Managing Risk Through: Layers of Control
Peer-Reviewed
FROM ANCIENT TIMES, the concept of using multiple lines of defense or layers of protection was practiced to survive. During the Byzantine Empire, cities and castles were fortified by trenches, moats, multiple stone walls built 30 ft wide and 30 ft high or higher, tall towers equipped with archers and drawbridge-gated entrances, all to provide layers of protection against outside forces. The walls of Constantinople were the most famous of the medieval world, not only due to the scale of the layers of defense, but also due to their construction and design. These lines of defense were constantly challenged and tested by would-be invaders and required continual improvement of defense weaknesses, learning from failures and breaches. However, even the best layers of defense are vulnerable. Ultimately, the walls of Constantinople were breached by an emerging risk of the time: gunpowder and cannon fire. When the Ottoman sultan acquired cannons, the walls of Constantinople were rendered obsolete. On May 29, 1453, the Gate of St. Romanus was destroyed by artillery, the garrison of the Circus Gate was seized, and the Fifth Military Gate was stormed by the Turks. The city was finally captured (Livius.org, 2020). Today, organizations face similar battles from an operational risk standpoint.

The concept of employing multiple lines of defense is used today in military strategies, cybersecurity of information technology, and in high-reliability type organizations such as the nuclear power industry and chemical processing. Seldom does a single risk control measure suffice in providing the sustainable risk reduction required or desired. Since the 1960s, the nuclear and petrochemical industries have made use of the concept of layering protection to prevent and reduce operational risk in their facilities.

Traditional safety practices have often taken a more singular view of controlling known hazards. The reliance upon a single machine guard or employee safety training comes to mind. However, what if the control fails or is inadequate or circumvented? Are redundancies, backup controls or additional layers of control in place to prevent the failure from occurring, and mitigative measures to reduce its severity of harm?

KEY TAKEAWAYS
• The concept of protecting people and assets with layers of controls, both preventive and mitigative, is an important aspect of reducing and managing operational risk.
• Rarely is one control adequate in reducing and maintaining risk

Risk Treatment Strategies
In the OSH profession, several terms are commonly used, sometimes interchangeably, in association with reducing risk: prevention, protection, mitigation and control. As each is a risk reduction strategy, each term has a specific meaning and place in a risk treatment plan. Following are descriptions and examples of these risk treatment terms.

Prevention. According to a standard dictionary, to prevent is to keep from happening or existing; to hold or keep back;
and maintain an acceptable level of risk (ALOR), a risk level that is as low as reasonably practicable (ALARP). The use of a hierarchical system for selecting risk reduction strategies is a fundamental concept in safety management. Many models are available including those from ANSI/ASSP Z590.3, ANSI/ASSP Z10.0, NIOSH, ANSI B11 and American Institute of

Layers of protection (table; the label of the first row was not recovered)
(row label not recovered) | controls that do not require activation
Active safeguards | Reduce likelihood or severity of hazard with controls that detect and respond or activate to external input
Procedural safeguards | Reduce likelihood of exposure through operating procedures and administrative measures that rely on the human element to respond or perform

Figure 4 (Swiss cheese diagram; image not reproduced). Note. Reprinted from “Final Investigation Report: Caribbean Petroleum Tank Terminal Explosion and Multiple Tank Fires (Report No. 2010.02.I.PR),” by CSB, 2015.
physical security and cybersecurity. A second consideration is the balance of the security measures such that equivalent risk exists regardless of the threat’s pathway or method. (API, 2016)

A concept whereby several independent devices, systems or actions are provided to reduce the likelihood and severity of an undesirable event. (API, 2013)

In industries such as chemical processing, layers of protection are constructed with independent protection layers (IPLs). An IPL is defined as a device, system or action capable of preventing an event or exposure from occurring that is independent of other controls and is verifiable or auditable for effectiveness (Rausand, 2011). As described by the aforementioned API standards, IPLs are considered physical barriers or devices, typically engineering controls, that prevent the initiating cause of an event from proceeding to an unwanted consequence. Administrative controls such as inspections, training, standard operating procedures and PPE are not considered barriers and, therefore, are not included in a typical layers-of-protection analysis (LOPA).

