Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
31 The key risk assessment approaches discussed in Section 3 that involve concrete models or methodologies with suffi cient documentation or available information are further charac- terized in the matrices here. These matrices are designed to facilitate selection of a model for application to a hazmat transportation stakeholderâs particular needs. Section 4.1 presents matrices of common hazmat transportation-related decisions with a general summary of the models available to support those decisions. Models within each matrix are pre- sented within two broad categories: those that apply to safety decisions and those that apply to security decisions. This categorization reflects the fundamental differences between the two types of decisions, which stem, in part, from focusing on events that are likely to occur at widely different rates, involve different kinds and availabilities of input data, and are often purposefully considered in isolation from one another. If any model appears within the matrices that can be applied to both safety and security decisions, that model is listed in both categories. Each model listed in the decision matrices is presented in greater detail in Section 4.2. The individual model matrices in that section characterize each risk assessment approach in terms of its uses, model elements, data requirements, outputs, strengths and weaknesses, availability, and potential barriers to its use. For readers wishing to develop an approach to applying risk assessment to their hazmat transportation issue or problem, the first step is to determine which of the decisions listed in the table below most closely match the decisions they need to make. More than one may apply. The next step is to review the information listed in Section 4.1 to identify a first cut at the models that may be candidates for consideration. Then, reviewing the more detailed information for each model in Section 4.2 may provide additional information to eliminate one or more models. The discussion may identify concerns that can be addressed by making adjustments to a modelâs approach, collecting additional data, or performing addi- tional analyses to supplement the information that can be obtained from the model(s). Additionally, below the name of each model listed in Sections 4.1 and 4.2, cross-references are provided to facilitate movement among the matrices and the discussions of modelsâ uses in Section 3. 4.1 Decision Matrices S e c t i o n 4 Characterization Decision Page Mode Choice Route Choice Facility Siting Packaging Selection Alternate Product Selection Emergency Management Resource Planning Operational Changes Security Measure Identiï¬cation, Prioritization and Evaluation 32 Security Risk Situational Awareness 34 39 41 43 44 46 49 51
32 Name ------------------------------------------------------------------------------- ----- Sponsor/Developer Mode Input(s) Output(s) Key Aspects CCPS Guidelines: Risk Prioritization Process See also §3.3.1, 4.2.4 --------------------- Center for Chemical Process Safety Highway Rail Marine Air Pipeline Subjective selections for frequency (based on exposure), probability (can be based on past history), and consequence that should not require specialized data or analyses. The screening model provides a single risk score. Ranges are deï¬ned for serious, high, medium, and low. High-level screening process that can determine whether more detailed assessment is warranted. Would be comparing scores for diï¬erent modal options. CCPS Guidelines: Qualitative Risk Assessment Process See also §3.3.1, 4.2.2 --------------------- Center for Chemical Process Safety Highway Rail Marine Air Pipeline Benchmarking data from other companies or operations. The information that can be included is quite varied and includes chemical hazards, industry experience, container design and operating practices, and safety and security. List of actions to address, including the need for more detailed analysis. Benchmarking may indicate whether additional risk mitigation actions are necessary to close gaps as compared to the industry leader. The focus is more on the process used to select among alternatives than on the selection itself. Do peers use risk prioritization or quantitative analyses, for example? CCPS Guidelines: Semi-Quantitative Risk Assessment Process See also §3.3.1, 4.2.7 --------------------- Center for Chemical Process Safety Highway Rail Marine Air Pipeline Quantify or weight the frequency-related elements and develop scenarios with accompanying release size and probability estimates. Consequences are quantiï¬ed from model input data, including the scenario deï¬nitions and sensitive areas along the routes. For risk indexes, the result for each option is a single value. For risk matrices, the result for each option is a single risk priority value. Adds quantiï¬cation where needed to make an informed decision. Cost- eï¬ective because not all elements need to be quantiï¬ed. Risk indices or matrices provide easy means to combine the diï¬erent elements of risk without a formal calculation. CCPS Guidelines: Quantitative Risk Assessment Process See also §3.3.1, 4.2.3 --------------------- Center for Chemical Process Safety Highway Rail Marine Air Pipeline Quantity per shipment, annual shipments, loaded vs. empty miles, Infrastructure characteristics needed for accident rate calculations. Conditional probability of release after an incident, the range of release sizes to consider, the probabilities of diï¬erent release types (e.g., jet ï¬re, pool ï¬re, ï¬ash ï¬re, toxic gas, explosion, or no impact). Generally, three types: ⢠Risk indices ⢠Individual risk (contours, maximums, averages for exposed or total population) ⢠Societal risk (usually expressed as F-N curves) Depending on the form of the output, can provide annual risk values, distribution of people exposed to diï¬erent risk levels, or societal risks. High- consequence/low-probability and low-consequence/high-probability events can be represented. Population characteristics (including representative densities or detailed Census data) along the route, material hazard information, impact area; the âendpointâ criteria for the diï¬erent types of hazards: ⢠Toxic chemical exposure ⢠Vapor cloud explosion ⢠Flammability hazards ⢠Flash ï¬res Chemical Manufacturer Risk Assessment Framework See also §3.3.4, 4.2.8 --------------------- Large Chemical/Plastics Manufacturer Highway Rail Marine Pipeline (inbound only) Considers trip length, past experience, shipment size, available packaging, third- party consequence data (sensitive areas along their routes, presence of bridges and tunnels). Chemical property information is internal. Reports are generated for the corporate operations department and sometimes include risk matrices. Considers all modes for their shipments (at least two are available at all locations). Risk assessments triggered by any change in distribution, and are usually only qualitative. RADTRAN See also §3.4.1.2, 4.2.8 --------------------- Department of Energy, Oï¬ce of Environmental Management, Sandia National Laboratories Highway Rail Marine Users are able to input and adjust over 70 data points to customize how the tool calculates incident-free exposure along with risk of exposure from accident or sabotage. Key inputs with regard to assessing the exposure risk along a set route: ⢠Population density Expected Radiological Exposure/Consequence over set route during a shipping campaign. Exposure data is output according to: ⢠Groundshine ⢠Cloudshine Strengths: ⢠Highly customizable by user (over 70 individual data points that can be input or adjusted by the user). ⢠Users can adjust the parameters surrounding the probability and eï¬ects of an accident. ⢠Fatalities per accident Sa fe ty 4.1.1 Mode Choice
33 Name ------------------------------------------------------------------------------- ----- Sponsor/Developer Mode Input(s) Output(s) Key Aspects ⢠Weather conditions ⢠Probability fractions of event ⢠Packaging data Additionally, TRAGIS data can easily be inputted into RADTRAN. ⢠Inhalation ⢠Resuspension ⢠Overall Since its inception, RADTRAN has been used in most radiological transportation environmental assessments (EA) and environmental impact statements (EIS). RADTRAN also has the capabilities to conduct speciï¬c radiological transportation accident and sabotage scenarios. conjunction with WebTRAGIS and TRAGIS. Weaknesses: ⢠Calculates based on maximum- exposed individual ⢠Has been found to use conservative Dose Rates Requires substantial user-input, which can increase user error. Transportation Routing Analysis Geographic Information System (TRAGIS) See also §3.4.1.2, 4.2.19 --------------------- Department of Energy, Oak Ridge National Laboratory Highway Rail Marine User-input: ⢠Shipped material data ⢠Route preference (quickest, shortest, or combination) ⢠âBlocking oï¬â (not include) of: a. Railroad companies b. Nodes c. Links d. Road routes through beltways e. Tunnels f. Roads with limited size clearances TRAGIS uses ORNL-developed LandScan and Census data to calculate the exposed population. ⢠Population information for risk assessment along potential transportation routes using GIS and three buï¬er widths: 400m, 800m, and 2500m. ⢠Routes that are compliant with transport regulations. ⢠Table of tribal lands and mileage through those lands. ⢠Route maps contain background data on the transportation network, Census urbanized areas, and Native American tribal lands. Strengths: ⢠Users can adjust routes to their preferences. ⢠TRAGIS performs population calculations on alternative, compliant routes. ⢠Trucking routes can be optimized based on travel time, distance, or a combination of those two. ⢠The routes and population data can be inputted into DOEâs RADTRAN tool, which includes probability inputs. Weaknesses: ⢠Intermodal routing is not automatic. ⢠Only calculates exposed population. It does not factor in probability or frequency. CCPS Guidelines: Security Risk Prioritization Process See also §3.3.1, 4.2.5 --------------------- Center for Chemical Process Safety Highway Rail Marine Air Pipeline Chemical hazards, quantity transported per container, number of shipments, mode, interim storage, speciï¬c threat information, and the proximity to people, sensitive environmental areas, critical assets or infrastructure are all considered subjectively. Identiï¬cation of the issues that require additional analysis, such as transportation vulnerability security assessments (TVSA). Easy to implement; ensures that resources are placed on the issues that require the most attention. This subjective review elevates issues to a formal TVSA and includes a security review for those elements that are not elevated. CCPS Guidelines: Security Vulnerability Assessment Process See also §3.3.1, 4.2.6 --------------------- Center for Chemical Process Safety Highway Rail Marine Air Pipeline Both internal and external threat information is combined with relative target attractiveness factors. Vulnerability is qualitatively assessed based on how well existing countermeasures can withstand or eliminate an attack. Consequences considered can include casualties, theft of hazmat, disruption of the economy or company operations, environmental damage, ï¬nancial loss, secondary damage to critical infrastructure, loss of critical data, and erosion of company reputation. For risk indexes, the result for each option is a single value. For risk matrices, the result for each option is a single risk priority value. A list of prioritized countermeasures is also produced. Can allow companies to cost- eï¬ectively allocate their security mitigation resources. Relies a lot on subject matter experts and outside threat information. ⢠RADTRAN can be used in Se cu rit y 4.1.1 (Continued).
34 Name ------------------------------------------------------------------------------- ----- Sponsor/Developer Mode Input(s) Output(s) Key Aspects Boston Hazmat Route Evaluation See also §3.1.3, 4.2.1 -------------------- City of Boston Highway Truck accident rates and roadway functional classiï¬cations, transported commodities [commodity ï¬ow studies (CFS) data, shipper survey, PHMSA hazmat registrants, HMRIS incident reports, and city permits], population data along the routes (Census-derived), special population data, state environmental data. Risk scores and day and night population estimates for each route alternative. Based on one approach in the current (1996) FMCSA routing guidelines for non- radioactive hazmat. Through-route alternatives with ratio of risk indices greater than 1.5 were selected. CCPS Guidelines: Risk Prioritization Process See also §3.3.1, 4.2.4 --------------------- Center for Chemical Process Safety Highway Rail Marine Air Pipeline Subjective selections for frequency (based on exposure), probability (can be based on past history), and consequence that should not require specialized data or analyses. The screening model provides a single risk score. Ranges are deï¬ned for serious, high, medium, and low. High-level screening process that can determine whether more detailed assessment is warranted. Would be comparing scores for diï¬erent route options. CCPS Guidelines: Qualitative Risk Assessment Process See also §3.3.1, 4.2.2 --------------------- Center for Chemical Process Safety Highway Rail Marine Air Pipeline Benchmarking data from other companies or operations. The information that can be included is quite varied and includes chemical hazards, industry experience, container design and operating practices, and safety and security. List of actions to address, including the need for more detailed analysis. Benchmarking may indicate whether additional risk mitigation actions are necessary to close gaps as compared to the industry leader. The focus is more on the process used to select among alternatives than on the selection itself. Do peers use risk prioritization or quantitative analyses, for example? CCPS Guidelines: Semi-Quantitative Risk Assessment Process See also §3.3.1, 4.2.7 --------------------- Center for Chemical Process Safety Highway Rail Marine Air Pipeline Quantify or weight the frequency- related elements and develop scenarios with accompanying release size and probability estimates. Consequences are quantiï¬ed from model input data, including the scenario deï¬nitions and sensitive areas along the routes. For risk indexes, the result for each option is a single value. For risk matrices, the result for each option is a single risk priority value. Adds quantiï¬cation where needed to make an informed decision. Cost-eï¬ective because not all elements need to be quantiï¬ed. Risk indices or matrices provide easy means to combine the diï¬erent elements of risk without a formal calculation. CCPS Guidelines: Quantitative Risk Assessment Process See also §3.3.1, 4.2.3 --------------------- Center for Chemical Process Safety Highway Rail Marine Air Pipeline Quantity per shipment, annual shipments, loaded vs. empty miles, Infrastructure characteristics needed for accident rate calculations. Conditional probability of release after an incident, the range of release sizes to consider, the probabilities of diï¬erent release types (e.g., jet ï¬re, pool ï¬re, ï¬ash ï¬re, toxic gas, explosion, or no impact). Population characteristics (including representative densities or detailed Census data) along the route, material hazard information, impact area; the âendpointâ criteria for the Generally, three types: ⢠Risk indices ⢠Individual risk (contours, maximums, averages for exposed or total population) ⢠Societal risk (usually expressed as F-N curves) Depending on the form of the output, can provide annual risk values, distribution of people exposed to diï¬erent risk levels, or societal risks. High-consequence/low- probability and low-consequence/high- probability events can be represented. diï¬erent types of hazards: ⢠Τoxic chemical exposure ⢠Vapor cloud explosion ⢠Flammability hazards ⢠Flash ï¬res Sa fe ty 4.1.2 Route Choice
35 Name ------------------------------------------------------------------------------- ----- Sponsor/Developer Mode Input(s) Output(s) Key Aspects Chemical Manufacturer Risk Assessment Framework See also §3.3.4, 4.2.8 --------------------- Large Chemical/Plastics Manufacturer Highway Rail Marine Pipeline (inbound only) Considers trip length, past experience, shipment size, available packaging, third-party consequence data (sensitive areas along their routes, presence of bridges and tunnels). Chemical property information is internal. Reports are generated for the corporate operations department and sometimes include risk matrices. Route options would be considered in conjunction with mode choice. Risk assessments triggered by any change in distribution, and are usually only qualitative. Fedtrak See also §3.7.9, 4.2.10 --------------------- The Kentucky Transportation Center at the University of Kentucky for Transportation Security Administration Highway Accident data included in the modelâs network. Packaging provides a qualitative conditional probability of release or uses dated values. Consequences include population, critical infrastructure/key resources (CIKR), environmentally sensitive areas, and economic impact (most determined from model data). Safety risk scores are computed for the planned route and remain static. Model is designed for security but supports estimation and mitigation of safety risk. Alternate routes can be assessed and the safety risk scores can be compared. GeoCTA See also §3.4.1.3, 4.2.11 --------------------- Oak Ridge National Laboratory Center for Transportation Analysis Highway Rail Marine Air Pipeline Input data is self-contained within the tool and consists of GIS-based spatial data layers for describing incident locations and U.S. Census population data for calculating incident consequences. Outputs include a consequence index based on the magnitude of population at risk and GIS-based maps with information on critical and high-value locations. This software focuses on gauging human consequences within the framework of transportation and critical infrastructure in high-threat urban areas. GeoCTA contains a large number and variety of spatial data layers, including all of the data necessary for use of the system. Output includes GIS- based maps, which facilitate quick, informed decision making. Risk-related output is currently focused solely on estimations of aï¬ected population. The tool can be applied to any location within the United States and has been designed for easy integration of new spatial analysis functions. Presently, the tool is unavailable for public distribution, but could theoretically be made available with the exclusion / substitution of restricted data. IME Safety Analysis for Risk (IMESAFR) See also §3.3.3, 4.2.12 --------------------- Institute of Makers of Explosives Highway Rail Marine Air Pipeline Many of the input variables are stored within the software database. System data include event frequencies sourced from military and commercial sources and blast eï¬ect probability data sourced largely from military sources. Users must enter information including the location of personnel with regard to an explosion and construction characteristics of structures in the vicinity. A measure of the probability from an explosion along with a GIS-based map of explosive eï¬ects and risks to surrounding infrastructure. While designed for safety applications, security may be considered by multiplying frequencies by scaling factors to account for threat level increases. While IMESAFR is traditionally used for ï¬xed facilities explosive risks analysis, the model could be employed in route comparisons. Such comparisons could make use of facilities analyses with respect to stations and ports and could be used to analyze any distinct location along routes of interest. The storage of model parameter values within the system reduces the data gathering requirements of users and allows selection of appropriate input values simply by being on-site. Map output aids in user comprehension and communication of model results. By default, model calculations are strongly conservative. In the most recent version of the software, however, uncertainty is calculated and presented separately and conservative model assumptions may be switched on or oï¬. Other assumptions include the transferability of military frequency and explosive eï¬ects data to commercial applications. 4.1.2 (Continued). (continued on next page)
36 Name ------------------------------------------------------------------------------- ----- Sponsor/Developer Mode Input(s) Output(s) Key Aspects RADTRAN See also §3.4.1.2, 4.2.8 --------------------- Department of Highway Rail Marine Users are able to input and adjust over 70 data points to customize how the tool calculates incident- free exposure along with risk of exposure from accident or Expected Radiological Exposure/ Consequence over set route during a shipping campaign. Strengths: ⢠Highly customizable by user (over 70 individual data points that can be input or adjusted by the user). ⢠Users can adjust the parameters Energy, Oï¬ce of Environmental Management, Sandia National Laboratories sabotage. Key inputs with regard to assessing the exposure risk along a set route: ⢠Population density ⢠Fatalities per accident ⢠Weather conditions ⢠Probability fractions of event ⢠Packaging data Additionally, TRAGIS data can easily be inputted into RADTRAN. Exposure data is output according to: ⢠Groundshine ⢠Cloudshine ⢠Inhalation ⢠Resuspension ⢠Overall Since its inception, RADTRAN has been used in most radiological transportation EA and EIS. RADTRAN also has the capabilities to conduct speciï¬c radiological transportation accident and sabotage scenarios. surrounding the probability and eï¬ects of an accident. ⢠RADTRAN can be used in conjunction with WebTRAGIS and TRAGIS. Weaknesses: ⢠Calculates based on maximum-exposed individual. ⢠Has been found to use conservative Dose Rates. ⢠Requires substantial user-input, which can increase user error. Rail Corridor Risk Management System (RCRMS) See also §3.2.1, 3.4.2.3, 4.2.15 --------------------- Railroad Research Foundation / Association of American Railroads Rail Annual volume shipped, route length; mainline accident rates, which are a function of traï¬c density, method of operation (e.g., signalized or âdark territoryâ), and FRA track class combined with historical FRA accident data; and switching yard accident rates. Conditional probabilities of release (CPRs) for each of the DOT tank car speciï¬cations were used. The CPR for Isotainers and intermodal portable tanks utilize generic values. Environmental: water bodies, parks Population: daytime and nighttime population RCRMS provides a single risk metric that combines safety and security as well as the two individual risk scores. All risk scores are rounded and an attractiveness measure helps users distinguish between routes with similar risk scores. It also provides route-level totals for each of the 27 metrics that the federal regulations require carriers to consider. Leverages the FRA national rail network and railroad-speciï¬c data to provide carriers with a routing decision support tool with a government-vetted risk methodology. The integration of safety and security risks is useful for railroads with a very large number (thousands) of analyses to run. The best available data on rail accident rates, container release probabilities, and network link characteristics are used. Implemented by all Class I railroads and many others. FRA uses the model to verify industry compliance. There is no methodological approach for including some data that are available. Carriers may also consider factors that are not directly embedded in the risk equations: presence of nearby railroad facilities, miles with diï¬erent levels of passenger traï¬c, operating speed, mileage, transit time, and any known deï¬ciencies in crew training and skill level. Items that are reported for each route that are not explicitly listed above: miles of each route in each track class, miles with a grade more than 2.5%, miles of signalized and manual operation, listing of wayside detectors, counts of grade crossings and switch points, route miles greater than 10 miles from police and ï¬re stations (data from HAZUS), past incidents (from FRA data) 4.1.2 (Continued).
