ASSETS OF MODEL METRO STATION AND THEIR CRITICALITY

The paper deals with the identification of protected assets in the model metro station, which is a part of critical infrastructure in Praha; and with the identification of their criticality. A metro station is used by a lot of people and it involves many expensive components and devices with interdependences which form a system of systems. The system, its components and fittings are very vulnerable to damages from disasters of many kinds. The first step of ensuring metro station safety is the identification of basic metro assets which are important for safe metro operation and for human (employee and passengers) security and environment safety; and the other is determination of criticalities of considered assets with taking into account all relevant sources of hazards. These facts are input data for further processes which are important for safe metro operation under the different conditions.


Introduction
A metro is very important means of transportation in cities.Therefore, to its safety it is pursued special attention, and it is part of critical infrastructure, to which it is now concentrated special attention because especially at critical situation its status predetermines the capability of human society to ensure human survival [1].Metro is composed from fix and movable parts; the fix ones are structure element, stations and tunnels with many fittings; the movable ones are trains [2].The paper takes into account the metro stations.
Each metro station is equipped by many technical devices and fittings that ensure metro operation and comfort space for passengers.From safety reasons it also involves support elements for safety operation of station; they are for instance construction design, operation devices and systems, control systems, protection systems, electronic devices like lifts, escalators, air conditioning, trains and systems for train control, communication systems, staff etc. Mentioned elements including the humans and personnel staff of station are in interaction each other and they create complex system prone to harm [2].Moreover, the system is mostly part of whole transportation infrastructureconnections with track and next stations, material, energetic and informatics flows, and number of served persons.
It is reality that devices and fittings that are very vulnerable to damages from disasters of many kinds [3].From the protection reasons in the practice it is necessary to identify the protected assets and to establish their criticalities taking into account all relevant disasters, i.e. the sources of hazards, and to consider possible risks.This procedure is a common part of formation of safety management systems in all systems, i.e. also in railway domain.The first step is the identification of basic metro assets that are important for safe metro operation and for human (employee and passengers) security; and the other is the determination of criticalities of these assets.

Critical Assets and Critical
Infrastructure Protection For ensuring the humans security and development, there is necessary the safe human system [3].Basic assets of human system called basic public assets are: human lives and health, property and welfare, environment, and also critical infrastructures and technologies.It means that the critical infrastructure is one of important asset of human system.Therefore, its protection is specially ensured in the EU, USA, Germany, Canada etc. [1].In the Czech Republic critical infrastructure it includes nine infrastructures [1] [4], i.e. infrastructure for: • energy (electricity; gas; heat energy; oil and petroleum products) supplies, • handling with water (drinking and industrial water; secure and manage the surface water and underground water resources; waste water system), • food supplies and agriculture operation (food production; care for food; agricultural production), • health care (pre-hospital emergency care; hospital care; the protection of public health; the production, storage and distribution of pharmaceuticals and medical devices), • transportation system (road; rail; air; water), • cyber-communication and information systems (fixed telecommunication network services; services of mobile telecommunication networks, radio communication and navigation; television and satellite communications radio; postal and courier services; internet and data services), • the banking and financial sector (management of public finance; banking; insurance; the capital market), • emergency services (Fire Rescue Brigade CR; units of fire protection for area coverage; Police of Czech Republic; Army of Czech Republic; radiation monitoring; forecasting, warning and mouthpiece for the service etc.), • public administration (State administration and self-administration; social protection and employment; the State social support and social assistance; performance of judiciary and prison system).
The transportation infrastructure includes road, rail, air and water infrastructure.Each of mentioned infrastructures is composed from elements and line structures.The protection of transportation infrastructure in the Czech Republic is only concentrated to the elements according to the crisis act (act No. 240/2000 Col.).It means that metro station is key asset, and therefore, we deal with its safety.
Transportation system provides the transportation of persons and goods.It includes all modes of transport, which, under the coordination of the various transport systems work together and creates a logistical network.The transportation network, together with energy network can be considered as the foundation of economic prosperity of the State.The transportation network consists of separate parts that make up self-reliant closed units.Each unit is a unit, the basis of which is the type of transport, accompanied by complex operational and administrative parts, which forms subsystems.The characteristic feature of technological units is their specialized ability to separate traffic operation.It is necessary to recognize that the individual parts are bound by the rules of their transport logistics, which coordinates the activities.In the Czech Republic the transport network consists of: rail transport system; the road transport system; the air transport system; and water transport system.
Transport system and its subsystems are vulnerable to natural disasters, the traffic accidents, technological accidents of facilities and buildings being in their vicinity, crimes, terroristic attacks, organizing accidents, war etc. [1] [3] [4]. Figure 1 shows the processes that are sources of disasters [3].
To ensure safety of each entity, i.e. each infrastructure and their components it is necessary to manage the safety by the way as is expressed by process model in Figure 2 [1] [5].
The safety needs to be formed on all levels of governance [3] [4] [5], as it is depicted in Figure 3.
The ways of coping with risks are shown in Each real system is composed from various heterogeneous subsystems, links and flows among them, so-called inter and intra-dependences.Subsystems    is possible categorized as controlled and control systems in the view of control.For improving system parameters (dependability, security, safety, etc.) the support systems are implemented, for instance a protection system reducing the risks.A subsystem can be classified as safety related, the safety related system carries out very important functions which failures or malfunctions could lead to improving the risks and event to accidents [6].From the protection reasons on the concept of integral safety of complex technological facilities in the practice it is necessary to identify the protected assets and to establish their criticalities taking into account all relevant sources of hazards.

