Safety Science 80 (2015) 127–134

Contents lists available at ScienceDirect

Safety Science
journal homepage: www.elsevier.com/locate/ssci

A research on subway physical vulnerability based on network theory

and FMECA
Yongliang Deng 1, Qiming Li ⇑, Ying Lu 2
Department of Construction and Real Estate, School of Civil Engineering, Southeast University, Nanjing 210096, PR China

a r t i c l e i n f o a b s t r a c t

Article history: Subway system is a critical and fundamental urban infrastructure and provides essential transport ser-
Received 15 April 2015 vices for promoting economic development and social stability. Due to the serious result of operation
Received in revised form 7 July 2015 interruption and accident, it is increasingly important for risk management to be proactive, targeted,
Accepted 24 July 2015
and effective. In this paper, a new framework based on network theory and FMECA method is proposed
Available online 6 August 2015
to study the vulnerability of subway system, in the form of analyzing network efficiency by network the-
ory and risk matrix in FMECA method. Then, a case study is used to demonstrate the effectiveness and
Keywords:
feasibility of the framework in identifying the vulnerable and critical functional module in subway sys-
Subway
Vulnerability analysis
tem and assessing severity of its failure modes. In the end, an organizational structure is put forward from
Network analysis three aspects of operation, research, and manufacturer for improving the subway safety level. This
FMECA research would be conducive to provide recommendations and suggestions regarding safety provisions
Failure mode for subway operation to reduce the occurrence of accidental failures.
Ó 2015 Elsevier Ltd. All rights reserved.

1. Introduction From perspective of historical experience, subway is invested

Critical infrastructures, such as the national electrical grid,
telecommunication and information networks, and transportation
systems, provide essential products or services for promoting
social and economic stability and healthy development. The econ-
omy of a nation and the well-being of its citizens depend on con-
tinuous and reliable functioning of infrastructure system
(Ouyang, 2014). In China, with the constant quickening of urban-
ization, more and more people have made their homes in cities
in pursuit of a better life. Currently, serious traffic congestion has
become a bottle neck of urban development, which can directly
influence city long-term and sustainable development (Tirachini
et al., 2014). The European Unification of Accounts and Marginal
Costs for Transport Efficiency (UNITE) project estimates the cost
of traffic congestion in the UK, for instance, to be £15 billion/year
($23.7 billion/year) or 1.5% of GDP (Nash, 2003).
⇑ Corresponding author at: Room 1302, Yi Fu Museum of Architecture, No. 2
Sipailou of Xuanwu District, Nanjing, PR China.
E-mail addresses: dengyongliang@seu.edu.cn (Y. Deng), njlqming@163.com
(Q. Li), luying_happy@126.com (Y. Lu).
1
Present address: Room 1308, Yi Fu Museum of Architecture, No. 2 Sipailou of
Xuanwu District, Nanjing, PR China.
2
Present address: Room 1407, Yi Fu Museum of Architecture, No. 2 Sipailou of
Xuanwu District, Nanjing, PR China.
when city is big enough at a certain stage of its development pro-
cess. Up to the end of 20th century, there are 115 cities with sub-
way, and the total length is over 7000 km. In contrast with other
transportation systems, the subway has many obvious advantages,
such as the capacity for a large volume of traffic, energy saving,
zero-exhaust fumes and low noise (Martínez and Viegas, 2012).
In view of this, the subway is becoming an increasingly appropriate
means of relieving traffic congestion. China is a country with large
population, contemporary Chinese cities are at a high-speed devel-
opment period, and all aspects of the city are faced with rapid and
drastic changes, especially in infrastructure construction (Li et al.,
2014). With the rapid construction in these years, subway has been
becoming one of the most important urban infrastructures in China
today. By the end of December 2014, subways have already been
put into operation in 22 Chinese cities with total mileage of
2700 km, and 15 other cities have been approved to construct their
urban subways. The increasing pace of urbanization accelerated to
subway project has ushered in a new period of great development
in China.
Subway is a typical complex system with many special charac-
teristics, such as large-scale, complicated spatially distributed,
interconnected, and interdependent. The complexities stem mainly
from a variety of complex functions and exogenous and endoge-
nous functional dependencies and interdependencies (Wang
et al., 2012). Subway is becoming gradually more complicated

