1 Introduction

For tunnels in general, the concept of risk analysis [1, 2] plays an important role in the creation of a fire safe design that meets the objectives of the different stakeholders. For road tunnels, many regulations, standards and directives are available as guidance [35]. For rail tunnels however, the amount of reference documents [6, 7] is much scarcer, leaving a substantial degree of freedom to the designer. Relying heavily on engineering judgement during the fire safety design may lead to poorly quantified safety levels. As a significant portion of designing fire safety systems is based on extreme events [1, 8], such as credible worst case Heat Release Rate (HRR) curves, it is of crucial importance to make the process of risk analysis as quantitative as possible. Railway tunnel fire safety is a very specific and exceptional scenario because the probability of having a fire on a train in a tunnel is reasonably low, but the consequences can be extremely high. Hence the need for an appropriate risk analysis methodology for rail tunnels to create a fire safety design, acceptable in an objective manner for all the stakeholders involved.

When dimensioning safety systems in an underground infrastructure in case of fire, the main parameter of influence is the design fire. In a deterministic approach, the fire safety design is based on a ‘plausible worst-case’ scenario [9]. Several guides for design fires have been developed [10, 11]. However, there is a wide range of possible fire scenarios occurring in underground structures [1, 9, 12] and as such it is challenging to define the worst-case scenario. Studies have been done to investigate the effect of tunnel conditions (e.g. geometry, wind, etc.) on fire propagation and smoke spread [1315]. In recent years some very extensive measuring campaigns [8, 16, 17] showed the possibility of very high peak HRR values (up to 67 MW) for rail carriages under specific conditions (depending, e.g., on the ignition source and the reaction-to-fire of the materials involved). A question that automatically comes to mind is whether all tunnels where trains are allowed, must be designed on the basis of such high HRR values. In other words, how ‘plausible’ is the worst-case scenario? This question can be addressed by introducing a probabilistic element in the fire safety design process, through the use of distribution curves that take into account a range of possible fire scenarios [18, 19].

In this paper an integrated quantitative risk assessment approach is presented to quantify the risk for people present in the tunnel in the context of a fire hazard in a railway tunnel. Moreover, the methodology enables the user to determine the societal risk and compare different alternative solutions to each other, with predefined acceptable risk criteria. The paper focuses on passenger transport only (Table 1).

2 Bow-Tie Model

Different risk assessment methodologies have already been used for tunnels in European countries. Two types exist. The first type concerns deterministic methods. In the technique, the consequences are assessed for possible accidents that can occur in a tunnel. Examples are the ‘scenario incident analysis’ and the ‘maximum credible accident analysis’ (MCA) [18]. The second type is the probabilistic risk assessment approach. The consequences and the frequency (per year) for these consequences to occur, are analysed. Consequences and frequencies are multiplied and presented as risk for the individual tunnel user, a societal risk and a risk for tunnel damage. Examples are TunPRIM, QRAM, etc. [18].

The second type is used in this study in order to address the above stated question whether the designer needs to consider the plausible worst case scenario. Using the probabilistic approach, the designer can also consider scenarios with high consequence and low probability, or scenarios with lower consequence level but higher probability, and not only focus on the worst case scenario.

This study shows that, within near future possibilities of computational capacity, statistical data acquisition, etc., allow the bow-tie model (Figure 1) to be a suitable method to approach this problem. The bow-tie model implies a high number of possible fire scenarios, which jeopardizes the use of computationally demanding models (such as CFD, evacuation software, etc.) in the global QRA (Quantitative Risk Assessment) analysis. However, by reducing and optimizing the number of scenarios a manageable balance can be found between accuracy and computation time. Optimizing statistical data acquisition will also lead to more accurate information.