37 Name ------------------------------------------------------------------------------- ----- Sponsor/Developer Mode Input(s) Output(s) Key Aspects Transportation Routing Analysis Geographic Information System (TRAGIS) See also §3.4.1.2, 4.2.19 --------------------- Department of Energy, Oak Ridge National Laboratory Highway Rail Marine User input: ⢠Shipped material data ⢠Route preference (quickest, shortest, or combination) ⢠âBlocking oï¬â (not include) of: a. Railroad companies b. Nodes c. Links d. Road routes through beltways e. Tunnels f. Roads with limited size clearances TRAGIS uses ORNL-developed ⢠Population information for risk assessment along potential transportation routes using GIS and three buï¬er widths: 400m, 800m, and 2500m. ⢠Routes that are compliant with transport regulations ⢠Table of tribal lands and mileage through those lands ⢠Route maps contain background data on the transportation network, Census urbanized areas, Strengths: ⢠Users can adjust routes to their preferences. ⢠TRAGIS performs population calculations on alternative, compliant routes. ⢠Trucking routes can be optimized based on travel time, distance, or a combination of those two. ⢠The routes and population data can be inputted into DOEâs RADTRAN tool, which includes probability inputs. Weaknesses: ⢠Intermodal routing is not automatic. LandScan and Census data to calculate the exposed population. and Native American tribal lands. ⢠Only calculates exposed population. It does not factor in probability or frequency. UIUC Tank Car Risk Analysis See also §3.7.10, 4.2.22 --------------------- University of Illinois at Urbana-Champaign Rail, Intermodal Inputs include rail car derailment rates, conditional release probabilities for individual tank car types, tank car capacity values, historical rail accident information, origin/destination locations and mileages, spatially located population estimates, and evacuation / isolation distances for chemicals being modeled. Expected risk, in terms of number of people aï¬ected by releases of a given chemical transported in a speciï¬c tank car type. Alternative consequence metrics can be incorporated to reorient the model toward environmental risk analysis and remediation cost analysis. This risk assessment approach estimates the expected U.S. population aï¬ected by releases of individual TIH chemicals from speciï¬c rail tank car designs. This approach has been demonstrated for the comparison of risks associated with current tank car designs to potential alternative designs, but could also be employed for reducing transport risk through targeted infrastructure improvements and route selection. The model relies on academic, government, and industry data, some of which is widely available, and some of which is security-sensitive or restricted to industry use. CCPS Guidelines: Security Risk Prioritization Process See also §3.3.1, 4.2.5 --------------------- Center for Chemical Process Safety Highway Rail Marine Air Pipeline Chemical hazards, quantity transported per container, number of shipments, mode, interim storage, speciï¬c threat information, and the proximity to people, sensitive environmental areas, critical assets or infrastructure are all considered subjectively. Identiï¬cation of the issues that require additional analysis, such as transportation vulnerability security assessments (TVSA). Easy to implement; ensures that resources are placed on the issues that require the most attention. This subjective review elevates issues to a formal TVSA and includes a security review for those elements that are not elevated. CCPS Guidelines: Security Vulnerability Assessment Process See also §3.3.1, 4.2.6 --------------------- Center for Chemical Process Safety Highway Rail Marine Air Pipeline Both internal and external threat information is combined with relative target attractiveness factors. Vulnerability is qualitatively assessed based on how well existing countermeasures can withstand or eliminate an attack. Consequences considered can For risk indexes, the result for each option is a single value. For risk matrices, the result for each option is a single risk priority value. A list of prioritized countermeasures is also Can allow companies to cost-eï¬ectively allocate their security mitigation resources. Relies a lot on subject matter experts and outside threat information. include casualties, theft of hazmat, disruption of the economy or company operations, environmental damage, ï¬nancial loss, secondary damage to critical infrastructure, loss of critical data, and erosion of company reputation. produced. Se cu rit y 4.1.2 (Continued). (continued on next page)
38 Name ------------------------------------------------------------------------------- ----- Sponsor/Developer Mode Input(s) Output(s) Key Aspects Center at the University of Kentucky for Transportation Security Administration Two separate vulnerability measures are estimated, the likelihood that the terrorists do not fail on their own due to the inherent nature of the scenario and the likelihood that the terrorists will be able to overcome security measures. Consequences include population, CIKR, environmentally sensitive areas, and economic impact (most determined from model data). Security risk scores can be computed for a route at the planning stage (identifying the locations of high risk along the route), but will be automatically computed as each new location coordinates are received, providing a near- real time view of each shipmentâs risk. The system relies on a complete picture of Tier 1 Highway Security Sensitive Materials (HSSM) shipments across the country for overall situational awareness. Still in the development stage. IME Safety Analysis for Risk (IMESAFR) See also §3.3.3, 4.2.12 --------------------- Institute of Makers of Explosives Highway Rail Marine Air Pipeline Many of the input variables are stored within the software database. System data include event frequencies sourced from military and commercial sources and blast eï¬ect probability data sourced largely from military sources. Users must enter A measure of the probability from an explosion along with a GIS-based map of explosive eï¬ects and risks to surrounding infrastructure. While designed for safety applications, security may be considered by multiplying While IMESAFR is traditionally used for ï¬xed facilities explosive risks analysis, the model could be employed in route comparisons. Such comparisons could make use of facilities analyses with respect to stations and ports and could be used to analyze any distinct location along routes of interest. information including the location of personnel with regard to an explosion and construction characteristics of structures in the vicinity. frequencies by scaling factors to account for threat level increases. The storage of model parameter values within the system reduces the data gathering requirements of users and allows selection of appropriate input values simply by being on-site. Map output aids in user comprehension and communication of model results. By default, model calculations are strongly conservative. In the most recent version of the software, however, uncertainty is calculated and presented separately and conservative model assumptions may be switched on or oï¬. Other assumptions include the transferability of military frequency and explosive eï¬ects data to commercial applications. While primarily focused on safety, security risks can be analyzed through use of multiplying factors to account for the likelihood of attacks. Rail Corridor Risk Management System (RCRMS) See also §3.2.1, 3.4.2.3, 4.2.15 --------------------- Railroad Research Foundation / Association of American Railroads Rail Threat estimates consider factors such as availability of hazmat for attack, proximity to iconic targets, venues, or other Critical Infrastructure/Key Resources (CIKR), and presence in TSA- speciï¬ed High-Threat Urban Areas (HTUAs). Other sources: daytime and nighttime population from FEMA HAZUS data that are in High Threat Urban Areas (HTUAs), RCRMS provides a single risk metric that combines safety and security as well as the two individual risk scores. All risk scores are rounded and an attractiveness measure helps users distinguish between routes with similar risk scores. It also provides route-level totals for each of the 27 metrics that the federal regulations require carriers to consider. Leverages the FRA national rail network and railroad-speciï¬c data to provide carriers with a routing decision support tool with a government-vetted risk methodology. The integration of safety and security risks is useful for railroads with a very large number (thousands) of analyses to run. The best available data on rail accident rates, container release probabilities, and network link characteristics are used. Implemented by all Class I railroads and many others. FRA uses the model to verify Fedtrak See also §3.7.9, 4.2.10 --------------------- The Kentucky Transportation Highway Attack mode, type of hazmat, and trailer/container type, nearby high-population density areas (Census data) and CIKR (from DHS or the states). The model will provide both static safety and dynamic security risk scores for each shipment along a planned route. The security risk methodology supports the quantiï¬cation of risk reduction through countermeasures or risk mitigation strategies. This includes reduction of the maximum risk and the cumulative reduction of route risk. 4.1.2 (Continued).
39 Name ------------------------------------------------------------------------------- ----- Sponsor/Developer Mode Input(s) Output(s) Key Aspects the risk equations: presence of nearby railroad facilities, miles with diï¬erent levels of passenger traï¬c, operating speed, mileage, transit time, and any known deï¬ciencies in crew training and skill level. Items that are reported for each route that are not explicitly listed above: miles of each route in each track class, miles with a grade more than 2.5%, miles of signalized and manual operation, listing of wayside detectors, counts of grade crossings and switch points, route miles greater than 10 miles from police and ï¬re stations (data from HAZUS), past incidents (from FRA data). other urban areas, or non-urban areas. industry compliance. There is no methodological approach for including Environmental: water bodies, parks Population: daytime and nighttime population Carriers may also consider factors that are not directly embedded in some data that are available. 4.1.2 (Continued). 4.1.3 Facility Siting Name ------------------------------------------------------------------------------- ----- Sponsor/Developer Mode Input(s) Output(s) Key Aspects CCPS Guidelines: Risk Prioritization Process See also §3.3.1, 4.2.4 --------------------- Highway Rail Marine Air Subjective selections for frequency (based on exposure), probability (can be based on past history), and consequence that should not require The screening model provides a single risk score. Ranges are deï¬ned for serious, high, High-level screening process that can determine whether more detailed assessment is warranted. Would be comparing scores for diï¬erent facility Center for Chemical Process Safety Pipeline specialized data or analyses. medium, and low. locations. CCPS Guidelines: Qualitative Risk Assessment Process See also §3.3.1, 4.2.2 --------------------- Center for Chemical Process Safety Highway Rail Marine Air Pipeline Benchmarking data from other companies or operations. The information that can be included is quite varied and includes chemical hazards, industry experience, container design and operating practices, and safety and security. List of actions to address, including the need for more detailed analysis. Benchmarking may indicate whether additional risk mitigation actions are necessary to close gaps as compared to the industry leader. The focus is more on the process used to select among alternatives than on the selection itself. Do peers use risk prioritization or quantitative analyses, for example? CCPS Guidelines: Semi-Quantitative Risk Assessment Process See also §3.3.1, 4.2.7 --------------------- Center for Chemical Process Safety Highway Rail Marine Air Pipeline Quantify or weight the frequency- related elements and develop scenarios with accompanying release size and probability estimates. Consequences are quantiï¬ed from model input data, including the scenario deï¬nitions and sensitive areas along the routes. For risk indexes, the result for each option is a single value. For risk matrices, the result for each option is a single risk priority value. Adds quantiï¬cation where needed to make an informed decision. Cost-eï¬ective because not all elements need to be quantiï¬ed. Risk indices or matrices provide easy means to combine the diï¬erent elements of risk without a formal calculation. Sa fe ty (continued on next page)
40 Name ------------------------------------------------------------------------------- ----- Sponsor/Developer Mode Input(s) Output(s) Key Aspects by scaling factors to account for threat level increases. however, uncertainty is calculated and presented separately and conservative model assumptions may be switched on or oï¬. Other assumptions include the transferability of military frequency and explosive eï¬ects data to commercial applications. IME Safety Analysis for Risk (IMESAFR) See also §3.3.3, 4.2.12 --------------------- Institute of Makers of Explosives Highway Rail Marine Air Pipeline Many of the input variables are stored within the software database. System data include event frequencies sourced from military and commercial sources and blast eï¬ect probability data sourced largely from military A measure of the probability of an explosion along with a GIS-based map of explosive eï¬ects and risks to surrounding IMESAFR is a software tool for ï¬xed facilities explosive risks analysis. The storage of model parameter values within the system reduces the data gathering requirements of users and allows selection of appropriate input values simply by being sources. Users must enter information including the location of personnel with regard to an explosion and construction characteristics of structures in the vicinity. infrastructure. While designed for safety applications, security may be considered by multiplying frequencies by scaling factors to account for threat level increases. on-site. Map output aids in user comprehension and communication of model results. By default, model calculations are strongly conservative. In the most recent version of the software, however, uncertainty is calculated and presented separately and conservative model assumptions may be switched on or pool ï¬re, ï¬ash ï¬re, toxic gas, explosion, or no impact). Population characteristics (including representative densities or detailed Census data) along the route, material hazard information, impact area; the âendpointâ criteria for the diï¬erent types of hazards: ⢠toxic chemical exposure ⢠vapor cloud explosion ⢠ï¬ammability hazards ⢠ï¬ash ï¬res Chemical Manufacturer Risk Assessment Framework See also §3.3.4, 4.2.8 --------------------- Large Chemical/Plastics Manufacturer Highway Rail Marine Pipeline (inbound only) Considers trip length, past experience, shipment size, available packaging, third-party consequence data (sensitive areas along their routes, presence of bridges and tunnels). Chemical property information is internal. Reports are generated for the corporate operations department and sometimes include risk matrices. Risk assessments triggered by any change in distribution, and are usually only qualitative. Where risks were assessed to be too high in the past, on-site manufacturing was used to eliminate transportation risk. IME Safety Analysis for Risk (IMESAFR) See also §3.3.3, 4.2.12 --------------------- Institute of Makers of Explosives Highway Rail Marine Air Pipeline Many of the input variables are stored within the software database. System data include event frequencies sourced from military and commercial sources and blast eï¬ect probability data sourced largely from military sources. Users must enter information including the location of personnel with regard to an explosion and construction characteristics of structures in the vicinity. A measure of the probability of an explosion along with a GIS-based map of explosive eï¬ects and risks to surrounding infrastructure. While designed for safety applications, security may be considered by multiplying frequencies IMESAFR is a software tool for ï¬xed facilities explosive risks analysis. The storage of model parameter values within the system reduces the data gathering requirements of users and allows selection of appropriate input values simply by being on-site. Map output aids in user comprehension and communication of model results. By default, model calculations are strongly conservative. In the most recent version of the software, CCPS Guidelines: Quantitative Risk Assessment Process See also §3.3.1, 4.2.3 --------------------- Center for Chemical Process Safety Highway Rail Marine Air Pipeline Quantity per shipment, annual shipments, loaded vs. empty miles, Infrastructure characteristics needed for accident rate calculations. Conditional probability of release after an incident, the range of release sizes to consider, the probabilities of diï¬erent release types (e.g., jet ï¬re, Generally, three types: ⢠Risk indices ⢠Individual risk (contours, maximums, averages for exposed or total population) ⢠Societal risk (usually expressed as F-N curves) Depending on the form of the output, can provide annual risk values, distribution of people exposed to diï¬erent risk levels, or societal risks. High-consequence/low- probability and low-consequence/high- probability events can be represented. Se cu rit y 4.1.3 (Continued).
41 Name ------------------------------------------------------------------------------- ----- Sponsor/Developer Mode Input(s) Output(s) Key Aspects CCPS Guidelines: Security Risk Prioritization Process See also §3.3.1, 4.2.5 --------------------- Center for Chemical Process Safety Highway Rail Marine Air Pipeline Chemical hazards, quantity transported per container, number of shipments, mode, interim storage, speciï¬c threat information, and the proximity to people, sensitive environmental areas, critical assets or infrastructure are all considered subjectively. Identiï¬cation of the issues that require additional analysis, such as TVSA. Easy to implement; ensures that resources are placed on the issues that require the most attention. This subjective review elevates issues to a formal TVSA and includes a security review for those elements that are not elevated. CCPS Guidelines: Security Vulnerability Assessment Process See also §3.3.1, 4.2.6 --------------------- Center for Chemical Process Safety Highway Rail Marine Air Pipeline Both internal and external threat information is combined with relative target attractiveness factors. Vulnerability is qualitatively assessed based on how well existing countermeasures can withstand or eliminate an attack. Consequences considered can include casualties, theft of hazmat, disruption of the economy or company operations, environmental damage, ï¬nancial loss, secondary damage to critical infrastructure, loss of critical data, and For risk indexes, the result for each option is a single value. For risk matrices, the result for each option is a single risk priority value. A list of prioritized countermeasures is also produced. Can allow companies to cost-eï¬ectively allocate their security mitigation resources. Relies a lot on subject matter experts and outside threat information. erosion of company reputation. oï¬. Other assumptions include the transferability of military frequency and explosive eï¬ects data to commercial applications. While primarily focused on safety, security risks can be analyzed through use of multiplying factors to account for the likelihood of attacks. 4.1.3 (Continued). 4.1.4 Packaging Selection Name ------------------------------------------------------------------------------- ----- Sponsor/Developer Mode Input(s) Output(s) Key Aspects Sa fe ty CCPS Guidelines: Risk Prioritization Process See also §3.3.1, 4.2.4 --------------------- Center for Chemical Process Safety Highway Rail Marine Air Pipeline Subjective selections for frequency (based on exposure), probability (can be based on past history), and consequence that should not require specialized data or analyses. The screening model provides a single risk score. Ranges are deï¬ned for serious, high, medium, and low. High-level screening process that can determine whether more detailed assessment is warranted. Would be comparing scores for diï¬erent packages. CCPS Guidelines: Qualitative Risk Assessment Process See also §3.3.1, 4.2.2 --------------------- Center for Chemical Process Safety Highway Rail Marine Air Pipeline Benchmarking data from other companies or operations. The information that can be included is quite varied and includes chemical hazards, industry experience, container design and operating practices, and safety and security. List of actions to address, including the need for more detailed analysis. Benchmarking may indicate whether additional risk mitigation actions are necessary to close gaps as compared to the industry leader. The focus is more on the process used to select among alternatives than on the selection itself. Do peers use risk prioritization or quantitative analyses, for example? CCPS Guidelines: Semi-Quantitative Risk Assessment Process See also §3.3.1, 4.2.7 --------------------- Center for Chemical Process Safety Highway Rail Marine Air Pipeline Quantify or weight the frequency- related elements and develop scenarios with accompanying release size and probability estimates. Consequences are quantiï¬ed from model input data, including the scenario deï¬nitions and sensitive areas along the routes. For risk indexes, the result for each option is a single value. For risk matrices, the result for each option is a single risk priority value. Adds quantiï¬cation where needed to make an informed decision. Cost-eï¬ective because not all elements need to be quantiï¬ed. Risk indices or matrices provide easy means to combine the diï¬erent elements of risk without a formal calculation. (continued on next page)
42 which is widely available, and some of which is security-sensitive or restricted to industry use. Se cu rit y CCPS Guidelines: Security Risk Prioritization Process See also §3.3.1, 4.2.5 --------------------- Center for Chemical Process Safety Highway Rail Marine Air Pipeline Chemical hazards, quantity transported per container, number of shipments, mode, interim storage, speciï¬c threat information, and the proximity to people, sensitive environmental areas, critical assets or infrastructure are all considered subjectively. Identiï¬cation of the issues that require additional analysis, such as TVSA. Easy to implement; ensures that resources are placed on the issues that require the most attention. This subjective review elevates issues to a formal TVSA and includes a security review for those elements that are not elevated. Name ------------------------------------------------------------------------------- ----- Sponsor/Developer Mode Input(s) Output(s) Key Aspects CCPS Guidelines: Quantitative Risk Assessment Process See also §3.3.1, 4.2.3 --------------------- Center for Chemical Process Safety Highway Rail Marine Air Pipeline Quantity per shipment, annual shipments, loaded vs. empty miles, Infrastructure characteristics needed for accident rate calculations. Conditional probability of release after an incident, the range of release sizes to consider, the Generally, three types: ⢠Risk indices ⢠Individual risk (contours, maximums, averages for exposed or total population) ⢠Societal risk (usually expressed as F-N curves) Depending on the form of the output, can provide annual risk values, distribution of people exposed to diï¬erent risk levels, or societal risks. High-consequence/low- probability and low-consequence/high- probability events can be represented. probabilities of diï¬erent release types (e.g., jet ï¬re, pool ï¬re, ï¬ash ï¬re, toxic gas, explosion, or no impact). Population characteristics (including representative densities or detailed Census data) along the route, material hazard information, impact area; the âendpointâ criteria for the diï¬erent types of hazards: ⢠Toxic chemical exposure ⢠Vapor cloud explosion ⢠Flammability hazards ⢠Flash ï¬res Chemical Manufacturer Risk Assessment Framework See also §3.3.4, 4.2.8 --------------------- Large Chemical/Plastics Manufacturer Highway Rail Marine Pipeline (inbound only) Considers trip length, past experience, shipment size, available packaging, third-party consequence data (sensitive areas along their routes, presence of bridges and tunnels). Chemical property information is internal. Reports are generated for the corporate operations department and sometimes include risk matrices. Risk assessments triggered by any change in distribution, and are usually only qualitative. For example, if the shipped quantities increased, they would look at bigger packages to keep the number of shipments down. UIUC Tank Car Risk Analysis See also §3.7.10, 4.2.22 --------------------- University of Illinois at Urbana-Champaign Rail, Intermodal Inputs include rail car derailment rates, conditional release probabilities for individual tank car types, tank car capacity values, historical rail accident information, origin/destination locations and mileages, spatially located population estimates, and evacuation/isolation distances for chemicals being modeled. Expected risk, in terms of number of people aï¬ected by releases of a given chemical transported in a speciï¬c tank car type. Alternative consequence metrics can be incorporated to reorient the model toward environmental risk analysis and remediation cost analysis. This risk assessment approach estimates the expected U.S. population aï¬ected by releases of individual TIH chemicals from speciï¬c rail tank car designs. This approach has been demonstrated for the comparison of risks associated with current tank car designs to potential alternative designs, but could also be employed for reducing transport risk through targeted infrastructure improvements and route selection. The model relies on academic, government, and industry data, some of 4.1.4 (Continued).