The Swiss cheese model made famous by Reason (2016) illustrates the concept of using layers of protection. Reason states that all workplace incidents have at least three common features: 1) hazards; 2) failed defenses; and 3) losses. Of these three features, failed defenses offer the greatest potential for risk reduction improvement. This is an important observation. Controls can exist at many levels and take various forms. However, each control serves one or more of the following functions: to create understanding and awareness of the hazards; to give guidance on how to operate safely; to provide alarms and warnings when danger is imminent; to place barriers between the hazards and the potential losses; to restore the system to a safe state after an event; to contain and eliminate the hazards should they escape the barriers and controls; and to provide the means of escape and rescue should the defenses fail catastrophically (Reason, 2016).

Reason’s defenses-in-depth concept can be effective in making complex technological systems such as nuclear power plants largely protected from single-point failures. But, as he points out, no defense is perfect. Controls can contain weaknesses, flaws and gaps such as holes in Swiss cheese slices. Under certain conditions, these holes or weaknesses can line up, allowing an incident to occur, as illustrated by the Swiss cheese model (Reason, 2016).

Case Study No. 1: Petroleum Tank Terminal Explosion & Fires
An example of the Swiss cheese model demonstrating layers of protection can be found in the CSB (2015) final investigation report on the Caribbean Petroleum Corp. (CAPECO) tank terminal explosion and tank fires. The following statement and Swiss cheese diagram in Figure 4 are from the report:

The CSB determined that numerous technical and systemic failures contributed to the explosion and multiple tank fires at the CAPECO tank terminal. The CSB found that multiple layers of protection failed within the level control and monitoring system at the same time. In addition, a lack of independent safeguards contributed to the overfill. James Reason’s Swiss cheese model best demonstrates these systemic failures that led to the accident. Reason postulates that an accident results from the breakdown of the “interaction between latent failures and a variety of local triggering events (active failures)” and although rare, the “adverse conjunction of several causal factors” from various layers. The deficiencies or holes at each layer of protection are constantly increasing or decreasing based on management decisions and operational deviations. (CSB, 2015)

Case Study No. 2: Metal Dust Explosion & Fire
The following scenario is excerpted from the metal dust explosion and fire at the AL Solutions facility in New Cumber-
Risk matrix legend: Very high risk = 15 or greater; high risk = 9 to 14; moderate risk = 5 to 8; low risk = 1 to 4

FIGURE 8
WHAT-IF ANALYSIS
# | What if? | Answer | Human error and systems issues | L | S | Risk level | Risk acceptable (Y/N) | Additional controls | L2 | S2 | Risk level 2 | % RR
1 | Metal blender is not functioning properly? | Ignition source | Task complexity or design | 4 | 4 | 16 | No | Redesign the blender. Inert gas (no oxygen). New procedures. | 2 | 3 | 6 | 63%
2 | Sufficient concentration of combustible dust is present? | Explosion possible | Task complexity or design | 4 | 4 | 16 | No | Redesign the blender. Inert gas (no oxygen). Improve ventilation to reduce combustible dust concentration. New housekeeping procedures. | 1 | 4 | 4 | 75%
3 | Explosion generates toxic gases? | Operators and EM personnel exposure | Task complexity or design. Experience | 4 | 3 | 12 | No | Redesign the whole operation to eliminate operator exposure. | 1 | 3 | 3 | 75%
Gasoline tank terminal worksheet (figure; caption not recovered; column headings inferred from the row contents)
Hazard | Cause | Current control | L | S | Risk | Additional preventive layers | Mitigative layers | L | S | Risk
Thermal expansion - gasoline - vapor generation | Sun - vent failure | Tank vents for tanks | 4 | 3 | 12 | Shade protection; Explosion-proof equipment; Internal pressure alarm | Spill containment; Auto fire extinguishing system | 4 | 1 | 4
Corrosion - gasoline tanks, trim and piping | Moisture/oxidation | Visual inspection | 4 | 2 | 8 | Corrosion inhibiting materials; Cathodic protection; Nitrogen blanket | Auto fire extinguishing system; Spill containment | 3 | 1 | 3
Human factors/errors - gasoline tanks - overfilling | Distraction/deviation | Visual - floating device | 5 | 3 | 15 | Overfill tank design; Automatic shutoff; Overfill alarm | Auto fire extinguishing system; Spill containment | 4 | 1 | 4
Bow-Tie Analysis
As described in ISO 31010-2019, a bow-tie analysis is a graphical depiction of pathways from the causes of an event to its consequences. The conventional bow-tie model shows the controls that modify the likelihood of the event and those that modify the consequences if the event occurs. It can be considered as a simplified representation of a fault tree (left side of bow tie) and an event tree (right of bow tie). Bow-tie analysis is useful in visualizing the existing preventive and mitigative controls in place for an identified hazardous scenario (as shown in Figure 1, p. 26).
LOPA
Traditionally, LOPA has been used as a barrier analysis in the chemical processing industry to analyze barriers or controls for their effectiveness in controlling an associated hazard. LOPA can be used qualitatively, semiquantitatively or quantitatively to analyze each IPL and safety integrity levels for risk reduction provided. IPLs are defined as physical barriers and controls such as design changes, engineering controls, warnings and alarms that prevent the initiating cause of a hazardous event from proceeding to an unwanted consequence. Lower-level controls such as inspections, training, standard operating procedures, and PPE are not considered barriers and are not included in LOPA. This is an important distinction.

