Certification of Pipeline Risk Estimation Methodologies

How It Works

This certification process tests a risk assessment methodology by having it produce risk estimates for three parallel pipelines for which risk-pertinent data is available.  A sketch and dataset details some relevant facts for each pipeline.  Many, but not all, common pipeline risk issues are illustrated or implied by the data provided.

Someone seeking certification is asked to download  the provided information and produce risk estimates using this information and his own risk assessment methodology.  His risk assessment results can then be compared against benchmark results to evaluate how successful his assessment was in identifying and characterizing the risk issues implied by the data provided.

No specific risk assessment methodology is mandated for certification.  A methodology that meets minimum requirements and thereby is certified will 1) satisfy the Essential Elements and 2) satisfactorily address the risk issues implied by the test data. Criteria for certification is shown below.
Three different approaches are available to those seeking certification of their risk assessments.  Choice depends on type of evaluation sought (eg, internal audit only vs independent third party evaluation) and your available resources.

Completing a risk assessment using the provided information and preparing the submittal documents is estimated to require about ½ man day (4 hours) for an experienced pipeline risk assessor.


  1. DIY (do it yourself):  No cost and no submission required.  This option is available for those wishing to perform an internal audit on their risk assessment methodology.  User must register on site to download solution data.
  2. Evaluation by Certifying Committee:  This option is for those desiring an independent, third party evaluation/certification of their risk assessment methodology.  This option requires submission of prepared risk assessment results.
  3. Assistance in preparing risk estimates plus evaluation by certifying committee:  since this option involves more resources, it must be evaluated on case-by-case basis; please contact info@pipelinerisk.net


Objective: Produce risk estimates that include all issues implied by information given (or are otherwise addressed via submitter’s documented assumptions, eg; “submission omits consideration of sabotage/theft threats to pipeline integrity”)


  1. State the target level of conservatism employed in your risk assessment
  2. Specify units of measurements used in your risk assessment  (see Definitions)
  3. Download test case information
  4. Supplement the provided data with your assumptions covering all missing information
  5. Segment the pipelines for purposes of estimating risk
  6. Document your assumed info, specific to pipeline and stationing as well as any non-standard engineering or scientific relationships/equations used
  7. Populate the provided information along with your assumptions into your risk assessment methodology to generate risk estimates
  8. Prepare and submit risk assessment results to certifying committee (unless self-audit only)


For this certification effort, please note the following definitions and notes

Certified:  A methodology that achieves certification by this process is judged to meet or exceed minimum risk assessment requirements of a modern and robust pipeline risk management program.  This means almost unquestionably* that the assessment also meets all US IMP regulations (CFR 49 Part 192 and Part 195), both explicit and implicit.  That is, the regulatory objectives are met as well as the specific requirements detailed in the regulations and accompanying incorporated-by-reference documents.

Failure = any unintentional loss of integrity, including leaks and ruptures.  Expanded definitions of ‘failure’ are also acceptable.

Risk = Future frequency of some consequence.  Examples include failures per year; failures per mile-year; failures per km-year; fatalities per mile-year; $ of loss per year; dollars loss per km-year; and many other possibilities.  For purposes of this certification exercise, the time period of interest is for the following 12 months.

Units  Specify the measurement units associated with any final or intermediate risk value produced.

Monetized risks (eg, $/year and $/mile-year) are common and offer advantages such as context and understandability, but any user-specified units that capture a measure of failure consequence (eg, costs in dollars, fatalities, incidents, serious incidents, etc.  over time and space (pipeline segment length).  A submitter should provide definitions for uncommon units, especially if multiple interpretations are likely)

Including normalized units of risk, ie ‘risk per unit length’ (eg, incidents per mile-year, dollars per km-year, etc) is helpful, but not mandatory

A submitter may choose to employ more than one set of units in presenting risk.  He may use parallel processing of risk estimates with multiple CoF units such as estimating both non-fatality costs/year and fatalities/year for each location along each pipeline

Leaks vs Ruptures  May differentiate Leaks/ruptures, but this is not mandatory for this exercise.  For degradation failure mechanisms, limiting calculations to leak criteria only is acceptable for this exercise as is the use of both leak/rupture criteria.

