PSA-LOPA – A Novel method for physical security

risk analysis based on Layers of Protection Analysis

Fabio Garzia European Academy of Sciences and Mario Fargnoli
Safety & Security Engineering Group - Arts Safety & Security Engineering Group -
DICMA Salzburg, Austria DICMA
SAPIENZA – University of Rome fabio.garzia@uniroma1.it SAPIENZA – University of Rome
Rome, Italy Rome, Italy
Mara Lombardi
& Safety & Security Engineering Group - Soodamani Ramalingam
Wessex Institute of Technology DICMA School of Engineering and Technology
Southampton, UK SAPIENZA – University of Rome University of Hertfordshire
Rome, Italy Hatfield, UK
&

Abstract—Physical security risk analysis represents a
fundamental tool to evaluate the threats regarding an
organization and it can be divided into distinct groups,
represented by: qualitative, semi-quantitative, quantitative,
and mixed. The method of analysis is very important because it
also allows to measure the increase in the level of security
following the improvements of planned activities to step-up the
levels of protection of a given site. In our case, the Layers of
Protection Analysis (LOPA) method, initially structured and
developed for industrial plants safety (such as chemical
industry), has been revised and adapted to the physical
security risk, providing interesting and useful results.
The purpose of this paper is to illustrate a novel method for
physical security risk analysis based on LOPA that represents
a general tool for any kind of organization.
Keywords—Physical security risk analysis, LOPA, Layers of
Protection Analysis.
I. INTRODUCTION
Physical security risk analysis represents a fundamental
tool to evaluate the threats regarding an organization,
allowing a subsequent optimal security management, even
using properly supporting integrated technological
framework based on Internet of Things (IoT) / Internet of
Everything (IoE) which can connect people, things (mobile
terminals, smart sensors, devices, actuators; wearable
devices; etc.), data / information / knowledge and processes
[1 - 6].
Risk analysis can be divided into distinct groups,
represented by: qualitative, semi-quantitative, quantitative,
and mixed [7 - 15].
Qualitative risk analysis is useful in doing a preliminary
overview of the threats of an organization, but it does not
provide quantitative results.
Quantitative risk analysis is fundamental in giving the
exact values of different threats. It can be a very complex
and expensive process.
Semi-quantitative risk analysis represents an
intermediate analysis between qualitative and quantitative
analysis.
Mixed risk analysis joins different techniques.
The method of analysis is very important because it also
allows to measure also the increase in the level of security
following the improvements of planned activities to step-up
the levels of protection of a given site.
In our case, the Layers of Protection Analysis (LOPA)
method, initially structured and developed for industrial
plants safety (such as chemical industry), has been revised
and adapted to the physical security risk, providing
interesting and useful results.
LOPA represents a semi-quantitative tool. As a risk
assessment methodology, LOPA uses order of magnitude
categories for initiating event frequency, consequence
severity, and the likelihood of failure of independent
protection layers (IPLs) to estimate risks. Objectives of
LOPA are to determine if risks can be tolerated by asking if
there are enough layers of protection against an accident
scenario and if supplementary independent protection layers
are needed.
The purpose of the proposed physical security adapted
LOPA (PSA-LOPA) technique is to define and quantify the
risk of occurrence of a dangerous security scenario and to
establish if, within a site, there are enough physical security
measures, defined as levels of protection (layers), such as to
evaluate the physical security risk acceptability.
The proposed methodology is very versatile as it adapts
both to the design of a new site, allowing to insert the right
number of levels of protection, and to the analysis of an
existing site, allowing, if necessary, to add new levels of
protection in a way that allows the risk to be acceptable.
The purpose of this paper is to illustrate a novel method
for physical security risk analysis based on LOPA that
represents a general tool for any kind of organization.
II. THE LAYERS OF PROTECTION ANALYSIS (LOPA)
The proposed Physical Security Adapted Layer of
Protection Analysis (PSA-LOPA) technique allows to
identify the exact number of physical security protections
(intrusion detection system, access control, video
surveillance etc.) that the site needs and the related
performances. It also allows the analyst to avoid
overestimating the risk as in the case of including redundant
protective devices that sometimes result to be useless,
thereby reducing any costs involved [16 - 19].
For these reasons, the correct application of the PSA-
LOPA technique represents a simple and effective screening
method to establish not only what physical security

