Considered parameters by group.
The need for scientific methodologies to assess quantitatively the resilience of critical infrastructures against natural hazards (like earthquakes, floods, storms, landslides and wildfires) during the last decade has become a relevant aspect for several countries and for the European Union. In fact, this quantification could allow setting and implementing effective measures to prevent or mitigate the negative socio-economic effects that a possible disruption of these infrastructures, caused by extreme natural events, could cause. This paper focuses, in particular, on energy corridors and proposes a new approach for evaluating their resilience, based on the definition of a criticality index able to estimate the economic damage associated to all the hazards by taking into account the spatial dimension of the infrastructure and by combining different interdependent parameters that could affect the criticality level. The procedure was tested by means of an application to a simplified case study. The obtained results highlighted the main advantages of the defined method, especially in ranking the critical sections of the infrastructure and prioritising the investments for reinforcing and protecting it or in identifying the further tests to be performed, especially in the case of a reassessment of the acceptable risk limit.
- critical infrastructures
- risk acceptability
- natural event
- criticality index
- energy corridors
The reduction in the vulnerability to all the possible hazards (in many cases unpredictable) that could damage Critical Infrastructures (CIs) by improving the level of their protection and by increasing their resilience is one of the main goals of the European Union. The objective is to limit as much as possible the probability of widespread negative effects on EU’s citizens and economy by ensuring services even in the case of significant disruptive events, coherently with the objectives of the Stockholm Programme  and of the EU Internal Security Strategy .
The United Nations International Strategy for Disaster Reduction (UNISDR) defined the resilience as “the ability of a system, community or society exposed to hazards to resist, absorb, accommodate to and recover from the effects of a hazard in a timely and efficient manner, including through the preservation and restoration of its essential basic structures and functions” . This general statement applies also to the CIs.
According to the definition firstly given by the European Community in the 2004 Communication on “Critical Infrastructure Protection in the fight against terrorism” , the Critical Infrastructures are crucial systems, facilities, networks or assets which disruption would lead to relevant impacts on the socio-economic condition and development of a Member State (MS). For enhancing their protection not only against terrorism, but also against all the other hazards (thus including natural disasters), the European Programme for Critical Infrastructure Protections (EPCIP) was set [5, 6]. The aim of this programme was to define a general framework based on several principles including subsidiarity, sector-by-sector approach, complementarity, confidentiality, proportionality and stakeholder cooperation. It focused on the identification of the European Critical Infrastructures (ECI) defined as CIs located in EU’s MS which disruption would significantly affect at least two MS . It also addressed their possible interdependencies, the assessment of their risk by means of common approaches, the measures that could be set to improve their protection, the impacts that hazards and accidents external to EU’s borders could have on the EU, the contingency plans to reduce or mitigate the negative effects of CI disruptions .
One of the most relevant documents for the implementation of the ECIP is the 2008 Directive on “the identification and designation of European critical infrastructures and the assessment of the need to improve their protection” . It represents the first approach to identify ECI and to evaluate the need for increasing their protection level, and it refers to only two specific sectors (energy and transport), pointing out the necessity of future reviews meant to include other sectors, like the information and communication technology (ICT) one. It also requires owners/operators of the identified ECI to produce Operator Security Plans (OSP), which define the options existing or being implemented for the ECI protection.
In 2013, a revision of the EPCIP was introduced , aiming at organising the implementation of the activities along three work streams (prevention, preparedness and response), at deepening the analysis of the interdependencies (both cross-sector and cross-border) and at taking into account critical ICT infrastructures and their relationship with other CIs (especially electricity generation and transmission infrastructures).
In 2017, an evaluation aiming at assessing the implementation of the 2008 Directive and focusing on its relevance, coherence, effectiveness, efficiency, EU added value and sustainability has been launched by the European Commission. The assessment process ended in 2019. It puts into evidence the need of revising the Directive, including further sectors besides the energy and transport ones and taking into account the interdependencies among sectors. Furthermore, it highlights the relevance that new threats – including those related to the artificial intelligence, the introduction of advanced ICT solutions that can create new vulnerabilities and the involvement of third countries in the ownership and operation of CIs – can assume [9, 10].
