Abstract
Railway systems are instrumental to countries’ economies. They are also vulnerable to manmade and natural disruptions and therefore need to be protected. This paper introduces an optimization model to identify the set of fortifications and network expansions to mitigate the impact of worstcase disruptions. The model incorporates multiple travel segments allowing to study the impact of different route choice behaviours. A Benders decomposition approach is developed to solve the bilevel problem alongside a more efficient nested GRASP heuristic. The algorithms are tested and compared on a set of artificial grids. A case study is developed using the Central London Tube network to provide managerial insights.
1. Introduction
Transporting people and goods on rail is crucial for the wellbeing of countries. Currently, more than 4 billion passengers and 11 billion tonnes per kilometre are moved on rail worldwide [1]. The impact on economic development is further highlighted by the massive investments in railway projects envisioned by the belt and road initiative [2]. Aside from longdistance transportation, the crucial role of rail in moving people around urban areas is especially evident in cities with capillary metropolitan systems, such as New York, London, or Tokyo, with a daily ridership of millions. Developing countries, particularly in South East Asia, are significantly expanding their urban railway networks to address their chronic traffic congestion issues. Bangkok, for instance, is planning on increasing its number of mass rapid transport lines from 5 to 15 and boosting the track length from 159 km to more than 400 km [3]. Similar projects, albeit on a smaller scale, are planned in Hanoi [4]. Building and expanding urban railway systems have also proved to have a beneficial impact on the reduction of air pollution [5]. The size of railway systems makes them vulnerable to disruptions. This is particularly true when the vast portion of the infrastructure is exposed and easy to access. The list of past disruptions is sadly long and includes manmade attacks [6–8], natural events BBC [9], and unintentional disruptions ABC [10]. It is economically unfeasible to protect a high standard of an entire railway system, yet there are mitigating strategies that can be employed. These strategies are threatdependent. Flood control measures can be implemented for systems vulnerable to flooding, while surveillance and access control measures are suitable to deal with human threats. We group these strategies together and refer to them as fortifications. They can be defined as targeted investments to reduce the vulnerability of an asset (stations, tracks, trains, etc.). Another approach to hedge against disruptions is to increase a railway’s network reliability by expanding its design and adding new connections and paths between stations. The concept of network expansion here is considered generic on purpose. In fact, depending on the stations being connected, an expansion could be a dedicated bus, a walking tunnel, or a line extension. In this work, both fortification and network expansions are considered as mitigation strategies. The disruption of critical infrastructure, like urban railways, can have a dramatic longlasting socioeconomic impact. The low probability of highconsequence disruptive events prompts decisionmakers to be riskaverse while devising mitigation strategies [11]. Because of this issue, we focus on worstcase disruptions. This is also further motivated by these systems often targeted by terrorism and other intentional disruptions.
One important aspect that needs to be accounted for when focusing on urban railways is the presence of different travel behaviours among a group of customers. Often, users have several choices they can make to reach their destinations. An example is choosing the transportation mode. Even within the same transportation mode, different paths might be available. For example, focusing on railway transportation, the quickest trip and the trip with minimum line changes do not necessarily coincide. The purpose of the trip will affect the choice a traveler will make, and the disutility incurred if the trip has to be cancelled. To the best of our knowledge, no attempt has been made to incorporate customer segments into mathematical models to find strategies to mitigate disruptions. This is crucial as an inaccurate estimation of pre and postdisruption travel demand can lead to suboptimal solutions, ultimately leaving the railway infrastructure less reliable.
To sum up, the contributions of this paper are as follows:(i)A novel mathematical model to identify railway network fortification and expansion decisions accounting for different customer segments(ii)Exact and approximate procedures to efficiently solve the aforementioned model(iii)Managerial insights obtained on the Central London Tube network case study
The remainder of the paper is organised as follows: In Section 2, a review of the relevant literature is provided. Section 3 introduces and describes the mathematical models. Exact and approximate solution approaches are given in Section 4. Computational analysis and managerial insights are discussed in Section 5. Finally, conclusions are drawn along with suggested future research directions in Section 7.
2. Literature Review
Over the past two decades, the interest in Operations Research in disruption management has seen a fast growth. Several research branches have appeared, focusing on different critical infrastructures and types of disruptions. Many papers, for instance, assume disruptions to be probabilistic and study the problem of protecting a system with stochastic models. Several examples can be found in supply chain systems [12, 13] and transportation systems [14–16]. In this work, we focus on worstcase disruptions. Two types of game theoretical frameworks are popular within this context: interdiction and fortification [17]. The first one models the problem from an intelligent attacker’s point of view, whose objective is to disrupt a number of system’s assets to inflict the highest damage. This attacker, typically referred to as an interdictor, is used as a proxy to identify the most vulnerable assets of a system. Interdiction models often are modelled as bilevel optimization programs, with one level representing the interdictor another, called the user, computing the system’s performance. The fortification framework adds another level, mimicking a benevolent actor aiming to distribute protective measures to minimize the impact of the interdictor’s actions.
