
design, etc. The management methods used call upon
both automated systems and human intervention; how-
ever, several catastrophes are due or amplified by human
error (Hubbert and Ledoux 1999; Reason 1990).
On the other hand, current risk studies aim, for the
most part, to put a figure on the risk of failure, so that
the identified consequences must, generally, be expressed
as a number, often a dollar value. Social impacts, although
quite tangible, are broached very lightly or not at all,
while environmental impacts, even more intangible, are
often ignored. This approach, therefore, has a ten-
dency to minimize the consequences of a potential fail-
ure of a life support network. It does not permit a realistic
portrayal of the situation or the development of efficient
and effective emergency and mitigation measures. In
addition, the interrelations between several life support
networks are often neglected because certain links that
unify these networks are not identified.
Finally, the current risk studies are generally carried
out without regard for the highly multidisciplinary nature
of these works. In effect, to realize these works ade-
quately, it is important to gather experts from all tech-
nical, social, and emergency measures disciplines (as
much from the life support networks being studied as
from the communities affected by failures of the networks)
as well as the various competent authorities (BIT 1990)
and the other interconnected life support networks.
246 Building Safer Cities: The Future of Disaster Risk
Unfortunately, the communication between these con-
cerned parties is underestimated during the course of
these studies.
Risk: General Concepts
The notion of risk encompasses several concepts, which
must be clarified. This section sets out the general guid-
ing principles of the management, evaluation, percep-
tion, and acceptability of risks. They allow a clearer view
of the context of the problem presented by risk com-
munication, which is essential in the study of domino
effects between life support networks.
Risk Management
Risk management is a complex process during which
decisions concerning risks are made by reconciling
notions of analytic procedures that are necessary for the
efficient management of risk and the human, legal,
administrative, political, and organizational dimensions
of the decision-making process (Covello 1986). Fur-
thermore, efficient risk management corresponds to effi-
cient allocation of limited resources (Dynes 1994). It is
a question of identification, estimation, evaluation,
reduction, and control of risks (Petts 1992), allowing
the reinforcement of the ability of those involved to
interact in an organized manner during the prevention
and preparation phases. In this way, the goals of risk
management can be to control and reduce the risks to
an acceptable level, to reduce the level of uncertainty
in the decision-making process regarding risks, and to
increase the confidence of the public or other concerned
parties in the decisions taken (Gutteling and Wiegman
1996).
A life support network is a risk generator. It can be
considered the starting point of this approach; the infor-
mation the network possesses confers upon it a major,
even essential, role. Moreover, it is faced with an imper-
ative: its mission. In this context, it tries to reconcile its
obligations and constraints with the interests of the
community where its production facilities are located.
The identification and the estimation of risks take from,
without contradiction, the technical and scientific domains.
From a managerial point of view, expertise coming from
other disciplines, such as economics, law, and commu-
nication, must be taken into consideration.
Risk Communication
Risk communication is generally described as an exchange
(Covello and Merkhofer 1994; Leiss 1990), bilateral
(CAN/CSA 1997) or interactive (U.S. NRC 1989), of
information, perceptions, opinions, and preoccupations.
“As a discipline, risk communication tries to achieve
an adequate understanding of the communication
processes in the risk area, an understanding that responds
to its inherent complexity and array of participants. In
terms of its practical orientation, risk communication
seeks to improve the workings of these processes, and
so to reduce the level of mistrust among participants.
The ultimate objective is to assist in the formation of
the reasonable consensus in contemporary society on
how to assess and manage risk” (Leiss 1989).
There are two types of information circulation: within
a domain or a network and between several domains
or networks. Furthermore, a model proposed by Leiss
(1989) suggests that the difficulties of communication
will be even more considerable once information passes
from one domain to another. This process of commu-
nication is channeled, constrained, by the nature of risk
itself, but also by the institutional communication chan-
nels already in place. In this way, the circulation of infor-
mation relies on two approaches: structured and
nonstructured. The structured approach translates
into committees with sitting members being govern-
ment representatives, risk generators, experts, and
representatives of the public. The nonstructured approach
relies on the circulation of information arising from the
routine contact between those involved. These routine
contacts are a good starting point to put into motion a
more complete approach. However, they are not enough
for the risk communication approach and must be
enriched for a greater efficiency.
Communication must, therefore, play a role in medi-
ation that serves the entire group of concerned parties,
where each one gains by integrating into this media-
tion space if it wants its point of view known and if it
wants to exert some influence on the overall process of
risk management. This mediation, based on the exchange
of information and perceptions, represents the very
A New Structural Approach for the Study of Domino Effects between Life Support Networks 247
essence of risk communication. The explanation of the
nature of risks, as well as the preventive and response
measures put in place for the concerned public, will be
accomplished in a language understood by all and pre-
viously validated by representatives of concerned par-
ties. “In the revealed-preference and risk compendia
approaches favored by technical experts, a technology
is judged to be socially acceptable if the risks of death
associated with it do not exceed the risks of death asso-
ciated with comparable technologies. These approaches,
therefore, yield an absolute number of “acceptable” fatal-
ities (a so-called ‘acceptable risk’ level)” (Covello and
others 1986).
It becomes clear that the formation of committees
intended to improve the communication and the man-
agement of risk must include technicians and special-
ists capable of judging the scientific and technical data
(expert sphere), as well as citizens (public sphere) capa-
ble of rigorously validating the proposed measures.
“While expert knowledge of many different kinds is
called upon to address the complexity of such risks,
non-experts are also called upon to approve or disap-
prove, ultimately through political processes, deci-
sions based on accumulated facts and reasoning”
(Leiss 1989).
The task of clear communication is further com-
pounded by the presence of not one, but many publics,
characterized by a public mood that fluctuates, a public
perception that is inconsistent throughout the popula-
tion, and a public view that is difficult to measure
(Middlekauf 1989). Despite these constraints, a dem-
ocratic society must find ways to place specialized knowl-
edge into the service of public choice. Moreover, it must
be perceived to do so (Powell 1996).
Acceptability and Perception of Risks
Generally speaking, the notion of perception is associ-
ated with the public, media, and special interest groups
belonging to the public sphere. It is defined as an intu-
itive judgment regarding the nature and importance that
a risk presents for health. Nevertheless, it can be
defined and characterized by factors that influence it,
such as the level of understanding of the risk in ques-
tion, the fear resulting from the expected rate of death
and disease, as well as the size and the characteristics
(e.g., children) of the threatened population (Covello
and others 1994; U.S. NRC 1989; Leiss and Chociolko
1994).
Therefore, the domain of risk perception depends on
the social context, the political decision-making process,
and the influence of the population on the competent
authorities that are part of the process of risk manage-
ment. The public sphere gathers interested parties
who are normally more reactive when facing risks and
the actions or inactions of governments or risk gener-
ators. The understanding of the public, in the face of
risks, is generally limited by the perception of these
risks, resulting from their disturbing nature and from
the way this information is presented.
The acceptability of risks relies upon the presump-
tion that there is a probability that an event might not
occur. Thus, the population, tacitly or explicitly, accepts
the existence of these risks if they are below a certain
threshold and if the benefits related to their existence
exceed the perceived risks (Leiss 1994). It seems that
the population pays more attention to the qualitative
characteristics of the risk, while the sphere of expert-
ise is more concerned with the assessment of the level
of death and disease potentially linked to the risk
(Covello 1986). Moreover, the population seems effec-
tively ready to accept a certain level of risk if they per-
ceive it as being justified or if the risk allows them to
reach some goal or provide certain advantages (e.g.,
generate a job). Alternatively, it will be much more dif-
ficult for a risk to be accepted if it seems to be imposed
or if it is in opposition with certain values. Therefore,
the acceptability of risks will be part of the negotiation
between the interested parties, according to their respec-
tive perceptions of risks (Renn 1998).
The decisions coming from the competent author-
ities will be made while considering the acceptability
and perception of risks by society in an economic, social,
and political context. To not take into account the
acceptability and the perception is to risk controversy
and failure. In addition, two types of language are
used regarding risk, namely technical language and
perceptible language. Competent authorities are strad-
dled between these two languages that they must master.
Thus, they have an essential role to play in the under-
standing of the scientific and technical problems of risk,
while paying attention to the perceptions of the public
248 Building Safer Cities: The Future of Disaster Risk
sphere (BIT 1990). The competent authorities have
no choice other than to consider the risk in question
in a social, human, technological, political, and eco-
nomic global perspective (Leiss 1989).
Risk Studies: Traditional Approach
Risk definitions found in literature are numerous and
diverse, and content themselves to rule on the nature
of risk (Seidou 2002). Among these definitions, that of
Rowe (1997) best summarizes the approach used at
present. In this approach, risk is defined as being the
potential of incidence of unwanted and negative con-
sequences of an event. In technical fields, definitions
include a clause allowing the calculation of a value, gen-
erally by multiplying the probability of occurrence of
harmful events by the severity of these events, expressed,
generally, in monetary units. These formulas can apply
themselves to sequences of events (scenarios) by sum-
ming, for all the events, the products of the consequences
and the probability (Kaplan 1997; CAN\CSA 1991;
Stedinger 1996). Even though the use of probabilities
to assess risks related to extreme events is currently ques-
tioned (Zielinski 2001; Robert and others 2002a), the
approach that studies a finite number of scenarios remains
largely privileged in a highly linear process (figure 17.1).
This approach is based on the prior establishment
of boundary conditions. For every modification of the
initial conditions, the process is repeated, thus estab-
lishing as many scenarios (Law and Kelton 1991). Over-
all, this approach consists in first defining the source
event of the potential risk. The characteristics of the
event make up the source data of the model. This model
is established in order to simulate the behavior and the
effects of the event in a specific context (study area,
delimited geographical space, etc.) with specific objec-
tives (scale of representation, time progress, etc.). The
results of the simulation show the consequences engen-
dered by the event in the study area (city, region, potable
water supply network, etc.). These results can be illus-
trated using maps or balance sheets (Quach and others
2000).
Conventional risk analysis mainly focuses on extreme
events, of which the probability of occurrence is extremely
low. In such a context, the event is considered a
hazard, which is defined as being an unforeseeable or
a disruptive event (United Nations 1984). Within the
framework of risk analysis, a hazard can be defined as
a generic class gathering a potential set of causes, or as
a source of causes. For example, a hurricane is a hazard
that can generate causes like flooding of an underground
public transportation network, or strong winds that can
damage power lines.
Hazards
A risk or a hazard is an event. A cause is defined as being
the origin, the reason, for which an event occurs. It is
generally accepted that causes are of a natural or an
anthropic origin. The term “natural” refers to the phys-
ical world, except for humans and their works, and to
what occurs spontaneously in the universe without the
intervention of calculation, reflection, or will, which are
considered the prerogative of humans. The term “an-
thropic” relates to human industry, that which is made
by humans, that which is due to the existence and the
presence of humans. Based on these definitions, it is
possible to say that an anthropic cause, due to the exis-
tence of humans, is the cause that will bring about an
event (failure, malfunction) affecting the studied sector.
