CHAPTER1: BACKGROUND 1.1 INTRODUCTION After September 11, 2001, many cities have experienced a proliferation of security measures around federal and private buildings. In some cases, these installations have been considered successful from a security, architectural, urban planning, and cultural preservation standpoint. In other cases, however, the installation of security barriers has been acknowledged as detrimental to the function, quality and viability of the public realm. Restricting access can cause significant traffic congestion and can create unnecessary obstacles on streets and sidewalks, that minimize the efficiency of pedestrian and vehicle circulations systems and prevent the access of first responders in emergencies. How exposed we are to manmade disaster still remains a difficult question to answer in spite of the advances that have been made in the last few years in identifying potential acts of terrorism. To stop a terrorist or physical attack on a site or building is very difficult. Any site can be breached or destroyed. Weapons, tools, and tactics can change faster than sites or buildings can be modified. Terrorism involves violent acts or acts dangerous to human life. These acts appear to be intended to intimidate or coerce a civilian population and influence government policy. Aggressor tactics run the gamut: moving vehicle bombs; stationary vehicle bombs; bombs delivered by persons (suicide bombers); exterior attacks (thrown objects like rocks, Molotov cocktails, hand grenades, or hand-placed bombs); attack weapons (rocket-propelled grenades, light anti-tank weapons, etc.); ballistic attacks (small arms handled by one individual); covert entries (gaining entry by false credentials or circumventing security with or without weapons); mail bombs (delivered to individuals); supply bombs (larger bombs processed through shipping departments); airborne contamination (chemical, biological, or radiological [CBR] agents used to contaminate the air supply of a building); and waterborne CBR agents injected into the water supply. Increasingly, the design community has become aware that security can no longer be viewed as a stand-alone capability. FEMA 430 promotes the adoption of sound mitigation measures that address both security needs and the functions, operations and aesthetic quality of the public realm. The better the site is designed to withstand a terrorist attack, the better the odds the building will not be attacked or, if attacked, will suffer less damage and more lives can be saved. FEMA endorses the view that the adoption of security measures can be, in many cases, cost-effective and can increase the overall efficiency and performance of sites and buildings. FEMA promotes the fact that security design needs to go hand-in-hand with good urban design practices and the preservation of urban landscapes in which cities will remain as viable places in which to live. This chapter provides some historical background on the design of sites and buildings to resist physical attack, followed by a note on contemporary developments in building security that were initially developed in response to attacks on U.S. embassies abroad in the 1980s. A set of governing principles is stated to guide a design team involved in balancing security needs with urban design. A basic concept of security design promoted in this publication is the concept of the three layers of defense, which is explained in Chapter 3, Section 3.2. The intent of this approach is to structure a defense in depth that creates cumulative security barriers that must be penetrated. Finally, the chapter closes by emphasizing the need for an integrated, holistic approach to security design. 1.2 THE EVOLUTION OF SITE SECURITY DESIGN 1.2.1 Some Historical Background The design of buildings to protect occupants from attack is as old as the history of architecture itself. The development of gunpowder and cannon in the middle ages forced walls to become lower and thicker in protection against cannon balls. The eventual result was the bastioned fort, which was developed in increasingly elaborate forms. With a broad open space in front of the moats; the drawbridge, inner and outer entries, the high walls with slit openings and the well guarded towers, the complex, in its mature form, shows all the elements that are present in today's doctrine of the three layers of defense against attack (Figure 1-1). The design of military structures to resist artillery fire or bombs is a specialized task that does not normally enter into the design of everyday buildings. However, design for security in the sense of protecting occupants from criminal behavior is a familiar, if not prominent, aspect of everyday design. Limited for a long time to the application of locking devices, barred windows in urban areas and the like, the rise in the extent and sophistication of everyday crime - such as shoplifting - has resulted in the development of surveillance devices now familiar to us, such as closed-circuit TV, that would have been inconceivable only a generation or so ago. Similarly, the closed building site with perimeter chain link barriers has become commonplace: the closed grade school campus, with visitors funneled through the administration office, and perhaps a local police officer's presence, is one such phenomenon. The gated community in an affluent suburb with its radio-controlled gate and guard house matches the more familiar benign custodian of the entrance to an upscale apartment in a major city. 1.2.2 Contemporary Developments in Building Security Of the attacks in the United States that occurred on September 11, 2001, the devastating attack on the World Trade Center (WTC) in New York and the Pentagon in Washington demonstrated in full measure the horrors of explosive attacks on large buildings. The WTC destruction was an extraordinary and pernicious triumph in the war against buildings and their occupants that had its origins in World War II, in systematic city destruction, and more recently, in terrorist attacks against American embassies in Africa and the Middle East and against public and commercial buildings in the United Kingdom during the intense Irish Republican Army activity in the 1980s and 1990s. They are summarized in Section 1-5. The WTC had been previously attacked by a truck bomber in 1993 in an attempt to cause collapse, resulting in some loss of life and considerable damage but no catastrophic collapse (see Section 1.5.2.4). Figure 1-1: Mediaeval castle elements. SOURCE: FEMA E 155 Some of the characteristics of the September 11, 2001, attack on the WTC are described below. The attacks used an extraordinary weapon (Figure 1-2). The figure shows a Boeing 767 superimposed to scale against the floor plan of a WTC tower. In this instance the explosive fireball occurred several hundred feet above the ground and caused the collapse of the two towers. Debris from the collapsing towers severely damaged buildings close by and caused the complete collapse of WTC-7, a 57-story tower adjacent to the site. The WTC towers had been designed to withstand the accidental impact of a Boeing 707 seeking to land at a nearby airport; the airplane was estimated to have a gross weight of 263,000 pounds and a flight speed of 180 mph with a modest fuel load. The Boeing 767-ER type aircrafts that hit both towers on September 11 had estimated gross weights of 274,000 pounds and flight speeds of 470 to 590 mph on impact with near- full loads of fuel. The burning fuel proved to be the deciding factor in the collapse of the towers. These differences in the design threat and the actual attack illustrate the critical importance of establishing the design basis threat, as described in the risk assessment process outlined in the next chapter. The nature of the design, the assets (consequences), and the building vulnerabilities lead to the overall risk assessment that drives the consideration of alternative protection strategies. Figure 1-2: The extraordinary weapon. The figure shows the relative size of the Boeing 767 and the World Trade Center towers, the weight of the airplane, and its fuel load. SOURCE: FEMA 403, WORLD TRADE CENTER, BUILDING PERFORMANCE STUDY, FEMA, 2002 A preliminary account of the WTC attack is provided in FEMA 403, World Trade Center Building Performance Study: Data Collection, Preliminary Observations, and