THE AWWA J100 - WHAT IT IS,WHY IT IS BEING UPDATED,
AND
WHY IT MATTERS TO YOU?
John W. McLaughlin, P.E.*
Merrick & Company
1001 Morehead Square Drive, Suite 530
Charlotte, NC 28203
Abstract
What is the American Water Works Association (AWWA) J100? The AWWA J100, otherwise known as the Risk and Resilience Management for Water and Wastewater Systems standard, is the only standard for risk and resilience in the water sector. As such, it represents the most current and relevant thinking when it comes to risk management and therefore preparedness and sustainability within a utility.
The J100 standard was first adopted and approved as an American National Standards Institute (ANSI) standard in May 2010. That original standard is currently undergoing its first update. The draft is under review and revision by a standards update committee, for which this author serves as Vice-Chair.
The original J100 standard allowed for risk and resilience management for a variety of intentional acts and natural disasters. It allowed utilities to determine their level of risk from these various events in actual dollar terms. Utilities were then able to develop true cost-benefit analyses and make an actual business case for improvements to reduce risk and increase resilience.
Why is the J10 being updated? The current J100 update will likely add a number of other natural, intentional and other risks to the range of risks a utility can consider when doing the risk assessment. It should also include more explanations on how to develop threat likelihood for many of the natural disasters to be considered.
So why does this matter to you? Why should you consider undertaking a J100 based assessment of your utility? Because the J100 is the industry standard and thus implies a standard of care that you should be following. Because it allows you to develop actual dollar values of risk and thus dollar values of risk reduction. Because it is the only risk and resilience standard developed and in place for the water sector. Because it can give you liability protection in the event of a terrorist attack, and finally because until you go through this process, you may never truly know what your greatest risks are.
KEYWORDS
Risk, Resilience, Assets, Asset Management, Threat Likelihood, Consequence, Probability of Occurrence, Intentional Act, Earthquake, Hurricane, Wild Fire, Ice Storm, Tornado, Drought, Climate Change, Vandal, Sabotage, Terrorist, Terrorism, Vulnerability.
INTRODUCTION
Anyone who was alive at that time remembers the events of September 11, 2001. Those of us in the water industry also remember how much it impacted and changed how we think about water facilities. It was only about eight months after 9/11 that the Federal Government required virtually all water systems to develop a Vulnerability Assessment (VA) and Emergency Response Plan (ERP) focused on the results of that VA.
The idea of doing some level of security related assessment of water systems was a good one. It helped change the landscape and start utilities thinking about their vulnerabilities in a different way. The weakness of the VA/ERP process was; 1) The Federal requirement was written specifically around terrorism as a threat and not the multitude of other threats or risks faced by water utilities, and 2) The methodologies in place at that time were not true risk assessment/risk management methodologies.
Owing partly to the impacts of multiple large natural disasters impacting water systems, over the next nine years, the world of water system security evolved into an All Hazards way of thinking. All Hazards means just that, not just looking at the risk associated with one threat but understanding that your greatest risk might come from a threat that you previously had not considered. It is important to note here that when using the terms water systems or water sector, this includes both water and wastewater systems.
In addition, prompted by a focus on trying to find a common framework to assess risks at a variety of critical infrastructure, the methodologies themselves started to change and the Risk Analysis and Management for Critical Asset Protection (RAMCAP) was born. RAMCAP was started through efforts by the American Society of Mechanical Engineers, Innovative Technologies Institute, LLC (ASME-ITI) at the request of the White House. This started the shift from vulnerability assessments to risk assessments and risk management. This would also allow direct comparison of risks across different critical infrastructure sectors.
A team of risk analysis experts came together as a result and formally developed the RAMCAP seven step methodology, involving assessment of the likelihood of specific attacks, the vulnerability of assets to those attacks and the consequences of the attack. From this, specific benefits and costs can be determined and compared and risk reduction measures prioritized.
General guidance was widely circulated in 2004, still with a focus specifically on terrorist acts. By 2006, the first version to start looking beyond terrorism, to include natural disasters or threats was produced. This began the move towards the All Hazards framework that is the accepted concept today.
“In 2009, All-Hazards Risk and Resilience: Prioritizing Critical Infrastructure Using the RAMCAP Plus Approach was published, updating RAMCAP Framework 2.0 and providing the basis for a generic, all-sector standard by ASME Codes and Standards. The 2009 publication and the all-sector standard, when available, are the point of comparison for judging consistency with the RAMCAP methodology.”