If a risk assessment methodology uses an expanded definition of ‘failure’ that also includes, for instance, service interruptions, that expanded definition can be used if the leak/rupture aspect is not readily separable.  Submitters should highlight this fact to the certification committee.

Risk Profile = risk values at specific locations, ie, a final or intermediate risk value versus position along pipeline centerline

*With performance-based regulation, compliance has elements of subjectivity and can never be absolutely guaranteed.

Submission to Certifying Committee

The minimum documents to be submitted to the certifying committee are shown below.  Certification-seekers are encouraged to supplement this minimum list with clarifying documents to ensure that evaluators understand all nuances of the particular assessment.

  • List of assumptions employed in producing risk estimates including target level of conservatism
  • Tabulated risk estimates for each segment of each pipeline with units specified
    • Risk
    • PoF (probability of failure or frequency of failure)
      • Failure mechanism 1
      • Failure mechanism 2
      • Etc
    • CoF (consequence of failure)
  • Aggregated risk values for each PL
    • for entire 2400 ft lengths
    • for values on each PL
      • 3 summary values:  Risk, PoF, CoF
      • a summary value for each threat included in PoF

Time Requirements

The certification exercise is designed to minimize time requirements without sacrificing too much needed detail.  Around 4 hours of one knowledgeable person’s time is suggested for this exercise.  Additional time may be required depending upon a user’s process-specific factors such as ease of data integration

60 minutes study input information; translate input info into risk values; perform segmentation
30 minutes



fill information gaps document specific assumptions employed or at least the assumed region/geography produce tabulated list of defaults assumed
30 minutes perform risk calculations with QA/QC
30 minutes



create risk profiles.

tabulate all risk assessment results, aligned to pipeline ID’s and stationing

Optional:  Graphics depicting all results for 3 pipelines, entire lengths, on same plot for each risk calculation

30 minutes Aggregate results
30 minutes Document all non-standard relationships employed, eg, non-linear corrosion rates, and other information pertinent to certification committee’s understanding of submission
210 minutes Total

Note that these time estimates also illustrate that good risk assessment can be done in relatively short times—ie, man-hrs, not man-weeks–once info has been collected and aligned.

Information Gaps

The test data set does not provide complete information for every location along every pipeline nor does it provide information on all aspects of risk.  This reflects the reality of actual operating pipelines, where all desired information will not be available.  For purposes of risk assessment, missing information must be supplied by whatever means are available, sometimes even only a judgement by a knowledgeable individual.  For this certification process, certification seekers are asked to simply make assumptions for all information not provided in the downloaded data and to document those assumptions for the certification committee.

It is recognized that values used may range significantly, depending on assumptions and desired level of conservatism in the submitted risk assessment results.  This does not detract from the evaluation of the methodology.  This certification phase is not judging the appropriateness of the choice of defaults.  That aspect of the risk assessment process is to be evaluated in subsequent certifications.

It is expected that relationships and equations in common use by engineers and scientists will be a part of most risk assessment methodologies.  These generally require no documentation by submitters.  If submitters employ any non-standard equations or relationships in producing their risk estimates, those should be explained to the certification committee.


Different levels of conservatism are appropriate for different intended uses of a risk assessment. See detailed discussions on this elsewhere on this site.  Certification-seekers must communicate to the certification committee the target level of conservatism that was employed in generating the submitted risk assessment results.  Nomenclature that uses values such as P50 for ‘most likely value’ to P90 for ‘negative surprise one out of ten times’ to P99.9 ‘negative surprise one time out of one thousand times’, etc, can be used to state the target level of conservatism.  These target levels can refer to conservatism of each input or of the final results.  The former is usually far easier to gage.


Certification-seekers should not need to provide any information deemed confidential.  Company names, individual names, company-specific information, and any other particulars communicated intentionally or accidentally during the certification process will be considered to be non-disclosable information and will not be shared for any purpose.

Certification Criteria

When independent certification is sought, the criteria to be used in evaluating the submitted risk assessment are described below.

