Formation Mechanism and Coping Strategy of Public Emergency for Urban Sustainability: A Perspective of Risk Propagation in the Sociotechnical System

Urban public emergencies now break out frequently, causing heavy losses and threatening urban sustainability at the same time. To help better curb public emergencies, minimize their damage to cities, and maintain the sustainable operation of the city, this paper takes the urban public emergency as the research object, discussing the formation mechanism of urban public emergencies and putting forward feasible countermeasures. First, we propose the concept of risk propagation chain and construct an urban socio-technical system risk propagation chain model by introducing the Tropos Goal-Risk framework. The risk propagation chain formation mechanism and the emergency formation mechanism are researched by using this model to analyze the specific conditions and paths of risk propagation. Then the targeted countermeasures are put forward to prevent and manage emergencies, advancing the goal of sustainable development. Finally, a case is used to verify the theory and model. This study not only provides a theoretical framework for the formation of urban public emergencies but also provides a practical method for modeling public emergencies and dealing with urban sustainability problems.


Introduction
Sustainable development, as the core problem of the twenty-first century, has become the strategic target of urban development. Urban sustainability generally refers to the sustainable development of society, economy, and environment within the city [1]. There are quite a few studies that focus on the assessment of city sustainability [2], especially for its environmental dimensions [3,4]. In recent years, frequent urban public emergencies have caused heavy loss of life and property and adversely affected city surroundings. And more scholars have noticed the impact of public emergencies on urban sustainability [5][6][7][8]. For example, D. R. Godschalk considered the relationship between resilience and terrorism and put forwards urban hazard mitigation strategies to create resilient cities [9]. Emergencies not only cause huge economic losses but also affect cities' environmental and social stability, hindering sustainable development [10]. Managing emergencies is therefore necessary in order to maintain the sustainable development of the city. With the suddenness, uncertainty, and complexity of emergencies [11], predicting and controlling them present major difficulties. The cognitive degree of emergencies' occurrence mechanisms has a profound influence on the efficiency of handling and controlling emergencies [12]. Therefore, it is worth identifying the cause of occurrence as well as discovering the law of formation. Moreover, to minimize damage and ensure urban sustainability, it is interact with each other in the system and lead to the emergency. Although above studies initially considered the relations between various elements within the system to explore the risk, the process of propagation of risk factors in each part of the system from point of view of the sociotechnical system has not been discussed yet. In summary, the process by which risk transmits and evolves into an urban public emergency lacks a detailed and systematic analysis from the perspective of risk propagation based on the sociotechnical system. Accordingly, our research focuses on the perspective of risk propagation and urban public emergency control through the study of the formation mechanism of urban emergencies in the sociotechnical system, so as to ensure sustainable development of the city. The concept of risk propagation chain is put forward and the Tropos Goal-Risk framework is introduced to construct the risk propagation chain model of the sociotechnical system. Based on the model, the emergency formation mechanism is researched through a discussion on the specific conditions and paths of risk propagation. Under the guidance of the formation mechanism and sociotechnical system theory, effective countermeasures are proposed to prevent risks from evolving into public emergencies and to control the already transformed emergency and maintain urban sustainability.

Research Framework
The research framework of this paper is shown in Figure 1. The level of focus in this paper is urban public emergency, and the problems of focus are the formation mechanism and coping strategy of urban public emergency.
Sustainability 2018, 10, x FOR PEER REVIEW 3 of 23 elements within the system to explore the risk, the process of propagation of risk factors in each part of the system from point of view of the sociotechnical system has not been discussed yet. In summary, the process by which risk transmits and evolves into an urban public emergency lacks a detailed and systematic analysis from the perspective of risk propagation based on the sociotechnical system. Accordingly, our research focuses on the perspective of risk propagation and urban public emergency control through the study of the formation mechanism of urban emergencies in the sociotechnical system, so as to ensure sustainable development of the city. The concept of risk propagation chain is put forward and the Tropos Goal-Risk framework is introduced to construct the risk propagation chain model of the sociotechnical system. Based on the model, the emergency formation mechanism is researched through a discussion on the specific conditions and paths of risk propagation. Under the guidance of the formation mechanism and sociotechnical system theory, effective countermeasures are proposed to prevent risks from evolving into public emergencies and to control the already transformed emergency and maintain urban sustainability.

Research Framework
The research framework of this paper is shown in Figure 1. The level of focus in this paper is urban public emergency, and the problems of focus are the formation mechanism and coping strategy of urban public emergency. In order to better research urban public emergency, on the basis of sociotechnical system theory, we move up one level to urban sociotechnical system level, and regard city as urban sociotechnical system, which is composed of various types of sociotechnical systems, including the urban production system, the urban traffic system, and the urban lifeline system, and in which urban public emergency generates and evolves. "Sociotechnical", a term originally proposed by Tavistock in the UK [35], is used to refer to an organic whole consisting of people, technologies, facilities, and organizations linked together to achieve certain functions [36][37][38].
Urban sociotechnical system can be modelled using Tropos Goal-Risk framework. Tropos is a novel agent-oriented software engineering methodology [39], and has been extended to the Urban Public Emergency  Problems: How it is formed (formation mechanism) and How to cope it (coping strategy) Risk Propagation Chain  Theory: Risk management theory  In order to better research urban public emergency, on the basis of sociotechnical system theory, we move up one level to urban sociotechnical system level, and regard city as urban sociotechnical system, which is composed of various types of sociotechnical systems, including the urban production system, the urban traffic system, and the urban lifeline system, and in which urban public emergency generates and evolves. "Sociotechnical", a term originally proposed by Tavistock in the UK [35], is used to refer to an organic whole consisting of people, technologies, facilities, and organizations linked together to achieve certain functions [36][37][38].
Urban sociotechnical system can be modelled using Tropos Goal-Risk framework. Tropos is a novel agent-oriented software engineering methodology [39], and has been extended to the development of sociotechnical systems. Further, Tropos was expanded into Tropos Goal-Risk framework so as to accommodate risk analysis [40]. The Tropos Goal-Risk framework can depict the goals and internal relationships among subsystems of sociotechnical systems such as human, organization, and facility.
The formation of emergency in the urban sociotechnical system is often the result of the interaction between multiple risks, so we move down one level to risk propagation chain level on the basis of risk management theory, and research urban public emergencies by exploring the formation mechanism of risk propagation chain. Risk in a sociotechnical system, which is caused by uncertainties, exists objectively, and is characterized by transitivity. Because each part of sociotechnical system relies on the others in order for it to accomplish a common goal [41], this phenomenon cannot be neglected: the parts of the system are closely related to each other, so that when one part generates risk it may inevitably affect other parts, and may even bring losses to the entire sociotechnical system if it is not subject to effective control and management. Y. J. Hu from the perspective of system theory verified that emergency risk caused by uncertainties will lead to entropy production and disorder in system, which is not conductive to sustaining the system [42]. Based on these, the concept of risk propagation chain is proposed, which is embedded in urban sociotechnical system and can be divided into several limited risk units.
Risk propagation chain is suitable to be modelled by Tropos Goal-Risk framework, because risk is transmitted in the sociotechnical system along the dependencies among the parts, and Tropos Goal-Risk framework is able to describe risk based on the relationships among the actors within the organization, and helps to model and analyze the risk propagation chain embedded in a sociotechnical system. This framework is also a goal-oriented approach that states the "why" in addition to the "what" and "how" by clearly defining dependencies. It is therefore helpful in studying the mechanism of risk propagation chain.
To sum up, risk is accumulated, transmitted and transformed into emergency in the urban sociotechnical system, threatening urban security and development. This paper aims to first build a model of the urban sociotechnical system, and extract the risk propagation chain embedded in it. In this process, Tropos Goal-Risk framework is introduced into the model, based on the concepts, characteristics, and components of the sociotechnical system and risk propagation chain. Then the paper explores the risk propagation chain mechanism of emergencies in the sociotechnical system, so as to propose targeted countermeasures to curtail risk propagation process and promote sustainable development of cities.