Interdiction and fortification problems are described with the leaderfollower game theoretical framework. As a result, they are modelled as bilevel or trilevel programming problems. More details are provided in Section 3 and Appendix A.
These problems have been studied within different contexts (e.g., logistics and supply systems, and electrical grids) and under different assumptions (e.g., complete vs partial protection).
In the following, we review the interdiction and fortification research streams that are most relevant to this work.
Research on worstcase disruptions in supply chains gained momentum after Church et al. The authors of [18] studied the interdiction problem on pmedian and maximal covering problems. Resulting models were customized afterwards, for instance by introducing uncertainty in the intensity of disruptions [19], considering partial disruptions [20], and focusing on hubandspoke systems [21]. Most of the efforts are being directed toward fortification problems. Scaparra and Church [22] study the problem of allocating fortification resources on a supply chain facing worstcase disruptions. This work has been extended in several ways. For instance, Liberatore et al. [23] consider the number of disruptions to be uncertain.
Shifting the focus to network problems, several seminal works appeared in the past, studying interdiction problems on the flow [24–26] and shortest path networks [27]. These works were more recently extended and specialized. Focusing on flow networks, Wood [28] provides a mathematical programming formulation for the interdiction problem where the attacker aims to maximize the flow on a network. This work is extended by Cormican et al. [29], by assuming uncertainty in the interdiction outcomes and arc capacities. Bell [30] proposes a bilevel formulation to estimate the reliability of a single origindestination network. In their model, the interdictor does not directly disrupt a link, but it selects the route utilities by choosing from a set of scenarios. Lim and Smith [31] focus on the flow interdiction problem with multiple commodities studying both total and partial disruptions. A dynamic version of the network flow interdiction problem is studied by Rad and Kakhki [32] by adding traversal times to arcs. Schäfer et al. [33] introduce a biobjective formulation to study interdiction on a network with two flows where arcs have two separate capacities. Myung and Kim [34], Murray et al. [35], and Matisziw and Murray [36] study similar flow interdiction problems assuming that origindestination paths are precomputed and measuring the amount of postdisruption unserved flow. Scaparra et al. [37], and Starita and Scaparra [38] extend these models by adding fortification decisions and assuming that the protection budget is spread on a planning horizon, respectively. Hien et al. [39] study a flow network fortification problem assuming demand uncertainty and considering both arc capacity expansion and arc fortifications to thwart attacks from the interdictor.
Focusing on shortest path networks, Israeli and Wood [40] provide a mixedinteger formulation for the interdiction problem where an attacker aims to disrupt arcs in order to increase the distance between two nodes. Bayrak and Bailey [41] propose an interdiction model where the information about arc lengths between the interdictor and the user traveling the network is asymmetric. Sefair and Smith [42] provide a dynamic formulation allowing the interdictor to disrupt arcs once the user travels to any point in the network. Wei et al. [43] introduce a model to minimize the resources of an interdictor aiming to limit the network capacities to a given threshold. The fortification problem on shortest path networks is first introduced by Cappanera and Scaparra [44]. This work is extended by Sadeghi et al. [45] to account for partial disruptions and protections.
More closely relevant to this paper is the line of research that studied interdiction and fortification in demandbased networks, while customizing more generic models by incorporating features typical of transportation systems. Alderson et al. [46] and Starita and Scaparra [47] assess vulnerabilities in road networks by studying interdiction problems that account for congestion on the roads, using the popular Bureau of Public Records (BPR) formula. Küçükaydın and Aras [48] study an interdiction model for railways, where both stations and tracks are capacitated and subjected to disruption. Sarhadi et al. [49, 50] propose trilevel fortification models to allocate protective resources on a railtruck intermodal terminal network. The objective is to identify the set of terminals to fortify so that the postdisruption shipping cost of the container flow is minimized. Focusing on urban railway systems, Jin et al. [51] study a fortification problem where stations are subject to several disruption intensities affecting their capacities. A comparison between vulnerability metrics typically used for railway network risk assessments and interdiction models is provided by Starita et al. [52]. They highlight that interdiction models, while requiring higher computational costs, yield better results. Starita et al. [52] introduce a fortification model that measures the postdisruption railway network’s performance by combining connectivity, demand loss, and travel time.
Another related research stream is the one investigating how to design critical infrastructure robust to disruptions. This problem has been widely studied for supply chains, with several papers proposing modelling solutions to design supply networks where facilities can fail with some probability. Within this stream, seminal papers by Daskin [53] and Drezner [54] were followed by many works investigating the problem from different angles. For a more comprehensive discussion on the topic, the reader is referred to Scaparra and Church [55]. While several works can be found on the design of transportation networks robust to uncertain demand [56, 57], only a small number of them explicitly address disruptions of the network’s assets. Among them, Laporte et al. [58] propose an integer program to design a robust railway that provides different routes to address arc failures and limit congestion. Cadarso and Marín [59] introduce a network design model to tradeoff between robustness and recovery of a transportation system subject to a set of disruption scenarios. Luo and Xu [60] propose a stochastic model with the aim of minimizing the postdisruption unsatisfied demand of a railbus system, by integrating the original network with new additional bus connections. Laporte et al. [61] formulate an interdiction problem to design a railway transit network. They assume that only one link at a time can fail, and the objective is to find the network that maximizes the trip coverage.