http://dx.doi.org/10.1016/j.ssci.2015.07.019
0925-7535/Ó 2015 Elsevier Ltd. All rights reserved.
128 Y. Deng et al. / Safety Science 80 (2015) 127–134
and mutually dependent along with the development of scientific
technologies. Due to interdependences inside the subway system,
the failure of one component may affect the normal function of
other components or even diffuse directly or indirectly to the
whole system (Colombi et al., 2013). Hence, component failure
may lead to operation interruptions or accidents and cause
tremendous economic, social, and physical disruption, amplifying
negative consequences and affecting unforeseeable and haphazard
sets of users. An example is the subway collision occurred on 27
September 2011 in Shanghai, which left 284 people injured and
95 hospitalized, was caused by a single small failure in a subway
station power supply. As it stands, the source of this accident is a
component failure in power system, then spreads to signal system,
and diffuses to train system in the end, which directly leads to this
accident. The whole process looks like a domino phenomenon. As
this example indicates, the occurrence of component failures
may not only cause damage to a single subsystem, but also spread
to the other function related subsystems. It is apparent that
increasing complexities and interconnectivities are making sub-
way system more in need of systematic vulnerability analysis.
Considering the crucial role of subway in the development of
the entire society, it is increasingly important for risk management
to be proactive, as failures or breakdowns often result in great
losses in many aspects (Mu et al., 2014). According to a statistics
of Beijing subway operation accidents from 2008 to 2011, it indi-
cates that about 70% operation accidents are caused by the occur-
ring of various component failures. Thus it can be seen that the
physical fault is the main cause of subway operation interruption
and accident. Vulnerability and risk analysis are essential tools
for proactive risk and crisis management (Johansson and Hassel,
2010). Hence, it is necessary to discern potential risks and vulner-
abilities and formulate corresponding coping strategies, which is
very important to improve the safety level of subway operation.
The paper is organized as follows: a literature review is summa-
rized on the theme of vulnerability research and hazard analysis in
Section 2. Then, Section 3 describes the methodology in this
research, including an analytical framework, modeling approach,
network theory, and FMECA method. Next, in Section 4, a case study
is presented in which the subway network’s vulnerable functional
modules are identified in terms of network efficiency, and the fail-
ure modes are assessed based on risk matrix analysis. In the end,
conclusions and suggestions concerning possible implementation
issues and future study are provided in the final Section 5.
2. Literature review
Vulnerability is a term with different meanings in different
research areas. Its definition is often ambiguous and sometimes
misleading (Jönsson et al., 2008). In the present context, the
research literature contains two related interpretations. The first
is that vulnerability is a global system characteristic that expresses
the magnitude of serious consequences following the occurrence of
a specific hazardous event (Eusgeld et al., 2011). The other inter-
pretation is that vulnerability applies to a system component or
an aspect of a system (Aven, 2007). The term vulnerability is used
here to describe a system property according to the first interpre-
tation. There are also three important perspectives of vulnerability
analysis: global vulnerability analysis (Johansson et al., 2007), crit-
ical component analysis and critical geographical locations analy-
sis (Wang et al., 2013). Considering infrastructures are always
distributed in a wide spatial range, Johansson et al. (2011) propose
geographical vulnerability analysis to study the spatially oriented
vulnerability involved.
Many models and methods have been implemented to study
the vulnerability of systems, such as agent-based modeling
(ABM) (Acosta-Michlik and Espaldon, 2008), System Dynamics
(SD) (Mirchi et al., 2012), object-oriented modeling (OOM)
(Eusgeld et al., 2009; Zhang and Yang, 2014), and network theory
(Hearnshaw and Wilson, 2013). Among these existing vulnerability
methods, network theory has the obvious advantage of describing
the properties of complex infrastructure systems due to its adja-
cency matrix being able to completely characterize relationships
between network nodes. It has been applied in many infrastructure
systems, such as power grid system (Koç et al., 2013) and pipeline
system (Ouyang et al., 2008). However, in current studies, almost
all network models assume a fixed topological structure or inde-
pendent relationships. Most of the infrastructures involved have
an obvious network topology structure, and with relatively clear
basic elements (i.e. nodes and edges) in the network. Only a few
studies take into account interface topologies (physical connec-
tions) across infrastructure systems to minimize the consequences
of component failure (Ouyang and Dueñas-Osorio, 2011). The
physical properties of infrastructure components are inevitably
ignored in the modeling process. In addition, the functional rela-
tionships between infrastructure elements may not be well cap-
tured in the network models.
The network analysis is a powerful tool to identify and assess
the vulnerable components in infrastructure system from system-
atic view. However, it is argued that component failure is the root
cause of system vulnerability. In reality, various events can lead to
failures during the subway operation, such as random incidents,
natural hazards and sabotage. Many studies have been carried
out to understand these failure mechanisms and develop models
and methods for effectively analyzing systems in order to provide
protective measures (Kutlu and Ekmekçioğlu, 2012; Sause et al.,
2012). To summarize, there are two main approaches, i.e., predic-
tive approach and empirical approach (Johansson and Hassel,
2010).
The predictive approach mainly involves modeling or simulat-
ing the characteristics of a particular infrastructure system. The
model is a reasonable simplification of the real infrastructure sys-
tem and is analyzed by a corresponding software platform. An
example is the inoperability input–output method (IIM) based on
1973 Nobel laureate Wassily Leontief’s input–output economic
model. This uses a linear matrix equation to express the inability
of a system to achieve its designed function. Oliva et al. have devel-
oped an extension of IIM that expresses expert knowledge con-
cerning infrastructure dependencies, involving a dynamic
inoperability input–output model to provide valuable insights into
the risk assessment and management of interdependent infras-
tructure systems (Oliva et al., 2011). Used in this way, the IIM
approach is a great help in understanding how perturbations prop-
agate among interconnected infrastructure systems and how to
mitigate their effects (Crowther and Haimes, 2010). The empirical
approach, on the other hand, its main purpose is to discern pat-