Risk Unit
The formation of emergency in the urban sociotechnical system is often the result of the interaction between multiple risks, and this makes the risk propagation in the sociotechnical system complex and nonlinear [43]. In order to better identify and control the generation and propagation of risk, this paper divides the risk propagation chain into several limited units, named as risk units. According to the process and principle of risk generation, risk generation is related to the interaction between risk factors and external environmental factors, and generated risk needs something to bear. Therefore, using the definition of the disaster system theory [44], this paper proposes the concept of risk unit, considering the risk subject, external environment, and other factors as an organic overall system. The risk unit is defined as the relatively independent part that may lead to risk in the process of the formation of urban public emergency, and risk is regarded as the state shown by the risk unit. The concept map of risk unit is shown in Figure 2.

Carrier of Damage
Carrier of damage is the object that bears the loss directly when the risk occurs. It can be either tangible or intangible. According to the research objects defined in this paper, the types of carrier of damage mainly include the social and economic activities, resources (such as various facilities and equipment), individuals and their constituent organizations within the scope of the urban sociotechnical system.

Loss Factor
Loss factors are all factors that may cause damage to the carrier with uncertainties. The loss factors in the risk unit can be derived from the risk-breeding environment, or from other risk units.

Risk Breeding Environment
Risk breeding environment is composed of all the factors associated with the carriers of damage and the loss factors. The risk-breeding environment are closely related to the formation of loss factors. The loss factors acting on the carrier of damage form and breed in this environment.
Risk units do not necessarily have risks, when a loss factor exists and the damage to the carrier does not become reality, or when the loss factor is effectively restrained. Therefore, the risk unit can be risky or healthy [45].

Risk Propagation
Because of frequent risk events, risk propagation has gained more urgency and attention recently, and scholars have tried to identify and study its laws. In enterprise risk propagation, it is held that risk is transmitted through a certain path within an enterprise or within the functional departments of the enterprise [46]. In the field of supply chain, risk propagation refers to the idea that the risk source, pushed by propellants, spreads along the chain due to the correlation between the node enterprises in the supply chain [47]. Besides, M. D. Garvey et al. [23] have also proposed a framework to measure risk and risk propagation in supply network by using Bayesian Network and developed a supply chain risk propagation model which took the network structure into account. In information system, security risk analysis model (SRAM) was proposed to analyze vulnerability propagation for managing security risk [48]. Based on existing research on risk propagation elements such as transmitters, delivery boosters, and receivers [46,49], this paper puts forward the concept of risk propagation by combining the concept and elements of risk unit and exploring the process of risk propagation microscopically.
The risk propagation process is shown in Figure 2. Under the action of the propellant for transmission, a risk unit serving as a transmitter passes risk consequences (if the risk has happed) and/or loss factors by carrier of damage to other risk unit serving as a receiver.

The Risk Unit Serving as a Transmitter
There is a risk unit serving as a transmitter in the risk propagation process. The risk transmitter is not necessarily the initial sender of risk, and the risk that it may suffer can also be derived from other risk units.

The Propellant for Transmission
The propellant for transmission is an essential force for promoting risk propagation [50]. Obviously the propagation of risk will cease without certain thrust.

The Risk Unit Serving as a Receiver
There is a risk unit serving as a receiver in the risk propagation process. The risk receiver can be risky or healthy. When the transmitter passes the risk consequences and/or the loss factors to the receiver, the results are varied. The risk receiver benefits by proposing countermeasures for determining the direction of risk spreading.  Combining the two basic concepts of risk unit and risk propagation, the concept of risk propagation chain is presented as a chain formed by the interaction of the risk units depending on the propellants of the risk transmission. The risk propagation chain is embedded in the urban sociotechnical system, which is the channel of risk transmission and causing some damage. When risk occurs in a risk unit, under the effect of the propellant, the risk consequences and/or the loss factors will be attached to the carrier of damage and propagated along a certain path between the risk units, thus forming the risk propagation chain.

Tropos Goal-Risk Framework
Tropos Goal-Risk framework, shown as Figure 3, provides a conceptual model and technical support for risk identification, description, assessment, and control. This framework is composed of three layers, namely asset layer, event layer and treatment layer. In the asset layer, the various stakeholders in the environment and their intentions are identified, and the relationships among these elements are analyzed. The event layer is used to identify the uncertain factors' impacts on the asset layer. In the treatment layer, countermeasures are put forward to mitigate risks.
Tropos Goal-Risk framework is composed of five types of nodes, which are actors, goals, tasks, resources and events, and seven types of relationships, which are dependency relations, OR decomposition, AND decomposition, means-end relations, impact relations, contribution relations and alleviation relations, shown as Figure 3 and Table 1. In seven types of relationships, dependency relations represent the relationships among actors, such as Actor 1 and Actor 2 in Figure 3, and the dependency between two actors denotes that one actor (e.g., Actor 2 in Figure 3) depends on another actor (e.g., Actor 1 in Figure 3) to attain goals, execute tasks, or furnish resources for some reason; OR decomposition, AND decomposition and means-end relations depict the relationships among the nodes (i.e., goals, tasks and resources) in the asset layer; impact relations depict the influences of the nodes (i.e., events) in the event layer on the nodes in the asset layer; contribution relations and alleviation relations model the effects of the nodes (e.g., tasks) in the treatment layer on the nodes (i.e., events) or impact relations in the event layer and asset layer, moreover, contribution relations can also be used to depict the influence relationships among the nodes in the asset layer.

Risk Propagation Chain
Combining the two basic concepts of risk unit and risk propagation, the concept of risk propagation chain is presented as a chain formed by the interaction of the risk units depending on the propellants of the risk transmission. The risk propagation chain is embedded in the urban sociotechnical system, which is the channel of risk transmission and causing some damage. Under the effect of the propellant, the risk consequences (if the risk has happed) and/or the loss factors may be attached to the carrier of damage and propagated along a certain path between the risk units, thus forming the risk propagation chain.

Tropos Goal-Risk Framework
Tropos Goal-Risk framework, shown as Figure 3, provides a conceptual model and technical support for risk identification, description, assessment, and control. This framework is composed of three layers, namely asset layer, event layer and treatment layer. In the asset layer, the various stakeholders in the environment and their intentions are identified, and the relationships among these elements are analyzed. The event layer is used to identify the uncertain factors' impacts on the asset layer. In the treatment layer, countermeasures are put forward to mitigate risks.
Tropos Goal-Risk framework is composed of five types of nodes, which are actors, goals, tasks, resources and events, and seven types of relationships, which are dependency relations, OR decomposition, AND decomposition, means-end relations, impact relations, contribution relations and alleviation relations, shown as Figure 3 and Table 1. In seven types of relationships, dependency relations represent the relationships among actors, such as Actor 1 and Actor 2 in Figure 3, and the dependency between two actors denotes that one actor (e.g., Actor 2 in Figure 3) depends on another actor (e.g., Actor 1 in Figure 3) to attain goals, execute tasks, or furnish resources for some reason; OR decomposition, AND decomposition and means-end relations depict the relationships among the nodes (i.e., goals, tasks and resources) in the asset layer; impact relations depict the influences of the nodes (i.e., events) in the event layer on the nodes in the asset layer; contribution relations and alleviation relations model the effects of the nodes (e.g., tasks) in the treatment layer on the nodes (i.e., events) or impact relations in the event layer and asset layer, moreover, contribution relations can also be used to depict the influence relationships among the nodes in the asset layer.

Type Name Icon Description
Nodes Actors Stakeholders in the sociotechnical system that have their goals and achieve them by performing tasks using resources.

Goals
Objectives that actors intend to fulfill.

Tasks
Sequences of actions that are used to achieve goals in the asset layer or to treat events in the treatment layer.

Resources
A physical or informational entity that can be used to perform the task or achieve the goal.

Events
Uncertain factors which can have a negative impact on the achievement of goals or execution of tasks in the asset layer.