Within the supply systems context, several authors have proposed models to combine fortification with design measures to mitigate disruptions, both focusing on probabilistic [62, 63] and worstcase disruptions [64–67]. On the other hand, in the distance and flowbased networks, this issue is somewhat neglected. This is particularly true when focusing on worstcase disruptions. Lou and Zhang [68] study both road design and fortification strategies to address random and strategic disruptions, but they do so by introducing two separate optimization models. Fotuhi and Huynh [69] introduce an intermodal freight network expansion design. Their objective is to locate new terminals and devise which of the existing ones should be enhanced or fortified. They assume uncertain demand and probabilistic disruptions. Perea and Puerto [70] propose a model to jointly design and protect a railway network. They use trip coverage as a performance metric while assuming singlearc worstcase disruptions.
One further limitation arising from the review of the railway disruption management literature is the typical assumptions on travelers’ behaviour. For example, no paper considers different travel segments. Moreover, route choice models adopted are generally simplistic, assuming users to pick the shortest/cheapest route or entire demand to be served as long as a connection is available. One diversion from this assumption is found in Starita and Scaparra’s study [71]. They propose a fortification model where the amount of travel demand on a given path changes with the length of the shortest available path. However, their model is limited in that the proportion of demand is precomputed as a parameter of a given route and does not change with the available route menu.
More complex route choice models can be found in the railway network design literature (e.g., Wang and Meng) [72]. However, to the best of our knowledge, in this stream, no paper addresses disruption issues.
Summing up, this work aims to address a few gaps in the disruption management literature for railway systems. It does so by accounting for different traveler segments, providing a methodology that allows for complex route choice behaviour to be incorporated, and using both fortification and design decisions to hedge against disruptions.
3. Mathematical Models
This section introduces the interdiction and fortification nonlinear models and their linearised counterparts.
The assumptions common to all formulations are listed as follows:(i)The railway system is modelled as an undirected graph where nodes and edges represent stations and track connections, respectively(ii)Every origindestination pair is connected by one or many precomputed paths(iii)Passengers are grouped into travel segments, defined by different route choice behaviours(iv)The demand for each segment is known(v)The problem is studied under worstcase disruption scenarios(vi)The performance of the railway system is measured in terms of total travel cost/time
In the following formulations, the railway system is modelled as an undirected graph, with known origindestination demand, where nodes and edges represent stations and track connections, respectively.
3.1. Railway Interdiction with Customer Segmentation (RICS)
The interdiction problem defined below models an intelligent actor whose aim is to disrupt edges so as to maximize the postdisruption economic loss.
The model is built with the following assumptions:(i)A disrupted edge becomes inoperable, rendering unavailable any paths using that edge(ii)The interdictor can disrupt only a limited predefined number of edges
We consider a set of customer segments , with a demand of for any pair . Customers in the same group share the same likelihood of selecting longer paths and incur the same cost if they cannot make the trip. Each segment is defined by a choice model computing the share of demand traveling on any given path. Specifically, the function represents the share of the customer from the segment choosing path , given the route options available (represented by the binary vector ). A segment is also defined by its penalty unit cost , which is paid on the share of demand that is lost, identified by . The rest of the notation is summarised as follows:
Set and Indices:(i)E set of edges, indexed by (ii) set of origindestination pairs, indexed by (iii) set of paths connecting pair , indexed by (iv) subset of edges forming the path (v)L set of customer segments, indexed by
Parameters:(i) is the total demand for customer segment and pair (ii) is the cost of the path (iii) is the unit cost incurred when a customer belonging to the segment abandons the trip(iv) is the maximum number of edges that can be disrupted simultaneously
Decision Variables:(i)x_{e} is equal to if the edge is disrupted; otherwise(ii)y_{r} is equal to if the path is disrupted; otherwise
An integer programming formulation for the RICS model is given as follows:
The objective of the interdictor is to maximize the total expected cost computed as the sum of travel and penalty costs. Constraint (2) states that up to edges can be removed from the network. Inequalities (3) enforce that path can be disrupted only if at least one of its edges is removed. Constraints (4) and (5) define variables and to be binary.
3.2. Linearisation via Interdiction Plans Enumeration
With a few exceptions, choice models are typically nonlinear. This assumption renders RICS’ objective function nonlinear. In order to linearise the problem, we propose an approach that relies on enumerating all the possible interdiction plans. Specifically, for each pair , we enumerate all the path status combinations where each path can be either nondisrupted or disrupted. Such combinations are indexed by and are referred to as interdiction plans. They are defined via parameter which takes 1 when path , connecting pair , is disrupted under combination , and otherwise. Table 1 shows an example of such plans assuming two paths are connecting a pair.
