Managing Risk Through Layers of Control


RISK MANAGEMENT
Peer-Reviewed

By Bruce K. Lyon and Georgi Popov

assp.org APRIL 2020 PROFESSIONAL SAFETY PSJ 25

From ancient times, the concept of using multiple lines of defense or layers of protection was practiced to survive. During the Byzantine Empire, cities and castles were fortified by trenches, moats, multiple stone walls built 30 ft wide and 30 ft high or higher, tall towers equipped with archers and drawbridge-gated entrances, all to provide layers of protection against outside forces. The walls of Constantinople were the most famous of the medieval world, not only due to the scale of the layers of defense, but also due to their construction and design. These lines of defense were constantly challenged and tested by would-be invaders and required continual improvement of defense weaknesses, learning from failures and breaches. However, even the best layers of defense are vulnerable. Ultimately, the walls of Constantinople were breached by an emerging risk of the time: gunpowder and cannon fire. When the Ottoman sultan acquired cannons, the walls of Constantinople were rendered obsolete. On May 29, 1453, the Gate of St. Romanus was destroyed by artillery, the garrison of the Circus Gate was seized, and the Fifth Military Gate was stormed by the Turks. The city was finally captured (Livius.org, 2020). Today, organizations face similar battles from an operational risk standpoint.

The concept of employing multiple lines of defense is used today in military strategies, cybersecurity of information technology, and in high-reliability type organizations such as the nuclear power industry and chemical processing. Seldom does a single risk control measure suffice in providing the sustainable risk reduction required or desired. Since the 1960s, the nuclear and petrochemical industries have made use of the concept of layering protection to prevent and reduce operational risk in their facilities.

Traditional safety practices have often taken a more singular view of controlling known hazards. The reliance upon a single machine guard or employee safety training comes to mind. However, what if the control fails or is inadequate or circumvented? Are redundancies, backup controls or additional layers of control in place to prevent the failure from occurring, and mitigative measures to reduce its severity of harm?

KEY TAKEAWAYS
• The concept of protecting people and assets with layers of controls, both preventive and mitigative, is an important aspect of reducing and managing operational risk.
• Rarely is one control adequate in reducing and maintaining risk to a level that is considered acceptable. Layers of control selected in accordance with the hierarchy of risk treatment and their actions should be constructed, implemented, verified and monitored to achieve a level that is as low as reasonably practicable (ALARP).
• Techniques such as barrier analysis, layers of protection analysis, bow-tie analysis and modified methods such as layers of control assessment can be used to assess existing controls and determine whether risk is at an acceptable level or whether further risk reduction strategies are necessary to achieve and maintain ALARP.

Risk Treatment Strategies
In the OSH profession, several terms are commonly used, sometimes interchangeably, in association with reducing risk: prevention, protection, mitigation and control. As each is a risk reduction strategy, each term has a specific meaning and place in a risk treatment plan. Following are descriptions and examples of these risk treatment terms.

Prevention. According to a standard dictionary, to prevent is to keep from happening or existing; to hold or keep back; to hinder or stop. In business, prevention is an action taken to reduce or eliminate the probability of specific undesirable events from happening and is described as generally less costly than mitigating the effects of negative events after they occur (WebFinance, 2020). ANSI/ASSP Z590.3, Prevention Through Design (PTD), Section 9, Hierarchy of Controls, states that the first four control levels of the hierarchy are more effective because they are preventive actions that eliminate or reduce risk by design, elimination, substitution and engineering measures. An example of a preventive measure is a pressure-relief valve on an enclosed tank designed to prevent over-pressurization and explosion.

Protection. Protective measures are designed to reduce the severity of consequences by shielding, covering or isolating an asset from harm. To protect is to cover or shield from exposure, injury, damage or destruction; to guard; to maintain the status or integrity of, especially through financial or legal guarantees. Protection measures are generally put in place before an occurrence to protect assets during an incident and to limit damage or impact. Examples of protection include automatic fire suppression systems in buildings, cathodic protection for an underground storage tank and PPE. Insurance (or risk transfer) could also be considered a form of protection measure for the insured parties or properties.

Mitigation. Like protection, mitigation is used to reduce the severity or seriousness of something, thus making a condition or consequence less severe. To mitigate is to make less severe or painful. Federal Emergency Management Agency (FEMA, 2017) defines mitigation as “the effort to reduce loss of life and property by lessening the impact of disasters.” Mitigative measures generally are reactive efforts, procedures or actions taken immediately following an incident such as an emergency action plan.

Control. Control is a more encompassing term that is used to reduce the incidence or severity of, especially to innocuous levels. ISO Guide 73 defines control as “a measure that modifies risk and may include processes, policies, devices, practices or other actions” (ANSI/ASSP, 2011).

A comprehensive approach to reducing and maintaining risk at an acceptable level often requires layers of controls: a combination of preventive, protective, mitigative and control measures (Lyon & Popov, 2016; 2019). The various measures for prevention and mitigation of major incidents may be thought of as lines of defense or layers of protection. These layers serve to prevent an initiating event from developing into an incident (e.g., release of a hazardous substance), and to mitigate the consequences of an incident once it occurs (Franks, 2017).

An example can be given in a bow-tie analysis diagram (Figure 1), which identifies the preventive measures on the left side of the bow tie (barriers positioned between the hazard-causes and the event) and the mitigation measures on the right side of the bow tie (reactive measures between the hazardous event and the consequences). Both preventive and mitigative measures are risk reduction treatment strategies (Lyon & Popov, 2019).