Relationships
Dependency relations Dependency relations represent the relationships among actors.

OR decomposition
Alternatives for the satisfaction of goals, execution of tasks, or the occurrence of events can be modeled by OR decomposition.

AND decomposition
Objects (i.e., goals, tasks, and events) can be decomposed into subobjects by using AND decomposition.

Means-end relations
Means-end relations identify the means (e.g., tasks, resources) used to fulfill goals.
Impact relations Impact relations depict the influence of an event on the asset layer.    Stakeholders in the sociotechnical system that have their goals and achieve them by performing tasks using resources.

Goal
Objectives that actors intend to fulfill.

Task
Sequences of actions that are used to achieve goals in the asset layer or to treat events in the treatment layer.

Resource
A physical or informational entity that can be used to perform the task or achieve the goal.

Asset Layer
Stakeholders in the sociotechnical system that have their goals and achieve them by performing tasks using resources.

Goals
Sustainability 2018, 10, x FOR PEER REVIEW 7 of 23  Stakeholders in the sociotechnical system that have their goals and achieve them by performing tasks using resources.

Goal
Objectives that actors intend to fulfill.

Task
Sequences of actions that are used to achieve goals in the asset layer or to treat events in the treatment layer.

Resource
A physical or informational entity that can be used to perform the task or achieve the goal.

Asset Layer
Objectives that actors intend to fulfill.   Stakeholders in the sociotechnical system that have their goals and achieve them by performing tasks using resources.

Goal
Objectives that actors intend to fulfill.

Task
Sequences of actions that are used to achieve goals in the asset layer or to treat events in the treatment layer.

Resource
A physical or informational entity that can be used to perform the task or achieve the goal.

Asset Layer
Sequences of actions that are used to achieve goals in the asset layer or to treat events in the treatment layer.

Resources
Sustainability 2018, 10, x FOR PEER REVIEW 7 of 23  Stakeholders in the sociotechnical system that have their goals and achieve them by performing tasks using resources.

Goal
Objectives that actors intend to fulfill.

Task
Sequences of actions that are used to achieve goals in the asset layer or to treat events in the treatment layer.

Resource
A physical or informational entity that can be used to perform the task or achieve the goal.

Asset Layer
A physical or informational entity that can be used to perform the task or achieve the goal.

Events
Sustainability 2018, 10, x FOR PEER REVIEW 7 of 24  Stakeholders in the sociotechnical system that have their goals and achieve them by performing tasks using resources.

Goal
Objectives that actors intend to fulfill.

Task
Sequences of actions that are used to achieve goals in the asset layer or to treat events in the treatment layer.

Resource
A physical or informational entity that can be used to perform the task or achieve the goal.

Events Event
Uncertain factors which can have a negative impact on the achievement of goals or execution of tasks in the asset layer.

Relationships
Dependency relations Dependency relations represent the relationships among actors.

OR decomposition
Alternatives for the satisfaction of goals, execution of tasks, or the occurrence of events can be modeled by OR decomposition.

Asset Layer
Uncertain factors which can have a negative impact on the achievement of goals or execution of tasks in the asset layer.

Dependency relations
Sustainability 2018, 10, x FOR PEER REVIEW 7 of 23  Stakeholders in the sociotechnical system that have their goals and achieve them by performing tasks using resources.

Goal
Objectives that actors intend to fulfill.

Task
Sequences of actions that are used to achieve goals in the asset layer or to treat events in the treatment layer.

Resource
A physical or informational entity that can be used to perform the task or achieve the goal.

Asset Layer
Dependency relations represent the relationships among actors. Alternatives for the satisfaction of goals, execution of tasks, or the occurrence of events can be modeled by OR decomposition.   Stakeholders in the sociotechnical system that have their goals and achieve them by performing tasks using resources.

Goal
Objectives that actors intend to fulfill.

Task
Sequences of actions that are used to achieve goals in the asset layer or to treat events in the treatment layer.

Resource
A physical or informational entity that can be used to perform the task or achieve the goal.

Asset Layer
Objects (i.e., goals, tasks, and events) can be decomposed into sub-objects by using AND decomposition.   Stakeholders in the sociotechnical system that have their goals and achieve them by performing tasks using resources.

Goal
Objectives that actors intend to fulfill.

Task
Sequences of actions that are used to achieve goals in the asset layer or to treat events in the treatment layer.

Resource
A physical or informational entity that can be used to perform the task or achieve the goal.

Events Event
Uncertain factors which can have a negative impact on the achievement of goals or execution of tasks in the asset layer.

Asset Layer
Means-end relations identify the means (e.g., tasks, resources) used to fulfill goals.   Stakeholders in the sociotechnical system that have their goals and achieve them by performing tasks using resources.

Goal
Objectives that actors intend to fulfill.

Task
Sequences of actions that are used to achieve goals in the asset layer or to treat events in the treatment layer.

Resource
A physical or informational entity that can be used to perform the task or achieve the goal.

Asset Layer
Impact relations depict the influence of an event on the asset layer.

Urban sociotechnical system model
Each subsystem of the urban sociotechnical system, as a function carrier, undertakes different tasks and links with the others to ensure the stable operation of the urban system. The urban sociotechnical system is modeled to illustrate the subsystems and their dependencies, and to identify and represent the risks within them. First the urban sociotechnical system is divided into layers, and then the sociotechnical system model is constructed using the Tropos Goal-Risk framework, shown as Phase 1 in Figure 4. Svedung proposed a hierarchical structure model for risk management of sociotechnical systems [32], but the six-layer model simply piles up layers and is unable to reflect the links between them. Therefore, this paper draws on ecological organization theory [26], dividing the sociotechnical system into three levels from top to bottom, which are the ecology layer, system feature layer and operation layer. There are inclusion and dependency relations among all the three layers. In ecology layer, the relationships between stakeholders, and thus the emergency breeding environment of the urban Phase 1：

Phase 2：
Risk propagation chain model

Urban sociotechnical system model
Each subsystem of the urban sociotechnical system, as a function carrier, undertakes different tasks and links with the others to ensure the stable operation of the urban system. The urban sociotechnical system is modeled to illustrate the subsystems and their dependencies, and to identify and represent the risks within them. First the urban sociotechnical system is divided into layers, and then the sociotechnical system model is constructed using the Tropos Goal-Risk framework, shown as Phase 1 in Figure 4. Svedung proposed a hierarchical structure model for risk management of sociotechnical systems [32], but the six-layer model simply piles up layers and is unable to reflect the links between them. Therefore, this paper draws on ecological organization theory [26], dividing the sociotechnical system into three levels from top to bottom, which are the ecology layer, system feature layer and operation layer. There are inclusion and dependency relations among all the three layers. In ecology layer, the relationships between stakeholders, and thus the emergency breeding environment of the urban Phase 1：

Phase 2：
Risk propagation chain model Alleviation relations, which can be distinguished into: -and -, are used to model the reduction of the influences of events on the asset layer by adopting the treatments, whose objects of action are impact relations.

Urban Sociotechnical System Model
Each subsystem of the urban sociotechnical system, as a function carrier, undertakes different tasks and links with the others to ensure the stable operation of the urban system. The urban sociotechnical system is modeled to illustrate the subsystems and their dependencies, and to identify and represent the risks within them. First the urban sociotechnical system is divided into layers, and then the sociotechnical system model is constructed using the Tropos Goal-Risk framework, shown as Phase 1 in Figure 4.