In order to effectively enhance the protection of CIs, quantitative methodologies, able to evaluate their resilience and to assess, in a holistic way, the different dimensions involved are needed. In particular, the approaches proposed in the scientific literature focus on some key aspects related to the concept of infrastructure resilience, namely: ad hoc risk assessment methodologies for quantifying the resilience of CIs, interlinks and interdependencies among CIs, analysis of the infrastructure vulnerability with respect to different kind of threats. Some of these approaches also try to assess the multi-dimensional (energy, social, environmental and economic) impacts due to disruptive events involving CIs.
Considering the quantitative methodologies for evaluating the resilience of CIs, two studies prepared by the JRC can be firstly mentioned. In particular, Galbusera et al.  proposed a feasibility study for the application of stress tests (like those adopted in the nuclear and economic sectors) to the evaluation of CI resilience against several hazards. Giannopoulos et al.  carried out an analysis of the state of the art related to the risk assessment methodologies that could be useful for the protection of CIs. A general approach to risk analysis and management of system-of systems can be found in the studies performed by Haimes et al.  and by Ariel Pinto et al. . Eusgeld et al.  analysed instead the alternative modelling options (integrated and coupled models) for system-of-systems and proposed a specific High Level Architecture (HLA) for modelling Supervisory Control and Data Acquisition (SCADA) and “System under Control” (SuC, like gas supply system or power supply system). Labaka et al. [20, 21] suggested a holistic framework (based on the identification of resilience policies, on their influence and on the methodology for their implementation) aiming at increasing the resilience of CIs by identifying their resilience level, their weaknesses and the possible improvements to be implemented. Mao et al.  highlighted that different measures aiming at increasing the resilience of CIs can be coherent or conflicting among each other, due to a missing systemic approach. Consequently, they proposed a framework based on a quality function deployment (QFD) that takes into account the correlations between resilience improvement actions at different stages of the CIs lifecycle. Nan et al.  proposed a method for resilience estimation, which combines a hybrid multi-layer model (for capturing the interaction between different subsystems) and an integrated metric (for the quantification of the resilience, considering the different resilience capabilities). Ouyang et al.  focused on the CIs protection, starting from the actions that can be adopted to protect weak system components before a disruptive event happens and comparing the robustness-based approach (mainly related to the remaining functionality level of the system after the event and before the restoration) and the resilience-based approach (which includes the possible restoration path and the related rapidity).
The opportunity to model infrastructure networks as interconnected system-of-systems in order to properly describe the cascade effects due to their strong interdependencies has been underlined by several authors. Theocharidou et al.  suggested a new methodology – called CRitical Infrastructures & Systems Risk and Resilience Assessment Methodology (CRISRRAM) – developed in an all-hazard perspective and based on a system-of-systems approach (a definition of system-of-systems can be found in ), which introduces three layers (society, asset and system) and evaluates the direct or indirect effects on economy, environment and citizens caused by the hazards considered in each scenario. Another approach based on the system-of-systems concept, a Monte Carlo simulation and a Hierarchical Graph representation of the interdependent CIs is the one described by Ferrario et al. , which was applied to two case studies – concerning respectively small electric and gas grids (plus a SCADA system) and a large electrical distribution network – for the evaluation of their robustness. Kröger et al.  and Zio [29, 30] furtherly suggested an approach – helpful in CI protection – based on the risk and vulnerability concepts and able to allow the identification of possible vulnerabilities (both evident and hidden), thus avoiding the failures that could originate when the CIs are subject to hazards of multiple nature. Johansson et al. also focused on the opportunity to use vulnerability analyses to complete reliability studies of CIs  and demonstrated it by applying a Monte Carlo approach for reliability analyses and a vulnerability analysis to an electric power system. Moreover, Johansson et al.  proposed a model that could be useful in the framework of vulnerability analyses of interdependent infrastructures that are described by both a network model (based on the graph theory) and a functional model. Stergiopoulos et al.  explored the interdependencies among CIs that cause cascading effects in the case of failure. For this purpose, the authors started from the dependency risk methodology proposed by Kotzanikolaou et al. [34, 35] and introduced graph centrality metrics in order to identify the nodes that mainly affect the risk paths and that can thus be controlled in order to improve risk mitigation. Furthermore, Stergiopoulos et al.  extended the studies performed by Kotzanikolaou et al. [34, 35, 37] by considering the time evolution of each dependency (using fuzzy models) and the concurrent common-cause cascading failures, developing a supporting tool for decision making (named CIDA, i.e. Critical Infrastructure Dependency Analysis). This tool can be useful in assessing the CI’s resilience under different scenarios and the effectiveness of possible mitigation actions. Fu et al.  also focused on the opportunity of treating infrastructure networks as interdependent system-of-systems, while Utne et al.  proposed a methodological approach to model the interdependencies among CIs built starting from the use of relatively simple cascade diagrams. Furthermore, the JRC developed the Geospatial Risk and Resilience Assessment Platform (GRRASP), a graphical tool for analysing network systems that can be adopted to identify the critical elements of the network and to evaluate the cascading effects of CI disruptions, taking into account cross-sectoral and cross-border interdependencies .