43 CCPS Guidelines: Security Vulnerability Assessment Process See also §3.3.1, 4.2.6 --------------------- Center for Chemical Process Safety Highway Rail Marine Air Pipeline Both internal and external threat information is combined with relative target attractiveness factors. Vulnerability is qualitatively assessed based on how well existing countermeasures can withstand or eliminate an attack. Consequences considered can include casualties, theft of hazmat, disruption of the economy or company operations, environmental damage, ï¬nancial loss, secondary damage to critical infrastructure, loss of critical data, and erosion of company reputation. For risk indexes, the result for each option is a single value. For risk matrices, the result for each option is a single risk priority value. A list of prioritized countermeasures is also produced. Can allow companies to cost-eï¬ectively allocate their security mitigation resources. Relies a lot on subject matter experts and outside threat information. Name ------------------------------------------------------------------------------- ----- Sponsor/Developer Mode Input(s) Output(s) Key Aspects 4.1.4 (Continued). 4.1.5 Alternate Product Selection Name ------------------------------------------------------------------------------- ----- Sponsor/Developer Mode Input(s) Output(s) Key Aspects CCPS Guidelines: Risk Prioritization Process See also §3.3.1, 4.2.4 --------------------- Center for Chemical Process Safety Highway Rail Marine Air Pipeline Subjective selections for frequency (based on exposure), probability (can be based on past history), and consequence that should not require specialized data or analyses. The screening model provides a single risk score. Ranges are deï¬ned for serious, high, medium, and low. High-level screening process that can determine whether more detailed assessment is warranted. Would be comparing scores for diï¬erent products and the entire supply chain risk implications that would have. CCPS Guidelines: Qualitative Risk Assessment Process See also §3.3.1, 4.2.2 --------------------- Center for Chemical Process Safety Highway Rail Marine Air Pipeline Benchmarking data from other companies or operations. The information that can be included is quite varied and includes chemical hazards, industry experience, container design and operating practices, and safety and security. List of actions to address, including the need for more detailed analysis. Benchmarking may indicate whether additional risk mitigation actions are necessary to close gaps as compared to the industry leader. The focus is more on the process used to select among alternatives than on the selection itself. Do peers use risk prioritization or quantitative analyses, for example? CCPS Guidelines: Semi-Quantitative Risk Assessment Process See also §3.3.1, 4.2.7 --------------------- Center for Chemical Process Safety Highway Rail Marine Air Pipeline Quantify or weight the frequency- related elements and develop scenarios with accompanying release size and probability estimates. Consequences are quantiï¬ed from model input data, including the scenario deï¬nitions and sensitive areas along the routes. For risk indexes, the result for each option is a single value. For risk matrices, the result for each option is a single risk priority value. Adds quantiï¬cation where needed to make an informed decision. Cost-eï¬ective because not all elements need to be quantiï¬ed. Risk indices or matrices provide easy means to combine the diï¬erent elements of risk without a formal calculation. CCPS Guidelines: Quantitative Risk Assessment Process See also §3.3.1, 4.2.3 --------------------- Center for Chemical Process Safety Highway Rail Marine Air Pipeline Quantity per shipment, annual shipments, loaded vs. empty miles, Infrastructure characteristics needed for accident rate calculations. Conditional probability of release after an incident, the range of release sizes to consider, the probabilities of diï¬erent release types (e.g., jet ï¬re, pool ï¬re, ï¬ash ï¬re, toxic gas, explosion, or no impact). Population characteristics (including representative densities or detailed Census data) along the route, material hazard information, impact area; the âendpointâ criteria for the diï¬erent types of hazards: ⢠Toxic chemical exposure ⢠Vapor cloud explosion ⢠⢠Flammability hazards Generally, three types: ⢠Risk indices ⢠Individual risk (contours, maximums, averages for exposed or total population) ⢠Societal risk (usually expressed as F-N curves) Depending on the form of the output, can provide annual risk values, distribution of people exposed to diï¬erent risk levels, or societal risks. High-consequence/low- probability and low-consequence/high- probability events can be represented. Flash ï¬res Sa fe ty (continued on next page)
44 Name ------------------------------------------------------------------------------- ----- Sponsor/Developer Mode Input(s) Output(s) Key Aspects considered can include casualties, theft of hazmat, disruption of the economy or company operations, environmental damage, ï¬nancial loss, secondary damage to critical infrastructure, loss of critical data, and erosion of company reputation. A list of prioritized countermeasures is also produced. Chemical Manufacturer Risk Assessment Framework See also §3.3.4, 4.2.8 --------------------- Large Chemical/ Plastics Manufacturer Highway Rail Marine Pipeline (inbound only) Considers trip length, past experience, shipment size, available packaging, third-party consequence data (sensitive areas along their routes, presence of bridges and tunnels). Chemical property information is internal. Reports are generated for the corporate operations department and sometimes include risk matrices. Risk assessments triggered by any change in distribution and are usually only qualitative. Where risks are assessed to be too high, alternate products could be used to alter and reduce transportation risks. Se cu rit y CCPS Guidelines: Security Risk Prioritization Process See also §3.3.1, 4.2.5 --------------------- Center for Chemical Process Safety Highway Rail Marine Air Pipeline Chemical hazards, quantity transported per container, number of shipments, mode, interim storage, speciï¬c threat information, and the proximity to people, sensitive environmental areas, critical assets or infrastructure are all considered subjectively. Identiï¬cation of the issues that require additional analysis, such as TVSA. Easy to implement; ensures that resources are placed on the issues that require the most attention. This subjective review elevates issues to a formal TVSA and includes a security review for those elements that are not elevated. CCPS Guidelines: Security Vulnerability Assessment Process See also §3.3.1, 4.2.6 --------------------- Center for Chemical Process Safety Highway Rail Marine Air Pipeline Both internal and external threat information is combined with relative target attractiveness factors. Vulnerability is qualitatively assessed based on how well existing countermeasures can withstand or eliminate an attack. Consequences For risk indexes, the result for each option is a single value. For risk matrices, the result for each option is a single risk priority value. Can allow companies to cost-eï¬ectively allocate their security mitigation resources. Relies a lot on subject matter experts and outside threat information. 4.1.5 (Continued). 4.1.6 Emergency Management Resource Planning Name ------------------------------------------------------------------------------- ----- Sponsor/Developer Mode Input(s) Output(s) Key Aspects GeoCTA See also §3.4.1.3, 4.2.11 --------------------- Oak Ridge National Laboratory Center for Transportation Analysis Highway Rail Marine Air Pipeline Input data is self-contained within the tool and consists of GIS-based spatial data layers for describing incident locations and U.S. Census population data for calculating incident consequences. Outputs include a consequence index based on the magnitude of population at risk and GIS- based maps with information on critical and high-value locations. This software focuses on gauging human consequences within the framework of transportation and critical infrastructure in high- threat urban areas. GeoCTA contains a large number and variety of spatial data layers, including all of the data necessary for use of the system. Output includes GIS-based maps, which facilitate quick, informed decision making. Risk- related output is currently focused solely on estimations of aï¬ected population. The tool can be applied to any location within the United States and has been designed for easy integration of new spatial analysis functions. Presently, the tool is unavailable for public distribution, but could theoretically be made available with the exclusion/substitution of restricted data. Pipeline Risk Management Manual See also §3.4.2.5, 3.7.7, 4.2.13 --------------------- W. Kent Muhlbauer Pipeline Input parameters can vary according to the speciï¬c goals of risk assessors and tend to require on-site data collection through inspections and surveys. Inputs include a wide array of data, examples of which include pipeline location, proximity to Outputs include indices for probabilities of third-party damage, corrosion, design issues, and incorrect operations; a leak impact (consequence) factor; and a relative risk score for each section of pipeline being studied. This approach, which focuses on risks associated with pipeline releases, can be employed to determine high-risk pipeline locations in order to guide emergency response training and resource allocation. As a scoring/index model, the model provides easily understandable and comparable output relatively quickly, but results may be aï¬ected by subjectivity and are not readily comparable to assessments of other modes of Sa fe ty
45 4.1.6 (Continued). Transportation Analysis and infrastructure are stored within the system database. managers. (map) and text, facilitating quick, informed comprehension and decision making. Application Mississippi State University of the tool is limited until continuous GPS location transmission systems are more widely employed by tow and barge operators. GeoCTA See also §3.4.1.3, 4.2.11 --------------------- Oak Ridge National Laboratory Center for Transportation Analysis Highway Rail Marine Air Pipeline Input data is self-contained within the tool and consists of GIS-based spatial data layers for describing incident locations and U.S. Census population data for calculating incident consequences. Outputs include a consequence index based on the magnitude of population at risk and GIS- based maps with information on critical and high-value locations. This software focuses on gauging human consequences within the framework of transportation and critical infrastructure in high- threat urban areas. GeoCTA contains a large number and variety of spatial data layers, including all of the data necessary for use of the system. Output includes GIS-based maps, which facilitate quick, informed decision making. Risk- related output is currently focused solely on estimations of aï¬ected population. The tool can be applied to any location within the United States and has been designed for easy integration of new spatial analysis functions. Presently, the tool is unavailable for public distribution, but could theoretically be made available with the exclusion/substitution of restricted data. TRACC See also §3.4.1.3, 4.2.18 Marine Current and historical vessel positions are reported by barge and tow companies GIS, web-based reports of anomalous/barge movements are This software identiï¬es high-risk or anomalous barge activity and alerts authorities and other shipment stakeholders. With the exception of --------------------- Oak Ridge National Laboratory Center for using GPS devices; high population locations and points of critical disseminated to governmental agencies, responders, and route vessel-speciï¬c information, data needed to use the tool is stored within the system database. Output is web-based and delivered as graphics Name ------------------------------------------------------------------------------- ----- Sponsor/Developer Mode Input(s) Output(s) Key Aspects aboveground activities, atmospheric exposure, soil corrosivity, coating type and condition, fatigue, land movements, operations and procedures, maintenance, characteristics of transported transportation. The model is ï¬exible, able to use a wide range of input data and data precision, can be modiï¬ed to consider alternative consequence metrics, and allows for its relative output values to be converted into absolute risk numbers. The model is a standard industry tool, which facilitates communication about the model, data, and chemicals, and the location of potential human and environmental receptors. results, and increases potential access to model resources through the existence of a user community. While the manual provides guidance and sample input, the model is dependent upon a large amount of user-collected pipeline survey or inspection data. RADTRAN See also §3.4.1.2, 4.2.8 --------------------- Department of Energy, Oï¬ce of Environmental Management, Sandia National Laboratories Highway Rail Marine Users are able to input and adjust over 70 data points to customize how the tool calculates incident-free exposure along with risk of exposure from accident or sabotage. Key inputs with regard to assessing the exposure risk along a set route: ⢠Population density ⢠Fatalities per accident ⢠Weather conditions ⢠Probability fractions of event ⢠Packaging data Additionally, TRAGIS data can easily be inputted into RADTRAN. Expected Radiological Exposure/ Consequence over set route during a shipping campaign. Exposure data is output according to: ⢠Groundshine ⢠Cloudshine ⢠Inhalation ⢠Resuspension ⢠Overall Since its inception, RADTRAN has been used in most radiological transportation EA and EIS. RADTRAN also has the capabilities to conduct speciï¬c radiological sabotage scenarios. transportation accident and Strengths: ⢠Highly customizable by user (over 70 individual data points that can be input or adjusted by the user). ⢠Users can adjust the parameters surrounding the probability and eï¬ects of an accident. ⢠RADTRAN can be used in conjunction with WebTRAGIS and TRAGIS. Weaknesses: ⢠Calculates based on maximum-exposed individual. ⢠Has been found to use conservative Dose Rates. ⢠Requires substantial user input, which can increase user error. Se cu rit y (continued on next page)
46 Readiness and Resiliency Assessment System (RRAS) See also §3.4.1.3, 4.2.16 --------------------- Oak Ridge National Laboratory Center for Transportation Analysis Highway Rail Marine Air Pipeline Input data is largely security sensitive and non- distributable. Necessary inputs include spatial transportation system infrastructure data, security and response resources and capabilities, and population counts and locations. RRAS outputs are relative values describing readiness and resiliency that categorize a transportation asset or system as âFully Prepared,â âModerately Prepared,â or âUnprepared.â RRAS is capable of assessing readiness and resiliency of a transportation network on a national scale, but is applicable across all levels and modes of transportation systems. The framework has not been publicly distributed, owing to the fact that it was designed to employ data that is sensitive and not publicly available. Distribution of the tool is theoretically possible with the exclusion / substitution of sensitive data, however. RRAS is currently asset- or system- speciï¬c, and does not address the interdependence of systems. As such, the framework is more focused on transportation system readiness than resiliency. TRACC See also §3.4.1.3, 4.2.18 Marine Current and historical vessel positions are reported by barge and tow companies GIS, web-based reports of anomalous/barge movements are This software identiï¬es high-risk or anomalous barge activity and alerts authorities and other shipment stakeholders. With the exception of --------------------- Oak Ridge National Laboratory Center for Transportation Analysis and Mississippi State University using GPS devices; high population locations and points of critical infrastructure are stored within the system database. disseminated to governmental agencies, responders, and route managers. vessel-speciï¬c information, data needed to use the tool is stored within the system database. Output is web-based and delivered in as graphics (map) and text, facilitating quick, informed comprehension and decision making. Application of the tool is limited until continuous GPS location transmission systems are more widely employed by tow and barge operators. Transportation Sector Security Risk Assessment (TSSRA) See also §3.7.8, 4.2.20 --------------------- Department of Homeland Security, Transportation Security Administration, Oï¬ce of Security Capabilities Highway Rail Marine Pipeline For each non-asset speciï¬c attack scenario: ⢠Threat: Internal data from the Oï¬ce of Intelligence ⢠Vulnerability: Expert elicitation from industry stakeholders, based on countermeasures and target hardness ⢠Consequence: DHS- based methodology (historic information with certain expected values) and included: o Human o Economic o Psychological Relative risk scores between scenarios (including scenarios involving hazardous materials) and across modes. Various analyses that highlight the risk landscape by views of concern such as attack, likelihood, and conditional risk. Additionally, TSSRA can report quantitative values for the threat, vulnerability and consequence components of the risk analysis. Strengths: ⢠Measures relative risk across the full TSA domain using a common framework. ⢠The inclusion of external and internal stakeholders increases the credibility and transparency. Weaknesses: ⢠Vulnerability is measured based on human input, which introduces biases and limitations. ⢠The chief threat group analyzed was international extremists. ⢠Representative assets were used instead of speciï¬c sites. While sensitivity analysis allows for a better understanding across all sites, it is diï¬cult to map the risk for one speciï¬c site. ⢠Threat attack groups do not yet include domestic extremists ⢠The inputs into the consequence component need to be standardized. Name ------------------------------------------------------------------------------- ----- Sponsor/Developer Mode Input(s) Output(s) Key Aspects 4.1.6 (Continued). 4.1.7 Operational Changes Center for Chemical Process Safety Pipeline specialized data or analyses. and low. strategy in mind. CCPS Guidelines: Qualitative Risk Assessment Process See also §3.3.1, 4.2.2 --------------------- Highway Rail Marine Air Pipeline Benchmarking data from other companies or operations. The information that can be included is quite varied and includes chemical hazards, industry experience, List of actions to address, including the need for more detailed analysis. Benchmarking may indicate whether additional risk mitigation actions are necessary to close gaps as compared to the industry leader. The focus is more on the process used to select among alternatives Name ------------------------------------------------------------------------------- ----- Sponsor/Developer Mode Input(s) Output(s) Key Aspects Sa fe ty CCPS Guidelines: Risk Prioritization Process See also §3.3.1, 4.2.4 --------------------- Highway Rail Marine Air Subjective selections for frequency (based on exposure), probability (can be based on past history), and consequence that should not require The screening model provides a single risk score. Ranges are deï¬ned for serious, high, medium, High-level screening process that can determine whether more detailed assessment is warranted. Appropriate when there is no speciï¬c risk mitigation