Data on Metro in Praha and Metro Station Model
Stations of metro in the Praha capital are not the same; they have differences due to their locations in different site conditions and demands in the time of their building.All are threatened by disasters that threaten the Praha capital, i.e. its buildings, structures and facilities, and locally also by specific phenomena that are associated with local conditions, which are connected with local vulnerabilities.Therefore, for research needs we developed a model station that has characteristics that are common to all the stations of reference system taking into account the Praha land-use plan [7] and the Praha metro documentation ), the engineering parts and cyber technique were harmonised with demand of Building Law so they might obtain permission for operation.The metro operation control is performed according to the standards [11] [12] and it satisfies requirements given in standards [13] [14] [15].
The model metro station contains all elements, links and flows that are same in all metro stations because they are determined by the requirements of mentioned Building Law; i.e. we follow general features and do not study the details in structure, devices, fittings of both, the technical and the cyber domains.The detail studies of individual stations reveal real vulnerabilities that cannot be open to the public from the safety reasons.Such detail studies have been performed for the metro operator, and they are used for metro safety upgrade.The sources of phenomena that can damage the metro system will be discussed in the next chapter in which we use the advanced principle based on All-Hazard-Approach [16].
Considering the principle Defence-In-Depth described for complex technological facilities in [17] we shall mostly concentrates to the management units that keep the sufficient level of safety at normal, abnormal and critical conditions.Safety management system of metro (SMS) has central control system and controlled systems in each metro model station,  Metro station has subsystems stationary, track and on-board.On the basis of results in [6] obtained by application of principles given in [17] we select the main metro station assets in individual main parts.
Technological parts and some support subsystems of controlled system include assets: (1.) Energetic devices: transformer substations and distribution transformers, (2.) Communication equipment: communication cables, VHF connection with trains; passengers information systems including automatic check-in; communication systems for passengers and staff; CCTV, telephone, public address; clocks and fire alarms; protection systems and signalling, (3.) Machinery: escalators; pump stations in nodes in stations and between them; elevators; workshops and warehouses maintenance stations, (4.)Air conditioning, (5.) Mobile machines and devices: rolling-stock; devices and substances for cleaning, including the containers, cleaning machines, ladders, scaffolding for cleaning the lighting systems; fire protection equipment, (6.) Next important equipment: security keys and alarm buttons; equipment for fire alarm start; traction devices and lighting; track devices, the main water shut; moving stairs, plates, signal panel for machinery devices; closing equipment (shutters).
Praha metro control centre has denotation Operation Control Centre -OCC.It has Supervisory Control and Data Acquisition (SCADA) system that monitors technological facilities and processes and enables their control.Its variant used in the Czech Republic has denotation ASDŘ-D (automatic dispatcher system for transport control).The SCADA has several parts that are responsible, for: transport (UGTMS -Urban Guided Transport Management and Command / Control System); energetic tasks; technologies; communication and lighting.
The control system involves following assets: • train dispatcher (surveillance and control of trains); and OCC nodes, station nodes, nodes for automatic route setting system -ASDŘ-D, • energetic dispatcher -ASDŘ-E, • technological dispatcher -ASDŘ-T, • lighting system dispatcher -ADRŘ-O, • communiation and protection systems dispatching, • fire dispatching, • depot dispatching for train services and maintenance.
For a model metro station, the control system involves station that are also assets: • station nodes of control system, • station node for automatic route setting, • station nodes for connection of energetic and technological dispatching, • station nodes for central lighting control system, • station interacting with dispatchers (communication, protection, operation, fire men).
In the railway practice context a protection system is primary understand as system needed to mitigation of risks connected with train operation.It is also asset.They are: • station protection systems (ESA 11 M), • wayside protection systems (AŽD 71, ESA 11 M), • train protection systems (MATRA and on-board units).
The metro stations also ready on flows that are also assets, it goes on: • energetic flow, • information flow, • central dispatching and station nodes of control system, • central dispatching and station communication units, • station nodes of control system and protection systems, • station nodes of control system and communication system, • protection systems and technologies (on the track and on-board)-telephone connection between central dispatching (OCC) and station, • telephone connection between central dispatching and trains.
Controlled, control and support (protection) systems are not just electronical and mechanical devices, they can be also organization processes, other communication and information parts of the system, human resources and place which shall be taken into account in the assets identification context.
In the Czech practice the European directives and standards are respected for safety management of railway systems; there are taken in account: Common Safety Methods [18] [19], EN 50126-1 [13], CLC/TR 50126-2 [20], EN 62290 [14] [15], EN 92267 [21].Railway domain is regulated by European Directive 2004/49/EC [18] that establishes duties for national authorities.The mentioned directive refers also to railway interoperability and safety.According to the directive Regulation 402/2013 on The Common Safety Methods for risk assessment [19], there take into account only risks connected with human harm.Reason is an effort to ensuring the safety of passengers, employees, level-crossing users, unauthorised persons on the track and to ensuring the total safety on the basis of the above categories.
Weakness of mentioned directive is that it does not consider other assets which affect to people lives and healthy, it means public assets, important technological parts, facilities, any processes and infrastructure functions.The directives are insufficient for critical infrastructure needs and it does not provide assets protection.Moreover, mentioned directives are not apply to special railway systems like metro.
Railway standard EN 50126 [13] defines the specification and demonstration of Reliability, Availability, Maintainability and Security (RAMS) for a railway system including the metro.The standard defines whole life cycle including the concept and design of the system, through operation, maintenance, reconstruction, and up to decommissioning of the system.Risk management is included there, but it considers only risks affect to human, it means risk R = Rate (of accidents) x Degree of Severity (of Harm); according to CLC/TR 50126-2:2007 [20] in this context harm may imply: human harm (causing injures, fatalities); and also environmental harm (damage to property, spread toxic substances, other impacts, etc.).Most railway safety studies tend to concentrate on human harm.(CLC/TR 50126-2:2007).Security requirements to integral safety improving are not still covered.Standard EN 62290 [14] [15] defines requirement for Urban Guided Transportation Management and Control / Command System which is split into 5 degrees of automation.Each degree of automation (GOA) has specific demands and set of functional requirements.Although a standardisation commission has been established, no standard with safety requirements has been prepared [21].
Better approach is included in EN 62267 [21] for fully Automated Guided Transport (AUGT).The standard refer to EN 50126 [13] about risk management but it imposes demand on assets protection.Identified protected assets by the standard are: persons (passengers, staff, external emergency services, public); and property, shall be defined by railway authority and operator (infrastructure of whole system, trains, equipment, etc.) [22].
The European standard is intended to very short group of railway system and it does not establish methods for determining the protected assets.
The characteristic pattern of model metro