Urban sociotechnical system model
Each subsystem of the urban sociotechnical system, as a function carrier, undertakes different tasks and links with the others to ensure the stable operation of the urban system. The urban sociotechnical system is modeled to illustrate the subsystems and their dependencies, and to identify and represent the risks within them. First the urban sociotechnical system is divided into layers, and then the sociotechnical system model is constructed using the Tropos Goal-Risk framework, shown as Phase 1 in Figure 4. Svedung proposed a hierarchical structure model for risk management of sociotechnical systems [32], but the six-layer model simply piles up layers and is unable to reflect the links between them. Therefore, this paper draws on ecological organization theory [26], dividing the sociotechnical system into three levels from top to bottom, which are the ecology layer, system feature layer and operation layer. There are inclusion and dependency relations among all the three layers. In ecology layer, the relationships between stakeholders, and thus the emergency breeding environment of the urban Phase 1：

Phase 2：
Risk propagation chain model Svedung proposed a hierarchical structure model for risk management of sociotechnical systems [32], but the six-layer model simply piles up layers and is unable to reflect the links between them. Therefore, this paper draws on ecological organization theory [26], dividing the sociotechnical system into three levels from top to bottom, which are the ecology layer, system feature layer and operation layer. There are inclusion and dependency relations among all the three layers. In ecology layer, the relationships between stakeholders, and thus the emergency breeding environment of the urban sociotechnical system are studied. The system feature layer describes the structure of the system features. Finally, the operation layer is used to further refine each subsystem. The behavior of people within an organizational environment and their relationships with other people, as well as technical equipment, are also researched in the last layer.
After analyzing the hierarchical division of the urban sociotechnical system, we start to construct the urban sociotechnical system model, which involves the first two layers of the Tropos Goal-Risk framework. Modeling the asset layer aims to use the concept of actors (entities in a system that has autonomous behaviors) to describe the sociotechnical subsystem. The intention of the subsystem can be modeled by the goals, tasks, and resources, and the relationships between the subsystems can be analyzed by adopting goal, task, and resource dependencies. The impact of uncertain factors on the asset layer is used to construct the event layer. The constructs of the urban sociotechnical system model are shown in Table 1.

Risk Propagation Chain Model
The actors cooperating with each other form the network chain structure to support the operation of the sociotechnical system. It is obvious that risks can be transmitted in the system due to the dependencies. The risk propagation is multidimensional and also includes human, technical and socio-economic factors and so on [51]. By constructing the risk propagation model in sociotechnical system, the multidimensional factors can be taken into account. Accordingly, constructing an urban public emergency risk propagation chain model means identifying the risk units inside actors and extracting the process of risk propagation based on the urban sociotechnical system, as shown in Phase 2 of Figure 4.
The first step is to identify the risk unit. According to the concept of risk unit, the various elements of the risk unit within the actor are recognized. In the urban sociotechnical system, the carriers of damage include resources, social and economic activities, people, and organizations. In order to model conveniently, we consider people and organizations as actors in the sociotechnical system model, and their intentions are classified as the carriers of damage. Therefore, in the previously constructed model of the urban sociotechnical system, the nodes in the asset layer, which are affected by the loss factors, are considered as carriers of damage, including goals, tasks, and resources. The risk breeding environment is composed of all the factors associated with the carriers of damage and the loss factors. Accordingly, the elements associated with the carriers of damage and the loss factors in the asset layer constitute the risk breeding environment. The loss factors are expressed by the relevant nodes acting on the carriers of damage in the event layer.
Next, the process of risk propagation is extracted. The risk propagation process consists of three parts: the transmitter, the propellant, and the receiver. The modeling of risk propagation processes can be divided into two steps: (1) identify the risk units serving as transmitters and the risk units serving as receivers in the risk units of the constructed model; and (2) identify the propellant for propagation. The interdependence between the actors in the urban sociotechnical system model creates favorable conditions for risk propagation. Therefore, the dependence between the actors that connects the two risk units is the propellant for propagation. There are three types of propellants for propagation: goal dependence, task dependence, and resource dependence. The extraction of the chain formed by the interaction of risk units is the construction of the risk propagation chain.

Formation Mechanism of Urban Public Emergency
In the Chinese National Emergency Plan for Public Emergencies [52], public emergencies are divided into the following four categories: natural disasters, accident disasters, public health incidents, and social security incidents. The urban public emergencies also include these four categories because the city is the main acceptant subject of public emergencies. According to the connotation of sociotechnical system, the interaction of human, organization and technical factors results in the urban public emergencies. Therefore, this paper does not consider emergencies caused by natural factors or social security incidents caused by human factors. Accident disasters and public health incidents are the main types of urban public emergencies considered here.
The risk propagation chain describes the generation, propagation, and evolution process of risk. On basis of the risk propagation chain model in sociotechnical system, this paper discusses the formation mechanism of risk propagation chain with the help of Tropos Goal-Risk framework and sociotechnical system, thus exploring the formation mechanism of urban public emergency. Observing the risk propagation chain model, it is obvious that the risk propagation chain is actually a combination of various types of transitive relationships between risk units. As a result, we should start from the "part" of the risk propagation chain and analyze the basic modes of the risk propagation between risk units. Later, the "overall" basic modes of the risk propagation chain are studied. Finally, the mechanism of urban public emergency is studied from two perspectives: the formation process and the formation form.

Basic Modes of Risk Propagation
From the view of the basic elements of risk propagation process, it is concluded that the propagation between risk units can form some basic modes in different angles [53]. In this paper, the Tropos Goal-Risk framework is used to describe the micro mechanism of each basic model, and the propagation mechanism between the risk units is explored based on the basic elements of risk propagation process.
Focusing on one or more elements of risk propagation process, according to the characteristics of the elements of focus, at least eight basic modes of risk propagation can be attained, shown as Table 2. Focusing on the transmitter of risk propagation process, the risk consequences and/or the loss factors can be attached to the carrier of damage and moved out of the risk unit serving as the transmitter, or the risk consequences and/or the loss factors remain in the risk unit serving as the transmitter when they spread outward. Thus, there are risk transfer mode and risk contagion mode focusing on the transmitter.
Risk transfer refers to the process by which the carrier of damage carrying the risk consequences and/or the loss factors is moved out of the risk unit serving as the transmitter, under the action of the propellant, entering into the risk unit serving as the receiver, shown as Figure 5. Actor A1 needs to rely on A2 to provide the resource R1 to execute the task T3, so that A1 can complete the task T1; A2 provides R1 by executing the task T4. However, due to loss factor E2, the quality of work of T4 could be influenced, and the resource R1 could become unqualified material. Under the action of dependence, the risk consequence attached to the carrier of damage R1 will be moved out of the risk unit 2 , and enter into the risk unit 1 . Thus, the risk consequence attached to the carrier R1 is transferred from the risk unit 2 to the risk unit 1 . Risk contagion describes the idea that from the spatial point of view, when the risk consequences and/or the loss factors attached to the carrier of damage transmit from the transmitter to the receiver, the risk consequences and/or the loss factors still exist in the transmitter, shown as Figure 6. This mode expands the scope of risk.

The Basic Modes Focusing on the Receiver
Focusing on the receiver of risk propagation process, after the receiver received the risk consequences and/or the loss factors attached to the carrier of damage, the risk consequences and/or the loss factors could (1) work together with the risk consequences and/or the loss factors inside the receiver; (2) be restrained by the receiver; (3) cause the risk breeding environment of the receiver to change and generate new risk consequences and/or new loss factors. Thus, there are risk overlap mode, risk restraint mode and risk mutation mode focusing on the receiver.
Risk overlap refers that the risk transmits to another unit and overlaps with the risk inside the unit. In Figure 5, the risks of the risk unit ① include two parts, one of which comes from the risk unit ②, and the other of which is generated by itself. That is to say, the two parts jointly affect the execution of the task T1.
Risk restraint refers to the fact that the risk could be inhibited when transmitted to another unit. In Figure 6, the risk consequence of the risk unit ② attached to the carrier can be transmitted to the risk unit ①. However, because the actor A1 has two ways to achieve goal G1 (the task T1 and the task T2), when the task T2 cannot be executed, the task T1 can ensure the completion of the goal. That is to say, the risk consequence transmitted from the transmitter can be restrained to a certain extent.
Risk mutation refers to the fact that the risk consequences and/or the loss factors received by the receiver could cause the risk breeding environment of the receiver to change and produce new risk consequences and/or new loss factors. In Figure 7, the task T2 of the actor A1 requires the actor A2 to execute the task T3 to complete. However, the quality of the task T3 is affected by the loss factor E1 when in operation, and the corresponding risk consequence can be transmitted to A1 dependent on Risk contagion describes the idea that from the spatial point of view, when the risk consequences and/or the loss factors attached to the carrier of damage transmit from the transmitter to the receiver, the risk consequences and/or the loss factors still exist in the transmitter, shown as Figure 6. This mode expands the scope of risk. Risk contagion describes the idea that from the spatial point of view, when the risk consequences and/or the loss factors attached to the carrier of damage transmit from the transmitter to the receiver, the risk consequences and/or the loss factors still exist in the transmitter, shown as Figure 6. This mode expands the scope of risk.