terns relating to the propagation of failures and their consequences
for society. It mainly aims to gain experience or knowledge
through the analysis of past accidents or near misses, as learning
from previous failure experiences is a valued and relatively
pain-less process. McDaniels et al. (2007), for example, take an
empirical approach by using major electrical power outages to
understand how extreme events result in failures of infrastructure
systems.
The Failure Mode, Effects and Criticality Analysis (FMECA)
method is a typical empirical approach, which is very useful
method to propose improvement measures through the analysis
of potential failures and their effects on equipment, which
appeared during the sixties in aviation industry and achieved good
effect. The systematic application of this method has an important
significance for failure mode diagnosis and location and system
vulnerability improvement. It is a powerful tool for early
 Y. Deng et al. / Safety Science 80 (2015) 127–134
identification of failure mode and root causes of unacceptable out-
comes in various industrial applications (Wang et al., 2009), such
as medicinal product, ship, and electro-technical engineering
(Catelani et al., 2013; Meyer et al., 2015; Giardina and Morale,
2015). The FMECA method focuses on individual components and
their failure modes, which is efficient for ranking the criticality of
each potential failure mode.
In fact, the subway physical system is very complicated and
dynamic, making it difficult to prevent a failure propagating
throughout interconnected subsystems. One big difficulty is in
determining failure probabilities accurately due to most infrastruc-
tures being complex systems that are characteristically random,
fuzzy and uncertain (Calida and Katina, 2012). Hence, vulnerability
analysis emphasizes not just evaluating failure probabilities but
rather identifying system weaknesses that may be activated by
uncertain or even unknown threats or hazards through systemati-
cally exploring the consequences of component failures. It is
argued that minimizing failures in a single subsystem is a more
fundamental way to improve the safety and reliability of subway
system as a whole (Lu et al., 2013). In short, comprehensively con-
sidering the macroscopic and microscopic characteristics, network
theory and FMECA method are selected to study the vulnerability
of subway physical system, which contains both predictive
approach and empirical approach.
3. Methodology
3.1. Analytical framework
A more detailed methodical framework for subway physical
vulnerability analysis is proposed and described in Fig. 1. The
framework could be divided into four steps. The first step is to deep
analyze the functions and components of subway physical system.
The physical and functional decomposition of the subway provides
the basis for establishing the network model. The second step is to
establish and analysis the network model, aiming to discover the
vulnerable and critical functional modules. The third step is to
assess the various failure modes with the purpose of identifying
the most hazardous failure mode of vulnerable components. In
the end, the suggestions for vulnerability control are presented in
the fourth step. The network model and failure mode have formed
the two major parts of the vulnerability analysis, with the network
model being used to describe the subway system, and the failure
mode being employed to analyze vulnerability according to actual
failure conditions.
3.2. Modeling approach
Generally speaking, the complexity of system structure has
increased with the enhancement and advancement of compound
functions (Zanin and Lillo, 2013). The structure of subway system
is very complex and it is composed of multitudes of physical com-
ponents. It could provide various functions during its daily opera-
tion on basis of the stable operation of physical components, and
all physical components should function synergistically and collab-
oratively to produce and distribute a continuous flow of services or
products (Kadri et al., 2014). Therefore, there must be a direct map-
ping of relationships between physical components and functions.
From a network perspective, physical components can be repre-
sented as nodes, and functional mapping relationships are
abstracted as edges connecting the nodes. However, it is difficult
to build an infrastructure network model, as there may be thou-
sands of components in the system, with very complicated func-
tional relationships. In addition, physical components and
functions are not in one-to-one correspondence. For instance, one
129
Subway system
Physical decomposition Functional decomposition
of infrastrucutre of infrastrucutre
Abstract modules as Abstract relationships as
nodes edges
Establish and analysis
network model
Failure mode analysis
Recommendations for
vulnerability control
Fig. 1. The analytical framework.
component may provide several functions, or several components
may have to cooperate with each other in order to complete one
function.
Nevertheless, a modeling approach is used in this paper to
incorporate the physical components and their functions into one
network model. The network model is inspired by the network the-
oretic basic components of nodes and edges. This is applicable to
model infrastructures having clearly defined physical components.
There are three steps in establishing the network model. The
first step involves a detailed analysis of the physical components
to gain a standardized description of the functions involved and
ascertain all the corresponding relationships between the physical
components and functions. The second step is to divide these com-
ponents into different modules and use their corresponding rela-
tionships to create simplified cooperative relationships. The third
step is to establish the network model by representing the modules
and cooperative relationships as nodes and edges in the network.
3.3. Network analysis
Using this modeling approach, the physical infrastructure sys-
tem is abstracted as a directed connected network. In this network,
the nodes represent components in the real infrastructure system
and the edges represent the relationships among these compo-
nents. There is a one-to-one correlation between the network
and the infrastructure system.
The many failures of components of infrastructure systems can
be grouped into two forms: loss of part of functions and loss of full
functions. These two forms can be reflected in a network by differ-
ent deletion protocols. But in practice, either a component fully
loses its functions or partially loses its functions, the corresponding
node will unable to perform its normal functions and may lead to
operation accident. Therefore, in this paper, if a component fully or
partially loses its functions, the corresponding node in the network
will be deleted to simulate this.
Formally, for any network G = (V, E), where V = (v1, v2, . . ., vn) (the
set of nodes) and E = (l1, l2, . . ., ln), (the set of edges). In complex net-
work theory, the vulnerability of network G affected by an interfer-
ence factor d is defined as
U½G  U½DðG; dÞ
VðG; DÞ ¼ ð1Þ
U½G
130 Y. Deng et al. / Safety Science 80 (2015) 127–134