Each interdiction plan identifies the menu of routes that will be available for the user to choose from. For example, when , both paths and can be used. However, if we focus on , the only path is available. For any of these plans, we can compute the choice probabilities. For example, the share of segment choosing the path , under the disruption plan , is defined by .
Formally, let hold all the interdiction plans for any given (i.e., ). For any pair and plan , the precomputed choice probabilities are defined as .
Finally, let be the binary variables set to 1 when the plan is selected for the pair . Having precomputed the choice probabilities, variables are no longer necessary. A linearisation of RICS is given as follows:
The objective is now to select the interdiction plans maximising the system’s cost. Constraints (7) enforce that a plan where the path is disrupted can be selected only if one of the edges along the path is removed. Constraints (8) state that only one plan must be selected for any pair. Selection variables are defined as binary by (9).
3.3. Hedging against Disruptions
In this section, we model a second benevolent actor, referred to as a network planner. Its aim is to select the right strategies to mitigate worstcase disruptions. Mathematically, this results in a bilevel model where the two levels represent the actions of the network planner and the interdictor. These actors have opposite aims, leading to a bilevel minmax model. The network planner can combine two mitigation strategies: fortifying edges and adding new edges.
The assumptions of the model are given as follows:(i)A fortified edge is immune to disruptions(ii)The network planner can fortify a limited predefined number of edges(iii)The network planner can add to the network a limited predefined number of new edges
The model uses the following additional notation:
Parameters.(i)s is the maximum number of edges that can be fortified(ii)t is the maximum number of new edges that can be built(iii)E′ is the set of candidate new edges, indexed by (iv) is the set of additional paths resulting by adding every edge in , connecting pair , indexed by (v) is the set containing only the new edges being part of the path (vi)
Decision Variables.(i)z_{e} is equal to if the edge is fortified; otherwise(ii) is equal to if the edge is added; otherwise
The bilevel model to hedge against interdictions (HRICS) is described as follows:
The objective (10) is to minimize the total expected system’s cost. Up to edges can be fortified, and new edges can be added, as respectively stated by constraints (11) and (12). Variables and must be binary (13) and (14). The inner level is the interdiction problem as modelled by RICS, with an additional set of constraints to model the impact of the network planner actions on the interdictor. Constraints (16) and (17) share the same interpretation with (2) and (3), respectively, while accounting for new sets of edges and paths resulting from the network planner’s decisions. Constraints (18) state that a new path is unavailable unless every edge composing it is added. Constraints (19) enforce that fortified edges cannot be disrupted. Finally, as in RICS formulation, and are binary variables (20) and (21). A linear version of the model can be obtained by adopting the same strategy devised for RICSL. We refer to this model as HRICSL, while omitting the formulation for brevity.
4. Solution Approaches
4.1. Benders’ Decomposition for HRICSL
In this section, we propose an optimal solution approach based on Benders decomposition. While the Benders partitioning technique [73] was initially developed to tackle complex mixedinteger linear problems, it has been extended and generalized to work with nonlinear [74] and bilevel problems [75]. Focusing on bilevel optimization, Benders decomposition has been successfully applied to a wide range of problems. For example, Fontaine and Minner [76] focused on traffic network design and Kazempour and Conejo [77] on strategic generation investment. This decomposition approach is also very frequently used to solve interdiction [40] and fortification [45] problems and to provide a benchmark for heuristic techniques [38, 78, 79].
The solution framework relies on first decomposing the two levels into two separate singlelevel optimization problems and then iteratively solving these problems until a stopping criterion is met. The inner model is built by fixing the fortification and expansion decisions. Solving this problem provides an upper bound to the system’s cost. Each time the inner model is solved, and the resulting interdiction plan is incorporated into a master problem via a set of constraints. This master problem is built to identify the fortification and expansion strategies to thwart all the interdiction plans discovered in previous iterations. At any iteration, the master problem computes the system’s cost accounting for a subset of the entire set of interdiction plans. Therefore, its solution is a lower bound on the cost. A pseudocode description of the algorithm is provided in Appendix B. The formulations for the inner and master problems are discussed as follows.
Additional notation is necessary to formulate the two problems. The superscript is used to identify values obtained after iteration , and the parameter tracks the number of iterations performed by the algorithm. Another set of selection variables , similarly to variables, is used by the network planner to identify leastcost interdiction plans. For a fixed network expansion plan identified by , a new set of paths and edges needs to be considered. This is reflected by the additional notation provided as follows:(i)(ii)(iii)
The inner model after iteration is defined as follows:
is obtained by fixing the network planner decisions in HRICSL. Solving this model provides an upper bound to HRICSL, and the solution can be used to generate cutting planes to add to the following Master model. Let us refer to as the optimal solution returned by and use the binary parameters set to 1 if the path connecting is disrupted at iteration . The master model is aimed at finding the network planner decisions to react to the cutting planes found by the inner subproblem. The formulation is given as follows:
The objective of the model is to find the combination of protection and network design strategies so as to react to the disruptions selected by the inner subproblem. These disruption strategies are referred to as Benders’ cuts (30). They enforce lower bounds on the objective function . For any iteration and pair , only one plan must be selected through variables (31). Constraints (32) enforce that if path is available under plan and is disrupted at the iteration, then it can be selected only if every edge disrupted (as indicated by ) is fortified. Moreover, if a new path is available under plan , then every additional edge must be added (33). Constraints (34) disable any plans where a path is unavailable as soon as such path is entirely built, fully fortified against or both. Finally, variables are forced to take binary values by (35).