Finally, with reference to the impact analysis of different threats on CIs, specific models have been developed in order to assess the physical security and the resilience of CIs themselves against single kinds of hazards. In particular, Khalil et al.  focused on the modelling of physical security of CIs under attack scenarios by using a Monte Carlo-based probabilistic dynamic approach. Urlainis et al.  implemented instead a supporting tool for decision making suitable to evaluate the risk related to oil & gas critical infrastructures after the occurrence of a seismic event. This tool adopts fault-trees, decision trees and fragility curves and allows the identification of the most critical sections of the analysed system based on the damage state of its components. Shakou et al.  proposed a framework for increasing the resilience of CIs with respect to climate change phenomena, based on different timescales and promoting flexibility, modularisation and diversification.
In comparison with the mentioned studies available in the scientific literature, the new methodological approach proposed in this paper mainly focuses on single large infrastructures (like energy corridors for oil and gas supply) and aims at taking into account their geographical dimension, allowing analyses characterised by a high spatial granularity. Furthermore, the proposed procedure is able to consider the most relevant interdependencies among the parameters that could impact on the criticality of an infrastructure with a simple mathematical formulation. Therefore, this work aims at being a supporting tool not only for infrastructures management companies and for the civil protection but also for public administrations.
The paper considers the energy CIs: according to the 2008 EU Directive, this category includes facilities and infrastructures for power generation and transmission, for oil and gas production, treatment, storage and transmission and LNG terminals . In particular, it focuses on the energy corridors (oil and gas pipelines, power lines).
Its goal is to define a methodology for the evaluation of a criticality index, related to the failure of an energy infrastructure due to extreme natural hazards like earthquakes, floods, storms, landslides and wildfires. This criticality index is useful to assess the criticality level of each section of the infrastructure itself (taking into account its spatial dimension) with respect to the socio-economic damage (measured in economic unit) caused by the failure. Furthermore, the possibility to estimate the distance from the criticality status even in case of non-critical scenarios and to compare the criticality condition with a risk acceptability criterion (identifying – for the most critical sections – the need for undergoing structural tests) could give a valuable support in prioritising investments and in defining suitable countermeasures and protective actions.
The proposed approach starts from the concept of energy corridor. A corridor can be defined as an extensive infrastructure (like natural gas and oil pipelines and large power lines), characterised by a start point and an end point, that links production/refining facilities with distribution hubs. Energy corridors are usually strategic elements for the economy of the countries that are connected to them, and their influence spreads over a large area not limited to the geographical neighbourhood of the infrastructure. In a future world that is expected to be increasingly interconnected with large scale energy markets, the role of energy corridors could become crucial: the diversification of the sources and the possibility to ensure the functionality of the infrastructures could significantly impact on the security of energy supply and on the economic systems of several countries, especially those characterised by a high level of energy import dependency.
For these reasons, the quantitative evaluation of the resilience of the energy corridors against possible adverse events through the numerical estimation of their criticality level and the simultaneous identification of suitable criteria for risk acceptability are essential in order to identify the sections that require attention and investments for preventing potentially severe failures which could impact on the GDP (Gross Domestic Product) with losses at different scales.
According to the methodology described in the following sections, a set of parameters influencing the criticality status of the corridor and their interdependencies have been firstly defined (Section 2.1). A relationship linking these parameters has then been built to define a new Criticality Index (Section 2.2). A criterion for the risk acceptability (Section 2.3) and the application of the whole procedure to a simplified case study have been eventually discussed (Section 3).