where D is a set of interferences, U is the functional metric for the Table 1

network model, U[D(G, d)] denotes the extent of function loss and The main functional relationships in signal system.

0 6 V(G, d) P 1. U is obtained by ATP ATO ATS CI

1 X 1 ATP / Monitoring the speed / /

UðGÞ ¼ ð2Þ information and
nðn  1Þ 8;i;j;i–j dij Protecting the train in a
dangerous situation
where n is the number of nodes in the network, and dij is the dis- ATO / / Sending route
tance between two nodes. signal to interlock
equipment for right
direction
3.4. FMECA ATS Providing status Detecting the running / /
information of state of the train to
FMECA represents a systematic procedure with inductive logic, railway track to support the ATO
which is able to analyze a system with the aim to identify exist fail- support the ATP
CI / / / /
ure modes and its effect on the system, whose danger is deter-
mined in accordance with the severity of failure modes and its
probability of occurrence (Zhou et al., 2015). In general, EMECA
method contains FMEA (Failure Mode and Effects Analysis) and
CA (Criticality Analysis). FMEA is a qualitative method, which ATO CI
focuses on the equipment failure causes and effects. CA is a quan- Network
titative method, which focuses on failure modes severity.
In FMECA method, aj is the ratio of occurrence number of the ATS ATP
j-th failure mode to that of all possible failure modes, and its value
is between 0 and 1. It could be obtained by statistics, experiment,
prediction, or any other method. The failure effect probability bj is
the conditional probability of that the entire equipment is led to
Modules
some criticality due to the j-th failure mode, and its value is
between 0 and 1. It could be estimated by expert experience. The
failure rate kp is the probability of that the failure of the component
happens during its working time t. The criticality Cm(j) of the j-th
failure mode presents the degree of risk when the j-th failure mode
occurs, it can be calculated by the following formula (3).
Functions
C m ðjÞ ¼ aj bj kp t ð3Þ

In addition, severe degree of failure mode could be obtained by

expert experience. Then, risk matrix could be used to analyze the
severity of failure mode synthetically. In risk matrix, the vertical
axis represents the probability of the severity of the failure mode,
whereas the horizontal axis represents the severe degree of failure
mode. The magnitude of risks by each failure mode can be reflected
by the distance from distribution point on the diagonal–vertical
projection to the origin in Cartesian coordinate system (Shen
et al., 2014). The longer the distance is, the more dangerous the risk
of failure modes is.
4. Case study
4.1. Model establishing
Considering the length limit of this paper, the signal system has
been selected as example to explain the establishing process of the
subway physical network. Signal system provides many necessary
functions for the safe operation of subway, such as position detec-
tion, overspeed protection, and route management. According to
the physical make up of signal system, it contains four modules,
i.e., Automatic Train Protection (ATP), Automatic Train Operation
(ATO), Automatic Train Supervision (ATS), Computer interlock
(CI). The main functional relationships are listed in Table 1.
After the modules and relationships are ascertained, the net-
work model can be established on the basis of network theory.
The whole analysis and modeling process of signal system could
be depicted as shown in Fig. 2. Through these three steps, the sig-
nal system could be abstracted as a micro-network which contains
four nodes and four edges.
By using the above method, the subway system could be
divided into 31 functional modules as shown in Table 2. The
Fig. 2. The modeling process of signal system.
PAJEK software platform is employed to establish the entire sub-
way physical network (SPN), as shown in Fig. 3. The nodes in the
network model are interdependent, as these modules have to
cooperative with each other to complete the full function of the
subway system in practice.
4.2. Network analysis
According to the aforementioned vulnerability analysis, the net-
work analysis could be implemented in the form of invisible func-
tional or physical networking to assess changes in performance
measured by network efficiency through node based protocol. In
total, there are 31 nodes in SPN and a node in the network model
represents a module in the subway system. If a node is deleted
from the model, it means that this module is no longer functioning
in reality. In order to find the most vulnerable module in the SPN,
every node will be deleted respectively and network efficiency will
be calculated to assess the performance change in the SPN. Fig. 4
depicts the vulnerability of each module in form of radar map,
which is got by calculated the change of network efficiency after
each module is removed from the SPN. It is observed that the most
vulnerable and critical module of the subway system is the train
system (vertex 2). In reality, train is the direct carrier of transport
task, and it is quite easily disturbed by various risks in operation
environment. In addition, Optical fiber system (vertex 7), clock sys-
tem (vertex 8), and automatic fare collection system (vertex 12)
are also very vulnerable. If one or more functional modules of sub-
way system are broken, the subway operation may have to be
 Y. Deng et al. / Safety Science 80 (2015) 127–134 131