4.2. Nested GRASP
While the Benders’ decomposition procedure can find the optimal solution, it also comes with two drawbacks: first, it relies on the linearisation approach discussed in the previous section, and therefore, it requires to precompute a number of scenarios which grows exponentially with the number of paths. Furthermore, as it will be demonstrated in the following section, this procedure poorly scales with the problem’s size. To overcome these issues, a heuristic solution approach is introduced in this section. The choice of adopting a greedy randomized adaptive search procedure (GRASP) by Feo and Resende [80] is motivated by empirical analyses of the optimal solutions which frequently are close to the greedy ones. A nested GRASP (NGRASP) is developed to tackle both network expansion and fortification decisions.
A crucial step to enable NGRASP to be efficient is to quickly solve the interdiction level RICS with fixed expansion and fortification strategies. An empirical analysis of the solutions highlights the nonsurprising tendency of the interdictor to fully disrupt the connectivity of highdemand pairs so as to gain on the penalty costs. This motivates the development of a simplified interdiction problem RICSs to be used as a proxy to RICS. Let be a variable taking 1 if the pair is disconnected, and 0 otherwise. The formulation for RICSs is given as follows:
The model replaces the probabilistic objective of RICS with a simpler function (36) where penalties are paid on the entire demand for every segment once a pair is disconnected. Constraints (37) enforce that a pair is disconnected only if every path serving it (including the newly built) is disrupted. Finally, constraints (38) state that are continuous variables taking values between 0 and 1. The rationale is that, although the optimal objectives of RICS and RICSs are generally quite different, their interdiction strategies are often the same or similar. Solving RICSs with a MIP solver can then be enhanced by a simple singleedge local search to identify an interdiction strategy which can then be plugged into RICS to compute the actual cost.
Let , and be the sets holding fortified, added, and disrupted edges, respectively, as the algorithm progresses. We assume the notation to be equivalent to , enforcing and . The pseudocode of NGRASP is described in Algorithm 1.

At each iteration, the algorithm performs two main steps. First, it builds a randomised greedy solution and then aims to improve this solution via a local search. The first step sequentially builds the set of edges by randomly choosing from a list of promising candidates. Such a list is obtained by solving an inner GRASP procedure (GRASPF) in which for a given set of expansions, the best found set of fortifications and its corresponding cost is returned. The local search described in the code performs 1edge swaps to further improve the solution. For every odd iteration of the algorithm, this search is replaced by a 2edges local search. Once the stopping condition is met, best expansion , fortification sets and system’s cost are returned. The pseudocode of GRASPF is shown in Algorithm 2.

The algorithm has the same structure as NGRASP with the most noticeable difference in that it makes use of the set of disruptions to reduce the number of edges to be assessed. This is done by exploiting the obvious fact that in order to thwart a disruption, a fortification strategy should include at least one of the disrupted edges. The list of promising candidates is built by computing the cost by first solving to obtain ; then, having all the decision variables fixed, the system’s cost can be computed and used to rank the given edge. Again, a 1edge swap local search is performed.
4.2.1. Improving NGRASP Efficiency
The overall NGRASP procedure described above faces computational challenges given its nested structure. Each time a candidate expansion link is evaluated multiple GRASPF calls are required. For each of these calls, several mixedinteger problems are solved. A few improving steps can be implemented to reduce the computational burden.
NGRASP through its iterations is bound to evaluate combinations of variables that have been already assessed. Storing information in hash tables so that it can be efficiently retrieved leads to significant improvements. The algorithm uses two hash tables. The first takes as an input and returns corresponding and if that set of expansions has been already assessed by previous iterations. Similarly, a second hash table is used with and as input, returning the corresponding and disruption set . In other words, the algorithm will call the GRASPF routine only if is not in the first hash table. After that, the results will be used to populate the table and avoid recomputation. Similarly, and the following local search will be performed only if is not already in the second hash table.
Another simple strategy to enhance the computational efficiency of NGRASP is to limit the neighborhoods that are being investigated by the local searches. In order to do that, simple metrics are computed to rank all the edges, and only a subset of them are swapped in the tentative solutions. For a given (exp, fort, disr), NGRASP computes a score to rank every e \in M'. The score for an edge e is computed summing the demand (i.e., \sum_l d ^ l_\omega) of all the pairs \omega where $e$ is part of an entirely built and nondisrupted path (as defined by exp, fort and disr). As for the local search to improve the solution obtained by solving , the neighborhood is again restricted by computing a simple score for each . The score of is obtained by summing the entire demand of pairs when is part of any path connecting them and therefore has the potential to disrupt.