Disasters considered in Research
Since in the Czech Republic there is held long-term use of building codes and high quality engineering practice there are metro stations relatively well protected against design disasters of natural and technological origin that belong to the term All-Hazard-Approach [16], which ensures fixed safety level in these cases.The problems are connected with further disasters that belong to the term All-Hazard-Approach [16] but they were been introduced into practice later.It involves the following types of disasters: • so called organisational accidents [3] [4] [5] [17] because these disaster sources have been considered since the end of 80s of last century, • having the origin in cyber domain or in interdependences of different nature in system [3] [4] [5] [17] because these disaster sources have been considered since the end 90s of last century, • damaging phenomena caused by intentional human activities as crime or terroristic attack [3] [4] [5] [17] because these disaster sources come to size after 2000.
From above reasons last designated disasters were not considered in original designing the metro stations, and therefore, we will pay special attention to them.Data for the research we obtained from the sources on the Praha metro [2] [8] [10].All above mentioned metro station assets are threatened by disasters.For Praha capital and its facilities according to [5] [7] the following disasters are relevant: (1.)The results of the processes inside and outside the earth: flood; tornado; earthquake; liquefaction of the ground; landslide, (2.)The results of the human body, human behaviour and processes in human society: epidemics; pandemics; failure of the stability of human society (welfare disruption, criminality); assault; terrorist attack; attack using the chemical, nuclear, radiological and biological (CBRNE) weapons; armed conflict; war, (3.) Results of the processes and activities installed by people: industrial accident; accident during the transport or storage of hazardous substances; accident at transportation; failure of critical infrastructure; failure in economy; failure in cyber infrastructure; failure of supply chains; loss of serviceability, (4.) Interaction of Earth and environment to activities of people: disruption of bedrock stability due to vibration; air pollution; water pollution; rapid climate changes; migration of large groups of people, (5.) Internal dependences in the human system (natural or man-made): organizational accident; failure of flows of raw materials and products; disturbance in the flow of energy; failure in the information flow.