47 4.1.7 (Continued). Center for Chemical Process Safety container design and operating practices, and safety and security. than on the selection itself. Do peers use risk prioritization or quantitative analyses, for example? CCPS Guidelines: Semi-Quantitative Risk Assessment Process See also §3.3.1, 4.2.7 --------------------- Center for Chemical Process Safety Highway Rail Marine Air Pipeline Quantify or weight the frequency- related elements and develop scenarios with accompanying release size and probability estimates. Consequences are quantiï¬ed from model input data, including the scenario deï¬nitions and sensitive areas along the routes. For risk indexes, the result for each option is a single value. For risk matrices, the result for each option is a single risk priority value. Adds quantiï¬cation where needed to make an informed decision. Cost-eï¬ective because not all elements need to be quantiï¬ed. Risk indices or matrices provide easy means to combine the diï¬erent elements of risk without a formal calculation. CCPS Guidelines: Quantitative Risk Assessment Process See also §3.3.1, 4.2.3 --------------------- Center for Chemical Process Safety Highway Rail Marine Air Pipeline Quantity per shipment, annual shipments, loaded vs. empty miles, Infrastructure characteristics needed for accident rate calculations. Conditional probability of release after an incident, the range of release sizes to consider, the probabilities of diï¬erent release types (e.g., jet ï¬re, pool ï¬re, ï¬ash ï¬re, toxic gas, explosion, or no impact). Population characteristics (including representative densities or detailed Census data) along the route, material hazard information, impact area; the âendpointâ criteria for the diï¬erent types of hazards: ⢠Toxic chemical exposure Generally, three types: ⢠Risk indices ⢠Individual risk (contours, maximums, averages for exposed or total population) ⢠Societal risk (usually expressed as F-N curves) Depending on the form of the output, can provide annual risk values, distribution of people exposed to diï¬erent risk levels, or societal risks. High-consequence/low- probability and low-consequence/high- probability events can be represented. Name ------------------------------------------------------------------------------- ----- Sponsor/Developer Mode Input(s) Output(s) Key Aspects ⢠Vapor cloud explosion ⢠Flammability hazards ⢠Flash ï¬res Chemical Manufacturer Risk Assessment Framework See also §3.3.4, 4.2.8 --------------------- Large Chemical/Plastics Manufacturer Highway Rail Marine Pipeline (inbound only) Considers trip length, past experience, shipment size, available packaging, third-party consequence data (sensitive areas along their routes, presence of bridges and tunnels). Chemical property information is internal. Reports are generated for the corporate operations department and sometimes include risk matrices. Considers all modes for their shipments (at least two are available at all locations). Risk assessments triggered by any change in distribution, and are usually only qualitative. Fedtrak See also §3.7.9, 4.2.10 --------------------- The Kentucky Transportation Center at the University of Kentucky for Transportation Security Administration Highway Accident data included in the modelâs network. Packaging provides a qualitative conditional probability of release or uses dated values. Consequences include population, CIKR, environmentally sensitive areas, and economic impact (most determined from model data). Safety risk scores are computed for the planned route and remain static. Model is designed for security but supports estimation and mitigation of safety risk. Alternate routes can be assessed and the safety risk scores can be compared. Pipeline Risk Management Manual See also §3.4.2.5, 3.7.7, 4.2.13 --------------------- W. Kent Muhlbauer Pipeline Input parameters can vary according to the speciï¬c goals of risk assessors and tend to require on-site data collection through inspections and surveys. Inputs include a wide array of data, examples of which include pipeline location, proximity to above ground activities, atmospheric exposure, soil corrosivity, coating type and condition, fatigue, land movements, operations and Outputs include indices for probabilities of third-party damage, corrosion, design issues, and incorrect operations; a leak impact (consequence) factor; and a relative risk score for each section of pipeline being studied. As a scoring/index model, the model provides easily understandable and comparable output relatively quickly, but results may be aï¬ected by subjectivity and are not readily comparable to assessments of other modes of transportation. The model is ï¬exible, able to use a wide range of input data and data precision, can be modiï¬ed to consider alternative consequence metrics, and allows for its relative output values to be converted into (continued on next page)
48 Name ------------------------------------------------------------------------------- ----- Sponsor/Developer Mode Input(s) Output(s) Key Aspects procedures, maintenance, characteristics of transported chemicals, and the location of potential human and environmental absolute risk numbers. The model is a standard industry tool, which facilitates communication about the model, data, and results, and increases potential access to a fo ecnetsixe eht hguorht secruoser ledom .srotpecer user community. While the manual provides guidance and sample input, the model is dependent upon a large amount of user-collected pipeline survey or inspection data. TRACC See also §3.4.1.3, 4.2.18 --------------------- Oak Ridge National Laboratory Center for Transportation Analysis and Mississippi State University Marine Current and historical vessel positions are reported by barge and tow companies using GPS devices, high population locations and points of critical infrastructure are stored within the system database. GIS, web-based reports of anomalous/barge movements are disseminated to governmental agencies, responders, and route managers. This software identiï¬es high-risk or anomalous barge activity and alerts authorities and other shipment stakeholders. With the exception of vessel- speciï¬c information, data needed to use the tool is stored within the system database. Output is web-based and delivered as graphics (map) and text, facilitating quick, informed comprehension and decision making. Application of the tool is limited until continuous GPS location transmission systems are more widely employed by tow and barge operators. CCPS Guidelines: Security Risk Prioritization Process See also §3.3.1, 4.2.5 --------------------- CCPS Highway Rail Marine Air Pipeline Chemical hazards, quantity transported per container, number of shipments, mode, interim storage, speciï¬c threat information, and the proximity to people, sensitive environmental areas, critical assets or infrastructure are all considered subjectively. Identiï¬cation of the issues that require additional analysis, such as TVSA. Easy to implement; ensures that resources are placed on the issues that require the most attention. This subjective review elevates issues to a formal TVSA and includes a security review for those elements that are not elevated. CCPS Guidelines: Security Vulnerability Assessment Process See also §3.3.1, 4.2.6 --------------------- CCPS Highway Rail Marine Air Pipeline Both internal and external threat information is combined with relative target attractiveness factors. Vulnerability is qualitatively assessed based on how well existing countermeasures can withstand or eliminate an attack. Consequences considered can include casualties, theft of hazmat, disruption of the economy or company operations, For risk indexes, the result for each option is a single value. For risk matrices, the result for each option is a single risk priority value. A list of prioritized countermeasures is also Can allow companies to cost-eï¬ectively allocate their security mitigation resources. Relies a lot on subject matter experts and outside threat information. environmental damage, ï¬nancial loss, secondary damage to critical infrastructure, loss of critical data, and erosion of company reputation. produced. TRACC See also §3.4.1.3, 4.2.18 --------------------- Oak Ridge National Laboratory Center for Transportation Analysis and Mississippi State University Marine Current and historical vessel positions are reported by barge and tow companies using GPS devices, high population locations and points of critical infrastructure are stored within the system database. GIS, web-based reports of anomalous/barge movements are disseminated to governmental agencies, responders, and route managers. This software identiï¬es high-risk or anomalous barge activity and alerts authorities and other shipment stakeholders. With the exception of vessel- speciï¬c information, data needed to use the tool is stored within the system database. Output is web-based and delivered as graphics (map) and text, facilitating quick, informed comprehension and decision making. Application of the tool is limited until continuous GPS location transmission systems are more widely employed by tow and barge operators. Se cu rit y 4.1.7 (Continued).
49 4.1.8 Security Measure Identification, Prioritization, and Evaluation Name ------------------------------------------------------------------------------- ----- Sponsor/Developer Mode Input(s) Output(s) Key Aspects CCPS Guidelines: Security Risk Prioritization Process See also §3.3.1, 4.2.5 --------------------- Center for Chemical Process Safety Highway Rail Marine Air Pipeline Chemical hazards, quantity transported per container, number of shipments, mode, interim storage, speciï¬c threat information, and the proximity to people, sensitive environmental areas, critical assets or infrastructure are all considered subjectively. Identiï¬cation of the issues that require additional analysis, such as TVSA. Easy to implement; ensures that resources are placed on the issues that require the most attention. This subjective review elevates issues to a formal TVSA and includes a security review for those elements that are not elevated. CCPS Guidelines: Security Vulnerability Assessment Process See also §3.3.1, 4.2.6 --------------------- Center for Chemical Highway Rail Marine Air Pipeline Both internal and external threat information is combined with relative target attractiveness factors. Vulnerability is qualitatively assessed based on how well existing countermeasures can withstand or For risk indexes, the result for each option is a single value. For risk matrices, the result for each option is Can allow companies to cost-eï¬ectively allocate their security mitigation resources. Relies a lot on subject matter experts and outside threat information. Process Safety eliminate an attack. Consequences considered can include casualties, theft of hazmat, disruption of the economy or company operations, environmental damage, ï¬nancial loss, secondary damage to critical infrastructure, loss of critical data, and erosion of company reputation. a single risk priority value. A list of prioritized countermeasures is also produced. Chemical Terrorism Risk Assessment (CTRA) See also §3.4.3.1, 4.2.9 --------------------- Department of Homeland Security Science and Technology Directorate Chemical Security Analysis Center Highway Rail Marine Pipeline Threat and vulnerability are considered in concert in the assignment of the event tree probabilities. The components are: (1) terrorist capability, (2) intent, (3) ease of acquiring the chemical, (4) terrorist knowledge of the chemical, (5) ability to carry out the attack, (6) probability of interdiction, and (7) probability of failure. For inhalation, HPAC is used for outdoor consequences, and the CONTAM model is used for indoor consequences. The SCIPUFF model is also used. Diï¬erent population densities and locations are used to get a range of consequences for a given scenario. For percutaneous, CSAC employs a statistical model that looks at the size of the contact area, the permeability of skin, and other materials that may push impermeable materials through skin. For ingestion, CSAC uses a stock and ï¬ow model that considers how much The outputs from one component model are used to feed subsequent models. Ultimately, there is a single risk number for each scenario or chemical being analyzed. These can be aggregated as needed. The CTRA is a combination of separate models. The models examine all routes of exposure: inhalation, ingestion, and percutaneous. They examine both lethal and non-lethal eï¬ects. The underlying framework is PRA. The event tree is broken out in great detail. The diï¬erent branches in the event tree can be combined as the user needs. Each event tree branch deï¬nes a scenario and the frequencies are applied along the path down that branch. Consequences are determined by the appropriate model for that scenario and multiplied by the overall frequency. The only diï¬erence from a traditional PRA is the inclusion of terrorist intention. The methodology supports large and small accidental releases as well as large intentional releases. Se cu rit y can get into the food supply, how it is distributed, and how many people would ultimately be aï¬ected. Toxicity values for over 120 chemicals, the three routes of exposure, and three injury severities are used as input data into the event tree. Fedtrak See also §3.7.9, 4.2.10 --------------------- The Kentucky Transportation Center Highway Attack mode, type of hazmat, and trailer/container type, nearby high-population density areas (Census data) and CIKR (from DHS or the states). The model will provide both static safety and dynamic security risk scores for each shipment along a planned route. The security risk methodology supports the quantiï¬cation of risk reduction through countermeasures or risk mitigation strategies. This includes reduction of the maximum risk and the cumulative reduction of route risk. (continued on next page)
50 Name ------------------------------------------------------------------------------- ----- Sponsor/Developer Mode Input(s) Output(s) Key Aspects at the University of Kentucky for Transportation Security Administration Two separate vulnerability measures are estimated, the likelihood that the terrorists do not fail on their own due to the inherent nature of the scenario and the likelihood that the terrorists will be able to overcome security measures. Consequences include population, CIKR, environmentally sensitive areas, and economic impact (most determined from model data). Security risk scores can be computed for a route at the planning stage (identifying the locations of high risk along the route), but will be automatically computed as each new location coordinates are received, providing a near-real time view of each shipmentâs risk. The system relies on a complete picture of Tier 1 HSSM shipments across the country for overall situational awareness. Still in the development stage. Risk-Based Preventative Radiological / Nuclear Detection Resource Allocation (CREATE Model) See also §3.7.6, 4.2.17 --------------------- National Center for Risk and Economic Highway Ports Inputs include selection of targets to be assessed, number and spatial layout of access paths to the targets, number and types of detectors within the system, and detector-speciï¬c detection probabilities. The data required for describing consequences depends upon the goals of the application of the model and can include traï¬c volume information and Probability of detecting a radiological or nuclear weapon; cost estimates of system deployment, success, or failure, etc. This model is a risk-based approach for the placement and operation of radiological and nuclear detectors within a transportation system. Is customizable to a wide array of outputs depending on user interests, and a majority of necessary data can be acquired from public sources. Analysis of Terrorism Events spatial population estimates. Transportation Sector Security Risk Assessment (TSSRA) See also §3.7.8, 4.2.20 --------------------- Department of Homeland Security, Transportation Security Administration, Oï¬ce of Security Capabilities Highway Rail Marine Pipeline For each non-asset speciï¬c attack scenario: ⢠Threat: Internal data from the Oï¬ce of Intelligence ⢠Vulnerability: Expert elicitation from industry stakeholders, based on countermeasures and target hardness ⢠Consequence: DHS-based methodology (historic information with certain expected values) and included: o Human o Economic o Psychological Relative risk scores between scenarios (including scenarios involving hazardous materials) and across modes. Various analyses that highlight the risk landscape by views of concern such as attack, likelihood, and conditional risk. Additionally, TSSRA can report quantitative values for the Threat, Vulnerability and Consequence components of the risk analysis. Strengths: ⢠Measures relative risk across the full TSA domain using a common framework. ⢠The inclusion of external and internal stakeholders increases the credibility and transparency. Weaknesses: ⢠Vulnerability is measured based on human input, which introduces biases and limitations. ⢠The chief threat group analyzed was international extremists. ⢠Representative assets were used instead of speciï¬c sites. While sensitivity analysis allows for a better understanding across all sites, it is diï¬cult to map the risk for one speciï¬c site. ⢠Threat attack groups do not yet include domestic extremists ⢠The inputs into the Consequence component need to be standardized. Trucking and Hazardous Materials Trucking Risk Assessment (THTRA) See also §3.4.3.2, 4.2.21 --------------------- Department of Homeland Security, Transportation Security Administration, Highway For each non-asset speciï¬c attack scenario: ⢠Threat: Internal data from the Oï¬ce of Intelligence ⢠Vulnerability: Expert elicitation from industry stakeholders, based on countermeasures and target hardness ⢠Consequence: DHS-based methodology (historic information with certain The three elements of DHS Risk (Threat, Vulnerability and Consequence) are scaled for each scenario using a modiï¬ed Kent scale (seven values ranging from very low to critical). Risk is reported out as a Strength: Vulnerability analysis was driven by expert elicitation, which allowed TSA to identify gaps and potential was to close them. Weaknesses: Acuity of qualitative, scaled risk values (what does medium risk mean?). The lack of transparency into the threat component is another identiï¬ed weakness. Highway Motor Carriers Division expected values) and included: o Human o Economic o Psychological relative risk score for each non-asset speciï¬c attack scenario. The false precision of results. 4.1.8 (Continued).