Table 2 operation. Based on the importance of their functions, the bogie

Names and codes of functional modules. system is selected to be analyzed by FMECA method.
No. Functional No. Functional module No. Functional The key to implement FMECA is how to get the accurate data of
module module these variables. In this paper, the data was collected by a
1 High voltage 12 Automatic fare collection 23 Sign system three-stage process. In the first stage, investigate was carried out
network system to gain further information about the statistic data on various fail-
2 Train system 13 Screen doors 24 Fire control ure modes from Nanjing subway operation company. In the second
system
3 Catenary system 14 Escalator 25 Automatic train
stage, an interview was implemented to get the expert opinion on
operation the probability of failure effect. By doing this, quantitative data was
4 Computer 15 Environment control 26 Automatic train generated from 8 face-to-face interviews at the interviewee’s
interlock system supervision offices and meeting rooms in June 2015, including a high ranking
5 Dedicated 16 Water supply and drainage 27 Automatic train
senior officer, a middle ranked manager, two train drivers, and four
communication system protection
6 Public 17 Electrical and mechanical 28 Track system maintenance men in the train department of Nanjing subway oper-
communication control system ation company. The interviews lasted from 20 to 40 min and were
7 Optical fiber 18 Fire alarm system 29 Building transcribed into subsequent memoranda or research reports. In the
system automation third stage, a special meeting on the theme of severe degree of fail-
system
ure mode was held on July 2, 2015. Participating in the meeting
8 Clock system 19 Supervisory control and 30 Low voltage
data acquisition network were leaders from the train department of Nanjing subway opera-
9 Wireless 20 Passenger information 31 Elevator tion company and all the members of the research team. The fail-
communication system ure modes of train were analyzed in-depth and the potential
10 TV monitoring 21 Access control system
means of improving safety management levels were also dis-
11 Broadcast 22 Screen display system
system cussed. In the end, a classification standard for severe degree of
failure mode was determined, which was shown in Table 3.
According to the failure statistics of Nanjing Subway Operation
Company from January 2011 to December 2012 (Nanjing subway
interrupted in an extent or even spread to the entire subway net- operation refused to share the latest statistics data), failure modes
work, which will cause serious harm to society. could be classified in accordance with the fault phenomena. The
main failure modes of bogie system could be summarized respec-
tively as follows: shock absorber oil leakage (SAOL), wheel size
4.3. FMECA analysis problem (WSP), air spring failure (ASF), gear box oil leakage
(GBOL), abnormal vibration (AV), jib elastic node failure (JENF),
Through the result of network analysis, the train is one of the rubber ring damaged (RRD).
key vulnerable equipment in subway system. Considering the In rail transit industry, the total working time of train could be
length of this paper, it is not feasible to analysis every kind of fail- represented by the running mileage. In No.1 line of Nanjing sub-
ure node in this part because of that there are various failure way, there are 20 trains and the total failure number in 2011 and
modes in train system. Therefore, one of its subsystems would be 2012 is 482. The total mileage is 6.5 ⁄ 106 km. Therefore, the ratio
selected as an example to be analyzed. In general, the train is com- of occurrence number of failure mode a and failure rate k could be
posed of Train Control and Management System, train door sys- calculated by the statistical data accurately. In addition, the quali-
tem, train body system, auxiliary system, traction system, tative data of failure effect probability b is get from the expert
braking system, bogie system, and air conditioning system. The experience, and it could be converted to quantitative data by trian-
failure in these subsystems may result in serious accident in daily gular fuzzy number. The failure modes are divided into four

Fig. 3. The subway physical network model.