Recommendations. In addition, the National Institute of Standards and Technology has conducted a number of detailed studies and developed recommendations for building code changes as a result of the WTC experience. For information, go to http://wtc.nist.org. The WTC attack in its size and planning was a unique event. A decision to include aircraft impact as a design parameter for a building would clearly result in a major change in the design, livability, usability, and cost of buildings. The bomb delivered by car or truck is the terrorist weapon of choice against buildings because it is relatively simple to mount an attack. As was shown in the United States in Oklahoma City in 1995, a single large bomb exploded close to the Murrah federal building in Oklahoma City, causing devastating damage and many casualties (Figure 1-3). While vehicle barriers would clearly not protect against an air attack, for the Murrah building a properly designed barrier system and adequate stand-off would probably have significantly reduced the impact of the attack. A summary of the attack on the Murrah building is provided in Section 1.5.2.6. Most commercial buildings are in downtown areas, and the building site under consideration for protection may not be the target of attack. However, the site may be close to one or more high-profile targets, in which case the entire site and any adjacent buildings will be subject to collateral effects, which will vary in severity depending on the proximity to the target and the magnitude of the attack. Security strategies and devices had been under development since the embassy bombings of the 1980s. The Department of State began implementing perimeter protection and access control at some embassies to prevent vehicles from penetrating into critical areas within the facilities. At the same time, extensive research was undertaken on the resistance of buildings to blast and issues such as progressive collapse and glass breakage. Military planners also developed formal methodologies for the assessment of threats, vulnerabilities, and risk. Figure 1-3: The Murrah Federal Building, Oklahoma City 1995. SOURCE: FEMA 277, The Oklahoma city bombing: Improving building performance through multi-hazard mitigation Well before September 11, 2001, military security approaches had begun to be investigated for their application in the civilian environment. For example, in 1995 the National Academy Press published Protecting Buildings from Bomb Blast: Transfer of Blast Effects Mitigation Technologies from Military to Civilian Applications. In 1997 the General Services Administration (GSA) published the Draft Security Criteria. In 1995 the federal Interagency Security Committee (ISC) was established by Executive Order 12977 to develop long-term construction standards for locations requiring blast resistance or other specialized security measures. In a series of working group discussions, the ISC revised and updated GSA's Draft Security Criteria, taking into account technology developments, the experience of practitioners applying the criteria, and recognition of the need to balance security requirements with building environments that remain open, lively, and accessible. The result was Security Design Criteria for New Federal Buildings and Major Modernization Projects, published in 2001. The GSA and ISC documents are significant in that they were the first attempt to truly integrate security into every facet of the design and construction of a facility for non-Department- of-Defense (DoD) organizations. Prior to these documents, security was generally an afterthought: the last item added and the first item cut from any typical project. Over the past several years, many facility owners who are not required to implement the ISC requirements have adapted and adopted the criteria. Other criteria exist specifically to meet the unique needs of other agencies such as the Department of Defense and the Department of State. Other agencies have provided guidance, rather than standards, to both public and federal agencies in a number of publications. FEMA has provided an ongoing series of publications providing guidelines for a number of aspects of security design that are described in Section 1.4. From the experience and studies of blast effects on buildings, the importance of distance (between the building and the bomb) became recognized and led to the concept of the protected setback, now called stand-off, as an effective mitigation of blast. In turn, this has led to stand-off distance requirements becoming a standard element in security design and a de facto regulatory requirement in the design of buildings constructed or leased by federal government agencies. This one issue alone at once highlighted the site as a major security design arena, and site planning became a major factor in the aim to reduce the effect of explosive attack. In 1997 the United States Air Force Center for Environmental Excellence published Installation Force Protection Guide that included chapters that covered comprehensive planning and facility site planning. The material in these chapters became one of the foundations of security measures recommended to this day for perimeter and site security. 1.3 THE IMPACT OF SECURITY NEEDS ON SITE AMENITY The impact of 9/11, particularly in Washington and New York, was so traumatic that many security measures were quickly applied on an ad hoc basis. For example, the ubiquitous Jersey barrier is one of many devices used as perimeter security that, if not properly located, can degrade the quality and character of public space and severely detract from the sense of openness and accessibility that are features of an attractive and functional urban environment (Figure 1-4). Figure 1-4: Jersey barriers installed in New York City and Washington D.C. after 9/11. SOURCE: TOP LEFT, NYPD; TOP RIGHT, NYPD; BOTTOM LEFT, NYPD; Bottom right, NCPC The possibility that a focus on building security design might have detrimental effects on the aesthetic and functional quality of buildings and their surroundings had been recognized before 9/11. In November 1999 the GSA and the American Institute of Architects convened a symposium on security and the design of public buildings entitled Balancing Security and Openness, in which potential conflicts between security needs and traditional building amenities were debated. In the following year, the National Capital Planning Commission (NCPC), an influential public agency entered the discussion. NCPC is the federal government planning agency in the capital region. Concerned by the number of hodge-podge security solutions being installed by individual federal agencies after the Oklahoma City bombing and the attacks of September 11, 2001, NCPC convened a task force to address and report on the impacts, including street and sidewalk closures, and the detrimental physical, visual and psychological consequences that unplanned and uncoordinated perimeter security was causing the city and its historic resources. This was published as the National Capital Urban Design and Security Plan in October 2002. Figure 1-5 shows a typical proposal from the plan. The NCPC Plan focuses exclusively on perimeter building security designed to protect employees, visitors, and federal functions and property from threats generated by unauthorized vehicles approaching or entering sensitive buildings. It does not address other kinds of security measures such as building hardening, operational procedures, or surveillance. The goal of the plan is to restore the beauty of the nation's capital by integrating building perimeter security into an attractive streetscape and by coordinating the design and installation of streetscape products. Figure 1-5: Streetscape, corner of 17th Street and Pennsylvania Avenue, Washington, D.C. SOURCE: NCPC 1.4 FEMA PUBLICATIONS ON BUILDING SECURITY Since 2003, FEMA has published, as part of the Risk Management Series (RMS), several publications that deal directly with the security of the building site and site development. The RMS is a collection of publications directed at providing design guidance to mitigate the consequences of man-made and natural disasters against buildings. This series includes the following publications: * FEMA 426: Reference Manual to Mitigate Potential Terrorist Attacks Against Buildings discusses selected