978-1-5386-7931-9/18/$31.00 ©2018 IEEE

protections (PSPs) the site needs to be considered safe but,
above all, if the existing PSPs are necessary and enough.
The LOPA analysis consists of several steps:
• Identification of the physical security risk scenario.
• Study of the severity of the consequences of the
above scenario and assignment of a defined Target
Factor score.
III. THE PHYSICAL SECURITY ADAPTED LAYERS OF
PROTECTION ANALYSIS (PSA-LOPA)
As previously explained, since the LOPA methodology
was initially conceived for the calculation of industrial risk,
it was necessary to modify the aforementioned formula,
adapting it to the physical security risk, producing extremely
precise and useful results whereas the considered PSA-
LOPA technique has been applied.

• Identification of the triggering cause (Initiating Since physical security is generally applied according to
event). layers of protection so that any intruders find various levels
of protection such as perimeter protection, video
• Estimate of the frequency of occurrence of the surveillance, technological barriers, sensors etc. before
Initiating Event. reaching the desired target, LOPA method is very suitable
since it is necessary to invert the considered flow of risk.
• Identification of any other factors (Enabling Factors)
that, coupled with the Initiating Event, give rise to the In fact, LOPA considers the different level of protection
scenario. starting from the target and proceeding towards various
levels of protection that could progressively produce
• Evaluation of the actual time in which the risk is damages.
manifested (Time at Risk).
In the PSA-LOPA the processes are properly reversed,
• Identification of independent protections considering the various levels of protection as a sort of
(Independent Protection Layers, IPLs). progressive shields to avoid that an intruder could reach a
• Calculation of the probability of failure of the given target, producing the expected damages (Fig.s 1 - 3).
physical security protections (Probability of Failure
on Demand, PFD).
• Evaluation of credits.
• Evaluation of the acceptability of risk and possible
improvement activities.
To carry out the risk analysis it is necessary to calculate
how much the existing PSPs can reduce the probability that
the scenario will occur. To do this, the concept of ‘credit’ is
used. The definition of credit is closely linked to the
probability of failure, associated with each individual PSPi,
according to the following equation [16 – 19]:
(1)
Once the individual credits have been evaluated, the
PSA-LOPA analysis is performed with the calculation of the
risk coefficient, relative to the k scenario, using the
following equation [16 – 19]:
Fig. 1. Schematic example of different layers of protection of a single
target.
(2)
where:
• TF is the Target Factor.
• FI is the opposite of the logarithm of the frequency of
occurrence of the Initiating Event.
• FE is the opposite of the logarithm of the frequency of
occurrence of the Enabling Factor.
• IT is the index of the Time at Risk.
• IPLs are the Independent Protection Layers that, in
our case, represents the physical security protections,
or levels of protections, that intervene following the
IE.

Fig. 2. Schematic example of different layers of protection of multiple

targets (two in the figure).

Fig. 3. Schematic example of different layers of protection of multiple
targets (three in the figure).
In the present work, only technological protections are
considered but it is possible to extend the PSA- LOPA
considering not only technological barriers but even
physical barrier and human factor [20, 21] that represent
fundamental elements for security management.
The following assumptions were made to simplify the
proposed technique (but they can be obviously revised to
obtain a deeper level of analysis, but they are not considered
in this basic analysis):
IV. EXAMPLE OF APPLICATION OF PSA-LOPA
It is first necessary to define the damage levels and the
requested level of performances of the security solutions for
the related associated physical security risks and these
activities are specific of a given site of a given organization.
An example is shown in Tab. I where the reliability of
security solution (RSS) is also indicated.
The performance level of the security protection is
associated with the level of damage that the security event
can cause. The five levels of damage have been taken up by
a standard classification of a given organization, which
associates at each level the quantification of economic,
physical, company’s reputation, legal expenses etc.
damages. In this way, the PSA-LOPA technique has been
adapted and customized to a general context valid for any
kind of organization.
The TF target factor (derived by a previous qualitative
risk analysis) has been associated with each level of
damage. For example, a potential objective of the highest
strategic and economic importance for the considered
organization (data centre, vaults etc.) is associated with the
maximum damage level, and the score that will be assigned
will vary from 9 to 10, and so for the levels of lower risk.
TABLE I. RESUME TABLE OF THE DAMAGE LEVELS, THE
REQUESTED PERFORMANCE LEVELS OF THE SECURITY SYSTEM AND
THE PSA-LOPA COEFFICIENTS.
performance
Requested