The Basic Modes Focusing on the Receiver
Focusing on the receiver of risk propagation process, after the receiver received the risk consequences and/or the loss factors attached to the carrier of damage, the risk consequences and/or the loss factors could (1) work together with the risk consequences and/or the loss factors inside the receiver; (2) be restrained by the receiver; (3) cause the risk breeding environment of the receiver to change and generate new risk consequences and/or new loss factors. Thus, there are risk overlap mode, risk restraint mode and risk mutation mode focusing on the receiver.
Risk overlap refers that the risk transmits to another unit and overlaps with the risk inside the unit. In Figure 5, the risks of the risk unit ① include two parts, one of which comes from the risk unit ②, and the other of which is generated by itself. That is to say, the two parts jointly affect the execution of the task T1.
Risk restraint refers to the fact that the risk could be inhibited when transmitted to another unit. In Figure 6, the risk consequence of the risk unit ② attached to the carrier can be transmitted to the risk unit ①. However, because the actor A1 has two ways to achieve goal G1 (the task T1 and the task T2), when the task T2 cannot be executed, the task T1 can ensure the completion of the goal. That is to say, the risk consequence transmitted from the transmitter can be restrained to a certain extent.
Risk mutation refers to the fact that the risk consequences and/or the loss factors received by the receiver could cause the risk breeding environment of the receiver to change and produce new risk consequences and/or new loss factors. In Figure 7, the task T2 of the actor A1 requires the actor A2 to execute the task T3 to complete. However, the quality of the task T3 is affected by the loss factor E1 when in operation, and the corresponding risk consequence can be transmitted to A1 dependent on

The Basic Modes Focusing on the Receiver
Focusing on the receiver of risk propagation process, after the receiver received the risk consequences and/or the loss factors attached to the carrier of damage, the risk consequences and/or the loss factors could (1) work together with the risk consequences and/or the loss factors inside the receiver; (2) be restrained by the receiver; (3) cause the risk breeding environment of the receiver to change and generate new risk consequences and/or new loss factors. Thus, there are risk overlap mode, risk restraint mode and risk mutation mode focusing on the receiver.
Risk overlap refers that the risk transmits to another unit and overlaps with the risk inside the unit. In Figure 5, the risks of the risk unit 1 include two parts, one of which comes from the risk unit 2 , and the other of which is generated by itself. That is to say, the two parts jointly affect the execution of the task T1.
Risk restraint refers to the fact that the risk could be inhibited when transmitted to another unit. In Figure 6, the risk consequence of the risk unit 2 attached to the carrier can be transmitted to the risk unit 1 . However, because the actor A1 has two ways to achieve goal G1 (the task T1 and the task T2), when the task T2 cannot be executed, the task T1 can ensure the completion of the goal. That is to say, the risk consequence transmitted from the transmitter can be restrained to a certain extent.
Risk mutation refers to the fact that the risk consequences and/or the loss factors received by the receiver could cause the risk breeding environment of the receiver to change and produce new risk consequences and/or new loss factors. In Figure 7, the task T2 of the actor A1 requires the actor A2 to execute the task T3 to complete. However, the quality of the task T3 is affected by the loss factor E1 when in operation, and the corresponding risk consequence can be transmitted to A1 dependent on T2, and make the breeding environment of A1 mutate. The mutation generates new loss factor E2, damaging the task T1.  Focusing on the transmitter(s) and the receiver(s), risk propagation can be from one to many, from many to one, and from one to one.
Risk propagation from one to many means that the risk consequences and/or the loss factors are transmitted from one risk unit to multiple other risk units. During this propagation, the risk unit as a transmitter may have more than one risk consequences and/or loss factors that can be transmitted. The carriers and the propellants are not necessarily the same in different directions of propagation. As shown in Figure 8, the risk consequence caused by the loss factor E1 to the task T1.2 is transmitted to the risk unit ② and ③ respectively via task dependencies. Risk propagation from many to one means that the risk consequences and/or the loss factors are transmitted from multiple risk units to one. As shown in Figure 9, the task T1 of the actor A1 is decomposed into T2 and T3, which are delegated to the actors A2 and A3 to execute, respectively, and the risk consequences and/or the loss factors carried by T2 and T3 converges and overlaps in the risk unit ① via the dependency relationships.

The Basic Modes Focusing on the Transmitter(s) and the Receiver(s)
Focusing on the transmitter(s) and the receiver(s), risk propagation can be from one to many, from many to one, and from one to one.
Risk propagation from one to many means that the risk consequences and/or the loss factors are transmitted from one risk unit to multiple other risk units. During this propagation, the risk unit as a transmitter may have more than one risk consequences and/or loss factors that can be transmitted. The carriers and the propellants are not necessarily the same in different directions of propagation. As shown in Figure 8, the risk consequence caused by the loss factor E1 to the task T1.2 is transmitted to the risk unit 2 and 3 respectively via task dependencies.  Focusing on the transmitter(s) and the receiver(s), risk propagation can be from one to many, from many to one, and from one to one.
Risk propagation from one to many means that the risk consequences and/or the loss factors are transmitted from one risk unit to multiple other risk units. During this propagation, the risk unit as a transmitter may have more than one risk consequences and/or loss factors that can be transmitted. The carriers and the propellants are not necessarily the same in different directions of propagation. As shown in Figure 8, the risk consequence caused by the loss factor E1 to the task T1.2 is transmitted to the risk unit ② and ③ respectively via task dependencies. Risk propagation from many to one means that the risk consequences and/or the loss factors are transmitted from multiple risk units to one. As shown in Figure 9, the task T1 of the actor A1 is decomposed into T2 and T3, which are delegated to the actors A2 and A3 to execute, respectively, and the risk consequences and/or the loss factors carried by T2 and T3 converges and overlaps in the risk unit ① via the dependency relationships. Risk propagation from many to one means that the risk consequences and/or the loss factors are transmitted from multiple risk units to one. As shown in Figure 9, the task T1 of the actor A1 is decomposed into T2 and T3, which are delegated to the actors A2 and A3 to execute, respectively, and the risk consequences and/or the loss factors carried by T2 and T3 converges and overlaps in the risk unit 1 via the dependency relationships. Risk propagation from one to one means that the risk consequences and/or the loss factors are transmitted from one risk unit to another one, which can be seen as the special case of from many to one or from one to many.
Obviously, for anyone of the three basic modes focusing on the transmitter(s) and the receiver(s), if the focus shifts to the transmitter or receiver, the mode can contain some basic modes focusing on the transmitter or receiver.

Basic modes of risk propagation chain
The basic modes of risk propagation chain are the "overall" mechanisms of risk propagation chain, which should build on the "part" mechanisms of the risk propagation chain, i.e., the basic modes of risk propagation.
In the model of risk propagation chain, risk is transmitted from the risk unit as the risk source to the risk unit as the final receiver through the dependency relationships between the actors. The direction of the propagation is the opposite of that in the dependency relationships. Obviously, the propagation of risk is directional, not blind and disorder. According to the characteristics of risk propagation directions and paths, the current research mainly studies two basic modes of risk propagation chain, i.e., chain pattern and network pattern [54].