Figure 1
figure 1

Concept of the bow-tie model. Adapted from [20]

Full size image

The bow-tie model is a combination of the fault and event tree analysis (FTA & ETA) with a critical event in the middle (Figure 1). FTA is a top down, deductive failure analysis in which an undesired state of a system is analyzed using Boolean logic to combine a series of lower-level events [20]. ETA is a forward, bottom up, logical modeling technique for both success and failure that explores responses through a single initiating event and lays a path for assessing probabilities of the outcomes and overall system analysis [20]. The bow-tie technique requires formation of fault structures at the left side and branch scenarios at the right side of the critical event. In this regard, risk is analysed from an engineering point of view by multiplying frequency and consequences. Each branch scenario has its own frequency and consequences in terms of fatalities per year. By providing preventive safety measures in the FTA and mitigation safety measures in the ETA part, the negative effects from fire situations are reduced.

3 Development of the Methodology

The bow-tie for fire situations in rail tunnels was constructed by analysing past accidents. The most important factors, based on the sensitivity analysis (see case study below) and literature [9, 21] which may lead to the sequence of events, were determined to be:

  • Human behaviour: Human behaviour is crucial in every fire situation. E.g., training of staff and guidance during evacuation circumstances can have significant impact [21] by reducing pre-movement and evacuation time.

  • Fire growth: the fire growth curve is of great importance when assessing life safety, due to the relation of the growing fire with the release of heat and toxic products of combustion [22].

  • Ventilation conditions: in combination with the fire growth curve this determines the generation of the heat and products of combustion, as well as their motion [23].

  • Safety systems: The safety system affects the fire and smoke spread and evacuation times.

  • Population distribution: High occupant densities correspond to higher evacuation times.

With these factors, representative scenarios are determined to be taken into account in the bow-tie. For the configuration at hand, two events are determined as ‘critical event’: the “Fire initiation” and “Stop in tunnel & fire in train”.

3.1 Fault and Event Tree Simplification

In order to reduce computation times, it is interesting to simplify the fault and event trees of the bow-tie where possible. This is done by means of the following procedure.

The “Fire initiation” event is considered as the first example of a critical event in the middle of the bow-tie. Instead of developing a fault tree structure for the left part of the bow-tie leading to this event, fire frequency data is collected from national governmental institutes and international research projects to determine the initial fire frequency in trains. This is then used as the starting frequency for the event tree. In other words, the fault tree is effectively removed for this critical event.

The critical event gives rise to an event tree with multiple pathway factors (e.g., the decision of the driver to stop, possible technical failures, emergency break activation, etc.).

These pathway factors initiate multiple branches, several of which have in principle the same outcome, e.g. a stop of the train on fire inside the tunnel (‘Fire + stop’ in Figure 2). In order to reduce the number of possible scenarios in the global risk analysis diagram, the pathways with identical outcome are grouped, before continuing further in the event tree. This principle is illustrated in Figure 3.

Figure 2
figure 2

The six pathway factors of the initial event tree

Full size image
Figure 3
figure 3

Concept of combining the outcomes of the first event tree for initialization of the second event tree

Full size image

In the second event tree again multiple pathway factors are used. In the example below, five pathway factors are defined (Figure 4). The number of parameters is taken as low as possible, taking into account a proper balance between completeness and computational cost. These pathway factors concern variations in parameters, such as:

Figure 4
figure 4

Example of pathway factors of the second event tree

Full size image

  • The fire growth (fire growth coefficient, peak HRR value, generation yields of products of combustion, etc.);

  • Detection & activation times: variability in the time to activation of the alarm and safety systems;

  • Ventilation performance: variation of the performance of the longitudinal or transverse ventilation system;

  • The smoke free zone: variation of the part of the train that is situated in the smoke-free side of the tunnel;

  • The population density: variation of the number of passengers present in the train.

The probabilities of the pathway factors are quantified by means of three different types of information gathering [20]. The first type of information is historical data. The incident data (i.e., occurrence of the incident), failure rate data (i.e., equipment failures) and failure probability data (i.e., human error) gives input. Information can be obtained from databases developed in different countries. In Table 1 an example of such information is presented from the Dutch database [24]. Care should be taken when using the data from other countries due to possible fundamental difference in infrastructure, safety systems, procedures, habits, etc.

Table 1 Dutch Database Train Fires
Full size table

A second approach, using fault tree analysis, is mentioned above. In this method, the data is determined through quantification of the initiation of fire occurrence by decomposing the event in basic events in which failure rates can be obtained from technical specifications. A straightforward example is given in the figure below (Figure 5).