methodologies for risk assessment; architectural and engineering design considerations; blast theory related to the dynamics of the blast pressure wave, the response of building components; and CBR measures that can be undertaken to mitigate potential terrorist attacks. An entire chapter is devoted to site and layout design guidance that describes site-level consideration and provides concepts for integrating land use planning, landscape architecture, site planning, and other strategies to mitigate the design basis threat. * FEMA 427: Primer for Design of Commercial Buildings to Mitigate Terrorist Attacks addresses four high-population, private-sector building types: commercial office, retail, multifamily residential, and light industrial. This manual contains extensive qualitative design guidance for limiting or mitigating the effects of terrorist attacks. It includes a chapter on design guidance describing site location and layout, perimeter line, controlled access zones, physical protective barriers, effectiveness of anti-ram barriers, and a checklist for site and layout design guidance. * FEMA 428: Primer to Design Safe School Projects in Case of Terrorist Attacks provides the design community and school administrators with the basic principles and techniques to make a school a safer place in case of terrorist attacks. This publication includes a chapter on site and layout design guidance that addresses comprehensive architectural and engineering design considerations for the school site, from the property line to the school building. * FEMA 452: Risk Assessment: A How-To Guide to Mitigate Potential Terrorist Attacks Against Buildings is a comprehensive methodology to prepare risk assessments. This publication includes an extensive checklist and database that allows practitioners to analyze and rank site and building vulnerabilities. It introduces the concept of layers of defense that structures a defense in depth by creating cumulative security barriers that must be penetrated. * FEMA 453: Safe Rooms and Shelters provides guidance for engineers, architects, building officials, and property owners to design shelters and safe rooms in buildings. The section on "Staging Areas and Designated Entry and Access Control Points" is particularly relevant to site planning and design. * FEMA E155: Building Design for Homeland Security is a course of instruction that comprises all key materials introduced in the RMS Publications. The purpose of E155 is to familiarize students with assessment methodologies available to identify the relative level of risk for various threats. This course devotes a section to "Site and Layout Design Guidance," addressing topics such as land use considerations, layout and form, vehicular and pedestrian circulation, landscape, and semi-urban and urban design. This course emphasizes best practices, addressing prime concerns related to the design and placement of physical barriers. It addresses concerns about densities (from high to low) in urban areas. This course is offered nationwide to federal, state, and municipal agencies and private-sector owner and manager associations. 1.5 BUILDING DAMAGE FROM TERRORIST ATTACK: EXAMPLES AND LESSONS 1.5.1 Introduction This section provides summaries of terrorist attacks on buildings throughout the world. There are three main purposes in these accounts: * To show that information on large-scale terrorist bomb attacks on buildings is now based on over twenty years of experience, which has resulted in the development of many counter-measures. * To provide a sense of the effects of terrorist attacks on buildings and their occupants, the variety of groups or individuals that perpetrate these attacks, the kinds of targets that are selected, and the longer- term effects of attack. * To indicate specific lessons learned from the attacks that have been selected. For the United States, the rise of terrorist attacks as a significant problem began in the Middle East with attacks on military installations and U.S Department of State embassies and consulates. The Department of State and the military published a number of studies following these attacks in which many of the main principles of building protection were identified. These principles form the basis of measures now being implemented in other institutions and private companies that are considered possible targets of attack. Experience in other countries, such as the United Kingdom and Israel, has also provided much information on the vulnerabilities of buildings and the effectiveness of protection methods. 1.5.2 Selected Examples of Terrorist Attacks on Buildings The following sections provide short descriptions of terrorist attacks on buildings, presented in chronological order. Each of the examples is accompanied by a summary of "lessons learned." These lessons are presented in terms of the threat, asset value, and vulnerability, which are aspects of the risk assessment described in Chapter 2. In addition, the lessons are related to the three layers of defense, summarized in the box below, and the Community Context, both of which are described in detail in Chapter 3. All the information presented has been obtained from publicly available sources. Dollar values quoted are contemporary with the incident discussed. THE THREE LAYERS OF DEFENSE First Layer of Defense Outside the site boundary or defended perimeter Second Layer of Defense Between the site boundary or defended perimeter and the building or other defended assets Third layer of Defense The building envelope and structure and the interior assets 1.5.2.1 United States Embassy, Beirut, Lebanon, April 1983 The U.S. Embassy in Beirut, Lebanon, was attacked at about 1:00 p.m. on April 18, 1983, by a delivery van, reportedly stolen from the embassy, driven by a suicide bomber with about 2,000 pounds of explosive. It drove up to the embassy and parked under a portico at the front of the building, where it exploded. The front section of the embassy collapsed, killing 63 people, 17 of whom were Americans, including the entire U.S. Central Intelligence Agency Middle East contingent. Most of the victims were at lunch and were killed by the collapsing building. The building was a seven-story structure of reinforced concrete (Figure 1-6). The Islamic Jihad is believed to have been responsible for the attack. It was seen by some as marking the beginning of anti-U.S. attacks by Islamic groups. The embassy relocated to Awkar, north of the capital, where a second bombing killed 11 and injured 58 in September 1984. In 1989 the Embassy closed, and all American staff was evacuated due to security threats. The embassy re-opened in November 1990. Figure 1-6: U.S. Embassy at Beirut, Lebanon. SOURCE: (c) Bettmann/CORBIS 1.5.2.2 Marine Barracks, Beirut, Lebanon, October 1983 At around 6:30 a.m. a Mercedes delivery truck drove to Beirut International Airport, where the United States Marines had their headquarters. The truck turned onto an access road leading to the compound and circled a parking lot. The driver accelerated, crashed through a barbed-wire fence in the compound parking lot, passed between two sentry posts, crashed through a gate, and barreled into the lobby of the Marine Headquarters building. The marine sentries did not have loaded weapons and thus were not able to shoot the driver. The suicide bomber then detonated his truck, which contained 12,000 pounds of explosive. LESSONS LEARNED Risk - Threat Rating * A suicide bomber manages to drive truck under portico. Risk - Asset Value Highest asset value: U.S. Embassy in central Beirut. Risk - Vulnerability Rating * Nonductile structural design. * Nonredundant structure. * Building entrance vulnerable to vehicle penetration. Security Design - First Layer of Defense * No barriers or any defense features were present in the first line of defense. Security Design - Second Layer of Defense * Only width of sidewalk represented second layer of defense. * No defense features in the second layer of defense. * Car was able to reach the entrance of the building. Security design - Third Layer of Defense * Non-hardened structure that cannot compensate for the nonexistent first and second layers of defense. * No progressive collapse-worthy design. * Reinforced concrete connections at spandrel beams were not adequate. Community Context * Numerous casualties. * After relocation, a