In the new international “threat” environment, the protective design calculus for a facility tends to focus on the hypothetical external terrorist attack involving explosive force. Sadly, in many instances, this assumption of a likely source of attack on a facility is all too valid. Creating a “secure” facility, however, means more than protecting personnel and property from the impacts of terrorist attack. Securing a facility involves many aspects of design and construction and can be formulated for a variety of objectives. In this discussion we will focus on secure design and construction elements that also seek to protect an organization’s ability to sustain critical operations despite an assault on the facility. This means protecting the heart of virtually all operations, the electrical systems.
While designing and building to protect facilities from terrorist attack may be a far cry from the code-oriented practices of the past, owners and design-build professionals still must address the more traditional threats from dangerous windstorms, floods, earth tremors, and similar natural occurrences. These natural disasters can have catastrophic effects — witness the recent Hurricane Katrina along the U.S. Gulf Coast — and may pose an even more likely threat to operational continuity and personnel safety than terrorism. This is due in large part to society’s increasing reliance on electrically powered systems for nearly every task, from standard power systems to advanced communications, controls, and more.
“Traditional” electrical design practices were frequently distinguished by single failure points, since the design emphasis was focused on emergency evacuation. While safety remains a first priority, owners now also want operational continuity. Today’s facility owners need to recognize all these risks and ask designers and builders to provide contemporary approaches to design and construction that incorporate enhanced fail-safe solutions for both traditional and new threats to building and occupants.
What, then, is today’s design-build team to do? What is today’s design-build partnership’s responsibility to owners when it comes to the security landscape? Given a heightened threat environment, how can the design-build process bring – and how have design-build processes brought – added value for clients?
The many aspects and complexities of producing secure facilities require every design discipline, contractor and sub-contractor, vendor and supplier, to collaborate with each other and the owner to create a package that meets expectations. Unless the owner shows some initiative in the RFP, our experience indicates that it may be difficult at best, if not impossible, to reorient them “after the fact.” In any event, the evaluation process must include the unexpected, anticipating multiple rather than single event failures, and consider design configurations that recognize those possibilities. Bringing all the project stakeholders to the same place in matters of secure facilities is a challenge that the design-build community is particularly adept at accomplishing by its emphasis on cross-communication and collaboration. One likely opportunity after team selection is to raise critical security points during design conferences with the owner and/or the owner’s representatives and stakeholders.
First, there must be agreement on just what is the facility’s security landscape. Are all the stakeholders viewing the same real estate in the same way? How can you plan for the unexpected? How much time, effort and money should be expended to achieve a reasonable level of security? What we hope to do here is provide some insights on how to evaluate a project and suggest how the design-build professional might approach safeguarding electrical and electronic systems to create a more secure project.
Secure vs. Security
Whether designing a new building or renovating an existing one, an engineer typically develops design solutions from the perspective of building functions. Variables such as required operations, available space, desired aesthetics, and project cost are harmonized to provide the owner a quality, cost-effective design. The “new world” has forcibly changed that methodology to include the factor of threat mitigation as one of the standard variables in the design mix.
Creating a more secure facility through threat mitigation design and construction isn’t just for government buildings anymore (see State Department graphic on page 19). While “terrorism” may be the first thought that comes to mind, a threat to the building’s occupants and operations can, as we have stated, originate from other sources, such as natural disaster, accidents, criminal activity, contamination, cyber attack, systems failure, or even collateral damage from an event affecting a neighbor.
There is a difference in designing and building to protect from human-induced force and stealth and designing to protect electrical power, communications, and security control systems from damage or compromised access.
Security Design includes various types of equipment appropriate for the protection and operation of the building and its occupants. Typical building equipment may include a combination of access control, intrusion detection and surveillance equipment as well as owner or owner-agent response. Access control systems create a safer and more secure environment; protect assets; make employees aware; control information; allow, deny, deter, and/or delay access; and track information. Access control devices range from basic to complex: fences, gates, planters and bollards; chains and padlocks; manual locks with keys; combination locks (manual and electronic); proximity readers; biometric readers; manned single point entry turnstiles; and X-ray machines and magnetometers. Intrusion detection devices include motion sensors, window and door contacts, and glass-break sensors. Surveillance systems use closed circuit television cameras, digital video recorders, and monitors, and can be integrated with the access control devices and software to track and identify personnel. The owner response team interprets the data from the access control and surveillance systems and takes appropriate action. It is critical that the owner’s security representatives are involved early in the design so that the design includes all equipment necessary for the building’s required security operations. This involvement will also ensure that they recognize the tasks they must undertake to maintain the building security once they accept the building.
Secure Design, in large measure, includes the building security equipment described above but, to have a successfully secure building, the design must involve much more. A multi-disciplinary approach, along with significant participation from the owner, is essential since tradeoffs among disciplines often must be considered. Secure design considerations include physically layered defenses, space planning, critical infrastructure protection, building hardening, vehicular and pedestrian traffic control, the use of landscaping and topography, the use of sacrificial building areas, operational policies and procedures, maintenance policies and procedures, and emergency/disaster planning. Design-build professionals are essential during this aspect of the design since their construction experience and cost estimating skills are indispensable in evaluating alternatives. Design-build team members can suggest and develop improved mitigation strategies that incorporate the associated tradeoffs with other disciplines that preserve the owner’s intent, enhance the deliverable, and yet adhere to budgetary restraints.
Utilities such as power, communications, fuel, heating, ventilation and cooling, domestic water, plumbing/sewer, and hazardous material storage are critical infrastructure. The loss of one or more utilities can bring building operations to a standstill. For example, virtually the entire Northeast United States and Southeast Canada experienced the largest blackout in American history in August 2003. Emergency systems were severely tested during this event. While emergency evacuation was successful in large part, businesses without additional emergency provisions enabling continued operations could not function, resulting in billions of dollars in lost revenues and productivity.
It is nearly impossible from a practical standpoint to protect a building and its occupants from every possible threat. To do so would likely be impractical and cost prohibitive. Design-build professionals can assist an interested owner in assessing potential risks to a given facility and how best to use design-build resources for mitigating identified risks. References such as FEMA 452 (http://www.fema.gov/fima/rmsp452.shtm) and FEMA 426 (http://www.fema.gov/fima/rmsp426.shtm) are available to help a team assess an existing building’s vulnerabilities and plan for new construction.
One of the more critical elements in the assessment process is to identify single points of failure in the power, signal, and communications systems. The design-build team can work together to develop approaches for minimizing single points of failure, since it is unlikely that all single points of failure can be eliminated.
Prudence vs. Need
The design-build team should always exercise professional judgment. When an owner falls short in planning for asset protection, design architects and engineers use their professional skills to identify a weakness that either does not meet standards or, from the professional’s experience, bears strengthening. The normal course of action is to discuss the discrepancy with the owner and urge mitigation. How much protection is enough can be subjective. What level is “not enough?” A threat assessment will guide the team and the owner in making these critical decisions. Often, though, for the owner, cost/budget considerations will drive the solution. Nonetheless, when a reasonable doubt is made evident, a reasonable response is needed.
Protecting the electrical power system from a threat appears at first to be a simple endeavor. Loss of utility power is usually not a problem since an uninterruptible power supply (UPS) system is often installed to protect critical equipment from outages, coupled with back-up emergency generators that deliver power for extended periods to support loads for life-safety and allow critical operations to continue. This is a fairly standard approach.
If a generator is required, it must be sized for the job. That means not only its power output, but also the fuel capacity in hours of continued operation. And should the back-up have back-up? The probabilities of various threats, determined by the threat assessment along with affordability, will help resolve those decisions. In any event, locating the UPS and auxiliary power plants is a serious design/construction issue that today’s design-build teams need to consider.
Typically, a generator plant would be located either in an outdoor service yard or in a generator room on the building’s exterior. From an architectural and aesthetic standpoint, an outdoor service yard has always seemed to be a sensible approach since it centralizes all of the “unattractive” equipment such as cooling towers, storage tanks, utility service entrances, and loading dock and dumpster in an out-of-sight location. This solution also saves interior floor space for building operations. However, centralizing all of this equipment in one area makes an inviting — and easy — target in today’s environment, leaving these ordinarily “routine” infrastructure support elements vulnerable to a host of threats previously not considered. Installing the generator plant in a room inside the building will enhance protection but, by ordinary practice, the room would still be located on the building exterior for easy access to combustion/intake air and exhaust louvers. The exterior of the building, though, is still a highly vulnerable location, particularly in the event of a blast.
Providing N+1 redundancy (where N equals the quantity of equipment required for operation) is another standard approach for ensuring continued operation of critical equipment. For example, if the building requires a generator plant with two emergency generators operating in parallel, N+1 redundancy requires a third generator for backup. Ideally, redundant equipment should be located in a separate space apart from the normal equipment. That solution, however, requires additional building space for electrical and mechanical systems, which requires increasing the building size or sacrificing program space for redundancy. This situation presents an opportunity for the design-build team to exercise value engineering. Let’s look at some options.
Protecting Power Distribution Assets calls for a broad approach to security:
a. Locate critical utility spaces such as electrical and mechanical rooms, UPS rooms, and fire command centers in the building’s most interior areas. Route major power distribution feeders as far from the building exterior as possible.
b. Conceal and/or harden incoming utility systems. Investigate the utility source equipment for vulnerabilities. For example, the incoming service may be installed underneath the building, but how vulnerable is the utility transformer, primary circuitry, or the substation?
c. Provide redundant power distribution even down to branch circuit level. We recently visited a facility with N+1 redundancy for all of the electrical and mechanical systems. Each air handler was provided with a normal and backup fan motor. Instead of a single point electrical connection to the air handling unit, each motor was fed from a separate circuit to provide additional redundancy. However, both circuits feeding the motors were fed from the same motor control center, which is a single point of failure for the system.
d. Identify the time required for local utilities to refuel the site. If the refueling time is unacceptable for maintaining continuous operation, provide on-site fuel storage sized to accommodate the required operational time until refueling can occur. Consider that fuel has a shelf life and provide fuel treatment and filtering systems to maintain fuel viability. Conceal fuel tanks as much as possible given your site limitations, and locate fuel storage tanks at least 100 feet from the building to minimize the effects of a blast involving the tanks themselves. Also consider dual fuel source generators, which can operate from two different fuel sources such as natural gas and propane. These generators provide an added level of redundancy and flexibility during an event.
e. Provide quick connects for portable utility backup systems. If space or cost prohibits N+1 redundancy, you can make relatively simple provisions in the switchgear that will allow the temporary connection to provide utility backup for portable generators or UPS.
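The single-point-of-failure check described in the assessment discussion above, worked through on the air-handler case from item (c), as an added example that is not part of the original article: the distribution system is modeled as a directed graph from sources to loads, and a component is flagged when its loss alone leaves a critical load with no path from any source. Node names (ATS, SWGR, MCC-1, AHU-1 and so on) are constructed for illustration, and the same function applies unchanged to a signal or communications topology.

```python
"""Single-point-of-failure (SPOF) finder for a modeled power distribution topology.

A component is a SPOF for a load if removing that one component alone leaves
the load with no path from any power source (utility service or generator).
"""
from collections import deque

# Constructed topology based on the air-handler case in the text: two fan
# motors on separate branch circuits, but both circuits fed from one MCC.
# Node names are illustrative assumptions, not a real facility.
SOURCES = {"UTILITY", "GEN-1", "GEN-2"}          # GEN-2 is the N+1 unit
AS_BUILT = {
    "UTILITY": ["ATS"], "GEN-1": ["ATS"], "GEN-2": ["ATS"],
    "ATS": ["SWGR"],                 # automatic transfer switch -> switchgear
    "SWGR": ["MCC-1"],
    "MCC-1": ["CKT-A", "CKT-B"],     # both branch circuits from one MCC
    "CKT-A": ["MOTOR-A"], "CKT-B": ["MOTOR-B"],
    "MOTOR-A": ["AHU-1"], "MOTOR-B": ["AHU-1"],  # either motor keeps AHU-1 running
}

def reachable(graph, sources, target, removed):
    """Breadth-first search from every source; True if target is still fed
    when the single component 'removed' is taken out of service."""
    seen = set(s for s in sources if s != removed)
    queue = deque(seen)
    while queue:
        node = queue.popleft()
        if node == target:
            return True
        for nxt in graph.get(node, []):
            if nxt != removed and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False

def single_points_of_failure(graph, sources, load):
    """Sorted list of components (other than the load itself) whose single
    loss de-energizes the load."""
    nodes = set(graph) | {n for outs in graph.values() for n in outs}
    assert reachable(graph, sources, load, removed=None), "load unserved even intact"
    return sorted(n for n in nodes - {load}
                  if not reachable(graph, sources, load, removed=n))

def add_second_mcc(graph):
    """Mitigated variant: feed CKT-B from a second MCC instead of MCC-1."""
    fixed = {k: list(v) for k, v in graph.items()}
    fixed["MCC-1"] = ["CKT-A"]
    fixed["MCC-2"] = ["CKT-B"]
    fixed["SWGR"] = ["MCC-1", "MCC-2"]
    return fixed

if __name__ == "__main__":
    print("as built  :", single_points_of_failure(AS_BUILT, SOURCES, "AHU-1"))
    print("with MCC-2:", single_points_of_failure(add_second_mcc(AS_BUILT), SOURCES, "AHU-1"))
```

Adding the second MCC removes it from the list, but the transfer switch and switchgear remain single points of failure upstream, which is why items (a) and (b) above call for locating and hardening those assets rather than expecting every single point to be eliminated.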
Bring your design-build contractor experience to the process of installing and starting up equipment. This experience helps the owner by assisting with developing maintenance plans for the equipment.
Code-Plus is the recommended mindset for today’s facility design and construction. A quick scan of the building codes is enough to show that the codes address fire emergencies and natural events such as earthquakes. Standard alarm systems and current signage would lead most building occupants to believe that a fire is the only emergency to worry about. But there are situations where evacuating the building, as most signage directs, may not be the safest or best course. Signal systems routinely used for fire, security, and public address have three parts: a single central control panel, initiating and annunciating devices, and a remote annunciator panel. The initiating and annunciating devices often connect directly to the central control panel. Loss of the control panel disables the entire system. Loss of a floor between higher floors and the control panel can disable major portions of the system. An improvement to this approach to signal systems design is to use a multi-panel arrangement where several control panels are used throughout the building. These panels can communicate with each other via a network but can also act alone in the event communication is lost among the different panels.
NFPA 72 (National Fire Protection Association) requires the fire command center to be at the building entrance unless approved otherwise by the authority having jurisdiction. In today’s threat environment, though, locating the command center at the entrance breaks one of the fundamental rules of secure building design: locate critical assets and necessary support equipment in the building’s most interior (and protected) area. Control of access to the fire command system as well as to other critical spaces should be layered, with the most restrictive control associated with the most critical assets.
Fail Safe/Feel Safe is the owner’s bottom line expectation. As facility designers and constructors, our responsibility is to deliver buildings that respond reasonably to credible, identifiable threats. As the standard of care for designers and constructors continues to evolve in this area, prudent professionals will strive to offer sound solutions that acknowledge this changing threat landscape. However, while we hope our services provide occupants a sense that they work where they have the best opportunity to survive the realization of those threats, we cannot guarantee such results. Nevertheless, as the world changes, we should be in the vanguard of changing practices to meet real-world needs.
Rachel Fore, P.E., holds a B.S. in Electrical Engineering from Virginia Tech University, and is a member of NSPE and IEEE. Her experience covers a broad range of electrical design environments. She is the author of several articles for professional publications. She can be reached at rfore@hsmm.com.