Figure 5
figure 5

Concept of combining the outcomes of the first event tree for initialization of the second event tree [20]

Full size image

The third approach is to rely upon ‘engineering judgement’ to estimate probabilities for pathway factors for which no or insufficient data is available. After determining the branch probabilities, the consequences are evaluated for each branch outcome. In order to obtain the result in terms of fatalities per year, the methodology is assisted by three models (Figure 6): the Smoke spread model, the Evacuation model, and the Consequence model.

Figure 6
figure 6

Illustration of how the sub-models lead to a QRA. Input for the scenarios is obtained from the bow-tie branches as explained in Figures 2, 3 and 4

Full size image

3.2 Smoke Spread Model

The smoke spread model is needed to model the physical movement of products from the fire. The model should be able to account for complex tunnel and train geometry. Pressure losses should be modelled or imposed at the boundaries. The model should be able to account for the effect of different types of fire safety systems such as smoke and heat exhaust systems, different detection devices, train localisation systems, etc. Also transient effects of fire development are of importance in evacuation circumstances. As an outcome of the smoke spread model, proper input data must be provided for the evacuation model.

Different types of smoke spread models can be applied, ranging from 1D models to 3D CFD models. Whereas 1D models are obviously much faster, the output of the 3D model is assumed more appropriate for use as input for the evacuation model because the output concentrations from the 3D smoke spread model can be converted into proper format for the evacuation model. This is not always possible in a reliable manner with 1D models, particularly for complex geometries.

For the determination of the concentration and composition of the smoke at a certain location and at a certain moment in time, the smoke spread model must be supplemented with various input factors. According to [25], the CO and HCN asphyxiant gases are the most relevant toxic combustion products relating to incapacitation and death. Soot production directly affects visibility.

The generation of CO is largely determined by the amount of oxygen available for combustion [23, 26]. Depending on the fuel, yields can become as high as 0.18 g CO/g fuel consumed.

HCN concentrations are more material dependent. HCN can only be created if nitrogen is present in the fuel. According to [22] the HCN yield is related to the equivalence ratio, but there is strong spreading in the data due to material dependency. Consequently, it is advised to determine the materials which are likely to burn in case of fire in a rail car.

For the soot yield, the German guideline [27] advises values between 0.03 and 0.15 g soot/g fuel consumed for rail cars. Again, this value strongly depends on the configuration of geometry, materials and ventilation conditions.

3.3 Evacuation Model

The output data from the smoke spread model is used as input for the evacuation model, which quantifies the complex interactions between evacuating passengers and combustion products. The purpose of the model is to determine the exposure to heat and toxic gas doses of the different combustion products for each person during their evacuation.

Ideally, the evacuation model for rail tunnel fire incidents features the following aspects [28, 29]:

  • Tunnel and train geometry should be accounted for.

  • The evacuation should comprise the path from the train to the emergency walkway and from the walkway to the emergency doors or tunnel portal.

  • Aspects of human behaviour should be taken into account, such as people and place affiliation, interpersonal distance, reduced walking velocities in case of high people densities, distributions of pre-movement times, walking speeds, population types, etc. should be taken into account. Particularly, walking speed variations will have a large impact on evacuation times because it has been encountered that, in smoke filled tunnels, people tend to walk in one row behind each other next to the wall in order to have guidance from that wall during evacuation [30]. This means that slower people will slow down the people behind.

  • The time dependent effects of smoke (in terms of visibility and the presence of irritant and toxic gases) should be taken into account.

  • The model should account for the effect of different types of safety systems such as voice communication, passive and dynamic evacuation signalling, improved walkways, handrail, etc.

  • The output data obtained from the model should in a useable form in order to determine the effects on each person.

Additionally, in case of an evacuation out of the train into the tunnel towards an emergency exit, the effect of merging flow phenomena can be of importance on the walkway [31].

3.4 Consequence model

The third sub-model converts the exposure as obtained from the smoke spread and evacuation model for each person in the tunnel into a fatality rate per scenario.