Damage
level of

R (PSA-
• the FI factor was assumed to be equal to 1, since the TF
LOPA)
RSS PFD
intrusion security system is evaluated when the
intrusion has already happened.
• The IT factor is not considered for simplicity even if
SEVERE

the times of exposure to a security risk can be

determined in particular environments. 5 9 - 10 R < -3 > 99,99 % < 0,0001

• The F factor is not considered for simplicity even if

E

in some security events it is possible to identify

‘enabling’ factors or factors that facilitate the
development of a security event.
HIGH

4 7-8 -3 < R < -2,1 99,9 - 99,99 % 0,001 - 0,0001

Since PSA-LOPA deals in this basic version only with
technological barrier and devices whose failure rate is lesser
than one and since this failure rate is used in eq. (1) as
MODERATED

probability of failure, the sign the logarithm calculation is

reversed since the result of the argument (failure rate, lesser
than one) gives already a negative result. 3 5-6 -2 < R < -1,1 99 - 99,9 % 0,01 - 0,001

It is evident that the higher the reliability of a given

security protection and the lower the failure rate. This means
that the value calculated with eq.(1) strongly reduces,
LIMITED

reducing the related R coefficient of the related risk

scenario. This is an obvious result since it means that the 2 3-4 -1 < R < 0 90 - 99 % 0,1 - 0,01
considered protection is very reliable, ensuring an elevate
level of security protection and therefore a reduction of the
related risk. The great advantage of the proposed method is
NEGLECTABLE

that it permits to evaluate the different level of protections

from the semiquantitative point of view, allowing to
evaluate if further levels of protection are necessary, 1 1-2 R>0
providing also all the necessary information to realize them
with an optimal ratio from the cost / benefit point of view.
 Different kind of qualitative analysis can be performed,
using, for example, qualitative matrixes such as: interaction
matrix targets-security protections, interaction matrix impact
on targets-threats, Interaction matrix accesses -security
protections etc., that provide useful information to evaluate,
the level of damage of each target of the specific site of the
considered organization necessary for the following PSA-
LOPA semiquantitative analysis.
TABLE II. AN EXAMPLE OF THE RESUMING TABLE, CONSIDERING 12
TARGETS AND RANDOM BUT REAL VALUES OF P1, P2, P3 COEFFICIENTS OF
EACH TARGET (EVEN IF THEY ARE NOT INDICATED FOR BREVITY).
physical security risk, which the qualitative risk analysis
provided in advance.
For simplicity, the layers of physical security protection
that have been considered are represented by video
surveillance, access control and intrusion detection, named
P1, P2, P3, respectively even if the method allows to consider
multiple levels of protections, as illustrated before, not
limiting to technological protection systems but also
considering physical barriers and human factor reliability
and errors [20, 21].
The probability of failure of protection levels P1, P2, P3,
are obtained from the failure rates of each kind of used
devices. In the specific case of video surveillance, the

Requested level of
Actual level of
performance

performance
Damage faceable by failure rate is multiplied for the percentage of visual
Estimated
Target the actual level of
damage
coverage of considered area (i.e. equal to 1 if all the
protection considered area is covered).
Once individuated all the targets, it is possible to
calculate for each target Ti, by means of the related level of
Target 1 LIMITED LIMITED 2 2 protections P1i, P2i, P3i and, using the previous equations, the
related PSA-LOPA risk factor Ri, obtaining the actual
physical security level of protection of each target of the
Target2 MODERATED SEVERE 3 5 considered site.
At this point it is possible to create a resuming table
Target 3 LIMITED MODERATED 2 3 (Tab. II) where the first column represents the
individualized targets, the second column represent potential
Target 4 NEGLECTABLE HIGH 1 4
damages as determined by PSA-LOPA (using Eq.(1) and
Eq.(2)), the third column represents the expected damage
calculated using the results of initial qualitative analysis
Target 5 NEGLECTABLE HIGH 1 4 converted using Tab. I, the fourth column the actual level of
performance of the security protections and the fifth column
the requested level of performance of the security protection
Target 6 NEGLECTABLE HIGH 1 4 necessary to face the expected damages (both converted
using Tab. I).
Target 7 NEGLECTABLE HIGH 1 4 The obtained results allow to evaluate immediately if the
performance level of protections of the single targets, and
3 5
therefore of the entire site, are suitable or if it is necessary to
Target 8 MODERATED SEVERE
enforce the existing layers of protection of each target
(increasing for example their reliability) or increase the
Target 9 MODERATED SEVERE 3 5 number of them to reach the requested performance level.
Tab. II can also be represented using a proper histogram
graph to have immediately a clear view of the situation, as
Target 10 NEGLECTABLE ELEVATED 1 4 shown in fig. 4, or in another synthetic way by means of a
radar graph representation, as shown in fig. 5.
Target 11 MODERATED SEVERE 3 5