A natural cause, contrary to an anthropic cause, is not
at all influenced by human activities.
Today, it is increasingly difficult to define an excep-
tional event as exclusively of natural origin (IPCC 2001).
Risks are in interaction with one another (Zielinski 2001;
Denis 2002). In this context, no event said to be natu-
ral can be completely independent from human activ-
ities, particularly with regard to extreme weather
phenomena (tornadoes, hurricanes, ice storms, tor-
rential precipitations, floods). It is, however, admitted
that a natural event can be considered a trigger, where
the human activity and the anthropic risk that result
from it are defined as aggravating elements. In addition,
the anthropic causes are mostly internal to a system,
while natural causes are external to it.
A New Structural Approach for the Study of Domino Effects between Life Support Networks 249
Event Model Consequences
Figure 17.1 Risk scenario: a linear process
Although risk studies of either of the two types of
events (natural or anthropic) follow the same generic
approach, it appears important to make a distinction
in their specific treatment. Effectively, this distinction
allows the differentiation of hazards coming from out-
side a life support network from those propagated inside
this same network.
Natural Events
Particularities of exceptional natural events lie in their
low predictability. Therefore, the evaluation of natural
causes is essentially carried out using quantitative and
predictive methods based on statistical analyses and sto-
chastic modeling (IPCC 2001; Zielinski 2001; Bier and
others 1999). In this case, the establishment of a model
draws, on the one hand, on physical laws that govern
the components of the event (e.g., hydraulic laws in the
case of a flood) and, on the other hand, on the analysis
of prior recorded events in order to validate the model.
Historical, morphological, and cartographic studies as
well as studies more specific to the studied phenome-
non (seismic risk, floods, etc.) are fundamental in order
to collect data necessary to the proper operation of sto-
chastic models. It is a matter of better understanding
phenomena in order to better predict them.
Consequently, it is possible to simulate a multitude
of synthetic events (scenarios). The results of these sto-
chastic models are generally illustrated as maps, graphs,
and tables (RNC 2002). They allow reporting of the
effects of the event upon the studied geographical site.
As an example, table 17.1 shows three cases of the
evaluation of the consequences of natural causes.
These generic results are generally obtained in the
form of maps that integrate, for example, water levels,
tornado corridors, and wind speeds or even seismic
zones. This way of expressing the results has the
advantage of offering a global vision of the expected
impacts of the hazards in a given territory. However, the
approach generally followed during these evaluations
does not integrate, a priori, the concerns of the man-
agers of the life support networks located in the studied
territory (figure 17.2)
Therefore, for those in charge of the networks (par-
ticipants B and C, figure 17.2), the risk evaluation for
their infrastructure requires a specific approach for the
interpretation of the generic results obtained by par-
ticipant A. This process of nonintegrated sequential
250 Building Safer Cities: The Future of Disaster Risk
Table 17.1 Cases of evaluation of consequences of natural events
Official Application Model(s) Reference
U.S. Geological Survey Earthquakes in the Mississippi Embayment http://www.ceri.memphis.edu/usgs/model/
United States reference model index.shtml
U.S. Federal Emergency National Flood Insurance Numerical models accepted http://www.fema.gov/mit/tsd/en_modl.htm
Management Agency Program (NFIP)
National Hurricane Tropical cyclone track and Operational track guidance http://www.nhc.noaa.gov/aboutmodels.html
Center intensity guidance models models
Participant A
Natural
hazards
causes
Model
Generic
results
Participant B Participant C
… Processing of the generic results
according to their fields of activity …
Figure 17.2 Evaluation of the impacts of a natural
hazard and use of the results
steps highlights two main limitations. The first is related
to the single-sequence approach, generally observed by
authors of natural hazard studies (participant A). The
second limitation is related to the need of those in charge
of life support networks (participants B and C) to eval-
uate not only the most unfavorable scenario, but also
the set of potential situations with which they can be
confronted, in order to be able to understand the dynamic
behavior of their network and thus anticipate some mit-
igation or emergency measures.
Anthropic Events
Anthropic events refer to two main categories: techni-
cal malfunctions and human reliability. If the first cat-
egory is relatively well known and integrated into
analyses, the second one is in many regards minimized
in risk studies.
It is, however, important to differentiate between reli-
ability and human error (Nicolet and Celier 1985).
Human reliability is the probability that an individual,
a team, or a human organization, will accomplish a mis-
sion, under given conditions, within acceptable limits,
within a certain length of time. A human error is a behav-
ior that exceeds acceptable limits (variation between
what has been done, perceived, understood and what
should have been done). These two definitions demon-
strate that the study of human errors takes place after
the event occurs. In contrast, studies of human relia-
bility take place before the event takes place.
The study of human reliability is complex since it
can be approached in two different ways. A first approach
consists of defining human reliability as the gathering
of human errors, violations, and positive actions that
could be carried out by participants. Human errors arise
from intended actions (mistakes) and unintended actions
(slips, lapses). As shown in figure 17.3, drawn from
Reason (1990), a slip corresponds to a failure of atten-
tion, while lapses are failures of memory. Mistakes
refer to the incorrect application of a good rule or to
the correct application of a bad rule. Violations, accord-
ing to Reason (1990), “...can be defined as deliberate,
but not necessarily reprehensible, deviations from those
practices deemed necessary to maintain the safe oper-
ation of a potentially hazardous system. Therefore, the
border between violations and faults is often difficult
to determine.”
A second approach consists of differentiating latent
malfunctions from active malfunctions (Reason 2000).
Active malfunctions have almost an instant effect and
are often related to the operators of the system being
considered. Latent malfunctions, as their name indi-
cates, are more insidious since they can go by unno-
ticed until an event or a combination of events makes
them active. This last type of malfunction is related to
individuals, such as managers, who are remote from the
control interface (Reason 2000). Due to their nature,
latent malfunctions, which are more likely to affect a
system, are more difficult to assess than active errors.
Therefore, many studies tend only to consider active
failures in their evaluation methods. This differentia-
tion between types of malfunctions presupposes that
only a series of latent and active human malfunctions
can lead to the failure of the system.
When it becomes a matter of integrating anthropic
events as causes of potential risk, the approach proves
to be complex. However, these events can be taken,
not only as a direct cause, but also as a potential tech-
nical cause. Technical malfunctions are principally found
at the design, construction, operation, and maintenance
stages. These malfunctions are related to human factors.
It is not easy to differentiate between the two, and for
this reason, the notion of sociotechnological risk is often
A New Structural Approach for the Study of Domino Effects between Life Support Networks 251
UNSAFE
ACTS
UNINTENDED
ACTION
INTENDED
ACTION
VIOLATION
MISTAKE
LAPSE
SLIP
BASIC ERROR
TYPES
Attentional failures
Intrusion
Omission
Reversal
Misordering
Mistiming
Memory failures
Omitting planned items
Place-losing
Forgetting intentions
Routine violations
Exceptional violations
Acts of sabotage
Rule-based mistakes
Misapplication of good rule
Application of bad rule
Knowledge-based
mistakes
Many variable forms
Figure 17.3 Summary of the psychological varieties of
unsafe acts
Source: Reason 1990.
employed (Denis 1998). Even in the case of a mechan-
ical breakdown, human intervention cannot be disre-
garded, because it may be the result of an error in design
or maintenance. Therefore, the theoretical approach
normally relates human causes with technological causes.
In this category, there exists a multitude of tools,
which are more or less specialized and dedicated to
activities such as design, operation, maintenance, and
management of a network. In particular, certain models
permit the simulation of a technological risk (for
example, breakdown of a transformer station in a power
grid) and the measurement of the behavior of the net-
work faced with the risk. The organizations responsi-
ble for civil infrastructure generally have at their
disposition these models, which allow the simulation
and operation of their networks.
Limitations of Current Risk Studies
Profiting from the never-ending increase in perform-
ance of computers, these software tools allow a large
number of parameters and variables to be taken into
account. Nevertheless, the limitations of these models
have less to do with the computing power than with
fundamental understanding of natural phenomena, such
as meteorological events (hurricanes, tornadoes, or
cyclones). Models of natural phenomena collide with
the complexity of the interactions, between environ-
mental elements as much as between technological
elements. At present, models are mathematical relations
simplified from the rules of behavior of natural phe-
nomena. In effect, the majority of models rely on a com-
bination of empirical and theoretical relations (Tyagi
2001), which by their very nature imply incertitude as
much for the input values as for the algorithm of the
model being used. Therefore, these sources of uncer-
tainty are reflected in the results (output).
In addition to the incertitude engendered by the
ignorance of the behavioral mechanisms and interrela-
tions between different components, conditions of a
scenario are defined by historical data and the statistical
analysis of this data. However, certain authors (Bier and
others 1999) highlight the specific character of extreme
events. They define them as events that are at once
severe and outside the normal sequence of occurrence
of the system in question. This statement highlights the
uncertainty that exits in the area of the study of extreme
events (data and models). Presently, the form under which
risk study results are presented makes it difficult to take
into account this fundamental dimension of uncertainty.
For example, analysis of the risk of dam rupture (tech-
nological event potentially engendered by a natural hazard)
allows the establishment of a flood map for the regions
downstream of the infrastructure as a function of a fixed
scenario. However, taking into account sources of expressed
uncertainty, the results (water levels) do not allow the
managers of essential infrastructure, potentially affected
by the flood, to grasp the entire set of potential effects of
the event on the components of their infrastructure in
order to evaluate the consequences on the different mis-
sions of the essential infrastructure. For example, the mis-
sion of a potable water network is to deliver a volume of
water, of sufficient quality, with a minimum pressure.
Analysis, a posteriori, of so-called natural catastro-
phes shows, more often than not, that extreme events,
which on one hand are difficult to foresee according to
the models being used and the previously defined bound-
ary conditions (recovery time, initial conditions, etc.),
can combine with other events (technological risks,
etc.), which amplify the effects and the consequences
(Lavallée 2000). Scenarios consider, in general, single-
event conditions (simple hazards). This characteristic
is implicitly required for the statistical treatment of
previous events. So studies of catastrophes highlight the
synergetic effect that can exist between generators of
natural, technological, and human risks (Denis 2002).
For example, a hurricane engenders not only direct con-
sequences on populations, but also on essential infra-
structure (flood of an underground public transportation
network, felled telecommunication relays or electric
power distribution pylons, etc.). Out of service or mal-
functioning parts of the infrastructure, by definition,
have negative effects on one another and finally on the
functioning of civil society. This statement and the result-
ing consequences are repeated more and more often,
particularly in industrialized societies with essential
infrastructures that are increasingly complex and
interrelated. However, even if there are differences
between societies in industrialized countries and devel-
oping countries, the development of life support net-
works always tends toward an increased complexity and
interdependence.