2.1 Identification of the parameters and their interdependencies
The proposed methodology focuses on the quantitative assessment of the criticality of a single section of an energy corridor under an all-hazard perspective, i.e. with respect to all the possible extreme natural events.
For this purpose, the first step has been represented by the definition of a set of parameters that could affect the criticality level of an energy infrastructure, by their clustering into different groups and by the analysis of their interdependencies. Moreover, in order to take into account the spatial dimension of the energy corridors, the possible dependency of each parameter on the geographical position zc (ranging between 0 and the corridor length lc and measured in km) along the corridor itself has been explored. In fact, an infrastructure like a pipeline can typically run over long lengths and the natural environment surrounding it could significantly change along the route: consequently, certain natural hazards could be considered only for a limited set of branches and not for the overall length of the corridor. Eventually, the effects of a variation in the value of each parameter on the damage have been estimated. In particular, in this study 15 parameters and 4 groups (“Event related”, “Corridor related”, “Backup sources related” and “Users related”) have been considered: the parameters taken into account are listed in Table 1 and the dependency matrix is shown in Table 2. The interdependencies are identified assuming as increasing the value of each independent parameter and reporting the effect on the dependent parameter (decreasing or increasing when the independent parameter increases). The table reports also the effect of each parameter on damage.
|1. Event related|
|p||Probability to involve more than a single facility||—|
|λ||Damage distance (measure of the potential damage area of the event)||km|
|τ||Time scale of the event (measure of its duration)||s|
|s||Seasonal factor (influence of the season on the event)||—|
|2. Corridor related|
|lc||Length of the corridor||km|
|cp,c||Peak capacity of the corridor||GJ/s|
|3. Backup sources related|
|db||Distance between a single source and the corridor||km|
|cp,b||Peak capacity of the source||GJ/s|
|rm,b||Minimum available reserves for the single source||GJ|
|αb||Availability of the source||—|
|αtec||Technical availability of the source||—|
|4. Users related|
|αi||Availability of interruptible capacity||—|
|e||Energy intensity for the considered commodity||€/GJ|
|Parameter||Description||Dependency on the position zc||Effects on damage||Inter-dependencies|
|↑||↓||↑ with||↓ with|
|p||Probability to involve more facilities||X||X||λ||db|
|τ||Event time scale||X||s||s|
|cp,c||Corridor peak capacity||X||s||s|
|RT||Repair time||X||X||τ, s||s|
|cp,b||Source peak capacity||X||s||s|
|rm,b||Minimum reserve of the source||X||s||s|
|αb||Availability of the source||X||X||s, db||λ, s|
|αi||Availability of i||X||s||s|
Referring to Group 1, the seasonality s – that represents the variability of the considered natural event across the year – is the parameter that mainly affects the other ones. The probability p that the natural event could have an impact not only on the analysed corridor but also on other infrastructures supplying the same commodity (backup sources) is strictly related to the magnitude of the event itself and on the geographical context: it depends on the distance between the corridor (or corridor branch) and the considered backup source and on the potential damage area for the considered event, quantified through the damage distance λ. All the facilities located at a distance lower than or equal to λ are certainly involved by the event to such a degree that their functionality is lost.
In general, an increase in all the parameters related to the corridor (Group 2) causes an increase in the potential damage. It has to be highlighted that RT – which includes not only the time needed to repair the infrastructure but also the time for reaching the damaged section of the corridor and the time to get the requested spare parts – depends not only on the season but also on the temporal and spatial scale of the event: the greater the geographical extension of the natural event and its duration, the longer the time needed to reach the damaged section.
As it can be reasonably expected, an increase in the parameters related to the availability of backup sources causes a decrease in the damage. It can be underlined that the average distance between the backup sources provides information about the probability that a backup source could be involved in the considered extreme event: in fact, the higher the value of this parameter, the lower the probability. The availability of these sources depends not only on the seasonality, but also indirectly on the distance between the corridor and the source: in particular, it increases if the source is far from the epicentre of the event.
Considering Group 4, the parameters are related with the reference market: in case of a possible corridor failure, the market operator could decide a supply interruption for some selected users, in order to reduce the load of the considered infrastructure; the interruptible capacity could depend on the season. The energy intensity e (i.e. the amount of energy needed to produce a unit of GDP), instead, gives a measure of the importance of the commodity delivered by the considered corridor, allowing to quantify the economic damage deriving from the supply lost as a consequence of an extreme event.
