0295-9 Future Security 2011 CD PDF

6
TH
FUTURE SECURITY
SECURITY RESEARCH CONFERENCE
BERLIN, SEPTEMBER 5
TH
7
TH
, 2011
PROCEEDINGS
Joachim Ender, Jens Fiege (Eds.)
F R AUNHOF E R GR OUP F OR DE F E NS E AND S E C UR I T Y

W
o
l
f
g
a
n
g

K
l
a
t
t

EDITORIAL NOTES
ISBN 978-3-8396-0295-9
9 7 8 3 8 3 9 6 0 2 9 5 9
Editors
Joachim Ender
Jens Fiege
Contact
Fraunhofer Institute for High Frequency Physics and Radar Techniques FHR
Neuenahrer Str. 20
53343 Wachtberg, Germany
www.fhr.fraunhofer.de
Phone + 49 228 9435-227
Fax + 49 228 9435-627
E-Mail info@fhr.fraunhofer.de
Conference host
Fraunhofer Group for Defense and Security
www.vvs.fraunhofer.de
Bibliographic information published by Die Deutsche Bibliothek
Die Deutsche Bibliothek lists this publication in the Deutsche Nationalbibliografe;
detailed bibliografc data is available in the Internet at http://dnb.d-nb.de.
ISBN 978-3-8396-0295-9
All rights reserved; no part of this publication may be translated, reproduced, stored in a retrieval system, or transmitted in any form
or by any means, electronic, mechanical, photocopying, recording or otherwise, without the written permission of the publisher.
Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. The quotation of
those designations in whatever way does not imply the conclusion that the use of those designations is legal without the consent of the
owner of the trademark.
by FRAUNHOFER VERLAG, 2011
Fraunhofer Information-Centre for Regional Planning and Building Construction IRB
P.O. Box 80 04 69, D-70504 Stuttgart
Nobelstrasse 12, D-70569 Stuttgart
Phone +49 711 970-2500
Fax +49 711 970-2508
E-Mail verlag@fraunhofer.de
URL http://verlag.fraunhofer.de
PROCEEDINGS
Joachim Ender, Jens Fiege (Eds.)
FRAUNHOFER VVS
6
TH
FUTURE SECURITY
SECURITY RESEARCH CONFERENCE
BERLIN, SEPTEMBER 5
TH
7
TH
, 2011
TABLE OF CONTENTS
Proceedings
A.1 Sensor Technology for Security
Scanning for Hazardous Objects on the Seafoor State of the Art Technologies ........................................................................ 1
Detection of High Power Microwaves ......................................................................................................................................... 8
Clinotrons High Power Sources for Terahertz Sensors ............................................................................................................. 14
Scanning Polarimetric Imaging Radiometer: Microwave Imaging System and Image Merging with IR and Optical Data .............. 18
Standoff Detection of Suicide Bombers in Mass Transit Environment ..................................................................................... 24
B.1 Crisis Management I
Automated Planning in Evolving Contexts: an Emergency Planning Model with Traffc Prediction and Control ........................... 28
Highly Effcient Event and Action Processing for Emergency Management in Large Infrastructures ............................................ 38
Coordinating Ambulance Operations ........................................................................................................................................ 47
PROSIMOS A Tool for Identifying Business Cases in the Implementation of a Priority Communications Systems
for First Responders in Public Mobile Networks ......................................................................................................................... 51
An Integrated and Integrating Airport Security Management Concept ...................................................................................... 60
A.2 Supply Chain Security (invited)
Supply Chain Integrity Services Based on Hierarchical Sensor Networks ..................................................................................... 66
ProAuthent Integrated Protection Against Counterfeiting in Mechanical Engineering Through Marking and
Athenticating Critical Components ........................................................................................................................................... 71
Developing an Understanding of Supply Chain Security Management ....................................................................................... 75
100% Container Scanning: Impact on Effciency and Costs of Container Terminal Operation .................................................... 79
B.2 Crisis Management II
SECURITY2People Features of and Experience With the First Demonstrator of an Integrated Disaster
Management System ................................................................................................................................................................ 83
Crowd Management Simulation Crowd Management in Large Infrastructures ....................................................................... 87
FP7 Project ACRIMAS Aftermath Crisis-Management System-of-Systems Demonstration ........................................................ 93
Process Structures in Crises Management ............................................................................................................................... 101
Posters
Universal Detector of Concealed Hazardous Materials ............................................................................................................. 106
Laser Ion Mobility Spectrometer Technology and Security Applications .................................................................................... 112
Fluorescent Biosensors for Standoff-Detection of Gamma-Radiation ....................................................................................... 117
Development of a Fully Automated Centrifugal Lab-on-a-Chip System for Rapid Field Testing of Biological Threats ................. 121
Detection Technologies Common Concepts in Security and Safety ....................................................................................... 125
Variable Irradiation Geometry With a New X-Ray Backscatter Camera for Security Applications ............................................... 128
Surface Sensitive Detection of Trace Explosives With UV Photofragmentation ......................................................................... 132
A Security and Surveillance Solution for Scenarios With Time-Critical Response Time .............................................................. 140
Electromagnetic Protection of IT-Networks for Transportation-Infrastructure (EMSIN) ............................................................... 146
Posters
Managing Security Tasks With Modular and Mobile Sensor Data Processing Networks An Integral Approach ....................... 152
Towards Smart Infrastructures For Modern Surveillance Networks ........................................................................................... 158
Application of Special Purpose Blast Sets For Personal Rescue in a Hazardous Environment ..................................................... 164
Elimination of a Tanker Fire Through Shock Wave Interference ................................................................................................ 168
Acoustic-Generator Based on a Small Rocket-Burner With Intermittent Combustion to Dissolve Violent Demonstrations ......... 178
FP7 Project ETCETERA - Evaluation of Critical and Emerging Technologies for the Elaboration of a Security Research Agenda .. 181
Presentation of TALOS, a Project of a Mobile, Scalable and Autonomous System for Protecting European Borders .................. 186
Risk Treatment Measures for Managing Cargo Theft in Road Transportation ........................................................................... 195
Risk Analysis for a German Harbour within the Project ECSIT .................................................................................................. 201
Integrated Open-Source Software for Modeling the Effects of Bio- or Agroterroristic Attacks on The Food Chain .................... 208
Laser-Based Ranging and Tracking of Space Debris.................................................................................................................. 209
Concept for the Integration of Predictive Microbiology Tools and Models in the Efforts to Secure the Food Supply
Chain in Case of Bioterroristic Attacks .................................................................................................................................... 215
Scenario-Oriented Assessment of Hazardous Biological Agents ............................................................................................... 216
Positioning and Tracking of Deployment Forces Combining an Autonomous Multi-Sensor System with
Video Content Analysis ........................................................................................................................................................... 220
Sensors Data Fusion and Management in a New Security System on Airports .......................................................................... 225
Data Protection and Security Awareness in Complex Information Systems ............................................................................... 230
Effcient and Secure Data Transfer Using Jpeg Image Based Steganography ............................................................................ 240
Impact of Jamming on a Security-Enabled Anonymous MANET Protocol (SEAMAN) ................................................................ 246
Enhancing Information Security with Universal Core Approach ............................................................................................... 251
A New System for Mobile Phone Localization for Search and Rescue Applications ................................................................... 257
Multistatic 96 GHz Rotating W Band Radar for Passenger Inspection on Airports .................................................................... 261
A Multichannel Scanning Receiver System for Surveillance Applications .................................................................................. 265
How to Model and Simulate Multi-Modal Alerting of Population: The Alert4All Approach ...................................................... 269
VALUESEC - Mastering the Value Function of Security Measures ............................................................................................. 277
A Historical Analysis on the Nature of Criminal and Terrorist Threats Against Civil Aviation ...................................................... 282
Esfo The Information System on European Security Research ................................................................................................ 287
A.3 Detection of Hazardous Material
Novel Sensor Platform for Multiplexed Trace Detection of Hazardous Substances .................................................................... 289
Change Detection on Millimeter-Wave SAR Images for C-IED Applications .............................................................................. 293
Detection and Identifcation of Illicit and Hazardous Substances with Proton-Transfer-Reaction Mass Spectrometry (PTR-MS) .. 298
Characterisation of Critical Material Based on Phase and Amplitude Information of High Frequency Measurements ................ 304
B.3 Video Surveillance (invited)
Visual Search in Large Surveillance Archives ............................................................................................................................ 310
Towards People Re-Identifcation in Multi-Camera Surveillance Systems .................................................................................. 315
Multi-Spectral and Hyperspectral IR-Sensors for Improved Surveillance Applications ................................................................ 321
Automatic Maritime Video Surveillance with Autonomous Platforms ...................................................................................... 326
TABLE OF CONTENTS
A.4 Maritime Security
Introduction to Anti-Piracy The EU Operation Atalanta ......................................................................................................... 332
Development of Indicators to Evaluate a Vessels Vulnerability to Pirate Attacks and Packages of Appropriate
Technological Protection Systems ............................................................................................................................................ 339
Polarimetric Detection of Small Maritime Targets for Maritime Border Control ......................................................................... 346
Handling Security Relevant Information in the Maritime Domain with the Security Modeling Technique .................................. 350
New Challenges for Maritime Safety and Security Training Presentation of a Specifc Safety & Security Trainer (SST7) .............. 356
B.4 Social Dimension of Security
Psychosocial Support for Civil Protection Forces Coping with CBRN An EU-Project ................................................................ 366
Leaking in the Name of Justice ............................................................................................................................................... 370
Enhancing the Acceptance of Technology for Civil Security and Surveillance by Using Privacy Enhancing Technology ............... 372
Customer Security Environment: Understanding Customers Views on Security ....................................................................... 380
Towards Information Services for Disaster Relief Based on Mobile Social Networking............................................................... 386
A.5 Radar Sensors for Security Awareness
Security in Space Space Situational Awareness via Radar Observation ................................................................................... 395
Ground Moving Target Indication And Ship Surveillance With The German Terra SAR-X/TanDEM-X
Radar Satellite Constellation ................................................................................................................................................... 401
SecurityRelated Change Detection with TerraSAR-X Radar Satellite Data ............................................................................... 408
Pulse Radar Technology for Detection of Trapped and Buried Victims Electronic Devices .......................................................... 412
An Integrated Radar-Optronic Sensor Architecture and OperationalExperiences .................................................................... 416
B.5 Anomaly Detection and Risk Analysis
Towards Proactive Security Surveillance by Combining Technology and Human Factors ........................................................... 421
Searching for Abnormalities Instead of Suspects ..................................................................................................................... 426
Applied Text Mining for Military Intelligence Necessities .......................................................................................................... 431
Topic-Oriented Analysis of Data Streams ................................................................................................................................. 438
Video Analysis for Situation and Threat Recognition ............................................................................................................... 443
A.6 Terahertz Security Applikations (invited)
Security Check of the Future ................................................................................................................................................... 447
Progress in Device Technology Creates Potential for Active Real-Time THz Security Scanners ................................................... 453
Terahertz Sensor Systems for Field Applications ....................................................................................................................... 457
QPASS Quick Personnel Automatic Safe Screening for Security Enhancement of Passengers ................................................. 462
Millimeter Wave Radar Sensor for Protection of Outdoor Areas ............................................................................................... 468
B.6 Critical Infrastucture
Geometrical Design Criteria for Analyzing the Vulnerability of Urban Area Construction to Blast Effects .................................. 472
Security Impact Simulation for Critical Infrastructure of Freight Villages Using Software-Agents .............................................. 479
Safety and Protection of Built Infrastructure to Resist Integral Threats (SPIRIT) ......................................................................... 485
Risk Evaluation for Critical Built Infrastructure Asset Classifcation and Evaluation ................................................................... 490
Servitization in Security Business ............................................................................................................................................. 498
A.7 Response to CBRNE threats
Research Against CBRN-E Terrorism: A Real Opportunity for Materials Science ........................................................................ 503
DECOTESSC1: Results of an EU FP7 Demonstration Project Phase 1 CBRNE System-of-Systems Analysis .................................. 513
EXAKT Joint BMBF Research Project: Near Real-Time Trace Analysis of Airborne Chemical Warfare Agents and
Explosives using a TD-GC-TOF-MS .......................................................................................................................................... 519
B.7 Border Security (invited)
Integrated Border Management - Remarks on a Border Control Roadmap .............................................................................. 525
Coastal Surveillance Radars Developed in TUBITAK BILGEMUEKAE .......................................................................................... 530
Enhancing Nuclear Security at Ukrainian Border Stations to Prevent Illicit Traffcking ................................................................ 535
A.8 Food Chain and Transport Security
Risk Assessment, Epidemiology, Detection of Biological Agents to Secure the Feed and Food Chain........................................ 539
Network of German Authorities in the Context of Bioterrorism in the Food Chain .................................................................. 540
Securing the Feed and Food Supply Chain in the Event of Biologicaland Agro-Terrorism (BAT) Incidents
The German SiLeBAT Project ................................................................................................................................................... 542
Improving the Security of Critical Transport Infrastructures New Methods and Results .......................................................... 545
Improving Security in Intermodal Transports ............................................................................................................................ 555
B.8 Cyber Defense and Information Security
Botnets: Detection, Measurement and Defense ...................................................................................................................... 562
Realising a Trust Worthy Sensor Node with the Idea of Virtualisation ....................................................................................... 568
WSNLab A Security Testbed for WSNs .................................................................................................................................. 575
Interoperability of Information Systems for Public Urban Transport Security: The SECUR-ED Approach..................................... 580
Security and Backup-System at the IT Center of the Technical University of Applied Science Wildau Including Autonomous
Satellite Faculty and Degree Programme IT Systems ................................................................................................................ 586
A.9 Multiple Sensor Checkpoint Control (invited)
Detection, Classifcation and Localization of Hazardous Substances in Public Facilities ............................................................. 590
Multisensory Acquisition for Situation Awareness in Riot Control Scenarios ............................................................................. 594
The Need for High-Performance Detectors in Security Applications: Results from a Test Bed for the Detection of Vapours
Emitted from Moving Sources and the Results from Outgassing Experiments of Packaged TATP .............................................. 597
Detection of Explosives Scenarios, Sensors and Realistic Concentrations ............................................................................... 604
Multi-Sensor Awareness for Protection and Security ................................................................................................................ 608
B.9 Surveillance and Identifcation of People (invited)
GPS/EGNOS Based Surveillance and Guidance in an Airport Environment ................................................................................ 612
Realtime Event Detection and Prediction on Position Data Streams .......................................................................................... 618
Security Systems With Seamless Authentication Based on Smart Phones and Surveillance Cameras ......................................... 622
A Step Forward to Automated Latent Fingerprint Segmentation ............................................................................................. 627
Scanning for Hazardous Objects on the Seafloor State of the Art
Technologies
Wolfgang Jans
1)
, Holger Schmaljohann
1)
, Florian Langner
1, 2)
, Christian Knauer
2)
, and Wolfgang Middelmann
3)

1)
Bw Technical Center for Ships and Naval Weapons, Naval Technology and Research (WTD71), Research De-
partment for Underwater Acoustics and Marine Geophysics (FWG), Klausdorfer Weg 2-24, 24148 Kiel, Ger-
many, e-mail: WolfgangJans@bwb.org

2)
Universitt Bayreuth, Institut fr Informatik, AG Algorithmen und Datenstrukturen, Universittsstrae 30,
95447 Bayreuth, Germany, e-mail: christian.knauer@uni-bayreuth.de

3)
Fraunhofer Institute of Optronics, System Technologies and Image Exploitation (IOSB), Gutleuthausstrae
1,76275 Ettlingen, Germany, e-mail: Wolfgang.Middelmann@iosb.fraunhofer.de
Abstract
A broad variety of objects can be found on the seafloor. This starts for example with sea mines, a cheap and
widely used weapon, followed by wrecks, waste, or dumped ammunition and ends with pipelines or underwater
archeological finds.
Sea mines pose a very effective threat to Navies and the free maritime trade. Besides conventional units Navies
worldwide consider increasingly unmanned underwater vehicles (UUVs) with new technological solutions for
mine counter measures. This includes in particular high-resolution sonar techniques such as synthetic aperture
sonar (SAS) and computerized image analysis. Simultaneously, these new technologies can be adapted for civil
applications.
The Synthetic Aperture Sonar (SAS) is a new, innovative development in the field of acoustic imaging of the sea-
bed, which is related to Synthetic Aperture Radar (SAR). By coherent addition of data from a series of consecu-
tive pings a significantly longer antenna is synthesized in the direction of travel. Hence, the lateral resolution is
often improved by an order of magnitude or even more for SAS Systems compared to conventional side scan
sonars.
This paper will discuss briefly several main differences between SAR and SAS and the consequences. Due to the
much longer time for traveling one synthetic aperture, motion compensation is perhaps one of these differences.
An other main difference is the stronger influence of present environmental conditions. E.g., the image quality
can decline in wide areas due to the influence of multipath propagation mainly caused by reflections at the sea
surface or sea floor.
Then we will present our ongoing research in object detection and classification based on SAS image data. This
aims at a completely autonomous object detection and mine classification approach ("Automatic Target Recogni-
tion ATR)" for unmanned underwater vehicles. Our software is divided in into a couple of processing steps start-
ing with pre-processing, screening for regions of interest, reduction of false positives, object classification up to
and including fusion of detection and classification results for different algorithms. Examples for these different
processing steps based on real SAS data will be presented and discussed.

1 Introduction
Sea mines are a cheap and widely used weapon. They
pose a very effective threat to Navies and the free ma-
ritime trade. Therefore, detecting and / or eliminating
mines at sea is one of the most important tasks of any
navy in order to keep sea routes open.
Every Side Scan Sonar (SSS) allows for imaging large
areas of the sea floor with a relatively high resolution
in relatively short time. Therefore, SSS systems are
very interesting for military purposes and have been
constantly improved since the 1950s. First used to e.g.
find H-Bombs lost at sea or a lost Russian submarine
[1], today modern synthetic aperture SSS systems are
used to detect and classify small underwater objects
including underwater threads like sea mines or impro-
vised explosive devices (UW-IEDs). SSS systems are
particularly well suited for Unmanned Underwater
Vehicles (UUVs).
Apart from military purposes, SSS imagery can be
Session A.1 Future Security 2011 Berlin, September 5-7, 2011
1
used for various additional applications. E.g., among
other sensors, a low frequency 120/410kHz EdgeTech
2200-MP SSS was used to locate the debris field and
bodies of flight AF447, which disappeared on May
31
st
2009 over the Mid-Atlantic at 02:14 UTC, in
approx. 3900m depth after a week of a search and re-
covery missions in April 2011. This SSS sonar on a
REMUS 6000 AUV from IFM GEOMAR in Kiel
operated 75m above the seafloor and mapped 750m to
both sides of the vehicle track during surveys [2].
Apart from the ABYSS AUV of IFM GEOMAR two
additional REMUS 6000 AUVs from the Waitt Insi-
tute for Discovery / Wood Hole Oceanograthic Institu-
tion were deployed during these missions.

But the main field of SSS imagery produced by UUVs
is the shallow water environment - although the hard-
ware has to be adopted compared to deep sea equip-
ment. As an example, a detailed SSS image of a Dorn-
ier 17 WW II bomber wreck at a depth of ca. 16 m
can be found under [3]. This bomber was damaged
during the Battle of Britain in August 1940 and at-
tempted an emergency landing on the Goodwin Sands,
a sand bank in the English Channel. The aircraft
ground looped during landing and sank inverted. Ad-
jacent to the wreck a small debris field was found,
comprising e.g. flaps and bomb bay doors, torn off
during landing. The wreck lay proud of sand than dis-
covered in a tidal area with low visibility (max. 5 m).

In addition to entire structures and air planes current
conventional SSS imagery can also be used to search
for small objects and bodies. As an example the search
and recovery result, looking for a drowning victim,
can be found under [4]. Possible oil drums within a
debris field in a harbor (see [5]) are a second example,
which shows the potential to protect the environment
by using SSS systems. Using Synthetic Aperture Sonar
(SAS) processing further improves this capability of
SSS systems to detect and distinguish objects on a
highly structured sea floor, within a harbor and so
forth. The reason is that SAS processing normally (but
not always) enhances the along-track resolution sig-
nificantly by one order of magnitude or even more
compared to conventional SSS systems. Note that a
SAS system has in principle a constant along-track
resolution while this along-track resolution for a con-
ventional SSS system decreases with across-track
range.

Ammunition poses a log-term hazard to the environ-
ment. Many active and former military installations
worldwide have ranges and training areas. Some of
these include adjacent waters such as lakes, rivers or
coastal water areas. Other sites for training and testing
were situated on purpose at sea. In both cases military
operations have led to munitions contamination. In
addition, duds and lost or disposed ammunition con-
taminates waters and seas during military activities.
And last but not least, a lot of ammunitions was for
example dumped after WW II in the Baltic Sea and
North Sea for disposal. This dumped ammunition
needs to be removed e.g. before installations at sea
can be set up and poses a rising significant risk to
people using coastal areas for business or leisure ac-
tivities due to rust.
SSS systems have been used to survey areas at sea in
order to image the seafloor and recover dumped WW
II ammunition and to perform a risk analysis for such
areas [6, 7]. Since dumped ammunition range from
e.g. large ~3.5t torpedoes, over ~500kg sea mines and
~10kg shells to small bullets, the probability to detect
ammunition depends to a large extent on the size of
the objects looked for. For example, detecting ~10kg
shells with a conventional Benthos 400kHz SIS 1625
SSS can be a difficult task due to the small size of the
shells in conjunction with the limited resolution of the
sonar (see Fig. 1). Only the existence of comet marks
[8] created by tidal currents in the given example
permits the conclusion that small objects of the size of
a 10.5 cm shells are present.

Figure 1 SSS image of small objects including cur-
rent induced comet marks (presumably caused by
dumped ~ 10kg shells) of the coast of Helgoland [6]
gathered with a Benthos SIS 1625 SSS.

The given examples indicate, that objects of various
sizes can be detected and located using SSS systems.
Therefore, SSS imagery is often used to detect debris
items and other obstructions on the seafloor that may
be hazardous to shipping or to seafloor installations.
In addition, the status of underwater installations like
e.g. pipelines and cables on the seafloor can be inves-
tigated for maintenance. A inspection survey may in-
clude [9]:
- detection of burial for exposed installation or
detection of exposure for buried installation,
- detection of free span of a pipeline or cable
and estimation of span,
- detection of damages,
- detection of buckling,
- detection of debris next to the installation.

In Fig. 2 an example of an inspection task taken from
[9] is given. In this example a part of approx. 2000m
of a pipeline is shown from one side. This pipeline
part is covered by gravel in several locations.
Last but not least another application of SSS imagery
shall be mentioned, which is of special importance for
2
areas with a long lasting history. In territories like the
Mediterranean Sea maritime archaeology has derived
a lot of benefit from conducting SSS surveys [10, 11].

Figure 2 SSS image of ca. 200m part of a pipeline
shown from one side. The range is 0m (bottom) to
180m (top). (Image: FFI with the HISAS / HUGIN
AUV [9]).

2 Synthetic Aperture Sonar
A typical SSS image shows three different image re-
gions high light regions caused by an object, shadow
regions behind an object and background regions
caused by the sediment of the seafloor. In Fig. 3 a
submarine section is shown, which illustrates this.

Figure 3 SSS image of a submarine section insoni-
fied from the left side showing an object, an object
shadow and the surrounding seafloor.

In order to use a SSS system for detection and classi-
fication or inspection, three processing tasks or deci-
sions have to be taken [12]:
- Whether a pixel belongs to an object, shadow,
or background region is the first task or re-
quired decision for each pixel in a noisy SSS
image.
- Whether an image object is of interest or a
false target caused by speckle noise, stone, bot-
tom structures, is the second required deci-
sion for each observed image object.
- Finally, whether an object of interest is e.g. a
cylinder, a truncated cone, is the final re-
quired decision, which is normally regarded as
classification.

The performance for each processing task depends on
the physical resolution of the SSS system. One simple
predictive model which describes approximately the
performance of a human observer or an automatic tar-
get recognition (ATR) software analyzing SSS im-
agery are Johnsons Criteria [13, 14]. According to
these criteria the minimum required resolution (in the
direction of the shortest object dimension and for a
50% probability to discriminate an object to the speci-
fied task) is 1.5 - 3 pixels for detection, 8 10 pixels
for recognition or 13 16 pixels for classification.
This illustrates that the performance of the different
mentioned discrimination tasks get worse if the object
dimensions get small. Therefore, the physical resolu-
tion needs to be as high as possible in order to avoid
loses. One way to achieve an increase in resolution is
to apply synthetic aperture techniques.

SAS is a revolutionary development in the field of
acoustic imaging of the seabed. By coherent addition
of data from a series of consecutive pings a signifi-
cantly longer antenna the synthetic aperture - is syn-
thesized in the direction of travel. Hence, the lateral
resolution is often improved by an order of magnitude
or even more compared to conventional SSS systems.
This results especially in a benefit for object classifi-
cation. Required SAS processing steps are:
- estimation of the motion of the short physical
antenna from ping to ping using data driven
motion compensation (e.g. the Displaced
Phased Center Array DPCA algorithm),
- estimation of the sensor path based on DPCA
values without or with considering navigation
information from the inertial navigation system
(INS),
- synthetic aperture beam forming including fo-
cusing,
- re-focusing by auto-focusing algorithms.

Critical to the quality of a SAS image are position er-
rors for the physical antenna along the synthetic aper-
ture. Deviations from the often assumed perfectly
straight path can be measured from ping to ping by
data driven micro-navigation methods like DPCA and
have to be corrected for. The estimate of the trajectory
results by integration. One challenge is that the uncer-
tainty of the trajectory increases with the number of
pings. Hence, a combination of DPCA results and INS
readings are normally used for correcting the position
of the antenna in order to achieve the required posi-
tion uncertainty of less than /16 along the synthetic
aperture. This is within the (sub) millimeter range for
several 10-meters of track line.

In Fig. 4 the estimated lateral sway or transverse dis-
placement component of the trajectory is shown for a
data set gathered with an experimental SAS system
attached to the SeaOtter MK II AUV in the Baltic Sea
[16]. The different curves base on readings of the INS
(Green) and results of the DPCA algorithm (Red). For
the third curve (Blue) DPCA results for the yaw angle
(small graph) were complemented by measured head-
ing values from the INS. Fig. 4 illustrates, that the lat-
pipeline gravel
3
eral component of the sway estimate varies quite a bit
depending on the chosen method to get estimates for
the required navigation data. Note that the shown
sway movement is only the lateral component of the
trajectory. For the full trajectory of the SAS antenna
the vertical sway component as well as yaw estimates
and the surge estimates are also required.
The question which micro-navigation method pro-
vides the best results for SAS imagery can be deter-
mined by using a resolution test target. It consist of a
cross with five spheres of 5cm in diameter and dis-
tance on each leg [16]. In Fig. 5 generated SAS im-
ages for this test target and the different trajectory es-
timates from Fig. 4 are shown. The best image (right)
bases on a track estimate derived from the combina-
tion of INS data and DPCA results. Although, some
weak artifacts indicating remaining phase errors can
be still noticed. Track estimates using INS data (left)
or DPCA results (middle) provide much worse image
results.

Figure 4 Estimated lateral sway of the SAS antenna
over 80m of track line:
Green based on readings of the INS,
Red based on DPCA results,
Blue data-driven DPCA estimates of the yaw angle
(small graph) was complemented by measured
heading values from the INS.

Figure 5 SAS images of a resolution test target using
track estimates derived from INS data (left), DPCA
results (middle) and a combination of INS and DPCA
data (right).

2.1 SAS - SAR Comparision
The idea of SAS and Synthetic Aperture Radar (SAR)
is very similar. In both cases the scene echoes for a
number of pings are stored along a portion of the sen-
sor path. These echoes are afterwards combined co-
herently by an appropriate algorithms to generate high
resolution images.
In Tab. I typical system parameters (wavelength ,
SAR/SAS resolution D, synthetic aperture length LS,
vehicle speed V) for a satellite SAR and an aircraft
SAR system taken from [17] are given. These parame-
ters are compared to a 200kHz SAS system with a 30 -
150m swath. Tab. I indicates that the tolerable posi-
tion error r of /16 in order to avoid increased side
lobe levels is system dependent. It decreases from
3.5mm for the considered satellite based SAR to 0.05
mm for the assumed 200kHz UUV-SAS system. At the
same time the required position accuracy has to be ful-
filled over a longer period of time t for the SAS sys-
tem compared to the SAR systems, since under water
it takes much longer to travel the distance of one syn-
thetic aperture. The satellite needs about 0.7s to pass
through one synthetic aperture of 4850m while the
UUV needs about a factor of 20 more time (14s) to
travel 27m. Hence, motion compensation is normally
much more serious for SAS systems compared to a
SAR systems [17].

System / cm D / cm LS / m v / m/s r / t
Satellite ERS-1
(1991 2000)
5,7 500 4850 7000
3.5mm /
0.7sec
Aircraft SAR 5.7 50 570 200
3.5mm /
2.9sec
200 kHz UUV
- SAS
0.75 2.5 27 2
0.05mm /
13.5sec
Table I: Typical system parameters wavelength ,
SAR / SAS resolution D, synthetic aperture length LS,
and vehicle speed v for a satellite SAR and an aircraft
SAR system [17] and a 200kHz SAS system. The last
column gives the tolerable position error r of /16
and the time t for which this is necessary.

Motion compensation is not the only difficult issue for
a SAS system. Range ambiguity is also a more severe
problem for sonar than radar [17]. A single or low
number of element SAS avoiding range ambiguity has
a very low area coverage rate which is not tolerable.
Therefore, practical SAS antennas have always a
multi-element receiver array with N elements and total
length d (Typical N = 96 192, d = 1m - 2m).
Further differences [17] are that SAR systems suffer
mainly from thermal and electronic noise while SAS
systems operate in addition in the noisy sea. Also
sound propagation at sea is much more influenced by
the environment compared to wave propagation
through air or space resulting in a more unstable situa-
tion for sonar. Some factors which have to be consid-
ered for sonar are multipath propagation, a variable
refractive index including refraction effects, temporal
instabilities and sound attenuation. E.g., the SAS im-
age quality may break down to less than 30% and re-
cover to the normal 100% sonar range within a few
ten meters of travel due to the influence of multipath
propagation. This applies particularly for shallow
coastal waters. Also operational conditions causing
4
unexpected UUV movement may significantly de-
grade a SAS image. E.g. cross-currents may lead to
bearing angles or surface waves may result in rapid
changes in the altitude of the UUV. Both causes
blurred SAS images. Therefore, it is essential to un-
derstand all limiting factors in detail in order to use
the SAS technology successfully worldwide under dif-
ferent environmental conditions.

3 Image Processing
After SAS processing the next challenge is the analy-
sis of the obtained images. A SAS system typically
produces about 500 000 pixels per second. Due to this
amount of visual information, an operator needs sup-
port on the job. Object detection can be done, for ex-
ample, by computer-aided detection and classification
algorithms, which highlight and enlarge image regions
with suspicious objects. A second approach, which is
especially of interest for military applications is Au-
tomatic Target Recognition (ATR). An ATR system
analyses SAS or SSS imagery completely autonomous
in order to detect and classify objects on the fly during
the mission. The main military benefit is mission time
which is reduced to a half or more by ATR. Since an
operator is absent in the decision chain on board of an
UUV, requirements for ATR systems are much higher
than for operator assistance.

The image processing system under development at
WTD 71 consists of several processing steps includ-
ing pre-processing, screening (detection), reduction of
false positives and classification [19, 20]. We have
recently complemented our activities by addressing
special image processing issues such as the influence
of image resolution [13], edge preserving filtering
[21] or fusion [22, 23, 24] on the outcome of the en-
tire processing chain. We use in parallel different al-
gorithms for each processing step, to obtain a robust
system.
For physical reasons, side-scan sonar images are very
noisy. Hence goal of the required noise filtering is to
improve the image quality as much as possible by
noise reduction and at the same time preserve the
structural features and contours (e.g., object edges)
and textural information of the image. Several filters
can be used for this task and have been investigated
like Median -, Kuwahara -, Bilinear -, Curvelet - or
UINTA - Filter. In Fig. 6 an example is given. The im-
portance of pre-processing in total, which affects all
subsequent processing steps significantly, is often un-
derestimated.
Screening is the second step in our ATR processing
chain. It allows to detect image regions, that contain a
potential object. Since this processing step must be
fast and robust, typically a high number of image re-
gions are also highlighted which contain false targets.
Screening algorithms may base on statistical features,
contour features, correlation features or other proper-
ties of the image. The algorithms are typically opti-
mized for SSS or SAS data. As an example, a screen-
ing result for SAS data is shown in Fig. 7.

False targets can be caused during screening e.g. by
seabed structures or speckle noise. Since screening
reduces the volume of the remaining image data sig-
nificantly, computationally intensive algorithms, such
as Active Contour approaches (Snakes), can be used
for the reduction of false targets. Snakes minimize an
energy function associated to the contour of an object
and / or object shadow. How well a snake matches a
conture, a snake sepertes image regions with different
statistical properties or a snake represents an assumed
model are some factors, which can determine the en-
ergy function. As an example, image results of an
Gradient Vector Flow Snake taken from [20] are
shown in Fig. 8.

Figure 6: Illustration of edge-preserving behavior of a
Fast Bilateral Filter realized by Fraunhofer IOSB. The
original SAS object image, the filter result, and the
difference of both as an indicator of the loss of con-
tour information are shown.

Figure 7: SAS image of the MUSCLE system
(NURC) with five known objects, highlighted by
computer-aided detection. Each detected image region
with a potential object is overlaid in a filtered and
close-up version.

Afterwards commonplace objects such as stones are
separated from interesting objects such as sea mines
during classification. This is the most challenging
processing step since it requires high physical resolu-
tion [13] and the response of an object located on the
seafloor may vary significantly depending on e.g. ob-
ject position, sonar design / sonar parameters and en-
vironmental factors (e.g. ripple, vegetation).

5
Figure 8: Result of Gradient Vector Flow (GVF)
Snake algorithm for SAS data of a truncated cone and
a cylinder gathered by the MUSCLE system (NURC).
The results of the edge-preserving UINTA filter as
precursor and the Snake in the original images are
shown on the left and right, respectively.

The classification process is divided into two main
steps, feature extraction and association of these fea-
tures to a certain class of objects. Features represent
condensed information of an object image and can
range from simple structures such as points, corners or
edges to more complex structures such as shapes or
ridges. Mathematical or statistical values may also be
used as features.
Feature extraction from an ROI results normally in a
n-dimensional vector of numerical values that repre-
sent an object. This vector may be reduced in dimen-
sion and is then assigned to a certain object group,
which represents objects with similar attributes (e.g.
cylindrical objects). This is the actual classification
step. We use a Probabilistic Neural Network (PPN),
K-Nearest neighbor (KNN) and two forms of Support
Vector Machine (SVM) algorithms for this step.

Figure 9: Multi aspect fusion results for different
combinations of aspect angles

Finally, studies [22, 23, 24] indicate that fusion is a
promising strategy to further increase the probability
of detection and decrease the number of false posi-
tives. In Fig. 12 the fusion gain in a multi-view
framework, where a set of acoustic images for differ-
ent aspect angles are processed, is shown. Object im-
ages are processed individually down to classification.
Afterwards the results for three different aspect angles
are fused using a voting strategy and compared to the
results for a single view. This results in a significant
improvement for correct classification especially in
the region of low false alarms.

4 Conclusion
In the first chapter different application were de-
scribed. Main civil applications for SSS imagery in-
clude search and rescue missions ranging from
crashed airplanes to dumped ammunition and inspec-
tion missions.
The capability to detect, recognize and classify some-
thing in a SSS image depends on the resolution of the
measuring SSS system. This explains the importance
of SAS processing. The performance of high resolu-
tion SAS processing is very sensitive to the environ-
mental and operational conditions. This motivates cur-
rent research activities related to SAS.
Due to the high amount of visual information an op-
erator needs support analyzing SSS / SAS imagery.
First versions of computer aided detection and classi-
fication software are available mainly for military
purposes. Currently Automatic Target Recognition
software, which can analyze SSS / SAS imagery fully
autonomous, is in the focus of scientific research.
Acknowledgement
In recent years the Research Department of WTD 71
has investigated image processing methods for object
detection and classification in conventional side scan
sonar and synthetic aperture sonar images in coopera-
tion with the FU-Berlin and Fraunhofer IOSB (former
FGAN-FOM). The purpose of these activities was to
implement computer aided detection and classification
methods in order to investigate and improve these al-
gorithms and to test all implemented algorithms based
on measured image data. Recently these activities
have been complemented by investigating SAS proc-
essing in cooperation with NURC and Atlas Elek-
tronik. The authors would like to thank NURC for
supporting the SAS activities at WTD 71 FWG and
for providing SAS data from the COLOSSUS 2 sea
trial in the Baltic Sea with the MUSCLE system.
References
[1] http://en.wikipedia.org/wiki/Side_scan_sonar
[2] http://www.ifm-geomar.de/ Wracksuche AF447 -
MV Alucia
[3] History and Honor news article, 7 Sep. 2010
http://www.mod.uk/DefenceInternet/Defence
News/HistoryAndHonour/
[4] http://www.edgetech.com/edgetech/gallery/
item/4125-p-side-scan-sonar-system
6
[5] http://www.l-3klein.com/?page_id=17
[6] H. Fiedler und S. Behringer, Sonaruntersuchun-
gen in der Helgolnder Tiefen Rinne, Wehrtech-
nischer Bericht WTD 71 - 0027/2010 WB, Eck-
ernfrde 2010
[7] http://www.schleswig-holstein.de/AFK/DE/
Das Amt fr Katastrophenschutz, Munitionsalt-
lasten im Meer, Regionale Informationen, Helgo-
land
[8] F. Werner, G. Unsld, B. Koopmann, A. Stefa-
non, Field Observation and Flume Experiments
on the nature of Comet Marks, Sedimentary Ge-
ology 26, 1980, p. 233-262
[9] T.O. Sb, Seafloor Depth Estimation by means
of Interferometric Synthetic Aperture Sonar,
PhD Thesis Sep. 2010, University of Troms,
Norway and T.O. Sb, H.J. Callow and P.E.
Hagen, Pipeline inspection with synthetic aper-
ture sonar, Proc. 33th Scandibavian Symposium
on Physical Acoustics, 07 10 Feb. 2010
[10] R. Quinn, M. Dean, M. Lawrence, S. Liscoe, D.
Boland, Backscatter responses and resolution
considerations in archaeological side-scan sonar
surveys: a control experiment, J. Archaeological
Science 32, 2005, p. 1252 1264
[11] European Commission - ITC Research in FP 7:
VENUS - Virtual ExploratioN of Underwater
Sites, Final Report, 2009, http://www.venus-
project.eu/
[12] Advances in Sonar Technology, Edited by S.R.
Silva, 2009 In-teh, ISBN 978-3-902613-48-6
[13] F. Langner, C. Knauer, W. Jans and A. Ebert,
Side Scan Sonar Image Resolution and Auto-
matic Object Detection, Classification and Iden-
tification, Proc. IEEE Oceans09, Bremen, Ger-
many, 11 14 May 2009.
[14] J. Johnson, Analysis of Imaging Forming Sys-
tems, Proc. Image Intensifier Symposium, AD
220|60, p. 244 - 273, Warfare Electrical Engi-
neering Dept., US Army Engineering Research
and Development Laboratories, Ft. Belvoir, VA,
1958. Reprint in: R.B. Johnson, R. B. and W.L.
Wolf (eds.), Selected Papers on Infrared Design,
SPIE Proceedings vol. 513, pp. 761 - 781, 1985.
[15] R. Heremans, A. Bellettini, M. Pinto, Milestone:
Displaced Phase Enter Array, Sep. 2006,
http://www.sic.rma.ac.be/~rhereman/milestones/
dpca.pdf
[16] J. Rademacher, Interferometry performance -
shallow water experiments in the Baltic Sea,
UAM 2011, Kos, Greece, 20 24 June 2011.
[17] S. Holm, Synthetic Aperture Radar and Sonar
SAR and SAS, Department of Informatics, Uni-
versity of Oslo, 2010, http://www.uio.no/
[18] P.T. Gough and M.P. Hayes, Ten key papers in
synthetic aperture sonar, Proc. Acoustics08, Pa-
ris, France, 29 June 4 July 2008 and M.P.
Hayes and P.T. Gough, SYNTHETIC APER-
TURE SONAR: A MATURING DISCIPLINE,
Proc. ECUA2004, Delft, The Netherlands, 5 8
July 2004
[19] F. Langner, C. Knauer, W. Jans and W. Middel-
mann, Image processing in Side Scan Sonar Im-
ages for Object Detection and Classification,
Proc. UAM2009, Nafplion, Greece, 21 26 June
[20] F. Langner, W. Jans, C. Knauer and W. Middel-
mann, Computer Aided Detection of MLOs in
Side Scan Sonar Images, Proc. UDT Eu-
rope2010, Hamburg, Germany, 8 10 June 2010
[21] W. Jans, F. Langner, C. Knauer and W. Middel-
mann, The effect of pre-processing on the out-
come of an CAD/CAC system for underwater
objects in SAS and conventional side scan im-
ages, Proc. ECUA2010, Istanbul, Turkey, 5 9
July 2010.
[22] F. Langner, C. Knauer, W. Jans and A. Ebert,
Performance gain by fusing classification results
for different aspect angles in SAS side scan im-
ages, Proc. ECUA 2010, Istanbul, Turkey, 5 9
July 2010.
[23] F. Langner, W. Jans, C. Knauer, and W. Middel-
mann, Benefit for screening by automated acous-
tic data fusion, Proc. UAM 2011, Kos, Greece,
20 24 June 2011.
[24] F. Langner,

W. Jans, C. Knauer, A. Ebert, Benefit
for classification by automated acoustic data fu-
sion, UAM 2011, Kos, Greece, 20 24 June
2011.

7
Detection of High Power Microwaves
Christian Adami, Christian Braun, Peter Clemens, Hans-Ulrich Schmidt, Michael Suhrke, Hans-Joachim Taen-
zer, Fraunhofer-Institut fr Naturwissenschaftlich-Technische Trendanalysen INT, Germany
Yolanda Rieter-Barrell, TNO, The Netherlands
Abstract
The growing threat to critical infrastructure by high power microwaves (HPM) also increases the importance of
detection facilities for electromagnetic fields with high field strength. We discuss HPM detection principles as
well as capabilities and limitations of existing HPM detectors. Then we describe the basic requirements for a
system for the detection and identification of HPM threat signals and a demonstrator of a single-channel HPM
detection system for mobile and stationary use. The system allows the measurement of amplitudes within a very
high dynamic range, the pulse width, pulse repetition frequency and the number of pulses.

1 Introduction
The availability of components to build low-tech high
power microwave (HPM) sources together with the
increasing dependence on electronic devices and sys-
tems has lead to a situation where all microprocessor
controlled electronics can be disabled with HPM at-
tacks at least temporarily with medium sized device
within distances from several 10 m to a few hundred
meters. This is crucial all the more due to the reliance
of critical infrastructures on electronics. The exam-
ples of vulnerable systems range from commercial IT
electronics and network equipment used also in the
military area and in civilian security applications as
commercial off the shelf (COTS) electronics to elec-
tronic systems in vehicles, surveillance equipment
and logistics.
Because of their easy availability, it is very likely that
also persons or groups with criminal or terrorist inten-
tions can acquire such HPM systems. These then
could be used for burglaries, raids, blackmails and
attacks in cases where electronics is responsible for
the safety of persons and property. Without detection
and alarm systems it is easy for attackers to test their
HPM devices without being discovered. For this rea-
son failures and malfunctions of own electronic sys-
tems cannot be traced back to an electromagnetic at-
tack. This is the case the more so because of the gen-
eral lack of awareness of the electromagnetic threat.
Therefore, it becomes increasingly important to de-
velop and investigate detection techniques for this
threat.
For intentional electromagnetic interference (IEMI)
mainly the following procedures come into question:
Pulsed radio frequency (RF) emissions (narrow-
band sources), most conveniently at frequencies be-
tween 30 and 3000 MHz, with pulse widths of
about 0.1 to 10 s.
Single or repetitive ultra-wideband pulses (UWB)
with rise times and pulse widths in the range 10 ps
to 1 ns.
Single and repetitive broadband pulses, maybe also
damped sinusoidal (DS) signals, etc.
Continuous wave (CW) RF emissions in the lower
GHz range.
At the target device electromagnetic field strengths
must be generated which are sufficiently far above the
immunity of the unit. For CW signals and digital elec-
tronic devices the necessary field strength is roughly
in the range above 100 V/m, for pulsed RF or micro-
wave signals and damped sinusoidal oscillations ap-
proximately 1000 V/m and for very narrow, steep-
edged pulses a few kV/m.
The paper gives a short overview of detection princi-
ples and previous detector development in the second
section. Section 3 describes development at Fraun-
hofer INT of a demonstrator of a detection system
with high amplitude dynamics based on logarithmical
amplifier/detector ICs which is able to cover a large
frequency range with broad-band antennas and can be
deployed stationary or vehicle mounted. The paper
concludes with summary and outlook.
2 HPM Detection: Principles
and Previous Developments
2.1 Detection Principles
In the past, basically only low-impedance broad-band
diode detectors have been available as actual detec-
tion elements as both high-impedance diode detectors
and thermal power meters have much too large re-
8
sponse times for short pulses and are useful only for
the recording of time averaged signals. The disadvan-
tage of these detectors is the limited amplitude dy-
namics for pulse measurements which strongly limits
the detectable range of amplitudes and consequently
the possible detection range [1,2]. The voltage vs.
power characteristics of a typical Schottky diode de-
tector head [3] gives an achievable dynamic range of
about 20 to 25 dB under the realistic assumption that
pulsed voltages lower than 1 mV can not be identified
with a digital oscilloscope. This can be hardly in-
creased even with low-noise signal preamplifiers. The
measurement of the transient response of such a
Schottky diode detector shows that it is possible to
resolve rise and fall times of some nanoseconds [3].
Special detectors as resistive sensors based on the
electron heating effect in semiconductors in a strong
electric field or lithium niobate crystals utilising the
electro-optical effect are mainly useful for high field
strengths [1,4,5].
Recently, a number of highly broad band and at the
same time in part relatively inexpensive logarithmical
amplifier/detector ICs have entered the market which
allow to avoid the disadvantages of diode detectors.
In principle, these devices consist of a large number
of linear broadband amplifiers with defined gain,
which are connected in series. At the output of each
amplifier is a linear diode detector. The output signals
of all detectors are added via an analogue summing
circuit, so that a quasi-logarithmic detector character-
istic is achieved. The measurement of the detector
characteristic of such a logarithmic amplifier/detector
module shows a dynamic range above 60 dB [3],
which represents a significant improvement over the
previously used diode detectors. The frequency spans
from 1 MHz to 8 GHz with an amplitude correction
of a few dB above 5 GHz. Also the rise and fall times
of the detected signals meet the requirements for
HPM detection completely [3]. With such characteris-
tics the properties of these ICs considerably surpass
some of the conventional logarithmic ampli-
fier/detector units as employed e. g. in radar warning
systems.
2.2 Previous HPM Detector Develop-
ments
For surveillance of the surroundings of electronic fa-
cilities against electromagnetic attacks detection sys-
tems are needed, which register at least the occur-
rence of HPM signals as such. Those devices, option-
ally enhanced by a coarse display of amplitude levels
and number of threat pulses, are in many cases suffi-
cient as pure alarm units. Such small-sized low-cost
systems already have been realised in different im-
plementations in form of battery-powered pocket or
hand-held units with integrated omni-directional
broad band antennas [1].
As a first example Canary is a prototype sensor de-
signed and developed by Qinetiq, United Kingdom.
According to the Canary datasheet [6] the specifica-
tions of the detector are as follows:
Signal types: HPM, High Altitude Electromagnetic
Pulse (HEMP), Non-Nuclear Electromagnetic Pulse
(NNEMP), DS (for repetition rated waveforms),
UWB (for repetition rated waveforms, minimum
pulse width detected: ~ 300 ps).
Frequency range: 10 MHz - 8 GHz (calibrated), up
to 40 GHz has been detected.
Sensitivity threshold:
Low level: 1 mW/m
2
(E
eff
~ 1 V/m).
High level: 1 W/m
2
(E
eff
~ 20 V/m).
Electromagnetic Pulse (EMP): 1 kW/m
2
, single
pulse (E
eff
~ 615 V/m).
Maximum input level: not known.
The sensitivity levels can be tailored to meet require-
ments for specific applications.
The LO, HI and EMP detection levels of 1
mW/m
2
, 1 W/m
2
and 1kW/
2
correspond to an effec-
tive field strength (E
eff
) of 0.6 V/m, 19.4 V/m and
614 V/m, respectively. According to datasheet [6]
these levels are based on the following:
LO warning; Low alarm threshold indicating that
an EM event has been detected of sufficient mag-
nitude to cause IT upset or degradation (indication
visible and audible).
HI warning; High alarm threshold indicating that
an EM event has been detected of sufficient mag-
nitude to cause IT prolonged disruption or damage
(indication visible and audible).
EMP warning: Indication that a single EMP
event has occurred. Description of the physical
operation (indication visible and audible).
The second example is the microwave microphone, a
first generation high power microwave detector de-
signed and developed by Market Central, USA. Ac-
cording to the product sheet the specifications of the
detector is as follows [7]:
Signal types: Transient Electromagnetic Device
(TED), UWB and CW.
Frequency range: 900 MHz - 2.9 GHz (flat re-
sponse), 400 MHz - 3 GHz (-10 dB).
Sensitivity threshold: ~ 100 V/m.
Visual indication via a 10-segment LED covering a
30 dB range (up to ~ 3 kV/m).
Maximum input level: not known.
The detector can sense signals in all three polarisation
axes and has the capability to indicate detection real-
time or in a peak hold mode. It has an audible alarm
with a false alarm indication. The internal antenna can
be replaced by external antennae optionally [7]. The
detector contains a rechargeable battery and USB
connectivity. USB connectivity is presently used to
recharge the battery, but will be used for networking
and remote reporting at a later stage. The detector is
relatively light in weight and consumes very little
power [7].
9
The third example is a high power microwave detec-
tor prototype designed and developed by TNO, The
Netherlands [8]. The detector has been designed to
meet specifications on signal types, flat frequency re-
sponse, omni-directionality and response time. More-
over, the detector was designed to be low-cost. Less
attention was paid to the maximum input level the de-
tector is resilient too. The characteristics of the detec-
tor are as follows:
Signal types: Carrier-based pulses, UWB and CW.
Frequency range: 100 MHz - 8 GHz (flat response).
Sensitivity threshold:
Low level: 3 V/m.
Medium level: 10 V/m.
High level: 40 V/m
Visual indication via 3 LEDs, separate indication
CW and carrier-based pulses.
Maximum input level: > 1000 V/m (carrier based),
> 3 kV/m (UWB).
The detector has shown to have a flat frequency re-
sponse in the frequency range tested. The detector is
fast enough and sensitive enough to detect CW, car-
rier-based and UWB pulses in all directions (in cur-
rent set-up only one polarisation axis). The maximum
input level is not stated in the specifications but has
been further researched [9].
Sensitivity and robustness tests of some of the exist-
ing detector prototypes show that developers should
take special care of robustness of detectors against
HPM [9].
3 HPM Detector for Mobile and
Stationary Use
3.1 Detector Requirements and Devel-
opment Concept
For permanent surveillance of high-value or mission-
critical stationary facilities and especially for search
and identification of HPM sources such devices
should, however, feature an extended scope of per-
formance. These additional features include the dis-
play of field strength of the threat signal, an ampli-
tude dynamics (i. e. detection range), which should be
as large as possible, the counting of pulse number or
display of pulse repetition rate, the display of pulse
width, preferably a frequency independent display of
field strength in a wide frequency range, and finally
the directional and polarisation independence of the
receiving antenna or a radiation pattern with defined
wide angular range of constant gain for sector surveil-
lance. The detectors should be able to detect pulsed
electromagnetic fields with threat field strengths
above 1 kV/m independently of frequency, be im-
mune to field strengths of some 10 kV/m and be able
to detect HPM sources at medium distance (i. e. field
strengths down to at least 100 V/m). The detection of
all signal types from CW via narrow band and
damped sine pulses to ultra wide band (UWB) pulses
ideally requires response times in the upper picosec-
ond range. The classification of detected incidents ac-
cording to pulse form, i. e. amplitude, pulse width and
pulse number or repetition rate can help to identify
false alarms.
Further development stages should realise a coarse to
medium display of the direction of HPM impact for
localisation of an attacker and of the HPM frequency
via filter benches. The devices should be operable
with batteries for a certain time in addition to a sta-
tionary or on board power supply for operation from
vehicles.
The detection system developed at Fraunhofer INT
meets the following criteria in the first phase:
Notification that a pulsed electromagnetic field was
detected independent of frequency with threat level
field strength (> 1 kV/m).
Damage immunity against field strengths of up to
several 10 kV/m.
Frequency independent detection of HPM sources
in medium distances (e.g. detection of E > 100
V/m) for warning and searching.
Measuring dynamics preferably > 60 dB.
Polarization independence.
Directional independence (at least in the horizontal
plane) or in a defined sector (e.g. 90 degrees).
Classification of the detected events by amplitude,
pulse duration, pulse repetition frequency, form,
etc.
In the first stage the system is built as a single-
channel assembly with a polarization-independent
broadband antenna and a logarithmic ampli-
fier/detector module. To stay within the usable range
of the amplifier/detector module an attenuator of 60
dB is necessary between antenna and amplifier input.
A fast PIN diode limiter is connected at the entrance
of the IC in order to avoid damage of the device even
in the worst case. Figure 1 shows the block diagram
of the system. Accordingly values for field strength
can be obtained between < 100 V/m and > 10 kV/m.

DISCR. COUNTER
LOG. -
AMPLIFI ER-
DETECTOR
-60dB 0...- 60dBm
GAIN~0dB
P(an t)
DIGITAL-
OSCIL LOSCOPE
ATTEN-
UATOR
SPIRAL-
ANNTENNA
DI ODE-
CL IPPER

Figure 1 Block diagram of the first development
stage of the HPM detection system
The signal amplitude and pulse shape are measured
with a high-speed digital oscilloscope, which in turn
is read out by a PC via GPIB. In addition to the
10
graphical representation of the envelope of the HPM
pulse the evaluation software shows amplitude and
field strength, pulse width and pulse repetition rate.
Furthermore, the number of the threat pulses can be
registered by a separate counter or by counting the
trigger events of the oscilloscope.
3.2 Demonstrator of a Single Channel
HPM Detection System
Figure 2 shows the layout of the demonstrator. One
recognizes the spiral antenna on the left, the battery-
powered multi-channel oscilloscope for signal proc-
essing and the RF part in the middle and the computer
with GPIB interface and the necessary analysis and
display software in the right. The shielded RF part
contains the logarithmic amplifier/detector module
and an appropriate input circuit for self-protection.

Figure 2 Demonstrator of overall system
The spiral antenna is designed for the frequency range
0.5 - 2 GHz but can also be used between 0.5 and 10
GHz without significant gain changes and has a direc-
tional pattern with a width of greater than 90 degrees
(-1 dB to -2 dB). Due to the circular polarization the
spiral antenna receives linear polarized signals inde-
pendent of the polarization plane.
The system can be operated by mains or on-board
power supply and with internal batteries, respectively.
For this reason the oscilloscope has a built-in battery,
from which also the RF part can be supplied. The
computer can also run with its internal battery. In this
way the detection system can be flexibly moved
around, without relying on an external power supply.
The antenna and the RF part can be placed outside
protected zones. At expected high field strengths the
oscilloscope and the computer should be primarily
used within a shield. In the search mode at low field
strengths the screening of a motor vehicle should be
sufficient.
3.3 First Tests of the HPM Detection
System
Tests of the detector have been carried out in the TEM
waveguide of Fraunhofer INT using pulsed HPM
sources with frequencies between 150 MHz and 3.4
GHz and a pulse width of 1 s and low power sources
up to the upper frequency 8 GHz of the TEM
waveguide. The field strength has been measured and
compared with the detector characteristic in the meas-
urement setup as in Figure 3. The test setup with the
spiral antenna in front and the shielded RF part of the
detection unit behind it in the TEM waveguide is
shown in Figure 4. The digital oscilloscopes and the
controlling computer were positioned outside the
shielded hall.

HPM
detector S
E
H
Pulsed
source
Directional
coupler
.
TEM waveguide
Digital oscilloscope Digital oscilloscope
GPIB
Controlling computer
Udet
Diode detector
Amplitude

Figure 3 Measurement setup for detector tests

Figure 4 Test setup in TEM waveguide
The detector characteristic was calculated considering
the measured antenna factor of the spiral antenna and
the 60 dB attenuator besides the characteristic of the
logarithmic amplifier/detector module itself from a
minimum frequency of 500 MHz limited downward
by the antenna factor to 8 GHz as maximum fre-
quency of the logarithmic amplifier/detector module.
In parallel, the field strength was measured using a
directional coupler and a diode detector to determine
the input power into the waveguide (cf. Figure 3).
The latter is related to the field strength at different
measuring points inside the waveguide by calibration
11
measurements. As an example, Figure 5 shows the
comparison between measured and calculated results
for the frequency f = 1.2 GHz. Field strengths be-
tween some 100 V/m and about 1.5 kV/m have been
generated at the chosen measuring point inside the
waveguide for this frequency.
Finally, Figure 6 shows the frequency dependence of
the HPM detector characteristic determined at con-
stant detector voltage for frequencies between 500
MHz and 8 GHz with E
0
= E(f = 1.0 GHz). The sensi-
tivity of the detector, derived from the necessary field
strength to obtain a certain detector voltage, decreases
with increasing frequency. One reason for that is the
frequency dependence of the antenna factor at con-
stant gain, another reason is the frequency depend-
ence of the gain itself.
1
10
100
1000
10000
0 0,1 0,2 0,3 0,4 0,5
|Udet[V]|
E
[
V
/
m
]
calculated
measured
Figure 5 Comparison of measured and calculated
results for f = 1.2 GHz
-5
0
5
10
15
20
25
30
0 1 2 3 4 5 6 7
f[GHz]
E
-
E
0
[
d
B
]
8
Figure 6 Frequency dependence of detector charac-
teristic
So far, tightness and robustness (electromagnetic im-
munity) of antenna and RF part of the HPM detector
(cf. Figure 4) have been tested against field strengths
up to 1.5 kV/m for frequencies between 150 MHz and
3.4 GHz. In the future, robustness tests will be carried
out also in the reverberation chamber for field
strengths above 10 kV/m.
4 Summary and Outlook
For security reasons it is very important to have avail-
able a detection system to protect critical equipment,
systems and infrastructure against IEMI threats. For
this purpose we have given an overview of HPM de-
tection principles as well as capabilities and limita-
tions of existing HPM detectors. Sensitivity and ro-
bustness tests of some representatives show that ro-
bustness of detectors against HPM is an important
issue. We have described the basic requirements for a
system for the detection and identification of HPM
threat signals and have discussed single-channel dem-
onstrator of an HPM detection system at Fraunhofer
INT. In its first stage it enables the detection and iden-
tification of HPM threat by measuring the field
strength within a very high dynamic range, the pulse
width, pulse repetition rate and the number of pulses.
In future a number of multi-channel detection systems
will be developed at Fraunhofer INT on the basis of
the single-channel demonstrator. The first step will be
a rough determination and display of the direction of
the incident threat pulse. For this purpose four detec-
tion channels can be used with four spiral antennas
and logarithmic amplifier/detector modules. As angu-
lar ranges of 90 degrees can be covered with the pre-
viously described antenna types the detection in the
entire 360 degree azimuth range is possible with four
antennas. The direction of incidence can be roughly
evaluated and displayed by analyzing the amplitudes
in the four channels. The azimuthal information can
be determined in more detail through the use of an-
tennas with narrower antenna diagrams and the in-
crease of the number of channels.
To obtain more precise information about the carrier
frequency of the threat pulse, the signal of an antenna
can be split to a larger number of channels via a coax-
ial power divider, whose outputs are each equipped
with a band pass filter. Depending on the bandwidth
of the filter and number of frequency channels the
carrier frequency can then be determined from the
amplitude ratios of the individual channels. This
method was used in principle already in [2] for a
rough determination of the unknown frequencies of
pulsed microwave signals, but at that time with a
much smaller dynamic range compared with modern
logarithmic amplifier/detector modules.
In the demonstrator systems discussed up to now only
the antenna and the RF part can be exposed to the full
threat field strength, whereas the signal acquisition
and processing with a digital oscilloscope and a port-
able PC have to be operated in a shielded environ-
ment in most cases. In a further expansion stage the
analogue-digital conversion and analysis of the pulses
could also be conducted in the highly shielded RF
module instead by an external oscilloscope. The read-
out of the computer implemented in the RF module
would then be carried out over fibre optic cables to an
also highly shielded control unit. In this way the over-
12
all system will be usable in any environment without
restrictions.
Such an HPM detection system is flexible enough to
be used vehicle mounted but also stationary for pro-
tection of fixed critical infrastructure installations. It
complements the necessary shielding and protection
measures and alternatively the hardening of critical
infrastructure components against high power micro-
waves.
References
[1] Rieter-Barrell, Y.: Review on HPEM Detection
techniques, Final Report of NATO RTO
SCI-198 Task Group on Protection of Military
Networks against High Power Microwave At-
tacks, to be published
[2] Braun, Ch.; Clemens, P.; Schmidt, H.-U.; Taen-
zer, H.-J.: Ein Mehrkanal-Mikrowellen-Spektro-
meter zur Messung einmaliger Mikrowellenfel-
der im Frequenzbereich 1 26 GHz. Fraunhofer
INT Arbeitsbericht IB-7/00, 2000
[3] Adami, Ch.; Braun, Ch.; Clemens, P.; Schmidt,
H.-U.; Suhrke, M.; Taenzer, H.-J.: HPM Detec-
tion System for Mobile and Stationary Use.
Demonstrator of a Single-Channel Device,
Fraunhofer INT Arbeitsbericht IB-08/11, 2011
[4] Dagys, M.; Kancleris, .; Simnikis, R.; Schami-
loglu, E.; Agee, F. J.: Resistive Sensor: Device
for High-Power Microwave Pulse Measure-
ment, IEEE Antennas & Propagation Magazine,
Vol.43, No 5, 64-79, 2001
[5] Braun, Ch.; Suhrke, M.; Taenzer, H.-J.: Testing
of Resistive Sensors at INT EME Facility,
Fraunhofer INT Arbeitsbericht IB-18/10, 2010
[6] Qinetiq. Datasheet Canary EM detector; issue 3
[7] Market central. Product sheet Microwave mi-
crophone
[8] TNO: User manual HPM detector, 2009
[9] Adami, Ch.; Braun, Ch.; Clemens, P.; Rieter-
Barrell, Y.; Schmidt, H.-U.; Suhrke, M.; Taenzer,
H.-J.: Detection of High Power Microwaves,
NATO RTO SCI-232 Symposium on High
Power Microwaves and Directed Energy Weap-
ons, Virginia Beach, USA, 2011
13
Clinotrons High Power Sources for Terahertz Sensors
D. M. Vavriv
1
, K. Schuenemann
2
, V. A. Volkov
1
, and A. V. Somov
1

1
Institute of Radio Astronomy of the National Academy of Sciences of Ukraine, 61002 Kharkov, Ukraine
2
Technical University Hamburg-Harburg, Hochfrequenztechnik, D 21071 Hamburg, Germany
Abstract
A series of clinotron tubes and clinotron based oscillators, which effectively operate throughout the millimeter
and submillimeter wavelength bands, has been developed at the Institute of Radio Astronomy. In this paper, the
design and characteristics of these devices as well as prospects of clinotron oscillators for improving their char-
acteristics and extending the operation frequency range are considered. An example of using a 300 GHz clino-
tron oscillator in a beam steering imaging system is presented.

1 Introduction
The THz frequency range is becoming increasingly
attractive for researchers due to a number of current
and potential scientific and practical applications of
such frequencies. It is clear now that the development
of this frequency range will have a dramatic impact
on remote sensing, telecommunication, radio astron-
omy, plasma diagnostics, medical imaging, security
screening, industrial-process monitoring, monitoring
of atmospheric pollutions, spectroscopy and many
other areas [1-5]. The main factor that still essentially
prevents the application of THz-frequencies is related
to a lack of suitable sources operating within this
range. Most of the applications call for compact, high-
power, tunable, room-temperature oscillators. At pre-
sent time, sources for terahertz radiation are direct
multiplier-based sources, frequency mixers, the gyro-
tron, the backward wave oscillator (BWO), the far in-
frared laser, optically pumped lasers, free electron la-
sers, synchrotron type sources, single-cycle sources,
and some others. Each of these sources has its own
advantages and disadvantages, but none of them
meets completely the formulated requirements. As for
the low-frequency part of the THz-region - up to
about 3 THz, the BWO [6, 7] can be considered as the
most suitable candidate for wide practical applica-
tions. The only disadvantage of this type of oscillators
is related with its low power. In this presentation, we
describe a THz-tube, called the clinotron, which can
eliminate the indicated shortcoming of the BWO. The
clinotron was invented by Ukrainian scientists [810],
and it has already proved its efficiency for frequencies
up to 500 GHz. In the next section, design features of
the clinotron and its main characteristics are de-
scribed. A high level of the output power and a wide
tuning frequency range of the clinotron tubes make
them attractive for the development of various imag-
ing systems for security applications. It has been al-
ready demonstrated that imaging at submillimeter
wavelengths offers the definite advantage of being
able to scan objects through various different mate-
rials [11]. For instance, in security implementations,
dangerous objects can be identified through clothing,
cardboard packaging, and other concealing materials.
In aviation and flight safety, submm-wave imaging
can be used to provide vision through fog, haze, dust
storms, and other harsh weather conditions during air-
craft landing approach or contour chasing [12]. Vari-
ous approaches have been already proposed for the
development of such imaging systems [13, 14]. For
example, a beam steering technique is typically used
to focus scanned area segments onto a single of mul-
tiple receivers [13]. In Section 3, we describe a re-
cently developed beam steering imaging system that
is based on a 300 GHz clinotron oscillator with an
output power level of about 200 mW. Such system
offers advantages related with a long operation range.
2 Clinotron oscillators
The clinotron is similar to the BWO in the sense that
it utilizes the interaction of an electron beam with spa-
tial harmonic components of the electromagnetic field
of a slow-wave structure. However, some essential
modifications in the tube design were introduced. The
distinguishing features of the clinotron are the follow-
ing:
(i) The electron beam is inclined to the surface of a
grating as illustrated in Fig. 1, where the schematic of
the tube is given. By varying the tilt angle , it is
easy to optimize the length of the effective interac-
tion space without changing the geometry of the tube.
14
(ii) The beam thickness is large compared to that in
the conventional BWO.
(iii) The electrons are bunched in an exponentially
growing field.
(iv) A wide electron beam is used, which enables to
increase the beam current and the output power simul-
taneously.
(v) The clinotron is usually built as a resonance de-
vice. Nevertheless, the electronic tuning range of the
operating frequency is large what is achieved by suc-
cessively exciting the resonator modes with beam
voltage variation.
The above approaches have resulted in the develop-
ment of clinotron tubes for the frequency range from
30 GHz to 500 GHz [8, 9]. The output power level of
these tubes is at least an order of magnitude larger
than for conventional BWOs [6, 7]. For example, 300
GHz and 500 GHz tubes provide a power level of
about 500 mW and 100 mW, respectively. Physical
dimensions, weight, and the operating voltage of cli-
notrons are comparable with those of BWOs. The en-
ergy output in the clinotron is arranged by means of a
waveguide, as is schematically shown in Figure 1.
Figure 1 Configuration of the beam, the grating, and
the cavity in the clinotron

However, tubes with a distributed energy output,
where the energy is directly radiated via a transparent
window, as shown in Figure 2, have been developed
and produced as well [8-10].
The output energy is coupled out here by means of the
Smith-Purcell radiation. Thus such clinotron tubes ac-
quire the circuit solution used in orotron oscilla-
tors [15]. In the clinotron, this radiation is organized
by using a two-periodic grating. Such clinotron tubes
are easily matched with quasioptical transition lines
and, therefore, this modification is especially interest-
ing for applications in THz-systems.
Due to their unique characteristics, the clinotron tubes
have already been used in various electronic systems
like plasma diagnostic instruments, short-range ra-
dars, local oscillators, etc. To meet the above applica-
tions, compact, solid-state, high-voltage power sup-
plies have been developed for clinotron-based oscilla-
tors [16]. These supplies feature both high efficiency
and reliability. The possibility of the development of
clinotron-based synthesized oscillators with relative
frequency stability of about 10
-7
has already been
demonstrated, too.
Figure 2 Schematic view of the clinotron with dis-
tributed energy output

The theoretical studies [17-19] indicate that the clino-
tron has a large potential for further increasing both
the operating frequency and the output power. In or-
der to implement this potential, clinotron tubes with a
denser and more intensive electron beam should be
realized. It is important that the space charge and
temperature effects do not impose serious limitations
on an essential current density increase as compared
with those values used in the present clinotron design.
According to our recent simulation results, output
power levels of about 2 W and 70 W can be achieved
at frequencies around 1 THz in CW and pulsed oper-
ating modes, respectively. To embody such tubes, the
beam current density should be increased to about 100
A/cm
2
for the CW mode and to about 1000 A/cm
2
for
the pulsed mode. The beam cross section can be 0.05
mm x 2.5 mm, which is the same as in the already
produced tubes.
3 Clinotron-based imaging
system
A block diagram of the clinotron-based imaging
system that has recently been developed and tested is
shown in Figure 3. We developed an imager design
that produces a raster of the scene with a minimal loss
of the radiated energy in order to utilize the high out-
put power capability of the clinotron oscillator. A 2D
single-pixel scanner set-up has been realized so far.
In the imaging system, we use a clinotron oscillator
that is capable to deliver about 200 mW of CW power
in the 300 GHz frequency range. The clinotron wave-
guide output is directly connected to a diagonal horn
15
which forms the radiation pattern with high radial
symmetry. It was designed to provide a paraxial free
space mode within the angles of the lens illumination.
The output radiation is modulated at a frequency of
0.8 kHz by using a mechanical chopper. The radiation
then passes through a 3-dB quasi-optical beam-splitter
used to decouple the outgoing and incoming radiation
while keeping the Tx and Rx radiation patterns
oriented along the same scan axis.
On the receiver side, the detector is equipped with a
same horn which points normally to the transmitter
horn axis into the beam splitter.
The optical system consists of a dielectric focusing
lens that is used to focus the incident radiation and of
a flat mirror which is used to scan the scene. The pla-
no-convex focusing lens was made of Teflon, and it
has the diameter of 220 mm that equals to 220 wave-
lengths at the frequency of 300 GHz. The lens thick-
ness is 34 mm. The lens is illuminated by the trans-
mitting horn with a -10 dB taper at the edge to pro-
vide both optimal gain and maximum Gaussian beam
transformation efficiency. The lens was designed,
manufactured, and tuned to provide the diffraction-
limited beam waist of the spot to be less than 24 mm
at 5 m distance. [20]
The flat flapping mirror has a rectangular shape of
250 mm x 450 mm. The mirror is made of a silver-
plated glass plane that shows a flatness of better than
30 m. The mirror is placed on a PC controlled posi-
tioner.
The beam formed by the lens and positioned by the
mirror is reflected normal to the surface of the inves-
tigated object and returns back through the lens.
The beam then propagates through the beam splitter
reflecting it towards the receiving horn which is con-
nected to the detector. The signal from the detector is
read by a lock-in amplifier. The synchronizing signal
for the amplifier is obtained from an opto-coupler
placed on the chopper rim.

Figure 3 Diagram of the single-pixel scanner set-up

Further improvements that can be made to the imag-
ing system is that the beam focusing optics can be ac-
complished by metal reflectors such as an ellipsoidal
offset reflector mounted on a rotation stage. That
would boost the optical efficiency due to a reduction
of the absorption loss and a decrease of the reflection
loss from the thick Teflon lens. The backscatter loss
from the convex surface of the refractive lens could
also be eliminated.
However, even such a relatively simple set-up as
shown in Figure 3 makes it possible to use the devel-
oped 300 GHz imaging system for various security
and other applications.
4 Future of the clinotron-based
imaging systems
The potential of the clinotron oscillators looks very
well from the point of view of their possible applica-
tions in various THz systems. These oscillators com-
bine unbeatable properties, such as compact dimen-
sions, a high output power, and a wide frequency tun-
ing range. However, for their successful usage in
perspective high-resolution 3D imaging systems,
some further investigations and developments are still
needed. The problem is that any clinotron oscillator is
a self-oscillating device providing natural difficulties
in achieving both high frequency stability and fre-
quency modulation capabilities. This problem limits,
for example, an application of the conventional
FMCW technique for the realization of a fine range
resolution. Nevertheless, our preliminary results indi-
cate that this problem can be solved by using the
above technique in combination with the coherent-on-
receiver technique. In this case, the frequency varia-
tions of each individual frequency sweep are digitally
memorized and used for the processing of the back-
scattered signals. This approach does not require a
high frequency reproducibility and stability, and high
range resolution can be achieved even by using self-
running oscillators. The effectiveness of such ap-
proach has already been demonstrated during the de-
velopment of high-resolution, magnetron-based, mil-
limeter-wavelength radar systems [18].
Our estimations show that an implementation of the
FMCW technique in combination with the coherent-
on-receiver technique in the 300 GHz clinotron based
imaging system described above will allow achieving
a range resolution of about 2 cm. This opens up the
way for the development of novel high-resolution,
long range 3D imaging systems.
Acknowledgements
The authors are thankful to V. Chumak, O. Pishko, S.
Pankov, and E. Lysenko for the development of clino-
tron tubes and for useful discussions, and to R. Koz-
hyn, A. Suvid, K. Sirenko, V. Vasilev, A. Belikov, V.
Semenjuta for their contributions to the development
of the imaging system.
16
References
[1] Siegel P. H.: Terahertz technology, IEEE
MTT, vol. 50, no. 3, pp. 910 920, 2002
[2] Linfield E.: Terahertz applications: A source of
fresh hope, Nature Photonics, vol. 1, pp. 257
258, 2007
[3] Dragoman D. and Dragoman M.: "Terahertz
fields and applications," Prog. Quantum
Electron., vol. 28, pp. 1-66, 2004
[4] Kurt H. and Citrin D. S.: "Photonic crystals for
biochemical sensing in the terahertz region,"
Appl. Phys. Lett., vol. 87, pp. 104 108, 2005
[5] Phillips T.G., Keene J.: "Submillimeter astron-
omy", Proc. IEEE, vol. 80, pp. 1662-1678, 1992
[6] Golant M.B. et al: "Series of wide-range small
power generators for submillimeter wave range",
Pribory i Tekhnika Eksperimenta, vol. 4, pp.
136-139, 1965 (in Russian)
[7] Kantorowicz G. and Palluel P.: "Backward wave
oscillators", Infrared and Millimeter Waves,
vol. 4, K. Button, Ed., N. Y. Academic Press,
ch. 1, 1979
[8] Churilova S.A. et al: The Clinotron. - Kiev,
Naukova Dumka Press, 1992 (in Russian)
[9] Lysenko Yu. Yu., Pishko O. F., Chumak V. G.,
Churilova S. A.: State of the development of
CW clinotrons, Advances of Modern Radio
Electronics, Foreign Radio Electronics, no. 8,
pp. 3-12, 2004
[10] Churilova S. A., Pishko O. F., Schnemann K.
and Vavriv D. M.: Submillimeter-wave clino-
trons with distributed energy output, Proc. of
24th Int. Conf. on Infrared and Millimeter
Waves, Monterey, California, USA, Sept. 6-10,
1999
[11] Nicholas Karpowicz, Hua Zhong, Cunlin Zhang,
Kuang-I Lin, Jenn-Shyong Hwang, Jingzhou Xu,
and X.-C. Zhang: Compact continuous-wave
subterahertz system for inspection applications,
Applied Physics Letters 86, 054105, 2005
[12] Lettington A. H., Dunn D., Alexander N. E.,
Wabby A., Lyons B. N., Doyle R., Walshe J., At-
tia M., Blankson I.: "Design and development of
a high performance passive mm-wave imager for
aeronautical applications", Proc. SPIE,
vol. 5410, Paper 31, Orlando, April 2004
[13] Dobroiu A., Yamashita M., Ohshima Y. N., Mo-
rita Y., Otani C., and Kawase K.: Terahertz im-
aging system based on a backward-wave oscilla-
tor, Applied Optics, vol 43, no. 30, 5637-5646,
2004
[14] Domey T., Symes W. W., Baraniuk R. G. and
Mittleman D.: Terahertz multistatic reflection
imaging,J. Opt. Soc. Am. A, vol.19, no. 7, pp.
1432-1442, 2002
[15] Vavriv D. M. and Schnemann K.: Amplifica-
tion regimes of the orotron: A single-resonator
amplifier, Phys. Rev., vol. 57, pp. 5993-6006,
1998
[16] Volkov V. A., Vavriv D. M., Chumak V. G., Be-
likov A., Alekseenkov S. V. and Kozhin R. V.:
Clinotron-based synthesized oscillators for
THz-regions, MSMW07 Symposium Proceed-
ings. Kharkov, Ukraine, June 25-30, pp. 189-
191, 2007
[17] Schnemann K. and Vavriv D. M.: Theory of
the clinotron: A grating backward-wave oscilla-
tor with inclined electron beam, IEEE Trans. on
ED, vol. 46, pp. 5993 6006, 1999
[18] Manzhos S., Schnemann K., Sosnitskiy S., and
Vavriv D. M.: Clinotron: a promising source for
THz regions, Radio Physics and Radio Astron-
omy, vol. 5, no. 3, pp. 265-273, 2000
[19] Vavriv D. M.: Theory of the clinotron, Pro-
ceedings of IRE: Radiophysics and Electronics,
Special issue, pp. 35-47, 2007 (in Russian)
[20] Thakur J. P., Kim W.-G., and Kim Y.-H.: Large
Aperture Low Aberration Aspheric Dielectric
Lens Antenna for W-Band Quasi-Optics,
Progress In Electromagnetics Research, PIER
103, pp. 57-65, 2010
[21] Vavriv D. M., Volkov V. A., Bormotov V. N., Vi-
nogradov V. V., Kozhin R. V., Trush B. V., Be-
likov A. and Semenuta V. Ye.: Millimeter-wave
radars for environmental studies, Radio Physics
and Radio Astronomy, Vol. 7, no. 2, pp. 121-
138, 2002
17
Scanning Polarimetric Imaging Radiometer: Microwave Imaging
System and Image Merging with IR and Optical Data
Marco Canavero, IAP University of Bern, Switzerland
Dr. Axel Murk, IAP University of Bern, Switzerland
Abstract
A passive radiometer can be turned to an active imaging system by adding active source elements to it. We
conducted several observations, both active and passive, of human environments, landscapes and military
equipments using coherent and incoherent sources with various polarizations. The measurements were con-
ducted in order to emphasis the capabilities of a dual polarimetric imaging system to reveal specific details of a
scene, hard to obtain with other techniques such IR. Moreover, in surveillance and security applications, radi-
ometers can play a key role, especially in environmental analysis and object identification. In IAP institute we
are interested to compare radiometric techniques for surveillance with other methods. In particular, optical,
MW and IR images contain complementary and redundant information about an observed scene. Merging these
images can potentially lead to a system that is effective under all conditions (day/night, fog, rain, etc.) and able
to identify a wide range of objects.

1 Spira Radiometer
The Scanning Polarimetric Imaging Radiometer
(SPIRA) is a fully polarimetric imager in the 90-92
GHz [1]. The instrument can measure simultaneously
the 4 Stokes parameters for an observed scene using
two orthogonally polarized receiver channels and an
analog adding correlation network with 2 GHz of
bandwidth. The integration time/pixel is 18 ms while
average acquisition time/image and receiver noise
temperature are respectively 5 min and 600K.
The antenna consists of a dual polarized corru-
gated feed horn and a 90-axis parabolic reflector
with an effective focal length of 70cm and a projected
aperture of 45cm. The co and cross-polar antenna
pattern of the instrument has been simulated using
software package GRASP. The simulations result in a
full-with-half-maximum beam width of about 0.5,
which has been confirmed by far-field antenna mea-
surements with a 91 GHz transmitter.
The scene is scanned in two dimensions: the off-set
parabolic reflector is rotated around the horizontal
bore-sight axis of the feed horn (elevation), whereas
the antenna and the polarimeter support are rotated
around the vertical axis (azimuth). In both axes step-
ping motors, with a gear mechanism and optical en-
coder for the absolute referencing, are used. Figure 1
gives a schematic overview of the SPIRA polarimeter.
It consists of two heterodyne receiver chains, which
are both connected to the feed horn through an or-
thomode transducer (OMT). The OMT has a polari-
zation isolation of more than 30 dB, which corres-
ponds to 3.2% mixing of the co- and the cross-polar
signal in the correlator. This effect has to be corrected
by the polarimetric calibration of the instrument. In
each channel an additional noise signal from a
switchable noise diode can be injected through a di-
rectional coupler, which is used together with an am-
bient temperature black-body calibration target to
calibrate the gain and system temperature of the
receiver at the end of each antenna scan.
A high pass filter follows the coupler, selecting the
upper sideband of the subharmonic Schottky mixers.
They are fed by a common local oscillator (44 GHz)
to ensure the phase coherence between the two
receiver channels. Optimum pumping of the mixers
and fine adjustment of the phase shift between the
channels are achieved by variable attenuators and a
phase shifter in the local oscillator path. The down-
converted signals are amplified by low-noise IF
Figure 1 Schematic overview of SPIRA polarimeter
18
amplifiers and band limited to frequencies between 2
and 4 GHz [1].
For polarimetric observations it is necessary to
determine the complex cross-correlation between the
two IF signals. For that reason an analog adding cor-
relator is used, which consists of a network of 90
and 180 hybrid couplers followed by six square law
detectors and video amplifiers. From the 6 output
voltages the four Stokes are reconstructed in the fol-
lowing way:

6 1
6 1
5 4
3 2
u u I
u u Q
M
u u U
u u V
+ | | | |
| |

| |
=
| |
| |

\ . \ .

2 Active Measurement
The implementation of an active source for a pas-
sive radiometer can, under certain conditions, incre-
ment the contrast of the images acquired and add ex-
tra information to the measures. It can also turn an
essentially outdoor system in an indoor one (compen-
sating with active illumination the absence of cold
sky radiation). This topic was investigated by con-
ducting observations of various scenes with SPIRA
polarimeter. First indoor experiments with active il-
lumination by a laboratory CW signal source have
been performed. These measurements have the inhe-
rent problem that active measurements require a sig-
nificantly larger dynamic range than passive ones.
Since the receivers and detectors are designed for
thermal input signals they are easily saturated by the
much stronger active signal. A possible solution is to
use a thermal-stabilized background for the image, in
order to increase the contrast reducing the transmit-
ted power at the same time.

2.1 Active Illumination Optics
Concerning the optics of the active illumination
system, different rectangular horn antennas have
been considered. For images covering only a small
elevation range a low gain rectangular horn (Figure
2) can be mounted on the azimuth platform of SPI-
RA. To cover images with a wider field of view a
horn antenna with higher gain will be attached to ro-
tating reflector of SPIRA in order to track the anten-
na pattern. The direct crosstalk between these feeds
and the receiver has to be investigated and mini-
mized [2].
For this application a low side lobe antenna, like
corrugated feed horn, must be considered and the pa-
rallax error between transmitter and receiver has to
be compensated. We can also insert a septum polariz-
er or a retarder plate in the illuminating chain to cir-
cularly polarize the active beam.
2.2 Active Illumination Sources
In order to illuminate a scene an incoherent broad-
band noise source or a coherent continuous wave
(CW) signal or can be used. In general the broadband
noise will reduce interferences and thus the speckle
noise in the image. However, even the relatively
broad 2 GHz detection bandwidth of SPIRA cannot
prevent speckles completely if a single noise source is
used. This would require illuminating the scene with
extended noise sources from different directions. As
noise source for active illumination, we use a noise
diode from 75 to 110 GHz of bandwidth and 15 dB of
maximum noise power, coupled with a W-Band am-
plifier. A CW illumination produces much stronger
speckle artifacts in the image. On the other hand it
has the advantage that it will provide higher sensitiv-
ity and dynamic range, especially when used in com-
bination with digital signal processing techniques.
For SPIRA has been chosen an active W-band multip-
lier driven by a lower CW frequency from a synthe-
sizer. When the CW signal source is tuned outside of
the 2-4 GHz IF bandwidth of the passive receiver, it
can be still detected with separate narrow band detec-
tors tuned to this external frequency, which would
allow observing active and passive images simulta-
neously. Moreover, in the active illumination experi-
ments we have conducted, strong reflection from
metal parts in front of the transmitting antenna, and
increase scattering in received images were observed
(Figure 5). However, these effects seem to be useful
to better understand the shape of highly reflective
metal parts and to increase contrast in the images.
Considering the scene in Figure 3 where on the left a
periodical metal structure constitutes the wall of a
building and observing the active images taken by
SPIRA (Figure 5), the same periodical structure can
be seen in Q and U images, while in passive images
(Figure 4) the wall appears flat.
Figure 2 91 GHz radiation pattern in H-plane (line) and
E-plane (dotted) for the low-gain rectangular horn
19

2.3 Active Illumination Issues
In the process of implementing an active part to a
passive imager, some issues need to be faced. First of
all, direct cross talk between transmitter and receiver
must be avoided. In order to do so, transmitter and
receiver antennas must be separated. Consequence of
this is that additional equipment must be introduced
in order to move the transmitter unit. Thus one loses
the monostatic geometry. Only a coaxial arrangement
of the two antennas could provide an exception,
which is not possible in the circumstances of SPIRA.
The tracking systems of transmitting and receiving
antenna are also under high demands because of pa-
rallax, if both antennas have a high angular resolu-
tion. The problem is eased by one or more transmit-
ting antennas to illuminate the entire image scene, or
parts thereof. However, this increases the required
transmission power. Another solution consist of in-
troduce an azimuth angle fine tuning system for the
transmitter, which can reduce the parallax error but
has the problem to be retuned for each scene.
Figure 3 Optical Image of an Observed Scene
Figure 4 Passive I and U Stokes of the same scene
taken by SPIRA
Figure 5 Active I and U Stokes taken by SPIRA
20
Since the polarization of transmitting and receiv-
ing antenna can be chosen independently of each
other, with a polarimetric system you can obtain all
elements of Stokes matrix. Because of the complexity
in the generation and measurement of all polarization
combinations, a system with a single transmit polari-
zation is preferable.
A certain problem for static scenes is demonstrated
by the statistical speckle noise due to the small num-
ber of independent measurements (Figures 6, 7 and
8). With a CW transmitted signal, in fact, the waves
are superimposed on the surface of different scatter-
ers, which leads to interference effects. To reduce the
speckle noise significantly, the number of radiation
emitters should be substantially increased. This might
also be an extended emitter, accordingly to what hap-
pens to the passive radiometry at the cold sky, with
the difference that a hot spot area would be imple-
mented. Another solution is to increase the band-
width of the transmitted signal, using broadband
noise source. This will reduce the coherent length of
emitted radiation reducing the speckle interferences.
Even with 2 GHz of bandwidth in SPIRA receiver,
the coherent length is not very short. Considering the
following formula for coherent length L
c
:

c
c
L
B
=

where c is speed of light and B is the minimum
bandwidth between transmitter and receiver. In
SPIRA case L
c
= 15 cm [3].
Figure 6 Two hidden metal plates below a coat
Figure 7 Passive image of hidden metal plates taken
by SPIRA
Figure 8 Active image, CW signal with 0dBm of
transmitting power. The speckle interference is
dominant
21
3 Images Fusion
Multisensor data such often contain redundant and
complementary information. The aims of an images
fusion algorithm is to collect all the data coming
from different sources, reducing and selecting it and
finally create new images that contain the most rele-
vant information from the inputs. Application fields
for image fusion are widespread, from surveillance
application, detection of concealed weapons to medi-
cal diagnosis.
In IAP institute we combine data coming from
SPIRA polarimeter (Figure 9) with the one from
infrared (Figure 10) and optical cameras (Figure 11).
Each type of image possesses its own characteristics.
Visual images provide the best definition of objects
and structure but are ineffective in the night. IR im-
ages can then replace optical images in absence of
light, but they have poor penetration depth and can-
not identify hidden metal objects in security applica-
tions. Microwave images are very effective in this
task but suffer a lack of details compared with IR and
optical ones. The SPIRA feature of obtaining the four
Stokes images simultaneously can be used to identify
relevant component in the scene (such metal parts or
structure) and evidence it on the corresponding opti-
cal picture. At the same time, infrared data can be
used to locate human presence in a complete dark lo-
cation or warm bodies.
Techniques based on discrete wavelet transform
and features selection are applied to merge the data.
In particular commercial toolboxes for image
processing based on DWT are used and adapted to
the characteristic of polarimetric images, producing a
reconstructed image where warm objects and metal
parts are highlighted (Figure 12).

Figure 9: Mmw image. Metal parts are highlighted
in blue (cold sky reflection on metal). Warm absorber
in dark red

4 Conclusions
An overview of the activities of the microwave re-
search group in Institute of Applied Physics of Uni-
versity of Bern, regarding imaging systems, is given.
All the topics presented are still under continuous
development and investigation. The results of our ef-
forts look promising and further outcome will be pre-
sented in future.
Figure 10 IR image of the same scene
Figure 11 Visual image of the same scene
Figure 12 Reconstructed image
22

Acknowledgements
The development work for this project has been
funded by Armasuisse W+T under Project No. R-
3210/040-11.

References
[1] A. Duric, A. Magun, A. Murk, C. Mtzler, N.
Kmpfer: The Fully Polarimetric Imaging Ra-
diometer SPIRA at 91 GHz, IEEE Transactions
on Geoscience and Remote Sensing, vol.: 46,
no.: 8, pp.: 2323-2336, 2008.
[2] A. Murk, M. Canavero: SPIRA Hardware and
Software Development for Active Illumination,
Progress Report, IAP, University of Bern, 2010.
[3] Christian Mtzler, A. Murk: Aktive
Beleuchtung fr Szenen von SPIRA:
Vorabklrungen, Forschungsbericht Nr. 2009-
11-MW, IAP, University of Bern, 2009.

23
Standoff detection of "suicide bombers" in mass transit environment
Stanislav Vorobyev, Valery Averianov, Igor Gorshkov, Andrey Kuznetsov, APSTEC Ltd, Russia
Abstract
A device for standoff detection of metallic and non-metallic objects concealed under clothing on human body is
described. The device, based on active interrogation with gigahertz-range electromagnetic waves, can perform
secret inspection of moving subjects. It provides both the image of concealed objects and their dielectric
characteristics, which may be used to facilitate the detection of explosives.

1 Inroduction
Standoff detection of explosive devices concealed un-
der clothing on the human body is still a largely un-
solved task. Existing devices, such as metal detectors,
X-ray portals, thermal vision devices, etc. usually re-
quire that the inspected person stands still or walks
through a designated inspection area. This one per-
son at a time approach severely reduces throughput
of such systems, limiting their application to very few
areas, such as airport security and protection of gov-
ernment buildings. Even more important is that the
fact of inspection is evident to the potential suicide
bomber who can detonate the device right at the in-
spection site, which is usually a population dense area.
The result is that most public places including stadi-
ums, shopping malls, underground stations, etc. are
not well protected against suicide bombers.
That is why any modern detection system should ful-
fill the following main requirements:
1. Work from distance of several meters (ideally, tens
of meters) to provide early warning about the potential
threat.
2. Work secretly, so that the inspected person would
not know he is inspected.
3. Inspect moving targets.
4. Be safe to public and cause no interference with
cell phones etc.

APSTECs technology for detection of metallic and
non-metallic objects concealed under clothing on hu-
man body relies on active probing with coherent ra-
diation with stepped frequency change with Giga-
hertz-range microwaves. The device will offer the fol-
lowing advantages over competing methods:
1. Standoff detection at distances up to 10 meters.
2. Real-time inspection of moving people either in a
public area or at speed at a security portal.
3. Inspection of many people at a time.
4. Clandestine inspection ensures that the terrorist
does not necessarily know that he has been identified
(the device can be covered by any dielectric material
and disguised e.g. as an information stand).
5. Safe for health and property (< 10mW emitted
power).
6. Specificity to metallic/dielectric objects; automatic
analysis of the dielectric constant provides danger
level associated with the discovered concealed objects
(e.g. explosive or a wallet).
7. A video tracking system is an integral part of the
device.
8. Works at high humidity and through wet cloth mate-
rials

APSTECs technology has the additional benefits of
obviating the need for an operator to assess a naked
image of the target individuals, which has proved to
be a significant market sensitivity issue for other
cruder mmW technology solutions. The APSTEC al-
gorithms automatically detect suspicious items and
projects a threat warning box on a normal video image
of the person in question. This is a significant differ-
entiating advantage of APSTECs technology.

2 Technical Approach
2.1 Fundamental technology
Electromagnetic (EM) waves with frequencies about
tens of gigahertz used for such detection system for
the following reasons:
1. They do not require bulky portals, which would de-
mask the detection.
2. They have high-enough penetrating ability in wet
environments (unlike terahertz), enough to penetrate
tens of meters of humid air and layers of wet clothing.
3. Very low power levels needed for detection are
completely safe for health and electrical appliances.
4. They provide images with high-enough resolution
(~1 cm), which is enough to recognize the concealed
threat while not presenting privacy problems (unlike,
e.g. x-rays or terahertz).
The human body is an almost perfect reflector of mi-
crowaves in the frequency range 8-30 GHz used. Any
metallic objects concealed under clothes will be
shown as a bump on the image, while any dielectric
24
object will be shown as a pit, since its electrical
length is added to the waves path before the wave is
reflected from the object-body border. Analysis of the
waves that are reflected from the first (air-object) and
from the second (object-body) borders, when analyzed
jointly with the video image, provides information
about both the dimensions (depth) and dielectric prop-
erties of the concealed object (APSTEC holds Russian
patents [1], [2] covering this approach and two new
pending patents). This information is then used by an
automatic decision-making system to determine the
degree of threat associated with the found object.
Features of interaction of microwave electromagnetic
radiation with matter allow one to solve the following
tasks:
1. detect and localize objects hidden under clothing of
human body;
2. divide the found objects into conductors/dielectrics;
3. determine dimensions of hidden objects and equiva-
lent weight of explosive;
4. determine dielectric constant of found objects.
Figure 1 3D image of the wax block attached to hu-
man body shown from two viewpoints.
2.2 First prototype
The first laboratory prototype of the detection system
(developed in 2005) worked within a 2-8 GHz fre-
quency range. It used a coherent UHF-radiation with a
step frequency change (one step dF = 125 MHz). Ra-
diating aperture was synthesized by moving an ele-
mentary transmitter on a regular 2 cm step. It moved
horizontally and vertically within an area 60cm x
40cm. To reconstruct a 3D-image digital focusing was
used.

Figure 2 Laboratory prototype of the system for in-
spection of human body.
The laboratory prototype for detection of explosives
concealed on human body is shown on Figure 2. The
rectangle on the photo indicates the boundaries of the
inspected region.
A block of wax (yellow object on Figure 2) attached
to the body simulated the explosive charge. Dielectric
properties of wax are close enough to those of stan-
dard explosives.
A 3D image of the wax attached to human body (with-
out metallic wrap) from two viewpoints is shown on
Figure 1. Since the wax simulator, as well as the ma-
jority of explosives, is a dielectric, its image has two
surfaces: the first surface is the front border air-
simulator, the second the border simulator-body,
which is located from the front border at distance, de-
termined by the electrical length of the simulator.
Analysis of Figure 1 yields the following conclusions
about the found object:
1. The object attached to human body is a dielectric.
2. Dielectric constant of the object is 2.6 (correct for
wax; for some standard explosives the value of the di-
electric constant was measured to be about 3).
3. Equivalent mass of explosive corresponding to the
detected object is 1.8 kg.

2.3 Current prototype
The APSTEC prototype system Active Microwave
Device for Detection of Objects Hidden on Human
Body (AMD-256) operates on the principle of ac-
tive probing by coherent microwave range radiation
operating in the range of 8-18 GHz with step fre-
quency changes. The system consists of one elemen-
tary antennae matrix (256 receiving and transmitting
antennae), video cameras for stereoscopic vision, con-
trol and data processing electronics and software.
Only one narrow frequency is emitted and analyzed at
a time, which is changed in predefined steps to cover a
wide frequency range. This allows one to obtain an
image with a range resolution (in the directional se-
quence: antennaclotheshidden objecthuman body)
that is independent of the distance to the object. Dis-
crete software-selectable frequencies allow one to
avoid any interference with electronic equipment. The
total emitted power of the system is less than that of a
typical mobile phone. Real-time data analysis (cur-
rently at up to 10 frames per second) is performed us-
ing high-parallel calculations on commercial graphic
processing units (GPU).

The AMD-256 prototype device can:
1. detect and localize at medium distance any danger-
ous object hidden under the clothes or on body (e.g.
inside a backpack). Characteristic dimensions of the
detected object are 101010 cm
3
.
2. automatically characterize the detected object as
hazardous/benign;
3. determine its size, shape and equivalent mass;
4. perform inspection in real time;

25
5. perform inspection secretly from the inspected per-
son;
6. respect privacy during the inspection;
7. respect health issues during the inspection.

Figure 3 shows a mobile version of AMD-256 assem-
bled inside a protection case on wheels with total mass
of 25kg, which can be moved by one person and in-
stalled in any place to carry out the inspection of pass-
ing people. The device is ready to work 2 minutes af-
ter switching it on.
Figure 3 View of the operational prototype of the de-
vice AMD-256 (front cover is opened).
AMD-256 device performs the inspection of human
body at distances up to 4m, and can automatically de-
tect in real time explosive devices hidden under cloth-
ing or in backpacks (even if they have no metallic
components).
As a result, the operator gets the following informa-
tion on his/her screen:
1. A video image of the inspected area and the person
being inspected. The image is a normal video image.
2. A secondary microwave image of the inspected area
showing all concealed objects at colored bumps
(metals) or pits (dielectrics).
3. Locations of all concealed objects are shown by
colored frames on the video image; colors indicate the
proximity of the found dielectric to the known explo-
sives.

Figure 4. Screenshot of operators screen in AMD-
256 device when detecting: explosive device simulant.
The area containing hazardous object is marked by a
red square. The screen automatically shows an alarm
message (DANGEROUS), mass of the detected ex-
plosive device (M 1.9 kg), and a 3D UHF image of
the detected object.
Figure 5. Screenshot of operators screen in AMD-
256 device when detecting: a pack of biscuits. The
area containing the object is marked by a green oval.
No alarm is shown.
2.4 Methods of installation
Example of a possible installation of a full-scale sys-
tem is shown at Figure 6. The system can be installed
anywhere in subways, corridors, lounges, mobile plat-
forms etc. It continuously performs computer-aided
inspection of all people and objects passing or stand-
ing in the systems sensitivity zone
Figure 6. Schematic view of the full-scale system for
detection of explosives on human body.

To perform inspection AMD-256 can be installed
openly, e.g. on checkpoints of guarded territories and
objects with high-level security (airports, classified
units, border crossing points), or covertly along pas-
sages leading to such objects or along the access pas-
sages to public places (stadiums, concert halls, railway
stations, malls and etc.). For covert installation AMD-
256 can be covered by a panel made of dielectric ma-
terial (e.g. plastic advertising stand).

26

Figure 7. Possible stationary mounting of AMD for
simultaneous covert inspection of bi-directional flow
of people. The inspected areas are two escalators and
the area in front of them.

Figure 8. Possible mounting of a mobile AMD for in-
spection of people entering the building. Two devices
are installed behind temporary advertising stands. The
inspected area is the entrance to the exhibition hall.

3 Conclusions
The paper gives an overview of technological
achievements and current status of development a safe
and inexpensive devices for standoff detection of
threat objects (guns, knifes, plastic bombs, improvised
explosives) attached to human body.
The system based on gigahertz-range microwaves can
perform secret inspection of passing people from dis-
tances of several meters. It can be installed on walls,
ceilings, under floor, inside elevators, and disguised as
information or advertising board.

References
[1] Averianov V.; Kuznetsov A.: Method for remote
inspection of target in controlled area of space,
Patent #2294549, Russian Federation, 2005
[2] Averianov V.; Vorobyev S.; Gorshkov I.: The
method for determining the dielectric
permittivity of the object, Patent 2408005,
Russian Federation, 2008
[3] Averianov V.; Gorshkov I.; Kuznetsov A.;
Evsenin A. "Microwave system for inspection of
luggage and people" Proc. of the NATO ARW #
981699 "Detection and Disposal of Improvised
Explosives", St.-Petersburg, Russia, September
7-9, 2005
[4] Kjellgren J.; Millimetre Wave and Terahertz
Sensors and Technology Proc. of SPIE Vol.
7117

27
Automated Planning in Evolving Contexts: an Emergency
Planning Model with Traffic Prediction and Control
Florence Aligne, Thales Research & Technology, France
Pierre Savant, Thales Research & Technology, France
Abstract
Today crisis responses are structured and driven by predefined protocols specific to the type of event, to the res-
cue team and to the crisis extent. Yet implementations of these predefined protocols do not take into account the
evolution of the current situation such as traffic congestions. In this paper, we present an automated temporal
planning system to improve and coordinate emergency responses at a strategic level. This planning tool is based
on a simplified modelling of the crisis domain, established on the translation of the rescue plans into constrained
actions, and allows taking into account an evolutionary context. This constitutes a major step that enable to pro-
vide an optimal organization of the operations which integrates forecasts of the situation evolution such as estab-
lished by dedicated tools (weather forecasts, forecasts of social movements, of traffic conditions, etc.).
This new generation planner is described hereafter. The first section presents the approach used to model an
emergency and crisis domain. This model is generic and enables on one hand to easily construct adaptable crisis
scenarios, and on the other hand to insure the coordination plans compliancy with the current operational proto-
cols. A simplified modelling of an evolving context is introduced in the second section taking the example of
road traffic forecasts. The third section describes the solution plan and the obtained results.

1 Introduction
In a previous study, we have pointed out the lack of a
global decision support system to coordinate the re-
sponse to crises such as natural disasters, industrial
accidents, or terrorist attacks [1]. Today responses are
structured and driven by a set of predefined protocols
specific to the type of event, to the rescue team (po-
lice, firemen...) and to the crisis extent (regional vs.
local). Yet implementations of these predefined proto-
cols do not take into account the evolution of the cur-
rent situation such as traffic congestions, gas cloud
propagation... It is thus of primary importance to im-
prove these implementations so as to integrate the
context evolution, to optimise resource allocation and
the coordination of all actors to obtain an efficient cri-
sis response [2].

Within the Descartes project, Thales Research and
Technology assessed the central role of rescue plans
in the organisation of the crisis response, and pro-
posed an automated temporal planning system to im-
prove and coordinate emergency responses at a strate-
gic level. The classical planning problem in Artificial
Intelligence is to find a sequence of actions which
maps an initial state into a final state satisfying a set
of desired goals. Temporal planning extends the scope
with concurrent durative actions and aims at minimiz-
ing the total duration of the solution plan. Our plan-
ning tool is based on the definition of a generic model
of the crisis domain, established on the translation of
the rescue plans into constrained actions. This crisis
model is designed using the generic PDDL language
[3], which provides a great flexibility and preserves
independence from the search algorithm.
A recent upgrade of this planning tool enables to take
into account an evolving context. This constitutes a
major step as it allows establishing an optimal organi-
zation of the operations which integrates forecasts of
the situation evolution such as established by dedi-
cated tools (weather forecasts, forecasts of social
movements, of traffic conditions, etc.). This new ca-
pability has been highlighted on an urban terrorist at-
tack scenario where traffic congestions have a major
impact on transit times.

The paper details the results of this recent work as fol-
lows.
The first section presents the approach used to model
an emergency and crisis domain. This model is ge-
neric and enables, on one hand, to easily construct
adaptable crisis scenarios, and, on the other hand, to
insure the coordination plans compliancy with the
current operational protocols. A simplified modelling
of an evolving context is introduced in the second sec-
tion taking the example of road traffic forecasts. The
Session B.1 Future Security 2011 Berlin, September 5-7, 2011
28
third section describes the solution plan and the ob-
tained results. An optimal planner was used to mini-
mise the global crisis response duration, taking into
account traffic evolution and control (police regula-
tion) as well as the dispatching of casualties in hospi-
tals according to a bed type requirement. The adapta-
bility of the planning to the traffic congestions was
proved on several scenarios.
Finally, we discuss some generalizations and future
challenges and conclude.

2 Crisis Domain Model
Nowadays, we assist to a major development of a
wide diversity of crises (natural disasters, terrorist at-
tacks, pandemics, etc.) and the emergence of new
threats (development of atomized terrorism net-
works). This trend is emphasised by the growing ex-
pectation of civil populations towards the decision-
makers. Yet, many crises did not have an appropriate
response management (for example, 2003 heat wave
in France, 2005 Katrina hurricane in New Orleans,
etc.) There are many reasons to these failures: human
deficiencies, organisational problems, lack of training
to face exceptional situations, resources and means
shortage.

In a previous study [1] we identified lack of informa-
tion and decision support systems to assist the deci-
sion-makers during the disasters. In another study [2],
led by Thales Research & Technology in the DES-
CARTES project [8], we analysed that the crisis re-
sponses to any types of event (natural disaster, indus-
trial accidents, or terrorists attacks) are organized
through the elaboration and the application of a multi-
tude of predefined back-up plans and rescue proce-
dures. In France for example, there exist many differ-
ent plans, depending on the type of event (Piratox
plan for chemical terrorist attack, yellow plan for a
casualty with a large number of victims...), depending
on the targeted organisation (police, firemen...), de-
pending on the scale (regional, local...).
These plans structure the organisation of the rescue
operations and the coexistence of many of them must
be as complementary, coherent and effective as possi-
ble. In the DESCARTES project, we aimed to define a
planning tool to facilitate and improve the organisa-
tion and efficiency of rescue operations. A modelling
of the crisis issues has thus been proposed, built on
the translation of rescue plans into lists of linked and
constrained actions as described hereafter.

A simplified Modelling of the Crisis Re-
sponse Management
In DESCARTES, the aim was to facilitate the coordi-
nation and implementation of several rescue plans to-
gether, to adapt these plans to the current and fore-
casted situation and to insure the coherence and re-
spect of all activated protocols.

The objective was to provide some planning tool to
support the crisis manager in charge to coordinate the
crisis at a regional level (Prfet de dpartement). In-
deed, today no advance decision support system is
available at this level, yet the rescue operation coordi-
nation implies many different actors such as the po-
lice, the firemen and the medical services at the
minimum, but also, depending on the crisis type, road
traffic services, railways companies, power suppli-
ers...

Our modelling of the emergency domain is derived
from the translation of predefined protocols into a list
of elementary actions, characterised by a list of agents
(or rescue operators), a list of required resources and
explicit or implicit constraints. For example the
French red rescue protocol that is activated when
the disaster implies a large number of casualties, is
structured via two command posts: a technical and a
medical one. The organisation of the medical rescue
network has three phases: the gathering, the triage and
the evacuation of the victims. Here the phases are se-
quential, as the respect of good rescue practices im-
poses that the victims should not be evacuated before
the triage. This can be modelled by three elementary
actions linked together by some precedence con-
straints and a limited availability of resources (rescu-
ers and vehicles) (see Figure 1).

The analysis of crisis management requirements out-
lined that there is a need to improve the coordination
of all the actors to get back to a stabilised situation
(all victims shall be evacuated, fires extinguished,
etc.) as soon as possible. Using this time criteria and
the victim evacuation as a goal (see section 4), we
thus defined an emergency domain based on protocols
translation and develop a planning module. The aim is
Figure 1: Translation of Rescue Plans into List of Elementary
Actions
29
to provide an optimised sequence of actions as early
as possible after the alert has been triggered and a first
assessment of the crisis situation is available.
This model has been enriched so as to take into ac-
count additional operational requirements. There thus
was a need to improve the dispatch of the victims to
the closest hospital taking into account the number of
available beds and specialities, and a request to avoid
rescue means to be impeded into traffic congestion.

This last point is very interesting as this implies to
take into account the impact of the evolution of the
crisis context into the planning module so as to be
able to anticipate and to mitigate the effects driven by
this evolution. This question is complex and several
aspects must be taken into account: the predictability
of a situation, its modelling and its handling into our
planning module.
3 Traffic Prediction Modelling
The aim is to integrate the impact of the traffic into
the crisis management modelling, so as to handle both
the impact of the evolution of the traffic situation on
the rescues operation and the impact of rescue opera-
tions on this situation (thus as the clearing out of se-
lected roads by the police forces).

Today complex forecasting tools enable to predict
some situation evolution such as the weather forecast,
the propagation of a contaminated cloud, road traffic
congestions, etc.. Thanks to greater computing capa-
bilities, the quality of these predictions has greatly
improved. Predictions tools are split into two main
classes; they are either based on some statistical
analysis, either on some physical modelling of the
predictable phenomenon.

The quality and precision of a prediction tool depends
on the targeted level of the prediction: a prediction
tool can be design to provide a general trend at a
rather large scale or to predict local behaviour. For
example, weather forecast at a country level will indi-
cate occasional rains, as at a local level it should be
able to be more precise and forecast the localisation
and hours of the rains.

In traffic theory, there exist some statistical prevision
models. These models have been established perform-
ing some statistical regression on past traffic data
samples. A well known example is the French previ-
sion tool used to forecast road congestion: Bison Fut,
which is based on SAS programming (13 explicative
variables and 25 second order crossing variables) [6].

The other traffic models are distinguished into two
main types: microscopic and macroscopic models
[15]. Microscopic models are at the vehicle scale:
they model the car move using an ordinary differential
equation and take into account the actions of all sur-
rounding vehicles. These models are appropriate for
local urban traffic network where there is a lot of in-
teraction with the environment, in simulation game
for example [20]. Macroscopic models are at a global
level and are based on hydrodynamic equations. They
represent the road traffic as a fluid flow characterised
by a density and a speed function [16]. Last types of
model are the kinematic models, sometimes called
statistical models. They introduce a distribution func-
tion in space and velocity instead of a description of
individual cars.
For large traffic network the macroscopic models and
statistical forecasts are the most appropriate.

We used statistical data provided by the French Direc-
tion Interdpartementale des Routes (DIR) on the Sy-
tadin web site (www.sytadin.fr). The data represents
456km of rapid urban road, 331km of national road
with a heavy traffic and 4 millions of vehicles per day.
The traffic is commonly monitored using three global
indicators, the total length of jammed road (in km),
the average speed value (in km/h), and a comparative
congestion indicator (in %). The analysis of one year
data outlines some daily trends in the traffic load as
shown on Figure 2.

Furthermore, each value of the global indicator corre-
sponds to a geographical mean repartition of the traf-
fic load. For example, Figure 3 represents the average
repartition of the traffic load for a week-day between
7 and 8 oclock. It is clearly different from the aver-
age repartition of the traffic load for a week day be-
tween 17 and 18 oclock (see Figure 4).

Figure 2: Traffic Repartition by Day and Hour Slices [10]
30

We thus considered in our study that the traffic evolu-
tion can be modelled using some pre-computed refer-
ence traffic situations. Zooming on a week day global
indicator, the evolution of the traffic is simplified as
the succession of reference traffic situations (see Fig-
ure 5). As a first approximation, we used three inter-
vals of values for the global indicator and distin-
guished between the morning and evening travels, we
considered thus 5 traffic situations of reference.

A prediction of the traffic evolution can thus be estab-
lished as the ordered sequence list of these reference
situations: S
0
, S
1
, S
2
, S
1
, S
0
, S
3
, S
4
, S
3
, and S
0
. The re-
sulting traffic model is then reduced to the estimation
of the travel time between two points of interest for a
given reference situation. These travel times are esti-
mated by any external traffic model (macroscopic or
statistical), and stored in abacus for different traffic
situations, see Figure 6. The traffic prediction is then
obtained from these abacuses and the sequence of ref-
erence situations. Note that this modelling only relies
on symbolic points of reference: geographical coordi-
nates are not considered, and the locations are located
through the information of the travel time to go from
one point to another.

The precision of this model can be improved both by
increasing the discretisation of the reference situations
and by using intermediary points of passage between
locations of interest.

We have integrated this simplified traffic model into
the above crisis domain model to take into account the
impact of the traffic evolution into the crisis manage-
ment. As presented in the following section, the re-
sulting crisis domain model enables to handle both the
impact of the evolution of the traffic situation on the
rescues operations and the impact of rescue operations
on this situation (thus as the clearing out of selected
roads by the police forces).

Figure 4: Traffic geographical repartition, evening rush hours,
Figure 3: Traffic geographical repartition, morning rush hours,
[11]
Figure 5: Traffic Reference Situations
31

4 Integration of the Evolving Con-
text in an Optimal Planner
4.1 Definition of a Global Crisis Domain
4.1.1 Description in PDDL
The above defined crisis domain has been designed
using the generic PDDL language. This language is a
generic modelling language used to compare planning
solver tools in international competitions such as
IPC
1
. It thus provides a great flexibility to adapt both
the scenario and domain, and preserves independence
from the search algorithm.

First of all, an urban area is defined as a set of loca-
tions such as the crisis zone, hospitals, police and fire
stations which are connected through an average tran-
sit time for several situations (S
0
, free, S
1
, heavy, S
2
,
congested) and several configurations of the road
network (with open/closed roads). Since we can as-
sume that the best route to connect any of these points
for a given situation is known in advance (e.g. from
an underground station to a hospital), useless path

1
ICP : International Planning Competition,
http://www.plg.inf.uc3m.es/ipc2011-deterministic
planning in the road network is avoided. Resources
are mainly vehicles and equipment for casualty
search, extraction, decontamination, triage, medical
care and transportation, police units, and hospital
beds. Hospitals have a limited capacity and are spe-
cialized so that the casualties are dispatched according
to a bed type requirement.

In order to capture an evolving environment accord-
ing to some prediction we rely on PDDL2.2 timed ini-
tial literals [13].
To capture the traffic evolution we simply express the
schedule of predicted traffic situations in the initial
state. For instance:
(:init
(currentSituation heavy)
(at 121 (not (currentSituation heavy)))
(at 121 (currentSituation congested))
(at 300 (not (currentSituation congested))))

states that the traffic will be heavy in the time interval
[0,120] and congested in [121, 300]. The average time
to connect any two points with a vehicle is given in a
PDDL function which defines an abacus for each traf-
fic situation (S
0
, free, S
1
, heavy, S
2
, congested). Hence
to take the traffic situation into account, a move ac-
tion is written as follows:

Figure 6: Translation of Traffic Reference Situations into Abacuses
32

(:durative-action move
:parameters (?v - Vehicle
?p1 ?p2 Place
?s - Situation)
:duration (= ?duration (averageTime ?s ?p1 ?p2))
:condition (and (currentSituation ?s)
(loc ?v ?p1))
:effect (and (not (loc ?v ?p1))
(loc ?v ?p2)))

In order to specify police operations which alter the
traffic (also referred to as police traffic regulations)
we have introduced street network configurations.
The nominal configuration is when no police traffic
regulation is performed. The other configurations cor-
respond to all possible combinations of blocked
streets (which are not so many since only main boule-
vards are concerned). Abacuses are then extended in
order to store transportation times within each possi-
ble configuration and each possible situation.
The move action is then refined as follows:

(:durative-action move
:parameters (?v - Vehicle
?p1 ?p2 - Place
?s Situation
?c - Config)
:duration (= ?duration (averageTime ?s ?c ?p1
?p2))
(currentConfig ?c)
(loc ?v ?p1))
:effect (and (not (loc ?v ?p1))
(loc ?v ?p2)))

Police intervention on the road network is reflected in
a switch action devoted to switching between con-
figurations:

(:action switchConfiguration
:parameters (?c1 ?c2 - Configuration
?v1 ?v2 - policeunit ?s - Situation)
:duration (= ?duration (deployTime ?c1 ?c2 ?s))
(currentConfig ?c1)
(loc ?v1 ?s1)
(loc ?v2 ?s2)
(available ?v2))
:effect (and (not (available ?v2))
(available ?v1)
(not (currentConfig ?c1))
(currentConfig ?c2)))

Two other switch actions are specified for the cases
where either the source configuration or the target one
is the nominal network.
Another action describes how to secure the crisis
zone, for which the number of police units involved is
made proportional to the zone size.

Beside casualty extraction, decontamination, medical
care, and triage, which are simple resource alloca-
tions, the dispatching of casualties is made dependent
on the bed type required as defined by the open stan-
dard EDXL-HAVE [18]: AdultIntensiveCare, Pedi-
atricsIntensiveCare, MedicalSurgical, Burn,
AdultPsychiatric, PediatricPsychiatric, Negative-
FlowIsolation, or OperatingRooms. A scenario is built
up with a set of casualties with a bed type requirement
chosen among the above categories and the dispatch-
ing is captured with the following action:

(:action host
:parameters (?v - Victim
?h - Hospital
?n1 ?n2 - Natural
?b - BedType)
:condition (and (loc ?v ?h)
(bedRequired ?v ?b)
(bedCapacity ?h ?b ?n1)
(next ?n2 ?n1))
:effect (and (not (bedCapacity ?h ?b ?n1))
(bedCapacity ?h ?b ?n2)
(not (loc ?v ?h))(rescued ?v)))

The model is further refined to apply a priority to
casualties who might die if they are not rescued be-
fore a temporal boundary.

4.1.2 Timed Initial Literals
We made the choice to use an optimal planner to fa-
cilitate the definition of the emergency domain, in or-
der to verify step-by-step that solving problems in this
domain yields well the best solutions we have in
mind. Of course, optimal planners do not scale well in
comparison to the best satisficing planners, which
would be a preferable choice in an operational con-
text; but this proved to be useful in a design context.

The emergency domain requires concurrency and ac-
tions with duration, so we used the CPT planner ([5],
[22], [23], [24], [25] which is still, as far as we know,
the most efficient domain-independent optimal tem-
poral planner.

In order to capture the forecast of exogenous events,
we rely on timed initial literals introduced in
PDDL2.2 ([14], [13]). CPT has been extended to han-
dle timed initial literals in a very straightforward way.
Each timed initial literal of the form (at <time-
point> <literal>), meaning that the literal l must be
true at the specified time-point t in every plan, is
translated into an action a of duration 0 with no pre-
condition and l as effect. The insertion of such an ac-
33
tion in every plan at the specified time-point is then
forced in CPT by means of additional constraints: In-
Plan(a)=true (a belongs to every plan), and T(a)=t(a)
is executed at time-point t, and as its duration is 0, its
effect l is immediately made true). Finally, the
mechanism described in [25] to introduce several in-
stances of the same action is disabled for the special
actions introduced to handle timed initial literals.

4.2 Experimentation on an Urban Crisis
Scenario
4.2.1 A Terrorist Attacks Scenario
A reduced web interface has been developed to sup-
port the scenario definition (see Figure 7). A list of
locations is loaded from a database, together with a
list of available resources: rescue units and hospital
beds (SQL requests). The user can select some units
and dimension the number of victims to be evacuated.
The interface then enables to create the corresponding
PDDL scenario, using some pre-defined traffic aba-
cuses for each traffic situations. The interface enables
to run the planning solver and to display the optimal
solution plan.

Figure 7: Planning solver interfaces
34

4.2.2 Results
The following optimal solution plan was produced for
a scenario involving 4 casualties:

0:(move truckExt lbspp11 lcrise1 fluid in1 trafconf0)[7]
0:(move amb11 lbspp9 lcrise1 fluid in1 trafconf0)[7]
0:(move truckPMA lbspp9 lcrise1 fluid in1 trafconf0)[7]
0:(move truckRBC lbspp10 lcrise1 fluid in1 trafconf0)[8]
0:(move pol9b lpol9 lcrise1 fluid in1 trafconf0)[5]
0:(move amb12 lbspp9 lcrise1 fluid in1 trafconf0)[7]
0:(movetoconfiguration trafconf0 trafconf1 pol9a lpol9
fluid in1)[6]
5:(securezone lcrise1 medium pol9b)[2]
6:(deploytrafficconfiguration trafconf0 trafconf1 pol9a
trafficfluide)[1]
7:(installpma truck_pma lcrise1)[1]
7:(installextraction truck_ext lcrise1)[1]
8:(installdecontamination truck_rbc lcrise1)[1]
8:(extractvictim victime4 truck_ext lcrise1)[2]
10:(extractvictim victime4 truck_pma lcrise1)[2]
12:(decontaminatevictim victime1 truck_rbc lcrise1)[2]
12:(loadvictim victime4 amb11 lcrise1)[2]
14:(move amb11 lcrise1 lhop1 fluid in1 trafconf0)[2]
16:(unloadvictim victime4 amb11 lhop1)[5]
18:(move amb12 lcrise1 lhop1 fluid in1 trafconf0)[2]
20:(trafficconfigurationactivated trafconf0 trafconf1
pol9a fluid)[0]
21:(hostvictim victime4 lhop1 n2 n1 ortho)[1]
21:(move amb11 lhop1 lcrise1 heavy in1 trafconf1)[5]
25:(hostvictim victime1 lhop1 n4 n3 surgery)[1]
25:(move amb12 lhop1 lcrise1 heavy in1 trafconf1)[5]
28:(move amb11 lcrise1 lhop2 heavy in1 trafconf1)[10]
32:(move amb12 lcrise1 lhop1 congested in1 trafconf1)[5]
42:(hostvictim victime2 lhop1 n3 n2 surgery)[1]
43:(hostvictim victime3 lhop2 n2 n1 cardio)[1]

Makespan : 44

This is the list of recommended actions that will re-
duce the time to evacuate all casualties (target), for a
given set of resources (here 2 police forces 2 ambu-
lances 1 decontamination truck 1 extraction truck
1 medical assistance truck). For each action, the first
number represent the relative time ahead at which the
action should start (in minutes), the number in square
bracket is the duration of the action.
In this solution plan, the first moves are under the
configuration c0 and a heavy traffic. At time 20, the
configuration is switched to c1 by police intervention
(police action initiated at time 0 and deployed at time
6), whereas at time 21 the traffic becomes con-
gested.

The following table show the solutions that were pro-
duced for different scenarios. All scenarios were given
the same resources and target (same as above), but
had different traffic environment description.

Scenario
name
Possibility of
traffic regula-
tion by police
forces
Traffic
situation
Duration of
the crisis
response
(mn)
SC1 No Fluid 41
SC2 No Heavy 63
SC3 No Saturated 91
SC4 No Evolving 54
SC5 Yes Evolving 43

The first three scenarios do not take into account the
evolution of the traffic conditions: only a static esti-
mation of the road congestions is used, fixed over the
whole crisis response period. Scenario 1 is thus an op-
timistic scenario, using travel times that correspond to
a fluid traffic situation, whereas scenario 2 uses heavy
traffic conditions and scenario 3 saturated ones. Sce-
nario 4 and 5 integrate an evolution of the traffic con-
gestion: the traffic is fluid from 0 to 20mn, heavy
from 21 to 30mn and saturated after (because of the
crisis). The possibility to deploy police traffic regula-
tions is only given to the planner in scenario 5.
For all scenarios, the planner provides a plan of res-
cue operations that minimises the crisis responses du-
ration (the crisis response is considered to be finished
when all victims are evacuated).
The table results show that if no traffic evolution is
taken into account, the response will be either too op-
timistic (scenario 1) either too pessimistic (scenario
3). The comparison between scenario 2 (heavy traffic
fixed) and 4 (evolving traffic) shows that the use of a
fixed medium traffic situation has some limitations as
rescue moves are not regularly distributed over the
crisis response (here scenario 2 is pessimistic against
an evolving description of the traffic situations). Last,
in scenario 5, though the traffic will become saturated,
the crisis response is well minimised as the planner
was able to anticipate the traffic congestion and to
propose to deploy a police traffic regulation (regula-
tion performed in three phases, at time 0, 6 and 20,
see the planning solution above).

We have run several scenarios of increasing size with
the last release of CPT extended to handle timed ini-
tial literals and get optimal solutions up to10 casual-
ties. Another scenario includes a second attack occur-
35
ring a few moments later which of course has an im-
pact on the emergency planning.
5 Conclusion
The analysis of current crisis responses practices has
shown that the crisis responses are structured through
the elaboration and application of a multitude of pre-
defined back-up plans and rescue procedures. In this
paper, we proposed a planning tool to improve and
coordinate the implementation of several rescue plans.
This planning tool is based on a simplified modelling
of the crisis domain, established on the translation of
the rescue plans into constrained actions. The recent
upgrade of this planning tool enables to take into ac-
count an evolving context. This constitute a major
improvement as it enable to optimise the rescue op-
erations with respect to the forecast of the situation
evolution such as established by dedicated tools
(weather forecasts, forecasts of social movements, of
traffic conditions, etc.). This new capability has been
highlighted on an urban terrorist attack scenarios
where traffic congestions have a major impact on
transit times.

These results are very promising and larger applica-
tions are envisaged. Today, the DESCARTES project
is performing the integration phase, in which the
planning tool will be connected with MASA simula-
tion and visualisation tool [17]. This will facilitate the
analysis of the proposed planning solution and, in the
case of a what-if use of the planning tool, this will
help to dimension the rescue resources.
Also, a study led in the DESCARWIN project [9],
should enable to increase the complexity of the sce-
narios, by splitting the main planning problem into
easier sub-problems, using evolutionary techniques.
The planning system DAE
YAHSP
([4], [21]), supported
by DESCARWIN, has recently won the seventh In-
ternational Planning Competition in the deterministic
temporal satisficing track [12].
This planner will be demonstrated during the DES-
CARTES final experiment, in February 2012.
6 Acknowledgments
This work is being partially funded by the Sys-
tem@tic Paris Region Systems &ICT under the DES-
CARTES project (contract 08 2 93 0368), and by the
French National Research Agency through the COSI-
NUS programme, under the research contract DES-
CARWIN (ANR-09-COSI-002).
7 References
[1] Aligne F., Which Information and Decision
Support System for the Crisis Management?,
NATO RTO Symposium, IST086, C3I for Crisis,
Emergency and Consequence Management,
Bucharest, Romania, 11-12 May 2009.
[2] Aligne F. et Savant P., Gestion de crise :
optimisation de la mise en uvre des plans de
secours , Workshop Interdisciplinaire sur la
Scurit Globale (WISG 2010), Troyes, France,
2010.
[3] Awasthi A., Dveloppement dun systme de
routage hirarchique pour les rseaux urbains ,
thse, Universit de Metz, 2004.
[4] Biba J., Savant P., Schoenauer M., Vidal V.,
An Evolutionary Metaheuristic Based on State
Decomposition for Domain-Independent
Satisficing Planning, 20
th
International
conference on Automated planning and
Scheduling (ICAPS-2010), pp. 18-25, AAAI
Press, May 2010.
[5] Castillo L., Fdez.-Olivares J., Garca-Prez O.,
and Palao F., Bringing Users and Planning
Technology Together. Experiences in SIADEX,
16
th
International Conference on Automated
Planning and Scheduling (ICAPS 2006), pp. 11-
20, 2006.
[6] Danech-Pajouh M., Les modles de prvision
du dispositif Bison fut et leur volution
Recherche Transports Scurit n78 janvier-mars
2003, http://mdpdanech.free.fr/PDF-article/rts78-
bison.pdf
[7] Dautun, C., Organisation de la gestion de
crise : Les secours face une crise de grande
ampleur , Thse professionnelle, mastre
Scurit Industrielle et Environnement, Ecole des
Mines dAls et INERIS, France, 2004.
[8] DESCARTES, Projet du ple System@tic Paris
Region Sytems & ICT Clusters, contrat n08 2
93 0368, http://www.systematic-paris-
region.org/fr/projets/descartes
[9] DESCARWIN, Agence Nationale de la
Recherche, ANR-09-COSI-002
http://www.agence-nationale-
recherche.fr/documents/aap/2009/finance/cosinu
s-financement-2009.pdf
[10] Direction Rgionale de l'quipement (DRE),
Les dplacements sur le rseau de voies
rapides urbaines dle-de-France, anne 2004 ,
DRE, Observation des dplacements sur Voies
Rapides,
http://www.dir.ile-de-france.developpement-
durable.gouv.fr/IMG/pdf/Deplacements_VRU_A
N_2004_cle59612c.pdf
[11] Direction Rgionale de l'quipement (DRE),
Les dplacements sur le rseau de voies rapides
urbaines dle-de-France en 2008, DRE,
Observation des dplacements sur Voies
36
Rapides,
http://www.dir.ile-de-france.developpement-
durable.gouv.fr/IMG/pdf/indicateurs_2007_2008
_cle6ff7a5.pdf
[12] Dro J., Savant P., Schoenauer M., and Vincent
V., Divide-and-Evolve: the Marriage of
Descartes and Darwin, Seventh International
Planning Competition (IPC-2011) held at the 21
st

International Conference on Automated Planning
and Scheduling, pp. 29-30, 2011.
http://www.plg.inf.uc3m.es/ipc2011-
deterministic/Results
[13] Edelkamp S. and Hoffmann J ., PPDL2.2: the
Language for the Classical Part of IPC-4. In
proceedings of the International Planning
Competition held at the 14
th
International
Conference on Automated Planning and
Scheduling (ICAPS 2004), PP. 1-7, 2004.
[14] Fox M. and Long D., PDDL2.1 : An Extension
to PDDL for Expressing Temporal Planning
Domains, Journal of Artificial Intelligence
Research, Vol. 20, pp. 61-124, 2003.
[15] Haut B. and Bastin G., A second order model
of road junctions in fluid models of traffic
networks, Networks and Heterogeneous Media,
Vol. 2(2), pp. 227 - 253, 2007.
[16] Lebacque, J.-P.; Mammar, S.; and Haj Salem,
H., Generic second order traffic flow
modelling, 17
th
International Symposium on
Transporation and Traffic Theory (ISTTT),
London, 2007.
[17] MASA, MASA Sword for Security,
http://www.masagroup.net/images/products/swor
d/masa-sword-security-brochure.pdf
[18] OASIS, Emergency Data Exchange Language
(EDXL) Hospital AVailability Exchange
(HAVE), V1.0., OASIS Standard, 22 December
2009.
[19] Peral-Gutierrez de Ceballos J, F. Turgano-
Fuentes, D. Prez Daz, et al, Casualties treated
at the closest hospital in the Madrid, March 11,
terrorist bombings, Critical Care Med,
33:S107S112, 2005.
[20] Treiber, M.; Hennecke, A.; Helbing, D.,
Congested traffic states in empirical
observations and microscopic simulations,
Physical Review E 62 (2): 18051824,
doi:10.1103/PhysRevE.62.1805, 2000.
[21] Savant P., Schoenauer M. and Vidal V.,
Divide-and-Evolve: a New Memetic Scheme for
Domain-Independent Temporal Planning, 6
th

European Conference on Evolutionary
Computation in Combinatorial Optimization
(EvoCOP 2006), pp. 247-260, 2006.
[22] Vidal V. et Geffner H. Un planificateur
temporel optimal bas sur la programmation par
contraintes , Actes JNPC'04, 2004.
[23] Vidal V. and Geffner H., Branching and
pruning : An optimal temporal POCL planner
based on constraint programming, In
Proceedings of AAAI-2004, pages 570 577,
2004
[24] Vidal V. et Geffner H., Plus d'infrence et
moins de recherche pour la rsolution de
problmes de planification simples , Actes
JFPC 2005.
[25] Vidal V. et Geffner H., Branching and
Pruning: An Optimal Temporal POCL Planner
based on Constraint Programming, Artificial
Intelligence Vol. 170 (3), pp. 298-335, 2006.

37
Highly Efficient Event and Action Processing for Emergency
Management in Large Infrastructures
Rdiger Klein, Fraunhofer IAIS, Germany
Abstract
Critical Infrastructures (CI) are in a continuous change. Today, they become more complex, more heterogeneous,
more dependent on each other, and with a central role of modern ICT. Emergency management in such complex
infrastructures is a challenge for the methodology of information modelling and processing. To do this with tra-
ditional software technologies causes lots of problems in software design, implementation, validation, and main-
tenance. We need a new generation of information technologies in order to manage this complexity. We describe
Critical Infrastructures of different kinds in a unifying methodology as complex cyber-physical systems (CPS).
Based on this methodology we define a descriptive modelling and processing approach for CPS. This provides a
new abstraction layer which allows us to focus on the what of control leaving the how to the control machin-
ery. We introduce semantic models with event and action processing and integrated physical simulations as basis
for CI control. This abstraction layer is especially suitable to manage normal, exceptional, and emergency situa-
tions adequately. Three quite different CI use cases (airports, metro systems, and power grids) allow us to out-
line the practical usage of our approach.

1 Introduction
Critical Infrastructures (CI) [11] are currently chang-
ing significantly in many respects: technically, organi-
sationally, in their business models, or in the way they
are managed and controlled. They become more com-
plex, more heterogeneous, more dependent on each
other, and substantially based on modern ICT. Large
heterogeneous sensor networks and ubiquitous com-
munication and computation provide an innovative
basis for such complex CI. Control of normal opera-
tion and especially emergency management in such
infrastructures are a challenge for the methodology
and for information processing. The IT systems used
to control them have to work adequately under nor-
mal and under exceptional and emergency situations.
Today, these IT systems are mainly complex tradi-
tional software systems frequently including various
legacy systems. They are based on traditional pro-
gramming languages with all related problems of
specification, implementation, maintenance, valida-
tion, and verification.
Especially in the case of emergencies they do not sup-
port the operators adequately. There is a strong need
for a higher level of flexibility and additional func-
tionality for sophisticated decision support.

In order to manage the complexity in modern CI the
key issue is to provide a new level of abstraction for
information modelling and processing. We need a de-
scriptive approach to information modelling which
allows us to focus on the what and leaves the how
to a highly efficient processing machinery.

In order to find out what this abstraction layer has to
look like we first have to ask what the commonalities
of quite different Critical Infrastructures are. If we
can identify a sufficiently large set of commonalities,
this will help us considerably to map this unified
view on information technologies. A thorough analy-
sis of various CI allowed us to develop a unifying
methodology for large complex Critical Infrastruc-
tures. As we will show in this paper we consider CI as
complex heterogeneous cyber-physical systems
[13,10]. They are based on physical behaviour deter-
mined by the laws of physics and technology, and
they are controlled systems using information from
the physical system to specify adequate reactions.
They key issue is to describe the situation in which a
CI is with all relevant aspects and to assign adequate
reactions. The situation can best be characterised as a
complex system of states. Every change in these
states is indicated by events. Every new situation trig-
gers a set of actions which manage this new situation
according to pre-defined policies. This abstraction of
events, states, and reactions is the best way to manage
the inherent complexity. It defines the relations be-
tween events and states and where the association of
actions to complex states can be described on a logi-
cal basis without taking processing details into ac-
count.
The paper is structured as follows: in the following
chapter we outline the basic methodological approach
to describe Critical Infrastructures as cyber physical
systems and the resulting requirements to innovative
information technologies. In Chapter 3 these tech-
38
nologies are described: events, states, actions, reactive
rules, semantic context, and integrated simulations.
Chapter 4 shows how these technologies are applied
in three quite different Critical Infrastructure use
cases: metro systems, airports, and power grids. We
summarise and conclude in Chapter 5.
2 Emergency Management in
Critical Infrastructures
Critical Infrastructures are complex technical systems
of quite different kinds. For a methodology of CI
management we have to answer the question what the
commonalities are between such different Critical In-
frastructures as public transportation, airports, power
grids, oil or water pipeline systems? These common-
alities will provide the starting point for a methodol-
ogy of CI and especially of CI control. Of course, this
methodology will need adaptations to the concrete
kind of infrastructure. Based on this common CI
methodology the information technologies needed for
CI control can be specified.
2.1 Critical Infrastructures as Cyber-
Physical Systems
Critical Infrastructures are physical systems which
show behaviour according to physical and technical
rules. On the other side, they are controlled systems
which follow the rules defined in the underlying pol-
icy. They are run to fulfil certain goals in different
situations. Both aspects their physical nature and
their control - are tightly related to each other: a con-
trol which does not take the physical aspects (includ-
ing environment) into account will not be effective.
Physical behaviour without control is useless or dan-
gerous. Both sides depend on each other. Conse-
quently, we describe Critical Infrastructures as cyber-
physical systems (CPS).
Figure 1: Cyber Physical Systems

The notion of cyber-physical systems was introduced
recently [9,10]. It describes complex technical sys-
tems which are physical and computational systems.
CPS research as such is still at its beginning though it
can be based on a large amount of previous work in
different areas (system theory, control theory, embed-
ded systems, etc.). Recent progress in sensor and
communication technology, the increased complexity
of technical systems, and dramatically grown compu-
tational capabilities prepared the ground for a new
generation of technical systems like modern cars with
their sophisticated safety, control and driver assis-
tance, new airplane generations, transport systems,
industrial plants, and Critical Infrastructures. Previous
generations of such systems were mainly human con-
trolled systems with some control functionality pro-
vided by embedded micro-processors and/or tradi-
tional software systems (SCADA [2] etc.).
Cyber-physical systems in general and CI in particular
are complex, heterogeneous systems of systems. Each
single system or component may possess a more or
less complex behaviour depending on the physical
and technical mechanisms it is based on. As soon as
they interact with other systems in a more complex
system of systems these interactions need appropriate
design specifications in order to be manageable and
39
controllable. These interactions may be described in
different forms, for instance as characteristic parame-
ter curves or as parameter constraints.
2.2 States, Events, and Actions in CPS
For Critical Infrastructures as large networks of inter-
acting systems and components states have shown as
an appropriate abstraction from physical and technical
details. On a detailed technical level the precise volt-
age, temperature, or speed are meaningful, but on a
more abstract control level it is more important to
guarantee that these values are just in a certain state,
i.e., within certain limits for normal operational state,
for light deviations from normal, or for exceptional
and emergency states. Especially the operational
modes (on, off, broken, etc.) can be described in this
way appropriately. States allow us to describe de-
pendencies between systems and components and
their characteristic parameters.
In addition to physical states we need control states as
adequate abstraction for control actions. Voltage, tem-
perature, or speed are physical states instability, ex-
ceptional, or emergency can be defined as control
states. They are based somehow on physical as-
pects, but in a complex way. They allow us to abstract
from technical details and to focus on the essential
aspects of a situation. Whatever the technical reason
for a critical state is there are control actions to be
undertaken independently from the concrete physical
side in this situation (stop operation, warn stake-
holders, etc.). We can define rules in which control
states depend on each other in different parts of a CI.
An emergency situation in a part of a CI may cause an
exceptional state in the rest of the system.
Events are simply happenings like state changes or
parameter measurements. Sensors inform the control
system about happenings in the physical system. Fre-
quently, events are not isolated happenings but parts
of more complex processes: a component failure in a
power grid generates a cascade of event messages in-
dicating breaker reactions, other component failures,
etc.; a fire in a metro station triggers temperature and
smoke sensors to generate event messages; etc. The
set of events and the related system and component
states allow us to describe the complex situations in
which a system is. Complex events allow us to de-
scribe these relationships in an adequate and comfort-
able manner. This includes temporal aspects between
events, states, and actions, spatial relations, functional
aspects (within related parts of a complex system),
etc.
In a similar way we can describe complex actions as
collections of related elementary (or atomic) actions.
Time, space, logical relations, and other aspects can
be used to describe relationships between actions in a
complex action.
A key element in cyber-physical systems is the rela-
tionship between situations and actions. In order to
keep a complex cyber-physical system in an adequate
state the control system has to react to situations ac-
cording to certain control rules. These rules assign
appropriate actions to complex situations. They are
needed for all situations: for normal operational
mode, for different kinds of exceptions, and for emer-
gency situations.
2.3 Communication
Communication is an essential element in each cyber-
physical system. In a CPS, the physical and the con-
trol system communicate with each other through sen-
sors and actuators. Sensors tell the control system in
which state the various parts of the physical system
are and what happens there, and actuators execute ac-
tions initiated by the control system and change the
state of physical system components.
This communication is far from trivial. Whereas IT
systems are highly reliable physical systems show a
significantly higher rate of failure or disturbance. This
may result from external/environmental influences,
from depending systems, or from component failures
in the system itself. Sensors or communication lines
may be broken sending erroneous event messages or
losing them at all. Similar problems may occur with
actuators or their communication links. Consequently
it is important for the control system to keep track of
action execution including temporal aspects. Also
other components in the physical system may be dis-
turbed or broken, or the environment may be in an
unintended state and influence system operation other
than intended. Both may result in exceptional system
behaviour and have to be managed adequately by the
control system.
2.4 Physical Behaviour and Simulations
Of course, the physical behaviour is essential for a
CPS. The functionality resulting from this behaviour
is the reason for its existence. The control is needed to
get the intended functionality out of the systems be-
haviour. Even under exceptional and emergency con-
ditions certain rules have to be observed in order to
avoid unnecessary damage.
Though this may change to some extend in the future,
today physical systems frequently do not provide all
information describing their state to the control sys-
tem. By reasons of practicality or costs only some
data are transmitted through appropriate sensors. This
may be sufficient for normal operation. The control
system knows when a metro train left the platform
and knows that typically after 2 min. the train will
arrive in the next station. It does not know precisely
where the train is in between it can just estimate. In
40
a case of fire in a complex metro station the system
knows where the fire is but it does not know how the
smoke propagates through the platforms, staircases,
etc. This is especially true for future evolutions of
situations which are important for decision making.
Both aspects incomplete sensor information and
forecast are important reasons for simulations in
CPS control. The control system has to maintain a
model of the CPS with all relevant kinds of informa-
tion: spatial attributes and topological relations, mate-
rial properties, technical systems with their character-
istics and dependencies, etc. In order to take physical
behaviour adequately into account an integration of
complex events and actions with simulations is
needed.
2.5 Context and Situations
Critical Infrastructures are complex technical systems.
Typically they consist of various sub-systems with
special behaviours, dedicated roles and mutual de-
pendencies. They provide and need services from
outside. The physical system and the control system
communicate through sensors and actuators exchang-
ing messages about atomic and complex events and
actions.
It is extremely important for an adequate description
of the behaviour and control of cyber-physical sys-
tems that these messages about events and actions
carry all information needed to describe the state of
the physical system to the control system. Temporal
aspects between events and action, spatial relations,
functional dependencies between components and
sub-systems are necessary in order to enable the con-
trol system to maintain all relevant information for
control. Complex events allow us to interpret event
messages in more general patterns. The control sys-
tem does not just receive single alarms from sensors
it detects the rules behind this set of messages and
interprets them in their context.
For this purpose, the control system maintains a
model of the physical system with all relevant kinds
of information: types of components and sub-systems,
their technical and spatial attributes and relationships;
state dependencies between components and sub-
systems; typical behaviours as sequences of states and
transitions under normal and exceptional conditions.
2.6 Control of CPS
In a CPS, the physical and the control system com-
municate with each other through sensors and actua-
tors. Sensors tell the control system in which state the
various parts of the physical system are and what
happens there, and actuators execute actions initiated
by the control system and change the state of physical
system components.
There are two key issues in CPS control: to keep the
system in a desired state where it can provide its func-
tionality, and to react adequately to internal and ex-
ternal changes including failures, disturbances, etc.
Both control issues need reactions to changing situa-
tions: in order to provide its functionality the system
has to be adapted to changing functional requirements
(power to be provided in a power grid; trains arriving
or leaving in a metro station; etc.). If something goes
wrong (a power line is broken; a fire in a metro tun-
nel) the system has to react to this change in order to
avoid larger damages and restore normal operation as
soon as possible. Typically, time is a critical factor for
reactions. The situation may change rapidly, and the
dynamics of the system demands fast reactions
(where the time scale of course depends on the kind
of the system and the concrete situation).
Consequently, we have to bring these two main as-
pects of control together:
- situation assessment; and
- assignment of adequate reactions.
Situations can have many facets. Its not the single
event which describes the situation but the event to-
gether with other events and the states the system and
its parts are in. A fire signal sent by a sensor in a
metro station is a serious event but how serious (and
what reactions are adequate) depends on many other
circumstances: is it a real event or a malfunction of
the sensor; are other signals sent by related sensors,
what is the number of passengers in that area, the po-
sition of trains, are there any obstacles or construction
works around in the metro station, etc.
Following the comprehensive situation assessment we
have to decide which reactions
1
are adequate in this
situation. Reactions have to be assigned to situations
in a generic way and adapted to the concrete situation.
Of course, the physical behaviour is essential for a
CPS. The control system has to maintain a physical
model of the CPS with all relevant kinds of informa-
tion: spatial attributes and topological relations, mate-
rial properties, technical systems with their character-
istics and dependencies, etc. In order to take physical
behaviour adequately into account an integration of
complex events and actions with simulations is
needed.

1
Frequently, control is done partially automatically
(where the reactions are clear and time is short) and to
some extend by experienced human operators which
are supported by the control system. To find the right
work share between the automatic system and the
human operators is a great challenge for control sys-
tem design.
41
3. Innovative ICT for Critical
Infrastructures
The characteristics of information processing in Criti-
cal Infrastructures result in new requirements to in-
formation technologies:
x complex events can be described generically as rules
interpreting incoming event messages according to
certain temporal, spatial, and context patterns;
x complex actions are similarly described as patterns
of simpler actions to be performed with their tempo-
ral, logical, and other relationships;
x reactive rules allow us to assign atomic and com-
plex actions to complex events and situations
x where situations are described in a semantic model
with all necessary details.
x Where needed physical behaviour can be integrated
into event and action processing by simulations.
In the following we outline how these requirements
can be fulfilled by innovative information technolo-
gies.
3.1 Complex Events
Situation assessment is one of the main issues to con-
trol cyber-physical systems. For this purpose we have
to deal with atomic events, complex events as patterns
of (more) elementary events, and states and their
changes.
Atomic events are the elementary happenings in the
physical system. They are observed by sensors which
generate messages sent to the control system. These
events are sent by different types of sensors and indi-
cate a certain state change in the physical system.
They have a unique identity, they may have types like
temperature event or switching event, they are related
to sensors which have a position, a type, and other
attributes, they may carry values like temperature or
voltage, and they are of course characterised tempo-
rally by a begin and an end time
2
. We may assign
confidentiality values, precision values and other
kinds of information to
Figure 2: Event and Action Processing in CPS Control

them.

Atomic events provide basic information. Complex
events allow us to deduce condensed information
by combining different kinds of more elementary in-
formation from different sources including logical and
temporal relations into a useful pattern. We can
combine different events from different sensors at dif-
ferent times to see the change of a situation. We de-
fine complex events by deductive rules from (more)
atomic events, from states, and from logical and tem-
poral constraints [6].
3.2 Complex Actions
Similar to events actions can be atomic or complex.
Atomic actions change directly the state of objects
either in the physical system or in the control system.
They are characterised by a starting time and an end
time, they have a unique identifier, a state they are

2
We focus on occurrence times here though other
temporal aspects like detection time, processing time,
etc. may be relevant, too.
42
going to change, a value, and maybe some other in-
formation.
An important issue in cyber-physical systems is that
the control system has to keep track of action execu-
tion. For this purpose all physical actions are repre-
sented as stateful objects on their own in the control
system. For each action sent to the physical system
the control system introduces a specific stateful object
describing this action. These objects occur in four
states:
x sent for actions just sent to the physical system;
x confirmed for actions which have been con-
firmed by an appropriate event indicating that they
were successfully executed;
x failed for actions where failure of execution has
been explicitly confirmed by an event; and
x unknown for actions where the control system
after a certain specific delay (time out) did neither
receive a confirmation nor a denial message.
Actions can be composed to complex actions. Com-
plex actions are just a kind of macros allowing us to
formulate necessary domain specific relationships be-
tween actions in order to manage a certain situation.
Actions can be combined in various ways to complex
actions [7,8]: as concurrent actions, as sequences, or
alternatives. Logical conditions may be specified
within complex actions. This gives us expressive
means to formulate complex activity patterns which
can be adapted to concrete scenarios.
3.3 Reactive Rules
Complex events describe generic patterns which can
be used to identify and assess concrete situations as
combinations of events and states. Reactive rules as-
sign atomic or complex actions to these situation pat-
terns in order to manage them adequately. Concrete
situations which fit a certain situation pattern (com-
plex event definition) are related to actions using the
concrete specifications in the situation assessment
(through logical variable bindings).
Reactive rules are event condition action rules (ECA)
[1,3]: the events part is used to identify the dynamic
changes in a system, and the condition part provides
the static background to assess and interpret the
events (spatial relations between events and states,
events and states in related systems, etc.). Whenever
the concrete situation matches with the dynamic
(event) and static conditions the ECA rules fires
i.e., the actions are initiated. The generic action pat-
tern specified in the ECA rule is instantiated with the
concrete situation and static information.
These rules are not necessarily fired automatically.
Control is considered as an interplay between the con-
trol system and human operators. The control system
identifies those rules which can be fired and the op-
erator may decide to accept these proposals or not.
Other rules may be executed automatically. Which
approach is adopted in which case is a domain spe-
cific issue.
3.4 Semantic Models
Critical Infrastructures as complex systems of systems
have to process many different kinds of information
from different sensors, actuators, and other informa-
tion sources. Different pieces of information may
be related in various ways to each other. In order to
process this complex information correctly various
semantic relations between them have to be taken into
account:
x where does the information come from
x how is the information source related to compo-
nents, systems, areas, etc.;
x what are the types of involved components and sys-
tems and how are they related to each other, etc.
In order to interpret the many different kinds of in-
formation adequately in the respective context a rich
semantic information model is needed which provides
the necessary information backbone.
For this purpose in EMILI [4] various ontologies are
created and used as semantic information models:
x ontologies for temporal, spatial, causal, structural
and behavioural aspects of large infrastructures;
x a complex event and action ontology as modelling
backbone for the event and action rule engine.
The ontologies can be built on different levels of
granularity: a core ontology, domain specific exten-
sions, and application specific instance worlds.

The core ontology comprises the main kinds of in-
formation to be used in CI information modelling. It
consists basically of two main categories: physical
and abstract. The physical ontology is a coherent set
of concepts needed to model complex physical sys-
tems (see [4], esp. Deliverable 2.2 on SOMAL). It is
deliberately restricted to the most elementary and ab-
stract concepts and relations in this area. It mainly
contains ontologies for temporal, spatial, causal,
structural and behavioural aspects of large infrastruc-
tures. The other main part the abstract ontology is
focused on all event and action concepts needed to
describe situation assessment and reactivity in cyber-
physical systems and their relationships to the con-
crete systems, components, and their attributes and
relationships.
43
One of the main features of cyber-physical systems is
the communication between the physical and the con-
trol system. This communication goes through two
channels: the event channel where sensors and other
information sources tell the control system what hap-
pens in the physical part, and the action channel al-
lowing the control system to control the situation in
the physical system through action messages to actua-
tors, stakeholders, etc. This is one of the main particu-
larities of our approach with significant requirements
to modelling and event and action processing. Sensors
may be faulty, events may be lost, false positive
events may be sent, actions are sent which can not be
executed, etc. a whole spectrum of specific issues
related to event and action processing in cyber-
physical systems. The Core Ontology provides the
necessary means to model these aspects adequately:
complex events can be defined to deal with lost or
misinterpreted events, and actions can be defined in
relation to confirmation or falsification events.
Figure 3 Metro Station Use Case

States play a central role in order to describe the situa-
tion of cyber-physical systems in the physical and in
the control system. The Core Ontology allows us to
relate them to events, to actions, and to other states
through various kinds of dependencies.
For each application domain like metro systems, air-
ports, or power grids this Core Ontology is extended
to those concepts which are needed to model them
adequately. This extension can be done in different
ways: through concrete classes introduced as sub-
classes of the core ontology concepts, or through ad-
ditional attributes and relations for them. This gives
us a great flexibility of information modelling in con-
junction with a clear basic structure provided by the
Core Ontology.
Finally, the domain ontology is used to model the
concrete use cases: a concrete metro system, a con-
crete airport, power grid, etc. All entities populating
such a use case are modelled as instances of domain
specific concepts with their attributes and relations.
4. Use Cases
We consider three quite different but representative
use cases: airport, metro, and power grid. With the
broad spectrum of issues related to emergency man-
agement in these three different domains it was a
challenge to develop a generic methodology which
can be adapted to concrete requirements. In the fol-
lowing we outline the main issues in each use case.
4.1 The Airport Use Case
An airport is not just a complex building with many
areas of different kinds and roles but also a systems
with different technical systems for managing people,
luggage, airplanes, other resources, etc. This has to be
done under various normal, exceptional, and emer-
gency conditions. A network of interacting control
systems is operated in order to enable this functional-
ity.
There are many challenges for safety and security in
airports. A comprehensive analysis can be found in
[14]. We decided to consider a fire scenario as one of
the most important emergency situations in our airport
use case.
In order to manage an airport (including such an
emergency situation) different kinds of information
have to be collected, analysed, and processed for ap-
propriate reactions. The building structure, the kinds,
dependencies, and functionalities of various technical
systems, the number of passengers in various areas
and their movements have to be taken into account.
The airport ontology (see [4], D2.2 on SOMAL) was
designed as use case specific extension of the EMILI
Core Ontology allowing us to collect and process all
relevant information.
44
The fire scenario is used to demonstrate how events,
actions, and simulations work together. The incoming
sensor information is analysed by complex event rules
to provide a comprehensive situation assessment. This
situation triggers ECA rules which specify appro-
priate reactions. Simulations are used to calculate fire
and smoke propagation as part of the decision proc-
ess.
4.2 The Metro Use Case
Though metro systems are in some sense similar to
airports as infrastructures for the transport of people,
there are also a couple of differences between them:
metro systems are more distributes, they are more
open, and not so highly protected. As in airports we
need complex information to manage normal and
emergency situations in them: the number of people
in certain parts, the train positions, building struc-
tures, technical systems with their topology, their
various dependencies, etc. The EMILI Core Ontology
has been extended into a metro domain ontology pro-
viding all these kinds of information in a structured
way.
The scenario is again focused on the most critical
situation: a fire in a metro station or in a metro train.
Depending on the whole situation different options
for reactions are available. Which size does the fire
have and what evolution can be expected? How does
the smoke propagate? Which evacuation paths are
available due to the size and position of the fire, the
smoke propagation, construction activities, people
density, etc. How long does it take to evacuate people
along these paths?
Figure 4 Power Grid Use Case

Complex event definitions enable us to bring these
different kinds of information together in a coherent
way. Positions of fire sensors, positions of trains, data
about people density, etc. allow us to assess the over-
all situation. Appropriate reactions can be specified in
ECA rules. Smoke propagation simulation and simu-
lation of people movements allow us to predict sce-
nario evolutions as basis for decision making.
4.3 The Power Grid Use Case
Power grids are of course quite different from metros
and airports (see fig. 4). Today, they are managed
through (more or less) sophisticated control systems
which get their data from different kinds of sensors in
various network components [5]. Frequently, these
sensor networks do not allow the operators to get im-
mediately a complete picture of what happens in the
grid. In the case of component failures a sequence of
alarms is initiated by different sensors which can not
directly be mapped onto the real network situation.
They have to be interpreted by experts in order to find
out what really happened. The SCADA telecommuni-
cations have partial failures during disturbances. The
visibility is degraded, and State Estimators have tem-
porary failures (fail to converge). Alarms arrive in
avalanches that flood the operator so that the operator
is pressed to assess the situation as fast as possible,
45
and to take immediate action. But he knows that some
errors may make the problem much worse.
We need intelligent processing of alarms: not just a
filter, but actual interpretation of the possible scenar-
ios. This includes more holistic situational awareness:
integrating SCADA, alarms, and other contextual in-
ormation into a quick, effective visualization system. f

Complex event definitions allow us to formulate the
rules needed for this interpretation as patterns of
situations in power grids. They combine sensor in-
formation including temporal, topological, and other
kinds of data. In this way we can discriminate differ-
ent kinds of events: Breaker Events: those that only
affected to breakers and their protections; Line
Events: those events produced by breaker event com-
binations and other line events; and Link Events:
those events produced by line faults between two
elements
5. Summary and Conclusions
In order to manage the growing complexity of Critical
Infrastructures under normal, exceptional, and emer-
gency conditions innovative information and commu-
nication technologies are needed. The key issue for
these technologies is to provide a new abstraction
layer which allows modelling of the what and leav-
ing the how to a highly efficient processing machin-
ery. A unifying modelling methodology has been
worked out based on the paradigm of cyber-physical
systems. Events, states and their semantic context can
be used to characterise the situation of Critical Infra-
structures within this framework. Event condition ac-
tion rules are used to assign appropriate reactions to
these situations in order to manage normal, excep-
tional, and emergency states. Physical behaviour can
be taken into account within these complex considera-
tions through integrated simulations.
Events, states, actions, and their semantic context pro-
vide the desired new level of abstraction as a power-
ful descriptive means for complex dynamic systems.
Acknowledgement
The research presented here was partially funded by
the European Commission under contract 242438
within the FP7 project EMILI. All project partners
contributed to the results presented here.
References
[1] J.J. Alferes and W. May, Evolution and Reactiv-
ity for the Web, Reasoning Web, N. Eisinger
and J. Mauszyski, eds., Springer Berlin / Hei-
delberg, 2005, pp. 134-172.
[2] D. Bailey and E. Wright, Practical SCADA for
Industry (IDC Technology), Elsevier, 2003.
[3] E. Behrends, O. Fritzen, W. May, and F. Schenk,
Embedding Event Algebras and Process Al-
gebras in a Framework for ECA Rules for the
Semantic Web, Fundamental Information, vol.
82, Aug. 2008, pp. 237-263.
[4] EMILI, www.emili-project.eu, 2010.
[5] J.L.M. Espaol, D3.1 Annexe C: Specific report
for use case III, Power Networks, 2010.
[6] S. Hausmann, S. Brodt, and F. Bry, EMILI Delive-
rable D4.3 DEAL Concepts and Examples,
2011.
[7] R. Klein, J. Xie, and A. Usov, Complex Events
and Actions to Control Cyber-Physical Sys-
tems, Proceedings of the 2011 international
conference on Distributed event-based systems
- DEBS 11, New York, New York, USA: 2011.
[8] R. Klein, J. Xie, and A. Usov, An Innovative
Approach to Emergency Management in Large
Infrastructures, Critical Information
Infrastructure Security CRITIS 11, 2011.
[9] E.A. Lee, Cyber Physical Systems: Design Chal-
lenges, Proceedings of the 2008 11th IEEE
Symposium on Object Oriented Real-Time Dis-
tributed Computing, Washington, DC, USA:
IEEE Computer Society, 2008, pp. 363-369,
DOI:10.1109/ISORC.2008.25.
[10] E.A. Lee and S.A. Seshia, Introduction to Em-
bedded Systems, A Cyber-Physical Systems Ap-
proach, http://LeeSeshia.org, 2011.
[11] S.M. Rinaldi, J.P. Peerenboom, and T.K. Kelly,
Identifying, understanding, and analyzing cri-
tical infrastructure interdependencies, IEEE
Control Systems Magazine, vol. 21, 2001, pp.
11-25, DOI:10.1109/37.969131.
[12] N. Seifert and M. Bettelini, D3.1 Use Cases Re-
quirements Analysis and Specification Main
Report, 2010.
[13] L. Sha, S. Gopalakrishnan, X. Liu, and Q. Wang,
Cyber-Physical Systems: A New Frontier,
Machine Learning in Cyber Trust, Springer US,
2009, pp. 3-13.
[14] S. Vrane, V. Mijovi, N. Tomaevi, G. Kone-
ni, V. Janev, and L. Kraus, D3.1 Annexe A:
Specific report for use case I, Airport, 2010.

46
Coordinating Ambulance Operations
Thomas Remmersmann, Fraunhofer FKIE, Germany
Kellyn Rein, Fraunhofer FKIE, Germany
Ulrich Schade, Fraunhofer FKIE, Germany
Abstract
In the military domain, Battle Management Language (BML) has been developed to formalize command and
control communication. The use of such a formalized language enhances interoperability and prevents misinter-
pretations. In addition, all expressions are processable by systems as well as human-readable. Obviously, the
BML technique also can be applied for C2 communication in disaster relief operations in order to upgrade the
coordination and the collaboration of the many participating organizations and their relief units. Such a deriva-
tion of BML would be called Crisis Management Language (CML). In our paper, we will discuss the key bene-
fits that the use of CML can provide by an example illustrating the coordination of ambulance operations.

1 Introduction
In the daily work of rescue services and even more in
crises, communication over radio is mostly important
because most information is exchanged over this
channel. However, radio communication comes with
disadvantages. Firstly, information can be misunder-
stood because of language ambiguities, imprecise pro-
nunciation, background noise, or bad signal quality.
Secondly, in the control centers, operators spend a lot
of time typing the auditory information they receive
into their command and control systems (C2 systems).
This procedure not only takes time but also may result
in typing errors which, if, for example, they occur in
the numerical sequences of zipcodes, house numbers
or coordinates, might result in severe operational fail-
ures. One solution to these problems of radio commu-
nication could be to shift communication to text mes-
sages which are written in a formal and thus unambi-
guous but nevertheless human-readable language. We
have developed such a language, called Crisis Man-
agement Language (CML).
CML has advantages even beyond the ones correcting
the problems of radio communication. In particular, it
saves a lot of bandwidth compared to radio communi-
cation. Limited bandwidth often is a problem in crisis
situations. For example, during the airplane crash of
Turkish Airlines Flight 1951 at Amsterdam Airport on
the 25
th
of February 2009, the emergency units used
digital radio and had queues of up to 30 minutes delay
from the time at the permission to use the bandwidth
for voice transmission was requested and the granting
of that permission [1]. Due to these delays, the re-
sponses on the crash were delayed as well and, as a
result, the rescue actions were uncoordinated and of-
ten undertaken too late.
In addition to the advantages listed so far, CML in-
creases interoperability between the organizations that
participate in a crisis relief operation which is particu-
larly helpful if the participating organizations do not
often operate together. This is especially true if the
participating organizations usually work with differ-
ent languages, as is the case in international opera-
tions such as the rescue operations after the Haiti
earthquake in 2010. CML can then serve as the Lin-
gua Franca (bridge language).

Figure 1 Example of a GUI for CML input. It shows
a lot of information at the same time. This is more
suitable for operators in control centers with large dis-
plays than for people on site during rescue opera-
tions.
1

1
Map data (c) 'OpenStreetMap' (and) contributors
(http://www.openstreetmap.org/), CC-BY-SA
(http://creativecommons.org/licenses/by-sa/2.0/)
47
2 CML Overview
CML provides a means to express directives (orders
and requests in the case of military operations, and
assignments and requests in the case of civil opera-
tions) and reports in a formalized and unambiguous
way. In ambulance operations, it can be assumed that
each ambulance as well as the control center and the
participating hospitals are all part of a network. The
connected systems should all contain a GUI for CML.
The CML GUI allows the formulation of the direc-
tives and reports which are to be communicated.
A control center might have a GUI like the one shown
in Figure 1. For the rescue personnel at the disaster
area the GUI must be adjusted. A GUI that allows the
user to generate CML statements by making selec-
tions in the GUI might be most appropriate than re-
quiring them to type in full text. The selections can be
keywords from a list, a point on a map or a timestamp
from a calendar but it should be guaranteed that op-
erators should not have to type words on a keyboard.
A GUI with this concept is sketched in Figure 2. Op-
erating such a GUI is very intuitive because it is simi-
lar to processing natural language. Therefore, the
learning curve for users is reduced and the correctness
of the communications is increased, especially in
stressful situations. The GUI enforces the use of spe-
cific terms and strictly restricts the syntax of the ex-
pressions formulated. In addition, it provides a win-
dow that shows critical aspects on a map. These as-
pects include the positions of units (e.g., the
ambulances), the position of facilities (e.g., the hospi-
tals), and the locations where disaster has struck and
where patients are waiting to be picked up. This map
obviously contributes to situational awareness as it is
updated according to incoming reports. It also serves
as a tool for preventing typing errors since the spatial
aspects of CML messages can be expressed by click-
ing on the map. In summary, the GUI ensures that
formulated expressions comply with the CML stan-
dard and sends them to the selected addressee from
among the participating units and organizations.
When a CML message is delivered to its addressee, it
automatically appears in the addressees GUI. It also
is stored in a common database for messages so that
later communications can refer to it.
Figure 2 A CML-GUI for a mobile device. In these
four steps the user reports that he is transporting the
patient to the Main-Hospital.
The rest of the paper is organized as follows. In Sec-
tion 3 we give an overview on related work. Section 4
then describes the CML in more detail whereas in
Section 5 CML is demonstrated in a Use Case. The
paper ends with a conclusion in Section 6.

3 Related Work
CML is modeled on Battle Management Language
(BML) [2], a standard for the exchange of military
communication mainly used in systems of systems for
commanding simulations [3] or robotic forces [4]. For
BML an underlying grammar, the Command and
Control Lexical Grammar (C2LG) [5], has been de-
veloped and proposed in a cooperation between
Fraunhofer FKIE and George Mason University
(Fairfax, Virginia, USA). This development has been
carried out under the aegis of NATO RTO in its Mod-
eling and Simulation Group MSG-048 Coalition
BML. C2LG is a context-free lexical grammar mod-
eled on Lexical Functional Grammar (LFG) [6]. Since
they are based on a context-free grammar, BML ex-
pressions can be processed automatically. The lexicon
of BML contains the attribute values of the JC3IEDM
data model [7], standardized by NATO for the de-
mands of exchanging information in the military con-
text. To define CML on the basis of BML, the con-
text-free rules of BMLs grammar can be copied, but
the lexicon obviously has to be adjusted to the civilian
operational needs. In particular, specific lexical items
for expressing patient diagnoses are required in order
to use CML for ambulance operations.

4 CML in Details
As already mentioned, CML we introduce here is a
modification of BML. The modification is most no-
ticeable in the lexicon. Lexical items for the following
domains in parts had already been integrated whereas
some other still have to be integrated:

verbs to denote actions
items that denote events
elements for special cases, e.g., describing
the diagnosis of a patient
nouns for unit types, for facility types and
equipment

Each new lexical item must be unambiguously de-
fined in order to guarantee that the term is understood
in the same sense by all participants.
As in BML, the sentences of CML follow the C2LG
which means that they contain the so-called 5Ws:
What, Who, Where, When and Why. As example of
the assignment of a moving task in CML appears
thus:

48
move C2RFS Ambulance2 to Main Hospital start at
now in order to enable transport_145 move125;

The example can be decomposed as follows. First, it
answers the question What should be done? by a
unit should move. Next, Who is broken down into
Who is giving the directive? (answer: C2RFS)
and Who should execute the task? (answer: Am-
bulance2). Then it tells where Ambulance2 should
go: to Main Hospital. The answer to the When
question follows: start at now. This is followed by
the Why which is in order to enable transport_145.
The label transport_145 refers to another (earlier)
directive which has been assigned this label. That ex-
pression (transport_145) directs a specific patient to
be transported to some location. The final term in our
example expression is its label (move125). Labels
are unique IDs that can be used in other directives or
reports to refer to its directive.
Requests and directives look, at first glance, identical,
but they differ in one important aspect, namely that of
hierarchy. A unit may direct (order) a subordinate unit
to perform an action. However, it may only make a
request of a superior or peer unit. That is, one may
identify a CML task statement as a directive or re-
quest based upon the relative ranking within the over-
all task force hierarchy.
A list of verbs required for civilian usage of BML is
already included in the C2LG [2].
Reports also incorporate the 5 Ws. There are reports
about positions, task, events, persons, materiel (in-
cluding vehicles) and facilities.
These directives and reports can be automatically
processed by a computer. The information contained
in these CML statements can be instantly visualized in
the C2-System.

5 Use Case
In this section, an application of CML in a small sce-
nario is shown. In the scenario, a police unit (Police-
Unit13) reports a gas explosion (explo-
sion_report_01) at a house (building-1312) and is re-
questing help (rescue_request_02) for one injured
person. The control center for fire and rescue services
(C2RFS) commits to comply with this request (this
kind of speech act is called commissive in speech
act theory [8] which reflects in the example below as
commissive_03) and sends an ambulance to that
house (rescue_task_04). The ambulance reports back
that it has arrived at the building (reportposition_05).
Ambulance2 runs into difficulties rescuing their pa-
tient and require a crane. The ambulance requests a
crane from the control center for fire and rescue ser-
vices (request_support_06). The control center has no
crane available and forwards the request to the control
center of the army (request_support_07). The army
confirms the request (commissive_08) and sends a
crane to support the rescue operation (sup-
port_rescue_task_09). After the person was rescued
with the help of the army crane, the ambulance re-
ports what injuries the rescued person has and to
which hospital they plan to transport him (re-
port_transport_10).
The communication in CML for this scenario is as
follows:

report event PoliceUnit13 gas-explosion at building-
1312 ongoing at 201111051413 explosion_report_01;
request rescue PoliceUnit13 C2RFS one injured ci-
vilian at building-1312 start asap rescue_request_02;
commissive rescue Ambulance2 at building-1312
start at now regarding rescue_request_02 commis-
sive_03;
rescue C2RFS Ambulance2 one injured civilian at
building-1312 start at now rescue_task_04;
report position Ambulance2 at building-1312 at now
reportposition_05;
request support Ambulance2 C2RFS rescue_task04
by crane request_support_06;
request support C2RFS C2_MIL rescue_task04 by
crane request_support_07;
commissive support MIL_CRANCE_02 res-
cue_task04 regarding request_support_07 commis-
sive_08;
support C2_MIL MIL_CRANE_02 rescue_task04
start at now support_rescue_task_09;
report transport Ambulance2 C2RFS 1 male person
with fracture left leg, fracture left feed to Main Hospi-
tal start at now report_transport_10;

Figure 3 An example dialog how to add diagnoses to
a CML statement.
In comparison to its military progenitor, CML allows
the expression of a first diagnosis. This first diagnosis
normally is provided by the emergency physician who
treats the patient onsite. An example of a GUI to cre-
ate a diagnosis can be seen in Figure 3. The availabil-
ity of the first diagnosis via CML helps the control
center to suggest the best hospital for the patient in
question more quickly. In addition, all information
can be forwarded to the chosen hospital to prepare
timely emergency treatment. The hospital also bene-
fits from the fact that the ambulances report their cur-
rent positions in regular time intervals whose length
can be set as necessary. Thus, a hospital has the nec-
essary information about patients coming in, informa-
49
tion about the injuries and information about the point
in time at which the patient will arrive. In the case of
a disaster relief operation, where there might be many
more patients to be treated in hospitals than on any
normal day, the information advantage provided to
hospitals by the use of CML can play a critical role in
saving lives. This is enhanced by the fact that the con-
trol center is supported in its coordinating function.

6 Conclusion
In this paper we have presented the CML concept and
demonstrated it through a Use Case. This case con-
cerns ambulance operations and includes CML ex-
pressions of directives and reports.
Ambulance operations would benefit from the use of
CML in several ways. First, CML communications
can be managed using a very low bandwidth. Second,
CML increases the operational awareness, especially
for the hospital staff, as they will be aware when ex-
actly the ambulances will arrive at their emergency
wards. Third, CML reduces the chance for errors such
as typos in coordinate specifications as well as reduc-
ing the general workload for operators in the control
centers. Last but not least, CML increases the com-
munication interoperability between all participating
users. This is important if CML is used not only in
well-established operational procedures like common
ambulance operations but in crisis relief operations in
which the participating organizations cannot rely on
well-established procedures for cooperation, i.e.,
much must be handled on a more or less ad hoc basis.
References
[1] Marten, U.: BOS-Digitalfunkkommunikation
im Katastropheneinsatz, Anforderungen der
Aufgabentrger an den Digitalfunk fr den Ein-
satz im Katastrophenfall, presentation at the 6
th

European Congress on Civil Protection and Di-
saster Management, Bonn.
[2] Heffner, K., Brook, A., de Reus, N., Khimeche,
L., Mevassvik, O.M., Pullen, M., Schade, U.,
Simonsen, J. & Gomez-Veiga, R.: NATO MSG-
048 C-BML Final Report Summary. 2010 Fall
Simulation Interoperability Workshop (= Paper
10F-SIW-039), September 2010, Orlando, FL.
[3] Khimeche, L., Herbinet, J. G. and Cuneo X.:
APLETs lessons learned on C4I-simulation in-
teroperability, 2011 Spring Interoperability
Workshop (=Paper 10S-SIW-005), Bosten, MA,
2011.
[4] Remmersmann, T., Brggemann, B. & Frey, M.:
Robots to the ground, in Concepts and Imple-
mentations for Innovative Military Communica-
tions and Information Technologies. Military
University of Technology, Sep. 2010, pp. 6168.
[5] Schade, U., Hieb, M. R., Frey, M. & Rein K.:
Command and Control Lexical Grammar
(C2LG) Specification, Technical Rept. FKIE-
ITF/2010/02. Wachtberg: Fraunhofer FKIE,
2010.
[6] Bresnan, J.: Lexical Functional Syntax, Ox-
ford, UK: Blackwell, 2001.
[7] Gerz M. & Schade, U.: Das Joint Consultation
Command and Control Information Exchange
Data Model, in J. Grosche, & M. Wunder,
(Eds.), Verteilte Fhrungsinformationssysteme.
Heidelberg, Germany: Springer, 2009.
[8] Searle, J.R.: Expression and Meaning: Studies
in the Theory of Speech Acts. Cambridge, UK:
Cambridge University Press, 1979.

50
PROSIMOS A Tool for identifying business cases in the
implementation of a priority communications systems for first
responders in Public Mobile Networks
Authors
Roberto Gimenez, HI-iberia Ingenieria y Proyectos, Spain
Inmaculada Luengo, HI-iberia Ingenieria y Proyectos, Spain
Anna Mereu, HI-iberia Ingenieria y Proyectos, Spain
Diego Gimenez, ISDEFE, Spain
Rosa Ana Casar, ISDEFE, Spain
Judith Pertejo, ISDEFE, Spain
Salvador Diaz, Universitat Politcnica de Valncia, Spain
Jose F. Monserrat, Universitat Politcnica de Valncia, Spain
Vicente Osa, Universitat Politcnica de Valncia, Spain
Javier Herrera Lotero, Tecnalia, Spain
Iigo Arizaga, Tecnalia, Spain
Abstract
This article presents the research activities and the results that have been obtained during the PROSIMOS
(PRiority communications for critical SItuations on MObile networkS) project. The aim of this project was to
investigate the feasibility both technologically and economically of a wireless priority telecommunications
service for emergency agencies that relies on Public Mobile Networks (PMNs). The challenge was technological
since the system performance with respect to the traditional Private Mobile Networks had to be verified and the
advantages and limitations needed to be clearly determined; moreover, it was also a challenge from the point of
view of the economical feasibility of the implementation of PROSIMOS service at European level. The project
has reached both objectives allowing to clearly identify the most suited technological solution and the best
business model to be adopted for the development of PROSIMOS service.
1 Introduction
Effective crisis management is the key factor for
guaranteeing an efficient handling of emergency
situations and for assuring the security of critical
infrastructure and urban areas. In order to accomplish
this goal, communications between the personnel of
the emergency agencies have to be ensured.
Nowadays, these communications mainly rely on
dedicated radio telecommunications systems, called
Private Mobile Radios (like TETRA, TETRAPOL
and others). However, the usage of these private
networks entails several drawbacks: high deployment
and maintenance costs and interoperability problems
are the most notorious ones.
On the other hand, Public Mobile Networks (PMN)
are at the very heart of nowadays communications
since they are not only used by individuals, but also
by a large number of agencies committed to security
and safety. Nevertheless, its public nature has
traditionally discommended its usage during
emergencies. Indeed, day-to-day experience has
corroborated how, after a catastrophe, increase in
service demand brings PMN to collapse.
The idea of implementing priority services for first
responders in PMN may solve some of these
problems. In this sense, similar solutions have already
been addressed in USA, UK, Canada, Sweden and
other Countries. PROSIMOS project has researched
on business cases for the implementation of a priority
communications system on PMN. The objective of
this system is to enable critical users to communicate
during emergency situations, in a time when PMN
services may be restricted due to damage, congestion
or faults. The scope of the project has been to identify
the best business case to be adopted to cope with this
requirement, guaranteeing its short term
implementation in Europe. In order to accomplish this
goal a complete simulator has been designed
including both economical and network performance
features. For this reason, the simulation tool
comprises two modules: a network and a business
one.
The network simulator is a scalable radio simulation
platform for heterogeneous wireless networks. It is
51
able to simulate the network behaviour during
different emergency situation including several
technologies, such as EDGE, HSPA, LTE, WiMAX
and WLAN.
The business simulator takes into account different
business models, different use case scenarios and
outputs the exact costs and benefits per specific use,
extracts relevant economic and financial parameters
such as net present value, income, internal rate of
return and performs Monte Carlo simulations for
robust planning. The simulator has been customized
in order to take into account CAPEX costs (non
recurrent costs) and OPEX costs (operating costs).
End-Users belonging to first responders agencies
have contributed to the customization of the simulator
by providing specific user requirements for the
priority services.
This paper provides a complete description of the
simulation platform, giving details for both modules.
Moreover, simulation results obtained particularizing
the study in real use cases occurred in Spain will be
presented. These use cases encompass a terrorist
attack in a metro station, a plane crash and a forest
fire. Thanks to the proposed simulator, stakeholders
like government bodies, end-users and service
providers will be able to foresee the impact that this
new type of priority communication service could
have both from the technological innovation and
economic point of view.
2 State of the Art
In PROSIMOS a comparative research on the state of
art of wireless prioritization in Spain and other parts
of the World has been undertaken, in order to find out
which models prevail and to understand which
technical, operational and co-operative reasons they
are based on.
From the analysis it has become apparent that certain
countries, as for example EEUU, UK or Australia,
deploy a public network that prioritizes calls from
selected users. It is worthwhile to emphasize the
project WPS, implemented in USA, and MTPAS in
the UK, intended for emergency responders, enabling
them to obtain priority access to available wireless
radio channels when necessary to initiate emergency
calls.
In Canada, priority communications over public
networks based on the USA system have been
developed as well, while more examples can be found
in the systems deployed in Peru, RECSE, and
Australia, WPSS. Its worth mentioning that Peru
requires service providers both fixed and mobile to
permanently reserve free network capacity for
communication, prioritize the calls through this
network and implement an authoritys data base.
In Spain, there is a great fragmentation in the use of
networks and technologies, managed by local and
regional governments, which results in a lack of
interoperability between agencies and huge economic
costs of service maintenance for public entities. The
great majority of regions have chosen to deploy a
region-wide TETRA network. In two cases the
election was to join a nationwide TETRAPOL
network already deployed. In any case, digital
trunking radio systems are the election for the
deployment of new systems.
As a result of the research some unsolved issues have
been unveiled such as the need of interoperability
with other regional nearby systems or the increasing
demand of data transmission that causes reaching the
limits of data capacity these systems can offer.
Although new versions of TETRA and TETRAPOL
try to solve this latest issue, the data transfer rates
offered are far from other wireless systems, like
UMTS, Wimax and LTE. In fact, mobile telephone
services are mostly used as complementary systems
for cases of loss of coverage of the core system,
communication with other agencies and mobile high
rate data traffic purposes.
3 User Requirements and Use
Cases
An investigation on the modes of operation of
PROSIMOS potential end users has been performed,
together with a complete definition of communication
requirements that the PMNs should cope with to
satisfy their necessities. PROSIMOS Advisory Board
was composed by several potential users of the
prioritization service primarily belonging to Public
Safety agencies and emergency services as armed
forces at local and national level, medical services
and fire-brigades.
The research confirmed that at present PMN are not
deployed to meet the core operational requirements
for public safety and security use due to several
reasons like insufficient secure data transfer and lack
of guaranteed availability and control. Furthermore,
certain changes to existing end-users operation
practices could be required if PMNs were to replace
current Public Safety private networks especially due
to certain features that PMN only partially supports
(e.g. Direct Mode Operation of certain private
networks, fast call-set ups typical less than 0.5
seconds long). However, the greatest inconvenient
that keep emergency users discarding PMN is the low
reliability of the 2G/3G networks due to network
congestions or breaks during communications,
problem which is targeted by the PROSIMOS
prioritization service.
Two big outcomes of end-users consultations can be
highlighted, they are the following:
All potential end users have shown a great
interest in the topic of the project and have
expressed their wish of having the
52
opportunity to extend the use of technologies
that enable modern applications such as live
video transfer, geo-positioning, dynamic
calling group allocation, among others;
Consultations undertaken have shown that
prioritization mechanisms in public mobile
networks are necessary also in non critical
situations, i.e. daily work also requires
prioritization of communications for a
mobile communications system to be used in
regular basis by the emergency bodies.
The research covered the most important drawbacks
of using PMN in emergency communications. It sifted
major needs and translated them into technical
understandable parameters. Some important
requirements obtained are related to set a high level of
interoperability, network resilience, availability, trust,
etc, including robustness of handheld terminals. The
research specially focused on the necessary
prioritization mechanisms required by emergency
users which principally claimed for a permanently
activated service, the establishment of 3 different
priority levels and automatic authorized users set-up.
In order to validate PROSIMOS BMS the research
evaluated the communication needs under several
emergency situations. The selected scenarios belong
to diverse emergency levels of the five-level scale
classification defined taking into consideration the
response capacity required (e.g. local, regional or
national resources, logistics, area of intervention, time
to solve the situation) and emergency impact and
consequences (e.g. damage of communication and
mobility infrastructures, human victims, risk
expansiveness). For the sake of the project simplicity,
four synthetic test scenarios were defined: Incident in
a Critical Infrastructure (Metro); Natural disaster in a
rural area (Forest Fire); Aircraft crash in an airport
and a Major event in a city (like a football match).
Each scenario presents different prioritized
communication requirements (in terms of voice and
data services, occurrence, calls duration, etc) as well
as different communication flows, number and type of
resources, extension of intervention area and duration,
among others. These results have allowed the BMS
traffic module to perform a proper evaluation of the
level of fulfilment of end-users communication
requirements.
4 Technological Aspects
4.1 Simulating the System
The ability of Public Mobile Networks to support
Priority Services is basic enabler in PROSIMOS.
Foundation pillars for this ability are Call Admission
Control (CAC) and Congestion Control (CC). CAC is
used to control the users access. CC methods are
used to manage the network load in order to ensure
the minimum required QoS.
In the PROSIMOS project, the considered RATs are
GSM/GPRS/EDGE Radio Access Network
(GERAN), Universal Mobile Telecommunication
System (UMTS) and Long Term Evolution (LTE)
technologies. The reason is that the actual public
radio technologies deployed in Europe are GERAN
and UMTS, while LTE is now considered as the next
step forward in the development of 3G networks and
its massive roll-out is expected during 2011.
With respect to GERAN RAT and PROSIMOS, three
different 3GPP specifications can be used as possible
CAC solutions: TS 43.022, TS 22.011 and TS 22.067.
The CAC proposed for UMTS are TS 25.304, TS
25.33, TS 22.011 and TS 22.06. Finally, the CAC
proposed for LTE is TS 22.011.
When considering CC, one of the first challenges to
be solved is determining when the system is
overloaded to counteract this state. First step is to
know, in average, the load introduced by one user
depending on the service. Identifying this load in a
GSM system is simple neither for UMTS or LTE.
Second, it is important to know the maximum load
supported by the network with a specific
configuration.
The knowledge of users load is attained thanks to sys-
tem simulations, conducted to extract the main
behaviour of users. Extensive simulations have been
run in different scenarios and with increasing system
loads. Concerning maximum load, this will depend on
the business model and the levels of QoS that the
operator specifies. PROSIMOS has studied different
solutions for the CC implementation in a range of
load thresholds that act as inputs for the business
simulator.
In order to determine the technical aspects of the
business models, PROSIMOS makes use of a stand-
alone RAT simulator, SPHERE. SPHERE is a novel,
ambitious and scalable radio simulation platform for
heterogeneous wireless developed in the framework
53
of PROSIMOS. The platform currently integrates five
advanced system level simulators, emulating the GE-
RAN, HSDPA, WLAN and LTE RATs.

Figure 1 PROSIMOS Scenario
SPHERE is a unique simulation platform that
emulates all five RATs in parallel and at the packet
level, which enables an accurate evaluation of the
final user perceived QoS through the implementation
of novel Congestion Radio Resources Management
(RRM) and RRM mechanisms. The radio interface
specifications of these five technologies have been
faithfully implemented in the SPHERE simulation
platform, which works with a high time resolution.
This modelling approach validates the capability of
the SPHERE simulation platform to dynamically and
precisely evaluate the performance of RRM/CRRM
techniques devised in PROSIMOS.

4.2 Results
Leapfrogging technologies in PMNs were analysed
and the best technical solution has been chosen taking
into account the limitations of standards. Several
voice service simulations with different RATs, GSM
and HSDPA, were conducted. Simulations showed
how a PMN works with different precedence and pre-
emption services based on the standardized CAC and
CC mechanisms. Four different scenarios were
analyzed:
Scenario 1: Incident in a critical infrastruc-
ture (Metro).
Scenario 2: Natural disaster in a rural area
(Forest Fire).
Scenario 3: Aircraft crash in an airport
(within the airport perimeter).
Scenario 4: Major Event Management
(Football Match).

As an example of these analyses we will present
results for just one specific scenario, the aircraft
crash. Figure 2 shows the real situation of base
stations and the location of the accident.

Figure 2 Aircraft crash scenario

In this real case, higher priority was allocated to
security bodies in hot area (P1), priority 2 was given
to them in the warm area (P2) and, finally, airport
staff received the third level of priority (P3). Civilians
experienced in this case the lower priority in the call
(P4). From Figure 3 we can see the results obtained
simulating the GSM network.
Figure 3 GSM Results
With the GSM network configuration, the system can
manage the PROSIMOS users traffic without
additional transponders. The percentage of successful
calls is close to 93%.
Civilian users do not reach percentages of successful
calls higher than 65%. The calls are dropped because
the system is overloaded causing poor QoS. The
solution is easy, increase the number of transponders
that cover the terminals in order to support more
traffic. In this specific scenario, this action does not
affect PROSIMOS users because the accident is far
away from the terminals. If the accident was closer to
the terminals, the results for civilians will change
completely, decreasing the successful calls drastically.
54
In Figure 4 we see the results obtained for HSDPA
network.
Figure 4 HSDPA Results
We notice a higher capacity of HSDPA as compared
with GSM, and a low call rate that makes that the
percentage of successful calls for all groups higher
than 98%. There are not denied calls and 1% of drops
is caused by an insufficient QoS during the call.
Therefore, after analyzing the obtained results, not
only for this scenario but for the four cases, we
concluded that HSDPA can manage voice traffic
generated in almost all the scenarios with standard
CAC and CC mechanisms guaranteeing the
prioritization of traffic, whereas the limited capacity
of GSM does not allow managing all the traffic
generated during the emergency.

4.3 PROSIMOS Architecture and
Design
The simulations results reveal that HSDPA supports
more traffic than GSM. Additionally, the
establishment time in HSDPA is lower than in GSM.
In order to allow that different kind of users choose
the optimal RAT at each moment, the proposed
architecture should supports vertical HO between
different RATs.
The support of PROSIMOS prioritization mechanism
needs that public mobile network deploys concrete
radio resources. The whole set of radio resources for
an operator is considered to be partitioned into radio
resource pools. These radio resource pools are
controlled by two different types of functional entities
(see Figure 1):
Radio Resource Management (RRM) entity:
functional entity responsible for the
management of one radio resource pool, i.e.
this characterises the radio resource pool
Common Radio Resource Management
(CRRM) entity: functional entity responsible
for a common management, i.e. coordination
of overlapping/neighbour radio resource
pools controlled by different RRM entities.
This new CRRM entity is introduced to allow some
kind of coordination among different radio resource
pools whose radio resources are linked to the same
geographic area in the network. In the case of current
3GPP RATs, the SGSN is responsible for managing
the vertical handovers, in such a way that CRRM is
just limited to this functionality and all resources are
allocated in the local RRM entities. This level of
interaction is referred to as low degree.
Progressively, PROSIMOS has to increase the
integration degree in order to achieve considerable
capacity improvements. The following proposals are
the ones who have to be implemented progressively
in the public mobile network:
Intermediate interaction degree: The CRRM
entity manages the initial RAT selection and
vertical HO functions. The local RRM
entities provide RRM measurements
including the list of candidate cells for the
different RATs and cell load measurements,
so that the CRRM can take into account the
availability of each RAT for the
corresponding mobile terminal.
High interaction degree: In this case, the
CRRM entity is involved in most of the
functionalities, leaving the power control and
scheduling for the RRM entities. Thus,
CRRM is involved in each intra-system HO
procedure and requires a more frequent
measurement exchange. Similarly, joint
congestion control mechanisms could be
envisaged to avoid overload situations in any
of the underlying access networks.
Very high interaction degree: This approach
introduces the joint scheduling in the CRRM
entity. The RRM entities only manage the
power control. This solution would require
that CRRM decisions be taken at a very short
time scale in the order of milliseconds, with
the possibility of executing frequent RAT
changes for a given terminal. Consequently,
this poses hard requirements to the re-
configurability capabilities of the mobile
terminals and can be regarded as a long-term
implementation of CRRM functionalities.
5 Regulatory Framework and
Legal Issues
ISO, IEC and ITU are three worldwide
standardization organisms that jointly work in order
to define standard development for the benefit of the
global community (at European level, ETSI and
CEPT play the same role). Nowadays there are only
few countries where it has been implemented a
Wireless priority system, and no international
55
standard has been proposed to define guidelines for
the development of similar types of services for
emergency agencies. This means that, in case
PROSIMOS would be implemented and if no
standard for this type of service was released, there
would not be any particular standard specification to
be followed. In case a stakeholder or an industry
sector considered the need of a PROSIMOS standard,
it could communicate this issue to previous bodies.
Then, a consultation and a verification phase would
be launched among the technical committee members
in order to lead to the definition of the standard.
In addition PROSIMOS would be affected by EU
Directives, since they apply to all Telecommunication
Services operating in the European Union (or at least
they constitute the basic pillar that national laws have
to abide by). The most important directive that has to
be taken into account is 2009/136/EC. This Directive
is part of the new Telecom Reform Package
(Citizens Rights directive) and amends Directive
2002/22/EC on Universal Service and Users Rights
relating to Electronic Communications Networks and
Services, Directive 2002/58/EC concerning the
Processing of Personal Data and the Protection of
Privacy in the Electronic Communications Sector and
Regulation (EC) No 2006/2004 on Cooperation
between National Authorities Responsible for the
Enforcement of Consumer Protection Laws. As far as
PROSIMOS implementation is concerned, the legal
framework that will affect the service is the one
concerning users rights. Thus, the new directive
establishes the following points:
Article 13 on financing of universal service
(unchanged from 2002/22/EC) obligations
says that the possibility of Government to
partially fund the implementation of new
services for public utility is contemplated by
the European Commission; moreover, it is
possible that these costs can be shared
among different operators in a transparent
way.
Article 22 on Quality of service recalls the
one of 2002/22EC says that Quality of
service information have to be clearly
available for end users; therefore, it is
expected that information regarding QoS
parameters in case of emergency as deriving
from the implementation of PROSIMOS
service should be specified.
Article 23 on the integrity of the networks
(unchanged from 2002/22/EC) says that in
case of emergency the access of citizens to
emergency service has to be guaranteed; for
this reason, even if PROSIMOS is intended
to discourage public users from using mobile
networks in emergency situations, it has to
assure that calling to emergency numbers
can still be performed. Moreover, it is
highlighted that the possibility to limit end-
users access to the network is a matter of
Member States regulations.
In general, as far as regulatory framework is
concerned, regarding the implementation of a
prioritization service:
No specific standards neither guidelines
about prioritization in communications exist.
Priority mechanisms allowed but limitations
in users access mechanisms (included calls
refusal) are under the umbrella of national
framework.
The main impact of PROSIMOS implementation is
related to Users Rights and more concretely
following guidelines should be abide to:
Quality of Service should be clearly
available and guarantees of minimum
capabilities (quality reduction instead of
denial) should be provided. Then, some
possible modifications in the customers
contracts and maybe in the regulations
should be performed allowing a reduction of
this quality in case of emergency operations.
Users have the right of reimbursements by
service interruption: Some modifications are
needed in order to consider some exceptions
to this right in emergency operations like for
example cases of force majeure
Guarantee of access in case of emergency:
Even in emergency situations, calls to
emergency numbers must be guaranteed
6 Economic Assessment
6.1 CAPEX and OPEX costs
The analysis of the CAPEX (non-recurrent) and
OPEX (operational) costs allows estimating the
economical impact of PROSIMOS projects
deployment on PMN Operators, First Responder
Agencies and Government. In this activity, the
specific case of Spain has been analyzed.
CAPEX costs are mainly (60%) constituted by the
update or replacement of the mobile network
equipment, that is Mobile Switching Centers (MSC)
and Home Location Registers (HLR). In order to
compute these costs, the following information is
necessary for each mobile operator: number of total
MSC and HLR; number of network component that
have to be updated on the basis of their lifetime and
components unit cost. This information is not
available for the public; hence, it has been estimated
starting from the information of total number of
mobile users, approximate MSC and HLR user
capacity and update/replacement costs, and market
share of each PMN.
Other CAPEX costs are the following: design and
engineering tasks (that cover the cost of consultants);
transport, installation and configuration; costs of
56
management and control platform for call priority,
that have been estimated starting from other mobile
portability platforms; costs of the management and
control platform website for user registration and
other functionalities for First Responders.
On the other hand, OPEX costs can be classified into
fixed and variable costs. Fixed OPEX costs are the
structural, personnel and allowance costs related to
the new departments founded, and costs related to the
operation and maintenance concept. They are the
following: priority service management department,
that would cover the structural and personnel costs;
priority service information and training department
costs, that would cover the structural, personnel and
allowance costs and finally hosting and O&M
(Operation and Maintenance) of management and
control platform website.
Variable OPEX costs depend on the priority calls
routed by the service, in fact it is composed of the
quantity: Gross per-minute cost * Priority call length
* Number of priority calls. The latter element is quite
difficult to estimate at emergency scenario level, but
above all, it is difficult to estimate at annual level.
One of the goals of the simulator is also the
estimation of this quantity.
Therefore, the major amount of the total cost belongs
to the infrastructure update due to the old-dated
currently nodes existing (OPEX cost approximately
represents 10% from CAPEX costs). But thanks to
this renewal not only PROSIMOS would be posible,
but also other new services (not currently supported)
would be available to the carriers. Therefore, the costs
obtained from the CAPEX cost would be not only
amortized during the hardware (nodes) life cycle, but
also through the multiple incomes obtained from
these new services.

6.2 Business Models
Several Business Models have been developed for the
implementation of PROSIMOS service in Public
Mobile Networks. The foundation ideas are that
PROSIMOS is a service that has to be paid by users;
all Mobile Operators implement the same service and
the customer segments can select the operator on the
basis of the service cost: no incompatibility issues
arise and that Mobile Operators will profit from
enabling the service. The proposed business models
mainly differ from the way the CAPEX and OPEX
costs are divided among the three stakeholders:
Country Government, Customers (Emergency Units)
and Service Providers (Mobile Operators).
In the first Business Model it is considered that
countries Governments should be responsible for
providing needed infrastructure for PROSIMOS,
covering CAPEX costs (which in the Spanish case tot
up to 48 million-odd Euros), while network operators
should take care of OPEX costs. A further step in this
line of though considers the share of the OPEX costs
among the different mobile operators on their market
position. This first type of business model has been
named Model OnlyOp, thus referring to the fact that
mobile operators have to cover OPEX costs.
In the second solution we consider what happens
when the customer (First Responder agencies)
actively takes part in the cost distribution. This means
that both CAPEX and OPEX costs can be divided in
different ways and percentages between country
Government, mobile operators and First Responders
agencies. Also in this case all the mobile operators
owning a private infrastructure are induced to
implement PROSIMOS service. This second type of
business model has been referred as Model 3Shared,
implying that in this case three entities participate to
the distribution of costs.
Finally, the third considered business model
encompasses the complex procedures of Public
Authorities, bringing up into discussion the issue of
public open contests calls for service provision, with
the objective of selecting which mobile operator
would (on a sole/joint venture basis) implement
PROSIMOS service. Only those mobile operators
interested in deploying the service would apply to the
call (needed appealing of the business model).
Decision award criteria would have then to consider
the distribution of the costs among the three parties
and also the associated operational gain. This third
business model has been called Model Exc, thus
referring to the fact that in this case an exclusive
agreement between a customer segment and a mobile
operator according to free market practices is to be
reached. As can be seen, each Business Model
represents an evolution in complexity from previous
ones.
The proposed models vary also from the point of view
of the different revenue sources that can be applied
(subscription fees, call per minute costs, flat rates,
etc) and they can be further differentiated in other
variants that we will not describe here for brevity.

6.3 Business Models Simulator
In order to validate the previous Business Models, a
specific Simulator has been developed in the frame of
the project, limited to the Spanish use case, as
aforesaid mentioned: the simulator performs an
estimation of costs and incomes for the different
business models thus allowing understanding the
most suitable one to be adopted.
It is not indeed straightforward the identification of
the best business model for PROSIMOS service
without the support of a simulator. This difficulty
mainly arises from the fact that several actors take
part on the business process. Rather than being a
trivial customer/suppliers matter, where companies
aim at reaching the maximum profit guaranteeing the
satisfaction of the customers needs, it is a public
interest matter where also Government and First
57
MATLAB Business Model Simulator
Data Analysis Modules
Business Case
Module
Traffic Profile
Module
OPEX & CAPEX
Cost Module
Data Processing
Module
Parallel Computing
MySQL Database
OUTPUT VARIABLES
Traffic Characterization
Module
(UPVLC Simulator)
INPUT VARIABLES
PROSIMOS Web Interface
D9-Candidate
Technologies
D6-Requirements
Definition
D5- Market
Analysis
D7-Use Case
Definition
D14-Business Cases
Analysis
D13-OPEX & CAPEX
Cost
Data Validation Module
Results
Presentation
Module
OUTPUT VARIABLES INPUT VARIABLES
Responders have to pay a key role in order to foster
the implementation of the service. For this reason, we
think that Business Models including a participation
of government and emergency agencies in the
distribution of costs will probably turn out to be the
most suited one.
At this point, an important consideration must be
noticed. It is that PROSIMOS Business Models and
associated Simulator are considering, at present
moment, only voice communications. Although the
network simulator (SPHERE) is able of providing
information about data traffic behaviour, the
complexity of already performed work and the
foreseen load associated to defining the
corresponding BM for data traffic and holistic (voice
and traffic) ones have strongly suggested to limit
research at this stage only to voice capabilities,
providing then the uppermost quality results.
PROSIMOS Business Model Simulator will help
future entities involved in PROSIMOS service to
evaluate the performance of the service as well as the
implementation costs and the type of revenue sources
that are most suitable to refund the investment.
The Business Model Simulator is composed of three
elements: the web portal by which setting the input
variables, launching the simulation and analyzing the
results; the MySQL Database that stores the input
variables and the results of the simulations and the
Matlab Simulator which executes the simulation
according to the input variables set by the web portal
and writes the results on the Database.

Figure 5 Business Model Simulator Architecture
It can perform several types of simulations, at
emergency scenario and at national level. The
simulation at scenario level computes the total cost to
be afforded by each agency during an emergency
scenario. Therefore, it is possible to choose the
emergency scenario to be simulated: Forest Fire;
Incident in a Metro Station; Football Match; Airport.
The simulations at national level are conceived in
order to calculate economical parameters to assess the
viability of the implementation of PROSIMOS
service. It performs calculations at annual scale and
delivers different outputs depending on the simulation
type: BM-Revenue Sources vs Profit (type A): Given
the Business Model and the Revenue Sources, the
output is the profit of the mobile operator, and the
cost to be afforded by the mobile operator, the
Government and by the customer in one year. BM-
Profit vs Revenue Sources (type B): Given the
Business Model and the Profit to be obtained, the
Revenue Sources that allow obtaining the selected
Profit are the outputs. Revenue Sources Profit vs
BM (type C): Given the Revenue Sources and the
Profit, the outputs are the different business models
and CAPEX and OPEX costs distributions that allow
obtaining the selected Profit. Monte Carlo Revenue
Sources BM-Revenue Sources vs Profit (type D):
Given the Revenue Sources and the Profit, the outputs
are the different business models and CAPEX and
OPEX costs distributions that allow obtaining the
selected Profit with the corresponding setting of
aleatory variable.

6.4 Simulations Results
Business Model Simulations aimed at evaluating the
most suitable economical scheme that lead to feasible
implementation of PCPMN in terms of rational
economic and service efficiency have been carried
out. Simulation results allow end-users and service
providers to foresee the impact that this new type of
priority communication service could have from an
economic point of view.
PROSIMOS prioritization service over PMN is
affordable for public safety users. What is more, this
service appears to be much more beneficial while
comparing it to deployment and maintenance costs of
a private mobile radio network.
Approximately, CAPEX and OPEX costs of
deploying and maintaining prioritization service in the
whole Spanish territory reach 48m and 3m per year,
respectively, where as the current TETRA network
already deployed in few urban areas with
approximately 1200 base stations and 250.000 Public
Safety users reach 70m without counting neither
OPEX costs (in Madrid municipality reaches 10m
each two years with 3500 TETRA terminals) nor
terminals prices ranging from 800 to1400.
Simulations concluded that service requirements
(especially in terms of QoS) collected by end-users
are satisfied with the implementation of PROSIMOS
prioritization service over PMN. Concretely, results
ratified that HSDPA technology provides the required
QoS in opposition to GSM which presented poorer
QoS when the network is subjected to large amount of
data of certain scenarios. Following table provides a
deeper insight on this issue.
58

SCENARIO GSM HSDPA
METRO Better results than HSDPA.
All priority success, calls rates above
94%.
Success rates
above 91%.
FOREST Poor service results:
P1 less than 90%
P2 less than 70%
No service for non
priority users.
P1 & P2
successful rates
over 95%.
Non-priority users
have low access.
AIRPORT
Prioritized users above 90%.
Non-priority users reach 60% only if
low load.
Both prioritized
and non-
prioritized users
reach 98%.
FOOTBALL
MATCH
Very poor results for all users (due to
high network load)
Excellent results
for all type of
users above 99%.
Figure 6 Comparison of QoS parameters for the 4
scenarios

Simulations have helped to find the most efficient
economical schemes to implement PROSIMOS
service, taking into account Mobile Operators profit
and expenses that customers may be willing to pay.
Simulation results pointed out 3Shared Variant A as
the most efficient business model where CAPEX and
OPEX costs are to be shared among Country
Government, Customer Segments and Mobile
Operators. In addition, duration based revenue
sources is the most adequate scheme to refund the
expenses keeping high profits for all the operators
with lower costs for customers since they present
better results than charging a transaction fee per each
call plus a cost per minute to the customers. To sum
up, results confirmed the service feasibility for the
end-users as well as the market opportunity for the
operators and industries.
7 Conclusions
The main objective of PROSIMOS was to extract
which business model should be selected when
implementing PCPMN in terms of rational economic
and service efficiency. The results of the project have
allowed the definition of the most suited
technological solution to implement PROSIMOS
service and also the identification of the best business
model to be adopted for the service development. In
addition, this activity answered several additional
issues from the point of view of end-users, some
related to the costs comparison between using private
networks or prioritization services over the public
mobile networks, others related to the most suitable
and affordable revenue sources and others related to
the technology that provide best performance in QoS
terms. Important research activity has been also
performed in order to situate PROSIMOS service
within the European and worldwide regulatory
framework. Concrete results lead to the conclusion
that prioritization service over PMN is more
beneficial for the users than the deployment and
maintenance costs of private network, using HSDPA
technology, 3Shared Variant A business model and
duration based revenue sources. These results have
shown the PROSIMOS service importance and
feasibility to the end-users as well as the market
opportunity for the operators and industries betting
for these leapfrogging technologies over PMNs.
Further research in this field will consider business
models for high speed data traffic and next generation
networks (LTE) support for PPDR operations.

Disclaimer. PROSIMOS project has been funded
with the support of the Prevention, Preparedness and
Consequence Management of Terrorism and other
Security-related Risks Programme of the European
Commission - Directorate-General Home Affairs".
This publication reflects the views only of the
authors, and the Commission cannot be held
responsible for any use which may be made of the
information contained therein.

References
PROSIMOS project public deliverables, available at
www.prosimos.eu.

59
An Integrated and Integrating
Airport Security Management Concept
Torben Hecker, Nunzio Lombardo, Holger Pansch
EBS European Business School gGmbH, Germany

Abstract
Airport security has gone through significant changes in recent years and is nowadays an increasingly important
and challenging issue for airport operators. Hence, an Airport Security Management Concept (ASMC) is needed
that copes with the changed and changing challenges and integrates the single security management processes as
well as all relevant aspects. The development of such an ASMC is the objective of the EBS European Business
School within the German national research project FluSs (Flughafen-Sicherungssystem Airport Security
System). The paper gives an overview on the ASMC and presents its components and subcomponents. As risk
management is to be regarded as a core component of the ASMC it is introduced more in detail in chapter 6.

1. Argumentation of the need for an
integrated and integrating ASMC
New threats evolving from international terrorism, or-
ganised crime or epidemics as well as tightened secu-
rity regulations as a consequence and last but not least
the constantly growing number of passengers require
security measures and the development of efficient,
scalable and customer-oriented process architectures.
Taking into account additionally that the share of secu-
rity costs already accounts for an average of 35% of
the total operating costs
1
, the management of security
at airports has become a major challenge. As security
is furthermore a cross-sectional topic that affects many
processes an integrated and integrating Airport Secu-
rity Management Concept (ASMC) is of vital impor-
tance.

Today a lot of management instruments are in place to
plan and operate security at airports. They are respon-
sible for a secure aviation system. Nevertheless, those
procedures need improvement, especially due to the
needed integration of the different instruments on the
one hand and the high number of stakeholders on the
other hand.
Todays security management is often based on a
mainly reactive approach as well as not integrated and
incomplete in terms of missing sub components (e.g.
cost-benefit consideration of security measures, risk
analysis).

Within the BMBF
2
Project FluSs (Flughafen-
Sicherungssystem = Airport Security System) an inte-
grated and integrating ASMC is developed in order to
create a comprehensive and integrated airport security
system.

2. Short outline of the research pro-
ject FluSs
The research project FluSs is conducted within the
framework of the announcement Protection of trans-
portation infrastructure as part of the BMBF program
Research for Civil Security. The project focuses on
the development of a comprehensive security system
for airport infrastructures, developing both strategic
and operational solutions.
3
Twelve project partners in-
cluding the end user Fraport AG
4
as well as some sub-
contractors have been working on this system for three
years and will finish the project at the end of 2011.

On the strategic level, a theoretical concept for an
ASMC is developed, that is relevant to this paper. The
concept includes a methodology to evaluate security
measures by costs and benefit that broadens the scope
of existing approaches by indirect costs and soft fac-
tor benefits.

On the operational level, technological and organisa-
tional solutions have been developed based on a risk
analysis. To provide the employees in the control cen-
ter a comprehensive view on the security situation, a
new clearing ware has been developed to use, prepare
and present all kind of security related information.
60
3. Goals of the ASMC
The ASMC should provide the airport operators with
management instruments to handle airport security.
This instrument supports effective and efficient secu-
rity operation. It should incorporate the systematic
planning, implementation, steering and advancement
of security at airports and their direct surrounding area.

The ASMC has to consider all affected or involved
stakeholders and their processes. That means the con-
cept will pursue an integrating approach. That is nec-
essary because of the wide impacts of security opera-
tions within airport operations.

Besides the integration in such a horizontal dimension,
integration has to be developed in a vertical direction
as well: The ASMC has to be in line with other man-
agement instruments of the airport operator, e.g. vi-
sion, strategy, quality management. It is self-evident
that all aspects of security planning must be considered
within the ASMC.

Due to the fast changes of the surrounding conditions
it is of great importance that the new ASMC is up to
date. The ASMC has to be adapted to changing condi-
tions and, therefore, pursues an iterative character to
decline changes to all affected aspects.

In the past, security often responds to attempted or car-
ried out terror attacks. Thus, the security concept
forces a pro-active and anticipatory character. The role
of the operator should change from a responder to an
actor.

Last but not least, the ASMC should increase the secu-
rity awareness of all employees.

4. Methodological procedure
The ASMC has essentially been developed in four suc-
cessive steps:
1. Identification of components and requirements
2. Elaboration of the conceptual design
3. Discussion / verification with security experts
4. Adaptation and finalisation of the concept

To identify the components of an ASMC an extensive
survey has been conducted among representatives of
the airport security management of Frankfurt Airport.
In addition, security management concepts of further
German transport infrastructure operators (e.g. railway,
harbour and tunnel) have been analysed and compared
in order to learn and benefit from existing concepts
and know-how. Furthermore, relevant literature has
been analysed, especially the publications of the Ger-
man Federal Ministry of the Interior to Critical Infra-
structure Protection.

The requirements of the ASMC and its single compo-
nents have been deduced from a survey among repre-
sentatives of Frankfurt Airport Security Management,
affected business units of the airport operator, affected
stakeholders and security experts.

As a second step, the various findings of the surveys
and analyses were consolidated and supplemented with
the results of other FluSs subprojects (especially with-
in the cost-benefit analysis and the risk analysis).
Based on that, the conceptual design of the ASMC was
elaborated by defining and structuring the components
and subcomponents of the concept.

Thirdly, the elaborated conceptual design of the ASMC
and the single components were presented and dis-
cussed in a workshop-series with representatives of the
airport security management of Frankfurt Airport and
other security experts. The objective was to verify and
supplement the content of the ASMC with experts
from the field to ensure its future practicability and
applicability.

Finally, the concept will be adapted and adjusted ac-
cording to the outcomes of the workshop-series. The
ASMC will be completed at the end of 2011.

5. Components of the ASMC
Figure 1 shows the components of the ASMC as they
were elaborated within the research project FluSs.
These are beside a prefatory part six main components.
Each of the components includes further sub-
components which are also shown in Figure 1. Within
the concept, the single components and subcompo-
nents are described on the basis of certain criteria and
with regard to the special demands and framework re-
quirements of an infrastructure like an airport. The fol-
lowing criteria are adopted on each of the ASMC
components: Definition, Function/Intention, Sub-
components, Proceeding/Methods for the Implementa-
tion, Responsibility, Interrelations, Monitor-
ing/Evaluation/Updating, Other Recommendations,
Checklists.
61
Preliminary Information
Definition/description of the ASMC
Goals of the ASMC
Basic requirements of the ASMC
Validity and binding nature of the ASMC
Legal framework
Author of the ASMC
Security Strategy
Mission statement
Strategies and strategic goals
Security Organisation
Responsible person for the ASMC
Organisational structure
of the security management
Stakeholder list
Communication plan
Risk Management
Preliminary Planning
Hazard Identification
Risk Analysis
Risk Assessment
Risk Coping
Monitoring and Review
of the Risk Management
Incident and Crisis Management
Operating instructions for emergencies
Redundancy concepts
Measures for business continuity
Quality Management
Quality planning
Quality control
Quality assurance
Quality improvement
Change Management
Strategies, approaches, instruments, proc-
esses and measures for the adaptation
of the ASMC
Figure 1 Components and sub-components of the

6. Risk Management
Risk Management has to be considered as a core com-
ponent of the ASMC. While in the past the appraisal
of the financial risk
5
was in the foreground when talk-
ing about risk management, now it is also a matter of
strengthening the risk management referring on securi-
ty risks. As a part of the ASMC it allows the systemat-
ic identification, analysis and evaluation of security
risks at an airport. It supports the derivation and su-
pervision of adequate and economically feasible meas-
ures to mitigate security risks. By assessing the possi-
ble development of the surrounding conditions, the
risk management also supports a more anticipatory,
proactive approach and enables the security manage-
ment to operate no longer reactively alone. It helps to
make well-founded decisions on dealing with risks and
makes an important contribution to achieving a high
security level. The findings generated by the risk man-
agement are also an important basis for the incident
and crisis management of the airport operator.

Figure 2 shows the phases of the risk management
process. The phases are introduced briefly (see chap-
ters 6.1-6.6) pointing out how risk management helps
to identify risks to critical processes and how it sup-
ports the selection of the most effective and efficient
measures to counteract these risks. In addition, the
strengths and weaknesses of vulnerability analysis and
damage analysis as a basis for risk assessment are
briefly highlighted.

Figure 2 Phases of the Risk Management Process
6.1 Preliminary Planning (Phase 0)
During this phase the conditions for successful devel-
opment and establishment of a risk management are to
be determined. This requires in particular the will and
the support by the companys top management. The
latter discusses and coordinates the pursued objectives,
the approach to the establishment and the responsibili-
ties and competence concerning the establishment with
the Head of airport security. Besides, the human and
financial resources, which are necessary for the im-
plementation, have to be estimated and made available.
Any adjustments in the structure and process organisa-
tion through the establishment of the risk management
are to be checked and set.
6

62
6.2 Hazard Identification (Phase 1)
In Phase 1 of the risk management, critical processes
of an airport have to be identified. These are those
processes whose impairment (e.g. disruption or failure)
would have far-reaching consequences for the airport
and its operativeness and are therefore to be protected
against hazards. A suitable method for the identifica-
tion is the so-called criticality analysis.
7
The result of
this analysis is a catalogue that gives an overview of
all the critical processes of an airport, their sub-
processes and process elements.
8

Hazards which can affect the critical processes have to
be identified and assigned to them. This is done by a
hazard analysis - the result of which being a site-
specific hazard list. Based on that list, hazard scenarios
are developed either for all or for selected
9
critical
processes. They describe events that may lead to dis-
ruptions, failures and crises. For this, the hazards of
the hazard list are supplemented by further informa-
tion, e.g. expected intensity of the event, expected
temporal expansion, pre-warning time, secondary ef-
fects.
10

6.3 Risk Analysis (Phase 2)
In the risk analysis phase the specific risk for the criti-
cal processes due to the hazards is determined. Risk is
understood here as a function of the probability of oc-
currence of a hazard scenario and the vulnerability of
the critical process considered or the potential scale of
damage (caused by the occurrence of the hazard).

The determination or rather estimation of the proba-
bility of occurrence is carried out for each hazard sce-
nario. This can be done by developing a scenario tree
where the relative probabilities of threats concerning
conventional or unconventional instrumentalities
(bombs, firearms, biological weapons etc.) and the site
of crime are represented. Since the calculation of
probabilities is often difficult or impossible due to lack
of historical data and time series, they can usually only
be estimated. For this purpose, a multi-stage classifica-
tion can be applied (e.g. 5-stage scale: 1 = very low to
5 = very high).

Concerning the determination of risk, the ASMC offers
two options: 1.) a determination based on a damage
analysis for which an own approach was developed
within the project and 2.) a determination based on a
vulnerability analysis as it is described in the Guide-
line for Critical Infrastructure Protection of the Ger-
man Federal Ministry of the Interior.
11

Damage Analysis
The aim of the damage analysis is to determine or es-
timate the potential harm
12
in case of occurrence of a
hazard scenario for the relevant processes at an airport.
It distinguishes between primary damages (e.g., per-
sonal damages, real estate and equipment damages)
and secondary damages (e.g., business interruption,
possible loss of image of the airport). Key perfor-
mance indicators for the respective types of damage
are defined (e.g., costs for business interruptions per
day). Usually, the damage is monetized, which is diffi-
cult in case of personal damages (ethical reasons).
Thus, the potential damage is stated as the number of
dead, seriously and light injured. The damage sums of
each type of damage can be added, finally, to a total
loss amount.

Vulnerability Analysis
The aim of the vulnerability analysis is to determine
the susceptibility of a process (its sub-process and
process elements) to a certain hazard scenario and the-
rewith assessing the risk. The underlying context is
that the higher the degree of vulnerability of a sub-
process or a process element the more they can be af-
fected by a hazard and the more the airport operations
can be affected. The degree of vulnerability of each
process element is estimated with the help of different
criteria (e.g., dependence on external infrastructures,
restoration cost). Point values are awarded for each
criteria (e.g., 1 = very low, 5 = very high), from which
the vulnerability of every single process element can
be calculated. The vulnerability of the sub-process
arises from the sum of the vulnerability of its the sin-
gle process elements. Above that, a specific risk can be
calculated for each process element by multiplying the
vulnerability of the considered process element with
the probability of occurrence of a hazard scenario. The
risk of a sub-process is calculated from the sum of the
risks of the single process elements.
13

Strengths and Weaknesses of the Damage Analysis
and Vulnerability Analysis
The two approaches considered here have certain
strengths and weaknesses. The approach of damage
analysis has the advantage that damages can be quanti-
fied. That means they can be monetized or expressed
as a number of dead or injured people. In contrast, a
determination of concrete damage sums and personal
damages is not possible in the vulnerability analysis
and shows a weakness in the comparison.

In addition to the directly affected processes the dam-
age analysis offers the advantage to consider the dis-
ruption or failure of dependent processes in the deter-
mination of damages. Thus, the actual extent of dam-
age is more likely to be estimated. However, the
vulnerability analysis does not consider the effects on
related business units and processes. In contrast, by the
vulnerability analysis it is possible to include the de-
pendence of the affected sub-processes and their
process elements on its upstream processes into the
risk assessment.
63

A major difference between the two analytical methods
is the need for data. Thus, the damage analysis requires
data and key figures. The result depends substantially
on the date availability and the date quality (e.g., real
estate and equipment values). In addition, the time re-
quired for data collection and data generation is to be
considered.
The independence of data can be seen as strength of
the vulnerability analysis in the comparison. However,
the assessment of the degree of vulnerability by as-
signing point values is not unproblematic, since the
problem of subjectivity of the assessing person(s) ex-
ists. Thus, for example the score 2 = "low" can have
different dimensions and be understood or interpreted
differently by different people.

The strength of the vulnerability analysis compared to
the damage analysis lies in the assessment of vulnera-
bility and risk on the basis of vulnerability criteria for
each process element. This allows a differentiated con-
sideration and very good comparability of the vulner-
ability and risks, e.g.:

of process elements within one sub-process,
of alike process elements within different
sub-processes as well as
of sub-processes among themselves.

To use the strengths of both methods within the Risk
Management of the ASMC, both methods can be used
one after another. For example, a risk analysis on basis
of a damage analysis could be conducted to identify
the processes with the highest risk. For these processes
then a vulnerability analysis could be performed to ob-
tain further, more sophisticated results.

Since both approaches have certain strengths and
weaknesses in the comparison and there is not an ex-
clusive solution, the security management of an airport
operator has to choose the most applicable approach or
a combination of both within the scope of the risk
analysis.
6.4 Risk Assessment (Phase 3)
Once the risk values were determined, they should be
compared with each other to identify those critical
processes at the airport which are exposed to the high-
est risks. The airport operator must now decide which
risks he is willing to take (acceptable risks) and which
not (not acceptable risks). That decision depends
above all on the protection goals (the level of aspired
security) of the airport operator. A protection goal is to
be understood as an objective which an airport opera-
tor wants to reach with certain security strategies or
measures.
14
The protection goals have to be considered
when developing security measures to transfer not ac-
ceptable risks into acceptable risks (phase 4).
6.5 Risk Coping (Phase 4)
Different risk strategies or measures exist to achieve
the protection goals and, thus, to cope with the identi-
fied, not acceptable risks:

Risk avoidance - Consideration of certain po-
tential risks during site planning
Risk mitigation - Reduction of the probability
of occurrence
Risk limitation - Limitation of the effects in
the case of damage
Risk transferring - Transferring of (financial)
risks to others
Risk acceptance - Documentation and consid-
eration of accepted risks and rest risks

Measures to the risk mitigation, risk limitation and risk
transferring can also be taken simultaneously (in com-
bination) to address a risk.

The possible measures should be assessed by a cost-
benefit analysis. This helps the security management to
find out how efficient and effective different security
measures are. That supports the discussion of measure
alternatives and, finally, the choice of security meas-
ures which should be implemented afterwards.
6.6 Monitoring and Review of the Risk
Management (Phase 5)
Phase 5 ensures the actuality and functionality of the
risk management. The monitoring and review refers to
all previously described phases and should be carried
out
continuously,
after the implementation of (new or adjusted)
security measures,
under the circumstances of a changed sur-
rounding condition (e.g. a changed threat lev-
el, changed protection goals of the airport op-
erator).

It should be noted that the aforementioned methods,
analyses and processes can only be supporting tools".
They should support the airport operator or its security
management to identify hazards and risks and, finally,
to derive suitable measures. Nevertheless, they guaran-
tee neither absolute security nor release the people in
charge to make responsible decisions.

64
7. Terms for a successful implemen-
tation
The ASMC describes all relevant management instru-
ments and includes procedures how to implement
them. Besides this technical implementation guide-
line, the organisation should create surrounding condi-
tions to support the success of the ASMC.

1. The top management of the airport operator
should support the ASMC implementation. It
should be a top priority project in order to
guarantee the cross-sectional collaboration.
2. The implementation of the ASMC should be
coordinated by a professional project manager
because of the complexity of the topic and the
variety of stakeholders.
3. The implementation should be promoted by
stressing the benefit of the ASMC. Security
can be an enabler in the future and can leave
the image of the investigator behind.
4. The concept should be available to the rele-
vant stakeholders in order to achieve a com-
mon security understanding and living.
References
[1] ACI Europe An Outlook for Europes Airports.
Facing the Challenges of the 21st Century, p.
32, 2010.
[2] German Federal Ministry of Education and Re-
search
[3] Apart form Cargo and IT Security which are not
in the focus of the research project.
[4] Operating Company of Frankfurt Airport
[5] E.g. Corporate Sector Supervision and Transpar-
ency Act.
[6] See Bundesministerium des Innern Schutz Kriti-
scher Infrastrukturen Risiko- und Krisenmana-
gement, Leitfaden fr Unternehmen und Behr-
den, 2. berarbeitete Auflage, Berlin, S. 12 f.,
2011.
[7] See ibid., S. 16 f.
[8] Sub-processes are segments of operational proc-
esses (central processes, supporting processes).
They can be subdivided again into other sub-
processes. Process elements are understood in the
present paper as components of a sub-process
which contribute to the function of this sub-
process (e.g., people, areas/terrain, buildings, fa-
cilities, equipment, data). See Bundesministerium
des Innern, S. 15 f., 2011.
[9] The number of scenarios is to be determined by
the Security Management of the airport operator.
The objective should be to cover a broad range of
potential risk.
[10] See Bundesministerium des Innern, S. 17 f.,
2011.
[11] See Bundesministerium des Innern: Schutz Kri-
tischer Infrastrukturen Risiko- und Krisenma-
nagement, Leitfaden fr Unternehmen und Be-
hrden, Berlin, S. 19 f. und 81-84, 2008.
[12] Damage is here understood as circumstance that
arise material, moral and / or disadvantages to life
and limb caused by the occurrence of a hazard.
[13] See Bundesministerium des Innern, S. 19 f. und
81 f., 2008.
[14] Ehses, H.: Sicherheitsanalysen und Konzepte,
In: Ohder, C. (Hrsg.): Unternehmensschutz.
Praxishandbuch, S. 22, 1998.

65
Supply Chain Integrity Services based on hierarchical Sensor
Networks
Alexander Pflaum, Fraunhofer Institute for Integrated Circuits, Germany
Hauke Traulsen, Fraunhofer Institute for Integrated Circuits, Germany
Juergen Hupp, Fraunhofer Institute for Integrated Circuits, Germany
Abstract
In global supply chains goods are transported using maritime containers on ships, railways and trucks. Logistical
processes, organizational structures as well as information systems are highly complex and often not transparent
enough in order to guarantee full supply chain visibility. Theft, shrinkage, infiltration of fake products into sup-
ply chains, smuggling of dangerous goods, weapons and also people are more or less on the daily schedule in
global supply chains. Process-related security mechanisms have their limits and new technology based solutions
are necessary. Especially the Internet of Things-technologies RFID, wireless sensor networks and real time
locating systems might be an important enabler for future supply chain integrity solutions. During the last three
years such a solution based on sensor network technology has been developed by Fraunhofer together with SAP,
Giesecke & Devrient, Eurolog and some other smaller industrial companies within the lighthouse project
ALETHEIA funded by the German ministry for Education and Research. The challenges addressed by the pro-
ject were the development of energy efficient sensor nodes and gateways, the conception and realization of data
security mechanisms necessary in order to prevent hackers from infiltrating the system as well as the develop-
ment of sensor network protocols which allow real time monitoring of the container and its cargo. The contribu-
tion describes results developed during the project and gives hints concerning future developments. In order to
create a fully usable supply chain integrity solution the existing prototypes have to be transferred into real prod-
ucts, the developed communication protocols and interfaces have to be standardized on an international level.
One further challenge is the design of a supply chain integrity service which could be accepted by the logistics
industry from an economical point of view. Matching business models have to be developed.
1 Wireless Sensor Networks
could increase Supply Chain
Transparency
1.1 Breaches in Supply Chain Security
require new technical Solutions
In global supply chains goods are transported using
maritime containers on ships, railways and trucks.
Logistical processes, organizational structures as well
as information systems are highly complex and often
not transparent enough in order to guarantee full sup-
ply chain visibility. Theft, shrinkage, infiltration of
fake products into supply chains, smuggling of dan-
gerous goods, weapons and also people are more or
less on the daily schedule in global supply chains.
Process-related security mechanisms have their limits
and new technology based solutions are necessary.
Especially the Internet of Things technologies
RFID, wireless sensor networks and real time locating
systems might be an important enabler for future sup-
ply chain integrity solutions. During the last three
years such a solution has been developed by Fraun-
hofer together with SAP, Giesecke & Devrient, Eu-
rolog and some other smaller industrial companies
within the lighthouse project ALETHEIA funded by
the German ministry for Education and Research. The
following paper summarizes the more important re-
sults.
1.2 The Vision: Hierarchical Sensor
Networks increase Transparency
Figure 1 shows the vision behind the project [1]. The
idea was to attach sensor networks to product pack-
ages, pallets and sea containers and to link these net-
works hierarchically to each other. Within a depot
sensor nodes on pallets can communicate with an in-
frastructure of anchor nodes and one or more gate-
ways which represent the link to the depots IT sys-
tem. In case that a security breach occurs on the prod-
uct or pallet level an event is generated and sent to the
backend information system via the node infrastruc-
ture in the depot. Mobile nodes are able to determine
their position in the depot based on integrated locat-
ing algorithms. The system enables operators to send
messages or queries from a mobile phone or a desktop
66
PC to nodes on the pallet or product level using the
internet and the fixed node infrastructure in the depot.
Outside the depot pallet nodes on the sea container
(mobile gateways) use GNSS infrastructures to de-
termine their position and UMTS or satellite based
communication systems to communicate with infor-
mation service providers or other players within the
supply chain.
Anchor Node
Infrastructure
Products
on Pallets
Product
Packages
Indoor Outdoor
Figure 1: Vision Supply Chain Integrity System
The system increases the transparency of the supply
chain and sets up a permanent information link be-
tween a service provider and the transported goods.
Even on a container ship the connection is sustained.
Here containers within a stack root information from
the deepest to the top level. Any container on the top
level is then able to transmit a given message. The
precondition is that all containers on the ship are
equipped with networked communication modules.
1.3 ALETHEIA: A first Prototype to
prove the technical Feasibility
One of the main goals of the lighthouse project
ALETHEIA, funded by the German Ministry of Edu-
cation and Research BMBF was to show the techno-
logical feasibility of this approach. Since the left part
of the system presented in figure 1 had already been
realized in a preliminary research project the focus of
ALETHEIA was on the smart container on the right
hand side and here especially on the realization of the
mobile gateway and its connection to the sensor net-
work on pallet level. The project team defined the fol-
lowing working packages:
(1) Specification of a Supply Chain Integrity
Service and deduction of requirements,
(2) adaption of existing node hardware and
communication protocols,
(3) realization of distributed application software
for mobile sensor nodes, anchor nodes,
gateways and backend information system
(4) and integration of modules and testing of a
first demonstration system.
This paper addresses technology providers as well as
lead users willing to develop their own technological
problem solution. The next chapters summarize the
state of the art of supply chain integrity solutions
based on wireless sensor networks, the results of the
research project and give a very short outlook con-
cerning future developments.
2 State of the Art
2.1 Supply Chain Integrity
Companies like Metro Group, Volkswagen and other
pioneers have been working on projects concerning
supply chain integrity since years. Most companies
focus on the identification of packages, pallets, con-
tainers using UHF RFID technologies [2]. A compre-
hensive study which has been conducted by Fraun-
hofer and DHL showed that only a few logistics ser-
vice providers like DB Schenker, Wincanton,
Hellman, tried to go one step further. These compa-
nies ran pilots in which innovative technologies were
used in order to measure environmental parameters
like temperature, shock, vibration as well as for the
detection of theft and the unauthorized opening of
containers and swap bodies [3, 4]. Unfortunately none
of these pilots has been turned into a continuous op-
eration. Parcel services like UPS and TNT were more
successful. At least these two companies offer ser-
vices which allow not only the identification of a par-
cel but also the monitoring of the temperature.
2.2 Identification and Data Collection
Technology for Supply Chain In-
tegrity Systems
Since more than thirty years retail organizations and
logistics service providers use the one-dimensional
barcode in order to support their business processes.
Ten years ago companies like DHL and Metro Group
started experiments with RFID tags on pallet and case
level. Today the new technology is used in some op-
erations for the identification of pallets, a broad roll-
out into the industry has not taken place [5]. Also on
the container level UHF RFID has been tested by dif-
ferent companies. On the one hand there is an accept-
able business case for this application, on the other
one the identification technology RFID does not ad-
dress all requirements that have been defined by lo-
gistics companies. Telematics modules offer a broader
functionality. They can not be used for identification
only but also for locating [6]. In the past five years
there have been a lot of experiments like described
above. The companies used robust and large modules
with built-in GPS and GSM functions. The problem
here was the high energy consumption. Due to that
the technology has been used for exception handling
67
only. Since a few years the companies are doing first
experiments with solar powered modules. Only re-
cently DHL/Agheera started to equip 15.000 swap
bodies in Europe with such modules.
2.3 Supply Chain Integrity and Sens-
ing Technology
Besides identification and locating, technologies for
sensing are important from the logistics perspective.
During the last decade the logistics industry tested
electronic seals which detect the unauthorized open-
ing of containers and swap bodies as well as miniatur-
ized microelectronic tags with integrated sensors for
temperature, humidity, vibration and shock. Small
telematics devices with additional sensing functions
have been inserted into transport items in order to
make the transport processes more transparent in the
parcel sector of the postal market. On the container
level companies like DB Shenker have piloted the ap-
plication of door sensors which were wirelessly con-
nected with telematics module and experiments with
wireless sensor networks using the standard Zigbee
have been done by Wincanton. Logistics companies
have indeed recognized the importance of such solu-
tions. Unfortunately existing standards even Zigbee
do not meet all requirements which have been iden-
tified for supply chain applications. The project
ALETHEIA had the task to close this gap.
2 Prototype for a Supply Chain
Integrity Service based on
Smart Object Technologies
2.1 The Service Offering
The service which has been developed in ALETHEIA
addresses global supply chains with many different
and independent organizations. Transparency is lim-
ited for these players. Products which have left the
own logistics network disappear from the information
systems and it is unclear whether they have reached
the end customer at the right time in the right quality.
Therefore there is an increasing need for tracking and
tracing services which continuously monitor the flow
of goods between the manufacturers production sites
and retail outlets even for global supply chains. Like
described before companies like Agheera provide real
time tracking and tracing services for swap bodies
and sea containers. Telematics modules which are at-
tached to these assets determine their own position
and transmit the information on a regular basis or in
case of a critical event to a central monitoring unit.
The service developed in ALETHEIA goes further.
Here the pallets inside the container are monitored.
The system covers the following integrity breaches:
(1) unauthorized opening of a container,
(2) theft of a pallet and
(3) exceeding of previously defined temperature
ranges on the pallet level.
2.2 Network and Players
The service monitors products along the supply chain
between the end of the production line and the retail
outlet respectively the end customer. Different organi-
zations are involved. The manufacturer produces
goods somewhere on the globe, does the packaging
and operates a distribution network in order to trans-
port his products to the central warehouses of retail
organizations, to retail outlets and sometimes also to
the end customer. The retail organizations operate
outlets in countries, regions and cities. Especially the
larger retailers maintain their own logistics networks
with central warehouses, regional distribution centres
and cross docking stations in order to reduce costs.
The processes between warehouses are organized by
logistics service providers (LSP), the transport itself
is done by freight forwarders. Furthermore cross-
company enterprise application integration companies
(CC-EAI) are responsible for the information flows
between the already mentioned organizations. Taking
into account the roles of the different organizations
supply chain integrity services could be offered by
LSPs as well as by CC-EAI companies. The third al-
ternative is an information broker who is offering in-
formation services within the so-called Internet of
Things IoT. In the case of the project ALETHEIA
we have chosen the third alternative.
2.3 Hardware and Software
In order to provide the service each pallet is equipped
with a S3TAG (figure 2), a sensor node which has
been developed by Fraunhofer IIS. The nodes contain
a TI MSP 430 microcontroller of the newest genera-
tion with minimized energy consumption, increased
performance and reduced dimensions. They are able
to measure pressure, light intensity, temperature etc.
Figure 2: Sensor node S3TAG
68
For sea containers and swap bodies a mobile gateway
with a S3TAG-interface has been developed (figure
3). The heart of the configurable platform is a DILnet
PC module. The gateway contains four Mini PCI Ex-
press slots which allow for the integration of GPS,
WLAN, UMTS and other functional modules.
Figure 3: Mobile gateway for sensor networks
In case of the ALETHEIA prototype the position of a
container or swap body is determined by a GPS mod-
ule, a UMTS module is used for communication with
a backend server. The different players in the supply
chain can use a normal desktop PC or a smart phone
in order to communicate with the container or swap
body and its cargo. The application software is distri-
buted to the different hardware devices. The sensor
nodes on the pallet level monitor sensor outputs,
compare the measurements with given limits and
create a logic event limit X for environmental para-
meter Y exceeded in case that it is necessary. The
event is directly routed to the mobile gateway. On a
regular basis the pallet single nodes communicate
with their direct neighbors and check the availability
of the communication links. In case that one or more
nodes are no longer responding another logic event
connection with node Z can be generated and again
sent to the mobile gateway. The mobile gateway is
able to interpret this information based on business
rules, to transform the logic event into a business
event and to inform backend systems at different
companies, to send an e-mail or a short message to a
smart phone whose owner has subscribed for a cor-
responding information service before.
2.4 Communication Issues
The communication between the mobile gateway and
the backend server uses existing UMTS technologies
and standards. The gateway offers web services for
surveillance and communication which can be sub-
scribed by the end users via smart phones, desktop
PCs and a central server. Messages between this serv-
er and the gateway conform to the standard messages
defined by the Open Geospatial Consortium OGC. In
principle existing technologies and standards have
been used. The real innovation as far as wireless
communication is concerned is the sensor network
protocol s-net
. Normally a sensor network proto-

col has to be optimized in terms of latency time, ener-
gy consumption, scalability, data throughput and net-
work topology. Trade-offs have to be made in order to
meet application specific requirements. Unfortunately
existing sensor network protocols like Zigbee do
not support typical supply chain applications. There-
fore the proprietary protocol s-net has been devel-
oped respective adapted during the ALETHEIA
project. The protocol features very low energy con-
sumption due to time synchronization and time-
multiplex communication. Highly dynamic construc-
tion and self organization of the network topology re-
sult in low configuration efforts, maintenance costs
and robustness. The protocol supports bi-directional
multi hop communication in order to forward data be-
tween data source and data sink using intermediate
nodes. The protocol features can be configured in a
flexible manner. Due to that a lot of different applica-
tion areas and network dimensions could be sup-
ported by s-net
. Furthermore there is the possibility

to localize single nodes using an existing infrastruc-
ture of anchor nodes and gateways.
2.5 The Process View
The prototype which has been developed supports the
following process:
Nr. Activity
1 During packaging the manufacturer attaches an
active sensor node to the pallet and stores logis-
tics information on the node.
2 During the loading process the sensor node on the
pallet connects with the mobile gateway which is
attached to the sea container.
3 After the loading process the doors of the con-
tainer are closed and the monitoring system is
activated using a smart phone app. From this
moment the pallet nodes and the mobile gateway
form a security network.
4 At the destination the monitoring function of the
sensor network is de-activated by an authorized
person using another smart phone.
5 The pallets are then registered by the receiving
organization, the sensor nodes are taken away
from the pallets. The pallet information is deleted
on the nodes which can then be used for another
transport process.
Table 1: Basic usage process
69
During the transport process the integrity breaches
which have been defined before can easily be de-
tected: (1) In case that an unauthorized person opens
the door the sensors on the pallet nodes will detect
light and/or movement and create an event. (2) In
case that a whole pallet is taken out of the container
the other pallets as well as the mobile gateway will
loose the communication link and react in the same
manner. (3) In case that the temperature drops rapidly
or in case that the humidity exceeds a certain level,
sensors inside the pallet nodes or the mobile gateway
will detect this delta and send an event if certain lim-
its are exceeded.
3 Summary and Outlook
On the last four pages we have described the neces-
sity for innovative supply chain integrity solutions.
We have shown that existing technologies can solve
the security and integrity problems only partially.
Within the BMBF lighthouse project ALETHEIA a
solution based on wireless sensor networks has been
developed and realized in a prototypical manner. In
between the results have been shown during the
transport 2011 in Munic. The prototype will be ad-
ditionally exhibited in DHLs innovation centre in
Troisdorf. From our point of view the technical feasi-
bility of such a system is proven. Two major chal-
lenges have to be addressed in the future. On the one
hand side the data security concept which has been
developed in ALETHEIA has to be further developed,
optimized and integrated into the system. On the other
hand standards have to be developed which allow the
practical implementation of the system. Without such
standards the logistics industry will not be able to
adopt the innovative and powerful sensor network
technology in the coming years.
References
[1] Pflaum, A., Traulsen, H., Lempert, S., et al.
(2008): Sicherung teurer Produkte in den Distri-
butionssystemen der Wirtschaft mit Hilfe von
drahtlosen Sensornetzwerken Zu den Mg-
lichkeiten und Grenzen der neuen Technologie,
Tagungsband zum Wissenschaftssymposium des
BVL, 11. bis 12. Juni 2008, Mnchen.
[2] N.N.: RFID-Potenziale fr Deutschland Stand
und Perspektiven von Anwendungen auf Basis
der Radiofrequenz-Identifikation auf den natio-
nalen und internationalen Mrkten. Studie der
VDI/VDE Innovation+Technik GmbH, Berlin
im Auftrag des Bundesministeriums fr Wirt-
schaft und Technologie (Herausgeber), 2007
[3] Hellmann (2008): Satellitengesttzte Container-
sicherheit aus Bremen nimmt Gestalt an. Pres-
semitteilung Hellmann Worldwide Logistics.
Online Ressource: http://www.hellmann.de/de/-
country/germany/de/presse/satellitengestuetzte-
containersicherheitausbremennimmtgestaltan,
2008.
[4] N.N. (2007): Schenker RFID GPS Container Se-
curity Solution; verffentlicht in Logistics In-
sight Asia, 31.10.2007.
[5] Strassner (2005): RFID im Supply Chain Man-
agement. Auswirkungen und Handlungsempfeh-
lungen am Beispiel der Automobilindustrie. Dis-
sertation Universitt St. Gallen. Wiesbaden
(2005), Deutscher Universittsverlag
[6] Pflaum, A. (2009): Das Konzept des Reife-
grads als Basis fr strategische Entscheidungen
bei der Implementierung elektronischer Etiketten
in der logistischen Praxis, in: Mller, S., Roth,
A., Schmidt, N. (Hrsg.): Mrkte, Anwendungs-
felder und Technologien in der Logistik Er-
gebnisse und Reflexion von 20 Jahren Logistik-
forschung, Gabler Research, Wiesbaden, 2009,
S. 395 - 416.
70
ProAuthent
Integrated protection against counterfeiting in mechanical engi-
neering through marking and authenticating critical components
Prof. Dr.-Ing. Willibald A. Gnthner, Technische Universitt Mnchen, Institute for Materials Handling,
Material Flow, Logistics, Germany
Dipl.-Wi.-Ing. Dominik Stockenberger, Technische Universitt Mnchen, Institute for Materials Handling,
Material Flow, Logistics, Germany
Abstract
The menace of counterfeiting is growing constantly, especially the German mechanical engineering is more and
more attractive to copyists. To protect components and spare parts, there is a technical concept for anti-
counterfeiting developed. In this system, the parts are tagged with fraud proof marks which are read out at sev-
eral checking points along the supply chain and particularly within the machine. The checking results are stored
in a central database in order to create new services and to simplify the communication between manufacturer
and customer.

1 Introduction
The current OECD study of counterfeiting and piracy
shows an enormous increase of the value of
worldwide seizures from 1999 to 2005 ([1] p. 72). In
Germany, VDMA
1
estimates the loss in sales in the
Mechanical Engineering branch caused by
counterfeiting to amount to up to 7 billion per year.
In the related survey, 68% of the participating
companies reported being affected by counterfeiting
and piracy [2].
Despite the coverage of the issue in public, politics
and economics, effective methods and fully developed
technologies for the protection of products remain
elusive. Development and installation of supervision
along the entire value added chain from the supplier to
the customer as a core technique is particularly urgent.
([3] p. 8, 62- 77)
The main objective of the research and development
project ProAuthent
2
is to fight counterfeiting of
1
Verband Deutscher Maschinen- und Anlagenbau e.V.
2
This research and development project is funded by the
German Federal Ministry of Education and Research
(BMBF) within the Framework Concept Research for
Tomorrows Production and managed by the Project
Management Agency Forschungszentrum Karlsruhe
(PTKA).
Participants: Homag Holzbearbeitungssysteme AG; Infoman
AG; Mller Martini GmbH; Multivac Sepp Haggenmueller
GmbH & Co.KG; Schreiner Group GmbH & Co. KG;
Vollmer Werke Maschinenfabrik GmbH; Lehrstuhl fr
Betriebswirtschaft, Unternehmensfhrung, Logistik und
critical components and spare parts in Mechanical
Engineering through integrated protection by marking
and authenticating products at selected points in the
value added chain.
2 Research objectives and
methodology
The research objective is to develop a framework to:
1. Identify critical parts and components in a
manufacturing company
2. Select a suitable marking technology for parts and
components
3. Mark particular parts and components
4. Design and implement a distributed IT-system to
track and trace marked products within the value
added chain
2.1 Identification of critical parts and
components in a manufacturing
company
In a company threatened by counterfeiting and piracy,
adding security markings to every manufactured part
and component to always be able to recognize them as
Produktion, TU Mnchen; Lehrstuhl fr Frdertechnik

Materialfluss Logistik, TU Mnchen; Lehrstuhl fr
Wirtschaftsrecht und Geistiges Eigentum, TU Mnchen
71
original can be ineffective and cumbersome, because
marking and later checking each single product is
always associated with additional expenses. Therefore,
it is necessary to directly identify the parts which are
most in danger of being counterfeited and are also of
special interest to the original manufacturer. By
examining counterfeiters motives and comparing this
to the manufacturers priorities, specific aspects can
be determined as relevant criteria for selecting the
components requiring protection. These are products
with a high margin, sales figures, and research,
development, and know-how intensity as well as
successful products with unique selling points.
Additionally security relevance, functional relevance,
the risk of damage to the manufacturers reputation,
and linked services can be regarded (see Figure1).

Figure 1 Aspects for the selection of components to
protect (basic and additional)

2.2 Selection of a suitable marking
technology for parts and
components
After the parts and components to be protected are
identified, it is necessary to select a suitable marking
technology for each of them. This requires knowledge
of existing security marking technologies. A broad
search for technologies as part of the research project
lead to a catalogue of 39 technologies and their
particular special characteristics. These characteristics
formed the basis to identify the best fit according to
the requirements of the components to be protected.
In the special cases that were part of the research
project the best technologies were holograms, infrared
colors (IR), copy detection patterns (CDP) and radio
frequency identification (RFID). The first two
technologies are denoted as originality marking
technologies and the second two as unique marking
technologies.
The complete procedure for identifying parts to be
protected and the suitable marking technology is
described in a general guide.
2.3 Marking particular parts and
components
According to the international chamber of commerce
([4] p.9) the applied markings must be
i. impossible to copy or replicate,
ii. durable for the period of product use and
iii. impossible to remove.
In order to guarantee ii and iii for the selected parts
and technologies, the goal is to always have the
markings as an integral part of the components and to
apply the mark during the manufacturing process.
CDP or RFID (under certain conditions) are inherently
impossible to copy or replicate. Holograms and IR are
technologies for less expensive products that are
weaker against replication.
2.4 Design and implementation of a
distributed IT-system to track and
trace marked products within the
value added chain
As mentioned in paragraph 1, tracking and tracing
marked parts is an effective technique to combat
counterfeiting. This requires designing and
implementing a distributed IT-system (see Figure2).
Interesting
for copyists
Valuable and
important
for original
manufacturers
Components
to protect
Selection aspects for components to protect:
Basic aspects
high margin
high sales figures
high research, developement and know-how
intensity
unique selling points
Additional aspects
security relevance
functional relevance
risk of damage to the manufacturers
reputation
linked services
72
The identity of parts with worldwide unique markings
can be read by a user at every identification point and
stored together with the location and time stamp in a
central data base.