252 Building Safer Cities: The Future of Disaster Risk
To be able to treat overall the multiple and complex
relations that encompass tangible and intangible param-
eters, one of the advocated approaches is to refocus the
analysis on essential infrastructure. In effect, simulation
of natural hazards does not integrate, a priori, the expec-
tations of the managers of these infrastructures. In this
context, the reference should no longer be the causal
event, but the infrastructure itself, which, if it does not
fulfill its mission completely or in part, engenders con-
sequences on civil society, and other infrastructure. From
here, research of potential causes that generate devia-
tion from the missions is accomplished with respect to
the preoccupations of the managers, regardless of the
type of risk: natural, technological, or human. In this
context, study of the domino effects between life sup-
port networks is clearly necessary in order to be able
to evaluate the risk and to contemplate emergency meas-
ures in order to respond adequately to catastrophes.
New Structural Approach
The classical approach, which consists of analyzing a life
support network from a finite number of potential fail-
ure causes, does not allow consideration of the entire
set of situations. In addition, the domino effects between
networks are rarely identified and considered. With
regard to the very nature of life support networks, which
have human and socioeconomic consequences result-
ing from their failure, it is dangerous not to have a com-
plete picture of the possible situations. To respond to
this disquieting situation, a new approach is proposed
to carry out an exhaustive study of life support networks.
This analysis will act as a catalyst for the study of the
domino effect between several life support networks.
The proposed approach relies on a precise character-
ization of the functions of a life support network, its
modes of operation, and the infrastructure that composes
it. The analysis of a life support network is based on two
study methodologies. The first is an evaluation of the
consequences of failure of the network, while the second
is a determination of its vulnerabilities. All of this infor-
mation will serve the study of the domino effects between
several life support networks. Case studies carried out
by the École Polytechnique de Montréal will illustrate
the proposed methodologies; the confidentiality of these
results has been maintained by removing all informa-
tion that could identify the zones studied.
Characterization of a Life Support Network
Fundamentally, a life support network is created in order
to fulfill certain missions or functions directly related
to human activity. To do this, certain operations are
available to managers of this network. In terms of engi-
neering, a network is composed of a set of important
infrastructure components, of which some are essen-
tial in terms of vulnerability of the network. A network
fails once one mission cannot be fulfilled in whole or
in part, following the failure of one or several opera-
tions or of infrastructure. Therefore, there is a notion
of degree of efficiency of a mission. The description of
the three principal elements—mission, operation, and
essential infrastructure—follows below.
Mission: the mission of a life support network cor-
responds to a function for which it was designed
and built.
As an example, the mission of a potable water supply
network is to:
•maintain a quality of water suitable for human
consumption;
•provide water (volume and pressure) in order to
fight fires;
•provide a volume of water;
•etc.
The mission of an electrical network is to:
•maintain constant electrical power;
•maintain a minimum electrical power;
•provide at least some organizations (hospitals...)
with electrical power;
•etc.
Operation: an operation is a technical process
allowing direct or indirect actions on part or all of
the network in order to accomplish the mission; these
actions can be automated or manual.
As an example, the operations of a potable water
supply network include:
•pumping;
•treatment;
•storage;
•etc.
A New Structural Approach for the Study of Domino Effects between Life Support Networks 253
The operations of an electrical network include:
•energy generation;
•transportation;
•distribution;
•etc.
•Essential infrastructure: infrastructure corresponds
to installations that are necessary to accomplish the
operations. Infrastructure is essential when it has a
primary role in the proper functioning of the network.
As an example, the essential infrastructure of a potable
water supply network is:
•ozonator;
•reservoir;
•pump;
•etc.
The essential infrastructure of an electrical network
is:
•transformer station;
•hydroelectric generating station;
•high voltage power lines;
•etc.
To fulfill a mission, several operations are available; an
operation uses a certain amount of essential infrastructure.
Figure 17.4 shows a schematic of these elements and
their potential interrelations. For example, the essen-
tial infrastructure (E.I. 1) allows the network to fulfill
its mission (M. 2) using the operations (O. 1 and O. 3).
These operations depend on the specificity of each
life support network and must be established with the
managers, design engineers, and the technical and oper-
ations managers. The correct identification of these
elements is essential to defining their efficiency and their
importance. These notions can be defined as follows.
Efficiency: an element is 100 percent efficient when
it adequately fulfills the task for which it was designed.
If an element cannot fulfill all of the tasks, its efficiency
decreases. When an element is out of service, its effi-
ciency becomes zero. Therefore, efficiency can vary
between 100 percent and zero. This efficiency is
evaluated differently depending on the elements:
•Mission: a mission is 100 percent efficient if all of
the conditions that characterize it are present and
the set of clients affected by the mission is served.
•Operation: an operation is 100 percent efficient if
the management procedures are valid, adequately
applied, and known by all of the personnel.
•Essential infrastructure: an essential infrastructure
is 100 percent efficient if it is in good condition,
functions correctly, is used within the design norms,
was designed according to the existing norms, etc.
Importance: characterizes how an element is essen-
tial for a network
•Mission: a mission is essential if it represents a
priority that whose fulfillment is imperative; some
missions can be secondary.
•Operation: rules of operation are essential if they
ensure a minimum level of service, while some
rules of operation can be identified as refine-
ments or can be used to ensure an optimization
of operations.
•Essential structure: the importance of an essential
structure is a direct measure of its role in the net-
work. In the case of a failure, or cessation of serv-
ices, the consequences on the correct functioning
of the network and the accomplishment of the
missions are significant.
Thus, a network is functional if the entire set of its
missions is fulfilled with a degree of efficiency of 100
percent. Once a mission is no longer efficient, the net-
work fails. A failure results from a vulnerability of the
network, in other words, once an operation and/or an
essential infrastructure is no longer efficient. The size
of the vulnerability depends on the importance to the
mission of the nonefficient elements.
There are two distinct notions, in terms of analysis,
related to correct functioning of the network: failure
and vulnerability. Failures of a network provoke con-
sequences on populations and socioeconomic activities
and will, therefore, be studied from the angle of the
study of consequences. Vulnerability of a network will
be analyzed by way of the study of vulnerabilities, which
254 Building Safer Cities: The Future of Disaster Risk
E.I. 1 E.I. 2 E.I. 3 … E.I. i
O. 1 Operations
O. 2
O. 3
…
O. i
M. 1
M. 2
M. 3 Missions
…
M. i
Essential infrastructure
Figure 17.4 Diagram of the characterization of a life
support network
allows the affected elements to be established. These
two studies are described in the following pages.
Consequence Studies
Analysis of current risk studies shows that the approach
by scenarios is too restrictive for studying life support
networks. In effect, these scenarios generally advocate
a macrosequential approach, based on the evaluation
of past events, composed of natural or technological
risks, where human reliability is rarely integrated. Finally,
they consider extreme events to the detriment of the
intermediate situations that affect a set of well-defined
infrastructure, usually coming from one network. These
studies bring about a generalization of knowledge,
whereas only a part of the entire set of possible situa-
tions has been analyzed. It follows that there is an appar-
ent gap in the evaluation of vulnerabilities of a network
and the domino effects resulting from the multiple fail-
ures that can arise. To alleviate these major weak-
nesses, during risk studies and the planning of emergency
measures, a new approach is proposed: the study of
consequences (Robert 2001b, 2002b).
A study of consequences is based on the following
fundamental principles:
•A life support network fails when one of the missions
for which it was designed is no longer fulfilled with
an efficiency of 100 percent.
•The reduction of efficiency of the mission of a life sup-
port network is studied without consideration for
the causes that could have provoked the reduction.
•All of the degrees of efficiency of a mission are ana-
lyzed from 100 percent to zero, in a manner that
covers all of the possible situations.
From the preceding principles, a study of consequences
of a life support network is carried from the six princi-
pal steps, described generally below:
1. Evaluation of variations in efficiency of missions
Each mission of a life support network is analyzed
in technical terms in order to identify experts who
should be involved in the project to characterize the
failures and evaluate the consequences.
2. Sequential evaluation of missions according to
their importance
Prioritization of the study of consequences as a
function of the their importance. This step will
allow evaluation of the resources to establish those
that are available and those that must be sought.
3. Failure study related to the variation of efficiency
of a mission
Once a mission is not respected, the potential fail-
ures are numerous. For example, the mission of a
potable water supply network can be inefficient fol-
lowing multiple failures, such as chemical, biologi-
cal, or bacteriological contamination, etc. The
identification and characterization of these failures
are important in order to evaluate the potential con-
sequences properly. Failures can be grouped as a func-
tion of consequences. Equally, failures can be described
in terms of variation between no failure and maxi-
mum failure, with respect to the variation of the effi-
ciency of the mission.
4. Exhaustive evaluation of the consequences
A study of consequences is focused on the com-
plete analysis of a failure and the set of resulting
consequences. The entire set of possible and plausi-
ble situations is studied while considering all of the
graduations of the failure. Such an exhaustive approach
allows a progressive picture of the repercussions or
the consequences generated by the occurrence of a
failure to be established. For example, following the
failure of a hydroelectric reservoir, a flood is cre-
ated. A study of the consequences covers all the water
levels between the start of the flood and the maxi-
mum water level. The progression of the flood is
therefore studied as well as the increase in the
resulting consequences.
5. Drawing of consequence curves
The results of a study of consequences are pre-
sented in the form of curves or diagrams in order to
show the progression of the phenomena studied.
6. Identification of life support networks affected by
the failures
First, life support networks affected by the failure of
a network are identified. The conditions of failure of the
first network are also identified in order to establish
the initial conditions provoking the domino effects.
Communication mechanisms between these networks
are initiated in accordance with the concepts of risk
communication.
Actually, the consequence curves are established to
cover the human socioeconomic consequences of the
A New Structural Approach for the Study of Domino Effects between Life Support Networks 255
failure of a life support network. These curves were
established principally for the municipal emergency
measures managers directly affected by consequences
for their citizens and municipal affairs. Some examples
of produced curves:
•Number of people affected by the failure (flood and
water contamination)
•Damage to buildings (flood)
•Number of sensitive elements (hospitals, schools,
daycare centers, etc.) affected by the failure (flood,
contamination, loss of electricity)
•Dangerous industries affected by the failure (flood,
loss of electricity)
•Public transportation affected by the failure (flood,
loss of electricity).
Figure 17.5 presents an example of a consequence
curve for a municipality expressed in terms of number
of people affected by a flood. Analysis of such a curve,
in addition to providing all the knowledge for a good
plan of the mechanisms of evacuation, allows the estab-
lishment of the levels of severity of the emergency gen-
erated by these consequences (Robert 2001b).