FIGURE 1
BOW-TIE ANALYSIS DIAGRAM
Labels, left to right: Hazards; Causes; Preventive controls; Scenario; Mitigative controls; Resulting consequences. Escalation factor.

FIGURE 2
CONSTRUCTING RISK TREATMENT PLANS TO ACHIEVE ACCEPTABLE RISK
Labels: Hierarchy of risk treatment; Layers of controls; Cost-benefit analysis and ROI; Achieve and maintain ALARP/ALOR.

To achieve and maintain an acceptable level of risk, OSH professionals must be proficient and practiced in the selection, implementation and verification of risk treatment plans. Such
plans should be constructed according to the following practices (Figure 2):
• use of the hierarchy of risk treatment and higher-level controls;
• layers of controls and redundancies;
• cost-benefit analysis and return on investment justification;
• testing and verifying effectiveness and reliability.

Hierarchy of Risk Treatment
The objective of occupational risk management is to achieve and maintain an acceptable level of risk (ALOR), a risk level that is as low as reasonably practicable (ALARP). The use of a hierarchical system for selecting risk reduction strategies is a fundamental concept in safety management. Many models are available including those from ANSI/ASSP Z590.3, ANSI/ASSP Z10.0, NIOSH, ANSI B11 and American Institute of Chemical Engineers (AIChE). In most models, the first choices are risk avoidance and risk elimination. Where the risk cannot be avoided or eliminated, substitution and minimization measures to reduce severity should be considered. Risk reduction by lowering likelihood of occurrence through simplification and passive safeguards is the next option. From an enterprise risk management standpoint, additional risk treatment options include:
• separation of risks to minimize the adverse effect of a single loss;
• duplication of critical systems or use of backups;
• diversification of risk to spread exposure over many areas rather than one concentrated area;
• risk financing (insurance, hedging or self-funding);
• risk transfer (hiring third parties, contracts);
• risk retention (determined acceptable to the organization in its present state);
• risk exploitation (speculative risks, opportunities, potential gains).
The concept of inherently safer design control measures can be found in the AIChE steps for managing chemical and process hazards and risks. An interpretation of AIChE’s hierarchy is presented in Table 1 (CCPE, 2008). The hierarchy of risk treatment (HORT) in Figure 3 (Lyon & Popov, 2019) combines the hierarchy from ANSI/ASSP Z590.3 (PTD standard) with concepts from inherently safer design controls used in the chemical process industry. These models all share a common theme that the strategies at the top, the higher-level controls, should always be considered/selected first.

TABLE 1
HIERARCHY OF CHEMICAL PROCESS CONTROLS
1st order | Inherent safety measures | Avoid or eliminate hazard
2nd order | Inherent safety measures | Reduce severity potential of hazard; reduce likelihood of exposure
Layers of protection | Passive safeguards | Reduce likelihood or severity of hazard with controls that do not require activation
Layers of protection | Active safeguards | Reduce likelihood or severity of hazard with controls that detect and respond or activate to external input
Layers of protection | Procedural safeguards | Reduce likelihood of exposure through operating procedures and administrative measures that rely on the human element to respond or perform
Note. Adapted from Inherently Safer Chemical Processes: A Life Cycle Approach (2nd ed.), by Center for Chemical Process Safety, 2008, Hoboken, NJ: Wiley.

FIGURE 3
HIERARCHY OF RISK TREATMENT
From top to bottom: Avoid; Eliminate; Substitute; Minimize; Simplify; Passive control; Active control; Warn; Administrative; PPE.

Risk Treatment Plans
Risk treatment is a continuous process that involves the formulation and selection of a treatment plan, its implementation and evaluation of the residual risk level to determine whether it is acceptable or whether further treatment is required. A risk treatment plan can involve a single control; however, it more likely requires multiple risk reduction measures to accomplish the desired risk reduction. Risk reduction concepts such as inherently safe design, layers of protection, recognized and generally accepted good engineering practices, and safer technology and alternatives, along with the hierarchy of controls should be incorporated into the risk treatment plan (Lyon & Popov, 2018). As outlined in ISO 31000, risk treatment options available include the decision to avoid the risk by choosing to not engage in the activity or exposure; eliminating the risk by removing the risk source; reducing the likelihood or reducing the severity; sharing the risk among other parties such as contracts and risk financing; and retaining the risk such as self-funding or other risk-based decisions (ANSI/ASSP/ISO, 2018; Lyon & Popov, 2018).

Once treatments or controls have been implemented, it is critical to assess their effectiveness and reliability. Testing and verification of control reliability and effectiveness, ensuring that controls are working as expected, should be performed and documented. As part of the testing of controls, it should be determined whether any unintended consequences or new hazards are created.

The Concept of Layers of Control
The terms layers of protection, lines of defense and depth in defenses are adopted from military strategy, using multiple layers of defense to withstand an attack and maintain defenses through the use of layers that resist rapid penetration, slow the attack, fortify around critical elements and yield rather than exhaust themselves.

American Petroleum Institute (API) standards provide the following definitions of the layers of protection concept:
    A concept of providing multiple independent and overlapping layers of protection in depth. For security purposes, this may include various layers of protection such as countersurveillance, counterintelligence,
    physical security and cybersecurity. A second consideration is the balance of the security measures such that equivalent risk exists regardless of the threat’s pathway or method. (API, 2016)
    A concept whereby several independent devices, systems or actions are provided to reduce the likelihood and severity of an undesirable event. (API, 2013)

In industries such as chemical processing, layers of protection are constructed with independent protection layers (IPLs). An IPL is defined as a device, system or action capable of preventing an event or exposure from occurring that is independent of other controls and is verifiable or auditable for effectiveness (Rausand, 2011). As described by the aforementioned API standards, IPLs are considered physical barriers or devices, typically engineering controls, that prevent the initiating cause of an event from proceeding to an unwanted consequence. Administrative controls such as inspections, training, standard operating procedures and PPE are not considered barriers and, therefore, are not included in a typical layers-of-protection analysis (LOPA).