Figure 2 Secure tracking and tracing within the value
added chain

In the case of RFID, the marking is a transponder
carrying the electronic product code (EPC) and the
unique tag id (UID) according to the worldwide
standards of EPCglobal
3
([5], [6]) and ISO [7].
These data can be read out at each identification point
and stored in the central data base to show the path of
every single part; making it possible to check the
originality of a part by comparing the read out data
with the stored data at any time.
Additional components and spare parts are particularly
affected by counterfeit and piracy in the Mechanical
Engineering sector [2]. To support a customer running
a machine, suitable readers can be installed as an
identification point inside of the machine to verify that
in the machine only contains original components.
This leads to significant advantages for the machine
owner, because he or she can be sure of the quality
3
EPCglobal is leading the development of industry-driven
standards for the Electronic Product Code (EPC) to
support the use of Radio Frequency Identification (RFID) in
todays fast-moving, information rich, trading networks.
[EPC-10]
and functionality of the original parts and doesnt risk
losing the machines warranty.
To expand the described tracking and tracing system
to other technologies, such as CDP, it is only
necessary to encrypt an EPC into the CDP and to
install the readers at selected
identification points. With the
originality marking
technologies, tracking and
tracing are based on the
uniqueness of the marking-
making system integration is
more difficult to realize.
However, in that case,
checking of the originality of a
marking would surely be
possible.
3 Expected results
At the end of the research
project, a functional and
holistic system to fight
counterfeiting of parts and
components in Mechanical
Engineering will be realized.
The system will monitor a
products path along the entire value added chain in
order to detect false parts at least by the point of
installation in the machine. For that reason, a
combination of tracking and tracing-functionalities
and automatic authentication of parts and components
inside the machine holds comprehensive anti-
counterfeiting potential. The system will integrate
several technologies to mark and recognize original
products (RFID, CDP, IR, hologram, etc.) while
leaving the possibility open to add further
technologies at any time.
Further results are the complete procedure to identify
parts to be protected and the suitable marking
technology as well as a catalogue of existing marking
technologies and their characteristics.
References
[1] OECD: The Economic Impact of Counterfeiting
and Piracy. Paris: OECD, 2008
[2] VDMA: Produkt- und Markenpiraterie in der
Investitionsgterindustrie 2008. Frankfurt/Main:
VDMA, 2008; www.vdma.org, 09.02.2010
73
[3] Wildemann, H.; Ann, C.; Broy, M.; Gnthner,
W.A.; Lindemann, U.: Plagiatschutz
Handlungsspielrume der produzierenden
Industrie gegen Produktpiraterie. Munich: TCW,
2007
[4] International Chamber of Commerce (ICC),
Counterfeiting Intelligence Bureau: Anti-
counterfeiting technology A guide to
Protecting and Authenticating Products and
Documents. Barking: ICC Commercial Crime
Services, 2006
[5] EPCglobal: EPC Information Services (EPCIS)
Version 1.0.1 Specification. Brussels:
EPCglobal, 2007
[6] EPCglobal: EPCglobal Tag Data Standard
Version 1.4. Brussels: EPCglobal, 2008
[7] ISO/IEC FDIS 15963: Information technology
Radio frequency identification for item
management Unique identification for RF tags.
Geneva: ISO/IEC, 2009

74
Developing an understanding of Supply Chain Security Manage-
ment
Irene Sudy, Hamburg University of Technology, Germany
Thorsten Blecker, Hamburg University of Technology, Germany
Abstract
This paper aims to highlight differences in ongoing and completed security research projects at the department of
Business Logistics and General Management at the Hamburg University of Technology (TUHH). The projects
presented show different approaches that can be used for addressing security threats in supply chains and help to
gain new insights into the understanding of Supply Chain Security Management (SCSM). The projects focus on
different aspects of Supply Chain Security (SCS). They address e.g. different security threats, different modes of
transport and make use of different methodologies. In all projects, the needs of different stakeholders of the sup-
ply chain are taken into account to make sure that the suggested approaches reflect business practice. In this way,
feasible approaches for SCSM can be provided.

1 Introduction
Security threats that can occur in supply chains are
multilayered and include theft, smuggling, counter-
feiting, piracy and terrorism. These threats negatively
impact the performance of supply chains and lead to
delays and disruptions of cargo flows. As world trade
nowadays is highly integrated and depends heavily on
reliable and efficient supply chains, the importance of
securing supply chains has become more important.
Supply Chain Security Management (SCSM) is the
management of security threats in supply chains with
the aim to increase its resilience. As SCSM constitutes
a recent research area, the number of scientific litera-
ture dealing with this topic is limited and many re-
search gaps exist [1]. Therefore, research in Supply
Chain Security (SCS) is necessary to provide e.g.
knowledge, tools, methods and strategies for the im-
provement of security in supply chains. Equally im-
portant is the development of an understanding of
SCSM.

In this paper, ongoing and completed research pro-
jects in SCS at the Department of Business Logistics
and General Management at the Hamburg University
of Technology are described. In the projects, different
security issues are emphasized and different ap-
proaches are applied for addressing security threats in
supply chains.

The paper will be structured as follows: First, aim,
definition and scope of SCSM are discussed, followed
by a description of security threats that can occur in
supply chains. Second, the projects are presented by
highlighting different aspects, e.g. security threats,
mode of transport, type of cargo and showing the aim
of each project and the methodology used. Also pre-
liminary results achieved will be shown in greater de-
tail. This contributes to the development of an under-
standing of the concept of Supply Chain Security
Management. Third, some conclusions are given.

2 Supply Chain Security Man-
agement (SCSM)
2.1 Aim, definition and scope of SCSM
Although SCSM is considered important, a lack of a
generally accepted definition of SCSM can be noticed
in literature [1] and SCSM is characterized from
many different views. While some contributions de-
rive from the risk management perspective, others
emphasize on vulnerability and resilience.

Prior to 2001, SCSM was mainly limited to the reduc-
tion of theft and smuggling, representing two types of
possible security threats that can occur in supply
chains [2]. After 9/11 it was realized that the scope of
security management has to be expanded by the threat
of terrorist attacks [2] [3] and since then, increased
attention has been paid to the research area of SCSM.

According to various contributions in literature, sup-
ply chain risks can be divided into different catego-
ries. An overview of various approaches to categorize
risk and risk types is given e.g. in Olson and Wu 2010
[6]. Various supply chain risk sources can cause dis-
ruptions in supply chains [4]. Supply chain risk
75
sources can be defined as variables which cannot be
predicted with certainty and from which disruptions
can emerge [4].

According to the focus of this paper, the following
risk categorization is applied: Disruptions can be the
result of either intentional events (e.g. terrorist activi-
ties, theft and organized crime or smuggling) or unin-
tentional events, i.e. natural disasters or disruptions
caused by accidental human behaviour [3] [4] [7].
SCSM therefore deals with (possible) disruptions of
flows between organizations resulting from inten-
tional incidents representing all malicious acts. This
view on SCSM excludes unintentional events and
natural disasters.

The aim of SCSM is to build a secure supply chain
that is resilient to possible and intentionally caused
disruptions of flows between organizations [8]. As
supply chains are only as strong as its weakest link,
and one failure can cause the whole supply chain to
fail, the vulnerability to disruptions has to be de-
creased along the whole supply chain [8].

Supply chain security management can therefore be
defined as the application of policies, procedures, and
technologies with the goal to increase security and to
protect the supply chain against disruptions caused by
intentional incidents and foster resilience of the sup-
ply chains [8] [9]. This definition involves efforts to
protect the supply chain against products leaving (i.e.
theft) and/or entering (i.e. smuggling) without the
permission of authorized stakeholders [1].

2.2 Why SCSM?
The events of 9/11 and the resulting reaction from
concerned governments changed the security percep-
tion and placed an emphasis on securing supply
chains. A variety of unilateral und multilateral secu-
rity measures and regulations as well as other initia-
tives have been developed or are under consideration
on a worldwide basis [10] [11] [12]. This framework
poses a challenge on all involved supply chain stake-
holders to comply with relevant regulations, despite
in practice the compliance with security rules differs
according to the region and type of stakeholder.

Because of the importance of logistics in the global
economy, reliable and sustainable goods and informa-
tion flows are vital. Supply chains and security are
two complex topics that have to be brought together
and practicable solutions for the stakeholders have to
be elaborated. By focusing on security and efficiency
at the same time, stakeholders can strengthen their
position in the supply chains and the supply chains
themselves.
3 SCSM projects
3.1 SefLog
SefLog, a project supported by the German Federal
Ministry of Education and Research in the frame-
work of the civil security research of the German
Government, calls for a close cooperation between
politics, authorities and companies. The project con-
sortium comprises freight forwarding companies,
technology providers, research institutions and uni-
versities.

The main objective of this project is the creation of a
comprehensive concept of security throughout the
supply chain. The main focus lies on containerized
transports, but independently from mode of transport
used. In this way, multimodal transport chains can be
considered. Security risks under consideration are ter-
ror attacks and other criminal activities like theft and
smuggling. To achieve the goals of the project, vari-
ous analysis tools and methods, e.g. process models,
evaluation and assessment methods, cost-benefit-
analysis, scenario technique and interviews, are ap-
plied.

In a first step, the processes of transport chains are
analyzed in close cooperation with all stakeholders by
means of personal interviews to reveal critical points
and security gaps along the transport chain. These
critical points divided into technical, organizational
and personal risks will be assessed to classify the
transport chains according to their security condition.
For the transport chains which are considered being
unsecure, measures to prevent or minimize risks are
developed and described my means of scenario tech-
nique.

Another important aspect in this project is the design
and refinement of interrelationships between different
stakeholders of the transport chain. Whereas politics
define the goals and control their adherence, authori-
ties supervise the execution and companies have to
adjust their processes according to the security re-
quirements. Relationships and interrelationships are
illustrated in different scenarios showing the interac-
tions between stakeholders of supply chains. An esca-
lation model is created showing responsibilities and
hierarchies which range from standard to critical
situations. This leads to efficient and well-structured
actions of the involved stakeholders and avoids prob-
lems and failures in the communication flows.

Technologies that support the identification and detec-
tion are demonstrated in the SefLog project. Finally, a
handbook is developed which assembles the main re-
sults and serves as best practice for supply chain secu-
rity for all stakeholders of supply chains.

76
Following this approach, SefLog contributes to the
improvement and further development of supply
chain security through creating an overall solution by
taking the requirements of companies, politics and
authorities into consideration and by placing an em-
phasis on the management of relationships and inter-
relationships between the supply chain partners. The
negative effects of security measures should be mini-
mized by strengthening corporate responsibilities and
avoiding cost-expensive technological and organiza-
tional solutions.
3.2 PiraT
The acronym of the project PiraT stands for Piracy
and Maritime Terrorism as a Challenge for Maritime
Trade Security: Indicators, Perceptions and Options
for Action and aims to increase the security of global
maritime trade. It is a joint research project financed
by the German Federal Ministry of Education and Re-
search. As the project follows a strong interdiscipli-
nary approach, the project partners cover a multitude
of disciplines, e.g. engineering, law, economics, peace
research and security policy as well as future research.
To meet the expectations and requirements of the af-
fected actors, associated partners such as interest
groups and associations representing e.g. ship owners
and insurance companies are involved. The project
provides a forum for politics, business and academia
for the exchange of views and sharing of knowledge
on maritime trade security.

As the threats of piracy and terrorism endanger global
trade flows, these threats are investigated in the pro-
ject. Since Germany heavily relies on well function-
ing sea routes because of high export and import vol-
umes via sea, the results of the project are particularly
interesting for the German economy and society.

The overall goal of the project is to elaborate non-
military measures to increase maritime trade security
and to develop a comprehensive concept for maritime
security. To achieve this goal, political, technological,
legal and economic perspectives have to be consid-
ered. For this, the achievement of a common under-
standing of the complexity of maritime security and
its impact on society and economy from different
viewpoints is essential; that is enabled by the multi-
disciplinarity of the project.

The project consortium works on interconnected tasks
that base on each other. In a first step, the insecurity
situation is objectified via the interdisciplinary ap-
proach of analyzing the economic, the security policy,
the safety-related, the legal as well as the strategic fu-
ture related situation. In a next step, the subjective
perceptions of insecurity are identified from economic
and state actors. Then, non-military courses of action
aimed at protecting maritime trade against piracy and
terrorism are developed. The results are presented and
discussed in workshops, conferences and publications.
3.3 IMCOSEC
The acronym IMCOSEC stands for IMprove the
supply chain for COntainer transport and integrated
SECurity simultaneously and is a project with a one
year duration supported by the European Commission
within the 7
th
Framework Program (FP 7). The IM-
COSEC project consortium includes international as-
sociations, security consultants and research institu-
tions, experts from the maritime and inland/combined
transport, as well as a container security platform op-
erator.

The main objective of IMCOSEC is to determine a
strategic roadmap for a large scale demonstration on
the security of supply chains. The project was com-
pleted successfully at the beginning of the year 2011
by presenting the Roadmap which is based on in-
depth results elaborated during the project phase.

The roadmap should provide an approach which con-
siders the needs of all stakeholders of the supply chain
to minimise the impact of security related actions on
cost and time for commercial operators and compa-
nies. The aim of the proposed approach is to create a
win-win solution between industry and public stake-
holders whereby the level of security is at an optimum
level balancing effectiveness with practicality within
the regulatory framework. Thus, IMCOSEC was not
aiming at introducing as much security as possible,
but as much as needed, practicable and acceptable.

IMCOSEC was guided by the following approach:

Identification and categorization of security
regulations, standards and trends.
Identification and assembly of security projects,
technologies and industry needs.
Identification of security gaps based on a generic
process model for supply chains using a resil-
ience matrix approach and threat trees.
Elaboration of target processes for minimizing
identified gaps.
Provision of a roadmap for demonstration activi-
ties where target processes and supporting tech-
nologies can establish efficiency, effectiveness
and acceptance.

Acceptance by the industry and public authorities was
one of the most important issues regarding the road-
map. Therefore, all the above steps were discussed
and validated by the projects Advisory Board and by
participants of various workshops involving addi-
tional stakeholders from private and public end-users.
77
The basic vision of the strategic roadmap developed
and agreed in IMCOSEC is that by focusing on
threats for security of business processes, not only the
supply chain security, but also civil security is in-
creased simultaneously. The security of business
processes implies the provision of flexible, harmless,
cost-effective and reliable flows. SCSM supports the
aim to show that by increasing the security of busi-
ness, civil security is increased too. Therefore, further
research and demonstration projects should develop
and provide transport mode, cargo type, technology,
and stakeholder independent solutions in considera-
tion of important trade lanes. The projects should be
international with all supply chain stakeholders par-
ticipating, including consignors and consignees, and
partners from other economies. Approaches should be
reasonable and practicable and suitable for all stake-
holders ranging from global players to SMEs. As a lot
of technologies already exist, new projects should fo-
cus on the application of existing technologies and
other measures and processes. Overall, evaluation and
in-depth cost-benefit analysis of demonstrated meas-
ures are necessary.
4 Conclusion and outlook
In order to manage SCS efficiently, further research
has to be done to develop appropriate approaches,
methods and technologies that help to increase SCS
without impairing the efficiency.

The three projects presented above contribute to this
goal by emphasizing simultaneously on security and
efficiency.

Further research should be interdisciplinary to con-
sider all perspectives from all supply chain stake-
holders. Strong collaboration between different stake-
holders, especially between public and private actors
is absolutely necessary and serves as prerequisite for
the advancement of an internationally co-ordinated
security approach. This supports the process of mutu-
ally recognizing and harmonising security regulations
on an international level.

In future projects, the simultaneous emphasis on both
security and efficiency has to be furthered to foster
the application of security management approaches in
companies and to allow cost-benefit-analysis of secu-
rity measures.

References
[1] Williams, Z.; Lueg, J.E.; Le May S.A.: Supply
chain security: an overview and research
agenda, International Journal of Logistics Man-
agement, Vol. 19, No. 2, pp. 254-281, 2008
[2] Thibault, M.; Brooks, M.R.; Button, K.J.: The
Response of the U.S. Maritime Industry to the
New Container Security Initiatives, Transporta-
tion Journal, Vol. 45, No. 1, pp. 5-15, 2006
[3] Voss, M.D; Whipple, J.M.; Closs, D.J.: The
Role of Strategic Security: Internal and External
Security Measures with Security Performance
Implications, Transportation Journal, Vol. 48,
No. 2, pp. 5-23, 2009
[4] Jttner, U.: Supply chain risk management,
International Journal of Logistics Management,
Vol. 16, No. 1, pp. 120-141, 2005
[5] Ponomarov, S.Y.; Holcomb, M.C.: Understand-
ing the concept of supply chain resilience, In-
ternational Journal of Logistics Management,
Vol. 20, No. 1, pp. 124-143, 2009
[6] Olson, D.L.; Wu, D.D.: A review of enterprise
risk management in supply chain, Kybernetes,
Vol. 39, No. 5, pp. 694-706, 2010
[7] Mitroff, I.I.; Alpaslan, M.C.: Preparing for
Evil, Harvard Business Review, Vol. 81, No. 4,
pp. 109-115, 2003
[8] Rice, J.B.; Caniato, F.: Building a secure and
resilient supply network, Supply Chain Man-
agement Review, Vol. 7, No. 5, pp. 22-30, 2003
[9] Closs, D.J.; McGarrell E.F.: Enhancing Security
Throughout the Supply Chain, Special Report
Series, IBM Center for the Business of Govern-
ment, 2004.
[10] Sheffi, Y.: Supply Chain Management under the
Threat of International Terrorism, International
Journal of Logistics Management, Vol. 12, No.
2, pp. 1-11, 2001.
[11] Donner, M.; Kruk, C.: Supply chain security
guide, The International Bank for Reconstruc-
tion and Development/The World Bank, Wash-
ington, 2009.
[12] Daschkovska, K.; Sudy, I.; Engler, M; Blecker,
T.: The Impact of Security Regulations on the
Processes and the Design of International Con-
tainer Supply Chains, GIC-Prodesc German-
Italian Conference on the Interdependencies be-
tween New Product Development and Supply
Chain Management, Conference proceedings,
2010.

78
100% Container Scanning: Impact on efficiency and costs of con-
tainer terminal operation
Frank Arendt, Institute of Shipping Economics and Logistics, Germany
Susanne Ficke, Institute of Shipping Economics and Logistics, Germany
Matthias Dreyer, Institute of Shipping Economics and Logistics, Germany
Abstract
Due to the increased global threat of terrorism and organized crime on the one hand, and the strong growth in
world trade of goods on the other hand, the demand for security solutions in the supply chain has grown consid-
erably. Terrorist attacks using radioactive substances in a freight container would have a severe impact on the
global logistics chain. An explosion or the widespread release of highly toxic substances would have devastating
consequences. Such attacks must therefore be avoided just as effectively as the smuggling of dangerous sub-
stances and goods or weapons. It is also important to ensure that significantly enhanced inspections should not
lead to new uncertainties or new security risks inside port terminals. The paper reports on the first findings of the
German R&D project ECSIT on process analysis and simulation.

1 Project background
Started in September 2010, the objective of the R&D
project ECSIT (Erhhung der Containersicherheit
durch berhrungslose Inspektion im Hafen-Terminal
Increase of container security by applying contact-
less inspections in port terminals) is the development
of solutions to avoid the export of containerized ra-
dioactive or illegal goods. ECSIT is funded by the
German Ministry for Education and Research
(BMBF) and coordinated by the Institute of Shipping
Economics and Logistics (ISL) in Bremerhaven. With
an active involvement of ten partners from industry
and research, ECSIT aims to raise the civil security by
hindering terrorist attacks and criminal actions. One
of the triggers is the H.R.1 law also called 100%
Scanning Rule - of the US from July 2010 request-
ing that all export containers to the US have to be X-
rayed and checked on nuclear substances in the port
of loading. The full implementation of this law re-
quires a substantial increase of the resources needed
in ports and cannot be applied with current technolo-
gies without risking to create a bottleneck in the port
processes. First ECSIT assessments show that in the
future up to 1,500 containers per day have to be
scanned in the container terminals at Bremerhaven
being the #1 US export port of the European Union
with a share of about 25% and thus the pilot port of
ECSIT.
In the project, security risks and requirements of the
involved parties are explicitly analyzed. The imple-
mentation of technologies to identify cargoes with
hazardous materials and the development of fast im-
aging methods for scanning containers form technical
challenges of ECSIT. The integration of these tech-
nologies into the process chain is necessary, otherwise
ongoing operations and port security will be affected.
Additionally, the inspection components have to be
integrated into existing alarm and security systems
and related information sources. Based on its impor-
tance in US trade, the Bremerhaven container termi-
nals will be used as a show case for the integration of
the developed components. Accompanying cost-
benefit analyses and a study of legal and policy
frameworks are carried out. Objective is the devel-
opment of an overall concept that can be transferred
to other container terminals worldwide.
Through this multidisciplinary approach ECSIT will
provide an important contribution to securing supply
chains against container security threats and threats
for the general public. By including relevant parties as
consortium members, an advisory board and a user
group, the basis for acceptance, usability, standardiza-
tion and dissemination of results is established in the
course of the research project.
2 Analysis of current processes
Before integrating new technologies into the existing
chain, all relevant current processes must be identified
and analysed. The result is a detailed documentation
of all processes on the terminal as well as export rele-
vant processes regarding the hinterland traffic for all
modes of transport (truck, rail, inland waterway) to-
gether with the parties involved.
79
Figure 1 Current processes
Flow charts were developed for all cases which can
be used to integrate the required additional processes
to ensure container innocuousness.
In a second step, the interfaces on the container flows
between terminal quay side and hinterland traffic in-
cluding the current volumes were identified.
Figure 2 Interfaces
With this approach, key data have been generated
which are used for the validation of the simulation
model to ensure that the simulation results (by check-
ing the integrated new processes) are applicable to
reality.
3 Development of future proc-
esses and required technolo-
gies
The current processes regarding US bound export
containers are serving as the basis for the future proc-
ess development. Strategies for a preferably optimum
integration of the needed detection technologies and
checking activities will be prepared. It must be veri-
fied, if checking processes outside the terminal area
are practicable for an equalization of the prospec-
tively increased terminal activities. Not only practical
aspects are regarded, but also legal ones. In addition,
new processes which take effect in case of alerts have
to be identified.
Figure 3 Combinations for technology integration
Processes for container security risk detection cannot
be integrated into the terminals daily routine without
effort. The terminal business is a highly complex sys-
tem being well optimised. All processes today are
very time-critical and must not be stressed unneces-
sarily in addition.
The container security check underlies pre-defined
formalities, which are applicable independently from
the mode of transport. This chapter reflects the actual
discussion on the checking processes.
3.1 Pre-check
Any container that has been announced to the termi-
nal before its arrival is checked on the basis of its
transport documents. Containers not destined for the
US can be placed into stock without further inspec-
tion and can then wait for their loading.
The containers with US destination must run through
a container security check for risk identification, oth-
erwise they will not be loaded onto the ocean vessel
since there will be no import permission from the US
side.
3.2 Container security check
The container security check is subject to formalities
which are specified in the US H.R.1 rule. Today only
the customs inspect containers (mainly imports) pri-
marily by performing a risk analysis based on the
manifest data which have to be reported electroni-
80
cally. The classical process contains three levels de-
pending if any suspicion has been detected: data
analysis (screening) X-raying (scanning) man-
ual check. Manual checks are very time-consuming
and costly. Since the number of container inspections
will increase tremendously if the US H.R.-1 rule be-
comes operative, high speed contactless inspection
technologies are necessary to decrease the number of
manual inspections.
One ECSIT approach is to declare containers as se-
cure for export after the so-called basic scan has
been performed. Only suspicious containers must then
be further handled.
3.2.1 Basic scan
The basic scan is stipulated for any export container
to the US and consists of two separate procedures. On
the one hand a 2-D X-ray image of the container con-
tent is captured, saved and evaluated and on the other
hand it is checked if the container is emitting radioac-
tive rays and to locate if there is an unbalanced con-
centration of rays in the container. If the 2-D image or
ray detection gives cause for suspicion on illegal
goods like weapons or radioactive substances that is
not declared on its transport documents, the container
will not be released for export.
In that case the container must be thoroughly in-
spected. Three kinds of further steps are possible:
Nuclide identification
3-D X-ray
Manual inspection
Unsuspicious containers will be declared as secure
and no further inspection is necessary.
3.2.2 Nuclide identification
In case of radioactive rays which are not allegeable by
means of the transport papers (e.g. bananas transmit
homogenous rays) a nuclide identification will be per-
formed. This inspection is more expensive than the
rays detection and takes more time. With this check
the type of radioactivity of the material can be exactly
determined, e.g. if the radiation is of natural origin or
not.
If the inspection result is still suspicious, a manual
check as the last step will be performed. Also here,
further actions in order to ensure the port security
may be triggered.
3.2.3 3-D X-ray
During the ECSIT project one of the participating
partners is developing a 3-D X-ray scanner for a de-
tailed container inspection without the need of open-
ing the container. This scanner delivers a 3-D image
of the suspicious section of the container content. A 3-
D X-ray image will only be created if the 2-D image
gives cause of suspicion. Only in case of a further
suspect the container must be opened and checked
manually. Depending on the assessment of the ur-
gency of the threat further actions in order to ensure
the port security may be triggered.
3.2.4 Manual inspection
If all previously described methods do not lead to the
release of the container, a manual inspection is neces-
sary. This means breaking the container seal and
opening the container. The inspection of the container
content and comparison with the loading papers may
take hours, may be performed only by specialised
staff (e.g. with ray protection suits) and several legal
and operational formalities must be regarded. If the
suspect can be disproved, the container must be re-
packed, re-sealed and stocked. Possibly that container
had missed its ocean vessel in the meantime.
But not only containers which are suspicious have to
be inspected manually: there are containers whose
content is not allowed to be scanned with X-rays be-
cause of their sensitivity (e.g. footage or animals) or
oversized containers which cannot be handled by the
scanning device. These containers are only controlled
for nuclear rays and possibly opened for a manual in-
spection.
3.2.5 Port security
In all cases of security alerts regarding radioactive
substances or illegal goods the container is suspended
from export and further steps for hazard control are
initiated. The container may be quarantined according
to the safety and security rules of the port.
3.3 Open issues
Besides the process design, the who issue is still
under investigation, e.g. who is responsible for
installing the equipment
performing the scans and
analyzing the scanning results.
Various legal regulations may lead to a recommenda-
tion that these three tasks maybe performed by dif-
ferent institutions.
4 Simulation and cost analysis
Based on forecasts of the number of containers to be
scanned and checked on radioactive rays, various sce-
narios including the modelling of future scanning
processes and their integration into the existing proc-
esses are developed in ECSIT. Parameter examples
are the amount and location of the scanning equip-
81
ment, the throughput per hour, the average and maxi-
mum number of containers per hour etc. Furthermore,
activities have to be defined, which take effect after
detecting a suspicious container. In close collabora-
tion with terminal operators and further associated
partners (such as harbour master, fire brigade, water
police, custom) the project team looks for an optimal
integration of the required detection equipment serv-
ing the economic and security requirements. A poten-
tial security service beyond terminal or port area will
also be analysed, for which the legal restrictions have
to be checked carefully. Each expedient scenario is
analysed in detail using simulation technology.
For this purpose, ISLs worldwide applied simulation
model SCUSY (Simulation of Container Unit Han-
dling Systems) will be enhanced by integrating the
new scanning and detection processes.
Figure 4 Strategy development for simulation
The simulation runs will show the effects of the addi-
tional processes in the future terminal operation (e.g.
duration of vessel operation, waiting time and utiliza-
tion of terminal devices etc.) as well as the related
costs. The simulation results will be discussed and
validated with the industry partners and authorities.
This task is still ongoing; results will be presented at
the conference.
5 The ECSIT team
Ten partners from industry and research form the
ECSIT team. The project is coordinated by the ISL
and attended by further associated partners as advi-
sory board.
82
SECURITY2People Features of and experience with the first
demonstrator of an integrated disaster management system
Lars Tufte, PRO DV AG, Hauert 6, 44227 Dortmund, Germany
Ellen Gers, Federal Office of Civil Protection and Disaster Assistance (BBK), 53127 Bonn, Germany
Peter Meyer zu Drewer, CAE Elektronik GmbH, 52220 Stolberg, Germany
Stefan Mllmann, Karlsruhe Institute of Technology, TMB, 76128 Karlsruhe, Germany
Wolfgang Raskob, Karlsruhe Institute of Technology, IKET, 76344 Eggenstein-Leopoldshafen, Germany
Kathrin Strk, Dialogik, 70176 Stuttgart, Germany
Abstract
The project SECURITY2People (Secure IT-Based Disaster Management System to Protect and Rescue People)
that is part of the German Security Research initiative, aims at exploring the needs for and the structure of an in-
tegrated disaster management system. This system should be applicable for all types of emergencies and at all
levels of disaster management from the local to the Federal Government. Following a first system design, the
question to be addressed in the second half of the project is mainly related to the functionality of the demonstra-
tor. To this purpose a first demonstrator has been completed and presented to the potential end users for com-
ment. Based on the feedback, the demonstrator will be further developed to reach a final status at the end of the
project in about one years time.

1 Introduction
The project SECURITY2People (Secure IT-Based
Disaster Management System to Protect and Rescue
People) is part of the German Security Research ini-
tiative and aims at exploring the needs for and the
structure of an integrated disaster management system
with simulation, decision support and interoperability
as key elements [1]. It will be applicable for all types
of emergencies and at all levels of disaster manage-
ment. Operators of critical infrastructures and organi-
sations dealing with security issues are also seen as
potential users of that system. Furthermore the project
strives for integration of emergency planning, training
and mission support.

The project follows an iterative approach: Require-
ments will be identified in co-operation with disaster
managers, followed by design and creation of a re-
spective demonstrator system. Within each iteration
the demonstrator is validated together with end users
to verify the approach.

At the end of 2010 the first SECURITY2People dem-
onstrator was finalized and presented to a group of
experts from different organisations (so-called asso-
ciated partners). Members of this group are execu-
tives from police, fire brigade, rescue services, critical
infrastructures and public administrations. The chosen
disaster scenario was based on a release of toxic gases
out of a chemical factory requiring decisions about
evacuation, sheltering and further environmental or
economic consequences. The aim of the first demon-
strator was to get direct feedback from the experts for
the further refinement of the system.
2 The Demonstrator
An open source portal was used as technological plat-
form to implement the demonstrator, which combines
simulation, decision support and common operational
picture (COP) components. The COP components
support most of the common geo standards and pro-
vide a set of tools for data creation and integration. In
the demonstrator they are used, for instance, for the
cartographic display of the simulation results (e.g. the
movements of rescue forces).

The figure 1 depicts the general setup of the first
demonstrator which combines two out of three main
use cases of SECURITY2People (S2P), namely com-
mand and staff training (CAST) resp. exercising and
mission operation. As basis for the demonstration and
evaluation, an exemplary scenario was implemented
focusing on a large crisis situation in the area of NRW
affecting Cologne and its surroundings. A large scale
frontal zone with high wind speeds and heavy precipi-
tation resulted in many car accidents, a crash of an air
plane at the Cologne Bonn Airport, mass panic at an
exhibition hall and finally a power blackout in the
southern areas of Cologne, which could result in a gas
83
dispersion. In particular the potential release of a pol-
lutant from an industrial area was the focus of a work-
shop presenting the demonstrator to the end users.

Figure 1 Demonstrator layout with the various com-
ponents and the connection to simulations such as
GESI and RODOS

Starting from the bottom of figure 1, resources such as
police and rescue forces but also incidents are pro-
vided by a tailored version of the GESI emergency
management simulation system, a detailed, entity level
simulation system provided by CAE. The data is ei-
ther populated into the S2P database, which holds a
combination of pure SQL and geo-referenced database
schemes, or through other, standardized means such as
geo-referenced RSS-Feeds.

Figure 2 Area affected by the pollutant; darker
colours indicate areas for potential countermea-
sures (picture from the COP component of S2P)

For the gas dispersion, the simulation and decision
support system RODOS was used [2]. RODOS does
simulate the transport of the gaseous substance with a
ten minute time step to allow for a detailed picture of
the ongoing release. Furthermore, RODOS provided
also information on the area for which countermea-
sures might be necessary. Based on reference levels
for the pollutant, areas for sheltering and evacuation
have been derived. Together with the area, also the
number of affected people could be provided to other
components of the S2P system.

All these data simulated resources, incidents and gas
dispersion are merged in the Common Operational
Picture Component in the S2P-portal. The Common
Operational Picture Component in itself again uses
open source software.

The following figure shows a screenshot of the Com-
mon Operational Picture component with resources at
the KoelnMesse in Cologne, Germany. Important to
note here is the capability to display resources as indi-
vidual units or aggregated as in particular on the
higher levels of decision making individual units are
not longer important.

Figure 3 Resources displayed as individual units
close to KoelnMesse (picture from the COP compo-
nent of S2P)

For the main use case mission support, the demon-
strator offers two interacting decision support compo-
nents: The first component is based on key perform-
ance indicators (KPI module), which are used to cal-
culate the time or resources required for relief
measures applied on a current disaster site [3]. The
idea is to provide a calculation methodology using
elementary performance values (e.g. the average speed
of a police car) to extrapolate the duration of the en-
tire measure. This methodology - once defined in a
certain framework - can be applied to any process that
can be split up into smaller parts. The second compo-
nent addresses the strategic decision level in disaster
management. It depicts the impact of the disaster on
key aspects (e.g. human beings, economy and envi-
ronment) on a time line. In addition the component
supports decision making by proposing countermea-

84
sures that might be applicable in that given situation.
These countermeasures and their impact can be simu-
lated and visualized on that time line. If the counter-
measure evacuation is proposed, the KPI module
can be triggered and returns on one hand if that meas-
ure is applicable under the given constraints, on the
other hand whether it is possible to carry out the
measures allocating further resources to that task. In
this way it validates the measure and eliminates those
which are not applicable at all.

Both components share the same data base that con-
tains knowledge on individual events and potential
countermeasures. This is an important feature as in-
vestigations are ongoing to which extend cased based
reasoning (CBR) approaches can be applied [4].
Knowledge databases have an enormous potential
when they will be expanded to CBR systems that con-
tain functionalities providing guidance on counter-
measures based on historic cases or exercise scenar-
ios. A CBR system has the purpose to solve new prob-
lems by adapting solutions that were applied for
previous cases. Even if the cases do not fit exactly,
algorithms can be developed allowing an adaptation of
past knowledge to the current situation.

3 Evaluation of the demonstra-
tor
The demonstrator has been presented to the potential
end users during a two days workshop. Within this
workshop, the S2P system was used as decision mak-
ing support system, embedded into a command and
staff training situation. The decision support provided
by the system was highly appreciated by the end users.
In particular the COP together with the decision sup-
port on the tactical-operational (KPI module) and stra-
tegic (simulation based on knowledge data bases) was
evaluated as extremely valuable in case of an emer-
gency event. It was also commented that the various
levels of decision making should be separated in terms
of information provided (avoiding information over-
flow) and that particular components might be tailored
to the use at these levels. Suggestions were also made
to expand the system to other use cases such as a pan-
demic event.

Also the idea and the presentation of S2P as command
and staff training tool was highly appraised. Through
the integration of a tool which simulates in detail re-
sources such as police and fire brigades in space and
time, but also forecasts various events which can lead
to critical situations, crisis managers and their staff
gain an important insight and understanding of the
evolution of a crisis situation and can be better pre-
pared for the reality.

Communication and information exchange with and to
the public was also discussed during the demonstra-
tion. No question, informing the public at the right
time with the right information is becoming more
and more important. In S2P it is envisioned that the
system will provide help to the crisis managers e.g. in
form of checklists for an optimized and timely com-
munication.

Last but not least another area of comments received
by the end users addressed the coupling of S2P to ex-
isting (simulation) models but also control centre sys-
tems used in emergency management. Here the end
users clearly pronounced that a duplication of work
should be avoided. Therefore, existing simulation
models such as those for environmental contamination
or notification should be connected to S2P.

4 The way forward
Based on the end users comments, in the next iteration
the project will focus on the interoperability of the
system to guarantee the necessary information ex-
change between the organisations involved and to
connect existing systems. The so-called interoperabil-
ity platform will be a combination of tools, technolo-
gies and data models. Hereby, existing or emerging
standards will be preferably selected, however, exten-
sions to these standards are expected as well. After all,
access to external systems is essential for simulation,
decision support and common operational picture
components to provide the most valuable information
at the right time to the stakeholders involved but also
to the public. Apart from the integration of the Ger-
man Emergency Preparedness Information System
deNIS IIplus there is also a need to integrate a control
centre system for the resource management to receive
reliable data for the different components.

Acknowledgment
The project SECURITY2People is funded by the Fed-
eral Ministry of Education and Research (BMBF) un-
der its Research Programme for Civil Security, which
is part of the High-Tech Strategy for Germany.

References
[1] W. Raskob, U. Rickers, D; E. Gers, D; R. Ka-
schow, D; L. Tufte, F. Ulmer, SECURITY
2People, in 5
th
Security Research Conference,
Berlin, September 7
th
9
th
, 2010
[2] Ehrhardt, J. and Weis, A. (eds), (2000), RODOS:
Decision Support System for Off-site Nuclear
Emergency Management in Europe. European
Commission, Brussels, Report EUR 19144
85
[3] S. Mllmann, D. Braun, H. Engelmann, W. Ras-
kob, Key performance indicator based calcula-
tions as a decision support for the tactical level,
in: 8th International Conference on Information
Systems for Crisis Response and Management
ISCRAM 2011, Lisbon, Portugal, May 8-11,
2011
[4] Main, J., Dillon, T., and Shiu, S., (2001) A Tuto-
rial on Case-Based Reasoning In: Pal, S.K., Dil-
lon, T., Yeung, D. (eds.): Soft Computing in Case
Based Reasoning, (Eds.) Sankar K Pal, Tharam
Dillon and Daniel Yeung, Springer (London)
Ltd, 2001, 1-28

86
CROWD MANAGEMENT SIMULATION
CROWD MANAGEMENT IN LARGE INFRASTRUCTURES

Simon Van Der Weij, INCONTROL Simulation Solutions, The Netherlands
Jeroen Steenbakkers, INCONTROL Simulation Solutions, The Netherlands
Holger Pitsch, INCONTROL Simulation Solutions, Germany
Abstract
To ensure safe and comfortable circumstances for visitors in large buildings or urban areas, simulation is in-
creasingly applied as evaluation tool. The increase is a result of both a growth in capabilities of the simulation
tools and a fast growing recognition of the importance of crowd management and evacuation studies, based on
tragic accidents in the last decades. With simulation, large-scale infrastructures can be studied under normal
conditions to determine the quality of the daily transfer, but even more important is to determine the perform-
ance in alternative situations or during evacuations. In this paper the use of discrete event simulation for these
purposes is demonstrated based on a case for the public transport terminal in Utrecht. The terminal will be com-
pletely renovated in the coming years, which results in continuous changing situations for travellers. This may
however never cause compromises in safety and only as little as possible loss of quality of the service offered to
the public. Based on the simulation results decisions are supported and some of the reconstruction phases have
been modified to prevent the determined bottlenecks. The simulation trajectory itself has resulted into new re-
search about modelling pedestrian flows.
1 BACKGROUND
Recently a 20 years lasting reconstruction of a large
part of the city centre of Utrecht, located in the mid-
dle of the Netherlands, has started. Due to the growth
of the city and the undesirable current state, this so-
called Station Area needs expansion of facilities and a
thorough facelift to render it a safer and more pleasant
place to work, stay and live in. The goal is to realize a
new city centre for Utrecht by unifying the new Sta-
tion Area and the old city.
An important element of the new Station Area con-
cerns the renewal of the complete public transport
terminal. This terminal will not only cover all train
platforms, including the High-speed Train tracks, but
it comprises also two separate bus stations, a tram
platform, taxi lanes and a large transfer area. Adjacent
to the terminal building large new office towers, a
shopping mall and leisure centres are erected and sev-
eral multilevel bike storage buildings will be devel-
oped to accommodate about 23.000 bikes.
All together it is expected that in the year 2025 over
100 million people per year will use this terminal as
their travel origin or destination and daily many thou-
sands will use it as the link between the city districts
as shown in figure 1.
Figure 1 Urban zones and connections framework
(source: City of Utrecht 2003)
2 THE CHALLENGE
Building such a terminal is already a tough labour, but
it is a real challenge to do so while the daily transfer
must go on and many involved parties have to work
in and around the terminal. During each of the nu-
merous stages in the building process it is required
that different sections of the existing terminal have to
87
be taken out of use to create new construction areas
and to assure safe transfer areas. Obviously this will
disturb the pedestrian flows, as pedestrians have to
deal with new and restricted situations frequently.

The public rail company carries the responsibility for
both accessibility, safety and convenience in the ter-
minal, but this interest is shared with other involved
organizations and authorities, including the Dutch
railways, the city of Utrecht and the building contrac-
tors. The municipal fire brigade, which demands that
the terminal can be evacuated within certain time lev-
els under all circumstances and that it does not affect
the safety in the vicinity, plays another vital role.
Without approval from the fire brigade construction
work in the terminal will not be authorized.

Therefore these joint parties have to propose and
evaluate possible measures to solve pedestrian flow
disturbances and keep evacuation procedures valid
during these construction phases. An appropriate in-
strument to test operational situations, to evaluate
measures and their effectiveness and to present it all
visually is pedestrian simulation.

The pedestrian simulation models will not only be
used to convince decision makers about the need for
certain measures by presenting performance indica-
tors. Another important value is that the visualisation
of situations and results can demonstrate the situa-
tions that occur and improve communication. The
same visualisations can however also be used to dem-
onstrate the effectiveness of certain measures, even
when they are just a simple 2D representation.

3. PEDESTRIAN SIMULA-
TION
Pedestrians moving through busy environments, like
for example a public transfer terminal, experience
constraints during their transfer. The effect of the con-
straints is that they have to adapt their walking
speeds, especially when they have to deal with large
crowds and opposing flows, they experience waiting
times, may choose other routes or even change a des-
tination. So the required transfer times will fluctuate
and so does the quality of transfer.
Pedestrian dynamics research focuses on the question
when, why and how people adapt their walking speed
or walking directions. From research over the last
decades it is concluded that many causes exist, rang-
ing from quantitative aspects like densities and flow
directions to more qualitative aspects like type of sur-
face, noise level, colour or smell. And then there are
differences between nationality, gender, and so on.
As the qualitative aspects are hard to model, most re-
search has been performed in the field of quantitative
analysis. Fruin (1971) has extensively described the
relation between walking speeds, flow rates and area
occupancies on walkways and stairs. Although several
researchers have captured a relation between speed
and density, see figure 2 from Daamen (2004), the
concept of Fruin with the accompanying Level of
Service system is still the basis for many pedestrian
research and simulation models, as it offers an intui-
tive way of visualizing and judging a crowd's per-
formance.

Figure 2 An overview of speed-density relations

The speed density relations are the basis for the
mesoscopic simulation approach, in which pedestrians
are modelled as individual object with their own de-
sired speed, behaviour and routing. The pedestrians
use networks, composed by nodes and walking paths,
to reach their next destination, through a pre-defined
route. During each event (or time step) the speed of
individuals can be adjusted based on the densities in
the area they are in. In more advanced mesoscopic
models it is even possible to change the routing when
faster route can be found.

Other simulation approaches are macroscopic simula-
tion and microscopic simulation (Taubck 2005). In
the macroscopic approach the pedestrian movements
is represented as a flow through space. With mathe-
matical models that resemble fluid dynamics models,
the behaviour of the combined behaviour of pedestri-
ans in a group is described.

In the microscopic approach each pedestrian is repre-
sented individually. The individual entities have a
unique behaviour, but unlike the mesoscopic ap-
proach, the mutual behaviour of pedestrians, like col-
lision avoidance, is also taken into account. Two main
groups of microscopic models can be distinguished,
the continuous approach (e.g. social force) or the dis-
crete approach (e.g. cellular automata).

88
A new kind of approach is described in Moussad
(2011). This cognitive science approach is based on
behavioural heuristics, that uses some simple proce-
dures. This method is very promising to be applied in
simulation, but it is still under research.

Microscopic models often use a type of continuous
simulation, in which the environment of pedestrians is
monitored continuously and its behaviour is adapted
instantly. Microscopic research is mainly used for de-
tailed representation of pedestrian behaviour in small
areas. Due to the continuous monitoring of pedestri-
ans and environment, the required computer processor
capacity of these models is very high. For that reason
large-scale microscopic simulation models are still
rare. Another reason is that these detailed models re-
quire very detailed input data and are hard to validate.

Since mesoscopic simulation applications are well
capable of dealing with large numbers of pedestrians
and large scale routing networks, they are very suit-
able for modelling large infrastructures such as a pub-
lic transport terminal, in which several ten thousands
are present at the same time.

For the case presented in this paper the discrete event
simulation tool Enterprise Dynamics PLATO is used,
which is one of the mesoscopic approach tools
3.1 Routing algorithms
The routing of pedestrians in the model is one of the
most important aspects. The foundation for the rout-
ing is a pre-defined activity plan. For passengers in a
terminal there are always mandatory activities that
have to be performed, like buying tickets, passing a
control gate or walking to the platform. Other activi-
ties, like visiting a shop, are voluntary, but can also be
part of the routing. In our approach chances, based on
historical data, are used to assign these voluntary ac-
tivities.
The A* search algorithm is used to determine the op-
timal path between two points in the network, by us-
ing cost values for each path and a heuristic function
that estimates the remaining path length to the goal.
The basic cost function is according to the Dijkstra
algorithm (Dijkstra 1959) which performs shortest
path calculations. However another approach is to use
a cost function in which the density in the areas on
this path is taken into account. With the speed den-
sity-relation as described before, expected travel
times are evaluated to determine the fastest path.
For the routing from current position to the next des-
tination the algorithm is evaluated each time a person
enters a new node in the network. In that way we al-
low re-planning of the route. That can even lead to
selecting new destinations, in case the person can
choose from several equivalent activities (eg. several
ticket machines or ticket control gates).
Special routing scenarios have to be used for model-
ling specific scenarios like evacuation and a calamity.
During a terminal evacuation all passengers in the
terminal have to walk to an emergency exits. In many
occasions the number of emergency exits differs from
the regular exits which creates other routing options.
Based on expert opinions two different ways of se-
lecting an exit are tested: running to the original en-
trance (a well known location) and taking the closest
exit, based on emergency signs. Both methods can be
used separately or in combination, to evaluate the
evacuation performances.
For a calamity situation, such as a train failure it is
assumed that the passengers in question go to specific
designated sections in the terminal to wait and get in-
formed, while other passengers keep on transferring
as normal.
3.2 Performance indicators
The different construction phases are judged by set-
ting up scenarios in the simulation study. For every
scenario the performances are expressed in many per-
formance indicators. The most important are:

Evacuation time distributions: for all emer-
gency exits the number of evacuees and their
exit time are collected.

Throughput times between origins and desti-
nations:

Waiting time distributions at several re-
stricted facilities: for evaluation of the facili-
ties in the terminal

Flow intensities (throughput per time unit)
on specific screen lines

Densities (occupation of areas) and accom-
panying levels: the main indicator used for
judging the quality and safety of the terminal
under normal circumstances.

In the simulation application used for this case study,
during the simulation time, the values for all of these
indicators are collected and the averages and maxi-
mum are presented in a result overview. These per-
formance indicators are compared to the formulated
levels to evaluate whether the flows are acceptable or
thresholds are crossed on specific locations.

89
4. THE PUBLIC TRANSFER
TERMINAL UTRECHT
CASE
4.1 Study area
The case study concerns the new public transfer ter-
minal of Utrecht, which will have the all under one
roof concept. The platforms for trains, trams and
busses are on the ground floor, the terminal building
itself is one level up. Several stairs, escalators and
elevators give access to the platforms. The terminal
building is the connecting layer for transfer between
modalities. Figure 3 presents a design impression of
the building.

Figure 3 Terminal design (source: ProRail / Benthem
Crouwel architects)

In the study not only the final situation around the
year 2020 is evaluated, but especially the road to-
wards this situation. Between 2010 and 2015 several
building phases with restricted space and flows occur
and each of the phases consists of numerous situa-
tions. For each of the situations a model has been cre-
ated describing the actual situation in that phase in
terms of accessible platforms, stairs, escalators, trans-
fer areas, etc.
These models comprise the complete infrastructure
and pedestrian flows in the train terminal and the arri-
vals from and departures to and from other means of
transport. Elements of the models are:

The terminal hall with all facilities such as
ticket sale, kiosks, shops and the chip card
gates

The passage lane for pedestrians who use the
station for transfer between the eastern and
western district without passing gates.

The tunnels under the platforms leading to
and from the other means of public transport
(tram, bus, taxi) and the city (by bike or foot)
The available platforms for trains, busses and
trams, including their connection to tunnels
and terminal hall through stairs and escala-
tors
The entrances and exits of the pedestrians,
e.g. the eastern and western bus terminal,
tram platform, bike storages and entrances
from/exits to the city districts where people
come from or go to by foot

During each of the construction phases, elements of
the infrastructure, e.g. entrances, tunnel sections or
stairs, will be closed. In order to see the effect of
these works and measures to reduce consequences,
especially during peak pressure, it is necessary to
simulate the terminal in detail. Therefore the models
are scaled representations of the available infrastruc-
ture, including marked building areas.

The terminal model is set up modular to enable link-
ing to other modules. Recently the model is extended
by joining modules for a large bike storage and the
two big forecourts, so that the scope is expanded and
the interaction between different modules in the re-
construction of the Utrecht Station Area can be
shown.
4.2 Data collection
The occupation of every part of the terminal is very
dynamical, then it is very dependent to the peak flows
of travellers. During the day one can off course dis-
tinguish common rush hours in the morning and the
afternoon, but the largest dependency is on the differ-
ent schedules. An arriving train, tram or bus causes
periodic crowds at the platforms, on the escalators, in
the tunnels and halls and in front of chip card gates,
but minutes later all can be calm again.
For the purposes of this study - to determine whether
there is or can be enough transfer capacity to handle
the passengers in an acceptable way - it is enough to
focus on the rush hours in morning and afternoon.
Therefore the required input data is collected for these
periods.
The input comprises:
the timetables for the different means of transport
(train, tram and bus), including the transport ma-
terial and exact halting locations
The expected load per transport (amount of trav-
ellers), based on counts and numbers from fore-
casting tools, all validated by ProRail and the
other stakeholders.
90
Dimensions of all elements in the infrastructure
such as widths of stairs, passages and platforms.
Distribution in use of entrances, exits, origins and
destinations
Use of facilities like ticket machines, shops or
kiosk
Levels for safety and quality that have to be met
The information is collected and linked to each other
in a large database-application. As a result the model
creates the expected about 110.000 pedestrians in a 2
hour peak, which each an origin (entrance, platform),
a creation time, a destination (exit, platform), an ex-
pected route (including activities) and (in case of a
transport) an estimated time of departure. This data is
read by the models and creates the start of all travel-
ling pedestrians.
4.3 Results
To show the results of putting these 110.000 pedestri-
ans in a 2 hour peak in the model is, the status of the
model is monitored continuously. In the animation the
density of every walking area, stairs and escalator is
indicated by colours, each representing a service
level. These densities are also stored in order to be
able to show the progress over time afterwards. For
reporting purposes the maximum density per area dur-
ing simulation time is captured in one picture, as
demonstrated in figure 4.
Besides a viewer is developed to replay the model,
without actually simulating. It can just plays the
logged states for all elements per time interval with-
out requiring simulation software. These images
prove to be very valuable in communicating the re-
sults to involved parties and even the public.
Figure 4 Density Overview

Other results of the model are tables, figures and
graphs of the other performance indicators for every
scenario. These concern the flow counts on screen
lines in the model (in persons per minute), waiting
times in front of each of the faculties, especially the
chip card gates, which are new in the terminal and
number of passengers in each of the terminal seg-
ments.
The travel times between origin and destination are
monitored and displayed, again during the day.
Special attention is given to the performance of the
evacuation scenario, as they are used for gaining per-
mission to carry on building. This means that evacua-
tion time distributions per exit are provided.

4.4 Validation and real life tests
An important stage in a simulation project is the vali-
dation of the model. This is never easy if it concerns a
complete new situation with not exactly known pas-
senger profiles. In that case one has often to fall back
on using available measurements and expert valida-
tion.

In this case however real life tests have been per-
formed recently during some of the building phases.
The results are not only used for validation of the
models, but also to test the predicted results of several
measures against detected potential bottlenecks, such
as moving fencing or introducing crowd control.

In addition, parallel to the simulation, ProRail and the
Dutch railways have started a project to improve the
knowledge of how the terminal is being used by the
passengers. For that reason several monitoring sys-
tems are tested and used, including counting, Blue-
tooth tracking and camera systems with software to
separate individual persons to determine densities,
speeds, directions and staying times. Figure 5 shows a
representation of these images.

The results of this camera system are not only perfect
for validating the model by comparing results, it is
also a huge source of information about the system
input as they provide data for 24 hours per day and
several weeks. For example the differences between
the weekdays appeared to be quite remarkable. The
results tell also a lot about the behaviour of passen-
gers in the terminal. That information is used to fur-
ther improve the model so that future model output
can be even more accurate.

91

Figure 5 Camera density scan

5. CONCLUSION AND OUTLOOK
Simulation and visualization have proved their value
in this project several times and the large numbers of
people were no problem for this mesoscopic model.
The results have not only resulted in taking measure-
ments like changing escalator directions in specific
periods, signing and active crowd management, but it
has also contributed to (minor) changes in the con-
struction phasing. When bottlenecks were detected
the model has been used to determine which measure
is effective or what transfer width is required. The re-
cent real life tests with counting methods and camera
recordings during the first construction phase have
confirmed the predictive value of the model.
The animation and replay functionality have been
used as means of communication and is present to all
stakeholders. As a result the simulation has gained
such a confidence, that no decision in the construction
phasing is done without first evaluating it with the
simulation models.
Another result is that the questions in return are get-
ting more detailed. For some issues the focus is on
such an detailed and isolated segment, that a micro-
scopic approach seems to be necessary. As this micro-
scopic approach is not desired to apply on the com-
plete environment, the future research focuses on a
hybrid approach. A next part of the research is aiming
at increased automation of the model set-up and rout-
ing networks and rerouting algorithms. Ideas as the
indicative routing method as presented by Kara-
mouzas (2009) seem to be fitting as a basis for the
proposed approach.
Finally new visualisation methods for such large envi-
ronments in VR mode are under research. With a po-
tential new standard as CityGML for 3D infrastruc-
ture models and the extensive geometry descriptions
in the building information model (BIM) and its ex-
change standard IFC, several developments are fore-
seen.

References
City of Utrecht (2003). Utrecht station area master
plan, Utrecht.
Daamen,W. (2004). Modelling passenger flows in
public transport facilities. PhD Thesis, Delft Univer-
sity of Technology.
Dijkstra, E. W. (1959). A Note on Two Problems in
Connection with Graphs, Berlin: Numerische Mathe-
matik, Vol. 1, 269-271.
Fruin, J. J. (1971). Pedestrian planning and design,
New York: Metropolitan Association of Urban De-
signers and Environmental Planners.
Karamouzas, I., Geraerts, R. and Overmars, M.H.
(2009). Indicative routes for path planning and crowd
simulation, proceedings of the 4th International Con-
ference on Foundations of Digital Games, 113 -120.
Moussad, M., Helbing, D. and Theraulaz, G. (2011).
How simple rules determine pedestrian behaviour and
crowd disasters, PNAS.
Taubck, S. M and Breitenecker, F. (2005). Spatial
modelling approaches in DEVS Simulation Systems
for Pedestrian Dynamics, Simulation News Europe
SNE Vol. 16, No. 44/45, 17-21.

92
FP7 project ACRIMAS Aftermath Crisis-Management System-
of-systems demonstration
Merle Missoweit, Fraunhofer INT, Germany
Hans-Martin Pastuszka, Fraunhofer INT, Germany
Marcel van Berlo
1
, TNO, The Netherlands
Martin Hamrin
2
, FOI, Sweden
Abstract
Large-scale incidents (man made and natural) inside and outside the EU require a coordinated response from cri-
sis managers and first responders from different agencies across Europe and with resources from all levels of
government. Among others, a common operational picture, well trained and equipped teams, secure communica-
tions, and mission flexibility are core assets for successful crisis management.
Currently, crisis management in the EU can be regarded as a highly diversified and heterogeneous system-of-
systems integrating diverse organisations and components with different cultures, policies and assets, and vari-
ous stakeholders and procurement schemes. This system-of-systems incorporates technology, procedures, or-
ganisational concepts, and human factors. It is the aim of the ACRIMAS project to prepare a large scale Euro-
pean demonstration and experimentation programme within the FP7 Security Theme, facilitating European wide
collaboration, cooperation and communication in crisis management and improving cross-fertilisation between
Member State organisations.
ACRIMAS, a 15 months project with 15 partners from 10 European countries, started in February 2011, and ad-
dresses organisational and legislative frameworks, situational awareness, decision support, logistics, communi-
cations, training and exercises, restoration of services and media involvement, by following a user-centric and
scenario-based approach. It will lead to the validation of shared user needs and the definition of a demonstration
and assessment method with associated metrics to define a continuous process of capability improvements. The
outcomes of ACRIMAS will be the definition and preparation of this method, documented in a roadmap (Phase
I) that will prepare the actual demonstrations and experiments (Phase II).
This paper describes the scope, approach, and envisioned results of the ACRIMAS project.

1
TNO Defence, Safety and Security, Kampweg 5, 3769 ZG Soesterberg, The Netherlands
2
Swedish Defence Research Agency (FOI), Gullfossgatan 6, 164 90 Stockholm, Sweden
1 Introduction
The FP7 security research project ACRIMAS Af-
termath Crisis Management System-of-systems Dem-
onstration Phase I is not a research project as such,
but a so-called Support Action to prepare the actual,
large Demonstration Programme on Aftermath Crisis
Management the Phase II , which will be pub-
lished as a call for proposals in the last work pro-
gramme of the FP7 security research in 2012. As a
Support Action, ACRIMAS will not deliver new re-
search and related results on aftermath crisis man-
agement, but a strategic roadmap setting out the main
areas and relevant topics of crisis management to be
addressed by concrete demonstration and experimen-
tation activities in Phase II, which have to be identi-
fied and sequenced in the roadmap to be delivered. In
addition, ACRIMAS has to deliver a demonstration
concept for Phase II, describing how and where the
demonstration and experimentation activities in Phase
II should be conducted.
Besides these two main deliverables, an important ob-
jective of ACRIMAS is to raise awareness among the
relevant stakeholders in Europe about the upcoming
Demonstration Programme and its preparation by
ACRIMAS. It is the aim of this ACRIMAS contribu-
tion to the Future Security 2011 conference to assure
that the broad stakeholder community present will be
made aware of the opportunities for participation in
the Phase II Demonstration Programme. By doing so,
ACRIMAS also intends to critically discuss and vali-
date its work approach and initial findings so far, and
to incorporate the feed-back of security research com-
munity into its successive work.
93
1.1. Crisis Management current situa-
tion and work approach of ACRI-
MAS
Crisis Management (CM) is a core capability of mod-
ern societies. Managing the return to normal life in
case of major incidents as quickly and swiftly as pos-
sible is paramount for limiting damage, chaos, and
panic. At the same time, CM is a complex multidi-
mensional discipline, incorporating both the manage-
rial aspect of organising the mission and the technical
facilities employed to assist. This mixture becomes
even more intricate as CM evolves along the phases
of a crisis, ranging from pre-incident to post-incident
phases. CM requires the involvement of a wide range
of stakeholders with different responsibilities, back-
grounds, capabilities and perspectives, including civil
protection forces, first responders such as Police, Fire
Fighters, Civil Protection, Health Services, Non-
Governmental Organisations, sometimes even the
military, and the public at large. CM, thus, is a highly
diversified and heterogeneous area with different ap-
proaches developed in terms of CM cultures, used
technologies and available assets in the Member
States (MS) of the European Union (EU).
To add to this picture, the growing globalisation and
interdependence between countries calls for an in-
creased number of cross border or external (outside
Europe) operations. They have an increasing geo-
graphical emprise, with regional or even trans-
national impact, involving a diversity of responding
services, adding complexity to the other challenges
crisis managers and first responders face. The close
collaboration and effective, targeted information shar-
ing between all the actors involved is therefore crucial
if the response to an emerging crisis requires has to be
quick, efficient and decisive. These elements, together
with the resulting necessity to inter-operate in a multi-
national set of multiple organisations including the
affected public generate new challenges for the man-
agement element of CM.
On the technical side, a number of new technologies
has evolved to address the above mentioned chal-
lenges. Above all, these technologies greatly enhance
situational awareness. New sensors allow for a more
accurate detection, identification and classification of
a situation, and information management infrastruc-
tures foster the compilation of a growing amount of
information at command and control level, requiring
new forms of display and interaction. This includes
agreed-upon protocols and integrated mechanisms
and tools that allow in particular for an improved ef-
fectiveness of multinational crisis response and inter-
action. In addition, new field systems allow more ef-
ficient location of the teams and better knowledge of
the missions, making the job of the decision-makers
to task the teams in the field easier.

1.1.1. Current situation of aftermath crisis
management in the EU
The ultimate goal of CM in the EU is to ensure a
timely, co-ordinated and effective response to any
large-scale crisis, man-made or natural, be it caused
by terrorist or criminal means, natural disasters, major
industrial or technical accidents, both inside and out-
side the EU, as recently outlined by ESRIF (European
Security Research and Innovation Forum, 2009). In
the context of this project, a crisis is understood as an:
incident affecting a society with the potential to
cause loss or damage to persons, property or the en-
vironment which requires extraordinary coordination,
resources, and skills in response. Subsequently, CM
relates to a process of planning and implementing
measures aimed at preventing, reducing, responding
and recovery from a crisis (ISO, 2010).
The multi-faceted CM landscape is reflected in poli-
cies, operational procedures, organisations, assets,
budgets and personnel at all levels of the CM Sys-
tem. This highly diversified and complex CM archi-
tecture reflects the EU maxim of National responsi-
bility and European solidarity, based on the subsidi-
ary and proportionality principle. National
sovereignty and responsibility has led to different CM
approaches in the MS, ranging from more centralistic
approaches (e.g. France, Italy, Spain) to fully federal,
subsidiary approaches (e.g. Germany, The Nether-
lands, Scandinavia). CM approaches are further char-
acterised by different degrees of involvement and col-
laboration of civil and military institutions some MS
being much more advanced in the "joint" vision ,
and by individual and specific CM system solutions
that generally exhibit little or no interoperability
across borders.
While the role of the EU predominantly was limited
to facilitate the European solidarity by e.g. co-
ordinating requests for support in catastrophic inci-
dents from MS and outside the EU and the deploy-
ment of available MS assets, recent EU initiatives in
CM respectively with relevance for CM have been
launched to improve the performance of the EU itself
in crisis situations. The main initiatives, covering
partly the internal as well as the external dimension of
EU security, which are to be acknowledged by AC-
RIMAS, so far include:
- The Community Mechanism for Civil Protection:
co-ordination of the deployment of civil protection
units from MS in major disasters via MIC, the Moni-
toring and Information Centre of the EU, run by DG
ECHO, Civil Protection Unit, and facilitated by a set
of supporting tools (CECIS, the Common Emergency
& Information System, the training programme and
the concept of Civil Protection modules),
- The provision of strategic assets like GMES (DG
ENTR) and GALILEO (DG TREN) and ESA (includ-
ing space research), and of CM-related R&D, in par-
94
ticular security research (DG ENTR), ICT (DG IN-
FSO) and policy research (DG RTD),
- ESRIF, the European Security Research and Innova-
tion Forum, which focused in its final report among
other areas on the mid- to long-term research and in-
novation needs in CM in Europe,
- Humanitarian aid, co-ordinated by DG ECHO,
- The Instrument for Stability (IfS), external aid in-
strument for quick response to political crises or natu-
ral disasters in 3
rd
countries (complementary to hu-
manitarian aid), supporting non-proliferation and
countering global threats, co-ordinated by DG
RELEX,
- Civilian & military CM capability development
(implications of the Lisbon Treaty).
In contrast to military operations, the civil crisis man-
agement system-of-systems does not belong to one
entity as civilian operations do not obey to a strict
unique chain of command. Although the coordination
and the tactical command and control are joint, the
various organisations keep their chain of command to
a large extent and use their respective legacy systems.
This situation increases complexity as no central or-
ganisation can impose the same organisational, pro-
cedural and technological choices to everybody. Any
development be it technological, methodological,
procedural or policy-related of CM based on a
blueprint, or even a static vision, will therefore not be
feasible. This is the common understanding of the
ACRIMAS consortium, and as such the baseline for
our work identifying and highlighting those CM areas
and individual topics, which should be addressed by
the Demonstration Programme to allow for a gradual
evolvement of CM policies, procedures and technolo-
gies.
Before illustrating the ACRIMAS work approach,
first the background of the FP7 Security Research
Program will be described.

1.1.2. Programmatic structure of FP7 Secu-
rity Research Program
Figure 1 Research routes to meet the FP7 security
theme objectives

Research in the FP7 security theme consists of several
building blocks, representing three - in some cases
parallel, in others subsequent - routes that contribute
to the overall objectives (European Commission,
2010, see also figure 1).
On the lowest level of the building block structure,
capability projects aim at building up and/or
strengthening security capabilities required in the se-
curity missions of FP7. On the medium level of the
building block structure, integration projects aim at
mission specific combination of individual capabili-
ties providing a security system and demonstrating its
performance. On the top level of the building block
structure, demonstration programmes will carry out
research aiming at large scale integration, validation
and demonstration of new security system-of-systems
going significantly beyond the state of art. They de-
pend upon the compatible, complementary and inter-
operable development of requisite system and tech-
nology building blocks of the integration projects and
capability projects. They intend to promote the appli-
cation of an innovative security solution, which im-
plies a strong involvement of end users, taking into
95
account the relevant legal and society related issues,
and strong links to new standardisation.
Demonstration programmes will be implemented in
two phases: Phase I projects will define the strategic
roadmaps and trigger Europe wide awareness, both
elements involving strategic public and private end
users as well as industry and research. The strategic
roadmaps will take into account relevant completed,
ongoing and planned work and indicate further re-
search needs for Security theme integration projects
and capability projects, but also for other themes of
the FP7 or for the national level.
Phase II projects will then technically implement the

system-of-systems demonstration, taking already into
account steps which have to follow the research, like
certification and/or standardisation (if and as appro-
priate), development of marketable products and pre-
procurement. This will mobilise a significant volume
of resources.
Upcoming EU research & demonstration activities in
the area of CM and so ACRIMAS need to care-
fully take into account and assess the described cur-
rent situation, in order to achieve improved coherence
and transparency in the development of this vital
European capability.

1.1.3. ACRIMAS working approach
The Phase I project ACRIMAS elaborates a system-
atic CM integration process, to be implemented
within a Demonstration Phase II programme (figure
2). The process allows for gradual evolvement of CM
capabilities through demonstration and experimenta-
tion (DE) activities, facilitating Europe wide collabo-
ration, cooperation and communication in CM at dif-
ferent levels of decision making, and respecting the
different CM approaches and ambitions of the EU
MS. This process will improve the transfer of related
knowledge between agencies and states and promot-
ing an environment for co-development of technology
and methodology where users and providers work to-
gether.
ACRIMAS further emphasises community-building
which will be considerably supported by the execu-
tion of the subsequent demonstration programme,
bringing together the various key stakeholders and the
available demonstration and experimentation infra-
structures in a case-by-case demonstration or experi-
mentation activity.

Figure 2: ACRIMAS general concept and vision
ACRIMAS is scenario-based in the sense that charac
teristic CM scenarios will be identified, selected and
developed to constitute a sound basis for ensuring the
work of posing user needs and requirements, finding
solutions and documenting corresponding R&D needs
and demonstrations topics to be integrated in the
roadmap. The scenarios embrace four major different
categories of crises; terrorist attack, natural disaster,
industrial accident, and a specific EU external CM
intervention scenario. The selection of the concrete
scenarios to be developed is driven by the aim to pro-
vide a structured, top-down approach to identify the
most relevant/urgent/critical areas of European CM,
which need to be addressed by the subsequent Demo
Phase II programme.
ACRIMAS is user-driven in the sense that users and
other stakeholders in terms of first responders, au-
thorities and governmental bodies are actively in-
volved throughout the project process, some of them
as full project partners, most of them linked to the
project through a supporting Expert Group. They play
a central part in the identification of relevant CM top-
ics which should be addressed by DE activities in
96
Phase II, and the demonstration concept to be elabo-
rated. The ACRIMAS consortium consists of 15 part
ners from 10 European countries: Fraunhofer (Ger-
many), Crisis Management Initiative (Finland),
NCSR Demokritos (Greece), Netherlands Institute for
Safety (The Netherlands), T-SOFT (Czech Republic),
Swedish Defence Research Agency FOI (Sweden),
Joint Research Centre Institute for the Protection
and Security of the Citizen (Belgium/Italy), Center for
Security Studies KEMEA (Greece), The Nether-
lands Organisation for Applied Scientific Research
TNO (the Netherlands), The Turkish Red Crescent
Society (Turkey), Technologies Sans Frontires (Bel-
gium), United Nations University Institute for Envi-
ronment and Human Security UNU-EHS (Ger-
many), Cassidian (France), SELEX Sistemi Integrati
(Italy), and the Public Safety Communication Forum
Europe PSCE (Belgium).

1.1.4. ACRIMAS demonstration concept
Demonstrations or experiments (DE) provide excel-
lent means to address problems that are inherently
complex, for example in its interaction of technology,
people, and methodology and external factors. As
such, DE are key activities to achieve progress in the
system-of-systems layer of EU-level enterprises.
The given cultural, technical and organisational diver-
sity of CM approaches in Europe, reflecting national
responsibilities, requires the mentioned user-driven,
broader system-of-systems view, focusing on the need
to achieve continuous management of the CM com-
plexity (which most likely can never be solved once
and for all by one solution). The aspired CM demon-
stration concept should allow for addressing the di-
versity of CM approaches in Europe while keeping its
local specificities, and continuously identifying its
weaknesses which need to be addressed by future re-
search and demonstration efforts.
Figure 3: ACRIMAS demonstration concept and
scope of Phase I
The ACRIMAS approach to work will lead to the
definition and preparation of such a systematic CM
integration process (Phase I). In Phase II the method
will be applied on a larger scale in the European CM
community, addressing concrete needs within selected
critical areas, by demonstrating candidates for solu-
tions to the needs, and by gathering and disseminating
the knowledge thereby gained. One outcome of the
Phase II will thereby be an established CM testbed
which shall lead step-by-step to a more harmonised
and coherent development of CM policies, capabili-
ties, procedures and technologies in Europe (figure
3).
ACRIMAS thereby aims at preparing a systematic
and continuous CM integration process, to pave the
way for a continued incremental development of the
CM community in Europe and its capabilities.

97
1.1.5. ACRIMAS Work plan
The ACRIMAS work plan is depicted in Figure 4 be-
low.

Figure 4: ACRIMAS work plan
WP1 - Project management: Deals with the project
management, including technical, financial and ad-
ministrative management.
WP2 - Political and legal framework: Analyses the
political, legal and societal aspects of CM. Together
with WP3, this will provide a basic framework for all
other WPs to consider.
WP3 - Scenario-based missions and tasks analysis:
Analyses the CM process to clearly identify the mis-
sions and tasks relevant for Phase II and to sort out
related commonalities and differences in the MS and
on the EC level. Selected scenarios will be identified
and analysed in terms of likeliness, severity, conse-
quences, cross-border character, multi-nationality,
complexity and type of complexity (technical, human,
legal etc.), thus providing an initial CM mission and
task (user need) analysis to be elaborated on in WP4.
WP4 - Gaps and requirements analysis: Uses the
outcome of WP2 and WP3 to identify and validate the
gaps, shortcoming and discrepancies of current CM
missions, tasks, procedures etc. to be addressed in
Phase II. Collected user needs, expanded from the ini-
tial input from WP3, and requirements will be set and
prioritised to define the main axes and objectives for
Phase II.
WP5 - Approaches and solutions identification:
Dedicated to identifying and analysing potential solu-
tions to the needs and gaps with respect to the the-
matic areas as found in WP4, by particularly taking
into account the results of completed and ongoing EU
projects in the CM domain (FPs 5, 6, 7, and PASR).
By performing a quick scan on these EU projects re-
sults solutions will be identified. Consequently, prom-
ising solutions will be selected based on their rele-
vance to cope with the WP3 scenarios and to solve
the gaps as defined in WP4. Next, there will be an in-
vestigation of the selected technical solutions, consist-
ing of an assessment of maturity, usability in different
crisis situations, upgradeability and interoperability.
The outcome is a list of potential (technical and non-
technical) topics for demonstration & experimentation
in Phase II, and a list of topics that require additional
R&D.
WP6 - Demonstration concept & Roadmap for
Phase II: Uses first the outcome of WP4 and WP5 to
provide a list of prioritised topics where there are
critical development needs that need to be addressed
with experiments and demonstrations. This will be
complemented by an assessment of what other activi-
ties must be performed, such as research and technical
developments. Additionally WP6 will assess what in-
frastructure will be needed for demonstrations within
CM, such as demonstration platforms or mechanisms
to assure the dissemination of demonstration results.
Top-level guidelines on how to perform demonstra-
tions in the area of CM will be developed. Methodol-
ogy for the selection of an optimal portfolio of dem-
onstrations, in contrast to simply viewing them as iso-
lated projects, will be provided, taking into account
their interconnectedness. The ACRIMAS demonstra-
tion concept of a continuous integrative CM process
98
will be prepared, based on the above tasks, together
with the experience from previous WPs and an adap-
tation of available DE methods to the CM context.
WP7 - Awareness raising and dissemination: Gath-
ers all essential activities of awareness rising and dis-
semination. The results of ACRIMAS, although vali-
dated by the users and stakeholders linked to the pro-
ject through their dedicated involvement in three
ACRIMAS workshops and the Final Event, also need
to be known and accepted by the greatest audience
possible as the CM community shall adhere to the ob-
jectives, approach and content of the Phase II.
1.2. Expected results
The mentioned EC initiatives and related efforts,
namely in the European Framework Programmes
(FPs) 5 7, and moreover in the 27 MSs, underline
the importance of an improved CM capability in
Europe. It is the understanding of the ACRIMAS
consortium that it has to support the achievement of a
holistic, comprehensive view on all these diverse and
still fragmented activities in the CM area.
ACRIMAS is going to successively assess these prob-
lem areas in the light of those hot spots which need
to be addressed in the Phase II demo programme. In
this way, a widely shared and accepted development
way forward through a set of identified DE activities
to enhance pan-European capabilities for effective
aftermath CM has to be achieved. This way forward
will encompass the following thematic areas, as so far
identified:
Common organisational and legislative frameworks:
to harmonize existing procedures within organisa-
tional boundaries and provide unified response plan-
ning.
Situation awareness: to gather the information avail-
able and display it in order to provide the end-users
with the most accurate view possible of the incidents,
at tactical, operational, strategic and political level,
whilst taking into account the human aspects of in-
formation processing such as information overload in
a stressed environment.
Decision support: to provide the end-users with ade-
quate (collaborative) tools to support their decision
processes, such as collaborative planning or model-
ling the spread of contamination.
Deployment of resources: to aid decisions taken at
operational, strategic, national and international levels
on the timely and effective deployment of resources
(personnel, equipment, medical centres, decontamina-
tion chain).
Communications: to allow all organisations and
teams to exchange information between themselves
and with media and the public, through reliable and
secure communications networks, using hybrid net-
works combining infrastructure, satellite and mobile
networks while warranting the security of the infor-
mation.
Training tools/methods: to provide common prepara-
tory activities for the involved organisations as a
means of promoting a common response to major in-
cidents, including joint training facilities and ex-
change of experts. This aspect is essential to reach an
optimal level of preparedness.
Systems and procedures for restoration of basic ser-
vices and infrastructures (water supply, energy,
transport, telecoms) including psycho-social support
of first responders and victims (prevent/deal with
psycho-traumatic stress).
Media involvement in crisis situations: to adequately
involve media in the development of crisis situations,
as a means to provide responsible and helpful infor-
mation to the public and minimising undesirable in-
terference. Moreover the media and public may serve
as valuable information sources, in effect additional
sensors, for managing the crisis.
1.3. Discussion
The ultimate aim of the ACRIMAS project is to fi-
nally contributing to an improved operational effec-
tiveness of CM within Europe, by preparing the Phase
II demonstration programme, which in turn has to ad-
dress and support the improvement of the operational
effectiveness. This improvement is expected to take
place by undertaking selected DE activities, in which
current CM systems, procedures and technologies to-
gether with new or emerging ones will be tested and
evaluated in defined, concrete CM scenarios. The
European added value has to be achieved by choosing
those DE scenarios and CM assets, which have a clear
European impact, e.g. because of its demand of cross-
border and multinational capabilities to fight a crisis.
Furthermore, ACRIMAS will provide a sound basis
for continuous R&D on European level, taking into
account all the dimensions mentioned in this paper,
making CM a complex process, both in a technologi-
cal, organisational, human factors and political per-
spective.
Finally, the active participation of end-users, stake-
holders, industry and researchers in this process is es-
sential not only for the relevance of the outcomes of
the ACRIMAS project, but also for the success of
European research on CM issues in the long term.
Within ACRIMAS the means of choice to achieve
this involvement are the three open project workshops
and the final event (figure 4), in which each main step
of the ACRIMAS work and its findings towards
Phase II will be discussed with and validated by the
CM stakeholder community present. Also, these
99
workshops and related awareness raising and dis-
semination activities of the ACRIMAS consortium
are dedicated to the need to support and initialise the
required active participation of the CM stakeholder
community in the DE activities of Phase II.
All relevant project information including information
on the project workshops and the final event can be
found in due time on the project website:
www.acrimas.eu.
1.4. References
European Commission (2010). Work Programme
2011, Cooperation Theme 10 Security. Brussels, Bel-
gium.
ESRIF (2009). Final Report. Brussels, Belgium.
ISO (2010). DIS 22300, Societal security Funda-
mentals and vocabulary. Geneva, Switzerland.

100
Process Structures in Crises Management
Harand, Alexander, Institute of Rescue Engineering and Risk Management, FH Kln, Germany
Peinel, Gertraud, Fraunhofer FIT, Schloss Birlinghoven, 53757 Sankt Augustin, Germany
Rose, Thomas, Information Systems, RWTH Aachen University, Ahornstr. 55, 52056 Aachen, Germany
Abstract
Research project InfoStrom strives to foster the communication and collaboration among crisis management ac-
tors in case of a severe power blackout (Schwarzfall). Specific attention is devoted to the transparency of proce-
dures amid counter measures that are initiated by different rescue organizations, e.g. fire brigades and mainten-
ance teams of utility providers. Although a crisis squad coordinates procedures at a strategic level, procedures at
the operational level of individual organizations are not always transparent to potentially affected organizations,
e.g., once police forces close regional roads this information can affect maintenance troops in their approach, but
they are not aware of this decision. Hence, better coordination of procedures with a cross-organizational impact
is required. This calls for a process management methodology that supports the modeling of procedures for syn-
chronization. To start with, our first task has been a thorough survey of the legal framework presented in crises
management literature and regulations in order to identify process structures. Surprisingly, only rudimental
process structures have been unveiled. Check lists or task skeletons that are even sometimes distributed across
organizations prevail. This paper will present our findings and reasons for this.

1 Introduction
For the social and economical life, reliability of power
supply is one of the most critical infrastructure ele-
ments, specifically in this high-tech world implicating
strong interdependencies with other critical infrastruc-
tures. Once hit by a breakdown of power supply, the
implications are limited at first sight. However, prob-
lems become seriously compounded when the black-
out lasts for longer periods of time, e.g. more than
eight hours. Blackouts that last even longer cause se-
rious implications for humanitarian inviolacy. During
the Japanese earthquake and tsunami disaster every-
one could witness how long-lasting power outages
caused severe impacts, also due to cascade effects [1],
[2].
But, the advanced planning of counter measures is
rather complex, since local peculiarities and the large
number of possible events hinder to detail concrete
procedures ex ante. As a result, several documents
specify counter measures in principle, but do not re-
flect rather specific events except for instance a
breakdown of communication networks. As such, legal
frameworks prescribe how to set up crisis squads
(Krisenstbe) for major crises (Groschadens-
lage) in Germany. However, the tasks of its members
are only itemized, going not in much detail on how
and when to do, and mostly being presented as mere
checklists to follow. Hence, they govern actions to as-
sure standard procedures while at the same time giv-
ing freedom for situational customization. Therefore,
no all-over plans rule the activities of the crises squad
team, but individual expertise, experience, and ad-hoc
decisions.
Project InfoStrom [3] aims to foster the communica-
tion and collaboration among crisis management ac-
tors. We participate in this project to leverage cross-
organisational process awareness. Its first task has
been to browse and unveil process structures in crises
management literature and legal texts. Unfortunately,
only rudimental process chains have been found,
check lists or task skeletons prevail.
2 Information Background
2.1 Public Regulations
In addition to interviews with experts from the emer-
gency management domain (fire brigade, police,
members of crises squads), a vast diversity of docu-
ments concerning crises management could be identi-
fied as relevant.
Most important regulations for public rescue organiza-
tions in North-Rhine-Westphalia and respective Coun-
ties are:
DV 100, German regulation 100. Leadership and
Command in Emergency Operations. Command
and Control System (Feuerwehrdienstvorschrift
100)
Stndige Konferenz der Innenminister und -
senatoren der Lnder (IMK), Arbeitskreis V
101
"Feuerwehrangelegenheiten, Rettungswesen, Ka-
tastrophenschutz und zivile Verteidigung", Hin-
weise zur Bildung von Stben der administrativ-
organisatorischen Komponente (Verwaltungsst-
be VwS), Berlin 2003
Ministerium fr Inneres und Kommunales des
Landes Nordrhein-Westfalen, 1 Ordnungsbe-
hrdengesetz NRW, 1980
as well as from the County of Siegen-
Wittgenstein: Fhrungsstrukturen zur Abwehr bei
Groschadenslagen and the Dienstordnung fr
den Krisenstab
and from the County of Rhein-Erft: Geschfts-
ordnung Bevlkerungsschutz, Bergheim 2006.
They furnish the framework constraints each public
organization has to obey for its operations.
The dependencies of a power blackout on other infra-
structure areas are described to a large extent in the
federal documents:
Bundesministerium des Innern, Krisenkommuni-
kation - Leitfaden fr Behrden und Unterneh-
men, 2008
Bundesamt fr Bevlkerungsschutz, Nationales
Krisenmanagement im Bevlkerungsschutz, Bonn
2008
Grambs, S.,Schultmann F. and Thiede T., Krisen-
management Stromausfall Langfassung. In Zu-
sammenarbeit mit dem Innenministerium Baden-
Wrttemberg (Hrsg.) und dem Bundesamt fr
Bevlkerungsschutz und Katastrophenhilfe, Hei-
delberg 2010
In Germany, hazard defense is based on four pillars:
military forces, intelligence service, police and civil
protection [1]. Thus, considering the case of a long
power outage, our emergency management partners in
project InfoStrom are well selected being police de-
partments as well as members of civil protection or-
ganizations of the two counties. The consortium is
complemented by a large electric power provider: in
most countries and also in Germany, most, if not all,
utility providers are from the private sector, which
ought to cooperate in crises situations strongly with
these public bodies.
We therefore expected an elaborated emergency strat-
egy that is based on a detailed planning of concerted
actions of public and private organizations well in ad-
vance [4]. Strangely enough, we did not find docu-
ments with harmonized procedures or emergency
plans covering the cooperation and interconnections
between these organizations.
The federal structure of Germany might be one reason
for this, since State, Lnder, and County specific regu-
lations describe responsibilities and relations, but they
do not go in clear details and often delegate tasks to
secondary bodies (principle of subsidiarity).
Another reason could be that the awareness of the or-
ganizations comes up slowly. Thus, in the recent past,
the local authorities led disaster control exercises con-
cerning power blackouts. Not surprisingly, these have
shown that the dependency on electric current influ-
ences strongly the possibilities of communication [5].
These empirical values were a welcome addition to
the other documents for us.
Published documents with protection concepts against
power outage of the federal offices are recognized as
expert reports, being not at all obligatory. On the other
hand, different regional protection concepts came into
effect and were implemented; but they are either kept
vague serving more as a frame structure, or, in the op-
posite case, they are detailed and tailored to particular
needs. Even worse and also as a consequence, they all
are showing different granularities and terminologies.
Thus, extracting common standard procedures is near-
ly impossible.
Concerning the problem of terminology, it has to be
noted that both, police and fire brigade regulations,
are historically based on the same military roots.
However, a common lingo is not in place and dic-
tionaries fail through different use, goals and ulterior
commands. Thus, comparing regulations of different
emergency management organizations is troublesome
and may lead to wrong results.
A specific problem lies in different communal regula-
tions. Although core structures and procedures are
similar in Germany, they have to be adapted by law to
local peculiarities [6, 7]. And exactly these adapta-
tions lead to misunderstandings and collisions of ac-
tivities hampering the inter-organizational cooperation
[8].
To establish an information network for the different
actors, we had to consider local- and federal regula-
tions to identify common and different process struc-
tures or at least fragments for later completion.
2.2 Utility Providers Planning
Looking at commercial utility providers we expe-
rienced that most of them already analyzed potential
risks and developed specific counter action plans, be-
cause of public regulations forcing providers of criti-
cal infrastructures to establish and use risk manage-
ment systems [9]. Most of them also established and
train needs-based and company-specific counter ac-
tion plans. Since the power supply industry mostly
works supra-regional, these plans are often fine-
grained and detailed. But they also miss details when
it comes to information exchange with other rescue
organizations and do not include updates of informa-
tion or - in other words courses of information ex-
change. Moreover, only my information push is
contemplated, information pull services from and to
others are currently neglected. There is no service in
place that constantly informs information seekers
about the current state of work. But we have learned
from interviews that for a quick recreation of the elec-
trical power supply an active and standardized ex-
change of information is important and desired.
102
3 Implementation / Technology
Several modelling endeavours in the emergency man-
agement domain have proven that process modelling
provides added value for decision support [10]. But
off-the-shelf tools turned out to be too complex and
too inflexible to be utilised by crises managers, which
complained about their lack of usability or their man-
datory but inaccurate terminology. Therefore, we need
less formal methods enabling domain experts to at
least grasp or sketch their planned courses of action in
a simplified way (means simple ordering of tasks,
concentration on necessary and often used relations,
dependencies and relationships, as well as resource
tracks).
For the initial capture, we started with a semi-formal
approach by employing MediaWiki [11] and its se-
mantic extension by [12]. This editor is well known
from Wikipedia, and allows one to edit and structure
content with relatively simple means. We then created
an Emergency Management Wiki, in which we col-
lected all rules, regulations and process fragments
concerning management of disasters that affect critical
infrastructures.
The advantages of this method are:
Common web based access to crisis management
procedures with discussion and versioning fea-
tures;
Familiar user interface thanks to Wikipedia, users
are less adverse to this media;
Capability of referencing and such archiving ref-
erence documents to trace decision making;
Macro-structure by concepts (i.e., pages) and
page outline;
Annotations by elements like category, attributes,
and data types (see box named Facts about in
figure 2).
Thus, domain experts can now subsequently review,
edit, and change the domain knowledge gathered. We
are currently in the process of reviewing, correcting
and completing these results. Then we will proceed by
transferring these processes in a further semi-formal
process editor. From there it will be used as navigation
tree for searching and collecting crises information in
a so called SecurityArena.
4 Experiences Made
We have experienced that in official documents proc-
ess know-how is somehow hidden in the description of
tasks, responsibilities, and measures (which can be all
perceived as processes or activities). But they are not
detailed enough to formalize them, and - much less -
put in temporal or logical order. Thus, applying here
process modelling means results in plain lists and the
prospects of control structures remain mostly unused.
It is obvious that the stated activities bear relations
and imply meta-knowledge of the actors involved. Un-
fortunately, this information is not disclosed due to the
claimed unpredictability of disasters and also due to
the non-acquaintance of actors with formal planning
approaches. And thus, a description of intersections
with other organizations is also missing. Since these
intersections bear the most critical problems [13], it is
important to answer: which actor has to communicate
when, how, with whom and about what.

Figure 1 Modelling Crises Management Concepts with MediaWiki

103
To summarize our findings:
Most emergency plans found are concentrating on
inner processes, while external connections and
relationships are somehow neglected or only su-
perficially mentioned. A clear when what who
with whom with which means is missing.
Thus, process structures are rarely found in public
documents. Described activities are somehow
hidden behind terms like responsibilities and
tasks, which we believe could not be translated
to processes one-to-one.
If activities have been found, they are mostly not
described in temporal or logical order.
Also, operating procedures are mostly generally
described and not adapted to specific disasters.

Figure 2 Modelling Crises Management Concepts
with MediaWiki and Semantic Annotation
5 Outlook & Summary
Rescue organizations have to prepare for an increas-
ing number of disasters as history shows. Because the
size of some incidents might exceed the capabilities of
a single organization, several rescue organizations
have to cooperate. Hence, a corporate planning
process is required to prepare for such an event.
Moreover, thinking about a large scale power outage
with numerous cascade effects.
Process management appears as natural candidate for
cooperative planning since each planning revolves
around activities that have to be conducted and moni-
tored, ands information exchanged [14].
In project InfoStrom the said SecurityArena will be
implemented providing means to disclose, describe,
and activate such crisis communication.
Our process management work for the SecurityArena
is to provide a tool for modelling, activating, updating
and navigating in cooperative processes, means to
help rescue organisations and authorities before, dur-
ing and after an event. And our first step was to find
out whether processes oriented thinking can be found
in the emergency management literature. This paper
described our findings namely that regulations, docu-
ments and information from interviews show only first
attempts of process management means. For the pro-
ject, we as process specialists extracted these frag-
ments, completed where possible, and now have to
discuss with emergency managers, where bottlenecks
exist. We are already sensing that the vast amount of
sorties during a power outage will lead to have a care-
ful selection of processes to observe.
6 References
[1] Grambs, S., F. Schultmann, and T. Thiede,
Krisenmanagement Stromausfall Langfassung,
In Zusammenarbeit mit dem Innenministerium
Baden-Wrttemberg (Hrsg.) und dem Bundesamt
fr Bevlkerungsschutz und Katastrophenhilfe:
Heidelberg, 2010
[2] Pernsteiner, J., Atom-Katastrophe in Tokio wre
nicht managebar, Experte: Megacitys besonders
verletzlich fr Risikokaskaden, in Interviews,
United Nations University Institute for
Environment and Human Security (UNU-EHS):
Bonn, 2011
[3] InfoStrom Konsortium. InfoStrom Projekt-
Homepage. Webpage, 2011, retrieved 3/2011;
Available from: http://www.infostrom.org.
[4] Klink, M., Polizeiliche Aspekte des lnder- und
bereichsbergreifenden Krisenmanagements, in
Die Polizei. Carl Heymanns Verlag. p. 293ff,
2006
[5] Schmidt, J., Bevlkerungsschutz Kln,
Kommunale Gefahrenabwehr aus einer Hand.
Statement during the VIII. Zukunftsforum
ffentliche Sicherheit 26.11.2009: Berlin, 2009
[6] Nordrhein-Westfalen, B., Gesetz ber den
Feuerschutz und die Hilfeleistung (FSHG). 1.
(GV. NRW 2009, Nr. 36, S. 767).
Innenministerium Nordrhein-Westfalen, 2009
[7] Nordrhein-Westfalen, B., Gesetz ber Aufbau
und Befugnisse der Ordnungsbehrden -
Ordnungsbehrdengesetz (OBG). (GV. NRW. S.
765, ber. S. 793). Innenministerium Nordrhein-
Westfalen, 1980
[8] InfoStrom Konsortium, Ergebnis der gefhrten
Interviews mit der Kriminalhauptstelle Kln
vom 06.04.2011 und der Kreispolizei Rhein-Erft-
Kreis vom 06.04. und 21.04.2011. InfoStrom
Project, 2011
104
[9] Bundesrepublik Deutschland, Aktiengesetz
(BGBL. I S. 1900). Bundesministerium fr Justiz,
1965
[10] Rose, T., G. Peinel, and E. Arsenova. Process
management support for emergency
management procedures. in eChallenges 2008.
Stockholm, 2008
[11] Wikimedia Foundation. MediaWiki. 2007,
retrieved 3/2011; Available from:
http://www.mediawiki.org/wiki/MediaWiki.
[12] Krtzsch, M. Semantic MediaWiki. 2008,
retrieved 3/2011; Available from:
http://semantic-
mediawiki.org/wiki/Semantic_MediaWiki.
[13] Jger, B. Fhrungsstrukturen bei
aufgabenbergreifenden Einstzen von
Feuerwehr, Rettungsdienst und Polizei am
Beispiel des Landes Hessen. 2003, retrieved
3/2011; Available from:
http://www.polizei.hessen.de/internetzentral/nav/
bd4/bd470ee1-825a-f6f8-6373-
a91bbcb63046&uCon=6a648ff1-1199-bf33-
62d6-1611142c388e&uTem=5dd7059f-c5be-
52f8-8de0-1121c7f5087f.htm.
[14] Peinel, G., T. Rose, and E. Berger. Process-
oriented Risk Management for Smaller
Municipalities. in 4th International Conference
on Information Systems for Crisis Response and
Management (ISCRAM). Delft, The Netherlands,
2007

105

Universal Detector of Concealed Hazardous Materials
Igor Gorshkov, Alexey Evsenin, Andrey Kuznetsov, Pavel Yurmanov, Dmitry Vakhtin
Applied Physics Science and Technology Center, Russia
Abstract
Overview of the test results from several prototype devices based on Nanosecond Neutron Analysis / Associated
Particle Technique (NNA/APT) detecting concealed hazardous materials in different scenarios is presented.
NNA/APT is a new powerful non-intrusive neutron interrogation method, which relies on high penetration abil-
ity of fast neutrons and high-energy -rays to automatically detect a wide variety of threat materials in highly
cluttered environments. Use of coincidences between secondary -rays produced by fast neutrons in the in-
spected material and the tagging -particles allows one to dramatically reduce the background and to obtain
3D distribution of chemical elements concentrations in the inspected volume. Further automatic analysis of
these concentrations provides identification of the material contained in the inspected volume. The following de-
tection scenarios have been investigated: a) detection of explosives in packages; b) detection of explosives in
luggage on conveyer belt; c) inspection of mid-size cargo containers; d) identification of small amounts of liq-
uids in sealed containers; e) inspection of UXO.

1 Introduction
There is an obvious need in a portable system that
could automatically detect and identify a broad range
of concealed threat materials: explosives, chemical
agents, drugs, UXO, etc.
In many cases the nature of the threat associated with
the suspicious object is not known in advance, and the
detection scenario (the amount and type of clutter ma-
terial, access to the threat object, its mass, type, shape
etc.) may vary widely.
Existing detection and identification methods all suf-
fer from some of the following deficiencies:
are not specific enough and produce many false
alarms (X-rays, radiography, thermal vision);
are too specific, and react only to a limited num-
ber of threats (vapour analysis methods);
cannot pinpoint the location of the threat object
(vapour analysis methods);
rely too much on the operators skills (X-rays).
We describe in this article a powerful new detection
method Nanosecond Neutron Analysis that can
automatically identify threat materials, including
those hidden behind thick metallic or other barriers.
The hardware and software developed for this method
can be assembled in different geometries to meet the
requirements of different scenarios: inspection of
abandoned luggage items, identification of UXO,
identification of sealed liquids, inspection of midsize
containers, resolving alarms produced by X-rays
based systems inspecting passenger luggage on a con-
veyer belt, etc.
2 NNA/APT Basics
Nanosecond Neutron Analysis / Associated Particle
Technique (NNA/APT) [1] is an advanced neutron
in, gamma out method [2] that can identify the hid-
den material by its elemental composition. Spatial dis-
tribution of chemical elements in the inspected vol-
ume is determined from the analysis of spectra of sec-
ondary -rays that are produced by tagged 14 MeV
neutrons.
Neutrons emitted in the direction of the inspected
volume from a miniature DT neutron generator are
tagged by using timing and position information
from a position-sensitive detector of -particles
(Figure 1).

Figure 1 Principles behind NNA/APT.
Session P Future Security 2011 Berlin, September 5-7, 2011
106

These -particles are emitted in the d+t+n reac-
tion in the opposite direction to the neutron.
NNA/APT devices typically use neutron generators
with built-in position-sensitive of segmented -
particle detectors. These neutron generators typically
produce 10
7
-10
8
neutrons per second, i.e. have much
lower intensities than the bulky neutron generators
used in most neutron radiography devices [3].
NNA/APT offers two main advantages:
1. Fully automatic decision making.
2. High penetration ability of 14 MeV neutron and
high energy -rays.
Its main disadvantages are:
1. Relatively long detection time (~ 1 minute).
2. Use of a neutron source.
The latter limitation is to some extent eased by the
low intensity of the neutron flux required by the
method, and by the possibility to switch off the neu-
tron flux between inspections. Radiation safety is also
ensured by the fact, that a reasonably sized exclusion
zone is always imposed by the bomb squads during
inspection of a potential threat object.
3 Hardware and Software Com-
ponents of an NNA/APT Device
3.1 Key hardware
The main component of any NNA/APT device is a
DT neutron generator with built-in position sensitive
detector of -particles. Usually, it is a small-size
sealed-tube or pumped electrostatic generator capable
of producing up to 10
8
n/s, some portion of which
(usually 1-10%) are tagged by detecting the associ-
ated -particle (Figure 1).
We are using ING-27 neutron generators produced by
VNIIA, Russia, which are among the most light-
weight (~8kg) and compact devices of their kind. The
detector of associated -particles (typically 33 or
more matrix of p-i-n diodes) installed in these genera-
tors allow counting rates of up to 10
7
/s, which is
enough even when operating at maximal intensity.
Another important component of an NNA/APT device
is one or several detectors of -rays, which provide
energy and timing information (relative to the tag-
ging -particle) about every detected -quantum.
Apart from having good energy and time resolution
and high efficiency to high-energy -rays, these detec-
tors must be able to operate at high counting rates
(typically, between 10
4
cps and 10
6
cps) due to close
proximity to the working neutron generator. These
requirements effectively rule out the use of HPGe-
based -ray detectors. The best candidates are detec-
tors based on BGO
1
crystals (they have high effi-
ciency and high photo peak-to-Compton ratio), and

1
Chemical formula: Bi
4
Ge
3
O
12
.
LaBr
3
crystals [4] (excellent energy and time resolu-
tion, and short signals, hence ability to work at high
counting rates).
Detectors of -rays are equipped with fully digital
combined spectrometer and power supply unit, which
is installed directly on the detectors body, and is con-
nected to the data acquisition system (DAQ) by a sin-
gle four twisted-pairs (Ethernet) cable.
The DAQ board is installed right above the pre-
amplifiers serving the -particle detector on the ING-
27 body. It provides synchronization, parameters
setup, and data collection for the -detector and up to
four -ray detectors. All the detectors parameters, in-
cluding HV and digital signal processing settings, are
stored in the power-independent memory on the re-
spective boards, removing the need in a separate con-
figuration file.
If more than four -detectors are needed, a larger ver-
sion of the DAQ is used, which can serve up to 40 -
and -detectors in any combination. This DAQ occu-
pies a single standard 2U-high 19-wide module.
Both compact and larger DAQs are connected to a
computer by a single standard Ethernet cat5 cable.

Figure 2 A minimal hardware configuration of an
NNA/APT-based device: a neutron generator with
control unit (right), a -ray detector based on LaBr
3

crystal (centre), and a computer (left). All DAQ elec-
tronics is built into the respective units.
Figure 2 shows the minimal hardware needed for an
NNA/APT device. In closely packed geometries, the
-ray detectors can be optionally shielded from pri-
mary 14 MeV neutrons to reduce the background
counting rate due to accidental coincidences between
-rays and -particles. Whether or not to use such
shielding depends on the required balance between
performance and weight.
Depending on the detection scenario, the above hard-
ware components are arranged in different systems,
which form a family of SENNA devices.
3.2 Data Analysis Software
In order to take advantage of one of the main features
of NNA/APT automatic data analysis one should
be able to perform the following operations:
1. Collect event-by-event information from the de-
vice. Each event contains:
a. energy of the -quantum;
107

b. time between the detection of the -
quantum and the tagging -particle;
c. coordinate, at which the -particle was
detected;
d. the number of the -ray detector.
2. Apply energy and time/coordinate/position cali-
brations to the raw data, and construct individual
energy spectra of -rays for each 3D voxel, of
the inspected volume.
3. Determine concentrations of chemical elements
in each voxel from the energy spectra of -rays.
4. Analyze the determined concentrations and make
decision about presence or absence of a hazard-
ous material, its type and location.
All these functions are implemented in the APSTECs
NNAsoft software (Figure 3).

Figure 3 Screenshot of the APSTECs NNAsoft data
collection and analysis program.
NNAsoft makes automatic energy calibration for each
collected spectrum, using a number of known lines
that are always present in the total -ray spectra (e.g.
lines of iron, carbon, and oxygen). Thus, the problem
of temperature drift in the spectra is solved.
Coordinate/time/position calibration is done once by
placing the device close to a large heavy flat object
(e.g. a wall) and collecting data for about 1 minute.
Then, using the internal geometrical model of the
hardware, the program automatically calculates all
parameters that are needed to transform -particle de-
tection coordinate and -quantum time-of-flight into
position of the material, which produced this -
quantum. This calibration is then applied during
measurements to every raw event. It can be periodi-
cally checked (typically, once a week) and repeated if
needed.
The next step of the data analysis is fitting of the mul-
tiple energy spectra of -rays collected for every
voxel with response functions of the device to indi-
vidual chemical elements. These response functions
are either measured directly using samples of materi-
als, or calculated using MCNP5
2
code.
Figure 4 shows examples of response functions of
BGO and LaBr
3
-based detectors measured for chemi-
cal elements from carbon to lead. For elements, for
which direct measurements are unadvisable (e.g.
flammable of poisonous), results of MCNP calcula-
tions may be used with care.

2
Monte Carlo N-Particle Transport Code: MCNP.

Figure 4 Response functions of BGO and LaBr
3

based detectors to chemical elements from C to Pb.
NNA/APT spectra usually have poor statistics (few
hundred or thousand events per spectrum), due to the
need to reduce the measurement time. Fitting such
spectra with large number of components is a non-
trivial task, since it constitutes a mathematically ill-
posed problem. The option of artificially limiting the
number of response functions used in the fit poses the
risk of erroneously removing the element that is pre-
sent in the inspected material.
Instead, we are using a version of Partial Least
Squares (PLS) algorithm, which allows one to per-
form stable fit of low-statistics spectra with virtually
unlimited number of fitting components.
The final stage of the data analysis is to somehow
automatically make sense of the elemental concentra-
tion data, and to identify the threat material, if any.
Since the device is supposed to be a universal detector
of threat materials in different scenarios, formalizing
the notion of a threat material is a challenging task.
We solve this problem by utilizing the decision-
making algorithm based on fuzzy logic. Fuzzy
logic provides mathematical formalism for the ex-
perts intuitive understanding of what could and what
could not be a hazardous material in the given detec-
tion scenario. It can take into account heterogeneous
(even qualitative) information about concentrations of
chemical elements and their error bars, the detection
time, distance to the object, the required detection re-
liability etc., and form a very fast and intuitively clear
decision-making procedure. Unlike more generic neu-
ral networks, this procedure should be taught
manually by an expert user, but the amount of the
handwork is not that large, if not too many input fac-
tors are used.
After a separate fuzzy logic configuration has been
set up for each detection scenario (e.g. for detection of
nitrogen-rich explosives, of nitrogen-free explosives,
and of different types of poisonous chemical agents in
a suitcase on a conveyer belt), each measurement is
automatically checked against all these configura-
tions. Detection scenarios may be added or removed
when needed.
0 1000 2000 3000 4000 5000 6000
0
1
2
3
4
1
2
3
4
5
BGO

E
[ keV]
C
N
O
F
Na
Mg
Al
Si
P
S
Cl
K
Ca
Ti
Cr
Mn
Fe
Ni
Cu
Zn
As
Br
Cd
Sn
Pb

C
o
u
n
t
s

[
a
.
u
.
]
LaBr
3
108

A typical detection scenario for detecting nitrogen-
rich explosives in a suitcase includes the analysis of
relative concentrations of carbon, oxygen and nitro-
gen, as well the error bars for these quantities. This
approach allows one to almost completely eliminate
false alarms on nitrogen rich benign materials, such as
leather, melamine, wool, etc.
4 Experimental Results
4.1 Inspection of Unattended Luggage
Unattended suspicious luggage can be left anywhere,
so the inspection device should operate in the one side
access geometry. A portable SmartSENNA prototype
was developed and built (Figure 5), which has the fol-
lowing main parameters:
Neutron source: ING-27
Intensity (typical/max): 510
7
/10
8
n/s
Type of -detector: 33 matrix of 11cm
2
p-i-n
diodes
Number of -ray detectors: 2
Type of -ray detectors: BGO, 33
-ray detector shielding: 15kg (optional)
Dimensions: 629mm552mm356mm
Weight without shielding: ~25 kg
Power consumption: < 50 W
Cables: single composite (data/power)

Figure 5 SmartSENNA (left) inspecting a suitcase
(right).
During the measurement SmartSENNA can be ori-
ented in any way, so that the tagged neutrons are
directed towards the inspected volume.
The test objects were midsize suitcases filled with be-
nign materials: clothing, bottles, drugstore articles,
cola cans, food and books, consumer electronics,
toothpaste, deodorants etc. In some measurements ex-
plosives simulants were places among the benign ob-
jects. These simulants with masses ranging from 200g
to 1kg had the same elemental composition as widely
used explosives: TNT, C4 and ammonium nitrate.
Over 500 measurements were carried out; each meas-
urement was repeated several times to check the sta-
bility of the devices performance.

Figure 6 Examples of automatic detection of con-
cealed explosives simulants.
Figure 6 shows examples of the measurements with
the simulants placed in suitcases with clutters filling,
and the respective screenshots of the NNAsoft pro-
gram with the indication of the locations of the
alarms.
In all measurement the explosive simulation samples
were successfully detected. The most difficult case
turned to be sheet explosive, for which measurements
from two directions were needed to detect if reliably.
No false alarms were registered either in suitcases
with purely benign filling, or in the areas that did not
contain the explosives simulant.
4.2 Inspection of Passenger Luggage on
a Conveyer Belt
A stationary version SENNA device with 12 BGO-
based -ray detectors was installed and tested at Ko-
rean Atomic Energy Research Institute (KAERI),
South Korea (Figure 7).

Figure 7 SENNA with 12 -detectors installed on a
conveyer belt at KAERI.
The setup simulated the inspection of the passenger
luggage moving on a conveyor belt, after some prior
targeting towards a suspicious area by a X-ray ma-
chine. This area was then automatically moved into
109

the sensitive volume of the NNA device, which pro-
vided automatic alarm resolution.
Two-side access geometry was used, with the neutron
generator under the belt, and 12 -ray detectors ar-
ranged over the inspected suitcase.
Explosives simulants of 10 different types were pro-
vided by KAERI, as well as samples of typical benign
suitcase filling: fabrics, drinks in bottles and cans,
rubber materials, etc. The detection procedure simu-
lated the possible use of the device at the second line
of defence (e.g. after an X-ray machine).
In all cases but one, SENNA was able to detect the
explosives simulants in the required time. The only
exception was a simulant with very low nitrogen con-
tent, for which the detection time needed to be in-
creased. No false alarms from benign objects were
produced, even though some of them (e.g. melamine)
contained a lot of nitrogen. This low false alarm rate
is due to the fact that material identification in
NNA/APT relies on the measured concentrations of
several chemical elements (in case of explosives
carbon, nitrogen, and oxygen).
4.3 Inspection of Sealed Liquids
Identification of sealed liquids is still an unresolved
problem, which affects economics of the transporta-
tion industry. Apart from obvious implications for the
aviation security, it may also play a role in Customs
control, e.g. by facilitating manifest verification.
A fixed-geometry SENNA device was used to identify
liquids in sealed containers..
The device was composed of a neutron generator and
three BGO-based -ray detectors, whose scintillating
crystals were directly below the inspected bottle or
can. The crystals were shielded against direct flux of
14 MeV neutrons by a combined polyethylene-lead
shielding.
Many liquid samples were used, representing three
main groups of substances:
1. benign aqueous solutions, gels, and foams (water,
toothpaste, shampoo, shaving foam, vodka, etc.)
2. flammable organic solvents (kerosene, acrylic
paint etc.)
3. explosives simulants, both liquid and solid
(TATP, TNT, C4, etc.)
Volumes of the samples ranged from 40 ml (aqueous-
ethanol extract of Calendula) to 1 litre (kerosene etc.)
Automatic identification by fuzzy logic was based
on relative content of carbon, nitrogen, and oxygen.
Measurement with each sample was repeated 5 times
to give an idea about the statistical accuracy of the
method. Figure 8 shows the distribution of all meas-
urements in the coordinates N/(C+O) vs. C/(C+O),
where C, N and O are the experimentally determined
concentrations of carbon, nitrogen, and oxygen re-
spectively.

Figure 8 Results of the analysis of multiple measure-
ments with liquids.
On this plot benign aqueous solutions are located
close to the origin, while flammable organic liquids
are located at high C/(C+O) values. Nitrogen-
containing explosives, which are also quite oxygen-
rich are well isolated on the top part of the plot. Non-
nitrogen TAPT is located between aqueous solutions
and organic liquids.
4.4 Identification of UXO
When a UXO is inspected in controlled environment
at a disposal facility, only a limited number of chemi-
cal elements components of different types of shells
and of the known construction materials of the device
itself are to be taken into account: Fe, C, N, O, S,
Cl, As, and few others.
The identification device consisted of a neutron gen-
erator with 36-pixel detector of associated -particles,
three detectors of -rays based on 33 BGO crys-
tals, and compact DAQ electronics.
The simulant mixtures (Table 1) were enclosed into
1cm-thick iron containers. Detectors of -rays were
placed right under the inspected simulant and were
shielded from 14 MeV neutrons by a composite
shielding (borated polyethylene + lead).
Table 1 simulants of UXO used in the experiments.
Type
Composition of the
actual shell
Composition
of the simulant
yellow
50% mustard gas +
50% Lewisite
arsenic oxide,
sulphur, salt,
graphite, water
black explosive
melamine, wa-
ter, graphite
red
diphenylcyanoarsine
+ explosive
arsenic oxide,
melamine, wa-
ter, graphite
brown Prussic acid
melamine,
graphite
The inspection time was 1 minute, and each meas-
urement was repeated 100 times in order to check re-
liability of the results. The -ray spectrum obtained in
each measurement was fitted with response functions
-0.2 -0. 1 0.0 0. 1 0.2 0.3 0. 4 0.5 0.6 0. 7 0. 8 0.9 1.0 1. 1 1.2
-0. 1
0. 0
0. 1
0. 2
0. 3
0. 4
0. 5
0. 6
0. 7
calendula
shavingfoam
cola
cola light
cola light
shampoo
toothpaste
vodka
yogurt
C4
TATP
TNT
acryl paint
benzine
deodorant
kerosin
solvent
white spirit
HMTD
NG
innocuous
explosives
flammable
N
/
(
C
+
O
)
C/(C+O)
TNT,TATP,C4: 200g
Flam. liq.: 1000ml
Deodorant: 150ml
Acryl. paint: <250ml
calendula: 40ml
toot hpaste: 100ml
cola: 330ml
shampoo: 200ml
sh. foam: 200ml
yogurt: 100ml
vodka: 500ml
110

of the device to individual chemical elements, and the
resulting elemental concentrations were plotted as 2D
plots. Examples of such plots for red and black
simulants are shown on Figure 9. Each small dot
represents result of a single measurement. The colour
of the dot corresponds to the simulant type that was
automatically determined by the decision-making
procedure. Large coloured symbols show the expected
location of the simulants based on their known
chemical composition.
The device was able to correctly identify simulants in
100% of measurements by comparing the distances
from the experimental dot to the expected locations of
all known simulants and choosing the closest one.
Such a simple data analysis procedure worked well,
because the system had a very limited number of clas-
sification options.

Figure 9 Distribution of measurements with red
and black simulants in coordinates N-O (left), and
As-O (right).
When identifying a totally unknown UXO that is ly-
ing on the ground, one has to additionally take into
account a large number of chemical elements that can
be found in the soil around the UXO: O, Si, Al, Ca,
Mg, K, Na, Ti, and many others. In order to facilitate
the analysis of the resulting complex -spectra, a ver-
sion of SENNA with LaBr
3
-ray detector having ex-
cellent energy resolution (see Figure 4) was used.
Simulants listed in Table 1 lying on the surface of
sand were used in these measurements.

Figure 10 Experimentally determined (solid symbols)
and real (open symbols) masses of chemical elements
in the simulants.
Concentrations of chemical elements that were ex-
tracted from the energy spectra of -rays are com-
pared to the real chemical composition of the simu-
lants on Figure 10. The values were normalized to the
known mass of carbon in the simulant (same normali-
zation value for all chemical elements). The yellow
simulant that contained arsenic, sulphur and chlorine
can be easily distinguished from brown (Prussic
acid) and black (explosive) simulants that contain
carbon, nitrogen, and oxygen. Brown and black
simulants can then be identified by nitrogen-to-carbon
ratio. Oxygen was not used in the analysis, since the
sand around and under each simulant contained a
large (und unknown) amount of oxygen, which dis-
torted the measured mass of oxygen in the UXO.
5 Conclusions
NNA/APT was shown to be a universal method for
detection of a broad class of concealed threat materi-
als in different environments. The main advantages of
NNA/APT are:
1. High specificity that allows fully automatic data
analysis, and independence from the operators
skills.
2. High penetrating ability of fast neutrons and high
energy -rays, which enables inspection through
thick barriers and walls.
3. Position sensitivity of the method, which facili-
tates inspection of highly cluttered environments.
4. Sensitivity to a large number of chemical ele-
ments, making the NNA/APT-based device a
universal and flexible tool that can be tuned for
the required task by simply adding a text file-
based detection scenario.
6 References
[1] A.V. Evsenin et al., Detection of hidden explo-
sives by nanosecond neutron analysis technique,
Detection of bulk explosives: advanced tech-
niques against terrorism (Proc. of the NATO
ARW #979920 St.-Petersburg, Russia, 2003),
(H.Schubert, A.Kuznetsov, Eds.), Kluwer Aca-
demic Publishers, p. 89 (2004)
[2] T. Gozani , The role of neutron based inspection
techniques in the post 9/11/01 era, Nucl. Instr.
and Meth. B, vol. 213, pp. 460-463 (2004)
[3] Liu Y, Sowerby BD, Tickner JR, 2008, Com-
parison of neutron and high-energy x-ray dual-
beam radiography for air cargo inspection, Ap-
plied Radiation and Isotopes, 66, pp. 463-473
[4] B.D. Milbrath et al. Comparison of LaBr3:Ce
and NAI(Tl) scintillators for radio-isotope identi-
fication devices, NIM A, Volume 572, Issue 2,
11 March 2007, pp. 774-7

0
50
100
150
200
0
50
100
150
200
0
50
100
150
200
0
50
100
150
200
0
100
200
300
400
black brown
yellow

CARBON
yellow
Solidsymbols: experiment
Open symbols: real mass
Yellow: Mustard gas + Lewisite
Brown: Prussic acid
Black: Explosive
black yellow
brown
NITROGEN
black brown
SULFUR

black
yellow
brown
ARSENIC

black brown
yellow
CHLORINE

M
a
s
s
,

g
r
a
m
s
111
Laser Ion Mobility Spectrometer Technology and
Security applications
Matthias, Kessler, Cassidian Electronics, D-89077 Ulm, Germany
Andraes, Borowsky, Cassidian Electronics, D-89077 Ulm, Germany
Thomas, Eggenstein, Cassidian Electronics, D-89077 Ulm, Germany
Anne, Krske, Cassidian Electronics, D-89077 Ulm, Germany
Jrg, Sander, Cassidian Electronics, D-89077 Ulm, Germany
Michael, Strasser, Cassidian Electronics, D-89077 Ulm, Germany
Manfred, Zoberbier, Cassidian Electronics, D-89077 Ulm, Germany
Abstract
Ion mobility spectrometry (IMS) is a well known trace-detection technology for gases and volatile com-
pounds in the field of security and military applications. The first devices based on the IMS technology were in-
troduced by M.J. Cohen and F.W. Karasek in 1970 [1]. During the past decades, these devices were designed
mainly for the security and military market to detect explosives and chemical warfare agents. Nowadays addi-
tional applications are emerging: production and quality control [2] as well as medical diagnostics [3]. Using a
novel laser ionisation (LIMS) high sensitivity detection of chemicals including detection of several explosives
could be demonstrated. The 3-detection limits of the explosives are in the picogramme range. A laser operating
at UV radiation enables the two-photon ionisation. The obtained LIMS spectra are robust and therefore a suit-
able base for mathematical signal enhancement and classification.
Keywords: laser ionization, photo ionisation, ion mobility spectrometry, (1+1)-REMPI, atmospheric pres-
sure chemical ionization (APCI), chemical detection, explosive detection, industrial application, diagnostic sup-
port

1 Introduction to IMS
An IMS is a time of flight mass spectrometer that op-
erates at atmospheric pressure instead of vacuum. In
contrast to mass spectroscopy, no complex sampling
method and no vacuum is needed. In the ionisation
area the samples are ionised commonly by radioactive
radiation, field or photo ionization. The drift rings and
the isolators establish a weak electrical field. The ap-
plied electrical field accelerates the ions towards the
collector. The collisions with the drift gas inside the
drift region decelerate the ions. Depending on mass
and cross section (size) the ions separate by their mo-
bility (travelling time), which is characteristic for the
sample. When the ions neutralise at the detector plate,
they produce a measurable electrical current. By
measuring the time between opening the gate and the
ions arrival versus the strength of the electrical cur-
rent, a typical ion mobility spectrum is obtained. The
drift gas purges the neutralised sample via the exhaust
to ensure a clean drift cell (see Figure 1).

Figure 1 The schematic overview of a typical ion
mobility spectrometer
2 Working principal of LIMS
The essential difference between common IMS de-
vices and the laser ion mobility spectrometer (LIMS)
device [4] is the ionisation process itself. For LIMS it
was decided to use multi photo ionisation based on
laser photons. Two photons are needed for ionising
the sample. This is known as (1+1) resonance-
enhanced-multi-photon-ionisation ((1+1)-REMPI).
The first photon lifts the sample in an excited inter-
112
mediate state, the second photon ionises it. Both, the
intermediate state and the ionisation level are charac-
teristics for the sample. Due to the pulsed laser opera-
tion, no electrical gate is needed. Only during the la-
ser pulse ions are created. Figure 2 shows the chrono-
logical sequence of the LIMS. The substances A, B
and C are carried by ambient air and are introduced
via the gas inlet. The pulsed laser beam creates the
ions A+, B+ and C+ which travel towards the collec-
tor. While travelling through the drift region they are
separated by their mobility. When the ions reach the
collector, they neutralise and produce an electrical
current. A current to voltage converter generates a
time dependent drift spectrum.

Figure 2 On the upper part one can see the chrono-
logical sequence of the LIMS. On the lower a drift
spectrum is displayed
By tuning the wavelength of the laser, different sam-
ples will be ionised. Comparing typical (1+1)-REMPI
spectra with the corresponding absorption spectra,
one will notice that the (1+1)-REMPI spectrum fol-
lows the absorption spectrum. Absorption spectra are
known to be characteristic for specific substances. In
Figure 3 the comparison of both, (1+1)-REMPI and
absorption spectrum of benzene are displayed [4]. The
laser wavelength was increased by about 0.2 nm
steps. The absorption spectrum was recorded with a
commercial UV-VIS spectrometer at 0.1 nm steps.

Figure 3 Comparison of the wavelength dependence
using (1+1)-REMPI and absorption measurements
As the photo ionisation energy is much smaller than
the radioactive radiation energy, the LIMS detector is
much more compatible to non-protected environ-
ments. In contrast to the radioactive ionisation the
(1+1)-REMPI ionises no air compounds and therefore
the obtained spectra are simple. Through the (1+1)-
REMPI process, selectivity is improved. The amount
of photons and ions is proportional which effects its
sensitivity. Therefore LIMS supports a wide range of
concentration, it can adapt to saturation effects by
changing the laser intensity. Knowing these funda-
mentals of the ionisation process, intermediate state
and ionisation levels of the samples, wavelength and
amount of the photon, the recorded spectra are simple
and can be evaluated automatically using pattern rec-
ognition algorithms leading to the straight forward
signal evaluation.
3 Explosive detection
3.1 Measurement procedure
A swipe sample method is used to analyse a suspi-
cious surface. This method is already established and
leads to reliable results. The swab is made of a suit-
able paper, cloth or glass fibre. Interaction between
the swab and the explosive should not occur. The
swab material should not be harmed by the thermal
desorption during the measurement. Several studies
on the swab material were executed. After choosing
the suitable swab material, the measurement cam-
paign is set up.
The most interesting explosive compounds to analysis
are provided by Restek (chromatography products
company) in 1000ng/1000l solutions with a suitable
solvent. The explosive compounds consist of different
chemical structures. These are aromatic ring struc-
tures for 2,4-DNT, 2,6-DNT, 2,4,6-TNT, m-DNB and
TNB, non-aromatic ring structures for Tetryl, RDX,
TATP and HMX and non-aromatic but aliphatic struc-
tures for PETN, ammonium nitrate, black powder,
EGDN and GTN. For the measurement lower concen-
trations are needed. At the EADS laboratory solutions
with 1000 / 100 / 10 and 1 ng/l are produced. De-
pending on the specific ion selectivity the desorbed
mass varies from 1 ng (TNT) to 20ng (HMX).
All analysed explosive compounds are solid at room
temperature. To evaporate the explosives a thermal
desorption is proceeded first. The temperature of the
desorber lies between 80C and 280C. The swab is
passed by the sample gas flow and collects the evapo-
rated explosives. This sample gas flow is introduced
to the gas inlet of the LIMS. To ensure no loss the gas
tubing is heated as well and the gas path is as short as
possible. The compact design is shown in Figure 4.
The light grey box is the shielded housing of the
113
LIMS. The dark grey tower on the right side of the
housing is the thermal desorber. On the most right
side one can see the wand. The swab is inside the tip
of the wand and can not be seen.

Figure 4 In the construction picture the LIMS inside
the light grey housing, the dark grey desorber and the
wand can be seen from left to right
For stable measurement conditions the explosive solu-
tion and the dopant are placed directly on the swab.
Naphtalene serves as dopant for the explosive meas-
urements [5]. Using one of the prepared solutions, an
exact amount of the explosive compound is known.
With a micropipette the solution is dosed on the swap.
After the solvent evaporated the selected amount of
the explosive material sticks to the swab and the
measurement can start.
3.2 Data recording and analysis
The data are recorded via a standard AD converter
controlled by a data acquisition system based on Lab-
View 8. This virtual instrument is developed by
EADS. The data analysis is done offline using Mat-
lab. As a next step the data analysis will be imple-
mented in the virtual instrument. The data acquisition
is recorded at 50 kHz with a 24 bit AD converter. The
raw data are post processed using bias correction,
noise reduction (Savitzky-Golay filter [6]) and de-
convolution (Richardson-Lucy [7]). For peak detec-
tion and pattern recognition a Gaussian fit provides
the necessary parameters. Figure 5 demonstrates the
effects of the signal enhancement [8]. The light grey
line represents the raw spectrum whereas the dark
grey line represents the enhanced spectrum of a TNT
and DNT measurement.

Figure 5 Comparison between the light grey raw
spectrum and the dark grey enhanced spectrum of a
TNT and DNT measurement
3.3 Measurement results
3.3.1 TNT measurement
The most common and well known explosive is TNT.
The temperature of the desorber for TNT is set to
230C. The spectrum shows single peak which could
be related to TNT
-
. The reduced mobility of TNT
-
(K
0

1.54 cm
2
/Vs [8]) and the mobility values from litera-
ture (K
0
1.55 cm
2
/Vs) are related [9], [10]. The light
grey line represents the enhanced spectrum (see Fig-
ure 6). The black peaks shows the Gaussian fit to ob-
tain the parameters for the pattern recognition. The
first peak is the reactant ion peak (RIP). The second
peak is the peak caused by the TNT
-
ions.

Figure 6 Spectrum of TNT
-
at the second position
and the RIP at the first position
3.3.2 RDX measurement
Another explosive is RDX. The temperature of the
desorber for RDX is set to 230C. The spectrum
shows a different amount of peaks depending on the
concentration. At low concentration (see Figure 7)
the RDX nitrate peak with the corresponding K
0
value
of 1.39 cm
2
/Vs [10] could be detected. The K
0
value
is 1.43 cm
2
/Vs [9]. At high concentration several
peaks are recorded (see Figure 8). The main peak has
the same reduced mobility K
0
like in the low concen-
tration measurement. The most right peak at K
0
1.00
cm
2
/Vs is a RDX dimer of RDX*RDX *NO
3
-
[8]. The
black peaks shows the Gaussian fit to obtain the pa-
rameters for the pattern recognition.

Figure 7 Spectrum of RDX at low concentration
with its main peak of RDX nitrate
114

Figure 8 Spectrum of RDX at high concentration
with the main peak and the peak of the RDX dimer
3.3.3 DNT measurement
During the production of TNT, six isomers of DNT
can be formed. Under certain conditions TNT can de-
generate into these isomers. During the measurement
campaign the isomers 2,4-DNT and 2,6-DNT are ex-
amined. The temperature of the desorber is set to
230C. The spectra of both explosive compounds are
different. In Figure 9 one can see the spectrum of 2,4-
DNT with the corresponding reduced mobility K
0

1.63 cm
2
/Vs [8]. The spectrum in Figure 10 shows
the reduced mobility of 2,6-DNT at 1.48 cm
2
/Vs [8].
The black peaks shows the Gaussian fit to obtain the
parameters for the pattern recognition. The drift time
varies by nearly 2 ms can therefore be easily resolved
by the LIMS. This experiment shows that LIMS is
capable to distinguish isomers. IMS is known to iden-
tify structural information from ions in the gas phase
[11].

Figure 9 Spectrum of 2,4-DNT with the reduced
mobility K
0
1.63 cm
2
/Vs

Figure 10 Spectrum of 2,6-DNT with the reduced
mobility K
0
1.48 cm
2
/Vs
3.3.4 Resolution capability
In the chapters above, the capability of the LIMS is
demonstrated by showing some spectra of explosive
compounds. In Figure 11 some additionally measured
explosives are shown. To give a better overview, the
recorded data of TNT, HMX, EGDN, RDX and
PETN are placed in one spectrum [12]. Please note
that these explosive compounds are measured in a
single measurement and put together for signal analy-
sis. The dark grey line represents the raw data
whereas the light grey line shows the enhanced and
deconvoluted spectrum. The raw spectrum differs all
explosive compounds but the post processed spectrum
is obviously a better base for pattern recognition.

Figure 11 Comparing the reduced mobility of differ-
ent explosive compounds with and without data post
processing
3.3.5 Sensitivity
The sensitivity of the LIMS is given by two different
standard methods taken from the theory of probabili-
ties. The first method is the last detectable 3-feature
taken from the desorption history. Recording the de-
sorption during at least 20 seconds, the peak caused
by the explosive compound vanishes below the 3
threshold. The second method to elaborate the detec-
tion limit is the so called positive alarm method. A
positive alarm occurs when a predefined amount of
115
spectra in series are detected and classified as an ex-
plosive compound. During the measurement, the total
amount placed on the swab is evaporated and causes a
peak belonging to the explosive compound. The area
below this chronological peak amplitude represents
the total mass of the explosive compound. This allows
to calculate the detectable mass for both methods [8].
Each explosive compound has its own desorption be-
haviour and detection limits. The 3-limits of TNT
and RDX are 0.01 ng and 0.03 ng, respectively. The
limit of the positive alarm for TNT and RDX are 1 ng
and 2 ng, respectively. For HMX the detection 3-
limit is 0.1 ng and the positive alarm limit 8 ng [8].
The above stated limits were calculated from data re-
corded with the LIMS developed at EADS. They are
in the same magnitude of actual IMS instruments.
4 Conclusion
During the measurement campaign 14 different ex-
plosive compounds were analysed. These are 2,4-
DNT, 2,6-DNT, 2,4,6-TNT, m-DNB, TNB, Tetryl,
RDX, TATP, HMX, PETN, ammonium nitrate, black
powder, EGDN and GTN. The LIMS detection device
is capable to detect all the above mentioned explosive
compounds. These compounds could be identified
with the post processing pattern recognition. The val-
ues of the reduced mobility K
0
taken from the meas-
urement campaign at the EADS laboratories and from
the literature correlate within the error bars. The cur-
rently implemented classification identifies the com-
pounds within seconds. The classifier is robust and is
a first attempt for positive alarm indication. The sensi-
tivity of the LIMS developed at EADS is high regard-
ing the 3- and the positive alarm method. For TNT
the 3-limit is calculated to 0.01 ng and the positive
alarm limit is 1 ng.
5 Further steps
As a future step the current software will be imple-
mented on a new processor board, it will include the
hardware control, the data processing and the pattern
recognition. A special user friendly graphical interface
will be designed. The hardware will be redesigned to
reduce size and weight. Aspects of serial production
and maintainability will be in the focus too.
6 Acknowledgement
The authors gratefully acknowledge the continuous
and helpful support from the colleagues at the EADS
Innovation Works, in particular Johann Gbel and Dr.
Andreas Langmeier. The fundamental part was sup-
ported within the framework of the German nationally
founded project MILAN, the European founded pro-
ject SAFEE, and the EADS internal projects LIMS
and LIMSensors
TM
.
References
[1] M. J. Cohen, F. W. Karasek, "Plasma Chroma-
tography a new dimension for gas chroma-
tograp hy and mass spectrometry", Journal of
Chromatographic Science, Vol. 8, pp. 330 337,
(1970)
[2] T. Kotaiho, F. R. Lauritsen, H. Deng, H. Paak-
kanen, "Membrane inlet IMS for on-line meas-
urement of ethanol in beer and in yeast fermen-
tation", Analytica Chimica Acta, Vol. 309, pp.
317 325, (1995)
[3] J. I. Baumbach, Process analysis using ion mo-
bility spectrometry, Analytical and Bioanalyti-
cal Chemistry, Vol. 384, pp. 1059 1070, (2006)
[4] J. Goebel, M. Kessler, A. Langmeier, A novel
Laser Ion Mobility Spectrometer, 13th ISOEN,
AIP Conference Proceedings, Vol. 1137, pp. 253
256, (2009)
[5] R. R. Kunz, W. F. Dinatale, P. Becotte-Haigh
Comparison of detection selectivity in ion mo-
bility spectrometry: proton-attachment versus
electron exchange ionization, International
Journal of Mass Spectrometry, Vol. 226, No. 3,
pp. 379 395, (2003)
[6] A. Savitzky, M. Golay, Smoothing and differ-
entiation of data by simplified least squares pro-
cedures, Analytical Chemistry, Vol. 36, pp.
1627 1639, (1964)
[7] L. B. Lucy, An iterative technique for the recti-
fication of observed distributions, Astronomical
Journal, Vol.79, Num. 6, pp. 745 754, (1974)
[8] A. Langmeier, W. Heep, C. Oberhttinger, H.
Oberpriller, M. Kessler, J. Gbel, G. Mller,
Detection and classification of explosive com-
pounds utilizing ion mobility spectrometry,
SPIE Proceeding, Vol. 7304, (2009)
[9] R. G. Ewing, D. A. Atkinson, G. A. Eiceman, G.
J. Ewing, A critical review of ion mobility
spectrometry for the detection of explosives and
explosive related compounds, Talanta, Vol. 54,
pp. 515 529, (2001)
[10] EADS internal report, Feasibility Study on ex-
plosive detection by LIMS technology.doc, pp. 1
14, (2007)
[11] G. W. Griffin, I. Dzidic, D. I. Corall, R. N. Still-
well and E. C. Horning, Ion mass assignments
based on ion mobility measurements. Validity of
plasma chromatic mass mobility correlations,
Analytical Chemistry, Vol. 45, pp. 1204 1209,
(1973)
[12] EADS internal presentation, referee J. Gbel,
Application of Laser Ion Mobility Spectrome-
try (LIMS) to Explosive Detection.ppt, pp. 1
26, (2008)
116

Fluorescent biosensors for standoff-detection of gamma-radiation
Wehner, Martin, Fraunhofer Institute for Laser Technology, Aachen, Germany;
Raven, Nicole, Fraunhofer Institute for Molecular Biology and Applied Ecology, Aachen, Germany;
Schillberg, Stefan, Fraunhofer Institute for Molecular Biology and Applied Ecology, Aachen, Germany;
Hund-Rinke, Kerstin, Fraunhofer Institute for Molecular Biology and Applied Ecology, Schmallenberg,
Germany;
Khn, Christoph, Fraunhofer Institute for Molecular Biology and Applied Ecology, Aachen, Germany;
Poprawe, Reinhart, Fraunhofer Institute for Laser Technology, Aachen, Germany

Abstract
Genetically engineered but environmentally safe soil bacteria can be tailored to function as specific and sensitive
whole-cell biosensors for trace amounts of harmful substances. Thereby, the short-ranging chemical contact sig-
nal is transformed into a long-ranging optical signal. This principle was first demonstrated in a TNT sensitive
biosensor. The detection limit for induced fluorescence response was estimated to an ADNT concentration of 10
mg/L in solution. Now we are considering a radiation sensitive promoter to trigger the expression of a fluores-
cent protein when radiation damage occurs. Such specific biosensors could be used for screening of large areas
for radioactive fallout and dust after nuclear accidents.

1 Introduction
A bacterial biosensor containing a TNT-inducible
promoter driving the expression of the red fluorescent
marker protein tdTomato has been constructed and
tested in a feasibility study [1]. Upon contact with
TNT or its derivatives the biosensor amplifies the sig-
nal by producing up to 10
5
fluorescent proteins per
cell. Fluorescence is already detectable after one-day
incubation period.

The readout of the biosensor signals is performed
from remote by a modified laser scanner. We success-
fully demonstrated the detection of fluorescent bio-
sensors with a home-made laser scanner at a distance
of 10 m under daylight conditions [2]. Optical remote
sensing technologies relaying on airborne laser scan-
ners are widely employed to create digital height
models of landscapes and canopy forestry. Terrestrial
laser scanners are used for mid-range applications in
archaeology, civil engineering, city modelling and
forestry [3]. Therefore, the instrumentation and the
data processing for area mapping of fluorescent bio-
sensors are already available.

Photoluminescent biosensors that indicate sources of
radiation have been described previously, e.g. a radia-
tion sensitive stress promoter is activated upon expo-
sure to gamma radiation and leads to the production
of luciferase in E. coli strains. The minimal detectable
dose was reported as 1.5 Gy after 30 min of 60Co-
irradiation. The onset of bioluminescence occurs after
3 h and highest production levels are reached after 4
6 h [4].

However, for field applications, bioluminescence as
marker protein has several disadvantages, e.g. its
short half-life and its weak signal intensity. Therefore,
we will combine a radiation sensitive stress promoter
with a gene coding for a fluorescent protein to create
biosensors providing higher signal strength. Since
fluorescence proteins have a high stability and high
fluorescent intensity the exploitation of those markers
will enable the generation of biosensors with fast re-
sponse time.

For practical reasons, we pursue the development of
cheap imaging sensors as an alternative to laser scan-
ners. Compared to laser scanner, the image data of a
digital camera do not need extensive data processing.
These low-weight array detectors could be mounted
to small unmanned aerial vehicles (UAVs) or ground
based robots to investigate suspicious areas without
the need for personnel to enter these areas. Informa-
tion on a visual basis can be provided in real time to
assist relief units. Additionally, images can be linked
to GIS/GPS data for geo-referencing, and image
processing algorithms applied for 3D reconstruction
of the scene. We think that whole-cell bacterial bio-
sensors could become powerful tools for safe detec-
tion and monitoring radiation sources in the environ-
ment.

117

2 Approach
2.2 Fluorescent bacterial biosensor
For the construction of the TNT sensitive biosensor
the red fluorescent marker protein tdTomato was
placed under the control of a TNT-inducible promoter
(i.e. pU promoter, ref. fig. 1). The promoter and its
regulatory element (i.e. XylR, Figure 1) were isolated
from a P. putida bacterial strain that metabolizes aro-
matic compounds such as N-xylene. The regulatory
element consists of two subunits, namely a binding
site for aromatics including TNT and a DNA binding
site. The latter translates the binding signal on a ge-
netic level and activates the pU promoter which then
switches on the production of fluorescent proteins.
Since the vitality of the biosensors is crucial for their
functionality, we intend to build biosensors that in vi-
tal stage constantly produce blue fluorescent proteins
in addition to the induced red fluorescent proteins in-
dicating traces of explosives.

Figure 1: Scheme of genetic elements and molecular
interactions in the TNT inducible biosensor.

In an approach similar to the TNT specific biosensor,
we intend to create a radiation-sensitive reporter sys-
tem. It has already been demonstrated that various
bacterial stress promoters such as recA, grpE or katG
are activated upon exposition to gamma-irradiation.
We will identify the most suitable promoter to achieve
gamma-irradiation-induced production of the
tdTomato fluorescent proteins in a dose dependent
manner.
Further, different formulations of the biosensor in
combination with various nutrient supply or nutrient
depletion strategies will be tested. This will ensure the
survival of the biosensor in the soil for the timespan
needed to enable detection of hazardous substances
on the one hand and the efficient elimination of the
biosensors from the soil after the detection procedure
is completed on the other.

2.1 Detection technology
2.1.1 Laser Scanner
For the first experiments on detection of biosensor a
laboratory type laser scanner was constructed. A fre-
quency tripled Nd:YAG laser was modified for coax-
ial emission of the frequency doubled (532 nm) and
tripled (355 nm) wavelength. Thus both fluorescence
signals from the trace substance (td-tomato) and the
viability signal of the bacterial sensor (blue fluores-
cent protein) are excited simultaneously in a single
pulse.

The laser beam was deflected by a two-axis galva-
nometer scanner with 20 mm aperture (Scanlab
SK2020). According to the laser beam divergence the
spot size at 10 m distance was approx. 1 cm in diame-
ter, and the angular step size adjusted for a beam off-
set of 1 cm. Under those conditions a 100% coverage
of the test area was assured. The excitation beam and
the backscattered fluorescence signals were combined
inside the scanner by segmented mirror; the effective
aperture for detection was 15 mm in diameter. Two
photomultiplier tubes (Hamamatsu H6780-20 and
H6779-4) equipped with band pass filters (Omega op-
tical 580DF30 and T 465AF30) were employed to
capture the red and blue signals.

The electronics consists of a time gated integrator for
the photo current and an analog-to-digital converter
for signal storage. The electronics is capable to per-
form single pulse measurements at a rate of 1000
pulses per second. After data collection the signal
heights were colour-encoded and 2D graphical repre-
sentation chosen. The performance of the scanner was
tested in a range of 7 12 m in the laboratory and in
an outdoor demonstration (Figure 2). Measurements
using artificially activated beads showed that detec-
tion under daylight conditions is feasible (Figure 4).

Further technical developments will allow to reduce
the size of the setup and to include the electronics re-
quired for signal conditioning and storage into a
smaller housing. A design concept of a small laser
scanner mounted on a ground-based vehicle has been
proposed (Figure 3).

Figure 2: Laboratory prototype scanner in outdoor
test environment at M-ELROB 2010 Hammelburg,
Germany.

118

Figure 3: Design study of a short range laser scanner

2.1.2 Camera-based acquisition
Terrestrial and mobile scanners are widely employed
for architecture, city modeling, facility management
and mining. These scanners are rugged and compact
devices, modifications of laser source and detectors
are virtually not possible. Airborne laser scanning is
used for data capturing of urban areas, forestry and
topographical applications. These high performance
laser scanners are equipped with bulkier laser sources
and system modifications are feasible due to the larg-
er frame size. Usually the data have to be analyzed
after capture and therefore airborne laser scanning is
not available in real time. Data storage, data
processing and georeferencing require specialized
software and high computing power.

To circumvent these limitations we propose signal
capture and processing by digital image acquisition.
State-of-the-art digital SLR cameras as well as OEM
cameras for sensing applications provide high per-
formance with respect to sensitivity, dynamic range
and data processing capabilities. For fast gathering of
information in the field a visual image of the scene
will be complemented by a fluorescence image of ac-
tivated biosensor beads. Excitation of fluorescence
can be accomplished by a portable green laser projec-
tor, as used for laser shows and events, or a high
power LED illuminator with an optical concentrator.
Fast capture and firmware processing assures real
time capability for generating images (Figure 4) or
even video sequences. Depending on the spectral cha-
racteristics of the sensor simple processing of raw im-
age data can be sufficient to filter out the spectral in-
formation; for higher discrimination a second image
sensor with a band pass for spectral filtering may be
applied.

Figure 4: Artificially induced biosensor beads when
illuminated by a green laser pulse.

By using natural or artificial landmarks and analysing
multiple images which were taken under different
perspectives a 3D reconstruction of a scene can be
performed. This photogrammetry technique is applied
for city modelling [5,6] and documentation of indus-
trial facilities. Commercially available are software
solutions for the generation of data sets and free soft-
ware for viewing of data sets [7,8]. Further, 3D point
clouds obtained with 3D laser scanning can be com-
bined with high resolution images [9]. Sophisticated
software solutions allow the fusion of data derived
from terrestrial stationary scans as well as mobile and
airborne data with image data and therefore the inte-
gration of close-up image data into a global environ-
ment.

3 Outlook
The advantage of the proposed technique would be
the provision of cheap and radiation sensitive biosen-
sors which can be deployed over a large area by
automated systems based on airborne or terrestrial
vehicles. After an incubation period signal detection
is performed by camera-based systems for simple
monitoring of hazard areas. A built-in deactivation
mechanism of the biosensor assures environmental
safety and allows for repeated measurements of the
same area.

Signal capturing of activated sensors will become fea-
sible from without entering the dangerous area and
without the need for personnel access. Various op-
tions for the technical realization represent a tool box
for fast visualization techniques and integration into
global data network. When commercially available
digital cameras can be used cost-effective solutions
become feasible.

119

Acknowledgement
The feasibility study on TNT was funded by the
North-Rhine Westfalia Ministery for Economics with
financial assistance by the European Regional Devel-
opment Fund (ERDF).

References
[1] Meurer, H.; Wehner, M.; Schillberg, S.; Hund-
Rinke, K.; Khn, Ch.; Raven, N; Wirtz, T.: "An
Emerging Remote Sensing Technology and its
Potential Impact on Mine Action", INTERNA-
TIONAL SYMPOSIUM HUMANITARIAN
DEMINING 2010 Sibenik, Croatia
[2] Wehner, M.; Wirtz, T.; Poprawe, R.; Schillberg,
S.; Khn, Ch.; Raven, N.; Hund-Rinke, K.;
Meurer, H: "Biosensors for Stand-Off Detection
of Mines and Explosives by Laser Induced Fluo-
rescence", 5 th Security Research Conference
Berlin, September 7th 9th, 2010
[3] Tiede, D., Burnett, C., Heurich, M.: "Objektba-
sierte Analyse von Laserscanner- und Multi-
spektraldaten zur Einzelbaumdelinierung im Na-
tionalpark Bayerischer Wald". In: Strobl, J.,
Blaschke T., Griesebner, G. (eds.): Angewandte
Geoinformatik 2004, Wichmann Verlag, Heidel-
berg, pp. 690-695.
[4] Min, J.; Lee, C.W.; Moon, S.-H.; LaRossa, R.A.;
Gu, M.B.; "Detection of radiation effects using
recombinant bioluminescent Escherichia coli
strains", Rdiat. Environ. Biophys. (2000) 39;41-
45
[5] Koehl M, Grussenmeyer P.: 3D data acquisition
and modelling in a Topographic Information
System. IAPRS 1998;Vol. 32:314-320.
[6] Zlatanova SPJ, Tempfli K.: 3D object recon-
struction from aerial stereo images. Proceeding
of the 6th International Conference in Central
Europe on Computer Graphics and Visualiza-
tion'98, 1998;Vol. III 9-13 February:472-478.
[7] Application software
http://www.bentley.com/en-US/
[8] Vexcel Corporation, Microsofts geospatial sub-
sidiary, provider of GeoSynth
http://www.vexcel.com/geospatial/geosynth/inde
x.asp ; Capturing and viewing software by Mi-
cosoft http://photosynth.net/
[9] Sima A, Buckley SJ, Schneider D, Howell JA.:
"An improved workflow for image- and laser-
based virtual geological outcrop modelling"
IAPRS 2010;38:115-119

120
Development of a Fully Automated Centrifugal Lab-on-a-Chip System for
Rapid Field Testing of Biological Threats

T. van Oordt
1
, D. Mark
1
, R. Zengerle
1,2,3
,
M. Eberhard
4
, M. Niedrig
5
and. F. von Stetten
1,2

1
HSG-IMIT - Institut fr Mikrotechnik und Informationstechnik, Wilhelm-Schickard-Strasse 10, 78052
Villingen-Schwenningen, Germany
2
Laboratory for MEMS Applications, Department of Microsystems Engineering - IMTEK, University of
Freiburg, Georges-Koehler-Allee 106, 79110 Freiburg, Germany.
3
Centre for Biological Signalling Studies (bioss), Universiy of Freiburg, Georges-Koehler-Allee 106,
79110 Freiburg
4
QIAGEN Lake Constance GmbH, Jacques-Schiesser-Strasse 3, 78333 Stockach, Germany
5
Robert Koch Institut, Nordufer 20, 13353 Berlin Germany

Abstract The worlds growing mobility, mass tourism, and the threat of terrorism increase the risk of
the fast spread of infectious microorganisms and toxins. Todays procedures for pathogen detection
involve complex stationary devices, and are often too time consuming for a rapid and effective
response. Therefore a robust and mobile diagnostic system is required. We present a microstructured
LabDisk which performs complex biochemical analyses together with a mobile centrifugal microfluidic
device which processes the LabDisk. This portable system will allow fully automated and rapid
detection of biological threats at the point of need.

The project S.O.N.D.E.
The project scenario-based emergency diagnostics system for field use (Szenario-orientierte Notfall-
Diagnostik fr den Feldeinsatz, S.O.N.D.E.) is funded by the Federal Ministry of Education and
Research (BMBF) under the research programme for Civil Security of the German Federal
Government as part of the high-tech strategy for Germany.
A mobile and fully integrated diagnostic system for the detection of bacterial pathogens (such as
B. anthracis and Y. pestis) and toxins (such as ricin and botulinum toxin) is being developed and field-
tested as part of the project.
The S.O.N.D.E. consortium unifies leading experts in molecular diagnostics, microsystems technology
and hardware development. Partners from industry and academia are:
Robert Koch Institute, Centre for Biological Security
QIAGEN Lake Constance GmbH
Institut fr Mikrotechnik und Informationstechnik (HSG-IMIT)
University of Freiburg, Department of Microsystems Engineering, (IMTEK), Laboratory for
Sensors
University Medical Center Goettingen, Institute of Virology
University Medical Center Freiburg, Institute for Molecular Medicine and Cell Research
University of Freiburg, Zentrum fr Angewandte Biowissenschaften

The diagnostic system
The diagnostic system consists of a microstructured LabDisk which in which the biochemical analysis
is performed, and a mobile centrifugal processing device which controls fully automated liquid handling
of the LabDisk (Figure 1). The system is designed for point-of-care applications: the ready-to-use
disposable LabDisk is equipped with pre-stored reagents and the portable centrifugal processing
device allows processing at the site of patient care.

121

Figure 1: Portable diagnostic system for point-of-care applications comprising a disposable LabDisk for the nucleic
acid based detection of pathogenic microorganisms and the immunoassay based detection of toxins, as well as a
centrifugal processing device.

LabDisk
The LabDisks are microstructured polymer disks which include all of the required liquid handling
operations to perform biochemical analysis. The foil based production approach by micro-
thermoforming of the LabDisks offers unique features such as low thermal resistance for efficient
thermocycling and low material consumption, which is attractive for a cost-efficient and large-scale
production of disposables
1
. Microthermoforming of polymer films of typically 180 m thickness is
performed in a modified hot embossing machine, using a defined pressure and vacuum protocol. The
use of this novel process has already been reported for the manufacturing of LabDisks used for
sensitive subtyping of pathogenic bacteria by real-time PCR
2
and isothermal amplification of an
antibiotic resistant gene of methicillin resistant Stapphylococcus aureus (MRSA)
3
.
Objective of the project S.O.N.D.E is to implement an immunoassay and a nucleic acid analysis into
the disposable LabDisk. The immunoassay allows the detection of ricin from blood plasma samples;
the nucleic acid analysis includes a DNA/RNA extraction and an isothermal amplification for the
detection of several microbial pathogens such as Y. pestis and B. anthracis. For both assays, the
complete microfluidic structures have been integrated into the foil-based disks and all the required
microfluidic unit operations required to perform the assays have been verified. This includes in
particular (i) the storage of liquids and lyophilised reagents on the LabDisk and their time-controlled
release, (ii) the transfer of sample material by the use of antibody-coated microbeads and (iii) the
aliquoting of sample material for simultaneous analysis on one LabDisk.

(i) On the disposable LabDisk the required buffer solutions are stored in aluminium pouches. Applying
a well-defined ultrasonic welding protocol the liquid filled pouches are equipped with a frangible seal.
Due to the hydrostatic pressure of the liquids during centrifugation of the LabDisk the frangible seal
bursts at a defined rotational threshold frequency of the disk and the reagents are released. Figure 2
shows a LabDisk with the microfluidic design for the immunoassay with integrated aluminium pouches
for reagent pre-storage. The pouches are filled with the required washing buffers as well as with
skimmed milk powder that, after rehydration, is used to block unspecific binding.

122

Figure 2: Disposable test carrier for immunoassay: reagents are stored in aluminium pouches. If centrifugal force is
applied, the pouches burst due to the increased hydrostatic pressureof the liquid.

(ii) Both assays, the immunoassay and the nucleic acid extraction, are based on magnetic beads as
mobile solid phase. Centrifugal acceleration forces mix the sample material with the magnetic
microbeads, and magnetic forces allow the transfer of the microbeads between reaction chambers.
Figure 3 indicates the transfer-procedure of microbeads from the sample chamber to the detection via
the washing chambers. The transfer is performed automatically rotating the LabDisk over stationary
magnets that are integrated into the processing device.

Figure 3: Transportation of magnetic microbeads in the LabDisk. The transfer of the microbeads is fully automated
by rotating the LabDisk over a magnet that is integrated into the processing device.

(iii) Aliquoting of liquid sample material enables the simultaneous detection of multiple biological
threats. Figure 4 shows the aliquoting structure of the nucleic acid analysis. After the extraction of
DNA/RNA from blood plasma the the sample is divided into multiple chambers with identical volumes
for isothermal amplification of individual target sequences used for specific identification of pathogens.

123

Figure 4: Aliquoting structure of the nucleic acid analysis. Dividing the sample enables the simultaneous detection of
multiple biological threats. After extraction and amplification the sample is divided into multiple chambers with
identical volumes of 10 l.

Processing Device:
In addition to the LabDisk, a centrifugal device for processing of the LabDisk is being developed within
the project. After being loaded with the sample the test carrier is inserted into this device which is able
to run a fully automated and defined rotation- and temperature protocol to control the complete
analysis. Integrated into the processing device are a heater for isothermal incubation and detection
units for a fluorescence and chemiluminescence readout. No additional manual handling steps are
needed to perform the required unit operations of the analysis such as valving, mixing and aliquoting.
The required frequencies of rotation for processing the test carrier are in the range of 0 50 Hz
allowing mixing and valving;.magnets that are integrated into the device allow the handling of the
LabDisk-integrated microbeads. The heater allows isothermal heating up to 70 C, however the
required temperatures for the nucleic acid analysis is only in the range of 25 C 55 C. The portable
processing device has a weight of 2 kg and allows user-friendly handling and therefore fulfils the
requirements for point-of-care applications.

Conclusion and outlook
The project S.O.N.D.E. aims at developing a mobile and fully integrated system that provides rapid
detection of pathogenic microorganisms and toxins. The production of the microstructured disposable
LabDisks and the development of a portable centrifugal platform have already been successfully
demonstrated. All the basic handling procedures to perform the assay have been developed and
integrated. Currently the performance of the complete assays is under validation. Future steps are to
fabricate a pilot series of test carriers in a prototyping line and to perform field tests with the integrated
S.O.N.D.E. system.

Acknowledgement
We acknowledge funding by German Federal Ministry of Education and Research (BMBF)
Grant Numbers 13N10113 - 13N10117.

References
1. M. Focke, D. Kosse, C. Mller, H. Reinecke, R. Zengerle and F. von Stetten, Lab Chip,
2010, vol. 10 (11), pp. 1365-1386.
2. M. Focke, F. Stumpf, B. Faltin, P. Reith, D. Bamarni, S. Wadle, C. Mller, H. Reinecke,
J. Schrenzel, P. Francois, D. Mark, G. Roth, R. Zengerle and F. von Stetten, Lab Chip,
2010, vol. 10 (19), pp. 2519-2526.
3. S. Lutz, P. Weber, M. Focke, B. Faltin, J. Hoffmann, C. Mller, D. Mark, G. Roth, p.
Munday, N. Armes, O. Piepenburg, R. Zengerle and F. von Stetten, Lab Chip, 2010, vol.
10 (10), pp. 887-893.
124
Detection Technologies Common Concepts in Security and
Safety
Kurt Osterloh, Norma Wrobel, Uwe Ewert, BAM Federal Institute for Materials Research and Testing, Berlin,
Germany
Vjera Krstelj, EFNDT European Federation for Non-Destructive Testing, CrSNDT, Zagreb, Croatia
Davor Zvizdic, FSB Faculty of Mechanical Engineering and Naval Architecture, University of Zagreb, Croatia
Abstract
Security and safety are separate fields with overlaps in methodological approaches and similar needs for assess-
ments of efficiency to resolving the respective problems. However, some actors in either field may be unaware
of what security technologies and non-destructive testing (NDT) may have in common. In both areas, the goal is
to identify signatures indicating certain threats so measures can be taken to prevent catastrophic events. This
gives rise to cooperate, to exchange experiences and to avoid unnecessary duplication. Within the European
Federation for Non-Destructive Testing (EFNDT), the Working Group 5 took initiative into this direction to
form a bridge connecting the two different areas security and safety.

1 Introduction
1.1 Separated Responsibilities
While technical safety arose from science and engi-
neering the public security classically has social roots
such as law enforcement, though with technical sup-
port. As a consequence, several authorities, organisa-
tions and agencies are committed to maintain security
in our society. Though already a fragmented area, it
is separated from caring for technical safety domi-
nated by all kinds of technical testings. The latter in-
cludes both, investigating the cause of accidents and
the preventive search for flaws that could lead to a
catastrophic event. It comprises scanning of technical
parts in the production line as well as in-service in-
spection of complete infrastructures such as railways,
industrial plants or power stations.
As a representative for the interrogation of technical
parts, the European Federation for Non-Destructive
Testing (EFNDT) has established working groups for
tackling certain subjects within the field of technical
safety. One of them is the Working Group 5 commit-
ted to linking technical safety with public security. As
stated in the Working Groups commitment [1], the
preservation of human achievements and progress is
undoubtedly a pillar of our society. This includes de-
tecting threats in time to prevent disasters that may
occur from forces of nature, defective technology, hu-
man failure or malicious intent. In this respect, argua-
bly there is no difference between safety and security,
though different institutions are involved in the regu-
lation and control of them. As a consequence, the uni-
fying rationale ought to result in the building of
bridges between them.
In both areas, the goal is to identify signatures indi-
cating certain threats so measures can be taken to pre-
vent catastrophic events. This gives rise to cooperate,
to exchange experiences and to avoid unnecessary
duplication, in other words, to establish a bridge be-
tween these two separate areas.

1.2 A Bridge between Separate Areas
Figure 1 The Glienicke Bridge between Berlin and
Potsdam symbolising a link connecting separate ar-
eas.
Symbolically, the Glienicke Bridge spanning the
Havel River in the south-east of Berlin connects the
two areas of Berlin and Brandenburg (see Figure 1).
125
At the time of the German-German separation it was
exactly on the borderline between the political entities
East and the West. It was the site of exchanging
spies. Ironically, the way from the political East to
the political West was directed geographically from
the west to the east. After the reunification of Ger-
many there is a free traffic flow in both directions. So
this bridge now serves its original purpose to link two
separate areas. Bearing this image in mind, the
EFNDT Working Group 5 intends to establish a
bridge between two organisational separate areas.
2 Estabishing a forum as a
mean for bridging
2.1 An Obvious Rationale
Though allocated in different responsibilities, it is the
common goal of safety and security, understood as
technical safety on one hand and protecting the public
life on the other hand, to prevent catastrophic events
by detecting their causation in time to launch render-
ing safe procedures. This means that both sides are
relying on various detection technologies. In spite of
the distinct fields of security and safety there are
doubtlessly overlaps in methodological approaches
and assessments of efficiency to resolving the respec-
tive problems. As a most obvious example, radiologi-
cal inspection is commonly applied in the scanning of
parts in a production line on one hand and in the bag-
gage inspection practised in any airport on the other
hand. However, several actors still may be unaware
of what security technologies and non-destructive
testing (NDT) are having in common. The other way
round, NDT operators in the field could learn from
the experience the security officers may have gath-
ered during their duty. As a consequence, both sides,
technical safety and public security, certainly would
profit from a forum for discussing technical and
methodological approaches and concepts on a mutual
base.

2.2 The formation of the EFNDT
Working Group 5
The European Federation for Non-Destructive Testing
(EFNDT) took the initiative in this direction by estab-
lishing a dedicated working group, the Working
Group 5, more than a decade ago [2]. The initial
problem tackled at that time was the detection of anti-
personnel mines as they were encountered after the
Yugoslav Wars between 1991 and 1995 and other
conflicts worldwide. They have made large areas
practically inaccessible. Different lanes of activities
have been evolved such as the dialog particularly be-
tween well established application fields (NDT) and
those of identifying newly raised threats (security,
[3]), the search for and development of advanced
technologies [4] and the evaluation of currently ap-
plied methods [5]. In the meantime, it became too
obvious that anti-personnel mines, though life threat-
ening in many parts of the world, are a problem con-
fined to certain areas only while a rather similar one
has become ubiquitous the terrorist threat. As a
consequence, the EFNDT Working Group 5 has ex-
tended its scope accordingly and changed its name to
Public Security and Safety NDT Technology
(PSSndtT). The foremost mission of this Working
Group is to bridge practicing security and safety by
the transfer of knowledge and experiences from estab-
lished applications to the countering of the current
and upcoming threats to the public life. This includes
consideration and drafting common future activities.

3 Realising a Bridge between
Safety and Security
3.1 Means of Realisation
The idea of pondering non-destructive testing tech-
nologies as they are used for technical safety for pub-
lic security applications could be regarded as the
bridge head on one side. One approach of this kind
was equipping prodders for demining with ultrasonic
sensor for material differentiation between a rock and
the shell of a mine [4]. Moreover, a large methodo-
logical principle is widely applied on both sides
though in slightly different ways: the radiological in-
spection, as mentioned before. On the side of techni-
cal safety, this is one of the key technologies to detect
flaws in critical parts that may be involved in vulner-
able facilities of any kind. On the other hand, princi-
pally the same method is a routine measure to inspect
the luggage in airports or other critical infrastructures.
The major difference consists in the existing knowl-
edge of the object to be interrogated. Blueprints may
be available on the technical side but definitely not on
the other (with the exception of military mines if visi-
ble, but one has to be well aware of booby traps).
Due to the particular nature of the objects searched
for there are diverging details within the technologies
applied. They have, of course, to be identified and
considered adequately.
Nevertheless, enough of common aspects remain to
be discussed. This includes the assessment of the reli-
ability of the various approaches or stressful working
conditions of the operators in certain conditions. As
an example, the reliability of metal detectors has been
assessed in the application of humanitarian deminging
by means introduced in non-destructive testing [5].
As a first point of contact commencing in participat-
ing in the dialog between the two distinct areas tech-
nical safety and public security, the Working Group 5
126
presentation within the EFNDT website [1] offers an
opportunity to everyone it may concern. It is in-
tended to serve as an exchange forum for future dia-
logs and the exchange of ideas and concepts. How-
ever, no group is viable without meetings and some
kind of collaboration. For this purpose, meetings and
workshops shall be organised on selected topics per-
taining to current developments or actual situations.
They shall be announced on the website mentioned
above. Moreover, these get-togethers should initiate
or sustain groups and consortia to commence com-
mon projects. This includes participation in various
funding programmes.
3.2 Subjects of Activities
The bridging concept the EFNDT Working Group is
committed to should be realised in detail as follows:
Identification of peculiarities of either safety or
security. Beside all common features also the
differences have to be identified and to be tack-
led accordingly. This includes pondering on the
existence of a priori knowledge (virtually blue-
prints). Modifications may be necessary re-
specting the different areas of application.
Providing a communication platform for a mu-
tual understanding between the separate areas.
Both sides could profit from the experiences of
the other one. This particularly applies for in-
field applications under stressy conditions.
However, this requires a common glossary to be
elaborated (see below).
Revision of existing NDT technologies for their
use in security applications. This pertains to
method rarely considered for security applica-
tions yet, if at all. In a broader sense, this in-
cludes also assessment protocols and quality as-
surance measures as they are implemented in the
field of non-destructive testing.
Setting frameworks for common definitions.
This means in practice to elaborating common
glossaries for mutual understanding, drafting
recommendations and contributing to standards,
certification rules and training modules.
Dedicated workshops on selected subjects per-
taining to both technical safety and public secu-
rity. It should comprise the whole range of
small seminars and workshops dedicated to cer-
tain topics arising from either fundamental tech-
nological problems e.g. in improving detection
capabilities or upcoming actual situations up to
thematic sessions within larger conferences or
events. This should help to increase the Work-
ing Groups visibility to the outside.
Formation of consortia for joint research propos-
als. They should arise from the events as men-
tioned before. The Working Group shall also be
open for existing consortia who are seeking ad-
ditional partners or support to complement in-
tended or drafted projects.
3.3 A Thought on Project Planning
The way how to realise any project requires some sort
of planning. However, there is a profound difference
if this is pertaining to erecting a building or develop-
ing a security measure. In the first place, there is an
exact plan to follow and the final purpose is abso-
lutely clear up to the last detail. In the other case, a
yet absolutely unknown threat may be encountered
and has to be countered immediately. None of the re-
cent catastrophic attacs had a precise precursor dis-
closing any sort of the apparent strategy ore means.
The most obvious common denominator seems to be
surprising the victim. Flexibility appears to be re-
quired more than conceptional details of past events
(scenarios). So it remains a challenge to either side to
prepare suitable countermeasures for future attacks
even another reason for building a bridge between
these separate areas for a mutual exchange and future
cooperation.
References
[1] EFNDT Working Group 5, http://www.efndt.org/
[2] Osterloh, K.; Krstelj, V.; Ewert, U.: EFNDT
Working Group 5: Public Security and Safety
NDT Technologies, 10th European Conference on
Non-Destructive Testing, Moscow 2010, June 7-
11, report 2_06
[3] Krstelj; V.: Public Security and Safety Technol-
ogy, 9th European Conference on NDT - Septem-
ber 2006 - Berlin (Germany) ECNDT 2006 -
Tu.3.4.1
[4] Krstelj, V.; Stepani, J.; Markui, D.: Concept of
Ultrasonically-based Materials Characterization in
Non-Characterized Environment, 16th World Con-
ference on NDT - 2004 Montreal (Canada)
WCNDT 2004, 320
[5] Mueller, C.; Gaal, M.; Pavlovic, M.; Scharmach,
M.: Reliability Tests for Demining, Proc. Vth In-
ternational Workshop, Advances in Signal Proc-
essing for Non Destructive Evaluation of Materi-
als, Qubec City (Canada),2-4 Aug. 2005. X.
Maldague ed., . du CAO (2006), ISBN 2-
9809199-0-X

Acknowledgement
The activities of the EFNDT Working Group 5 are
supported by the German Society for Nondestructive
Testing (Deutsche Gesellschaft fr Zerstrungsfreie
Prfung, DGZfP e.V.). Parts of the concept were
mapped out within the project FluSs (FKZ:
13N10054) supported by the German Federal Minis-
try of Education and Research (BMBF).
127
Variable irradiation geometry with a new X-ray backscatter
camera for security applications
Norma Wrobel, Kurt Osterloh, Uwe Zscherpel, Uwe Ewert, BAM Federal Institute for Materials Research and
Testing, Berlin, Germany

Abstract
Currently applied methods for X-ray backscattering radiography use a scanning pencil beam and a
large-area and highly sensitive detector. The location of the reflected radiation will be defined by the beam-
position and the intensity by the measured dose of radiation recorded by the detector system. The advantage of
this widely used process is the low radiation dosage concerning the inspected object. However, the disadvantage
remains that some structures remain undiscovered and dangerous objects might be masked by a surrounding
backscattering environment. The new X-ray backscatter camera with a special twisted slit collimator offers an
imaging method for solving those problems. This new technique allows variable irradiation geometry in
difference to existing solutions. The capability to visualise silhouettes of absorbing details in front of scattering
bulk materials will be beneficial in the inspection of luggage on airports or for screening cargo containers,
especially if for the inspection the access is only from one side.

1 The new X-ray backscatter
camera
1.1 The principle of the technique

The X-ray backscattering radiography is based on the
inelastically scattered X-ray photons, known as
Compton Scattering. With this radiation effect objects
transparent to X-rays emit scattered radiation so that
they appear shining. This occurs preferentially in
organic and low-numbered materials based on their
ranking in the periodic table. All elements with high
atomic numbers (e.g. heavy metals) mainly absorb X-
ray photons so they emit scattered radiation to the
outside with a much lesser intensity, if detectable at
all.
X-ray images are generated by beam attenuation with
the source on one side of the object and the image de-
tector on the other side. The situation changes princi-
pally if the object to be investigated only allows an
access from one side. Here, the alternative approach
to use scattered radiation for imaging provides a
solution.
The underlying fundament of the recently introduced
X-ray backscatter camera is based on the principle of
a simple pinhole camera.

Figure 1 Principles of generating backscatter images.

Figure 1 shows two different approaches to generate a
backscatter image: on the left side with a directed
pencil beam combined with a large area high sensitive
detector and on the right the illumination of a large
area with high intensity source and a camera as an
image detector. Commercially available systems for
scanning large objects like containers, or trucks are
generally using the first principle, i.e. the pencil beam
technique.
[1]
Because of the fact that no comparable
optical device exists which can be used for X-rays of
higher energy more than 100 keV, the new X-ray
backscatter camera has been developed comprising a
novel twisted slit collimator.

1.1 The novel twisted slit collimator

The new X-ray backscatter camera is equipped with a
unique twisted slit collimator. This offers an imaging
technique in spite of the thickness of the diaphragm
required for shielding.
[2]
Figure 1 demonstrates the
principle of generating images with a pinhole camera.
With this application it is perspicuous that the dia-
phragm in the pinhole camera has to be as thin as pos-
sible, or the hole functions merely as a collimator for
a pencil beam. To avoid this consequence a previous
technical approach consisted of a hole that has been
widened to a cone with an aperture of 8.
[3]
Other ap-
proaches such as the Soller-like aperture try to enable
imaging with series of parallel holes similar to a
thick-walled sieve but only able for passing parallel
rays.
[4,5]

The construction of the new X-ray backscatter camera
consists of a diaphragm with a virtual continuous se-
ries of holes in shifted direction which merges to-
gether forming a twisted slit. This approach results in
a large angular aperture with a wall thickness
128
adequate for shielding hard radiation like high energy
X-ray or even gamma rays.

Figure 2 Twisted Slit Collimator
Figure 2 shows a drawing of the twisted slit collima-
tor. On the front side the slit is inclined into one direc-
tion and on the back side into the opposite one. So a
linear passage through the slit is possible only
through a hole shaped gap in any vertical direction.

1.2 Development of the camera

In the last two years the design of introduced X-ray
backscatter camera has passed through an ongoing
development. The above described principle of the
twisted slit collimator has been realized at first as a
solid block of 50 mm thickness incorporated in a lead
brick which can be easily integrated into a variable
lead box (Figure 3).

Figure 3 Pictures of the originally camera and an example
of the experimental setup.

For the experimental setup the lead brick with the col-
limator is integrated in the middle of the front side of
a box built of lead bricks. To have a look inside the
lid has been removed (Figure 3 lower right panel). To
obtain an X-ray backscattering image this box is
equipped with a phosphor imaging plate as a detector.
The X-ray source for illumination here is placed on
the same side of interrogated object with an angle of
ca. 45 to the central viewing axis of the camera.
This first realisation of the camera, built of several
lead bricks, weighs about 300 kg and is rather imprac-
tical in use. Because of the complicated handling the
progress results in an advanced development of a next
generation of the new X-ray backscattering camera.

Figure 4 Next generation of the X-ray backscattering
camera with twisted slit collimator. In the lower
picture the image plate is replaced by a digital
matrix detector.
The next generation of the X-ray backscattering
camera (Figure 4) consists of a much smaller housing
made of tungsten with a weight of ca. 30 kg ten times
less than the previous model. Because of the weight
reduction and the compact construction the handling
of the camera is became easier. In addition, there is
another big advantage using the new camera. For
imaging the usual imaging plate can be replaced by a
digital matrix detector which reduces the exposure
time from about 30 min down to less than a minute.

Exposure Time

Camera
(Lead Box)
40-30 min Imaging Plate
Camera
(Tungsten)
30-15 min Imaging Plate
Camera
(Tungsten)
40 s !!!
Digital Matrix
Detector

Table 1 Reduction of the exposure time.

With this considerable time reduction making an X-
ray backscattering images by using this new construc-
tion of the camera in combination with a digital ma-
trix detector the technique of X-ray backscattering
will be more attractive.
129
2 Functionality and Application
2.1 Using X-ray backscattering with
this technique
Compared to the common methods for X-ray
backscattering using a scanning pencil beam the
location of the scattering bulk material that might hide
some absorbing details appears less limiting. With this
configuration of the new camera the object that has to
be interrogated will be fully illuminated by the X-rays
from directions independently from the viewing one.
This gives also the possibility to mask certain areas
especially the scattering ones lying in front of
absorbing details by additionally used shielding. With
this procedure those embedded parts are also made
visible as silhouettes.
A beaker filled with water and a bolt and nut inside
was selected as an efficient scattering object to test
the functionality.

Figure 5 Changing of irradiation geometry and viewing
direction

The experimental setup in Figure 5 shows that
absorbing details from the inside of object, here an
absorbing bolt with a nut in the centre of scattering
water, was made visible in the dependence of the
irradiation geometry, i.e. the angle between the
incident radiation and the viewing axis of the camera.
In the first experimental setup with a small angle only
the scattering water has been detected and the bolt
inside remained invisible. The camera and the
beaming were oriented here nearly in the same
direction. Changing the setup like in the second panel
of Figure 5 with the beaming direction and the camera
perpendicular to each other the bolt and nut inside the
water appears weakly but detectable. After
modification of the beaming direction by shielding
the part of the beam towards the camera with a lead
board (third picture) the bolt with the nut inside the
water became clearly identifiable. As a consequence,
absorbing details of objects which have to be
interrogated with the X-ray backscattering technique
will appear differently depending on their
surroundings and illumination. They may appear as
silhouettes in an X-ray image clearly, faint or not at
all.

Figure 6 Dependency of the object surrounding. Top row:
the object and its backscattering image stand-alone; bottom
row: the object and its image with a marble plate in the
back.

Figure 6 shows another example of the dependency of
the object surrounding using X-ray backscattering.
Investigating objects without any influence from
adjacent items show identifiably the object (top
panels) with their scattering outer shell only. In
contrast, some internal features of absorbing details
become apparent as silhouettes if the object of interest
is located directly in front of a scattering bulk phase
like a marble plate. Moreover, the absorbing parts of
the objects cause a shadow within the scattering wall
in the rear (to the left of the object itself). As a
consequence, some specimens appear differently
depending on the scattering properties of the
surrounding. With this freedom in varying the
irradiation geometry the new X-ray backscattering
130
camera offers the possibility of variable illumination
to unravel certain features of absorbing details not
directly visible due to their densities when applying
the backscatter principle.

2.2 Using this technique for security
application

Considering all the presented facts this new technique
will be beneficial for security application like in the
inspection of luggage on airport or for screening
cargo containers, especially if there is an access only
from one side for the inspection and suspicious details
may be disguised by a scattering shell.
Another consideration of interrogating luggage on
airport pertains to the transportation of liquids in the
hand luggage. The described method appears to be
useful also for this purpose. Liquids are particularly
prone to backscattering X-rays as shown above by the
beaker full of water. This makes them detectable
even in an unsorted environment.

Figure 7 Comparison of liquids and solids in an X-ray
backscattering image. On the left the liquids: left
water, right acetone; on the right: left water, right
CaSO
4
.

Figure 7 shows X-ray backscattering images of small
bottles with different fillings. In the images liquids
appear bright but it cannot be discriminated between
the different types (in the left panel water and
acetone). In the right panel it is obvious that there is a
liquid in the left bottle (here water) while the other
one contained a solid (here crystalline CaSO
4
). As a
result, there is a difference between liquids and solids
identifiable based on the comparison of the bright
intensities from the scattering liquids on one hand
with the lightly one from solids on the other hand.
So with this method liquid in hand luggage or in
cargo containers are detectable with this X-ray
backscattering technique shown above even in a
rather crowded environment with solids. Principally it
can be used to interrogate objects like suitcases,
parcels or containers that might be placed at a wall or
in a corner with access only from one side. It is
complementary to the conventional X-ray inspection
because it is sensitive for low Z materials and liquids.

References
[1] W.W. Sapp Jr., P. Rothschild, R. Schueller, A.
Mishin: New, low dose 1 MeV cargo inspection
system with backscatter imaging, Penetrating
Radiation Systems and Applications II (ed.
F.P.Doty et al.), Proceedings of SPIE Vol.4142
(2000), 169-174.
[2] K. Osterloh, U. Ewert, H.-J. Knischek, Blende
fr eine bildgebende Einrichtung, Patent DE 10
2005 029 674, granted 21.August 2008.
[3] Non-destructive testing Characteristics of focal
spots in industrial X-ray systems for use in non-
destructive testing Part 2: Pinhole camera
radiographic method, EN 12543-2:2008-10.
[4] J. Wong, P.A. Waide, J.W. Elmer, A.C.
Thompson: Spatially resolved diffraction using a
Soller Collimator-Imaging plate assembly, Nucl.
Instr. & Meth. Phys. Res. A 446 (2000), 581-
591.
[5] J.S. Iwanczyk, B.E. Patt: Radiation Imaging
Detector: US Patent No. 5773829. Granted June
30, 1998.

131
TNT HMX
PETN RDX

Figure 1 Structural formulas of different nitro based
explosives. The nitrogen dioxide (NO
2
)
functional groups are weakly bound and re-
lease on excitation with intense pulsed laser
radiation
Surface sensitive detection of trace explosives with UV pho-
tofragmentation
Jens-Uwe Guenther, Christian Bohling, SECOPTA GmbH, Ostendstr. 25, D-12459 Berlin, Germany,
jens-uwe.guenther@secopta.de, www.secopta.de
Mario Mordmueller, LaserApplicationCenter, Clausthal University of Technology, Am Stollen 19, D-38640 Go-
slar, Germany
Wolfgang Schade, Fraunhofer Institute for Telecommunications, Heinrich Hertz Institute, Fiber Optical Sensor
Systems, Am Stollen 19, D-38640 Goslar, Germany
Abstract
Trace detection of energetic materials is a method to screen personnel, packages, vehicles and other items for
concealed explosives. Surface sensitive techniques are promising, because it is likely, that a person who prepares
or carries explosives will inadvertently contaminate himself and the exterior of the package with the explosive. A
promising technique is pulsed laser fragmentation (PLF) in combination with subsequent detection of the charac-
teristical fragments. In PLF a pulsed laser is utilized to photofragment the natural molecules of a sample. For ni-
tro-based explosives, such as 2,4,6-trinitrotoluene (TNT), pentaerythritol tetranitrate (PETN) or hexahydro-1,3,5-
trinitro-s-triazine (RDX), the concentration ratio of the fragments NO and NO
2
is discussed to be a good indica-
tor. Characteristic for these energetic materials is an exceeding NO concentration.
We present first experimental results of the development of a compact surface sensitive detector based on PLF
and electrochemical sensing. In a laboratory setup, pulsed laser beams in the ultraviolet spectral range (266nm or
355nm) are directed to a contaminated specimen to generate NO and NO
2
fragments. The specimen is placed in a
hermetically sealed chamber. The increasing concentrations of NO and NO
2
are locally detected inside the cham-
ber using electrochemical sensors as well as from stand-off distances using MIR laser absorption.
Additionally, a portable setup is developed. In order to improve the sensitivity of the detector and the rapidity of
sensing the measurement volume is shrinked to a value of approximately 1cm
3
. The results promise, that a TNT
surface contamination of only a few nanograms per square centimeter can be reliably detected.

1 Introduction
In the last decade there have been significant advances
in explosives detection instrumentation. However, the
rapidly evolving threads have initiated an urgent need
for explosives sensing systems applicable for rapid
testing in a wide range of ambient conditions.
Nitro based explosive compounds e. g. 2,4,6-trinitro-
toluene (TNT), hexahydro-1,3,5-trinitro-1,3,5-triazine
(RDX), cyclotetramethylentetranitramin (HMX) or
pentaerythritol tetranitrate (PETN), are potent explo-
sives for which techniques for detection on a persons
body or in ones baggage is considered important for
assuring security in environments such as aviation,
public transportation networks and sensitive facili-
ties [1].
Contrary to bulk detection methods, such as X-ray im-
aging, trace detection technologies focus on vapor of
the explosives. Due to their very low vapour pressure
(P
v
10
9
to 10
6
mbar at room temperature) the sens-
ing of nitro based explosives is challenging using con-
ventional methods [2,3].
132
Microchip
Laser
M
i
r
r
o
r
Sealed
Chamber
N
O
N
O
2

Figure 3 Laboratory Setup

Figure 2 View inside the chamber
Technical trace detection methods have to compete
with trained canines. Due to their outstanding olfac-
tion they are widely considered as high-sensitive, mo-
bile and user-friendly method of explosives detection
[4]. Another advantage is the ability to rapidly follow
a scent directly to its source. Disadvantages of dogs
compared to technologies include: limited duty cycle
(a dog works about 1 h before requiring a break), the
need for regular retraining, the impossibility of quanti-
tative calibration, the deficient reproducibility and the
inability to communicate to the handler the type of
explosive that is detected [1].
Currently, many different techniques exist for detect-
ing trace explosives. The most established include ion
mobility spectrometry (IMS), mass spectrometry (MS)
and gas chromatography (GC) [5,6,7]. However, most
of these devices are immobile, expensive, susceptible
to false positives or require time-consuming prepara-
tion procedures.
A technique which emerges to become a powerful tool
for rapid onsite of nitro based explosives is pulsed la-
ser fragmentation (PLF) with subsequent detection of
characteristic fragments. Common to nitro based ex-
plosives are one or more nitrogen dioxide (NO
2
) func-
tional groups (Figure 1), which are weakly bound to
the main skeletal portion of the molecule [8]. The
NO
2
groups were found to release from the parent ex-
plosive molecule and to dissociate into nitric oxide
(NO) on intense excitation with pulsed laser radiation
[8,9,10].
In contrast to non-energetic materials, e. g. polyamide
(PA), where large amounts of NO
2
are generated dur-
ing fragmentation but only traces of NO, energetic
materials show a completely different ratio: it is char-
acteristic, that the NO emission rate exceeds the one
of NO
2
after PLF [10]. Additionally, the rate at which
NO is generated varies for different energetic materi-
als a feature which may be used to distinguish be-
tween different types of explosives [11].
In this contribution we report about two adaptions of
PLF:
The combination of PLF induced by UV laser ra-
diation with electrochemical sensing of the gener-
ated NO
X
allows the development of a field port-
able, inexpensive and userfriendly detector for
rapid testing.
A detection scheme for stand-off sensing of nitro
based explosives combines an actively Q-switched
Nd:YAG laser for PLF and subsequent detection of
NO and NO
2
via absorption spectroscopy in the
MIR spectral region.
2 Experimental
2.1 Combination of PLF with Gas Sen-
sors
2.1.1 Laboratory Setup
The concept is proofed experimentally using a labora-
tory setup, previously described in [12] and depicted
in Figure 3. The setup includes the high power micro-
chip laser FQSS 266-200 obtained from CryLaS
GmbH, Berlin, Germany (wavelength = 266nm,
repetition rate f
rep
= 60Hz, pulse energy E
P
= 200J,
pulse duration t
P
= 1.3ns) and a hermetically sealed
chamber. The specimen, a 10 mm 11 mm aluminium
tile, contaminated with different amounts of the explo-
sives as well as the NO and NO
2
gas sensors (NO/S-
25 and NO2/S-20 from Membrapor, Zurich, Switzer-
land) are placed inside the chamber (Figure 2). De-
tailed description of the sample preparation can be
found in [12].
Photofragmentation is performed by treating the sam-
ple surface with the UV laser radiation. In case of the
bare aluminium surface, neither NO nor NO
2
are gen-
erated (Figure 4a). Treatment of the TNT contami-
nated sample leads to significant NO
X
emission and
both, the NO and NO
2
concentrations increase linearly
during the scan of the sample surface while the gen-
eration rate of the former exceeds the latter (Figure
4b).
133
0 20 40 60 80 100
0.0
0.2
0.4
0.6
0.8
1.0
1.2
1.4
Scanned Area [mm
2
]

N
O
X

c
o
n
c
e
n
t
r
a
t
i
o
n

[
p
p
m
]
(a)
0 20 40 60 80 100
NO
NO
2
(b)

Scanned Area [mm
2
]
Figure 4 NO
X
emission during pulsed laser fragmentation: (a) bare aluminium surface, (b) after contamination
of the aluminium surface (A = 1.1cm
2
) with 100g TNT.

TNT RDX HMX PETN
0
1
2
3

N
O
X

m
a
x
.

c
o
n
c
e
n
t
r
a
t
i
o
n

[
p
p
m
]
NO
NO
2
(a)
TNT RDX HMX PETN PA*
0.1
1
10
(b)

m
a
x
.

c
o
n
c
e
n
t
r
a
t
i
o
n

r
a
t
i
o

(
N
O
/
N
O
2
)

Figure 5 (a): Maximum concentrations of NO and NO
2
after PLF of different nitro based explosives. Each sam-
ple is prepared with 100g of the particular explosive.
(b): Ratio between maximum concentrations of NO and NO
2
. Characteristic for energetic materials is
an exceeding NO concentration, while a polymer sample (polyamide, PA) shows inverted behaviour.
*standard chemiluminescence measurement after PLF with excitation at = 1.06m, as reported by
Bauer et al.[10].

Since the fragmentation rates depend on the kind of
the precursor compound, they may also contribute to
the selectivity of the method. Figure 5a shows the
maximum concentrations of NO and NO
2
after PLF
for different energetic compounds. Each sample is
prepared with m = 100g of the particular explosive.
An indicator to distinguish explosives from simple
plastics, like polyamide, is the concentration ratio be-
tween the generated NO and NO
2
(Figure 5b). For all
tested explosive compounds, the amount of NO ex-
ceeds the one of NO
2
at least by a factor of 2,
whereas this ratio is inverted for the polyamide sam-
ple [10].
Due to the large chamber volume (V 750cm
3
) sensi-
tivity and rapidity of this laboratory setup are limited.
Only surface contaminations of the order of g/cm
2

could be detected and the measurement time is about
5 minutes.

2.1.2 Compact Analysis Module for Mobile
Device
The scheme of a portable device which is applicable
for rapid sensing of trace explosives is shown in
Figure 6. To provide laser safety, i. e. to prevent UV
laser radiation from being emitted to the environ-
ment, the sampling part is splitted from the analysis
unit.
134
0 20 40 60 80 100
(a)
accum. time = 30s
Laser on
Time [s]

N
O
X

s
e
n
s
o
r

r
e
s
p
o
n
s
e

[
a
.
u
.
]
NO
NO
2
0 20 40 60 80 100
(b)
accum. time = 60s
Laser on
Time [s]

0 20 40 60 80 100
(c)
accum. time = 120s
Laser on
Time [s]

Figure 7 NO
X
emission during pulsed laser fragmentation in the mobile setup for different accumulation times of
(a): t = 30 s, (b): t = 60 s and (c): t = 120 s. The periods of laser treatment, when PLF is performed are
highlighted gray.
to gas pump
NO
x

sensors
cooled
target
heated tube
ablation
head
Microchip
Laser

Figure 6 Compact analysis module

A gas pump draws a stream of air via a flexible tube
into the analyse unit. To prevent re-adsorption of the
molecules of interest, the inner side of the tube is
heated to a temperature of about 90C. In the analyse
unit the airstream passes an aluminium surface. A
thermoelectric cooler maintains this aluminium sur-
face at sufficiently low temperatures to ensure effi-
cient trapping of the explosive molecules. The role of
this cooled target surface is to accumulate explosive
molecules from the incoming airflow. As source for
the fragmentation radiation a compact microchip la-
ser (FTSS 355-Q3, CryLaS GmbH, Berlin, Germany)
is used. This laser emits at a wavelength of
= 355nm with a pulse energy E
P
= 17J, pulse dura-
tion t
P
= 1ns at a repetition rate f
rep
= 1kHz. The
longer wavelength is chosen due to their reduced de-
gradative effects on the optical components of the
device. NO and NO
2
fragments are detected by com-
pact size gas sensors (NO/C-25 and NO2/C-20,
Membrapor, Zurich, Switzerland). The measurement
volume is kept small (V 1cm
3
) to improve sensitiv-
ity.
A typical measurement cycle is done in two phases:
accumulation and analysis. During accumulation
phase the air, collected in the vicinity of the sample,
passes the cooled target which adsorbs more and
more molecules. During analyse phase the surface is
treated with the laser to perform PLF and the NO
X

sensors response is monitored and analyzed. As an
advantage of this concept the sensitivity can be varied
by the accumulation time.
Figure 7 shows a related series of experiments. A few
micrograms of TNT are deposited onto an aluminium
block. To increase the vapour pressure the block is
heated to a temperature of approx. 50C. One end of
the heated tube is placed few millimeters above the
sample and the surrounding air is drawn via the
heated tube (temperature inside: T = 90C) to the
sensing unit. The accumulation time is varied in a
range of 30 to 120 seconds. As expected, the amount
of generated NO
X
increases with the length of the ac-
cumulation phase.
2.1.3 Mobile Explosives Detection System
Based on the compact analysis module a prototype of
a mobile explosive detection system is developed
(Figure 8). The portable main unit contains the com-
pact analysis unit with the microchip laser (described
in section 2.1.2), a rechargeable battery pack and a
microcontroller circuit which controls the device and
processes the sensor data. Surface contaminations are
desorbed by a handheld thermal ablation head. The
desorbed molecules travel to main unit via the flexi-
ble heated tube.
As test object for the prototype a TNT contaminated
textile cloth is used. After 20s of sampling with the
thermal ablation head, a significant increase of NO is
recorded (Figure 9).
135

Figure 8 Mobile explosive detection system XDetext

HgCdTe-
Detector
Nd:YAG-
PLF-LASER
2 m
R
e
f
l
e
c
t
o
r
CaF
2
-
lens
Lens
Probing QCLs
for NO and NO
2
Rotating mirror
Sample
Ge-
filter

Figure 10 Laboratory setup for stand-off detection
0 20 40 60
Laser on
Time [s]

N
O
X

s
e
n
s
o
r

r
e
s
p
o
n
s
e

[
a
.
u
.
]
NO
NO
2

Figure 9 Test measurement with XDetect: A TNT
contaminated textile cloth is sampled for
20s with the thermal ablation head

2.2 Stand-off Explosives Detection with
MIR Absorption Spectroscopy
Optical sensing techniques enable to analyze explo-
sive devices or even supposed explosive devices from
safe distances. So it is obvious to adapt PLF for stand-
off measurements as well. In this section we want in-
troduce the combination of PLF and subsequent detec-
tion of NO and NO
2
via absorption spectroscopy in
the MIR spectral region.
The actively Q-switched Nd:YAG fragmentation laser
is specified to generate pulse energies of up to
E
P
= 1.5J at its fundamental wavelength of
= 1064nm and a repetition rate of f
rep
= 10Hz. Fur-
thermore it provides the ability of second and third
harmonic generation (SHG, THG), i.e., emission at
= 532nm and = 355nm. For the spectroscopic de-
tection of NO and NO
2
two tunable quantum cascade
lasers (QCL) are used. The QCLs cover emission
ranges from 1595 to 1603cm
-1
and 1893 to 1901cm
-1

which are located in the absorption bands of NO
2
and
NO respectively.
Figure 10 shows a scheme of the laboratory setup.
The radiation of both QCLs is collinearly overlaid
with the optical axis of a telescope, which consists of
two spherical gold coated mirrors. The first one has a
diameter of D
1
= 400mm and radius of curvature
R
1
= 1500mm. Furthermore, this mirror has a 35mm
diameter hole in its centre which enables the radiation,
which is back reflected by the second mirror, to pass
to a liquid nitrogen cooled HgCdTe detector. The sec-
ond mirror has a diameter of D
2
= 50mm and a radius
of curvature of R
2
= 65mm. The telescope is aligned
that way, that the scattered radiation from the sample,
which passes through the hole of the first mirror, is
nearly collimated and is finally focused on the detec-
tor by a CaF
2
lens (f = 60mm). To suppress the influ-
ence of ambient IR radiation, a Ge-filter is placed in
136
1899.9 1900.0 1900.1 1900.2 1900.3 1599.7 1599.8 1599.9 1600.0 1600.1
0.00
0.02
0.04
0.06
0.08
0.10
0.12
1 atm
200 mbar

E
x
t
i
n
c
t
i
o
n
NO
0.00
0.05
0.10
0.15
0.20
0.25 1 atm
200 mbar
E
x
t
i
n
c
t
i
o
n

NO
2
Wavenumbers [cm
-1
] Wavenumbers [cm
-1
]

Figure 11 Stand-off measurements of NO and NO
2
test atmospheres. NO
X
concentration: 1000ppm

1900.0 1900.1 1900.2
1599.8 1599.9 1600.0
0.00
0.01
0.02
0.03

E
x
t
i
n
c
t
i
o
n
NO
NO
2
Wavenumbers NO [cm
-1
]
Wavenumbers NO
2
[cm
-1
]

Figure 12 Extinction of NO and NO
2
of a PETN
sample pellet after the application of PLF
at = 355nm.
front of the detector. The detector signal is measured
using a lock-in amplifier (delay t
d
= 30ms) which is
triggered with the QCL repetition rate of
f
rep
= 120kHz.
The Samples are placed in the optical axis of the tele-
scope at the other end of the laboratory table. In this
configuration, the maximum distance between the de-
tector and the sample is about d = 2m which is re-
stricted to the length of the table. For future field
measurements distances of up to 20m are envisaged.
For the first laboratory measurements the samples
have been placed into a cubic absorption cell with an
edge length of l = 7cm. Two neighbouring sides are
equipped with CaF
2
windows. One of the windows
faces the sample, the other one faces the back side of
the cell which is covered with an aluminium plate and
acts as reflector for the QCL radiation. The PLF beam
is aimed on the sample via a rotating mirror as shown
in Figure 10. The rotating mirror changes the inci-
dence of the beam on the sample surface and enables
to spread the applied energy over a bigger surface.
The spectra which are shown in Figure 11 have been
recorded from the absorption cell filled with 1000ppm
NO and NO
2
test atmospheres at a low-pressure of
p = 200mbar and atmospheric pressure by tuning the
QCL output wavelengths over selected absorption
lines at 1599.9 cm
-1
and 1900.1 cm
-1
, respectively.
These lines have been selected because they are nearly
free of interferences with other elements of the ambi-
ent air, such as water vapour. The laser wavelength is
tuned by a voltage ramp which is additionally applied
to the QCL operating voltage and causes the spectral
tuning over a range of approximately 0.5cm
-1
.
For a first approach a pelletized PETN sample has
been analyzed. Figure 12 shows the extinction (aver-
aged over 5 measurements) of NO and NO
2
after the
application of PLF for approximately 1 minute at
= 355nm and a low pressure of p = 600mbar. Both
graphs show a very good agreement with the spectra
of the test atmospheres that are shown in Figure 11.
The extinction of NO exceeds the one of NO
2
as ex-
pected for the presence of the nitro based explosive
PETN.
Present research is concentrated on evaluating the de-
pendence of the PLF process on the excitation wave-
length and the applied power densities. Since PLF is
most commonly performed in the UV spectral region
[12,13] where single photons carry enough energy to
separate NO
X
groups from complex explosives mole-
cules, photo dissociation can also be induced via multi
photon absorption at longer wavelengths such as
= 532nm. Multi photon absorption is on the other
hand a nonlinear process and hence requires a higher
power density.
In order to obtain realistic conditions with respect to
further field measurements, the setup will be adjusted
as shown in Figure 13. In this configuration the sam-
ple itself acts as a reflector which yields a weaker sig-
nal response due to the low coefficient of reflection of
137
HgCdTe-
Detector
Nd:YAG-
PLF-LASER
2 m
CaF
2
-
lens
Lens
Probing QCLs
for NO and NO
2
S
a
m
p
l
e
Ge-
filter

Figure 13 Application oriented setup
most sample materials. The PLF beam is aimed on the
sample in a very sharp angle at the same spot to which
the IR beams are aimed to. It should be taken into ac-
count, that interactions of the sample surface with the
PLF beam, such as perforation and combustion, may
have an impact on the measurements.

3 Conclusion
Two PLF based methods for the detection of nitro
based explosives are studied, to prove their abilities in
two different application fields.
The mobile detector for rapid testing utilizes electro-
chemical sensors for the detection of the characteristic
NO and NO
2
fragments. The handheld ablation head
desorbs contaminations from a wide range of surface
materials. PLF and NO
X
concentration analysis is per-
formed in a compact sensing unit. Because the
NO/NO
2
concentration ratios differ drastically for en-
ergetic and non-energetic materials, this detection
method is very selective and promises to suppress
false alarms. The sensitivity of the detector can be var-
ied by the duration of the accumulation phase.
As the first experimental results suggest, the combina-
tion of PLF with subsequent MIR absorption spec-
troscopy promises to be a good approach to comple-
ment other established stand-off detection methods
such as Laser Induced Breakdown Spectroscopy
(LIBS) and Raman Spectroscopy [14].
Acknowledgements
The research presented in section 2.2 of this article is
part of a cooperative project with the name OPTIX
which is funded by the Seventh Framework Pro-
gramme of the European Union [15]. The objective of
this project is the combination of LIBS, Raman Spec-
troscopy and PLF/MIR absorption spectroscopy for
the stand-off detection of explosives

References
[1] Haupt, S. G.; Rowshan, S.; Sauntry, W. C.: Ap-
plicability of portable explosive detection de-
vices in transit environments, TCRP Report 86,
Transportation Research Board, 2004
[2] Dionne, B. C.; Rounbehler, D. P.; Achter, E. K.;
Hobbs; J. R.; Fine, D. H.: Vapor pressure of ex-
plosives J. Energ. Mater., Vol. 4, pp. 447472,
1986
[3] Krausa, M.: Vapour detection of explosives for
counter-terrorism in [Vapour and Trace Detecti-
on of Explosives for Anti-Terrorism Purposes],
Krausa, M.; Reznev, A. A., eds., NATO Science
Series II: Mathematics, Physics and Chemistry,
Vol. 167, 2004
[4] Harper, R. J.; Almirall, J. R.; Furton, K. G.:
Identification of dominant odor chemicals ema-
nating from explosives for use in developing op-
timal training aid combinations andmimics for
canine detection, Talanta, Vol. 67, pp. 313327,
2005
[5] Fainberg, A.: Explosives detection for aviation
security, Science, Vol. 255, pp. 15311537,
1992
[6] Moore, D.S.: Recent advances in trace explo-
sives detection instrumentation, Sens. Imag.,
Vol. 8, pp. 938, 2007
[7] Garofolo, F.; Marziali, F.; Migliozzi, V.; and
Stama, A.: Rapid quantitative determination of
2,4,6-trinitrotoluene by ion mobility spectrome-
138
try, Rapid Communications in Mass Spectrome-
try, Vol. 10, pp. 13211326, 1996
[8] Lemire, G. W.; Simeonsson, J. B.; Sausa, R. C.:
Monitoring of vapor-phase nitro compounds us-
ing 226 nm radiation: fragmentation with subse-
quent NO resonance-enhanced multiphoton ioni-
zation detection, Anal. Chem., Vol. 65, pp. 529
533, 1993
[9] Roberson, S. D.; Sausa, R. C.: Laser-based de-
tection of TNT and RDX residues in real time
under ambient conditions, Applied Spectros-
copy, Vol. 64, pp. 760766, 2010
[10] Bauer, C.; Geiser, P.; Burgmeier, J.; Holl, G.;
Schade, W.: Pulsed laser surface fragmentation
and mid-infrared laser spectroscopy for remote
detection of explosives, Appl. Phys. B, Vol. 85,
pp. 251256, 2006
[11] Willer, U.; Saraji, M.; Khorsandi, A.; Geiser, P.;
Schade, W.: Near- and mid-infrared laser moni-
toring of industrial processes, environment and
security applications, Opt. Laser Eng., Vol. 44,
pp. 699710, 2006
[12] Guenther, J.-U.; Bohling, C.; Mordmueller, M.;
Schade, W.: Trace detection of nitrogen-based
explosives with UV-PLF, Proc. SPIE, Vol.
7838, pp. 783807-1783807-8, 2010
[13] Monterola, M.; Smith, B.; Omenetto, N.; Wine-
fordner, J: Photofragmentation of nitro-based
explosives with chemiluminescence detection,
Anal. Bioanal. Chem., Vol. 391, pp. 26172626,
2008
[14] Wallin, S.; Pettersson, A.; stmark, H.: Laser-
based standoff detection of explosives: a critical
review, Anal. Bioanal. Chem., Vol. 395, pp.
259274, 2009
[15] http://www.fp7-optix.eu/

139
A Security and Surveillance Solution for Scenarios with Time-
Critical Response Time
Martin Schmucker, Data Fusion Algorithms & SW, Cassidian, Ulm, Germany
Daniel Streller, Data Fusion Algorithms & SW, Cassidian, Ulm, Germany
Frank Bhringer, Data Fusion Algorithms & SW, Cassidian, Ulm, Germany
Abstract
Existing surveillance solutions often end in information flooding as for example the excessively increasing
amount of surveillance camera installations demonstrate: operators cannot always identify relevant information
in time on their video walls. Instead, post incident analysis of surveillance video sequences is prevailing.
These post incident analysis solutions are obviously not sufficient for applications where incident prevention is
predominant: the protection of critical infrastructures. For these scenarios, a suitable response time of the secu-
rity personnel is crucial. Two starting points to reduce the response time can be identified: threat analysis and
identification of suitable counter-actions.
In this paper we present a system that performs threat analysis automatically. Based on radar sensors the system
can observe and monitor the surrounding area. Further sensors such as surveillance cameras are integrated in the
system. All sensor data is automatically analysed to quickly indentify security threats from the mass of available
information. Suspects or suspicious incidents are automatically identified and displayed adequately.

1 Introduction
While military is classically responsible for defending
countries against actual and perceived threats from
the outside, modern society has increased necessity of
protecting assets within countries. The protection of
these assets, that are essential for society and econ-
omy, is commonly known as homeland security or
critical-infrastructure protection. As today's society
depends on various assets, critical-infrastructure pro-
tection is associated with a broad range of facility
categories [1]. The increasing demand for security so
far is satisfied by increasing the amount of sensors,
for example surveillance cameras. Their data is tradi-
tionally evaluated by human observers: in the case of
surveillance videos, operators gaze at huge video
walls.

As a matter of fact, relevant incidents are hidden in
the mass of available information as the excessively
increasing amount of video camera installations dem-
onstrate: operators cannot identify relevant informa-
tion in the pixel flood on their surveillance monitors.
The case of the "Video Killer Thriller In Dubai" [2] is
an example where the security of video surveillance is
mainly deprived to or based on post-crime analysis.
The security increase is therefore limited to specific
use cases like daily crime prevention where people
are afraid of being identified and convicted. Thus, re-
sponse time is not reduced and prevention of crime or
critical incidents by timely and opportune actions is
not possible where delinquents are either not afraid of
consequences or the identification of offenders is al-
most unlikely.

Furthermore, surveillance solutions that are only
based on video cameras do not provide the possibility
to scan surrounding areas due to physical and legal
constraints.

In the following sections, we present our security and
surveillance solution that automatically derives a
situation picture from different sensors and performs
an automatic threat analysis. It is designed as a flexi-
ble and extensible architecture. An overview of the
system is given in section 2. Section 3 sketches its ar-
chitecture and functional components. Application
and test scenarios are given in section 4. The conclu-
sion and outlook in section 5 summarizes our system
and outlines ongoing and future extensions.
2 System Overview
Our system is an automatic sensor data fusion system
that integrates and processes sensor data from various
sensor modalities. It is designed for surveillance ap-
plications. The automation level of our system with
respect to threat analysis and sensor triggering allows
reducing the operators' response time.
140

Although we describe a single system, it is designed
as the cornerstone for a product line or a product fam-
ily. Therefore, the focus of this article is neither on
sensors' nor on the system's subtleties. Instead, we
give an overview of the current state of its design and
implementation.

The system itself can integrate sensors with different
modalities. For pragmatic reasons, we limited the sen-
sors in the first development stage to radar sensors
and surveillance cameras due to their orthogonal sen-
sor characteristics:
o A radar sensor is almost rather independent
from weather conditions, can acquire (radial)
Doppler information and has a large surveil-
lance area with respect to its scan rate.
o A surveillance camera can be used as a tan-
gential motion detector and can provide vis-
ual classification information for targets
within a suitable range.

This initial sensor selection allows different ap-
proaches for handling the video data. Due to our
background in sensor data fusion, we enrich the data
from radar sensors, mainly position and velocity, with
the information extracted from surveillance video.
Thus, the basic situation picture is generated by radar
sensors. The surveillance cameras are considered as
additional information sources.

A similar integration of radar and video sensors for
border security was already described in [3]. Our ar-
chitecture was designed as a key element for a prod-
uct family to cover a broad range of surveillance and
security applications. Our flexible and adaptable ar-
chitecture includes functional key elements like
o the fusion of a broad range of sensors on a
higher semantic level,
o the definition of different security and sur-
veillance tasks, and
o a task dependent situation analysis.

2.1 Sensor Integration
The capability of integrating numerous sensors with
different sensor modalities affects the sensor inter-
faces.

The integration of different radar sensors requires a
flexible interface for the processing of radar informa-
tion as well as for radar control. This flexibility suits
the broad range of application and demonstration sce-
narios. We integrated radar sensors for
o short range (< 100 m),
o mid range (> 5 km and < 10 km) and
o long range (> 20 km ).

For the surveillance cameras, an internal independent
control interface was defined and implemented. We
integrated
o low-cost daylight surveillance cameras
o high-end thermal imaging systems

Vendor-specific peculiarities complicate the integra-
tion unnecessarily, especially the lack of a common
interface standard. Here, ongoing standardisation ac-
tivities such as ONVIF [4] or PSIA [5] for surveil-
lance cameras are promising future remedies.

2.2 Sensor Data Fusion Approach
According to JDL Data Fusion Model [6], our sensor
data fusion approach is based on level 1 (entity as-
sessment). Currently integrated in the system is a ra-
dar and IFF sensor that reports the position of objects
as plots and tracks. As second information source, the
video content analysis (VCA) can extract detected
objects in the EO/IR video stream as geo-referenced
or angular-only plots. All this information is used to
create a common representation based on the given
kinematics of the detected objects.

The presented solution is designed as a framework for
a software product family. It consists of independent
software components and can be arranged and tuned
to the specific needs of each customer. Due to the ap-
plication independent design of the sensor data fusion
component, we can benefit from its variability: In-
coming measurements, i.e. plots and tracks, can be
two- or three-dimensional, polar or angular-only
(strobes) measurements, which are typically related in
military application scenarios to electronic warfare
support measures.

Furthermore, the situation assessment (level 2) bene-
fits from existing functionality, e.g. for the processing
of information that is extracted from the surveillance
video. It can process a broad variety of information
ranging from eye observer to contextual information
like flight plans. The fusion of kinematics and attrib-
ute information is already implemented, e.g. for ap-
plications where object classification and identifica-
tion is required or for group tracking [7]. Also for
ground target scenarios, context information like road
maps and elevation data is integrated [8]. We consider
this surplus of functionality as alleviation for further
evolutions of our architecture.

As sensor data fusion has a long history in radar, we
see here the main advantage over existing video sur-
veillance systems: While the creation of a common
situation picture is typical for radar processing [9, 10,
11], an overall reliable situation picture only from sur-
veillance camera is still a challenging task.

141
2.3 Surveillance and Threat Analysis
For reducing the operators' response time the sensor
data has to be pre-processed. Especially for video sur-
veillance, a 'one-monitor-per-camera' policy is practi-
cally not manageable. Also a high system automation
level is required.

Operators' daily duty is defined in tasks. Therefore,
we implemented a concept that reflects surveillance
alarm events and corresponding actions. These sur-
veillance rules are in accordance with the operators'
tasks, which are potentially non-static. For example,
they can differ at day- and night-time. Key elements
for the surveillance events rules include areas and
alarm zones, objects, object motion and object classi-
fication. Corresponding actions include the automatic
classification of intruders.

The default operation mode of our system is the
autonomous surveillance mode. In this mode, the sur-
rounding is continuously observed by radar sensors, a
situation picture is generated and surveillance rules
evaluated. An operator overrules automatic surveil-
lance. So far, the implemented automatic action is the
classification of intruders. In other words, for each
object that is in an alarm zone, the track is marked in
the situation picture and an optical sensor is aligned
such that the object is displayed in the video stream
and the object classification is triggered as shown in
Figure 1. The system also has the potential of con-
tinuous classification of unknown objects or trigger-
ing of security staff or sentries via mobile devices.
3 System Architecture
Our system architecture is depicted in Figure 2. To
fulfil future requirements of the product family, the
system design aimed at an open architecture. The re-
sulting main components of our architecture are:
o refinement, including sensor data fusion,
situation assessment and sensor manage-
ment,
o extended sensor functionalities, and
o HMIs

3.1 Refinement
Refinement consists of the following functional com-
ponents.

The functional component 'fuser' is the heart of the
architecture and performs the multi-source multi-
sensor data fusion. Within this component the proc-
essing according to JDL level 0 (data alignment) and
JDL level 1 (entity assessment) is performed.

The functional component 'situation assessment' per-
forms the situation assessment, impact assessment and
process refinement (JDL level 2 to 4). For example,
this component handles the alarm zones and triggers
related actions like surveillance camera alignment and
video analysis.

The functional component 'sensor management' man-
ages the sensor state-models and the sensor coverage
information. The state-model represents the current
operation mode (e.g. manual or automatic control).
The sensor coverage information is essential for the
automatic selection of a suitable sensor. For example,
the most suitable EO/IR sensor for automatic tracking
and classification information collection is selected by
considering its proximity to the tracked object and the
current sensor mode.

The sensor management receives sensor surveillance
requests from the situation assessment and from the
operator. For each surveillance request, a suitable sen-
sor is selected and triggered accordingly. The manual
operator input overrides the automatic sensor mode
and the automatic mode has to be reset by the opera-
tor.

3.2 Extending sensor functionalities
Our system has an internal sensor interface for con-
trolling sensors and processing sensor information. If
this internal interface is not in accordance with the
external sensor interface, our so-called 'sensor SIP'
closes this gap.

In the simplest case, there are only syntactical differ-
ences. Then, the sensor SIP is a sensor specific adap-
tor that converts the incoming sensor information and
the outgoing sensor control to the required format.

If there is a functional or semantic gap, then the sen-
sor SIP performs the required processing. For the case
of the low-cost consumer surveillance cameras, we

Figure 1: The result of the VCA for the far range sce-
nario.
142
encapsulate direct access to the corresponding EO/IR
sensor in a higher semantic interface. The existing
pan, tilt and zoom (PTZ) controls of the cameras are
extended to a camera alignment based on WGS-84
coordinates [12]. Also, the EO/IR sensors are ex-
tended by a visual content analysis (VCA) component
[13,14,15] for the automatic classification of visual
objects. The VCA component consists of the func-
tionalities motion detection and model-based classifi-
cation. Its results are integrated as visual sensor plots
in the fusion system.
One key element of the above described extended
functionality for the surveillance cameras is geo-
referencing. Geo-referencing utilizes the information
of the intrinsic and extrinsic geometric camera cali-
bration together with the PTZ-parameters of the cam-
era to calculate a WGS-84 position from the localized
object in the camera frame (camera resectioning). The
geo-referencing is based on elevation maps. Similar
work is described in [16].

Obviously, this automatic processing of surveillance
camera information and the fusion into a single situa-
tion picture reduces the operators' workload and al-
lows him to focus on relevant data on the HMI.

3.3 HMIs
As shown in Figure 3, the HMI is separated into two
applications: situation picture display and the visuali-
zation and control of the surveillance cameras.

The situation picture display provides essential visu-
alization primitives, like maps and display of sensor
plots, tracks and classification results or sensor loca-
tion, viewing direction and aperture. It also includes a
user interface for sensor specific operator commands
(e.g. semi-automatic alignment of surveillance cam-
eras to tracks or WGS-84 coordinates) and alarm
event management namely alarm-zones to trigger trip-
wire events.

The second HMI visualizes surveillance camera
streams, camera-specific status information and clas-
sification results within the corresponding camera
frame. Here, manual control like PTZ-parameters and
camera modes (automatic or manual) control is en-
abled.
4 Application Examples
We evaluated our system in different test scenarios.
Their commonality is the surveillance rule: any object
that intrudes a pre-defined alarm zone is automati-
cally displayed in a surveillance camera and classi-
fied.

cmp Segment CCU SW
IConfi gurati on
IExtScenari o
IExtSensor
IExtNoti fi cati on
Segment CCU SW
IConfi gurati on
IExtScenari o
IExtSensor
IExtNoti fi cati on
ITaSP
IConfi gurati on
IExtSensor
IScenari o
IControl
ITest
HMI
ITaSP
IConfi gurati on
IExtSensor
IScenari o
IControl
ITest
IScenari o
IConfi gurati on
ISensor
ITaSP
ISystemCtrl
ITest
ITest
Refinement
IScenari o
IConfi gurati on
ISensor
ITaSP
ISystemCtrl
ITest
ITest
IConfi gurati on
ISensor
IScenari o
IExtSensor
ITest
SensorSIP
IConfi gurati on
ISensor
IScenari o
IExtSensor
ITest
i nterfaces to
enabl i ng systems
i nterfaces to sensors
and effectors
In the si mpl est versi on thi s i s
onl y a SensorAdapter.
Thi s i nterface/port i s onl y
for accessi ng standardi zed
vi deo streams.
ITaSP
IExtNoti fi cati on
ITest
NotificationService
ITaSP
IExtNoti fi cati on
ITest
Ext.Confi gurati onData
Ext.Recordi ngData
Ext.SensorData
Ext.SensorCtrl
Ext.Recordi ngData
S
e
n
s
o
r
D
a
t
a
S
e
n
s
o
r
C
t
r
l
TaSPData
TaSPData
E
x
t
.
S
e
n
s
o
r
D
a
t
a
Ext.Recordi ngData
S
y
s
t
e
m
S
t
a
t
u
s
S
y
s
t
e
m
C
t
r
l
SystemCtrl
SystemStatus
S
e
n
s
o
r
D
a
t
a
S
e
n
s
o
r
C
t
r
l
Ext.Recordi ngData
Ext.SensorData
Ext.SensorCtrl
TaSPData
Ext.Noti fi cati on
Ext.Noti fi cati on
del egate
fl ow
sensor pl ots
fl ow
fl ow
fl ow
fl ow
del egate
del egate
del egate
del egate
fl ow
del egate
vi deo stream
del egate
del egate
del egate
del egate

Figure 2: The system architecture consists of the HMIs, the situation refinement and the smart sensors (Sensor-
SIP). The notification service is a future extension.
143
4.1 Premises and Short-range Surveil-
lance
Building security and perimeter protection are typical
application scenarios for military, government, indus-
try and within the private sector. One advantage of a
radar sensor is the possibility for hidden installation.
Thus, it is not only protected against vandalism but
also hard to be perceived by an observer and almost
weather-independent. A radar based fusion system
that utilizes existing surveillance cameras has to be
capable of processing and controlling low-cost cam-
eras. For this scenario we integrated common low-
cost COTS components. For example, the integrated
EO cameras are of the types AXIS 214 PTZ and
AXIS 233D
1
.
A screen shot of a field trial is shown in figure 3.

4.2 Far-field and Long-range Surveil-
lance
For far-field surveillance, we integrated radar sensors
with an increased range in our architecture. In con-
trast to the radar sensors for the premises surveillance,
which already returned pre-tracked objects, the radar
sensors reported radar plots. Our fusion system calcu-
lates the corresponding situation picture. We also in-
tegrated a thermal imaging system, namely a FLIR

1
Axis a registered trademark of Axis Communica-
tions AB, see http://www.axis.com/
ThermoVision 3000 Multi Sensor
2
both in the visual
and the IR-spectrum.
The test site of the field trials for the far field surveil-
lance is shown in Figure 4.
5 Conclusion and Outlook
We introduced our architecture for security and sur-
veillance applications. Our system mitigates time
criticality by performing automatic situation picture
generation and threat analysis. By integrating radar
sensors, already the surroundings can be observed. In
addition to the automatic fusion of numerous sensors
with different sensor modalities, surveillance tasks
can be defined that are executed automatically. Sum-
marized, suspects or suspicious incidents are auto-
matically identified and displayed adequately.

As shown, the architecture itself is capable of ad-
dressing a broad range of application scenarios rang-
ing from building security and perimeter protection to
far-field surveillance. We demonstrated the architec-
ture's flexibility and extensibility by integrating dif-
ferent radar sensors, surveillance cameras and our ex-
tended sensor functionality that combines surveillance
video with automatic object classification and geo-

2
FLIR and ThermoVision are registered trademarks
of FLIR Systems, Inc., see http://www.flir.com.

Figure 3: An example of the HMIs for the short range scenario: The screen shot shows the premises surveillance
application. Radar sensors for the next-range and consumer low-cost cameras are deployed. In the background the
situation picture including the current field-of-view of the video cameras is shown. The foreground shows the
video stream and the status of the video cameras.
144
referencing. The architecture's functionality was veri-
fied in different field trials.

Future R&D activities will challenge the flexibility
and extensibility of our architecture by investigating
the integration of existing surveillance components.

The next possible steps for this system include
o the integration video archiving and scenario
recording and replay for testing,
o the integration of further radar sensors,
o the investigation the enhancement of the user
interfaces,
o the integration of new types of sensors like
unattended ground sensors or proximity sen-
sors,
o the integration of further VCA algorithms,
o the integration of mobile sensor platforms
like UAVs or UGVs, and
o the investigation of cooperative objects with
mobile units including sensors.
References
[1] Wikipedia: Critical infrastructure,
http://en.wikipedia.org/wiki/Critical_infrastructu
re, last visited: 21th June, 2011
[2] Forbes: Video Killer Thriller In Dubai,
http://www.forbes.com/2010/02/24/dubai-
surveillance-video-hamas-mahmoud-al-
mabhouh-opinions-columnists-claudia-
rosett.html,
last visited: 21th June, 2011
[3] Khler, B.; Dstner, K.; Opitz, F.; Kouemou, G.:
Sensor Integration in the Security Domain GI
Jahrestagung, 2009, 2445-2453
[4] ONVIF Open Network Video Interface,
http://www.onvif.org/,
[5] PSIA Physical Security Interoperaility Alli-
ance,
http://www.psialliance.org/,
[6] Steinberg, A. N.; Bowman, C. L. & White, F. E.
Revisions to the JDL Model Sensor Fusion: Ar-
chitectures, Algorithms, and Applications, Pro-
ceedings of the SPIE, 1999, 3719
[7] M. Feldmann and D. Fraenken, "Tracking of Ex-
tended Objects and Group Targets Using Ran-
dom Matrices", in IEEE Trans. on Signal Proc-
essing, vol. 59, no. 4, April 2011
[8] D. Streller "Road Map Assisted Ground Target
Tracking", in the 11th International Conference
on Information Fusion (Fusion2008), June 2008.
[9] Blackman, S.; Popoli, R.: Design and analysis of
modern tracking systems Artech House, 1999
[10] Bar-Shalom, Y.; Li X. R.; Kirubarajan, T.: Esti-
mation with Applications to Tracking and Navi-
gation, Wiley and Sons, 2001
[11] Liggins, M. E.; Hall, D. L.; Llinas, J.: Handbook
of Multisensor Data Fusion CRC Press, 2008
[12] WGS 84 Implementation Manual, Version 2.4,
February 12th, 1998,
http://www.dqts.net/files/wgsman24.pdf
[13] J. Schels, J. Liebelt, K. Schertler, R. Lienhart:
Building a semantic part-based object class de-
tector from synthetic 3D models, IEEE Interna-
tional Conference on Multimedia and Expo
(ICME) 2011.
[14] J. Liebelt, C. Schmid: Multi-View Object Class
Detection with a 3D Geometric Model, IEEE
International Conference for Computer Vision
and Pattern Recognition (CVPR) 2010.
[15] J. Liebelt, C. Schmid, K. Schertler: Viewpoint-
independent object class detection using 3D fea-
ture maps, IEEE International Conference for
Computer Vision and Pattern Recognition
(CVPR) 2008.
[16] Dstner, K.; Khler, B. & Opitz, F. Fusion of
IR/CCD Video Streams and Digital Terrain Mo-
dels for Multi Target Tracking GI Jahrestagung,
2009, 2334-2342
[17] OpenStreetMap, http://www.openstreetmap.org/

Figure 4: The test site of the field trials for the far field
surveillance is shown. The map is an excerpt from
OpenStreetMap [17].
145
Electromagnetic Protection of IT-Networks for Transportation-
Infrastructure (EMSIN)
Melanie Deperschmidt, University of Applied Sciences and Arts, Germany
Michael Koch, University of Applied Sciences and Arts, Germany
Abstract
Modern communication systems are the backbone for secure and smooth proceedings. Fast information-
transmission, continuous access to databases as well as the management of air traffic are most important for ef-
fective and safe operation. Malfunctions, a breakdown, damages or destruction of parts of the system may lead to
a breakdown of the whole communication system thus leading to severe failures in the system and even causing
catastrophic accidents.
The collaborative project EMSIN is sponsored by the Federal Ministry of Education and Research and is based
on scenarios for asymmetric threats applying electromagnetic weapons, so-called HPEM sources (abbr.: High
Power Electromagnetics), to deliberate and planned impact on electronic components of critical infrastructures.
Affected can be single electrical or electronic assemblies, circuits, as well as stand alone or networked electrical
and electronic systems, including IT and communication. Successful HPEM-attacks can lead to the collapse of
superior networks, such as air transport or intermodal transport.
The paper is organized as follows. Section 1 presents different kinds of electromagnetic threats like the Electro-
magnetic Pulse (EMP) or High Power Microwave (HPM). The most important components like monitoring sys-
tems or IT networks on airports are presented in Section 2. The next step in Section 3 is the replication of a
monitoring-system existing on airports in order to measure the breakdown behavior of such a system against
electromagnetic threats presented in Section 1. Among other things a typical test environment like the open
TEM-waveguide for testing the immunity of electronic systems is shown. In Section 4 the principle of immunity
tests is shown and a short conclusion about the most important facts is given in last section 5.

1 Electromagnetic Threats
1.1 Coupling process
Nowadays it is practicable to generate transient elec-
tromagnetic pulses with a high amplitude. The charac-
teristic of a double-exponential pulse is shown in fig-
ure 1.

Figure 1 Double-exponential pulse
Three variables describe the pulse form: E
0
character-
izes the amplitude of the electric field, t
describes
the rise time and t
]whm
the full width at half maxi-
mum, which characterizes the pulse duration. The rise
time and pulse length are determined by the source
(cp. Table 1).

Source Rise time t
Pulse length t
]whm
UWB
(artificial)
< 100ps > 1ns
NEMP (nuclear
electromagnetic
pulse)
1ns - 5ns > 100ns
LEMP
(lightning)
1ms - 2ms >> 50ms
Table 1 Pulse characteristics
The spectra of the different pulse forms are shown in
figure 2. The energy content at high frequencies in-
creases with decreasing pulse duration and rise time.

146

1.2 Electromagnetic Sources

Figure 2 Different pulses in frequency domain
The coupling process can be described by the transfer
function 0(]) of a system, which is shown in figure
3. The function results from the external electric field
E(]), which is applied to the electronic system, and
the coupled-in voltage u
L
(]).

Figure 3 Transfer function
Noticeable is a frequency domain between
1
and
2
,
where a large part of the energy couples into system.
Below the frequency
1
and above the frequency
2

the coupling into the system is negligible. The two
critical frequencies are defined by the dimensions of
the system. The typical coupling frequencies of elec-
tronic systems lies between several 10 MHz and a few
GHz [1].
Subsection 1.2 contains different kinds of sources of
intentional electromagnetic interference.

1.2 Sources of IEMI
Sources of intentional electromagnetic interferences
can be produces relatively easily and cheaply using
components from commercially available sources by
civilian persons with relevant expertise and can be
used as such for sabotage- or blackmail-purposes.

Figure 4 HPM-Suitcase
Figure 4 shows a high power microwave suitcase,
which is developed from the Bundeswehr Research
Institute for Protective Technologies and NBC-
Protection in Munster.
Noticeable are the different components and wires
fastened with duct tape. The contents of the self-made
suitcase seems conspicuous and suspicious.
This kind of source exists in professional form and is
available for the free market, which is shown in the
following figure 5.

Figure 5 HPM-Suitcase [2]
Besides the HPM-suitcase the Impulse Radiating An-
tenna (abbr.: IRA) characterizes a source of inten-
tional electromagnetic interferences. The IRA is a re-
flector type antenna with a high directivity.

147

Figure 6 Half-IRA
Figure 6 shows a Half-IRA, which is another form of
an impulse radiating antenna.
It is an ultra wideband antenna using a ground plane
as an electromagnetic mirror. This antenna produces a
very narrow beam in the bore sight direction. The ad-
vantage of this construction compared to a full
paraboloidal reflector is a better ruggedness, a broader
frequency range and an improved return loss.

2 Monitoring Systems on
Airports
2.1 Instrument Landing System (ILS)
The instrument landing system is the primary preci-
sion approach facility for civil aviation. The ILS con-
sists of three main components: Localizer, glide path
and marker beacons. Figure 7 shows the principle of
the instrument landing system.

Figure 7 Instrument Landing System

2.1.1 Localizer
The localizer transmitter supplies approach guidance
in azimuth along the extended runway centre line. It
consists of a number of dipole and reflector elements.
The radio signal transmitted by the localizer aerial
produces a composite field pattern consisting of two
overlapping lobes modulated by a 90Hz tone on the
left-hand side and modulated by a 150 Hz on the
right-hand side (fig. 8).

Figure 8 Localizer
A receiver located to the left of the centre line will
detect more of the 90 Hz modulation, while a receiver
located to the right of the centre line will detect more
of the 150 Hz modulation. The difference is called
DDM (Difference in Depth of Modulation). The line
along which the DDM is zero, defines the localizer
centre line. When flying along this line, there will be
no deflection of the needle, indicating that the aircraft
is on the centre line.
2.1.2 Glide Path
The glide path transmitter (fig. 9) provides approach
guidance in the vertical plane. It is placed 300 m up-
wind from threshold, because this is the optimum
touch down point at which the extension of the glide
path intersects the runway.

Figure 9 Glide Path in Hannover
148
It is similar to the localizer transmitter and gives the
position of the centre line of the glide path.
2.1.3 Marker Beacon
Marker beacons give the pilot an indication of range
from the threshold. Generally the marker beacons
consist of an outer marker and a middle marker and
provide range information while the aircraft is ap-
proaching. They transmit an almost vertical beam.
Figure 10 shows the principal of the marker beacons.

Figure 10 Marker Beacon in Hannover
2.2 Radar Systems
In addition to the instrument landing system the radar
(abbr.: Radio detection and Ranging) characterizes an
object-detection system and monitors the airspace.
Over the years, radar has been used for many and var-
ied military and non-military purposes. There is a dif-
ference between primary radar and secondary radar.
Both forms of air surveillance will be described in the
next two subsections 2.2.1 and 2.2.2.
2.2.1 Primary Radar
The primary radar works with passive echoes. The
transmitted high-frequency impulses are reflected by
the target and then received by the same radar unit.
By the use of adequate transmitting antenna it is pos-
sible to radiate the energy of the electromagnetic
wave in any direction. The principle of the primary
radar is shown in the following figure 11.
By using a primary radar it is possible to get informa-
tion about the direction, distance and velocity of the
aircraft. An active signal generated by the detected
object is not necessary to get these informations. This
is a major advantage of a primary radar.

Figure 11 Primary radar surveillance
Among other things the detection of unwanted echoes
returned from ground, sea, rain or atmospheric turbu-
lences for example is a disadvantage.
Another kind of radar is the secondary radar. The
principle is illuminated in the following subsection
2.2.2.
2.2.2 Secondary Radar
Compared to the primary radar working with passive
echoes the secondary radar system (abbr.: SSR) con-
sists of an active transmitter and transponder. The
transponder is a radio receiver and transmitter operat-
ing on the radar frequency. It replies to each interroga-
tion signal by transmitting a response containing en-
coded data. In addition to primary radar it also re-
quests information like identity from aircraft and its
altitude. Figure 12 shows the principle of the secon-
dary radar system.

Figure 12 Secondary radar surveillance
A major advantage is the reply signal transmitted
from the aircraft, which is much stronger when re-
ceived at the ground station. Thus giving the possibil-
ity of much greater range and reducing the problems
of signal attenuation.
The disadvantage is that it is only useable with an op-
erating transponder carried by the aircraft. In case of
an malfunction it is not possible to get informations.
Based on this fact an aircraft is equipped with an pri-
mary radar in addition to the secondary radar.
The aim is the replication of an IT-network based on
the knowledge of monitoring systems existing on air-
ports.
149
The following section 3 contains the development and
replication of a monitoring system in order to analyse
its breakdown behavior against electromagnetic
threats as well as the immunity tests.
3 IT Network
For analyzing the vulnerability of IT-networks of crit-
ical infrastructures it is sensible to replicate a moni-
toring system with typical characteristics of a real sys-
tem existing on airport.
The monitoring system developed within the frame-
work of the collaborative project EMSIN is a replica-
tion of a secondary surveillance radar described in last
section 2. The IT network contains the most important
characteristics of the SSR and consists of a transmitter
and a receiver module. The following figure 13 shows
the principle of the monitoring system.

Figure 13 Monitoring system
The IT network of the transmitter consists of a micro-
controller, a power supply and an UHF transmitter,
which converts an electrical signal to electromagnetic
wave, which is radiated by a loop antenna. The IT
network of the receiver consists of a microcontroller
and power supply as well but is differentiated to the
transmitter by an UHF receiver, which converts an
electromagnetic wave to electrical signal. The advan-
tage of integrated circuits like microcontrollers is the
flexible application and cost-effectiveness as well.
The signal transmission occurs in ISM radio band
(abbr.: industrial, scientific and medical) using the
frequency = 4SS,SS Hbz.
Figure 14 only shows the principle of the transmitter
module of the developed monitoring system by reason
that the layout of the receiver module is equivalent to
this.

Figure 14 Transmitter module
The three components of the module are intercon-
nected by exchangeable data cables to vary the cable
length. The battery supplies the UHF transmitter as
well as the microcontroller system, which does not
only actuates the UHF transmitter but also three dio-
des. The diodes characterize the activated state of the
microcontroller device, so that it is possible to ob-
serve the processes while accomplishing immunity
tests.
In figure 15 the transmitter of the monitoring system
consisting of power supply, microcontroller and loop
antenna is mapped.

Figure 15 Transmitter module
4 Immunity Tests
To analyze the breakdown behavior of the critical IT
network against electromagnetic field threats the
EMC immunity of the system has to be measured. The
measurements could carry out with an open transverse
electromagnetic waveguide (abbr.: TEM) shown in
figure 16.

Figure 16 Open TEM-waveguide
Injection
point
Septum
Absorber
Matching
resistors
150
To describe the failure effects, the breakdown failure
rate (abbr.: BFR) has been defined. It is the number of
breakdowns of the system divided by the number of
pulses applied to it [1].

Table II Breakdown Failure Rate
Breakdown is the inability of the system to perform
the function for which it is designed but without
physical damage. After a reset like an external or by
itself the system will return to its usual function. In
table II the typical characteristics of a breakdown are
shown.
To describe the breakdown behavior in statistical form
it is sensible to plot the breakdown failure rate against
the electrical field strength. The next figure 17 shows
the run of the curve.

Figure 17 Breakdown Failure Rate
To describe the susceptibility of a system two quanti-
ties have been defined [3]. The value of the electrical
field strength, at which the BFR reaches 5% of the
maximum value specifies the breakdown threshold.
The span of the electrical field strength, in which the
BFR changes from 5% to 95% of the maximum de-
fines the breakdown bandwidth [4].

5 Conclusion
Investigations in the past have shown that it is possi-
ble to produce electromagnetic pulse sources relative-
ly easily and cheaply by civilian persons with relevant
expertise.
The aim of the collaborative project EMSIN is the
technical protection of critical infrastructures like air-
ports against these electromagnetic threats.
Electromagnetic threats like the EMP and the Half-
IRA as well as the coupling process of electromagnet-
ic fields in electronic systems have been shown.
To analyze the susceptibility of critical IT networks
on airports it was necessary to define systems with
high priority like radar systems. Based on these in-
formations a monitoring system was developed which
contains the most important functions of a real system
existing on airport.
And finally the principle of immunity tests including
the test environment like the open TEM waveguide
and the examination of test results by means of the
breakdown failure rate were given.
References
[1] M. Camp: "Empfindlichkeit elektronischer
Schaltung gegen transiente elektromagnetische
Feldimpulse", Dissertation, Hannover 2004
[2] Dr. R. Stark: "Effektuntersuchungen an elektro-
nischen Systemen bei HLM-Exposition und Ver-
fahren zur Abschtzung HLM-
Strsicherheitsabstnden unter Verwendung von
Strahlungsquellen geringer Leistung", 12. Int.
Fachmesse und Kongresse fr Elektromagn. Ver-
trglichkeit Feb. 2004; Diehl BGT Defense
[3] M. Camp, H. Garbe, D. Nitsch: UWB and EMP
susceptibility of modern electronics, IEEE Int.
Sym. Electromagn. Compat., Canada Aug. 2001
[4] M. Camp, H. Garbe: "Susceptibility of Personal
Computer Systems to Fast Transient Electro-
magnetic Pulses", IEEE Transactions on Elec-
tromagn. Compatibility, Nov. 2006
[5] H. Thye, M. Koch, F. Sabath: "Aspects of Mod-
elling an UWB Impulse Radiating Antenna",
XXIX. General Assembly of URSI, Chi-
cago/USA Aug. 2008
[6] Simulation of the Destruction Effects in CMOS-
Devices caused by Impact of Fast Transient
Electromagnetic Pulses", Comsol Conference
Hannover 2008
[7] W.A. Radasky, M.W. Wik: "Overview of the
Threat of Intentional Electromagnetic Interfer-
ence (IEMI)", IEEE International Symposium on
Electromag. Compatibility, Goleta/USA 2003

151
Managing Security Tasks with Modular and Mobile Sensor
Data Processing Networks An Integral Approach

Peter Solbrig, Michael Arens, Dimitri Bulatov,
Kai Jngling, Peter Wernerus
Fraunhofer Institute of Optronics,
System Technologies and Image Exploitation
Gutleuthausstr. 1, 76275 Ettlingen, Germany
{peter.solbrig, michael.arens, dimitri.bulatov,
peter.wernerus, kai.juengling}@iosb.fraunhofer.de
Axel Brkle, Florian Segor,
Matthias Kollmann, Sven Mller
Fraunhofer Institute of Optronics,
System Technologies and Image Exploitation
Fraunhoferstr. 1, 76131 Karlsruhe, Germany
{axel.buerkle, florian.segor, matthias.kollmann,
sven.mueller}@iosb.fraunhofer.de

Abstract
This paper presents a complex surveillance system based around a ground control station called AMFIS. In addi-
tion, we introduce additional image exploitation algorithms and show how they can be used in the described mo-
bile surveillance system. Detected objects of interest are geolocated by means of image-registration methods and
classified as human or non-human. While the classification of objects of interest is running, their position, direc-
tion and speed can already be annotated in the operators display. Thus, the image exploitation process can accel-
erate the situation assessment significantly.

1 Introduction
AMFIS is a component-based modular construction
kit currently under development as a research proto-
type. It already has served as the basis for developing
specific products in the military and homeland secu-
rity market. Applications have been demonstrated in
exercises for EU (PASR program), German Armed
Forces, and the defense industry.
The next two sections describe the AMFIS ground
control station and its user interface. In section 4,
methods for image-based georeferencing are dis-
cussed. Sections 5 and 6 present, respectively, an ap-
proach for moving object detection and classification.
The paper closes with a description of the object clas-
sification process.

2 AMFIS
The surveillance system AMFIS is an adaptable mo-
dular system for managing both mobile and stationary
sensors. The main task of this ground control station
is to work as an ergonomic user interface and a data
integration hub between multiple sensors mounted on
MUAVs (micro unmanned aerial vehicles) or UGVs
(unmanned ground vehicles), stationary platforms
(network cameras), ad hoc networked sensors, and
superordinated control centers. Its open interface con-
cept supports the integration of AMFIS in existing se-
curity systems so that the input data can be exchanged
on a real-time basis with other guidance, supervision
or exploitation systems, as illustrated in Figure 1.
The AMFIS system is mobile and portable, thus it can
be deployed and operated anywhere with relative
ease. It can either supplement existing stationary sur-
veillance systems or act as a surveillance system on
its own if no pre-existing infrastructure is available.
The sensor carriers in this multi-sensor system can be
combined in a number of different setups in order to
meet a variety of specific requirements. At present,
the system supports optical sensors (infra-red and
visible) and alarms (PIR, acoustic, visual motion de-
tection), chemical sensors and environmental sensors
(weather, vibration, temperature).

Figure 1 AMFIS Concept and Components
152
The AMFIS system is scalable and can be extended to
any number of workstations. Due to this fact, several
sensor platforms can be coordinated and controlled
simultaneously. Heterogeneous sensor platforms can
be handled in a similar manner by a standardized pi-
lots working station that in turn minimizes the train-
ing requirement for the staff and raises the operational
safety. The user interface automatically adapts accord-
ing to the sensor or sensor platform at hand.

3 User Interface
The user interface of the AMFIS ground control sta-
tion at Fraunhofer IOSB consists of three worksta-
tions (see Figure 2). Basically, the system is designed
so that each display can be used to interact with each
function allocated by AMFIS. The standard setup con-
sists of one dedicated workstation for each operator,
and a situation awareness display in between that
supports both operators. The duties of the two opera-
tors can be divided into: a) sensor and vehicle control
and b) data fusion, archiving, exploitation and coordi-
nation tasks.

The user interface of the latter working place primar-
ily provides a function for the visualization of sensor
data streams, giving the operator access to the accu-
mulated data. The task of the operator is to obtain and
keep an overview of the situation and to inform the
higher authorities about important discoveries and
provide the associated data so that external systems or
personnel can utilize that information. It is incumbent
on him to mark important data amounts and to add
additional information when necessary. Furthermore,
he is the link to the pilot and coordinates and supports
the pilot in his work. The analyst as well as the pilot
relies on the central geographical information system-
supported situation representation that provides an
overview of the whole local situation. The geographi-
cal relations as well as the visualization of the situa-
tion and the position of the sensors and sensor plat-
forms are established here. This includes, for exam-
ple, the footprints of cameras or the position and
heading of MUAVs or UGVs.
The pilot's workstation is designed to control many
different sensor platforms. It is not clear which sensor
platforms will be used in the future and which status
information will be provided by the different systems,
or which information is needed to control future plat-
forms. For this purpose, the pilots workstation provi-
des a completely adaptable user interface that allows
selectively activating or deactivating the required dis-
plays. An artificial horizon, for example, is unneces-
sary while controlling a stationary swiveling camera,
but very helpful for controlling an airborne drone. The
GUI can be adapted to the particular circumstances
and is configurable for a wide range of standard ap-
plications. No matter which sensor platform the user
is currently controlling or supervising, the user inter-
face stays the same. The user does not have to switch
between different proprietary control stations.
In the current state of development, the operator
working at the pilots workstation is highly assisted
by the AMFIS System. The software carries out stan-
dard maneuvers like starting and landing as well as
creating multi-MUAV flight plans with a single click
(see [1] and Figure 3 for visualization). Although the
analysts workstation offers software features like
time shifting of sensor data, the user has to do most of
the image interpretation himself.
To reduce the workload of the analyst and to fit the
most common application scenarios, Fraunhofer
IOSB developed several image exploitation algo-
rithms which are described in the next sections.

Figure 3 A Micro Unmanned Aerial Vehicle (MUAV)
in Action, Remotely Controlled by AMFIS

4 Image-based Georeferencing
Using MUAVs for mobile surveillance, georeferenc-
ing of video frames can hardly be done just by means
of onboard navigation equipment due to its low accu-
racy. Then again, security surveillance of well-known
areas can be considered a predominantly cooperative
situation. General preparations like preprocessing an

Figure 2 AMFIS Ground Control Station
153
orthophoto can help to solve the problem of geoloca-
tion of objects detected in MUAV videos.
We assume a monocular video stream from a straight-
line-preserving camera. The availability of GPS/INS
is not constantly needed but useful for the initializa-
tion. Differences in illumination and appearance be-
tween orthophoto and video frames should be mod-
erate. Furthermore, we assume negligibly small depth
of the scene compared to the sensors altitude. In this
case, a suitable model to describe the frame-to-frame
mapping is a 2D homography [2]. We denote the ho-
mography between the frame I
t
captured at time t of
the sequence and the orthophoto by H
t
and the trans-
formation between the frames I
t
and I
j
by H
j,t
. Interest
points in the frame I
t
will be denoted by x
t
and in the
orthophoto by X. In order to estimate the homography
from point correspondences contaminated with out-
liers, robust methods, such as Random Sample and
Consensus (RANSAC) [3], are used. We modify the
standard RANSAC-procedure with T
1,1
-test (as de-
scribed in [4]) in order to speed up the processing.
Finally, two different methods are used in order to de-
termine point correspondences. For two consecutive
frames, the assumptions of rather short baseline and
little change in illumination are reasonable in the ma-
jority of cases. Therefore, standard KLT-tracking [5]
is robust enough for tracking x
t
into the next frames.
In order to relate interest points between orthophoto
and video, scale-, rotation-, and/or illumination-
invariant feature descriptors are computed and compa-
red. Examples of this kind of detectors can be found
in [6] [7]. In our experiments, we achieved the best
results using interest points detected by the SIFT-
approach (Scale Invariant Feature Transform) [7]. The
initial homography x
1
H
1
X is estimated using inter-
est points localized by the SIFT-algorithm or using
non-image information sources. In the AMFIS system
this can be done by the base station, assuming the
base stations geo-coordinates are given. The homo-
graphy between frame I
t
and the orthophoto is com-
puted incrementally: H
t
=H
t,t-1
H
t-1
. This common ap-
proach to perform image mosaicking is called intra-
sensorial registration. Pure image mosaicking usually
leads to severe deviations for reasons stated below.
First of all, the estimation of the local homography
H
t,t-1
can fail due to tracking errors (e.g. when tracked
points get lost or a frame is badly disturbed by radio
interference). The global homography can fail due to
accumulation of errors in the calculation of H
t
. To
cope with these problems, the system must become
aware of them. In the case of local homography,
RANSAC will yield an insufficient number of inliers
or an unfavorable distribution of inliers within the
frame. For certain points, we compute the reprojection
error and compare it with the threshold s. In our expe-
riments, s was chosen to be 1 to 2 pixels. If the num-
ber of inliers (points with registration error below s) is
low or if there is no inlier in any quarter of the frame,
the homography H
t,t-1
will be rejected. The global ho-
mography H
t
is checked by computing registration
errors in the orthophoto and the frame I
t
, which is
done by reprojection of tracked points. We use similar
criteria for rejecting H
t
. Even the initialization can
fail. In order to cope with this problem, we simply re-
ject H
t
in periodic lags (every 15 to 20 frames in our
experiments). If either H
t,t-1
or H
t
was rejected, we ex-
tract new interest points in the current frame and use
the last reliable value H
t-1
as an initialization for H
t
.
Then we use again descriptor-based matching to re-
initialize the process. This step is called intersensorial
registration.
If the background is mostly homogeneous (like
meadow or asphalt), some minor preparations of the
environment, e.g. applying artificial landmarks,
should be allowed. To keep the orthophoto up-to-date,
the process described above can also be used for actu-
alization.

Figure 4 Flow-chart of the Image-based Georefe-
rencing Process, see also [9]

Figure 4 illustrates the entire process. For virtually
every pixel in the MUAV video the geo-coordinate
can be computed and sent to the AMFIS station for
further processing.
The georeferencing of MUAV videos would not be a
valuable tool for surveillance if it is not suited for
real-time applications. The intrasensorial registration
as well as the mosaicking is already widely used in
various real-time processing systems (e.g., [8]). The
most time-consuming part in the whole process of
georeferencing, namely the registration of video
frame to the orthophoto, in contrast, needs some acce-
154
leration to keep the process from slow down. For on-
line georeferencing, it is indispensable to compute the
interest points and descriptors on the GPU of a mod-
ern graphics card [9] at a rate high enough and to
maintain a sophisticated (with respect to intrasensorial
and intersensorial registration) architecture of the
software [9].

5 Moving Object Detection and
Georeferencing
Moving objects tend to be of special interest in sur-
veillance applications; furthermore, moving objects
detection is a suitable application for illustrating the
advantages of online georeferencing of MUAV vid-
eos. Separating moving image region from back-
ground is generally a simple task if the camera itself
is not moving: compute a difference image from two
consecutive frames and extract all pixels higher than a
threshold. AMFIS may also control a considerable
amount of stationary cameras. For MUAV video
processing, a registration and transformation of con-
secutive frames into a common coordinate system is
necessary. This step is already done by the intersen-
sorial and intrasensorial registration described in sec-
tion 4. To separate moving image regions, we propose
an approach named Time-Recursive High-Pass Filter-
ing [11]. During Time-Recursive High-Pass Filtering,
n frames I
t-1
,I
t-2
,,I
t-n
are registered onto the frame I
t

by means of homographies H
t,t-1
,H
t,t-2
,,H
t
,
t-n
. The
difference image D
t
is computed according to:

( )
n
t t m t,t -m t -m
m=1
1
D = I w H I ,
n

where w
m
regulates the weight of the frames and H(I)
is an image obtained after every pixel of I was resam-
pled by H. Regarding the sensor motion, it makes
sense in our case to set 4 n 6
.
The separation of the
object from its background is the result of either a
threshold decision (illustrated in Figure 5) or a seg-
mentation of stable regions according to the procedure
of Maximally Stable Extremal Regions (MSER) [12].
After separation, a chain of morphological operations
is applied in order to close object contours. Compared
to alternative moving object detection methods, Time-
Recursive High-Pass Filtering requires slightly more
computational work and yields results after a latency
of n frames. However, our experiments showed one
major clear advantage that is particularly positive for
MUAV applications: the image stacking reduces a lot
of image noise before the difference image is com-
puted. For georeferencing of detected moving objects,
the image coordinates of the lowest pixel of the region
(if the frame shows an upright image, otherwise, a dif-
ferent corner of the region has to be chosen) is trans-
formed into geo-coordinates. The homography H
t
is
used for transformation into orthophoto-coordinates to
geo-coordinates is trivial since we use georeferenced
orthophotos. In our experiments, the error of geoloca-
tion usually does not exceed 2 meters and an average
error of about 1 meter can be considered realistic. The
coordinates and other object-related information like
size, speed or direction of motion (derived from a se-
quence of computed locations) will be bundled and
sent to the AMFIS station for further use.

Figure 5 A moving person has been detected (left:
three positions marked in the mosaic) and geolocated
(center). Right: Positions annotated in the orthophoto

Figure 6 Two trucks have been detected and tracked
on an MUAV mission. Since every frame of the video
is georeferenced, those tracks can be marked in a map

Instantaneous georeferencing of situation reports can
be particularly useful if an object is reported by dif-
ferent sources, e.g. an MUAV and a stationary cam-
era, looking from a different direction. In this case,
the operator has to decide whether all reports refer to
the same object or several different objects. This criti-
cal decision could be taken much more well-founded,
if it is supported by automatic real-time assigning of
geocoordinates.