51 4.1.9 Security Risk Situational Awareness Name ------------------------------------------------------------------------------- ----- Sponsor/Developer Mode Input(s) Output(s) Key Aspects Se cu rit y Fedtrak See also §3.7.9, 4.2.10 --------------------- The Kentucky Transportation Center at the University of Kentucky for Transportation Security Administration Highway Attack mode, type of hazmat, and trailer/container type, nearby high- population density areas (Census data) and CIKR (from DHS or the states). Two separate vulnerability measures are estimated, the likelihood that the terrorists do not fail on their own due to the inherent nature of the scenario and the likelihood that the terrorists will be able to overcome security measures. Consequences include population, CIKR, environmentally sensitive areas, and economic impact (most determined from model data). The model will provide both static safety and dynamic security risk scores for each shipment along a planned route. Security risk scores can be computed for a route at the planning stage (identifying the locations of high risk along the route), but will be automatically computed as each new location coordinates are received, providing a near-real time view of each shipmentâs risk. Viewing the security risk scores for all en route shipments provides nationwide situational awareness. The security risk methodology supports the quantiï¬cation of risk reduction through countermeasures or risk mitigation strategies. This includes reduction of the maximum risk and the cumulative reduction of route risk. The system relies on a complete picture of Tier 1 HSSM shipments across the country for overall situational awareness. Still in the development stage. TRACC See also §3.4.1.3, 4.2.18 --------------------- Oak Ridge National Laboratory Center for Transportation Analysis and Marine Current and historical vessel positions are reported by barge and tow companies using GPS devices, high population locations and points of critical infrastructure are stored within the system database. GIS, web-based reports of anomalous/barge movements are disseminated to governmental agencies, responders, and route managers. This software identiï¬es high-risk or anomalous barge activity and alerts authorities and other shipment stakeholders. With the exception of vessel-speciï¬c information, data needed to use the tool is stored within the system database. Output is web-based and delivered as graphics (map) and Mississippi State University text, facilitating quick, informed comprehension and decision making. Application of the tool is limited until continuous GPS location transmission systems are more widely employed by tow and barge operators. Transportation Sector Security Risk Assessment (TSSRA) See also §3.7.8, 4.2.20 --------------------- Department of Homeland Security, Transportation Security Administration, Oï¬ce of Security Capabilities Highway Rail Marine Pipeline For each non-asset speciï¬c attack scenario: ⢠Threat: Internal data from the Oï¬ce of Intelligence ⢠Vulnerability: Expert elicitation from industry stakeholders, based on countermeasures and target hardness ⢠Consequence: DHS-based methodology (historic information with certain expected values) and included: o Human o Economic o Psychological Relative risk scores between scenarios (including scenarios involving hazardous materials) and across modes. Various analyses that highlight the risk landscape by views of concern such as attack, likelihood, and conditional risk. Additionally, TSSRA can report quantitative values for the Threat, Vulnerability and Consequence components of the risk analysis. Strengths: ⢠Measures relative risk across the full TSA domain using a common framework. ⢠The inclusion of external and internal stakeholders increases the credibility and transparency. Weaknesses: ⢠Vulnerability is measured based on human input, which introduces biases and limitations. ⢠The chief threat group analyzed was international extremists. ⢠Representative assets were used instead of speciï¬c sites. While sensitivity analysis allows for a better understanding across all sites, it is diï¬cult to map the risk for one speciï¬c site. ⢠Threat attack groups do not yet include domestic extremists. ⢠The inputs into the Consequence component need to be standardized. (continued on next page)
52 Name ------------------------------------------------------------------------------- ----- Sponsor/Developer Mode Input(s) Output(s) Key Aspects Trucking and Hazardous Materials Trucking Risk Assessment (THTRA) See also §3.4.3.2, Highway For each non-asset speciï¬c attack scenario in the Highway Domain: ⢠Threat: Internal data from the Oï¬ce of Intelligence ⢠Vulnerability: Expert elicitation The three elements of DHS Risk (threat, vulnerability and consequence) are scaled for each scenario using a modiï¬ed Kent scale (seven values ranging Strength: Vulnerability analysis was driven by expert elicitation, which allowed TSA to identify gaps and potential was to close them. 4.2.21 --------------------- Department of Homeland Security, Transportation Security Administration, Highway Motor Carriers Division from industry stakeholders, based on countermeasures and target hardness ⢠Consequence: DHS-based methodology (historic information with certain expected values) and included: o Human o Economic o Psychological from very low to critical). Risk is reported out as a relative risk score for each non-asset speciï¬c attack scenario. Weaknesses: Acuity of qualitative, scaled risk values (What does medium risk mean?). The lack of transparency into the threat component is another identiï¬ed weakness. The false precision of results. 4.1.9 (Continued). 4.2 Model Matrices Model Sponsor/Developer Page notsoB fo ytiC noitaulavE etuoR tamzaH notsoB CCPS Guidelines: Qualitative Ri 53 PCC ssecorP tnemssessA ks CCPS Guidelines: Quantitative SPCC ssecorP tnemssessA ksiR SPCC ssecorP noitazitiroirP ksiR :senilediuG SPCC CCPS Guidelines: Security Risk SPCC ssecorP noitazitiroirP CCPS Guidelines: Security Vulner SPCC ssecorP tnemssessA ytiliba CCPS Guidelines: Semi-Quantitativ SPCC ssecorP tnemssessA ksiR e Chemical Manufacturer Risk Assessment Framework Large Chemical/Plastics Manufacturer CASC T&S SHD )ARTC( tnemssessA ksiR msirorreT lacimehC ykcutneK ehT kartdeF Transportation Center at the University of Kentucky for TSA ATC LNRO ATCoeG EMI )RFASEMI( ksiR rof sisylanA ytefaS EMI Pipeline Risk Management Manual Risk Assessment Method PHMSA OPS aidnaS/EOD NARTDAR Rail Corridor Risk Management System (RCRMS) RRF/AAR Readiness and Resiliency Assessment Framework ORNL CTA Risk-Based Preventative Radiological/Nuclear Detection Resource CREATE .vinU etatS .ssiM/ATC LNRO CCART Transportation Routing Analysis GIS (TRAGIS) DOE/Oak Ridge Transportation Sector Security Risk Assessment (TSSRA) DHS, TSA, Oï¬ce of Security Capabilities (OSC) Trucking and Hazmat Trucking Risk Assessment (THTRA) DHS, TSA, HMC CUIU sisylanA ksiR raC knaT CUIU 54 55 56 57 58 59 60 61 62 63 64 65 66 67 69 69 70 71 72 73 74
53 Sponsor/Dev. Users/Uses/Decisions Output(s) Applicable Mode(s) Methodology or Approach City of Boston City oï¬cials desired to make changes in the designated hazmat route through Boston and were required to perform an analysis of alternate routes. State oï¬cials needed to approve the analysis and the recommendations. Risk scores for the analyzed routes were provided along with route daytime and nighttime population estimates. Highway The analysis was based on one of the options presented in the FMCSA routing guidance. The approach focused on through-route analysis, but provided additional assessments of the risk for other, local routes with diï¬erent origins/destinations. Potential route alternatives were identiï¬ed through a consultative process with state and local oï¬cials. Component Key Sources of Data Assumptions, Limitations, Biases, and Availability Sa fe ty Frequency Roadway truck accident rates are tied to roadway functional classiï¬cation (determined for each segment from MassDOT data) provided by the University of Mass. The report provides an uncertainty analysis and prescribes much of the uncertainty to the accident rate component (from uncertainty in truck traï¬c density). Sensitivity analysis was performed by using a diï¬erent endpoint for the routes. AN AN ytilibaborP Se cu rit y AN AN taerhT AN AN ytilibarenluV Commodities transported were identiï¬ed from Hazardous Materials Incident Reporting System (HMIRS) incident reports, city hazmat vehicle inspections, city permits and applications, shipper survey to PHMSA registrants within 75 miles of the study area, and the Census Bureauâs CFS. A ½-mile radius impact area for ï¬ammables was used to determine consequences (the range was from the FMCSA guidance document). Population data along the routes for TAZs that included day and night estimates were obtained from the Boston Regionâs Central Transportation Planning Staï¬ (CTPS). These data were derived from Census tract data. Additional sources were used to estimate other, special populations that were added to the Census-derived data: ⢠Employment (CTPS with daytime percentages estimated from the Bureau of Labor Statistics national average) ⢠Schools (locations from state GIS data; enrollment from the state Dept. of Elementary and Secondary Ed.) ⢠Hotels (Google Earth and hotel database website for location; hotel websites for sleeping and meeting rooms; assumptions used to determine occupancy and day/night split) ⢠Hospitals (Board of Registration in Medicine and Google Earth for location; various sources for capacity and occupancy) ⢠Nursing homes (state GIS data and Google Earth for location; various sources for capacity and occupancy) and ⢠Visitors (major National Park Service visitors only) Acres of environmental exposure for elements in 11 diï¬erent state databases within ½ mile of each route were combined with segment accident rates to determine the environmental risk. Emergency response times were considered, but not quantiï¬ed in the risk equation. Burden on commerce was also considered by computing the additional cost per year for industry to use each alternate route. No commodity ï¬ow studies were identiï¬ed for the study region, so the alternate methods listed were used. Ultimately, a single commodity (the most commonly transported) was used as the basis for the analysis. This results in a single scenario driving the risk assessment results. Commodities traveling longer distances through the study region would not be identiï¬ed through the shipper survey and the other sources do not cover all potential shipments, but do provide a good representation. The CFS data are for a broader region than the study area and not all data meet the reporting threshold. Some additional sensitivity analysis was performed to explore changes to the following parameters: ⢠Halving the percentage of resident population at home during the day ⢠Halving the percentage of employment population working at night The FMCSA guidance document is dated (1996) and more appropriate parameters and approaches are now available. Co ns eq ue nc e 4.2.1 Boston Hazmat Route Evaluation See also: §3.3.1 (continued on next page)
54 Strengths (including data) Weaknesses Availability Barriers/Desired Improvements The methodology makes strong use of a 1.5 ratio for decision making when comparing the risks of two alternatives. Above that threshold, cost implications were not considered. With the uncertainty analysis, this was increased to 2.3 (at the 95% conï¬dence interval). Selection of the route end points can aï¬ect the ratio of the relative risks of alternatives and potentially aï¬ect the outcome. The analysis focused on Class 3 shipments, the most common in the area. The FMCSA guidance document is dated (1996) and more appropriate parameters and approaches are now available. FMCSA routing guidelines are publically available from their website. The Boston study and clarifying responses to MassDOT questions are available from the MassDOT website.1 None 1 http://www.massdot.state.ma.us/highway/ProposedHazmatRoute.aspx as of 3/1/2012. 4.2.1 (Continued). Sponsor/Dev. Users/Uses/Decisions Output(s) Applicable Mode(s) Methodology or Approach Center for Chemical Process Safety of the American Institute of Chemical Engineers This model is designed to assist chemical companies manage their global transportation risks in a consistent framework. It includes determining which materials should be considered, the level of analysis appropriate, and the areas where mitigation actions may be warranted. Supported decisions cover a wide range of corporate activities and stakeholders. For any issue that was deemed in the risk prioritization step to require additional analysis, a qualitative risk analysis step is conducted. Benchmarking is particularly useful for companies that are not the industry experts in a particular area. The user must determine whether it is appropriate to close any gaps between each aspect of their operations and those of the industry leader. List of actions to address, including the need for more detailed analysis. All modes Three key areas are usually included: Benchmarking. This can be for internal or external practices, regulations, or standards. The information that can be included is quite varied and includes chemical hazards, industry experience, container design and operating practices, and safety and security. Identifying issues. For each element, the organization compares the operation being evaluated against other data and determines the appropriate response or whether further analysis is needed. Understanding the impacts from changes. Any changes to current operating practices need to be analyzed. Repeat the qualitative analysis with the change in operations included. Component Key Sources of Data Assumptions, Limitations, Biases, and Availability Sa fe ty Frequency Benchmarking can consider company operating practices, route mileage and accident rates, and recent incidents. Other factors include: storage proximity of other materials and their potential reactions, container and vehicle types and sizes, container securement, inspection procedures, oï¬-loading personnel qualiï¬cations and Data to benchmark against other companies may be diï¬cult to get; data from surveys might need clariï¬cation (which may not be available). Probability training, proposed route and restrictions, etc. Se cu rit y AN AN taerhT AN AN ytilibarenluV Co ns eq ue nc e Benchmarking can consider proximity to sensitive receptors, the materialâs potential to cause harm to people, eï¬ectiveness of potential evacuation and cleanup along route, etc. None 4.2.2 CCPS Guidelines: Qualitative Risk Assessment Process See also: §3.3.1
55 Strengths (including data) Weaknesses Availability Barriers/Desired Improvements Cost-eï¬ective approach for considering options that do not require more detailed assessment. Can be tailored to speciï¬c carrierâs circumstances. Data can feed more detailed analyses. Benchmarking needs to be planned well if outside sources of data are used; otherwise, the collected information may lead to misleading results. Publically available by purchasing the book. None 4.2.2 (Continued). Sponsor/Dev. Users/Uses/Decisions Output(s) Applicable Mode(s) Methodology or Approach Center for Chemical Process Safety of the American Institute of Chemical Engineers This model is designed to assist chemical companies manage their global transportation risks in a consistent framework. It includes determining which materials should be considered, the level of analysis appropriate, and the areas where mitigation actions may be warranted. Supported decisions cover a wide range of corporate activities and stakeholders. Risk assessments can focus on alternatives for a single shipment or be as broad as the entire distribution operation for an organization. Mode and route choice, shipment quantities, and packaging are the typical issues being considered. Generally, risk experts conduct the analysis and present the results to the decision maker(s). Generally, three types (see strengths and weaknesses below): ⢠Risk indices ⢠Individual risk (contours, maximums, averages for exposed or total population) ⢠Societal risk (usually expressed as F-N curves) All modes The general approach includes 5 steps: selecting the scenarios or issues to be evaluated, data collection and evaluation, selecting consequence measures, conducting the analysis, and presenting the results to the decision makers. Optional steps include sensitivity analysis and evaluating diï¬erent approaches for risk reduction. Component Key Sources of Data Assumptions, Limitations, Biases, and Availability Sa fe ty Frequency Quantity per shipment, annual shipments, loaded vs. empty miles Infrastructure characteristics needed for accident rate calculations Try to use speciï¬c carrier accident rates, if speciï¬c movements are being considered (and use route-and-carrier-speciï¬c rates if there is suï¬cient volume over speciï¬c routes over time). In general, care should be taken to use data that most closely align with the operations being assessed. Where only generic accident rates are available, consider the implications if they do not match up well (the example given is using truck accident rates for hazmat truck accident rates; hazmat rates may be lower). Also, ensure that there is good alignment between the sources for accidents and miles traveled. Probability Conditional probability of release after an accident (or non-accident), the range of release sizes to consider, the probabilities of diï¬erent release types (e.g., jet ï¬re, pool ï¬re, ï¬ash ï¬re, toxic gas, explosion, or no impact) Only a representative range of release sizes are typically considered. Event trees can be used to estimate probabilities beyond that of whether or not a release occurs. This can include the phase of the material released (gas, liquid, solid), whether there is an ignition (and how soon after release), whether there is an explosion, and the ï¬nal type of impact. Se cu rit y AN AN taerhT AN AN ytilibarenluV Co ns eq ue nc e Population characteristics (including representative densities or detailed Census data) along the route, material hazard information, potential release sizes, impact area. As with the probability, the âendpointâ criteria for the diï¬erent types of hazards are important to understand: ⢠Toxic chemical exposure: a concentration over the exposure duration ⢠Vapor cloud explosion: blast overpressure The speciï¬c release scenarios play a big role in how the consequences should be estimated. Source elevation may play a role in the concentrations seen at any location. Quantity released may not be linearly correlated to downwind dispersion distance. Terrain and meteorological parameters are also big factors in the dispersion of released materials. Consider the impacts of using endpoints that reï¬ect where detectable eï¬ects may occur versus those that would result in serious injury or death. If representative population densities are used, they should at least cover major cities, urban areas, suburban areas, and rural areas. 4.2.3 CCPS Guidelines: Quantitative Risk Assessment Process See also: §3.3.1 (continued on next page)
56 Strengths (including data) Weaknesses Availability Barriers/Desired Improvements Risk indices provide single annual risk number. Individual risks can be used to show a distribution of people exposed to diï¬ering risk levels (recognizing the dynamics of the risk along the route), the greatest risk that any individual might experience along a route, the average risk for all the exposed Requires risk professional to perform analyses. Risk indices do not inform about high- consequence/low-probability and low- consequence/high-probability events and usually do not provide suï¬cient information to make risk tolerance decisions. Publically available by purchasing the book. None population, and the average risk for a ï¬xed population (for comparing several alternatives). Societal risk outputs inform about high- consequence/low-probability and low- consequence/high-probability events. âThe greatest value is in providing a relative risk comparison ⦠so that the priorities for action can be set.â Some individual risk calculations can be diï¬cult or time-consuming to perform. Maximum risks do not provide information on the number of people exposed or how the risk level varies along or away from the route. The average risks do not indicate the number exposed in a release and may be misleading depending on the size of the areas and populations involved. Societal risks can be diï¬cult to interpret. Component Key Sources of Data Assumptions, Limitations, Biases, and Availability ⢠Flammability hazards: o Pool ï¬res: steady heat load or thermal radiation load o Boiling liquid expanding vapor explosions (BLEVEs) and ï¬reballs: integrated dose criterion o Flash ï¬res: the concentration that is in the ï¬ammable range for the material 4.2.3 (Continued). Sponsor/Dev. Users/Uses/Decisions Output(s) Applicable Mode(s) Methodology or Approach Center for Chemical Process Safety of the American Institute of Chemical Engineers This process is designed to help industry managers understand the relative risk of diï¬erent transportation operations at a very high screening level. The screening model provides a single risk score that will range from 0 to 10,000. Values over 400 are considered serious. Other categories are: high (200 â 400), medium (70 â 200), and low (0 â 70). All modes and operations. The generic process starts out with data from a self- assessment of any third party involved (e.g., shipper, customer) and corporate history of the business relationship for context and key issues. A very qualitative process is used to characterize the magnitude of the risk, considering likelihood (0.1 to 10), exposure (0 to 10), and consequences (1 to 100). The risk score is checked to determine if the severity of the risk appears in line with the analystâs understanding of the nature of the activities that are being considered. A ï¬ow model outlines the appropriate steps based on the severity of the risk. Where appropriate, a more quantitative assessment and its timing are suggested. Action planning ensures that the risk monitoring and mitigation strategies are implemented. Component Key Sources of Data Assumptions, Limitations, Biases, and Availability Sa fe ty Frequency Exposure scale to capture the frequency that that the transportation activity occurs. The range of values is from no exposure (0) to continuous (10). Daily, weekly, monthly, several times per year, and yearly are the other intermediate options. Probability Likelihood scale to represent how often the adverse event (release of product) can be expected to happen. Past corporate history can be used to determine the appropriate value. The range of values is from virtually impossible (0.1) to happens often (10). Intermediate values include quite possible, unusual but possible, remotely possible, conceivable but very unlikely (hasnât happened yet), and practically impossible. This relies on very subjective judgment to distinguish between the less likely categories. 4.2.4 CCPS Guidelines: Risk Prioritization Process See also: §3.3.1
57 Component Key Sources of Data Assumptions, Limitations, Biases, and Availability Strengths (including data) Weaknesses Availability Barriers/Desired Improvements This is a very simple process that can be implemented with no additional data. It can be used to determine where additional level of analysis detail is warranted (such as for risk scores determined to be high or serious). Because the analysis framework identiï¬es levels of risk, it could be used to determine the risk for a single transportation operation without the need to identify alternates or other activities to compare it against. This is a very subjective approach. The values listed are dated and can be updated by the user. .detsil enoNenoN Se cu rit y AN AN taerhT AN AN ytilibarenluV Co ns eq ue nc e Consequence scale uses a combination of injuries, fatalities, and damage estimates to categorize the potential impacts. The range of values is from minor injury and/or damage over $10K to catastrophic, with many fatalities and/or damage over $5M. The other human health consequences include injury, serious injury, 1 fatality, and a few fatalities. The damage levels include $50K, $500K, and $1M. 4.2.4 (Continued). 4.2.5 CCPS Guidelines: Security Risk Prioritization Process See also: §3.3.1 Sponsor/Dev. Users/Uses/Decisions Output(s) Applicable Mode(s) Methodology or Approach Center for Chemical Process Safety of the American Institute of Chemical Engineers Corporate analysts and decision makers use this model to determine the speciï¬c issues that require a more detailed TVSA from those that only need a general security review. Identiï¬cation of the issues that require additional analysis (TVSA). All modes The process includes 6 steps: 1. Identify the chemicals that need to be considered. 2. Review the modes and quantities. 3. Deï¬ne scope of the evaluation (this may be necessary for complex supply chains, where some grouping may help manage the process). 4. Identify sensitive areas along the route (people, environmental, critical assets). 5. Evaluate the security a. Perform a security review on all items that do not warrant a full TVSA (the security review considers personnel security, unauthorized access, and en route security). b. Conduct a TVSA on those that do. 6. Review the security issues periodically or if there is speciï¬c, relevant, and actionable information. Component Key Sources of Data Assumptions, Limitations, Biases, and Availability Sa fe ty AN AN ycneuqerF AN AN ytilibaborP Se cu rit y Threat At the screening level, the threat, vulnerability, and potential consequences are conceptually combined when considering the elements that would elevate an item to be a security concern: chemical hazards, quantity transported per container, number of shipments, mode, interim storage, speciï¬c threat information, and the proximity to people, sensitive environmental areas, critical assets or infrastructure. Analyst judgment determines whether an item is moved forward for a full TVSA. Vulnerability e Co ns eq ue nc e (continued on next page)
58 4.2.5 (Continued). 4.2.6 CCPS Guidelines: Security Vulnerability Assessment Process See also: §3.3.1 Strengths (including data) Weaknesses Availability Barriers/Desired Improvements Easy to implement; ensures that resources are placed on the issues that require the most attention. Simpliï¬ed approach relies on the analystâs judgment to determine whether to move items to the next level of analysis. Publically available by purchasing the book. None Sponsor/Dev. Users/Uses/Decisions Output(s) Applicable Mode(s) Methodology or Approach Center for Chemical Process Safety of the American Institute of Chemical Engineers Corporate analysts use this model to analyze broad security risks. For risk indexes, the result for each option is a single value. For risk matrices, the result for each option is a single risk priority value. A list of prioritized countermeasures is also produced. All modes The risk is the likelihood that each identiï¬ed threat can exploit the vulnerabilities of identiï¬ed targets to achieve the desired consequences. The approach is generally qualitative (due to lack of predictive historical data). It includes 5 steps: 1. Characterize the route using the security prioritization process. 2. Assess the threats and the targets that would be attractive to them. 3. Analyze the vulnerabilities of the targets (segments of the route) identiï¬ed in Step 2. a. Deï¬ne scenarios for analysis b. Evaluate consequences. c. Evaluate security countermeasures. d. Estimate the vulnerabilities. 4. Analyze the risk and the need for additional countermeasures. 5. Analyze potential countermeasures and prioritize their implementation. Component Key Sources of Data Assumptions, Limitations, Biases, and Availability Sa fe ty AN AN ycneuqerF AN AN ytilibaborP Se cu rit y Threat Knowledge from internal and other company sources as well as from federal, state, and local law enforcement agencies can help inform on the nature of the threats that may apply to a company or its transportation routes. To estimate relative target attractiveness, surrogate factors can be used to oï¬set the lack of intelligence data. Otherwise, a general estimate is used for the entire route or chemical. Some models use an estimate for the likelihood of an attack. This would use subject matter experts. Some of the factors identiï¬ed for target attractiveness include: potential for mass casualties, extensive property damage, proximity to national assets/landmarks, eï¬ects on critical transportation infrastructure, eï¬ects on the economy, ease of access to the target, extent of media interest, company reputation or brand exposure, iconic or symbolic target. No historical basis for determining the likelihood of an attack. Vulnerability This is a qualitative assessment of how well the existing countermeasures can withstand or eliminate an attack. The speciï¬c subject matter experts will have a large eï¬ect on the relative eï¬ectiveness of diï¬erent countermeasures. Co ns eq ue nc e Generally, the consequences can be the same or worse than for an accidental release. These consequences include: casualties (public, carrier, shipper, consignee, and responders), theft of hazmat, disruption of the economy or company operations, environmental damage, ï¬nancial loss, secondary damage to critical infrastructure, loss of critical data, and erosion of company reputation. The availability of data to support these consequences will vary depending on the company and the speciï¬cs of the analysis.