The Swiss cheese model made famous by Reason (2016) illustrates the concept of using layers of protection. Reason states that all workplace incidents have at least three common features: 1) hazards; 2) failed defenses; and 3) losses. Of these three features, failed defenses offer the greatest potential for risk reduction improvement. This is an important observation. Controls can exist at many levels and take various forms. However, each control serves one or more of the following functions: to create understanding and awareness of the hazards; to give guidance on how to operate safely; to provide alarms and warnings when danger is imminent; to place barriers between the hazards and the potential losses; to restore the system to a safe state after an event; to contain and eliminate the hazards should they escape the barriers and controls; and to provide the means of escape and rescue should the defenses fail catastrophically (Reason, 2016).

Reason’s defenses-in-depth concept can be effective in making complex technological systems such as nuclear power plants largely protected from single-point failures. But, as he points out, no defense is perfect. Controls can contain weaknesses, flaws and gaps such as holes in Swiss cheese slices. Under certain conditions, these holes or weaknesses can line up, allowing an incident to occur, as illustrated by the Swiss cheese model (Reason, 2016).

Case Study No. 1: Petroleum Tank Terminal Explosion & Fires
An example of the Swiss cheese model demonstrating layers of protection can be found in the CSB (2015) final investigation report on the Caribbean Petroleum Corp. (CAPECO) tank terminal explosion and tank fires. The following statement and Swiss cheese diagram in Figure 4 are from the report:
    The CSB determined that numerous technical and systemic failures contributed to the explosion and multiple tank fires at the CAPECO tank terminal. The CSB found that multiple layers of protection failed within the level control and monitoring system at the same time. In addition, a lack of independent safeguards contributed to the overfill. James Reason’s Swiss cheese model best demonstrates these systemic failures that led to the accident. Reason postulates that an accident results from the breakdown of the “interaction between latent failures and a variety of local triggering events (active failures)” and although rare, the “adverse conjunction of several causal factors” from various layers. The deficiencies or holes at each layer of protection are constantly increasing or decreasing based on management decisions and operational deviations. (CSB, 2015)

FIGURE 4
SWISS CHEESE DIAGRAM FROM CSB REPORT ON CAPECO INCIDENT
Note. Reprinted from “Final Investigation Report: Caribbean Petroleum Tank Terminal Explosion and Multiple Tank Fires (Report No. 2010.02.I.PR),” by CSB, 2015.

Case Study No. 2: Metal Dust Explosion & Fire
The following scenario is excerpted from the metal dust explosion and fire at the AL Solutions facility in New Cumberland, WV, as reported by CSB (2014). The incident resulted in three employee fatalities and one contractor injury. The explosion and ensuing fire damaged the production building and ultimately caused shutdown of the plant. Figure 5 illustrates the risk pathway of the event.

FIGURE 5
RISK PATHWAY OF A DUST EXPLOSION

The CSB report states:
    Like all fires, a dust fire occurs when fuel (the combustible dust) is exposed to energy (an ignition source) in the presence of oxygen (typically from air). Removing any one of these elements of the classic fire triangle (depicted in [Figure 6]) eliminates the possibility of a fire.
    A dust explosion requires the simultaneous presence of two additional elements: dust dispersion and confinement (as shown in the dust explosion pentagon in [Figure 6]). Suspended dust burns rapidly, and confinement enables pressure buildup. Removal of either the suspension or the confinement element can prevent an explosion, although a dust fire can still occur. (CSB, 2014)

FIGURE 6
CLASSIC FIRE TRIANGLE & DUST EXPLOSION PENTAGON
Fire triangle: Combustible dust; Ignition source; Oxygen. Dust explosion pentagon: Fuel; Ignition; Dispersion; Confinement; Oxygen.
Note. Adapted from “AL Solutions Inc., New Cumberland, WV: Metal dust explosion and fire (Case study No. 2011-3-I-WV),” by CSB, 2014.

Using this scenario and the risk matrix shown in Figure 7 (p. 30), a modified what-if risk assessment shown in Figure 8 (p. 30) indicates that there were no sufficient risk prevention measures available at the time of the incident. As a result, additional preventive measures were added including the redesigned blender and inert gas blanket, creating layers of prevention. As presented in the example, likelihood and severity could be reduced for all three hazards by 63% and 75%. The remaining 25% may be retained if the organization assumes that the risk is within acceptable limits.

Methods for Analyzing Layers of Control
The analysis of risk control effectiveness is a critical aspect of risk assessment. ISO 31010-2019 states that “risk is affected by the overall effectiveness of any controls that are in place” and notes a risk can have more than one control, and that controls can affect more than one risk. Important aspects to consider when analyzing controls include:
• the mechanism by which the controls are intended to modify risk;
• whether the controls are in place, are capable of operating as intended, and are achieving the expected results;
• whether shortcomings exist in the design of controls or the way they are applied;
• whether gaps in controls exist;
• whether controls function independently, or if they need to function collectively to be effective;
• whether factors, conditions, vulnerabilities or circumstances exist that can reduce or eliminate control effectiveness including common cause failures;
• whether controls themselves introduce additional risks (ISO 31010-2019).
A number of methods are available for analyzing controls and their effectiveness. Some of these are described in ISO 31010-2019 and include bow-tie analysis, hazard analysis and critical control points (HACCP), event-tree analysis and LOPA. Barrier analysis, bow-tie analysis, conventional LOPA, a new
method called layers of mitigation analysis (LOMA), risk summation analysis, and a new method called layers of controls analysis (LOCA) are briefly presented here.