5. Computational Experience
5.1. Networks
To provide a thorough analysis, we build a dataset of square grid networks of different sizes. Figure 1 shows an example of a 25node grid. The existing edges (solid lines) are selected in a way that would replicate urban mass rail transportation systems. Specifically, inner nodes (representing central urban areas) are more interconnected than outer nodes (representing urban outskirts). Candidate edges (dotted lines) are added to allow trading off between connecting peripheral locations and increasing the connectivity of central areas.
Traveling times and passengers for edge are uniformly drawn according to Table 2.
These values are set in line with the numbers of passenger using underground systems of the large metropolis. For example, the London Underground shows daily passengers on its links ranging from a few hundreds to several thousands. Four network sizes are considered as follows: 16, 25, 36, and 49 nodes. For each size, two instances are built.
5.2. Customer Segments and Choice Model
We choose the popular multinomial logit model (MNL) to build travel choice models. Let define the utility that a customer of the segment associates to the path , then the probability that such path is chosen is given as follows:
Therefore, the probability that a customer from the segment abandons the trip is given by
The utility value of a given path is the sum of a base utility and the relative traveling time increment between and the shortest path connecting the same pair. Formally,where is a weight quantifying segment traveling time sensitivity. In the computational analysis, we consider two customer segments, referred to as commuters and leisure travelers. The first segment represents users that are strongly committed in making the trip and that by abandoning it would incur a significant socialeconomic damage (e.g., people commuting to work and to educational buildings). The second segment represents users traveling motivated by nonurgent reasons (e.g., shopping); hence, if they were to abandon the trip, the damage would be small. Commuters are assumed to be well informed about their options; hence, they mostly convey on the leastcost available paths. Conversely, we assume higher shares of casual travelers to choose more expensive journeys as a consequence of their reduced knowledge. Detailed choice model parameters are given in Table 3.
To clarify the parameters’ choice, Figure 2 shows the plot of the probability that a customer would abandon the trip as a function of the of two paths. Results are shown for both commuters (2a) and leisure segments (2b). The plots show that commuters are willing to accept longer delays in order to make the trip, while the probability of abandoning the trip for leisure travelers increases more rapidly.
(a)
(b)
5.3. Computational Analyses
In this section, the proposed solution approaches are evaluated and compared. Experiments are implemented using Visual Studio and Cplex 12.10 callable libraries. The PC uses an AMD Ryzen 7–3700X processor and 16 GB of RAM. Each combination of budget parameters , and is tested, letting to range between and , and between and . For each of the following analyses, a 1hour limit is enforced on the computing time of both solution algorithms. Moreover, a maximum number of 10 iterations is set for NGRASP. A summary of the results of the analyses on 16 and 25node grids is shown in Figure 3, More detailed results are reported in Appendix C. while more detailed tables are reported in Appendix C. Each symbol in the picture represents the percentage gap between the objectives returned by Benders and NGRASP, for a specific combination of values.
Smaller dots denote gaps for 16node grids, while larger ones show the gaps for 25node grids. For simplicity, the same symbols are used for the same sized grids so that it is easier to assess the impact of the size of the grids on the algorithms’ gaps. Results are arranged in a matrix of charts, where the 3 rows correspond to the disruption sizes considered, and each column is a combination of and . The top left quadrant, for example, reports on the gaps when and . If less than 4 dots appear for a combination, it indicates that instances are reporting the same gaps and their dots overlap. For example, when and , all four dots overlap because all gaps are .
The figure shows that most of the time, NGRASP retrieves the same solution as Benders (0% gap) which is the optimal one, unless Benders did not converge in time. The dots above line indicate that, at times, NGRASP performs worse than Benders. However, the highest gap is 4.9%, and in the majority of cases, the gap is less than 2%. On the other hand, dots below the line show that when Benders fails to converge within the time limits, NGRASP retrieves better solutions. As expected, this happens more frequently once the problem’s complexity increases.
With larger grids, the advantage of NGRASP over Benders becomes even more evident. Figure 4 reports the gaps on 36 and 49 nodes instances. Similarly to the previous analysis, detailed results are found in Appendix C. The figure shows that when NGRASP underperforms, the gaps are typically small. The increased number of data points below the line suggests that as and increase, Benders fails more frequently to converge to the optimal solution, and NGRASP performs significantly better.
To compare the computational efficiency of both algorithms, Figure 5 and 6 show the average computing times on 16 and 49 nodes instances, respectively. On small networks, the performances are very much alike. Both algorithms become slower when and increase. On the other hand, a stark difference arises in the analysis of large networks. In the majority of cases, Benders reaches the 1hour limit before convergence. Conversely, NGRASP executes all the planned iterations within the time limit in all but 4 cases.