Method of Determination of Model Netro Assets Criticality
To ensure the safety of model metro station it is necessary to know the criticality of whole metro system and its components, i.e. in followed case it is the model metro station [17].As it was said above, each metro station is threatened by disasters, i.e. its safety depends on the quality of the work with the risks [5] [17].Safety and risk are together in some way in relation, but they are not complementary variables (complementary value to the safety is the criticality [17]).The criticality is a result of the exposure to risk factors.There are analysed the different types of factors: factors of human activity, decision-making and management, factors in the non-distinguishability of reality (because there are random and knowledge uncertainties).
According to [17] the criticality of technological system indicates a threshold value that means it the values are below this threshold, so the status is demanded (subcritical) and vice versa.The assessment of criticality of real system is not a trivial matter, because the elements and whole have different roles for different conditions of active, reactive, amplifying or dampening (but not additive), and among the sub systems of systems of system, which is a real entity, and each model metro station.Therefore, in accordance with [17] for its determination we use the method of risk engineering the Checklist [23], which for complex technological systems is given in Table 1.
Because each system of systems (in our case metro station) is a very complex system, the behaviour of which cannot be easily predicted, so the assessments from the perspective of the different sectors are often different, and therefore, it is necessary to choose the method that conflicts does not override, but it is trying to reasonably consider them [23].Therefore, it was used the method, based on the expert opinion of five experts who knew enough the metro and its operation, have been independent and were from the areas: • safety and protection of human health at work, • protection of property, • economy of operation, • protection of passengers, • technical and functional safety of operation.
The evaluation was carried out separately for each significant disaster using the value scale listed in Table 2.

