Work Domain Analysis

The CWA framework consists of five phases: work domain analysis (WDA), control task analysis, strategies analysis, social organisation and cooperation analysis and worker competencies analysis (Naikar, 2013; Vicente, 1999). Only the WDA phase has been applied in this work. In the WDA phase, the functional structure of the system is described by identifying the purposes, values and priorities, functions, processes and object-related constraints of the work domain. As such, the WDA describe the fundamental reasons and resources for the different actors’ behaviour within the work domain (Naikar, 2013).

The WDA consists of an abstraction hierarchy analysis and a part-whole decomposition. Together, the abstraction hierarchy and the part-whole description form the abstraction-decomposition space (ADS) for which the system constraints apply. Since WDA is event-independent, the identified system constraints, e.g. the identified values and priorities, are applicable to many different situations, including unanticipated events.

The abstraction dimension of the WDA spans the set of concepts for describing the functional structure of the system (Naikar, 2013; Vicente, 1999). This is done by employing the abstraction hierarchy method which uses means-ends links to show relationships between nodes across different levels of abstraction. Linked nodes above a node under consideration (the ‘what’) describe ‘why’ that node is required, while linked nodes below the node describe ‘how’ the node is achieved. In the context of this study, a node can e.g. be a critical infrastructure system or an infrastructure asset. By applying the how-what-why triad four times, an abstraction hierarchy for identification of critical entities providing essential services for maintaining vital societal functions can be developed as illustrated in Figure 1.

Figure 1.

Five-level abstraction hierarchy with the how-what-why triad illustrated.

The abstraction hierarchy proposed in this work is a modification of the usual five-level abstraction hierarchy (Vicente, 1999), and consists of the following conceptual levels:

Here, the original term ‘physical objects’ has been replaced by ‘assets,’ which is considered to be more appropriate for describing infrastructures. This abstraction hierarchy is therefore consistent with the definition of infrastructure suggested by Oughton et al. (2018), i.e. “the coordinated operation and management of a group of physical assets to perform a range of processes, thereby providing infrastructure services to users”.

It is important to note that the representations at the different levels of abstraction should be categories and not specific instances of a category. Furthermore, the means-ends relationships should be structural and not action means-ends relations (Naikar, 2013; Vicente, 1999). Consequently, nouns rather than verbs should be used to describe the different functions and objects in the work domain.

The decomposition dimension of the WDA provides levels of granularity for describing the functional purpose of the system (Naikar, 2013; Vicente, 1999). The levels of decomposition are connected by so-called part-whole relations; i.e., nodes at lower levels are functional parts of those at higher levels. For the purpose of this work and given the objectives of the proposed European Union (EU) COM(2020) 829 directive (European Commission, 2020), the following levels of decomposition are found expedient for describing vital societal functions:

The fourth level, types of entities, describes the types of public or private entities that provide the assets, and will aid the identification of critical entities in accordance with Article 5 of the proposed EU COM(2020) 829 directive (European Commission, 2020).

Selection of Use Cases

To illustrate the usability and the different aspects of the proposed framework, several critical infrastructure use cases were selected. EU critical infrastructures, as described in the proposed EU COM(2020) 829 directive (European Commission, 2020), were selected as the main use case in this study. This use case is considered relevant for many country-specific applications of the framework. In addition, Norway and the United Kingdom (UK) were included as use cases for the discussion of qualitative and quantitative values and priority measures, respectively, while NATO’s seven baseline requirements (NATO, 2021b) were used to illustrate the use of the framework for defence-related use cases. UK was selected out of relevance for the discussion of quantitative values and priority measures, while Norway was selected out of convenience.

Abstraction-Decomposition Space Applied to Critical Infrastructure Systems

The ADS for describing critical infrastructure systems is summarised in Table 1. As argued by Vicente (1999), each cell in the ADS offers a complete but different representation of the same work domain. The top left cell in Table 1 represents the functional purposes of the whole system, while the bottom right cell describes the types of entities for all of the individual assets in the system. It is often not necessary to populate the whole table since the solution is often found along the diagonal of the ADS as indicated by the shaded cells in Table 1. Still, it can be useful to define specific values and priority measures, e.g. resilience criteria, for the identified sectors, sub-sectors and types of entities.

In the following, the use of the ADS will be exemplified and discussed with critical infrastructures in the UK and the EU as use cases. Examples from Norway and NATO will be leveraged as well. As a starting point for the discussion, the work domain (the whole system) is to be considered as an open sociotechnical system consisting of critical infrastructure systems that are to be identified. The work domain is therefore to be considered as a system of systems.