It can be highlighted that the event related parameters can be evaluated on the basis of geological surveys and studies on natural hazards with respect to the specific site analysed. Among them, the probability of involving more facilities needs ad hoc formulations and cannot be generically expressed by means of a single mathematical relationship (as further discussed in Section 2.2). The majority of the corridor related and the backup sources related parameters are instead technical data that are usually available for the specific infrastructures considered. Only the repair time should be estimated by means of suitable databases or specific investigations (Maintainability Analyses). Eventually, referring to the users related parameters, the interruptible capacity is an information that should be known as depending on already signed contracts and agreements, while the energy intensity for the commodity carried by the corridor can be obtained from statistical sources.
Furthermore, for the proposed method, the corridor can be assumed as one-dimensional, i.e. only characterised by the running coordinate zc . This is because only the position along the corridor, the distance between the backup sources with respect to the corridor and the distance between the epicentre of the considered natural hazard and the corridor itself are relevant for the analysis.
2.2 Definition of the criticality index
Starting from the parameters and interdependencies identified in Section 2.1, in order to define a criticality index able to quantify the criticality of a single branch/corridor, a relationship expressing the socio-economic damage D due to a certain extreme natural hazard has been defined (Eq. (1)). It expresses the damage D in the section of the branch/corridor identified by the coordinate zc (running over the corridor length, from 0 to lc ).
Eq. (1) defines the economic value of the share of the commodity carried by corridor c over the emergency time period (identified by RT) that cannot be directly delivered notwithstanding the contribution of interruptible users and the availability of backup sources. In fact, focusing on the square bracket in the equation:
the term cp,c identifies the maximum amount of commodity that can be delivered per second in season s and that is lost due to the failure; as a consequence, the product between cp,c and RT defines the amount of energy unavailable during the repair time after the adverse event that caused the corridor failure
the product between αi , i and RT defines the part of this supply that can be avoided during the emergency due to the fact that some users are interruptible
the product between αb , cp,b and Tb corresponds to the amount of energy commodity that can be certainly supplied by the backup sources during the repair time.
Referring to the probability that the event could involve other facilities (in particular, the backup sources) than the considered corridor, this can be expressed by several relationships or by more complex considerations that do not allow a simple mathematical formulation according to the different classes of natural events. For example, in the case of a river flood, p is a function not only of the distance between the corridor and the facility but also of the distance between the river and the facility. Furthermore, p is equal to 0 if the considered facility is outside the boundaries of the natural hazard, regardless of the distance between the source and the corridor. A possible relationship that can be adopted for some classes of events, like earthquakes, is the one expressed in Eq. (4) where the possible involved facilities are supposed to be the backup sources b. If the distance between the backup source and the corridor db is lower than the damage distance λ, the facility is assumed to be certainly involved by the event. If the distance db is higher than λ (i.e. the facility is located outside the potential damage area) the probability that the facility is involved by the event decreases in a proportional way with the increase of db .
Moreover, it has to be highlighted that Eq. (1) is defined if
as, from the risk analysis point of view, the damage D has to be positively defined. A negative value of D means that the corresponding corridor section is not critical: negative values of this term could be obtained, for instance, in the case that no other facilities are involved by the natural event and the loss of corridor capacity is completely supplied by backup sources.
For this reason, the proposed relationship for defining the criticality index CI as a function of the socio-economic damage is the one reported in Eq. (5):
In this case, CI does not correspond to an economic value of the damage caused by the considered event (like D), but it allows to associate a numerical value also to the corridor sections that are not strictly critical (i.e. those for which D is negative) thus measuring their “proximity” to a real potential damage and ranking them according to a criticality perspective, as the safety margins progressively reduce when a negative value of D approximates to 0.
As it can be noticed, the CI relationship is built in order to have and CI = 1 for D = 0 (i.e., when the infrastructure status changes from “non-critical” to “critical”).
A graphical representation of CI as a function of D can be observed in Figure 1.
2.3 Criteria for risk acceptability
In the scientific literature, few studies are available to identify risk acceptability criteria for the socio-economic risk, and the differences among the economic systems do not allow to define easy procedures suitable to be applied to different contexts (like developed, developing and less developed countries).