FIGURE 7
RISK MATRIX
Rows give the severity rating (incident outcomes); columns give the likelihood of occurrence; each cell is the risk level (severity rating × likelihood rating).
Severity rating | Health effects (people) | Property damage | Environmental impact | 1 Very unlikely | 2 Unlikely | 3 Possible | 4 Likely | 5 Very likely
5 | Death or permanent total disability | Catastrophic damage | Significant impact | 5 | 10 | 15 | 20 | 25
4 | Permanent partial disability; hospitalizations of three or more people | Severe damage | Significant but reversible impact | 4 | 8 | 12 | 16 | 20
3 | Injury or occupational illness resulting in one or more days away from work | Significant damage | Moderate reversible impact | 3 | 6 | 9 | 12 | 15
2 | Injury or occupational illness not resulting in lost workdays | Moderate damage | Minimal impact | 2 | 4 | 6 | 8 | 10
1 | First aid only; no injuries or illnesses | Light damage | No impact | 1 | 2 | 3 | 4 | 5
Very high risk = 15 or greater; high risk = 9 to 14; moderate risk = 5 to 8; low risk = 1 to 4

FIGURE 8
WHAT-IF ANALYSIS
# | What if? | Answer | Human error and systems issues | L | S | Risk level | Risk acceptable (Y/N) | Additional controls | L2 | S2 | Risk level 2 | % RR
1 | Metal blender is not functioning properly? | Ignition source | Task complexity or design | 4 | 4 | 16 | No | Redesign the blender. Inert gas (no oxygen). New procedures. | 2 | 3 | 6 | 63%
2 | Sufficient concentration of combustible dust is present? | Explosion possible | Task complexity or design | 4 | 4 | 16 | No | Redesign the blender. Inert gas (no oxygen). Improve ventilation to reduce combustible dust concentration. New housekeeping procedures. | 1 | 4 | 4 | 75%
3 | Explosion generates toxic gases? | Operators and EM personnel exposure | Task complexity or design. Experience | 4 | 3 | 12 | No | Redesign the whole operation to eliminate operator exposure. | 1 | 3 | 3 | 75%

Barrier Analysis
Often used in incident investigation, a barrier analysis can be used to identify and analyze all existing controls related to the hazard(s) of a system or events and conditions of an incident. In the analysis, the hazards, potential targets and consequences, and the pathways through which hazards can affect targets are defined. Within these risk pathways, controls, barriers and procedures that are designed to block the pathway and prevent the hazard from affecting the target are identified. The identified controls are reviewed individually in sequence of the pathway event, and in combination for effectiveness. Controls are then evaluated as to their role and performance in the incident and identified by color-coded octagons (Figure 9). Color-coding can be used to indicate control conditions such as 1) green octagon: existing control functioned as intended; 2) yellow octagon: existing control that was not used or ignored; 3) orange octagon: existing control that was less than adequate (LTA); 4) red octagon: existing control that failed to work as intended; and 5) purple octagon: additional control needed. Each evaluated control is labeled within its color-coded octagon and placed within the map connected to the affected event(s) and condition(s) as shown in Figure 9 (Lyon, Popov & Roberts, 2018).

FIGURE 9
CONTROLS LEGEND
Color-coded octagons: Existing control (functioned as intended); Existing control (ignored); Existing control (LTA); Existing control (failed); New control needed.

Bow-Tie Analysis
As described in ISO 31010-2019, a bow-tie analysis is a graphical depiction of pathways from the causes of an event to its consequences. The conventional bow-tie model shows the controls that modify the likelihood of the event and those that modify the consequences if the event occurs. It can be considered as a simplified representation of a fault tree (left side of bow tie) and an event tree (right of bow tie). Bow-tie analysis is useful in visualizing the existing preventive and mitigative controls in place for an identified hazardous scenario (as shown in Figure 1, p. 26).

LOPA
Traditionally, LOPA has been used as a barrier analysis in the chemical processing industry to analyze barriers or controls for their effectiveness in controlling an associated hazard. LOPA can be used qualitatively, semiquantitatively or quantitatively to analyze each IPL and safety integrity levels for risk reduction provided. IPLs are defined as physical barriers and controls such as design changes, engineering controls, warnings and alarms that prevent the initiating cause of a hazardous event from proceeding to an unwanted consequence. Lower-level controls such as inspections, training, standard operating procedures, and PPE are not considered barriers and are not included in LOPA. This is an important distinction.

IPLs are identified for each hazard-consequence pair. Each IPL is evaluated for its effectiveness, independence and probability of failure on demand to determine whether the overall protection provides an acceptable level of risk. Each IPL should be auditable or observable, allowing evidence and measure of its control status to verify effectiveness and reliability (Mulhausen, 2017; Rausand, 2011). Figure 10 provides an example of a conventional LOPA showing current and future states with independent protection layers.