Chain Pattern
Chain pattern of risk propagation process includes a series of risk propagation from one to one. In the chain pattern, besides the risk unit as the initial transmitter and the risk unit as the final receiver, other risk units both receive risk as the receivers and transmit risk as the transmitters. In the urban sociotechnical system, actors at the upper layer often rely on the next layer actors to achieve goals or execute tasks. Therefore, there is a specific chain pattern in which the risk is transmitted from the bottom up (i.e., reversing the dependency from the top down). More specifically, the risk is transmitted from the operation layer to the system feature layer, and finally to the ecology layer.

Network Pattern
The risk propagation chain is the network pattern when there are risk propagation from one to many and/or from many to one in the risk propagation chain. Network pattern can be divided into network-centralized mode (only contain risk propagation from many to one), network divergent mode (only contain risk propagation from one to many), and network mixed mode (contain both risk propagation from many to one and from one to many) [54]. Because the risk propagation chain is complex due to the interdependencies among actors in the urban sociotechnical system, the pattern of the risk propagation chain is mostly the network mixed mode. Risk propagation from one to one means that the risk consequences and/or the loss factors are transmitted from one risk unit to another one, which can be seen as the special case of from many to one or from one to many.
Obviously, for anyone of the three basic modes focusing on the transmitter(s) and the receiver(s), if the focus shifts to the transmitter or receiver, the mode can contain some basic modes focusing on the transmitter or receiver.

Basic Modes of Risk Propagation Chain
The basic modes of risk propagation chain are the "overall" mechanisms of risk propagation chain, which should build on the "part" mechanisms of the risk propagation chain, i.e., the basic modes of risk propagation.
In the model of risk propagation chain, risk is transmitted from the risk unit as the risk source to the risk unit as the final receiver through the dependency relationships between the actors. The direction of the propagation is the opposite of that in the dependency relationships. Obviously, the propagation of risk is directional, not blind and disorder. According to the characteristics of risk propagation directions and paths, the current research mainly studies two basic modes of risk propagation chain, i.e., chain pattern and network pattern [54].

Chain Pattern
Chain pattern of risk propagation process includes a series of risk propagations from one to one. In the chain pattern, besides the risk unit as the initial transmitter and the risk unit as the final receiver, other risk units both receive risk as the receivers and transmit risk as the transmitters. In the urban sociotechnical system, actors at the upper layer often rely on the next layer actors to achieve goals or execute tasks. Therefore, there is a specific chain pattern in which the risk is transmitted from the bottom up (i.e., reversing the dependency from the top down). More specifically, the risk is transmitted from the operation layer to the system feature layer, and finally to the ecology layer.

Network Pattern
The risk propagation chain is the network pattern when there are risk propagations from one to many and/or from many to one in the risk propagation chain. Network pattern can be divided into network-centralized mode (only contain risk propagation from many to one), network divergent mode (only contain risk propagation from one to many), and network mixed mode (contain both risk propagation from many to one and from one to many) [54]. Because the risk propagation chain is complex due to the interdependencies among actors in the urban sociotechnical system, the pattern of the risk propagation chain is mostly the network mixed mode.

Formation Mechanism of Urban Public Emergency
Urban public emergency represents risk transforming into reality. Based on the mechanism of risk propagation chain, this paper analyzes the formation mechanism of urban public emergency from two aspects, i.e., formation process and formation form.

The Formation Process of Urban Public Emergency
The formation process of urban public emergency involves two stages: precursor stage and outbreak stage. Although risk erupts only in a flash, it has actually experienced a longer risk propagation stage before the eruption. The precursor stage involves the risk introduction latent stage and the risk brewing diffusion stage [55]. Risk generates in risk unit, under the action of propellant, transfers, spreads, overlaps, or mutates in certain risk propagation path. When the risk reaches the final risk receiver or risk energy exceeds the capacity of the urban sociotechnical system, public emergency breaks out and threatens social stability.

The Formation form of Urban Public Emergency
There are two types of the formation form of urban public emergency: sudden and gradual. This division is mainly based on the perception time of the qualitative change of risk and the critical point of outbreak. The critical point of the perceived time for the gradual type is earlier than that of the sudden type. In the gradual type, people have sensed the coming danger via dominant symptom before the occurrence of the event, but the event will break out due to a lack of immediate control measures. In the sudden type, because potential risk is not perceived, risk continues to accumulate and eventually leads to damage.

Countermeasures of Urban Public Emergency
There are two aspects of countermeasures for dealing with urban public emergency: the first is prevention and control measures before the uncertain risk factors evolve into an emergency; the second is coping measures when the risks evolve into an emergency. This paper mainly focuses on the first countermeasures. The countermeasures are proposed by constructing the treatment layer of the Tropos Goal-Risk framework to curb the development of events, reduce social and economic losses, and achieve the goal of sustainable development.

Countermeasures before Emergency
According to the mechanism of risk propagation chain, risk produces in a risk unit, and transfers along a certain path under the function of the propellant. Transmitting risks successfully depends on some basic elements constituting the process of risk propagation. So the treatments can be elicited through controlling the basic elements constituting the process of risk propagation [47]. In the risk propagation chain, a basic process of risk propagation includes the risk units serving as transmitters, the propellants for propagation and the risk units serving as receivers. Therefore, the establishment of risk control measures is in accordance with the three elements. This paper adopts the Tropos Goal-Risk framework to institute measures to reduce the possibility of risk or the harm caused by risk. Specific risk control measures are proposed from the two threads of technology control and social intervention under the guidance of the sociotechnical system theory.

Controlling the Risk Units Serving as Transmitters
In all risk propagation processes, risk units can be summarized as the following three types according to the source of risk: 1 The original producer of risks, namely the risk source; 2 The risks of the risk unit arise only from other risk units; 3 The risks of the risk unit come from a combination of other risk units and its own. This section considers risk units like 1 and 3 , which can internally generate risk, in order to cut the source of the risk to inhibit the propagation. Risk units like 2 and 3 , that have the risks arising from other risk units, will be considered in Section 5.1.3.
Focusing on the transmitter, there are risk transfer mode and risk contagion mode for risk propagation. Whether controlling risk transfer or risk contagion, according to risk management theory, a treatment should be adopted to impact a risk by reducing its likelihood or mitigating the loss it may incur. According to the characteristics of the risk unit that constitutes the risk propagation chain, two kinds of treatments can be worked out. First, reduce the likelihood of the loss factor in the risk unit, which is expressed by the contribution relations in the third layer, as shown in Figure 10. The loss factor E2 will cause loss to the goal G1.2 in the asset layer, and the contribution relation (expressed as an arrow) between the risk control measures C2 and E2 helps to inhibit the loss factor's occurrence. Second, mitigate the loss caused by the loss factor to the asset layer and reduce it to an acceptable level of risk. This kind of treatment is expressed as alleviation relation in the model. In Figure 10, C1 points to the impact relations between E1 and T, and "-" indicates that treatment C1 has a weakening effect on the extent of impact. Focusing on the transmitter, there are risk transfer mode and risk contagion mode for risk propagation. Whether controlling risk transfer or risk contagion, according to risk management theory, a treatment should be adopted to impact a risk by reducing its likelihood or mitigating the loss it may incur. According to the characteristics of the risk unit that constitutes the risk propagation chain, two kinds of treatments can be worked out. First, reduce the likelihood of the loss factor in the risk unit, which is expressed by the contribution relations in the third layer, as shown in Figure 10. The loss factor E2 will cause loss to the goal G1.2 in the asset layer, and the contribution relation (expressed as an arrow) between the risk control measures C2 and E2 helps to inhibit the loss factor's occurrence. Second, mitigate the loss caused by the loss factor to the asset layer and reduce it to an acceptable level of risk. This kind of treatment is expressed as alleviation relation in the model. In Figure 10, C1 points to the impact relations between E1 and T, and "-" indicates that treatment C1 has a weakening effect on the extent of impact.