6 Object Classification
As result of the previous section, we are able to detect
image regions where motion is observed. Even though
it is useful to drag the systems attention to certain
scene regions, it is not sufficient to allow for the as-
155
sessment of the situation since the observed motion
could have been the result of many different events,
such as lighting changes or irrelevant objects (e.g.,
animals). To decide whether the motion was generat-
ed by an object of interest in this case, by a person
an additional classification step has to be performed.
This classification could be performed directly on the
basis of the motion segments. The disadvantage, how-
ever, is that motion segmentation based on change
detection is a difficult and error-prone task: specifical-
ly in outdoor scenarios sudden lighting changes result
in motion segments that do not necessarily coincide
with real world objects. For this reason, we employ an
approach that is directly based on the camera image
and can additionally be applied to an image region
where motion has been observed.
In a training step, an Implicit Shape Model (ISM) of
the relevant object class is trained based on sample
images of this object class. In this training stage, an
appearance codebook is generated by extracting SIFT
[8] features in the training images and clustering these
features in descriptor space. The cluster centers build
the codebook basis by using every cluster center as a
prototype for a codebook entry. In a second step, the
location of the features, i.e. the object center offsets,
are used to build a spatial distribution for each code-
book entry. This distribution is used in the object
classification step to localize objects of the trained
class in an input image.

Figure 7 Sample Results of the ISM-tracking. Dif-
ferent classes of local features are marked in differ-
ent colors.

Given the input image, SIFT features are extracted
and matched with the codebook prototypes. For an
image feature, codebook entries the similarity of
which exceeds a certain threshold are activated. The
feature distributions of these activated entries cast
probabilistic votes for possible object center locations.
The weight of such a vote is determined by the simi-
larity of codebook prototype and image feature (the
similarity is based on the squared Euclidean distance).
To determine the locations of objects of the relevant
class, a maxima search is conducted in the three di-
mensional voting space which consists of the two im-
age dimensions and a scale dimension.

Figure 8 Results of the ISM-tracking. This sample was
taken from an MUAV video.

The result of the mean-shift maxima search is a num-
ber of object hypotheses which each consists of a
number of votes that have been generated by certain
SIFT image features. The score of such a hypothesis
is the sum of the scores of all votes which are inside
the mean-shift kernel at the point of convergence. Us-
ing this score, a classification decision is made by re-
moving hypotheses with a too low score. This ap-
proach can determine whether an image region con-
tains an object of interest or not (compare Figure 7).
In addition to the classification of objects in single
input images, object tracking can be performed with
the extensions made in [13]. In this case, the single
image object detection is extended to the ISM-
tracking that considers image sequences and builds
tracks by a combination of model-based tracking and
tracking-by-detection. This tracking can stabilize ob-
ject detection and thus increase classification perfor-
mance in difficult situations. Sample tracking results
are shown in Figure 8.

7 Outlook
Future work on the AMFIS system will include more
support services to facilitate surveillance tasks, en-
hanced cooperation of available assets and increased
autonomy of unmanned vehicles. Furthermore, addi-
tional vehicles, such as fixed-wing systems, and fur-
ther sensor types, e.g. a detector for inflammable gas-
es, will be integrated.
Since the success of image-based georeferencing
usually depends on adequate iconic information, sup-
plementary methods shall be evaluated and imple-
mented. One promising approach is based on match-
ing of structural information. The concept is described
in [14].

156
References
[1] Florian Segor, Axel Brkle, Matthias Kollmann,
Rainer Schnbein: Instantaneous Autonomous
Aerial Reconnaissance for Civil Applications - A
UAV based approach to support security and
rescue forces, The 6th International Conference
on Systems ICONS 2011, January 23-28, 2011 -
St. Maarten, The Netherlands Antilles, 2011
[2] Richard Hartley and Andrew Zisserman: Mul-
tiple View Geometry in Computer Vision,
Cambridge University Press, 2000
[3] Martin A. Fischler and Robert C. Bolles: Ran-
dom Sample Consensus: A Paradigm for Model
Fitting with Applications to Image Analysis and
Automated Cartography, Communications of
the ACM, vol. 24, no. 6, pp. 381-395, 1981
[4] Ji Matas and Ondej Chum: Randomized
RANSAC with Td,d test, Proceedings of the
British Machine Vision Conference (BMVA),
vol. 2, pp. 448-457, 2002
[5] Bruce D. Lucas and Takeo Kanade: An Iterative
Image Registration Technique with an Applica-
tion to Stereo Vision, Proceedings of 7th Inter-
national Joint Conference on Artificial Intelli-
gence (IJCAI), pp. 674-679, 1981
[6] Herbert Bay, Tinne Tuytelaars, and Luc Van
Gool: SURF: Speeded Up Robust Features,
Proceedings of the 9th European Conference on
Computer Vision, 2002
[7] David G. Lowe: Distinctive Image Features
from Scale-Invariant Keypoints, International
Journal on Computer Vision (IJCV), vol. 60, no.
2, pp. 91-110, 2004
[8] Alessandro Bevilacqua and Pietro Azzari: A
Fast and Reliable Image Mosaicing Technique
with Application to Wide Area Motion Detec-
tion, Image Analysis and Recognition, 4th In-
ternational Conference (ICIAR), Montreal, Can-
ada, pp. 501-512, 2007
[9] Changchang Wu: A GPU Implementation of
Scale Invariant Feature Transform (SIFT),
http://cs.unc.edu/~ccwu/siftgpu, 2007
[10] Peter Solbrig, Dimitri Bulatov, Jochen Meidow,
Peter Wernerus, Ulrich Thnnessen: Online
Annotation of Airborne Surveillance and Recon-
naissance Videos, The 11th International Confe-
rence on Information Fusion, Kln, Germany,
pp. 1131-1138, 2008
[11] Christopher R. Wren, Ali Azabayejani, Trevor
Darell, and Alex Pentland. Pfinder: Real-Time
Tracking of the Human Body, IEEE Transac-
tions on Pattern Analysis and Machine Intelli-
gence, vol. 19, no. 7, pp. 780-785, 1997
[12] Ji Matas, Ondej Chum, Martin Urban, and
Tom Pajdla: Robust Wide Baseline Stereo
from Maximally Stable Extremal Regions, Pro-
ceedings of the British Machine Vision Confe-
rence (BMVA), vol. 1, pp. 384-393, 2002
[13] Kai Jngling and Michael Arens: Detection and
Tracking of Objects with Direct Integration of
Perception and Expectation, Proceedings of the
Int. Conference on Computer Vision (ICCV
Workshops), pp. 1129-1136, 2009
[14] Eckard Michaelsen, Klaus Jaeger: A GOOGLE-
Earth based Test Bed for Structural Image-based
UAV Navigation, FUSION 2009 in Seattle,
Proc. On CD, IEEE-ISIF, ISBN: 978-0-
9824438-0-4, pp. 340-346, 2009

157
Towards Smart Infrastructures
for Modern Surveillance Networks
Ren Golembewski and Michael Rossberg and Guenter Schaefer
Telematics and Computer Networks Research Group, Ilmenau University of Technology, Germany
Abstract
Nowadays, large-scale surveillance systems can be found in wide distributed security infrastructures or, more
regional, in big cities with highly frequented public transportation networks. Already the latter ones consist of
thousands of cameras with continuously enhancing quality, producing enormous amounts of multidimensional
and high-resolution multimedia data. While new hardware technologies lead to the evolution of so called Smart
Cameras with embedded processing and communication capabilities, distributed algorithms become more and
more important concerning efficiency and robustness against attacks or malfunctions. Ongoing improvements in
algorithms for robust object recognition and growing distributed processing power, are expected to enable sur-
veillance systems to work more and more autonomously, similar to wireless sensor networks. Thus, one im-
portant step in this direction is to support distributed applications and algorithms by developing intelligent com-
munication infrastructures and help spawning an efficient and robust network of smart devices. Within this arti-
cle the problem of distributed topology estimation is discussed in detail and a first solution approach is given.
Furthermore, we provide an overview of our simulation framework aimed to support computer vision research
by evaluating distributed algorithms in large, heterogeneous networks.

1 Introduction
Security in urban areas is one important field of re-
search and development due to the expectation that in
the future more than half of the 7 billion humans are
expected to live in cities. One major goal is to keep
people, buildings, and infrastructure free from vandal-
ism and crime. But also the planning and optimization
of urban traffic or public transportation needs intelli-
gent solutions to support the administrative personnel.

To achieve these goals future surveillance infrastruc-
tures will primarily make use of distributed smart
cameras (DSCs) that are characterized by the combi-
nation of integrated systems, computer vision (CV),
and sensor networking technology [1,2], and com-
municating via arbitrary, heterogeneous transport
networks.

A distributed setup in a metropolitan area will hence
consist of hundreds or thousands of DSCs, spanning
all over the city and analyzing the events. The net-
work connectivity for each system can be provided by
any kind of Internet uplink.

But using public networks for communication impli-
cates strong security requirements and an efficient use
of resources in order to keep operational costs at af-
fordable levels. Figure 1 depicts an exemplary net-
work of seven high-resolution cameras, attached to
computing devices for further processing and distrib-
uted communication without any centralized instance.

Figure 1 Distributed Smart Camera Network
While this outlook goes far beyond current operating
principles, where only small amounts of cameras are
used for live monitoring and most of the material is
solely analyzed reactively in case of an incident, there
is no alternative to online analysis, if preventive steps
shall be taken. Current urban surveillance infrastruc-
tures rely on centralized components for these analyt-
ical steps, leading to potential bottlenecks and gener-
ating single points of failure. Exposed targets for sab-
158
otage attacks are a direct consequence of the centrali-
zation, and also privacy should be considered, if we
think about a solitary huge database with potentially
intimate information.

Thus, the forecasted change towards a distributed
communication paradigm requires the development of
new algorithms in many different fields of applica-
tion. CV approaches should be validated in distributed
systems, and networking performance has to be made
measurable to prove functionality. Since refining and
evaluating those algorithms is not trivial in the ab-
sence of suitable test-setups, benchmarking frame-
works can help to deal with these problems.

The rest of this article describes scenarios with de-
rived objectives and states the need for proper
benchmarking solutions. We are presenting first re-
sults and give a case study for the problem of topolo-
gy estimation in distributed systems. Finally, a con-
clusion is made and further research topics are out-
lined.
2 Scenarios and Objectives
In the following section, after a short definition of our
understanding of smart camera networks, exemplary
scenarios are presented and analyzed in order to iden-
tify the requirements. Afterwards, most recent issues
for the development of smart communication infra-
structures are extracted.
2.1 Smart Camera Networks
Smart Camera Networks (SCNs) form loose alliances
of DSC nodes, connected by any kind of heterogene-
ous networking infrastructure, e.g., the Internet. The
main task of a camera device is not longer the deliver-
ing of video material to a central server farm or a ded-
icated processing cluster, as with growing advance in
signal processing and embedded devices [3] DSCs
can transmit meta-information and aggregated results
of their local analysis, only.

To define a more abstract model, we attribute all the
features of standard PCs to the interconnected smart
devices, because of the continuously increasing pro-
cessing power of embedded devices (cf. Fig. 1). Thus,
a DSC is able to make use of long-term memory, gen-
eral-purpose processors, special image processing
hardware, and an external power supply. Especially,
the latter delimits DSCs from the concept of wireless
sensor networks, in which the nodes are usually bat-
tery-powered and may thus not perform powerful cal-
culations. From an operators point of view, the whole
network shall provide collaboratively processed in-
formation, and it should also work fully autonomous-
ly even in the case of partial failures (graceful degra-
dation).
2.2 Topology Estimation in Smart
Camera Networks
In order to support location-aware applications and
enable efficient communication algorithms, an effi-
cient virtual communication topology is required, e.g.
cameras observing similar events should form a clus-
ter in order to align own observations with a macro-
scopic situation.

An important issue in this context is the self-
calibration of the networks, e.g., to automatically de-
duct the logical topology, estimate camera positions,
and detect structural problems. A definite arbitration,
which cameras interact, may solely happen based on
common events, as the physical topology and also the
geographical circumstances are not necessarily deci-
sive to determine the logical neighborhood. Thus, one
main objective is using exclusively visual information
to fulfill this task. Furthermore, it cannot be expected
that different cameras have shared fields of view
(FOVs) to support calibration or object tracking, be-
cause it is not economical in many large-scale scenar-
ios if multiple DSCs cover approximately the same
area. Therefore, we suggest to perform such a map-
ping by using object recognition, e.g., a person or car
that appears in one camera and was shortly seen be-
fore in another one indicates that both cameras are
linked.

Figure 2 Topology Estimation depending on the
movement of objects
Other difficulties arise with steadily changing envi-
ronmental conditions and mobility. Approaches trying
a calibration with special well-known training objects
would not be applicable in that case, due to the con-
stantly demand for recalibration.

At the present time, most recent topology estimation
solutions known to the authors [4] do not fully com-
ply with the already mentioned objectives:

High number of distributed cameras
Large area of application
No overlapping fields of view
159
Highly dynamic adaptivity
Difficult environmental conditions

We are working on a solution for the given estimation
problem and try to identify the main difficulties when
relying on noisy detection results and unreliable
transport networks. Decoupled from individual CV
algorithms, we want to give an approximation of the
required communication effort to achieve self-
calibration, and identify ways to optimize, support,
and extend networks of DSCs.
2.3 Intelligent Video Surveillance of
Safety-Critical Areas
Due to the mostly limited security personnel capaci-
ties, it is not possible to monitor all available imaging
devices at a time. Furthermore, humans are often not
able to fully recognize large and complex scenes,
spanning over many different camera views, because
of the flood of information. Therefore, intelligent sur-
veillance systems should analyse the whole scenario
in real-time and inform security service personnel on-
ly in case of an alert. This can be the case if the sys-
tem identifies suspicious luggage, or strange behav-
iour of people.

However, there are also situations where manual in-
tervention is needed, like the search for specific per-
sons or the pursuit of potential criminals. Intelligent
surveillance systems should be able to give an advice
of the most probable position and prior movement
patterns.

Contributions of ongoing research in computer vision
technologies show steady improvements on many top-
ics like face recognition [5,6], age estimation [7], gait
recognition [8], pose classification [9], and motion
detection [10]. The resulting challenge is now to
communicate the outcome of those CV approaches to
the network in an efficient and yet secure manner, en-
abling algorithms to generate hypotheses of observed
situations.
2.4 Urban Traffic Planning
One more interesting chance of camera surveillance is
to support the establishment of Smart Cities [11] and
Smart Traffic Systems. By adding more functionality
to distributed traffic observing cameras, it can be pos-
sible to deduct more efficient rules for traffic man-
agement or navigation software. Taking into account
the detected (and anonymized) official registration
numbers of vehicles, an estimation of complex flows
can be made to extend the traditional plain traffic
counting facilities.
But the more decisive part of transforming existing
systems to a distributed solution is to achieve robust-
ness, high availability, and privacy, independently
from a centralized server infrastructure. Again, in this
scenario we can find high dynamics and fast changing
circumstances, potential fields of application for self-
calibrating algorithms.
3 Solution approaches
In this section we want to state the first solution ap-
proaches of our research. Because of the large variety
of targeted distributed systems, we introduce an eval-
uation framework, built upon a discrete-event simula-
tor with replaceable transport networks, which is used
to develop novel algorithms and validate results.
3.1 Evaluation Environment
Figure 3 gives a high level view of our systematic
strategy to cope with many kinds of different problem
domains: The core simulation of our environment is
coupled to the extensible modules for Communica-
tion, Traffic Generation, Computer Vision, and Visu-
alization. Because of the strict separation of commu-
nication and platform specific programming code, all
implemented features can easily be migrated on native
Linux/Unix systems.
Figure 3 System Overview
The principal challenge in developing a smart infra-
structure for modern surveillance networks is to start
with a reasonable and well-founded model of possible
scenarios and conditions. While, the size of DSCs is
well known to reach hundreds or thousands of camer-
as, there physical and geographical topology cannot
be assumed to be randomly structured. Thus, within
our framework a Traffic Generation part is in charge
Trafc
Generation
Simulation,
Evaluation,
Testing
Visualization
Computer
Vision
Communication
160
of providing realistic camera topologies and of gener-
ating human traffic that is presented to the Computer
Vision part subsequently as input and enabling users
of the framework to evaluate any desired CV algo-
rithm by just implementing it as an extension of the
simulated DSC node. Hereby the output of the CV is
not limited to a named person. Every kind of detecta-
ble thing can be transformed into a complex feature
vector with properties like speed, structure, size, di-
rection, or in the case of humans, e.g., face, gait, pos-
ture, and age. This vector is an extensible data struc-
ture, e.g., an XML file.

The actual communication mechanism between the
DSCs is detached from the simulated transport net-
work where arbitrary topologies and protocols can be
used, like UDP or TCP, optional over wired links or
radio. All acts of communication are organized in a
layered fashion, and the DSC nodes are forming a
logical overlay network, depending on the imple-
mented behaviour. Due to the fact that DSCs are han-
dling sensitive data, also security and privacy issues
have to be considered and evaluated. The simulation
therefore will support the implementation of attacker
models as well as according countermeasures.
3.2 Distributed Topology Estimation
Algorithm: A Case Study
To underpin the strengths of the presented approach a
first implemented and evaluated use case is presented.
The previously concerned distributed topology esti-
mation algorithm that uses only the movement pat-
terns of visually identified objects, and without over-
lapping FOVs shall reveal the potential of our modu-
lar benchmarking platform.

The used algorithm can be seen as a form of distribut-
ed consensus algorithm with spatio-temporal-analysis
of distributed events that are communicated between
DSC nodes and used for finding correspondences af-
terwards. While trivial broadcasting of events is
working in simple scenarios, it has scalability issues,
and will only be considered for comparison here.

Instead, within the proposed system nodes will build
local clusters, based on an occasional message ex-
change with other nodes. If multiple events are de-
tected at several nodes within a configurable time pe-
riod, they assume to have a logical relationship result-
ing as an edge in the vision graph. Subsequent events
will only be communicated within clusters and the
emerging vision graph describes the logical topology
of the camera network.

To evaluate the algorithm a scenario with an area of
and 100 DSCs was simulated,
whereby the density of nodes in the center is higher
than in the outer zone in order to model an urban
downtown area. Figure 4 shows the directed input to-
pology graph with edges for simulated traffic flows.
Edges and also nodes have an additional capacity pa-
rameter, modelling the maximum number of objects
on lanes and places. This parameter allows the simu-
lation of congestion and also to evaluate ways for de-
tecting it.
Figure 4 Input Topology Graph with Traffic Flows

Traffic data is generated simultaneously by per-
sistent objects, which start from arbitrary entry points
and move on the previously defined input topology.
Each objects speed is modelled by a normal distribu-
tion . After reaching the
destination node, a new visual entity is generated
from a set of feature vectors and a new desti-
nation is chosen.

The detection of objects is simulated via an out-of-
band communication between traffic generator and
DSCs, to prevent an influence on the traffic measure-
ments in the transport network. Further parameters for
detection rate and false-positive rate describing the
quality of object recognition. For our simulation we
have chosen a detection rate and a false posi-
tive rate for event correspondence.

The transport network for nodes is modelled by a sin-
gle routing instance with adjustable delay and datarate
on all links, simulating Internet transmission proper-
ties. The applications within the cameras use UDP for
communication and all nodes are assumed to reach
others directly via the communication infrastructure.

After a simulated time of 3600s we get the result that
is depicted in Figure 5. In this case we used broad-
casting of events for all nodes to reach global
C
0
43
1
25
91
2
54
62
3
8
22
29
84
4
82 5 66
6
57
90
7
33
64
13
9
74
10
11
42
12
72 14
15
67
16
27 17
19
79
18
44
53
65
20
41
98
21
88
23
46
24
73
31
38
26
61
28
35
96
36
48
30
81
32 39
94
34
56
78
37 59
77
58
40
51
71
68
85
45
70
47
86
49
99
50
80
52
89
55
63
76
95
60
69
93
97
83
75
87 92
a
b
c
d
161
knowledge and demonstrate the accuracy of our im-
plemented estimation algorithm, when the bound
detection rate and false positives are deactivated.
Figure 5 Estimated Vision Graph (Broadcasting)
Based on the first simulation run, we can now have a
look at the evaluation of the proposed clustering algo-
rithm that we expected to be more sophisticated, con-
cerning communication expenditure. Again, Figure 6
shows the estimated neighborship graph, but now in-
correct and/or missing edges can be seen due to the
limited communication.
Figure 6 Estimated Vision Graph (Clustering)
In order to underpin the advantage of the saved com-
munication resources that were traded in for a slightly
worse detection rate, another experiment was con-
ducted. Here the accumulated message frequency for
node communication was recorded in 32 independent
simulation runs for each scenario to reach statistical
significance. Figure 7 shows the distribution of mes-
sage frequencies over different node counts, as well as
the 99% confidence interval and minimum/maximum.
According to expectations, broadcasting needs much
more messages to be transmitted than the optimized
clustering algorithm. Preferring the communication
with detected neighbors and reducing the notification
of potential non-involved nodes can save resources,
while only slightly delimiting the quality of topology
estimation.
Figure 7 Comparison of communication efforts in
reference system and presented approach
In order to allow for a detailed evaluation of parame-
ter changes and influences of different disturbance
variables, metrics have to be developed and tested.
With our further research we want to provide not only
new approaches to DSC self-configuration, but also
an extensible framework to evaluate these distributed
algorithms and visualize processes in real-time. The
latter should help developers monitoring the system
behaviour and identify problems.
5 Conclusion
Within this article, a first approach for modeling and
evaluating a distributed topology estimation algorithm
based on smart camera networks was presented. We
introduced a high-level description of our simulation
framework and named objectives for future camera
networks.

0
0.5
1
1.5
2
2.5
3
3.5
4
4.5
5
5.5
25 50 75 100 125 150 175 200
Number of Nodes
M
e
s
s
a
g
e
s

[
1
/
s
]
Broadcast
Clustering
162
Ongoing research will focus on the development of
more sophisticated distributed algorithms for object
and situation detection, as well as aspects of efficien-
cy, security, and models for realistic camera environ-
ments.
References
[1] B. Rinner and W. Wolf, An Introduction to Dis-
tributed Smart Cameras, Proceedings of the
IEEE, vol. 96, Oct. 2008, pp. 1565-1575.
[2] M. Valera and S. Velastin, Intelligent distribu-
ted surveillance systems: a review, Vision,
Image and Signal Processing, IEE Proceedings-,
IET, 2005, p. 192204.
[3] Y.M. Mustafah, A. Bigdeli, A.W. Azman, and
B.C. Lovell, Face detection system design for
real time high resolution smart camera, Third
ACM/IEEE International Conference on Distri-
buted Smart Cameras (ICDSC), IEEE, 2009, pp.
1-6.
[4] R.J. Radke, A survey of distributed computer
vision algorithms, Aghajan (Eds.), Handbook of
Ambient Intelligence and Smart Environments,
Citeseer, 2008, pp. 1-21.
[5] V. Atienza-Vanacloig, J. Rosell-Ortega, G.
Andreu-Garcia, and J. Valiente-Gonzlez, Pe-
ople and luggage recognition in airport sur-
veillance under real-time constraints, 19th In-
ternational Conference on Pattern Recognition
ICPR, IEEE, 2008, p. 14.
[6] G.-F. Lu, Z. Lin, and Z. Jin, Face recognition
using regularised generalised discriminant loca-
lity preserving projections, IET Computer Visi-
on, vol. 5, 2011, p. 107.
[7] Y. Fu, G. Guo, and T.S. Huang, Age synthesis
and estimation via faces: a survey., IEEE
transactions on pattern analysis and machine in-
telligence, vol. 32, Nov. 2010, pp. 1955-76.
[8] D. Kim and J. Paik, Gait recognition using acti-
ve shape model and motion prediction, IET
Computer Vision, vol. 4, 2010, p. 25.
[9] V. Maik, D.T. Paik, J. Lim, K. Park, and J. Paik,
Hierarchical pose classification based on hu-
man physiology for behaviour analysis, IET
Computer Vision, vol. 4, 2010, p. 12.
[10] M. Murakami, J.K. Tan, H. Kim, and S. Ishika-
wa, Human motion recognition using directio-
nal motion history images, Control Automation
and Systems (ICCAS), 2010 International Con-
ference on, IEEE, 2010, p. 14451449.
[11] A. Caragliu, C. del Bo, and P. Nijkamp, Smart
cities in Europe, 3rd Central European Con-
ference in Regional Science CERS, 2009, pp.
45-59.

163
Application of Special Purpose Blast Sets for Personal Rescue in a
Hazardous Environment
Doc. Ing. Pavel Fiala, Ph.D,

Department of Theoretical and Experimental Electrical Engineering, Faculty of
Electrical Engineering and Communication, Brno University of Technology, e-mail: fialap@feec.vutbr.cz,
phone: +420 541 149 510
Ing. Ing-Paed IGIP Miroslav Janek, Ph.D. Explosives expert, mjanicek@tiscali.cz
Abstract
The authors propose and discuss the principles of special personal rescue technology [7, 8, 9 and 10] applicable
for traffic accidents in a hazardous environment (such as a highway pile-up). These rescue techniques utilise
special blast sets and igniters. The related theoretical analyses and models are presented together with the results
of experimental testing of the proposed technology.

1. Introduction

Two basic types of rescue technology are currently
used for vehicle extrication of automobile crash
victims in a hazardous environment (multiple vehicle
collisions). While the first group comprises hydraulic
rescue tools, various cutters and spreaders in
particular [1, 2, 3, 4, 5 and 6], the other category
includes a wide variety of electric or power angle
grinders and saws. The choice of a suitable

technology to be applied is always derived from the
concrete situation and it depends on several aspects;
among these aspects there are mainly the accessibility
of the crashed motor vehicles or their particular
components and the actual usability of a rescue tool
for the manipulation with individual parts of the
crashed objects (Fig.1). ). In concrete instances of
application, however, the requirements placed on
rescue tools often do not correspond to their technical
characteristics and potential: for example, we can note
at this point that only the top quality hydraulic cutters

Fig. 1 Photodocumentation of multiple vehicle collisions and hydraulic tools application
164
at this point that only the top quality hydraulic cutters
are capable of clipping the steel of automobile foot
pedals. During real rescue events, this drawback is
often compensated for by means of angle grinders
(saws), which are used to separate off the very rigid
door pillars or foot pedals and to open seized vehicle
elements such as lorry cabins. A major disadvantage
of angle grinders consists in the fact that the process
of steel cutting produces a bundle of hot sparks which
carry droplets of melted metal having a high capacity
of igniting susceptible materials. As fuel leaks (petrol
or oil leaks) often occur during multiple vehicle

2. Controlled Detonation Wave
The principle of the described method consists in

using a plastic detonating fuse to facilitate the
severingordisjunctionofvariouspillars,footpedals,
rivets, bolts, welds and other structural elements
appliedinautomotiveengineering.

Fig.2LowEnergyPlasticCordLEPC

Fig.3Plasticdetonatingfuseappliedforemergencybreakageof cockpitwindows
165
collisions, the use of angle grinders or saws during
rescue activities is not possible. Thus, the scope of
applicable rescue technology is limited only to
hydraulic tools, which are nevertheless bounded by
their specific technical parameters.
The abovementioned drawbacks and limitations of
the discussed methods related to personal rescue in
car accidents can be eliminated through an
introduction of new technologies and means using
mainly special blast sets and igniters; these new
approaches will enable us to sever crashed objects
regardlessoftheirthickness,strength,ortheapplied
production material (which is thus not limited to
steel). The related detonating fuse type is the LEPC
(Low Energy Plastic Cord), Ushaped (Fig. 2); this is a
special fuse utilizing the socalled directional effect
[7,8and9].Originally,thisinstrumentwasdeveloped
andusedforbreakingtheglasscockpitofsupersonic
aircraft (military aircraft in particular) in emergency,
immediately before the crew ejection (Fig. 3). The
detonating fuse shows the directional effect, which
means that the entire detonation impulse is utilized
only from the progressive side; thus, relative
protection of the unaffectedarea is secured. In view
of the fact, on the regressive side of this special
detonating fuse there is virtually no limitation as to
the presence of persons or animals and objects like
fuel or electronics within an immediate distance of
the cord. The detonation effect does not have any
negativeimpactontheimmediateenvironment(itis
important to note that, in an aircraft cockpit, the
detonatingfuseexplodeswithinadistanceofc.20cm
fromtheejectingpilotshead).
3. Special detonating systems

The group of special instruments applicable in a
hazardous environment as substitutes for the classical
rescue technology includes, among other items, the
unique modular detonating microsystem developed by
the Libra company [10]. Using this non-electric
system, the rescuers can prepare a detonating setup in
order to respond suitably to any momentary situation
when entering wrecked vehicles, heavy construction
equipment, or buildings through the windows and
doors. The system can be utilized also for rather
extensive demolition and blasting operations, and it is
not limited by the number of initiators or the distances
between individual charges. The Libra sets can be
used in tasks such as the liquidation of large
excavators or secondary blasting of rock; they are also
suitable for use under adverse atmospheric conditions
(in stormy weather) or in electricity distribution
centres, where electric blasting systems are forbidden.
Safe formation of openings (such as gaps facilitating
access for hydraulic cutters or lifting mechanisms) is
a rescue step where LIBRA microcharges find
application; as shown in Fig. 2, the related mass of
explosive equals to 7,5 or 8,2 g, and the
microcharges diameter is 18,5 mm.
These microcharges are constructed in such a
manner as to enable simple and quick connection
without utilizing other tools or devices to achieve the
required effect. The entire microcharge system is
specifically designed to facilitate the breaking of
locks, rivets, bolts, journals, pins and other elements.
Interestingly, as the aim is to achieve a more intensive
penetration effect, the actual structure of the system
makes it possible for rescuers to work under different
operating angles towards the object intended for
blasting. Therefore, the set also includes holders that
not only guarantee easier manipulation with the
charges during preparatory procedures, but also
provide a simple way of keeping the cumulative
microcharges in the required direction. The
connection between several microcharges (where
instantaneous transfer of the detonation is required)
can be secured by the LEPC plastic detonating fuse,
microdetonators, or standard no. 8 detonators; this is
made possible by the fact that the detonator well of
cumulative microcharges has a diameter of 7mm and,
for alternative reasons, is equipped with sealing rings
for fixed connection to any type of detonator. The 8,2
g LIBRA microcharge is capable of reliably breaking
through a steel plate having 50 mm in thickness.

Fig.4 LIBRA microcharges
4. Conclusion

The advantage of the proposed method of utilizing
new ways, principles, and effects of personal rescue
and property salvage in a hazardous environment
consists mainly in its simplicity and effectivity. These
two aspects are nevertheless further complemented
with the applicability of the method for accidents in
which only a small number of people (rescue
specialists) are involved and for situations when the
use of regular rescue technology is limited or
excluded. Other significant assets of the above-
166
described blast systems include the overall safety,
reliability and fast positioning; thanks to these
aspects, rescuers can have at their disposal an
alternative method complementing the classical
rescue tools.
The proposed method or principle of applying special
blast sets and igniters is predominantly characterized
by its superior parameters, simplicity, safety, and
rapid realization with only a small number of
intervening rescuers.
Significantly, it is assumed that in certain situations
this method may become the only utilizable
instrument due to the rapidity of application, which is
a criterion that may substantially limit (or even
exclude) the use of classical rescue procedures and
technology.

Acknowledgement:

The research described in the paper was
financially supported by FRV (a fund of university
development), by research plan No. MSM
0021630513 ELCOM, No. MSM 0021630516, and
grant Ministry of Industry and Trade of the Czech
Republic, FR-TI1/368. BUT internal grant BD-
FEKT-S-10-13

References:

[1] Bojov d jednotek porn ochrany -
taktick postupy zsahu vydalo
Ministerstvo vnitra generln editelstv
Hasiskho zchrannho sboru esk
republiky (The fire fighting units action
manual: tactical intervention procedures.
Issued by the Mnistry of the Interior of the
Czech Republic, management board of the
Fire Rescue Service of the Czech Republic
[2] Act no. 240/2000 Coll., On Crisis
Management (the crises act)
[3] Decree no. 247/2001, On the Organization
and Activity of Fire Fighting Units
[4] Decree on technical specifications of fire
fighting technology no.247/2001 Coll., On
the Organization and Activity of Fire
Fighting Units
[5] Mnistry of the Interior of the Czech
Republic, management board of the Fire
Rescue Service of the Czech Republic, The
fire fighting units action manual: tactical
intervention procedures in traffic accidents
on overland roads
[6] Mnistry of the Interior of the Czech
Republic, management board of the Fire
Rescue Service of the Czech Republic,
Reference number: MV-96828-2/PO-2008,
Catalogue file of typified activities ST
08/IZS, Typified activities of the Integrated
Emergency System units during a collective
intervention in a traffic accident
[7] US PATENT - # 4495867
[8] US PATENT - #4232606
[9] http://www.valka.cz/clanek_1185.html
[10] http://www.libraas.com/30-vybusniny.html
167
Elimination of a Tanker Fire through Shock Wave Interference
Doc. Ing. Pavel Fiala, Ph.D, Department of Theoretical and Experimental Electrical Engineering, Faculty of
Electrical Engineering and Communication, Brno University of Technology, e-mail: fialap@feec.vutbr.cz,
phone: +420 541 149 510
Ing. Ing-Paed IGIP Miroslav Janek, Ph.D, Explosives expert, mjanicek@tiscali.cz
Abstract
A non-traditional approach to the elimination of road and railway tank fires is presented in the paper together
with the related discussion. The proposed solution consists in utilizing the interference of shock waves that are
induced by highly explosive substances. Within the analysis, the authors introduce the results of numerical
modelling of the dynamical system behaviour and include the basic verification of the solution, which is realized
by means of the related experimental model. The paper also contains a comparison of the results as well as a
SWOT analysis table characterizing the proposed technology.

1. Introduction

Current activities related to the elimination
of flammable liquid fires are characterized by the
regular and predominant use of selected classical
extinguishing methods [1, 2]. The methods applied
in suppressing the fires of mobile containers or
tankers holding flammable substances (liquids,
gases) usually involve classical fire fighting
technologies using aqueous foam or solid wetting
agents [3, 4]. Depending on concrete conditions, the
fire-extinguishing substance is put on the tanker
along its entire surface from the frontal, lateral, or
top position. The main objective of such procedure
is to inhibit the burning and to decrease temperature
within the burnt area; thus, we can change physical
conditions of the combustion and avoid any
dynamical transformation of the fire into an
explosion. As noted above, the concrete situation is
always the determining factor, mainly in view of
the accessibility and surface of the fire. The
emergent fires are suppressed by means of various
fire retardants including special chemicals that slow
the combustion and fire progress by reducing
oxygen content in air. The fires of flammable
liquids stored or transported in tankers can be
extinguished also by the help of aircraft, mainly
special fire helicopters; however, application of
these vehicles is limited by the necessity to use
foam or wetting agents as the only utilizable
extinguishing substances [5, 6]. In order to gain
control of any fire, the firefighters have to resolve
three key problems or factors, namely temperature,
oxygen, and fuel. In extinguishing flammable
liquids, these problems are usually reduced to the
possibility of removing or reducing the access of air
oxygen to the flames.

2. Design of a Fire Elimination
Method Utilizing a Controlled
Explosion

Tanker fires on railway tracks or roads are often
poorly accessible for fire-fighting trucks and other
heavy equipment, and this condition constitutes a
significant problem as classical fire extinguishing
methods frequently have to be used. In this context,
the main disadvantage of the classical methods
consists in two aspects, namely the use of high-
pressure hoses and limited access to water sources.
Owing to these drawbacks, it is often necessary to
realize a very demanding transfer of fire-fighters
and the related bulk of technical equipment to
suppress a mere local fire which is nevertheless
situated in difficult terrain [7, 8]. In such
conditions, considerable damage to property may
arise in addition to personal health risks. Another
important factor is the actual length of the fire
suppression process; with long quenching of
burning liquid fuel there is a high probability that
the fire will eventually produce a detonation and
spread itself in the surroundings, Figs. 1 and 2. The
above-described drawbacks and limitations of
known fire extinguishing methods related to
flammable liquids transported by road or railway
tankers can be substantially reduced by the
proposed novel technique of eliminating such liquid
substance fires [9]; more concretely, the discussed
method is a procedure utilizing the interference of
shock waves induced by the explosion of blasting
agent charges. The principle of the technique
168
consists in creating a direct or concave operational
line formed by a homogeneous detonating system
[9] (Fig. 2) or, alternatively, by individual
detonating elements; these elements are then
interconnected by means of a quick match string
(Fig. 3) that carries the detonation pulse. The total
detonating potential of the operational line
corresponds to a speed of 4200 to 6700 ms
-1
. If we
use the new model of electronic detonators, then
each detonator is placed separately in the individual
detonating elements and, subsequently, the relevant
programming is carried out. Thus, we may
eliminate the process of interconnecting the
individual charges (detonating elements) by means
of the quick match string that carries the detonation
pulse (the detonating fuse - cord). The exact
distance between this line for centralized detonation
launch and the actual burning object depends on the
fire intensity. The explosion of a charge in air or a
compressible fluid is accompanied by the
propagation of a shock wave from the place of
detonation; this wave progressively loses its energy
until it converts itself into an acoustic wave, whose
speed is identical with the speed of sound
propagation. If the shock wave collides with a solid
barrier, it reflects from this barrier and acts on it
with a reflective pressure (whose value may reach
as high as thirty six times the pressure on the shock
wave front). These characteristics determine the
eventual destructiveness of the shock wave.
However, the reflective pressure value in acoustic
waves constitutes merely a double of the pressure
on the shock wave front. It is possible to prevent
the propagation of fire by means of exploding
charges arranged in two rows (or in a circle); this
arrangement enables us to ulitize the interference
energy of the impact and the reflection related to
two (or several) shock waves. The interference of
two circular (or spherical) waves occurs, for
example, during the explosion of two charges
which are placed within a sufficient distance from
each other (Fig. 5). Thus, undulations are generated
that propagate simultaneously against one another
from the direction of both sources. If two charges of
the same explosive having an identical weight are
blasted at the same moment of t
0
, they oscillate in
identical phases. The resulting interfered wave is
then given by the superposition of both travelling
waves. If both charges are blasted at the same
moment of t
0
, the wavefronts travel against each
other and, after colliding at the speed of v
0,
they
induce a backward wave; this wave, however, has a
speed of v
0
that may be up to 64-fold higher, which
constitutes a double (the sum) of both reflective
pressures. If we allow simultaneous induction of
waves from two elongated charges arranged in a
parallel way, with the fire area located between the
charges, we obtain a situation when both the blast
Fig. 2 Photodocumentation of a tanker railway collision
169
waves collide and reflect at a multiple speed in the
middle of the fire area. The effect is multiply more
intensive in comparison with the application of only
one detonating wave, and the advantage of the
solution consists in the fact that elongated charges
can be located at a greater distance from the fire.

3. Variants of the Fire Elimination
Method Utilizing a Controlled
Explosion

A homogeneous detonating system can be formed
advantageously using a continuous elongated
charge, Figs. 3 and 5. A heterogeneous fire-
quenching (operational) line usually consists of
individual detonating elements; these elements can
Fig. 1 Photodocumentation of a tanker highway collision

Fig .3 Elongated charges positioned to
extinguish a burning tanker
Fig .4 Arrangement of concentrated charges
extinguishing the fire of a railway tanker
170

Fig. 5a Distribution of pressure p(t), elongated charges, in times t=100s
Fig. 5b Distribution of pressure p(t), elongated charges, in times t=300s
171

Fig. 5c Distribution of pressure p(t), elongated charges, in times t=350s
Fig. 5d Distribution of pressure p(t), elongated charges, in times t=550s
172

be set up by the help of concentrated charges (Figs.
4 and 6), partial elongated charges, anti-tank or
anti-personnel mines, and explosive boxes
(containers). In order to transfer the related
detonation pulse, we can utilize instruments such as
a detonating fuse or a new electronic detonator
specially developed for the discussed purpose [9].
Fig. 6b Distribution of pressure p(t), concentrated charges, in times t=5.4s
Fig .6a Model 3D, initial state

173

Fig. 6d Distribution of pressure p(t), concentrated charges, in times t=100s
Fig. 6c Distribution of pressure p(t), concentrated charges, in times t=50s

174

Fig. 6e Distribution of pressure p(t), concentrated charges, in times of t=150s
Fig. 6f Distribution of pressure p(t), concentrated charges, in times of t=250s
175

Depending on the applied initiators and detonation
pulse transfer instruments, the detonation process is
then started by means of fire initiation, electric
ignition, or remote control.

4. Conclusion

The main advantages of the proposed method of
local surface (ground) fires elimination using
blasting technics consist in its simplicity,
effectivity, and application characteristics. The last
of these points primarily refers to possible
utilization of the method in emergencies where only
a small number of people (rescuers) are involved or
where water is available only with considerable
difficulty. These aspects of the discussed method
are further demonstrated on the reduced
experimental models, Fig.5. Significantly, this fire
extinguishing technique does not require the use of
heavy or special machines and eliminates the
problems connected with the transportation of such
machines or related fire-fighting persons. Thus, we
may control and progressively extinguish even very
complicated fires, which are difficult to eliminate
by means of currently available technologies.
Above all, however, the proposed quenching
method provides a higher degree of protection

regarding the engaged fire-fighters and their costly
equipment.

Acknowledgements:

The research described in the paper was
financially supported by FRV (a fund of
university development), by research plan No.
MSM 0021630513 ELCOM, No. MSM
0021630516, and by a grant of the Ministry of
Industry and Trade of the Czech Republic, FR-
TI1/368., internal grant BUT BD- FEKT-S-10-
13

Fig. 6g Distribution of pressure p(t), concentrated charges, in times t=500s
176

Table 1: SWOT analysis related to the classical
and the novel technologies of eliminating the fires
of liquid flammable substances

References:

[1] Bojov d jednotek porn ochrany -
taktick postupy zsahu vydalo Ministerstvo
vnitra generln editelstv Hasiskho
zchrannho sboru esk republiky (The fire
fighting units action manual: tactical intervention
procedures. Issued by the Mnistry of the Interior of
the Czech Republic, management board of the Fire
Rescue Service of the Czech Republic)
[2] Vilmek, M.,: Nedouc hoen por,
Konspekty odborn ppravy jednotek porn
ochrany Vydalo Sdruen pornho a
bezpenostnho inenrstv Ostrava 2008, s
pispnm sttn dotace Ministerstva vnitra
Generlnho editelstv Hasiskho zchrannho
sboru R, vytiskl tiskrna Kleinwchter Frdek -
Mstek 2. aktualizovan vydn, ISBN: 80-86111-
46-6 (Spurious Burning Fires: Professional
training abstracts. Issued by the Association of Fire
Protection and Safety Engineering under financial
support from the Ministry of the Interior of the
Czech Republic, management board of the Fire
Rescue Service of the Czech Republic).
[3] Government Decree no. 172/2001 Coll.,
laying down the rule of procedure for the Act on
Fire Prevention
[4] Act no. 133/1985 Coll., On Fire
Prevention
[5] Act no. 240/2000 Coll.., On Crisis
Management (the crises act)
[6] Decree no. 247/2001, On the Organization
and Activity of Fire Fighting Units
[7] Government decree no..49/2003 Coll.,
Decree on technical specifications of fire fighting
technology
[8] Decree on technical specifications of fire
fighting technology, no. 247/2001 Coll., On the
Organization and Activity of Fire Fighting Units
[9] Janek, M.,: Dizertan prce: Vyuit
trhac techniky pi mimodnch udlostech, ev.
slo: 28900220103001,ilinsk univerzita v iline,
Fakulta pecilnho ininierstva, ilina 2010
(Dissertation: Application of Blasting Technics in
Emergencies, reg. no. 28900220103001, ilinsk
univerzita v iline, Faculty of Special Engineering)
177
Acoustic-Generator Based on a Small Rocket-Burner with Inter-
mittent Combustion to Dissolve Violent Demonstrations
Helmut Schmid, Fraunhofer Institute for Chemical Technology (ICT), Germany, Mail: sd@ict.fhg.de
Abstract
The use of an acoustic-generator based on a smart rocket-burner with intermittent combustion is a new approach
to fight against violent demonstrators with adequate means. This small, lightweight and autarkic device can be
used as a de-central solution. The acoustic generator produces low-frequency sound waves below 100 Hz with
high volume outwardly directed to the target. Resonance effects with inner organs trigger nausea so that areas
with violent demonstrators may be cleared quickly and effectively. The apparatus can be operated easily and
handled by one person, is mobile, non-human-toxic, environmental-friendly and low in price.

1 Introduction
Undeniably it is necessary to fight against violent
demonstrations with adequate means in order to en-
sure de-escalation. Today e.g. armoured vehicles
equipped with water cannons are widely used to gen-
erate physical impacts. This procedure is relatively
safe, but complex, expensive and low effective. Pep-
per spray cartridges fired from pistols or rifles can put
attackers out of action in advance but a health risk
must be considered. The legality according to interna-
tional chemical weapon control is still under discus-
sion.
A new approach is the use of an acoustic-generator
based on a smart rocket-burner with intermittent
combustion.
2 Method
An acoustic-generator based on a smart rocket-burner
is a special application of a gas- generator-technology.
The small, lightweight and autarkic device can be
used as a de-central solution. The acoustic-generator
can produce sound waves in the audible range of fre-
quencies (20 100 Hz). By appropriate design of the
gas-generator, the volume is adjustable, whereby
sound pressures above 100 dB are easily achievable.
Additional functionalities such as fog generator, fire
extinguishing or expulsion system can be supple-
mented if necessary. The apparatus can be easily op-
erated and handled by one person, is mobile, non-
human-toxic, environmental-friendly and low in
price. The acoustic-generator uses a gas-generator as
active functional unit. Steady-state or intermittent re-
action principles can be applied. Gas-generators ([1]
[9]) can be seen in connection with systems capable
of particle-production and production of thermal en-
ergy, where also hybrid-systems can be applied.

Figure 1 Acoustic-generator based on a smart rocket-
burner (source: Stahl).
3 Results
A gas-generator may preferably use solid or liquid
fuels as energy source, where combinations with oxi-
dizers are possible. In any case it is important to con-
trol the gas- formation-reaction so that all require-
ments of the expulsion and water-fog-generation can
be optimally fulfilled. The pressure-build-up in a
combustion chamber (ballistic bomb) can be calcu-
lated and predicted considering gas-dynamics and the
following integral-equations for mass-, impulse- and
energy-conservation (symbols according DIN-
specification):

178

These tools are used to design the gas-generator. In
the selected example of a fast burning system a good
correlation between experimental and calculated p(t)-
data could be achieved (Fig. 2).
Another important parameter describing the behavior
of a solid gas-generator is the Linear- Burning-Rate r,
which either can be calculated directly from the p(t)-
data or determined experimentally in an optical bomb.
This value can be additionally T-dependent. Usually
the results at different pressures are plotted in a lgr
(lgp) - diagram, where the slope (gradient) represents
the so called Pressure-Exponent , considering
Vielles-Law. should be < 1 in order to achieve a
stable combustion at high pressure.

Figure 2 Pressure-build-up of a fast reacting solid
gas-generator. Experimental data + and calculated
data * according the explained algorithms show a
good correlation.
In the case of liquid hydrocarbons the combustion
with air can be performed in the simplest way at low
pressure-level in a pulsejet-engine with flutter-valve
(see Fig. 3).
)
_
) )
=
= +
S
L
j
j
V V
dS M dA N dV
t
1
,
c
c
, 0 = + + +
) ) ) )
S S V V
dS dS dA dV
t
f u
c
c
)
_
) ) )
=
= + + +
S
L
j
j j
S V V
dS M H dS q dA N p E dV E
t
1
, ) (
c
c
)
_
) )
=
= +
S
j
L
j
j
V V
dS M R dA N R dV R
t
,
1

c
c
)
_
) )
=
= +
S
j
L
j
j
p
V
p
V
p
dS M C dA N C dV C
t
.
1

c
c
,
2 1
2
u
+
p
E
)
_
) )
=
= +
S
L
j
j
V V
dS M dA N dV
t
1
,
c
c
, 0 = + + +
) ) ) )
S S V V
dS dS dA dV
t
f u
c
c
)
_
) ) )
=
= + + +
S
L
j
j j
S V V
dS M H dS q dA N p E dV E
t
1
, ) (
c
c
)
_
) )
=
= +
S
j
L
j
j
V V
dS M R dA N R dV R
t
,
1

c
c
)
_
) )
=
= +
S
j
L
j
j
p
V
p
V
p
dS M C dA N C dV C
t
.
1

c
c
,
2 1
2
u
+
p
E

Figure 3 Principle sketch of a pulsejet-system
(source: swingtec).

A carburetor supplies the combustion-chamber
through an open valve with an ignitable fuel/air-
mixture. Reaction starts after ignition with a spark
plug. The pressure increases, closing the valve and
expelling reaction gases including working-fluid
through nozzle exit. The subsequent step is character-
ized by a pressure-drop, opening the flutter-valve, so
that the initial step can be repeated. The whole proc-
ess can be described as an intermitting reaction. Ad-
vanced versions use an aerodynamic valve (see Fig.
4)
.
0
0
2
.
0
0
4
.
0
0
6
.
0
0
p
[
M
P
a
]
.00 20.00 40.00 60.00 80.00
t [ms]
.
0
0
2
.
0
0
4
.
0
0
6
.
0
0
p
[
M
P
a
]
.00 20.00 40.00 60.00 80.00
t [ms]
*
*
*
*
*
* *
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
* * * * * *

Figure 4 Principle sketch of a pulsejet-system with
aerodynamic valve [J] (source: SNECMA, escopette).

*
+
+
+
+
+
+
+
++
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+++
+++
+
+
+
+
++
+
+
179

Figure 5 Suggested use of the acoustic-generator to
break up demonstrations (source: Tagesschau.de).
4 Summary / Conclusion
To ensure de-escalation violent demonstrations must
be fought with adequate means. Today armoured ve-
hicles equipped with water cannons are widely used
to generate physical impacts. This procedure is rela-
tively safe, but complex, expensive and low effective.
Pepper spray cartridges fired from pistols or rifles can
put attackers out of action in advance but a health
risk must be considered. The legality according to in-
ternational chemical weapon control is still under dis-
cussion.

The use of an acoustic-generator based on a smart
rocket-burner with intermittent combustion is a new
approach. This small, lightweight and autarkic device
can be used as a de-central solution. The acoustic
generator produces low-frequency sound waves be-
low 100 Hz with high volume outwardly directed to
the target. Resonance effects with inner organs trigger
nausea so that areas with violent demonstrators may
be cleared quickly and effectively. The apparatus can
be operated easily and handled by one person, is mo-
bile, non-human-toxic, environmental-friendly and
low in price.
5 Perspective
Numerous adaptation-developments are in progress. It
is quite clear, that modification on the gas-generator
as well as on the working-fluids opens up a wide
range of applications. As an additional functionality
the use of a latent marking approach that facilitates
the identification of criminals is particularly promis-
ing.

References
[1] Schmid, H.; Ebeling, H.; Eisenreich, N.; Gas
Generators for Fire Extinguishing in Cars,
ISATA Conference, Florence, Italy, 16.-
19.06.1997.
[2] Schmid, H.; Ebeling, H.; Eisenreich, N.; Langer,
G.; Weiser, V.; Untersuchung der Abbrandei-
genschaften umweltfreundlicher Gasgeneratoren
(Investigation on Burning Properties of Envi-
ronmental Friendly Gas Generators), 28th In-
ternational Annual Conference of ICT, Karlsru-
he, Germany, 24.-27.06.1997.
[3] Schmid, H.; Ebeling, H.; Eisenreich, N.; Weiser,
V.; Development of Gas Generators for Safety
Systems, 1st International Conference on Proc-
ess Safety, Internet Conference, 27.-29.01.98
[4] Schmid, H.; Ebeling, H.; Eisenreich, N.; Weiser,
V.; Development of Gas Generators for Fire
Extinguishing, Eurofire 97, BSMEE (Belgian
Society of Mechanical and Environmental Engi-
neering) The Institution of Fire Engineers Bel-
gian Branch, Brussels, 12.-14.03.1998
[5] Schmid, H.; Eisenreich, N.; Schubert, H.; Vari-
ous Gas Generator Designs for Car Occupant
Protection, SAE- Conference, Detroit, USA,
23.-26.02.1998.
[6] Schmid, H.; Hirth, Th.; Eisenreich, N.; Eyerer,
P.; Ziegahn, K.-F.; (ICT); Saur, K.; Hoffmann,
R.; Gabriel, R.; (PE); Total Life-Cycle-
Assessment as a decision supporting tool: Dem-
onstration for airbag components, 4th Interna-
tional Symposium and Exhibition on Sophisti-
cated Car Occupant Safety Systems (Airbag
2000+), Karlsruhe, Germany, 30.11.-02.12.1998.
[7] Schmid, H. et al.; Intelligent airbag model sys-
tem based on environmental friendly gas genera-
tors, 4th International Symposium and Exhibi-
tion on Sophisticated Car Occupant Safety Sys-
tems (Airbag 2000+), Karlsruhe, Germany,
30.11.-02.12.1998.
[8] Schmid, H.; Baier, A.; Neutz, J.; Weiser, V.;
Methods to characterize the flame structure of a
gas generator, 4th International Symposium
and Exhibition on Sophisticated Car Occupant
Safety Systems (Airbag 2000+), Karlsruhe, Ger-
many, 30.11.-02.12.1998.
[9] Schmid, H.; Baier, A.; Eisenreich, N.; Neutz, J.;
Schrter, D.; Weiser, V.; Gas Generator Devel-
opment for Fire Protection Purpose, Propel-
lants, Explosives, Pyrotechnics 3/99.

180
FP7 Project ETCETERA - Evaluation of critical and emerging
technologies for the elaboration of a security research agenda
Joachim Burbiel, Fraunhofer INT, Germany
Stefanie Goymann, Fraunhofer INT, Germany
Steven Savage, FOI, Sweden
Javier Herrera Lotero, Tecnalia, Spain
Abstract
The ETCETERA project is a contribution to effective and efficient security research planning on a European
level. Its aim is three-fold:
1. to develop novel methodologies for future strategic research planning,
2. to identify risks and potential benefits associated with Critical Dependencies and Emerging Technologies with
security implications, and
3. to recommend research plans to deal with these risks and potential benefits.

1 Introduction
1.1 Background
Evaluation of critical and emerging technologies for
the elaboration of a security research agenda (ET-
CETERA) is the name of a project addressing Topic
SEC-2010.7.0-3 Critical and emerging technologies
for security within the security theme of the 7th
Framework Programme. The topic asked for:
1. Identification of technology areas needed for secu-
rity purposes, specifically those where European in-
dustry is dependent from other world regions for
these technologies. Alternative technological solu-
tions are then to be sought to allow European pro-
duced security equipment to be used / sold / deployed
worldwide.

Figure 1 General structure of the project

2. Identification of topics within the Emerging Tech-
nologies of the future (10-20 years ahead), which are
suitable to set out high risk, high pay-off research pri-
orities. The study should
provide an in-depth analysis of different emerging
technology areas,
identify issues relevant to civil security research,
and
outline recommendations for future research priori-
ties.

181
1.2 Concept
The ETCETERA project takes up the two-fold struc-
ture of the topic by dealing with the issues Critical
Technologies and Emerging Technologies in two
separate but interrelated research strands (see Fig-
ure 1). Each strand is further divided into three work
packages (WP) that will be carried through in a se-
quential manner. A further work package deals with
project management (WP 7). Two Consultation Cam-
paigns will generate input from technical experts,
end-users, and public authorities for both strands.

1.3 Goals
The ETCETERA project is a contribution to effective
and efficient security research planning on a Euro-
pean level. Its aim is three-fold:
1. to develop novel methodologies for future strategic
research planning (e.g. through synthesis of known
methods in WP 4),
2. to identify risks and potential benefits associated
with Critical Dependencies and Emerging Technolo-
gies with security implications (WP 2 and WP 5), and
3. to recommend a research agenda to deal with these
risks and potential benefits (WP 3 and WP 6).

As an example for the development of new method-
ologies, an approach, similar to the scenario tech-
nique, but involving the use of a specifically designed
Weighted-bit Assessment Table (WBAM) will be ap-
plied in Strand 1 Critical Technologies and the 2nd
Consultation Campaign. Such a system does not exist
yet as an evaluation tool for Critical and Emerging
Technologies and thus constitutes a relevant innova-
tion in research planning. Furthermore, the military
DTAG method will be adapted to civil security set-
tings. Both methods are aimed to provide a platform
for efficient communication between stakeholders of
various backgrounds.
Among the methods applied for generating research
recommendations, a novel methodology for economi-
cal assessment of high risk/high pay-off technologies
deserves special notice. It is to be developed by a
group of academic and research & technology organi-
sation (RTO) researchers with involvement of indus-
trial specialists that work together for the first time as
members of the ETCETERA consortium.

1.4 State of the art
Thematic planning efforts concerning EU Security
Research started with meetings of the Group of Per-
sonalities (GoP) in 2003 and 2004. As an outcome,
the European Security Research Advisory Board (ES-
RAB) was created. In this board, comprising approx.
70 persons and supported by over 300 experts, the
foundations of what is now the Security area of the
7th Framework Programme were laid. From Septem-
ber 2007 to September 2009 an even larger pro-
gramme, the European Security Research and Innova-
tion Forum (ESRIF), aimed at devising a medium- to
long-term strategy for European security research.
While these actions were conducted directly by the
European Commission (EC), several advisory pro-
jects were carried through in a parallel fashion. These
were financed by the EC through research and sup-
port grants. The first project in this line of develop-
ment was the Security Network for Technological Re-
search in Europe (SeNTRE, December 2004 to Janu-
ary 2006), that aimed at supporting ESRAB through
the provision of expert advice. From January 2007 to
May 2008 the STAkeholders platform for supply
Chain mapping, market Condition Analysis and Tech-
nologies Opportunities (STACCATO) enlarged the
efforts of SeNTRE to all 27 member states. It also
aimed at creating a network of security technology
suppliers and users with the goal of achieving a more
integrate European security market. One of the out-
comes was the STACCATO Taxonomy, which tried to
integrate all security related technologies and capa-
bilities into one systematic framework. The Coordina-
tion action on Risks, Evolution of threatS and Context
assessment by an Enlarged Network for an r&D
rOadmap (CRESCENDO) project was granted as part
of the first security research call (Work Programme
2008) and ran from July 2009 to July 2011. Its aim
was to collate information from a diversity of expert
sources into R&D-roadmaps.
The Security Technology Active Watch (STRAW)
project was initiated in October 2008. The aim of this
project is to collect information from a variety of
stakeholders and to transfer it to the public at large,
public authorities, and the research community. While
STRAW focussed on the positive aspects of new tech-
nologies, Foresight of Evolving Security Threats
Posed by Emerging Technologies (FESTOS), which
runs from March 2009 to October 2011 looks a their
dark sides. The results of these projects will be
taken into consideration when the ETCETERA pro-
ject is implemented.
Of course, scanning technologies for security implica-
tions is not a purely European effort. As an example,
the US Department of Homeland Security features a
Science & Technology Directorate. Its mission is to
improve homeland security by providing to customers
state-of-the-art technology that helps them achieve
their missions. It has established a Science and Tech-
nology Transition Program to define major research
and development needs. Furthermore, the Homeland
Security Advanced Research Projects Agency
(HSARPA) was established in 2002 to foster the de-
velopment and adaption of new technologies for secu-
rity applications.
The security implications of new technologies are of
concern to military actors, too. One of the interna-
tional efforts to deal with Disruptive Technologies is
the Disruptive Technologies Assessment Game
182
(DTAG) conducted by NATO-RTO. Several RTOs of
the ETCETERA consortium are involved in this activ-
ity, and an approach to adapt this method with a mili-
tary background to civil security settings is part of the
ETCETERA project.

1.5 Consortium partners
The ETCETERA project will be carried out by a con-
sortium of 14 partners from seven European coun-
tries. A core group is constituted by the Fraunhofer
Society, FOI and Tecnalia. Further research and tech-
nology organisations (RTO) of the consortium are Is-
defe, AIT, CEA, TNO, VDI-TZ, and CSSC. This
group of RTO is complemented by two industrial
partners (Morpho and Ansaldo STS), a university
(UDE) and two end-user organisations (SSBF and
ComSec).

Figure 2 Location of consortium parties
2 Description of Work
2.1 Strand 1: Critical Technologies
The first research strand (Work Packages 1 to 3) can
be envisaged as a collating and analysis exercise (see
Figure 3).
Starting from all possible technologies, all technolo-
gies indispensible for European security now and in
the near future will be identified in Work Package 1.
This will be achieved through extensive consultations
within the consortium and with external experts. The
list thus obtained will be validated through an itera-
tive mechanism.
In the second work package (WP 2), the validated list
of Critical Technologies will be analysed for Critical
Dependencies. Critical Dependencies arise if Euro-
pean industry is not non-dependent in providing criti-
cal technologies/systems/capabilities to end-users.
Those dependencies could be caused by extra-
European intellectual property rights (IPR), trade and
academic restrictions, restrictions due to high classifi-
cation in dual-use technologies, and economic chal-
lenges (e.g. shifting production sites, lack of speciali-
sation in EU industry, deficient research orientation,
hindering or underdeveloped norms and standards,
failing business models).
The last work package of Strand 1 (WP 3) will pro-
pose and prioritise alternative solutions to alleviate
the Critical Dependencies identified. In the case of
solutions of technological nature, implementation
measures, including appropriate research agendas,
will be developed.
Strand 1 is associated with the 1st Consultation Cam-
paign which includes five parallel workshops held at
five locations and in six languages. The use of local
languages is an effort to incorporate the diversity of
European working practices by removing language
barriers.

Figure 3 Outline of Strand 1 Critical Technologies

2.2 Strand 2: Emerging Technologies
In the first work package of Strand 2 (WP 4), Emerg-
ing Technologies will be scanned for their security
implications in 10 to 20 years time. These implica-
tions might have the form of high risk/high pay-off
opportunities, but also of future threats. Three scan-
ning methods will be performed in a parallel fashion:
AIT will use bibliometric methods for the survey. A
broad range of sources will be electronically exploited
to identify relevant information using AIT's Bib-
TechMon approach.
Fraunhofer INT will exploit its broad technological
knowledge base which will be supplemented by addi-
tional analyses of relevant studies and expert inter-
views.
Isdefe will apply its proprietary systematic approach
to prepare a further independent list of Emerging
Technologies with security implications.
FOI
SSBF
TNO
Fraunhofer
ComSec
VDI-TZ
UDE
AIT
Ansaldo STS
CSSC
CEA
Morpho
Tecnalia
Isdefe
183
A comparative analysis of the results of these three
methods will then be performed, leading to the ex-
plorative task of developing a novel method for this
kind of technology scanning.
Emerging Technologies identified to be most relevant
will be further analysed in the second work package
of this strand (WP 5). These in-depth analyses will
mainly be carried out by experts of consortium mem-
bers, with external specialists engaged for highly spe-
cific input. Furthermore, it is endeavoured to adapt
the originally military Disruptive Technology As-
sessment Game (DTAG) to civil scenarios and to set
up an evaluative scenario workshop (2nd Consulta-
tion Campaign).
In the last work package of the strand (WP 6) all re-
sults on Emerging Technologies will be considered
when developing recommendations for an Emerging
Security Technology Research Agenda (ESTRA).
Measures will be taken to ensure that ESTRA is com-
patible with existing national and European research
strategies. Ethical aspects will also be taken into ac-
count.

2.3 Stakeholder recruitment strategy
The 1st Consultation Campaign includes a double
stranded, multi-level strategy for the recruitment of
stakeholders (technical experts, industrial suppliers,
end-users and public authorities; see Figure 4):
The "push" strategy takes advantage of the knowl-
edge already available at the Consortium Parties, in-
formation available from previous security R&D ac-
tivities (both by Consortium Parties and other re-
search organisations), and information gained through
network analysis methods. Especially the Research
and Technology Organisations (RTO) in the consor-
tium can draw from a large pool of technical experts,
which ensures that a sufficient number of experts can
be recruited by the "push" strategy. A "Fast Lane" al-
lows inclusion of experts identified by these measures
for further consultation without going through the
questionnaire step.
The complementary "pull" strategy is a very open
approach, using advertising in journals and over pro-
fessional organisations, and an open internet platform
that might well attract technical experts and end-users
that would not be reached by research efforts of the
European Union by other means. Furthermore, the
advertising campaign can be seen as the basis of
broad dissemination of information about the ET-
CETERA project. On the other side, it is associated
with the risk that not enough qualified stakeholders
can be recruited.
The combination of "push" and "pull" strategies will
deliver a well balanced approach to input from many
stakeholders. Some possibilities for stakeholders to
get involved are: Approaching consortium parties for
inclusion in the push strategy, filling out the online
questionnaires, and registering with the website. For
further information about opportunities for joining the
process, please check the project website at
http://www.etcetera-project.eu/
1a. Identification of
stakeholders
A) Persons inside Consortium Parties
B) Persons known to Consortium Parties
C) Persons identified through existing lists or networks
(special attention given to gender aspects)
D) Persons identified through network analysis
The information from
the questionnaires is
pooled and analysed.
Push Strategy:
Pull Strategy:
2a. First contact with
identified stakeholders
Short pdf-questionnaires are sent to the stakeholders.
Different questionnaires will be used for technical
experts, authorities and end-users.
The questionnaires include the possibility to express
interest in further contribution
1b. Information of
stakeholders
Stakeholders are informed about the project through
editorial input and advertisements in relevant journals:
The information will include general information on the
project, the project website and the possibility to fill in a
short questionnaire.
2b. First contact with
informed stakeholders
The website contains short (5 10 min) questionnaires.
Different questionnaires will be used for technical
experts and end-users.
The questionnaires include the possibility to express
interest in further contribution
3. Second contact stakeholders
that expressed interest
in further contribution
Persons that have expressed interest in further
contribution are checked for fields of expertise and
background. They will be contacted again for one or
more further activities.
Invitation to a workshop
Telephone interview
Written contribution
4. Stakeholder database
for the 2nd Consultation
Campaign
The information gained in the 1st
Consultation Campaign will be used to
recruit stakeholders for the 2nd
consultation campaign
Information output
to WP 1, 2, and 4
Information output
to WP 1, 2, and 5
Fast Lane

Figure 4 Stakeholder recruitment strategy
184
3 Expected Impact
The expected impacts given in the topic addressed
are:
1. A list of critical technologies and a plan to deal
with these to allow 'non-dependence' for Europe and
2. a list of emerging technologies and a plan to deal
with these to set out high risk, high pay-off research
priorities.
In the ETCETERA project the list of critical tech-
nologies will be developed in WP 1, while the plan to
deal with gaps identified is dealt with in WP 3. The
requested list of emerging technologies is created in
WP 4 and the plan concerning research opportunities
is prepared in WP 6. The high risk/high pay-off aspect
is contributed in a quantitative manner.
Other goals given for Activity 10.7 Security research
coordination and structuring are
to utilise limited resources in an effective and effi-
cient manner,
to indicate opportunities and constraints for devel-
oping and strengthening a European security related
market,
to contribute to the overall impact of the Security
theme by making it more effective and efficient, and
to contribute to the design of future Work Pro-
grammes of the Security theme.
The ETCETERA project addresses these issues, both
by the lists and plans described above, and the meth-
odological progress expected as a result of the work
proposed:
By combining and adapting several known methods
for the identification of Critical Technologies (WP 1),
Critical Dependencies (WP 2), and alternative techno-
logical solution (WP 3) two goals will be achieved:
opportunities and constraints for developing and
strengthening a European security related market will
be identified (e.g. by pointing out technologies to be
exploited, or by identifying sectors were market fail-
ure is imminent), and a contribution to future Work
Programmes will be made (e.g. by pointing out areas
were applied research will give desirable results con-
cerning European competitiveness).
Within Strand 1 Critical Technologies the
Weighted Bit Assessment Method (WBAM) is
adapted to technology planning. This will give a
novel method both for organising planning results in a
coherent way, and for discussing these results with
stakeholders from diverse backgrounds.
The thorough analysis of the economic, legal and
IPR environment of Critical Technologies performed
in WP 2 will be fundamental for future planning ef-
forts concerning the building of a competitive Euro-
pean security market.
In WP 4 an effort is made to develop a truly novel
method for the identification of security implications
of Emerging Technologies. This effort consists of the
parallel execution of three very different methods for
technology assessment, a comparative analysis of the
methods, and the development of novel ideas. It is
expected that significant methodological advance will
be made, which will benefit the design of future Work
Programmes of the Security theme.
The in-depth analysis of selected Emerging Tech-
nology fields (WP 5) will contribute to the design of
future Work Programmes of the Security theme by
assessing research opportunities for technologies with
a time horizon of 10 - 20 years time.
This positive impact on future Work Programmes is
enhanced by the very comprehensive integration of
factors performed in WP 6. The recommendations for
an Emerging Security Technology Research Agenda
(ESTRA) will be a significant input for future re-
search efforts concerning basic research that will lead
to truly innovative security technologies in the middle
future.
The production of an overview of national security
research programmes in Europe (WP 6) will also be
beneficial to future research planning of the EU.
Research on the ethical impact of future security
technologies will accompany all planning efforts
within ETCETERA (WP 3, 5, and 6).
The economic method to be developed for the eco-
nomical assessment of high risk/high pay-off tech-
nologies (task 6.3) will be adjuvant for distributing
limited resources in an effective and efficient manner.

The Final Report will sum up these efforts and results.

References
[1] AeroSpace and Defence Industries Association
of Europe/ PASR (2008): STACCATO Final Ta-
xonomy. http://www.asd-
eurpe.org/site/fileadmin/user_upload/STACCAT
O_final_taxonomy.pdf, last updated 06.09.2008
[2] ESRIF (2009): ESRIF Final Report (WEB).
I527-290.
http://ec.europa.eu/enterprise/policies/security/fil
es/esrif_final_report_en.pdf, last updated
09.12.2009

185
Presentation of TALOS, a project of a mobile, scalable and
autonomous system for protecting European borders
Yolande Louvet, Jean-Claude Krapez, Jean Pierro, Stphane Barbe, Stphane Langlois,

ON!", #he $ren%h
"erospa%e Lab, $ran%e
&ariusz "ndrze'%za(, &ateusz Kozins(i, P)"P, Poland
Kora* "(+a*, #olga Yurda(ul, Sa,i -u,an, "SLS"N, #ur(e*
,el .r,e, .zle, -engize(, S#&, #ur(e*
Yael Libson, O/er Ben 0vi, )"), )sra1l
-avid 2utierrez, ##), Spain
"ri 3irtanen, 3##, $inland
)oannis Kand*las, 4"), 2ree%e
"ndrze' "da,%z*(, )##), Poland
Janusz Nar(ie5i%z, 67#, Poland
Si,ion -as%alu, B)C, !o,unia
#i,o #o,son, -e/ende%, stonia
!obert -elogne, SON"C", Belgiu,
Jarosla5 Nos(o5s(i, #ele(o,uni(a%'a Pols(a, Poland
Abstract
#"LOS 8#ransportable and "utono,ous Land bOrder Surveillan%e s*ste,, 5559talos-border9eu: is an integrated
pro'e%t /unded b* the uropean Co,,unit* in the ; $ra,e5or( Progra,,e 8Se%urit*:9 )ts duration is <==>-
<=?<9 #he ,ain ob'e%tive o/ #"LOS ,ultidis%iplinar* pro'e%t is to develop and /ield test the innovative %on%ept
o/ a ,obile, ,odular, s%alable, autono,ous and adaptive s*ste, /or prote%ting uropean e@ternal land borders9
#he %o,plete s*ste, uses both aerial and ground un,anned vehi%les, supervised b* %o,,and and %ontrol %en-
tre, but in the %urrent phase o/ #"LOS pro'e%t, the e,phasis is put on appli%ation o/ 7n,anned 2round 3ehi%le
8723:, %o,,uni%ation and abilit* to %o,,and and %ontrol9 #he ground plat/or,s 5ill be both the 5at%hing sta-
tions and the /irst rea%tion patrols, 5hi%h 5ill in/or, the Control and Co,,and Centre /or an intruder about
herAhis situation, and 5ill underta(e the proper ,easures to stop the illegal a%tion al,ost autono,ousl* 5ith su-
pervision o/ border guard o//i%ers9
#he ,ost i,portant /eatures o/ the s*ste, are s%alabilit*, autono,ous operation, ,obilit* and adaptabilit*9 )t 5ill
be eas* to Bs%aleC the s*ste, to the lo%al reDuire,ents su%h as border length and topographi% %onditions9 #he s*s-
te, ele,ents 5ould operate autono,ousl* using the set o/ rules de/ined b* Co,,and and Control %entre9 #he
rules ,odi/ied /ro, ti,e to ti,e during s*ste, operation 5ill adapt the s*ste, to the variable ta%ti%s o/ border
%rossing 8in the spe%i/i% patrol s%enario, area o/ operation, border topograph*, et%9: and 5ill %onstantl* i,prove
per/or,an%e in the long ter,9
#he rationalAinnovation behind the %on%ept is to provide a generi% s*ste, that %an be deplo*ed all over urope,
to sele%ted lo%ations, 5here there are intelligen%e 5arnings /or illegal intrusion or 5here a high level o/ illegal
a%tivit* is alread* reported9 #he s*ste, is &obile 8CEC %enters, 723s and 7"3s: and #ransportable 8%ontainers
on trailers: as opposed to $i@ed A Stationar* 8to5ers: surveillan%e and re%onnaissan%e ,eans9 )n #"LOS s*ste,,
F$i@edF observation to5ers are lo%ated onl* in pla%es not a%%essible b* ground vehi%les or not visible /ro, the
air andA or border lo%ations 5here <G hr surveillan%e is reDuired9 )n %ontrast to the %onventional Border 2uard
%on%ept o/ /i@ed /a%ilities installed along the entire length o/ the border, 5hi%h reDuire huge in/rastru%ture e@-
penses, the #"LOS s*ste, is ,ore versatile, e//i%ient, /le@ible and %ost e//e%tive9
#his paper provides a general des%ription o/ the #"LOS s*ste, and its high-level ar%hite%ture9 )t also des%ribes a
t*pi%al s%enario 5hi%h highlights ho5 the di//erent un,anned units %ooperate /or preventing illegal border %ross-
ing9 " des%ription is also given o/ ON!" i,pli%ation in the pro'e%t, na,el* the develop,ent o/ so/t5are /or
si,ulating the in/or,ation trans/erred /ro, and to5ards the virtual sensors as 5ell as the evaluation o/ the per-
/or,an%e o/ the opti% sensors on-board o/ the un,anned ground vehi%les9

186
1 TALOS system presentation
1.1 Operational Contet
Border se%urit* pla*s a (e* role in ,aintaining na-
tional se%urit*, establishing legal i,,igration, pre-
venting s,uggling and de/ending against hostile
threats9 6ea( borders se%urit* allo5s hostile intrud-
ers, s,ugglers, as 5ell as ,illions o/ illegal trespass-
ers9
" t*pi%al %onventional stationar* border surveillan%e
solution usuall* %onsists o/ observation to5ers, patrol-
ling units and border se%urit* stations, in order to
over%o,e illegal border intrusion9 $igure ? depi%ts the
operational %on%ept o/ a %onventional border surveil-
lan%e solution9

!igure 1" #*pi%al Border Se%urit* Operational Con-
%ept 2raphi%

!igure #" 4ierar%hi%al 3ie5 o/ Operational Nodes
and "%tors

" t*pi%al organization o/ Border 2uards is given
belo5 and in $igure < /or %o,,on understanding9
&ain Co,,and O//i%e A 4eadDuarters
o Co,,ander, O//i%ers, et%9
o &apA#errain &odel Supplier
!egional Co,,and O//i%e
o !egion Co,,ander, O//i%ers, et%9
Border Se%tor Station
o Se%tor Co,,ander, O//i%ers, et%9
Observing 7nit
Patrolling 7nit
)nter%epting 7nit

1.# $ission of TALOS system
#"LOS 8#ransportable and "utono,ous Land bOrder
Surveillan%e s*ste,: is planned to be a s*ste, used to
provide land border se%urit* ,ission %overing all o/
the operational needs 5ith less hu,an intera%tion9 )ts
/un%tionalities are going to be /o%used on surveillan%e
o/ land border areas bet5een the border %rossing
points9 #he #"LOS s*ste, 5ill enable ,ore e//e%tive
border surveillan%e and support the 5or( o/ the patrol-
lers to be sa/er and ,ore %onvenient9
Ke* /eatures o/ the s*ste, 5ill in%ludeH
#ransportabilit* I allo5ing /or deplo*,ent on
de,and in areas 5here threat o/ illegal a%tivit* is
observed
&obileAun,anned end units I enabling /aster re-
a%tion to intrusion and ,ore e//e%tive surveillan%e
"daptabilit* to the area and %hara%ter o/ opera-
tion
S%alabilit*
#"LOS Pro'e%t a//e%ts ,an* aspe%ts o/ no5ada*sC
border se%urit* and surveillan%e9 Organizations ,ostl*
interested in the pro'e%t are National Border 2uards
and $!ON#J "gen%*9
Border 2uards /ro, %ountries 5hi%h %onstitute the
eastern border o/ the uropean 7nion are interested in
the pro'e%t to strengthen the border se%urit*9 )n these
%ountries authorities at govern,ental and national
level are also sho5ing interest in #"LOS pro'e%t in
order to have ,ore se%ure and sa/er borders9

1.% TALOS solution
#he #"LOS s*ste, ai,s to provide a /ull solution /or
land border se%urit*9 )t %overs the /un%tionalities that
ta(e pla%e in 4eadDuarters and !egional Co,,and
Centres also in addition to the operations that ta(e
pla%e in the border zone9
" vie5 o/ des%ribing the #"LOS %on%ept is provided
in $igure K9 #"LOS ai,s to use un,anned s*ste,s as
,u%h as possible in order to de%rease the need /or
,anned patrols9 #he in/or,ation gathered /ro, un-
,anned vehi%les and stati% sensor to5ers 5ill be %ol-
le%ted at 7n,anned 7nit Co,,and Centre, ne%essar*
a%tions 5ill be ta(en and the reports about the situa-
tion 5ill be trans/erred to higher levels in the hierar-
%h*9 #he ,ain /un%tionalit* o/ 4eadDuartersA#heatre
187
Co,,and Centre 5ill be to guide and %ontrol the
overall operation in their responsibilit* area and to
provide the ne%essar* intelligen%e to the 7n,anned
7nit Co,,and Centres9

!igure %" S*ste, Con%ept 3ie5
1.& System nodes
"%tors o/ #"LOS s*ste, 5hi%h %an be identi/ied as
the BS*ste, NodesL o/ #"LOS are given belo5H
4eadDuarters
#heatre Co,,and Center
#heatre Surveillan%e 7nit
o 7n,anned 7nit Co,,and Center
Co,,ander OC7
723 OC7s
o 723-Observer
o 723-Patroller
o 723-)nter%eptor
o 7"3 S*ste,
7"3 OC7
7"3
o Stati% Sensor #o5er

#he ar%hite%ture o/ #"LOS s*ste, is given in $igure
G to $igure M9

!igure &" 4ierar%hi%al 3ie5 o/ S*ste, Nodes

"s it %an be seen /ro, $igure N, it should be noted
that the K- &apsA#errain &odel 2eneration Station is
%onsidered as a separate s*ste, as in so,e %oun-
triesAregions this /un%tionalit* ,a* be supplied b*
so,e organizations other than the #"LOS 4eadDuar-
ters9
#"LOS develop,ent 5ill span in t5o phases9 )n the
/irst phase, 4eadDuarters and #heatre Co,,and Cen-
tre 5ill not i,ple,ented but ,ost o/ their /un%tional-
ities are assu,ed to be /ul/illed and the 7n,anned
7nit Co,,and Centre behaves a%%ordingl*9 "s a ,at-
ter o/ /a%t, the K- &apsA#errain &odel 2eneration
Station 5ill be i,ple,ented in order to use the gener-
ated data in #"LOS s*ste, tests and de,o9

"lso, the /un%tionalities o/ Patroller 723 and )nter-
%eptor 723 5ill be i,ple,ented in a single 723
5hi%h 5ill be na,ed as PatrollerA)nter%eptor 723 in
the /irst phase o/ #"LOS pro'e%t i,ple,entation9
)t should also be noted that the 7"3 and its Opera-
tional Control 7nit 5ill onl* be si,ulated in the %ur-
rent i,ple,entation o/ #"LOS9
#he #"LOS s*ste, design ai,s to %over all s*ste,
nodes as sho5n in $igure N9 But as des%ribed above
%o,plete /un%tionalit* o/ so,e s*ste, nodes 5ill not
be i,ple,ented in the /irst phase o/ #"LOS pro'e%t9
$igure M sho5s 5hi%h o/ the s*ste, nodes 5ill be i,-
ple,ented 8in 5hite: and 5hi%h 5ill be le/t /or the
se%ond phase o/ the pro'e%t 8in gre*:9

188
System A
Headquarters
System C
Theatre
Command
Centre Theatre
Commander
OCU
System E
Observer
UGV
System G
Interceptor UGV
System Main OCU
System I
UAV System
OCU ! UAV"
System H
Static Antenna
and Sensor
System #
Unmanned
Unit Command
Centre
Subsystem #$
Commander
OCU
Subsystem #%
UGV OCU
Inter&ace A
Inter&ace '
Inter&ace C
Inter&ace $
Inter&ace %
Inter&ace (
System )
*atro++er
UGV
Inter&ace ,
System '
(# Maps-Terrain Mode+ Generation
Station
(# Maps-Terrain
Mode+ Specia+ist
.....
.....
Subsystem #(
/or+d Mode+ -
GIS Server
Inter&ace 0
Subsystem #,
Mu+timedia
Server
Subsystem #0
Communication

!igure '" #"LOS S*ste, Nodes

System 1
*atro++er-
Interceptor
UGV
/i++ be imp+emented in
*hase2I
System A
Headquarters
System C
Theatre
Command
Centre Theatre
Commander
OCU
System E
Observer
UGV
System G
Interceptor UGV
System Main OCU
System I
UAV System
Simu+ator
OCU ! UAV"
System H
Static Antenna
and Sensor
Simu+ator
System #
Unmanned
Unit Command
Centre
Subsystem #$
Commander
OCU
Subsystem #%
UGV OCU
Inter&ace A
Inter&ace '
Inter&ace C
Inter&ace $
Inter&ace %
Inter&ace (
System )
*atro++er
UGV
Inter&ace ,
System '
(# Maps-Terrain Mode+ Generation
Station
(# Maps-Terrain
Mode+ Specia+ist
.....
.....
Subsystem #(
/or+d Mode+ -
GIS Server
Inter&ace 0
Subsystem #,
Mu+timedia
Server
Inter&ace 3
Subsystem #0
Communication

!igure (" #"LOS S*ste, Nodes 8Phase-):

$igure ; su,,arizes the ,ain s*ste, %o,ponents o/
#"LOS and the planned hard5are to use in order to
provide an overvie5 o/ ho5 the #"LOS s*ste, 5ill
be deplo*ed /or #"LOS Phase-) de,onstration9

System#
UUCC
Subsystem #0
Communication
Subsystem#,
Mu+timedia Server
Subsystem #(
/or+d Mode+-GIS Server
Subsystem #$
Commander OCU
Subsystem#%
UGV OCU
System E
Observer
UGV
System 1
*atro++er-Interceptor
UGV
System I
UAV System Simu+ator
OCU ! UAV"
System H
Static Antenna
and Sensor Simu+ator
System '
(# Maps-Terrain Mode+
Generation Station
U*S
*o4er
#istribution
Unit
*o4er
Generator
Air
Conditionin5
Unit

!igure )" #"LOS S*ste, -eplo*,ent -iagra,
8Phase-):
1.' *ole of system nodes
"t the +ead,uarters la*er there is the Co,,and,
Control and Co,,uni%ation Centre 8CG:, be a re-
gional stationar* %ontrol %entre, %ontrolling border
bet5een %ountries 8e9g9 Poland-7(raine: lo%ated in a
building in a regional %apital9 #he CG 5ill be %on-
ne%ted to higher %o,,and 8e9g9 &inistr* o/ -e/en%e:
and 5ill provide high level data, in/or,ation, intelli-
gen%e, et%9 #his CG 5ill %ontrol several #heatre Co,-
,and Centres9
$ap-Terrain $odel Supply Centre is identi/ied as
the s*ste, that is responsible o/ providing ,aps and
terrain ,odels that are needed b* the #"LOS s*ste,
/or ,ission planning and e@e%ution9
T.eatre Command Centre is a ,obile A transport-
able %o,,and Centre in %harge o/ a #heatre9 )t is as-
su,ed that there 5ill be several #heatre Control Cen-
tres on a spe%i/i% border, and the nu,ber 5ill depend
on border t*pe 8topograph*:9 a%h #heatre Co,,and
Centre 5ill be %ontrolling several #heatre Surveil-
lan%e 7nits9
T.eatre Sur/eillance 0nit is the s,allest operational
surveillan%e and patrol unit in a given area9 )t 5ill
%onsist o/H
7n,anned 7nits Co,,and Centre 877CC:
7n,anned 2round 3ehi%les 8723s:
7n,anned "ir 3ehi%le 87"3: S*ste,
Stati% "ntenna and Sensor #o5ers9
#he #heatre Surveillan%e 7nit is going to be %on-
trolled b* the #heatre Co,,and Centre9
T.e 0nmanned 0nits Command Centre 100CC2 is
going to be used /or %ontrolling and ,onitoring opera-
tion o/ the 7n,anned 7nits9 )t 5ill %onsist o/ the Op-
erator Control 7nits 8OC7s:H 723 OC7s and Co,-
,ander OC79 )t 5ill be operated b* the /ollo5ing
/un%tionsH 723 Operators and 7nit Co,,ander9 )t
5ill be installed in a %ontainer and ,ounted on a
trailer /or ,obilit* and transportabilit*9
0nmanned 3round 4e.icles 1034s2 are going to
patrol the border se%tion9 #he* are going to be %on-
trolled /ro, the 77CCH OdrivenC b* the operator using
a (ind o/ O'o*sti%(C and %a,eras %arried b* the vehi%le
or, in se,i-autono,ous ,ode o/ operation, ordered to
drive /ro, one point in the ,ission area to another
5ithout Ohands-on %ontrolC9 )n #"LOS Phase-) Patrol-
ler 723 and )nter%eptor 723 are going to be i,ple-
,ented into one 723H PatrollerA)nter%eptor 7239
Obser/er 034 is going to be used /or observation o/
large areas9 )t is going to be eDuipped 5ith long-range
dete%tors o/ ,oving vehi%les and people 8radar sen-
sor:, and sensors allo5ing the operator to re%ognize
the dete%ted ob'e%ts 8in/rared and visible %a,eras:9
Patroller-5nterceptor 034 is going to be used /or
observation o/ the ob'e%t dete%ted b* the Observer
7239 #his observation shall be done in relativel*
189
%lose range, reDuired to the %o,pletion o/ the inter-
%eption9 )ts se%ond appli%ation is intera%tion 5ith the
ob'e%t9 #he 723 is going to be eDuipped 5ith sensors
/or observation, a loudspea(er enabling %o,,uni%a-
tion 5ith the dete%ted person and devi%es /or deter-
ren%e9 #he observation sensor shall be able to point in
the dire%tion o/ the intruder, as it appears in the s*s-
te,sP operational la*ers9
0nmanned Air 4e.icle 10A42 System 5ill be re-
sponsible /or the aerial surveillan%e and %an be used
as %o,,uni%ation node in parti%ular situations9
Static Antenna and Sensor To6ers %an be used both
/or sensor pla%e,ent and as %o,,uni%ation nodes9
#he* are going to be deplo*ed in pla%es reDuiring
%easeless surveillan%e t5ent* /our hours a da*, seven
da*s a 5ee(, or in pla%es not a%%essible to the vehi-
%les9

!igure 7" Prin%iple o/ patrolling, observation and in-
ter%eption tas(
1.( 8ey capabilities

#he /ollo5ing %apabilities have been identi/ied as (e*
to su%%ess in the border se%urit* ,ission on se%tions
o/ land border bet5een the border %rossing points
8$igure >:9
Patrolling t.e border section I dete%ting, re%-
ognizing and observing a%tivities on the land bor-
der bet5een border %rossing pointsQ
5nterception of intruders I %apturing the per-
sons per/or,ing illegal a%tivities in the border
areaQ
Pro/iding situational a6areness I delivering
the situational a5areness to the patrol and theatre
%o,,anders9

# 9escription of a typical sce:
nario
#he s%enario reported in $igures R to ?N presents
dete%tion o/ atte,pt o/ illegal border %rossing b* one
or several people and ho5 the s*ste, supports Border
2uards in inter%eption o/ the trespassers9
" trespasser is going to %ross the border9 #he bor-
der se%tion is %ontrolled b* the #"LOS s*ste,9 #he
trailer 5ith 7n,anned 7nits Co,,and Centre
877CC: is lo%ated about N (, /ro, the border in the
,iddle o/ the border se%tion9 #he PatrollerA)nter%eptor
723 is Opar(edC near the trailer9 &anned patrol is
available in the border se%tion, per/or,ing a routine
patrol9
#he ,ain goal o/ the Border 2uards, relevant to
%ir%u,stan%es o/ this s%enario isH Oto prevent unau-
thorised border %rossings, to %ounter %ross-border
%ri,inalit* and to ta(e ,easures against persons 5ho
have %rossed the border illegall*C9 #his goal is in line
5ith Border Se%urit* goals de/ined b* the uropean
Co,,ission 8C: on the level o/ the uropean 7nion
87:H to Oredu%e the nu,ber o/ illegal i,,igrants 5ho
,anage to enter the 7 undete%tedC and to Oin%rease
internal se%urit* o/ the 7 as a 5hole b* %ontributing
to the prevention o/ %ross-border %ri,eC9
Border 2uards realize their goals b* border sur-
veillan%e9 #he ,ain tools o/ surveillan%e are patrolling
and stationing supported b* the surveillan%e in/ra-
stru%ture9 )n this s%enario the tas(s are supported b*
the #"LOS s*ste,9 #he Border 2uards o//i%ers are
going to use the s*ste, in order to a%hieve ,a@i,u,
e//e%tiveness in preventing unauthorized border %ross-
ing9
#he Border 2uards patrol the area b* ,eans o/ the
#"LOS s*ste,9 #he Observer 723 /ollo5s the ob-
servation path 8de/ined b* the Border 2uards o//i%ers:
and stops in the observation points to s%an the area9
#he long range radar sensor %arried b* the Observer
723 is used /or dete%tion o/ hu,an and vehi%le
,ove,ent in the observed area9 On dete%tion o/ a
,oving ob'e%t the s*ste, alerts the 723 operator9
#he o//i%er uses the 723Cs opti%al sensor to re%og-
nize the dete%ted ob'e%t9 )/ the re%ognized a%tivit*
needs to be interrupted, or inspe%ted, 723 operator
sends in/or,ation about the observed a%tivit* in/or-
,ation to the Co,,ander9 #he Co,,ander ta(es de-
%isions 5hether the a%tivit* 5ill be interrupted9 )/ the
Co,,ander de/ines the observed ob'e%ts 8the* are
e@pe%ted to be people or vehi%les: as suspi%ious, he
issues a reDuest /or the &anned Patrol and %o,,ands
the 723 operator to send the PatrollerA)nter%eptor
723 to the area o/ suspe%ted a%tivit*9 #he Patrol-
lerA)nter%eptor is going to tra%e or engage the possible
intruders and release the Observer 7239 #he Ob-
server 723 %ontinues its ,ission9 6hen the Patrol-
lerA)nter%eptor rea%hes its destination it allo5s the
723 Operator in 77CC to %o,,uni%ate 5ith the
trespassers or /ollo5 the, until arrival o/ the &anned
Patrol9

190

!igure ;" Phase ? o/ the s%enarioH the Observer 723
is patrolling the border se%tion

!igure 1<H Phase <H the Observer 723 is on its patrol
path and observes the border /ro, su%%essive observa-
tion pointsQ the trespassers ,ove to5ards the border

!igure 11H -uring s%anning the Observer 723 de-
te%ts the trespassers and alar,s the Border 2uards o/-
/i%ers about the dete%tion

!igure 1#H Phase KH the Operator a%Duires the de-
te%ted Bob'e%tL 5ith opti%al sensor /or re%ognition

!igure 1%H Phase GH a/ter a%%epting its path the Patrol-
lerA)nter%eptor 723 starts ,oving to the inter%eption
point

!igure 1&H nd o/ phase GH the PatrollerA)nter%eptor
arrives at the inter%eption pointQ the Observer %an %on-
tinue its ,ission
191

!igure 1'H #he last phase o/ the s%enarioH the Patrol-
lerA)nter%eptor engages the intruder be/ore arrival o/
the ,anned /or%esQ the Observer is ba%( on its patrol
path

% 034 de/elopment
$igure ?M provides a s%he,ati% o/ the 723 5ith its
observation and navigation sensors9 $igure ?; is a pi%-
ture o/ the 723 during the integration phase9

!igure 1(H ),plantation o/ the sensors on the 7239

!igure 1)H 723 during ,anoeuvring tests in the inte-
gration phase
& Simulation of t.e static to6er
and of t.e 0A4
Phase ) o/ #"LOS pro'e%t plans to develop t5o si,u-
lators9 One o/ the, si,ulates a stati% observation
to5er and the other one 5ill si,ulates a 7"39 Both o/
the, hold the /ollo5ing /eaturesH
- ,ulation o/ the behaviour o/ the sensors planned to
eDuip an observation to5er 8visible %a,era, in/rared
%a,era, radar, ,otion dete%tor, phoni% dete%tor: or a
7"3 8visible %a,era, in/rared %a,era:Q
- ),ple,entation o/ the standard proto%ol o/ %o,,u-
ni%ation J"7S vK9K 8Join "r%hite%ture /or 7n,anned
S*ste,:Q
- &anage,ent o/ the e@%hanges o/ ,essages bet5een
J"7S %o,ponents asso%iated to the sensors and the
other S*ste,s 877CC:Q
- "%%ess to a 27) 82raphi% user )nter/a%e: to ,onitor
the /lo5 o/ ,essages 8input A output: sent and re%eived
b* J"7S %o,ponents, the states o/ the e,ulated sen-
sors and /inall* to allo5 to generate events /eigning
alerts o/ dete%tionQ
- 2eneration o/ s*ntheti% i,ages o/ the surve*ed area
to si,ulate the vision o/ the opti%al sensors9 #he
sour%es o/ data to generate i,ages %o,e /ro, aerial
pi%tures9

#he ,ain te%hni%al spe%i/i%ations /or the si,ulators
areH
- 6indo5s JP pro S!K environ,ent
- -evelop,ent in Java Standard dition vM
- "r%hite%ture based on !CP 8!i%h Client Plat/or,: o/
%lipse vK9N 82alileo:
- 7se o/ librar* OJJ"7S vK9< 8Open Java J"7S: up-
dated to vK9K b* "SLS"N9

' 034 optical sensors
performances
#he %hoi%e o/ the opti%al sensors needed to eDuip the
ground robots, and ,ore spe%i/i%all* the 723 ob-
server, is the result o/ a /un%tional anal*sis 5hi%h 5as
based on a reDuire,ents anal*sis 5ith the end users9
#o this end, intervie5s 5ere organized 5ith border
guard tea, o/ several %ountries %onstituting the orien-
tal border o/ the uropean 7nionH Poland, stonia,
Lithuania, Latvia, !o,ania, $inland9 #he Duestions
%on%erned the opti%al ranges reDuired /or the tas(s o/
dete%tion, re%ognition and identi/i%ation 8-!): o/ hu-
,ans and vehi%les, in the da*ti,e and at night9
#he reDuire,ent anal*sis ,ade b* the ,anu/a%turers
o/ the 723 de,onstrator %on%erning the observation
per/or,an%es 5as used to sele%t di//erent %a,eras in
visible and in/rared bands9
One ON!" tas( %onsists in %o,pleting this preli,i-
nar* anal*sis b* %onstituting a -!) range per/or,an%e
si,ulation results database /or S large nu,ber o/ s%e-
narios 8%/9 #ab9 ?: and the /our sele%ted opti%al sensors
192
8%/9 #ab9 <:9 #hose sensors ,ust /ul/il ,ission re-
Duire,ents /or various environ,ental %onditions
8ba%(grounds, topographi% %hara%teristi%s, %li,ati%
%onditions, 5eather %onditions: e@isting /ro, $inland
in the North and Bulgaria A #ur(e* in the South o/
urope9
#hose /our opti%al sensors are respe%tivel*H
Long range visible %olor CC- %a,era /or the
da*ti,e observation tas( aboard Observer 723Q
&ediu, range visible %olor CC- %a,era /or the
da*ti,e observation tas( aboard Patrol-
lerA)nter%eptor 723Q
&ediu, and long range %ooled &6)! 8K-NT,:
%a,era /or the da* A night observation tas( aboard
Observer 723Q
Short range un%ooled L6)! 8>-?<T,: %a,era /or
the da* A night observation and navigation tas(s
aboard PatrollerA)nter%eptor 723Q

" laser range /inder 8L!$: 5ill also be part o/ the op-
ti%al surveillan%e s*ste, onboard the Observer 7239
"nother tas( 5ill be to evaluate the ulti,ate ranges o/
the L!$ in the %onditions des%ribed in #ab9 ?9

#"B9 ?H S%enario para,eters /or 723 opti%al
sensors per/or,an%es anal*sis
S%enario para,eter nb NU 3alue A des%ription
? astern urope H Poland
< Northern urope H $inland
2eographi%al area K
K &editerranean H Bulgaria A
#ur(e*
? 6inter Period o/ the *ear <
< Su,,er
? 2ood %ondition I Clear s(*
< &ediu, %ondition I Light rain
6eather %onditions K
K -egraded %ondition - 4aze
? -a* 8noon: -a* A Night %ondi-
tion
<
< Night 8,idnight: /or &6)!
and L6)! sensors
#5ilight /or visible sensor
? Stati% standing ,an
< &obile standing ,an
K Stati% s,all vehi%le
Ob'e%t G
G &obile s,all vehi%le
? 4o,ogeneous ba%(groundH
%lear s(*
< 4o,ogeneous ba%(ground H
short grass
K &ediu, %luttered ba%(ground H
soil V ro%(s A stones
Ba%(ground A Clut-
ter
G
G 4eav* %luttered ba%(ground H
$orest

#"B9 < H Opti%al sensors
? Long range 3isible %olor
CC- %a,era
< &ediu, range 3isible %olor
CC- %a,era
K %ooled &6)! 8K-NT,:
%a,era
Opti%al sensors G
G un%ooled L6)! 8>-?<T,:
%a,era

Conclusion
#"LOS s*ste, o//ers a ne5 solution /or the
se%urit* o/ the ground borders b* redu%ing the
e@posure to various ris(s and hazards o/ the units o/
hu,an patrols and b* allo5ing the %overage o/ large
areas 5ith high reliabilit*9 #he ,obile observation and
%o,,and s*ste, allo5s to adapt Dui%(l* to ris(s and
evolutionar* threats in ti,e and spa%e9 #he addition o/
stati% observation to5ers and 7"3 to 723s allo5s
the observation o/ ver* large areas even 5ith se%tors
di//i%ult to a%%ess9
)t is planned that the proposed s*ste, solution o/
#"LOS 5ill have the /un%tionalit* to %over the opera-
193
tional %on%ept and needs o/ the %urrent land border
se%urit* s*ste,s9
Ac=no6ledgements

#he results presented in this paper 5ere obtained b*
the %onsortiu, #"LOS 5hi%h is des%ribed belo59

Partenaires Acronyme Pays
? Prze,*sWo5* )nst*tut "uto,at*(i i
Po,iarX5 8%oordinator:
P)"P Poland
< "SLS"N le(troni( Sana*i ve
#i%aret "9S9
"SLS"N #ur(e*
K uropean Business )nnovation E
!esear%h Center S9"9
B)C !o,ania
G 4elleni% "erospa%e )ndustr* S9"9 4") 2ree%e
N
)sraeli "erospa%e )ndustries )") )sra1l
M )##) Sp9 z o9o9 )##) Poland
; O//i%e National dCtudes et de
!e%her%hes "rospatiales
ON!" $ran%e
> -e/ende% -e/ende% stonia
R So%it Nationale de Constru%tion
"rospatiale
SON"C" Belgiu,
?= S#& Savun,a #e(nolo'ileri
&Yhendisli( ve #i%aret "9Z9
S#& #ur(e*
?? #ele(o,uni(a%'a Pols(a S" #P Poland
?< ##) Norte S9L9 ##) Spain
?K #e%hni%al !esear%h Centre o/ $inland 3## $inland
?G Polite%hni(a 6arsza5s(a 67# Poland

#"LOS pro'e%t is /inan%ed b* the uropean
Co,,unit* in the %ourse o/ $ra,e5or( Progra, ; -
Se%urit* resear%h pro'e%t 8Border Se%urit*:9

194
Risk treatment measures for managing cargo theft in road trans-
portation
Irene Sudy, Hamburg University of Technology, Germany
Ellis Lehner, Wirtschaftsuniversitt Wien, Austria
Abstract
A set of risk treatment measures for the management of cargo theft in road transportation is given categorized
according to their ability to eliminate, reduce, transfer or accept the risk of theft. The measures are further cate-
gorized according to their ability to reduce the probability of theft occurrence or the extent of a theft incident. A
case study approach combined with literature review and personal interviews with internationally operating lo-
gistics service providers as well as insurance companies in Austria and Germany was conducted. In this way, the
measures applied in the practice are aligned with the measures which can be found in literature.
1 Introduction
Reports show that cargo theft in road transportation
has increased in recent years [1] [2] [3] [4]. A com-
prehensive transport security approach should be ap-
plied to manage the risk of theft adequately, and
measures to manage the risk of cargo theft in road
transportation should be implemented. This paper
gives an overview of risk treatment measures for the
management of risk of theft in transport chains cate-
gorized according to their ability to eliminate, reduce,
transfer or accept the risk. The risk reduction meas-
ures are further classified into two groups: Measures
that reduce the probability of an incident, and meas-
ures that minimize the effects of an occurred incident.
In order to ensure the practicability of measures pro-
posed, a case study approach was applied. Qualitative
semi-structured interviews using a questionnaire of
open questions were conducted with internationally
operating logistics service providers and insurance
companies based in Austria and Germany. This ap-
proach gives the possibility to reflect the results of the
literature review with the results of the case studies.
2 Risk of cargo theft in road
transportation
2.1 Definitions and cargo theft in
numbers
Theft is defined differently, depending on the country
and their legal frameworks [5]. Theft can be defined
as depriving a person/organisation of property with-
out force with the intent to keep it [5]. The associa-
tion TAPA (Transported Asset Protection Association)
defines theft in a more generalised way as the
wrongful taking of property without the owners wil-
ful consent [6]. The following research is based on
this definition as it covers all stealing crimes, i.e. pil-
ferage, robbery, burglary and hijacking [5] [7] [8] [9].
A major database with crime related data in transport
has been issued by TAPA EMEA, the Transported As-
set Protection Association for Europe, the Middle East
and Africa. Over the last years, the most reported type
of road transport related theft attacks remained to be
theft from vehicle [10]. Concerning the type of goods,
consumer electronics, food and beverage commodi-
ties, tobacco products and computer related products
are the types of cargo which are being most frequently
stolen [10] [11]. Theft incidents often occur at night
or shortly after business hours [12] [13]. Great Britain
and the Netherlands as well as the coast lines of
France and Germany are counted among the heavily
affected regions. Theft attacks in transport processes
are becoming more violent [10] [14]. Crime of theft is
very carefully organised, especially when high value
goods are the target [4].
However, as an interview partner from an interna-
tional insurance company stated, theft of goods does
not necessarily depend on its value. It is dependent on
the saleability, usability, disposability and portability
of the goods. If goods can easily be sold, they are at
high risk for being stolen. It does not always happen
that an entire truck load disappears. Often several
packages or partial loads get stolen. However, the risk
of theft is not only concerned with the kind of goods
carried, but depends furthermore on the transport
route and the level of security [4].
195
2.2 Application of risk management to
cargo theft
In order to manage cargo theft in road transport, the
application of the risk management approach is very
useful. It is a structured approach and comprises four
main steps, namely identification, evaluation, treat-
ment and monitoring of risks.
This paper focuses on the third step of the risk man-
agement process. In the third step, measures for the
treatment of the identified and assessed risks are de-
veloped, evaluated and selected. The measures can be
categorized according to their ability to avoid, reduce,
transfer or bear the risk. With regard to risk mitigation
measures, some of them reduce the probability of the
occurrence of theft incidents, while others reduce the
extent of the damage (see Figure 1).
Figure 1 Risk treatment measures
3 Risk treatment measures and
approaches for the manage-
ment of cargo theft
When looking at cargo theft with regard to road trans-
portation, a variety of risk treatment measures can be
found. As described above, they are categorized ac-
cording to their ability to eliminate, reduce, transfer or
accept the risk.
3.1 Elimination/Avoidance of cargo
theft
Eliminating or avoiding risk of cargo theft is a diffi-
cult, if not impossible option. Completely eliminating
the risk of theft would imply not carrying out trans-
portation at all in business practice an unrealistic
alternative. Therefore, the measures which minimize
the occurrence of theft incidents and/or its damage
extend prevail.
3.2 Reduction of cargo theft
In theory as in practice, a large variety of measures to
reduce the number of theft incidents or once the in-
cident happened to reduce the extent of damage can
be found. The measures can be grouped according to
the asset that should be protected:
x Securing vehicle, trailer or container
x Securing cargo
x Securing facilities
x Securing data
x Organizational security measures
3.2.1 Securing vehicle, trailer or container
An overview of cargo theft reducing measures is
given in Figure 2.
Figure 2 Measures for the reduction of cargo theft on
vehicle, trailer or container level
A wide variety of mechanical, electrical and electronic
locking devices for securing the vehicle and the trailer
can be applied. The purpose of locking devices is to
deny entry to the truck cab, engine, transport unit or
load compartment of a vehicle and to prevent a thief
from driving away [15]. Driver Recognition Systems
in form of a smart card or a key fob with an embed-
ded chip prevent the movement of the vehicle in ab-
sence of the chip [4]. For high risk transports which
require high levels of security, access to the cab can
additionally be hampered by bulletproof glass for the
cab windows and lattice-windows or metal doors [4].
As far as the load compartment of a truck is con-
cerned, curtain-side trailers are especially vulnerable
to theft as the trailer curtains can easily be cut open
with a sharp knife [4]. However, due to the ease of
access to the cargo load from all sides of the trailer,
the use of curtain-side trailers is very common. To de-
crease the vulnerability of curtain-side trailers, heavy-
duty security curtains of different degrees of attack
resistance can be obtained and fitted to the alarm sys-
tem of the vehicle. In case small wires embedded in
196
the curtain are cut, the alarm is triggered [4]. The use
of closed truck bodies decreases the risk of theft. Con-
tainers can be placed door-to-door on a truck.
Another risk mitigation measure is the alteration of
truck routings in the transportation network [16].
Convoying is another measure to reduce the risk that
trucks on roads get attacked. Escorted convoys are
usually used in high-risk areas. The use of secure
parking areas for rests and other waiting periods is
considered as one of the most practical measures to be
taken to reduce the risk of theft [2], but the number of
secure parking locations is still limited. Secure park-
ing areas have a higher number of security features in
place than non-secured parking areas, e.g. CCTV,
guards, lights and fences. Different organizations like
TAPA, IRU, the German Insurance Association and
the European Union foster the development of secure
parking areas. In case no secure parking areas are
available, two drivers can be deployed to make sure
that the vehicle is never left unattended during stops
and rest times.
Alarm systems are used to prevent or delay the at-
tempt of vehicle and cargo theft by deterring thieves
by audible siren and/or immobilising the vehicle and
prevent the vehicle from being driven away [4]. Keys,
lock switches, monitoring, and movement sensors as
well as alarm sensors serve as inputs, and alarm horn,
hazard lights and start inhibitor relays are outputs.
Alarm can be triggered in various ways, e.g. by door
opening, switching on the ignition, or movement in-
side the vehicle [17].
Contrary to locking devices, the main function of me-
chanical and electronic seals is not locking and pro-
tecting against unauthorized access, but rather identi-
fication, documentation of unauthorized access, integ-
rity of the shipment and assignment of liability.
Vehicle Identification Systems, electronic tracking
and tracing of vehicles as well as geofencing are
rather after-theft measures, as the intended purpose of
these measures is not the prevention of theft attacks,
but detection and recovery of the stolen vehicle and
its cargo load by providing information.
3.2.2 Securing cargo
Not only the transport vehicle and its trailer or trans-
port unit, but also the shipment itself can be protected
against theft with various measures (see Figure 3).
cargo level
Security can be increased by appropriate cargo pack-
aging or well considered arrangement of cargo loads.
The application of pallet foliation (transparent, black
or opaque) and protection tapes supports the reduction
of cargo theft. In the case of valuable cargo, some ex-
perts recommend the usage of black or opaque folia-
tion in combination with protection ties or tapes to
secure the cargo. But this measure can encourage
thieves as usually only high value goods are protected
in this way.
Similar to the application on vehicle or transport unit
level, mechanical and electronic seals are not very
useful for mitigating the risk of theft, but help in de-
tecting a theft as seals can provide documentation of
unauthorized access [18].
Tracking and tracing systems on cargo level are also
mostly applied for detection purposes. Various tech-
nologies detect misloadings and theft shortly after oc-
currence. The devices are attached to the goods and
send in pre-defined time intervals information about
the position of the goods. The systems can also detect
whether the goods are off time (e.g. when the truck
is stuck in traffic jams) or if the cargo is off track
(e.g. in case of misloading or theft).
With regard to theft, scanning of loads can be used to
inspect the content of a truck load [19] and to check if
during the journey the entire or part of the load got
stolen.
3.2.3 Securing facilities
Facilities like distribution centres are at high risk of
theft [2]. Days prior to the theft, criminals often keep
areas around the facility under surveillance hence it is
important to secure premises to minimize risk of theft
[20]. Figure 4 provides an overview of measures for
the reduction of cargo theft which can be applied on
facility level, according to their ability to reduce the
probability of theft occurrence or the extent of the
damage caused by a theft incident.
197
facility level
With a layered security approach, the premises can be
classified according to the necessary security level.
For high risk goods, specially equipped high-security
warehouses and/or separate storage areas with in-
creased security measures should be generally used.
More than one security system should be in place to
make sure that in case a protection system fails, an-
other system is still in operation and/or can report
and/or remove the breakdown. Access to the premises
where the cargo is located should be restricted by ac-
cess control mechanism [2]. Identification cards ham-
per unauthorized access to the facilities and provide
data for access documentation. Useful measures to
avoid or detect intruders are perimeter protection in
the form of fences as well as site access and its con-
trol with appropriate illumination and video surveil-
lance systems. Regular patrols, (night) guards (with
watch dogs) and burglar alarm can provide further se-
curity [2].
The storing of containers and swap bodies can be ar-
ranged in a manner that disables the opening or break-
ing of the container doors, e.g. by storing the contain-
ers door-to-door.
To avoid that employees, visitors or subcontracted
workers get involved in theft, eye-catching placed
video surveillance cameras with a high deterrence ef-
fect in high security areas, in the parcel area or at
loading bays can be installed. Checks of employee
lockers are another precautionary measure that serves
as a signal. Revealing that the premises and the
freight are well protected appeals deterrent to poten-
tial thieves and helps raising security awareness
among employees.
3.2.4 Securing data
The issue of information leakage is a critical factor
concerning cargo theft [3] [21]. Nowadays, thieves
already know in advance which truck they want to
attack, as important information about type of cargo
load and route has leaked from one or more involved
parties of the transport chain [3]. Therefore, it is nec-
essary to apply theft reduction measures on data level
(see Figure 5).
data level
Certain information concerning freight loads should
be restricted to those who need to know [20]. Infor-
mation can be classified, e.g. according to the loca-
tion, department as well as duties and responsibilities
of the staff, different application levels can be pro-
vided and certain information which is not relevant
for the employee can be retained [3] [21]. The internal
auditor from a logistics company stated that in com-
parison to open systems in-house data program so-
lutions also help to keep the information restricted.
3.2.5 Organizational security measures
Organizational security measures reduce the risk of
theft on an overall level without focusing on one spe-
cific level. Figure 6 shows the variety of organiza-
tional measures that can be applied.
an overall level
Partnerships with other in the transport chain involved
parties or with security companies can be seen as a
threat risk reducing measure as the joint design and
planning of the transport processes can support the
efforts to reduce cargo theft. Besides this, member-
ships in security initiatives or certificates such as
TAPA (Transported Asset Protection Association) or
national programs like the program of the subsidiary
of the Association of German Freight Forwarders and
Logistics Operators are beneficial as this implies in-
formation enrichment, and exchange of best-practice
strategies. It supports not only the raising of aware-
ness within the entire transport chain, but also within
employees who may be directly affected by theft inci-
dents, such as truck drivers.
198
Some companies implement their own security pro-
grams. These programs vary according to the needs of
the companies and e.g. focus on specific types of
cargo that are particularly exposed to theft.
Other crucial anti-theft measures are employee train-
ing and communication. Trainings help to implement
security in the daily routine of the employees [20].
The trainings should start immediately after an em-
ployee has been hired and continue on a regular basis.
Trainings support the communication among all em-
ployees to recall the issue of cargo theft. As far as
communication is concerned, multiple channels of
communication should be used, e.g. articles in com-
pany magazines, folders and flyers or via intranet.
As truck drivers are directly and particularly exposed
to theft, an emphasis should be placed on driver edu-
cation. The drivers should receive additional trainings,
manuals and instructions to raise the consciousness of
the issue. The driver instructions give useful tips how
the exposure to the risk of theft can be reduced or how
to act and react in case of a theft incident. In this way,
truck drivers can be prepared and coached to know
how they should behave in risky situations. Regular
checks should be included to make sure that the driv-
ers understand and know their responsibilities and fol-
low the security instructions.
The check of hauliers and drivers references by using
evaluation criteria before recruiting them is another
precautionary measure. To avoid that fictitious haul-
iers are recruited, black lists or white lists can be used
to identify reliable partners. White lists are reverted
black lists, showing reliable hauliers or drivers who
offer high quality and secure services. Nevertheless,
identification and check of correct shipping docu-
ments at any time when trucks and drivers arrive at
the gates of the company premises should be assured
[2].
3.3 Transfer of cargo theft risk
The risk of theft can also be transferred to other par-
ties. Risk of cargo theft is commonly transferred to
insurance companies. The calculation of the premium
depends on the types of goods and/or transport routes.
In case of theft-prone goods and high risk transport
routes some insurance companies insure only with
certain restrictions or provided that appropriate secu-
rity measures are taken, e.g. a second driver in road
transportation to make sure that the vehicle is never
left unoccupied during stops, or hauliers may not be
recruited via internet to prevent fictitious internet
hauliers. The insurance companies usually advise
their customers concerning the application of security
methods as raising the security is also in the interest
of the insurer.
Apart from transferring the risk of theft to an insur-
ance company it is also possible to transfer the risk to
other partners in the transport chain. This is for exam-
ple possible by contractual liability transfer via Inco-
terms. Incoterms clarify at which point in the trans-
port chain the responsibility is transferred from one
partner to the other.
3.4 Acceptance of theft risk
Risk acceptance implies that companies take the risk
of theft consciously with the willingness to bear the
consequences [22]. Despite numerous security meas-
urement possibilities, it is economically unreasonable
to prevent or transfer cargo theft entirely. Which kinds
of risks are beared to what extend depends largely on
the willingness and the possibilities of the company
[23].
4. Summary and conclusions
Because of rising theft incidents over the past years
resulting in annual economic loss of billions of Euros,
cargo theft is increasingly becoming important in road
transportation.
To foster resilience of road transport chains and to
implement appropriate risk treatment measures, the
risk management process can be applied. This paper
focuses on the third step of the risk management
process, and measures to secure vehicles and their
trailers or containers, the cargo itself, the company
facilities, data and transport chains in general are
compiled.
Risk treatment measures manage the risk of cargo
theft in various ways. Basically, some have a preven-
tative effect and minimize the probability of a theft
attack (e.g. locks) and some have a reactive effect in
the case the theft incident already occurred and help
to minimize the extent of the damage (e.g. seals,
tracking and tracing, geofencing). The various possi-
bilities are categorized according to their ability to
eliminate, reduce or transfer the risk.
The case studies revealed that the interviewed logis-
tics companies proactively manage the risk of cargo
theft in road transport by using a multi-layered ap-
proach that comprises a set of measures to reduce the
probability or the extent of theft on different levels
within their company. As an additional measure, in-
surances to transfer the risk of theft are commonly
applied to reduce the negative impact of theft inci-
dents. The risk of theft can hardly be totally elimi-
nated. However, it can be reduced by numerous anti-
theft security measures as described in this paper.
199
The costs of the described risk management measures
are still an issue, as its benefits are not always obvious
and the costs cannot always be transferred to the cus-
tomer as there is often no willingness on behalf of the
customer to accept higher prices.
The costs of theft do not merely consist of the value
of the stolen products. The costs include much more
like investigation costs, administrative costs, product
replacement, high insurance premium, contractual
penalty payments, lost sales, lost reputation, and lost
customers. These indirect costs arising from theft
have to be taken into account [24].
In conclusion, our research showed that transport
companies apply a combined approach of measures of
various types of risk treatment. As far as the risk miti-
gation measures are concerned, interviewed compa-
nies emphasized the importance of employee training
and education of drivers as well as the raising of risk
awareness.
References
[1] Ekwall, D.: The displacement effect in cargo
theft, International Journal of Physical Distribu-
tion and Logistics Management, Vol. 39, No. 1,
pp. 47-62, 2009
[2] Europol: Cargo Theft Report. Applying the
Brakes to Road Cargo Crime in Europe, The
Hague, 2009
[3] Van den Engel, A.W.; Prummel, E.: Organised
Theft of Commercial Vehicles and their Loads in
the European Union, European Parliament. Di-
rectorate General Internal Policies of the Union.
Policy Department Structural and Cohesion
Policies. Transport and Tourism, Brussels, 2007
[4] ECMT European Conference of Ministers of
Transport: Crime in Road Freight Transport,
OECD Publications, France 2002
[5] Aebi M.F. et al: European Sourcebook of Crime
and Criminal Justice Statistics, 4
th
edition,
WODC, Den Haag, 2010
[6] TAPA EMEA Transported Asset Protection As-
sociation Europe, Middle East and Africa,
http://www.tapaemea.com, accessed on 28 Octo-
ber 2010
[7] Trieschmann, J.S.; Hoyt, R.E.; Sommer, D.W.:
Risk Management and Insurance, 12
th
edition,
Thomson, South-Western, Ohio, 2005
[8] Greenberg, J.: Who stole the money, and when?
Individual and situational determinants of em-
ployee theft, Organizational Behaviour and
Human Decision Processes, Vol. 89, No. 1, pp.
985-1003, 2002
[9] Fennelly, L.J.: Handbook of loss prevention and
crime prevention, 4
th
edition, Elsevier Butter-
worth-Heinemann, Oxford, United Kingdom
2004
[10] TAPA EMEA IIS Database: IIS spreadsheet as of
25 February 2011
[11] IRU International Road Transport Union: At-
tacks on Drivers of International Heavy Goods
Vehicles, Secretariat General, Switzerland,
2008
sociation Europe, Middle East and Africa: IIS
Annual Report 2008, TAPA EMEA, 2008
sociation Europe, Middle East and Africa: IIS
Annual Report 2009, TAPA EMEA, 2009
[14] Johnson, P.: A vital contribution to protecting
trusted brands, The monthly cargo crime update
for members of TAPA EMEA, 2010
[15] Erjavec, J.: Automotive Technology: A Systems
Approach, 4
th
edition, Thomson Delmar Learn-
ing, New York, 2005
[16] Chopra, S.; Meindl, P.: Supply Chain Manage-
ment. Strategy, Planning, and Operation, 3
rd
edition, Pearson Prentice Hall, Upper Saddle
River, New Jersey, 2007
[17] Denton, T.: Automobile electrical and elec-
tronic systems, 3
rd
edition, Elsevier Butter-
worth-Heinemann, Oxford, Great Britain, 2004
[18] Ulrich, K.; Kckelhaus, M.: Mobile Solutions
for Secure Supply Chains, DHL Solutions &
Innovations, Presentation at the TAPA confer-
ence in Bonn, 2010
[19] Donner, M.; Kruk, C.: Supply Chain Security
Guide, The International Bank for Reconstruc-
tion and Development/The World Bank, Wash-
ington, 2009
[20] TruckPol: Steer Clear of Truck Theft,
http://www.truckpol.com/downloads/steerclear.p
df, accessed 30 March 2011
[21] zberk, B.C.: Mapping the Flow of Theft En-
dangered Goods in EU, Master thesis, Universi-
ty of Boras, 2010
[22] Haller, M.: Risiko-Management und Versiche-
rung, No. 13 des Versicherungswirtschaftlichen
Studienwerks, Gabler, Wiesbaden, 1981 (in ger-
man)
[23] Kummer, S.; Schramm H.J., Sudy, I.: Interna-
tionales Transport- und Logistikmanagement,
2nd edition, UTB, Vienna, 2010
[24] Caroll, J.: Cargo Crime the insurers view,
The monthly cargo crime update for members of
TAPA EMEA, 2010
200
Risk analysis for a German harbour within the project ECSIT
Ziehm, Julia, Fraunhofer EMI, Germany
Hring, Ivo, Fraunhofer EMI, Germany
Abstract
Dangerous objects hidden in sea freight containers pose a threat to the supply chain and to human life and the
economy. We demonstrate the applicability of the risk analysis methodology for terroristic events within the har-
bor terminals caused by dangerous goods. To this end, the risk analysis contains an event analysis and a hazard
and damage analysis of selected scenarios. The overall risk for persons is determined for selected scenarios. The
event analysis is based on the d atabase evaluation of historic events and a literature stu dy on possible threats.
Within the hazard and damage analysis two threats will be considered: the explosion of conventional explosive
substances and the spreading of a radioactive agent due to an explosion. The damage potential for persons and
the expected damage of structures are described. The risk analysis helps to determine possible threats and the
corresponding frequency of an event. It also estimates physical hazards and damage consequences for selected
threads. This information could be used to identify the best location for a future scanning system for containers
at harbors and for the optimization of counter and mitigation measures. The presented work is part of the collab-
orative project ECSIT, supported and funded by the German BMBF as part the topi c Securing of the supply
chain of the governments Research for Civil Security initiative. ECSIT investigates innovative ways to im-
prove security through contactless inspection of containers at the port of departure. It will explore demonstration
systems for the detection of radioactive material and fast X-ray-based imaging processes to identify illegal and
dangerous goods in sea freight containers.

1 Introduction
Due to th e American security requirements concern-
ing the worldwide maritime traffic the project ECSIT
(www.ecsit-security.de) was launched. The fear of il-
legal dangerous goods being smuggled or containers
being used for the transportation of bombs and con-
taminating sources led t he USA to release t he House
Resolution 1 (H.R. 1) [1 ]. It states that as from July
2012 every container that is shipped to the USA
should not enter the USA if it has not been screened at
its shipping harbour. ECSIT aims to increase the se-
curity of container shipping by screening technologies
in harbours without slowing down the usual process-
es. Demonstrators with new and fast screening tech-
nologies will be developed and presented in the end.
For a better and an aim-orientated development of
scanning systems and processes at a harbour it is nec-
essary to know

- the existing threats,
- the (future) threats that can be expected and
- the consequences of these threats.

To get an answer to these questions one of th e first
work packages is th e risk analysis described in th is
paper.
Due to the aim of ECSIT, possible threats include il-
legal and dangerous goods. The focus is on dangerous
goods, in particular conventional explosives with or
without radioactive material.
2 Risk management
Figure 1 shows the risk analysis and management
scheme. Within ECSIT the steps inside the red rectan-
gle are performed and are described in the next sec-
tions: event and threat analysis, hazard a nd damage
analysis, frequency of event and exposure analysis
and risk computation. We do not provide comparison
of the computed risks with other risks or risk criteria
nor proposed explicit counter measures. In general,
the decision if the dete rmined risks are acceptable or
not has to be made by the responsible authorities.

201

Figure 1
3 E
3.1 Ana

To obtain
bors coul
lyzing da
Fraunhof
3] contai
open sou
tion with
recently w
Terrorism
um for th
rorism (S
our TEDA
in the TE
Merging
between
figure 2.
available
been exe
tacks wer
or cargo
attacks di
damage.
sives (e.g
ets or fi r
the 80s i

Figure 2
tween 19

Risk analysi
Event and
alysis of his
n an overview
ld look like w
ata on historic
fer EMI Terro
ining about 3
urce data, whi
h respect to tar
we had the op
m Database ( G
he Study of T
START) [4] c
AS analysis s
ED scheme.
both datasets
1970 and 200
. For some e
and showing
ecuted by usin
re against spe
ships) locate
id not have th
Most of the
g. bombs, min
earms were u
s not a specifi
Terroristic e
70 and 2007.
s and risk man
d threat a
storic even
w how terrori
we looked into
c terroristic ev
orist Event Da
35 000 even
ich has a rela
rget and tactic
pportunity to a
GTD) of the N
Terrorism and
containing 80
software [3] b
s, 42 events
07 were found
events more
g that none of
ng a co ntaine
ecific people
d inside a h a
he intention to
attacks were
nes) and for so
used. The incr
ic phenomena
vents on harb
nagement.
analysis
nts
stic events at
o the past by
vents. We used
atabase (TED
nts collected
atively fine re
c of attacks. M
analyze the G
National Cons
Responses to
0 000 events
by putting the
(no double e
d as can be se
details have
f these attacks
er. Most of th
or ships (mil
arbor. Thereby
cause econom
done with ex
ome of them r
rease of attack
a of
bors worldwid
t har-
ana-
d the
D) [2;
from
esolu-
More
Global
sorti-
o Ter-
with
e data
entry)
een in
been
s has
he at-
litary
y the
mical
xplo-
rock-
ks in
de be-
terro
crea
taset
Mos
follo

Figu
bors

3.1
pra

Due
pare
fact
have
tions
threa
Toge
and
cont
type
tativ
ditio
cess
estim
threa
sum
sible
liter
are c

This
cove
threa

oristic attacks
ase of terrorist
ts.
st of t he atta
owd by Asia (
ure 3 Contin
s. 1970 - 2007
Qualitat
aisal
e to the relati
ed to the over
that some of
e not been rel
s had to be m
at table was g
ether with ou
Fraunhofer E
taining differe
es of usage [5
ve threat or ha
onal aspects t
s) and custom
mate was give
at is relevant
mmary the thre
e terroristic t
ature studies
classified in fo
- nuclear /
- conventi
- chemical
- weapons
s table does n
er a wide spec
at table, we de
1. Radiolog
Consider
oactive m
narios to
be exami
on harbors a
tic attacks dur
acks took pl a
see figure 3).
nental distribu
.
ive threat
ively small am
all amount of
f the expected
levant in the p
made to identi
enerated.
ur project pa
EZRT we de
ent types of th
]. The threat t
azard source l
that are rele v
ms. Also a freq
en. It was also
in the projec
at table is com
hreats (in the
and expert k
our different ty
/ radiological
onal (explosiv
l / biological
s
not claim to
ctrum of poss
educed four po
gical hazards
ring two of th
materials and
spread those
ined.
as there is a g
ring this time
ace in South

ution of attac
analysis a
amount of eve
f analyzed da
d threats (see
past, further c
ify threats. Th
artners Smith
eveloped a th
hreats and thei
table is a kind
list that also c
vant for d etec
quency of ev
o considered
ct context of E
mpact collecti
e future) deri
knowledge. T
types:
ves)
be complete
sible threats. O
ossible scenar
dirty bombs
he most reason
d their availab
over a certain
general in-
in the da-
America,
ck on har-
and ap-
ents com-
ta and the
section 1)
considera-
herefore a
Heimann
hreat table
ir different
d of quali-
covers ad-
ction (suc-
ent expert
whether a
ECSIT. In
on of pos-
ived from
he threats
but does
Out of this
rios:
s
nable radi-
bility, sce-
n area will
202

2. C
T
(
t
p

3. E
E
i
o

4. C
S
u

The deta
transport
in goods,
er.
4 H
As we wi
narios 1 a
correlatio
(no indoo

4.1 Exp

Figure 4

In the dam
Fireball (
large exp
to be rel
ment beh
yet finish
so not con

4.1.1 Bla
Figure 5
at a certai

Chemical and
The easiest w
(old) warfare
the adequate
ported.
Explosives an
Explosives ar
in terrorism.
of explosives

Conventional
Smuggling of
use are consid
ailed scenario
reservoirs wi
, amounts and
Hazard a
ill focus on ex
and 3) figure
on with explos
or explosions s
plosive haz
Explosive ha
mage analysis
(thermal effec
plosions and g
levant in the
havior is rudim
hed and resear
nsider crater t
ast
indicates the
in distance. P
d biological ha
way for a sce n
agents. Assu
amount of ag
nd incendiary
re the most co
So a lar ge bu
will be consid
weapons and
f a several m
dered
o description
thin a contain
d camouflages
analysis
xplosives and
4 shows the
sions under fr
scenarios).
zards
azards.
s we will focu
cts) is on ly c
ground shock
given contex
mentary descr
rch is still goi
throw.
characterizin
(side on over
azards
nario like tha
uming a big a
gent will be t
matters
ommon attack
ut realistic am
dered
d weapons syst
anpads for fu
contains pos
ner, locations w
s inside a con
d dirty bombs
general hazar
ee field condi
us on blast eff
considered in
is not consid
xt. Container
ibed in [6] bu
ing on. We wi
ng blast param
rpressure) and
at are
attack
trans-
k type
mount
tem
urther
ssible
with-
ntain-
(sce-
rds in
itions
ffects.
very
dered
frag-
ut not
ill al-
meters
d I

Figu
blas
pres
of o
sure
phas

(area
can
Swis
8]:

P
Z
I
=
e
=

The
scale

Z =

whe
and
from

4.1.
Burn
the
roun
the
burn

ure 5 Pressu
t wave at a
ssure, P
S
maxi
overpressure a
e phase. The
se following th
a specific bl
be calculated
sdak out of fo
| |
( )
1
1
0
exp
, ,

S
S
i i
t T
t
P P
a b
p t dt
+
=
}
c
ij
are const
ed distance Z
1
3
s
m

ere m is the T
the blast imp
m the explosiv
2 Thermal
ning of the sk
hot gasses, r
nding air due
first minute o
ns can be [9]
- absorptio
- heating a
- fires, cau
- secondar
shock, e.
ure-time histo
certain distan
imum overpre
and T
S
duratio
specific blast
he overpressu
last impuls),
d using poly
our large free
( )
4
0
p ln
exp
j
ij
j
j
c Z
I
=
|
\
|
=

\
ants which d
is given by
TNT equivalen
ulse respectiv
e source.
radiation
kin due to ex
respectively th
to the firebal
of an explos io
on of thermal
and ignition of
used by the the
ry effects du
.g. fires.
ory p(t) (red
nce. P
0
is t he
essure, t
1
the
on of positive
t impulse an
ure phase are i
for TNT(-eq
ynomials deve
field test expl
( )
4
0
,
ln
j
j
ij
j
c Z
=
|
|
.
|
|
.
differ for P a
nt (for t he ov
vely) and s t h
xplosions resu
the heating o
ll, that is caus
on. The reaso
radiation by t
f clothing,
ermal pulse an
ue to blast o
line) of a
e ambient
start time
overpres-
d sucking
ndicated.
quivalent),
eloped by
losions [7;

and I. The
erpressure
he distance
ults out of
f the sur-
sed within
on for the
the skin,
nd
or ground
203
The heat
fects: abs
section 4

is taken
(between
the Boltz
[10], its s
temperatu

4.2 Sp
ter an e

There exi
rials:

- t
m
- o
- |
-
- n

The dam
pending o

- r
- i
- a

The most
body by
most of
humans.
To estima
explosive
essary to
sion) of t
mans can

There exi
graphical
the Lagr
concentra
equation
compared
lation tim
in use (sin

( , , 0)
2
y
C x y
K =

flux inside th
sorption and
4.2.1 below) on

into account.
n 0 and 1, dep
zmann consta
surface A and
ure T.
preading of
explosion
ist different h
toxic effects
metals),
o-rays (He-4
|-rays (electro
-rays (photon
neutron-radiat
mage of these
on the type of
radiation in ai
interaction aft
absorption int
t severe one i
e.g. respiratio
the radioactiv
ate the hazar d
e spreading of
simulate the
the material.
n be estimated
ist two domin
l spreading: th
range Particle
ate on the Gau
n (1) and figu
d to the Lagra
mes (few secon
nce 1960). A t
) ex
,
y z
y z
Q
U
x
K
U
=
=
he skin is infl
transmission
nly the absorp
It depends o
pending on t h
ant o = 5 .670
the fourth pow
f radioactiv
hazards due to
(chemical pro
-atomic nucle
ons and positr
ns) and
tion.
hazards on h
f interaction:
ir,
ter deposition
to the human b
s the absorpti
on and ing est
ve materials
d (physical ha
f radioactive m
geographical
Then the con
.
nant models to
he Gaussian
e Model. In
ussian Plume M
ure 6) as it h a
ange Particle M
nds) and a lon
typical version
2
2
xp exp
2
2 .
y
z
y
x
K
U
| |
|
|
\ .
uenced by tw
. In HotSpot
ption of a body
on its emissi v
e surface text
03 10
-8
W m
-
wer of its abs
ve material
o radioactive m
operty, like h
eus),
rons),
humans varies
on ground an
body.
on into the hu
tion, especial
are poisonou
azard potentia
materials it is
spreading (di
nsequences for
o simulate the
Plume Model
the following
Model [9; 11]
as two advant
Model: short s
ng-time experi
n is
2
2
p ,
2
z
z
| |
|
\ .

wo ef-
(see
y
vity e
ture),
-2
K
-4

solute
l af-
mate-
heavy
s de-
nd
uman
lly as
us for
al) of
nec-
isper-
r hu-
geo-
l and
g we
] (see
ntages
simu-
ience
(1)
Equ
the G
grou
ured
of g
the w
ian
coef
ficie
(cro
the
of th
has t

Figu
ous
(Gau

4.2.
To e
prog
al L
Mod
The

Seco
stan
mate
rial o

HotS
ed to
trati
prop
tions
sis o
We
para
5
The
ings
desc

uation (1) [11
Gaussian Plum
und level, whe
d in g/m), Q i
as or particula
wind in the di
dispersion pa
fficient in y-di
ent in z-direct
sswind directi
orthogonal co
he concentrat
the coordinate
ure 6 Distrib
source alon
ussian Plume
1 HotSpot (
estimate the d
gram HotSpot
Laboratory [9]
del and therefo
main input pa
- type of r
- amount o
- TNT-equ
- predomin
- atmosph
ondary proper
dard settings,
erial, the settl
or the breathin
Spot uses a G
o explosive re
on. With the
perties of a r a
s lead to the h
of a scenario.
note that Hot
ameters like m
Dama
damage anal
s, building elem
cribed in the s
] is the well-
me Model for
ere C is the co
s the source st
ate (e.g. in kg
irection of x,
arameters, wh
irection and K
tion and x (d
ion) and z (he
oordinates of
ion. In figure
es (0,0,0) and
bution of conc
ng the wind
Model).
Gaussian Pl
damage of dir
of the Lawre
. It is b ased o
ore very fast.
arameters are
adioactive ma
of radioactivit
uivalent of exp
nant wind dire
eric state (clas
rties, which c
, are e.g. the
ing velocity o
ng rate.
Gaussian Plum
elease of mate
help of med
adioactive ma
hazard and fin
Spot does not
mountains, sea,
age analys
lysis describe
ments and per
ection before.
-established eq
r a continuous
oncentration (
trength or em
g/s), U is the v
y
and
z
are t
here K
y
is th e
K
z
is the diffu
downwind dir
eight above gr
the measurem
e 6 the sourc
shown is C(x,
centration of a
direction o
lume Model
rty bombs we
ence Livermor
on the Gaussi
aterial,
ty in Becquere
plosive,
ection and vel
sses A to F, se
can be adjuste
e breathable a
of the radioac
me Model that
erials and the
dical database
aterial these c
nally the dama
t consider geo
, forests etc.
sis
s the damage
rsons due to th
.
quation of
s source at
e.g. meas-
ission rate
velocity of
the Gauss-
e diffusion
usion coef-
rection), y
round) are
ment point
e position
,y,0).

a continu-
n ground
l)
e used t he
re Nation-
ian Plume
el,
locity and
ee [9]).
ed beyond
amount of
tive mate-
t is adj ust-
ir concen-
es and t he
concentra-
age analy-
ographical
e to build-
he hazards
204
5.1 Dam

Blast can
Injuries d
(eardrum
ary (fragm
juries. As
not be d
will be m
(x is e.g. t
b are posi

Pr(x)=a+

The dama
ett-Mode
damage d

- d
a
6
f

- d
s
(
o

Figure 7
(green),
eardrum
parallel li

Figure 8
buildings
blue) to c
mage due t
n cause damag
due to blast ca
m rupture, see f
ments) and te
s mentioned b
iscussed here
manly estimate
the scaled dis
itive or negati
+bln(x)
age of buildin
l [13; 14;
depending on
damage of ord
age classes fr
6 (complete
figure 8
damage of re
structed build
(e.g. broken w
or completely
7 Iso-damage
0.5 (orange)
rupture in cas
ines are 100 m
8 Da mage cl
s due to a bi
class 6 (red). G
to blast
ge to buildings
an be distingu
figure 7 , lung
ertiary (blow-
before fragmen
e. Primary an
ed by using pro
tance Z, see s
ive parameters
ngs is estimat
15]. It descr
the distance to
dinary masonr
rom 1 (e.g. br
destruction o
einforced con
dings, damag
windows) to
y destroyed)
e radii for the
and 0.9 (red
se of a bigger
m apart.
lass radii for
igger explosi
Grid 100 m tim
s and persons.
ished into prim
g damage) sec
down, impact
nts and debris
nd tertiary in j
obit functions
ection 4.1.1, a
s):
ted using the
ribes the buil
o an explosion
ry buildings, d
roken window
f a building)
ncrete frame
ge classes fr o
5 (only frame
e probabilitie
d) to suffer h
r explosion. B
ordinary mas
on; class 1 (
mes 100 m.

mary
cond-
t) in-
s will
juries
s [12]
a and
Jar-
lding
n:
dam-
ws) to
), see
con-
om 1
e left
s 0.1
heavy
Black
sonry
(dark
5.2

The

Dep
posu
from
dest

5.3
oac

In se
tive
impa
ing:

Figu
oact
To g
som
in a
dose

Figu
expl
dica
Damage d
skin consist o
- epidermi
thick
- dermis, c
- subcutan
ture and
pending on the
ure time (s) th
m first (rednes
royed), respec
Damage d
ctive materi
ection 4.2 the
materials wer
act (damage)
- toxic-eff
radioacti
- o-rays: n
very dan
body
- |-rays: c
(skin can
the body
- -rays: v
struction
(without
- neutron-r
with natu
it produc
with hyd
ure 9 shows a
tive material a
give informati
me German rec
radioactive en
e of 1 mSv per
ure 9 Spreadi
losion with ra
ated dose for e
due to therm
of two respect
is, death tiss
contains fine v
neous tissue, c
nerves
e thermal flux
hese parts of t
s and pain) to
ctively fourth
due to the
ial
different haza
re already intr
on the huma
fect: usually
ive effects
not dangerou
ngerous if inge
causes skin bu
ncer possible)
y (e.g. Iod-131
very dangero
n of genetic m
ingestion or i
radiation: not
ural decay. Da
ces free proton
drogen atoms i
an example fo
after the expl
ion how to int
commendation
nvironment sh
r year [18].
ing of radioac
adioactive ma
exposed perso
mal radiati
tively three lay
sue, 0.03 to
vasculature an
contains bigge
x (kW m
-2
) an
the skin can g
o third (skin c
degree [16; 1
spreading
ards caused b
roduced. Thei
an body are th
negligible ag
us outside of
ested or inhale
urns outside o
), very danger
1)
ous, ionizing
material, within
inhalation) an
t common for
angerous for h
ns when intera
inside the hum
or the spreadin
losion of a di
nterpret figure
ns: people no
hould have a
ctive material
aterial (dirty b
ons under the
ion
yers:
0.05 mm
nd glands
er vascula-
nd the ex-
get burned
completely
7].
of radi-
y radioac-
ir different
he follow-
gainst the
the body,
ed into the
f the body
ous inside
rays, de-
n the body
nd on skin
r materials
humans as
acting e.g.
man body.
ng of radi-
irty bomb.
e 9 we use
ot working
maximum
after a big
bomb). In-
spreading
205
radioactive cloud after 1 hour (wind 1 m/s, atmos-
pheric state cl ass B). Outer line 0,1 m S, inner line 1
mSv. Grid 1 km times 1 km.
6 Frequency of event, exposure
and risk analysis
After [19] there are different possibilities to determine
a risk:

- actual risk: can only be determined after-
wards by statistical calculations , assuming
the same conditions over a l onger period of
time.
- statistical risk: evalua tion of collected dat a
using simple statistical methods (e.g. mean
value)
- prognostic risk: risk for scenarios that did not
yet happen. Determined by u sing similar
scenarios or (complicated) models.
- perceived risk: individual/societal perceived
risk, depending on individual feelings or sit-
uational awareness.

As we showed in section 3 none of the known scenar-
ios in harbors was executed with a container involved.
Therefore we had t o make some frequency of e vent
assumptions to estimate a prognostic risk for the sus-
pected scenarios in section 1 and 3.1:
We assume the number of attacks on harbors stays the
same in the coming years (42 in 37 years, ~ 1 per
year), but in the future between 1 % and 10 % will be
of the type mentioned in section 3.1 (scenarios 1 and
3). There exist about 651 [20] harbors in the world
which leads to an average frequency of attack event of
1.54 10
-5
a
-1
(1%) to 1.54 10
-4
a
-1
(10%) for each har-
bor.

Out of the local d amage analysis we esti mated the
number of injured and deadly injured persons for each
scenario taking a certain exposure of person estimates
into account. We use these numbers to determine a
collective risk (group risk) for persons working at a
harbor or stay in the vicinity of it.
Taking one of the sce narios as an example, we con-
sider the explosive scenario (see e.g. figure 7, injuries
due to heavy eardrum rupture), we obtain a collective
risk of 1.54 10
-5
a
-1
for being injured and 3.1 10
-5
a
-1

for being deadly injured considering 1% probability
of novel types of attacks in harbors. For the 10%
probability we ob tain 1.54 10
-4
a
-1
for being injured
and 3.1 10
-4
a
-1
for being deadly injured.

7 Conclusions

It was sh own that the method of quantitative risk
analysis can be applied to the analysis of selected
threats (hazard sources) originating from containers at
harbors, in particular dirty bombs and conventional
explosives. This selection of scenarios was somewhat
motivated by an historic threat analysis and mainly
based on an expert threat list deemed to be relevant
for container shipping to the USA.
It was found that the scenarios can be analyzed in a
systematic and similar way by when describing blast
effects. In case of dirty bombs in addition radiological
dispersion (spreading) and damage effects on humans
must be considered. To this end we resorted to well
established Gaussian plume models.
The risk analysis in case of an event seems to be well
established, alas m aybe not very well documented
within open literature. We showed that we can deter-
mine collective annual over all risks assuming an ex-
posure of personnel within and outside the harbor re-
stricting ourselves mainly to short-time effects. How-
ever, the frequency of event estimate is base d on
rather weak assumptions. We assume that a ce rtain
fraction of historic events on harbors will be conduct-
ed in future using the attack scenarios analyzed.
In case of th e scenarios the collective risk, with our
estimations, is qu ite small. The scenario of a d irty
bomb with a small amount of radioactive material
seems more possible than one to spread radioactivity
over a large area. In case of this small amount scenar-
io the consequences are expected to be manageable as
there are existing plans for decontamination (e.g. the
German Federal Office for Radiation Protection pro-
vides advice to this topic). But it is not possible to es-
timate the economic consequences of such a scenario
and the reaction of people. E.g. the reaction of other
harbors due to a scenario like the ones described can-
not be evaluated.
Our risk analysis only considers events that occur di-
rectly at a harbor. It does not cover sce narios where
cargo shipping is used for transportation of dangerous
goods which have other targets.

We conclude that even when using only hazard or
damage analysis a ki nd of risk ranking can be per-
formed. The frequency of e vent data can easily be
changed if better estimates are available to obtain bet-
ter risk estimates.
Future work could deal with a much more concise
hazard and damage analysis. Furt her studies on the
risk of possible container transportation of dangerous
and illegal goods for further use (other targets like e.g.
airports, city centers) will be an interesting topic. Of
course also the scenario and frequency of event analy-
sis could be extended. Besides our threat t able could
be seen as a start that should be complemented when-
ever possible or if new expertise is available.

Acknowledgements

This work was supported by the German Federal Min-
istry of Education and Research (BMBF) and super-
206
vised by the Association of German Engineers (VDI).
We express our gratitude to our former colleague at
Fraunhofer EMI Nils Echterling for his contribution
to this work. Furthermore we are grateful t o our col-
leagues from Fraunhofer EZRT and our partners from
Smith Heimann GmbH concerning t heir expertise
contributions to the threat table.
References
[1] US Government, H.R. 1 - One Hundred Tenth
Congress of the United States of America - Title
XVII - Maritime Cargo,
www.govtrack.us/congress/billtext.xpd?bill=h11
0-1, Washington, 2007.
[2] TED - Terrorismus Ereignis Datenbank,
Fraunhofer Institut fr Kurzzeitdynamik -Ernst-
Mach-Istitut-, Efringen-Kirchen, 2007.
[3] U.Siebold, Untersuchung statistischer
Auswertverfahren zur Analyse
sicherheitsrelevanter Ereignisse - Auswertung
der Terror-Ereignis-Datenbank (TED) mit Hilfe
der TED-Analyse-Software (TEDAS),
Fraunhofer Institut f r Kurzzeitdynamik,
Efringen-Kirchen, 2007.
[4] Global Terrorism Database (GTD), National
Consortium for t he Study of Terrorism and
Responses to Terrorism (START), 2010.
[5] Julia Ziehm, ECSIT: Erhhung der
Containersicherheit durch berhrungslose
Inspektion im Hafen-Terminal - AP 1.4
Risikoanalyse, Bericht E 21/11, Fraunhofer EMI,
Efringen-Kirchen, 2011.
[6] John Tatom and Robert Conway, ISO Container
Source Function Development for the Klotz
Group Engineering Tool, DDESB - Department
of Defense Explosives Safety Board Seminar,
Portland, USA, 2010.
[7] M.M. Swisdak, Simplyfied Kingery airblast
calculations., Proceedings of the 26th
Department of Defence (DoD) Explosives Safety
Seminar, Miami, Florida, US, 1994.
[8] M.M. Swisdak, The Determination of Explosion
Yield / TNT Equivalence from Airblast Data,
Indian Head Devision / Na val Surface Warfare
Center, 2001.
[9] Steven G. Homan n, HotSpot, Health Physics
Code Version 2.07.1 User's Guide, Lawrence
Livermore National Laboratory, Livermore,
2010.
[10] Paul A. Tipler, Physik, Spektrum Akademischer
Verlag, 1994.
[11] Robert Macdonald, Theory and Objectives of Air
Dispersion Modelling, University of Waterloo,
Waterloo, 2003.
[12] Aschmoneit, T., Richter, I. Hri ng, C., Grke,
G., Brombacher, B., Ziehm, J., Da mage
assessment modeling for explosion effects, 13th
International Symposium on the Interaction of
the Effects of Munitions with Structure -
ISIEMS, Brhl, Germany, 2009.
[13] D.E. Jarrett, Derivation of the British Explosives
Safety Distances. Annals of the New York
Acedemy of Science (and M inistry of Defence,
United Kingdom) 152 (1968) 18-35.
[14] G. C. Mays, Blast Effects on Buildings, Thomas
Telford Publications, 1995.
[15] P.D. Smith, Blast an d Ballistic Lo ading of
Structures, Butterworth-Heinemann, 1994.
[16] L.H.J. Absil Ph. van Dongen, H.H. Kodde,
Inventory of damage and lethality criteria for HE
explosions, TNO report PML 1998-C21, TNO,
Rijswijk, Netherlands, 1998.
[17] Onmeda, Verbrhungen und Verbrennungen -
Symptome,
http://www.onmeda.de/krankheiten/verbrennung
-symptome-5486-4.html, 2010.
[18] Grenzwerte,
http://www.bfs.de/de/ion/beruf_schutz/grenzwert
e.html, Bundesamt fr Strahlenschutz, 2011.
[19] Andreas F. Fritzsche, Wie sicher leben wir?
Risikobeurteilung und -be wltigung in unserer
Gesellschaft, TV Rheinland, Kln, 1986.
[20] Wikipedia, List of seaports,
http://en.wikipedia.org/wiki/List_of_seaports,
2011.

207
Integrated open-source software for modeling the effects of bio- or
agroterroristic attacks on the food chain
Jan-Frederik Wigger, Federal Institute for Risk Assessment, Unit Epidemiology and Zoonoses, Germany
Matthias Filter, Federal Institute for Risk Assessment, Unit Epidemiology and Zoonoses, Germany
Dr. Armin Weiser, Federal Institute for Risk Assessment, Unit Epidemiology and Zoonoses, Germany
Dr. Annemarie Ksbohrer, Federal Institute for Risk Assessment, Unit Epidemiology and Zoonoses, Germany
Prof. Dr. Bernd Appel, Federal Institute for Risk Assessment, Dep. Biological Safety, Germany
Abstract
Food chains are considered as possible targets for agro- / bioterrorist attacks. The Spatiotemporal
Epidemiological Modeler STEM [1] is an opensource Java-based software project that integrates
epidemiological models with relevant data sets, e.g. on population, transportation and environmental conditions.
To extend the functionality of the STEM software such that it becomes applicable in the context of agro- /
bioterroristic scenarios the following features had to be implemented:
- the possibility to integrate user-specific data that do not contain geographical information
- the possibility to integrate external microbial models that simulate the fate of contaminants within the food
production and trade network.
As STEM is based on the object-oriented modeling concept, new features could be included seamlessly into the
software framework. Functionalities for data import, editing / visualization of graphs and integration of external
microbial models were added to STEM. With the newly developed import routines limitations in applicability of
the STEM software could be reduced. Additionally the management and the model configuration could be
improved with the newly implemented GUI editor that allows manual adjustments on GIS coordinates,
transportation rates and population properties. The possibility to include external microbial risk assessment
models into the simulation enables the user to make predictions about potential threats to animal and human
population caused by contaminations of the food chain.
Open source software solutions for the simulation of intentionally added bio- or agroterroristic contaminations
were not available until now. Due to the developed features STEM has now the power to model the effects of
those assaults on the animal and human population.
The STEM software (www.eclipse.org/stem ) can serve as a community resource for risk assessment tasks in
crisis situations and for crisis prevention.
Acknowledgement
This project has been funded by BMELV research
grant: 07HS019
References
[1] Ford, D. A., J. H. Kaufman, and I. Eiron. "An
extensible spatial and temporal epidemiological
modelling system." International Journal of
Health Geographics 5 (2006).

208
Laser-based ranging and tracking of space debris
Uwe Voelker, Ivo Buske, Wolfgang Riede, Jochen Speiser, and Adolf Giesen
German Aerospace Center, Institute of Technical Physics,
Pfaffenwaldring 38-40, 70569 Stuttgart
Germany
Abstract
Space debris imposes reasonable risk on present space missions, as these objects hold relative velocities on the
order of 10 km/s. Due to their high kinetic energies, objects up from 1 cm size have to be monitored in order to
prevent collisions with satellites. Since the number of objects within this risk category is reasonable high, an ac-
curate and effective monitoring system is necessary. Here, we present a concept for a laser-based space debris
monitoring system. The chosen approach combines passive optics (to detect non-catalogued objects) and laser-
based active optics (to fine-track and range the debris objects). The involved physical processes affecting such
approach such as optical turbulence, absorption, and scattering are modelled and the results will define the de-
sign of a future system. In addition, short range on-ground tracking and ranging will be conducted. The aim is to
simulate the strong signal attenuation by downscaling of photon densities in order to prove system feasibility.

1 Introduction
Due to the extended use of space since the first launch
of a satellite in 1957, an increasing number of rem-
nants of on-orbit collisions, explosions and defunct
satellites are circulating at high population density on
important LEO and GEO orbits. Due to the velocities
of these so called space debris objects, even small
particles impose an increasing risk for space assets.
While larger LEO objects are permanently tracked by
radar, barely any information is available on the orbits
of objects at a size range of 1 cm to 10 cm. Hence, an
effective and precise determination of exact orbital
data is a prerequisite for collision risk mitigation. For
risk analysis and following debris monitoring sched-
ules, the height distribution of the debris objects has
to be taken into account. Analysis shows that peaks in
debris density appear at approximately 900 km and
1400 km in LEO and at GEO altitudes, respec-
tively [1].
Up to now, a more or less sharp distinction between
the two available observation techniques for non-
cooperative targets, i.e. radar and passive optics, have
been made depending on the distance of the object
under observation. For objects located in low earth
orbits, radar techniques are at present the method of
choice. For objects at GEO altitudes, mainly passive
optical observations are performed by measuring re-
flected solar radiation. Such separation regarding the
field of application primarily results from (i) the sig-
nal decay with R
-4
for active methods (R being the
distance of the target object), and (ii) the limited ob-
servation time for passive methods resulting from the
object mainly being shaded by the earth for small dis-
tances, i.e. LEO, at night-time observability. How-
ever, active observation methods are not restricted to
radar only. Since the advent of the laser in the 1960s,
related technologies reached maturity and are still
emerging. In principal, the whole electromagnetic
spectrum could be used to actively illuminate and
subsequently detect radiation scattered off the target,
as experimentally demonstrated by the Australian
company EOS Technologies [2]. Due to the spectral
properties of the earth atmosphere, absorption, scat-
tering, and turbulence affect for instance radar and
optical wavelength differently. Within a future space
debris monitoring network, either of these frequency
windows should be employed in order to make the
best use of the respective features. This affects the
named spectral properties of the atmosphere, but as
well the reflectance characteristics of the target ob-
ject, the occupancy of frequencies for communica-
tion, and of course installation costs of monitoring
facilities as well.
The technique of satellite laser ranging (SLR) is well
established by now and has reached operational range
resolution of a few mm for distances of 20.000 km [3,
4]. Albeit laser ranging of optically non-cooperative
target objects will show its own specifics, such high
resolution hints towards the capabilities of this tech-
nique. Hence, for the application of space debris
monitoring, the components of a typical SLR system
have to be adapted. As a core component, the ranging
laser might be seen, whose pulse energy has to be ad-
justed considering the reflection characteristics of the
209
debris object, atmospheric losses due to turbulence
and extinction, and the detection efficiency.
The requirements for the components of a laser based
space debris monitoring system will be deduced from
involved physical processes including typical atmos-
pheric properties and basic assumptions on the reflec-
tion characteristics of debris objects in the following
chapters. A discussion with respect to technical feasi-
bility will be included. The development goal of our
activities is a demonstrator system, which is able to
find non-catalogued objects by detecting solar radia-
tion scattered by the debris. Subsequently, laser rang-
ing is intended to be performed in order to gain effec-
tively the Keplerian elements of the debris orbit.

2 Physical Processes
Within this chapter, the physical processes defining
the required performance of each system component
will be discussed. Starting from the necessary pulse
energy of the laser used for ranging, the influence of
the atmosphere (turbulence and extinction) on the
propagating laser will be discussed.
2.1 Photon Budget
For laser ranging of optically non-cooperative space
debris objects, the signal attenuation and subse-
quently the small number of detectable photons has
to be taken into account. In this section, we concen-
trate on a simple estimation which includes double
path transmission to LEO objects, reflection by an
ideal Lambertian scatterer and detection using a tele-
scope with a certain aperture equipped with a detec-
tor with known low signal to noise ratio (SNR). The
detectable power for a given beam diameter at the
target altitude then depends on the transmitted pulse
energy. We calculate the pulse energy of the ranging
laser necessary to receive a power of 4 nW, which
corresponds to a SNR of 4 of an commercially avail-
able low-noise detector. This is done for a 10 cm de-
bris object (diameter) at a distance of R = 600 km.
The emittance angle of transmitted laser beams hit-
ting the target and reflected beams reaching the de-
tection telescope, respectively, can in general be con-
sidered small for large distances of space debris. For
such case, the fraction of scattered power reaching
the telescope aperture is proportional to the transmit-
ted power multiplied by a transmittance factor and by
the fraction of the involved transmittance and reflec-
tance angles, respectively. Hence, the received power
can be expressed as follows:

tel
deb
trans refl *
rec trans
tot tot
trans
refl
P P .
O
O
= T
O O
(1)
In this formula, the power P
trans
transmitted by tele-
scope optics is multiplied by the ratio of the solid an-
gle defined by the target size and distance (
deb
trans
O ),
and the overall solid angle of emitted light. Follow-
ing, this expression gives the total power hitting the
debris object (not regarding transmittance losses, c.f.
section below). Now, an additional quotient of the
solid angle of the aperture of the detection telescope
(
tel
refl
O ) and the solid angle of the scattered
light (
tot
refl
O ) is added, multiplied with a parameter T
*

which accounts for the total double pass transmission
properties, including losses due to atmospheric ex-
tinction, debris reflectivity and transmission losses
within the telescopes.
For a debris object orbiting at a certain height R,
Equation (1) can be rewritten as

2
tel
4 deb *
rec trans
tot tot
trans
refl
D
A
4
P P R .
= T
O O
(2)

Obviously, P
rec
increases linearly with the surface area
of the debris object A
deb
, but quadratically with in-
creasing diameter of the receiving telescope (D
tel
).
Furthermore, the power hitting the detection telescope
decreases with distance to the fourth power, i.e. P
rec
~
R
-4
.
Equation (2) is well suited to estimate the necessary
transmitted pulse energy in order to receive a certain
power level. The pulse length is assumed to be on the
order of 10 ns and the detection threshold is set to a
signal to noise ratio (SNR) of 4. For commercially
available sensitive detectors, this SNR is achieved
with P
rec
= 4 nW, which corresponds to an energy of
410
-17
J for = 532 nm. The transmission parameter
T
*
is set to 0.3 for a first instance (the influence of
certain atmospheric models on the value of atmos-
pheric transmittance T will be discussed in the follow-
ing section).
A nice side effect of expressing P
rec
by simply using
the ratios of solid angles (transmission and scattering)
is that both the effect of atmospheric turbulence and
the beam quality of the pulse laser is included in the
value of
tot
trans
O . Hence, these two parameters only
have to be checked later on the ability to achieve light
cone diameters matching the assumed values of the
total transmission angle at debris heights R.
In Fig. 1, the transmitted pulse energy of the ranging
laser necessary to receive a power of 4 nW is plotted
as a function of the beam diameter at a distance of
R = 600 km for a 10 cm sized debris object, which is
supposed here to be an ideal Lambertian scatterer.
The solid line shows the relation for a 25-inch detec-
tion telescope, whereas the dashed line represents the
situation using a 40-inch telescope. As can be seen,
the transmitted pulse energy should be on the order of
1 J assuming an illumination cone diameter of about
5 m. It has to be emphasized, that we are dealing with
attenuation on the order of 2.510
-16
regarding trans-
mitted and received energy, respectively.

210

The above estimation is based on several assump-
tions. As pointed out, the beam quality and the influ-
ence of atmospheric turbulence are wrapped up in the
cone diameter. The losses due to atmospheric
transmission and the reflectivity of the target are in-
cluded in parameter T
*
. In the next section, we will
discuss whether the assumed values of the cone di-
ameter at R = 600 km as well as the value of T
*
= 0.3
could be reached under realistic circumstances.
2.2 Atmospheric Propagation
The above estimation suggests the feasibility of moni-
toring 10 cm space debris by means of active optics
using 1 J laser pulses. In this section, it will be exam-
ined under which atmospheric conditions the assump-
tions made in the above estimation could be met. For
this purpose, the impact of atmospheric turbulence on
propagating laser beams will be evaluated. Addition-
ally, the atmospheric extinction for different viewing
angles will be highlighted.

2.2.1 Turbulence
The strength of atmospheric turbulence is commonly
quantified by the value of the refractive index struc-
ture parameter
2
n
C in units of m
-2/3
. This accounts for
the statistical properties of the turbulence averaged
over the beam path for horizontal applications and
incorporates the power law present in the atmos-
pheres turbulence cells.
However, for applications such as space debris moni-
toring, the laser beam propagates for obvious reasons
mostly in vertical direction. Hence, any simulation of
beam propagation has to incorporate a height profile
of
2
n
C . In literature, there exist different models for
this purpose. The SLC (strategic laser communica-
tion) model has two versions, valid for day and night
time, respectively, which are based on averages of the
Miller-Zieske profile [5]. The Hufnagel-Valley (H-V)
model gives an analytical expression for
2
n
C (h) and
can be adapted to the turbulence properties of certain
locations:

( ) ( )
( )
( )
( ) ( )
10
2 2 5
n
16
C h 0.00594 v / 27 10 h
exp h / 1000 2.7 10
exp h / 1500 A exp h / 100 .
=
+
+
(3)

Here, v describes the wind speed and the parameter A
gives the turbulence condition of the considered site.
For numerical propagation simulations, the height
profile of
2
n
C is approximated using a step profile
where equally separated phase screens are introduced
corresponding to the respective value of
2
n
C .
The propagation simulation itself is based on a For-
tran 90 code and accounts for the influence of the tur-
bulent atmosphere on the laser beam by making use
of the FFT-method [6]. This method is well-
established to describe turbulence effects in laser
resonators and is described in detail elsewhere [7].
Within the propagation simulation, the laser beam is
supposed to propagate in vacuum above the atmos-
pheric zone, i.e. above a height 20 km. For this rea-
son, the propagation from h = 20 km to h = 1000 km
could be performed within one numerical step by us-
ing the paraxial wave equation employing the Fres-
nel-Kirchhoff integral [8]. Such approach allows for
the implementation of a large number of phase
screens within the turbulence zone each with a high
spatial grid sampling on the order of 2
10
x 2
10
and thus
offers a high level of flexibility versus commercial
available programs. The diameter of the modelled
beam at the transmitter is 0.5 m (1/e
2
) using a trans-
mission telescope of 1 m diameter. The wavelength
was chosen as 532 nm, but the sensitivity of the
propagation simulation for small variations of , for
instance 532 nm versus 515 nm, is relatively small.
As a first approach, we considered an ideal Gaussian
beam, i.e. M
2
= 1.
Fig. 2 shows exemplarily the far-field intensity pat-
tern for an on-ground turbulence value of 3.4
10
-15
m
-2/3
. In order to account for statistical effects,
150 pulses are averaged and yield a full width at half
maximum (FWHM) of 3.6 m, which is two times the
diffraction limit achieved in vacuum.

In order to achieve information not only on the result
for one particular turbulence value, the resulting
FWHM-values for 150 averaged pulses are shown in
Fig. 3 as a function of
2
n
C . Here, the diffraction limit
is indicated by the solid horizontal line. As expected,
Figure 2: Far-field intensity pattern at
R = 1000 km, averaged for 150 pulses. The value
of ( )
2
n
C h 0 = is 3.410
-15
m
-2/3
, the wavelength is
= 532 nm.
2 4 6 8 10
0
1
2
3
4
cone diameter @ 600 km [m]
p
u
l
s
e

e
n
e
r
g
y

[
J
]
Figure 1: Pulse energy necessary to receive a signal
level four times the noise level of a given detector.
The heights of the 10 cm debris object is 600 km
(for details, see text).
211
for very low turbulences the far field intensity pattern
approaches the vacuum case. For
2
n
C values above
410
-14
m
-2/3
, the single pulses get spatially structured
at a distance of 1000 km, which results in large
FWHM-value averaged over 150 shots. Hence, laser
based space debris monitoring employing 1 J pulses is
not likely to be feasible at locations offering such tur-
bulences properties. However, we are able to identify
turbulences which are likely to occur for German
night time conditions [9] and allow for illumination
cones on the order of the assumed 5 m (c.f. section
2.1), where simulated short-term beam wander is
evaluated to be on the order of 2 m (rms), which is
well beyond the particular FWHM.
The results presented so far are valid for ideal Gaus-
sian beam, i.e. M
2
= 1. However, a realistic laser sys-
tem will show degradation in beam quality. We as-
sume a value of M
2
6 to be realistic for a laser offer-
ing the postulated pulse energy and will analyze the
corresponding FWHM at a distance of 1000 km under
the presence of different turbulence scenarios in fu-
ture work. Furthermore, it has to be noted that the
presented propagation simulations represent an opti-
cal ground station at sea level.
An operational laser based space debris monitoring
station, though, will certainly be installed at a more
suitable site, which will of course lead to further im-
proved values of the beam diameter at the debris alti-
tude. As a first approach to quantify the effect, we
used the H-V-based turbulence scaling for ESAs
OGS given by Toyoshima et al. [10]. The resulting
averaged far field intensity pattern is comparable to
the one shown in Fig. 2 (FWHM = 3.6 m).

However, it has to be noted that effects of light scat-
tering on aerosols and molecular absorption, which
will be intensified by possible slanted paths, are not
included in the shown propagation simulations so far,
but will be discussed in the following section regard-
ing atmospheric extinction.

2.2.2 Extinction
In addition to the above evaluated effects of turbulent
atmosphere on the propagation of laser beams, atmos-
pheric extinction is the second physical atmospheric
effect which has to be considered when developing a
laser-based space debris monitoring system. The at-
mospheric spectral properties of both, scattering and
absorption, are well described by the Air Force Phil-
lips Laboratorys FASCOD3P model [11]. This model
is widely accepted as standard and was commercial-
ized by Ontar within the software PCLnWin [12].
This software is capable of simulating atmospheric
transmission properties with high spectral resolution
for certain visibilities, site altitudes, aerosol densities,
and elevation angles of the transmitted beam. In order
to select the wavelength of the ranging laser with the
purpose of minimizing transmittance losses, we
evaluate the situation for a center wavelength accessi-
ble by Yb:YAG lasers. Results show that the single
pass transmittance T for 1030 nm is about 86%,
whereas
SH
515 nm yields T 61%. Hence, we
concentrate on the center wavelength of 1030 nm and
proceed discussing atmospheric transmission for the
corresponding frequency window.
The spectral transmission around the central wave-
length of 1030 nm in general consists of a baseline at
approximately 96% for zenith direction, which is due
to scattering from aerosols. Additionally, several nar-
row absorption bands are present. Fig. 4 shows the
baseline-transmittance as a function of the telescopes
elevation angle, measured against zenith.

Here, the circles represent a site at sea level, hence
h = 0. The effect of the telescope approaching the ho-
rizon, i.e. growing angles, is clearly observable. The
transmittance decreases from 86% for zenith angle
towards 75% for 30 above horizon. For a site at rea-
sonable higher altitudes, the situation is dramatically
different.
Figure 3: The far field intensity distribution (av-
erage of 150 pulses) quantified by the FWHM of
the beam at R = 1000 km for different turbulence
values used as parameter A of the H-V model
given in Equation (3).
10
-16
10
-15
10
-14
10
-13
0
5
10
15
20
C
n
2
[m
-2/3
]
F
W
H
M

[
m
]
diffraction limit
Figure 4: Transmittance T versus elevation an-
gles, measured against the zenith angle for US
standard atmosphere. The diamonds represent a
site located at a height of 2.4 km (circles at 0 km).
212
ESAs OGS at Teide (Tenerife) is located at approxi-
mately h = 2.4 km. The diamonds in Fig. 4 represent
the transmittance from such heights into space for dif-
ferent elevation angles. As can be seen, the value of
T 0.95 stays nearly constant over a broad angular
range spanning from zenith (0) towards about 30
above horizon.

The value of parameter T
*
in equation (2) could be
estimated carefully by assuming a double path atmos-
pheric transmission T
dp
of 80%. The losses within
transmission and receiving telescope are mainly de-
fined by the reflectivity of the optical components and
by diffraction of light. By wavelength-optimized di-
electric coating of the mirror surfaces, the reflectivity
of each mirror is assumed to be 99%. The overall re-
flectivity of all involved mirrors (
tel
) is estimated to
be approximately 90%, which accounts for 10 mirror
reflections. Diffraction losses are expected to be
minimized to a negligible level by a sensible tele-
scope design. Accordingly, the overall transmission
parameter could be expressed as T
*
= T
dp

tel
debris
.
Using the above estimated values, the reflectivity of
the debris object
debris
is supposed to be larger than
40% in order to yield T
*
0.3, as assumed for the
photon budget calculation. For metals, glasses and
other debris materials, this reflectivity appears easily
achievable, but is of course depending on the particu-
lar state of the material surface after exposition to
high energy radiation and molecular oxygen in space.
In literature, the albedo of space debris for the solar
spectrum ranges from 2% to 50%; 20% is considered
as a typical value [13]. However, it has to be noted
that spectral analysis revealed that by doubling the
wavelength the reflectivity might easily be tripled.
Hence, the estimated debris reflectivity of 40% ap-
pears reasonable, especially for infrared lasers.
Operating a laser-based monitoring system at heights
like the OGS at Teide allows for achieving reasonable
cone diameters at R = 1000 km (c.f. above section)
combined with far less transmittance losses than ap-
parent when working at sea level (i.e. h = 0), which is
necessary to monitor debris objects with reduced re-
flectivity.

We want to point out that the consideration shown
here does exclusively regard spectral properties of the
atmosphere and the reflectivity of the debris object.
The overall system layout, though, has to take into
account the wavelength-dependant detector sensitivity
as well to be able to maximize the performance. How-
ever, the identification of benefits arising by choosing
a suitable site for debris monitoring can be transferred
from to
SH
as well, if required by the chosen sen-
sor. Additionally, the general ability to quantify the
expected effect of non-ideal sites on laser-based de-
bris monitoring, e.g. h 0 in Germany, is maintained
and will be facilitated for the scaling of on-ground
experiments necessary for proof of principle. For the
design of a future monitoring network, the presented
transmittance analysis could be extended by examin-
ing not only different altitudes, but different climates,
too. First investigations show that mid latitudes, i.e.
30 60, yield best transmittance properties (ex-
cluding polar regions). For a holistic view, it has to be
of course reviewed whether such latitudes prevent the
observability of too many debris objects due to their
inclination.

3 Summary
We presented our approach of laser-based space de-
bris monitoring in this paper. Our concept is mainly
based on laser ranging of optically non-cooperative
targets. Hence, an operational system has to include a
laser source with high energy pulses in order to re-
ceive signals of sufficient strength. As a first step of
system design, we estimated the photon budget.
Within certain assumptions regarding the scattering
characteristics of the debris object, beam diameter,
and atmospheric transmittance, we found that the
pulse energy is supposed to be on the order of 1 J. A
laser system offering such pulse energy at a repetition
rate of 1 kHz is currently commercially not available
and will be developed based on the thin-disk laser
concept [14] by the DLR Institute of Technical Phys-
ics simultaneously. Subsequently, we verified that the
assumed constraints beam diameter and transmit-
tance could be met depending on turbulence
strengths and atmospheric model by making use of
propagation simulations. Accordingly, for a future op-
erational system, the installation location is crucial to
keep these constraints within reasonable ranges. The
necessary debris reflectivity
debris
to meet the photon
budget calculation appear to be realistic for typical
debris materials.
During the development phase of the laser-based
space debris monitoring system, it is intended to per-
formed on-ground experiments. These experiments
are expected to serve both, qualification of key-
components and proof of principle of a working sys-
tem. For these purposes, it is planned in the subse-
quent project phase to scale both the geometric con-
stellation as well the photon densities for LEO objects
down to a distance of approximately 130 m in order
to perform on-ground experiments at the free space
propagation test range of DLR-TP. Hence, we estab-
lish a test bed were it is possible to simulate the track-
ing as well as the laser ranging of space debris repre-
sentatives by making use of the above quantified ef-
fects of atmospheric turbulence and atmospheric
extinction.
References
[1] H. Klinkrad, J. Bendisch, H. Sdunnus, P.
Wegener, and R. Westerkamp, An Introduction
213
to the 1997 ESA Master Model in Proceedings
of the Second European Conference on Space
Debris, 217-224 (1997)
[2] B. Greene, Laser Tracking of Space Debris in
Proceedings of the 13th International Workshop
on Laser Ranging (2002)
[3] G. Kirchner, D. Kucharski, and F. Koidl, Milli-
meter Ranging to Centimeter Targets in Pro-
ceedings of the 16th International Workshop on
Laser Ranging, 370-372, (2008)
[4] G. Kirchner, F. Koidl, and D. Kucharski, Graz
kHz SLR LIDAR: First Results in Proceedings
of the 16th International Workshop on Laser
Ranging, 373-375 (2008)
[5] M. G. Miller and P.L. Zieske, Turbulence Envi-
ronmental Characterization, RADC-TR-79-
131, ADA072379, Rome Air Development Cen-
ter (1979).
[6] J. W. Goodman, Introduction to Fourier Op-
tics, McCraw-Hill, New York,1968.
[7] E. A. Sziklas , A. E. Siegman, Mode calculation
in unstable resonators with flowing saturable
gain. 2: Fast Fourier transform method, Appl.
Optics, Vol. 14 (8), 1874-1889, (1975)
[8] A. G. Fox, T. Li, Resonant Modes in a Maser
Interferometer Bell Syst. Tech. J.., Vol. 40, 453-
488 (1961)
[9] K. Grnewald, Seasonal cycle of the optical
turbulence at the DLR free space propagation
test range in Lampoldshausen, DLR internal
report, IB-641-2010/01 (in German)
[10] M. Toyoshima, S. Yamakawa, T. Yamawaki, K.
Arai, M.R. Garcia-Talavera, A. Alonso, Z. Sod-
nik, and B. Demelenne, Long-term statistics of
laser beam propagation in an optical ground-to-
geostationary satellite communications link,
IEEE Transactions on Antennas and Propaga-
tion, Vol. 53 (2), 842-850 (2005)
[11] S.A. Clough, F.X. Kneizys, L.S. Rotman, H.J.P.
Smith, D.J. Dube, and M.E. Gardner, Fast At-
mospheric Transmittance And Radiance Algo-
rithm FASCODE, J. Opt. Soc. Am., Vol. 68
(10), 1424-1425 (1978)
[12] Ontar Corporation, http://www.ontar.com/
Software/ProductDetails.aspx?item=PcLnWin,
visited on June 16
th
, 2011
[13] J. L. Africano, E. G. Stansbery, and P. W. Kervin,
The optical orbital debris measurement pro-
gram at NASA and AMOS, Advances in Space
Research, 34, 892900 (2004)
[14] A. Giesen, J. Speiser, Fifteen Years of Work on
Thin-Disk Lasers: Results and Scaling Laws,
IEEE Journal of Selected Topics in Quantum
Electronics, 13 (3), 598-609 (2007)
214
Concept for the integration of predictive microbiology tools and
models in the efforts to secure the food supply chain in case of
bioterroristic attacks
Matthias Filter, Federal Institute for Risk Assessment, Unit Epidemiology and Zoonoses, Germany
Dr. Armin Weiser, Federal Institute for Risk Assessment, Unit Epidemiology and Zoonoses, Germany
Dr. Annemarie Ksbohrer, Federal Institute for Risk Assessment, Unit Epidemiology and Zoonoses, Germany
Prof. Dr. Bernd Appel, Federal Institute for Risk Assessment, Dep. Biological Safety, Germany
Abstract
Quantitative microbiological risk assessments in the farm-to-fork continuum require mathematical models for
growth, survival and inactivation of microorganisms in different matrices and under various physical conditions.
The internationally published quantitative microbial risk assessments (QMRA) are characterized by a great
heterogeneity in all aspects related to the analysiss (aims, data, process descriptions, modeling techniques and
software). Experimental data for such models are currently collected internationally (e.g. Combase project). The
goal of the concept presented here is to develop a community resource for the calculation of predictive
microbiological models and their model parameters (e.g. D-, Z- values, lag-times, maximum growth rates etc.).
Integral part of the concept is the development of a knowledge base on food matrices, food production
processes, process parameters, microbial agents and predictive models. The database structure integrates a
citation management resource (e.g. for scientific literature) and an information quality scoring feature. This lays
the foundation to a comprehensive documentation on model quality considering the data used for model
generation and the results from sensitivity analyses of the models.
Depending on the available and integrated (experimental) data the developed software and data infrastructure
can become an integral part of a strategy to safeguard the food supply chain in case of bioterroristic attacks.
Acknowledgement
This project has been funded by BMBF research
grant: 13N11202

215
Scenario-Oriented Assessment of Hazardous Biological Agents
Silke Rmer, Merle Missoweit, Britta Pinzger, Ruth Schietke; Fraunhofer Institute for Technological Trend
Analysis INT, Euskirchen, Germany
Abstract
The aim of this study is to elaborate a system that will enable easy, yet sound, communication between persons
of different background on the topic of dangers and risks associated with the liberation of potentially hazardous
biological agents. This system could then be used to assist planning procedures involving people with different
professional backgrounds, e.g. for identifying, discussing and assessing possible gaps in security concepts and
associated research needs. As a first step the feasibility of such a system assisting biological hazard assessment
is tested, including the analysis of possible limitations.

1 Introduction
The risk posed by potentially hazardous biological
agents has been assessed in a number of different con-
texts, ranging from biological agents as possible
weapons, as part of CBRNE related risks [1-5], to
food chain security and/or food hygiene [6-8] and epi-
demic models (e.g. influenza), often in the context of
standard, guidelines and legal issues [9-13].
Especially the nature of exposure (accidental or inten-
tional liberation) influences the resulting pool of
agents found to be most relevant. When regarding e.g.
food, including the threat of deliberate release poten-
tially changes the assumed amounts of the respective
agent and widens and/or shifts the spectrum (that is
otherwise mainly restricted to typical natural food-
born biological agents).
Based on the experience of developing a concept of a
Weighted-Bit Assessment Table of Hazardous
Chemicals [14] - developed by Fraunhofer INT as
part of a governmental expert group of the German
Commission for Civil Protection (Ministry of Interior)
and also aimed at enabling communication between
people of different professional backgrounds - we ex-
plore the possibility to develop an adequate tool for
biological hazard assessment.
2 Aim
The starting point of the research conducted in this
project was to find out if and to what extent new in-
sight on biological hazardous agents could be gained
through a scenario-oriented assessment tool, support-
ing the improvement of civil protection and disaster
management. The feasibility of the following meth-
odological tools was to be assessed:
A qualitative risk estimation approach to be used
to facilitate communication between persons of
different background (scientists, first responders,
decision makers etc.) on the topic of dangers and
risks associated with the liberation of potentially
hazardous biological agents,
A consistent description of influencing factors (a)
allowing pattern recognition for biological agent
attributes, parameters characterising the circum-
stances of its liberation, and combinations that are
crucial for risk assessment, and (b) enabling a
transparent comparison between results stemming
from this model and other studies,
A quantitative or semi-quantitative model for risk
assessment/estimation, enabling both (a) a com-
parison of risks represented by different biologi-
cal agents in different scenarios and (b) a com-
parison of these risks and other risks relevant for
civil protection.
3 Methodology
3.1 Overall framework
The hazardous potential of a biological agent depends
both on its agent-specific attributes and on parameters
characterising the circumstances of its liberation.
Therefore, we combine these two aspects and analyse
them in the context of generic scenarios. This com-
bined assessment is expected to have several advan-
tages compared to conventional risk describing lists,
as described in the previous section.
The level of detail of scenarios, however, has to be
chosen and carefully adjusted: For practical reasons,
complexity has to be limited; but care has to be taken
that reducing the complexity does not lead to loss of
crucial information: Agent characteristics are to be
216
categorised; other scenario determining factors are to
be limited to the most crucial aspects. Based on this,
sample agents and sample scenarios have to be chosen
for analysing the feasibility of the envisaged method.
3.1.1 Choice of sample agents
Sample agents have been chosen to fulfil the follow-
ing criteria:
One toxin, one bacterium, one virus should be in-
cluded,
At least on agent should include human to human
spreading,
Data for the sample agents should be available,
The agents should generally be considered to rep-
resent a hazard.
This led to the choice of three sample agents.
3.1.2 Choice of sample scenarios
Scenarios have been chosen to cover as many differ-
ent extremes of the following aspects:
Closed/open space
Overall number of persons present
Fluctuation of persons during short time periods
Point in time
Circumstances (private/business, every-
day/special event; possible symbolic value, po-
litical denotation)
Propagation pathway for the liberation of the bio-
logical agent
Based on these deliberations, three initial scenarios
were chosen and refined into generic descriptions of
three scenarios (large-scale catering establish-
ment/canteen kitchen & propagation via food; metro
station & airborne propagation, street festival &
propagation via air and/or food). A scenario workshop
focussed on the first two scenarios and expected dif-
ferences of the third one was conducted.
Figure 2: Project work packages
3.2 Influence factors
The scenarios of this feasibility study are focussed on
the intentional und unintentional liberation of the
agent and its primary effect. For practical reasons, this
deliberately excluded aspects of agent acquisition (in
case of an intentional release) taking place prior to the
release of an agent and also secondary effects includ-
ing epidemiological and socio-economic aspects. Ne-
vertheless, the tool developed allows the later in-
clusion of such factors.
3.2.1 Description of agent properties
Parallel to and accompanying this scenario-oriented
approach, a detailed list of agent properties was de-
rived and harmonised with RKI/IBBS (Robert Koch
Institut/Informationsstelle des Bundes fr Biologische
Sicherheit).. Data for the sample agents chosen was
provided by RKI. The complete list com-prises more
than hundred aspects describing agent properties.
3.2.2 Description of scenario framework
The results of the scenario-generation process are
three scenarios with different, but overlapping influ-
ence factors. The factors have been clustered:
Overall framework parameters
o Point in time (time of day, day of the week,
season, )
o Climatic conditions (air temperature, humidity,
rain, pressure (gradients), UV light, dust)
o Volume/Dimension of the involved loca-
tion/adjacent location
Present and involved humans and animals (num-
ber, density, special aspects)
Inventory
o Mobile
o Immobile

Choice of
relevant
scenario factor
abstraction to
generic scenario
factors
Description of
sample
scenarios Choice of propa-
gation pathway
Choice of sample
scenarios
Choice of
sample agents
Definition of
catagories (agent
properties)
& &
Concept for
application of
(generic) scenarios for
expert workshops
Scenario
data
Data on
relevant agent
properties
(RKI)
Choice of relevant
agent properties
Workshop:
Feedback on
scenarios and
concept
Choice of
relevant
scenario factor
abstraction to
generic scenario
factors
Description of
sample
scenarios Choice of propa-
gation pathway
Choice of sample
scenarios
Choice of
sample agents
Definition of
catagories (agent
properties)
& &
Concept for
application of
(generic) scenarios for
expert workshops
Scenario
data
Data on
relevant agent
properties
(RKI)
Choice of relevant
agent properties
Workshop:
Feedback on
scenarios and
concept
217
Any process or step in the scenario can be described
by a combination of the above factors plus informa-
tion of changes and their chronological sequence.
3.3 Scenario workshop
During the above mentioned scenario workshop, the
scenario-relevant agent-specific attributes of sample
agents were presented and scenarios were played
through. The following questions were asked while
going through the scenarios:
Will the liberation of the biological agent under
the prevailing circumstances result in at least one
infected or intoxicated person?
How can the liberation of the biological agent af-
fect a major group of persons (50-200) within the
scenarios?
What are the vulnerabilities within the scenarios?
Which random or intentional deviations affect the
vulnerability?
Which agent-specific attributes are the most im-
portant?
Are there preventive measures/counteractive
measures?
How many infected or intoxicated persons are
conceivable or what is the potential scale of the
damage?
4 Results
We are currently evaluating the results obtained in
respect to the following aspects:
Data availability
Range of scenarios (choice and detail level)
Complementing factors
Complementing methods
Next steps will include first conclusions on the feasi-
bility of a quantitative or qualitative risk assessment:
The description of necessary steps to incorporate the
complementing factors (both on agent acquisition and
on epidemiology/socio-economics) to assess the prob-
ability and impact, respectively. In addition, possible
means for validation of the results shall be consid-
ered.
5 Conclusions
The feasibility of this method to provide an added
value compared to other methodologies of assessing
the risk of different biological agents and to incorpo-
rate it into planning processes involving people of dif-
ferent professional backgrounds still needs to be as-
sessed.
The following applications are under examination:
Risk identification: If a pattern can be concluded
for relevant (i) agent-specific properties, (ii) sce-
nario-specific factor, (iii) combinations of both,
these insights can be used for re-assessing haz-
ardous agents and vulnerabilities.
Risk characterisation: If a scenario-specific pat-
tern for agent properties can be derived, this will
add to risk characterisation.
Risk communication: The identified clusters of
scenarios can be used as a communication base for
different stakeholders dealing with biological
risks.
6 Acknowledgements
This study is funded by the Federal Office of Civil
Protection and Disaster Assistance (BBK).
We like to thank the members of the current working
group [Entwicklung eines Systems zur Einschtzung
potentieller biologischer Gefahrenlagen] of the
Commission on Civil Protection of the Federal Minis-
try of the Interior, Germany, for their expertise and
advice.
References
[1] Biological Threats, Journal of the Royal Army
Medical Corps, 149(3) (2003)
[2] Medical aspects of Biological Warfare, Bor-
den Institute (2008)
[3] M. Hilleman, Overview: cause and prevention
in biowarfare and bioterrorism, Vaccine 20,
30553067 (2002)
[4] A. Tegnell, L. F. Van, A. Baka, et al.: Develop-
ment of a matrix to evaluate the threat of bio-
logical agents used for bioterrorism, Cell Mol
Life Sci, 63 (1920): 22232228 (2006)
[5] J. Suk1, A. Zmorzynska, I. Hunger, W. Bieder-
bick, J. Sasse, H. Maidhof, J. Semenza, Dual-
Use Research and Technological Diffusion: Re-
considering the Bioterrorism Threat Spectrum,
PLoS Pathogens, 7(1), (2011)
[6] Microbiological Risk Assessment Series of the
WHO/FAO
[7] E. Evers, J. Chardon., A swift Quantitative
Microbiological Risk Assessment (sQMRA)
tool, Food Control, 21 (3), 319330 (2010)
[8] T. Ross, J. Sumner, A simple, spreadsheet-
based, food safety risk assessment tool, Interna-
tional Journal of Food Microbiology, 77, 3953,
(2002)
[9] WHO global influenza preparedness plan
[10] I. Friesecke W. Biederbick. G. Boecken, R. Gott-
schalk, H.-U. Koch, G. Peters, S. Peters, J. Sas-
se, A. Stich, Biologische Gefahren II - Ent-
scheidungshilfe zu medizinisch angemessenen
Vorgehensweisen in einer B-Gefahrenlage,
Bundesamt fr Bevlkerungsschutz und Katast-
rophenhilfe / Robert Koch-Institut (2007)
218
[11] Codex alimentarius (collection of international
food standards that have been adopted by the
Codex Alimentarius Commission)
[12] Principles and guidelines for incorporating
microbiological risk assessment in the develop-
ment, Report of a Joint FAO/WHO Consulta-
tion (Kiel, Germany, 18 - 22 February 2002)
[13] The Use of Microbiological Risk Assessment
Outputs to Develop Practical Risk Management
Strategies: Metrics to improve food safety, Re-
port of a Joint FAO/WHO Consultation (Kiel,
Germany 3 7 April 2006)
[14] J. Burbiel, N. Engelhard, S. Grigoleit, H. John, J.
Schulze, Gefahrenpotentiale von chemischen
Kampfstoffen und toxischen Industriechemika-
lien - das Punktesystem, Bundesamt fr Bevl-
kerungsschutz und Katastrophenhilfe -BBK-,
Bonn: Gefahren und Warnung - Drei Beitrge.
Rheinbreitbach: MedienHaus Plump, 27-58
(2009)

219
Positioning and Tracking of Deployment Forces Combining an
Autonomous Multi-Sensor System with Video Content Analysis
Bernoulli, Thomas, Graz University of Technology (TU Graz), Austria
Dersch, Ulrich, Lucerne University of Applied Sciences and Arts (HSLU), Switzerland
Krammer Martin, Graz University of Technology, Austria
Walder, Ulrich, Graz University of Technology, Austria
Zahn, Klaus, Lucerne University of Applied Sciences and Arts, Switzerland
Abstract
Foot-mounted inertial systems for indoor positioning and pedestrian guidance are an elegant and cheap solution
to track first responders within buildings and underground structures. They can run completely autonomous, i.e.
they do not require preinstalled infrastructure installations. But there are some difficult problems to solve: Start-
ing from a known position the positioning error increases with the travelled distance, if only a double integration
of the accelerations is performed. Therefore it is necessary to cut down the integration intervals and to reposition
the system from time to time vis--vis a known landmark. Several algorithms have been developed at TU Graz to
reduce these errors. The precise recognition of the motion patterns allows for performing zero velocity updates
(ZUPT) to achieve a high accuracy in distance. Further improvements are gained by the fusion of additional sen-
sors like barometer or GPS. Different map matching algorithms are used to perform periodic repositioning. Since
ground floors often are not available, HSLU has developed a video content analysis based repositioning method
that increases the accuracy of the heading of the IMU system considerably.

1 Introduction
Foot-mounted sensors are getting more and more
popular in indoor positioning. The reasons are the in-
creased comfort and precision due to better, small and
wireless hardware, the fusion with additional sensors,
as well as new algorithms to recognize zero velocity
updates [1]. Different map matching solutions allow
for a further improvement of the positioning accuracy
[2]. The falling costs, resulting from the fact that the
basic hardware components are also part of modern
smartphones and the high autonomy of inertial based
systems, are other major advantages of this technol-
ogy.
Though the precision in distance is meanwhile in the
range of centimeters even for longer distances
(>100m), the stabilization of the heading causes major
problems in environments where the earths magnetic
field is heavily disturbed. Automatic gyro-stabilization
as used in high-end sensors reduces this problem sig-
nificantly, but is not stable enough to hold an initial
heading for a long time, especially in the case where
ground floors are not available for a periodic adjust-
ment of the heading by map matching techniques (Fig.
1). Normally GPS data fusion is used to enhance the
inertial data outdoors. But in urban areas with high
buildings the resulting precision is often too poor to
guide pedestrians precisely through streets and public
areas.
Figure 1 Map matching within an environment with
disturbed earths magnetic field caused by electrical
installations

In case that a facility can be documented in advance
by digital images, the technology of video content
analysis is a promising solution to adjust the heading
in real-time. From only a few image contents staying
constant, the algorithms developed at HSLU can cal-
culate the position of the camera with high accuracy
(<1m). The fusion of camera and inertial data allows
for stabilizing the heading and to hold it for the time
of a typical deployment e.g. of fire fighters in mixed
indoor-outdoor environments.

220
In the following the used technologies implemented in
the research and application framework AIONAV
(Autonomous Indoor and Outdoor NAVigation) and
achieved results of sensor fusion and video content
analysis are described and discussed in more detail.
2 The AIONAV System
The AIONAV (Autonomous Indoor and Outdoor
NAVigation) system developed at TU Graz mainly for
research purposes, but also for practical applications
like first responders support, consists of four main
parts: The sensor based positioning system, a building
information model (BIM) based position verification
and improvement system, a user interface, and a sub-
system to keep multiple AIONAV system instances
synchronized over networks.
The system is designed to provide position informa-
tion not only to the first responder wearing the
AIONAV device but to synchronize the available in-
formation between multiple system instances. This al-
lows first responders to coordinate more efficiently.
The user interface is twofold: One for the person on
the field having only a small touchscreen and not
needing a lot of options and one for the command cen-
ter where a common computer is used. The touch-
screen based interface allows quick access to impor-
tant information as well as setting the current position
if the position determined by the system does not ful-
fill the precision requirements.
The AIONAV sensor sub-system is a set of algorithms
and I/O operations processing data from sensors. Iner-
tial measurement units (IMUs) providing linear and
rotational accelerations, the magnetic field, as well as
temperature and pressure data, are the basis of the po-
sitioning system. To handle the described long term
accuracy problem additional sensors can be used.
Some of those, e.g. GPS receivers, already provide
positions in the global coordinate system.
Figure 2 Different sensor-fusion methods with best
results for track matching algorithm (<2m indoor and
outdoor for 900m)
As soon as different sensors act simultaneously and
provide complementary data, sensor fusion becomes
important. If each sensor is handled individually the
algorithms can be tailored to reflect the characteristics
of a sensor. For example different IMU based algo-
rithms such as a motion pattern dependent zero veloc-
ity updates (ZUPT) have been developed [1] to com-
pute positions from the sensor data. The data of sen-
sors already providing position information (e.g. GPS)
may be used unprocessed or processed dependent on
their accuracy and reliability. Every sensor type has its
advantages and disadvantages regarding error-
stability, reliability in specific situations etc. The aim
of sensor fusion is to use characteristics of one sensor
to counteract problems of another one.
There exist multiple approaches to fuse sensor data.
Raw data of different sensors can be combined using
specialized algorithms to get positions. AIONAV has
the requirement to be completely flexible. A user
should be able to connect sensors supported by the
system and AIONAV computes one ideal fused posi-
tion out of these multiple, inhomogeneous data-
sources. To provide this flexibility the position data is
used to perform position sensor fusion. The approach
provides high flexibility of combining fusion algo-
rithms. AIONAV supports all kinds of fusion tech-
niques - from general Kalman filtering to specialized
hand tailored fusion algorithms in case tweaking is
necessary (Fig 2).
Besides sensor fusion the system implements BIM
based position verification and improvement algo-
rithms. If floor plans of a building are available they
can be easily enhanced to a simple BIM. For indoor
navigation this provides a big improvement as long
term heading problems can be corrected using map
matching.
This paper focuses on a third way of improving indoor
navigation: The use of video content analysis which
has the advantage not needing even a simple BIM.
The AIONAV system has a great potential to make the
deployment of first responders more efficient. But this
is not the only group of people to profit from this sys-
tem. With the video content analysis it has the poten-
tial to improve e.g. the way how blind persons move
in public spaces helping them to find the tactile guid-
ing systems or build a bridge if these are not laid eve-
rywhere. Another field of application is for military
positioning and navigation systems used in urban war-
fare training and deployment. Tests with the Swiss
Army in this field showed very promising results.
3 Video Content Analysis
3.1 Basic Principle
The idea of fusing video and inertial data is motivated
by the human perception: a human can navigate
with closed eyes rather precisely over some ten meters

221

Figure 3 Common features in the live image (top left) and the database image (top center) are used to warp the
database image on the live image frame (top right). Then the respective edge orientations (represented by the
pseudo colors) are extracted (bottom left and right) and their correlation is determined (bottom centre)
using the vestibular system, the human inertial sensor,
situated in the middle ear. However, at longer dis-
tances the heading will diverge and has to be recali-
brated using the human vision sensor. Here a similar
approach is used: MEMS based inertial sensors of the
AIONAV system will provide information sufficiently
precise to allow for dead reckoning at shorter times
scales up to minutes. At longer times, when inertial
based navigation tends to accumulate integration er-
rors video image correlation techniques are used to
recalibrate the system. Therefore the AIONAV system
is extended by a small portable camera taking live pic-
tures, which are processed in real time.
As a first step images of the facility are taken in ad-
vance either along certain paths or at strategic
points and are stored, together with the positions
where these images were taken, in a database on the
AIONAV system. During the navigation the live im-
ages taken with the video camera are correlated in real
time to the images in the database. In case a match be-
tween the live and a preregistered image is found the
current position estimation from the inertial navigation
is checked for consistency with the position of the im-
age in the database and the former is corrected based
on the visual information if necessary.
3.2 Image Correlation Procedure
Obviously the goal should be to store as few images as
possible in the database. Therefore the image correla-
tion algorithm has to be flexible enough to allow for
the recognition of images not only close to but also in
a certain vicinity of those positions, where preregis-
tered images were taken. On the other hand the corre-
lation must be reliable enough such that false posi-
tives i.e. false correlations are highly unlikely.
Therefore a two-step correlation algorithm has been
developed. In a first step so called feature points are
determined in both images, which are known to be
insensitive to lighting and contrast variation and
invariant under scaling, rotations and translations [3].
The identification of corresponding feature points
between the live and a database image provides a first
estimate of a correlation coefficient. In Fig. 3 one
example is shown, where a live image (top left) could
be matched to a database image (top centre). Both
images show the same corridor, with a camera
displacement of approximately 2.5 m mainly along the
optical axis. Despite this displacement corresponding
features in both images could be identified and are
shown on the live image (red rectangles) together with
the difference vector (blue lines) indicating the
features shift onto the corresponding position on the
database image.
The feature matching is based on heuristic limits for
the maximum differences between feature descriptors
(in order to be considered as equal) as well as a
minimum required number of feature matches between
the live image and the database image. The feature
point correspondence gives a first hint on a possible
match of the live image with a preregistered database
image. However this criterion is not reliable enough
especially in larger facilities where structures tend to
be similar and feature matches even between non-
corresponding images are likely. This problem is
222

Figure 4 (top) IMU based navigation with heading
deviation induced by a parasitic magnetic field
(top). The same data corrected with the heading in-
formation obtained from the image correlation tech-
nique (bottom). The real path (for both cases) is
shown as blue arrows (top).
enhanced by the fact that the feature matching is tuned
to be fairly tolerant in order to cope with varying
illumination conditions.
Therefore, in a second step, a matching algorithm
based on global geometric image properties was
implemented. Therefore we apply the so called weak
perspective conditions, i.e. we assume that all feature
points lie on a single plane. Then by standard
techniques [4] the homography matrix, which relates
the coordinate system between the two planes
(respective images) can be extracted. In fact, as the
extraction of the homography matrix is based on a
random sampling (RANSAC) approach for the feature
points, only the subset of points fulfilling the
condition to be in (or close) to a single plane will be
selected. Using the homography matrix the database
image is transformed (warped) onto the coordinate
system of the live image (Fig. 3, top right). Now both
for the warped database image as well as for the live
image the edges are extracted through a Hough like
transform and classified according to their directions
(Fig. 3, bottom). For the edge direction binning
methods similar to the HOG classification scheme [5]
are used, represented by the different pseudo colors
for the different edge orientations. Then edges of the
same directions are correlated according to their
spatial proximity and their orientation, and the
matching edge segments between the two images are
determined. Fig. 3, bottom center, represents those
edges from the live image, which could also be
identified in the warped preregistered image. This
gives a heuristic overall correlation coefficient and
allows for a robust discrimination of possible matches
between the current image and images in the database.
3.3 Position Correction
Once a live image is identified to correspond to the
same scene as a picture in the database, the position of
the preregistered image is compared to the current
position determined from the inertial sensors of the
AIONAV system. If both values are not consistent the
current position will be corrected accordingly. Here
the complementarity of the combined system becomes
obvious. As we do not have precise scale information
from the cameras perspective transform, we cannot
estimate the position along the optical axis from the
video image with high precision. However, as the
motion is always in direction of the optical axis of the
camera (the camera is fixed to the navigators body)
and the error in the IMU data is mainly governed by
the heading drift, i.e. the error perpendicular to the
optical axis, we can rely on the distance information
from the IMU data and only correct the heading drift
using the position obtained from the database image.
This is illustrated in Fig. 4. There a person wearing
the sensor fusion system (AIONAV plus camera) was
moving several times back and forth the aisle of a
larger office building (the blue arrows (top)
correspond to the actual path). The system was
initialized with preregistered images of distance
granularity of about 2 m. Therefore the same sensor
fusion system could be used where the images,
together with the manually corrected IMU positions
are stored in real time. For the navigation test a large
heading drift of the IMU was caused intentionally by
decalibrating the magnetic field sensors with a
parasitic field created by a small permanent magnet.
In real applications this kind of error is frequently
caused by the magnetic fields lines of electrical
installations inside the buildings. The induced heading
drift leads to strongly corrupted position estimations
(red dots, top). At the bottom the same dataset was
evaluated using the image correlation technique in
conjunction with the discussed heading correction.
There the position estimation is always close to the
real path with a maximum error of the order of 1 m.
The important point to notice is that the position
correction based on the image correlation techniques
is not deteriorated at long time scales and would work
equally well forever.
4 Conclusions
A sensor fusion system was presented combining iner-
tial and video sensors for a semi-autonomous naviga-
tion system. It relies at short time on the position data
obtained from the AIONAV while at longer times im-
age correlation techniques are used to compensate the
223
heading drift of the inertial sensors. Therefore live
video images are identified with preregistered scenes
from a database. A two-step correlation and identifica-
tion process is performed based on feature correspon-
dence identification and subsequent geometric match-
ing using HOG-like edge direction classification. The
fusion system was shown to resolve the inherent long
time instability problem of inertial sensors and the po-
sition estimates remain correct at basically any time
scale. In addition the fusion system is auto configur-
able because the first recognition step of the live cam-
era image with a preregistered database image can be
used as position setup value. Potential applications are
for navigation or guidance situations where the path or
facility can be documented by preregistered images.
Acknowledgment
Indoor positioning research at TU Graz is kindly sup-
ported by a group of industry partners (RUAG Elec-
tronics AG, Securitron AG, MIGROS, Speedikon Fa-
cility Management AG and Building Insurance of
Berne), the Swiss Army (armasuisse), the Austrian
Army and the Ministry for Traffic, Innovation and
Technology, Austria.
References
[1] Walder U.; Bernoulli, T.: Context-Adaptive Al-
gorithms to Improve Indoor Positioning with In-
ertial Sensors, Proceedings of the 2010 Interna-
tional Conference on Indoor Positioning and In-
door Navigation (IPIN), Mautz, R., Kunz, M.
and Ingensand, H. (eds.), IEEE Xplore, page
968-973
[2] Glanzer, G.; Bernoulli, T.; Wieflecker, T.; Wal-
der, U.: Semi-autonomous indoor positioning
using MEMS-based inertial measurement units
and building information, 6th Workshop on Po-
sitioning, Navigation and Communication
(WPNC'09), Hannover, 2009.
[3] Bay H.; Tuytelaars, T.; Gool, L.V.: "SURF:
Speeded Up Robust Features", Proceedings of
the ninth European Conference on Computer Vi-
sion, May 2006.
[4] Zhang, Z.: A flexible new technique for camera
calibration, IEEE Transactions on Pattern
Analysis and Machine Intelligence 22 (2000):
13301334.
[5] Dalal, N.; Triggs, B.: Histograms of oriented
gradients for human detection, in: Computer Vi-
sion and Pattern Recognition, San Diego, CA,
June 2025, 2005.

224
Sensors data fusion and management in a new security system on
airports
Enrico, Anniballi, SESM, Italy 1
st
author's surname, company, country
Roberta, Cardinali, SESM, Italy first name, 2
nd
author's surname, company, country
Abstract
In this paper, a new concept for increasing the airport security is proposed. The strong point of this innovative
system, studied and developed in a project funded by the European commission named ATOM (Airport detection
and Tracking Of dangerous Materials by active and passive sensors arrays), is definition of a new architecture for
the airport security system that cover not only the access to the sterile area but also the public area, actually moni-
tored mainly using CCTV and increase the security capability thanks to the use of innovative sensors able to de-
tect metallic and non-metallic objects without the passengers collaboration. The need to fuse the data coming
from different sources can be an advantage to extract more useful information than a single type of sensor. In fact
Multi-sensor data fusion combines information from multiple sensors and sources to achieve inferences that are
not feasible from a single sensor or source. The fusion of information from sensors with different physical cha-
racteristics enhances the understanding of our surroundings and provides the basis for planning, decision-making.
The core of the new system is therefore the part dealing with data management and data fusion. A possible data
fusion strategy will be proposed and the performances obtained will be analyzed.
1 Introduction
In the last period the problem of protecting people
in the public and crowded places has been dramatical-
ly increased due to the current international situation.
In particular the air transport security entered in the
attention of public opinion, as well as to experts and
governments. This attention, already critical before,
has been further increased by the last terroristic at-
tempts, such as the failed attempt in December 2009
on the flight Amsterdam-Detroit and attack at Moscow
airport (January 2011). The airport can be considered
a sensible target for any crimes for the following rea-
sons:
(i) The large amount of people simultaneously
located in the airport areas with limited escape exits;
(ii) The potentially high level of damage for a
high number of people with a limited effort;
(iii) The impact of the terroristic action on the
public opinion with repercussion on world economy,
as a side-effect of the personal fears from potential
passengers, can become extremely large
(iv) The use of hijacked A/C as lethal weapons
against civil targets increased in the last years (e.g.
events of 11 September 2001 or disruption by Scot-
land Yard of the terroristic plan to use liquid explo-
sives carried on board several aircrafts travelling from
UK to the United States and Canada August 2006)
The airport security problem is very complex. To
provide an effective and reliable security level, a large
number of issues have to be considered, including the
following ones:
The wide extent together with the highly non-
homogeneous characteristic of the areas to be
monitored ;
The wide range of possible and potential wea-
pons to be considered: liquid or solid explo-
sives, metallic and non metallic objects, guns,
etc.;
The high concentration and the heterogeneous
typology of people with continuously changing
positions and densities;
The current methods to find hazardous materials
brought inside the terminal by suspicious person are
only by manual inspection, cameras, walk-through
metal detector and x-rays. The manual inspection is
very time consuming; the visual cameras depends by
the human factor to identify the suspicious person; the
walk-through metal detector can detect only metallic
objects and the x-rays are considered harmful to hu-
man health (they could be used only for bags and lug-
gage).
2 Security Concept
In the security context just described, a new air-
port security concept is emerging. The EU funded
project ATOM (Airport detection and Tracking Of
dangerous Materials by passive and active sensors ar-
rays), based on the fusion of different sensors, has as
main objective the improvement of the security level
inside all the airport area (both gates and terminals) by
the use of different sensors working in different ways
225
and different frequency. The basic idea is to identify
hazardous materials introduced in the area under ob-
servation and then to track the person carrying these
items until the intervention of security operators. The
primary goal is to detect different materials (not only
metallic items) without interfering the natural passen-
ger flow and the normal airport operations. The secu-
rity system foresees two imaging sensors, one in W
band and another one in the band from 15 GHz to 35
GHz. Furthermore, active and passive WiFi based
sensor nodes will be used in the airport area in order
to track suspicious people.
The core of the new system is the data fusion and
management block. In fact all data coming from dif-
ferent sensors have to be handle in a correct way to
extract all possible information . This block also deals
to initializing the tracking process when a suspicious
person is detected and when the threat ends the track-
ing is stopped. Moreover, the fused data have to be
presented to a security operator with a classification
level that identifies the type and the degree of the
threat. The development of advanced surveillance sys-
tems, as well as their integration with currently used
surveillance systems in order to obtain an integrated
security system having enhanced capabilities of detec-
tion and tracking of dangerous tools and materials is
the content of the research activities foreseen in the
ATOM project.
Figure 1 - Distribution of the detection and tracking
sensors of ATOM system in the airport area
The overall objective of the new concept is to contrib-
ute to improve the security in the airport area by [1]:
detecting and identifying, without interfering
neither with the normal passengers flows, nor
with the normal airport operations, the pres-
ence of hazardous materials or tools, concealed
(under clothes or inside bags) by ill-intentioned
people circulating inside airports and that
could be used for delivering attacks either
against the airports themselves.
tracking the movements of those threatening
people concealing those forbidden items, so
that they can easily be localized by security
operators.
Particularly, the ATOM system foresees two con-
trol levels, as illustrated in Figure 1:
A first control at the airport entrance, where an
automatic detection system controls all the
people (passengers and others) that coming in
the airport and alarms the security operators
when a suspicious person is detected. The
tracking system allows to the security operators
to track the suspicious people and analyze his
behaviors in order to maintain the security in
airport.
The second control is placed at the gate en-
trance, where the detection system controls all
the passengers. After this second control the
suspicious people are subjected at the regular
screening. After this second control the clean
and suspicious people can not get in contact in
order to not contaminate clean people.
Figure 3 shows the three main blocks of the new
system ATOM system will integrate innovative detec-
tion system and innovative tracking systems, as well
as an innovative data management and distribution
unit. If a person is classified as suspicious by the sen-
sor network, it will be tracked and picked up by secu-
rity personnel.
Figure 2 - Main blocks of the sensor network
In order to achieve this general objective, the
ATOM project intends to study, design and develop
the functional prototype of an innovative system based
on a multi-sensor approach that integrates active and
passive radar sensors, able to survey wide airport
areas without requiring the passengers cooperation as
well as to detect hazardous materials/tools and to track
threatening people; this way, the ATOM system will
improve the security level not only in the gate area,
but at a preliminary stage, also in the terminal area of
the airport.
226
3 Overall System data mana-
gement structure
The overall data management block is the core of
the whole system. Here arrive the data coming from
all the sensors utilized for monitoring the area under
test: both detection and tracking systems. A relevant
rule could be taken by the communication network
that will be responsible for transporting data to one
sub-system to another. The input for the management
block system are also all data coming from collabora-
tive people, e.g. operators, position of the security
man, etc., that can be useful for handling of possible
emergencies. The output of the data management
block are information for the security man. In case of
detection of suspicious people, the system provides
different alarm levels with a classification of the threat
and the track of the dangerous item introduced in the
area.
The overall data management block can be consi-
dered as composed from three sub-systems (Figure 3).
The detection management block: this block
receives inputs from detection sensors and pro-
vides, after data fusion, an alarm if a suspicious
object is detected. The alarm can be provided
automatically or by operator depending on the
input data.
The tracking filter block: it receives inputs
from tracking sensors and detection manage-
ment block and provides the current position of
the suspicious people. The system provides the
tracking data only for suspicious people.
The data management block: it provides both
to the central unit and to the security operators
the situation awareness and the target position
in order to provide them all the instruments for
the airport monitoring.
Figure 3- ATOM data management block
The ATOM data management structure foreseen
that the detection sensors are able to identify a threat
basing on three alarm level as follows:
Red Alarm: The sensor detects an anomalous
situation with an high probability (maximum
alarm level)
Yellow Alarm: The sensor detects an anomal-
ous situation with low probability
Green Alarm: The sensor doesnt detect any
anomalous situation
Basing on the previous considerations a possible
strategy of data fusion for the detection system is tak-
en into account as follow:
Assumed the presence of two different type of de-
tection sensors, the person under analysis is scanned
from both sensors independently and the output of the
sub-system is a combination of the sensors output.
Basing on the alarm level provided by each sensor,
different strategy of data fusion are provided, as
shown in the following figure
Errore. L'origine riferimento non stata trova-
ta. shows the overall data management algorithm for
ATOM system. As well as the alarm level, the detec-
tion sensors provide to the data management block the
following information:
The image of the threat;
A probability of classification of the detected
threat;
The position of the threat;
The detection time of the threat.
As showed in the previous figure the system fore-
seen three different behavior
An automatic alarm: if both the sensors detect
a threat;
A semi-automatic alarm, based on the decision
of an operator, aided by a decision support sys-
tem (DSS); This case occurs if only one sensor
detect a threat or both the sensors detect a
threat with alarm level 1
No alarm: if any sensors detect a threat
Figure 4- ATOM data management structure
The automatic alarm triggers if both the detection
sensors detect a threat in the observed scene. In this
case two possibility are foreseen: If both the sensors
provide a red alarm the classification function try to
identify the kind of materials, the tracking is initia-
lized, and the overall alarm is set to the maximum lev-
el (alarm 2). This information is sent to the data pres-
entation function that supports the security staff by
providing information on the detected target (overall
227
alarm level, kind of threat and track of the target) by a
graphical interface. If both the sensors detect a threat
but with a different alarm level(1 and 2 respectively)
the alarm triggers automatically once, with the same
steps described in the previous but with an overall
alarm level set to yellow (alarm 1).
The semi-automatic decision in taken by an opera-
tor if only one sensor detects a threat or both the sen-
sors detect a threat with alarm level 1. In this case a
graphical interface provide to the operator the infor-
mation about the detected target, that is: the available
images of the detection sensors; the alarm level pro-
vided by the detection sensors and the probability that
the threat corresponds to a kind of material (probabili-
ty of classification). Figure 5 shows the graphical in-
terface in case of both sensors detect a threat.
By the images provided by the sensors the opera-
tor can decided the overall alarm level and the kind of
material. Basing on this choose the security staff will
be eventually informed to stop the threat.
Figure 5- interface for supporting the operator deci-
sion
4 System Performances
In the following section an analysis of the system per-
formance will be presented. In particular as first
analysis the overall system probability to have a detec-
tion of a dangerous tools will be showed. The detec-
tion process is resumed in diagram on Figure 6.
Starting from the single sensors performances the dif-
ferent combination of the overall alarm probability
have been calculated. Basing on the probability
showed in Figure 6.the overall detection probability
have been calculated by considering also the decision
of the operator. The overall system detection probabil-
ity (probability to have a red or a yellow alarm) is
equal to 92.83%. The probability to have a missing
detection is equal to 7.17%.
In the following an analysis of the tracking block is
showed. The track of the detected threat has to be sent
to the security staff to a rapid intervene if necessary.
In this context the information about the validity of
the considered track assumes a key role
In our study we have considered the following
rule:
We consider a track as valid when a plot is
provided at least 3 times on 5 by at least a
tracking sensor (that is when the single plot
coming from the tracking filter is assumed as
estimated at least 3 times on 5).
We consider a track as lost when both tracking
sensors do not provide any plots 3 times on 5
Figure 6- detection probability study of ATOM sys-
tem
If we consider the presence of two different tracking
sensors with the same detection probability
P
d1
=P
d2
=0.3, The probability to have an estimated
track status is equal to 84%. On the other hand, the
probability to have a predicted track status is 16%.
According to this considerations we calculate the
probability to have a valid track as follows:
On the other hand the probability to lost the track
is:
On Figure 7 is resumed the tracking process based
on the above shown results.
228
Figure 7 - tracking process state diagram
5 Future Works
As shown in the previous paragraph we have
adopted a specific strategy for data fusion from detec-
tion and tracking sensors. New strategy can be studied
to increase the performance of the system.
In particular for the detection sensor we propose to
study:
The possibility that sensors could work in a
combined way (e.g. a sensor is used to steer the
other one) and provide a single output, that de-
pends on the strategies of work. In this case the
detection probability depends by the first sen-
sor and the classification probability depends
on the last sensor
The possibility that the sensors work in differ-
ent areas and the person under analysis is
scanned only by a sensor. In this case the per-
formance depends on the used sensor.
For the data management and tracking block we
propose to study different rules in the analysis of the
track validity. For example another possible strategy
is to consider the track as lost when both tracking sen-
sors do not provide any plots 3 times consecutively.
5 Conclusion
In this paper, a new concept for increasing the air-
port security was presented. It aims to overcome the
current systems in use at airports through the use of
different type of sensors (active and passive) to detect
and track suspicious people in the terminal area with-
out interfere with the normal airport operations and
with the passengers flow.
Particular attention was given to the data fusion
and management block, considered the core of the
whole system. For the detection system a possible
strategy of data fusion was studied and the perfor-
mances were analyzed by calculating the overall de-
tection and false alarm probability.
For the tracking system was done a similar thing.
In order to discriminate the false alarm, the number of
detections respect to the total plot were considered. In
our studies we assumed that the tracking sub-system
loses the track when both tracking sensors do not pro-
vide any plots 3 times on 5. Also in this case the ob-
tained performances were analyzed and the overall
system probability to lost a track of a suspicious per-
son was calculated.
References
[1] Description of work of EU-project ATOM, se-
venth framework programme, theme #7 transport
(including Aeronautics), Grant agreement no.:
234014
[2] ATOM system architectur3
[3] D. L. Hall and J. Llinas, An Introduction to
Multisensor Data Fusion
229
Data Protection and Security Awareness in Complex Information
Systems
Bier, Christoph, Fraunhofer IOSB, Germany
Abstract
Complex information systems increase the possibility of data misuse and uncontrolled flow of sensitive data. A
rational treatment of these risks requires a close linkage of Information Security, IT-Service and Data Protection
Management, as already proposed by the recent literature. This work presents a structured management approach
for data protection and identifies interfaces to the two other management processes. A major part of a successful
data protection management is the continuous examination of information systems with respect to incidents and
a continuous evaluation of management processes regarding the achievement of the given data protection objec-
tives. The application of usage control systems for this purpose is proposed.

1 Introduction
The widespread use of complex information systems
in companies and government agencies raises new
problems for data protection and data security. Sys-
tems with different types of connections to external
bodies increase the possibility of uncontrolled flow of
sensitive data. This constitutes serious issues for the
protection of personal data and for cyber defense.
Most of the recent data protection scandals have not
occurred due to missing privacy statements or lax data
security measures, but due to the absence of a data
protection quality lifecycle, missing enforcement of
privacy policies and the inability to understand the
flow of sensitive data. In most cases data leakage is
not done on purpose. Employees do not always exact-
ly know or think about what is allowed and propor-
tionate for which specific dataset. Thereby, cyber-
attacks can be supported by social engineering.

After a short overview of related work, an introduc-
tion to data protection quality management is given.
As data protection management has to be aligned to
given standards and good practices, the relationship
between them is topic of the next section. The neces-
sary organizational structure for an efficient data pro-
tection management is pointed out afterwards, fol-
lowed by a summary of data protection objectives.
Points of contact between data protection manage-
ment, standards and good practices are also part of the
subsequent discussion of the explicit data protection
processes, which are partitioned along the structure of
the Deming-cycle. Hence, after planning, the actual
operational processes of data protection management
(Do) are presented. The measurement of the cur-
rent data protection quality (Check) and the evalua-
tion of possible improvements (Act) are the final
steps exposed afterwards. Thereafter, it is argued, how
a usage control system can support this processes, es-
pecially the analysis of the current data protection
quality. Therefore, a short introduction to the architec-
ture of a usage control based data protection quality
management system is given. In the end, the work
concludes with the expected advantages of the im-
plementation of such processes and systems and ad-
dresses the main topics of future work.
2 Related Work
The basic idea of a data protection management
framework for todays complex information systems
has been discussed before. Bock and Rost [1] propose
to reuse CobiT and ITIL Key Performance Indicators
for a data protection management, but give no further
details. Meints [2] argues, which of ITILs (V2) Ser-
vice Support and Service Delivery Processes lead to
synergy potentials, if they are combined with a data
protection management. The IPCO argues in a study
with Deloitte & Touche [3] how paradox the relation-
ship between security and privacy is.
Hilty, Pretschner and Basin [4] propose the applica-
tion of usage control systems for privacy enforce-
ment. Mller [5] discusses the utilization of access
control policies for an automated data protection
management.

This work contributes a comprehensive analysis,
which parts of common standards and best practices
from information security management, IT service
management and general business management can be
reused for data protection purposes. Additionally, new
strategic an organizational recommendations are giv-
en. Finally, a framework is introduced, which explains
230
how usage control can be capitalized for the control of
an integrated data protection quality management.

3 A New Data Protection Quali-
ty Management
Data protection management has the objective to in-
crease the level of privacy of data subjects, to manage
risks, and to ensure compliance with data protection
law. It has to be embedded under the general quality
management framework of ISO 9000 and controlled
by a management framework like CobiT. Its integra-
tion with Information Security Management Systems
(ISMS) and Service Management Systems (SMS)
based on ITIL, ISO/IEC 20000, ISO/IEC 27000 and
IT-Grundschutz is essential to achieve acceptance in
the organization and efficiency in the overall business
processes.
The focus is laid on a continuous improvement pro-
cess for enterprise data protection quality. The basis
for this improvement process is the ability to check
and monitor the data flow in an institution. Thereby,
not only personal data can be monitored, but an over-
all tracking of sensitive and secret data can be estab-
lished to enforce cyber defense. The implementation
of privacy and protection requirements will be more
easily controlled.
To be effective, a data protection quality management
has to be done because of the organization and the
customers, not because of law. The internal (employ-
ees) and external (customers, suppliers and third party
contractors) marketing and communication of data
protection is an essential basis to accomplish the giv-
en objectives.
4 Relationship to Other Stand-
ards and Guidelines
As data protection management has to be aligned to
given standards and guidelines, the major ones are
introduced in this section. The relevance of specific
parts of the standards and guidelines is mentioned in
the discussion of each distinct process.
4.1 CobiT
CobiT is designed as a general IT control framework
for business managers. Hence, it contains no process
steps, but is an integrator for new and established
standards like ISO/IEC 27001 and ISO/IEC 20000,
good practice frameworks like ITIL and methodolo-
gies like BSI IT-Grundschutz.
Therefore, it is recommended to embed the data pro-
tection quality management in CobiT or a CobiT-like
organizational management framework.
4.2 ISO 9000
As a quality management system, the data protection
quality management has to be aligned to the global
quality management of the organization. The overall
standard for such a quality management is ISO
9000:2005.
The quality management principles defined therein
can also be applied to the data protection case in a
modified manner.
The principles are customer focus (which has to be
modified to data subject focus), leadership (especially
the accountability of the managing director for data
protection breaches), involvement of people (all stake-
holders), process approach (the focus of European
data protection law is on the process of processing
personal data and not on the data itself), system ap-
proach to management (that is exactly what this paper
wants to propose), continual improvement (the one
and only way to implement a system approach in data
protection quality management), and factual approach
to decision making (assessment of the individual case
and use of tools like the proposed usage control based
platform).
The last principle mutual beneficial supplier rela-
tionships is not relevant for data protection, because
the data subject is not in the role of a supplier and
other sources of data are not of major importance.
The procedure directory as one of the main docu-
ments of data protection can be utilized as a source for
the global quality manuals defined in ISO 9000.
4.3 ISO 20000 and ITIL
While ISO 20000 specifies requirements for an inte-
grated service management system, ITIL describes a
good practice how to implement such an IT service
management. Both do not consider the specific re-
quirements of data protection, but they contain organ-
izational and processual patterns, which can also be
applied to data protection quality management.
One of these patterns is the Deming-cycle or PDCA-
methodology (Plan, Do, Check, Act). The Deming-
cycle is on the one side a guideline for the general
structure of a management framework, on the other
side a pattern which can be found in the different
steps of each distinct process. Therefore, the Deming-
cycle will be reused in this proposal for an overall da-
ta protection quality framework.
4.4 ISO 27000 and IT-Grundschutz
ISO 27001 is the international standard for an infor-
mation security management system. One of the main
parts is an overall risk management process to assess
the information security needs of the organization.
231
The measurements listed in the ap-
pendix of ISO 27001 are discussed
in detail in ISO 27002. Part of these
measurements is also compliance
with policies, laws and regulations.
In a very general way, the need for a
data protection official, training and
privacy policies is mentioned.
IT-Grundschutz provides a holistic
approach to reach an adequate pro-
tection level for information with
normal protection requirements and
is in compliance with ISO 27000.
For applications requiring a high
level of protection, an additional
risk assessment and measurement
analysis is needed in many cases.
One of the IT-Grundschutz Catalogues (Module 1.5)
discusses data protection issues. Measurement 7.1
aligns the data protection process with the IT-security
process. It proposes explicit sub-processes for opera-
tion and monitoring of data protection.
5 Organizational Structure
The establishment of the organizational framework
has to be part of kick of data protection governance
initiatives.
Core of the matter is the appointment of a data protec-
tion officer. He can be appointed in dual role as IT-
security officer. The definition of his role, which de-
mands to protect secrets and to enhance transparency
at the same time, can cause conflicts of interest. These
conflicts have to be managed and resolved.
The data protection officer reports directly to the gen-
eral manager or CEO. He needs all necessary powers
to ensure compliance. It is strongly recommended to
create a distinct staff function for this role. Depending
on the size of the company the data protection officer
needs additional personnel, especially to man the
transparency desk and to supplement the incident
management with a second and third level support.
The other data protection processes have also to be
governed by data protection staff.
The qualification of data protection personnel has to
include technical, organizational and judicial
knowledge.
As data protection is a topic that affects a variety of
stakeholders, a steering committee has to be estab-
lished. The committee is headed by the data protec-
tion officer. Members of the committee are the IT-
security officer, the quality management officer, a
delegate of the workers council and the heads of all
departments dealing with personal and sensitive data.
If the organization has a distributed structure, contact
persons for data protection for each site have to be
appointed.

Aligned with:
IT-Grundschutz: M 7.2 Responsibilities
This Module of IT-Grundschutz describes how a data
protection official has to be appointed and what his
duties are.
6 Basic Principles of Data Pro-
tection as Management Objec-
tives
First guidelines for data protection were given by
OECD [6] and on the basis of European law by Bizer
[7]. Revisited by Pfitzmann and Rost in [8], they con-
dense to six data protection objectives creating the
basis for a global data protection strategy. Three of
them are the traditional information security objec-
tives confidentiality, integrity and availability (CIA).
The privacy part of the cake consists of transparency,
unchainability and intervenability. This mixture of ob-
jectives represents the strong relationship between da-
ta protection and IT-security, as well as their equal
importance. Bock and Rost [1] introduced a tableau
with a dual semantic for these objectives.
I propose to reuse this tableau as a spider chart to con-
stantly measure the data protection performance of an
organization (see Figure 1).
Each objective has to be underpinned by key perfor-
mance indicators (KPI). The indicators have to be de-
signed in a measureable way. A few suggestions may
be proposed:
Confidentiality can be estimated by the amount of da-
ta breaches. It refers also to the minimization of data
collection. Hence, the number of services which can
be used in an anonymized or pseudonymized way and
the size of an average personal data record could be a
measure.
Integrity is harder to quantify. An indicator can be the
number of records being changed without permission
and, respective data quality, the number of complaints
because of incorrect data records. An efficient backup
strategy could be measured, too (e.g. amount of re-
dundancy).
Confidentiality
Integrity
Availability
Unchainablity
Transparency Intervenability
Figure 1 Data protection principles spider chart based on [1]
232
Availability can be measured as a ratio of uptime and
downtime of the relevant systems.
A measurement for transparency can be the ratio of
processes with clear accountability and the number of
processes with automated individual decisions. A
grade for the quality of documentation could also be a
measure.
Unchainability can be measured by the average num-
ber of different purposes specified for each dataset. It
can also be measured by the separation or aggregation
of duties.
Intervenability can be measured by the availability of
a single point of contact (SPOC) or the number of da-
ta records used and stored without consent or notifica-
tion.
It has to be stated, that the quantitative key perfor-
mance indicators have to be accompanied by qualita-
tive examinations. E.g., it makes no sense to deter-
mine the average number of purposes, if they are not
accurately specified.
7 Strategy and Planning
The planning processes are designed to analyze the
structure of the business processes of the organization.
This also includes an overview of the data usage, the
roles and stakeholders. Additionally, risk analysis and
management takes place. The establishment of a pro-
cedure directory and a privacy statement document
the strategy and the results.

Aligned with:
CobiT: PO1 Define a Strategic IT Plan
The direction of the CobiT Strategic Plan is to define
an IT investment and development plan. It covers also
legal and regulatory requirements, but the focus is on
(financial) business alignment. For the detailed IT se-
curity planning, an additional planning process is de-
fined (DS5.2 IT Security Plan).
7.1 Process and Role Analysis
Basis of an effective data protection management is
the knowledge and documentation of all business pro-
cesses which handle personal and sensitive data. For
each process step the input, output and relevant IT-
systems have to be identified. The input and output
have to be partitioned into sensitive and non-sensitive
data. The sensitive data have to be classified accord-
ing to their type. The source of input data (data sub-
ject or other) has to be identified. Recipients of the
outputs and thereby interfaces to data subjects, third
parties and internal bodies have to be determined.
Overall, a data flow model has to be derived from the
business processes.
In the second step, the roles and assigned competenc-
es have to be made clear. CobiTs RACI-charts are a
good approach. RACI stands for Responsible (the
person who gets the task done), Accountable (exactly
one person who provides direction and authorizes an
activity), Consulted (a person, who is informed and
has the possibility to give its opinion), and Informed
(a person who gets all information necessary to be in-
volved). Thereby, decision rights and accountability
for correct data handling are made clear.
7.2 Setting up of the Procedure Direc-
tory
The procedure directory is a summary of the process
documentation. It has to be made public and accessi-
ble. The procedure directory has to be informative and
understandable for the data subjects. As the process
documentation is updated, it has to be kept up-to-date,
too. A version history has to be maintained.
A procedure is a set of processes, which are linked by
a common purpose. As the process roles are too fine
grained, a controller for each procedure has to be
identified. Purposes and possible purpose changes
have to be documented. Thereby, the data subject is
able to understand, what the organization is doing
with his data. If the process documentation is a de-
tailed analysis and the privacy statement is an overall
strategy and defines the general approach to data pro-
tection, the procedure directory is something in be-
tween.
7.3 Definition of a Privacy Statement
The privacy statement is an external and internal doc-
ument which provides a vision for the organizations
data protection. It depicts how the organization wants
to handle personal and sensitive data, why and what
kind of personal and sensitive data is needed in the
organization and who is responsible for the organiza-
tions conduct regarding personal and sensitive data.
The goal is to reveal compliance and data protection
as a unique selling proposition (USP). The commit-
ment of the board of directors of the organization is
strongly required.
All processes, internal guidelines and policies have to
be aligned to the privacy statement. Hence, the state-
ment has to be frequently reviewed and has to be con-
tinuous, but gentle, improved.
As the statement is the main document to communi-
cate the privacy friendly corporate image, it has to be
simple to access and frequently published.

Aligned with:
CobiT: PO6 Communicate Management Aims and Di-
rection
CobiT utilizes IT policies to communicate the man-
agement aims to stakeholders. They contain the ethi-
233
cal values of the organization and define responsibili-
ties for compliance with law and other requirements.
7.4 Risk Analysis and Management
As risk is a global matter for an organization, different
types of corporate risks have to be analyzed in a
joined approach. Hence, data protection risk manage-
ment has to be strongly aligned with risks from other
domains.
Data protection risk management covers legal, tech-
nical and organizational risks for personal and high
valuable data. The analysis of data protection risks
has first to look at the potential risks for the data sub-
ject and derive therefrom the risks for the organization
itself.
Afterwards, measures to reduce the potential risks
have to be defined. The probability of occurrence of a
data protection issue depends strongly on data securi-
ty and secure processes. The potential scale of dam-
age can be reduced by an effective incident manage-
ment and rapid and frank communication after the in-
cident. The remaining residual risk must be perceived
and communicated. It cannot be passed on.

Aligned with:
CobiT: PO9 Assess and Manage IT Risks
The CobiT Risk Management Framework focuses on
IT risks, but demands to align them with the global
organizational risk framework. With respect to data
protection, it integrates IT events with a negative in-
fluence on legal and operational goals (PO9.3 Event
Identification).
ITIL: SS Challenges and risks
ITIL provides a generic framework for risk manage-
ment and discusses different types of risk like contract
risk and operational risk.
ISO 27001: The ISO 27001 risk management process
includes the activities of risk assessment and evalua-
tion, risk treatment, risk acceptance, and risk commu-
nication.
8 Deployment of New Proce-
dures
If a new procedure to process personal data has to be
established, this procedure is target of a prior check.
This check has to answer the question, if it is allowed
by domestic law to process the considered personal
data and if it is allowed, how. If the personal data or
the processing has no particular sensitivity, a rough
scan is enough. Else, the data and the processes have
to be analyzed in detail.
First, the legal basis has to be evaluated. The pro-
cessing of personal data can take place on the basis of
consent, on the basis of a legal obligation or on the
basis of balancing the interests of the data subject and
the data consumer (including contracts). In the case of
consent, the consent has to be unambiguous, suffi-
ciently specific, based on free will, written and in-
formed. Informed means that the purpose and the
consequences of the refusal are known in advance.
Afterwards, a legal proportionality check (suitability,
necessity, and adequacy) has to take place.
In the case of processing of data by a processor, in-
cluding the case of maintenance contracts, a data pro-
tection agreement has to be fixed. The processor has
to act as instructed by the controller. Hence, to verify
compliance, monitoring an evaluation has to be ex-
tended to the domain of the processor.
If there are any doubts if and how the new procedure
is allowed, consultation of the data protection authori-
ty is mandatory.
Finally, if the procedure is allowed, the update process
for the procedure directory has to be triggered for
documentation purposes.
A revision has to be done, if the type of data, the
source of data, the purpose, the receiver or the proces-
sor changes.

Aligned with:
IT-Grundschutz: M 7.4 General Regulations and Pri-
or Check
This module contains a discussion of the proportional-
ity check and the measurements of a prior check ac-
cording to the German data protection law.
9 System-Lifecycle Manage-
ment
The system-lifecycle management accompanies IT-
systems during their whole lifetime from a data pro-
tection point of view. The different steps of the Sys-
tem-Lifecycle are development, configuration, deliv-
ery and discontinuation (see Figure 2).
The data protection aspect of development is well
known as Privacy by Design, a term invented by
Ann Cavoukian [9]. The best way to support data pro-
tection during the development process is to embed
privacy into the system design just from the begin-
ning. Thereby, business functionality is not hindered,
but supported by data protection. Data avoidance and
minimization provide a strong privacy and, at the
same time, reduce costs by lowering the amount of
data to be processed, sorted and stored. The same ap-
plies to the quality of data. A good idea is to imple-
ment automated checks of the data quality. As data
protection demands to avoid automated individual de-
cisions, it is recommended to place hooks for human
interaction into the data-processing operations. Addi-
tional measures are an automated notification of pro-
cessing for the data subject to reduce the workload for
the transparency desk and the logging of processing to
enable transparency and control for data protection
and data security. Privacy enhancing technologies
234
(PET) for pseudonymization,
anonymization and other pur-
poses are technically available,
too.
If a system is not developed by
the organization itself (external
products), Privacy by Design
can be demanded by requiring
certificates like EuroPriSe [10]
for such products.
In the deployment and configu-
ration phase, Privacy by De-
fault is the key. This means,
that all settings of the systems
are configured in a way that the
data protection principles are
respected the most. Access
rights and data collection has
only to be granted on purpose.
Particularly, the retention period
of data has to be set to a mini-
mum level.
During the delivery of IT-services, all actions, like
reading, storing, modification or transmission of data,
have to be controlled and reconfigured, if necessary. It
should be possible for the data subject to switch off
unwanted data usages, if there is no overriding inter-
est of the organization. Continuous Improved Trans-
parency leads to more efficient business processes
and a higher level of data protection.
If the discontinuation of a system is considered, it has
to be ensured that the data used by this system is safe-
ly erased or blocked. System components must be
disposed of in a way that no sensitive data can leave
the organization. Data is blocked, instead of erasing it,
if it is in the interest of the data subject, if it is de-
manded by the data subject, if erasure is technically
impossible, if a longer retention period is demanded
by law, or if the data is still required by other systems
and processes. The whole discontinuation process has
to be documented.

Aligned with:
IT-Grundschutz: M.2.110 Data protection aspects for
logging
IT-Grundschutz provides a full list of basic require-
ments for logging in a data protection context. It an-
swers the questions what has to be logged, in which
way and who has access to the log files.
ITIL: SS Service lifecycle
The common ITIL figure describes the service lifecy-
cle as the wheel of service design, transition, opera-
tion and continual service improvement which rotate
around the axis of service strategy.
10 Operation and Support
The processes of operation and support deliver con-
tinuous data protection services and transparency for
the business processes. Additionally, they are con-
cerned with human affairs like education.
10.1 Transparency Desk
The transparency desk is the single point of contact
(SPOC) for all Requests regarding the data subjects
rights. Especially it is responsible to inform the data
subject about the controller, types of data and purpos-
es for the collection and processing of personal data.
If it is not done automatically, the transparency desk
has also to notify the data subject about such relevant
events. Sources and recipients are only revealed, if no
business secret would be exposed. Sources and recipi-
ents enable the data subject to construct an overall da-
ta path of his personal data.
Via the transparency desk, the data subject has also
the opportunity to seize his right of access, correction,
erasure, or blocking. Hence, the Transparency Desk is
also part of the public relations facilities of the organ-
ization.
10.2 Incident Management
A data protection incident is an event, which violates
the rights and interests of a data subject or the organi-
zation by releasing or handling sensitive data in an
unintended or unlawful way. Types of incidents are
privacy breaches and data leakages.
Development
Privacy by Design
Configuration
Privacy by Default
Discontinuation
Data Erasure &
Blocking
Delivery
Continous Improved
Transparency
Lifecycle
Figure 2 System-lifecycle from a data protection perspective
235
The incident management has to handle the events
and escalate them according to their priority.
The escalation involves actions and procedures to in-
form the data subject or the public about a data leak-
age and measurements to minimize the outcome of
the privacy breach.
To enable a learning process and avoid future inci-
dents, an incident record has to be kept.

Aligned with:
CobiT: DS8 Manage Service Desk and Incidents (DS
8.3 Incident Escalation)
The service desk is responsible for a timely response
to user needs. As data subjects are not implicit users
or customers, their queries are not always covered by
the CobiT service desk.
ITIL: SO Incident Management
ITIL defines an explicit process how to handle incom-
ing events, especially how to classify them. One addi-
tional classification could be a data protection issue.
The incoming events are split into incidents and prob-
lems and forwarded to the respective management
processes. Besides the classification, each event gets a
priority and is escalated, if necessary.
The explicit definition of an incident is an unplanned
interruption to an IT service or reduction in the quali-
ty of an IT service. This definition matches not ex-
actly to the one for a data protection incident.
ISO 27002: Information Security Incident Manage-
ment
An organization needs a defined way how to antici-
pate and how to respond to information security
breaches. This includes standardized notifications for
and reactions on incidents, a learning process and
computer forensics.
10.3 Problem Management
A problem is an event that is cause of more than one
incident and affects more than one data subject.
Hence, the problem management is triggered by the
escalation of the incident management. The solution
of a problem is typically described in a request for
change. There are three types of subjects of a request
for change: Policies and privacy statements, process-
es, and IT-systems. To change an IT-system can be a
change of the system itself (e.g. fix a bug) or a change
of the system configuration. Therefore, the Problem
Management has to be exceptionally aligned to IT-
security and service management.

Aligned with:
CobiT: DS10 Manage Problems
The CobiT problem management aims to ensure the
end users satisfaction with the IT service by solving
and preventing problems. As same as the incident
management, it covers not all data protection related
events.
ITIL: SO Problem Management
In ITIL, a problem is defined as a (unknown) cause
of one or more incidents. The process of problem
management is very similar to the process of incident
management. But instead of escalation, a problem
needs a deeper inspection and can induce a request for
change.
10.4 Human Affairs and Education
The majority of data protection incidents are caused,
with or without intention, by employees and not by
misconfiguration of IT-systems or technical security
gaps. Therefore, continuous training of the whole
workforce is of major importance.
Similar to IT-systems, the tenure of an employee can
be modeled as a lifecycle. Starting with the assess-
ment of new employees, the qualification and trust-
worthiness has to be checked. When the person is
hired, he has to be pledged to his duties and obliga-
tions, especially the duty to maintain data confidenti-
ality. Additionally, he needs initial training and educa-
tion according to a well-defined education plan. If the
employee changes his position or his role in a process,
further training is necessary. All employees dealing
with sensitive data should also be integrated in a
learning process based on previous incidents. When
the employee leaves the organization, it has to be en-
sured, that he keeps sensitive data confidential and
takes no data with him.

Aligned with:
CobiT: DS7 Educate and Train Users
The users of IT systems have to be trained along the
needs of their specific user group to increase compli-
ance and reduce user errors.
11 Quality Measurement and
Evaluation
The quality management and evaluation has to moni-
tor the current state of data protection and privacy in
the company. Additionally, it has to develop proposals
for future improvements.

Aligned with:
CobiT: ME3 Ensure Compliance with External Re-
quirements
This CobiT process comprises the identification of
legal and other privacy requirements, an optimized
response to them, and the evaluation of the overall
compliance. The process is very general and looks at
the whole data protection quality management, but
solely from a monitoring and evaluation perspective.
236
11.1 Monitor Changes of External Re-
quirements
As data protection law is nothing static, but something
fluctuating as long as technology advances, the organ-
ization has to readjust itself continuously. Therefore,
recent changes of data protection law, standards and
guidelines have to be monitored and translated into
requests for change for the particular processes, sys-
tems, policies and privacy statements.
11.2 Internal and External Audits
Not all problems and inefficiencies of data protection
manifest themselves in incidents or easy to recognize
internal issues. Hence, internal and sometimes exter-
nal audits have to take place. Besides the reveal of
hidden problems, the purpose of audits is to control,
whether prior checks for new procedures take place,
whether all documents are up-to-date and whether the
lifecycles of IT-systems and human affairs are proper-
ly managed. Thereby, they broaden the continuous
improvement process from technical aspects to non-
technical topics. They can also cover external proces-
sors, which are not part of the technology-based quali-
ty measurement.
11.3 Technology-based Continuous
Measurement
To examine the information flow in the relevant IT-
systems continuously, the organization has to estab-
lish an automated data protection management and
data flow tracking. Thereby, the enforcement of data
protection policies is embedded into the organizations
network and workflows. To align the measurements to
the given objectives, a scorecard system has to be es-
tablished and integrated into the management system.
Based on the process documentation, it has to be de-
cided, where the measurement nodes of the manage-
ment systems have to be rolled out.
When the system is established, the workload for
manual control is reduced and individual errors are
inhibited. The accordance of data procession with data
protection law and given standards can be proven
without delay, if it is necessary for audits and inspec-
tions by the data protection authority. The costs for
the introduction of new rules, guidelines and stand-
ards are significantly reduced.
The next section introduces such a system on the basis
of usage control.
12 Supportive Systems
A supportive system for data protection has to assist
the data protection officer and his staff in all aspects
concerning the detection of data protection incidents
Figure 3 Supportive system for data protection management
Trusted Third Party (TTP) Law Enforcement Agency (LEA)
Independent User
System (IUS)
User / Company Sphere (CS)
Data Subject (DS)
Policy
Deployment
Data Protection
Quality Management
System (DPQMS) Signalling
Buffer
SPOC
Local
Signalling
Buffer
PEP
Local
PDP
PDP
237
and the evaluation of IT-systems and processes. Addi-
tionally, it has to support the average employee to
make the right decisions.
Particularly the system has to help to answer the fol-
lowing questions:
Are personal data actually processed
for the defined purpose
in the specified processes
by the preassigned roles?
How can, with respect to the user rights, be assured
that
an information is complete,
all personal data are deleted, and
a change of personal data prevails in all stor-
age locations?
How can, in the case of data leakage, be found out
which data
on which route
caused by which person
has been lost?
How can, in the first step, a data leakage be detected?

If sensitive and personal data are annotated by poli-
cies, a usage control system can give the answer to all
this questions.
Contrary to intrusion detection systems, the data pos-
sess, because of the policy, a semantic. Furthermore,
the observation can be limited to the real sensitive da-
ta. (E.g. copying a music file to a USB-stick vs. copy-
ing a set of customer data to an USB-stick).
12.1 Architecture
The actual data protection quality management sys-
tem (DPQMS) is only the point where the evaluation
and the structured representation take place. The data
needed for the evaluation is delivered by a usage con-
trol infrastructure (see Figure 3).
A usage control system consists of a set of policies
that are linked to the sensitive data, an enforcement
component and a decision point. The decision point
has to consider the desired actions and compare them
with the linked policies. This results in the decision
whether the desired action should be allowed and if
additional actions should take place. Then, the en-
forcement component has to take care that forbidden
actions are inhibited and additional actions are exe-
cuted. For a continuous quality monitoring, signaling
actions are of major importance. Based on them, in-
formation on the present flow of sensitive data is for-
warded to the DPQMS, enhancing transparency for
stakeholders. As complex information systems have
no hierarchical structure, a distributed signaling infra-
structure has to be provided. Distributed nodes collect
the information about the data flow and forward it on
demand to the central DPQMS.
Policy enforcement points (PEP) have to be deployed
to all relevant systems. These are mainly the gateways
to external bodies and between purpose groups
(roles). Additionally, end user systems with huge
amounts of personal data processing have to be con-
sidered.
12.2 Policies
Sensitive data has to be linked to the respective priva-
cy policies in a way that it is automatically determi-
nable which transfer of information is allowed and
which one is not (sticky policy). The linkage has to
take place at the time of data collection to ensure
transparency during the whole lifecycle. At mini-
mum, a policy has to contain the purpose and type of
the data.
For an easier and automated linkage process, the cases
have to be structured in policy classes. These classes
have to be general enough for an application in the
whole organization, but specific enough to be suffi-
cient for particular information. Some kind of a tem-
plate approach is recommended. One language our
research group uses to define such policies is the Ob-
ligation Specification Language (OSL) [11].
Beginning with a sufficient planning process, taking
into account all relevant stakeholders and data types
as well as defining the applied purposes, data protec-
tion and cyber defense can be established as part of
the corporate culture. The continuous feedback by the
quality management system and an institutionalized
incident management for data misuse provide aware-
ness for data protection and security. While the sys-
tem itself is supposed to support data protection ob-
jectives, it causes additional privacy concerns by
monitoring the behavior of employees. The check and
handling of the resulting legal concerns are topics for
future work.