132 Y. Deng et al. / Safety Science 80 (2015) 127–134

degrees, in which the most serious degree is degree I, and the Table 4
degree IV is relatively not serious. The failure mode degrees were FMECA analysis table.

confirmed synthetically through professional discussion in the spe- Train Failure a (%) b k (%)/ Severity/ Grade
cial meeting. To sum up, the FMECA analysis table is shown in subsystem mode 103 km 103 km
Table 4. Bogie system SAOL 30.71 0.5111 7.42 1.1646 III
Comprehensive considering the probability and severe degree, WSP 33.82 0.6611 7.42 1.6505 II
the risk matrix could be drawn as Fig. 5. The x-axis is probability ASF 7.47 0.4944 7.42 0.2743 IV
GBOL 11.83 0.6500 7.42 0.5685 III
of the severity of the failure mode and the y-axis is severe degree AV 7.26 0.5611 7.42 0.3018 III
of failure mode. In this figure, distribution point on the diagonal– JENF 5.60 0.5278 7.42 0.2192 IV
vertical projection could be got by constructing the perpendicular RRD 3.32 0.4611 7.42 0.1139 IV
of diagonal line through the coordinate point of every failure mode.
The far the distance from the origin of coordinate system, the more
dangerous the failure mode is. The hazard analysis indicates that
the risk order of these failure modes is WSP, SAOL, GBOL, AV, Cm/103km
ASF, JENF, and RRD. The wheel size problem is the most dangerous 1.659
failure mode in bogie system. WSP