repeat bombing of the embassy occurred. The force of the explosion collapsed the four-story cinder-block building into rubble, crushing to death many inside. Rescue efforts continued for days. Although hindered by sniper fire, rescuers pulled some survivors from the rubble. The death toll was 220 marines, 18 navy personnel, and 3 army soldiers. Sixty Americans were injured. The attack caused the greatest single-day death toll for the American military since the battle of Iwo Jima and remains the deadliest attack on Americans overseas. LESSONS LEARNED Risk - Threat Rating * A suicide truck bomber penetrated to the building lobby where the explosion caused the building to collapse, resulting in many casualties. Risk - Asset Value * Marine headquarters and nearby Beirut International Airport are high asset value facilities in same locale. Risk - Vulnerability Rating * Lobby not protected from car-ramming. * Design allows cars to accelerate as they approach the building. * Cinder block walls. * Nonductile construction. * Nonredundant structure. Security Design - First Layer of Defense * Barbed wires, wide sentry posts, nonresilient gate and nonsuspecting guards were not enough to prevent the car from breaking through the first layer of defense. Security Design - Second Layer of Defense * The parking area around the building did not have design features that might have slowed or stopped the car from driving into the building lobby. * Landscaping materials might have been beneficial. * Car could accelerate into building. Security Design - Third Layer of Defense * Car bomber was able to penetrate into the building lobby. * Concrete framed construction with no ductile detailing allowed a large interior blast to cause the structure to partially collapse. Community Context * The building was located near Beirut International Airport, a location that has limitations and vulnerabilities. * Deadliest attack on Americans overseas. 1.5.2.3 Baltic Exchange, City of London, April 1992 Founded in the mid-eighteenth century, the Baltic Exchange is a U.K. company that operates the premier global marketplace for shipbrokers, ship owners and charterers. It occupied a building built in 1903 that was listed as historic. In April 1992, at 9:20 p.m., the offices of the Baltic Exchange at 30 St. Mary Axe in the City of London were virtually destroyed in an Irish Republican Army (IRA) bomb attack. A small truck pulled up in St. Mary Axe, a narrow street in the heart of London's financial district. Inside the truck was the first large fertilizer-based home-made explosive device ever to be exploded: the bomb's power was enhanced by a Semtex-based detonating cord wrapped around the explosives. Although most of the office workers had gone home, the bomb killed three people, all by flying glass, and injured 91. The damage was estimated at about $1.2 billion (Figure 1-7). The day after the explosion, a witness wrote: "The area that had been damaged not only extended well beyond what anyone would have believed knowing the location of the bomb: damage done to this area was phenomenal. The impact of the explosion had showered the direct area with endless mountains of glass, and nearly all of the windows of the adjoining Commercial Union skyscraper were knocked to smithereens. The force had also damaged many other buildings and destroyed windows over a vast area and damaged cars." Figure 1-7: Damage to surrounding buildings (c) Matthew Polak/CORBIS Because of the building's historic value, initial attempts were made to restore the fa ade, but the damage proved to be more than at first realized. The exchange sold the land to a developer and the building was dismantled in 1998 at a cost of $6 million, packed in wooden crates, and stored in a barn. In 2004 the remains were offered for sale. The site is now occupied by a 41-story office building that was christened the "Gherkin" by the public (Figure 1-8). Figure 1-8: The "Gherkin": 30 St. Mary Axe, London. LESSONS LEARNED Risk - Threat Rating * First use of large home-made fertilizer-based explosive device. * Financial districts within a congested urban setting have a high threat rating. Risk - Asset Value * Special difficulties encountered in the aftermath due to the historical character of the building. * Early example of attack on private financial service building rather than military or government facility. * Importance of collateral damage in estimating asset value. Risk - Vulnerability Rating * Nonreinforced masonry-bearing walls have high vulnerability rating. * Glazing can cause immense damage if not properly designed. Security Design - First Layer of Defense * The narrow street of St. Mary Axe did not offer an adequate setback, especially for a non-ductile frame building such as the Baltic Exchange. * A comprehensive first line of defense was needed for such a congested urban area with high value assets such as the Baltic Exchange. Security Design - Second Layer of Defense * The urban setting did not permit use of a second line of defense. Security Design - Third Layer of Defense * Importance of ductile structural systems. * Importance of retrofitting older nonductile systems, especially in historic buildings. * Need for adequately designed glazing. * Importance of collateral damage when considering security of infrastructures. Community Context * Redevelopment of the site with an iconic high-rise building. 1.5.2.4 World Trade Center, New York City, February 1993 On Friday, February 26, 1993, at 12:18 p.m. a large explosion ripped through the public parking garage of the World Trade Center. The explosion resulted in six deaths, more than 1,000 injuries, and $300 million in property damage. The explosion was caused by a 1,500-pound urea-nitrate bomb (equivalent to about 900 pounds of TNT) packed in a rented Ford van, detonated by a timer after the van had been parked in the basement parking garage. The explosion created a crater 200 feet by 100 feet and several stories deep. The towers' power and emergency systems were wrecked. Most of the injuries were due to smoke inhalation (Figure 1-9). Within a month, four individuals were apprehended as responsible for the blast. One, Mohammed Salameh, had been traced through a fragment of metal at the scene with the serial number for a Ford van belonging to a Jersey City Ryder rental agency. On March 4, 1994, a jury convicted all four defendants on all 38 counts against them, and each was sentenced to 240 years in prison and a $250,000 fine. A large body of evidence suggested that the WTC conspirators were "transnational terrorists" inspired and assisted by several Islamic militant groups operating in the United States and abroad but not a formal part of any of them. Figure 1-9: Damage in WTC garage caused by the 1993 bomb attack. SOURCE: (c) mike seegar/CORBIS LESSONS LEARNED Risk - Threat Rating * Use of home-made fertilizer -based explosive device. Risk - Asset Value * Very high asset value. * High potential collateral damage due to congested urban conditions. Risk - Vulnerability Rating * High vulnerability of parking structures under buildings. * Importance of access control of cars and individuals. * Importance of adequate egress means. Security Design - First Layer of Defense * No access control. * Bollards and barriers were not an issue in this event, since the van was able to get inside the building. Security Design - Second Layer of Defense * Not an issue in this event. Security Design - Third Layer of Defense * Strong columns at base of tall building prevented major structural damage. * Loss of large floor areas, while the supporting column remained standing showed importance of hardened floors in vulnerable conditions. * Loss of power and emergency systems showed importance of redundant, hardened and reliable utility and emergency service design. * Importance of multidisciplinary design. Community Context * High value buildings in relatively congested urban areas showed the need for community context defense strategies. * Ensuing litigation showed that all stake holders need to take adequate steps to protect the public. 