Target 12 SEVERE MODERATED 5 3

The R factor, i.e. the quantified calculation of the risk

factor obtained from Eq.(2), is associated with the damage
levels of the considered organization, thus combining each
of them the relative levels of overall reliability of the
security solution (RSS) and its probability of failure on
demand (PFD).
Fig. 4. Histogram graph of the results (red colour: actual level of
The PSA-LOPA method can be therefore applied to all performance of protections, green colour: requested level of performance of
potential targets Ti within the site of the considered protections).
organization that are exposed to physical security risks. The
choice of the targets included in the analysis was done with As it is possible to see from fig. 4, excepted target 1 and
respect to the criticality of the same for the organization and target 12, the targets are characterized by an actual level of
based on the qualitative indications, on the exposure to the performance of security protections (red colour) lesser with
respect to the relative requested level of performance of
security protections (green colour), and this provide a clear
idea of where and how it is necessary to increase the level of
protections to reach the desired goal.
In this way it is possible to study and eventually realize
all the necessary and further protections, considering
properly the cost/benefit ratio, to guarantee the necessary
level of protection to the different targets
Fig. 5. Radar graph of the results (red colour: actual level of performance
of protections, green colour: requested level of performance of protections).
V. CONCLUSIONS
The proposed PSA-LOPA represents a general method
apt for any kind of site of any organization and allows to
evaluate, in a quite rapid and efficient way, the level of
physical security risks and the related countermeasures,
intended as layers of protections, necessary to reach the
desired protection level, if necessary, as it was already done
in a plenty of real contexts, characterized by an optimal ratio
from the cost/benefit point of view.
It can be further developed to obtain more complete and
extended results, according to the specific needs but it is out
of the scope of the paper.
REFERENCES
[1] F. Garzia, L. Papi, “An Internet of Everything based integrated
security system for smart archaeological areas”, Proc. of IEEE
International Carnahan Conference on Security Technologies,
Orlando (USA), pp. 64-71, 2016.
[2] F. Garzia, L. Sant’Andrea, “The Internet of Everything based
integrated security system of the World War I commemorative
museum of Fogliano Redipuglia in Italy”, Proc. of IEEE International
Carnahan Conference on Security Technologies, Orlando (USA), pp.
56-63, 2016.
[3] M. Gambetti, F. Garzia, F. J. Vargas Bonilla, D. Ciarlariello, M. A.
Ferrer, S. Fusetti, M. Lombardi, S. Ramalingam, M. Ramasamy, S.
Sacerdoti, A. Sdringola, D. Thirupati, and M. Faundez Zanuy, “The
new communication network for an Internet of Everything based
security / safety / general management / visitor’s visitors’ services for
the Papal Basilica and Sacred Convent of Saint Francis in Assisi,
Italy, Proc. of IEEE International Carnahan Conference on Security
Technologies, Madrid (Spain), 2017.
[4] F. Garzia, M. Lombardi, S. Ramalingam, “An integrated Internet of
Everything – genetic algorithms controller – artificial neural networks
based framework for security systems management and support”,
IEEE International Carnahan Conference on Security Technologies,
Madrid (Spain), 2017.
[5] F. Garzia, “The Internet of Everything based integrated system for
security /safety /general management / visitors’ services for the
Quintili’s Villas area of the Ancient Appia way in Rome, Italy”,