Controlling the Propellants for Propagation
The propellants for propagation are the dependencies between the two actors, so an obvious measure for controlling the propellants is cutting off the dependencies. But if the dependencies between the actors are inevitable, ensuring the risk attached to the carrier of damage in a controllable level will be the focus of controlling the propellant. The carrier of damage is actually an element of the risk unit serving as the transmitter, and therefore controlling the risk level corresponds to controlling the risk unit serving as the transmitter.

Controlling the Risk Units Serving as Receivers
Focusing on the receiver, there are risk overlap mode, risk restraint mode and risk mutation mode for risk propagation. If risk is received by the risk unit in the mode of risk restraint, it can be controlled by the risk unit itself. If risk is received by the risk unit in the mode of risk overlap and/or risk mutation, it can be mitigated by reducing severity strategy or eliminating strategy.
The reducing severity strategy focuses on controlling the risk consequence. For example, shown as Figure 11, the risk carried by T1 changes the breeding environment of the receiver unit and forms a new loss factor E2 inside the receiver unit, affecting the intention elements in the asset layer, therefore, the reducing severity strategy C1 can be addressed so as to form an alleviation relation and control the corresponding risk consequence.

Controlling the Propellants for Propagation
The propellants for propagation are the dependencies between the two actors, so an obvious measure for controlling the propellants is cutting off the dependencies. But if the dependencies between the actors are inevitable, ensuring the risk attached to the carrier of damage in a controllable level will be the focus of controlling the propellant. The carrier of damage is actually an element of the risk unit serving as the transmitter, and therefore controlling the risk level corresponds to controlling the risk unit serving as the transmitter.

Controlling the Risk Units Serving as Receivers
Focusing on the receiver, there are risk overlap mode, risk restraint mode and risk mutation mode for risk propagation. If risk is received by the risk unit in the mode of risk restraint, it can be controlled by the risk unit itself. If risk is received by the risk unit in the mode of risk overlap and/or risk mutation, it can be mitigated by reducing severity strategy or eliminating strategy.
The reducing severity strategy focuses on controlling the risk consequence. For example, shown as Figure 11, the risk carried by T1 changes the breeding environment of the receiver unit and forms a new loss factor E2 inside the receiver unit, affecting the intention elements in the asset layer, therefore, the reducing severity strategy C1 can be addressed so as to form an alleviation relation and control the corresponding risk consequence. The eliminating strategy focuses on controlling the likelihood of risk occurrence, that is, the likelihood of the loss factor. For example, shown as Figure 12, the risk carried by T2 creates a new loss factor E1.2, which is the child node of E1, meanwhile, the treatment C1 acts directly on the root node E1, which affects the implementation of task T1, controlling the likelihood of the loss factor E1.2. Public emergencies within the sociotechnical system are often caused mainly by humans, equipment, and facilities, as well as by organizational management loss factors. Thus, the corresponding measures can be considered from the two aspects: technology control and social intervention. The objects of technology control are equipment and facility factors, while the objects of social intervention involve human, equipment, and facilities, as well as organizational management factors. Social intervention of the equipment and facilities mainly refers to changing the unsafe states of the equipment and facilities via organization and management. Hence, according to the formation mechanism of risk propagation chain and based on the actual risk propagation chain model, we can work out specific control measures to curb the occurrence of emergencies from the two clues of social and technological control.
It needs to be pointed out that we mainly use the basic modes focusing on the transmitter and the receiver to consider the countermeasures in this section. Other basic modes involve considering the countermeasures from the whole point of view, due to space limitations, we will research it in another paper.

Countermeasures after Emergencies
When the risk has reached the final risk receiver and the risk level exceeds its capacity, an urban public emergency breaks out. When urban public emergency occurs, the treatment aims to control the development of events in time. The specific response is as follows: first, the responsible body of the incident should report information, and at the same time, in order to prevent the events escalating, prior disposal is required. Next, search, match, and initiate emergency plans based on the The eliminating strategy focuses on controlling the likelihood of risk occurrence, that is, the likelihood of the loss factor. For example, shown as Figure 12, the risk carried by T2 creates a new loss factor E1.2, which is the child node of E1, meanwhile, the treatment C1 acts directly on the root node E1, which affects the implementation of task T1, controlling the likelihood of the loss factor E1.2. The eliminating strategy focuses on controlling the likelihood of risk occurrence, that is, the likelihood of the loss factor. For example, shown as Figure 12, the risk carried by T2 creates a new loss factor E1.2, which is the child node of E1, meanwhile, the treatment C1 acts directly on the root node E1, which affects the implementation of task T1, controlling the likelihood of the loss factor E1.2. Public emergencies within the sociotechnical system are often caused mainly by humans, equipment, and facilities, as well as by organizational management loss factors. Thus, the corresponding measures can be considered from the two aspects: technology control and social intervention. The objects of technology control are equipment and facility factors, while the objects of social intervention involve human, equipment, and facilities, as well as organizational management factors. Social intervention of the equipment and facilities mainly refers to changing the unsafe states of the equipment and facilities via organization and management. Hence, according to the formation mechanism of risk propagation chain and based on the actual risk propagation chain model, we can work out specific control measures to curb the occurrence of emergencies from the two clues of social and technological control.
It needs to be pointed out that we mainly use the basic modes focusing on the transmitter and the receiver to consider the countermeasures in this section. Other basic modes involve considering the countermeasures from the whole point of view, due to space limitations, we will research it in another paper.

Countermeasures after Emergencies
When the risk has reached the final risk receiver and the risk level exceeds its capacity, an urban public emergency breaks out. When urban public emergency occurs, the treatment aims to control the development of events in time. The specific response is as follows: first, the responsible body of the incident should report information, and at the same time, in order to prevent the events escalating, prior disposal is required. Next, search, match, and initiate emergency plans based on the Public emergencies within the sociotechnical system are often caused mainly by humans, equipment, and facilities, as well as by organizational management loss factors. Thus, the corresponding measures can be considered from the two aspects: technology control and social intervention. The objects of technology control are equipment and facility factors, while the objects of social intervention involve human, equipment, and facilities, as well as organizational management factors. Social intervention of the equipment and facilities mainly refers to changing the unsafe states of the equipment and facilities via organization and management. Hence, according to the formation mechanism of risk propagation chain and based on the actual risk propagation chain model, we can work out specific control measures to curb the occurrence of emergencies from the two clues of social and technological control.
It needs to be pointed out that we mainly use the basic modes focusing on the transmitter and the receiver to consider the countermeasures in this section. Other basic modes involve considering the countermeasures from the whole point of view, due to space limitations, we will research it in another paper.

Countermeasures after Emergencies
When the risk has reached the final risk receiver and the risk level exceeds its capacity, an urban public emergency breaks out. When urban public emergency occurs, the treatment aims to control the development of events in time. The specific response is as follows: first, the responsible body of the incident should report information, and at the same time, in order to prevent the events escalating, prior disposal is required. Next, search, match, and initiate emergency plans based on the type of event, the scope of impact, and the results of the hazard assessment. After starting the emergency plan, the emergency organization should respond immediately, set up the on-site command, carry out and coordinate the rescue work, and evacuate the masses to control the expansion of the accident and gradually eliminate the event. The emergency rescue plan should be adjusted dynamically according to the response effect during the emergency response. If the situation worsens, the input of emergency rescue resources should be increased to prevent further escalation.

Case Study
This paper selects the rear-end collision of Shanghai Metro Line 10 in 2011 for a case study. Based on analyzing the formation mechanism of the accident, the countermeasures are put forward, so as to verify the theoretical results of this paper, and to provide a reference for efforts to promote sustainable urban development.