These graphical results, coming from a progressive
and systematic approach, are easily used in a risk study
based on specific events. In effect, such risk studies allow
a result representing a precise state of vulnerability, which
corresponds with a point on the consequence curve, to
be obtained. For the different planning stages of emer-
gency measures, these graphics allow the entire set of
potential situations to be covered and establish thresh-
olds that correspond to the emergencies.
Vulnerability Studies
The failure of a network is a unique event generally
resulting from the conjunction of several distinct causal
chains. Therefore, the proposed approach consists of
studying the potential failures of the missions of a net-
work in order to define their causes, both natural and
anthropic. The goal is not to determine a probability of
occurrence of an event, which often proves to be sub-
jective, but to define the series of hazards that can lead
to the failure of the network. For example, for the bac-
teriological contamination of a water supply network,
it is a matter of determining the contamination points
of the network while taking into account the operating
procedures, the condition of the network, and the pos-
sible contamination of groundwater by natural phe-
nomena or technological accidents.
First, the methodology of the study of vulnerabili-
ties is presented overall. It is based on the identifica-
tion of the vulnerabilities of a life support network.
Explained next are the general concepts of evaluation
of the possibility of the vulnerabilities, since these data
are essentially for the study of risk.
Methodology
Network engineers must determine the conditions nec-
essary to reach a certain state, taking into account that
external risks can arise and that components of the
network (operations and essential infrastructure) can
become inefficient. Figure 17.6 diagrams these condi-
tions, which are described below.
External hazards: act as triggers by affecting the net-
work at the level of essential infrastructure. Three
causes of external hazards have been identified.
•Natural causes: subdivided into two groups:
°Instantaneous phenomena, such as earthquakes
256 Building Safer Cities: The Future of Disaster Risk
Affected population
350
300
250
200
150
50
030 32.25 34.5 38.75 39
100
Water surface elevation (meters)
Number of individuals
Figure 17.5 Consequence curve for a municipality
°Predictable phenomena, such as the seasonal
surge of a river.
In all cases, the natural events studied are excep-
tional phenomena.
•External technical malfunctions: correspond to the
transfer of vulnerability between life support net-
works following the domino effects between them.
•External human causes: are exclusively active human
failures such as acts of malevolence (sabotage).
Decreasing efficiency of the components of a net-
work: can only have two origins, either technical or
human.
The methodology of evaluation of overall vulnerability
is presented because it requires highly multidisciplinary
A New Structural Approach for the Study of Domino Effects between Life Support Networks 257
Mission
efficiency
Decreasing
Active human
failures
Chain of internal risks
-Errors
Mission
Latent human
failures
-Management
External risks
Natural event
Technical
failure
Transfer of
vulnerability Operations
-Design
-Maintenance
-Breakdown
Malevolence
Essential infrastructure
Figure 17.6 Diagram of the conditions for decreasing the efficiency of a mission
work, with a whole set of technical, managerial and
human resource participants. The concept of risk com-
munication will serve to identify the participants and
the precise structure of the steps to follow as a function
of the specifics of each life support network. Three main
steps can be identified.
1. Evaluation of vulnerabilities
The analysis of consequence curves allows the
identification of the missions where efficiency has
decreased. Therefore, it is a matter of determining
the causes bringing about the decrease in efficiency.
To do this, each element linked to the inefficient mis-
sion is analyzed.
•First, the operations are studied. It is a matter of
evaluating whether human error can diminish the
efficiency of an operation. For this, how and where
human interaction takes place must be identi-
fied. Next, management procedures must be ana-
lyzed in terms of response to an exceptional
situation.
•Essential infrastructure is then analyzed in terms
of internal efficiency. To do this, it is a matter of
evaluating whether the actual condition of an infra-
structure is satisfactory, then establishing the poten-
tial conditions for diminished efficiency, for example
the minimum level of maintenance necessary to
affect an infrastructure.
•External hazards are then studied. It is a matter
of establishing the natural events that can arise
and affect the efficiency of the infrastructure, while
assuring that the entire set of possible situations
is covered.
Technological causes coming from the failure of
another life support network are analyzed from the
failure curves of the network and from the trans-
fer function as described in the section on domino
effects. This transfer of vulnerability allows direct
evaluation of a decrease in efficiency of infrastructure.
Acts of sabotage must be considered possible,
requiring an evaluation of the protection of the
infrastructure.
The result is an exhaustive evaluation of the ele-
ments related to a mission, with the following infor-
mation for each one:
•A description of the conditions bringing about
a decrease in efficiency; and
•An evaluation, numerical or not, of the possi-
bility of occurrence of these conditions.
Next, an overall analysis is carried out in order to
obtain a complete picture of failure possibilities. The
variation in efficiency of a mission is analyzed to know
the progression of the magnitude of the failures.
2. Creation of vulnerability curves
The results of the evaluation of vulnerabilities can be
presented in the form of curves or diagrams that illus-
trate the progression of the phenomena. These curves
are associated with procedures of operation and essen-
tial infrastructure. They indicate variation in the degree
of efficiency. Figure 17.7 gives an example of a vulner-
ability curve of a transformer station, essential infra-
structure of a hydroelectric network, having to control
floods as a mission (Robert 2001b).
3. Identification of domino effects between several
life support networks
Consequence studies highlight the life support net-
works affected by failures of a first network. At this stage,
it is a matter of identifying the essential infrastructure,
which has links with other life support networks, and
evaluating at which threshold the efficiency of the first
network affects the second.
Possibility of Occurrence of Vulnerabilities
To carry out a risk evaluation, it is necessary to evalu-
ate the possibility of the occurrence of a hazard. Numer-
ous techniques exist for evaluating overall reliability
(human and technical) (Dhillon 1985, 1989) of a system
as well as the effects of natural events on it. Based on
the classification proposed by the Institut de Sûreté de
Fonctionnement (ISDF 1994), it is possible to define
five major classes of methods:
258 Building Safer Cities: The Future of Disaster Risk
100% 95% 80% 75% 0%
Accessibility
Limit
Out of
service
Normal operation
zone Failure zone
23 24 25 26 27 28 29 30
Water level at the station (meters)
Efficiency of the infrastructure
Figure 17.7 Vulnerability curve for a transformer station
•Quantitative and predictive methods (Kirwan 1994;
El Shahhat and others 1995);
•Descriptive analysis methods (Hadipriono and others
1986; Leverenz and others 1996);
•Combination approaches (Suokas 1993; Ridley and
Andrews 2000);
•Structural and descriptive analysis methods (NASA
1995; Modarres and others 1999); and
•Systematic design analysis methods (Garin 1994;
Cazaubon and others 1997).
The objective of quantitative and predictive meth-
ods is the evaluation of the probability of occurrence
of human errors, technical failures, and natural events
that are observable under the given conditions. The
majority of these methods call upon the opinions of
experts, which allows the various aspects—both natu-
ral and anthropic—that can bring on a failure to be con-
sidered. However, from these methods, probabilities
that are often subjective result, since they are strongly
correlated to the opinions of the experts who partici-
pated in working them out and to the variables used.
The objective of descriptive analysis methods is to
tackle the origin of the decrease in efficiency of a mis-
sion and provide reliable collection and failure analy-
sis tools. These methods are used once the event has
arisen, which is at the same time their strength and
their weakness. In effect, they allow the hazards
bringing about a decrease in efficiency to be described,
but they cannot serve to evaluate the network before
the failure.
The objective of combination approaches is to describe
and analyze in order to anticipate and even predict
failures. These methods, such as cause/consequence
trees, are very interesting. Starting from a potential con-
sequence, it is possible to rebuild the series of hazards
that have or could bring about a decrease in efficiency
of a mission.
The goal of structural and descriptive analysis is to
identify the structural characteristics of a network, in
other words, its boundaries, components, and inter-
connections. Because of their mode of representation
in block form, the use of such methods can be prob-
lematic, even impossible, for complex systems such as
life support networks. However, these methods are inter-
esting for defining, in an efficient manner, the entire
network and its interrelations with other systems.
The objective of systematic design analysis methods
is to consider an entire design project as much from a
technical as an organizational plan. These methods take
both human and technical factors into account at once.
It is important to note that several methods can obvi-
ously be combined according to the situation and desired
result, as long as they integrate into a common approach.
The classical approaches to risk analysis advocate
probabilistic evaluations of risk, which essentially rely
on quantitative and predictive methods. These meth-
ods rest on the use of elaborate scenarios built from data
collected during observed decreases in efficiency of net-
works. The proposed approach distinguishes itself from
the scenario approach by addressing the problem with
the study of consequences of the decrease of efficiency
of a mission. Defining risks remains important, notably
for the design criteria and mitigation measures, with-
out associating probabilities, which often prove to be
subjective.
Different risks are strongly dependent upon one
another. Therefore, it appears necessary to define an
overall methodology integrating all of these causes to
better predict and manage the risks that can affect the
network being studied. This approach will have to com-
bine the evaluation methods of three large risks. Cer-
tain methods integrate two of the risks (natural and
technological, technological and human), but none inte-
grating the three seem to have been developed. Another
difficulty lies in the integration of the evaluation of dif-
ferent simultaneous natural phenomena, like for
example, the probability of occurrence of an earthquake
and a flood. Therefore, it must be determined, among
the large group of previously presented methods, which
technique or group of techniques would be the most
appropriate for evaluating the set of risks, both anthropic
and natural, that could lead to the failure of a life sup-
port network. While allowing the combination of dif-
ferent factors, the chosen evaluation methods must be
easily understood, quickly put into place, and adapt-
able to networks of different natures. Methods with a
low degree of subjectivity will have to be found, from
which mitigation measures can be implemented.
An overall methodology for risk evaluation will
have to be based on a good understanding of the net-
work being studied, its vulnerabilities, its environment,
impacts that could affect it in case of decreased efficiency
A New Structural Approach for the Study of Domino Effects between Life Support Networks 259
of another network, and equally the infrastructure that
it could influence in case of a failure (vulnerability trans-
fer). The evaluation of events that can engender risk
must be carried out in a systematic manner, not to elim-
inate risk, but to diminish the vulnerability of the set
of life support networks.
Study of Domino Effects between Life Support
Networks
Consequence and vulnerability studies highlight that
the failure of a life support network can provoke con-
sequences on another network by affecting its essential
infrastructure (external technological risk). The links
uniting several life support networks are numerous and
varied. A good understanding of the dynamic of these
networks is therefore essential to avoid benign mal-
functions transforming into major crises (Allen 1997;
Hubbert and Ledoux 1999; Lemperiere 1999). Figure
17.8 illustrates this principle of links.