Overall, the picture drawn by these analyses suggests that, with an equal computational budget, Benders’ algorithm is a suitable tool only for small problems. As the size and complexity of the problem grow, NGRASP is more efficient in retrieving good quality solutions.
6. Case Study
In this section, HRICS is applied to a case study based on the central London Underground network. TFL APIs and open data are used to estimate traveling times, the origindestination demand matrix, and the share of commuters and casual travelers. The same choice model introduced in Section 5 is used. Given the lack of information regarding new candidates’ links, they have been selected with the purpose of filling the geographical gaps in the network. Their traveling times are set using the average traveling time per unit of distance computed using the existing links. The network has 51 stations and 82 links plus 17 additional links for expansion.
The case study network is drawn in Figure 7. Thicker (gray) lines are used to draw existing connections, while thinner (orange) lines identify the candidate links for expansion. Details of the different tube lines are given in Figure 8.
The first analysis is aimed at assessing the impact of increasing the budget for protection and to evaluate the benefit of combining fortifications with network expansions. To this end, the graph in Figure 9 shows the relative reduction in the objective function as resources increase from 0 to 10. The concept of resource is maintained generic as it changes across the 3 cases reported in the analysis. Specifically, with the fortificationonly case, represents the number of fortified links (i.e., ). Similarly, with the expansiononly case, is the number of links to add (i.e., ). In the combined case, limits the sum of fortifications and expansions (i.e., ). Given that for a given , there are several combinations of and such that , the graph only shows the objective of the best combination.
Results show that when budget is limited, adding new links has a better impact than fortifying existing ones. For example, when , in all 3 disruptive scenarios, adding two links results in cost reductions 5%, 3%, and 4% greater than those obtained by fortifying two links. As the budget increases, the benefit of adding new links becomes marginal and eventually is outpaced by the benefit of fortifications. It is also evident the advantage of incorporating both protection strategies. This is particularly true for small disruptions (i.e., ), when, on multiple budget points, cost reductions about 10% greater are achieved. Smaller yet significant improvements can also be observed when .
The tradeoff between fortifications and expansions is further evident in Table 4, where the best distribution between the two protection strategies of the budget resources is reported. For small values of , the majority of the resources are devoted to adding links to the network. This trend changes for larger values of , where most of the resources are directed to fortifications. The disruption intensity also appears to play a role. When , the budget distribution is more balanced, with an average gap of 0.7 (3.1 fortifications and 2.4 expansions). This gap increases to 1.6 and 3, when and , respectively.
Both analyses discussed suggest that the intensity of disruptions leads to different protection strategies. To further analyse this issue, Figure 10 highlights how frequent links are chosen for fortification and expansion. The heatmap figures are obtained by solving HRICS with , and darker and thicker lines (green for fortification and orange for expansions) are used to draw the links that are more frequently part of the protection plans. For small disruptions (i.e., ), Figure 10(a) shows that fortifications are focused on the Victoria line which is the longitudinal line connecting stations King’s Cross to Victoria. Moreover, a few more links approaching Bank/Monument station along the circle and district line are targeted for fortification. Not surprisingly, links more frequently added are near fortification hotspots, with the sole exception of the link connecting Marble Arch to Edgware Road. When and , fortification sets become more diverse. A wider focus is given to the central point of the network (i.e., Oxford Circus) being a crossroads of multiple lines. Interestingly, in both cases, when focusing on expansions, there is clear a pattern of providing alternative northtosouth connections, by adding new paths from Angel to Temple (, Figure 10(b)) and from Edgware Road to Victoria (, Figure 10(c)). While differences are evident, there are also links that are consistently selected across the 3 scenarios, suggesting that some portions of the networks are vulnerability hotspots independently on how intense a disruption might be. One clear example is the new link connecting St. Pauls to Mansion House which is almost always selected. It is also clear that the demand is the strongest factor, with popular stations like Bank/Monument, King’s Cross and Victoria, and their neighbours acting like gravity points for protective measures.
(a)
(b)
(c)
The following analysis is aimed at showing the benefit of incorporating more complex route choice models and multiple travel segments. To this aim, we compare the HRICS model with commuters and leisure travelers (referred to for clarity as ) against HRICS with only commuters and only leisure . Moreover, a fourth comparative model is used assuming a single travel behaviour where passengers abandon the trip only when a pair is fully disconnected. A crosscomparison of the protection and expansion strategies is performed by first identifying the solutions of each model and then testing these solutions on other models to measure the cost impact.
Results Table 5 show that , and all identify solutions that are suboptimal when both customer segments are considered. Although results are not too bad on average, occasionally, these models lead to significant cost increments.
Finally, we narrow the focus on a single pair (from Oxford Circus to Cannon Street), chosen as it exemplifies the advantages of joint fortification and expansion strategies.