1.5.2.5 Bishopsgate, City of London, April 1993 A bomb hidden in the back of a large truck exploded in a narrow street, killing one person and injuring more than 40. The bomb was home-made with about one ton of fertilizer and was similar to the bomb that devastated the nearby Baltic Exchange, noted in Section 1.5.2.3. The explosion shook buildings and shattered hundreds of windows, sending glass showering down into the streets below. A mediaeval church, St. Ethelburga's, collapsed. Another church and the Liverpool Street underground station were also wrecked. The cost of repairing the damage was estimated at more than $1.5 billion. Repairs to the Baltic Exchange had just been completed and the building re-opened, when the same bank was damaged in the April Bishopsgate blast. Huge payouts by insurance companies contributed to a crisis in the industry, including the near financial collapse of the world's leading insurance market, Lloyds of London (Figure 1-10). Figure 1-10: Damage to surrounding buildings SOURCE: (c) CORBIS LESSONS LEARNED Risk - Threat Rating * A concentration of historic buildings, underground infrastructure, active businesses, and retail entities in a congested urban setting increases threat rating. * Home-made fertilizer-based device as a blast source. Risk - Asset Value * Large collateral damage to surrounding buildings in a dense urban setting caused crises in the insurance industry. Risk - Vulnerability Rating * Older underground infrastructures can be vulnerable from surface attacks. * Historic construction is particularly vulnerable due to mostly nonductile construction practices. Security Design - First Layer of Defense * Urban alleyways need protection by system of barriers and bollards to provide adequate setback. Security Design - Second Layer of Defense * Narrow alleys do not offer second layer of defense. Security Design - Third Layer of Defense * Showed vulnerability of glass curtain walls to blast. * Medieval church collapsed due to archaic construction practices. * Liverpool Street subway station was wrecked. Shows importance of 360 degree defense. Community Context * Diverse communities in an urban setting such as Bishopsgate need to combine their resources to provide for sensible strategies against bomb blast. * Historic buildings, which can be a source of pride and symbols of the community, need some measure of retrofit to increase ductile behavior of the structure. If that is not feasible, adequate stand-off must be provided. 1.5.2.6 Murrah Federal Building, Oklahoma City, April 1995 On April 19, 1995, at 9:02 a.m., a truck bomb exploded outside the Alfred P. Murrah Federal Building in Oklahoma City, causing 168 fatalities. The bomb was packed in a rented truck. It is estimated that the 7,000-pound bomb had a yield of about 4,000 pounds TNT, and the stand-off distance was less than 20 feet. The blast blew off the front fa ade of the building and caused progressive collapse of part of its structure. The nine-story building was constructed in 1977 and contained the regional offices of the Secret Service; the Drug Enforcement Agency; and the Bureau of Alcohol, Tobacco, Firearms, and Explosives; and several other federal and state agencies. Of the 361 building occupants, 118 workers, 15 children in day care, 4 children visitors, and 26 adult visitors were killed. One hundred sixty- six people were injured. Two people were killed and 39 injured in the adjoining Water Resources Board Building, and one person was killed and four injured in the adjoining Athenian Building. One person was killed and 60 were injured outside, and 167 injuries occurred in other buildings near the blast. Over 300 buildings were damaged or destroyed (Figure 1-11). Ninety minutes after the explosion, an Oklahoma Highway Patrol officer pulled over Timothy McVeigh for driving without a license plate. Shortly before he was to be released on April 21, McVeigh was recognized as a bombing suspect and charged with the bombing. His companion, Terry Nichols, was also charged with the bombing. Both were convicted: McVeigh was executed on June 11, 2001, and Nichols was sentenced to life in prison in May 2004. The building was demolished by implosion in May 1995. Figure1-11: This figure shows the site layout and impact location of the Murrah Federal Building after the bombing of 1995. Collateral damage in adjacent sites and buildings was substantial. SOURCE: FEMA 277, The Oklahoma city bombing: Improving building performance through multi-hazard mitigation 1.5.2.7 Town Center, Manchester, England, June 1996 On June 15, 1996, at a peak shopping time on Father's Day, a 3,000-pound IRA bomb (equivalent to about 1,800 pounds of TNT) exploded in Manchester, the second largest city in the United Kingdom, injuring more than 200 people and ripping into the fabric of the city's main shopping center (Figure 1-12). LESSONS LEARNED Risk - Threat Rating * Due to the location of the building in Middle America, the threat was not felt to be high. The event changed that line of thinking. * Another use of a home-made fertilizer-based device as a blast source. Risk - Asset Value * High asset value of a federal building. Risk - Vulnerability Rating * Needed hardened structural and envelope design because of limited setbacks. * Importance of choice of structural systems to increase redundancy and prevent progressive collapse. Security Design - First Layer of Defense * Setback (width of sidewalk) was not enough to prevent the devastating effects of the bomb. Security Design - Second Layer of Defense * No measures for second layer of defense. Security Design - Third Layer of Defense * Showed damaging effects of transfer girders. * Importance of redundant and ductile structural design. * Importance of adequate glazing design, particularly for buildings that are close to a high value target. * Importance of adequately designed egress systems. Community Context * High collateral damage even at long distances from ground zero. * Importance of community context design strategies for high-value targets in an urban setting. Major casualties were avoided because about an hour before the blast several telephone warnings, using a recognized IRA code word, had been sent to newspapers, radio and television stations, and at least one hospital, and police began clearing people away from the site twenty minutes later. An army bomb squad was employing a robotic anti-bomb device to check an illegally parked van, which had been recorded by several closed-circuit security cameras in the city, when the bomb exploded. Most injuries were sustained from falling glass and building debris. The main railroad stations were closed for several hours, and the city center was sealed off. The evacuation of shoppers took place from the Marks and Spencer Department Store at the center of the site, outside which the truck bomb was parked. It was estimated that up to 450,000 square feet of retail space and about 200,000 square feet of office space subsequently needed to be reconstructed. A master plan was quickly set in place for the redevelopment of the city center. An international urban design competition was launched one month after the bombing, providing a cohesive plan for rebuilding. After four years the devastated zone was completely restored. Marks and Spencer rebuilt on its original site, with its largest store in the world (Figure 1-13). Figure 1-12: Manchester shopping center damage. SOURCE: (c) matthew polak/CORBIS Figure 1-13: New Marks and Spencer Store, Manchester. LESSONS LEARNED Risk - Threat Rating * Avoidance of casualties by advance warning characteristic of IRA approach to limit public criticism of attacks. This reduces threat rating. * Preparedness in having anti-bomb devices available soon after threat is detected. Risk - Asset Value * Example of attack on shopping area with objective of urban disruption and terrorism rather than attacking military or political targets and installations. * In estimating asset value, cost of business interruption should be included in any analysis. Risk - Vulnerability Rating * Older construction detailing. * Non-blast-resistant glazing and building envelope. Security Design - First Layer of Defense * The van parked along the street curb: setback was only the width of the sidewalk. Security Design - Second Layer of Defense * No measures for second layer of defense. Security Design - Third Layer of Defense * The tower was spared from major damage due to setback offered by lower floors. * No major structural failure due to the relatively small bomb size and the width of the sidewalk. * Most of the severe damage and injuries were caused by