There are two primary, existing tools that were to be adapted to be consistent with RAMCAP. They are the Risk Assessment Methodology—Water (RAM-W™) and Vulnerability Self-Assessment Tool™ (VSAT™). An additional software tool was subsequently developed by AEM Corporation called the Program to Assist Risk & Resilience Examination (PARRE). This is an application designed to assist assessment teams in conducting a probability-based risk and resilience assessment of critical assets.
Per the standard, the J100 standard was developed to meet three major objectives in the water sector: (1) to define a common framework that can be used by the water sector to assess human-caused and natural hazards risk to their systems; (2) to develop risk-based vulnerability analyses and value-based prioritized actions to reduce risk and enhance resilience; and (3) to provide an efficient and consistent mechanism that can be applied to both private and governmental (federal, state, and local) sectors to report essential risk and benefit information to operators of the utilities, local and state governments, DHS, USEPA, and others with a need to know.
Because this standard is still actively being updated, the amount of discussion concerning the coming changes is limited and must come with a disclaimer acknowledging that any and all potential updates referenced in this paper are only under general consideration by the update committee and nothing is final until the document is approved by both AWWA and ANSI.
THE CURRENT J100 METHODOLOGY
The current standard is titled “Risk Analysis and Management for Critical Asset Protection (RAMCAP®) Standard for Risk and Resilience Management for Water and Wastewater Systems, Using the ASME ITI RAMCAP® Plus Methodology”. It is otherwise known as the J100 standard and was approved by the ASME-ITI Management Committee January 15, 2010, by the AWWA Board of Directors January 17, 2010 and by the American National Standards Institute (ANSI) May 4, 2010.
It is important to remember that this existing standard is currently in the midst of a significant update process and as such, what is documented in this section could change. Further in this paper, some of the potential changes will be listed and discussed but as with any standards update process, nothing is final until all the relevant approvals are obtained.
The standard is a methodology to analyze risk and resilience in the water sector (the only one of its kind) through a seven step process displayed in Figure 1. The seven steps are:
1)Asset Characterization
2)Threat Characterization
3)Consequence Analysis
4)Vulnerability Analysis
5)Threat Analysis
6)Risk/Resilience Analysis
7)Risk/Resilience Management
Asset Characterization
The Asset Characterization step determines which assets are critical enough to take through the rest of the steps of a J100. This can be done through a two-phased process involving an initial screening step to determine which assets to take through the more detailed subsequent steps. This screening addresses the fact that the initial set of assets for a utility can be substantial and thus the effort to take all of them through the entire seven step process can be unwieldy and unnecessary.
At a minimum, in this step, the following needs to be accomplished:
1)Define the mission and critical functions of the organization.
2)Identify the mission or critical functions of the utility to determine which assets perform or support the mission or critical functions.
3)Identify a list of potentially critical assets.
4)Identify the critical internal and external supporting infrastructures.
5)Identify and document existing protective countermeasures and mitigation measures/features. These are features that protect or mitigate the risks to critical assets, infrastructure or facilities.
6)Estimate the worst reasonable consequences resulting from the destruction or loss of each asset, without regard to the threat.
7)Prioritize the critical assets using the estimated consequences from the prior piece of this step.
Threat Characterization
The J100 standard allows consideration of a wide range threats/hazards, including man-made/intentional, natural and dependency. The standard includes a set of reference threats (see Table 1) to consider but the threats included in this Table are not meant to be comprehensive nor is the user required to include each reference threat in the full analysis. In order to comply with the standard, all the threats must be considered. That does not mean they all need to be incorporated into the complete analysis, just that they be considered and if not incorporated, that the logic behind not using them be documented. It is important to document the reasons why a particular reference threat would be excluded as well as why an additional threat might be included.
Along with the Asset Characterization, this step allows the identification of the Threat-Asset Pairs. The standard says that the user shall identify which threats apply to which assets and thus identify the set of specific threat-asset pairs which are to be carried through the analysis. The pairs may be ranked according to the judged magnitude of the resulting consequences. This allows the user to select the critical Threat–Asset Pairs to be included in the rest of the analysis process. These threat–asset pairs are the objects of analysis throughout the rest of the process.
Consequence Analysis
With identification of the Threat-Asset Pairs, it is now time to estimate the Consequences that might be caused by the specific threat acting on the corresponding asset. The term “worst reasonable case” is used.
The consequence analysis estimates the results of threat scenarios using common quantitative metrics that shall include:
- Number of fatalities,
- Number of serious injuries,
- Financial loss to the owners of the facility. The outage duration used as part of the financial loss calculation will be displayed.
- Economic losses to the community in which it operates.