FIGURE 10
LAYERS OF PROTECTION ANALYSIS
Event | Cause | Current state (CS): existing IPLs (1, 2) | Severity | Likelihood | Risk level | Proposed additional IPLs (3 to 7) | Future state (FS) severity | Likelihood | Risk level
Thermal expansion - gasoline - vapor generation | Sun - vent failure | 1 Tank vents; 2 Shade protection for tanks | 4 | 3 | 12 | 3 Explosion-proof equipment; 4 Internal pressure alarm; 5 Spill containment; 6 Auto fire extinguishing system | 4 | 1 | 4
Corrosion - gasoline tanks, trim and piping | Moisture/oxidation | 1 Visual inspection; 2 Corrosion inhibiting materials | 4 | 2 | 8 | 3 Cathodic protection; 4 Nitrogen blanket; 5 Auto fire extinguishing system; 6 Spill containment | 3 | 1 | 3
Human factors/errors - gasoline tanks - overfilling | Distraction/deviation | 1 Visual - floating device; 2 Overfill tank design | 5 | 3 | 15 | 3 Automatic shutoff; 4 Overfill alarm; 5 Auto fire extinguishing system; 6 Spill containment | 4 | 1 | 4

Modified LOPA methods can be used that extend the analysis to administrative controls, financial controls and other risk reduction measures. However, if these additional layers/methods are reactive or mitigative in nature (after the undesirable event), they would not be considered layers of prevention. Hence, the new method, LOMA.

FIGURE 11
LAYERED FINANCIAL MITIGATION
Layered $ mitigation | $ amount
First layer (retention) | $100,000
Second layer | $500,000
Third layer | $1,000,000

LOMA
The term mitigation is generally defined as the action of reducing the severity or seriousness of something, thus making a condition or consequence less severe. Rather than a preventive measure, mitigation is a reactionary measure used to reduce severity of consequences. An emergency action plan is a mitigation plan that is designed to limit damage and harm in response to an emergency-type event (Lyon & Popov, 2019).

Similar to LOPA, the mitigation or reactive measures that are designed to limit or reduce the impact of resulting consequences could also be layered. Such layers of mitigation might include engineering, administrative, and financial and contractual measures. Examples of engineering-type mitigation measures include automatic fire suppression systems; secondary containment; automatic fire doors; and vent gas scrubbers (in case toxic gases release due to an explosion). Administrative-type mitigative measures designed to reduce the impact of the damage might include community early alarm systems and community warnings; an emergency action and evacuation plan; coordination plan with local fire and emergency responders; an Emer-
FIGURE 12
HAZARD-BY-HAZARD LOPA WORKSHEET

Layers of prevention Current risk

Likelihood
Event Cause Result

Risk level
Severity
1 2 3 4

Combustible dust Metal blender not Worker exposure; Administrative


generation functioning properly combustible dust (water spray, not 4 2 8
accumulation effective)
Ignition Ignition source (sparks Minor fire Visual inspection
from blender) 3 2 6

Operators and Toxic gases and hydrogen Hospitalizations


emergency personnel generation 4 2 8
exposure

FIGURE 13
LOPA WITH COMBINED RISKS CONSEQUENCES & RISK SUMMATION
Current layers of Current
Combined risk
prevention risk

Top event

Risk summation
Event Cause Result

residual risk
Combined
Likelihood

Likelihood
Risk level
Severity

Severity
1 2 3 4

Combustible Metal blender not Worker exposure; Administrative Explosion and toxic
dust generation functioning properly combustible dust (water spray, not 4 2 8 gas release:
accumulation effective) Explosive
Ignition Ignition source (sparks Minor fire Visual inspection concentration of
from blender) 3 2 6 combustible dust and 5 3 15 14
ignition source
Operators and Toxic gases and Hospitalizations
emergency hydrogen generation 4 2 8
personnel
exposure

FIGURE 14
LAYERS OF CONTROL ANALYSIS EXAMPLE

Current layers of prevention Current risk Combined risk Current layers of mitigation Risk reduction
Adminstrative risk mitigation factor
Engineering risk mitigation factor
Consequence

Financial risk mitigation factor


Top event

Combined residual risk

Adminstrative layers

Event Cause Result


Engineering layers
Risk summation

Financial layers

Residual risk
Likelihood

Likelihood
Risk level
Severity

Severity

1 2 3 4

Combustible Metal blender Worker Admin (water Explosion and 1st layer Serious Water EPCRA
dust is not exposure; spray, not 4 2 8 toxic gas 100K injuries, deluge
0.7 0.9 0.95 8.08
generation functioning combustible effective) release: system
retention illnesses and
properly dust Explosive fatalities
Ignition Ignition source Minor fire Visual concentration Business 2nd layer Property
(sparks from inspection 3 2 6 of combustible continuity 500K to damage 1.0 0.9 0.95 11.54
5 3 15 14
blender) dust and plan primary
ignition source carrier
Operators Toxic gases Hospitalizations Natural Evacuation 3rd layer Environmental
and and hydrogen ventilation plans 1 M to issues
4 2 8 0.7 0.9 0.95 8.08
emergency generation excess
personnel carrier
exposure