In the model at hand, the effects of asphyxiant gases (CO, CO2, HCN and low O2) and irritant gases are taken into account by means of correlations formulated by Purser [23]. In contrast to the ISO 13571 [32], these correlations take into account the non-linearity of different types of concentrations. Combining correlations for the different gases, a single value is used to determine whether a person becomes incapacitated or not, namely the FID (Fractional Incapacitation Dose). When the FID value becomes unity it is assumed that the considered person will incapacitate and is likely to lead to a fatality [23]. The correlation for the FID of CO reads:

$$ FID_{co} = 3.317 \times 10^{ - 5} \left[ {CO} \right]^{1.036} V \frac{t}{D} $$
(1)

In Eq. (1), [CO] is the concentration of CO (ppm), V is the volume of breathed air per minute (l/min), t is the total exposure time (expressed in min) and D is the exposure dose for incapacitation (%COHb). This is on average the concentration of CO in the blood a person can inhale before the person becomes incapacitated.

However, Eq. (1) is only valid for a population of healthy young men, whereas, in reality, also children, elderly, pregnant women, etc., take the train. Additionally, the factors in Eq. (1) contain a degree of uncertainty.

This can be taken into account by using distributions, rather than fixed numbers, in Eq. (1). To give an example: instead of using the common assumption that D is constant, the variability of susceptibility can be taken into account, using statistical data from experiments performed on primates. Figure 7 shows a Normal and Beta distribution based on such data [33]. In the model in the present paper the normal distribution is used because it is slightly more conservative. For the determination of the FID value per person from Eq. (1), every person in the tunnel must be assigned one D value from the curve. This is done by using Monte Carlo simulations. By running the model many times the final value will be an average fatality rate for the scenario under consideration.

Figure 7
figure 7

Normal and Beta distribution for the exposure dose for incapacitation

Full size image

The volume of breathed air (V) can be approached similarly, as it will depend on age, physical condition, walking speed, stress, etc. However, this variability was not analysed in the study and is not included in the model.

The visibility effect is added through the Yin-Yamada correlation [34] for the walking speed as function of the extinction coefficient.

3.5 Risk Calculation

The advantage of the above described models is that they can consider all types of geometry and materials, human behaviour and different susceptibilities of people for smoke. Together, they determine the possible number of fatalities, by means of a FID value, in case of a fire in a rail tunnel. The final risk is presented as the expected number of fatalities, the individual risk and the societal risk. The societal risk or the risk to a group of people is demonstrated by means of an FN-curve. The curves are plots of the cumulative frequency (F) of various incident scenarios against the number (N) of casualties associated with the modelled incidents [35].

As with all risk analysis methodologies, it is important to have reliable probabilistic data. In order to address the uncertainty on the proposed input parameters, a sensitivity analysis must be performed. Two types of analysis are chosen in the case study:

  • An individual sensitivity analysis on the most important input parameters. The results are visualised in a tornado diagram.

  • A collective sensitivity analysis in which all significant input parameter are varied at once. The purpose is to determine the uncertainty of the end results. The results are visualised in an FN-curve.

The two types of sensitivity analyses are presented in the case study below.

4 Case Study

The method is now applied to an existing underground rail link. The goal is to determine the societal risk and show the possibility of comparing alternative solutions. The part of the rail link studied is the combination of a 500 m tunnel section and a station. The tunnel contains six tracks and has a cross section of about 32 × 5.2 m2. The vehicles are 26 m long double-decker rail-way cars (Figure 8).

Figure 8
figure 8

CFD model tunnel and station (Left) and Double-decker railway-car (Right) [36]

Full size image

In order to compare different alternative solutions, several safety systems can be proposed. In the case study at hand, the following safety systems are always assumed to be in place: automatic brake stopping system, emergency response, alarm and voice communication system. The following systems are compared in alternative solutions: a linear heat detection system, a train localisation system, a longitudinal ventilation system and a brake overrule system.