For this reason, in the present paper a specific criterion has been proposed, based on the overall economic estimation of damages due to natural events, which takes into account both direct (i.e. to houses, infrastructures, industrial facilities, etc.) and indirect (i.e. productive losses, lack of basic services to population) damages.
According to the Munich Re insurance company statistical data, related to the global natural loss events worldwide (including geographical, meteorological, hydrological and climatological events) over the period 1980–2015 , the 2015 overall losses accounted for about 0.14% of the global GDP (GDP data from World Bank statistics ). However, during previous years significantly higher percentage values have been reached, in particular in 2011 (mostly due to the Tōhoku earthquake and tsunami in Japan), when the losses peaked at about 380 billion US dollars, and in 2005, mainly related to the hurricane Katrina in the U.S.. These two events, in particular, highlight that extreme events involving developed countries generally lead to more relevant economic effects even at a global scale.
The proposed expression for the acceptable annual economic damage related to a certain corridor is evaluated as a fraction of the annual GDP, by taking into account the contribution of the energy sector to the GDP composition, the contribution of the analysed corridor to the overall energy supply of the country/area, the weight of the economic losses due to an extreme natural event.
The contribution of the energy sector to the GDP is expressed by the fen factor, defined as:
The contribution of the analysed corridor to the regional energy supply is given by the economic value of the commodity carried by the corridor c per year; the factor fc , is defined as:
EVc : economic value of energy commodity delivered by corridor c
The annual value of economic losses and expenditures related to the failure of the corridor c due to the natural event ne is assumed as the maximum acceptable risk, and the factor fne is defined as:
Lne : total economic losses and expenditures due to the natural event ne.
As no statistical data is available to evaluate the expenditures and economic losses for a specific natural event ne causing the failure of corridor c, the average value fne , defined at regional/country scale, is used as equivalent of the “local” ratio between the annual economic losses and expenditures associated to the failure of corridor c and the economic value EVc of the commodity carried by c per year.
The previously described steps can be summarised into a single relationship (Eq. (9)), which allows to quantify the current economic risk in terms of monetary losses as a consequence of the adverse natural event ne:
It has to be highlighted that specific estimations of the total economic losses and expenditures Lne are not commonly available as public data and should be provided by insurance companies.
Once the current risk is defined, the maximum tolerable frequency (number of events per year) for a given damage in the corridor section identified by the coordinate zc is assessed by adopting a graphical approach which starts from the previously defined Criticality Index (i.e. the economic value of the damage caused by the service disruption due to the analysed event) (Figure 2).
From the obtained maximum acceptable frequency, the corresponding event intensity can be evaluated using the frequency-intensity curve, which is characteristic for each class of events (Figure 3).
Several studies are available in literature regarding the relationship between the frequency and the intensity (or magnitude) of natural events. For example purpose, the ones performed by Hungr et al. , Jakob et al. [49, 50], Riley et al.  (related to the debris flow landslides), Hooke , Zhang et al.  (focusing on floods), and Papadakis  (considering earthquakes in Greece) can be mentioned.
In general terms, the intensity is associated to specific characteristics of the considered event (like the peak ground acceleration for the earthquakes, the maximum water level for floods, the maximum wind speed for storms and the heat flux for fires) and the link between intensity and frequency is evaluated on the basis of historical data analyses.
The obtained intensity has to be compared with the design limit value for the analysed infrastructure.
It has to be further underlined that Ra represents the current overall risk related to the event ne. If a lower limit for risk acceptability for that event is desired, a reassessment (i.e. a reduction) has to be performed, according to Eq. (10).
R’a : reassessed limit for risk acceptability (see Figure 2)
αne : reassessment factor for the definition of the limit for risk acceptability related to the class of natural events ne; α ∈ [0,1]
In this case, the same CI value corresponds to a lower maximum acceptable frequency, which – in turn – corresponds to a higher intensity that could exceed the design conditions of the infrastructure. In such a situation, new structural analyses have to be performed in order to verify its resilience and the possible need for mitigation actions, such as structural reinforcement, redundancy or relocation.