Subway Sociotechnical System Model
According to the background of the case, this paper first models the subway system that gives rise to the accident by applying the Tropos Goal-Risk framework. In the subway sociotechnical system model, the parts and the dependencies among them, as well as the risks, are captured and described. The subway sociotechnical system model involves the first two layers of the framework, namely asset layer and event layer. Before constructing the model, we first divide the subway sociotechnical system into layers. From top to bottom, the first layer is the ecology layer, and the subjects related to the accident mainly include passengers and the Shanghai metro operation system, which are interrelated with each other. The second layer is the system feature layer. This layer mainly involves the subsystems of the subway operation system and its internal management activities. The last layer is the operation layer. The operation layer takes the personnel that make up the subsystems of the subway and their relationships with other personnel and with technical equipment into account.
Then, each layer is constructed with asset and event layer by the Tropos Goal-Risk framework from top to bottom. The asset layer mainly describes dependencies between actors, and refines the intentions of the actors by identifying each actor's goals that need to be achieved and tasks that need to be performed. As is shown in Figure 13, passengers hope the subway system can guarantee their safety of life and property as well as allow them to reach their destination in time. Therefore, there is goal dependence between the passengers and the subway system. The dependencies among the actors are shown below in Table 3.
The event layer is constructed based on the asset layer, and uncertainties in the actors of this accident are identified from the view of the goals and tasks. The uncertainties are expressed by events in the model and the influences of the events on the asset layer are described by impact relations.
The subway sociotechnical system model for rear-end collision is shown in Figure 13.  Figure 13. The risk propagation chain model of subway sociotechnical system.

Risk Propagation Chain Model for Rear-end Collision
The model of risk propagation chain for the rear-end collision is constructed on the basis of the subway sociotechnical system model by identifying the risk unit and extracting the risk propagation process. In Figure 13, internal regions of the dispatcher, station attendant, and power supply subsystem marked by red dashed rectangle generate risk in this accident, constituting risk units. Other loss actors that may also lead to risk, such as vehicle substem but because the inside of these actors did not generate risk in this accident, these risk units show a healthy state before the risk propagation. On the limit of space, the various elements of the healthy risk units are not shown in Figure 13.
The risk units are numbered in the upper right corner of the red dashed rectangles in Figure 13. Driven by the dependencies among the actors, the risk can be derived from the risky risk unit and transmitted in the opposite direction of dependencies, thus forming a network chain structure, namely the risk propagation chain.

Formation Mechanism of Rear-End Collision
According to the model in Figure 13 and the formation mechanism of risk propagation chain, the risk propagation modes of the emergency are summarized in Table 4.  Figure 13. The risk propagation chain model of subway sociotechnical system.

Risk Propagation Chain Model for Rear-end Collision
The model of risk propagation chain for the rear-end collision is constructed on the basis of the subway sociotechnical system model by identifying the risk units and extracting the risk propagation process.
In Figure 13, the internal regions of the dispatcher, station attendant, and power supply subsystem marked by the red dashed rectangles generated risks in this accident, constituting the risky risk units. The internal regions of other actors marked by the red dashed rectangles did not generate risk before the risk propagation in this accident, constituting the healthy risk units. On the limit of space, the various elements of the healthy risk units are not shown in Figure 13.
The risk units are numbered in the upper right corner of the red dashed rectangles in Figure 13. Driven by the dependencies among the actors, the risk was derived from the risky risk unit and transmitted in the opposite direction of dependencies, thus forming a network chain structure, namely the risk propagation chain.

Formation Mechanism of Rear-End Collision
According to the model in Figure 13 and the formation mechanism of risk propagation chain, the risk propagation modes of the emergency are summarized in Table 4. Table 4. Modes of risk propagation in this case.

Mode of Risk Propagation
Transmitter Receiver risk transfer Table 4. Cont.

Mode of Risk Propagation Transmitter Receiver
risk propagation from many to one 6 and 7 3 risk propagation from one to many 9 4 and 8 risk propagation from one to one All except for the risk propagations from many to one and frome one to many.
In addition, according to the types and directions of the risk propagation, the risk propagation chain of the rear-end collision is of network mixed pattern. Electrical maintenance of the power supply caused signal system failure; hence, the system was converted from automatic control to manual scheduling. Further, the dispatching control center did not accurately verify the fault interval idle condition provided by the station and issued the dispatching order, causing the collision. The risk became the emergency and posed a threat to the life and property safety of the urban population. Based on the mechanism of risk propagation in Table 4, we can obviously identify the risk propagation chain and path. Thus, the specific treatments are put forward to cut off and end the propagation by controlling the elements of risk propagation chain to ensure the safety and stability of the city.

Countermeasures for Rear-End Collision
From the perspective of the elements of risk propagation, this paper puts forward targeted countermeasures from two clues of technical control and social intervention. In this way, the path of risk propagation is cut down to prevent and effectively control the subway emergency, achieving sustainable urban development.
A treatment may impact a risk by reducing its likelihood or mitigating the loss. First, as is illustrated in Figure 13, the phenomenon that the personnel on duty are low in business, technology, and safety management in risk unit 2 can be improved by training staff, thus reducing the occurrence of such loss factors. Controlling the loss factors E1.2 and E1.3 in risk unit 5 , which lead to the improper maintenance of power equipment, is also beneficial in mitigating risk. Second, in risk unit 6 , the risk received changes its internal risk breeding environment and forms a new loss factor, causing the absence of power supply and bringing risk to the goal of the signal system. In this regard, measures to improve the uninterrupted power supply of the signal system can mitigate the loss of risk. Limited by length, other controls are no longer elaborated in this paper.
When the rear-end collision occurs, the driver shall report to the traffic control immediately. Emergency organizations need to respond, conduct on-site command, rescue, and repair work at once to prevent secondary incidents and minimize losses as much as possible.

Discussion and Conclusions
This paper takes urban public emergency as its research object and explores the formation mechanism from the perspective of sociotechnical system risk propagation for controlling emergencies to ensure urban sustainability. Based on the formation mechanism, countermeasures are put forward to prevent risk from evolving into a public emergency. This paper puts forward the concept of risk unit, and based on this the concepts and elements of risk propagation as well as risk propagation chain are analyzed. That is to say, risk propagation is the process by which certain risk units pass certain elements and/or the consequences of risk to other risk units under the influence of necessary external factors. With the Tropos Goal-Risk framework, the urban sociotechnical system and risk propagation chain are modeled. Based on the model, the formation mechanism of emergency is analyzed, including the study of micro-mechanism of the risk propagation mode with Tropos Goal-Risk framework as well as the classified analysis of risk propagation path with the hierarchical structure of an urban sociotechnical system. Under the guidance of formation mechanism and sociotechnical system theory, we constructed the treatment layer of Tropos Goal-Risk framework to propose measures to prevent risk from evolving into emergencies. The specific measures are elicited by controlling the basic elements constituting the process of risk propagation from both technical and social intervention perspectives, which aim at reducing environmental, economic, and social losses. Finally, case analysis is used to verify the model and theory.
This paper innovatively explores how to maintain the sustainable operation of city from the perspective of sociotechnical system risk propagation. Our results include urban public emergency formation mechanism and coping strategies, which both promote the theoretical research of emergency management and enrich the theory of public crisis management. Most researches about public emergency management based on risk management focus on risk categories, factors, occurrence possibilities as well as influences, and the loss process caused by risk is ignored. This paper makes up this aspect of blanks and puts forwards the mechanism of risk propagation. Besides, in the field of risk management, this paper replenishes risk propagation related theory, and the urban public emergency risk propagation chain model based on Tropos Goal-Risk framework provides method and tool support for the study on the risk propagation mechanism and countermeasures. Limited of space, this paper mainly focuses on the study of risk propagation mechanism and risk control based on the mechanism to cut off and block the risk propagation, and does not elaborate the related content of risk assessment. Risk assessment after risk identification is a link of risk feedback and the risk mitigation measures are proposed according to the assess results [56]. For this part of content, we will adopt Petri net to evaluate the risk propagation path of emergency in another paper.
Our work not only provides the emergency management with a theoretical analysis tool, but also provides guidance and practice support for the public emergency response and sustainable urban development. However, this article does not analyze secondary and derivative events after emergencies occur and interacting with other risk factors, which we will consider in our future study. In addition, our theoretical results still need to be further tested in practice, which is what we plan to do in the future.