4.1 FN Curves

Figure 9 presents the determined FN curves. The straight lines refer to prescribed levels (i.e., acceptable levels in Sweden and the Netherlands). As long as the FN curve is below the limit level, the risk is thus considered ‘acceptable’. The highest FN is the basic case and corresponds to the situation where no safety system is in place (i.e., no longitudinal ventilation, no linear detection, no train localisation system). This is clearly not acceptable, since the FN curve crosses the acceptable criteria line. Adding linear detection and longitudinal ventilation shifts the curve vertically downward and almost leads to a design within the acceptable limits. The addition of the train localisation system results in an acceptable curve. The lowest FN curve is obtained when also a brake overrule system is put in place.

Figure 9
figure 9

FN-curve case study with different alternative solutions

Full size image

More important than the absolute comparison of the curves for the specific case at hand, Figure 9 illustrates that the different safety systems can be compared directly to each other, in addition to assessing them against certain acceptable risk levels. The curves show a shift downward when multiple safety systems are added to the original concept, because failure frequencies of each branch in the event tree are adjusted. In case all systems are provided, scenarios (with potentially high consequences) will have lower probabilities than scenarios where fewer safety systems are in place. Note that no horizontal shift is observed because only reliability data are varied, i.e., only probability frequencies are considered and the deterministic aspects (in, e.g., the smoke spread model and evacuation model) are left unchanged. If, e.g., the effectiveness of a smoke and heat control system is added as sensitivity parameter in the smoke spread model, also the deterministic part in the methodology changes and horizontal shifts in the FN curves are possible. This, however, is considered beyond the scope of the present paper.

4.2 Sensitivity Study

As mentioned above, a sensitivity analysis is performed in two parts. The first part studies the sensitivity of the results to each parameter, where each parameter is varied individually within certain ranges. In the second part, all parameters are varied at once.

For the first study, a range of input parameters have been studied. The most important input factors are assigned a possible range of frequencies and probabilities based on fault tree data, historical frequencies and engineering judgment. The result is presented in a Tornado-diagram (Figure 10). The Y-axis shows each parameter and the X-axis shows the standard deviation of the final risk value when each parameter is varied within the specified interval. By means of the diagram, the designer is able to determine the most sensitive input parameters.

Figure 10
figure 10

Tornado diagram of the sensitivity analysis with the most sensitive input parameters (case specific result)

Full size image

The second sensitivity analysis determines the sensitivity of the concept when all parameters are variable. Distributions are applied to all input parameters. Depending on the parameter, a uniform, normal or beta distribution is applied. Figure 11 shows the result of the basic case. The upper bound shows the FN curve when two times the standard deviation has been added to the original risk level. This is simply taken as example for the reasoning and corresponds to a 97.73% reliability interval. Figure 11 shows that the limit curve is crossed. Thus, within the chosen reliability interval, the upper limit is not acceptable anymore. There are different ways to define an acceptable solution. One way is to add safety measures (i.e., lower the original FN curve, as illustrated in Figure 9) and lower the FN curve and the corresponding upper bound. Another way is to reduce the standard deviation, (in other words: to accept a smaller reliability interval), so the FN curve remains below the limit curve. This means that a statement could be made about the reliability of the results and therefore about the reliability of the applied safety system. For example, in the applied case study, it could be said that the results are within the acceptable limits of a certain percentage while taking the predefined assumptions into account.

Figure 11
figure 11

Societal risk representation of FN-curve with standard deviation for the basic case

Full size image

5 Conclusions

In this paper a bow-tie based risk assessment methodology has been described in the context of life safety in case of fire in a tunnel. The integrated approach, involving a smoke spread model, evacuation model and consequence model, in combination with an event and a fault tree analysis and simplification, allows quantification of the life safety risk. The models can take into account all types of geometry and materials, human behaviour and different susceptibilities of people for smoke.

As important end result, the possible number of fatalities is presented by means of an FN-curve. It has been illustrated that the methodology allows comparing the risk level to acceptable limit levels. Secondly, quantification of the installation of additional safety systems on the risk level is possible. As such, different designs can also be compared directly to each other. Finally, the impact of the desired reliability level on the acceptability of the risk level of the safety design can be quantified.