A methodology was developed at the École Poly-
technique de Montréal to study the links that united sev-
eral life support networks (Robert 2001a, 2002b). It is
based on the idea that these links, which represent a con-
nection between different networks, allow vulnerabili-
ties of one network to reflect on another through a function
of repercussion of vulnerabilities. These links are direc-
tional, defined by a source and a destination. The
source is associated with an essential infrastructure spe-
cific to the originating network, whereas the destina-
tion is associated with an essential infrastructure of the
destination network. Two types of links can be identi-
fied: (1) a direct link if the two components are physi-
cally or mechanically connected (like an electric cable);
and (2) an indirect link if there is no clearly identifiable
connection. The type of link directly influences the reper-
cussion of vulnerabilities function. However, the method-
ology for the study of these links is the same. It uses the
following three steps.
1. Definition of the source vulnerability
The source vulnerability represents a combination
of consequence and vulnerability studies carried
out on the source life support network. The conse-
quences of multiple failures of the network are
identified as well as the other life support networks
affected by way of the links between these net-
works.
The study of vulnerabilities of the source net-
work allows the essential infrastructure where the
efficiency has decreased to be identified. If this
infrastructure is the source of a direct or indirect link,
there is a potential domino effect.
The set of degrees of efficiency of the essential infra-
structure must be analyzed and passed on to the des-
tination network. Equally, it is important to integrate
the consequences of these variations of efficiency. A
graphical representation illustrates this graduation
of the vulnerability of a network. Figure 17.9 shows
an example of a vulnerability curve for a hydroelec-
tric installation. On this curve, the different compo-
nents are identified and characterized in terms of
technical efficiency. In addition, the multiple conse-
quences of these failures are represented. Such a curve
synthesizes all of the information that must be com-
municated to the other networks affected by these
failures.
2. Definition of the repercussion function
The consequences of the variations in efficiency
of the source essential infrastructure must be propa-
gated, modified, or transformed before reaching the
destination component. The repercussion functions
are generally established by simulations, which attempt
260 Building Safer Cities: The Future of Disaster Risk
Source
network Destination
network
Essential
infrastructure
I.E. 1
Direct link
…
Indirect link
Vulnerability
source
Repercussion function of
vulnerabilities Vulnerability
destination
Example of a link
Essential
infrastructure
I.E. 2
Essential
infrastructure
I.E. i
Essential
infrastructure
I.E. 1
…
Essential
infrastructure
I.E. 2
Essential
infrastructure
I.E. I
Figure 17.8 Definition of links
to evaluate the consequences—direct or indirect—
of variations in the efficiency of the infrastructure
on the environment. The type of link, direct or
indirect, influences these studies.
a. Direct link: the repercussion function depends
on the physical nature of the link. For elec-
trical links, the function can be a variation in
power. In general, these functions are well doc-
umented, numerically modeled, and known
by the network managers and engineers.
b. Indirect link: the definition of a repercussion
function for an indirect link is more com-
plex in terms of technical expertise, because
it requires specific studies and calculations,
which are not regularly carried out by net-
work managers and engineers. For example,
for a hydroelectric installation, source vul-
nerability is shown in figure 17.9. The reper-
cussion function of this vulnerability
characterizes the behavior of water that over-
flows a reservoir and affects the infrastructure
of the other network affected by the same
flood. Therefore it is important to know the
flooded areas. Graphically, this function is
shown in figure 17.10, which shows a curve
relating water levels between a reservoir
and a transformer station.
3. Definition of the destination vulnerability
The source vulnerability transferred to the essen-
tial infrastructure of the destination network is con-
sidered an external technological risk that is going to
influence its efficiency as described in vulnerability
studies. Figure 17.7 shows the result obtained on a
transformer station.
The study of domino effects between several life sup-
port networks demands the collaboration of multiple
experts and requires complex studies, especially for
indirect links. It is a multidisciplinary work, which will
have to be carried out so that the entire set of human
and socioeconomic consequences can be considered
in the establishment of efficient and effective emer-
gency measures and the performance of complete risk
studies. The diverse uses of these studies are pre-
sented below.
A New Structural Approach for the Study of Domino Effects between Life Support Networks 261
46.50 46.60
47.00
47.00 47.13 47.28 47.30 47.40
47.50
47.70 47.70 47.80 47.85
48.50
49.00
48.16 m
47.50 m
46.94 m
48.16 m
49.5
48.5
49
47.5
Upstream reservoir level (meters)
48
46.5
47
46
45
Embankments 1, 2, and 5
Spillway
Municipality # 1/minor degree
Dam 2
Municipality # 2/minor degree
Canal/ left bank
Municipality # 1/serious degree
Canal/right bank, intake
Municipality # 2/ serious degree
Embankments 1, 2, and 5
Municipality # 1/ very severe degree
Municipality # 2/ severe degree
Canal/ weir
Dam 2
Dam 4, north shore
Municipality # 2/ very severe degree
45.5
47.50 m
46.94 m
++
+
+49.00
Failure
Dam break
Overtopping
+
Critical point - high risk
Very high risk
Loss of control
Figure 17.9 Affected components as a function of the water level rise in the upstream storage basin
Applications and Uses
The results of these studies are particularly well suited
for risk studies and planning of emergency measures.
For risk studies, two methods are possible: an approach
by scenario and an approach by consequences. The
choice of the method depends on the desired use of
the results. For emergency measures, the proposed stud-
ies are particularly useful for the planning and identi-
fication of mitigation measures. A section specific to risk
communication will be presented, since it acts as the
basis for the previous activities by ensuring the involve-
ment of all concerned parties. The diverse uses of these
studies will be presented below.
The applications described below allow the evalua-
tion of risks related to life support networks facing nat-
ural hazards. In the context of financing these networks,
the quality of the information obtained from conse-
quence and vulnerability studies will allow a better eval-
uation of the opportunity to develop these networks
with regard to consequences during a failure. It will also
be possible to evaluate whether the structures and the
networks, as planned, are adequate in terms of risks and
especially in terms of consequences for populations.
Alternative solutions can therefore be proposed and
developed. Proactive solutions for the protection of pop-
ulations can also be directly associated with the financ-
ing of networks by way of imposed emergency measures
centered on the network missions and the mecha-
nisms of risk communication. The initial planning of
these measures permits them to be integrated into financ-
ing mechanisms and therefore ensures their existence
and efficiency.
Risk Studies: Scenario Approach
A risk study based on the consideration of a finite number
of scenarios does not allow the entire set of possible
situations to be considered, but maintains a certain util-
ity, especially in establishing the data necessary for design
and rehabilitation. Equally, it can serve to evaluate a set
of similar infrastructure in a given territory. This type
of risk study is widely used for hydroelectric installa-
tions (Plate 1996; Lemperiere 1993; Quach and others
2000). The result of such a risk study is generally rep-
resented by the product of the probability of occurrence
of a scenario and the consequences, as defined at the
beginning of this report.
The proposed vulnerability studies coupled with
the precise definition of a scenario will permit the prob-
ability of a scenario arising to be established with
much greater precision. In effect, the scenarios studied
can be situated among a set of potential situations, which
is a plus when the sum of the probabilities must
remain equal to 1. Once the scenarios have been stud-
ied and simulated, the potential consequences gener-
ated by the scenarios will have been exhaustively studied
by consequence studies, including the domino effects
on the other life support networks. Therefore, the uncer-
tainties of risk calculations will be minimized.
Risk Studies: Consequences Approach
A way of evaluating the overall risk related to a life sup-
port network is to study the entire set of potential situ-
ations. In the face of infinite possible solutions, a finite
number of conditions can be analyzed to trace a risk
curve that corresponds to the variation in efficiency of
a mission. To determine the study points for this risk
curve it is a matter of analyzing the consequence curves
and establishing different levels of progression. Each
level corresponds to a significant and abrupt increase in
the consequences, therefore a network failure and a
decrease in the efficiency of a mission. Vulnerability stud-
ies allow the vulnerabilities of the network that pro-
voke the decrease in efficiency of a mission to be
determined. They identify the concerned elements at the
262 Building Safer Cities: The Future of Disaster Risk
30
29.5
29
28.5
28
27.5
27
26.5
26
25.5
25
24.5
46.5 46.8 47 4847.3 47.5
Water level in the storage basin (meters)
47.8 48.3 48.5 48.8
Water level at the
transformer substation (meters)
Figure 17.10 Example of a repercussion function:
relationship between the water level in a storage
basin and at a transformer substation
operations level and the essential infrastructure. There-
fore, it is possible to evaluate the plausibility of occur-
rence of these causes and to calculate a risk in terms of
the couple of plausibility of occurrence and consequences
(this result can be purely numerical or can have a sym-
bolic value). This risk calculation is carried out for each
mission of a network. A set of risk values is therefore
associated with decreases in efficiency of missions and
the results can be expressed, if necessary, as a graph.
Figure 17.11 shows a risk curve established for two mis-
sions (M. 1 and M. 2).
Such a risk study allows the maximum risk of a net-
work to be determined, and also the total risk, which
represents the sum of all the intermediate risks. These
results can serve the network managers, and also the
insurers, the financial organizations, and the compe-
tent authorities for the evaluation of the risks.
Emergency Measures
Consequence studies and consequence curves produced
are particularly well suited to emergency measures. In
effect, they synthesize the information to be used for
the preparation of an emergency plan. For the man-
ager of a life support network, preparing for an emer-
gency means evaluating all possible situations to ensure
the best protection to the people potentially touched by
a failure of this network, however remote the chance
of such a situation occurring. In effect, the human and
socioeconomic consequences are too important to
neglect a potential situation. It is one of the principal
drivers of the study of consequences.
Concerning the establishment of mitigation meas-
ures, a combination of consequence and vulnerability
studies is necessary. Similar to the risk studies done
according to the consequences approach, levels of
consequence must be established. These levels are deter-
mined from an evaluation of consequences that are unac-
ceptable for the population. Next, vulnerability studies
allow vulnerable elements at the operations level and
the essential infrastructure to be identified. It is, there-
fore, possible to determine the corrective measures to
apply—whether they are structural or not, permanent
or not—as much on the essential infrastructure level
as for the operational procedures, all the while consid-
ering external risk.
Risk Communication
Several studies have attempted to prove that the man-
agement of risks, as well as the process of risk com-
munication that accompanies it, reduces uncertainty
and increases the acceptability of risks. According to a
systematic approach, risk communication allows the
risks to personnel, populations, and material, indus-
trial, technological, and financial resources to be reduced
(Bates and Fitzpatrick 1994).
In the proposed structure of life support networks,
as soon as the domino effects have been identified at
the level of consequence and vulnerability studies, a
structure for risk communication must be created. It
ensures the transfer of information between concerned
networks, with the goals of planning emergency meas-
ures, and reducing and controlling risks. Of course, it
must not be forgotten that these networks are part of a
larger set of networks and that information concerning
risks and their consequences will have to be exchanged
with partners.
Risk communication must ensure an interactive
exchange of structured information between concerned
parties. Therefore, setting up a Risk Management Com-
mittee seems like an essential tool for exchange, dialogue,
mediation, and decisionmaking. All aspects relative to
prevention and preparation will be treated there.