IPLs are identified for each hazard-consequence pair. Each IPL is evaluated for its effectiveness, independence and probability of failure on demand to determine whether the overall protection provides an acceptable level of risk. Each IPL should be auditable or observable, allowing evidence and measure of its control status to verify effectiveness and reliability (Mulhausen, 2017; Rausand, 2011). Figure 10 provides an example of a conventional LOPA showing current and future states with independent protection layers.

Modified LOPA methods can be used that extend the analysis to administrative controls, financial controls and other risk reduction measures. However, if these additional layers/methods are reactive or mitigative in nature (after the undesirable event), they would not be considered layers of prevention. Hence, the new method, LOMA.

LOMA
The term mitigation is generally defined as the action of reducing the severity or seriousness of something, thus making a condition or consequence less severe. Rather than a preventive measure, mitigation is a reactionary measure used to reduce severity of consequences. An emergency action plan is a mitigation plan that is designed to limit damage and harm in response to an emergency-type event (Lyon & Popov, 2019).

Similar to LOPA, the mitigation or reactive measures that are designed to limit or reduce the impact of resulting consequences could also be layered. Such layers of mitigation might include engineering, administrative, and financial and contractual measures. Examples of engineering-type mitigation measures include automatic fire suppression systems; secondary containment; automatic fire doors; and vent gas scrubbers (in case toxic gases release due to an explosion). Administrative-type mitigative measures designed to reduce the impact of the damage might include community early alarm systems and community warnings; an emergency action and evacuation plan; coordination plan with local fire and emergency responders; an Emergency Planning and Community Right-to-Know Act plan for community evacuations or shelter-in-place; and a business continuity plan. Risk financing measures might include purchasing insurance for a large portion of risks, transferring selected risks to third parties by contractual agreements (risk transfer), and retaining the remaining risks through self-funding. An example of financial layers of mitigation is illustrated in the stratified concept described here:

The organization decides to retain the risk up to $100,000 U.S. Any covered losses to the organization above $100,000 would be transferred through insurance contracts to the insurance carriers (first layer at $500,000 to primary carrier; second layer at additional $1 million to excess carrier), as shown in Figure 11 (p. 31).

Layered mitigation amounts (the table the text refers to as Figure 11)
Layered $ mitigation | $ amount
First layer (retention) | $100,000
Second layer | $500,000
Third layer | $1,000,000

Risk Summation Analysis
Another important concept in risk assessment is whole-system risk. Conventional risk assessment methods can be described, for the most part, as linear. For example, risk assessment methods such as failure mode and effects analysis, or preliminary hazard analysis typically analyze hazards individually or hazard by hazard rather than as a whole. A hazard-by-hazard analysis would consider only partial risks within the system or operation. If partial risks are acceptable, the system or operation is then judged to be safe. Such conclusions may be misleading.

The potential effect of combined or whole-system risks is often greater than any single risk in a system. Risk assessment teams that identify and catalog individual hazards as line items may miss the potential for certain risks occurring at the same time and producing synergistic effects. For example, in the meat processing industry, cold temperatures combined with hand-arm vibration from pneumatic hand tools increase risk of soft-tissue damage that if analyzed individually may not be considered (Lyon & Hollcroft, 2012).

If the combustible metal dust explosion previously discussed were viewed from a hazard-by-hazard perspective, the real risk level would be missed. Consider the CSB (2014) statement that “removal of either the suspension or the confinement element can prevent an explosion, although a dust fire can still occur.” If risks are analyzed individually without considering additive (summation) effects, the whole-system risk can be underestimated.

