reniers et al-2015-process safety progress


  • 8/19/2019 Reniers Et Al-2015-Process Safety Progress


    Security Risk Assessment and Protection in the Chemical and Process Industry

    Genserik Reniers (a,c)*, Paul Van Lerberghe (b), and Coen Van Gulijk (c)

    (a) ARGoSS, University of Antwerp, Belgium; CEDON, KULeuven, Belgium; [email protected] (for c
    (b) Optimit bvba, Belgium
    (c) Safety and Security Science Group, TUDelft, The Netherlands

    Published online 23 May 2014 in Wiley Online Library (wileyonlinelibrary.com). DOI 10.1002/prs.11683

    This article describes a security risk assessment and protection methodology that was developed for use in the chemical and process industries in Belgium. The method employs a risk-based approach according to design principles for object-oriented protection, using so-called Typicals. The approach is beneficial for workers in the chemical industry because of the familiarity with safety models and concepts in this particular industry. The model combines the rings-of-protection approach with generic security practices including management and procedures, security technology (e.g., CCTV, fences, and access control), and human interactions (proactive as well as reactive). The method is illustrated in a case-study where a practical protection plan was developed for an existing chemical company. This article demonstrates that the method is useful for similar chemical and process industrial activities far beyond the Belgian borders, as well as for cross-industrial security protection. In summary, this article offers an insight into how the chemical sector might protect itself on the one hand and an insight into how security risk management may be practiced on the other hand. © 2014 American Institute of Chemical Engineers Process Saf Prog 34: 72–83, 2015

    Keywords: security; risk assessment; Protection against crime; chemical industry

    INTRODUCTION

    As in other contexts, security in the chemical processing sector focuses on intentional harm, that is damage inflicted deliberately and which, therefore, can be regarded as malicious. Protecting organizations against that kind of threat is fundamentally different from protecting against negligence or even recklessness that leads to accidents, which is the domain of safety professionals. Nevertheless, some well-developed tools from the safety domain can be used effectively in designing a security system for a chemical plant. This article aims to build on that concept. Safety management and risk analysis take center-stage in this research, which takes a different viewpoint to the design of a security system than the more traditional security management design approaches as described by Garcia [1]. The approach described in this article is justified by the fact that workers in the chemical and process industries are already very familiar with safety and risk models that are so important when operating a plant. Safety design methods, while based on similar principles of the protection of human life and property, have nevertheless developed differently from security design methods. An overview of safety design in the process industries is given by [2,3]. Since these works are quite unusual in relation to the security management domain, much of this current article hinges on SRMbok by Talbot and Jakeman [4] where many design models are used that are familiar to security managers and process safety workers alike.

    Starting from [4], security can be defined as the condition of being protected against the potential danger or loss that can result from the deliberate, malicious, and unlawful acts of others. This definition considers security as an end product. Another way of looking at security is as a process leading toward a situation where something is “to be secured.” Security can thus also be defined as the process involved in taking preventive measures to avoid harmful incidents caused by people as well as controlling and mitigating the effects of such incidents [5]. Both definitions are useful for understanding prerequisites of adequate security risk assessments and protection. The motives for causing damage can vary through a wide range from mundane (e.g., small financial gain through theft) to potentially highly damaging terrorist actions. Terrorism is of particular concern for the chemical sector, whose stock-in-trade includes the very volatile, toxic, flammable, often (perceived) mysterious, and invisible material that have such enormous capacity to alarm the public.

    Like safety practitioners, security professionals carry out risk assessments [6]. The starting point for any security risk assessment is risk identification. However, identifying security risks and determining the necessary measures to counter them requires different methods from those familiar to safety personnel. Security risk assessments focus on “qualitative likelihood” (in terms of “low,” “medium,” “high”), consequences, criticalities, vulnerabilities, threats, and target attractiveness. It is typically a qualitative exercise that often focuses on the identification of scenarios (e.g., blowing up installations X and Y in plant Z; burglary of item A in building B, etc.). Such security assessment contrasts with safety assessments where the “quantitative likelihood” (in terms of probabilities and frequencies) and “consequences” often take center-stage [3].

    Like safety assessments, security assessments are focused on proactive action and consequence controls. It is these similarities in safety and security that prompt experts to indicate that, for achieving an optimal result, an integrated approach is required [7,8]. It is thus important to integrate the responses to a security threat with the needed security responses to a safety threat. This topic is explored in Security Risk Assessment Approach Section. The basic theoretical concepts that form the basis of such an integrated approach are dealt with in General Design Principles for Building Up a Protection Strategy Inside a Chemical Plant Section. The translation to practical cases is explained in Security Measures and Protection: Practice in the Chemical Industry Section, which is based on an existing chemical plant.

    Process Safety Progress (Vol.34, No.1) March 2015 72

    SECURITY RISK ASSESSMENT APPROACH

    Security risk assessment in the chemical and process industry is characterized by a systematic approach to organizing information concerning the assets that need to be protected, the threats that may be posed against those assets, and the likelihood and consequences of attacks against them. Assets are usually grouped into the following categories: people, property and infrastructure (e.g., chemical installations), reputation, and information. Hence, security risk assessment serves to audit a chemical company’s understanding of the threats and possible responses to those threats; it forms the basis for establishing a cost-effective security risk management program to reduce the potential adverse effects of intentionally induced losses upon the company. Security risk assessment at a generic level is presented in Figure 1.

    Before the security risk identification process can take place, it is important to undertake a geographical overview of the company in the Facility Characterization phase. In this phase, neighboring companies and their industrial activities that may be a target for adversaries should be identified, as they may be developing, using, or storing chemical products or processes that have the potential to interact with the products of the company under consideration, with extremely damaging results. Furthermore, the possible access roads from where the adversary may intrude upon the company’s premises without being noticed should be determined.

    The security hazard and risk identification process should identify all company security risks. For more information on security hazard identification in a chemical industrial surrounding, see e.g. [10]. This process should be carried out using desk research as well as historical data. Desk research is derived from rather fundamental and theoretical perspectives generating ideas on what could or might happen and can be found in the professional and academic literature [11,12]. Historical data come from crime incident/management databases, containing, for example, details of attack histories and experiences at other chemical plants. This information is very useful both for carrying out security risk identification and for understanding the specificities of risks and their consequences. It is important that relevant stakeholders (be they internal or external) should be involved in the security risk identification process. This process might typically include the company, government officials, policing organizations, and even representatives from relevant intelligence networks.

    Once the company’s security risks have been identified, every security risk should be analyzed. Also, the level of every risk, or combination of risks, should be assessed. Once this exercise has been carried out, individual security risks can be compared and evaluated. As part of the evaluation process, the companies’ security level of concern has to be established and agreed upon with the relevant stakeholders. The outcome of the risk analysis is then compared with the security level of concern of the company. Typically, it is the responsibility of the security manager, together with the organization’s board, to conclude whether the risk is acceptable, tolerable (ultimately with countermeasures), or unacceptable and, therefore, needs to be mitigated in some way. Every step in the process has to be rigorous and transparent so that changes over time can be captured as well.

    GENERAL DESIGN PRINCIPLES FOR BUILDING UP A PROTECTION STRATEGY INSIDE A CHEMICAL PLANT

    The Rings-of-protection concept

    So-called “Layers of Protection” are specifically used by safety managers in the chemical industry [13–15]. Detailed process design provides the first layer of protection. The second layer of protection concerns the automatic regulation of the process heat and material flows and ensuring that sufficient data are available for operator supervision. In the chemical industry, this layer is also called the “Basic Process Control Systems”. A further layer of protection is provided by a high-priority alarm system and instrumentation that facilitates operator-initiated corrective actions. A Safety Instrumented Function (SIF), sometimes also called the emergency shutdown system, may be provided as the fourth protective layer. The SIFs are protective systems which are only needed on those rare occasions when normal process controls are inadequate to keep the process within acceptable bounds. Any SIF will qualify as one independent layer of protection. Physical protection may be incorporated as the next layer of protection using venting devices to prevent equipment failure from excess pressure. Should these different layers of protection fail to function, walls or soil embankments may be present to contain liquid spills. Plant and community emergency response plans also deal with hazardous events.

    The fundamental basis of security management can be expressed in a similar way to the Layers of Protection used in modern chemical process plants for addressing safety-related, accidental events. In the similar security-related concept of concentric so-called “rings-of-protection” or layered protection [11,16,17], the spatial relationship between the location of the target asset and the location of the physical countermeasures is used as a guiding principle. Rings-of-protection, also known as “layered defenses,” are based on the “Defense in Depth” principle [17–19]. An effective countermeasure deploys multiple defense mechanisms between the adversary and the target. Each of these mechanisms should present an independent obstacle to the adversary. Note that the rings of protection in security may not necessarily be independent of each other. However, the Layers of Protection are intended to be independent of each other. Figure 2 (based on [9]) illustrates the rings-of-protection concept and its component countermeasures (listed non-exhaustively).

    Figure 1. Iterative process of security risk assessment as part of security management [9].

    Process Safety Progress (Vol.34, No.1) Published on behalf of the AIChE DOI 10.1002/prs March 2015 73

    When the security management team has decided which security risks require protection measures, a company security concept can be designed. In this regard, a complete view of the chemical plant and its surroundings, geographical, as well as sociotechnical, is the starting point.

    The rings-of-protection concept illustrated in Figure 2, and based on the Defense in Depth approach, is the backbone of security systems [4,9,11,16–19]. Most commonly, the terminology of “perimeters” and “zones” is used.

    Every ring in Figure 2 is defined and constructed according to the risk sensitivity of the objects inside that zone (e.g., storage of flammable liquids; a reactor that is prone to explode during process disturbances, etc.). The question of occupancy will be important for building the rings-of-protection for the chemical plant. The barriers that protect a specific ring are designed with a certain “resistance against intrusion.” The target in the center is the asset that is deemed attractive for a potential adversary and, therefore, requires protection. The resistance of a barrier and the time it takes an adversary to get to the target are important factors in the probability of interruption when setting up a path analysis.

    An adversary will choose a specific path (usually one of several options), also called an “adversary path” [1,20,21] to get to a target. The path can be seen as an ordered series of actions taken against a facility, which, if/when completed, results in a successful attack. As an example, to destroy a water pump, the series of actions may be: penetrate fence, walk to outside door O of building B, penetrate outside door O of building B, walk to inner door D of target room R, penetrate inner door D of room R, destroy water pump. Note that several series of actions may be possible to destroy the water pump, and only one of them is followed. The “critical path” is that path (out of a number of possible paths) requiring the least time in order to complete the ordered series of actions. To adequately protect the target, it is essential that the time needed for the critical path is higher than the interception time. To this end, for each of the actions composing the path, there should be a delay element (e.g., a steel fence) and a detection element [e.g., a thermal camera with Video Content Analysis (VCA)] as well as a deflection element in which the threat attempt is intercepted and prevented. Several possible calculation models are available to carry out a path analysis, for example, the EASI model [1]. Of course, those adversaries taking a longer path to “avoid detection” should also be detected. On the other hand, suicide bombers, who are only interested in one way, namely (possibly forced) entry should be considered as well. Hence, it is obvious that a diversity of countermeasures is needed and that detection should not only focus on the critical path.

    A ring-of-protection translates into a number of measures, as it is a combination of physical security equipment, people, and procedures. Elements of all these types are typically needed together in order to offer the best chance of adequate asset protection against different threats, be they theft, sabotage, terrorism, or other malevolent human or technical attacks from outsiders as well as insiders.

    The intrusion process

    Before commencing the design of the protection barriers (i.e., the rings-of-protection), the different steps corresponding to an adversary’s intrusion should be understood. These steps will help the security manager in generating security specifications. A description of an intrusion can be presented via the acronym “PICER”:

    Preparation stage: This stage is where the adversary will start gathering information about the site and the target. He or she may visit the chemical plant several times and possibly participate in seminars, site visits, and engage in social engineering (name dropping to enter the site) or even contract work; the adversary path will be determined by the adversary in this stage.

    Intrusion stage: This stage is when he or she will enter the site. The time taken to reach the target was calculated by him/her (while determining the path in the previous stage) so that in the event of alarm activation there will still be time to escape. Different methods can be used for calculating the amount of required time to reach the target. Most commonly used is the critical path method (as explained before).

    Collecting stage: At this stage, the adversary collects goods or commits the malicious act.

    Exit stage: This stage is when the adversary will leave the chemical plant.

    Rewarding stage: This stage or process is more relevant to law enforcement than to the security manager since it involves trading stolen goods for money. Trading stolen goods can indeed take place immediately or some time later.

    Figure 2. Rings-of-protection concept found in modern chemical plants [9].

    The principle of “PICER” is mentioned in a handbook that is published by the Belgian Institute of Security [22]. The handbook is used in training sessions as required by Belgian Law [23] but is regrettably not publicly available. The PICER principle indicates that the design of the protective rings should be focused on the first perimeter, or at least as early as possible in the protection process. The first, second, etc. perimeters should be able to react as soon as possible, even (and preferably, if possible) during the preparation stage. Camera surveillance may, for example, help to identify people loitering around the first perimeter or it might detect people trying to collect information about the strength of the fence. Indeed, when a CCTV system is installed on a large site, then it will not only return information about an intrusion itself, but it can also be used at a preventive stage by guards on patrol (receiving information from a distance), who are able to manually inspect the condition of the fence (intact, broken, cut).

    At the moment an attack starts, a detection indicator should be executed. The later the detection takes place, the greater the difficulty of interception becomes. If an intrusion is detected, there must be a way of engaging a matched response in terms of force.

    As already noted, physical protection in itself will not prevent an attack. It is typically a combination of different security measures that need to be employed, a principle which is defined as “OPER.” Similarly to PICER, the “OPER” principle is mentioned in the training handbook of the Belgian Institute of Security [22]. The OPER acronym stands for:

    Organizational—About security awareness, management requirements for security, and other procedures to prevent intrusion

    Physical—Security equipment such as barriers, fences, etc.

    Electronics—Security equipment such as access controls, burglar alarms, cameras, etc.

    Reporting—Transmission of an alert to an internal control room or an external dispatch service

    The design process of the rings-of-protection will be based on this OPER principle. Each perimeter (equal to a certain ring of protection) will consist of a fence with gates or barriers. The access to these rings will be equipped with the right access control system and (depending on the organization) often in combination with intrusion detection and CCTV. In the event of an adversary attempting to gain access, the activation of the systems will generate a response.

    Organizational Requirements

    Adequate security starts with the genuine commitment of an organization’s top management. In the safety domain, top management commitment has been identified as an essential contributing factor for adequate safety performance [24,25]. Due to the similarity between operational safety and security management, it can be assumed that the same conclusion on management commitment holds for security. However, in the security field, there are only a few scholarly publications that prove this claim. As an example, qualitative research indicates that success will depend to a large extent on senior management showing meaningful support for security [5].

    Security within a chemical plant, as also in other industrial sectors, needs to be clearly defined and set up according to the security risks present, and considering the balance between the threats and the level of concern of a company (see before). If the approach to security is not written down in a security manual, there is a danger that ad hoc decisions will be made in dealing with threats, possibly leading to inadequate responses. The development of a credible security manual should be based on the following domains of consideration [4]:

    a security policy

    security procedures

    an employees’ screening process

    a security awareness program

    security training

    an emergency response facility

    incident reporting

    The process needs to be accompanied by a security audit to assess the security level of the chemical plant, the results of which can feed into a gap analysis between the existing situation and the desired situation, to identify areas needing improvements. We recommend, based on practitioner’s experience, that the audit be performed in 12 security domains: Risk Assessment, Strategy, Human Aspects, Physical Security, Access, Intrusion, CCTV, Fire, Integration, Guarding, Information Security, and Security Audit. Literature supports this taxonomy, for example, Talbot and Jakeman [4] developed a model in which most of the domains, which they call “categories,” can be retrieved. To our best knowledge, the sum of these domains encompasses all security items that need to be considered in a chemical organization, and the possible integration of security with safety is also taken into account.

    The design of a physical protection model for chemical plants is explained in more depth in the next sections. The explanation is based on the case study of a real chemical plant and the way security was set up in this plant (for further reading on the development of an integrated security process [4]).

    While in this section, we explained the general design principles for building up a protection strategy inside a chemical plant, the next section elaborates a very practical approach to illustrate how these design principles can be translated into an industrial case.

    SECURITY MEASURES AND PROTECTION: PRACTICE IN THE CHEMICAL INDUSTRY

    Physical Security

    In a previous section, the concept of the rings-of-protection (i.e., defenses in depth or plant perimeters of protection), was explained. Since the rings will be the basis of the complete security plan, there will be security breaches if they are not well researched.

    Prior to determining the rings-of-protection, an inventory of each part of the plant (building, building level,


    protection system. The URB as well as the URS are a combination of all possible security requirements (people, procedures, and technical issues).

    The way an URB is written down is given in the procedure displayed in Figure 4. This URB reporting structure is actually based on the OPER principle.

    The generic procedure of Figure 4 gives for the first URB the syntax as displayed in Figure 5.

    Once the complete set of URBs has been defined, the URSs can be drafted. An URS describes the technical specifications of the URB. It is, however, neither a technical descriptive of the solution, nor is it a set of procedures. In the case of an existing plant, it is often common that several URSs are present but that some of them differ with respect to one or more specific parts. As an example, for the URB 1, six URSs can be identified, namely:

    URS 1 = the fence itself

    URS 2 = the access-points for pedestrians and cars

    URS 3 = the access-points for the trucks

    URS 4 = the access-points for the trains

    URS 5 = the access-points for the boats

    URS 6 = the access-points to the utilities such as water and electricity

    It is worth noting that places where energy is produced or where cooling water or water needed for production is being stored are often forgotten as targets for adversaries. However, these locations should also be protected [20], hence the URS 6 in our list above.

    On the schematic security drawing of the plant, Typicals (i.e., as mentioned, the summation of technological items constituting a security barrier) with a number and a letter should be mentioned. An important point, especially in chemical plants, is also to make an inventory of ATEX-zones or other zones with explosion risks, for example, in Figure 3 marked as Zone 3. These zones will need specific equipment for every kind of security technology that will be installed.

    To explain in detail the concept of Typicals, an example is given here. To enhance the understanding of Typicals, a plan of a chemical plant with the rings of protections and the Typicals on that plan is shown in Figure 6.

    Figure 7 gives a schematic drawing of one illustrative Typical, that is, the security equipment needed for a standard emergency exit. The emergency exit may only be used to leave a building in the event of evacuation. As often seen, this door is also used for shortcuts or for smoking outside the building. To prevent the opening of this door by means of the panic bar, a magnetic contact will be added in combination with a loud sounder and a camera. In the event of the door opening, the sounder will indicate the opening of the door, and the camera will start recording the person(s) leaving the building.

    Figure 8 shows the same Emergency Exit as shown in Figure 7, but now this door also needs to be used as an access point to the building. As its main function is to be an Emergency Exit, the number of the Typical is kept but a capital “A” is added. This door has the same functionality as the one in Figure 7, but with a specific operating instruction, namely the use of the door as an entrance with a badge reader.

    Figure 4. Scheme of an URB.

    Figure 5. Definition of URB for Perimeter 1.

    This emergency exit can be described using the technical sheet as given in Figure 9.

    In order to calculate the budget for such equipment, an inventory of all items has to be made. In Table 1, all the equipment for such an installation of a Typical 12A is listed.

    Perimeter Protection

    Every ring of protection is made up of a perimeter and the corresponding zones (enter and exit zones). The perimeter will have a specific resistance based on the results of the so-called critical path method (see also earlier in this article). The critical path method is a step-by-step technique for security intrusion that defines the path an intruder could use to reach his or her goal. To define the critical path, an asset/attack matrix must be made up, and the path with the lowest detection and delay probability needs to be determined [1,21]. To set up such a critical path analysis, the targets must first be defined. A target is defined as the location the adversary would like to enter and where he or she would like to commit an undesired act. The method further defines the time an intruder will need, considering the obstacles and the tools, to reach his or her target. This time will then be used to calculate the maximum possible time before guards or the police force arrives on location. The way this resistance needs to be built up and the way the possible risks can be mitigated will be defined by the security manager of the plant.
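
    The critical path method described here, and the adversary-path discussion in the rings-of-protection section, can be worked through for a defender's protection plan. The following Python example is added here and is not part of the original article, and it is not the EASI model: it uses a simplified timely-detection calculation. Paths B and C, doors S and L, all delay times, detection probabilities and the 150-second response time are constructed assumptions.

```python
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Step:
    action: str
    delay_s: float         # time the delay element costs the adversary
    p_detect: float = 0.0  # chance the detection element alarms as the step starts


# Constructed sample data. Path A is the water-pump sequence from the text;
# paths B and C, doors S and L, and every number below are assumptions.
PATHS = {
    "A": [
        Step("penetrate fence", 60, 0.5),
        Step("walk to outside door O of building B", 40),
        Step("penetrate outside door O of building B", 90, 0.8),
        Step("walk to inner door D of target room R", 15),
        Step("penetrate inner door D of room R", 120, 0.9),
        Step("destroy water pump", 30),
    ],
    "B": [
        Step("penetrate fence", 60, 0.6),
        Step("walk to side door S", 30),
        Step("penetrate side door S", 60, 0.9),
        Step("destroy water pump", 30),
    ],
    "C": [
        Step("penetrate fence", 90, 0.1),
        Step("walk long route to door L", 200),
        Step("penetrate door L", 150, 0.3),
        Step("walk to water pump", 60),
        Step("destroy water pump", 30),
    ],
}
RESPONSE_S = 150.0  # assumed time between an alarm and guards reaching the target


def path_time(path):
    """Total time the adversary needs for the ordered series of actions."""
    return sum(step.delay_s for step in path)


def critical_path(paths):
    """Name of the path requiring the least time (the article's critical path)."""
    return min(paths, key=lambda name: path_time(paths[name]))


def split_detectors(path, response_s):
    """Separate detection elements into timely ones and ones that alarm too late.

    An alarm is timely only if the adversary still needs more time to finish
    than the response force needs to arrive.
    """
    remaining = path_time(path)
    timely, late = [], []
    for step in path:
        if step.p_detect > 0:
            (timely if remaining > response_s else late).append(step)
        remaining -= step.delay_s
    return timely, late


def p_interruption(path, response_s):
    """Probability that at least one timely detection element raises an alarm."""
    timely, _ = split_detectors(path, response_s)
    return 1.0 - prod(1.0 - step.p_detect for step in timely)


def weakest_path(paths, response_s):
    """Path with the lowest probability of interruption."""
    return min(paths, key=lambda name: p_interruption(paths[name], response_s))


def assess(paths, response_s):
    """Per-path summary a security manager can use to place delay and detection."""
    report = {}
    for name, path in paths.items():
        _, late = split_detectors(path, response_s)
        report[name] = {
            "time_s": path_time(path),
            "margin_s": path_time(path) - response_s,
            "p_interrupt": round(p_interruption(path, response_s), 3),
            "late_detectors": [step.action for step in late],
        }
    return report


if __name__ == "__main__":
    for name, row in assess(PATHS, RESPONSE_S).items():
        print(name, row)
    print("critical path (least time):", critical_path(PATHS))
    print("lowest probability of interruption:", weakest_path(PATHS, RESPONSE_S))
```

    With this sample data the critical path is B, but the path least likely to be interrupted is the longer path C, which is the reason the article asks that detection not focus on the critical path alone. The `late_detectors` column lists detection elements that need more delay behind them or an earlier position.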

    The first perimeter, usually being the property boundary of the plant, is mostly a simple wired fence. The fence is a physical OPER measure. It usually serves to prevent trespassing attempts and for keeping out unwanted visitors. If it is also to act as a perimeter with a certain protection against adversaries (such as burglars, terrorists, etc.), then a more appropriate fence type can be chosen. If it also has to prevent attacks from vehicles then it may be extended with an antiramming device like a barrier of concrete. However, preventing or mitigating attempted illegal entry should not be regarded as sufficient protection. Evidence of a potential trespasser should be available as promptly as possible. To this end, an appropriate perimeter detection system (see, e.g., Figure 10) may be installed, introducing an electronic OPER measure. For chemical plants, the use of thermal cameras with VCA is suggested. As the premises of chemical plants are usually rather large, often with trees and other vegetation present, tests indicated that thermal camera systems have the lowest rate of false alarms when used as perimeter detection. Even in the event of climbing and cutting the fence this seems to be a good solution. Tests have revealed that well-organized intruders can overcome some of the other security countermeasures such as leaking coax or seismic pressure systems in several seconds without setting off any alarm (also electronic OPER measures). A schematic drawing of such a perimeter protection is illustrated in Figure 10.

    Access Control

    Access control methods combine physical and electronic OPER measures in a single security system. The company security manual needs to guide the choice of an appropriate access system. It will indicate whether one-by-one access (i.e., access only allowing one person entering or leaving at one time) is required on the perimeter or just protection against unauthorized access. Otherwise, it will indicate whether people have to identify themselves by means of a second verification system. Maybe, there is also a need for installing an “antipass back” (i.e., a way to prevent people from accessing a site twice without leaving the site, e.g., handing over of badges to other people). Installing such an antipass back system can be interesting, for example, if the number of people in a certain location has to be counted, or if a person cannot access the plant if he or she does not possess the right certification, or if a person is not authorized to enter this specific zone.

    All these parameters must be carefully defined before decisions can be made about the type of cards, doors, a system with pin-codes, biometrics, and what have you. These parameters will indicate whether employees need to access the site by means of a man-height turnstile or a simple gate-door or no barrier. The number of users and the timeframe will indicate the type of door as well as the number of access points. If one-by-one access for every employee at Perimeter 1 is needed (e.g., having 500 people entering between 8 am and 8:15 am), then several turnstiles to let these people in in a correct manner during this timeframe, are required. The definition of access authorization can be visualized as displayed in Figure 11.

    Figure 6. Chemical plant and its Typicals.

    Figure 7. Typical 12: “Emergency exit.”

    Figure 8. Typical 12A: “Emergency exit with access-IN.”

    Access control will help to define the access levels and the behavior of the access. In a chemical plant, it is important to foresee up-scaling of the access levels. Due to the possibility of this up-scaling, the behavior of the access system can be changed in a few seconds. Usually, three levels are defined: Level 1 = normal operations; Level 2 = degraded operations; Level 3 = alarm. The levels should be seen as access levels when carrying out business continuity planning in responding to exceptional circumstances of any kind. This approach will, for example, be reflected in Level 1 as an operational level where everybody has a common or standard access, when authorized. For Level 2, for example, there will be limited access restricted to persons needed at this operational level. So, this could mean that a person having an access for 24/7 in normal circumstances, no longer is allowed on the plant in special circumstances, or that the number of doors is restricted and that he or she cannot enter the “usual” buildings.

    Figure 9. Technical sheet for the Typical 12A from Figure 8.

    Table 1. Required equipment for the Typical from Figure 8.

    TYPICAL 12A—Emergency Exit with access-IN

    Equipment                                                   Quantity
    Card reader                                                 1
    Magnetic contact antisabotage                               1
    Internal siren with built-in flash                          1
    PLC for logic? of door                                      1
    Camera external in housing (heated/ventilated) on support   1
    Controller                                                  1

    Figure 10. Schematic drawing of Typical Perimeter 1 for a chemical plant.

    Another important issue concerning access control is the possibility of using mustering points. These points must be equipped with “readers,” who have no access capabilities but who build up a list of all persons present on this location. Such an inventory of people present can be very useful for rescue workers searching for people in the reactive and curative phase of an incident. The lists will be used to verify whether there are still persons missing. However, usually one-by-one access is not possible as too many people have to enter a plant site at the same time. Therefore a “time and attendance” system, coupled to the wages of the employees, may be a solution. As another example, competency access, where someone has to have carried out the relevant instruction and training in order to be allowed access, is possible.

    Access control is not only based on the readers and authorization through having an access. It also uses doors. These doors must be of the same protection level as the fence. Obviously, it makes no sense placing a wooden door in a steel fence or placing a reinforced door in plasterboard.
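
The access rules described in this section (antipass back, competency access, the three access levels and mustering readers) can be combined in one decision routine. The Python below is an added example, not code from the article or from any access control product; the badge numbers, zone names, the "H2S" certificate and the `max_level` field are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

NORMAL, DEGRADED, ALARM = 1, 2, 3   # the three access levels named in the text

@dataclass
class Person:
    badge: str
    zones: frozenset                 # zones this badge is authorized for
    certs: frozenset = frozenset()   # completed instruction and training
    max_level: int = NORMAL          # highest site level at which entry is still allowed

@dataclass
class AccessControl:
    people: dict                     # badge -> Person
    zone_cert: dict                  # zone -> certificate required (competency access)
    level: int = NORMAL
    inside: dict = field(default_factory=dict)   # badge -> zone (antipass back state)
    mustered: set = field(default_factory=set)   # badges read at a mustering point

    def enter(self, badge, zone):
        """Return (granted, reason) for a read at an entry reader."""
        p = self.people.get(badge)
        if p is None:
            return False, "unknown badge"
        if zone not in p.zones:
            return False, "zone not authorized"
        if self.level > p.max_level:
            return False, f"not admitted at level {self.level}"
        need = self.zone_cert.get(zone)
        if need and need not in p.certs:
            return False, f"missing certification: {need}"
        if badge in self.inside:     # badge is already on site, e.g. handed to someone else
            return False, "anti-passback"
        self.inside[badge] = zone
        return True, "granted"

    def leave(self, badge):
        return self.inside.pop(badge, None) is not None   # exit is never refused

    def headcount(self, zone):
        return sum(1 for z in self.inside.values() if z == zone)

    def muster(self, badge):
        self.mustered.add(badge)     # reader with no access capability, presence only

    def missing(self):
        # People recorded on site who have not been read at a mustering point.
        return sorted(set(self.inside) - self.mustered)

def demo():
    # Constructed sample population, not data from the article.
    people = {p.badge: p for p in [
        Person("B001", frozenset({"admin", "production"}), frozenset({"H2S"}), ALARM),
        Person("B002", frozenset({"admin", "production"}), frozenset(), DEGRADED),
        Person("B003", frozenset({"admin"}), frozenset(), NORMAL),
    ]}
    ac = AccessControl(people, {"production": "H2S"})
    log = [ac.enter("B001", "production"), ac.enter("B002", "production"),
           ac.enter("B002", "admin"), ac.enter("B002", "admin")]
    ac.level = DEGRADED              # up-scaling applies from the next badge read
    log.append(ac.enter("B003", "admin"))
    ac.level = ALARM
    ac.muster("B001")
    return log, ac.headcount("admin"), ac.missing()
```

The missing list is only as reliable as the entry and exit reads behind it, which is why the text ties it to one-by-one access or a time and attendance system.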

    Intrusion Detection

    Intrusion detection systems are electronic measures in OPER. We will use the same setup as for the access control measurements. Figure 12 provides an overview of what is required for this security measure.

    Most of the chemical plants work on a 24/7 regime. Intrusion systems will, therefore, be installed on the perimeter and/or in administrative buildings or those buildings which do not have a 24/7 regime (e.g., vital zones).

    Figure 11. Definition of access authorization for a chemical plant.

    Figure 12. Definition of intrusion detection for a chemical plant.

    As the size of a chemical plant can be very large, the first point of detection is usually installed on the first perimeter. However, intrusion can also start from the inside. The probability of each type of intrusion scenario must be defined in the security risk assessment process. Most often, a burglar alarm (i.e., a standalone detection system with an option for offsite monitoring) is installed in the buildings, whereas a perimeter detection system (which is integrated into a security management system) is established on the perimeter.

    These systems should be connected to an (entirely or partially) internal and/or external guarding room. Only this way can the guards react promptly after an intrusion. The faster the correct response after an alarm, the lower the probability of an adversary being successful.

    Camera Surveillance

    It is often not possible to put a guard at every door or at every location susceptible to an attack. This cost would be very high for any company, including a chemical company. Other solutions to detect possible intrusions are thus required. Electronic systems for detection of intrusion are adequate but unfortunately not always relevant. For example, a fence-wire has to cope with calibration and compensation problems due to environmental and product behavior in outdoor installations. As these problems still generate a lot of “unwanted” alarms, guards are needed for assessment and verification of these alarms. As guards are usually not present at the location of the intrusion, an additional system must be put in place to aid them to prevent these alarms from being neglected. Therefore, it is important to install cameras which will be the eyes at the location of the guards. Cameras count as electronic measures in the OPER system.

    Cameras can only visualize what they see. A correct description of the means and scope of the camera surveillance system is, therefore, important. The following should be defined in advance to overcome unusable images for the purpose of the camera surveillance:

    - what must be viewed
    - which part is important in the picture and which part not
    - what definition is required (overview, detection, recognition, identification, . . .)
    - who is viewing the images and on what basis (reactive, proactive, . . .)
    - what can prevent the camera from viewing the correct images (plants, construction site, changes on the perimeter, . . .)

    Cameras are part of the overall security measures and by themselves they will of course not prevent incidents occurring. In Figure 13, some definitions of camera surveillance for a chemical plant are presented. Nevertheless every chemical plant has its own peculiarities and, therefore, definitions must be fitted to the result of the chemical plant’s security assessment and security manual.

    As can be seen in Figure 13, the camera surveillance system will mostly be used as a verification of the act. A camera will, in the best case scenario, deter an adversary from committing an unwanted act. On the other hand, if the adversary can see the camera, he may destroy or disable the camera before committing the unwanted act. The integration of cameras with other security technologies is thus needed, especially in chemical plants where premises can be large and not always well illuminated at all locations. The absence of light can indeed be a problem for camera surveillance and it must be resolved using the correct techniques.

    The visualization of the images and the contents of these images can have a better level of performance using intelligent VCA-techniques. However, in contrast with the military sector, industrial security VCA-techniques are used that have to cope with very small pixel objects. If combined with thermal cameras instead of standard cameras, even day/night, a better result is often obtained in chemical plants. However, thermal cameras are good for large open spaces, but have vulnerabilities and their measure of performance, user expectations, etc. also bring unique problems. Hence, the optimal solution is site dependent.

    Intrusion can be detected quickly, even sometimes before the actual intrusion takes place, when combined with the newest 4D/3D techniques called “video image understanding.” Video image understanding is a technique that uses sensors and telemetry in 2D-images together with human behavior analysis. It is even arranged so that the combination of thermal cameras and VCA can be used for fire detection or gas detection. In this case, thermal cameras will have a double effect and a reduced cost as they have a double functionality, especially in the chemical and process industry. Moreover, such thermal cameras are a nice example of the need for integration of safety and security in a chemical industrial area.

    Figure 13. Definition of camera surveillance for a chemical plant.

    System Integration

    The necessity of integration of procedures, people, and systems was already mentioned as the “OPER principle.” All the previous sections follow this principle. But there is also a need for integration between systems. Not only between two security systems, such as camera surveillance and access control, but between all security systems installed and used within a chemical plant, and between security and safety needs.

    Most often the security manager will use integration for an interaction between fire detection and access control. It is compulsory that some doors, in the event of a fire, need to be unlocked or locked, to prevent the fire from expanding or to enable people to escape to fire-free areas. This successful safety practice can be opposed to access control, which is a purely security-based solution. Access control is set up to prevent “unauthorized” people from entering the plant, whereas fire detection is set up to evacuate the plant in the event of a fire. Hence access control demands fail-secure locks where fire detection demands fail-safe locks. In this case, the appropriate lock and access point must be installed so that everyone, in the event of fire, has a free exit, but that the entrance is still secured and only available for those who have access.

    This practice is of course only one part of the integration, even though it is still a very difficult one. For example, after a flash fire alarm, an intrusion was seen but was not detected due to the integration of the two systems not being set up properly. In most cases, the fire alarm will cause the power to be cut off from the access points and doors will be left unsecured. Hence, integration is more than setting up some hardware links: it is also about the interaction between systems that sometimes are not regulated. For example, consider the use of thermal cameras to ensure gas detection or the help of camera surveillance to have an overview of the location of a fire and the additional escape routes. In a chemical plant, it is very important that security people as well as firemen have a complete overview of the fire, its location, its extension region, the escape routes for people and also the possible routes for the fire brigade. For chemical plants, it is important that part of the integration includes the activity inside the control rooms, not only between systems but also between people.
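
The conflict between fail-safe and fail-secure locks, and the missed intrusion after a fire alarm, can be checked per door before installation. The Python below is an added example, not part of the article; the door names other than Typical 12A, the `free_egress` hardware flag, the event format and the 5-second `grace` window are assumptions made for the illustration.

```python
from dataclasses import dataclass

FAIL_SAFE, FAIL_SECURE = "fail-safe", "fail-secure"   # lock behaviour on power loss

@dataclass(frozen=True)
class Door:
    name: str
    entry_lock: str     # FAIL_SAFE releases when power is cut, FAIL_SECURE stays locked
    free_egress: bool   # mechanical exit from inside that needs no power (assumed hardware)

def fire_state(door):
    """Door state once the fire alarm has cut power to the access point."""
    return {"exit_free": door.free_egress or door.entry_lock == FAIL_SAFE,
            "entry_secured": door.entry_lock == FAIL_SECURE}

def review(doors):
    """List doors that break 'free exit, entrance still secured' during a fire."""
    findings = []
    for d in doors:
        s = fire_state(d)
        if not s["exit_free"]:
            findings.append((d.name, "no free exit"))
        if not s["entry_secured"]:
            findings.append((d.name, "entry unsecured"))
    return findings

def to_verify(doors, events, grace=5):
    """Openings during a fire alarm that the guard room must check on camera.

    events: time-ordered (seconds, kind, door_name). On a door whose entry side stays
    secured, an opening without a badge read can only be an exit; on a released door
    it may be an entry, so it is reported instead of being lost in the fire alarm.
    """
    by_name = {d.name: d for d in doors}
    fire, last_grant, out = False, {}, []
    for t, kind, name in events:
        if kind in ("fire_alarm", "fire_reset"):
            fire = kind == "fire_alarm"
        elif kind == "badge_granted":
            last_grant[name] = t
        elif kind == "door_open" and fire:
            badged = t - last_grant.get(name, float("-inf")) <= grace
            if not badged and not fire_state(by_name[name])["entry_secured"]:
                out.append((t, name))
    return out

# Constructed doors and event log, not taken from the article's case study.
DOORS = [Door("exit-12A", FAIL_SECURE, True),
         Door("side-door", FAIL_SAFE, False),
         Door("archive", FAIL_SECURE, False)]
EVENTS = [(0, "door_open", "side-door"), (100, "fire_alarm", ""),
          (110, "door_open", "exit-12A"), (130, "door_open", "side-door"),
          (200, "badge_granted", "exit-12A"), (202, "door_open", "exit-12A"),
          (300, "fire_reset", ""), (310, "door_open", "side-door")]

if __name__ == "__main__":
    print(review(DOORS))
    print(to_verify(DOORS, EVENTS))
```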

    DISCUSSION

    This article describes the systematic development of a practical security system in the chemical and process industry. One specific contribution it makes is the detailed description and analysis of risk-sensitive areas and the so-called Typicals functioning as security barriers. The detailed description aids the tracking of security measures and facilitates, and even enables, careful thinking about risks and then appropriate processes and other mitigation measures. We suggest that chemical companies wishing to assess their security situation initially perform a gap analysis between the actual state of the plant and the ideal security situation as described above.

    When the URB is defined, an inventory of the actual (existing) situation of the plant can be made. The plant’s URS can be used while defining correctly the Typicals. A difference between the conceptual URS and the physical measures will be observed. For example, there may be several types of gates in the fence to facilitate an entrance to a certain zone. At one time, the gate may be a sliding gate, at another time it may be a bifold gate. The functionality of the gate will be the same, that is, a truck entering the site. But the technical specification will be different. Detection of the open/closed state of a sliding gate will be different than for a bifold gate. It will also impact upon the budget estimation for the proposed security systems. What is an appropriate budget allocation will vary with circumstances and in any event will depend on the findings from the gap analysis.

    Once all Typicals are defined for the plant, the budget estimation can be commenced. For each Typical, the technical equipment needs to be defined. This equipment typically combines several OPER measures and will then be used to fix a complete price for the Typical. An inventory of the site will provide a perspective on the present situation; the gap between this state and the to-be state. It also indicates the number of Typicals.

    The combination of the number of Typicals and the “to-be installed equipment” provides for a calculation of the amount of investment that is needed for the installation of the security system. These Typicals can be of help later, when changing the site or constructing a new building on this site or reassessment of risks.

    CONCLUSIONS

    To build an effective security design in the chemical and process industries, it is essential to start from a structured security risk assessment that is recognized by people working in that industry. This approach will help in choosing the right concept for the needed security solutions and protection. Designing a correct security plan is based on this concept.

    The design of so-called Typicals is suggested, and an approach where risk, behavior, and standards will interact on the roll-out of these Typicals is proposed for drafting the security plan. For chemical plants, specific information will be needed, as these kinds of site are often very large and several types of production processes take place on the same site, often using large amounts of various hazardous chemicals. The detailed description of risk-zones, PICER scenarios, and Typicals based on the OPER system helps to keep track of security measures in the plant, but also forces analysts to think carefully as to whether their security plan provides full coverage of the risks. Whenever possible, it is recommended to look for double functionalities of the technological equipment, so as to optimize the security countermeasures’ costs, and to integrate security needs with safety requirements. It is primordial to ensure that the responses to a security threat are integrated with the needed security responses to a safety threat.

    LITERATURE CITED1. M. L. Garcia, Vulnerability Assessment of Physical Protec-

    tion Systems, Butterworth-Heinemann, Burlington, 2008.2. S. Mannan, Lee’s Loss Prevention in the Process Indus-

    tries, Elsevier Butterworth-Heinemann, Burlington, 2005.3. I.T. Cameron and R. Raman, Process Systems Risk Man-

    agement, Elsevier Academic Press, Amsterdam, 2005.

    4. J. Talbot and M. Jakeman, Security Risk ManagementBody of Knowledge, Wiley, New York, 2009.5. G.L.L. Reniers, Terrorism security in the chemical industry:

    Resultsof a qualitative investigation, Secur J 24 (2011),69–84.6. American Petroleum Institute, API Recommended Practice

    780, Security Risk Assessment Methodology for the Petro-leum and Petrochemical Industries, Document Draft, American Petroleum Institute, Washington, 2012.

    7. F. Fontaine, B. Debray, and O. Salvi, “Protection of hazardous installations and critical infrastructures—Com-plementarity of safety and security approaches,” Manag-ing Critical infrastructure Risks, I. Linkov, R.J. Wenning,and G.A. Kiker, (Editors), Springer, London (2007), pp.65–78.

    DOI 10.1002/prs Process Safety Progress (Vol.34, No.1)82 March 2015 Published on behalf of the AIChE

  • 8/19/2019 Reniers Et Al-2015-Process Safety Progress

    12/12

    8. D. Holtrop and D. Kretz, Onderzoek Security & Safety:een Inventarisatie van Beleid, Wet- en Regelgeving, InDutch, Arcadis, The Netherlands, 2008.

    9. G.L.L. Reniers, Multi-plant Safety and Security Manage-ment in the Chemical and Process Industries, Wiley-VCH, Weinheim, 2010.

    10. G.L.L. Reniers, D. Herdewel, and J.-L. Wybo, A threat assess-ment review planning (TARP) decision owchart for complexindustrial areas, J Loss Prev Process Ind 26 (2013), 1662–1669.

    11. CCPS, Guidelines for Analyzing and Managing the Secu-rity Vulnerabilities of Fixed Chemical Sites, Center forChemical Process Safety, American Institute for ChemicalEngineers, New York, 2003.

    12. D.J. Landoll, The Security Risk Assessment Handbook, Auerbach Publications, Boca Raton, 2006.

    13. CCPS, Inherently Safer Chemical Processes, A Life Cycle Approach, Center for Chemical Process Safety, AmericanInstitute for Chemical Engineers, New York, 1996.

    14. A.M. Dowell, Layer of protection analysis and inherently safer processes, Process Saf Prog 18 (1999), 214–220.

    15. T. Meyer and G. Reniers, Engineering Risk Management,De Gruyter, Berlin, 2013.

    16. L.J. Fennelly, Handbook of Loss Prevention and CrimePrevention, 4th Edition, Butterworth-Heinemann, Burling-ton, 2004.

    17. J. Ellis and C.A. Hertig, The Professional Protection Of-cer, Butterworth-Heinemann, Burlington, 2010.

    18. IAEA (International Atomic Energy Agency), Defence inDepth in Nuclear Safety, IAEA, Vienna, 1996.

    19. ASIS, Protection of Assets, Physical Security, ASIS Interna-tional, Alexandria, VA, 2012.

    20. M.J. Arata Jr., Perimeter Security, McGraw-Hill, San Fran-cisco, 2006.

    21. T.L. Norman, Risk Analysis and Security Countermeasure

    Selection, CRC Press, Boca Raton, 2010.22. Institute of Security Belgium, Handbook “Basisopleidingbestemd voor Leidend Personeel van beveiligingson-dernemingen” (in Dutch), Ministry of Home Affairs,Brussels, 2013.

    23. Belgian Ofcial Gazette, Wet tot regeling van de privateen bijzondere veiligheid (in Dutch), (1990), p. 10963.

    24. T. Wu, C. Chen, and C. Li, A correlation among safety leadership, safety climate and safety performance, J LossPrev Process Ind 21 (2008), 307–318.

    25. E.A. Kapp, The inuence of supervisor leadership prac-tices and perceived group safety climate on employeesafety performance, Saf Sci 50 (2012), 1119–1124.

    26. H.A. Gabbar and K. Suzuki, The Design of a PracticalEnterprise Safety Management System, Kluwer AcademicPublishing, Dordrecht, 2004.

    Process Safety Progress (Vol.34, No.1) Published on behalf of the AIChE DOI 10.1002/prs March 2015 83