32 PSJ PROFESSIONAL SAFETY APRIL 2020 assp.org


FIGURE 15
STRIPED BOW-TIE MODEL WITH LAYERS OF CONTROL ANALYSIS

Hazards Causes Preventive Scenario Mitigative Consequences Total RR


Layers S L Layers
5 3
HAZ #1 Total risk
8 15 C# 1 - Injury/illness
8.1

Engineering Multiple
Engineering multiple

Comb. Dust Engineering single fatalities

Administrative

Administrative
Substitution
Elimination

Combustible

Financial
E HAZ #2 Warning

PPE
dust explosion C# 2 - Property damage 11.5
H 6
and toxic gas
S Ignition
C# 3 - Environmental
8.1
HAZ #3 Residual risk (RR) damage
8 13.5
Toxic gas
AE Sub EngM EngS Wrn Adm PPE Total RR Eng Adm Fin Total RR
% RR 1 1 1 1 1 0.9 1 7.2 C# 1 0.7 0.9 0.95 8.1
HAZ #1
10% % RR 46%
% RR 1 1 1 1 1 0.9 1 5.4 C# 2 1 0.9 0.95 11.5
HAZ #2
10% % RR 23%
% RR 1 1 1 1 1 1 1 8 C# 3 0.7 0.9 0.95 8.1
HAZ #3
0% % RR 46%

FIGURE 16
EXPANDED LOCA WITH ADDITIONAL CONTROLS

Column headings: Event; Cause; Result; Future layers of prevention combined (engineering and administrative layers, columns 2 through 6); Future layer of mitigation (engineering, administrative and financial risk mitigation factors); Consequence; Risk summation (severity, likelihood); Future risk; Residual risk; Risk reduction.

Row 1. Event: Combustible dust generation. Cause: Metal blender is not functioning properly. Result: Worker exposure; combustible dust accumulation. Future preventive layers: Reduce quantities; Enclose the blender; Local exhaust ventilation; Dust concentration monitoring; Housekeeping. Future mitigation: CO2 fire protection; EPCRA; 1st layer, 100K retention. Consequence: Serious injuries, illnesses, fatalities. Mitigation factors 0.7, 0.9, 0.95. Residual risk 2.99.

Row 2. Event: Ignition. Cause: Ignition source (sparks from the blender). Result: Minor fire. Future preventive layers: Enclose the blender; Local exhaust ventilation; Explosion-proof equipment; H2 monitoring and FLIR heat detection; Housekeeping. Future mitigation: Business continuity plan; 2nd layer, 500K to primary carrier. Consequence: Property damage. Mitigation factors 1.0, 0.9, 0.95. Residual risk 4.28.

Row 3. Event: Operators and emergency personnel exposure. Cause: Toxic gases and hydrogen generation. Result: Hospitalizations. Future preventive layers: Warning alarm (local); Local exhaust ventilation; Toxic gases monitoring. Future mitigation: Evacuation plans; 3rd layer, 1M to excess carrier. Consequence: Environmental issues. Mitigation factors 1.0, 0.9, 0.95. Residual risk 4.28.

Future risk summation: severity 5, likelihood 1, future risk 5.

gency Planning and Community Right-to-Know Act plan for community evacuations or shelter-in-place; and a business continuity plan. Risk financing measures might include purchasing insurance for a large portion of risks, transferring selected risks to third parties by contractual agreements (risk transfer), and retaining the remaining risks through self-funding. An example of financial layers of mitigation is illustrated in the stratified concept described here:

The organization decides to retain the risk up to $100,000 U.S. Any covered losses to the organization above $100,000 would be transferred through insurance contracts to the insurance carriers (first layer at $500,000 to primary carrier; second layer at additional $1 million to excess carrier), as shown in Figure 11 (p. 31).

Risk Summation Analysis

Another important concept in risk assessment is whole-system risk. Conventional risk assessment methods can be described, for the most part, as linear. For example, risk assessment methods such as failure mode and effects analysis, or preliminary hazard analysis, typically analyze hazards individually or hazard by hazard rather than as a whole. A hazard-by-hazard analysis would consider only partial risks within the system or operation. If partial risks are acceptable, the system or operation is then judged to be safe. Such conclusions may be misleading.

The potential effect of combined or whole-system risks is often greater than any single risk in a system. Risk assessment teams that identify and catalog individual hazards as line items may miss the potential for certain risks occurring at the same time and producing synergistic effects. For example, in the



FIGURE 17
FUTURE STATE STRIPED BOW-TIE LOCA MODEL

Top event: Combustible dust explosion and toxic gas. Total risk, future state (FS): severity 5, likelihood 1, risk 5.
Hazards (left side): HAZ #1 Comb. dust, risk 8; HAZ #2 Ignition, risk 6; HAZ #3 Toxic gas, risk 8.
Preventive layer columns: Elimination, Substitution, Engineering multiple, Engineering single, Warning, Administrative, PPE.
Consequences (right side): C# 1 Injury/illness, multiple fatalities, total RR 2.99; C# 2 Property damage, total RR 4.28; C# 3 Environmental damage, total RR 2.99.
Mitigative layer columns: Engineering, Administrative, Financial.

Risk-reduction factor per layer (1 = no credit), total residual risk and percent risk reduction:

Hazard    AE   Sub  EngM  EngS  Wrn  Adm  PPE   Total RR   % RR
HAZ #1    1    1    1     0.7   0.8  0.9  1     4.03       50%
HAZ #2    1    1    1     0.7   0.8  0.9  1     3.02       50%
HAZ #3    1    1    1     0.7   0.8  1    1     4.48       44%

Consequence   Eng  Adm  Fin    Total RR   % RR
C# 1          0.7  0.9  0.95   2.99       40%
C# 2          1    0.9  0.95   4.28       15%
C# 3          0.7  0.9  0.95   2.99       40%

meat processing industry, cold temperatures combined with hand-arm vibration from pneumatic hand tools increase the risk of soft-tissue damage that, if analyzed individually, may not be considered (Lyon & Hollcroft, 2012).

