The recent attacks on petroleum plants in various countries such as Algeria, Nigeria, and Iraq have greatly changed the risk mindset of the chemical industry (Johnson and Gilbert, 2013; Nordland and Al-Sahy, 2014). Risk assessments and management traditionally are conducted on unintended (safety related) incidents and not on intentional acts. These intentional acts could either be from an internal or external source. This paper extends the probabilistic risk assessment methodology (generally focus on safety unintended) to the security facet (focusing on intended incidents) of a processing facility. The methodology is based on the barrier approach. Five security barriers are proposed throughout the facility to help deter an attack. These security barriers are external, internal, interior, critical, and the fail-safe barrier, which are implemented at various stages of a plant with varying objectives. For example, the fail-safe barrier aims to bring the plant to safe shutdown mode, once it observes breach of the barrier. Breach of each barrier is modeled using fault tree approach. A number of monitoring parameters are proposed to track the effectiveness of the barrier, which are modeled as basic events in the fault tree. The occurrence of each basic event is modeled using two failure modes: i) natural, and ii) forced failure. Conditional probability with soft computing theory is used to model occurrence probability. The proposed methodology also takes into account effectiveness of the management, and political parameters in an impeding attack.
In addition, the fault trees modeled are mapped into respective Bayesian Networks. Bayesian networks allow for manipulation of the conditional probability table. There are three relaxation assumptions that manipulate the conditional probability table that is explored in this paper. In order to eliminate uncertainty developed in the data, an updating mechanism is used along with a predictive component to make the model dynamic. This is significant as the model can be become dynamic to reflect any changes that may have occurred.
Finally, a case study of a typical processing facility is presented to demonstrate the effectiveness of the model and to indicate areas of further improvement. This paper aspires to bring awareness to security risk assessments and the need to create a database for security related failures.