Functional Purposes

The first level of abstraction in the ADS describes the purposes that the system, i.e. the system of systems, serves in its environment. That is, the system exists because the environment has certain needs and the system can fulfil these needs. As argued by Dolan (2018), such a strategic need assessment requires a clearly articulated systemic vision comprising sector-, solution- and technology-neutral desired outcomes which is understood and accepted. This is important in a defence and security context. First, it will be difficult to protect a system if the functional purposes of the system are not fully understood and accepted. Secondly, any solution- or technology-biased purpose description will shape the decisions made for the subsequent abstraction levels. Poor decision-making can result in “lock-in” effects that put the infrastructure systems on long-term path-dependent trajectories that can be hard to break away from due to, e.g. the financial or technological hurdles involved (Oughton et al., 2018).

Depending upon how the needs are described, who is the reference object for the need and which constraints are provided, different models of a system can emerge. For example, the purpose of the system can be to safeguard the basic needs of the population in the society. Here, one may say it is the population in the society that frames the constraints for the work domain. A different functional purpose can be to maintain national security, national defence and the functioning of the state. In this case, the national security act would provide a constraint on the work domain. A third functional purpose could be to safeguard the nation as a democracy and a state based on the rule of law and universal respect for human rights in accordance with the nation’s constitution. In this case, the constitution provides the constraint. A fourth type of need could be to maintain vital societal functions or economic activities in the EU internal marked in accordance with Article 1 of the proposed EU COM(2020) 829 directive (European Commission, 2020); consequently, the constraint is given by the directive. A last example of a need is the need to resist armed attack as described by Article 3 in The North Atlantic Treaty. Here, it is the Treaty that provides the constraints on the work domain. Understanding the functional purposes of the system is therefore essential for applying the ADS.

Values and Priority Measures

The values and priority measures level of abstraction provides two types of criteria: The first is measures for how well the system is progressing towards its functional purposes, while the second is criteria for comparing, prioritising and directing resources to the various purpose-related functions so that the functional purposes of the work system are fulfilled. Examples of the first type at the national level could be sustainability measures or levels of services, while the second could be resilience criteria. Since the criteria at this level of abstraction are invariants or relatively stable properties of the work domain, they provide guidance for reasoning from first principles when the system is confronted with stressful, unanticipated events.

Values and priority measures at the national level (whole system) may be difficult to describe quantitatively; such criteria are therefore usually qualitative. Taking the Norwegian Act relating to national security as an example, the values and priority measures for the system as a whole could be described as protection of national security interests. Such interests are defined as “Norway’s sovereignty, territorial integrity and democratic system of government, and general political security interests related to a) the activities, security and freedom of action of the highest state bodies; b) defence, security and contingency preparedness; c) relations with other states and international organisations; d) economic stability and freedom of action; e) fundamental national functions and the basic security of the population” (Security Act, 2019). In the Norwegian security act, fundamental national functions are defined as “services, production and other types of activity which are of such importance that a complete or partial loss of the function would have consequences for the State’s ability to protect national security interests” (Security Act, 2019). For the proposed EU COM (2020) 829 directive, the values and priority measures could be described as ensure the provision of essential services for the maintenance of vital societal functions or economic activities in the EU internal marked (European Commission, 2020).

Quantitative performance measures for infrastructure sectors are possible and have been taken by the UK National Infrastructure Commission (NIC) (National Infrastructure Commission, 2018). These performance measures provide clear guidance for how to assess and measure each infrastructure sector’s performance. For this purpose, Dolan et al. (2016) have proposed a conceptual approach for identifying outcome-oriented performance indicators for infrastructures, which has been applied by Carhart et al. (2016). However, because of infrastructure interdependencies, performance loss in one infrastructure sector may influence the performance of other infrastructure sectors. It is therefore necessary to define desired outcomes for the system as whole and not at a sector-by-sector level in order to define meaningful outcome-oriented performance indicators to evaluate cross-sectoral performance (Dolan et al., 2016). Indicators at the sectoral level may still be helpful to guide the development of such whole-system performance indicators.