Acknowledgment: This work was supported by
Fraunhofer Gesellschaft Internal Programs, Attract
692166.
References
[1] Bock, K.; Rost, M.: Privacy by Design und die
Neuen Schutzziele, DuD 2011, p. 30.
[2] Meints, M.: Effektives Datenschutzmanage-
ment unter Nutzung von IT-Betriebsprozessen,
DuD 2005, p. 588.
[3] IPC/O; Deloitte & Touche: The Security-
Privacy Paradox: Issues, Misconceptions, and
Strategies, 2003.
[4] Hilty, M.; Pretschner, A.; Basin, D.: Verteilte
Nutzungskontrolle, digma 2007, p. 146.
238
[5] Mller, J.: Automatisiertes Management von
Datenschutzrechten, DuD 2006, p.98.
[6] Organisation for Economic Co-operation and
Development: OECD Guidelines on the Protec-
tion of Privacy and Transborder Flows of Per-
sonal Data, OECD Publications Service, 2002.
[7] Bizer, J.: Sieben Goldene Regeln des Daten-
schutzes, DuD 2007, p. 350.
[8] Pfitzmann, A.; Rost, M.: Datenschutz-Ziele re-
visited, DuD 2009, p. 353.
[9] Cavoukian, A.: Privacy by Design,
http://www.ipc.on.ca/images/Resources/privacyb
ydesign.pdf, Accessed July 5
th
2011.
[10] European Privacy Seal (EuroPriSe):
https://www.european-privacy-seal.eu/, Ac-
cessed July 5
th
2011.
[11] Hilty, M. et al.: A policy language for distribut-
ed usage control, Proc. 12th European Symp.
on Research in Computer Security (ESORICS)
2007, p. 531.
239
Efficient and Secure data transfer using Jpeg image based
Steganography
Mrs. Shantala. C.P, Research scholar. Dr. MGR Educational and research institute, Deemed university,
Chennai, INDIA.

Dr. K.V. Viswanatha, Professor Department of Computer Science and Engineering, C.I.T, Gubbi, Tumkur,
INDIA.
Abstract
Applying steganography for the images like JPEG is not straight forward process due to its lossy compression.
The objective of this paper is to carry out a brief research on steganography. Based on the research findings,
develop and implement a steganographic application to hide data in a computer image file, as well as retrieve the
hidden data from the image containing the hidden data and improving the hiding capacity by encrypting and
compressing the data.
Keywords: Steganography, Cryptography, JPEG Compression, Data Compression.

1. Introduction
The purpose of steganography is to hide
messages in innocent looking carriers. The purpose is to
achieve security and privacy by masking the very
presence of communication. Historically, the first
steganographic techniques included invisible writing
using special inks or chemicals. It was also fairly common
to hide messages in text. By recovering the first letters
from words or sentences of some innocent looking text, a
secret message was communicated. Today, it seems
natural to use binary files with certain degree of
irrelevancy and redundancy to hide data. Digital images,
videos, and audio tracks are ideal for this
purpose[1][7][8].
The subject of steganography has been brought
into limelight by several intelligence agencies and the
news media in recent times following some terrorist
attack all around the globe. It has been alleged that these
terrorists, apart from using state of the art communication
technologies and media, are using cryptography as well as
steganography to aid themselves with their objectives
[2][4][6].
Despite the sins steganography carries due to
some cynical comments by some people, it can be put to
good use. We all need privacy, that is the reason most of
us prefer sending a letter in an envelop instead of a
postcard. Cryptography has aided us to turn intelligible
data into gibberish data to disappoint the prying eyes of
nosy people[1][3]. However, some countries disallow use
of cryptography[3]. Cryptographic text can quite easily be
identified. A message, either encrypted or unencrypted,
can be hidden in a computer image file and transmitted
over the Internet, a CD or DVD, or any other medium.
The image file, on receipt, can be used to extract
the hidden message [1]. Hiding the message in
the image file enables the deniability of the
existence of any message at all.
2. Objectives
The objective of this paper is to carry
out a brief research on steganography. Based on
the research findings, develop and implement a
steganographic application to hide data (other
files containing images, text, etc.) in a computer
image file. There are lots of steganographic
programs available. A few of them are excellent
in every respect, especially the non-freeware
programs. Unfortunately, most of them lack
usable interfaces, or contain too many bugs, or
unavailability of a program for other operating
systems.
3. Image formats
3.1. Graphics Interchange Format
(GIF)
GIF was developed by CompuServe
back in 1987 to display color images. Although
present day computers can display millions of
colors, graphics hardware back then could only
display this amount of colors. Although GIF is
not suitable for displaying color real world
photographs for modern day video cards and
monitors capable of displaying millions of colors,
it is still excellent for graphics.

240

Figure 3.1 GIF images with color palettes of 256 and 64
colors

GIF uses a lossless compression scheme called
LZW which accounts for its small size. It has a color table
(palette) which can contain up to a maximum of 256
colors. Each pixel of the image maps to the color entries
in this table. If the exact color is not in the table, the pixel
points to the color with the closest match. Due to the color
limitation, GIF can be very poor for displaying
photographs; JPEG performs really well for photographs,
and on most occasions, the ideal choice. Alongside JPEG,
GIF is the most popular image formats on the Internet.
3.2. Joint Photographic Experts Group
(JPEG)
The Joint Photographic Experts Group released
the JPEG standard in the early 1990s to meet the needs for
high quality image compression standards for the storage
and transmission of real world photographic images.
The image standard makes use of human visual
characteristics and advanced mathematics
to deliver high quality photographic images. JPEG was
developed with photographs in mind, hence the word
photographic in its name. It can achieve very high levels
of compression. It uses a lossy compression scheme,
meaning some data of the image is lost due to the
compression. Compression is achieved not using a single
algorithm, like LZW in GIF, but a number of different
compression schemes. JPEG is not suitable for graphics,
only real world photographs. JPEG images have become
one of the two most popular image formats on the
Internet.
JPEG Image Compression
Appling the steganography for the images like
JPEG is not straight forward process due to its lossy
compression. Thats why JPEG steganography software is
very rare. There is plenty of software around that can hide
data in BMP images. Unfortunately, BMP pictures are not
widely used or exchanged, unlike JPEG. So, why
programmers don't do steganography programs for JPEG?
There are two main reasons. The first one is technical.
JPEG format is very complex. An order of magnitude is
more complex than a flat, uncompressed format like
BMP. There are many variations you must take in
account. Although you have a few libraries to
deal with this format, and although for
steganography with quantized DCT coefficients,
you can stop between steps 3 or 4 (i.e. run length
encoding-RLE and then recompress everything);
few programmers will have the patience to tear
apart the guts of a JPEG image. That's why
someone who just wants to play around not very
seriously with steganography will use BMP
format. And that's why even serious programs
which claim to do JPEG steganography actually
fake it (Invisible Secrets hides the data in the
comment field of the header; Secure Engine adds
the hidden data at the end of the file;
nevertheless, both are not bad for BMP
steganography, and are certainly coded by people
who understand cryptography and
steganography). The second reason is more
conceptual. The concept of lossy compression
like the one used in JPEG (or MP3 for audio) is
to remove most of the unimportant or redundant
information. The concept of most steganography
algorithms is to hide bits by replacing this very
same unimportant or redundant information (like
the Least Significant Bits). So both techniques are
going in opposite directions. The more you
compress, the more difficult it is to find room to
hide data.
The JPEG image compression standard
has become an important tool in the creation and
manipulation of digital images [5]. The primary
algorithm underlying this standard is executed in
several stages. In the first stage, the image is
converted from RGB format to a video-based
encoding format in which the grayscale
(luminance) and color (chrominance) information
are separated. Such a distribution is desirable
because grayscale information contributes more
to perceptual image quality than does color
information, due to the fact that the human eye
uses grayscale information to detect boundaries.
Color information can be dispersed across
boundaries without noticeable loss of image
quality. Thus, from a visual standpoint, it is
acceptable to discard more of the color
information than grayscale information, allowing
for a greater compression of digital images.
In the second stage, the luminance and
chrominance information are each transformed
from the spatial domain into the frequency
domain. This process consists of dividing the
luminance and chrominance information into
square (typically 8 x 8) blocks and applying a
two-dimensional Discrete Cosine Transform
(DCT) to each block. The ideal Discrete Cosine
Transform is of the form.

241

Equation 3.1 DCT

The cosine-transform converts each block of
spatial information into an efficient frequency space
representation that is better suited for compression.
Specifically, the transform produces an array of
coefficients for real-valued basis functions that represent
each block of data in frequency space. The magnitude of
the DCT coefficients exhibits a distinct pattern within the
array, where transform coefficients corresponding to the
lowest frequency basis functions usually have the highest
magnitude and are the most perceptually significant.
Similarly, cosine transform coefficients corresponding to
the highest frequency basis functions usually have the
lowest magnitude and are the least perceptually
significant.
In the third stage, each block of DCT coefficients
is subjected to a process of quantization, wherein
grayscale and color information are discarded. Each
cosine transform coefficient is divided by its
corresponding element in a scaled quantization matrix,
and the resulting numerical value is rounded. Basically
the process is.

Equation 3.2 Quantization

The default quantization matrices for luminance
and chrominance are specified in the JPEG standard, and
were designed in accordance with a model of human
perception.
The scale factor of the quantization matrix
directly affects the amount of image compression, and the
lossy quality of JPEG compression arises as a direct result
of this quantization process. Quantizing the array of
cosine transform coefficients is designed to eliminate the
influence of less perceptually significant basis functions.
The transform coefficients corresponding to these less
significant basis functions are typically very small to
begin with, and the quantization process reduces them to
zeros in the resulting quantized coefficient array. As a
result, the array of quantized DCT coefficients will
contain a large number of zeros, a factor that is employed
in the next stage to deliver significant data compression.
In the fourth stage, a process of run-length
encoding is applied to each block of quantized cosine
transform coefficients. A zigzag pattern is
employed in the run-length encoding scheme to
exploit the number of consecutive zeros that
occur in each block. The zigzag pattern is as
follows.

Figure 3.2 zigzag pattern

The zigzag pattern progresses from low-
frequency to high-frequency terms [5]. Because
the high-frequency terms are the ones most likely
to be eliminated in the quantization stage, any
run-length encoded block will typically contain at
least one large run of zeros at the end. Thus, the
amount of space required to represent each block
can be substantially reduced by representing a run
of zeros as (0, n), where n is the number of zeros
occurring in the run. In the fifth and final stage,
the resulting data may be further compressed
through a loss-less process of Huffman coding.
The resulting compressed data may then be
written to the computer hard drive in a file for
efficient storage and transfer.
4. Design
Hiding the data in the images merely
hides the data. Anyone can use the program to
retrieve the hidden data from the image. The
message would be encrypted using a secure
cryptographic algorithm before hiding it in the
image. The user would be able to choose whether
to encrypt the hidden data using a passphrase.

242
Figure 4.1 Flowchart for data Encryption
If encryption is used, it would be done after the
message to be hidden is compressed using ZIP. The
reason being encrypted text is random, and so the
encrypted text would not be highly compressible,
defeating the purpose of the compression functionality of
the system. Another reason is a ZIP file is easily
recognizable, as it have identifiable headers and EOF
markers. Encryption would turn this into random garbage
text which would not be easy to detect.
4.1.1 Hiding using end of file method
In this method, the insertion technique after the
EOF marker of the image would be employed. This
method would be used to hide data in both GIF and JPEG
images. For this method, there would be no restriction for
the number of bytes that can be hidden.
JPEG images have an EOF marker of two bytes
having the hex values FF D9, and GIF images have a
value of 00 B3. In order to hide a message, the data that is
to be hidden would be written after the EOF markers. A
fake appropriate EOF marker for the image would be
added at the end of the hidden message to fool any
steganalyst. The steganalyst would not suspect the image
ending with the usual EOF marker.
Retrieving the hidden data from the image would
be done by searching for the fist original EOF marker for
that image, the data after that would be copied in a
different file until the fake EOF is encountered at the end
of the file.
4.1.2 Hiding using Matrix embedding method
Instead of overwriting bits, it decrements the
coefficients absolute values in case their LSB does not
matchexcept coefficients with the value zero, where we
can not decrement the absolute value. Hence, we do not
use zero coefficients steganographically. The LSB of
nonzero coefficients match the secret message after
embedding, but we did not overwrite bits, because the
Chi-square test can easily detect such changes. So we can
hope that no steps will occur in the distribution.
Some embedded bits fall victim to shrinkage.
Shrinkage accrues every time when we decrements the
absolute value of 1 and 1 producing a 0. The receiver
cannot distinguish a zero coefficient that is
steganographically unused, from a 0 produced by
shrinkage. It skips all zero coefficients. Therefore, the
sender repeatedly embeds the affected bit since he notices
when he produces a zero. If we simply ignore the
shrinkage, the superior number of even coefficients
disappears. Unfortunately the receiver gets only fragments
of the message in this case. The application of an error-
correcting code like hamming code could possibly solve
the problem.
In many cases, an embedded message does not
require the full capacity (if it fits). Therefore, a part of the
file remains unused. Fig. 4.2 shows, that (with
continuous embedding) the changes concentrate
on the start of the file, and the unused rest resides
on the end.
To prevent attacks, the embedding
function should use the carrier medium as regular
as possible. The embedding density should be the
same everywhere.

Figure 4.2 Continues embedding concentrates
changes

Figure 4.3 Permutative embedding scatters the
changes

Permutative Straddling
Some well-known steganographic
algorithms scatter the message over the whole
carrier medium. Many of them have a bad time
complexity. They get slower if we try to exhaust
the steganographic capacity completely.
Straddling is easy, if the capacity of the carrier
medium is known exactly. However, we can not
predict the shrinkage, because it depends on
which bit is embedded in which position. We
merely can estimate the expected capacity.
The straddling mechanism used here
shuffles all coefficients using a permutation first.
Then, we embed into the permuted sequence. The
shrinkage does not change the number of
coefficients (only their values). The permutation
depends on a key derived from a password. This
method delivers the steganographically changed
coefficients in its original sequence to the
Huffman coder. With the correct key, the receiver
is able to repeat the permutation. The permutation
has linear time complexity O(n). Fig. shows the
uniformly distributed changes over the whole
image.

243
Matrix Encoding
Ron Crandall introduced matrix encoding as a
new technique to improve the embedding efficiency [10].
If most of the capacity is unused in a steganogram, matrix
encoding decreases the necessary number of changes. Let
us assume that we have a uniformly distributed secret
message and uniformly distributed values at the positions
to be changed. One half of the message causes changes,
the other half does not. Without matrix encoding, we have
an embedding efficiency of 2 bits per change. Because of
the shrinkage produced, the embedding efficiency is even
a bit lower, e.g. 1.5 bits per change. (Shrinkage means to
change without to embed sometimes.)
The following example shows what happened in
detail. We want to embed two bits x
1
, x
2
in three
modifiable bit places a1, a2, a3 changing one place at
most. We may encounter these four cases:

Equation 4.1

In all four cases we do not change more than one
bit. In general, we have a code word a with n modifiable
bit places for k secret message bits x. Let f be a hash
function that extracts k bits from a code word. Matrix
encoding enables us to find a suitable modified code word
a for every a and x with x = f(a), such that the Hamming
distance.
d(a, a) dmax ..Equation 4.2

We denote this code by an ordered triple (dmax,
n, k): a code word with n places will be changed in not
more than dmax places to embed k bits.
Bellow Table gives the dependencies between
the message bits X
i
and the changed bit places aj. We
assign the dependencies with the binary coding of j to
column a
j
. So we can determine the hash function very
fast.

Table 4.1 Dependency () between message bits x
i
and
code word bits a
j

So in general we find the bit place.

Equation 4.3 to find the bit place
That we have to change. The changed
code word results in

Equation 4.4
We can find an optimal parameter k for
every message to embed and every carrier
medium providing sufficient capacity, so that the
message just fits into the carrier medium.

5. Conclusion
We have explored the limits of
steganographic theory and practice.
Steganographic techniques can be used to hide
data within digital images with little or no visible
change in the perceived appearance of the image
and can be exploited to export sensitive
information. Since images are frequently
compressed for storage or transmission, effective
steganography must employ coding techniques to
counter the errors caused by lossy compression
algorithms. The Joint Photographic Expert Group
(JPEG) compression algorithm, while producing
only a small amount of visual distortion,
introduces a relatively large number of errors in
the bitmap data. It is shown that, despite errors
caused by compression, information can be
steganographically encoded into pixel data so that
it is recoverable after JPEG processing, though
not with perfect accuracy.
6. References
[1] Wayner P: Disappearing Cryptography, Inf
ormation Hiding: Steganography and
Watermarking (2nd edition), Morgan
Kaufmann Publishers, 2002.
[2] Cole E: Hiding in Plain Sight: Steganography
and the Art of Covert Communication,
Wiley Publishing, Inc., 2003.
[3] Schneier B: Applied Cryptography (2nd
edition), John Wiley and Sons, Inc., 1996.
[4] Kahn D: The Codebreakers: The Story of
Secret Writing, Macmillan Publishing Co.,
1967.
[5] Dave Marshall: 10/4/2001 JPEG
Compression, URL:
http://www.cs.cf.ac.uk/Dave/Multimedia/no
de234.html.
[6] Johnson N F, Jajodia S: Steganography:
Seeing the Unseen, February 1998, URL:
http://www.jjtc.com/pub/r2026.pdf
[Accessed Feb 15, 2006]
244
[7] NeoByte Solutions: Invisible Secrets 4, 2004, URL:
http://www.invisiblesecrets.com/
[8] Provos N, Honeyman P: Hide and Seek: An
Introduction to Steganography, May/June 2003,
URL:
http://www.citi.umich.edu/u/provos/papers/practical.
pdf
[9] Sun Microsystems, Inc.: Code Conventions for the
Java Programming Language, April 1999, URL:
http://java.sun.com/docs/codeconv/html/CodeConvTOC.d
oc.html
[10] Ron Crandall: Some Notes on Steganography.
Posted on Steganography Mailing List,1998.
http://os.inf.tu-dresden.de/westfeld/crandall.pdf
[11] James R. Weeks and BioElectroMech, Visit
ed BioElectroMech at URL
http://www.obrador.com.
[12] Suresh DS. And Udaya Shankara V.
External Hardware Security for
Steganography- Indian Journal of
Computing Technology-Vol. 1 issue2 Nov
2006.

245

Impact of Jamming on a Security-Enabled Anonymous MANET
Protocol (SEAMAN)
Bosch, Thomas, Fraunhofer FKIE, Germany
Hrr, Robert, Fraunhofer FKIE, Germany
Antweiler, Markus, Fraunhofer FKIE, Germany
Abstract
Public Safety organizations like police require a reliable communication capability for their operations e.g. to co-
ordinate units or exchange information. Additionally, tactical radios are expected to work properly in challenging
radio conditions, e.g. in buildings or subway stations. MANET technology may enhance the capabilities of tacti-
cal communication due to its inherent features, like decentralized operation without base stations and extended
range by multi-hopping. However, independent of the applied technique one typically requires a high level of se-
curity for tactical communications. Consequently, secure MANET communication must be ensured, which is a
challenging task due to the distributed nature of MANETs. The Security-Enabled Anonymous MANET Protocol
(SEAMAN) is designed to account for special tactical MANET requirements, e.g. multicast traffic. Recently
conducted work showed a promising performance.
In this work we are focusing on a jamming attack, which targets the protocol itself. Such an attack may be con-
ducted by major criminals, or terrorists to temporary paralyze the communication capabilities of public service
organization like police, or fire departments. The attack itself causes no direct damage but its impact may even
lead to loss of human life, e.g. when a police officer is unable to call for help or when ambulance or fire trucks
can not be directed to the scene of incident. Simulations are conducted to evaluate the impact of jamming attack,
which partially indicated astonishing results e.g. increase of SEAMANs performance.

1 Introduction
Modern communication systems are typically relying
on fixed infrastructure e.g. cellular systems like
GSM/UMTS/LTE. These systems require base sta-
tions for their operation, when radio terminals are un-
able to log into a base station, e.g. due to an attack or
no radio coverage between station and terminal, they
will be without any communication capability. How-
ever, it is almost impossible to have enough base sta-
tions to cover all possible locations. This especially
holds true when tactical radios are used in indoor, or
subway scenarios, e.g. when several police officers are
chasing a criminal inside a complex building or sub-
way stations. Nevertheless, tactical communication
must still be possible even under these bad conditions.
The properties of MANETs offer promising features,
e.g. operation without infrastructure and forwarding of
information over multiple hops. These features may
increase the capabilities of tactical forces like police,
or other public service units.
However, providing adequate security in tactical
MANETs is a challenging task, due to the decentral-
ized mode of operation. In MANETs one typically ob-
serve a lot of network partitions, consequently fixed
servers, e.g. for authentication or other security tasks
cannot be used as no constant connectivity can be
guaranteed.
The Security-Enabled Anonymous MANET (SEA-
MAN) protocol [1] is designed to secure tactical
MANET communication and considers special tactical
requirements, e.g. multicast support for efficient group
communication.
In previous work [2], [3], we evaluated SEAMANs
performance in a friendly environment without the
presence of attackers. However, tactical forces, e.g.
the police, have to deal with major criminals or terror-
ists, which will spare no efforts to achieve their goals.
Consequently, attacking communication systems of
tactical forces, e.g. police, is a possible thread, which
has to be considered. In this paper, we are focusing on
a jamming attacks impact on SEAMAN. It is a severe
attack that could be conducted by a major criminal or
terrorist, because it requires only minimal hardware.
An introduction on SEAMANs relevant functionality
is given in Section 2. In Section 3 we are focusing on
different types of jammers, SEAMANs general vul-
nerabilities and the metrics used to measure a jam-
246

ming attacks impact. Section 4 describes the simula-
tion setup and contains the corresponding results. In
the last section we are giving a conclusion.
2 SEAMAN
2.1 Functionality
This section contains relevant information on SEA-
MANs relevant functionality; more in-depth infor-
mation is available in [1], [2] and [3].
SEAMAN provides authenticity, encryption and integ-
rity for MANET traffic. Additionally, it uses an anon-
ymous authentication method for merge operations.
Technically, each node uses pseudonyms for the au-
thentication process during merge operations, which
are used only once to guarantee anonymity. The pseu-
donyms are distributed prior to a mission. Conse-
quently, each node will have a large number of pseu-
donyms on stock.
Further security features are also available, e.g. traffic
obfuscation to defend against a traffic analysis.
SEAMAN itself combines several components to se-
cure a MANET: a foreigner detection mechanism, a
proactive routing protocol that supports multicast, a
frame encryption scheme, a key management system
and an anonymous clear text authentication protocol.
The use of special protocol implementations, e.g.
WNET [4] as routing protocol is not required. As a
result one can easily replace the used components.

Figure 1 General SEAMAN terminology

The relevant functional roles, which are presumed by
nodes in a SEAMAN secured MANET are displayed
in Figure 1: key manager, bridge node and normal
node.
The key manager is responsible to distribute a com-
mon MANET key which is used to encrypt, authenti-
cate and protect the integrity of MANET traffic. Any
node may additionally become a bridge node when it
is part of the bridge setup process. This process is ini-
tiated whenever an unknown MANET is within radio
range.

2.2 Bridge Setup
The bridge setup is SEAMANs most important func-
tionality. In the context of SEAMAN, a bridge is a
temporary secure connection between two nodes that
are located in different MANETs, cf. Figure 1. The
bridge setup is initiated once a node of a foreign MA-
NET is detected.
Both nodes will have different MANET keys by de-
sign. When a node receives a non decipherable frame,
it assumes that an unknown MANET is within range
and will initiate a bridge setup by sending a Perfect
Pseudonym Challenge (PPC) message.
If a node receives a PPC message, it will answer the
challenge with a Perfect Pseudonym Reponse (PPR)
message. Both nodes will use the exchanged infor-
mation to authenticate each other, and to derive a
common bridge key. Consecutive frames will then be
encrypted with the common bridge key. An additional
authentication step ensures that compromised nodes
are denied access, cf. [1] for further details.
In the following, MANET traffic will be routed over
the bridge such that communication between the MA-
NETs is possible. However, the bridge is only used for
short period of time. Both bridge nodes will trigger a
negotiation process between the key-managers. Final-
ly, one of the key-manager will take responsibility for
both MANETs. It will then generate and distribute a
new common MANET key, which concludes the
merge operation. The bridge is disbanded, because
direct communication is possible.
2.3 Enhancement
In this section we are focusing on an important en-
hancement of the initial concept [1], that is particular
relevant in case of a jamming attack. More detailed
information on all enhancements can be found in [2]
and [3].
The initial concept specifies a blocking behaviour dur-
ing the first phase of the bridge setup process. When a
node responds to an undecipherable frame, it responds
with a PPC message and will wait for the correspond-
ing PPR message. Any received PPC message will be
ignored during that period of time. As a result, the
node will either receive the expected PPR message or
a timeout will occur.
A jammer can easily take benefit of this behaviour, by
simply emitting short dummy messages, which will
trigger all receiving nodes to respond with a PPC mes-
sage. The nodes will be blocked for further MANET
merges until the timeout occurs. Using this approach,
the jammer has a promising attack strategy to disrupt
the MANET merge process and as a consequence
prohibit communication capabilities.
In [3] we have proposed to use a non-blocking bridge
setup process, which allows nodes to decide whether
to wait for a PPR message or respond to a recently re-
ceived PPC message. The simulation results indicate a
substantial performance increase, although one ob-
serves a slight increase of network load, which is
caused by the additional PPR messages. The same en-
bridge node
key manager
bridge node
key manager
MANET A MANET B
MANET key MANET key
bridge
bridge key
node
node
247

hancement is expected to minimize the impact of
jamming, which will be analysed in more detail in
Section 4.2.
3 Jamming attack
3.1 Type of jammers
Generally, there are several different types of jam-
mers, which are using different transmit and pause du-
rations. Periodic jammers use a fixed pause and send
duration to interfere signals. Random jammers use
random decisions to determine duration and/or pause
time. Constant jammers are sending without pause.
The previously mentioned types of jammer require no
receiver functionality for their operation, as they are
transmitting without sensing.
However, a reactive jammer requires a receiver func-
tionality as it will only transmit an interfering signal
when it senses an on-going transmission.
As the random jammer will lead to varying non-
repeatable results, we refrained from using it in our
simulations. We have also considered using a reactive
jammer, but we observed more or less a constant
jamming behaviour. This behaviour was caused by the
periodically emitted control messages of the proactive
routing protocol.
Additionally, we assume that some kind of frequency
hopping mechanism will be used to confront jamming
attacks. Consequently, we have not considered a con-
stant jammer or a reactive jammer with an almost con-
stant jamming behaviour in our simulations. Instead
we have put our focus on a periodic jammer, which is
only able to periodically disrupt communication capa-
bilities.

3.2 General considerations
The SEAMAN protocol itself is the most vulnerable
during the MANET merge process, when SEAMAN
messages are exchanged during the bridge setup and
the following key distribution. A successful distribu-
tion of the bridge setup terminates the corresponding
MANET merge process. This will cause a complete
repetition of the bridge setup. When a jammer is ca-
pable to disrupt the key distribution, it may even in-
crease the network partition degree. Consequently, ex-
isting links can be disconnected, which is the most se-
vere impact of a jammer.
The jammer will have much less impact on the SEA-
MAN protocol, when all nodes are member of the
same MANET, i.e. they share the same MANET key.
Jamming messages will then provoke a PPC response
of the nodes. Additional network bandwidth is con-
sumed by the jammer itself and the nodes that are re-
sponding with PPC messages. Consequently, network
services, e.g. a voice service, may be affected when
there is not enough bandwidth left. However, a jam-
mer will be unable to partition the existing MANET
during that phase.
Nevertheless, a jammers strategy could also target
SEAMANs anonymity, e.g. by periodically jamming
and triggering all receiving nodes to respond with
PPC messages. Each PPC message requires infor-
mation from a new pseudonym to guarantee the
nodess anonymity. Consequently, a node may run out
of pseudonyms. It will then have to reuse pseudonyms,
which will endanger its anonymity.
As a result, the most critical SEAMAN phases in the
context of an active jammer will be during the net-
work built-up process and the periodic rekeying oper-
ation, which is required to guarantee forward secrecy.
3.3 Metrics
We have identified three different metrics that are ap-
plicable to measure a jamming attacks impact on
SEAMAN.
The convergence time (cTime) is used to
measure the time required by SEAMAN, be-
fore all nodes share the same MANET key.
This metric is used to evaluate whether a
jammer is able to delay SEAMANs conver-
gence process.
Specifying the percentage of converged sce-
narios is another metric (convScenarios),
which allows evaluating a jammers impact.
Each non-converged scenario indicates that
communication capabilities are affected to
some degree.
Measuring the network partition degree
(netPaDegree) is another metric, which al-
lows evaluating a jammers impact on SEA-
MAN. The value is measured at the end of
each simulation. A fully converged scenario
will yield a value of one and partition level of
two and more indicates that communication
is severely disrupted.
4 Simulations
4.1 Simulation environment
The SEAMAN functionality is implemented in an ns-2
module. All nodes deploy an IEEE 802.11 WLAN
MAC which uses CSMA/CA to access the medium.
All frames are sent with a total data rate of 6 Mbit/s.
The module uses WNET [4] as routing protocol,
which operates similar to OLSR but supports mul-
ticast and link-quality metrics. A simple but reliable
key-management is used that sends keys twice, simu-
lation results in [2] have shown a reasonable perfor-
mance. A small-scale and large-scale fading model is
used as propagation model for the network simulator.
No additional traffic load is present, consequently
traffic is caused only by the WNET routing protocol,
248

i.e. the periodic management messages, which are pe-
riodically sent by each node every 0.2s. The jammer is
implemented as an additional node that is transmitting
dummy traffic. It accesses the medium directly with-
out any carrier sense mechanism. All nodes are using
the same output power including the jammer.
We have analysed a mobile scenario with a single
merge operation. The jammer was positioned in be-
tween both MANETs. However, we were unable to
measure a reasonable impact on SEAMANs perfor-
mance. Only a few messages were required to get
through, which was always possible during the period
jammers short pause duration.
Consequently, we focused on a static scenario by
modelling a full network built-up process of 30 nodes,
which is attacked by a periodic jammer. Further de-
tails on the jammer are described in the next section.
The nodes are distributed over an area of 1000m x
1000m. Additionally, we ensured that we have a multi-
hop scenario with an average hop count value of 2-3.
The position of the node and jammer are static during
a scenario. We use 350 scenarios with random node
and jammer position for each configuration to get
meaningful results.

4.2 Results
This section shows the simulation results of the jam-
ming attacks, which are measured with the metrics in-
troduced in Section 3.3.

Figure 2 Impact of jamming on convergence time

Figure 2 shows the impact of jamming on the conver-
gence time. The x-axis denotes the transmission time
(txtime) of the jammer. The two leftmost boxes dis-
play results without an active jammer, which is speci-
fied as 0ms. The * suffix in the x-axis indicates, that a
non-blocking bridge setup is used instead of the initial
blocking bridge setup, cf. Section 2.3. The y-axis
specifies the required cTime value. The value below
the cTime value specifies corresponding convScenari-
os value. Generally, one has to be cautious to correctly
interpret the cTime metric, because the metric can on-
ly be computed for converged scenarios. As we are
having an equal amount of converged scenarios in
Figure 2, all scenarios have converged, we are able to
compare the cTime values with each other.
The plot indicates that SEAMAN is able to converge
with a median value of around 15s, when there is no
jammer present. The cTime value is further decreased
to a median value of around 12s, when the non-
blocking bridge setup is used. The presence of a jam-
mer with a txtime of 1ms and pause duration of 10ms
increases the outliers, some scenarios require a con-
vergence time of up to 50s. An astonishing result can
be seen for the non-blocking mode. The presence of
the jammer decreases the median cTime by around 2s.
Hence, in this case the attack reduces the convergence
time, because jamming messages trigger PPC trans-
missions by the nodes, cf. Section 3.2. This behavior
speeds up the network built-up, by increasing the
probability that more MANET merge processes are
conducted in parallel. Nevertheless, it has to be men-
tioned that this is only possible when the jammer is
unable to consume more bandwidth.

Figure 3 Impact of jamming on partition degree

In Figure 3 we are presenting results for a jammer
with txtime values between 300ms and 700ms, each
transmission is followed by a 100ms pause. The y-axis
specifies the netPaDegree. Additionally, the convSce-
narios value is specified below the corresponding
cTime value.
For a txtime value of 300ms we observe no measure-
able impact. All scenarios have converged, the
netPaDegree remains at 1 and no difference between
non-blocking and blocking bridge setup process is ob-
served.
A txtime value of 400ms increases the netPaDegree to
a median value of 4, when using the blocking bridge
setup. This is also reflected by the convScenarios val-
ue that decreases to around 17%. However, the
netPaDegree only slightly increases for the non-
blocking bridge with a few outliers with values of 2,
and 3 partitions. The corresponding convScenarios
value decreases also slightly to around 97%.
249

The same trend is observed when the txtime is further
increased. The partition degree increases to a median
value of 11, when the jammer applies a txtime of
700ms. In contrast, the same jammer configuration is
only able to increase the network partition to a median
value of 7, when SEAMAN nodes are using the non-
blocking bridge setup.
When considering the convScenarios metric values,
we observe a significant decrease of the number of
converged scenario with increasing txtime.
5 Conclusion
We have identified SEAMANs most vulnerable pro-
tocol phases: during its network build-up phase and
the periodically conducted re-keying. A jamming at-
tack during these phases will be able to increase the
network partition degree.
However, attacking a fully converged MANET will
not change its partition degree. Nevertheless, nodes
will respond to the messages send by the jammer,
which increases the network load and may influence
services, e.g. voice services.
The retrieved simulations results indicate that a short
duration jammer is partially able to increase SEA-
MANs convergence process. It has to be remarked
that this is only possible, when the underlying network
offers sufficient network bandwidth.
Additionally, simulations confirmed that a jammer,
which uses a sent duration of more than 400ms is able
to significantly disturb SEAMANs convergence pro-
cess, which poses a significant threat.
As a result, we propose that future work should focus
on SEAMANs vulnerable phases. Adequate mecha-
nisms must be proposed and evaluated to provide
more protection against jammers during the critical
phases.
References
[1] Bongartz, H. H.-J.; Ginzler T.; Bachran T.; Tuset
P.: ,,SEAMAN: A Security-Enabled Anonymous
MANET Protocol, NATO Research and Tech-
nology Organisation, 2008
[2] Bosch T.; Hrr R.; Tlle J.; Antweiler M.:
,,Evaluation of a Security-Enabled Anonymous
MANET Protocol (SEAMAN), manuscript
submitted for publication at IEEE Globecom,
2011
[3] Hrr R., Bosch T.; Tlle J.; Antweiler M.:
,,Analysing SEAMANs bridge Mechanisms,
manuscript submitted for publication at
MCC2011, 2011
[4] Bachran T.; Bongartz H. H.-J.; Tiderko A.: ,,A
Framework for Multicast and Quality based
Forwarding in MANETs, In Proceedings of the
CCN 05, 2005
250
Enhancing Information Security with Universal Core
Approach
Alexander Lw
Data-Warehouse GmbH
Beethovenstr. 33
85521 Ottobrunn/Munich
+49 89 660 393 0
info@datawh.de

ABSTRACT
This presentation will give an overview about next generation
software architecture approaches to enhance security in business
and governmental Software solution environments. The
presentation describes the scientific approach to provide
integrated frontend and backend solutions within a secure and
flexible architecture. This paper consists of two chapters. First
building individual business apps solutions and to provide a
secure backbone (and frontends). This technology example
explains how of providing secure databases, application servers
and frontends can be standardized to a universal core approach.
This approach generalizes the backbone to a security-approved
universal use database and secure application architecture.
Samples from data management systems of modern combat
aircrafts like Eurofighter will provide some practical experience
and potential areas for research.
Categories and Subject Descriptors
D.2.12 [Interoperability]: SOABased Data Exchange and mobile
application architectures .
E.2.4 [Data Storage Representations]: information abstraction
layer, metadata driven data management
J.1 [Administrative Data Processing]: providing secure mobile
applications
General Terms
Management, Performance, Design, Economics, Reliability,
Experimentation, Security, Standardization, Legal Aspects,
Verification.
Keywords
Mobile business apps, individual applications (Apps), universal
core, metadaten driven data management, secure databases,
historisation, cloud computing, social web computing,
collaboration
1. INTRODUCTION
Building individual business applications will be one of
challenges, because of the implicit existing complexity of
business workflows and decision pathes on the one hand and of
the simplicity of the end user devices like mobiles on the other.
Todays approaches offers tendencies to simplify complex
circumstances with the danger to simplify decision background
information (overcompactness) or in contradiction to overload
mobile applications with functionality and density to make it not
usable. Due to the limitation of mobile devices the information
needs to be sized to the media carrier like a mobile, a PDA, a
tablet or even a notebook. Every media device have its special
strength and is only able to allow the maximum use with
optimized presentation and frontends. All this would be a
challenge, but with the trend of multiple plattforms (n mobile, m
PDA, x tablet, y notebook manufacturer) the typical complexity
will be n*m*x*y (different plattforms, operations systems,
resolutions, user interfaces, security features, security impacts)
and with that impossible to handle individually. The following
architecture is a result of a several year work inside big
enterprises in the area of logistics, transportation and military
aircraft. The combination of fast changing business on the one
hand and reliable, trustworthiness, security on the other lead into
an architectural approach which roots began 15 years before and
had proven its future readiness until today.
2. INDIVIDUAL BUSINESS APPS
2.1 Information system paradoxon
Before starting building business apps nearly every modern
approach requires a requirement capturing (e.g. Process
defintions, UseCases), a logical information (and/or database)
model, a system architecture, a programming architecture, a
database architecture etc.
Most of the work is broke down to a very small level of
workpieces so that the resulting application can be provided by
everyone regardless if the people are working nearby or realizing
it offshore. This approach implies that every member of the
working team is working nearly at optimum level and best
expertise is available. Results in the past years had proven that
this approach will lead into a complexity level which is not easy
to handle. To reduce failures enormous effords are spend in
quality assurance and testing of these solutions. As this will not be
enough the aggregation and merger of companies will produce
more products with more specialized functionality and even more
complexity. Once started this approach will lead into the today
usual technology and complexity trap which freezes companies
into one technological direction, regardless from the
manufacturer. A typical success story will bring the project leader
of such a project into a net higher position, because he had
successfully implemented such a standard platform. Getting down
into deep he had successfully implemented a high complex
network of usual about 20.000 tables inside a database which
contain information in a non normalized way. These tables are
structured in a standard way in which every possible task of any
customer is supported. As a single human is not able to master a
complex datastructure like this is, the enormous effords are more
than easy to explain. In historic approaches of data management
the most efficient way of handling information was the real
success. Most of actual Standard platforms try to strengthen the
addiction to their technology with a maximum of complexity. This
antagonism between efficiency and today life technology im
calling the todays information system paradoxon.
251
2.2 Architectural approach UniversalCore
To enable flexible, individual solutions the customer needs to
clarify his information structures. This includes a methodology of
collecting information objects and their dependencies. Identifying
and collection this information objects is a common way of
building logical data models based on business requirements and
processes. In my approach this stage is the pure business
requirement, which the end-user needs realized.
This logical model includes informationobjects as a generalized
representation of the real business objects. It consists of attributes
and relations between these attributes and objects. As this is
already included in object databases it is state of the art. The
advantage of a new approach will be generated if it will be
possible to freeze this object into a special layer which provides
independence from the actual technology. This layer should
manage the technical database system and the views to the result
sets which are needed by following layers. In addition the Layer
should also handle the history of the information and some
additional information for example legal information, sources etc.
This layer encapsules the information from technical aspects
and keep (holds oder stores) the information and their
dependencies. Simplified described: To hold the logical
datamodel and the corresponding data in one area. A big (The
great advantage is the ) advantage would be the separation of
database development processes, which now can be driven
independent from datamanagement process, if the environment
supports the automated generation of simple standard applications
like master data management or reports.

This approach needs to be neutral this means it could be used
by every business application inside the company. Data Exchange
is included by integrated Import and Export Areas. An Export
Area consist of a single or a set of views, which are made
available to a group of users..
Users can also use other systems or platforms. In completion to
this the User will be supported by needs (requirements) and
workflow optimized Applications. All this is running on a
standardized Infrastructure to minimize administration.
These Cores are categorized in specialized Tasks (departments).

The following picture shows the use of several cores inside a
Company. The enduser doesnt need to know which special task is
solved by which department. He uses functionality provided by
his company-cloud. This approach combines existing
technologies like cloud-computing, SOA to a new approach. The
use of the UniversalCores enables standardization and efficiency
inside the company. The Core has only to be developed once and
can be used many times in different tasks.

2.3 Metadata management
To support this encapsulation layer the architecture need to be
managed by metadata based datamanagement. The separation
from technical representation and logical model provides the
needed flexibility and abstraction to build individual optimized
databases without repeating standard problems. Best practice
experience and user-requirements in metadata management lead
into the following requirements to the data management system:
- Metadaten driven multilayer object oriented Data
Warehousing similar repository system
- Object classes, object attributes, inherence, object
hierarchies
- Logical datalayer model offers a transparent and a
historical bi-directional view regarding to timesaxis
- automated protocolled auditing
Figure1, Information capsule
Figure2, Universal Core Platform
Figure3, UniversalCore based Information Management
252
Layers within the DWH Technology
Object Defini tions
Slow
Change
Data
Frequently
Change
Data
Events &
Unplanned
Data
Hierarchy
Relations
Job Scheduling
Transformation
Rules
User
Management
Application
Rules
(Option)
Filter
Rules
(Option)
Calculations
(Option)
V
a
r
ia
b
le
s
(
O
p
tio
n
)
S
o
u
r
c
e
D
e
f
in
it
io
n
Object Classes / Attributes
Hierarchy
- separation of logical and physical primary keys to
publish normalized data without loosing original
datastructure.
- Generalisation of physical structure and dynamical code
generation reduces efforts for indexing, primary keys
and foreign keys to zero.
- Reduction of equal datatypes with efficient references
and storage in generalized standard datatypes.
- Categorisation of data, this means different
characteristics of data dependent from its defined
context (e.g. language, currency)
The separation of layers enable the encapsulation framework to
focus to the management of data. A example of a Architectural
framework is shown below:

The result of this architecture lead into a selfenhancing
environment. Standard datamanagement tasks could be performed
by standard applications like described in Figure 5.

Standard Applications which could be generalized are typically:
- Administration Applications
o User/Role Administration,
o Administration of logical Datamodel,
o Administration of User defined Views and
Analysis,
- master data management application,
- Analysis functionalities, User defined Views for Data
analysis, Basic Data visualisation
- Data Exchange applications.
Long term expeirence have proved that 70% of basis functionality
can be covered by these standard applications.
2.4 Database architecture
To build up a flexible and reliable architecture the database
concept and model is one of the most important aspect of the
backbone. In order to support this, the architecture needs to be
stable, easy to maintain, transparent and flexible enough to be
open to future enhancements. The basic concept consists of a task
oriented structure for the areas of metamodel storage, data
storage, the management area, the application definition area and
user/role area.
The metamodel storage area contains the definition of classes,
attributes, relations and class inheritance (hierarchy). The
definition is also managed by metadata like domains, timeslices
etc.

The datastorage is separated in three different areas:. The first
area contains the slow changing data like reference or master data
and contains validity values for identifying valid or invalid data.
The second area contains massdata which are all time valid and
could be lead back to a single time event (shifts, time loaded etc.).
The third area is reserved for events which happen and cannot be
allocated to the both other areas (e.g. trafficjam or backlogs).
As an agent between both storages the management area
organizes the integrity and interaction of all areas. This defines
the systemheart and needs the most effort to be reliable and best
tested. The management area consists of several layers where
packages and code generation is performed. This provides the
database views and manages how to handle this view (access,
read/write ability, , etc)
Additional the application area contains metadata needed for
applications, like definitions, styles, setups etc.
Last but not least the user and role management handles the
access privileges additional to the database built in security. As
the data is held in a separate way the user rights need to be
organized.
Figure 6, physical database areas
Figure 4, Metadata System Architecture
Figure 5, Metadata based Data-Management Process
253
The Database architecture contains with all the modules a
complete engine to define and manage reliable data to solve
nearly every requirement.

2.5 Middleware
Most of the business intelligence is stored inside the abstraction
layer, so the middleware is needed to present the applications to
the user, support other architectures, support Services and handle
the frontend applications for a web presentation. This layer is
needed for reliable data exchange like figured below, if this is
needed.

2.6 Frontend applications
On the top level of this architecture the developers are open to
decide which frontend the need to use. As the database layer
provides standard database views the development is absolutely
free how to present this data. Standard frontend platforms are at
the moment Oracle Forms on Oracle Middleware and
RubyonRails on Apache Middleware. Both extended with Java
and actual frameworks. In the beginning of the development the
metamodels where managed via other tools like MS-Excel, MS-
Access or development environments like Centura or simple
HTML with a Coldfusion Server. This gives a short overview how
easy it is to exchange frontends. The frontends can easily adapted
to any new technology, because the database architecture ensure
that the data-views have all the time the same structure. With this
background the development towards mobile application becomes
more easy.
2.7 Integrated Security architecture
The last important aspect, also regarding to our history of building
up this architecture is the security aspect. To provide a secure
architecture it was needed to split the system into several
schemas.
This architecture defines three different schema areas:
The basic schema which contains the heart of the system. It
consist of the business data, the meta data, all the packages, stored
java modules, scheduler jobs etc. Access is only possible via
system grants.
User-x schema contains the logical data model represented by
views in to the basis schema and knows only synonyms to the
basis schema. This ensures the separation between both areas.
This contains also the business logic based on PL/SQL, Java etc.
and define Grants to the application schema .
The application schema access also controled via synonyms to
user-x schema and contains now a individual view to the data and
datastructure as the basis for the applications.
This stepped approach ensures that no application is able to have a
direct access to the backbone-data and handles many clients this
separation supports also the clustering into specialized tasks. All
schemas are open to be additional encrypted to provide more
security. Also manipulation or attacks can only be performed
through the particular layers. This approach is easily extensible to
enhance security or provide sandboxes to attackers.

3. DATAEXCHANGE ARCHITECTURE
The dataexchange architecture consist of several supported
approaches. The easiest is a direct online access to the views via a
database link with ODBC, JDBC, ODI etc. This enables every
granted application directly access to the information to work
with. The next level is the definition of user-defined views and
access via a standard application. This applications allow the user
to analyse the data, to export it in several formats (XML, EXCEL,
WORD, PDF, ASCII,..) and forward it to the target system. The
third level is a trigger managed dataexchange platform which
enables workflow driven data exchange with other systems. This
can be a service bus, web service and is integrated into the
middleware. This enables dataexchange with legacy systems or
enterprise applications, also SOA-buses can be addressed and
managed in a simplified way to get information into and out of the
system. One important aspect with the workflow driven approach
is the possibility to have additional quality assurance processes for
data exchange. The intelligent identification of data packets and a
separation into known and unknown formats/structures enables
different handling of these data. The known data will be sent into
a import area which enables the user to have a pre-loading
assurance to optimize data quality and get a direct (automated)
Figure 7, Database Schema Architecture
Figure 8 , Communication Middleware and Webservices
Figure 9 , Security architecture
254
Typical simplified Company interfacing structure (Enterprises >200 Interfaces found)
ERP
agency
compliance
maint
agency
agency
PSSC
MDM
additonal
Systems
Document
Log
HM
IETP
PSS
Industrial
legacy legacy legacy
PDM
SAP
SOA
legacy
ILS
PLCM
BI
Media:
files
email
Excel
Access
Word
PDF
Paper
etc
CRM
FAL
SAP?
feedback to the results of loading this data. To export the data an
similar procedure to define the export-data-sets and to authorize
them is provided (if needed). The different ways are just examples
how data exchange can be performed. As most of the companies
have different infrastructures and approaches every way of
exchanging information is possible.

4. Universal Core Approach
Building up a backbone like described sounds like it will be real
challenge to set up an environment like this. Enterprises need
usually 3 days for setup. Another apect is that we live in a
networked environment it should be no problem to identify the
data and to present it into a mobile application. If the information
infrastructure is optimal organized an well structured, this is
correct. But usually a company consist of a systems infrastructure
which contains several ages of Information technology. Even
companies which complains to have a standardized Application
Plattform like ERP-Systems usually have many users which work
with Excel, access etc. to support the lacks of the central systems.
To collect all this shadow-data into a presentable way a backbone
approach like described support the enduser to get free from the
shadow approach and work towards this central provided
plattforms. As a business mobile App needs to prove a business
enhancement to the actual situation / solution environment. To
enable this enhancements a flexible frontend strategy is needed to
take place as the apps can run on different plattforms like PDA,
Tablet, Notebook. Every platform can consist of different OS,
different sensors, functionalities and security features. The
following description is a application in which people can
communicate with internal functionalities, placing sticky notes on
any website for research issues and as a example of a working
architecture for workflow support on any device.
4.1 Connecting to the backbone
The first challenge for applications is to provide a company
private cloud which enables the business user to access to the
needed applications and data. If the company is able to provide a
backbone like described above the user access only to a applic-
schema which is located in a DMZ. To ensure the information
infrastructure is held inside the company every service from the
backbone to the web has to be devided into separate physical
hardware, if possible with different (hardened) operating systems.
This supports the robustness and prevents from hacking into this
cloud with a single leak. Main advantage is the freedom to choose
any frontend developing infrastructure. This enables most
companies to contiunue with best practice approaches and
minimizes dependencies to any vendor. In addition to this rapid
prototyping, SCRUM and all other software development
methodologies are supported without limiting them. In worst case
even Access or Excel Applications could access to the data inside
the backbone.

4.2 Resulting Universal Core Infrastructure
With implementing a Universal Core Infrastructure companies are
able to support their central systems, enhance functionalities in a
quick way and interface with all necessary information partners.
With a consequent realisation of these Infrastucture model the
company can minimize costs for interfacing and information
management dramatically, because all informations are held
inside one Core. Ideally the new infrastructure will look like in
figure 12 or in figure 3.

Figure 10 , Typical Company interfacing infrastructure
Figure 11 , System Communication Map example
Figure 13 , Individual Application Example
Figure 12 , Universal Core infrastructure example
255
4.3 Summary
To provide a business ready application to the enduser, many
steps in the background have to be taken in advice.
First the security issue. Many manager like to work remotely, but
with the more functionality a mobile is able to perform, the risk of
loosing a danger amount of information increases also. The
business impact can be enormous. How dangerous a leak can be is
shown by the HBGary security company or the crack of Sony
Network.
1
Even in security aware environments the WikiLeaks
disaster is a good example of collecting data without responding
security environments.
Second aspect is the provision of a reliable backbone to support
the companies workflows. The aspect of supporting business
processes to raise the business potentials.
The third aspect of a flexible frontend framework to minimize
customization will be one of the actual challenges to provide
secure business apps. Business needs to be supported without
having months of development.
Regarding to the strategy of companies the provision of business
solutions is necessary to support the mobile worklife. The user
acceptance is directly dependent to the comfort, the time of
provision and the benefit.

1
Henning, Edward, 2011, More background on the US security
firm break in

This directs to the fourth aspect how a business app can be
measured against productivity and quality aspects.
And last but not least the technology has to be discussed with
trades and work council to receive a support for the new way of
work. The danger of people tracking and surveillance is very close
to the benefit.
This aspects can be solved with a Universal Core approach,
because Data is secured, Users are managed, Interfaces are
transparent, individual Applications are central managed. This are
the key success factors for providing a efficient and secure
Information management infrastructure.
5. REFERENCES
[1] Henning, Edward. 2011. More background on the US
security firm break in. heise-online security UK (Feb. 2011),
DOI= http://www.h-online.com/security/news/item/More-
background-on-the-US-security-firm-break-in-1191797.html
[2] Lw, Alexander. 2010. Cost Efficient Information
Management am Beispiel Eurofighter. Presentation at
SASPF Introduction Conference. Bonn
[3] U.S. Army Cio Office. 2011. The Universal Data Core.
DOI=http://data.army.mil/datastrategy_universal_core.html
[4] NISO Press. 2004. Understanding Metadata. ISBN: 1-
880124-63-9
[5] Lw Alexander. 2011. Building efficient mobile business
applications from backbone to frontend.
256
A New System for Mobile Phone Localization for
Search and Rescue Applications
Stefan Zorn, Richard Rose, Alexander Goetz, Robert Weigel, Alexander Koelpin
Institute for Electronics Engineering, Friedrich-Alexander University of Erlangen-Nuremberg
Cauerstrasse 9, 91058 Erlangen, Germany
{ zorn, rose, goetz, weigel, koelpin }@lte.eei.uni-erlangen.de
AbstractRecent statistics show an increase in environmental
disasters, a fact which is also perceivable to the public as
reports of avalanches, earthquakes and landslides mount in media
coverage. Search and Rescue with modern localization techniques
consequently attracts attention from scientic and industrial
sides. This paper introduces one part of the I-LOV project,
endorsed by the Federal Ministry of Education and Research
Germany. Here partners from relief organizations, universities
and industry investigate enhancements to disaster handling and
victim rescue. One possible option is to take advantage of the
fact, that a lot of people own a mobile phone today. Future
developments in the area of mobile phone detection by eld
intensity measurements will be addressed in this paper.
I. INTRODUCTION
In todays search and rescue market there are already several
systems based on tags or hand held devices, which persons at
risk should carry with them. Examples are the RECCO System
or LVS equipment for avalanche rescue. These localization ap-
proaches are suffering from the fact that only a low percentage
of people at risk own such tags. Therefore it suggests itself to
use the most common handheld device: the mobile phone.
One part of Project I-LOV is to nd new approaches on locat-
ing mobile phones in search and rescue scenarios. The focus
lies here on localization of people trapped under collapsed
houses after natural disasters like earthquakes or landslides.
A survey made by the Federal Agency for Technical Relief,
which is the most important partner in this project shows
that about 80% of buried victims carry their mobile phones
with them. Of course their are already some approaches used
by network providers to fulll E-911 [1] specications or
to offer other location based services. The most promising
methods here are cell based like the timing-advance-method
or propagation time based like the time-difference-of-arrival
(TDoA) approach. These techniques achieve only a poor
resolution of 50 m at best, which is not suitable for search and
rescue applications. Of course more and more mobile phones
are equiped with global-positioning-system (GPS) chipsets,
which offer the option of Assisted-GPS (A-GPS) localization.
To use A-GPS the GPS chip needs a line of sight to at least
four satellites, which is seldom possible for trapped victims.
The tragic earthquake in Haiti in 2010 can be considered as
a typical scenario [3]. Taking everything above into account
shows that a new approach is necessary. This approach should
use the advantages and solve the disadvantages of mobile
phone localization.
II. THE SYSTEM APPROACH
Fig. 1. Layer Model.
In 1982 the Global System for Mobile Communications
(GSM) was invented and since then has become as a world-
wide standard. Even today in times of 3rd generation (3G)
and long term evolution (LTE) GSM is still the most common
mobile standard. GSM also has another advantage besides the
wide spread use. The lower the frequency of electromagnetic
waves the better the propagation through debris or concrete.
GSM offers a communication band around 900 MHz called E-
GSM 900 with uplink frequencies from 880 MHz to 915 MHz.
These frequencies have good propagation characteristics for
use in search and rescue applications. The attenuation caused
by e.g. broken walls and concrete is low compared with other
standards.
This newly presented system uses both eld intensity measure-
ments and an approach on TDoA simultaneously. The TDoA
approach will be addressed in a later publication. To locate a
mobile by its radiated eld strength it rst of all needs to be
forced to send a message. This message must be repeatable
as often as needed in a period of time. Because GSM was
once designed not to be easily located this appeared as the
biggest problem. In the following is described how such an
transmission request is achieved and a localization by radiated
eld strength takes place in this new system (Compare Fig. 1,
Layers 1, 2 and 3).
257
A. Step 1: Jamming
Because the GSM protocol is very strict, full control of the
mobile to be located is needed. This can only be achieved by
setting up a GSM base station locally. There are GSM base
stations (BS) commercially available but they are too big to be
portable and too expensive to afford in big numbers by rescue
organizations. Furthermore a standard BS does not provide
all functionality needed for localization purposes. Therefore
the decision was made to build a customized BS for project
I-LOV (Figs. 2 and 4). First of all it is necessary to cut all
existing connections between the mobile stations (MS) in the
area of interest and the BS of the native network providers.
This is important because the MS will not connect to the I-
LOV network unless no other ofcial network is present. This
is achieved by the rst part of the I-LOV BS, the jammer
(Fig. 2, green). A GSM and 3G scanner searches for all
present provider BS and transmits all found channels and
associated power levels to the PC. Here the data is conditioned
and fed to the jammer. The jammer calculates and generates
channel specic interference signals. In case of GSM900 200
kHz wide white noise signals are generated. This noise shaping
process is implemented on a FPGA. A detailed explanation
on the jammer function will be topic of a separate paper. The
generated signals are up-converted to RF, amplied by a 10 W
power amplier and emitted by a tri-band antenna with a gain
of 7dBi .
B. Step 2: Log in of victim mobiles
When a MS does not see any other networks according to
the GSM protocol [2] it has to connect to the I-LOV network
to at least provide emergency calling capabilities. The MS
connect one after another on to the I-LOV network where the
different MS are listed and allocated a phone number. Every
logged in MS receives automatically a SMS message, which
e.g. tells the victims not to switch off their mobiles and that
rescue operations are underway. The core of the I-LOV BS
forms a software dened radio (SDR) platform (Fig. 3).
This platform consists of an FPGA where buffering, interpola-
tion and decimation are realized and two mixed signal frontend
modules to generate and to process the IF-signal. In each case
a RX and TX frontend is included to generate or to process
the RF-signal. The interface to the host PC builds a USB 2.0
connection. The used GSM software stack is capable of all
important steps to generate and process GSM signals:
converting signalization and speech data to GSM protocol
conform bursts
modulation and demodulation of those bursts
synchronization with the time division multiple access
(TDMA) frame structure.
C. Step 3: Identication of non victim mobile phones
It is a fact, that nowadays search and rescue organizations
not only use their (digital) radios like TETRA. It happens
often that connection fails and they need to use their own
private mobile phones. Consequently a lot of staff members
but also members of the press and curious onlookers carry their
Jammer
3G
Jammer
GSM
PC
SDR
BS
Scanner
Frontend
Frontend
Frontend
Power
Fig. 2. Simplied schematic of the I-LOV BS.
DAC
DAC
Fig. 3. Simplied schematic of the SDR BS.
mobiles with them near by the demolition site. Those MS have
to be separated from those owned by potential buried victims.
Different options are used:
First of all all persons who are not urgently needed in the
area of interest should leave the site. Onlookers and the
press should also be forced to keep a distance of at least
200 m. Those people can be informed by a short message
sent to all MS in the area of interest. The transmitted text
can be adjusted easily.
It is possible to collect all International Mobile Subscriber
Identity Numbers (IMSI) of the mobile phones of the
rescue staff. The IMSI is stored on the Subscriber Identity
Module (SIM-Card) in every phone and is used to identify
the subscriber in the GSM-network. The I-LOV system
can be programmed to ignore all IMSI in a certain list.
The third and most powerful option is the use of the
TDoA approach in the I-LOV system. Here moving
targets can be identied very fast and added to an ignore
list. Moving targets of course are considered not to be
258
buried.
D. Step 4: Localization
Once all reachable MS are logged on to the I-LOV network
one after another can be forced to send locatable signals using
different methods:
1) The classical call: One possible option would be to
initiate a classical call. Such calls are called mobile termi-
nated calls (MTC). Here a paging channel is opened and a
measurable communication between BS and MS starts. It is
possible that the victim answers the call and tells the rescue
squad where to nd it. But even if this scenario is possible it is
not the most likely. Therefore a new, modied MTC (MMTC)
was implemented in the I-LOV network.
2) The Modied MTC: Here the handling of the call has
been changed. The paging will not lead to a ringtone of the
MS but to a stable channel between BS and MS. Where
a normal MTC would be terminated automatically after a
certain time of no response, the MMTC will not. Also the
automatic transmission power control of the MS is switched
off so the MS can be forced to send constantly with maximum
power. Now the rescue team has enough time to locate the
signal with a special developed hand set. This hand-held
device is designed to measure the radiated eld strength of
a MS. It will have directional antennas and special signal
processing optimized for nding the origin of GSM signals.
Also positioning capabilities like a compass module and a
inertial measurement unit will be included. The hand-held in
detail will be topic of a separate publication.
III. FIRST FIELD TEST
The rst eld test took place in Hartheim, Germany near the
French border on a former exercise area of the Bundeswehr.
Here the Federal Agency for Technical Relief built up several
training and testing sites for the I-LOV project partners. The
following is a short description of the results.
A. Measurement Setup
Figure 4 shows the basic measurement setup which consists
of the new I-LOV BS explained in section II, a Rohde &
Schwarz ESPI test receiver for measuring the received signal
strength of the MS to locate and a directional antenna Rohde
& Schwarz HE300 for the frequency band of interest.
B. Testing site setup and results
The system was set up about 30 meters besides two different
testing sites. Both of them with a scale of approximately
15 m x 5 m x 2 m. The GSM cell spanned by the I-LOV
BS at this development stage has the size of about 130 m x
100 m which is enough for most scenarios. However this will
be enhanced in an next step to get more buffer for difcult
operational areas where the system can not be set up near by
the accident site or where MS are buried very deeply. On both
testing sites a localization experiment was made. The rst site
consisted of a wooden chamber where persons or in this case
MS could have been hidden and upon it smooth debris like
Fig. 4. Measurement Setup.
sand, dirt, broken bricks and other rather small material. This
site should simulate the breakdown of a residential building.
This area was very homogeneous and packed. Therefore the
attenuation characteristics have been homogeneous but quite
strong. After we started the I-LOV MS localization system
(I-LOV MSLS) rst of all the few other BS operating in this
area have been successfully jammed. As an effect the buried
mobile immediately logged on to the I-LOV network. Due to
the homogeneous material it was easy to nd the origin of
the strong signal radiated by the mobile. Only the near wall
(compare Fig. 5) created a second maximum because of strong
reections (multipath propagation) which was easy to identify.
The MS was found in less then 3 minutes with an accuracy
of about 10 cm. The location of the mobile of course was not
known by the searching staff prior to that.
Measured Maximum
Hidden Mobile
Fig. 5. Smooth debris structure.
The second test site (Fig. 6) consisted mainly of big concrete
blocks over a similar wooden chamber. Here a collapsed
ofce building was simulated. This time two equal eld
strength maximums were measured. The two maximums were
measured right at the left and right edge of a big plate of
concrete which lied directly over the hidden mobile. Of course
the mobile was located but this test proofs something else.
In scenarios where big debris blocks barricade the way to a
259
victim the I-LOV MSLS shows not the direct way through
the barricading blocks but an even better way around the big
blocks. After this measurement it is clear that the victim is
located under the plate and the measurement also showed the
easiest way to reach the victim, similar to what rescue dogs
would nd because of ventilation.
Measured Maximum 1 Measured Maximum 2
Hidden Mobile
Fig. 6. Concrete debris structure.
220 m
Fig. 7. Extrapolated jammed area with 10 W PA.
Further on a full power test of the GSM jamming unit
was possible. With a 10 W power amplier (PA) an area of
220 m220 m could be spanned where no phone calls could
be established. (Fig. 7) shows the extrapolated jammed area.
Because of strict regulations only few measurements could
have been performed.
IV. CONCLUSIONS
In this paper a new system for mobile phone localization in
search and rescue scenarios has been introduced. The system
approach has been explained and the big potential also has
been demonstrated. First measurements at a eld test have
also been presented. Here the rst proof of concept has been
shown successfully and with very promising results.
Furthermore it is possible with the I-LOV system to set up an
own GSM communication platform which could be used by
all different rescue squads. At this design stage two calls can
be handled at the same time but it can be expanded without
any effort.
ACKNOWLEDGMENT
The authors would like to express their gratitude to the
German Federal Ministry of Education and Research, which
made all this possible with its funding and the German Federal
Agency for Technical Relief (THW) for the very useful test
site and fruitful cooperation.
REFERENCES
[1] Wang, S.S.; Green, M.; Malkawa, M., E-911 location standards and lo-
cation commercial services, Emerging Technologies Symposium: Broad-
band, Wireless Internet Access, 2000 IEEE.
[2] The 3rd Generation Partnership Project (3GPP), PS based Emergency
Call in Rel-5, 3GPP TSG CN Plenary Meeting #11,Palm Springs, 2001.
[3] Bundesanstalt Technisches Hilfswerk, THW-Koordinierungsteam startet
nach Haiti, www.thw.de, January 2010.
[4] Zorn, S. and Maser, M. and Goetz, A. and Rose, R. and Weigel, R.;
A power saving jamming system for E-GSM900 and DCS1800 cellular
phone networks for search and rescue applications, Proc. IEEE Topical
Conf. Wireless Sensors and Sensor Networks (WiSNet), 2011, pp. 33-36
260
Multistatic 96 GHz rotating W band radar for passenger inspec-
tion on airports
Sebastian Hantscher, Fraunhofer FHR, Germany
Beverly Schlenther, Fraunhofer FHR, Germany
Stefan Lang, Fraunhofer FHR, Germany
Manfred Hgelen, Fraunhofer FHR, Germany
Helmut Essen, Fraunhofer FHR, Germany
Axel Tessmann Fraunhofer IAF, Germany
Abstract
The paper describes the setup of a rotating 96-99 GHz millimeter wave FMCW radar for passenger inspection on
airports is presented. The radar frontend consists of 5 receive channels in order to look the person under test from
different aspect angles. A special focus is on the calibration of the integrated VCO of the radar module. Its non-
linearity has to be compensated precisely in order to avoid distortions of the intermediate frequency phase lead-
ing to a degrading of the image resolution. Test measurements performing a 360 degree scan show the ability of
the scanner to detect and localize dangerous metallic as well as non-metallic objects worn concealed under the
cloths.

1 Introduction
The failed attack on a flight to Detroit showed the vul-
nerability of current security systems on airports
Common metal detector systems require time-
consuming manual inspection and are just able to de-
tect metal objects. That is why upcoming technologies
are currently under close scrutiny. Emerging person
scanners like X-ray scanners or full body scanners
seem to be harmful or are questionable regarding the
privacy. Moreover, the suicide belt attack on the Mos-
cow Domodedowo airport showed that the airport se-
curity concept must not be restricted to the checkpoint
but has to be extended to the whole airport; that means
a person wearing dangerous weapons such as firearms
or suicide belts has to be stopped at least at the airport
entrance area. This requires a covert scanning proce-
dure, i.e. by a sensor operating in-ground or above the
person on the ceiling. Furthermore, no additional wait-
ing times have to be arised and the influence on natu-
ral passenger flow has to be kept as low as possible.
That is why it is important to image moving persons,
i.e. passengers standing on a moving walkway.
In this contribution, a W band person scanner is pro-
posed enabling a 360 scan. With this full-body meas-
urement, a comprehensive detection of hidden objects
is possible within a few seconds. For obtaining echoes
from different aspect angles, a coherent multi channel
set up using an HEMT based FMCW radar transmitter
and a W band 4 channel receiver has been developed.
The radar raw data are processed by the synthetic ap-
erture principle enabling the high resolution with si-
multaneously small antenna apertures. Tests measure-
ments show, without affecting the privacy of the per-
son, that metal objects are detectable as well as
dielectric ones. These data might be utilised as the in-
put for forthcoming radar systems.

2. Security Concept
The overall objective of the new concept is to contrib-
ute to improve the security in the airport area by at
first detecting and identifying the presence of hazard-
ous materials or tools worn concealed (under clothes
or inside bags) by ill-intentioned people. This task is
solved by using 2 radar systems operating in the band
of 15- 35 GHz and in the W band which is described
in detail below. Those people which are identified as
suspicious by the radar systems are tracked throughout
the airport terminal so that they can easily be localized
by security operators [1]. This procedure should be
carried out with preferably minimal interference with
the passenger flow or the airport operations. For this
purpose, passengers will already be screened when
they enter the airport terminal. Figure 1 shows airport
entrances equipped with netted radar sensors which
indicate after the evaluation of the raw data if a person
is suspicious or not. In the airport area, devices for
tracking are distributed to track them.

261

Figure 1 Distribution of the detection and tracking
sensors of ATOM system in the airport area

3 System setup
The radar sensor used for the demonstrator described
here operates in a FM-CW mode, thus guaranteeing
the highest possible average power. The monolithic
microwave integrated circuit of the 94 GHz radar
module includes a varactor tuned VCO with injection
port, very compact transmit and receive amplifiers and
a single-ended resistive mixer [2-3]. The radar module
has separated transmit and receive channels which is
equivalent to a bistatic setup. This is important to
yield a high dynamic range. In a monostatic configura-
tion, an additional electrical separation between
transmit and receive chirp is necessary which, how-
ever, does not work perfectly leading to an unintended
cross-talk from the transmit to the receive path.
Two photographs of the radar modules is depicted in
Fig. 2a. It has 6 connectors for the RF input and out-
put (W band waveguides), the intermediate frequency
(IF) outputs (I and Q signal) as well as the ports for
the voltage and the steering of the voltage controlled
oscillator (VCO). The technical data are shown in Fig.
2b. The usable frequency range spans from 95.8 GHz
to 99 GHz at a tuning voltage variation between 1.5
V to +1 V giving a bandwidth of around 3 GHz and

(a)

(b)
Figure 2 W band FMCW radar module developed at
Fraunhofer IAF, (a) photograph, (b) frequency and
power characteristic

Figure 3 Block diagram of the multistatic radar front-
end

thus, a range resolution of 5 cm. The FMCW signal
output power is nearly constant at 10 dBm.
Fig. 3 shows the block diagram of the whole RF setup.
A small part of the transmit chirp is coupled by a di-
rectional coupler. This signal feeds a W band receiver
module and is distributed by an internal power divider
to the mixers. Because all receive signals are mixed
with the same chirp signal which is derived by the

Airport Area
To airplanes
Airport entrances
(Detection of dangerous tools)
Devices for
tracking
Data fusion and advanced tracking
262

Figure 4 Acquisition board for data acquisition, A/D
conversion and signal amplification

Fig. 5 Simulated adiation pattern of a W band horn
antenna

mother oscillator, a coherent reception is realized. The
receiver output yields the intermediate frequency sig-
nals which are digitized by the board in Fig. 4. The
antennas we used are rectangular horn antennas with
20 dBi gain (Fig. 5). They have the advantage of be-
ing directly connected to the W band waveguides
without waveguide transitions which could probably
cause reflections.
3. Calibration
A crucial step before any radar measurements can
be carried out is a precise calibration. The reason why
a calibration is necessary is the non-linear behaviour
of the VCO. If the voltage would be swept linearly,
the frequency would increase in the same non-linear
way like the red curve in Fig 2. If a single target
would be measured a sinusoidal IF signal would be
expected, however, due to the non-linear chirp, the
phase of the IF signal is non-linear, too, resulting in a
smeared peak after the Fourier Transformation making
a determination of the target range quite impossible.
That is why, the VCO has to be fed by an appropriate
non-linear tuning voltage. For practical reasons, this
curve is approximated by piecewise linear voltages, as
illustrated in Fig. 6. A microcontroller supplies the
slope values of each part of the voltage curve. After an
A/D conversion, the slopes are integrated to voltage
ramps which are transferred to the VCO input. An ad-
ditional voltage offset can be added in order to steer
the VCO in a certain frequency range.

(a)

(b)
Figure 6 Generation of VCO tuning voltage, (a)
principle, (b) block diagram

(a) (b)

(c) (d)
Fig. 7 (a) distorted IF response of a corner cube, (b)
distortion compensated response, (c) unwrapped phase
of signal from (b), (d) voltage ramp

To carry out the calibration, a corner cube at a dis-
tance R
C
has been measured. Theoretically, the IF sig-
nal ( )
n dis
t s should be harmonic, however, in practice
it is distorted by VCO power variation and beat fre-
quencies caused by impedance mismatch of the an-
tenna and FMCW module. In order to remove the dis-
tortion, the upper and lower envelope curves
( )
n dis
t s
)
and ( )
n dis
t s
(
are determined as shown in
Fig. 7a:
Integration
263

(a) (b)
Fig 8 a) radar image (front view), (b) optical image of
the person to be screened

( )
( ) ( ) ( ) ( )
( ) ( ) ( ) 2
2
n dis n dis
n dis n dis n dis
n
t s t s
t s t s t s
t s
( )
( )

=
(1)
With this result ( )
n
t s depicted in Fig 7b, the phase
can be determined by simply application of the arcus-
sinus. However, an one-dimensional unwrap algorithm
has to be applied to overcome the phase ambiguity of
. For an ideal voltage ramp (shown in Fig. 7d), the
phase becomes highly linear. In the case that the there
is a difference between the measured and expected
phase, which is given by

( ) ( )
( )
0 exp
0 exp exp
4
2
t
N
n
c
B R
t t f t
Int
Chirp C
n IF n

+ =
= + =
(2)
then the slope values of the microcontroller are
adapted.
4 Results
The radar system has been validated by a measure-
ment. A person is standing in the middle of the scanner
wears an explosive simulant on the stomach and a
grenade on the belt on the left side of his body. For the
measurement, the items. have been concealed by a
down jacket. Figure 8b shows the radar image ob-
tained by applying a backprojection approach to the
raw data. During this processing, the radar data were
focused and mapped to a cylindrical surface with a
radius of 20 cm. The radar head was moved in 1280
steps with a radius of 55 cm around the person under
test yielding measurement time of 8 s at a pulse repeti-
tion frequency of 160 Hz. The achievable resolution
was 3 mm in cross-range and about 5 cm in range ac-
cording to the bandwidth of 3 GHz. Both, the explo-
sive stimulant as well as the grenade could be detected
and localized on the body.
5 Conclusion
In this paper, a new security concept for increasing the
airport security was presented. In particular, we intro-
duced a millimetre imaging radar operating from 96 to
99 GHz which will be part of the final sensor system.
All 5 channels have been setup coherently in order to
investigate the phase differences between the chan-
nels. The isolation between the channels is better than
40 dB. For obtaining undistorted IF signals, the VCO
of the radar module has been calibrated by a piece-
wise linear voltage curve consisting of 40 slope val-
ues. Based on a circular aperture, the scanner is able
to detect various hidden items on the body of passen-
gers by a 360 scan. The scanner is able to detect not
only firearms but also ceramic knives which cannot be
detected by common metal detectors.

Acknowledgement
The authors wish to acknowledge Gunnar Briese and
Daniel Nthen for the assistance and support in setting
up the radar system.
References
[1] Description of work of EU-project ATOM, sev-
enth framework programme, theme #7 transport
(including Aeronautics), Grant agreement no.:
218041
[2] M. Haegelen, S. Stanko, H. Essen, G. Briese, M.
Schlechtweg, A. Tessmann, A 3-D millimeter-
wave luggage scanner, 33rd International Con-
ference on Infrared, Millimeter and Terahertz
Waves, 2008.
[3] A. Tessmann, S. Kudszus, T. Feltgen, M. Riessle,
C. Sklarczyk, W. H. Haydl, "Compact Single-
Chip W-Band FMCW Radar Modules for Com-
mercial High-Resolution Sensor Applications",
IEEE Transactions on Microwave Theory and
Techniques, vol. 50, no. 12, pp. 2995-3001 De-
cember 2002.
[4] G. Briese, Entwicklung einer Steuerung fr ein
8 Kanal FMCW-Radararray Diplomarbeit FH
Aachen, 2007 [in German]

The Project ATOM was funded by the European Union, 7
th

framework program, Theme #7 Transport (including Aeronautics),
Grant agreement no.: 218041
264
A multichannel scanning receiver system
for surveillance applications
Frank Hausknecht, Raphael Mzyk, Gunther Dehm-Andone,
Georg Fischer and Robert Weigel
Institute for Electronics Engineering
University of Erlangen-Nuremberg, Erlangen, Germany D-91058
Email: {hausknecht, mzyk, dehm-andone}@lte.eei.uni-erlangen.de
Telephone: +49 9131 85-{27192, 25023, 27185}, Fax: +49 9131 302951
Abstract
The aim of the present work is to develop new approaches on surveillance receiver systems offering extended
frequency range, bandwidth and scanning speed at reduced cost, size and power consumption.
In this paper, the architecture of a multichannel receiver and its interfaces is proposed. New approaches have
been developed to handle multiple channels both faster and with less hardware effort. Design considerations for
such systems are explained. One of the key design considerations is where to put the crossing between analog
and digital domain. Detailed focus is put on the digital part of the receiver which controls both the analog and
digital front end and handles the received data.
1 Introduction
1.1 Research goals
The use of wireless mobile communication systems is
ubiquitous. Within the last decades there was an im-
mense growth both in civil and military applications.
The trend goes towards systems occupying higher
frequencies and bandwidth. But these systems may
also be used e.g. by terrorists or other criminal forces
which makes it necessary for governmental institu-
tions like police or military to be able to monitor
wireless communication. This poses the need for fast
scanning receiver systems covering a wide frequency
range with high bandwidth.
1.2 System specifications
The proposed surveillance system is intended to de-
tect and classify signals, bear and localize radio emit-
ters, as well as interpret and archive information. It
consists of multiple sensors and a central data fusion
unit (host). A sensor is formed by the combination of
at least one receiver with a local computer that also
sets up the receivers. A single receiver comprises a
central processor that parameterizes one or more re-
ceiver hardware channels (see Figure 1).
The sensor system offers an analogue input bandwidth
covering 30 MHz up to 3 GHz and an instantaneous
bandwidth of up to 50 MHz which allows the user to
capture fast frequency hopping systems like
SINCGARS at once. The scanning rate of a receiver
channel is higher than 10 GHz/s. A precise time base
is necessary for time stamping of received data pack-
ets for TDOA (time difference of arrival) based meas-
urements. Further, every sensor is able to receive mul-
tiple channels synchronously to provide AOA (angle
of arrival) based bearing.
2 System architecture
In order to accomplish the given design goals and fur-
thermore to provide user flexibility at low cost it is
necessary to use a combination of COTS (commercial
of the shelf) components on the hardware side as well

Figure 1 Scenario for a complete surveillance receiver
system consisting of several sensors (receiver in com-
bination with a local PC to store received data) and a
central data archive and data processing unit (host).
265
as existing software standards wherever preferable
together with reconfigurable custom solutions.
Hence, all communication interfaces are implemented
by gigabit Ethernet as hardware connection. TCP/IP is
used as remote control of the sensor ensuring that no
data is lost. Received data is transmitted via UDP/IP
to provide high data throughput. Figure 2 shows the
system constellation and the corresponding communi-
cation standards.
The receiver is parameterized by job lists that are
generated by the user at the host workstation and
stored in the receivers internal processor. These job
lists consist of a variable number of jobs. Each of
them contains all parameters to parameterize the re-
ceiver. These parameters are e.g. input frequency, in-
stantaneous bandwidth, job time, scanning speed and
the addresses of the hardware channels used for the
job. Thus, the user is able to handle a group of multi-
ple channels as one. Because it appears to the user
like one channel, this is called virtual channel. This
concept is going to be discussed in detail later.
3 Receiver architecture
3.1 State of the art
3.1.1 Superheterodyne receiver
Due to the limitations of digital components the mul-
tistage superheterodyne receiver with analogue base-
band signal processing or narrow band baseband sam-
pling and processing has been the most common re-
ceiver architecture for many decades [1].
Since ADCs (analogue to digital converter) offering
high sampling rates are still very expensive and avail-
able only at a limited dynamic range depending on the
sampling rate [2], it may still be advantageous to sep-
arate the analogue input signal in its inphase (I)- and
quadrature (Q) components within the analogue do-
main. Then both ADCs can operate at the half Nyquist
rate [3], [4]. Unfortunately, analogue I/Q demodula-
tion is very susceptible to I/Q imbalances compared to
precise digital processing.
As another disadvantage due to the third mixer stage,
third LO (local oscillator) and 90 phase shifter this
system architecture results in high hardware effort,
which makes the system more expensive and inflexi-
ble. This is why alternative concepts had to be found,
that are more flexible and reduce hardware effort at
one go.
3.1.2 Software defined radio
Due to the vast progression of digital electronics the
software-defined radio (SDR) has come up as a new
approach on radio technology beside traditional ana-
logue receivers. The idea is to minimize the analogue
front end components and to sample the antenna sig-
nal directly without any frequency conversion [5]. In
this approach, the input signal is only amplified and
band limited to half the Nyquist rate. All filtering,
mixing, decimation and base band processing is done
digitally. Figure 3 shows an example architecture of a
SDR.
For the maximum input frequency of 3 GHz this
would result in a demanded sample rate of at least
6 Gsps. Such fast ADCs are only available at a very
low resolution, high power consumption and high
price.
The thermal noise power at the matched input of a re-
ceiver is given as:
,
where
is Boltzmanns constant, is the absolute

temperature and is the signal bandwidth. This
means, that by increasing the input bandwidth, ther-
mal noise power is increased also and as a result the
SNR (signal to noise ratio) is reduced. Beside wide-
band noise at the input sampling clock jitter decreases
the SNR. In the presence of clock jitter
the
ADCs SNR is degraded depending on the absolute
input frequency
as follows:
20 log
.

Figure 2 Sensor system constellation and the corre-
sponding communication interfaces. TCP/IP ensures
secure transmission of remote control data, while
UDP/IP provides high data rates for the received data
transmission.

Figure 3 Typical software-defined radio architecture
using a direct sampling front end followed by an FPGA
for fully reconfigurable and fast signal processing.

Figure 4 Superheterodyne receiver architecture using a
third stage for I/Q-demodulation. This way each of the
ADCs can run at half speed.
266
The effective number of bits () expresses the
degradation of the ADCs dynamic range due to the
signal to noise and distortion ratio ( and is
calculated by:

1.76
6.02
.
It can be seen, that by increasing the input bandwidth
and absolute input frequency
the is de-
graded and thereby the dynamic range of a receiver is
reduced.
Beside this the receiver input is easily desensitized by
blocking signals when no analogue band selection is
applied.
3.1.3 Combined approach
This is why many systems use a combination of a
multi stage analogue front end and a fully reconfigu-
rable digital processor, e.g. an FPGA (field program-
mable gate array) (see vendors IZT, Grintec Ewation,
Mercury computer systems, Pentek, GE Intelligent
Platforms). This offers the benefits of analogue band
selection and frequency conversion on one hand and
of reconfigurable base band processing on the other
hand. In Figure 5 such a combined approach is
shown.
This architecture provides high performance but re-
sults in high cost because of complex analogue cir-
cuitry in combination with high end digital ICs.
3.2 The proposed receiver concept
In order to offer both good performance and reasona-
ble cost the crossing between analogue and digital
domain in general and between dedicated and recon-
figurable logic had to be reconsidered. Further, the
system concept had to be chosen such that highly syn-
chronous and fast scanning is possible using multiple
channels.
Because high performance FPGAs are very expen-
sive, resource-intensive operations needing a lot of
multiplication cells or RAM cells have to be realized
outside the FPGA using COTS elements. This is why
dedicated digital down converter processors and FIFO
(first in first out) memory have been chosen at the
cost of reprogramming flexibility. By doing so, one
FPGA is sufficient to realize more specialized DSP
(digital signal processing) functionality for several
channels (e.g. FFT). Furthermore one single micro-
controller is able to control all receiver channel com-
ponents inside and outside the FPGA, which is neces-
sary to realize the virtual channel concept mentioned
above. In Figure 6 the whole system architecture is
depicted. It can be seen that there is only one hard-
ware configuration bus that is shared by all hardware
receiving channels. This is acceptable because the mi-
crocontroller can only do one parameterization at the
same time. In scanning operation this allows faster
and inherently synchronous reconfiguration of all
channels grouped to a virtual channel compared to
configuring them one by one.
In the microcontroller a real time operating system
handles the job lists and downloads the next job into
the hardware after a job has been finished.
The precise time base needed for TDOA bearing is
realized by a GPS (global positioning system) mod-
ule. GPS was chosen because it is available wireless
and almost everywhere on earth, independent from
local infrastructure.
As mentioned above, gigabit Ethernet is used as data
connection for both the remote control communica-
tion via TCP/IP as well as the fast transmission of re-
ceived signals via UDP/IP. Due to its market position
using Ethernet provides high speed hardware that is
highly reliable at low cost and low design risk.
Figure 7 shows the realization of the data acquisition
unit in detail. It delivers down converted, filtered and
decimated baseband data, which are buffered in a
FIFO memory that can be directly read out by the
FPGA.

Figure 5 A common architecture combining a multi-
stage analogue front end with a reconfigurable base-
band processor in order to process received data.

Figure 6 The proposed system concept shown for four
input channels. By using dedicated DDC processors
and FIFOs one FPGA with an integrated microcontrol-
ler is sufficient so that the virtual channel concept can
be implemented.

Figure 7 Hardware realization of the data acquisition
unit.
267
4 Conclusion
In this paper the system architecture for a fast multi-
channel receiver system for surveillance applications
has been proposed. It has been shown that by reduc-
ing the FPGA internal logic such that one FPGA is
sufficient for multiple channels, the introduced virtual
channel concept can be implemented efficiently. This
provides fast and inherently synchronous channel pa-
rameterization for multichannel scanning applications.
5 Acknowledgment
This work was supported by FuE-Programm Infor-
mations- und Kommunikationstechnik in Bayern
(Verbund-Nr.: IuK320) in the context of project
KAIMAN (Compact frequency agile intelligent mo-
bile surveillance network).
6 References
[1] Tsui, J. B.: Microwave receivers with Electron-
ic Warfare Applications, SciTech Publishing,
2005
[2] Walden, R. H.: Analog-to-digital converter sur-
vey and analysis, IEEE journal on Selected ar-
eas in Communications, Bd. 17, No. 4, pp. 539-
550,1999
[3] Yoshida, H.; Tsurumi, H.; Suzuki, Y.; , "Broad-
band RF front-end and software execution pro-
cedure in software-defined radio," Vehicular
Technology Conference, 1999. VTC 1999 - Fall.
IEEE VTS 50th , vol.4, no., pp.2133-2137 vol.4,
1999
[4] Pekau, H.; Haslett, J.W.; , "A comparison of ana-
log front end architectures for digital receivers,"
Electrical and Computer Engineering, 2005.
Canadian Conference on , vol., no., pp.1073-
1077, 1-4 May 2005
[5] Yoshida, H.; Tsurumi, H.; Suzuki, Y.; , "Broad-
band RF front-end and software execution pro-
cedure in software-defined radio," Vehicular
Technology Conference, 1999. VTC 1999 - Fall.
IEEE VTS 50th , vol.4, no., pp.2133-2137 vol.4,
1999
268
How to model and simulate multi-modal alerting of population:
The Alert4All approach
Dr. Wolf Engelbach, Fraunhofer IAO, Germany
Sigmund Kluckner, IAT University of Stuttgart, Germany
Sebastian Kurowski, Fraunhofer IAO, Germany
Abstract
In natural and man-made disasters, people have a much higher rate of survival when they are informed about
what is happening. To inform people does not only mean to send out a message, but to send it out in time (usual-
ly, as fast as possible) and sending it in an understandable way. Also, a warning message should be distributed
through different media channels, so that the coverage is as large as possible. The EU-FP7 research project
Alert4All investigates the optimal alerting methods for disasters, and will combine state-of-the-art information
and communication technology, decentralized information sourcing through social media, and the simulation of
human behaviour. The expected result of this project will provide information about a better alignment of alert
procedures and processes to crises in a scalable manner, from a regional to an European perspective. This paper
presents our approach towards modelling human behaviour related to alerting the population.

1 Introduction
The Alert4All concept has been conceived with the
aim to improve the effectiveness of alerting and
communicating to citizens during a crisis and to be
highly scalable, so that it can be applied on a regional
scale as well as in European-wide crises. It describes
the key aspects in the dissemination of alerts. It is de-
signed as a system encompassing management, hu-
man and technological aspects, it identifies gaps for
improvement in each of them to propose suitable so-
lutions, and exploits synergies among the different
system elements [1]. The operational picture can be
further improved by what if simulation tools capa-
ble of simulating the impact of alert and communica-
tion strategies to the population, tailored to the given
crisis scenario to ease the decision making process.
The effectiveness of alerting of and communication to
the population in crisis situations is dependent on the
number of affected citizens timely reached by alerts,
trust of citizens on alerts and intended versus actual
impact of alert strategies. That implies that cultural
and personal aspects influence the reaction to alerts,
and alerts have effects on human behaviour. There-
fore, the complex relations of human behaviour and
alerts have to be understood, modelled and simulated
in order to support crisis managers with an idea of the
effects of alternative alerting strategies. To do so, the
Alert4All concept includes a simulation tool that
models the spreading of information and human be-
haviour according to key influencing factors, such as
a crisis scenario and selected communications plans.

1.1 Problem Definition
The general intention of alerts is simple: warnings
must reach potentially affected people, which these
people at risk then need to trust and understand, and
consequently should react as intended. But due to
many different technical alerting systems, several or-
ganizations involved and a different situation for eve-
ry addressed person, the effects of an alerting strategy
are not always clear to the staff within emergency
management authorities.
Therefore Alert4All addresses the different alerting
systems and their possible overlay to find their likeli-
ness to reach people at different places and in differ-
ent times. Also, the expected reactions of the targeted
people need to be taken into account, especially their
trust in the authorities and warning messages and
their prompted response to them, including the infor-
mal and independent diffusion of crisis related infor-
mation. This behaviour is dependent on a variety of
contextual aspects, mainly the personality and the sit-
uation of the person. These aspects need to be identi-
fied and classified during the course of the project.
Another problem given in the context of the Alert4All
project is the vast cultural and social differentiation in
the use of new communication technologies in society
(e.g. the use of mobile devices and the Internet varies
between different countries, social and age groups),
which needs to be understood to be able to model the
behaviour of the population when being warned of an
imminent crisis situation. Many more aspects that im-
pact the human behaviour within the alerting chain
exist. To provide the most effective alerting for a situ-
269
ation possible, the most influential aspects must be
isolated and considered in the design of the system
and its simulation.
One of the main goals of this project is to research
and elaborate these aspects in more detail, for exam-
ple by conducting thorough literature reviews and in-
terviews with domain experts such as emergency
managers and staff of humanitarian organizations.
For ethical reasons, evaluation experiments compar-
ing different communication plans and their caused
reactions are not possible in the real world, thus a
modelling and simulation approach helps to under-
stand the outcomes in this complex environment. On
one hand, the virtual combination of different media
channels and the adaptation of reaction assumptions
will be designed. On the other hand, the big picture of
human actions and reactions to alerts for different cri-
sis situations, environments and regions should be
displayed based on the specific assumptions. In this
environment it will also be considered how reactions
change when alerts are received through more than
one channel.
This model should then serve as the basis for a soft-
ware concept that will enable emergency managers to
simulate the consequences of different communica-
tion plans, and thus help them to determine the opti-
mal and most effective alerting available for a poten-
tial or even the given situation. The resulting tool
should then also seamlessly integrate into the whole
Alert4All concept, especially its information portal
and global alerting gateway [1].
1.2 Alert4All Modelling and Simula-
tion Approach
To understand how to best use the media and technol-
ogy available to alert the population, our research fo-
cuses on the human behaviour part of the warning
process; in specific we want to investigate how peo-
ple behave when they receive an alert message, and
how media usage impacts this behaviour.
The next challenge will be to map these factors into a
model of human behaviour. These factors can be ob-
tained from earlier research, experts and scientists in
the field, and we strongly build on the cooperation
with them to best include their expertise in the overall
modelling approach.
During first discussions with crisis managers, it ap-
peared that there is a need for improved decision
making support for the crisis management authorities.
A simulation tool that builds on a generic model of
human behaviour, but is adjustable to different situa-
tions or the characteristics of the population (accord-
ing to the input of experienced crisis managers) can
aid the decision making process with regards to what
the most effective warning and alerting strategy for
the given situation might be. In order to better under-
stand the outcome of their actions, the crisis managers
and decision makers need access to reliable estima-
tions and reasonable guesses, since there are no stable
and empirically proven globally valid data on alerting
effects for the vast amount of possible emergencies,
alerting options and contexts. Alert4All is leveraging
the contact to these experts to discover the impacting
factors and will try to offer a European standard
emergency behaviour, which should be changed in
detail according to the situation at hand. By keeping
all the input from experts and by improving the avail-
able simulation input parameters, emergency manag-
ers might even be able to learn from each others ex-
perience and estimates and thus create useful infor-
mation and improvements for the Alert4All project,
the simulation outcomes and themselves.
1.3 Methodology
Since human behaviour in crisis situations is varying
greatly between countries and cultures of the Europe-
an Union, Alert4All will use the approach of Generic
Alerting Assumptions. Generic alerting assumptions
could be described as default value for each aspect in
the model, which then can be adjusted to specific sce-
narios and simulation runs. Using such an approach
enables the usage of an abstract model without having
to pre-set too many details on the specific situation.
Obviously, the results of simulations are only as good
as the data and rules that are used within the model.
But since a large crisis does not happen regularly and
never meets the same conditions (e.g. weather, time,
region), the definition of empirical rules is not easy.
Nevertheless, at least for capacity planning and train-
ing purposes, good guesses and experience-based
rules of thumb are better than starting without any
assumptions. For some criteria, practically used rules,
best practice experience and algorithms already exist
and can be incorporated in the model. With so many
data sources and basic assumptions, the level of valid-
ity of data needs to be transparent. Alert4All intends
to define some initial criteria and a process to adapt
them to other conditions.
The intended approach is that human behaviour relat-
ed to crisis communication and the factors that can
impact and thus change such a behaviour first need to
be described and modelled in a qualitative way, based
on literature and expert opinions. To best be able to
understand the experts opinions and to be on one
page about the scope of the research, it is envisaged to
create and use research hypotheses about the human
behaviour and the impacting factors. These hypothe-
ses should then be approved by experts and be reused
in later stages of the project.
Secondly, the quantification of these qualitative fac-
tors should be as reliable as possible, considering ex-
isting studies, opinions and estimations by experts
and if deemed necessary and feasible for im-
portant factors additional empirical experiments. For
270
the purpose of understanding the interaction between
influencing factors and the overall results of different
communication plans in defined scenarios, simula-
tions can be run on the model. The simulation tools
can be configured accordingly to the circumstances of
the situation, e.g. type of crisis or characteristics of
the targeted population. This also shows the effects of
different locations and alerting messages. It can give
hints regarding the potential of new media (such as
Twitter) and alternative communication channels
(such as satellite phones) when communicating with a
heterogeneous crowd in a crisis situation. Figure 1
shows this planned course of actions during this pro-
ject.
The simulation tool is designed and implemented
based on the requirements set by the Alert4All infor-
mation system environment, so that it seamlessly fits
into the big picture. Additionally, the software speci-
fications allow for an incorporation of end user re-
quirements, e.g. from emergency managers.
2 Related Work
In the field of modelling of alerting, some research
projects have been conducted which we will reflect
and utilise as basis within the Alert4All project. The
following paragraphs present some of this relevant
related work and how it contributes to the human be-
haviour modelling and alerting simulation approach.
2.1 Human Behaviour in Crisis Alert-
ing Situations
Regarding human behaviour in crisis situations, a
broad range of potential actions and influence factors
can be defined. Since these actions and influence fac-
tors can vary largely, we will only focus on the factors
concerned with the human behaviour related to being
alerted in a crisis situation. The main focus is put on
the most important ones selected by the literature re-
searched, while using already existing processes with
regard to human behaviour in crises. [2] took the ap-
proach in breaking up the process of the populations
response to warnings. They extracted the parts Risk
identification, Risk assessment, Risk reduction
and Protective response. While this follows a rather
generic view on warning response, only the process
of Protective response deals with human behaviour,
making this model unsuitable for analyses when refer-
ring to human behaviour.
In order to achieve a clear view on the related work in
this field, we will therefore follow [3] and the influ-
encing factors they defined, namely Hear, Pro-
cess, Respond and Confirm. [3] hereby uses a
receiver-sender environment attached to these factors,
building a model with regard to the dissemination of
alerts, their interpretation by the public and the action
performed, while respecting possible influence of this
action on the message creation itself. The Process
part of the message hereby includes understanding the
message, believing its contents and personalizing the
message to oneself. We will use these factors in the
following in order to provide a clear overview on the
studies and research projects with regard to human
behaviour in crisis situations.
Addressing the role of the receiver in crises, [4] ag-
gregates several studies taken on evacuation. Howev-
er, with scenarios ranging from floods, hurricanes,
tornadoes over avalanches, earthquakes to hazardous
materials and chemicals related crises, evacuation
poses only one single response as described in [5].
Unfortunately, little research is found on choosing
protective actions and individual variations in re-
sponse [4]. However, using several social scientific
studies, [3] was able to provide an overview on major
factors influencing the warning response. Table 1
gives an overview on some of these factors, mention-
ing only those with a high level of empirical support.
The table lists several factors along with their influ-
ence on the response to a warning message. Attributes
can hereby increase the response, meaning that a per-
son will respond to the warning message more likely,
as pictured by the process model in [3] and described
above.

Figure 1 Methodological Approach
271
Among others, physical and social cues are listed.
Physical cues are described in [3] as environmental
factors (not related to other people) which influence
the warned persons. For example, a physical cue
could be when it is raining heavily when flood warn-
ings are received [3]. Social cues focus more on sur-
rounding persons, for example when neighbours are
seen evacuating when evacuation warnings are re-
ceived [3]. Also, the list features two attributes that
state to influence the response in a mixed way. This
means that this attribute can influence the response
both, positively and negatively. One factor is the ex-
perience with the hazard, reflecting the warned per-
sons knowledge with this or similar types of hazards.
For example, if a person already experienced a hurri-
cane without damage, the response to a hurricane
warning will probably be less effective in the future.

Factor Response due to factor
increase
Physical cues Increase
Social cues Increase
Knowledge of hazard Increase
Experience with hazard Mixed
Education Increase
Family united Increase
Kin relations (number) Increase
Community involvement Increase
Age Mixed
Socioeconomic status Increase
Personal warning vs.
impersonal
Increase
Message specifity Increase
Frequency Increase
Message consistency Increase
Message certainty Increase
Source credibility Increase
Source familiarity Increase
Table 1 Major factors co-varying with warning re-
sponse, excerpt from [3]

For modelling the individuals behaviour in warning
response, these factors and the underpinning their sta-
tistical data can be used to create probability distribu-
tions for further human behaviour modelling. Addi-
tional input for such factors is provided by the
CHORIST project [7]. CHORIST is a project funded
by the European Commission and was embedded in
the 6th European Framework Programme. It aims at
integrating Communications for enHanced envi-
rOnmental RISk management and citizens safeTy.
Within the project, a system was developed consisting
of 3 modules. The first module focused on risk as-
sessment and reporting. In the second module, warn-
ing message dissemination was covered. Finally, in
the third module a rapidly deployable telecommunica-
tion system was developed.
For the topic of human behaviour, the second module
is of most interest, providing contributions in the de-
sign of a warning message, analysis of the overall cy-
cle of warning message creation and response, and
definitions of actions and emergencies. For the influ-
ence of a warning message and the model involved in
creation and communication of warnings, CHORIST
defines the four influencing factors of Authorities,
Technology, Scenario and Citizens as contrib-
uting to a warning message. The Authorities hereby
select the message and disseminate it using Technol-
ogy. In CHORIST, Citizens perform an action
based on the message and hereby influence the Sce-
nario, which itself implies a required action to be
communicated by the Authorities. The resulting cy-
cle (as shown in Figure 2) gives a good insight in the
complexity of alert system modelling, since there is a
high dependency on both directly and transitively
connected participants. However, it already pins down
the process to a single cycled but directed process,
enabling further modelling.
When examining the role of human behaviour and
therefore the citizen, CHORIST abstracts this role to
simple message reception. This means, that the citizen
does not cope with any of the message response pro-
cesses, as presented in [4]. The overall concept seems
to rely on the assumption that any human action is
based on message transmission. Although the process
does include the citizens response to a warning mes-
sage, it leaves out interaction between the citizens.
None the less, mass panics are paid respect as poten-
tial emergencies during [5].
In terms of human behaviour, the project is more fo-
cused on the role of the warning message and its con-
sumption. For this purpose, a study was done showing
personal assessments of different message types (risk
& action, risk & information, risk & action & infor-
mation) and message lengths. This created a quantita-
tive analysis showing that messages containing risk
and action description with a length of 150 characters
was assessed mostly as exactly right [6]. With regards
to the content of warning messages, the participants
were in much more disagreement. Nevertheless, a
message that contains information about the risk and
the action to perform were mostly assessed as exactly
right. This outcome shows that the design of a mes-

Figure 2 Cycle of warning influences [6]
272
sage contributes to the overall dissemination of the
warning.
As a contribution for modelling, the CHORIST pro-
ject provides a list of potential actions for the Citi-
zens role, which can provide a key feature for the
abstraction of human behaviour in crisis situations. In
this list, the possible actions are abstracted to single
attributes such as move or evacuate. Further model-
ling is then done by correlating these attributes using
AND and OR combinations.
Although CHORIST mentioned mass panics in [5] it
does not pay respect to human interaction involved in
such panics, due to its model of citizens only receiv-
ing and responding to messages. This abstraction
avoids any further interaction of the human agents
involved in the response to an alert. However, [8] fo-
cuses on mass panics by creating a quantitative analy-
sis of past events. [8] describes panic as non-social
behaviour, where ordinary social relationships are
disregarded and pre-existent group action patterns fail
to be applied. Additionally it describes human be-
haviour to be consisting of a habitual pattern and
the course of the interaction among individuals fol-
lowing the definition of the situation as dangerous.
Or in our words, the person will choose the flight di-
rection which is most familiar if the direction does not
pose any immediate threat. For instance, a person will
always choose the known one with no visible threat,
but will choose an unknown one over a known exit
blocked by fire.
2.2 Integrated Alerting
CHORIST aimed at developing a complete alerting
system. Its structure consisted of systems to create
situation awareness, systems for alerting the popula-
tion and finally systems for incident response at
ground level. The overall system is hereby capable of
warning the population using cell broadcasting and
television broadcasting. Warnings are created in a
central institution which monitors possible upcoming
crises using awareness tools, such as water level indi-
cators and information fusion systems which repre-
sent data from i.e. meteorological forecasts and water
levels. Although this system does partly reflect the
idea behind Alert4All, namely to distribute warnings
using multiple media channels (or in our case simu-
late the distribution), its number of available media
channels is limited to television [9], GSM Cell
Broadcast [10] and sirens [11]. [12] additionally pre-
sents a concept for integrating instant messengers as
well. Unfortunately, no further data was found on the
distribution of a warning message using a particular
media. [4] respects this point and draws a picture of
the dissemination of the warning versus its distrib-
uting technology (see Figure 3).
Also the media influence as targeted by Alert4All is
left out in [4], except for the warning dissemination
(see Figure 3).

In the figure, dissemination of a warning is shown
depending on time and portion of received warnings.
Although this graphic draws a picture of four concur-
ring technologies, the aggregation of media to one
technology is below the scope of Alert4All, since it
leaves out the differences between different types of
media available today.
The Global Disaster Alert and Coordination System
(GDACS) [13] under the umbrella of the United Na-
tions, offers capabilities for alerting on global crises.
Hereby, information on occurring crises and disasters
such as tropical storms is collected and correlated
with satellite imagery, resulting in heat maps. Addi-
tionally, crisis managers are able to retrieve corner
data, such as the population density of an affected ar-
ea. GDACS additionally offers automatic warning,
using e-mail and short messaging services (SMS), but
its main goal is not the timely warning of the popula-
tion, but more the information provision for crisis re-
sponse. Unfortunately, both, GDACS and CHORIST
do not provide any assessment of the media involved,
providing no further input for the Alert4All simula-
tion related to the topic of human behaviour.
2.3 Modelling and Simulation for Cri-
sis Management and Alerting
When regarding alert message dissemination in crises
situations, the human behaviour and also mass re-
sponse to warning messages have to be modelled.
While [4] already gives a good overview on potential
attributes for individual modelling (see Table 1), fur-
ther attributes have to be researched as well. Addi-

Figure 3 Message dissemination vs. distribution tech-
nology [4]
273
tionally, depending on the simulation method, the
point of view regarding these attributes might change.
We will therefore have a look on general crises simu-
lations and then talk about different simulation meth-
ods and their potentials for crisis management and
alerting simulation.
Focusing on emergencies during events, [14] present
an approach on evacuation simulation. The simulation
approach hereby uses predefined event scenarios in
order to gather empirical data on human behaviour.
However, human behaviour in the context of evacua-
tion does only apply to the direction of movement.
Mass panics, as a result of environmental restrictions,
as in [8] are not respected. This allows the simulation
to use data which can be gathered by cameras or, as a
more generic expression, observers. Interviews as
done in [6] are not required, since any further behav-
iour modelling is not respected. Still, this simulation
can contribute to Alert4All after the dissemination of
a warning, showing the results of evacuation success.
Turning back to the dissemination of warnings, com-
munication in peer to peer networks can be of im-
portance for distribution of alerts within the popula-
tion. This behaviour can also be simulated, as it is
shown in [15]. Here, peer to peer networks are simu-
lated by randomly moving agents. If one agent enters
the communication pipe of another agent, infor-
mation is exchanged. By doing so, Kurhinen and
Vuori are able to measure the dissemination of a sin-
gle message in peer to peer networks. This technique
can be used in warning dissemination when the over-
all model for human behaviour is abstracted to always
believe a message (see [3]).
However, people believing a message is crucial, when
regarding the attributes found by [4] (see Table 1). If
the overall simulation model does not pay respect to
the process of believing a message, the overall re-
sults coming from this simulation may not be useful
in real crises. Information dissemination however, is a
phenomenon that is surveyed in other disciplines as
well. One of them is viral marketing, especially on the
Internet. [16] presents an approach based on empirical
data for modelling information dissemination regard-
ing a product. Although product marketing here in-
cludes attributes such as rating, recommendations and
incentives, similarities to the domain of alerting can
be found. Incentives are hereby defined in [6] as the
likeliness that a warning is being believed. The statis-
tical data from this publication, along the Bayesian
network of quality attributes as in [16], might enable
us to give an insight into the overall dissemination
rates of a single warning, and also to predict it
through simulation. [17] copes with the domain of
alerting and warning specific information dissemina-
tion. Unlike [15], the model created is specifically de-
signed for this domain and therefore may offer a high
value for the simulation targeted in Alert4All. As in
[15], the receivers of a warning are regarded as nodes
which hold a certain state. Table 2 gives a brief over-
view on the states defined in [17].

State Description Action
Disbelieved Node has re-
ceived a mes-
sage but does
not believe the
message
No action
Undecided Node has re-
ceived a mes-
sage but is un-
certain of what
to do
Query neigh-
bours in the net-
work
Believed Node has re-
ceived the mes-
sage and be-
lieves the value
of the message
Spread the mes-
sage to its neigh-
bours and leave
the network after
x time steps
Evacuated Node is no long-
er in the network

Table 2 Description of Node states as in [17]

Here, each state a node can be set to is correlated with
an action, abstracting the problem of human behav-
iour to 4 states and 4 actions. For further interaction
between the nodes, [17] uses a similar but refined ap-
proach as in [15]. Instead of the communication
pipe used in [15], 4 axioms are defined, offering a
more detailed modelling of node interactions. These
Axioms are the Information Loss Axiom, Source
Union Axiom, Information Fusion Axiom and the
Threshold Utility Axiom. Between the nodes,
sources and values are exchanged. Sources and values
consist of a number representing the impact of the
contents interpretation on the nodes action. The In-
formation Loss Axiom hereby correlates the value of
the information exchanged with a random number be-
tween 0 and 1. By multiplying this number, the value
of a message may decrease during dissemination.
The Source Union Axiom deals with multiple nodes
sending information to a single receiving node. In this
case the axiom defines that the information at the re-
ceiving node is unified with the information arriving.
If a source is contained in multiple information tuples
(source and value), the information is fused, aggregat-
ing the values to a new value between the maximum
value of the source and the sum of the sources val-
ues. Furthermore this axiom also shows how to com-
pute the fused value at a node. Finally the Threshold
Utility Axiom defines that the nodes switch into a
certain state (see Table 2), after a certain threshold is
exceeded. The simulation model described here pro-
vides a basis for warning message dissemination sim-
ulation, by defining attributes, states and actions upon
a warning message. [18] make use of this model, by
including it in an agent-based simulation. Here, for
274
each agent a predefined process is used, by leveraging
the warning message interpreting process as defined
in [4]. Figure 4 gives an overview on the model creat-
ed. In this model, the state of the public being in-
formed, believing the warning and relaying the warn-
ing is included as a model of the response to a warn-
ing.
3 Conclusions and Outlook
In this paper, we have shown our intended way of
modelling and simulating multi-modal alerting in
times of crisis. The model and simulation should be
used to find alternative ways of communication to the
population and to better understand the effects of
plans towards alerting the population.
The approach taken in this work is to first find factors
that can have an impact on the human behaviour in
times of crises, with a special emphasis on the effects
of alerting and warning. Based on these factors, a
model and a resulting simulation will be implement-
ed, using generic alerting assumptions to be able to
start off with a default set of attributes in the simula-
tion. These attributes will be changeable to adjust the
simulation and thus result in a more correct and repre-
sentative outcome of the situation in question.
The related work provides valuable contribution when
coming to modelling of human behaviour, mass be-
haviour and warning message dissemination. Attrib-
utes are being provided, as well as concrete simula-
tion models. These results will be further assessed and
used in the future simulation of warning messages
with respect to the media chosen in Alert4All.
A first workshop with end-users and experts of the
field already provided practical experiences about
human behaviour and assumptions concerning its im-
pacting factors. With these opinions and the available
literature we will postulate first hypothesis regarding
human behaviour related to alerting and try to identify
more detailed relevant impacting factors for relevant
categories, and hints on their impact and influence.
Acknowledgements
The research leading to these results has received
funding from the European Union Seventh Frame-
work Programme (FP7/2007-2013) under grant
agreement n 261732.
References
[1] C. Parraga Niebla et al., Alert4All: an
Integrated Concept for Effective Population
Alerting in Crisis Situations, in Proceedings of
the 8th International ISCRAM Conference,
Lisbon, Portugal, 2011.
[2] M. Lindell and R. Perry, Behavioral
foundations of community emergency planning.
Washington: Hemisphere Publishing Co., 1992.
[3] D. Mileti and J. Srensen, Communication of
emergency public warnings. Oak Ridge,
Tennesse: , 1990.
[4] J. Sorensen, Hazard Warning Systems:
Review of 20 Years of Progress, Natural
Hazards Review, pp. 120-125, 2000.
[5] Delft University of Technology, Meta
definition and general categorisation for
citizens early warning messages. 2009.
[6] Delft University of Technology, Lessons
learned by Delft University of Technology on
Emergency Warnings. 2009.
[7] P. Simon, CHORIST project - Some proposals
to improve Disaster Management, Apr-2009.
[8] E. L. Quarantelli, The Nature and Conditions
of Panic, American Journal of Sociology, no.
60, pp. 267-275, 1954.
[9] LogicaCMG Wireless Networks B.V.,
Personal Communication Networks Gateway
technical specification. 2007.
[10] TRAD, Broadcasting Networks Gateway
Technical Specification. 2008.
[11] KOMC, Public Announcement Network
Gateway technical specifications. 2008.
[12] VODAFONE Espana, Mechanisms to
distribute warning messages - Messenger and
Chat Services. 2007.

Figure 4 Flow chart including states of the public dur-
ing warning message response [18]
275
[13] T. De Groeve, T. Peter, A. Annunziato, and L.
Vernaccini, Global Disaster Alert and
Coordination System. 2009.
[14] H. Ronagel, J. Zibuschka, and O. Junker,
Agent-based Simulation for Evaluation of a
Mobile Emergency Management System, in
Proceedings of the Sixteenth Americas
Conference on Information Systems, Lima,
Peru, 2010.
[15] J. Kurhinen and J. Vuori, Information
Diffusion in a Single-Hop Mobile Peer-to-Peer
Network. 2005.
[16] J. Leskovec, L. A. Adamic, and B. A.
Huberman, The dynamics of viral marketing,
ACM Transactions on the Web, vol. 1, no. 1,
May-2007.
[17] C. Hui, M. Goldberg, M. Magdon-Ismail, and
W. A. Wallace, Simulating the Diffusion of
Information: An Agent-based Modeling
Approach, International Journal of Agent
Technologies and Systems (IJATS), vol. 2, no.
3, pp. 31-46, 2010.
[18] M. Nagajaran, D. Shaw, and P. Albores,
Informal dissemination scenarios and the
effectiveness of evacuation warning
dissemination of households - A simulation
study, Procedia Engineering, no. 3, pp. 139-
152, 2010.

276
VALUESEC - Mastering the Value Function of Security Measures
Eduardo Bellido Ziga, Atos Origin, Spain
Christian Blobner, Fraunhofer Institute for Factory Operation and Automation, Germany
Abstract
The VALUESEC project is funded in the European Commissions 7th Framework Program. It addresses an area
that is relatively new and underdeveloped in terms of methodologies and decision supporting tools. Its objective
is to support and enhance the decision making process in the sense that security measures should reflect the in-
terests of all stakeholders. Decisions need to be based on transparent decision criteria and on rigorous cost-
benefit-analysis, incorporating quantitative and qualitative aspects as social, cultural, ethical and economic im-
plications in the overall analysis.
VALUESEC brings together an interdisciplinary team of researchers and end-users to generate a knowledge base
of the current state and trends in theory and in practical applications of economic analysis methods, applied to
security decision making. The projects task will be defining, context modelling, assessing threaths, risks, and
impacts, weighting and quantifying attributes of costs and benefits, advantages and draw-backs of security meas-
ures, and the demonstration of the approach through a software tool to support the decision making process. The
projects main challenge will be to combine economic and political factors and societal effects of security meas-
ures into a value function to establish a basis for a cost-benefit approach, allowing for trade-off along different
dimensions. In effect, the project will bring together quantitative and qualitative information and combine it in a
common methodological framework and integrate it into a decision support tool.
The projects first year will be dominated by the gathering of inputs from public decision makers regarding their
requirements for an efficient cost-benefit analysis in a security framework. For this, the consortium currently de-
fines typical decision contexts and approaches stakeholders for their input. Additionally the consortium surveys
current approaches in cost-benefit analysis and in how far they are applicable to meet the decision makers re-
quirements. The mapping of requirements and needs on available methodology will be a major research effort
for the subsequent integration into a software-based decision support tool.
VALUESEC ensures the applicability of the developed approach and the subsequent software tool through vali-
dation in realistic use cases. These use cases will be built around typical scenarios for decisions in a security
context and will be developed in close cooperation with end-users and external stakeholders to guarantee maxi-
mum relevance. The VALUESEC consortium includes the Valencia Local Police as a end-user to provide on the
one hand inputs for the definition of requirements for a decision support tool and on the other hand to provide a
realistic application scenario in a use case. Valencia provides ample opportunities to validate the developed ap-
proach and the subsequent support tool, e.g. in a use case comprising strategic planning elements for the For-
mula One Gran Prix organized in the city.
VALUESEC aims to provide strategies for balancing security, policy and economic objectives.
1 Background of the ValueSec
Project
Most decisions in a security aspect are taken by pub-
lic stakeholders. Their overarching goal is to ensure
the security of citizens. Through this, they essentially
need to provide a public good.
Security related decisions, however, need to be taken
in a complex socio-economic and political environ-
ment This complexity obscures the full benefits of
decisions taken, and consequent actions, as effects
occur in different dimensions but are hard to attribute
to the specific decision. On the other hand, the com-
plexity also leads to the fact that the full costs of de-
cisions are often not transparent to decision makers.
Public stakeholders have to take into account a multi-
faceted set of parameters to analyze the cost and
benefits of their decisions. These parameters encom-
pass quantitative ones, such as monetary costs for a
technology acquisition, as well as qualitative ones,
such as citizens need for privacy.
Additionally, the complexity of the decision environ-
ment and the decision making process itself are ever
increasing, with competences in legislation and deci-
277
sion making being transferred from a national level to
the European Union level.
From this point of departure the ValueSec project is
committed to help support and enhance the decision
making process in the sense that security measures
should more than today reflect the interests of all
stakeholders. Solutions have to be found, which are
based on transparent decision criteria and on a rigor-
ous cost-benefit-analysis, including social, cultural,
ethical, economic implications in the overall analysis.
2 Conceptual design
The ValueSec project follows two distinct perspec-
tives in achieving the above mentioned objectives:
(1) The global view on security which includes
the wide spectrum of threats, risks and security
improvement measures, and
(2) The narrow view on a selected/developed
toolset and its validation in selected scenarios.
This is necessary, as presumably not all prob-
lems of rational decisions regarding security
measures can be covered by one single method-
ology.
With this approach ValueSec works in a field that
relatively new and still underdeveloped from a meth-
odological point of view.
Most previous and ongoing research in the field can
be found on the topic of ICT related security invest-
ments, see for example [1] and [2]. Research with a
broader perspective on the economics of security can
be found on the EU level with the projects A New
Agenda for European Security Economics
EUSECON and The Network for the Economic
Analysis of Terrorism NEAT
1
, both coordinated by
the German Institute for Economic Research DIW.
However, both projects put a (non-exclusive) focus
on the economic sources and effects of terrorism. Fur-
ther, international research has been conducted for
example by the RAND Cooperation on scenarios but
also on the cost effectiveness of measures to secure
the US passenger rail system, see [3].
What is missing from a decision makers point of
view, however, are clear supporting tools, which help
them to assess economic, social and political costs of
security measures and investments. Decision makers
must weigh many different factors (political, legal,
social, cultural, moral, economic, etc.) in their as-
sessment of threats and appropriate counter-measures.
Some of these factors are only indirectly related to
economic costs and benefits of security. For example,
increased surveillance of public spaces might be a
valid deterrent for terrorists and criminals but citizens

1
See http://www.economics-of-security.eu/ for more
information on both projects.
might not be willing to give up a certain degree of pri-
vacy. International coordination and differences in
risk perception and national/regional/personal prefer-
ences amplify these problems, especially with respect
to decisions taken on a supranational level. Moreover,
it has proven difficult to put concrete cost figures to
soft factors such as the reduction of public fear.
The economic crisis contributes to greater attention
on public spending for security. It is also important to
clarify who benefits and who pays for the effects of
security decisions. Furthermore, it has to be analysed
in how far non-action scenarios and/or the lack of se-
curity investments contribute to vulnerability or even
instability of societies.
Therefore effective and efficient cost-benefit-analysis
must integrate features that are unique to the security
domain:
Cost structure analysis of consequences of
security incidents.
Direct cost and returns of security related
measures.
Multi-criteria decision making (MCDM).
Effectiveness and cost-efficiency analysis of
security improvement measures and options.
Social costs of the impact of and public reac-
tion to, security measures.
Legal and ethical costs of implementing or
not implementing particular security meas-
ures.
Political value assessments related to security
governance.
The development of decision support system for deci-
sion makers, incorporating the points mentioned
above, is of paramount importance to not only help
them to make informed decisions but also to make the
decision making process more transparent and in-
crease the accountability vis a vis the citizens and ad-
ditional stakeholders.
The project follows the approach to first analyze the
current decision making process and survey decision
makers regarding their requirements and prerequisites
for making informed decisions. In parallel the consor-
tium surveys existing cost benefit analysis method-
ologies and available tools. For the technical develop-
ment of a decision support tool, the requirements will
be mapped on available methodologies to on the one
hand define a functional design of a tool and on the
other hand describe further research needs. The
ValueSec tool will be developed and validated on a
background of realistic use cases. Use-cases will be
carried out in the following decision making contexts:
Public mass event
Public transport
Airport- and/or air transport
Communal security planning
Cyber threat
The specific nature of the use cases will be further
defined in cooperation with decision makers and other
stakeholders.
278
SECURITY
CONTEXT
Public
mass
event
Public
transport
Airport /air
transport
security
Communal
security
planning
Cyber
threats
Internatllegislation/
regulation
ICAO
EUlegislation/regulation EPCIP EuroContr. DGJLS
ENISA
MemberStates
Governments
MinofTransp. MinofTransp. Min.of
HomeAff
LocalAuthorities Communal
Gov.
Local Gov. Local Gov Mayor CISO
City&localAdministr. CityParl.
WaterMgmt
Cityadmin Publ ic
Shareholder
Water Mgmt Local
Admin
FirstResponder Organiz. Police;Fire Brigades;Rescue services; Medical services
Affected Industry/privat
Businesses andPPP
Stadium
ownwer
Operator Private
shareholder;
Local
industries
All
Securityproviding
Industry
X X X X X
People&Society X X X X X
Adminis
trative Level
2.1 Decision making model
As described above the ValueSec tool will take into
account different factors, qualitative and quantitative,
for an assessment of different decision alternatives in
the field of security. Figure 1 describes the conceptual
decision making model, which is used in ValueSec.
The decision rational follows the premise that deci-
sions shall be taken following the assessment of indi-
vidual measures according to framework conditions
set out by decision parameters, such as threats and
risks, budget restrictions as well as political and so-
cietal needs; thereby combining the concepts of value,
cost and risk.

The figure shows the distinct steps that are necessary
to develop a decision support. A first step is the ac-
quisition of input data and the definition of data
sources that will be the base for the analysis of al-
ternatives in the ValueSec tool. This data consists of
scenario specific data such as threat assessments, spe-
cific costs or risks associated with the decision
alternatives, i.e. quantitative data in most cases. Also
qualitative data is used as input. However, this data is
often not scenario specific but describes e.g. societys
general attitude towards privacy or other social
values. Within the ValueSec tool, the data will be used to as-
sess different decision alternatives along the vectors
of societal impacts, (monetary) costs and benefits and
risk to produce an overall cost-benefit analysis. The
tool does not recommend specific decision alternative
but moreover will make costs and effects more trans-
parent to empower decision makers to make informed
decisions and making trade-offs between alternatives
based on their set of preferences and current frame-
work conditions.
The reporting function of the ValueSec tool, therefore,
has to incorporate easily accessible, preferably
graphical, representations of cost-and-benefits associ-
ated with the individual measures to be assessed. Re-
porting, and assessment for this matter, also has to
take into account the timeframe of decision-making.
Decisions under assessment by the ValueSec tool can-
not be short-term oriented, i.e. tactical decisions taken
by forces in the field. The assessment is oriented to-
wards decision alternatives in the medium- or long
term context.
2.2 Who shapes decision making
The decision model, laid out above, takes into ac-
count that the ultimate decision maker is not necessar-
ily the end-user of the ValueSec tool. Often decisions
are taken using and/or pooling of information, which
was prepared on lower levels of the administrative
hirarchy. The Chief of Local Police, for example, pre-
pares relevant decisions for the Mayor, who is then
making the final decision
2
. Table 1 below gives an
(non-exhaustive) example of decision making bodies
in the field of security for different decision making
contexts and for different administrative levels.

It can be seen that the upstreaming of information
from lower hierarchical levels to the top will be the
more pronounced the more the decisions can be char-
acterized as strategic and long-term oriented. The
higher the decision maker is in the administrative hi-
erarchy the more s/he also depends on a prepared as-
sessment of potential effects of his/her decision, espe-
cially with respect to effects on the citizen.
It is, therefore, a priority for the successful develop-
ment of a decision support tool to define a specific set
of functionalities, with respect to data input, analysis
and reporting to satisfy the needs and requirements of
decision makers.

2
This effectively breaks up the target group for the
ValueSec tool into two groups; end-users preparing
decisions and final decision makers. For the sake of
simplicity we shall continue describing the target
group simply as decision makers.
Figure 1 Conceptual ValueSec Decision Model
Source [6] based on [5], figure courtesy of Tony
Rosqvist, VTT
Table 1 Examples for security related decision
making bodies Source [6], table courtesy of Tony
Rosqvist, VTT
279
3 Surveying decision makers
requirements
The collecting of requirements of decision makers
with respect to a decision support tool is one of the
first efforts, the project consortium carried out in or-
der to define its desired functionalities. ValueSec col-
lected requirements of decision makers in a first effort
through a workshop format.
3.1 Workshop design
The workshop was designed to get as much structure
input as possible from the participants. To this end,
the input collection was supported through the use of
a computer aided brainstorming tool.
3
Workshop par-
ticipants came from different areas of expertise in the
field of security from infrastructure security to police,
rescue and fire services, to supra-national, national
and regional administration.
The main issues that the workshop tried to investigate
were [4]:
How and under which framework conditions
do public stakeholders make decisions re-
garding security measures?
How is the decision making process struc-
tured?
What are current priorities / parameters that
influence decision-making?
Which parameters are necessary to make in-
formed decisions?
The specific questions addressing these issues were
divided into four sections [4]:
Security related decisions and security meas-
ures encompassing questions regarding the
role, priority and character of decisions and
measures
Security-related decision-making - encom-
passing questions regarding the process steps
of decision making, involved stakeholders,
role of societal impacts as decision parame-
ters and current challenges.
Data requirements and evaluation of security
measures encompassing questions regard-
ing the current state of data- and cost-
benefit-analysis, data sources, the role of
qualitative vs. quantitative data, the handling
of uncertainties and current decision criteria.
End-user requirements encompassing ques-
tions regarding final users and their organ-
izational role, potential implementation ob-
stacles and necessary support to overcome
them, necessary reporting functions and in-
teroperability requirements.

3
The tool used was GroupSystems ThinkTank, see
http://www.groupsystems.com/.
Further comments encompassing questions
regarding drivers for the use of the tool.
3.2 Analysis results
Requirements of decision makers are regarding the
desired support from a tool was given in specific de-
tails [4]. Most stakeholders agreed that the tool will
most probably not be used by the final decision maker
but by supporting staff or (internal or external) con-
sultants preparing decisions. The tool itself should be
easy to use and interoperable with existing software
and data sources. Data security should be ensured.
Customization opportunities should be given with re-
spect to organizations needs and application cases.
The use of web-based services is preferred to soft-
ware application also with respect to lowering main-
tenance costs and efforts.
Reporting functions of the tool should be flexible
with output to be preferred in graphs and color coded.
There is a need for easy comparison of data, effects
and decision alternatives. The flexibility is particu-
larly needed with respect to the customization of own
reports for preparing decisions.
Desired functions for a decision support tool encom-
pass very disparate issues ranging from context analy-
sis and threat identification to the calculation of the
total risk, visualization of effects to calculate total
costs and benefits and prioritization of available
measures the estimation of damage costs.
The availability of reliable data is one of the main is-
sues, which supports the application of the tool. In
this respect stakeholders identified possible obstacles
in the form of comparability of statistical data from
different sources, limited access to data bases, data is
often experience based and historical data might be
unsuitable in certain circumstances.
Further obstacles were identified with respect to the
acceptance of and/or trust in a software- / computer-
based tool, supporting the decision making process in
a sensitive field such as security. This fact relates both
to internal acceptance/trust from decision makers and
external acceptance/trust from potentially affected
stakeholders, e.g. citizens. A major concern is its per-
ceived value added. This incorporates issues, such as
the quality of information provided and the usability.
Additionally, there might be organizational obstacles
as the use of a decision support tool might affect cur-
rent processes and lead to changes in the overall deci-
sion making process.
3.3 Further steps
The workshop will be followed-up by additional
stakeholder consultations to further refine specific re-
sults. The goal is to orient the overall design of the
subsequent ValueSec tool as close as possible towards
280
the requirements of decision makers. This helps to
ensure the relevance of the developed solution and
also supports the future adoption of the tool.
4. Outlook
The ValueSec project will use the results of the ongo-
ing requirement analysis in defining the functional
range of the tool to be developed. This will be done
by taking into account available methodologies to
carry out necessary analysis in the field of risk as-
sessment, cost-benefit-analysis and social impact
analysis.
With the development of the tool, the consortium will
develop realistic use cases together with public stak-
holders in the above mentioned security decision
making contexts to validate the tool and its underly-
ing methodology. These use cases will be carried out
in the final third of the project.
References
[1] Sklavos, N.; Souras, P.: Economic Models and
Approaches in Information Security for Computer
Networks, International Journal of Network Security,
Vol. 2, No.1, PP.1420, Jan. 2006
[2] Drugescu C.; Etges, R.: Maximizing the Return
on Investment on Information Security Programs:
Program Governance and Metrics, Information Se-
curity Journal: A Global Perspective, Vol. 15, Issue 6,
Pages 30 40, 2006
[3] Wilson, J.M.; Jackson, B.A., Eisman, M;
Steinberg, P.; Riley, K.J.: Securing Americas Pas-
senger-Rail Systems, RAND Monographs, MG-705-
NIJ, 2007,
http://www.rand.org/content/dam/rand/pubs/monogra
phs/2007/RAND_MG705.pdf, retrieved June 23,
2011.
[4] Poussa, L.; Rikknen M.; Jhi M.; Rosqvist T.;
Kortelainen, H.; Molarius, R: D2.5 Report on work-
shop user needs and requirements, ValueSec project,
2011
[5] Kortelainen, H.: First ideas about the ValueSec
tool, ValueSec Stakeholder Workshop, Espoo, Fin-
land, May 24, 2011
[6] Blobner, C.; Hutter, R.: The ValueSec Project,
3
rd
iNTeg-Risk Conference, Stuttgart, Germany, June
08, 2011

ValueSec is a project funded by the European Com-
mission within the Security Theme of the 7th Frame-
work Program (Grant Agreement number 261742).
For further information visit www.valuesec.eu.
281
A Historical Analysis on the Nature of Criminal and Terrorist
Threats Against Civil Aviation
Sascha, Goldner, CASSIDIAN, Germany
Magdalena, Pree, Technische Universitt Mnchen, Germany
Abstract
The International Civil Aviation Organization (ICAO) defines criminal and terrorist incidents against civil avia-
tion as "acts of unlawful interferences". The first criminal act has been recorded 1931, the first act of terrorism
1976. Since then the constant threat of unlawful interferences within civil aviation, as well as extensive preven-
tive security measures at airports have become common practice. The goal of our work is to evaluate if the nature
of threats against civil aviation has been changed over the decades and in that case, how the changes manifest
themselves. Based on this analysis we seek for conclusions whether today's security mechanisms at airports are
still adequately aligned to current threats. The basis for our approach consists of a newly created database con-
taining in total 1185 cases of criminal and terrorist incidents from 1960 to 2010. In a next step, several evaluation
criteria have been defined that allow us to characterize each incident sufficiently for the analysis. As an interme-
diate result, we encountered that reliable and official information on security incidents in civil aviation before the
year 2000 is only partially available. As a consequence we performed a more narrowed analysis focusing on the
period between 2000 and 2010. Within this paper we present the findings of our statistical analysis and the con-
clusions we draw from these results.

1 Introduction
Since the 20
th
century civil aviation has become one of
the most important lifelines of our modern world and
evolved to a symbol of mobility and independence.
Generally, our modern, technical-oriented and indus-
trialized society depends on the reliable and robust
provision of civil air transportation services to main-
tain a constant supply of essential goods and services.
But since the beginning, civil aviation has been sub-
ject to criminal and terrorist acts resulting in a con-
stant race between security providers and criminal
forces.
The goal of our work is to evaluate how the nature of
criminal and terrorist incidents has changed over the
decades and how these changes manifest themselves.
Further we seek for conclusions whether today's secu-
rity mechanisms in civil aviation are still adequately
aligned to current threats.
2 Approach
The following approach has been chosen for the his-
torical analysis of incidents in civil aviation:
1) Research of relevant security incidents in civil
aviation and aggregation in a common database
2) Definition of proper evaluation criteria
3) Data analysis based on the specified criteria
The first step of the analysis consists of the collection
and storage of relevant events which have been regis-
tered officially as aviation security incidents. Events
that are safety-related have not been added to the data
pool. Also incidents which occur during the state of
war or during warlike conditions have not been taken
into account. Finally, the data base contains 1185
cases with a criminal or terrorist background in the
time period of 1960 to 2010.
To address the actual question (i.e. how has the nature
of attacks on civil aviation changed over the course of
time?) several evaluation criteria have been defined in
order to provide a sufficient description of the security
incidents for our cause. Regarding the attacker, the
motive, the country of origin, the target and the used
weapon were considered. Further evaluation criteria
are the affected security mechanism and the outcome
of the incident. Based on these criteria each event has
been characterized and stored in the database. Even-
tually the third step comprises the actual data analysis
whose results are presented in the next chapter.
During the first step it became apparent that the data
regarding security incidents in the years before 2000
is to a high degree unreliable and patchy. Therefore
we performed a second analysis focusing on the pe-
riod between 2000 and 2010. Nevertheless we made a
conscious decision to publish all available results.
Chapter 3.1 contains the long-term statistics from
1960 to 2010, whereas Chapter 3.2 consists of the
short-term analysis between 2000 and 2010.
282
3 Results
3.1 Long-Term Statistics from 1960 to
2010
3.1.1 Incidents from 1960 to 2010
Figure 1 shows an overview of all 1185 incidents that
have been taken into account within our analysis. The
statistics differentiates between criminal incidents and
hijackings which is a common practice in aviation se-
curity.
Figure 1 Incidents from 1960 to 2010
Criminal occurrences are cases where an airliner was
sabotaged (e.g. by the detonation of an explosive de-
vice on board) or the victim of an in-flight attack (e.g.
shot down using ground-based weapons or shot down
by another airplane) [1]. All together there were 997
hijacking events and 188 criminal occurrences. These
incidents have been analyzed based on the defined
evaluation criteria.
3.1.1 Motive
An attackers motive has been divided into three main
categories: personal, religious and political. The cate-
gory personal contains only cases where personal
gain is the primary target, e.g. (political) asylum, re-
venge, blackmail. But also incidents caused by men-
tally ill persons are assigned to this category.
Politically driven actions contain incidents by terrorist
groups like the RAF, FARC or Al-Qaeda. The primary
motive of such incidents is the implementation of a
different political system or attitude affecting not only
single persons but mostly a big portion of a society.
The third category comprises all events based on pure
religious motives. For some incidents a precise as-
signment to one of these categories is not possible be-
cause a clear distinction of the motives cannot be
made. Cases like 9/11 which are politically and relig-
iously driven are nevertheless accounted as politically
motivated incidents. Figure 2 shows the motives of all
1185 incidents.
Figure 2 Motive for an Attack
3.1.2 Country of Origin
The next statistic deals with the attackers country of
origin. In case an incident was caused by a group, only
a single country of origin has been taken into account.
Apart from the fact that in most of the cases it was not
possible to find out the perpetrators origin, there can
be discovered some peaks: USA (66), Russia (66),
Colombia (52), China (43), Cuba (26) and Angola
(25). Only countries with a value greater or equal 10
have been considered in Figure 3.
Figure 3 Country of Origin of an Attacker
3.1.2 Affected Security Mechanism
The goal of analysing the incidents according to the
affected protection mechanism is to identify the most
penetrated security elements and thereby the key ele-
ments of the security system. As Figure 4 shows, the
passenger security checkpoint at an airport is subject
to most of all unlawful interferences and therefore the

283
key element in aviation security. The high amount of
unknown cases is due to the insufficient documenta-
tion of cases before 2000.
Figure 4 Affected Security Mechanism
3.1.2 Target
Figure 5 shows that in 986 of all cases, which is
83,2%, the aircraft was the primary target of the at-
tack. Regarding the category air cargo, only inci-
dents have been assigned to this category where a
cargo aircraft was the primary target. Cases where
cargo was used to smuggle a weapon, e.g. explosive
devices, onboard of a passenger flight to perform the
attack during the flight, were assigned to the category
aircraft because the cargo was only a means to an
end.
Figure 5 Target of an Attack
3.1.2 Weapons
Figure 6 shows that explosive devices with 24,4% are
the most common weapon used in an attack, followed
by firearms with a percentage of 14,6%. However, in
most of the cases the type of weapon could not be de-
termined due to the lack of documentation.
Figure 6 Weapon
3.1.2 Attack outcome
According to Figure 7 most of the attacks could be
prevented. This includes all cases where the attacker
surrendered, was arrested or somehow overpowered
by occupants resulting in 574 prevented incidents
which is approximately 50% (48, 4%). Nevertheless,
in 385 cases the attack was fully or partially success-
ful.
Figure 7 Outcome of an Attack
As already mentioned before, for quite a number of
events not every evaluation criterion could be de-
scribed sufficiently especially cases before the year
2000. As a consequence we decided to perform a
short-term analysis focusing on the period between
2000 and 2010. Again the same evaluation criteria
were applied.

284
3.2 Short-Term Statistics from 2000 to
2010
This paragraph contains an overview of the analysis
results regarding aviation incidents between 2000 and
2010. In summary 94 incidents have been taken into
consideration based on the prior defined criteria (ex-
cept the country of origin).
Figure 8 Motive for an Attack
Figure 9 Affected Security Mechanism
Figure 10 Target of an Attack
Figure 11 Weapon
Figure 12 Outcome of an Attack
3.3 Interpretation of the Long-Term
and Short-Term Statistics
In this chapter we compare the results of the two sta-
tistics and draw our conclusions whether the prevail-
ing nature of unlawful interferences in civil aviation
has been changed in the course of time and more im-
portant, whether todays security mechanisms are for
the most part in line with the threat situation.
Regarding the motive, the long-term results (see Fig-
ure 2) with 75,5% and the short-term results (see Fig-
ure 8) with 72,6% indicate almost no change of the
primary motivation for an attack. Personal reasons
remain the main motivation for an attack on civil avia-
tion.
Regarding the affected security mechanisms it can be
observed that the passenger security checkpoint has
been subject to the highest amount of incidents (see
Figure 4 and 9). This applies to incidents of the last
decade (63,8%) and also to the long-term analysis
(52,6%).
Comparing the used weapons (see Figure 6 and 11),
the tendency for the usage of explosive devices hasnt
changed significantly. They are still the most used
kind of weapon with 25,5% (short-term analysis), re-

285
spectively 24,4% (long-term analysis). This conclu-
sion should be treated with caution because a high
amount of cases remain where the used weapon is still
unknown.
As for the target of an attack, the aircraft still is the
objective with number one priority. In 83,2 % of all
cases from 1960 to 2010 the airplane was the primary
target, from 2000 to 2010 even in 89,4% of all cases
(see Figure 5 and 10).
At last, the outcomes of the incidents have been com-
pared. The most interesting point here is, that based
on the long-term statistics 48,4% of all incidents could
have been prevented. During the last decade the num-
ber of prevented attacks increased even to 64,8%.
On basis of these results, we can conclude that the
most likely incident is caused by an attacker who has a
personal motive and uses an explosive device to force
the fulfilment of these demands. Further the attacker
acts as a regular passenger and intends to pass the ex-
plosive device undetected through the passenger secu-
rity check on board of an airplane.
This fits exactly the description of the classical
threat scenario in civil aviation. So, we can conclude
two assumptions from that. First, the classical threat
is still more than up-to-date. Based on that and the fact
that the number of prevented incidents of the short-
term view increased significantly in comparison to the
long-term view, the second assumptions is that the se-
curity mechanisms in civil aviation are adequately
aligned to current threats.
4 Conclusion
The main motivation of this work was the question
whether and how the nature of security incidents
within civil aviation has been changed over the years.
Therefore, a long-term statistics as well as a short-
term statistics has been performed on a database con-
taining 1185 officially registered security incidents.
The long-term analysis (1960-2010) is a kind of mean
value over all considered incidents and represents a
long-range tendency in aviation security. In contrast to
that, the short-term analysis focuses on a more recent
time period (2000-2010) and thereby generates more
up-to-date results.
Based on these two historical statistics it can be ass-
sumed that the prevailing nature of unlawful interfer-
ences in civil aviation has hardly changed in the
course of time and that the security mechanisms are
for the most part in line with the current threat situa-
tions. Also, the "classical" threat - an attack performed
by a perpetrator acting as a regular passenger using
explosive devices to target an airplane is still most
up-to-date.
At his point it again has to be pointed out that the
availability of reliable, complete and official data re-
garding security incidents in civil aviation is some-
times rather poor. Also, it has to be assumed that a lot
of incidents are not reported at all and remain unoffi-
cial.
References
[1] Ranter, H.: Airliner Accident Statistics 2006,
the Aviation Safety Network, January 2007
[2] University of Maryland: Global Terrorism Da-
tabase, National Consortium for the Study of
Terrorism and Responses to Terrorism (START),
accessed on February 25
th
, 2011
[3] Aviation Safety Network: ASN Aviation Safety
Database, accessed on February 25
th
, 2011
[4] Avihai, H.: Aviation Terrorism: Evolution, Mo-
tivation and Escalation, VDM Verlag, 2009
[5] AirSafe.com: Fatal U.S. Hijacking Events Since
1970, accessed on February 25
th
, 2011
286
esfo The Information System on European Security Research
Joachim Burbiel, Beate Becker, Sonja Grigoleit, Merle Missoweit, Sabine Mller, Britta Pinzger, Silke Rmer,
Ruth Schietke, Joachim Schulze, Fraunhofer Institute for Technological Trend Analysis INT, Germany
Abstract
A web-based information system on European security research has been developed at the Fraunhofer Institute
for Technological Trend Analysis INT. It contains information on key actors and elements of European security
research: Eight states as prime contractors of security research, the European Union as a political and economic
entity, approx. 80 organisations and public sponsors of research, approx. 60 research organisations, approx. 80
companies and industrial associations, approx. 70 strategic documents, and approx. 40 research programmes and
projects.
The information is interlaced by a complex ontology, giving insight into the manifold relationships between the
entities captured. The esfo information system is freely accessible at http://www.sicherheitsforschung-
europa.de (German only). It is updated twice a year by scientists of Fraunhofer INT.

1 Introduction
1.1 Background
European security research is a complex and dynamic
subject. Its primary purpose is to identify threats and
dangers, and to counter them through research and
development. Security research is closely related to
the European security and defence market, since eco-
nomic interests play a major role in its development.
For several years, the staff of the Business Unit Plan-
ning, Programs and Structures in Research and Tech-
nology of the Fraunhofer Institute for Technological
Trend Analysis INT has been analysing Europes se-
curity research landscape. As part of the project Ap-
plying Defence Technology Competence to Civilian
Fields, a program supported by the Federal State of
North Rhine-Westphalia, these scientists have con-
densed facts and data about actors, structures and pro-
grams, into a web-based information system (see Fig-
ure 1).
Figure 1 Screenshot of the esfo starting page

The system primarily addresses scientists and re-
search planners in security-oriented companies and
organisations.
1.2 Ontology
A special feature of esfo is that these data are linked
by a complex ontology (for example showing that
nation A is participating in project B, or that
document A contains information on organization
B; see Figure 2). These links enable users to identify
connections that would otherwise be difficult to rec-
ognize.

2 Implementation
2.1 Technical implementation
Technically, esfo is realised using Webgenesis
, a
framework for generating web-based information sys-
tems developed by Fraunhofer IOSB [1]. The content
is stored in a database and the web representation is
built dynamically. esfo employs the Webgenesis
fea-
tures for ontology representation. The database and
the web server are hosted by Fraunhofer IOSB. A lo-
cal copy of the database is updated continuously at
Fraunhofer INT and shifted to the internet server
twice a year.
287
2.2 Content philosophy
The esfo information system does not aim at com-
pleteness but at representing a choice of relevant
facts. In the case of states this means that eight ma-
jor European actors have been chosen (France, Ger-
many, Italy, the Netherlands, Sweden, Spain and the
United Kingdom, plus Israel as member of the Euro-
pean Union's Framework Programmes for Research
and Technological Development). In the case of in-
dustry, the choice for inclusion is dependent on the
involvement of the individual company in security
research, documented e.g. by participation in the FP7
Security Research Programme or by sustaining dedi-
cated research centres. These principles are generally
applied to all types of entries.
As a general rule, names of persons are only men-
tioned in the context of documents to avoid the pres-
entation of outdated facts.
2.3 Updating policy
Security research is a highly dynamic domain. In or-
der to give a relevant representation, the online ver-
sion of esfo will receive an update approx. every six
months. These updates will normally take into con-
sideration new relevant documents issued during this
time. Other new entries are generated when appropri-
ate. Furthermore, all numbers given are checked for
being up to date.
Figure 2 Schematic representation of the ontology
3 Access
Since January 2011, the major part of esfo is available
to the general public free of charge at:
http://www.sicherheitsforschung-europa.de

There is a charge for the premium sector, which offers
a range of in-depth analyses on a variety of key sub-
jects.

For further information please contact:
esfo@int.fraunhofer.de

Reference
[1] Fraunhofer IOSB, WebGenesis
- Generie-
rungssupport fr Web-basierte Informationssys-
teme,
http://www.iosb.fraunhofer.de/?webgenesis
Acknowledgements
The authors wish to acknowledge the contributions of
Sylvia Scheid (web design) and Florian Kotzur
(graphics).
is seat of / is involved in
is focal point of
is
fo
c
a
l p
o
in
t o
f
Actors
Industry
Enterprises,
industrial associations
Research
Research institutions and
-organisations
Documents
Strategic documents, treaties,
political, concepts
Subject Fields
Classification into safety-related
taxonomy
Countries
incl. EU
Programmes/Projects
Security research programmes,
selected international projects
Public Sponsors
Political/state actors and
organisations
is
s
e
a
t o
f / is
in
v
o
lv
e
d
in
i
s

c
o
n
t
r
a
c
t
o
r

o
f
is
c
o
n
tr
a
c
to
r
o
f
is seat of
i
s

c
o
n
t
r
a
c
t
i
n
g

e
n
t
i
t
y

o
f
i
s

i
n
v
o
l
v
e
d

i
n
c
o
n
ta
in
s
in
fo
rm
a
tio
n
a
b
o
u
t
c
o
n
t
a
i
n
s

i
n
f
o
r
m
a
t
i
o
n

a
b
o
u
t
i
s

p
u
b
l
i
s
h
e
r

o
f
c
o
n
t
a
i
n
s

i
n
f
o
r
m
a
t
i
o
n

a
b
o
u
t
i
s

f
o
c
a
l

p
o
i
n
t

o
f
i
s

f
o
c
a
l

p
o
i
n
t

o
f
i
s

p
u
b
l
i
s
h
e
r

o
f
is focal point of
288
Novel Sensor Platform for Multiplexed Trace Detection of Haz-
ardous Substances
Peter Ltzow, Daniel Pergande, Helmut Heidrich, Rozalia Orghici, Sophie Huscher, and Wolfgang Schade,
Fraunhofer Heinrich Hertz Institute, Einsteinufer 37, 10785 Berlin, Germany
peter.luetzow@hhi.fraunhofer.de
Abstract
Robust, reliable and easy to use sensors with fast response and negligible false alarm rate are of utmost interest
in safety and security applications. Integrated optical refractometric waveguide sensors have already been shown
to feature high sensitivity and fast response rate. Yet, reliability and specificity are seldomly addressed in this
context.
In this paper a novel approach for multiparameter detection of target species with arrays of frequency modulated
integrated optical microring resonators (MRR) is presented. The detection principle and first experimental inves-
tigations are described. Furthermore, initial experiments towards the realization of a highly sensitive and specific
sensor system for the detection of explosives are reported.

1 Introduction
Research on wafer-scale processing of integrated op-
tical waveguide circuits has focused mainly on tele-
communication applications for decades. Mature
technology and cost-effective high end laser systems
have resulted from this effort and paved the way for
research into other directions. Research on sensor ap-
plications based on integrated optics technology has
been particularly fruitful and amazing sensitivities
down to single molecule detection have been demon-
strated [1]. Microring resonators (MRR) are currently
among the most promising transducers in miniatur-
ized integrated optical sensors [2-4]. Usually, analyte
detection is based on the measurement of shifts in
resonance frequency caused by local changes in am-
bient refractive index. A chemically selective receptor
coating is employed to specifically promote the ac-
cumulation of target molecules on the MRRs surface
leading to an increase in local refractive index with
analyte concentration. While the use of a single recep-
tor layer already provides basic selectivity, many
practical applications require multiparameter analysis
in order to ensure the selectivity necessary to un-
doubtedly identify a set of certain target species.
Here, we present a novel approach for multiparameter
detection of hazardous species and review our recent
progress in developing this sensor platform. Our aim
is to close the gap between the high sensitivity pro-
vided by cost-effective integrated optical sensor tech-
nology and the large specificity needed in future secu-
rity applications.
2 Platform Concept
A schematic of the proposed sensor platform [5] is
shown in Figure 1. Multiple MRR are coupled to a
single feeding waveguide and each MRR is equipped
with a heating electrode used to modulate its reso-
nance frequency. While one part of the MRR is coated
with complementary chemically selective layers an-
other part serves as a reference to compensate for un-
specific adsorption and temperature drifts. The
knowledge of the resonance frequency shifts of all
MRR provides the necessary information on the pres-

Figure 1 Schematic of the sensor platform. Coloured
windows represent different chemically selective re-
ceptor coatings. Orange structures are electrical con-
tacts to the heating sections that are bent around each
ring. Thin blue lines trace the optical waveguides.
289
ence of the target species to be detected. Figure 2
shows the transmission spectrum of an unmodulated
array of 4 MRR with quality factors around 40,000
along with the MRRs individual contributions to the
combined spectrum deduced from a fit. The spectrum
is periodic in the frequency domain and the wave-
length difference between successive resonance or-
ders is called the free spectral range (FSR). Despite
the identical design of all four resonators, the large
sensitivity of the MRR to minute deviations in device
dimension, conditional of manufacturing, leads to dif-
ferences in the resonance wavelengths. As can be seen
in Figure 2, the number of resonators that can be
coupled to a common bus waveguide without induc-
ing significant spectral overlap depends on both the
FSR and the line width of the resonances. Since with
common readout schemes spectral overlap makes it
difficult to separate the individual resonances, an in-
crease in the number of resonators necessarily leads
to a reduction of the dynamic range of the sensor or
even completely hinders the tracking of resonance
frequencies.
In order to avoid this limitation we thermo-optically
modulate each ring and use lock-in detection, i.e.,
phase sensitive spectral filtering, to deduce the
MRRs individual signals. Figure 3 illustrates the
great potential of this method. Shown is a part of the
simulated spectrum of two individual MRR with
overlapping resonances coupled to a single bus
waveguide (shaded area). A clear identification of in-
dividual resonances is impossible from the actual
spectrum. However, if one of the rings is modulated,
the lock-in analysis reveals a distinct dip in the signal
that can be used to precisely track the resonance even
in case of strong spectral overlap. A detailed deriva-
tion of the detection principle along with the parame-
ters used for the simulations can be found in [5].

3 Design and Fabrication
First test devices have been fabricated on 100 mm
silicon wafers. A part of a processed wafer is shown
in the background of Figure 4. The lower inset shows
a microscope image of an exemplary MRR with metal
electrodes for thermal modulation. In the scanning
electron microscopy (SEM) image in the upper inset a
detailed view on waveguide and metal strip is given.
Waveguide cores made from silicon nitride are opti-
cally isolated from the silicon handle wafer by a thick
layer of thermal oxide. The waveguide widths range
from 1 to 1.5 m and all waveguides are designed to
Figure 2 Transmission spectrum of an array of 4 MRR
coupled to a single bus waveguide including line fits to
the resonances in order to clarify the individual contri-
butions of each ring to the combined spectrum and its
periodicity.

Figure 4 Fabricated test structures. Background:
100 mm Silicon wafer with MRR arrays. Lower in-
set: Microscope image of an exemplary MRR. The
waveguides are seen as thin lines surrounded by
metal structures. Upper inset: SEM image giving a
more detailed view on part of the MRR waveguide
and metal heater.

Figure 3 Simulated spectrum of two individual MRR
with partially overlapping resonances (shaded area)
coupled to a single bus waveguide. The MRRs indi-
vidual resonances are also shown for clarity (blue
and red curves). The dashed green line is the simu-
lated lock-in amplitude.

290
operate mono-mode for TE-polarization at telecom-
munication wavelengths around 1,550 nm. MRR radii
are chosen around 100 m. For the thermal modula-
tion, platinum electrodes are used. The process flow
used for early test devices is given in [5].
3 Experiments
3.1 Platform proof of principle

Initial platform characterization has been performed
using an external cavity laser source. Lensed fibers
were employed to launch the optical signal into the
bus waveguides and the cleaved chips were tempera-
ture stabilized during measurement. At the output side
of the chips light was collected by a high numerical
aperture microscope objective. The signal was di-
vided by an optical beam splitter and sent to both, an
infrared camera and a photo detector connected to a
lock-in amplifier. Heating electrodes were electrically
contacted using manual probe heads and the electrical
signal was supplied by a function generator. Figure 5
shows the transmission spectrum of an array of 4
MRR with moderate quality factors around 8000. Two
of the resonances (yellow shaded area) overlap too
strongly to locate the individual resonance frequen-
cies of the respective MRR. As a proof of principle
we used the modulation scheme described above.
Subsequently both MRR were modulated with a fre-
quency of 6 kHz. Figure 6 shows the resulting lock-
in signals in the relevant wavelength range.
The signals show distinct minima associated with the
respective mean resonance frequencies of the modu-
lated resonators. The modulation phase of the output
signal with respect to the phase of the modulation in-
put was also plotted. The resonance frequencies are
marked by a phase shift of 180.

3.2 Trace detection of explosives
A promising application of our sensor platform is
multiparameter detection of hazardous agents such as
explosives. First experiments related to the detection
of trinitrotoluene (TNT) were performed by using a
single MRR [6]. For these investigations a tuneable
DFB laser diode with a central emission wavelength
of 1,572 nm was used. The sensor chip was com-
pletely fiber pigtailed and mounted in a brass cage
serving as a gas cell for online measurements. A re-
ceptor layer (triphenylene-ketals) [7,8] with high
binding affinity to TNT was employed to provide ba-
sic selectivity. Figure 7 shows the shift in resonance
wavelength of the MRR transducer measured at dif-
ferent concentrations of TNT. The detection limit is in
the range of 500 ppt under ambient conditions. As can
be seen from Figure 8 the specifity is already impres-
sive. Nevertheless, the sensor displays a marked
cross-sensitivity to the structurally similar 2,4 DNT,
which is a precursor and a decomposition product of

Figure 6 Lock-in signals from modulated MRR with
overlapping resonances.

Figure 7 Single MRR sensor response to changing
concentrations of TNT.

Figure 5 Transmission spectrum of 4 MRR with par-
tially overlapping resonances.

291
TNT. For field applications, further functionalized
binding sites as well as reference and control elements
with a preferably high level of redundancy are needed
and can be realized by using the presented MRR array
technology for multiparameter detection.

We have presented a novel concept for multiparame-
ter detection of chemical species using arrays of fre-
quency modulated microring resonators as optical
transducers. We have described the basic idea and
given first experimental proof of concept. In addition,
highly sensitive detection of the explosive TNT under
laboratory conditions has been demonstrated using
single microring resonators. We are currently merging
both efforts to realize a highly sensitive and specific
sensor system for the detection of explosives that is
suited for field applications. Furthermore, recent op-
timizations in the fabrication process allow us to real-
ize higher quality factor resonators which will help to
significantly lower the possible detection limit.

References
[1] Armani, A. M.; Kulkarni, R.P.; Fraser, S.E.;
Flagan , R.C.; Vahala, K.J.: Label-Free, Single-
Molecule Detection with Optical Microcavities,
Science, Vol. 317, No. 5839, pp. 783-787, Au-
gust 2007
[2] Chao, C.-Y; Guo, L.J.: Biochemical sensors
based on polymer microrings with sharp asym-
metrical resonance, Appl. Phys. Lett., Vol. 83,
No. 8, pp. 1527-1529, August 2003.
[3] Chao, C.-Y; Guo, L.J. : Design and optimiza-
tion of microring resonators in biochemical
sensing applications, J. Lightwave Technol.,
Vol 24, No. 3, pp 1395-1402, March 2006
[4] Passaro, V.M.N.; DellOlio, F.; De Leonardis, F.:
Ammonia optical sensing by microring resona-
tors, Sensors, Vol. 7, No. 11, pp. 2741-2749,
November 2007
[5] Ltzow, P.; Pergande, D.; Heidrich, H.: Inte-
grated optical sensor platform for multiparame-
ter bio-chemical analysis, Opt. Express, Vol.
19, No. 14, pp. 13277-13284, July 2011
[6] Orghici, R.; Ltzow, P.; Burgmeier, J.; Koch, J.;
Heidrich, H.; Schade, W.; Welschoff, N.; Wald-
vogel, S.: A microring resonator sensor for sen-
sitive detection of 1,3,5-Trinitrotoluene (TNT),
Sensors Vol. 10, No. 7, pp. 6788-6795, July
2010
[7] Schopohl, M.C.; Faust, A.; Mirk, D.; Frhlich,
R.; Kataeva, O.; Waldvogel, S.: Synthesis of
Rigid Receptors Based on Triphenylene Ketals,
Eur. J. Org. Chem., Vol. 2005, No. 14, pp. 2987-
2999, July 2005
[8] Lubczyk, D.; Siering, C.; Lrgen, J.; Shifrina,
Z.B.; Mllen, K.; Waldvogel, S.R.: Simple and
sensitive online detection of triacetone triperox-
ide explosive, Sensor. Actuator B-Chem. 2010,
Vol. 143, No. 2, pp. 561-566, January 2010

Acknowledgements
The authors acknowledge fruitful cooperation with
H.J.W.M. Hoekstra (University of Twente) and H.
Venghaus. The work on the platform technology was
performed within the MINIMUM project (Grant-No:
101 47 221), partly funded by the Investitionsbank
Berlin (IBB) and the European Regional Develop-
ment Fund (ERDF). Financial support by the BMBF
under contract 13N9475 is gratefully acknowledged.

Figure 8 Cross-Sensitivity of the Single MRR sensor
to structurally similar analytes.
292
Change Detection on Millimeter-Wave SAR Images
for C-IED Applications
Mark Asbach, Georgios Evangelidis, Christian Bauckhage, Fraunhofer IAIS, Germany
Helmut Essen, Gregor Biegel, Thorsten Brehm, Stefan Sieger, Fraunhofer FHR, Germany
Abstract
Countering improvised explosives devices (IEDs) is a major concern for troops in peacekeeping and peace-
enforcing missions: the threat to become a victim of terrorists attacks by IEDs is present everywhere. Sensors
onboard of unmanned areal vehicles (UAVs) are one option to be able to survey a larger terrain for IEDs.
Among other imaging sensors, synthetic-aperture radar (SAR) can contribute to detect and classify the signature
of suspicious devices on the ground. Experiments have been conducted with a millimeter-wave SAR operating
simultaneously at 35 GHz and 94 GHz. Generic IEDs were put into the field and images have been generated for
the co- and cross-polarized channel at both radar frequencies. A change detection algorithm has been applied to
the data, which has been specially optimized for the application. The paper describes the experiments and dis-
cusses the detection algorithm in detail.

1 Introduction
Improvised explosive devices are currently a major
threat for the forces operating in peace-enforcing mis-
sions. They are mainly positioned close to or beneath
roads serving as routes for convoys. No special con-
struction or shape is known for an IED. However, a
common feature is the very high amount of explosive
material capable to destroy even heavy vehicles. Typi-
cally, they are not visible at the first glance, as they
are buried in the ground or hidden among non-
suspicious objects. Detecting such IEDs is a counter-
IED (C-IED) measure vital to secure supply routes
during peacekeeping missions of the armed forces.
Millimeter-wave radars can be miniaturized in such a
way that they may be used as sensors onboard of tac-
tical UAVs. Radars operating in this section of the
frequency spectrum are especially suited to detect
small-scale features on the ground. Due to the wide
bandwidth of the transmit signal of the radar, which
can be accommodated at millimeter-wave frequencies,
a high range resolution up to or even smaller than a
decimeter is possible. Although penetration into the
ground is not possible, indirect signatures of buried or
small objects on the ground can be determined from
the air.
A powerful tool to detect those IEDs is change detec-
tion between SAR images from successive flights
over the same terrain. To implement a change detec-
tion algorithm, one flight has to be done sufficiently
early to generate the reference scene. Shortly before
the convoy is passing the route, a second flight has to
be done from which the change detection algorithm
can derive alarms for items present in only one of the
SAR images. These alarms may be used to guide
ground-penetrating radars mounted on a ground vehi-
cle.

2 Change Detection with
Millimeter-Wave SAR
The following outline describes, how we envisage to
detect IEDs from change detection on SAR images:
1. During the planning phase of a convoy, conduct a
first flight over the area that will be passed by the
vehicles and record radar data.
a. Construct a single, large reference image by
SAR processing.
b. Extract key regions from the reference image
and store them in a database to allow for fast
queries at later stages.
2. Shortly before the convoy leaves, record the same
area from a tactical UAV. During the UAV flight
continuously
a. process radar data with a SAR algorithm,
b. coarsely register each SAR stripe to the refer-
ence image by using database keys,
c. fine-tune the registration, and
d. calculate a change map from registered image
areas.

2.1 The MEMPHIS Radar
MEMPHIS (Millimeter-wave Experimental Multi-fre-
quency Polarimetric High-resolution Interferometric
System) is a high-resolution SAR system, developed
and operated by Fraunhofer FHR [1]. The radar oper-
ates simultaneously at the 35 GHz and 94 GHz radar
293
bands, with a bandwidth of 800 MHz, using a pulsed
waveform with synthetic stepped-frequency chirp.
This provides a slant range resolution better than
0.2 m. MEMPHIS has four receiver channels at each
of the nominal transmit frequencies of 35 GHz and
94 GHz. Depending on the antenna, they can be used
for polarimetric or interferometric measurement con-
figurations. In the polarimetric mode, right-hand (R)
circular polarized pulses are sent, while co- (RR) and
cross-polarization (RL) are simultaneously recorded.
For the experiments discussed here, MEMPHIS was
mounted onboard a C-160 Transall airplane, flying at
relatively low altitude (300 m to 1000 m above
ground level). The collected data typically have a
swath width of 600 m, and can be up to 3 km long in
flight direction. Figure 1 shows MEMPHIS onboard
the C-160.
Figure 1 MEMPHIS radar onboard C-160

2.2 Image Processing on SAR data
Because flight routes differ slightly between the first
and the successive flights, pixels of the recorded SAR
images are not aligned between the flights and a direct
image comparison is impossible. Although georefer-
encing performed by the Remote Sensing Lab (RSL)
in Zurich is highly precise [2], a pixel-wise correspon-
dence cannot be guaranteed. Image registration tech-
niques are necessary to ensure direct correspondence
of pixels from subsequent flights, as registration er-
rors have proved to significantly impact the perfor-
mance of change detection algorithms [3].

After images have been registered, the task of change
detection is to estimate the so-called change mask,
that holds a set of pixels that are significantly differ-
ent between two images of a sequence [4]. Subtract-
ing image intensities of two corresponding pixels and
comparing the difference to a global threshold can
generate this mask. Since raw SAR images contain a
high level of speckle noise and different scans reflect
different noise realizations, the resulting change mask
is quite prone to false positives. In the literature,
change detection in SAR images is typically applied
to geographic mapping, where changes appear as con-
tiguous areas. As a consequence, instead of com-
paring single pixels, statistical properties of pixel
groups can be evaluated, resulting in an improved
change mask [5]. An alternative is to first classify im-
age regions into known types like buildings, forest,
roads, etc. and then finding changes in labels [6].
Contrary to these scenarios, the changes to be detect-
ed here are very small, as IEDs are built from small
parts with a diameter of two to three pixels relative to
the resolution of the SAR images. This hampers de-
tection by regional statistics. Moreover, there is not a
special signature, which could be attributed to the typ-
ical IED, also there are only indirect signatures, which
are sensed by the millimeter-wave radar and even
more also complete different environments, like open
terrain, arid or woodland, or urban terrain have to be
considered as background. Therefore typical object
detection methods for SAR images cannot be applied
(for an overview on such methods, see [7]).
2.2.1 Fast Image Registration
Our aim is to allow for online processing of the SAR
data recorded during the second flight. This requires
fast registration of newly acquired images to the exist-
ing data from the first flight. During the last years, the
concept of local image features has emerged as a tool
for image retrieval and registration. Here, we chose to
apply the SURF interest point detector and de-
scriptor [8] that identifies salient regions in scale
space. The appearances of these regions are then de-
scribed by the low-dimensional SURF-36 descriptor
composed of 36 values that can be used as a database
key further on.
For every incoming SAR stripe, we extract SURF in-
terest points and use their descriptors to find corre-
sponding landmarks in the reference image. Random
sample consensus (RANSAC) [9] exploits these cor-
respondences and yields the most likely homography
that aligns the input stripe with the reference image.
Notice that the homography model sufficiently de-
scribes the alignment between the images since the
altitude of flights is orders of magnitude larger than
the height of acquired objects (buildings, trees, moun-
tains, etc.).

294
2.2.2 Registration Refinement
Speckle noise in SAR images can lead to biased esti-
mation of the locations of interest points. Hence, alt-
hough RANSAC scheme rejects false positive match-
es, the above feature-based registration scheme pro-
vides a draft alignment and a refinement step is
required towards accurate change detection results. To
this end, the ECC algorithm [10] is initialized by the
output of the RANSAC model estimation and exploit-
ing all pixels of the stripes (area-based registration)
provides a more stable and exact homography. We
use the latter to warp the stripe and compute differ-
ences from the reference image.
2.2.3 Calculation of the Change Map
As described in the introduction, IEDs are small and
their exact shape is unknown in advance. Conse-
quently, higher order statistics cannot be employed to
discriminate changed regions from background re-
gions. Instead, we calculate the difference image of
the registered SAR intensities. If registration refine-
ment operates correctly, the noise contained in the dif-
ference image is uncorrelated between neighboring
pixels [11]. Because the image content is locally cor-
related, spatial low-pass filtering can reduce the noise
without impacting image contents. In our approach, a
Gaussian low-pass filter with a small standard devia-
tion is applied to the difference image. This has the
additional advantage that the (symmetric) filter kernel
is very similar to the expected small and blob-like
changes and consequently the chosen low-pass filter
approximates a matched filter. A similar approach is
described by Weydahl, who uses a box filter to en-
hance small-scale changes in SAR difference imag-
es [12]. Subsequent pixel-wise comparison with a
global threshold leads to a binary change map. As de-
scribed by Bruzzone and Prieto, statistical dependen-
cies of neighboring pixels can be exploited by model-
ing the difference image as a Markov random field
(MRF) [13]. The underlying parameter estimation,
however, is computationally expensive. To reduce
processing costs, we chose to approximate the result
by applying morphological opening to the binary
change map.
3 Counter-IED Experiment
3.1 Measurement Scenario
Measurements were conducted at the training area
Storkow, northeast of Berlin. To provide orientation
for the pilot of the aircraft, the area was chosen to in-
corporate a gravel road and four marker reflectors
with 360 visibility were placed at the corners of the
rectangular target area. During a first flight, a SAR
image was acquired without target objects on the
ground to serve as a reference. After installation of
eight IED-like objects, a second flight was conducted.
The objects were chosen to represent typical compo-
nents of IEDs, like gas canisters or anti tank mines
(depicted in Figure 2) and similar small objects with a
size < 0.5 m. Reflector locations were measured with
a handheld GPS indicator and the placement of the
target objects relative to the reflectors was assessed
with a tape measure. The full geometry of placed ob-
jects in relation to the gravel road and the marker re-
flectors is depicted in Figure 4.

Figure 2 Photos of IED-like objects

3.2 SAR Image Quality
To test the data quality and to allow a first overview,
the airborne data were processed using a quick-look
SAR algorithm [14]. The resulting images have a res-
olution of 75 cm. Figure 3 shows reference images for
both radar frequencies, 35 GHz and 94 GHz. It de-
monstrates, as expected from earlier measure-
ments [15], that at 94 GHz gravel roads can be seen
much more clearly, because of the enforced sensitivi-
ty for small-scale surface roughness.

Figure 3 Cutout of SAR images at 94 GHz (above)
and 35 GHz (below), co-polar channel each
295
The high-resolution SAR images were processed with
the SAR algorithm developed by RSL University Zur-
ich [16]. They serve as a basis for the change detec-
tion process.

3.3 Change Detection Results
High-resolution SAR stripes of the second flight were
registered onto the first flight image according to the
two-step procedure described above. Figure 4 shows
the target area from the first flight with a registered
single stripe of the second flight already subtracted.
The binary change map shows detected changes as
black dots; circles indicate the position of IED-like
objects. Because of the noise contained in the SAR
images, a couple of false positive changes can be
found in the change map. Using a morphological
opening filter, these false positives are eliminated at
the cost of a true positive (see Figure 4d and 4e) get-
ting removed as well.
Comparing radar bands and polarizations, the best ra-
tio of detected IED-like objects versus false positives
was obtained in the 35 GHz band with RR (co-polar)
reception. This setup also shows the highest absolute
number of correctly detected objects (see Table 1).
Co-polarized channels exhibit a higher number of de-
tected objects, which is expected, as man-made ob-
jects oftentimes possess surfaces angled at 90 that
result in an even number of polarization changes.

True positives False positives
94 GHz RR 0 (1) 0 (12)
35 GHz RR 5 (6) 1 (> 15)
94 GHz RL 1 (2) 3 (> 20)
35 GHz RL 3 (3) 4 (> 20)
Table 1 Total number of correct detections and false
alarms for the combinations of radar frequencies and
polarizations. Numbers in brackets represent results
without morphological post processing.
Target objects T1, T4, and T7 were visible in multiple
channels, while targets T2, T3, and T6 were only vis-
ible in the 35 GHz co-polar channel.
In this paper, we have described a novel approach to
the detection of improvised explosive devices that is
based on change detection from airborne synthetic ap-
erture radar images. The proposed approach was test-
ed on a set of eight small (diameter < 0.5 m) objects
that were placed onto grassland after a reference SAR
image was taken. Our change detection method is able
to correctly detect five out of eight targets with two
additional false alarms. Two targets were not detected
in any tested radar frequency, albeit one of the targets
seems to be placed in the radar shadow of nearby
trees. A third target was visible in the unfiltered
change maps but got removed by the closing opera-
tion because of its small size. In summary, we con-
clude from our experiments that it is possible to detect
even small IED-like objects with millimeter-wave
SAR change detection.
Because this experiment was but a first attempt to air-
borne IED detection, the number of tested objects is
too small to confidently estimate detection rates and
false alarm rates. However, as a diverse set of object
types has been tested and false alarms seem reasona-
bly few, we expect that the approach will applicable
with regard to decision support in the field.
So far, no information fusion between the recorded
channels was exploited. Extending our change detec-
tion algorithm to multi-channel input is expected to
decrease false alarm rates.

(a) (b) (c) (d) (e)

Figure 4 Target area: (a) positions of targets, (b) cutout of reference image, (c) difference of registered SAR
stripe (target positions marked as circles, corner reflectors marked as squares), (d) change map, (e) change
map after morphological filtering

296
5 Acknowledgements
The authors gratefully acknowledge the effort of our
colleagues at the Remote Sensing Lab (RSL) in Zur-
ich, who contributed the high resolution SAR pro-
cessing of the scenes, especially Erich Meier and
Christophe Magnard. We also thank the crew of the
Transall aircraft and the staff of Pioniersttzpunkt
TuT, who helped to arrange the experimental setup at
Storkow.
6 References
[1] H. Schimpf, H. Essen, S. Boehmsdorff, T.
Brehm: MEMPHIS a fully polarimetric Expe-
rimental Radar, Proc. IEEE IGARSS 2002,
Toronto, Canada, Vol III, pp 1714 1716
[2] C. Magnard, E. Meier, M. Regg, T. Brehm, H.
Essen: High Resolution Millimeter Wave SAR
Interferometry, Proceedings of the IEEE Inter-
national Geoscience and Remote Sensing Sym-
posium IGARSS, July 2007
[3] X. Dai, S. Khorram: The effects of image mis-
registration on the accuracy of remotely sensed
change detection, IEEE Trans. Geoscience and
Remote Sensing, Vol. 36, No. 5, 1998
[4] R.J. Radke, S. Andra, O, Al-Kofahi, B. Roysam:
Image change detection algorithms: a system-
atic survey, IEEE Trans. Image Processing,
Vol. 14, No. 3, 2005
[5] J. Inglada, G. Mercier: A New Statistical Simi-
larity Measure for Change Detection in Multi-
temporal SAR Images and Its Extension to Mul-
tiscale Change Analysis, IEEE Trans. Geo-
science and Remote Sensing, Vol. 45, No. 5,
2007
[6] W. Dierking, H. Skriver: Change detection for
thematic mapping by means of airborne multi-
temporal polarimetric SAR imagery, IEEE
Trans. Geoscience and Remote Sensing, Vol. 40,
No. 3, 2002
[7] G. Gao: An Improved Scheme for Target Dis-
crimination in High-Resolution SAR Images,
IEEE Trans. Geoscience and Remote Sensing,
Vol. 49, No. 1, 2011
[8] H. Bay, T. Tuytelaars, L. Van Gool: SURF:
Speeded Up Robust Features, Proc. 9th ECCV,
Graz, 2006
[9] M.A. Fischler, R.C. Bolles: Random sample
consensus: a paradigm for model fitting with
applications to image analysis and automated
cartography, Communications of the ACM,
Vol. 24, Issue 6, 1981
[10] G.D. Evangelidis, E.Z. Psarakis: Parametric
Image Alignment Using Enhanced Correlation
Coefficient Maximization, IEEE Trans. Pattern
Analysis and Machine Intelligence, Vol. 30,
No. 10, 2008
[11] A. Lopes, E. Nezry, R. Touzi, H. Laur: Struc-
ture detection and statistical adaptive speckle fil-
tering in SAR images, International Journal of
[12] D.J. Weydahl: Analysis of satellite SAR images
for change detection over land areas, Ph.D.
thesis, Universitetet i Oslo, Norway, 1998
[13] L. Bruzzone, D.F. Prieto: Automatic Analysis
of the Difference Image for Unsupervised
Change Detection, IEEE Trans. Geoscience and
[14] H. Schimpf, A. Wahlen, H. Essen: High Range
Resolution by Means of synthetic Bandwidth
generated by Frequency stepped Chirps,
Electron. Lett., 39, (18), pp. 1714 1716, 2004
[15] S. Boehmsdorff, K.-H. Bers, T. Brehm, H.
Essen, K. Jger: Detection of Urban Areas in
Multispectral Data, IEEE/ISPRS Joint
Workshop on Remote Sensing and Data Fusion
over Urban Areas, 2001
[16] C. Magnard, O. Frey, M. Regg, E. Meier:
Improved Airborne SAR Data Processing by
Blockwise Focusing, Mosaicking and Geocod-
ing. Proc. of EUSAR 2008 7th European
Conference on Synthetic Aperture Radar, 2008.

297
Detection and Identification of Illicit and Hazardous Substances
with Proton-Transfer-Reaction Mass Spectrometry (PTR-MS)
Philipp Sulzer, IONICON Analytik, Austria
Bishu Agarwal, Universitt Innsbruck, Austria
Fredrik Petersson, IONICON Analytik and Universitt Innsbruck, Austria
Simone Jrschik, IONICON Analytik and Universitt Innsbruck, Austria
Alfons Jordan, IONICON Analytik, Austria
Peter Watts, University of Birmingham, United Kingdom
Christopher A. Mayhew, University of Birmingham, United Kingdom
Kurt Becker, Polytechnic Institute of New York University, USA
Tilmann D. Mrk, IONICON Analytik and Universitt Innsbruck, Austria
Abstract
The innovative Proton-Transfer-Reaction Mass Spectrometry (PTR-MS) technology was invented and developed
in the 1990s by scientists at the "Institut fr Ionenphysik" at the Leopold-Franzens Universitt in Innsbruck and
was commercialized by the spin-off company IONICON Analytik GmbH. PTR-MS rapidly became a well estab-
lished analytical technology in the fields of environmental research, atmospheric chemistry, and food and flavor
science [1]. This resulted from its high selectivity (up to 8 000 m/m), extremely low detection limits (sub-pptv
levels), rapid response times (100 ms) and real-time quantification capability.
Here we present our latest studies on using PTR-MS in the analysis of explosives (TNT, RDX, PETN, Semtex,
etc.) in the gas and in the liquid phase, as well as chemical warfare agents (CWAs) and illicit, prescribed and de-
signer drugs [2-4]. It turns out that PTR-MS can detect all of these substances even in smallest concentrations
with high selectivity. Therefore, even in a complex chemical environment we are able to detect threat agents
with high levels of confidence, thus nearly eliminating so-called "false positives".
Moreover, from the beginning of 2008 until 2011, Ionicon was a partner in the European Defence Agency (EDA)
JIP-FP project "GUARDED". In this three-year project, we developed a rugged and compact PTR-MS instru-
ment for use on a robot platform. Details about the outcome of this project will be presented.

1 Experimental setup and tech-
nical developments
1.1 Experimental setup
In a typical PTR-MS instrument [2] water vapor
originating from a reservoir filled with distilled water
enters a hollow cathode ion source, where the H
2
O is
transformed into H
3
O
+
(primary ions). Due to the so-
phisticated design of the ion source, this process is
highly efficient, i.e. the purity of the primary ions is
greater than 99%, which means that no signal-
diminishing mass filter (as is used by techniques like
e.g. SIFT-MS) is needed between the ion source and
the adjacent drift tube. The actual ionization of the
trace compounds present in the sample air takes place
in the drift tube via proton transfer from H
3
O
+
to all
molecules that possess a higher proton affinity than
water. As all major air components (N
2
, O
2
, CO
2
, Ar,
etc.) have lower proton affinities than water, the air
itself acts as a buffer gas and no additional gas supply
is needed for the operation of a PTR-MS instrument.
Depending on the kind of instrument the protonated
molecules are subsequently introduced into either a
quadrupole mass filter or a time-of-flight (TOF) mass
analyzer. Figure 1 presents a schematic drawing of a
TOF based PTR-MS instrument.

Figure 1 Schematic drawing of a PTR-TOF-MS.
298
1.2 Latest technical developments
Some of the latest instrumental developments we
want to report here are: (i) the improvement of the de-
tection limit that now allows for measuring trace gas
compounds in a concentration range from several
ppmv down to the ppqv (parts-per-quadrillion) region
with a typical response time well below 100 ms, (ii)
the coupling of the sophisticated PTR source to two
different types of time-of-flight (TOF) mass analyzers
(one with an outstanding mass resolution called PTR-
TOF 8000 [3] and one with an increased sensitivity
called PTR-TOF 2000 [4]) and (iii) the possibility to
switch between H
3
O
+
, NO
+
and O
2
+
as reagent ions
[5].
Development (i) allows for entering new fields of ap-
plication where extremely high sensitivities are
needed. Explosives for example possess very low va-
por pressures and are therefore difficult to detect in
the gas phase. We performed proof-of-principle meas-
urements where we could detect and identify all of the
common solid explosives (RDX, TNT, PETN, etc.) by
analyzing the headspace above small quantities of
samples at room temperature and also from trace
quantities not visible to the naked eye placed on sur-
faces [4].
The use of TOF detectors in (ii) is especially impor-
tant for applications where not only high sensitivity
but also unambiguous identification is needed (e.g.
detection of chemical warfare agents [6] while avoid-
ing false positive alarms). The high mass resolution of
up to 8.000 m/m and accuracy of the PTR-TOF
8000 allow for separation of most isobaric compounds
(see Figure 2 for an example) and for substance iden-
tification via the exact mass. As there might be appli-
cations where an enormous mass resolution is not
necessarily needed but the sensitivity has to be as high
as possible, the PTR-TOF 2000 performs with an en-
hanced sensitivity at the expense of a somewhat lower
mass resolution. Comparison data demonstrate that
the resolution of this PTR-TOF 2000 is still around
2.000 m/m while showing an increased sensitivity
by a factor of five compared to the PTR-TOF 8000.
Figure 2 Separation of the two isobars ketene
(43.018 m/z) and propene (43.055 m/z) with a PTR-
TOF 8000

For iii) we see that the sensitivities obtained with NO
+

and O
2
+
are comparable or even better than the out-
standing sensitivity of the established PTR-MS in-
struments and therefore well above those from e.g.
SIFT-, IMR- and other CI-MS instruments for trace
gas analysis. To demonstrate the advantages of this so
called "SRI" (switchable reagent ions) setup we
measured e.g. acetone and propanal (isomeric mole-
cules at nominal mass 58 amu) utilizing NO
+
as the
precursor ion. According to Spanel et al. [7] NO
+
in-
teractions with aldehydes follow the reaction: NO
+
+
XH X
+
+ NOH whereas ketones follow: NO
+
+ XH
XH
+
+ NO (and clustering). This means that we
see isomeric compounds on different nominal masses
and can identify them unambiguously. Furthermore,
by using O
2
+
precursor ions we are able to ionize
molecules via charge transfer reactions that cannot be
measured via hydronium proton transfer reaction (e.g.
ethylene). This means that they are now detectable
with PTR+SRI-MS instruments.
Although PTR-MS is an outstanding technology for
trace gas analysis it has one drawback: trace com-
pounds dissolved in liquids can only be measured via
headspace analysis or membrane inlet setups. Both
sampling methods are suitable for certain applica-
tions, but suffer also from a number of disadvantages.
The direct aqueous injection (DAI) technique devel-
oped by us turns out to be an ideal solution for direct
analysis of liquid samples with PTR-MS. After suc-
cessful proof-of-principle measurements in [8] we
presented first data possibly leading to real-life appli-
cations, namely the contamination of water (e.g.
lakes) with explosives from dumped bombs / ammu-
nition sites [9].
In DAI a carrier airstream generated by a diaphragm
pump is cleaned and dried in an activated charcoal
filter and a cooling trap. Thereafter the exact amount
of clean and dry air of this carrier gas line entering the
injection region is adjusted by a mass flow controller
and subsequently heated in a thermostatic heating box
to ensure that all parts are at the same temperature, so
that no condensation on cold spots can occur. The
needle of a syringe holding the sample liquid is
pierced through a septum which seals one of the open-
ings of a T-piece mounted in the carrier gas line. The
injection speed is controlled by a high precision sy-
ringe pump.
2 Experimental data
2.1 Solid explosives
In [4] we described proof-of-principle measurements
showing that PTR-MS is able to detect all common
explosives like 1,3,5-triazine hexahydro-1,3,5-trinitro
(RDX), 2,4,6-trinitrotoluene (TNT), pentaerythritol
tetranitrate (PETN), etc. While the measurements of
299
the headspace of small quantities (a few mg) of the
above-mentioned substances proved that the sensitiv-
ity of a PTR-TOF 8000 is sufficient for detecting
them without the need of pre-concentration or heat-
ing, the scientifically most interesting results came
from so-called E/N investigations, i.e. measuring the
ion yield as a function of the reduced electric field
strength. As the E/N value, which can mainly be con-
trolled by changing the applied voltage on the PTR
drift tube, is proportional to the collision energy be-
tween the reagent ions and the sample molecules,
usually fragmentation can be suppressed by choosing
lower drift tube voltages or enforced by choosing
higher voltages respectively. This behavior is not only
true for many molecules investigated so far with PTR-
MS but also for the explosives PETN and RDX,
where the highest protonated parent ion yield, i.e.
lowest level of fragmentation could be obtained by
lowering the drift tube voltage and therefore the E/N
value (from usually 600V to about 350V). Figure 3
shows the E/N investigation for TNT. Although pre-
liminary measurements by us on the explosive 1,3,5
trinitrobenzene (TNB) indicate a similar E/N behavior
of TNB, we could not find any reports in literature of
other molecules showing such a behavior. One possi-
ble explanation for the huge difference of about one
order of magnitude between 90 and 180 Td in the ion
yield of the protonated TNT parent ion could be clus-
tering, e.g. with water molecules, which is suppressed
at higher E/N values. However, by recording mass
spectra up to about 1000 m/z we could rule out this
possibility, so that the E/N behavior of TNT still re-
mains unexplained.

Figure 3 Ion yield of the protonated parent ion re-
corded from the headspace of TNT as a function of
the reduced electric field (E/N).

Regardless of the fact that at present we are unable to
provide an explanation for TNT (and TNB) showing a
higher ion yield at elevated E/N values, this observa-
tion has a great potential in the unambiguous identifi-
cation of TNT. In addition to the rather high level of
confidence in substance identification using the exact
mass, which would in case of a PTR-TOF 8000 al-
ready be sufficient for separating e.g. protonated ni-
troglycerin (NG; 228.010 m/z) from protonated TNT
(228.025 m/z), comparing the ion yields at a rather
low and a rather high E/N value could make the iden-
tification even more certain, as the TNT signal should
drop about one order of magnitude at low E/N and the
NG signal should increase.
2.2 Chemical warfare agents
Also for CWAs we started off with proof-of-princple
measurements [6]. In contrast to the explosives which
were provided by the University of Innsbruck we did
not have access to real CWAs, so we had to use simu-
lants for the present studies, namely dimethyl methyl-
phosphonate, diethyl methylphosphonate, diisopropyl
methylphosphonate, dipropylene glycol mono-
methylether and the mustard gas analog 2-chloroethyl
ethyl sulfide (2-CEES). As all these CWA (simulants)
possess by definition rather high vapor pressures we
could detect them easily in the headspace. The signal
was so high that we had to wash the vials containing a
droplet of the substance repeatedly with distilled wa-
ter and do the investigations on the remaining traces
in the vials to avoid saturation of the detector. Also
the substance identification could be performed at
very high levels of accuracy based on the exact mass,
characteristic fragments and isotope ratios.
Besides these fundamental tests of detectability we
performed a "real-life" test (see Figure 4) by placing
the PTR-TOF 8000 inlet in the middle of our 60 m
laboratory. Subsequently we turned off the HVAC
system and opened a vial containing the mustard gas
analog (2-CEES; at around 300 s in Figure 4). Al-
ready seconds after opening of the vial the PTR-MS
instrument displays an increase on the exact mass of
protonated 2-CEES which continues until the vial is
closed again. After turning on the HVAC system the
2-CEES concentration slowly decreases with time.

Figure 4 3D view of the ion yield originating from a
mustard gas analog spreading in lab air.

This very preliminary test could act as a basis for the
FP7-SEC project "SPIRIT" in which Ionicon is part-
ner. In this project a PTR-MS instrument should be
adapted in a way so that it monitors the HVAC system
300
of an endangered building at sets of an alarm as soon
as a harmful substance is detected.
2.3 Illict and designer drugs
Table 1 lists all illicit [10] and designer drugs investi-
gated by us so far. Again, small amounts (about 50
mg) of each drug were placed in vials and the head-
space was investigated and could be detected and
identified easily.

Category Drug m/z
Illicit drugs
Heroin 370.17
Cocaine 304.15
Codeine 300.16
Morphine 286.14
Ecstasy (MDMA) 194.12
Designer
drugs
Dimethocaine 279.20
2C-D 196.13
Ethcathinone 178.12
4-Fluoroamphetamine 154.10
"Rape" drugs
1,4-Butanediol 91.07
gamma-Butyrolactone 87.04
Table 1 Overview of all illicit and designer drugs in-
vestigated by us so far.

Especially for designer drugs, where new substances
appear on the market frequently, one advantage of
PTR-MS becomes obvious. As many established de-
tection methods (e.g. test strips) only detect sub-
stances for which they are made for, PTR-MS can vir-
tually detect every drug, even the very new ones.
As there are drugs which are predominantly con-
sumed highly diluted in liquids, we extended our
headspace studies to gamma-butyrolactone (GBL) and
1,4-butanediol (BDO) traces mixed in different con-
centrations into plain water, tea, red and white wine.
Both substances are metabolized in the human body
to gamma-hydroxybutyric acid ("liquid ecstasy") and
are therefore frequently abused as recreational drugs
(in lower doses) or so-called "rape drugs" (in higher
doses). With the DAI system coupled to PTR-MS we
were able to detect both substances in all above-
mentioned liquids with great linearity down to con-
centration levels far below the activation threshold for
effects in human beings.
Figure 5 shows one exemplary measurement of GBL
mixed in red wine at different concentrations. Compa-
rable results were obtained in white wine, tea and tab
water.
Figure 5 GBL mixed in red wine at different concen-
trations and detected with the DAI system coupled to
PTR-MS.
3 JIP-FP project "GUARDED"
The official abstract of the Joint Investment Pro-
gramme - Force Protection (JIP-FP) "Generic Urban
Area Robotized Detection of CBRNE Devices"
(GUARDED) in which Ionicon was a partner reads
according to the official website of the European De-
fence Agency (EDA):
"The aim of this project is to demonstrate a remote
controlled mobile platform for sniffing a suspect
and/or dangerous area, having on board a set of com-
plementary CBRNE sensors to provide a safe diagnos-
tic obtained through data fusion between various sen-
sors, enabling weddings and solving the old paradox
of the need for compromising between resolution and
detection. Therefore, after a state of the art of various
detection techniques allowing to give an overview of
what can be detected and how nowadays, use cases
scenarios will be established with the help of opera-
tional experts to place the project in a realistic con-
text. From then, an intensive trials campaign will
conducted. Technologies like Ground Penetrating Ra-
dar techniques for localisation, even through walls or
buried objects, Proton transfer Reaction coupled with
Mass Spectrometry, Chemical and Biological based
on handheld devices and improving new sampling
techniques etc. will be used. To validate the approach,
a trial period is planned after the integration & tests
phase, which is traditionally crucial, allowing to point
out and measure the effects of the project, i.e. comple-
tion of the inspection & securing mission."
Already in the first phase of planning it became clear
that GPR and IMS are technologies for a quick and
approximate estimation whether an illicit substance is
present or not. In contrast, PTR-MS can identify and
quantify substances at a very high level of accuracy
while on the other hand consuming more space and
301
payload on the robot platform. Therefore it was de-
cided that two platforms would be built, one carrying
the "exploratory" sensors and one the more exact
PTR-MS.
From the beginning of 2008 until 2011 Ionicon devel-
oped a rugged and compact PTR-MS instrument for
being used on a robot platform. Starting from the es-
tablished "Compact PTR-MS" model we performed
some preliminary tests in a real-life scenario, i.e.
sniffing paper boxes containing explosives, chemical
warfare agents, toxic industrial compounds and harm-
less everyday substances. Based on these results we
went on with detailed analysis of the different sub-
stances in their pure form in the lab. Furthermore we
developed a simple form of a pre-concentrator cou-
pled with thermal desorption and integrated it into the
final GUARDED prototype. The software interface
had to be fundamentally adapted. Starting from the
established "PTR-MS Control" software that gives as
much information as possible about the measurement
process (instrumental parameters, voltages, masses,
count-rates, temperatures, etc.) we developed a highly
user-friendly and flexible graphical user interface
(GUI) for the fully automated instrument. Now the
operator does not need specific knowledge about
chemistry or physics but sees directly on the display
which of the pre-set substances have been detected
and at which threat level.
The whole system is entirely computer controlled via
an embedded PC that is continuously monitoring the
system status and providing a high level of safety, e.g.
by turning off the voltage supplies in case of a vac-
uum failure, etc. A second embedded PC with Win-
dows CE as an operating system acts as the platform
for the installed GUARDED GUI. Additionally this
prototype is equipped with a simple form of a pre-
concentrator combined with thermal desorption. A
high-power fan draws large amounts of (contami-
nated) air for a pre-defined time through a fine metal
mesh. As especially vapors from explosives are
known to be very adhesive, the common harmless air
compounds will pass through the mesh whereas the
explosive vapors will stick to it. After several seconds
the fan is turned off and a current running through the
mesh is ohmically heated. The evaporating explosive
molecules in their concentrated form are then directly
drawn into the PTR drift tube via a heated capillary.
The laptop computer controlling the instrument and
displaying the results is connected via common WiFi.
In addition the instrument itself is equipped with a
touch-screen display that can be used for displaying
the measurement results, i.e. alarms, substance identi-
fication, etc. Thus, the PTR-MS can be used as a
"standalone" instrument, i.e. without the need of an
external computer.
The GUARDED prototype is installed in a box with
roughly 55 cm side length and the previously men-
tioned pre-concentrator add-on is mounted on top.
The whole system weights around 60 kg. With the aid
of exactly dimensioned shock-absorbers the instru-
ment is mounted on the robot platform provided by
the project leader ECA (France), together with the
battery pack that is needed for cordless operation of
the PTR-MS.
Figure 6 shows the GUARDED platform "in action",
i.e. a box containing traces of the infamous CWA
chloropicrin is placed in a car trunk. The remote con-
trolled platform approaches the trunk and as soon as
the inlet comes close to the contaminated box the
threat is identified and an alarm is set off.

Figure 6 GUARDED robot platform approaching a
suspicious box in a car trunk (top) and an alarm for
chloropicrin is set off on the laptop computer con-
nected to the platform via WiFi (bottom).
4 Conclusions
With the present results we showed that PTR-MS is
capable of detecting and identifying virtually every
substance that can be a threat to society. In the
framework of the GUARDED project we demon-
strated that this is true not only for the previously
published proof-of-principle investigations in a lab
environment but more importantly also under real-life
conditions, i.e. in public places like a car park. In the
near future we are planning to adapt also the inlet sys-
tem which is at the moment (besides from the pre-
concentrator prototype) not optimized for the sam-
pling of very sticky compounds like e.g. explosives or
CWAs. Possible solutions could be utilizing alterna-
tive materials or devices like e.g. thermal desorption
strips like they are used in combination with IMS in-
struments at airports or at customs.
302
Acknowledgement
Work was supported by the European Defence Agen-
cy via a JIP-FP project (A-0378-RT GC), the EC,
Brussels and the FFG, Vienna. PW and CAM wish to
acknowledge the EPSRC (EP/E027571/1) that in part
supported this work. FP and SJ acknowledge the sup-
port of the Community under a Marie Curie Industry-
Academia Partnership and Pathways grant (Grant
Agreement Number 218065).
References
[1] R. S. Blake, P. S. Monks, A. M. Ellis; Chem.
Rev., 109 (3) (2009), 861-896.
[2] W. Lindinger, A. Hansel, A. Jordan; Int. J. of
Mass Spectrom. and Ion Processes, 173/3 (1998)
191-241.
[3] A. Jordan, S. Haidacher, G. Hanel, E. Hartungen,
L. Mrk, H. Seehauser, R. Schottkowsky, P. Sul-
zer, T.D. Mrk, Int. J. of Mass Spec., 286 (2009),
122128.
[4] C.A. Mayhew, P. Sulzer, F. Petersson, S. Hai-
dacher, A. Jordan, L. Mrk, P. Watts, T.D. Mrk,
Int. J. of Mass Spec., 289 (2009), 58-63.
[5] A. Jordan, S. Haidacher, G. Hanel, E. Hartungen,
J. Herbig, L. Mrk, R. Schottkowsky, H. See-
hauser, P. Sulzer, T. D. Mrk, Int. J. of Mass
Spec., 286 (2009), 32-38.
[6] F. Petersson, P. Sulzer, C.A. Mayhew, P. Watts,
A. Jordan, L, Mrk and T.D. Mrk, Rapid Com-
mun. Mass Spectrom. 23 (2009), 38753880.
[7] P. Spanel, Y. Ji, D. Smith; Int.J. of Mass Spec-
trom. and Ion Processes, 165/166 (1997) 25-37.
[8] S. Jrschik, A. Tani, P. Sulzer, S. Haidacher, A.
Jordan, R. Schottkowsky, E. Hartungen, G. Ha-
nel, H. Seehauser, L. Mrk, T.D. Mrk, Int. J. of
Mass Spec. 289 (2010), 173176.
[9] S. Jrschik, P. Sulzer, F. Petersson, C. A. May-
hew, A. Jordan, B. Agarwal, S. Haidacher, H.
Seehauser, K. Becker, T. D. Mrk, Anal Bioanal
Chem 398 (2010), 28132820.
[10] B. Agarwal, F. Petersson, S. Jrschik, P. Sulzer,
A. Jordan, T. D. Mrk, P. Watts and C. A. May-
hew Anal. Bioanal. Chem. (Accepted).
303
Characterisation of Critical Material based on Phase and Ampli-
tude Information of High Frequency Measurements
Matthias, Demming, Fraunhofer Institute for High Frequency Physics and Radar Techniques FHR, Germany
Jasmin, Rubart, Fraunhofer Institute for High Frequency Physics and Radar Techniques FHR, Germany
Dirk, Nler, Fraunhofer Institute for High Frequency Physics and Radar Techniques FHR, Germany
Christian, Krebs, Fraunhofer Institute for High Frequency Physics and Radar Techniques FHR, Germany
Badreddine, Derouiche, RheinAhrCampus Remagen of FH Koblenz, Germany
Ilona, Weinreich, RheinAhrCampus Remagen of FH Koblenz, Germany
Abstract
The detection and classification of hazardous material is one major task in the field of security checks. The char-
acterisation of different materials requires the specific material parameters. Essential factors are the permittivity
as well as the material thickness. The present paper describes the detection of different materials under test by a
clustering algorithm in connection with the optimization of the measured data with regard to the problem of am-
biguous phase values, called Phase Unwrapping. The permittivity and the thickness of the different clusters are
determined by a reconstruction algorithm.

1 Introduction
Today the non-destructive material analysis plays a
major role in several security applications, e.g. the in-
spection of letters to detect hazardous materials inside.
For those applications a new sensor concept working
in the millimetre wave range offers an alternative to
present systems, which are based on X-Ray or optical
sensors. One major advantage of millimetre wave sys-
tems is the low charge compared to X-Ray methods,
which are very cost-intensive due to the required
safety regulations. Another advantage is the informa-
tion about the internal structure of the device under
test (DUT), which cannot be collected by a cheaper
system with optical sensors.
The frequency range of interest is the lower THz re-
gion from 75 GHz to 325 GHz, which offers better
measurement capabilities than IR or optical spec-
trometers. Due to the shorter wavelengths compared
to classical radar applications a better spatial resolu-
tion can be obtained.
The procedure for the characterization of the different
material parameters is subdivided into three steps. The
first step contains the elimination of ambiguities in the
measured phase values, the so called Phase Unwrap-
ping [2], to ensure a precise reconstruction of the ma-
terial parameters. In a second step the different mate-
rials of the DUT are classified by a cluster algorithm
in matters of the measured phase values. The cluster
algorithm allows a graphic presentation of the DUT
where the different materials are explicitly distin-
guishable. In the last step the material parameters like
thickness and permittivity are determined for each
cluster, i.e. for each material, by a reconstruction algo-
rithm.
2 Measurement System
The measurement system enables the analysis of sev-
eral DUT in millimetre and sub-millimetre wave band.
The frequency range from 75 GHz to 325 GHz is real-
ized by a network analyzer (PNA E8361C) from
Agilent (Figure 1) [1].

The PNA allows the analysis of amplitude and phase
information of the DUT. With three connected linear
motors it is possible to scan a three-dimensional area
Figure 1 PNA E8361C from Agilent
304
with a scan region of about 320 mm in x- and y-
direction and 290 mm in z-direction.
Due to their low loss at higher frequencies compared
to common waveguides two dielectric waveguide tips
act as antennas. Another advantage of dielectric
waveguides is their high flexibility, which allows
changing simply between the transmission and reflec-
tion configuration. Figure 2 shows the measurement
system.

3 Device under test and meas-
urement method
The measured DUT is a parcel bomb dummy, which
contains a granular gun powder sample with a thick-
ness of 1.2 cm and a PVC (polyvinyl chloride) sample
with a thickness of 1.2 cm (Figure 3).

Both samples have a planar structure and are arranged
in a gift-wrapped card game case (Figure 4). PVC in
general has a permittivity of 3 to 3.5. The permittivity
of gun powder ranges from 2.7 to 3.8. The two mate-
rials were chosen by means of their similar permittivi-
ty to show whether they can be distinguished by the
clustering algorithm.

The measurement methods are a transmission and a
monostatic reflection measurement, where the DUT is
measured at 401 different frequencies in W-band, i.e.
from 75 GHz to 110 GHz. The complex measure-
ments yield amplitude as well as phase values of the
signal.
4 Characterisation of material
parameters
4.1 2D Phase Unwrapping
In general phase unwrapping describes the elimination
of ambiguities in the measured phase values, which
are wrapped into the interval (-,], i.e. the phase is
known except for multiples of 2. There are two ma-
jor approaches for Phase Unwrapping, namely the
path-following and the minimum-norm methods. Con-
trary to the minimum-norm algorithms, which operate
on the entire image, the path-following methods con-
sider the image pixel by pixel guided by a certain
path.
A classical path following method is the quality
guided algorithm which is guided by so called quality
maps, i.e. matrices whose entries describe the quality
of the recorded phase values. As a measure the vari-
ance of the phase gradients is used. Another possible
measure is the correlation of the phase values [2]. Due
to the error rate of the quality guided algorithm for
noisy data a modified quality guided method [3] is
used here. The modification consists of the valuation
of the adjusted phase values after each step and the
correction of possible errors to avoid their propaga-
tion. The algorithm is subdivided into two main steps,
the unwrapping of the recorded phase value and the
evaluation of the result by means of a certain quality
criterion:

1. The modified unwrapping algorithm starts as the
original one at a pixel of high quality in a homo-
geneous region. For each pixel the adjusted phase
is determined by the information of its eight
Figure 2 High frequency scanner with xyz-motors
Figure 3 DUT composed of a gun powder sample (on
the right) and a PVC sample (on the left)
Figure 4 DUT in a gift-wrapped card game case
305
neighbours in a region of 55 pixels around the
considered phase value (Figure 5), where only
those pixels are taken into account which are al-
ready unwrapped [3].

2. As criterion for the quality of the adjusted phase
value the deviation between the result and an es-
timate for the unwrapped phase value is estab-
lished [3]. If the deviation is lower than a certain
threshold, the adjusted phase value, calculated in
step one, will be hold. Otherwise the determined
phase will be discarded and the unwrapping con-
tinues at another pixel, i.e. the algorithm starts
again at step one.

Figure 6 shows the measured phase at 108.6 GHz with
the phase values wrapped into the interval (-,]. The
measurement method was a transmission configura-
tion.

Due to the inhomogeneity of the coarse-grained gun
powder, the phase shifts are mainly distinguishable at
the gun powder sample, i.e. there are jumps from to
between two adjoining pixels. These inhomogenei-
ties are also reflected in the amplitude image (Figure
7). Figure 8 shows in detail the comparison of the am-
plitude and the phase of the gun powder sample,
which show exactly the same inhomogeneities.

Comparing the complete amplitude and phase image,
the two different materials inside the gift are distin-
guishable more precisely in the phase image. Thus in
the following the phase information will be regarded
to ensure an optimal result of the clustering algorithm.

Figure 9 shows the unwrapped continuous phase,
which is no longer bound to the interval (-,]. It is in
evidence that the phase jumps within the gun powder
sample have been eliminated. The remaining varia-
tions within the sample also arise from the inhomoge-
neity of the coarse-grained gun powder.

In addition to the gun powder sample the border of the
card game case also exhibits diversified phase values,
which arise from the diffraction effects at the edges
and the resultant interferences. These effects also in-
terfere with the phase at the edges of the two samples,
where the phase changes to light yellow.
Figure 5 Unwrapping scheme for a pixel a in 5x5-
region with wrapped (black circles) and unwrapped
(white circles) neighbours
Figure 6 In transmission measured phase with
wrapped phase values (108.6 GHz)
Figure 7 Measured amplitude (108.6 GHz)
Figure 8 Phase (on the left) and amplitude (on the
right) of gun powder sample (108.6 GHz)
Figure 9 Unwrapped phase (108.6 GHz)
306
Based on the unwrapped phase image it is visual dis-
tinguishable that there are two samples within the gift.
4.2 Clustering Algorithm
The aim of cluster analysis is to identify groups of ob-
jects in a certain dataset, which are similar to each
other but different from individuals in other groups.
However, a cluster algorithm should capture the natu-
ral structure of a data set.
There are various ways in which clusters can be rea-
lized. One of the most straightforward methods is the
hierarchical clustering algorithm, which will be de-
scribed here briefly. Hierarchical clustering can be ei-
ther agglomerative or divisive. Agglomerative hierar-
chical clustering begins with each object of the dataset
as an own cluster. Similar clusters are merged after
successive steps into sub-clusters based on chosen lin-
kage functions. The algorithm ends with all objects in
one cluster. The divisive clustering method starts with
each object in one cluster and ends up with each as an
own cluster. However, it is the opposite way of the ag-
glomerative method (Figure 10).

Linkage functions are used to determine in which or-
der clusters may merge. E.g. two clusters can be
merged to one cluster if its elements are the most simi-
lar objects (single linkage) or if their objects are the
elements which are most dissimilar (complete lin-
kage). More linkage methods are listed in [4]. The key
of this algorithm is the calculation of the so called
proximity matrix between two clusters [5].
To display the result of the cluster algorithm, a tree-
like diagram, called dendrogram, is used as a graphi-
cal output. It displays the clusters respectively sub-
clusters as well as the level were the clusters were
merged (Figure 11).

As basis for the clustering algorithm only the un-
wrapped phase of the objects inside the gift is re-
garded (Figure 12).

Using the agglomerative clustering algorithm, the re-
sult of the cluster process is illustrated in Figure 13.

For merging the clusters, Wards method [6] was used.
This method uses an analysis of variance approach to
evaluate the distances between clusters. Wards algo-
rithm attempts to minimize the sum of squares of any
two clusters that can be formed at each step. The aim
is to create clusters of similar sizes. To determine the
number of groups in the current dataset, Mojenas
stopping rule was applied [7]. The number of clusters
is 4. Comparing the unwrapped phase (Figure 12) and
the clustered image (Figure 13), it can be seen, that
there are mainly two clusters within the gift, i.e. the
gun powder and the PVC sample are clearly repro-
duced (orange and light blue) in spite of their similar
permittivity. Due to the inhomogeneity of the coarse-
grained gun powder, this sample is subdivided into
several clusters, where the main part belongs to one
cluster.
4.3 Reconstruction of material pa-
rameters
For the reconstruction of the material parameters the
delay and the amplitudes of the individual reflections
divisive
Figure 11 Clustering of 10 objects displayed in a den-
drogram
Figure 12 Unwrapped phase of the gift

Figure 13 Result of the agglomerative clustering algo-
rithm with selected points () for reconstruction
agglomerative
Figure 10 Illustration of the agglomerative and the
divisive clustering method
307
have to be obtained from the complex measurement
data. This is realized by the matrix pencil method
(MPM) [9]. The MPM is a model-based spectral esti-
mation procedure, whose key benefit is the a priori
assumption of the following signal model (Equation 1)

(1)

where
n
is the nth measurement frequency and the
index k corresponds to the kth component of the sig-
nal. This adoption enables a better differentiation of
closely neighboring signal components and thus a
more precise detection than the common range resolu-
tion of FMCW radar [8]. For an exact description of
the MPM is referred to [9].
The relative permittivity of individual layers in the
DUT can be determined based on the precise delay
and amplitude of the reflections. It is based on the
adoption of parallel layered lossless mediums that can
be specified by a transmission line model. Via the
transmission line theory the material discontinuities
can be described as impedance jumps (Figure 14).

It is assumed that the incident electromagnetic wave in
the level of the first discontinuity has an amplitude of
A
0
= 1. The disregard of the multiple reflections re-
sults in the following recursive relationship between
the amplitude of the reflected signal units A
i
and the
reflection factors R
i
(Eq. 2) respectively the permittiv-
ities
r,i
(Eq. 3) of the ith material layer:

(2)

(3)

Based on the delay terms
i
the material layer thick-
ness can be determined by Equation 4.

(4)

The cluster algorithm shows that there are only two
different materials in the gift, therefore only the mate-
rial characteristics of one measuring point of each ma-
terial need to be reconstructed. For this reason only
one monostatic reflection measurement in the middle
of each material is enough. With the resulting complex
data the thickness and the permittivity of the two ma-
terials can be determined. A permittivity of 2.99 and a
thickness of 1.22 cm were reconstructed for the PVC
sample. For the gun powder sample a permittivity of
2.71 and a thickness of 1.21 cm were reconstructed,
i.e. the reconstructed thickness of both samples corre-
sponds almost exactly with the denoted thickness of
1.2 cm.
5 Conclusion
In conclusion a procedure for non-destructive detec-
tion and characterisation of hazardous materials was
presented. It was shown that different materials can be
distinguished by an agglomerative clustering algo-
rithm, based on the phase information of a transmis-
sion measurement. Previously the phase ambiguities
were eliminated by a path-following phase unwrap-
ping algorithm. It was shown that the clustering algo-
rithm detected all samples in each case as one cluster.
Based on the classification of the clustering algorithm
the material parameters of the different clusters were
reconstructed by means of their permittivity and
thickness by a reconstruction algorithm. The recon-
struction results showed that the material parameters,
i.e. the permittivity and the thickness, match with the
denoted values in an acceptable error range.
References
[1] Krebs, C.; Rubart, J.; Brauns, R.; Nler, D.:
High resolution measurements to determine the
permittivity in artificial structures, IRMMW,
2010
[2] Ghiglia, D.C.; Pritt, M.D.: Two-Dimensional
Phase Unwrapping: Theory, Algorithms and
Software, New York (USA), 1998
[3] Xu, W.; Cumming, I.: A Region-Growing Algo-
rithm for InSAR Phase Unwrapping, IEEE
Transactions on Geoscience and Remote Sens-
ing, Vol. 37, No. 1, pp. 124-134, 1999
[4] Tan, P.N.; Steinbach, M.; Kumar, V.: Introduc-
tion to Data Mining, Addison-Wesley, 2005

K
k
n
j
k n
n e A s
k k
1
), ( ) (

1
1
2
) 1 (
i
k
k
i
i
R
A
R
1
1
1 , ,
i i
i i
i r i r
R R
R R

i r i i i
c d
, 0 1
) (

Figure 14 The material discontinuities described with
the transmission line theory
308
[5] Kaufman, L.; Rousseeuw, P.J.: Finding Groups
in Data An Introduction to Cluster Analysis,
Wiley, 2005
[6] Ward, J.H.: Hierarchical Grouping to Optimize
an Objective Function, Journal of the American
Statistical Association, Vol. 58, No. 301,
pp. 236-244, 1963
[7] Mojena, R.: Hierarchical grouping methods and
stopping rules: an evaluation, The Computer
Journal, Vol. 20, No. 4, pp. 359-363, 1977
[8] Gumbmann, F.; Tran, P.H.; Weinzierl, J.;
Schmidt, L.-P.: Advanced Broadband Millime-
tre-Wave Characterization Techniques of Dielec-
trics, ECNDT, 2006
[9] Hua, Y.; Sarkar, T. K.: Generalized Pencil-of-
Function Method for Extracting Poles of an EM
System from Its Transient Response, IEEE
Transactions on Antennas and Propagation,
Vol.37, No.2, pp 229-234, 1989
309
Visual search in large surveillance archives
Csaba, Beleznai, AIT Austrian Institute of Technology, Vienna, Austria
Bernhard, Strobl, AIT Austrian Institute of Technology, Vienna, Austria
Stephan, Veigl, AIT Austrian Institute of Technology, Vienna, Austria
Michael, Rauter, AIT Austrian Institute of Technology, Vienna, Austria
Abstract
Surveillance archives encompass vast amount of data. Given the amount of data the need for search and data ex-
ploration arises naturally. Various authorities such as infrastructure operators and law enforcement agencies are
confronted with search needs based on a visual description (size, color, clothing, number plates, facial biometry,
etc..) and/or behavioral patterns (limping, loitering, etc.) in order to find a needle in a haystack of digital data.
In this paper we present a framework which allows for an efficient video archive forensic search and data explo-
ration in an interactive manner, and exploiting hardware-accelerated video analytics at the same time. Further-
more we present a query concept to facilitate and improve the search for a specific person in large video surveil-
lance archives using a synthetic human model in a query-by-example manner. The presented overall framework
combines know-how on user interfaces, computer vision algorithms and video archive management. The system
is designed with an open archive interface in mind enabling it to operate with CCTV (Closed Circuit Tele Vi-
sion) video archives from a wide variety of manufacturers.

1 Introduction
Exciting perspectives are emerging in the field of vis-
ual surveillance. Due to the rapidly growing amount
of cameras and video data there is a need for quickly
pinpointing relevant data within the sea of irrele-
vant. Manual search or browsing in such large ar-
chives is typically not feasible, since it is extremely
time-consuming, exhausting, and most likely unsuc-
cessful because relevant data represents only a small
fraction of the entire dataset. Consequently security-
critical events often go undetected or cannot be pre-
vented. This reduces the effectiveness of video sur-
veillance systems.
The input of the visual search is an image exemplar
(such as a snapshot of a suspect) or a synthetically
generated image from user-specified appearance-
attributes (clothing, pose, illumination) and a comput-
er graphics model (human avatar). A discriminative
description (meta-data descriptor) derived from the
input query image is compared to descriptions com-
puted on the images of the dataset and an initial
ranked list of hypothetical matches is returned. Cou-
pled with the visual appearance constraints, conven-
tional spatio-temporal constraints or rules such as
pedestrians crossing the tripwire in camera Nr. 10
between 8 and 10 pm can also be used to guide or
complement the search process. Based on the returned
list of potential matches the user can interactively re-
fine the query by specifying details (e.g. which visual
detail should the system focus on) and thus guiding
the search framework towards the sought object.
In this paper we present an interactive framework
which detects and tracks video objects (humans and
cars) using general purpose graphics processing units
(GPGPU) and computes a set of appearance-specific
cues capturing primary colour and texture features of
an object. These low-level object representations are
stored in a database and used for a rapid comparison
upon a search query. The system is designed with an
open archive interface in mind enabling it to operate
with CCTV video archives from a wide variety of
manufacturers.

2 Related work
In recent years there has been an increased interest in
the subject termed forensic visual search as a domain
of visual analytics; nevertheless only few systems ad-
dress the search task in surveillance archives. A rele-
vant example is the IBM Smart Surveillance System
[1], which is able to index a video according to multi-
ple search criteria, thus allowing for various query
types such as dominant object colors, object size and
type and visual features of the human face. Berriss et
al. [2] employ the MPEG-7 dominant color descriptor
to efficiently associate and retrieve the same person
across camera views in a retail environment.
Several works follow a similar line of thought target-
ing the core person re-identification task; however,
310
without deploying these algorithms within a visual
search system prototype. Person re-identification can
be described as recognizing an individual in different
locations across a network of non-overlapping camer-
as. Besides of specific re-identification scenarios, e.g.,
tracking criminals over multiple cameras, typical
tasks also include anonymous applications such as
crowd flow analysis by tracking single specific hu-
man instances.
In general, this task is considered to be very challeng-
ing. Typical problems that have to be handled are ex-
tremely varying person appearances across the camera
network (due to changing lighting conditions, differ-
ent viewpoints, varying poses, etc.), people occluding
each other, or a high number of very similar person
appearances.
Motivated by the large number of practical applica-
tions and still unresolved problems there has been a
considerable scientific interest within the last years.
Gheissari et al. [3] fit a triangulated graph to each in-
dividual to account for pose variations. However, the
approach is only applicable for similar viewpoints.
The same applies for the approach of Wang et al. [4],
who segment an image of a person into regions and
capture their color spatial structure by a co-
occurrence matrix. A more flexible approach was pre-
sented by Farenzena et al. in [5] exploiting perceptual
principles relying on symmetry and asymmetry. They
first run a segmentation step to obtain a persons sil-
houette and then accumulate the feature responses of
color and texture features to a signature. Bird et al. [6]
propose to segment the query image in equally spaced
horizontal segments and extract the median HSL color
of the foreground pixels of each of these segments.
In our framework we employ a compact appearance
representation in form of region covariance matrices
[7], which given their low dimensionality can be
easily stored as a descriptor in relational database ta-
bles and efficiently used upon search. During retrieval
similarity comparisons yield a ranked list of hypothet-
ical matches thus eliminating a large number of
non-matches - which can be further refined by user
interaction.
2 Search Framework
2.1 System Architecture
Our distributed high-performance archive search sys-
tem consists of the following components (see Figure
1):
Multiple Video Archives / Camera Metadata
Databases
Visual Analytics Core
Configuration and Meta-Data Database
Figure 1 System architecture comprising of several
surveillance archives or camera nodes (input), a visu-
al analytics service and a database for storing meta-
data descriptors in a structured form.

Several GUI Clients
Each of the above services is runs on a dedicated ma-
chine, optimized for the respective task.
The analytics core (Figure 1 - centre) is a three stage
system following a modular programming paradigm:
1. Object Detection and Tracking
2. Rule-based Filtering
3. Appearance-based Matching
In the following sections we describe the individual
analytics components in more detail:
Motion-based Object Detection: Moving fore-
ground regions are detected using a robust adaptive
background model [8]. Background model estimation
is based on our computationally efficient pixel-based
codebook model. Instead of capturing specific statis-
tical measures describing the distribution of temporal-
ly aggregated pixel intensities, as it is done by con-
ventional background modelling schemes, the distri-
bution is captured by a set of representative
codewords. A codeword consists of a vector of three
intensity values of the respective colour channels and
a significance (weight) value. Foreground detection is
performed by comparing pixel intensities of a new
frame to the existing codewords, while adaptivity is
achieved by continuously updating the codeword sig-
nificance entries. More algorithmic details can be
found in [8].
Human Detection: Blob-based object detection suf-
fers from sudden performance decay if the density of
image objects becomes high and frequent dynamic
occlusions are present. To overcome this problem, we
have developed [9] a human detection framework in-
corporating a Bayesian optimization, which is capable
of detecting and coarsely segmenting humans in mod-
erately crowded scenes in real-time. Shape and mo-
tion cues are combined to obtain a maximum a poste-
riori solution for human configurations consisting of
many - possibly occluded - pedestrians viewed by a
stationary camera. Example detection results for this
detection modality are shown in Figure 2.
311
Figure 2 Shape-based human detection results in
moderately crowded situations.

For both detection modalities meta-data descriptors
encompass the image location of detection responses,
the foreground regions (motion and shape-based seg-
mentation mask) and a reference to the corresponding
image frame.
Tracking: We employ a simple frame-to-frame data
association scheme and a Kalman filter based state
estimation strategy for maximum run-time perfor-
mance. All the above low-level analytics functionali-
ties are based on efficient implementations on
graphics hardware. These yield more than 100x real-
time performance for the case of the motion based de-
tector and real-time performance for the human detec-
tor.
Rule-based filtering: Detected image objects can be
filtered by a highly flexible combination of user con-
figurable events (e.g. crossing a tripwire, entering a
region, etc.) and properties (e.g. object height, width
and visual attributes). All rules on one video are pro-
cessed in parallel. Figure 3 shows an example for a
rule-based retrieval of image objects meeting specific
user-specified constraints.
Appearance-based Matching: An appearance-based
matching functionality allows searching for an object
with specific appearance attributes. The search is ini-
tiated by specifying a query image, which can be pro-
vided either by selecting an image region in a video
or uploading a bitmap. An object descriptor is com-
puted based on a compact, but highly specific appear-
ance representation.
Figure 3 An example of rule-based retrieved instanc-
es of image objects (cars and pedestrians) crossing a
user-specified tripwire.

In the first stage of our appearance modelling scheme
we generate a descriptive statistical model which en-
codes visual appearance information. Considering the
given task, the employed representation must meet
requirements of specificity, invariance and computa-
tional efficiency. It implies that on the one hand the
visual description must encompass discriminating
visual information. On the other hand it must remain
mostly unaffected in presence of photometric, view
and pose changes. Moreover, for practical applicabil-
ity the representation should be computed and
matched rapidly at small memory requirements.
For our purpose we employ the region covariance de-
scriptor of Tuzel et al. [7], which meets these criteria
quite well. The descriptor is capable to combine mul-
tiple complementary cues, easy to compute and gen-
erates a compact signature. In our case we encode the
YUV colour channels and gradient information com-
puted for each colour channel. Since the descriptor
aggregates several visual features, structural infor-
mation of human visual appearance such as the
brightness relationship between upper and lower body
halves is represented only to a limited extent. In or-
der to enhance the structural specificity of the repre-
sentation, we use a set of covariance descriptors com-
puted from multiple horizontal stripes (seven stripes
in our case) covering the area of the image patch of an
object.
Similarity computation between two appearances is
performed by estimating the distance between two
covariance matrices in pairwise manner, as described
in [7]. This set of distances is used to generate a rank-
ing for every image in the database with respect to the
query image. The user can selectively highlight cer-
tain horizontal stripes containing visually relevant
features such as a coloured bag and in a subsequent
refinement step distances computed between the
marked stripe regions are taken into account with a

312
Figure 4 An example of appearance-based retrieved
instances of cars ranked according to visual similarity
(right) based on an example-based query (left).
higher weight. Example appearance-based retrieval
results are shown in Figure 4.
3 Query using a synthetic model
In many forensic visual search tasks no image from a
surveillance camera is available, only a description
from an eye-witness. Our approach gives the operator
the ability to generate an according 3D human model.
A synthetic query is enabled by a framework which
includes a graphical synthesis tool capable of generat-
ing images based on a 3D human model capturing
pose, view and a range of appearance variations. Giv-
en the synthesis tool the user is able to modify a broad
range of appearance attributes such as type of apparel,
colour, texture, view and photometric properties. The
generated synthetic image is used in a query-by-
example fashion to perform the search. The 3D model
can be projected into a given camera view such that
its pose and photometric properties matches those of
the scene. From this view a 2D image template is
generated to compute visual features encoding the ap-
pearance of the model. This approach allows the op-
erator to use just one 3D model for different scenes or
camera setups.
We compute the same visual descriptors (as used for
appearance-based matching) on the synthetic query to
encode its appearance attributes and the returned ten-
tative matches typically exhibit a high perceptual sim-
ilarity to the sought human appearance attributes. An
example for the synthetic model based search and re-
trieved results van be seen in Figure 5.
4 Conclusions
In this paper we presented a powerful visual search
tools and its algorithmic components which allow for
appearance-based similarity search in large surveil-
lance archives. Most of the systems time-critical
components have been implemented in a parallel
fashion on general purpose graphics hardware which
allows for a two-orders-of-magnitude acceleration of
computations. The high computational speed and the
highly specific visual representation of
Figure 5 Generating a synthetic human model with
user-specified appearance attributes (top-left), placing
a derived 2d synthetic template into the image of
camera while matching pose and photometric condi-
tions (bottom-left) and performing a query (ranked
results are shown in the bottom-right image).
image objects with small memory footprint imply that
objects of user-specified relevance can be retrieved
from truly large datasets at tolerable computation
times while necessitating manageable storage re-
quirements.
References
[1] Hampapur A., Brown L., Feris R., Senior A.,
Shu C. F., Tian Y., Zhai Y., Lu M., Searching
surveillance video, IEEE Conference on Ad-
vanced Video and Signal Based Surveillance
(AVSS'07), 2007
[2] Berriss W.P., Price W.G., Bober M.Z., Real-
Time Visual Analysis and Search Algorithms for
Intelligent Video Surveillance, International
Conference on Visual Information Engineering,
2003
[3] Gheissari N., Sebastian T. B., Hartley R., Per-
son reidentification using spatiotemporal ap-
pearance. In Proc. CVPR, 2006
[4] Wang X., Doretto G., Sebastian T. B., Rittscher
J., Tu P. H., Shape and appearance context
modeling, In Proc. ICCV, 2007.
[5] Farenzena M., Bazzani L., Perina A., Murino V.,
Cristani M., Person re-identification by sym-
metry-driven accumulation of local features, In
Proc. CVPR, 2010.
[6] Bird N. D., Masoud O., Papanikolopoulos N. P.,
Isaacs A., Detection of loitering individuals in
public transportation areas, IEEE Trans. Intelli-
gent Transportation Systems, 6(2):167177,
2005.
313
[7] Tuzel O., Porikli F., Meer P., Region covari-
ance: A fast descriptor for detection and classifi-
cation, In Proc. ECCV, 2006.
[8] Schreiber D., Rauter M., Gpu-based non-
parametric background subtraction for a practi-
cal surveillance system, In Embedded Comput-
er Vision Workshop 2009, pages 870877, 2009.
[9] Beleznai C., Schreiber D., Rauter M., Pedestri-
an Detection using GPU-accelerated Multiple
Cue Computation, In Embedded Computer Vi-
sion Workshop 2011, pages 60-67, 2011.

314
Towards People Re-Identification in Multi-Camera Surveillance
Systems
Eduardo Monari
1
, Kai Jngling
1
, Tobias Schuchert
1
, Arne Schumann
1,2
, Michael Arens
1
, Rainer Stiefelhagen
1,2
1
Fraunhofer Institute of Optronics System Technologies and Image Exploitation, Germany
2
Karlsruhe Institute of Technology, Germany
Abstract
Re-Identification of a person in the context of video surveillance systems is of great interest in several applica-
tions such as the generation of consistent trajectories of people across widespread fields of view of cameras, re-
identification of a person temporally not visible to the system, or the search for a certain person in video footage.
In this paper we address the problem of person re-identification in complex non-cooperative environments
those with low resolution and challenging lighting conditions. We address the problem in a threefold manner:
first we show how local visual features, extracted on a persons image can be used for robust person tracking and
appearance based re-identification. Second, based on the person detection and tracking, face-based features are
extracted. Hereby, super-resolution techniques are used for face image improvement at a distance. Finally, ex-
traction of additional soft-biometric semantic features for re-identification will be discussed.
All approaches towards re-identification are presently examined under the research project Remote Biometrics
(Distante Biometrie) of the Fraunhofer Institute of Optronics, System Technologies, and Image Exploitation
(IOSB).
1 Introduction and Motivation
Due to the increasing threat by crime, industrial es-
pionage and even terrorism, video surveillance sys-
tems become more and more important during the last
years.
Especially for large camera networks, there is an in-
creasing need for high quality automated surveillance
systems. Using only a small number of sensors, an
operator is able to keep all objects in view simultane-
ously and to switch his focus between them as
needed. But with an increasing number of cameras the
object detection, tracking and re-identification can no
longer be done manually. Hereby, an important chal-
lenge is the multi-camera person tracking and re-
identification functionality, which allows for consis-
tent labelling of objects with a constant identity across
different cameras.
However, in the last decades algorithms for people
tracking and (re-)identification have been studied by
two well-separated research communities. The first
community focused on person detection and tracking,
especially in low-resolution videos and non-
cooperative scenarios. The second one developed ap-
proaches and algorithms based on biometrics for per-
son (re-)identification, but in cooperative scenarios,
which means that the person to identify is aware of
the identification process and acts in a way to facili-
tate the recognition process (e.g. looking straight into
the camera and standing in front of the camera for
high resolution face capturing).
Currently, these two communities merge to a new
field of research, called remote biometrics or bio-
metrics at a distance. Herby, the challenge is to en-
able a video surveillance system to re-identify people
using soft-biometrics and biometrics even when they
act in a non-cooperative way.
In this paper a multi-level approach for person re-
identification in camera networks is proposed. At the
first level, person detection and tracking in low-
resolution video from standard video surveillance
cameras is performed and local appearance features
are extracted for a rough estimate of similarities be-
tween persons. After person detection and localiza-
tion, face detection is performed. In a further step, a
novel super-resolution algorithm for non-rigid objects
is applied to an image sequence of faces to reconstruct
a high resolution face image. Using this high resolu-
tion face image, further face-based soft-biometric fea-
tures (e.g., age, hair color, glasses) and biometric fea-
tures for face recognition are extracted.
This paper is organized as follows: In the following
section the overall multi-level approach for person re-
identification is presented. In Section 3, the methods
used on each level are described in short. Finally, in
Section 4, a summary is given and future work is pre-
sented.
315
2 A Multi-Level Approach to
People Re-Identification
The basic idea of the proposed approach is a coarse-
to-fine feature extraction and feature matching strat-
egy for people re-identification. Hereby, on the first
level person tracking is performed. In particular, the
approach described in Section 3.1 is able to simulta-
neously generate a detailed local appearance model of
the observed person during tracking. The appearance
model allows for highly robust single-camera tracking
of the person to identify, but also to find similar look-
ing persons across different camera views. However,
in real world applications situations occur, where
people cannot be distinguished by appearance features
(e. g., groups of people with similar or identical
clothes). In these cases, additional discrimination can
be achieved through soft-biometrics (e.g., hair color,
age, gender, etc.) but also detection of appearance de-
tails (e.g. glasses). Most of these features can be ex-
tracted by state-of-the-art approaches using face im-
ages. But in non-cooperative environments, the robust
detection of face images with a sufficiently high reso-
lution is a hard task. To overcome this problem a
method for resolution enhancement especially for face
images is proposed in Section 3.2. Finally, if face im-
ages with sufficient high resolution are available, soft-
biometric features can be extracted.
3 Methods
3.1 Human Detection and Tracking
Person detection and tracking is the basis for any fur-
ther analysis in human-centric video analysis. A stable
and consistent tracking which correctly maintains per-
son identities is a precondition for correctly building
person trajectories which are the starting point for fur-
ther analysis.
Not only those 2D or 3D spatio-temporal trajectories
are relevant for further analysis but also the genera-
tion of appearance models which can be used for sin-
gle camera tracking itself, but also for more sophisti-
cated analysis purposes like person re-identification
when a wide spatial area or an extended timeframe is
considered. Since these appearance models are gener-
ated during tracking to integrate all characteristics of a
persons appearance, person detection, tracking and
re-identification can be treated as an integrated task.
Failures in detection and tracking would result in the
corruption of a persons appearance model and thus in
the inability to correctly re-identify the person later
on. For that reason, person re-identification benefits
from being coupled with person detection and track-
ing.
The detection and tracking approach we use in this
context was proposed by Jngling and Arens in [2].
This approach builds on the Implicit Shape Model
(ISM) [1] which is a trainable object detector that
works on the basis of local image features. In a train-
ing step, SIFT features extracted from person samples
are input to a clustering which determines relevant
features for this specific object class. The cluster cen-
ters serve as prototypes for a codebook which de-
scribes the object class appearance. For each code-
book prototype, a spatial feature distribution which
encodes the position of features in the coordinate
frame of the training samples as object-center offsets
is stored. A visualization of such a codebook is shown
in Figure 1 for the case of the object class person
and modality infrared.
This codebook is then employed to detect persons in
an input image by matching the prototypes with SIFT
features extracted from the input image and using the
spatial distribution to vote for possible object-center
locations in a 3D Hough-voting-space. Persons are
then detected by performing a maximum search in
this voting-space using mean-shift. For a single im-
age, the result of this detection step is a number of ob-
ject hypotheses which each is defined by a number of
SIFT features which voted for the specific hypothesis.
Based on the ISM-detection, we set up a tracking
where temporal development of features is taken into
account. The SIFT features which voted for a person
hypothesis are propagated from one frame to the next.
Here, feature correspondences are built which deter-
mine identity maintenance. The tracking itself is done
in the Hough-voting space by performing a hypothe-
sis-specific maximum search which includes votes for
this specific hypothesis and votes which result from
new SIFT features extracted for that frame. By that,
we are able to build person-specific SIFT feature
models using the feature correspondences built over
time to determine the influence of single features in
the person model as outlined in Figure 2.
Figure 1: Codebook for person detection (example: in-
frared codebook)
316
The advantage of this approach is that it can be em-
ployed for detection and tracking in the visible and
infrared spectrum since it is based on SIFT features
only and no modality specific features like color are
used. In addition, it works for moving sensors too
since no assumption on a stationary sensor is made.
Another important property of this tracking approach
is that the SIFT features collected during this tracking
can be used for the re-identification of persons later
on.
3.2 Local features for re-identification
A possible way to re-identify a person is using local
features. The advantages of the usage of local features
for re-identification are diverse. E.g. they are inhe-
rently invariant to many variations which usually ap-
pear in the context of person re-identification like
lighting changes. Another important property of local
features is that they do not rely on color which is an
advantage due to the difficulties in color calibration
between cameras. The independence of color has the
additional advantage that re-identification can also be
applied in the infrared spectral range. Additionally
they provide a way to model person appearance very
distinctively.
The SIFT features collected during tracking are the
starting point for the re-identification of a person.
This re-identification becomes necessary when a per-
son has left the systems field of view which can
include multiple cameras and reenters it again. For
re-identification, the volatile short-time single-camera
tracking feature models are extended to long-term fea-
ture models which include all specialties of a persons
appearance. All feature descriptors seen during track-
ing are clustered and stored in the long-term model
together with their spatial occurrence distribution (the
positions they have been seen in during tracking en-
coded in the reference frame of the person). In addi-
tion to the high-dimensional SIFT descriptors, low
dimensional codebook activation signatures are
stored. These are built by recording the codebook ac-
tivation of all SIFT features in the long-term model
and storing these in a single activation vector of the
codebook dimension N. These low dimensional acti-
vation signatures can be used for efficient person re-
identification since matching of these signatures can
be performed with little computational effort. In de-
tail, matching for person re-identification is per-
formed as visualized in Figure 3. In the first stage, the
activation signatures of codebook dimension N are
matched. This matching can be performed very effi-
ciently since only vectors of codebook dimension N
which is around 1000 are to be compared. In the
second stage, the person specific spatial features dis-
tribution of every codebook prototype is taken into
account and serves as an additional feature in re-
identification. This inclusion of the spatial distribution
Figure 2: Model generation during tracking: features in a person hypothesis which are repeatedly con-
firmed by new image data are increased in their influence in the person model.
Figure 3: Three-staged matching approach for person re-identification. In a first stage, low dimensional
codebook signatures are matched. The second stage adds the spatial feature distribution to comparison.
High-dimensional SIFT models are matched in stage 3.
317
increases distinctiveness of the appearance model
while matching complexity is increased only slightly.
In the third stage, high-dimensional SIFT feature
models are compared. Since this stage includes no
further abstraction, it has the highest distinctiveness
but also the highest computational demand. But, since
re-identification can be performed in a cascaded ap-
proach, the computationally expensive comparison in
the third stage has to be performed only for few mod-
els since most of the contemplable models of a data-
base can be rejected in the first two stages. Further
details on this re-identification approach can be found
in [3].
However, even highly robust appearance models show
limitations if persons with similar clothes or in gener-
al similar appearance have to be distinguished. Hu-
man operators intuitively handle such situations by
looking at details (e.g. hair color, gender, age, etc.).
In the next section, a method for classification of such
soft-biometrics from face images will be described.
3.3 Face Re-Identification at a
Distance
The most distinctive feature for humans to identify
other persons is usually the face. And facial features
also have the added advantage of remaining relatively
stable over longer periods of time. This makes them a
vital part of any automatic person re-identification
system.
Such a face-based re-identification system is de-
scribed in [10][11][13]. The approach consists of two
steps. First, face detection is aligned to a normalized
pose and size in order to achieve robustness to a poss-
ible head rotation. An example of the pose normaliza-
tion results can be seen in Figure 4. The second step is
the actual re-identification: the aligned image is split
into a grid of blocks on each of which the discrete co-
sine transform (DCT) is computed. The DCT coeffi-
cients are then used to generate an illumination-
invariant feature vector.
A re-identification score can then be obtained by
comparing feature vectors using a nearest neighbor
classifier.. This DCT based approach achieves state of
the art face recognition results on well-known face
recognition benchmarks [10][13] and a mean average
precision of 60% for re- identification in a camera
network observing several floors [12].
However, recognizing human faces gets more diffi-
cult, when the distance between camera and human is
large, resulting in face images of low quality and low
resolution. Many techniques to enhance the quality of
low resolution (LR) sequences have been proposed in
the last years to overcome this problem [4].
Starting from a sequence of face images, provided by
a face detector and tracker (as proposed in [10]), we
use multi-frame super-resolution (SR) to increase im-
age quality and resolution. Most multi-frame SR
techniques [5][6][7] deal with rigid moving objects.
However, facial video sequences suffer not only from
illumination changes and occlusions, but also from
non-rigid motions caused by facial expression varia-
tion (see Figure 5). The accuracy of multi-image SR
algorithms depends to a great extent on the accuracy
of referencing the LR images.
We use a local optical flow based method which com-
putes not only motion vectors for each pixel, but also
a confidence measure for each flow vector. The confi-
dence measure helps to reduce the influence of out-
liers coming from illumination and occlusion changes
as mentioned above. The optical flow algorithm is a
local technique based on a robust version of the struc-
ture tensor approach. The confidence of the flow es-
timate is calculated from the covariance matrix. In
order to compute SR images in real-time, the algo-
rithm was implemented on a GPU [15].
The procedure is as follows: First, the motion vector
field and its uncertainty measures are calculated be-
tween the current image and the reference image (see
Figure 6). In a second step these measures are used
for a multi-frame super-resolution technique, based on
the method of Farsiu et al. [5].
Figure 4: The effect of pose alignment and mir-
roring depending on head pose. (a) Original im-
age with detected face and detected/estimated eye
and mouth positions. (b) Aligned and cropped
face w/o considering the head pose. (c) Aligned
face after mirroring faces to positive yaw angles.
318
In the left column of Figure 6 the reference image and
an image from the input sequence are shown. The im-
ages have a size of 150x150 pixels. The estimated
motion field is depicted in the second column (top:
full flow field, bottom: 50% most reliable motion vec-
tors). The color code for the motion fields is shown in
the top right corner of the full flow field. The third
column presents a resized version of the reference im-
age (bilinear) and the calculated SR image This SR
image was generated from a sequence of 32 LR im-
ages with extensive head movements and facial ex-
pressions. The edges of the SR images are visibly
sharper and more details are reconstructed.
The proposed method has been tested under real con-
ditions in our video surveillance system NEST [19]
and shows qualitatively promising results for im-
provement of image resolution, reduction of motion
blurring but also reduction of artifacts in compressed
video streams. However, for a quantitative evaluation
of the overall approach, the performance gain for au-
tomated face recognition algorithms has to be deter-
mined, which is currently under investigation.
3.4 Face-based Soft-Biometrics
The DCT features described in the previous section
can also be used to determine soft-biometric semantic
features, such as gender and age. Semantic features
can be used to build a descriptive model of a person,
which is able to reduce the number of possible candi-
dates for a person's identity. In security scenarios it
may also be relevant that semantic features can be
communicated to human personnel more easily than
low-level visual features. The semantic model is sup-
plemented by two additional features:
1. Hair color: A persons hair color can be detected
by a combination of color histograms and support
vector machines [8]. The problem of identical col-
ors appearing differently in various cameras can
be reduced by relying only on a small set of dis-
tinctive hair colors, i.e. blonde, brown, black and
red.
2. Glasses: Another discriminative facial feature are
glasses. The presence of glasses is detected by the
bridge of the frame across the nose [8][9]. Inde-
pendent of the model of glasses, this bridge can be
found by searching for a strong vertical gradient in
the area between the eyes.
All of the aforementioned features have in common
that they are computed based on a face detection.
They can be applied on a frame-to-frame basis for a
given person track, thus achieving an increasing iden-
tification certainty. Additionally, these features can
benefit from the super-resolution component de-
scribed before, because detection accuracy increases
with higher resolution of the face images.
However, the requirement of a face-detection is also a
disadvantage. It can cause a delay of the identification
until the persons face is actually visible.
An earlier identification is possible by relying not on-
ly on the face but on the whole appearance of a per-
son.
Using the approach outlined in Section 3.2, as well as
similar methods that were evaluated in [11], the iden-
tification of a person is possible as soon as that person
enters a cameras field of view. This initial identifica-
tion can later be confirmed or corrected by the face
based features.
4 Summary and Future Work
In this paper, an overview of recent research activities
and state-of-the-art methods on person re-
identification at a distance has been given. Hereby, the
overall approach consists of a multi-level coarse-to-
fine strategy, starting from person detection and track-
ing, face detection, resolution enhancement and ex-
traction of face-based soft-biometrics.
First experiments on each level have shown promising
results. However, there is still room for improvement:
Figure 5: Images from a sequence with different
facial expressions and head movements.
Figure 6: Left column: Reference image and one
image from the sequence. Middle column: esti-
mated motion vector field (top) and masked with
confidence measure (50 % motion vectors with
highest confidence, bottom). Color code for the
motion is depicted in the top right. Right column:
Resized input image (bilinear, top) and computed
SR image from 32 LR images (bottom).
319
The presented local-feature based person re-
identification approach has certain advantages, like
multi-modal usage and distinctiveness, over other re-
identification methods which e.g. use color. On the
other hand, a shortcoming of local features in the con-
text of person re-identification is that they are only
view-independent to a certain degree. For that reason,
future work in this area should focus on increasing of
view independence.
For resolution enhancement of face images, the cru-
cial part is the pixel-based image/face registration for
multi-frame super-resolution. Hereby, in particular,
outliers and pixel misalignments lead to a significant
decrease of the resulting image quality. To overcome
these drawbacks current investigations focus on fur-
ther improvement of motion field accuracy including
outlier detection.
Finally, quantitative evaluation of the overall ap-
proach is planned - in particular, regarding the result-
ing performance gain for face recognition and extrac-
tion of soft-biometrics with and without the proposed
tracking and super-resolution framework.
References
[1] Leibe, B.; Leonardis, A.; Schiele, B.: Robust
object detection with interleaved categorization
and segmentation, In International Journal of
Computer Vision, 77:259-289, 2008.
[2] Jngling, K.; Arens, M.: Detection and Track-
ing of objects with direct integration of percep-
tion and expectation, In Proc. Of International
Conference on Computer Vision (ICCV Work-
shops), 1129-1136, 2009.
[3] Jngling, K.; Arens, M.: A multi-staged system
for efficient visual person reidentification, In
Proc. Of the Conference on Machine Vision Ap-
plications, 1-8, 2011.
[4] Borman, S.; Stevenson, R.: "Super-resolution
from image sequences a review" in Proc.
Midwest Symposium on Circuits and Systems,
1998.
[5] Farsiu, S.; Robinson, D.; Elad M.; Milanfar P.:
Fast and Robust Multi-Frame Super-
Resolution, IEEE Transactions on Image
Processing, 2003, vol. 13, pp. 1327-1344.
[6] Park, S. C.; Park, M. K.; Kang, M. G.: "Super-
resolution image reconstruction: a technical
overview", IEEE Signal Processing Magazine,
20(3):2136, May 2003.
[7] Irani, M.; Peleg, S.: "Super Resolution From Im-
age Sequences", ICPR, 2:115120, June 1990.
[8] van de Camp, F.; Bernardin, K.; Stiefelhagen,
R.: Person Tracking in Camera Networks using
Graph-Based Bayesian Inference, ICDSC 2009,
Como
[9] Jiang, X.; Binkert, M.; Achermann, B.; Bunke,
H.: Towards detection of glasses in facial im-
ages, ICPR 1998, Washington DC
[10] Ekenel, H. K.; Stiefelhagen, R.: Local Appear-
ance based Face Recognition Using Discrete Co-
sine Transform, EUSIPCO 2005, Antalya
[11] Buml, M.; Stiefelhagen, R.: Evaluation of Lo-
cal Features for Person Re-Identification in Im-
age Sequences, AVSS 2011, Klagenfurt
[12] Buml, M.; Bernardin, K.; Fischer, M.; Ekenel,
H. K.; Stiefelhagen, R.: Multi-Pose Face Rec-
ognition for Person Retrieval in Camera Net-
works, AVSS 2010, Boston
[13] Ekenel, H. K.; Stiefelhagen, R.: Analysis of
Local Appearance-based Face Recognition: Ef-
fects of Feature Selection and Feature Normali-
zation, CVPR Biometrics Workshop 2006, New
York.
[14] Bauer, A.; Eckel, S.; Emter, T.; Laubenheimer,
A.; Monari, E.; Mograber, J.; Reinert. F.:
N.E.S.T. - Network Enabled Surveillance and
Tracking, Future security: 3rd Security Re-
search Conference, pages 349353, Sep. 2008,
Karlsruhe, Germany.
[15] Oser, F.: Superresolution mittels bayes'scher Me-
thoden und des optischen Flusses, 2011.
(Karlsruhe, HS, Master Thesis, 2011).
320
Multi-Spectral and Hyperspectral IR-Sensors for Improved Sur-
veillance Applications
Ralf Scheibner, AIM Infrarot-Module GmbH, Germany
Rainer Breiter, AIM Infrarot-Module GmbH, Germany
Johann Ziegler, AIM Infrarot-Module GmbH, Germany
Wolfgang Cabanski, AIM Infrarot-Module GmbH, Germany
Markus Mller, Fraunhofer-Institut fr Optronik, Systemtechnik und Bildauswertung IOSB, Germany
Norbert Heinze, Fraunhofer-Institut fr Optronik, Systemtechnik und Bildauswertung IOSB, Germany
Martin Walther, Fraunhofer-Institut fr Angewandte Festkrperphysik IAF, Germany
Robert Rehm, Fraunhofer-Institut fr Angewandte Festkrperphysik IAF, Germany
Abstract
Asymmetric warfare scenarios drive the demand for highly sophisticated detection techniques in IR-surveillance
applications. In order to improve the detection range or identification capabilities, respectively, new types of IR
sensors are under development. Complementary to the general demand for higher resolution, which increases the
image processing data width, the improved image processing algorithms, which use the information available in
different spectral bands or the detailed spectral information within one or more atmospheric transmission win-
dows, rely on the use of an enhanced data depth.
Within this context, hyperspectral imaging, for example, has proven to be capable to gain sophisticated informa-
tion about vegetation and soil composition as well as the humidity content of the ground and the atmosphere.
This can be exploited for geographical and biological analysis in various space and airplane based applications.
For military operation, the availability of additional color information is very useful in order to improve auto-
mated image analysis, e.g., change detection algorithms.
Additionally, in order to comply with the needs for flexible and instant military operation at the same time, new
sensors or sensor systems with increased functional range have also to take into account the limits with respect to
Size, Weight and Power consumption (SWaP), which are given by the corresponding carrier platforms.
For example, Small Unmanned Aerial Vehicles (UAVs) as well as handheld solutions, thus, clearly require high
performance IR-sensors which have a high functional density.
The paper presents the current status of IR sensor technology for multi- and hyperspectral sensing applications
ranging from the Short Wave Infrared (SWIR) spectral range to the Very Long Wave Infrared (VLWIR) spectral
range.