SAFE 2017 – International Conference on Safety & Security
Engineering, Safety and Security Engineering VII, WIT Transactions
on The Built Environment, Vol 174, pp.261-272, WIT Press
(Southampton, UK), 2017.
[6] M. Gambetti, F. Garzia, V. Baiocchi, F. J. Vargas Bonilla, F.
Borghini, D. Ciarlariello, S. Chakaveh, D. Costantino, A. Culla, R.
Cusani, M. A. Ferrer, S. Fusetti, J. Kodl, S. Livatino, M. Lombardi, S.
Marsella, J. Peng, V. Smejkal, S. Ramalingam, M. Ramasamy, S.
Sacerdoti, A. Sdringola, D. Thirupati, and M. Faundez Zanuy, “The
Internet of Everything System for the Papal Basilica and Sacred
Convent of Saint Francis in Assisi, Italy”, Proceedings of WEF
(World Engineering Forum) - Safeguarding Humankind’s Heritage,
The Great Challenge for Engineers, Rome (Italy), 2017.
[7] F. Garzia, “An integrated multidisciplinary model for security
management and related supporting integrated technological system”,
Proc. of IEEE International Carnahan Conference on Security
Technologies, Orlando (USA), pp. 107-114, 2016.
[8] F. Garzia, M. Lombardi, “Safety and security management through an
integrated multidisciplinary model and related integrated
technological framework”, SAFE 2017 – International Conference on
Safety & Security Engineering, Safety and Security Engineering VII,
WIT Transactions on The Built Environment, Vol 174, pp. 285-296,
WIT Press (Southampton, UK), 2017.
[9] Lombardi, M., Guarascio, M. & Rossi, G., “The management of
uncertainty: Model for evaluation of human error probability in
railway system”, American Journal of Applied Sciences, Vol.,11, N.3,
pp. 381-390, 2013.
[10] Guarascio, M., Lombardi, M., Rossi, G. & Sciarra, G., “Risk analysis
and acceptability criteria”, WIT Transactions on the Built
Environment, Vo. 94, pp.131-138, 2007.
[11] Guarascio, M., Lombardi, M. & Massi, F, “Risk Analysis in handling
and storage of petroleum products”, American Journal of Applied
Sciences, Vol. 10, N.9, pp. 965-978, 2013.
[12] Broder, J. F. & Tucker, E., “Risk Analysis and the Security Survey”,
Buttherwoth-Heinemann, New York, 2012.
[13] Norman, T., L., “Risk Analysis and Security Countermeasure
Selection”, CRC Press, 2010.
[14] Lombardi, M., Fargnoli, M., ”Prioritization of hazards by means of a
QFD-based procedure”, International Journal of Safety and Security
Engineering, Vol. 8, N. 2, pp.342-353, 2018.
[15] Fargnoli, M., Lombardi, M., Haber, N., Guadagno, F., “Hazard
Function Deployment: a QFD based tool for the assessment of
working tasks – A practical study in the construction industry”,
International Journal of Occupational Safety and Ergonomics, pp.1-
22, 2018.
[16] Willey, R., J., “Layer of Protection Analysis”, Proc. of 2014
International Symposium on Safety Science and Technology, Procedia
Engineering, Vol.84, pp.12 – 22, 2014.
[17] Center for Chemical Process Safety, “Layer of Protection Analysis:
Simplified Process Risk Assessment”, Amer Inst of Chemical
Engineers, USA, 2001.
[18] Center for Chemical Process Safety, “Guidelines for Enabling
Conditions and Conditional Modifiers in Layer of Protection
Analysis”, Amer Inst of Chemical Engineers, USA, 2013
[19] Center for Chemical Process Safety, “Guidelines for Initiating Events
and Independent Protection Layers in Layer of Protection Analysis”,
Amer Inst of Chemical Engineers, USA, 2014.
[20] F. Borghini, F. Garzia, A. Borghini, G. Borghini, “The Psychology of
Security, Emergency and Risk”, WIT Press (Southampton - UK and
Boston - USA), 2016.
[21] F. Borghini, F. Garzia, M. Lombardi, M. Mete, R. Perruzza, R.
Tartaglia, “Human Factor Analysis Inside a Peculiar Job Environment
at the Gran Sasso Mountain Underground Laboratory of Italian
National Institute for Nuclear Physics”, International Journal of
Safety & Security Engineering, WIT Press, Vol.8, No.3, pp. 390-405,
2018.