1
5. Discussion and conclusion
SAOL

Criticality
In this paper, an analytical framework is proposed to study vul-
nerability of subway physical system based on its characteristics, 2
and it is proved to be effective and feasible. The proposed network
3
modeling approach is a useful tool for establishing network model
of infrastructure system. According to the research result of net- 4
GBOL
work analysis, train is the most vulnerable functional module in
subway system. Optical fiber system, clock system, and automatic 65
fare collection system are also very vulnerable. Then, bogie system, 7 ASF AV
the subsystem of train system, is selected to do FMECA analysis in JENF
order to identify the critical failure mode, which may lead to seri- RRD
ous accident in daily operation. It is discovered that the wheel size IV III II I
Severe degree
1 Fig. 5. Bogie system risk matrix.
31 2
30 3
29 4
28 5
problem is the most serious failure mode, followed by shock absor-
27 6 ber oil leakage and gear box oil leakage.
26 7 The vulnerability research can be used as a significant founda-
tion for improving the safety level of subway operation. In brief,
25 8 it is anticipated to enhance subway safety in three aspects. First,
Vulnerability network analysis will help in discovering the vulnerable and criti-
24 9 cal functional modules in subway system with quantitative
23 10 method, which provides a good basis on the hierarchical manage-
ment of equipment safety. More safety resources could be allo-
22 11 cated to the vulnerable and critical equipment in daily safety
21 12 management. Second, FMECA could be very useful in supporting
safety risk analysis, for instance, as a qualitative tool for identifying
20 13
the important failure mode and assessing the running status of
19 14
18 15 equipment. Third, vulnerability research results could provide
17 16
basic data for manufacturers to improve subway equipment per-
Fig. 4. The network vulnerability of subway physical module. formance and raise operational reliability.
Network theory is a powerful tool to research the vulnerability
of network model. The proposed modeling approach is a promising
method to model complex infrastructure system without fixed
Table 3 topological structure. The most important point is establishing a
Severe degree of failure mode. reasonable network model in accordance with the research object.
It is apparent that exploring vulnerabilities requires a detailed
Severe degree Description
knowledge of the global structure of the subway physical network,
Degree I May lead to loss of system functionality, endanger
but, it is very difficult to acquire such knowledge entirely and accu-
operation safety, and cause casualties
Degree II May lead to performance degradation of main components,
rately due to the complexity of the subway system. Hence, empir-
influence driving safety, and cannot repair in a short time ical system decomposition is used to abstract the real subway
Degree III Little impact on safety, may lead to train stopped, could be system into nodes and edges, which represent functional modules
repaired in a short time and functional relationships respectively. In FMECA analysis part,
Degree IV Almost no effect on safety, no need to replace parts, could
considering the diversity and complexity of failure modes, it is also
be repaired easily
impossible to do FMECA analysis on all the functional modules.
 Y. Deng et al. / Safety Science 80 (2015) 127–134
Metro
operation unit
Supervise
te
Co
ora
llab
llab
ora
Co
te
Metro safety
t As
sis sis
As t performances optimization of photovoltaic modules with FMECA approach.
Research
institution Collaborate
Fig. 6. The proposed organization structure.
Therefore, train is selected as an example to do FEMCA analysis
based on the data collected from Nanjing subway operation com-
pany, including statistical data, questionnaire data, and expert
opinion. In short, although involving some simplification of reality,
the modeling and analytical approaches are reliable and the result
is intuitively sound. In addition, it is demonstrated that using net-
work theory and FMECA method to study subway systems may be
a fruitful direction for vulnerability analysis of infrastructure sys-
tems in future.
Based on this research, an organization structure is proposed in
order to decrease the subway physical vulnerability, as shown in
Fig. 6. Subway operation unit is directly in charge of subway daily
operation, it plays a key role in ensuring the subway safety. The
subway operation company is responsible for organizing patrol
inspection and maintenance on vulnerable and critical instruments
and devices and making complete running and maintenance
records, which is the fundamental data for research institution to
implement related research work. It could be in the form of a man-
agement consultancy to help the subway operation company in
improving operation safety. For example, the research institution
could offer suggestions on modifying the management regulations
and preventing the operation risks. In addition, equipment manu-
facturer is also a critical role because it manufactures and supplies
the subway equipment. The equipment manufacturer, therefore,
could use the statistical data of subway operation company and
research results of research institution to analyze the failure modes
that are occurring and help identify their root causes to improve
technical design standards and manufacturing processes.
In future research, a detailed failure knowledge database is
needed, with case-based reasoning to analyze safety risks.
Meanwhile, a real-time early warning system could be developed
based on the characteristics of equipment failure modes, which
will be great help to improve subway safety level. In addition,
how to establish the cooperation and coordination mechanism
among subway operation unit, research institution, and equipment
manufacturer is also deserved to make a thorough study.
Acknowledgments
The research described in this paper is supported by the
National Science Foundation of China (Grant No. 51178116) and
the Humanities and Social Sciences Youth Foundation of China’s
Education Ministry (13YJCZH120), the Priority Academic Program
Development of Jiangsu Higher Education Institutions (PAPD) and
Postgraduates’ Science and Innovation Foundation of Jiangsu
133
Province (Grant No. CXZZ13_0111). The authors also gratefully
acknowledge those who provided data and suggestions.
References
Acosta-Michlik, L., Espaldon, V., 2008. Assessing vulnerability of selected farming
communities in the Philippines based on a behavioral model of agent’s
adaptation to global environmental change. Global Environ. Change 18 (4),
554–563.
Aven, T., 2007. A unified framework for risk and vulnerability analysis covering both