59 4.2.6 (Continued). Strengths (including data) Weaknesses Availability Barriers/Desired Improvements Can allow companies to cost-eï¬ectively allocate their security mitigation resources. Results rely on a lot of subjective information. Publically available by purchasing the book. None 4.2.7 CCPS Guidelines: Semi-Quantitative Risk Assessment Process See also: §3.3.1 Sponsor/Dev. Users/Uses/Decisions Output(s) Applicable Mode(s) Methodology or Approach Center for Chemical Process Safety of the American Institute of Chemical Engineers This model is designed to assist chemical companies manage their global transportation risks in a consistent framework. It includes determining which materials should be considered, the level of analysis appropriate, and the areas where mitigation actions may be warranted. Supported decisions cover a wide range of corporate activities and stakeholders. For any issue that needs more detailed analysis than a qualitative analysis, a semi- quantitative risk analysis step is conducted. For risk indexes, the result for each option is a single value. For risk matrices, the result for each option is a single risk priority value. All modes Adds some quantiï¬cation to the qualitative approach. Techniques described include risk indexes and risk matrices. Risk index: most often the sum of several values corresponding to the attributes of concern (such as frequency of shipment, previous incidents, shipment quantity, and hazard rating). Values for each attribute might be determined on a scale from 0 to 10 and may be optionally combined with attribute weights. Options are assessed by the resulting single number. The higher the risk index, the greater the risk. Risk mitigation strategies can be easily evaluated by adjusting the attribute values to reï¬ect them and comparing the resulting risk index to the original one. Risk matrix: generally constructed with likelihood on the vertical axis and consequence on the horizontal axis. Categories are used for the likelihood or consequences, rather than actual values. Each cell in the matrix corresponds to a likelihood category and a consequence category and is assigned a risk priority, such as a value from 1 to 4. Component Key Sources of Data Assumptions, Limitations, Biases, and Availability Sa fe ty Frequency Quantiï¬cation (or weighting) of these elements may be appropriate: accident rate, route miles, and trips per year. It is important to consider the integration of data from diï¬erent sources or for diï¬erent modes, variations in data quality, and conï¬dence in data sources. Probability Release probability may be estimated by using route- speciï¬c data (infrastructure characteristics and speed information) and the type of accident to develop a set of scenarios, including the release size, with probabilities. None Se cu rit y AN AN taerhT AN AN ytilibarenluV Co ns eq ue nc e Quantiï¬cation (or weighting) of these elements may be appropriate: release types and size, container size, material conditions, range of potential consequences, meteorological conditions, sensitive areas along the route (people, property, and environmental receptors). Models are generally needed to take the input data and estimate the consequences. Strengths (including data) Weaknesses Availability Barriers/Desired Improvements Can be performed and used by many diï¬erent stakeholders (not just risk experts); cost-eï¬ective; can consider many risk- related factors, and supports comparative analysis. It is important to consider the integration of data from diï¬erent sources or for diï¬erent modes, variations in data quality, and conï¬dence in data sources. Publically available by purchasing the book. None
60 4.2.8 Chemical Manufacturer Risk Assessment Framework See also: §3.3.4 Sponsor/Dev. Users/Uses/Decisions Output(s) Applicable Mode(s) Methodology or Approach Large Chemical/Plastics Manufacturer Corporate EHS performs the assessments and makes recommendation to the operations department on packaging, shipping, and mode choice decisions. Some assessments are summarized in 6- or 9- block risk matrices (likelihood and consequence categories on the axes). Reports are generated to present all risk assessment results. Primarily highway, rail, and marine. Limited air shipments (discouraged) due to the quantities typically shipped. Pipeline is used for incoming materials only. The risk assessment process is invoked when there are new movements (from new products, customers, or route options) or when larger quantities result from increased sales. Most assessments are qualitative and focus on identifying the signiï¬cant additional risks to human health or the environment. They include information from past experience and industry knowledge. In the qualitative approach, they look for ways to reduce handling and transfers, travel through sensitive areas. Quantitative assessments are used occasionally when the risks are perceived to be great enough to warrant them and their focus tends to be on the consequences. Transportation of most of their very high-hazard materials has been eliminated by co-locating manufacturing at the point of use. Component Key Sources of Data Assumptions, Limitations, Biases, and Availability Sa fe ty Frequency Trip length is a factor, but most of the focus is on past experience and the amount of handling and transfers that are involved. Internal data are used. Shipment size is considered and if the quantities are suï¬cient, they will examine building storage capacity onsite so that they can use larger packages and reduce the number of shipments. Increased mileage is more important in some parts of the country than others, based on where their operations are. For example, increased mileage in snow- prone areas is particularly undesirable. The focus on limiting handling is based on industry consensus that most of the accidents involve loading/unloading operations and transfers. Probability The most stringent container readily available that is appropriate for the product is used, even if it well-exceeds the requirements. No analysis is performed to quantify the risk reduction of container selection. Se cu rit y noiretirc a sa desu ton si ytiruceS AN taerhT in their decision processes that involve risk assessment; however, they do ensure that their carriers have adequate security plans. Vulnerability NA Co ns eq ue nc e A lot of the information that is used comes from third parties: populations and environmentally sensitive areas along their routes, and the presence of bridges and tunnels are primary factors. Chemical information is critical in assessing the nature of potential impacts (physical and chemical properties are obtained from internal company product information). Data to support detailed analyses can be diï¬cult to obtain. The consequence analysis often focuses on speciï¬c parts of the route to identify a reasonable worst-case scenario rather than developing a score that considers all parts of the route. Strengths (including data) Weaknesses Availability Barriers/Desired Improvements Looks at all possible modes for their shipments (all sites have both rail and truck options and some major sites have marine access as well). The analysis neglects probability and security components that might provide a more comprehensive view of potential risks. Analyses are business sensitive, but are shared with their carriers. A single location from which to obtain the speciï¬c route-speciï¬c information is needed, including GIS information.
61 4.2.9 Chemical Terrorism Risk Assessment (CTRA) Process See also: §3.4.3.1 Sponsor/Dev. Users/Uses/Decisions Output(s) Applicable Mode(s) Methodology or Approach Department of Homeland Security Science and Technology Directorate Chemical Security Analysis Center The model is to provide an end-to-end assessment of the threat of terrorist use of toxic chemicals. It examines the terrorist use of chemical warfare agents and toxic industrial chemicals. The scope includes, but goes well beyond transportation. The outputs from one component model are used to feed subsequent models. Ultimately, there is a single risk number for each scenario or chemical being analyzed. These can be aggregated as needed. All modes except air: bulk and non-bulk highway, rail, barges, pipeline. They also consider that some storage vessels are transportation vessels. Depending on the speciï¬c analysis, pipeline may be considered a ï¬xed site or a transportation facility. The CTRA is a combination of separate models. The models examine all routes of exposure: inhalation, ingestion, and percutaneous. They examine both lethal and non-lethal eï¬ects. The underlying framework is probabilistic risk assessment (PRA). The event tree is broken out in great detail. The diï¬erent branches in the event tree can be combined as the user needs. Each event tree branch deï¬nes a scenario and the frequencies are applied along the path down that branch. Consequences are determined by the appropriate model for that scenario and multiplied by the overall frequency. The only diï¬erence from a traditional PRA is the inclusion of terrorist intention. The methodology supports large and small accidental releases as well as large intentional releases. Component Key Sources of Data Assumptions, Limitations, Biases, and Availability Sa fe ty AN AN ycneuqerF AN AN ytilibaborP Se cu rit y Threat Threat and vulnerability are considered in concert in the assignment of the event tree probabilities. The components are: (1) terrorist capability, (2) intent, (3) ease of acquiring the chemical, (4) terrorist knowledge of the chemical, (5) ability to carry out the attack, (6) probability of interdiction, and (7) probability of failure. CSAC actively engages the law enforcement community regarding the likelihood of the scenario being interdicted. For eliciting expert opinion, CSAC uses the CREATE methodology. Industry tends to prefer GroupThink for this, but CSAC usually does not have an expert for every single chemical they consider in an analysis. The CREATE method is not focused on a single chemical. They generally use the model that the experts they are using are most familiar with, to facilitate obtaining the data. The PRA allows for computing uncertainties; CSAC identiï¬es unreliable data points and captures uncertainties around that point. It often reports risk with an error range using the t distribution. Vulnerability Co ns eq ue nc e All routes to the consequences are considered, each with their own models. For inhalation, HPAC (for outdoor consequences) and CONTAM (for indoor consequences). CONTAM is a multi-zonal model and the number of zones used is dependent on the scenario. The SCIPUFF model (which also is a collection of models) is also used. CSAC generally uses the default model values as suggested by the scenario. Diï¬erent population densities and locations are used to get a range of consequences for a given scenario. For percutaneous, CSAC employs a statistical model that looks at the size of the contact area (often the hand), the permeability of skin, and other materials that may push impermeable materials through skin. For ingestion, CSAC uses a stock and ï¬ow model that considers how much can get into the food supply, how it is distributed, and how many people would ultimately be aï¬ected. Toxicity values for over 120 chemicals, the three routes of exposure, and three injury severities (lethal, severely injured, and moderately injured) are used as input data into the event tree. For the LD50 values, for example, they need probability slopes and the toxic load exponent. For the injury categories, CSAC is lacking some of the data needed related to the severely and moderately injured categories; it makes assumptions where necessary. The lethal dose data are much more readily available. CTRA uses average container sizes for the materials as actually transported. It uses a modiï¬ed Latin hypercube Monte Carlo approach for sampling the range of container sizes possible, centered on the mean, but not using only the mean size. The component models are used by external (to CSAC) policy makers across government to assess the relative risk of representative scenarios (e.g., what is the riskiest scenario for a given chemical?), the relative risk of representative chemicals, how chemical risks change when examining diï¬erent scenarios (e.g., diï¬erent chemicals may be more suited for indoor, outdoor, or food-based scenarios). The purpose is to raise awareness, determine the relative risks. Examples of uses: HHS for developing medical countermeasures for chemical exposure; DHS for identifying the need for detectors for certain chemicals; and the National Security Council for developing communication processes. (continued on next page)
62 4.2.9 (Continued). 4.2.10 Fedtrak See also: §3.7.9 Strengths (including data) Weaknesses Availability Barriers/Desired Improvements Because of the Secret classiï¬cation of the CTRA results, it can use complex, sensitive information. The CTRA is comprehensive, providing an end-to-end assessment. While there are still some items not considered, it does estimate the full nature of chemical risk. Because of the Secret classiï¬cation, distribution of any results is limited, so that some entities that could beneï¬t from the results are not able to do so. There are weaknesses in some of the models that are included in the CTRA. Transportation coverage is one of these (leading to the HM- 12 project). CTRA treats each mode separately and does not The CTRA involves a signiï¬cant amount of intelligence information, leading its results to be classiï¬ed Secret. The results are shared with other entities that can take action to address identiï¬ed risks (see the Users entry). There are a lot of data needs. The biggest is better toxicology data across the board. These data are needed for the three injury categories and the three routes of exposure for each of the 120+ chemicals (more than 1,080 toxicity values). A desired improvement is to address the weaknesses. look at intermodal shipments. Sponsor/Dev. Users/Uses/Decisions Output(s) Applicable Mode(s) Methodology or Approach The Kentucky Transportation Center at the University of Kentucky for Transportation Security Administration Fedtrak is being developed to provide data and information for use by the federal government for real-time situational awareness of high- security risk highway hazmat shipments. The Fedtrak risk methodology will provide decision support: ⢠Help security specialists prioritize the trucks that should be closely monitored. ⢠Help security specialists prioritize which trucks require additional analysis and investigation based on anomalies that may indicate potential security concerns. ⢠Support real-time law enforcement and emergency response through state fusion centers in the event of a crisis situation (e.g., hijacked truck). ⢠Provide situational awareness to local, state, and Federal authorities about the potential for high-risk shipments passing through speciï¬c geographic regions. ⢠Quantify risk reduction through identiï¬cation and assessment of security countermeasure eï¬ectiveness and other risk management strategies. ⢠Allow carriers to determine if alternate routes exist that may be preferred to the planned route. The model will provide both static safety and dynamic security risk scores for each shipment along a planned route. Safety risk scores are computed at the planning stage and remain static. Security risk scores can be computed for a route at the planning stage (identifying the locations of high risk along the route), but will be automatically computed as each new location coordinates are received, providing a near-real time view of each shipmentâs risk. Highway Safety methodology considers frequency, probability, and consequence and security methodology considers threat, vulnerability, and consequence. Both risk measures are relative scores and are not combined together, but considered separately. Security risk would be computed based on the current location of the vehicle using both static and dynamic components and the safety risk would be static for a given planned route. The security risk for an entire route would be the maximum risk at any location along that route. Conversely, the safety risk for a route is a sum of all the risks along that route, calculated at the segment level. Component Key Sources of Data Assumptions, Limitations, Biases, and Availability Sa fe ty Frequency Accident frequency is based on national-level data tied to roadway functional classiï¬cation. Alternately, state- supplied data can be used. The accident rate per mile is multiplied by the length of each segment to get the frequency for that segment. There is only one scenario for safety risk. Generally, data do not support frequencies (or probability or consequence) by speciï¬c type of crash or its cause. Probability The conditional probability of a release, given a crash, is tied to the packaging used for each shipment and the material being shipped. One source is the dated Harwood et al. paper from 1993. The proposed approach is to use subject matter expert (SME) elicitation with the assistance of a Kent Scale to assign conditional probabilities. These would range from practically impossible to certain. Directly applicable data are not readily available. The Harwood paper does not address many of the high-security hazmat that Fedtrak is designed to assess and monitor (e.g., radiological materials and explosives).