3. Case study and results discussion
The methodological approach described in Section 2 has been tested by applying it to a simplified case study. The main assumptions adopted can be summarised as follows:
an ideal corridor and related surrounding environment have been taken into account;
only two classes of extreme natural events (river floods and earthquakes) have been considered;
three backup sources are available, able to cover the load for the entire period of unavailability of the corridor; these alternative sources are independent from the corridor itself;
there is no interruptible capacity;
a reassessment of the limit for risk acceptability has been assumed, with a risk reduction of one order of magnitude.
|p1,f||Probability to involve backup source 1 – flooding||0.5||—|
|p2,f||Probability to involve backup source 2 – flooding||0.5||—|
|p3,f||Probability to involve backup source 3 – flooding||0||—|
|λe||Earthquake damage distance||5||km|
|λf||Flooding damage distance||5||km|
|s||Seasonal factor (influence of the season on the event)||0||—|
|cp,c||Peak capacity of the corridor||100||J/h|
|cm,b1||Minimum operative margin in capacity – backup source 1||50||J/h|
|cm,b2||Minimum operative margin in capacity – backup source 2||35||J/h|
|cm,b3||Minimum operative margin in capacity – backup source 3||45||J/h|
|αt,b1||Technical availability of the backup source 1||0.95||—|
|αt,b2||Technical availability of the backup source 2||0.95||—|
|αt,b3||Technical availability of the backup source 3||0.95||—|
|e||Energy intensity for the considered commodity||1||€/J|
|DBE||Magnitude of the design base earthquake||4.8|
|DBF||Maximum discharge of the design base flood||2000||m3/s|
|Ra||Current risk value||1||€/y|
|R’ a||Reassessed limit for risk acceptability||0.1||€/y|
It has to be underlined that, in this simplified case study, the values of the parameters have been chosen in order to be realistic but they are not corresponding to a real case. In particular, all the parameters have been assumed to be seasonally independent. Furthermore, the values have been set in order to describe a realistic configuration from a physical point of view, while from the economic perspective a unitary value for current risk limit (1 €/y) has been selected mainly due to the unavailability of specific public data on the total economic losses and expenditures. In the reassessment of the limit for risk acceptability, the hypothesis of reducing it by an order of magnitude has been made. In general, if the proposed procedure is applied to a real system, the evaluation of the parameters should be performed according to the considerations expressed in Section 2.1.
The obtained CI (z c ) is shown in Figure 5 for both earthquake (E) and flooding (F) events. In particular, it can be observed that the corridor sections characterised by the highest CI values are those close to the backup sources in the seismic area (in the case of earthquake event) and to the river (in the case of flooding event). The sections where CI < 1 are those corresponding to a damage D < 0, i.e. the capacity of the backup sources is more than the one requested to ensure the coverage of the load in the case of unavailability of the corridor.
However, it has to be remarked that all the sections characterised by CI value slightly lower than 1 have to be considered as they are close to a critical condition.
Referring to the evolution of the availability parameter αb (s,p) for the three backup sources, it can be noticed (Figure 6) that the lower the distance between the corridor and the source, the lower the availability: this is because if the natural event involves an area in which the corridor and the backup are close to each other, the probability for the backup source to be damaged is higher, and so its availability is lower.
Figure 7(a) shows the frequency-CI curves corresponding to the original limit for risk acceptability and to the reassessed one. Figures 7(b) and (c) represent the frequency-magnitude curves, which have been built by using two different approaches for the two considered classes of natural events:
the Gutenberg-Richter law  in the case of earthquakes;
a logarithmic relationship based on the one proposed by Wald et al.  in the case of flooding.
The vertical lines correspond to the design base earthquake magnitude (DBE) and flood (DBF) for the corridor.
Starting from these curves and from the previously defined CI evolution, the maximum acceptable frequencies and the related intensities for both earthquake and flood events and for both the original (E/F old) and reassessed (E/F new) limit for risk acceptability have been estimated, as reported in Figure 8.
As it can be observed in Figure 8a, the maximum acceptable frequency for earthquakes reaches its minimum value (corresponding to the maximum intensity, visible in Figure 8b) in the section where the corridor and the backup source 3 are closest each other and are both affected by the natural event (p = 1 in Eq. (4)). Furthermore, it can be observed that in the case of reassessed risk limit the intensity is beyond the design condition (DBE, Figure 8b), thus leading to the need for performing tests in order to assess the robustness of the involved corridor section and to define suitable mitigation actions. The same considerations are valid for the flood (Figure 8c and d): the main difference is that – in this case – in the most critical corridor section the intensity overcomes the design value also for the original risk limit (DBF, Figure 8d), requiring further resilience tests also without hypothesising a reassessment of the limit for risk acceptability.