failure of the building envelope and shattered glazing. Community Context * The large scale of damage provided incentives and national funding assistance for a massive urban renewal project that had long been considered. * New Marks and Spencer store includes attractive all-glass fa ade. 1.5.2.8 Khobar Towers, Dhahran, Saudi Arabia, June 1996 Khobar Towers is part of a large housing complex in the city of Dhahran, Saudi Arabia. In 1996 it was being used to house foreign military personnel, including Americans. At approximately 9:50 p.m. a truck bomb exploded, throwing a force equivalent to about 20,000 pounds of TNT directly at Building 131. At the time this was the largest terrorist device ever directed at Americans. This eight-story building mostly housed United States Air Force personnel from the 4404th Fighter Wing. In all, 19 U.S. servicemen and one Saudi were killed and 372 injured (Figure 1-14). On the evening of June 25, a security policeman went to the top of Building 131 to check on two sentries posted there. From the roof they observed a sewage tanker truck and a white car enter the parking lot. They watched the truck drive to the second to last row, turn left as if leaving the lot, slow down, stop and then back up towards the fence line. It stopped directly in from to the center of the north fa ade of Building 131. The truck's driver and a passenger jumped out and hurried to a waiting car, which sped out of the parking lot. The security police acted rapidly: they radioed in an alert and started the evacuation plan to notify each floor of the building. Many of the evacuees were in the stairwell when the bomb went of. The stairwell was on the other side of the building away from the bomb, perhaps the safest location in the building. The actions of the guards saved many lives (Figure 1-15). As the blast waves hit the building, they propelled pieces of Jersey barriers into the first floor. The outer walls of the bottom floors were blown into rooms, and the facades of the floors peeled off and fell into a pile of rubble. The building did not collapse because it had been built to British code standards and was made of prefabricated concrete cubicles that were bolted together. The bomb blasted a crater 35 feet deep and 85 feet across. For some time Saudi Arabia was almost wholly free of terrorism, and the kingdom was regarded as one of the world's safest place for U.S. forces. Figure 1-14: The Khobar Towers housing complex, Building 131. SOURCE: (c) REUTERS/CORBIS Figure 1-15: Location of truck bomb and getaway car. However, in November 1995 a car bomb with the equivalent of about 220 pounds of TNT exploded in the courtyard of the Office of the Program Manager of the Saudi Arabia National Guard in Riyadh. As a consequence, the U.S. military reviewed the force protection measures in the theater, and in Dhahran the 4404th Wing took action to increase the level of protection. The perimeter was completely surrounded by Jersey barriers and the alert status was raised. The setback between the roadway and the buildings was approximately 80 feet. Senior U.S. officials had concluded that the upper limit on a terrorist bomb that could be smuggled into Saudi Arabia was no higher than the 220-pound device used at Riyadh the previous year. Traffic patterns were reset and lengthened, road stars and tire shredders were put place, and barriers and a bunker sealed the entry way. LESSONS LEARNED Risk - Threat Rating * Showed importance of threat assessment and fallacy of relying on past experience. Risk - Asset Value * As housing units for U.S. military personnel, the asset value was high. Risk - Vulnerability Rating * Higher standard of structural redundancy reduced overall damage. * Casualties reduced by location of egress stairs at the back of the building away from potential blast sources. Security Design - First Layer of Defense * Showed importance of alert surveillance by guards. * Showed importance of well-anchored barriers. * Showed that non-anchored barriers can have a negative effect on building security. Security Design - Second Layer of Defense * Showed importance of adequate setback: a shorter setback would have resulted in much more structural damage. Security Design - Third Layer of Defense * Precast concrete bearing wall system prevented what might have been a total building collapse given the size of the blast. * Showed importance of structural redundancy: the structure was highly redundant. * Showed importance of strong building envelope: the outer buildings' envelopes were not severely damaged. Community Context * Use of large trees could have had good aesthetic effect in the arid climate and at the same time interfered with blast pressures. 1.5.2.9 The United States Embassy, Kenya, August 1998 The United States Embassy in Nairobi, Kenya, was attacked on August 7, 1998, at 10:30 a.m. local time, five minutes after an attack on the U.S. Embassy in Dar es Salaam, Tanzania. The building was a five-story reinforced concrete structure, constructed under the supervision of the Foreign Buildings Operations in the early 1980s before the Inman Committee security standards were produced (Figure 1-16). The building was located at the intersection of two of the busiest streets in Nairobi near two mass transit centers. Terrorists driving a truck detonated a large bomb in the rear parking area near the ramp to the basement garage. The explosion killed 213 people, of whom 44 were embassy employees (12 Americans and 32 foreign national employees). It is estimated that 200 Kenyan civilians in the vicinity were killed and 4,000 injured by the blast. The following is an extract from a U.S. Department of State Accountability Review Board report: "Damage to the embassy was massive, especially internally. Although there was little structural damage to the building, the explosion reduced much of the interior to rubble - destroying windows, window frames, internal office partitions and other fixtures on the rear side of the building. The secondary fragmentation from flying glass, internal concrete block walls, furniture, and fixtures caused most embassy casualties. The majority of the Kenyan casualties resulted from the collapse of the adjacent Ufundi Building together with flying glass from the nearby Co-op Bank building and other buildings located within a three-block radius. Other casualties were pedestrians or motorists in the crowded streets next to the embassy. The local-hire contract guards at the rear of the embassy saw the truck pull into the uncontrolled exit lane of the rear parking lot just as they closed the fence gate and the drop bar after a mail van had exited the embassy's garage. (The drop bar paralleled a series of steel bollards that encircled the embassy outside the steel grill fence that surrounded the chancery). The truck proceeded to the embassy's rear access control area but was blocked by an automobile coming out of the Co-op Bank's underground garage. The blocking automobile was forced to back up, allowing the truck to come up to the embassy drop bar." Figure 1-16: U.S. Embassy, Nairobi, Kenya. SOURCE: (c) EPA/CORBIS LESSONS LEARNED Risk - Threat Rating * Threat rating considered low. Risk - Asset Value * The U.S. Embassy in Kenya is a high asset value. Risk - Vulnerability Rating * Building located at intersection of very busy streets close to mass transit centers. * Reinforced concrete structure designed prior to introduction of State Department requirements. * Many casualties caused by collapse of nearby building and flying glass from others. Security Design - First Layer of Defense * Inadequate setbacks (as short as 15 feet). Security Design - Second Layer of Defense * Truck was able to penetrate to parking area close to building. * Guards were alert but unarmed and unable to prevent truck penetration. Security Design - Third Layer of Defense * Limited structural damage but much interior damage. Most casualties caused by shattered glass, flying concrete block walls and furniture. * Windows covered by 4 mm mylar film, but frames not anchored to structure. Community Context * Many casualties to pedestrians and motorists in crowded streets near the Embassy. SOURCE: U.S. State Department, Report of Accountability Review Boards, Bombing of U.S. Embassies in Nairobi, Kenya and Dar es Salaam, Tanzania, "Executive Overview and Nairobi Discussion and Findings;" 