safety and security. Reliab. Eng. Syst. Saf. 92 (6), 745–754.
Calida, B.Y., Katina, P.F., 2012. Regional industries as critical infrastructures: a tale of
two modern cities. Int. J. Crit. Infrastruct. 8 (1), 74–90.
Catelani, M., Ciani, L., Cristaldi, L., Faifer, M., Lazzaroni, M., 2013. Electrical
Equipment Measurement 46 (10), 3898–3909.
manufacturer Colombi, C., Angius, S., Gianelle, V., Lazzarini, M., 2013. Particulate matter
concentrations, physical characteristics and elemental composition in the
Milan underground transport system. Atmos. Environ. 70, 166–178.
Crowther, K.G., Haimes, Y.Y., 2010. Development of the multiregional inoperability
input–output model (MRIIM) for spatial explicitness in preparedness of
interdependent regions. Syst. Eng. 13 (1), 28–46.
Eusgeld, I., Kröger, W., Sansavini, G., Schläpfer, M., Zio, E., 2009. The role of network
theory and object-oriented modeling within a framework for the vulnerability
analysis of critical infrastructures. Reliab. Eng. Syst. Saf. 94 (5), 954–963.
Eusgeld, I., Nan, C., Dietz, S., 2011. ‘‘System-of-systems’’ approach for
interdependent critical infrastructures. Reliab. Eng. Syst. Saf. 96 (6), 679–686.
Giardina, M., Morale, M., 2015. Safety study of an LNG regasification plant using an
FMECA and HAZOP integrated methodology. J. Loss Prev. Process Ind. 35, 35–45.
Hearnshaw, E.J., Wilson, M.M., 2013. A complex network approach to supply chain
network theory. Int. J. Oper. Prod. Manage. 33 (4), 442–469.
Johansson, J., Hassel, H., 2010. An approach for modelling interdependent
infrastructures in the context of vulnerability analysis. Reliab. Eng. Syst. Saf.
95 (12), 1335–1344.
Johansson, J., Jonsson, H., Johansson, H., 2007. Analysing the vulnerability of electric
distribution systems: a step towards incorporating the societal consequences of
disruptions. Int. J. Emerg. Manage. 4 (1), 4–17.
Johansson, J., Hassel, H., Cedergren, A., 2011. Vulnerability analysis of
interdependent critical infrastructures: case study of the Swedish railway
system. Int. J. Crit. Infrastruct. 7 (4), 289–316.
Jönsson, H., Johansson, J., Johansson, H., 2008. Identifying critical components in
technical infrastructure networks. Proc. Inst. Mech. Eng., Part O: J. Risk Reliab.
222 (2), 235–243.
Kadri, F., Birregah, B., Châtelet, E., 2014. The impact of natural disasters on critical
infrastructures: a domino effect-based study. J. Homel. Secur. Emerg. Manage.
11 (2), 217–241.
Koç, Y., Warnier, M., Kooij, R.E., Brazier, F.M., 2013. An entropy-based metric to
quantify the robustness of power grids against cascading failures. Saf. Sci. 59,
126–134.
Kutlu, A.C., Ekmekçioğlu, M., 2012. Fuzzy failure modes and effects analysis by using
fuzzy TOPSIS-based fuzzy AHP. Expert Syst. Appl. 39 (1), 61–67.
Li, N., Xu, Z., Zhai, L., Li, Y., Fan, F., Zheng, J., Xu, P., He, F., 2014. Rapid development of
proteomics in China: from the perspective of the human liver proteome project
and technology development. Sci. China Life Sci. 57 (12), 1162–1171.
Lu, Y., Li, Q.M., Xiao, W.J., 2013. Case-based reasoning for automated safety risk
analysis on subway operation: case representation and retrieval. Saf. Sci. 57,
75–81.
Martínez, L.M.G., Viegas, J.M., 2012. The value capture potential of the Lisbon
Subway. J. Transp. Land Use 5 (1), 65–82.
McDaniels, T., Chang, S., Peterson, K., Mikawoz, J., Reed, D., 2007. Empirical
framework for characterizing infrastructure failure interdependencies. J.
Infrastruct. Syst. 13 (3), 175–184.
Meyer, A., Vaquer, G., Birebent, B., Gautier, E., Segier, J.M., Gouby, J., Rouard, H.,
2015. The failure mode, effects and criticality analysis (FMECA) method: a
useful approach for risk management plan in advanced therapy medicinal
products manufacturing. Cytotherapy 17 (6), S11.
Mirchi, A., Madani, K., Watkins Jr., D., Ahmad, S., 2012. Synthesis of system
dynamics tools for holistic conceptualization of water resources problems.
Water Resour. Manage 26 (9), 2421–2442.
Mu, S., Cheng, H., Chohr, M., Peng, W., 2014. Assessing risk management capability
of contractors in subway projects in mainland China. Int. J. Project Manage. 32
(3), 452–460.
Nash, C., with contributions from partners, 2003. Project UNITE (UNIfication of
Accounts and Marginal Costs for Transport Efficiency). Final Technical Report,
Fifth Framework Competitive and Sustainable Growth (Growth) Programme,
Commissioned by European Commission, DG TREN. <www.its.leeds.ac.uk/
UNITE>.
Oliva, G., Panzieri, S., Setola, R., 2011. Fuzzy dynamic input–output inoperability
model. Int. J. Crit. Infrastruct. Prot. 4 (3), 165–175.
Ouyang, M., 2014. Review on modeling and simulation of interdependent critical
infrastructure systems. Reliab. Eng. Syst. Saf. 121, 43–60.
Ouyang, M., Dueñas-Osorio, L., 2011. An approach to design interface topologies
across interdependent urban infrastructure systems. Reliab. Eng. Syst. Saf. 96
(11), 1462–1473.
134 Y. Deng et al. / Safety Science 80 (2015) 127–134
Ouyang, M., Yu, M.H., Huang, X.Z., Luan, E.J., 2008. Emergency response to disaster-
struck scale-free network with redundant systems. Physica A: Stat. Mech. Appl.
387 (18), 4683–4691.
Sause, M.G.R., Müller, T., Horoschenkoff, A., Horn, S., 2012. Quantification of failure
mechanisms in mode-I loading of fiber reinforced plastics utilizing acoustic
emission analysis. Compos. Sci. Technol. 72 (2), 167–174.
Shen, G.X., Sun, S.G., Zhang, Y.Z., Wang, Z.Q., Chen, B.K., Ma, C., 2014. System failure
analysis based on DEMATEL–ISM and FMECA. J. Cent. South Univ. Technol. 12
(21), 4518–4525.
Tirachini, A., Hensher, D.A., Rose, J.M., 2014. Multimodal pricing and optimal design
of urban public transport: the interplay between traffic congestion and bus
crowding. Transp. Res. Part B: Methodol. 61, 33–54.
Wang, Y.M., Chin, K.S., Poon, G.K.K., Yang, J.B., 2009. Risk evaluation in failure mode
and effects analysis using fuzzy weighted geometric mean. Expert Syst. Appl. 36
(2), 1195–1207.
Wang, S., Hong, L., Chen, X., 2012. Vulnerability analysis of interdependent
infrastructure systems: a methodological framework. Physica A: Stat. Mech.
Appl. 391 (11), 3323–3335.
Wang, S., Hong, L., Ouyang, M., Zhang, J., Chen, X., 2013. Vulnerability analysis of
interdependent infrastructure systems under edge attack strategies. Saf. Sci. 51
(1), 328–337.
Zanin, M., Lillo, F., 2013. Modelling the air transport with complex networks: a short
review. Eur. Phys. J. Spec. Top. 215 (1), 5–21.
Zhang, Y., Yang, N., 2014. Development of a mitigation strategy against the
cascading propagation of risk in R&D network. Saf. Sci. 68, 161–168.
Zhou, A., Yu, D., Zhang, W., 2015. A research on intelligent fault diagnosis of wind
turbines based on ontology and FMECA. Adv. Eng. Inform. 29 (1), 115–125.