Essential Elements

The first test verifies that the general provisions of the Essential Elements guidance document have been met.  Most of the Essential Elements serve as objective criteria.  That is, very little subjectivity is required in determining when the provisions of the element have been met by a risk assessment.  Some, however, do require some interpretation and judgement to gage whether the element’s provisions are satisfied.  In those instances, sufficient feedback will be provided to the submitter to fully understand the concerns, if any.

Additional Criteria:  Some Details

As noted in the Essential Elements, some general aspects to be evaluated by the certification committee include:

Profiles that differ along each pipeline, capturing changing risk conditions along a pipeline and between the pipelines. Profiles should showcase peaks and valleys in risk along each pipeline with drivers of significant changes readily identifiable eg, higher internal corrosion potential due to low spot in elevation profile.

Aggregates that avoids common aggregation errors and

  • appropriately summarize the differences between pipelines
  • allow rapid identification of key risk drivers
  • compare with benchmarks, ie, are similar with significant difference readily explained

Segmentation that is appropriate for the data available and avoids common errors.

Defaults:  while certification of a default-assignment program is a future phase of the certification process, the committee will examine the assignment of values used to supplement the provided information and will comment to the submitter if choices in values seem inappropriate for any reason.

Additional Criteria:  Risk Issues

Finally, the submitted risk assessment results will be examined in detail to determine if all risk issues have been captured and fairly represented in those results.  In addition to the Essential Elements and the general aspects just mentioned, a modern and robust risk assessment should be able to provide insights into issues such as these that are implied by the test dataset:

Role of inspection, especially ILI
no findings vs no ILI
non-actionable ILI findings
External forces
impacts falling objects
sympathetic reactions
debris loadings
water impingements
lack of support
scour and ext forces
Potential for cracking
seam susceptibility
flow stream oscillations
press cycling
Implications of casings
Role of pressure testing
age effects
test pressure effects
Effects of age on specific risk issues
Changes in corrosion potential
Unmitigated corrosion rates
Mitigation effectiveness

Additional Criteria:  Risk Issues Not Specified

Information provided in the test scenarios is designed to highlight many common pipeline risk issues.  However, it is not practical to showcase every possible risk issue in a test such as this.  Risk issues not explicitly defined in information provided can be included in analyses at option of submitter (ie, optional assumptions to be made by submitter—these should be documented).  Some examples (not a comprehensive list!) of additional risk issues or issues that may warrant a deeper examination (beyond data provided) include:

pipe manufacturing tolerances
inspection inaccuracies
valve failure mechanisms vs pipe, eg, wall thickness differences
disbonding/shielding coating
emergency response
leak detection
deinventory volumes
fatigue cracking
other impact potentials from falling objects, vehicles, etc



What if risk estimates submitted differ significantly from the benchmark?  Without prior agreement on ‘true’ risk estimates, how can certification be accomplished?  

Accurate risk assessments can produce a wide range of risk estimates for exactly the same scenario, depending on factors such as:

  • assumptions employed when information is missing or weak
  • target level of conservatism desired

Uncertainty must be acknowledged–even estimates that are exactly correct statistically (ie, over many repetitions) they will not be correct for each segment for each year.  For instance, an event might truly occur 1 time every 6 years as a long term average but have multiple occurrences per year for some period.  A one hundred year flood can happen twice in the same year.  That is the nature of the probabilistic world around us.

So, you’re saying the numerical estimates do not matter? 

Values submitted do matter, but for many purposes, including certification, they matter most in the context of the other estimates produced. In comparing to the benchmark profiles, the most critical aspects are where changes in risk occur and the directions and magnitudes of those changes (orders of magnitude changes often best reflect real world situations) relative to the overall profile.  These changes in a risk profile should be caused by changes in risk that are grounded in fundamental principles of engineering and science.

What are the fees for and who gets them?

Fees may be required when more significant certification efforts are required.  Fees are intended to only cover actual costs of performing the certification evaluation and communicating with the submitter.  When necessary, members of the certifying committee will engage appropriate technical resources from member companies to assist committee members in the analyses.  If the entire fee from a submitter is not required to complete the evaluation, remnant funds will be allocated to a general fund that is used to maintain this website and refresh the content as often as possible.

View the test case information