The LOPA of the combustible dust case (Figure 12, p. 32) finds each individual hazard or event to be moderate risk, while missing the combined-risk effects of all three events creating a catastrophic risk level. For the metal dust generation, it was determined that it could lead to worker exposure and potential combustible dust accumulation, but by itself it was not sufficient to cause an explosion. Therefore, the severity level was considered high but not catastrophic with a low likelihood. For ignition sources, a review of past incidents in the facility revealed two minor fires leading to the determination that the severity was moderate and the likelihood low. Releases of toxic gas due to minor fires were determined to possibly lead to hospitalizations, which were considered high severity but low likelihood. Each individual event was viewed as moderate, not catastrophic.

Such an analysis does not consider the potential additive effect or sum of all risks. If the additive effects of combustible dust generation, ignition source from poor blender maintenance, confinement, potential dispersion and the presence of oxygen are considered, the risk summation (total risk) would produce a more realistic risk level in the higher risk category as shown in Figure 13 (p. 32).

Additionally, residual risk of the combined risks could be added based on the current controls. The company’s dust control methods of washing down the metal powder, an administrative control, were considered acceptable by the property risk insurer. In fact, the control methods were highly ineffective and may have added hazards like hydrogen generation. Assuming that administrative controls would reduce the risk by 10%, the operation’s combined residual risk would still be considered high at 13.5.

FIGURE 13
LOPA WITH COMBINED RISKS CONSEQUENCES & RISK SUMMATION
Event | Cause | Result | Current layers of prevention | Current risk (L, S, Risk level) | Combined risk (top event; L, S, Risk level) | Risk summation (combined residual risk)
Combustible dust generation | Metal blender not functioning properly | Worker exposure; combustible dust accumulation | Administrative (water spray, not effective) | 4, 2, 8 | Explosion and toxic gas release: explosive concentration of combustible dust and ignition source; 5, 3, 15 | 14
Ignition | Ignition source (sparks from blender) | Minor fire | Visual inspection | 3, 2, 6 | (same top event) | (same)
Operators and emergency personnel exposure | Toxic gases and hydrogen generation | Hospitalizations | (none listed) | 4, 2, 8 | (same top event) | (same)

LOCA
Recognizing a need for a method that considers the layers of preventive measures along with layers of mitigative measures and their risk levels, the authors developed the LOCA method. LOCA is described as a combination of LOPA, which analyzes preventive independent protection layers, and LOMA, which analyzes reactionary measures including engineering, financial and administrative controls.

Taking the layers of protection analysis for the combustible dust explosion case study in Figure 10 (p. 31), the resulting LOCA is presented in Figure 14 (p. 32).

FIGURE 14
LAYERS OF CONTROL ANALYSIS EXAMPLE
Event | Cause | Result | Current layers of prevention | Current risk (L, S, Risk level) | Combined risk | Consequence | Engineering mitigation layer | Administrative mitigation layer | Financial mitigation layer | Eng factor | Adm factor | Fin factor | Residual risk
Combustible dust generation | Metal blender is not functioning properly | Worker exposure; combustible dust accumulation | Admin (water spray, not effective) | 4, 2, 8 | Explosion and toxic gas release: explosive concentration of combustible dust and ignition source; 5, 3, 15; combined residual 14 | Serious injuries, illnesses and fatalities | Water deluge system | EPCRA | 1st layer 100K retention | 0.7 | 0.9 | 0.95 | 8.08
Ignition | Ignition source (sparks from blender) | Minor fire | Visual inspection | 3, 2, 6 | (same top event) | Property damage | (none listed) | Business continuity plan | 2nd layer 500K to primary carrier | 1.0 | 0.9 | 0.95 | 11.54
Operators and emergency personnel exposure | Toxic gases and hydrogen generation | Hospitalizations | Natural ventilation | 4, 2, 8 | (same top event) | Environmental issues | (none listed) | Evacuation plans | 3rd layer 1M to excess carrier | 0.7 | 0.9 | 0.95 | 8.08