63 4.2.10 (Continued). 4.2.11 GeoCTA See also: §3.4.1.3 Component Key Sources of Data Assumptions, Limitations, Biases, and Availability Se cu rit y Threat Static factors (determine the threat baseline): attack mode, type of hazmat, and trailer/container type. Static factor values would be derived from SME elicitation. Dynamic factors: nearby high-population density areas (Census data) and CIKR (from DHS or the states). SME elicitation will derive a function to correlate diï¬erent levels of population or CIKR to threat values. Attack modes that deï¬ne the style of attack and the weapons used are combined with a hazmat type (or class) and a trailer/container type into a scenario. Ten attack modes and hundreds of scenarios are considered. These scenarios are the basis for estimating the threat, vulnerability, and consequence values. The threat baseline reï¬ects the typical security posture for the various scenarios. The DHS CIKR list is classiï¬ed Secret and may present issues regarding its availability or the communication of CIKR component values beyond. Vulnerability The likelihood that a terrorist will be successful based on the challenges in carrying out each attack. Two separate vulnerability measures are estimated, the likelihood that the terrorists do not fail on their own due to the inherent nature of the scenario and the likelihood that the terrorists will be able to overcome security measures. These are determined by SME elicitation supported by the use of Kent scales assigning numeric values to the various options for each variable. The same scenarios that are discussed for threat apply here. Co ns eq ue nc e Components include the aï¬ected population, CIKR, environmentally sensitive areas, and economic impact. A consequence equivalent scale will be used to combine these four components together into a single measure that reï¬ects an order of magnitude diï¬erence between the possible values for the overall measure (0 to 4). Data sources include the Emergency Response Guidebook (impact areas), the Census Bureau (aï¬ected population), USGS and National Park Service (environmentally sensitive areas), the Gross Domestic Product (GDP, for per-capita economic value), and DHS and the states (CIKR). The same scenarios that are discussed for threat apply here. The consequence equivalence table will have a signiï¬cant impact on the relative importance of the four diï¬erent components. However, this approach allows these diï¬erent consequence types to be considered in a single assessment without the need for arbitrary weights. The economic impact component is designed to capture the relative diï¬erence in the costs that would result from a hazmat release in areas of higher or lower GDP. It does not capture the expected value of the actual economic impact. Strengths (including data) Weaknesses Availability Barriers/Desired Improvements The security risk methodology supports the quantiï¬cation of risk reduction through countermeasures or risk mitigation strategies. This includes reduction of the maximum risk and the cumulative reduction of route risk. The system relies on a complete picture of Tier 1 HSSM shipments across the country for overall situational awareness. Still in the development stage. The planned system will be SSI at a minimum and will, most likely, be classiï¬ed Secret. Onsite operators and designated security oï¬cials would have direct access. Carrier-speciï¬c data (such as route safety scores and high- level security information) would be available to the carrier via online portals. Suï¬cient funding and industry buy-in to develop an operational pilot and subsequent system that addresses industry privacy concerns. Sponsor/Dev. Users/Uses/Decisions Output(s) Applicable Mode(s) Methodology or Approach Oak Ridge National Laboratory Center for Transportation Analysis Informs emergency planning and response decisions by security managers and ï¬rst responders, with a focus on transportation and other critical infrastructure in high- threat urban areas. Population risk and consequence indices and GIS- based maps with information on critical and high- value locations. All modes GeoCTA provides a map of a transportation system of interest to the user, displaying spatial, contact, and descriptive information for sensitive locations in the surrounding area, including population centers, iconic potential targets, hazardous material facilities, etc. The tool calculates the population at risk for a one- or two and one- half mile radius from any user-speciï¬ed location within the map. Additionally, spatial analysis tools provide summary information on mapped layers based on user-deï¬ned lines and polygons. (continued on next page)
64 4.2.11 (Continued). Component Key Sources of Data Assumptions, Limitations, Biases, and Availability Sa fe ty AN AN ycneuqerF AN AN ytilibaborP Se cu rit y AN AN taerhT AN AN ytilibarenluV Co ns eq ue nc e Population data is stored within the system. While much of the data stored within GeoCTA is restricted, population data is freely available from the U.S. Census Bureau and day/night population estimates are available through FEMA as part of the HAZUS database. Strengths (including data) Weaknesses Availability Barriers/Desired Improvements The tool contains a large number and variety of spatial data layers, including all of the data necessary for use of the system. Output population metrics include day and nighttime estimates, rather than a single count. Graphical output, in the form of GIS- based maps, facilitates comprehension of a variety of spatially interdependent data layers for quick, informed decision making. The tool can be applied to any location within the United States. The tool has been designed to allow for easy integration of new customized spatial analysis functions. While the potential exists for modiï¬cation of the tool, it was developed to be population focused and does not currently account for variables such as type and amount of hazmat, etc., or risks to other receptors. GeoCTA contains data restricted to Federal use and is not distributable. Theoretically, with the exclusion/substitution of restricted data, the model could be made publically available. The primary barrier to the widespread use of this tool is the inaccessibility of the tool in its current form. The removal or replacement of sensitive system data for distribution and development of the tool beyond population-focused analyses is desired. 4.2.12 Institute of Makers of Explosives Safety Analysis for Risk (IMESAFR) See also: §3.3.3 Sponsor/Dev. Users/Uses/Decisions Output(s) Applicable Mode(s) Methodology or Approach Institute of Makers of Explosives IMESAFR is used by explosives manufacturers and regulators to gage explosives risks at ports and industrial facilities. IMESAFR outputs include a measure of the probability of fatalities and major and minor injuries from an explosion along with a GIS-based map of explosive eï¬ects and risks to surrounding infrastructure. IMESAFR is applicable to facilities (e.g., ports, industrial sites, safe havens, etc.) associated with any mode of transportation. Probability of fatalities and injuries is calculated based on user input regarding the type of explosive, type of activity, and building placements and characteristics. Users can select from pre-deï¬ned, system-stored values to specify input parameters. Casualties are calculated according to the general risk equation: Probability of casualty = Probability of event * Probability of casualty given an event * exposure. While IMESAFR was designed for safety applications, security may be considered by multiplying frequencies by scaling factors to account for threat level increases. Component Key Sources of Data Assumptions, Limitations, Biases, and Availability Sa fe ty Frequency IMESAFR internal explosive accidents database. Data is stored internally and is derived from IME member surveys, an IME explosive accidents database, and ATF data. Frequency data for military uses are used in the absence of reliable commercial frequency data. Probability IMESAFR internal probability data. Data is sourced from DOD testing data, which typically focuses on quantities of explosives that are larger than those typically on-hand in commercial activities.
65 4.2.12 (Continued). Component Key Sources of Data Assumptions, Limitations, Biases, and Availability Se cu rit y Threat IMESAFR internal explosive accidents database. (Frequency can be multiplied by a scaling factor to account for security threats.) Data is stored internally and is derived from IME member surveys, an IME explosive accidents database, and ATF data. Frequency data for military uses are used in the absence of reliable commercial frequency data. Frequency data used for safety modeling is scaled according to threat levels to model security risks. Vulnerability IMESAFR internal probability data. Data is sourced from DOD testing data, which typically focuses on quantities of explosives that are larger than those typically on-hand in commercial activities. Co ns eq ue nc e User input of building locations and personnel. Consequence estimates are given for expected and worst-case scenarios and, by default, are strongly conservative (e.g., 100% fatalities assumed at an intra-plant level, small quantities of explosive are assumed to behave like large quantities). Strengths (including data) Weaknesses Availability Barriers/Desired Improvements The storage of model parameter values within the system reduces the data gathering requirements of users and allows selection of appropriate input values simply by being on-site. Map output aids in user comprehension and communication of model results. In the most recent version of the software uncertainty is calculated and presented separately and conservative model assumptions may be switched on or oï¬. Commercial explosion frequency and eï¬ects are often not characterized well enough to provide reliable data. In the absence of this data, IMESAFR employs data derived from military testing and historical frequencies. Commercially available Desired improvements to model data include: 1) additional data on the frequencies of commercial explosive accidents, 2) additional data on the eï¬ects of the types and quantities of explosives encountered in commercial applications (vs. military), and 3) data on the probability and characteristics of sympathetic detonation of explosive devices in proximity to one another. IMESAFR is currently not applicable to in-motion explosives. 4.2.13 Pipeline Risk Management Manual Risk Assessment Method See also: §3.4.2.5, 3.7.7 Sponsor/Dev. Users/Uses/Decisions Output(s) Applicable Mode(s) Methodology or Approach W. Kent Muhlbauer Pipeline industry members and governmental stakeholders use this approach to identify sections of pipe with relatively elevated risks of leakage in order to minimize potential damages to human health and the environment. Outputs include an overall probability of failure index and its constituent indices for probabilities of third- party damage, corrosion, design issues, and incorrect operations; a leak impact (consequence) factor; and a relative risk score for each section of pipeline being studied. Pipeline The Pipeline Risk Management model produces a relative risk score for individual sections of pipeline. The general risk equation is in the form of: Risk = event likelihood x event consequences. Likelihood is based on the potential for third-party damage, corrosion, design issues, and incorrect operations, while consequences focus on human and environmental impacts. Users assign scores to factors within each of the four likelihood categories and the consequence factor. The scores are summed for all likelihood categories and divided by the consequence factor to produce a relative risk rating. The manual provides further guidance on converting relative risks to absolute values; considering alternative consequence measures (i.e., service interruption), and making modiï¬cations to model elements. Component Key Sources of Data Assumptions, Limitations, Biases, and Availability Sa fe ty AN AN ycneuqerF Probability Probability of a pipeline failure is broken down into probabilities of third-party damage, corrosion, design issues, and incorrect operations. While selected reference values are provided within the manual text and appendices, data for these factors must primarily be collected by the user through pipeline inspections and surveys. The model was developed to take advantage of a wide range of levels of data detail and availability. While much of the data discussed in the manual must be acquired through pipeline surveys and inspections, the model allows for the use of sources such as expert knowledge and estimation in place of exact measured values. (continued on next page)
66 4.2.13 (Continued). 4.2.14 RADTRAN See also: §3.4.1.2 Component Key Sources of Data Assumptions, Limitations, Biases, and Availability Se cu rit y AN AN taerhT AN AN ytilibarenluV Co ns eq ue nc e Consequence values are dependent upon chemical characteristics, spill size, dispersion, and receptors. A variety of critical chemical data is provided within the manual itself and can be supplemented with MSDSs and a variety of publicly available chemical databases. The manual further provides values and methods for estimating spill size and dispersion. Receptor information can be acquired from the U.S. Census Bureau, in the case of population, and from federal data layers on hydrology, park lands, etc., available through the National Atlas. The data required for calculating consequences are largely publicly available or easily estimated given sample values presented within the manual. Strengths (including data) Weaknesses Availability Barriers/Desired Improvements As a scoring/index model, the model provides easily understandable and comparable output relatively quickly. The model is ï¬exible, able to use a wide range of input data and data precision, can be modiï¬ed to consider alternative consequence metrics, and allows for its relative output values to be converted into absolute risk numbers. The model is a standard industry tool, which facilitates communication about the model, data, and results, and increases potential access to model resources through the existence of a user community. As with any scoring model, subjectivity may aï¬ect model results and results do not lend themselves to comparison with other modes of transportation. While the manual provides a great deal of guidance and sample input, the model, particularly the likelihood component, is dependent upon a large amount of user-collected survey or inspection data. Available for public purchase While the model is designed for a wide range of input data precision, the funding required to gather adequate input data is a barrier to the modelâs wider use. Sponsor/Dev. Users/Uses/Decisions Output(s) Applicable Mode(s) Methodology or Approach Department of Energy, Oï¬ce of Environmental Management, Sandia National Laboratories National and International radiological materials transporters, speciï¬cally DOE facilities. Calculates expected radiological consequences of incident-free radioactive materials transportation and associated accident risks. Initially created to calculate consequences for environmental impact assessments. Expected Radiological Consequence Since its inception, RADTRAN has been used in most radiological transportation EA and EIS. RADTRAN also has the capabilities to conduct speciï¬c radiological transportation accident and sabotage scenarios. Highway, water, rail RADTRAN combines user-determined demographic, routing, transportation, packaging, materials, and radionuclide data with meteorological data (partly user- determined) and health physics data to calculate expected radiological risk and consequences of incident-free radioactive materials transportation and associated accident and sabotage events. All the user inputs (14 categories) are fed into an algorithm that contains published dose rate data, and expected radiological exposure to persons is calculated with regards to: ⢠Groundshine ⢠Cloudshine ⢠Inhalation ⢠Resuspension ⢠Overall Component Key Sources of Data Assumptions, Limitations, Biases, and Availability Sa fe ty Frequency Accident rates along a segment of the route, generally obtained from state DOTs. The User Guide oï¬ers guidance on identifying Accident Rate values along routes through state DOT data or through two national data sets that determine a value for each state. The frequency of an accident is not directly used in the RADTRAN model, but the user can take the expected radiological consequences and combine them with accident frequencies to determine risks.
67 4.2.14 (Continued). Se cu rit y AN AN taerhT AN AN ytilibarenluV Co ns eq ue nc e Population data is based on spatial Census data. Shipped material and its dispersion/clean-up data are user inputs. Traï¬c data in the model was originally sourced from the Bureau of Transportation Statistics (BTS) data and has been updated by Sandia National Laboratories. Dose rate data is built into the model. Users are able to input and vary the following model parameters: ⢠Vehicle density along routes ⢠Population density ⢠Persons per vehicle ⢠Fatalities per accident ⢠Farm fraction, or the fraction of roadway that is used for agriculture (eï¬ects ingestion dose) ⢠Data surrounding mid- to long-term stops in transportation ⢠Weather conditions ⢠Release, aerosol, and breathable fractions ⢠Isopleth areas Additionally, users can decide to use average values for parameters involving the exposure levels, such as: ⢠Shielding of buildings ⢠Fraction of people outside ⢠Distance of maximum exposure ⢠Average breathing rates ⢠Distance of vehicle to sidewalk, right-of-way and other vehicles going in either direction Limitations: A recent study has claimed that the RADTRAN Dose Rates are slightly conservative. The amount of user data points requires a substantial knowledge of where to ï¬nd certain data sets, their availability and how current the data is. For certain data points, DOE oï¬ers some guidance on articles to use or databases to search, such as using Bureau of Transportation Statisticsâ data to calculate fatality data. In other cases, such as for the Weather or Radionuclide inputs, TRAGIS oï¬ers the user the option to input their own data or use data already available in the tool. Strengths (including data) Weaknesses Availability Barriers/Desired Improvements Highly customizable by user (over 70 individual data points that can be input or adjusted by the user). Most importantly, users can adjust the parameters surrounding the probability and eï¬ects of an accident. Can be used in conjunction with WebTRAGIS and TRAGIS. Analysis is strongly conservative and is based on maximum- exposed individual. Likewise, the dose rates used have been found to be highly conservative. The model requires substantial user input, which can introduce errors. Public, including to international entities, but must apply for access. Interviewee expressed a desire to have RADTRAN validated, and improved upon, by the security and safety community. Component Key Sources of Data Assumptions, Limitations, Biases, and Availability Probability Probability data, such as probability fractions for various accident severities, packaging details, and data describing the transporting vehicle, must be supplied by the user. The RADTRAN user manual While it is input by the user, the RADTRAN user guide does oï¬er three references from which probability fractions may be obtained. suggests several sources for estimating these values. 4.2.15 Rail Corridor Risk Management System (RCRMS) See also: §3.2.1, 3.4.2.3 Sponsor/Dev. Users/Uses/Decisions Output(s) Applicable Mode(s) Methodology or Approach Railroad Research Foundation / Association of American Railroads RCRMS is maintained by the rail industry to meet the federal requirements of HM-232E: Enhancing Rail Transportation Safety and Security for Hazardous Materials Shipments. It is designed to support routing determinations for high-hazard materials, considering both safety and security. FRA inspectors can review analysis results to verify that the carrier followed the regulation in making their route choices. RCRMS provides a single risk metric that combines safety and security as well as the two individual risk scores. All risk scores are rounded and an attractiveness measure helps users distinguish between routes with similar risk scores. It also provides route-level totals for each of the 27 metrics that the federal regulations require carriers to consider. Rail [only for toxic inhalation hazard (TIH), explosive, and radioactive materials]. Carriers identify all the material origin- destination combinations that require analysis and determine the viable route alternates for each movement. Risks for safety and security are computed at the route segment level and summed for safety; the maximum value (with some adjustments for routes through multiple HTUAs) is taken for security. In addition, the safety risk is comprised of a link (or segment) risk and a switching station risk that are summed together. (continued on next page)
68 4.2.15 (Continued). Component Key Sources of Data Assumptions, Limitations, Biases, and Availability Sa fe ty Frequency Carrier provided: annual volume shipped Rail network-derived attributes: route length; mainline accident rates, which are a function of traï¬c density, method of operation (e.g., signalized or âdark territoryâ), and FRA track class combined with historical FRA accident data; and switching yard accident rates. Yard accident rates where switching occurs are based on a one- mile distance. Accidents rates are proprietary to AAR. Probability CPRs calculated for each of the DOT tank car speciï¬cations by Treichel et al., 2006, are used. The CPR for Isotainers and intermodal portable tanks utilize generic values. Speed is considered in determining the CPR to account for the reduced likelihood that lower speed derailments would result in a breach of the railcar. Speeds are provided by the railroads or deduced from the track classâ maximum allowable speed. Threat Threat estimates consider factors such as availability of hazmat for attack, proximity to iconic targets, venues, or other CIKR, and presence in TSA-speciï¬ed HTUAs. Other sources: daytime and nighttime population from FEMA Unclassiï¬ed CIKR data and deï¬nitions for HTUAs were provided by TSA. FEMA HAZUS data are available to entities that request a copy and have a legitimate need for the data. HAZUZ data that are in HTUAs, other urban areas, or non-urban areas. Vulnerability Characterized with consideration of any speciï¬c detection and deterrence measures in place along a route segment that would reduce the vulnerability. Scoring for this factor is considered SSI. Co ns eq ue nc e Environmental: water bodies (USGS National Hydrography Dataset), parks (Administrative Boundaries of National Park System dataset) Population: daytime and nighttime population from FEMA HAZUS data Carriers may also consider factors that are not directly embedded in the risk equations. Carrier provided: presence of nearby railroad facilities (storage and repair facilities), miles with diï¬erent levels of passenger traï¬c, operating speed, mileage, transit time, and any known deï¬ciencies in crew training and skill level. Items that are reported for each route that are not explicitly listed above: miles of each route in each track class, miles with a grade more than 2.5%, miles of signalized and manual operation, listing of wayside detectors, counts of grade crossings and switch points, route miles greater than 10 miles from police and ï¬re stations (data from HAZUS), past incidents (from FRA data) The larger of the daytime or nighttime population values is used for the consequence measure for each route segment. The exposure zone is taken from the Emergency Response Guidebook and adjusted when water-reactive materials are involved, based on the presence of water bodies in close proximity along the route. Similarly, the environmental exposure also considers those areas that are a short distance from the route. Quantities in a single shipment are not directly used to estimate exposure distances, the large spill protection distances in the ERG are used as the basis for all analyses. Users have diï¬erent perspectives on the value of the unscored factors and may choose to make diï¬erent decisions based on similar information. Strengths (including data) Weaknesses Availability Barriers/Desired Improvements Leverages the FRA national rail network and railroad-speciï¬c data to provide carriers with a routing decision support tool with a government-vetted risk methodology. RCRMS provides relative risk scores for comparing alternate routes. The integration of safety and security risks is useful for Implemented by all Class I railroads and many others â the relative risk scores are not as useful to some short line railroads with only one possible route to analyze. The integration of safety and security scores uses a ï¬xed weighting. Proprietary to the RRF. One railroad cannot see railroad- speciï¬c information from any other railroad. Future work to complete development of an approach to include the attributes listed in the weaknesses section is desired. railroads with a very large number (thousands) of analyses to run. The best available data on rail accident rates, container release probabilities, and network link characteristics are used. The GIS capability allows spatial diï¬erences in the routes that aï¬ect risk to be assessed. There is no methodological approach for including some data that are available. These include the presence of wayside detectors and the frequency and location of track turnouts. Some research has been performed to develop methodologies to include these factors, but the research is not yet complete. Se cu rit y
69 4.2.17 Risk-Based Preventative Radiological/Nuclear Detection Resource Allocation (CREATE Model) See also: §3.4.1.3 4.2.16 Readiness and Resiliency Assessment System See also: §3.4.1.3 Sponsor/Dev. Users/Uses/Decisions Output(s) Applicable Mode(s) Methodology or Approach Oak Ridge National Laboratory Center for Transportation Analysis RRAS is used by the Transportation Security Network Management oï¬ce of the TSA to determine the nationâs transportation systemâs ability to prevent, respond to, recover from, and continue operating through any type of terrorist attack (e.g., chemical, biological, explosive, nuclear, etc.). Additional applications of the framework include assessment of threats, vulnerabilities, and protective measures; security resource allocation; dynamic assessment for event mitigation; and transportation system planning. RRAS outputs are relative values describing readiness and resiliency that categorize a transportation asset or system as âFully Prepared,â âModerately Prepared,â or âUnprepared.â All modes RRAS assesses relative risks to transportation assets or groups of assets/systems. Measures of the scope, duration, magnitude, and severity of threats to these resources are used in conjunction with asset vulnerabilities, mitigation factors, and consequence metrics to calculate relative risks. Risk values are then combined with measures of domain awareness and response capabilities to calculate a readiness and resiliency score. Component Key Sources of Data Assumptions, Limitations, Biases, and Availability Sa fe ty AN AN ycneuqerF AN AN ytilibaborP Se cu rit y Threat Threats and scenarios are user- deï¬ned. TSA utilized input values and data are security-sensitive and unavailable publicly. Vulnerability Transportation infrastructure data can be sourced from ORNL and BTS; security and response resource information can be acquired through FEMA. Most of the TSA-utilized data is security-sensitive and unavailable publicly; however, ORNL and BTS transportation infrastructure data are freely available. Co ns eq ue nc e Population and economic information, which can be acquired from the U.S. Census Bureau Most of the TSA-utilized data is security-sensitive and unavailable publicly; however, U.S. Census data is freely available. Strengths (including data) Weaknesses Availability Barriers/Desired Improvements RRAS is capable of assessing readiness and resiliency of a transportation network on a national scale, but is applicable across all levels and modes of transportation systems. The framework has been designed to employ data that is largely sensitive and not distributable. It is facility or system-speciï¬c, does not address the interdependence of systems and, as such, currently focuses more on readiness than resiliency. RRAS is security-sensitive and not distributable. With the exclusion/substitution of sensitive data, the model could theoretically be made publically available. Further development of resiliency assessment is desired, as the framework is currently more focused on readiness. Sponsor/Dev. Users/Uses/Decisions Output(s) Applicable Mode(s) Methodology or Approach National Center for Risk and Economic Analysis of Terrorism Events Informs emergency management and terrorism oï¬cialsâ decisions about the type and placement of radiological/nuclear detection devices in order to prevent or deter terrorist attacks using these materials. Probability of detection; cost estimates of resource deployment and system success or failure, etc. Primarily highway, but also entry points for air and barge. A target, its related transportation network, and proposed detection system are identiï¬ed and represented as a link and node network. The probability of detection is calculated for each access path to the target, then for the network as a whole. Finally, the impacts and costs associated with system deployment are calculated, enabling comparisons of various detector deployment schemes. (continued on next page)
70 4.2.17 (Continued). 4.2.18 TRACC See also: §3.4.1.3 Component Key Sources of Data Assumptions, Limitations, Biases, and Availability Sa fe ty AN AN ycneuqerF AN AN ytilibaborP Se cu rit y stegrat fo tsil dezitiroirP denifed-resU taerhT is predeï¬ned by governmental users; this information is typically not available to the public. Targets may be analyzed individually, making threat constant within the analysis. Vulnerability Number and route of access paths to target can be sourced from governmental sources, such as the BTS or from private GIS vendors. Number/mode of detectors is user-deï¬ned. Individual detection probabilities for detectors must be measured or sourced from vendors. Highway networks are available from governmental and private GIS vendors. Detection, false detection, and false alarm rates may be diï¬cult to obtain/costly to measure or poorly characterized. Co ns eq ue nc e Data requirements vary depending on user goals. The U.S. Census Bureau and the BTS are key sources for estimating impacts to populations and traï¬c ï¬ow. Census and BTS data are freely available to the public. Strengths (including data) Weaknesses Availability Barriers/Desired Improvements Applicable and transferrable to any highway location; as an economic model, can be used with a focus on minimizing a wide array of consequence (costs of non-detection, cost of traï¬c delays, etc.) Detection, false detection, and false alarm rates may be diï¬cult to obtain or poorly characterized. Is an academic model for government institution (Cal EMA) and has been presented publicly. Barriers to the use of this model are low, with the primary potential impediment being adequately accurate detection probability information. Sponsor/Dev. Users/Uses/Decisions Output(s) Applicable Mode(s) Methodology or Approach Oak Ridge National Laboratory Center for Transportation Analysis / Miss. State University TRACC monitors positions of hazmat barges and compares them to nearby barges and historical trip information to identify potentially high-risk situations. Identiï¬ed events are reported to stakeholders, such as Homeland Security, ï¬rst responders, law enforcement, barge companies, and ï¬eeting managers to aid incident avoidance and response readiness. GIS, web-based reports of anomalous/barge movements are disseminated to governmental agencies, responders, and route managers. Barge TRACC is a web-based tool that gathers GPS reports from barges and determines the bargesâ positions on a river system. The positional information is used in concert with historical route data to predict the path of each barge. The predicted path is compared against historical route data and location information for nearby barges to detect unexpected stops or movements, communication lapses, or buildups of hazardous materials at a given location. Component Key Sources of Data Assumptions, Limitations, Biases, and Availability Sa fe ty AN AN ycneuqerF Probability Pertinent vessel information (e.g., current / historical positions, commodities, etc.) is reported by barge and tow companies and GPS tracking devices. Continuous GPS location reporting is not currently standard; many barge reports are submitted manually at frequencies as low as once per day.