1 Introduction
Current asymmetrical conflicts drive the need for high
performance cooled infrared sensors, which allow to
detect hidden threats and to distinguish between com-
batants and non-combatants. The numerous and
quickly changing conflict scenarios demand for multi-
functional, flexible in use, light weight devices and
applications which are in a short term easy to incorpo-
rate in the existing logistic infrastructure.
AIM has developed IR detector modules, IR cameras
for UAVs and thermal weapon sights, which give an
answer to the above listed requirements. In the fol-
lowing these are discussed with respect to their differ-
ent fields of application.
2 SWIR-modules for hyper-
spectral imaging
In the past years, hyperspectral imaging has proven to
be capable to gain sophisticated information about
vegetation and soil composition as well as the humid-
ity content of the ground and the atmosphere. In the
short-wave infrared (SWIR) spectral range this has
been exploited for geographical and biological analy-
sis in various space and airplane based applications.
Since the basic principle relies on the separation of
the incoming light into its spectral components by the
means of spectrographs and/or prisms in combination
with additional filter elements, these applications re-
quire the most sensitive detectors in order to detect a
small number of photons in a distinct narrow spectral
321
band. For this purpose AIM has developed the ActIR
family of cooled MCT detector modules for the SWIR
spectral range form 0.9 m to 2.5m.
2.1 ActIR 1024
The ActIR 1024 module (Fig. 1) features a 1024x256
MCT focal plane array. The pixel pitch of 24x32 m
is specifically adapted to the spectral applications
which require, e.g., in a push-broom type of applica-
tion, on the one hand side a high spatial resolution and
on the other hand side a highly sensitive detector in
the spectral dimension.
By the use of a long life split Stirling pulse tube
cooler, which features more than 50000 h of MTTF,
the module is designed for 24/7 operation which
makes it also interesting for space applications. Based
on this module the Environmental Monitoring and
Analysis Program (EnMAP), a German hyperspectral
satellite mission is equipped by AIM.
Figure 1 Image of the ActIR-1024 SWIR integrated
detector Dewar cooler assembly (IDDCA).
2.2 ActIR 384
The ActIR 384 features a 384x288 MCT focal plane
array with a 24 m pixel pitch. It can be either
equipped with an integral rotary Stirling cooler (see
Fig. 1) or a three stage thermoelectric cooler.

The ActIR 384 is the core component for the devel-
opment of a light weight SWIR hyperspectral imager
push broom application for the UAV Luna. In com-
parison with nowadays commercially available hyper-
spectral imaging applications, which are mounted on
small airplanes, the UAV Luna forces tight restrictions
with respect to camera size, weight and power con-
sumption (max. 80W, max. 6kg payload) and data
transfer rate. In order to meet these requirements,
while still having the advantages of this kind of small
tactical UAVs, which have been proving their flexibil-
ity in operation for many years, the functional re-
quirements to such a hyperspectral
Figure 2 Schematic drawing of the ActIR-384 SWIR
integrated detector Dewar cooler assembly (IDDCA).
The total length of the module is below 130 mm
(measured from the entrance window to the cooler
electronics on the backside).
imager has to be reduced as far as possible. In a first
step of this development, this is done by using on-
board data storage devices for the expected data rate
of approximately 80 Mbytes/s and by post operation
data processing in order to keep the power consump-
tion for on-board data-processing as small as possible.
Table 1 summarizes the power consumption and
weight of the Luna SWIR hyperspectral main compo-
nents. These values comply with available resources
of the UAV Luna. Furthermore, in order to minimize
the requirements for absolute spectral data referenc-
ing, the threat detection is done on the basis of a
change detection algorithm, which means that the ac-
tual mission data is compared to a set of reference
data acquired during previous flights. The develop-
ment of the corresponding data analysis tools is done
in cooperation with Fraunhofer IOSB in Karlsruhe.
Table 1 Power consumption and weight of the SWIR
HS-camera main components.
Sub-
Component
Power con-
sumption
[W]
Weight
[kg]
IDDCA 15 0.7
Opt. assembly 5 2.1
Main
processing
board
40 0.8
Storage device 10 0.2
Mech. assembly - 0.7
Others 10 0.5
SUM 80 5.0
322
3 3
rd
generation multi color IR-
Modules
For most companies, universities, and laboratories
developing IR detectors in the MWIR and LWIR, the
current focus or research is on the 3
rd
generation tech-
nology. This includes dual color, dual band, and also
large single color/band IR staring arrays [Ref.1].
3.1 Dual Color IR-technology
The MWIR/MWIR dual-color (DC) FPA technology
development aims at achieving a low false alarm re-
mote detection of hot CO2 signatures against a strong
clutter background around 4.3 m, as required for
modern missile approach warning systems for air-
borne platforms. In recent years, AIM and Fraunhofer
IAF have pushed forward the serialization of the fab-
rication process of DC-superlattice (SL) FPAs which
is summarized in detail in Refs. [2,3,4]. The out-
standing feature of the 384x288 FPA with 40m pixel
pitch is the simultaneous and spatial coincident detec-
tion of IR photons within the two colors of the MWIR
spectral band. Together with the requirement for a
very low number of defective pixel, two major re-
quirements for the detection of sub-pixel image size
of threats are given.
Figure 3 Schematic drawing of the dual color super-
lattice pixel design for simultaneous and spatially co-
herent detection of MWIR radiation.

Figure 3 shows a schematic drawing of the pixel de-
sign. One pixel is compromised of a red pin-
photodiode sensitive to 4-5 m wavelength radiation
and a blue pin-photodiode sensitive to 3-4 m
wavelength radiation in a so called back-to-back con-
figuration. The three electrical contacts of each unit
cell allow for simultaneous operation of both diodes.
Incident blue IR radiation passing through the re-
maining substrate and etch stop layers is absorbed in
the blue diode, whereas red IR radiation passes
through the blue diode and is absorbed in the red
diode. By comparing the signal strength of both col-
ors, thread signals, e.g. hot CO2 of the missile plume,
can be distinguished from background clutter signals
of e.g. sun light reflections, which have a high propor-
tion of blue IR radiation.
Compared to existing UV-radiation based missile
warning detection principles the advantages of the
dual color MWIR based solution is the extended de-
tection range of operation due to limited transmission
of the atmosphere in the UV.

3.2 Dual Band IR-technology
Because of the diverseness of the operation scenarios
and thus accordingly the broad spectrum of different
atmospheric, climatic and weather conditions, it can
be shown that only a selectable multi-band detection
principle approach gives an optimum on the systems
electro-optical performance in terms of image contrast
and detection range. Therefore, AIM is currently de-
veloping a MCT based dual band MWIR/LWIR detec-
tor in cooperation with Fraunhofer IAF. The detector
is, like the dual color detector, compromised of two
photodiodes in a back-to-back configuration. Howev-
er, due to the need of higher resolution the array for-
mat is 640x512 pixel with a pixel pitch of 20m. Due
to this small scale pixel pitch the double-diode is con-
nected on the backside via a common substrate con-
tact and one separate individual electrical contact for
each pixel.
By reversing the bias across this double diode, one
can either switch the MWIR or the LWIR diode into
its active state and thus operate the device in either
one of the two spectral bands or if desired in a frame
to frame switching mode between these bands.
Figure 4 shows the normalized spectral sensitivity as
a function of the wavelength. By exclusion of the wa-
velength range between 5 m to 7 m, which is of
very little interest for imaging applications, it can be
seen that the spectral cross-talk (e.g. MWIR radiation
detected by the LWIR photodiode) is very low.
323
Figure 4 Normalized spectral response for the dual
band MWIR/LWIR FPA operated at about 60K.
4 HOT MCT IR modules
Future developments of low weight, compact, and
cost-efficient thermal sights with reduced power con-
sumption in the MWIR or LWIR spectral range are
clearly dependent on the progress which can be
achieved by the raise of the FPA operating tempera-
ture and the further size reduction of the pixel pitch.
Figure 5 shows various Dewar/Cooler configurations
like integral rotary or split linear for different applica-
tions, including command and control electronics
(CCE), and an optional image processing electronics
providing non-uniformity correction (NUC) and dy-
namic reduction. These IDCAs represent the standard
detector modules, which are also available for multi
band applications in the sense that the MWIR-IDCA
and LWIR-IDCA can be provided with the same elec-
trical and mechanical interface configuration.
Figure 5 AIMs product family of MCT 640x512 15
m pixel pitch IDCAs.

While the first devices of AIMs product family of full
format 640x512 15 m pitch IR detector modules
Ref.[5] operate at typical temperatures of 67 K for
LWIR and 95 K for MWIR, the standard MCT tech-
nology was improved for higher operation tempera-
ture (HOT). Based on the experience gained by fabri-
cating VLWIR FPAs with a cut-off wavelength >
14m and the necessity of reducing the dark current
significantly within these FPAs, AIM now is in a po-
sition to manufacture standard cut-off (5.2 m)
MWIR FPAs working at 120K FPA temperature. Fur-
ther progress is expected to raise the operating tem-
perature for MWIR detectors to 150K in the next two
years.
Figure 6 shows the impact of this improvement on the
cooler power consumption and cool-down time for the
HOT LWIR FPA. The test was performed using an
integral rotary cooler with a 12 V power supply. The
power consumption decreases from 8.9 W at 65 K to
5.4 W at 90 K FPA operating temperature. Accor-
dingly the cool-down time decreases significantly
from 10:32 min at 65 K to 6:30 min at 90 K.

Figure 6 Power consumption and cool-down time at
room temperature for a LWIR FPA as a function of
the operating temperature.

Due to this improvement more compact MCT
640x512 15m pixel pitch modules have been rea-
lized. One of these configurations is shown in Fig. 7,
where the 640x512 15m pixel pitch detector is inte-
grated together with an AIMs SX040 split linear coo-
ler. Within this configuration, the resulting outline
dimensions have been reduced to below 10 cm x 10
cm (size of the black base plate).

Figure 7 MCT 640x512 15 m pixel pitch IDCA with
split linear cooler SX040.
Conclusion
AIMs developments of IR-modules cover three major
technological fields, which are crucial for improved
surveillance applications.
First, the use of AIMs MCT HOT FPA technology
allows to further force the reduction of size, weight
324
and power consumption. The future progress of this
technology will improve the capabilities of applica-
tions like small UAVs and handheld thermal weapon
sights which make use of e.g. AIM`s 640x512 MW
and LW HiPIR family.
Second the development of high end custom designed
solutions for the SWIR spectral band used in hyper-
spectral imaging applications will help to provide
more sophisticated information of buried threats by
the use of improved change detection applications.
Third, the serialization and development of advanced
3
rd
generation IR-FPAs will allow for missile ap-
proach threat detection applications by the use of
MWIR dual color FPAs and enable optimized vision
and improved target classification in the MWIR and
LWIR spectral band by the use of dual band FPAs.

These developments are partially supported by the
German Ministry of Defence and our cooperations
and partners within the Fraunhofer Gesellschaft. This
support is gratefully acknowledged.
References
[1] Ziegler J., Eich D., Mahlein M., Schallenberg T.,
Scheibner R., Wendler J., Wenisch J., and Wol-
lrab, Daumer V., Rehm R., Rutz F., and Walther
M.: The development of 3rd Gen IR Detectors
at AIM, Proc. SPIE 8012, 80o1237, 2011
[2] Rehm R., Walther M., Schmitz J., Rutz F., Wrl
A., Scheibner R., and Ziegler J.: Type-II su-
peralttices: the Fraunhofer perspective, Proc.
SPIE 7660, 76601G, 2010
[3] Walther M., Rehm R., Schmitz J., Niemasz J.,
Rutz F., Wrl A., Kirste L., Scheibner R.,
Wendler J., and Ziegler J.: Defect density re-
duction in InAs/GaSb type II superlattice focal
plane array infrared detectors, Proc. SPIE 7945,
79451N, 2011
[4] Rutz F., Rehm R., Walther M., Masur M., Wrl
A., Schmitz J., Wauro M., Niemasz J., Scheibner
R., and Ziegler J.:Current developments for
type-II superlattice imaging systems, Proc.
SPIE 8012, 2011
[5] Breiter R., Ihle T., Wendler J., Lutz H., Rutzin-
ger S, Schallenberg T., Hofmann K., and Ziegler
J.: MCT IR detection modules with 15 m pitch
for high reliability applications, Proc. SPIE
7660, 2010

325
Automatic Maritime Video Surveillance with Autonomous Plat-
forms
Zigmund Orlov, Fraunhofer IOSB, Germany
Wolfgang Krger, Fraunhofer IOSB, Germany
Norbert Heinze, Fraunhofer IOSB, Germany
Abstract

Criminal activities at sea such as illegal immigration, piracy or trafficking of drugs, weapons and illicit sub-
stances have been a reality for past years. In such activities, predominantly small maritime vessels are used,
which are difficult to detect. Until now, border agencies observe and protect the critical maritime areas by ships,
planes or helicopters. Therefore, surveillance is expensive and full coverage is difficult to obtain.
To improve this situation, the European research project AMASS (Autonomous Maritime Surveillance System)
investigates to use a network of unmanned surveillance platforms. The platforms are equipped with different sen-
sors. An important sensor is an uncooled thermal imager. In order to exploit the data delivered by this optical sen-
sor, detection and tracking algorithms, which are able to work with a moving sensor under a variety of weather
and visibility conditions, are required. In the AMASS project, Fraunhofer IOSB developed an image exploitation
module for maritime surveillance systems. It automatically detects and tracks distant vessels in the images gener-
ated by thermal or visual imagers on an autonomous mobile platform such as a buoy or a ship.

1 Introduction
Criminal activities at sea such as illegal immigration,
piracy or trafficking of drugs, weapons and illicit sub-
stances have been a reality for past years. In such ac-
tivities, predominantly small maritime vessels are
used, which are difficult to detect. Until now, border
agencies observe and protect the critical maritime ar-
eas by ships, planes or helicopters. Therefore, surveil-
lance is expensive and full coverage is difficult to ob-
tain.
To improve this situation, the European research pro-
ject AMASS (Autonomous Maritime Surveillance
System) investigates to use a network of unmanned
surveillance platforms. The platforms are equipped
with different sensors. An important sensor is an un-
cooled thermal imager. In order to exploit the data de-
livered by this optical sensor, detection and tracking
algorithms, which are able to work with a moving sen-
sor under a variety of weather and visibility condi-
tions, are required.
In the AMASS project, Fraunhofer IOSB developed
an image exploitation module for maritime surveil-
lance systems. It automatically detects and tracks dis-
tant vessels in the images generated by thermal or vis-
ual imagers on an autonomous mobile platform such
as a buoy or a ship.

A variety of tools from machine vision has been ap-
plied and described in the literature to detect ships and
boats in colour and infrared imagery. Examples are
template matching in [1], groups of adjacent image
regions in infrared images [2], radial blob detector
[3], edge-based approaches [4], [5], [6], [7] and oth-
ers.
Most approaches require the position and orientation
of the horizon line as input. Existing approaches to
detect horizon lines in images are based on colour
segmentation [8], [9] or edge detection [4].
There is only little information in the literature about
visual surveillance from moving autonomous plat-
forms deployed at sea. An example is [10] where the
authors describe an un-tethered autonomous buoy that
stations itself on the sea floor and is able to ascend to
the surface when needed. The installed optical surveil-
lance unit is based on a low-power minicomputer and
processes colour images from a web-camera. The
camera is more or less at sea-level and no physical
stabilization is available. Ship detection and tracking
is based on previous work of the authors [5], [7]. Due
to limitations in computing power, video data is col-
lected in an online phase and image exploitation has to
be done offline afterwards.
In this work we describe the system hardware and la-
layered software architecture with algorithms for
online robust detection and tracking of small distant
boats from thermal images captured by a camera
mounted on an autonomous platform (buoy or patrol
326
IMU
Camera
Image
Exploitation
PC
PTU
R
e
m
o
t
e

C
o
n
t
r
o
l

R
o
o
m
I
R

o
r

V
i
s

V
i
d
e
o

Y
/
C
Mobile Platform
(e. g. Buoy or Ship)
Communication
XML/TCP/IP
RS232
vessel). Compared to other approaches, the system
uses a combination of algorithms relying on comple-
mentary image cues to generate detections that are ro-
bust with respect to variations of boat appearance, im-
age quality, and environmental conditions. In this sys-
tem each algorithm can be developed individually or
can be easily substituted by another module. The fun-
dament of the image exploitation is a detection layer
which provides the results of several detection algo-
rithms in a motion-stabilized scene coordinate frame
aligned with the estimated horizon line. In the
autonomous system, detections are used to trigger
alarms and to facilitate multi-target tracking.
2 Architecture and Algorithms

In the following, the image-exploitation hardware
(Section 2.1) is described. Section 2.2 explains the
operating modes supported by image-exploitation. Fi-
nally, layered software architecture on the mobile plat-
form is presented in Section 2.3.
2.1 Image-Exploitation Hardware Archi-
tecture
Figure 1 depicts the hardware architecture of the im-
age exploitation on an autonomous platform. There
are four components: camera, pan-tilt unit (PTU), the
inertial measurement unit (IMU) and the image-
exploitation computer (IE-PC).
The IMU and the camera are located together on the
turret of the platform. Both components are mounted
on the PTU. The task of the IMU is to measure the
angular orientation of the camera with respect to a
world coordinate frame. The measured roll and pitch
angles are needed by the image exploitation software
in order to estimate position and slope of the horizon
line for processed camera images. The IE-PC is
mounted in a waterproof rack. It is connected to the
Ethernet switch, the IMU, the PTU and the camera. Its
task is to run image exploitation algorithms using re-
ceived IMU data, to control camera and pan-tilt unit,
and to perform communication with a remote control
room by using XML-based messages over TCP/IP.
An operator in the remote control room has to evalu-
ate the information received from sensor system and
to make decisions how to act.
2.2 Image-Exploitation Operating Modes
There are three operation modes supported by image
exploitation: manual scan, miniscan, tracking.
In manual scan mode, the operator will see the current
image from the camera looking to the desired direc-
tion. No image exploitation algorithms are executed.
Setpoint tracing of the desired direction to compensate
the buoy movement is supported.
In miniscan mode, an automatic observation of a cer-
tain angle range is initiated by a command from the
remote control room. Image exploitation algorithms
are executed for an internally chosen number of cam-
era positions covering the desired angle range. Upon
detection of small vessels alarms are generated and
sent to the remote control room, where the operator
has to evaluate them.
In tracking mode, a boat at an user-selected direction
will be tracked automatically. This mode is useful af-
ter a vessel detection and a positive evaluation by the
operator. This mode is initiated by a command from
the remote control room.

Figure 1 Overall architecture
2.3 Image-Exploitation Software Architec-
ture
The image exploitation software consists of four proc-
esses communicating with each other:
Communication and Control Process (CCP).
It is the image exploitation interface to the
remote control room and to the hardware
components of the image exploitation on the
buoy. It coordinates and controls each of the
image exploitation operating modes de-
scribed above.
Inertial Measurement Unit Communication
Process (IMUCP)}. The task of IMUCP is to
communicate IMU measuring data to CCP in
real-time. Data is send with a frequency of
100 Hz.
Optronic Process (OP). The OP controls the
PTU and the camera. It executes appropriate
operations upon commands from CCP. Addi-
tionally, it communicates the current compass
data to the CCP periodically and in real-time.
Image Exploitation Process (IEP)}. The IEP
contains algorithms for boat detection, classi-
fication, and tracking that are executed upon
commands from CCP. Results are communi-
327
Process
Image
Exploitation
Core
Communication
IE Control
Grabber
Communication and Control Process
XML over TCP/IP
XML over TCP/IP
IR video Y/C
IMU
Logging
PTU
XML over TCP/IP
XML over TCP/IP
Room
Remote Control
Camera
mi ni Scan
manual Scan
t racki ng
ready
manScan
mi ni Scan
t racki ng
cated to the CCP for further analysis and no-
tification of the remote control room.
2.3.1 Communication and Control Process
(CCP)
CCP is the master multithread-process in the IE-PC
initiating, coordinating, and controlling the operating
modes and the communication with the image exploi-
tation system (Figure 2).

Figure 2 CCP architecture

CCP has four communication partners (remote control
room, IMUCP, IEP, OP). The communication protocol
is XML-based. The messages are delivered over
TCP/IP.
The remote control room sends its requests to CCP,
where they are processed and transformed to the
commands for OP and IEP. The images generated by
the thermal imager are delivered to IEP in a shared
memory area. Every data entry in the shared memory
contains an image and appropriate IMU data, received
from IMUCP in real-time. IEP sends its results to CCP
over XML/TCP/IP channels. The CCP analyzes them
and sends e.g. alarms to the remote control room,
where they have to be evaluated by the operator.
According to the described operating modes of the
image exploitation, CCP implements a state machine
controlling the execution of operating modes (Figure
3).

Figure 3 CCP IE state machine
There are four states: ready, manualScan, miniScan,
and tracking. Only from state ready, all IE operating
modes are directly reachable, i.e. at one point of time
only one IE operating mode is possible. If an operat-
ing mode is finished or an abort-command was re-
ceived from the control room, the CCP is in state
ready again.

2.3.2 Image Exploitation Process (IEP)
The image exploitation process (IEP) implements and
runs the image exploitation algorithms. The algo-
rithms are structured according to the layer model in
Figure 4. Each layer builds on the results of the pre-
vious layer. Data processing is done from bottom to
top.

Figure 4 Layer structure of the image exploitation al-
gorithms.

The first and lowermost layer is the IMU-based esti-
mation of camera orientation. Input for this layer is the
measurement data generated by sensors (accelerome-
ters, gyroscopes, and magnetometers) inside the IMU.
An extended Kalman filter is used to estimate the
time-varying pitch and roll angles of the camera to
which the IMU is attached.
The next layer uses the estimated pitch and roll angles
to find and improve the localization of the horizon
line in the captured camera images. The horizon line
is determined by a robust fit to edge features extracted
from the images. Pitch and roll angles from the IMU-
layer are used to narrow the search areas for feature
extraction. The image-based horizon localization also
detects situations (e.g. bad visibility due to fog) when
the image quality is too low to find the correct horizon
line. In such a case the localization of the horizon line
is estimated from pitch and roll angles alone. Results
of this layer are demonstrated in Figure 5.
The third software layer is the boat detection layer.
Since the aim is to detect distant boats and those boats
will appear near the horizon line, the boat detection
layer uses the information about the horizon line in an
image to set up search areas for the implemented de-
tection algorithms. The search areas are fixed relative
to the horizon line. Since uncompensated pitch

328

Figure 5 Examples of the estimated horizon line (left,
green). Corresponding input images on the right.

motion of the buoy on which the camera is mounted
will cause the horizon line to move up and down in
the images, this amounts to an additional software-
based image stabilization.
The common idea of the boat detection algorithms is
to search for temporally stable image features to sepa-
rate detections at boats from those at sea clutter. To
enhance robustness with respect to variations of boat
appearance, image quality, and environmental condi-
tions, a combination of detection algorithms using dif-
ferent image features and search strategies has been
implemented in the detection layer. The first algorithm
is a track-before detect algorithm [11] using spatio-
temporal integrated blob strength, the second one ex-
ploits stable image regions [12], and the third algo-
rithm is based on tracking salient image points [13].
The detection layer is able to run in parallel several of
those detection algorithms on different search areas in
an image. A global scene data structure has been de-
signed to collect results generated from the detection
layer. Detection results are transformed from image
coordinates to a scene frame given by horizon line and
initial point of the compass. The transformation is

based on localization of the horizon line, inertial
measurements, and compass data. Transforming from
image to scene coordinates amounts to a compensa-
tion of camera motion. The scene data structure is thus
able to provide a motion-stabilized interface to the de-
tection results. Results of the detection layer are dem-
onstrated in Figure 6.
The final and topmost software layer uses the gener-
ated detections to compute internal alarms or to per-
form tracking. In order to do this, results from the de-
tection layer are fused and classifiers are used to sepa-
rate relevant detections at boat/ships from false or
irrelevant detections. The alarms sent to the remote
control room are produced in the CCP based on the
internal alarms received from the IEP.
Fusion of detection results, classification and alarm
generation are described in [14].
The tracking algorithm uses the spatial and temporal
information from the robust multi-algorithm detection
layer. The combination and processing of both types
of data in the scene data structure makes it possible to
perform a robust multi-target tracking. Tracking re-
sults are shown in Figure 7. Below the bounding
boxes identifiers are drawn which correspond to the
329

Figure 6 Estimated horizon line (green) with two
search areas (yellow) and detection result (red) for in-
put image on the right.

Figure 7 Multi-target tracking results: Below the
bounding boxes identifiers are drawn which corre-
spond to the tracks observed by the tracker.

tracks observed by the tracker. One of our tracking
implementaions is described in [15].
During the tracking process, the PTU will be reposi-
tioned, if necessary. The IEP sends tracking images
periodically to CCP. They can be requested from re-
mote control center over the XML-based communica-
tion channel.
3 Results and Conclusion
A vision-based maritime surveillance system has been
developed and tested on video sequences captured
with a thermal imager from shore and ships in the
North Sea.

Figure 5 shows results of the horizon detection layer.
It can be seen, that the horizon detection performs
well under different visibility conditions. If the condi-
tions are unfavorable, the horizon line can be detected
using the information about the roll and pitch angle.
Boat detection results are demonstrated in Figure 6.
On the right, the source image is presented. On the
left, we see the detected horizon line and two search
areas for two detection algorithms running in parallel.
A small object was detected and marked with a red
bounding box.
Figure 7 shows a tracking sequence with two objects:
a large vessel and a small one. Below the bounding-
boxes identifiers are drawn which correspond to the
tracks observed by the tracker. We see, that the tracker
330
is distinguishing and tracking both objects in parallel,
although they are crossing and almost merging.
The achieved image exploitation results for detection
and tracking of small boats and ships are promising.
The detection results have also been successfully used
for classification and alarm generation [14].
Further field trials are planned and the software will
be adapted based on the gained experience. The
XML/TCP/IP interfaces of the control and communi-
cation part of the software allows to use it in cus-
tomer-specific environments, where the software in a
remote control room only has to implement a system-
specific XML-based protocol to communicate with the
autonomous video surveillance platforms.
Acknowledgment
This work has been done in cooperation with Carl
Zeiss Optronics GmbH and was supported with funds
from the European Community's Seventh Framework
Programme (FP7/2007-2013) under grant agreement
No. SP1-Cooperation-218290.
References
[ 1 ] A. Ondini et al.: Techniques for detection of
multiple, extended, and low contrast targets in
infrared maritime scenarios, Optical Engineer-
ing, Vol. 45, 2006.
[ 2 ] W. Tao et al.: Unified mean shift segmentation
and graph region merging algorithm for infrared
ship target segmentation, Optical Engineering,
Vol. 46, 2007.
[ 3 ] C. Bibby and I. Reid: Fast Feature Detection
with a Graphics Processing Unit Implementa-
tion,
http://www.robots.ox.ac.uk/~cbibby/pubs/paper9
94.pdf.
[ 4 ] Y. Wei et al.: Wavelet analysis based detection
algorithm for infrared image small target in
background of sea and sky, Proceedings of the
3rd International Symposium on Image and Sig-
nal Processing and Analysis, ISPA 2003, Vol. 1,
pp. 23-28, 2003.
[ 5 ] S. Fefilatyev et al.: Towards detection of marine
vehicles on horizon from buoy camera, Proc.
SPIE, Vol. 6736, Unmanned/Unattended Sensors
and Sensor Networks IV, 2007.
[ 6 ] J. Canny: A computational approach to edge de-
tection, IEEE Trans. Pattern Analysis and Ma-
chine Intelligence 8 (6), pp. 679-698, 1986.

[ 7 ] S. Fefilatyev and D. B. Goldgof, Detection and
tracking of marine vehicles in video, 19th Inter-
national Conference on Pattern Recognition,
ICPR 2008, pp. 1-4, 2008.
[ 8 ] S. M. Ettinger et al.: Vision-guided flight stabil-
ity and control for micro air vehicles, IEEE/RSJ
International Conference on Intelligent Robots
and Systems 2002, Volume 3, pp. 2134-2140,
2002.
[ 9 ] T. G. McGee et al.: Obstacle Detection for Small
Autonomous Aircraft Using Sky Segmentation,
Proceedings of the 2005 IEEE International Con-
ference on Robotics and Automation, ICRA
2005, 18-22 April 2005, pp. 4679-4684, 2005.
[ 10 ] S. Fefilatyev et al.: Autonomous Buoy Plat-
form for Low-Cost Visual Maritime Surveil-
lance: Design and Initial Deployment, Proc.
SPIE, Vol. 7317, Ocean Sensing and Monitoring,
2009.
[ 11 ] L. D. Stone et al.: Bayesian multiple target
tracking, Artech House, 1999.
[ 12 ] J. Matas et al.: Robust Wide Baseline Stereo
from Maximally Stable Extremal Regions, Proc.
British Machine Vision Conference BMVC-90,
Sept. 24-27, 1990, Oxford, England, pp. 384-
393, 2002.
[ 13 ] J. Shi and C. Tomasi: Good Features to Track,
Proc. Conference on Computer Vision and Pat-
tern Recognition CVPR '94, June 21-23, Seattle,
Washington, pp. 593-600, 1994.
[ 14 ] M. Teutsch and W. Krger: Classification of
small Boats in Infrared Images for maritime Sur-
veillance, Proceedings of the 2010 NURC Wa-
terside Security (WSS), November 3-5, Carrara,
Italy, 2010.
[ 15 ] M. Teutsch and W. Krger: Fusion of Region
and Point-Feature Detections for Measurement
Reconstruction in Multi-Target Kalman Track-
ing, accepted for 14th International Conference
on Information Fusion, 2011

331
Introduction to Anti-Piracy The EU Operation Atalanta
Frank Reininghaus, Commander (senior grade) German Navy, M.Sc., M.P.S.
University of Applied Science, Bremerhaven, Germany
Abstract
With the operation Atalanta, the European Union (EU) has proven evidence that it is able and willing to provide
a very effective protection against acts of piracy in the area Gulf of Aden (GOA) and a thoroughly coordinated
stationing of military units in the Somali Basin. This article will introduce the EU operation Atalanta as well as
NATO- and US-led operations in the same area. With the Maritime Security Centre Horn of Africa (MSC-
HOA), there has been established a coordinating authority for a safe and secure passage through the Gulf of
Aden (GOA), nevertheless the area affected by Somali piracy activities is too large to ensure 100% security for
transiting ships. However, according to the motto a lot helps a lot, more ships and aircraft would enable the
EU to cover more of that vast area of ocean between Africa, Arabia and India.

1 The mission Atalanta
1.1 Atalantas main tasks
For a coordinated military action, the European Union
has released Common Action 2008/749/CFSP (Com-
mon Foreign and Security Policy), which is the basis
for EU Naval Force (EUNAVFOR) Atalanta, sup-
porting the successive Resolutions 1814 (2008), 1816
(2008), 1838 (2008), 1846 (2008), 1918 (2009) and
1950 (2010) of the United Nations Security Council
(UNSC).
EUNAVFOR Atalanta has started in December 2008,
its tasks are
- the protection of vessels of the World Food Pro-
gramme (WFP);
- the protection of vulnerable vessels,
- the deterrence, prevention and repression of acts
of piracy and armed robbery, and
- the monitoring of fishing activities,
all of these off the coast of Somalia [1].

Atalantas main task is therefore not the often quoted
anti-piracy mission, but related to the safe and se-
cure delivery of food aid to displaced persons in So-
malia.
1.2 The military command structure of
Atalanta
The strategic Headquarters (Operations Headquarters,
OHQ) of Operation Atalanta or in military terms
Task Force 465, is located in Northwood/United
Kingdom, the operative Headquarters (Force Head-
quarters, FHQ) is out at sea in the area, a command
and control center embarked in the flagship. Opera-
tion Commander of Atalanta is always a British flag
officer (i.e. a general or admiral of one of the services
of the British Armed Forces), his deputy is designated
by one of the participating ten EU nations for four to
six months. Another admiral, the so-called Force
Commander, is embarked in the flagship as well,
heading the formerly mentioned FHQ. Actually (June
2011), the flagship is the Portuguese frigate Vasco da
Gama (3.400 tons of displacement, crew of 212, one
organic helicopter on board) [2].

Figure 1 military command structure of operation
Atalanta [A]
At any point in time, there are up to six military ships
and up to five maritime patrol (and reconnaissance)
aircraft (MPRA) operating in the area. Regularly,
Task Force 465 consists of frigates and a tanker or
supply ship, as well as MPRAs Lockheed P-3 Orion
or Breguet Atlantic 2. An interesting detail is the
chartering of two civilian aircraft provided by the
Luxembourg government for the Seychelles Coast
Guard. These two Swearingen Merlin III have been
332
prepared for this special task by CAE Aviation, a
company specializing in airborne observation work,
and are therefore equipped with search radar and an
electro-optic turret, which enables them to detect pi-
rate vessels by day and night [3].
1.3 Other actors besides the European
Union ships and aircraft
Besides the Atalanta units, there are further military
vessels in the Somali Basin and in the Gulf of Aden;
some of them with a similar task, some of them on a
different mission.

1.3.1 Task Force 150 (Operation Enduring
Freedom)
As a reaction to the 9/11 attacks in the United States,
Task Force 150 (Operation Enduring Freedom) has
been launched under Article 51 of the United Nations
Charter [4] and under the provisions of Article 5
NATO Treaty [5]. This operation is lead by US Naval
Central Command (USNAVCENTCOM) in Bahrain
and aims to hinder terrorists to reach their areas of
retreat and to use potential transport routes in the
Horn of Africa area [6]. On the basis of a decision by
the Bundestag, Germanys involvement was brought
to an end in July 2010 [7].

1.3.2 NATO Operation Ocean Shield
NATO Operation Ocean Shield commenced on 17
August 2009 as a designated counter piracy operation
and followed Operation Allied Protector, which
ended the day before. Ocean Shield will entail the
following military tasks:

- Deter, disrupt and protect against pirate attacks, ren-
dering assistance to ships in extremis as required.

- Actively seek suspected pirates and prevent their
continued activity through detention, seizure of ves-
sels and property, and the delivery of suspects and
evidence to designated law enforcement authorities,
in accordance with NATO agreements.

- Facilitate and support the development of regional
states capacity to conduct effective counter-piracy
operations, in coordination with other related interna-
tional efforts.

- Coordinate NATO operations and initiatives with
coalition maritime forces, EU naval forces, and other
non-NATO forces conducting counter piracy opera-
tions off the Horn of Africa [8].

1.3.3 US-led Task Force 151 (Combined
Maritime Forces)
Task Force 151 is another designated counter piracy
operation, composed on 08 January 2009 and de-
signed to lighten Operation Enduring Freedom from
anti-piracy efforts.
Naval ships and assets from more than 20 nations
comprise the Combined (or sometimes: Coalition)
Maritime Forces [9], e.g. from the United States, the
Republic of Korea, Turkey, Pakistan and the Republic
of Singapore, who successively designated the com-
manding officers of Task Force 151 [10], [11]. Pre-
sently (third quarter of 2011) Task Force 151 is com-
manded by a New Zealander for the first time [12].

1.3.4 Individual military units in the Somali
Basin / Horn of Africa region
Besides multinational operations, there are numerous
individual units of seafaring nations, which have been
tasked to conduct counter-piracy or anti-piracy opera-
tions. Some of these nations and their participating
units shall give an impression of the variety of ships
and aircraft operating or intended to operate in the
waters off Somalia.

- Russia: The Russian Pacific Fleets fifth task force
in the Horn of Africa region was led by the Admiral
Vinogradov destroyer and has returned to Vladivos-
tok on 21 May 2011. The destroyer had been accom-
panied by the Pechenga tanker and a salvage tug.
During its four-month mission, Admiral Vinogra-
dov has escorted a total of 74 commercial vessels
with Russian and foreign citizens on board [13]. Inte-
restingly enough, some sources quote high-ranking
Russian military or government officials with their
intention to re-activate a naval base on Yemen's So-
cotra island, which lies off the Horn of Africa [14],
[15] or that Somali authorities [have given] the go-
ahead for the deployment of a host of Russian naval
bases on Somali soil [16].

- China: Chinese navy's first operation beyond the Pa-
cific set sail in June 2011, when [t]wo destroyers and
a supply ship left the port of Sanya on Hainan island
as a reaction to seven attacks [in 2008] on Chinese
vessels in the area. In contrary to Russia, China has
no bases in the region [17].

- India: The government of India has pledged a do-
nation of [three] new air surveillance assets to the
Seychelles [one] Dornier surveillance aircraft and
[two] Chetak helicopters, delivered from Hindustan
Aeronautics Limited, Bangalore, by the end of 2012.
India will provide one of its in-service Dornier air-
craft to carry out maritime surveillance to bridge the
gap until delivery of the promised three systems men-
tioned above. Furthermore a training cooperation is to
333
be established to offer help for capacity building of
the Seychellois Forces [18].

- Japan: Maritime Self Defense Forces (MSDF) of
Japan have replaced the destroyers Makinami and
Setogiri with Kirisame and Yudachi in Decem-
ber 2010 [19].

- Units from Singapore, South Korea, Iran, Pakistan
and many more maritime nations have been ordered
to the area off the Coast of Somalia or to the Strait of
Mozambique. With the stationing of the South Afri-
can Navy frigate SAS Amatola in Northern Mo-
zambique waters (i.e. between Mozambique, the
Comoros islands and Madagascar), it is clear how far
South the piracy threat has moved during the last few
years. The Amatola is temporarily assisted by a
South African Air Force reconnaissance aircraft, both
are based in the Mozambique port town of Pemba
[20].
2 Coordinating military assets
in the Horn of Africa region
and the Gulf of Aden
2.1 Coordinating military assets in the
Horn of Africa region / Northwes-
tern Indian Ocean
For obvious reasons, such a large number of ships and
aircraft should not share a common area of operations
(AOO) without a certain degree of coordination, even
if it is the vast area of the Northwestern Indian Ocean.
Several inter-, multi- and supranational groups, agen-
cies and installations have been created in the last
couple of years.
A few examples may illustrate the coordination effort.

- The Contact Group on Piracy off the Coast of Soma-
lia (CGPCS); this forum was created on 14 January
2009 pursuant to UN Security Council Resolution
1851 and brings together countries, organizations,
and industry groups with an interest in combating pi-
racy. () The Group meets three times a year at the
United Nations, while its four [w]orking [g]roups
meet regularly () to develop and implement nation-
al counter-piracy policies and programs. These
working groups deal with
- military and operational coordination, infor-
mation sharing, capacity building;
- judicial issues;
- strengthening shipping self-awareness and
- public information;
a fifth working group dealing with the illicit transna-
tional financial flows associated with piracy is under
discussion. Nearly 60 countries and several interna-
tional organizations participate in the Contact Group,
including the African Union [AU], the Arab League,
the European Union [EU], the International Maritime
Organization [IMO], the North Atlantic Treaty Organ-
ization [NATO], and various departments and agen-
cies of the United Nations [UN] [21].

- As it was experienced that it would be helpful to
implement working-level meetings ashore to discuss
counter-piracy coordination and de-confliction [22],
the three founding coalitions (Combined Maritime
Forces, EU NAVFOR and NATO Ocean Shield [23])
agreed on monthly meetings in the wake of the estab-
lishment of CTF 151 (Coalition Maritime Forces).
These meetings are held in Bahrain under the
acronym of SHADE meaning Shared Awareness and
Deconfliction. As of July 2010, this forum includes
26 mostly regional member nations [24] and navies as
well as representatives of industry and Interpol. Each
meeting is chaired by representatives of one of the
founding coalitions and co-chaired by representatives
of one of the participating nations. The results and
recommendations of SHADE, e.g. the updates and
discussions of the so-called Best Management Prac-
tices (BMP) [25], are regularly presented at the
CGPCS meetings. This best management practices
handbook is published by the UK Maritime Trade
Operations (UKMTO) on the website of the United
Kingdom Department for Transport (DFT) [26] and
recommended on the Maritime Security Centre Horn
of Africa (MSC-HOA) website [27].

2.2 The Maritime Security Centre
Horn of Africa
To ensure the safe and secure transit through the main
area of operations, the Gulf of Aden (GOA), the Ma-
ritime Security Centre Horn of Africa (MSC-HOA)
has been established in September 2008.
The centre provides 24 hour manned monitoring of
vessels transiting through the Gulf of Aden and on
the other hand an interactive website to communi-
cate the latest anti-piracy guidance as well as an op-
portunity to register [shipping] movements through
the region [28]. All ships passing through the GOA
either east- or westward are highly encouraged (but
not obliged) to register with the center. The focus of
MSC-HOAs coordinating effort is the

Figure 2 Internationally Recommended Transit Cor-
ridor [B]
334
Internationally Recommended Transit Corridor
(IRTC), dividing the GOA into 24 x 11 rectangles
(sectors) of 20 nautical miles (36 km, 22.5 mi) border
length, oriented parallel to the main shipping route
(065 eastbound/245 westbound). Four to six rectan-
gles, i.e. 1.600 to 2.400 nautical square miles (5.200
to 7.800 km, 2.030 to 3.050 mi) are being monitored
by one of the participating ships of operation Atalanta
and other operations.
2.2.1 Transit Procedures
In this area, there are three transit procedures availa-
ble:
- Scheduled Group Transits;
- Close Company Transits;
- Escorted Group Transits.
The difference between these three procedures is the
intensity and the proximity of the mer-
chant/commercial vessel and the accompanying mili-
tary unit. While in a Scheduled Group Transit, the
area of passage will be monitored by the military unit
via radar, observers and radio. During a Close Com-
pany Transit, as the name implies, the merchant ves-
sel is successively accompanied by the military ship
responsible for the sector(s) and handed over at the
relevant sector boundary to the next unit, whereas the
Escorted Group Transit is the closest convoy-type
passage with few merchant/commercial vessels being
accompanied through the whole corridor. This me-
thod is preferably offered by Chinese, Japanese, Rus-
sian and Indian military units for vessels flying their
flag [29].

Different types of merchant vessels are travelling at
different speeds, e.g. offshore supply ships at 10
knots, General Cargo and Very Large Crude Carriers
(VLCCs) at 12 knots and Liquid Natural Gas (LNG)
tankers at 18 knots. To have a convoy of vessels with
different speeds pass through the most dangerous sec-
tion of the IRTC in close company, it is necessary to
stagger the departure times at the entry point of the
IRTC; this means, that slower ships have to leave ear-
lier, faster ships depart at a later point in time, so that
the latter catch up with the former. Although opera-
tion Atalantas primary task is protection of vessels of
the World Food Programme (WFP), there is enough
time and opportunity for the three above mentioned
transit procedures, as the total number of WFP vessels
from Mombasa, Dar-es-Salaam or Mumbai towards
Mogadishu or from Djibouti to Berbera and Bosasso
on the Northern coast of Somalia is relatively small.

2.2.2 The Best Management Practices
Handbook
The handbook for Best Management Practices to De-
ter Piracy off the Coast of Somalia and in the Arabian
Sea Area [30] is meanwhile available in version 3
(hence BMP3), published in June 2010. This prac-
tical guideline gives a short overview e.g. about
- types of pirate attacks;
- planning advice for company and master;
- citadel (i.e. safe room) guidelines;
- practices to avoid being boarded by pirates
(e.g. increase speed, rapid change of course,
activation of water spraying devices and oth-
er passive means) and
- how to behave in case military assistance has
reached the vessel [31].
It also lists the signatories and the supporting opera-
tions (Atalanta, Ocean Shield, CMF) and organiza-
tions (UKMTO, MSC-HOA, NATO Shipping Center
(NSC))[32].

Several merchant ships that have not adhered to the
best management practices and have not reported to
MSC-HOA have (often enough successfully) been
aimed at by Somali pirates; on the other hand those
masters and crews who have made use of the BMP
did not become a piracy victim.

3 Conclusion
Undoubtedly the situation in Somalia - with its more
or less separate entities Somaliland, Puntland and
Southern Somalia (basically south of 6 Northern
latitude) and the non-existent stateness - is reponsible
for the increased pirate activities in the Somali Basin.
Therefore the International Community must thrive
towards stabilization on Somali soil. However, there
is also a significant contribution to be rendered from
the maritime environment. Examples are abundant, a
few may be listed here:

- confidence building measures with trainings, coop-
eration projects and exchange programs with Nor-
theastern African Coast Guard agencies [33], [34];
- a conference of the secretaries of defense of the Eu-
ropean Union held on 24 February 2010, who agreed
on expanding the objectives of Atalanta to include
control of Somali ports where pirates are based, as
well as neutralizing mother ships (usually previous-
ly hijacked merchant vessels which are then used by
the pirates to enable them to operate up to and some-
times even beyond 1.500 nautical miles (2.800 km,
1.750 mi) from the coast [35];
- training of Somali security forces under Spanish
command in Uganda (started in mid-2010) [36];

However, although [o]n any given day, between 30
and 40 international ships [plus numerous aircraft] are
involved in anti-pirating efforts in the Somali basin
and the western Indian Ocean [37], there are still
numerous acts of piracy occurring and the numbers
are increasing. The International Chamber of Com-
335
merce (ICC) - International Maritime Bureau (IMB)
quarterly report I/2011 lists a total of 97 attempted
and 18 successful pirate attacks in the first quarter of
2011 (same time period 2010 saw only 35 attempts)
off the coast of Somalia, with a total of 142 attacks
worldwide [38], i.e. more than two thirds of all pirate
attacks in the mentioned time frame happened there.

Figure 3 Piracy and armed robbery incidents reported
to IMB Piracy Reporting Centre during 2010 for the
Somali Basin / Northwestern and Western Indian
Ocean region [C]
It may be discussed whether the option arming mer-
chant/commercial ships in order to be able to defend
themselves against marauding Somali pirates because
international warships can't do the whole job [39] is
a step in the right direction or just another notch on
the ladder of escalation. One of the alternatives is the
installation and the use of non-lethal measures, as
published and proposed in the previously mentioned
BMP handbook; a combination of these has proven
successful in numerous cases of attempted, but then
rejected pirate attacks. Another option as stated in
the beginning would be to commit more military
ships and aircraft towards the fight against piracy (a
lot helps a lot); this would possibly lead to a Great-
er Horn of Africa Sea Patrol, as suggested by the
Danks Institut for Militaere Studier [40], although a
100% coverage factor of the Somali Basin / North-
western and Western Indian Ocean region cannot be
achieved.

Nevertheless it must be the primary goal of the Inter-
national Community to improve the situation in So-
malia itself. The entities must be stabilized at least to
a degree that the majority of the population accepts
the government(s), which in turn must take measures
to create opportunities for todays pirates to earn their
living in a legal way. The military can only be used as
a supporting element [41], it is not the primary means
of peace-, state- and/or nation-building. The opera-
tions introduced above (Ocean Shield, Coalition Ma-
ritime Forces and Atalanta) are hence important, ef-
fective and valuable assets to prevent acts of piracy in
the Somali Basin.

References
Paper based on authors article EU Naval Force
ATALANTA, Piratenabwehr am Horn von Afrika in:
Internationales Magazin fr Sicherheit, ISSN 1866-
6736, Edition 01/2010, pages 16-18 and his contribu-
tion Operation Atalanta am Horn von Afrika Die
erste maritime Operation der Europischen Union to:
Feichtinger, Walter & Hainzl, Gerald: Somalia, Op-
tionen Chancen Stolpersteine, Bhlau-Verlag,
ISBN 978-3-205-78582, Vienna 2011, p. 179 197
(projected)
[1] EU NAVFOR ATALANTA, official website;
see: http://www.eunavfor.eu/about-us/mission/;
accessed regularly since 15 March 2010
[2] EU NAVFOR ATALANTA, official website, EU
NAVFOR Flagship Thwarts Pirate Mothership
Deployment, 15 May 2011; see:
http://www.eunavfor.eu/2011/05/eu-navfor-
flagship-thwarts-pirate-mothership-deployment/;
access 10 June 2011
[3] EU patrol planes to help in fight against piracy,
in: Seychelles Nation.SC online, 28 August 2009
http://www.nation.sc/index.php?art=16865;
access 16 April 2011
[4] Charter of the United Nations, chapter VII: Ac-
tion with respect to threats to the peace, breaches
of the peace, and acts of aggression; see for ex-
ample: http://www.un.org/en/documents/charter/
chapter7.shtml; access 08 November 2010
[5] The North Atlantic Treaty, Washington D.C.,
April 1949; see for example:
http://www.nato.int/
cps/en/natolive/official_texts_17120.htm; access
18 October 2010
[6] Uhl, Andreas, Commander (senior grade) German
Navy, Nationale Fhrung - Einsatzfhrung fr
Deutsche Einheiten in maritimen Einstze, in:
http://www.globaldefence.net/artikel-analysen/
14946-deutschland-nationale-fuehrung-
einsatzfuehrung-fuer-deutsche-einheiten-in-
maritimen-einsaetzen.html; access 27 February
2011
[7] Operation Enduring Freedom, in: German De-
partment of State, see: http://www.auswaertiges-
amt.de/EN/Aussenpolitik/RegionaleSchwerpunk
-te/AfghanistanZentralasien/OEF.html; access 09
June 2011
336
[8] Operation Ocean Shields tasks quoted from:
NATO Shipping Centre (NSC) webpage,
http://www.shipping.nato.int/CounterPir, also
providing a daily piracy overview and a weekly
piracy assessment; access 09 June 2011
[9] Commander, Combined Maritime Forces Public
Affairs: New Counter-Piracy Task Force Estab-
lished; see: Official Website of the U.S. Navy,
released 08 January 2009, Story Number:
NNS090108-01; http://www.navy.mil/search/
display.asp?story_id=41687; access 09 June
2011
[10] Commander, U.S. Naval Forces Central Com-
mand: Combined Task Force (CTF) 151; see:
Official Website of the U.S. Navy,
http://www.cusnc.navy.mil/cmf/151/index.html;
access 09 June 2011
[11] Combined Maritime Forces, Republic of Singa-
pore assumes Command of Combined Task
Force 151, 01 April 2011; see:
http://combinedmaritimeforces.com/2011/04/01/
republic-of-singapore-assumes-command-of-
combined-task-force-151/; access 09 June 2011
[12] New Zealander to Command US-Led Counter
Piracy Task Force, press release by New Zealand
Defence Force, Thursday, 2 June 2011; see:
http://www.scoop.co.nz/stories/PO1106/S00025/
new-zealander-to-command-us-led-counter-
piracy-task-force.htm; access 09 June 2011
[13] Vasilyeva, Natalia: Russian task force ends anti-
piracy mission off Somalia, 22 May 2011; see:
http://english.ruvr.ru/2011/05/22/50646090.html
; access 09 June 2011
[14] Rajeh, Fuad: Russia To Set Up Navy Military
Base On Socotra, 19 January 2009; see:
http://www.yemenpost.net/64/LocalNews/
20082.htm; access 09 June 2011
[15] Finck, Benoit: Somali Pirates Give Russia
Chance to Flex Muscles; Agence France-Press,
22 November 2010; in: Defense News, see:
http://www.defensenews.com/story.php?
i=3833357; access 09 June 2011
[16] Vasilyeva, Natalia: Russian task force ends anti-
piracy mission off Somalia; see above; this ar-
ticle quoted also in http://www.guardian.co.uk/
world/2010/nov/25/russia-new-naval-bases-
abroad and http://www.coastweek.com/3420_
pirates_01.htm; access 09 June 2011
[17] quoted from BBC mobile, China begins anti-
piracy mission, 26 December 2008, see:
http://news.bbc.co.uk/2/hi/africa/7799899.stm;
access 09 June 2011; a more detailed view on
Chinas participation in multilateral anti-piracy
efforts in the Gulf of Aden and the attempts by
traditional actors () especially the EU, to co-
operate with China and Africa [in their anti-
piracy operations and other maritime issues] on
a trilateral basis can be found in: Chinas grow-
ing role in African peace and security; see: Sa-
ferworld,
http://www.saferworld.org.uk/downloads
//pubdocs/Chinas%20Growing%20Role%20in%
20African%20Peace%20and%20Security.pdf,
ISBN 9781904833574, London/UK, Janu-
ary 2011, page 61pp.; access 06 June 2011
[18] India Defense Online, in: Stratsis Incite, India to
assist Seychelles in anti-piracy operations, Au-
gust 2, 2010, see: http://stratsisincite.word-
press.com/2010/08/02/india-to-assist-seychelles-
in-anti-piracy-operations/; access 09 June 2011
[19] Aktuelle Entwicklungen bei Einsatzkrften, in:
Marineforum, 05 December 2010; see:
http://www.marineforum.info/html/wochenschau
.html; access 09 June 2011
[20] Port Management Association of Eastern and
Southern Africa (PMAESA), South Africa, Mo-
zambique Join Hands to Fight Piracy, 02 June
2011; see: http://www.pmaesa.org/information/
news/news.htm?nid=20; access 09 June 2011
[21] U.S. Department of State official website, Inter-
national Response; see: http://www.state.gov
/t/pm/ppa/piracy/contactgroup/index.htm; access
09 June 2011
[22] Naval Leaders meet to coordinate Counterpiracy
Efforts, published by US Navy, released 29 May
2009; see: http://www.defencetalk.com/naval-
leaders-meet-to-coordinate-counterpiracy-
efforts-19310/; access 09 June 2011
[23] EU NAVFOR ATALANTA official website, 8th
SHADE meeting sees largest international par-
ticipation so far, 01 October 2009; see:
http://www.eunavfor.eu/2009/10/8th-shade-
meeting-sees-largest-international-participation-
so-far/; access 09 March 2010
[24] Neptune Maritime Security, EU asks India to co-
chair anti-piracy group, published 14 July 2010;
see: http://neptunemaritimesecurity.posterous
.com/?tag=sharedawarenessanddeconfliction;
access 09 June 2011
[25] Oceans beyond piracy, Shared Awareness and
Deconfliction (SHADE); see:
http://oceansbeyondpiracy.org/matrix/activity/sh
ared-awareness-and-deconfliction-shade; access
09 June 2011
[26] Department for Transport, best management
practices handbook; see: http://www.dft.gov.uk/
pgr/security/maritime/deterpiracy0908bmp3.pdf;
the signatories of the handbook are listed in an-
nex F (page 59pp.); accessed regularly since 10
March 2010
[27] Maritime Security Centre Horn of Africa; see:
http://www.mschoa.eu/; accessed regularly since
08 March 2010
[28] ibid
[29] Individual Nations Escorts and Convoying Ar-
rangements, in: NATO Shipping Centre; see:
http://www.shipping.nato.int/; access 08 March
2010
337
[30] Best Management Practices to Deter Piracy off
the Coast of Somalia and in the Arabian Sea
Area, version 3 of June 2010, ISBN 978-1-
85609-397-2; see:
http://www.dft.gov.uk/pgr/security/maritime/dete
rpiracy0908bmp3.pdf; accessed regularly since
08 March 2010
[31] ibid, section 4, p. 9p.; section 6 & 7, p. 13pp.;
section 9.13 (ii), p. 33; section 10 & 11, p.
35pp.; section 12, p. 41; access 10 June 2011
[32] ibid, annex F; signatories p. 59pp., supporters p.
65pp.; access 10 June 2011
[33] Supreme Headquarters Allied Powers Europe
(SHAPE) official website, NATO Commander
Meets Puntland Coastguard, 17 January 2010;
see: http://www.shape.nato.int/page272205428
.aspx; access 08 March 2010
[34] Standing NATO Maritime Group 1 (SNMG 1)
official website, What is NATOs role in the
fight against piracy?; see:
http://www.manw.nato.int/
page_snmg1_fAQ.aspx#Q:_What_is_NATOs_
role_in_the_fight_against_piracy; access 08
March 2010
[35] EU NAVFOR ATALANTA official website,
OPERATION ATALANTA Expands Its Mission
On Piracy, 26 February 2010; see:
http://www.eunavfor.eu/2010/02/eu-navfor-
somalia-operation-atalanta-expands-its-mission-
on-piracy/; access 08 March 2010
[36] EU Common Security and Defence Policy, offi-
cial website: EU TM (Training Mission) Soma-
lia; see:
http://www.consilium.europa.eu/showPage.aspx
?id=1870&lang=en; access 15 June 2011
[37] Fitzgerald, Mark, Admiral U.S.Navy, in: Entous,
Adam: U.S. Admiral: military ships can't stop
Somali piracy, Washington, D.C., 16 April 2010;
see: http://in.reuters.com/article/2010/04/15/
idINIndia-47732120100415?pageNumber=2
&virtualBrandChannel=0; access 09 June 2011
[38] The International Chamber of Commerce (ICC) -
International Maritime Bureau (IMB) German
Section,
04_14_PM_ICC_Seepiraterie_Quartalsbericht,
London / Kuala Lumpur, 14 April 2011
[39] Fitzgerald, Mark, Admiral U.S.Navy, loc. cit.
[40] Bangert Struwe , Lars For a Greater Horn of
Africa Sea Patrol, Danks Institut for Militaere
Studier, March 2009, page 28; see:
http://www.humansecuritygateway.com/docume
nts/DIMS_GreaterHornOfAfricaSeaPatrol_Strat
egicAnalysisOfTheSomaliPirateChallenge.pdf;
access 09 June 2011
[41] EU Common Security and Defence Policy, offi-
cial website: EU TM Somalia, loc. cit.

List of Figures
[A] Figure 1: Authors depiction of military com-
mand structure of operation Atalanta, based on
EU NAVFOR ATALANTA, official website;
see: http://www.eunavfor.eu/; accessed regularly
since 15 March 2010
[B] Figure 2: Authors depiction of Internationally
Recommended Transit Corridor, based on Clark,
Alastair, Commander Royal Navy, presentation
Combined Maritime Forces (CMF) Operations
- Counter Piracy Operations, Challenges, 04
June 2009, p. 4; see:
http://www.nato.int/structur/ AC/141/pdf/PS-
M/Combined%20Maritime%20
Forces%20Ops.pdf, access 09 June 2011
[C] Figure 3: Authors adaptation of IMB Piracy
Map 2010, published by The International
Chamber of Commerce (ICC) Commercial
Crime Services; see: http://www.icc-ccs.org/ in-
dex.php? Option =com_fabrik&view= visualiza-
tion&controller=visualization.googlemap&Itemi
d=219; access 15 June 2011
338
Development of indicators to evaluate a vessels vulnerability to
pirate attacks and packages of appropriate technological protec-
tion systems
Niclas Jepsen, Hamburg University of Technology, Germany
Thomas Will, Hamburg University of Technology, Germany
Lutz Kretschmann, Hamburg University of Technology, Germany
Thorsten Blecker, Hamburg University of Technology, Germany
Abstract
Piracy has become a big and increasing risk for global shipping. These risks of piracy can generally be managed
by different approaches. One of them is the reduction of the vessels vulnerability. The target of this paper is the
development of a concept to evaluate a container vessels vulnerability in regard to piracy by a number of indica-
tors. A detailed analysis of the vessels vulnerability is necessary to evaluate different characteristics of vulner-
ability. Knowing the vessels weaknesses, appropriate countermeasures can be implemented. Potential technical
protection systems are analysed in regard to different structural conditions. This allows taking optimal measures
in respect to the identified weaknesses.
In a subsequent step, the feasibility, costs and benefits of technological protection systems are analysed. Single
technological systems can decrease the vessels vulnerability. However single technologies will typically only
improve one specification of vulnerability directly. On the one hand they can therefore be used to reduce the vul-
nerability in a highly systematic and well directed way. On the other hand combinations of different technologies
have to be taken into account. A detailed investigation of the technologies reveals their compatibility or appro-
priateness to be used together. An ideal mix of technologies depends upon the vessel itself and other technologies
applied. This analysis and the subsequent actions will enable to enhance the vessels security significantly and
therefore reduce the risk of successful pirate attacks. In cooperation with experts, packages of measures are de-
veloped and verified to ensure the practicability.

339
1 Introduction
Piracy has a significant and increasing influence on
worldwide shipping. The number of attacks almost
doubled over the past years from 276 registered at-
tacks in 2005 up to 445 in 2010 [1]. The increasing
number of attacks is attended by increasing amounts
of ransom. The average ransoms paid to Somali pi-
rates have grown from $150,000 in 2005 to $5.4 mil-
lion in 2010 [2]. Both developments lead to a total
ransom amount paid to Somali pirates in 2010 of ap-
proximately $238 million [2]. In addition to the ran-
soms paid there are even more costs involved e.g. in-
surance premiums, navy forces, technological protec-
tion systems. The One Earth Future Foundation
estimates the annual total costs of piracy of $7 to $12
billion. The additional costs are spent to reduce the
risks involved in piracy.
2 Risk Analysis
2.1 Risks of Piracy
The risk of piracy consists of different factors. The
first is the probability of being attacked by pirates,
while the second is the probability of a successful pi-
rate attack. The third factor is the amount of damage
caused by the attack. In this structure e.g. the ships
vulnerability has an impact on the probability of a
successful pirate attack.
Figure 1 Risk of Piracy

In general risks of piracy can be managed by different
approaches. First, risks can be avoided or reduced by
e.g. the adjustment of shipping routes to avoid piracy
hot spots and therefore reduce the probability of pirate
attacks. Second, risks can be transferred to insurance
companies which would lead to a smaller amount of
damage for the owners of the ship. The third option is
decreasing the probability of the success of a pirate
attack by e.g. reducing the vessels vulnerability
which is examined in further detail. This can be
achieved by different approaches: Structural changes,
organisational changes, additional human resources
and technological protection systems which are the
focus of this work. To address technological protec-
tion systems, Physical Protection Systems in general
are analysed in a first step.
2.2 Physical Protection Systems
Physical Protection Systems aim to provide security
for defined objects. Physical Protection Systems in-
clude human interaction, processes, electronic and
physical elements for the protection of objects [3]. In
this context objects can be people, property, informa-
tion or any other kind of possession of value [4]. The
target of the Physical Protection System is to provide
protection against any exposed or concealed mali-
cious activity. However, Physical Protection Systems
are also used to deter an accomplishment in the first
place. Typical malicious activities are sabotage of
critical equipment, theft of physical or intellectual
property as well as the injury of humans [4]. In order
to successfully repel an attack a Physical Protection
System has to provide the functions. These functions
are (1) detection, (2) delay and (3) response to an at-
tack. From a different perspective, these functions can
be regarded as indicators for the objects vulnerability.
This risk analysis therefore is mainly driven by an ob-
jects vulnerability including the three indicators. The
three vulnerability indicators have a significant im-
pact upon each other and therefore cannot be evalu-
ated completely separately from each other. In this
context a response is an action that needs prior detec-
tion of the attack. Delay on the other hand does not
require a prior detection. The necessity of prior detec-
tion is the main distinctive feature of delay a response
in the given analysis.

As Physical Protection Systems can be applied to any
object, the structure of Physical Protection Systems is
subsequently adopted to fit a ships vulnerability re-
garding pirate attacks.
2.3 Vulnerability
An objects vulnerability describes the probability of
the object being harmed in a certain scenario. Some
authors define the ships vulnerability as the probabil-
ity of a successful pirate attack [5]. However, if the
ships vulnerability was the only factor of success, the
pirates equipment would be irrelevant. Therefore the
ships vulnerability is only one major factor of the
success probability. Many factors of piracy risks can-
not easily be determined, e.g. the ex ante attack prob-
ability. The vulnerability can comparatively objec-
tively and easily be determined as the ships charac-
teristics are generally commonly known [6].
Vulnerability is characterised by different physical,
technical, operational and organisational aspects [7]
[8]. Those characteristics can be the ships construc-
tion design (e.g. height of freeboard), the technical
equipment (e.g. radar systems) and operations on
board (e.g. surveillance of ships surrounding) [9]. In
this analysis the vulnerability is described by the three
indicators detection, delay and response.
340

Figure 2 Vulnerability Characteristics

The three indicators in combination define the ships
vulnerability. Detection of a pirate attack is inevitable
for an active response to the attack. A good ability to
respond to an attack has no value unless the attack is
detected beforehand. Hence, the higher the detection
ability, the higher is the influence of the response abil-
ity to an attack on the ships vulnerability. In the de-
scribed model the delay ability is defined as being in-
dependent from prior detection. Vice versa the delay
of a pirate attack enhances the time given to detect an
attack. The detection ability is therefore increased by
a distinct delay ability. In this way the delay ability
has an indirect influence on the effectiveness of the
response ability

Figure 3 Vulnerability Characteristics Interde-
pendencies

Even though the different indicators depend upon
each other, in a first step they should be addressed
separately to generate a sophisticated analysis. This
approach allows identifying the weak spots of a ship
and in a subsequent step addressing them precisely.

2.4 Threat Scenarios
The vulnerability of a ship depends upon the threat
scenario. However, in order to define different scenar-
ios, piracy has to be defined in the first place. Some
definitions distinguish between attacks within and be-
yond sovereign territories. As this differentiation is of
no relevance for the given analysis, the definition by
the International Maritime Bureau (IMB) is appropri-
ate. The IMB defines piracy as an act of boarding or
attempting to board any ship with the intent to commit
theft or any other crime and with the intent or capabil-
ity to use force in the furtherance of that act [1]. The
condition for a pirate attack is the boarding of the ship
followed by different kinds of attacks. Casual theft is
the first and most common kind among all [10]. These
hit and run attacks usually occur secretly in har-
bours at night. One criterion for theft is that it is done
without weapons. The second kind of a pirate attack is
the armed robbery [11]. Typically pirates approach the
ship in small skiffs and try to board the ship without
being detected. Once on board, they take possession
of cargo or other valuable goods such as cash with the
use of weapons. The danger for the crew of an armed
robbery is evidently higher than for a casual theft.
Third, another kind of a pirate attack is the hijacking
of the ship (Flottenkommando Marine 2010, p.256).
The purpose of that can either be to hold the ship to
ransom or otherwise the long-term capture of ship and
cargo. In this case the threat for the crew is even
higher than in the case of armed robbery.

Figure 4 Threat Scenarios

Different threat scenarios represent different mental
attitudes and motivations. Even though the pirates'
motivation does not influence the ships vulnerability,
the way the attack is conducted has an impact on the
vulnerability. For example the vulnerability in case of
theft in a harbour might be different to the vulnerabil-
ity in case of an attempted hijacking at sea. Therefore
vulnerabilities have to be determined according to the
given threat scenarios.

2.5 Technological Protection Systems
Appropriate technological systems can decrease the
ships vulnerability. They typically help to improve
one of the three described abilities of a ship which are
described by the indicators. A wide variety of these
technological systems is available on the market. This
wide range of technologies was analysed regarding
costs, benefits und feasibility. In a first step this
analysis was mainly based upon literature and inter-
viewing manufacturers. While the costs are rather
341
simple to compare, the evaluation of benefits and fea-
sibility requires a competent knowledge of the threat,
the conditions on board and individual technologies.
To ensure correct findings, a workshop with experts
was executed. Here the previous results could be vali-
dated or adjusted accordingly.

In addition to the three categories of technologies, fur-
ther distinguishing features can be identified. Some
technologies, e.g. electric fences are reasonably in-
stalled permanently, whereas others can be used very
punctually such as armed vessel protection teams.
However, typical are also hybrid forms. Propeller ar-
resters for instance are permanently mounted but
commonly only used when shipping through danger-
ous areas. This characteristic has a significant influ-
ence on the costs of the technology.
3 Indicators
Indicators are management tools which describe char-
acteristics of complex contexts in a transparent way
and operationalise them. They connect theoretical
models of complex systems to the practical decision
making [12]. The major functions of indicators are
[12]:
The assessment of conditions and trends;
the comparison across places and situations;
the assessment of conditions and trends in re-
lation to goals and targets;
the provision of early warning information;
the anticipation of future conditions and
trends.

As a systems vulnerability generally depends upon
different factors, the vulnerability cannot be displaced
by a single indicator either. Hence the vulnerability
typically has to be displayed by Composite-Indicators
(CI) [13]. CI are particularly suitable to describe
complex models [14]. However, the selection and
weighting of single indicators play a decisive role in
the composition. Comparable to any other modelling,
the trade off between accuracy and simplification
needs to be considered [13].

3.1 Detection
The indicator detection states the probability to de-
tect pirates approaching or boarding the vessel. A rat-
ing scale was developed to evaluate the first vulner-
ability aspect.

Rating Detection of approaching pirates
1 (low) Detection cannot be expected
2 Detection is only probable within
striking distance
3 Reliable detection within striking
distance, possible detection within
enhanced distance
4 Extremely reliable detection within
striking distance, probable detec-
tion within enhanced distance
5 (high) Reliable detection within enhanced
distance
Figure 5 Detection Rating

The following factors have been identified being rele-
vant for detection:

Radar A ships radar system is central for the ob-
servation of the enhanced ships surroundings. How-
ever, not all objects can be detected by a radar system.

Optical surveillance Optical surveillance is com-
monly used for the observation of the closer ships
surroundings. Furthermore it is the basis for the
evaluation of threat.

Number of crew members on duty for detection
The higher the number of people in charge of detect-
ing pirates, the higher the probability of detection.

Diligence of observation The radar surveillance as
well as optical surveillance requires diligence of the
people involved. The higher the diligence, the higher
is the probability of detection.

Crew trainings A trained crew is more likely to de-
tect an attack than an untrained crew.

Technological equipment Appropriate technologi-
cal equipment can significantly improve the detection
ability.

3.2 Delay
The indicator delay states the vessels ability to sig-
nificantly delay or prevent a pirate attack. A rating
scale was developed to evaluate the second vulner-
ability aspect.

342
Rating Delay of pirate attack
1 (low) A delay cannot be expected or the
ships design even accelerates the
boarding
2 Delay can only be expected to a
small extend
3 A noticeable delay can be expected
4 A significant delay can be expected
5 (high) The attack can be delayed to high
extend, boarding can almost be ex-
cluded
Figure 6 Delay Rating

vant for delay:

Relative velocity The velocity difference between
attacking and attacked ship has influence on the delay.
The faster the attacking ship is and the slower the at-
tacked ship is, the faster the boarding will take place.

Absolute velocity A high velocity of the attacked
vessel increases the struggle of boarding a vessel.

Freeboard The difference between waterline and
rail influences the attacks delay. The higher the free-
board, the better is the ability to delay.

General design of rail Certain objects e.g. hatches
simplify boarding. The general design of rail therefore
significantly influences ability to delay.

General design on board The general design on
board determines the struggle pirates have when mov-
ing on board. Therefore barriers promote the delay on
board.

External circumstances External circumstances,
e.g. weather, visibility or sea conditions influence the
delay. Pirate struggling with external circumstances
will be delayed in their attempt to board.

Technological Systems Appropriate technological
systems can potentially delay an attack.

In the case of ships being situated in a harbour further
factors influence the ships ability to delay an attack:

Anchor cables or mooring lines Anchor cables or
mooring lines can promote the boarding. The ar-
rangement of them therefore influences the delay.

Territory security situation A fragile territory se-
curity situation influence the ability to delay nega-
tively.

3.3 Response
The indicator response states the vessels ability to
actively respond to a pirate attack. This analysis dis-
tinguishes between actively delaying and actively re-
pelling an attack. In order to meet this differentiation,
two rating scales were developed to evaluate the third
vulnerability aspect.

3.3.1 Delaying Response

Rating Delaying response
1 (low) No reaction is possible or effect of
reaction barely noticeable
2 A delaying response can only be
realised to a small extent, delaying
effect is small
3 Average delaying response, average
effect of response
4 Significant delaying response, sig-
nificant effect of response
5 (high) Considerable extent of delaying re-
sponse, boarding can almost be ex-
cluded
Figure 7 Delaying Response Rating

vant for a delaying response while travelling:

Velocity An increased velocity subsequent to detec-
tion can actively delay the pirate attack.

Manoeuvre In case of a detected attack, swift
changes of direction handicap boarding.

Manual countermeasures Appropriate counter-
measures by the crew can actively delay the attack.
For instance the usage of fire hoses for that purpose
can have the designated effect.

Technological systems Additional technological
systems can support the active delay of a pirate attack.

Crew trainings The effects of a response by a
trained crew is potentially higher than by an untrained
crew.

Vessel protection teams Vessel protection teams on
board can either actively respond to a attack or sup-
port the response. In either way it positively influ-
ences the responses effect.

343
3.3.2 Repelling Response

Rating repelling response
1 (low) No repelling response is expected
2 A repelling response can only be
carried out subsequent to a long de-
lay
3 A repelling response can only be
carried out subsequent to a certain
delay
4 A repelling response can be carried
out subsequent to a short delay
5 (high) A repelling response can be carried
out without any delay on the spot
Figure 8 Repelling Response Rating

vant for a repelling response while travelling:

External vessel protection teams The vessel re-
ceives help from external protection teams. In this
case the crucial factor is the time needed to arrive at
the vessel.

Internal vessel protection teams A vessel protec-
tion team on board should not require long till com-
mencing the response. Therefore the crucial factors
are rather the number of team members, their equip-
ment and education.
3.4 Visualisation and Interpretation
The visualisation of the vulnerability including the
individual indicators is exemplified for a vessel with
the following indicator ratings.

Indicator Rating
Detection 2
Delay 2
Delaying response 1
Repelling response 5
Figure 9 Exemplified Rating

The fictitious vessel possesses a radar system and
look-out, but the operation is considered lacking the
due diligence. A high velocity and freeboard posi-
tively influence the delay. No further measures are
taken to delay or actively delay the attack by respond-
ing. The present vessel protection team can respond/
repel the attack.

Figure 10 Exemplified Visualisation

In spite the high indicator for the repelling response
the overall vulnerability is rather moderate. Especially
the low detection rating increases the vessels vulner-
ability because a prior detection is inevitable for re-
sponding.

In order to reduce the vessels vulnerability effec-
tively, technological protection systems should be
considered. The low ratings for detection, delay and
delaying response indicate the aspects requiring im-
provement.
References
[1] ICC International Maritime Bureau: Piracy and
armed robbery against ships annual report,
January 2011
[2] Bowden, A.: The Economic Cost of Maritime
Piracy - One Earth Future Working Paper, De-
cember 2010
[3] Garcia, M.L.: Design and Evaluation of Physical
Systems 2nd Edition, Amsterdam, Elsevier But-
terworth-Heinemann, 2007
[4] Garcia, M.L.: Vulnerability Assessment of Phys-
ical Protection Systems, Amsterdam, Elsevier
Butterworth-Heinemann, 2006
[5] RAMCAP: Risk Analysis and Management for
Critical Asset Protection The Framework
Version 2.0, Washington D.C., 2006
[6] Ayyub, B.M. et al., Critical Asset and Portfolio
Risk Analysis: An All-Hazards Framework. Risk
Analysis, An International Journal, 27(4),
pp.789-801, 2007
[7] Moteff, J.: Risk Management and Critical Infra-
structure Protection: Assessing, Integrating, and
Managing Threats, Vulnerabilities and Conse-
quences, Congressional Research Service The
Library Congress, 2005
344
[8] Roper, C.A.: Risk management for security pro-
fessionals, Oxford, Butterworth-Heinemann,
1999
[9] Greenberg, M.D et al.: Maritime terrorism: risk
and liability, Santa Monica, CA, Rand Corpora-
tion, 2006
[10] Flottenkommando Marine: Jahresbericht 2010
Fakten und Zahlen zur maritime Abhngigkeit
der Bundesrepublik Deutschland, Glcksburg,
Flottenkommando der Marine, 2010
[11] Johnson, D. & Valencia, M.J.: Piracy in South-
east Asia: status, issues, and responses, Singa-
pore, ISEAS Publications, 2005
[12] Gallopin, G.C.: Chapter 1 Introduction, B.
Moldan & S. Billharz, ed. Sustainability Indica-
tors Report of the project on Indicators of Sus-
tainable Development, Scientific Committee On
Problems of the Environment, 1997
[13] Hiete, M & Merz, M.: An Indicator Framework
to Assess the Vulnerability of Industrial Sectors
against Indirect Disaster Losses, Gothenburg,
Sweden, May 2009
[14] OECD: Handbook on Constructing Composite
Indicators Methodology and User Guide, Paris,
2008
345
Polarimetric Detection of Small Maritime Targets for Maritime
Border Control
Hartmut Schimpf, Fraunhofer-Institut fr Hochfrequenzphysik und Radartechnik (FHR), GERMANY
Abstract
Small maritime targets like jet skis, water scooters, different types of small boats, and even swimmers became an
increasing threat to civilian or military ships or harbour installations. Also, small boats are frequently used for
drug trafficking or illegal border crossing off the coast. Fast reaction is only possible when these objects are de-
tected as early as possible by day or night and also under adverse weather conditions. This is achieved by means
of radar sensors with their excellent day/night and all-weather capabilities. Above all, polarimetric radar offers a
detection performance superior to that of a classical single-channel radar.

1 Introduction
During the past years, small maritime targets like jet
skis, water scooters, different types of small boats,
and even swimmers became an increasing threat to
civilian (cruise, freight or ferry) or military ships
(force protection) or harbour installations like port
infrastructure, entertainment piers or bridge pilings.
The scenarios may be part of asymmetric warfare and
terrorist attacks, i.e. small boats are used to deliver
weapons, moving on autopilot or remotely controlled,
or they are used for suicide bombing. Small boats
may also be deployed to smuggle drugs, weapons or
humans [1] like African refugees who cross the Medi-
terranean and violate European maritime borders
along long and complex coastlines.
A timely detection of such threats is important to buy
time that can be used either to identify the target, or to
analyse the threat e.g. by examining behavioral pat-
terns of suspicious activities. Also, time is needed for
an appropriate reaction at an adequate distance. Many
different sensors have been considered for this task
like radar, IR video cameras, or sonobuoys. Radar is
the ideal sensor for stand-off detection and wide-area
surveillance. This is due to its day / night as well as
adverse weather capabilities. Moreover, radar can be
used to measure the distance to an object and track it
after detection to monitor its behaviour. Also, radar is
not specialized to small boats but can detect any ob-
ject on the sea surface from larger vessels down to
swimmers and waterborne mines. A large bandwidth
yields a high range resolution which may help to ana-
lyse the spatial structure of a threat object. Radar po-
larimetry provides additional information on a target
by exploiting the orientation of the electrical field
vector and of its phase. Thanks to all these properties,
radar is of paramount importance to improve situ-
ational awareness and contribute to timely decision
making.
The paper will describe some results from measure-
ments that were performed at 35GHz. The classical
single-channel detection is compared to several po-
larimetric approaches, the superiority of the latter is
demonstrated.
2 Measurements
The fully polarimetric MEMPHIS radar [2] was used
to measure the backscatter behaviour of sea clutter
and embedded targets at 35 GHz. For this purpose, the
radar had been installed on top of a cliff at a height of
19 meters above sea level. The measurements were
performed in a staring configuration with real beam
resolution in cross-range and a moderate range resolu-
tion of 0,75m resulting from a 200 MHz chirp. The
transmit polarization was switched from pulse to
pulse between vertical and horizontal, two orthogonal
channels were received simultaneously thus providing
the full scattering matrix information. A careful po-
larimetric calibration was performed in order to re-
move effects like cross-talk and channel imbalance.
This was achieved using the concept of distortion
matrices on transmit and receive. Full scattering ma-
trix data thus could be used to analyse spatial and
temporal statistics of the sea reflectivity and the target
radar cross sections. The targets treated here were a
swimmer and a RHIB (rigid hull inflatable boat) (see
Figure 1) at distances between 700 meters and 2500
metres. Figure 2 shows a time series of high range
resolution (HRR) profiles acquired with a rate of
20Hz. The tracks of the boat and the nearby swimmer
are clearly visible. This facilitated the extraction of
pure data from sea clutter, boat, and swimmer for
the subsequent statistical analysis. Under realistic
346
conditions, these statistics are not accessible directly,
but rather have to be used indirectly by means of local
estimates via a CFAR (constant false alarm rate) [6]
detection scheme.

Figure 1 swimmer and boat in moderate sea state

3 Polarimetric Detection
The transmit polarization of the MEMPHIS radar was
switched from pulse to pulse between horizontal (H)
and vertical (V). In both cases the two mutually or-
thogonal polarisations H and V were received simul-
taneously. This results in four data streams, namely
HH, HV, VH, VV (first index = transmit, second in-
dex = receive). After applying the polarimetric cali-
bration it holds HV=VH due to the reciprocity theo-
rem in the case of monostatic radar, i.e. using the
same antenna for transmit and receive.
Therefore we end up with a three-component data
vector [HH VH VV] which is complex because each
value consists of amplitude and phase or in-phase and
quadrature components, respectively. These channels
can be used for detection individually in the case of
classical single-channel detection or in certain
weighted combinations in the case of polarimetric de-
tection.

3.1 Classical polarimetric schemes
In the literature there exists a wealth of polarimetric
detection schemes. Only three of the most important
and representative ones [4][5] will be described here
in some detail. These are the polarimetric span detec-
tor (PSD), the optimal polarimetric detector (OPD),
and the polarimetric matched filter (PMF). They will
be compared in the following to the single-channel
case and to the -detector which is based on the po-
larimetric persistence [3] described below.
3.1.1 The polarimetric span detector
The polarimetric span detector (PSD) physically is
equivalent to the total power detector where the
backscatter powers from all polarimetric channels are
summed up with equal weighting:

Y = |HH|
2
+ 2 |HV|
2
+ |VV|
2

Mathematically spoken, the PSD is a suboptimal de-
tector because the linear combination of channels is
not done using optimized weighting factors.
3.1.2 The optimal polarimetric detector
The optimal polarimetric detector (OPD) as intro-
duced by Novak et al. in 1989 [5] is based on the as-
sumption that targets as well as the sea surface can be
described by means of a multidimensional complex
Gaussian probability density function (pdf).

where X = [HH VH VV] is the data vector and
its covariance matrix. This is justified
when the resolution cell is so large that it can be
treated as a multi-scatterer entity. In the ideal case, the
pdfs of clutter and target (plus clutter) are known
from former experience. Then both classes
T+C
: target plus clutter
C
: clutter only
can be separated by means of their likelihood-ratio:
which has to pass a given threshold if a target shall be
declared to be present. The threshold T
D
is defined by
the requirement not to exceed a specified false alarm
rate.

Figure 2 tracks of swimmer (left) and boat during
70sec observation time
{ } X X X f
T

1 *
3
exp
| |
1
) (

{ }
* T
X X E

=
D
C
C T
T
X f
X f
>
+
) | (
) | (

347
3.1.3 The polarimetric matched filter
Cadzow [4] proposed the formalism of the polar-
imetric matched filter (PMF). The idea behind it is to
find an optimal linear combination y=h
T*
X of the
measured data channels such that the target-to-clutter
ratio offered to the detector is maximized.
Here again, the covariance matrices defined above are
needed. The optimal weight vector h
o
is obtained as
the solution to a generalized eigenvalue problem
where h
o
is the eigenvector corresponding to the
maximum eigenvalue.

3.2 Polarimetric persistence and the -
detector
The polarimetric state of any measured signal can be
described by its so-called Stokes vector, a 3-element
vector [Q, U, V] which describes the geometric locus
of that polarimetric state on the surface of the Poin-
car sphere. It is further characterized by the inten-
sity I of the wave field which is related to its Poynting
vector. The Stokes vector depends on the transmit po-
larization and is computed either from HH, HV to-
gether with their phases, or from VV, VH with their
phases.
By polarimetric persistence [2] we denote the simi-
larity of consecutive polarimetric states within each
individual range cell. If one takes the normalized
Stokes vector s=(s
1
, s
2
, s
3
) = (Q/I, U/I, V/I) then the
scalar product = s(t
n
)s(t
n+1)
is called polarimetric
persistence between a pulse at time t
n
and the subse-
quent pulse at time t
n+1
.

Its value is the closer to 1 the more similar to each
other both polarization states are, i.e. the more per-
sistent the polarization state is. From its definition,
can take values between 1 and +1. If one computes
for a large sample of temporal values from within one
individual range cell, then sea clutter yields an almost
homogeneous distribution. This means that there is no
regularity from one pulse to the next. The man-made
objects, on the other hand, show a strong concentra-
tion of near +1 which means that their polarimetric
state changes more steadily than that of sea clutter.
If one looks at all values for all times and all range
cells (range-time-diagramme in figure 3) there occurs
a striking difference between natural clutter and man-
made objects. The concentration of persistence values
close to =1 leads to well visible tracks of man-
made objects which are very much distinct from the
surrounding sea clutter.
The most straightforward way to use for detection is
to use the empirical probability density functions that
one can extract from the measured data as shown in
figure 3. Thus, pdfs for sea clutter and for the desired
target object (boat, swimmer) are obtained. The re-
sults derived from these pdfs are not better than those
from single-channel detection [3] as long as only one
transmit polarization is used. However, the polarimet-
ric detectors described in 3.2 make use of the full
scattering matrix. If one carries this over to the case of
the polarimetric persistence one gets two values
H

and
V
which belong to H and V transmit polarization,
respectively. These two values
H
and
V
are statisti-
cally almost independent of each other [3]. Therefore
they carry independent information usable for detec-
tion.
Next, one has to find a way how to combine
H
and
V

appropriately to make optimal use of their independ-
ent information. Typical scatter plots in the
H
vs.
V

plane show that the sea clutter follows a homogene-
ous distribution whereas the man-made objects, as
expected, are concentrated toward the point (+1, +1).
Based on this behaviour, the following combinations
of
H
and
V
to create one common variable were
analysed [3]:
=
H
*
V

=
H
+
V

= min(
H
,
V
)
= sqrt((
H
+1)
2
+ (
V
+1)
2
)
In the first and third case, will be close to +1 only if
both
H
and
V
are close to +1 which is more likely
for man-made objects than for sea clutter. The second
case corresponds to a rotation of the coordinate sys-
tem by 45 so that varies along the line that con-
nects (-1, -1) to (+1, +1), in the fourth case meas-
ures the distance to the antipode (-1, -1).
4. Results
The usual way to present detection results is by means
of ROC (receiver operation characteristic) curves
which plot the probability of detection P
d
vs. the
probability of false alarm P
fa
(figure 5). These curves
are obtained from the histograms of target (T) and
clutter (C) (or target plus clutter: T+C) by integration

Figure 3 range-time plot of persistence
h h
h h
C
T
C
T
T
T
out

*
*
=
+ +
= =
3
1
1 1
) ( ) ( ) ( ) (
i
n i n i n n n
t s t s t s t s


348
using the detection threshold as a sliding integration
limit (figure 4). The overlap of the two histograms
determines the amount of false alarms.

Figure 4 reflectivity statistics of sea clutter (left) and
swimmer (right) at VV polarization

Figure 5 single-channel ROC curves for swimmer in
sea clutter, red = VV polarization

After these single-channel results we now look at the
polarimetric results obtained by means of the classical
approaches described in 3.1. Figure 6 shows all three
cases (OPD = green, PMF = blue, PSD = black) com-
pared to the single-channel (HH polarization) case (in
red). The P
fa
-axis in this case has a logarithmic scale
for reasons of clarity. It is obvious that the combina-
tion of three independent polarimetric channels using
some optimization criterion leads to an increase in de-
tection performance. Taking P
fa
=0.1% as an example,
the P
d
-value is raised from 30% to 45% (PMF) and
even 60% (OPD, PSD).
Finally, we look at the -detector (figure 7). As men-
tioned before, using
H
or
V
alone (red, green) does
not perform better than the classical single-channel
detector. However, combining the two as described
above gives rise to superior performance. Cases 2 and
4 from ch.3.2 even perform slightly better than the
common polarimetric detectors (figure 6): for
P
fa
=1% the -detector reaches P
d
=82%, whereas OPD
and PSD remain slightly below 80%.
4. Conclusions
The superiority of polarimetric radar as opposed to
classical single-channel radar for the detection of
small maritime targets has been demonstrated based
on measurements of a swimmer and a small boat.
With its good day/night and adverse weather capabil-
ity in connection with measuring the distance to the
target and its speed, polarimetric radar warrants excel-
lent situational awareness.
References
[1] Carafano, James Jay: Small boats, big worries:
thwarting terrorist attacks from the sea, Back-
grounder No.2041, published by the Heritage
Foundation, June 11, 2007
[2] Schimpf, H., Fuchs, H.-H.: Polarimetric Detec-
tion of Small Maritime Targets , Proc.IRS
2007, pp.379-384, Kln, September 2007
[3] Schimpf, H., Fuchs, H.-H.: A Comparison of
Polarimetric Schemes to detect small Maritime
Targets, NATO-Symposium SET-125 Sensors
and Technology for Defence against Terrorism,
Mannheim, Germany, April 22-25, 2008
[4] Cadzow, J.: Generalized digital matched filter-
ing, Proc. 12th Southeastern Symposium on
System Theory, VA, May 1980, pp.307-312
[5] L.Novak et al.: Studies of target detection al-
gorithms that use polarimetric radar data , AES-
25, pp.150-165, 1989
[6] Gregers-Hansen, V.: A Survey of Radar CFAR
and some new Results, Proc. IRS 2005, pp.235-
243, Berlin, Sept. 6-8, 2005

Figure 6 comparison between 3 polarimetric detec-
tors and the HH single-channel case (in red)

Figure 7 detection performance of the -detector
349
Handling Security relevant Information in the Maritime Domain
with the Security Modeling Technique
Daniel Ley, Fraunhofer FKIE, Germany
Elena Dalinger, Fraunhofer FKIE, Germany
Florian Motz, Fraunhofer FKIE, Germany
Abstract
In the maritime domain activities to enhance the security against terrorist threats were initiated in consequence of
the terrorist attacks of 11
th
September 2001. Since the International Ship and Port Facility Security Code (ISPS
Code) was released in 2004 by the European Union ship owners, harbor operators as well as designated authori-
ties are required to implement the measures according to this regulation. VESPER, a collaborative project (2008-
2011) funded by the German Federal Ministry of Education and Research (BMBF), investigated the security
standards in the maritime domain concerning the international ferry shipping. Among others, VESPER reviewed
the sea- and landside measures and processes to identify optimization recommendations to enhance the security
for passengers and personal in the ferry shipping domain.
One result of the investigations is that the current representation of information in required security plans for
ships and port facilities are insufficient. Thus, on the one hand a prompt and complete implementation of rele-
vant measures in time-critical situations is difficult to achieve. On the other hand, a generation and audit of secu-
rity measures for ships and port facilities is very time-consuming. Therefore, the Security Modeling Technique
(SMT) was developed based on information and design requirements using the Applied Cognitive Work Analysis
(ACWA). SMT intends to support the decision making of security officers as well as the generation and audit of
measures to be established in security plans. In this paper, background, design method and concept of SMT are
presented.

1 Security in the Field of Inter-
national Shipping
1.1 Effects of the Attacks of 9/11
After the terrorist attacks of 11
th
September 2001 se-
curity has become increasingly important on a world-
wide scale. Since then, in the maritime domain exten-
sive activities to increase security were initiated to
avoid serious consequences. For example, a sudden
loss of a large number of human lives, destruction of
material assets, environmental damages, significant
disruptions of transport streams and a possible loss of
confidence in maritime infrastructures can be men-
tioned in this context.
As a consequence, the International Ship and Port Fa-
cility Security Code (ISPS Code; [1]) was released in
2004 by the European Union due to efforts of the In-
ternational Maritime Organization (IMO). In this
code, ship owners, harbor operators as well as desig-
nated authorities are required to conceptualize meas-
ures in form of ship respective port facility security
plans. These security plans are based on risk analyses
for the concerned objects and have to be audited by
corresponding designated authorities. Among others,
contents of security plans are based on a concept de-
fining three security levels. In the everyday operating
procedure level I ensures a minimum of protective
security measures. Additional measures are imple-
mented in level II, which represents situations of
higher risk. Level III becomes effective, when a secu-
rity incident is imminent. To ensure a prompt and
complete implementation of measures roles of Ship
Security Officers (SSO), Port Facility Security Offi-
cers (PFSO) and Company Security Officers (CSO)
are introduced by the ISPS Code.
1.2 The collaborative Project VESPER
VESPER, a collaborative project (2008-2011) funded
by the German Federal Ministry of Education and Re-
search (BMBF), investigated the security standards in
the maritime domain concerning international ferry
shipping, especially regarding roll-on roll-off
processes. Among others, VESPER systematically re-
viewed the sea- and landside measures and processes
to identify optimization recommendations to enhance
the security for passengers and personal in the ferry
shipping domain. Necessary data collection for further
investigations and optimization suggestions was per-
formed by means of analyses of security plans, sur-
350
veys and questionnaires with maritime experts (mas-
ters, security officers, police officers), and a process
analysis during a large-scale security exercise in a
port.
1.3 Problem Formulation
One result of the investigations in VESPER was that
the current representation of information in required
security plans for ships and port facilities are insuffi-
cient. Relevant measures for the different security le-
vels are depicted in terms of tables and continuous
texts in several text passages of a security plan and,
hence, are difficult to readout. Thus, on the one hand
an efficient, prompt and complete implementation of
relevant measures in time-critical situations is difficult
to achieve. On the other hand, a generation and audit
of security measures for ships and port facilities is
very time-consuming. Experts confirmed this weak
point concerning information management in inter-
views. In addition, the evaluation of the process anal-
ysis during a large-scale security exercise provided
additive evidence.
Hence, the representation and handling of security re-
levant information in security plans had to be im-
proved. In this way decision making of security offic-
ers regarding the implementation of different security
levels should be supported. The Applied Cognitive
Work Analysis (ACWA) was used to develop an anal-
ysis and presentation method, called Security Model-
ing Technique (SMT; [2], [3]).
2 Development of the Security
Modeling Technique (SMT)
2.1 Applied Cognitive Work Analysis
(ACWA)
In order to develop a modeling technique for support
of decision making processes of security officers,
first, an analysis of the work domain maritime secu-
rity was performed. To choose the appropriate me-
thod to describe the work domain different analysis
techniques were compared. The traditional task analy-
sis methods focus on what operators do and what
tasks must be fulfilled and provide descriptions of
task sequences ([4], [5]). To account for factors like
unanticipated events, dynamic changes of a situation,
and real-time reactions to these changes, methods are
required, which examine human cognitive processes
and therefore help to understand how experts make
decisions, what knowledge and strategies they use.
Thus, methods of Cognitive Systems Engineering
(CSE) were considered as suitable. CSE is a design
framework which focuses on analysis of cognitive
demands of operators ([6], [7]). The Applied Cogni-
tive Work Analysis (ACWA) is a CSE approach for
the analysis, design and evaluation of complex sys-
tems and interfaces. Primarily, ACWA is conducted
for the design of user interfaces for effective decision
support [8]. Since the ACWA process comprises the
identification of decisions that operators must make
and the identification of visualization concepts for de-
cision aiding, this methodology can be also used to
design any other form of decision support. Thus, we
applied it to develop a technique to support decision
maker, which is based on effective information visua-
lization.
ACWA comprises the following process steps ([9],
see Figure 1):
A Functional Abstraction Network (FAN) is de-
veloped which is a decomposition of the investi-
gated work domain and represents the functional
relationships between the domain elements. The
FAN is a multi-level representation, where each
node depicts a goal and links depict supporting
connections. Each goal has a process providing a
description how to achieve this goal. Processes
define supporting functions for achieving the
goals in the hierarchal level above.
Cognitive demands which arise in the domain and
need support Cognitive Work Requirements
(CWR) or decision requirements are identified.
The FAN provides a basis for the definition of
CWR. The decision requirements are to be de-
fined for each goal node in the FAN. This ensures
an understanding what decisions are to be made
to achieve the goals.
Information/Relationship Requirements (IRR) for
effective decision-making are identified: Factors
which are essential for decision making have
been identified with the CWR and, therefore, the
context for information requirements is provided.
Representation Design Requirements (RDR) are
identified which define how the information
should be represented. The decision-aiding con-
cepts made on the basis of the information re-
quirements ensure a consideration of human per-
ception and cognition. Appropriate information
visualizations can improve information
processing and thus the process of decision mak-
ing.
Representation requirements into a powerful vi-
sualization of the domain context are imple-
mented Presentation Design Concepts (PDC).
The developed visualization concepts provide
hypotheses about effective decision support. In
this step a prototype should be developed to eva-
luate the effectiveness of the new system. The
prototype can help to identify additional decision
and information requirements for decision sup-
port which have been missed in the first steps.
351
Cognitive Work
Requirements
2
Functional
Abstraction
Network
1
Presentation
Design
Concepts
5
Representation
Design
Requirements
4
Information /
Relationship
Requirements
3
G7: Manage
information
about measures
G4: Observe the
progression of
the execution
G3: Implement
measures
G1: Successfully implement
security measures
G2: Identify
relevant
measures
G9: Identify area of interest for
implementation of measures
G5: Make adjustments
to measures
G8: Successfully
manage resources
G6: Maintain
communication
Figure 1: Iterative procedure of the Applied Cogni-
tive Work Analysis (ACWA)
Thus, ACWA is an iterative process (see Figure 1)
which leads in several steps from the analysis of the
demands of the work domain to the identification of
an effective decision-aiding visualization.
2.2 Application of ACWA
In the following the application of ACWA for the de-
sign of a modeling technique is discussed.
Based on collected information a FAN which is the
first step of ACWA (Figure 1) was generated. The rec-
tangles (Figure 2) represent goals, which are organ-
ized hierarchically, links represent supporting connec-
tions from lower-level goals to higher-level goals.
Figure 2: Functional Abstraction Network (FAN)
The higher-level goal is to successfully implement
security measures from a ship security plan when a
change of a security level occurs. The subordinated
goals are to identify appropriate measures for a level
change, to initiate these measures and to control the
accomplishment of measures. The goal of the obser-
vation process is to determine, whether the implemen-
tation of measures is working as intended, and
whether the situation has changed or not. The obser-
vation should proceed continuously to assure the noti-
fication of failures. It will be possible to make ad-
justments to measures in sufficient time if something
goes wrong, the implemented measures fail, or
changes in the situation are identified.
Information about measures has to be managed,
which is a supporting goal for the measure adjust-
ments as well as the identification of relevant meas-
ures. Communication plays an important role in gain-
ing and forwarding information. One needs to provide
the information of the incident to responsible person-
nel on board and receive the responses.
Maintenance of communication supports the imple-
mentation and observation of execution of measures.
On the other hand communication maintenance and
implementation of measures are achieved through a
successful management of resources. Before the ini-
tiation of countermeasures it is essential to determine
whether the resources (including personnel and
equipment) necessary to fulfil the measures are avail-
able or adequate. Finally, the identification of the area
of interest is necessary for supporting the identifica-
tion of relevant measures and the management of in-
formation as well as resources.
In the following the further steps of ACWA are exem-
plarily presented for the goal Successfully manage
resources (G8).
CWR:
Select operator necessary to fulfill tasks,
Assign operator to area,
Select technical resources necessary to fulfill
tasks,
Allocate technical resources necessary to fulfill
tasks.
IRR:
Assignment of operators to measures,
Necessary means/tools,
Assignment of technical resources to measures,

RDR:
Integrate operator labels in measure shapes,
Separated representation of means/tools,
Connection of technical resources with appropri-
ate measures of a security level,

One of the decisions to be made is the assignment of
an operator and technical resources to the relevant
area. The information on their assignment to measures
in certain areas should be provided. Visualizations
like presentations of connections between associated
resources and measures support the decision maker.
The next step of ACWA is the development of presen-
tation design concepts and their prototypical imple-
mentation.
352
Figure 3: Exemplary simplified SMT model of a

2.3 SMT Presentation Design Co
In this section the presentation design concept
SMT evolved by the application of
duced. The design is based on five modeling sections.
The overall quantity of model compon
five sections has been minimized in order to e
simple generation and application
Numbers in brackets refer to those in F
represents a simplified SMT model of a
2.2.1 Modeling of Security Levels
Since measures of security plans are based on a co
cept defining three security levels, the SMT provides
a user-friendly intuitive way to represent and to di
tinguish levels. Level I is green-colored, level II ye
low-colored and level III red-colored.
curity levels are identifiable through Roman nume
als. In this way, relevant measures and other
information can be quickly recognized and selected.
Colored components are activities (
and contact points (6).
2.2.2 Modeling of Areas
Spatial conditions can be modeled
components for port facilities and ships (
be adopted in form and size to illustrate the real sp
tial conditions. By integrating port facility and ship
shapes in one SMT model, the interaction
them can be modeled. This circumstance is often ne
lected in security plans and even in the ISPS regul
tion. In reality, ships and port facilities
ordinated areas, distinguished in permitted and r
stricted areas (white-colored resp.
Persons as passengers have only access to pe
areas like passenger decks. Restricted areas
ships bridge are only accessible by, e.g., the ships
SMT model of a vessel with related interfaces to a port facility
Presentation Design Concepts
In this section the presentation design concepts of the
application of ACWA is intro-
is based on five modeling sections.
quantity of model components in these
has been minimized in order to ensure a
and application of SMT models.
Numbers in brackets refer to those in Figure 3 which
SMT model of a vessel.
2.2.1 Modeling of Security Levels
measures of security plans are based on a con-
cept defining three security levels, the SMT provides
friendly intuitive way to represent and to dis-
colored, level II yel-
colored. In addition, se-
curity levels are identifiable through Roman numer-
his way, relevant measures and other
information can be quickly recognized and selected.
are activities (3), resources (4)
can be modeled by means of area
components for port facilities and ships (1). These can
be adopted in form and size to illustrate the real spa-
tial conditions. By integrating port facility and ship
shapes in one SMT model, the interaction between
them can be modeled. This circumstance is often neg-
lected in security plans and even in the ISPS regula-
tion. In reality, ships and port facilities consist of sub-
ordinated areas, distinguished in permitted and re-
colored resp. grey-colored, 2).
ersons as passengers have only access to permitted
estricted areas like the
are only accessible by, e.g., the ships
crew or security staff. By arranging areas
ing to real conditions associated measures are intu
tively and quickly ascertainable
2.2.3 Modeling of Measures
Each security measure is allocated to
and a specific security level. Therefore, activity co
ponents were developed (3). An activity comp
arranged as follows (see Figure 4
for the area for which measures
a responsible operator is announced
the shape is divided into colou
ing the three security levels for the inserti
cific measures. Checkboxes allow the marking of i
plemented measures.
Placing an activity component o
component means an implementation of access rel
vant measures (3, right component). Placing an activ
ty component inside an area means an implementation
of measures carried out within the corre
(3, left component).
Figure 4: Activity component with allocated resource
component
In order to support the management of measure r
lated means (like additional security st
ment) resource components can be linked with speci
aces to a port facility
ranging areas correspond-
ssociated measures are intui-
ascertainable.
ures
Each security measure is allocated to a specific area
Therefore, activity com-
An activity component is
see Figure 4): Top left is a label
for the area for which measures are applied. Top right
is announced. Apart from that
ured sections represent-
for the insertion of spe-
cific measures. Checkboxes allow the marking of im-
Placing an activity component on the edge of an area
component means an implementation of access rele-
vant measures (3, right component). Placing an activi-
area means an implementation
of measures carried out within the corresponding area
Activity component with allocated resource
In order to support the management of measure re-
(like additional security staff or equip-
resource components can be linked with specif-
353
ic measures (4; see also resource component for secu-
rity level II in Figure 4). By visualizing resources out
of activity components, the necessary requirements to
conduct a measure are more obvious to the SMT
model user. In addition, this simplifies a reassignment
of resources in unforeseen and time-critical situations.
2.2.4 Modeling of Processes
Various access controls of, e.g., passengers, are often
conducted in a specific order. This order constitutes
an access path which is determined and, hence, inva-
riant. Such access or control procedures can be de-
picted in SMT models by means of process modeling
(5). For this purpose, arrows are used to connect ac-
tivity components. Start and stop circles represent the
beginning and end of a process. Such processes can
cross several permitted and/or restricted areas and
even interfaces between ships and/or port facilities.
The advantage for security officers is a possible quick
identification of measures in chronological order and,
thus, an efficient way to coordinate involved measures
and resources.
2.2.5 Modeling of Communication
Communication represents a significant role for han-
dling security relevant situations. Tasks like informing
authorities and coordinating measures are essential to
achieve the goal of obtaining or retrieving security.
Therefore, contact points (6, circle) can be integrated
in SMT models which contain information like rele-
vant persons or institutions and their reachability.
Contact points can be connected with each other, ac-
tivity components or specific measures. Connections
(6, dashed arrow) represent given communication
paths and can be supplemented by communication
tools.
2.2.6 Further Modeling Components
Beside the five described modeling sections, two fur-
ther components are determined.
Firstly, giving individual hints and other additional
information is most often necessary for specific con-
ditions. To correspond to this requirement, explana-
tion components were developed (7). Explanations
can be added at arbitrary positions in a SMT model.
Secondly, possible affiliations of different compo-
nents can be visualized by a group component. This
supports recognition of, e.g., content related measures
in different activity components for a clarity im-
provement.
3 Summary and Future Work
Within the collaborative project VESPER existing se-
curity standards in the maritime domain concerning
international ferry shipping were investigated. One of
the results was that the current representation of in-
formation in claimed security plans for ships and port
facilities are insufficient. By generating a functional
model of the work domain of maritime security and
by defining information and design requirements by
means of ACWA, a new analysis and presentation me-
thod, called Security Modeling Technique (SMT), was
developed to counteract identified deficiencies. Re-
sulting models of ships and port facilities support se-
curity officers in decision making during the imple-
mentation of measures and resource management in
case of a security level change. Models focus on an
efficient representation of security plan information.
They are based on five modeling sections: security
level dependent colors, measures and resources,
processes, communication and areas. Currently, a
SMT editor is under development to ensure a user-
friendly model generation. The editor includes a con-
trol function to prevent oblivion of measures.
However, the application of SMT is not limited to
ferry shipping. Since other transport carriers like con-
tainer vessels or tankers are also committed to intro-
duce security plans, SMT is applicable in the entire
international shipping. So far, the benefit of using
SMT models is confirmed not only by German ex-
perts like designated authorities and shipping compa-
nies but also by delegates of the European Commis-
sion.
Acknowledgement
The authors would like to thank the Federal Police
Office Schleswig-Holstein (Dept. 43 Maritime Se-
curity, Kiel, Germany) and the shipping companies
Scandlines Deutschland GmbH (Rostock, Germany)
and TT-Line GmbH und Co. KG (Lbeck-
Travemnde, Germany), partners of the collaborative
project VESPER, who dedicatedly participated in the
development of SMT.
References
[1] Regulation (EC) No 725/2004 of the European
Parliament and of the Council of 31 March 2004
on enhancing ship and port facility security. Of-
ficial Journal L 129 of 29.04.2004
[2] Ley, D., Dalinger, E.: Entwicklung einer Secu-
rity-Modellierungstechnik zur Entscheidungsun-
tersttzung in der Fhrschifffahrt, USEWARE
2010: 5. VDI Fachtagung. Grundlagen Metho-
den Technologien, Baden-Baden, 2010.
[3] Ley, D., Dalinger, E.: Security Modeling Tech-
nique: Visualizing Information of Security
Plans, in A. Weintrit (ed.): International Re-
cent Issues about ECDIS, e-Navigation and
Safety at Sea, London: Taylor & Francis, 2011.
354
[4] Annett, J.: Hierarchical Task Analysis, in D.
Diaper & N. Stanton (eds.): The Handbook of
Task Analysis for Human-Computer Interac-
tion, 67-82. Mahwah, New Jersey: Erlbaum,
2004.
[5] Kirwan, B., Ainsworth, L. K.: A Guide to Task
Analysis, London: Taylor & Francis, 1992.
[6] Crandall, B., Klein, G., Hoffman, R.R.: Work-
ing Minds: A Practitioners Guide to Cognitive
Task Analysis, Cambridge, MA: MIT Press,
2006.
[7] Rasmussen, J., Pejtersen, A.M., Goodstein, L.P.:
Cognitive Systems Engineering, New York:
Wiley, 1994.
[8] Dalinger, E., Motz, F.: Designing a decision
support system for maritime security incident re-
sponse, in O. Turan, J. Boss, J. Stark, J.L.
Colwell (eds.): Proceedings of International
Conference on Human Performance at Sea,
2010.
[9] Elm, W., Potter, S., Gualtieri, J., Roth, E., Easter,
J.: Applied cognitive work analysis: a prag-
matic methodology for designing revolutionary
cognitive affordances, in E. Hollnagel (ed.):
Handbook for Cognitive Task Design, Lon-
don: Lawrence Erlbaum Associates, 2003.
355

New Challenges for Maritime Safety and Security Training
Presentation of a specific Safety & Security Trainer (SST
7
)

Christoph Felsenstein
Capt. Dr. Ing. Hochschule Wismar Dept. of Maritime Studies / MSCW
christoph.felsenstein@hs-wismar.de
Knud Benedict
Prof. Dr. Ing. habil. Hochschule Wismar Dept. of Maritime Studies / MSCW
knud.benedict@hs-wismar.de
Michael Baldauf
Prof. Dr. Ing. World Maritime University Malmoe Sweden
mbf@wmu.se
Abstract
Emergency Response, Crew Resource and Crisis Management are some of the most important parts in educating
nautical officers and engineers. The STCW Manila Amendments [7] coming into force on 01st January 2012
reflect a major priority of training ships officers and crew with sufficient skills and appropriate procedures to
provide adequate protection and ensure the safety of all passengers and crew especially on ferries and cruise
ships. The best way to gain experience and necessary skills are practice runs on specially designed simulators.
Simulators have proved beneficial for ship handling training in real time on well equipped bridges throughout
the last decades. A new type of simulator has been developed for training and research aspects of Maritime
Safety and Security. Wismar University has been involved in the conceptual design and development of this new
technology produced by Rheinmetall Defence Electronics (RDE) in Bremen. The Maritime Simulation Centre
Warnemnde (MSCW) is one of the most modern simulation centre worldwide providing a full mission Ship
Handling Simulator (SHS with 4 bridges), Ship Engine Simulator (SES) and Vessel Traffic Services Simulator
(VTSS). This centre has recently been equipped with a new type of simulator called the Safety and Security
Trainer (SST).
Apart from existing regulations as e.g. SOLAS, STCW, ISM, ISPS it is essential to recognize the permanent
process of change and development and the necessity of upgrading precautionary measures against terrorism
both in port and on board vessels. Training human mental attitudes and motivation is vital to create a permanent
underlying security culture.
The SST simulator, newly designed for 3D visualisation and certified by Det Norske Veritas, is a procedure
trainer and enables officers and crew to move around inside the vessel using all safety equipment and available
emergency systems on board. It can be activated by interactive consoles on bridge and in engine control room.
The training can be carried out on basic, advanced or management level according to the scenarios created as
well as the specific objectives. The most challenging innovations in the development are complete models of
several types of 3D-designed vessels, a RoPax ferry and a 4500 TEU Container vessel already operable and a
Passenger Vessel in planning for the SST simulation system for stand alone developed scenarios and in
integrated mode, together with the SHS. Further an integrated Decision Support System (MADRAS) was
interfaced with the SST (one work station on bridge) and assists officers in coping with safety and security
challenges during manoeuvres. Functional tests of the existing system are running successfully and first practise
courses have been carried out in the simulation centre and aboard the vessels.
A new level of quality in simulation has been achieved at the MSCW. This innovative and enhanced simulation
facility allows for in deep study of the effects of the safety and security plans and procedures on board and
enables more detailed evaluation of effectiveness under various conditions and courses of events by a catalogue
of different simulation runs.
1 Introduction - Research Project
VeSPer and SST
1.1 Elements of the Research Project VeSPer
The research project "VeSPer" is dedicated to the
"Enhancement of passengers' safety on RoRo-Pax-
ferries" and was designed thanks to various initiatives
from the German government such as "Research for
civil safety" and specifically "Protection of traffic
infrastructures". The project is supported by the
Ministry of Education and Research, under the aegis
of the Technology Centre Dsseldorf (VDI).
Structure, content and methods of the project are
shown in Figure 1.

356

Entrance checks

Shore-side monitoring of ships in
ports by use of VTS and enhanced
port monitoring systems
Risk-based Scenarios

Ports and ship embarkings Safety and security on board ships
Process analysis
Analysis of requirements and application of IMOs ISPS-Code
Assistance and Decision-support
systems
Catalogue of requirements
experimental systems draft
Measures on board (organisational
and constructive)
Monitoring Sea area with extended
VTS capacities

Figure 1 Research project "Enhancement of passengers' safety on RoRo-Pax-ferries" -structure, content, methods

The focus of investigations within the project
"VeSPer" is laid on
- check-in procedures to increase the safety
level for entrances to ferry ships and ports
- preventive measures on board (constructive
and administrative)
- Sea side protection of ships in ports as well
as in open sea when sailing
- investigations into potential improvement of
measures in the case of a crisis
The analysis and investigations deal with subjects
such as
- use and optimisation of monitoring and
detection systems
- aspects of potential integration of decision
support systems on board ships
- identification of potential for optimisation of
processes and measures/procedures including
the integration of new innovative
technologies and
Bug-Bereich
(WLAN, GPS, Batterie
Spot, Kamera, ex. IF)
(FLS, Nav.)
Payload-Bereich
(SSS, Guidance Computer, inertial Nav.)
Heck-Bereich (Propulsion, FOC Link)
nge 2 m
eite 0,5 m
he 0,62 m
wicht 112 kg
yload
Side Scan Sonar (Edge Tech 900 kHz)
Forward Looking Sonar (Tritech)
ax. Geschwind. 5 Kn
ax. Einsatztiefe 300 m
sdauer Ca. 3 Std. (Lithium Polymer, 1 kWh)
@2 -3 Kn
SeaWolf HP AUV Version
Entwicklung, Integration und Test
2007 2008
357

- consideration and application of rules and
regulations according to national and
international law
Aims and structure of the overall project are given in
the Figure 1. With reference to risk based scenarios in
ports and on board the vessels following
investigations are processed
- Process Analysis from entering the port,
including booking and check in procedures,
on approaching access to the vessel and
access of embarkation
- Process Analysis on board the vessel from
embarkation/departure until
arrival/disembarkation
- Analysis of the ISPS Code and measures for
the full integrated application on board
- Measurements for improved processes on
board and access to the vessels and
developing new security technologies and
procedures
- Development of a support decision system
for emergency measures on board the vessel
in case of safety and/or security casualties
The Diplomatic Conference on Maritime Security in
London in December 2002 adopted new provisions in
the International Convention for the Safety of Life at
Sea, 1974 and the International Code for the Security
of Ships and of Port Facilities - ISPS Code, which
came into force 01st July 2004. The Code is in two
parts, Part A which is mandatory and Part B which is
recommended. The minimum requirements for ships
respectively ports are ship (port facility) security
assessment, ship (port facility) security plans in ports
and on board the vessels and certain security
equipment. Apart from existing regulations it is very
important to recognize the importance of permanent
process in changing and developing precautions and
measures implemented to fight terrorism in port and
on board the vessel. Human mental attitudes and
motivation are important and necessary for to creating
a general atmosphere of security culture.
Accept security comprised:
Apply risk management
Contemporary security knowledge
Create security culture
Enhance policies and procedures
Protective measure
Training commitment

Figure 2 Co-operation between HSW and shipping companies- - Scandlines (VeSPer) left) - TT-Line (VeSPer) - right)
1.2 Initial version of Safety and Security Trainer
SST and Overall Concept
From the very beginning of the VeSPer project in
2008 it was planned to use the Safety and Security
Trainer (SST) which was available as a basic version
in the design of 2D-presentation at the Department of
Maritime Studies of Hochschule Wismar at that time
[1][6]. It has been used for student lectures and
courses for shipping companies; this simulator
supports specifically the training of management level
personnel. Each station consists of two monitors. One
screen is called Situation Monitor and the other is
named Action Monitor. The workplace, comprises the
instructor console and two to sixteen stations,
provides full equipment for comprehensive safety and
security training. The trainee can freely move through
all rooms and decks, previously only in birds eye
view. The environment is shown on the situation
monitor; the operation of equipment is to be done on
the action monitor. The most important characteristic
of the simulator is its physical model for the
processes:
A fire model is incorporated into the simulator and
calculates the fire propagation according to flammable
materials and gives obvious realistic effects for easy
perception by trainees. A modern fire alarm
management system with smoke detectors and manual
calling points is built into the interior of the ship and
easily flammable materials are protected by fire
resistant A60 walls and doors. The fire model
includes smoke visualisation and a fire fighting
system and equipment such as fire extinguishers,
water hoses and hydrants, breathing apparatus, CO2
systems and foam. This enables the trainee to simulate
a realistic fire fighting situation on board and interact
with supporting teams as well as the management
358

team on the bridge and in the engine room. During the
simulation the persons health condition is monitored
in relation to oxygen, smoke, temperature and other
health influencing parameters and the measurements
are monitored in diagrams.
One feature of the simulation system is a model
calculating water inrush and its influence to the
stability of the ship. A ballast system is implemented
and can be used during simulation of an emergency
instance to help stabilize the ship. The trim and
stability calculator is used to predict the effect of a
water inrush and show the stability, bending moments
and share forces. Water tight doors are built into the
modelled vessel. The ballast and stability measuring
system is implemented in the simulator, which
enables the trainee to take countermeasures.
2 Specific Simulation features for the
Research Project VeSPer
2.1 Integration of innovative 3D-visual model of
SST
During the project it turned out that it would
beneficiary to implement new features for safety and
security measures and to take advantage from new
technologies like game engines and 3D-modelling
capabilities. One of the most challenging innovations
developed during the research project is the
improvement and further development of the Safety
and Security Trainer, specifically the implementation
of the 3D-designed RoPax ferry Mecklenburg-
Vorpommern (Figure 2) due to the strong ties
between the Hochschule Wismar and the industry.
The first step was to develop an application of the
ship plans which were intricately realised in a 3D
Studio Max version for test trials of the spectacular
3D-visualisation of the entire vessel. All decks of the
RoPax ferry are now available in the 3D-version and
integrated along with the dynamic safety equipment
into the games engine by RDE. Functional tests of the
developed system are in progress and already running
successfully. Figure 3 and Figure 4 show the 3D
visualisation of decks and public areas of the ferry.

Figure 3 Deck 6 (left) and 9 (right) of the RoPax ferry in 3D visualisation

Figure 4 Public areas of the RoPax ferry in 3D visualisation
2.2 Safety and Security Components in the 3D
Visualisation Model
In contrast to the 2D model, where the strategic
Figure is guided through the decks, now the trainee in
the 3D model moves and reacts from his own
perspective and can operate the entire spectrum of
safety equipment on board the vessel. In the case of
fire he activates the alarm from the next manual
calling point. According to the safety procedure on
board, and after the release of the fire alarm from the
bridge, the fire squad team (each trainee with specific
role) will operate the fire fighting equipment
including the breathing apparatus, fire protection
suits, fire extinguishers, fire hoses and other tools
(Figure 5).
359

Figure 5 Crew in action with fire fighting equipment in lounge and car deck of RoPax ferry
On the bridge and in the engine control room
(Figure 6) all the operational consoles including;
steering panel, fire panel, alarm panel, ballast- and
stability panel and the water drenching system, are
designed to a generic model and can be integrated on
other designed vessels as well. All consoles and
panels on the bridge and in the ECR correspond to the
integrated sensors placed all over the vessel. The
Master and officers operate an interactive board
system and can be trained in a wide spectrum
focusing on safety and security procedures.

Figure 6 Interactive consoles on Bridge and in Engine Control Room
In the 3D visualisation model the concept of fire- and
water inrush model has been completely revised. For
both, the fire and water inrush model a physical model
has been developed and integrated into the system
reflecting the components and spread of the fire
according to the specification and quantity of burning
material. Also the revised stability model has been
integrated for the specific RoPax vessel including an
operable Ballast system for filling-and de-ballasting
actions and counter-measures (Figure 7 and Figure 8).

Figure 7 Fire model M/V Flash Over

Figure 8 Water inrush model M/V

360

Figure 9 Graphic display with selection of components (6 components per cell)
On the graphic display (available at the instructor
work station) a number of parameter, e.g. fire,
temperature, oxygen, CO
2
and other parameter can be
selected for the actual run of exercise and the values
and parameter-development are shown on the graphic
display. The scenario can be stored and presented in
the replay mode at the end of simulation to the trainee
for evaluation and assessment (Figure 9). In addition,
the security components can be practised on the new
simulator. For example the RFID based appliance,
which is integrated into the SST bridge station,
enables the officer to observe the movement of
persons on board. In all security declared areas the
doors are locked and the areas are accessible only by
entering the specific code into the lock system beside
the doors. On all decks cameras are installed and can
be monitored from the bridge station. The camera
view can be changed and adjusted by the instructor. In
the case of a bomb alert the crew can investigate the
affected area with a bomb detector. On approaching
any dangerous object, the detector sounds alarm.
Figure 10 shows a crewmember crawling in the
direction of a suspicious suitcase. When the bomb has
been identified the dangerous object can be removed
with a new remote controlled defence system called
TELEMAX developed by German Company
TELEROB [5]. This multipurpose vehicle can be used
to detect and approach any suspicious objects from a
safe distance using the remote control. The threat of
gas attack has also been integrated into the simulation
system. In this kind of a threat the crew could
approach the affected area wearing protection suits
and breathing apparatus and can undertake all
appropriate measures, i.e. for ventilation and
evacuation of passengers.

Figure 10 Bomb search in the lounge and removal of suspicious object by TELEMAX
2.3 Workplace Concept of Safety- and Security
Trainer (SST)
10 stations are installed in the MSCW, eight training
stations (one of the stations on the SHS Bridge 1) and
two instructor consoles as well as one communication
computer system and another computer for a new
support and decision system called MADRAS. Each
station consists of Situation and Action Monitor is
equipped with head phones/microphone for
communication. The workplace concept provides full
equipment for comprehensive safety and security
training (Figure 11).
361

Figure 11 One Instructor and several stations for training with the SST

simulator
3 Support and Decision System
MADRAS
The simulation platform includes a new support and
decision system called MADRAS. This system was
designed by MARSIG mbH Rostock and especially
tailored for the SST and the simulated RoPax Ferry
Mecklenburg-Vorpommern. The MADRAS
computer is linked to the mars simulator and receives
the sensor data from the SST. The control module
selection contains the following elements for
automatic survey; FIRE, EXPLOSIVES, SECURITY,
EVACUATION, GROUNDING and FLOODING. In
the event of any sensor alarm the Madras menu opens
and displays the affected deck/area with the activated
alarm sensor. The following menus can be selected:
MONITORING list of all existing sensors,
grouped in different types and presenting the
actual data of sensors
DECISION SUPPORT recommendation
structure and decision advise in specific
safety- and security issues including
necessary procedures

OVERVIEW deck overview displaying all
installed sensors and highlighting the
activated ones including diagrams
DEVICE CONTROL list of all sensors
according to type, location, showing
maximum and minimum values and the
adjustable alarm level
PROTOCOL CHECK date and time of
sensor activation, location loop of sensors,
duration of alarm, values of alarm and time
record for reset
CONTROL menu for sensor connections,
support manager, value input, extended
functions and system options
MADRAS is an interactive system and a helpful tool
for Master/officers in critical situations. The system
guides the officer through all necessary choices and
helps in finding the correct emergency procedures.
This helps to avoid dangerous mistakes and ensures
not missing any steps imperative for the safety of the
vessel. See MADRAS Figure 12 Overview Deck
and Figure 13 decision support for security
measures. MADRAS was recently installed into the
SST. Test trials are running successfully.

Figure 12 MADRAS Overview of deck and installed sensors, diagram of activated sensor
362

Figure 13 MADRAS - decision support for security measures
4 Integration of SST into the MSCW
for complex scenario training
The new simulator, implemented as Safety and
Security Trainer SST, was designed by the
manufacturer Rheinmetall Defence Electronics
Bremen in co-operation with Hochschule Wismar,
Department of Maritime Studies ([2] to [4]). The
simulator can specifically be used for stand alone and
for integrated training with the MSCW. The complex
simulation platform Figure 14 with several full
mission simulators enables the department to simulate
the entire system ship with the maritime
environment including VTS and offers challenges to
officers and crew on board the vessels
(http://www.sf.hs-wismar.de/mscw/)[8].
The simulator arrangement (MSCW) comprises
already Ship Handling Simulator SHS with for 4 Full
Mission bridges and 8 Part Task Bridges, Ship Engine
Simulator SES with 12 Part Task station and Vessel
Traffic Services Simulator VTSS with 9 operator
consoles (Figure 14). 10 SST-stations are being
additionally installed in the MSCW this year
(Figure 15): eight training stations (one of the stations
on the SHS Bridge 1) and two instructor consoles as
well as one communication computer system and
another computer for the new support and decision
system MADRAS.

Figure 14 Overview on MSCW (left), Bridge 1 of SHS with new Displays of Bridge Safety & Security Centre of SST and
MADRAS Decision Support System (right top) and Training room of new Safety & Security Trainer of SST (right bottom)
363

Figure 15 Simulation Centre Warnemnde (MSCW) structure and interfacing network with new SST
Each station (with head phones or microphone for communication) consists of two monitors used as Situation
Monitor and Action Monitor. Complex scenarios can be developed and trained as for example in Figure 16.
1. SST - Scenario 3D - MECK-POM - Fire in Lounge Deck 7
Objective: Fire Fighting and Training Procedures in case of fire event
Initial Parameter: 3 Fire Cells Lounge activated - wood material, quantity 20kos
Capt., Ch.Off., 02nd Off. on bridge, 03rd Off. in lounge with BA, 2 Passengers in lounge
Ch.Eng., 01st Eng., 03rd Eng. (ECR), 2nd Eng. (Boats Deck)
1. SST - Scenario 3D - MECK-POM - Fire in Lounge Deck 7
Objective: Fire Fighting and Training Procedures in case of fire event
Initial Parameter: 3 Fire Cells Lounge activated - wood material, quantity 20kos
Capt., Ch.Off., 02nd Off. on bridge, 03rd Off. in lounge with BA, 2 Passengers in lounge
2. SST - Scenario 3D - MECK-POM - Gas Attack Lounge Deck 7
Objective: Precaution Meausures and Procedures in the event of gas attack
Initial Parameter: Lounge selected under parameter for gas attack - selected gas "Sarin"
Capt., Ch.Off., 02nd Off. on bridge, 03rd Off. located in front of lounge, equipped with HPS and BA.
2. SST - Scenario 3D - MECK-POM - Gas Attack Lounge Deck 7
Objective: Precaution Meausures and Procedures in the event of gas attack
Initial Parameter: Lounge selected under parameter for gas attack - selected gas "Sarin"
3. SST - Scenario 3D - MECK-POM - Bomb Alarm Lounge Deck 7
Objective: Precaution meausures and procedures in the event of bomb alarm
Initial Parameter: Lounge selected under Parameter for bomb alarm - suitcase with explosive placed in
lounge
3. SST - Scenario 3D - MECK-POM - Bomb Alarm Lounge Deck 7
Objective: Precaution meausures and procedures in the event of bomb alarm
Initial Parameter: Lounge selected under Parameter for bomb alarm - suitcase with explosive placed in
lounge

Figure 16 Sample scenarios for interfacing ship handling simulator with new Safety & Security trainer SST
364

5 CONCLUSIONS AND
ACKNOWLEDGEMENTS
Within the frame of investigations into potential
enhancements of maritime safety and security the use
of simulation facilities were investigated. The Safety
and Security Trainer is a new product developed by
Rheinmetall Defence Electronics (RDE) Bremen in
co-operation with the Wismar University, Department
of Maritime Studies in Rostock-Warnemuende. It can
be operated in a standalone version for up to eight
training stations and could be extended to include the
training of the entire crew. The SST is also designed
for integration into complex systems and was
interfaced now with the existing ship handling
simulator SHS of the MSCW for training of
comprehensive scenarios in combination with the
SHS, SES und VTS. The complex simulation
platform with the full mission simulators enables the
trainees to simulate the entire ship system and
presents challenges to both officers and crew. A new
quality of scenarios can be generated now for the
comprehensive training of ship officers. On the other
hand this new and enhanced simulation facility allows
for in depth studies of the effects of ships safety
procedures and to evaluate their efficiency.
The investigations and developments described here
are mainly performed in a project for research and
technical development funded by the German
Ministry of Education and Research Berlin and
surveyed by VDI Technology Centre Dsseldorf.
During the project also cooperation were established
with World Maritime University. This cooperation
covers e.g. aspects of international harmonisation of
training requirements and standards. The authors
would like to thank Rheinmetall Defence GmbH as
well as the company AIDA Cruises Ltd and the
involved ferry companies TT-Line and Scandlines for
their grateful assistance and cooperation.

6 References
[1] Sauer, T.: Contribution to Improvement of
Safety & Security Trainer by user friendly
Modeling of ships using Cruise Liner
AIDAdiva. Diploma Thesis at Dept. of Maritime
Studies of Hochschule Wismar, June 2008
[2] Meyer, V.; Benedict, K.: Maritime safety and
security environment mars - a unique way to
make Ship operation safer. Paper IMSF
Conference 2007, August 20-24 2007 Busan /
Korea
[3] Benedict, K.: Integrated Operation of Bridge-,
Engine Room- and VTS-Simulators in the
Maritime Simulation Centre Warnemuende.
Conference on Simulation CAORF / JSACC
2000, New York, 3-7 July 2000, Proceedings
Vol. 1.
[4] Oesterle, A. (2007): The new Simulator Safety
and Security Trainer mars and its use
training (in German) in: Moderne Konzepte in
Schiffsfhrung und Schifffahrt. Schriftenreihe
des Schiffahrtsinstituts, Rostock, 2007, Vol. 7.
[5] TELEROB GmbH, Vogelsangstr.8, D-73760
Ostfildern, www.telerob.de
[6] Benedict K., Felsenstein C., Tuschling G.,
Baldauf M., Sauer, T.: New Approach for
Safety and Security Training in Simulators.
IAMU 9th Annual General Assembly and
Conference of the IAMU, San Francisco,
California USA October 19-22, 2008 Proceedings
p.1-17
[7] IMO (2010) STCW/Conf.2: Adoption of the
final Act and any Instruments, Resolutions
and Recommendations resulting from the
Work of the Conference. The Manila
Amendments to the Seafarers Training,
Certification and Watchkeeping (STCW) Code,
2010
[8] Felsenstein, Ch.; Benedict, K. and Baldauf, M.,
Development of a Simulation Environment for
Training and Research in Maritime Safety and
Security. Journal of Marine Technology and
Environment, Editura Nautica 3(2) 2010: pp. 77-
89

365
Psychosocial Support for Civil Protection Forces Coping with
CBRN An EU-Project
Barbara Blanckmeister (PhD), German Federal Agency for Technical Relief, Germany
Claudia Schorr, German Federal Agency for Technical Relief, Germany
Abstract
Civil protection forces deployed in disaster response operations under CBRN conditions are exposed to addi-
tional risks and pressures that may constitute a heavy psychological strain. The same applies to hospital staff
having to deal with CBRN incidents. Nevertheless, integrating psychosocial crisis management for civil protec-
tion forces and hospital staff into the regular training program of civil protection organisations or hospitals is
not yet very common across Europe. In the framework of the EU-co-financed Project Psychosocial Support for
Civil Protection Forces Coping with CBRN Incidents, four partner organizations from Germany, the Nether-
lands and Spain have joint forces to address this perceived deficit. To this end, the project consortium will de-
velop and test a training program for operational forces (including volunteers) and hospital staff. The key objec-
tive of the project is to enable these two target groups to cope with CBRN incidents - and that also in the mid
and longer-term after exposure to such conditions.
1 Project rationale
The risk regarding CBRN situations has increased
over the last years in almost all EU Member States.
Civil protection forces deployed in disaster response
operations under CBRN conditions are exposed to
additional risks and pressures that may constitute a
heavy psychological strain. Nevertheless, integrating
psychosocial crisis management for civil protection
forces and hospital staff into the regular training pro-
gram of civil protection organisations or hospitals is
not yet very common across Europe.
Experiences made so far suggest, however, that the
adequate use of insights regarding psychosocial sup-
port helps to facilitate crisis management and re-
sponse in several respects by:
1. enabling the responders to cope competently
with highly difficult and unfamiliar opera-
tions such as CBRN incidents,
2. avoiding long term effects of psychosocial
stress,
3. improving the coordination during the mis-
sion,
4. taking care of the basic needs of the affected,
5. fostering the cooperation of the affected, and
6. facilitating a qualified risk and crisis com-
munication.
In the framework of a project co-financed by the
European Commission (DG ECHO / Civil Protec-
tion), four partner organizations from Germany, the
Netherlands and Spain have joint forces to address
the perceived deficit. To this end, the project consor-
tium will develop and test a training program for op-
erational forces (including volunteers) and hospital
staff who have to deal with CBRN incidents. The of-
ficial title of this project is Psychosocial Support for
Civil Protection Forces Coping with CBRN (in short
CBRN Incidents and PSS).
2 Project objective
The key objective of the training courses and the
whole project is to enable civil protection forces and
hospital staff to cope with CBRN incidents - and that
also in the mid and longer-term after exposure to
such conditions. This in turn will help to minimize
the probability that these two target groups develop,
for instance, a post-traumatic stress disorder after ex-
posure to a CBRN incident.
3 The project consortium
Coordinator of the project Psychosocial Support for
Civil Protection Forces Coping with CBRN is the
German Federal Agency for Technical Relief (THW).
The project consortium is composed of the following
organisations:
the German Federal Agency for Technical
Relief (THW)
366
Alexianer Krefeld GmbH, Centre for Psy-
chotraumatology, Germany (CoP)
Stichting Impact, Dutch Knowledge and
Advice Centre for post-disaster psychosocial
care (Impact)
Direccin General de Proteccin Civil y
Emergencias, Minsterio del Interior (the
Civil Protection Department of the Ministry
of the Interior of the Spanish Government)
(DG Civil Protection Spain)
the German Federal Office of Civil Protec-
tion and Disaster Assistance (BBK)
4 The project plan
4.1 Methods and outcomes
The CBRN Incidents and PSS-Project has started
on the 1st of February 2011. During the two-year
term of the project, the training courses to be devel-
oped will be tested twice by pilot groups of civil pro-
tection forces and hospital staff (respectively). The
pilot training courses will be developed on basis of
other (foregoing) deliverables to be produced within
this project, such as a study on the current situation
in the EU Member States regarding CBRN incidents
in the sense of preparedness, response and support
for civil protection forces. This will be done by way
of conducting expert interviews across several EU
Member States.
Besides that, a study on the interface between civil
protection forces and hospital staff as well as inter-
views with hospital personnel will be conducted.
Further outcomes of the CBRN Incidents and PSS-
Project will be the Guidelines on Psychosocial Sup-
port for the Uniformed Services (Impact, 2010)
adapted to the specifics of CBRN incidents, and a cri-
sis management plan for hospitals, again adapted to
the specific scenario of a CBRN incident.
In addition to that, the results gained from two Euro-
pean conferences held in the course of the project will
provide important input for the development and re-
finement of the final training courses.
4.2 Tasks and deliverables
In this section, an overview is given on the tasks and
deliverables to be developed within the CBRN Inci-
dents and PSS-Project. Therein it is also described
how the partner organisation in charge implements
the respective task.
4.2.1 Assessment of the current situation in
the EU Member States
Impact will carry out a quick-scan on the status quo
in the EU Member States concerning preparedness,
response and support for the responders in case of a
CBRN incident. Stichting Impact, the Dutch Knowl-
edge and Advice Centre for post-disaster psychosocial
care will thereto conduct semi-structured expert in-
terviews in several EU Member States.
4.2.2 Modification of the Guidelines on Psy-
chosocial Support for the Uniformed
Services (Impact, 2010) for the CBRN
scenario
In 2010 Impact developed guidelines on psychosocial
support for the uniformed services. In the project
CBRN Incidents and PSS these guidelines will be
adapted to the specific scenario of CBRN incidents.
In general, the impact of these incidents is high be-
cause of the unknown character of the threat, the po-
tentially deadly nature of its impacts and the per-
ceived lack of control. This asks for specific guide-
lines for the support of operational forces (including
volunteers) and hospital staff who respond in these
circumstances. Impact will implement this task by
means of scientific literature research on the psycho-
social consequences of CBRN incidents and on the
perception of these types of risks. Complementary to
this literature research, the Guidelines on Psychoso-
cial Care for Uniformed Services will be adapted on
basis of the results received from the aforementioned
expert interviews.
4.2.3 Study on the current state of prepar-
edness regarding CBRN incidents and
hospital disaster management
The aim of this task - overtaken by Alexianer Krefeld
GmbH, Centre of Psychotraumatology (CoP) - is to
assess the current challenges at the interface between
stress response among hospital staff and CBRN inci-
dents. This relates to the crisis management phase
when care is provided by hospital personnel to possi-
bly contaminated victims taken over from first re-
sponse (at admission to hospital).
4.2.4 Adaption of crisis management plans
for hospitals as regards psychosocial
crisis management in CBRN situations
Furthermore, Alexiander Krefeld GmbH (CoP) will
develop a model for CBRN incidents which will first
be tested at the Maria-Hilf Hospital in Krefeld (Ger-
many) and then adapted to and offered for national-
wide application. At the end of the CBRN Incidents
and PSS-Project, this model may be offered for EU-
wide application.
367
4.2.5 Development of a curriculum and
teaching material for a training course
(including guidelines and exercises) for
civil protection responders
This constitutes the key task of THW and BBK
within this project. The curriculum for the pilot train-
ing course for civil protection forces has been devel-
oped on the basis of the literature review and the ex-
perts interviews conducted by Impact (see 4.2.1), on
accomplished research and practical experience in
this field (by the BBK and THW), as well as on the
results gained from the first European conference
(see 4.2.7). The first pilot training course will take
place from 26 to 28 October 2011 at the Academy for
Crisis Management, Emergency Planning and Civil
Protection (AKNZ) in Ahrweiler, Germany. The les-
sons learned from the first pilot training will be im-
plemented in the second pilot training to be held at
the AKNZ in March 2012.
4.2.6 Development of a curriculum and
teaching material for a training course
(including guidelines and exercises) for
hospital staff
That is the key task of the Alexiander Krefeld GmbH,
(CoP) within the CBRN Incidents and PSS-Project.
The curriculum for the pilot training course for hos-
pital staff has been developed on the basis of the s-
tudy on the current state of preparedness regarding
CBRN incidents and hospital disaster management
(see 4.2.3) and the adaption of crisis management
plans for hospitals as regards psychosocial crisis
management in CBRN situations (see 4.2.4). As for
the training course targeted at civil protection forces,
the results gained from the first European Conference
will feed into the further development of the training
curriculum for hospital staff. The first pilot training
course will be carried out at the Alexianer-Krefeld
GmbH (CoP) in Krefeld in September 2011 and the
second one at the St. Hedwig Hospital in Berlin in
March 2012.
Common learning objectives of the training course
for both civil protection responders and hospital staff
are:
1. to sensitize the participants to self-protection
and to the reactions and needs of the affected
(the heightened stress factors they might
face during CBRN-incidents)
2. to teach the participants the basic measures
of psychosocial first aid during CBRN situa-
tions (these measures will be practiced dur-
ing an exercise composed of two or more
crisis-scenarios)
3. to raise the participants awareness for the
heightened media attention during CBRN
incidents and to advice them on how to cope
with the media during such crises
4. to foster the participants ability to perform
and their self-efficacy for the deployment to
CBRN situations
5. to inform the participants about strategies of
post-deployment psychosocial care and how
it is supplied (within the respective organi-
sation)
An extra session on basic deployment-tactics during
CBRN incidents will be offered to those participants
of the training course who belong to the psychosocial
crisis intervention team (e.g. psychologists, pastoral
emergency carer). This group of participants forms
the second target group within the training course for
civil protection forces (next to the operational forces
themselves).
4.2.7 First European conference
THW organised the first European conference which
took place in Berlin from the 12th to 14th of July
2011. About 70 experts from 21 EU Members States
participated in this conference. To receive a full pic-
ture of the needs of civil protection forces and hospi-
tal staff, a broad range of experts dealing with the
issue of psychosocial support and/or CBRN incidents
was brought together at this conference: the opera-
tional field (here both professionals and volunteers),
the psychological/medical field as well as the field of
media and communication. Thereby governmental as
well as non-governmental organisations were repre-
sented. The expertise that was shared and created
during the working group sessions of this conference
provides important input for the further development
of the pilot training courses.
The interdisciplinary pool of experts that was created
at the conference in Berlin will be kept regularly in-
formed on the further development of the CBRN In-
cidents and PSS-Project. Besides that, the same ex-
perts will be consulted again for evaluating the first
pilot training courses for both civil protection forces
and hospital staff. Hence, this pool of experts serves
not only as a platform for networking, but also as a
way to build consensus on the deliverables to be pro-
duced throughout the CBRN Incidents and PSS-
Project.
4.2.8 Final European conference
That is why also the same pool of experts will be in-
vited again to the final European conference in Ma-
drid held towards the end of the project (in autumn
2012). This key task is overtaken by the Spanish part-
ner organisation - Direccin General de Proteccin
Civil y Emergencias, Minsterio del Interior. The pro-
ject consortium will present the different project re-
368
sults at this conference. The assembled experts will
assess, discuss and comment on the findings and the
products developed by the project. Moreover, the par-
ticipants will be asked to give suggestions for a fol-
low-up of the project.
5 Expected results from the pro-
ject
The overall aim of the project CBRN Incidents and
PSS is to raise awareness EU-wide for the need
to provide psychosocial support to civil protection
forces and hospital staff especially to those who
might have to deal with CBRN incidents.
5.1 Evaluation and documentation of
Lessons learnt
The output and outcomes of the two European con-
ferences as well as the two pilot training courses con-
ducted within the CBRN Incidents and PSS-Project
will be evaluated by THW with support of the project
partners. As described above, the results received
from the two European conferences (see 4.2.7, 4.2.8)
will be used for the further development and refine-
ment of the training courses for hospital staff and
civil protection forces.
5.2 Recommendations and dissemina-
tion of project results
As project coordinator THW is, furthermore, in
charge of developing recommendations on the basis
of the deliverables produced within the project. This
will be done again by support of the whole project
consortium. The recommendations constitute them-
selves a deliverable of the CBRN Incidents and
PSS-Project. By the end of the very same project, the
finalized training courses and recommendations will
have been translated into English and offered for EU-
wide application.
References
[1] Directorate-General for Humanitarian Aid and
Civil Protection (DG ECHO): Grant Agree-
ment No 070401/2010/579071/SUB/C4, Brus-
sels (BE): DG ECHO, 2011
[2] Impact: Richtlijn psychosociale ondersteuning
geniformeerden, Amsterdam (NL): Impact,
2010
[3] Bundesamt fr Bevlkerungsschutz und Katast-
rophenhilfe (BBK): Psychosoziales Krisenma-
nagement in CBRN-Lagen / Psychosocial Crisis
Management in CBRN Incidents, Bonn (DE):
BBK, 2011
Co-financed by the
European Commission
369

Abstract
03/21/2011

Leaking in the Name of Justice?
Inside Jobs (Innentterattacken)
as a Strategy for (Tax) Law Enforcement?

The Case of the Liechtenstein Tax CD in the
German Federal Constitutional Court
(Bundesverfassungsgericht)
(file-no.: 2 BvR 2101/09 of November 9
th
, 2010)
1

What seems to have happened? An insider
2
at a bank in Liechtenstein sold a CD with bank-
ing data on German tax payers to the German Federal Intelligence Service (Bundesnach-
richtendienst). According to the law of Liechtenstein, he committed data theft
3
and the
Federal Intelligence Service perhaps committed
4
fencing of stolen data, when it provided
the information to law enforcement agencies. Not only celebrity offenders ((ex-)head of the
Deutsche Post, Klaus Zumwinkel
5
) were prosecuted and convicted of tax evasion (Steuer-
hinterziehung
6
); many turned themselves in out of fear of being named on the CD (volun-
tary declaration Selbstanzeige
7
). The following question arose in Germany: Was the Ger-
man government allowed to reportedly spend approximately four million Euros on banking
data to procure an estimated return on investment (ROI) in the amount of 300 million Euros
8
?
The German Minister of Finance rejoiced: It was the deal of my life.
9
One voice in the litera-

1
Incidentally, the scientific codex of the Department of Public Law at the Technical University of Darmstadt applies. The foot-
notes are the responsibility of the team.
2
H. Kieber, Der Frst. Der Dieb .Die Daten, 2009 (16.03.2011).
3
Cited from K. Ambos, Beweisverwertungsverbote, Berlin, 2010, p. 112.
4
Not in judicial terminology of the law of Germany see also 202a StGB (German Penal Code) and 17 Sec. 2 No. 1 and 2
UWG (German Law against Unfair Competition).
5
Datendieb Kieber hat Reform beschleunigt, bazonline.ch (4.3.2011).
6
370 AO (German Tax Law).
7
371 AO (German Tax Law).
8
Daten-CD aus Liechtenstein, Steinbrck macht das Geschft seines Lebens, Welt.de (1.3.2011).
9
P. Steinbrck quoted from: Daten-CD aus Liechtenstein, Steinbrck macht das Geschft seines Lebens, Welt.de (1.3.2011).

Call for Papers for the 6
th
Future Security, Security Research Conference,
Berlin, September 5
th
-7
th
, 2011
CyLaw TU-Darmstadt
Prof. Dr. Viola Schmid, LL.M. (Harvard)
370

ture of legal sciences
10
argues that paying money for (foreign) (banking) data is not constitu-
tionally objectionable under German law. Moreover, German (constitutional) law
11
would ob-
lige the German government to choose this appropriate and necessary enforce-
ment strategy. This enforcement strategy would be according to this opinion the conse-
quence of the legal principle of fair and just taxation (Prinzip der Steuergerechtigkeit bzw.
Besteuerungsgleichheit).
12
The question whose importance for governance cannot be
underestimated arises: Will the persons with authorized (privileged) access in the informa-
tion age (system administrators, directors of data processing centers, archivists etc.) become
informants in the interest of effective and efficient law enforcement? Should every data
organisation
13
expect the government to pay for private data and set incentives for inside
jobs (Innentterattacken) under the condition that it uses this information to enforce its
(tax) laws? These legal dimensions are to be presented as characteristics of (In-)Security of
Data Organisations in the Future. On November 9th, 2010,
14
three judges in the German
Federal Constitutional Court ruled that German law does not qualify such use of stolen data
as inadmissible evidence (exclusionary rule Beweisverwertungsverbot). The residences
of customers of foreign banks which had been determined using stolen banking data may
be searched by law enforcement agencies. Evidence found during these searches can be
used in criminal investigations. The contribution presents the rationes decidendi for the rul-
ings of the Federal Constitutional Court and poses the question: Is the Liechtenstein Tax CD
Scenario a new paradigm for a law enforcement strategy that is economized (economic
analysis of the law
15
) and violates Data Protection Law? Is such a law enforcement strategy
a contribution to an area of freedom, security and justice (Art. 67 TFEU
16
) in the European
Union?

10
J. Lang, Kapitalvermgen im Spannungsverhltnis der Steuerflucht zur Steuergerechtigkeit, in: U. Burgard/ W. Hadding/ P.O.
Mlbert/ M. Nietsch/ R. Welter, Festschrift fr Uwe H.Schneider zum 70.Geburtstag, Kln, 2011, p.737 (742).
11
proportionality in the strictest sense.
12
Fundamental for actual equal load and for securing an equal and complete law enforcement as Commandment of Fair
and Just Taxation (or taxation equality BVerfGE 84, 239 (268 f.) (Besteuerungsgleichheit)); BVerfGE 110, 94 (112); refer-
enced from BVerfG, Ruling from 15.1.2008, file-no.: 1 BvL 2/04, Ln. 126; on Fair and Just Taxation (Steuergerechtigkeit)
Ruling from 17.11.1998, file-no.:1 BvL 10/98, Ln. 17; Ruling from 10.3.1998, file-no.: 1 BvR 178/97, Ln. 48; Ruling from
5.2.2002, file-no.:2 BvR 305/93, Ln. 85; Ruling from 7.11.2006, file-no.: 1 BvL 10/02, Ln. 95.
13
In the terminology of the Department of Public Law at the Technical University of Darmstadt, Germany, data organisation
comprises all information technologies cited and defined in 3 Sec. 2-5 BDSG (German Data Protection Law).
14
Ruling from 9.11.2010, file-no.: 2 BvR 2101/09.
15
R.B. Cooter/ T. Ulen, Law and Economics, 6th ed. 2011.
16
Art. 67 TFEU: 1. The Union shall constitute an area of freedom, security and justice with respect for fundamental rights and
the different legal systems and traditions of the Member States. []3. The Union shall endeavour to ensure a high level of
security through measures to prevent and combat crime, racism and xenophobia, and through measures for coordination and
cooperation between police and judicial authorities and other competent authorities, as well as through the mutual recognition of
judgments in criminal matters and, if necessary, through the approximation of criminal laws. []
371
Enhancing the acceptance of technology for civil security and sur-
veillance by using Privacy Enhancing Technology
Vagts, Hauke, Karlsruhe Institute for Technology Vision and Fusion Lab, Germany
Beyerer, Jrgen, Fraunhofer-Institute of Optronics, System Technologies and Image Exploitation IOSB, Germany
Abstract
Video surveillance is a popular approach to ensure security. Systems have become powerful and modern technol-
ogies have huge potential for great performance and enforcement of privacy protection at the same time. Intelli-
gent video deployments perform multi-camera tracking of objects or can detect suspicious behaviour. However,
the enhancement in video analytics, digitalization and interconnection of video surveillance scares the observed
society. In addition heterogeneous data sources (GPS, RFID, online data bases, etc.) can be included in the sys-
tems and make them more powerful. Privacy Enhancing Technologies (PETs), e.g., algorithms for anonymization
of sensitive data in data bases or blurring of faces in video are promising. Approaches in other fields of research
exist and it must be investigated how they can be used in civil security. This work surveys existing approaches
and assesses them for a potential use in technology for civil security. Interaction technologies for surveillance
systems are PETs that are promising to enhance the acceptance. The integration of mobile devices can create a
balance between observed people and the observers. This work presents an approach based on them. In a first
scenario an intelligent surveillance system is enhanced with mobile tagging for easy access to information about
the surveillance task. A second scenario gives a person temporary and anonymized access to a video camera.

1 Introduction
Surveillance has become powerful and many installa-
tions, including cameras exist. It must be accepted that
that it will be even more instead of less in future.
The increasing potential of surveillance technologies
scares people and is blocking their success. New ap-
proaches are required that consider the needs of socie-
ty, the everyday observed people. Only if a higher lev-
el of acceptance is achieved, new surveillance tech-
nologies will be successful.
During the last years surveillance systems got intelli-
gent and have developed from simple multi-camera
and one monitor solutions to autonomous systems that
can perform all kind of tasks. New achievements put
privacy at risk, e.g., persons can be identified by bio-
metric attributes used in face recognition algorithms
and movement profiles can be generated.
Privacy in surveillance is still a new field of research.
Most approaches focus on technical solutions that do
not consider social and legal requirements. Complex
technical approaches are hard to understand and IT
security is impalpable for the average user.
You can put yourself ahead of an attacker by collect-
ing and fusing information of conventional sources as
CCTV systems (video) and new sources as social me-
dia, tracking (GPS, RFID, mobile networks, etc.) or
loyal shopping cards. Using all this information puts
privacy at risk and leads to growing concerns of peo-
ple. Existing solutions for privacy enforcement are
heterogeneous and are applied to different sorts of da-
ta. Therefore, it is challenging to compare them.
This work proposes an assessment model for existing
and future PET that allows an objective comparison.
Even if data is processed in different ways, in general
the processing of information in technology for civil
security follows certain order: data collection, storage
of data, processing of data and finally visualization of
it or the corresponding results. This work categorizes
PETs according to these steps.
This contribution proposes a new approach that focus-
es on the on the observed people. In the last quarter of
2010 more smart phones then personal computers
were sold. Hence, it can be presumed that most people
will own one and are capable to use it. Small mobile
applications (Apps) are already very popular. They are
mostly easy to install and use.
The paper is organized as follows. Section 1 high-
lights how omnipresent surveillance has become and
the opinion in society about it and what must be done
to achieve a higher level of acceptance. Section 2
gives an overview about related work in the areas of
intelligent surveillance, privacy and mobile tagging.
Section 3 surveys existing PETs, categorizes them for
surveillance and proposes a model for assessment.
Section 4 introduces the Privacy Control Manager
App, a new approach for enhancing the acceptance of
video surveillance. Details about the demonstrator
system are shown in section 5. Concluding, chapter 6
summarize and proposes future work.
372

1.1 Video Surveillance and Society
An impressive number of 4.2 million cameras is in-
stalled in the United Kingdom [1,2,3]; thereof
500,000 [3] in London. Even if the numbers are esti-
mated, it highlights that surveillance has become part
of our everyday life. The number of cameras, e.g., in
Germany, is lower, but in specific locations achieve
the same concentration. The central stations in Frank-
furt and Leipzig house 150 and 120 cameras, respec-
tively. Even critics of surveillance must accept that
these cameras are installed and will not be removed.
Rather, sinking costs for cameras and surveillance in-
frastructure will lead to more cameras. Modern sys-
tems can be extended with others sensors, e.g., RFID
technology, acoustic sensors or can be connected with
data bases and maybe with social networks. However,
technology, legal and social experts must discus to-
gether with operators and critics new approaches for
privacy.
The acceptance of surveillance differs from country to
country, e.g., 90% of the people in London think that
video surveillance is a good thing, while only 25%
in Vienna do [4]. Even if opinions about surveillance
differ, it can be said that most people want higher
transparency in surveillance. The power in the rela-
tionship between operators and observed subjects is
imbalanced. New solutions are required to bring back
the balance between them. It must be easy to access
information about operators and surveillance tasks.

1.2 Creating the Balance between Ob-
served People and Observers.
Average persons are mostly not interested technical
details. Hence, it is unlikely that most people would
configure all privacy details, especially if they not un-
derstand what they are doing. On the other hand it is
likely that people what to have the option to change
their privacy settings. They need the feeling that they
could be control and that there is a balance.
It has been shown, e.g., in [5] that security and the
sense for security can be far apart from each other. In
case of privacy the situation is similar. Acceptance of
privacy technology, especially Privacy Enhancing
Technologies (PET), and technical quality is not the
same.
This work proposes a catalogue for the assessment of
PET. It is based on a technical perspective and further
research is required to include social factors. An ac-
ceptance model that considers requirements for PET,
technical strengths and social factors must be created.
Technologies must be integrated in a single demon-
strator system, so that they can be seen and compared
by average users.
2 Related Work
Interaction and temporary access are not considered to
be a PET in a conventional definition, but can be
powerful PETs in video surveillance that bring ac-
ceptance to a new level. Hence, this chapter introduc-
es all related areas necessary to understand the inno-
vative approach for interacting with surveillance cam-
eras. PET and a catalogue for assessment are
discussed in section 3.

2.1 Intelligent Video surveillance
Modern systems can integrate, beside cameras, differ-
ent sensors, e. g., acoustic sensors [6], smell sensors,
Biometrics, RFID, or GPS. The overall quantity of
available data has increased. All kind of information is
digitalized. Hence, smart surveillance systems (e.g.,
[7,8,9]) evolve with the advancement of smart camer-
as (e.g., [10,11]), pattern recognition, multi-camera
tracking, situation and video analytics and other relat-
ed areas of research. Data must not merely be extract-
ed, but rather be organized and accessed. This is espe-
cially relevant in smart surveillance systems that may
generate a tangled data mess that cannot be handled
[12]. In [13] Hampapur et al. present a framework for
searching surveillance video. Inhomogeneous sensors
(different modalities), an increasing amount of infor-
mation and data fusion at different levels of abstrac-
tions, require a more abstract representation. A review
about other intelligent surveillance systems can be
found in e.g., [14, 15, 16].

2.1.1 Network Enabled Surveillance and
Tracking (NEST)
The NEST Architecture [8] provides a base for the
integration the the App presented in section 4, but it
can be integrated other intelligent surveillance systems
as well.
Core of the NEST architecture is an Object Oriented
World Model (OOWM) [17] that handles data repre-
sentation, organization and is easy to access. The
OOWM and the Privacy Manager [18] allow en-
forcement of privacy according to the Fair Infor-
mation Principles (FIP, [19]). Different PET, e.g., met-
rics for anonymization, data abstraction or privacy
policies are included.
However, the presented approach directly focuses on
the interaction with cameras and is independent from
the OOWM.

2.2 Barcodes and Mobile Tagging
Mobile Tagging is reading of barcode with a mobile
device. In most cases the barcode stores the address of
a web page. This allows the user to navigate to a web-
site without typing it, while he is on the move.
373
Figure 1 sketches the process of mobile tagging. At
first the mobile is adjusted to the barcode and then the
user takes a picture. Following the mobile decodes the
link embedded in the barcode and finally opens the
website with the requested information.
Typical fields for application are, e.g.:
Providing additional product information on
a package
Tagging of information, e.g., Wikipedia con-
tent in a museum.
Tagging of business cards to avoid scanning
Mobile tickets (trains and flights)

Figure 1 Mobile Tagging

When barcodes are used in logistics they are mostly
scanned by lasers. When using mobile devices, bar-
codes are scanned by the build in cameras, which is
less accurate. Hence, barcodes used for mobile tag-
ging must be more robust. They should also be able to
still read a code when a part is flawed. More infor-
mation about barcodes can, e.g., be found in [20].
Due to the high robustness two dimensional codes are
used in mobile tagging in form of Matrix Codes. The
most used one is the Quick Response Code (QR-
Code) [21]. Hence, it is used in this work as well.
A QR Code is squared matrix of black and white dots.
A special marking for orientation is used in the three
of the four corners. It has an error-correction up to
30%.

2.3 Multi-Cursor-MarkerXtrackT
(MC-MXT)
MC-MXT can be used to identify and locate people.
The marks used for identification are ring-shaped
barodes. Up to 100 markers can be used at the same
time. One marker is shown in Figure 2. More details
about MC-MXT can be found in [22].

2.4 Mobile Devices
A huge variety of manufactures for mobile devices ex-
ist. Since 2010 Android
1
is the most successful plat-
form for mobile devices and has, e.g., a market share
of 31.2% in January 2011, compared to market share
of of 24.7% of iOS, the operating system running on
Apple iPhones.
Due to the openness of the architecture and the high
quality of the development tools, Android is used as
the platform for App development in this work.
Figure 2 MC-MXT marker
3 Privacy Enhancing technolo-
gies
A huge variety of PETs exist and none of them have
been used in the area of surveillance. Following it is
shown how they can be categorized and assessed.
In surveillance the process of data processing can be
divided in the following steps:
1. Data collection
2. Storage of data
3. Processing of data
4. Visualization
PET can be used for different steps and the categori-
zation cannot be transferred one-to-one.
Hence, existing PET that can potentially be used in
surveillance are in a first step mapped to the classifi-
cation for PETs proposed by the OECD [23].

3.1 Existing PETs and Their Usability
for Intelligent Surveillance
In the following potential PETs for surveillance are
listed. The OECD categories are then mapped to the
data processing process. Detailed descriptions of them
are out of scope of this work and can be found in the
named references. Every PET is only described with
one sentence. PETs in surveillance must be seen in a
very broad way. On the one side, there are fully tech-
nological solutions, e.g., usage and control and on the
other side principles exist, such as the obligation to
label surveillance properly.

1
http://www.android.com/
1) Adjust mobile to bar code
2) Take a picture
3) Decode
4) Show website

374
All the categories consider that the surveillance sys-
tem is highly intelligent, distributed and can process
data gathered in heterogeneous data sources.

3.1.1 Information Brokers (IB)
Anonmyization strategies and metrics: Met-
rics as k-anonymity [24] or l-diversity [25]
can be used to quantify privacy. A simply
strategy is, e.g., to generalize a specific loca-
tion to an area that contains more than one
person.
Obligation to label video recordings on a site:
Requirement for labelling according to the
law.
Privacy-preserving Data Acquisition Proto-
col: Protocol allowing queries that cannot be
reconstructed by a data base [26].
Privacy-Preserving Face Recognition: If a
picture from Alice is matched with a data
base from Bob. Alice should not be able to
gain information about the DB and Bob not
about the picture [27].

3.1.2 Web-based Technologies (WT)
Anonymous remailer: One of the first PETs,
they can be used to send emails without iden-
tifying the sender, e.g. [28].
Data handling policies: Languages that can
be used to specify how personal data can be
accessed, e.g. XACML [29].
Mix networks: Creating a hard-to-trace com-
munication by using a chain of anonymous
proxy servers [30].
Platform for Privacy Preferences Framework
(P3P): Users and provider of website can
specify policies for the usage of sensitive da-
ta. Enforcement is not guaranteed [31].
Private Sharing of User Location over Online
Social Networks: The own location is only
visible to friends. Based on keys and en-
cryption [32].
OpenID: Decentralized authentication for
web sites that support multiple IDs [33].

3.1.3 Network-based Technologies (NT)
Firewalls: Firewalls can block specific con-
tent, which can also be sensitive data,
e.g., [34].
NEST Privacy Manager: Framework for pri-
vacy enforcement according to the FIP. See
section 2 or [18].
Mix networks: see above.
Path Confusion: Mixing of different tracks
when processing location information,
e.g., [35].
PAWS: Architecture for privacy enforcement
in ubiquitous computing [36].

Figure 3 Mapping of OECD Categories to Sur-
veillance Steps

3.1.4 Personal Privacy Enhancing Technol-
ogies (PPETs)
User Interaction: Approaches that allow the
user to have an active part in the surveillance
process (see Section 4). E.g., by using ges-
tures.
Usage Control: Mechanisms that allow a per-
son to be in charge of personal data, after
transmitting. Closely related to DRM [37].
Off-the Record Messaging: Encrypted com-
munication, but it is possible for the sender
to disavow that he has send the message [38].
Privacy-Preserving Ubiquitous Computing:
Observed people carry RFID tags in a smart
room. They are used for identification and
people can decide whether they want to be
recorded or not [39].
Scrambling of regions of interest in video
streams: Popular technology for privacy en-
forcement in video [40, 41].
Privacy for RFID: Multiple approaches exist
to enforce privacy when using RFID tags,
e.g., [42, 43]. One is to destroy tags, when
not required anymore.
Four-eye principle: Two people are required
to process sensitive data.
Security Tools: conventional technologies
used in IT security, as cryptography or access
control strategies.

As it can be seen in 3.1.1-3.1.4 many privacy en-
hancing technologies exist. However, most of
them cannot be applied directly and further re-
search is required to explore their suitability for
surveillance.
Collecting Storage
Visualization Processing
PPETs
NT IB
WT

375
The best possible mix is depending on the surveil-
lance task and the surrounding conditions. Data
can be gathered in different fields. PETs can be
used for data in the form of video, location data
(tracking), data collected via the internet and
acoustic information. This is shown in Figure 4.
As it can be seen, more research is required for
privacy enforcement for processing of acoustic
data, as no solutions exist for this kind of data.

Figure 4 PETs and different types of data

3.2 Assessment of PETs in Intelligent
Surveillance
PETs have not been assessed for the usage in intelli-
gent surveillance systems. In [44] Henning et al. pub-
lished a checklist, which is limited to PETs for RFID.
This work sticks to the idea of a checklist for the as-
sessment of PETs. The assessment is based on the pri-
vacy requirements specified in the Common Criteria
2
,
which contain requirements for privacy protection.

1. Limitation of the collection of personal data?
(3P)
2. Is the data secured sufficiently? (1P)
3. Can pseudonyms be used? (2P)
4. Are identifying attributes anonymized? (2P)
5. Is the user clearly authenticated? (1P)
6. Is the user in control of his data? (3P)
7. Can the user change is data? (2P)
8. Can an approach be integrated with reasona-
ble effort? (1P)
9. Can the usage of a PET also harm the privacy
protection, if not integrated well? (2P)
10. Does the PET enhance privacy protection?
(3P)
In sum a maximal amount of 20 points can be reached
by a PET. The weighting was made after the experi-
ences gained when using PETs in the NEST demon-
strator system. Hence, the weighting can slightly differ

2
http://www.commoncriteriaportal.org/cc/
in other systems or contexts; the general weighting is
the same in every system.
For instance, User Interaction has received a high rat-
ing of 15 points (3,1,0,2,1,3,2,0,0,3) and is a recom-
mended technology for intelligent surveillance sys-
tems. An approach for integration is proposed in the
following.
4 A Framework for User Inter-
action
Interaction with video cameras can redress the balance
between observed subjects and observers. Understand-
ing and quantifying privacy is complicated. In [45] it
is evaluated how existing metrics for quantifying pri-
vacy can be used in surveillance and an approach for
annomyized access of location data is presented, but it
cannot be used for raw video data.
As it is difficult to formalize the feeling for privacy or
to specify a general model about it, every user has dif-
ferent requirements and a different level he wants to
protect. Technophile people, with deep knowledge
about PETs and data protection law have the ability to
specify their own privacy requirements. Average users
mostly cannot assess privacy risks and PETs. Hence, it
must be as easy and quick as possible to control priva-
cy. Apps for mobile devices got popular and at it can
be supposed that most people will be capable of using
an app on their device for controlling privacy.
This work shows an app for privacy control in video
surveillance, which can be used in two modes. In the
basic mode an observed participant can access infor-
mation about the surveillance deployment. In access
mode the user is getting access to an anonymized view
through a web cam. Figure 5 sketches how the two
modes are started. A user is starting the Privacy Con-
trol Manger App (PCM), which starts the mobile tag-
ging, i.e., scanning of the barcode (1) and decoding
the information (2). Following the basic information is
shown to the user (3): Name of the camera, location, a
URL for further use and a symbol for checking. The
latter ensures that the barcode belonging to camera is
scanned. After scanning the user can choose between
further information or getting anonymized access to
the camera.
Figure 5 Identifying the camera and starting the App
Video Tracking
Audio Internet
PPETs
NT
IB
WT

Camera
D
(1) Scanning
(2) Recieve barcode info
(3) display basic info
Show
additional
information
Show
anonymized
camera
stream
Basic Mode Access Mode

376

4.1 Mobile Tagging in Video Surveil-
lance (basic mode)
To get further information the user can send a request
to the server of the surveillance operator, by using the
URL transmitted before (1). When the connection is
established the App transmits information about the
chosen camera (2). The server then creates a PDF with
all additional information and sends it to the user (3).
The PDF can potentially include any information, also
dynamic generated info as a timestamp or an ID of the
user who is accessing it. Important from privacy relat-
ed point of view, are more detailed information about
the reason for surveillance and contact information.
The information is then shown in the PCM to the user
(4) and the PDF is stored for later use.
Figure 6 Basic mode of the Privacy Control Manager

4.2 Anonymized Access to Video Cam-
eras (access mode)
The second option in the PCM is to get annoymized
acces to a video camera, which is sketched in Figure
7.
Figure 7 Anonymized access in the Privacy Control
Manager

In the first step (1) a user, i.e., the PCM App, requests
a marker (which can be limited to authorized users
only). The server of the surveillance operator then
sends the marker to the mobile device (2), where it is
displayed (3). The user now needs to place the mobile,
showing the marker, in front of the camera (4). After
detection (5), the user is granted access to the video
streaming server (6) and can access the anonymized
stream for a specific period.
For anonymization the entire video stream is blurred,
except the person holding the marker. When placing
the marker in the camera, a tracker for the person hol-
ing it is started. The tracker is running while the user
is authorized to use the camera.
Blurring the rest of the video ensures that the user
cannot abuse the system, but it is precise enough for
the user to see that nothing forbidden is seen by the
camera. The option to access the video stream of the
operator is redressing the balance between observed
and observing people.
If the camera has enough resources the marker detec-
tion and anonymization can be directly are executed
on it. Alternatively the detecting, blurring and stream-
ing can be done on the main server of the operator,
which is also hosting the server-side components for
the PCM.
5 Demonstrator
The Privacy Control Manger App is implemented on
the Android platform and it was tested on the HTC
Desire HD and the Samsung Galaxy Tab, both devices
are running Android 2.2. Server and mobile devices
communicate via a VPN secured WiFi connection.
The application has been integrated in a NEST de-
monstrator system.
For detection MC-MXT markers are used, which can
be detected robustly by the camera. Figure 8 is show-
ing the barcode in demonstrator and how it is scanned
by a user. Other markers can be used for the chal-
lenge-response procedure.
Figure 8 Barcode and scanning

Figure 9 shows the MC-MXT marker displayed on the
mobile and the video stream, which is shown in the
PCM App. The user holding the device is recognized
and then everything, except him, is blurred out.

(1) Establish connection to the server
(4) Show PDF
(2) Request camera information
(3) Submit PDF

(1) Request marker (user name & password)
(3) Display marker
(2) Transmit marker
D
Detect marker
(4) Place smartphone
In front of the
camera
(5) Marker
detected
(6) release camera stream
C
a
m
e
ra
s
tre
a
m
(7) Display video stream

377
Figure 9 Marker and blurred video
6 Conclusion and Future Work
This work categorized PETs for the use in surveillance
systems. It proposes a catalogue containing 20 ques-
tions based on the requirements of the OECD, which
can be used to assess current and future PETs.
User interaction is a promising PET that can help to
achieve higher acceptance of surveillance technology.
The proposed Privacy Control Manager App read-
dresses the balance between observers and observed
people. With the PMC even a user not knowing much
about technology and privacy can easily request in-
formation about cameras and can also get an anony-
mized view through a camera.
It has been shown that many PETs exist that can be
used in surveillance scenarios. Further research is
necessary to integrate them in existing systems. Real
users, who are not in touch with high-tech technology
every day, must test it to get more realistic results
about PETs and enhancing the acceptance of privacy.
Further research is required to enhance the use of mo-
bile devices in surveillance systems.
References
[1] Gras, M.: Kriminalprvention durch Video-
berwachung. Gegenwart in Grobritannien -
Zukunft in Deutschland?, Nomos Verlagsgesell-
schaft, 2003
[2] Buellesfeld, D.: Polizeiliche Videoberwachung
ffentlicher Straen und Pltze zur Kriminali-
ttsvorsorge , 2002
[3] Mccahill, M., Norris, C.: Estimating the Extent,
Sophistication and Legality of CCTV in Lon-
don Palgrave Macmillan, Basingstoke, Hamp-
shire, England, 2003
[4] Hempel, L., Tpfer, E.: CCTV in Europe Final
Report, Urbaneye Working Paper No. 15, August
2004
[5] ] Zurawski, N., Czerwinski, S.: Crime, maps
and meaning: Views from a survey on safety and
CCTV in Germany, Surveillance & Society
5(1), 2008
[6] B Lo, J. Sun, S.V.: Fusing visual and audio in-
formation in a distributed intelligent surveillance
system for public transport systems, Acta Au-
tomatica Sinica 29(3), 2009
[7] Hampapur, A., Brown, L., Connell, J., Ekin, A.,
Haas, N., Lu, M., Merkl, H., Pankanti, S.:
Smart video surveillance: exploring the concept
of multiscale spatiotemporal tracking, Signal
Processing Magazine, IEEE 22(2), March 2005)
[8] Mograber, J.; Reinert, F., Vagts, H. An Archi-
tecture for a Task-Oriented Surveillance System -
A Service and Event Based Approach, Proc.
Fifth International Conference on Systems
ICONS, 2010
[9] J-L Bruyelle, L Kuhoudour, D.A.T.L.A.F.: A
distributed multi-sensor surveillance system for
public transport applications. In: Intelligent Dis-
tributed Video Surveillance Systems, The Insti-
tution of Electrical Engineers, 2006
[10] Fleck, S., Strasser, W.: Smart camera based
monitoring system and its application to assisted
living, Proceedings of the IEEE 96(10), Octo-
ber 2008
[11] Bramberger, M., Doblander, A., Maier, A., Rin-
ner, B., Schwabach, H.: Distributed embedded
smart cameras for surveillance applications,
Computer 39(2), February 2006
[12] Limbach, J.: 25 Jahre Bundesdatenschutz In
the celebration of 25 years of Bun-
desdatenschutz, June 2002
[13] Hampapur, A., Brown, L., Feris, R., Senior, A.,
Shu, C.F., Tian, Y., Zhai, Y., Lu, M.: Searching
surveillance video, Advanced Video and Signal
Based Surveillance, 2007
[14] Foresti, G., Regazzoni, C., Varshney, P.: Multi-
sensor Surveillance Systems The Fusion Per-
spective, Springer, 2003
[15] Foresti, G., Mahonen, P., Regazzoni, C.: Multi-
media Video-based Surveillance Systems: Re-
quirements, Issues and Solutions, Springer,
2000
[16] Velalstin, S., Remagnino, P.,: Intelligent Dis-
tributed Video Surveillance Systems, Institution
of Engineering and Technology, 2006
[17] Bauer, A.; Emter, T.; Vagts, H., Beyerer, J.: Ob-
ject Oriented World Model for Surveillance Sys-
tems, Future Security: 4th Security Research
Conference, Fraunhofer Verlag, 2009
[18] Vagts, H., Bauer, A.: Privacy-Aware Object
Representation for Surveillance Systems, 7th
IEEE International Conference on Advanced
Video and Signal Based Surveillance, 2010
[19] OECD, Guidelines on the Protection of Privacy
and Transborder Flows of Personal Data, 1980
[20] Kato H., Tan K., Chai D.: "Barcodes for Mobile
Devices", Cambridge University Press, 2010
[21] Winter, M.,: Scan Me - Everybody's Guide to
the Magical World of Qr Codes, 2011
[22] Geisler, J.; Eck, R.; Rehfeld, N.; Peinsipp-Byma,
E.; Schtz, C.; Geggus, S.,: Fovea-Tablett: A
new paradigm for the interaction with large
screens, International Conference on Human-
Computer Interaction, 2007

378
[23] OECD: Privacy Online:OECD Guidance on
Policy and Practice , OECD Publishing, 2003.
[24] Sweeney, L.: k-Anonymity: A Model for Pro-
tecting Privacy. International Journal of Uncer-
tainty, Fuzziness and Knowledge-Based Systems
10 (5), 2002
[25] Machanavajjhala, A. Kifer D., Gehrke J., Ven-
kitasubramaniam, M.: L-diversity: Privacy be-
yond k -anonymity. TKDD 1 (1), 2007.
[26] Kwecka, Z., Buchanan, W., Spiers, D.: Privacy-
preserving data acquisition protocol Computa-
tional Technologies in Electrical and Electronics
Engineering (SIBIRCON), 2010
[27] Erkin, Z., Franz, M., J. Guajardo, J., Katzen-
beisser, S., Lagendijk, I., Toft, T.: Privacy-
Preserving Face Recognition, 9th International
Symposium on Privacy Enhancing Technologies,
2009.
[28] Schneier, B.: E-mail security: how to keep your
electronic messages private, John Wiley &
Sons, Inc., 1995
[29] Vagts, H.; Krempel, E. & Beyerer, J.: Access
Controls for Privacy Protection in Pervasive En-
vironments, 4th International Conference on
Pervasive Technologies Related to Assistive En-
vironments, 2011
[30] Chaum, D.: Untraceable electronic mail, return
addresses, and digital pseudonyms, ACM, Feb-
ruary 1981.
[31] Cranor, L., Dobbs, B., Egelman, S., Hogben, G.,
Humphrey, J., Marchiori, M., Presler-Marshall,
M., Reagle J., Schunter, M., Stampley, D., Wen-
ning, R.: The Platform for Privacy Preferences
1.1 (P3P1.1) Specication, November 2006.
[32] Freudiger, J., Neu R., Hubaux, J.-P.: Private
Sharing of User Location over Online Social
Networks, HotPETs, 2010.
[33] Recordon, D., Reed, D.: OpenID 2.0: a platform
for user-centric identity management 2nd ACM
workshop on Digital identity management ,
2006.
[34] Freed, N.: Behavior of and Requirements for
Internet Firewalls , RFC 2979 (Informational),
2000
[35] Hoh, B. und Gruteser, M.: Protecting Location
Privacy Through Path Confusion, Security and
Privacy for Emerging Areas in Communications
Networks, 2005
[36] Langheinrich, M.: A Privacy Awareness System
for Ubiquitous Computing Environments 4th in-
ternational conference on Ubiquitous Compu-
ting, 2002
[37] Korba, L., Kenny, S.: Towards Meeting the Pri-
vacy Challenge: Adapting DRM, Digital Rights
Management Workshop, 2002
[38] Borisov, N., Goldberg, I., Brewer, E.: O-the-
record communication, or, why not to use PGP,
2004 ACM workshop on Privacy in the electron-
ic society, 2004
[39] Duan, Y., Canny, J.: Protecting User Data in
Ubiquitous Computing: Towards Trustworthy
Environments, International Workshop on Pri-
vacy Enhancing Technologies (PET), 2004
[40] Dufaux F., Ebrahimi, T.: Scrambling for Video
Surveillance with Privacy IEEE Workshop on
Privacy Research in Vision, 2006
[41] Martin, K., Plataniotis, K.: Privacy Protected
Surveillance Using Secure Visual Object Cod-
ing 2008
[42] Karjoth, G. und Moskowitz, P.: Disabling RFID
tags with visible conrmation: clipped tags are
silenced, 2005 ACM workshop on Privacy in
the electronic society, 2005
[43] Garnkel, S., Juels, A., Pappu, R.: RFID Priva-
cy: An Overview of Problems and Proposed So-
lutions, IEEE Security & Privacy 3 (3), 2005.
[44] Hennig, J., Ladkin, P. und Sieker, B.: Privacy
enhancing technology concepts for RFID tech-
nology scrutinized, 2004.
[45] Vagts, H.; Bier, C. & Beyerer, J. Anonymization
in Intelligent Surveillance Systems Proceedings
of 4th IFIP Conference on New Technologies,
Mobility and Security, 2011

379
Customer Security Environment: Understanding customers
views on security
Eija Kupi, VTT Technical Research Centre of Finland, Finland
Katariina Palomki, VTT Technical Research Centre of Finland, Finland
Mervi Murtonen, VTT Technical Research Centre of Finland, Finland
Andy Nolan, Schneider Electric, Buildings Business, Finland
Abstract
Based on several research projects and close co-operation with leading security providers and their customers,
we have identified some gaps between security providers and customers views on security. Currently, security
providers seek to offer more and more comprehensive security solutions, whereas customers are not automati-
cally willing to commit themselves to one security provider. For a service provider, it seems to be a challenge to
understand specific customer needs and benefits related to security services. Marketing of security solutions is
mainly based on negative arguments, i.e. risks, threats etc., whereas customers would welcome more positive
outcomes, i.e. promises of good functionality and financial benefits. How the customer sees the security and
what the salesman talks about are often two different things. In this paper, we provide a new framework of Cus-
tomer Security Environment as a solution that helps security providers to promote more customer-dominant
logic in their business. This paper answers the following research question: How can security services better
promote and provide benefits to the customers business?
1 Introduction
Security industry is growing and attracting invest-
ments and competition from new business sectors.
This enriches the business but also necessitates dif-
ferentiation. The trend in the security markets is to-
wards integrated one stop solutions that combine dif-
ferent kind of expertise in new ways. Integrated solu-
tions are seen to bring more value to customers but in
some cases customers want to optimise the costs of
different components of security. Security offerings
are mostly based on threats which do not become
concrete to customer before the costs of an incident
are realised. That is why a more positive and cus-
tomer oriented approach is needed.
The paper is structured as follows: First, based on ex-
isting literature, the paper discusses security markets
and customer oriented service logic. Next, we present
empirical findings and propose Customer Security
Environment framework which broadens the view of
security service providers to the security benefits of
customers. Finally, we discuss the importance of un-
derstanding the customer needs in security services
and the benefits of the framework.
1.2 Security market
Security industry has been defined as an industry that
supplies the products and services specifically used
by the human being to prepare, prevent, protect, re-
spond, reduce, palliate and deal with the threats and
consequences that undesired events have on our soci-
ety. These consequences may be summarised in terms
of damage to peoples life, health, property or other
assets, including information. [1] The sector has
been described to consist of guarding services, private
investigation, and physical security products, such as
burglar alarm systems [2] but lately the area of pri-
vate security has become increasingly everybodys
business [3]. Also in previous studies on security
markets in Finland [4], the key conclusion was that
the range of companies that provide security related
products and services is wider than usually consid-
ered varying from traditional safety and security pro-
viders to companies that add security to their core
offerings only as an additional feature. [4]. The pri-
vate security business field is very fragmented con-
sisting of both traditional safety and security actors
and variety of new actors with different kind of back-
grounds and novel service arguments.
380
Private security business field has been growing in an
extraordinary way because of various driving forces
(e.g. technological developments, globalisation, fear
of crime, increases in income, inadequacy of public
funding, privatisation) [3]. Especially industries such
as building monitoring and management, defence,
industrial automation and control, scientific instru-
mentation and ICT industry have all been acknowl-
edged to be closely related to the security industry. It
is expected that by 2020, the security industry is at-
tracting investments and competition especially from
the IT, building control and energy-management in-
dustries. Security firms usually operate concurrently
in some of these other industries and markets because
they provide advantages in terms of a more diversi-
fied customer base, synergies and economies of large
production. For example in the building monitoring
and management industry, solutions such as fire pro-
tection, access control, heating and air conditioning
are all interesting capabilities also from the security
businesss view point. In addition to these changes,
the trend in the security markets is towards one stop
solutions. [1] [5]
As the security business is changing, the offerings are
becoming more complex. According to our findings,
customers may not have enough understanding about
the new solutions and thus they are lacking knowl-
edge in order to buy the right products and services.
As the solutions are becoming integrated and compli-
cated and they are bought from one provider, cus-
tomer may need support in buying. On the other
hand, more complicated offerings may lead to more
tailoring and customer-specific solutions that in turn
call for close co-operation between provider and the
customer. This may be opposed by the customer that
does not want to bind oneself too closely with the
provider.
According to the aforementioned views, security
business area is developing rapidly. Security offerings
can be found almost anywhere. Understanding the
environment of the customers is the key issue. This
paper discusses how security services can better pro-
mote and provide benefits to the customers business.
The aim of this paper is to present the framework of
Customer Security Environment and discuss how the
framework helps security providers promote more
customer-dominant logic in their business.
1.3 Customer oriented logic
In current literature, service is mostly viewed as co-
creation dominated by and from the perspective of
the service provider instead of the customer [6]. Ser-
vice operations and processes are typically described
from the providers perspective, and most articles on
service development take the providers view. How-
ever, most researchers share the argument that the
ultimate goal for service should be to facilitate value
for the customer [7], but the overly emphasised pro-
viders perspective in service development will lead
to an incomplete understanding of what the customer
actually does with the service [6]. More customer-
oriented approach is needed.
In practice, this means that we need to understand in
what ways a specific service relates to customers
core business and day-to-day activities and what pur-
pose does that specific service serve in customers life
as a whole. This is a challenging task for all service
providers and for those, whose offerings do not di-
rectly target the core business of the customers, espe-
cially. They may have merely a supportive role in
customers business processes, and the links from
their services to customers core business might be
hard to prove. Therefore, these support services are
typically perceived to have only a low strategic im-
portance for the customer. These services can be
categorized as routine support activities like cleri-
cal tasks, cleaning, waste management as well as se-
curity and surveillance for the day-to-day opera-
tions of the customers. Typically, the companies in
this sector specialize in one or more of these support
activities and provide services to customers in a vari-
ety of industries and, in some cases, to households.
The support services are fairly simple and standard-
ized services, and in most cases, there are many al-
ternative providers in the market. Furthermore, no
unique expertise or major capital investments are
needed to establish a support service company [8].
On the other hand, our empirical notion is that secu-
rity services, like many other support services as well,
have a high importance to many customers. Without
a watertight security systems and reliable security
service workers many companies would be unable to
continue they everyday business. Shopping malls
could not keep their doors open, banks could not be
able to operate etc. We argue that the actual strategic
benefits for the customers of the current security of-
ferings are not adequately analysed and new ap-
proaches to relate security services to customers core
business processes are needed.
For a security solution provider, it is important to
recognise the specific safety and security needs from
the perspective of the customer. In the context of se-
curity guarding, for example, it has been noticed that
good buyer-seller relationship practices are of par-
ticular value in security guarding, and that business-
to-business customers of these services seek not only
the actual security outcomes but also service provid-
ers who understand the value of service-orientation,
fluent communication and listening the needs of the
customer [9]. Different customer segments and cus-
tomers value different aspects of the security envi-
381
ronment; therefore, one service concept will not be
suitable for all customers. Several concepts, varia-
tions or combinations are needed.
2 Materials and methods
This discussion paper is based on empirical findings
from several research projects that have included
close co-operation with leading security providers
and their customers. Above all, this study discusses
the findings of a project that aimed to visualise new
security business potentiality and opportunities, and
to describe the development and competence needs of
the company. All the research projects have yielded
conclusions and discussions that have also been con-
cretised in the case company from which some chal-
lenges and findings are presented in this study in
more detail. The research project with the case com-
pany included three workshops and several meetings,
and the discussions took place both with the case
companys personnel and customers. The workshops
focused on the vision and targets of the company,
customer security needs and service expectations, and
on economic benefits of security services.
The aim was to develop a new security service busi-
ness and comprehensive security solutions. The
company wanted to gain a clear understanding of the
customers needs. During the discussions about the
potentiality and opportunities for a new security
business a need to emphasise customer orientation
was discovered. Moreover, one of the biggest chal-
lenges for the case company was to understand how
the customer benefits from the services the company
provides, and how the company could better express
and demonstrate the benefits to the customer. The
company recognised a need to listen and understand
the customers needs and to develop services that re-
solve the customers needs. Especially the technical
needs of customers were recognised as important
ones to carefully consider. In the research project, a
need for integrated and more comprehensive solu-
tions combining different kind of expertise in new
ways was discovered. The convergence and integra-
tion of multiple systems, as well as a focus on behav-
iour and education increases the opportunity to de-
velop more intelligent solutions that provide an addi-
tional business benefits to the customer and lower life
cycle costs. With a high level of convergence the
case company wanted to develop solutions that an-
swer not only to security related needs but could solve
comprehensively various needs and challenges the
customer has. This approach cannot be successful
without understanding the customers business needs
and requires the solution provider to also act in the
role of a consultant.
To conclude, the empirical findings of this and sev-
eral other research projects and recent literature have
led us to following key findings of the security busi-
ness
- The benefits of security services to customers
are considered too narrowly
- Security offerings are technology-oriented
and service provider centred
- Security service providers do not consider
customer needs carefully enough
- Security offerings are based on threats, and
the value and benefits of services does not
become concrete to customer before the costs
of an incident are realised
Based on these notions and the empirical evidence
gathered during the research projects, we suggest that
a more positive and customer oriented approach is
needed. As an answer, we propose a new framework
of security environment of customers that consists of
five aspects: security, safety, business continuity,
brand, and emotional aspects (Figure 1).
Figure 1. Security environment of customers
Security and safety are a twosome that are closely
linked together and complete each other, and that
consider the same issue from different viewpoints.
Recently, alongside with these main elements, busi-
ness continuity management has been under discus-
sion compassing various factors that contribute to the
undisturbed and efficient operations of companies,
thus including parts of the areas of security and safety
as well. As security issues have become more impor-
tant and visible in societies, it has become a contro-
versial conversation piece that arouses opposition too.
Thus, security and safety issues are more and more
understood as a matter of feelings, and issues such as
do surveillance cameras give a feeling of secure or
insecure premises are being discussed. From a com-
pany point of view, the aforementioned aspects all
contribute to the image of the company: At best, a
company that is known as a reliable partner with
smooth and efficient operations or provides a secure
and safe working environment to its employees can
get competitive edge over its competitors. Thus, all
the dimensions of the security environment complete
each other, though for different customers different
382
dimensions may be more important than others. The
framework will be discussed in more detail in the fol-
lowing chapter.
3 Customer Security Environ-
ment
This framework was utilised in order to broaden the
view of a security service provider company to the
security benefits of customers. In the optimal case,
these five aspects of Customer Security Environment
are all taken into account. Which aspect of the secu-
rity environment is the most important, depends both
on the customers and even their customers
business goals and other specific needs. Therefore,
security portfolios are different between different sec-
tors - for example, for some customers safety issues
can be more important than brand related issues.
Investment in security affords relevant benefits by
means of the prevention and reduction of damage to
life and property and a better resilience to quickly re-
cover from a security incident. Investing in security
also diminishes the likelihood that the happened in-
cident spreads to other areas and finally ends up dis-
rupting key functions in a society. However, benefits
reaped from security are somewhat intangible and
therefore not easy to measure because cost savings
from prevented and avoided security breaches cannot
be directly observed since these breaches never even
occurred. When viewing from the level of societies, it
has been stated that the most appropriate measure of
success in the economic sector of security is to find
and offer affordable solutions to security issues that
improve the citizens feeling of confidence. [1]
In this approach, we distinguish safety from security.
The concept of safety is linked to unintentional acci-
dents, injuries and losses, and the concept of security
to intentional acts of damage, crime and terrorism
[10]. The benefits of safety arise mostly from prevent-
ing work related incidents from happening but there
are also studies and models that illustrate how
changed working conditions or increased efficiency
influence the production costs and change the pro-
ductivity [11][12]. The advantage of using cost bene-
fit analyses is to show the important financial role
that safe and efficient workplaces play. Conducting
cost-benefit analyses of architectural attributes such
as security has always been difficult, because the
benefits are difficult to assess. Security technology
benefits depend on how often a harmful incidence is
expected, how much damage is likely to occur and
how effective the security technology is in mitigating
the damage from an incidence.
Business continuity refers to elimination or reduction
of disaster condition before it occurs and recovering
from any type of business interruptions [13]. Business
continuity adds a strategic and long term perspective
to this framework and considers all key elements in
the organisation such as the people, process and in-
frastructure. Quickly recovering from any type of
business interruption is critical to a companys sur-
vival. The monetary value of business interruptions
can be estimated e.g. in downtime or infected com-
puters. [13]. Interruptions can lead to loss of work to
competitors, failures within supply chain, loss of
reputation, human resources issues, health and safety
liabilities, and higher insurance costs, and the im-
pacts can affect staff or public wellbeing, environ-
ment, premises, technology, or information, financial
viability, product or service quality, etc. [14]. The
consequences of business interruptions can lead to
great losses.
In addition, we see customer brand as a critical ele-
ment in Security Environment. Security affects how a
customers customers feel, think and act with respect
to the customers brand. A brand with the right secu-
rity identity appeals to the right customers and busi-
ness partners. Good reputation of a company can cre-
ate higher sales figures, experiences of better prod-
ucts, increased competitiveness, and feeling of
togetherness which can further lead to more efficient
operations. If a company falls into disrepute, com-
petitiveness, local positioning, trust and loyalty of
interest groups, media relationships and legitimacy
can all be lost. Bad reputation may also have an im-
pact on turnover of employees, employment of new
employees, getting and keeping customers. Effects
can be judicial, financial or they can negatively affect
business conditions. [15]. Reputation related risk is
one of the most important operational business risks
and up to 40% of the value of a vibrant company can
be attributed to its reputation. A good reputation and
a strong brand allow companies to stand out in
crowded markets. [16]
Emotional aspects consist of perceptions of and feel-
ings towards, safety and security. Security and safety
as feelings refer to customers fast, instinctive, and
intuitive reactions to potential threats [17]. The per-
ception of risk varies from one individual to the next,
even under the same conditions. The link between the
mental concept and the real world only shows itself
through actual harm. The role that dialogue plays is
often underestimated. To be successful, facilitators of
risk workshops (as well as security service providers)
need to take a neutral perspective and consciously
avoid transferring their views and opinions in seek-
ing solutions. [18]
Table 1 presents some examples of possible benefits
in customer security environment.
383
Table 1 Examples of customer benefits in security
environment
4 Understanding customers
views on security
Considering customers security environments
through the five aspects presented earlier helps in
better focusing on the benefits that investing in secu-
rity affords to customers. An important question is
how to argue the benefits to customers and what is
the value of these benefits to each customer. The
value also defines how much the customer is willing
to pay. The value to a customer is difficult to calcu-
late because it has to be defined in co-ordination with
the customer. There are different ways to determine
the benefits of the five aspects of security environ-
ment e.g. as presented in Table 1.
Selling by illustrating the risks is not always effective
before they have realised to the customer. The offer-
ing has to be translated to customer benefits. The
sales persons are very good in explaining the charac-
ters of their products and finding out the needs of
customers but how to get these to interact. One way is
to communicate the service promise, i.e. the benefits
the customer gets. The challenge is how to justify the
investment and operating costs of security solutions
to a customer. Sales persons also need to discuss with
customer representatives at different levels within the
same company, not only with the security personnel.
The Security Officer may be very keen to have the
most comprehensive solution but may also be under
pressure to reduce cost. The value of the investment
and the operating costs will usually be one of the
greatest influencing factors over whether to purchase
the solution or not. Therefore the advantages of new
technologies and more intelligent solutions that have
a high Return on Security Investment need to be pre-
sented clearly.
There is a need for integrated and more comprehen-
sive solutions that combine different kind of expertise
in new ways, and answer not only to security related
needs but at the same time to various needs and chal-
lenges the customer has. However, it has to be noted
that some customers may also prefer single security
product or service instead of comprehensive solu-
tions. This underlines the meaning of truly under-
standing what customer needs and appreciates.
5 Discussion and conclusions
We argue that by proposing the concept of Customer
Security Environment our approach extends and en-
riches the planning and selling of comprehensive se-
curity services. It is important to try to understand
what the customer wants and appreciates. Is it real,
hard security or the feeling or perception of security?
That is a very complex issue: hard and soft aspects
cannot be distinguished and either one left out, but
both can be quantified and qualified. It is also crucial
to consider customer objections and how to tackle
them.
This framework was developed based on hands-on
needs and the theoretical background still needs to be
revised. It is interesting to consider which other as-
pects could be introduced into it.
Understanding the security environments of a cus-
tomer is a key objective before a solution can be de-
veloped with the customer. Considering all five dif-
ferent aspects of the security environment is a way to
better understand where the customer is focused and
which aspects are particularly important, i.e. whether
the emphasis is on safety or security. The Security
Environment framework can be used to present to the
customer the variety of benefits they are getting from
the security solution. It is a useful tool that can help
them understand how security and safety can posi-
tively impact the overall business.
As a major conclusion, we propose that the frame-
work of Customer Security Environment enables the
security service providers to:
- Better understand where the customer focus
is with regards to security and safety and
which aspects are the most important
- Present a wide variety of business benefits
created for the customer
- Open a new kind of dialogue on several lev-
els, e.g. with CEOs, controllers, security
managers and end users.
384
In addition, this approach opens new windows for the
customers to fully understand the multidimensional
aspect and potential effects of security and safety is-
sues, and to discuss solutions in a more comprehen-
sive way with security providers. Also, customers can
use this approach to better meet the needs of their
own customers.
References
[1] Marti, C.: A survey of the European secu-
rity market, Berlin (GER): Economics of
Security, 2011
[2] Erickson, B.H.: Good networks and good
jobs: The value of social capital to employers
and employees, In: Social capital: Theory
and Research, New York: Aldine de Gruyter.
pp. 127-158, 2001
[3] Van Steden, R.; Sarre, R.: The tragic quali-
ty of contract guards: A discussion of the
reach and theory of private security in the
world today, The Journal of Criminal Jus-
tice Research, Vol. 1, No. 1, pp. 1 19, 2010
[4] Kupi, E.; Kortelainen, H.; Lanne, M.: Palo-
mki, K.; Murtonen, M.; Toivonen, S.;
Heikkil, A.; Uusitalo, T.; Wuoristo, T.; Ra-
jala, A.; Multanen, A.: Turvallisuusalan
liiketoiminnan kasvualueet ja -
mahdollisuudet Suomessa, Espoo (FIN):
VTT Tiedotteita Research Notes, 2010
[5] World Security Services Market 2010:
,,World Security Services Market, M59B-
11, Frost & Sullivan, 2010
[6] Heinonen, K.; Strandvik, T.; Mickelsson, K.-
J.; Edvardsson, B.; Sundstrm, E.; Anders-
son, P.: ,,A customer-dominant logic of ser-
vice, Journal of Service Management, Vol.
21, No. 4, pp. 531 548, 2010
[7] Grnroos, C.: Service Management and
Marketing. Customer Management in Servi-
ce Competition, 3. ed., Chichester (UK),
2007
[8] NAICS The North American Industry Clas-
sification System [Homepage of U.S. Census
Bureau], [Online], 2007, Available:
http://www.census.gov/eos/www/naics/
[2011, 6/6]
[9] Jhi, M.: Vartiointipalvelujen arvonmuo-
dostus asiakkaan nkkulmasta, Tampere
(FIN): Tampere University of Technology,
2010
[10] Naumanen, M.; Rouhiainen, V. (eds.): Se-
curity-tutkimuksen roadmap, VTT Re-
search Notes 2327, Espoo (FIN): VTT, 2006
[11] Liukkonen, P.; Suurnkki, T.: Tyn tulos ja
sen tekijt, Working Paper 43, Helsinki
(FIN): Tyturvallisuuskeskus, 1994
[12] Bergstrm, M.: The potential-method an
economic evaluation tool, Journal of Safety
Research, Vol. 36, No. 3, pp. 237-240, 2005
[13] Cerullo, V.; Cerullo, M.J.: Business conti-
nuity planning: A comprehensive approach,
Information Systems Management, Vol.
Summer, pp. 70-78, 2004
[14] BSi: Business continuity management
Part 1: Code of practice, Standard, BS
25999 1: 2006, 2006
[15] Aula, P.: Organisaatioiden maineriskit:
Kontekstina sosiaalinen media, In: Kriisit
ja tyyhteist Kriisijohtaminen tyyhteis-
jen tukena, Ty ja ihminen, Tutkimusraportti
37, Helsinki (FIN): Tyterveyslaitos, 2009
[16] Lux, E.: ,,Brand Value, The Wall Street
Journal, October 6, 2010
[17] Slovic, P.; Finucane, M.L.; Peters, E.; Mac-
Gregor, D.G.: Risk as Analysis and Risk as
Feelings: Some Thoughts about Affect, Rea-
son, Risk, and Rationality, Risk Analysis,
Vol. 24, No. 2, pp. 311-322, 2004
[18] Hancock, D.: The human side of the risk
equation, Strategic Risk, Vol. March, No.
68, pp. 40-41, 2011
385
Towards Information Services for Disaster Relief based on
Mobile Social Networking
Sander Wozniak and Guenter Schaefer
Telematics and Computer Networks Research Group, Ilmenau University of Technology, Germany
Abstract
The response to natural and man-made disasters as well as large-scale catastrophes has always been a challeng-
ing task. While in the past the focus of existing research has been on designing information and communication
technology (ICT) for official decision makers and relief forces, the idea of incorporating the public into response
efforts has begun to emerge recently. With more and more people carrying powerful mobile devices
(e.g. smartphones), mobile social networking techniques offer new ways of communication, information sharing
and response coordination among victims, volunteers and official rescue personnel. Motivated by these new pos-
sibilities, within the scope of this paper, we provide the following contributions. First, based on the process of
disaster management, we identify several information services, which should be considered when designing new
technologies for disaster response, and provide a systematic description and discussion of these services. Second,
we discuss a variety of technical requirements and present a communication architecture for these information
services. Finally, we outline related work and discuss future research directions.

1 Changes in Disaster Response
With local communities usually being unable to effec-
tively respond to natural disasters and large-scale ca-
tastrophes (e.g. floods, earthquakes, cyclonic storms,
tornadoes, wildfires), technological disasters
(e.g. structural fires, dam failures, hazardous materials
incidents, nuclear accidents), as well as events moti-
vated by social conflict (e.g. riots, wars, terrorism,
CBRN incidents) beyond the scope of day-to-day
emergencies, federal and international relief efforts
require complex coordination and disaster manage-
ment techniques [1]. While emergency management
traditionally considers the four phases of mitigation,
preparedness, response and recovery, a focus of re-
search in terms of information and communication
technology (ICT) is usually on disaster response,
i.e. the challenge of improving the immediate post-
incident relief efforts by enabling communication and
supporting information exchange among official res-
cue personnel. Although the adequate response to a
disaster, i.e. the management of operations, planning
and logistics, is vital for saving as many human lives
as possible, due to the extent of the damage and the
limited amount of rescue personnel, official authori-
ties are often unable to provide instant help to all vic-
tims [2,3]. Even under the assumption that major parts
of the communication infrastructure may still be func-
tional or can be restored quickly, decisions still have
to be made without proper knowledge of the actual
circumstances, as only the feedback and reports of
official first responders is able to increase the situa-
tional awareness of decision makers.
Based on the above-mentioned observations and the
fact that the affected population is usually the first to
witness and respond to an incident, the vision of pub-
lic participation via mobile social networking tech-
niques has begun to emerge as a promising new field
of research recently [2-5]. This vision is motivated by
the fact that more and more people are getting famil-
iar with online social networks and web-based ser-
vices and are using them actively. Furthermore, an
increasing number of people are in possession of mo-
bile communication devices like smartphones. These
devices are equipped with sensitive microphones,
high-resolution cameras, GPS receivers, motion and
acceleration sensors, as well as multitasking operating
systems running on increasingly powerful batteries,
processors, memory and graphics processing units
yielding a performance comparable to five to ten year
old desktop PCs. With the success of these devices,
mobile social networking applications, where users
are able to share information via a smartphone con-
nected to a web-based service, have emerged rapidly.
Thus, on the one hand, the short-term goal is to em-
ploy existing online social networks, microblogging
and other web-based services as a fast and less hierar-
chical way of gathering and sharing information
among officials and voluntary first informers (citizen
journalists), as well as among victims (citizen-to-
citizen communication) [2,3]. On the other hand, the
long-term vision is to develop and establish new in-
novative information and communication technolo-
386
gies for disaster response to further enhance official
and voluntary public relief efforts beyond the scope of
retrieving and extracting information from existing
online social media sites.
Therefore, within the scope of this paper, we make the
following contributions. First, we discuss information
needs for several audiences in a disaster situation. Se-
cond, we identify several information services for dis-
aster response and provide a comprehensive descrip-
tion and motivation of these services. Furthermore,
we present technical requirements, as well as a com-
munication architecture for the implementation of
these services. Finally, we outline related work and
discuss future research directions.
2 Information Needs
In a disaster scenario, there are typically two groups
of different or partially overlapping information
needs: official responders and the affected population
residing in the area of the incident. Between and with-
in these two audiences, several one- or two-way in-
formation pathways can be identified [2]: among offi-
cials, among the population, as well as between offi-
cials and the population. In the following, the
information needs of both groups are described in
more detail.
2.1 Official Responders
In order to be able to organize response efforts effec-
tively, federal agencies (e.g. the United States Federal
Emergency Management Agency, FEMA), as well as
inter-governmental and non-governmental organiza-
tions (e.g. the United Nations Office for the Coordina-
tion of Humanitarian Affairs and the International
Red Cross) have to be able to communicate with each
other at the site of the incident (e.g. via email, voice
communication, multimedia streaming or web-based
communication platforms) [1].
Furthermore, in order to be able to develop an inci-
dent action plan, i.e. in order to define mission objec-
tives and response measures, relief forces have to ob-
tain knowledge of the current circumstances (situa-
tional awareness) [1]. Such information might be the
current whereabouts of victims, the location and as-
signment status of resources like rescue personnel and
vehicles, information about the local infrastructure,
e.g. operational airports, capacity of road infrastruc-
ture, hospitals and shelter locations. In addition, relief
organizations have to obtain reports about the extent
and severity of damages and potentially remaining
and evolving hazards. For decision makers, it is im-
portant to obtain this information as soon as possible
in a timely and accurate manner in order to be able to
develop an adequate incident action plan.
2.2 Affected Population
Regarding the population affected by the disaster, one
of the most important aspects is typically to obtain
medical treatment, food, water and shelter. However,
with the communication infrastructure being over-
loaded, damaged, or inoperable due to power outages,
victims are often unable to call for help and receive
assistance within the first critical 72 hours. Hence, in
order to obtain medical treatment, victims may try to
reach hospitals or shelters in their surroundings.
However, with some shelter buildings and hospitals
being destroyed or unreachable due to road infrastruc-
ture obstructions, information about the extent of the
damage, remaining operable roads and the location of
useful resources (e.g. hospitals, gas stations, food and
supply of clean water) may be essential for victims to
reach a relief camp or to hold on until official re-
sponse forces arrive. Furthermore, when moving in-
side the area of the incident, victims should be in-
formed about potential hazards along their desired
route or alerted when approaching a certain danger.
In addition, while certain injuries may render victims
helpless and therefore require the intervention of re-
lief forces, other parts of the affected population may
still be able and willing to provide aid and support to
others [2,3]. Hence, for these volunteers or public re-
sponders, it is important to obtain knowledge about
the location of injured or handicapped victims, which
are in need of assistance, as well as the position of the
nearest suitable treatment centre or hospital.
Finally, with friends and families being separated in
the course of an evacuation or the incident itself, reu-
niting individuals may be an important aspect to min-
imize psychological stress or trauma among the af-
fected population. Apart from reuniting individuals
within the area of the incident, acquaintances that are
not affected by the incident are also interested in the
condition and whereabouts of friends, family mem-
bers or employees, which might have been a victim of
the incident. Therefore, individuals should be able to
get into contact with acquaintances inside and outside
the affected region.
3 Information Services
This section describes the most basic information ser-
vices that might be fulfilled by ICT for disaster re-
sponse based on mobile social networking. The goal
of this overview of potential information services is to
enable a systematic analysis and easier comparability
of systems and architectures.
In order to identify information services for disaster
response, we consider the basic steps of disaster man-
agement. This iterative process can roughly be de-
scribed by the following four phases, which are de-
rived from FEMAs National Incident Management
System (NIMS). It should be noted here that these
387
phases also concern public response efforts, where
decision makers are volunteers among the population.

1. Situation Assessment: In this phase, decision
makers try to obtain awareness for the current
circumstances at the site of the incident. This
usually involves retrieving information about
damages, potential hazards, the location and
status of victims and wounded, as well as re-
quests for needed resources (e.g. supply or ad-
ditional personnel).

2. Resource Reviewing: Given the current situa-
tion, decision makers review the resources,
which are available for potential response ac-
tions. Resources may be, for example, availa-
ble personnel, vehicles or bed capacities of
medical treatment centres.

3. Action Planning: Based on the assessment of
the situation, as well as considerations regard-
ing the available resources, decision makers
develop an incident action plan describing sev-
eral actions and tasks to be fulfilled using well-
defined resources.

4. Plan Execution: Finally, in the last phase, the
corresponding tasks of the incident action plan
are executed. Here, it is important for decision
makers to retrieve reports about the progress of
the tasks to get feedback on the actual fulfil-
ment of the action plan.

Based on this management structure, we now identify
and discuss several basic information services. Fig-
ure 1 gives an overview of the services derived from
the above-mentioned four management phases.
3.1 Damage Assessment
The damage assessment service provides a registry
and description of rather static damages dealt by the
disaster (e.g. damages to hospitals, shelter buildings
and transportation infrastructure) to official respond-
ers or the affected population. Damage information
may be reported by for example official first respond-
ers or the affected population. The description of
damages should be machine-readable to enable auto-
matic visualization and processing.
Official responders: This service might be imple-
mented using a centralized or distributed database,
which is provided and administrated by an official
agency or organization. Assuming that the update fre-
quency of the damage data repository is rather small
(apart from an initial queue of arriving reports), the
database should be optimized for a high number of
queries and efficient reading.
Affected population: Due to the lack of a centralized
storage structure, in order to implement this service
for the affected population, a distributed database
structure has to be established in an ad-hoc manner on
the mobile devices of the population. A possibility
may be, for example, to use the memory of
smartphones and rely on distributed hash-tables main-
tained over a wireless ad-hoc network among the mo-
bile devices to store and retrieve damage descriptions.
3.2 Hazard Monitoring
The hazard monitoring service provides an overview
of currently existing or potentially evolving hazards in
the post-incident area. Therefore, the hazards should
be monitored in real-time to enable forecasts of dan-
gerous developments. The description of a hazard

Figure 1: Iterative Disaster Management Process
388
should also be machine-readable and include infor-
mation about the vulnerability of the affected region
to enable automatic risk assessment, decision of inter-
vention, and prioritization of relief actions.
Official responders: This service may be implement-
ed using a centralized database system. Furthermore,
a realization of this service should be able to issue
warnings and alerts.
Affected population: People in the affected area are
usually only interested in hazards, which might affect
them (i.e. in their close surroundings). Such a warning
system may be implemented in a distributed manner
using a geocast approach, which aims at delivering
messages to certain geographical regions similar to
virtual warning sign approaches in the field of
VANETs [6]. Nevertheless, in terms of the navigation
service, individuals may also be interested to obtain
hazard information reports along a planned route.
Hence, this service should also provide distributed
storage similar to the damage assessment service.
3.3 Victim Registry
The victim registry service provides a list of people
assumed to have been residing in the area of the inci-
dent. Furthermore, this service should allow retrieving
status information about victims (last known location,
missing/dead/treatment) and provide patient tracking
(health condition, treatment location). The infor-
mation about victims should be machine-readable and
compatible to existing hospital management systems.
Official responders: This service may be implement-
ed according to the damage assessment / hazard moni-
toring services using a centralised database system.
Affected population: In order to provide public (and
official) responders with information about victims in
distress, the victim registry service might be imple-
mented similar to the hazard monitoring service by
delivering a list of the victims to the corresponding
geographic region.
3.4 Need Registry
The need registry service is used to keep track of
needs and resource requests from response teams,
other relief organizations or public responders from
the affected population. Information about needs and
requests should be machine-readable to enable auto-
matic analysis, prioritization and mediation of availa-
ble resources (e.g. in order to provide suggestions to
decision makers).
Official responders: This service may be realized us-
ing a centralized database system.
Affected population: According the above-mentioned
services, this service might be implemented using a
mobile device / smartphone storage system.
3.5 Resource Inventory
The resource inventory service enables users to locate,
monitors and tracks the status (e.g. assignment) of re-
sources like for example personnel, vehicles, fuel,
food and water, medical supplies, shelters or hospitals
(current bed capacities). The description of resources
should be machine-readable, e.g. in order to to enable
matching of requests and available resources.
Official responders: This service might be imple-
mented using a centralized database system according
to the services mentioned above.
Affected population: In order to track or locate re-
sources in the vicinity of a public responder or victim,
the previously mentioned smartphone-based storage
system might be employed here as well.
3.6 Task Monitoring
The task monitoring service provides an overview of
the current progress of certain tasks, which are part of
an incident action plan. Tasks should be described in
a machine-readable manner to enable automated
tracking of the fulfilment of certain tasks.
Official responders: According to the services de-
scribed above, this service might be implemented us-
ing a centralized database system.
Affected population: In contrast to the hierarchical
structure of an official emergency management sys-
tem, the monitoring of services among volunteers re-
quires a more sophisticated, distributed tracking
mechanism. Since volunteers among the affected
population are not bound to a command structure to
fulfil the assigned tasks, their actions have to be
monitored more closely in order to detect deviations
(e.g. using plausibility checks on their movements)
and thus enable the reassignment of tasks.
3.7 Information Dissemination
The information dissemination service is used to an-
nounce official or unconfirmed information, warnings
or alerts to the affected population. While traditional-
ly, this service has been implemented using broadcast
services like for example scoreboards, radio or televi-
sion, a more sophisticated implementation might con-
sider to disseminate information only to specific re-
gions or individuals among the population.
Official responders: This service might be realized
via cell broadcasts or in terms of a wireless ad-hoc
network of mobile devices using existing multicast
approaches like for example geocast.
Affected population: Since individuals are not able to
announce information via cell broadcasts, only mul-
ticast techniques may be applicable for implementing
this service among citizens in the area of the incident.
389
3.8 Event/Need Reporting
The event and need reporting service enables official
first responders and the affected population to report
observations about certain events (e.g. emergencies,
damages and hazards), as well as needs and status in-
formation (e.g. requests for food, water or medical
supply, emergency calls and Im OK notifications)
to other information services (damage assessment,
hazard monitoring, victim / need registry). The de-
scription of these needs and events should therefore
be machine-readable and employ an exchange format,
which is compatible to these services.
Official responders: In order to implement this ser-
vice, a communication stack like TCP/IP may be used
to send messages over a remaining wired or wireless
network to servers provided by relief organizations.
However, due to the potentially high number of re-
ports, a more complex, distributed solution may be
necessary to process the arriving information.
Affected population: While individuals may be able to
report needs and events using TCP/IP over a wired
infrastructure like the Internet, this service should also
consider using a wireless ad-hoc network and delay-
tolerant routing schemes to collect, aggregate and dis-
tribute information about needs and reports inside a
network of mobile devices.
3.9 Expert Consultation
The expert consultation service enables users to iden-
tify and locate experts among the affected population.
This enables for example decision makers to guide
professionals to certain regions requiring assistance or
to obtain a remote analysis of a situation by establish-
ing a communication link between the user and a suit-
able expert (e.g. trained in medical treatment or haz-
ardous materials) and providing information about the
situation, e.g. by sending a photo to the expert.
Official responders / Affected population: While
flooding a query for experts inside the network at the
disaster site may be able to identify trained personnel
among the affected population, more sophisticated
approaches might employ distributed registries of ex-
perts inside specific geographic regions, enabling a
more efficient localization of certain individuals.
3.10 Navigation
The navigation service enables route planning and
guidance to certain locations inside the area of the in-
cident. This is useful for official and public first re-
sponders, as well as victims to reach certain destina-
tions like for example relief camps and hospitals.
Apart from basic route planning, this service should
consider a more sophisticated approach, which aims
at incorporating information about traffic conditions,
damaged road infrastructure, avoiding hazardous are-
as and considering resource capacities of hospitals to
guide users to the most suitable location.
Official responders: In order to implement such a
navigation service including intelligent route plan-
ning, information from other services (e.g. damage
assessment and hazards monitoring) may be accessed.
Therefore, for decision makers, the realization of this
service is straightforward. However, when providing
navigation to personnel deployed in the disaster area,
accessing a centralized server may be not efficient. In
this case, an implementation should consider a peer-
to-peer system for sharing traffic information over a
fixed or wireless infrastructure.
Affected population: Since accessing a central server
may already be too expensive for official responders,
a realization of this service for public responders and
victims might rely on accessing information stored on
mobile devices by querying the geographic regions
along the shortest route and iteratively adapting to a
more suitable route.
3.11 Request/Pledge Mediation
The request and pledge mediation service is used to
match requests and fulfilment offers. Usually, this on-
ly concerns relief efforts among the affected popula-
tion in order to provide public responders with a tool
for self-organised task planning based on the infor-
mation services of damage assessment, hazard moni-
toring, as well as victim and need registry (e.g. in or-
der to assign tasks to individuals or small groups). In
contrast, among officials, the incident commander or
unified command typically performs the task of re-
quest and pledge mediation in cooperation with the
corresponding section chiefs (e.g. logistics section).
An implementation of this service should provide an
overview of relevant incidents in the surrounding ar-
ea, a list of potential responders and basic communi-
cation among these volunteers, e.g. group calls or
multi-user chat functions, which might be realized us-
ing a multicast approach over TCP/IP.
3.12 Contacting Acquaintances
The service of contacting acquaintances enables users
among the affected population to communicate with
family, friends or other acquaintances (e.g. in order to
report about the location, health condition or a
planned evacuation route of an individual to meet at a
certain relief camp). A realization of this service has
to identify the location of individuals without a cen-
tralized register server to handle a potentially high
number of requests. With flooding queries to find ac-
quaintances being too expensive, geographic forward-
ing schemes may be employed to limit and refine
searches to the assumed location of an individual.
390
4 Communication Architecture
This section provides an overview of the technical re-
quirements, the communication architecture, as well
as a discussion of the shortcomings of current infor-
mation and communication technologies regarding the
design of future ICT for disaster response.
4.1 Technical Requirements
Apart from the basic information services, when de-
signing ICT for disaster response, a variety of tech-
nical requirements have to be considered.

Robustness:
- Network Partitioning: Information services
should be able to cope with a partitioned
network, i.e. they should be disruption- and
delay-tolerant. Furthermore, they should be
robust against a dynamically changing parti-
tioning of the network.
- Node Failures: In a post-disaster environ-
ment, certain parts of the remaining infra-
structure, e.g. mobile devices or cell towers,
might become inoperable due to the loss of
power or damage taken in the course of the
incident. Hence, information services should
be robust against a certain fraction of node
failures within the network.
- Node Movement: With mobile devices being
carried by victims trying to reach treatment
areas, an information service should be able
to support a potentially high degree of node
mobility of a certain fraction of nodes.

Availability: Information services should be de-
signed to ensure the best possible availability to
users, potentially including resistance against De-
nial-of-Service attacks, for example in catastro-
phes in politically unstable regions.

Reliability: Since certain information (for exam-
ple a request for help) may be critical to save hu-
man lives, its reception at the respective destina-
tion (e.g. some volunteers in the surrounding ar-
ea) in a timely and accurate manner must be
ensured with a high probability.
Quality-of-Service: Due to limited wireless chan-
nel capacity, information flows should be priori-
tized so that different information services do not
interfere with each other. In particular, the wire-
less channel should not be overloaded in order to
be able to deliver important reports and warning
messages with a high priority at all times.

Energy Efficiency: In order to keep the network
infrastructure and thus the information and com-
munication services available as long as possible,
algorithms should be tailored to work as energy-
efficient as possible.

Scalability: With disasters typically affecting a
high number of people, information services for
victims and volunteers should support a high
number of participants and be able to handle a
large amount of user generated content (e.g. haz-
ard warnings) by incorporating data aggregation
and data fusion techniques.

Self-Organization: The communication network
should be established automatically and configure
itself for operation so that either the existing in-
frastructure or ad-hoc communication is availa-
ble. In particular, the network should be able to
handle the arrival and departure of nodes.

Localization: An important technical requirement
of ICT is the ability to automatically obtain the
current location of its user as accurately as possi-
ble under the given environmental constraints. In-
formation about the current location of a user is
normally required for emergency calls or when
reporting damages and hazards.

Interoperability: Due to the involvement of dif-
ferent governmental agencies and relief organiza-
tions working independently (up to a certain de-
gree) in so called clusters [5], the interoperability
of data formats has to be considered to enable
easy sharing of information among victims, vol-
unteers and rescue personnel.

Security and Privacy: In terms of security, user-
generated content has to be verified to prevent
false damage or hazard reports. This could for ex-
ample be achieved using majority-voting schemes
where information has to be rated by other users
in order to increase information credibility.
391
In addition, privacy concerns should be addressed as
well. While, for example, within the disaster area, ac-
cessibility to user profile information from online so-
cial networks should be extended, anonymising or re-
stricting access to certain information about victims,
which could be published for friends of relatives over
the Internet, should be considered.
4.2 Architecture Overview
When implementing the above-mentioned infor-
mation services according to the technical require-
ments, the following communication architecture
should be considered (see figure 2).
In a disaster scenario, according to FEMAs National
Incident Management System, there are four types of
facilities: incident command post, incident base, stag-
ing areas and relief camps. Typically, the incident
command post is the center of all official response
communication. The incident base is established at
the location of the primary support activities and pro-
vides equipment and personnel. Staging areas are es-
tablished as a temporary location of resources that
await further assignment. Finally, relief camps are es-
tablished as satellites for the incident base all over the
incident area to provide direct support for ongoing
response operations. These facilities are usually able
to communicate with each other over an infrastruc-
ture, which is established by technicians of communi-
cations units upon the arrival of relief organizations.
In terms of the affected population (victims and vol-
unteers, i.e. public responders), existing infrastructure
may be used for communication. However, in case of
malfunctioning infrastructure, the affected population
should still be able to establish ad-hoc communication
using their mobile devices. These communication
links might also only be intermittently connected, mo-
tivating the need for delay-tolerant networking in such
an environment.
Finally, the affected population may be able to access
the Internet sporadically using the remaining infra-
structure. In this case, information may be uploaded
to social networks or other web-based services.
Crowdsourcing initiatives may then try to extract, fil-
ter and aggregate useful information from the corre-
sponding services and make this information available
to official agencies or the affected population.
4.3 Discussion
Existing mobile devices like smartphones, which are
widely used today, are currently not able to establish
an ad-hoc communication infrastructure. Neverthe-
less, with mobile social networking applications for
every day use becoming more popular, the hardware
of future mobile devices might very well be able to
establish ad-hoc communication. Furthermore, secur-
ing and configuring a communication channel in a
self-organised manner is an additional requirement
not yet met by current hardware.
Apart from the problem of establishing ad-hoc com-
munications, the issue of overloading the communica-
tion infrastructure or the wireless channel after a dis-
aster is still present today. Thus, availability, reliabil-

Figure 2: Communication Architecture
392
ity and scalability of communication services have to
be considered in the development of future applica-
tions to provide an appropriate quality-of-service.
Furthermore, todays mobile devices are unable to
provide efficient energy management to maintain an
operational network infrastructure over the course of
several days (at least 72 hours). In order to implement
information services for disaster response, future mo-
bile devices will have to rely on some kind of energy
management mode for emergency situations.
In terms of localization, GPS can already be used to
obtain the location of a mobile device today. Never-
theless, indoor localization of mobile devices is still
an open issue and should be considered in the devel-
opment of future hardware. Here, using nearby devic-
es as anchor nodes, which are aware of their own lo-
cation, might be a promising direction.
5 Related Work
MEISSNER et al. describe the design challenges, net-
work aspects and basic architecture of an information
and communication infrastructure for relief forces [7].
The proposed architecture, however, does not incor-
porate the possibility of public participation using
mobile social networking applications.
Regarding public participation in disaster response,
PALEN et al. discuss a basic scheme aimed at integrat-
ing and publishing information about an incident from
social media websites using information extraction
and natural language processing techniques to emer-
gency workers and the affected population via web-
based applications and services [2].
ANDERSON et al. present the architecture of a data an-
alytics infrastructure to support future research on the
challenge of extracting useful information about a
disaster from social media and news websites [8].
In terms of crowdsourcing efforts for disaster relief,
several web-based platforms have been developed re-
cently (e.g. Sahana
1
and Ushahidi
2
). While these plat-
forms provide tools to extract and filter useful infor-
mation from social media websites, SMS or emails to
increase situational awareness of rescue personnel,
they do not enable communication between officials
and citizens, as well as mutual aid and public re-
sponse efforts among the affected population.
Apart from academic work, several emergency man-
agement information systems have been developed in
the last few years. Prominent examples are commer-
cial systems like WebEOC
3
and E Team
4
. While these
technologies provide useful tools to relief forces, the-
se systems do not consider applications for official
and public first responders, as well as information
services for the affected population.

1
http://sahanafoundation.org/
2
http://www.ushahidi.com/
3
http://www.esi911.com/esi/
4
http://www.nc4.us/
6 Conclusions
In this work, we discussed information needs of offi-
cial responders and the affected population in a disas-
ter scenario. Furthermore, we identified several in-
formation services for disaster response and presented
technical requirements, as well as a communication
architecture for future ICT.
Regarding future work, a basic question in terms of
ICT for disaster response is how to establish a robust,
delay-tolerant infrastructure in a self-organized man-
ner. While there is research regarding delay-tolerant
and pocket switched networking [9], these approaches
usually focus on mobile social networking applica-
tions and do not consider the specific requirements of
information services for disaster response [10,11].
Furthermore, in terms of mobile social networking,
the focus of existing research is usually on
privacy [12]. Privacy, however, may be less of a con-
cern in a disaster scenario, where it is more important
to prevent the injection of malicious user-generated
content. In order to filter malicious data, the applica-
bility of secure data aggregation techniques [13] from
the area of sensors networks to pocket switched net-
works for disaster response applications should be in-
vestigated. While, for example, trusted nodes are dif-
ficult to realize in sensor networks (attackers may
tamper with the hardware of the nodes), in pocket
switched networks, trusted nodes may be implement-
ed using asymmetric public-key cryptography with
official certificates distributed by a government be-
fore the emergency.
Finally, another open issue is the lack of realistic mo-
bility models for disaster scenarios, which are neces-
sary for evaluating the performance of information
services [14-16]. While it may be difficult or impossi-
ble to develop one single model for all potential inci-
dents, mobility models should aim at supporting spe-
cific disasters, incorporating mobility of both official
response forces and the affected population. Never-
theless, when developing a disaster mobility model, a
fundamental problem might be the validation with re-
al-world movement traces.
References
[1] G.D. Haddow, J.A. Bullock, and D.P. Coppola,
Introduction to emergency management, Butter-
worth-Heinemann, 2010.
[2] L. Palen, K.M. Anderson, G. Mark, J. Martin, D.
Sicker, M. Palmer, and D. Grunwald, A Vision
for Technology-Mediated Support for Public
Participation & Assistance in Mass Emergencies
& Disasters, Proceedings of the 2010 ACM-
BCS Visions of Computer Science Conference,
British Computer Society, 2010, p. 112.
[3] L. Palen and S.B. Liu, Citizen communications
in crisis: anticipating a future of ICT-supported
393
public participation, Proceedings of the
SIGCHI conference on Human factors in compu-
ting systems, ACM, 2007, p. 727736.
[4] H. Cheng-Min, C. Edward, and H. Adnan, Web
2.0 and Internet Social Networking: A New tool
for Disaster Management? - Lessons from Tai-
wan, BMC Medical Informatics and Decision
Making, vol. 10, 2010, p. 57.
[5] United Nations Foundation, Disaster relief 2.0
The future of information sharing in humanitari-
an emergencies, 2011.
[6] C. Maihfer, T. Leinmller, and E. Schoch,
Abiding geocast: Timestable geocast for ad
hoc networks, Proceedings of the 2nd ACM in-
ternational workshop on Vehicular ad hoc net-
works, ACM, 2005, p. 2029.
[7] A. Meissner, T. Luckenbach, T. Risse, T. Kirste,
and H. Kirchner, Design challenges for an in-
tegrated disaster management communication
and information system, The First IEEE Work-
shop on Disaster Recovery Networks - DIREN
2002, Citeseer, 2002.
[8] K.M. Anderson and A. Schram, Design and
Implementation of a Data Analytics Infrastruc-
ture in Support of Crisis Informatics Research,
Proceeding of the 33rd international conference
on Software engineering, ACM, 2011, p. 844
847.
[9] P. Hui, A. Chaintreau, R. Gass, J. Scott, J.
Crowcroft, and C. Diot, Pocket Switched Net-
working : Challenges, Feasibility and Implemen-
tation Issues, Autonomic Communication, 2006,
p. 112.
[10] A. Mei, G. Morabito, P. Santi, and J. Stefa,
Social-Aware Stateless Forwarding in Pocket
Switched Networks, Proceedings of the 30th
IEEE Conference on Computer Communications
- INFOCOM 2011, 2011.
[11] W. Gao and G. Cao, User-Centric Data Disse-
mination in Disruption Tolerant Networks,
Proceedings of the 30th IEEE Conference on
Computer Communications - INFOCOM 2011,
2011.
[12] W. Dong, V. Dave, L. Qiu, and Y. Zhang,
Secure Friend Discovery in Mobile Social
Networks, Proceedings of the 30th IEEE Con-
ference on Computer Communications - IN-
FOCOM 2011, 2011.
[13] S. Ozdemir and Y. Xiao, Secure data aggrega-
tion in wireless sensor networks: A comprehen-
sive overview, Computer Networks, vol. 53,
Aug. 2009, pp. 2022-2037.
[14] N. Aschenbruck, E. Gerhards-Padilla, M.
Gerharz, M. Frank, and P. Martini, Modelling
mobility in disaster area scenarios, Proceedings
of the 10th ACM Symposium on Modeling, ana-
lysis, and simulation of wireless and mobile sys-
tems - MSWiM 07, 2007, pp. 4-12.
[15] S.C. Nelson, A.F. Harris, and R. Kravets,
Event-driven, role-based mobility in disaster
recovery networks, Proceedings of the second
ACM workshop on Challenged networks -
CHANTS 07, 2007, pp. 27-34.
[16] M. Schwamborn, N. Aschenbruck, and P. Marti-
ni, A Realistic Trace-based Mobility Model for
First Responder Scenarios, Proceedings of the
13th ACM international conference on Mode-
ling, analysis, and simulation of wireless and
mobile systems - MSWIM 10, 2010, pp. 266-
274.

394
Security in Space Space Situational Awareness via
Radar Observation
Joachim Ender, Ludger Leushacke, Andreas Brenner, Helmut Wilden
Fraunhofer-Institut fr Hochfrequenzphysik und Radartechnik FHR, Wachtberg, Germany
Email: joachim.ender@fhr.fraunhofer.de
Abstract
The rapidly expanding military and civilian use of the near Earth space has led to a considerable dependence on
space based systems for example in the fields of satellite navigation, remote sensing and communication. In the
case of breakdown of such systems far reaching consequences for the industrial society would result. To retain
the security in space is a task of increasing importance in the national environment as well as in the international
community. This goal has been recognized by the European Union but also by the German armed forces - and
shall be reached by the establishment of new systems. The main task of such a system is to recognize the actual
situation of threat for own space vehicles and to provide all necessary information in the case of a concrete dan-
ger to prevent damages if possible. Satellite systems are endangered especially by the collision risk with space
objects other satellites or space debris. Radar systems play an outstanding role for space observation: A con-
tinuous surveillance of low Earth orbits can be reliably guaranteed only by high performance ground based
phased array systems. For high precision orbit determination and for ultra high resolution imaging of space ob-
jects wide band target tracking radars are necessary. At Fraunhofer FHR an experts group investigates space ob-
servation techniques with radar for many years. As a measurement instrument the high performance radar system
TIRA (Tracking and Imaging Radar) yields world-wide unique data for the exploration of detection, estimation
and imaging techniques. On the other hand FHR is building up a receiving system for a demonstrator of a Euro-
pean Space Situational Awareness System for the ESA. For the planned European Space Situational Awareness
System (ESSAS) as well as for the German national Weltraumlagesystem (WRLageSys) FHRs competence in
space observation is at the space authorities disposal.

1 The need for space situational
awareness systems
1.1 Our society is dependent on space
The immense importance of space systems for our so-
ciety was well recognized by the German policy. In
December 2010 the German Bundestag released the
Space Strategy of the German Federal Government
submitted by the Federal Government Federal Minis-
try of Economics and Technology (BMWi) [1]. We
cite from this document:
A paradigm shift has occurred within space: once a
symbol of the technology race and a contest between
opposing systems, it is now, in every sense, a part of
our everyday lives and an essential instrument for the
achievement of economic, scientific, political and so-
cial goals.
Also the roll of space systems for security was empha-
sized: Space systems ... make a decisive contribution
to Germanys ability to conduct an effective foreign
and security policy and to achieve whole-of-
government security preparedness.
As a whole, the industrial society today depends high-
ly on satellite systems in the domains of communica-
tion, navigation and Earth observation including mili-
tary surveillance and reconnaissance.
As a consequence it is of extreme public interest to
protect these systems from natural and unintentional
or intentional man-made threats: Our nations inter-
nal and external stability depends increasingly on the
proper functioning of our space-based infrastructures.
This makes us vulnerable to accidental or deliberate
interference (electronic interference, hostile takeover
of satellites, etc.) or even to targeted attacks aimed
specifically at important space-based capabilities. In
future, our efforts to guarantee our security must also
extend to the protection of these infrastructures and to
a situational assessment capability. In the last sen-
395
tence, the governmental demand for effective space
surveillance systems is expressed implicitly.

1.2 Threats from space
Collision with man-made objects: Since the begin-
ning of human use of space the number of man-made
objects surrounding the Earth has grown rapidly. The
minority of these objects are operational space sys-
tems. Today we count about 900 active satellites.
Much larger is the number of space debris particles:
burnt-out rocket stages and fragments of disintegrated
spacecraft.
Experts estimates count about 20,000 objects of a
size of ten centimeters or more, 15,000 of them are
flying in low Earth orbits (LEO) at altitudes of 200 up
to 2000 kilometers (as illustrated in Figure 1).
Figure 1: More than 20,000 objects of a diameter of
ten centimeters or more and 606,000 objects larger or
equal 1 cm are surrounding the Earth
These objects travel at a speed of up to 28,000 kilo-
meters per hour, which means even the smallest par-
ticles measuring a centimeter or less in diameter are
capable of causing serious damage to any satellite they
encounter, or even completely destroying it
(see Figure 2).

Figure 2 A collision experiment of the Fraunhofer-
Institute EMI (Ernst Mach Institut) shows the damage
caused by a 1 cm diameter aluminum sphere hitting a
solid 7,5 cm thick aluminum plate with a velocity of
6500 m/s.
The number of space debris particles is growing rapid-
ly, also by satellite collisions and intended destruc-
tions of satellites: In the year 2009 the US communi-
cation satellite Iridium 31 collided with the Russian
satellite Cosmos 2251. In 2007 the Chinese weather
satellite Fengyun 1C was destroyed on purpose by a
Chinese rocket at an altitude of 860 kilometers. In
2008 the US reconnaissance satellite NROL-21 was
shot off by a rocked fired from an American war ship.
To protect the crew, the International Space Station
ISS has to perform four to five evasive maneuvers
each year. Also the satellites of the German SAR-Lupe
reconnaissance system are recurrently threatened by
close encounters. On 29 June 2011 space debris
passed within a short distance of the ISS, forcing the
crew to enter their escape capsules to be ready to de-
part in case of a collision. Fortunately, the debris
passed within 260 meters of the ISS.

Other threats: Besides the danger of collision with
space debris several other events can affect the securi-
ty in space: Natural objects like asteroids crossing the
orbit, harmful space weather and human aggressions
using anti-satellite rockets and satellites, space based
weapons, destructive radiation from ground, electronic
countermeasures against sensors and telemetry.
1.3 Tasks of a space situational aware-
ness system
To protect the space infrastructure, a space situational
awareness system has a variety of tasks: registration
and forecast of space weather, detection, orbit estima-
tion and propagation of space debris and foreign satel-
lites or rockets, threat analysis, support of own space
missions by monitoring orbit, motion and orientation,
also during maneuvers, as well as damage access and
observation of de-orbiting.
To fulfill these tasks, the space surveillance sub-
system has to keep an extensive catalogue of space
objects and their orbit parameters which has to be up-
dated continuously. New space objects have to be de-
tected and registered, objects returning to Earth have
to be eliminated from the catalogue, maneuvers and
fragmentations have to be detected automatically and
possible collisions have to be forecasted.
It is necessary that a space surveillance system has to
use a variety of sensors primarily radar systems -
and other information sources and is equipped with a
powerful signal and data processing center.
2 Existing and planned space
surveillance systems
2.1 Existing space surveillance systems
USA: The United States Space Surveillance Network
(SSN) which is operated by the United States Strategic
Command (USSTRATCOM) consists of a worldwide
network of 29 space surveillance sensors - radars and
optical telescopes and a Space Based Space Sur-
396
veillance (SBSS) satellite [2]. The Space Catalog
keeps more than 22,000 objects. The actual informa-
tion about the non-classified objects is available in
form of two line elements (TLE). A TLE is a set of
parameters that describe the orbit of a space object in
a standardized way and allow the prediction of its fu-
ture position as a function of time. FHR uses the TLE-
information from SSN to steer its space observation
radar TIRA.

France: The French air force operates the bistatic ra-
dar system GRAVES (Grand Rseau Adapt la
Veille Spatiale) since 2005 [3]. GRAVES is the first
space surveillance system in Western Europe. It has
the main objective to detect satellites flying over
France and to determine their orbits. Transmitter and
Receiver of this VHF band phased array are based
close to the cities Dijon and Apt in a distance of 380
km. It is reported, that the number of objects in the
catalog is about 2,500 to 3,000.

Russia: The former Soviet Union operated its Space
Surveillance System (SSS) at eight sites distributed
over many thousands of kilometers. 20 radars and
telescopes were used. The radar systems were driven
at low frequencies (150 and 400 MHz) up to a range
of 4,000 km [4]. It is not known to the authors, how
this network is configured today, since some of the
sites now belong to EU countries.

2.3 Emerging systems
ESA: The European Space Agency (ESA) started in
2009 a Space Situational Awareness (SSA) program
aiming at a future European Space Situational
Awareness System (ESSAS) [6].
The objective is to enable Europe to autonomously
detect, predict and assess risks originated from space
objects and natural phenomena in space to protect Eu-
ropean space and ground based infrastructure. A good
example for an international system which has to be
protected with high priority is the European naviga-
tion satellite program GALILEO.
The future system ESSAS demands a radar system
able to detect and survey all objects of a size in the
order of one decimeter in low Earth orbits (LEO).

Germany: Presently, seven satellites are operated ex-
clusively for the demands of the Bundeswehr: five re-
connaissance satellites forming the system
SAR-Lupe and two communication satellites
SATCOMBw.
The vulnerability of these space-based systems due to
the mentioned threats led the authorities to initiate the
creation of a space situational awareness unit at Ue-
dem close to Kalkar in the west of Germany [5]. Start-
ing in 2009, this Weltraumlagesystem (WRLageSys)
will be expanded in the next years. The task of this
system is the surveillance and - if required - recon-
naissance of all near Earth objects (NEOs) with the
aim to create and verify a reliable and unambiguous
catalog of objects.

3 Space observation by radar
3.1 Properties of radar sensors
Radar systems play an outstanding role for space ob-
servation. This is due to some specific properties
which cannot be obtained by other sensors: Radar is
independent on daylight and weather; at suitable fre-
quencies the electromagnetic waves penetrate the at-
mosphere without considerable attenuation.
As a result, radar provides high detection probabilities
also at large and very large ranges. The use of Doppler
frequency, which serves as a measure of the radial ve-
locity, makes the generation of two-dimensional radar
images with range-independent resolution possible.
Radar techniques, suited to space reconnaissance, are
required for the verification of orbital systems, the as-
sessment of the orbital debris situation and its physical
characterization as well as for risk assessment of reen-
tering satellites.
To illustrate the demand on range coverage: To meas-
ure for a typical path an object at altitude of 500 km
over the whole observable orbit segment, the radar
system has to have a maximum range of at least 2750
km.
The maximum range of a radar system is calculated
via the radar equation. It is proportional to the forth
root of the product of the emitted power, the transmit
antenna gain, the receive antenna gain, the square of
the wave length, the radar cross section (RCS) of the
target, and the observation time used for signal
processing. Inserting the demands for space observa-
tion, large antenna dimensions (diameter at least some
tens of meters) and high transmit powers (order of
megawatts) result.
Since space observation radars are typically operated
at wavelengths of a decimeter or more, the high num-
ber of smaller particles fall into the Rayleigh scatter-
ing region (object extension small compared to the
wavelength). In this region the RCS decreases with the
forth power of the diameter. This is the reason why 10
cm sized objects are so much easier to detect than 1
cm sized objects, if the wave length is in the order of a
decimeter or more. If the wave length becomes short-
er, the transmission of the wave will be affected by the
atmosphere increasingly, moreover, the available
technology limits the maximum emitted power for
higher frequencies.
397
3.2 The need for complementary radar
systems
Current radar technology offers two principal types of
systems:
Systems with mechanically steered reflector antennas
allow a relatively simple realization of the demanded
high antenna gain, the large bandwidth necessary for
imaging can be obtained without too much effort. Low
sidelobes can be achieved by proper antenna design.
On the other hand the mechanical inertia does not al-
low scanning the sky completely during a justifiable
time.
The simultaneous observation of more than one target
is not possible apart from the situation that all tar-
gets are within the narrow mainbeam of the antenna.
The other type of radar systems operates with inertia-
free phased-array antennas whose look direction can
be steered very quickly by pure electronic means.
Several beams can be formed in parallel. Phased-
arrays allow surveillance of large angular sectors in
short time and can handle a lot of targets simulta-
neously in a multi-function operation. This technology
is very complex, high bandwidths are obtainable only
with tremendous effort and low sidelobes are realiza-
ble only by highly expensive design and tuning.
A continuous surveillance of low Earth orbits can be
reliably guaranteed only by high performance ground
based phased array systems. For high precision orbit
determination and for ultra high resolution imaging of
space objects wide band target tracking radars are ne-
cessary.
So, for an efficient space situational awareness system
at the current state of technology a twofold radar strat-
egy is necessary: Only by means of phased array radar
a complete hemispherical surveillance for known and
unknown objects is possible. On the other hand, such
systems will have only a limited bandwidth and the
position estimates will not be accurate enough to reli-
ably predict collision probabilities.
Wide bandwidth high power systems today are effi-
ciently based still on mechanically steerable dish an-
tennas which on the other hand cannot cover the he-
misphere because of their mechanical inertia.
So, a phased array system has to survey the space and
transfer the extracted information (e.g. two-line ele-
ments) to a high bandwidth system capable to analyze
the space object in detail.
4 Contributions to space securi-
ty by Fraunhofer-FHR
At the Fraunhofer Institute for High Frequency Phys-
ics and Radar Techniques FHR a team of scientists
investigates radar-based space observation since many
years. Extensive knowledge about the physics of Earth
near space, the orbital mechanics, the actual situation
of the space object population, the destination and
functionality of individual satellites, as well as the
scattering and propagation mechanisms of electro-
magnetic waves has been gathered during the last
three decades. Techniques for collision risk analysis,
algorithms for high precise orbit determination and
propagation, de-orbiting prognostics and analysis, sta-
tistics of the space debris distribution, classification
and technical analysis of satellites and other space ob-
jects have been developed.
The team provides assistance for government institu-
tions and companies, works in national and interna-
tional co-operations and performs studies in the na-
tional and European context. FHR represents Germa-
ny in the international Inter agency space debris
coordination committee (IADC).
For further improvement of space observation new
radar techniques are developed, e.g. stereo-ISAR, po-
larimetric and interferometric ISAR, improved infor-
mation extraction for objects at geostationary orbits
and stare- and chase techniques. Digital beamforming
will be a substantial part of a phased-array demonstra-
tor currently under construction at FHR.
Moreover, performance analyses for future space ob-
servation radar systems serve for the improvement of
future systems.

4.1 The TIRA system
The Tracking & Imaging Radar (TIRA) system of
Fraunhofer FHR (see Figure 3) serves as the central
experimental facility for the development and investi-
gation of radar techniques for the detection and analy-
sis of objects in space.

Figure 3: The TIRA System (the dish antenna inside
the radom was made visible by photo montage)
The TIRA system gains radar data at 22.5 cm (L-
band) and 1.8 cm (Ku-band) wavelengths. These form
the data basis for the development of image and fea-
ture based classification and identification algorithms.
The antenna system uses a 34-m parabolic reflector
which can be steered in azimuth and elevation to any
direction in the upper half sphere. A fully coherent
monopulse comparator allows precise estimation of
the target direction.
Based on radar data of space objects and techniques
developed at FHR, characteristic target features like
orbital elements, intrinsic motion parameters, orbital
398
lifetime, target shape and size, ballistic coefficient,
mass and material properties can be determined.
All subsystems are under steady development due to
the increasing reconnaissance capability demands.
The Ku-band imaging system generates due to its
large bandwidth high resolved radar images of space
objects at a distance up to 20,000 km, allowing identi-
fication and technical analysis (see Figure 4).
Apart from imaging also the analysis of object motion
yields information about status and mission. Abnor-
malities in the shape can be detected and used for
damage access, multi-payload discrimination and
identification.
The L-band radar can follow individual space debris
particles over the whole passage resulting in orbit de-
termination with high accuracy. Also with this non-
imaging radar information about size, mass, shape,
material properties can be obtained.
Figure 4: ISAR image of the space shuttle at a dis-
tance of more than 600 km

4.2 TIRA-GRAVES cooperation
In a bi-lateral cooperation with France it was several
times demonstrated, how the above mentioned
GRAVES system and the TIRA system complement
one another.
In common experiments the parameters of the objects
recognized by GRAVES were transmitted to TIRA
which could follow and analyze these objects. So, TI-
RA-GRAVES may be regarded as an example for
complementary space observation, as it is intended for
the future European Space Situational Awareness Sys-
tem.

4.3 The ESSAS radar demonstrator
ESA has awarded a contract to the Spanish company
Indra Espacio to design and construct a radar demon-
strator for a future phased array space surveillance
system as part of the European space situational
awareness system (ESSAS). Under a subcontract,
FHR will participate in the project [7]. The Spanish
company will develop the transmitter array, leaving
the Fraunhofer scientists to develop the receiver sys-
tem. They are experienced in the design and realiza-
tions of phased-array radar systems. E. g. the first such
system in Europe (ELRA) has been built up in the
1970th dedicated to air space observation.
The receive system of the demonstrator is equipped
with modern digital beamforming techniques. A planar
array antenna with a representative number of ele-
ments (see Figure 5) forms the frontend. The signal of
each element is amplified, filtered and A/D converted.
After further signal processing it is possible to receive
from eight directions in parallel. The whole system is
assembled in a container (see Figure 6) at the insti-
tute's site at Wachtberg.
The future final system will be able to observe a large
number of objects simultaneously, detecting their po-
sition to a high degree of accuracy and sensitivity.
This is an essential requirement, given the objective of
having from 15,000 to 20,000 objects on the radar for
at least ten seconds each day.
Figure 5: The receiving planar array of the demon-
strator (CAD model)

The demonstrator receiver system will be capable of
capturing radar signals reflected by satellites and
space debris in up to eight directions at the same time.
In its final version, the surveillance radar will be able
to detect objects in geostationary orbit at an altitude of
approximately 36,000 kilometers above the surface of
the Earth, but its power will be mainly concentrated
on the low Earth orbit at altitudes between 200 and
2,000 kilometers, where it will be capable of detecting
particles of debris measuring down to a few centime-
ters in diameter.
The data this system collects is likely to be of interest
to numerous users, including not only European gov-
ernment departments and space agencies but also sa-
tellite operators, insurance companies, energy suppli-
ers and telecommunications companies.
399
The demonstrator is scheduled for delivery to ESA at
the end of 2011. It will then undergo a one-year test
phase. A decision on who will construct the full sys-
tem has yet to be taken, but there is the hope at FHR,
that ESA will recognize the importance of FHRs ex-
pertise and incorporate its know-how in the final ver-
sion.
Summary
The industrial society is highly dependent on space-
based infrastructure. This has to be protected against a
variety of threads, especially against the collision with
space debris. For this reason, space surveillance sys-
tems are indispensable. These are primarily based on
radar sensors. At the present state of technology, com-
plementary systems are necessary: Phased array radars
for surveillance and wideband systems with a mechan-
ically steerable dish antenna for tracking and imaging.