LOCA summary chart, current state (figure; number and graphics not recovered). Hierarchy-of-control columns: Elimination, Substitution, Engineering multiple, Engineering single, Administrative, Warning, PPE; mitigation columns: Engineering, Administrative, Financial. Top event: combustible dust explosion and toxic gas. Hazards: HAZ #1 Combustible dust, HAZ #2 Ignition, HAZ #3 Toxic gas. Consequences: C# 1 (label not recovered), C# 2 Property damage 11.5, C# 3 Environmental damage 8.1. Combined residual risk (RR) 13.5.
Prevention factors: Hazard | AE | Sub | EngM | EngS | Wrn | Adm | PPE | Total RR | % RR
HAZ #1 | 1 | 1 | 1 | 1 | 1 | 0.9 | 1 | 7.2 | 10%
HAZ #2 | 1 | 1 | 1 | 1 | 1 | 0.9 | 1 | 5.4 | 10%
HAZ #3 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 8 | 0%
Mitigation factors: Consequence | Eng | Adm | Fin | Total RR | % RR
C# 1 | 0.7 | 0.9 | 0.95 | 8.1 | 46%
C# 2 | 1 | 0.9 | 0.95 | 11.5 | 23%
C# 3 | 0.7 | 0.9 | 0.95 | 8.1 | 46%

FIGURE 16
EXPANDED LOCA WITH ADDITIONAL CONTROLS
Event | Cause | Result | Future layers of prevention | Future combined risk (L, S, Risk level) | Engineering mitigation layer | Administrative mitigation layer | Financial mitigation layer | Consequence | Eng factor | Adm factor | Fin factor | Residual risk
Combustible dust generation | Metal blender is not functioning properly | Worker exposure; combustible dust accumulation | Reduce quantities; Enclose the blender; Local exhaust ventilation; Dust concentration monitoring; Housekeeping | 5, 1, 5 | CO2 fire protection | EPCRA | 1st layer 100K retention | Serious injuries, illnesses, fatalities | 0.7 | 0.9 | 0.95 | 2.99
Ignition | Ignition source (sparks from blender) | Minor fire | Enclose the blender; Local exhaust ventilation; Explosion-proof equipment; H2 monitoring and FLIR heat detection; Housekeeping | (same) | (none listed) | Business continuity plan | 2nd layer 500K to primary carrier | Property damage | 1.0 | 0.9 | 0.95 | 4.28
Operators and emergency personnel exposure | Toxic gases and hydrogen generation | Hospitalizations | Warning alarm (local); Local exhaust ventilation; Toxic gases monitoring | (same) | (none listed) | Evacuation plans | 3rd layer 1M to excess carrier | Environmental issues | 1.0 | 0.9 | 0.95 | 4.28

LOCA summary chart, future state (figure; number and graphics not recovered; same layout as the current-state chart). Consequences: C# 1 Comb. dust fatalities 2.99, C# 2 Property damage 4.28, C# 3 Environmental damage 2.99.
Prevention factors: Hazard | AE | Sub | EngM | EngS | Wrn | Adm | PPE | Total RR | % RR
HAZ #1 | 1 | 1 | 1 | 0.7 | 0.8 | 0.9 | 1 | 4.03 | 50%
HAZ #2 | 1 | 1 | 1 | 0.7 | 0.8 | 0.9 | 1 | 3.02 | 50%
HAZ #3 | 1 | 1 | 1 | 0.7 | 0.8 | 1 | 1 | 4.48 | 44%
Mitigation factors: Consequence | Eng | Adm | Fin | Total RR | % RR
C# 1 | 0.7 | 0.9 | 0.95 | 2.99 | 40%
C# 2 | 1 | 0.9 | 0.95 | 4.28 | 15%
C# 3 | 0.7 | 0.9 | 0.95 | 2.99 | 40%

For consequences such as fatalities, serious injuries and illnesses, extensive property and environmental damage, mitigation measures have limited effect on reducing residual risk as indicated by the CSB report on the metal dust explosion.

The water deluge system on the ceiling of the production building is considered a mitigation layer. However, it is not advisable to use water to fight a titanium or zirconium fire due to hydrogen generation. CSB (2014) found that “AL Solutions did not have a ventilation system to control hydrogen concentrations. Natural ventilation was inconsistent in the production building; employees reported closing rollup doors for temperature control during the cold months.”

Evacuation and business continuity plans would not reduce the risk significantly. Even the layered insurance would probably be insufficient. The families of three people killed in an industrial incident in 2010 have reached a $15.8 million final settlement with two private equity firms that had invested in AL Solutions Inc. (The Review).

To effectively reduce risk, both preventive and mitigative measures must often be used. This concept can be further visualized