For example, performance measures for critical infrastructure sectors can be used to quantify resilience (Bruneau et al., 2003). Although several definitions of resilience exist (Cereè, Rezgui, and Zhao, 2017; Curt and Tacnet, 2018; Haimes, 2009; Petersen et al., 2020; Wied, Oehmen, and Welo, 2020), most definitions are formulated around the system’s ability to reduce the chances of an undesired event and to maintain and recover its core functionality in case of disruption. By setting constraints on minimum system performance loss and recovery time before the service level is restored, risk-based resilience standards for critical infrastructure sectors can be put forward (FEMA, 2019; Poland, 2009). However, as discussed by Haimes (2009), such efforts should be contextualised to the risks to the system and their associated consequences. This calls for unified approaches to risk and resilience analysis and management (Aven, 2019). In addition, critical infrastructure sectors should undergo stress testing to evaluate whether they meet the resilience standards (Esposito et al., 2020).

Resilience standards as part of the values and priority measures for critical infrastructure systems at the national level should therefore be established on the basis of the national risk assessment. Here, it is important to take the scale of possible undesired disruptive events into consideration. Lessons from the Covid-19 pandemic have shown that the pace, duration and the geographic scale of a crisis, the interconnectedness of critical infrastructures and the associated cascading risks, and nation states’ capacity to prepare and respond are all important drivers for a crisis (Collins, Florin, and Renn, 2020). Thus, these are all important factors to take into consideration when establishing resilience standards. Furthermore, it is also important to take the vulnerabilities of critical infrastructure systems into consideration in the national risk assessment, since such vulnerabilities may translate into threat scenarios if they are exploited.

As argued by both the UK NIC (National Infrastructure Commission, 2020) and the proposed EU COM(2020) 829 directive (European Commission, 2020), resilience standards for critical infrastructure systems should be government’s responsibility and not the (usually) private entities providing the services. This is in agreement with the ADS proposed in this work since values and priority measures apply to the system as a whole. The UK NIC provides several reasons for this (National Infrastructure Commission, 2020): Firstly, the government will be involved when there are serious failures or risks are too high for private entities. Secondly, resilience is not properly valued on the market. Thirdly, because of interdependencies, failure to provide a service does not just affect the consumers of that particular service. Lastly, markets focus on those who can pay, while in a crisis the focus should be on those who are in need.

Purpose-Related Functions

As mentioned, purpose-related functions are functions that are necessary for fulfilling the functional purposes of the whole system. This requires coordination of the purpose-related functions in accordance with the values and priority measures. Furthermore, the functions are generalised functions to accommodate a wide variety of activities by the underlying levels of abstraction.

Purpose-related functions are typically decomposed into sectors where each sector would constitute a system. In the proposed EU COM(2020) 829 directive, the following ten sectors are identified (European Commission, 2020): (1) Energy; (2) Transport; (3) Banking; (4) Financial market infrastructures; (5) Health; (6) Drinking water; (7) Waste water; (8) Digital infrastructure; (9) Public administration; and (10) Space. These sectors can be translated into purpose-related functions by using nouns for describing the different objects of action, e.g. provision of energy, provision of transportation, provision of banking services, provision of financial market infrastructure services, provision of health services, provision of drinking water, provision of waste water services, provision of digital infrastructure services, provision of public administration services and provision of space-based services. In the context of this study, these purpose-related functions can be considered as vital societal functions because they provide essential services for the functional purposes of the EU internal market.

If we look at the functional purpose of maintaining civil preparedness in accordance with NATO’s seven baseline requirements, the following purpose-related functions can be described (NATO, 2021b): (1) Provision of critical government services; (2) Provision of energy supplies; (3) Management of uncontrolled movement of people; (4) Provision of food and water resources; (5) Management of mass casualties; (6) Provision of telecommunications; and (7) Provision of transportation. Several sectors can be involved in providing the purpose-related function. In order to deal with mass casualties for example, both rescue services and the health sector are required.

Infrastructure-Related Processes

The infrastructure-related processes level of abstraction describes the functional capabilities that enable the purpose-related functions in the work domain. Taking EU critical infrastructures (European Commission, 2020) as an example, the provision of electricity, district heating and cooling, oil, gas or hydrogen all contribute to the purpose-related function provision of energy. Likewise, air, rail, water and road transport services enable the function provision of transportation.

Assets

The last level of abstraction in the proposed ADS represents the assets that enable the higher-level processes and functions. Such assets can be both physical and non-physical assets. Taking the electricity sector as an example, assets for generation, transmission, distribution, storage and supply are needed in order to provide electricity. Infrastructures can therefore be represented as networks that are interconnected with the physical and non-physical assets, where the network representation models the infrastructure-related processes and the asset representation models the components that are required for providing the processes (Goldbeck, Angeloudis, and Ochieng, 2019; Oughton et al., 2018; Ouyang, 2014).