If the combustible metal dust explosion previously discussed were viewed from a hazard-by-hazard perspective, the real risk level would be missed. Consider the CSB (2014) statement that "removal of either the suspension or the confinement element can prevent an explosion, although a dust fire can still occur." If risks are analyzed individually without considering additive (summation) effects, the whole-system risk can be underestimated.

The LOPA of the combustible dust case (Figure 12, p. 32) finds each individual hazard or event to be moderate risk, while missing the combined-risk effects of all three events creating a catastrophic risk level. For the metal dust generation, it was determined that it could lead to worker exposure and potential combustible dust accumulation, but by itself it was not sufficient to cause an explosion. Therefore, the severity level was considered high but not catastrophic, with a low likelihood. For ignition sources, a review of past incidents in the facility revealed two minor fires, leading to the determination that the severity was moderate and the likelihood low. Releases of toxic gas due to minor fires were determined to possibly lead to hospitalizations, which were considered high severity but low likelihood. Each individual event was viewed as moderate, not catastrophic.

Such an analysis does not consider the potential additive effect or sum of all risks. If the additive effects of combustible dust generation, ignition source from poor blender maintenance, confinement, potential dispersion and the presence of oxygen are considered, the risk summation (total risk) would produce a more realistic risk level in the higher risk category, as shown in Figure 13 (p. 32).

Additionally, residual risk of the combined risks could be added based on the current controls. The company's dust control method of washing down the metal powder, an administrative control, was considered acceptable by the property risk insurer. In fact, the control methods were highly ineffective and may have added hazards like hydrogen generation. Assuming that administrative controls would reduce the risk by 10%, the operation's combined residual risk would still be considered high at 13.5.

LOCA

Recognizing a need for a method that considers the layers of preventive measures along with layers of mitigative measures and their risk levels, the authors developed the LOCA method. LOCA is described as a combination of LOPA, which analyzes preventive independent protection layers, and LOMA, which analyzes reactionary measures including engineering, financial and administrative controls.

Taking the layers of protection analysis for the combustible dust explosion case study in Figure 10 (p. 31), the resulting LOCA is presented in Figure 14 (p. 32).

For consequences such as fatalities, serious injuries and illnesses, extensive property and environmental damage, mitigation measures have limited effect on reducing residual risk, as indicated by the CSB report on the metal dust explosion.

The water deluge system on the ceiling of the production building is considered a mitigation layer. However, it is not advisable to use water to fight a titanium or zirconium fire due to hydrogen generation. CSB (2014) found that "AL Solutions did not have a ventilation system to control hydrogen concentrations. Natural ventilation was inconsistent in the production building; employees reported closing rollup doors for temperature control during the cold months."

Evacuation and business continuity plans would not reduce the risk significantly. Even the layered insurance would probably be insufficient. The families of three people killed in an industrial incident in 2010 have reached a $15.8 million final settlement with two private equity firms that had invested in AL Solutions Inc. (The Review, 2016).

To effectively reduce risk, both preventive and mitigative measures must often be used. This concept can be further visualized



in the striped bow-tie model (Lyon & Popov, 2016). This model considers both the preventive measures for existing hazards on the left-hand side of the top event, and the mitigating or reactive measures for reducing the impact of the event on the right-hand side (Figure 15, p. 33). All three hazards are analyzed as a whole for their severity and likelihood to determine their combined or total risk, which is entered above the top event. Then, the mitigating measures such as the administrative controls, water spray and visual inspections are analyzed together to estimate the residual risk, which is displayed below the top event.

Using the barrier analysis previously discussed, any existing controls that failed are identified, along with new additional controls that are needed. The two octagons described in the barrier analysis (see Figure 9) are inserted above the layers of prevention or preventive controls columns to indicate these actions.

As a general rule, it is more beneficial from a risk-reduction standpoint to invest in layers of prevention than in layers of mitigation. Therefore, additional LOPs are added and the risk level recalculated after the implementation of the new preventive control measures. Suggestions for additional controls are presented in Figure 16 (p. 33). Notice that controls such as blender enclosure, local exhaust ventilation and warning alarms will address multiple risks.

Using the striped bow-tie methodology to analyze and estimate the total risk (or risk summation) in a future state indicates that a risk reduction could be achieved that is considered acceptable. This, of course, requires assurances that all controls (new and existing) are effective, reliable and consistently functioning as intended. Upon verification and validation of controls, a green octagon from the barrier analysis can be inserted above the preventive controls columns as shown in Figure 17.

Conclusion

Layers of defense have been used throughout the years and have proven to be effective in reducing the risk from multiple threats. The OSH professional should consider this approach for the workplace when analyzing and designing risk reduction measures, to include preventive measures as well as mitigating measures. Rarely is one control method adequate in preventing or protecting people, property or environment from harm. Using methods such as bow-tie analysis, LOPA, LOMA and LOCA to analyze existing controls and their effectiveness, and estimate risk summation, can help OSH professionals identify weaknesses and needs for building additional layers of control.