i Question
Asst Note 1 1.Has the technological facility to incorporate the principles of inherent safety?2. Has the control system of a technological facility (SMS) set the basic control functions, alarms and the response of the operator set up so that the technological facility in normal (steady) state? 3. Has management system (SMS) instrumentation (built-in safety instructions) and relevant physical barriers, which at derogate from the normal state to keep technological system in a good condition, i.e. they prevent the occurrence of unwanted phenomenon?The operation is successful, when, after the occurrence of the abnormal state the technological facility will return to normal as a result of resilience or after the application of corrective measures (clean-up, repair, replacement of parts).4. Has management system (SMS) for the case of loss of control, i.e. critical conditions measures for emergency response that mitigate impacts on technological facility system and ensure the capability to return to a normal state?Operation of a technological object is successful, if it is a good continuity plan, which ensures that the technological facility shall ensure all the necessary tasks. 5. Does management system (SMS) for the case of loss of control, i.e. supercritical (beyond design, extreme) conditions the measures for: maintaining the operability of the technological system following its repair and maintenance; item and measures to ensure the protection of public assets (people, the environment and other assets) in the surroundings of technological facility? .Has the technological facility to incorporate the principles of inherent safety?2. Has the control system of a technological facility (SMS) set the basic control functions, alarms and the response of the operator set up so that the technological facility in normal (steady) state? 3. Has management system (SMS) instrumentation (built-in safety instructions) and relevant physical barriers, which at derogate from the normal state to keep technological system in a good condition, i.e. they prevent the occurrence of unwanted phenomenon?The operation is successful, when, after the occurrence of the abnormal state the technological facility will return to normal as a result of resilience or after the application of corrective measures (clean-up, repair, replacement of parts).4. Has management system (SMS) for the case of loss of control, i.e. critical conditions measures for emergency response that mitigate impacts on technological facility system and ensure the capability to return to a normal state?Operation of a technological object is successful, if it is a good continuity plan, which ensures that the technological facility shall ensure all the necessary tasks. 5. Does management system (SMS) for the case of loss of control, i.e. supercritical (beyond design, extreme) conditions the measures for: item maintaining the operability of the technological system following its repair and maintenance; item and measures to ensure the protection of public assets (people, the environment and other assets) in the surroundings of technological facility?The resulting rates of criticality for each item and disaster are set as median [23] from particulars determined by individual experts.

Criticality of Assets in Model Metro Station
On the basis of the procedure described in the previous chapter it was obtained a set of values that are listed in Table 3.The numbers in Table 3 indicate the following rates of criticality: • 0 -given disaster does not have a direct impact on the metro station and its operation, • 1 -given disaster has low impact on the metro station and its operation, • 2 -given disaster has middle impact on the metro station and its operation, • 3 -given disaster has high impact on the metro station and its operation.
From Table 3, it follows that the rate of criticality is high in many cases.While it is moderate, i.e. it is not very high or extreme, it is necessary in the frame of public interest to supplement the measures in all cases where the criticality rate is high.On the basis of the data referred to such cases according to [17] [24] it is necessary to perform in all cases where the criticality rate is 3 the following: • the analysis of the ability/competence of operator of metro to handle with emergency situations in the station and in the infrastructure, • the inventory of available resources for quick and proper response to the emergency situation in a metro station in the subway, • the assessment of current vulnerability of items of metro stations and the entire metro subway, • the specification of the coordination of activities to support the continuity of subway stations and underground infrastructure, • the division of responsibilities for actions to promote the continuity of the subway stations and underground infrastructure, • the setting up the organisational instructions and features to support the renovation of subway stations and underground infrastructure, • the establishment of criteria for the selection of main features of elements of subway stations and underground infrastructure, • the determination of support processes that support the main features of subway infrastructure, • identification of key personnel, to ensure the continuity of the subway stations and underground infrastructure, • prioritizing the main functions on the basis of the criticality of time, sequence of key recovery processes and personnel capacity.

Conclusion
From the protection reasons on the concept of integral safety of complex technological facilities in the practice it is necessary to identify the protected assets and to establish their criticalities taking into account all sources of hazards.The results of performed research show that metro stations have a certain level of safety (according to [17] it holds that level (rate) of safety = 1 -criticality rate).However, it is necessary to carry out the measures referred to in the previous chapter, because there are items for which in the occurrence of large (i.e.beyond design extreme) disasters there are get to significant impacts of disasters, which have the ability to disrupt seriously the metro station and the entire infrastructure.It means that present standards and legislative do not provide sufficient range for integral safety, including the safety of important assets and systems that predispose sufficient human security and human society development.

Figure 1 .
Figure 1.Sources of disasters in the Human system [3].

Figure 5 .
Figure 5.It is very complex distributed system that involves controlled, control and protection subsystems, their interdependences, operation states and conditions.

Figure 5 .
Figure 5.Control and controlled system in metro model station [6].

Table 1 .
Identification of deficiencies for specific disasters in a given territory, i = 1, 2, ..., n, i.e. assessment of the criticality of the viewpoint of the application of access the Defence-In-Depth.