Interdependencies, object worlds and identification of critical entities

An infrastructure interdependency can be defined as a “bidirectional relationship between two infrastructures through which the state of each infrastructure influences or is correlated to the state of the other” (Rinaldi et al., 2001). Such interdependencies can be of many different types, see e.g. Ouyang (2014) for a review. Understanding the vulnerabilities induced by multiple interdependencies is generally considered one of the major challenges when it comes to improving infrastructure resilience (Chang, 2009). If the vulnerabilities can be exploited by an adversary, the vulnerabilities will translate into threat scenarios. Mapping of assets and their interdependency relations is therefore needed for risk management and improving infrastructure resilience.

The types of interdependencies proposed by e.g. Rinaldi et al. (2001), Zimmerman (2001) and Dudenhoeffer, Permann, and Manic (2006), see also Ouyang (2014) for a review, can be considered as caused-based interdependencies. Such dependencies could be of physical, informational, geospatial, procedural or societal types. In a recent study, Goldbeck et al. (2019) argued that effect-based classification of interdependencies is more important for modelling purposes, since interdependencies can yield similar effects despite having different causes. For this purpose, Goldbeck et al. (2019) proposed four types of effect-based dependency relations: (i) stochastic failure propagation, (ii) logic, (iii) asset utilisation and (iv) resource input dependencies. A framework for characterising infrastructure dependencies has also been proposed by Carhart and Rosenberg (2016).

This study proposes that ADS can be used as a tool to frame the mapping of interdependencies to different levels of abstraction and decomposition. Figure 2 shows a simple, yet illustrative example of how the ADS can be used to map interdependencies by using the dependency relations example provided by Rinaldi et al. (2001) for the electricity sub-sector that is a part of EU critical infrastructures (Table 2). As can be seen, the interdependencies are of both intra-sector and inter-sector types (Carhart and Rosenberg, 2016). Such interdependency mapping can inform policy and decision-making at the national level on risks across different infrastructure sectors as well as aid the identification of critical entities in accordance with the EU COM(2020) 829 directive (European Commission, 2020). It can also help inform entities to perform assessments of how their assets fit within and are affected by a broader web of interdependencies with other entities’ assets. Applying the ADS may therefore help to elucidate the structural complexity (Zio, 2016) of critical infrastructures at the national level.

Figure 2.

Simple, illustrative example of mapping of dependency relations (dashed arrows) for the electricity sub-sector using an abstraction hierarchy for EU critical infrastructures and an interdependency example provided by Rinaldi et al. (2001). The solid lines show the structural means-ends relationships.

Furthermore, as mentioned in the introduction, critical infrastructure systems in free market economies do not, in general, have a single entity in control of the system (Oughton et al., 2018). On the contrary, the control is often distributed amongst several stakeholders and where governmental authorities have limited regulatory control. In addition, governance at the national level is often fragmented across several government departments. The UK and other countries such as Australia and New Zealand have therefore taken steps to coordinate infrastructure policy across government (Oughton et al., 2018).

In the context of the ADS proposed in this work, stakeholders’ interests and decision-making will occur at different levels of abstraction and decomposition. Consequently, different stakeholders will have different but overlapping views of the same system (work domain). Such views can be considered as different object worlds (Naikar, Hopcroft, and Moylan, 2005). Because of the overlap and interdependencies between different stakeholders’ object worlds, changes or effects in one stakeholder’s object world can propagate to other object worlds (Naikar et al., 2005). Finding ways for the different stakeholders to collaborate effectively is therefore necessary for improving risk management. The ADS proposed in this work will help to elucidate and frame the object worlds of different stakeholders and decision-makers thus aiding the mapping of interdependencies and the coordination of policies across different infrastructure sectors.

Limitations

The limitations of this study pertain to the applicability of WDA in general and to critical infrastructure systems in particular. Although the usefulness of WDA has been demonstrated by many studies (Naikar, 2017), there is generally a lack of validation of such models (Rechard et al., 2015). Put simply, validation deals with building the right model (Rykiel, 1996). The lack of validation also applies to this work. We therefore do not have empirical evidence for whether the methodology for WDA will result in valid and reliable ADS models of critical infrastructure systems. This needs to be investigated further. Expert opinions (Naikar et al., 2005) and scenario mapping (Burns, Bryant, and Chalmers, 2001) could serve as useful methods for validating that a proposed ADS model captures all relevant domain constraints for the critical infrastructure system under study.