The Risk Management Committee is composed of rep-
resentatives of the two networks: source and destination,
A New Structural Approach for the Study of Domino Effects between Life Support Networks 263
M. 1
(90)
Risk representation
Efficiency of the missions (percent)
M. 2
(85)
M. 1
(50)
M. 1
(20)
M. 2
(60)
M. 2
(45)
M. 1
(0)
M. 2
(15)
M. 2
(0)
Figure 17.11 Schematization of a risk curve
as well as representatives of the concerned authorities. The
committee must consist of different hierarchal levels and
expertise. It is also advisable to create working subcom-
mittees for precise domains of expertise, whose results are
submitted to the committee for discussion and approval.
The Risk Management Committee will have to first
approach certain points, which are described below.
Prevention: the first responsibility of the committee
is to ensure that the steps of vulnerability transfer
are adequately carried out and then establish the level
of acceptable consequences for the concerned par-
ties. Finally, the important question concerning the
disclosure of the risks to the population must be
addressed. If the anticipated consequences predict a
direct danger for the population, it will have to be
brought to the attention of the committee.
Preparation: each life support network has the respon-
sibility of reaching a level of preparedness that per-
mits it to maintain or re-establish, in the shortest
possible time, the functions that allow it to fulfill its
mission during a disaster or catastrophe. Certain ele-
ments of this preparation must be planned jointly
with the partners of the Risk Management Commit-
tee, including:
•Criteria and warning processes in case of an inci-
dent
•Protocol for these exchanges between networks
•Channels of communication used in such cases
•Encoding and decoding of transmitted informa-
tion as well as the feedback process
•The implementation of mitigation measures at the
level of operations and infrastructure
•The decisionmaking levels required and involved
in these exchanges of information.
Intervention: unlike the prevention and preparation
phases, where information to be exchanged and dis-
cussed passes via the Risk Management Committee,
the protocol for information exchange is very dif-
ferent during intervention. Therefore, direct links
between managers and experts must be anticipated
in order to allow an exchange of precise information
and to favor coordination between networks. The
preferred channels of communication must adhere
to certain precise criteria:
•Transport high-quality, concise, precise, and tan-
gible information
•Transmit information quickly and without dis-
tortion
•Transmit information that sets mitigation meas-
ures in motion
•Transmit information that integrates with the oper-
ations of the destination networks
•Establish a direct link between personnel of the
same hierarchical and operational levels
•Create robust, redundant, and compatible links
between the networks. All mechanical and elec-
tronic means can be considered.
The committee will have to look into the nature of
the information needing to be transmitted, and assure
itself of the robustness of these preferred communi-
cation links.
State of readiness: the committee has the responsi-
bility for maintaining the systems and functions put
in place. Therefore, the division of responsibilities
must be agreed upon for:
•Maintenance of the communication channels
•Verification of the robustness of these channels
•Training of personnel who intervene in emergency
situations
•Preparation of joint exercises, allowing the readi-
ness of all participants to be verified.
Application to Developing Countries
Current State of the Problematic
Independent of the location and the operation and
maintenance conditions, each type of life support net-
work has its own behavior. In effect, the accomplish-
ment of the missions of a life support network is
based on the needs (potable water, electricity, etc.) of
the community it serves. This statement defines the
structural as well as the functional aspects of the net-
work. The goal of the current work is to put into place
a theoretical basis for a methodology to understand life
support networks in terms of potential failures and to
evaluate their consequences on other life support net-
works. Therefore, this approach can be applied suc-
cessfully in developed and developing countries.
However, the use of this approach in developing coun-
tries requires the prior acceptance of the three princi-
ples described below.
264 Building Safer Cities: The Future of Disaster Risk
•Life support networks with a certain degree of com-
plexity must be present. This condition, as a general
rule, corresponds to large urban zones, which are
particularly sensitive to the failure of these networks.
“The concern over the risk to megacities, particularly
in the developing world, is their growing vulnerabil-
ity caused by their hyper-concentrations of popula-
tion, dependence on complex and aging infrastructure,
and unprepared local institutions” (Bendimerad 2000).
•The use of this method requires a regional method-
ological approach. For example Hurricane Hugo hit
the Caribbean and the Carolinas in 1989 (Badolato and
others 1990; Denis 2002). Blackouts caused the stop-
page of potable water treatment plants; the lack of water
lasted from three days to two weeks. The telephone
network on the island of St. Croix, Virgin Islands was
totally destroyed, and rebuilding took several months.
To evaluate the consequences on populations,
emergency plan measures and the establishment of
adequate mitigation measures are necessary to ana-
lyze regional networks. A national approach does not
permit such a refinement of knowledge.
•The study of these networks, as advocated, implies
the consideration of exceptional but noncatastrophic
events. In effect, if the natural events that trigger the
failure of these networks inflict considerable damage
on populations and destroy all social infrastructure,
it is illusory to specifically study life support net-
works. In this case it is preferable to concentrate on
the essentials, the protection of populations. There-
fore, there must be a global vision of the risks,
which cover all possible scenarios, not only extreme
ones. In terms of planning and preparation of emer-
gency and mitigation measures it is important to pre-
pare for intermediate emergency situations so that they
do not become exceptional situations. The 1995 Sakhalin
earthquake in the Russian Far East (Porfiriev 1996;
Denis 2002) is an example where the consequences
of a large noncatastrophic natural event (rated inter-
mediate) were strongly amplified due to poor knowl-
edge of the communication and energy distribution
networks and the domino effects resulting from their
destruction.
Fundamentally, the difference between life support
networks in developed and developing countries resides
in the physical characteristics of the infrastructure
(age, resistance, grid density, etc.) as well as on a suffi-
cient knowledge of the aforementioned to ensure ade-
quate planning of network management and operations.
The recent development of disaster management programs
by a number of countries emphasizes establishing national
policies and initiatives but seldom targets the specific
conditions pertaining to large cities. In most cases, the cen-
tral government retains the authority for disaster man-
agement programs that are often focused on developing
response capabilities, instead of proactive mitigation. With
the regulatory environment concentrating decisionmak-
ing authority and resources at the central level, the diffi-
culty in predicting, assessing, and controlling the impact
of catastrophes on large cities, with competing priorities
and limited resources, and local government officials defer-
ring decisions and responsibility to the central govern-
ment, the result is that local government action for disaster
management is often ineffective.
Yet experience and modern disaster management prac-
tice recognize the importance of a strong and well-struc-
tured local disaster management capacity, and the need
for decentralized authority to achieve an effective response.
During a disaster, local governments are immediately con-
fronted with the responsibility of providing relief to vic-
tims but often do not have the means or adequate legislative
authority to mobilize these resources. Local governments
also have difficulties in accessing mitigation funds because
funding and relief agencies typically work directly with
central governments. Reaching out to local governments
to help them build local capacity, acquire knowledge and
resources and providing them with authority for decisions
are essential policies for reducing losses (Bendimerad
2000).
Risk Reduction: Avoiding hazards and reducing vulnera-
bility to disasters result when an extreme natural or tech-
nological event coincides with a vulnerable human
settlement. Reducing disaster risk requires that all stake-
holders change their perceptions and behavior to place a
high priority on safety in planning and development. Effec-
tive risk reduction involves mitigation measures in hazard-
prone developing countries. Such measures include land
use planning, structural design and construction prac-
tices, and disaster warning systems. In addition to employ-
ing scientific and technical knowledge, risk reduction may
also involve overcoming the socioeconomic, institutional
and political barriers to the adoption of effective risk-
reduction strategies and measures in developing coun-
tries. This may be accomplished through projects analyzing
the possible roles of government, nongovernment, and
private sector organizations in risk reduction, local and
regional workshops and conferences aimed at heightening
A New Structural Approach for the Study of Domino Effects between Life Support Networks 265
the awareness of stakeholders to the threat of natural dis-
asters and what can be done about it, and educational and
training activities that increase the understanding of pol-
icymakers, decision makers and practitioners about dis-
aster management” (World Bank 2000).
The proposed approach for the study of domino
effects is perfectly consistent with this perspective.
Answer to the Problematic of Developing
Countries
It becomes apparent that the principal differentiation
between life support networks in developing countries
and those in developed countries resides in the physi-
cal characteristics and the planning of emergency meas-
ures. These two principal differences will be identified
below and the answer provided by the method of the
study of domino effects will be made explicit.
Physical Characteristics
Life support networks are in variable condition, designed
according to nonuniform criteria by multiple contribu-
tors originating from varied countries. The situation varies
according to the country, even the region. Therefore, con-
trary to developed countries, there is often a lack of homo-
geneity in the design and operational criteria of the life
support networks that serve the same community.
In this context, the proposed approach adapts itself
perfectly to the problematic because it is centered on
the definition of the missions of a life support network,
the principal characteristics of the network being linked
to these missions. It is possible to adapt itself very pre-
cisely to the specifics of a country.
Populations must know the missions of the life sup-
port networks and their importance to understand the
inherent risks. The competent authorities, managers,
and technical support personnel of these networks
can, in association with the populations, foresee miti-
gation measures in the event of failure. These measures
must be in agreement with the local resources and social
particularities. In terms of emergency measures, in a
crisis situation, multiple actors, governmental and others,
often from abroad, are called on location. The initial
knowledge of all the missions the networks allows, in
the absence of an emergency plan, permits minimal
measures to be put in place to protect populations and
ensure a quick return to normalcy.
Thus, in this context, it is possible to systematize this
approach by missions by simplifying the information to
be transmitted to take into consideration the resources
available for the collection of this data. Table 17.2 pres-
ents the essential information for gathering and collat-
ing. The information must be provided by the local actors
responsible for the management of the networks and
completed by the engineers that designed or rehabili-
tated them. In the table, fictional examples taken from
several different networks are presented by way of illus-
tration. The essential information is described below.
•Identification: the life support network is identified.
•Mission: this information is primary as it forces all
actors to define it together. It is a multidisciplinary
work that puts in place the basis for future activity
for planning emergency measures.
•Essential infrastructure: it is a matter of determining,
with the engineers, the infrastructure that is essen-
tial for the network to function. For example, one
identification criterion would be that, faced with a
total loss of this infrastructure, the efficiency of the
mission would be reduced by at least 75 percent. The
list of these essential infrastructure components should
be limited. Operations are not considered at this stage,
since the focus is on infrastructure without regard
to human intervention, which is more complex to
study.
•Links with other networks: The most important, or
essential, direct and indirect links should also be
identified and associated with the mission to which
they are attached. As for essential infrastructure, only
the links that significantly influence the networks in
question need to be identified. It is a matter of iden-
tifying the type of link (direct or indirect) and the
network connected to this link (destination network).
The consequences for the destination network can
be expressed globally. Next, the people responsible
for this destination network can be identified.