Figure 11(a) shows 2 paths available under normal conditions. The shortest one starts with the Bakerloo line and switches to the District line at Embankment. As shown in Figure 11(b), both paths are disrupted under the worstcase scenario when , leading to the loss of the entire demand. Fortifying only the disrupted link is not enough as the same disruption outcome can be achieved by disrupting any of the 4 links shared by the 2 paths. If we assume that there are resources to fortify 2 links and add 2 new links (i.e., ), the best solution will connect Hyde Park Corner with Victoria and St. Pauls with Mansion House and fortify a small path linking Mansion House to Bank via Cannon Street (Figure 11(c)). The expansion strategy generates a new path sharing the last fortified link with the other paths. Combining these protection strategies creates a more robust connection between Oxford Circus and Cannon Street, forcing the interdictor to focus its resources elsewhere.
(a)
(b)
(c)
(d)
7. Conclusions and Future Work
This paper introduces a bilevel optimization model to find optimal fortification and design strategies to mitigate the impact of worstcase disruptions on a transportation network. The formulation accounts for different customer segments and travel behaviours. Two solutions approaches are discussed, one based on Benders decomposition, and the other is a nested GRASP heuristic. A computational analysis is run on a set of artificial grids. The decomposition algorithm identifies optimal solutions but poorly scales with the size of the networks. The heuristic is capable of finding good solutions in larger instances. The model is also applied to a case study based on the Central London underground, using real data, where possible.
Overall, the analyses point out a few interesting strategic managerial insights: the amount of budget available to hedge against disruptions plays a role in what mitigation strategies should be pursued. When the budget is small and only a few connections can be fortified, then a better strategy is to devote the resources to provide additional paths instead. As the budget increases, the benefit of combining fortifications and expansions becomes clear. These results highlight that mitigation strategies and network planning decisions, where possible, should not be considered as separate problems. Moreover, travel segments and their choice behaviours have a direct impact on where and how the protective resources are focused. Thus, suggesting that developing accurate demand models is an instrumental step for any disruption management problem. Failing to do so is bound to result in suboptimal defensive plans.
Several lines of research can be pursued to further extend this work. Accounting for multimodal transportation can allow to capture more realistically the travel. Applying the model to realistic case studies with more detailed travel segments can provide valuable insights. This is particularly true in a postcovid society where the traveling patterns and behaviour are likely to change due to the wide adoption of workfromhome policies. Expanding protection and design decisions to nodes as well is an interesting direction. For example, the current model can be combined with bikesharing station decisions.
Finally, further efforts in developing efficient solution algorithms are needed. This is particularly important if the focus is moved to larger and more complex networks, where the number of paths increases drastically and multiple travel segments are involved.
Appendix
A. Interdiction and Fortification Frameworks
To further clarify the interdiction and fortification frameworks, in this section, we provide a generic description of their components. The focus of these formulations is a system whose performance can be defined by a set of operating decisions and measured by a function of these decisions . An example of these decisions is the choice of facility locations for a supply chain design problem. In this case, the performance will be measured as travel cost from customers to facilities. The objective of a system planner would be to identify the best decisions out of a set of available options so as to optimize the system’s performances. In mathematical terms, or , depending on how the performance is modelled. In the following discussion, we assume that the system’s performance is optimized by maximising .
If the aim is to identify the most vulnerable assets of the system under study, we can model a second actor (i.e., interdictor or attacker) whose objective is to restrict decisions by choosing disruptive attacks , so that the performance of the system is minimized. Decisions are often binary to represent whether an asset is targeted for disruptions or not. They can also be continuous/integer and represent different disruptions intensity levels. The interdictor is generally limited in his actions by a budget or cardinality constraint. Assuming that is the set of all the available disruptive decisions, the interdiction problem is modelled as a bilevel program: . Solving this model will provide the set of most disruptive strategies, shedding light on where the system is most vulnerable.
Finally, if we assume that there are protection measures that can in some way limit the disruption efforts, a third actor (i.e., defender) can be modelled to identify the best allocation of such resources. The defender’s aim is, given a limited budget, to choose the best available fortification strategies and to maximize the performance of the system after a worstcase disruption. Similarly as for , fortification decisions could be binary or encode protection levels with integer/continuous variables. Formally, .
B. Benders Decomposition Algorithm
The pseudocode of the Benders decomposition algorithm is displayed as follows.

The algorithms iterate until the provable optimality gap between the bounds is equal or less than .
C. Tables with Computational Results
These appendixes report the detailed results of the computational analyses discussed in Section 5. Each row corresponds to a combination of parameters and reports the results of 2 instances of the same size. Columns Benders (UB) and Benders (sec) list the upper bound returned and computational time required by the Benders procedure. Columns NGRASP (gap %) shows the percentage gap between NGRASP and Benders. Finally, NGRASP (sec) reports the computational time spent by the heuristic (Tables 6–9).
Data Availability
The London Tube network and its traffic data are built using data openly available at https://tfl.gov.uk/infofor/opendatausers/Artificial grids that can be provided upon request to the corresponding author.
Conflicts of Interest
The authors declare that they have no conflicts of interest.
Acknowledgments
This research received support from Grants for Development of New Faculty Staff, Ratchadaphiseksomphot Endowment Fund, Chulalongkorn University.