These metrics shall be estimated as single-point estimates or ranges. They may also be expanded to include additional detail as needed. The consequence analysis may be based upon either detailed calculations or may be estimated by qualified experts.
The “worst reasonable case” assumptions include normal factors and variables can occur simultaneously but does not assume that a;; uncontrollable variables of unpredictable events happen simultaneously. As with every step of the analysis, it is critical to document all assumptions and
Vulnerability Analysis
This vulnerability analysis step analyzes the ability of each critical asset and its protective systems to withstand each specified threat. The analysis is applied to man-made, natural, dependency and proximity threats or hazards.
The analysis is conducted using a four step process, as follows:
Review and documentexisting pertinent details of the facility construction, systems, and layout, including countermeasures, mitigation measures, features that provide deterrence, detection systems, and delay features, and response measures. Include information on interdependencies, personnel interactions, and process flows within the facility. Through this, identify vulnerabilities or weaknesses in these systems.
Analyze the vulnerability of each critical asset or system to estimate the likelihood that, given the occurrence of a threat, the consequences estimated earlier will result. This analysis can be accomplished using a fault- or event-tree analysis, path analysis, vulnerability logic diagrams, computer simulation methods, or expert judgment rules-of-thumb, as long as it can be used consistently across all relevant assets.
Document the method used for performing the vulnerability analysis, the worst-reasonable-case assumptions, and the results of the vulnerability analysis.
Record the vulnerability estimates as point estimates. The likelihood of attack success may be expressed as a fraction, a probability, a percentage, or the number of successes among attempts.
Threat Analysis
With the threats to the utility’s assets already identified and characterized, the next step is to estimate the likelihood of each threat occurring, i.e., a malevolent event, dependency/proximity hazard, or natural hazard.
For malevolent threats, likelihood is based on the adversary’s objectives and capabilities and the attractiveness of the region, facility, and threat–asset pair relative to alternative targets. There are three basic approaches to estimate likelihood:
The Proxy measure may be based on several factors, such as the attractiveness of utility, size of metropolitan area, amount of governmental facilities in the area, or other attributes and produces a likelihood value between 0.0 and 1.0.
The Best Estimate likelihood method is determined based on informed experience of the organization, input from federal, state, and local law enforcement, and others. The likelihood will be either an ordinal measure, such as low, medium, high, very high, or it can be a probability with a value between 0.0 and 1.0.
The current version of the standard also includes use of the Conditional Assignment, which has the threat probability set at 1.0. This is only useful for examining the worst-case potential for a variety of malevolent threats. Some may recall that the Sandia RAM-W™ methodology used strictly the Conditional method for threat likelihood.
Only the proxy indicator may be used when the results are to be compared with other RAMCAP analyses.
For Natural Hazards, the probability is estimated by drawing on the historical record for the specific location of the asset. Federal agencies collect and publish records for hurricanes, earthquakes, tornadoes, wildfires, and floods, which can be used as frequencies for various levels of severity of natural hazards.
Estimates of the likelihood for Dependency and Proximity Hazards are also based on local historical records for the frequency, severity, and duration of service denials. Likelihood of incurring collateral damage from an attack on a nearby asset is estimated based on the local situation and using the same logic in estimating malevolent threats.
As with each other step of the process, it is important to record the method used for making the estimates and the estimates themselves, as either single-valued point estimates or ranges.
Risk/Resilience Analysis
The analysis step combines the results from the previous five steps into estimates of the owner’s level of existing risk and resilience.
Risk is calculated for each threat–asset pair as the product of the results from the Consequence Analysis, Vulnerability Analysis, and Threat Analysis, using the following equation:
Risk = Consequences × Vulnerability × Threat Likelihood = C × V × T
Where:
Consequences areexpressed for each threat–asset pair in terms of the number of fatalities, number of serious injuries, financial losses to the owner, and economic losses to the metropolitan region in which the facility operates.
Vulnerability isthe likelihood, given that the threat occurs, that the threat to a particular asset results in the consequences already estimated.
Threat likelihood isthe probability of a specific threat occurring to the asset in question. The unit of measurement is the probability or frequency of occurrence over a given time period, generally understood to be one year.
With the existing standard, the use of “bins” or ranges is still included so where ranges are used, the midpoints of the ranges are used in the calculation.
The utility may estimate risk for the respective consequences (fatalities, injuries, financial loss to the owner) individually or may assume a “value of a statistical life and/or injury” in order to combine fatalities and injuries with the financial loss into a single term for use in net benefit or benefit–cost analysis.