•All basic information found in this table is available
after the completion of consequence studies, without
regard to the causes of the failures or the probability
that they occur. Obtaining this information does not
require significant resources, and it is available
locally. In addition, the studies or steps necessary to
266 Building Safer Cities: The Future of Disaster Risk
obtain this information require contributions from the
principal actors, who must be gathered for the plan-
ning of emergency measures and crisis management.
Planning Emergency Measures
It becomes apparent that knowledge of life support net-
works is not enough to plan emergency measures ade-
quately. Basic information, such as the minimal example
presented in table 17.2, also shows the basic informa-
tion necessary for planning emergency measures.
The preceding information issuing from consequence
studies is fundamental because it identifies the essen-
tial infrastructure and the domino effects between life
support networks. These results allow, at the very
least, to alert those in charge to problems and put in
place adequate protection measures and emergency
measures. Minimal studies of vulnerability and reper-
cussion functions can be carried out on the essential
infrastructure affected by the domino effect.
This information allows concrete and tangible mitiga-
tion measures to be established, as much at the level of
essential infrastructure as at the level of links generat-
ing the domino effect. In effect, the establishment of any
prevention and mitigation measures requires a better
understanding of the consequences. The protection of
essential infrastructure and the identified links corre-
sponds to minimal but indispensable (considering the
consequences for the population) emergency measures.
In effect, the failure of these networks following excep-
tional natural events will greatly amplify the conse-
quences for the populations at risk.
Preferred channels of communication between those
in charge of networks (identified in table 17.2) should
be put in place to ensure that concrete measures are
taken. They will be based on routine contact between
A New Structural Approach for the Study of Domino Effects between Life Support Networks 267
Table 17.2 Example of essential information relative to life support networks
Network being studied: Potable water supply
Mission: Maintain a minimum pressure
Essential infrastructure: Pumping station
5 main conduits (no. 1, no. 2, no. 3, no. 4 and no. 5)
Links
Identification Type Connected Consequences Responsible
(D/I) networks personnel
Main water conduit no. 3 I gas A leak in a main conduit provokes Mr. Smith
(secondary road X the destruction of a gas conduit,
Facade of building Y) which creates a risk of explosion.
Mission: Provide quality water
Essential infrastructure: chlorination pool
reservoir
Links: none
Network being studied: Electrical power supply
Mission: Maintain a minimum voltage
Essential infrastructure: Thermal power plant
3 transformer stations (no. 1, no. 2, and no. 3)
2 main transmission lines (no. 1 and no. 2)
Links
Identification Type Connected Consequences responsible
(D/I) Network personnel
Transformer station D Potable water supply The loss of electrical power in the transformer Mrs. Smith
no. 2 (near the water station provokes the cessation of treatment
treatment plant) of water. There is no electrical transmission
line backup to the treatment plant. There is a
generator at the treatment plan, but it is not
in good condition.
the individuals identified. Later, they can be enriched
and serve as a basis for real risk communication. These
steps represent a minimal measure of protection for pop-
ulations, especially as the favored measures essentially
aim to reduce socioeconomic impacts.
The principles of communication and management of
risk do not change, whether we are in a developing coun-
try or not. Analysis and management methods and the
principle of information exchange remain the same. Only
the techniques of information transmission during an
emergency situation can cause a safety problem. Dialogue
must be instituted based on local practices and structures
and a minimal exchange of information must be carried
out between life support networks, despite the level of
sophistication of existing means of communication.
The development (including construction and reha-
bilitation) of a life support network in a developing
country should consider, from the start, not only the
possible consequences of a failure of this network for
other networks, but also the consequences of failures
of other networks on this network. Also, measures
designed to improve the network’s own robustness should
be anticipated with the principle that the missions of each
network can be ensured. The identification of informa-
tion needing to be exchanged therefore relies on the
consequence criteria: what must be demanded from the
risk generator? The risk generator must carry out a risk
and consequence study and provide the results. At a
minimum, national and regional authorities must be
made aware of the potential domino effects of certain
risks on other life support networks.
The Role of International Financial Organizations
Organizations that finance these networks can play an
initiating role in putting into place, maintaining, and
refining the information presented in table 17.2, and
in developing concrete, efficient, and operational actions
of emergency measures planning.
Better control of risk ensures a substantial reduction
in costs and better protection of populations in the event
of a catastrophe. This is also true in developing coun-
tries, which are often subject to large-scale natural haz-
ards with considerable socioeconomic consequences.
It is therefore mandatory for the people who develop
and finance life support networks in urban areas vul-
nerable to natural hazards to begin working to protect
populations and avoid network failures provoking a sig-
nificant amplification of consequences.
Finally, systematic steps are actually carried out to
reduce natural risk in developing countries. The ProVen-
tion Consortium is an example. “The ProVention Con-
sortium (2002) is a global coalition of governments,
international organizations, academic institutions, the
private sector, and civil society organizations aimed at
reducing disaster impacts in developing countries. The
Consortium functions as a network to share knowl-
edge and to connect and leverage resources to reduce
disaster risk. It focuses on synergy and coordination so
that efforts, and benefits, are shared.” The conse-
quence studies complete the work of these groups that
focus on natural hazards. However, in our approach
these hazards correspond to external trigger events
that affect essential infrastructure and the links between
networks. From that point, the socioeconomic conse-
quences are evaluated more rigorously and actions for
a return to normal are better planned. Information on
essential infrastructure, links, and consequences permit
the planning of replacement actions in response to
total or partial destruction. This planning includes the
hierarchical classification of the infrastructure to be reha-
bilitated to ensure minimal efficiency for missions judged
to be of primary importance; technical, human, and
financial resources necessary for the replacement of
infrastructure and direct links; and the timeframe for a
return to normal activities.
This process requires will on the part of the inter-
national community and local actors to work together
to establish minimal efficient and operational emergency
measures to cope with potential failures of the multi-
ple missions of life support networks.
Conclusions
Understanding risks relative to life support networks
is fundamental for populations to establish protection
measures in the face of potential failures. When con-
sidering the interconnection of life support networks,
the domino effects between them are supplementary
phenomena to which a certain importance must be
attached. Traditional risk studies based on scenarios
composed of extreme natural events do not allow the
entire set of possible situations to be considered.
268 Building Safer Cities: The Future of Disaster Risk
The proposed structural approach to life support net-
works is innovative in the sense that it is based on the
study of the missions that the networks must fulfill. If
these missions are not respected, the consequences
will be analyzed and synthesized without regard for
the causes, allowing operational and efficient emergency
measures to be put in place. For risk evaluation, knowl-
edge of the vulnerabilities of the network is critical.
The proposed structure allows not only the infrastruc-
ture in question to be evaluated, but also the operation
of the network that can diminish system efficiency.
It is essential to foresee that life support networks are
subject to external and internal risks. External risks,
combinations of natural events, technological events by
way of the domino effect, and acts of malevolence act
as triggers, which affect the network at the essential
infrastructure level. These result in a decrease in oper-
ational efficiency of the network’s mission. This approach,
combining natural and anthropic events, is in line with
a new international tendency in risk studies that does
not uniquely consider scenarios based on natural events
of a known frequency. The domino effects between life
support networks can now be studied systematically by
transferring the vulnerability of a network, the source
of failure, to another network. Thus, this transferred
failure becomes an external technological cause that
influences the efficiency of one or sets of essential
infrastructure of a destination network. This structural
approach allows, finally, risk communication mecha-
nisms between life support networks, structured by way
of Risk Management Committees, to be put in place.
These committees complete the emergency measures
by bringing together the concerned networks and assur-
ing efficient transmission of precise and tangible infor-
mation, allowing mitigation measures to be put in place
during a crisis.
This structural approach is particularly well suited
for developed countries with complex life support infra-
structure and emergency measures. The results of this
work will allow the state of preparedness of the vari-
ous participants to improve. Concerning developing
countries, situations vary from country to country.
Life support networks are in various conditions and
designed according to nonuniform criteria. Emergency
measures are not always efficient. The proposed approach,
in this context, offers several interesting alternatives.
Focusing the analysis of a network on the missions
that it must fulfill offers numerous advantages relative
to the particular context of these networks. In effect,
the construction, reconstruction, and rehabilitation of
life support networks are generally considered large
projects, and their financing comes from multiple inter-
national organizations. The management and mainte-
nance of these networks involves diverse authorities
and often nongovernmental organizations (NGOs).
Therefore, it is important that all participants know an
infrastructure’s mission and its relevance to other
infrastructure. It is the same for all people affected by
these networks. This knowledge allows missions to be
optimized and avoid becoming contradictory or ill-
suited for a local social context and to adapt financing
to local realities.
Knowledge of consequences allows better planning
of minimum emergency measures. In effect, consequence
studies being a representation of human and socioeco-
nomic risks, it is thus possible to concentrate on the
essential, as much on the level of protection provided
for populations as for the mitigation measures to put in
place. For organizations that finance these networks,
knowledge of these basic consequences allows the costs
that will be assumed for rehabilitation and reconstruc-
tion following a failure to be evaluated. A basic conse-
quence study for each mission of a life support network
should be systematically carried out, especially consid-
ering that it does not require significant resources.
The proposed approach focuses on the missions of
life support networks, coupled with consequence and
vulnerability studies, and has to its credit the ability to
identify the sensitive points of networks to put mini-
mum emergency measures in place. For the competent
authorities who participated in financing these net-
works, this approach offers a concrete picture of the
potential risks and, therefore, favors the implementa-
tion of efficient mitigation measures for populations.
Bibliography
Allen H. 1997. “Making a business of dam safety.” International
Water Power Dam Construction 49(8): 20–21.
Badolato E.V., J. Bleiweis, J.D. Craig, and H.W. Fleming. 1990.
Hurricane Hugo: Lessons Learned in Energy Emergency Pre-
paredness. Clemson, South Carolina: The Clemson University
A New Structural Approach for the Study of Domino Effects between Life Support Networks 269
Strom Thurmond Institute of Government and Public
Affairs.
Bendimerad F. 2000. “The risk of natural disasters occurring in
megacities is growing. Proper planning by local governments
can reduce the human and financial loss to cities.” Available from
<http://www.worldbank.org/dmf/knowledge/megacities.
htm>.
Bier V.M., Y.Y. Haimes, J.H. Lambert, N.C. Matalas, and R.
Zimmerman. 1999. “A Survey of Approaches for Assessing and
Managing the Risk of Extremes.” Risk Analysis 19(1): 83–94.
BIT (Bureau International du Travail). 1990. Prévention des acci-
dents industriels majeurs. Genève:: 117
CAN\CSA. 1991. Risk analysis requirements and guidelines: qual-
ity management. A national standard for Canada. Conseil cana-
dien des normes, Association canadienne de normalisation,
CAN\CSA Q850: 49.
CAN\CSA 1997. Gestion des risques : Guide à l’intention des décideurs,
Norme nationale du Canada. Conseil canadien des normes,
Association canadienne de normalisation, CAN\CSA-Q850-
97: 49.