References

American Petroleum Institute (API). (2013). Security risk assessment methodology for the petroleum and petrochemical industries (API Std 780) (1st ed.). Washington, DC: Author.
API. (2016). Facility security plan methodology for the oil and natural gas industries (API RP 781) (1st ed.). Washington, DC: Author.
ANSI/ASSP. (2011). Vocabulary for risk management (National adoption of ISO Guide 73:2009) (ANSI/ASSP Z690.1-2011). Park Ridge, IL: ASSP.
ANSI/ASSP. (2016). Prevention through design: Guidelines for addressing occupational hazards and risks in design and redesign processes [ANSI/ASSP Z590.3-2011(R2016)]. Park Ridge, IL: ASSP.
ANSI/ASSP/ISO. (2018). Risk management: Guidelines (ANSI/ASSP/ISO 31000-2018). Park Ridge, IL: ASSP.
ANSI/ASSP/ISO/IEC. (2019). Risk management: Risk assessment techniques (ANSI/ASSP/ISO/IEC 31010-2019). Park Ridge, IL: ASSP.
Center for Chemical Process Safety (CCPS). (2008). Inherently safer chemical processes: A life cycle approach (2nd ed.). Hoboken, NJ: Wiley.
CSB. (2014). AL Solutions Inc., New Cumberland, WV: Metal dust explosion and fire (Case study No. 2011-3-I-WV). Retrieved from www.csb.gov/al-solutions-fatal-dust-explosion
CSB. (2015). Final investigation report: Caribbean Petroleum tank terminal explosion and multiple tank fires (Report No. 2010.02.I.PR). Retrieved from www.csb.gov/assets/1/20/capeco_final_report__10.21.2015.pdf
EPA. (2013, Dec. 19). AL Solutions Inc. settlement. Retrieved from www.epa.gov/enforcement/al-solutions-inc-settlement
Federal Emergency Management Agency (FEMA). (2020). What is mitigation? Retrieved from www.fema.gov/what-mitigation
Franks, A. (2017). Lines of defense/layers of protection analysis in the COMAH context. London, England: Health and Safety Executive. Retrieved from www.hse.gov.uk/research/misc/vectra300-2017-r02.pdf
Livius.org. (2020). Constantinople, Theodosian walls. Retrieved from www.livius.org/articles/place/constantinople-istanbul/constantinople-photos/constantinople-theodosian-walls
Lyon, B.K. & Hollcroft, B. (2012, Dec.). Risk assessments: Top 10 pitfalls and tips for improvement. Professional Safety, 57(12), 28-34.
Lyon, B.K. & Popov, G. (2016, March). The art of assessing risk: Selecting, modifying and combining risk assessment methods to assess risk. Professional Safety, 61(3), 40-51.
Lyon, B.K. & Popov, G. (2017, Nov.). Communicating and managing risk: The key result of risk assessment. Professional Safety, 62(11), 35-44.
Lyon, B.K. & Popov, G. (2018). Risk management tools for safety professionals. Park Ridge, IL: ASSP.
Lyon, B.K. & Popov, G. (2019, May). Risk treatment strategies: Harmonizing the hierarchy of controls and inherently safer design concepts. Professional Safety, 64(5), 34-43.
Lyon, B.K., Popov, G. & Roberts, A. (2018, Oct.). Causal factors analysis: Uncovering and correcting management system deficiencies. Professional Safety, 63(10), 49-59.
Manuele, F.A. (2014). Advanced safety management: Focusing on Z10 and serious injury prevention (2nd ed.). Hoboken, NJ: John Wiley & Sons.
Mulhausen, J. (2017). Improving general industry qualitative risk assessment using LOPA concepts. Safety 2017: ASSP Professional Development Conference, Denver, CO.
Popov, G., Lyon, B.K. & Hollcroft, B. (2016). Risk assessment: A practical guide to assessing operational risks. Hoboken, NJ: John Wiley & Sons.
Rausand, M. (2011). Risk assessment: Theory, methods, and applications. Hoboken, NJ: John Wiley & Sons.
Reason, J. (2016). Organizational accidents revisited. Boca Raton, FL: CRC Press.
The Review. (2016, Oct. 5). AL Solutions settlement ends civil claims. Retrieved from www.reviewonline.com/news/local-news/2016/10/al-solutions-settlement-ends-civil-claims
WebFinance Inc. (2020). BusinessDictionary: Prevention. Retrieved from www.businessdictionary.com/definition/prevention.html

Bruce K. Lyon, P.E., CSP, ARM, CHMM, is vice president with Hays Cos. He is a board member of BCSP, advisory board chair to University of Central Missouri's (UCM) Safety Sciences program, and vice chair of the ISO 31000 U.S. TAG. Lyon is coauthor of Risk Management Tools for Safety Professionals and Risk Assessment: A Practical Guide to Assessing Operational Risk. He holds an M.S. in Occupational Safety Management and a B.S. in Industrial Safety from UCM. In 2018, he received the CSP Award of Excellence from BCSP. Lyon is a professional member of ASSP's Heart of America Chapter, and a member of the Society's Ergonomics and Risk Management/Insurance practice specialties.

Georgi Popov, Ph.D., CSP, ASP, QEP, SMS, ARM, CMC, is a professor in the School of Geoscience, Physics and Safety Sciences at UCM. He is coauthor of Risk Assessment: A Practical Guide for Assessing Operational Risk and Risk Management Tools for Safety Professionals. Popov holds a Ph.D. from the National Scientific Board, an M.S. in Nuclear Physics from Defense University in Bulgaria and a post-graduate certification in environmental air quality. He graduated from the U.S. Army Command and General Staff College in Fort Leavenworth, KS. Popov is a professional member of ASSP's Heart of America Chapter and a member of the Society's Risk Management/Insurance Practice Specialty. He received the chapter's 2015 Safety Professional of the Year (SPY) Award and the 2016 ASSP Region V SPY Award. In 2017, Popov received ASSP's Outstanding Safety Educator Award.