Figure 6: The shelter of the future ESSAS receive ar-
ray demonstrator at Wachtberg (CAD model)

References
[1] Making Germanys space sector fit for the future
- The space strategy of the German Federal Gov-
ernment Federal Ministry of Economics and
Technology (BMWi) Public Relations/L210115
Berlin www.bmwi.de
[2] http: www.stratcom.mil/factsheets/USSTRAT-
COM_Space_Control_and_Space_Surveillance
[3] http://www.satellitenwelt.de/spaceradar.htm
[4] http://articles.janes.com/articles/Janes-Space-
Systems-and-Industry/The-SSS-Space-
Surveillance-System-Russian-Federation.html
[5] Harald Borst, Andreas Noeske und Mike Hell-
mann: Das Weltraumlagezentrum, Strategie &
Technik, November 2010, http://www.strategie-
technik.de/11_10/lw.pdf
[6] http://www.esa.int/esaMI/SSA/ SEMY-
TICKP6G_0.html
[7] http://www.fraunhofer.de/en/press/research-
news/2010-2011/16/european-space-scout.jsp

400
Ground Moving Target Indication And Ship Surveillance With
The German TerraSAR-X/TanDEM-X Radar Satellite
Constellation
Stefan Valentin, Baumgartner, German Aerospace Center (DLR), Germany, Email: stefan.baumgartner@dlr.de
Gerhard, Krieger, German Aerospace Center (DLR), Germany
Abstract
In the paper first ground moving target indication (GMTI) and ship surveillance results obtained with the Ger-
man TerraSAR-X/TanDEM-X radar satellite constellation are presented and discussed. For processing a novel
GMTI algorithm applicable for dualplatform synthetic aperture radar (SAR) systems was used. This algorithm
enables the estimation of the true geographical positions, the velocities and the headings of the detected moving
targets with high accuracy. Since no a priori knowledge is needed also targets moving on open land and open
sea can be monitored. The algorithm is verified and evaluated using SAR-GMTI data and ground truth refer-
ence data acquired during the commissioning phase of TanDEMX in 2010.

1 Introduction
During the past years surveillance of road, land and
maritime traffic has evolved to important research
and security topics. Surveillance applications can be
found in the civilian as well as in the military field.
For instance, a lot of motorways are equipped with
stationary sensors to monitor the actual road traffic
situation with the aim to ensure mobility and to in-
crease the safety of road users. Unfortunately, such
detailed traffic information is missing outside the ma-
jor motorways due to a lack of sensor installations.
Up to now, no reliable information about non-
cooperative vehicles moving on open land exists. For
maritime traffic monitoring larger international voy-
aging ships are equipped with automatic identifica-
tion systems (AIS) to improve the guidance and to
avoid accidents [1]. However, AIS signals from ships
moving on the open sea often are too weak to be re-
ceived by the terrestrial AIS stations distributed along
the coast lines. Even with an AIS spaceborne system
information about smaller ships carrying no AIS
transceivers are not available.

Air- and spaceborne radars flying at high altitudes
provide an elegant solution to fill these gaps, espe-
cially if this information is required only on a non-
regular basis as in the case of major events, catastro-
phes or regional hot spots. An innovative spaceborne
radar system having already nowadays the capability
to contribute to land as well as to maritime traffic
surveillance applications is the German TerraSAR-
X/TanDEM-X satellite constellation [2]. Both satel-
lites are equipped with SAR instruments enabling
high resolution imaging of the earths surface, inde-
pendent of sunlight illumination and weather condi-
tions.

Originally SAR was designed for imaging the sta-
tionary world but not for imaging moving targets.
Thus, special signal processing algorithms are neces-
sary to detect moving targets, to estimate their actual
geographical positions, their velocities and headings.
One novel SAR-GMTI algorithm which can achieve
these tasks which high accuracy was developed by the
authors [3]. This SAR-GMTI algorithm combines the
data acquired with two SAR satellites, i.e. the Ter-
raSAR-X and TanDEM-X satellites, separated by a
large along-track baseline (i.e. a large distance in
flight direction) in the order of a few kilometres.

In the next three sections the TerraSAR-X/TanDEM-
X satellite constellation is introduced, the SAR-
GMTI algorithm is explained and first land and

Figure 1 TerraSAR-X and TanDEM-X in close for-
mation flight (artists view).
401
maritime traffic monitoring results are presented and
evaluated. Afterwards future SAR-GMTI system con-
cepts, enabling an improved temporal and spatial
coverage, are discussed.
2 TerraSAR-X/TanDEM-X
Constellation
TerraSAR-X and TanDEM-X are two identical SAR
satellites operating at X-band with a centre frequency
of 9.65 GHz. Both satellites, launched in 2007 and
2010, fly in close formation at an altitude of 514 km
(cf. Fig. 1). Their primary objective is the generation
of a consistent digital elevation model with global
coverage, according to HRTI-3 standard or even bet-
ter [2]. For this task both satellites act as a large SAR
single-pass interferometer. The baseline or distance
between the satellites, respectively, can be selected in
a nearly arbitrary manner.

In addition to the primary mission goal several sec-
ondary objectives of innovative character complement
the mission. One of these objectives is traffic moni-
toring from space, which never before has been dem-
onstrated with a SAR satellite constellation.

The SAR satellite constellation circles around the
earth 15 times per day. As a consequence an area of
interest cannot be monitored continuously. However,
a snapshot of this area can be taken every 2.5 to 4
days. This non-regular imaging period might be suf-
ficient for some applications, at least for demonstrat-
ing the traffic monitoring capabilities of the SAR sat-
ellite constellation. For surveillance tasks requiring a
more frequent or even continuous observation, more
than two SAR satellites or even different system con-
cepts are necessary [4]. Such system concepts are
suggested and discussed in section 5.
3 SAR-GMTI Algorithm
In conventionally processed SAR images moving tar-
gets cause some peculiar effects: they are depicted
blurred and displaced from their actual positions [5].
An example is shown in Fig. 2, where a train clearly
appears displaced from its actual position, the rail
track.

The displacements of the moving targets are propor-
tional to their across-track velocities, i.e. the veloci-
ties of the targets perpendicular to the flight path of
the SAR platform. Even slowly moving targets can be
displaced by several hundreds of meters. For in-
stance, the displacement of a ship moving with 17 kn
(= 31.5 km/h) is up to 600 m if it is imaged with Ter-
raSAR-X and TanDEM-X in a typical imaging ge-
ometry. A fast road vehicle moving with 130 km/h is
already displaced up to 2500 m. Thus, the reliable
determination of the actual position of a moving tar-
get is quite challenging.

If only one single dual-channel SAR satellite, e.g. the
TerraSAR-X satellite, is available for GMTI, the po-
sition estimation errors may be in the order of hun-
dreds of meters if only the along-track interferometric
(ATI) phases are exploited [6]. The estimation accu-
racy can be improved significantly if a priori knowl-
edge in form of a road database is incorporated into
the processing chain [7][8]. However, this approach
also has some drawbacks. For instance, the assign-
ments of the detected targets to the correct roads
might fail if the observed scene contains many adja-
cent parallel roads. Moreover, reliable monitoring of
targets moving on open land and open sea is not pos-
sible.

Figure 2 TerraSAR-X image acquired near Wolgo-
grad, Russia. The zoom shows a moving train ap-
pearing displaced from the rail track.

Figure 3 Displacements of the moving targets in the
SAR images acquired with the first (top left) and sec-
ond (top right) SAR satellite. At the bottom the dis-
placement difference between both images is shown.
402
The novel SAR-GMTI algorithm developed by the
authors does not have these restrictions [3]. The data
acquired with two satellites, i.e. the TerraSAR-X and
TanDEM-X satellites, are combined for extracting
moving target information. Without the need of a
road database or other a priori knowledge, the actual
position, the velocity and the heading of each de-
tected target can be estimated with high accuracy. For
achieving a good performance it is necessary that
both satellites are separated by a large along-track
baseline in the order of a few kilometres, correspond-
ing to a time lag of a few seconds. During that time
lag a moving target moves through several SAR reso-
lution cells and changes its position. As a conse-
quence, one and the same moving target appears at
different displaced positions in the SAR images (cf.
Fig. 3 top). None of these positions corresponds to
the actual one of the moving target. Nevertheless,
from the displacement difference (cf. Fig. 3 bottom),
which can be measured with high accuracy using a
two-dimensional (2D) cross-correlation, all relevant
moving target parameters can be computed. The de-
tailed description and the mathematical background
of the SAR-GMTI algorithm can be found in [3] and
should not be repeated here.

In Fig. 4 two displacement difference examples
with real SAR data are shown. The red images were
acquired with TerraSAR-X, the fore platform, and
the green images were acquired approximately 2.5 s
later with TanDEM-X, the aft platform. The dis-
placement differences of the coloured ship images
clearly can be recognized. The ship shown at the top
row moved mainly from left to right, the ship at the
bottom row moved from right to left and additionally
made a right turn.

A simplified flow chart of the implemented algorithm
is shown in Fig. 5. In the preprocessing stage two
SAR images Image 1 (acquired with TerraSAR-X)
and Image 2 (acquired with TanDEM-X) are gen-
erated taking into account the full bandwidth given
by the pulse repetition frequency of the SAR system.
Clutter suppression using the displaced phase centre
antenna (DPCA) technique is carried out only if land
traffic should be monitored (cf. Fig. 5 right). For de-
tecting ships a single SAR image is used (cf. Fig. 5
left) [9], for detecting land traffic the clutter sup-
pressed DPCA image is considered (cf. Fig. 5 right).
Within the 2D Correlator block the displacement
difference is measured. Afterwards in the Parameter
Estimation block the actual positions, the velocities
and the headings of the detected moving targets are
computed. The actual range and azimuth positions of
the moving targets are converted to corresponding
geographical coordinates within the Georeferenc-
ing block. Last but not least a so called Keyhole
Markup Language (KML) file is generated within
the Visualization block. This file, which can inter-
actively be visualized with Google Earth, contains the
parameter estimation results, the links to the images
of the detected targets and additional information.
During the early commissioning phase of TanDEM-X
in 2010 several GMTI data takes have been acquired
in the pursuit monostatic mode [2] with the aim to
demonstrate GMTI with a SAR satellite constellation
for the first time and to verify and evaluate the novel
SAR-GMTI algorithm. At that time the along-track
baseline between both satellites was in the order of 20
km, corresponding to a time lag of approximately 2.5
s. These are just the parameters promising the best
predicted performance of the SAR-GMTI algorithm
[3]. Different test sites for monitoring land as well as
maritime traffic have been chosen.
4.1 Land Traffic
For monitoring land traffic the Highway 1 in the
north-west of Los Angeles and the Interstate 15 in the
north-east of Las Vegas were chosen.
Figure 5 Simplified flow chart of the implemented
SAR-GMTI algorithm. Different processing steps are
necessary, depending whether maritime traffic (left)
or land traffic (right) should be monitored.

Figure 4 TerraSAR-X images of two ships (left col;
the orange crosses mark the points used for georefer-
encing) and corresponding superpositions with Tan-
DEM-X images (right col; TerraSAR-X image in
red, TanDEM-X image in green).
403
No ground truth data were available for the land traf-
fic data takes. As a consequence the probability of
detection cannot be evaluated. Nevertheless, the ac-
tual positions of the detected moving targets can be
estimated and the residual offset to the known road
axes can be measured. These residual offsets or posi-
tion differences, respectively, are related to the posi-
tion estimation accuracy as well as to the across-track
velocity estimation accuracy (remember that the dis-
placements are proportional to the across-track ve-
locities and, hence, the residual offsets are propor-
tional to the across-track velocity estimation errors).
Furthermore the heading differences can be deter-
mined by comparing the estimated headings with the
known heading of the road axis.

One result of an Interstate 15 data take is shown in
Fig. 6. False detections have been precluded so that
the evaluation of the position and velocity estimation
accuracy is not biased. The remaining 31 targets have
signal-to-clutter plus noise (SCNR) values in the
range from 10 to 23 dB. The mean value of the meas-
ured position difference is 10.97 m (cf. Fig 6 bottom
left). This value, which corresponds to a velocity es-
timation accuracy of 0.57 km/h, is really impressive.
Never before a spaceborne SAR system has reached
such a moving target position estimation accuracy,
particularly without the use of a road database or
other a priori knowledge. The mean of the heading
difference is only 0.55 (cf. Fig. 6 bottom right).
Small heading differences indicate that the 2D veloc-
ity estimation, i.e. the estimation of the velocity com-
ponents in along-track and across-track direction, is
very accurate.
4.2 Maritime Traffic
For monitoring maritime traffic the Port of Halifax
and the Strait of Gibraltar have been chosen. As
ground truth AIS reference data were used. By com-
paring the AIS reference data with the estimates ob-
tained from the SAR-GMTI algorithm, the position,
velocity and heading differences have been computed.
Larger ships appear as extended targets in the SAR
images. Thus, for georeferencing the centre of the
area of the ship image is used (cf. Fig. 4 left column).
It has to be noted that the position of the centre of the
area not necessarily corresponds to the position of the
GPS antenna of the AIS. As a consequence the com-
puted position difference has an uncertainty which
depends on the ship size. Furthermore, to achieve
high parameter estimation accuracy possible turns of
the ships between both observations have to be con-
sidered, for instance by successively rotating the ref-
erence image patch before each 2D cross-correlation
(cf. Fig. 4 bottom right).

One result of a Gibraltar data take is shown in Fig. 7.
All eight AIS reference targets labelled with ID 0 to 7
have been detected automatically. The ships moved
mainly in east direction which differs only by 9.5
from the across-track direction. Thus, the UTM nor-
thing position difference shown at the top left in Fig.
7 corresponds to the along-track re-displacement er-
ror, one of the most critical errors in GMTI. The po-
sition difference of -125 m of the target 1 is an out-
lier, identified by a bad correlation coefficient of the
2D cross-correlation. The time offset between the
SAR and the AIS data for target 7 was 440 s. In this
case the AIS position extrapolation, for which a con-
stant target velocity and heading are assumed, is not
correct. If both outliers are precluded the maximum
position difference is -25m. The maximum velocity
difference is with 0.29 kn (= 0.54 km/h, cf. Fig. 7 top
right) in the same order as for land traffic monitor-
ing, indicating again a high velocity estimation accu-
racy. The heading differences shown at the bottom in
Fig. 7 are almost below 10, except for target 1 (bad
correlation coefficient) and target 5, which has made
Heading Difference []
MEAN : 0.55
STDDEV: 3.82
Heading Difference []
MEAN : 0.55
STDDEV: 3.82
MEAN : 10.97 m
STDDEV: 13.28 m
O
c
c
u
r
r
e
n
c
e
Position Difference [m]
MEAN : 10.97 m
STDDEV: 13.28 m
O
c
c
u
r
r
e
n
c
e
Position Difference [m]
Position Error

Figure 6 Land traffic monitoring results obtained
from an Interstate 15 data take (top: Google Earth
image, the coloured triangles represent the detected
targets on their actual positions; bottom: histograms
of the position (left) and heading differences (right)).
Heading Difference
H
e
a
d
i
n
g
D
i
f
f
e
r
e
n
c
e
[
]
Velocity Difference
! 0.29 kn (= 0.54 km/h)
Northing Position Difference
P
o
s
i
t
i
o
n

D
i
f
f
e
r
e
n
c
e
[
m
]
-25 m
V
e
l
o
c
i
t
y

D
i
f
f
e
r
e
n
c
e
[
k
n
]

Figure 7 Maritime traffic monitoring results ob-
tained from a Gibralter data take (top left: UTM nor-
thing position differences; top right: velocity differ-
ences; bottom: heading differences).
404
a strong turn between both observations (cf. Fig 4
bottom right).

The maritime traffic monitoring results from Fig. 7
are visualized in Fig. 8. Here the motions of the de-
tected ships clearly can be recognized. A more user-
friendly Google Earth visualization of the results is
shown in Fig. 9. In Google Earth the user can click
on a ship symbol to open a window showing addi-
tional information about the ship (cf. Fig. 9 right),
for instance the automatically merged AIS data.
5 Future SAR-GMTI System
Concepts
One challenge of future SAR-GMTI systems is the
combination of wide area coverage with frequent
monitoring. Such requirements have a direct impact
on the choice of the satellite orbits [4]. Even low cost
SAR satellites operating in low earth orbit (LEO)
may be too expensive to be operated in large num-
bers. An attractive alternative are satellites in me-
dium earth orbits (MEO). Such systems cover a wider
region and provide the opportunity to continuously
observe an area of interest for a long time period
ranging from minutes to hours. As a consequence
fewer satellites would be required. During the large
observation time intervals valuable information about
the traffic taking place on the earths surface could be
gained. Owing to the higher altitudes the satellite ve-
locity and the clutter bandwidth are reduced. On the
other hand higher altitudes and, hence, larger ranges
mean that the instrument and satellite costs will rise.
Although the achievable SCNR values of MEO SAR
systems are smaller compared to LEO systems, at
least ship surveillance applications should be feasi-
ble. From the technical point of view MEO SAR sys-
tems seem to be realizable in near future. During the
past years especially the progress in antenna technol-
ogy development must not be disregarded. Unfoldable
lightweight reflector antennas in combination with
advanced digital beamforming techniques could be
the key to an affordable operational MEO system
[10].

Another interesting solution for surveillance applica-
tions requiring continuous temporal coverage and
data downlink are unmanned stratospheric airships
[11]. These airships, measuring more then 100 m in
length, are designed to operate at altitudes of ap-
proximately 20 km, above the jet-stream. They can
carry a few tons so that even multi-channel SAR-
GMTI systems with larger and heavier antennas can
be installed. SAR swath widths in the order of 20 km
are feasible. Besides the SAR-GMTI systems also
complementary sensors, for instance hyperspectral
sensors, and communication technology enabling a
continuous data transmission to a ground station or
satellite could be installed on the same platform. The
platform velocity can be chosen in a certain range,
starting from zero metres per second. Especially for
the continuous surveillance of geographically limited
areas (e.g. cities and regional hot spots) slowly mov-
ing airships are well suited. By choosing the flight
velocity and the along-track baselines between two or
more antennas carefully, also a time lag of 2.5 s is
adjustable so that in principle the proposed SAR-
GMTI algorithm [3] can be used without major modi-
fications. Stratospheric airships flying slightly faster
for instance can be used for border monitoring with
short revisit times. Illicit trafficking could be detected
with such systems.
6 Conclusion
The presented preliminary results confirm that the
proposed and implemented dual-platform SAR-
GMTI algorithm is well suited for land and maritime
traffic monitoring. For vehicles moving on land the
position estimation accuracy is on average smaller
than 11 m. This is a really impressive value, espe-

Figure 8 SAR image of the Strait of Gibraltar (left,
size 15 x 50 km) and detected ships (right). The red
and green colours represent the ships in the Ter-
raSAR-X and TanDEM-X images.
405
Slide 47
First GMTI Results With The TerraSAR-X / TanDEM-X Constellation stefan.baumgartner@dlr.de > 11.03.2011

Figure 9 Google Earth image of the Strait of Gibraltar overlaid with the KML file from the SAR-GMTI proc-
essor output. The colour coded symbols (colour is velocity dependent) represent the automatically detected ves-
sels on the estimated true positions. Also the displaced vessel images in white colour are visible.
cially under the aspect that no other SAR satellite
system has ever achieved such a moving target posi-
tion estimation accuracy, particularly without the use
of a road database or other a priori knowledge. Still
more of the acquired GMTI data takes need to be
evaluated in order to statistically confirm the first re-
sults presented in this paper.
References
[1] (2011, June) Automatic Identification System.
[Online]. Available: http://en.wikipedia.org/-
wiki/Automatic Identification System
[2] G. Krieger, A. Moreira, H. Fiedler, I. Hajnsek,
M. Werner, M. Younis, and M. Zink, Tan-
DEM-X: A satellite formation for high-
resolution SAR interferometry, IEEE Transac-
tions on Geoscience and Remote Sensing,
vol. 45, no. 11, pp. 33173341, 2007.
[3] S. V. Baumgartner, G. Krieger, and K.-H.
Bethke, A Large Along-Track Baseline Ap-
proach for Ground Moving Target Indication
Using TanDEM-X, in International Radar
Symposium (IRS), Cologne, Germany, Septem-
ber 2007.
[4] K. Bethke, S. Baumgartner, M. Gabele,
D. Hounam, E. Kemptner, D. Klement,
G. Krieger, and R. Erxleben, Air-and space-
borne monitoring of road traffic using SAR
moving target indication Project TRAM-
RAD, ISPRS Journal of Photogrammetry and
Remote Sensing, vol. 61, no. 3-4, pp. 243259,
2006.
[5] R. K. Raney, Synthetic aperture imaging radar
and moving targets, IEEE Transactions on
Aerospace and Electronic Systems, vol. AES-7,
no. 3, pp. 499505, May 1971.
[6] J. H. G. Ender, C. H. Gierull, and D. Cerutti-
Maori, Improved Space-Based Moving Target
Indication via Alternate Transmission and Re-
ceiver Switching, IEEE Transactions on Geo-
science and Remote Sensing, vol. 46, no. 12, pp.
39603974, December 2008.
[7] F. Meyer, S. Hinz, A. Laika, D. Weihing, and
R. Bamler, Performance analysis of the Ter-
raSAR-X traffic monitoring concept, ISPRS
Journal of Photogrammetry and Remote Sens-
ing, vol. 61, no. 3-4, pp. 225242, 2006.
[8] S. Suchandt, H. Runge, H. Breit,
U. Steinbrecher, A. Kotenkov, and U. Balss,
Automatic Extraction of Traffic Flows Using
TerraSAR-X Along-Track Interferometry,
406
IEEE Transactions and Geoscience and Remote
Sensing, vol. 48, no. 2, pp. 807819, February
2010.
[9] S. Brusch, S. Lehner, T. Fritz, M. Soccorsi,
A. Soloviev, and B. van Schie, Ship Surveil-
lance With TerraSAR-X, IEEE Transactions on
Geoscience and Remote Sensing, vol. 49, no. 3,
pp. 10921103, March 2011.
[10] G. Krieger, I. Hajnsek, K. Papathanassiou,
M. Younis, and A. Moreira, Interferometric
Synthetic Aperture Radar (SAR) Missions Em-
ploying Formation Flying, Proceedings of the
IEEE, vol. 98, no. 5, pp. 816843, May 2010.
[11] T. Brner, M. Galletti, N. P. Marquart, and
G. Krieger, Concept study of radar sensors for
near-field tsunami early warning, Natural Haz-
ards and Earth System Sciences NHESS. Spe-
cial Issue: The GITEWS Project (German-
Indonesian Tsunami Early Warning System), pp.
19571964, September 2010.

407
SECURITY-RELATED CHANGE DETECTION WITH
TERRASAR-X RADAR SATELLITE DATA
Diana Weihing, Oliver Lang, Lutz Petrat, Astrium GEO-Information Services, Germany
Abstract
Monitoring and change detection play an important role for many security applications. With the radar satellite
TerraSAR-X, high resolution images can be acquired reliably and independently of weather conditions and illu-
mination for any area of interest on the globe. The repeat-pass images with nearly identical acquisition parame-
ters allow for a direct comparison of the image magnitudes as well as the exploitation of interferometric infor-
mation. The latter is useful to derive a more complex picture of surface changes and activities. This paper pre-
sents results of TerraSAR-X based change analyses demonstrating the potential of incoherent and coherent
change detection and a subsequent change assessment.

1 Introduction
Change analyses are an important task for many secu-
rity applications, such as the monitoring of critical
infrastructure or for assessing damages and impacts
following after natural disasters. Depending on the
specific application, requirements on the sensitivity of
changes can vary.

Satellite SAR missions like TerraSAR-X entail poten-
tial for such applications, not only because of the
large coverage in combination with high resolution,
but also due to the independence regarding daytime
and weather conditions. TerraSAR-X provides radar
imagery with a resolution of up to 1m and a unique
geometric accuracy. The location error of slant range
products is well below one meter [1]. Therefore, the
pixel location error of orthorectified images depends
predominantly on the quality of the underlying DEM.
Additionally, TerraSAR-X offers the capability for
radar interferometry. Interferometric data processing
opens up a wide range of applications since the result-
ing phase information is sensitive to terrain elevation,
ground motion and surface changes.TerraSAR-X
based change analyses make use of this interferomet-
ric capability for coherent change detection as well as
of the radiometric stability for amplitude change de-
tection.

This paper demonstrates the potential of both Ter-
raSAR-X based change analyses with a focus on the
coherent change detection method. It is applied on
data of the copper mine in Chuquicamata, Chile, as an
example of site monitoring. The described techniques
are transferable to other applications of interest in the
security domain.
2 Change Detection & Analysis
The detection of changes on the Earths surface
means locating features that have changed between
different acquisition dates by a comparison of multi-
temporal datasets.

Two types of change detection using repeat-pass SAR
data can be distinguished:

Amplitude change detection (ACD)
Coherent change detection (CCD)

Amplitude Change Detection analyses the backscatter
of two images, [2]. Typically substantial surface
changes, which strongly influence the backscatter of
an area, are indicated. The power change estimate is
affected by speckle noise, whose reduction has to be
considered in the processing.

The second method - Coherent Change Detection
makes use of the interferometric coherence which acts
as a change indicator, see e.g. [3, 2]. The interfer-
ometric coherence is a measure of the phase correla-
tion of two SAR scenes. Several impacts can cause
phase decorrelation [4], such as atmospheric effects,
volume decorrelation, temporal decorrelation, and fi-
nally man-made changes. Temporal and volume
decorrelation is the main factor in repeat pass inter-
ferometry, particularly for X-Band. CCD's applicabil-
ity is therefore limited in case of dense vegetation
cover. However, under stable surface conditions, as in
rocky deserts and arid areas, CCD has the potential to
detect even subtle changes on ground.

408
In both methods known probability density functions
of the change indicators are applied to distinguish
changes by assuming a certain false alarm rate. The
known functions of the intensity ratio [5] and of the
coherence [4, 6] are used to separate changed from
non-changed pixels.

Since the two indicators are sensitive to different
measures, they can provide complementary charac-
terisations of the changes. A combination of the more
robust ACD and the sensitive CCD increases the in-
formation content of a change analysis.

Once potential changed areas on ground have been
identified, the assessment of these regions is con-
ducted visually by professional image analysts. Ancil-
lary data generally supports the interpretation. An ex-
ample for useful ancillary information is a digital ele-
vation model (DEM) which can been derived from
interferometric data pairs.

3 Application to data
In order to demonstrate the potential of TerraSAR-X
based change analyses using ACD and CCD, the
methodologies have been applied to an interferomet-
ric data stack in order to monitor changes on a spe-
cific site of interest.

3.1 Available Data
A number of repeat-pass TerraSAR-X images were
acquired with following acquisition parameters, listed
in Table 1.

Satellite TerraSAR-X 1
Acquisition date
2009-04-13
2009-04-24
2009-06-18
2009-06-29
2009-09-03
2009-09-14
Imaging Mode StripMap
Ground Range
Resolution
2.0 m
Polarisation HH
Incidence Angle 33.8-36.8
Pass Direction Ascending
Product Type SSC
Table 1 TerraSAR-X acquisition parameters

Only a subset of the images, approx. 5x5 km, will be
shown in the following processing results.

3.2 Observed site
The observed site is located at Chuquicamata, a city
in the Atacama Desert in the north of Chile. One of
the World's largest copper mines is operated there.
During the acquisition window on-going activities
and changes took place, such as of course mining and
dumping of waste rocks around the mine. In Figure 1
a subset of the TerraSAR-X average intensity image is
shown covering mainly the southern mine on the right
hand side. Dumping sites are located around the mine
and in the north of the city.
4 Results
The TerraSAR-X based change detection consists of
interferometric processing, which requires inherently
a subpixel coregistration process to match the pixels
with maximum precision. In order to reduce image a
multi-looking processing step is applied. For the sub-
sequent estimation of the two different change indica-
tors - the interferometric coherence and the intensity
ratio - moving window operators are used. Both indi-
cators mark potential changed areas, whereas the in-
dicators have a different sensitivity with respect to the
type of change. Pixels which contain change are sepa-
rated from non-changed areas in a statistical analysis
of given probability density functions and false
alarms rates. These detections are subsequently visu-
ally assessed and analyzed in combination. The as-
sessment step includes also the use of ancillary data,
which is extracted additionally from the TerraSAR-X
acquisitions. Elevation information derived from in-
terferometric image pairs, for example, provides in-
formation about the local conditions and allows for a
detailed analysis and for drawing complete conclu-
sions of the results and the identified changed re-
gions.

Figure 1 Chuquicamata, Chile - subset of StripMap
TerraSAR-X Average Intensity image.

409
4.1 ACD
In Figure 2 the change detection result using ACD
with a chosen false alarm rate of 5% is shown. The
change layers are coloured labelling the change direc-
tion, "Backscatter Increased" and "Backscatter De-
creased" between the acquisitions of April 13th and
24th. Changes and activities are mainly detected at
the mine and at the dumping sites, which are caused
by ground work, mining or the landfill of waste rocks.
As one example a part of a dumping site, where waste
rocks of the mine are filled in terraced shape is
marked with the red rectangle, which has been con-
firmed by optical data.

4.2 CCD
Figure 3 shows a time series of coherence images dur-
ing the acquisition interval. The values are scaled
from black to white, where black parts indicate no
correlation and bright areas indicate a high correla-
tion. The shown coherence images origin from Ter-
raSAR-X input data with 11-days separation and
show high coherence in the main parts of the scene.
The estimated average coherence is about 0.73, which
indicates a good stability of the test site, which is lo-
cated in a dry area. Significant activities are observed
e.g. in the area north of the city at one of the dumping
sites annotated in the figure with a red rectangle. Be-
tween the pairs of April, June and September (Figure
3, a-c), landfill was ongoing in different areas, which
is indicated by the varying parts of low coherence.
Additional on-going changes and activities at the
mine and the dumping sites are visible on the right
hand side of the scene.

Figure 2 ACD Change layers overlaid on TerraSAR-X
intensity image of April 24th.

(a)

(b)

(c)
Figure 3 Coherence images a: April, b: June, c Sep-
tember 2009. Changes in and around the mine are un-
veiled. Dark pixels indicate decorrelation while bright
areas indicate high coherence.
410
However, decorrelation can be caused also in regions
due to layover and radar shadow. These features have
to be separated from the potential changes of interest.
This can be done by considering the intensity images
for interpretation and also by applying layover and
shadow masks estimated based on the terrain eleva-
tion and on the known satellite acquisition geometry.

The comparison of the indicated changes of CCD and
ACD analyses with optical data shows a good plausi-
bility and consistency. When comparing the areas
with low coherence with the change detections based
on the intensity, it is visible that some parts, which
have been changed, are better identified in the coher-
ence as in the ACD results. For example the usage of
the roads towards the dumping sites is indicated
stronger and more complete in the coherence than in
the intensity. CCD has the potential to provide indica-
tions of changes, which still might not be that strong
visible or detectable in radar amplitude. With this
supplementary information it is possible to extract
more information about potential changed areas than
form a single image source. In particular, coherence
information is additionally helpful for the interpreta-
tion and classification of scenes since finer structures,
e.g. roads, stand out against the surrounding region,
apparent in Figure 3.

4.3 Change assessment
For a complete change analysis and interpretation of
the indicated changes, spatial and context information
are key elements. Ancillary data support the assess-
ment of change detections. The inclusion of elevation
models into the analysis provides a deeper insight into
actual terrain conditions of the monitored site. There-
fore, the TerraSAR-X images have been used to cre-
ate an interferometric elevation model in order to pro-
vide more information about the local conditions of
the scenery. The combination of changed areas indi-
cated by the coherence of data pair September 3rd and
14th, labelled in black, with the elevation model is
shown in Figure 4. This overlay provides a better un-
derstanding of terrain conditions and the recent activi-
ties. The roads north of the city coming form the mine
towards the dumping sites are intuitively comprehen-
sible. This 3D-view facilitates a complete interpreta-
tion of the features which may be not that clear when
viewed only in 2D images. For monitoring concepts
the combination of the different techniques with their
varying sensitivity towards changes together with an-
cillary extracted data, such as the elevation, is of great
value. Amongst and together with optical images they
are strong tools for interpreters which observe critical
infrastructure or any site of interest.
5 Conclusions
TerraSAR-X based coherence and amplitude change
detections provide high potential for the observation
and identification of changes and activities on the
Earths surface. Both techniques are complementary
and provide different sensitivities. CCD is less robust
than ACD with respect to temporal and atmospheric
effects, but under stable conditions much more sensi-
tive for the detection of subtle changes. Generally, the
combination of both techniques provides a more com-
plete picture of the observed changes. In addition, an-
cillary data, like elevation information derived from
the same (interferometric) TerraSAR-X data, can
strongly support the interpretation of detected
changes or indications of activities. Context informa-
tion and spatial analysis are important for the identifi-
cation of changes and hence for many future security
applications.
6 References
[1] Schubert, A; Jehle, M; Small, D; Meier, E.: Ge-
ometric validation of TerraSAR-X high-
resolution products. 3rd TerraSAR-X Science
Team Meeting, Oberpfaffenhofen, November
2008
[2] Preiss, M.; Stacy N.J.S.: Coherent Change De-
tection: Theoretical Description and Experimen-
tal Results, STO-TR-1851, 2006
[3] Wright, P.; Macklin, T.; Willis, C.; Rye, T.: Co-
herent Change Detection with SAR, 2nd EMRS
DTC Technical Conference, Edinburgh, 2005.
[4] Hanssen R. F: Radar Interferometry, Data In-
terpretation and error analysis, Kluwer Aca-
demic Publishers, Dordrecht, 2001
[5] Touzi, R.; Lopes, A.; Bousquet, P.: A statistical
and geometrical edge detector for SAR images,
IEEE Transactions on Geoscience and Remote
Sensing, Vol. 26 (6), pp.764-773, 1988
[6] Touzi, R.; Lopez, A., Bruniquel, J.; Vachon, P.
W.: Coherence Estimation for SAR Imagery,
IEEE Transactions on Geoscience and Remote
Sensing, Vol. 37 (1), pp. 135-149, 1999
Figure 4 Combination of changed areas indicated by
the coherence with the interferometric elevation model.
411
Pulse Radar Technology
for Detection of Trapped and Buried Victims Electronic Devices
J. M., Pavlina, University of Freiburg- IMTEK - Laboratory for Electrical Instrumentation, Germany
L. M., Reindl, University of Freiburg- IMTEK - Laboratory for Electrical Instrumentation, Germany
T., Ostertag, University of Freiburg- IMTEK - Laboratory for Electrical Instrumentation, Germany
Abstract
Recent interest has lead to the investigation of novel search and rescue techniques to aid workers. This paper
will present recent results of studies made within the I-LOV project the German national research program for
civil security funded by the German Federal ministry of Education and Research (BMBF) concerning improved
time efficiency and reliable novel detection system for search and rescue. Detection and accurate localization of
victims buried inside demolished buildings is important for saving peoples lives. Research was performed on
the ability to search for electronic RF-devices, which can be buried with people, by using a pulsed radar like sys-
tem. Frequency filters of such device can be exposed to a radar pulse near the filters resonance frequency and an
echo can be detected, enabling the localization of a device and possibly its owner. Experimental results will be
shown of a pulsed radar like system used to excite wireless devices. Result will be shown with devices using
passive duplexer or diode based front-end receiver. These older architectures have at least one direct connection
from the antenna to the filter allowing a direct channel for the pulse to flow.

1 Introduction
The systematic classification of damages introduced
by Maack [1] is the basis for most international work
on search and rescue principles and the usage of ap-
propriate technology. Todays ceilings and walls are
often built with armored concrete instead of bricks
and wooden ceilings, which influence directly the de-
bris of structures and burying scenarios. Meeting the
current challenges with further improvements of strat-
egy and technology for search and rescue purpose of
trapped and buried people is the goal of the research
project I-LOV.
Time efficiency is one major challenge to meet. If
human victims have been inside a collapsed building
after an anthropogenic or natural disaster like an
earthquake, the fastest possible search for buried
people is absolutely necessary for their survival.
People that are not killed immediately by the misfor-
tune, usually must be saved within the first 72 hours,
depending upon climatic conditions.
The probability of survival reduces to ~19% after 72
hours due to dehydration and/or hyperthermia and
falls below 8% after 120 hours.
In order to improve time efficiency of search proce-
dures, the combination of classical methods like K-9
units or geophones and newer ones like robots or ra-
dar based detection systems is desired. The aim of this
research is for the detection of electronic components
and devices which are often carried by persons. Mo-
bile phones, of course, could be located either by the
mobile phone provider using simple triangulation.
However, it cannot be guaranteed that these devices
are still working. A radar-like approach can be taken
with such non functioning devices. Modern mobile
RF devices contain a multiplicity of radio interfaces
such as Bluetooth, W-LAN, and GPS which enhances
the probability of detecting at least one of these.
The remainder of the paper is organized as follows.
Section 2 will give a brief background. Section 3 will
discuss the pulse radar system further. Section 4 will
show experimental results of a pulsed radar like sys-
tem used to excite wireless devices. Followed by the
conclusion in Section 5 and then the acknowledge-
ments.
2 Background
Optical and acoustical detection technologies are
widely used in search and rescue missions. Optical
detection instruments are in most cases manually con-
trolled and guided with borescopes with a limited
number of degrees of freedom in a debris area. Acous-
tical detection instruments, such as geophones, are
quite simple to use but require quiet working envi-
ronments. Therefore, radar detection systems seems to
be an interesting technology to work properly with K-
9 units for time efficient and mission improved search
and rescue applications. For the detection of persons,
presently both, UWB and CW radar systems are used
[3].
1
Further information

about the research project I-LOV: www.i-
lov.org The study is supported by BMBF.
412
Detection of passive electronic components in wire-
less system is analogous to a wireless reading of sen-
sors based on the surface acoustic wave (SAW) tech-
nology [4]. Using a radar system, detection of the RF
filters beyond the antenna and duplexer is possible.
The quality factor of a mobile phone RF filter is typi-
cally between 3.000 and 5.000. If a burst of the radar
is transmitted to the mobile phone, the burst is re-
ceived by the antenna and forwarded over the du-
plexer to the frequency-selective filter (see Figure 1).
If the frequency of this stimulating burst lies in the
passband of the RF filter, the energy is stored in the
filter. After switching off the transmission burst, the
stored signal can be measured as an RF echo which
propagates again over the duplexer and the antenna of
the mobile RF device into its environment. Shown in
Figure 2 is an example of how an echo may be re-
ceived and evaluated by the radar system. This
evaluation was performed using a VNA and the S11
data was processed. Additional info can be found in
[2].
3 Pulse Radar System
A pulse radar system is useful for many applications
[5]. The system described here is based on a very
simplistic approach to the pulsed system. A basic ra-
dar system consists of a transmitted signal propagat-
ing over a channel and then reflecting some of the
signal back as an echo. The transmitting antenna can
either be collocated with the received antenna or in
some other location as in a bi-static radar system. The
radar approach used here currently employs the trans-
ceiver concept. Shown in Figure 3 the setup consists
of a pulse frequency generator fed into a switch and
through to the antenna. The response is then received
as an echo response from any device within the field
of the antenna. The response is amplified after going
through the switch and then evaluated by an analyzer.
Synchronization exists between the frequency genera-
tor, analyzer and the switches. The synchronization
ensures proper switching and evaluation of the data.
The test setup consists of a one microsecond burst RF
signal generated at the frequencies of interest within
the GSM cellular phone band. A sweep of significant
frequency bands currently used by cellular companies
is needed. The signal was fed to the device under test
Figure 1. Block diagram of a generic radar system
and a pictorial representation of the SAW device in a
mobile phone.

Figure 2. The time response, when a phone is pre-
sent and when there is no phone, showing where the
resonance is clearly observed.

Figure 4. Pictorial diagram of the time characteris-
tics of a transmitted and received signal with and
without an echo response.

Figure 5. Example of an actual received signal with
the transmitted pulse overlaid on two echo responses.
One echo response from the test chamber only and
the other of when a phone is present

Figure 3. Generic diagram of the system used to excite
the devices.
0.2 0.4 0.6 0.8 1 1.2 1.4 1.6 1.8 2
-200
-180
-160
-140
-120
-100
-80
-60
-40
Time (us)
A
m
p
l
it
u
d
e

(
d
B
)
Time Resonance Response

No Resonance
Phone Resonance
413
through the use of a testing chamber. A reflected sig-
nal was read through an analog-to-digital converter
(ADC) into separate in-phase and quadrature chan-
nels. The digital signal was transferred to a computer
for evaluation. A characteristic signal can be seen in
Figure 4. An actual echo response shown in Figure 5
contains a feedthrough signal, a resonance from the
test chamber and antenna, and when applicable the
signal from the mobile device.

With the system described above, evaluation was per-
formed on four separate phones. The phones shown
in Figure 7 were donated from their previous owners
and therefore the characteristics of these phones were
not known a-priori. As such each of the potential fre-
quency bands were searched and a resonance looked
for. The devices were assessed using a testing cham-
ber. This cavity was created within which the cell
phone could be tested wirelessly while limiting out-
side interactions. Each phone was tested with the
phone powered off. Three had their batteries removed
and one was apparently damaged in some way as the
screen was cracked.
While more frequency bands were searched only the
results from the frequency bands that showed a reso-
nance will be shown. Because of the resonances be-
tween 900MHz and 1000MHz each of the phones
were apparently meant to be used in the GSM900
band. The results shown in Figure 6 have the first mi-
crosecond removed as it presents no useful data. The
phones each had a perceivable resonance. Phone 2
shown in Figure 6 (b) had the least noticeable reso-
nance. One can be seen around 920MHz but it decays
much faster than the other phones. This might be due
to the different antenna configurations. Different an-
tennas will likely couple different amounts of energy
into the filters. The PRF was changed from 100kHz
to 600kHz with no perceivable difference observed.
A study was also performed on the pulse length, while
under one microsecond the resonances shaped and
length decreased significantly. When the pulse was
over one microsecond there is nearly no difference in
resonance profile. The results from this test are
shown in Figure 8. As shown in Figure 6(a) a phone
may present a quite significant resonance. A 1us
pulse resonates for nearly 4us.

Figure 6. Results from four phones using the pulse signal system described in section three. The results shown in
(a) and (c) indicate a clear resonance around 950MHz. In (b) and in (d) the resonance is observed around
920MHz.

Figure 7. Phones used for testing. All are considered
older generation phones
414
While it is clear that it is possible to view the reson-
ance quite easily on some phones, it still remains to be
seen whether this technology can be taken into real
world scenarios. It is possible to improve detection
by summing multiple signals in order to improve the
signal level. However, it is not clear the trade off that
must be met in order to use different techniques.
5 Conclusion
This paper presented recent results of studies made
within the I-LOV project the German national re-
search program for civil security funded by the Ger-
man Federal ministry of Education and Research
(BMBF) concerning improved time efficiency and
reliable novel detection system for search and rescue.
Detection and accurate localization of victims buried
inside demolished buildings remains important for
saving peoples lives. Research was performed on the
ability to search for electronic RF-devices, which can
be buried with people, by using a pulsed radar like
system. Frequency filters of such device were ex-
posed to a radar pulse near the filters resonance fre-
quency and an echo detected, enabling the potential
localization of a device. Experimental results were
shown of a pulsed radar like system used to excite
wireless devices. Result will be shown with devices
using passive duplexer or diode based front-end re-
ceiver. These older architectures have at least one di-
rect connection from the antenna to the filter allowing
a direct channel for the pulse to flow. The results
seem promising for the detection of these devices.
Further evaluation is necessary for real world imple-
mentation.
6 Acknowledgements
This work was supported by the BMBF (German
Federal Ministry of Education and Research) under
contracts no 13N9759 and 13N9762.
References
[1] C.-M. Feng and T.-C. Wang, "Highway emergency
rehabilitation scheduling in post-earthquake 72
hours," Journal of the 5th Eastern Asia Society
for Transportation Studies, vol. 5, 2003.
[2] Feige, C.; Ostertag, T.; Loschonsky, M.; Reindl,
L.M.; , "Radar assisted detection of passive elec-
tronic components," Radio and Wireless Sympo-
sium (RWS), 2010 IEEE , vol., no., pp.200-203,
10-14 Jan. 2010
[3] Loschonsky, M.; Feige, C.; Rogall, O.; Fisun, S.;
Reindl, L.M.; , "Detection technology for
trapped and buried people," Wireless Sensing,
Local Positioning, and RFID, 2009. IMWS 2009.
IEEE MTT-S International Microwave Workshop
on, vol., no., pp.1-6, 24-25 Sept. 2009
[4] Malocha, D.; Kozlovski, N.; Santos, B.; Pavlina,
J.; Belkerdid, M.A.; Mears, T.J.; , "Ultra wide
band surface acoustic wave (SAW) RF ID tag
and sensor," Military Communications Confer-
ence, 2009. MILCOM 2009. IEEE , vol., no.,
pp.1-7, 18-21 Oct. 2009
[5] Skolnik Merrill I, Radar Handbook,2nd Edition.
New York: McGraw-Hill Pubilishing Company,
1990

Figure 8. The results from phone four when varying
the pulse width between point one and one microsec-
onds.
415
An Integrated Radar-Optronic Sensor - Architecture and Opera-
tional Experiences
1
st
Andreas Strecker, EADS CASSIDIAN Electronics, Ulm, Germany
2
nd
Dirk K Neumann, EADS CASSIDIAN Electronics, Ulm, Germany
3
rd
Stefan Jock, EADS CASSIDIAN Electronics, Ulm, Germany
Abstract
In 2006 EADS CASSIDIAN Electronics (CE) received a contract for the development and production of two
demonstrators of a surveillance system called BR (Boden-berwachungs-Radar) from the German army mate-
rial command (BWB). A main part of this contract was the development of a completely new ground surveil-
lance radar (GSR) called TRGS which today is part of the new security radar prodcut family SPEXER. This is
the first radar worldwide in the class of ground surveillance radars that uses active electronic steered antenna
(AESA) technology for the reliable detection of a single pedestrian in a range of >15km. This antenna re-
moves in comparison to existing, conventional radars the need of mechanical movement of the antenna and
provides a multi-beam capability. Many operational limitations of existing radar solutions can therefore be
removed.

In particular, this AESA antenna technology offers additional and very effective possibilities in the field of
wide-area surveillance, especially when it is run in a master-slave configuration with an optronic senor. An ex-
treme low false alarm rate, high clutter resistance and a precise and continuous control of the optronic sensor on
a moving target of interest while doing sector scanning in parallel is only one example of several advantages that
will be discussed in the following.

In the context of border security the SPEXER radar has already been sold more than 80 times to provide wide
area surveillance in combination with an optronic sensor. In all cases, the advantages of the AESA antenna tech-
nology could be proven.

1 TRGS Description
1.1 TRGS Architecture
This new radar can not only be operated on a mast, as
for vehicle integrated versions, but based on the
modular realisation also on a tripod installable by two
persons within minutes without special tools. The
TRGS (see Figure 1) is based on existing and proven
technologies of GSR:
Pencil Beam with low side lobes,
Pulse-Doppler radar with fine Doppler tone,
Doppler high resolution for the detection of slow-
ly moving targets with small RCS in clutter,
High stability with consequently high sub-clutter
visibility,
and uses existing EADS technology yet innovative
technology for GSR:
Antenna with electronic beam control (AESA-
Active Electronic Steered Antenna).
The use of the proven GSR technology is the basis for
a reliable detection of slowly moving targets in clut-
416
ter. The use of an antenna with electronic beam re-
moves the operational disadvantages and limitations
of the existing mechanically scanning GSR and offers
up to now not possible operational features like
Multimode operation with flexible scan strategy
like Point surveillance or target verification with
high update rate during sector surveillance.
Dual-Beam Mode operation for single target
tracking with constant Doppler tone of the
tracked target parallel to sector surveillance. This
mode is only achievable by two radars when us-
ing radars with reflector antennas and is espe-
cially suitable for operation in an area with short
target visibility.

Figure 1 TRGS tripod configuration

Other important features, in particular in the area of
security, are the very low false alarm rate, the capabil-
ity of target classification and high target resolution
(<1m have been operationally shown) by using the
high Doppler resolution.

The radar is built up in a modular way (see Figure 2).
All for the radar performance relevant components
are integrated in the Generation and Processing Unit
(GPU) and in the antenna unit (ANU).

Figure 2 TRGS mechanical design

The GPU consists of the complete radar processor
(RAP) and the radio frequency unit (RFU). All physi-
cal radar performance relevant signals are conse-
quently generated and processed inside one housing:
the GPU. This is the basis for the realisation of a ra-
dar stability of >75dB.
For radar operation in 120 azimuth angle only ANU
and GPU are necessary. For operation of n*360 the
pedestal (PED) is necessary and the GPU and the
ANU are mechanically mounted to a frame which can
be adapted in elevation by the elevation drive.
1.2 Main TRGS feature
The main features of TRGS are:
Built up modular, easily installable and remotely
controllable for unattended operation.
The following target detection ranges are based
on standard radar Blake range calculations with
90% detection probability and 10e-6 false alarm
rate.
o Pedestrian (RCS 0,5m) in a range
>20km,
o Light vehicle in a range > 20km,
o Light truck in a range of > 25km,
o Low level helicopter in a range of
>30km.
Frequency band: X-Band (>100 channels from
9.2-10 GHz).
Fully coherent Pulse-Doppler radar using pulse
compression with NLFM.
Azimuth beamwidth ca 2.4, elevation beam
width ca. 4.5.
Accuracy in range <5m and in angle <5mrad.
Low minimum velocity detection <0.5m/s.
Unambigious Doppler range up to 94km/h, us-
ing PRF staggering beyond 400km/h.
3 forms of tracking (track-while-scan, multiple
target tracking with an update rate of <2s, and
single target tracking (also parallel to sector sur-
veillance using dual-beam mode).
Flexible electronic scan range 60 (azimuth),
mechanical azimuth adjustment 360.
Radar modes (360 surveillance, multi sector sur-
veillance, multiple target tracking parallel to sec-
tor surveillance, single target tracking parallel to
sector surveillance, etc).
Mechanical elevation angle adaptation 20.
Surveillance modes: Ground surveillance, sea
surveillance and air surveillance.
Interfaces: 24V/500W, Ethernet LAN using open
format for control and data.

1.3 Operational Advantages of TRGS
TRGS has been demonstrated at several radar trials in
Germany but also in operation abroad in different re-
gions (deserts, mountain areas, savanna etc). Based
on its inherent features in comparison to radars using
reflector antennas TRGS demonstrated far better per-
formace and consequently higher operational accep-
tance than conventional, mechanically turning radars:

417
No antenna movement during coherent data
evaluation, consequently no clutter Doppler-
spread and therefore improved target detection
performance of slowly moving targets resulting
in better performance for security applications.
Use of most modern technology with realisation
of very high radar stability (>75dB) and conse-
quently high sub clutter visibility.
Most modern pulse compression technology with
e.g. >50dB side lobes as basis for the detection of
small targets like pedestrian in difficult clutter
situations.
Multi-beam operation with e.g. operation of sin-
gle target tracking in parallel to sector surveil-
lance, a functionality which is not possible with a
radar using a reflector antenna. Consequently re-
moving the operational limitations of mechani-
cally scanning radars for which target verification
requires stopping of the surveillance function
thus losing control of the area to be surveilled.
Low life-cycle costs as no mechanically moving
parts are used.
Graceful degradation, i.e., if some of the trans-
mit-receive modules fail the radar is still opera-
tional with only slightly reduced performance.

1.4 Radar Product Family SPEXER
Based on the BR TRGS radar demonstrator devel-
opment, CASSIDIAN realised a radar product family
called SPEXER by re-using the main features and op-
erational advantages of TRGS
Multimode and multi-beam operation,
High stability, excellent pulse compression per-
formance,
Use of Active Electronic Steered Antenna,
etc.

and adding new functionalities. Furthermore, due to
the non-military environment and requirements sev-
eral cost optimisation measures could be initiated.

The SPEXER family today includes:

SPEXER 2000
This is a direct derivative of the BR TRGS ra-
dar with some small changes (change of refer-
ence oscillator frequency and removal of mo-
nopulse functionality). SPEXER 2000 is in pro-
duction and more than 40 units have already been
delivered and installed and the next 40 units are
in production. SPEXER 2000 is able to detect a
single person with an RCS of 0.5m with a Pd of
90% and a Pfa of 10e-6 in a range of more than
18km.
For security applications, it is optimised for the
detection of asymmetric threats for ground-, sea-
and air-surveillance like pedestrians, small boats
and scooters in the sea waves or very small and
slowly flying UAVs with an RCS of 0.1m or
smaller.

SPEXER 2000 Coastal
SPEXER 2000 Coastal has the performance of
SPEXER 2000 and additionally a mode of sur-
veillance up to 5km range with several beams in
parallel. The operation of several beams in paral-
lel has the benefit of the realisation of a much
higher update rate in comparison to a surveillance
with only one beam. Therefore, SPEXER 2000
Coastal can be operated with Doppler high reso-
lution and high update rate. This feature is the
basis for the detection of very small targets like
swimmer, mines or periscopes in sea waves.
Thus, SPEXER Coastal is optimised for security
applications for coastal surveillance like surveil-
lance of harbours or industrial areas at the coast
with asymmetric threats from the sea side.

SPEXER 1500
SPEXER 1500 is a cost optimised derivative of
SPEXER 2000. This cost reduction is realised
based on a slight reduction of the detection per-
formance for a single pedestrian from >18km to
15km range by e.g. size reduction of the antenna
and higher integration of the radar electronics in
the GPU. This size reduction has the additional
benefit that the ANU and GPU are both realised
with a single weight of <30kg. Therefore, for se-
curity applications SPEXER 1500 is especially
suitable for mobile applications or as gap filler in
combination with SPEXER 2000 for large sur-
veillance system solutions.

SPEXER 3D
SPEXER 3D is under development and can be
realised for the TRGS based members of the
SPEXER radar product family. SPEXER 3D is
the realisation of a 3D antenna with additional
electronic steering in elevation. This functionality
is realised by exchanging the radiating elements
of the ANU and the use of the many frequency
channels and large bandwidth for a frequency
controlled elevation beam steering.

SPEXER 1000/500/100/10
This is a cost optimised part of the radar family
using the FMCW principle in combination with
digital beamforming for different detection
ranges for the pedestrian up to 10km.

418
2 Radar Optronic Sensor
2.1 Principles
A radar is able to monitor large areas and to generate
detections, plots and tracks of a large number of tar-
gets. It therefore complements existing security sen-
sors such as light barriers, CCTV, movement detec-
tors, etc. that are limited in range and/or field of view
as well as the detection of a large number of targets.

For security applications, which include the need of
wide area monitoring, a combination of a ground sur-
veillance radar with an optronic sensor can signifi-
cantly increase the effectiveness and efficiency of the
security system.

Therefore, the need for a sensor-combination of radar
and camera is attractive. This combination should
work in an automatic master-slave mode such that the
camera picture of a radar detection based selected tar-
get is displayed automatically on a screen.

However, a real operational benefit of such a sensor-
combination can only be achieved if the radar pro-
vides the key-advantages of AESA technology:

The SPEXER detects targets in a large area inde-
pendent of environmental conditions like weather
and day-time with a very low rate of false alarms,
which is very important for the efficient use of
security personnel.
Only suspicious targets (e.g. selected by location,
speed, Doppler spectrum) could automatically
trigger a function that steers the optronic sensor
onto the target.
Using the Dual-beam mode the radar does single
target tracking in parallel to the area surveillance
with track-while-scan. This enables a very pre-
cise and continuous auto-control of the optronic
sensor on the target without losing any informa-
tion of the area to be monitored. Therefore, the
operator can concentrate on the identification and
engagement of only relevant alarms and real
threatening scenarios.
Only a precise auto-control of the optronic sensor
enables the use of a video content analysis
(VCA) tool, which makes the security system
even more powerful, i.e., single target tracking is
a key feature.
When tracking a single target additional target
information is generated by the use of the con-
tinuous Doppler spectrum of it. This can be used
for an automatic target classification to differen-
tiate between wheeled and tracked vehicles, heli-
copters and pedestrians. Furthermore, the radar
operator could classify the target manually based
on his/her experience by listening to the Doppler
tone.

In the context of security applications the information
that is provided by an optronic sensor is very relevant
for the final verification of an alarm, to assess the
threat and to evaluate the right and most efficient
counter measures.

For radars using reflector antennas the use of single
target tracking and focusing on a single target has the
consequence that the surveillance sector is not
scanned any more and the operator loses the situ-
ational awareness for the area to be monitored.
The only solution to overcome that is the interaction
of the operator who then has to focus on the manual
control of the camera and is not able to manage other
alarms at that time. Furthermore, without single target
tracking the use of VCA is hardly possible, which fur-
ther degrades the effectiveness of the security system.
Another operational problem of reflector antennas is
the relatively low stability leading to decreased detec-
tion performance and an increased false alarm rate
due to limited Doppler resolution. Both facts impact
the efficiency and therefore the operational effective-
ness and operational costs significantly compared to
AESA technology based radars.

2.2 Radar Optronic Solution
CASSIDIAN worked out a solution by using the in-
herent features of the SPEXER radar product family
No antenna movement during radar operation
This is the basis for mounting a camera directly
on top of the radar. This way, a very high accu-
racy can be achieved and the installation and
alignment is extremely simple. Radars using me-
chanical scanning antennas have to stop the an-
tenna movement and consequently radar surveil-
lance to use a camera which is directly mounted
to the antenna. For the SPEXER radar family an
additional pan-tilt (P/T) drive for the camera can
be mounted on the frame and during radar sur-
veillance the camera including the drive can be
operated without any impact to the radar opera-
tion.
Single target tracking in parallel to the sector sur-
veillance
This feature offers the possibility of tracking a
target in parallel to the surveillance with a high
accuracy. The target information of range and
azimuth can be used directly to control the cam-
era and also the P/T of the camera.

419
A first realised solution is displayed in Figure 3

Figure 3 Combination of TRGS with high per-
formance Optronic Sensor with CCD and IR cam-
era
A second solution is shown in Figure 4

Figure 4 Combination of TRGS with CCD camera

The interface between radar and optronic is simple,
24V power supply, a standard Ethernet interface to
the optronic for control and transmission of the cam-
era picture and a mechanical interface on the mount-
ing frame of the radar.
This flexible interface definition is the basis that dif-
ferent kind of cameras can be mounted easily to the
different kind of radars of the SPEXER family.
The complete integrated radar-optonique sensor is
supplied by one power supply and controlled through
one Ethernet interface by one human machine inter-
face (HMI).

3 Summary
The now available SPEXER radar product family of-
fers the possibility of realisation of an integrated ra-
dar-optronic sensor with full operational performance
of both sensors in parallel
The radar-optronic sensor features one Ethernet
interface to the human machine interface (HMI).
Master-slave operation of the optronic by the ra-
dar or vice versa with a high accuracy is assured.
Shadowing effects or blind areas as they are
known from mounting of the sensors on different
tripods or masts do not occur.
The product family of radar but also optronic as-
sures that a radar-optronic sensor can be realised
in many different forms optimised to the different
tasks.
With the availability of the SPEXER 3D antenna
the SPEXER radar family offers, for the first time
in this radar class, the possibility of 3D tracking
and consequently 3D optronic control which
makes this radar-optronic sensor very useable for
security applications with airborne threats like
small UAVs.
The radar-optronic sensor increases effectiveness
of security systems (e.g. large area surveillance)
and reduces operational costs (e.g. reduced work-
load for operators, less false alarms).
Low life-cycle costs due to non-moving parts and
graceful degradation capability.
The next step will be the automatic target identi-
fication by combining the radar information of
range, angle, track and classification with an op-
tronic picture evaluation.
Optronic sensor and radar are very easy to inte-
grate.
420
Towards proactive security surveillance by combining technology
and human factors

Maaike Lousberg, TNO Behavioural and Societal Sciences, the Netherlands.
Jeroen van Rest, TNO Technical Sciences, the Netherlands.
Abstract
In security surveillance, observing and reacting to deviances in human behaviour may lead to the prevention of
criminal acts or in some cases even terrorism. Yet, human behaviour is complex and there are ethical and privacy
aspects that need to be taken into account. TNO focuses on how man and machine should cooperate to increase
the effectiveness and efficiency of proactive security surveillance by combining the strengths of man and ma-
chine and diminishing their weaknesses. This paper enumerates five major challenges in this field of research
and gives insight to our future focus.

1 Introduction
Looking at human behaviour for surveillance pur-
poses may sound very simple, but it requires a trained
eye. To increase the effectiveness of security surveil-
lance, research recently concentrated on what kind of
deviant, abnormal or even suspicious behav-
iour can be detected by security personnel or intelli-
gent systems [1]. Of course, many aspects have to be
taken into account besides behaviour detection to in-
crease the effectiveness and efficiency of proactive
security surveillance
1
. Even though we are slowly
starting to understand how to look at, and respond to
suspicious behaviour there are still some mayor chal-
lenges for research in this field. In this paper we will
enumerate five of these challenges.
2 Challenge 1: What is suspi-
cious, really?
In recent years, several researchers have focused on
defining suspicious behaviour that is associated with
criminal or terrorist actions [3][4][5]. Some of these
studies concentrate on behaviour that takes place prior
to a criminal or terrorist event [6][7]. For example,
Lousberg et al. [7] have compiled a survey on the
definition of observable deviant terrorist behaviour

1
Examples of these aspects are: goals of the organisation (e.g.
security versus service), selecting and training security personnel,
cooperation and communication between different types of security
personnel (operators and the people on the floor), designing the
surveillance centre in a way that supports behaviour detection [2]
and so on.
relevant for public transport locations. This research
has resulted in a list of 196 possible identifiable key
behavioural indicators of hostile intentions.
The study of Lousberg et al. and other researchers are
relevant; they have increased our knowledge on what
people think is abnormal, suspicious or deviant. But
what is suspicious, really?
In earlier studies data was collected in several ways.
First, security personnel was interviewed to find out
what behaviour they defined as suspicious. Second,
abnormality was automatically defined after recording
hours and hours of video of a specific location. Third,
a tape or an eyewitness story of a single criminal or
terrorist event was used to define suspicious behav-
iour. Fourth, deviant or suspicious behaviour was de-
fined by using actors or by red teaming exercises.
All these methods have their disadvantages;
Security personnel is not completely objective
(see also challenge 3) especially when untrained,
not all deviant behaviour is suspicious,
behaviour shown in small amounts of events is
not reliable,
exercises with actors are low in validity.
The only way to find out what is really suspicious is
to collect large amounts of video images of criminal
or terrorist events at specific locations on the one
hand, and compare them to large amounts of video
images of normal situations at specific locations on
the other. By doing this the reliability, validity, and
the context dependent variability is taken into ac-
count. Thereby the chance of the occurrence of false
positives (falsely accusing someone of being suspi-
cious) and false negatives (not accusing someone with
criminal or terrorist intentions) decreases.
421
When the definition of suspicious behaviour for spe-
cific types of incidents at specific locations (terrorism
at an airport differs from art theft at a museum) is
supported by science, crucial combinations of behav-
ioural indicators can be created to decrease the occur-
rence of false positives and negatives. This can be
done by analysing such a video database using Bayes-
ian Belief Networks [8]. By combining these indica-
tors, security personnel can be supported in making
the decision to watch someone a little longer, or in the
decision to act upon what they have seen.
3 Challenge 2: How can a ma-
chine understand a behav-
ioural scientist?
Historically, intelligent cameras in security applica-
tions have been designed primarily to assist in situa-
tions when the mere presence or absence of a human
or object should already generate a system action.
Four out of five current scenarios of UK based video
content analysis product-benchmark i-Lids [9] origi-
nate from such basic functionality:
Sterile zone monitoring;
Parked vehicle detection;
Abandoned baggage detection;
Doorway surveillance;
The fifth i-Lids scenario is multi-camera tracking. Al-
though substantially more difficult than the other four
scenarios, this capability can vastly increase the situ-
ational awareness for operators. At the Amsterdam
Central Station, automated tracking software has dis-
covered behaviour on a large geographic scale that is
difficult for operators, or police officers on the ground
to see, such as people avoiding the police [10].
Automated systems have to be told what relevant be-
haviour looks like, and which features of that behav-
iour can best be used to discriminate one type of be-
haviour from another. Basically, this can be done in
two different ways: by example, or by definition. So,
either behaviour is recognized because it looks like
certain examples, or pre-configured rules are applied
that distinguish relevant behaviour.
In both cases, a language is needed to describe the
behaviour in. For some applications, it is sufficient to
describe behaviour as the path that was followed, but
this is ignoring:
Physiological parameters, such as temperature of
body parts, or heart rate;
Face direction and expression, and body posture;
Clothing and attributes;
Interaction with surroundings, especially other
people and vehicles;
Such a language should also take into account seman-
tic ambiguities:
- Giving an object is complimentary to receiving an
object;
- Running correlates with fleeing;
In CORTEX [11], the Dutch part of the programme
Minds Eye (DARPA), an ontology of human behav-
iour is built. This ontology enables decision trees that
prune groups of behaviour-hypotheses in the recogni-
tion process, so the technical complexity of behav-
iour-recognition is reduced.
Behaviour observed in isolation is rarely relevant in-
formation. There is also an ethical side to this: there is
a lower boundary on the amount of information that is
needed before we can justify any action against an
individual. Technically, taking multiple measurements
can help to correct measurement errors. Both aspects
are addressed in system architecture concepts and
methods [12][13] that strives to improve detection
rate while minimizing impact on people flow.
Formalizing descriptions of human behaviour creates
several opportunities with regard to intelligent sys-
tems, training, business and ethics. Besides allowing
specialization by industry into recognizing specific
types of behaviour, making the behaviour explicit,
specific and public also educates the public about the
possibilities and traps, and enables an informed public
debate.
4 Challenge 3: Should we trust
our gut feeling?
Not all behaviour is automatically detectable by intel-
ligent cameras nor will this be the case in the (near)
future [7]. We will always need humans to make a de-
cision on whether what the sensor says is accurate.
Moreover, it is the human security officer that has to
respond to the detected suspicious behaviour.
This means that security personnel must be trained in
what behaviour to look for and/or, how to look for
this kind of behaviour. How to sharpen these skills
exactly is an on-going discussion. Because, what is
the best way to teach security personnel how to do
this? On the one hand it is possible to teach them to
focus on a specific set of behaviours. We call this the
part-task approach. This is a detailed method that fo-
cuses on training people in the specific tasks they
have to complete. For example, what kind of behav-
iour is prototypical for a pickpocket at a museum?
What kind of behaviour is prototypical for a drugs
dealer at a train station? What combinations are rele-
vant? After observing what kind of combinations is
acting allowed?
On the other hand, it is possible to focus on compe-
tences and cognitive skills that are needed to become
an expert in monitoring deviant or suspicious behav-
iour [14]. We call this the whole-system approach.
This is a method that focuses on training people in the
process and underlying principles that are needed to
define and react to deviant or suspicious behaviour.
Both methods have their advantages and disadvan-
tages. The part-task approach is very practical and
concrete; it gives people specific examples of what to
422
look for. This is especially important for the types of
threats security personnel have no or limited experi-
ence with, such as terrorism. It increases the under-
standing of why it is important to focus on behaviour,
instead of ethnicity, skin colour, or identity. The
downside to this method is that if security personnel
is trained in focusing on the wrong type of behaviour,
research in the field of lie detection concludes that
accuracy decreases with 10% [15]
2
. Another disad-
vantage is that the amount of information security of-
ficers need to store and remember combinations of
behaviour for specific types of threats and locations-
is large and might change over time. Also, by focus-
ing on specific sets of behaviour confirmation bias
might occur. Confirmation bias is a tendency for peo-
ple to favour information that confirms their precon-
ceptions or hypotheses regardless of whether the in-
formation is true [16]. As a result, it is possible that
people only focus on what they have learnt and not on
other signs that might be relevant.
The advantages of the whole-system approach are that
no large amounts of information need to be stored and
that changes over time are taken into account. The
disadvantage of this method is however that when the
behaviour is not specified, people will rely more on
their gut feeling to determine what is deviant or sus-
picious. This is not by definition a bad thing, research
states that intuition is sometimes marvellous and
sometimes flawed [17]. Klein and Kahneman con-
clude that evaluating the likely quality of an intuitive
judgment requires an assessment of the predictability
of the environment in which the judgment is made
and of the individuals opportunity to learn the regu-
larities of that environment. The question is whether
these regularities are present in surveillance situa-
tions. It is possible that this is the case for high occur-
rence incidents such as pick pocketing, but not the
case for low occurrence incidents such as terrorist at-
tacks.
The whole system approach is also more vulnerable to
something called operator bias, which is a term for a
collection of biases can be found with operators, such
as stereotyping or discriminating. For example, Norris
and Armstrong [3] found that American operators had
a strong tendency to target males, those in their twen-
ties and black people. Offering ways in which one can
decrease stereotyping, prejudices and confirmation
are needed to decrease the probability of the occur-
rence of false positives and false negatives [18].
The solution to this challenge probably lies some-
where in the middle and therefore research should fo-
cus on what type of training is effective in increasing
the accuracy of the security personnel in the detection
of and the reaction to suspicious behaviour.

2
This is another reason why we need to focus only on the deviant
or suspicious behavior supported by research as is stated in chal-
lenge 1.
5 Challenge 4: What about pri-
vacy?
A person cannot control his identity, ethnicity or skin
colour but with regard to behaviour, we do have a
very strong sense of autonomy. Having a free will im-
plies that we have control over at least a part of us,
which implies that we also have a responsibility about
it. So unless someone poses an elevated risk because
of previous behaviour, there should be refraining as to
what a surveillance system observes on him. Behav-
iour however, is something a person can control, at
least voluntary behaviour. Heart rate and body tem-
perature are on the boundary of voluntary and invol-
untary, as is clothing. In any case, this is an argument
that favours looking at behaviour over identity, skin
colour and ethnicity.
Making this kind of data, information and knowledge
available poses both risks and opportunities. By mak-
ing the knowledge explicit, it also becomes controlla-
ble. Transparency, accountability, privacy and free-
dom of choice should be guiding principles.
With regard to the principle privacy, the 7 steps of
privacy-by-design [19] could be applied to human be-
haviour observation, as follows:
Proactive not Reactive; Preventative not Reme-
dial: Separate identifying data such as faces and
license plates from surveillance footage. [20]
This prevents third parties to identify them with-
out proper authorisation. A second proactive de-
sign pattern would be to release long tracks of
persons only when suspicious behaviour was ob-
served on smaller sub-tracks. Large sets of ob-
servations on a person can then only be linked
when subsets already show suspicious behaviour.
Privacy as the Default: if a person doesnt dem-
onstrate suspicious behaviour then nothing
should happen with his personal data.
Privacy Embedded into Design: Tracking people
might be needed to link multiple observations on
them. Face recognition or a digital cloud (GSM,
RFID, etc.) could be used to track them, however
such technologies are out of proportion with that
intended goal, because persons can also be identi-
fied with these technologies. There are alterna-
tives with which people can be tracked without
using personal data. [21]
Full functionality positive sum, not zero-sum: If
a persons behaviour is suspicious, security offi-
cers should be able to investigate. Beware of de-
sign choices that prevent you from doing this un-
necessary.
End-to-end security lifecycle protection: Delete
surveillance footage after the retention period.
Visibility / transparency: the list of suspicious
behaviours could be classified information, but it
should be controlled by a DPA or parliament.
Respect for Users: Where possible in your par-
ticular surveillance concept: stimulate choice of
423
freedom and transparency. Explain that a persons
behaviour is directly controlling his privacy.
5 Challenge 5: Nice theories,
but is it safer now?
What works in the lab, needs to be tested in practice
so that it can be used at surveillance locations. The
maturity of an innovation can not be considered sepa-
rate from the interaction with the application domain.
The formal definitions of Technology Readiness Lev-
els 5 to 7 [22] refer to relevant and operational
environments. For stand-alone products and simple
systems, such environments are quite easy to arrange.
For more complex experiments and tests, such op-
erational environments, a.k.a. field-labs, need to be
selected and equipped with more care. For innova-
tions on the topic of human behaviour, we would need
environments where behaviour is as authentic as pos-
sible, where the behaviour can be manipulated in ex-
periments, and where parties, pre-competitively, can
cooperate to find out the true value of innovations,
and best way to apply them in practice. An example
of such an experiment was Yellow Line at the Am-
sterdam Central Station in 2010. [10]
In order to determine if an experiment or test are suc-
cessful, results must be measurable. So, performance
indicators need to be defined. However, defining
these performance indicators is difficult. It is hard to
define if the new security methods positively contrib-
uted to catching more drug dealers, or whether there
were actually more drug dealers active during the pe-
riod in which effects were measured. Also, we know
what we caught, but what did we miss? In other
words, how do we measure whether the new methods
or technologies positively attributed to safety or secu-
rity?
A similar question arises in the supply chain for secu-
rity products. The I-Lids benchmark [9] introduced in
challenge 2 was created to create more transparency
with regard to the performance of security products,
in this case video content analysis. Such benchmarks
also need agreed-upon performance indicators. The
question becomes, which indicators are suitable for
the wide range of human behaviour that is relevant in
the security domain?
These questions should be answered by evaluating
innovations on there own merits. Take, for example,
the question whether camera surveillance helps at all.
This could be translated to an experiment where areas
with camera surveillance are compared to areas or
periods- without camera surveillance. Such an ex-
periment would be complicated by many hidden pa-
rameters and ultimately the results can never be con-
clusively attributed to the absence or presence of the
cameras.
In another approach, we would map the same ques-
tions on a control loop such as OODA (Observe, Ori-
ent, Decide, and Act) [23], where camera surveillance
would be integrated with the Observe-functionality,
perhaps also with the Orient-functionality, but not
with Decide and Act-functionalities. The next step
would be to describe performance indicators for Ob-
serve and Orient functionalities, and measure effects
there. The evaluation hypothesis regarding camera
surveillance would become surveillance with cam-
eras sees more than without cameras. Note that this
hypothesis states nothing about security-effects in the
outside world.
Other possibilities to deal with measuring safety and
security is to focus on derived aspects of safety and
security, such as perceived safety, a decrease in the
amount of discrimination complaints, or positive
changes in cooperation between different security
teams at the location.
6 Conclusion
In this paper five challenges concerning the effective-
ness and efficiency of proactive security surveillance
were enumerated. One aspect is important for all of
the challenges; technical researchers and societal re-
searchers need to combine their knowledge. In the
field, people and systems work together to improve
the safety and security at surveillance areas. The chal-
lenges described show that in research, it should be
no different.
References
[1] Xiang, T. & Gong, S. (2008). Video Behaviour
Profiling for Anomaly Detection, IEEE Trans-
actions on Pattern Analysis and Machine Intelli-
gence, vol. 30, no. 5, pp. 893-908.
[2] Schilder, C., Lousberg, M. (April 4-6, 2011).
Combining Ergonomics and Psychology for in-
creasing effectiveness of proactive camera sur-
veillance. Paper presented at ODAM (Organiza-
tional Design and Management) Conference X,
Georgetown, South Africa.
[3] Norris, C. & Armstrong, G. (1999). CCTV and
the social structuring of surveillance. Crime
Prevention Studies, 10, 157-178.
[4] Bodor, R., Jackson, B., & Papanikolopoulos, N.
(June, 2003). Vision based human tracking and
activity recognition. In Proc. 11th Mediterra-
nean Conference on Control and Automation.
[5] Burgoon, J., Adkins, M., Kruse, J., Jensen, M.L.,
Meservy, T., Twitchell, D.P., Deokar, A. Nuna-
maker, J.F, Lu, S., Tsechpenakis, G., Metaxas,
D.N. & Younger, R.E., (2005). An Approach for
Intent Identification by Building on Deception
Detection. Proceedings from the 38th Hawaii In-
ternational Conference on System Sciences,
Hawaii.
424
[6] Troscianko, T., Holmes, A., Stillman, J., Mirme-
hdi, M., Wright, D. & Wilson, A. (2004). What
happens next? The predictability of natural be-
haviour viewed through CCTV cameras. Percep-
tion, 33, 87-101.
[7] Lousberg, M., Langelaan, S., Wetzer, I.M., &
Hemert van, D.A. (2009). Monitoring van afwi-
jkend gedrag. (Report TNO-DV 2009 C186)
Soesterberg, The Netherlands: TNO Human Fac-
tors.
[8] Neary, C., & Tatlock, K. (2008). Detecting Sus-
picious Behaviour Through Intelligent Surveil-
lance, D1 Report, Knowledge Acquisition and
Modelling (WP1) Results. BAE Systems, Inte-
grated Capability & Technology Programme
2008, TES 103529 In:
https://www.informationsystems.foi.se/.../ADAB
TS_D3.1_Abnormal_Behaviour_Definition_Pub
lic_(PU)_final.pdf
[9] Image library for intelligent detection systems
(2011).
http://tna.europarchive.org/20100413151426/sci
enceandresearch.homeoffice.gov.uk/hosdb/cctv-
imaging-technology/i-lids/index.html
[10] Burghouts, G. J., den Hollander, R., Schutte, K.,
Landsmeer, S., Marck, J-W. & den Breejen E.
(2011). Increasing the Security at Vital Infra-
structures: Automated Detection of Deviant Be-
haviors, SPIE Defence, Orlando.
[11] Burghouts, G. J. & Schutte, K. (2011). A vision
towards automatic inference of hostile intent
from sensory observations, NATO MSS con-
ference.
[12] Burghouts, G. J. & Marck, J-W (2010). Reason-
ing about threats: from observables to situation
assessment, IEEE Transactions on System, Man
and Cybernetics, special issue on Pattern Rec-
ognition for Anti-terrorism Applications, sub-
mitted.
[13] Rest, J.H.C. van, et al, Safety and Security Sys-
tems in Europe 2009, Sensors and Tracking
Crossing Borders, Proc Micromaterials and Na-
nomaterials
[14] Duistermaat, M., Hemert van, D.A. & Trijp van
S.M.A. (2010). Military Threat Detection. How
to effectively recognise indicators from the en-
vironment. TNO Report. TNO DV 2010 A452.
[15] Kassin, S. M., and Fong, C. T. (1999). Im in-
nocent!: effects of training on judgments of
truth and deception in the interrogation room.
Law Hum. Behav. 23, 499516.
[16] Plous, S. (1993). The Psychology of Judgment
and Decision Making, McGraw-Hill, p 233.
[17] Kahneman, D. & Klein, G. (2009). Conditions
for intuitive experts. A failure to disagree.
American Pschologist 64, 6, pp515526.
[18] McCahill, M. (2002). The surveillance web; the
rise of visual surveillance in an English city.
Cullopton: Willan Publishing.
[19] Cavoukian, A. (2011). Privacy-by-Design,
http://www.privacybydesign.ca/
[20] Roelofsen (2003). Patent WO 03/010728/A1
Method and System and Data Source for Proc-
essing of Image Data
[21] Khan, S.M. & Shah, M. (March 2009) Tracking
multiple occluding people by localizing on mul-
tiple scene planes. IEEE PAMI, 31, 3, pp 505
519.
[22] DoD (2009) Technology Readiness Assessment
(TRA) Deskbook, pp 1-1 & 1-2
[23] Boyd, J.R. (1995). The Essence of Winning and
Losing Boyd, a five slide set by Boyd.
http://www.danford.net/boyd/essence.htm
425
Searching for Abnormalities Instead of Suspects
Joanna, Pliner, ISCA, Israel
Ran, Cohen, ISCA, Israel

Abstract
As technology develops and progresses, it is imperative that human situational awareness skills and capabilities
not fall by the wayside. Rather, heightened situational awareness needs to be the leading component of public se-
curity. To embrace the most effective and progressive method of situational awareness, security personnel on the
ground and behind the screens need to stop looking for suspects, and start looking for abnormalities. Searching
for abnormalities is proactive security, rather than reactive.

Searching for abnormal behavior removes social blinders and allows security personnel to focus on searching for
potential dangers and deviant intentions instead of preconceived notions of what a suspect looks like. Security
personnel need to search for those who should be stopped, instead of stopping assumed suspects to find that for
which they are searching. Establishing a definition of local normality creates common ground between fellow
officers, which ensures that they are working along the same parameters and increases team cohesion. This
enhanced collaboration improves their performance and provides more effective security for the public. Heigh-
tened awareness advances the efficacy of technology and allows for the utmost public safety by ensuring that
someone is always prepared with the tools and capabilities to be proactive. The change from searching for sus-
pects to searching for abnormalities increases the effectiveness of security practices, and has the indispensable
added value of restoring trust between community members and law enforcement, and negating ethnic profiling.

1 Introduction
1.1 Awakening Our Instincts
Innate personal awareness was the origin of security,
and it is the future of security.

Personal awareness is a human instinct. Situational
awareness extends the given value of that instinct to
protect others, and is the root of public security. Hu-
mans instinctively used situational awareness as a sur-
vival mechanism during the origins of humanity
being aware of our surroundings for protection, and
for survival. People understood every physical and
cultural facet of their local setting out of necessity.

The progression of civilizations, inter-group conflicts
and technologies has drawn people away from using
personal awareness instincts, and that distancing has
adversely affected the field of public security. Search-
ing for abnormalities instead of suspects goes back to
the basics, increasing both the fairness and effective-
ness of public security practices.

1.2 Transcending Boundaries
The word suspect has a different connotation for eve-
ryone. It embodies a different combination of charac-
teristics for each person, dependent upon their per-
sonal experiences. If an officers idea of a suspect is
not relevant to the local environment, they are likely
to actually be distracted by their own restrictive blind-
ers, and let a legitimate threat pass by.

Deviant behaviour and public security threats tran-
scend cultural and technological barriersthere is no
absolute characterization of an adversary, no singular
offence that is always committed, and no one plan that
is habitually followed. Therefore, situational aware-
ness must also transcend cultural and technological
barriers by looking for abnormalities instead of sus-
pects.

1.3 Effectively Proactive
Searching for abnormalities instead of suspects allows
officers to approach a situation of deviant behaviour
before it manifests into a security threat. By defining
local normality and searching for abnormalities, offi-
cers embrace preventative security. Reactive secu-
rityreacting to an incident that has already oc-
curredmisses the mark. As soon as the incident has
occurred, it is too late; damage is already done, people
are already hurt, the security situation is already al-
tered. When officers proactively approach an abnor-
mality, they can maintain public order and prevent a
security threat from actually coming to fruition.

Looking for abnormalities is more professional and
more effective than looking for suspects, and has the
imperative added values of consistent preparedness,
being counter-ethnic profiling, building trust between
community members and law enforcement, and en-
hancing the benefits of technology.
426

2 What Does It Mean to Search
for Abnormalities?
2.1 See the Big Picture
Searching for abnormalities means to look for indica-
tors rather than incidents. There is a gap between
normal and suspect in which someone displays
anomalous behaviour indicative of malicious intent.
That space between is abnormality.

By the time someone is a suspect, it is already too
latepublic order has been disturbed, the security
situation has shifted, and security personnel are re-
sponding to a crime that already happened.

Searching for abnormalities means broadening the
lens through which one views a given area. Looking
for preliminary signals of malicious intent instead of
the results of a crime already committed equips secu-
rity personnel with preventative capabilities that can
keep a crime from happening at all.

2.2 Disregard Preconceived Notions
Searching for abnormalities means to focus on local
situational elements. Preliminary indicators of mali-
cious intent can be detected by security personnel
once pre-existing images of what makes up a suspect
are disregarded. Looking for predefined characteris-
tics drawn from previous experiences keeps security
personnel from being prepared for the unexpected. By
searching for preconceived notions of a suspect, offi-
cers bring about self-imposed blindness that directs
their focus toward locating their own definition of a
suspect and disregards all other possibilities.

Searching for abnormalities, however, ensures that all
those involved in protecting a given area are on the
same page. Individual presuppositions of what makes
up a suspect point each officer down their own narrow
path, leaving the team disconnected. Looking for ab-
normalities ensures that the team works in tandem to-
ward a cohesive goal.
3 How Does One Search for
Abnormalities?
3.1 Define Local Normality
Normal behaviour is defined differently for each set-
ting. A thorough comprehension of local normality al-
lows abnormalities that signify potential security
threats to stand out.

Normality is defined locally by including perspectives
from the entities involved in the public security of a
given area. Local culture, customs and laws need to be
taken into consideration, as well as the purpose of the
location. Someone taking twenty pictures while stand-
ing outside the Louvre may be normal, while someone
doing the same thing outside Charles De Gaulle Air-
port may be abnormal. The definition of normality can
change in a given location depending on events taking
place, changes between week-day and weekend activ-
ity, current events, etc.

3.2 Use the Definition of Normality as
an Assessment Tool
When local normality is established in a given set of
circumstances, anomalous behaviour is identified
more easily and more fairly. A single characteristic
inconsistent with the local definition of normality,
however, does not mean a person is suspect. Rather, it
is a cue to the officer to allocate more attention to that
person and read further into the situation, in line with
local procedures and protocols.

A person may be nervous because they are lost in a
new city, or they may be nervous because they are
about to carry out an attack. The way to tell the differ-
ence before it is too late is to take into consideration
various indicators that can be determined by using the
local definition of normality as a basis for comparison,
and approaching those whose indicators elevate their
behaviour to a higher state of concern.

4 Why Search for
Abnormalities Instead of
Suspects?
4.1 Maintain the Efficacy of Situ-
ational Awareness
Searching for abnormalities instead of suspects pushes
officers to maintain a heightened state of awareness.
Rather than scanning the population for a predefined
image of a suspect, searching for local abnormalities
requires officers to comprehend the larger picture of
normality in their location, and be on alert to identify
and analyze abnormalities.

As security practices develop and technologies pro-
gress, searching for abnormalities instead of suspects
will ensure the prominence of situational awareness
because of its inherent outcomes that heighten the ef-
fectiveness of public security.

Such inherent outcomes include elevating prepared-
ness, negating ethnic profiling, building community
trust, establishing common ground between officers,
and enhancing the value of technology.

427
4.2 Benefits of Searching for Abnormali-
ties Instead of Suspects
4.2.1 Elevating Preparedness
Searching for abnormalities ensures that an officer
will not be taken by surprise by a security threat.

By looking for suspects, an officer can be taken off
guard when a person who does not fit the description
they are looking for carries out an attack. But when an
officer is searching for abnormality, preliminary key
indicators will catch the attention of the officer and
serve as a cue to follow the appropriate procedures
and protocols until the situation is resolved, removing
the element of surprise.

Searching for abnormalities allows officers to be pro-
active instead of reactive. There have been numerous
incidents in which an officer had an inkling that
someone was going to cause harm, but did not take
any action because they did not know if their intuition
would be protected by local legislation. The officer
did not feel comfortable approaching the person be-
cause that person had not yet done anything overtly
illegal.

By searching for abnormalities, officers are able to
articulate the reasoning behind their gut feeling that
gave them concern. They can then fairly and legally
take proactive measures to prevent incidents, rather
than waiting to reactively restore order in an incidents
aftermath.

4.2.2 Negating Ethnic Profiling
When officers are searching for abnormalities, they
look objectively at each person to compare their de-
meanour to the local definition of normality.

The definition of normality in each locale is a compo-
sition of multiple components of the cultural norms
and legal guidelines of that setting. Since a singular
indication of abnormality does not make someone
immediately suspicious, ethnicity is therefore, not in
itself enough of a reason to approach someone.
Searching for abnormalities instead of suspects intrin-
sically negates ethnic profiling.

When officers search for abnormalities they are
searching for people who should be stopped, instead
of stopping presupposed suspects. The definition of a
suspect can change from person to person. If some-
ones idea of a suspect is not relevant to the local en-
vironment and does not take normal behaviour into
account, they are likely to be distracted by their own
restrictive blinders, and are at risk of missing a legiti-
mate threat.

Searching for abnormality ensures that officers can be
aware and see the big picture of the localized defini-
tion of normality, therefore allowing security person-
nel to focus on searching for potential dangers and
deviant intentions instead of preconceived notions.

The fairness with which the police treat citizens is di-
rectly related to those citizens compliance with the
law, and the legitimacy and respect with which those
citizens regard police and criminal justice agencies.
Ethnic profiling devastates the trust level between
members of the community and officers, and can illus-
trate how little the officers know about the people for
whom they are supposed to be working.

4.2.3 Building Community Trust
Searching for abnormalities allows officers to give an
honest and legitimate basis of reasoning for each
situation they address. Security personnel can set the
barometer of social and inter-group relations within a
community, and their procedures and protocols can
send signals of how members of society should be
treated. Tension that builds between community mem-
bers and law enforcement personnel from cynicism
and mistrust is eased when community members are
assured that officers are doing their work honestly, in
the best interest of the community, and in accordance
with the local environment.

Trust is something imperative to public safety, though
it is seldom publicly recognized. Searching for ab-
normalities instead of suspects has been proven to
lower the amount of citizen complaints about policing
practices. Building trust between members of the
community and officers dispersed throughout the
community is essential. When officers and community
members trust each other, the officers do their job
more honestly, and therefore more effectively and ef-
ficiently.

The stronger and more trustworthy the relationship is
between members of the community and security per-
sonnel, the more comfortable community members
will feel approaching officers if they have information
regarding dangerous or deviant activity.

4.2.4 Establishing Common Ground be-
tween Officers
Searching for abnormalities in relation to the defini-
tion of local normality ensures that a team of officers
is working toward a common goal with a common
428
method, and that they can collaborate and help one
another in the process.

A uniform understanding of procedures and protocols
strengthens team cohesion. Searching for abnormali-
ties as measured by a common understanding of nor-
mality increases effectiveness and efficiency of secu-
rity practices, and is ultimately fairer to community
members because each officer has the same way of
observing the local environment, and of treating the
community members.

A report published in 2000 by the UK Home Office
Police Research Series showed that a group of 90 op-
erational officers had greatly varying understandings
of the concept of reasonable suspicion. The lack of
an established definition of reasonable suspicion led
to the officers having unparallel criteria of when to
stop and search individuals.

An established definition of local normality would
provide the officers with a unified perspective of ab-
normality, therefore strengthening their credibility and
improving the fairness and effectiveness of their polic-
ing.

4.2.5 Enhancing the Value of Technology
Technology is active and reactive; but productive,
knowledgeable, trained human beings can be proac-
tive.

The full potential and purpose of the greatest technol-
ogy can only be achieved if security personnel work-
ing in conjunction with those machines are using them
properly, are looking for the right indicators, and have
the most heightened sense of awareness and prepared-
ness. Situational awareness enhances the usefulness of
technological advancements.

Technological devices provide greater benefits when
their value is enhanced above and beyond their imme-
diate capability. For example, when operators of re-
cording devices such as CCTV cameras understand
the local definition of normality, they, too, can be
searching for abnormalities along with the personnel
on the ground. The cohesive security apparatus is
therefore extended, and the technology is transformed
into a proactive, preventative component of situational
awareness.

5 Conclusion

Keen senses of self-awareness and situational aware-
ness are imperative to effective public security. In our
origins, humans were hunters and huntedawareness
was part of the survival instinct with which each per-
son got through the day. Reawakening those same in-
stincts in the field of public security simultaneously
enhances the effectiveness and fairness with which
security practices are carried out.

Searching for abnormalities instead of suspects re-
quires officers to clear their mind of predefined im-
ages of suspects. As soon as officers are looking for a
thief or a terrorist or a robber, the scope of each per-
sons detection will be narrowed to their own precon-
ceived notion, and key indicators will be ignored.
There is no set description of an adversary, but anyone
with malicious intent, regardless of the end goal, will
display signs of abnormality.

Those abnormalities can be detected by establishing a
local definition of normality. The definition of normal-
ity serves as a meter by which to measure local behav-
iour. Searching for local abnormalities places every-
body on a level plane, so that anomaliespotential
threatsare the ones to catch the officers attention.
That level plane of normality inherently prevents eth-
nic profiling, builds community trust, and unifies se-
curity practices.

Technology is undeniably a part of security practices,
and it is an important part. The advancement of tech-
nology has provided the field of security with many
benefits, and those advantages are enhanced when the
people operating such devices use them to search for
abnormalities.

Searching for abnormalities instead of suspects is a
proactive method to prevent security threats from
coming to fruition. Searching for abnormalities can
enhance the value of technology to be a contribution
to preventative action, rather than a reactive response
in the aftermath of an incident.

The heightened awareness that is inherently part of
searching for abnormalities maintains the relevance of
situational awareness as the leading component of
public security. Searching for abnormalities ensures
constant preparedness eliminates surprises, therefore
capturing the essence and importance of situational
awareness.

429

References
[1] Scientific Approach to Formulate Indicators &
Responses to Radicalisation (SAFIRE): Synthe-
sis report on the results from work package 2:
inventory of the factors of radicalization and
counterterrorism interventions, Seventh Frame-
work Programme, 28 Feb. 2011 (In Press)
[2] European Union Agency for Fundamental
Rights: Towards More Effective Policing, Un-
derstanding and Preventing Discriminatory Eth-
nic Profiling: A Guide, Belgium, 2010
[3] Quinton ,P.; Bland, N.; Miller, J..: Police Stops,
Decision-Making and Practice, UK Home Of-
fice Police Research Series, Paper 130, 2000
[4] Open Society Institute: Addressing Ethnic Pro-
filing by Police, New York (USA), 2009
[5] Tyler, T.: Why People Obey the Law, Yale
University Press. New Haven, Conn. (USA),
1990
[6] Mastrofski, Stephen D.: Policing for People,
Police Foundation. Mar. 1999
[7] Loader, Ian.: Policing, Recognition and Belong-
ing, The Annals of the American Academy of
Political and Social Science. 605.1 (May 2006):
202 221

430
Applied Text Mining for Military Intelligence Necessities
Bastian Haarmann & Lukas Sikorski
Fraunhofer Institute for Communication, Information Processing, and Ergonomics,
Neuenahrer Strae 20, 53343 Wachtberg, GERMANY

Jrgen Ziegler
IABG mbH, Einsteinstrae 20, 85521 Ottobrunn, GERMANY
Abstract
Natural language texts contain information that is not directly suitable for processing by a computer. However,
the amount of texts to be analyzed often exceeds the capabilities of human reconnaissance specialists. Current
intelligence, therefore, relies on the computational pre-processing of gathered HUMINT reports, SIGINT data
and open sources in order to reduce the number of reports to be evaluated by human experts. State-of-the-art text
mining featuring information extraction and emerging semantic role labeling can be used for automated threat
recognition and offers relief from searching through the haystack [1]. In this paper we present a system tailored to
the necessities of military text mining over HUMINT reports. We discuss the modules of the system to meet the
needs of the application by armed forces. As a conclusion we show how that system can be used in the text min-
ing process of automatic threat recognition.

1 Introduction
The number of military intelligence reports rapidly
exceeds the capability of what human experts are still
able to check for threats. The reports must therefore
be pre-analyzed automatically in order to find those
texts which might be of interest to recognize possible
indicated threats [2]. The automatic pre-processing is
often done by a search algorithm on the basis of key-
word spotting. But this method leads to a high number
of false hints. However, the field of computational lin-
guistics nowadays offers more precise tools for mili-
tary intelligence text mining.
We developed an application called MIETER (Mili-
tary Information Extraction from Texts and their Elec-
tronic Representation) for automatic information ex-
traction (IE), which is the core of each text mining
process. We use the open-source tool GATE (A Gen-
eral Architecture for Text Engineering /
http://gate.ac.uk/) provided by the University of Shef-
field to build our MIETER processing pipeline. Our
IE pipeline consists of the following main IE
processing modules:

Document Handling
Tokenizer
Gazetteer
Sentence Splitter
Part-of-speech Tagger
Named Entity Recognizer
Chunker
1.1 Document Handling
The documents to be processed often first need to be
in the same, machine-readable format. A processing
resource to handle the document format is therefore
needed at the very top of the processing pipeline. Fur-
thermore, the text in the documents needs to be trans-
formed as well. This holds i.e. for abbreviations which
frequently occur in the HUMINT reports, such as IVO
for in vicinity of. In order to obtain the right linguistic
processing of abbreviated constituents, we developed
a processing resource called Pre-Analyzer in order to
transform the occurring abbreviations into their nor-
mal form according to a list of abbreviations used in
military reports. At the end of the text mining process,
the abbreviations are being put back in their original
place in the text.

1.2 Tokenizer
A Tokenizer next identifies individual tokens of the
text. Tokens basically are single words. The tokenizer
segments them by the spaces in between. Furthermore,
tokens are numbers, abbreviations and punctuation
marks occurring in the text and are recognized by the
tokenizer as well.

431
1.3 Gazetteer
A Gazetteer is a lookup module which compares the
obtained token annotations to specific lists of words.
The matching of these lists form a first step in the se-
mantic exploitation of the texts. The Gazetteer lists
contain different types of names and abbreviations.
Normally, there is at least a list of popular forenames
and surnames as well as relevant geographic entities
such as countries, cities, rivers and so on. A matching
word is labeled Lookup and receives the features of
the respective type of the list, in which the matching
word was found. E.g. the token Oslo will be tagged as
Lookup with the features majorType = location,
minorType = city (cf. Figure 1).

Figure 1 Word token Oslo annotated majorType =
location, minorType = city

1.4 Sentence Splitter
The Sentence Splitter segments the text into whole
sentences. This task is less trivial than it might seem at
first glance, because not every occurring full stop in
the text forms a sentence end. Text elements such as
Mr., Dr. as well as abbreviations, internet- and IP
addresses needs to be excluded from the splitting. The
output annotation is Sentence. In a later step of the
processing pipeline, it is also possible to determine the
boundaries of subordinate clauses or extended parti-
ciples and infinitives. The detection of subordinate
clauses requires at least a preceding part-of-speech
tagging.
1.5 Part-of-Speech Tagger
The Part-of-speech Tagger (POS Tagger) determines
the category of each word. It adds the feature category
to the token annotation and enters the value for the
respective class (e.g. NN for normal noun) according
to the Penn Treebank tag set. The POS Tagger to be
used depends on the desired strategy of tagging. There
are older POS Taggers using a rule-based tagging ac-
cording to a lexicon and a rule set obtained from cor-
pus work, such as the Hepple Tagger [5] which is de-
rived from the Brill Tagger [6]. Newer approaches to-
wards a more accurate POS Tagging include tagging
on the basis of statistics (TnT Tagger [7]) or neuronal
networks such as Hidden Markov Models trained on
large corpora (Stanford Tagger [8]). Empirical re-
search shows that the latter strategy leads to a signifi-
cant higher accuracy of the POS tags obtained, up to
97%.

1.5 Named Entity Recognizer
In the next step of the process, bigger named entities
in the text are formed by the Named Entity Recogniz-
er out of the Lookup annotations obtained from the
Gazetteer module. The name for i.e. a person can con-
sist of a title, a forename and a surname. For the se-
quence Dr. Nelson Mandela the Gazetteer module
provided the labels title for Dr., male forename for
Nelson and surname for Mandela. The Named
Entity Recognizer annotates this sequence with the
label Person according to its rules. Similar name
labels such as Organization are obtained by the
Named Entity Recognizer as well.

1.6 Chunker vs. Parser

Parsers operate on the tags provided by the POS Tag-
ger and by the Recognizer for Named Entities. They
try to calculate a complete parse tree which represents
the syntactic structure of a sentence. However, the
complete and sometimes rather complex parse tree is
normally not needed. It is often sufficient to know the
verb group and the other constituents of a sentence as
well as their sequence. Even more, parsing might fail
because of unknown words or ambiguity. Additionally,
parsing is on the one hand highly time-consuming and
on the other hand computationally very resource-
intensive. With the problems of parsing in mind, we
substituted the parser in the IE processing pipe by a
chunker. Chunking is a kind of partial parsing. It iden-
tifies and classifies the (consecutive, non-overlapping)
constituents within sentences by statistical or rule-
based heuristics. The major advantages of chunking
are its robustness with respect to unseen words and
possible ambiguities, its ability to provide at least par-
tial results even if a full analysis is not feasible, and its
speed, which is especially important for an application
in a military context. For example, in The patrol
moves towards the airport, the was previously la-
beled determiner and patrol as well as airport la-
beled noun. The chunker recognizes a sequence of a
determiner and a noun as noun phrase. So the patrol
and the airport are annotated with the tag noun
phrase. In addition, towards is labeled preposition.
A preposition followed by a noun phrase constitutes a
prepositional phrase and is labeled accordingly. See
[9] for details on the deep approach and [10] for a
more detailed discussion on the pros and cons of both
approaches.

432
2 Semantic Role Labeling
A module for Semantic Role Labeling (SRL) is at-
tached at the end of the information extraction. After
the aforementioned steps in the text mining processing
pipeline have been completed, we next need to deter-
mine the actions, events and situations reported in the
text and assign semantic roles to the constituents the
sentences of the text consist of. The process of assign-
ing semantic roles to constituents is called Semantic
Role Labeling [1, 11]. Sometimes the term thematic
role is used for semantic role [12] so that Themat-
ic Role Labeling also denotes that process. The
process of Semantic Role Labeling links word mean-
ings to sentence meaning.
2.1 Choosing the role set
In order to build a module for Semantic Role Labeling
one first has to choose a set of semantic roles. Differ-
ent such sets have been discussed in the linguistic lite-
rature [12, 13]. Our system mainly relies on the work
of Sowa [12] although we have added a few roles. For
example, Sowa proposes the roles location, origin,
destination, and path as spatial roles to which we have
added direction. In general, roles can be assigned to
constituents in a process that exploits syntactic, lexi-
cal, and semantic information. With respect to Eng-
lish, syntactic information here means word order in-
formation. For example, in a sentence of active voice,
the subject constituent, the constituent which precedes
the verb, either receives the role agent or the role ef-
fector. Lexical information refers to information pro-
vided mainly by verbs and prepositions. For example,
a prepositional phrase that starts with the preposition
at normally opens a constituent that will be labeled
location as in at the marketplace or point in time as
in at noon. Semantic information normally provides
constraints that can be used to decide among alterna-
tives. For example, the role agent means an active
animate entity that voluntarily initiates an action [12,
p. 508] whereas effector means an active determinant
source, either animate or inanimate, that initiates an
action, but without voluntary intention [12, p. 509].
Thus, if semantic information tells us that a constitu-
ent that takes the subject position denotes an inani-
mate object, the role to be assigned to that constituent
has to be effector and cannot be agent.

2.2 SRL Preparation
In order to prepare Semantic Role Labeling, MIETER
incorporates a module which annotates the constitu-
ents identified by MIETERs chunker with prelimi-
nary semantic roles such as agent, affected, comple-
tion, time and location that then will be refined by
MIETER itself (cf. the following paragraph) and by
the process of Semantic Role Labeling (cf. [11] and
the next section).

Agent and affected annotations can in most cases easi-
ly be calculated out of the position of a noun phrase,
preceding or following the verb, and the voice of the
verb group (active or passive). In contrast, syntactic
and lexical information together often are needed, but
also are sufficient to decide whether there is temporal
or spatial information in a sentence. The preposition
under might at first glance be judged to be a loca-
tion marker, as in under the bridge. But preposition-
al phrases with the preposition under can also bear a
completion, under heavy bombardment, or temporal
information, under 9.58 seconds. MIETER uses Ga-
zetteer lists to annotate whether a prepositional phrase
most probably contains temporal or spatial informa-
tion. These lists include trigger words, e.g. morning
or Thursday for temporal information, or Oslo or
Helmand for spatial information.

After classifying constituents as temporal, spatial, or
completion, MIETER refines that classification by di-
viding the temporal constituents into start time consti-
tuents (a trigger word would e.g. be from), end time
constituent (until) or point in time constituent
(on). In the same way, MIETER sub-classifies spa-
tial constituents as location (at), direction (to-
wards), origin (from), destination (to) or path
(via). Figure 2 shows an example of the labeling
that is already achieved by the preliminary informa-
tion extraction process.

Figure 2 The preliminary labeling as calculated by
MIETER
2.3 Head identification
In our system, the process of Semantic Role Labeling
starts by identifying the verb group within a sentence.
The reason for this is quite obvious. Our reports are
about actions and events, and the expression of ac-
tions and events is the domain of the verbal vocabu-
lary, i.e. of verbs and to some degree also of deverbal
nouns (nouns derived from verbs; e.g., by detona-
tion in the IEDs detonation the event of an IED
detonating is referred to). By identifying the main
verb from the verb group (or the verb that is the base
of a deverbal noun) we got what linguists call the head
of a sentence [20]. As a next step, our system uses the
lexical information of that head to identify the set of
433
roles that are compatible with or even demanded by it.
For example, a verb that denotes an action that in-
volves a movement like advance is compatible with
the spatial semantic roles origin, path and destination
or direction (e.g., The company advanced from Wil-
derness Church via Dowdalls Tavern towards Chan-
cellorsville). In contrast, a verb that denotes an ac-
tion that does not involve movement is compatible
with the spatial role location only (e.g., The army
stayed at Stafford Heights). In the next subsection
Ontology, we will take a more detailed look at this.
After the set of compatible and mandatory roles has
been identified, the system calculates for each consti-
tuent which kind of role it might take. For this step
syntactic information as well as lexical information
from prepositions is used. Finally, the calculated poss-
ible roles for the constituents are matched against the
set of compatible and mandatory roles so that each of
the constituents receives an appropriate role. For this
step, the constraints provided by semantic information
are exploited.
2.4 Finishing SLR by Help of an On-
tology
The final process of Semantic Role Labeling exploits
lexical information and semantic information [2]. For
the building of ontologies, we use the freely available
tool Protg developed at the University of Stanford
[21]. In our system, the respective knowledge is stored
in an ontology (for general information about ontolo-
gies cf. [14]). The specific process is as follows: at the
end of the information extraction process, for each
sentence of the report its verb group is identified and
its constituents are marked. For Semantic Role Labe-
ling the main verb is identified in the verb group to be
looked up in our ontology. This ontology is focused
on verbs. It provides information about the verbs in
general and about their semantic frames in particular.
Semantic frames are a further development of Fill-
mores case grammar [15] that tells us which semantic
roles come with the verb and which of these roles are
mandatory, optional or forbidden. For each verb
looked up, its frame is taken, and then the slots of that
frame are filled with the constituents of the sentence
the verb in question comes from. In order to map the
constituents to the correct slot, semantic information is
exploited. This semantic information consists, for ex-
ample, of restrictions that refer to the slots and that are
also represented in the ontology. For example, the ac-
tion speak requires an animated human person, whe-
reas the action move can also be done by an inani-
mate machine.

We created the verb ontology based on FrameNet
[16, 17] and VerbNet [18]. Its construction was also
influenced by the work of Helbig [13], Levin [19], and
Sowa [12]. Although most existing ontologies focus
on the objects in the domain of interest, a verb ontolo-
gy has to focus on situations in general and on actions
in particular. As can be seen in Figure 3, left pane, the
verbs in the ontology are classified into those that re-
fer to static situations and those that refer to dynamic
situations. The latter are further divided into those
verbs that refer to actions and those that refer to
events. Action verbs demand an agent (an active
animate entity that voluntarily initiates an action [12,
p. 508]). The action verbs are divided into many
classes, among them cognition verbs (e.g., consid-
er), exchange verbs (e.g., receive) and motion
verbs (e.g., advance). Actions belonging to the same
class share the same semantic roles they demand and
allow. For example, motion verbs like advance inhe-
rit their frame of semantic roles for the Motion class,
cf. Figure 3, bottom right pane.

Figure 3 Semantic properties of the verb advance

The task to make the ontology available as resource
for the process of semantic role labeling is assigned to
the so-called Frame Slot Creator. This module of
our system takes the main verb out of the verb group
of each sentence and sends it to an Ontology Web-
Service. That service acts as an interface to the ontol-
ogy. It returns the semantic frame for each verb re-
quested. The Frame Slot Creator then stores the frame
in the verb group annotation as a matrix of attribute-
value pairs in which the semantic roles of the frame
serve as attributes. The values of these attributes have
to be the constituents of the respective sentence. To
fill the constituents into the appropriate slots is done
by a module called Frame Slot Filler that calculates
this mapping out of the constituents tags, especially
its preliminary semantic role tags, and the semantic
constraints the ontology provides for appropriate fil-
lers. Cf. [11] for a more detailed description of the
Frame Slot Creator and the Frame Slot Filler.
3 Indicator specification
Instead of searching for simple keywords we can con-
struct specific indicators. For example, we can try to
build an indicator for a IED attack. One possible trig-
ger for that indicator is the procurement of an item
used in IED construction. In order to define indicators
and their triggers, we have developed an indicator edi-
434
tor that uses the same resources (e.g., the same ontol-
ogy) as had been used in the IE pipeline described
above. Figure 4 shows the GUI of that editor.

Figure 4 Editor for indicators and their triggers

In order to define an indicator by this editor, the re-
spective triggers have to be defined. To take the ex-
ample, a possible trigger for the IED attack indicator
is the procurement of an item used in IED construc-
tion. In order to define that trigger, the procure entry
of the verb ontology is marked as trigger action (cen-
tral pane of the editor). As a consequence, the frame
of that verb, procure in our case, is copied into the
right pane which allows editing the restrictions to
what the role should be assigned to. In our case, we
set the restriction for theme to a constituent that has
fertilizer as its head, cf. Figure 5.

Figure 5 The indicator editor; defined trigger
procuring of fertilizer
4 Use of Text Mining Results for
Threat Analysis
To use the text mining results for threat analysis it is
necessary to combine them and to take into account
the overall relationships of threats. To be able to do
this a threat model is needed. This threat model
represents the view of domain experts concerning the
relevant components of threats and their weighted de-
pendencies. Figure 6 shows the schema of the threat
model in our system.

Figure 6 The threat model, its components and the
dependencies among the components

The components of the threat are as follows:

Actors within the Own Area of Interest: or-
ganizations, groups or single actors which are
regarded to be possibly threatening;

Actor-Types: for example terroristic actors or
actors from organized crime;

Actor Area of Influence: areas in which a
specific actor can perform his actions

Actor-Intentions: for example to drive away
ISAF troops from Afghanistan or to get
rich as fast as possible;

Options for Action: for example to perform
a bomb attack at a market place;

Action Chains: different concrete approaches
to realize a chosen option for action;

(Single) Actions: the elements which consti-
tutes an action chain;

Dependencies of Actions: descriptions about
which action has to be performed and suc-
cessfully finished before another action can
be started; i.e., a bomb has to be build before
it can be deployed.

For every element of the threat model an indicator can
be defined interactively by a domain expert. The indi-
cator models the domain experts know-how about the
possible observations or HUMINT information which
indicates that a defined model element is true, i.e., a
435
specific actor is doing something or a specific action
has been conducted.

The interrelations within the model have to be
weighted using a qualitative weighting schema like
very high, high, unknown, low or very low.
For example, a weight can be as follows. The actor
TALIBAN (organization) has a very high inten-
tion to drive away the ISAF troops from Afghanistan,
but he has a very low intention to get the Afghan
government stabilized. Furthermore, existing uncer-
tainties of interrelations has to be taken into account.

Taking weighted interrelations into consideration, a
Bayesian network (BN) is used for the mathematical
representation of the threat model. This BN is calcu-
lated automatically as follows:

The structure of the BN is generated from the threat
model taking into account that a single threat can con-
sist of multiple resources and multiple single ac-
tions.

The probability tables for the interrelations in the
model are generated using an approach from ergono-
my called scale based distribution retrieval [22].
This approach comprises two steps. In the first step,
the defined weighting values and uncertainties are
transformed into scale values. In the second step, the
resulting values are normalized as demanded by prob-
ability theory.

In order to calculate possible threat, the defined indi-
cators serve as evidence nodes: every indicator that is
met by information from input sources, i.e., that
matches a sentence of texts analyzed by the text min-
ing procedure as described in the first 3 sections of
this paper, is included in the BN and thus contributes
to BNs result. This is sketched in Figure 7:

Figure 7 Bayesian Network
After calculated, the Bayesian Network provides a re-
sult that may say a threat might become true. Then, the
operator of the systems receives a warning message
that lists all the texts that contributed to indicator
matches so that the operator can validate the systems
result for his own.
5 Conclusion
The technologies described in this paper have been
developed for and are integrated in the AUGE system,
a demonstrator for automatic threat recognition built
by IABG in a project sponsored by German Air
Forces Transformation Center [23]. In that project,
Fraunhofer FKIE served as subcontractor to IABG to
develop the tools for analyzing text documents.

Since the documents to be analyzed are written in nat-
ural language, the anomalies which are characteristic
of natural language like ambiguity, vagueness, and
creative usage provoke some gaps as well as some er-
rors in the assignment. Nevertheless, as long as the
texts refer to a restricted domain, as military reports
normally do (attack in these reports means a specific
military action and not a situation on the soccer field
and so on) the assignment is nearly complete and cor-
rect.

The question remains why text mining featuring SRL
means advancement beyond keyword search algo-
rithms. For example, if a report says that Amid Khan-
kulay died in a car accident the day before, the report
might be of importance for updating Khankulays data
base entry but does not indicate a threat. In contrast, if
a report tells us that Amid Khankulay bought lots of
items that are used for IED construction, this report
indicates a threat. The example tells us that keywords
can be used as indicators for threats but that they are
not very precise indicators. However, under the as-
sumption that the reports in question are represented
with the semantic role annotations we discussed
above, indicators can be constructed that are signifi-
cantly more precise. This is even truer if we use our
ontology to do some simple reasoning in addition. For
example, instead of searching for Amid or Khan-
kulay, we can construct an indicator which says
check for this person as agent of a procure action in
which the theme is an item needed for IED construc-
tion. The annotation provides information as to which
constituents are agent or theme, respectively. The on-
tology provides the knowledge regarding the several
referring to the person Amid Khankulay using differ-
ent names as well as which verbs can describe a pro-
cure action (like buy or steal) and the knowledge
which objects are part of an IED. The former know-
ledge is represented in the ontologys action branch
and the latter in its object branch.

436
In addition, these kinds of text mining results can easi-
ly be integrated into a Bayesian Network if the main
structure of that network, in our case the network that
represent the threat model, is already given. The net-
work than combines and evaluates the indicator
matches so that in the end the human experts are re-
lieved from complete searching through the haystack
of numerous reports.
References
[1] Bastian Haarmann. Semantic Role Labeling im
modernen Text-Analyse-Prozess. To be published.
Know Tech Conference 2011. Bad Homburg v.d.H.,
2011.

[2] Lukas Sikorski, Bastian Haarmann, Ulrich Schade.
Computational Linguistics Tools Exploited for Auto-
matic Threat Recognition. (Best Paper Award) Pro-
ceedings of the NATO RTO IST-099. Madrid, 2011.

[3] Hamish Cunningham, Diana Maynard, Kalina
Bontcheva, Valentin Tablan. GATE: A framework and
graphical development environment for robust NLP
tools and applications. In Proceedings of the 40
th
An-
niversary Meeting of the Association for Computa-
tional Linguistics, 2002.

[4] GATEs ANNIE: http://gate.ac.uk/ie/annie.html

[5] Mark Hepple. Independence and Commitment:
Assumptions for Rapid Training and Execution of
Rule-based Part-of-Speech Taggers. Proceedings of
the 38
th
Annual Meeting of the Association for Com-
putational Linguistics, pp 278-285. Hong Kong,
2000.

[6] Eric Brill. A simple rule-based part-of-speech tag-
ger. In: Proceedings of the 1
st
Applied Natural Lan-
guage Processing Conference ANLP. Association for
Computational Linguistics, Trento/Italy. 1992.

[7] Thorsten Brants. TnT: A Statistical Part-of-Speech
Tagger. In Proceedings of the 6
th
Applied Natural
Language Processing Conference ANLP, Seattle, WA.
2000.

[8] Kristina Toutanova, Dan Klein, Christopher
Manning, Yoram Singer. Feature-Rich Part-of-Speech
Tagging with a Cyclic Dependency Network. In Pro-
ceedings of HLT-NAACL, pp. 252-259. Edmonton,
Canada. 2003.

[9] Matthias Hecking. Information Extraction from
Battlefield Reports. In Proceedings of the 8
th
Interna-
tional Command and Control Research and Technolo-
gy Symposium (ICCRTS), Washington, DC, 2003.

[10] Matthias Hecking. System ZENON. Semantic
Analysis of Intelligence Reports. In Proceedings of
the LangTech, Rome, Italy, 2008.

[11] Bastian Haarmann, Lukas Sikorski, Ulrich
Schade. Text Analysis beyond Keyword Spotting. To
be published. Proceedings of the Military Communi-
cations & Information Systems Conference. Amster-
dam, 2011.

[12] John F. Sowa. Knowledge Representation: Logi-
cal, Philosophical, and Computational Foundations.
Brooks/Cole, Pacific Grove, CA. 2000.

[13] Hermann Helbig. Knowledge Representation and
the Semantics of Natural Language. Springer, Berlin,
2006.

[14] Steffen Staab, Rudi Studer (editors). Handbook
on Ontologies. International Handbooks on Informa-
tion Systems. Springer, 2004.

[15] Charles J. Fillmore. The Case for Case. In: Em-
mon Bach, Robert T. Harms (editors). Universals in
Linguistic Theory. Holt, Rinehart and Winston, New
York, 1968.

[16] VerbNet: A Class-Based Verb Lexicon.
http://verbs.colorado.edu/mpalmer/projects/verbnet.ht
ml.

[17] Martha Palmer, Dan Gildea, and Paul Kingsbury.
The Proposition Bank: An Annotated Corpus of Se-
mantic Roles. Computational Linguistics, 31, pp. 75-
105, 2005.

[18] Birte Lnneker-Rodman ,Collin F. Baker. The
FrameNet Model and its Applications. Natural Lan-
guage Engineering, 15, 415-453, 2009.

[19] Beth Levin. English Verb Classes and Alterna-
tions: A Preliminary Investigation. University of Chi-
cago Press, Chicago, IL. 1993.

[20] Peter Sells. Lectures on Contemporary Syntactic
Theories. Lecture notes no. 3. CSLI, Menlo Park, CA.
1985.

[21] http://protege.stanford.edu

[22] Max Krger, Jrgen Ziegler. User Oriented
Bayesian Identification and its Configuration. Pro-
ceedings of the. 11
th
International Conference on In-
formation Fusion, Cologne, Germany. 2008.

[23] Markus Bresinsky, Ulrich Schade, Jrgen Ziegler.
Methodische Grundlagen zur Umsetzung des Kon-
zepts Automatische Gefahrenerkennung, Annex 2 of
Final Report of the Study. 2009
437
Topic-oriented Analysis of Data Streams
Dr. Christian Betz, PLATH GmbH, Germany
Dr. Vera Kamp, PLATH GmbH, Germany
Mirko Bttcher, PLATH GmbH, Germany
Abstract
Establishing situation awareness from multiple data streams is a matter of aligning information, either to back-
ground knowledge or to other stream data events. For example, in disaster control it is necessary, to align infor-
mation to spatial background knowledge, e.g. density of population. Security agencies need to align information
from lawful interception to open source information from services like twitter, while journalists align informa-
tion from the web to their own research, e.g. from correspondents. In this paper, we propose an architecture for
data-stream analysis. This architecture needs to be flexible enough to incorporate new data streams and the tools
to align these to the known entities and topics easily, yet scalable enough to cope with mass data.

1 Introduction
Security is a business becoming harder every day:
only loosely organized groups of pirates or terrorists
are extremely harder to detect, identify, and track.
Furthermore, they rely on a much broader spectrum of
communication means than opponents in symmetric
conflicts. They communicate via mobile phones, E-
Mail, IM, voice over IP networks, micro-blogging
services and switch internet services without any ef-
fort.
To successfully operate in this context, Joint Intelli-
gence Centers (JICs) as one-stop-shops for intelli-
gence products for military and law enforcement
agencies need to integrate all relevant sources and
provide holistic Traffic Monitoring, Subject Identifi-
cation and Subject Monitoring.
As data available is generated at a rate faster than it is
consumable with a rational amount of effort, it is nec-
essary to automatically estimate relevancy with re-
spect to a given task. And, tasks are mostly defined by
topics, not by sources, e.g. produce situational pic-
ture on revolution in Libya. Thus, aligning data to
topics is a necessary prerequisite to search, filter, and
evaluation.

Aligning information from different streams to a com-
mon, interlinked stream can be done in two orthogo-
nal ways: The first identifies entities participating in
an event to link all data with the same origin. The
second identifies topics from the content, aligning
data to an ontology designed according to the tasks.

This paper proposes a generic workflow and a back-
bone infrastructure for such JICs. It discusses various
architectures and technologies to provide this infra-
structure, and also the intelligence toolset operating
on this backbone. This whitepaper concludes with
discussion of important aspects setting up a Joint In-
telligence Center.
Using realistic scenarios, we discuss techniques to
identify the origin of data, e.g. by using browser fin-
gerprints, authentication correlation, speaker identifi-
cation from audio streams. We also discuss tools and
techniques to align data from different sources to a
common ontology. The alignment processes use tech-
niques like hashtagging already provided by services,
voice stream analysis, semantic extraction, and classi-
fication mechanisms. Combining both yields a better
starting point to gain insights into the data. We pre-
sent tools to analyse the results of this process, com-
bining automated and manual processes. The analysis
uses tools for behaviour model detection, visual ana-
lytics, geo-information systems, and social network
analysis tools.
For example, to provide riot prediction services, a JIC
needs to gather and evaluate information from GSM
Networks and online services, e.g. Twitter. Especially
the combination of both tools gives a good impression
on preparation (via Twitter), gathering phase (SMS),
and publication of status (Twitter again) of a riot.
Also, situational pictures on piracy need different
sources (Human Intelligence, Ship Identification Ser-
vices, Radio) and a different strategy in acting oppor-
tunities.

438

2 Workflow
A Joint Intelligence Center serves different custom-
ers, mainly executive, sometimes judicative. Each
customer has different needs projected on the JIC and
its products and services.
To provide power and flexibility, the organization of
a JIC needs to be aligned according to the need to
share principle: Knowledge from different teams
needs to be accessible in other teams and different
contexts in order to leverage synergetic effects. Only
with the power and flexibility inherent to this ap-
proach, JICs will be able to cope with threats evolv-
ing ever faster and real-time communication in threat
networks.
One sample organization form is the matrix organiza-
tion, where specialists (Subject Matter Experts,
SMEs) are organized in lines, but the actual work is
done in cross-functional topic-oriented teams. In ad-
dition, there might be some service teams like trans-
lation services. Each team member has a specific role,
a Technical User (TU) Signal Analysis, or a TU
Knowledge Discovery, etc. For example, the TU
Meta Data Analysis is specialized in finding correla-
tions from connection data. He is trained to control
and use specialized tools for this task.
Architecture, infrastructure and services of a JIC op-
erating system need to support the chosen form of or-
ganization and the roles in each team.

To continue the example, the sample JIC has at least
the two topic teams riot and piracy, each sub-
scribed to the set of information relevant. They need
different source specific experts (e.g. trained to
proper handle GSM metadata), topic-related analysts
(e.g. knowing the structures of groups standing be-
hind piracy).
3 Backbone Infrastructure
For integrated situation awareness data from several
sources needs to be harvested. However, gathering
unrelated information only is a small, singular step.
Information becomes more valuable after an intelli-
gent merging process, where all information is related
to known entities and refined to a common stream of
information (CSI). For example, e-mails from or to a
known subject are aligned with phone calls made and
location information from both IP and GSM networks
provide a dense tracking of the suspect.
The intelligence tasks are performed upon this CSI,
backed up by an integrated knowledge base (KB) to
manage intelligence findings. Both CSI and KB pro-
vide a shared backbone for the JIC. By aligning in-
formation from multiple sources and the knowledge
base, a more complete situational picture is available,
providing more accurate decisions on operational op-
tions.

Figure 1 Concept of Backbone Infrastructure
439

4 Architecture and Technologies
The building blocks of a JIC, as outlined above, are
the CSI and the KB. While one is for raw and aggre-
gated source data, the other is for managing subject
and background knowledge.
To operate on the CSI, two techniques need to be
combined: An event driven architecture [1] and ser-
vice orientation. Each step in the chain of evaluation
operates on a stream of events coming from diverse
source systems and on aggregated data. To be flexible
and adaptable to a fast-paced outside world, a Joint
Intelligence Center needs to rely on a set of isolated
services: Each service can be implemented without
knowledge of the other services to optimize results.
CSI and KB act as blackboards for information shar-
ing between services. Sample services include
data aggregators to combine several intercepted
technical data events to one real world event, e.g.
to detect SIM-switching in mobile phones,
enriching services to align data events on the CSI
to background knowledge, e.g. e-mails to known
subjects, or
semantic services to align events to an ontology
(from the knowledge base), e.g. to extract entities
from a textual document.
As both CSI and KB are crucial backbone compo-
nents and have to operate on high volume data, mod-
ern distributed solutions like Apache Hadoop are re-
quired for data storage, processing and dissemination.
Those distributed systems are designed for scalability
and

reliability, and they perform well on commodity hard-
ware, lowering total cost of ownership for a JIC.
With respect to the fast development of new source
types especially related to services on the Internet
schema-les distributed storage provide the flexibility
to react to any new source. They also play very well
with distributed messaging and computing, taking full
benefit from distributed resources, making it possible
to automatically analyze the data stream in near-time,
i.e. with only very short delays from source to an ana-
lysts workplace.
5 Services and Components
The before mentioned services can be orchestrated to
fit the analysts workflow even multiple workflows
across different teams. The shell for these services to
integrate in is an Intelligence Merging and Evaluation
Suite (IMES), which provides common functionality
required by each service source registry, authoriza-
tion and authentication, access to CSI and KB, etc.
Picking up on the previous example, the piracy-
team visualizes calls from and to ships in a designated
area to uncover unusual communication. They are
supported by behaviour profiling services tracking
vessel communication, routes and comparing this to
both normal behaviour and behaviour in the cases of
known acts of piracy.
Following the Overview, Filter, Details-on-demand
paradigm, an Overview-Service provides a first im-
pression of the data available. Whether analysts start
Figure 1 Integration of Event Driven Architecture and Service Orientation for optimized Intelli-
gence Architecture
440
from source streams, collected documents, topics,
automatically generated notifications, or specially or-
dered investigations, the overview gets them going.
From there, Data Selectors (e.g., Geo, Time) allow
them to dig deeper into the available data. However,
as context is so important in intelligence analysis, ex-
ploration services (like search around a given data
element) provide a directed extension of the view into
the data.
Metadata Visualisation services provide visual analy-
sis tools to make meta data accessible to the analysts,
giving them an opportunity for insights that were im-
possible to conclude without a proper graphical repre-
sentation. The most commonly used visual analytics
tools in the intelligence domain are integrated Geo-
Information Systems and Network Maps.

Figure 2 Metadata Visualisation on a Map
Data Correlation services are used to identify and as-
sess hidden connections from the data. Typical exam-
ples are clustering, where data is grouped by machine
learning algorithms, e.g. to identify subjects in differ-
ent networks based upon metadata attributes like loca-
tion, time, or technical parameters.
Behaviour Profiling services identify patterns in in-
coming source data, aggregate it to behaviour and
trigger further action when it detects substantial
changes in behaviour, e.g. upon massive rise in com-
munication in a group of subjects, or dislocation of
one or all participants in a communication group [2].

Content Viewing services provide access to content,
such as viewing eMail content, attached documents,
or listen to GSM call audio.
Textual content is analyzed using Semantic Extrac-
tion services, which extract structured information
from unstructured text and classify given documents
with the topics associated.
In the example, the riot team classifies SMS and
Twitter messages using Semantic Extraction. The
Semantic Extraction service identifies entities such as
places, time data, and names. Based upon a rising
number of messages referring to a specific place an a
specific time, the riot team compiles a riot forecast.
All findings from different services contribute to a
common knowledge base, with sharing based upon
authentication and authorization. Each knowledge bit
can be versioned and associated with the appropriate
source information for later re-evaluation and the use
in multiple contexts.
6 Conclusion
The backbone infrastructure outlined and the IMES
services presented above are the enabling technolo-
gies for Joint Intelligence Centers. They foster a need-
to-share approach: Modern Intelligence cannot pro-
duce valuable results by isolating teams, but by fle-
xible cooperation of specialists. Only by cooperating,
hidden structures can be conceived and threats can be
uncovered in time.To round up the example, the in-
formation from both piracy and riot teams are
compiled into specific situational pictures, which in
turn are products to the customers of a Joint Intelli-
gence Center. Integration of all available data in near-
time is key to the success of a JIC.
Smart Data is one key to this Joint Intelligence,
where data is more than a table in a database. Smart
data carries information on where it comes from, who
might access it, which versions of the data exist and
how trustworthy it is. Thus, Smart Data is integrated,
swiping away singular data silos with their excessive
need of data replication, consistency issues, or au-
thorization nightmare.
Smart Architecture is the other key, enabling a flexi-
ble re-combination of intelligence services and even
the extension with new versions. In the early stages of
a Joint Intelligence Center this is a success factor in
its inherent ability to provide a minimal solution
within only a few months. But it also is enabling the
JIC to scale out to embrace more sensors, more analy-
sis strategies, aka a broader and deeper situational
picture, So, Smart Data and Smart Architecture are
core elements in intelligence strategy to cope with a
world changing at a pace both fascinating and horrify-
ing.

441
References
[1] Gero Mhl, Ludger Fiege, and Peter Pietzuch.
Distributed Event-Based Systems. Springer-
Verlag New York, Inc., Secaucus, NJ, USA,
2006.
[2] Matthias Haringer, Lothar Hotz, and Vera Kamp.
Two stage knowledge discovery for spatio-
temporal radio-emission data. In ECAI, pages
673677, 2008.
442
Video Analysis for Situation and Threat Recognition
David, Mnch, Fraunhofer IOSB, Germany
Kai, Jngling, Fraunhofer IOSB, Germany
Michael, Arens, Fraunhofer IOSB, Germany
Abstract
Vision is one essential cue in present and future security systems since it provides comprehensive information of
the surroundings. Especially in areas like surveillance and threat detection, vision provides indispensable infor-
mation about the environment which allows detailed analysis. One important aspect in surveillance and threat
detection is person centric analysis since people and their behavior are the focus of attention in many security
systems. In this paper, we present a system for person centric video analysis. In particular, we introduce a system
for person behavior recognition that is specifically suited for tasks like infrastructure protection and threat detec-
tion. For that, we combine state-of-the-art computer vision algorithms with high-level reasoning approaches.

1 Motivation
In the growing field of security surveillance applica-
tions the operators are getting either confronted with a
high cognitive load or long monotonic periods with-
out any incident which causes rapidly decreasing at-
tention of the operators. To support them keeping in
focus the predefined situations and threats, automatic
video analysis is gaining increasing importance.
For this purpose a flexible hierarchical system for sit-
uation and threat recognition is presented generating a
high-level logic description of scenes.
The overall system has several advantages over other
systems as it makes only little assumptions on appli-
cation scenario, employed sensors and objects of in-
terest and thus is applicable in a wide range of appli-
cation scenarios even beyond situation and threat
recognition, such as semantic video search, people
analysis or in the area of mobile security in urban are-
as. Here, the system comes to its full potential since
the employed algorithms neither assume a stationary
sensor nor do they simplify from reality assuming
that the only relevant objects are the ones that move.
In Section 2 the person tracking and distance estima-
tion are explained. Section 3 deals with the high-level
logic-based situation recognition. Section 4 presents
two real-world experiments followed by the conclu-
sion.
2 Vision Layer
2.1 Person Tracking
A state-of-the-art person tracking approach is em-
ployed to classify objects and to build space-time tra-
jectories of objects of interest present in the observed
scene. The tracking approach is based on the Implicit
Shape Model [7] detection paradigm and has been ex-
tended to track objects [6]. During a training phase
local image features (e.g. SIFT) are determined which
predominantly occur on objects of interest (e.g. per-
sons) and can then in the application phase be
employed to detect exemplars of this object category.
Tracking has been realized within this detection
framework by not only using actually present local
image features during object detection, but by taking
expected image features stemming from presently
tracked persons into account, too. By this we can di-
rectly search for a presently tracked person in the pre-
sent image and combine image evidence with ex-
pected appearance of that person (see [6] and [5] for
details).
There are advantageous properties of this approach
directly inherited from the original Implicit Shape
Model approach: (i) it can detect objects in a wide
range of scales based on the same trained object mod-

Figure 1 Tracking result in 2D.
443
el. As we will see later, this scale of an object is relat-
ed to its distance to the recording camera and can be
retrieved from the algorithm. (ii) the approach works
independently of sensor specifics like color, which
would otherwise cause additional problems in a multi-
camera setup as the color normalization between
cameras might not be given. There are also some ad-
vantages of the approach due to the way the tracking
is performed: (i) the algorithm provides stable object
tracks even during occlusions as it also takes expected
local features into account in those situations. (ii) the
algorithm works despite camera motion which is rele-
vant in todays surveillance systems due to the exten-
sive use of Pan-Tilt-Zoom cameras. On top of that,
the tracking approach is not restricted to single cam-
era tracking but can be employed for multi-camera
person tracking by using SIFT features models built
during single camera tracking (compare [5]).
2.2 Distance Estimation
The person tracking subsystem assigns a unique ID
for every detected person and returns its position in
the image coordinate system and its scale s. On the
one hand, the distances of the objects cannot be com-
puted from a single image as the scene geometry has
to be considered. On the other hand of course, it is not
always possible to apply a predefined world model, in
which different types of areas and their spatial com-
ponents are hard coded, e.g., if the camera is moving.
models the transformation from the image coordinate
system into the camera coordinate system. The varia-
bles u and v are the position in the image coordinate
system, f
x
and f
y
are the focal length and c
x
and c
y
are
the principle point; they are supposed to be known.
As the distance z
c
is unknown but deduced from the
second claim of intercept theorem the Least Squares
Method is applied to compute the relation of z
c
and s
-
1
. Altogether, the 3D information in the camera coor-
dinate system can be estimated only from the 2D in-
formation of the image coordinates and the inverse
scale. Figure 1 depicts a 2D tracking example and
Figure 2 visualizes the estimated 3D information from
a birds-eye view in the rendered 3D scene of Figure
1.
3 Situation Recognition Layer
Up until now the 2D tracking result and the estimated
3D position in camera coordinates is available. To
keep domain independence, general applicability, and
flexibility of our system the high-level semantic de-
scription and interpretation of the scene is uncoupled
from pure quantitative data. Instead, a conceptual de-
scription is applied. The advantage is easy swapping,
adding and changing of domain specific knowledge
while keeping the generic algorithms.

Figure 2 3D birds-eye view of scene of Figure 1.
Situation Graph Trees (SGT) and the Fuzzy Metric
Temporal Logic (FMTL) were developed by Nagel
and his group ([1], [3]). An SGT represents
knowledge and models situations which can be in-
ferred with high-level logic inference. The logical
language FMTL for this purpose is an extension of
first order predicate logic extended by fuzziness, time
and metrics on time.
Figure 5 depicts an example SGT used in Section 4.2.
An SGT represents the knowledge of the expected
behavior of objects. It consists of situation schemes
which have a unique name, a state scheme and an ac-
tion scheme. The state scheme is describable in terms
of predicates formulated in FMTL and serves as a
precondition of instantiation of the situation scheme.
After having been instantiated a situation scheme for
some agent the action scheme gets instantiated and
executed. Situation schemes are connected by two dif-
ferent kinds of edges modeling two different kinds of
conceptual relation between them. Conceptual spe-
cialization of situation is modeled with specialization
edges (thick edges in Figure 5); temporal successor
relations are expressed by so-called prediction edges
(thin edges in Figure 5). Every situation can be hier-
archically specialized with an SGT again, leading to a
temporally more detailed description of that same sit-
uation.
The knowledge represented by an SGT is referred to
as a behavior scheme as it models the development of
states and actions for a single agent which might be
one person presently tracked by a vision system. With
SGTs together with the underlying logic FMTL it is
possible to link the quantitative results from computer
vision processes to conceptual knowledge, as has
been demonstrated, e.g., in [1]. At this point the prop-
In summary, the equation
444
erty of fuzziness of FMTL is used to map quantitative
results to vague concepts.
The whole situation recognition is done with an SGT
traversal algorithm. By now ([1], [4]), it was possible
to find only at most one instantiation of a situation for
each agent. We extended this strict graph traversal to
a fuzzy graph traversal. This extension allows a con-
current traversal of the SGT. Thus the new fuzzy
graph traversal algorithm performs an exhaustive
complete recognition of any possible predefined sit-
uation and any of their instantiations.
Another advantage of our logical system is the pure
logic used to infer situations which allows proofing
the inference of every single situation instantiation.
4 Experiments
To prove the applicability of our system we applied it
to two real-world scenarios. One is a mobile driver
assistance scenario with a fixed infrared camera
mounted on a moving vehicle. The second is station-
ary surveillance scenario exemplified by a surveil-
lance sequence from PETS2009 [2].
In the first scenario (compare too, Figure 1) a vehicle
with a forward looking infrared camera is driving
through an urban area. Our system works as a driver-
and vehicle-assistance component. The pedestrians
walking on and next to the street are a potential threat
for the vehicle (and vice versa) if they get too close to
it.
There are three predefined situations: InGreen-
Zone, which means that this person is far away and
does not need to be noticed. InOrangeZone means
that the person is getting closer to the vehicle, does
not represent a threat but needs a little bit of observa-
tion. InRedZone are persons who are very close to
the car representing a threat and need undivided atten-
tion.
Figure 3 visualizes one snapshot of the recognized
situations. The two persons on the right are very close
to the vehicle and correctly recognized InRedZone.
The four persons on the left are recognized
InOrangeZone, the two person on the top right are
InGreenZone and there is one false alarm on the
top right.
In the second scenario a stationary surveillance sce-
nario exemplified on a sequence from the PETS2009
dataset we set the focus on three different types of
situations to be recognized: First, there are person
specific situations comprising only one single agent
and its properties such as speed. Second, interaction
specific situations always consist of at most two
agents such as meet or pass by. Finally, location spe-
cific situations concerning the relation of agents to
specific places in the scene such as restricted zones.
Due to the use of fuzzy situation recognition it is pos-
sible to have several situations per person per time. In
this case for visualization the colors are mixed.
Figure 5 depicts the used SGT representing the
knowledge of the situations to be detected. There are
the following situations inferable:
in_illegal_zone, meet, passby and
no_action.
Figure 4 visualizes one snapshot of the situation
recognition. On the left and on the right there are two
persons passing by each other and in the front on the
grass there is a person in the restricted zone.
5 Conclusion
We presented a monocular vision-based fuzzy situa-
tion and threat recognition system consisting of two
components. First, an object detection and tracking
component providing 3D spatial and temporal infor-
mation about objects in scenes is presented. Second,
the situation recognition component uses knowledge
encoded in Situation Graph Trees to perform a fuzzy
graph traversal allowing an exhaustive situation and
threat recognition.
The system was tested with real video data of persons
and their actions and interactions. In order to show

Figure 3 An infrared camera is mounted on a mov-
ing vehicle. Persons are tracked and detected; the
system raises alert if a person gets too close to the
car.

Figure 4 Visualization of recognized situations from
the PETS2009 dataset. Red stands for
in_illegal_zone; green stands for passby.

445
the domain independence we used recorded data from
moving vehicles and static surveillance cameras.
The results show that the system is usable with data
both from infrared and visible spectrum, with data
both from stationary and moving cameras, and is sim-
ple to modify and easy to extend in terms of the
knowledge represented by situation graph trees and
the underlying logic language and thus the situations
to be recognized by the system.
Recent work in progress is extending our system to
deal with multiple object categories. A further exten-
sion is the use of a multi-camera network.
References
[1] Arens, M., Gerber, R., Nagel, H. H.: Conceptual
representations between video signals and natu-
ral language descriptions. Image and Vision
Computing 26:1(2008) 5366.
[2] Ellis, A., Shahrokni, A., Ferryman, J.: Pets 2009
and winter-pets 2009 results: A combined evalu-
ation. In: Proc. International Workshop on Per-
formance Evaluation of Tracking and Surveil-
lance (PETS-2009), pp. 18 (2009).
[3] Gerber, R., Nagel, H.H.: Representation of oc-
currences for road vehicle traffic. Artificial Intel-
ligence 172:4-5(2008) 351391.
[4] Gonzlez, J., Rowe, D., Varona, J., Roca, F. X.:
Understanding dynamic scenes based on human
sequence evaluation. Image and Vision Compu-
ting 27:10(2009) 14331444.
[5] Jngling K., Arens, M.: Local feature based per-
son reidentification in infrared image sequences.
In: Proc. AVSS. pp. 448454 (2010).
[6] Jngling, K., Arens, M.: Pedestrian tracking in
infrared from moving vehicles. In: Proc. Intelli-
gent Vehicles Symposium (IV-2010), pp. 470
477 (2010).
[7] Leibe, B., Leonardis, A., Schiele, B.: Robust ob-
ject detection with interleaved categorization
and segmentation. IJCV 77(1-3), 259289
(2008)

Figure 5 Example Situation Graph Tree (SGT) used in the experiment in Section 4.2. The SGT represents the
knowledge of three (resp. four) situations of interest: In_illegal_zone, meet, passby and no_action.
The thick edges represent a conceptually specialization of a situation scheme, the thin edges specialize in time.
The priority of traversing the edges is indicated with numbers; start- and end- schemes are denoted with boxes
on the top left and top right.

446
Security Check of the Future
Christian Evers
1
, Sherif Sayed Ahmed
1
, Andreas Schiessl
1
, Torsten May, Hans-Georg Meyer,
1
Rohde & Schwarz GmbH & Co. KG, Munich, Germany
2
Institute of Photonic Technology, Jena, Germany
Abstract
The security of passengers at airports and in airplanes is subject to several threats, mainly due to possible terror-
istic attacks or criminal activities. To increase the safety of air transport, several concepts come to practical reali-
zation. Usual techniques include the utilization of walk-through metal detector gates, special equipment for iden-
tification of biological or chemical agents, or portals to screen people for explosives.
A vision for a security checkpoint of the future is not to stop the passenger for a scan, but to allow a walk through
of the persons while being automatically screened. A first step of this vision shall be realized by the QPASS sys-
tem (Quick Personnel Automatic Safe Screening), which incorporates a single or double panel, while the future
passage may consists of several of them. A combination with a passive scanner (THz-Videocam) is a solution to
increase the passenger throughput.
1 Requirements for a modern
checkpoint
The concept of security checks of air passengers in
Europe intends to do an optimized control of all pas-
sengers to detect every kind of carried objects. Clear
rules decide what is allowed to take on board the air-
plane within the hand baggage, depending on these
objects having been voluntarily presented to the secu-
rity staff or having been detected by any kind of
screening.
Special threats, such as plastic explosives or ceramic
knives cannot be easily detected by usual techniques.
For that, advanced imaging technologies are currently
brought into operation. Examples are backscatter X-
ray scanners, active millimeter wave scanners, and
passive Terahertz (THz) cameras. The advantage of
these methods is, that they are able to detect virtually
all types of objects, metallic as well as dielectric ones,
which are possibly hidden in or beneath the clothing
of a passenger. A former disadvantage, namely that the
scanners display images that show the naked body,
thus violating basic human rights, can be eliminated
by the usage of an appropriate image processing soft-
ware, sometimes called Automatic Threat Detection
(ATD) or Automatic Threat Recognition (ATR). Also
further aspects of public interest, as demanded by
governmental authorities, have to be fulfilled by a
modern scanner. This includes health effects that
might be caused by the ionizing radiation of backscat-
ter X-ray scanners or the radiated power of active mil-
limetre-wave scanners.
Figure 1 Future checkpoint scenario
Furthermore, a major aspect is the capability of the
scanners to produce images of suitable quality and
format for the automatic object detection and classifi-
cation. This is best reachable by the utilization of
three-dimensional images, which describe the scatter-
ing within the scanned region over depth, and hence
allow for slice-by-slice evaluation of the object vol-
ume.
For the attractiveness and competitiveness of an air-
port its customer kindness at the security check is an
very important index. This attractiveness is measured
by the subjective feeling of the passenger for the time
he has to invest for the security check and how com-
fortable the check has been done. Any kind of pad-
down controls are affecting the privacy of the passen-
ger and increasing the time he has felt to invest for
this unpleasant procedure.
447
Pax/hour
0
20
40
60
80
100
120
140
160
180
6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22
Pax/hour
Figure 2 Typical statistic for a checkpoint
Every new technology will be measured by the state of
the art, well-known and established systems. The real
level of detection quality is not visible for the passen-
ger and has still to be a highly confidential issue. So
the improvement of quality in the security checks is a
fictitious number in all discussions. Therefore the pas-
senger as well as the financial controller highly priori-
tize the countable facts, that is the comfort of the
technique. Comfort is defined by invested time and
privacy issues. The check has to be shorter in time and
the necessary controls after alarms have to be very ef-
fective. The most attractive figure of merit for the fi-
nancial controller is the number of passengers (pax)
passing the check point per hour, the checkpoints
throughput. Increasing this number wins time for the
passenger, e.g. for visiting the duty-free shopping
area, and lowers the cost of the new technology.
Any new technology that is added to the check point
has to perform comparable or better than the conven-
tional techniques in terms of throughput. The staff
costs have to be minimized, the cost for invests have
to be in an acceptable relation to the improved
throughput.
The current procedure in a checkpoint including metal
detector gates includes the rule to control the complete
body in case of an alarm: front, back, quick shoe
check, opening the belt, etc. Due to the existing threat
scenario, a random alarm with adjustable alarm rate
also leads to full pat-down. This procedure ensures
that objects that cannot be detected are found at least
with a certain probability. The optimistic goal for
throughput at these checkpoints is 200 pax per hour.
The flow of passengers depends on the time of day
and varies a lot. Business travels start in the early
morning and are finished between 5pm and 8pm.
The typical variation is shown in Figure 2. This sums
up to 0.5 0.9 million pax per anno for one check-
point, so an average number for a well-organized
checkpoint is 0.7 million pax per anno. Investments of
technology and their amortization are typically done
for 5 to 10 years. To calculate with only 5 years is a
conservative approach. The cost estimation in section
3 is based on these numbers.
2 Visions for a checkpoint of the
future
In June 2011, the IATA organization presented a 1:1
model of a new checkpoint concept entitled Check-
point of the Future at the Associations 67
th
Annual
General Meeting in Singapore (Figure 3) [11].
The concept is a mix between passenger profiling and
the use of different new technologies. The underlying
technologies itself have not been discussed in detail.
The key idea is to separate the passengers in three dif-
ferent groups. Three walk-through tunnels are
equipped with different detection tools, whose com-
plexity is matched to the assumed security risk of the
passengers that pass that tunnel. The key elements
emphasized by IATA are:
Profiling leads to a group of trusted passen-
gers
The control for objects works in a walk-
through tunnel
The standard security check works contact-
less without pad downs
IATA assumes that this technology will not be avail-
able within the next seven years.
Figure 3 IATA: Checkpoint of the future
The worldwide passenger volume is expected to in-
crease from 2.5 billion per year in 2011 up to 16 bil-
lion per year in 2050. This dramatic increase produces
the need for an improvement of the throughput by fac-
tors in combination with a higher level of security. EU
regulations for body scanners are expected by the end
of 2011. The stakeholders are eager to run the certifi-
cation process to prove the security of their systems.
But this is just a prerequisite to bid for a tender, which
will also ask for proved numbers of throughput and
false alarm rates.
Multisensorics, combination and exchange of different
sensor systems, is a very difficult topic from the data
protection point of view, especially in Germany. In
Germany every detector system has to work and de-
cide independently.
The German requirements to protect the human pri-
vacy are pushing the research and development to its
limits. Current news from the US underline the wise
decision not to start the use of body scanners without
448
privacy software and only after the evaluation of the
field test, e.g. the one in Hamburg with the statistic of
0.8 million passenger tests.
3 Realistic approaches and
solutions
The gap between visions and the current status is
closed by the current research projects, some of which
are approaching the transfer to commercial products.
As building blocks for the idea of a complete check
point architecture, different active portal scanners and
passive detection systems based on non-radiating mm-
wave technology are under development in several
funded projects. Devices that use spectral analysis in
the THz-range to identify the signature of explosives
as an add-on to body scanners are still in a fundamen-
tal research stage and have to be postponed into later
future applications.
The requirements of the airports regarding the devices
for future checkpoint concepts vary significantly. Big
hubs, e.g. Frankfurt airport, will focus on different
system aspects than smaller regional airports, e.g. Er-
furt airport. So the systems that are under evaluation
have to be highly modular and configurable. This can
be achieved by optimizing the concepts of operation
(conops) for flexible and individual scenarios at the
airport. Some of the funded project have already en-
tered this phase.
Several approaches are evaluated by the funded re-
search projects. Among them, the active mm-wave
body scanner is most promising. Its main features are:
1) Detection of all kinds of objects, independent
of the material
2) Throughput improvement, because random
alarm is not necessary
3) Effective use of zone alarms
4) Improvement in effectiveness by the privacy
software.
The comparison to the metal detector gate in terms of
throughput is very tough for the mm-wave body scan-
ners. Only the combination of the system principle,
the geometry, software and the conops deliver an
competitive approach. The conops are representing
the strengths and weaknesses of the systems. Setting
the conops for a new technology changes the project
from a research demonstrator to a product.
In case of an alarm the body scanners show the exact
zone for the detected object at the surface of an ano-
nymized view of the human body, an avatar. If only
one or two zones are marked, only these zones have to
controlled by a dedicated padding. Typical time for
this padding is not more than 10 sec, this is a 30 sec-
ond advantage compared to the full padding at the
metal detector gate. By decreasing the number of full
body checks, the mm-wave scanner can achieve the
throughput requirement and even improve throughput
compared to the metal detector gate.
By the certification, random approvals and daily con-
trols of the detection quality, care will be taken for the
high detection rate of the instrument. New instruments
shall also be prepared to localize smaller objects than
the official ECAC certification procedure looks for: at
one hand better raw data can be provided to the soft-
ware development, which will lead to more robust de-
tection results, at the other hand the instrument will be
able handle new threats, which are unknown today.
The high detection quality of the privacy software, en-
abled by excellent raw data delivered from the sensor,
shall be the reason to abstain from the random alarm,
which is the standard at the metal detection gates.
The time needed to do the measurement with the mm-
wave scanner is very different for the existing instru-
ments and fixed by the conops. Of course the best re-
sults will achieved by the use of two scanner systems.
The maximum throughput will be achieved if the pas-
sengers can walk through the detection system without
any stops.
The procedure could run as follows: the passenger has
to get in eye-contact with the responsible security per-
son. If he gets the go, he has to follow the rules of
the conops and to bring him self in the relevant posi-
tions. The measurement that are then done by the
scanner are so fast, that no picture is getting worse and
detection robustness is not decreased by movements
of the passenger. Measurement and evaluation of the
measurement result by the privacy software adds no
extra time to the complete procedure.
At checkpoints where 6 pax per hour have to be
achieved, it is not possible to perform the alarm
checks directly at the scanner. The pax has to be
guided to an extra check box, where the pad-down
will be done. For each control box, female and male
security staff is needed to perform the pad-down. A
typical pad-down takes 40 seconds. The pax-flow
produces a new passenger every 10 seconds. The
number of required checkboxes is set by the relation
of the control times with alarm (40 s) to the time to
pass the check point without alarm (10 s), resulting in
a factor of 4 (40 s / 10 s = 4). The problem specifies a
serial-to-parallel transfer, with its special effects ( e.g.
control of shoes) that cannot be synchronized. The
false alarm rate decides on the occupation of the
boxes. If the pax flow shall not be slowed down at any
time, the number of the boxes cannot be reduced by
calculating with the average false alarm rate., as
alarms can happen continuously, independent of the
average rate.
The alarms generated by the body scanners are for-
warded to the control boxes by transfer of the avatar
image, which shows the zone and location of the un-
known object. The most efficient check can be done,
if only one zone is marked. For that reason, the loca-
tion and size of the zones on the avatar have to be
chosen carefully according to the statics of the posi-
tive alarm rates.
449
0
50
100
150
200
250
300
350
400
M
e
t
a
l

D
e
t
e
c
t
i
o
n

G
a
t
e
S
i
n
g
l
e

m
m
-
W
a
v
e

P
o
r
t
a
l
D
o
u
b
l
e

m
m
-
W
a
v
e

P
o
r
t
a
l
D
o
u
b
l
e

m
m
-
W
a
v
e

P
o
r
t
a
l

+

1

C
o
n
t
r
o
l

B
o
x
D
o
u
b
l
e

m
m
-
W
a
v
e

P
o
r
t
a
l

+

2

C
o
n
t
r
o
l

B
o
x
e
s
D
o
u
b
l
e

m
m
-
W
a
v
e

P
o
r
t
a
l
+

4

C
o
n
t
r
o
l

B
o
x
e
s
D
o
u
b
l
e

m
m
-
W
a
v
e
-
P
o
r
t
a
l
+

2

C
o
n
t
r
o
l

B
o
x
e
s
w
i
t
h

P
r
e
c
h
e
c
k

b
y

T
H
z
V
C
Number of Pax / hour
Figure 4 Throughput for systems of different com-
plexity
The control of one zone can be done in 10sec, which
is in line with the pax-flow. If the alarm exceeds two
zones, a full pad-down is required and again the 40sec
are needed.
A lot of false alarms are produced by objects the pas-
sengers forget to take out of their pockets. Reducing
those false alarms would significantly increase the
throughput of the checkpoint. A passive scanner like
the THz Video Camera (THzVC, example image see
Figure 6) could perform a rough pre-check. Depend-
ing on the results of this pre-check, passengers will be
sent forward for more detailed checks by the next sys-
tem, e.g a QPASS [1] body scanner, or will be asked
by a security employee to empty all pockets, but with-
out pad-down, before proceeding.
Figure 4 shows the maximum throughput rates for dif-
ferent system configurations, consisting of QPASS and
THzVC modules. Even if the investment for the tech-
nology should be amortized within only five years, the
cost for the security staff exceeds the cost of the in-
vestment by factors (Figure 5). Even for the most
complex scanner equipment (2 QPASS panels + one
THzVC pre-check system) this is still valid.
The precondition for these scenarios is an excellent
quality of the mm-wave scanners, with a nearly perfect
detection rate and a false alarm rate, which is consid-
erably reduced compared to the field test in Hamburg
[12].
If prechecks or selections of passengers are planned,
the THz-Videocam [9,10] can be an important build-
ing block. The THz-Videocam is a funded German
project to build a passive security camera which visu-
alizes sub-mm wavelengths using cooled bolometer
arrays.
0,00
0,05
0,10
0,15
0,20
0,25
0,30
0,35
0,40
0,45
M
e
t
a
l

D
e
t
e
c
t
i
o
n

G
a
t
e
S
i
n
g
l
e

m
m
-
W
a
v
e

P
o
r
t
a
l
D
o
u
b
l
e

m
m
-
W
a
v
e

P
o
r
t
a
l
D
o
u
b
l
e

m
m
-
W
a
v
e

P
o
r
t
a
l

+

1

C
o
n
t
r
o
l

B
o
x
D
o
u
b
l
e

m
m
-
W
a
v
e

P
o
r
t
a
l

+

2

C
o
n
t
r
o
l

B
o
x
e
s
D
o
u
b
l
e

m
m
-
W
a
v
e

P
o
r
t
a
l
+

4

C
o
n
t
r
o
l

B
o
x
e
s
D
o
u
b
l
e

m
m
-
W
a
v
e
-
P
o
r
t
a
l
+

2

C
o
n
t
r
o
l

B
o
x
e
s
w
i
t
h

P
r
e
c
h
e
c
k

b
y

T
H
z
V
C
Cost for.Invest /Pax
for 5 years ()
Cost for staff
/ Pax ()
Figure 5 Total check point cost for systems of differ-
ent complexity
The new generation of THz-Videocam is designed to
meet the requirements of a flexible installation and an
intuitive usage by the security personnel. Major condi-
tion for an effective operation is a high frame rate of
the imager.
Some specifications of the THz-Videocam are:
Adaptive optics 3 to 10 m distance
Field of view 1 m by 2 m
128 pixel in one row
Resolution 256 x 128 pixel
Frame rate 25 Hz
For imaging, a 50cm class optics is used which is able
to resolve approximately 1.7 cm objects from 8 m dis-
tance. For a flexible installation, the object distance
shall be tuned between 3 and 10m.
The QPASS system is based on an active 3D mm-
wave concept [1], [2], [3]. The automated image
analysis, which is necessary to get the so called pri-
vacy software and throughput optimization is sup-
ported by the high quality and special capabilities of
the QPASS raw data:
1. Highest lateral resolution (1.5mm)
2. Analysis of multiple reflections of dielectric ma-
terial like explosives
3. Tomographic slices of 3D image
4. Phase-unwrapping to extract surfaces like human
skin
Most of the mm-wave images which have been pub-
lished are demonstrating the limited illumination of
shaped objects or of the human body. A powerful mm-
wave imaging system has to take care for a maximized
aperture and full visibility of all areas of the human
body. The QPASS system combines a full illumination
(see Figure 7) together with a flashlight picture,
which is done in only 20ms. Moving the arms or other
parts of the body do not produce unreadable images.
Figures 8 to 13 show sample images produced by
demonstrators built during the QPASS development.
The images illustrate the excellent raw data quality of
this system.
450
Figure 6 Use of passive THz camera for pre-checks
Figure 7 Simulation for illumination of the QPASS
sytem
Figure 8 Maximum intensity projection for a sheet of
explosives
Figure 9 Automatic detection by use of multiple re-
flections within the sheet of explosives
Figure 10 Example for lateral resolution by a meas-
urement of a clasp knife under a shirt and pullover
Figure 11 example of a 3D scenario
Figure 12 3D scenario with removed packaging
Figure 13 Example for enhanced depth resolution at
surfaces by phase unwrapping
451
4 Summary
Solid foundations are laid down to configure a check-
point of the future using German technology. Now, an
efficient cooperation of all parties is needed to start
into the next phase.
The intensive field test in Hamburg has produced a
clear picture of the improvements that are necessary
for a next generation body scanner. Those improve-
ments will shift bodyscanners to key components for
higher security, more comfort and maximized passen-
ger throughput at the airports.
The presented concepts elegantly fulfil: 1) the funda-
mental rules to protect all privacy issues and human
rights of the passengers, 2) the requirements for a safe,
performant and comfortable solution, based on Ger-
man technology, available much earlier than 2019
(expectation of IATA).
ACKNOWLEDGEMENT
The authors would like to thank the German Federal
Ministry of Education and Research (BMBF) for
funding part of the presented activities.
References
[1] Sherif Sayed Ahmed, Frank Gumbmann, Andreas
Schiessl, Markus Reiband, Sebastian Methfessel,
Cyrille Maire, Amir Cenanovic, Olaf Ostwald,
Christian Evers, Lorenz-Peter Schmidt, QPASS
Quick Personnel Automatic Safe Screening for
Security Enhancement of Passengers Future
Security, Berlin Sep. 2011
[2] S.S. Ahmed, A. Schiessl, and L.-P. Schmidt,
Near Field mm-Wave Imaging with Multistatic
Sparse 2D-Arrays, Proceedings of the 6th
European Radar Conference, Rome: 2009, pp.
180-183
[3] F. Gumbmann, P. Tran, and L.-P. Schmidt,
Sparse Linear Array Design for a Short Range
Imaging Radar, Proceedings of the 6th Euro-
pean Radar Conference, 2009, pp. 176-179
[4] S.S. Ahmed, A. Schiessl, and L.-P. Schmidt, Il-
lumination Properties of Multistatic Planar Ar-
rays in Near-Field Imaging Applications, Euro-
pean Radar Conference (EuRAD), 2010
[5] A. Schiessl, S.S. Ahmed, A. Genghammer, and
L.-P. Schmidt, A Technology Demonstrator for
a 0.5 m x 0.5 m Fully Electronic Digital-
Beamforming mm-Wave Imaging System, Eu-
CAP, 2011
[6] S.S. Ahmed, O. Ostwald, and L.-P. Schmidt,
Automatic Detection of Concealed Dielectric
Objects for Personnel Imaging, IEEE MTT-S
International Microwave Workshop on Wireless
Sensing, Local Positioning, and RFID, Cavtat:
2009, pp. 26-29.
[7] A. Schiessl and S.S. Ahmed, W-Band Imaging
of Explosive Substances, Proceedings of the 6th
European Radar Conference, 2009, pp. 617-620.
[8] A. Schiessl and S.S. Ahmed, W-Band Imaging
[9] T. May, G. Zieger, S. Anders, V. Zakosarenko,
H.-G. Meyer, M. Schubert, M. Starkloff, M.
Rler, G. Thorwirth, U. Krause, Visible, Infra-
red and Terahertz Object Recognition for secu-
rity screening application, Proceedings of SPIE,
Passive Millimeter-Wave Imaging Technology,
7309, 2009
[10] E. Heinz, T. May, D. Born, G. Zieger, S. Anders,
G. Thorwirth, V. Zakosarenko, M. Schubert, T.
Krause, M. Starkloff, A. Krger, M. Schulz, F.
Bauer, H.-G. Meyer, Passive submillimeter-
wave stand-off video camera for security appli-
cations, Journal of Infrared, Millimeter, and
Terahertz Waves, 31, 2010
[11] IATA organization, IATA media briefing, Sin-
gapore, June 2011
[12] Welt-online,http://www.welt.de/channels-
extern/ipad_2/politik_ipad_2/article13517197/N
ackt-Scanner-ueberzeugen-im-Test-nicht,
29.7.2011
452
Progress in Device Technology Creates Potential for Active Real-
Time THz Security Scanners
Alvydas Lisauskas, Physikalisches Institut, Goethe-Universitt Frankfurt am Main, Germany
Sebastian Boppel, Physikalisches Institut, Goethe-Universitt Frankfurt am Main, Germany
Viktor Krozer, Physikalisches Institut, Goethe-Universitt Frankfurt am Main, Germany
Hartmut G. Roskos, Physikalisches Institut, Goethe-Universitt Frankfurt am Main, Germany
Abstract
Actively illuminating body scanners employing electromagnetic radiation - as far as they are commercially avail-
able at present or will be so in the near future - operate in the millimeter-wave regime, at frequencies below 100
GHz. A strong reason for the frequency limitation is the price of the electronic components which increases extre-
mely rapidly with rising frequency; a consequence of the fact that, until recently, suitable electronic components
have only been developed for high-price specialized purposes in astronomy, for radiometers, etc. A broader inter-
est in ultrahigh frequencies and their application potential has recently resulted in an intensified device research.
Impressive progress has been achieved with the generation, handling and notably the detection of ultrahigh fre-
quency radiation up to hundreds of GHz, well into the terahertz frequency regime (beginning at 300 GHz). Even
silicon-based devices are nowadays able to detect THz radiation at frequencies as high as 1 THz and above. This
progress is, on one hand, due to advances in materials research, but results also from the application of novel de-
vice concepts. This presentation first reviews the advantages and limitations of active security scanning at THz
frequencies; experimental scanner systems are described and discussed. Then, recent progress in electronic de-
vice research is outlined and the possible implications for future scanner systems are explored.

1 Research Into Active Security
Scanners at Terahertz Fre-
quencies
1.1 Spectroscopy and Image Contrast
An important feature of electromagnetic radiation in
the THz frequency range (whose lower bounds we un-
derstand here to be 300 GHz) is its spectroscopic ca-
pability. However, most characteristic absorption lines
of explosives, substances of abuse, etc. lie at frequen-
cies above 1 THz and thus in a spectral regime beyond
the range of all-electronic scanners of interest in this
paper. The type of security scanning, on which we fo-
cus in this paper, derives its image contrast from re-
fractive-index differences, scattering and diffraction.
In this respect, a similarity exists with ultrasonic imag-
ing. In addition, both imaging modalities are capable
of ranging, i.e., three-dimensional imaging, which
turns out to be extremely useful for the detection of
hidden objects.
1.2 Examples of THz scanners
The main motivation for the exploration of the THz
regime with respect to security applications comes
from the goal of stand-off detection [1]. The larger the
target distance, the bigger the challenge to maintain
sufficiently good spatial resolution, which directly
leads to favor smaller wavelengths of the radiation
employed. While target distances above 10 m are
highly desirable, they are difficult to achieve with
good system performance because of the facts that ra-
diation power remains difficult and expensive to pro-
vide at THz frequencies, and that multi-pixel detectors
suitable to build a camera are only being developed
now. The challenge remains to generate images with a
high frame-rate, at video rate or close to it.

Figure 1 812-GHz scanner for real-time operation
Fig. 1 shows an example of an experimental active
THz scanner which has been developed recently to
453
operate at 812 GHz [2]. The telescope optics is de-
signed for a target distance of up to 6 m from the half-
meter main mirror. The small secondary mirror of the
telescope performs a tumbling rotational motion. Dur-
ing each revolution, a full image is taken of a target
area of 1326 cm
2
(for a distance of 4 m), which
translates into a rate of ten and more frames per sec-
ond. The high frame rate is only possible because the
system employs a 32-pixel detector array positioned in
the central bore of the main mirror of the telescopic
optics. The detectors are subharmonic heterodyne re-
ceivers. They are individually mounted in blocks of
eight. The mounting process leads to non-negligible
performance variations, which makes robotic mount-
ing or integrated detectors desirable.
Because of the coherent nature of the detection
mechanism, one can adopt advanced detection tech-
niques from radar technology, beyond those of the sys-
tem of Fig. 1, such as depth ranging via FMCW (fre-
quency-modulated continous wave) [3,4] and syn-
thetic-aperture imaging [1]. The probing of the third
dimension by time-of-flight depth ranging can play an
important role for the identification and distinction of
objects, as has been demonstrated impressively in
Refs. [2,3]. Such systems are currently under devel-
opment for stand-off security applications. Another
possible area of application are luggage inspection
and postal package scanning. In all cases, high fre-
quencies help to achieve a good spatial resolution
needed for the detection of smaller objects and for the
discrimination of objects being positioned close to
each other.
2 THz Electronics with Silicon
Todays THz electronics is mainly derived from tech-
nology developed for radioastronomy. It exhibits high
performance, but also high complexity and a high
price which does not readily scale downwards with
increasing production volume because it involves
much serial manufacturing technology. The high price
of THz electronics is a severe drawback which slows,
sometimes even threatens, the development of an ap-
plication-ready technology. Sources of THz radiation
are so expensive that people try to work with exceed-
ingly low power levels (in the order of a milliwatt and
less) and detector pricing limits the number of pixel
which can be implemented. Therefore, one recognizes
at present a strong push towards less cost-intensive
technologies, carried by the aim to link THz technol-
ogy with mainstream electronics (and optoelectronics,
not considered further here).
A striking and somewhat unexpected development of
recent years is that silicon electronics can be pushed
high into the THz frequency regime. Oscillators begin
to touch the half-THz point [5]. Detection exploiting
subharmonic mixing is possible at even higher fre-
quencies [6]. The progress comes from advances of
both materials science and device technology, but also
from the exploitation of physical effects which have
not been part of the recipes of electronics until re-
cently.
In the following, we focus on one example of the ex-
ploitation of novel effects for the detection of THz ra-
diation. This effect, a mixing process within the field-
effect transistors (FETs) themselves, allows to utilize
present-day mature CMOS technology to detect THz
radiation at frequencies as high as 4.25 THz [7]. It
lends itself to the development of focal-plane arrays
(FPA), i.e., multi-pixel detectors, which can be oper-
ated either as power detectors or as heterodyne re-
ceivers.
2.1 Si CMOS-Based THz Detection
The physical mechanism underlying this novel path
towards real-time-capable FPAs is rectification of the
THz signal in the FETs at frequencies which can ex-
ceed the FETs transit-time-limited cut-off frequency
by factors of many ten [8-10]. The mixing process in-
volves plasma waves of the charge carriers in the
channels of the FETs. At room temperature, plasma-
wave-based rectification can be understood to be an
extension of classical resistive mixing, well-known in
microelectronics. Resistive mixing is based on the
quasi-stationary behavior of FETs; if extended to the
non-quasi-stationary case, plasma-wave excitation has
to be included. The relationship to resistive mixing is
reflected now in the newly-coined term of distributed
resistive (self-)mixing [10].
150 m
2
0
0

m

Figure 2 Photograph of a first-generation FPA chip
(top) with the detector circuit layout (bottom).
Figure 2 displays an experimental FPA of the first
generation, consisting of 15 detector pixels for a fre-
quency of 0.65 THz. The dominant features in the
454
photograph of the device are the integrated rectangu-
lar patch antennae. The sketch in the lower part of Fig.
2 displays the circuit layout of each pixel [11]. Two
FETs are connected with each other to generate the
rectified signal in differential mode suppressing com-
mon-mode signals; the rectified signal is then ampli-
fied by a 43-dB voltage amplifier.
The detector arrays were fabricated entirely in a
commercial foundry, employing a 250-nm BiCMOS
technology. Since then, we have improved the design
and adopted a 150-nm CMOS technology. With it, we
now reach a noise-equivalent power of 43 pW/Hz at
0.6 THz [12] which compares well with other state-of-
the-art THz detectors made with specialized process
technologies. Unlike many of those, which work on
the basis of thermal effects, FET-based THz detectors
are fast-response devices which offer the possibility of
heterodyne operation for coherent detection with en-
hanced responsivity [13]. In this, they behave like
Schottky-barrier diodes, but with the advantage over
these that the technology is mature to allow for fairly
straightforward realization of large detector arrays
with high yield and low performance variations, while
Schotty-diode arrays are notoriously difficult to make
with decent yield.

Figure 3 Heterodyne image of a freshly cut leaf of a
ficus benjamina. Left: Photograph of the leaf; middle:
power transmission at 0.6 THz; right: pseudo-3D im-
age obtained by unwrapping of the phase information.
Image from [2.]
Figure 3 displays power-transmission and processed-
phase images taken with FET detectors in heterodyne
mode at 0.6 THz. Heterodyne detection gives access
to the phase of the radiation which can in cases like
that of Fig. 3 be utilized to render a three-dimensio-
nal representation of the object.
2.2 Potential of Si THz Electronics for
Security Applications
With our work, we have contributed to develop a link
between THz photonics and mainstream microelec-
tronics. The detection principle of distributed resistive
(self-)mixing allows to employ a fairly relaxed and
unmodified, commercial Si CMOS technology and to
use it for the fabrication of detectors of GHz and THz
radiation.
As the mixing processes involved are local effects in
the transistor channels, device response is not limited
by charge transit through the channels, but rather by
impedance and parasitic-capacitance effects which
limit the amount of THz signal which can be provided
at the mixing site. For the technology available to us
characterized by transit-time-determined cut-off fre-
quencies of 30-40 GHz , this limitation is not yet a
severe one even at 0.6-0.8 THz. One could say, that
the exploitation of plasma-wave phenomena in addi-
tion to charge transit somewhat relaxes the hitherto
unrelenting push of THz electronics towards ever
smaller device dimensions, at least with regard to THz
detectors.
Developments like these, coupled with advances with
respect to the generation and control of THz radiation,
hopefully will coalesce into an enabling technology,
which can spawn a much broader use of THz radiation
and a downward spiral with regard to the costs of
THz-photonic systems. While THz radiation has its
limitations (such as an increasing absorption in many
materials and even in humid air with rising fre-
quency), it also has advantages (such as the improving
spatial resolution with increasing frequency, and
strong contrast between materials) which could not be
exploited properly until now because the huge costs
limited the amount of power which one could afford,
as well as the number of detectors.
Applications which can profit from a higher level of
emitter and detector integration will benefit first from
such developments. We see package and mail moni-
toring as examples because they can be based on line
arrays of densely packed detectors. The system tech-
nology is also not so much different from that which
will be developed for quality control in production
lines. Long-distance stand-off detection, on the con-
trary, which does not profit from such synergy and
which is characterized by more distributed emitters
and detectors, may benefit later.
There remains much work to be done, until applica-
tions can take full advantage of the emerging device
potential. With respect to multi-pixel detectors, we see
a need for the development of arrays of subharmonic
heterodyne receivers, in order to produce detector ar-
rays with high sensitivity. Issues such as the genera-
tion and delivery of local-oscillator power must be
solved. Another matter is the development of fre-
quency-agile detector arrays for FMCW depth rang-
ing. But such developments are now part of the pro-
gress of semiconductor technology, and do not depend
exclusively on specialized materials and process tech-
nologies anymore as they used to.
Acknowledgement
Funding for our work outlined here was provided by
BMBF projects TeraCam and LiveDetect3D, and by
WI Bank Hessen. We are grateful for contributions by
455
W. von Spiegel, C. am Weg, B. Hils, T. Lffler (Syn-
View GmbH), R. Henneberger (RPG), A. K. Huhn
(Univ. Siegen), P. Haring Bolvar (Univ. Siegen), E.
jefors (Univ. Wuppertal) U. Pfeiffer (Univ. Wupper-
tal), and G. Valuis (Center for Physical Sciences and
Technology, Vilnius).
References
[1] Cooper, K. B., Dengler, R. J., Llombart, N., Ta-
lukder, A., Panangadan, A. V., Peay, C. S.,
Mehdi, I., and Siegel, P. H.: Fast, high-resolu-
tion terahertz radar imaging at 25 meters, Proc.
SPIE, vol. 7671, p. 76710Y, 2010.
[2] Friederich, F., von Spiegel, W., Bauer, M.,
Meng, F. Z., Thomson, M. D., Boppel, S., Li-
sauskas, A., Hils, B., Krozer, V., Keil, A., Lff-
ler, T., Henneberger, R., Huhn, A. K., Spicker-
mann, G., Haring Bolvar, P., and Roskos, H. G.:
THz active imaging systems with real-time ca-
pabilities, IEEE THz Science Technol., Inaugu-
ral Issue, Sept. 2011
[3] Cooper, K. B., Dengler, R. J., Chattopadhyay, G.,
Schlecht, E., Skalare, A., Mehdi, I., and Siegel,
P. H.: Penetrating 3-D imaging at 4- and 25-m
range using a submillimeter-wave radar, IEEE
Microwave Theory and Techn., vol. 56, no. 12,
pp. 2771-2778, 2008
[4] am Weg, C., von Spiegel, W., Henneberger, R.,
Zimmermann, R., Lffler, T., and Roskos, H. G.:
Fast active THz cameras with ranging capabili-
ties, J. Infrared Millim. THz Waves, vol. 30, pp.
1281-1296, 2009
[5] Seok, E., et al., A 410 GHz CMOS push-push
oscillator with an on-chip patch antenna, ISSCC
Dig. Tech. Papers, pp. 472-473, 2008
[6] jefors, E., and Pfeiffer, U. R.: A 650 GHz
SiGe receiver front-end for terahertz imaging ar-
rays, ISSCC Dig. Tech. Papers, pp. 430-432,
2010
[7] Boppel, S., Lisauskas, A., Seliuta, D., Minke-
viius, L., Kaalynas, I., Valuis, G., Krozer, V.,
and Roskos, H. G.: Silicon CMOS-transistor-
based detection up to 4.25 THz, IRMMW-THz
conf., Houston, Nov. 2011
[8] Dyakonov, M., and Shur, M.: Detection, mix-
ing, and frequency multiplication of terahertz
radiation by two-dimensional electronic fluid,
IEEE Trans. Electron. Devices, vol. 43, pp. 380-
387, 1996
[9] Knap, W., Kachorovskii, V., Deng, Y., Rumyant-
sev, S., L, J.-Q., Gaska, R., Shur, M. S., Simin,
G., Hu, X., Asif Khan, M., Saylor, C. A., and
Brunel, L. C.; Nonresonant detection of tera-
hertz radiation in field effect transistors, J.
Appl. Phys., vol. 91, pp. 9346-9353, 2002
[10] Lisauskas, A., Pfeiffer, U., jefors, E., Haring
Bolvar, P., Glaab, D., and Roskos, H. G.: Ra-
tional design of high-responsivity detectors of te-
rahertz radiation based on distributed self-mixing
in silicon field-effect transistors, J. Appl. Phys.,
vol. 105, p. 114511, 2009
[11] jefors, E., Pfeiffer, U., Lisauskas, A., and
Roskos, H. G.: A 650 GHz focal-plane array in
a quarter-micron CMOS process technology,
IEEE J. Solid State Circuits, vol. 44, p. 1968-
1976, 2009
[12] Boppel, S., Lisauskas, A., Krozer, V., and
Roskos, H. G.: Performance and performance
variations of sub-1 THz detectors fabricated with
a 0.15 m CMOS foundry process, Electron.
Lett., vol. 47, p. 661-662, 2011
[13] Glaab, D., Boppel, S., Lisauskas, A., and
Roskos, H. G.: Terahertz heterodyne detection
with silicon field-effect transistors, Appl. Phys.
Lett., vol. 96, p. 042106, 2010

456
Terahertz Sensor Systems for Field Applications
Bernd Sartorius, Helmut Roehle, Roman Dietz, Thorsten Goebel, Harald Kuenzel, Dennis Stanze, Martin Schell,
Fraunhofer Institute for Telecommunications, Heinrich-Hertz-Institut, Germany
Abstract
Terahertz has become prominent in the context of the body scanners. However, Terahertz sensors can find more
and new applications when they become portable and practicable. The paper describes limits and advantages of
THz spectroscopy and shows the way to sensor systems for field applications. Keys are the exploitation of fibre-
optic technologies and innovative chips converting telecom light into THz waves. Such systems cover the whole
frequency range of interest (0.1 - 3 THz). Application examples concern identification of powders in closed en-
velopes and liquid scanners for distinguishing between harmless and dangerous liquids.

1 Introduction
Terahertz spectroscopy is attracting increasing interest
in security applications. Plastic explosives like Sem-
tex or RDX have fingerprints in the THz range [1],
mail scanners using THz radiation are in development
[2], and the analysis of dangerous liquids in closed
bottles is under investigation [3]. The big advantages
of THz have been demonstrated in the context of the
body scanners: similar to x-rays, THz radiation can
look through clothing, paper or plastic packages, but
it is absolutely harmless for human beings.
In this paper we first point out the limits and merits of
THz spectroscopy. Then we describe concepts and
key developments towards turnkey and portable THz
sensor systems. The performance is evaluated, and
examples for security related applications give an idea
on the potential of such THz sensors.

2 Limits and advantages of THz
The Terahertz range, extending in the electromagnetic
spectrum from about 0.1 to 10 THz, is located be-
tween microwaves / radio on the low frequency side
and infrared light / optics on the high frequency side
(Figure 1). The difficulties in THz sensor systems are
that pure electronic or pure (quantum-) optic devices
(lasers, detectors) do not work well in this range. The
big advantage of THz, however, turns out if features
of radio waves (transparency for most non-metal ma-
terials) and of optics (spectroscopy) can be combined:
Spectroscopy of hidden materials. If transparency
alone is needed - as for the body scanners - then fre-
quencies below 100 GHz are preferable due to the
available and mature microwave electronic compo-
nents. The spatial resolution of a few millimetres is
sufficient for most applications.
If, on the other hand, the surface of unknown sub-
stances is accessible, then infrared spectroscopy is fa-
vourable because the spectra show more and sharper
characteristic structures. Looking through packages
and into the depth of materials is the advantage of
THz. However, most solid state materials become ab-
sorbing above ~3 THz (marked grey in Figure 1), and
thus the reasonable / usable THz window ranges only
from 0.1 to 3 THz.
Gases can show relative sharp spectral features in the
THz range, but they can be also completely transpar-
ent. Solid materials can show relative broad absorp-
tion bands - like some explosives, e.g. TNT, RDX,
Semtex, but they can also be without any THz signa-
ture. Liquids do not show characteristic absorption
lines in the THz range, but they differ in their com-
plex index of refraction and can be identified in this
way. Obviously it is more difficult to extract the
needed information out of THz measurements then
from IR spectra, which typically exhibit a lot of sharp
lines. However, whenever one has to analyze sub-
stances inside of a package or in the depth of materi-
als, then THz has its clear benefits. To exploit this po-
tential two steps are needed. First, means and sensor
systems to get the THz signals have to be available,
and second, experience is needed, how to extract the
target information out of those THz signals.

Figure 1 Frequency range of Terahertz in the elec-
tromagnetic spectrum. Typical absorption of solid
state materials is marked in grey.
457

3 Sensors for field applications
State-of-the-art THz systems are stationary, operated
in scientific labs by experienced staff. New applica-
tions especially in security will arise when THz sys-
tems for field use become available. Minimizing
weight and size for portable systems is only a first
step. Turnkey, robust function and operation by non-
specialized persons are further needs. Reducing the
costs is essential for widespread purchase. Impercep-
tible operation within crowds would be a very attrac-
tive future benefit.
Our way in following these targets is exploiting fibre
and semiconductor technologies developed for and
matured in optical telecommunication applications.
The scheme of the according system is sketched in
Figure 2. An optical control box contains compact and
robust femtosecond pulsed fibre lasers at the telecom
wavelength 1.55 m. Standard telecom fibres - typical
lengths in the 1m to 10 m range - lead the fs-pulses to
the movable emitter and receiver heads. Thus, the
THz sensors are flexible, they can be arranged in vari-
able geometry for transmission or reflection, and
scanning along conspicuous objects is possible.

Figure 2 Scheme of sensor system with fibre coupled
flexible THz emitter and receiver heads and a sepa-
rated optical control unit containing 1.5 m telecom
lasers.

4 Technological key innovation
Key innovations for the sketched fibre-coupled sys-
tems are chips, which convert the 1.5 m telecom
light into THz waves on the emitter side. At the re-
ceiver side, related chips mix received THz waves and
1.5 m light coherently and with high sensitivity into
an electrical detector signal. These chips (patent of
HHI) apply photoconductive InGaAs/InAlAs nano-
structures [1] (200 layers of about 10 nm, Figure 3,
top). The nano-layers are grown in the technological
facilities of HHI using a molecular beam epitaxy ma-
chine. Subsequently, mesa-structures are etched and
THz antennas with electrical side contacts to the
nano-layers are integrated (Figure 3, below).

Figure 3 Scheme of the photoconductive nano-layers
with 100 pairs of 10 nm thick InGaAs and InAlAs
(top) and SEM photo of the mesa-structured layers
with electrical side contacts and integrated dipole THz
antenna (below)

At last, the photoconductive THz antenna chips are
packed into robust fibre coupled housings (Figure 4,
diameter ~3 cm). The optical 1.5 m signal is injected
via the fibre, and the THz wave is emitted out of the
Si lens (visible in the centre of the module). Further
mirrors or lenses, e.g. made from Polyethylen (PE),
can be used for focusing or collimating the THz beam
very similar as known from visible optics.

Figure 4 Robust and movable fibre-coupled THz
emitter/receiver module, diameter ~3 cm

1.5 m light
THz-
wave
458
5 Performance of THz system
The optical control unit of our first TeraWave demon-
strator comprises a femtosecond pulse laser, an oscil-
lating (30 Hz) optical delay line and a high precision
linear stage delay line, electronics, and computer with
fast data acquisition means. The system operates turn-
key ready, and it allows real time THz spectroscopic
investigations. Figure 5 (top) shows the detected THz
pulse trace (width ~700 fs) versus delay time. The ac-
cording Fourier transform spectrum is shown in Fig-
ure 5 (below). One can notice an operation in the wide
frequency range 0.1 to 3 THz. This is just the range
where clothing, paper and plastics show good trans-
parency, and where also many explosives or bio-
agents show characteristic fingerprints [1].
Figure 5 Pulse trace measured using the fibre coupled
sensor system (top) and according spectrum obtained
by Fourier transformation (below).

6 Spectroscopic application
A first application field concerns spectroscopic analy-
sis of materials within packages. As explosives or bio-
agents are not allowed in our laboratory we use a
harmless substance for demonstrating this feature.
Figure 6 (top) shows the used transmission setup for
investigating a powder in a closed envelope. The ab-
sorption spectrum is derived and shown in Figure 6
(below). The absorption bands at 550 GHz, 1.2 THz
and 1.4 THz are typical for lactose, and so one can
identify the powder as harmless.

Figure 6 Spectroscopic investigation of powder in a
closed envelope. Photo of the transmission setup
(top), and measured spectrum (below), indicating
harmless Lactose.

Similar investigations are possible also for powders in
plastic bags. Especially in case of bio-agents the
opening of such a bag would be dangerous.
Portable THz sensors here allow on-site inspection
without a health risk. However, data bases are re-
quired to identify the THz fingerprints of various sub-
stances - and also to know where such fingerprints do
not exist. Data bases and information of non-
detectable material should not be public domain. Se-
curity institutions who are allowed to handle danger-
ous explosive or biological materials have to perform
these studies, and they are the first needing turnkey
sensor systems.

7 Application liquid scanner
Another potential application is shown in Figure 7:
Analysis of dangerous liquids in closed bottles. The
scenario is derived from airport security. The bottle is
e.g. lying on a transport belt. The THz emitter and re-
ceiver - in this case with PE lenses - are placed below
the bottle, the inspection is done in reflection mode.
The bottle itself (e.g. plastic or PET) is transparent for
THz. A first reflection at the air-bottle interface gives
information on the material of the bottle, while the
459
second reflection at the liquid-bottle interface can be
used for analyzing the content. Figure 8 shows results
for water-related liquids (top), where a high and posi-
tive peak indicates a harmless drink which can be
taken on board. In Figure 8 (below), a small negative
peak can be noticed which will give a warning signal
to the security services. Lighter gas and related liquids
give such a signal.

Figure 7 Demonstrator for a liquid scanner

Figure 8 Reflected THz pulses at the bottle-air and
the bottle-liquid interface. Water related harmless
drinks (top) give high positive pulses - can be taken
on board; Lighter gas related liquids give small nega-
tive pulses - dangerous, warning signal to security.

However, not for all dangerous liquids the distinction
from harmless drinks is as clear as shown here. Im-
proved measurement techniques and analysis tools -
e.g. for fitting the complex index of refraction over a
certain THz range [3] - are in development in order to
extend the applicability of the THz liquid scanner.
Again security institutions have to be included which
firstly know about the dangerous liquids potentially
used by terrorists, and which secondly are allowed to
handle them in order to check if they can be detected
by the scanner.

8 Summary and outlook
Key advantages of Terahertz are the possibilities for
spectroscopic inspections of packaged objects. Port-
able and practicable THz sensors are achieved by ex-
ploiting fibre-optic telecom technologies. Fibre cou-
pled flexible THz emitter and receiver heads are
driven from an optical control unit containing 1.5 m
telecom lasers. Innovative chips in the heads convert
the telecom light to THz waves or, vice versa, detect
THz coherently. Such systems cover the whole fre-
quency range of interest, from 0.1 THz up to 3 THz. A
first application example concerns the spectroscopic
identification of powders in a closed envelope. As
second example, a liquid scanner is shown for distin-
guishing between dangerous or harmless liquids in
closed bottles.
Further technological developments will target two
different sensor types: First, high precision systems
which still may need a power line, for e.g. inspection
of materials found in terrorists labs. Second, sensors
minimized in size, weight and power consumption to
get battery operated, easily portable units, potentially
for undercover use.
For widespread use of THz sensors one intermediate
step is essential: Development of Terahertz data bases
and analysis techniques for dangerous substances.
Here security institutions must play a key role, only
they know the real risk potential and only they are al-
lowed to handle such critical materials. Furthermore,
such data bases including detection gaps or tricks for
masking dangerous substances cannot be public do-
main. Turnkey sensor systems must be available at the
security institutions for this purpose. Nevertheless, a
close collaboration with the Terahertz experts is nec-
essary. The analysis techniques often are different to
simple optical spectroscopy and have to be adapted to
the problem and the scenario. In the case of liquid de-
tection, for example, no characteristic absorption lines
are available. However, analyzing the complex index
of refraction in the THz range and fitting with a data
base can identify the type of the liquid.
The technological developments on turnkey and port-
able Terahertz sensor systems for practical use have
made significant progress in the last years. It is time
now to evaluate and extend their applications in secu-
rity fields.

460
Acknowledgement
Part of this work was supported by the Bundesminis-
terium fr Bildung und Forschung (BMBF) under
contract 13N9516, project Handheld.

References
[1] Federici, J.F., Schulkin, B., Huang, F., Gary, D.,
Barat, R., Oliveira, F., and. Zimdars, D.: THz
Imaging and sensing for security applications -
explosives, weapons and drugs, Semicond. Sci.
Technol. 20, pp. 266-280
[2] Hoshina, H., Sasaki, Y., Hayashi, A., Otani, C.,
and Kawase, K.: Noninvasive Mail Inspection
System with Terahertz Radiation, Appl. Spec-
trosc. 63, 81-86, 2009
[3] Krumbholz, N. et al.: Handheld Terahertz Spec-
trometers for the Detection of Liquid Explo-
sives, Paper 7485-04 on SPIE Europe Security
and Defence, Berlin, FRG, 31.8.-3.9. 2009 Proc.
SPIE Vol 7485, p.54, 2009
[3] Sartorius, B., Roehle, H., Knzel, H., Bttcher,
J., Schlak, M., Stanze, D., Venghaus, H., and
Schell, M.:All-fiber terahertz time-domain
spectrometer operating at 1.5 m telecom wave-
lengths, Optics Express Vol. 16, issue 13, pp.
9565-9570, 2008

461
QPASS Quick Personnel Automatic Safe Screening
for Security Enhancement of Passengers

Sherif Sayed Ahmed
1
, Frank Gumbmann
2
, Andreas Schiessl
1
, Markus Reiband
1
, Sebastian Methfessel
2
,
Cyrille Maire
1
, Amir Cenanovic
2
, Olaf Ostwald
1
, Christian Evers
1
, Lorenz-Peter Schmidt
2

1
Rohde & Schwarz GmbH & Co. KG, Munich, Germany
2
Chair for Microwave Engineering and High Frequency Technology (LHFT),
University of Erlangen-Nuremberg, Erlangen, Germany

Abstract

Security of air passengers is an important aim in order to achieve safe and unimpeded traffic. One of the most ef-
fective safeguards is the utilization of modern concepts for personnel screening by millimetre waves. Electro-
magnetic waves, with wavelengths in the region of a few millimetres, are able to penetrate the clothing. They are
reflected by possible objects beneath the clothes and by the human skin, thus allowing to detect concealed items.
The quality of a screening system, and as a consequence its ability to reliably recognize hidden dangers, is influ-
enced by several technical parameters, as for instance the aperture size of the antenna array, the used bandwidth,
the number of single transmitting and receiving antennas and their smart arrangement. Furthermore, the effi-
ciency in reconstructing the image information from the gathered measurement data as well as an intelligent im-
age processing are mandatory for a capable screening system.

1 Introduction
The public acceptance of any security system is
mainly influenced by ethical aspects, privacy protec-
tion, safety of human health, and, of course, a distinct
advantage for the security of the passengers to be pro-
tected. All mentioned aspects are addressed by QPASS
system. As the system does not include any mechani-
cally movable or rotating parts in order to perform the
needed measurements, but is fully electronic, it allows
a quick scan. Privacy protection is ensured by firm
algorithms which are able to detect possible threats,
such as weapons or explosives, automatically. There is
no need to display images of the persons.
A special advantage of QPASS system, shown in Fig-
ure 1, is its ability of measuring complex reflection
data, i.e. in magnitude and phase, from thousands of
different aspects of the test scenario, which are the ba-
sis for generating three-dimensional images of the ob-
jects within a scanned volume of two cubic metres.
The system comprises highly integrated modern semi-
conductor technology. It consists of an optimized
multistatic sparse planar array and allows an optimal
range processing via flexible software focusing. The
measurement data is sampled in a few milliseconds,
allowing real-time measurements of humans. Image
reconstruction is performed by a digital back-end in-
cluding a tailored field programmable gate array
(FPGA) in less than one second. Automatic threat de-
tection avoids human errors and ensures a high pas-
senger throughput at the checkpoints. A further advan-
tage is the ability to distinguish and classify different
types of metallic and non-metallic threats, by evaluat-
ing their electrical as well as geometrical properties.
The system operation principle is introduced, fol-
lowed by a more detailed discussion about the tech-
nologies used in its realization. Imaging results are
presented to demonstrate the system performance. The
image processing methods, targeting an automatic
threat detection, are presented along with experimen-
tal results. Finally, conclusion and future work are
summarised.
Figure 1 QPASS system without cover, showing 32
antenna clusters

Tx and Rx lines
of antennas
462
2 Operation principle
There are several methods that can be used for per-
sonnel screening on close-range operation, based ei-
ther on active or passive techniques. Passive methods
depend on the self-radiation of the person and the ob-
jects one carries. In the active imaging, the imager
produces some radiation in order to illuminate the im-
aged volume. This radiation can be coherent, or non-
coherent. There are few systems present in the market
and several ones in research which utilise these meth-
ods. Among them, the active imaging systems with
coherent transmitters stand with exceptional advan-
tages in terms of image quality and operation speed.

Producing an image means a necessity to focus the
beam in space. The focusing can be reached by apply-
ing a direct focusing of the transmitted or received
beam much like the usage of lenses in optical domain.
In microwaves, this could be implemented by apply-
ing phase shifting to the RF channels. A more ad-
vanced method is focusing the beam only syntheti-
cally, i.e. virtually, inside a numerical computing unit.
This is known as synthetic aperture approach, in
which a reconstruction of an image is made in a com-
puter. Digital-beamforming [1][2] is used to focus the
image, getting rid of the restrictions of fixed focal
lengths known in lens systems, and getting rid of the
extra design costs associated with phase shifters in
hardware-beamforming cases. For this, a specially de-
signed antenna array with high sparseness is intro-
duced, by making use of an advanced multistatic ar-
chitecture. In the multistatic solution, the measure-
ments are collected for all combinations of
transmitters and receivers. The collected data is fully
coherent and thus system error correction can be
mathematically performed to accurately extract the
information of the object reflections. This operation is
made over a full frequency sweep, comprising the sig-
nal bandwidth essential for the range focusing after-
wards. All these measurements are used together to
reconstruct a 3D image of magnitude and phase for
each voxel position. The system, hence, benefits from
the coherence of the data by correlating millions of
reflection measurements together to reach an image of
a high dynamic range. Image dynamic range is a key
factor in the following image processing steps. These
main operation steps are illustrated in Figure 2. The
3D images produced by the array are applied to dedi-
cated algorithms to process them and to report about
the concealed objects. The display at the end is pre-
pared to be conform with the privacy of the screened
person, i.e. no images are shown and only graphical
information about the detected objects and regions is
displayed.

The system is designed to operate in the E-band, i.e.
65 GHz to 85 GHz, which was found to be very suit-
able for imaging humans [3]. The images are of 2 mm
lateral resolution, which meets the theoretical limit of
half the wavelength using a one metre wide aperture,
and approximately 10 mm range resolution, depending
on the used signal bandwidth.
3 Technological solution
The realisation of the considered operation principle
requires advanced hardware design on the analogue as
well as the digital sides. The QPASS system includes
around 3000 transmitters and 3000 receivers grouped
in 32 clusters covering a two metre high times a one
metre wide aperture, as shown in Figure 1, which
makes it an engineering challenge to keep them in co-
herent operation and maintain them stable over tem-
perature changes. Next, the various design decisions
made to achieve this will be overviewed.
3.1 Analogue front-ends
The front-ends consist mainly of the transmitter (Tx)
and receiver (Rx) chips, antennas, and the housing
construction used to deliver the electrical connections
as well as supply the mechanical support needed. The
technology advances available nowadays in the semi-
conductor technology enabled the high level of inte-
gration essential for fully electronic imaging systems,
as the QPASS one. Here, dedicated Tx and Rx chip
developments for QPASS were carried out based on
SiGe technology [4]. The chip manufacturing of these
high-end chips is done by Infineon. Targeting a high
integration level, two different types of chips were de-
veloped, where one includes four transmitter channels,
and the other four receiver channels. The technologi-
cal challenges to reduce the power consumption of
these chips and to keep high isolation level between
the various RF paths were met successfully, and
proved experimentally.
Measurement
Correction
Reconstruction
Image
processing
Display
Figure 2 The main flow of the QPASS operation

463
A major part of the imaging system functionality is
governed by the quality of its antennas. The antennas
are required to be very compact in size, allowing for a
close arrangement of the antennas with a spacing
down to half the wavelength. At the same time, they
must be integrated on a printed circuit board (PCB)
compatible with the chip mounting technology in or-
der to ensure a cost-effective solution. The radiation
quality, presented in the antenna radiation pattern, is a
further challenge in its design in order to reach a sta-
ble phase reference of the radiated field over a wide
opening angle. These all were reached with the inte-
gration technology developed by Rohde & Schwarz.
Figure 3a illustrates the PCB technology developed
for QPASS system including the mounting of the Tx
and Rx chips in multilevel cavities. The lines of an-
tennas are also visible, as well as a reference channel
on the edge of the cluster. This channel is well isolated
and used to correct for temperature changes in the sur-
roundings of the system, thus ensuring high stability
against variations in the airport environment. Fig-
ure 3b shows a simulation of a single antenna radia-
tion pattern [5], where the radiation quality is main-
tained over a wide opening angle without unwanted
side lobes.

3.2 Digital back-ends
Besides the analogue part of the system, the digital
part plays a central role in the system functionality. It
is responsible for the controlling of around 1500
chips, the sampling of the signals delivered from the
Rx channels, the calculation of the reflection data, the
computations of the system error correction, and fi-
nally the reconstruction of the image. Including all
these functionalities in one unit required a dedicated
development for FPGA modules and optimising them
towards reducing the hardware resources as well as
maximising the performance. This places the compu-
tation unit on the cutting-edge technology in the field
of imaging applications. A major design factor is the
capability of the controlling and sampling system to
perform the acquisition of the measurement data in a
few milliseconds in order to suppress any possibility
for image blurring due to breathing or movement of
passengers [6]. The image reconstruction with high
dynamic range and resolution requires high numerical
accuracy in order to avoid artefacts. Taking this into
account, a very high data-rate requirement for the
memory units was necessary. These different aspects
were optimised together, targeting the best perform-
ance of operation.
3.3 Health considerations
The QPASS system uses non-ionizing millimetre
waves with an average power density of approxi-
mately 800 pW/cm within the imaged volume, which
is many orders of magnitude below the limit of
1 mW/cm as established by the guidelines of the In-
ternational Commission on Non-Ionizing Radiation
Protection ICNIRP [7], and therefore is considered
safe for the human organism. It is also the characteris-
tic of the applied frequency range, i.e. E-band, not to
penetrate the human skin due to the short wavelengths,
and instead to be almost completely reflected. Thus,
the absorbed portion of the radiated energy is ex-
tremely low and cannot reach the internal organs of
human body.

Figure 3 a) The PCB of the cluster showing the in-
tegration of the Tx and Rx chips with the anten-
nas, all on a single carrier; b) A simulation result
of a single antenna showing the radiation pattern
over a wide opening angle.

464
4 Imaging results
The imaging system is capable of producing full three-
dimensional reflection images with high dynamic
range and resolution of magnitude and phase informa-
tion. This type of complex volume images is rich of
information about the imaged objects, and thus makes
the visualisation of the included information a chal-
lenge. As human eyes are not used for such type of
images, simplification of the images must be carried
out in order to prepare them for a representative view-
ing. However, this cannot illustrate the valuable in-
formation using a single visualisation method. The
magnitude response is best visualized by means of
volume rendering of the image. In this, the magnitude
of each voxel, i.e. the reflection intensity, is assigned
to certain transparency relative to its level. Thus weak
reflections, e.g. from clothes, are kept less visible than
the objects hidden beneath them. This is illustrated
using the example shown in Figure 4. The mannequin
was prepared with usual clothing while concealing a
pistol on its back. It was screened with QPASS system
and the resultant magnitude image was rendered for
3D viewing. As each image includes 3D information,
the viewing angle may be altered to view the object
from different perspective without repeatedly measur-
ing it. This is demonstrated in Figure 5 where the im-
aged concealed pistol is viewed from several angles.
The details of the pistol structure can excellently be
recognized, even at its plastic parts.

5 Automatic detection
An important aspect of a well-functioning automatic
screening system is an intelligent image processing.
Besides the characteristics of the hardware, the soft-
ware part, which automatically evaluates the images,
is essential for an efficient practical usage of the sys-
tem. A high throughput is an essential requirement of
each modern airport, thus leading to the need for
quick automatic screening of passengers. The effi-
ciency of a screening system can be measured by two
parameters, i.e. a high detection rate for unknown or
potential harmful objects, ideally 100 %, and a low
false alarm rate, near to 0 %. Both parameters are im-
portant for a highly efficient and quick screening, in
order to assure the security of the passengers while
avoiding unnecessary follow-up checks. Additionally,
even a well-trained and awake officer is not able to
detect every hidden object and he may erroneously
have assumed an object, where nothing is hidden. To
avoid human errors, it is the task of dedicated auto-
matic image processing techniques to analyse the 3D
image content. The first step is the detection of
anomalous objects, which are not expected to belong
to the human body. The second step is to classify the
detected object according to its electrical and geomet-
rical properties. A special challenge is the detection of
usual accessories, e.g. cuff buttons, tie clips, neck-
laces, or armlets and to differentiate them from poten-
tial threats, e.g. plastic explosives (bulks or sheets),
ceramic knives, or firearms.
The necessity of an automatic recognition of possible
threats is given by the requirement to protect the pri-
vacy of the passengers and to strictly avoid the display
or storage of any images. The image processing part
and the image evaluation and classification is there-
fore designated the privacy software. The input for the
privacy software is high quality 3D complex, magni-
tude and phase, images, which are reconstructed from
the millimetre wave measurements, as performed by
the hardware of the system. Within a first processing
step, low-pass as well as high-pass filters for the data
of each of the three dimensions of the screened vol-
ume are implemented. After that, the posture of the
screened human is evaluated, in order to check that a
proper position has been taken, especially for the arms
and the legs. These are necessary requirements for a
full unhindered view of the persons skin and conse-
quently a reliable detection of hidden objects.
The privacy software utilizes smart algorithms, to rec-
ognize the natural skin of a human as well as its cloth-
ing, and to subtract them from the 3D image, resulting
in the possibly concealed objects. While the clothing
can be recognised rather simple, because of its mostly
high transparency or its distance from the human
body, the human body itself is totally untransparent.
Figure 4 Mannequin with a concealed P99 pistol
behind a thick pullover, shirt, and a leather belt
Figure 5 Visualisation of a single 3D image from
different view angles showing the rich content of
the 3D information

465
The human skin produces a very high reflection and
appears bright. A detection of the skin is even possible
in areas where the illumination is rather bad, and the
skin therefore appears rather dark, thanks to the high
sensitivity of the receivers and the excellent overall
dynamic range of the QPASS system. By this, an es-
sential condition for a reliable evaluation of the phase
response is fulfilled, which allows the localisation and
curvature examination of the human skin. This valu-
able information is needed to subsequently subtract
the skin and to separate objects on or in the vicinity of
the human body. Experimental verification of this
method is carried out using a metal plate with blind
holes of very small depths, in order to demonstrate the
ability of QPASS system to detect such slight depth
variations. This is of great assist to the detection of the
human skin as the surface of the skin can be followed
with high accuracy. Figure 6 shows the test object as
well as the detection results. The phase response of
the reflected signal is extracted from the 3D image at
the appropriate distance. A special phase unwrapping
algorithm is applied to reconstruct the surface of the
object. The phase response is shown in Figure 7. The
detection of 0.05 mm range variations is visible in the
reconstructed image. This demonstrates a fine range
detectability for an imaging system.
Harmful dielectric objects, especially explosives,
which may be hidden on the skin or inside the cloth-
ing, show a relatively small attenuation for millimetre-
waves, thus appearing highly transparent. This opens
another possibility for their detection, without the
need of recognising or evaluating any edges of those
objects. They disclose themselves by a distinctive in-
terference response, which is caused by the double
reflection produced by a first reflection from the sur-
face of the dielectric object in combination with a
second reflection from the human skin, after the mil-
limetre wave signal passes through the item. The dou-
ble reflections are separated using time domain analy-
sis [8] [9]. Thanks to the high range resolution avail-
able in QPASS system, detection of a few millimetre
thick sheets is possible using this technique, which
was examined experimentally in [8], and showed suc-
cessful results. Figure 8 shows a detection result of
vanilla powder using this method (taken from [8]).
Within the QPASS project, the utilization of full-
polarimetric measurements is also under investigation,
with which different scattering mechanisms can be
separated. Thus, it is possible to apply an automatic
threat detection based on the polarimetric signature of
relevant threat objects. Especially in the case of a
multistatic imaging setup, it is furthermore possible to
extract the permittivity and thickness of dielectric
sheets by the analysis of the vertical and horizontal
co-polarisation. This is possible because of different
Fresnel reflection coefficients for the polarisation
components that are parallel and perpendicular to the
incident plane regarding a dielectric layer. The differ-
ence increases for larger incident angles. This results
in an improved accuracy of the permittivity and thick-
ness reconstruction. This principle is known as ellip-
sometry from the field of optics [10]. This leads to the
possibility of detecting very thin dielectric layers,
which would not be resolved by the time domain
analysis.

Figure 7 Phase response of the test object shown in
Figure 6

Figure 6 a) A test module for the range detectabili-
ty consisting of blind holes of 30 mm diameter
starting at 0.05 mm depth up to 1 mm depth in
0.05 mm steps; b) The successful reconstruction of
the test object using the developed phase unwrap-
ping technique to resolve very small range
changes. The depth of the blind holes is shown in a
magnified scale for illustration.

466
So, a range of different tools is available within the
QPASS project, assuring a highly efficient and fully
automatic screening of passengers while respecting
their privacy.
6 Conclusion & Future work
QPASS system has been designed and conceived to
enrich the security checks requiring personnel screen-
ing at either airports or other critical infrastructure
buildings. Several innovative solutions have been de-
veloped targeting this operation field, and they proved
excellent integrity of operation. Screening of humans
is thus made for the first time possible with fully elec-
tronic means while producing images of high dynamic
range and resolution. Benefiting from the current ad-
vances in semiconductor manufacturing technology
and digital circuitry, a cutting-edge solution is made
possible and realisable.
Future work includes: 1) Further enhancing of the
dedicated algorithms for automatic detection of ob-
jects, where the understanding of the image contents
must be transferred to the computer world, in order to
enhance its abilities for the automatic analysis of such
complex 3D images. 2) Optimisation of the hardware
units, especially the image reconstruction unit, is ex-
pected to increase the image frame rate and to reduce
the power consumption. 3) Polarimetric methods will
be advanced and integrated in the image processing
techniques used.
Last but not least, the newly developed technology
opens new chances for imaging applications and non-
destructive testing and evaluation techniques, which
would be supported by the scientific and engineering
results achieved during the QPASS development.
Acknowledgement
The authors would like to thank the German Federal
Ministry of Education and Research (BMBF) for
funding part of the presented activities.
References
[1] S. S. Ahmed, A. Schiessl, and L.-P. Schmidt,
Near Field mm-Wave Imaging with Multistatic
Sparse 2D-Arrays, Proceedings of the 6th Eu-
ropean Radar Conference, Rome, 2009.
[2] F. Gumbmann, P. Tran, and L.-P. Schmidt,
Sparse Linear Array Design for a Short Range
Imaging Radar, Proceedings of the 6th Euro-
pean Radar Conference, 2009.
[3] S. S. Ahmed, A. Schiessl, and L.-P. Schmidt, Il-
lumination Properties of Multistatic Planar Ar-
rays in Near-Field Imaging Applications, Euro-
pean Radar Conference (EuRAD), 2010.
[4] M. Tiebout, H.-D. Wohlmuth, H. Knapp, R. Sa-
lerno, M. Druml, J. Kaeferboeck, M. Rest, J.
Wuertele, S. S. Ahmed, A. Schiessl, and R. Ju-
enemann, Low Power Wideband Receiver and
Transmitter Chipset for mm-Wave Imaging in
SiGe Bipolar Technology, RFIC Conference,
2011.
[5] S. Methfessel and L.-P. Schmidt, Design of a
Balanced-Fed Patch-Excited Horn Antenna at
Millimeter-Wave Frequencies, Proceedings of
the Fourth European Conference on Antennas
and Propagation (EuCAP), 2010.
[6] A. Schiessl, S. S. Ahmed, A. Genghammer, and
L.-P. Schmidt, A Technology Demonstrator for
a 0.5 m x 0.5 m Fully Electronic Digital-
Beamforming mm-Wave Imaging System, Eu-
CAP, 2011.
[7] A. Ahlbom, U. Bergqvist, J. Bernhardt, and J.
Cesarini, Guidelines for limiting exposure to
time-varying electric, magnetic, and electromag-
netic fields (up to 300 GHz). International
Commission on Non-Ionizing, Health Phys,
1998.
[8] S. S. Ahmed, O. Ostwald, and L.-P. Schmidt,
Automatic Detection of Concealed Dielectric
Objects for Personnel Imaging, IEEE MTT-S In-
ternational Microwave Workshop on Wireless
Sensing, Local Positioning, and RFID, Cavtat,
2009.
[9] A. Schiessl and S. S. Ahmed, W-band Imaging
[10] R. M. A. Azzam and N. M. Bashara, Ellipsome-
try and Polarized Light, North-Holland, 1977.

Figure 8 Detection result of vanilla powder

467
Millimeter wave radar sensor for protection of outdoor areas
Reinhard Knoechel, University of Kiel, Germany
Alexander Teplyuk, University of Kiel, Germany
Grygoriy Khlopov, Institute of Radiophysics and Electronics of National Academy of Sciences, Ukraine
Klaus Schuenemann, Technical University of Hamburg-Harburg, Germany
Abstract
The peculiarities of millimeter wave coherent radar sensors are considered for protection of outdoor areas (traffic
centers, oil and gas stores etc.). The properties of coherent signals scattered by typical targets (pedestrian, ve-
hicles), vegetation and precipitation are given, including statistical data of their specific radar cross section and
Doppler spectra. The data obtained may be used for radar sensor design for outdoor applications.

Introduction
The optical (TV) sensors for protection of an enclosed
space are widely used. But in the case of outdoor ap-
plications (traffic centres, oil and gas stores etc.), path
loss in precipitation and fog (about 50 dB per 1 km)
strongly decreases the efficiency of such sensors. One
of the ways to improve reliability of the intruder de-
tection in outdoor conditions is to use millimeter wave
coherent radar for which total signal attenuation does
not exceed several dB for distances of about 1 km.
But another problem of signal-to-clutter ratio (SCR)
appears because of signal returns from terrain and
precipitation. The most radical way is to use coherent
signal processing which permits to detect the moving
intruder against the background of clutter.
Perhaps the movement of vegetation and particles of
precipitation due to wind action enlarges the spectrum
width that leads to masking of wanted signals. There-
fore the present paper contains a description of the
prototype of radar sensor and results of study of sig-
nals reflected from typical targets, vegetation and pre-
cipitation that permits to optimize algorithms for
wanted signal selection against the background of
clutter.
1 Coherent radar sensor
Because of the comparatively small operation distance
(less than 12 km), the path losses for millimeter
wave signals do not have important influence even at
3 mm wavelength. For example, the path loss for rain
of intensity R mm per hour is equal to
r
=A
r
R
Br
, dB
per km, where A
r
=0,25; B
r
=1. For a typical value R=4
mm per hour the attenuation is below
r
=1 dB per km.
That is why the choice of short millimeter wave-
lengths (=3 mm or even =2 mm) is quite optimal
taking into account the small outer dimensions of the
transceiver and the availability of industrial electronic
components.
So the coherent radar sensor was designed and built in
the 94 GHz band (see Figure 1) on the base of a dual
channel scheme (DG- driving generator, PA- power
amplifier, FI- ferrite isolator, DC-directional coupler,
M
xR
, M
xS
mixers of reference and signal channels,
LO-local oscillator, IFPA-immediate frequency
preamplifier, AT attenuator, IFA- intermediate fre-
quency amplifier, FC- ferrite circulator, NG-noise ge-
nerator, A
T
and A
R
transmitting and receiving anten-
nas, MGC manual gain control). The radar operates
in CW mode and includes reference and signal chan-
nels, the output signals of which are compared in an
IF mixer to compensate uncorrelated fluctuations of
driving generator and local oscillator (IMPATT dio-
des). The separate antennas provide high isolation
(>85 dB) between transmitter and receiver to minim-
ize noise leakage from transmitter to receiver. The ra-
dar was built (see Figure 2) and its parameters are
shown in Table 1 [1]. The radar was used to study
signals scattered by typical targets, vegetation and
precipitation. The results are presented in the next sec-
tion.

Figure 1 Structure of the coherent radar sensor
468
2 Properties of signals scattered
by a pedestrian
One of the most abundant targets for radar alarm sys-
tems is an intruder, which has weak radar reflectivity
so that its selection on the background of clutter is a
difficult problem. The total value of the signal scat-
tered is the result of a complex interaction of reflec-
tions from clothing and body of a person. That is why
the data for power transmission coefficient T and spe-
cific radar cross section
0
, m
-1
for different types of
clothing are shown in Table 2 [2].
As one can see, the smallest reflectivity corresponds
to clothing from synthetic fiber and cloth, on the con-
trary the largest values to warm clothing.
The specific RCS of the human body (in the neigh-
borhood of chest) for various transmission losses due
to clothing L
c
, dB is presented in Table 3.
The spectrum of signals reflected is a result of the in-
terference of a large number of moving body parts
(trunk, legs and arms). So the spectrum of coherent
signals from a pedestrian who is walking toward radar
(see Figure 3, =0) contains two peaks: in the neigh-
borhood of zero frequencies, which corresponds to the
legs and arms (when their speed is equal to zero) and
in the neighborhood of a mean Doppler frequency due
to the moving trunk. But if the person moves across
the radar beam (=90), only the spectrum in the
neighborhood of zero Doppler frequencies remains
present. Moreover, because of the rocking component
during walking, the signal spectrum becomes wider:
f 50-100 Hz that must be taken into account in the
design of a system for signal processing.
by vehicles
In a real situation, vehicles move not only in a straight
direction but are also rocking mainly in a vertical
plane (galloping). Moreover, the frequency of gallop-
ing is determined by the resonance frequency of the
vehicle suspension [3]. That is why the coherent spec-

Figure 2 Appearance of the coherent radar sensor
Table 2 Parameters of clothing
Clothing T
0

Overcoat 0,47 0,08
Jacket with synthetic fur 0,6 0,1
Fur coat 0,63 0,17
Nylon jacket 0,89 0,18
Quilted jacket 0,58 0,21
Jackboot 0,18 0,085
High fur boots 0,38 0,08
Steel helmet 0 0,23
Table 3 Parameters of radar sensor
Type of clothing L
c

0

Undressed 0 0,27
Synthetic shirt 0,2 0,27
Sweater 1,1 0,18
Quilted jacket 3,5 0,20
Fur coat 2,8 0,17
Overcoat 4,2 0,16

Figure 3 Coherent spectrum of a pedestrian walking
towards the radar (=0) and across radar beam (=90)
Table 1 Parameters of radar sensor
Parameter Value
- Sidelobe level, dB -26
- Antenna gain, dB 31,3
- Antenna beamwidth, Deg 3,0
- Operating wavelength, mm 3,23
- Average radiated power, W 0,12
- Frequency noise level, dB/Hz
(at frequency mismatch f=10 kHz)
-90
- Noise figure of receiver, dB 9
- Peak sensitivity, W/Hz 1 10
-19

- Intermediate frequency, GHz 1,4
- Doppler bandpass, kHz 18
- Sampling rate, kHz 44
- ADC resolution 10
469
trum of the signals reflected shows Gaussian shape
which is displaced at the Doppler frequency
/ 2
r d
V f =
(V
r
- radial speed) and its width is
,
0
kL C
m
=

where C
m
- constant that depends on
type of vehicle,
- RMS of rocking angles,

0
cen-
tral frequency of rocking spectrum (t), k=2/, L
dimension of the vehicle [3]. At millimeter wave-
length, the number of interference lobes of the scatter-
ing pattern which go to the rocking sector is quite
large 2kL
>>1 so that the spectrum width practically

weakly depends on character of rocking and architec-
ture of the vehicle [4].
But at short millimeter waves the relations mentioned
above can only be used as estimates. For example, the
average spectrum of a bus at 3 mm wavelength (see
Figure 4) shows a typical bifurcation of the spectrum
due to vehicle rocking. The nature of the bifurcation
deals with the vehicle rocking that is confirmed by
short-time spectra (see Figure 5) which were regis-
tered on successive occasions. As the analyses show,
the projection of these short-time spectra to the plane
S-O-f provides the bifurcation of the average spectrum
in Figure 4.
The parameters of radar returns from typical vehicles
are shown in the Table 4, where the RCS and effective
spectrum width are given.
by vegetation
Because of wind influence, the signals scattered by
vegetation fluctuate expanding the signal spectrum
leading to masking of the signals from an intruder. At
centimeter wavelengths, the spectrum shape can be
approximated [5] by a Gaussian curve S(f)=S
0
exp(-
(f/f)
2
) (f-spectrum width) in its energetic part (up to
-1015 dB) which describes the contribution of large
elements (boughs etc.). But at the wings of the spec-
trum, the power dependence S(f)=S
0
(1+( f/f)
n
) is
more appropriate corresponding to fast amplitude
modulation due to mutual shading of small elements
(leaves, lop etc.). According to [6], the effective spec-
trum width depends on the average speed of the wind
V and is inversely proportional to the wavelength
f=(/)V
, where the constants are =11,3 and

=0,14 at 3 mm wavelength.
Perhaps the experimental data in millimeter waveband
essentially differ from theoretical estimations [5] (see
Figure 6). The behavior of the experimental curves is
quite complex and cannot be described by the simple
models mentioned above.
The comparison for theoretical estimates and experi-
mental data of effective spectrum width of signals
scattered by some types of vegetation (see Figure 7)
shows that measured data are essentially small against
theoretical estimations. This is because of wind shiel-
ding in a real situation which is in contrast to theoreti-
cal models [5].
As the experimental study showed, the spectrum width
in autumn and winter is much smaller and does not
exceed 30-40 Hz because of a reduced wind loading
due to the absence of leaves.

Figure 5 Sequence of short-time spectrum of a bus

Figure 6 Average spectrum of a bus
Table 4 Parameters of spectrum from typical vehicles
Vehicle View angle RCS, m
2
f, Hz
Creeping tractor 0
0
12 58
Caterpillar
tractor
0
0

180
0

10
9
75
-
Jeep
0
0

180
0

10
12
111
-
Truck 180
0
15 84132

Figure 4 Average spectrum of a bus
470
by precipitation
The similar situation takes place for signals scattered
by precipitation. Because of wind turbulence, the sig-
nals reflected fluctuate in a wide frequency range that
may mask the wanted signals as in the previous case.
To calculate the specific RCS of rain for intensities up
to 20 mm per hour, usually the traditional relation is
used
r
=C
r
R
Dr
, (C
r
=0,0026; D
r
=1,015 for =8,6 mm
and C
r
=0,0081; D
r
=0,56 for =3,16 mm) [7]. For
snowfall the relevant expression may be written in the
form
s
=-65exp(-0,29 P
0,32
), dB per m
3
in the frequen-
cy band around 94 GHz [7]. But it is necessary to
consider such relations only as very approximate be-
cause of the strong dependence of scattering on the
physicochemical properties of the particles.
The shape of the signal spectrum also depends on the
type of precipitation (see Figure 8). For snowfall the
spectrum shape strongly depends on the wind direc-
tion and has its largest width up to 10 KHz.
So the data obtained permit to make the following
conclusions:
1. The main problem of a radar sensor for outdoor ap-
plication is to provide the selection of a target on the
background of clutter from terrain and precipitation;
2. Coherent signal data processing is a radical way to
improve the detection of an intruder on the back-
ground of clutter;
3. The use of data noted permits to optimize Doppler
filtering of radar signals and to provide selection of an
intruder which moves on grassland among shrubberies
at a distance of up to 0,8 km by the described radar
sensor.
4. Generally, the total energy reflected from terrain
and precipitation is distributed in an essentially wide
frequency range while the spectrum from a target is
concentrated in a quite narrow range. That is why co-
herent signal processing provides some appreciable
gain in the signal-to-clutter ratio.
References
[1] Schuenemann, K., Khlopov, G.: Application of
Millimeter Wave Sensors for Security Purposes,
Proceedings of Joint 30
th
International Confe-
rence on Infrared and Millimeter Waves and 13
th

International Conference on Terahertz Electron-
ics, Williamsburg, USA, pp.353-354, September
19-23, 2005,
[2] Khlopov, G., Martynjuk, S.: Spectral characte-
ristics of the coherent millimeter wave radar
echoes from humans in motion, Telecommuni-
cations and Radio Engineering, (USA), vol.51,
N1, pp.9-16, 1997
[3] Shtager, E.A. Scattering of radio-waves on bo-
dies of complex shape, Radio i Svyaz,
Moscow (USSR), 1986.
[4] Khlopov, G., Kostetsky, V.: Millimeter Radar
Sensor for the Detection of Stationary Ground
Vehicles, Proc. of the SET-059 Symp NATO
Target Tracking and Sensor Data Fusion for
Military Observation Systems, Budapest, pp.
283-284, 15-17 October 2003
[5] Kapitonov, V., Melenchuck, Yu., Chernikov .:
Spectrums of radar signals reflected from forest
in centimetre waveband, Radiotechnika i elek-
tronika. Vol. 18, N9, S.1816-1825, 1973
[6] Korostelev, V., Khlopov, G., Shestopalov, V.:
Experimental study of spectral characteristics of
coherent signals, reflected from vegetation in
short millimeter wavelengths, Izvestiya Vuzov,
RadioPhysics. Vol. 33, N8, S.895-901, 1990
[7] Nomarich, J., Welman, R., Lacomb, J.: Back-
scatter and Attenuation by Falling Snow and
Rain at 96, 140 and 225 GHz, IEEE Trans. in
Geosc. And Remote Sens., Vol. 26, N3, pp. 39-
329, 1988
[8] Khlopov, G.: The Spectra of Coherent Millime-
ter Wave Signal, Reflected from Hydrometeors,
Telecommunications and Radio Engineering,
(USA), vol.51, N1, pp.17-24, 1997

Figure 7 Width of coherent spectrum for vegetation

Figure 8 Signal spectrums from precipitation
471
Geometrical design criteria for analyzing the vulnerability of ur-
ban area construction to blast effects
Christian, Prez-Jimenez, Tecnalia Construction unit, Spain.
Mikel, Minguez-Fica, Tecnalia Construction unit, Spain.
Fernando, Morente-Belmez, Tecnalia Construction unit, Spain.
Abstract
Evolution of characteristics parameters of blast waves (pressure, impact, positive and negative phase) strongly
depends on the scenario where explosion occurs. Blast loads on the building target as well as effects on the ur-
ban layout are a function of the building geometry as well as the presence of other buildings in the vicinity. Blast
loads on buildings can either be reduced or enhanced due to their geometry configuration or by the influence of
nearby buildings. Effects on the urban layout, which have great importance on human safety, are also influenced
by those parameters. This study shows the importance of taking into account the behaviour of different building
geometries, orientation as well as the influence of adjacent geometries and relative position when planning an
urban area against blast effects. Maps of human damage will be obtained in different scenarios.

1 Introduction
Historical records indicate that the majority of terror-
ist incidents have occurred in an urban environment
in presence of nearby buildings forming the street ge-
ometries (New Yorks Twin Towers on 11th Septem-
ber 2001, the 11th March 2004 terrorist attack in Ma-
drid).
An explosion in an urban area affects not only the
constructive systems of the buildings but also their
occupants and those in the streets. The effects and
consequences depend on a great way on the explosive
charge but also on the urban planning and building
geometries (P.D Smith, 2001). In order to make them
less vulnerable, it is necessary to identify and analyse
the geometrical parameters that determine the vulner-
ability of urban area configuration to blast effect. In
order to solve that, it has been studied the influence of
some geometrical parameters of rectangular urban
layout (street width, building height), (T.A Rose,
2002; Fotis Rigas, 2005). Thus, in this paper it is in-
tended to go deeper in the present knowledge and
analyse the behavior of different geometrical configu-
ration of single buildings as well as different urban
layout against blast actions by means of validated
numerical methods.
Evaluation of the human damage in urban layout sce-
narios will be presented by means of maps of damage
based on probabilistic methods.

2 Scenarios Analysed
The number of possible urban area configuration is
limitless. The whole range of possible building ge-
ometries and urban layout is not considered in this
paper and the following set of scenarios is investi-
gated:

Single buildings: the objective is to determine
how the geometry of two common typologies of
building (rectangular, RB, and cylindrical, CB)
submitted to a blast explosion is affected and af-
fects the nearby regions due to the reflection of
the shock wave. Dimensions of the scenarios are
shown in Figure 1-(a) where the height of both
buildings, H, is assumed to be 24 m (typical six
floor building in Mediterranean residential areas
like in Spain). The width, a, and long, b, of the
rectangular building is 20 m as well as the diame-
ter, D, of the cylindrical one. A 100 kg and 1000
kg TNT charges, are chosen for each building ty-
pology. The distance between the charge and the
centre of analysed building is 25 m, given a
scaled distance of 5.4 y 2.5 m/kg1/3, respectively.
Rectangular urban layout: the objective is to de-
termine the influence of different typologies of
buildings, position and orientation placed on a
rectangular layout. Maps of human damage at 1
m above the ground are analysed. Dimensions of
the reference urban layout are shown in Figure 1-
(b). The height of both buildings, H, is assumed
to be 24 m. Both longitudinal, WL, and transver-
sal, WT, street widths are 10 m. A spherical 1000
472
kg TNT charge is placed in the middle of the lon-
gitudinal street at 1 m above the ground and 10 m
far from the building wall.

(a) (b)

Figure 1 (a) Schematic single buildings: rectangular
and cylindrical (b) schematic rectangular urban layout
3 Numerical Simulation
3.1 Material Model
In all simulations, buildings are assumed to be rigid;
air and high explosive (TNT) are modelled by an
Euler processor with equations of state being ideal
gas and JonesWilkinsLee (JWL), respectively
(Autodyn, 2009).

3.2 Single building and rectangular
urban layout simulations
Each simulation has been divided in three stages: in
the first stage, the initial detonation and propagation
of the spherical blast wave is modelled in 1D, using
100 x 10 mm cells. Then, in the second stage the re-
sults from the 1D analysis are remapped to a 2D
simulation, using approximately 150,000 x 100 mm
cells. Finally, the results obtained from the 2D simula-
tion are remapped to a 3D simulation; using approxi-
mately 1,040,000 x 500 mm cells and 800,000 x 500
mm cells for single building and urban layout simula-
tions, respectively.
The 3D numerical models were extended sufficiently
far in each direction to ensure that the presence of the
boundaries did not affect the results at the measuring
locations. Blast parameters were measured over the
front and rear part of the rectangular and cylindrical
building at three different planes above the ground (1
m, 10 m and 20 m).
4 PROBIT equation for human
damage
For evaluating the damage suffered by the population
submitted to the effects of urban blast, PROBIT equa-
tion, Y, are used. The type of damage analysed in this
paper includes eardrum rupture, Y1, and death for
whole body impact, Y2. Table 1 represents the se-
lected PROBIT equation found in literature (Fernando
Diaz, 2007).

___________________________________________
Type of damage PROBIT equation
___________________________________________
Eardrum rupture Y1 = -15.6+1.93ln(ps) (1)
Death for whole Y2 = 5-2.44ln((7.38 103/ps)+
Body impact +(1.3 109/( ps x i) (2)
_________________________________________
Table 1. PROBIT equations for different human
damage to be caused by explosions
where ps is the maximum peak overpressure, kPa; i is
the maximum peak impulse, Pa s.
5 Numerical Simulation
5.1 Single Building simulation
In the following figures, the maximum peak pressure
percentage with respect to a scenario in which no
building is considered, WB, is represented for the rec-
tangular and cylindrical building scenario. Both 100
kg and 1000 kg TNT charge are represented.

0 0 0 0 0 0 0 -1 -1 -1 -2 -2 -2
0 0 0 0 0 0 0 -1 -2 -2 -2 -2 -2
0 0 0 0 0 0 -1 -2 -2 -3 -3 -3 -3
0 0 0 0 0 -1 -3 -3 -4 -4 -4 -4 -4
0 0 0 0 -1 -4 -5 -5 -5 -5 -5 -5 -5
0 0 0 1 -6 -9 -9 -8 -7 -7 -7 -7 -6
0 0 0 50 -16 -14 -11 -17 -12 -10 -9 -8 -7
0 0 0 52 -17 -14 -11 -10 -8 -7
0 0 0 53 -16 -13 -10 -9 -7 -6
0 0 0 52 -17 -14 -11 -10 -8 -7
0 0 0 50 -16 -14 -11 -17 -12 -10 -9 -8 -7
0 0 0 1 -6 -9 -9 -8 -7 -7 -7 -7 -6
0 0 0 0 -1 -4 -5 -5 -5 -5 -5 -5 -5
0 0 0 0 0 -1 -3 -3 -4 -4 -4 -4 -4
0 0 0 0 0 0 -1 -2 -2 -3 -3 -3 -3
0 0 0 0 0 0 0 -1 -2 -2 -2 -2 -2
0 0 0 0 0 0 0 -1 -1 -1 -2 -2 -2

0 0 0 0 1 2 0 -2 -3 -3 -3 -3 -3
0 0 0 0 1 2 -2 -4 -5 -5 -5 -5 -5
0 0 0 0 1 1 -4 -6 -6 -5 -5 -5 -6
0 0 0 0 2 -3 -8 -8 -8 -7 -7 -8 -8
0 0 0 0 2 -11 -15 -13 -11 -10 -11 -11 -10
0 0 0 3 -13 -21 -22 -19 -16 -16 -15 -13 -12
0 0 0 150 -31 -26 -25 -43 -28 -23 -19 -17 -14
0 0 0 132 -42 -35 -28 -23 -19 -16
0 0 0 130 -40 -33 -26 -20 -16 -12
0 0 0 132 -42 -35 -28 -23 -19 -16
0 0 0 150 -31 -26 -25 -43 -28 -23 -19 -17 -14
0 0 0 3 -13 -21 -22 -19 -16 -16 -15 -13 -12
0 0 0 0 2 -11 -15 -13 -11 -10 -11 -11 -10
0 0 0 0 2 -3 -8 -8 -8 -7 -7 -8 -8
0 0 0 0 1 1 -4 -6 -6 -5 -5 -5 -6
0 0 0 0 1 2 -2 -4 -5 -5 -5 -5 -5
0 0 0 0 1 2 0 -2 -3 -3 -3 -3 -3

100 kg TNT 1000 kg TNT
(a)
0 0 0 0 0 0 0 0 1 0 0 0 -1
0 0 0 0 0 0 0 1 1 0 -1 -1 -1
0 0 0 0 0 0 1 1 0 -1 -2 -2 -2
0 0 0 0 0 1 2 0 -1 -2 -3 -3 -3
0 0 0 0 0 3 1 -2 -4 -4 -5 -5 -4
0 0 0 0 2 2 -5 -7 -7 -7 -6 -6 -5
0 0 0 0 6 -13 -13 -12 -10 -9 -8 -7 -6
0 0 0 3 -15 -12 -10 -9 -7 -6
0 0 0 35 -15 -11 -9 -7 -6 -5
0 0 0 3 -15 -12 -10 -9 -7 -6
0 0 0 0 6 -13 -13 -12 -10 -9 -8 -7 -6
0 0 0 0 2 2 -5 -7 -7 -7 -6 -6 -5
0 0 0 0 0 3 1 -2 -4 -4 -5 -5 -4
0 0 0 0 0 1 2 0 -1 -2 -3 -3 -3
0 0 0 0 0 0 1 1 0 -1 -2 -2 -2
0 0 0 0 0 0 0 1 1 0 -1 -1 -1
0 0 0 0 0 0 0 0 1 0 0 0 -1

0 0 0 0 0 0 3 3 2 1 0 -1 -1
0 0 0 0 0 1 5 4 2 0 -1 -2 -3
0 0 0 0 0 3 7 3 0 -1 -3 -4 -5
0 0 0 0 0 7 6 1 -2 -4 -6 -7 -7
0 0 0 0 0 12 1 -5 -8 -9 -9 -9 -9
0 0 0 0 8 5 -11 -15 -15 -14 -12 -11 -10
0 0 0 0 17 -29 -30 -25 -21 -17 -14 -12 -11
0 0 0 3 -37 -28 -22 -18 -15 -13
0 0 0 93 -36 -26 -18 -12 -7 -4
0 0 0 3 -37 -28 -22 -18 -15 -13
0 0 0 0 17 -29 -30 -25 -21 -17 -14 -12 -11
0 0 0 0 8 5 -11 -15 -15 -14 -12 -11 -10
0 0 0 0 0 12 1 -5 -8 -9 -9 -9 -9
0 0 0 0 0 7 6 1 -2 -4 -6 -7 -7
0 0 0 0 0 3 7 3 0 -1 -3 -4 -5
0 0 0 0 0 1 5 4 2 0 -1 -2 -3
0 0 0 0 0 0 3 3 2 1 0 -1 -1

100 kg TNT 1000 kg TNT
(b)

Figure 2 (a) Rectangular building scenario; (b) Cy-
lindrical building scenario

The following results have been found:
The presence of buildings creates an enhancing
pressure region and shadowing pressure region in
the front and rear part, respectively. Thus, the en-
hancing region in the RB is found on the front
wall while the shadowing one is obtained in the
lateral and rear walls. For CB scenario, the en-
473
hancing region reaches both front wall and a part
of the lateral walls.
RB scenario acts as a barrier stopping great quan-
tity of the shock wave energy. Thus, higher val-
ues of maximum peak reflected pressure are ob-
tained in the front wall and greater shadowing ef-
fects in the rest of the environment.
CB scenario deflects the shock wave around the
building reducing the shock wave energy absorp-
tion. Lower maximum peak reflected pressure
values are obtained and consequently lower
shadowing effects in the rest of the environment.
The enhancing region, in both scenarios, in-
creases with height. However, the maximum re-
flected pressure value reduces. This effect is rep-
resented in Figure 3.

Thus, Figure 3 represents the distance from the front
wall that is influenced by the reflected wave as well
as the maximum peak pressure in this point. The men-
tioned tendency of maximum peak pressure and influ-
enced region with height is appreciated.

0
4
8
12
16
20
0 1 2 3 4
[m]
B
u
i
l
d
i
n
g

h
e
i
g
h
t

[
m
]
100 125 150 175 200
[Kpa]
influenced distance
Pressure

Figure 3 Pressure and influenced distance as a func-
tion of the building height. Data taken in central plane
of the front wall of RB scenario (100 kg TNT charge
scenario).

For concise purposes, pressuretime curve for a
point placed at the front and the rear part of the rec-
tangular and cylindrical building for both 100 kg and
1000 kg TNT charge is represented in Figure 4.
It can be observed how the arrival time of the shock
wave to the rear part of the building is influenced by
the building geometry. Thus, faster shock wave is ob-
tained for the WB scenario, followed by the CB sce-
nario and finally the RB scenario. The reason of that
is found in the shock wave energy absorption of each
building configuration which becomes faint the front
wave in terms of speed, pressure and impact. Table 2
shows the arrival time of the shock wave to a point at
the rear part of the building for the 1000 kg TNT ex-
plosion charges.
On the other hand, the influence on the rear part of
the shock wave travelling above the roof results in a
train of waves, see Figure 4-(b). Points closer to the
roof are powerfully and faster influenced. This effect
is not really appreciated, Figure 4-(a), for weak ex-
plosions.

______________________________________
WB CB RB
___________________________________________
______________________________________
100 kg TNT explosion 69 86 101
1000 kg TNT explosion 98 110 120
___________________________________________
______________________________________

Table 2 Arrival time, ms, of the shock wave at a point
of the rear part at z = 20 m and 5 m from the wall.

50
100
150
200
250
300
350
0 10 20 30 40 50 60 70
Time [ms]
[
k
P
a
]
Z = 1 m. Z = 10 m. Z = 20 m.
RB
CB
WB
90
95
100
105
110
115
120
80 100 120 140 160
Time [ms]
[
k
P
a
]
RB CB
WB
Z = 20 m
Roof influence

100 kg TNT explosion charge
0
300
600
900
1200
1500
1800
0 10 20 30 40
Time [ms]
[
k
P
a
]
Z = 1 m. Z = 10 m. Z = 20 m
RB
CB
WB

80
100
120
140
160
180
40 60 80 100 120 140 160
Time [ms]
[
k
P
a
]
WB
CB
RB
Z = 20 m
Roof influence
Floor influence

1000 kg TNT explosion charge
(a) (b)

Figure 4 Pressure-time curve at different height (1 m,
10 m, 20 m); (a) front part and (b) rear part of the
building.

5.2 Rectangular urban layout
5.2.1 Reference scenario
In the following figure, the p-d curves of the longitu-
dinal (L
L
, C
L
, L
r
) and transversal (A
T
, B
T
, C
T
) lines of
the reference urban layout scenario are represented.
The i-d curves of the previously defined lines of the
reference urban layout scenario are represented in
Figure 6.

0
400
800
1200
1600
0 10 20 30 40 50 60
[m]
[
k
P
a
]
0
400
800
1200
1600
0 10 20 30 40 50 60
[m]
[
k
P
a
]

Central line (C
L
) Lateral line (L
L
)

Floor influence
Channelling
effect
Transversal
width
Channelling
effect
Transversal
width
474
120
130
140
150
0 5 10 15 20 25
[m]
[
k
P
a
]
120
130
140
150
0 5 10 15 20 25
[m]
[
k
P
a
]

Transversal line (A
T
) Transversal line (B
T
)

130
150
170
190
210
0 5 10 15 20 25
[m]
[
k
P
a
]

Transversal line (C
T
)

Figure 5 Pressure-distance curves for different lines
and planes of the reference urban layout scenario.
1000 kg TNT explosion

400
1200
2000
2800
3600
0 10 20 30 40 50 60
[m]
[
P
a
s
]
400
1200
2000
2800
3600
0 10 20 30 40 50 60
[m]
[
P
a
s
]

Central line (C
L
) Lateral line (L
L
)
400
500
600
700
0 5 10 15 20 25
[m]
[
P
a
s
]
400
500
600
700
0 5 10 15 20 25
[m]
[
P
a
s
]

Transversal line (A
T
) Transversal line (B
T
)
400
500
600
700
800
900
0 5 10 15 20 25
[m]
[
P
a
s
]

Transversal line (C
T
)

Figure 6 Impulse-distance curves for different lines
and planes of the reference urban layout scenario.
1000 kg TNT charge.

Analysing the reference scenario, the following re-
sults are obtained. Thus, for the longitudinal lines:

The global tendency of maximum peak pressure
and impulse is to decrease with distance.
Higher maximum peak pressure and impulse val-
ues are found at heights closer to the ground.
Both central and lateral lines experience a rise in
the maximum peak pressure due to the known
channelling effect provoked by the reflection
of the shock waves in the building walls (T.A.
Rose, 2002). This effect can also be seen in i-d
curves, where the decay of the maximum peak
impulse is attenuated.

For the transversal lines:

Similar tendencies for the maximum peak pres-
sure in transversal lines B
T
and C
T
are obtained
even at different heights.
Transversal line A
T
at heights 1 m and 10 m ex-
periences a rise in the maximum peak pressure
due to influence of the reflection process from
the opposite building wall.
Transversal line A
T
at height 20 m experiences a
continuous rise due to the reflection process as
well as for the influence of the shock wave com-
ing from the roof of the building.
Higher pressure ranges are found in the line C
T

where the shock wave incises directly.

5.2.2 Influence on the building orientation and
geometry
In this section, the influence on the maximum peak
pressure and impulse of a rectangular urban layout is
analysed taking into account the fact of having:
A rectangular building rotated 45 located in first
and second line of the urban layout; see Figure 7-
(a) & (b).
A cylindrical building located in first and second
line of the urban layout; see Figure 7-(c) & (d).

Dimension of the cylindrical building is similar to the
one analysed in section 5.1. However, in order to re-
spect the longitudinal and transversal street width, the
rectangular building side is reduced by a 2
1/2
factor.
In next figures, the perceptual differences of maxi-
mum peak pressures and impulse between the refer-
ence urban layout scenario and those mentioned in
Figure 7 are shown at height z = 1 m.

(a) (b) (c) (d)

Effect of the
reflected wave
Effect of the
reflected wave
Effect of the
transversal width
Effect of the
transversal width
475
Figure 7 Rectangular urban layout scenarios; (a)-(b)
lower and upper rotated rectangular building scenario,
respectively; (c)-(d) lower and upper cylindrical
building scenario, respectively

Positive numbers represent higher values in the ana-
lysed scenario than in the reference scenario. Note:
Cell dimensions where values are represented are 5
m. in longitudinal axis and 3.3 m in transversal axis.

-8 -3 0
-9 -3 0
-13 0 0
-12 -14 -8 -28 -5 0 0 0 0 0 0
-9 -9 -7 0 0 0 0 0 0 0 0
-13 -13 -8 0 0 0 0 0 0 0 0
0 0 0
0 0 0
0 0 0
0 0 0

-14 -4 0
-13 -3 0
-13 0 0
-14 -20 -14 -28 -5 0 0 0 0 0 0
-9 -9 -7 0 0 0 0 0 0 0 0
-15 -13 -8 0 0 0 0 0 0 0 0
0 0 0
0 0 0
0 0 0
0 0 0

Buildings in the upper part

-1 -2 -3
-2 -1 -5
-1 -3 -7
7 12 20 22 2 -6 -6 -6 -4 -3 -1
2 3 4 28 2 -4 -13 -8 -4 -3 -1
-9 -10 2 18 0 -2 -12 -7 -5 -5 -3
-16 -13 0
-18 -6 0
-30 0 0
-19 0 0

-2 -5 -6
-4 -6 -10
-5 -7 -15
8 17 23 17 -3 -11 -15 -17 -14 -12 -8
3 4 11 27 -5 -13 -21 -8 -8 -6 -5
-10 -10 4 30 -6 -16 -11 -7 -9 -10 -8
-23 -18 0
-12 -6 0
-30 0 0
-19 0 0

Buildings in the lower part

Figure 8. Perceptual maximum peak pressure differ-
ences with the reference rectangular urban layout sce-
nario

-24 -13 -3
-22 -2 -1
11 0 -8
-44 -27 -6 -4 -4 -10 0 0 0 0 0
-31 -24 -10 -18 0 0 0 0 0 0 0
-27 -21 -21 -16 0 0 0 0 0 0 0
0 0 0
0 0 0
0 0 0
0 0 0

-32 -23 -17
-48 -9 -16
12 -13 -8
-43 -37 -12 -20 -17 -10 0 0 0 0 0
-42 -35 -23 -24 0 0 0 0 0 0 0
-44 -40 -39 -16 0 0 0 0 0 0 0
0 0 0
0 0 0
0 0 0
0 0 0

Buildings in the upper part

-1 -1 -2
-2 0 0
-1 -2 0
9 33 45 43 -5 0 -8 -11 -11 -11 -10
-7 7 23 24 17 -11 -10 -14 -13 -14 -12
-16 -5 16 29 52 -17 -5 -6 -11 -13 -12
-29 -9 0
-29 5 0
11 -4 0
-27 -8 0

-14 -14 -14
-16 -12 -12
-13 -14 -11
17 39 59 45 -12 -11 -21 -22 -20 -19 -20
-4 10 24 33 8 -22 -20 -23 -22 -23 -20
-38 -25 -22 48 40 -25 -15 -16 -23 -23 -21
-40 -14 -9
-37 -1 -9
0 -13 -3
-30 -8 0

Buildings in the lower part

Figure 9 Relative maximum peak impulse differences
with the reference rectangular urban layout scenario

Analysing the results for the building in the upper
part:
No differences in the maximum peak pressure and
impulse are appreciated in the lower part of the
urban layout when cylindrical or the rotated rec-
tangular building is placed in the upper part.
Only an attenuation effect with respect to the ref-
erence scenario is found in these scenarios.
Higher attenuation effect is found in the rotated
rectangular building scenario. This is due to re-
flected wave created by each building.

For buildings in the lower part:
Both attenuation and enhancing effects, with re-
spect to the reference scenario are found. Enhanc-
ing effects appear in the transversal street, while
attenuation effects appear in the rest of the urban
layout.
Higher enhancing effect is found in the transversal
street due to the direct impact of the initial shock
wave with the reference rectangular building.
The enhancing effect region created by the cylin-
drical building is wider than for the rotated rec-
tangular building. It is observed how this region
reaches the longitudinal lines while for the other
scenario it remains in the transversal lines.

