Chapter 9

Understanding How to Use the Process Hazard Analysis (PHA) and the Layers of Protection Analysis (LOPA)

Mark H. Beaudry, Ph.D., CPP
Instructor, researcher, and author in security studies at various universities in Massachusetts

Abstract

In this chapter, the Process Hazard Analysis (PHA) and the Layers of Protection Analysis (LOPA) are discussed in relation to school security. The hope is that the layers will stop or delay (or perhaps reduce or mitigate) a process deviation before it exceeds the safe operations limit. Specifically, a safer design with lines of defense and access control, supervisory procedures or measures (a checks-and-balances technique), and preventive and mitigation layers will ultimately provide proactive measures that reduce or mitigate events.

Keywords

Active shooter

Bomb threat

Layers of protection analysis

Levels of risk

PHA

Process hazard analysis

Using LOPA

Workplace violence

Introduction

In today’s society, most security professionals adopt risk analysis as a best practice. Typically, a risk analysis begins with an assessment of the likelihood that an unfortunate event with an undesirable consequence may occur. A risk analysis may also require some type of estimate of the likelihood that an event will occur. It assesses this likelihood and provides a comparative analysis in order to determine the probability that the existing protection layers will or will not operate as required (sometimes technology, procedures, or human behavior may not act or perform as predetermined). In addition, a risk is the result of any deviation from the expected operation, process design, failed procedures, or a lax (possibly nonexistent) site safety and security culture. The risk analysis seeks to identify these deviations and to develop a plan to reduce or mitigate an event should one occur. Once the results of each deviation have been measured and analyzed, the design and previous performance should be included as part of the holistic posture. This may, of course, show that some of the event deviations are significant enough that a serious hazard is likely. However, by using the Layers of Protection Analysis (LOPA) concept, a security professional can reduce or mitigate the risk to as low as reasonably manageable.

Process Hazard Analysis

As mentioned previously, businesses and agencies that have implemented a risk ranking procedure use it in conjunction with a Process Hazard Analysis (PHA) that is supported by a risk matrix comparing the frequency and consequence priorities. The risk ranking procedure is used to determine both the priority and the criticality posture, so that the security professional can make recommendations that further reduce or mitigate the risk from any deficiencies, specifically within the safety and security measures. In addition, the security professional is then able to rank the consequence severity by considering the hazardous situation posed by the event. It is important that the consequence severity ranking be based on the harm that results when everything that could go wrong either has gone wrong or may go wrong (training, testing, and any simulations that can be done will assist with finding any deviations). Also, historical data can sometimes be used to determine previous incidents or difficulties that security professionals may have experienced. Determine whether there are any incident records, including any safety and security operation safeguards, that can reduce the potential harm caused by varied types of hazardous situations (such as an armed intruder or a failed emergency response procedure). As stated previously, any type of consequence modeling, simulation, role playing, or realistic training that can be practiced can be used to better understand the hazardous situation and the impact zones where the situation has occurred or may possibly occur moving forward.1

Layers of Protection Analysis

The security professional may also use a risk analysis technique called LOPA to estimate the event likelihood at varied levels of detail. LOPA allows the risk to be estimated at various points throughout the incident sequence, and it can provide quantitative estimates of the risk. LOPA can be applied to hazardous events that have a consequence severity involving any of the following types of scenario:

• Any facility or equipment damage or failures that may cause harm (i.e., may be either an internal or external explosion, or a detonation within the facility perimeter)

• Significant operations interruption (i.e., possibly a bomb threat, workplace violence incident, threat via the mail, etc.)

• Serious injury or fatality of an employee or staff (i.e., active shooter, etc.)

• Any external injury or fatality to the community at large

• Significant environmental impact that affects everyone (i.e., gas or chemical exposure)

When security professionals use LOPA, they begin by examining how causes lead to process deviations (or initiating events); this assists with understanding how the deviations propagate (also called a “chain reaction” or domino effect). This evaluation also allows the security professional to determine whether any enabling conditions were critical to understanding the failed event, i.e., typically more than one thing must be wrong for the process deviation to occur. In addition, the risk ranking procedure uses a risk matrix for calculation purposes, and the event risk is then compared to the operations risk in order to determine whether additional risk reduction or mitigation techniques are required. Summers and Hearn (2010)2 argue that when the process risk does not satisfy the chosen risk criteria, an independent protection layer (IPL) is used to close the gap by reducing or mitigating the frequency of the hazardous or harmful event.3 The main purpose of IPLs is to stop propagation of the hazardous event (think of it as a time-delay mechanism) and any probable harm that may result from the event. Generally, most security professionals use an onion-skin concept (sometimes referred to as lines of defense or defense in depth) to illustrate the typical order of IPL deployment. If the event propagates through the onion skin of IPLs, the impact on the process operation becomes greater, as does the uncertainty of the final outcome (typically, the outer lines of defense are physical security measures, as opposed to inner measures, which may be procedural in nature). A key element of using these lines of defense is that they cause time delays or difficulties for the propagation (sometimes described as a hard target versus a soft target that doesn’t use layers of protection). LOPA is represented exactly by the layers of an onion skin (Figure 9.1).

Figure 9.1 Typical lines of defense when designing layers of protection.

The hope is that the layers will stop or delay (or perhaps reduce or mitigate) a process deviation before it exceeds the safe operations limit. Specifically, a safer design with lines of defense and access control, supervisory procedures or measures (a checks-and-balances technique), and preventive and mitigation layers will ultimately provide proactive measures that reduce or mitigate events. In addition, a well-designed posture that proactively reduces or mitigates any type of hazardous event can have a high certainty of effectiveness.

Since risk is a function of frequency and consequence, the frequency estimation and the LOPA concept can provide different techniques for evaluating its acceptability. Typically, security professionals use the consequence severity to assess the potential likelihood of events and decide where a stricter frequency analysis is needed. As mentioned previously, many security professionals rely on the assessment of operating experience and incident history to make their determination, and they may use holistic factors that influence the severity (i.e., crime rates, types of crime data, etc.), including operating practices, layers of protection, and conditional modifiers that can alert on or monitor a situation’s events. During the assessments, the security professional may consider reactive and response layers, i.e., actions that facility personnel must take in order to reduce or mitigate harm; these are sometimes in addition to the proactive layers (i.e., closing and locking a door from the inside of an office or room). One other important issue to keep in mind is that each layer provides protection independently of the others; the use of these layers and the conditional modifiers is critical, since they are often interrelated. For example, an alarm annunciator system may be used to initiate evacuation of personnel, or a lockdown situation for occupants.

Using LOPA

When using risk analysis, LOPA can also be incorporated to improve implementation of consequence estimation tools (Summers, 2010). In addition to the consequence estimation tool, the risk analysis is also dependent on the estimated frequency of the hazardous event. Additionally, any error associated with the consequence severity estimate directly impacts the risk reduction measures. LOPA can also provide a determined priority based on the estimate of the hazardous event frequency, by assessing the frequency of the initiating events that lead to the hazardous event and the possibility that the safety and security measures may fail. Security professionals will use experience to determine the right types of protection layers to utilize, and use best practices to demonstrate the risk reduction or mitigation techniques that have worked when conducting previous risk analyses. Security professionals will also attempt to analyze the root causes (or initiating causes) and determine those enabling conditions that result in process deviations (or initiating events). This is a critical part of a risk analysis: by understanding the likelihood of the types of hazards that may occur and the conditions that enable them, security professionals can then estimate the initiating event frequency.
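The frequency estimate described above can be worked through numerically. The following is an added example, not code or data from the chapter: it assumes the usual LOPA product (initiating event frequency, times enabling condition probability, times each independent layer's probability of failure on demand, times any conditional modifiers), and every name and value in it is constructed for illustration.

```python
from dataclasses import dataclass, replace
from math import prod

@dataclass(frozen=True)
class Layer:
    name: str
    pfd: float  # probability the layer fails on demand, 0 < pfd <= 1

@dataclass(frozen=True)
class Scenario:
    name: str
    initiating_freq: float   # initiating events per year
    enabling_prob: float     # probability the enabling condition is present
    layers: tuple            # IPLs; multiplying PFDs is valid only if independent
    modifiers: tuple = ()    # conditional modifier probabilities
    tolerable_freq: float = 1e-5  # chosen risk criterion, events per year

def event_frequency(s):
    """Hazardous event frequency after all layers have had a chance to act."""
    for layer in s.layers:
        if not 0 < layer.pfd <= 1:
            raise ValueError(f"PFD out of range for {layer.name}")
    return (s.initiating_freq * s.enabling_prob
            * prod(l.pfd for l in s.layers) * prod(s.modifiers))

def risk_gap(s):
    """Ratio of event frequency to the criterion; above 1 means unmet."""
    return event_frequency(s) / s.tolerable_freq

def required_pfd(s):
    """PFD one more IPL must achieve to close the gap; None if already met."""
    gap = risk_gap(s)
    return None if gap <= 1 else 1 / gap

# Constructed sample values, for illustration only (not from the chapter).
BASE = Scenario(
    name="unauthorized entry during school hours",
    initiating_freq=0.1, enabling_prob=0.5,
    layers=(Layer("perimeter fence and gate", 0.1),
            Layer("monitored alarm with response", 0.1)),
    modifiers=(0.5,),  # e.g. probability the area is occupied
)
# Same scenario with one more independent layer added to close the gap.
UPGRADED = replace(BASE, layers=BASE.layers + (Layer("classroom lockdown procedure", 0.01),))

if __name__ == "__main__":
    for s in (BASE, UPGRADED):
        print(s.name, len(s.layers), event_frequency(s), risk_gap(s), required_pfd(s))
```

With these constructed inputs the two-layer scenario misses the criterion by a factor of 25, so an added layer must fail no more than about one demand in 25; the three-layer version meets the criterion.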

In LOPA, the security professional may recommend independent protection layers (IPLs) based on the hazard or threat. An IPL can be a best practice that is known to provide the risk reduction (i.e., fences, gates, guards, police, CCTV, alarms, etc.). Generally, all of the above-mentioned best practices are used; however, alarms are typically identified as safety and security tools that are used as an input to identification and notification systems. Basically, these types of alarms are defined as “an audible and/or visible means of indicating to the operator an equipment malfunction, process deviation, or abnormal condition requiring a response.” This is different from a safety alarm: “an alarm that is classified as critical to process safety or to the protection of human life.”4

Using the IPL risk reduction method also allows the security professional to estimate the hazardous event frequency based on information and incident data that correspond to key performance indicators (i.e., alarm logs, CCTV usage determined to view incidents, police reports, staff or visitor information, etc.). LOPA is an excellent tool for assessing a wide variety of threat scenarios and applying protection layers of various types using the appropriate design measure. In addition, LOPA can be utilized as a semi-quantitative analysis, as mentioned above with key performance indicators, which also allows for efficient evaluation of the threat or vulnerability. Realistically, the more that organizations progress with using and implementing LOPA throughout different schools, the more it will invariably result in similar usage, comparisons, and questions asked on implementation. When similar threats or vulnerabilities are compared from school to school, the LOPA will become more constant, and staff will see the variation in the risk estimate for similar threats. Once we begin to recognize that the LOPA procedures have well-defined methods for estimating the hazardous event frequency, the inconsistency in the risk estimate will generally be due to a variation in the estimated consequence severity.

As security professionals attempt to get consistency in the LOPA methodology by providing schools with varied types of LOPA scenarios, the safety and security measures will improve and eventually reduce or mitigate events. This is especially attractive in organizations with virtually identical facility types or those with multiple locations. Many of the LOPA template scenarios can be useful by providing specific guidance on a school’s safety and security measures. In many cases, the LOPA best practices utilized by security professionals have guidance on not only the risk analysis, but also the means for risk reduction and mitigation. Finally, many LOPA templates have proven to be difficult to develop, approve, and implement, predominantly because consensus on a school-wide consequence severity ranking is difficult to achieve.


1 Summers, Angela, Bill Vogtmann, and Steve Smolen, Consistent Consequence Severity Estimation, American Institute of Chemical Engineers, 2010 Spring Meeting, 6th Global Congress on Process Safety, San Antonio, Texas, March 22‐24, 2010.

2 Summers, Angela E., and Hearn, William H. (2010) Risk Criteria, Protection Layers and Conditional Modifiers. SIS-TECH.

3 CCPS/AIChE, Layer of Protection Analysis: Simplified Process Risk Assessment, Concept Series, New York (2001).

4 Stauffer, T., Sands, N.P., and Dunn, D.G. (2010). Get a life (cycle)! Connecting Alarm Management and Safety Instrumented Systems. ISA Safety & Security Symposium (April, 2010); http://www.isa.org.