1.5.2.10 U.S Embassy, Dar es Salaam, Tanzania, August 1998 On August 7, 1998, along with the embassy in Nairobi, Kenya, the United States embassy in the East African capital city of Dar es Salaam, Tanzania, was severely damaged in a truck bomb attack. The bomb killed 12 people and injured 85. Almost all the victims were African civilians; no Americans were among the fatalities, but many were injured, two seriously. The truck bomber drove to one of the two vehicular gates of the U.S. Embassy. Apparently unable to penetrate the perimeter because it was blocked by an embassy water tanker, the suicide bomber detonated his charge at 10:39 a.m. at a distance of about 35 feet from the outer wall of the chancery (Figure 1-17) The attack was linked to local members of the Al Qaeda terrorist network headed by Osama bin Laden; it was this incident that first brought him and Al Qaeda to international notoriety and led to the FBI placing him on the agency's most wanted list. The following is an extract from a U.S. Department of State Accountability Review Board report: "The U.S. Embassy in Dar es Salaam moved into the former Israeli Embassy compound in May 1980. The embassy consisted of a three- story Chancery, originally built as the Israeli Chancery in the early 1970s and a four-story annex, added in 1980. Both buildings were located in an enclosed compound. The construction of both the Chancery and Annex was of reinforced concrete frame construction. Figure 1-17: Damage to the U.S Embassy, Tanzania SOURCE: AP/WIDE WORLD PHOTOS The floors and ceilings were of concrete slab design, and the exterior and partition walls were of concrete block. Ground floor windows in the Chancery were minimal, possibly designed to limit potential bomb damage. The chancery suffered major structural damage and was rendered unusable, but did not collapse. No one inside the chancery was killed, in part due to the strength of the structure and in part to simple luck. Several American Embassy residences were destroyed as were dozens of vehicles. The Ambassador's residence, a thousand yards distant and vacant at the time, suffered roof damage and collapsed ceilings. The Chancery and Annex were surrounded by a perimeter wall that provided a 25-75 foot setback between the embassy and adjacent streets and properties. The base of the wall was a combination of concrete block and reinforced concrete, onto which tubular metal picket fencing alternated with concrete pilasters. Hardened guard booths were located at each of the entry ways to the compound Pedestrian visitor and vehicle screening was conducted at the perimeter, primarily at the entry where the bomber apparently intended to force access. Two vehicle entry gates allowed access to the compound; both were manually operated double-swing gates constructed of a tubular steel framework. Rising wedge barriers provided additional access control. Both of these were inoperative at the time of the bombings, and one had been out of repair for over two years despite attempts to make it operational. Vehicles were screened outside the gates by local guards with diplomatic security-provided inspection mirrors. A thorough review of the embassy security procedures was conducted by the regional security officer about two weeks before the attack. Alarm drills to identify contingencies, such as package bombs, were held on a weekly basis, and such a drill had been completed 30 minutes before the bombing. There were no drills, however, specifically designed to contend with vehicular threats." LESSONS LEARNED Risk - Threat Rating * Threat rating considered low. Risk - Asset Value * The U.S. Embassy in Tanzania is a high asset value. Risk - Vulnerability Rating * The reduction of setback from a State Department requirement of 100 feet to a range between 25-75 feet could have affected the vulnerability rating. Security Design - First Layer of Defense * The vehicle carrying the bomb failed to penetrate the perimeter because of the presence of a water truck that blocked its entry. Security Design - Second Layer of Defense * At the time of the explosion, the car was about 35 feet from the building. The second line of defense was not tested since the car failed to breach the first line of defense. Security Design - Third Layer of Defense * The 35-foot setback outside the chancery wall proved to be adequate to protect the building from major collapse even though the structure was severely damaged. Community Context * Several nearby buildings were damaged, including the ambassador's residence. * Dozens of vehicles were destroyed. SOURCES: US STATE DEPARTMENT, Report of the Accountability Review Board, Bombings of the US Embassies in Nairobi, Kenya and Dar es Salaam, Tanzania, from http://www.state. gov/www/regions/africa/board_overview.html; 1.6 GOVERNING PRINCIPLES The experience gained from the above events and others, such as the attacks on September 11, 2001, has provided the basis for a number of governing principles for site security design that are presented below. They are intended as a non-mandatory guide to the design team as it approaches its design task. At an early stage the site owner, the stakeholders, and the design team should review and discuss these principles and add to or modify them to suit the specifics of the risk assessment, the nature of the site and the building, and the resources and objectives of the building owner, whether individual, corporation or institution. Some topics relate both to the site and the building because their design is intimately related. * To acknowledge the need to accept a reasonable level of risk is inherent in striking an appropriate balance between security provisions and other fiscal, planning, design, and operational objectives. * To encourage a multi-disciplinary approach to the selection of security measures that make appropriate use of intelligence information, operational and procedural measures (such as surveillance and screening), and physical design strategies. * To provide an appropriate balance between the need to accommodate perimeter security for sensitive buildings and their occupants and the need to maintain the vitality of the public realm. * To produce a coherent strategy based on deploying specific families of streetscape and security elements in which security is balanced with the process of achieving aesthetic continuity along streets and around buildings. * To provide site security protection in a manner that does not impede or excessively restrict operational use of streets and to the greatest extent possible preserves or enhances the site's aesthetic and functional qualities. * To employ strategies that guarantee pedestrian mobility, traffic calming, and good access for first responders in case of natural or man-made disasters. * To provide flexibility for future protection by devising well thought out temporary measures that can be implemented for varying time spans when the threat level changes. * Even though security projects are complex and challenging in execution, all successful projects share these attributes: * A well-executed risk assessment process (as outlined in Chapter 2, Section 2.2) that defines the threat, assets, and vulnerability. The final risk assessment enables the property owner to determine the necessary level of protection, which in turn governs the selection of mitigation measures for the project and identifies the designers' tasks. * A cost-benefit analysis that enables comparison of alternative protection methods and selection of an effective and affordable strategy. * A multi-disciplinary design team, including architect; landscape architect; civil engineer; security consultant (including blast consultant); mechanical, electrical and plumbing (MEP) consultants, transportation consultant; lighting and communication consultants; and artists. Early establishment of security/design collaboration is essential for a successful project. * Design consultants that can support the development of the risk management strategy by sharing information with the security consultants about the impacts, costs, and alternatives for proposed solutions. * A comprehensive understanding of the design requirements and components must be developed by all members of the design and owners teams. The systems, components, and materials needed for effective security and site design have unique technical and structural details which may initially be unfamiliar to some team members. * Early identification of the stakeholders in the project and communication with them throughout the development of the design. * A clear and well-managed design process. All aspects of the project must be addressed from the very beginning and a decision-making procedure devised that balances multiple goals, objectives, and criteria. Negotiation is an essential part of every project. Typical steps of a site planning process incorporating security issues are diagrammed in Figure 1-18. * Utilization and accommodation of mitigation methods for other hazards, including earthquakes, high winds, floods, fire, etc. * A buy-in from the property owner and also from neighbors affected by the protection strategy and methods. 