As mentioned before, the values of the considered parameters have been assumed without a specific reference to a real case, as the goal of the analysed case study is to show the functioning and the applicability of the proposed methodology through a theoretical example. For this reason, an analysis of the uncertainties has not been performed. Future works aiming at deeply exploring the criticality of existing infrastructures will include this aspect, especially regarding the event related parameters, with a particular attention devoted to the probability that different facilities are involved. As previously discussed, in fact, this probability needs detailed and complex considerations to be properly quantified with respect to the specific natural hazard and site studied.
This simplified case study, however, shows the potentiality of this approach in evaluating the possible critical sections of the infrastructures, prioritising the investments and the interventions in reinforcing them and in making them resilient to adverse extreme natural events.
On the other hand, it also allows to identify some aspects that could be more deeply investigated in future studies in order to enhance the applicability to real cases and the effectiveness of the obtained results. In particular, among them, the unambiguous definition of the system boundaries can be mentioned. In fact, the identification of boundaries can be not easy in the case of meshed networks like natural gas distribution systems or power lines, for which it is difficult to define a single entry point and a single end point. Another relevant aspect is represented by the availability of complete and uniform databases for both the technical characteristics of the analysed infrastructures/backup sources and the classes of natural events affecting the environment surrounding the infrastructure.
The protection of Critical Infrastructures against extreme natural hazards by evaluating and improving their resilience is one of the main goals for many countries or groups of countries (like the EU). For this reason, methodologies able to quantify the possible criticalities of these infrastructures are needed to better plan and implement actions, countermeasures and investments allowing to limit or avoid the negative energy, social and economic consequences deriving from natural hazards impacts.
With respect to other studies available in the scientific literature, the approach proposed in this paper focuses on energy corridors and aims at defining a criticality index, which is a function of the spatial position along the analysed corridor, and so it is useful to quantify the criticality level for each section of the considered infrastructure. This index is able to take into account a large variety of parameters (related to the natural event, to the corridor, to the availability of alternative sources and to the involved users) and their interdependencies. The developed methodology can be an effective supporting tool for decision makers and public administrations, for companies that have to manage crucial infrastructures for energy commodities transport and for the civil protection, as it allows – through a simple mathematical formulation – to identify the sections of an energy corridor that are critical with respect to a specific natural hazard or that are close to a criticality status, thus defining priority areas of intervention, preventive investments, mitigation actions and ad hoc countermeasures.
The introduced criticality index assesses in a numerical way the socio-economic damage (measured in monetary units) due to the effects of an extreme natural event on the selected infrastructure and can be used to evaluate the maximum acceptable frequency and the corresponding intensity of the event itself, allowing a comparison with the design condition of the corridor.
Furthermore, the possibility to evaluate the criticality index also for negative damage values (i.e. for not critical configurations) permits to measure the distance from the criticality, allowing to pay preventive attention to those sections that are closer to critical situations.
In general, the described approach gives the opportunity of ranking the single branches of a corridor according to their criticality and for all the different natural hazards, and, as a consequence, it gives the authorities in charge of protecting critical infrastructures the opportunity of prioritising the interventions.
The implementation of this methodology on real cases requires specialists from different fields and complex information. This can be deduced also from the application to a simplified case study (considering one corridor and two extreme events). However, the case study has underlined the advantages of the procedure, especially if a reassessment of risk acceptability limit is introduced, because it puts into evidence the safety margin with respect to the design conditions or the need for performing structural tests, quantifying the infrastructure resilience.
Additional aspects should be deeply analysed in the case of an extensive application of the proposed methodology, including – in particular – the availability of complete and homogenous technological and environmental databases and the proper definition of the system boundaries that could be not trivial in the case of meshed networks like the natural gas distribution ones.
Further studies could also be devoted to the analysis of multi-risk scenarios, i.e. to the concurrent occurrence of two or more extreme natural events, defining suitable strategies to allocate the acceptable risk (for instance by taking into account the safety margins of the infrastructure, if they are present), in order to test the infrastructure resilience in the worst (and low-frequency) conceivable conditions.