Cazaubon C., G. Gramacia, and G. Massard. 1997. “Manage-
ment de projet technique: méthodes et outils.” Collection tech-
nosup, génie de production. Paris: Ellipses: 182.
Covello, V.T., J. Menkes, and J. Mumpower. 1986. Risk Evalua-
tion and Management. New York: Plenum Press: 435–457.
Covello, V.T. and M.W. Merkhofer. 1993. Risk Assessment Meth-
ods: Approaches for Assessing Health and Environmental Risks.
New York: Plenum Press: 319.
Denis H. 1998. “Comprendre et gérer les risques sociotech-
nologiques majeurs.” Éditions de l’École Polytechnique de
Montréal: 342.
Denis H. 2002. La réponse aux catastrophes, quand l’impossible
survient. Montréal, Canada: Presses Internationales Polytech-
nique: 318.
Dhillon B. S. and S.N. Rayapati. 1985. “Analysis of redundant
systems with human errors.” Proceedings of the Annual Relia-
bility and Maintainability Symposium, Philadelphia, PA: 315–321.
Dhillon B. S. 1989. “Modeling human errors in repairable sys-
tems.” Proceedings of the Annual Reliability and Maintainability
Symposium, January 24–26 1989, Atlanta, GA: 418–424.
Dynes, Russell S. 1994. “Community Emergency Planning: False
Assumptions and Inappropriate Analogies.” International Jour-
nal of Mass Emergencies and Disasters 12 (2): 141–158.
Dynes, R. and K. Tierney, eds. 1994. Disasters, Collective Behav-
ior, and Social Organization. London and Toronto: University
of Delaware Press, 71–84, 145–159.
El-Shahhat A.M., D.V. Rosowsky, and W.F. Chen.1995. “Account-
ing for human error during design and construction.” Jour-
nal of Architectural Engineering 1(2): 84–92.
Garin H. 1994. “AMDEC/AMDE/AEEL: l’essentiel de la méth-
ode.” Association française de normalisation, Paris: 39.
Gutteling, J. M. and O. Wiegman. 1996. Exploring Risk Commu-
nication. University of Twente: Kluwer Academic Publisher: 213.
Hadipriono F. C., C.L. Lim, and K.H. Wong. 1986. “Event tree
analysis to prevent failures in temporary structures.” Journal
of Construction Engineering and Management 112(4), Decem-
ber, 500–513.
Hubbert G. and B. Ledoux. 1999. Le coût du risque... L’évalua-
tion des impacts socio-économiques des inondations. Paris: Presses
de l’École Nationale des Ponts et Chaussées: 232.
IPCC (Intergovernmental Panel on Climate Change). 2001. “Cli-
mate Change 2001: The Scientific Basis.” Contribution of
Working Group I to the Third Assessment Report of the
Intergovernmental Panel on Climate Change. J. T. Houghton,
Y. Ding, D.J. Griggs, M. Noguer, P. J. van der Linden, and D.
Xiaosu, eds. Cambridge: Cambridge University Press: 944.
ISDF (Institut de Sûreté de Fonctionnement). 1994. “L’état de
l’art dans le domaine de la fiabilité humaine.” Octares édi-
tions, collection ISDF: 446.
Isenberg J. 1991. “Performance of lifeline and emergency response
in Watsonville, CA, to Loma Prieta earthquake.” Proceedings
of 4th US Workshop Earthquake Disaster Prevention Lifeline
System: 381–390.
Kaplan S. 1997. “The world of risk analysis.” Risk analysis 17:
407–417.
Kirwan B. 1994. A guide to practical human reliability assessment.
London: Taylor and Francis: 592.
Lau D.L. and others. 1995. “Performance of lifeline during the
1994 Northridge earthquake.” CJCE 22(2): 438–451.
Lavallée D., C. Marche, and T. Quach. 2000. “De nouvelles
approches pour quantifier le risque de rupture d’une retenue
d’eau.” Canadian Journal of Civil Engineering 27:1217–1229.
Law, Averill M. and David W. Kelton. 1991. Simulation Modeling
and Analysis. Columbus, OH: McGraw Hill: 221.
Leiss, William. 1996. “Three phases in risk communication prac-
tice.” In Annals of the Academy of Political and Social Science,
Special Issue, Challenges in Risk Assessment and Risk Manage-
ment. Thousand Oaks: 15–30.
Leiss, W. and C. Chociolko. 1994. Risk and Responsibility. Montreal:
McGill-Queen’s University Press: 405.
Leiss, W. and D. Krewski. 1989. “Risk Communication: Theory
and Practice.” In W. Leiss, ed., Prospects and Problems in Risk
270 Building Safer Cities: The Future of Disaster Risk
Communication. Waterloo: University of Waterloo Press, Water-
loo: 90–111.
Lemperiere F. 1993. “Dams that have failed by flooding: an analy-
sis of 70 failures.” International Water Power Dam Construction
45(9–10): 19–24.
Lemperiere F. 1999. “Risk analysis: What sort should be
applied and to which dams?” International Journal of Hydropower
Dams 6(4): 128–132.
Leverenz F. L., Chadwell G. Bradley, and S.D. Unwin. 1996.
“Process event tree based hazop studies.” Battelle Memorial
Institute. http://www.battelle.org/environment/irm/pdfs/pet-
hazop.pdf.
Middelkauf, R.D. 1989. “Regulating the safety of food.” Food
Tech 43: 296–307.
Modarres M., M. Kaminskiy, and V. Krivtsov. 1999. Reliability
Engineering and Risk Analysis. Quality and Reliability. New York:
Marcel Dekker: 542.
Moses F. 1998. “Probabilistic-based structural specifications.”
Risk Analysis 18(4): 445–454.
NASA. 1995. “System reliability assessment using block dia-
gramming methods.” Preferred Reliability Practices, Practice
No. PD-AP-1313: 5.
Nicolet J. L., and J. Celier. 1985. La fiabilité humaine dans l’en-
treprise. Collection le nouvel ordre économique. Paris: Masson:
302.
O’Leary S. 1997. “Concrete rehabilitation for dams.” Pro-
ceedings of International Conference on Hydropower 1610–
1622.
Petts, J. 1992. “Incineration risks perception and public con-
cern: Experience in the UK improving risk communication.”
Waste Management and Research 10: 169–182.
Plate E.J. 1996. “Dams and safety management at downstream
valleys.” Proceedings International NATO Workshop Dams Safety
Manage Downstream Valley: 27–43.
Porfiriev B.N. 1996. “Social aftermath and organizational response
to a major disaster: the case of the 1995 Sakhalin earthquake
in Russia.” Journal of Contingencies and Crisis Management 4(4):
218–227.
Powell, D. 1996. An Introduction to Risk Communication and the
Perception of Risk. Ontario: University of Guelph: 17.
ProVention Consortium. 2002. <http://www.proventionconsor-
tuim.org/objectives.htm>.
Quach T.T., J. Gagnon, B. Robert, and C. Marche. 2000. “Upper
Ottawa River: A Four Step Risk Assessment.” 20th Congress,
International Commission on Large Dams, Beijing, China, Sep-
tember 19–20, 2000. Q76-R32: 479–498.
Reason J. 1990. Human Error. Cambridge: Cambridge Univer-
sity Press: 302.
Reason J. 2000. “Human error: models and management.” British
Medical Journal 320: 768–770.
Renn, O. 1998. “The role of risk communication and public
dialogue for improving risk management.” Risk Decision and
Policy 3: 5–30.
Ridley, L.M. and J.D. Andrews. 2000. “Reliability of Sequential
Systems Using the Cause-Consequence Diagram Method.”
Proceedings of the 14th Advances in Reliability Technology Sym-
posium, Manchester, November. Available from <http://www.
lboro.ac.uk/departments/ma/preprints/papers01/01–26.pdf>.
RNC (Ressources Naturelles Cananda). 2002. “Programme de
Séismologie des Tremblements de Terre (PSTT).” Ressources
Naturelles Canada. Available from <http://www.seismo.emr.ca/
zoning/haz_f.html>.
Robert, B. 2001a. “A Method for the Study of Cascading Effects
Within Lifeline Networks.” Workshop on Mitigating the Vul-
nerability of Critical Infrastructure to Catastrophic Failures,
Alexandria, Virginia, September 10–11. Available from
<http://www.ari.vt.edu/workshop/>.
Robert, B. 2001b. “Outils d’aide à la décision pour les plans
de gestion des aménagements hydroélectriques.” Proceedings
of CDA Annual Conference. Fredericton, Canada, October:
39–46.
Robert, B., C. Marche, and J. Rousselle. 2002a. “Computeriza-
tion and use of flood impact curves.” ICLR Research, Paper
Series XX. Institute for Catastrophic Loss Reduction, April.
Robert, B. 2002b. “Étude des risques et des effets domino pro-
duits par la défaillance d’un aménagement hydroélectrique.”
Proceedings of Annual Conference of the Canadian Society for Civil
Engineering, June.
Rowe, W.D. 1997. An Anatomy of Risk. Wiley Series in System
Engineering and Analysis. New York: John Wiley and Sons:
256.
Seidou, O. 2002. “Intégration du risque dans les modes de ges-
tion des systèmes hydriques.” Philosophiae Doctor Thesis
(Ph.D.), École Polytechnique de Montréal, Canada: 251.
Selcuk A.S. and Y.M. Semih. 1999. “Reliability of lifeline net-
works under seismic hazard.” Reliability Engineering System
Safety 65(3): 213–227.
Stedinger, J.R., D.C. Heath, and K. Thompson. 1996. “Risk analy-
sis and safety evaluation: hydrologic risk.” Report No. 96-13-
16:51. Institute of Water Resources.
Suokas J. and V. Rouhiainen. 1993. Quality Management of
Safety and Risk Analysis. Elsevier Science Publishers BV: 296.
A New Structural Approach for the Study of Domino Effects between Life Support Networks 271
Tyagi A. and C.T. Haan. 2001. “Reliability, Risk, and Uncer-
tainty Analysis Using Generic Expectation Functions.” Jour-
nal of Environmental Engineering 127(10), October: 938–945.
United Nations. 1984. “Proceedings, Engineering Foundation
Conference: Maintenance and Rehabilitation of Dams.” Water
Resources Series No. 58. New York: United Nations: 117.
US NRC (United States National Research Council). 1989.
“Improving risk communication.” Committee on Risk Per-
ception and Communication. Washington, D.C.: National
Academy Press: 332.
World Bank. 2000. World Development Report 2000/2001: Attack-
ing Poverty. Available from <http://www.worldbank.org/
poverty/wdrpoverty/report/>.
Zielinski, P.A. 2001. “Flood frequency analysis in dam safety
assessment.” Proceedings of CDA Annual Conference, Frederic-
ton, Canada, October: 79–86.
272 Building Safer Cities: The Future of Disaster Risk