5.2.3 Maps of human damage

In order to have a vision of the catastrophic results
obtained in these urban layout configurations, the fol-
lowing human damages are considered: eardrum rup-
ture and death to whole body impact are considered.
Thus, taking into account the PROBIT equation, Ta-
ble 1, the following maps of human damage is ob-
tained.
Figure 10 represents the eardrum rupture damage
and the death for whole body impact for the reference
urban layout scenario. Figure 11 shows the eardrum
rupture damage and the death for whole body impact
for the analysed urban layout scenarios. Numbers in-
dicate the probabilistic damage, %.

(a) (b)

476
Figure 10 Human damage in reference urban layout
scenario; (a) eardrum rupture and (b) death by whole
body impact.

It can be appreciated that for distances close to the
explosive charge, the percentage of eardrum rupture
is over 90 % and it is slightly affected by the influ-
ence of building geometry or orientation. The incident
shock wave has enough energy to provoke this human
damage and the amplified energy of the reflected
wave has not really influence.

(a) (b)

Figure 11 Human damage in analysed urban layout
scenario; (a) eardrum rupture and (b) death by whole
body impact.

For the scenarios where the building is placed on the
upper part, it can be observed how in transversal line
(A
T
, B
T
and C
T
) lower eardrum rupture damage is ob-
tained with respect to the reference scenario, except
for further points where the opposite effect is found.
For buildings placed on the lower part, an enhancing
level of damage in transversal lines is obtained due to
the energy absorption of these building configuration
and orientation.
It can be observed how the death for whole body im-
pact only affects regions next to the explosive charge.
Thus, for the scenarios where buildings are placed on
the upper part, no difference between them and the
reference case are observed.
For the analysed buildings placed on the lower part,
slight variations of human damage are found between
them. However, comparison with reference scenario
indicates that the behaviour of the rotated rectangular
building and cylindrical scenario create more safety
urban layout.

6 Conclusions
A rectangular and cylindrical building with the as-
sumption of being placed on an isolated open space
has been analysed as well as the behavior of those
buildings placed in a rectangular urban layout with
the rectangular one rotated 45 is analysed.
Regarding the single building behavior, results indi-
cate that the shock wave experiences a deflection in
the cylindrical building and a barrier effect in the rec-
tangular one. These effects results in higher values of
maximum peak reflected pressure in the front wall
and greater shadowing effects in the rest of the envi-
ronment for the RB than in CB.
Regarding the urban layout, results show that cylin-
drical and rotated rectangular building placed on the
lower part of the urban layout affects in a negative
way to the building behind it. In the rest of the streets
and buildings, an attenuate effect occurs (with respect
to the reference scenario) due to the not existence of
the channeling effect.
If the analysed buildings are placed on the upper part,
no differences are found in the effect provoked by the
reference scenario. An attenuate zone occurs near
these analysed buildings.
The presented results clearly indicate the importance
of considering the influence of having different build-
ing geometries for designing, planning or assessing
vulnerable regions in urban environment.

7 Acknowledge
The authors thank Brenda Mendoza Castro of IBM
systems for her technical support. This work has been
supported by the Department of Industry, Trade, and
Tourism of the Basque Government under the
EMAITEK project.

8 References

[1] Fernando Daz Alonso et al. Consequence analy-
sis to determine the damage to humans from
vapour cloud explosions using characteristic
curves. Journal of Harzadous Materials (2007).
477
[2] Fotis Rigas, Spyros Sklavounos.. Experimentally
validated 3-D simulation of shock waves
generated by dense explosives in confined
complex geometries. Journal of Harzadous
Materials (2005).
[3] T.A. Rose and P.D. Smith. Influence of the
principal geometrical parameters of straight city
streets on positive and negative phase blast wave
impulses. Int J Impact Eng 27 (2002), pp. 359
376.
[4] P.D. Smith, G.P. Whalen and L.J. Feng et al.,
Blast loading on buildings from explosions in ci-
ty streets, Proc Inst Civil Eng.-Struct Build 146,
(2001) (1) pp. 4755
[5] AUTODYN users manual-version 12. Century
Dynamics Inc.; 2009.

478
Security Impact Simulation for Critical Infrastructure of Freight
Villages Using Software-Agents
Hendrik Wildebrand
1
, Institute of Shipping and Logistics, Germany
Hans-Dietrich Haasis, Institute of Shipping and Logistics, Germany
Falko Zimmermann, Institute of Shipping and Logistics, Germany
Marco Plger, Institute of Shipping and Logistics, Germany
Abstract
In the logistic infrastructure of Germany, freight villages perform important tasks as logistics hubs in the supply
of goods. In a freight village different modes of transport (e.g. road, rail) and actors are brought together and are
integrated with each other. The resulting complexity of the system freight village is raised by increasing flow
rates and variety of goods. A case of damage can lead to regional, national and even international production
losses and shortages for industry, trade and population. The underlying security scenario of the project Prepared-
NET assumes a disturbance of a freight village by terrorist attacks as well as general damages by unforeseen in-
cidents. The goal of PreparedNET is to explore an emergency concept to maintain the flow of goods through
critical infrastructure. In case of a serious disturbance, an emergency operation plan should act immediately. For
these situations a software-based simulation model is developed, based on a so-called multi-agent system. The
software not only simulates the incident, but also provides a quick, automated decision support for the freight vil-
lage actors.
2

1
Corresponding author: Dr. Hendrik Wildebrand; wildebrand@isl.org
2
The project PreparedNET is funded by the Federal Ministry of Education and Research (BMBF) within the
framework of the Federal Governments Research for Civil Security programme.
1 Introduction
Since the early 90`s the development of freight vil-
lages (FV) in Germany was successfully promoted na-
tionwide [1]. Today there are 34 freight villages
throughout the Federal Territory. In particular, the
freight village in Bremen provides a benchmark to
freight village development on the national, European
(e.g. Minsk, Athens, Krnten) and global level (e.g.
Chengdu, New York). A freight village is especially
characterized by following characteristics [2]:

Transport function (logistics hub): Transport
and transshipment hub between regional and
national transport networks embedded in a
national (German) and international (Euro-
pean) freight village network.
The settlement of transport-oriented compa-
nies, logistics service providers (e.g. freight
forwarders and CEP), logistics-intensive in-
dustrial and commercial companies as well as
establishment of customs services. In this
way a wide range of full quality logistic ser-
vices like transshipment activities, order
picking or value-added services is available
at one venue.
In a FV there is at least access to two modes
of transport, in particular road and rail, but
also inland waterway (generally by intermo-
dal terminals).
Freight villages contribute decisively to the securing
of flow of goods at the regional, national and interna-
tional level and are an essential prerequisite for con-
tinued economic growth and thereby for social pros-
perity.
Because of the important function of freight villages
and especially because of the numerous multiple con-
nected up- and downstream Supply Chains, which are
concentrated in this logistic infrastructure on a rela-
tively small area and utilize the same modes of trans-
port and technical infrastructure, freight villages come
inevitably into the sight of terrorist attacks [3]. These
attacks would attempt to interrupt the incoming and
outgoing flow of goods in the short, medium and long
term by destroying the modes of transport and techni-
cal infrastructure. As a result the supply of commercial
and industrial establishments as well as end customers
subsequent to the freight village could not be guaran-
teed. This could lead to production downtimes and
supply bottlenecks on the part of industry, trade and
population on a regional, national and international
level. There are no concepts similar to the project`s
objective.
Against this backdrop the first objective of the project
PreparedNET is the investigation, configuration and
479
exemplary implementation of an emergency concept
(interim concept) which maintains the flow of goods,
following terrorist attacks or other unforeseen inci-
dents, using as an example the freight village in Bre-
men in cooperation with the freight village in Dres-
den. The concept supports the flexible coordination
between the freight village actors in terms of partici-
patory, dynamic planning and control of damage-
specific remaining transport, transshipment and han-
dling capacities in damaged freight villages and in
consideration of freight village wide cooperation.
Cases of damage will be simulated based on the ap-
proach of multi-agent modeling to configure dynami-
cally adaptable organizational structures, problem-
solving strategies, cooperation and coordination
strategies and thereby decision-making behavior of
affected freight village actors including the fire bri-
gade as rescue service in a scenario-specific way.
Based on the results of the simulation a reference
training concept for FV actors will be generated. Fur-
thermore a software-based multi-agent system as a de-
cision support tool for freight village actors will be
implemented as a demonstrator. The system will be
scenario-specifically tested, using selected freight vil-
lage practice partners.
The acceptance and transfer of the solution will be
supported by the consideration of a legal point of view
and the preparation of a DIN SPEC. The observations
from the legal point of view ensure a harmonious inte-
gration of the interim concept in legal frameworks at
the regional, federal and international level. The DIN
SPEC will contribute to the national and international
standardization of the emergency concept.
2 Security scenarios of the
project PreparedNET

The scenario underlying the project PreparedNET
arises from a damage/disruption of the transport infra-
structure and/or of the technical logistical infrastruc-
ture within a freight village by terrorist attacks as well
as other unforeseen incidents.
The following security scenarios have to be taken into
consideration, which may occur individually or in
combination:

Security scenario 1:
Disturbance of the transport mode rail
Disturbance of the transport mode rail, for example
through terrorist bomb attacks as well as deliberate or
non deliberate derailment of train carriages, could in-
terrupt planned flow of goods by rail in and from the
freight village in short to medium term.

Disturbance of the transport mode road
In this scenario a disturbance of freight village road
entrances and exits, which may occur individually or
in combination is considered. A disturbance could oc-
cur due to a bomb attack on road sections as well as
deliberate or non deliberate closure of road sections,
for example because of truck accidents. Moreover,
road sections could be contaminated with several ha-
zardous substances. Altogether, entering and exiting
the FV via road, depending on the scale of damage,
would be impossible in the short to medium term, or
at least only partially feasible.

Disturbance of intermodal terminal
An intermodal terminal is an important service in a
freight village, which will be used by most of the FV
resident companies but also by non-resident compa-
nies, in order to conduct intermodal transport (e.g.
transshipment of goods from rail mode to road mode
or vice versa). This scenario starts from a disturbance
of technical infrastructure within the intermodal ter-
minal. A disturbance could occur due to bomb attacks
on one or more container lifting cranes. The contami-
nation of intermodal terminal areas or, as detailed in
scenarios 1 and 2, deliberate or non deliberate damag-
ing/disrupting of the transport infrastructure (rail,
road). This could cause individually or in combination
an interruption of transshipment processes in the short
to long term. The connection of supply chain actors to
national and international transportation networks
could not be warranted in the short to medium term.

The consequences of these three scenarios are depend-
ing on the extent of damage in addition to potential
injured, dead and damaged infrastructure in particular
supply bottlenecks on the part of commercial and in-
dustrial enterprises (e.g. losses of production) and
population. In addition to associated economic losses,
social psychological damages, such as stress, aggres-
sions or a loss of trust in the security of supply and the
crisis management of the government could arise.
The security scenario (emergency concept) considered
here aims at the initiation of an ad-hoc emergency op-
eration to maintain the flow of goods within the
supply chains after the occurrence of damages that are
stated above (ex post). On the bases of the emergency
concept (interim concept), which has to be imple-
mented in freight villages, flexible coordination be-
tween affected freight village actors in the sense of
participatory, dynamic planning and control of dam-
age specific remaining transport, transshipment and
handling capacities will be enabled. In order to main-
tain the flow of goods cooperation within the damaged
freight village as well as cooperation between differ-
ent FVs is considered. Through this a dynamic bal-
ance of supply and demand of logistics capacities will
be achieved that cannot be achieved by current, in-
adequate freight village emergency plans.
The emergency concept implementation will be
achieved by the configuration of a training concept for
freight village actors and by a hybrid software-based
480
multi-agent system (MAS). After the implementation,
the MAS offers automated decision support for af-
fected FV actors. The utilization of the MAS will in-
crease the efficiency regarding the coordination of the
remaining capacities significantly in contrast to a
coordination only based on the training concept.
The legal perspective is considered to achieve the in-
tegration of the emergency concept into existing law
frameworks, such as the disaster management law, as
conflict-free as possible. Another objective is to stan-
dardize a unified concept in the sense of a DIN SPEC
based on international standard ISO 28000: Specifica-
tion for security management systems for the supply
chain. Through this, the acceptance and intended
transfer of the solution can be sped up on the national
and international level.
3 State of scientific and
technical knowledge
From a scientific perspective, following disciplines
will be considered, extended and combined in the con-
figuration of the emergency concept: agent-based
modeling and simulation of the decision behavior of
human actors in complex, dynamic logistic systems;
planning and controlling of complex logistic systems
(supply chain management); cooperation theory; deci-
sion theory; knowledge management; investigation of
software-based, cross company multi-agent systems.
Agent-based modeling is a special, individual-based
method of computer-aided modeling. It is applied
when the focus of a problem is not on the stability of a
balance of a system or rather the assumption that a
system regains balance, but the question, how a com-
plex system can dynamically and goal-oriented adapt
to changed conditions (robustness) [4, 5]. Thereby it
is taken into account that complex non-linear prob-
lems require a direct investigation of the micro level
of decisions, i.e. decisions of different individuals,
their heterogeneity and their interaction. Simulation
experiments based on agent-based models allow as-
sumptions concerning the dynamics and the effects of
interlinked actor specific decisions (micro level) re-
garding their influence on the system level (macro
level) [6, 7]. The resulting findings allow the concep-
tion and configuration of dynamic adjustable organi-
zational structures, problem-solving strategies as well
as cooperation and coordination strategies for and
within the modeled and simulated systems [8]. Differ-
ent applications of agent-based modeling are used in
different sectors like in transportation sciences for si-
mulation of congestions [9], in social science for the
reproduction of social networks [10, 11] as well as in
economics for modeling artificial economic systems
[12]. Increasingly, agent-based modeling is applied in
logistics [13, 14, 15, 16].
Logistic systems can be mapped as multi-agent sys-
tems. The MAS can then be implemented as software
in the logistic system. In this context a software-based
multi-agent system is a long term working program,
whose work can be described as an independent pur-
suit of goals in interaction with an environment [17].
The contribution of agents lies in the reduction of
complexity regarding the coordination by distribution
of tasks to autonomous components in the overall sys-
tem [18]. The negotiation of transport capacities and
allocation problems, that Wagner has proposed, can
particularly make a contribution to the solution of
complex and distributed problems in intra- and inter-
organizational logistic networks [19]. On the one hand
a multi-agent system can work self-controlling. On the
other hand a hybrid approach, such as in the Pre-
paredNET

project, can be chosen with the aim, to
support dynamic decision-making of human users
(here: supply chain actors) through problem specific
solutions proposed by the agents.
The start of emergency operations in freight villages,
according to the scenarios described in chapter 2, de-
pends on a robust and to the scenario specifically
adapted dynamic organizational and information flow
structure to maintain the short-term initiated flow of
goods. The objective thus is the coordination of parti-
cipatory problem-solving strategies and the decision-
making behavior of supply chain actors
3
in the freight
village as well as between freight villages.
Against this backdrop the following central hypothesis
is developed: The agent-based modeling and simula-
tion provides a suitable methodological research and
development approach for the conceptualization of
dynamically adaptable organizational structures, prob-
lem-solving strategies as well as appropriate coopera-
tion and coordination strategies for the complex logis-
tic system freight village during an emergency opera-
tion. By the implementation of a hybrid multi-agent
system a dynamically adjusted efficient behavior of
actors on the system level will be enabled. The aim is
to maintain the flow of goods by flexibly coordinated
capacity planning and controlling of residual trans-
port, transshipment and handling capacities in freight
villages. The central hypothesis will be verified at the
example of the freight village in Bremen in coopera-
tion with the FV in Dresden.
To examine the state of scientific and technical know-
ledge and to identify the existing research gap regard-
ing the above mentioned hypothesis, the following as-
pects have to be considered:

3
The actors to be regarded and potentially to be mod-
elled as agents within the system freight village are
decision-makers in logistic-intensive industrial and
commercial establishments, freight forwarders and
transshipment terminal operators (e.g. intermodal ter-
minal operators, port infrastructure operators). These
also include transport operators (e.g. truck, rail and
inland waterway vessel). The FV extern actors in ac-
cordance with the here analyzed systems are other na-
tional freight villages.
481

1. In which areas of logistics is agent-based modeling
and simulation already used?
2. In which areas of logistics is currently the concep-
tualization and implementation of software-based
multi-agent systems carried out?
3. What measures are already applied in the above
outlined security scenarios?
4. What standards exist for security management of
complex logistic systems?

To 1: Application of agent-based modeling and si-
mulation in logistics
For agent-based modeling and simulation of social
and economic networks a number of successful re-
search and development projects can be identified
[20]. However, regarding the application of this me-
thodology to explain the implications of decision-
making behavior of actors with regard to the emer-
gence within complex logistic systems there is cur-
rently only limited relevant work on the theoretical
and/or practical level. Here it can be referred to Ick-
erot [15] who used the methodology for the explana-
tion of the bullwhip effect in supply chains. The
Bullwhip-effect, also called Forrester`s Effect or
Whiplash Effect, is a key problem in supply chain
management which results from the dynamic
processes within the supply chain. It describes that
different demand patterns or rather small changes in
consumer demand lead to fluctuations of order quanti-
ties that can build up like a whiplash along the logis-
tics chain. By using agent based modeling and simula-
tion Ickerotts goal is to configure an actor specific de-
cision making behavior to avoid this effect in reality.
Another relevant research and development project is
AMATRAK - traffic avoidance through intelligent
control of freight transport on the basis of autonomous
multi-agent transport coordination founded by the
BMWi and currently realized by the ISL [21, 22].

To 2: Conceptualization and implementation of
multi-agent systems in logistics
Although software-based multi-agent systems are al-
ready used in logistics, currently there is a lack of suc-
cessful practical solutions especially regarding inter-
company solutions. Successful application examples
are missing which would substantiate the in theory
highlighted potentials of self-control concepts in prac-
tice. Also in terms of an agent-based supply chain
event management that is used for planning, managing
and controlling the flow of goods within supply net-
works, the established concepts are rather limited to
linear supply chains [23, 24].

To 3: Measures already used in the considered se-
curity scenarios
Of course, there are emergency plans in place for
freight villages. These comprise a cross-departmental
alarm plan for freight villages that includes such as-
pects like fire-brigade plan, fire-fighting water supply,
general rescue routes and fire-fighting water contain-
ment. The plans also include instructions regarding the
organizational structure of information flow between
internal and external security administrators and
authorities. At the same time there are internal alarm
plans for each company. Plans to maintain emergency
operations after attack scenarios described in Section
2 do not exist, neither within the companies nor on
FV-level. Static traffic diversion instructions, e.g. due
to road blocks, are the only existing measures for
emergency operations in the context of the considered
security scenarios.
Even considering the ISPS code, which contents in-
ternational binding measures designed to improve
safety with regard to the risk of terrorist activities, no
concepts for emergency operations can be identified
e.g. emergency concepts for docks after terrorist at-
tacks [25].
The project Cluster Of User Networks in Transport
and Energy Relating to Anti-terrorist ACTivities
commenced in 2006 aims with its results at security
measures to avoid terrorist acts on intermodal trans-
port networks and their infrastructure, public passen-
ger transport as well as power plants (ex ante). The
focus of the project lies not on the conceptualization
of measures that are intended to initiate emergency
operations, in contrast to the PreparedNet project
[26].

To 4: Standards associated with security manage-
ment of complex logistic systems
Currently the following standard is in particular rele-
vant in the context of security management: Interna-
tional Standard ISO 28000: Specification for security
management systems for the supply chain. It specifies
principles for security management systems in the
supply chain in a very generalized form and gives
companies the possibility to systematically track risks
in the supply chain and to initiate counter measures
(ex ante) [27]. However, it does not include standar-
dized procedures for implementing an ex post emer-
gency management that is proposed in the Prepared-
NET project.

To summarize, following research gaps can be
identified:
It should be noted that there are currently only limited
relevant research and development works on theoreti-
cal and/or practical level with regard to agent-based
modeling and simulation of complex logistic systems.
Therefore a not yet used research potential can be
identified to examine the behavior of dynamic logis-
tics systems.
The small number of conceptualizations of software-
based multi-agent systems refers to linear supply chain
structures. So there is a lack of successful application
examples to substantiate the in the theory identified
482
potentials, especially regarding inter-company con-
cepts.
There are no measures or concepts for a participatory
start of emergency operations among affected freight
village actors, other logistics centers or industrial
parks regarding the outlined security scenarios.
There is a lack of standards or standardized proce-
dures to realize an ex post emergency management.
These gaps will be closed by the PreparedNET
project.
4 Methodical approach
The initial goal was to analyze and model a freight
village reference model consisting of supply chains,
freight village actors, their organizational structures
and associated intra- and inter-organizational informa-
tion flow and flow of goods. At the same time the ex-
isting transport infrastructure as well as the logistic
infrastructure of the FVs Bremen and Dresden was
analyzed to validate the freight village reference mod-
el.
The identification and risk assessment of potential
damage scenarios based on terrorist attacks or other
unforeseen damages within German freight villages
represents another essential goal.
The agent-based modeling is the next essential miles-
tone of the project. The model provides the dynamic
problem solving abilities.
The subsequent scenario-specific simulation experi-
ments aim to verify the designed multi-agent system
and the measures suggested by the system.
By summarizing these results a reference interim con-
cept (emergency concept) will be configured that in-
cludes scenario-specific operative activities.
The technical objective of the project is the configura-
tion of a MAS-demonstrator. This reference demon-
strator will be implemented at companies in the freight
villages in Bremen and Dresden. With these potential
end users detailed scenario-specific tests will be con-
ducted to investigate the systems stability. The test us-
ers will be represented by respective agents, which
will offer decision proposals to the users depending on
the specific damage scenario.
Moreover a standardization for emergency concepts of
complex logistics systems (e.g. freight villages) will
be developed. Basis for the standardization is the
standard ISO 28000.
Furthermore a training concept will be developed with
the aim to prepare FV actors for terrorist attacks or
other incidents. It will be based on emergency con-
cept.
Since no similar ex post emergency concept has been
developed until now, an assessment of the emergency
concept regarding the legal perspective cannot be giv-
en at this point. The integration of the developed con-
cepts in existing legal frameworks is another aspect of
the project. The developed methodology used for the
integration of complex logistics concepts in existing
legal frameworks has also potential for further appli-
cations.
5 Summary and conclusion
The scenario underlying the project PreparedNET
arises from a damage within a freight village through
terrorist attacks as well as by other unforeseen inci-
dents. The goal of the project is the configuration of
an emergency concept for maintaining freight village
operations after extensive disturbances.
As part of the project several supply chains, actors,
their organizational structures and associated intra-
and inter-organizational information flows and flow of
goods of freight villages were analyzed. This was the
basis to build a FV reference model. This model is
specifically designed for FV processes but is also
based on existing standards (such as the Supply Chain
Operations Reference Model). An important feature of
the reference model is its modular structure so that
other freight villages can customize the model if ne-
cessary. At the same time relevant infrastructure areas
of freight villages were identified that could be poten-
tial targets for terrorists or the source of other unfore-
seen incidents with a high damage potential. The next
step was the risk assessment. This involved an esti-
mate of the occurrence probability of a terrorist attack
or other unforeseen incidents to classify the in ad-
vance identified sensitive infrastructure areas. On the
basis of a qualitative threat analysis, the scenarios
with the highest relative probability of occurrence and
damage potential were defined as the basis for further
work.
The freight village reference model is the basis for the
software-based simulation model that is based on mul-
ti-agent technology. This simulates the chosen inci-
dents within the FV. The simulation will be used to
develop scenario specific problem solving strategies
for the different FV actors with the objective to main-
tain the flow of goods after disturbances.
The multi-agent system will provide automated capac-
ity management of the residual capacities after attacks
or other incidents. This dynamic elimination of supply
bottlenecks cannot be achieved by current static and
often inadequate emergency plans within freight vil-
lage.
Based on the simulation results, a demonstrator will
be configured and tested that is able to support the de-
cision-making process of test users automatically. Fur-
thermore, along with the emergency concept, a train-
ing concept for freight village actors as well as a DIN-
specification will be developed. The legal perspective
of harmonious integration of the emergency concept in
existing legislative frameworks will be also investi-
gated.
Freight village actors, end customers and the fire bri-
gade are involved in this project. They ensure the con-
483
sideration of user requirements as well as a realistic
focus of the project. Furthermore the results achieved
will be made accessible to a broader audience. Disse-
mination of the results will be supported by the in-
volvement of Deutsche GVZ Gesellschaft mbH.
References
[1] Nobel, T.: Entwicklung der Gterverkehrszent-
ren in Deutschland : eine am methodischen In-
strument Benchmarking orientierte Untersu-
chung, Univ., Diss., 2004
[2] Eckstein, W. E.: Logistik - Bedeutender Faktor
regionaler Entwicklung, Carl Duisberg Gesell-
schaft eV Fachgruppe E12 (Hrsg.), Kln, 2001
[3] http://news.feed-reader.net/46136-bka.html:
News of the Bundeskriminalamt 31.01.09, ac-
cessed 01.02.2009
[4] Urban, C.: Das Referenzmodell PECS : agen-
tenbasierte Modellierung menschlichen Han-
delns, Entscheidens und Verhaltens, Univ.,
Diss., 2005
[5] Schmidt, B.: Die Modellierung menschlichen
Verhaltens, Erlangen [et al.]: SCS European
Publishing House, 2000
[6] Mosler, H.-J.: Multi agent simulations of social
psychological theories, Method, results, and ap-
plication, in: Urban, C. (Ed.): 3rd Workshop on
Agent-Based Simulation, Erlangen: SCS - Euro-
pean Publishing House, pp. 24-31, 2002
[7] Malsch, T.: Die Provokation der Artificial So-
cieties, in: Zeitschrift fr Soziologie, Heft 1, pp.
3-21, Jg. 26, 1997
[8] Brenner, W.; Zarnekow, R.; Wittig, H.: Intelli-
gente Softwareagenten, Heidelberg: Springer,
1998
[9] Loibl, W.: STAU-Wien: Suburbanisierung des
Wiener Umlandes agentenbasierte Simulation
von Stadtumland-Entwicklung, SAGUF Work-
shop Zrich, 2003
[10] Freund, G.: Growing Artificial Societies, Su-
garscape, Modellierung und Simulation Sozialer
Dynamiken: Universitt Bayreuth, 2002
[11] Malsch, Th.: Sozionik: Erforschung und Model-
lierung knstlicher Sozialitt, http://www.tu-
harburg.de/tbg/Deutsch/SPP/Start_SPP.htm, ac-
cessed 22.06.2011.
[12] Herzog, O.; Kirn, S.; Krallmann, H.; Spaniol, O.;
Zelewski, S.: Intelligente Softwareagenten und
betriebswirtschaftliche Anwendungsszenarien,
DFG-Schwerpunktprogramm 1083, 1999
[13] Meier, L.H.: Koordination interdependenter
Planungssysteme in der Logistik: Einsatz multi-
agentenbasierter Simulation im Planungsprozess
von Container-Terminals im Hafen, Wiesbaden:
Gabler, 2008
[14] Becker, M.; Singh, G.; Wenning, B.-L.; Grg, C.:
On Mobile Agents for Autonomous Logistics,
in: International Journal of Services Operations
and Informatics, Vol. 2, No. 2, pp. 114-130,
2007
[15] Ickerott, I.: Agentenbasierte Simulation fr das
Supply Chain Management, Lohmar: Eul, 2007
[16] Alferes, J. J.: Logics in artificial intelligence,
Proceedings 9th European conference, Lisbon,
2004
[17] Burkhard, T.: Einfhrung in die Agententechno-
logie, in: it+ti - Informationstechnik und techni-
sche Informatik, 40. Jg., pp. 6-11, 4/1998
[18] Pfohl, C.: Wissenschaft und Praxis im Dialog:
Steuerung von Logistiksystemen auf dem Weg
zur Selbststeuerung, 3. Wissenschaftssympo-
sium Logistik in Dortmund, Hamburg: Dt. Ver-
kehrs-Verl., 2006
[19] Wagner, T.: An Agent-Oriented Approach to
Industrial Automation Systems, Berlin [et al.]:
Springer, 2003
[20] http://cordis.europa.eu/home_de.html, Accessed
12.02.2009. Current and completed projects to
agent-based modeling and simulation as part of
7. EU Research Framework Programme, such as
BRSCDP-TEA, GILDED, POLHIA, SOCIONI-
CAL, U4IA, PRIMA, LASUT
[21] http://www.intelligente-logistik.org/projekte/
amatrak.html, accessed 21.06.2011
[22] http://www.isl.org/projects/amatrak/, Accessed
21.06.2011.
[23] Zimmermann, R.: Agent-based Supply Chain
Event Management Concepts and Assessment,
Proceedings of the 39th Hawaii International
Conference on System Sciences, 2006
[24] Reinheimer, S.; Zimmermann, R.: Einfhrung
eines agentenbasierten Supply-Chain-Event-
Management-Systems, HMD, Heft 227, Octo-
ber 2002
[25] http://www.tis-gdv.de/tis/tagungen/workshop/
inhalt11.htm, accessed 21.06.2011
[26] http://www.counteract.eu, accessed 01.02.2009
[27] http://www.iso28000.de/i.html, accessed
21.06.2011

484
1
Safety and Protection of built Infrastructure to Resist Integral
Threats (SPIRIT)
Jolanda van Deursen, TNO, The Netherlands
Jaap Weerheijm, TNO, The Netherlands
Abstract
Terrorist attacks by bombing or Chemical, Biological or Radiological (CBR)-agents are threats with a low prob-
ability but with disastrous consequences. There is strong need to protect people, the societal community and cri-
tical infrastructures and utilities against being damaged, destroyed or disrupted by deliberate acts of terrorism.
Solutions have to be derived to realize sufficient resilience of the urban infrastructure for rare occasions with
minimum effect on normality. Hitherto, normal regulations and building guidelines do not take into account the
CBRE threat.

Within the 7
th
framework of the EU, the SPIRIT consortium was formed to bring the required expertise together,
make these commonly available and to find solutions that can be integrated into normal life and planning and
building procedures. Within SPIRIT a terrorist attack within the scope of CBRE-threat is addressed.

The anticipated main outcome of the project is an integrated approach to counter CBRE-threats, including pro-
posed guidelines for a EU Regulatory Framework. With this approach, government, end users of buildings and
designers can define and achieve a desired level of protection.

The overall goal of the SPIRIT project is to contribute to people safety and increase the resilience of built infra-
structure against a terrorist threat. A methodology to quantify the consequences of an attack and the effective-
ness of countermeasures as well as a suit of protective products are SPIRITs foreseen deliverables.

The SPIRIT project is a three year project and has started in August 2010. In this paper we present the main
goals and the approach of the project. Also the first concept of a vulnerability assessment tool is given in which
the building classification methodology is used that is developed by Schussler Plan Engineering Consultants and
described in a separate paper.

The partners are TNO, Fraunhofer EMI, CEA, Schussler Plan, ARUP, Hamilton & Erskine, Artemis, Ducon,
Ionicon, Corsmit and JRC.

1 Introduction
SPIRIT is an acronym for Safety and Protection of
built Infrastructure to Resist an Integral Threat. The
SPIRIT project is a collaboration between a number
of European government organizations, academic in-
stitutions and companies. It is assisted by the Euro-
pean Commission to meet part of the Security re-
search objectives within the 7
th
Framework Pro-
gramme.

The aim of the project is to develop an integrated ap-
proach to mitigate Chemical, Biological, Radiological
and Explosive threats to built infrastructure and to
propose guidelines for an EU Regulatory Framework.
SPIRIT is due to conclude and report to the European
Commission by the end of 2013.

This paper will focus on the overall strategy, the sce-
narios and scope, and the guidance tool. A separate
paper on evaluation for Critical Built Infrastructure
Asset Classification and Rating is presented by
Schussler Plan.
2 Overall strategy
The overall strategy (Figure 1) of the SPIRIT project
is: work package 1 (threat assessment and scenarios)
starts with defining the threat and categorizing build-
ings and installations by structure, use and relative
attractiveness to attack. Based on the threat and build-
ing categorization, representative scenarios will be
485
2
developed. These scenarios are input for WP2 (inci-
dent analysis) and WP 3 (protective measures).

Figure 1 Overall strategy

WP2 deals with the analysis of the incidents quantita-
tively. The weak parts of different classes of built in-
frastructures facing CBRE terrorist threats will be
identified and the consequences will be expressed in
terms of damages and injuries as well as in disruption
of functionality. In WP3, protective products will be
developed in order to provide architects and buildings
designers with ready-to-use products and solutions to
harden infrastructure against CBRE terrorist threats.
Cost factors for the products and solutions will be in-
cluded to allow cost-benefit analysis of protective de-
sign alternatives. The effectiveness of proposed pro-
tective measures will be quantified in WP2.

In WP4 recommendations for new guidelines and
standards for the design and retrofit of built infra-
structure against terrorist CBRE threats are formu-
lated. The qualitative and quantitative recommenda-
tions will be based on the input from the WPs 1, 2
and 3.

The results of all WPs will be integrated in WP5 in a
guidance tool, to make the gained knowledge and de-
veloped solutions easily accessible.

To maximise the dissemination of the project results
WP6 is defined. A website of the project is available
(www.infrastructure-protection.eu) and the project
produces flyers, a banner and presents the results at
symposia and exhibitions. A workshop will be organ-
ized at the end of the project to introduce the guid-
ance tool and the EU-regulatory framework.
3 Scenarios and scope
Within the SPIRIT project, scenarios are derived with
Chemical, Biological and Radiological agents and
Explosives which are specific for attacks on build-
ings. These scenarios form the basis to perform a
quantitative study of the vulnerability of buildings to
these scenarios, using quantitative numerical (com-
puter) models. In total, 20 Chemical, 12 Biological, 9
Radiological and 14 Explosive scenarios have been
defined [1].

To be able to make a well-considered choice of the
vast amount of available CBR agents, some new con-
cepts are introduced like building interaction vectors
and a threat space [2]. Interaction vectors describe
how a building interacts with the outside world. Ex-
amples of interaction vectors are resources, supplies
and communication or functional operation (for ex-
ample people entering/leaving the building). By ex-
ploiting these interaction vectors, one can get an indi-
cation about how a building can be attacked. Also, by
reciprocating safety principles (how can I make things
go wrong?), additional attack possibilities are defined.
A threat space is a (visual) representation of agents in
a multidimensional space to ensure that the threat has
been evenly distributed through the threat spectrum,
avoiding clustering around known (already hap-
pened/studied in the past) attacks which may cause
bias. By superimposing scenarios that have occurred
in the past or are considered to be credible in other
studies, some blind spots are identified in the inter-
action vector exploits, i.e. an exploited vector could
theoretically be used for an attack, however no oc-
curred or credible scenarios were (yet) found in exist-
ing literature. Finally a set of 41 attack scenarios were
defined to represent all different CBR attacks.

For explosive attacks, although a range of explosive
materials are known to have been used in actual ter-
rorist attacks, the well established procedure has been
adopted of representing credible scenarios by the det-
onation of representative quantities of high explosive
expressed as equivalent weights of TNT. In the
framework of infrastructure safety, (close-in) blast is
assumed to be the dominant phenomenon to be con-
sidered in this study, whereas fragments from either
casing around or shrapnel in the explosive charge
cause effects of second order. Therefore the TNT-
equivalency-approach is appropriate.

Furthermore the most important other conclusions
from the study are:
- Due to their closed nature, attacks on buildings
need 100 10,000 times less CBR material than
open air attacks (as were often the case in pre-
vious studies). Therefore agent selection criteria
applied in previous studies based on availability
(e.g. a large production volume) might be less
applicable for attacks on buildings;
- Many buildings contain some form of mechanical
ventilation (HVAC) that can act as an effective
transport mechanism of an agent in and through
the building;
- Due to their relative high concentration of people
or intrinsic value, buildings can be an attractive
target for attackers;
- To avoid the problem of combinatorial explosion
of scenarios, all attack scenarios are clustered in
4 categories: inside the building, in the prox-
imity of the building, outside the building or
the food/water supply of the building;
486
3

The infrastructural target, as considered within the
project, has been defined more precisely as well. We
limit ourselves to large modern buildings, often (part-
ly) public buildings such as stations or shopping
malls, where a lot of people can be present. Modern
refers to the fact that only buildings are considered
that are designed according to the current standards.

To be able to perform response and damage prediction
calculations two example buildings are defined for
analysis in WP2. These buildings are not further de-
scribed here.
4 Guidance tool
One of the main aims of the SPIRIT project is to
make the specialist knowledge available and easy ac-
cessible for the design and planning of the built infra-
structure. A safety integrated design is needed in
which also the vulnerability of a building, an asset, to
CBRE threat is considered.

To enable such an integrated design, a method to
quantify the potential loss of functionality and struc-
tural integrity due to CBRE attacks is needed. There-
fore the results of the individual SPIRIT work pack-
ages on the threat scenarios, the classification of the
buildings, the consequence modeling and the counter
measures will be integrated and combined in a guid-
ance tool. The guidance tool will be a two-step ap-
proach (Figure 2) [4].

Figure 2 Guidance tool

Step 1 is for the non-expert user to make a rough es-
timate of the asset vulnerability for threat scenarios
covered by the SPIRIT project. Step 1 is qualitative
and will be based on non-restricted information and
uses no, or only very simple calculations. Basically, in
this phase, the critical conditions for the asset, or
modules of the asset, are identified. This SPIRIT Step
1 model will have a web-based format and the distri-
bution is non-restricted.

In the second phase the initial vulnerability and the
effectiveness of countermeasures is quantified. In this
Step 2 restricted information may be used and the re-
sults are obtained by numerous calculations. This sec-
ond part of the tool is intended to be used by experts
and the distribution will be restricted.

In the next sections the outline of the tool for the
global assessment and its feature are presented. Note
that at the current stage of the SPIRIT project we are
in the middle of the development phase. The method
and models to be used are still under discussion.
4.1 Outline Step1
The basic idea behind the guidance tool is:
- a building, an asset is known and defined;
- the asset might be a target for a CBRE terrorist
attack;
- the user wants to know how vulnerable the asset
is to various CBRE threats;
- the user wants to know the possibilities and ef-
fectiveness of countermeasures;
- the user needs a tool to support the decision on
the necessity and the kind of protective measures.

To answer all these questions quantitatively expert
knowledge and classified information is needed. To
meet the requirements of public release, it was deci-
ded to make the vulnerability assessment in the 1
st

Step of the SPIRIT tool, as a ranking of the vulnerabi-
lity of the asset to the various scenarios.

The vulnerability of an asset is determined by the pro-
bability of an attack and the consequences. The pro-
bability of an attack itself cannot be quantified, but
aspects that determine the probability are known. It
depends on (i) the attractiveness of the building as a
target influenced by the representing value, the num-
ber of occupants, (ii) its prominence, (iii) the accessi-
bility and (iv) the effort and skils needed to perform
the attack (the likelihood). In the global vulnerability
assessment tool we want these aspects to be reflected.
Therefore, these probability aspects are integrated in
the factor P and combined with the possible conse-
quences, C, to estimate the vulnerability, V. In analo-
gue with the risk assessment, the vulnerability V
i
of
the asset to a certain scenario i, is determined by:
V
i
= P
i
. C
i
with P
i
a function of asset attractiveness, prominence
(both scenario independent), the accessibility and li-
kelihood (both scenario dependent).

The consequences of an attack are determined by the
amount of damage and number of fatalities. It is obvi-
ous that both aspects also determine the loss of func-
tionalities of the building. In the 1
st
Step of the global
assessment, the loss of functionality is not quantified
explicitly in the consequence term C.
487
4
4.2 Vulnerability assessment
In this section we report the way the probability as-
pects and consequences are quantified and estimated.

The first aspect is the asset attractiveness. Schussler
Plan Engineering Consultants developed a method to
classify buildings (see the companion paper in this
conference) [3]. The method originally developed for
entire buildings was extended to individual building
modules.
The attractiveness rating of the building and the indi-
vidual modules is based on this methodology and rep-
resented by the factor f
1
at the scale of 0-1.

The required user input is (see Figure 3):
- building characteristics
- dimensions of the building
- number of storeys
- number of occupants
- value per m
2

- air renewal rate
- identification of the decisive modules in the buil-
ding, i.e. selection form a list provided by the
tool (e.g. entrance hall, IT/telecom, office, par-
king garage)
- module characteristics
- dimensions of the module
- number of occupants, or
- value per m
2
.

Figure 3 User input screen of tool (version 0.5, not
final yet)

The user also has the opportunity to adjust the build-
ing attractiveness by the prominence factor f
2
. This
factor is of course subjective and can overrule the
building or module value represented by the objective
classification factor f
1
. The maximum value of f
1
and
f
2
determines the asset attractiveness denoted by F.

In (process) safety engineering the methodology to
work with layers of defence is well established. Ac-
cess control to the building for instance is a very ef-
fective layer of defence and is a filter for the probabi-
lity a certain attack scenario occurs. Currently this
aspect is presented by the factor t
a
(value between 0 -
1). The user can choose the levels: public, restricted
and secured.

To enable the ranking of the vulnerability of the asset
to the different kind of attacks (e.g. CBR versus E,
low toxic versus high toxic agents, small versus large
quantities) the likelihood factor is introduced, denoted
by t
l
also ranging from 0-1.

In the tool these probability factors are combined to
the factor P
i
with a value between 0 and 1.

The next step in the assessment tool is to quantify the
consequences for the different scenarios. As men-
tioned before, the idea is to make this 1
st
Step global
vulnerability assessment tool public. No restricted in-
formation should be released and it should also be fast
running. On the other hand, to rank the vulnerabilities
the consequences have to be quantified in an objec-
tive way. To meet these requirements it was decided
(i) to use simple models, (ii) choose per module
whether the damage level or the number of fatalities
are decisive and (iii) normalise the consequence per
scenario to the maximum damage level or number of
occupants. So, the consequence factor C
i
can range
also from 0 -1.
It goes beyond the scope of this paper to discuss the
applied models and the simplifying assumptions
needed to estimate and quantify the consequences. We
limit ourselves to some general comments to indicate
the approach followed for the different type of scenar-
ios. These comments also give an impression of the
features of the tool currently envisaged.

E-scenarios external
For the external explosion scenarios we determine
both the structural damage and the amount of window
failure as a function of the charge weight and dis-
tance. The load distribution on the building faade is
taken into account. The required user input is the
charge weight and distance. The structural damage
and window breakage is combined into a C-value.

E-internal
The internal explosion scenarios are analysed for
those building modules the user identified as decisive
and defined the characteristics. In the current version
of the tool, the modules are treated as independent
units. The damage due to an internal explosion
strongly depends on the structure type and material.
The parameter variations will be treated in Step 2 of
488
5
the guidance tool (see section 4.0). For the first Step
of the tool we choose concrete as the building mate-
rial and default thicknesses for floor, ceiling and
walls. Based on the module dimensions, location and
weight of the charge, the damage was assessed. Based
on the generated blast the critical distance for fatality
was determined. With this data the consequence for
the specific scenario is related to the maximum possi-
ble consequence.

CBR-scenarios external
For the whole scope of possible agents and toxic ma-
terials, the variety of scenarios was reduced to 4 clas-
ses of toxicity [2].
The fatality criteria for these classes are known and
implemented as default values. The fatal dose for each
class depends basically on the concentration and ex-
posure time. In the tool simple models are imple-
mented to estimate the concentration in the building
when the material is released outside. Besides the
amount and release location of the toxic material, the
air renewal time and the building dimensions are the
required input from the user.
Obviously the number of fatalities normalised with
the total number of occupants give the consequence
level for the specific scenario.

CBR-internal
The procedure to quantify the consequences when the
toxic material is released inside one of the modules,
the user identified as decisive, is analogue to the
method given for the external release. The concentra-
tion and the exposure time is determined and related
to the fatality criterion for the toxicity class.
Note that options are considered to implement in the
Step 1 tool also some countermeasures, e.g. filters,
warning systems, as well as the dispersion of the toxic
material to the neighbouring modules.
5 Concluding remarks
The EU-project SPIRIT started in August 2010 and
the targeted contribution to built infrastructure protec-
tion will be:
- A methodology to quantify the vulnerability of
built infrastructure in number of casual-
ties/injuries, amount of damage and loss of func-
tionality and services;
- A guidance tool to assess the vulnerability of a
design/building and select efficient and cost ef-
fective countermeasures (ready to use solutions)
to achieve a required protection level against ter-
rorist attacks;
- Protection portfolios for new and existing build-
ings. This comprises inter alia blast resistant
window/facade systems, retrofit system for walls,
explosion resistant columns and detection and fil-
tering systems to counter the CBR threat;
- Recommendations for draft EU regulatory frame-
work to enable safety based engineering and the
incorporation of CBRE protection in the regular
building guidelines and regulations.

The project is now running for one year, all work
packages have started and the first results are avail-
able. There are 55 scenarios derived with Chemical,
Biological and Radiological agents and Explosives
which are specific for attacks on buildings. These sce-
narios form the basis to perform a quantitative study
of the vulnerability of buildings to these scenarios,
and to develop the counter measures.

The results of the individual SPIRIT work packages
on the threat scenarios, the classification of the build-
ings, the consequence modeling and the counter
measures will be integrated and combined in a guid-
ance tool. This guidance tool is currently being devel-
oped and it will be a two-step approach. The first Step
is unrestricted for the non-expert user to make a
rough estimate of the asset vulnerability for threat
scenarios covered by the SPIRIT project.
In the second Step the initial vulnerability and the ef-
fectiveness of countermeasures is quantified. In this
Step 2 restricted information may be used and the re-
sults are obtained by numerous calculations. This sec-
ond part of the tool is intended to be used by experts
and the distribution will be restricted.

The overall aim of the SPIRIT project is to provide
the technology and know-how for the protection of
buildings and people against terrorist threat and to
minimize the consequences of a terrorist attack in
terms of number of casualties/injuries, damage and
loss of functionality and services.
References
[1] Veld, Frank van het; Groenli, Anders; Nldgen,
Markus: Selection of representative scenarios,
D1.3, June 2011
[2] Veld, Frank van het; Groenli, Anders: Database
on CBRE incidents, D1.1, June 2011
[3] Nldgen, Markus; Nawabi, Assad; Juszkiewicsz,
Marek: Categorization and classification data-
base of buildings and installations by structure,
use and relative attractiveness to an attack,
D1.2, June 2011
[4] Weerheijm, Jaap; Pronk, Sander: Progress re-
port 1 on development of SPIRIT tool, Step 1
(DRAFT), June 2011

489
Risk Evaluation for Critical Built Infrastructure
Asset Classification and Evaluation
Markus Nldgen, Assad Nawabi, Marek Juszkiewicz

Schler-Plan Ingenieurgesellschaft mbH, Dsseldorf
1. INTRODUCTION
Regarding the growing threat of terrorist attacks by explosives or CBR-agents (Chemical,
Biological and Radiological) targeting facilities such as high occupancy buildings, shopping
malls or governmental buildings there is a strong need to protect critical civil infrastructure.
Terrorist attacks occur with a rarely predictable probability but with an extremely high impact
and catastrophic consequences for life, environment and economy. Therefore it is necessary to
develop strategies to analyze the vulnerability of built infrastructures in order to quantify the
potential risk and select effective countermeasures.
The main focus of the following contribution is to describe the development of a
parametric concept for an attractiveness evaluation of built infrastructure subjected to
malicious CBRE threats. The methodology combines two established risk evaluation methods
related to accidental [1] as well as malicious hazards [2, 3] which are briefly summarized in
chapter 2. A linguistic and numeric scale system is developed to assign the asset parameters to
certain failure consequence classes (Chapter 3). Furthermore the common assessment
strategies are extended by the introduction of building modules, like e.g. IT-facilities, public
parking garages or restaurants as the smallest subunit of a building to be assessed with regard
to malicious threats. Finally the extended asset evaluation is integrated in the software based
risk assessment together with other important parameters such as the modules prominence
and accessibility (Chapter 4). This work is part of a comprehensive, parametric and software
aided risk assessment which is currently developed within a 3-year EU FP7 funded Project
SPIRIT (Safety and Protection of built Infrastructure to Resist Integral Threats) with
European industry and research partners under the Leadership of TNO, the Netherlands.
2. STATE OF ART OF RISK ASSESSMENT FOR BUILT INFRASTRUCTURE
The traditional risk analysis is based on the combination of two fundamental parameters
the probability (P) and the consequences (C) of an event multiplied by each other.
Risk =P(the probability of an event occurring)C(the expected loss or damage of the
event)
Usually the risk assessment for built infrastructure is determined by the probability of
possible threats P(H
i
), the damage of the structure caused by these threats N
D
(H
i
) and the
behavior of the damaged structure in N
S
different states S
K
with the adjacent failure
consequence classes C(S
K
) according to Eurocode 1-1-7 [1] see equation (1).
( ) ( ) ( )

= =
=
D S H
N
j
N
k
K j K i j
N
i
i
S C D S p H D p H p R
1 1
, , ) (

(1)
In order to quantify the expected loss or damage caused by the hazardous event, it is
necessary to define the corresponding scenario i concerning all relevant characteristics of the
hazard. Furthermore the structure has to be defined to a certain level of detail so that all
resulting damages D can be determined for all states S. With an increasing level of detail the
number of possible configurations of a scenario and the structure (summarized as vignettes)
increase disproportionately high as each branch of the resulting fault tree has to be analyzed
490
and evaluated individually. Against this background it has to be carefully checked to what
level of detail the risk assessment should be conducted.

There is a strong need for a minimization of complexity (minimum number of
vignettes) ensuring a satisfying appropriateness of the risk assessment results at the
same time.

In contrast to natural hazards and accidents where empirical and statistical resources are
available over a comparatively long period of time [4] malicious hazards such as terrorist
attacks can rarely be based on sufficient data. Furthermore the parameters which have to be
considered in a malicious threat analysis are governed by versatile criteria starting from
access to an agent, knowledge and expertise, history of an event, visibility, accessibility and
motivation [3].

The probability of a specific malicious threat can hardly be determined statistically.
Instead a number of relevant criteria is provided to help defining the threat for
individual cases.

FIGURE 1: The assessment process according to FEMA 426 [2]
A first approach to assess the risk of built infrastructure in case of malicious threats
systematically was published by the U.S. Department of Homeland Security in 2003 [2].
FIGURE 1 gives an overview of the adjacent evaluation scheme. It provides with a
comprehensive strategy using a simplified set of parameters and a multiplicative combination
law. The process of the risk evaluation is conducted in four parts:
1. Asset evaluation Identification of critical assets, value and numbers of
the people in the building
2. Threat evaluation Identification of threat by multiple parameters, such
as access to an agent, knowledge and expertise,
history
3. Vulnerability evaluation Evaluation of the vulnerability of the critical asset
against the identified threats
4. Risk evaluation Determination of the risk level against each
applicable threat
491
Along these lines Eurocode 1 Part 1-7 gives principal rules for the risk assessment for
unusual accidental and natural hazards such as earthquake, gas explosion or impact. In
annex A, the Eurocode provides with an exemplary categorization of the buildings in failure
consequences classes (C) FIGURE 3. According to table A.1, Eurocode 1 provides with a
classification of the buildings according to their use and defines their type such as office
building, residential building or hospital. In order to assess the consequence class of each
building type, only two asset parameters (number of storeys and area in m
2
per storey) are
given in numbers.

The following concept combines the Eurocode 1 and the FEMA 426 approaches by a
systematically derived linguistic and numeric scale so that it can be applied to any built
infrastructure by a comparatively small number of input parameters for malicious hazards
(Chapter 3). Additionally a new approach for the asset assessment is introduced which
identifies the so-called building modules such as IT-facility, parking garage or lobby as the
(decisive) smallest subunit of a building to be considered for a significantly improved risk
evaluation for malicious threats.
3. CONCEPT FOR THE EVALUATION OF AN ASSET
In contrast to accidental and natural hazards the risk assessment of malicious hazards for
built infrastructure is significantly influenced by the intentional character. Actors intend to
cause damage to organizations or companies, governmental facilities, supply nets,
infrastructures (bridges or tunnels) and often intend to destabilize trust in public security by
harming people. Therefore the building as a whole is not an appropriate unit to be
considered as it might be only affected indirectly.
Building level
Module level
Solution

FIGURE 2: Explanation of building and module level and rearrangement of modules to reduce the risk
concerning malicious hazards [3]
Against this background modules of buildings are introduced as the smallest subunits to
be considered instead of the whole building. In fact in security planning consultants use this
approach to design buildings by rearranging modules. FIGURE 2 shows the difference
between the deficient perception of a building as a whole (left) and the individual improved
approach considering modules (middle). At this level of detail the asset can be evaluated more
adequately and fairly accessible and vulnerable modules can be distracted from very
important/high value modules to lower the individual and collective risk (right) of the
building by functional rearrangements.
Under CBRNE focus a small part (module) of the building can be decisive
Evaluation on the building level often becomes very imprecise or even false!
The module approach is used in the following asset evaluation concept to provide an
improved and well-directed asset attractiveness evaluation and additionally to solve a further
problem for an software-aided, parametric approach for all buildings. The latter problem can
be explained as follows: Buildings are unique! Possible configurations of assets such as
modules, assembly, geometry, function are of infinite number impossible to be exactly
492
foreseen and rated! To solve this problem the concept makes use of the following logical
assumption: Any (non-expert) user of an automated, parametric risk assessment tool is well
aware of the individual character of his building and its modules. Making use of this logical
assumption it is quite convenient to decouple the building uniqueness from the tool without
any loss of important information. With the picture of the unique building and modules in his
mind (or instead on drawings see example in Figure 4) the parametric risk assessment
provides with a list of asset information on the attractiveness of the building and its modules
respectively. The allocation can be easily transferred to the individual case. The concept
introduces two major novelties into an improved, parametric risk assessment:
consideration of modules as the smallest subunit to be considered for malicious threats
and
decoupling of the building and module uniqueness from the parametric attractiveness
evaluation
The risk assessment strategy is subsequently developed based on these two major
assumptions. Hence the following chapter describes the derivation of relevant asset
parameters and typical ranges for the parameters for both buildings and modules.

FIGURE 4: Example of a typical building with relevant building modules and assigned failure consequence
classes
1.1. DERIVATION OF ASSET PARAMETERS FOR BUILDING MODULES
In order to identify all relevant asset parameters, it is necessary to ensure at first that the
same level of understanding determined in Eurocode 1 part 1-7 through the allocation of
buildings to consequence classes is achieved. (FIGURE 3a) gives a detailed overview
concerning the categorization of building types to consequence classes according to table A.1
EN 1991-1-7. Eurocode 1 considers only the number of storeys and/or the area in m
2
per
storey to determine the level of failure consequence class for natural and accidental hazards.
However the number of people in the building is considered implicitly by the combination of
linguistic and numerical metrics (e.g. residential building with 4 floors and 1000m/floor).
493

FIGURE 3a: Detailed overview of table A.1 in Eurocode

FIGURE 3b: Default values of asset parameters for A.1 in Eurocode
Consequence class Number of storeys Area in m
2
/storey
1.1
Single occupancy houses 1-4 not specified
--Agricultural buildings.
--Rarely visited buildings.
2.1
Single occupancy houses 5 not specified
2.2
Hotels 1-4 not specified
2.3
residential buildings 1-4 not specified
2.4
Offices 1-4 not specified
2.5
Industrial buildings 1-3 not specified
2.6
Retailing 1-3 1000
2.7
educational buildings 1 not specified
2.8
buildings with free public admission 1-3 2000
2.9
hospital not included not specified
3.1
Single occupancy houses not included not specified
3.2
Hotels 5-15 not specified
3.3
residential buildings 5-15 not specified
3.4
Offices 5-15 not specified
3.5
Industrial buildings 5-15 not specified
3.6
Retailing 5-15 1000
3.7
educational buildings 2-15 not specified
3.8
buildings with free public admission 5-15 2000-5000
2.9
hospital 1-3 not specified
4.1
Single occupancy houses not included not specified
4.2
Hotels 15 not specified
4.3
residential buildings 15 not specified
4.4
Offices 15 not specified
4.5
Industrial buildings 15 not specified
4.6
Retailing 15 not specified
4.7
educational buildings 15 not specified
4.8
buildings with free public admission 15 5000
2.9
hospital 3 not specified
2b
Upper Risk Group

3

1
Building type
2a
Lower Risk Group

Factor Failure of Consequence class max. Numbrer of Person Number of storeys Area in m
2
0.00
1.1 Single occupancy houses
1-10 1-4 <1000
0.125
--Agricultural buildings.
0.24
--Rarely visited buildings.
0.25
11-100 5 1000-6000
2.2 Hotels
11-100 1-4 1000-6000
2.3 residential buildings
11-100 1-4 1000-6000
2.4 Offices
11-100 1-4 1000-6000
2.5 Industrial buildings
11-100 1-3 1000-6000
2.6 Retailing
11-100 1-3 1000-6000
2.7 educational buildings
11-100 1 1000-6000
2.8 buildings with free public admission
11-100 1-3 1000-6000
0.49
2.9 hospital
---- ---- ----
0.50
---- ---- ----
3.2 Hotels 101-1000 5-15 6000-75000
3.3 residential buildings 101-1000 5-15 6000-75000
3.4 Offices 101-1000 5-15 6000-75000
3.5 Industrial buildings 101-1000 5-15 6000-75000
3.6 Retailing 101-1000 5-15 6000-75000
101-1000 2-15 6000-75000
101-1000 5-15 6000-75000
0.74
2.9 hospital
101-1000 1-3 6000-75000
0.75
---- ---- ----
4.2 Hotels
1000 15 75000
4.3 residential buildings
1000 15 75000
4.4 Offices
1000 15 75000
4.5 Industrial buildings
1000 15 75000
4.6 Retailing
1000 15 75000
1000 15 75000
1000 15 75000
1.00
2.9 hospital
1000 3 75000
Building type
0.875
0.375
0.625
MEDIUM HIGH
[0.5-0.74]
HIGH
[0.75-1.00]
LOW
[0-0.24]
MEDIUM LOW
[0.25-0.49]
494
Sources for building occupancies: FCC EC1, Earthquake eng., Statistical Data: Occupancy, Value
In order to get objective values for the parametric approach the Eurocode table A.1 is
transferred to three significant parameters through including the numbers of people for each
failure consequences classes. Evident quantities are derived for each parameter by taking
statistical data on building occupancies and their value per m
2
as a reference [4, 5]. Based on
this a combination of linguistic and numeric scale system is conducted to assign the asset
parameters to a certain consequence class. FIGURE 3b shows a detailed overview of the
defined asset parameters and their categorization to failure consequence classes (C) along
with the determination of their values. The results are validated by the examples given in
Eurocode 1 table A.1. However it has to be mentioned that table A.1 has not been adapted by
all European countries being replaced by different tables in the national annex to the
Eurocode.
1.2. DERIVATION OF FAILURE CONSEQUENCE CLASSESS
The module level divides the building into its smallest units called building modules
depending on the different types of utilization, activities or services which are located in the
building (FIGURE 5).

FIGURE 5: Overview of relevant building modules
In order to get objective values for the parametric approach for modules the three
significant parameters to determine the failure consequences classes are transferred for
modules. Evident quantities are analogously derived for each parameter by taking statistical
data on building occupancies and their value per m
2
as a reference [4, 5]. As an additional
parameter the redundancy is introduced for modules which coincide with the danger of
495
disproportionate effects, such as IT facilities. Based on this a combination of linguistic and
numeric scale system is conducted to assign the asset parameters to a certain consequence
class. FIGURE 4 shows an example of defined asset parameters and their categorization to
failure consequence classes.
1.3. ASSET ATTRACTIVENESS EVALUATION
In the previous section a parametric approach for the determination of the failure
consequence class C has been described. Additionally the asset attractiveness might be
influenced by further independent parameters such as the prominence of a module (exclusive
restaurant or hotel) or further political, societal, geographical or environmental parameters
which can be added by additional factors F
l
on demand. The residual attractiveness A
n
for
each module n out of all Modules M is gained by the most critical factor being
mathematically described as the maximum of C and F
l
.
{ }
l n n n
F C A M A , max :

(2)
4. RISK ASSESSMENT APPROACH
The risk assessment for malicious CBRE threats - being developed within the SPIRIT
project - is structured as a multiple step approach. In a first step a parametric, qualitative
vulnerability assessment is conducted for the building and for all modules chosen individually
by the user (see chapter 3). The vulnerability assessment requires inputs from the asset
attractiveness and threat evaluation as well as layers of defense which contain the important
aspect of accessibility to a building or module.. (FIGURE 5a). Furthermore qualitative
estimation of damage and potential loss is needed to define the vulnerability and risk. These
estimations are derived by a parallel work within the SPIRIT project concerning quantitative
vulnerability assessment.

FIGURE 5a: Step 1 of the risk assessment for non-expert (building owner)
Ri sk assessment process Step 1 (Qual i tati ve)
User: Non-expert (Bui l di ng owner)
Accessi bi l i ty
(Layer of defence)
Threat eval uati on
Asset attracti veness
Ri sk assessment Vul nerabi l i ty
assessment
496

FIGURE 5b: Step 2 of the risk assessment for expert (engineer)
In case that the required protection level is not reached for the built infrastructure, the
second step of the risk assessment provides with a higher level of detail and quantifications of
consequences and countermeasures. (FIGURE 5b). The advanced quantitative method is
addressed to an expert user for a preliminary risk assessment.
5. CONCLUSION
A parametric concept for an attractiveness evaluation of built infrastructure subjected to
malicious CBRE threats is developed to evaluate the attractiveness of built infrastructure
qualitatively. Based on the combination of two established risk evaluation strategies
(Eurocode 1 Part 1-7 and FEMA 426) related to accidental [1] as well as malicious hazards
[2], a linguistic and numeric scale system is systematically developed to assign asset
parameters to certain failure consequence classes. In this context, a new approach for the asset
assessment that ensures an improved and well-directed attractiveness evaluation through
decoupling the building uniqueness from the software tool without any loss of information
is presented by the introduction of building modules, like e.g. IT-facilities, public parking
garages or restaurants as the smallest subunit of a building to be assessed with regard to
malicious threats.
Independent parameters are additionally introduced to consider the prominence of a
module as well as political, societal, geographical or environmental aspects for the asset
attractiveness of building modules.
The new asset attractiveness assessment is integrated in a comprehensive software based
risk assessment for malicious CBRE threats- developed within the SPIRIT project- as a
multiple step method.
6. REFERENCES
[1] EN 1991-7 (Eurocode1): Action on structures Part 1-7: General actions Accidental actions; German version
EN 1991-1-7:2006+AC:2010
[2] FEMA 426 Reference Manual to Mitigate Potential Terrorist Attacks Against Buildings Risk Management Series,
December 2003
[3] FEMA 427 Primer for Design of Commercial Buildings to Mitigate Terrorist Attacks Risk Management Series
December 2003
[4] Mnchner Rck: Naturkatastrophen 2008: Analysen, Bewertungen, Positionen
[5] Wohnen und Bauen in Zahlen 2009/2010, 5. Auflage Stand April 2010, (Bundes Ministerium fr Verkehr, Bau
und Stadtentwickelung)
Risk assessment process Step 2 (Quantitative)
User: Engineer (expert)
From Step 1
Accessibility
(Layer of defense)
Threat evaluation
Asset attractiveness

Vulnerability
assessment
Risk assessment
Mitigation
(Countermeasures)
Cost
Benefit
497
Servitization in Security Business
Markus Jhi, VTT Technical Research Centre of Finland, Finland
Mervi Murtonen, VTT Technical Research Centre of Finland, Finland
Abstract
Over the past few decades, increasing competition has forced many industrial branches to adapt to a more ser-
vice-oriented business perspective, and in this respect, security business is not an exception. In this paper, we
use a product-service system (PSS) as a lens through which to look at servitization, and discuss how servitiza-
tion is present in current security business. We analyse what types of product-service systems can be identified
within security service providers, and what kind of challenges security service providers face in the servitiza-
tion process. Building on rich empirical data from seven case companies, we conclude that in the security busi-
ness, the servitization process is still in its infancy, and a more thorough understanding of this phenomenon is
needed. We also found out that to produce more service-oriented solutions to business-to-business customers,
security service providers are in need to clarify their service offerings. As a concluding remark, we would like
to pose a challenge to the security service industry to revise the concepts of product and service, i.e. the ac-
tual content of what is being sold, in the context of security business. We also ask the academic community to
take part in this debate.
1 Introduction
Today manufacturers integrate more and more ser-
vices into their product offerings. This servitization
of products refers to a change, in which the manufac-
turers use and develop organisations capabilities and
processes to better create mutual value through a shift
from selling products to selling product-service sys-
tems (PSS) [1]. In service management literature, at
least three drivers for this development have been
identified. First, it is believed that services have bet-
ter margins than pure products. Second, there is a
growing demand for services by customers. Third,
services are seen to be more difficult to imitate,
which can be a sustainable source of competitive ad-
vantage. [2]
Servitization as a phenomenon is vague, and in order
to limit our examination, we use the concept of prod-
uct-service system as a lens through which to look at
servitization. To further limit our study, we focus on
PSSs in the context of one distinct industry, namely
private security services. We limit the scope of private
security services to security products and systems like
CCTV (closed-circuit television) systems, burglar
alarm and access control systems, and to combina-
tions of these technologies with pure services like
manned security guarding. Pure security services,
like traditional security guarding in its simplest form,
are excluded from the study.
In this paper, we discuss how the servitization is pre-
sent in current security business what types of prod-
uct-service systems can be identified within security
services, and what kind of challenges security service
providers face in the servitization process. The study
is based on empirical findings from seven case com-
panies, which provide security products, systems and
services. Before we present the results of our analysis,
we briefly describe the concepts of servitization and
PSS. After outlining the methodology, we demon-
strate the prerequisites of developing more service-
oriented product offerings in security business. Final-
ly, we discuss the implications of our findings to
managerial practice and security research.
2 Servitization and PSS
PSS is a special case in servitization, and it can be
regarded as a market proposition that extends the
functionality of a product by offering it with addi-
tional services [3]. In PSS, asset performance or uti-
lization plays a key role instead of ownership, and
differentiation is achieved through integration of
product and services to produce value for customer
[3]. A typical way of defining PSS is that it shifts the
business focus from designing physical products only
to designing a system of products and services which
together are capable of fulfilling customer needs [4].
In some cases, PSS is also seen as a method to pro-
duce sustainable products and services with lower
environmental impacts. However, this is controversial
in the light of PSS literature, and it is claimed that
most types of PSSs result only in marginal environ-
498
mental improvements at best [5]. In this paper, this
debate on environmental impacts is left aside.
In the recent PSS literature, three basic types of PSS
have been identified [3]: Product-oriented PSS, use-
oriented PSS and result-oriented PSS (see Figure 1).
Figure 1 Three types of product-service systems
(adapted from Tukker [5])
The simplest case, the product-oriented PSS refers to
a traditional manner of selling products with extra
attention being paid to additional services. These in-
clude maintenance, repair, advice, consultancy, etc.
The use-oriented PSS is focused on providing availa-
bility of a product to customer. These arrangements
can include product leasing, sharing, renting or pool-
ing. With user-oriented PSSs, service providers try to
maximize the use of the product and to extend its life
cycle. The result-oriented PSS is the most sophisti-
cated version of the PSS. In this most popular inter-
pretation of the PSS, the ownership of the products
remains at the hands of the producer, and the cus-
tomer buys only the actual results or capability pro-
vided by the service provider. Some authors have
identified more than three categories of different
PSSs [5]. However, these additional categories can be
regarded as subcategories to three main types of PSS,
and therefore, they are not presented here in detail.
3 Methodology
This study is a multiple case study, following an ac-
tion research approach. Action research is a partici-
patory research strategy where researchers are in-
volved in the development processes of the case or-
ganisations [6]. During the last two years, we have
had access to seven security companies that operate
in the Finnish security markets. Three of these com-
panies provide technical security systems and four
companies provide both manned security services and
technical systems. Names of the participating com-
panies have been disguised to maintain anonymity as
requested by the informants.
Findings of the study are based on rich empirical data
that were gathered in various workshops and meet-
ings. The analysed data included interview tran-
scripts, workshop memos and wide selection of dif-
ferent field notes. During the research process, we
participated in developing service concepts and strat-
egies in close cooperation with managing directors or
service developers of each company. We also orga-
nized several inter-firm and cross-firm workshops
where the findings were discussed. To broaden our
view, we also analysed public marketing material of
several security service companies.
4 Servitization in Security Busi-
ness
As a general trend, we found out that security com-
panies try to keep up with the global flow of serviti-
zation. They constantly develop new ways of combin-
ing products and services, and they would like to be
seen as strategic partners providing business solu-
tions to their customers, instead of producing mere
products and simple services. As a research result,
this is hardly surprising. Private security industry,
like many other business service industries, is trying
to build partnerships and networks with its custom-
ers, and to do so, they would like to be seen as solu-
tion providers who are creating added-value for their
customers.
In the security market, the reality seems to be more
ambiguous, however. The traditional security guard-
ing services and technical security systems like
CCTV, burglar alarm and access control systems are
still seen as the cornerstones of the industry. Tech-
nical security systems are usually sold with some
add-on services, like maintenance, advice or consul-
tancy. This is well in accordance with the product-
oriented PSS. Still, it is worth noting that servitiza-
tion is not only about attaching some additional ser-
vices to existing products, but perceiving the whole
offering as a system of products and services. Among
the studied case companies, examples of true use-
oriented PSSs and result-oriented PSSs, especially,
are still rare.
On the other hand, there seems to be several on-
going transitions that could end up with more sophis-
ticated PSS arrangements. In our case companies,
these transitions include simultaneous shifts towards
more comprehensive, customer-specific and integrat-
ed security services. In some cases, these are pursued
through more standardized service processes and
modularized security service concepts. In other cases,
customer value is searched from new technologies
that provide new possibilities to develop novel
knowledge-intensive business services (KIBS), like
security consulting and data analytics services.
Our interpretations of this rather ambiguous situation
is that despite the good intentions of the security ser-
vice providers, the servitization process is still in its
499
infancy, and a more thorough understanding of this
phenomenon is needed. It appears that the customers
see security services mainly in terms of outsourced
non-core and low-value activities instead of strategic,
high-value security partnerships. Thus, the essential
question is how could these servitization intentions of
the service providers be realised? Our answer to this
question is twofold. First, to be able to design more
service-oriented PSSs, the definitions of product
and service should be revised, and more emphasis
should be put on selling solutions. Second, the out-
comes of security services should be redefined to be
able to show the strategic benefits to the customers.
We will now turn our attention to these two aspects
(in chapter 5).
5 Towards More Service-
oriented Security Solutions
5.1 Security as a Solution
A modern service literature portrays service as a
perspective on value creation instead of seeing it as a
category of market offerings; it also underlines the
importance of customer perspective as well as co-
creation of value [7]. At a more abstract level, ser-
vice is seen as the fundamental basis of exchange, all
economies are regarded as service economies, and
goods are seen as a distribution mechanism for ser-
vice production [8]. One of the central implications
of seeing service as a perspective is that it makes the
product-service division obsolete. More attention is
paid to the actual results of the service, i.e. what is
being done on behalf of the customer instead of con-
centrating on the characteristics of the service per se
[9].
What we found out, however, was that products and
services are still seen as separate phenomena within
private security industry. Surprisingly, this applies
not only to customers of the private security industry
(as argued in the previous chapter) but also to service
providers themselves. This can be seen, for example,
in the way the private security industry depicts itself
on their company websites. Majority of the compa-
nies make a clear distinction between products (e.g.
technical systems) and pure services (e.g. security
guarding), or between different product families. In
addition, the variety of different security-related
products is wide, and the overall conception of what
is being sold can be difficult to form. An alternative
would have been to advertise more holistic security
solutions which consist of different components or
modules (i.e. products and services) and which are an
answer to specific customer needs. This is also a pre-
requisite for more sophisticated PSSs. The same
product-service oriented mindset can be seen in the
organizational structures of the same companies. The
companies are often structured around the traditional
division of products and services, or around different
product families.
We argue that in order to make a strategic shift from
producing distinct products and services to producing
solutions for the customers, the security service pro-
viders should renew their basic conceptions of their
products and services. This is by no means an easy
task, and we do not believe that it can be done over-
night either. However, we hypothesize that one step
to this direction would be to re-conceptualize the ser-
vice concept of security in general and the actual ser-
vice outcomes in particular. We argue that the actual
rationale for the security service consumption is by
no means self-evident, and that there is a clear need
for clarification.
5.2 Security as a Service Outcome
Service concept is like a prototype of service: it is a
detailed description of what is to be done for the cus-
tomer (what needs and wishes are to be satisfied) and
how this is to be achieved [10]. Moreover, service
concept can be understood to consist of three aspects
[11]:
1. The organising idea: the essence of the ser-
vice bought, or used, by the customer.
2. Service experience: the customers direct
experience of the service.
3. Service outcome: the results of the service
for the customer (benefits provided, the re-
sulting emotions and assessment of value for
money).
When we take a closer look at these three elements,
we can easily state that the organising idea is typical-
ly well defined in security services: related products
and service elements are usually specified in detail,
and for a security service providers, it is clear what
needs to be done to fulfil the service contracts. The
service operations are built according to long service
traditions, and they also draw from those needs that
customers express to service providers. Similarly,
service experience has been an active topic recently,
and the service encounters and more customer-
oriented approaches have been under active develop-
ment in many security companies. However, we argue
that the third aspect of service concept, security as a
service outcome, is too often taken for granted.
As stated above, the service outcome refers to the re-
sult of a service for a customer. We can take a simple
example to illustrate our view: a CCTV system is
used for surveillance in areas that may need monitor-
500
ing such as industrial plants, offices, shopping cen-
tres, etc. With sophisticated computer-controlled
technologies, a detailed analysis of the images is pos-
sible, and people, other objects and changes in the
environment can be automatically identified, tracked,
and categorized according to pre-programmed rules.
The immediate results of this kind of data analysis
are obvious: unwanted objects are identified so that
further actions can be taken at the earliest possible
stage. Unquestionably, this is useful and beneficial as
such. However, the indirect consequences, which can
be extremely important to the customer, often remain
under-analysed, under-discussed and underrated. For
example, how the identification of unwanted objects
relates to strategic objectives and business goals of
the customer? What kind of business potential is cre-
ated for the customer with more sophisticated CCTV
systems in use? And, how much the customer benefits
financially?
To make it clear: We do not claim that there are no
clear benefits for the customers. On the contrary, if
these benefits did not exist, we would not have wit-
nessed such a dramatic growth of the private security
industry as what we have seen during the past few
decades [12, 13]. There are plenty of sociological ex-
planations for this growth [e.g. 13, 14] but these
macro explanations do not consider the decision-
making from the business-to-business customers per-
spective. What is needed, thus, is a universal under-
standing of the benefits of these services to business-
to-business customers: Why do customers actually
buy these services? What are the practical benefits?
And, if there are strategic benefits, what are they?
Our answer is that the customer benefits of security
services cover a much wider range of topics than
usually considered, such as business continuity man-
agement, image and brand management, crime pre-
vention, occupational safety, and personnel security.
What we do not understand yet, is how these different
aspects constitute a single meaningful service concept
including direct and indirect service outcomes. How
are they inter-related? What is more important than
the other, and to whom? What is a core outcome for
each customer, and what are the additional benefits?
We argue that as long as the actual service outcome
remains unclear to the security providers themselves,
the service outcome can hardly be well communicat-
ed to the customers. And, as long as customers do not
see the proposed strategic benefits clear enough, there
are hardly any chances to strategic partnerships or
more developed result-oriented PSSs.
5 Conclusions and Discussion
In this paper, we discussed how the servitization is
present in current security business, what types of
product-service systems can be identified within se-
curity services, and what kind of challenges security
service providers face in the servitization process.
Based on empirical data from seven case companies,
we found out that despite the good intentions of the
security providers, the servitization process is still in
its infancy in security business. We argued that to de-
velop more service-oriented security solutions, securi-
ty service providers should, on one hand, revise the
concepts of product and service in security busi-
ness to be able to design security solutions. On the
other hand, we argued that the outcomes of security
services should be redefined to be able to show the
strategic benefits to the customers.
As a conclusion, we state that the product-oriented
PSS works rather well as a description of a present
state of private security industry. Technical security
systems and products are usually sold with some sort
of maintenance, advice or consultancy services,
which is without a doubt in accordance with product-
oriented PSS. In the same manner, the result-oriented
PSS works well as a description of the target state of
the industry. To be able to reach this target state, we
stress that security service providers should pay atten-
tion to and re-define the outcomes of their services.
By doing so, it would open up opportunities to learn
more about the strategic opportunities of security ser-
vices, and provide a starting point for a development
of more use-oriented or result-oriented PSSs.
As a concluding remark, we would like to pose a
challenge to the academic community to take part in
re-defining the service and the product as well as
the service outcomes of the security industry. For ex-
ample, we would like to find out, how customers see
the roles of business continuity management, image
and brand management, crime prevention, occupa-
tional safety and personnel security as a service out-
come when they buy security services. We have found
out that in a case of one service provider and a cer-
tain service offering, it can be rather straightforward
to define the benefits of the security services to a cus-
tomer. However, to produce generalized knowledge
on the issue is a challenge to be addressed in future.
We, as authors, will address these points more care-
fully in future, and we are pleased to ask the practi-
tioners of the industry as well as the research com-
munity to take part in this debate.
References
[1] Baines, T. S.; Lightfoot, H. W.: Benedettini, O.:
The servitization of manufacturing ,Journal
of Manufacturing Technology Management,
Vol. 20, No. 5, pp. 547-567, 2009
[2] Oliva, R.; Kallenberg, R.: Managing the transi-
tion from products to services, Journal of Ser-
501
vice Industry Management, Vol. 14, No. 2, pp.
160-172, 2003
[3] Baines, T. S.; Lightfoot H. W.; Evans, S.; Neely,
A.; Greenough, R.; Peppard, J.; Roy, R.;
Shehab, E.; Braganza, A.; Tiwari, A.; Alcock, J.
R.; Angus, J. P.; Bastl, M.; Cousens, A.; Irving,
P.; Johnson, M.; Kingston, J.; Lockett, H.; Mar-
tinez, V.; Michele, P.; Tranfield, D.; Walton, I.
M.; Wilson, H.: State-of-the-art in product-
service systems, Proceedings of the Institution
of Mechanical Engineers, Part B: Engineering
Manufacture, Vol. 221, pp. 1543-1552, 2007
[4] Manzini, E.; Vezzoli, C.: A strategic design
approach to develop sustainable product service
systems: examples taken from the environmen-
tally friendly innovation Italian prize, Journal
of Cleaner Production, Vol. 11, No. 8, pp. 851-
857, 2003
[5] Tukker, A.: Eight types of productservice sys-
tem: eight ways to sustainability? Experiences
from SusProNet, Business Strategy and the
Environment, Vol. 13, pp. 246260, 2004
[6] Reason, P.; Bradbury, H.: Handbook of Action
Research, 2. Ed., London (UK), 2007
[7] Edvardsson, B.; Gustafsson, A.; Roos, I.: Ser-
vice portraits in service research: a critical re-
view, International Journal of Service Industry
Management, Vol. 16, No. 1, pp. 107-121, 2005
[8] Vargo, S. L.; Lusch, R. L.: Evolving to a New
Dominant Logic for Marketing, Journal of
Marketing, Vol. 68, pp. 1-17, 2004
[9] Grnroos, C.: Service Management and Mar-
keting. Customer Management in Service Com-
petition, 3. ed., Chichester (UK), 2007
[10] Edvardsson, B.; Olsson, J.: Key concepts for
new service development, The Service Indus-
tries Journal, Vol. 16, pp. 140-164, 1996
[11] Johnston, R.; Clark, G.: Service Operations
Management. Improving Service Delivery, 3.
ed., Harlow (UK), 2008
[12] de Waard, J.: The private security industry in
international perspective, Journal of Criminal
Policy and Research, Vol. 7, No. 2, pp. 143-174,
1999
[13] van Steden, R.; Sarre, R.: The growth of pri-
vate security: Trends in the European Union,
Security Journal, Vol. 20, pp. 222-235, 2007
[14] Zedner, L.: Too much security?, International
Journal of the Sociology of Law, Vol. 31, pp.
155184, 2003
502
Research against CBRN-E terrorism: a real opportunity for materials
science

Laurent Olmedo
1
, Christophe Bossuet
1
and Franoise Simonet
1
, Catherine Gallou
2
, Philippe Bergonzo
3
, Mehdi Gmar
3
,
Frdrick Carrel
3
, Martine Mayne
4
, Claude Fermon
4
, D. Gillet
5
, H. Volland
5
, Guillaume Delapierre
6
, Franois
Simoens
6
, Jean-Louis Amans
6
, D. Poullain
7

Commissariat lnergie atomique,
1
CEA/DAM, Division for global security and non proliferation, Bruyres-le-Chtel, 91297, Arpajon Cedex France
2
CEA/DEN/DANS/DPC, 91191, Gif/Yvette Cedex - France
3
CEA/DRT/LIST/DCSI, 91191, Gif/Yvette Cedex France
4
CEA/DSM/IRAMIS, 91191, Gif/Yvette Cedex France
5
CEA/DSV/IBITEC-S, 91191, Gif/Yvette Cedex France
6
CEA/DRT/LETI, 38054, Grenoble Cedex 9 - France
7
CEA/DAM, Le Ripault, BP 16, 37260, Monts - France

Abstract
CEA, a prominent player in research, development and innovation has developed extensive expertise in a number of
topics which are now central within the global security research issues. As an example, in the field of fight against
terrorism, CEA is leading since 2005 the French joint ministerial CBRN-E (Chemical, Biological, Radiological,
Nuclear and Explosive) research and development program on behalf of French public authorities.
The main objective of this program is to identify, propose and implement scientific breakthroughs, mostly based on
cross disciplinary research actions, and including for some of them materials science, with a specific emphasis to
nanosciences and nanomaterials.

1 General context

The French Atomic Energy Commission
(Commissariat lEnergie Atomique) is a public body
which is active in three main fields: energy,
information and health technologies, defence and
security. Besides its objective to ensure that the nuclear
deterrence remains effective in the future, CEA has
developed extensive expertise in a number of fields
which are addressing CBRN-E (chemical, biological,
radiological, nuclear and explosives) research issues,
ranging from radiological and nuclear responses, non
proliferation and foreign nuclear policy, energy and
nuclear systems for the future, micro and
nanotechnologies, software technologies and life
sciences.
Through its involvement in research for tenths of years,
CEA has been developing technologies for global
security, international treaties monitoring and fight
against CBRN-E threats. Regarding their increasing
importance and the multiplicity of required skills, these
activities are managed since 2006 by a new transverse
program division (Division for global security and non-
proliferation).

2 The French joint ministerial
R&D CBRN-E program

Due to its large domains of expertise, CEA is the
leading and coordinating institution of the R&D actions
within the French national global CBRN-E R&D
program, started in 2005. In cooperation with other
French academicals research centres (Pasteur Institute,
CNRS, INRA, IRSN, etc) and in strong connection
with French authorities (including SGDSN, DGA and
ministries), the main objectives of this national
program is to identify powerful breakthroughs in the
field of detection & identification, diagnosis,
decontamination and countermeasures (prophylaxis
and therapeutics) against the C, B, R, N and E threat
agents.

At that time, this research program has led to the
realisation of a significant number of R&D projects
(more than 60from 2005) and to numerous laboratory
prototypes. This research work has lead to CEA
participation to collaborative projects in the framework
of national (ANR CSOSG, SYSTEM@TIC) or FP7
European programs (e.g. BIOPROTECT, BOOSTER,
DECOTESSC, PREVAIL, SECUREAU, SECUR-
ED, for DG ENTR and NDE, CTES,,for DG
HOME.
The position of CEA in CBRN research is global going
from risk analysis to forensics methods as shown in
Figure 1.

503

Figure 1: CEA approach in CBRN research
The specificity of explosive threats needs to build a
risk assessment analysis which includes chemical
synthesis of homemade explosives, the evaluation of
their intrinsic detonic performances and their effects on
infrastructures. In addition, a strong effort has been
conducted to develop innovative detection technologies
for traces and volumes analysis.
Some outstanding results in the field of CBRN-E
research will be presented and discussed in terms of
perspectives of applications and concepts of use, such
as for:
Radiological detection and identification of
complex radionuclides (taking into account the
shielding), by the use of passive techniques (including
new detection crystals, algorithms of neutron-gamma
discrimination) or active techniques (photofission,
neutron interrogation);
Biological identification of pathogens based on the
implementation of biological reagents (antibodies or
nucleic probes) in electro-optical devices including
micro or nano-electronics (microfluidics, Si nanowires,
NEMS,);
Chemical detection of traces with the use of
carbon nanotubes, NEMS, for point detection or
laser techniques for stand off detection (e.g. LIBS);
Explosive (home-made or not) detection of traces
with physico-chemical transducers (using
functionalized surfaces) and volumes with physical
techniques (Nuclear Quadrupole Resonance, THz
spectro-imagery, neutron interrogation,).
2.1 Detection of illicit nuclear,
radiological materials
Through its support to authorities in the fight against
proliferation activities and terrorism threat, CEA has
developed efficient methods and means to detect illicit
nuclear or radioactive material for security needs (mass
transportation, critical infrastructures, airports,..).
Beacons to detect N/R materials on moving vehicles or
pedestrians, photofission methods for materials inside
maritime containers (DEMIP Project [1]) ultratrace
detection, and high sensitive portable gamma camera
are examples of CEA research works.
For example, we developed a beacon (DIRAD
TM
) for
the real time identification of radionuclide on persons
or inside vehicles which allows sensitivity high enough
to be able to identify a radioactive source in a 100 km/h
moving vehicle [2].
We also developed a compact gamma camera for
source localisation or rapid cartography of
contaminated areas [3, 4]. In this case, the main
objective was to reduce the weight and to increase
performances, by the implementation of a pixillated
photon detector, Medipix
TM
, connected with a coded
mask aperture and a visible camera.
Technological transfer towards industry is now in
progress through license agreements to French
companies (DIRAD
TM
beacon and GAMPIX
TM
gamma
camera). In addition, these technologies have been
tested and integrated and are now in test phase in the
perspective of the definition of a future national R/N
detection network.
2.2 Biosecurity activities
For this field, the program included researches and
development in detection, diagnosis,
prophylaxis/treatments and decontamination. This
activity is supported by technology platforms including
high safety infrastructure (BSL 3 laboratories).
A strong focus has been put on the development of
tools and methodologies for the detection of toxins and
microorganisms. A series of reagents for detection of
pathogens and toxins are being produced. Toxins and
toxin fragments, bacteria and viral components
(proteins, cell wall extracts) are purified from natural
sources or by recombinant technologies. These
components are used to immunise mice and produce
collections of monoclonal antibodies. Nucleic acid
primers and probes are designed and synthesized to set
up PCR reactions.
Among the pathogens and toxins considered can be
cited the botulinum toxins, ricin, staphylococcal
enterotoxins, clostridium perfringens epsilon toxin and
others. Sensitive immunochromatographic strips have
been developed and have been transferred and put into
market in 2010 (see Figure 2) [5, 6].

Figure 2: Immunochromatographic strips

PCR kits against Clostridium botulinum A, B, E and F
and against Bacillus anthracis have been made and are
under industrialization by GeneSystems [7].
Mass spectrometry methods have been developed
through three different strategies: detection of the
product of the enzymatic reactions of toxins, proteomic
analysis of toxins digested by trypsin and absolute
504
quantification of toxins using recombinant toxin
standards labelled with stable isotopes [8, 9]. The
specificity of these mass spectrometry methods is
enhanced by an immunocapture step. The methods are
being transferred to French operational laboratories.
Finally, highly sensitive detection with antibody
sandwich can be obtained with multy-spotted chips
carrying toxin or bacterial markers antibodies and
surface plasmon resonance imaging [10]. The
secondary antibody in the sandwich is labelled with a
gold bead in order to dramatically enhance the plasmon
signal, enabling detection sensitivities in the pM range.
2.2.1 Micro & nanotechnologies
Acting as a bridge between academic research and
industrial transfers, CEA activities in the field of
Electronics and Information Technology spread from
miniaturization of the silicon technologies up to a
component prototyping for a wide variety of
applications.
CEA has developed systems based on new integrated
nano and micro-technologies to counter bio and
chemical threats.
These technologies perform multiparametric and
identification of B/C agents from air or liquid sample,
either in a one shot format or in a continuous flow
mode:
An ultra sensitive genomic analysis (DNA) able to
analyse liquid or air samples in a semi-continuous flow
mode based on digital microfluidics (see Figure 3)
[11, 12]. Few copies of bacteria, spores, viruses can be
collected, detected and quantified automatically in 90
min. 100 PCR per 64 nL droplets can be performed in
parallel in this portable system (40 L / 10 kg) (see
Figure 4).

Figure 3: Demonstrator of a semi-continuous fully
automated PCR system

Figure 4: An example of quantitative PCR results
obtained with digital microfluidic system

A cheap, fast and sensitive particle imaging / counting
based on a lens free camera imaging system has also
been developed [13, 14]. In few seconds, bioparticles
as small as 1 m are detected and imaged by
holographic reconstruction (see Figure 5) [15]. No bio
consumables are needed.

Figure 5: Detection of biological objects with thin
wetting film lensless imaging and holographic
reconstruction

A short response time detection system dedicated to
small molecules (toxins, explosives) in a continuous
flow mode without any sample preparation needed
(see Figure 6) [16]. The same system can detect bio
(toxins) and chemicals (explosives) [17]. Sensitivity is
high, with a detection limit down to 30 pg in a few
minutes. Up to 10 targets can be monitor in parallel.

Hologram
50 100 150 200
20
40
60
80
100
120
140
160
180
200 0
50
100
150
200
250

Hologram
50 100 150 200
20
40
60
80
100
120
140
160
180
200 0
50
100
150
200
250
Lensless
imaging
Phase
reconstruction
Amplitude
reconstruction Microscope x100
10 m
10 m
10 m 10 m
10 m
10 m
505

Figure 6: Immuno demonstrator and example of an
experimental result

2.3 Detection of chemical toxics
CEA has invested in the application of materials
science to the development of innovative trace
detection sensors, by using sol-gel functionalized silica
or carbon nanotubes. Moreover, for the detection of
residual traces after decontamination, CEA has
developed highly portable LIBS (Laser induced
breakdown Spectroscopy) for standoff chemical
compounds detection.
These technologies have mostly been dedicated to the
detection of TICs (toxic induxtrial compounds) but
have also been tested with organophosporous
simulants.
2.3.1 Multi-walled carbon nanotubes
Resistive gas sensors based on 2D mats of multi-walled
carbon nanotubes (MWCNT) are developed for the
detection of industrial toxic chemical agents (Cl2,
NH3, HCl) and chemical warfare agents. The sensor
sensitivity was optimised using chlorine by tuning
MWCNT network morphology, crystalline structure
and electronic properties. In particular, the crystallinity
of the MWCNTs plays a major role in the CNT-based
sensor sensitivity. Our results demonstrate that
optimized devices can be calibrated in a large range
(from 10 ppb up to 2ppm) and enable detection of Cl2
at room temperature and down to 27 ppb (see Figure
7). In order to enhance the sensor sensitivity and
selectivity for detection of several gases, MWCNT
were functionalized with poly(phenylene)-like or vinyl
polymers using a process based on the diazonium
chemistry [18]. By combining three different
MWCNT-based sensors, a selective detection of Cl2,
NH3 and HCl is possible down to 30 ppb, 300 ppb and
1 ppm respectively [19]. These results underline the
potentiality of MWCNT for the development of
sensitive, low-cost and reliable chemical sensor and
open up new avenues for fully calibrated sensing
platform.
10 100 1000
1
10
100

-
1
0
0
0
*
d
(
R
/
R
0
)
/
d
t

Cl
2
Concentration (ppb)
-5 0 5 10 15

0 10 20 30
0,60
0,65
0,70
0,75
0,80
0,85
0,90
0,95
1,00
1,05

R
/
R
0
-5 0 5 10 15

0,0
-0,1
-0,2

d
(
R
/
R
0
/
d
t
)

27 ppb 500 ppb 2 ppm
Cl2
Cl2
Cl2
Time (min) Time (min) Time (min)
a b

Figure 7: (a) Detection curves (bottom) and the
respective derivative curves (top) as a function of time.
(b) Calibration curve: maximum derivative signal as a
function of chlorine concentration. Black line: raw
CNT, red line: annealed CNT.
2.3.2 LIBS
Laser Induced Breakdown Spectroscopy (LIBS) offers
a unique in-situ capability to detect a contamination on
any surface by analysing the spectral response of the
material to a laser interrogation. Detection is performed
in real time, without sample preparation, and even
remote detection is possible. So, the CEA has
developed LIBS systems dedicated to security
applications, including a hand-held probe, connected to
the central unit with optical fibres [20], and a remote
system allowing detection up to several meters.
Developed in 2010, the remote system constituted of a
laser, a telescope, a spectrometer and a central unit is
fully transportable and ready for use within a few
minutes. It was presented in June at Stockholm during
CBW 2010 (see Figure 8) [21].
The detection of an organo-phosphorous compound
deposited on a surface was demonstrated for distances
up to more than 7 meters with an equivalent Sarin
concentration down to 10 g/cm in only a few
seconds. Moreover, the ability to discriminate surfaces
with and without chemical contamination was
demonstrated and also the ability to discriminate
several pure organic molecules with close
compositions. Discrimination is based on statistical
treatments and data bases. Measurements are still in
progress with thin depositions on surfaces.

700
750
800
850
900
950
40 50 60 70 80 90 100
Time (min)
F
l
u
o
r
e
s
c
e
n
t

s
i
g
n
a
l

(
r
f
u
)
SEB
0.5ng/mL
506

Figure 8: Standoff LIBS demonstrator (presented at
the CBW 2010 conference in Stockholm) and an
illustration of discrimination performances (confusion
matrix relative to organic bulk molecules)
2.3.3 Application of nanotechnologies to
chemical detection
In collaboration with Caltech University, a real-time
chemical detection system based on silicon NEMS
devices. Based on a new concept of architecture, this
system can discriminate compounds in complex
mixtures and offers a broad range of application with a
large dynamic scale, from sub ppm to 1000 ppm (see
Figure 9) [22-25].

Figure 9: NEMS packaged module with capillaries

2.4 Detection of explosive materials
CEA also gets a high expertise on explosive/chemicals
materials and detection systems and has experience of
system testing and evaluation.
Most of the developed technologies are based on
fundamental research lead by CEA on materials. From
theory study through numerical modelisation,
optimisation of materials to interact with a specific
explosive molecule, fabrication equipment,
characterization and test method, integration in a
sensor, CEA has the capability to design high sensitive
and specific detectors.
Therefore, for several years, CEA has developed
various detection systems to detect and identify
military explosives or home-made explosives. These
detection systems used various techniques to cover the
various concepts of operations (X-ray spectrometry
with CdTe or CdZnTe detectors at room temperature,
active neutron interrogation, NQR, trace detections
with quartz crystal microbalance, or optical sensors,
chemical sensors using micro cantilever transducers or
multiparameteric SAW sensor platforms [26, 27],
innovative explosive microsensors, standoff detection
with LIBS and LIDAR,.....) and imagery systems (mm,
THz, X-ray). Most of these technologies have been
patented and experimental facilities existing inside
CEA (experimentation field tests) are operated to
qualify developments and benchmark commercial
devices on a wide set of inside synthesized real
homemade explosives.
2.4.1 Explosive traces detection
Since several years, CEA aims to develop devices
based on a chemical reaction or interaction between a
sensitive material and an explosives vapour. Each
individual developed technology (Quartz Crystal
Microbalance, Surface Acoustic Wave and
fluorescence) has exhibited high level of performances.
In order to have a positive synergy between the
different technologies, a new approach has been
developed through a device that combines the 3
different transducers. The three technologies separately
have ever demonstrated their capability for detecting
explosives: SAW[28], QCM [29] and Fluorescence
[30]. As an example, SAWs functionalized with nano
diamond particles are exhibiting outstanding properties
when exposed to high vapour pressure molecules (see
Figure 10).
A major concern deals with direct detection of low
vapour pressure explosive compounds regarding to
conventional IMS trace detection through vaporization
of particle coming from swipe sampling.
Multi technology is an alternative which permits to
improve the response time and the possibility of
identification of low vapour pressure targets (PETN,
TNT,..). A prototype including these 3 technologies
(QCM, SAW and fluorescence) has been developed
and confirms the feasibility of the concept and the
integration of the system is on progress (see Figure
11). The advantages of this device are multi targeting,
reliability, and identification of the explosives.
Specificity comes from data processing (data fusion)
which is based on the assumption of a known model
linked to the target component (see Figure 12) [31].
This innovative concept is a real gap in the domain of
explosives chemical sensors: the coupling between 3
507
transductions systems and the data fusion permit quick
detection and identification of the explosive.

Figure 10: An example of EGDN traces detection with
SAW transducers functionalized with nano particles of
diamond

Figure 11: Demonstrator integrating QCM,
fluorescence and SAW transducers

Figure 12: Data fusion : detection of EGDN

2.4.2 CdTe/CdZnTe semiconductor
spectrometric detectors: new
perspective in X-ray detection of
concealed illicit materials

Most of present X-ray approaches for explosive
detection in packages are based on density and atomic
number characterization of materials through dual
energy transmission imaging. Due to the poor
resolution in energy of classical scintillator based
sandwich detectors (two detectors one over the other
separated by a filtering material to favour high energy
detection in the second detector) used on the dual
energy systems, the identification of illicit materials
remains tricky. A way to improve and to upgrade these
systems has been proposed by using multi-energy X-
ray generators. Nevertheless, the use of these systems
has been limited in reason of a complicated
technological implementation of multi-energy X-ray
shots. Another way of improvement of material
characterization has been investigated by combining X-
ray transmission information with analysis of narrow
angle scattering profile in energy. Such systems need
detectors with high energy resolution and were based
on the use of single pixel Germanium semi-conductors
detectors. These systems remain slow and need a
cumbersome cooling systems, which limits their use.

Semi-conductor material, and more specifically CdTe
or CdZnTe, enables to build spectrometric detectors
operating at room temperature with a high energy
resolution [32]. Moreover, these detectors can be
pixellized and assembled in order to provide either 1D
linear spectrometric detectors (see Figure 13) or 2D
spectrometric imagers with high count rate (see Figure
14). These characteristics associated to dedicated
spectrometric information processing [33-36] (multi-
energy image processing, spectral information of
narrow angle scattering, backscattering signal
analysis), open the gate to new improved systems for
an effective explosive detection and identification,
overcoming the drawbacks encountered by the present
systems.

Figure 13: CdTe spectrometric detector prototype
(linear array, very high count rate)

Fluorescence
SAW
QCM
-5000
0
5000
10000
15000
20000
25000
0 100 200 300 400 500 600 700 800 900
temps (s)
d
e
l
t
a

f

(
H
z
)
508

Figure 14: CdZnTe spectrometric detector (2D array,
high spatial resolution)

At CEA/LETI we develop spectrometric detectors
based on CdTe/CdZnTe semiconductor material for
different X-ray configurations in order to improve the
detection and the identification of illicit material:

- In X-ray transmission imaging luggage control,
using linear spectrometric detectors. As
CdTe/CdZnTe detectors count the number of
photons collected in several energy channels, a
multi-energy analysis with a single shot X-ray
generator can be implemented. Compared to a
classical dual energy approach, such multi-energy
approach refines the characterization of observed
materials in terms of transmission properties.

- In X-ray diffraction signature analysis based on
spectrometric detector. Use of CdTe/CdZnTe
spectrometric detectors enable to get a signature
with an adequate energy resolution while working
at room temperature;

- In X-ray backscattering signal analysis, using
spectrometric detector. The analysis of
backscattering signal provides some information
on the nature of the observed material.

2.4.3 THz active imagery of a stand-off scene
Most of solid explosives present specific spectral
signatures in the Terahertz electromagnetic range (0.3
10THz). A system coupling this spectroscopic
information to THz active imagery of a stand-off scene
is likely to provide at the same time information on the
location of potential hidden objects under clothes and
on the chemical composition.

Figure 15: Uncooled THz antenna-coupled
microbolometer pixel structure (Presented at SPIE
2011)

CEA-LETI in collaboration with French universities is
currently developing such a THz system that is based
on the illumination of the scene at several frequencies;
the reflected and backscattered radiation from the scene
is then imaged by an uncooled antenna-coupled
microbolometer focal plane array based on innovative
sensor patents of CEA-LETI (see Figure 15) [37, 38].

Figure 16: 320x240 pixels FPA

Prototypes of 320x240 pixels (50 m pitch) sensors
have been collectively processed above CMOS wafers
in CEA/LETI 200mm manufacturing facilities (see
Figure 16). First processed batch has shown for more
56 out of the 63 arrays present per wafer an operability
above 99.5%. This high pixel operability is achievable
thanks to CEA-LETI know-how in uncooled thermal
imaging derived from its mature IR a-Si bolometer
technology [39, 40].

509

(a)
(b)

(c)
Figure 17: Images of QCL beam reflected by reference
mirror (a), and explosives materials : TNT (b) and
HMX (c)
These fully multiplexed 320x240 pixels sensors have
permitted the imaging in real-time of a QCL beam
reflected on explosives samples in conditions close to
real-life applications with a quite comfortable Signal to
Noise Ratio (see Figure 17) [41, 42].

Figure 18: Razor Blade hidden in a postal envelop

Figure 19: Scalpel blade hidden in a postal envelop

With these 2D arrays, while small profiled objects (~ 4
cm) hidden in envelops were introduced in the optical
path, video-like sequences have been acquired,
demonstrating the major asset of wide focal plane array
operating in real-time at ambient temperature (see
Figures 18 and 19).
Forthcoming works will address the extension of the
number of frequencies and explosive materials
investigated and the demonstration of spectroscopic
identification in reflection configuration. Next step will
address industrial prototyping of such THz systems
with the goal of a technological transfer.

2.4.4 Bulk detection of explosives by Nuclear
Quadrupolar Resonance and Very Low
field Magnetic Resonance Imaging

Nuclear Quadrupolar Resonance (NQR) of nitrogen
allows selective detection of solid explosives
containing Nitrogen. That technique has the advantage
to be highly selective but its sensitivity is poor, in
particular for some products presenting long relaxation
time like Tri-Nitro-Toluene (TNT). The limitation is
given by the noise of the detecting system, mainly a
resonant coil tuned at the detection frequency. CEA-
IRAMIS-SPEC has developed a new kind of magnetic
sensors, called mixed sensors,[43] having a sensitivity
better than resonant coils for radio frequency detection
below 5MHz and a wide band detection allowing the
detection of several solid explosives with a rather
simple system [44].

Magnetic Resonance Imaging (MRI) is currently used
for clinical imaging but it requires high fields in order
to achieve a sufficient sensitivity for liquids analysis.
However, by using mixed sensors, it is possible to
perform MRI at very low fields, typically below 5mT
compatible with electronic devices with enough
sensitivity for liquid detection and discrimination [45].

X Index
Y

I
n
d
e
x
Mirror reflected signal

50 100 150 200 250 300
50
100
150
200
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
Razor blade hidden in a postal envelope

50 100 150 200 250 300
50
100
150
200
Scalpel blade hidden in postal envelope

50 100 150 200 250 300
50
100
150
200
510
3 Conclusions

The need of science and innovation to combat the
threat from terrorism is of critical importance. As
illustrated by the description of some R&D activities,
numerous innovations are now mature for
technological transfer to industry.
The overall success of detection of CBRN-E threats
will be only achieved with the efficient integration of
multiple sensors modalities. Therefore, CEA works
actively in the domain of entire processing chain from
the sensor output to the high-level decision models.

References
1. Agelou, M.D., D.; Dupont, E.; Carrel, F.;
Gmar, M.; Ledoux, X.; Poumarede, B.; Perot,
B.; Bernard, P. , Detecting special nuclear
materials inside cargo containers using
photofission, in IEEE/NSS Conference Record
2009.
2. Disposal and protocols for real-time detection
and identification of a moving radioactive
source French Patent UD 10664
3. Gmar, M.A., M.; Carrel, F.; Schoepff, V.,
GAMPIX: a new generation of gamma
camera. NIM A, 2010. accepted for
publication
4. Carrel, F.A.K., R.; Blot, P.; Boudergui, K.;
Colas, S.; Gmar, M., Lemasle,F., Saurel, N.;
Schoepff, V.; Toubon, H. , GAMPIX: a new
generation of gamma camera for hot spot
localization. Proceedings of the ISOE
Symposium, Cambridge, 2010.
5. HCFDC, Special prize - Innovation, Paris
2011.
6. Khreich N, L.P., Lagoutte B, Ronco C, Franck
X, Crminon C, Volland H, A fluorescent
immunochromatographic test using
immunoliposomes for detecting microcystins
and nodularins. . Anal Bioanal Chem, 2010.
Jul;397(5): p. 1733-42.
7. Fenicia L, F.P., van Rotterdam BJ, Anniballi
F, Segerman B, Auricchio B, Delibato E,
Hamidjaja RA, Wieliga PR, Woudstra C,
Agren J, De Medici D, Knutsson R., Towards
an international standard for detection and
typing botulinum neurotoxin-producing
Clostridia types A, B, E and F in food, feed
and environmental samples: a European ring
trial study to evaluate a real-time PCR assay.
. Int J Food Microbiol. , 2011. Mar 1(145
Suppl 1): p. 152-7.
8. Duriez E, F.F., Tabet JC, Lamourette P,
Hilaire D, Becher F, Ezan E., Detection of
ricin in complex samples by immunocapture
and matrix-assisted laser
desorption/ionization time-of-flight mass
spectrometry. J Proteome Res. , 2008. Sep.(9):
p. 4154-63.
9. Lebert D, D.A., Garin J, Bruley C, Brun V.,
Production and use of stable isotope-labeled
proteins for absolute quantitative proteomics.
Methods Mol Biol. , 2011. 753: p. 93-115.
10. Villiers MB, C.S., Brakha C, Lavergne JP,
Marquette CA, Deny P, Livache T, Marche
PN, Peptide-protein microarrays and surface
plasmon resonance detection: biosensors for
versatile biomolecular interaction analysis..
Biosens. Bioelectron., 2010. 26(15): p. 1554-
1559.
11. Jary, D.a.c., Development of complete
analytical system for Environment and
homeland security. Biodetection Technologies
Baltimore 2010, 2010.
12. Delattre, C.a.c., SMARTDROP: An integrated
system from sample preparation to analysis
using real-time PCR 10th CBW Protection
Symposium, Stockholm, Sweden 8-11 June
2010
13. Allier, C.P.H., G.; Poher, V. and Dinten, J.
M., Bacteria detection with thin wetting film
lensless imaging. Biomed. Opt. Express 2010.
1: p. 762-770.
14. Allier, C.P.P., V.; Coutard, J. G.; Hiernard G.
and Dinten, J. M. , Thin wetting film lensless
imaging. Proc. SPIE, 2011. 7906: p. 790608.
15. Poher, V.A., C. P.; Coutard, J. G. ; Herv L.
and Dinten, J. M. , Lensfree in-line
holographic detection of bacteria. Proc. SPIE
2011. 8086: p. 808619.
16. Schultz, E.e.a., A novel fluorescent based
array biosensor: principle and application to
DNA hybridization assays. Biosensors and
Bioelectronics, 2008: p. 987-994.
17. Caron, T.e.a., Ultra trace detection of
explosives in air: development of a portable
fluorescent detector. Talanta, 2010: p. 543-
548.
18. Gohier, A.N., F.; Helezen, M.; Jegou, P.;
Deniau, G.; Palacin, S.; Mayne-LHermite, M.
, Grafting control of functional polymers onto
multi-walled carbon nanotubes using
diazonium salt based process. J. Mater. Chem,
2011. 21: p. 4615-4622.
19. Gohier, A.C., J.; Chenevier, P.; Porterat, D.;
Mayne-LHermite, M.; Reynaud, C. ,
Optimized network of multi-walled carbon
nanotubes for chemical sensing.
Nanotechnology, 2011. 22: p. 105501.
20. Pailloux, A., Chemical warfare detection by
LIBS NBC 2009 7th symposium on CBRNE
threats 2009.
21. D. L'Hermite, C.G., E. Vors, A. Pailloux, M.
Tabarant, In situ and remote detection of a
chemical surface contamination. CBW2010
10th International Symposium on Protection
against Chemical and Biological Warfare
Agents 2010.
22. Agache, V., Device for the gravimetric
detection of particles in a fluid medium,
comprising an oscillator over which a fluid
stream flows, production process and method
of employing the device. French patent: n
511
0802743- 20/05/2008, International patent:
WO/2009/141516- 26/11/2009.
23. Agache, V.H., A.; Vinet, F. , Procd de
fonctionnalisation des veines fluidiques
contenues dans un dispositif micro mcanique,
dispositif micromcanique comprenant des
veines fonctionnalises et son procd de
ralisation. French patent: n 10 02706 -
29/06/2010.
24. Agache, V.B.-G., G.; Baleras, F.; Caillat, P. ,
An embedded microchannel in a MEMS plate
resonator for ultrasensitive mass sensing in
liquid. Lab on a Chip, 2011. June
25. Agache, V.B.-G., G.; Cochet, M. and Caillat,
P. , Suspended nanochannel in MEMS plate
resonator for mass sensing in liquid.
Proceedings of IEEE MEMS, Cancun,
Mexico, 2011. Oral Communication(January
23-27): p. 157-160.
26. Chevallier, E., Scorsone, E., & Bergonzo, P.,
New sensitive coating based on modified
diamond nanoparticles for chemical SAW
sensors Sensors & Actuators. B. Chemical,
2011. 1542 (2): p. 238-244.
27. Chevallier, E., Scorsone, E., Girard, H. A.,
Pichot, V., Spitzer, D., & Bergonzo, P. ,
Metalloporphyrin-functionalised diamond
nano-particles as sensitive layer for
nitroaromatic vapours detection at room-
temperature. Sensors & Actuators: B.
Chemical, 2010. 1511(1): p. 191-197.
28. NIMAL, A.T., Sensors and Actuators B:
Chemical 2009. 135(Issue 2): p. 399-410.
29. Clavaguera, S., Talanta. 2010. 82(4): p. 1397-
1402.
30. Caron, T., Talanta, 2010. 81(1-2): p. 543-548.
31. Patent F. : YD 12078 (02/2011)
32. Verger, L.O.-B., P.; Mathy, F.; Montemont,
G.; Picone, M. ; Rustique,J. ; Riffard, C. ,
Performance of a New CdZnTe Portable
Spectrometric System for High Energy
Applications. IEEE Trans. Nucl. Sci., 2005.
Vol. 52(5): p. 1733-1738.
33. Montemont, G.M., C. ; Isard, J.; Verger, L. ,
A Digital Pulse Processing System Dedicated
to CdZnTe Detectors. IEEE Trans. Nucl. Sci.,
2005. 52(5): p. 2017-2022.
34. Montmont, G.G., MC.; Monnet, O.;
Rustique, J. ; Verger, L. , Simulation and
design of orthogonal capacitive strip CdZnTe
detectors. IEEE Trans. Nucl. Sci, 2007. 54(4):
p. 854-859.
35. Rebuffel, V.D., J-M. , Dual-energy X-ray
imaging: benefits and limits. Insight, 2007.
49(10): p. 589-94.
36. Verger, L.G.d.A., E.; Guerin, L.; Monnet, O.;
Montmont, G.; Nicolas, B.; Pelliciari, B. ,
New trends in Gamma-Ray Imaging with
CdZnTe/CdTe. Nucl. Instrum. Methods Phys.
Res. A, 2007. 571(1-2): p. 33-43.
37. Peytavit E., A.P., Ouvrier Buffet J.-L., Beguin
A., Simoens, F., Room Temperature Terahertz
Microbolometers. Proc. IRMMW-THz 2005:
p. 257-258
38. F. Simoens, T.D., J. Meilhan, P. Gellie, W.
Maineult , C. Sirtori, ,S. Barbieri , H. Beere,
D. Ritchie, Terahertz Imaging With a
Quantum Cascade Laser and Amorphous-
Silicon Microbolometer Array. SPIE Europe
Defense and Security, 2009.
39. Simoens F., A.A., Castelein P., Goudon V.,
Imperinetti P., Lalanne Dera J., Meilhan J.,
Ouvier Buffet J.L., Pocas S., Maillou T.,
Hairault L., Gellie P., Barbieri S., Sirtori C.,
Development of uncooled antenna-coupled
microbolometer arrays for explosive detection
and identification. Proc. SPIE 7837, 2010.
7837: p. 78370B-78370B-11
40. Simoens F., M.J., Pocas S., Ouvrier-Buffet
J.L., Maillou T., Gellie P., Barbieri S., THz
uncooled microbolometer array development
for active imaging and spectroscopy
applications. IEEE IRMMW-THz Roma,
2010.
41. F. Simoens, J.M., V. Goudon, J. Lalanne-
Dera, Jean-Louis Ouvrier-Buffet, Stphane
Pocas, Explosive detection with active
terahertz imagery system. Oral presentation at
the 1st EU Conference on the Detection of
Explosives-Avignon-France, 2011.
42. J. Meilhan, B.D., V. Goudon, G. Lasfargues,
J. Lalanne Dera, D.T. Nguyen, J.L. Ouvrier-
Buffet, S. Pocas, T. Maillou, O Cathabard, S.
Barbieri, F. Simoens, Active THz imaging and
explosive detection with uncooled antenna-
coupled microbolometer arrays. Proc. SPIE
2011: p. 8023, 80230E
43. M. Pannetier, C. Fermon, G. Le Goff, J.
Simola and E. Kerr, Science 304 (2004) 1648
44. Pannetier-Lecoeur Myriam, Fermon Claude,
Dyvorne Hadrien, Cannies Grgory et Le Goff
Grald,
14
N NQR detection of Explosives with
Hybrid sensors. NATO Science for Peace and
Security Series-B, Springer (2009)
45. Dyvorne Hadrien, Fermon Claude, Pannetier-
Lecoeur Myriam, Polovy Hedwige et al,
NMR With Superconducting-GMR Mixed
Sensors, IEEE Transactions on Applied
Superconductivity, Vol 19, (2009), p 819-p
822

512
DECOTESSC1: Results of an EU FP7 demonstration project
phase 1 CBRNE system-of-systems analysis
Maarten Nieuwenhuizen, TNO, The Netherlands
Mark van den Brink, TNO, The Netherlands
Abstract
CBRNE counterterrorism, by the nature of it, does not limit itself to borders between nations in each and every
tier of its impact. Cooperation / dialogue between EU Member States should be established for an improved
CBRNE counterterrorism concept.
TNO was leading the project DECOTESSC1 (DEmonstration of COunterTErrorism System-of-Systems against
CBRNE phase 1) within the EU 7th Framework Programme Security. The DECOTESSC1 consortium consisted
besides TNO of AIT and Seiberdorff Labor (Austria), CEA (France), Fraunhofer Gesellschaft (Germany), FOI
(Sweden), JRC (European Commission), VTT (Finland) and Technalia (Spain).
The basic idea of DECOTESSC1 was an analysis and subsequent prioritization of the gaps between the current
situation and the ideal situation of a system-of-systems against CBRNE terrorism. Furthermore, a strategic road-
map was proposed that should aim at filling the identified gaps. This included linkages with related subject areas
and with stakeholder communities and a study regarding proposals for real demonstrations in phase 2 of the dem-
onstration project.
The results of DECOTESSC1 were fed back into the current call of FP7 Security, more specifically the call for
the CBRNE counterterrorism demonstration project Phase 2.

513
1 Introduction
In the past decades a number of terrifying terrorist
attacks has taken place. So far the majority of these
attacks have been carried out with small arms or
with explosives. This part of the threat spectrum is
represented by the E in CBRNE.
The confluence of several developments, both in
terrorism and in science and technology, has given
rise to a wider threat spectrum: that of CBRN,
chemical (C), biological (B), radiological (R), and
even nuclear (N) terrorism.
A major characteristic of CBRN terrorism is:

Low probability versus High impact.

Low probability. The number of known CBRN at-
tacks is very limited and will not be high in the fu-
ture even if discovered terrorist conspiracies that
may not always be publicly known are included.
Examples are the Sarin attack on the Tokyo metro
system 1995, the attacks with anthrax in the USA
starting September 2001, attacks employing chlo-
rine in Iraq starting October 2006 as well as attacks
against Afghanistan school girls in 2010.
High impact. CBRN attacks can cause immense
societal reactions at multiple levels. There are 1st
tier effects on health and first responders actions at
the site of the attack, 2nd tier effects on societal
functions shortly after and close to the attack as
well as the 3rd tier effects on the economic and po-
litical national and international viability in terms of
the colossal damages that will consequently in-
curred both in human life (the so-called psycho-
social impact) and in economic losses.
The establishment of a dedicated national compre-
hensive CBRNE counterterrorism system-of
systems may be too expensive. Integration into
other security systems as well as integration into
safety (so-called all hazard approach) needs to be
investigated as well as international cooperation.
This because CBRNE counterterrorism does not
limit itself to borders between nations in each and
every tier of its impact.
From early 2010 to mid 2011, TNO was leading the
project DECOTESSC1 (DEmonstration of COun-
terTErrorism System-of-Systems against CBRNE
phase 1) within the EU 7th Framework Programme
Security. The consortium consisted of TNO as well
as AIT and Seiberdorff Labor (Austria), CEA
(France), Fraunhofer Gesellschaft (Germany), FOI
(Sweden), JRC (European Union), VTT (Finland),
and Inasmet-Technalia (Spain).
The basic idea of DECOTESSC1 was an analysis
and subsequent prioritization of the gaps between
the current situation and the ideal situation of a sys-
tem-of-systems against CBRNE terrorism. Further-
more, a strategic roadmap was proposed that should
aim at filling the identified gaps.
2 Results of DECOTESSC1
2.1 System description
As stated before CBRNE terrorist actions can cause
immense societal impact ranging from the 1
st
tier
effects through 2
nd
tier effects to 3
rd
tier. These so-
called impact layers are depicted in Figure 1.

Figure 1 Tiers of effect of CBRNE terrorism

Within DECOTESSC1 project the work package
System Description was dealing with a thorough
understanding of the system-of-systems structure.
The accomplished objectives were the definition of
the field of work, especially the area where the stra-
tegic roadmap would lead, thus facilitating the work
on the following analytical work packages of the
project by creating the appropriate structure and
harmonizing the different steps of the analysis. Fur-
thermore the description of the system-of-systems
was performed in such a way that it can be a starting
point for other items such as data bases, CBRNE
related communication, evaluation of current work
and for future work by aggregation of subtopics,
concentration to essential points and identification
of possibly important topics which have been ne-
glected up to now.
Using a multidimensional approach, a Multidimen-
sional Taxonomy System (MTS) was developed in
order to provide a comprehensive and broad over-
view to the subject. With the help of the MTS it was
possible to define an enormous number of topics
with only a limited number of terms. The MTS was
developed following an extensive compilation of
definitions and taxonomies taken from previous
projects or identified by security-related committees
and corresponding to a number of quality criteria.
Interfaces of the area of CBRNE threat and coun-
termeasures with other security-related themes were
identified and discussed, for example, related to
topics such as crime fighting, disaster control, or
environmental protection.

514
Figure 2 System-of-systems description of
CBRNE counterterrorism

The multi-layered system CBRNE counterterrorism
system description is hard to depict in a graphical
way. Figure 2 only depicts the security cycle ele-
ments as well as the system as-a-whole that where
employed at the top level of DECOTESSC1s
analysis. During the project the description of cur-
rent situation and the ideal system, the subsequent
gap analysis and road map studies as well as the de-
scriptions of the study scenarios many detailed sys-
tem elements were discussed.

2.2 The analysis
2.2.1 Ideal situation
The requirements for an ideal security system were
collected by the project partners from interviews
with experts in different organizations (end-users,
industry and R&D organizations), from the partners
own experience and relevant studies. The issues that
were addressed were organizational, procedural and
technical measures as well as responsible actors in
the different phases of the security cycle. The objec-
tive was to get an overall picture of the ideal secu-
rity system without going very deeply into details.
Where practicable, the results were also compared
with the EU CBRN Action Plan in 2009. The pre-
liminary results were introduced to a group of ex-
perts in a subsequent workshop where the findings
were discussed.
The results show that a comprehensive, balanced
and multidisciplinary approach is needed to counter
the various CBRNE threats. EU-wide cooperation
was identified necessary in information exchange,
regulations, training and storing of supplies. Ideally,
a system-of-systems security allows the optimal use
of available expertise and resources in the most ef-
ficient manner so that different actors are linked to-
gether to share information to achieve shared
awareness, and coordinate their actions potentially
increasing speed of execution. Such a system might
produce significant efficiencies in terms of sharing
skills, knowledge and limited resources as well as
gaining the synergy of providing a common operat-
ing picture and being readily able to share informa-
tion.

2.2.2 State-of-the-art description
The state-of-the-art description deals with the status
quo and analysis of the actual measures that are
available or about to be available in the fight
against CBRNE attacks, in each phase of the secu-
rity cycle as well as for forensics, the system-of-
systems, resilience and training.
Threat assessment focuses on actors, the CBRNE
threatening material and the delivery means they
might use as well as the target they might reach, af-
ter having specified the different toxic/pathogenic
effects of the CBRNE materials.
Prevention gives an overview on the policies and
regulations at the European and/or at the Member
States level, that contribute for example to prevent
terrorist from obtaining CBRNE threatening mate-
rial. It also precises what kind of technologies are
used or could be used to prevent illicit trafficking.
Preparedness describes the organization in place at
the European level to operate a Rapid Alert System
and at the Member States level for crisis manage-
ment. In order to prevent the terrorist to reach his
target or purpose, the public and private stake-
holders can or could propose pre-attack medical
treatment, warning detection systems, or physical
protection.
Response deals with first responders and the avail-
able means they can use in order to get support in
decision-making activities: prediction modeling,
personal protection as well as monitoring and con-
firmation / identification of the alert.
Recovery focuses on medical treatment and decon-
tamination that are the main issues in that phase.
The European Commission starts playing a role in
coordination of health emergency, particularly in
the event of large-scale cross-border disaster, helps
in cooperation between Member States on clinical
diagnosis, diagnostic capabilities of laboratories,
database on medicine stocks, EU guidelines or
handbooks on decontamination.
System-of-systems proposes architecture based on
systems that might equip the actors of the system-
of-systems, taking into account their duties, focus-
ing on better coordination and interoperability, key
factors of resilience.
Training and exercise, another set of key factors of
resilience. Especially in view of the low probability
character of CBRNE terrorism these transversal
topics must be handled in each phase of the security
cycle as well as the system as-a-whole in order to
increase the readiness level of first responders, to
educate the citizens, and to create awareness.

515
2.2.3 Gap analysis
The gap analysis was based on the findings from the
description of the ideal situation (2.2.1) and the
state-of-the-art description (2.2.2). The aim has
been to identify the weaknesses and gaps in the
counter CBRNE systems today, in order to give in-
put to the next step, being the ranking of the gaps,
leading on the creation of a strategic. The work of
assessing the gaps has been in close collaboration
with experts and stakeholders during a workshop,
and the results were validated by the same at a
workshop.
The gaps were described for each of the phases of
the security cycle. Each of these phases presents a
system for handling the counter-terrorist actions,
and in a final chapter the gaps in a system-of-
systems connecting the phases were described.
The gaps found were primarily in the areas of or-
ganization and methodology, techniques for detec-
tion and protection, and training. Some common
gaps were found with implications in all the phases.
An example is the link between the phases in terms
of information, coordination, training and learning
from each other. The same issues for the collabora-
tion between Member States and counterterrorism
actors within the Member States were also a com-
mon gap.
The gaps in technical aspects of for example detec-
tion and identification influence weaknesses found
in most of the security phases, such as the problem
of preventing production of illicit substances, the
problem of being properly prepared without having
reliable detection systems, and the problem of re-
sponding with the right measures without knowing
what the threat or attack characteristics are.

2.2.4 Creating the Roadmap
The Roadmap was created out of the myriad of
more than 100 gaps found. During a workshop the
expert group was briefed on the results of gap after
which the gaps were ranked into a top 25 list. In a
subsequent workshop each gap was rewritten into a
phrase that starting with The EU (its Member
States) should be able to.. After that, a first esti-
mate was given on the timeframe in which this was
expected to be achieved. In this way 25 roadmap
topics were created. Because in the DECOTESSC1
project the system-of-systems approach is predomi-
nant, the relationships between the different gaps
were also mapped.
Each of the roadmap topics in itself is a conclusion
on how to achieve a certain milestone (which capa-
bility needs to be achieved, which R&D and/or is-
sues need to be explored).
First, every roadmap topic was given a timeline,
starting today and moving towards 2020 and be-
yond. Each of the 25 roadmap topics was positioned
on its expected end-date; given the current status of
R&D and available products, the gap could be
solved at that point in time. Drawing a timeline
provides valuable insight in time tracking of subse-
quent deliverables and milestones. At the same time
the consequences of aspects which might delay or
speed up progress can be observed.
The second aspect that was addressed in the overall
conclusions was the relation that exists between the
25 roadmap topics. As stated before, none of the
topics is a stand-alone issue and by analyzing the
interdependencies one can get insight into which
clusters of topics is predominantly present in the
spectrum. For this analysis techniques from Social
Network Analysis were used.
Figure 3 shows a visual representation of the topic-
to-topic relationships; each of the topics is repre-
sented by a box. A line from one box to another
means that these topics are interrelated. It does not
state what the type of relationship is (negative or
positive).
When looking at the number of relations a topic has
to other topics, it is possible to prioritize the list of
25 topics. The separate topics have their impor-
tance, but given the amount of relations they have to
other topics, it can be stated that the top of the pri-
oritized list represents the system-of-system topics
to address in the near future. In this upper half of
the prioritized list, five clusters of topics are visible
(see figure 4). These clusters represent the 5 most
urgent and feasible challenges that should be dem-
onstrated in phase 2.

Figure 3 Links between the 25 roadmap topics

516

Figure 4 Roadmap topics clustered

2.3 The way ahead in Phase 2
In DECOTESSC1 the roadmap identified the way
to overcome the current gaps and how to demon-
strate it. A comprehensive set of R&D topics, capa-
bilities and policy measures placed in time between
now and 2020 was identified as key challenges.
In summary, the Phase 2 demonstration project
should focus on Integration and Information and
exhibit a consistent and coherent portfolio of coun-
termeasures for CBRNE terrorism. The most urgent
and feasible challenges within integration and in-
formation are:

Fusion of information and establishment of
a situational picture. As an element of a con-
tinuous CBRNE threat assessment there is a
need for real-time situational awareness of the
dynamic aspects before, during and after an in-
cident. This includes detection, identification
and monitoring of actors, agents, means of de-
livery, targets, and effects. In the case of assess-
ing the CBRNE threat and impact, the validity
of the perceived picture of the threat and its
consequences needs to be measured and veri-
fied.

Communication. Because of its low probabil-
ity vs. high impact nature, CBRNE related
communication to the general public requires
special attention. In addition to general disaster
management strategies, CBRNE awareness and
resilience should be created. Aspects such as
education, the role of local, regional, national
and European authorities and the passive and
active use of (social) media should be covered
by a dedicated communication strategy.

Cooperation. CBRNE counterterrorism in-
volves numerous players that have different
skills, knowledge levels, approaches and prac-
tical experience with CBRNE incidents. In or-
der to minimize the impact of an incident, ex-
tensive cooperation and coordination is re-
quired between these players. The requirement
is thus to link the phases the security cycle, to
pool (scarce) resources, to share (classified) in-
formation, and to use best practices from sepa-
rate C, B, RN, and E experiences. A lot can be
learned from and shared with other domains
(health, safety, environment, defence).

Consequence management. Many activities
focused on an efficient handling of an incident
require further improvement. Mostly post-
incident activities (the response and recovery
phases) are concerned, but these have a sub-
stantial relationship with pre-incident activities.
These involve medical countermeasures as well
as dealing with the effected infrastructure and
area. Topics to demonstrated are: search and
rescue, triage, on-site medical care as well as
transport to and treatment in hospitals, con-
tainment/quarantine, self-help, decontamination
of people/infrastructure/area, and dealing with
chaos and the (longer term) psychosocial ef-
fects. Furthermore, adequate (personal) protec-
tion is an important aspect. Dedicated solutions
are not always realistic and therefore integra-
tion with existing protection measures is re-
quired.

Realistic training and exercise. Current train-
ing and exercise does not fully reflect the com-
plexity of CBRNE counterterrorism. Given the
large impact and the organizational and finan-
cial burden of real-life exercises, new tech-
niques (like the use of virtual reality and seri-
ous gaming) need to be further explored, de-
veloped and demonstrated to meet both needs
and restrictions. There is a strong need to in-
clude aspects such as live agents, general popu-
lation, and cross border cooperation.

The coherent ensemble of demonstrations should
cover at least multiple hazards, multiple phases of
the security cycle, multiple tiers of effect and multi-
ple stakeholders. Preferably, demonstrations should
take place in a (semi-)operational context, including
simulation if required or more feasible. Small, con-
trolled in-lab demonstrations are anticipated, espe-
cially when live agents are to be used, but these
should be revisited in large scale demonstrations.
Topics to be demonstrated are: CBRNE field labs,
(cross-border) clusters of experts, CBRNE resil-
ience building including communication with the
public, preparedness of first responders and civil-
military cooperation.

Given the cross-cutting character of (CBRNE)
counterterrorism, linkages with demonstrations
within other projects must be considered. In this
way the European community for CBRNE counter-
517
terrorism will be strengthened and FP7 demonstra-
tions will become more efficient.

Capabilities that are being developed in the EU
military domain must also be taken into account
(European Framework Cooperation).
Ultimately, solutions should demonstrate the added
value of large scale integration of CBRNE counter-
terrorism improving effectiveness, efficiency, co-
herence, and cooperation/coordination at the na-
tional and European level.
518
EXAKT Joint BMBF Research Project: Near Real-Time Trace
Analysis of Airborne Chemical Warfare Agents and Explosives us-
ing a TD-GC-TOF-MS
Gudrun Bunte, Fraunhofer Institute for Chemical Technology, Germany, (Corresponding author)
Jrgen Hrttlen, Fraunhofer Institute for Chemical Technology, Germany
Moritz Heil, Fraunhofer Institute for Chemical Technology, Germany
Joachim Ringer, Wehrwissenschaftliches Institut fr Schutztechnologien ABC-Schutz, Germany
Franziska Rietz, Wehrwissenschaftliches Institut fr Schutztechnologien ABC-Schutz, Germany
Peter Boeker, Universitt Bonn, Ifl.-Sensorik, Germany
Jan Leppert, Universitt Bonn, Ifl.-Sensorik, Germany
Thomas Etterer, Securetec Detektionssysteme AG, Germany
Gerhard Horner, five technologies, Germany
Abstract
This presentation addresses the concept, objectives and primary outcomes of the joint project EXAKT,
which is financed by the German BMBF under the security related CBRNE research programme.
EXAKT comprises a new concept in on-line, near real time (NRT) analysis of trace level (airborne)
chemical warfare agents (CWA) and explosives using a continuous sampling Thermal Desorption
(TD) system and a new bench top Time of Flight (TOF) mass spectrometer. TD adsorption is achieved
using standard wide range and novel selective adsorption materials. The selective adsorption materials
are newly developed molecularly imprinted polymers (MIPs), which are synthesized, tested and evalu-
ated for the selective adsorption of explosives and direct desorption into the TOF-MS.
1 Introduction
Both, CWA and explosives, have to be detected
at extremely low concentrations with a high con-
fidence level. Furthermore, the analysis time re-
quired for this detection is a few minutes or sec-
onds. These are usually contradictory conditions
and therefore state of the art detection systems
have to compromise between speed of analysis,
lower detection threshold and a low (or zero)
false alarm rate.
EXAKT is a German BMBF financed project
running from 2008 until mid of 2011. EXAKT
investigated and optimized a concept for near
real-time detection of hazardous substances
based on pre-concentration using solid adsorp-
tion materials with subsequent thermal desorp-
tion and highly sensitive detection by Time of
Flight mass spectrometry and automated signal
evaluation employing techniques of principal
component analysis. Regarding the selective de-
tection of explosives one major project part was
focused on the synthesis and characterization of
so called MIPs, Molecularly Imprinted Polymers,
and the determination of their adsorption and de-
sorption properties, firstly off-line with specially
developed characterization techniques and se-
condly online in a TD-GC-TOF-MS system. Ex-
emplary 2,4,6-TNT, 2,4-DNT and DMMNB
were selected as MIP specific template mole-
cules. For the detection of explosives and se-
lected chemical warfare agents Tenax as broad-
band solid adsorption material was used.
The general concept of EXAKT and proof of its fea-
sibility was presented at previous Future Security con-
ferences. The emphasis of this paper is to show some
of the main results of this joined research project.
2 Experimental
A TT24-7 thermal desorption system was inter-
faced to a GC-BenchTOF-dx Time of Flight
mass spectrometer. Thermal desorption sample
tubes containing Tenax TA sorbent and novel se-
lective molecularly imprinted polymers (MIPs)
were used to adsorb the hazardous substances.
After tube desorption and GC-TOF analysis the
data was processed using TargetView
TM
software.
This is based on a multivariate data analysis pro-
519
gram applying deconvolution and pattern recog-
nition algorithms for compound identification.
The analytical detector is a newly designed
bench top reflectron Time of Flight (TOF) mass
spectrometer using high accelerating voltages in
order to achieve NIST like mass spectra. This
highly sensitive instrument can be directly inter-
faced into different sampling devices (e.g. TD,
headspace, etc.) or conventional gas chromato-
graphs enabling speciated GC-TOF analysis. The
high (full scan) sensitivity of the TOF make it an
ideal detector for trace level analysis especially
in combination with sample pre-concentration,
and the fast spectral acquisition complimentary
to the deconvolution / chemometric approach.
The analysis of tube based CWA simulant sam-
ples enables characterisation of the online con-
tinuous sampling system.
Chemical warfare agents have been analysed in
complex matrices (e.g. S-LOST and GB in petrol
and diesel). Explosives, like TNT or DNT have
also been detected in airborne matrices.
3 Results
3.1 Data Evaluation
An automated background subtraction algorithm
removes a dynamic baseline from each ion trace
of the GC-MS data. A deconvolution algorithm
then detects (unknown) substance peaks in the
background compensated data and calculates the
deconvolved spectra for those substance peaks.
Target substances which can be imported from
user specific target libraries are then identified in
the deconvolved data using principal component
analysis (PCA) (compare Figure 1a to 1c).
Figure 1a Total ion chromatogram of S-LOST in die-
sel.
The fast algorithms can be applied to the GC-MS data
on-line and off-line. The analysis does not require any
user interaction and will result in a report showing
identified target compounds with their matching coef-
ficients to the target library compounds. Peak sums of
the deconvolved substances can be used as a quantita-
tive measure.
Figure 1b Identification of S-Lost in a Diesel matrix
on a PCA discriminant plane.
Figure 1c Deconvolved spectrum of S-LOST in diesel
(top) compared to the NIST spectrum (bottom).
3.2 Tested and detectable CW agents
One part of the project was related to the detectability
of chemical warfare agents, particularly to determine
their mass spectra and their limits of detection. The
overall system consisting of the tandem desorber sys-
tem, the GC and the TOF-MS requires the optimisa-
tion of many parameters to achieve a good preconcen-
tration, short desorption times and very fast GC run
times.. The optimisation of those parameters was done
using CWA simulants. The optimized system was then
tested using real CW agents, firstly as pure reference
standards and secondly analyzing the CWAs in real
matrices such as diesel and petrol.
With the developed TD-GC-TOF-MS system we were
able to successfully measure and detect the following
CW agents with detection limits in the low pg range:
439 single substances 439 single substances
520
Sarin (GB, respiratory agent) and its homo-
logues (Ethylsarin, Crotylsarin)
Tabun (GA, nerve agent)
Cyclosarin (GF, nerve agent)
Soman (GD, nerve agent)
S-Lost (HD, mustard gas)
N-Lost (NH-3, blister agent)
Lewisite (blister agent)
VX (nerve agent)
Figures 2 to 4 show some special results. Lewisite I
and Lewisite II are usally identified indirectly as both
substances react rapidly and quantitatively with di-
thiols in a substitution reaction. The derivatives are
then identified with mass spectrometry. Using the
above described TD-GC-TOF-MS system we were
able to directly detect the Lewisite I spectrum (Figure
2). VX is one of the most difficult substances to detect
via GC/MS as it easily degrades when passing the de-
tection system. Figure 3 shows a section of the VX
mass spectrum. The ratio of the high ions is in good
agreement with the reference spectrum of the NIST
library spectrum.
Figure 2 Mass spectrum for Lewisite 1 measured with
TD-GC-TOF-MS (top) and NIST library spectrum (bot-
tom)
Figure 3 Section of the high ions of measured VX (top)
and NIST library spectrum (bottom)
Under optimised GC conditions very fast retention
times can be achieved at very low detection limits.
Figure 4 shows a fast GC run where 30 pg of Sarin
could be detected at a retention time of 1.576 minutes
with a match coefficient of 0.912.
Figure 4 Total ion chromatogram for 30 pg Sarin
(sampled on Tenax), positively identified at 1.576 min
with a match coefficient of 0.912.
3.3 Synthesis and characterisation
of MIPs capable of selectively
binding explosives from air
3.3.1. Different tested synthesis approaches
Molecularly imprinted polymers are highly cross-
linked, porous polymers which are synthesised in the
presence of a template, namely the analyte to be de-
tected later. When the template is removed, the MIPs
have highly selective adsorption / binding sites for the
targeted analytes. A lot of efforts were focused on the
suitable synthesis conditions of MIPs in order to
achieve the best results regarding type of porogenic
solvent, amount of cross-linker, porogen and emulsi-
fier as well as stirring conditions (speed, type of stir-
rer). Main objectives were to achieve regular particles
with narrow particle size distributions, high specific
surface areas and high adsorption capacities for the
targeted analyte (TNT, DNT or DMNB). [2, 3]
In order to increase the yield of one synthesis batch,
the previously used normal glass ware synthesis pro-
viding only 10 grams of MIPs was up-scaled. One ar-
gument for the up-scaling was the fact that the neces-
sary characterisation methods and test procedures
need several grams of material (e.g. BET needs about
2 g for one measurement) which might exceed the
produced output if a second or third repetition of the
same experiment must be carried out. In addition,
suitable amounts of the same MIP batch are needed
for future detection tests under realistic matrix spe-
cific scenarios. For the up-scaling of the MIP synthe-
sis a special reactor with two parallel 6 L autoclavs
was designed, installed, tested and successfully opti-
mized. Furthermore the necessary cleaning procedure
was successfully up-scaled including soxhlet cleaning
Retention time 1.576 Minutes
Match=0.912
30pg Sarin
Retention time 1.576 Minutes
Match=0.912
30pg Sarin
521
steps, vacuum oven handling and sc-CO
2
extraction as
the last step. Using the best set of synthesis conditions
also a variation of the monomer type was investi-
gated, respectively, acrylamide (AA), methacrylic
acid (MAA) and methacrylic amide (MAAM).
Because the synthesis of MIPs under suspension con-
ditions leads to particles with sizes of only 20 to 40
m a new approach for synthesising so called core-
shell MIP particles was tested and optimized in order
to achieve particles with larger sizes. This results in
an increased gas flow through the MIP packing in a
standard glass tube used for air analysis. Different
core materials were tested (e.g. magnetite cores or
SiO
2
cores). Silica cores showed the best results as
they offer the most suitable linker procedure for de-
positing a thin adhesive layer to bind the MIPs onto
the cores. The best suitable anchoring technique used
an acrylate-based anchor applied in a special fluidized
bed reactor.
Adsorption properties of the synthesized MIPs and
non-imprinted NIPs as well as core-shell products
were studied using self-made gas generators for off-
line adsorption tests and SPME-GC-MSD and/or HS-
GC-MSD test procedures for characterisation of ad-
sorbed amounts. The best full particle MIPs and core-
shell MIPs were tested online in the TD-GC-TOF-MS
system which was coupled with a generator for explo-
sive vapors. Process conditions were optimised for all
parameters of the hyphenated measurement system.
3.3.2. Particle properties of produced MIP
Figure 5 exemplarily shows extremely different MIP
particle types obtained via suspension polymerisation
[1] using chloroform, CHCl
3
or carbon tetrachloride,
CCl
4
. Using CHCl
3
as porogenic solvent leads to
spherical, porous polymers with mean particle sizes of
about 20 to 40 m and specific areas up to 400 m/g.
In case of CCl
4
the solubility and prearrangement of
all ingredients of the MIP suspension mixture was
rather poor, yielding to asymmetric irregular, hollow
particles. The more polar solvents 2-
ethoxyethylacetate and dichloromethane also lead to
unsatisfying polymerisation results or even failed to
polymerise in some experiments.
Best used synthesis conditions using chloroform as
porogenic solvent in combination with PEG4000 as
emulsifier lead to uniformly layered core-shell MIP
particles having sizes of about 230 m and BET sur-
face area values of about 240 to 270 m
2
/g with pore
radia of 28 to 33 . As used for the full polymeric
MIPs, the core-shell MIPs were synthesized using
about 83 % of EGDMA, ethylene glycol dimethacry-
late as cross-linker.
Figure 5 SEM images of spherical, porous MIP parti-
cles using CHCl
3
(left) and hollow irregular MIP parti-
cles using CCl
4
as porogenic solvent (middle) and SEM
of obtained core-shell MIP particles (right, CHCl
3
used)
3.3.3 Off-line adsorption tests for qualification
of adsorption selectivity of MIPs
Adsorption properties of the synthesized MIPs were
studied using SPME-GC-MSD and/or HS-GC-MSD
test procedures. Both developed tests qualitatively
lead to comparable results. Best imprint effects for
full MIP particles were realized using 120 g PVA and
AA for TNT as template. In case of DNT best imprint
effect was achieved using 40 g PVA combined with
AA. The third addressed template, DMNB, yielded to
best adsorption properties compared to the non im-
printed polymer when using MAAM and 40 g PVA.
All produced MIPs nearly show no cross-sensitivity;
for example the TNT imprinted MIP does not show a
relevant adsorption tendency for DNT (having only
one nitro group less) or DMNB. Specific adsorption
of the other imprinted MIPs also are very selective,
showing hardly any cross-sensitivities for the explo-
sives which were not used for imprinting the MIPs.
The core-shell MIPs and NIPs were also treated with
explosive vapors. TNT or DNT treated MIPs were
characterized via SPME-GC-MSD and/or HS-GC-
MSD test procedures. DMNB treated MIPs/NIPs were
tested using HS-GC-FID. Due to the fact that core-
shell MIPs were synthesized using PEG4000 as emul-
sifier, the chemical surrounding for the template
molecules TNT, DNT and DMNB differs from the full
polymeric MIP particles where PVA was used. The
different chemical surroundings lead to somewhat dif-
ferent adsorption tendencies compared to the full par-
ticle MIPs. The cs-MIP with the best sensitivity for
TNT was synthesized using acrylamide with 140 g of
PEG4000, whereas the best DMNB sensitive cs-MIP
was based on methacrylic acid together with 140 g of
PEG4000. The best DNT imprinted core-shell MIP
was obtained using methacrylic acid together with
140 g of PEG4000. The above described off-line test
procedures showed that the cs-MIPs had no relevant
cross sensitivities to explosives not present as tem-
plate during their synthesis.
3.3.4 Adaption of explosives gas generators to
the TD-GC-TOF-MS system
As reported earlier the TD-GC-TOF-MS system was
coupled with the self-made explosives gas generators
100 m 100 m 100 m
522
providing well defined concentrations of the explo-
sives TNT, DNT or DMNB using nitrogen as a carrier
gas. Firstly, processing conditions were tested and op-
timized in order to measure suitable reference mass
spectra of the explosives TNT, DNT and DMNB us-
ing Tenax as adsorber material. Secondly, sufficient
adsorption and desorption system parameters were
tested and optimized. First tests using a 30 m GC-
column after the tandem desorber combined with
preliminary separation / oven parameters led to a
retention time for TNT of 19 min. With a fila-
ment current of 4A the lower detection limit for
certain identification was 640 pg TNT. Increased
GC oven temperature conditions and shortening
the column length to 10 m reduced the TNT re-
tention time to about 8 min. Under these condi-
tions the lower detection limit for certain identi-
fication of TNT was 200 pg@4.3 A. Direct injec-
tion to the GC provided a limit of detection for
TNT of about 10 pg. Future adaption and optimi-
zation of the run time conditions of all included
system parts might further enhance the achiev-
able detection values. For example the currently
applied GC-parameters were optimized accord-
ing to the required method development and
were until now not optimized for the shortest
analysis times. Fast chromatography usually re-
sults in decreasing chromatographic peak widths
and increasing peak heights enhancing the limits
of detection.
3.3.5 Online-tests of best MIPs and cs-MIPs in
the TD-GC-TOF-MS system
The best produced MIPs and related NIP materials as
well as the best core-shell MIPs and NIPs were char-
acterized according to their online-adsorptivities ap-
plying short adsorption times (20 or 8 min) of the
coupled explosives vapor generators. Figure 6 exem-
plarily shows the TOF detector intensities measured
for the best produced full MIP particles imprinted
with TNT compared to the related NIP particles (AA
with 120 g of PVA).
Figure 6 Measured TOF peak intensities after TNT ad-
sorption on TNT imprinted full particle MIP and NIPs
(online treatment for 20 min @ TNT gas generator) and
subsequent desorption from tandem desorber
Results clearly show the achieved imprint effect as
detected also for the off-line test procedures. Com-
pared to the latter the short term adsorption experi-
ments more clearly pronounce the better adsorptivity
of the MIP against the NIP (regard the logarithmic
sale of TOF intensity). The best DNT and DMNB im-
printed full MIPs showed comparable results. Cross-
sensitivity tests are currently verified.
Same online tests were made for the best core-shell
MIPs and NIPs. As shown in figure 7 acrylamide,
AA-cs-MIP, was the cs-MIP with the highest adsorp-
tivity for TNT. Short term adsorption of TNT does not
show a relevant uptake of TNT to the measured non-
imprinted core-shell polymers (note the logarithmic
scale of figure 7). Compared to the off-line experi-
ments the relative adsorption of the AA-cs-MIP is not
so pronounced compared to other both MIPs, but
clearly enhanced for the AA-cs-MIP.
Figure 7 Measured TOF peak intensities after TNT ad-
sorption on core-shell MIP and NIPs (online treatment
for 8 min using TNT gas generator) and subsequent de-
sorption from tandem desorber
Figure 8 shows a histogram of the match factors of a
series of TNT measurements (about 400 adsorp-
tion/desorption cycles). The match factors were calcu-
lated by comparing the deconvolved mass spectrum
for TNT to the NIST library spectrum. Fig. 8 proves
that TNT can be clearly identified during long-term
measurements using cs-MIPs as adsorption materials.
Figure 8 Likelihood of recognition for repeated sam-
pling comparison of measured TNT spectrum with
NIST library spectrum (each after 8 min TNT treatment
with subsequent desorption using cs-AA-MIP, JH 230)
TNT adsorption of produced Core-Shell MIPs and NIPs
1
10
100
1000
10000
100000
T
O
F

M
S

I
n
t
e
n
s
i
t
y

[
a
.
u
]
JH 225 NIP
JH 223 MIP
JH 227 NIP
JH 230 MIP
JH 229 NIP
JH 228 MIP
MAAM AA MAA
TNT adsorption of produced Core-Shell MIPs and NIPs
1
10
100
1000
10000
100000
T
O
F

M
S

I
n
t
e
n
s
i
t
y

[
a
.
u
]
JH 225 NIP
JH 223 MIP
JH 227 NIP
JH 230 MIP
JH 229 NIP
JH 228 MIP
MAAM AA MAA
100 m 100 m 100 m
Best TNT imprinted full particle MIP and NIP
1
10
100
1000
10000
100000
1000000
AA, 120g PVA
T
O
F

M
S

I
n
t
e
n
s
i
y
t

[
a
.
u
]
JH185 NIP
JH186 MIP
20 40 m 20 40 m
400 cycles each adsorbing 8 min
TNT@20 ml/min
Likelihood of recognition: 99,2 %
R > 0,7: 97,4%, R > 0,8: 92,2%
400 cycles each adsorbing 8 min
TNT@20 ml/min
Likelihood of recognition: 99,2 %
R > 0,7: 97,4%, R > 0,8: 92,2%
523
Comparative analysis of the two other MIPs based on
MAA or MAAM shows a much greater likelihood of
recognition in case of the AA-cs-MIP compared to the
other MIPs (99.2 % in case of AA-cs-MIP in stead of
83.6 and 69.3 % for MAAM and MAA).
In comparison, adsorption of explosives on Tenax
showed higher background noise resulting in lower
match factors of the measured mass spectra.
3.3.6 Realistic explosives containing samples
Some preliminary test measurements on realistic IED
probes were made using a specially prepared radio
equipped with a block of technical TNT in the rear of
a radio, which was wrapped in a polymer foil. Using
the best TNT imprinted cs-MIP as adsorption material
in the TD-GC-TOF-MS system, TNT was positively
identified via airborne sampling near the radio. When
replacing the TNT cs-MIP with the best DNT im-
printed cs-MIP in the tandem adsorber, DNT could
also be identified, which is a typical by-product of
technical TNT.
For practical applications a mixture of different cs-
MIPs could be used to cover a wide range of explo-
sive materials. Alternatively, explosives imprinted
MIPs could be used together with the broadband ad-
sorption material Tenax. Further evaluation tests of
the developed TD-GC-TOF-MS system are necessary
using Tenax and/or the produced MIPs under realistic
scenarios as well as the testing of the CWA specific
detection capabilities under realistic CWA and/or TIC
specific scenarios.
4. Conclusions and outlook
In the joint research project EXAKT a sensitive and
selective detection system for the near-real-time de-
tection of airborne chemical warfare agents and ex-
plosives in the low pg range was developed and suc-
cessfully tested. By using fast GC methods and opti-
mising the process parameters of the measurement
system very low amounts of CW agents could be
identified in the range of some minutes. The concept
of the tandem adsorber (no sampling blind spots) in
combination with a very sensitive detection system
enables online monitoring of ambient air for the near-
real-time detection of hazardous substances at very
low concentrations.
Airborne explosives could be detected and positively
identified at relevant concentrations. The measure-
ment conditions for explosives can be improved fur-
ther to reduce the analysis time per cycle (e.g. shorter
GC columns, faster temperature gradients, etc.). When
using MIPs or mixtures of different MIPs as multi
sorbents the chromatography might even be elimi-
nated as only target substances are trapped by the se-
lective adsorbers.
Selective MIPs can also be used as on-board passive
diffusion adsorption materials for the surveillance of
containers. The adsorber tubes can then be analysed
off-line using an automated tube sampler together
with the TD-GC-TOF-MS system at the airport or in a
harbour. Preliminary test measurements also showed
the potential use of the developed TD-TOF-MS sys-
tem for the analysis of swab or swipe probes after
sampling contaminations from surfaces. Most swab
and swipe materials showed a high background signal
which in many cases was in the same order of magni-
tude as the target explosives DMNB, DNT and TNT.
Selective MIPs can significantly reduce this back-
ground and applying the developed deconvolution al-
gorithms and software for target identification trace
analysis of swab samples can be promising. Further
developments of best procedures and a modified de-
sign of the thermal desorber allowing easy insertion
of the swab samples will be necessary.
References
[1] J.-P. Lai, X.-Y. Lu, C.-Y. Lu, H.-F. Ju, X.-W. He,
Anal. Chim. Acta, 2001, 442, 105-111.
[2] Horner, G.; Ringer, J.; Boeker, P.; Bunte, G.; Et-
terer, Th., EXAKT Joint BMBF Research Pro-
ject: Near Real-Time Trace Analysis of Airborne
Chemical Warfare Agents and Explosives, Pro-
ceedings of Fraunhofer Symposium Future Secu-
rity 3rd Security Research Conference,
Karlsruhe, 11th-12th September 2008
[3] G. Bunte, J. Hrttlen, J. Ringer, F. Rietz, P.
Boeker, J. Leppert, T. Etterer, G. Horner,
EXAKT Joint BMBF Research Project: Pro-
ject Status on Near Real-Time Trace Analysis of
Airborne Chemical Warfare Agents and Explo-
sives, Proceedings of Fraunhofer Symposium
Future Security 5
th
Security Research Confer-
ence, Berlin, September 7th 9th, 2010
524
Integrated border management -
Remarks on a border control roadmap

Heiner Kuschel, Fraunhofer FHR
Ingo Walterscheid, Fraunhofer FHR
Grt-Oliver Luedtke, Fraunhofer FKIE
Wolfgang Koch, Fraunhofer FKIE
Neuenahrer Str. 20
53343 Wachtberg
Abstract
The implementation of an integrated border management (IBM) system requires the integration of separate in-
formation systems of all organizations and entities participating in border management and the integration of
these systems with international border control environment. The technical framework includes plans for inte-
grated information system details for IBM. It is performed together with the agencies, to correctly identify suit-
able applications for use in prototype border crossing gates and border surveillance areas. This includes an as-
sessment of new technologies for border management and intelligence and information sharing. Border surveil-
lance is considered a basic part of the border management. Optimum border gate management is affected by
border crossing activities in less densely controlled areas between border gates. Here, new technologies for bor-
der surveillance and area surveillance are requested.
1 Introduction
Integrated Border Management (IBM) Systems are
essentially to be designed and implemented within a
Systems of Systems architecture that enables informa-
tion sharing for improved situational awareness for
border control at the local, regional, national, and
European level. A catalyst to be able to move quickly
to operational systems will be interoperable data base
architectures such as those developed in the defence
domain. The improved situational awareness is ex-
pected to enable the various organizations, responsi-
ble for border control, to carry out their tasks.
IBM architectures enable users to combine and
intelligently fuse data from different sources and se-
curity domains. These sources include mandatory
data such as AIS reports (AIS: Automated Identifica-
tion System), data from legacy sensor systems such as
radar, data from new platforms and sensors, or exter-
nal data sources.

2 Benefits of IBM Architectures
IMB systems of systems interconnecting and improv-
ing existing systems show the following features:

1. Improved information sharing between national
organisations within their own country, between
countries and at the EU level.
2. A methodology for the determination as to which
information is shared and between whom and on
which legal basis.
3. Permanent and all weather surveillance coverage
of maritime areas.
4. Continuous collection and fusion of heterogene-
ous data provided by various types of sensors and
other intelligent information from external infor-
mation sources and security domains.
5. Supervised automatic detection of abnormal be-
haviour (tracks and activities) and generation of
documented alarms.
6. Understanding of suspicious events and early
identification of risks and threats from series of
detected spatiotemporal abnormal behaviour in-
dications.
7. Detection and tracking of targets.
8. Detecting and preventing illicit movements of
persons and goods through multilayered and end-
to-end surveillance
9. Provision of data from unconventional platforms.
10. Provision of data from new or upgraded sensors.
11. Provision of new and/ or upgraded communica-
tion solutions.

525
3 Information Fusion Aspects
Surveillance is carried out for different domains, such
as border control, environmental protection, or trans-
port safety. The installed surveillance systems include
reporting and messaging systems and sensor systems
such as radar, video, IR-and thermal imaging, Syn-
thetic Aperture Radar (SAR), etc. to collect informa-
tion to receive an overall situational picture.
In this context, integrated border surveillance and
control system provide officers on all levels of hierar-
chy, as well as automated decision support systems,
with a vast amount of data. To prevent human users,
or actuators involved from being overwhelmed by the
continuously streaming data and information and to
optimize its use for the manifold and various decision
tasks, it is necessary that only the right piece of high-
quality information, relevant to a given situation, is
transmitted at the right time to the right user or com-
ponent and appropriately presented.
The development of sophisticated novel software
processing technologies and algorithms are mandatory
e. g. for under clutter detection, identification and
tracking of small objects, persons, vessels, and low
flying aircrafts. One main objective is robust and re-
liable information fusion, information sharing and in-
formation exchanging software and data base archi-
tecture aiming at the automatic detection of anoma-
lies.
Therefore, dedicated data and information fusion
algorithms have to provide appropriate situation pic-
tures, according to the respective level of command,
responsibility, and type of function to be supported.
Only if this is given, the data streams will support
goal-oriented decisions and coordinated action plan-
ning in practical situations and on all levels of deci-
sion hierarchy. The trends and features are aiming at:

1. Robustness (one failing module should not
come out to failure of the whole system),
2. Scalability (upscaling of the IT-structure for
a nation-wide approach),
3. Flexibility (integration of novel and legacy
systems),
4. High availability (24/7 operation, redundance
of IT-structure mandatory),
5. Standardization (conversion of data and in-
formation to standardized formats for use in
the whole information sharing environment),
6. Vendor independency (enabling of system of
systems - operation with technologies and
standards from different system suppliers).

4 Border Surveillance by Radar
An analysis of available radar technologies for sur-
veillance ranging from air- and space-borne to
ground-based active and passive radar has been car-
ried out in order to assess their potential to yield in-
formation, which may improve the border situation
awareness and thus facilitate or increase the efficiency
of border management.

4.1 Ground Based Active Radar
Ground surveillance radars, which are designed to de-
tect moving objects on the ground or at low altitudes
have been developed in the recent years and are ready
for use. They either come as mobile devices, mounted
on vehicles like the BUER-system, which will be used
by the German Armed Forces, or even as man-
portable systems being carried and operated by only
one person.
The Lynx, a system of the latter type is reported to
operate in the Ku-band with a bandwidth of 450 MHz
and an instrumented range of 70 m to 12 km. With
omni-directional azimuth coverage and elevation cov-
erage of a few degrees it shall detect persons at ranges
up to 6 km and cars, helicopters and zodiacs at ranges
up to 12 km dependent on their size and velocity.
With its 25 kg weight and compact dimensions (53 cm
x 35 cm x 13 cm) it can integrated in almost any
structure or operated with high mobility. It provides
an Ethernet/Asterix interface and can thus feed its
tracks into information networks. Such active radars
can be used to monitor critical border zones automati-
cally or operated by a small number of personnel with
high precision and in all weather conditions.
The BUER radar of EADS is a new generation mobile
X-Band pulse Doppler radar for ground and sea sur-
face surveillance applying active phased array antenna
technology. This technology enables the radar to fulfil
the multi-role requirement, providing flexible adap-
tive scanning and tracking schemes and to perform in
conjunction with other SW techniques its complex
analysis tasks. In sum using consequently the benefits
of SW controlled electronical scanning with the op-
erational advantages it provides new functionalities
for the operator.
4.2 Ground Based Passive Radar
Passive radar systems using broadcast transmitters
as non-cooperative illuminators have become the
focus of attention for military air surveillance in
homeland security applications. Passive coherent lo-
cation (PCL) is performed by measuring the time-
difference-of-arrival (TDOA) between a direct trans-
mitter signal and a target echo signal either from mul-
tiple transmitters or together with a direction-of-
arrival (DOA) of the target echo signal. Such radars
using digital broadcast as well as FM radio signals -
and for short range applications even WIFI or GSM
signals - are expected to offer some operational ad-
vantages over conventional active radars. The use of
passive systems can potentially provide superior
low level coverage compared to active systems due
to the energy distribution of the illuminators and pro-
vide potentially better radar cross section by virtue of
526
the bistatic geometry and frequency of operation
(usually VHF and UHF). As passive radars are essen-
tially receive-only sensors they are covert; fur-
thermore, as they do not radiate their own beacon
signal, they are generally cheaper than active sys-
tems [1] [2].
Such attractive features, however, come at the
expense of having to rely on non-radar signals as
the illuminating source. Use of a non-radar signal
such as a broadcast communications signal can result
in ambiguous target detections in single-frequency
networks or coarse resolution at low frequencies
and narrow signal bandwidths. Hybrid passive radar
systems have been proposed in order to exploit the
advantageous features of all available sources of illu-
mination. Experimental systems like the CORA.
or PETRA system of Fraunhofer FHR [3] - figure 1
shows the Cora system during trials - or demonstra-
tors like the HA100 of Thales and the PARADE of
Cassidian have demonstrated the detection capabili-
ties against small aircraft and ships and a technology
readiness level, which makes ground based passive
radar a strong candidate for border surveillance.
In particular,
their covertness
and cost effi-
ciency could be
a driving argu-
ment for net-
works of pas-
sive radars to
survey border
lines for low
level air traffic
or shore-
lines/blue bor-
ders for marine
traffic.
4.3 Airborne Active Radar
For ground surveillance from airborne platforms gen-
erally synthetic aperture processing is applied. A syn-
thetic aperture is spanned during flight by the -e. g.
side looking - antenna on the aircraft taking consecu-
tive positions along the flight path for measurements
and processing the measured data simultaneously as if
they were taken at the same time by a long antenna
consisting of multiple elements.
The ASTOR (Airborne Stand-Off Radar) programme
of the UK is such a ground surveillance radar on an
airborne platform, which uses phased array antennas
and SAR-MTI radar processing based on the Ad-
vanced Synthetic Aperture Radar Type 23 (ASARS-
2) of Raytheon (former Hughes). The UK company
Marconi Radar & Countermeasures systems has
developed the 4.6 m antenna, which will be mounted
in a radome under the front part of the fuselage. The
ASTOR SAR will have a search mode with coarse
resolution and a track mode with a resolution below
30 cm. It will apply electronically scanning and pro-
vide a maximum range of 250 to 300 km. Up to 8
ground stations shall receive the SAR data simultane-
ously for evaluation in real time.
Smaller versions of SAR-systems can be mounted on
drones, which then may patrol critical border zones.
The SAR can include a Ground Moving Target Indi-
cator (GMTI), which highlights objects and people
that are on the move. The drone's ability to stay aloft
for hours, if not days on end gives operators the per-
fect platform from which they can monitor an area of
interest.
4.3 Spaceborne Active Radar
The German SAR-Lupe is an example for a space
borne reconnaissance system. The SAR-Lupe pro-
gram consists of five identical (770kg) satellites,
which are controlled by a ground station [4] which is
responsible for controlling the system and analysing
the retrieved data. They have been developed by the
German aeronautics company OHB-System,
The "high-resolution" images provided by SAR-Lupe
[5] can be acquired day or night through all weather
conditions. On December 19
th
2006 the first satellite
was launched from Plesetsk in Russia, about a year
after the intended launch date; four more satellites
were launched at roughly six-month intervals, and the
entire system achieved full operational readiness on
July 22
nd
2008.
The five satellites operate in three 500-kilometre or-
bits in planes roughly sixty degrees apart. They use an
X-band radar with a three-metre dish, providing a
resolution of about 50 centimetres over a frame size
of 5.5 km on a side ('spotlight mode', in which the
satellite rotates to keep the dish pointed at a single
target) or about one metre over a frame size of 8 km
x 60 km ('stripmap mode', in which the satellite
maintains a fixed orientation over the earth and the
radar image is formed simply by the satellite's motion
along its orbit). Response time for imaging of a given
area is ten hours or less. Thales Alenia Space provided
the core of the Synthetic Aperture Radar sensors
4.5 Airborne Passive Radar
Like in ground based passive radar systems broadcast
transmitters may also be used as illuminators for pas-
sive radars mounted on moving platforms. The con-
straints for passive coherent processing, however, are
somewhat different from ground based PCL-systems.
The movement of the platform introduces Doppler
spread of the clutter, which is thus more difficult to be
filtered out. The Doppler spread clutter may mask
slowly moving ground ones targets.
First approaches to airborne PCL are pursued by War-
saw University of Technology (WUT), where an FM
radio based PCL radar had been mounted on a car
platform for measurements in order to verify the con-
cept of Doppler spread clutter cancellation.
Figure 1: CORA System during
passive radar trials
527
Presently the work is focused on processing methods,
which can be used for clutter suppression in airborne
PCL radars including Doppler-spread clutter filtration,
displaced phase center antenna (DPCA) techniques
and STAP processing. An experimental system has
been installed on an airborne platform (SKYTRACK
plane Figure 2) to test DPCA and STAP techniques.
The first results were promising. The suppression of
moving targets was at an acceptable level and the
simulation results show that a DPCA technique based
on two antennas can be a useful tool for ground clut-
ter suppression. This method is expected to help solv-
ing the problem of detection of slow moving targets
for PCL radar installed on a moving platform. With
respect to border surveillance, particularly small air-
borne platforms like drones may profit from doing
without an own transmitter saving weight and power.

Figure 2: Skytrack aircraft used in the experiment
4.4 Air-Spaceborne Bistatic Radar
The spatial separation of the transmitter and the re-
ceiver in bistatic synthetic aperture radar (SAR) en-
ables a variety of data acquisition geometries to
achieve benefits like the increased information con-
tent of bistatic SAR data. However, in the case of hy-
brid bistatic SAR constellations where the transmitter
is spaceborne and the receiver is onboard an aircraft,
one has to deal with a huge discrepancy between plat-
form velocities.
The Fraunhofer FHR has conducted several bistatic
spaceborne/airborne SAR experiments, where the ra-
dar satellite TerraSAR-X was used as a transmitter
and the airborne SAR sensor PAMIR (Phased Array
Multifunctional Imaging Radar) was used as a re-
ceiver [6]. Due to the fact that both sensors are
equipped with phased-array antennas, which offer the
possibility of beam steering, new innovative acquisi-
tion modes could be successfully tested to overcome
the discrepancy between platform velocities. The syn-
chronization of the transmitter and the receiver was
achieved using the direct satellite signal and a pulse
synchronization circuit to trigger the internal receiver
clock.
In 2008, first experiments have been performed and
the data could be successfully focused. In 2010,
bistatic data have been acquired to demonstrate the
feasibility of airborne forward-looking SAR [7].
Such bi-static airborne-spaceborne SAR configuration
can, in border surveillance, combine the covertness of
spaceborne illumination with an increased signal-to-
noise ratio of airborne radar due to the shorter range.
Figure 3 shows an artists view if the experiment set-
up.
Figure 3: Bi-static SAR experiment with TerraSAR-X
and PAMIR

5 Conclusions
We provided an overview of demands and architec-
tures required by integrated border surveillance and
control. The particular relevance of radar sensors as a
source of information was expressed. Hence a road-
map for border control and surveillance and its mile-
stones can be designed in order to achieve a capable
and efficient integrated border management system,
which follows international standards like those ap-
plied in the defence domain.
References
[1] N. J. Willis, Bistatic Radar, 2nd Edition, SciTech
Publishing, 1995.
[2] M. I. Skolnik, Introduction to Radar Systems,
2nd Edition, Mc Graw-Hill Company, 1981
[3] H. Kuschel, Experimental passive radar systems
using digital illuminators (DAB/DVB-T)
IRS2007
[4] SAR-Lupe ground station: Zentrum fr Nach-
richtenwesen der Bundeswehr (ZNBw), Max-
Planck-Str. 17, 53501 Gelsdorf
[5] Strategie & Technik International Edition
11/2007
[6] I. Walterscheid, T. Espeter, A. Brenner, J. Klare,
J. Ender, H. Nies, R. Wang, O. Loffeld: Bistatic
SAR experiments with PAMIR and TerraSAR-X
setup, processing and image results, IEEE
528
Trans. on Geosci. Remote Sens., Vol. 48, No. 8,
August 2010, pp. 3268-3279.
[7] T. Espeter, I.Walterscheid, J. Klare, A. R. Bren-
ner, and J. H. G. Ender, Bistatic forward-
looking SAR: Results of a spaceborneairborne
experiment, IEEE Geosci. Remote Sens. Lett.,
to be published.

529
Coastal Surveillance Radars Developed in TUBITAK BILGEM
UEKAE
Nazli, Candan, Ph.D., TUBITAK
1
BILGEM
2
UEKAE
3
, TURKEY

Abstract
Increasing demand on border security along littoral zones has been the driving force for getting strong provi-
sions and technological support for TURKEY, a country which is surrounded by sea in all three directions.
TUBITAK UEKAE has established the domestic engineering resources and made vast investments on develop-
ing sensor technology, particularly on Surveillance Radars. The deliberate choice of FMCW Radars for this pur-
pose and their salient features are presented in this paper.

1
The Scientific and Technological Research Council of Turkey
2
Center of Research for Advanced Technologies in Informatics and Information Security
3
The National Research Institute of Electronics and Cyrptology
1 Introduction to BILGEM Ra-
dars
1.1 Contribution of Radars to Border
Security
The Coastal Surveillance in countries with large blue
borders is of profound importance in many aspects.
Main reasons are the security and the control of the
coasts. Border security does not only involve home-
land security but safety of all international affairs and
cooperation such as trade, touristic voyages taking
place along the border, as well.
Modern radars, as a significant part of sensor tech-
nologies, occupy wide and effective place in coastal
guard provisions because of their diverse capabilities
-other than simply detecting and displaying the veloc-
ity and range of the targets- such as classification,
identification, route estimation. Moreover network of
radars over a wide area [1] ensures the effective ob-
servation, control and protection of coastal borders
thus aiding for countering terrorism and smuggling
operations, improving situational awareness, avoiding
the environmental pollution, and relaxing navigation
traffic, etc [2], [3].
1.2 BILGEMRadars: Fruits of R&D
TUBITAKas the leader research council in Turkey
managed domestic engineering resources on this sub-
ject and developed Surveillance Radars in a relatively
short time, 2 years. The first radars being developed
in a Turkish Government organization for civil pur-
poses were realized in UEKAE one of the institutes of
TUBITAKBLGEM, in 2007 and 2008 respectively.
The deployment plan of them in Gebze Campus is
shown. (see Figure 1)

Figure 1 Radar Deployment in TUBITAK Campus,
Gebze TURKEY
SAGRAD-1 is produced for coastal surveillance tasks
(see Figure 2a). GEMRAD is a shipborne LPI Navi-
gation Radar (see Figure 2b). SAGRAD-2 is another
advance version of SAGRAD-2 and designed as a
VTS radar as well as for coastal surveillance purpose
(see Figure 2c). Unlike sophisticated military radars,
due to their low-power, solid-state architecture asso-
ciated with LFMCW signal modulation, they are low-
cost, inexpensive, small, light, and easily deployable
on vessels and vehicles.

530

Figure 2a SAGRAD-1

Figure 2b GEMRAD-1

Figure 2c SAGRAD-2

2 FMCW Radars
The waveform generated and the RF architecture of
the FMCW radar differ from those of conventional
pulsed radars due to the frequency modulation of con-
tinuous wave radar signal. Basically, the range and
velocity parameters of the target cause frequency shift
in the Radar return signal [4]. A typical linear FM
wave form is a triangular frequency modulation with
up-down chirp signals (see Figure 3).

Figure 3 FMCW wave
T
d
: time of return signal from the target
'f: frequency deviation (instantaneous frequency
bandwidth)
T
m
: modulation interval
T
g
:gap for processing time
The main characteristic of FMCW operation is the
continuous transmission of power which is much
lower than the peak and average value of pulsed
power. This gives opportunity for the utilization of
solid state electronics in the design.
A block diagram of FMCW Radar with the Tran-
sciever unit is given (see Figure 4) [5]. A homodyne
receiver architecture is used. In the Tx unit, the main
DDS Block performs wave shaping while yielding
linearity in the frequency modulation. Moreover, the
digital control of RF parameters such as frequency
hopping, gain of the signal etc brings in exclusive fea-
tures in the operational performance of the system.
These features are presented in subsequent sections.

Figure 4 Block Diagram of FMCW Radar Units
Unlike a monopulse radar antenna configuration,
quasi-monostatic (i.e. separate identical antennas be-
ing deployed side-by-side) allows continuous trans-
mit-receive operation with 60 dB isolation.

2.1 FMCW vs Pulsed Radars
In Table 1, a comparison between pulsed and FMCW
radars is presented which explains the choice of
FMCW radar, particularly for surveillance applica-
tions.
531
Table 1 A Qualitative Comparison between FMCW
and Pulsed Radar Characteristics
Properties Pulsed
Doppler
FMCW
Peak Power High Low (LPI)
Range Resolution High-
Medium
High
Velocity
Resolution
High Medium.
Complexity in
Hardware and
Algorithms
High-
Medium
Low
Detectibility Medium Low
Range Ambiguity Yes (High-
Medium)
No
Clutter fold-over Yes No
Eclipse Yes No
Matched Filter
Requirement
Yes No
Multiple Target
Tracking
Time Domain Frequency
Domain-
Easier
TX-Rx Isolation
for simultaneous
Tx-Rx
Hard
(monostatic),
min 100 dB
Easy
(quasi-
monostatic)
, ~60dB
enough
Frequency
hopping (wider
bandwidth)
Hard Easy
Maintainability Medium High
Cost High Low

2.2 The Prominent Features of Surveil-
lance Radars of TBTAK
A basic Surveillance Radar configuration in sub-
system level (see Figure 5) as well as common fea-
tures and performance values of BILGEMRadars are
given in this section [6], [7]. The X-band radar
GEMRAD-1 is selected as the reference Radar.
2.2.1 The Main Sub-system Composition of
GEMRAD-1
Figure 5 GEMRAD-1 Sub-system Configuration of
GEMRAD-1
2.2.2. GEMRAD-1 Performance and Struc-
tural Features
Radars have a detection range as required by
IMO and IALA standards and are
comparable to modern pulsed navigation
radars [8].
Having the capability of wide band frequen-
cy range and frequency hopping, the radars
can eliminate sea-clutter effect and have high
resistance to ECCM.
The Transceiver and the Signal Processing
units are implemented with solid state com-
ponents, as separate modules. The
Transceiver and Antenna units can be built
over the deck of ships or towers with its own
pedestal and the Radar Signal Processing
unit can be deployed under the deck or in-
side the building.
The range resolution is often better than for
pulsed systems and the minimum usable
range is generally very short.
GEMRAD navigation radar with the
Antenna and Signal Processor Unit can be
completely self contained or can be part of a
navigation system or even of a CMS
(Combat Management System) on a larger
ship.
The Antenna is of SWG array type [9]. The
polarization is particularly selected as
vertical for better clutter suppression. In
532
SAGRAD-2, circular polarization is chosen
so as to be less susceptive to rain clutter.
With the Ethernet/LAN interface, all of the
radars in the entire surveillance network, ra-
dar parameters and target tracking options
can be controlled remotely, which is
available for data fusion in target
identification /classification.
The target detection process runs in real time
while tracking runs scan-to-scan off-line.
With the help of optional Target Tracking
software, 200 afloat targets can be monitored
simultaneously.
Spread spectrum techniques such as frequen-
cy hopping is available both in custom and
random hopping pattern. The frequency agil-
ity accompanying very low side lobe levels
keeps them immune to jamming.
LPI and High Power are optional. Besides,
the output power between 1mW and 1 Watt
for LPI, it is also possible to increase the
power output up to 15 W to 30 W. (optional
hardware & software controlled). With op-
eration under 1 W they exhibit Low Power
Detection (LPD) feature.
Non-coherent integration of modulation
chirps improves detection performance. In
recently developed systems coherent integra-
tion is introduced surpassing the non-
coherent processes. Moreover, coherency is
inevitable for Doppler resolution
STC is introduced for the equalization of the
signals coming from the nearby targets with
the one of the distant targets.
Built-In-Test and localization of the errors is
available with the proper circuitry residing in
the TR unit.
With sector blanking selection, disabling the
output power in the desired angular sectors is
possible.
The radar overdeck units (antenna, TR and
pedestal units) exhibit low RCS (stealth) pro-
file.
32 k FFT provides less than 10 meters target
resolution up to a range of 24 nmi.
Cell Averaging CFAR Algorithm is efficient
in manipulating the background clutter issue.
The detection peformance, common to all
others:
Range Accuracy: < 4 m
Range Resolution: < 12.5 m
Angle Accuracy: < 0.4
Angle Resolution: < 2, 1.2, 0.55
( SAGRAD-1, GEMRAD, SAGRAD-2,
respectively)
The intercept range of GEMRAD for a given
sensitivity level vs. transmitted power is
given in Table 2.
Table 2 The Intercept Range of GEMRAD vs Output
Power
Output
Power
(Antenna
Gain
31 dB)
GEMRAD ESM Intercept Range (km)
(Sens:
-40dBmi)
Channelized ESM
Receiver
OmniAntenna
(Sens: -60dBmi)
High
Performance
Directional
Antenna
(Sens: -80dBmi)
1 W

0.266

2.6

26.5

100 mW

0.084

0.84

8.3

10 mW

0.027

0.26

2.6

1 mW 0.008 0.08 0.8

In the snap-shot from GEMRAD-1 display, the land
profile together with the targets present at the moment
can be seen.(Figure 6a). On the selection of the track-
ing screen, stationary and moving targets are indi-
cated (see Figure 6b)

Figure 6a GEMRAD-1 display- moving targets with
land profile
533

Figure 6b GEMRAD-1 target track display- indicat-
ing moving and stationary targets
3 Potential Developments in
Surveillance Radars
The progress in technology indicates aggregation in
radar capabilities which has a direct impact on meas-
ures for Border Security. Further improvement in the
parameters and performance quantities such as fre-
quency bandwidth, data processing rate, power effi-
ciency as well as compactness, reconfigurability, reli-
ability can be attained. When networking of surveil-
lance radars together with the complex sensors are
considered the versatile provisions for surveillance
operations could be achieved, such as multiple target
identification/classification, assessment of their threat
level etc.
BILGEM Radars can be the primary selection, fitting
particularly into the blue border safety measures, with
their exclusive features such as LPI, LPD, network
compatible, remote configurable, etc. presented here.
References
[1] Giompapa, S.; Farina, A.; Gini, F.; Graziano,
A.; Croci, R.; Di Stefano, R.: Study of the
Classification Task into an Integrated Multisen-
sor System for Maritime Border Control, IEEE
Radar Conference, pp. 1-6, 2008
[2] Butler, W.: Design Considerations for Intrusion
Detection Wide Area Surveillance Radars for
Perimeters and Borders, IEEE Conference on
Technologies for Homeland Security, pp.47
50, 2008
[3] Weber, P.; Premji, A.; Nohara, T.J.; Krasnor, C.:
Low-cost Radar Surveillance of Inland
Waterways for Homeland Security Applicati-
ons, IEEE Radar Conference, pp. 134 139,
2004
[4] Pace, P.E.: Detecting and Classifying Low
Probability of Intercept Radar, MA (USA),
2004
[5] Yayil, F.: TUBITAK UEKAE Radars, Tech-
nical Report TUBITAK UEKAE, 2009
[6] Belgul, A.: FMCW Radar Parameters, Tech-
nical Report TUBITAKUEKAE, 2008
[7] Hizal, A.: SAMRAD Coastal Surveillance Ra-
dar, Technical Report TUBITAKUEKAE,
2006
[8] IALA Guidelines on AIS as a VTS tool,
December 2001, http://www.iala-aism.org.
[9] Turetken, B.: Alatan L.:, Yayil F.; Radar
Antenleri-1: Yarikli Dalga Kilavuzu Antenleri,
UEKAE Dergisi, C.1, S.1, Sf.105-109, 2010

2
GZL
Hareketli
Hedefler
Hareketsiz
Hedefler
Stationary
targets
Moving
targets
534
Enhancing Nuclear Security at Ukrainian Border Stations to Pre-
vent Illicit Trafficking
Wolfgang Rosenstock, Wolfram Berky, Sebastian Chmel, Hermann Friedrich, Theo Kble, Monika Risse, Olaf
Schumann, Fraunhofer-Institute for Technological Trend Analysis (INT), Germany
Abstract
In the context of the possible threat of illicit trafficking of radioactive or nuclear material it is of great impor-
tance to stop the transport of such material across international borders in order to prevent terrorist groups from
facilitating nuclear explosive devices or radiological bombs containing this kind of material. The TACIS (Tech-
nical Assistance to the Commonwealth of Independent States) program of the European Commission comprises
several projects concerning the enhancement of borders of former Soviet Union states to the European Union
(EU) with respect to nuclear security. One of these projects refers to a common project of the European Com-
mission and the State Border Guard Service of Ukraine concerning Ukrainian border stations. The Fraunhofer
INT attends to this project as consortium leader. Other projects in that respect refer e.g. to Republic of Belarus
and Republic of Armenia.
Several Ukrainian border stations to EU states were examined concerning the necessities and options for install-
ing radiation detection equipment for the purpose of monitoring of vehicles and pedestrians crossing the Ukrain-
ian border. For that reason Fraunhofer INT scientists visited some of the Ukrainian border stations. To assure an
appropriate selection of equipment several aspects were taken into consideration, e.g. general layout of the sta-
tion, traffic flow, and detection systems which had already been installed at or near the station. Based on these
considerations both the technological needs for the detection of radioactive and nuclear material including a pri-
ority list and the associated technical specifications were provided to the contracting entity by the Fraunhofer
INT.
The next step, which is currently under way, is an invitation to tender addressed to manufacturers of relevant
equipment concerning appropriate measuring systems with requirements specifications based upon the Fraun-
hofer INTs expertise. After the acquisition and installation of the measuring devices at the border stations in
question, demonstration exercises of the new detection systems will follow, also with participation of the Fraun-
hofer INT. Furthermore Fraunhofer INT will be involved in supporting the training of the Ukrainian experts.
This project serves as a further step towards a higher degree of security in the nuclear sector at EU borders. The
course and the preliminary results of the project will be presented.

1 Introduction
Illicit trafficking of nuclear or radioactive material
became an issue of worldwide concern in the early
1990s after a number of incidents involving the sei-
zure of highly enriched uranium. The global terroris-
tic activities during the last decade increased the
worry of governments and the public that such mate-
rial may fall into the hands of people who could use it
for malicious purposes.
In that regard special problems arose when in 1991
the Soviet Union fell apart and a highly developed
nuclear industry had to be reorganized. The new
states of the Commonwealth of Independent States
(CIS) had to manage the problems of safety and secu-
rity of this material. New authorities and regulations
were established to fulfil this difficult task. The proc-
ess of allocating these responsibilities had to be car-
ried out against the background of State's structures
development and reforming with all consequences
arisen.
In 2000 the European Commission launched the pro-
gram TACIS (Technical Assistance to the Common-
wealth of Independent States) to encourage democra-
tisation and to strengthen the rule of law as well as the
transition to a market economy in the former Soviet
Union states [1, 2]. Improving the nuclear safety and
security is an important objective of the program, too.
Since 1
st
January 2007 the TACIS program is part of
the ENPI (European Neighbourhood and Partnership
Instrument) [3].
The project Ukrainian border crossing station is a
task within this TACIS program where the European
Commission is represented by the Institute for the
Protection and Security of the Citizens (IPSC), Italy,
part of the European Joint Research Centre (JRC).
The overall objective of the project is the strengthen-
ing of the non-proliferation regime and the extension
535
of the counteraction against the threat posed by illicit
trafficking of nuclear or radioactive material (NRM)
and its use for terrorist purpose. It is a follow-up of
the TACIS Task Counteraction against non-
authorized transfer of nuclear material [4] and is
dedicated to the security situation at the borders of the
Ukraine.
Especially methodological and metrological support
is to be provided to the activities of the relevant
Ukrainian institutions aimed at the detection, identifi-
cation and categorization of NRM at Ukrainian bor-
ders. This includes training activities as well. The pro-
ject is conducted by a consortium with the Fraunhofer
Institut fr Naturwissenschaftlich-Technische Tren-
danalysen (Fraunhofer Institute for Technological
Trend Analysis, Fraunhofer INT) as consortium
leader and the Bundesanstalt fr Materialprfung
(German Federal Institute for Materials Research and
Testing, BAM) as partner and extends over four years
until 2012.
In the following a review on the so far performed ac-
tivities and achieved results is given: Objective of the
first phase of the project was to get and document an
updated overview about the general situation concern-
ing illicit trafficking and criminal use of NRM in
Ukraine, about related countermeasures [5] (see 2.1)
and about the related current regulations, equipment
and procedures at Ukrainian borders [6] (see 2.2). In
the next phase the needs with highest priority were
identified, described and a related procurement call
was launched by the European Commission [7, 8]
(see 2.3). In the last phase the new equipment will be
installed and a related training of trainers will be im-
plemented. The project will close with a demonstra-
tion exercise of the new equipment and the training
results (see 3).
2 Illicit Trafficking of Nuclear
or Radioactive Material
(NRM) in Ukraine
2.1 The National Situation
As mentioned above the breakdown of the Soviet Un-
ion and the process of reorganisation has caused a dif-
ficult situation with respect to nuclear safety and se-
curity in the new independent states amongst them
Ukraine, a country with nuclear industry and materi-
als (e.g. in the Chernobyl Exclusion Zone), a difficult
economic situation and the geographical position be-
tween Asia and Europe: The north-south axis was the
main traffic axis in the time of the Soviet Union.
Since the independence of Ukraine west-east orienta-
tion is rising.
Today Ukraine is an important transit country be-
tween Middle Europe and Caucasus, and between
South Europe and Russia, respectively. An alarming
number of cases of illicit trafficking of NRM have
been observed, indeed, in the recent years in Ukraine.
Therefore many national and international efforts
have been made to cope with the situation.
Multilateral and bilateral programs and projects have
been established. International technical assistance is
provided by the US Department of Defense, the US
Department of Energy, the European Commission, the
IAEA, and the Swedish Nuclear Power Inspectorate
(SKI) by means of projects concerning the prevention
of proliferation and the installation of detection
equipment at border crossing points. Bilateral and
multilateral support schemes have contributed (and
are still contributing) to a significant improvement of
the situation with respect to detection and response to
illicit trafficking in the Ukraine.
In general the efforts of the European Community, the
IAEA and Department of Energy (DoE) / National
Nuclear Security Administration (NNSA) in combat-
ing illicit trafficking at borders are coordinated
through the Border Monitoring Working Group
(BMWG), which was established in 2005. Support
projects, programs and activities are amongst others:
The US Second Line of Defense Program (SLD), US
Nuclear Smuggling Outreach Initiative (NSOI) or
Program Technical Assistance to the Commonwealth
of Independent States (TACIS).
An overall number of more than 10 Ukrainian state
agencies and legal entities are at least in part involved
in the field of prevention of illicit trafficking concern-
ing nuclear or radioactive material in Ukraine.
Amongst others response plans were developed to de-
fine responsibilities and actions with respect to illicit
trafficking of NRM, trainings were provided and bor-
der crossing stations were equipped with detection
systems. This process is far from being finished. The
measures and provisions have to be continued and
expanded.
2.2 Detection of NRM and Related
Procedures at Ukrainian Borders
This Ukraine has borders with seven countries with a
total length of nearly 6000 km. The border traffic in
Ukraine includes ground vehicles (trains, buses,
trucks, cars) and pedestrians, but also sea and air traf-
fic. Many of these check-points are used for multiple
transportation modes. For example most of the auto-
mobile check-points are also used by pedestrians.
All Ukrainian border stations are designed with the
same structure. There are three areas starting from the
foreign country: border control (controlled by the
State border guard service - SBGS), customs and neu-
tral (see Figure 1).
The general procedure for passing a border crossing
station is as follows: For travelling from Ukraine
abroad first a SBGS officer controls whether the bor-
der crossing persons have passports and provides
them a checklist. Secondly in the customs office de-
536
clarable goods are checked and duty has to be paid.
Thirdly the passports are inspected in detail. Fourthly
a SBGS officer controls the fulfilled checklist before
the travellers leave the border control area. For travel-
ling into Ukraine the customs office and the passport
control is done in reversed sequence.

Border Control
SBGS
Customs
SBGS Officer
SBGS
Officer
Border Area
: possible position for RPM
West State

Figure 1 Sketch of a typical border crossing station
Thus on both sides of the border crossing station area
a SBGS control exists where the vehicles are stopped
and controlled at only one or two, seldom more lanes.
This is an ideal position for the installation of radia-
tion portal monitors (RPM), where for technical rea-
sons a slowdown of the vehicles is necessary. At this
position the number of monitors is minimal and no
additional delay of the total procedure is required.
Equipping the border crossing stations with suitable
portal monitors was therefore the main focus of sev-
eral programs.
If an alarm is created by the RPM due to the exceed-
ing of the preselected levels by the measurement val-
ues the vehicle is stopped and taken out of the line. A
special place for the following examination purpose is
foreseen (see Figure 2).

Figure 2 Measuring place for a closer examination of
a suspicious vehicle
Then a task force committee comes into operation
consisting of one member of the SBGS, one member
of the customs and one member of the Ministry for
Environmental Protection and Nuclear Safety of
Ukraine. This committee is available 24 hours 7 days
a week and conducts the further investigations of the
case as they are described in 2.3.
2.3 Technical Aspects of NRM Border
Control
The first and main measure for the detection of NRM
at border crossing stations in general are radiation
portal monitors (RPM). If a RPM shows an alarm (de-
tection) additional measurements have to be pre-
formed. This includes a detailed scan of the object -
vehicle or pedestrian - to identify the position of the
measured radioactive source (localisation) as well as
the nuclides of which the source is comprised (identi-
fication) (see Figure 3).

Figure 3 Typical inspection situation with hand held
detectors (picture made during an exercise) [9]
A reasonable first step is to repeat the measurement
with the RPM to verify the alarm, and in the case of a
vehicle to perform a first localisation by a very slow
transit. If a controlled person has got a medical treat-
ment with radioisotopes the vehicle should be
checked without the person to rule out other hidden
sources. Generally an identification of the radioactive
material is important in the case when legal radioac-
tive sources (e.g. the mentioned person after medical
treatment with radioisotopes) are found and a com-
parison with the shown declaration has to be done.
Because it is generally thinkable that an illegal nu-
clear source is masked with a legal source all steps
detection, localisation and identification - are impor-
tant. In order to compare the measured results with
the written declaration beside the identification a de-
termination of the amount is necessary. In all cases it
is necessary for self-protection to have personal do-
simeter with direct indication of the received dose
rates.
Radiation Portal Monitors (RPM) are detection sys-
tems with large detection areas which are mainly used
only for detection of radioactive or nuclear sources
and not for identification purposes. These RPM
should have high detection efficiency for being able
537
to detect also smaller or shielded NRM sources.
Handheld detectors are used for detection, identifica-
tion and for searching NRM. At border crossing sta-
tions they are called into action when the RPM shows
an alarm. With handheld detectors the suspicious ve-
hicle or person are searched for the location of the
supposed NRM. Furthermore the handheld detectors
are used for the identification of gamma sources. Per-
sonal dosimeters respectively pagers (direct indication
of the occurrence of increased radiation) are used for
self-protection measures. Portable contamination
monitors are necessary for the verification if objects
are contaminated with radioactive or nuclear material.
One of the fields of application for contamination
monitors is for example the control of surfaces and
objects after handling with NRM.
A comparison of the general technological needs with
the status quo at the border crossing stations leads to
the general requirements that were specified for the
selected border crossing stations in phase two of the
project. Furthermore a priority list for the importance
of the installation of the described equipment needs
was included. The technical specifications for vehicle
RPMs, personnel RPMs, handheld radioisotope iden-
tifier devices and handheld radiation detection de-
vices were defined according to ANSI N42.35-2006,
ANSI N42.34-2006, ANSI N42.33-2006, ISO 22188
and IAEA standards and regulations. In addition local
needs and conditions had to be taken into account.
3 Outlook
After the evaluation of the tenders new equipment
will be bought and installed in the last phase of the
project. In close cooperation with the parallel TACIS
Task Armenian Border Crossing Station related
training will be implemented. Fraunhofer INT will
support the JRC in the organisation and execution of
training for Ukrainian specialists to provide them with
the competence to train other Ukrainian specialists.
The training will take place at the JRC training centre
in Ispra, Italy.
At the end of the project a demonstration exercise will
be organized at a border crossing station in Ukraine to
guarantee realistic conditions. Therewith it should be
verified that NRM can be detected, localised and
identified with the help of the implemented equip-
ment and based on the given support. Also successful
training is to be demonstrated in that way.
With all these technical and organisational measures
the potential illicit trafficking of NRM will be re-
duced considerably thus prohibiting terroristic acts
with such material.
References
[1] Commission of the European Communities,
Communication from the Commission to the
Council, the European Parliament, and the
Committee of the Regions on Cross-border Co-
operation within the framework of the TACIS
Programme, COM (97) 239 final, 1997
[2] Council of the European Union, Council Regu-
lation (EC, EURATOM) No 99/2000 of 29 De-
cember 1999 Concerning the Provision of Assis-
tance to the Partner States in Eastern Europe and
Central Asia, OJ L 12, 18.1.2000, p. 1-9, 2000
[3] Council of the European Union and European
Parliament, Regulation (EC) No 1638/2006 of
the European Parliament and of the Council of
24 October 2006 Laying down General Provi-
sions Establishing a European Neighbourhood
and Partnership Instrument, OJ L 310,
9.11.2006, p. 1-14, 2006
[4] MEPNS report, presented in kick-off meeting of
TACIS project CANATNUM at ITU in
Karlsruhe, Germany, April 1999, , see: Final in-
ception report of TACIS Project DG I No U5/95:
Arrangement 98-0079, pp. 5ff
[5] R. Arlt, W. Berky, S. Chmel, T. Kble, M. Risse,
W. Rosenstock; Report A 2: Illicit trafficking of
radiological and nuclear material in Ukraine
the national situation in 2009, EU TACIS Pro-
ject, Consortium leader: Fraunhofer INT, Ger-
many, 2009
[6] R. Arlt, W. Berky, S. Chmel, T. Kble, M. Risse,
W. Rosenstock; Report A 3: Description of pro-
cedures concerning illicit trafficking of radioac-
tive material in place at borders of Ukraine,
Consortium leader: Fraunhofer INT, Germany,
2009
[7] H. Friedrich, W. Berky, S. Chmel, T. Kble,
M. Risse, W. Rosenstock, O. Schumann; Re-
port B 1: Metrological needs for the detection of
illicit trafficking of RNM at Ukrainian borders
crossing stations, Consortium leader: Fraunhofer
INT, Germany, 2010
[8] H. Friedrich, W. Berky, S. Chmel, T. Kble,
M. Risse, W. Rosenstock, O. Schumann; Re-
port B 2: Technical specifications for detection
systems related to illicit trafficking at Ukrainian
borders, Consortium leader: Fraunhofer INT,
Germany, 2010
[9] V. Shendryk, Detection and Procedures Im-
provement within the Border Monitoring Activ-
ity, presented at the Kick-Off-Meeting of EU
TACIS Project, Ispra, Italy, Jan. 2009

538
Risk Assessment, Epidemiology, Detection of Biological Agents to
secure the Feed and Food Chain
Juliane Braeunig, Annemarie Ksbohrer, Heidi Wichmann-Schauer, Bernd Appel,
Department for Biological Safety, Federal Institute for Risk Assessment, Germany
Abstract
In a global world of trade of feed, livestock and food the safety of products for human or animal consumption is
strongly dependant on secured supply and production lines.

Incidents in recent years with chemical contaminants like melamine and dioxin in feed and food, or the effects of
biological agents like Foot and Mouth Disease Virus on livestock, or the efforts of eradication of BSE to protect
consumers have impressively demonstrated the vast financial and logistic consequences for the producers, the
traders and all public and private organisations involved in food control and management. In addition, huge
amounts of investments and risk communication efforts had to be paid to regain the trust of the consumers in af-
fected products and companies.

Safe products are strongly dependent on secured supply chain logistics. This is especially important, if producers
want and have to exclude or minimize the risk of criminal activities like sabotage, fraud or intentional contamina-
tion of products or production and transport lines with harmful chemicals or biological agents.

Security measures must follow and support safety issues:
In the case of monitoring the possible existence and types of biological agents (pathogens) along the feed and
food chain, the so called zoonotic agents, which originate from animal sources and may infect humans, have to be
identified and excluded or minimized by technical and hygienic means. The security measures should especially
be adopted and optimized to secure the production and trade chains and the products for livestock and human
consumption in order to prevent intentional contaminations or sabotage.

Besides increasing travel activities, the global import of animals and foodstuff like mostly illegal bushmeat
imports may increase the overall load of zoonotic disease burden. To analyse the consequences, identify the
sources and import routes and finally drastically reduce illegal imports, logistic, diagnostic and analytical tools
have to be developed or modified to support customs for early identification and confiscation of those products.
This is especially important from the perspective of an epidemiological outbreak analysis:
Early identification and analysis have to discriminate between natural background cases, non-intentionally out-
breaks or the threat of an unexpected intentional release of pathogens harmful to animals and humans: bioterror-
ism.

The presented talk will give an overview on relevant cases or scenarios and demonstrate the necessities of new
foci and the improvement of existing risk assessments and management tools and options along supply chains.

References
[1] Buchanan, R.L. and Appel, B., Combining analysis tools and mathematical modelling to enhance and har-
monize food safety and food defense regulatory requirements. Internatl. J. Food Microbiol.139: Suppl.1,
p.48-56, 2010

539
Network of German Authorities in the Context of Bioterrorism in
the Food Chain

Dr. Anja Buschulte, Federal Institute for Risk Assessment, Germany
Dr. Niels Bandick, Federal Institute for Risk Assessment, Germany
Prof. Dr. Bernd Appel, Federal Institute for Risk Assessment, Germany
Anja.Buschulte@bfr.bund.de
Abstract
Terrorism which focuses on food (or feed) is defined as an act or threat of intentional contamination of food for
human consumption with chemical, biological or radio nuclear agents for the purpose of causing injury or death
to civilian populations and/or disrupting social, economic or political stability (1). Therefore, the effects of the
intentional contamination of food with microbial agents could be the same as those for natural, unintentional con-
taminations.
Historically unintentional contaminations of food demonstrated the sensibility of the food chain with regard to
criminal acts. This chain extends from farm to table covering all sectors of the food chain, including feed produc-
tion, primary production (livestock), food processing, storage, transport and retail sale or supply to the consumer.
Despite all efforts to improve the safety of food there is still a risk of foodborne illness and outbreaks. In the
European Union around 320.000 cases of reported zoonotic infection in humans in 2008 (2) are indicating the
vulnerability of food without any known intentional activity.
The examples of both, deliberate or unintentional contamination of food in recent decades illustrated the follow-
ing:
- a lot of people may be harmed or infected
- for some agents the identification of the causing product takes a long time
- time point of identification determines the start of investigation strategies
- the number of potential illnesses depends on detection time
- deliberate contamination could occur at any point along the food chain.
At the same time historic events show that the vulnerability of the food chain has become apparent for criminals
or terrorists too. Some aspects of food production may still increase the attractiveness for bioterroristic use (3):
food is mainly produced in open systems, production units are large, nearly every person or social group can be
reached and an attack may result in enormous negative economic implications. The WHO (1) stated that the ma-
licious contamination of food for terrorist purposes is a real und current threat, and deliberate contamination of
food at one location could have global public health implications.
To ensure food safety in Germany a network of responsibilities takes care of all relevant aspects on the different
levels of food production. An overview about the stakeholder of this Network, their competence and possible
lacks of security will be presented as well as ongoing research activities to improve biosecurity. Therefore a brief
glimpse into a system for the assessment of vulnerabilities in food production systems will be given.

540
References
[1] World Health Organization (2002). Terrorist
threats to food: guidance for establishing and
strengthening prevention and response systems. ISBN
92 4 154584 4.

[2] European Union (2010). The Community
Summary Report on Trends and Sources of Zoonoses,
Zoonotic Agents and foodborne outbreaks in the
European Union in 2008, The EFSA Journal (2010),
1496.

[3] Buchanan, R. L. and B. Appel. "Combining
analysis tools and mathematical modeling to enhance
and harmonize food safety and food defense regula-
tory requirements." International Journal of Food Mi-
crobiology (2010).

541
Securing the Feed and Food Supply Chain in the Event of Biologi-
cal and Agro-terrorism (BAT) Incidents - The German SiLeBAT
Project

Matthias Filter, Federal Institute for Risk Assessment, Germany
Dr. Anja Buschulte, Federal Institute for Risk Assessment, Germany
Dr. Anneluise Mader, Federal Institute for Risk Assessment, Germany
SiLeBAT-partners: Analytik Jena AG; Federal Office of Consumer Protection and Food Safety; Federal Institute
for Risk Assessment; Freie Universitt Berlin, Institute for Animal Nutrition; Friedrich-Lffler Institute; Johann
Heinrich von Thnen Institute; Max Rubner Institute, Institute for Microbiology and Biotechnology; University
of Bonn, Institute for Animal Sciences; BALVI GmbH, Germany
Prof. Dr. Bernd Appel, Federal Institute for Risk Assessment, Germany
Bernd.Appel@bfr.bund.de; www.silebat.de
Abstract
The project SiLeBAT elaborates practical solutions to secure food supplies for the general population in the
event of a biological and agro-terroristic (BAT) damage scenario. The research focus is laid on the operability of
the affected food commodity chain. Solutions for prevention, early detection and damage containment will be
developed.
The project examines BAT damage scenarios, which jeopardise the health of the general population through the
contamination of food or indirectly through the infection of livestock. This could for instance happen through
the intentional contamination of agricultural products in the field of feed production.
As an example for a corresponding scenario, an attack on the meat and milk commodity chain is studied. The
commodity chain starts with the import of feed components and leads through the production of feed, the rear-
ing of the animals, the harvesting of milk, slaughtering and processing, the distribution of fresh meat and dairy
products to the retail trade. In the event of a biological or agro-terroristic attack on this commodity chain it
would be necessary to include all steps of the chain into the damage analyses and into the development of man-
agement options. Effective and co-ordinated acting of all those involved in crisis management is only possible if
there is a secured availability of comprehensive and valid technical information. Therefore, structuring and mak-
ing available of technical information is an essential component of the approach developed by the research net-
work. This includes, amongst others, the following topics: epidemiology and tenacity of agents, availability and
effectiveness of detection procedures, detection limits, sample preparation methods, decontamination processes,
handling rules, recommendations for handling and management procedures etc. Furthermore, computer-based
procedures to analyse commodity flows and assess risks and crisis management options will be developed (e.g.
cost/benefit analyses). Technical information, which is not or only incompletely available, is elaborated and / or
updated within the framework of the project. Another goal is to elaborate a solution, which makes all resources
developed and released within the project available to those parties involved in case of need through a specially
designed, secured and extendable information platform. In parallel, a practising and training concept is elabo-
rated and implemented in an exemplary manner.
542
1 Project Objectives
1.1 Background
The intentional contamination of food or feed is con-
sidered as a relevant threat to public health and ani-
mal production infrastructures [1]. Such events would
additionally directly affect the existing food and feed
commodity supply chains and thus cause high eco-
nomic damage in the private and public sector. The
SiLeBAT projects aims at the development of damage
mitigation and prevention strategies based on scien-
tific risk assessments in the food and feed sector.
1.2 General Solution Strategy
The proposed solutions are based on a set of basic
theses that represent the consensus view of all part-
ners involved in the project. These theses are:
- BAT damage events are that dangerous for the pub-
lic health in general, the responsible decision makers,
as well as the affected private sector companies, that a
strong and transparent collaboration between all
stakeholders has to be the foundation of any kind of
crisis management. This implies that in these specific
scenarios no stakeholder alone will be able to provide
comprehensive solutions on his own.
- Certain solutions that will be developed for BAT
events will be applicable in the case of food or feed
associated regular contamination events as well.
- It is feasible to develop solutions on the basis of the
existing regulatory framework.
- The misuse of developed solutions must be avoided.
- The solutions developed within the SiLeBAT project
will demonstrate the proof-of-concept. The develop-
ment of commercial products, their implementation
and their maintenance will cause significant addi-
tional costs.
Figure 1 SiLeBAT working areas and their applica-
tion mode
Based on these underlying principles the project part-
ners aim at developing a collection of solutions that
will enable efficient science based risk assessments.
These risk assessments together with certain stand-
alone solutions can be used in crisis situations as well
as in preventive efforts (see Figure 1).
2 SiLeBAT Consortium
2.1 Project Partners
The SiLeBAT consortium is led by the Federal Insti-
tute for Risk Assessment who co-ordinates the pro-
ject, models and analyses scenarios, optimises and
validates detection methods, develops software for
risk assessments and elaborates a utilization and
maintenance concept. The Analytik Jena AG creates
solutions for optimised sample preparation and devel-
opes a demonstrator for a specific detection system.
The Federal Institute for Consumer Protection and
Food Safety analyses existing commodity chain struc-
tures and possibilities for early detection. The Freie
Universitt Berlin, Institute for Animal Nutrition,
characterises agents and focuses on aspects of decon-
tamination of feed. The Friedrich-Lffler-Institute
simulates the dissemination of agents and examines
pathogen behaviour for early detection. The Johann
Heinrich von Thnen Institute examines the economic
impact of BAT damage scenarios and their preven-
tion. The Max Rubner Institute, Institute for Microbi-
ology and Biotechnology elaborates new and opti-
mises known investigation methods for different
foods. The BALVI GmbH examines the necessary
data structures and creates the demonstrator of an in-
formation platform. The University of Bonn, Institute
for Animal Sciences, creates a model for crisis related
data and information exchange.
Additionally the project partners are supported by six
Federal State authorities, six private sector associa-
tions and four private sector companies working to-
gether with the work package leaders in the projects
steering committee.
2.2 Project Work Organization
The project work is organized along the project scope,
i.e. the supply chains in the feed, animal farm and
food production area with the consumer as the target
population (see Figure 2). For performance reasons
the working focus is further narrowed down to the
food chains of beef and veal as well as milk and milk
products and a selection of relevant BAT agents.
Figure 2 The four thematic work areas with eight
SiLeBAT work packages and their connection to the
project scope
543
3 SiLeBAT Solutions
Within each of the work packages specific solutions
for the specific thematic focus will be developed, e.g.
the agent centred tasks will generate improved detec-
tion and sample preparation technologies for a set of
BAT agents together with an increased knowledge on
the inactivation potential of food processing tech-
nologies for certain food matrices. The SiLeBAT
strategy to integrate all these recourses will be de-
scribed in greater detail.
3.1 BAT-Information and Software
Platform
The key element to achieve sustainability for the
plethora of specific solutions generated within this
project will be a web-based infrastructure (see Figure
3) with the following features:
- Based on open-source software platform to assure
compliance with requirements of government and lo-
cal authority IT systems
- Central entry point for users information requests
related to BAT (guidance documents, best-practice,
risk assessments, agent related information)
- Central entry point for services and software solu-
tions, e.g. software for vulnerability analyses, risk as-
sessment toolbox, network analysis software
- Dedicated user management solution to secure
proper access to and use of resources
- Decentralized data and content management syn-
chronized with web feature service technologies to
increase data quality
- Standardized data formats and information exchange
protocols extending (where necessary) currently
available standards
Additionally the developed infrastructure will be de-
signed such that a so called double-use concept can
be implemented. This concept will facilitate the appli-
cation of technologies and solutions that are not only
relevant for BAT damage events, but also for e.g. un-
intentional contamination scenarios. By that an addi-
tional critical success factor can be implemented,
namely the training of stakeholders in using these
new software resources.
Figure 3 Conceptual structure of a BAT-information
and software platform
4 Summary
Within the SiLeBAT project efforts will be under-
taken to improve and to extend the available re-
sources to prevent and cope with BAT damage scenar-
ios. This is feasible as the project is supported by a
large number of associated project partners from both
the federal state authorities and private sector associa-
tions. Their input is especially valuable in the re-
quirement analysis of the BAT information and soft-
ware platform. Thus the SiLeBAT project might serve
as a seed for the development of an extendable com-
munity software infrastructure supported by private
and public sector stakeholders from the field of food
safety and security.
Acknowledgement
This project is funded by BMBF research grant
13N11202
References
[1] Buchanan, R. L. and B. Appel. "Combining
analysis tools and mathematical modeling to enhance
and harmonize food safety and food defense regula-
tory requirements." International Journal of Food Mi-
crobiology (2010).
544
Improving the Security of Critical Transport Infrastructures -
New Methods and Results
Sascha Goldner, CASSIDIAN, Germany
Alf Papproth, Fraunhofer-Anwendungszentrum fr Logistiksystemplanung und Informationssysteme, Germany
Erhard Petzel, Institut fr Risiko- und Prozessmanagement (IRPM) GmbH, Germany
Gebhard Geiger, Technische Universitt Mnchen, Germany

1 Introduction
As one of the critical infrastructures of modern soci-
ety, air transport has become a prevalent target of ter-
rorist attacks. Exposure to terrorist threat is particu-
larly high for international airports since they provide
the operational bases of large-scale air traffic. SiVe
(Verbesserung der Sicherheit von Verkehrsinfrastruk-
turen) is a research project co-funded by the German
Federal Ministry of Education and Research which
aims to develop an innovative methodology of risk
management suitable to optimise critical infrastructure
protection. It starts from the fact that, on the one hand,
airport security management is increasingly being
forced to combine advanced security standards with
cost efficiency in a more closely-knit and systematic
way, while, on the other hand, measurements of the
effectiveness and efficiency of risk reduction provi-
sions continue to pose considerable methodological
problems. This paper describes the scientific goals and
the essential research findings of the SiVe project on
the basis of a concrete case study. The newly devel-
oped methodology is generic while pilot application
examples are chosen from airport security.
2 Approach
SiVe research and development has been split into
three major steps, (1) generation of a specific threat
scenario, (2) development of simulation models as
scenario refinements, and (3) comparative assessment
of security management measures. Advanced tech-
niques of systems analysis and simulation have been
employed to model relevant airport structures, proc-
esses and security incidents. Computer experiments
have been carried out to compare and optimise solu-
tions. The optimality analyses have been based on ap-
proaches to quantitative risk assessment recently de-
veloped in the operational sciences.
To exploit the advantages of the various techniques,
an integrated simulation workbench has been built up
that provides the functionalities for executing the three
major steps. Integration is necessary to fully support a
computer based simulation study that mirrors the full
complexity of critical infrastructures. Figure 1 shows
the modules of the workbench. The workbench sup-
ports simulation studies to address numerous impor-
tant issues. In the case of a novel type of attack be-
coming known, one can use the workbench to find an-
swers to the following questions: (1) What are the
affected scenarios? (2) What are the affected proc-
esses in the airport? (3) How large are the potential
losses? (4) Are they acceptable in the light of ones
risk aversion? (5) Which processes or procedures have
to be modified and/or which preventive or reactive
measures can be applied? (6) Which are the conse-
quences of these measures in terms of costs and in
terms of risk reduction?
Other significant issues are the optimisation of secu-
rity processes and the application of new security
technologies considering already known attacks. With
Figure 1 Modules of the SiVe security incident modelling and simulation workbench
545
the processbuilder software developed in SiVe, one
can find the most relevant airport processes including
all affected elements that are subject to the threat con-
sidered. In particular, one is now in a position to ad-
just processes and security arrangements and to simu-
late alternative layouts of the system and also modifi-
cations of the parameterisation of the processes
involved, such as attributes of time and cost as well as
probabilities and risk factors (what if scenarios).
In the simulation studies, as is systems (status quo)
are compared with to be systems. Each of the secu-
rity system layouts can be simulated under varying
conditions so as to generate numbers on potential
casualties, infrastructural damage and financial loss.
The workbench includes a logistics and agent-based
simulation engine to represent the passenger flows and
the behaviour of attackers. With these representations
one can model, in sufficient detail, the environment of
the processes involved and derive probabilities of
reaching decision nodes and of incurring losses in the
stochastic simulation.
The stochastic simulation engine is capable of simu-
lating complex system processes. Central outputs are
distributions of possible losses, which can be gener-
ated at different aggregation levels.
These distributions are the basis for the calculation of
certainty equivalents as the intrinsic prices of risk
(see section 2.4 below). Optimal layouts and configu-
rations of security systems can thus be derived, given
the users security standards, requirements and
budgetary constraints (acceptable risk, maximum tol-
erable damage or loss, costs, etc.).
In the next chapters, airport process models and the
modules for simulation and evaluation are described
in more detail. For the other modules, we refer to [1].
Within this paper, we focus solely on step (2) and (3)
of our approach. In chapter 3 we will explain the SiVe
approach further by using the comprehensive scenario
Implementation of a new scanning technology to de-
tect liquid explosives.
2.1 Airport process models
A business process can be considered as "goal-
oriented, chronological sequence of tasks which can
be executed by different organizations or organiza-
tional units using information and communications
technologies" [2]. The goal of every single business
process is to create a specific result, e.g. a product or
services, which helps to reach a companys overall
strategic goals. In our case, we focus on airport proc-
esses such as passenger handling. In general, business
processes are described hierarchically at different lev-
els of detail and from different perspectives. Within
our approach, we have selected three levels of detail
for our graphical business process models (Figure 2).
Each level is characterised by certain syntactical re-
quirements. The first level represents the most abstract
description of the business processes, the third level
the most detailed. The first level, which is the strategic
one, single core business processes are described in a
very abstract and simple way. The intention of this
level is to provide a quick overview of all exiting
processes and their interdependencies. Next, the sec-
ond level contains security-oriented process models.
That is the strategic level extended by a highlighted
representation of the security relevant aspects within
the core processes. This level still provides mainly an
abstract view of the overall system and no detailed
guide for operators, but clearly indicates where secu-
rity related tasks, e.g. security check points, are lo-
cated within the processes. The lowest level, the ele-
mentary process level, represents the most detailed
description of the business process containing the
process tasks with all the elementary steps and sub-
goals that have to be executed by a single user. Within
our work we concentrate on core business processes
of an airport and their security relevant aspects.

At this point it has to be decided which business proc-
ess modelling notation should be used to operate op-
timally within the given use case. A graphical repre-
sentation of business process information has proven
to be intuitive and effective for presentation to differ-
Figure 2 Business process models: levels of descrip-
tion
Figure 3 An example of a BPMN process model
546
ent types of users. One of the major requirements for a
process modelling notation in our relevant use case is
the capability of describing not only the activities of
the entities of the airport but also their interactions.
Hence the modelling notation has to meet the follow-
ing requirements and support the following features:
communication and data flow
different type of events
process hierarchies / encapsulation
mutual dependency
actor-oriented perspective
executable process models
extendable process modelling notation
After comparing different graphical notations for
business process modelling (i.e. workflow nets, event-
driven process chains, process algebras, unified mod-
elling language, Petri nets), we decided to use the
Business Process Modelling Notation (BPMN). Fig-
ure 3 shows an example of a BPMN process model.
The BPMN 2.0 standard provides a graphical notation
which is more expressive than the other notations
mentioned. Since version 2.0, BPMN provides rich
support for extending the notations syntax and for the
simulation of process models. The most important fea-
ture of BPMN is that the architecture of its process
models is quite similar to that of the agent-based mod-
els. Each pool or lane represents a single organisa-
tional unit or actor and thereby provides an actor-
oriented perspective of the business process. Further,
this perspective can be compared with the perspective
of an agent-based model. Each agent can be repre-
sented by a single process lane or vice versa. The
process steps within a single lane represent the inter-
nal tasks of an agent. The communication of the agent
with other agents or the environment is represented by
message and data flows to other lanes in the process
model. Thereby the agent-based approach and the
business process approach can be integrated very eas-
ily. A complete description of the BPMN 2.0 standard
is provided in [3].

2.2 Logistic and agent-based simulati-
on
Agent-based, logistic simulation provides an alterna-
tive to the conventional planning and decision making
instruments that consider the specific characteristics of
an airport, in particular the cognitive and social as-
pects of the behaviour of the people included in the
processes. Apart from detailed and realistic imaging of
the movement patterns of the passengers and airport
staff, the focus of the simulation carried out in the
demonstrator is on the abstracted determination of the
loss repartition caused by terrorist attacks in which
explosives are used. The intuitive and effective ap-
proach for describing the
passenger handling processes chosen in the demon-
strator is a combination of the modelling of business
processes and the agent-based simulation. By doing
this, the continuous modifications of regulatory basic
conditions due to the changing security situation with
its significant effects on the processes and infrastruc-
tures of the airports, can be recorded and imaged.
Compared to the conventional methods for describing
passenger flows, the agent-based simulation in combi-
nation with the detailed modelling of business proc-
esses allows a more precise imaging of the real world
[4]. This results in detailed, high-quality quantitative
findings about the behaviour of passengers in the air-
port system, such as the identification of recurring pat-
terns of behaviour, duration of stay, etc., by which
significant evaluations of potential performance
and/or security-enhancing optimisation measures are
possible under cost-benefit aspects.
The BDI agent architecture (Belief-Desire-Intention
software model) is used for simulating the human be-
haviour and the decision-making of the persons at the
airport [5]. During the logistic simulation, the agent is
understood as an autonomously acting entity who per-
ceives his environment through sensors and, at the
same time, interacts with it in a target-oriented way.
These characteristics of the agents interaction can be
used to model social or individual human behaviour.
The agents have knowledge of their environment (be-
liefs, e.g. knowledge of the regulations for departure),
desirable targets (desires, e.g. departure) and inten-
tions presently pursued (intentions, e.g. having
checked in). Detailed information about the agent ar-
chitecture has been given in [5]. The partial aspects,
'beliefs', 'desires' und 'intention', are modelled as
graphs using the specification language BPMN. In ad-
dition to that, each agent has got attributes that influ-
ence/characterise his decision-making and movement
patterns. A BDI interpreter has been developed to
process the graphs depending on the assigned agents
attributes, thus describing the individual behaviour of
the agents/passengers. Details have been described in
[4].
Figure 4 Structure and functional principle of the
logistic simulation
547
The multi-agent simulation environment (MAS) is
used for imaging both persons and technical systems
as agents. Agents who have the same or similar char-
acteristic values show similar or the same behaviour
patterns and can be combined to clusters. To simplify
the calculation, four different passenger clusters are
used in the demonstrator (business travellers, holiday-
makers, normal travellers and attackers) as well as
various types of employees (security and baggage
handling staff, shop assistants). Heterogeneous char-
acteristics can be assigned to the various passenger
clusters via a number of attributes, the diverse pa-
rameter values of which characterize their behaviour.
Both the attributisation and the modelling of agent be-
haviour and thus the characterization of the agent clus-
ters are largely built on existing data bases and, addi-
tionally, on the results of a passenger survey carried
out at Munich Airport. Attributes for the passengers
that are relevant to the utilisation of the airport are, for
example, the various kinds of baggage carried (hand
baggage, check-in baggage or bulky baggage), the
kind of check-in or the secondary behaviour during
the passengers stay (e.g. visits to shops or restaurants)
between the individual handling steps.
Apart from imaging the passengers' behaviour and
generating measured values and key figures for the
data supply of the stochastic simulation on the micro-
simulation level, the damage caused by a bomb attack
is determined in the damage category "damage to per-
sons" during the logistic simulation. To assess this
damage, three categories are defined: killed persons,
severely injured persons and slightly injured persons.
According to the description of the scenario, the at-
tacker's intention is to cause maximum possible dam-
age in terms of persons killed. To achieve his object-
ives the attacker looks for the maximum possible con-
centration of people in the waiting area where he then
ignites his explosive device. The simulation-aided de-
termination of the damage to persons is based on the
research results obtained by the George Mason Uni-
versity (GMU) Center of Air Transportation System
Research, Virginia/USA. [6] According to those re-
sults, a deadly radius is determined depending on the
type and quantity of the explosive. If the detonation of
the explosive device takes place, all persons staying
within the deadly radius of damage will very probably
be killed (Figure 5). [6] To determine the number of
injured and severely injured persons, the GMU model
approach was extended according to the above princi-
ple, in consultation with several experts, by the intro-
duction of two additional radii of damage.
Figure 6 provides the loss distribution caused by deto-
nating 1000 ml liquid explosive, (DEGDN, ethylen
glycol dinitrate), that was obtained from 1000 simula-
tion runs both for the passenger check / security check
and in the non-public security area. A precondition for
the determination of the loss repartition is that there
are realistic events at the airport in particular with re-
gard to the quantitative distribution of the passengers /
the passenger volume at the airport. For this purpose,
the simulation model will be initialized after the start
of the simulation. The chosen time of day, the appro-
priate flight schedule and the available capacities of
the aircraft and their average utilisation give informa-
tion about the passenger volume present. The initiali-
sation of the simulation model is carried out bearing in
mind the passenger volume determined and the typical
arrival behaviour of the various types of passengers.
The arrival behaviour is derived from the observation
of passengers and describes the kind of check-in, the
Figure 7 Architecture of the stochastic simulation
engine
Figure 6 Radii of damage
Figure 5 Loss distribution on security check and in
waiting area
548
carrying of baggage and the in time span between a
passenger's arrival at the airport and his departure.
During the initialisation, the passengers are allocated
in different numbers to the terminal areas, e.g. check-
in, security check, waiting area, etc. The passengers
do not always start at the start node of the graph, i.e.,
arrival at the airport.

2.3 Stochastic simulation
2.3.1 Architecture
The architecture of the stochastic simulation engine is
shown in Figure 7.
The airport process models in BPMN notation of a
certain scenario are the input for the simulator. Be-
cause not all elements of a BPMN model are helpful
or necessary to execute such a model, a directly ex-
ecutable model is automatically generated in a specific
notation. This notation is part of the subject-oriented
methodology, which is a new, revolutionary approach
to the modelling and execution of business processes
[7].
The second step is the parameterisation of the proc-
esses like activity times and costs, of decision nodes,
waiting queues and damage events. If the parameteri-
sation is complete, one can start the simulation. The
result of a simulation run is a log of activities and
events assigned to a global timeline.
A configurable report generator creates a set of useful
reports to compare different simulations easily. The
final output is distributions of possible losses.

2.3.2 Simulation Concept
A set of generators specifies the distribution of start-
ing times for instances of processes. Instances are pas-
sengers or terrorists, in general the elements which are
served by the different processes. A process is built
from a set of subjects. A subject is the graphical speci-
fication of a single thread of execution within an in-
stance of its process. Generators can start any number
of instances of a process for parallel execution. Exe-
cution within each process instance is exactly one in-
stance of each subject contained in the process.
Consequently, the number of threads of execution
within each instance of a process is fixed. Execution
within each subject instance results in a sequence of
activities. The duration of each activity on the global
timeline is sampled from a specified random distribu-
tion. The start of a new activity may be delayed when
waiting for messages or resources. Additionally, ac-
tivities can be interrupted when scarce resources are
reallocated to activities of higher priority. Subjects
within a process instance communicate by sending
messages to each other. Subjects do not communicate
directly between process instances, but may still inter-
act implicitly through either competing use of re-
sources or interactions based on counters.
The simulation starts at a specified time and date on
the simulation calendar. It stops when either an (op-
tional) end point on the calendar has been reached or
when all activity has ceased.
2.4 Certainty equivalent as a utility-
based measure of risk
Safety and security management must be both effec-
tive and cost-efficient. These objectives must usually
be accomplished under the constraints of risk, limited
resources and economic competition. It is therefore
often necessary to assess, in quantitative terms, the
risks against which expensive and inconveniencing
protective measures have to be taken. Methodologi-
cally and practically, quantitative risk assessment is,
however, a difficult task. Many of the available quan-
titative approaches to risk assessment are inherently
flawed in the sense that the statistical information re-
quired to estimate potential damage systematically
does not exist or cannot be acquired (e. g., for rare ca-
tastrophic events, non-repetitive incidents, planned
attacks on security, etc.)
In view of this situation, an approach has been devel-
oped and applied in the SiVe project to provide and
test innovative methods of assessing the effectiveness
and cost-efficiency of security planning, engineering
and decision-making. The approach draws on recent
advances in econometrics (non-expected utility
theory [8]) enabling the calculation of intrinsic
prices of risks in many applications in which purely
statistical measurements of risk must fail. Intrinsic
hereby means that risk prices are calculated within
particular accounting systems rather than determined
by the price mechanisms of insurance markets. Risk
prices are indicators of the (economic) utility of risk
taking. Accordingly, a risk price is the sure amount of
loss or damage (money, numbers of injuries or fatali-
ties incurred in a security incident, time or other re-
sources expended, etc.) at which a decision-maker is
indifferent in preference between incurring this
amount of loss and taking a particular risk. Because of
this indifference, or equivalence, the intrinsic price of
a risk is also referred to as the certainty equivalent
of that risk.
Once certainty equivalents can be assigned to security
incidents and their potential consequences in a syste-
matic way, they will provide critical support to the
planning and operation of effective and economical
protective systems. To this end, security incidents
have been simulated in computer-based models of air-
port operating systems differing in their security man-
agement provisions (technical, procedural, organisa-
tional, etc.) with the use of suitable scenario and soft-
ware techniques. Some such simulation experiments
are described in more detail below, while the mathe-
matical approach to calculating certainty equivalences
of airport security risks has been outlined in previous
publications [1, 9]. We concentrate here on the analy-
549
sis of the test cases and experimental results. The si-
mulation experiments give different probabilities of
damage, and their certainty equivalents, depending on
the different risk management arrangements characte-
ristic of each of the systems involved. Comparison of
the resulting certainty equivalents gives the effective-
ness of the measures planned or taken, while the nu-
merical differences indicate the degrees of risk reduc-
tion achieved. Dividing these differences by the cost
required to achieve the reductions gives the cost-
efficiency of the measures (to be) taken.
One of the many practical advantages of this approach
to quantitative risk assessment is its capacity to ac-
commodate, in systematic ways, the many realistic
constraints of the (economic, social, technological,
etc.) context of security management on infrastructure
risk planning and decision-making. It is also clear that
the approach is generic and not limited to threats to
airport security.
3 Scenario-Based Application
3.1 Scenario "Use of new scanner
technology for detecting liquid ex-
plosives"
The amalysis is focused on the passenger checkpoint
at airports. The checkpoint separates the land side, i.e.
the area that is publicly accessible, from the air side
the security area where the departure gates and the
waiting areas for the passengers are located. The ob-
jective of the checkpoint is to prevent passengers from
bringing prohibited items into the security area.
Therefore, the passengers and their hand baggage are
checked for prohibited items. The way the security
check is carried out can vary from airport to airport,
but its basic structure is the same everywhere. If a
passenger wants to enter the security area, he has to
pass through the passenger checkpoint first. So he
lines up usually in one of several control lanes. A con-
trol lane is normally manned by four employees of the
security service and consists of the area of the hand
baggage check and the passenger check. The hand
baggage check is normally carried out by three em-
ployees the hand baggage deposit instructor, the
screening officer and the hand baggage instructor. As
an alternative, a separate, extensive examination of the
items of hand baggage for explosives may be carried
out with the aid of an explosive screener. The passen-
ger check is carried out by one man and one woman,
the screeners. The check of the passenger and the
check of his hand baggage are carried out independ-
ently of each other and mostly concurrently. A possi-
ble layout of the passenger checkpoint is given in Fig-
ure 8.
3.2 Experiment: use of a liquid explo-
sive detector
The sample scenario is used to examine how the use
of a liquid scanner for detecting liquid explosives dur-
ing the hand baggage check affects the security and
the cost structure. For this purpose, two types of pas-
senger check are compared with each other. The
'status quo' describes the configuration of a passenger
check presently found at most airports, i.e. there is no
additional liquid scanner. The 'alternative status' pas-
senger check is provided with a liquid scanner for the
hand baggage check. Each passenger check configura-
tion, i.e. the status quo and the alternative status, will
be analyzed for their cost and benefit aspects by two
simulation vignettes. The first vignette is used for
checking the benefit aspect of the status quo and alter-
native status. The second vignette is used for analyz-
ing the use of a liquid scanner according to cost as-
pects. The specific parameter values in the following
scenario are conjectural and do not claim to be 100%
applicable. The chosen scenario shall only show the
approach of our methodology.
The following operational procedure takes place: the
attacker is disguised as a regular passenger and he in-
tends to detonate a self-built explosive device that is
ready to be fired and is hidden in his hand baggage, in
the waiting area of the airport. The components of the
explosive device (altogether one litre) are all liquid
and have been filled into 10 containers of 100 ml
each. The attacker has already got a boarding pass and
is proceeding directly to the passenger checkpoint af-
ter having entered the public area of the terminal
building where he lines up in the queue at a control
lane. Then he puts his hand baggage items into the ap-
propriate boxes for the hand baggage check. If the
hand baggage arouses suspicion, a manual follow-up
check will be carried out in the status quo and an addi-
tional explosive check in the alternative status. If there
is no suspicion, the hand baggage is regarded as se-
cure. After having been summoned by the security
staff, he walks through the metal detector. If no alarm
Figure 8 Passenger check with check for explosives
550
is triggered here, the attacker takes his hand baggage
and proceeds to the waiting area where he then ignites
the bomb. If the metal detector triggers a signal, the
attacker will be checked manually. It is assumed that
the attacker can detonate the explosive device on the
spot if it is detected in the hand baggage
3.2.1 First simulation vignette "Benefit con-
sideration"
The benefit consideration takes exclusively one single
attacker into account and no passengers. Therefore,
the probabilities given and the information about the
possible measure of damage refer exclusively to the
attacker. Costs, process times and the expenditure on
resources have not been taken into consideration for
this vignette. The probabilities are calculated on the
attackers passing through the passenger checkpoint
undetected and achieving his goal. Possible damage
caused by the attacker will also be calculated. Ten
subvignettes are used to compile the various detection
rates of liquid explosives detected by the liquid scan-
ner.
Parameters:
The assumption is made that the attackers explosive
device is contained in commercially available pack-
ages of 100 ml each. In addition to that, the assump-
tion proceeds from a liquid explosive that is easy to
handle. Therefore, there is a very low detection prob-
ability (5%) in the status quo. If a manual check is
carried out, the detection rate will be just slightly
higher (25%). In the alternative status it is possible to
vary the detection rates of the liquid explosive de-
tected by the liquid scanner between 1% and 95%
(Figure 9). If the check leads to any suspicion, there
will be a specific determination of the liquids by an
additional separate liquid-analysis device with an
assumed detection rate of 85%. As the attacker does
not have any metallic or prohibited items on his body,
the probability of suspicion being aroused during the
passenger check is set to 0%.
When the attacker has reached his target area, he ig-
nites the explosive device in the waiting area, thus
causing considerable damage. If the explosive device
is detected during the hand baggage check, the at-
tacker will still be able to detonate it at the passenger
checkpoint. In this case, the assumed measure of
damage is not as severe as with an explosion in the
waiting area.
Apart from the calculation of the damage, the prob-
ability that the attacker can pass the passenger check-
point undetected is also calculated. For this purpose,
different detection rates of the liquid explosive are re-
viewed. The probability is determined using a count-
ing variable. If there is a detonation in the waiting
area, i.e. the attacker has passed the checkpoint unde-
tected, the counter is incremented by 1, whereas the
counter reading remains the same for an explosion at
the security checkpoint. The result of the ratio of the
number of simulation runs per subvignette and the
counter reading is the probability of passing through.
3.2.2 Second simulation vignette "Cost con-
sideration"
The second simulation vignette is used for analysing
the use of a liquid scanner according to cost aspects.
The aim is to determine how the cost structure affects
the costs of handling the passenger check when the
scanner is used compared to the status quo. Therefore,
the simulation images passengers only, without taking
the attacker and possible damage into consideration.
However, this investigation is not based on varying
detection rates of liquid explosives but on different
assumptions in terms of the probability that there will
be a manual follow-up check of the hand baggage that
will increase the costs. The cost consideration is pri-
marily made with due regard to the personnel costs
and how they will alter when the liquid scanner is used
and the rate of a manual follow-up check changes.
Parameters:
Figure 9 Probability of passing the security checkpoint
undetected
551
Any suspicion of prohibited items in the hand baggage
requires a follow-up check to be carried out by addi-
tional security staff by which the expenditure on staff
and of time increases. The assumption is made that
35% of all passengers both in the status quo and in the
alternative status will trigger a signal when walking
through the metal detector during the passenger check
and will be subjected to a manual follow-up check. A
follow-up check rate of 35% is also assumed for the
hand baggage check in both cases. However, an addi-
tional factor will be added to this basic value in the
alternative status to image the additional expenditure
caused by a liquid check. The follow-up check rate
will be changed to range from 35% to 65% in the sub-
vignettes resulting from this.
The time spent by the security staff on the checks is a
critical influencing factor. Figure 10 and Table 1 show
the assumed process times spent on average by the se-
curity staff on checking each passenger. Unless other-
wise stated, the process duration times are assigned to
both the status quo and the alternative status.The total
personnel costs were estimated to be 13.80/h (pri-
mary personnel costs + incidental personnel costs).
[10]
Process step Process time
Hand baggage deposit instructor:
Supervision of passengers
18 secs.
Hand baggage deposit instructor:
Feeding of hand baggage
16 secs.
Screening officer:
Scanning and analyzing of results
49 secs.
Screening officer:
Informing the hand baggage inspector
3 secs.
Hand baggage inspector status quo:
Manual baggage inspection
11 secs.
Hand baggage inspector alternative
status:
Precise liquid analysis
30 secs.
Screener:
Supervising metal detector
4 secs.
Screener:
Manual passenger inspection
14 secs
Table 1 Processing times
The cost model outlined thus far implies that the costs
incurred basically increase in proportion to the
amount of effort (scanning technology, time, staff) in-
vested in liquid scanning. We have also employed
more inclusive cost models, following recent devel-
opments in the literature. [11] They cover effects of
the economies of scale such as concurrent effects of
decreasing marginal cost, and increasing rate of mar-
ginal cost and of improvements in infrastructure secu-
rity. These models have previously been developed in
production theory in economics. But they also apply
to investment problems in other fields, such as secu-
rity risk management [12]. As will become apparent
from the applications illustrated by Figures 11 and 12,
the particular cost structure of risk reduction provi-
sions are critical for optimising the efficiency of infra-
structure security.
3.3 Simulation results
3.3.1 Simulation results of first vignette
"Benefit consideration"
1,000 simulation runs were carried out for each sub-
vignette, i.e. for each of the 10 different detection
rates of the liquid explosive, to be able to approximate
the loss repartitions as precisely as possible. Figure 6
shows the possible damage that can be caused by the
attacker at the varying settings of the detection rates in
this specific scenario. Figure 9 shows the probabilities
that the attacker will pass the security checkpoint un-
detected.
Figure 10 Handling time and costs per passenger
0 20 40 60 80 100
0
1

C
e
r
t
a
i
n
t
y

e
q
u
i
v
a
l
e
n
t

(
m
i
l
l
i
o
n

)
Detection rate of liquid scanner (%)
Cost function (linear)
Cost function (scale effects)
Certainty equivalent
Cost-efficiency
Optimal detection rate (efficiency)
Figure 11 Effectiveness and cost-efficiency of risk reduc-
tion. Aspiration level = 12 million .
552
Figure 11 shows the certainty equivalent of risk reduc-
tion due to an increasing detection rate of liquid ex-
plosives at which the liquid scanner is respectively
assumed to work. The certainty equivalents shown in
Figures 11 and 12 are those of the risk of financial
damage. Similar equivalent values can be derived
from trials of the experiment simulating the risk of fa-
tality and injury (see Section 2.2). To demonstrate our
methodological approach, the analysis solely of the
risk of financial loss due to security incidents may suf-
fice, however. The parameter values used in the simu-
lations are those described in Subsection 3.2.1 (status
quo, detection rate between 1% and 95%, etc.) In ad-
dition, it has been assumed in the trials underlying
Figure 11 that the airport holds anti-terrorism insur-
ance limited to a total of loss of 12 million per inci-
dent and that the probable loss per incident in the
status quo varies about a mean value of 16.24 million
euros. Thus, only losses above the aspiration level
of 12 million matter (the discrepancy between what
matters for the airport operator and what for the insur-
ance company may give rise to the notorious problems
of moral hazard in risk and insurance).
The certainty equivalent is positive and increases with
the detection rate, meaning that liquid scanning re-
duces the risk of financial damage below the aspira-
tion level. The increase is slightly subproportional
(solid line). Most importantly, however, the overall
risk reduction that can be achieved by screening pas-
sengers and luggage items for liquid explosives is al-
ways low as compared to the expected loss of 16.24
million (assessed at amounts of mostly less than 1
million per incident). To increase it to the upper
limit, the scanning device must be quite reliable and
must operate at detection rates higher than 80%. Un-
fortunately, this is far from being cost-efficient, the
optimum of which is placed at about 38% if the cost
function involving scale effects (dashed line) applies.
The dotted straight line represents a cost function in-
creasing strictly in proportion to the detection rate.
With this cost model, the optimum of cost-efficiency
is reached at a 100% detection rate. The difference
between the two optima reflects the impact of high
costs of risk reduction measures (dashed lines) on se-
curity: if risk management is expensive, the most effi-
cient solutions may be ineffective, and conversely.
Unfortunately, this discrepancy between what is desir-
able and what is affordable in security corresponds to
all too realistic, virtually daily experience. As our ex-
periments demonstrate, however, this discrepancy can
at least be understood very much in detail in system-
atic, quantitative ways, using the SiVe approach.
Two more of the operational constraints on the effec-
tiveness and efficiency of airport security management
are illustrated by Figure 12. The meaning of each of
the curves is the same as that of their counterparts in
Figure 11. In the example of Figure 12, the maximum
insurance coverage of loss (18 million per incident)
and, thus, the aspiration level is assumed to be higher
than the expected value of loss in the status quo
(16,24 million ). This implies that, other than in the
previous case, the airport risk management is risk
averse and, thus, appreciates more the risk reduction
achieved at each particular detection rate (larger cer-
tainty equivalent). Similarly, the solid curve is much
less straight in shape than the corresponding one in
Figure 11. This departure from the previous curve also
expresses strong risk aversion: the certainty equivalent
of a risk is much smaller than its expected value.
3.3.2 Simulation results of second vignette
"Cost consideration"
300 passengers were generated in the simulation for
calculating the costs and handling times of passengers
during the passenger check. They were handled in one
single check lane. At the beginning of the simulation,
all 300 passengers had already been generated in the
simulation, i.e. the arrival behaviour of the passengers
was not taken into consideration. The passengers
waiting time before the passenger check was also ne-
glected.
Based on the simulation results, it is now possible to
ascertain different values of the detection rate in terms
of costs incurred and the efficiency of the defined
threat. Figure 10 shows the average costs incurred for
checking a passenger in the status quo and when a liq-
uid scanner is used at varying detection rates.
4 Conclusion
Airport passenger checks involve numerous variables
and operational constraints which make measures and
procedures to ensure airport security difficult to assess
in quantitative, realistic terms. In view of the immense
complexity involved in the protection of transport in-
frastructures against physical attack, incident simula-
tion techniques and methods of quantitative risk as-
sessment are necessary, however, to prevent or miti-
0,0 0,2 0,4 0,6 0,8 1,0
optimal detection rate (efficiency)
cost-efficiency
.
C
e
r
t
a
i
n
t
y

e
q
u
i
v
a
l
e
n
t

(
m
i
l
l
i
o
n

)
Detection rate of liquid scanner (%)
.
x
0
= 18 Mio.
= 0.8
0
2
4
6
8
10
certainty equivalent
cost function (scale effects)
cost function (linear)
optimal detection rate (efficiency)
Figure 12 Effectiveness and cost-efficiency of
risk reduction. Aspiration level = 18 million .
553
gate damage from catastrophic events in systematic,
practical, effective and cost-efficient ways. The SiVe
project has been especially designed to cope with
some of the core problems involved here, combining
methodological perspectives of scenario building,
software-based incident simulation and econometric
approaches to risk assessment. The results obtained in
the initial simulation studies outlined above already
show that, on the basis of SiVe development, valuable
detailed information can be gained to improve security
planning and decision- making. This information
might otherwise have been difficult if not impossible
to obtain.
Acknowledgement. The authors are grateful to the
German Federal Ministry of Education and Research
(BMBF) for substantial financial support to SiVe as
part of the Ministrys Hightech Strategy and Security
Research Programme.
References
[1] M. Breiing, M. Cole, J. DAvanzo, G. Geiger, S.
Goldner, A. Kuhlmann, C. Lorenz, A. Papproth,
E. Petzel and O. Schwetje, Optimisation of Crit-
ical Infrastructure Protection: The SiVe Project
on Airport Security. In E. Rome and R. Bloom-
field (Eds.): CRITIS 2009. Lecture Notes in
Computer Science 6027, 7384. Springer-Verlag,
Berlin-Heidelberg 2010.
[2] A.:Gadatsch, Grundkurs Geschftsprozess-
Management, 6. Aufl. Vieweg+Teubner Verlag,
Wiesbaden 2010.
[3] Object Management Group (OMG), Business
Process Model and Notation (BPMN), Version
2.0, 2011.
[4] S. Goldner, L. Huber, A. Papproth and C. Stegn-
er, , Using Agent-Based Simulation and Busi-
ness Process Modelling to Evaluate the Perfor-
mance of Airport Security Systems A Conjoint
Approach. Proceedings of The 2011 World
Conference of Air Transport Research Society,
Sydney, Australia 2011. In Print.
[5] U. Meinberg, C. Lorenz, L. Huber, A. Papproth,
C. Stegner and R. Hyka, Agent-Based Simula-
tion of Security Related Logistic Processes on
Airports. Proceedings of The 14th World Multi-
Conference on Systemics, Cybernetics and In-
formatics, 354-359. International Institute of In-
formatics and Systemics, Orlando, FL USA
2010.
[6] E. Castaneda, J. Gonzalez, S. Harris and J. Kim,
Optimized Airport Security Infrastructure Sys-
tem (OASIS). 2007 IEEE Systems and Informa-
tion Engineering Design Symposium, Charlot-
tesville, VA USA 2007.
[7] H. Buchwald, A. Fleischmann, D. Seese and C.
Stary (Eds.), S-BPM ONE: Setting the Stage for
Subject-Oriented Business Process Manage-
ment: First International Workshop, Karlsruhe,
Germany, October 22, 2009. Springer-Verlag,
Berlin-Heidelberg 2010.
[8] C. Starmer, Developments in non-expected
utility theory: the hunt for a descriptive theory of
choice under risk. Journal of Economic Litera-
ture 38, 332382, 2000.
[9] G. Geiger, E. Petzel and M. Breiing, Process-
Based Identification and Pricing of Risks: Me-
thodological Foundation and Applications to
Risk and Security Management. Fraunhofer
Symposium Future Security 2009, 208-220.
Fraunhofer Verlag, Stuttgart 2009.
[10] Statistisches Bundesamt, Verdienste und Ar-
beitskosten, Fachserie 16, Heft 1, Dezember
2010.
[11] J. L. Virta, S. H. Jacobson and J. E. Kobza,
Analyzing the Cost of Screening Selectee and
Non-Selectee Baggage. Risk Analysis 23(5),
897-908, 2003.
[12] C. Thomas and S. C. Maurice, Managerial Eco-
nomics, 10. Aufl. McGraw-Hill/Irwin, Boston,
MA 2010.
[13] Freund, J.; Rcker, B.; Henninger, T.; Praxis-
handbuch BPMN, Mnchen (DE): Carl Hanser
Verlag, 2010
554
Improving Security in Intermodal Transports
Prof. Dr. Frank Arendt, Institute of Shipping Economics and Logistics (ISL), Germany
Dr. Nils Meyer-Larsen, Institute of Shipping Economics and Logistics (ISL), Germany
Rainer Mller, Institute of Shipping Economics and Logistics (ISL), Germany
Abstract
This paper describes two research projects: INTEGRITY and CASSANDRA. INTEGRITY aims at significant
improvements of the visibility and security of global door-to-door container transports in the China-EU trade cor-
ridor by optimising the cooperation between the transport industry and Customs Authorities. As core element, the
platform Shared Intermodal Container Information System (SICIS) has been developed - allowing authorised
companies and authorities to access planning and status information of selected containers. The follow-up project
CASSANDRA aims to create interfaces between existing information platforms and visibility solutions, in order
to design and to manage efficient and secure supply chains on the basis of monitoring data.

1 Introduction
For the transport industry, the implementation of addi-
tional security measures are always equal to increased
costs whereas the related benefits are seen to be rather
limited. The two EU funded projects INTEGRITY
and CASSANDRA focus on enhancing the visibility
of transport chains thus supporting their security and
their logistics optimisation at the same time.
The term Supply Chain Visibility means to close in-
formation gaps still existing in international intermo-
dal container chains in order to achieve a better reli-
ability and predictability. Today, the majority of the
high amount of involved parties (from industry and
administration) are not well informed in such a way
they can perform their tasks on planning and monitor-
ing in an optimal way. Closing these information gaps
can be obtained in different ways:
using classical EDI with EDIFACT or XML
interfaces being which may lead to time de-
lays between an event occurred and the re-
ceipt of the respective message
receiving information in an automated way,
e.g. by using identification technologies such
as RFID or Automatic Identification System
(AIS), positioning technologies such as GPS
or Galileo signals, and the related communi-
cation technologies either land based, via
GSM or satellites
intelligence for analysing information in or-
der to detect the interesting ones, e.g. com-
paring planning and actual status information
automatically in order to identify the devia-
tions where the planner has to act (this is
what we call Supply Chain Event Manage-
ment)
performing risk analyses based on these in-
formation for security risks (as mainly per-
formed by authorities) as well as logistics
risks (e.g. not to be able to deliver the con-
tainer on time).
This paper will deal with the three last issues.

After the decrease due to the economic crisis, con-
tainer transport figures are increasing again. Thus,
container terminals and transport operators once more
are facing several challenges like increasing cargo
volumes and security demands that put additional bur-
den on them but offering potentials for process opti-
misation at the same time. Main drivers are:
Commercial: how to cope with continuously
rising cargo volumes to be handled
Legal/Security: how to deal with new security
rules and regulations for fighting against ter-
rorism and the change of responsibilities in
the chain
Technical: how to best integrate technologies
such as Container Security Devices (CSD)
for monitoring the position of the container
using RFID, GPS and GSM communication.
Furthermore electronic seals (eSeal) can be
used for combining the benefits of classical
bolt seals with RFID capabilities.