1.7 PRESCRIPTIVE CODES AND A PERFORMANCE-BASED DECISION-MAKING PROCESS Traditionally, the building regulatory system has been based on building codes that focused on health and safety, with a strong emphasis on fire safety as an objective. More recently, building regulations have addressed natural disasters that are threats to life safety (hurricanes, tornados, floods, earthquakes, and snow storms) through prescriptive design requirements, accepted analyses, physical tests, reference standards, and inspection requirements. Some man-made risks, such as HazMat storage, have also been addressed in this way. These prescriptive codes set minimum standards that are regarded by consensus as prudent and affordable, with the result that the building owner and designers are not faced with establishing the risk to their building. These minimum standards do not, however, guarantee complete safety or even a defined level of performance. Compliance with the code is assumed to provide a level of risk reduction deemed acceptable by consensus vote, although it may be quite inappropriate for the owner of a specific property. Currently prescriptive codes for building security protection and its necessary elements and devices do not exist. Although there are mandatory guidelines for the protection of certain governmental buildings, these prescribe objectives rather than specific requirements for building and site features. In the absence of prescriptive standards, reasonable and appropriate protection should be based on expected performance and cost related to the design basis threat, the building vulnerability, and the owner's decision as to acceptable risk. Under this performance-based approach, the selection of the appropriate threat is fundamental to the design process and therefore requires very careful consideration. Once a design threat has been identified (either a terrorist act or a natural hazard), an initial determination of security and hazard mitigation measures should be based on broad classifications of assumed risks and expected performance. To assess the threat, the vulnerability of the assets, and the consequences of damage, a systematic quantitative risk assessment and management process are necessary. Such a process is outlined in Section 2.2 and is described in detail in FEMA 452: Risk Assessment: A How-To Guide to Mitigate Potential Terrorist Attacks Against Buildings. Working with the owner, facility manager, and the occupants, the protective design team can help to achieve a balance of security, aesthetics, and functionality that will combine to provide the desired level of protection within the available resources. The design basis threat (DBT) is the threat (tactics and weapons) against which assets within a building must be protected and upon which the security engineering design of the building is based. Protective guidelines are intended to be applicable to a wide range of governmental and private building types. Depending on their geographic location, they may also be faced with a wide range of natural hazards such as earthquakes, high wind events, landslides, and floods. Each facility will, in turn, have a unique set of programmatic objectives, site characteristics, threat profiles, risk tolerances, and budgetary limitations. Under these circumstances, it is impractical and certainly inefficient to present uniform security and hazard mitigation solutions for all buildings regardless of type, use, and location. Once the goals for performance and risk reduction have been established, and related functional and operational program requirements have been developed, they can be translated into design criteria. The delivery process for all facilities subject to protective design should have as its goal the identification and successful management of risk factors that can adversely affect facility performance. Investigations of performance failures, whether from an engineering standpoint or user expectations for a facility, have usually determined that failure is preventable. Many failures can be traced, at least in part, to poor communication between individuals or organizations involved in project delivery and missing or dysfunctional decision processes. This shortcoming is inherent in the traditional design and construction process, which is essentially linear through time and provides little opportunity to revise initial assumptions, verify acceptability of changes made during subsequent steps, and benefit from the synergy of a fully integrated project delivery team. Although risk will always be present when there are security and natural hazard concerns, better systems can be designed to both reduce the overall level of risk and manage the residual risk more effectively. Figure 1-18 is a model of a performance-based design process that integrates security and natural hazard objectives and performance requirements, while allowing the input of existing and new technologies related to risk management principles. The consideration of cost issues enables design solutions appropriate to the individual project to be achieved. Some broad considerations for achieving the maximum risk reduction for the minimum amount of money are presented in Section 2.8. An increasing number of site security projects that embody the necessary kinds of integrated design team and process have now been realized, and some are illustrated in this publication. The security design for the New York Financial District area, shown in Chapter 6, Case Study 6, is an example of integrated security design for a very dense high-risk location. SOURCE: SOME PORTIONS OF THIS SECTION ARE BASED ON THE PAPER, "A PERFORMANCE-BASED MULTI-OBJECTIVE DECISION FRAMEWORK FOR SECURITY AND NATURAL HAZARD MITIGATION," BY R. LITTLE, B. MEACHAM AND R. SMILOWITZ, 2001, FROM http://www.er1.org/docs. Figure 1-18: A performance-based multi-hazard model. SOURCE: BASED ON: R.LITTLE, B.MEACHAM, R.SMILOWITZ, "PERFORMANCE-BASED MULTI-OBJECTIVE DECISION FRAMEWORK FOR SECURITY AND NATURAL HAZARD MITIGATION." 1.8 CONCLUSION This chapter has sketched some of the background against which future security site design will be implemented. Design of buildings and sites to withstand attack is a reflection of the worldwide instabilities in politics and culture that designers must learn to accommodate. Events around the world in the last quarter of a century have created a new need for defensive design and have provided the experience and the lessons that can be applied today. Site and building mitigation measures add a new set of requirements to the long list of issues that the designer must deal with, and new sources of information are necessary. The FEMA Risk Management Series of publications aims to provide some of this information, and this publication emphasizes the relationship between security and amenity: that in the effort to make our buildings and cities more secure, we must be careful not to lose sight of the need for convenience, functional effectiveness, and amenity in our surroundings. As part of the background information that the designer needs, the chapter presents a set of selected examples of attacks on buildings that have been significant in the development of our mitigation measures and the procedures for their design and use. Because this is a new field of design, the customary set of codes and regulations that aim to ensure safety against other hazards do not yet exist, and the designers must use new procedures to establish criteria for appropriate mitigation measures with respect to security, amenity, and benefit-cost.