71 4.2.18 (Continued). Component Key Sources of Data Assumptions, Limitations, Biases, and Availability Se cu rit y Threat High population locations and areas of critical infrastructure are identiï¬ed by governmental agencies and system stakeholders and stored in an internal system database. While population information is readily available through the U.S. Census, access to data on government-deï¬ned critical infrastructure is restricted. Vulnerability Pertinent vessel information (e.g., current / historical positions, commodities, etc.) is reported by barge and tow companies and GPS tracking devices. Points of interest and river network information are stored in an internal system database. Continuous GPS location reporting is not currently standard; many barge reports are submitted manually at frequencies as low as once per day. Co ns eq ue nc e High population locations and areas of critical infrastructure are identiï¬ed by governmental agencies and system stakeholders and stored in an internal system database. While population information is readily available through the U.S. Census, access to data on government-deï¬ned critical infrastructure is restricted. Strengths (including data) Weaknesses Availability Barriers/Desired Improvements With the exception of vessel-speciï¬c information, data needed to use the tool are stored within the system database. Output is web-based and delivered in as graphics (map) and text, facilitating quick, informed comprehension and decision making. Application of the tool is limited until continuous GPS location transmission systems are more widely employed by tow and barge operators. Still under development. Application of the tool is limited until continuous GPS location transmission systems are more widely employed by tow and barge operators. 4.2.19 Transportation Routing Analysis Geographic Information System (TRAGIS) See also: §3.4.1.2 Sponsor/Dev. Users/Uses/Decisions Output(s) Applicable Mode(s) Methodology or Approach Department of Energy, Oak Ridge National Laboratory Federal departments and agencies, national laboratories, federal contractors/sub contractors, and state/regional/tribal users. TRAGIS calculates population data across various routes that comply with hazmat transportation regulations. Users can decide to ship via highway, railway, or waterway. DOE uses TRAGIS to identify legally compliant routes and understand the at-risk population along routes. Outputs include spatial population information for risk assessment along potential transportation routes, potential routes that are compliant with transport regulations, a table of tribal lands intersected by the routes and mileage through those lands, and route maps. Truck, rail, water ⢠Users input routing parameters into WebTRAGIS on their PC. Parameters include: o Shipped material data o Route preference (quickest, shortest, or combination) o Blocking oï¬ (not include) of: Railroad companies Nodes Links Road routes through beltways Tunnels Roads with limited size clearances ⢠Information is submitted to TRAGIS server where compliant routes are analyzed ⢠Returns report on available routes with information about: o Estimated Travel Time o Distance o Population along route Component Key Sources of Data Assumptions, Limitations, Biases, and Availability Sa fe ty AN AN ycneuqerF AN AN ytilibaborP AN AN taerhT Se cu rit y AN AN ytilibarenluV (continued on next page)
72 4.2.19 (Continued). 4.2.20 Transportation Sector Security Risk Assessment (TSSRA) See also: §3.7.8 Component Key Sources of Data Assumptions, Limitations, Biases, and Availability Co ns eq ue nc e LandScan USA and Census population datasets Population data is updated every 10 years and is output as: ⢠Table of population density by state ⢠Summary information for input to RADTRAN model ⢠Population count for three buï¬er widths either side of the entire route and by state: o 400 m o 800 m o 2500 m The ORNL-developed LandScan model spreads the population based on: ⢠Census geographic areas ⢠Proximity to roads ⢠Land use date ⢠Slope of land surface Strengths (including data) Weaknesses Availability Barriers/Desired Improvements Users are able to adjust routes to reï¬ect preferences or construction. The model performs population calculations on alternative, compliant routes. It identiï¬es routes between points that comply with transport regulations. Trucking routes can be optimized based on travel time, distance, or a combination of those two. The routes and population data can be input into DOEâs RADTRAN tool, which includes probability inputs. While it analyzes truck, rail, and water transportation options, it does not allow for intermodal linkages between the modes. TRAGIS uses consequence as a proxy for risk; it does not contain information pertaining to frequency or probability of an event during the shipment or at one speciï¬c point along the route. Instead, it only focuses on the exposed population. Access requires screening by Oak Ridge National Laboratory Counterintelligence Not available to commercial or foreign users. Develop stand-alone system for users in the ï¬eld without access to server. Develop intermodal analysis. Sponsor/Dev. Users/Uses/Decisions Output(s) Applicable Mode(s) Methodology or Approach Department of Homeland Security, Transportation Security Administration, Oï¬ce of Security Capabilities Users include TSA, Congress, and other government entities with approval of TSA. TSSRA supports the understanding of overall risk landscape across all transportation modes, decisions regarding resource allocation, and compliance with Congressional mandate. Relative risk scores between scenarios (including scenarios involving hazardous materials) and across modes. Various analyses that highlight the risk landscape by views of concern such as attack, likelihood, and conditional risk. Additionally, TSSRA can report quantitative values for the threat, vulnerability and consequence components of the risk analysis. All transportation modes. Based on analyzing scenarios from speciï¬ed areas of concern by utilizing representative targets as assets. The initial assessment contained roughly 800 scenarios across all modes in TSAâs domain. The most recent assessment has dropped to 200 scenarios due to focus on the top 80% of scenarios and scenarios in which security proï¬les have changed. TSSRA uses the DHS Risk Lexicon that describes risk as a function of threat, vulnerability, and consequence. TSSRA utilizes quantitative and qualitative methods to measure, calculate, and analyze those three components. Uncertainty for key components was captured through triplet analysis (best case, worst case, and best estimate). Also, conï¬dence judgments were captured in the elicitation process. Component Key Sources of Data Assumptions, Limitations, Biases, and Availability Sa fe ty AN AN ycneuqerF AN AN ytilibaborP
73 4.2.20 (Continued). Component Key Sources of Data Assumptions, Limitations, Biases, and Availability Threat Oï¬ce of Intelligence Measured as a relative probability against other attack scenarios. Factors included intent, capability, and historical precedence. Threat is based on capability (conditional likelihood an adversary will have ability to undertake the given attack scenario) and intent (conditional likelihood that an adversary will choose a given attack scenario once committed to an attack). Vulnerability Subject-matter expert elicitations that included public and private stakeholders. Measured as a relative probability against other attacks scenarios. Vulnerability is measured based on the likelihood that an adversary will defeat the countermeasures in place at a particular target. The scenarios were scored on multiple occasions in order to validate the values. Reliance on SME input introduces biases and limitations of human certainty. Co ns eq ue nc e Developed by various contractors who used historical data, modeling, and elicitations to calculate scores for deaths, injuries, prop damage, indirect consequence (psychological and economic). Consequences data is divided into two ï¬elds: ⢠Direct: deaths, injuries and property damage ⢠Indirect: economic and psychological eï¬ects of an attack There was an accepted process to generate each consequence value. Depending on model availability and historical data, a determination was made on how to best assess each factor. Every factor value is distinctly maintained. Hence, the user has the ability to use direct, indirect or total consequence values for their speciï¬ed use. Strengths (including data) Weaknesses Availability Barriers/Desired Improvements Measures relative risk across the full TSA domain using a common framework. The inclusion of external and internal stakeholders increases the credibility and transparency. Vulnerability is measured based on human input, which introduces biases and limitations. The chief threat group analyzed was international extremists. Representative assets were used instead of speciï¬c sites. While sensitivity analysis allows for a better understanding across all sites, it is diï¬cult to map the risk for one speciï¬c site. The overall risk scores are SSI information and are released on a need to know basis. Information derived from the report is submitted to Congress and other approved entities; however, TSSRA data is not released to the public. Threat data can be improved upon by including other terrorist/attack groups such as domestic extremist groups. Also, updates on threat data have been slow and intermittent and more regular updates are desired. Finally, the interviewee expressed a desire to improve the indirect consequence data by formalizing its use and creating a structure for calculating it. Se cu rit y 4.2.21 Trucking and Hazardous Materials Trucking Risk Assessment (THTRA) See also: §3.4.3.2 Sponsor/Dev. Users/Uses/Decisions Output(s) Applicable Mode(s) Methodology or Approach Department of Homeland Security, Transportation Security Administration, Highway Motor Carriers Division TSA is the primary user, with additional use by various stakeholders. Decisions supported include regulatory/legislative compliance; THTRA was conducted to comply with the 9/11 Act with regard to risk assessments for highway transportation. THTRAâs focus included assessment of security risks, the protections already in place, potential security upgrades, industry best practices, and relevant research THTRA also supports situational and risk awareness and allows TSA and stakeholders to understand the risk of various scenarios to the trucking industry. The three elements of DHS Risk (threat, vulnerability and consequence) are scaled for each scenario using a modiï¬ed Kent scale (seven values ranging from very low to critical). Congress was mainly briefed on the vulnerability and consequence for approximately 75-100 scenarios, which included some involving Tier 1 and 2 Highway Security Sensitive Materials (HSSM). Highway Scenario-based with the overall DHS Risk Assessment Methodology forming the guidelines for THTRA. THTRA combines quantitative and qualitative approaches. The threat component comes from TSA intelligence, vulnerability was based on expert elicitation, and consequence was based on accepted practices within DHS (historic and expected cost of life) All components were then multiplied and vetted with DHS/TSA, with some adjustments made to the ï¬nal risk categories. (continued on next page)
74 4.2.21 (Continued). 4.2.22 UIUC Tank Car Risk Analysis See also: §3.7.10 Se cu rit y Threat Internal data from the Oï¬ce of Intelligence Unknown threats and scenarios â asymmetric data Vulnerability Expert elicitation from industry stakeholders. Two components are based on the (1) countermeasures and practices in place and (2) target hardness. Scaled components using a modiï¬ed Kent scale (seven values ranging from impossible to certain) were used to represent the vulnerability category for each scenario. Limitation: subjectivity of the subject matter experts, uncertainties, the industry itself is so large and complex that comprehensive data do not exist. Co ns eq ue nc e DHS-based methodology (historic information with certain expected values) Based on reasonable, worst-case outcome. Consequences included: human ($7m per life), economic (based on the cost of attacked asset replacement and remediation/decontamination where appropriate), and psychological (a ï¬ve-point scale for psychological eï¬ect). There is large variability in the consequences and the eï¬ects from the scenarios. Strengths (including data) Weaknesses Availability Barriers/Desired Improvements THTRA was an independent assessment that veriï¬ed lots of the working assumptions in trucking security. THTRAâs vulnerability analysis was particularly strong due to using expert elicitation, which allowed TSA to identify gaps and recommend potential ways to close those gaps. Acuity of qualitative, scaled risk values (What does medium risk mean?). The lack of transparency into the threat component is another identiï¬ed weakness. The false precision of results. The THTRA results and methodology are considered Sensitive Security Information. A copy was sent to PHMSA, FMCSA, and various stakeholders through the Sector Coordinator Council (SCC) for trucking. Additional assessments for sub-sectors, such as hazmat and food/agricultural trucking, to close security gaps. For instance, HMC is working with USDA and FDA to assess the food/agricultural trucking industry since neither USDA nor FDA has looked at security during transportation. Congressional mandates and funding availability aï¬ect the ability to implement the recommendations. TSA continues to work toward voluntary adoption of measures to close the identiï¬ed gaps. Component Key Sources of Data Assumptions, Limitations, Biases, and Availability Sa fe ty AN AN ycneuqerF AN AN ytilibaborP Sponsor/Dev. Users/Uses/Decisions Output(s) Applicable Mode(s) Methodology or Approach University of Illinois â Urbana Champaign The AAR and its constituent members use the results of this approach to help guide their development of tank car technology standards. AAR standards informed by these model results have been incorporated into U.S. DOT tank car regulations for transporting TIH chemicals. Expected risk, in terms of number of people aï¬ected by releases of a given chemical transported in a speciï¬c tank car type. Alternative consequence metrics can be incorporated to reorient the model toward environmental risk analysis and remediation cost analysis. Primarily rail, also rail- highway intermodal This approach looks at the routes and volumes of individual TIH materials shipped by rail within the United States. The probability of a release of each material is calculated by using historic accident rates and published conditional release probabilities. Exposed populations are calculated using GIS for each material along all routes and within a distance of the track based on emergency response guidelines for that commodity. These data are then compared to analyses of alternative tank cars, whose release probability diï¬ers based on diï¬erences in the carâs tank head, shell, and/or top ï¬ttings.
75 4.2.22 (Continued). Co ns eq ue nc e Population exposure is calculated using population density from ESRI/U.S. Census Bureau, potential aï¬ected area size, derived from the U.S. DOT ERG. Location data is derived from industry waybills. Spatial population data is publicly available through the U.S. Census Bureau; likewise, the ERG is publicly available from the U.S. DOT. Aï¬ected population areas are assumed to be the size of the ERG-prescribed Protective Action Area for a chemical, plus half of the spillâs initial isolation zone. In order to determine the aï¬ected areas, spills were considered equally likely to occur during the day or night and small spills were considered to be releases of 5% or less of the tank carâs contents. Waybill data is restricted to industry stakeholders and is not publicly available. Strengths (including data) Weaknesses Availability Barriers/Desired Improvements The approach is simple, relying primarily on published and publicly available data sources. Data that may be unavailable to public users is primarily descriptive of volumes and exact origins and destination of industry shipments and would not inhibit public users from comparing individual theoretical routes for various tank cars (as opposed to aggregate historical routes). The modelâs consequence element is ï¬exible and allows for the use of alternative consequence metrics, such as environmental damages. Not all model data is publicly available â information on historic quantities and locations of speciï¬c commodities are diï¬cult for the public to obtain and may be restricted to the rail industry. Data on failure/release rates of new tank car technologies will always be inherently sparse in comparison to in-service technologies. The approach has been published and is publicly available. Release rates of new tank cars and their constituent technologies tend to be poorly characterized in comparison to their in-service counterparts. To the extent that this model will be used in comparison of current and proposed tank car technology, the lack of data for new technologies will be an inherent obstacle. One current example of where failure data is needed is for release rates on new top ï¬tting designs. Component Key Sources of Data Assumptions, Limitations, Biases, and Availability Sa fe ty Frequency The tank car derailment rate is the average railcar derailment value published by Anderson and Barkan Derailment of cars in the model is assumed to be that of an average rail car, though rates that consider carrier, track class, etc., could be developed and used. Probability Conditional release probabilities of tank cars given derailments are calculated based on published statistical models (e.g., Treichel, et al., 2006) and FRA-reported accident data. Mileage of transport for given commodities is based upon U.S. Surface Transportation Board data. Tank car capacity data is estimated using IlliTank and expert review. FRA-reported accident data is available to the general public. Surface Transportation Board mileage data is security-sensitive and is restricted. Se cu rit y AN AN taerhT AN AN ytilibarenluV