The usage of devices likes CSDs and eSeals plus fur-
ther event sources can support the concept of Supply
Chain Event Management (SCEM) in order to enable
transport operators to exploit these challenges.
555
2 CSD and eSeals in Container
Transport
The drivers in the above mentioned areas are twofold:
Security and logistics optimisation. While the first is
dominated by regulations mainly initiated by the US
Government, the latter is facing at logistics optimisa-
tions and cost reduction potentials e.g. due to auto-
mated identification procedures throughout the logis-
tics network. Especially RFID can on the one hand
raise the security level by the introduction of elec-
tronic seals (eSeals) and on the other hand develop
optimisation potentials through the automated con-
tainer identification by using container tags.
The Institute of Shipping Economics and Logistics
(ISL) accommodated the increasing importance and
relevance of these topics by the formation of its com-
petence area "AutoID and Security in Container
Transport" at the ISL branch at the city of Bremer-
haven, Germany. This competence area concentrates
on the design of concepts as well as the development
of pilot projects for the implementation of automatic
identification systems and their connection to business
and EDI processes, e.g. for container handling, as well
as for the building of surveying systems of intermodal
networks for the purpose of logistics and security.
Beside the capabilities of eSeals and RFID in inter-
modal container transport ISL examined and validated
also the adoption of the SCEM methodology on in-
termodal container transport chains which will be de-
scribed in chapter 3.
The above mentioned drivers in the field of intermo-
dal container transport will be described in detail.
2.1 Commercial drivers
Before the economic crisis cargo handling figures in
container ports were constantly rising. According to an
ISL analysis container traffic increased by 12% in
2010.
In order to manage this increase efficiently one can
build new infrastructure, optimise the storage capacity
or optimise existing procedures, at truck gates, rail
gates and in vessel handling. In order to cope with the
rising number of handled containers automation of
processes is one important issue.
2.2 Legal and security drivers
After 9/11, several regulations and laws have been
implemented to enhance the security in goods trans-
port. Most important one is the introduction of the
ISPS Code in port terminals and onboard vessels.
Terminals had invested huge amounts of money to be-
come ISPS compliant. But the ISPS code is not the
end of the story. In the future, also inland terminals
(road/rail or road/inland waterways) will be affected.
Additionally, the replacement of bolt seals with elec-
tronic seals is discussed on various political and in-
dustrial levels. If becoming mandatory, new require-
ments appear for the terminal operators.
Moreover, certification schemes such as C-TPAT
(Customs-Trade Partnership Against Terrorism) or
AEO (Authorised Economic Operator), advance re-
porting requirements such as CSI (Container Security
Initiative), ISF (Importer Security Filing also named
10+2 rule), ICS (Import Control System) as well as
the so-called 100% scanning rule requesting that all
export containers to the US have to be x-rayed and
checked on nuclear substances in the port of loading
put additional burden on all parties involved.
2.3 Technical drivers
Several new technologies are in discussion, which
create challenges for terminal and transport operators.
Processes can be optimised and accelerated tremen-
dously by using automatic identification and condition
checks with contact free reading abilities (container
RFID tags, eSeals, optical checks) without requiring
human intervention.
Beside eSeals which improve the security of standard
bolt seals there are also Container Security Devices
(CSDs) available. Additional functions of CSDs com-
pared to eSeals are their ability to monitor the position
of the container using Global Positioning System
(GPS) signals and their communication abilities via
GSM or GPRS to inform a backend system about po-
sition and status. Additional sensors can be applied
informing the user of the current temperature, humid-
ity or shock values.
CSDs are able to improve the visibility of the con-
tainer transport significantly but also increase the
transport costs. So, each company has to decide if the
benefits of an improved security and visibility justify
the higher costs. To sum up, it is very unlikely that
every container in the future will be equipped with
CSDs, in cause of the higher transport costs. The us-
age and benefits of CSDs were examined in the IN-
TEGRITY project.
3 Supply Chain Event Man-
agement
The Supply Chain Event Management (SCEM) meth-
odology is well known in production logistics; this
approach can also assist container operators monitor-
ing the international intermodal transport. To achieve
this goal, the physical progress of the container trans-
port will be compared with the planned procedure by
examining so-called events which occur during the
transport and could be generated e.g. using RFID,
CSDs or further event sources. On the one hand there
are expected events such as loading and unloading
556
messages, vessel arrival and departure etc. The events
and their sequence are clearly defined and can easily
be monitored. On the other hand there are events
which occur unexpectedly and which may allude to
problems such as delay messages or a notice indicat-
ing a technical defect. If the transport proceeds ac-
cording to the original plans, the system will stay pas-
sive in order to prevent the user from receiving useless
OK messages. Only if the system detects a deviation
of the physical transport from the planned procedure,
the operator will be informed pro-actively which en-
ables him to intervene at an early stage of the prob-
lem.
A software system adapting the SCEM concept com-
pares the expected events with the actual events and
decides on appropriate actions, e.g. inform the user,
here the manager of the intermodal transport chain, in
case of problems. The chain manager is enabled to
react in time on exceptions. Problems can be coped
with soon after their occurrence and before they cause
a more severe impact to the transport process.
Status events can be obtained via RFID, EDI (e.g. dis-
charge messages from container terminals), via mobile
devices (e.g. handheld computers using GPRS com-
munication) or using web interfaces.
In the run of the former research project CHINOS
(Container Handling in Intermodal Nodes - Optimal
and Secure) co-funded by the European Commission
in their 6th Framework Programme, ISL has devel-
oped an SCEM software component for logistic pur-
poses to evaluate how SCEM concepts can be used for
intermodal container transports covering several sub-
transports performed by different transport modes. For
each event which can occur during transport there are
decision rules which examine its occurrence on time,
delay or total absence. Depending on the result of
these examinations, the SCEM system is able to initi-
ate appropriate actions in a flexible way. It can send
emails or SMS which notify their receivers about the
occurrence of a specific event. In addition, the users
application system can be triggered such that contain-
ers originally associated to a cancelled voyage are
marked so they can easily be re-scheduled to another
voyage; details can be found in Blecker et al., 2007.
Applying the SCEM concept seems to be very attrac-
tive in several areas of transport, but is dependent on
close to real-time and highly reliable events and status
messages.
One further step was to extend the scope of the SCEM
application and software component from purely lo-
gistics considerations to security aspects.

4 INTEGRITY - Improving vi-
sibility and security
4.1 Concept
As outlined before, the visibility of container trans-
ports can be increased by SCEM software platforms
leading to a better reliability and predictability of the
transport chain performance.
In the INTEGRITY project [11], such a platform
named SICIS (shared intermodal container informa-
tion system) has been developed which evaluates in-
formation from various existing sources, like RFID for
container identification, e-seals or CSDs, X-ray in-
spection and radiation portals to identify illegal con-
tents, satellite tracking of vessels and other vehicles,
and external databases for tracing.
INTEGRITY is the acronym of Intermodal Global
Door-to-door Container Supply Chain Visibility be-
ing co-funded by the European Commission in their
7th Framework Programme and running until autumn
2011. It aims at creating Supply Chain Visibility by
providing a basis for commercial optimisation and se-
curing of intermodal container chains. Major clients
of the approach are the commercial participants in the
chain (3PLs, cargo owners, exporters, transport and
port operators) and authorities (mainly Customs) cre-
ating a win-win situation for both of these groups.
Different measures, such as the introduction of the
ISPS code in 2004 and the C-TPAT programme in the
US, enhanced the security in parts of the international
intermodal chain, but a worldwide approach covering
the chain from origin to destination is still missing.
However, first attempts have been made by the US
with the programmes OSC (Operation Safe Com-
merce) and SST (Smart and Secure Trade Lanes). An
important step towards secure operators is the EU
Customs Code issued by the Directorate-General
Taxation and Customs Union (DG TAXUD) with its
AEO (Authorised Economic Operator) approach. Co-
operation between Customs Authorities is actually be-
ing discussed e.g. in the SSTL project between EU
and China Customs Authorities which is closely linked
to INTEGRITY. Here, issues of the Customs-to-
Customs cooperation will be tackled also from the in-
dustrys perspective supporting Customs-to-business
and business-to-business cooperation.
If Customs Authorities agree on a mutual recognition
of their procedures and a common set of data facilitat-
ing pre-arrival clearance before the cargo arrives at its
destination, this will speed up the whole process and
even more important lead to an improved reliability
and predictability of the whole chain. Due to the ac-
tive involvement of Customs services along the dem-
onstration chains from China to Europe as well as the
close link to the SSTL Project, the ease of administra-
tion together with supporting measures and incentives,
557
e.g. the green lane for supervised secure transports, is
covered as well.
The expected benefits are significant: door-to-door
chains will become more secure and smooth. All target
groups will be satisfied in one approach. Specific
analyses on the benefits for all players in the chain
analysing actual bottlenecks and performing before-
after comparisons including the related costs for such
a service are part of the project.
INTEGRITY is an integration project. Although a lot
of building blocks are existing, most of the above
mentioned technologies have been run through techni-
cal feasibility tests without tackling the integration
into a common concept on the level of business proc-
esses, legal and administrative changes and possible
incentives when using them in a consistent and reli-
able manner. The combination of existing technolo-
gies and new business processes together with legal
and administrative agreements between administra-
tion/Customs and industry/logistics create a win-win
situation for both target groups.
4.1 The SICIS System
Different organisational and technical measures can
enhance the security of the chain and support the Sup-
ply Chain Visibility also for logistics purposes - at
the same time. These are:
working with trusted parties (AEOs, author-
ized economic operators)
using auto-ID methods like RFID for con-
tainers
using X-ray inspection or container imaging
(content) facilities
using radiation portals to identify nuclear ma-
terials
using eSeals or container security devices
monitoring the door condition, light, tem-
perature, humidity, radiation, chemicals, etc.
using satellite tracking of vessels and other
vehicles
using databases with tracing and event infor-
mation and intelligent algorithms to detect
possible risks
using EDI or web services to perform validity
checks with external databases (e.g. owned
by transport operators).

In addition to these measures, relevant business proc-
esses, e.g. for gaining permissions from authorities are
analysed and adapted for exploiting the technology
potentials in an optimal way.
The full-scale integration of IT systems along the
chain enables the creation of the SICIS system con-
taining either the data itself or links to the data pro-
viders (such as port community systems, shipping
lines, port authorities) allowing fast and reliable ac-
cess to the planning data and status information of se-
lected transports. Furthermore, SICIS pro-actively in-
forms the relevant user if possible risks were detected
during the transport process. Customs Authorities can
access all these information for enhancing their secu-
rity assessment. An important issue is the careful han-
dling of the data which is consolidated in the de-
scribed manner for the first time. The design of SICIS
allows its connection to any other system like port
community systems or existing legacy systems, hence
data security is ensured at any time. Therefore, the
data owner has the full control of granting access con-
cerning information on his transport to the partners
in the chain. Templates enable an easy set-up of recur-
rent cargo flows.

Figure 1 The Shared Intermodal Container Informa-
tion System (SICIS) will process data from different
data sources and communicate with various platforms

The following scenario will clarify the INTEGRITY
approach: A container is stuffed and sealed at a Chi-
nese factory by an AEO certified partner. Another
AEO transports the container to the ISPS (Interna-
tional Ship and Port Security Code) certified port of
Yantian. Inside the terminal, the seal is checked, and
the container is examined with respect to detect radio-
active contents and potentially scanned. After the con-
tainer was loaded on a vessel operated by an ISPS cer-
tified shipping company, all relevant information
about the transport including the inspection results is
forwarded to the Customs of the importing country.
On that basis, Customs can decide on the necessity of
a physical inspection of the container already during
the sea transport, which will lead to a possible pre-
arrival clearance. This will speed up the import proc-
ess and reduce the risk of delays caused by Customs
inspections. As a consequence, the on-carriage can be
planned with a much higher accuracy and predictabil-
ity.
As a first step, SICIS has been implemented at a trade
lane starting in mainland China, using the ports of
558
Yantian and Hong Kong on the Chinese side and the
ports of Rotterdam and Felixstowe on the European
side until the final destination or warehouse. Never-
theless, it is possible to transfer the respective experi-
ences and test results to any other corridor worldwide.
During the INTEGRITY project, tests were carried
out using a large number of containers. Rather than
focusing on a big bang implementation, INTEGRITY
chose a stepwise approach:
Demonstration phase 1 focused on container
data from port networks started in September
2009
Phase 2 integrated AIS data from vessels the
tracked containers were loaded (cp. Figure 2)
Phase 3 added container status and container
position data from Container Security De-
vices (cp. Figure 3)
Phase 4 (the actual one) enhanced the system
by consignment data adding documents in
pdf format.

Figure 2 Visualization of vessel events using stan-
dardised tools

Figure 3 The first CSD equipped container in prepa-
ration for its trip to Europe

Several cooperation agreements have been signed in
order to extend the INTEGRITY scope to other moni-
toring technologies, trade lanes and terminal opera-
tors.
Although a high data quality during the voyage can be
obtained using CSDs which can hardly be achieved by
other means, INTEGRITY is not dependent on using
that technology. The reason is that it cannot be ex-
pected that a significant number of containers will be
equipped with CSDs in the near future. Hence, as fall-
back solution covering also those containers without
CSDs, a manual trigger event of the voyage start and
end (via web interface) is feasible.
SICIS is achievable to large and SME players in the
container business these are represented e.g. by the
project partners DHL and BAP Group Ltd. It is the
clear intention of the project partners to transfer the
pilot system into a real business tool.
Until June 2011 more than 5,300 containers have been
monitored during the demonstration phase of IN-
TEGRITY, from which about 430 containers were
equipped with CSDs from different providers.
5 The CASSANDRA project
5.1 Introduction
The follow-up project CASSANDRA (Common as-
sessment and analysis of risk in global supply chains)
[17], also co-funded by the European Commission in
their 7th Framework Programme and started in June
2011, aims to create interfaces between existing in-
formation platforms and visibility solutions, in order
to design and to manage secure and efficient supply
chains on the basis of the monitored data with a spe-
cial focus on the acquisition of consignment data de-
scribing the cargo in the container. The integration of
data and risk assessment along the supply chain will
be demonstrated in three major trading routes to and
from Europe:
Asia Europe (China, Hong Kong, Malaysia,
Indonesia, to Netherlands and UK),
Europe US (Germany to US East Coast
ports via the port of Bremerhaven)
Africa Europe (Egypt to Spain and Cape
Verde to Portugal)

In order to integrate the stakeholders into the innova-
tion process in the project, CASSANDRA applies a
so-called living lab approach for each tradelane.
The living lab methodology is described in the follow-
ing section.

5.2 The living labs methodology
559
The living lab methodology aims to solve the problem
that only a small number of product ideas can be es-
tablished in the market. In detail, referring to [9] only
one of 3,000 products can survive successfully on the
market, which means that hundreds of ICT product
ideas developed in projects are far beyond the market
needs. Even successful products are unable to fulfil
the needs of their users - 75% of all users are not satis-
fied with their ICT tools (cp. [9]). Consequently, the
integration of users into the innovation process of new
product ideas can increase the outcome of product
ideas developed in research projects. Regarding the
integration of the user in the innovation process [10]
stated: Users working in real world environments are
actively solicited in order to inform technology devel-
opment and innovation. In these cases, living labs
have been positioned as platforms for user-driven in-
novation.
In order to centralize the role of users during the inno-
vation process the living lab methodology has been
developed, which is a user-driven open innovation
ecosystem enabling users to take an active part in the
research, development and innovation process. In the
living lab methodology the user is placed at the centre
of the innovation lifecycle which allows him to par-
ticipate in the creative process in order to detect the
change of processes at an early stage. Furthermore,
users participating in a living lab are empowered to
influence the development, validation and integration
of the product ideas according to their user specific
needs. The validity of the innovated concepts and
products is proved inside the living lab approach dur-
ing a demonstration phase. Furthermore, an early as-
sessment of the socio-economic implications of the
new concepts can validated during the demonstration
in the living lab.
5.3 Objectives of CASSANDRA
CASSANDRA aims to combine different available
building blocks in the field of supply chain visibility.
So the major challenge is to choose and to combine
the appropriate tools, hardware, visibility platforms or
other technical solutions that enable business and gov-
ernment to implement a risk based approach for their
operational work in an optimal way.
CASSANDRA will define and setup interfaces be-
tween visibility tools and platforms. The process of
integration of these building blocks will be demon-
strated in the living labs for the different geographical
corridors. Furthermore, an evaluation on the quality of
the integral data will be carried out from technical,
societal, business, risk management and exploitability
point of view. Moreover, in order to gain acceptance
of the risk self-assessment approach of business and of
the suitability of data use by government agencies a
dialogue between business and government will be
facilitated. Visionary Customs concepts, e.g. switching
the Customs reporting from a push to a pull mecha-
nism once all requested data are contained in a plat-
form, are included in the research. Compared to IN-
TEGRITY, the extension in corridors and improve-
ment of real consignment data are major issues to
investigate.
6 Conclusion
Achieving the optimisation of logistics processes and
an increase of security is not necessarily a contradic-
tion. Supply Chain Visibility in intermodal container
chains is important for logistics and security control
reasons. The paper has shown how technologies
(RFID, CSDs, AIS) and methodologies (SCEM, mu-
tual recognition of processes) can contribute to this
approach. However, a global take-up faces the chal-
lenges of investments and process changes for indus-
try and administration.
Developments can support operators to exploit present
and upcoming challenges like handling increasing
cargo volumes, the necessity for improved monitoring
and stronger security demands. They also support ad-
ministrations and authorities to perform their risk as-
sessment more efficiently.
The results of the project INTEGRITY are promising:
based on a broad consensus of the major stakeholders
the platform SICIS is widely accepted by industry and
Customs partners. The near future will show if the in-
tention to transfer SICIS into a commercial service
will be successful. Furthermore, the follow-up project
CASSANDRA will show how to manage secure and
efficient supply chains by integration of different sup-
ply chain visibility technologies. In order to actively
involve users of the created supply chain visibility so-
lution the innovation process and the demonstration
will be carried out in three living labs. The set-up of
widely accepted win-win situations between the main
different stakeholders, logistics operators and authori-
ties, seem possible.
7 References
[1] APL Logistics (2003) Adding Security and Value
to the Supply chain, http://www.apl.com/news/
documents/security_white_paper.pdf
[2] Aberdeen Group (2006): The Supply Chain Vi-
sibility Roadmap Moving from Vision to True
Business Value, Boston 2006
[3] Blecker, T. et al. (2007): Key Factors for Suc-
cessful Logistics, Erich Schmidt Verlag
GmbH&Co., Berlin
[4] Bundesministerium fr Verkehr, Bau und Woh-
nungswesen (Hrsg.) (2005), Verkehr in Zahlen
2005/2006, Deutscher Verkehrs-Verlag, Ham-
burg
[5] Chinos website: http://www.chinos-rfid.eu
560
[6] Collins, J. (2005) IBM, Maersk Developing Car-
go Tracker, RFID Journal Sept. 22,
http://www.rfidjournal.com/article/articleview/18
84/1/1/
[7] Donner, M., Kruk, C. (2009): Supply Chain Se-
curity Guide, World Bank, Washington 2009
[8] European Commission (2001), White Paper
European transport policy for 2010: time to de-
cide, Office for Official Publications of the Eu-
ropean Communities, Luxembourg
[9] European Commission, Directorate-General for
the Information Society and Media (2009), Liv-
ing Labs for user-driven open innovation, ISBN
978-92-79-10358-2
[10] Higgins, A., Klein, S. (2011), Introduction to the
Living Lab Approach, in Tan, Yao-Hua et al.,
Accelerating Global Supply Chains with IT-
Innovation, Springer Berlin Heidelberg
[11] INTEGRITY website: www.integrity-
supplychain.eu
[12] INTEGRITY/SmartCM Compendium, Delivera-
ble 1.1
[13] International Maritime Organisation (2003), The
International Ship and Port Security Code, 2003
Edition
[14] Kearney, A.T. (2005): Smart boxes RFID can
Improve Efficiency, Visibility and Security in the
Global Supply Chain, Chicago 2005
[15] Savi website: http://www.savi.com
[16] Smart & Secure Tradelanes (2003): Phase One
Review Network Visibility: Leveraging Securi-
ty and Efficiency in Todays Global Supply
Chains, 2003
[16] World Customs Organisation (2007): WCO
SAFE Framework of Standards, 2007
[17] CASSANDRA website: http://www.cassandra-
project.eu/
561
Botnets: Detection, Measurement and Defense
Daniel Plohmann, Fraunhofer FKIE, Germany <daniel.plohmann@fkie.fraunhofer.de>
Elmar Gerhards-Padilla, Fraunhofer FKIE, Germany <elmar.gerhards-padilla@fkie.fraunhofer.de>
Felix Leder, Fraunhofer FKIE, Germany <felix.leder@fkie.fraunhofer.de>
Jan Gassen, Fraunhofer FKIE, Germany <jan.gassen@fkie.fraunhofer.de>
Andr Wichmann, University of Bonn, Germany <wichmann@cs.uni-bonn.de>
Sebastian Eschweiler, University of Bonn, Germany <eschweiler@cs.uni-bonn.de>
Abstract
Malicious software, short malware, causes a yearly financial damage that is estimated at several billion Euros per
year. Botnets, networks of malware infected machines, used as a tool for criminal individuals, play an important
role in this context. In this paper, we present the main results of a study on the topic of fighting botnets conducted
by the Cyber Defense Research Group of Fraunhofer FKIE in cooperation with the Institute for Computer Sci-
ence 4 of the University of Bonn on behalf of the European Network and Information Security Agency (ENISA).

1 Introduction
Botnets are networks of compromised, remotely con-
trolled computer systems. Their main purposes in-
clude the distribution of spam e-mails, coordination
and execution of distributed denial of service (DDoS)
attacks, and the automated theft of identities and bank-
ing data, e.g. credit card information, for financial
fraud. Their presence is supported by the increasing
global availability of broadband access to the Internet,
which at the same time increases the value of the as-
sets they threaten.
A shift in the motivation for the creation of malicious
software has led to a financially oriented underground
economy of criminals acting in cyberspace. The total
annual global economic loss attributed to malicious
software activities is estimated at more than ten billion
Euros [1]. Other events demonstrate the significance
of botnets in a global context. One example were the
botnet-driven attacks against Estonia in 2007 [2].
These appeared to be politically motivated activities
in which Estonian institutions like the parliament,
ministries and various banks as well as media services
were targeted. The Stuxnet worm [3] is another recent
example of malicious software being highly sophisti-
cated and having generated much media interest.
Shortly after its revelation, this malware specimen was
considered as one of the most complex pieces of mal-
ware that was ever identified. Stuxnets functionality
includes routines that identify and attack industrial
systems. Thus, it is the first known worm targeting
critical infrastructure. Besides this functionality, Stux-
net contains typical features of a botnet. After success-
ful infection, the compromised host verifies Internet
connectivity and then tries to connect to possible
Command & Control (C&C) servers in order to send
information about the system and ask for an update.
The frequency and impact of these and other recent
events have led to an increased awareness towards the
topics of cybersecurity and botnets. In this paper, we
present the main results of our study which provides
an extensive overview and analysis of currently exist-
ing approaches and initiatives in the fight against bot-
nets. Furthermore, we present a set of recommenda-
tions for good practices, addressing the main issues on
technical, legal and policy level.
This paper is structured as follows. Section 2 provides
background information about the study, applied
methodology and resulted publications. Section 3
gives an overview of the identified mitigation ap-
proaches against botnets and summarizes the main
conclusions achieved through an analysis of them.
Section 4 explains the proposed strategy for a fight
against botnets, concentrating on the recommenda-
tions derived from analysis. Finally, section 5 summa-
rizes the main results of the study.
2 Background
Beginning in March 2010, the Cyber Defense Re-
search Group of Fraunhofer FKIE in cooperation with
the Institute of Computer Science 4 of the University
of Bonn conducted a study targeting botnets on behalf
of the European Network and Internet Security
Agency (ENISA) [4]. The main goal of the study was
to assess and analyze the current situation in the fight
against botnets by identifying techniques employed
for detection and measurement as well as countermea-
sures against botnets. Based on this analysis, recom-
562
mendations for good practices were derived, address-
ing various stakeholder groups such as regulators and
law enforcement, Internet Service Providers (ISPs),
researchers, and end-users.
In order to receive a high quality of initial input, a
questionnaire was designed and answered by more
than 70 globally renowned experts in the field to iden-
tify common approaches against botnets. The follow-
ing analysis process of these approaches was sup-
ported by ongoing personal discussions with and be-
tween the experts as well as an extensive desktop
research. Both of the publications released have been
released by ENISA so far, a technical report consisting
of 150 pages [5] and a shorter version entitled Bot-
nets: 10 tough questions [6] have been validated by a
distinguished peer review group. A third report target-
ing legal issues is currently in preparation in coopera-
tion with NATO Cooperative Cyber Defence Centre of
Excellence (CCD COE) located in Tallinn, Estonia.
3 Analysis of current detection
techniques, measurement ap-
proaches, and countermea-
sures
In order to capture the state of the art botnet mitiga-
tion, a survey of commonly used techniques was cre-
ated. This overview consists of 15 approaches to the
detection and measurement of botnets and 14 ap-
proaches to countermeasures against botnets. To en-
able an analysis and comparison of these approaches,
a feature set for characterization including aspects
such as generality, quality and accuracy, requirements
and limitations was created. It covers the technical,
legal and policy level of botnet mitigation.
The analysis revealed some general conditions on all
levels that influence efficiency and effectiveness of
approaches alike. To mention some examples: On
technical level, there is a need for measures to reliably
detect botnets and accurately assess their threat. On
legal level, clear definition of roles, their responsibili-
ties and rights in the fight against botnets is needed.
Finally, on policy level, it is important to facilitate in-
ternational, cross-border cooperation.
3.1 Detection and measurement of bot-
nets
The detection and measurement of botnets is moti-
vated by a desire to gain information that may be use-
ful for various purposes. It allows an assessment of the
potential threat posed by a certain botnet but also en-
ables the application of preventive methods that hin-
der further infections. More proactively, it can help to
prepare countermeasures and to validate their effec-
tiveness.
3.1.1 Analysis
To ease the comparison of the approaches, two classes
of intrusiveness have been used for characterization:
Passive approaches that cannot be detected when ap-
plied and that remain invisible to the botnet owner and
active approaches that have some kind of interaction
with entities controlled by the botmaster.
A representative for the class of passive detection and
measurement techniques is the analysis of communi-
cation data such as traffic and flow captures, emails,
or application log files. These may be gathered from
routers, e-mail servers and spam feeds as well as web
servers.
In general, these approaches have to solve the prob-
lem of distinguishing benign from malicious activities
before the real analysis process can start. However,
the amount of data that can be analyzed often is very
limited. On the technical side, techniques such as
sampling and filtering are applied to enable real-time
processing. On the legal side, analysis is limited by
data privacy. It must be assumed that the accuracy for
measurements of botnets is limited seriously by these
factors.
Probably the most prominent example of active ap-
proaches is sinkholing. When a domain name or IP
address has been identified as serving as a C&C in-
stance for a botnet, the according Domain Name Sys-
tem (DNS) record or routing entry can be changed in
accordance with the responsible provider to forward
all related traffic to a prepared analysis device, the
sinkhole. In contrast to the group of passive ap-
proaches, all incoming traffic can usually be assumed
to be malicious. However, applying measurements is
still affected by various causes adding inaccuracy, for
example dynamic IP address assignment or Network
Address Translation (NAT). By taking over the do-
main names of the Torpig botnet, Stone-Gross et al.
[7] have shown that this inaccuracy can be as big as a
factor of 7 by comparing unique bot identifiers with
unique IP addresses during a time span of 11 days.
However, evaluating unique IP addresses of incoming
connections is often the only way to measure as a
unique identifier is rarely present.
Reverse engineering of binary code takes a special
role in the context of detection and measurement tech-
niques. While reverse engineering itself is not a detec-
tion or measurement approach, the ability to analyze
program code on binary level is an important factor in
the in-depth analysis of malicious software and can
help to provide key insights into certain aspects or
functionality. This allows a more accurate profiling of
the threat posed by malware infected computers.
3.1.2 Conclusions
As illustrated in the previous section, it is hard to ac-
curately estimate the size of botnets. Additionally, size
is not the only indicator of botnet damage potential.
563
The threat posed by a certain botnet strongly depends
on the views of affected stakeholders. Even a small
botnet can cause severe damage; depending on the
type and quality of compromised machines. Quality in
these terms refers for example to the value of informa-
tion stored on these machines or potential bandwidth
provided for DDoS attacks.
Another big challenge for detection and measurement
of botnets are legal aspects concerning privacy of data
and the connected implications. In an international
context, the status of IP addresses as an item of per-
sonal data is just one important issue that massively
affects the ability to exchange information that could
help to notify owners of infected computers as early as
possible. More information on legal aspects in the
fight against botnets will be prepared in a separate le-
gal report that is to appear in the second half of 2011.
During analysis, it was observed that many measure-
ment approaches often are not fully transparent de-
scribed. While this helps to keep the details of the
techniques opaque from the subjects under surveil-
lance, it also makes these results hard to repeat or
evaluate independently. A challenge to the transpar-
ency of measurement itself is that the publication of
exaggerated numbers is an incentive for publishers as
they are usually also offering solutions for mitigation.
Approaches that are built on generic features seem to
provide more flexibility but offer lower accuracy and
degree of detail than specialized solutions that analyze
a botnet from within its C&C infrastructure. These on
the other hand seem to require much more effort in
order to achieve better results. Some of the analyzed
active approaches pose the risk of interference with
other investigators as observed clearly during the ac-
tivity of the Storm botnet [8].
Investigations into botnets and the engineering of de-
tection and measurement techniques require a lot of
in-depth technical understanding. This aggravates the
recruitment and training of analysts at least within a
short time frame in the near future. A further aspect in
this context is the ongoing arms race between analysts
and malware developers or botmasters that steadily
increases the amount of knowledge needed.
3.2 Countermeasures against botnets
The spectrum of countermeasures against botnets in-
cludes both technical approaches and social ap-
proaches aiming at the improvement of the overall
situation. Common to all analyzed approaches and ini-
tiatives is that thinking in a global perspective is man-
datory for a long-term success. This usually involves
several stakeholder groups that have to interact in
cross-border cooperations.
3.2.1 Analysis
Technical countermeasures can be roughly divided
into three classes: preventive, reactive, and proactive
countermeasures.
Preventive countermeasures have the intention to re-
duce the spreading of botnets and their infections. A
common way to achieve this is by blacklisting net-
work addresses and domain names as well as filtering
network traffic for potentially malicious contents. For
example, if a domain name is known for serving as a
command-and-control server, compromised machines
can be prevented from resolving this hostname. This
can either be performed by the responsible DNS
server or an Intrusion Detection System (IDS). An-
other preventive measure is to generically block port
25 that is heavily abused for sending out spam email
[9]. This practice has led to controversies because it
only targets a symptom of botnets and closes one of
the ways to detect infected machines.
Reactive countermeasures include the most popular
approaches against botnets. In the last years, multiple
large coordinated takedowns of C&C server infra-
structures have been echoed by media. In some cases,
as for example for the Conficker botnet, sinkholing
was employed by registering future domain names de-
rived from a Domain Generation Algorithm (DGA)
[10] in advance in order to be able to count the num-
ber of incoming connections [11]. There have even
been reports of whole hosting providers being discon-
nected from the Internet by their upstream providers
after it had been proven that larger fractions of their
traffic was related to botnet activities and they did not
try to change this condition [12].
While aforementioned reactive approaches target the
C&C infrastructure, a variant for the victim-side is
packet filtering performed by ISPs, or the employment
of so-called walled gardens. If a customer's connec-
tion is observed to contain malicious traffic, a limita-
tion of network connectivity is applied by the ISP. In
these cases, often only a special web page, explaining
the situation and giving advice for remediation of the
infection is reachable by the customer.
Proactive countermeasures consist of those methods
that offensively engage botnets. For example, Peer-to-
peer countermeasures may use certain weaknesses in
the routing mechanisms to disrupt or disable connec-
tivity between bots. Also, the infiltration of C&C in-
frastructure by exploiting vulnerabilities in the server
or bot software itself with the intention to remotely
shut down or disinfect computers is a proactive coun-
termeasure. This last approach is ethically question-
able and not compliant with the laws in most coun-
tries. Another example for proactive countermeasures
is the submission of fake or traceable data sets to the
C&C infrastructure. The intention is the ability to fol-
low money flows and observe the usage of stolen
credit card information.
564
Lastly, regulatory and social countermeasures address
the general framework in which botnets are fought.
This includes special legislature against cybercrime,
increasing user awareness and the enhancement of co-
operations across stakeholder groups and accordingly,
responsible information sharing.
3.2.2 Conclusions
First, it has to be noted that many of the identified
countermeasures build upon results of or interplay be-
tween detection and measurement approaches. Exam-
ples for this are blacklisting where connections to enti-
ties that have been observed to be involved in mali-
cious processes are blocked and sinkholing, which can
be applied as a measurement tool after obtaining con-
trol over a C&C infrastructure for example as result of
a takedown. In this context, the effectiveness of
walled gardens is directly coupled to the effectiveness
of detection methods, which provide the ISP with in-
formation about customers that are operating com-
promised computers.
Concerning the Domain Name System, some experts
issued that currently, the registration of domain names
is not regulated strongly enough and that it provides
criminals a too easy way of getting new domain names
that can be obtained in quasi-anonymous, automated
processes.
Peer-to-peer countermeasures mostly serve as a sup-
portive technique for takedowns. For example, during
the takedown of the Waledac botnet C&C infrastruc-
ture, the P2P communication channel was disrupted
and as a result, the botmasters were disabled from re-
gaining control [13].
In order to be successful, a takedown of C&C infra-
structure has to address all servers. This particularly
involves the risk that if not the full infrastructure is
affected by the takedown, some C&C servers remain
and can be used to regain control of the botnet. In this
case, the attempted takedown may even warn the bot-
master about an ongoing investigation, notify him
about vulnerabilities in his infrastructure, and teach
him to increase the resiliency of the C&C mechanisms
used, which is clearly an undesired side-effect.
Another aspect is that such actions against the C&C
infrastructure only disable the functionality of the bot-
net itself but the participating computers remain in-
fected. These computers may suffer from decreased
stability and disabled security and update mecha-
nisms, thus being potentially in danger to get infected
with other malware. The sinkhole for the Conficker
botnet illustrates that this can affect a huge number of
systems. After the shutdown in 2009, at the time of
writing there are still up to 4 million systems infected
with Conficker contacting the sinkhole on a daily ba-
sis and that are identified by their IP addresses [11]. In
case of multiple infections and a shutdown of one
C&C infrastructure, bots may get simply migrated into
other botnets.
Another example that illustrates the importance of
cleaning affected end-systems is the shutdown of the
rogue hosting provider McColo in 2008 [14]. Directly
after disruption of its connection, this action yielded
an instant 80% spam decrease. However, observed
spam volumes regained their previous amounts after
just 2 months.
While in theory often possible, infiltration and remote
disinfection, hence allowing for the cleaning of ma-
chines without user interaction, this approach is le-
gally highly questionable as it constitutes a manipula-
tion that is similar to the manipulations done by the
malware, if only with good intent. Interestingly, during
and after the study, two cases of this remote manipula-
tion of infected systems happened. In the Netherlands
during the Bredolab botnet shutdown, infected com-
puters directed owners to a webpage informing them
about this circumstance [15]. In the USA, during the
Coreflood botnet shutdown, software updates with
mitigation routines were issued to infected machines
using the botnet infrastructure [16].
Generally, countermeasures and investigations require
a lot of analysis and development effort. Additionally,
compliance with legal frameworks and various poli-
cies has to be ensured. At the moment, legal frame-
works have arguably the biggest impact on the effec-
tiveness of botnet countermeasures. The official proc-
esses required when sharing knowledge and
information but also the planning and execution of
countermeasures introduce serious delays and thus re-
action time which can be critical for success. Another
issue is that even if botnets are disabled, it is hard or
outright impossible to identify their operators as a va-
riety of services for so-called bulletproof hosting and
preserving anonymity is widely available.
4 Recommendations and Good
Practices
Based upon the results gained during the analysis, a
strategy for the fight against botnets was developed.
This strategy consists of a set of recommendations,
divided into three categories: First, the mitigation of
existing botnets, second, the prevention of further in-
crease of the number of infections, and third, minimiz-
ing the profitability of botnets as a tool for earning
money.
The recommended activities require certain capabili-
ties or powers that are distributed by constitution and
involve various stakeholders like governmental regu-
lators, law enforcement, ISPs, and researchers. In the
end, only a globally integrated and coordinated ap-
proach of forces will yield success.
565
4.1 Mitigation of existing botnets
Currently it has to be assumed that a serious fraction
of computer systems is infected with malware. As ex-
plained in section 3.1 on detection and measurement
of botnets, accurate numbers cannot be estimated
which aggravates both the assessment of the threat
posed by botnets and complicates measuring the effec-
tiveness of countermeasures. Furthermore, malware
concepts like pay-per-install or the update mecha-
nisms included in most botnet-related malware pro-
vide an easy way for infecting computer systems with
multiple instances of malware and allow fast acquisi-
tion of computers for new botnets. Additionally, many
types of malware provide mechanisms for disabling
security mechanisms like anti-virus (AV) software and
automatic updates, thus decreasing the security level
of networks where those machines reside.
As the reduction of infected machines is important,
this has to be accomplished with different approaches
that complement each other. Raising user awareness
for the necessity of AV software and other defensive
means is important. It should be supported by ISP-
based notification services. Successful models for this
approach exist in different countries, for example the
Anti-Botnet Initiative in Germany [17], Cyber Clean
Center in Japan [18] or the Australian Internet Secu-
rity Initiative [19]. As the performance of such ser-
vices is connected with costs, options for regulation or
financial incentives for ISPs should be evaluated. To
further support owners of malware-affected computer
systems, the installation of public contact points
should be considered.
From an organizational point of view, a standardisa-
tion of roles and responsibilities is necessary. On an
international level, a clarification and harmonization
of laws against cybercrime should be pursued with
high priority because this serves as a ground for fur-
ther activities. Furthermore, more qualified personnel
should be employed or trained by these institutions.
Potential suppliers of information need to know what
kind of information is relevant to law enforcement.
Sharing information about ongoing investigations is
important in order to not unwillingly affect the opera-
tions of each other [8].
In general, sharing of information has to be further
facilitated. To motivate involved parties, it should fur-
thermore be mutually beneficial and easy to do on a
technical level, for example by standardization of in-
formation exchange protocols or data description for-
mats.
A critical aspect in this context is that trust plays an
important role and is often considered a major issue.
Therefore, regular meetings of representatives from
key players can help to optimize the information ex-
change process.
Finally, an improvement of existing tools and proc-
esses for the analysis of malware and botnet infra-
structures is important to cut down the time between
discovery of a botnet and its mitigation.
4.2 Prevention of new infections
The second set of recommendations aims at prevent-
ing clean computer systems from becoming infected
and protecting networks they reside in. The main in-
tention for this is to reduce the overall number of ma-
chines that can be compromised with a certain attack
and to complicate the task for botmasters to acquire
new bots.
From a technical point of view, early detection of new
types of malware, their spreading vectors, and respec-
tive blocking mechanisms plus their control entities
are necessary. Furthermore, the computer system and
network protection level have to be generally in-
creased. Currently, many common productive network
protection schemes have a strong focus on the network
border gateways and less on the interior systems.
Proper vulnerability management that illustrates the
current patch level and reduces the time needed to roll
out new security updates can help to harden the whole
infrastructure and decrease the chance for a compro-
mise from within.
For private end-users, this translates to raising their
security awareness for the importance of keeping their
systems clean and up to date. Best practices require a
responsible operation of devices; this also includes the
increasingly popular smartphones and their software.
4.3 Minimizing profitability of Botnets
and Cybercrime
In order to fight botnets as effective as possible, they
should not only be fought with technical countermea-
sures. As they serve as tool to generate money from
criminal activities, their value creation chains should
be engaged as well.
For example, credentials that have been extracted
from infected machines should be more difficult to use
or not usable at all for any type of fraud. For instance,
as a form of raising user awareness information about
the use and added security of multi-factor authoriza-
tion schemes should be advertised more. Although
variants of trojans with components for the intercep-
tion of short messages sent to mobile devices have
been identified [20], these are exceptional cases and in
general using multi-factor authorization contributes
significantly to access security.
Another way to break profitability of botnets is to
minimize the time in which compromised computers
can be abused while being reachable through the
command and control infrastructure. The already men-
tioned notification services by ISPs can help to reduce
this duration and inform users about the status of their
computers.
566
In addition, the efforts necessary for the conversion of
money through untraceable schemes should be in-
creased. According to [21], money transfer services
like WebMoney or Liberty Reserve have been repeat-
edly abused for moving money that was stolen in the
course of processes related to botnets. The growing
number of arrests of people participating in the money
conversion schemes and the following prosecutions
may also cause deterrence and help to fight cyber-
crime as a whole.
5 Conclusion
To summarize, three central issues have been identi-
fied that seem essential for an effective fight against
botnets.
Because botnets and cybercrime are acting globally,
the defence has to be organized globally as well.
Cross-border coordination of investigations and ac-
tions as well as the willingness for cooperation and
data sharing are key objectives. This also includes
standardized and accepted data exchange formats and
processes.
To enable this cooperation, a harmonization of laws
related to cybercrime with respect to data privacy in
international context is necessary in order to create a
common ground for the future fight against botnets.
Finally, more efficient analysis tools and characteriza-
tion metrics for malware and botnets are needed in
order to shorten the time for investigations.
References
[1] ICT Applications and Cybersecurity Division,
Policies and Strategies Department, ITU Tele-
communication Development Sector: ITU
Study on the Financial Aspects of Network Secu-
rity: Malware and Spam, 2008.
[2] Tikk, E., Kaska, K., Vihul, L.: International Cy-
ber Incidents: Legal Considerations, CCD COE
Publications, 2010.
[3] Falliere, N., O Morchu, L., Chien, E.:
W32.Stuxnet Dossier v1.4, Symantec Corp.,
2011.
[4] European Network and Internet Security Agency
(ENISA), Heraklion, Greece.
[5] Plohmann, D., Gerhards-Padilla, E., Leder, F.,
Hogben, G.: Botnets: Detection, Measurement,
Disinfection & Defence, Technical Report,
ENISA, 2011.
[6] Plohmann, D., Gerhards-Padilla, E., Leder, F.,
Hogben, G.: Botnets: 10 tough questions,
Technical Report, ENISA, 2011.
[7] Stone-Gross, B., Cova, M., Cavallaro, L., Gil-
bert, B., Szydlowski, M., Kemmerer, R., Krue-
gel, C., Vigna, G.: Your botnet is my botnet:
analysis of a botnet takeover, in: Proceedings of
the 16th ACM conference on Computer and
communications security (CCS '09), 2009.
[8] Enright, B., Voelker, G., Savage, S., Kanich, C.,
Levchenko, K.: Storm: When researchers col-
lide, in: USENIX; login, vol. 33(4), 2008.
[9] MAAWG Recommendation: Managing Port 25
for Residential or Dynamic IP Space Benefits of
Adoption and Risks of Inaction, 2005.
[10] Porras P., Saidi, H., Yegneswaran, V.: An
Analysis of Conficker's Logic and Rendezvous
Points, Technical Report, SRI International,
2009.
[11] Conficker Working Group (CWG) and The Ren-
don Group: Conficker Working Group: Lessons
Learned, Technical Report, 2011.
http://www.confickerworkinggroup.org.
[12] Federal Trace Commission: FTC Shuts Down
Notorious Rogue Internet Service Provider, 3FN
Service Specializes in Hosting Spam-Spewing
Botnets, Phishing Web sites, Child Pornography,
and Other Illegal, Malicious Web Content,
2009. http://www.ftc.gov/opa/2009/06/3fn.shtm.
[13] Williams, J.: What we know (and learned) from
the Waledac takedown. Microsoft Malware Pro-
tection Center Blog, 2010. [Online]
http://blogs.technet.com/b/mmpc/archive/2010/0
3/15/what-we-know-and-learned-from-the-
waledac-takedown.aspx
[14] Masiello, S.: The McColo Effect: One Year
Later, McAfee Blog Central, 2009. [Online]
http://blogs.mcafee.com/mcafee-labs/the-
mccolo-effect-one-year-later
[15] Bredolab Infection Warning Page. Dutch Na-
tional Alerting Service, 2010 [Online]
http://www.waarschuwingsdienst.nl/Risicos/Viru
ssen+en+malware/Ontmanteling+Bredolab.html
[16] Governments supplemental Memorandum in
support of temporary restraining order, No. 3:11
CV 561 (VLB), submittted to United States
District Court, District of Connecticut, 2011.
[17] German Anti-Botnet Initiative,
http://www.botfrei.de
[18] Japanese Cyber Clean Center (CCC),
https://www.ccc.go.jp
[19] Australian Internet Security Initiative (AISI),
http://www.acma.gov.au/aisi
[20] Apvrille, A., Yang, K.: Defeating mTANs for
profit, ShmooCon, 2011.
[21] Team Cymru: The Underground Economy Brief
The PPI Model in the Underground Economy,
2010.
567
Realising a trustworthy sensor node with the idea of
virtualisation
Dennis Gessner, NEC Laboratories Europe, Germany
Marcel Selhorst, Sirrix AG security technologies, Germany
Christian Stble, Sirrix AG security technologies, Germany
Peter Langenoer!er, "#P Microelectronics, Germany
Abstract
$ireless Sensor an Actuator Net%or&s '$SANs( are typically use in orer to protect Critical "n!rastructures
'C"s() $SANs collect an transmit sensiti*e ata an nee to !ul!il their e!ine security re+uirements
accoring to the C" they protect) ,his ho%e*er has a high impact on builing such systems %ith respect to
security) $SANs epen on secure operation o! their noes an thus nee to rely on the use noe operating
system '-S() #o%e*er, typical $SAN noes are limite regaring their po%er consumption an a*ailable
har%are resources, %hich ma&es it i!!icult to implement rich security or reliability !eatures) Ne*ertheless, the
use -S shoul still pro*ie security mechanisms in orer to limit the e!!ects o! both, acciental errors as %ell
as malicious moi!ications o! the running so!t%are)
$ithin this paper, %e sol*e a signi!icant number o! the be!ore mentione issues by pro*iing a high.assurance
security &ernel !or $SAN noes) ,he security &ernel pro*ies strong process isolation) ,his allo%s !or example
to execute truste an untruste coe on the same noe, !or instance to separate truste encryption components
an &eys !rom untruste net%or& protocol stac&s)
/eali0ing trust%orthiness insie a $SAN is one o! the most important aspects !or protecting C"s) Each sensor
noe nees to trust the in!ormation !lo% along the net%or&) 1or example, in case o! an incient, it is essential
that a $SAN measuring a po%er gri notices this incient in a epenable an real.time %ay) All
corresponing actuators or e*en persons behin the control panels ha*e to react in.time on an abnormal
beha*iour o! the system) Since possibly cost.intensi*e or e*en li!e.threatening ecisions, such as shutting o%n
a high.*oltage po%er supply line, are mae base on the measure in!ormation o! $SANs, these net%or&s ha*e
to be !ully trust%orthy %ith regar to the ata pro*ie)
,he main aspect o! the presente security moel is to isolate security.critical parts o! the operating system, such
as encryption mechanisms, encryption &eys an security.relate so!t%are, an encapsulate each o! them in so
calle compartments) ,his is reali0e in such a %ay that no compartments can access, interact, or in!luence
each other %ithout permission o! the unerlying security &ernel)
,he security &ernel pro*ies such a trust%orthy plat!orm !or secure communication noes) "t is base on a
micro&ernel system %ith a *ery small ,ruste Computing 2ase ',C2(, %hich ma&es it easier to pro*e the
correctness o! such a system) -n top o! it, i!!erent security ser*ices hanle secure coe.upate, attestation,
secure communication, secure measurement o! the sensor, an secure storage o! the sensor ata) "n parallel to
the security rele*ant compartments, it is possible to run common $SAN noe operating systems 'e)g), a para.
*irtualise Linux, eCos, or ,iny-S()
1 Introduction
,oay C"s, such as telecommunication, transporta.
tion, an energy3%ater istribution net%or&s are es.
sential !or our companionship) ,hese in!rastructures
ha*e to be permanently a*ailable, 456 ays a year
an 78 hours a ay) Possible !ailures o! these systems,
improper maintenance, or e*en terrorist attac&s
threaten these in!rastructures an ha*e to be hanle
in a proper %ay) Most o! current a*ailable net%or&s
!or these &ins o! in!rastructures strongly epen on
!urther net%or&s, such as the Global Systems !or Mo.
bile Communications 'GSM( net%or&, %here a high
a*ailability, in case o! an incient, cannot be guaran.
tee) A possible solution to encapsulate these net.
%or&s !rom each other to achie*e more autonomy, are
$SANs) ,hese net%or&s exten the sensing capabil.
ities in an easy an cost e!!icient %ay, are easy to is.
tribute, an can be autonomous o*er a long time) 1or
example, a $SAN may be use to monitor the struc.
tural health o! a C", %here %ire sensing e*ices be.
come extremely cost.intensi*e) A $SAN can simpli!y
maintenance tas&s an pro*ie signi!icant support in
case o! an incient) "n aition, $SANs can be use
to etect potential attac&s against critical in!rastruc.
tures) Since $SANs can be !ault tolerant an the net .
568
%or& can sur*i*e critical situations, such as malicious
attac&s, natural isasters, or acciental !ailure, they
are more reliable than alternati*e %ire solutions)
Current $SANs are built using har%are an so!t.
%arore %ith almost no implemente security or reli.
ability) #o%e*er, the nature o! a $SAN gi*es the
possibility to highly increase the strength an possib.
ilities to obser*e an react on incients insie C"s,
there is a high necessity o! builing such systems
%ith respect to security techni+ues e*elope in the
", security en*ironment) $ithin the context o! this
paper, %e %ill help to sol*e a signi!icant number o!
the be!ore mentione issues, by pro*iing a high.as.
surance security &ernel calle ,9/A:A)embee)
,his short paper is structure into !i*e chapters)
Starting %ith a short introuction, %e gi*e an analys.
is o! current research in the area o! embee operat.
ing systems, micro&ernels an the iea o! *irtualisa.
tion in sensor net%or&s or embee e*ices) Section
4 escribes the ,9/A:A architecture, !ollo%e by a
escription o! our implemente proo!.o!.concept !or a
real.%orl scenario in section 8) Section 6 conclues,
together %ith a !irst outloo& to !urther %or& in this
area)
2 Related Work
"n the past years, a lot o! embee -S %ere e.
*elope an presente to the public, such as ,iny-S
;<=, MAN,"S ;7=, Conti&i ;4=, S-S ;8=, an /e!lex
;6=) ,hese operating systems pro*ie a !unctional sys.
tem !or embee systems %ith a *ery small amount
o! memory) #o%e*er none o! them %as esigne %ith
a special !ocus on -S protection 'i)e), protection o!
the -S !rom the applications() ,his results in the i!.
!iculty to run reliable sensor net%or& so!t%are on the
har%are) E*ery unrestricte access to resources res.
ults in a success!ul attac&, compromising the security
o! the %hole system) ,he authors o! ;5= emonstrate
ho% a return oriente programming attac& can be
use to circum*ent the isolation o! the ata an the
coe section o! #ar*ar.architecture e*ices) ,hey
use existing coe an tric&y reorering o! it to ex.
ecute an uncontrolle upate process)
1irst ieas to increase the -S security starte in the
past years) ,iny-S has recently been impro*e by
pro*iing e!!icient memory an type sa!ety ;>=) ,he
optimi0ations propose there ensure that all errors
prouce !rom accessing arrays an pointers are
caught be!ore they ha*e the possibility to corrupt the
sensor memory) Another approach is calle t.&ernel
;?=, %hich also impro*es resistance to application
!aults by pro*iing a so!t%are *irtual memory an
so!t%are separation o! the &ernel an application
memory spaces, achie*e by moi!ying the sensor
binary coe uring runtime)
"n literature, there are also solutions base on har.
%are extensions) "n ;@= the authors propose an ap.
proach to bloc& any &in o! stac& corruption attac&s
by accepting a small per!ormance penalty) "n ;<A= a
pure har%are approach is presente chec&ing each
memory access generate by a so!t%are entity) ,he
propose solution partitions the noeBs memory into
bloc&s %ith a !ixe si0e an aims at separating the se.
curity lea&s, cause by programming errors) ,he au.
thors o! ;<<= present a har%are extension !or an
AC/ MC9 that moi!ies the instruction set to chec&
memory accesses uring store operations an to in.
tegrate protection o! the return *alues)
"nepenent !rom common security solutions, the
iea o! *irtualisation !or achie*ing a higher le*el o!
robustness, epenability an sa!ety is also use by
*arious approaches) "n the %or& o! ;<7=, a Da*a.Cirtu.
al.Machine 'DCM(.base solution is introuce, in
%hich the noeBs so!t%are is %ritten in Da*a) Since
Da*a.coe oes not run on common sensor noes,
EES-, an ahea.o!.time 'A-,( compiler, is use to
generate the C coe ;<4=) ,his solution pro*ies a
so!t%are.base memory protection by separating so!t.
%are entities in isolate DCMs) A small.si0e *irtual
machine !or ,iny-S is presente in ;<8=) "t pro*ies
the execution o! portable pieces o! coe, has a *ery
small instruction set that allo%s a small memory !oot.
print o! the system image) Compare to our solution,
it is !ocuse on portability, security aspects are not
aresse) A similar approach is presente in ;<6=) "t
uses an extensible ,uring complete byte.coe lan.
guage) Again, this approach is inepenent o! secur.
ity aspects)
2esie the abo*e mentione aspects o! *irtualisation,
commercial proucts, such as ;<5= introuce the use
o! L8 base micro&ernels as a hyper*isor to *irtualise
operating systems on top) ,he %or& o! ;<>= sho%s
that this comes together %ith an o*erhea o! about 6.
>F, thus the bene!it !rom a security perspecti*e is
much higher compare to the lo%ere per!ormance o!
such systems) Alreay eploye micro&ernel
proucts, such as the high a*ailable GNH ;<?=, or the
high secure Green #ills "ntegrity ;<@= starte to be
interesting !or more proucts an areas o! interest,
such as the protection o! C"s ;7A=, or the mobile
phone mar&et ;7<=) ,here, the -EL8 micro*isor is
use to securely isolate parts o! the system to !ul!il
!ine granulate security re+uirements) 2ase on this
%or&, this paper introuces a ne% trust%orthy solu.
tion to be use insie sensor noes)
3 Trusted Sensor Node
Architecture
Current sensor plat!orms are built %ithout stanar
security mechanisms, such as memory management
569
units, %hich can be use to protect i!!erent applica.
tions !rom each other) E*en i! these har%are capab.
ilities are pro*ie, a strict isolation o! security rele*.
ant operations, such as measurement o! ata, coe.
upate, or any cryptographic operations, is not !eas.
ible %ithout aitional mechanisms at the operating
system le*el) "n orer to impro*e the security o! the
sensor noe, %e in*estigate the iea o! introucing a
micro&ernel.base architecture !or sensor noes)
,he general iea o! the propose architecture is to es.
tablish *arious isolate compartments on a single
sensor e*ice by using *irtualisation technology)
Compartments are strictly separate !rom each other
in a %ay that the in!ormation !lo% bet%een all com.
partments can be controlle by the unerlying secur.
ity architecture) ,his communication is restricte to
pree!ine static channels) Each isolate compart.
ment may ha*e its o%n security policy implemente)
,hese !eatures allo% protection o! sensiti*e ata, such
as measure ata or cryptographic &eys, on the e*ice
e*en i! 'untruste( parts o! the sensor noe inclue
malicious ata) 1or instance, i! the compartment re.
sponsible !or net%or& communication is uner con.
trol o! an attac&er, access to cryptographic &eys use
!or signing measurement ata, %hich are store in
another compartment, can not be retrie*e)
"n section 4)< %e shortly escribe ,9/A:A)embe.
e as a security &ernel to be use !or truste sensor
e*ices) A proo!.o!.concept o! this architecture has
been e*elope an eploye %ithin the $SAN8C"P
proIect) ,his implementation supports the separation
o! cryptographic operations, an it allo%s the secure
coexistence o! se*eral applications, *irtualise on a
single sensor noe)
31 T!RA"A Security #ernel
,he ,9/A:A)embee security &ernel consists o!
t%o layersJ a micro&ernel responsible !or isolating
critical parts o! the system an a security ser*ice lay.
er pro*iing i!!erent security ser*ices to applications
running on the sensor)
1igure < illustrates the propose architecture base
on the *irtualisation technology as pro*ie by the
unerlying micro&ernel)
,he micro&ernel itsel! pro*ies strict resource isola.
tion an encapsulates each compartment in such a
%ay that compartments cannot access, interact, or in.
!luence each other %ithout permission grante by
,9/A:A)embee)
,his architecture has a reuce ,ruste Computing
2ase ',C2() Compare to monolithic operating sys.
tems, such as Linux or $ino%s, the number o! lines
o! coe is *ery small so that it is by !ar more easy to
pro*e the correctness o! such a system)
32 Security Services
-n top o! the micro&ernel, ,9/A:A)embee
pro*ies se*eral security ser*ices responsible !or
coe.upate, attestation, secure communication, an
secure measurement o! the sensor ata) "n parallel to
the security rele*ant compartments, it is possible to
run stanar operating systems 'e)g), Linux(, so that
e*en non.plat!orm.speci!ic coe can run on the sys.
tem) Aitionally, this allo%s to execute existing
so!t%are %ithout the nee o! re.%riting it) Combining
these aspects, the ,9/A:A)embee security &ernel
o!!ers a secure an trust%orthy plat!orm !or sensor
an communication noes to be use in $SAN !or
the protection o! critical in!rastructures)
As alreay illustrate in 1igure <, !our i!!erent se.
curity ser*ices ha*e been e*elopeJ a compartment
responsible !or measuring sensing ata recei*e !rom
connecte har%are sensors, a compartment respons.
ible !or connecting the noe to a %ireless 'a.hoc(
sensor net%or&, a compartment !or remote attesta.
tion, an a compartment !or secure ata storage) A.
itional ser*ices, e)g), !or secure coe upate, can y.
namically be ae) #o%e*er this re+uires a reboot o!
the sensor noe ue to the static communication
channel e!initions)
321 Sensor $easure%ent
/unning as a nati*e application on top o! the mi.
cro&ernel, the measurement compartment collects
sensor.ata !rom the connecte sensors an transmits
them to a storage compartment using "nter Process
Communication '"PC() ,his compartment is the only
compartment that has access to the sensing e*ices o!
Figure 1: architecture of TURAYA.embedded
for trusted sensor nodes
570
the sensor noe) "n this speci!ic scenario, %e imple.
mente '"nter."ntegrate Circuit( "KC an Serial Peri.
pheral "nter!ace 2us 'SP"( base sensing e*ices,
such as !or temperature or oil.pressure measuring)
"n combination %ith signatures o*er the measurement
ata, it is not possible !or an a*ersary to alter the
ata, once it has le!t the measurement compartment)
322 Network
,he secon isolate ser*ice is the net%or&ing part o!
the system) "t consists o! an "P*8 net%or& stac& com.
bine %ith se*eral mesh routing protocols to ynam.
ically !orm an a.hoc net%or& %ith surrouning
sensor noes) "ts tas& is to trans!er ata to the con.
necte sensor net%or&) Aitionally, by !or%aring
incoming pac&ets !rom neighbor noes, the sensor
noes can be use to istribute an relay pac&ets o*er
a long istance) All external communication is only
possible through this compartment) Although attac&s
against this compartment o*er the net%or& can not be
pre*ente, success!ul a*ersaries are not able to ac.
cess the memory o! other compartments ue to the
strict isolation o! the unerlying micro&ernel) ,he
compartment.base architecture also pre*ents attac&s
base on misuse net%or& protocols as %ell as
against attac&s base on baly programme net%or&
ri*ers enabling the possibility to ta&e o*er the com.
plete system ;74=)
323 Re%ote Attestation
"n orer to assure the trust%orthiness o! the sensor
noe, the sensor noe nees to be able to proo! its in.
tegrity to external entities) ,his can be achie*e by
using ,ruste Computing technology, such as remote
attestation) ,his compartment pro*ies the re+uire
!unctionality to attest the sensor state to an external
sensor control instance)
,his, ho%e*er, re+uires a trust anchor insie the
sensor har%are) Aitionally either secure booting
o! the sensor noe or at least a truste bootstrap
mechanism is neee in orer to ensure the trust%or.
thiness o! the running sensor so!t%are)
Current sensor noes are typically not e+uippe %ith
a tamper resistant secure har%are anchor ue to re.
source restrictions an costs) #o%e*er the gate si0es,
the re+uire area an there!ore the costs o! embee
har%are o statically ecrease ue to the impro*e.
ments o! chip manu!acturing technology) ,here!ore it
can be assume, that !uture sensor noes %ill be
e+uippe %ith more po%er!ul CP9s along %ith secur.
ity extensions, such as ,exas "nstruments M.Shiel
or a ,ruste Plat!orm Moule 'resp) its mobile *er.
sion the Mobile ,ruste Moule()
,his %oul allo% to chec& the state o! a speci!ic noe
!rom any remote point o! the sensor net%or& securely)
#o%e*er, a so!t%are base simulation o! remote at.
testation has been e*elope base on an M,M run.
ning in this compartment)
32& Secure Storage
,o store the measure ata locally on the sensor
noe, an isolate storage compartment on top o! the
micro&ernel system is use) ,he ata can either be
store insie the 1lash memory o! the sensor or on
connecte MMC cars) ,his compartment can only
be accesse through the communication channels
pro*ie by ,9/A:A)embee, pre*enting mali.
cious moi!ication o! the measure ata 'i)e), %rite
access to measure ata is only allo%e by the meas.
urement compartment()
& Trusted Sensor Node
Realisation
&1 Analysis' Isolation on resource
constraint %icrocontrollers
"t is o! importance to analyse the possible o*erhea o!
*irtualisation techni+ues on resource contraint micro.
controllers) ,here!ore i!!erent simulations ha*e been
per!orme on a lo% po%er microcontroller)
Currently isolation is consiere to be in!easible !or
microcontrollers %ith scarce resources such as the ,"
MSP84A) 2ut i! these controllers are use in critical
in!rastructures such means are essentially neee)
,here are t%o i!!erent techni+ues to guarantee isola.
tion) 1irst microcontrollers can be extene by
Memory Protections 9nits 'MP9s() 9sing such an
MP9, the memory o! a LC can be split into separate
memory entities) ,he MP9 then intercepts all
memory access an *aliates i! a process accessing a
certain memory entity is allo%e to o so) $e ha*e
implemente such an MP9 in a simulation en*iron.
ment !or the ," MSP 84A to sho% its !easibility ;77=)
,he problem %ith that type o! solution is that it re.
+uires manu!acturers to exten their LC %ith MP9s)
,he alternati*e %oul be to a an MP9 on sensor
noe Printe Circuit 2oars 'PC2s(, but such a solu.
tion %oul only allo% to control access to memory
not integrate in the LC, an such a solution is easy
to attac& since sensor noes are normally eploye in
unattene areas, i)e) physical access by attac&ers
nees to be ta&en into account)
Secon a so!t%are *irtualisation can be reali0e) So!t.
%are *irtualisation comes %ith a per!ormance penalty
an re+uires to emulate the instructions o! the LC)
,he latter has signi!icant impact on the complexity o!
the *irtualisation layer) $e ha*e one a !irst assess.
ment !or the ," MSP 84A LC %hich has a /"SC ar.
571
chitecture %ith only <> instructions an a !i*e stages
pipeline) ,he MSP84A nees up to six cloc& cycles
!or executing a complex operation) ,hat means that
in a %orst case the per!ormance penalty can be calcu.
late by the number o! cloc& cycles neee to emulate
partial instructions an the maximum number o!
cloc& cycles neee by the LC to execute an instruc.
tion) $e assume that our emulation nees bet%een 7
an 5 cloc& cycles per partial instruction so that the
%orst case estimation !or the emulation o! a complex
operation is <?A) 2ut the real penalty strongly e.
pens on the type o! instructions use in the applica.
tions)
&2 (roof)of)conce*t i%*le%entation
,he analysis in 8)< sho%s, that running *irtualisation
on a resource constraint sensor noe has a penalty in
execution time)
"n orer to sho% the possibilities o! the ,9/A:A)em.
bee security &ernel to buil truste sensor noes,
a proo!.o!.concept %as e*elope an eploye in a
real.%orl application scenario)
As a basis, t%o i!!erent har%are solutions ha*e
been testeJ ,he !irst approach use the Silex Europe
SH.65A boar, %hich has *ery limite har%are) "t is
e+uippe %ith a 7AAM#0 A/M.CP9 an ?M2 /AM
but has a $i1i.aapter on boar to establish an a.
hoc net%or& bet%een the noes) Although it %as pos.
sible to run the micro&ernel itsel!, ue to the memory
contraints o! only ? M2 it %as not possible to run all
the esire security ser*ices at a time) ,he use mi.
cro&ernel itsel! re+uires only a !e% &ilobyte, ho%e*er
running a rich operating system, such as Linux in or.
er to re.use existing e*ice ri*ers !or the %ireless
har%are re+uire more than ? M2 o! /AM)
Ne*ertheless, in orer to proo! the propose architec.
ture an to buil a truste sensor noe, a more
po%er!ul embee e*ice '2eagle2oar( %as use)
,he 2eagle2oar is also e+uippe %ith an A/M.
CP9 cloc&e %ith 5AAM#0) As a so!t%are !ouna.
tion, the -EL8 micro&ernel %as use)
$e attache $i1i an i!!erent sensor measurement
har%are to the boar, such as thermal, passi*e in.
!rare an *ieo sur*eillance) "n orer to isolate the
measurement ata, each sensor is ri*en by an isol.
ate compartment containing secure e*ice ri*ers
!or the particular e*ices)
,he storage compartment has access to the MMC
e*ice) ,he net%or&ing compartment %as ri*en by a
*irtualise Linux '-EJLinux( in orer to re.use the
existing %ireless LAN e*ice ri*ers as %ell as the
"P*8 net%or& stac& an the routing ser*ices !or the
net%or& itsel!)
$ithin $SAN8C"P, a proIect !une by the
European Commission 'EC(, !i*e sensors ha*e been
eploye into an existing critical in!rastructure %ith.
in the !acility o! an energy istributor in Portugal)
,he tas& o! the sensors is to measure the temperature
o! trans!ormers) Due to the po%er!ul sensor har.
%are, aitional sensors such as *ieo sur*eillance,
thermal image, an motion etectors ha*e also been
success!ully aopte to the truste sensor noe)
,his proo!.o!.concept sho%s, that lo%.cost embee
e*ices in combination %ith ,9/A:A)embee can
be use to !orm a truste %ireless sensor noe !or the
protection o! critical in!rastructures)
+ ,onclusion
,his paper introuce the architecture ,9/A:A)em.
bee to be use !or truste sensor noes) "t %as
success!ully use to buil a truste sensor plat!orm
base on *irtualisation techni+ues) ,hrough the se.
cure isolation o! each ser*ice, a high le*el o! trust.
%orthiness is introuce in the area o! $SAN) ,he
propose architecture is !lexible an can easily be en.
hance by aitional security ser*ices or har%are
speci!ic !unctionality 'such as aitional sensors()
,he small ,ruste Computing 2ase enables the pos.
sibility to !ormally pro*e the correct beha*iour o! the
o*erall sensor noe) 1uture *ersions o! sensor noes
e+uippe %ith security anchors %ill enable e*en more
security !eatures an allo% the *eri!ication o! the run.
ning so!t%are on the sensor noe) ,his %oul e*en
allo% the usage o! rich ,ruste.Computing !eatures,
such as a !orm o! ,ruste Net%or& Connect) Sensors
coul *eri!y each other be!ore routing net%or& pac&.
ets !rom possibly malicious sensors)
1urther steps %ill be to ecrease the har%are e.
penability to be able to run the architecture e*en on
small noes %ith *ery lo% po%er consumption com.
pare to the current implemente one) #o%e*er this
is the most essential topic in the area o! $SAN, %e
assume that battery po%er an a*ailable memory is
less important in the near !uture, compare to the in.
crease bene!its in security that are gaine)
Acknowledge%ents
,he %or& publishe in this paper is 'partly( !une
by the European Commission through the $SAN8.
C"P.ProIect) "t oes not represent the *ie% o! EC or
the $SAN8C"P consortium, an authors are solely
responsible !or the paperBs content)
572
References
;<= #ill, D)M S0e%c0y&, /)M $oo, A)M #ollar, S)M
Culler, D)M Pister E)J NSystem architecture
irections !or
net%or&e sensorsO, Cambrige, "nternational
Con!erence on Architectural Support !or
Programming Languages an -perating
Systems 'ASPL-S(, No*ember 7AAA
;7= 2hatti, SM Carlson, DM Dai, #)M Deng, D)M /ose, D)M
Sheth, A)M Shuc&er, 2)M Gruen%al, C)M
,orgerson, A)M #an, /)J NMAN,"S -SJ An
Embee Multithreae -perating System !or
$ireless Micro Sensor Plat!ormsO, ACM Mobile
Net%or&s an Applications, Col <A, No) 8, 7AA6
;4= Dun&els, A)M GrPn*all, 2)M Coigt, ,)J QConti&i .
a Light%eight an 1lexible -perating System
!or ,iny Net%or&e SensorsO, "EEE $or&shop
on Embee Net%or&e Sensors, No*ember
7AA8
;8= #an, C).C)M /engas%amy, /) E)M Shea, /)M
Eohler, E)M Sri*asta*a, M)J QS-SJ A ynamic
operating system !or sensor net%or&sO, ACM
Con!erence on Mobile Systems, Applications,
An Ser*ices
'Mobisys(, 7AA6
;6= $alther, E)M Nolte, D)J QA !lexible scheuling
!rame%or& !or eeply embee systemsQ,
Proceeings o! the 8th "EEE "nternational
Symposium on Embee Computing, 7AA>
;5= 1rancillon, A)M Castelluccia, C)J QCoe inIection
attac&s on har*ar.architecture e*icesO, "n
CCS
BA?J Proceeings o! the <6th ACM con!erence
on
Computer an communications security, pages
<6.75, Ne% :or& '9SA(, 7AA?
;>= Cooprier, N)M Archer, $)M Eie, E)M Gay, D)M
/egehr) D)J QE!!icient Memory Sa!ety !or
,iny-SO, ACM Con!erence on Embee
Net%or&e Sensor Systems 'SenSys(, No*ember
7AA>
;?= Gu, L)M Stan&o*ic, D) A)J Qt.&ernelJ Pro*iing
/eliable -S Support !or $ireless Sensor
Net%or&sO, ACM Con!erence on Embee
Net%or&e Sensor Systems 'SenSys(, 7AA5
;@= 1rancillon, A)M Perito, D)M Castelluccia, C)J
QDe!ening embee systems against control
!lo% attac&sO, "n SecuCoe BA@J Proceeings o!
the !irst ACM %or&shop on Secure execution o!
untruste coe, pages <@R75, Ne% :or& '9SA(,
7AA@
;<A= Lopriore, LJ Q#ar%are3Compiler Memory
Protection in Sensor NoesO, "nternational
Dournal o! Communications, Net%or& an
System Sciences, <'4(J746R78A), 7AA?
;<<= Eumar, /)M Singhania, A)M Castner, A)M Eohler,
E)M Sri*asta*a, M)J QA system !or coarse graine
memory protection in tiny embee
processorsO, "n DAC BA>J Proceeings o! the
88th annual Design Automation Con!erence,
pages 7<?R774, Ne% :or& '9SA(, 7AA>
;<7= Stil&erich, M)M Lohmann, D)M SchrPer.
Prei&schat, $)J NMemory protection at optionO,
"n CA/S B<AJ Proceeings o! the <st $or&shop
on Critical Automoti*e applications, pages <>R
7A, Ne% :or& '9SA(, 7A<A
;<4= ,homm, ")M Stil&erich, M)M $a%ersich, C)M
SchrPer.Prei&schat, $)J NEesoJ an open.source
multiI*m !or eeply embee systemsO, "n
Proceeings o! the ?th "nternational $or&shop
on Da*a ,echnologies !or /eal.,ime an
Embee Systems, D,/ES B<A, pages <A@.<<@,
Ne% :or& '9SA(, 7A<A
;<8= Le*is, P)M Culler, D) MateJ QA tiny *irtual
machine !or sensor net%or&sO, "nternational
Con!erence on Architectural Support !or
Programming Languages an -perating
Systems, San Dose '9SA(, 7AA7
;<6= Mller, /)M Alonso, G))M Eossmann, D)J NA
*irtual machine !or sensor net%or&sO, "n
EuroSys BA>J Proceeings o! the 7n ACM
S"G-PS3EuroSys European Con!erence on
Computer Systems 7AA>, pages <86.<6?, Ne%
:or& '9SA(, 7AA>
;<5= -pen Eernel Labs) -EL8 community site)
httpJ33o&l8)org
;<>= #Srtig, #)M #ohmuth, M)M Liet&e, D)M
SchPnberg, S)M $olter, D)J N,he per!ormance o!
L.&ernel.base systemsO, "n <5th S-SP, pages
55.>>, St) Malo '1rance(, -ct <@@>
;<?= Laroux, P)M Graham, 2)J QSecure by esignJ
9sing a micro&ernel rtos to buil secure, !ault.
tolerant systemsO, $hite paper, GNH,
httpJ33%%%)+nx)com3o%nloa3!eature)htmlT
programiU<@46?, Apr 7AA@
;<@= Green #ills "ntegrity)
httpJ33%%%)ghs)com3proucts3rtos3integrity)html
;7A= 2uttyVn, L)M Gessner, D)M #essler, A)M
LangenPr!er, P)J NApplication o! $ireless
Sensor Net%or&s in Critical "n!rastructure
Protection . Challenges an Design -ptionsO,
Special "ssue on Security an Pri*acy in
Emerging $ireless Net%or&s o! the "EEE
$ireless Communications Maga0ine, -ctober
7A<A
;7<= Selhorst, M)M Stble, C)M 1elmann, 1)M Gnaia,
9)J NMo,rust)Embee R Eine
*ertrauens%rige Sicherheitsplatt!orm !r
SmartphonesQ, <7) Deutscher ",.
Sicherheits&ongress, May 7A<<
;77= Stec&lina, -)M LangenPr!er, P)M Men0el, #)J
N,o%ars a secure aress space solution !or
573
lo% po%er sensor noesO, "nternational
Con!erence on Per*asi*e an Embee
Computing an Communication Systems,
March 7A<<
;74= 2utti, LM ,innWs, DJ QDisco*ering an exploiting
?A7)<< %ireless ri*er *ulnerabilitiesO, Dournal
in Computer Cirology, Col)8, 7AA>
574
WSNLab A Security Testbed for WSNs
Nils Aschenbruck, Jan Bauer, Jakob Bieling, Elmar Gerhards-Padilla, Matthias Schwamborn
University of Bonn - Institute of Computer Science 4
Friedrich-Ebert-Allee 144, 53113 Bonn, Germany
{aschenbruck, bauer, bieling, padilla, schwamborn}@cs.uni-bonn.de
Abstract
As the research of Wireless Sensor Networks (WSNs) focuses more and more on real-world scenarios (such as
public safety), security issues become increasingly important. Beside attacks known from conventional (wireless)
networks, resource constrains are a core challenge and also a possible vulnerability. The goal of the security
testbed, build in the project WSNLab, is to develop and evaluate security measures for WSNs. For this purpose, a
light-weight security architecture is specied. Furthermore, selected attacks and countermeasures are implemented
and evaluated in the testbed.
1 Motivation & Objectives
A Wireless Sensor Network (WSN) consists of
small, resource-constrained computing devices (so-
called motes) that perform physical measurements
(e.g., temperature, vibration) in a distributed manner.
The motes form a self-adaptive multi-hop network to
transport the measured data to a sink. The data may
be pre-processed and fused in the network. Further-
more, WSNs often provide capabilities using a reverse
channel for sensor control and management as well
as ashing of motes and Over-The-Air Programming
(OTAP). WSNs are deployed in a steadily growing
plethora of application areas. Especially their deploy-
ment in the industrial, military, public safety, and med-
ical domains renders security in these networks an is-
sue of high relevance.
The main goal of the WSNLab project, partly
funded by the German Federal Ofce for Information
Security (BSI), is to build a WSN laboratory for the
evaluation of WSN security measures. A second goal
Sub-net OS Hardware Chan.
1 Contiki 10 TelosB 11
2 iSense 10 CM10C 18
with Security Module
3 TinyOS 5 TelosB and 26
5 MicaZ with MTS400
Table 1. Hardware specication and ra-
dio channel for the three WSN sub-
networks.
is to develop, implement, and evaluate a security ar-
chitecture for stationary and mobile WSNs. By doing
so, different hardware and software platforms are con-
sidered to reect realism through heterogeneity. Thus,
all evaluations are performed within a testbed consist-
ing of multiple Operating Systems (OSs) and sensor
platforms to ensure broad system support.
The rest of this paper is structured as follows: The
testbed is described in Section 2. Next, we present
a threat analysis and security architecture for WSNs
(Section 3). Finally, we conclude the paper and point
out topics for future work (Section 4).
Contiki
channel 11
iSense
channel 18
TinyOS
channel 26
Figure 1. WSNLab security testbed.
575
Gateway
Testbed
BonnMotion
WiseML
file
Link Control
Server GUI
Figure 2. Integrating mobility in the
WSNLab testbed.
2 The Security Testbed
For the testbed, different WSN hardware and
software platforms are considered to reect realism
through heterogeneity. In its current setup, the testbed
consists of three OSs (Contiki [5], iSense [4], and
TinyOS [10]) running on three hardware platforms
(TelosB [13], MicaZ [12], and iSense-CM10C [11]).
For the WSNLab testbed, we realized three sub-
networks with different OSs. Figure 1 visualizes the
basic setup and Table 1 shows which combinations of
hardware and software are used in the testbed. The
different sub-networks are separated physically using
different radio channels, as the standard Media Ac-
cess Control (MAC) protocols of the different OSs are
not interoperable. A solution for the future may be
the use of IEEE 802.15.4 MAC protocol implementa-
tions. However, to the best of our knowledge, there is
only an implementation for TinyOS available [9] up to
now. Recongurations as well as the deployment of
new protocols (such as MAC protocols) is possible us-
ing OTAP. New modules and even full images can be
distributed and ashed onto the nodes.
The deployed application consists of a simple dis-
tributed sensor data collection process. Motes sense
and transmit the sensor data to the sink. As self-
adaptive WSN routing protocols, the Collection Tree
Protocol (CTP) [8] and the IPv6 Routing Protocol for
Low power and Lossy Networks (RPL) [16] are used
to deliver sensor data via multiple hops. Thus, the sen-
sor data can be delivered even though the sink is not in
direct communication range.
To realize multi-hop paths in a reliable and repro-
ducible way, the testbed supports topology manage-
ment using a link control system based on the con-
cept of virtual links (cf. [3]). Even complex topologies
can be dened by manipulating the delivery of mes-
sages. On each mote, there is a module that checks
whether packets received over the air are supposed to
reach the receiving mote based on the dened topol-
ogy. These topologies can even be changed during an
experiment. The motes become virtually mobile. By
Figure 3. Sample packet trace from our
testbed in Wireshark.
doing so, mobile sensor networks can be evaluated in
the testbed as well. Figure 2 visualizes the integration
of mobility into the testbed. Arbitrary scenarios us-
ing different mobility models [2] can be used through
the integration of BonnMotion [1]. BonnMotion sup-
ports WiseML [14], a scenario and experiment speci-
cation language for WSNs that is based on GraphML,
an XML dialect. The goal of WiseML is to specify in-
puts and outputs and enabling the reproduction of ex-
periments. The WiseML les are used as input for the
link control system. Overall, the testbed can be used
to evaluate WSN algorithms and protocols in hetero-
geneous, complex, static and mobile scenarios.
For evaluation purposes, we added a Jackdaw IEEE
802.15.4 Sniffer [15] (running Contiki) to the testbed.
This device allows us to capture all packets of a wire-
less channel and analyze them using packet analyzer
tools like Wireshark [17]. Figure 3 shows a sample
packet trace from our testbed in Wireshark. In the g-
ure, CTP routing packets as well as packets from the
collector application can be seen. Moreover, we added
a GNU Radio [7] USRP-Board [6] to the testbed. This
special hardware allows us to run various types of Jam-
ming attacks.
3 The Security Architecture
An attacker can achieve his objective(s) through
different kinds of attacks. These can be categorized
based on the targeted layer. Figure 4 shows a threat
analysis as well as countermeasures for WSNs. The
threat analysis is rst divided into the goals of the at-
tacker. An attacker may intend to
576
Sniffing Jamming
Access Node
Memory
Insert
Node
Reprogram
Node
Dislocate
Node
Remove
Node
Encrypt
Memory
Encrypt
Traffic
Sensor Data
Heartbeat
Localization
Anomaly
Detection
Protocolspecific
Detection
Digital
Signatures
WSN
Threat Analysis
Manipulate
Data
Eavesdrop
Data
Drop Data /
DoS
Network
Access
Sinkhole Wormhole Sybil
Goal
Countermeasure
Rushing
Denialof
Sleep
PHY
Attack
MAC
RTG
NODE
Figure 4. Threat analysis and countermeasures for WSNs.
manipulate data (e.g., the values sensed),
eavesdrop data (e.g., analyze sensor data),
drop data to conduct a Denial-of-Service (DoS)
attack, or
simply access the network.
Of course, different goals may be combined. To eaves-
drop the data, an attacker rst needs to get network
access. In the gure, the goals are connected to the
attacks that may be used to reach that specic goal.
The attacks are grouped by the layer on which they are
conducted.
On the physical (PHY) layer, Snifng and Jamming
can be used to attack the network. As wireless chan-
nels are used, an attacker may passively listen to the
channel (Snifng) and eavesdrop data. Trafc encryp-
tion is an effective, preventive countermeasure against
this attack. Furthermore, an attacker can send an inter-
fering signal (Jamming) and eliminate all the commu-
nication. Jamming can be detected by anomaly-based
intrusion detection.
On the MAC layer, Rushing and Denial-of-Sleep
attacks may be conducted. Many MAC protocols work
on a cooperative basis. It is assumed that all nodes
proceed according to a listen-before-talk scheme. An
attacker may simply ignore the listening and, by doing
so, get medium access faster (Rushing). Moreover, as
all nodes try to save energy by performing an effective
duty cycling, an attacker can try to prevent other nodes
from sleeping (Denial-of-Sleep). Both Rushing and
Denial-of-Sleep can be detected by anomaly-based in-
trusion detection.
On the routing (RTG) layer, Sinkhole, Wormhole,
and Sybil attacks can be used to manipulate, eaves-
drop, or drop data. Attackers are sending out fake in-
formation concerning their neighbors and/or link qual-
ities to attract or manipulate the routing. Depending on
the attack and the goal of an attacker, different attacks
can be conducted. The attacks on the routing layer can
be detected by protocol-specic and anomaly-based
detection approaches.
The motes and the networks can also be attacked
directly (NODE). Nodes can be dislocated, removed,
and reprogrammed. This can be countered by appro-
priate localization techniques, heartbeat control, and
digital signatures, respectively. The node memory
may also be accessed physically. This can be pre-
vented by memory encryption. Furthermore, inserting
nodes in the network may be a way to gain network ac-
cess and eavesdrop trafc. To prevent an attacker from
doing this, trafc encryption can be used.
Overall, the specic properties of WSNs lead to
special attacks as well as new challenges for coun-
termeasure development: The resource scarcity of the
nodes in terms of computing power, memory, energy,
and bandwidth requires countermeasures to be light-
weight but also effective at the same time. We have im-
plemented a security architecture based on the coun-
termeasures mentioned (cf. Figure 4). Preventive mea-
sures such as trafc encryption and digital signatures
577
Gateway
Testbed
Heartbeat-
Module
Movement-
Module
OTAP-
Module
Carrier-Sense-
Time-Module
IDS-Server
Figure 5. WSNLab IDS architecture.
were implemented on the motes. The detection mea-
sures were integrated in an Intrusion Detection System
(IDS). Figure 5 shows the architecture of the IDS. The
IDS server receives status and alarm messages gen-
erated by an IDS module on the motes. The server
analyzes these messages using different anomaly de-
tection algorithms, e.g., based on statistical or aging
functions. In the current version, the following attacks
are detected by the IDS:
Remove Node triggering the heartbeat and move-
ment modules,
Dislocate Node triggering the movement module,
Jamming triggering the Carrier-Sense-Time mod-
ule,
Reprogram Node triggering the OTAP module.
Based on the analysis of the server, alarmmessages are
generated and visualized using an IDS graphical user
interface. The design of the IDS is modular. Thus,
further modules can be easily integrated. However,
the resource scarcity of the nodes limits the number
of modules that can be used simultaneously.
4 Conclusion and Future Work
Due to the broader deployment of Wireless Sen-
sor Networks (WSNs) in real-world scenarios (such
as public safety), security issues become increasingly
important. In this paper, we have described the
WSN testbed developed in the project WSNLab. This
testbed can be used to examine security threats and at-
tacks in WSNs and evaluate security solutions. The
security threats for WSNs were surveyed and the secu-
rity architecture implemented in our lab was described
as well.
In the future, we will use the lab. One goal is to
examine threats and attacks. Jamming attacks as well
as routing attacks, such as Sinkhole and Wormhole,
will be examined concerning their impact in various
scenarios as well as the effectiveness of countermea-
sures. Furthermore, preventive solutions based on en-
cryption and authentication, e.g., secure Over-The-Air
Programming (OTAP) will be evaluated.
Acknowledgments
This work was supported in part by the German
Federal Ofce for Information Security (BSI). Further-
more, this work was supported in part by CONET, the
Cooperating Objects Network of Excellence, funded
by the European Commission under FP7 with contract
number FP7-2007-2-224053. The authors would like
to thank the WSNLab and CONET project teams for
feedback, sustainable discussion, and work.
578
References
[1] N. Aschenbruck, R. Ernst, E. Gerhards-Padilla, and
M. Schwamborn. BonnMotion - a Mobility Scenario
Generation and Analysis Tool. In Proc. of the 3rd Int.
ICST Conference on Simulation Tools and Techniques
(SIMUTools 10), pages 110, Torremolinos, Spain,
2010.
[2] N. Aschenbruck, A. Munjal, and T. Camp. Trace-based
Mobility Modeling for Multi-hop Wireless Networks.
Elsevier Computer Communications, 34(6):704714,
2011.
[3] T. Baumgartner, I. Chatzigiannakis, M. Danckwardt,
C. Koninis, A. Kr oller, G. Mylonas, D. Psterer, and
B. Porter. Virtualising Testbeds to Support Large-Scale
Recongurable Experimental Facilities. In Proc. of the
7th European Conference on Wireless Sensor Networks
(EWSN 10), pages 210223, Coimbra, Portugal, 2010.
[4] C. Buschmann and D. Psterer. iSense: A Modular
Hardware and Software Platform for Wireless Sensor
Networks. Technical report, 6. Fachgespr ach Draht-
lose Sensornetze der GI/ITG-Fachgruppe Kommu-
nikation und Verteilte Systeme, 2007.
[5] A. Dunkels, B. Gr onvall, and T. Voigt. Contiki - A
Lightweight and Flexible Operating System for Tiny
Networked Sensors. In Proc. of the 29th Annual Con-
ference on Local Computer Networks (LCN 04), pages
455462, Tampa, Florida, USA, 2004.
[6] Ettus Research LLC. Universal Software Radio Periph-
eral Motherboard Datasheet, 2011.
[7] Free Software Foundation. GNU Radio, 2011.
[8] O. Gnawali, R. Fonseca, K. Jamieson, D. Moss, and
P. Levis. Collection Tree Protocol. In Proc. of the 7th
Conference on Embedded Networked Sensor Systems
(SenSys 09), pages 114, Berkeley, California, USA,
2009.
[9] J.-H. Hauer, R. Daidone, R. Severino, J. B usch,
M. Tiloca, and S. Tennina. Poster Abstract: An
Open-Source IEEE 802.15.4 MAC Implementation for
TinyOS 2.1. In Proc. of the 8th European Conference
on Wireless Sensor Networks (EWSN 11), Bonn, Ger-
many, 2011.
[10] J. L. Hill, R. Szewczyk, A. Woo, S. Hollar, D. E.
Culler, and K. S. J. Pister. System Architecture Di-
rections for Networked Sensors. In Proc. of the 9th
Int. Conference on Architectural Support for Program-
ming Languages and Operating Systems (ASPLOS 00),
pages 93104, Cambridge, Massachusetts, USA, 2000.
[11] iSense. Core Module CM10C, CM10S Preliminary
Data Sheet, 2011.
[12] MEMSIC. MicaZ datasheet, 2011.
[13] MEMSIC. TelosB datasheet, 2011.
[14] Seventh Framework Programme FP7 Information
and Communication Technologies (ICT). WiseML
schema, 2011.
[15] Swedish Institute of Computer Science (SICS).
RZRAVEN USB Stick (Jackdaw), 2011.
[16] T. Winter and P. Thubert. RPL: IPv6 Routing Proto-
col for Low power and Lossy Networks. Draft, Internet
Engineering Task Force, 2011.
[17] Wireshark Foundation. Wireshark The worlds fore-
most network protocol analyzer, 2011.
579
Interoperability of Information Systems for Public
Urban Transport Security: The SECUR-ED Approach
Dr. Wolf Engelbach, Fraunhofer IAO, Germany
Dr. Heiko Ronagel, Fraunhofer IAO, Germany
Jan Zibuschka, Fraunhofer IAO, Germany
Abstract
Transport operators and security organisations collaborate on security issues. They use heterogeneous infor-
mation and communication systems, optimised for operational business needs. Recent events have demonstrated
that public urban transport can be subject to various security incidents. Exchange of information is relevant to
get a common operational picture and act in a coordinated manner. This paper presents the interoperability con-
cept for security in public transport that is designed in the EU demonstration project SECUR-ED and will be
tested in Berlin, Paris, Madrid and Milan. The interoperability concept addresses on a conceptual level how ef-
fective collaboration of security stakeholders can be understood, communicated and thus probably also
achieved.

1 Introduction
In public transport, and especially in large urban hubs
such as train stations, many transport operators and
first responders collaborate in the prevention of and
reaction to security issues. They use heterogeneous
information and communication systems that are op-
timised for their specific daily operational business
needs. Within these systems, security issues (if fore-
seen) are only one part. This also implies that it is
sometime very difficult to sort the security infor-
mation from the mass of information available.
At the same time, recent events have demonstrated
that public transport can be subject to various security
incidents, and outcomes may be quite severe due to
the mass of passengers [1]. In case of such incidents,
it is crucial that the various involved parties exchange
relevant information to get a common operational pic-
ture (which is the same view on a current situation
combined with a shared understanding) and act in a
coordinated way in critical situations [2]. However,
heterogeneous communication and information sys-
tem infrastructures often hinder this crucial flow of
information [3].
1.1 Project Background
SECUR-ED (Secure Urban Transport European
Demonstrator) is an EU FP7 Security demonstration
project that brings together 40 European partners
from different backgrounds in public transportation
and civil security from operators, first responders, in-
dustry and research. Being a demonstration project, in
four major urban European cities Madrid, Paris, Mi-
lan and Berlin security enhancing technologies and
systems will be put to practice and demonstrated; ad-
ditional tests will be conducted in several cities such
as Brussels, Lisbon, Istanbul and Bucharest.
A major challenge will be to demonstrate the con-
sistency of those security solutions, since the different
stakeholders like vendors, transport operators and se-
curity organisations do not necessarily share the same
understanding of threats, relevant information and IT-
interoperability. Moreover, societal and legacy con-
cerns define a very diverse environment of mass
transportation in the states and cities across Europe
[4].
Therefore, this paper addresses a general concept of
interoperability for Information Systems in the do-
main of security in urban transportation. Interopera-
bility is a property referring to the ability of diverse
systems and organisations to inter-operate. Within
SECUR-ED it addresses the level of a given city or
region, but the objective is not to interoperate be-
tween cities and regions.
Such an abstract definition of interoperability sup-
ports SECUR-ED in dealing with a diversity of secu-
rity challenges, technologies and organisational pro-
cedures. The interoperability concept concentrates on
the interoperability of Information Systems, but keeps
this broader context in mind. This concept should
support all project partners implementing coherent
steps towards a general approach of mass transporta-
tion security.
580
The interoperability concept is a framework that al-
lows the understanding of intra- and inter-
organisational IT-interfaces across different adminis-
trative, business and operational structures as well as
across technological environments. Within SECUR-
ED, this early interoperability concept serves as a
starting point to understand the relevant dimensions.
This framework will be further elaborated during the
project towards a system-of-system architecture.
This interoperability concept intends to provide a
shared understanding of the relevant differentiation
dimensions and abstraction levels for the approaches
in all the involved work packages. Thereby it should
be easier to identify similar challenges for a given city
and to gather possible solutions that can be trans-
ferred to other cities.
1.2 Concept Requirements
The interoperability concept is supposed to be used in
the context of security challenges and must be able to
handle a wide range of operational tasks and security
issues, but does not necessarily need to be restricted
to this domain. Ideally, the SECUR-ED solutions de-
veloped with the background of this concept should
offer improvements also for the everyday transport
operator business without incidents. It also should be
able to handle the setting of a broad range of different
institution involved, which are first of all public mass
transport operators and first responders, but can be
others as well.
The focus of the interoperability concept is on Infor-
mation Systems, but related aspects should be tackled
as far as necessary for a shared understanding, since
IT-interoperability should be motivated by security
activities and processes. The concept should also al-
low the taking into account of different organisational
concepts on top of Information Systems. It is in addi-
tion intended to enable the reflection about coherence
at mission level while accepting heterogeneity at sys-
tem level.
The interoperability concept moreover should help to
address IT-interoperability challenges such as:
Do we need and how should we design a com-
mon middleware?
Do we need and how should we handle different
access rights in crisis situation?
How do we realise the transfer and aggregation
of data between different entities?
Within this project context, the main requirements for
the interoperability concept can therefore be summa-
rized as follows:
The concept should be abstract enough to fit the
different technologies, organisational settings
and crisis management phases
The concept should be simple enough to be easi-
ly understood
The concept should be flexible enough to be
used and adapted in different cities and for dif-
ferent technologies
This also implies that the shared understanding is not
specific to one suppliers architecture, one countries
legislation, one security challenge, one city and its
public transport organisation or any given IT envi-
ronment or legacy system. It should instead reflect
approaches towards the interoperability of inde-
pendently designed Information Systems and towards
modularity in the sense that the same solution ele-
ments can be used for different purposes in different
contexts. Thus, it should reflect both sophisticated
and simple IT-solutions and organisational concepts
in different cities.
2 Related Work
Wegner defines interoperability as the ability of two
or more software components to cooperate despite
differences in language, interface, and execution plat-
form [5]. Similarly, the ISO defines interoperability
as the capability to communicate, execute programs,
or transfer data among various functional units in a
manner that requires the user to have little or no
knowledge of the unique characteristics of those
units [6]. Tolk and Muguira [7] proposed to define
several levels of interoperability, coming from the
simulation domain. Their approach soon evolved into
a widely used de-facto standard for the discussion of
systems interoperability in general [8].
Another research stream that is strongly relevant for
the interoperability concept introduced in this contri-
bution is System-of-Systems (SoS) engineering
(SoSE). Keating et al. define a SoS as a metasystem,
comprised of multiple () autonomous complex sub-
systems that can be diverse in technology, context,
operation, geography and conceptual frame [9].
However, Keating also notes that the concept of sys-
tem of systems is poorly defined, and in fact tautolog-
ical, since systems themselves are in fact considered
to be comprised of subsystems and therefore a system
of systems is itself just a system [10]. However, sys-
tem-of-systems engineering can still offer interesting
perspectives and insights, especially in cases that
match the properties associated with such scenarios,
such as those postulated by Sauser and Boardman
[11], namely Independence, Decentralization, Net-
work-Centricity, Heterogeneity, and Indeterminism.
However, as DeLaurentis and Callaway [12] put it,
Much confusion still remains about words and
phrases for system-of-systems type problems, let
alone the best modeling approaches for dealing with
them. While pockets of organizational restructuring
may address this challenge for particular projects,
there is a lack of systematic thinking at the basic level
about how to address the challenges. [12] First steps
towards applying those principles in the area of civil
581
security and public transport have been taken in
works such as [13], [14] whose results, along with the
results of other past and current projects, will be inte-
grated into the interoperability concept introduced in
this contribution. Hopefully, this systematic integra-
tion of results will lead to a broader intellectual foun-
dation for system-of-system frameworks in public
transportation.
3 Interoperability Concept
This chapter describes the general interoperability
concept of SECUR-ED. Interoperability in the sense
of this concept is the ability of Information Systems
to interact within a city. An interoperability notation
will help the project partners to apply the concept to
describe and improve their own use cases.
The interoperability concept needs to be used in close
relation to the organisational and operational proce-
dures that are being defined within SECUR-ED as
well, e.g. regarding the detailed roles and a common
vocabulary for scenarios, threats and other relevant
terms.
The general interoperability concept needs to be spec-
ified for the relevant environment, which consists of
context and content for each capacity and demonstra-
tion city. The described interoperability concept is
then focussed on the interoperability of Information
Systems. These Information Systems are related to
organisational roles. Information Systems also have
interfaces that allow the connection to other Infor-
mation Systems. These interfaces are mostly not di-
rectly connected, but use intermediaries, which are
specific kinds of Information Systems. Therefore, the
relevant objects of the interoperability concept are:
Information System
Role
Interface
Intermediary
For each of these relations, multi instances of the rela-
tion are possible in both directions. For example, each
role can be connected to many Information Systems,
and to each Information System many roles can be
connected. Not all relations need to exist, e.g. there
might be Information Systems without any IT-
Interface, or Roles without Information System.
Within each object, there can be additional relations,
for example between the Roles and between the In-
formation Systems. This allows the properties and re-
lations of these objects to be considered on a different
granularity.
In the following subchapters first context and content
and then the four central objects are described.
3.1 Context for interoperability
The interoperability is relevant in the context of a re-
lation between roles. Among others, the following
distinctions are relevant to understand the context of
the relation:
Is the relation within one or between several de-
partments or organisations?
Is the relation vertical (on the same level of hier-
archy) or horizontal (different levels of hierar-
chy)?
Is the relation within one kind of actor or across
different kinds of actors (e.g. transport operators
and first responders)?
Is the relation relevant in critical situations only
or also for daily routine operations (e.g. with re-
spect to crisis management phases)?
The relation has a purpose or intention. For SECUR-
ED, to react with several organisations consistently in
case of a security challenge (threat) could be a rele-
vant example. Therefore the risk and vulnerability
that are addressed as well as the current threat that
should be solved need to be stated. Moreover, the
phase within the crisis management cycle [15] is rele-
vant (prepare, prevent, react, recover). In addition it
may be helpful to mention the related business pro-
cesses and procedures of the involved roles, e.g. for
monitoring, alarming or commanding.
In general, the context for SECUR-ED is also influ-
enced by the nature of public urban mass transport
operation, which is characterised by many access
points, frequent stops, large geographical areas, and
in large cities daily millions of passengers [4]. It is
also often characterised by the multi-modality with a
large fleet of vehicles of different type (bus, tramway,
metro, train) [4].
The context itself is not an interoperability object, but
describes the setting of the objects on a meta-level.
3.2 Content to be exchanged
IT-Interoperability serves the purpose to transfer Con-
tent technically from one Information System (the
sender) to another Information System (the receiver).
This in many cases also means that this Content is in-
tended to be transferred with a message (e.g. to know
or to act) from one Role (the sender) to another Role
(the receiver).
For more clarity, Content can be distinguished on the
following levels:
Data, e.g. the temperature sent at a specific time
by a specified sensor
Information, e.g. the interpretation of that tem-
perature as being degree Celsius.
Knowledge, e.g. the interpretation of that tem-
perature as being critical and the action sugges-
tion related to that interpretation
582
The kind of content, e.g. video stream or alert mes-
sages has many implications for the details of the IT-
interoperability, e.g. the data volume, the file format
and the exchange methods.
The exchange of content may happen in critical situa-
tions only (which then have to be declared somehow)
or permanently, covering all crisis phases (e.g. pre-
pare, prevent, react, recover). The exchange of con-
tent is probably related to defined processes, proce-
dures or activities of the involved roles.
We suggest to always model the flow of content in a
directed form, which is from one Information System
to the other or even more exactly from one user-role
to the other. In case of bidirectional exchange be-
tween two Information Systems there still might be
differences that should be considered carefully. Even
in a directed content flow, the technical interaction
may be bidirectional, e.g. in the sense of feedback or
status messages.
The content itself is not an object itself, but describes
the usage of the objects with more clear examples.
3.3 Information System
An Information-System in the sense of this concept
can be discussed at different levels of granularity, for
example:
A single sensor
A network of identical sensors
A network of different sensor types
An IT System
A Network of IT Systems
An Organisation
This is a relevant approach towards the system-of-
system-architecture, since it allows the properties of
such systems to be considered on different levels of
granularity.
3.4 Role
The overall approach of SECUR-ED is grounded in
the understanding that qualified, trained and motivat-
ed staff is needed to solve security challenges, and
Information Systems can just support their activities.
Most SECUR-ED cities are characterised by multi-
operator-settings with shared responsibilities but dif-
ferent company cultures and business targets.
Each Information System has a relation to several
Roles. Among others, the following kinds of roles are
relevant:
Supplier of the system (designs and produces the
system)
Operator of the system (makes sure that the sys-
tem is running properly)
User of the system (works on the user interface)
There can be relations between the roles, and it is
possible to describe roles on different abstraction lev-
el, e.g. for complete organisations and event groups of
organisations (such as the transport operators) or for
the responsibility for distinct tasks within each organ-
isation.
3.5 Interface
Each Information System can have several Interfaces
that allow interaction with other Information Systems.
In this interoperability concept the object Interface
does not describe the user interface but is only intend-
ed to describe technical Interfaces between Infor-
mation Systems. These Interfaces can be, among oth-
ers, of the following kind:
Proprietary system or vendor specific interfaces
Proprietary interfaces with adapters for standard-
ised access and interaction
Standardised interfaces
The interface may support push or pull interaction
functionality. It may provide data and/or context (such
as time and location).
3.6 Intermediary
A specific instance of Information Systems is the In-
termediary. This is an Information System, or proba-
bly a system-of-systems by itself that serves the pur-
pose to support the interaction between other Infor-
mation Systems.
This can be on different levels, for example:
Network infrastructures (cable, wireless)
Enterprise Service Bus
Identity Brokers
The existence and the design of the intermediary have
a strong influence on the overall interoperability ap-
proach in a dedicated city and for the specification of
their Interfaces. Especially the Enterprise Service Bus
may handle challenges such as access rights and iden-
tity management, harmonisation of time stamps, loca-
tion information and reference data, data aggregation,
fusion and processing. For this reason this kind of an
Information System is modelled separately within the
SECUR-ED interoperability concept.
An Intermediary has the related Roles of (the sys-
tems) operator and its vendor, but does not have the
related Role of a user since the Role of an IT-
administrator of the Intermediary is covered by the
(systems) operator.
An Intermediary also has Interfaces. They may be
used to describe the interaction of elements within the
Intermediary, but also the interaction of the overall
Intermediary to the other Information Systems and
their Interfaces.
583
This chapter reflects how the described approach is
intended to be used and if it follows the requirements.
In addition, it illustrates the next related activities.
4.1 Usage of the interoperability concept
This general interoperability concept should allow
each city and technology to describe its approach,
challenges and solutions in a common way. For ex-
ample:
For each technology it can be described for dif-
ferent threats or scenarios, with the different ex-
isting or intended Intermediaries in the demo cit-
ies, or for several organisational settings. In ad-
dition, it is possible to use the concept to
elaborate the usage of these technological capac-
ities for normal operational activities.
Within the demonstration cities, for any threat or
scenario the current content flow can be de-
scribed and compared with the future content
flow with a new capacity and/or other operation-
al procedures. In addition, it is possible to use
the concept to elaborate the reaction to similar
threats on a different spatial level (e.g. station,
city and region).
For such a description it is relevant that each city or
technology leader can adapt the general concept, e.g.
in the following directions:
Restriction of objects: limit the scope of descrip-
tion to a specified set of objects, e.g. only In-
formation Systems, Interfaces and Intermediar-
ies.
Restriction within objects: limit the scope of de-
scription to specified instance of each object,
e.g. only the Role of users, or only the Content
type data.
Selection of objects: start with existing building
blocks of potentially relevant objects and select
the ones appropriate for your WP, e.g. the rele-
vant sensor types as an Information System.
Specification of objects: define the types or in-
stances of each object for the relevant city or
technology, e.g. the real-life user Roles within a
demo city or the existing intermediating net-
works.
4.2 How the concept serves the require-
ments
The interoperability concept within SECUR-ED fol-
lows the defined requirements as follows:
The concept is abstract enough to fit the differ-
ent technologies, organisational and settings and
crisis management phases, since the same con-
cept allows the handling of each of these chal-
lenges.
The concept is simple enough to be easily un-
derstood, since it is limited to four objects and
two environmental factors with straight rela-
tions.
The concept is flexible enough to be used and
adapted for different technologies and cities. Al-
so the Context provides the opportunity to ex-
tend the view to processes and procedures that
are considered relevant.
4.3 Next steps
Within SECUR-ED an interoperability notation will
be elaborated that describes the situation for capaci-
ties and demonstrations according to this interopera-
bility concept in a consistent format. Also the details
for the interoperability syntax will be elaborated, fo-
cussing on the Information System, the Interface and
the Intermediary, while a specification of the interop-
erability semantics will be focussing on Context, Con-
tent and Roles.
All this will be tested for different technologies and
demonstration cities and further elaborated towards a
system-of-systems approach for security-relevant in-
formation systems in public urban transport.
Acknowledgements
The research leading to these results has received
funding from the European Union Seventh Frame-
work Programme (FP7/2007-2013) under grant
agreement n 261605.
References
[1] Smith M. J., und Clarke R. V., 2000, Crime
and Public Transport, Crime and Justice, 27,
S. 169-233.
[2] Dantas A., und Seville E., Organisational Is-
sues in Implementing an Information Sharing
Framework: Lessons from the Matata Flooding
Events in New Zealand, Journal of Contingen-
cies and Crisis Management, 14(1), S. 38-52.
[3] Engelbach W., Frings S., Ronagel H., und Zi-
buschka J., 2010, Peer-to-peer-integration of
security-oriented Information Systems in public
urban transport, Proceedings of the 5th Securi-
ty Research Conference 2010.
[4] UITP, 2010, Secure Public Transport in a
Changeable World - Position Paper.
[5] Wegner P., 1996, Interoperability, ACM
Comput. Surv., 28(1), S. 285287.
[6] ISO, 2010, ISO/IEC 2382-1:1993.
[7] Tolk A., und Muguira J. A., 2003, The Levels
of Conceptual Interoperability Model, Pro-
ceedings IEEE Fall Simulation Interoperability
Workshop, Orlando, Florida.
584
[8] Wang W. G., Tolk A., und Wang W. P., 2009,
The Levels of Conceptual Interoperability
Model: Applying systems Engineering Princi-
ples to M&S, SpringSim09 Proceedings,
SCS, San Diego, CA, USA.
[9] Keating C., Rogers R., Unal R., Dryer D., Sou-
sa-Poza A., Safford R., Peterson W., und Ra-
badi G., 2008, System of systems engineer-
ing, Engineering Management Review, IEEE,
36(4), S. 62.
[10] Keating C. B., 2005, Research foundations
for system of systems engineering, Systems,
Man and Cybernetics, 2005 IEEE International
Conference on, S. 2720- 2725.
[11] Sauser B., und Boardman J., 2008, Taking
hold of system of systems management, Engi-
neering Management Journal, 20(4), S. 4449.
[12] DeLaurentis D., und Callaway R. K. CAB,
2004, A System of Systems Perspective for
Public Policy Decisions, Review of Policy Re-
search, 21(6), S. 829-837.
[13] DeLaurentis D. A., 2005, Understanding
transportation as system-of-systems design
problem, 43 rd AIAA Aerospace Sciences
Meeting and Exhibit, S. 2005.
[14] Eriksson E. A., 2009, System-of-Systems
Demonstration & Experimentation for Mass
Transport Security, DEMASST Presentation at
Workshop to discuss the scope of Call for
Demonstration Project Security of Mass Trans-
portation (Phase 2).
[15] Ritchie B. W., 2004, Chaos, crises and disas-
ters: a strategic approach to crisis management
in the tourism industry, Tourism Management,
25(6), S. 669683.
585
Security and backup-system at the IT Center of the
Technical University of Applied Science Wildau includ-
ing autonomous satellite faculty and degree programme
IT systems.
Alexander, Hftmann, B.Sc., University of Applied Science Wildau, Germany
Prof. Dr. Bernd, Eylert, University of Applied Science Wildau, Germany
Dipl. Ing. Bernd, Heimer, University of Applied Science Wildau, Germany
Abstract
Objective of this paper is to describe a current security & backup concept for the university computer center
of the Technical University of Applied Science Wildau. The complete IT infrastructure has been analyzed,
risks judged and suggestions for improvement are shown. For the consideration of the departments, special
systems are selected to find out basic problems. Based on these results suggestions for improvement were
made. A life cycle, which makes sure that the security concept is adapted to the current conditions in regular
intervals, is then conceived.
Keywords: Security, Backup, Emergency Management
1 Introduction
The university computer center manages all central
services like Web, email and VoIP
1
and provides the
network infrastructure campus wide.
The IT central has control over the complete network
infrastructure up to the network outlet. All servers and
clients hosted by the departments can only
conditionally monitored.
At present it cannot be traced, whether for example
passwords meet the policies, nor acceptable backup
concepts exist and are pushed through.
For this reason two satellite systems were checked
for their security that subsequently can be introduced
measures, which ensure the basic security.
To maintain the gained security, a life cycle was
introduced.
1 VoIP Voice over IP
2. Risk & Vulnerability Analysis
2.1 Overview
The risk and vulnerability analysis is based on the ba-
sic protection catalog of the Federal Office for Inform-
ation Security(BSI
2
) of the German Federal Republic.
Furthermore the BSI standards 100-1, 100-2, 100-3
and 100- 4 were taken into consideration. The imple-
mentation was also based on current German laws
like BDSG
3
, LDSG
4
and SigG
5
.
2.2 The IT Center
Up until now the university computer center did not
have any security concept which meets to all modern
requirements.
2 BSI Bundesamt fr Sicherheit in der
Informationstechnik
3 BDSG- Bundesdatenschutzgesetz [1]
4 LDSG Landesdatenschutzgesetz [2]
5 SigG Signaturgesetz [3]
586
A certain security exists, many technical possibilities
are used and improved by the time as well.
The project included a complete risk and vulnerability
analysis as well as a life cycle which ensures perman-
ent control.
2.2.1 Risk analysis
On examination of the risk analysis, one need to con-
sider two fields. Firstly, the business processes which
are of high importance for the core business of the
university.
Secondly the IT infrastructure which ensures that
business processes run smoothly.
The core business of the university puts its focus on
teaching and research. The business processes
looked at can be found in the administration of the
students, the staff and the budget.
To achieve a practicable approach, the IT
infrastructure was narrowed down into servers,
clients and network infrastructure.
The topics like backup and emergency management
were looked at simultaneously.
2.2.2 Vulnerability analysis
The analysis has shown that the network infrastruc-
ture is subdivided into virtual local area networks
with different security claims. These are secured with
a multi-level firewall system. The Internet connection
to the German research network is designed redund-
antly.
A Security suite which is provided by a central server
with daily updates is used for the protection of the
clients for the whole campus. In addition all clients
are configured so that they can also use the servers
of the supplier to keep the signatures on the current
state.
It is not comprehensible whether all students,
professors and guests who are using the wireless
local area network of the university are provided with
a security suite.
The backup concept makes sure that backups of the
databases and user data are created regularly. The
necessary spatial separation was caused from history
and the protection of historical monuments of the
building.
This concept was no longer up-to-date and was
adapted as far as possible.
In the course of rearrangement to a new
administration software and the customization of the
business processes it is necessary to introduce an
electronic archive system. This has to be integrated
into the current security guidelines.
By virtualization of many servers it is possibly to make
snapshots from the virtual machines. So you can save
the current state of the machine. This has the
advantage that you can reload the snapshot quickly
e.g. in case of failed update processes or system
crashes.
The enclosed management software for virtual
machines does not offer any automation in taking
these snapshots. For this reason VM Ware
Orchastrator[1] was established. This additional tool
offers a workflow Management which can automate
many functions or tasks.
The firewall concept contains a multi-level system of
stateful packet inspection firewalls. In addition, a
firewall is used for blocking applications.
To get a grip on the growing data volume and to be
protected from current threats, it is planned to change
on modern Next Generation Firewalls[2].
These offer a better protection in the fields of intrusion
prevention and layer 7 filtering. Also they have more
data throughput. They recognize the differences of
the protocol specification fixed in the RFC
6
standard
and can react correspondingly.
Due to the membership in the DFN
7
the
recommendations for hardening [3] the operating
systems should be followed additionally to the already
available security procedures for the protection of the
servers.
Furthermore the remote access via SSH
8
and
password has been changed over to SSH with
certificates. Every user wanting access remote to the
server needs a valid SSH certificate, which is issued
by the server.
This makes it more difficult for attackers to receive
server passwords by means of a brute force attack.
The greatest security risk also must be looked at
critically, the user himself next to the soft and
hardware.
As an example dealing with phishing mails has to be
mentioned here. So that in the future it will be more
easy for users to distinguish phishing mails from
administrative mails of the computer center, these
mails are provided with a digital signature as of now.
In the course of modernization of the security concept
it is imperatively necessary to adapt the emergency
management.
6 RFC Request of Comments
7 DFN Deutsches Forschungsnetz
8 SSH Secure Shell
587
2.2.3 Threat analysis
On the one hand, to work out effective protective
measures, it is important to know the vulnerability of
the objects fraught with risk, on the other hand it is
also important to know the current threats.
An everyday threat goes out from harming programs
like viruses, trojans, malware and spyware. To ensure
a good protection, all servers & clients were operating
system generally equipped with a security software.
If somebody should manage to take harming
software to use and add servers or clients to a botnet
it enters a warning system of the DFN. They detect,
whether hardware is used for a botnet, then send a
mail to the network administrator, who closes the
corresponding network port. Therefore the affected
hardware is isolated and the responsible person can
remove the harming software.
Cross site scripting and SQL
9
injection for the web
servers represent further threats.
There are web application reveals itself to firewalls,
which are specialized to recognize such attacks.
However, they only work for simple cross site
scripting attacks and SQL Injections. Therefore it is a
consideration of economic aspects to introduce such
an appliance. The best alternative to protect is to look
at its own source code critically and prevent
programming faults which manage gaps for these
attacks. As a precaution it is advisable to install
security queries which check whether
e.g. you enter in forms real data or harmful scripts.
In addition current information must be evaluated
from fora and mailing lists of the communities.
DoS
10
and DDoS
11
attacks are recognized by the
firewall service modules of the routers. These attacks
are logged via rich stateful inspection and will inform
the administrators.
Against unwanted spam mails there exists an e-mail
security appliance which with the help of blacklists
and samples the spam mails filters out before they
are delivered to the mail server. The mails which are
not clearly identified as spam are moved into
quarantine. The corresponding user will get a mail
requesting to check. Therefore it is assured that all
mails received by the mail server are delivered, due
to data protection regulations.
It is hard to protect itself against threats caused by
force majeure, misconduct and deliberate actions.
For economical reasons it is not feasible to take
precautionary measures against all existing
possibilities.
9 SQL Structured Query Lnaguage
10 DoS Denial of Service
11 DDoS Distributed Denial of Service
A certain basic protection can already be reached by
simple means - lightning conductor, entrance
safeguarding systems for the server rooms, UPS
12

so that in case of a power failure there is still enough
time to shutdown the servers properly.
2.3. The satellite systems
To get an insight into the satellite systems, two areas
were selected exemplary to analyze them on there se-
curity.
It merely were carried out a vulnerability analysis and
a risk analysis since the threats are the same.
2.3.1 Risk analysis
The departments provide their IT infrastructure for
teaching and research. The servers and clients are
also the objects with a high-risk potential.
2.3.2 Vulnerability analysis
Different software is used for the teaching on the cli-
ents. e.g. the servers are needed for web presenta-
tions, user data, databases and licenses. Servers in
addition are sporadically used for student projects in
the context of the teaching.
The departments are protected by the multi-level
firewall system against attacks from the network
infrastructure outside the computer center protected.
The clients as well are equipped with the campus
wide security suite
Deficits could be found in the backup area, in the
access control and in the password security.
Backups were partly started on manually and
sporadically and the spatial separation was not given
in the past.
Some productive servers were in areas of the school
which were not safeguarded by an access control.
Password guidelines are provided by the central
authentication system of the computer center. Many
departments use there own authentication system.
Therefore you cannot guarantee that the individual
password guidelines are in the departments strong
enough.
The remote connection on the servers are realized
through encoded connections with the help of
certificates and are allowed only through the network
infrastructure of the university.
12 UPS Uninterruptible Power Supply
588
Project server used by students represent a special
danger. They are set up according to the projects in a
special view of functionality. The security aspects are
at second place.
A workflow system which allows booking virtual
machines will be established soon to optimize the
usage of the central storage and VM Ware system
and to reach a higher security of the productive
servers.
Predefined virtual machines can therefore be used by
the administrators in the departments.
The benefit is, that they are therefore integrated in the
backup system of the computer center.
In addition, it will be possible e.g. to issue certificates
for a web server or the connection to the central
authentication system automatically.
3. Life cycle
Developing a security concept is no one-time task.
The attackers always develop new strategies, with
the help of a life cycle you can counteract this.
The question of one's own security asked in regular
distances should be content of the life cycle.
A security committee has to put itself together in
defined intervals or at a security occurrence to judge
current threats. The security procedures and the
emergency management have always to be adapted
to the current objectives.
4. Conclusion
The main focus of attention of an university is teach-
ing and research, this represents a balancing act
between security and user requirements.
In every case it is important to ensure the necessary
security, but without limiting the end-user in its daily
work by over-regimentation more than necessary.
References
[1] http://www.vmware.com/products/vcenter-orches-
trator/overview.html Viewed 20.06.2011
[2] http://www.heise.de/resale/artikel/Firewall-Trends-
Neue-Konzepte-gegen-altbewaehrte-Erfahrung-
1210087.html Viewed at 20.06.2011
[3] http://www.dfn-cert.de/informationen/links/haerten-
von-betriebssystemen.html Viewed at 20.06.2011
[4] A.Hftmann: Development an IT security and
backup system for the IT center of the Technical Uni-
versity of Applied Science, TH Wildau, 2011
589
Detection, Classification, and Localization of
Hazardous Substances in Public Facilities
Monika Wieneke, Wolfgang Koch
Fraunhofer FKIE
Neuenahrer Str. 20
53343 Wachtberg
Abstract
The localization and tracking of radioactive sources in public facilities like airports or stations is a problem of
highest security relevance. The accumulation and the severity of terrorist attacks during the past decade give rea-
son to the assumption that future attacks could also involve radioactive material packaged with conventional ex-
plosives. The only way to avoid such kind of attacks is to localize and arrest the person carrying the material to
its destination. But since radiation is not perceivable by human beings, the security guards are largely dependent
on technical decision support to perform this task. We consider a security assistance system comprising three
gamma scintillation detectors that are distributed along a corridor wall to check passing people for radioactive
material. Furthermore, the system consists of a set of tracking sensors simultaneously providing the positions of
all persons during their walk through the corridor. In this paper we propose and evaluate techniques to estimate
the assignment of radioactive detections to person tracks. These techniques provide a measure for each person
reflecting the probability that the person is a radioactive source carrier.
1 Introduction
In the context of intelligent surveillance of public
places, the observation and analysis of persons by dis-
tributed sensor systems increasingly gains in im-
portance. The detection of hazardous material in busy
areas as well as its assignment to a person is a chal-
lenging task that cannot be performed without tech-
nical decision support. However, the application of
conventional technologies and the corresponding
courses of action lead to long waiting times and pres-
sure of work for the security personnel. This situation
can be extremely relieved by security assistance sys-
tems that continuously observe an area by distributed
sensor systems, that call the security guards only in
case of a detection and that finally give a hint to those
persons who can be assumed to carry the detected
source.
We confine the discussion to the localization of
radioactive source carriers in person streams. The dis-
cussions about potential substances used for terrorist
attacks are not only coined by the already applied im-
provised explosive devices (IED) but also by the fear
of improvised nuclear devices, better known as dirty
bomb or radioactive dispersion device (RDD). An
RDD consists of a conventional explosive wrapped up
with radioactive material. The conventional explosive
conduces to disperse the radioactive material in the
environment. Although this type of threat has not been
put into practice so far, of growing concern are nu-
merous accidents involving a loss or theft of radioac-
tive sources that could possibly be used for a dirty
bomb. Hence, there is an increasing need for security
assistance systems that are able to localize such mate-
rial either on the way to the creation place of the bomb
or already packaged on the way to its detonation
place.
In this work, we consider the transportation of ra-
dioactive material by a person walking through a pub-
lic facility. In such a scenario a security assistance sys-
tem for source carrier localization is ideally equipped
with multiple sensors of complementary type. We pro-
pose a combination of scintillation detectors for radia-
tion detection with tracking sensors for determining
the positions of the persons. While the strength of ra-
diation detectors lies in their detection capability, their
substantial weakness is given by a limited spatio-
temporal resolution capability. Hence, a single detec-
tor is not able to reliably localize the source and to
assign it to a person, whereas tracking sensors enable
a precise localization of all persons and thus reduce
the search space to a countable set of potential source
positions.
A security assistance system combining sensors for
hazardous substances with tracking data has been first
proposed by Wieneke and Koch [WK09]. Within such
590
a kind of sensor system localization means the calcu-
lation of an assignment probability between a series
of radiation detections and each person track. The de-
cision whether a person is a source carrier or not can
thus be interpreted as a classification task.
We will propose three techniques to estimate the
assignment between a detection series and a person
track and evaluate their capability of finding the
source carrier. For this first analysis we completely
exclude potential position uncertainties in the tracking
data and assume the positions of the persons inside the
surveillance area to be exactly known. Persons are
considered as point source objects.
2 Remarks on the Measurement
Process and Sensor Model
The radiation strength of a radioactive source is called
activity [VS07]. The activity of a source is defined as
the number of radioactive decays per time unit. The SI
unit of activity is Becquerel (Bq). One Bq corresponds
to one decay per second. From a statistical point of
view the activity is the expected value of the number
of decays per time unit. The actual number of decays
in a certain time interval randomly deviates from the
expected value. The frequency of the numbers follows
a Poisson distribution.
There are three main types of radiation: alpha, be-
ta and gamma radiation, listed by their increasing ca-
pability of penetrating matter. Gamma rays can cause
serious damage when absorbed by living tissue, and
are thus a health hazard. A gamma scintillation detec-
tor counts the number of emitted gamma particles that
hit the detector surface. The number of emitted gam-
ma particles per decay is given by the decay scheme
of the radiator. For the sake of simplicity, we assume a
material with one gamma emission per decay.
The strength of radioactive radiation at a detector
is inversely proportional to the square of the distance
from the detector to the source (inverse square law).
In other words, the emitted particles are equally dis-
tributed on the surface of a sphere. Besides the source
particles, the detector counts particles of the back-
ground radiation with a certain rate.
The decision whether a measured countrate is
greater than the background, i.e. whether a real source
is present, is a problem of statistical testing. The
background rate aB is determined in advance by a
long-term measurement.
3 Accumulation of Counts and
Activity as a State Variable
A first simple approach to the problem of source car-
rier localization is the accumulation of counts. The
accumulation variable of person with respect to a de-
tector is gradually increased as follows: 1.) The pro-
cedure starts when a person enters the detection area
of the first detector. 2.) As long as the person is inside
the detection area all measured counts are compared
with a decision threshold. If it is larger than the
threshold, we accept the hypothesis that a source is
present and add the measured counts to the accumula-
tion variable and we continue. 3.) When the person
leaves the detection area the accumulated counts are
divided by the retention time of the person. 4.) Steps
1.) up to 3.) are processed for all passed detectors.
Hence, each person collects a personal countrate for
each detector. When the person leaves the surveillance
area the countrates of all detectors are summed up.
The greater this number is, the more suspicious is the
person. Thus, in this first approach the detector counts
are either fully included into the accumulation process
(if person is inside the detection area) or completely
ignored (if person is outside).
A second approach for source carrier localization
can be derived by introducing count weights. With
these weights the counts during the detection phase of
a person are no longer fully included but partially cor-
responding to the relation of the persons path seg-
ment to the detector position
Source carrier localization based on the treatment
of activity can be realized by estimating an additional
state estimate. See [W10].
Let the surveillance area consist of a corridor with
three gamma scintillation detectors that are equally
distributed at distances of 5 m along a single side of
the corridor. Two persons traverse the corridor from
the left to the right, walking on after the other at a
constant distance. Their velocity is 1m/s. The source
activity is 250 kBq. Hence, from the decision thresh-
old in Eq. (2) a detection radius of 2m can be derived
for the three scintillation detectors r = 1, 2, 3. The de-
tectors synchronously work at a deWHFWLRQ LQWHUYDO
of 1 s. The background radiation under the photo peak
is 10 counts per second [CPS].
In the following we will evaluate all three ap-
proaches for source carrier localization: the accumula-
tion of countrates (ACR), of weighted countrates
(AwCR) and the deviation of the estimated activity
(Dev). Fig. 1 Fig. 3 show the approaches for an ex-
emplary data set. The distance between the persons is
0.8m. The simple ACR approach in Fig. 1 obviously
has the worst discrimination capability. The weights in
AwCR lead to an improvement. The best approach is
Dev. The results in Tab. 1 confirm the evaluation
based on Fig. 1 Fig. 3. Besides the worse discrimi-
nation capability, ACR also makes wrong decisions
when the persons are close to each other.
591
Summary and Future Work
In this work we presented three approaches to the
problem of source carrier localization in person
streams. The novel Dev approach based on activity
deviations could be proven to be the best in terms of
discrimination. The activity estimation in Dev is
realized by a recursive Bayesian filter using Gamma
densities. Future evaluation will also include asyn-
chronous detectors, position uncertainty, real data
and various source strengths. The future activities
will consider persons as extended objects and
shielding effects.
References
[VS07] Hans-Gerrit Vogt and Heinrich Schultz.
Grundzge des Praktischen Strahlenschut-
zes (German). Hanser Fachbuchverlag, 3
edition, 2007.
[WK09] Monika Wieneke and Wolfgang Koch.
Combined Person Tracking and Classifica-
tion in a Network of Chemical Sensors.
Elsevier Journal of Critical Infrastructure
Protection, 2(12), 2009
[W10] Monika Wieneke, Localization of Radioac-
tive Source Carriers in Person Streams,
Proceedings the 5
th
Workshop SDF 2011,
Sensor Data Fusion Trends, Solutions,
Applications, Leipzig, 30. September 01.
October 2010.
592
593
Multisensory Acquisition for Situation Awareness in Riot Control
Scenarios
Dieter Willersinn, Fraunhofer Institute of Optronics, System Technologies and Image Exploitation (IOSB), Ger-
many
Abstract
Situation awareness at checkpoints includes the capability to detect events and activities in crowds. This contri-
bution describes a system approach for multiple sensors and sensor modalities which are connected via standard
IP networks. The underlying temporal referencing lays the foundation for the most time-critical signal analysis
task, i.e. acoustic localization. Another challenging task is robust tracking of humans within video sequences of
crowds, and the analysis of the resulting trajectories. A riot control benchmark for video tracking methods was
created to assess the performance of state-of-the-art tracking methods. Results of the most appropriate method
are shown. At the next level of abstraction, trajectories are analysed to reveal hidden activities.

1 Introduction
A relevant capability at checkpoints is to control riots,
i.e. aggressive behavior of crowds of people in front
of a gate. Video cameras are the primary enabling
sensor for situational awareness in this scenario.
However, some key events such as a ringleader shout-
ing via a megaphone are easier to detect using micro-
phones. For this reason we consider a multisensory,
audio-visual setup for riot control scenarios.

We start with a generic acquisition scenario from
which we derive technical requirements. We then pre-
sent our solution that satisfies these requirements, and
the instrumentation of a data collection that we car-
ried out to collect a relevant dataset. We conclude by
demonstrating some video analysis capabilities (track-
ing, re-identification and situation recognition) that
we developed using the collected data.
2 Acquisition scenario and
technical requirements
The underlying acquisition scenario for riot control is
based on acoustic localization of e.g. a person shout-
ing into a megaphone, and on setting up a video
tracker at that point in time and (image) space. We
assume that all sensors, i.e. microphones and video
cameras, are connected using standard network proto-
cols (IP). This makes it possible to integrate commer-
cial off-the shelf microphones and video cameras.
The video tracker setup using the result of acoustic
localization requires the selection of the right camera,
the right video image and the right region of interest
within this image. This means that the entire mul-
tisensory setup needs to be referenced to a common
spatial and temporal coordinate system. While spatial
referencing could be done using standard techniques,
temporal referencing was more challenging due to the
task of acoustic localization.

The technical requirements upon acoustic localization
of a person using a pair of microphones were:

basewidth : 0.5 m
localization uncertainty : < 1 m
distance : < 50 m

This translated into a tolerable uncertainty of the tem-
poral reference of 289 ns or better. Figure 1 shows
how we satisfy this requirement using a GPS receiver
and standard sensor signals (impulse in Figure 1),
e.g. the flash control of a camera.
3 Data collection and bench-
mark production
The audio-visual data was collected during a riot con-
trol exercise. Four microphone pairs were deployed
around the crowd, a crane truck lifted a total of 7 col-
or video cameras into an overhead position as illus-
trated in Figure 2.
594

Figure 1 Temporal referencing of sensor data, using a GPS receiver and an impulse of the sensor, e.g. the flash control of a
video camera.

Figure 2 Crane truck with camera setup (left), sample video image with markers (white crosses) on the ground for spatial
referencing (right).
All sensor data were time stamped as illustrated in
Figure 1. The size of the persons heads in the video
data ranged from 10x10 pixels to 18x18 pixels de-
pending on the camera type.

Using a fraction of the acquired data, we generated a
benchmark containing video and truth data (6000
frames) for training and test as well as tools for per-
formance analysis [1]. The truth data describe the out-
line of each human in all frames of the video data. To
bring down the workload of truth data generation, we
created an interactive annotation tool, see Figure 3.
In its current version, the tool can be used to create
ground truth for up to 4 simultaneously recorded vid-
eo sequences.

Figure 3 IOSB tool for interactive annotation of up to four
video sequences simultaneously.
The tool has a set of tracking algorithms integrated
which are available to a human operator. The setup is
done by outlining object signatures with polygons and
subsequent selection of an appropriate tracking algo-
rithm.

The following algorithms are currently available:
fix propagation, i.e. all polygons will remain
at the same image regions in further images.
a global image-to-image registration.
a colour histogram-based object tracking
algorithm.
a particle filter-based object tracking
algorithm.
a template matching-based object tracking
algorithm.
a optical flow-based object tracking
algorithm.
a covariance tracker.
an interpolation algorithm (using two
different frames for interpolation).

After automatic tracking, the operator can correct
tracking results by moving and modifying the outlin-
ing polygons in any frame, and restarting the tracker
from this frame. Performance analysis is based on
standard metrics obtained from literature.
595
4 Robust tracking, re-
identification, and situation
recognition
In this contribution, we concentrate on the analysis of
video data. The particular challenge of the riot control
scenario is robust tracking of movements of people
within a crowd.

Using the riot control benchmark, we carried out a
comparative study of tracking algorithms [2]. The
tracker that performed best on the benchmark was
then further optimized [3]. Our approach to tracking
in multi-camera networks is based on manifold learn-
ing.

At the next level of abstraction, trajectories are ana-
lyzed to recognize relevant situations, e.g. activities
that are hidden in the crowd such as a handover of an
object [4], see Figure 4.

Figure 4 Automatically detected object handover (red rec-
tangle) based on robust tracking in crowds.
References
[1] U. E. Jger, M. Hpken, B. Drr, J. Metzler, D.
Willersinn: Multisensor benchmark data for riot
control. In: Kamerman, G.W.: Electro-optical
remote sensing, photonic technologies, and ap-
plications II: Cardiff, 15-16 September 2008.
Bellingham, WA: SPIE, 2008. (SPIE Proceed-
ings Series 7114), Paper 711403.
[2] Y. Hbner, J. Metzler, B. Drr, U.E. Jger, D.
Willersinn: Assessment and optimization of
methods for tracking people in riot control sce-
narios. In: Kamerman, G.W.: Electro-optical re-
mote sensing, photonic technologies, and appli-
cations II: Cardiff, 15-16 September 2008. Bel-
lingham, WA: SPIE, 2008. (SPIE Proceedings
Series 7114), Paper 711404.
[3] J. Metzler, D. Willersinn: Robust tracking of
people in crowds with covariance descriptors.
In: Rahman, Z.: Visual information processing
XVIII: 14 - 15 April 2009, Orlando, Florida,
United States. Bellingham, WA: SPIE, 2009.
(Proceedings of SPIE Series 7341), Paper
73410T.
[4] Dr. U. Jger, Dr. D. Willersinn: Video Tracker
Trajectory Analysis - who meets whom, when
and where. In: Buford, J.F.: Cyber security,
situation management, and impact assessment II;
and visual analytics for homeland defense and
security II: 5 and 8-9 April 2010, Orlando, Flor-
ida, USA. Bellingham, WA: SPIE, 2010. (Pro-
ceedings of Series SPIE 7709), Paper 77090U.
596
The need for high-performance detectors in security applications:
Results from a test bed for the detection of vapours emitted from
moving sources and the results from outgassing experiments of
packaged TATP
Becher, Christopher, Bonn-Rhine-Sieg University of Applied Sciences, Germany
Kaul, Peter, Bonn-Rhine-Sieg University of Applied Sciences, Germany
Warmer, Johannes, Bonn-Rhine-Sieg University of Applied Sciences, Germany
Beisel, Mario, Bonn-Rhine-Sieg University of Applied Sciences, Germany
Abstract
Sensor information resulting from distributed locations and/or a multitude of instruments and heterogeneous sen-
sors can increase the reliability of safety and security applications. Sensor nodes have been equipped with metal
oxide gas sensors in order to identify hazardous materials. A number of these nodes have then been placed along-
side a corridor people had to pass to enter a restricted area. The data from the chemical sensors were fused with
tracking data from laser range scanners and video systems. It has been shown that it was possible to allocate a
chemical contamination of one individual within a group of moving people and discriminate between various fire
accelerating fuels and solvents. This was successfully demonstrated outside the laboratory with a test corridor
build in a tent during a military tech-demo in Eckernfrde, Germany [1]. The performance of the system is
confronted with the requirements necessary for the gas-phase detection of concealed TATP, highlighting some of
the problems of explosives trace detection.

1 Introduction
Freedom of movement for people as well as freedom
of assembling safely in open public events or build-
ings is vital for any open society. Defending this free-
dom against ubiquitous threats requires the develop-
ment of intelligent security assistance systems
comprising state-of-the-art surveillance technology
being able to function continuously. The core func-
tions of an indoor security assistance system for real-
time decision support based on distributed sensors is
demonstrated.
A security assistance system based on multisensor data
fusion has successfully been demonstrated in the EU
project HAMLeT [2,3]. The intention of HAMLeT
was the data fusion of individual tracking data (origi-
nating from laser scanners) with additional attribute
information in order to identify threats posed by haz-
ardous materials; the corresponding information
originated from chemical gas sensors.
The data fusion aspect combines tracking one or more
individuals with their respective sensor response. The
sensor response allows to calculate two parameters
helping to identify the individual carrying hazardous
material: One is the signal strengths, the other is the
time delay for the analyte cloud to reach the sensor.
Both is dependent on the distance between the
observed individual and the sensor system. Analyte
diffusion, convection and transportation by a ventila-
tion air stream reduce the gas concentration and influ-
ence both parameters [4].
In this work a demonstrator was realised as a harbour
entrance gate. In this particular project, early detec-
tion, localisation, and continuous tracking of individu-
als carrying hazardous materials within a group of
several other individuals was the main intention. The
feasibility of this concept was successfully demon-
strated for flighty fire accelerants (fuel and solvents).
However for security applications the detection of ex-
plosives is of highest importance. Due to the low va-
pour pressure of most explosives a system for real-
time stand-off gas-phase detection of hidden energetic
material appears to be unpromising with the possible
exception of a few volatile explosives. TATP is such a
volatile explosive which gained some prominence by
terroristic attacks in recent years.
The evaporation rates of packaged, phlegmatised
TATP were investigated. The results of these out-
gassing experiments were than connected with the per-
formance afore mentioned demonstrator.

597
2 Experimental setup
2.1 Sensor nodes
The sensor nodes are equipped with four metal oxide
(MOx) gas sensors (UST, Figaro and AppliedSensor)
and a Sensirion temperature and humidity sensor. The
sensors are mounted on flexible goose necks, figure 1.
This allows adjustment of the position of the sensor
within the air stream for better sensor results (reduced
noise level, shortened response time).
The main design goal for the sensor nodes were opti-
mum performance and flexibility, as the nodes are to
be used in various research applications and feasibility
studies.
The sensor nodes can be equipped with a broad vari-
ety of MOx gas sensors. While some of these sensors
can be operated in low power modes, many of these
sensors require high operating power. The total power
consumption of a node depends strongly on the em-
ployed sensors and configuration and may vary be-
tween 1 and 8 Watts. This allows battery operation
only over short periods of time (several hours up to a
day). Using a set of 1.5V AA batteries we achieved
battery operation for 2 to 3 hours. However in most of
our experiments, we have used a mains connected
power supply.
The main limitation in achieving low power with MOx
sensors is the necessity of operating at higher tempera-
ture. The power consumption of the heater of a micro
machined low power MOx sensor is between 30 to 50
mW in constant operating mode [5, 6, 7]. The power
consumption of an optimized sensor node with 4 mi-
cro machined MOx sensors could be as low as 150 to
250mW.
Power cycling of the heater may reduce the power
consumption further and improve prediction quality
[8, 9]. Thus sensor nodes can be constructed to
operate on battery for several weeks or even months.
In the application shown in this paper, short response
times are crucial. Therefore we refrained from power
cycling.
Figure 1 Sensor node: Sensors can be mounted on
the sockets at the end of the goose necks.
The temperature of each metal oxide sensor can be
adjusted by setting the voltage across the heater with a
potentiometer. Additionally the heater power can be
varied under software control using pulse width modu-
lation (PWM) of the heater voltage.
2.2 MOx-sensor array
For the development of the sensor array in order to
detect fuels and solvents as fire accelerating agents
different MOx-sensors (Table 1) were investigated.
Six different analytes were used to test both the sen-
sors' sensitivity and selectivity: ethanol, methanol,
diesel, petrol, petroleum ether, and paint thinner con-
taining acetone. For several sensors the heating volt-
age was varied between (1 5 V for the UST sen-
sors; 1.3 V and 2.3 V for AS-MLK and AS-MLC).
Producer Type
Heat-
ing
volt-
age *
Application
area*
UST
GGS
1530T
3.2 V
Broadband,
leak detection
of burnable
gases
UST
GGS
3420T
3.5 V
Hydrocarbons
(C1-C8)
UST
GGS
5430
2.3 V NO
2
and O
3

Figaro
TGS
2602
5.0 V
Pollutants in
air (e.g. ciga-
rette smoke,
H
2
S, NH
3
)
Figaro
TGS
2620
5.0 V
Alcohol, org.
solvents, CO
Appl. Sen-
sors
AS-
MLK
2.3 V Methane
Appl. Sen-
sors
AS-
MLC
2.3 V CO
Table 1 Tested sensors (* in accordance to the data-
sheets)
These agents were chosen since they are available on
the free market in large quantities. From the seven gas
sensors listed in Table 1, a short list of four sensors
was selected using the following experimental proce-
dure:
Synthetic air controlled by a mass flow controller
(MFC) is saturated with the analyte in a washing
flask and then led in to the measuring chamber. The
measuring chamber is equipped with a ventilator suck-
ing unfiltered air from the lab. The incoming turbulent
airflow is measured with a handheld anemometer di-
rectly in front of the nozzle. The original analyte con-
centration is evenly diluted by a static mixer. The ex-
perimental setup for the first investigations is shown
in figure 3. Increasing the length of the measuring
chamber or repositioning of the sensors did not sig-
598
nificantly change the peak height of the sensor re-
sponse. This leads to the assumption of the analytes'
concentration in the measurement chamber to be
evenly distributed. By controlling the flow via the
mass flow controller and the ventilators speed the
analyte concentration was adjusted to approximately 5
ppmV for pure substances. Because of the lower va-
pour pressure the concentration of diesel was adjusted
to 0,5 ppmV. For mixtures like petroleum ether with
known total vapour pressures the sum of the concen-
trations of all ingredients is also regulated to 5ppmV.
Otherwise the concentration was adjusted to 5 ppmV
with regard to the most volatile component of the mix-
ture.
The individual sensor responses to the analytes were
normalized and collectively described as a matrix
(figure 2). The response of the sensor to the different
analytes is displayed as vectors in rows. Each column
stands for one of the 6 analytes.
Figure 2 Matrix of normalized sensor responses, the
different heating voltages of the same sensor type are
treated as individual sensors.
To determine the independence of the sensors the co-
variance and subsequently the correlation coefficient
of the sensor vectors were calculated. A set of sensors
has the highest selectivity of all possible sensor com-
binations if the correlation coefficient is lowest. As
benchmark for sensitivity the sum of the normalized
sensor response of the individual sensor versus the
analytes were used. Sensitivity was assumed to be
much more important than selectivity, because the
main goal of this work was the detection of a chemical
anomaly in order to alert the security personnel to po-
tentially critical situations.
Figure 3 Experimental setup for the testing the sensor
response against various analytes.
2.3 Description of the test corridor
The test schematic view of the corridor is shown in
figure 4. It was designed as an entrance area which
could be integrated into a typical German army tent
Einheitszelt Bw II. It is built as a corridor with a
length of 10 meters containing a u-turn. Apart from
the necessary tracking system (three laser-range scan-
ner and two video systems) four chemical sensor
nodes (L1-L4) are integrated, hidden within the venti-
lation system, which creates a directed airflow across
the corridor.
The chemical sensors alone lack the spatial and tem-
poral resolution required to attribute a chemical signa-
ture to a moving individual. The problem can be
solved by data fusion of chemical sensor and tracking
data and the use of probability based algorithms
[3].This has already been demonstrated and was de-
scribed in detail [4]: People entering the corridor are
tracked, and classified and potential threats are local-
ized inside the demonstrator. Chemical signatures for
individual classification are provided by chemical
sensors detecting hazardous materials.
Figure 4 Schematic picture of the test corridor, L1
L4: chemical sensors, blue arrows: moving air from
the ventilation system, Laser: laser-range-scanner
The whole system was integrated into a tent which
was erected outdoors at the navy base in Eckernfrde,
at a distance of approximately 100 meters from the
seaside.
Small cloth covered vials were used as moving analyte
sources. For ethanol a mass loss of 24 g/sec at 20 C
was determined, which we consider to be comparable
to stained cloths or body parts. By additional experi-
ments a rate of evaporation of approximately 10
g/sec was estimated as necessary for detection and
substance identification by the system. If an individual
carrying this analyte source passes through the corri-
dor with normal walking speed the average time of
exposure to the sensor array was one second or less.
During the demonstration up to six people passed
through the corridor at any one time. Only one indi-
=
mn m
n
m
x x
x
x x x
ensor S
ensor S
ensor S
X
... ...
... ... ...
... ...
...
...
1
21
1 12 11
2
1
v
v
v
599
vidual was carrying an analyte source at the same
time.
2.4 Description of the TATP outgassing
experiments
Phlegmatised TATP was filled in LD-PE sample bags
(open, closed and heat-sealed) as well as in heat
sealed triple layer LD-PE freezer bags. Material
thicknesses were 0,15 mm for the sample bags and 0,1
mm for the freezer bag. Bag sizes as well as the
amount of filling were identical. The samples were
then stored in a drying oven at 36 C. This tempera-
ture was chosen to mimic body-temperature. The rates
of evaporation were determined by wheighing the
samples outside the oven at varying time intervals.
During weighing the samples remained outside the
oven for less than 5 minutes. Measurements were done
in duplicates. Also reference samples only filled with
the phlegmatising material were prepared and stored
in the same way as the TATP containing samples. Dur-
ing the experiment none of these showed any signifi-
cant weight loss.
3 Results and discussion
3.1 Sensor setup for best sensitiv-
ity and optimised analyte clas-
sification
The best results for sensitivity and fair selectivity were
achieved with an array consisting of four sensors:
UST GGS5430T (heating voltage: 5 V), Figaro TGS
2620 (5 V), Figaro TGS 2602 (5 V) and Applied Sen-
sor AS-MLK (2, 3 V).
Under laboratory conditions it was possible to unam-
biguously identify the substance at concentrations of
1-5 ppmV. Figure 5 shows an example of the time-
dependent signals of the four metal oxide sensors for
three different solvents resulting from open environ-
ment measurements in the corridor. The exposure time
of the analyte source (the above mentioned cloth-
covered vials) within the air stream was approximately
one second corresponding to the dwelling time of a
normal walking individual in the air stream.
The sensor response is very fast (peak maximum
within 2 seconds). After a recovery interval of 30 sec-
onds the sensor array is able to detect a new analyte
cloud precisely enough for classification.

Figure 5 Sensor signal of the array of three single
measurements with different analytes
For the system demonstration with the test corridor a
built in array was exposed to the six fuels and solvents
mentioned above and additionally to acetone. From
the results a PCA was created (figure 6) which clearly
shows the differences of the individual analytes. One
exception is acetone (white dots) which could not be
distinguished from the paint thinner (green dots). The
paint thinner contains mostly acetone so the concen-
tration of most volatile component acetone in air will
be the highest and therefore the amounts of the other
components can be neglected.
The system used this database for online identifica-
tion.
Figure 6 PCA of seven substances used for the dem-
onstration in the test corridor at Eckernfrde
3.2 Ventilation setup
To minimise dilution of the analyte on its way from its
source to the sensor and also to get sufficient repro-
ducibility of the sensor signals and to decrease the
time delay for the sensor signals a sophisticated vent-
ing system is required.
In order to optimize the ventilation system it was
tested how the analyte concentration decreases from
the source to the sensor. Together with a known va-
pour pressure of a test source dilution factors can be
calculated depending on the distance of the analyte
source to the sensor. Figure 7 shows the results of
these measurements.
600
Figure 7 Dilution factor vs. distance of the analyte
source to the sensor
By optimizing the ventilation system the dilution fac-
tor can be further reduced. This shows that not only
the detection limit of the sensor plays an important
role for reliable detection. Furthermore, the transport
of the analyte from a source to the sensor has to be as
good as possible to suppress natural convection.
3.3 Realisation of the security assis-
tance system
A quick sensor response to an analyte source facili-
tates the allocation of the chemical signature to a mov-
ing individual via the fusion algorithm. Therefore the
time delay was reduced by a strong, directed air flow
(up to 16 m/s air velocity using a blower nozzle with a
small diameter) and a fast electronic sensor network.
The maximum data throughput rate is 10 samples per
second. For the demonstrator a reading/data transfer
rate of 500 ms was sufficient.
The wireless operating mode of the sensor nodes was
mainly used during the configuration of the test corri-
dor in the tent and enabled quick test runs to optimize
placement of the sensors and venting conditions.
However, during the deployment in the military har-
bour problems concerning the data transfer rate arose,
whenever strong radar sources or electronic counter-
measures became active. Therefore the nodes were
mostly operated in the wired mode.
Figure (Figure 8) shows four pictures at different time
stamps of a group of three individuals passing through
the corridor.
The second individual is carrying the analyte source.
The thin black line behind the individual icon repre-
sents the history of their movement (tracking data).
The system identifies three different individuals. Al-
most immediately after the second individual crosses
the sensor node (S1), the system detects a threat (indi-
cated by change of colour from green to red). Within
the first time stamp the second individual is identified
as carrier (indicated by the icons red colour). At time
stamp three the system automatically identified the
substance to be ethanol. In the middle of figure 11 the
response of one sensor of each sensor node is dis-
played.
Groups of varying size passed through the demonstra-
tor at different speeds, with or without varying analyte
sources. In 95% of the 40 experiments with a con-
cealed analyte source being carried through the corri-
dor the analyte source was detected. No false positives
occurred. Interferents like menthol chewing gums,
coffee, wet clothes, or several perfumes only caused
minor disturbances at the sensor system and did not
lead to any false alarms. Tobacco fumes blinded the
sensors for some time, but did not result in false-
positive detection.
When an analyte was detected the allocation of the
chemical signature to the moving individual was cor-
rectly assigned in 95% of these cases. Identification of
the chemical substances occurred in 60% of the cases.
In two of 40 cases the substance was falsely identified.
In the remaining runs the substance remained uniden-
tified. However, a systematic investigation of possible
interferents was not conducted. The calibration of the
MOx-sensor-array with the test substances was per-
formed once at the beginning of the ten-day measuring
period.
Figure 8 A group of three individuals is moving
through the demonstrator. The second individual car-
ries an ethanol source. Each colour in the lower chart
represents one sensor node (S1 S4)
The problems with the identification of the substances
can be attributed to the small data base for the PCA (n
= 10). The big variations of the analyte concentrations
created in the experimental procedures in the test cor-
ridor can be considered a further reason. These varia-
tions are caused by individuals moving with varying
velocities, by different distances of the source to the
601
y = -0,0066x - 0,4399
R
2
= 0,9988
y = -0,0063x + 0,1802
R
2
= 0,995
y = -0,0058x - 0,8786
R
2
= 0,9986
y = -0,0047x - 1,8251
R
2
= 0,9995
-60,0
-50,0
-40,0
-30,0
-20,0
-10,0
0,0
0 2000 4000 6000 8000 10000 12000
time [min]
Mass loss [mg]
LD-PE bag
(open)
LD-PE bag
(closed)
LD-PE bag
heat-sealed
Freezer-bag
Heat-sealed
y = -0,0066x - 0,4399
R
2
= 0,9988
y = -0,0063x + 0,1802
R
2
= 0,995
y = -0,0058x - 0,8786
R
2
= 0,9986
y = -0,0047x - 1,8251
R
2
= 0,9995
-60,0
-50,0
-40,0
-30,0
-20,0
-10,0
0,0
0 2000 4000 6000 8000 10000 12000
time [min]
Mass loss [mg]
LD-PE bag
(open)
LD-PE bag
(closed)
LD-PE bag
heat-sealed
Freezer-bag
Heat-sealed
sensor and by changing temperatures influencing the
evaporation rate of the analyte source. These varying
analyte concentrations cause problems for the data
processing due to the non-linearity of the sensor sig-
nals. At low concentrations the initial slope of the sen-
sor signals is strongly dependent on the different ana-
lytes, whereas at high concentrations saturation effects
occur. Additionally, MO
x
-sensors have a tendency of
drifting over longer time periods which makes the
identification of an analyte even more challenging.
However, the main objective of the security assistance
system is to draw attention of security personnel to an
anomaly within a multi-person stream. The automated
identification of the analyte is desirable, but not nec-
essary. In the next step the security personnel will
have to separate the suspect and check him or her
individually, via body search, if necessary. More so-
phisticated but usually slower detection systems like
GC/MS could also be used.
The rate of false alarms has to be reduced as far as
possible. The percentage of false negative alarms as
well as wrong allocations of the chemical signature to
a person are with 5% each relatively low. Neverthe-
less, decreasing these numbers remains desirable. The
obvious way would be to use sensors with higher sen-
sitivities. Expected sequels for this approach are
higher costs for the sensors, as well as a higher rate of
false positive alarms due to increased problems with
chemical background noise. False positive alarms can
be tolerated, since the suspicious individuals are
meant to be rechecked anyway. However, too many
false positives will reduce the effectiveness of such a
security assistance system, increase the workload for
the security personnel and reduce the acceptance for
both security personnel and citizens.
3.4 Rates of evaporation of packaged
TATP
In figure 9 the time depended mass loss of the pack-
aged desensitised TATP (stored at 36 C) is displayed.
The linear weight loss indicates that steady state con-
ditions within the packages are quickly reached and
remain constant over a long period of time. The mass
loss between the different types of packaging in-
creases from the heat-sealed freezer bag to the open
sample bag. The sealing type (whether zipped closed
or heat-sealed did not make a difference for the sam-
ple bags. The measured mass losses varied between
0,4 mg/h for the open LD-PE sample bag and 0,28
mg/h for the heat-sealed freezer bag: 0,28 mg/h).
As stated before in test corridor which was equipped
with sensors with a identification limit around 1-5
ppmV at an exposure time of 1 sec, a minimum evapo-
ration rate of about 10 g/sec were determined. The
experiments show for TATP in an open LD-PE bag a
mass loss of 0,1 g/sec. Regarding the absolute
amount of analyte a sensor suitable for the detection
of TATP in the given setup has to be four orders of
magnitude more sensitive compared to the used MOx-
sensors.
Figure 9 mass loss of packaged TATP stored at 36 C
in drying oven
A distant depended dilution (figure 7) of three to four
orders of magnitude has been observed. This means
that with an equilibrium vapour pressure of 70 ppmV
for TATP the minimum sensitivity for any detector de-
ployed an above described security assistance system
has to be at least in the lower ppb range. In a realistic
scenario the explosive will be packaged and thus re-
ducing the starting concentration even further.
4 Conclusions
The concept of the fusion of tracking data described,
and additional sensor attributes especially chemical
sensor attributes is a very powerful security assis-
tance tool. To increase the correlation between an in-
dividuals track and the chemical signature a network
of chemical sensors is required. A larger number of
chemical sensors yield more information with respect
to time and space. The sensors should be placed so
that the distances between the moving individuals and
the sensors vary. This way, sensor signals can more
easily be correlated to different individuals tracks.
Due to the need for a high number of chemical sensors
they need to be small, inexpensive, and robust and
they should have low maintenance costs. For the de-
tection and identification of the volatile TATP the di-
lution in the airstream alone makes a minimum sensi-
tivity in the lower ppb necessary. Any kind of wrap-
ping will increase the requirements further.
The sensor signals must be available as quickly as
possible (one to two seconds after the individual
crossing the airstream which is directed to the sensor;
the shorter the better). With short time delays the fu-
sion algorithms enable better correlation to the track
data. A network of semiconducting sensors used for
the detection of fuel and solvents can partly fulfil
these demands but for the detection of explosives
other sensors with much higher sensitivities are neces-
sary.
602
The design of the control area will probably always
require a sophisticated venting system. The detection
area like a corridor should be kept as small as possible
to get smaller distances and low dilution factors. The
ventilation system used here and the fast data transfer
of the sensor nodes decreased time delay and in-
creased the quality of the sensor signals.
5 Outlook
For future research, especially the detection of explo-
sives and explosives-related compounds (ERC) or
well-concealed and well-packed hazardous material is
of great interest. Their detection is a very challenging
task, because both the low vapour pressure of the ex-
plosives and the packaging will reduce the amount of
evaporated analyte by several orders of magnitude.
For this task chemical sensors with extreme sensitivi-
ties and much better selectivity will be indispensable.
This concept of data fusion is not limited to chemical
attributes. It should be feasible to integrate many other
types of classifying information from gamma detec-
tors, metal detectors or face recognition systems
which will immensely enhance the impact of such a
security assistant system. Works aiming at the integra-
tion of over types of sensors are currently in progress.
Other design aspects still need to be improved. The
problems with the analyte identification for instance
could be solved by using more efficient methods for
statistical data processing in order to eliminate effects
caused by non-linearity of the sensors in the low and
high concentration range.
The still significant costs for such a system will decide
its possible range of applications. The most expensive
components are the laser-range-scanners, and the sen-
sor nodes. The laser-range-scanner might be
replaceable by video systems. Those are cheaper and
can also be used to obtain additional information like
facial recognition or behaviour analysis. The draw-
back of using video systems is lower accuracy with
respect to the kinematic data which are necessary to
allocate the chemical signature to the moving source.
The effect of the decreased data quality on the alloca-
tion algorithm still has to be investigated.
Acknowledgments
This work was supported by the HAMLeT-team of
the FhG FKIE in Wachtberg, Germany. The system
demonstration was funded and supported by the Fed-
eral Office of Defense Technology and Procurement
(BWB). Development of the HAMLeT- System was
subsidised within the EU FP6 (PASR SA 204400)
References
[1] Becher, C; Kaul, P.; Mitrovics, J.; Warmer, J.:
The detection of evaporating hazardous mate-
rial released from moving sources using a gas
sensor network, Sensors and Actuators B:
Chemical, Vol. 146, pp. 513-520, 2010
[2] HAMLeT, Hazardous Material Localisation &
Person Tracking, Proposal/Grant Agreement no.
204400, Preparatory Action on the enhancement
of the European industrial potential in the field
of Security research (PASR)
[3] Wieneke, M.; et al; Combined Person Tracking
and Classification in a Network of Chemical
Sensors; Proceedings of the 11th International
Conference on Information Fusion, Germany,
ISBN 978-3-00-024883-2, pp. 1663 1670,
2008
[4] Becher, C.; et al., A Security Assistance System
combining Person Tracking with Chemical At-
tributes and Video Event Analysis, Proceedings
of the 11th International Conference on Informa-
tion Fusion, Germany, ISBN 978-3-00-024883-
2, pp. 1447 1454, 2008
[5] Datasheets AS-ML sensors available from
www.appliedsensor.com
[6] Graf, M.; et. al.: Microfabricated gas sensor
systems with nanocrystalline metal-oxide sensi-
tive films; J. Nanoparticle Res., Vol. 8, pp. 823-
839, 2006
[7] Heilig, A.; et. al.: Gas Identification by Modu-
lating Temperatures of SnO
2
Based Thick Film
Sensors, Sensors and Actuators B, Vol. 43, pp.
45-51, 1997
[8] Far, A.; et. al.: "Temperature Modulation for Tin-
Oxide Gas Sensors"; 4th IEEE International
Symposium on Electronic Design, Test and Ap-
plications, pp. 378-381, 2008
[9] Modrak, M.; et. al.: Characterization of fugitive
emissions of greenhouse gases from a wastewa-
ter treatment plant using the radial plume map-
ping technique; WEFTEC.06, Conference Pro-
ceedings, Annual Technical Exhibition & Con-
ference, United States, pp. 7200-7205, 2006

603
Detection of Explosives -
Scenarios, Sensors and Realistic Concentrations
Frank Schnrer, Fraunhofer Institute for Chemical Technology ICT, Germany
Wenka Schweikert, Fraunhofer Institute for Chemical Technology ICT, Germany
Moritz Heil, Fraunhofer Institute for Chemical Technology ICT, Germany
Dirk Rseling, Fraunhofer Institute for Chemical Technology ICT, Germany
Gudrun Bunte, Fraunhofer Institute for Chemical Technology ICT, Germany
Horst Krause, Fraunhofer Institute for Chemical Technology ICT, Germany
Abstract
Tougher security requirements and an increasing number of terror attacks have led to rapid advances in the field
of explosive detection in the past few years.
The field of explosive detection is an extremely complex one. Beside a large number of different scenarios,
physical properties of explosives and their dispersion characteristics are highly relevant for the choice of a suit-
able sensor technology. For the detection of explosives and explosive devices many different techniques, based
on a wide range of different physical principles and designed for a wide variety of different scenarios, have been
developed.
As explosive devices are usually concealed in some way, detection can be a very challenging task. It is not yet
possible to detect hidden explosives over a large distance and therefore at an early stage of an imminent terroris-
tic attack. Since initial research results are still a long way from practical application, research in this sector is
still be carried out intensively on a global level.
Sensors need to be rapid and specific, to detect a variety of substances and reliably identify threats. As no sensor
can cover every scenario and type of explosive, multiple sensors are often necessary, which are selected depend-
ing on the substance to be detected and the application scenario. The selection of suitable detection methods and
sensors for individual scenarios requires a standardised test, which allows direct comparison of the performance
of different systems, independent of the institution performing the tests or the place where they are carried out.
1 Introduction
1.1 The growing Threat of Terrorism
The terroristic threats have been increasing world-
wide during the last decades. Media reports about sui-
cide bombers, car bombs, and explosions have be-
come commonplace, with the greatest threat emanat-
ing from suicide bombers in crowds and car bombs in
traffic.
Following the 1988 bombing of Pan Am Flight over
Lockerbie, security procedures, such as luggage and
passenger screening, were assessed by a number of
organizations. The terrorist attacks of September 11,
2001, and the attempted shoe bombing of an Ameri-
can Airlines Flight December 2001, led to enhanced
security measures on airports focusing on the screen-
ing of luggage and passengers utilizing close-
proximity detection methods and portal systems.
1.2 Remote and Standoff-Detection of
Explosives
However many terrorist threats fall outside the realm
of airport portal security. It is not yet possible to de-
tect hidden explosives over a large distance and there-
fore at an early stage of an imminent terroristic attack.
The societal, economic, and political sphere is inter-
ested in having all technological options exhausted to
prevent such attacks.
To identify potential suicide bombers effectively, the
following requirements must be met:
Detection over distances of up to 100 metres
Identification of explosive traces
Reliable measurement results within seconds
Very low false alarm ratio
Detection of a wide range of different explosives
These performance requirements demonstrate clearly
the technical challenge involved in the development
of suitable measuring systems for the stand-off detec-
tion of explosives. Initial research results are still a
604
long way from practical application.
Until now trained sniffer dogs are still the best alter-
native for sensing explosives remotely, albeit at dis-
tances of no more than a few metres.
2 Scenarios and Sensors
There are a wide variety of different scenarios in
which sensor technology can be applied:
x Monitoring of large areas at major events
x Protection of public buildings, such as stadi-
ums or theatres, and of critical infrastructure
such as power plants and communication
systems
x Rapid inspection of passengers and luggage
on public transport and in airports
x Search for hidden bombs in pedestrian
zones, streets and public spaces
x Monitoring the content of transport contain-
ers to ensure security of the supply chain
x Forensic investigations after attacks
As one single sensor or detection system that covers
all scenarios and detects all types of explosives isnt
available so far consequently multiple sensors are of-
ten necessary selected with regard to the key threats
and the application scenario.
Explosive detection systems detect a wide variety of
physical or chemical characteristics of explosives and
explosive devices. There are two different approaches
in the detection of explosive devices:
x Detection of the shape/structure of devices or
detection of anomalies
x Material-specific detection of the explosive
(traces or bulk)
A formulated explosive is an energetic material or a
combination of different energetic materials together
with other substances like binders or plasticisers to
improve stability, handling or other properties. Some-
times taggants (e.g. high vapour pressure compounds)
are added to improve the detectability. It is also possi-
ble that there are remnants of precursors from the
manufacturing of the explosive. These constituents
may be relevant concerning the material-specific de-
tection of the explosive.
3 Gas and Particle Dispersion of
Explosives
Although some explosives can be detected (as a
plume) in the gas phase, few technical solutions are
available for analysing the gas phase above a poten-
tial assassin. Most explosives adsorb well on many
surfaces, which facilitates their detection. The detec-
tion of traces of explosives on clothing or luggage is
therefore also a viable approach. For both detection
scenarios, very small quantities of explosives must be
detected. However, the sensitivity required in practice
is largely unknown.
Using experimental methods and mathematical mod-
elling, the Fraunhofer ICT determines the dispersion
of explosive gases and particle traces. Particular em-
phasis is placed on the dispersion behaviour of the
substances used in so-called Improvised Explosive
Devices (IEDs).
The focus of the research activities is to provide secu-
rity personnel with information about where signifi-
cant concentration of explosives can be expected, in
order to target these sites in their investigations. It is
then possible to define the minimum sensor resolution
necessary to detect concentrations of explosives
found
in reality.
3.1 Different Chemistry of Energetic
Substances
When investigating the dispersion of explosives, the
different chemistry of the energetic substances in-
volved is a first consideration. In regions of military
conflict, in which there are often uncontrolled quanti-
ties of used ammunition and abandoned weapons,
military explosives are generally used for the con-
struction of IEDs. In areas where waste ammunition is
not available, home-made substances are used for ter-
rorist attacks. The resulting variety of chemical com-
pounds, combined with the requirement for high ac-
curacy in their identification is a particular challenge
in the evaluation of a potential threat. Basic informa-
tion regarding the dispersion of explosives can be
found in studies which, for example, provide quanti-
tative descriptions of the release of TNT or DNT from
mines. This knowledge is best applied to IEDs with
military explosives attacks.
3.2 Determination of Realistic Concen-
trations in the Gas Phase
However, as yet little data exists concerning the con-
centration of the explosives in the gas phase at a
given distance from the source (for example an IED).
Figure 1 shows the determination of realistic gas con-
centrations of different explosives (e.g. TATP). A de-
fined amount of an explosive in a beaker is heated by
a sand bath.
605
Figure 1 Determination of realistic concentrations
With a gas sampling tube we take samples and use
Gas Chromatography to determine content and con-
centration. Table 1 shows the results concerning
TATP.
Temperature
(C)
Distance to
source (cm)
TATP-concen-
tration (ppm)
20 0 0,045
37 0 0,661
37 10 0,038
37 20 0,005
50 0 3,180
50 10 0,103
50 20 0,024
Table 1 Realistic concentrations of TATP in the gas
phase
At 20C directly above the explosive we found for
DNT 3.03 ppb and for DMNB 0,013 ppm. The con-
centrations we measured are about 100 - 1000 times
lower than the equilibrium concentrations published
by J.W. Gardner and J. Yinon [1].
Mathematical models support experimental investiga-
tions into dispersion behaviour, and ensure that the
results obtained are more widely applicable.
There is consequently a need for answers to funda-
mental questions relating to the dispersion and identi-
fication of explosives. The detection strategy deter-
mines whether information can be obtained directly
from the gas phase using a sensor, or whether, for ex-
ample, enrichment is necessary. The selection and op-
timal positioning of sensors, and the time span re-
quired for detection, can be determined from these
results.
3.2 Adsorption Behaviour of different
Materials
When investigating the dispersion of explosives, it is
also necessary to determine on which surfaces par-
ticularly high concentrations of explosives can be ex-
pected, for both spectroscopic stand-off detection of
particulate contamination from explosives, and for
generating wipe samples.
Figure 2 shows the determination of the substance-
specific adsorption behaviour of different textile sur-
faces.
Figure 2 Determination of substance-specific adsorp-
tion behaviour of different textile surfaces.
We put three different textiles at different positions in
an exsiccator and 2 mg explosive on the bottom of
exsiccator. After 60 minutes at 40 C we measured the
amount of adsorbed explosives using GC- headspace.
textile-sample
TATP-amount
in g
DMNB-
amount in ng
bag (PVC) 2,61 378,09
Trousers (50% poly-
ester & 50% viscose)
0,01 11,68
tie (silk) 0 7,18
Table 2 Adsorption behaviour of textile-samples
The type of textile surface significantly influences the
adsorbed amount. The position or height of the sam-
ples however seems to have no influence. More ex-
periments have to be done to verify these initial re-
sults.
Besides determining the substance-specific adsorption
behaviour of different materials - such as skin,
leather, hair and plastics - with regard to particle and
gaseous traces, it is also necessary to consider
whether, and to what extent, traces can accumulate
locally (for example in folds in the clothes, suitcase
handles, tickets and credit cards).
606
The focus of the research is to provide security per-
sonnel with information about where the highest con-
centration of explosives can be expected, so that they
can target these sites in their investigations. It is then
possible to define the minimum sensor resolution nec-
essary to detect the concentrations of explosives
found in practice.
4 Evaluation of Explosive De-
tection Systems
The selection of suitable detection methods and sen-
sors for individual scenarios requires a standardised
test, which allows direct comparison of the perform-
ance of different systems, independent of the institu-
tion performing the tests or the place where they are
carried out. Important parameters for standardised test
scenarios include a clearly-defined testing methodol-
ogy, a defined assessment and evaluation system and
a standardised set of testing samples. These samples
might consist of a set of defined containers and pre-
cisely determined compositions of explosives.
Standardised test set-ups and qualified samples are
generally not available except at security gates in air-
ports. This means that up to now it has been very dif-
ficult to obtain comparable results for different detec-
tion technologies. Standardisation on an international
level is a particularly high priority.
4.1 Certification of Liquid Detection
Systems
Concerning liquid explosives the European Commis-
sion aims to remove the current restrictions. There is a
need for reliable and certified bottled liquid detection
systems.
With the liquid test methodology developed by the
European Civil Aviation Conference (ECAC) task
force it is possible to benchmark the various detection
systems present today.
The Fraunhofer ICT is working on behalf of the Ger-
man Federal Police as National Test Centre for the
evaluation of liquid explosive detection systems at
security gates and for hold luggage screeners in the
airports.
Beside the official test campaigns according to the
ECAC common test methodology initiated by the
Federal Police the Fraunhofer ICT has developed a
test method adapted to the needs of the different
available detection methods of current detection sys-
tems. This test offers a secure infrastructure and in-
cludes standardised threat and benign samples, an ob-
jective test methodology as well as an intensive data
evaluation. Manufacturers of detection systems have
the chance to test their well-established or new devel-
oped devices against real explosive samples.
References
[1] J.W. Gardner and J. Yinon (Eds.), Proc. of
NATO Advanced Research Workshop on
Electronic noses and Sensors for the detec
tion of explosive, Warwick, UK, 2003
607
Multi-Sensor Awareness for Protection and Security
Christian Micheloni, University of Udine, Italy
Claudio Piciarelli, University of Udine, Italy
Gian Luca Foresti, University of Udine, Italy
Abstract
Video analytics is the field of computer vision that aims to improve the security of public and private areas by
understanding the activities acquired by the cameras installed in the environment. The main objective is to highlight
only the potential security issues and thus requiring the attention of a human operator only in a limited number of cases.
The research in this field has been very active and produced many techniques for video analysis and interpretation, but
many works are limited to the exclusive use of static cameras. Another limit of the current systems is that they often do
not rely on heterogeneous data, while chemical, laser or audio sensors represent an important support to video analytics
techniques. In particular, audio microphones have several advantages, like wide omni-directional coverage and low
price, and thus could be particularly useful to cover large environments. This work proposes a novel audio- and video-
based surveillance system, where audio sensors are used to cover large portions of the environment, and the detected
audio sources are further analyzed by means of PTZ (Pan-Tilt-Zoom) cameras. Cameras not focusing on audio sources
are automatically configured to optimize the visual coverage of the environment.

1 Introduction
During the last years, the need for security-oriented
surveillance systems has drawn considerable attention.
Video-Surveillance systems have become pervasive
being deployed in many different public environments
like airports, train stations, etc. The goal of such
systems is to prevent or assess security threats. Current
deployments range from the use of standard closed-
circuit cameras (CCTV) to sophisticated video
analytics based systems. The most common
deployments are represented by CCTV systems. They
have been the first kind of video-surveillance systems
and still are the cheapest solution. In this field the
evolution has mainly concerned the passage from the
analogue to the digital version. However as security
requirements have become more pressing their limits
become evident. The high number of cameras required
to monitor complex environments and the high mental
effort a human operator has to sustain opened a new era
in the research filed of computer based surveillance
systems. In order to face these problems, the research
in the field of computer vision has proposed several
works on automated systems, able to automatically
detect potential security issues (anomalous, forbidden,
dangerous events or behaviors) and notify them to a
human operator. However many of these systems are
limited both in the type of sensors used (video only)
and in the way the sensors are used (typically fixed
sensors).
Only recently the research community started focusing
on more sophisticated sensors like Pan-Tilt-Zoom
(PTZ) cameras [1][6][7], and very few have considered
the advantages of using heterogeneous sensors.
Cameras have been principally exploited to get
kinematical properties of the objects moving in the
scene. On the basis of such properties behavior
inference is computed. In this work we follow a
different approach, in which the possibility to
reconfigure (this is, change the pan, tilt and zoom
parameters) video sensors is used to guarantee an
optimal coverage of a large environment to be
monitored. The system relies on the dynamic definition
of relevance maps (maps describing the importance
of different zones of the environment) in order to apply
an Expectation-Maximization based algorithm [2] for
computing a new, improved sensor network
configuration.
The dynamic computation of the relevance maps itself
is a challenging problem, since it requires the entire
environment to be covered by sensors. In modern real-
world applications this is often impossible to achieve
with visual sensors since the areas to be monitored can
be very large (and this is why sensor reconfiguration is
needed). The problem can be tackled by using
heterogeneous sensors, and in particular audio sensors:
since audio microphones can achieve omnidirectional
coverage and are relatively cheap compared to video
sensors, they can be used to obtain full coverage and
detect acoustic sources by means of Acoustic Source
Localization (ASL) techniques. Other than building
relevance maps, acoustic data can also be used for
immediate video reconfiguration: when an object is
detected by the ASL the cameras with the best points
of view start tracking the target. On the other hand,
when a PTZ camera is tasked to track an object the
topology of the network is modified. As consequence,
a new configuration of the PTZ network is thus
required to provide optimal coverage of the monitored
environment.
608

2 System architecture

Figure 1 system architecture.

Figure 1 shows the proposed system architecture,
composed by two main modules: a) a Audio Analytics
subsystem and b) a Video Analytics subsystem. The
Video Analytics subsystem is composed by several
PTZ cameras with fixed position and reconfigurable
pan, tilt and zoom parameters. The Audio-Analytics
subsystem consists of two parallel processing lines,
corresponding to the left and right audio arrays. Each
array is composed by eight microphones properly
spaced to detect and localize specific audio sources (i.e.
sources with specific frequency components). The first
processing step is the Time Difference of Arrival
(TDOA) estimation, based on the measurement of the
time difference between the signals received by
different microphones. Multichannel Cross-Correlation
Coefficient (MCCC) method [4] is used to calculate the
TDOA. Two dimensional coordinates of the source can
be estimated combining the Directions of Arrival
(DOA) at the left and right arrays. If more than one
source is identified, a beamformer and a spectral
distance comparison provide a guide to solve the
problem of associating the DOAs of the left array with
those of the right array. Once the audio-sources have
been localized, they can be tracked and recognized.
Video sequences are acquired from each camera and
processed in order to extract relevant video features.
The feature extraction phase typically involves the use
of change detection, object classification and tracking
techniques in order to collect basic information on the
moving objects in the scene [5]. The video features are
used by an high-level event analysis and recognition
engine. Audio and video information are exploited by a
re-configuration module that computes the optimal
FoV for each PTZ camera in the network. The audio-
based reconfiguration relies on audio sources
localization computed by the audio subsystem. In this
case the video subsystem is given a specific location in
the monitored environment and one or more cameras
are oriented in order to observe that specific zone. The
optimal coverage reconfiguration approach instead
aims to reconfigure the sensors to maximize the
coverage of the monitored area. The optimal coverage
is computed on the basis of maps denoting which zones
are most used by moving objects and thus possibly
relevant for surveillance purposes. Finally, audio and
video data can be fused to improve the performance of
the two subsystems allowing a better PTZ-coverage
and improving the localization accuracy of the audio
subsystem.
3 Video sensor reconfiguration
As mentioned before, video sensor reconfiguration is
based on relevance maps. A relevance map is a map of
the monitored environment highlighting the zones that
are more relevant for surveillance purposes, and thus
requiring higher priority in terms of camera coverage.
The way relevance maps are defined is heavily
dependent on the practical application context of the
system. Typical relevance maps could be created using
visual information from wide-fov or omnidirectional
cameras, allowing to roughly identity the zones with
highest activity (i.e. presence of moving objects). In
this work we use maps built using audio microphones
mapping the presence of sound sources. Independently
from their definition, the relevance maps will look as a
matrix to be overlapped to the environment map, where
higher values denote higher relevance, as shown in
Figure 2.

Figure 2 A relevance map computed by
subsampling trajectories of audio sources.
Colours from blue to red denote increasing
number of detections of audio sources.

Given a relevance map, the proposed method considers
the cone of view of each video sensor and its
intersection with the ground plane, which is a conic
section (and specifically an ellipse if the camera is not
looking above the horizon). Solving for optimal camera
coverage thus means to find a set of ellipses that
encloses the most relevant zones. This could be
achieved by a popular data-fitting technique, the
Gaussian-mixture-based Expectation-Maximization
(EM) algorithm where ellipses can be interpreted as
support regions for a given quantile for each Gaussian
10 20 30 40 50 60
5
10
15
20
25
30
35
40
45
609
model. However, not all the ellipses found by EM can
be interpreted as valid solutions for the reconfiguration
problem: Figure 3 intuitively shows that the major axis
of the ellipse must be oriented toward the camera.
Rather than solving a complex constrained EM
problem, we approached the problem by using a simple
geometric consideration. Figure 3 again gives an
intuitive interpretation of the proposed solution: rather
than working with ellipses on the ground plane, we can
consider the surface of a sphere enclosing each camera
and with radius equal to the camera height. As it can be
seen, the intersection of the cone of view with the
sphere has a circular shape, and any circle corresponds
to a valid PTZ configuration of the sensor. Working in
the new reference system of the sphere surface thus
removes the constraints on ellipse orientation, and
standard EM with mixture of isotropic Gaussians can
be applied.

Figure 3 Geometry of a cone of view and its
intersections with the ground plane and a
sphere centred in the camera.

In order to work on the sphere surface, this must be
projected again on a bidimensional plane where EM
can be applied in order to search for the desired set of
circles. The projection of a sphere to a plane is a
problem that has been studied since centuries as it is of
fundamental importance in cartography. One of the
most used projections is the stereographic projection:
= 2 tan( 2 ) cos
= 2 tan( 2 ) sin

where and respectively are the tilt and pan angle of
a specific point (x,y,z) on the ground plane, computed
as:
= arctan

= arctan
( )
+( )

and X, Y, Z are the coordinates of the considered
camera.

Figure 4 Stereographic projections preserve
circular shapes.
Stereographic projections have the fundamental
property of preserving circles (see Figure 4): the circle
on the surface of the sphere, obtained by intersecting
the sphere itself with the camera cone-of-view,
preserves its circular shape also in the new uv-space.
This means that the Expectation-Maximization
algorithm can be applied in the new space, working
only with isotropic Gaussian functions (this is, circles
rather than ellipses), and any possible solution in the
new space will also be a valid solution in terms of
camera network reconfiguration. The problem can be
solved by means of standard EM solving equations,
iteratively interleaving the computation of the
expectation step:
(|) =

()((), )

()((), )

and the maximization step:
=
()(|)()
()(|)
=
()(|)()
2 ()(|)
=
()(|)
()

where () is the relevance for point x, () is the
projection of point x in the new uv-space, and (, ) is
the Gaussian function associated to a camera whose
reconfiguration parameters (pan, tilt and zoom) are
represented by the vector .
4 Experimental results
In order to evaluate the performance of the proposed
system, we tested it both on synthetic and real-world
data. In the first case a synthetic trajectory generator
has been used to create random trajectory sets, each set
has a varying number of clusters of trajectories (from 2
to 6) and each cluster is composed by a random
number of trajectories, between 50 and 150. 50
relevance maps have been built by discretizing the
space of each trajectory set with a 64x48 grid and
counting how many trajectories pass within each cell.
610
The counter is used as a relevance criterion, thus giving
more importance to the areas crossed by many moving
objects. The number and position of the cameras is
randomly generated, from a minimum of 2 to a
maximum of 6 cameras, always placed along the map
borders and at a fixed height. Figure 5(a) shows an
example of the optimal reconfiguration found after 12
iterations for a system with three sensors. Map colors
represent the relevance (blue: low relevance, red: high
relevance, white: no relevance). For each camera, the
observed elliptic region and the direction of
observation are shown. For real-world tests we
considered the scenario of a parking lot. Here, two
colour PTZ cameras are mounted on the roof of a
building facing the parking lot at an height of 12.1
meters, and the observed area is roughly 80x60meters.
The two cameras can span full 360 in pan and 0-120
in tilt direction, and thus can achieve any feasible
solution computed by the system. The minimum and
maximum zoom levels instead imposed a lower and an
upper bound to the computed values of
. The
relevance map shown in Figure 5(b) has been built
using the audio information acquired by the system
described in section 2 over 4 hours. Figure 5(b) also
shows the final configuration computed by the
proposed system.

Figure 5 experimental results (a) with synthetic
data; (b) with real-world data.

In order to give a quantitative measurement of the
system performance, we have defined a coverage
metric, describing the percentage of the environmental
area covered by at least one camera after sensor
reconfiguration, giving more weight to zones with
higher relevance. Formally, coverage is defined as:

=
()
()

Where E is the set of all points falling within at least
one cone of view. The coverage can thus be interpreted
of the ratio of observed relevance versus total
relevance. Using this metric, we evaluated the system
performance both on the synthetic and real-world data
sets, obtaining and average coverage of 97.57%.

References

[1] C. Micheloni, B. Rinner, G.L. Foresti, "Video
Analysis in Pan-Tilt-Zoom Camera Networks,"
Signal Processing Magazine, IEEE, vol.27, no.5,
pp.78-90, Sept. 2010.
[2] C. Piciarelli, C. Micheloni, and G.L. Foresti,
"PTZ camera network reconfiguration", In
ACM/IEEE International Conference on
Distributed Smart Cameras, pages 17, Como,IT,
Aug. 30 - Sep. 2 2009.
[3] D. Salvati, A. Rod, S. Canazza, and G. L.
Foresti. A real-time system for multiple acoustic
sources localization based on isp comparison. In
H. Pomberger, F. Zotter, and A. Sontacchi,
editors, Proc. of the 13th Int. Conference on
Digital Audio Effects - DAFx-10, pages 201-
208,Graz, Austria, September 2010.
[4] Chen, J., Benesty, J., Huang, Y. "Robust time
delay estimation exploiting redundancy among
multiple microphones. IEEE Transactions on
Speech and Audio Processing 11, 549557 2003.
[5] Foresti, G., Micheloni, C., Piciarelli, C.
Detecting moving people in video streams.
Pattern Recognition Letters 26(15), 22322243
2005.
[6] A. Mittal and L. S. Davis. A general method for
sensor planning in multi-sensor systems:
extension to random occlusion. International
Journal of Computing Vision, 76:31-52, 2008.
[7] Special issue on video analytics for surveillance:
Theory and practice. IEEE Signal Processing
Magazine, 27(5), 2010.
611
GPS/EGNOS Based Surveillance and Guidance in an Airport
Environment
Augusto Casaca, INOV/ INESC-ID/ IST, Portugal
Isabel Rebelo, ANA-Aeroportos, Portugal
Gabriel Pestana, INOV/ INESC-ID/ IST, Portugal
Abstract
The implementation of the Advanced Surface Movement Guidance and Control System (A-SMGCS) defined
by Eurocontrol requires the use of a precise localization system installed in airport vehicles. The paper
presents a system architecture based on the localization of vehicles through GPS/EGNOS, which is capable
of implementing the functions of the first levels of A-SMGCS. The practical aspects of the implementation
will be emphasized based on the experience of initial deployment in two Portuguese airports. It includes also
the analysis and discussion of the applications developed for the airport stakeholders as well as of the
graphical-user interfaces available at the central system and on-board units.

1 Introduction
Nowadays, technological advances in wireless
communication together with the progress in
Global Navigation Satellite Systems (GNSS) and
in Real Time Locating Systems allow small
electronic receivers to calculate the precise time
and determine their location within a few meters.
As such, a resource equipped with such devices
can transmit its position in addition to other
business data, which can be used as valuable
inputs to a decision making process.
In fact, the transmission of location-based data
enables, for instance, the identification of a
vehicle, of its speed and of its driver, and can
correlate the data with the status of a geo-fence. A
geo-fence represents a virtual perimeter for a real-
world geographic area, setting the boundaries of
that area. When a location-based service detects
that a location-aware device crosses a restricted
access geo-fence, an alert notification is triggered.
One area of prime interest for this type of services
is airports.
During periods of low visibility, such location-
based services would enable airport stakeholders
to obtain valuable information about on-going
surface movements without having to exclusively
rely on radar data and radio communications to
identify conflicts. An evidence of such a difficulty
to manage airport operations, especially under
low visibility conditions, is at the apron area
where multiple airport stakeholders have to
cooperate to avoid downgrading operational
efficiency and do not compromise safety
requirements. The current situation of aircraft and
vehicle ground movements in the European
airports has led Eurocontrol to define a strategy
for the implementation of a system to control and
guide aircraft and vehicle movements on
ground[1]. The system is known as the Advanced
Surface Movement Guidance and Control System
(A-SMGCS) and its main objective is to ensure
the safety and efficiency of airport surface traffic
under all circumstances with respect to traffic
density, visibility and complexity of the airport
layout. [1]
To cope with such goals the availability of the
European Geostationary Navigation Overlay
Service (EGNOS) allows determining the
localization of location-aware devices (e.g.,
vehicles equipped with GPS/EGNOS receivers,
known as cooperative vehicles) with integrity and
accuracy metrics to ensure that only valid data is
reported. The use of GPS with EGNOS allows
determining a very accurate localization of the
vehicles in the airside. The localization of these
cooperative vehicles can be reported on real-time
to a central system via a high speed wireless
communication network with bidirectional
capabilities deployed in the airside of the airport.
These vehicle localizations can be taken together
with the localization of non-cooperative vehicles
such as aircrafts on ground, which can be located,
for example, through the Automatic Dependent
612
SurveillanceBroadcast (ADS-B) system, to
support the airport authority at monitoring the
compliance of surface movements against airport
safety requirements and policies.
The rest of the paper provides in section 2 the A-
SMGCS concept, in section 3 an implementation
of the A-SMGCS, in section 4 examples of
applications for the airport stakeholders and in
section 5 the main conclusions.

2 The A-SMGCS concept
Although the A-SMGCS strategy was proposed
about five years ago, only in the most recent years
the technology evolved to a point that is able to
comply with the specification requirements of the
four distinct levels of the A-SMGCS. The A-
SMGCS concept includes surveillance, automated
monitoring and alerting functions, route planning
and automated guidance, with increasing
implementation complexity for all these functions
from level one to level four. It requires the
existence of a precise location system for the
airport vehicles. The existence of EGNOS is a key
factor to enhance the precision of vehicles
positioning provided by the GPS system and also
to give information on the integrity of the location
data.
It is foreseen that A-SMGCS will be implemented
progressively in a phased approach consisting in a
package of services structured according to four
different implementation levels. The main
concerns of levels 1 and 2 rely on the
improvements of safety [2], whereas the ground
movements efficiency is dealt with in levels 3
and 4. The first criteria for implementing A-
SMGCS relates to operational needs. This means
that services like surveillance and control have
priority on route planning, which serves the
efficiency of ground movements. Indeed, the
surveillance service is a pre-requisite for
implementing all the other A-SMGCS services.
The main goals of each package of services are:
Surveillance and Monitoring
functionalities address the requirements
to provide airport stakeholders (e.g.,
controllers, pilots and vehicle drivers)
with situational awareness in the airside
area. Such control functionalities aim to
allow preventing conflicts and collisions
by providing alerts for incursions into
restricted access areas.
The control services within the scope of
Monitoring should first detect the most
critical operational situations and
progressively monitor for other less
severe situations. For instance, such a
service may be first developed to detect
runway and taxiway incursions and later
on to deal with more complex situations,
e.g., detection of a non-authorized
vehicle in a stand area or vehicles
exceeding speed limit. Alerts should be
generated when appropriate with
information about the accuracy and
severity of the reported event.
The route planning service addresses the
planning and assignment of a route to
individual aircraft or vehicle to provide
safe and efficient movement from its
current position to its intended position.
The guidance service assigns continuous,
unambiguous and reliable information to
pilots of aircrafts and drivers of vehicles
to keep their aircrafts or vehicles on
assigned routes intended for their use.
Such approach eliminates the current
need for pilots and vehicle drivers to rely
on visual aids or on the controllers radio
instructions to guide them along
assigned routes on ground.
This solution is appropriate only for cooperative
vehicles. It can be extended to non-cooperative
vehicles if the appropriate systems, e.g., radar and
multi-lateration, are deployed and the data
coming from those systems go through a data
fusion process together with the data originated in
the cooperative vehicles as foreseen in A-SMGCS
strategy. Our solution copes with the requirements
defined for Level 1 (Surveillance) and Level 2
(Monitoring), including the surveillance and
monitoring of non-cooperative vehicles because it
was designed to integrate data collected from
existing airport systems. Hence, it is possible to
integrate data from the Surface Monitoring Radar
(SMR) for non-cooperative mobiles such as
aircrafts and by using the Data-Fusion algorithm
compute those positions with location data from
cooperative vehicles.

3 A-SMGCS implementation
An architecture to implement the A-SMGCS has
been proposed and developed. The research work
was done in some collaborative European
Research projects, such as AAS and LOCON, and
613
also in a Portuguese national project. Further
developments of the solution have been done by
ANA and INOV, which have led to the A-
Guidance system, presently being deployed in
some Portuguese airports [3]. The architecture of
the A-Guidance system is shown in figure 1.

Figure 1: An A-SMGCS implementation

All the airport vehicles have an on-board unit
(OBU), which contains a GPS/EGNOS receiver.
A dialog between the vehicles OBUs and a
control center is established through a Wi-Fi
network covering all the outdoor area of the
airport. The Wi-Fi network is an access network,
which is integrated into the core network of the
airport through a VLAN implementation. The
stakeholder applications are deployed in the
servers located at the control center.
The localization layer is concerned with the
OBUs installed in the vehicles. Besides sending
data to the control centre, this layer also ensures
the communication between OBUs. The
implemented solution includes GPS/EGNOS
receivers to monitor the vehicle positions. The
communication layer guarantees interoperability
with the existing airport systems. The
communication server acts as a gateway, which
validates the messages exchanged with the OBUs.
The application layer is responsible for the
processing of the received data and for its analysis
within the context in which they are inserted. It
contains a structured data base and functionalities
for automatic monitoring of movements. This
continuous recording of movements allows
creating indicators for management and safety
risk. These indicators are then graphically
presented to the stakeholders through dashboard
type interfaces. There are dedicated terminals to
Air Traffic Controllers (ATC) and Airport
Operation Operators (AOO).
The tests at the airports were split into two cycles.
The first cycle included a pre-test of the system
(hard- and software) followed by the assessment
and lessons learnt. After the improvement of the
system the second cycle involved sessions with
the airport stakeholders to analyse the results of
the tests. On top of these tests, geo-fencing and
access control enhancements were implemented
and tested for the following issues:
614
Real-time connection to existing airport
systems to obtain updated information
about flight data;
Surveillance of safety hazards caused by
drivers, considering a processing time
below one second to determine the
severity level of safety hazards;
Quality of the cartographic maps used to
represent the airport layout.

As a result there are differences in the focus of
validation. On the one hand, it was important to
validate the results of the fusion algorithm in
relation to quality-of-location (QoL) when
computing location-based data from multiple
location-aware devices. And on the other hand,
operational trials intended to prove the
applicability of the solution for ground handling
activities, taking the position accuracy and the
system capabilities to keep tracking the
movement of resources. Alert notifications with
the right context information are triggered
automatically to all intervenient end-users
whenever a safety occurrence is detected.
The need to provide situational awareness in real
time to all airport stakeholders and in particular to
apron personnel, determined the design of the
system as a client-server architecture with two
major interfaces. One, which acts as a control
center with functionalities for the management of
on-going ground operations, adequate for
controllers (e.g., ATC, AOO, Airport Authority
and Ground Handler Managers), and another to be
installed as an Onboard Unit (OBU) with
functionalities for cooperative vehicles, which is
adequate for field workers such as vehicle drivers
operating at the airside area.

4 Applications and Graphical
User Interface
A client application was specifically designed to
respond not only to the package services defined
for Level1 and Level 2 of the A-SMGCS, but also
to provide a Human Machine Interface (HMI)
compliant to the requirements defined by A-
SMGCS. The performance level of this client
application enables end-users to interact, in real-
time, with the airport map features. Figure 2
presents a print screen of the client application
graphical layout. [4]
One of the core components of the HMI is the
MapControl viewer, a component responsible to
manage the airport map layers that characterize
the airport layout. Three main features
characterize the functionalities provided by the
MapControl viewer:
Geo-fenced Areas: marks and identifies
the boundaries of an area to which is
forbidden for a vehicle to enter. Entering
such an area creates an alert within the
system. These infringements are logged
with date, time and vehicle identity (ID)
causing the safety incursion. The Apron
layer constitutes an example of a
restricted access geo-fence where only
authorized vehicles are allowed to
circulate. On the other hand, the
Roadway layer is an example of a geo-
fenced area, in which any vehicle is
allowed to circulate. In this case, the
alarm will be triggered only when the
vehicle leaves the boundary of a
roadway that crosses the Apron.
Dynamic Geo-fenced Areas: defines the
boundary of any operational area that
changes dynamically based on pre-
defined business rules, e.g., at the Apron
a stand area with information about
blocks-on for a valid parked aircraft will
automatically change the status of the
stand area from Open to Close. Any
vehicle entered into an aircraft parking
stand when an aircraft was approaching
to the stand will cause a safety incursion.
Violations create an alert which is
logged with date, time and vehicle ID in
the data base.
Alarms: vehicles with an OBU equipped
with a touch screen display are able to
present to the driver alarms generated
when the vehicle enters into dynamic
geo-fenced areas. These alarms are
recorded in the system data base with
date time, vehicle ID and driver ID (if
known). At the OBU screen display, the
pop-up window with the alarm
notification message will only disappear
when the vehicle moves into a geo-fence
area where it is allowed to stay or
circulate. The end-users at the Control
Centre will visualize the occurrence as a
new message in the Alert Viewer.
The MapControl viewer is a sophisticated
graphical component that uses the vector model to
represent geographic data. The vector model is
particularly adjusted to represent the airport
layout as a set of thematic layers and to represent
positional data of moving objects as a sequence of
point features. The primary focus of the thematic
layers is to represent map features with well-
615
defined boundaries, i.e., geo-fences, such as
roads, taxiways, aircraft parking areas, etc. Each
of these map features is self-contained, with
properties such as color, shape, orientation, speed,
size, and position on the screen.
A thematic layer is therefore a graphical map
representation of a specific area, showing the
spatial distribution of a particular geo-fence or
phenomenon that can be categorized and
symbolized using one of three basic data types:
points (e.g., moving objects), line symbols (e.g.,
taxi guidance lines) and area (e.g., stands). Such
performing requisites provide end-users with a
good experience in using the advanced data
navigation capabilities.

Figure 2: The HMI map layout used within the scope of the system.
In Figure 2, stands with a parked aircraft (i.e.,
Blocks-On) are painted in green, meaning that
vehicles are allowed to enter into the geo-fence
stand area without triggering a safety incursion
alert message. Stands with an assigned flight are
painted in red, meaning that no vehicle is allowed
to enter the geo-fence. From an operational point
of view such information causes the status of the
stand area to change from Open to Closed.
Vehicles movements into a closed stand area will
trigger any alert message only if the logged driver
has no assigned task to assist the parked aircraft.
The HMI was fully integrated into the system,
enabling a seamless integration with existing
airport systems.
Since airport activities are mostly related to flight
information and because changes derived from
flights delays/cancelations are quite common,
within the scope of the field tests performed, the
external airport system used for demonstration
was the flight information system. The goal of
such integration is to receive, in real time,
operational data related to estimated and actual
times for arrivals and departures, and resources
allocations such as ground handling tasks, check-
in counters, gates, aircraft stands and baggage
chutes (baggage handling system end point).
These data are relevant not only for the end-users
but are also relevant input parameters for the
surveillance and control algorithms.
By providing the possibility for airport
stakeholders to visualize the impact of changes
caused by flight delays, the system helps at the
management of resources enabling airport
stakeholders to rethink the planning on-the-fly.

616
5 Conclusions
The precision achieved across the entire
movement area surprised positively the airport
stakeholders; position accuracy was accomplished
at approaching/crossing taxi ways and even at
painted borderlines at the aircraft stands or
taxiway/runway limits. Such accuracy was also
accomplished at close proximity to the runway
protection area. The OBU showed the driver his
exact location on the airport surface and the
implemented geo-fencing function triggered
corresponding warning messages in case of
infringement of forbidden areas or excessive
speed. The precision of the position information
was extremely high (mostly below one meter).
All presented functions worked well when tested
by the different airport stakeholders in different
time periods and working operations. There was a
generalised agreement that the implemented
OBUs are of good industrial design. The system
proved to be appropriate to work in heavy and
stressing environments as in the case of apron
services to assist parked aircrafts and where apron
workers are under pressure to cope with airlines
goals to minimise flight delays at rush hours.
Another important feature to the successful
experimental deployment of the system, was its
ability to seamless integrate with existing airport
systems, i.e. the connection of the system with the
airport environment (e.g., flight data), providing
the proper means for an implementation of A-
SMGC Levels 1 and 2.

Acknowledgement

The authors acknowledge the collaboration of
their colleagues in the AAS and LOCON projects
and also on the A-Guidance development. The
opinions expressed in this paper are the sole
responsibility of the authors.

References

[1] Eurocontrol, Advanced Surface Movement
Guidance & Control System (A-SMGCS) -
2002-2006.
[2] Eurocontrol, Operational Concept and
Requirements for ASMGCS Implementation
Level 2, Ed. 2.1, 2010.
[3] A.Casaca, G.Pestana, I.Oliveira, T.Silva, A
Platform to Increase the Safety of Ground
Movements in the Airside Area of Airports,
chapter 1 of book Airports: Performance,
Risks, and Problems, editors: P. B. Larauge
and M. E. Castille, pp. 1-31, ISBN: 978-1-
60692-393-1, Nova Science Publishers, Inc.
New York, Setembro 2009.
[4] G. Pestana, N. Duarte, P. Catelas, J. Metter,
Technical Deliverable: LocON Client GUI
Specifications, available at
http://www.locon.org, October 2010.
617
Realtime Event Detection and Prediction on Position Data
Streams
Stephan Otto, Fraunhofer Institute for Integrated Circuits IIS, Germany
Abstract
With increasing availability of localization technologies such as Radio Freuency Identification !RFI"# or Real$
time %ocating Systems !R&%S# comes the possibility of using that data to analyze, to improve and to automate
security and surveillance tas's( &his is of special interest in cro)ded places li'e soccer stadiums, airports, train
stations and many more( *y performing real$time analysis on tra+ectory data, )e are able to detect the occur$
rence of special patterns as so called events( Such automated detection of events and behaviour of people and
goods leads to significantly faster reactions on possibly hazardous situations( &his paper provides an introduc$
tion to event processing on real$time tra+ectory data from position data streams( We sho) that our approach is re$
liable and efficient for real$time event detection in sports and sho) a perspective for event detection and predic$
tion for surveillance systems on cro)ded places li'e airports, )here )e usually already have security staff ob$
serving people for potentially dangerous situations(
1 Introduction
,o)adays, )e have the ability to identify and trac'
people and goods in most environments( -ence, )e
can gain 'no)ledge about their current location, their
locations in the past and other conte.t information
very accurately but )e cannot estimate or model the
behaviour for the future meaningfully( /t this level, it
is not important to estimate tra+ectories of persons but
rather to estimate the aims and targets of individual
ob+ects( For e.ample, it is not of interest to )hich co$
ordinate an ob+ect moves )ithin the ne.t second but
rather to )hich point of interest the ob+ect aims for(
*y combining real$time position data from Realtime
%ocating Systems !R&%S# )ith Comple. 0vent 1ro$
cessing !C01# )e can interpret the position data and
get a set of plausible an reasonable events( Such C01
systems usually build on middle)ares, service$ori$
ented architectures !SO/# or other event$driven archi$
tectures !0"/# to perform event detection( %uc'ham
et al( 234 give a comprehensive introduction to models
and techniues for C01( -ence, )e are able to recog$
nize certain events, )hich )e can define by ma'ing
assumptions or descriptions about( &his description or
definition of an event does not necessarily mean to be
source code )ritten in a programming language5 there
e.ist a lot of systems and methods so that events can
be described in a loose manner by +ust describing a
situation !see for e.ample S/S0 264 or 0vent Calcu$
lus 274#(
Figure 7 illustrates a scenario )ith a distributed event
recognition system( 8any people are euipped )ith
tags and can therefore be trac'ed precisely( 9arious
computing machinery produces positions and events,
)hich both are processed )ithin the distributed archi$
tecture( Security guards !indicated at the top of the
picture# simply get the results of the stream pro$
cessing, )hich could be for e.ample too many people
standing in front of the emergency e.it, obstructing it(
Figure 1 Distributed Complex Event Processing
In the end, this can support, for e.ample, security
guards in a )ay that the system could alert the guards
on certain irregularities, e(g( those certain persons go$
ing unusual )ays( &he guards can then loo' on the
situation more specifically and decide on a false
alarm or to react on the alarm( Such techniues could
be applied in a )ide number of scenarios, e(g( people
surveillance on cro)ded places or even for evacuation
scenarios !e(g( soccer stadiums or public events#(
,evertheless, locating big areas and recognizing and
predicting events does have certain reuirements( &he
reuirements are annotated as follo)s(
Localization( We need information about the position
of persons and goods( &here already e.ist commercial
618
solutions, )ith )hich it is possible to cover huge area
and places by scalable RFI" solutions( For e.ample
on several airports, luggage is already euipped )ith
RFI" transmitters( *oarding cards could also be
euipped so that passengers can also be trac'ed and
identified on area of the airport(
Semantic Inormation and Events( 1osition data
need to be processed together )ith a priori informa$
tion of the trac'ed environment( For e.ample, on
cro)ded places, there e.ist many areas of interest li'e
shops, tic'et stations, cash$points, restaurants and so
on( 1osition data needs to be processed so that it be$
comes more meaningful: if a persons moves from po$
sition !.7, y7# to !.;, y;#, this is of less interest !but of
course more precisely# than if he goes from the
chec'$in directly to the duty free shop( Information
that is e.tracted in a )ay li'e this, can be emitted in
form of events(
If )e can achieve these reuirements, )e can e.tract
patterns out of the data in order to detect hazardous or
dangerous situations in the future by learning from
current hazardous situations(
&he remainder of this paper is structured as follo)s(
Section ; revie)s related )or' and gives an overvie)
of possibilities and dra)bac's of currently published
research( Section 6 briefly introduces event detection
mechanisms based of finite state automata !FS/# and
points out advantages of that method )e already use
to perform event detection in sports( Section < out$
lines ho) such automata can be built out of event data
streams automatically( Finally, section = concludes the
paper and gives some prospectives for future )or' on
that topic(
! Related "or#
Related )or' in the field of event detection on local$
ization data has been done in collaboration )ith
video$based systems( -o)ever, video$based systems
suffer from identification and occlusion problems,
)hereas )e have precise location data in R&%S based
systems( &herefore, event detection can be performed
much more precisely(
/rti'is et al( 274 provide a system called 0vent Calcu$
lus for behaviour recognition( &he system aims to re$
cognize human behaviours out of surveillance videos
by differencing bet)een short$term !e(g( )al'ing,
running# and long$term !e(g( fighting# behaviour( &he
system )or's )ith logical rules for simple actions in
order to detect events( -o)ever, even the authors
themselves state, that performance is still an open is$
sue )hich prevents real$time application of the sys$
tem( /nother issue )ould be the missing ability to e.$
press behaviour out of position stream data > this
)ould be a tas' for higher level processing of data(
*renna et al( 2?4 present a system called Cayuga( &he
system ta'es an event definition formulated as an
S@% li'e uery, defining filters, publications and sub$
scriptions( Cayuga then builds a finite state automaton
out of that description and processes incoming events
)ith it( 0vents are prioritized by a ueue at the input
of the processing engine and sorts events by detection
times( Anfortunately, the authors do not mention ho)
they sort events )ithin that ueue, given the problem
that they do not 'no) if there )ill arrive another,
older event pac'et at that node( Indeed, the system fo$
cuses on runtime interpretation of event definitions so
that they do not need to compile events detectors prior
to any recognition( In our )or', )e do not focus on
that(
Related )or' in the area of event pattern learning has
only slightly been done( /rti'is et al( 2;4 provide a
good overvie) of e.isting methods for model repres$
entation, reasoning and machine learning for event re$
cognition( -o)ever, most of the presented methods
e.clusively deal )ith methods that are reuiring large
datasets, that cannot evolve over time or that are not
suitable for significant event items( /dditionally,
moste of the presented techniues can not cope )ith
volatile data from data streams(
%a.man et al( 2<, =4 provide several )or's about
event episodes in event streams( ,evertheless, finding
event patterns by ignoring noise !i(e( unimportant
events that are not of interest but are received very
freuently# is also not regarded here(
Finding event patterns by e.tracting those events
)hich finally lead to the target event is still an open
research topic(
$% Event Detection on Position
Data
When )e perform event detection on position
streams, )e have to process a massive amount of data
in short time( -ence, )e need to care about pro$
cessing time and algorithm comple.ity( &his can be
achieved by processing the stream in a hierarchical
)ay: lo)$level processing on ra) position data and
higher$level processing on event data( &he lo)$level
processing performs event detection on ra) position
streams, )hich is usually the tas' that )e have to
spend more calculation time on( If )e )ant to main$
tain a minimal delay for the event detection, )e have
to process every ne) position pac'et from any tag im$
mediately in order to detect e(g( area events !ob+ect o'
moves to location l'#( If )e process position streams
in such a )ay, )e do not need to care about position
related processing any more, because )e can assume
that events are detected and )e can use these events
as triggers for higher$level event detectors( 0vents
619
also can carry multiple information li'e timestamps or
transmitter information !i(e( the position of the ob+ect
)hen entering a specific region or area#( -igh$level
events are then generated by a )ell$defined set of
rules li'e Bevent / follo)ed by event * and then C
generates some other event "C( Conseuently, events
are aggregated to form a more abstract vie) on the
situation by discarding unneeded information(
Figure ! A deterministic inite state automaton
Figure ; sho)s a finite state automaton, embedded in
the event recognition system, recognizing an event
pattern for /*C if not " occurs in the stream mean$
)hile( With the help of such automata, event recogni$
tion can be performed efficiently(
/t the Fraunhofer IIS, )e implemented a distributed
event processing engine )hich is able to gro) pro$
cessing band)idth linearly )ith the number of pro$
cessing nodes( 1rocessing nodes may be laptops, serv$
ers or even sensor nodes, )hich simply have to be
connected to a shared net)or'( 0vents can be pub$
lished on specific multicast groups( 0vent detectors
simple +oin this multicast group and can receive sub$
scribed events by holding net)or' band)idth at a
minimum at the same time( 0vent detectors can move
to other nodes at runtime if the system load is not bal$
anced( 0vent arrival times and ueuing is managed
dynamically at runtime by evaluating timestamps and
measuring system loads(
With such a distributed environment, )e are able to
perform real$time event processing on heavily parallel
and +ittered position data streams by maintaining a
minimum delay at any time(
Such event detection algorithms have sho)n to be ef$
ficient in application of real$time soccer analysis( &he
Fraunhofer IIS has installed a localization system in
the soccer stadium in ,uremberg called RedFIR,
trac'ing players and balls )ith up to ;DDD positions
per second )ith a precision of a couple centimetres(
On that data, )e perform event$detection in order to
display live events during the game( Such events are
passes, crosses, goals, corners etc( Figure 6 sho)s the
hierarchical event layers that finally lead to the
double$pass event( &he lo)er layers are directly
)or'ing on the position stream, )hich are /ccelera$
tion Recognition !for ball hits#, /ctive *all !several
balls are trac'ed concurrently, )e only )ant to con$
sider the one that is on the field# and -eight 1ea' "e$
tection !in order to say the ma.imum height of the
ball )ithin a pass#( &he ne.t layer is an interlayer
bet)een position$based events !1*0# and event$based
events !0*0# called position$ and event$based events
!10*0#( /ny event detector running in an upper layer
from no) on only listens to specific event streams
rather than to the position stream, )hich decreases the
system load massively(
&% Automatic FSA 'eneration
/t this point, letEs assume that any event !or decision#
may eventually be describable by an automaton as
sho)n in the previous chapter( &he ultimate goal
)ould be, to automatically retrieve such an automaton
by listening to the event stream and the decisions of a
human observer !li'e a security guard )ho signals de$
cisions based on )hat he sa) to the system#(
/ssume, that )e have given !or that )e have the pos$
sibility to listen# to the complete event stream( &his
event stream consists of particular event tuples of the
form F0i, t+G, i(e( an event of type i !maybe )ith addi$
tional information attached to it# at time +, the time of
occurrence of the event( -uman observers also Bper$
ceiveC such a stream by visual contact and sounds
either in their surrounding or on the screen of some
video camera !or he +ust has an overvie) over the
complete observable region#( What they get, is a tre$
mendous flood of information from )hat they have to
e.tract crucial features and ma'e decisions( &he event
system is also confronted )ith such a flood )hich
may on the one side be not as accurate as the reality
!because pattern recognition does not )or' at 7DD
percent, and )e )ill miss some events#, but on the
other side, the event systems gets all the available in$
formation !)hereas humans only get )hat they actu$
ally see#( When people !e(g( security guards# ma'e
decisions, they do that because of certain events that
are embedded )ithin that flood of information !and
perhaps some 'no)ledge or e.perience they gained
Figure $ (ierarc)ical event order in RedFIR
Player Hits
Ball
Ball Height
Peak Detection
PBE
EBE
Pass / Direct Pass Control of the Ball
Double Pass
Begin & End of
Possession
Is-Near
recognition
PEBE
Height Peak
Detection
Actie Ball
Acceleration
recognition
620
from )hat they do every day#( 1robably, they even
'no) ho) to react on a given situation( For e.ample,
assume )e have a problem setting li'e depicted in
Figure <( We have given a cro)ded place li'e an air$
port or some public event( We have some security
policy satisfied by police, vigilantes and operators(
&his personnel observes the situations from different
points, e(g( by cameras, from )ithin the cro)d or
even from some)here farther( If )e see several
people !e(g( hundreds# coming from different direc$
tions, )e )ill pay attention if they may clog trans$
itions at some point )here different paths flo) togeth$
er, because the possibility is relatively high that this
may eventually happen !if the people move on li'e
they do at this point#(
Such situations !or better: defined order of specific
events# can be automatically learned by a recognition
system, if the human observer tells the system that
some problem !or event# has occurred( &he system
)ill get several e.amples and listens to a BbasicC
event stream from )hich it can deduce the circum$
stances that lead to this final state( For the future, the
system then can proactively support the observers by
calling their attention )hen such a situation is li'ely
to happen again(
*% Conclusion
In this paper, )e sho)ed ho) )e can detect patterns
out of massively distributed position data streams in
parallel so that )e can achieve real$time event recog$
nition( When )e have event recognition on localized
areas, )e can assist human observers at their daily
)or' by letting them cooperate )ith an event ob$
serving system )hich is able to learn ne) event pat$
terns( &his finally allo)s the system to signal such
events !)hich have not been predefined in the first
place# in the future to the observers( With time, the
system is li'ely to improve its classification on situ$
ations( &he system provides output to the user in short
time so that he can react uic'ly( Future )or' could
be to incorporate feedbac' strategies in the learning
process by letting the system as' the human to ans)er
if specific event seuences are special or dangerous(
With this, the system might find very specific beha$
viour patterns even faster )ith even less training data
instances(
Reerences
274 /le.ander /rti'is and Georgios 1aliouras(
*ehaviour Recognition Asing the 0vent
Calculus( In /I/IHDI, pages <3I><?J, ;DDI(
2;4 /le.ander /rti'is, Georgios 1aliouras, Francois
1ortet, and /nastasios S'arlatidis( %ogic$based
representation, reasoning and machine learning
for event recognition( In International
Conference on "istributed 0vent$*ased Systems
!"0*S#( /C8, Kuly ;D7D(
264 "aniel Gyllstrom, 0ugene Wu, -ee +in Chae,
Lanlei "iao, 1atric' Stahlberg, and Gordon
/nderson( Sase: Comple. event processing over
streams( In In 1roceedings of the &hird *iennial
Conference on Innovative "ata Systems
Research, ;DD?(
2<4 S( %a.man, 1(S( Sastry, and M(1( Anni'rishnan(
"iscovering freuent generalized episodes )hen
events persist for different durations( Mno)ledge
and "ata 0ngineering, I000 &ransactions on,
7I!I#:77JJ >7;D7, ;DD?(
2=4 Srivatsan %a.man, 9i'ram &an'asali, and Ryen
W( White( Stream prediction using a generative
model based on freuent episodes in event
seuences( In 1roceeding of the 7<th /C8
SIGM"" international conference on
Mno)ledge discovery and data mining, M""
HDJ, pages <=6><37, ,e) Lor', ,L, AS/, ;DDJ(
/C8(
234 "avid C( %uc'ham( &he 1o)er of 0vents: /n
Introduction to Comple. 0vent 1rocessing in
"istributed 0nterprise Systems( /ddison$Wesley
%ongman 1ublishing Co(, Inc(, *oston, 8/,
AS/, ;DD7(
2?4 %ars *renna, /lan "emers, Kohannes Gehr'e,
8ingsheng -ong, Koal Ossher, *is)anath
1anda, 8ire' Riede)ald, 8ohit &hatte and
Wal'er White( Cayuga: / -igh$1erformance
0vent 1rocessing 0ngine( In 1roceedings of the
;DD? /C8 Sigmod international conference on
8anagement of "ata, pages 77DD > 77D;, ,e)
Lor', ,L, AS/, ;DD?(
Figure & People surveillance events example
621
Security systems with seamless authentication based on smart
phones and surveillance cameras

Martin Klepal, Cork Institute of Technology, Ireland
Christian Beder, Cork Institute of Technology, Ireland
Abstract
A Security system is an essential part of any large infrastructure. It usually comprises of two main parts, an access
control system for managing the access to areas and resources within the organisation and a camera surveillance
system monitoring unauthorised movement. Both systems are often totally independent despite obvious perfor-
mance and cost benefits when integrated at the physical level as well as at the logical level. However, before be-
ing able to integrate both systems and leverage their complementarities for the access control, a new type of cre-
dential has to be introduced, the users physical position. The users physical position and his/her past trajectory
can support the seamless authentication. This paper claims that the high proliferation of smart phones, Wi-Fi
networks and camera surveillance systems in corporate environments allows the introduction of mobile access
credentials, which brings the users continuous position into the security system as an essential part of the deci-
sion process of unobtrusive seamless access authorisation. This will increase the users working comfort and de-
liver a higher level of security and system accountability. The paper describes the essential system components
which enable this seamless authentication from the smart phone and surveillance camera based localisation sub-
systems to the architecture for seamless data fusion prosed to work in the cloud in order to achieve high levels of
system scalability.

1 Introduction
A Security system is an essential part of any large in-
frastructure. It usually comprises of two main parts, an
access control system and a camera surveillance sys-
tem. The access control system provides the infra-
structure that enables an organisation to manage ac-
cess to areas and resources within the organisation.
For large infrastructures the access control system typ-
ically includes fixed security devices wired or wire-
lessly connected to the central security system and
mobile credentials carried by users to access the areas
(e.g. buildings, offices, manufacturing sites) and re-
sources (e.g. network, data sources). The camera sur-
veillance system monitors the security areas and de-
tects unauthorised movement in those areas.
In any larger organisation many groups of users and
stakeholders exist and have to share the security sys-
tems and collaborate on the access control policy def-
inition. With the increasing size and complexity of the
premises possibly thousands of devices and users with
various types of credentials exist and are often re-
quired to carry mobile authentication credentials rang-
ing from ordinary keys to RFID cards and fobs. To
mitigate the problem with the lost and stolen single-
factor credentials, two-factor authentication by RFID
card with PIN have been gradually enforced. Howev-
er, it often results in the requirement to carry multiple
credentials with associated PINs and cumbersome and
lengthy authentication procedures every time a user
needs to access other security areas or resources.
Currently, access control and surveillance systems are
often totally independent despite obvious performance
and cost benefits when integrated at the physical level
(common H/W and S/W infrastructure) as well as at
the logical level (data fusion and business operation).
However, before being able to leverage both systems
complementarities, mobile access credentials have to
become a part of a seamless localisation and tracking
system to be remotely tracked throughout the premise
and the camera surveillance system must be extended
by the target identification and tracking capability.
This integration enables the seamless authentication,
where users provide authentication credentials only at
the entrance to the promise and then their movement
trajectories as obtained by the integrated tracking and
surveillance system are used for subsequent authenti-
cation. For this continuous users trajectories are con-
sidered in the follow up automatic seamless authenti-
cation as users require an access to other security are-
as and resources without being forced to enter the
credentials again increasing working comfort and
bringing a higher level of security and system ac-
countability.
As the organisations are organically growing the ex-
pansion and adaptation of security systems infrastruc-
622
ture is often patchy and lacks an adequate formal de-
sign methodology, which makes the expansion of se-
curity systems expensive and prone to possible securi-
ty flaws in the systems. The software tools for inte-
grated security system deployment design,
commissioning and policy access definition is there-
fore a critical part towards a security system of the fu-
ture.
This paper will present the challenges and advances
made in the area of seamless authentication achieved
at the Nimbus Centre for Embedded Systems, Cork,
Ireland, in collaboration with various industry and ac-
ademic partners. The paper will cover research on the
enablers which effectively tackle above problems in-
cluding the ubiquitous smart phone based tracking
systems, localisation and video data fusion, underlying
embedded middleware and software tools for design-
ing the security systems infrastructure.
The rest of the paper will deal with the system scala-
ble architecture suitable for computation in the cloud
(Chapter 2). Then the localisation sub-systems based
on the smartphone and surveillance camera network
are briefly described in Chapters 3 and 4, respectively,
with the references to the detailed implementations.
Finally the paper summarises advances made in the
field of fusion of both complementary localisation
subsystems and its impact on the data fusion middle-
ware implementation in the chapters 5 and 6, respec-
tively.
2 System Architecture
The system architecture (Figure 1) uses the service-
oriented approach to cope with increasing demands on
reusability across various environments and platforms
and to scale up to serve a large number of various sit-
uation-aware security applications.
Figure 1 System Architecture
The architecture can be split into three logical parts,
the Sub-systems being any sensor and actuator towards
the real world, the Data Fusion Middleware pro-
cessing the sub-system sensory data and providing a
transparent service API towards multiple Situation
Aware Security Applications. The next description fo-
cuses on the middleware and subsystem part especial-
ly because this is considered the main contribution of
the paper.

Sub-systems:
There are three essential subsystem which have to be
integrated to provide seamless authentication. The
Smart Phone Based Localisation Sub-system, Video
surveillance Sub-system and others security related
systems such as the electronic Door Access System.
Additionally any other sensor being already installed
on site can be integrated and leveraged for improved
system performance such as the widely used Passive
Presence Detectors. More details will be given in the
following chapters.

Data Fusion Middleware:
The Data Fusion Middleware covers all core func-
tionality of the system. It is responsible for the selec-
tion and fusion of suitable location related data as
provided by all connected sub-systems for estimating
the seamless trajectories of all users carrying the mo-
bile credentials/smart phones. In this process it trans-
parently hides all the complexity related to the under-
lining subsystems infrastructure from Situation Aware
Security Applications.
Apart from the seamless and near real time estimation
of users location, the critical requirement on the ar-
chitecture is its ability to scale with the number of us-
ers, avoiding any potential processing bottleneck.
Therefore, the proposed architecture utilise the recent
advancement in cloud computing where individual
components are fully decoupled communicating
through a universal cloud messaging service imple-
mented using RabbitMQ [1]. The system is thus able
to replicate its functional components especially its
fusion engines across the corporate cloud without in-
troducing any latency.
All data as proved by the subsystem as well as the
output seamless authentication is logged for the pur-
pose of subsequent Data Mining and security event
analysis as potentially requested by the Context Aware
Security Applications.

Situation Aware Security Application
There may be multiple security applications for differ-
ent stakeholders sharing the same physical space or
building. The Service API and the middleware have to
provide a good data isolation to ensure high levels of
privacy.

Context
Data
Processing
Subsystem Interface
Dispatcher
Data
Logger

Location Fusion
Engine Manager
Fusion
Engines
Fusion
Engines
Fusion
Engines
Fusion
Engines

Image Fusion
Engine Manager

Fusion
Engines
Fusion
Engines
Fusion
Engines
Fusion
Engines
Context, Location and Image Data Fusion

Configuration
Platform
Manager
Cloud
Massaging
& Scaling
Subsystem
Manager
Data Mining Event Broker

Service API

Meta data
Extraction
Video Surveillance
Sub-systems
Video
Compression

Meta Data
Extraction
Smart Phone Based
Localisation Sub-system
Users Authen-
tication key
Passive IR
Detectors
Other Security Context Data
Sub-systems
Door Access
System
D
a
t
a

F
u
s
i
o
n

M
i
d
d
l
e
w
a
r
e

A
p
p
l
i
c
a
t
i
o
n
s
S
u
b
-
s
y
s
t
e
m
s

623
3 Smart Phone based indoor lo-
cation system
The localisation system is a phone-centric approach
which utilises all location related information and ex-
isting signals readily available in any information rich
device. In contrast to most other indoor localisation
systems, it does not require a fixed dedicated infra-
structure to be installed in the environment making it a
truly ubiquitous localisation service.
The readily available information depending on the
phone capability is typically a subset or all of the fol-
lowing: GSM/UMTS signal strength, Wi-Fi signal
strength, GPS, reading from embedded accelerome-
ters, compass and Bluetooth proximity information.
The reliability and availability of input information
depends strongly on the actual character of the mobile
clients physical environment. When the client is out-
doors GPS with GSM/UMTS is a favourable choice
typically combined with pedometry data derived from
the 3D acceleration and compass measurements.
When the client is in an indoor environment the Wi-Fi
signal strength combined with pedometry data per-
form best. If indoor floor plan layouts are available a
map filtering algorithm [5m] can further contribute to
the location estimation reliability.
The fusion engine runs a nonlinear recursive Bayesian
filter to seamlessly combine all incoming location in-
formation. A discrete Bayesian filter is implemented
using the Sequential Monte Carlo Method known as
Particle Filter [5]. A particle filter is based on a set of
random samples with weights to represent the proba-
bility density of the mobile clients location.
Within the Particle Filter the location related meas-
urements are translated into likelihood observation
functions, which differ for each localisation method
and technology considered. Implemented localisation
methods and technologies include the following:
Wi-Fi is a well-established technology nowadays
and the our smart phone based localisation system
benefits from the omnipresence of Wi-Fi networks
and the advanced RSSI based fusion methods pre-
sented in [4-6]. Depending on the availability of
signal strength fingerprints and the level of detail
of the environment description, either of the fol-
lowing localisation methods are used: fingerprint-
ing (and its variants) described in [5-6], multi-
lateration, or simple proximity
Outdoor GPS and 3G network based localisation is
provided as inherent capability by the majority of
smart phones already and there is no need to dis-
cuss it in any more detail.
The sensory information complementing the pre-
vious technologies are pedometry data estimated
from acceleration and compass measurement. Pe-
dometry data contributes to the seamless transition
between outdoor and indoor localisation. Pedome-
try data consists of number of detected steps and
their length and direction [2-3].
The availability of Bluetooth signal can also be
used to detect the proximity of other Bluetooth en-
abled devices. If such a relation is detected, our
smartphone based system can incorporate this
knowledge in its location estimation process.
4 Surveillance camera based lo-
cation system
One of the major drawbacks of all tag-based localisa-
tion systems, like the smartphone based solution pre-
sented in the previous chapter, is the fact that those
tags need to be carried at all times. Basically not the
people moving in the space are tracked by those sys-
tems but only the devices carried by them. This might
pose a problem especially in the context of security
applications.
For this reason large camera installations are very
popular in the surveillance domain and part of nearly
all large infrastructures. However, apart from very
limited applications for instance in the domain of car
number plate recognition [7] fully automated data
analysis, especially for the task of people tracking, is
not widely used, yet. The reason for this is the fact
that the identification problem, i.e. knowing exactly
who or what is in front of the camera, is still largely
unsolved for generic applications. But because this
particular part of the problem is solved very easily by
the tag-based systems, fusion of both systems is a very
promising approach to overcome the disadvantages of
each of the systems and benefitting from their mutual
advantages.
Because we intend to fuse the information from the
tag-based system and the camera based system we do
not focus on the identification part of the problem but
use the camera network basically for the task of occu-
pancy detection only. Combined with the smartphone
localisation system, which readily provides the identi-
fication information, the cameras help to increase the
localisation accuracy as well as provide a means for
triggering alarms if an unidentified object is detected
within the building. The latter ability will increase the
degree of automation by not requiring any interven-
tion in case of joint detection by the tag-based and the
camera-based system while at the same time allowing
to detect untagged people moving around the envi-
ronment and thereby providing an increased level of
security compared to solely tag-based systems.
Camera based occupancy detection as we understand
it is a two-stage process: first the foreground objects
are extracted from the images [8] and then the camera
calibration and orientation is used to extrude the ex-
tracted silhouette of the foreground object into 3d
space providing an occupancy hypothesis for the sub-
sequent information fusion. In this paper we are not
going to elaborate on the details of either of those to
tasks, but note that for the task of foreground back-
ground discrimination illumination changes posed a
624
major challenge to us [9] and that camera calibration
and uncertainty propagation [10] is used to forward
project the extracted image foreground object into 3d
space allowing for the geometry based statistical rea-
soning and data fusion outlined later on.
In order to avoid unnecessary heavy network load re-
sulting from the image transmission our embedded
smart cameras perform this processing themselves
and transmit only the spatial occupancy data to the
platform. Hence, the platform receives information
from the surveillance camera based system about are-
as in the building that are occupied by something. It is
then up to the information fusion within the platform
to identify this something and trigger actions ac-
cordingly. A compressed video stream is available to
the platform only on demand, so that for instance se-
curity staff is able to have a look at the scene in case
an unidentified occupancy had occurred.
5 Information Fusion
The fusion of the two different sources of information
is crucial for the overall system. This is because the
smartphone based system is well able to identify and
track smartphones but lacks the ability to track any-
thing untagged, while the camera based system is able
to track everything but is unable to identify what it
sees. For this reason the two sub-systems complement
each other very well in terms of the information pro-
vided.
In our system this fusion is performed using a Bayesi-
an geometric reasoning and filtering framework that
allows combining the multiple observations from the
different sub-systems into a single position estimate
for each tracked object. Two problems need to be
solved for this: first the camera derived geometry in-
formation needs to be associated with the currently
tracked objects within the system and second the ob-
servations from the two different sources need to be
combined into a single accurate position estimate.
Because the surveillance camera sub-system is unable
to provide any kind of identification of the object it
sees, the association between the image derived ex-
truded spatial silhouettes and the currently tracked ob-
jects is performed using statistical geometric reason-
ing techniques [10], that allow to identify which tag
corresponds to which tracked image object based sole-
ly on the common spatial occupancy. Once we have
established this correspondence incremental estima-
tion and filtering [11, 12] is used to update the esti-
mated position of the tag obtaining its current location
with the highest achievable accuracy given the availa-
ble input data sources.
For each image derived silhouette that does not corre-
spond to any tag currently tracked within the system
during this process an alarm is triggered requiring
human intervention as this event occurs when some-
body is moving around the building without authorisa-
tion. While the better accuracy obtained through the
information fusion is usually also desirable, especially
the feature of the fusion system being able to detect
untagged objects makes it so useful in security appli-
cations.
5 Conclusion
We have presented an approach for the integration of
an access control system and a surveillance camera
system to leverage their functional complementarities
and introduce seamless authentication for a security
access system. The key aspect is the high proliferation
of smart phones and Wi-Fi networks in corporate en-
vironments allowing the smart phone together with its
seamless localisation to bring the users current posi-
tion as an essential part of credential information into
the security system enabling decision processes of un-
obtrusive seamless access authorisation.
The critical requirement on the system is its ability to
combine all location related information for automatic
tracking of both authorised and unauthorised move-
ment of people even without smart phones/mobile
credentials. That was achieved by the seamless inte-
gration with the surveillance camera system.
Another major requirement is the systems scalability
when it has to be able to cope with any sudden in-
crease of the number of people in the premise without
compromising its reliability and responsiveness. That
was achieved by adopting state of the art programing
patterns and software design approaches known from
cloud computing.
6 Acknowledgement
This work has been supported by Enterprise Ireland
through the grant CF/2010/042 and EU FP7 project
LocON (224148).
Figure 2: Fusion between two images. The silhouettes
of the two views projected onto the ground plane are
shown in red, while the orange circle is the fused posi-
tion. If there is no smartphone detected within this ar-
ea an alarm is triggered.
625

References
[1] www.rabbitmq.com, RabbiMQ - Open source
enterprise messaging
[2] Maarten Weyn and Martin Klepal, OLS Oppor-
tunistic Localization System for Smart Phone
Devices, Ref: Mobile Phones: Technology, Net-
works and User Issues, Nova 2011
[3] Widyawan, G. Pirkl, D. Munaretto, C. Fischer,
Chunlei A., P. Lukowicz, M. Klepal, A. Timm-
Giel, J. Widmer, D. Pesch, H. Gellersen, Virtual
Lifeline: Multimodal Fusion for Robust Naviga-
tion in Unstructured Environments, submitted
to Elsevier Journal on Pervasive and Mobile
Computing, January 2011
[4] M. Klepal et al, OLS Opportunistic localisa-
tion system for smart phones devices, Mobi-
Held, ACM SIGCOMM 2009 Int. Workshop,
Barcelona, Spain, August 2009
[5] Widyawan, Klepal, M., Beauregard, S. 2008. A
Backtracking Particle Filter for Fusing Building
Plans with PDR Displacement Esti-
mates, WPNC, Hannover, Germany
[6] Widyawan, Klepal, M., Beauregard, S., Pesch,
D. 2008. A Novel Backtracking Particle Filter
for Pattern Matching Indoor Localisation, The
First ACM MELT, San Fransisco
[7] Anagnostopoulos, C.-N.E.; Anagnostopoulos,
I.E.; Psoroulas, I.D.; Loumos, V.; Kayafas, E.:
License Plate Recognition From Still Images and
Video Sequences: A Survey. In: IEEE Transac-
tions on Intelligent Transportation Systems,
vol.9, no.3, pp.377-391, Sept. 2008
[8] Piccardi, M.: Background subtraction tech-
niques: a review. In: IEEE International Confer-
ence on Systems, Man and Cybernetics, vol. 4,
pp. 3099-3104, 2004
[9] Beder, C., Breuels, A., Klepal, M.: Extracting
foreground objects from a video stream while
compensating for global brightness and contrast
changes. 2011, to appear
[10] Beder, C.: Grouping uncertain oriented projec-
tive geometric entities with application to auto-
matic building reconstruction. PhD thesis, Pho-
togrammetry Department, Institute for Geodesy
and Geoinformation, Bonn University, Germany,
2007
[11] Beder, C. and Steffen, R.: Incremental estima-
tion without specifying a- priori covariance ma-
trices for the novel parameters. Proceedings of
VLMP Workshop 2008, Anchorage, AL, June
2008
[12] Steffen, R. and Beder, C.: Recursive Estimation
with Implicit Constraints, DAGM Symposium
2007, Heidelberg, Germany, pages 194-203,
2007

626
A Step Forward to Automated Latent Fingerprint Segmentation
Sebastian Bod, University of Applied Science Heide, Germany
Prof. Thorsten M. Buzug, University of Luebeck, Germany
Abstract
As part of the identification of individuals in the forensic we are dealing with fingerprint impressions taken from
many variable surfaces for later inspection. These fingerprints are stored as images for experts to identify and
reveal the relevant information and finally the person associated with the fingerprint. This type of images is
called Latent Fingerprints and is typically of very poor quality. It contains a fingerprint impression together with
a lot of unnecessary information. In order to have a system that is capable of processing these images in an au-
tomatic fashion, we need to distinguish between the fingerprint and non-fingerprint areas. This process is known
as segmentation. The goal is to get a sharp area of the image where the fingerprint is located at. Algorithms that
were designed and optimized for fingerprint images acquired with commercial scanners are not of great use for
the application to latent fingerprints. The nature of disturbance that is contained within a fingerprint scanner im-
age often differs a lot from that what we can find in the latent case and is less hard to distinguish from the fin-
gerprint. Therefor we have to redesign the strategy and algorithms in order to find important information within
the latent fingerprint images.
One very robust way to detect the desired information is to partition the images into blocks. These blocks may
overlap and are subject to a dimension reduction of the 2D information into a 1D representation calculated with
the Radon transformation. Using this kind of transformation we can reduce the inspection of a 2D signal to the
analysis of a 1D signal. The transformation can be understood as a summation of the block content along parallel
rays in a defined direction that are scanning the image under them and accumulating the image intensity values.
The resulting signal then is a clear waveform if a fingerprint image was summed in the correct direction and a
flat signal for the orthogonal direction. For the case of a good sinusoidal wave we can extract the frequency and
amplitude of the signal to define the quality of the measured fingerprint within that block. This simplification of
the information leads to a better result for fingerprint and non-fingerprint areas compared to standard algorithms.
The more ambitious part is to distinguish between degraded fingerprint and non-fingerprint parts. This requires a
tradeoff in sensitivity and uniqueness.
To get an idea of the segmentation performance we are using a standard database of latent fingerprints where we
manually introduced a segmentation that the algorithm should be able to replicate. This ground truth data can be
used to algorithmically improve or optimize the parameter values that the algorithm uses in order to achieve the
best results. When optimizing such a set of parameters we have to define a goal that should be reached. One may
choose to minimize the false detected areas where no fingerprint is contained or to minimize the amount of
missed sections where a fingerprint should be detected. Our strategy and results are designed for a minimum of
false detections within the set of ground truth data.

1 The Segmentation Task
1.1 General Segmentation
Segmentation of a Fingerprint is only one of many
possible steps in the process of identification. The
main problem of identification is reduced to the simi-
larity analysis of minutiae points in a fingerprint im-
age. A person can be uniquely identified based on
these points. A minutiae point is a typical structure in
the ridge/valley image generated by a fingerprint as
shown in Figure 1. While the comparison of two sets
of minutiae points is a non-trivial task by its own the
steps until one has retrieved those points are quiet
Figure 1 A fingerprint of good quality showing
typical ridge/valley structures.
627
challenging. All methods used to reach that goal must
be very robust. Segmentation is of great use when it
comes to reducing the effort of matching and reducing
the count of false information taken for this process.
Independent of the type of matching strategy segmen-
tation is always of great use. Regarding segmentation
there have been many studies on how to solve that
task. A good overview over classical methods useful
in the most cases is given in [3] and [4]. The most so-
phisticated method here is a combination of a few
simple methods in a support vector machine to im-
prove the performance. Many of these methods use
gradients and thus increase the influence of noise. A
robust method must incorporate the essential informa-
tion of a fingerprint impression locally as well as in a
neighbourhood or even in a complete fingerprint im-
pression. A first step of reaching this is to model the
local impression of a fingerprint in a block. The
method we want to introduce here is based on the
work in [1] and [5] yet modifying the systematic of
local analysis. The method shown there has a great
potential so we picked the idea and improved the
processing. We call the method RidgeRadon (RR)
and will explain it in detail.
2 RidgeRadon (RR)
2.1 Principle
The whole processing is shown in Figure 2 and de-
scribes the process of the (RR) segmentation which is
based on a block wise analysis of the complete image.
Each block is then subject to a radon transformation at
a given rotation. The resulting projection is then fur-
ther analysed with respect to a few picked characteris-
tics. These characteristics are combined in a weighted
sum and define a distance measure of the signal to the
desired signal occurrence. In contrast to the original
implementation we decided to pick a few more char-
acteristics and let the weights be defined by an opti-
mization to reach the best results possible. The dis-
tance is then rearranged to a quality measure and
gives us the possibility to use a threshold for to decide
what block is a fingerprint (foreground) and a non-
fingerprint (background) area.
2.1.1 Image Partitioning
One may choose to process the image with or without
an overlap. For each block we assign a dominant
ridge direction used for the application of a radon
transformation. We found that the calculation of ridge
orientations based on [6] is the most robust method. It
uses a PCA to define the dominant orientation of all
gradients in a set of gradients. So in contrast to the
original implementation we can dramatically reduce
the computational complexity. The original imple-
mentation tests all radon transformations for a set of
angles from 0 to 180 [deg] by a step of 5 [deg]. Let

be the image of gray values in the

image plane . The image is partitioned in a set of
blocks
where N is the num-

ber of blocks and
is the set of points corresponding

to the ith block. The radon transformation of a block
is then denoted by
. The parameter is the set of angles used for the

projection direction. In our case the number of angles
is one but can be easily extended to M directions. The
resulting projections are then further analysed

2.1.2 Block Preparation
The radon transformation itself can be understood as a
summation of the image intensity values along paral-
Figure 3 In-tune (left) and off-tune projection of an
example block showing the results of the radon
transformation for two orthogonal angles.
Figure 2 Processing steps for the RR quality map
calculation.
628
lel lines crossing the image plane. The sum along each
line gives one value in the radon transformation re-
sulting in a line of values. The setup is shown in Fig-
ure 2. There is one problem associated with the pro-
jection of a block, namely the count of samples along
a line. Consider a squared block of samples and a pro-
jection diagonally across the image block. The count
of samples along a line then decreases from the centre
linear to the outmost edges. Because of the low count
of samples in those regions we decided to cut them
out by the following rule. Given a block of the size
the resulting maximal width of a projection thus
must be
that is the diagonal length of

a block. From this total length we build the difference
to the minimal projection length that is .
Half of the difference will be symmetrically sub-
tracted from both projection ends. We use a typical
square block size of 50 for 500[dpi] images and 100
for 1000[dpi] images. In addition we use a pre-
calculated set of corrections for each projection angle.
These corrections are then multiplied with the actual
projection to reduce the effect of different counts of
values.

2.1.3 Analysis
Given the already corrected and cut projection data
we can now inspect the set of one dimensional signals
resulting from the projection. Please note that in our
case there is only one projection but as mentioned be-
fore there can be M projections. Each projection is
processed and scanned for local and minima and
maxima. These maxima are then called centre of tran-
sition (COT) points. There is a set for the local
maxima and a set for the local minima. We store the
positions
in the projection
and the amplitudes
of the kth (COT) point that could be

found in the projections. From the ordered set of posi-
tions
we calculate the distances
.
Using this information we can calculate the mean of
the distance of local maxima
and
variance of distances
as well as the
mean of the amplitudes
and
. The same is done for the minima

denoted by a superscript L. When the superscript is
dropped then the whole set of L plus H is meant. Ad-
ditionally we analyse the Fourier transformation and
extract the energy in the desired ridge frequency range
and the energy everywhere else
while previously
subtracting the mean value of the signal before apply-
ing the Fourier transform. We combine these meas-
urements in a distance vector defined as:

(1)

The first component of the distance is telling the dis-
tance of the mean ridge distance within the block to
the ridge distance most likely to occur in a real fin-
gerprint. The second component is the standard devia-
tion of the distances over the desired ridge distance.
The third part is the energy of the ridges in the Fourier
domain over the complete energy. The last part called
cg is made from the absolute difference of found
min/max values to the actual awaited count given by
the distance of 0.02 inches between the ridges. For the
case that our analysis of the projection does not allow
us to find more local maxima and minima than 3 we
just set all distance vector entries to 1.
2.1.4 Decision
Once we have the distance measure we can use it to
build a quality value from it. This value is then de-
fined as

(2)

where

and w is a vector of weights
with the condition

(3)

and I is the number of parameters in d. This weighted
sum of distances then yields the quality value for each
block that we have previously picked. In the best case
our quality value allows us to clearly distinguish be-
tween the desired block content and the background.
This behaviour is to a certain extend steerable by the
weights that we may pick between zero and one.

2.1.5 Parameter Tuning
One may guess the value for the weight vector w or
try to systematically compute them. Let us assume
that we have analysed a lot of values in images and
know a set of good values
for the foreground and

many values
for the background. Furthermore we

define a value of 1 to be calculated using the weights
629
and the distances for the foreground and 0 for the
background. Then we can ask to optimize the follow-
ing function

(4)

There are many ways of solving this task. We found
that a good result can be reached using a genetic algo-
rithm to determine the weights. We used the NIST
SD27 and manually segmented data to know the de-
sired outcome of each decision for each measurement
and distance vector. The optimization reduced the er-
ror from 2.4 for a weights resulting in a simple aver-
aging to 0.6.
3 Results
Using a different set of images from the SD27 Data-
base we now evaluate the performance of the pro-
posed method and compare it to others. We will pre-
sent the results as ROC curves. The abscissa repre-
sents false positive values and the ordinate represents
true positive values. So the optimal plot would show a
jump at zero directly up to one meaning that all posi-
tive values are selected at once with a high threshold
value. In addition to the raw numbers we want to
show some examples. For every image and its result
we have not applied any morphology or region based
processing. The only thing after the quality map gen-
eration that was done is a smoothing with a Gaussian
smoothing kernel of 3 times 3 pixels. We show in
Figure 7 the quality maps of the coherence method
that is based on orientation similarity, the quality map
of the CFM method described in [7] that is a Fourier-
space based segmentation and the proposed method
RR. It is clear that only the RR method can deliver
higher energy in the region of the fingerprint while
having lower energy everywhere else. The images are
not contrast optimized in any case. The fact of energy
compactness in the fingerprint region can also be seen
in the ROC curves in Figure 5. Based on the energy
difference between fingerprint and non-fingerprint
regions one may build the segmentation by defining a
threshold that is then applied to the quality map im-
age. Some example quality maps for the SD27 are
shown for the RR method in Figure 6. If we calculate
the following signal to noise like measure

(5)
we get the following results for the categories good
bad and ugly predefined in the SD27 shown in Table
1.

RR COH CFM
Good 7.89 0.32 -0.05
Bad 9.89 0.31 -0.28
Ugly 5.39 0.38 -0.02

Table 1 SNR values for the different categories of
the SD27 images. There are a total of 66 images.

4 Conclusions
Many segmentation methods are available by now.
Most of them are optimized for the case of a scanner
based image acquisition. Latent fingerprint images
have a much higher demand to any algorithm. The
proposed method of extracting a quality map and thus
calculate a segmentation is a first step to the full
automatic latent fingerprint processing. Further im-
provements by analyzing the relation of blocks in
their neighbourhood can improve the results. One
might still build different distances d with other or
more parameters to have more possibilities to improve
Figure 5 ROC curve for coherence based value extrac-
tion.
Figure 1 ROC curve for RR based value extraction.
630
the segmentation. The proposed method also is very
well suited for scanner images but might be computa-
tionally to expensive in cases of fast coding for real-
time access.

References
[1] Karimi-Ashtiani, Shahryar: A Robust Tech-
nique for Latent Fingerprint Image Segmentation
and Enhancement, ICIP 2008, Vol. 90, No. 5,
pp. 1492-1495, Oct 2008
[2] S. Kapoor: Segmentation of Fingerprint Images
using the Directional Image, Pattern Recogniti-
on, Vol. 20, No. 4, pp. 429-435, 1987
[3] Helfroush, Mohammad S.: Fingerprint Segmen-
tation, World Applied Sciences Journal, Vol. 6,
pp. 303-308, 2009
[4] Jain, A. K.: Handbook of Fingerprint Recogni-
tion, New York, Springer -Verlag, 2003
[5] Jain, Anil: Fingerprin Image Enhancement:
Algorithm and Performance Evaluation, IEEE
Trans. On Pattern Analysis and Machine
Intelligence, Vol. 20, No. 8, August 1998
[6] Wang, Yi; Han, Fengling: Enhanced Gradient-
based Algorithm for the Estimation of Finger-
print Orientation Fields, Applied Mathematics
and Computation 185, pp. 823-833, 2007
[7] Buzug, T and Bodo, S.: Fingerprint Segmenta-
tion and Quality Map using a Combined Fre-
quency Model, IEEE International Instrumenta-
tion and , pp. 823-833, 2007

Figure 7 Example quality maps for the original image
(top left) with RR (top right) then CFM (lower left) and
coherence (lower right).
Figure 6 Example images from the SD27 (left) and
the quality map computed with the RR algorithm.
631

0295-9 Future Security 2011 CD PDF

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

0295-9 Future Security 2011 CD PDF

Hochgeladen von

Copyright:

Verfügbare Formate

6

. Normally a sensor network proto-

. Furthermore there is the possibility

Produktion, TU Mnchen; Lehrstuhl fr Frdertechnik

The principle of the described method consists in

Session P Future Security 2011 Berlin, September 5-7, 2011

Fig. 6c Distribution of pressure p(t), concentrated charges, in times t=50s

Session P Future Security 2011 Berlin, September 5-7, 2011

is Boltzmanns constant, is the absolute

Session A.4 Future Security 2011 Berlin, September 5-7, 2011

Session A.4 Future Security 2011 Berlin, September 5-7, 2011

- RMS of rocking angles,

>>1 so that the spectrum width practically

, where the constants are =11,3 and

Figure 16: 320x240 pixels FPA

be the image of gray values in the

where N is the num-

is the set of points corresponding

. The parameter is the set of angles used for the

that is the diagonal length of

and the amplitudes

of the kth (COT) point that could be

we calculate the distances

. The same is done for the minima

and the energy everywhere else

for the foreground and

for the background. Furthermore we

Das könnte Ihnen auch gefallen